* [PATCH 3.16 000/370] 3.16.42-rc1 review
@ 2017-03-10 11:46 Ben Hutchings
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.42 release.
There are 370 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.16.41 will be posted as an additional
response to this.  A shortlog and diffstat can be found below.

Ben.

-------------

Adrian Hunter (1):
      mmc: sdhci: Fix recovery from tuning timeout
         [61e53bd0047d58caee0c7170613045bf96de4458]

Aidan Thornton (2):
      USB: serial: ch341: add register and USB request definitions
         [6fde8d29b0424f292a4ec5dbce01458ad759a41f]
      USB: serial: ch341: reinitialize chip on reconfiguration
         [4e46c410e050bcac36deadbd8e20449d078204e8]

Akinobu Mita (1):
      sysrq: attach sysrq handler correctly for 32-bit kernel
         [802c03881f29844af0252b6e22be5d2f65f93fd0]

Al Viro (2):
      Fix missing sanity check in /dev/sg
         [137d01df511b3afe1f05499aea05f3bafc0fb221]
      nfs_write_end(): fix handling of short copies
         [c0cf3ef5e0f47e385920450b245d22bead93e7ad]

Alan Stern (7):
      PCI: Check for PME in targeted sleep state
         [6496ebd7edf446fccf8266a1a70ffcb64252593e]
      USB: UHCI: report non-PME wakeup signalling for Intel hardware
         [ccdb6be9ec6580ef69f68949ebe26e0fb58a6fb0]
      USB: dummy-hcd: fix bug in stop_activity (handle ep0)
         [bcdbeb844773333d2d1c08004f3b3e25921040e5]
      USB: fix problems with duplicate endpoint addresses
         [0a8fd1346254974c3a852338508e4a4cddbb35f1]
      USB: gadgetfs: fix checks of wTotalLength in config descriptors
         [1c069b057dcf64fada952eaa868d35f02bb0cfc2]
      USB: gadgetfs: fix unbounded memory allocation bug
         [faab50984fe6636e616c7cc3d30308ba391d36fd]
      USB: gadgetfs: fix use-after-free bug
         [add333a81a16abbd4f106266a2553677a165725f]

Aleksa Sarai (1):
      fs: exec: apply CLOEXEC before changing dumpable task flags
         [613cc2b6f272c1a8ad33aefa21cad77af23139f7]

Aleksander Morgado (1):
      USB: serial: qcserial: add Dell DW5570 QDL
         [24d615a694d649aa2e167c3f97f62bdad07e3f84]

Alex Deucher (2):
      drm/radeon: add additional pci revision to dpm workaround
         [8729675c00a8d13cb2094d617d70a4a4da7d83c5]
      drm/radeon: drop verde dpm quirks
         [8a08403bcb39f5d0e733bcf59a8a74f16b538f6e]

Alex Porosanu (1):
      crypto: caam - fix AEAD givenc descriptors
         [d128af17876d79b87edf048303f98b35f6a53dbc]

Alexander Usyskin (1):
      mei: move write cb to completion on credentials failures
         [e09ee853c92011860a4bd2fbdf6126f60fc16bd3]

Alexey Kodanev (1):
      tcp: initialize max window for a new fastopen socket
         [0dbd7ff3ac5017a46033a9d0a87a8267d69119d9]

Amir Vadai (1):
      net/sched: pedit: make sure that offset is valid
         [95c2027bfeda21a28eb245121e6a249f38d0788e]

Ander Conselvan de Oliveira (1):
      drm/i915: Don't leak edid in intel_crt_detect_ddc()
         [c96b63a6a7ac4bd670ec2e663793a9a31418b790]

Andrew Collins (1):
      net: Add netdev all_adj_list refcnt propagation to fix  panic
         [93409033ae653f1c9a949202fb537ab095b2092f]

Andrey Ryabinin (1):
      drm/i915: fix use-after-free in page_flip_completed()
         [05c41f926fcc7ef838c80a6a99d84f67b4e0b824]

Andy Shevchenko (1):
      platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
         [5a00b6c2438460b870a451f14593fc40d3c7edf6]

Anoob Soman (2):
      packet: Do not call fanout_release from atomic contexts
         [2bd624b4611ffee36422782d16e1c944d1351e98]
      packet: call fanout_release, while UNREGISTERING a netdev
         [6664498280cf17a59c3e7cf1a931444c02633ed1]

Anssi Hannula (3):
      mmc: core: fix multi-bit bus width without high-speed mode
         [3d4ef329757cfd5e0b23cce97cdeca7e2df89c99]
      net: xilinx_emaclite: fix freezes due to unordered I/O
         [acf138f1b00bdd1b7cd9894562ed0c2a1670888e]
      net: xilinx_emaclite: fix receive buffer overflow
         [cd224553641848dd17800fe559e4ff5d208553e8]

Anton Blanchard (1):
      powerpc: Ignore reserved field in DCSR and PVR reads and writes
         [178f358208ceb8b38e5cff3f815e0db4a6a70a07]

Ard Biesheuvel (7):
      crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes
         [11e3b725cfc282efe9d4a354153e99d86a16af08]
      crypto: arm64/aes-ccm-ce: fix for big endian
         [56e4e76c68fcb51547b5299e5b66a135935ff414]
      crypto: arm64/aes-neon - fix for big endian
         [a2c435cc99862fd3d165e1b66bf48ac72c839c62]
      crypto: arm64/aes-xts-ce: fix for big endian
         [caf4b9e2b326cc2a5005a5c557274306536ace61]
      crypto: arm64/ghash-ce - fix for big endian
         [9c433ad5083fd4a4a3c721d86cbfbd0b2a2326a5]
      crypto: arm64/sha1-ce - fix for big endian
         [ee71e5f1e7d25543ee63a80451871f8985b8d431]
      crypto: arm64/sha2-ce - fix for big endian
         [174122c39c369ed924d2608fc0be0171997ce800]

Arnaldo Carvalho de Melo (2):
      perf scripting: Avoid leaking the scripting_context variable
         [cf346d5bd4b9d61656df2f72565c9b354ef3ca0d]
      perf trace: Use the syscall raw_syscalls:sys_enter timestamp
         [ecf1e2253ea79c6204f4d6a5e756e8fb4aed5a7e]

Arnd Bergmann (5):
      ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
         [f0e8faa7a5e894b0fc99d24be1b18685a92ea466]
      ISDN: eicon: silence misleading array-bounds warning
         [950eabbd6ddedc1b08350b9169a6a51b130ebaaf]
      [media] DaVinci-VPFE-Capture: fix error handling
         [d3d83ee20afda16ad0133ba00f63c11a8d842a35]
      [media] s5k4ecgx: select CRC32 helper
         [c739c0a7c3c2472d7562b8f802cdce44d2597c8b]
      scsi: mvsas: fix command_active typo
         [af15769ffab13d777e55fdef09d0762bf0c249c4]

Arvind Yadav (1):
      ata: sata_mv:- Handle return value of devm_ioremap.
         [064c3db9c564cc5be514ac21fb4aa26cc33db746]

Augusto Mecking Caringi (1):
      vme: Fix wrong pointer utilization in ca91cx42_slave_get
         [c8a6a09c1c617402cc9254b2bc8da359a0347d75]

Axel Lin (1):
      PM / devfreq: Add proper locking around list_del()
         [0f376c9cd86c23f37312d37748b233660ef9d9af]

Baolin Wang (1):
      usb: host: xhci: Fix possible wild pointer when handling abort command
         [2a7cfdf37b7c08ac29df4c62ea5ccb01474b6597]

Bart Van Assche (4):
      IB/mad: Fix an array index check
         [2fe2f378dd45847d2643638c07a7658822087836]
      IB/multicast: Check ib_find_pkey() return value
         [d3a2418ee36a59bc02e9d454723f3175dcf4bfd9]
      IPoIB: Avoid reading an uninitialized member variable
         [11b642b84e8c43e8597de031678d15c08dd057bc]
      dm rq: fix a race condition in rq_completed()
         [d15bb3a6467e102e60d954aadda5fb19ce6fd8ec]

Bartosz Golaszewski (1):
      ARM: davinci: da850: don't add emac clock to lookup table twice
         [ef37427ac5677331145ab27a17e6f5f1b43f0c11]

Ben Hutchings (7):
      Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
         [not upstream; the reverted commit is fine upstream but depends
	  on other changes I haven't backported]
      catc: Combine failure cleanup code in catc_probe()
         [d41149145f98fe26dcd0bfd1d6cc095e6e041418]
      catc: Use heap buffer for memory size test
         [2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478]
      kconfig/nconf: Fix hang when editing symbol with a long prompt
         [79e51b5c2deea542b3bb8c66e0d502230b017dde]
      net/sock: Add sock_efree() function
         [62bccb8cdb69051b95a55ab0c489e3cab261c8ef]
      pegasus: Use heap buffers for all register access
         [5593523f968bc86d42a035c6df47d5e0979b5ace]
      rtl8150: Use heap buffers for all register access
         [7926aff5c57b577ab0f43364ff0c59d968f6a414]

Beniamino Galvani (1):
      bonding: set carrier off for devices created through  netlink
         [005db31d5f5f7c31cfdc43505d77eb3ca5cf8ec6]

Benjamin Block (1):
      scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
         [dac37e15b7d511e026a9313c8c46794c144103cd]

Benjamin Marzinski (1):
      dm space map metadata: fix 'struct sm_metadata' leak on failed create
         [314c25c56c1ee5026cf99c570bdfe01847927acb]

Benjamin Poirier (1):
      mlx4: Invoke softirqs after napi_reschedule
         [bd4ce941c8d5b862b2f83364be5dbe8fc8ab48f8]

Bjorn Helgaas (1):
      x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
         [89e9f7bcd8744ea25fcf0ac671b8d72c10d7d790]

Bjørn Mork (3):
      USB: serial: option: add device ID for HP lt2523 (Novatel E371)
         [5d03a2fd2292e71936c4235885c35ccc3c94695b]
      cdc_ncm: workaround for EM7455 "silent" data interface
         [c086e7096170390594c425114d98172bc9aceb8a]
      qmi_wwan/cdc_ether: add device ID for HP lt2523  (Novatel E371) WWAN card
         [5b9f57516337b523f7466a53939aaaea7b78141b]

Boris Ostrovsky (2):
      xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
         [74470954857c264168d2b5a113904cf0cfd27d18]
      xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
         [30faaafdfa0c754c91bac60f216c9f34a2bfdf7e]

Chandan Rajendra (2):
      ext4: fix mballoc breakage with 64k block size
         [69e43e8cc971a79dd1ee5d4343d8e63f82725123]
      ext4: fix stack memory corruption with 64k block size
         [30a9d7afe70ed6bd9191d3000e2ef1a34fb58493]

Chanwoo Choi (1):
      PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL
         [73613b16cb5c5d5a659fc8832eff99eead3f9afb]

Chris Brandt (1):
      clk: renesas: mstp: Support 8-bit registers for r7s72100
         [e2a33c34ddff22ee208d80abdd12b88a98d6cb60]

Chris Friesen (1):
      route: do not cache fib route info on local routes with  oif
         [d6d5e999e5df67f8ec20b6be45e2229455ee3699]

Christopher Spinrath (1):
      ARM: dts: imx6q-cm-fx6: fix fec pinctrl
         [72649a46067903d00f46e2ebef6543768224f1a0]

Chuck Lever (2):
      nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
         [059aa734824165507c65fd30a55ff000afd14983]
      nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
         [406dab8450ec76eca88a1af2fc15d18a2b36ca49]

Con Kolivas (1):
      ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
         [82ffb6fc637150b279f49e174166d2aa3853eaf4]

Dan Carpenter (6):
      [media] staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs()
         [c4a407b91f4b644145492e28723f9f880efb1da0]
      ext4: return -ENOMEM instead of success
         [578620f451f836389424833f1454eeeb2ffc9e9f]
      ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
         [63117f09c768be05a0bf465911297dc76394f686]
      sparc: leon: Fix a retry loop in leon_init_timers()
         [601e6e3cc5bf6adb7d076fe24d10f6191a25ba9b]
      target/iscsi: Fix double free in lio_target_tiqn_addtpg()
         [a91918cd3ea11f91c68e08e1e8ce1b560447a80e]
      usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
         [c95a9f83711bf53faeb4ed9bbb63a3f065613dfb]

Daniel Borkmann (1):
      net, sched: fix soft lockup in tc_classify
         [628185cfddf1dfb701c4efe2cfd72cf5b09f5702]

Daniel Dressler (1):
      Btrfs: delayed-inode: replace root args iff only fs_info used
         [a585e94895ed8ab2930bfd5186ffd20301b5c703]

Daniele Palmas (1):
      USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041
         [5b09eff0c379002527ad72ea5ea38f25da8a8650]

Darren Stevens (1):
      powerpc: Add missing error check to prom_find_boot_cpu()
         [af2b7fa17eb92e52b65f96604448ff7a2a89ee99]

Darrick J. Wong (2):
      ext4: reject inodes with negative size
         [7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58]
      xfs: update MAINTAINERS
         [721a0edfbe1f302b93274ce75e0d62843ca63e0d]

Dave Jones (1):
      ipv6: handle -EFAULT from skb_copy_bits
         [a98f91758995cb59611e61318dddd8a6956b52c3]

Dave Martin (6):
      ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
         [228dbbfb5d77f8e047b2a1d78da14b7158433027]
      arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
         [aeb1f39d814b2e21e5e5706a48834bfd553d0059]
      arm64/ptrace: Preserve previous registers for short regset write
         [9a17b876b573441bfb3387ad55d98bf7184daf9d]
      arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
         [ad9e202aa1ce571b1d7fed969d06f66067f8a086]
      powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
         [99dfe80a2a246c600440a815741fd2e74a8b4977]
      tile/ptrace: Preserve previous registers for short regset write
         [fd7c99142d77dc4a851879a66715abf12a3193fb]

David Henningsson (1):
      ALSA: hda - Add inverted internal mic for Asus Aspire 4830T
         [522a7fa883e04725806308a5b663ce1f570e5870]

David Matlack (2):
      KVM: x86: flush pending lapic jump label updates on module unload
         [cef84c302fe051744b983a92764d3fcca933415d]
      jump_labels: API for flushing deferred jump label updates
         [b6416e61012429e0277bd15a229222fd17afc1c1]

David S. Miller (2):
      decnet: Do not build routes to devices without decnet  private data.
         [a36a0d4008488fa545c74445d69eaf56377d5d4e]
      irda: Fix lockdep annotations in hashbin_delete().
         [4c03b862b12f980456f9de92db6d508a4999b788]

Davidlohr Bueso (1):
      ipc/shm: Fix shmat mmap nil-page protection
         [95e91b831f87ac8e1f8ed50c14d709089b4e01b8]

Douglas Caetano dos Santos (1):
      tcp: fix wrong checksum calculation on MTU probing
         [2fe664f1fcf7c4da6891f95708a7a56d3c024354]

Einar Jón (1):
      can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer
         [c97c52be78b8463ac5407f1cf1f22f8f6cf93a37]

Eli Cohen (1):
      IB/mlx5: Wait for all async command completions to complete
         [acbda523884dcf45613bf6818d8ead5180df35c2]

Eran Ben Elisha (1):
      IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
         [1f22e454df2eb99ba6b7ace3f594f6805cdf5cbc]

Eric Dumazet (22):
      can: Fix kernel panic at security_sock_rcv_skb
         [f1712c73714088a7252d276a57126d56c7d37e64]
      dccp: do not send reset to already closed sockets
         [346da62cc186c4b4b1ac59f87f4482b47a047388]
      dccp: fix out of bound access in dccp_v4_err()
         [6706a97fec963d6cb3f7fc2978ec1427b4651214]
      gro: use min_t() in skb_gro_reset_offset()
         [7cfd5fd5a9813f1430290d20c0fead9b4582a307]
      ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
         [21b995a9cb093fff33ec91d7cb3822b882a90a1e]
      ipv6: dccp: add missing bind_conflict to  dccp_ipv6_mapped
         [990ff4d84408fc55942ca6644f67e361737b3d8e]
      ipv6: dccp: fix out of bound access in dccp_v6_err()
         [1aa9d1a0e7eefcc61696e147d123453fc0016005]
      ipv6: fix ip6_tnl_parse_tlv_enc_lim()
         [fbfa743a9d2a0ffa24251764f10afc13eb21e739]
      l2tp: do not use udp_ioctl()
         [72fb96e7bdbbdd4421b0726992496531060f3636]
      net/dccp: fix use-after-free in dccp_invalid_packet
         [648f0c28df282636c0c8a7a19ca3ce5fc80a39c3]
      net/llc: avoid BUG_ON() in skb_orphan()
         [8b74d439e1697110c5e5c600643e823eb1dd0762]
      net: avoid sk_forward_alloc overflows
         [20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d]
      net: clear sk_err_soft in sk_clone_lock()
         [e551c32d57c88923f99f8f010e89ca7ed0735e83]
      net: fix harmonize_features() vs NETIF_F_HIGHDMA
         [7be2c82cfd5d28d7adb66821a992604eb6dd112e]
      net: fix sk_mem_reclaim_partial()
         [1a24e04e4b50939daa3041682b38b82c896ca438]
      net: mangle zero checksum in skb_checksum_help()
         [4f2e4ad56a65f3b7d64c258e373cb71e8d2499f4]
      net: use a work queue to defer net_disable_timestamp() work
         [5fa8bbda38c668e56b0c6cdecced2eac2fe36dec]
      netlabel: out of bound access in cipso_v4_validate()
         [d71b7896886345c53ef1d84bda2bc758554f5d61]
      packet: fix races in fanout_add()
         [d199fab63c11998a602205f7ee7ff7c05c97164b]
      sysctl: fix proc_doulongvec_ms_jiffies_minmax()
         [ff9f8a7cf935468a94d9927c68b00daae701667e]
      tcp: fix 0 divide in __tcp_select_window()
         [06425c308b92eaf60767bc71d359f4cbc7a561f8]
      tcp: fix overflow in __tcp_retransmit_skb()
         [ffb4d6c8508657824bcef68a36b2a0f9d8c09d10]

Eric Ren (1):
      ocfs2: fix crash caused by stale lvb with fsdlm plugin
         [e7ee2c089e94067d68475990bdeed211c8852917]

Eric Sandeen (2):
      xfs: fix up xfs_swap_extent_forks inline extent handling
         [4dfce57db6354603641132fac3c887614e3ebe81]
      xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
         [6b10b23ca94451fae153a5cc8d62fd721bec2019]

Eugenia Emantayev (1):
      net/mlx4_en: Fix bad WQE issue
         [6496bbf0ec481966ef9ffe5b6660d8d1b55c60cc]

Eva Rachel Retuya (1):
      staging: iio: ad7606: fix improper setting of oversampling pins
         [b321a38d2407c7e425c54bc09be909a34e49f740]

Fabien Parent (1):
      ARM: dts: da850-evm: fix read access to SPI flash
         [43849785e1079f6606a31cb7fda92d1200849728]

Felipe Balbi (7):
      usb: add helper to extract bits 12:11 of wMaxPacketSize
         [541b6fe63023f3059cf85d47ff2767a3e42a8e44]
      usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
         [7931ec86c1b738e4e90e58c6d95e5f720d45ee56]
      usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
         [19ec31230eb3084431bc2e565fd085f79f564274]
      usb: dwc3: gadget: always unmap EP0 requests
         [d62145929992f331fdde924d5963ab49588ccc7d]
      usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs
         [6b9018d4c1e5c958625be94a160a5984351d4632]
      usb: gadget: composite: always set ep->mult to a sensible value
         [eaa496ffaaf19591fe471a36cef366146eeb9153]
      usb: gadget: composite: correctly initialize ep->maxpacket
         [e8f29bb719b47a234f33b0af62974d7a9521a52c]

Feng Tang (1):
      net: alx: Work around the DMA RX overflow issue
         [881d0327db37ad917a367c77aff1afa1ee41e0a9]

Florian Fainelli (6):
      drivers: base: dma-mapping: Fix typo in dmam_alloc_non_coherent comments
         [cd74da957ba2d03787ede1c22bbb183d9c728aad]
      net: korina: Fix NAPI versus resources freeing
         [e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6]
      net: stmmac: Fix error path after register_netdev move
         [b2eb09af7370fedc6b9d9f05762f01625438467a]
      net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
         [5701659004d68085182d2fd4199c79172165fa65]
      net: systemport: Decouple flow control from __bcm_sysport_tx_reclaim
         [148d3d021cf9724fcf189ce4e525a094bbf5ce89]
      net: systemport: Pad packet before inserting TSB
         [38e5a85562a6cd911fc26d951d576551a688574c]

Gabriel Krisman Bertazi (1):
      mmc: sdhci: Ignore unexpected CARD_INT interrupts
         [161e6d44a5e2d3f85365cb717d60e363171b39e6]

Geert Uytterhoeven (1):
      usb: hub: Move hub_port_disable() to fix warning if PM is disabled
         [3bc02bce908c7250781376052248f5cd60a4e3d4]

Geliang Tang (1):
      fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes
         [1deaf9d19776916cd1c83191503bf327319a301a]

Geoff Levand (1):
      powerpc/ps3: Fix system hang with GCC 5 builds
         [6dff5b67054e17c91bd630bcdda17cfca5aa4215]

Gerald Schaefer (1):
      s390/vmlogrdr: fix IUCV buffer allocation
         [5457e03de918f7a3e294eb9d26a608ab8a579976]

Giuseppe Lippolis (1):
      USB: serial: option: add dlink dwm-158
         [d8a12b7117b42fd708f1e908498350232bdbd5ff]

Govindarajulu Varadarajan (1):
      enic: set skb->hash type properly
         [17197236d62c44da127be461c63ac5cc2cce1e53]

Greg Kroah-Hartman (2):
      HID: hid-cypress: validate length of report
         [1ebb71143758f45dc0fa76e2f48429e13b16d110]
      usb: gadgetfs: restrict upper bound on device configuration size
         [0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1]

Guenter Roeck (3):
      cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
         [328cf6927bb72cadefddebbc9a23c793108147a2]
      hwmon: (ds620) Fix overflows seen when writing temperature limits
         [e36ce99ee0815d7919a7b589bfb66f3de50b6bc7]
      hwmon: (g762) Fix overflows and crash seen when writing limit attributes
         [4fccd4a1e8944033bcd7693ea4e8fb478cd2059a]

Hangbin Liu (3):
      igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
         [9c8bb163ae784be4f79ae504e78c862806087c54]
      igmp: do not remove igmp souce list info when set link down
         [24803f38a5c0b6c57ed800b47e695f9ce474bc3a]
      mld: do not remove mld souce list info when set link down
         [1666d49e1d416fcc2cce708242a52fe3317ea8ba]

Hannes Frederic Sowa (1):
      udp: prevent skbs lingering in tunnel socket queues
         [e5aed006be918af163eb397e45aa5ea6cefd5e01]

Hans de Goede (1):
      drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating
         [721d484563e1a51ada760089c490cbc47e909756]

Hauke Mehrtens (1):
      mtd: nand: xway: disable module support
         [73529c872a189c747bdb528ce9b85b67b0e28dec]

Hayeswang (1):
      r8152: fix the sw rx checksum is unavailable
         [19c0f40d4fca3a47b8f784a627f0467f0138ccc8]

Helge Deller (1):
      parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
         [2ad5d52d42810bed95100a3d912679d8864421ec]

Herbert Xu (3):
      gro: Disable frag0 optimization on IPv6 ext headers
         [57ea52a865144aedbcd619ee0081155e658b6f7d]
      gro: Enter slow-path if there is no tailroom
         [1272ce87fa017ca4cf32920764d879656b7a005a]
      tun: Fix TUN_PKT_STRIP setting
         [2eb783c43e7cf807a45899c10ed556b6dc116625]

Hiroshi Shimamoto (1):
      sched/cputime: Fix invalid gtime in proc
         [2541117b0cf79977fa11a0d6e17d61010677bd7b]

Huang Rui (1):
      iommu/amd: Fix the left value check of cmd buffer
         [432abf68a79332282329286d190e21fe3ac02a31]

Hui Wang (1):
      ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
         [af677166cf63c179dc2485053166e02c4aea01eb]

Ian Campbell (1):
      VSOCK: do not disconnect socket when peer has shutdown  SEND only
         [dedc58e067d8c379a15a8a183c5db318201295bb]

Ilia Mirkin (1):
      drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
         [24bf7ae359b8cca165bb30742d2b1c03a1eb23af]

Ilya Dryomov (1):
      libceph: verify authorize reply on connect
         [5c056fdc5b474329037f2aa18401bd73033e0ce0]

Ivan Vecera (1):
      be2net: fix status check in be_cmd_pmac_add()
         [fe68d8bfe59c561664aa87d827aa4b320eb08895]

J. Bruce Fields (2):
      svcrpc: don't leak contexts on PROC_DESTROY
         [78794d1890708cf94e3961261e52dcec2cc34722]
      svcrpc: fix oops in absence of krb5 module
         [034dd34ff4916ec1f8f74e39ca3efb04eab2f791]

Jack Morgenstein (5):
      IB/mlx4: Fix out-of-range array index in destroy qp flow
         [c482af646d0809a8d5e1b7f4398cce3592589b98]
      net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
         [9577b174cd0323d287c994ef0891db71666d0765]
      net/mlx4_core: Fix racy CQ (Completion Queue) free
         [291c566a28910614ce42d0ffe82196eddd6346f4]
      net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions
         [7c3945bc2073554bb2ecf983e073dee686679c53]
      net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach
         [3b01fe7f91c8e4f9afc4fae3c5af72c14958d2d8]

Jakub Sitnicki (1):
      ipv6: Skip XFRM lookup if dst_entry in socket cache is  valid
         [00bc0ef5880dc7b82f9c320dead4afaad48e47be]

James Hogan (1):
      KVM: MIPS: Flush KVM entry code from icache globally
         [32eb12a6c11034867401d56b012e3c15d5f8141e]

Jan Kara (1):
      fsnotify: Fix possible use-after-free in inode iteration on umount
         [5716863e0f8251d3360d4cbfc0e44e08007075df]

Jeff Layton (1):
      ceph: fix bad endianness handling in parse_reply_info_extra
         [6df8c9d80a27cb587f61b4f06b57e248d8bc3f86]

Jeff Mahoney (3):
      btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
         [2a362249187a8d0f6d942d6e1d763d150a296f47]
      btrfs: fix error handling when run_delayed_extent_op fails
         [aa7c8da35d1905d80e840d075f07d26ec90144b5]
      btrfs: fix locking when we put back a delayed ref that's too new
         [d0280996437081dd12ed1e982ac8aeaa62835ec4]

Jens Axboe (1):
      nbd: fix use-after-free of rq/bio in the xmit path
         [429a787be6793554ee02aacc7e1f11ebcecc4453]

Jeremy Linton (1):
      net: sky2: Fix shutdown crash
         [06ba3b2133dc203e1e9bc36cee7f0839b79a9e8b]

Jiri Slaby (1):
      net: sctp, forbid negative length
         [a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf]

Johan Hovold (34):
      USB: ch341: remove redundant close from open error path
         [394a10331a9e43100a8ee293255cfc428c7355ac]
      USB: phy: am335x-control: fix device and of_node leaks
         [015105b12183556771e111e93f5266851e7c5582]
      USB: serial: ch341: fix baud rate and line-control handling
         [55fa15b5987db22b4f35d3f0798928c126be5f1c]
      USB: serial: ch341: fix control-message error handling
         [2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae]
      USB: serial: ch341: fix initial modem-control state
         [4e2da44691cffbfffb1535f478d19bc2dca3e62b]
      USB: serial: ch341: fix modem-control and B0 handling
         [030ee7ae52a46a2be52ccc8242c4a330aba8d38e]
      USB: serial: ch341: fix open and resume after B0
         [a20047f36e2f6a1eea4f1fd261aaa55882369868]
      USB: serial: ch341: fix open error handling
         [f2950b78547ffb8475297ada6b92bc2d774d5461]
      USB: serial: ch341: fix resume after reset
         [ce5e292828117d1b71cbd3edf9e9137cf31acd30]
      USB: serial: cyberjack: fix NULL-deref at open
         [3dca01114dcecb1cf324534cd8d75fd1306a516b]
      USB: serial: garmin_gps: fix memory leak on failed URB submit
         [c4ac4496e835b78a45dfbf74f6173932217e4116]
      USB: serial: io_edgeport: fix NULL-deref at open
         [0dd408425eb21ddf26a692b3c8044c9e7d1a7948]
      USB: serial: io_ti: fix NULL-deref at open
         [a323fefc6f5079844dc62ffeb54f491d0242ca35]
      USB: serial: io_ti: fix another NULL-deref at open
         [4f9785cc99feeb3673993b471f646b4dbaec2cc1]
      USB: serial: iuu_phoenix: fix NULL-deref at open
         [90507d54f712d81b74815ef3a4bbb555cd9fab2f]
      USB: serial: keyspan_pda: verify endpoints at probe
         [5d9b0f859babe96175cd33d7162a9463a875ffde]
      USB: serial: kl5kusb105: fix open error path
         [6774d5f53271d5f60464f824748995b71da401ab]
      USB: serial: kobil_sct: fix NULL-deref in write
         [21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09]
      USB: serial: mos7720: fix NULL-deref at open
         [b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc]
      USB: serial: mos7720: fix parallel probe
         [fde1faf872ed86d88e245191bc15a8e57368cd1c]
      USB: serial: mos7720: fix parport use-after-free on probe errors
         [75dd211e773afcbc264677b0749d1cf7d937ab2d]
      USB: serial: mos7720: fix use-after-free on probe errors
         [91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3]
      USB: serial: mos7840: fix NULL-deref at open
         [5c75633ef751dd4cd8f443dc35152c1ae563162e]
      USB: serial: mos7840: fix misleading interrupt-URB comment
         [472d7e55d559aa1cbf58c73b14fcfc4651b1a9f5]
      USB: serial: omninet: fix NULL-derefs at open and disconnect
         [a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e]
      USB: serial: oti6858: fix NULL-deref at open
         [5afeef2366db14587b65558bbfd5a067542e07fb]
      USB: serial: pl2303: fix NULL-deref at open
         [76ab439ed1b68778e9059c79ecc5d14de76c89a8]
      USB: serial: quatech2: fix sleep-while-atomic in close
         [f09d1886a41e9063b43da493ef0e845ac8afd2fa]
      USB: serial: spcp8x5: fix NULL-deref at open
         [cc0909248258f679c4bb4cd315565d40abaf6bc6]
      USB: serial: ti_usb_3410_5052: fix NULL-deref at open
         [ef079936d3cd09e63612834fe2698eeada0d8e3f]
      bus: vexpress-config: fix device reference leak
         [c090959b9dd8c87703e275079aa4b4a824ba3f8e]
      powerpc/ibmebus: Fix device reference leaks in sysfs interface
         [fe0f3168169f7c34c29b0cf0c489f126a7f29643]
      powerpc/ibmebus: Fix further device reference leaks
         [815a7141c4d1b11610dccb7fcbb38633759824f2]
      powerpc/pci/rpadlpar: Fix device reference leaks
         [99e5cde5eae78bef95bfe7c16ccda87fb070149b]

Johannes Berg (1):
      cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts
         [e6f462df9acd2a3295e5d34eb29e2823220cf129]

John Brooks (1):
      iio: dht11: Use usleep_range instead of msleep for start signal
         [5c113b5e0082e90d2e1c7b12e96a7b8cf0623e27]

Joonyoung Shim (1):
      clocksource/exynos_mct: Clear interrupt when cpu is shut down
         [bc7c36eedb0c7004aa06c2afc3c5385adada8fa3]

Josef Bacik (1):
      nbd: only set MSG_MORE when we have more to send
         [d61b7f972dab2a7d187c38254845546dfc8eed85]

Julien Grall (1):
      arm/xen: Use alloc_percpu rather than __alloc_percpu
         [24d5373dda7c00a438d26016bce140299fae675e]

Jussi Laako (1):
      ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
         [995c6a7fd9b9212abdf01160f6ce3193176be503]

Kamal Heib (1):
      IB/IPoIB: Remove can't use GFP_NOIO warning
         [0b59970e7d96edcb3c7f651d9d48e1a59af3c3b0]

Kashyap Desai (1):
      scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset
         [18e1c7f68a5814442abad849abe6eacbf02ffd7c]

Kefeng Wang (1):
      ipv6: addrconf: Avoid addrconf_disable_change() using  RCU read-side lock
         [03e4deff4987f79c34112c5ba4eb195d4f9382b0]

Keno Fischer (1):
      mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
         [8310d48b125d19fcd9521d83b8293e63eb1646aa]

Kinglong Mee (1):
      SUNRPC: cleanup ida information when removing sunrpc module
         [c929ea0b910355e1876c64431f3d5802f95b3d75]

Kirtika Ruchandani (1):
      regmap: cache: Remove unused 'blksize' variable
         [daaadbf07433b15c452b2ff411a293b2ccd98e03]

Konstantin Khlebnikov (1):
      md/raid5: limit request size according to implementation limits
         [e8d7c33232e5fdfa761c3416539bc5b4acd12db5]

Krzysztof Kozlowski (1):
      thermal: hwmon: Properly report critical temperature in sysfs
         [f37fabb8643eaf8e3b613333a72f683770c85eca]

Krzysztof Opasiak (1):
      usb: gadget: composite: Test get_alt() presence instead of set_alt()
         [7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f]

Kyle Roeschley (1):
      ARM: zynq: Reserve correct amount of non-DMA RAM
         [7a3cc2a7b2c723aa552028f4e66841cec183756d]

Larry Finger (2):
      powerpc: Fix build warning on 32-bit PPC
         [8ae679c4bc2ea2d16d92620da8e3e9332fa4039f]
      ssb: Fix error routine when fallback SPROM fails
         [8052d7245b6089992343c80b38b14dbbd8354651]

Leon Romanovsky (1):
      net/mlx4: Remove BUG_ON from ICM allocation routine
         [c1d5f8ff80ea84768f5fae1ca9d1abfbb5e6bbaa]

Linus Walleij (1):
      regulator: stw481x-vmmc: fix ages old enable error
         [295070e9aa015abb9b92cccfbb1e43954e938133]

Liping Zhang (2):
      netfilter: nft_log: restrict the log prefix length to 127
         [5ce6b04ce96896e8a79e6f60740ced911eaac7a4]
      netfilter: rpfilter: fix incorrect loopback packet judgment
         [6443ebc3fdd6f3c766d9442c18be274b3d736050]

Lu Baolu (2):
      usb: xhci: fix possible wild pointer
         [2b985467371a58ae44d76c7ba12b0951fee6ed98]
      usb: xhci: hold lock over xhci_abort_cmd_ring()
         [4dea70778c0f48b4385c7720c363ec8d37a401b4]

Lukasz Odzioba (1):
      x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
         [dd853fd216d1485ed3045ff772079cc8689a9a4a]

Lukáš Lalinský (1):
      USB: Add quirk for WORLDE easykey.25 MIDI keyboard
         [d9b2997e4a0a874e452df7cdd7de5a54502bd0aa]

Madhavan Srinivasan (1):
      selftest/powerpc: Wrong PMC initialized in pmc56_overflow test
         [df21d2fa733035e4d414379960f94b2516b41296]

Maor Gottlieb (3):
      IB/mlx4: Put non zero value in max_ah device attribute
         [731e0415b4af3a133d0316e4dc8ef0ea57dc3fdf]
      IB/mlx4: Set traffic class in AH
         [af4295c117b82a521b05d0daf39ce879d26e6cb1]
      IB/mlx5: Put non zero value in max_ah
         [86695a6582e3b1c4895de2bde4e1022b3a8fbda0]

Marcel J.E. Mol (1):
      USB: serial: pl2303: add ATEN device ID
         [d07830db1bdb254e4b50d366010b219286b8c937]

Marcelo Ricardo Leitner (3):
      sctp: assign assoc_id earlier in __sctp_connect
         [7233bc84a3aeda835d334499dc00448373caf5c0]
      sctp: avoid BUG_ON on sctp_wait_for_sndbuf
         [2dcab598484185dea7ec22219c76dcdd59e3cb90]
      sctp: deny peeloff operation on asocs with threads sleeping on it
         [dfcb9f4f99f1e9a49e43398a7bfbf56927544af1]

Marcos Paulo de Souza (1):
      Input: i8042 - add Pegatron touchpad to noloop table
         [41c567a5d7d1a986763e58c3394782813c3bcb03]

Mark Bloch (1):
      IB/core: Save QP in ib_flow structure
         [8ecc7985b4b15f1f14bce31d8ab45dc426df7da3]

Mark Rutland (2):
      ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
         [ddc37832a1349f474c4532de381498020ed71d31]
      arm64: avoid returning from bad_mode
         [7d9e8f71b989230bc613d121ca38507d34ada849]

Mathias Nyman (4):
      usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
         [37be66767e3cae4fd16e064d8bb7f9f72bf5c045]
      xhci: Handle command completion and timeout race
         [a5a1b9514154437aa1ed35c291191f82fd3e941a]
      xhci: fix deadlock at host remove by running watchdog correctly
         [d6169d04097fd9ddf811e63eae4e5cd71e6666e2]
      xhci: free xhci virtual devices with leaf nodes first
         [ee8665e28e8d90ce69d4abe5a469c14a8707ae0e]

Mauro Carvalho Chehab (1):
      [media] siano: make it work again with CONFIG_VMAP_STACK
         [f9c85ee67164b37f9296eab3b754e543e4e96a1c]

Maxim Patlasov (1):
      btrfs: limit async_work allocation and worker func duration
         [2939e1a86f758b55cdba73e29397dd3d94df13bc]

Maxime Jayat (1):
      net: socket: fix recvmmsg not returning error from sock_error
         [e623a9e9dec29ae811d11f83d0074ba254aba374]

Michal Hocko (2):
      hotplug: Make register and unregister notifier API symmetric
         [777c6e0daebb3fcefbbd6f620410a946b07ef6d0]
      mm, fs: check for fatal signals in do_generic_file_read()
         [5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6]

Michal Tesar (1):
      igmp: Make igmp group member RFC 3376 compliant
         [7ababb782690e03b78657e27bd051e20163af2d6]

Michel Dänzer (2):
      drm/radeon: Hide the HW cursor while it's out of bounds
         [6b16cf7785a4200b1bddf4f70c9dda2efc49e278]
      drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
         [d74c67dd7800fc7aae381f272875c337f268806c]

Mike Kravetz (1):
      mm/hugetlb.c: fix reservation race when freeing surplus pages
         [e5bbc8a6c992901058bc09e2ce01d16c111ff047]

Miklos Szeredi (1):
      vfs: fix uninitialized flags in splice_to_pipe()
         [5a81e6a171cdbd1fa8bc1fdd80c23d3d71816fac]

Nathaniel Quillin (1):
      USB: cdc-acm: add device id for GW Instek AFG-125
         [301216044e4c27d5a7323c1fa766266fad00db5e]

Neil Horman (1):
      netem: Segment GSO packets on enqueue
         [6071bd1aa13ed9e41824bafad845b7b7f4df5cfd]

NeilBrown (2):
      NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
         [cfd278c280f997cf2fe4662e0acab0fe465f637b]
      block_dev: don't test bdev->bd_contains when it is not stable
         [bcc7f5b4bee8e327689a4d994022765855c807ff]

Nicholas Bellinger (3):
      target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
         [9b2792c3da1e80f2d460167d319302a24c9ca2b7]
      target: Fix early transport_generic_handle_tmr abort scenario
         [c54eeffbe9338fa982dc853d816fda9202a13b5a]
      target: Use correct SCSI status during EXTENDED_COPY exception
         [0583c261e6325f392c1f7a1b9112e31298e1a4bd]

Nicholas Mc Guire (1):
      x86/boot: Add missing declaration of string functions
         [fac69d0efad08fc15e4dbfc116830782acc0dc9a]

Nicholas Piggin (1):
      powerpc/boot: Request no dynamic linker for boot wrapper
         [ff45000fcb56b5b0f1a14a865d3541746d838a0a]

Nicolai Stange (1):
      f2fs: set ->owner for debugfs status file's file_operations
         [05e6ea2685c964db1e675a24a4f4e2adc22d2388]

Nicolas Iooss (1):
      [media] ite-cir: initialize use_demodulator before using it
         [7ec03e60ef81c19b5d3a46dd070ee966774b860f]

Nicolas PLANEL (1):
      USB: ch341: set tty baud speed according to tty struct
         [aa91def41a7bb1fd65492934ce6bea19202b6080]

Nikolay Aleksandrov (1):
      net: bridge: fix old ioctl unlocked net device walk
         [31ca0458a61a502adb7ed192bf9716c6d05791a5]

Oliver Hartkopp (1):
      can: bcm: fix hrtimer/tasklet termination in bcm op removal
         [a06393ed03167771246c4c43192d9c264bc48412]

Oliver Neukum (1):
      usb: storage: unusual_uas: Add JMicron JMS56x to unusual device
         [674aea07e38200ea6f31ff6d5f200f0cf6cdb325]

Ondrej Kozina (1):
      dm crypt: mark key as invalid until properly loaded
         [265e9098bac02bc5e36cda21fdbad34cb5b2f48d]

Pan Bian (2):
      USB: serial: kl5kusb105: abort on open exception path
         [3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c]
      clk: clk-wm831x: fix a logic error
         [20979202ee6e4c68dab7bcf408787225a656d18e]

Paolo Abeni (1):
      ip6_tunnel: disable caching when the traffic class is inherited
         [b5c2d49544e5930c96e2632a7eece3f4325a1888]

Paolo Bonzini (1):
      kvm: fix page struct leak in handle_vmon
         [06ce521af9558814b8606c0476c54497cf83a653]

Patrik Jakobsson (1):
      drm/gma500: Add compat ioctl
         [0a97c81a9717431e6c57ea845b59c3c345edce67]

Paul Mackerras (1):
      KVM: PPC: Book3S HV: Save/restore XER in checkpointed register state
         [0d808df06a44200f52262b6eb72bcb6042f5a7c5]

Pavel Shilovsky (3):
      CIFS: Fix a possible memory corruption during reconnect
         [53e0e11efe9289535b060a51d4cf37c25e0d0f2b]
      CIFS: Fix a possible memory corruption in push locks
         [e3d240e9d505fc67f8f8735836df97a794bbd946]
      CIFS: Fix missing nls unload in smb2_reconnect()
         [4772c79599564bd08ee6682715a7d3516f67433f]

Peter Zijlstra (1):
      perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
         [0b3589be9b98994ce3d5aeca52445d1f5627c4ba]

Quinn Tran (1):
      qla2xxx: Fix crash due to null pointer access
         [fc1ffd6cb38a1c1af625b9833c41928039e733f5]

Rabin Vincent (1):
      block: protect iterate_bdevs() against concurrent close
         [af309226db916e2c6e08d3eba3fa5c34225200c4]

Rasmus Villemoes (1):
      lib/vsprintf.c: improve sanity check in vsnprintf()
         [2aa2f9e21e4eb25c720b2e7d80f8929638f6ad73]

Reiter Wolfgang (2):
      drop_monitor: add missing call to genlmsg_end
         [4200462d88f47f3759bdf4705f87e207b0f5b2e4]
      drop_monitor: consider inserted data in genlmsg_end
         [3b48ab2248e61408910e792fe84d6ec466084c1a]

Richard Genoud (1):
      tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done
         [b389f173aaa1204d6dc1f299082a162eb0491545]

Richard Weinberger (1):
      ubifs: Fix journal replay wrt. xattr nodes
         [1cb51a15b576ee325d527726afff40947218fd5e]

Robbie Ko (1):
      Btrfs: fix tree search logic when replaying directory entry deletes
         [2a7bf53f577e49c43de4ffa7776056de26db65d9]

Rolf Eike Beer (1):
      selftests: do not require bash to run netsocktests testcase
         [3659f98b5375d195f1870c3e508fe51e52206839]

Russell Currey (1):
      drivers/gpu/drm/ast: Fix infinite loop if read fails
         [298360af3dab45659810fdc51aba0c9f4097e4f6]

Russell King (1):
      i2c: mux: pca954x: fix i2c mux selection caching
         [7f638c1cb0a1112dbe0b682a42db30521646686b]

Saeed Mahameed (1):
      IB/mlx4: Fix port query for 56Gb Ethernet links
         [6fa26208206c406fa529cd73f7ae6bf4181e270b]

Salvatore Benedetto (1):
      crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
         [d6040764adcb5cb6de1489422411d701c158bb69]

Sergei Shtylyov (3):
      sh_eth: R8A7740 supports packet shecksumming
         [0f1f9cbc04dbb3cc310f70a11cba0cf1f2109d9c]
      sh_eth: enable RX descriptor word 0 shift on SH7734
         [71eae1ca77fd6be218d8a952d97bba827e56516d]
      sh_eth: fix EESIPR values for SH77{34|63}
         [978d3639fd13d987950e4ce85c8737ae92154b2c]

Sergey Senozhatsky (1):
      printk: use rcuidle console tracepoint
         [fc98c3c8c9dcafd67adcce69e6ce3191d5306c9c]

Shannon Nelson (1):
      tcp: fix tcp_fastopen unaligned access complaints on sparc
         [003c941057eaa868ca6fedd29a274c863167230d]

Shaohua Li (1):
      md: MD_RECOVERY_NEEDED is set for mddev->recovery
         [82a301cb0ea2df8a5c88213094a01660067c7fb4]

Shmulik Ladkani (1):
      net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
         [d65f2fa680d6f91438461df54c83a331b3a631c9]

Simon Horman (1):
      sit: correct IP protocol used in ipip6_err
         [d5d8760b78d0cfafe292f965f599988138b06a70]

Soheil Hassas Yeganeh (1):
      sock: fix sendmmsg for partial sendmsg
         [3023898b7d4aac65987bd2f485cc22390aae6f78]

Stefan Wahren (1):
      mmc: mxs-mmc: Fix additional cycles after transmission stop
         [01167c7b9cbf099c69fe411a228e4e9c7104e123]

Steffen Maier (3):
      scsi: zfcp: do not trace pure benign residual HBA responses at default level
         [56d23ed7adf3974f10e91b643bd230e9c65b5f79]
      scsi: zfcp: fix rport unblock race with LUN recovery
         [6f2ce1c6af37191640ee3ff6e8fc39ea10352f4c]
      scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
         [2dfa6688aafdc3f74efeb1cf05fb871465d67f79]

Stephen Hemminger (1):
      netvsc: reduce maximum GSO size
         [a50af86dd49ee1851d1ccf06dd0019c05b95e297]

Steven Rostedt (2):
      fgraph: Handle a case where a tracer ignores set_graph_notrace
         [794de08a16cf1fc1bf785dc48f66d36218cf6d88]
      ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it
         [847fa1a6d3d00f3bdf68ef5fa4a786f644a0dd67]

Takashi Iwai (7):
      ALSA: hda - Add the top speaker pin config for HP Spectre x360
         [0eec880966e77bdbee0112989a2be67d92e39929]
      ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
         [c7efff9284dfde95a11aaa811c9d8ec8167f0f6e]
      ALSA: hda - Fix up GPIO for ASUS ROG Ranger
         [85bcf96caba8b4a7c0805555638629ba3c67ea0c]
      ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
         [f73cd43ac3b41c0f09a126387f302bbc0d9c726d]
      ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
         [37a7ea4a9b81f6a864c10a7cb0b96458df5310a3]
      ALSA: seq: Fix race at creating a queue
         [4842e98f26dd80be3623c4714a244ba52ea096a8]
      ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
         [4763601a56f155ddf94ef35fc2c41504a2de15f5]

Theodore Ts'o (3):
      ext4: add sanity checking to count_overhead()
         [c48ae41bafe31e9a66d8be2ced4e42a6b57fa814]
      ext4: fix in-superblock mount options processing
         [5aee0f8a3f42c94c5012f1673420aee96315925a]
      ext4: use more strict checks for inodes_per_block on mount
         [cd6bb35bf7f6d7d922509bf50265383a0ceabe96]

Thorsten Horstmann (1):
      mac80211: Fix adding of mesh vendor IEs
         [da7061c82e4a1bc6a5e134ef362c86261906c860]

Tom Goff (1):
      ipmr/ip6mr: Initialize the last assert time of mfc entries.
         [70a0dec45174c976c64b4c8c1d0898581f759948]

Tony Lindgren (1):
      usb: musb: Fix trying to free already-free IRQ 4
         [8c300fe282fa254ea730c92cb0983e2642dc1fff]

Trond Myklebust (1):
      NFS: Fix a performance regression in readdir
         [79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb]

Vineet Gupta (2):
      ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
         [a524c218bc94c705886a0e0fedeee45d1931da32]
      ARC: [arcompact] handle unaligned access delay slot corner case
         [9aed02feae57bf7a40cb04ea0e3017cb7a998db4]

Vlad Tsyrklevich (1):
      i2c: fix kernel memory disclosure in dev interface
         [30f939feaeee23e21391cfc7b484f012eb189c3c]

Vladimir Zapolskiy (3):
      ARM: dts: imx31: fix AVIC base address
         [af92305e567b7f4c9cf48b9e46c1f48ec9ffb1fb]
      ARM: dts: imx31: fix clock control module interrupts description
         [2e575cbc930901718cc18e084566ecbb9a4b5ebb]
      ARM: dts: imx31: move CCM device node to AIPS2 bus devices
         [1f87aee6a2e55eda466a43ba6248a8b75eede153]

WANG Cong (4):
      ping: fix a null pointer dereference
         [73d2c6678e6c3af7e7a42b1e78cd0211782ade32]
      sch_dsmark: update backlog as well
         [bdf17661f63a79c3cb4209b970b1cc39e34f7543]
      sch_htb: update backlog as well
         [431e3a8e36a05a37126f34b41aa3a5a6456af04e]
      sit: fix a double free on error path
         [d7426c69a1942b2b9b709bf66b944ff09f561484]

Wan Ahmad Zainie (1):
      usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake
         [6c97cfc1a097b1e0786c836e92b7a72b4d031e25]

Wei Fang (1):
      scsi: avoid a permanent stop of the scsi device's request queue
         [d2a145252c52792bc59e4767b486b26c430af4bb]

Wei Yongjun (1):
      iw_cxgb4: Fix error return code in c4iw_rdev_open()
         [15f7e3c21b76598bc6e5816d2577ce843b2b963f]

Willem de Bruijn (2):
      macvtap: read vnet_hdr_size once
         [837585a5375c38d40361cfe64e6fd11e1addb936]
      tun: read vnet_hdr_sz once
         [e1edab87faf6ca30cd137e0795bc73aa9a9a22ec]

Yang Yang (1):
      futex: Move futex_init() to core_initcall
         [25f71d1c3e98ef0e52371746220d66458eac75bc]

Yegor Yefremov (1):
      can: ti_hecc: add missing prepare and unprepare of the clock
         [befa60113ce7ea270cb51eada28443ca2756f480]

 .../devicetree/bindings/clock/imx31-clock.txt      |   2 +-
 Documentation/virtual/kvm/api.txt                  |   1 +
 MAINTAINERS                                        |   4 +-
 Makefile                                           |   4 +-
 arch/arc/kernel/unaligned.c                        |   3 +-
 arch/arm/boot/dts/da850-evm.dts                    |   1 +
 arch/arm/boot/dts/imx31.dtsi                       |  18 +-
 arch/arm/boot/dts/imx6q-cm-fx6.dts                 |   1 -
 arch/arm/include/asm/cputype.h                     |   3 +
 arch/arm/kernel/hw_breakpoint.c                    |  16 ++
 arch/arm/kernel/ptrace.c                           |   2 +-
 arch/arm/mach-davinci/da850.c                      |  12 +-
 arch/arm/mach-ux500/pm.c                           |   4 +-
 arch/arm/mach-zynq/common.c                        |   2 +-
 arch/arm/xen/enlighten.c                           |   3 +-
 arch/arm64/crypto/aes-ce-ccm-core.S                |  53 +++---
 arch/arm64/crypto/aes-ce.S                         |   1 +
 arch/arm64/crypto/aes-modes.S                      |  91 +++++-----
 arch/arm64/crypto/aes-neon.S                       |  25 +--
 arch/arm64/crypto/ghash-ce-core.S                  |   6 +-
 arch/arm64/crypto/sha1-ce-core.S                   |   4 +-
 arch/arm64/crypto/sha2-ce-core.S                   |   4 +-
 arch/arm64/include/uapi/asm/ptrace.h               |   1 +
 arch/arm64/kernel/entry.S                          |   2 +-
 arch/arm64/kernel/ptrace.c                         |  11 +-
 arch/arm64/kernel/traps.c                          |  28 ++-
 arch/cris/boot/rescue/Makefile                     |   8 +
 arch/mips/kvm/kvm_mips.c                           |   4 +-
 arch/parisc/include/asm/bitops.h                   |   8 +-
 arch/parisc/include/uapi/asm/bitsperlong.h         |   2 -
 arch/parisc/include/uapi/asm/swab.h                |   5 +-
 arch/powerpc/boot/ps3-head.S                       |   5 -
 arch/powerpc/boot/ps3.c                            |   8 +-
 arch/powerpc/boot/wrapper                          |  24 ++-
 arch/powerpc/include/asm/kvm_host.h                |   1 +
 arch/powerpc/include/asm/ppc-opcode.h              |  10 +-
 arch/powerpc/include/uapi/asm/kvm.h                |   1 +
 arch/powerpc/kernel/asm-offsets.c                  |   1 +
 arch/powerpc/kernel/ibmebus.c                      |  16 +-
 arch/powerpc/kernel/misc_32.S                      |   2 +-
 arch/powerpc/kernel/prom_init.c                    |   3 +
 arch/powerpc/kernel/ptrace.c                       |   7 +
 arch/powerpc/kvm/book3s_hv.c                       |   6 +
 arch/powerpc/kvm/book3s_hv_rmhandlers.S            |   4 +
 arch/sparc/kernel/leon_kernel.c                    |  56 +++---
 arch/tile/kernel/ptrace.c                          |   2 +-
 arch/x86/boot/string.c                             |   1 +
 arch/x86/boot/string.h                             |   9 +
 arch/x86/kernel/cpu/common.c                       |   2 +-
 arch/x86/kernel/entry_32.S                         |   4 +-
 arch/x86/kvm/lapic.c                               |   6 +
 arch/x86/kvm/lapic.h                               |   1 +
 arch/x86/kvm/vmx.c                                 |  10 +-
 arch/x86/kvm/x86.c                                 |  12 +-
 arch/x86/pci/acpi.c                                |  10 ++
 crypto/algapi.c                                    |   1 +
 drivers/ata/sata_mv.c                              |   3 +
 drivers/base/dma-mapping.c                         |   4 +-
 drivers/base/regmap/regcache-lzo.c                 |   8 +-
 drivers/block/nbd.c                                |  34 ++--
 drivers/bus/vexpress-config.c                      |   7 +-
 drivers/clk/clk-wm831x.c                           |   2 +-
 drivers/clk/shmobile/clk-mstp.c                    |  27 ++-
 drivers/clocksource/exynos_mct.c                   |   5 +
 drivers/crypto/caam/caamalg.c                      |   4 +-
 drivers/devfreq/devfreq.c                          |  19 ++-
 drivers/gpu/drm/ast/ast_main.c                     |   7 +-
 drivers/gpu/drm/gma500/psb_drv.c                   |   3 +
 drivers/gpu/drm/i915/intel_crt.c                   |   9 +-
 drivers/gpu/drm/i915/intel_display.c               |   4 +-
 drivers/gpu/drm/i915/intel_pm.c                    |  11 +-
 drivers/gpu/drm/nouveau/dispnv04/hw.c              |   3 +-
 drivers/gpu/drm/radeon/radeon_cursor.c             |  56 ++++--
 drivers/gpu/drm/radeon/radeon_mode.h               |   1 +
 drivers/gpu/drm/radeon/si_dpm.c                    |  14 +-
 drivers/hid/hid-cypress.c                          |   3 +
 drivers/hwmon/ds620.c                              |   2 +-
 drivers/hwmon/g762.c                               |  11 +-
 drivers/i2c/i2c-dev.c                              |   2 +-
 drivers/i2c/muxes/i2c-mux-pca954x.c                |   5 +-
 drivers/iio/humidity/dht11.c                       |   6 +-
 drivers/infiniband/core/mad.c                      |   2 +-
 drivers/infiniband/core/multicast.c                |   7 +-
 drivers/infiniband/core/uverbs_cmd.c               |   1 -
 drivers/infiniband/core/verbs.c                    |   4 +-
 drivers/infiniband/hw/cxgb4/device.c               |   1 +
 drivers/infiniband/hw/mlx4/ah.c                    |   6 +-
 drivers/infiniband/hw/mlx4/main.c                  |  30 ++--
 drivers/infiniband/hw/mlx4/qp.c                    |   3 +-
 drivers/infiniband/hw/mlx5/main.c                  |   1 +
 drivers/infiniband/hw/mlx5/mr.c                    |  28 +++
 drivers/infiniband/ulp/ipoib/ipoib_cm.c            |   2 -
 drivers/infiniband/ulp/ipoib/ipoib_multicast.c     |   7 +-
 drivers/input/serio/i8042-x86ia64io.h              |   6 +
 drivers/iommu/amd_iommu.c                          |   2 +-
 drivers/isdn/hardware/eicon/message.c              |   3 +-
 drivers/md/dm-crypt.c                              |   7 +-
 drivers/md/dm.c                                    |  10 +-
 drivers/md/md.c                                    |   2 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |  14 +-
 drivers/md/raid5.c                                 |   9 +
 drivers/media/i2c/Kconfig                          |   1 +
 drivers/media/platform/davinci/vpfe_capture.c      |   1 +
 drivers/media/rc/ite-cir.c                         |   2 +
 drivers/media/usb/siano/smsusb.c                   |  18 +-
 drivers/misc/mei/client.c                          |  20 ++-
 drivers/mmc/core/mmc.c                             |   4 +-
 drivers/mmc/host/mxs-mmc.c                         |   6 +-
 drivers/mmc/host/sdhci.c                           |  23 ++-
 drivers/mtd/nand/Kconfig                           |   2 +-
 drivers/net/bonding/bond_netlink.c                 |   6 +-
 drivers/net/can/c_can/c_can_pci.c                  |   1 +
 drivers/net/can/ti_hecc.c                          |  16 +-
 drivers/net/ethernet/atheros/alx/main.c            |   7 +-
 drivers/net/ethernet/broadcom/bcmsysport.c         |  43 +++--
 drivers/net/ethernet/cisco/enic/enic_main.c        |  18 +-
 drivers/net/ethernet/emulex/benet/be_cmds.c        |   2 +-
 drivers/net/ethernet/korina.c                      |   8 +-
 drivers/net/ethernet/marvell/sky2.c                |  13 ++
 drivers/net/ethernet/mellanox/mlx4/cq.c            |  38 +++--
 drivers/net/ethernet/mellanox/mlx4/en_rx.c         |  13 +-
 drivers/net/ethernet/mellanox/mlx4/eq.c            |  23 ++-
 drivers/net/ethernet/mellanox/mlx4/icm.c           |   7 +-
 .../net/ethernet/mellanox/mlx4/resource_tracker.c  |  11 +-
 drivers/net/ethernet/renesas/sh_eth.c              |   6 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  20 ++-
 drivers/net/ethernet/xilinx/xilinx_emaclite.c      | 126 +++++++-------
 drivers/net/hyperv/netvsc_drv.c                    |   4 +
 drivers/net/macvtap.c                              |   4 +-
 drivers/net/tun.c                                  |  20 ++-
 drivers/net/usb/catc.c                             |  56 +++---
 drivers/net/usb/cdc_ether.c                        |   8 +
 drivers/net/usb/cdc_ncm.c                          |   7 +
 drivers/net/usb/pegasus.c                          |  29 +++-
 drivers/net/usb/qmi_wwan.c                         |   7 +
 drivers/net/usb/r8152.c                            |   7 +-
 drivers/net/usb/rtl8150.c                          |  34 +++-
 drivers/net/vxlan.c                                |   8 +-
 drivers/net/xen-netfront.c                         |   9 +-
 drivers/pci/hotplug/rpadlpar_core.c                |  10 +-
 drivers/pci/pci.c                                  |   4 +
 drivers/platform/x86/intel_mid_powerbtn.c          |   2 +-
 drivers/regulator/stw481x-vmmc.c                   |   3 +-
 drivers/s390/char/vmlogrdr.c                       |   2 +-
 drivers/s390/scsi/zfcp_dbf.c                       |  17 +-
 drivers/s390/scsi/zfcp_dbf.h                       |  41 ++++-
 drivers/s390/scsi/zfcp_erp.c                       |  61 ++++++-
 drivers/s390/scsi/zfcp_ext.h                       |   4 +-
 drivers/s390/scsi/zfcp_fsf.c                       |   8 +-
 drivers/s390/scsi/zfcp_fsf.h                       |   3 +-
 drivers/s390/scsi/zfcp_reqlist.h                   |  30 +++-
 drivers/s390/scsi/zfcp_scsi.c                      |  61 ++++++-
 drivers/scsi/megaraid/megaraid_sas_fusion.c        |   1 +
 drivers/scsi/mvsas/mv_94xx.c                       |   2 +-
 drivers/scsi/qla2xxx/qla_os.c                      |  16 +-
 drivers/scsi/scsi_sysfs.c                          |   4 -
 drivers/scsi/sg.c                                  |   4 +
 drivers/ssb/pci.c                                  |   1 +
 drivers/staging/iio/adc/ad7606_core.c              |   2 +-
 drivers/staging/media/davinci_vpfe/vpfe_video.c    |   2 +-
 drivers/target/iscsi/iscsi_target_tpg.c            |   1 -
 drivers/target/target_core_sbc.c                   |   8 +-
 drivers/target/target_core_transport.c             |  17 +-
 drivers/target/target_core_xcopy.c                 |   2 +-
 drivers/thermal/thermal_hwmon.c                    |   2 +-
 drivers/tty/serial/atmel_serial.c                  |  11 +-
 drivers/tty/sysrq.c                                |   4 +-
 drivers/usb/class/cdc-acm.c                        |   1 +
 drivers/usb/core/config.c                          |  10 ++
 drivers/usb/core/hub.c                             | 134 ++++++---------
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/dwc3/ep0.c                             |  37 ++--
 drivers/usb/dwc3/gadget.c                          |  20 ++-
 drivers/usb/gadget/composite.c                     |  23 ++-
 drivers/usb/gadget/dummy_hcd.c                     |   6 +-
 drivers/usb/gadget/inode.c                         |  17 +-
 drivers/usb/gadget/uvc_video.c                     |   2 +-
 drivers/usb/host/uhci-pci.c                        |   4 +
 drivers/usb/host/xhci-mem.c                        |  42 ++++-
 drivers/usb/host/xhci-pci.c                        |   3 +-
 drivers/usb/host/xhci-ring.c                       |  39 +++--
 drivers/usb/host/xhci.c                            |  13 --
 drivers/usb/musb/musbhsdma.h                       |   2 +-
 drivers/usb/phy/phy-am335x-control.c               |   2 +
 drivers/usb/serial/ch341.c                         | 187 +++++++++++++--------
 drivers/usb/serial/cyberjack.c                     |  10 ++
 drivers/usb/serial/garmin_gps.c                    |   1 +
 drivers/usb/serial/io_edgeport.c                   |   5 +
 drivers/usb/serial/io_ti.c                         |  14 +-
 drivers/usb/serial/iuu_phoenix.c                   |  11 ++
 drivers/usb/serial/keyspan_pda.c                   |  14 ++
 drivers/usb/serial/kl5kusb105.c                    |  35 +++-
 drivers/usb/serial/kobil_sct.c                     |  12 ++
 drivers/usb/serial/mos7720.c                       |  51 +++---
 drivers/usb/serial/mos7840.c                       |  16 +-
 drivers/usb/serial/omninet.c                       |  13 ++
 drivers/usb/serial/option.c                        |   8 +
 drivers/usb/serial/oti6858.c                       |  16 ++
 drivers/usb/serial/pl2303.c                        |   9 +
 drivers/usb/serial/pl2303.h                        |   1 +
 drivers/usb/serial/qcserial.c                      |   1 +
 drivers/usb/serial/quatech2.c                      |   4 -
 drivers/usb/serial/spcp8x5.c                       |  14 ++
 drivers/usb/serial/ti_usb_3410_5052.c              |   7 +
 drivers/usb/storage/unusual_devs.h                 |   7 +
 drivers/vme/bridges/vme_ca91cx42.c                 |   2 +-
 drivers/xen/gntdev.c                               |   2 +-
 fs/block_dev.c                                     |   9 +-
 fs/btrfs/async-thread.c                            |  14 ++
 fs/btrfs/async-thread.h                            |   1 +
 fs/btrfs/delayed-inode.c                           |  15 +-
 fs/btrfs/extent-tree.c                             |   5 +-
 fs/btrfs/ioctl.c                                   |   6 +-
 fs/btrfs/tree-log.c                                |   3 +-
 fs/ceph/mds_client.c                               |   9 +-
 fs/cifs/cifsglob.h                                 |   3 +
 fs/cifs/cifsproto.h                                |   3 +
 fs/cifs/connect.c                                  |  34 +++-
 fs/cifs/smb2file.c                                 |   2 +-
 fs/cifs/smb2pdu.c                                  |  77 ++++++---
 fs/cifs/smb2proto.h                                |   1 +
 fs/exec.c                                          |  10 +-
 fs/ext4/inline.c                                   |   4 +-
 fs/ext4/inode.c                                    |   6 +
 fs/ext4/mballoc.c                                  |   4 +-
 fs/ext4/super.c                                    |  64 ++++---
 fs/f2fs/debug.c                                    |   1 +
 fs/nfs/dir.c                                       |  15 +-
 fs/nfs/file.c                                      |   2 +-
 fs/nfs/filelayout/filelayoutdev.c                  |   3 +-
 fs/nfs/nfs4state.c                                 |   1 +
 fs/notify/inode_mark.c                             |  46 +----
 fs/ocfs2/dlmglue.c                                 |  10 ++
 fs/ocfs2/stackglue.c                               |   6 +
 fs/ocfs2/stackglue.h                               |   3 +
 fs/splice.c                                        |   1 +
 fs/ubifs/tnc.c                                     |  25 ++-
 fs/xfs/xfs_bmap_util.c                             |   7 +-
 fs/xfs/xfs_log_recover.c                           |   1 +
 include/linux/can/core.h                           |   7 +-
 include/linux/cpu.h                                |  15 +-
 include/linux/jump_label_ratelimit.h               |   5 +
 include/linux/netdevice.h                          |   9 +-
 include/linux/nfs4.h                               |   3 +-
 include/linux/sunrpc/clnt.h                        |   1 +
 include/linux/tcp.h                                |   7 +-
 include/net/cfg80211.h                             |  11 ++
 include/net/cipso_ipv4.h                           |   4 +
 include/net/netfilter/nf_log.h                     |   2 +
 include/net/sock.h                                 |  17 +-
 include/uapi/linux/usb/ch9.h                       |  19 +++
 ipc/shm.c                                          |  13 +-
 kernel/cpu.c                                       |  13 +-
 kernel/events/core.c                               |  42 ++---
 kernel/futex.c                                     |   2 +-
 kernel/jump_label.c                                |   7 +
 kernel/printk/printk.c                             |   2 +-
 kernel/sched/cputime.c                             |   3 +
 kernel/sysctl.c                                    |   1 +
 kernel/trace/trace_functions_graph.c               |  17 +-
 lib/vsprintf.c                                     |   2 +-
 mm/filemap.c                                       |   5 +
 mm/huge_memory.c                                   |  19 ++-
 mm/hugetlb.c                                       |  37 +++-
 net/bridge/br_ioctl.c                              |   5 +-
 net/can/af_can.c                                   |  12 +-
 net/can/af_can.h                                   |   3 +-
 net/can/bcm.c                                      |  27 ++-
 net/can/gw.c                                       |   2 +-
 net/can/raw.c                                      |   4 +-
 net/ceph/messenger.c                               |  13 ++
 net/core/dev.c                                     | 109 ++++++------
 net/core/drop_monitor.c                            |  39 ++++-
 net/core/sock.c                                    |  16 +-
 net/dccp/ipv4.c                                    |  26 +--
 net/dccp/ipv6.c                                    |  16 +-
 net/dccp/proto.c                                   |   4 +
 net/decnet/dn_route.c                              |   9 +-
 net/ipv4/cipso_ipv4.c                              |   4 +
 net/ipv4/igmp.c                                    |  55 ++++--
 net/ipv4/ipmr.c                                    |   4 +-
 net/ipv4/netfilter/ipt_rpfilter.c                  |   8 +-
 net/ipv4/ping.c                                    |   2 +
 net/ipv4/route.c                                   |  12 ++
 net/ipv4/tcp_fastopen.c                            |   3 +-
 net/ipv4/tcp_output.c                              |  21 ++-
 net/ipv4/udp.c                                     |   2 +-
 net/ipv6/addrconf.c                                |   4 +-
 net/ipv6/ip6_gre.c                                 |   3 +
 net/ipv6/ip6_offload.c                             |   1 +
 net/ipv6/ip6_output.c                              |  11 +-
 net/ipv6/ip6_tunnel.c                              |  49 ++++--
 net/ipv6/ip6mr.c                                   |   1 +
 net/ipv6/mcast.c                                   |  50 +++---
 net/ipv6/netfilter/ip6t_rpfilter.c                 |   8 +-
 net/ipv6/raw.c                                     |   7 +-
 net/ipv6/sit.c                                     |   5 +-
 net/ipv6/udp.c                                     |   2 +-
 net/irda/irqueue.c                                 |  34 ++--
 net/l2tp/l2tp_core.h                               |   1 +
 net/l2tp/l2tp_ip.c                                 |  27 ++-
 net/l2tp/l2tp_ip6.c                                |   2 +-
 net/llc/llc_conn.c                                 |   3 +
 net/llc/llc_sap.c                                  |   3 +
 net/mac80211/mesh.c                                |   2 +-
 net/mac80211/mlme.c                                |  17 +-
 net/netfilter/nf_log.c                             |   1 -
 net/netfilter/nft_log.c                            |   3 +-
 net/packet/af_packet.c                             |  45 +++--
 net/sched/act_pedit.c                              |  24 ++-
 net/sched/cls_api.c                                |   4 +-
 net/sched/em_meta.c                                |   9 +-
 net/sched/sch_dsmark.c                             |   3 +
 net/sched/sch_htb.c                                |   5 +-
 net/sched/sch_netem.c                              |  61 ++++++-
 net/sctp/socket.c                                  |  19 ++-
 net/socket.c                                       |  19 ++-
 net/sunrpc/auth_gss/gss_rpc_xdr.c                  |   2 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |   2 +-
 net/sunrpc/clnt.c                                  |   5 +
 net/sunrpc/sunrpc_syms.c                           |   1 +
 net/vmw_vsock/af_vsock.c                           |  21 +--
 net/wireless/core.h                                |   1 +
 net/wireless/mlme.c                                |  12 ++
 net/wireless/sme.c                                 |  14 ++
 scripts/kconfig/nconf.gui.c                        |  15 +-
 sound/core/seq/seq_memory.c                        |   9 +-
 sound/core/seq/seq_queue.c                         |  33 ++--
 sound/pci/hda/patch_conexant.c                     |  28 +++
 sound/pci/hda/patch_hdmi.c                         |   1 +
 sound/pci/hda/patch_realtek.c                      |   2 +
 sound/usb/card.c                                   |   1 -
 sound/usb/hiface/pcm.c                             |   2 +
 sound/usb/mixer.c                                  |   3 +-
 tools/perf/builtin-trace.c                         |   4 +-
 tools/perf/util/trace-event-scripting.c            |   6 +-
 tools/testing/selftests/net/run_netsocktests       |   2 +-
 .../powerpc/pmu/ebb/pmc56_overflow_test.c          |   2 +-
 338 files changed, 2959 insertions(+), 1356 deletions(-)

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.

* [PATCH 3.16 004/370] crypto: arm64/sha2-ce - fix for big endian
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 174122c39c369ed924d2608fc0be0171997ce800 upstream.

The SHA256 digest is an array of 8 32-bit quantities, so we should refer
to them as such in order for this code to work correctly when built for
big endian. So replace 16 byte scalar loads and stores with 4x32 vector
ones where appropriate.

Fixes: 6ba6c74dfc6b ("arm64/crypto: SHA-224/SHA-256 using ARMv8 Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: use x2 instead of x0]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/sha2-ce-core.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/crypto/sha2-ce-core.S
+++ b/arch/arm64/crypto/sha2-ce-core.S
@@ -85,7 +85,7 @@ ENTRY(sha2_ce_transform)
 	ld1		{v12.4s-v15.4s}, [x8]
 
 	/* load state */
-	ldp		dga, dgb, [x2]
+	ld1		{dgav.4s, dgbv.4s}, [x2]
 
 	/* load partial input (if supplied) */
 	cbz		x3, 0f
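Review bot: the `/* load state */` comment above the new `ld1 {dgav.4s, dgbv.4s}, [x2]` does not say why a 4x32 vector load is used instead of `ldp`, so a later cleanup could switch it back and reintroduce the big-endian bug. Consider extending the comment to say that the digest is eight 32-bit words and has to be loaded with `.4s` element size so the lane order is correct on big endian.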
@@ -151,6 +151,6 @@ CPU_LE(	rev32		v19.16b, v19.16b	)
 	b		2b
 
 	/* store new state */
-3:	stp		dga, dgb, [x2]
+3:	st1		{dgav.4s, dgbv.4s}, [x2]
 	ret
 ENDPROC(sha2_ce_transform)
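Review bot: the `st1 {dgav.4s, dgbv.4s}, [x2]` at label 3 relies on x2 still holding the state pointer that the `ld1` in the first hunk used. The backport note says x2 replaces upstream's x0, so it is worth confirming that nothing in the 3.16 version of this function advances or reuses x2 between the load and this store.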

* [PATCH 3.16 001/370] staging: iio: ad7606: fix improper setting of oversampling pins
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eva Rachel Retuya, Lars-Peter Clausen, Jonathan Cameron

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eva Rachel Retuya <eraretuya@gmail.com>

commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.

The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.

The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.

Signed-off-by: Eva Rachel Retuya <eraretuya@gmail.com>
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/adc/ad7606_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/adc/ad7606_core.c
+++ b/drivers/staging/iio/adc/ad7606_core.c
@@ -186,7 +186,7 @@ static ssize_t ad7606_store_oversampling
 	mutex_lock(&indio_dev->mlock);
 	gpio_set_value(st->pdata->gpio_os0, (ret >> 0) & 1);
 	gpio_set_value(st->pdata->gpio_os1, (ret >> 1) & 1);
-	gpio_set_value(st->pdata->gpio_os1, (ret >> 2) & 1);
+	gpio_set_value(st->pdata->gpio_os2, (ret >> 2) & 1);
 	st->oversampling = lval;
 	mutex_unlock(&indio_dev->mlock);
 
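Review bot: the three `gpio_set_value()` calls differ only in the pin name and the shift, which is how `gpio_os1` came to be written twice. Consider setting the pins in a loop over an array of the three OS gpios, with bit i of `ret` going to pin i, so the pin and the shift cannot drift apart again.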

* [PATCH 3.16 022/370] scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sumit Saxena, Kashyap Desai, Hannes Reinecke, Tomas Henzl,
	Kiran Kumar Kasturi, Martin K. Petersen

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kashyap Desai <kashyap.desai@broadcom.com>

commit 18e1c7f68a5814442abad849abe6eacbf02ffd7c upstream.

For SRIOV enabled firmware, if there is an OCR (online controller reset)
possibility, the driver sets the convert flag to 1, which is not happening if
there are outstanding commands even after 180 seconds.  As the driver does
not set the convert flag to 1 and still makes the OCR run, the VF (virtual
function) driver is directly writing on to the register instead of
waiting for 30 seconds. Setting the convert flag to 1 will cause the VF driver
to wait for 30 secs before going for reset.

Signed-off-by: Kiran Kumar Kasturi <kiran-kumar.kasturi@broadcom.com>
Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/megaraid/megaraid_sas_fusion.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2291,6 +2291,7 @@ int megasas_wait_for_outstanding_fusion(
 		printk("megaraid_sas: pending commands remain after waiting, "
 		       "will reset adapter scsi%d.\n",
 		       instance->host->host_no);
+		*convert = 1;
 		retval = 1;
 	}
 out:
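Review bot: `*convert = 1;` is added without a comment, and nothing in this branch says why the flag matters when commands are still pending. A short comment that SR-IOV VF drivers use the flag to wait 30 seconds before resetting would help. The write also dereferences `convert` unconditionally, so confirm that every caller of `megasas_wait_for_outstanding_fusion()` passes a valid pointer.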

* [PATCH 3.16 123/370] Input: i8042 - add Pegatron touchpad to noloop table
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marcos Paulo de Souza, Dmitry Torokhov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marcos Paulo de Souza <marcos.souza.org@gmail.com>

commit 41c567a5d7d1a986763e58c3394782813c3bcb03 upstream.

Avoid AUX loopback in Pegatron C15B touchpad, so input subsystem is able
to recognize a Synaptics touchpad in the AUX port.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=93791
(Touchpad is not detected on DNS 0801480 notebook (PEGATRON C15B))

Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042-x86ia64io.h | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -211,6 +211,12 @@ static const struct dmi_system_id __init
 			DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
 		},
 	},
+	{
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "C15B"),
+		},
+	},
 	{ }
 };
 
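Review bot: the new entry matches only `DMI_SYS_VENDOR` and `DMI_PRODUCT_NAME` "C15B" and carries no comment. Consider adding a comment that names the machine and the bug report (bugzilla 93791), so the reason for the noloop quirk can be recovered from the table itself.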

* [PATCH 3.16 148/370] btrfs: fix locking when we put back a delayed ref that's too new
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Sterba, Liu Bo, Jeff Mahoney

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit d0280996437081dd12ed1e982ac8aeaa62835ec4 upstream.

In __btrfs_run_delayed_refs, when we put back a delayed ref that's too
new, we have already dropped the lock on locked_ref when we set
->processing = 0.

This patch keeps the lock to cover that assignment.

Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/extent-tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2429,11 +2429,11 @@ static noinline int __btrfs_run_delayed_
 		if (ref && ref->seq &&
 		    btrfs_check_delayed_seq(fs_info, delayed_refs, ref->seq)) {
 			spin_unlock(&locked_ref->lock);
-			btrfs_delayed_ref_unlock(locked_ref);
 			spin_lock(&delayed_refs->lock);
 			locked_ref->processing = 0;
 			delayed_refs->num_heads_ready++;
 			spin_unlock(&delayed_refs->lock);
+			btrfs_delayed_ref_unlock(locked_ref);
 			locked_ref = NULL;
 			cond_resched();
 			count++;
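Review bot: the fix depends entirely on `btrfs_delayed_ref_unlock(locked_ref)` now coming after `locked_ref->processing = 0`, but nothing in the code marks that ordering as required. Consider a one-line comment above the assignment stating that the head must still be locked while `processing` is cleared, since `spin_unlock(&locked_ref->lock)` a few lines earlier makes it look as if the ref has already been released.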

* [PATCH 3.16 138/370] usb: gadget: composite: Test get_alt() presence instead of set_alt()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Krzysztof Opasiak, Felipe Balbi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Opasiak <k.opasiak@samsung.com>

commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.

By convention (according to doc), if a function does not provide a
get_alt() callback, the composite framework should assume that it has only
altsetting 0 and should respond with an error if the host tries to set
another one.

After commit dd4dff8b035f ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.

Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.

Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/composite.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1521,9 +1521,7 @@ composite_setup(struct usb_gadget *gadge
 		value = min(w_length, (u16) 1);
 		break;
 
-	/* function drivers must handle get/set altsetting; if there's
-	 * no get() method, we know only altsetting zero works.
-	 */
+	/* function drivers must handle get/set altsetting */
 	case USB_REQ_SET_INTERFACE:
 		if (ctrl->bRequestType != USB_RECIP_INTERFACE)
 			goto unknown;
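Review bot: the shortened comment `/* function drivers must handle get/set altsetting */` now reads as if both callbacks were mandatory, while the comment added in the next hunk says a function may omit `get_alt()`. Consider rewording it, for example to say that function drivers handle altsettings and that `get_alt()` is optional, so the two comments agree.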
@@ -1532,7 +1530,13 @@ composite_setup(struct usb_gadget *gadge
 		f = cdev->config->interface[intf];
 		if (!f)
 			break;
-		if (w_value && !f->set_alt)
+
+		/*
+		 * If there's no get_alt() method, we know only altsetting zero
+		 * works. There is no need to check if set_alt() is not NULL
+		 * as we check this in usb_add_function().
+		 */
+		if (w_value && !f->get_alt)
 			break;
 		value = f->set_alt(f, w_index, w_value);
 		if (value == USB_GADGET_DELAYED_STATUS) {
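Review bot: when `w_value && !f->get_alt` is true the code only does `break`, so the status returned to the host is whatever `value` held before this case, which is not visible in this hunk. The commit message says the framework should respond with an error here; confirm that `value` is initialised to an error code on this path, or set it explicitly before the `break`.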

* [PATCH 3.16 146/370] PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chanwoo Choi, Rafael J. Wysocki

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chanwoo Choi <cw00.choi@samsung.com>

commit 73613b16cb5c5d5a659fc8832eff99eead3f9afb upstream.

This patch fixes the bug of devfreq_add_device(). The devfreq device must
have the default governor. If find_devfreq_governor() returns an error,
devfreq_add_device() fails to add the devfreq instance.

Fixes: 1b5c1be2c88e (PM / devfreq: map devfreq drivers to governor using name)
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/devfreq/devfreq.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -502,11 +502,16 @@ struct devfreq *devfreq_add_device(struc
 	list_add(&devfreq->node, &devfreq_list);
 
 	governor = find_devfreq_governor(devfreq->governor_name);
-	if (!IS_ERR(governor))
-		devfreq->governor = governor;
-	if (devfreq->governor)
-		err = devfreq->governor->event_handler(devfreq,
-					DEVFREQ_GOV_START, NULL);
+	if (IS_ERR(governor)) {
+		dev_err(dev, "%s: Unable to find governor for the device\n",
+			__func__);
+		err = PTR_ERR(governor);
+		goto err_init;
+	}
+
+	devfreq->governor = governor;
+	err = devfreq->governor->event_handler(devfreq, DEVFREQ_GOV_START,
+						NULL);
 	if (err) {
 		dev_err(dev, "%s: Unable to start governor for the device\n",
 			__func__);
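Review bot: the new `goto err_init` is taken after `list_add(&devfreq->node, &devfreq_list)` at the top of the hunk, so on a missing governor the device is already on `devfreq_list`. Confirm that the `err_init` path removes the node from the list and undoes anything else done since, otherwise the failed device stays linked in the list.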

* [PATCH 3.16 167/370] USB: serial: mos7840: fix NULL-deref at open
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at mos7840_open+0x88/0x8dc [mos7840]

Note that we continue to treat the interrupt-in endpoint as optional for
now.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2179,6 +2179,17 @@ static int mos7840_calc_num_ports(struct
 	return mos7840_num_ports;
 }
 
+static int mos7840_attach(struct usb_serial *serial)
+{
+	if (serial->num_bulk_in < serial->num_ports ||
+			serial->num_bulk_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int mos7840_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
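Review bot: `mos7840_attach()` checks only `num_bulk_in` and `num_bulk_out` against `num_ports`; the decision to leave the interrupt-in endpoint optional is recorded only in the commit message. Consider a short comment in the function saying so, and check that the code paths using the interrupt-in URB cope with it being absent.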
@@ -2457,6 +2468,7 @@ static struct usb_serial_driver moschip7
 	.tiocmset = mos7840_tiocmset,
 	.tiocmiwait = usb_serial_generic_tiocmiwait,
 	.get_icount = usb_serial_generic_get_icount,
+	.attach = mos7840_attach,
 	.port_probe = mos7840_port_probe,
 	.port_remove = mos7840_port_remove,
 	.read_bulk_callback = mos7840_bulk_in_callback,

* [PATCH 3.16 175/370] ALSA: hda - Fix up GPIO for ASUS ROG Ranger
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 85bcf96caba8b4a7c0805555638629ba3c67ea0c upstream.

ASUS ROG Ranger VIII with ALC1150 codec requires the extra GPIO pin to
be up for the front panel.  Just use the existing fixup for setting up
the GPIO pins.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189411
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2282,6 +2282,7 @@ static const struct snd_pci_quirk alc882
 	SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC),
 	SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
 	SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
+	SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
 	SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT),
 	SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP),
 	SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP),

* [PATCH 3.16 156/370] USB: serial: garmin_gps: fix memory leak on failed URB submit
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream.

Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/garmin_gps.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1044,6 +1044,7 @@ static int garmin_write_bulk(struct usb_
 		   "%s - usb_submit_urb(write bulk) failed with status = %d\n",
 				__func__, status);
 		count = status;
+		kfree(buffer);
 	}
 
 	/* we are done with this urb, so let the host driver
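Review bot: `kfree(buffer)` in the failure branch is only correct if nothing else frees the transfer buffer once the URB is released just below. Confirm that the URB is not set up with `URB_FREE_BUFFER` and that no completion callback can still run and free the buffer after a failed `usb_submit_urb()`; otherwise this becomes a double free.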

* [PATCH 3.16 179/370] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit c7efff9284dfde95a11aaa811c9d8ec8167f0f6e upstream.

Although the old quirk table showed ASUS X71SL with ALC663 codec being
compatible with asus-mode3 fixup, the bugzilla reporter explained that
asus-mode8 fits better for the dual headphone controls.  So be it.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191781
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6127,6 +6127,7 @@ static const struct snd_pci_quirk alc662
 	SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
 	SND_PCI_QUIRK(0x1043, 0x177d, "ASUS N551", ALC668_FIXUP_ASUS_Nx51),
 	SND_PCI_QUIRK(0x1043, 0x17bd, "ASUS N751", ALC668_FIXUP_ASUS_Nx51),
+	SND_PCI_QUIRK(0x1043, 0x1963, "ASUS X71SL", ALC662_FIXUP_ASUS_MODE8),
 	SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
 	SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
 	SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),

* [PATCH 3.16 152/370] xhci: Handle command completion and timeout race
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman, Baolin Wang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit a5a1b9514154437aa1ed35c291191f82fd3e941a upstream.

If we get a command completion event at the same time as the command
timeout work starts on another cpu we might end up aborting the wrong
command.

If the command completion takes the xhci lock before the timeout work, it
will handle the command, pick the next command, mark it as current_cmd, and
re-queue the timeout work. When the timeout work finally gets the lock,
it will start aborting the wrong command.

This case can be resolved by checking if the timeout work is pending inside
the timeout function itself. A new timeout work can only be pending if the
command completed and a new command was queued.

If there are no more commands pending then command completion will set
the current_cmd to NULL, which is already handled in the timeout work.

Reported-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1294,7 +1294,11 @@ void xhci_handle_command_timeout(unsigne
 
 	spin_lock_irqsave(&xhci->lock, flags);
 
-	if (!xhci->current_cmd) {
+	/*
+	 * If timeout work is pending, or current_cmd is NULL, it means we
+	 * raced with command completion. Command is handled so just return.
+	 */
+	if (!xhci->current_cmd || timer_pending(&xhci->cmd_timer)) {
 		spin_unlock_irqrestore(&xhci->lock, flags);
 		return;
 	}
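Review bot: the new comment speaks of "timeout work" being pending, but the condition tests `timer_pending(&xhci->cmd_timer)`, so in this tree the timeout appears to be a timer rather than a work item. Consider rewording the comment to say "timer" so that it matches the 3.16 code it sits above.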

* [PATCH 3.16 159/370] USB: serial: io_ti: fix another NULL-deref at open
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4f9785cc99feeb3673993b471f646b4dbaec2cc1 upstream.

In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
[<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16:
 - No heartbeat_work to initialise earlier
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/io_ti.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1376,7 +1376,7 @@ stayinbootmode:
 	dev_dbg(dev, "%s - STAYING IN BOOT MODE\n", __func__);
 	serial->product_info.TiMode = TI_MODE_BOOT;
 
-	return 0;
+	return 1;
 }
 
 
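Review bot: `return 1` at `stayinbootmode` gives the function a third return state (negative errno, 0, and 1 for boot mode) that is not documented anywhere in the hunk. Consider a comment at the return, or on the function, spelling out the convention, since the caller in `edge_startup()` now depends on the sign of the result.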
@@ -2400,11 +2400,14 @@ static int edge_startup(struct usb_seria
 	usb_set_serial_data(serial, edge_serial);
 
 	status = download_fw(edge_serial);
-	if (status) {
+	if (status < 0) {
 		kfree(edge_serial);
 		return status;
 	}
 
+	if (status > 0)
+		return 1;	/* bind but do not register any ports */
+
 	return 0;
 }
 
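Review bot: on the `status > 0` path `edge_serial` has been stored with `usb_set_serial_data()` and is not freed, unlike on the `status < 0` path. Since returning 1 binds the device without registering any ports, confirm that the disconnect and release callbacks still run for a port-less device and free `edge_serial`, so that boot-mode devices do not leak it.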

* [PATCH 3.16 169/370] USB: serial: omninet: fix NULL-derefs at open and disconnect
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e upstream.

Fix NULL-pointer dereferences at open() and disconnect() should the
device lack the expected bulk-out endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 000000b4
...
[c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
[<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
[<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
[<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
[<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])

Unable to handle kernel NULL pointer dereference at virtual address 00000234
...
[<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/omninet.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -38,6 +38,7 @@ static int  omninet_write(struct tty_str
 				const unsigned char *buf, int count);
 static int  omninet_write_room(struct tty_struct *tty);
 static void omninet_disconnect(struct usb_serial *serial);
+static int omninet_attach(struct usb_serial *serial);
 static int omninet_port_probe(struct usb_serial_port *port);
 static int omninet_port_remove(struct usb_serial_port *port);
 
@@ -56,6 +57,7 @@ static struct usb_serial_driver zyxel_om
 	.description =		"ZyXEL - omni.net lcd plus usb",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		omninet_attach,
 	.port_probe =		omninet_port_probe,
 	.port_remove =		omninet_port_remove,
 	.open =			omninet_open,
@@ -104,6 +106,17 @@ struct omninet_data {
 	__u8	od_outseq;	/* Sequence number for bulk_out URBs */
 };
 
+static int omninet_attach(struct usb_serial *serial)
+{
+	/* The second bulk-out endpoint is used for writing. */
+	if (serial->num_bulk_out < 2) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int omninet_port_probe(struct usb_serial_port *port)
 {
 	struct omninet_data *od;
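Review bot: the bare `2` in `serial->num_bulk_out < 2` is explained only by the comment above it; a named constant would tie the check to the code that uses the second bulk-out endpoint. The `dev_err()` text could also report how many bulk-out endpoints were found, so that the log line says more than "missing endpoints".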

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 137/370] usb: dwc3: gadget: always unmap EP0 requests
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 168/370] USB: serial: mos7840: fix misleading interrupt-URB comment Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 045/370] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices Ben Hutchings
                   ` (207 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Tomasz Medrek, Janusz Dziedzic

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit d62145929992f331fdde924d5963ab49588ccc7d upstream.

commit 0416e494ce7d ("usb: dwc3: ep0: correct cache
sync issue in case of ep0_bounced") introduced a bug
where we would leak DMA resources which would cause
us to starve the system of them resulting in failing
DMA transfers.

Fix the bug by making sure that we always unmap EP0
requests since those are *always* mapped.

Fixes: 0416e494ce7d ("usb: dwc3: ep0: correct cache
	sync issue in case of ep0_bounced")
Tested-by: Tomasz Medrek <tomaszx.medrek@intel.com>
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/gadget.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -257,11 +257,11 @@ void dwc3_gadget_giveback(struct dwc3_ep
 	if (req->request.status == -EINPROGRESS)
 		req->request.status = status;
 
-	if (dwc->ep0_bounced && dep->number == 0)
+	if (dwc->ep0_bounced && dep->number <= 1)
 		dwc->ep0_bounced = false;
-	else
-		usb_gadget_unmap_request(&dwc->gadget, &req->request,
-				req->direction);
+
+	usb_gadget_unmap_request(&dwc->gadget,
+			&req->request, req->direction);
 
 	dev_dbg(dwc->dev, "request %p from %s completed %d/%d ===> %d\n",
 			req, dep->name, req->request.actual,
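Review bot: the condition widens from `dep->number == 0` to `dep->number <= 1`, but neither the commit message nor a comment says why endpoint number 1 is now treated as EP0. A one-line comment on the `<= 1` test would help, since the commit message only covers the other half of the hunk, the now unconditional `usb_gadget_unmap_request()` call.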

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 188/370] HID: hid-cypress: validate length of report
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 139/370] USB: dummy-hcd: fix bug in stop_activity (handle ep0) Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 097/370] sparc: leon: Fix a retry loop in leon_init_timers() Ben Hutchings
                   ` (253 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benoit Camredon, Greg Kroah-Hartman, Jiri Kosina

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1ebb71143758f45dc0fa76e2f48429e13b16d110 upstream.

Make sure we have enough of a report structure to validate before
looking at it.

Reported-by: Benoit Camredon <benoit.camredon@airbus.com>
Tested-by: Benoit Camredon <benoit.camredon@airbus.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-cypress.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/hid/hid-cypress.c
+++ b/drivers/hid/hid-cypress.c
@@ -39,6 +39,9 @@ static __u8 *cp_report_fixup(struct hid_
 	if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
 		return rdesc;
 
+	if (*rsize < 4)
+		return rdesc;
+
 	for (i = 0; i < *rsize - 4; i++)
 		if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
 			__u8 tmp;
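Review bot: the new `*rsize < 4` guard carries no comment, and the commit message only says "enough of a report structure". What it protects is the loop bound `*rsize - 4` two lines further down; saying so next to the guard would help the next reader. Note that `*rsize == 4` passes the guard and the loop then runs zero times, which is harmless but shows the two bounds are not quite the same test.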

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 182/370] KVM: MIPS: Flush KVM entry code from icache globally
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 173/370] USB: serial: spcp8x5: fix NULL-deref at open Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 005/370] crypto: arm64/aes-ccm-ce: fix for big endian Ben Hutchings
                   ` (191 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, Radim Krčmář,
	James Hogan, kvm, Paolo Bonzini, linux-mips

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 32eb12a6c11034867401d56b012e3c15d5f8141e upstream.

Flush the KVM entry code from the icache on all CPUs, not just the one
that built the entry code.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kvm/kvm_mips.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/kvm/kvm_mips.c
+++ b/arch/mips/kvm/kvm_mips.c
@@ -343,8 +343,8 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
 	       mips32_GuestExceptionEnd - mips32_GuestException);
 
 	/* Invalidate the icache for these ranges */
-	local_flush_icache_range((unsigned long)gebase,
-				(unsigned long)gebase + ALIGN(size, PAGE_SIZE));
+	flush_icache_range((unsigned long)gebase,
+			   (unsigned long)gebase + ALIGN(size, PAGE_SIZE));
 
 	/* Allocate comm page for guest kernel, a TLB will be reserved for mapping GVA @ 0xFFFF8000 to this page */
 	vcpu->arch.kseg0_commpage = kzalloc(PAGE_SIZE << 1, GFP_KERNEL);
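Review bot: the comment above the call still reads "Invalidate the icache for these ranges", which no longer captures what matters after this change. Extending it to say that the flush has to reach all CPUs, as the commit message does, would stop someone from switching back to `local_flush_icache_range()` as an optimisation.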

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 165/370] USB: serial: mos7720: fix parport use-after-free on probe errors
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 084/370] dm space map metadata: fix 'struct sm_metadata' leak on failed create Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 071/370] USB: cdc-acm: add device id for GW Instek AFG-125 Ben Hutchings
                   ` (342 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream.

Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7720.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1936,22 +1936,20 @@ static int mos7720_startup(struct usb_se
 	usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
 			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
 
-	/* start the interrupt urb */
-	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
-	if (ret_val)
-		dev_err(&dev->dev,
-			"%s - Error %d submitting control urb\n",
-			__func__, ret_val);
-
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		ret_val = mos7715_parport_init(serial);
-		if (ret_val < 0) {
-			usb_kill_urb(serial->port[0]->interrupt_in_urb);
+		if (ret_val < 0)
 			return ret_val;
-		}
 	}
 #endif
+	/* start the interrupt urb */
+	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
+	if (ret_val) {
+		dev_err(&dev->dev, "failed to submit interrupt urb: %d\n",
+			ret_val);
+	}
+
 	/* LSR For Port 1 */
 	read_mos_reg(serial, 0, LSR, &data);
 	dev_dbg(&dev->dev, "LSR:%x\n", data);
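Review bot: when `usb_submit_urb()` fails, the new block only logs and falls through, so startup carries on to the LSR read with no interrupt URB running. By this point `mos7715_parport_init()` may already have succeeded for a 7715, so it is worth deciding whether a failed submit should be fatal (and undo the parport registration) or stating in a comment that it is deliberately ignored. The braces around the single `dev_err()` statement can also go.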

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 183/370] usb: musb: Fix trying to free already-free IRQ 4
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (168 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 057/370] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 113/370] scsi: zfcp: do not trace pure benign residual HBA responses at default level Ben Hutchings
                   ` (201 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bin Liu, Greg Kroah-Hartman, Tony Lindgren

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <tony@atomide.com>

commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.

When unloading omap2430, we can get the following splat:

WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
...
[<c01a8b78>] (free_irq) from [<bf0aea84>]
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]
(platform_drv_remove+0x24/0x3c)
...

This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.

Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren <tony@atomide.com>
[b-liu@ti.com: added Fixes tag]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/musb/musbhsdma.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/musb/musbhsdma.h
+++ b/drivers/usb/musb/musbhsdma.h
@@ -157,5 +157,5 @@ struct musb_dma_controller {
 	void __iomem			*base;
 	u8				channel_count;
 	u8				used_channels;
-	u8				irq;
+	int				irq;
 };

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 187/370] selftests: do not require bash to run netsocktests testcase
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 086/370] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 057/370] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Ben Hutchings
                   ` (203 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Rolf Eike Beer

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rolf Eike Beer <eb@emlix.com>

commit 3659f98b5375d195f1870c3e508fe51e52206839 upstream.

Nothing in this minimal script seems to require bash. We often run these
tests on embedded devices where the only shell available is the busybox
ash. Use sh instead.

Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/testing/selftests/net/run_netsocktests | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/testing/selftests/net/run_netsocktests
+++ b/tools/testing/selftests/net/run_netsocktests
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 echo "--------------------"
 echo "running socket test"

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 160/370] USB: serial: iuu_phoenix: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 049/370] ext4: add sanity checking to count_overhead() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 163/370] USB: serial: mos7720: " Ben Hutchings
                   ` (299 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream.

Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at iuu_open+0x78/0x59c [iuu_phoenix]

Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints
check")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/iuu_phoenix.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -68,6 +68,16 @@ struct iuu_private {
 	u32 clk;
 };
 
+static int iuu_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports || serial->num_bulk_out < num_ports)
+		return -ENODEV;
+
+	return 0;
+}
+
 static int iuu_port_probe(struct usb_serial_port *port)
 {
 	struct iuu_private *priv;
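Review bot: `iuu_attach()` returns -ENODEV without logging anything, whereas the omninet fix in this same series prints "missing endpoints" via `dev_err()` for the same condition. A matching message here would make a refused bind visible in the kernel log.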
@@ -1196,6 +1206,7 @@ static struct usb_serial_driver iuu_devi
 	.tiocmset = iuu_tiocmset,
 	.set_termios = iuu_set_termios,
 	.init_termios = iuu_init_termios,
+	.attach = iuu_attach,
 	.port_probe = iuu_port_probe,
 	.port_remove = iuu_port_remove,
 };

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 139/370] USB: dummy-hcd: fix bug in stop_activity (handle ep0)
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 143/370] USB: gadgetfs: fix checks of wTotalLength in config descriptors Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 188/370] HID: hid-cypress: validate length of report Ben Hutchings
                   ` (254 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Felipe Balbi, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.

The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/dummy_hcd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -266,7 +266,7 @@ static void nuke(struct dummy *dum, stru
 /* caller must hold lock */
 static void stop_activity(struct dummy *dum)
 {
-	struct dummy_ep	*ep;
+	int i;
 
 	/* prevent any more requests */
 	dum->address = 0;
@@ -274,8 +274,8 @@ static void stop_activity(struct dummy *
 	/* The timer is left running so that outstanding URBs can fail */
 
 	/* nuke any pending requests first, so driver i/o is quiesced */
-	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
-		nuke(dum, ep);
+	for (i = 0; i < DUMMY_ENDPOINTS; ++i)
+		nuke(dum, &dum->ep[i]);
 
 	/* driver now does any non-usb quiescing necessary */
 }
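Review bot: the new loop over `dum->ep[i]` has no comment saying that it replaces the `ep_list` walk on purpose, so that ep0 is nuked too. Since the commit message identifies the `ep_list` iteration as the bug, a short comment next to the `for` would stop a later cleanup from converting it back to `list_for_each_entry()`.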

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 166/370] USB: serial: mos7720: fix parallel probe
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 175/370] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 178/370] net: systemport: Pad packet before inserting TSB Ben Hutchings
                   ` (212 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit fde1faf872ed86d88e245191bc15a8e57368cd1c upstream.

A static usb-serial-driver structure that is used to initialise the
interrupt URB was modified during probe depending on the currently
probed device type, something which could break a parallel probe of a
device of a different type.

Fix this up by overriding the default completion callback for MCS7715
devices in attach() instead. We may want to use two usb-serial driver
instances for the two types later.

Fixes: fb088e335d78 ("USB: serial: add support for serial port on the
moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7720.c | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -65,8 +65,6 @@ struct moschip_port {
 	struct urb		*write_urb_pool[NUM_URBS];
 };
 
-static struct usb_serial_driver moschip7720_2port_driver;
-
 #define USB_VENDOR_ID_MOSCHIP		0x9710
 #define MOSCHIP_DEVICE_ID_7720		0x7720
 #define MOSCHIP_DEVICE_ID_7715		0x7715
@@ -962,25 +960,6 @@ static void mos7720_bulk_out_data_callba
 		tty_port_tty_wakeup(&mos7720_port->port->port);
 }
 
-/*
- * mos77xx_probe
- *	this function installs the appropriate read interrupt endpoint callback
- *	depending on whether the device is a 7720 or 7715, thus avoiding costly
- *	run-time checks in the high-frequency callback routine itself.
- */
-static int mos77xx_probe(struct usb_serial *serial,
-			 const struct usb_device_id *id)
-{
-	if (id->idProduct == MOSCHIP_DEVICE_ID_7715)
-		moschip7720_2port_driver.read_int_callback =
-			mos7715_interrupt_callback;
-	else
-		moschip7720_2port_driver.read_int_callback =
-			mos7720_interrupt_callback;
-
-	return 0;
-}
-
 static int mos77xx_calc_num_ports(struct usb_serial *serial)
 {
 	u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
@@ -1930,6 +1909,12 @@ static int mos7720_startup(struct usb_se
 			tmp->interrupt_in_endpointAddress;
 		serial->port[1]->interrupt_in_urb = NULL;
 		serial->port[1]->interrupt_in_buffer = NULL;
+
+		if (serial->port[0]->interrupt_in_urb) {
+			struct urb *urb = serial->port[0]->interrupt_in_urb;
+
+			urb->complete = mos7715_interrupt_callback;
+		}
 	}
 
 	/* setting configuration feature to one */
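Review bot: the assignment `urb->complete = mos7715_interrupt_callback;` overrides a handler installed elsewhere, and the block comment that used to explain the per-device callback choice is deleted by this patch along with mos77xx_probe(). Please add a comment here stating that the driver-wide default is `mos7720_interrupt_callback` and that 7715 devices replace it in attach. It would also help to say what is expected when `interrupt_in_urb` is NULL, since that case is now skipped silently.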
@@ -2043,7 +2028,6 @@ static struct usb_serial_driver moschip7
 	.close			= mos7720_close,
 	.throttle		= mos7720_throttle,
 	.unthrottle		= mos7720_unthrottle,
-	.probe			= mos77xx_probe,
 	.attach			= mos7720_startup,
 	.release		= mos7720_release,
 	.port_probe		= mos7720_port_probe,
@@ -2057,7 +2041,7 @@ static struct usb_serial_driver moschip7
 	.chars_in_buffer	= mos7720_chars_in_buffer,
 	.break_ctl		= mos7720_break,
 	.read_bulk_callback	= mos7720_bulk_in_callback,
-	.read_int_callback	= NULL  /* dynamically assigned in probe() */
+	.read_int_callback	= mos7720_interrupt_callback,
 };
 
 static struct usb_serial_driver * const serial_drivers[] = {

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 142/370] USB: gadgetfs: fix use-after-free bug
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 163/370] USB: serial: mos7720: " Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 171/370] USB: serial: pl2303: fix NULL-deref at open Ben Hutchings
                   ` (297 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Alan Stern, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit add333a81a16abbd4f106266a2553677a165725f upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
 ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
 <IRQ> [  201.343209]  [<     inline     >] __dump_stack lib/dump_stack.c:15
 <IRQ> [  201.343209]  [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<     inline     >] kasan_report mm/kasan/report.c:306
 [<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
 [<     inline     >] config_buf drivers/usb/gadget/legacy/inode.c:1298
 [<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
 [<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
 [<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
 [<     inline     >] expire_timers kernel/time/timer.c:1348
 [<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
 [<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
 [<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284

The cause of the bug is subtle.  The dev_config() routine gets called
twice by the fuzzer.  The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set.  But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.

The second time dev_config() is called, the user data contains only a
full-speed config descriptor.  But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config.  Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.

The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/inode.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1900,6 +1900,8 @@ dev_config (struct file *fd, const char
 			goto fail;
 		kbuf += total;
 		length -= total;
+	} else {
+		dev->hs_config = NULL;
 	}
 
 	/* could support multiple configs, using another encoding! */
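Review bot: clearing `dev->hs_config` in the new `else` branch fixes the second call, but the stale pointer is created on the first call's `goto fail` path, where the commit message says the buffer is deallocated. Resetting `dev->hs_config` to NULL at the `fail` label as well would remove the dangling pointer at its source rather than relying on a later call to overwrite it.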

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 143/370] USB: gadgetfs: fix checks of wTotalLength in config descriptors
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 161/370] USB: serial: keyspan_pda: verify endpoints at probe Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 139/370] USB: dummy-hcd: fix bug in stop_activity (handle ep0) Ben Hutchings
                   ` (255 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Felipe Balbi, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.

Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user.  In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE).  And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).

This patch adds the additional check and fixes the existing check.  It
may do a little more than strictly necessary, but one extra check
won't hurt.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1842,10 +1842,12 @@ static struct usb_gadget_driver probe_dr
  * such as configuration notifications.
  */
 
-static int is_valid_config (struct usb_config_descriptor *config)
+static int is_valid_config(struct usb_config_descriptor *config,
+		unsigned int total)
 {
 	return config->bDescriptorType == USB_DT_CONFIG
 		&& config->bLength == USB_DT_CONFIG_SIZE
+		&& total >= USB_DT_CONFIG_SIZE
 		&& config->bConfigurationValue != 0
 		&& (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
 		&& (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
@@ -1887,7 +1889,8 @@ dev_config (struct file *fd, const char
 	/* full or low speed config */
 	dev->config = (void *) kbuf;
 	total = le16_to_cpu(dev->config->wTotalLength);
-	if (!is_valid_config (dev->config) || total >= length)
+	if (!is_valid_config(dev->config, total) ||
+			total > length - USB_DT_DEVICE_SIZE)
 		goto fail;
 	kbuf += total;
 	length -= total;
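
Review bot: the new bound "total > length - USB_DT_DEVICE_SIZE" in
dev_config() is only safe if length is already known to be at least
USB_DT_DEVICE_SIZE at this point. If length is an unsigned type and
smaller than that, the subtraction wraps and an oversized wTotalLength
passes the test. The hunk does not show the earlier lower-bound check on
the write size, so either reference it in a comment here or write the
test without a subtraction: "total + USB_DT_DEVICE_SIZE > length".
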
@@ -1896,7 +1899,8 @@ dev_config (struct file *fd, const char
 	if (kbuf [1] == USB_DT_CONFIG) {
 		dev->hs_config = (void *) kbuf;
 		total = le16_to_cpu(dev->hs_config->wTotalLength);
-		if (!is_valid_config (dev->hs_config) || total >= length)
+		if (!is_valid_config(dev->hs_config, total) ||
+				total > length - USB_DT_DEVICE_SIZE)
 			goto fail;
 		kbuf += total;
 		length -= total;
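
Review bot: the hs_config branch repeats the full-speed test verbatim,
so the two can drift apart in a later change. Here the subtraction cannot
wrap, because the earlier check leaves at least USB_DT_DEVICE_SIZE bytes
after "length -= total", but that reasoning is implicit. A small helper
taking the descriptor pointer and the remaining length, used by both
branches, would state the rule once.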

* [PATCH 3.16 132/370] net/mlx4: Remove BUG_ON from ICM allocation routine
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (145 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 066/370] block: protect iterate_bdevs() against concurrent close Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 098/370] s390/vmlogrdr: fix IUCV buffer allocation Ben Hutchings
                   ` (224 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Ozgur Karatas, Tariq Toukan, Leon Romanovsky

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit c1d5f8ff80ea84768f5fae1ca9d1abfbb5e6bbaa upstream.

This patch removes BUG_ON() macro from mlx4_alloc_icm_coherent()
by checking DMA address alignment in advance and performing proper
folding in case of error.

Fixes: 5b0bf5e25efe ("mlx4_core: Support ICM tables in coherent memory")
Reported-by: Ozgur Karatas <okaratas@member.fsf.org>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/icm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/icm.c
+++ b/drivers/net/ethernet/mellanox/mlx4/icm.c
@@ -117,8 +117,13 @@ static int mlx4_alloc_icm_coherent(struc
 	if (!buf)
 		return -ENOMEM;
 
+	if (offset_in_page(buf)) {
+		dma_free_coherent(dev, PAGE_SIZE << order,
+				  buf, sg_dma_address(mem));
+		return -ENOMEM;
+	}
+
 	sg_set_buf(mem, buf, PAGE_SIZE << order);
-	BUG_ON(mem->offset);
 	sg_dma_len(mem) = PAGE_SIZE << order;
 	return 0;
 }
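
Review bot: the added check in mlx4_alloc_icm_coherent() tests
offset_in_page(buf), the CPU address of the buffer, while the commit
message describes it as a DMA address alignment check. A one-line comment
saying which address must be page aligned, and that it replaces the
removed BUG_ON(mem->offset), would make this clear. Returning -ENOMEM here
also makes a misaligned buffer indistinguishable from an allocation
failure for the caller; a distinct log message may be worth adding.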

* [PATCH 3.16 119/370] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 035/370] ext4: fix stack memory corruption with 64k block size Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 051/370] dm crypt: mark key as invalid until properly loaded Ben Hutchings
                   ` (267 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adamson, Andy, Trond Myklebust, Olga Kornievskaia, NeilBrown

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.com>

commit cfd278c280f997cf2fe4662e0acab0fe465f637b upstream.

Various places assume that if nfs4_fl_prepare_ds() returns a non-NULL 'ds',
then ds->ds_clp will also be non-NULL.

This is not necessarily true in the case when the process received a fatal signal
while nfs4_pnfs_ds_connect is waiting in nfs4_wait_ds_connect().
In that case ->ds_clp may not be set, and the devid may not recently have been marked
unavailable.

So add a test for ds_clp == NULL and return NULL in that case.

Fixes: c23266d532b4 ("NFS4.1 Fix data server connection race")
Signed-off-by: NeilBrown <neilb@suse.com>
Acked-by: Olga Kornievskaia <aglo@umich.edu>
Acked-by: Adamson, Andy <William.Adamson@netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/filelayout/filelayoutdev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/nfs/filelayout/filelayoutdev.c
+++ b/fs/nfs/filelayout/filelayoutdev.c
@@ -827,7 +827,8 @@ nfs4_fl_prepare_ds(struct pnfs_layout_se
 		nfs4_wait_ds_connect(ds);
 	}
 out_test_devid:
-	if (filelayout_test_devid_unavailable(devid))
+	if (ret->ds_clp == NULL ||
+	    filelayout_test_devid_unavailable(devid))
 		ret = NULL;
 out:
 	return ret;
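
Review bot: the new test at out_test_devid dereferences ret
("ret->ds_clp") unconditionally, so every path that jumps to or falls
through to that label must arrive with ret non-NULL, and the hunk does
not show that. Please confirm the NULL-ds case leaves via "out" rather
than "out_test_devid", or guard the dereference with a ret != NULL test.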

* [PATCH 3.16 178/370] net: systemport: Pad packet before inserting TSB
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 166/370] USB: serial: mos7720: fix parallel probe Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 140/370] usb: gadgetfs: restrict upper bound on device configuration size Ben Hutchings
                   ` (211 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 38e5a85562a6cd911fc26d951d576551a688574c upstream.

Inserting the TSB means adding an extra 8 bytes in front of the packet
that is going to be used as metadata information by the TDMA engine, but
stripped off, so it does not really help with the packet padding.

For some odd packet sizes that fall below the 60 bytes payload (e.g: ARP)
we can end-up padding them after the TSB insertion, thus making them 64
bytes, but with the TDMA stripping off the first 8 bytes, they could
still be smaller than 64 bytes which is required to ingress the switch.

Fix this by swapping the padding and TSB insertion, guaranteeing that
the packets have the right sizes.

Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -843,15 +843,6 @@ static netdev_tx_t bcm_sysport_xmit(stru
 		goto out;
 	}
 
-	/* Insert TSB and checksum infos */
-	if (priv->tsb_en) {
-		skb = bcm_sysport_insert_tsb(skb, dev);
-		if (!skb) {
-			ret = NETDEV_TX_OK;
-			goto out;
-		}
-	}
-
 	/* The Ethernet switch we are interfaced with needs packets to be at
 	 * least 64 bytes (including FCS) otherwise they will be discarded when
 	 * they enter the switch port logic. When Broadcom tags are enabled, we
@@ -864,6 +855,15 @@ static netdev_tx_t bcm_sysport_xmit(stru
 		goto out;
 	}
 
+	/* Insert TSB and checksum infos */
+	if (priv->tsb_en) {
+		skb = bcm_sysport_insert_tsb(skb, dev);
+		if (!skb) {
+			ret = NETDEV_TX_OK;
+			goto out;
+		}
+	}
+
 	skb_len = skb->len < ETH_ZLEN + ENET_BRCM_TAG_LEN ?
 			ETH_ZLEN + ENET_BRCM_TAG_LEN : skb->len;
 

* [PATCH 3.16 154/370] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 081/370] clk: clk-wm831x: fix a logic error Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 152/370] xhci: Handle command completion and timeout race Ben Hutchings
                   ` (329 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mathias Nyman, Wan Ahmad Zainie, Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>

commit 6c97cfc1a097b1e0786c836e92b7a72b4d031e25 upstream.

Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK.
Adding its PCI ID to quirk.

Signed-off-by: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-pci.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -150,7 +150,8 @@ static void xhci_pci_quirks(struct devic
 		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI ||
-		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI)) {
+		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI)) {
 		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
 	}
 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
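
Review bot: the added comparison uses PCI_DEVICE_ID_INTEL_APL_XHCI, but
the diffstat shows only this file changing, with two insertions, and no
definition of the macro appears in the patch. For the 3.16 backport,
please confirm the ID is already defined in this tree, otherwise the
build breaks. As the list of device IDs grows, a comment naming the
platforms that need XHCI_PME_STUCK_QUIRK would also help.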

* [PATCH 3.16 149/370] xhci: free xhci virtual devices with leaf nodes first
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 030/370] powerpc/pci/rpadlpar: Fix device reference leaks Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 115/370] scsi: avoid a permanent stop of the scsi device's request queue Ben Hutchings
                   ` (294 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Guenter Roeck, Greg Kroah-Hartman, Mathias Nyman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit ee8665e28e8d90ce69d4abe5a469c14a8707ae0e upstream.

The tt_info provided by a HS hub might be in use by a child device.
Make sure we free the devices in the correct order.

This is needed in special cases such as when xhci controller is
reset when resuming from hibernate, and all virt_devices are freed.

Also free the virt_devices starting from max slot_id as children
more commonly have higher slot_id than parent.

Reported-by: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-mem.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -965,6 +965,40 @@ void xhci_free_virt_device(struct xhci_h
 	xhci->devs[slot_id] = NULL;
 }
 
+/*
+ * Free a virt_device structure.
+ * If the virt_device added a tt_info (a hub) and has children pointing to
+ * that tt_info, then free the child first. Recursive.
+ * We can't rely on udev at this point to find child-parent relationships.
+ */
+void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id)
+{
+	struct xhci_virt_device *vdev;
+	struct list_head *tt_list_head;
+	struct xhci_tt_bw_info *tt_info, *next;
+	int i;
+
+	vdev = xhci->devs[slot_id];
+	if (!vdev)
+		return;
+
+	tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts);
+	list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
+		/* is this a hub device that added a tt_info to the tts list */
+		if (tt_info->slot_id == slot_id) {
+			/* are any devices using this tt_info? */
+			for (i = 1; i < HCS_MAX_SLOTS(xhci->hcs_params1); i++) {
+				vdev = xhci->devs[i];
+				if (vdev && (vdev->tt_info == tt_info))
+					xhci_free_virt_devices_depth_first(
+						xhci, i);
+			}
+		}
+	}
+	/* we are now at a leaf device */
+	xhci_free_virt_device(xhci, slot_id);
+}
+
 int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
 		struct usb_device *udev, gfp_t flags)
 {
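
Review bot: in xhci_free_virt_devices_depth_first(), the expression
"xhci->rh_bw[vdev->real_port - 1]" is evaluated without checking that
real_port is non-zero, so a virt_device whose real_port was never set
indexes one element before the array. Suggest validating real_port
before taking tt_list_head and, when it is invalid, skipping the tts walk
and freeing the slot directly. The function is also non-static while the
diffstat touches only xhci-mem.c; make it static unless a prototype is
added elsewhere.
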
@@ -1828,8 +1862,8 @@ void xhci_mem_cleanup(struct xhci_hcd *x
 		}
 	}
 
-	for (i = 1; i < MAX_HC_SLOTS; ++i)
-		xhci_free_virt_device(xhci, i);
+	for (i = HCS_MAX_SLOTS(xhci->hcs_params1); i > 0; i--)
+		xhci_free_virt_devices_depth_first(xhci, i);
 
 	if (xhci->segment_pool)
 		dma_pool_destroy(xhci->segment_pool);
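
Review bot: this cleanup loop runs from HCS_MAX_SLOTS(xhci->hcs_params1)
down to 1 inclusive, but the child scan added in
xhci_free_virt_devices_depth_first() uses
"i < HCS_MAX_SLOTS(xhci->hcs_params1)", so a child in the highest slot is
never found by that scan. With the descending order that slot has usually
been freed already, but the two bounds should agree ("i <=" in the scan).
The old loop also visited every index below MAX_HC_SLOTS; a line in the
changelog on why slots above HCS_MAX_SLOTS cannot be populated would help.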

* [PATCH 3.16 185/370] usb: storage: unusual_uas: Add JMicron JMS56x to unusual device
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 023/370] PCI: Check for PME in targeted sleep state Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 118/370] drivers/gpu/drm/ast: Fix infinite loop if read fails Ben Hutchings
                   ` (306 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oliver Neukum, Oliver Neukum, Greg Kroah-Hartman, George Cherian

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 674aea07e38200ea6f31ff6d5f200f0cf6cdb325 upstream.

This device gives the following error on detection.
xhci_hcd 0000:00:11.0: ERROR Transfer event for disabled endpoint or
incorrect stream ring

The same error is not seen when it is added to unusual_device
list with US_FL_NO_REPORT_OPCODES passed.

Signed-off-by: George Cherian <george.cherian@cavium.com>
Signed-off-by: Oliver Neukum <oneukun@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/unusual_devs.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1990,6 +1990,13 @@ UNUSUAL_DEV(  0x152d, 0x2566, 0x0114, 0x
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_BROKEN_FUA ),
 
+/* Reported-by George Cherian <george.cherian@cavium.com> */
+UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
+		"JMicron",
+		"JMS56x",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_NO_REPORT_OPCODES),
+
 /* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI)
  * and Mac USB Dock USB-SCSI */
 UNUSUAL_DEV(  0x1645, 0x0007, 0x0100, 0x0133,
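
Review bot: the subject line says unusual_uas, but this hunk adds the
JMS56x entry to unusual_devs.h. Please confirm that this is the intended
table and that US_FL_NO_REPORT_OPCODES set here is seen by the driver
that actually binds the device. The revision range 0x0000 to 0x9999
applies the flag to every firmware revision; if the report came from one
revision, say so in the comment. The comment tag should also read
"Reported-by:" with a colon.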

* [PATCH 3.16 141/370] USB: gadgetfs: fix unbounded memory allocation bug
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 180/370] sh_eth: enable RX descriptor word 0 shift on SH7734 Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 093/370] nfs_write_end(): fix handling of short copies Ben Hutchings
                   ` (187 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Felipe Balbi, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
 ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:308
 [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
 [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
 [<     inline     >] copy_from_user arch/x86/include/asm/uaccess.h:689
 [<     inline     >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
 [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
 [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
 [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
 [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning.  It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1200,7 +1200,7 @@ ep0_write (struct file *fd, const char _
 	/* data and/or status stage for control request */
 	} else if (dev->state == STATE_DEV_SETUP) {
 
-		/* IN DATA+STATUS caller makes len <= wLength */
+		len = min_t(size_t, len, dev->setup_wLength);
 		if (dev->setup_in) {
 			retval = setup_req (dev->gadget->ep0, dev->req, len);
 			if (retval == 0) {
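
Review bot: the clamp "len = min_t(size_t, len, dev->setup_wLength)"
removes the only comment that documented the len <= wLength rule, and it
sits before "if (dev->setup_in)", so it applies to everything in the
STATE_DEV_SETUP case. A short comment stating that the write is truncated
to the wLength of the control transfer would keep the intent visible to
the next reader.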

* [PATCH 3.16 181/370] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 186/370] USB: fix problems with duplicate endpoint addresses Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 136/370] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb() Ben Hutchings
                   ` (234 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, andi.kleen, luto, Borislav Petkov, Lukasz Odzioba,
	Ingo Molnar, slaoub, bp, Peter Zijlstra, dave.hansen,
	Linus Torvalds, Thomas Gleixner

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukasz Odzioba <lukasz.odzioba@intel.com>

commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.

A negative number can be specified in the cmdline which will be used as
setup_clear_cpu_cap() argument. With that we can clear/set some bit in
memory preceding boot_cpu_data/cpu_caps_cleared which may cause kernel
to misbehave. This patch adds lower bound check to setup_disablecpuid().

Boris Petkov reproduced a crash:

  [    1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
  [    1.236535] IP: memcpy_erms+0x6/0x10

Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
Acked-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: andi.kleen@intel.com
Cc: bp@alien8.de
Cc: dave.hansen@linux.intel.com
Cc: luto@kernel.org
Cc: slaoub@gmail.com
Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Link: http://lkml.kernel.org/r/1482933340-11857-1-git-send-email-lukasz.odzioba@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1105,7 +1105,7 @@ static __init int setup_disablecpuid(cha
 {
 	int bit;
 
-	if (get_option(&arg, &bit) && bit < NCAPINTS*32)
+	if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
 		setup_clear_cpu_cap(bit);
 	else
 		return 0;
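
Review bot: a negative or out-of-range clearcpuid= value now falls
through to "return 0" in setup_disablecpuid() with no diagnostic. Since
the commit message shows that a bad value used to crash the boot, a
pr_warn naming the rejected value would help whoever mistyped the option.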

* [PATCH 3.16 180/370] sh_eth: enable RX descriptor word 0 shift on SH7734
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 110/370] IPoIB: Avoid reading an uninitialized member variable Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 141/370] USB: gadgetfs: fix unbounded memory allocation bug Ben Hutchings
                   ` (188 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sergei Shtylyov, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 71eae1ca77fd6be218d8a952d97bba827e56516d upstream.

The RX descriptor word 0 on SH7734 has the RFS[9:0] field in bits 16-25
(bits 0-15 usually used for that are occupied by the packet checksum).
Thus we need to set the 'shift_rd0' field in the SH7734 SoC data...

Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -713,6 +713,7 @@ static struct sh_eth_cpu_data sh7734_dat
 	.tsu		= 1,
 	.hw_crc		= 1,
 	.select_mii	= 1,
+	.shift_rd0	= 1,
 };
 
 /* SH7763 */

* [PATCH 3.16 144/370] ARM: davinci: da850: don't add emac clock to lookup table twice
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 151/370] usb: host: xhci: Fix possible wild pointer when handling abort command Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 042/370] IB/mlx4: Fix port query for 56Gb Ethernet links Ben Hutchings
                   ` (277 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bartosz Golaszewski, Sekhar Nori

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bgolaszewski@baylibre.com>

commit ef37427ac5677331145ab27a17e6f5f1b43f0c11 upstream.

Similarly to the aemif clock - this screws up the linked list of clock
children. Create a separate clock for mdio inheriting the rate from
emac_clk.

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
[nsekhar@ti.com: add a comment over mdio_clk to explain its existence +
		 commit headline updates]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-davinci/da850.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/arch/arm/mach-davinci/da850.c
+++ b/arch/arm/mach-davinci/da850.c
@@ -297,6 +297,16 @@ static struct clk emac_clk = {
 	.gpsc		= 1,
 };
 
+/*
+ * In order to avoid adding the emac_clk to the clock lookup table twice (and
+ * screwing up the linked list in the process) create a separate clock for
+ * mdio inheriting the rate from emac_clk.
+ */
+static struct clk mdio_clk = {
+	.name		= "mdio",
+	.parent		= &emac_clk,
+};
+
 static struct clk mcasp_clk = {
 	.name		= "mcasp",
 	.parent		= &pll0_sysclk2,
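
Review bot: mdio_clk is declared with only .name and .parent, without the
PSC fields that emac_clk sets (".gpsc = 1" in the context above).
Enabling the MDIO clock therefore depends on the clock code enabling the
parent when a child is enabled. Please confirm that holds in this tree,
since davinci_mdio would otherwise run with the EMAC module gated.
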
@@ -461,7 +471,7 @@ static struct clk_lookup da850_clks[] =
 	CLK(NULL,		"arm",		&arm_clk),
 	CLK(NULL,		"rmii",		&rmii_clk),
 	CLK("davinci_emac.1",	NULL,		&emac_clk),
-	CLK("davinci_mdio.0",	"fck",		&emac_clk),
+	CLK("davinci_mdio.0",	"fck",		&mdio_clk),
 	CLK("davinci-mcasp.0",	NULL,		&mcasp_clk),
 	CLK("da8xx_lcdc.0",	"fck",		&lcdc_clk),
 	CLK("da830-mmc.0",	NULL,		&mmcsd0_clk),

* [PATCH 3.16 151/370] usb: host: xhci: Fix possible wild pointer when handling abort command
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 177/370] mei: move write cb to completion on credentials failures Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 144/370] ARM: davinci: da850: don't add emac clock to lookup table twice Ben Hutchings
                   ` (278 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mathias Nyman, Greg Kroah-Hartman, Baolin Wang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Baolin Wang <baolin.wang@linaro.org>

commit 2a7cfdf37b7c08ac29df4c62ea5ccb01474b6597 upstream.

When current command was supposed to be aborted, host will free the command
in handle_cmd_completion() function. But it might be still referenced by
xhci->current_cmd, which needs to be set to NULL.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1380,8 +1380,11 @@ static void handle_cmd_completion(struct
 	 */
 	if (cmd_comp_code == COMP_CMD_ABORT) {
 		xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
-		if (cmd->status == COMP_CMD_ABORT)
+		if (cmd->status == COMP_CMD_ABORT) {
+			if (xhci->current_cmd == cmd)
+				xhci->current_cmd = NULL;
 			goto event_handled;
+		}
 	}
 
 	cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3]));
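
Review bot: xhci->current_cmd is cleared only inside the
"cmd->status == COMP_CMD_ABORT" branch, yet the commit message says the
stale pointer arises because the command is freed in this function, and
that free is not part of the hunk. Please add a comment tying the NULL
assignment to the place where cmd is released, and confirm that no other
early jump to event_handled leaves current_cmd pointing at a freed
command.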

* [PATCH 3.16 147/370] btrfs: fix error handling when run_delayed_extent_op fails
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 148/370] btrfs: fix locking when we put back a delayed ref that's too new Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 006/370] crypto: arm64/aes-neon - fix for big endian Ben Hutchings
                   ` (248 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jon Nelson, David Sterba, Jeff Mahoney, Liu Bo

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit aa7c8da35d1905d80e840d075f07d26ec90144b5 upstream.

In __btrfs_run_delayed_refs, the error path when run_delayed_extent_op
fails sets locked_ref->processing = 0 but doesn't re-increment
delayed_refs->num_heads_ready.  As a result, we end up triggering
the WARN_ON in btrfs_select_ref_head.

Fixes: d7df2c796d7 (Btrfs: attach delayed ref updates to delayed ref heads)
Reported-by: Jon Nelson <jnelson-suse@jamponi.net>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/extent-tree.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2479,7 +2479,10 @@ static noinline int __btrfs_run_delayed_
 					 */
 					if (must_insert_reserved)
 						locked_ref->must_insert_reserved = 1;
+					spin_lock(&delayed_refs->lock);
 					locked_ref->processing = 0;
+					delayed_refs->num_heads_ready++;
+					spin_unlock(&delayed_refs->lock);
 					btrfs_debug(fs_info, "run_delayed_extent_op returned %d", ret);
 					btrfs_delayed_ref_unlock(locked_ref);
 					return ret;

* [PATCH 3.16 133/370] ARM: dts: imx31: fix AVIC base address
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 125/370] clk: renesas: mstp: Support 8-bit registers for r7s72100 Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 068/370] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket Ben Hutchings
                   ` (339 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shawn Guo, Fabio Estevam, Vladimir Zapolskiy

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>

commit af92305e567b7f4c9cf48b9e46c1f48ec9ffb1fb upstream.

On i.MX31 AVIC interrupt controller base address is at 0x68000000.

The problem was shadowed by the AVIC driver, which takes the correct
base address from a SoC specific header file.

Fixes: d2a37b3d91f4 ("ARM i.MX31: Add devicetree support")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/imx31.dtsi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -30,11 +30,11 @@
 		};
 	};
 
-	avic: avic-interrupt-controller@60000000 {
+	avic: interrupt-controller@68000000 {
 		compatible = "fsl,imx31-avic", "fsl,avic";
 		interrupt-controller;
 		#interrupt-cells = <1>;
-		reg = <0x60000000 0x100000>;
+		reg = <0x68000000 0x100000>;
 	};
 
 	soc {
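
Review bot: besides the reg fix, the node is renamed from
avic-interrupt-controller to interrupt-controller, which the commit
message does not mention. The "avic:" label is kept, so phandle
references still resolve, but anything that looks the node up by path or
name would stop matching. The rename should be stated in the changelog,
particularly for a stable backport.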

* [PATCH 3.16 134/370] mtd: nand: xway: disable module support
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Hauke Mehrtens

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hauke Mehrtens <hauke@hauke-m.de>

commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.

The xway_nand driver accesses the ltq_ebu_membase symbol which is not
exported. This also should not get exported and we should handle the
EBU interface in a better way later. This quick fix just deactivated
support for building as module.

Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/nand/Kconfig
+++ b/drivers/mtd/nand/Kconfig
@@ -506,7 +506,7 @@ config MTD_NAND_FSMC
 	  Flexible Static Memory Controller (FSMC)
 
 config MTD_NAND_XWAY
-	tristate "Support for NAND on Lantiq XWAY SoC"
+	bool "Support for NAND on Lantiq XWAY SoC"
 	depends on LANTIQ && SOC_TYPE_XWAY
 	select MTD_NAND_PLATFORM
 	help
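
Review bot: nothing at config MTD_NAND_XWAY records why this option is
bool rather than tristate. The reason is only in the commit message
(the driver uses ltq_ebu_membase, which is not exported), so a short
comment above the entry or a line in the help text would keep a later
cleanup from switching it back to tristate and reintroducing the
problem.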

* [PATCH 3.16 130/370] net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jack Morgenstein, Tariq Toukan, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 3b01fe7f91c8e4f9afc4fae3c5af72c14958d2d8 upstream.

mlx4_QP_FLOW_STEERING_DETACH_wrapper first removes the steering
rule (which results in freeing the rule structure), and then
references a field in this struct (the qp number) when releasing the
busy-status on the rule's qp.

Since this memory was freed, it could be reallocated and changed.
Therefore, the qp number in the struct may be incorrect,
so that we are releasing the incorrect qp. This leaves the rule's qp
in the busy state (and could possibly release an incorrect qp as well).

Fix this by saving the qp number in a local variable, for use after
removing the steering rule.

Fixes: 2c473ae7e582 ("net/mlx4_core: Disallow releasing VF QPs which have steering rules")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -4091,6 +4091,7 @@ int mlx4_QP_FLOW_STEERING_DETACH_wrapper
 	int err;
 	struct res_qp *rqp;
 	struct res_fs_rule *rrule;
+	int qpn;
 
 	if (dev->caps.steering_mode !=
 	    MLX4_STEERING_MODE_DEVICE_MANAGED)
@@ -4099,9 +4100,10 @@ int mlx4_QP_FLOW_STEERING_DETACH_wrapper
 	err = get_res(dev, slave, vhcr->in_param, RES_FS_RULE, &rrule);
 	if (err)
 		return err;
+	qpn = rrule->qpn;
 	/* Release the rule form busy state before removal */
 	put_res(dev, slave, vhcr->in_param, RES_FS_RULE);
-	err = get_res(dev, slave, rrule->qpn, RES_QP, &rqp);
+	err = get_res(dev, slave, qpn, RES_QP, &rqp);
 	if (err)
 		return err;
 
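
Review bot: the copy qpn = rrule->qpn is only safe because it sits
between get_res() and put_res() on the rule, and nothing in the code
says so. A one-line comment that rrule must not be dereferenced once
the rule has been released with put_res(..., RES_FS_RULE) would keep a
later cleanup from moving the read back down. The comment just below
it also has a typo worth fixing while this block is being touched:
"form busy state" should be "from busy state".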
@@ -4117,7 +4119,7 @@ int mlx4_QP_FLOW_STEERING_DETACH_wrapper
 	if (!err)
 		atomic_dec(&rqp->ref_count);
 out:
-	put_res(dev, slave, rrule->qpn, RES_QP);
+	put_res(dev, slave, qpn, RES_QP);
 	return err;
 }
 

* [PATCH 3.16 125/370] clk: renesas: mstp: Support 8-bit registers for r7s72100
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Chris Brandt, Stephen Boyd, Kuninori Morimoto, Geert Uytterhoeven

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Brandt <chris.brandt@renesas.com>

commit e2a33c34ddff22ee208d80abdd12b88a98d6cb60 upstream.

The RZ/A1 is different than the other Renesas SOCs because the MSTP
registers are 8-bit instead of 32-bit and if you try writing values as
32-bit nothing happens...meaning this driver never worked for r7s72100.

Fixes: b6face404f38 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi")
Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/shmobile/clk-mstp.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

--- a/drivers/clk/shmobile/clk-mstp.c
+++ b/drivers/clk/shmobile/clk-mstp.c
@@ -31,12 +31,14 @@
  * @smstpcr: module stop control register
  * @mstpsr: module stop status register (optional)
  * @lock: protects writes to SMSTPCR
+ * @width_8bit: registers are 8-bit, not 32-bit
  */
 struct mstp_clock_group {
 	struct clk_onecell_data data;
 	void __iomem *smstpcr;
 	void __iomem *mstpsr;
 	spinlock_t lock;
+	bool width_8bit;
 };
 
 /**
@@ -53,6 +55,18 @@ struct mstp_clock {
 
 #define to_mstp_clock(_hw) container_of(_hw, struct mstp_clock, hw)
 
+static inline u32 cpg_mstp_read(struct mstp_clock_group *group,
+				u32 __iomem *reg)
+{
+	return group->width_8bit ? readb(reg) : clk_readl(reg);
+}
+
+static inline void cpg_mstp_write(struct mstp_clock_group *group, u32 val,
+				  u32 __iomem *reg)
+{
+	group->width_8bit ? writeb(val, reg) : clk_writel(val, reg);
+}
+
 static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable)
 {
 	struct mstp_clock *clock = to_mstp_clock(hw);
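
Review bot: cpg_mstp_write() narrows val to 8 bits through writeb()
with no check, so on an 8-bit group any bit at index 8 or above is
dropped without a warning; a check on the bit index where width_8bit
groups are set up would catch a bad device tree entry. Two style
points in the same helpers: the reg parameter is declared
u32 __iomem * although it is also handed to readb()/writeb() and the
struct fields are void __iomem *, and
group->width_8bit ? writeb(val, reg) : clk_writel(val, reg); uses a
conditional expression purely for its side effects where a plain
if/else reads better.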
@@ -64,12 +78,12 @@ static int cpg_mstp_clock_endisable(stru
 
 	spin_lock_irqsave(&group->lock, flags);
 
-	value = clk_readl(group->smstpcr);
+	value = cpg_mstp_read(group, group->smstpcr);
 	if (enable)
 		value &= ~bitmask;
 	else
 		value |= bitmask;
-	clk_writel(value, group->smstpcr);
+	cpg_mstp_write(group, value, group->smstpcr);
 
 	spin_unlock_irqrestore(&group->lock, flags);
 
@@ -77,7 +91,7 @@ static int cpg_mstp_clock_endisable(stru
 		return 0;
 
 	for (i = 1000; i > 0; --i) {
-		if (!(clk_readl(group->mstpsr) & bitmask))
+		if (!(cpg_mstp_read(group, group->mstpsr) & bitmask))
 			break;
 		cpu_relax();
 	}
@@ -108,9 +122,9 @@ static int cpg_mstp_clock_is_enabled(str
 	u32 value;
 
 	if (group->mstpsr)
-		value = clk_readl(group->mstpsr);
+		value = cpg_mstp_read(group, group->mstpsr);
 	else
-		value = clk_readl(group->smstpcr);
+		value = cpg_mstp_read(group, group->smstpcr);
 
 	return !(value & BIT(clock->bit_index));
 }
@@ -182,6 +196,9 @@ static void __init cpg_mstp_clocks_init(
 		return;
 	}
 
+	if (of_device_is_compatible(np, "renesas,r7s72100-mstp-clocks"))
+		group->width_8bit = true;
+
 	for (i = 0; i < MSTP_MAX_CLOCKS; ++i)
 		clks[i] = ERR_PTR(-ENOENT);
 
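
Review bot: width_8bit is only ever set to true, here, so every other
SoC relies on group having been zero-initialised when it was
allocated, which is outside this hunk. Worth confirming that
allocation, or assigning the result of of_device_is_compatible()
directly so the flag is always written.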

* [PATCH 3.16 120/370] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jani Nikula, Hans de Goede, Ville Syrjälä

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit bb98e72adaf9d19719aba35f802d4836f5d5176c upstream.

On my Cherrytrail CUBE iwork8 Air tablet PIPE-A would get stuck on loading
i915 at boot 1 out of every 3 boots, resulting in a non functional LCD.
Once the i915 driver has successfully loaded, the panel can be disabled /
enabled without hitting this issue.

The getting stuck is caused by vlv_init_display_clock_gating() clearing
the DPOUNIT_CLOCK_GATE_DISABLE bit in DSPCLK_GATE_D when called from
chv_pipe_power_well_ops.enable() on driver load, while a pipe is enabled
driving the DSI LCD by the BIOS.

Clearing this bit while DSI is in use is a known issue and
intel_dsi_pre_enable() / intel_dsi_post_disable() already set / clear it
as appropriate.

This commit modifies vlv_init_display_clock_gating() to leave the
DPOUNIT_CLOCK_GATE_DISABLE bit alone fixing the pipe getting stuck.

Changes in v2:
-Replace PIPE-A with "a pipe" or "the pipe" in the commit msg and
comment

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97330
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161202142904.25613-1-hdegoede@redhat.com
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
(cherry picked from commit 721d484563e1a51ada760089c490cbc47e909756)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -5346,7 +5346,16 @@ static void valleyview_init_clock_gating
 	DRM_DEBUG_DRIVER("Current CD clock rate: %d MHz",
 			 dev_priv->vlv_cdclk_freq);
 
-	I915_WRITE(DSPCLK_GATE_D, VRHUNIT_CLOCK_GATE_DISABLE);
+	/*
+	 * On driver load, a pipe may be active and driving a DSI display.
+	 * Preserve DPOUNIT_CLOCK_GATE_DISABLE to avoid the pipe getting stuck
+	 * (and never recovering) in this case. intel_dsi_post_disable() will
+	 * clear it when we turn off the display.
+	 */
+	val = I915_READ(DSPCLK_GATE_D);
+	val &= DPOUNIT_CLOCK_GATE_DISABLE;
+	val |= VRHUNIT_CLOCK_GATE_DISABLE;
+	I915_WRITE(DSPCLK_GATE_D, val);
 
 	/* WaDisableEarlyCull:vlv */
 	I915_WRITE(_3D_CHICKEN3,
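
Review bot: val is read and written in the added lines but none of
them declares it, so the backport depends on
valleyview_init_clock_gating() in 3.16 already having a suitable local
named val. The commit message names vlv_init_display_clock_gating(), a
different function from the one patched here, so this is worth
confirming with a build of this file. Note also that
val &= DPOUNIT_CLOCK_GATE_DISABLE keeps only that one bit and discards
everything else read from DSPCLK_GATE_D; that matches the old
unconditional write but is easy to misread as a mask-off, so a short
remark in the comment would help.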

* [PATCH 3.16 128/370] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Kweh, Hock Leong, Florian Fainelli

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 5701659004d68085182d2fd4199c79172165fa65 upstream.

There is currently a small window during which the network device registered by
stmmac can be made visible, yet all resources, including the clock and MDIO bus
have not had a chance to be set up, this can lead to the following error to
occur:

[  473.919358] stmmaceth 0000:01:00.0 (unnamed net_device) (uninitialized):
                stmmac_dvr_probe: warning: cannot get CSR clock
[  473.919382] stmmaceth 0000:01:00.0: no reset control found
[  473.919412] stmmac - user ID: 0x10, Synopsys ID: 0x42
[  473.919429] stmmaceth 0000:01:00.0: DMA HW capability register supported
[  473.919436] stmmaceth 0000:01:00.0: RX Checksum Offload Engine supported
[  473.919443] stmmaceth 0000:01:00.0: TX Checksum insertion supported
[  473.919451] stmmaceth 0000:01:00.0 (unnamed net_device) (uninitialized):
                Enable RX Mitigation via HW Watchdog Timer
[  473.921395] libphy: PHY stmmac-1:00 not found
[  473.921417] stmmaceth 0000:01:00.0 eth0: Could not attach to PHY
[  473.921427] stmmaceth 0000:01:00.0 eth0: stmmac_open: Cannot attach to
                PHY (error: -19)
[  473.959710] libphy: stmmac: probed
[  473.959724] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 0 IRQ POLL
                (stmmac-1:00) active
[  473.959728] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 1 IRQ POLL
                (stmmac-1:01)
[  473.959731] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 2 IRQ POLL
                (stmmac-1:02)
[  473.959734] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 3 IRQ POLL
                (stmmac-1:03)

Fix this by making sure that register_netdev() is the last thing being done,
which guarantees that the clock and the MDIO bus are available.

Fixes: 4bfcbd7abce2 ("stmmac: Move the mdio_register/_unregister in probe/remove")
Reported-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - stmmac_dvr_probe() returns a pointer
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2769,12 +2769,6 @@ struct stmmac_priv *stmmac_dvr_probe(str
 	spin_lock_init(&priv->lock);
 	spin_lock_init(&priv->tx_lock);
 
-	ret = register_netdev(ndev);
-	if (ret) {
-		pr_err("%s: ERROR %i registering the device\n", __func__, ret);
-		goto error_netdev_register;
-	}
-
 	/* If a specific clk_csr value is passed from the platform
 	 * this means that the CSR Clock Range selection cannot be
 	 * changed at run-time and it is fixed. Viceversa the driver'll try to
@@ -2799,11 +2793,14 @@ struct stmmac_priv *stmmac_dvr_probe(str
 		}
 	}
 
-	return priv;
+	ret = register_netdev(ndev);
+	if (ret)
+		netdev_err(priv->dev, "%s: ERROR %i registering the device\n",
+			   __func__, ret);
+
+	return ret ? ERR_PTR(ret) : priv;
 
 error_mdio_register:
-	unregister_netdev(ndev);
-error_netdev_register:
 	netif_napi_del(&priv->napi);
 error_hw_init:
 	clk_disable_unprepare(priv->stmmac_clk);
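
Review bot: when register_netdev() fails, the new code logs the error
and returns ERR_PTR(ret) straight away, skipping the unwind labels
below (netif_napi_del(), clk_disable_unprepare() and whatever
follows), so everything set up earlier in probe is left in place on
that path. Before the move the failure jumped to
error_netdev_register; the relocated call needs an equivalent goto,
and the MDIO bus, which the commit message says is now set up before
registration, would need unregistering on that path too.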

* [PATCH 3.16 140/370] usb: gadgetfs: restrict upper bound on device configuration size
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Felipe Balbi, Greg Kroah-Hartman, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.

Andrey Konovalov reported that we were not properly checking the upper
limit of a device configuration size before calling
memdup_user(), which could cause some problems.

So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1862,7 +1862,8 @@ dev_config (struct file *fd, const char
 	u32			tag;
 	char			*kbuf;
 
-	if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
+	if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
+	    (len > PAGE_SIZE * 4))
 		return -EINVAL;
 
 	/* we might need to change message format someday */
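
Review bot: the new upper bound PAGE_SIZE * 4 is an unexplained magic
number, and because it scales with the page size the largest accepted
configuration differs between architectures (16 KiB with 4 KiB pages,
256 KiB with 64 KiB pages). A named constant with a comment saying how
the limit was chosen, or a fixed byte count, would make the check in
front of the memdup_user() call named in the commit message easier to
audit.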

* [PATCH 3.16 135/370] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Janusz Dziedzic

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit 7931ec86c1b738e4e90e58c6d95e5f720d45ee56 upstream.

For now this is just a cleanup patch, no functional
changes. We will be using the new function to fix a
bug introduced long ago by commit 0416e494ce7d
("usb: dwc3: ep0: correct cache sync issue in case
of ep0_bounced") and further worsened by commit
c0bd5456a470 ("usb: dwc3: ep0: handle non maxpacket
aligned transfers > 512")

Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16:
 - dwc3_ep0_start_trans() doesn't have a 'chain' parameter, so don't
   give dwc3_ep0_prepare_one_trb() this parameter
 - Also delete a debug log statement, removed earlier upstream
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/ep0.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -54,20 +54,13 @@ static const char *dwc3_ep0_state_string
 	}
 }
 
-static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum, dma_addr_t buf_dma,
-		u32 len, u32 type)
+static void dwc3_ep0_prepare_one_trb(struct dwc3 *dwc, u8 epnum,
+		dma_addr_t buf_dma, u32 len, u32 type)
 {
-	struct dwc3_gadget_ep_cmd_params params;
 	struct dwc3_trb			*trb;
 	struct dwc3_ep			*dep;
 
-	int				ret;
-
 	dep = dwc->eps[epnum];
-	if (dep->flags & DWC3_EP_BUSY) {
-		dev_vdbg(dwc->dev, "%s: still busy\n", dep->name);
-		return 0;
-	}
 
 	trb = dwc->ep0_trb;
 
@@ -80,6 +73,20 @@ static int dwc3_ep0_start_trans(struct d
 			| DWC3_TRB_CTRL_LST
 			| DWC3_TRB_CTRL_IOC
 			| DWC3_TRB_CTRL_ISP_IMI);
+}
+
+static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum, dma_addr_t buf_dma,
+		u32 len, u32 type)
+{
+	struct dwc3_gadget_ep_cmd_params params;
+	struct dwc3_ep			*dep;
+	int				ret;
+
+	dep = dwc->eps[epnum];
+	if (dep->flags & DWC3_EP_BUSY)
+		return 0;
+
+	dwc3_ep0_prepare_one_trb(dwc, epnum, buf_dma, len, type);
 
 	memset(&params, 0, sizeof(params));
 	params.param0 = upper_32_bits(dwc->ep0_trb_addr);
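
Review bot: after the split, the DWC3_EP_BUSY test lives only in
dwc3_ep0_start_trans(), and dwc3_ep0_prepare_one_trb() sets up
dwc->ep0_trb without it. Since the commit message says the helper will
be used by a later fix, it needs a comment stating that the caller is
responsible for the busy check. It is also worth checking whether dep
is still needed in the helper, since the only visible use of it moved
out with the busy test.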

* [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Axel Lin, MyungJoo Ham, Rafael J. Wysocki

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Axel Lin <axel.lin@ingics.com>

commit 0f376c9cd86c23f37312d37748b233660ef9d9af upstream.

Use devfreq_list_lock around list_del() to prevent list corruption.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/devfreq/devfreq.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -507,17 +507,19 @@ struct devfreq *devfreq_add_device(struc
 	if (devfreq->governor)
 		err = devfreq->governor->event_handler(devfreq,
 					DEVFREQ_GOV_START, NULL);
-	mutex_unlock(&devfreq_list_lock);
 	if (err) {
 		dev_err(dev, "%s: Unable to start governor for the device\n",
 			__func__);
 		goto err_init;
 	}
+	mutex_unlock(&devfreq_list_lock);
 
 	return devfreq;
 
 err_init:
 	list_del(&devfreq->node);
+	mutex_unlock(&devfreq_list_lock);
+
 	device_unregister(&devfreq->dev);
 err_dev:
 	kfree(devfreq);
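
Review bot: err_init now unlocks devfreq_list_lock, so every jump to
that label has to arrive with the mutex held. The one goto visible
here does, but any other goto err_init earlier in
devfreq_add_device(), outside this hunk, would now unlock a mutex it
does not hold; worth confirming there is none, or giving the locked
path its own label.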

* [PATCH 3.16 150/370] usb: xhci: fix possible wild pointer
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lu Baolu, Greg Kroah-Hartman, Mathias Nyman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lu Baolu <baolu.lu@linux.intel.com>

commit 2b985467371a58ae44d76c7ba12b0951fee6ed98 upstream.

handle_cmd_completion() frees a command structure which might be still
referenced by xhci->current_cmd.
This might cause a problem when xhci->current_cmd is accessed after that.

A real-life case could be like this. The host takes a very long time to
respond to a command, and the command timer is fired at the same time
when the command completion event arrives. The command completion
handler frees xhci->current_cmd before the timer function can grab
xhci->lock. Afterward, the timer function grabs the lock and goes ahead with
checking and setting members of xhci->current_cmd.

Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1292,13 +1292,16 @@ void xhci_handle_command_timeout(unsigne
 	struct xhci_command *cur_cmd = NULL;
 	xhci = (struct xhci_hcd *) data;
 
-	/* mark this command to be cancelled */
 	spin_lock_irqsave(&xhci->lock, flags);
-	if (xhci->current_cmd) {
-		cur_cmd = xhci->current_cmd;
-		cur_cmd->status = COMP_CMD_ABORT;
+
+	if (!xhci->current_cmd) {
+		spin_unlock_irqrestore(&xhci->lock, flags);
+		return;
 	}
 
+	/* mark this command to be cancelled */
+	cur_cmd = xhci->current_cmd;
+	cur_cmd->status = COMP_CMD_ABORT;
 
 	/* Make sure command ring is running before aborting it */
 	hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
@@ -1440,6 +1443,8 @@ static void handle_cmd_completion(struct
 		xhci->current_cmd = list_entry(cmd->cmd_list.next,
 					       struct xhci_command, cmd_list);
 		mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT);
+	} else if (xhci->current_cmd == cmd) {
+		xhci->current_cmd = NULL;
 	}
 
 event_handled:
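
Review bot: the new else-if branch carries the whole fix but has no
comment. One line saying that cmd is about to be freed (as the commit
message describes) and that xhci->current_cmd must not be left
pointing at it, because xhci_handle_command_timeout() dereferences it
under xhci->lock, would make the pairing with the NULL check added in
the first hunk obvious.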

* [PATCH 3.16 157/370] USB: serial: io_edgeport: fix NULL-deref at open
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream.

Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
...
PC is at edge_open+0x24c/0x3e8 [io_edgeport]

Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/io_edgeport.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2761,6 +2761,11 @@ static int edge_startup(struct usb_seria
 					EDGE_COMPATIBILITY_MASK1,
 					EDGE_COMPATIBILITY_MASK2 };
 
+	if (serial->num_bulk_in < 1 || serial->num_interrupt_in < 1) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	dev = serial->dev;
 
 	/* create our private serial structure */
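
Review bot: the error text "missing endpoints" does not say which
endpoint type is absent. Printing serial->num_bulk_in and
serial->num_interrupt_in in the dev_err() would make the rejection
diagnosable from the log alone. The commit message notes that this
check makes the EPIC probe-path checks partially redundant; a short
comment here saying so would save the next reader the same question.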

* [PATCH 3.16 155/370] USB: serial: cyberjack: fix NULL-deref at open
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream.

Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at cyberjack_open+0x40/0x9c [cyberjack]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cyberjack.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/usb/serial/cyberjack.c
+++ b/drivers/usb/serial/cyberjack.c
@@ -50,6 +50,7 @@
 #define CYBERJACK_PRODUCT_ID	0x0100
 
 /* Function prototypes */
+static int cyberjack_attach(struct usb_serial *serial);
 static int cyberjack_port_probe(struct usb_serial_port *port);
 static int cyberjack_port_remove(struct usb_serial_port *port);
 static int  cyberjack_open(struct tty_struct *tty,
@@ -77,6 +78,7 @@ static struct usb_serial_driver cyberjac
 	.description =		"Reiner SCT Cyberjack USB card reader",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		cyberjack_attach,
 	.port_probe =		cyberjack_port_probe,
 	.port_remove =		cyberjack_port_remove,
 	.open =			cyberjack_open,
@@ -100,6 +102,14 @@ struct cyberjack_private {
 	short		wrsent;		/* Data already sent */
 };
 
+static int cyberjack_attach(struct usb_serial *serial)
+{
+	if (serial->num_bulk_out < serial->num_ports)
+		return -ENODEV;
+
+	return 0;
+}
+
 static int cyberjack_port_probe(struct usb_serial_port *port)
 {
 	struct cyberjack_private *priv;
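
Review bot: cyberjack_attach() returns -ENODEV without logging
anything, whereas the matching io_edgeport fix in this series prints
"missing endpoints" through dev_err(). A
dev_err(&serial->interface->dev, ...) before the return would keep the
two consistent and leave a trace in the log when a device is rejected.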

* [PATCH 3.16 153/370] usb: xhci: hold lock over xhci_abort_cmd_ring()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman, Lu Baolu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lu Baolu <baolu.lu@linux.intel.com>

commit 4dea70778c0f48b4385c7720c363ec8d37a401b4 upstream.

In the command timer function, xhci_handle_command_timeout(), xhci->lock
is unlocked before calling into xhci_abort_cmd_ring(). This might cause
a race between the timer function and the event handler.

The xhci_abort_cmd_ring() function sets the CMD_RING_ABORT bit in the
command register and polls it until the setting takes effect. A stop
command ring event might be handled between writing the abort bit and
polling for it. The event handler will restart the command ring, which
causes the failure of polling, and we ever believed that we failed to
stop it.

As a bonus, this also fixes some issues of calling functions without
locking in xhci_handle_command_timeout().

Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: drop changes to the "failed to restart, or
 host removed" case]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1311,21 +1311,25 @@ void xhci_handle_command_timeout(unsigne
 	hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
 	if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
 	    (hw_ring_state & CMD_RING_RUNNING))  {
-
-		spin_unlock_irqrestore(&xhci->lock, flags);
 		xhci_dbg(xhci, "Command timeout\n");
 		ret = xhci_abort_cmd_ring(xhci);
 		if (unlikely(ret == -ESHUTDOWN)) {
 			xhci_err(xhci, "Abort command ring failed\n");
 			xhci_cleanup_command_queue(xhci);
+			spin_unlock_irqrestore(&xhci->lock, flags);
 			usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
 			xhci_dbg(xhci, "xHCI host controller is dead.\n");
+
+			return;
 		}
-		return;
+
+		goto time_out_completed;
 	}
 	/* command timeout on stopped ring, ring can't be aborted */
 	xhci_dbg(xhci, "Command timeout on stopped ring\n");
 	xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd);
+
+time_out_completed:
 	spin_unlock_irqrestore(&xhci->lock, flags);
 	return;
 }
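
Review bot: xhci_abort_cmd_ring() is now entered with xhci->lock held and interrupts disabled, because the spin_unlock_irqrestore() ahead of the "Command timeout" debug line is removed, and the commit message says that function polls the command register until the abort takes effect. Please state the new locking contract in a comment at the call site or on xhci_abort_cmd_ring() itself, and confirm that nothing inside it sleeps or retakes xhci->lock. Minor: the empty line added before `return;` in the -ESHUTDOWN branch can be dropped.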

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 111/370] IB/multicast: Check ib_find_pkey() return value
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 010/370] [media] ite-cir: initialize use_demodulator before using it Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 080/370] arm/xen: Use alloc_percpu rather than __alloc_percpu Ben Hutchings
                   ` (309 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Sean Hefty, Bart Van Assche

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit d3a2418ee36a59bc02e9d454723f3175dcf4bfd9 upstream.

This patch avoids that Coverity complains about not checking the
ib_find_pkey() return value.

Fixes: commit 547af76521b3 ("IB/multicast: Report errors on multicast groups if P_key changes")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/multicast.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -516,8 +516,11 @@ static void join_handler(int status, str
 	if (status)
 		process_join_error(group, status);
 	else {
-		ib_find_pkey(group->port->dev->device, group->port->port_num,
-			     be16_to_cpu(rec->pkey), &pkey_index);
+
+		if (ib_find_pkey(group->port->dev->device,
+				 group->port->port_num, be16_to_cpu(rec->pkey),
+				 &pkey_index))
+			pkey_index = MCAST_INVALID_PKEY_INDEX;
 
 		spin_lock_irq(&group->port->lock);
 		group->rec = *rec;
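
Review bot: the error code from ib_find_pkey() is tested in the new `if (ib_find_pkey(...))` but then thrown away, so a failed lookup silently becomes MCAST_INVALID_PKEY_INDEX with nothing to show why. Consider keeping the return value in a local and logging it at debug level, or add a comment saying the invalid index is the intended fallback. Style: the hunk also leaves an empty line directly after `else {`, which should go.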

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 070/370] mmc: sdhci: Fix recovery from tuning timeout
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 077/370] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 174/370] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Ben Hutchings
                   ` (367 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Adrian Hunter, Dan O'Donovan

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 61e53bd0047d58caee0c7170613045bf96de4458 upstream.

Clearing the tuning bits should reset the tuning circuit. However there is
more to do. Reset the command and data lines for good measure, and then
for eMMC ensure the card is not still trying to process a tuning command by
sending a stop command.

Note the JEDEC eMMC specification says the stop command (CMD12) can be used
to stop a tuning command (CMD21) whereas the SD specification is silent on
the subject with respect to the SD tuning command (CMD19). Considering that
CMD12 is not a valid SDIO command, the stop command is sent only when the
tuning command is CMD21 i.e. for eMMC. That addresses cases seen so far
which have been on eMMC.

Note that this replaces the commit fe5fb2e3b58f ("mmc: sdhci: Reset cmd and
data circuits after tuning failure") which is being reverted for v4.9+.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Dan O'Donovan <dan@emutex.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/sdhci.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1959,7 +1959,27 @@ static int sdhci_execute_tuning(struct m
 			ctrl &= ~SDHCI_CTRL_EXEC_TUNING;
 			sdhci_writew(host, ctrl, SDHCI_HOST_CONTROL2);
 
+			sdhci_do_reset(host, SDHCI_RESET_CMD);
+			sdhci_do_reset(host, SDHCI_RESET_DATA);
+
 			err = -EIO;
+
+			if (cmd.opcode != MMC_SEND_TUNING_BLOCK_HS200)
+				goto out;
+
+			sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+			sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
+
+			spin_unlock_irqrestore(&host->lock, flags);
+
+			memset(&cmd, 0, sizeof(cmd));
+			cmd.opcode = MMC_STOP_TRANSMISSION;
+			cmd.flags = MMC_RSP_SPI_R1B | MMC_RSP_R1B | MMC_CMD_AC;
+			cmd.busy_timeout = 50;
+			mmc_wait_for_cmd(mmc, &cmd, 0);
+
+			spin_lock_irqsave(&host->lock, flags);
+
 			goto out;
 		}
 
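
Review bot: the result of mmc_wait_for_cmd() for the stop command is discarded, and host->lock is released around it with no comment on what may change while it is dropped. err is already -EIO, so ignoring the status may be intended, but say so in a comment and note why it is safe to release the lock at this point before `goto out`. `cmd.busy_timeout = 50;` would also benefit from a comment giving the unit and the origin of the value.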

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 105/370] IB/mlx4: Fix out-of-range array index in destroy qp flow
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 022/370] scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 025/370] regulator: stw481x-vmmc: fix ages old enable error Ben Hutchings
                   ` (315 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Jack Morgenstein, Doug Ledford

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit c482af646d0809a8d5e1b7f4398cce3592589b98 upstream.

For non-special QPs, the port value becomes non-zero only at the
RESET-to-INIT transition. If the QP has not undergone that transition,
its port number value is still zero.

If such a QP is destroyed before being moved out of the RESET state,
subtracting one from the qp port number results in a negative value.
Using that negative value as an index into the qp1_proxy array
results in an out-of-bounds array reference.

Fix this by testing that the QP type is one that uses qp1_proxy before
using the port number. For special QPs of all types, the port number is
specified at QP creation time.

Fixes: 9433c188915c ("IB/mlx4: Invoke UPDATE_QP for proxy QP1 on MAC changes")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/qp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1153,7 +1153,8 @@ int mlx4_ib_destroy_qp(struct ib_qp *qp)
 	if (is_qp0(dev, mqp))
 		mlx4_CLOSE_PORT(dev->dev, mqp->port);
 
-	if (dev->qp1_proxy[mqp->port - 1] == mqp) {
+	if (mqp->mlx4_ib_qp_type == MLX4_IB_QPT_PROXY_GSI &&
+	    dev->qp1_proxy[mqp->port - 1] == mqp) {
 		mutex_lock(&dev->qp1_proxy_lock[mqp->port - 1]);
 		dev->qp1_proxy[mqp->port - 1] = NULL;
 		mutex_unlock(&dev->qp1_proxy_lock[mqp->port - 1]);
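
Review bot: the new type test in the `if` keeps `mqp->port - 1` away from the array for ordinary QPs, but the index itself is still unchecked and is recomputed three more times in the body. That relies on every MLX4_IB_QPT_PROXY_GSI QP having a non-zero port, which the commit message asserts but the code does not. A short comment stating that invariant, or a local index with a WARN_ON for port == 0, would make the bound explicit.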

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 161/370] USB: serial: keyspan_pda: verify endpoints at probe
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 033/370] dm rq: fix a race condition in rq_completed() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 143/370] USB: gadgetfs: fix checks of wTotalLength in config descriptors Ben Hutchings
                   ` (256 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5d9b0f859babe96175cd33d7162a9463a875ffde upstream.

Check for the expected endpoints in attach() and fail loudly if not
present.

Note that failing to do this appears to be benign since da280e348866
("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
NULL-pointer dereference in write() by never marking a non-existent
write-urb as free.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/keyspan_pda.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -699,6 +699,19 @@ MODULE_FIRMWARE("keyspan_pda/keyspan_pda
 MODULE_FIRMWARE("keyspan_pda/xircom_pgs.fw");
 #endif
 
+static int keyspan_pda_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int keyspan_pda_port_probe(struct usb_serial_port *port)
 {
 
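
Review bot: the dev_err() in keyspan_pda_attach() says only "missing endpoints", which does not tell the reader whether the bulk-out or the interrupt-in count fell short. Consider printing both counts against num_ports, or splitting the test so each failure has its own message. The continuation line `serial->num_interrupt_in < num_ports) {` is also indented with two tabs rather than aligned under the opening parenthesis.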
@@ -776,6 +789,7 @@ static struct usb_serial_driver keyspan_
 	.break_ctl =		keyspan_pda_break_ctl,
 	.tiocmget =		keyspan_pda_tiocmget,
 	.tiocmset =		keyspan_pda_tiocmset,
+	.attach =		keyspan_pda_attach,
 	.port_probe =		keyspan_pda_port_probe,
 	.port_remove =		keyspan_pda_port_remove,
 };

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 158/370] USB: serial: io_ti: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (139 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 091/370] ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 002/370] crypto: arm64/ghash-ce - fix for big endian Ben Hutchings
                   ` (230 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit a323fefc6f5079844dc62ffeb54f491d0242ca35 upstream.

Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
[<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/io_ti.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2383,6 +2383,13 @@ static int edge_startup(struct usb_seria
 	struct edgeport_serial *edge_serial;
 	int status;
 
+	/* Make sure we have the required endpoints when in download mode. */
+	if (serial->interface->cur_altsetting->desc.bNumEndpoints > 1) {
+		if (serial->num_bulk_in < serial->num_ports ||
+				serial->num_bulk_out < serial->num_ports)
+			return -ENODEV;
+	}
+
 	/* create our private serial structure */
 	edge_serial = kzalloc(sizeof(struct edgeport_serial), GFP_KERNEL);
 	if (!edge_serial)
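
Review bot: the new endpoint check in edge_startup() returns -ENODEV without logging anything, so a rejected device leaves no hint in the kernel log as to why the bind failed. Add a dev_err() on &serial->interface->dev before the return. The `bNumEndpoints > 1` test is also the only thing that identifies download mode here; the comment could say so explicitly, so that the outer `if` is not read as an arbitrary threshold.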

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 109/370] IB/mad: Fix an array index check
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (160 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 140/370] usb: gadgetfs: restrict upper bound on device configuration size Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 168/370] USB: serial: mos7840: fix misleading interrupt-URB comment Ben Hutchings
                   ` (209 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Doug Ledford, Sean Hefty, Hal Rosenstock, Bart Van Assche

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit 2fe2f378dd45847d2643638c07a7658822087836 upstream.

The array ib_mad_mgmt_class_table.method_table has MAX_MGMT_CLASS
(80) elements. Hence compare the array index with that value instead
of with IB_MGMT_MAX_METHODS (128). This patch avoids that Coverity
reports the following:

Overrunning array class->method_table of 80 8-byte elements at element index 127 (byte offset 1016) using index convert_mgmt_class(mad_hdr->mgmt_class) (which evaluates to 127).

Fixes: commit b7ab0b19a85f ("IB/mad: Verify mgmt class in received MADs")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Sean Hefty <sean.hefty@intel.com>
Reviewed-by: Hal Rosenstock <hal@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/mad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1607,7 +1607,7 @@ find_mad_agent(struct ib_mad_port_privat
 			if (!class)
 				goto out;
 			if (convert_mgmt_class(mad->mad_hdr.mgmt_class) >=
-			    IB_MGMT_MAX_METHODS)
+			    ARRAY_SIZE(class->method_table))
 				goto out;
 			method = class->method_table[convert_mgmt_class(
 							mad->mad_hdr.mgmt_class)];
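
Review bot: convert_mgmt_class(mad->mad_hdr.mgmt_class) is evaluated once for the bound test and again for the `class->method_table[...]` index, so the check and the use are tied together only by the two expressions staying identical. Storing the converted class in a local and using it for both would keep them in step.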

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 061/370] USB: serial: kl5kusb105: abort on open exception path
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 104/370] IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 013/370] usb: add helper to extract bits 12:11 of wMaxPacketSize Ben Hutchings
                   ` (364 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Pan Bian

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c upstream.

Function klsi_105_open() calls usb_control_msg() (to "enable read") and
checks its return value. When the return value is unexpected, it only
assigns the error code to the return variable retval, but does not
terminate the exception path. This patch fixes the bug by inserting
"goto err_generic_close;" when the call to usb_control_msg() fails.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pan Bian <bianpan2016@163.com>
[johan: rebase on prerequisite fix and amend commit message]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/kl5kusb105.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -315,6 +315,7 @@ static int  klsi_105_open(struct tty_str
 	if (rc < 0) {
 		dev_err(&port->dev, "Enabling read failed (error = %d)\n", rc);
 		retval = rc;
+		goto err_generic_close;
 	} else
 		dev_dbg(&port->dev, "%s - enabled reading\n", __func__);
 
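
Review bot: with `goto err_generic_close;` ending the `if (rc < 0)` branch, the trailing `} else` is redundant, and the braced if with an unbraced else is against kernel coding style. The dev_dbg() can simply follow the block unconditionally.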
@@ -341,6 +342,7 @@ err_disable_read:
 			     0, /* index */
 			     NULL, 0,
 			     KLSI_TIMEOUT);
+err_generic_close:
 	usb_serial_generic_close(port);
 err_free_cfg:
 	kfree(cfg);

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 164/370] USB: serial: mos7720: fix use-after-free on probe errors
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 112/370] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 167/370] USB: serial: mos7840: fix NULL-deref at open Ben Hutchings
                   ` (241 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream.

The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:

Unable to handle kernel paging request at virtual address 6b6b6be7
...
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel
port on moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7720.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1946,8 +1946,10 @@ static int mos7720_startup(struct usb_se
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		ret_val = mos7715_parport_init(serial);
-		if (ret_val < 0)
+		if (ret_val < 0) {
+			usb_kill_urb(serial->port[0]->interrupt_in_urb);
 			return ret_val;
+		}
 	}
 #endif
 	/* LSR For Port 1 */
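
Review bot: the usb_kill_urb() is added inline to the one error return inside the CONFIG_USB_SERIAL_MOS7715_PARPORT block, so any other failure return in mos7720_startup() that comes after the interrupt URB is submitted needs the same line added by hand. An error label that kills serial->port[0]->interrupt_in_urb and returns ret_val would cover this path and later ones. A one-line comment that the URB was already submitted during probe would also explain why it is killed here.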
@@ -1959,6 +1961,8 @@ static int mos7720_startup(struct usb_se
 
 static void mos7720_release(struct usb_serial *serial)
 {
+	usb_kill_urb(serial->port[0]->interrupt_in_urb);
+
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	/* close the parallel port */
 

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 163/370] USB: serial: mos7720: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 160/370] USB: serial: iuu_phoenix: fix NULL-deref at open Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 142/370] USB: gadgetfs: fix use-after-free bug Ben Hutchings
                   ` (298 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream.

Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
[<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7720.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1901,6 +1901,11 @@ static int mos7720_startup(struct usb_se
 	u16 product;
 	int ret_val;
 
+	if (serial->num_bulk_in < 2 || serial->num_bulk_out < 2) {
+		dev_err(&serial->interface->dev, "missing bulk endpoints\n");
+		return -ENODEV;
+	}
+
 	product = le16_to_cpu(serial->dev->descriptor.idProduct);
 	dev = serial->dev;
 
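
Review bot: the bound in `serial->num_bulk_in < 2 || serial->num_bulk_out < 2` is a bare literal. Please add a comment saying why two bulk endpoints in each direction are required, or compare against a named constant, so the check does not go stale if the port layout changes.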

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 136/370] usb: dwc3: ep0: explicitly call dwc3_ep0_prepare_one_trb()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 181/370] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 155/370] USB: serial: cyberjack: fix NULL-deref at open Ben Hutchings
                   ` (233 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Janusz Dziedzic

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit 19ec31230eb3084431bc2e565fd085f79f564274 upstream.

Let's call dwc3_ep0_prepare_one_trb() explicitly
because there are occasions where we will need more
than one TRB to handle an EP0 transfer.

A follow-up patch will fix one bug related to
multiple-TRB Data Phases when it comes to
mapping/unmapping requests for DMA.

Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16:
 - dwc3_ep0_prepare_one_trb() and dwc3_ep0_start_trans() don't take a
   'chain' parameter
 - Some of the call sites don't exist here
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/ep0.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -75,8 +75,7 @@ static void dwc3_ep0_prepare_one_trb(str
 			| DWC3_TRB_CTRL_ISP_IMI);
 }
 
-static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum, dma_addr_t buf_dma,
-		u32 len, u32 type)
+static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum)
 {
 	struct dwc3_gadget_ep_cmd_params params;
 	struct dwc3_ep			*dep;
@@ -86,8 +85,6 @@ static int dwc3_ep0_start_trans(struct d
 	if (dep->flags & DWC3_EP_BUSY)
 		return 0;
 
-	dwc3_ep0_prepare_one_trb(dwc, epnum, buf_dma, len, type);
-
 	memset(&params, 0, sizeof(params));
 	params.param0 = upper_32_bits(dwc->ep0_trb_addr);
 	params.param1 = lower_32_bits(dwc->ep0_trb_addr);
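
Review bot: dwc3_ep0_start_trans() still returns 0 early on `dep->flags & DWC3_EP_BUSY`, but dwc3_ep0_prepare_one_trb() has moved out to the callers and so now runs before that test. Previously a busy endpoint left the TRB untouched; with this change each caller has already rewritten it by the time the busy check is made. Either test DWC3_EP_BUSY in the callers before preparing the TRB, or document why rewriting it while the endpoint is busy is harmless.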
@@ -287,8 +284,9 @@ void dwc3_ep0_out_start(struct dwc3 *dwc
 {
 	int				ret;
 
-	ret = dwc3_ep0_start_trans(dwc, 0, dwc->ctrl_req_addr, 8,
+	dwc3_ep0_prepare_one_trb(dwc, 0, dwc->ctrl_req_addr, 8,
 			DWC3_TRBCTL_CONTROL_SETUP);
+	ret = dwc3_ep0_start_trans(dwc, 0);
 	WARN_ON(ret < 0);
 }
 
@@ -897,9 +895,10 @@ static void __dwc3_ep0_do_control_data(s
 	req->direction = !!dep->number;
 
 	if (req->request.length == 0) {
-		ret = dwc3_ep0_start_trans(dwc, dep->number,
+		dwc3_ep0_prepare_one_trb(dwc, dep->number,
 				dwc->ctrl_req_addr, 0,
 				DWC3_TRBCTL_CONTROL_DATA);
+		ret = dwc3_ep0_start_trans(dwc, dep->number);
 	} else if (!IS_ALIGNED(req->request.length, dep->endpoint.maxpacket)
 			&& (dep->number == 0)) {
 		u32	transfer_size;
@@ -927,9 +926,10 @@ static void __dwc3_ep0_do_control_data(s
 		 * DWC3_EP0_BOUNCE_SIZE we will need two chained
 		 * TRBs to handle the transfer.
 		 */
-		ret = dwc3_ep0_start_trans(dwc, dep->number,
+		dwc3_ep0_prepare_one_trb(dwc, dep->number,
 				dwc->ep0_bounce_addr, transfer_size,
 				DWC3_TRBCTL_CONTROL_DATA);
+		ret = dwc3_ep0_start_trans(dwc, dep->number);
 	} else {
 		ret = usb_gadget_map_request(&dwc->gadget, &req->request,
 				dep->number);
@@ -938,8 +938,9 @@ static void __dwc3_ep0_do_control_data(s
 			return;
 		}
 
-		ret = dwc3_ep0_start_trans(dwc, dep->number, req->request.dma,
+		dwc3_ep0_prepare_one_trb(dwc, dep->number, req->request.dma,
 				req->request.length, DWC3_TRBCTL_CONTROL_DATA);
+		ret = dwc3_ep0_start_trans(dwc, dep->number);
 	}
 
 	WARN_ON(ret < 0);
@@ -953,8 +954,9 @@ static int dwc3_ep0_start_control_status
 	type = dwc->three_stage_setup ? DWC3_TRBCTL_CONTROL_STATUS3
 		: DWC3_TRBCTL_CONTROL_STATUS2;
 
-	return dwc3_ep0_start_trans(dwc, dep->number,
+	dwc3_ep0_prepare_one_trb(dwc, dep->number,
 			dwc->ctrl_req_addr, 0, type);
+	return dwc3_ep0_start_trans(dwc, dep->number);
 }
 
 static void __dwc3_ep0_do_control_status(struct dwc3 *dwc, struct dwc3_ep *dep)

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 071/370] USB: cdc-acm: add device id for GW Instek AFG-125
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 165/370] USB: serial: mos7720: fix parport use-after-free on probe errors Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 125/370] clk: renesas: mstp: Support 8-bit registers for r7s72100 Ben Hutchings
                   ` (341 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nathaniel Quillin, Oliver Neukum, Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathaniel Quillin <ndq@google.com>

commit 301216044e4c27d5a7323c1fa766266fad00db5e upstream.

Add device-id entry for GW Instek AFG-125, which has a byte swapped
bInterfaceSubClass (0x20).

Signed-off-by: Nathaniel Quillin <ndq@google.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1721,6 +1721,7 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */
 	.driver_info = QUIRK_CONTROL_LINE_STATE, },
 	{ USB_DEVICE(0x2184, 0x001c) },	/* GW Instek AFG-2225 */
+	{ USB_DEVICE(0x2184, 0x0036) },	/* GW Instek AFG-125 */
 	{ USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */
 	},
 	/* Motorola H24 HSPA module: */
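
Review bot: the new AFG-125 entry carries only the product name in its comment, while the commit message gives the reason the entry is needed: the device reports a byte-swapped bInterfaceSubClass (0x20). Put that in the comment so the reason for the explicit ID stays with the table.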

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 168/370] USB: serial: mos7840: fix misleading interrupt-URB comment
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 109/370] IB/mad: Fix an array index check Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 137/370] usb: dwc3: gadget: always unmap EP0 requests Ben Hutchings
                   ` (208 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 472d7e55d559aa1cbf58c73b14fcfc4651b1a9f5 upstream.

The interrupt URB is killed at final port close since commit
0de9a7024e7a ("USB: overhaul of mos7840 driver").

Fixes: 0de9a7024e7a ("USB: overhaul of mos7840 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1037,9 +1037,7 @@ static int mos7840_open(struct tty_struc
 				serial,
 				serial->port[0]->interrupt_in_urb->interval);
 
-			/* start interrupt read for mos7840               *
-			 * will continue as long as mos7840 is connected  */
-
+			/* start interrupt read for mos7840 */
 			response =
 			    usb_submit_urb(serial->port[0]->interrupt_in_urb,
 					   GFP_KERNEL);

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 162/370] USB: serial: kobil_sct: fix NULL-deref in write
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 126/370] net, sched: fix soft lockup in tc_classify Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 177/370] mei: move write cb to completion on credentials failures Ben Hutchings
                   ` (280 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream.

Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000054
...
PC is at kobil_write+0x144/0x2a0 [kobil_sct]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/kobil_sct.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/usb/serial/kobil_sct.c
+++ b/drivers/usb/serial/kobil_sct.c
@@ -51,6 +51,7 @@
 
 
 /* Function prototypes */
+static int kobil_attach(struct usb_serial *serial);
 static int kobil_port_probe(struct usb_serial_port *probe);
 static int kobil_port_remove(struct usb_serial_port *probe);
 static int  kobil_open(struct tty_struct *tty, struct usb_serial_port *port);
@@ -86,6 +87,7 @@ static struct usb_serial_driver kobil_de
 	.description =		"KOBIL USB smart card terminal",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		kobil_attach,
 	.port_probe =		kobil_port_probe,
 	.port_remove =		kobil_port_remove,
 	.ioctl =		kobil_ioctl,
@@ -113,6 +115,16 @@ struct kobil_private {
 };
 
 
+static int kobil_attach(struct usb_serial *serial)
+{
+	if (serial->num_interrupt_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing interrupt-out endpoint\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int kobil_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 173/370] USB: serial: spcp8x5: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 172/370] USB: serial: quatech2: fix sleep-while-atomic in close Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 182/370] KVM: MIPS: Flush KVM entry code from icache globally Ben Hutchings
                   ` (192 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]

Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/spcp8x5.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/usb/serial/spcp8x5.c
+++ b/drivers/usb/serial/spcp8x5.c
@@ -154,6 +154,19 @@ static int spcp8x5_probe(struct usb_seri
 	return 0;
 }
 
+static int spcp8x5_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int spcp8x5_port_probe(struct usb_serial_port *port)
 {
 	const struct usb_device_id *id = usb_get_serial_data(port->serial);
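
Review bot: the dev_err() in spcp8x5_attach() prints only "missing endpoints", so the log does not say whether bulk-in or bulk-out was short. Printing serial->num_bulk_in and serial->num_bulk_out, or splitting the test, would make a rejected device diagnosable from dmesg alone. The continuation line `serial->num_bulk_out < num_ports) {` is indented with two tabs rather than aligned under the first operand, which makes the condition easy to misread as the start of the body.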
@@ -477,6 +490,7 @@ static struct usb_serial_driver spcp8x5_
 	.tiocmget		= spcp8x5_tiocmget,
 	.tiocmset		= spcp8x5_tiocmset,
 	.probe			= spcp8x5_probe,
+	.attach			= spcp8x5_attach,
 	.port_probe		= spcp8x5_port_probe,
 	.port_remove		= spcp8x5_port_remove,
 };

* [PATCH 3.16 170/370] USB: serial: oti6858: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 131/370] net/mlx4_en: Fix bad WQE issue Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 050/370] KVM: PPC: Book3S HV: Save/restore XER in checkpointed register state Ben Hutchings
                   ` (218 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at oti6858_open+0x30/0x1d0 [oti6858]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42
cable)")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/oti6858.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/usb/serial/oti6858.c
+++ b/drivers/usb/serial/oti6858.c
@@ -134,6 +134,7 @@ static int oti6858_chars_in_buffer(struc
 static int oti6858_tiocmget(struct tty_struct *tty);
 static int oti6858_tiocmset(struct tty_struct *tty,
 				unsigned int set, unsigned int clear);
+static int oti6858_attach(struct usb_serial *serial);
 static int oti6858_port_probe(struct usb_serial_port *port);
 static int oti6858_port_remove(struct usb_serial_port *port);
 
@@ -158,6 +159,7 @@ static struct usb_serial_driver oti6858_
 	.write_bulk_callback =	oti6858_write_bulk_callback,
 	.write_room =		oti6858_write_room,
 	.chars_in_buffer =	oti6858_chars_in_buffer,
+	.attach =		oti6858_attach,
 	.port_probe =		oti6858_port_probe,
 	.port_remove =		oti6858_port_remove,
 };
@@ -324,6 +326,20 @@ static void send_data(struct work_struct
 	usb_serial_port_softint(port);
 }
 
+static int oti6858_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int oti6858_port_probe(struct usb_serial_port *port)
 {
 	struct oti6858_private *priv;
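
Review bot: the num_interrupt_in term in oti6858_attach() changes behaviour beyond the crash fix. Per the commit message a missing interrupt-in endpoint already made open() fail, and with this check the device is refused at attach time instead. That is the stricter outcome, but it deserves a comment above the condition so the difference between the NULL-deref cases (bulk-in, bulk-out) and the fail-early case (interrupt-in) stays visible to whoever touches this next.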

* [PATCH 3.16 172/370] USB: serial: quatech2: fix sleep-while-atomic in close
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (176 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 024/370] USB: UHCI: report non-PME wakeup signalling for Intel hardware Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 173/370] USB: serial: spcp8x5: fix NULL-deref at open Ben Hutchings
                   ` (193 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit f09d1886a41e9063b43da493ef0e845ac8afd2fa upstream.

The write URB was being killed using the synchronous interface while
holding a spin lock in close().

Simply drop the lock and busy-flag update, something which would have
been taken care of by the completion handler if the URB was in flight.

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/quatech2.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -408,16 +408,12 @@ static void qt2_close(struct usb_serial_
 {
 	struct usb_serial *serial;
 	struct qt2_port_private *port_priv;
-	unsigned long flags;
 	int i;
 
 	serial = port->serial;
 	port_priv = usb_get_serial_port_data(port);
 
-	spin_lock_irqsave(&port_priv->urb_lock, flags);
 	usb_kill_urb(port_priv->write_urb);
-	port_priv->urb_in_use = false;
-	spin_unlock_irqrestore(&port_priv->urb_lock, flags);
 
 	/* flush the port transmit buffer */
 	i = usb_control_msg(serial->dev,
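
Review bot: with the lock gone, qt2_close() no longer resets port_priv->urb_in_use itself and relies on the write completion handler to do so when the URB was in flight. That handler is not part of this hunk, so it is worth confirming that it clears the flag on the status an unlinked URB completes with, and not only on success. A comment above `usb_kill_urb(port_priv->write_urb);` stating that the call may sleep and must not be made under urb_lock would keep the locking from being reintroduced.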

* [PATCH 3.16 171/370] USB: serial: pl2303: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 142/370] USB: gadgetfs: fix use-after-free bug Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 030/370] powerpc/pci/rpadlpar: Fix device reference leaks Ben Hutchings
                   ` (296 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream.

Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at pl2303_open+0x38/0xec [pl2303]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/pl2303.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -216,9 +216,17 @@ static int pl2303_probe(struct usb_seria
 static int pl2303_startup(struct usb_serial *serial)
 {
 	struct pl2303_serial_private *spriv;
+	unsigned char num_ports = serial->num_ports;
 	enum pl2303_type type = TYPE_01;
 	unsigned char *buf;
 
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	spriv = kzalloc(sizeof(*spriv), GFP_KERNEL);
 	if (!spriv)
 		return -ENOMEM;
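
Review bot: the endpoint check at the top of pl2303_startup() runs while `type` still holds its TYPE_01 initialiser, so it applies to every device and not only the type-0 and type-1 devices the commit message names. If that is intended, the changelog should say so. Placing the check ahead of the kzalloc() is good, since the -ENODEV return then needs no cleanup. The num_interrupt_in term covers a case that, per the message, only made open() fail rather than crash, which is worth a comment.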

* [PATCH 3.16 186/370] USB: fix problems with duplicate endpoint addresses
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 079/370] drm/radeon: add additional pci revision to dpm workaround Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 181/370] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option Ben Hutchings
                   ` (235 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Greg Kroah-Hartman, Alan Stern

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.

When checking a new device's descriptors, the USB core does not check
for duplicate endpoint addresses.  This can cause a problem when the
sysfs files for those endpoints are created; trying to create multiple
files with the same name will provoke a WARNING:

WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
sysfs: cannot create duplicate filename
'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
Kernel panic - not syncing: panic_on_warn set ...

CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
 ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
 ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
 [<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
 [<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
 [<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
 [<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
 [<     inline     >] create_dir lib/kobject.c:71
 [<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
 [<     inline     >] kobject_add_varg lib/kobject.c:366
 [<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
 [<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
 [<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
 [<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
 [<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
 [<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
 [<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
 [<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263

This patch prevents the problem by checking for duplicate endpoint
addresses during enumeration and skipping any duplicates.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -205,6 +205,16 @@ static int usb_parse_endpoint(struct dev
 	if (ifp->desc.bNumEndpoints >= num_ep)
 		goto skip_to_next_endpoint_or_interface_descriptor;
 
+	/* Check for duplicate endpoint addresses */
+	for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+		if (ifp->endpoint[i].desc.bEndpointAddress ==
+		    d->bEndpointAddress) {
+			dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+			    cfgno, inum, asnum, d->bEndpointAddress);
+			goto skip_to_next_endpoint_or_interface_descriptor;
+		}
+	}
+
 	endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
 	++ifp->desc.bNumEndpoints;
 
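
Review bot: the duplicate scan in usb_parse_endpoint() only walks the entries of ifp->endpoint[] already accepted for this altsetting, so it catches a repeated address within one altsetting and nothing wider. State that scope in the comment, which currently reads just `/* Check for duplicate endpoint addresses */`. The comparison uses the full bEndpointAddress, so an IN and an OUT endpoint sharing a number are kept as distinct. The loop counter `i` is not declared in this hunk, so check that the function already has one in scope.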

* [PATCH 3.16 101/370] libceph: verify authorize reply on connect
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 056/370] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 159/370] USB: serial: io_ti: fix another NULL-deref at open Ben Hutchings
                   ` (352 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sage Weil, Ilya Dryomov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 5c056fdc5b474329037f2aa18401bd73033e0ce0 upstream.

After sending an authorizer (ceph_x_authorize_a + ceph_x_authorize_b),
the client gets back a ceph_x_authorize_reply, which it is supposed to
verify to ensure the authenticity and protect against replay attacks.
The code for doing this is there (ceph_x_verify_authorizer_reply(),
ceph_auth_verify_authorizer_reply() + plumbing), but it is never
invoked by the messenger.

AFAICT this goes back to 2009, when ceph authentication protocols
support was added to the kernel client in 4e7a5dcd1bba ("ceph:
negotiate authentication protocol; implement AUTH_NONE protocol").

The second param of ceph_connection_operations::verify_authorizer_reply
is unused all the way down.  Pass 0 to facilitate backporting, and kill
it in the next commit.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ceph/messenger.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1977,6 +1977,19 @@ static int process_connect(struct ceph_c
 
 	dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
 
+	if (con->auth_reply_buf) {
+		/*
+		 * Any connection that defines ->get_authorizer()
+		 * should also define ->verify_authorizer_reply().
+		 * See get_connect_authorizer().
+		 */
+		ret = con->ops->verify_authorizer_reply(con, 0);
+		if (ret < 0) {
+			con->error_msg = "bad authorize reply";
+			return ret;
+		}
+	}
+
 	switch (con->in_reply.tag) {
 	case CEPH_MSGR_TAG_FEATURES:
 		pr_err("%s%lld %s feature set mismatch,"
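
Review bot: `con->ops->verify_authorizer_reply(con, 0)` is called through the ops table with no NULL check, relying on the invariant in the comment that any connection defining ->get_authorizer() also defines ->verify_authorizer_reply(). A WARN_ON or an explicit test would turn a violated invariant into a failed connect instead of a call through a NULL pointer. The verification also sits ahead of `switch (con->in_reply.tag)`, so it runs for every reply tag, including error tags such as CEPH_MSGR_TAG_FEATURES. Confirm the peer sends a verifiable authorizer reply in those cases, otherwise the more specific error is masked by "bad authorize reply".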

* [PATCH 3.16 184/370] usb: hub: Move hub_port_disable() to fix warning if PM is disabled
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 051/370] dm crypt: mark key as invalid until properly loaded Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 117/370] i2c: mux: pca954x: fix i2c mux selection caching Ben Hutchings
                   ` (265 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Geert Uytterhoeven, Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit 3bc02bce908c7250781376052248f5cd60a4e3d4 upstream.

If CONFIG_PM=n:

    drivers/usb/core/hub.c:107: warning: ‘hub_usb3_port_prepare_disable’ declared inline after being called
    drivers/usb/core/hub.c:107: warning: previous declaration of ‘hub_usb3_port_prepare_disable’ was here

To fix this, move hub_port_disable() after
hub_usb3_port_prepare_disable(), and adjust forward declarations.

Fixes: 37be66767e3cae4f ("usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 59 +++++++++++++++++++++++++-------------------------
 1 file changed, 29 insertions(+), 30 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -106,8 +106,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rws
 
 static void hub_release(struct kref *kref);
 static int usb_reset_and_verify_device(struct usb_device *udev);
-static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
-					  struct usb_port *port_dev);
+static int hub_port_disable(struct usb_hub *hub, int port1, int set_state);
 
 static inline char *portspeed(struct usb_hub *hub, int portstatus)
 {
@@ -878,34 +877,6 @@ static int hub_set_port_link_state(struc
 }
 
 /*
- * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
- * a connection with a plugged-in cable but will signal the host when the cable
- * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
- */
-static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
-{
-	struct usb_port *port_dev = hub->ports[port1 - 1];
-	struct usb_device *hdev = hub->hdev;
-	int ret = 0;
-
-	if (!hub->error) {
-		if (hub_is_superspeed(hub->hdev)) {
-			hub_usb3_port_prepare_disable(hub, port_dev);
-			ret = hub_set_port_link_state(hub, port_dev->portnum,
-						      USB_SS_PORT_LS_U3);
-		} else {
-			ret = usb_clear_port_feature(hdev, port1,
-					USB_PORT_FEAT_ENABLE);
-		}
-	}
-	if (port_dev->child && set_state)
-		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
-	if (ret && ret != -ENODEV)
-		dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
-	return ret;
-}
-
-/*
  * Disable a port and mark a logical connect-change event, so that some
  * time later khubd will disconnect() any existing usb_device on the port
  * and will re-enumerate if there actually is a device attached.
@@ -4035,6 +4006,34 @@ static int hub_handle_remote_wakeup(stru
 
 #endif	/* CONFIG_PM */
 
+/*
+ * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
+ * a connection with a plugged-in cable but will signal the host when the cable
+ * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
+ */
+static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
+{
+	struct usb_port *port_dev = hub->ports[port1 - 1];
+	struct usb_device *hdev = hub->hdev;
+	int ret = 0;
+
+	if (!hub->error) {
+		if (hub_is_superspeed(hub->hdev)) {
+			hub_usb3_port_prepare_disable(hub, port_dev);
+			ret = hub_set_port_link_state(hub, port_dev->portnum,
+						      USB_SS_PORT_LS_U3);
+		} else {
+			ret = usb_clear_port_feature(hdev, port1,
+					USB_PORT_FEAT_ENABLE);
+		}
+	}
+	if (port_dev->child && set_state)
+		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
+	if (ret && ret != -ENODEV)
+		dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
+	return ret;
+}
+
 
 /* USB 2.0 spec, 7.1.7.3 / fig 7-29:
  *
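
Review bot: the relocated hub_port_disable() ends with an added blank line directly before an existing one, leaving two blank lines ahead of the `/* USB 2.0 spec, 7.1.7.3 / fig 7-29:` comment; drop the trailing added blank. The body matches the removed copy line for line, and placing it after `#endif	/* CONFIG_PM */` keeps it built when CONFIG_PM=n, which is what the warning fix needs.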

* [PATCH 3.16 177/370] mei: move write cb to completion on credentials failures
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 162/370] USB: serial: kobil_sct: fix NULL-deref in write Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 151/370] usb: host: xhci: Fix possible wild pointer when handling abort command Ben Hutchings
                   ` (279 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tomas Winkler, Alexander Usyskin, Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit e09ee853c92011860a4bd2fbdf6126f60fc16bd3 upstream.

The credentials handling was pushed to the write handlers
but error handling wasn't done properly.
Move write callbacks to completion queue to destroy them
and to notify a blocked writer about the failure.

Fixes: 136698e535cd1 (mei: push credentials inside the irq write handler)
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/mei/client.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -819,7 +819,7 @@ int mei_cl_irq_write(struct mei_cl *cl,
 
 	rets = mei_cl_flow_ctrl_creds(cl);
 	if (rets < 0)
-		return rets;
+		goto err;
 
 	if (rets == 0) {
 		cl_dbg(dev, cl, "No flow control credentials: not sending.\n");
@@ -853,23 +853,27 @@ int mei_cl_irq_write(struct mei_cl *cl,
 			cb->request_buffer.size, cb->buf_idx);
 
 	rets = mei_write_message(dev, &mei_hdr, buf->data + cb->buf_idx);
-	if (rets) {
-		cl->status = rets;
-		list_move_tail(&cb->list, &cmpl_list->list);
-		return rets;
-	}
+	if (rets)
+		goto err;
 
 	cl->status = 0;
 	cl->writing_state = MEI_WRITING;
 	cb->buf_idx += mei_hdr.length;
 
 	if (mei_hdr.msg_complete) {
-		if (mei_cl_flow_ctrl_reduce(cl))
-			return -EIO;
+		if (mei_cl_flow_ctrl_reduce(cl)) {
+			rets = -EIO;
+			goto err;
+		}
 		list_move_tail(&cb->list, &dev->write_waiting_list.list);
 	}
 
 	return 0;
+
+err:
+	cl->status = rets;
+	list_move_tail(&cb->list, &cmpl_list->list);
+	return rets;
 }
 
 /**
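
Review bot: the shared `err:` path is also reached from the mei_cl_flow_ctrl_reduce() failure, by which point `cl->writing_state = MEI_WRITING` and `cb->buf_idx += mei_hdr.length` have already run. The label sets cl->status and moves the callback to cmpl_list but leaves writing_state as MEI_WRITING. Check that the completion side resets the state for a failed callback, or reset it under `err:`.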

* [PATCH 3.16 176/370] iommu/amd: Fix the left value check of cmd buffer
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 041/370] IB/mlx4: Put non zero value in max_ah device attribute Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 062/370] drivers: base: dma-mapping: Fix typo in dmam_alloc_non_coherent comments Ben Hutchings
                   ` (271 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joerg Roedel, Huang Rui

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huang Rui <ray.huang@amd.com>

commit 432abf68a79332282329286d190e21fe3ac02a31 upstream.

The generic command buffer entry is 128 bits (16 bytes), so the offset
of tail and head pointer should be 16 bytes aligned and increased with
0x10 per command.

When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.

So when the space left in the cmd buf can store only two commands, we
should issue one additional COMPLETE_WAIT to wait for all older
commands to complete. The space left should then increase once the
IOMMU has fetched from the cmd buf.

So left check value should be left <= 0x20 (two commands).

Signed-off-by: Huang Rui <ray.huang@amd.com>
Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/amd_iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -1044,7 +1044,7 @@ again:
 	next_tail = (tail + sizeof(*cmd)) % iommu->cmd_buf_size;
 	left      = (head - next_tail) % iommu->cmd_buf_size;
 
-	if (left <= 2) {
+	if (left <= 0x20) {
 		struct iommu_cmd sync_cmd;
 		volatile u64 sem = 0;
 		int ret;
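
Review bot: `if (left <= 0x20)` hard-codes the size of two commands while the line above computes next_tail with sizeof(*cmd). Writing the bound as `2 * sizeof(*cmd)` would keep the two in step and document the unit, which matters here because the old `left <= 2` compared a byte offset against what reads like a command count.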

* [PATCH 3.16 174/370] USB: serial: ti_usb_3410_5052: fix NULL-deref at open
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 070/370] mmc: sdhci: Fix recovery from tuning timeout Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 104/370] IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs Ben Hutchings
                   ` (366 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ef079936d3cd09e63612834fe2698eeada0d8e3f upstream.

Fix NULL-pointer dereference in open() should a malicious device lack
the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
..
[<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -339,6 +339,13 @@ static int ti_startup(struct usb_serial
 		goto free_tdev;
 	}
 
+	if (serial->num_bulk_in < serial->num_ports ||
+			serial->num_bulk_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		status = -ENODEV;
+		goto free_tdev;
+	}
+
 	return 0;
 
 free_tdev:
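
Review bot: the endpoint check is added as the last step of ti_startup(), after the earlier work whose failure path is the `goto free_tdev` just above it, so a device with missing endpoints is fully processed before being rejected. Moving the test to the top of the function, before the state released at `free_tdev:` is set up, would reject a malformed device sooner and avoid the `status = -ENODEV; goto free_tdev;` pair.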

* [PATCH 3.16 115/370] scsi: avoid a permanent stop of the scsi device's request queue
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 149/370] xhci: free xhci virtual devices with leaf nodes first Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46   ` Ben Hutchings
                   ` (293 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wei Fang, Martin K. Petersen, Zengxi Chen, Ewan D. Milne

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Fang <fangwei1@huawei.com>

commit d2a145252c52792bc59e4767b486b26c430af4bb upstream.

A race between scanning and fc_remote_port_delete() may result in a
permanent stop if the device gets blocked before scsi_sysfs_add_sdev()
and unblocked after.  The reason is that blocking a device sets both the
SDEV_BLOCKED state and the QUEUE_FLAG_STOPPED.  However,
scsi_sysfs_add_sdev() unconditionally sets SDEV_RUNNING which causes the
device to be ignored by scsi_target_unblock() and thus never have its
QUEUE_FLAG_STOPPED cleared leading to a device which is apparently
running but has a stopped queue.

We actually have two places where SDEV_RUNNING is set: once in
scsi_add_lun() which respects the blocked flag and once in
scsi_sysfs_add_sdev() which doesn't.  Since the second set is entirely
spurious, simply remove it to fix the problem.

Reported-by: Zengxi Chen <chenzengxi@huawei.com>
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_sysfs.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1002,10 +1002,6 @@ int scsi_sysfs_add_sdev(struct scsi_devi
 	struct request_queue *rq = sdev->request_queue;
 	struct scsi_target *starget = sdev->sdev_target;
 
-	error = scsi_device_set_state(sdev, SDEV_RUNNING);
-	if (error)
-		return error;
-
 	error = scsi_target_add(starget);
 	if (error)
 		return error;
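
Review bot: with the scsi_device_set_state() call removed, nothing in the visible part of scsi_sysfs_add_sdev() says that the function now leaves the device state to its caller. A short comment where the call used to be, pointing at scsi_add_lun() as the place that sets SDEV_RUNNING and respects the blocked state, would keep the spurious transition from being added back.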

* [PATCH 3.16 131/370] net/mlx4_en: Fix bad WQE issue
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 075/370] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 170/370] USB: serial: oti6858: fix NULL-deref at open Ben Hutchings
                   ` (219 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tariq Toukan, David S. Miller, Eugenia Emantayev

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eugenia Emantayev <eugenia@mellanox.com>

commit 6496bbf0ec481966ef9ffe5b6660d8d1b55c60cc upstream.

Single send WQE in RX buffer should be stamped with software
ownership in order to prevent the flow of QP in error in FW
once UPDATE_QP is called.

Fixes: 9f519f68cfff ('mlx4_en: Not using Shared Receive Queues')
Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -437,8 +437,14 @@ int mlx4_en_activate_rx_rings(struct mlx
 		ring->cqn = priv->rx_cq[ring_ind]->mcq.cqn;
 
 		ring->stride = stride;
-		if (ring->stride <= TXBB_SIZE)
+		if (ring->stride <= TXBB_SIZE) {
+			/* Stamp first unused send wqe */
+			__be32 *ptr = (__be32 *)ring->buf;
+			__be32 stamp = cpu_to_be32(1 << STAMP_SHIFT);
+			*ptr = stamp;
+			/* Move pointer to start of rx section */
 			ring->buf += TXBB_SIZE;
+		}
 
 		ring->log_stride = ffs(ring->stride) - 1;
 		ring->buf_size = ring->size * ring->stride;
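
Review bot: `cpu_to_be32(1 << STAMP_SHIFT)` shifts a signed int; if STAMP_SHIFT is 31 that shifts into the sign bit, so write `1U << STAMP_SHIFT`. The stamp is written through ring->buf before `ring->buf += TXBB_SIZE`, which depends on ring->buf still pointing at the start of the send section at that point. The two added comments cover the ordering; a mention of why software ownership is needed (the UPDATE_QP case from the commit message) would complete them.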

* [PATCH 3.16 107/370] btrfs: limit async_work allocation and worker func duration
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 054/370] regmap: cache: Remove unused 'blksize' variable Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 010/370] [media] ite-cir: initialize use_demodulator before using it Ben Hutchings
                   ` (311 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Maxim Patlasov, Chris Mason

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maxim Patlasov <mpatlasov@virtuozzo.com>

commit 2939e1a86f758b55cdba73e29397dd3d94df13bc upstream.

Problem statement: unprivileged user who has read-write access to more than
one btrfs subvolume may easily consume all kernel memory (eventually
triggering oom-killer).

Reproducer (./mkrmdir below essentially loops over mkdir/rmdir):

[root@kteam1 ~]# cat prep.sh

DEV=/dev/sdb
mkfs.btrfs -f $DEV
mount $DEV /mnt
for i in `seq 1 16`
do
	mkdir /mnt/$i
	btrfs subvolume create /mnt/SV_$i
	ID=`btrfs subvolume list /mnt |grep "SV_$i$" |cut -d ' ' -f 2`
	mount -t btrfs -o subvolid=$ID $DEV /mnt/$i
	chmod a+rwx /mnt/$i
done

[root@kteam1 ~]# sh prep.sh

[maxim@kteam1 ~]$ for i in `seq 1 16`; do ./mkrmdir /mnt/$i 2000 2000 & done

[root@kteam1 ~]# for i in `seq 1 4`; do grep "kmalloc-128" /proc/slabinfo | grep -v dma; sleep 60; done
kmalloc-128        10144  10144    128   32    1 : tunables    0    0    0 : slabdata    317    317      0
kmalloc-128       9992352 9992352    128   32    1 : tunables    0    0    0 : slabdata 312261 312261      0
kmalloc-128       24226752 24226752    128   32    1 : tunables    0    0    0 : slabdata 757086 757086      0
kmalloc-128       42754240 42754240    128   32    1 : tunables    0    0    0 : slabdata 1336070 1336070      0

The huge numbers above come from insane number of async_work-s allocated
and queued by btrfs_wq_run_delayed_node.

The problem is caused by btrfs_wq_run_delayed_node() queuing more and more
works if the number of delayed items is above BTRFS_DELAYED_BACKGROUND. The
worker func (btrfs_async_run_delayed_root) processes at least
BTRFS_DELAYED_BATCH items (if they are present in the list). So, the machinery
works as expected while the list is almost empty. As soon as it is getting
bigger, worker func starts to process more than one item at a time, it takes
longer, and the chances to have async_works queued more than needed is getting
higher.

The problem above is worsened by another flaw of delayed-inode implementation:
if async_work was queued in a throttling branch (number of items >=
BTRFS_DELAYED_WRITEBACK), corresponding worker func won't quit until
the number of items < BTRFS_DELAYED_BACKGROUND / 2. So, it is possible that
the func occupies CPU infinitely (up to 30sec in my experiments): while the
func is trying to drain the list, the user activity may add more and more
items to the list.

The patch fixes both problems in straightforward way: refuse queuing too
many works in btrfs_wq_run_delayed_node and bail out of worker func if
at least BTRFS_DELAYED_WRITEBACK items are processed.

Changed in v2: remove support of thresh == NO_THRESHOLD.

Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
Signed-off-by: Chris Mason <clm@fb.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/async-thread.c  | 14 ++++++++++++++
 fs/btrfs/async-thread.h  |  1 +
 fs/btrfs/delayed-inode.c |  6 ++++--
 3 files changed, 19 insertions(+), 2 deletions(-)

--- a/fs/btrfs/async-thread.c
+++ b/fs/btrfs/async-thread.c
@@ -64,6 +64,20 @@ void btrfs_##name(struct work_struct *ar
 	normal_work_helper(work);					\
 }
 
+bool btrfs_workqueue_normal_congested(struct btrfs_workqueue *wq)
+{
+	/*
+	 * We could compare wq->normal->pending with num_online_cpus()
+	 * to support "thresh == NO_THRESHOLD" case, but it requires
+	 * moving up atomic_inc/dec in thresh_queue/exec_hook. Let's
+	 * postpone it until someone needs the support of that case.
+	 */
+	if (wq->normal->thresh == NO_THRESHOLD)
+		return false;
+
+	return atomic_read(&wq->normal->pending) > wq->normal->thresh * 2;
+}
+
 BTRFS_WORK_HELPER(worker_helper);
 BTRFS_WORK_HELPER(delalloc_helper);
 BTRFS_WORK_HELPER(flush_delalloc_helper);
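Review bot: btrfs_workqueue_normal_congested() returns false whenever `thresh == NO_THRESHOLD`, so a queue configured that way gets no protection from the unbounded async_work growth this patch is meant to stop. The inline comment says support is postponed, but the function has no header comment stating that limitation or why the cut-off is `thresh * 2`. A short kernel-doc block naming the factor, and noting that `pending` is sampled with a plain atomic_read() so the answer is only a heuristic, would tell callers how far they can rely on it.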
--- a/fs/btrfs/async-thread.h
+++ b/fs/btrfs/async-thread.h
@@ -77,4 +77,5 @@ void btrfs_queue_work(struct btrfs_workq
 void btrfs_destroy_workqueue(struct btrfs_workqueue *wq);
 void btrfs_workqueue_set_max(struct btrfs_workqueue *wq, int max);
 void btrfs_set_work_high_priority(struct btrfs_work *work);
+bool btrfs_workqueue_normal_congested(struct btrfs_workqueue *wq);
 #endif
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1371,7 +1371,8 @@ release_path:
 	total_done++;
 
 	btrfs_release_prepared_delayed_node(delayed_node);
-	if (async_work->nr == 0 || total_done < async_work->nr)
+	if ((async_work->nr == 0 && total_done < BTRFS_DELAYED_WRITEBACK) ||
+	    total_done < async_work->nr)
 		goto again;
 
 free_path:
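Review bot: The new test before `goto again` encodes two different modes in one expression (nr == 0 meaning "drain, but at most BTRFS_DELAYED_WRITEBACK items", nr != 0 meaning "exactly nr items") and carries no comment. That cap is what keeps the worker from running for an unbounded time while an unprivileged user keeps refilling the list, so a one-line comment at this test stating the bound would keep a later cleanup from dropping it.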
@@ -1387,7 +1388,8 @@ static int btrfs_wq_run_delayed_node(str
 {
 	struct btrfs_async_delayed_work *async_work;
 
-	if (atomic_read(&delayed_root->items) < BTRFS_DELAYED_BACKGROUND)
+	if (atomic_read(&delayed_root->items) < BTRFS_DELAYED_BACKGROUND ||
+	    btrfs_workqueue_normal_congested(fs_info->delayed_workers))
 		return 0;
 
 	async_work = kmalloc(sizeof(*async_work), GFP_NOFS);
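Review bot: The added call passes `fs_info->delayed_workers`, but no `fs_info` is declared in the lines shown for btrfs_wq_run_delayed_node(), and the backport note mentions only adjusted context. Please confirm that the 3.16 signature has an fs_info in scope, otherwise this will not build. Separately, the function now returns 0 both when there is too little work and when the queue is congested, so callers cannot tell that work was deliberately not queued; if that is intended it deserves a comment.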


* [PATCH 3.16 103/370] fsnotify: Fix possible use-after-free in inode iteration on umount
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 5716863e0f8251d3360d4cbfc0e44e08007075df upstream.

fsnotify_unmount_inodes() plays complex tricks to pin next inode in the
sb->s_inodes list when iterating over all inodes. Furthermore the code has a
bug that if the current inode is the last on i_sb_list that does not have e.g.
I_FREEING set, then we leave next_i pointing to inode which may get removed
from the i_sb_list once we drop s_inode_list_lock thus resulting in
use-after-free issues (usually manifesting as infinite looping in
fsnotify_unmount_inodes()).

Fix the problem by keeping current inode pinned somewhat longer. Then we can
make the code much simpler and standard.

Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/notify/inode_mark.c | 45 +++++++++------------------------------------
 1 file changed, 9 insertions(+), 36 deletions(-)

--- a/fs/notify/inode_mark.c
+++ b/fs/notify/inode_mark.c
@@ -249,12 +249,10 @@ out:
  */
 void fsnotify_unmount_inodes(struct list_head *list)
 {
-	struct inode *inode, *next_i, *need_iput = NULL;
+	struct inode *inode, *iput_inode = NULL;
 
 	spin_lock(&inode_sb_list_lock);
-	list_for_each_entry_safe(inode, next_i, list, i_sb_list) {
-		struct inode *need_iput_tmp;
-
+	list_for_each_entry(inode, list, i_sb_list) {
 		/*
 		 * We cannot __iget() an inode in state I_FREEING,
 		 * I_WILL_FREE, or I_NEW which is fine because by that point
@@ -277,49 +275,24 @@ void fsnotify_unmount_inodes(struct list
 			continue;
 		}
 
-		need_iput_tmp = need_iput;
-		need_iput = NULL;
-
-		/* In case fsnotify_inode_delete() drops a reference. */
-		if (inode != need_iput_tmp)
-			__iget(inode);
-		else
-			need_iput_tmp = NULL;
+		__iget(inode);
 		spin_unlock(&inode->i_lock);
-
-		/* In case the dropping of a reference would nuke next_i. */
-		while (&next_i->i_sb_list != list) {
-			spin_lock(&next_i->i_lock);
-			if (!(next_i->i_state & (I_FREEING | I_WILL_FREE)) &&
-						atomic_read(&next_i->i_count)) {
-				__iget(next_i);
-				need_iput = next_i;
-				spin_unlock(&next_i->i_lock);
-				break;
-			}
-			spin_unlock(&next_i->i_lock);
-			next_i = list_next_entry(next_i, i_sb_list);
-		}
-
-		/*
-		 * We can safely drop inode_sb_list_lock here because either
-		 * we actually hold references on both inode and next_i or
-		 * end of list.  Also no new inodes will be added since the
-		 * umount has begun.
-		 */
 		spin_unlock(&inode_sb_list_lock);
 
-		if (need_iput_tmp)
-			iput(need_iput_tmp);
+		if (iput_inode)
+			iput(iput_inode);
 
 		/* for each watch, send FS_UNMOUNT and then remove it */
 		fsnotify(inode, FS_UNMOUNT, inode, FSNOTIFY_EVENT_INODE, NULL, 0);
 
 		fsnotify_inode_delete(inode);
 
-		iput(inode);
+		iput_inode = inode;
 
 		spin_lock(&inode_sb_list_lock);
 	}
 	spin_unlock(&inode_sb_list_lock);
+
+	if (iput_inode)
+		iput(iput_inode);
 }
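Review bot: This hunk deletes the comment that explained why it was safe to drop inode_sb_list_lock and puts nothing in its place, although the new scheme is just as subtle. The iput() of the previous inode is deferred to the next iteration (and to after the loop) so that the current inode stays pinned and list_for_each_entry() can continue from it once the lock is retaken. A short comment at `iput_inode = inode;` stating that invariant would guard against someone simplifying it back to an immediate iput(inode), which would let the list cursor be freed while the lock is dropped.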


* [PATCH 3.16 102/370] fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Geliang Tang, Jan Kara, Linus Torvalds

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geliang Tang <geliangtang@163.com>

commit 1deaf9d19776916cd1c83191503bf327319a301a upstream.

To make the intention clearer, use list_next_entry instead of
list_entry.

Signed-off-by: Geliang Tang <geliangtang@163.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/notify/inode_mark.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/notify/inode_mark.c
+++ b/fs/notify/inode_mark.c
@@ -298,8 +298,7 @@ void fsnotify_unmount_inodes(struct list
 				break;
 			}
 			spin_unlock(&next_i->i_lock);
-			next_i = list_entry(next_i->i_sb_list.next,
-						struct inode, i_sb_list);
+			next_i = list_next_entry(next_i, i_sb_list);
 		}
 
 		/*


* [PATCH 3.16 116/370] target/iscsi: Fix double free in lio_target_tiqn_addtpg()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bart Van Assche, Dan Carpenter, David Disseldorp

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit a91918cd3ea11f91c68e08e1e8ce1b560447a80e upstream.

This iscsit_tpg_add_portal_group() function is only called from
lio_target_tiqn_addtpg().  Both functions free the "tpg" pointer on
error so it's a double free bug.  The memory is allocated in the caller
so it should be freed in the caller and not here.

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
[ bvanassche: Added "Fix" at start of patch title ]
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/iscsi/iscsi_target_tpg.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_tpg.c
+++ b/drivers/target/iscsi/iscsi_target_tpg.c
@@ -261,7 +261,6 @@ err_out:
 		iscsi_release_param_list(tpg->param_list);
 		tpg->param_list = NULL;
 	}
-	kfree(tpg);
 	return -ENOMEM;
 }
 
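Review bot: With kfree(tpg) removed, the err_out path still tears down tpg->param_list, but nothing at the label says who owns tpg itself. The changelog explains that the caller allocates and frees it; a one-line comment above `return -ENOMEM;` saying so would keep the double free from being reintroduced by a later cleanup of this error path.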


* [PATCH 3.16 100/370] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jussi Laako, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jussi Laako <jussi@sonarnerd.net>

commit 995c6a7fd9b9212abdf01160f6ce3193176be503 upstream.

Sampling rate changes after first set one are not reflected to the
hardware, while driver and ALSA think the rate has been changed.

Fix the problem by properly stopping the interface at the beginning of
prepare call, allowing new rate to be set to the hardware. This keeps
the hardware in sync with the driver.

Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/hiface/pcm.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -445,6 +445,8 @@ static int hiface_pcm_prepare(struct snd
 
 	mutex_lock(&rt->stream_mutex);
 
+	hiface_pcm_stream_stop(rt);
+
 	sub->dma_off = 0;
 	sub->period_off = 0;
 


* [PATCH 3.16 110/370] IPoIB: Avoid reading an uninitialized member variable
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Erez Shitrit, Doug Ledford, Bart Van Assche

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit 11b642b84e8c43e8597de031678d15c08dd057bc upstream.

This patch avoids that Coverity reports the following:

    Using uninitialized value port_attr.state when calling printk

Fixes: commit 94232d9ce817 ("IPoIB: Start multicast join process only on active ports")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Erez Shitrit <erezsh@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -523,8 +523,11 @@ void ipoib_mcast_join_task(struct work_s
 	if (!test_bit(IPOIB_MCAST_RUN, &priv->flags))
 		return;
 
-	if (ib_query_port(priv->ca, priv->port, &port_attr) ||
-	    port_attr.state != IB_PORT_ACTIVE) {
+	if (ib_query_port(priv->ca, priv->port, &port_attr)) {
+		ipoib_dbg(priv, "ib_query_port() failed\n");
+		return;
+	}
+	if (port_attr.state != IB_PORT_ACTIVE) {
 		ipoib_dbg(priv, "port state is not ACTIVE (state = %d) suspending join task\n",
 			  port_attr.state);
 		return;
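Review bot: In the new `if (ib_query_port(priv->ca, priv->port, &port_attr))` branch the return value is discarded, so the message "ib_query_port() failed" carries no error code. Storing the result in a local and printing it would make the failure diagnosable. It is also worth considering whether a failed port query deserves more than ipoib_dbg(), since the join task stops here without any trace at the default log level.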


* [PATCH 3.16 112/370] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Martin K. Petersen, Steffen Maier

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Block <bblock@linux.vnet.ibm.com>

commit dac37e15b7d511e026a9313c8c46794c144103cd upstream.

When SCSI EH invokes zFCP's callbacks for eh_device_reset_handler() and
eh_target_reset_handler(), it expects us to relent the ownership over
the given scsi_cmnd and all other scsi_cmnds within the same scope - LUN
or target - when returning with SUCCESS from the callback ('release'
them).  SCSI EH can then reuse those commands.

We did not follow this rule to release commands upon SUCCESS; and if
later a reply arrived for one of those supposed to be released commands,
we would still make use of the scsi_cmnd in our ingress tasklet. This
will at least result in undefined behavior or a kernel panic because of
a wrong kernel pointer dereference.

To fix this, we NULLify all pointers to scsi_cmnds (struct zfcp_fsf_req
*)->data in the matching scope if a TMF was successful. This is done
under the locks (struct zfcp_adapter *)->abort_lock and (struct
zfcp_reqlist *)->lock to prevent the requests from being removed from
the request-hashtable, and the ingress tasklet from making use of the
scsi_cmnd-pointer in zfcp_fsf_fcp_cmnd_handler().

For cases where a reply arrives during SCSI EH, but before we get a
chance to NULLify the pointer - but before we return from the callback
-, we assume that the code is protected from races via the CAS operation
in blk_complete_request() that is called in scsi_done().

The following stacktrace shows an example for a crash resulting from the
previous behavior:

Unable to handle kernel pointer dereference at virtual kernel address fffffee17a672000
Oops: 0038 [#1] SMP
CPU: 2 PID: 0 Comm: swapper/2 Not tainted
task: 00000003f7ff5be0 ti: 00000003f3d38000 task.ti: 00000003f3d38000
Krnl PSW : 0404d00180000000 00000000001156b0 (smp_vcpu_scheduled+0x18/0x40)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 EA:3
Krnl GPRS: 000000200000007e 0000000000000000 fffffee17a671fd8 0000000300000015
           ffffffff80000000 00000000005dfde8 07000003f7f80e00 000000004fa4e800
           000000036ce8d8f8 000000036ce8d9c0 00000003ece8fe00 ffffffff969c9e93
           00000003fffffffd 000000036ce8da10 00000000003bf134 00000003f3b07918
Krnl Code: 00000000001156a2: a7190000        lghi    %r1,0
           00000000001156a6: a7380015        lhi    %r3,21
          #00000000001156aa: e32050000008    ag    %r2,0(%r5)
          >00000000001156b0: 482022b0        lh    %r2,688(%r2)
           00000000001156b4: ae123000        sigp    %r1,%r2,0(%r3)
           00000000001156b8: b2220020        ipm    %r2
           00000000001156bc: 8820001c        srl    %r2,28
           00000000001156c0: c02700000001    xilf    %r2,1
Call Trace:
([<0000000000000000>] 0x0)
 [<000003ff807bdb8e>] zfcp_fsf_fcp_cmnd_handler+0x3de/0x490 [zfcp]
 [<000003ff807be30a>] zfcp_fsf_req_complete+0x252/0x800 [zfcp]
 [<000003ff807c0a48>] zfcp_fsf_reqid_check+0xe8/0x190 [zfcp]
 [<000003ff807c194e>] zfcp_qdio_int_resp+0x66/0x188 [zfcp]
 [<000003ff80440c64>] qdio_kick_handler+0xdc/0x310 [qdio]
 [<000003ff804463d0>] __tiqdio_inbound_processing+0xf8/0xcd8 [qdio]
 [<0000000000141fd4>] tasklet_action+0x9c/0x170
 [<0000000000141550>] __do_softirq+0xe8/0x258
 [<000000000010ce0a>] do_softirq+0xba/0xc0
 [<000000000014187c>] irq_exit+0xc4/0xe8
 [<000000000046b526>] do_IRQ+0x146/0x1d8
 [<00000000005d6a3c>] io_return+0x0/0x8
 [<00000000005d6422>] vtime_stop_cpu+0x4a/0xa0
([<0000000000000000>] 0x0)
 [<0000000000103d8a>] arch_cpu_idle+0xa2/0xb0
 [<0000000000197f94>] cpu_startup_entry+0x13c/0x1f8
 [<0000000000114782>] smp_start_secondary+0xda/0xe8
 [<00000000005d6efe>] restart_int_handler+0x56/0x6c
 [<0000000000000000>] 0x0
Last Breaking-Event-Address:
 [<00000000003bf12e>] arch_spin_lock_wait+0x56/0xb0

Suggested-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Fixes: ea127f9754 ("[PATCH] s390 (7/7): zfcp host adapter.") (tglx/history.git)
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_dbf.h     | 11 ++++++++
 drivers/s390/scsi/zfcp_reqlist.h | 30 ++++++++++++++++++++-
 drivers/s390/scsi/zfcp_scsi.c    | 57 ++++++++++++++++++++++++++++++++++++++--
 3 files changed, 95 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -388,4 +388,15 @@ void zfcp_dbf_scsi_devreset(char *tag, s
 	_zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
 }
 
+/**
+ * zfcp_dbf_scsi_nullcmnd() - trace NULLify of SCSI command in dev/tgt-reset.
+ * @scmnd: SCSI command that was NULLified.
+ * @fsf_req: request that owned @scmnd.
+ */
+static inline void zfcp_dbf_scsi_nullcmnd(struct scsi_cmnd *scmnd,
+					  struct zfcp_fsf_req *fsf_req)
+{
+	_zfcp_dbf_scsi("scfc__1", 3, scmnd, fsf_req);
+}
+
 #endif /* ZFCP_DBF_H */
--- a/drivers/s390/scsi/zfcp_reqlist.h
+++ b/drivers/s390/scsi/zfcp_reqlist.h
@@ -4,7 +4,7 @@
  * Data structure and helper functions for tracking pending FSF
  * requests.
  *
- * Copyright IBM Corp. 2009
+ * Copyright IBM Corp. 2009, 2016
  */
 
 #ifndef ZFCP_REQLIST_H
@@ -180,4 +180,32 @@ static inline void zfcp_reqlist_move(str
 	spin_unlock_irqrestore(&rl->lock, flags);
 }
 
+/**
+ * zfcp_reqlist_apply_for_all() - apply a function to every request.
+ * @rl: the requestlist that contains the target requests.
+ * @f: the function to apply to each request; the first parameter of the
+ *     function will be the target-request; the second parameter is the same
+ *     pointer as given with the argument @data.
+ * @data: freely chosen argument; passed through to @f as second parameter.
+ *
+ * Uses :c:macro:`list_for_each_entry` to iterate over the lists in the hash-
+ * table (not a 'safe' variant, so don't modify the list).
+ *
+ * Holds @rl->lock over the entire request-iteration.
+ */
+static inline void
+zfcp_reqlist_apply_for_all(struct zfcp_reqlist *rl,
+			   void (*f)(struct zfcp_fsf_req *, void *), void *data)
+{
+	struct zfcp_fsf_req *req;
+	unsigned long flags;
+	unsigned int i;
+
+	spin_lock_irqsave(&rl->lock, flags);
+	for (i = 0; i < ZFCP_REQ_LIST_BUCKETS; i++)
+		list_for_each_entry(req, &rl->buckets[i], list)
+			f(req, data);
+	spin_unlock_irqrestore(&rl->lock, flags);
+}
+
 #endif /* ZFCP_REQLIST_H */
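Review bot: zfcp_reqlist_apply_for_all() calls @f with rl->lock held and interrupts disabled (spin_lock_irqsave), but the kernel-doc only warns against modifying the list. It should also state that @f runs in atomic context and must neither sleep nor take rl->lock itself, since a future callback that does either will deadlock or sleep while atomic.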
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -230,6 +230,57 @@ static int zfcp_scsi_eh_abort_handler(st
 	return retval;
 }
 
+struct zfcp_scsi_req_filter {
+	u8 tmf_scope;
+	u32 lun_handle;
+	u32 port_handle;
+};
+
+static void zfcp_scsi_forget_cmnd(struct zfcp_fsf_req *old_req, void *data)
+{
+	struct zfcp_scsi_req_filter *filter =
+		(struct zfcp_scsi_req_filter *)data;
+
+	/* already aborted - prevent side-effects - or not a SCSI command */
+	if (old_req->data == NULL || old_req->fsf_command != FSF_QTCB_FCP_CMND)
+		return;
+
+	/* (tmf_scope == FCP_TMF_TGT_RESET || tmf_scope == FCP_TMF_LUN_RESET) */
+	if (old_req->qtcb->header.port_handle != filter->port_handle)
+		return;
+
+	if (filter->tmf_scope == FCP_TMF_LUN_RESET &&
+	    old_req->qtcb->header.lun_handle != filter->lun_handle)
+		return;
+
+	zfcp_dbf_scsi_nullcmnd((struct scsi_cmnd *)old_req->data, old_req);
+	old_req->data = NULL;
+}
+
+static void zfcp_scsi_forget_cmnds(struct zfcp_scsi_dev *zsdev, u8 tm_flags)
+{
+	struct zfcp_adapter *adapter = zsdev->port->adapter;
+	struct zfcp_scsi_req_filter filter = {
+		.tmf_scope = FCP_TMF_TGT_RESET,
+		.port_handle = zsdev->port->handle,
+	};
+	unsigned long flags;
+
+	if (tm_flags == FCP_TMF_LUN_RESET) {
+		filter.tmf_scope = FCP_TMF_LUN_RESET;
+		filter.lun_handle = zsdev->lun_handle;
+	}
+
+	/*
+	 * abort_lock secures against other processings - in the abort-function
+	 * and normal cmnd-handler - of (struct zfcp_fsf_req *)->data
+	 */
+	write_lock_irqsave(&adapter->abort_lock, flags);
+	zfcp_reqlist_apply_for_all(adapter->req_list, zfcp_scsi_forget_cmnd,
+				   &filter);
+	write_unlock_irqrestore(&adapter->abort_lock, flags);
+}
+
 static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
 {
 	struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
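Review bot: In zfcp_scsi_forget_cmnds() any tm_flags value other than FCP_TMF_LUN_RESET is silently treated as a target reset, and the parenthesised expression left as a comment in zfcp_scsi_forget_cmnd() reads like a disabled check rather than documentation. Clearing old_req->data for a wider scope than the TMF covered would detach commands that SCSI EH has not taken back, so consider rejecting unexpected tm_flags explicitly (a WARN_ON_ONCE and early return, for instance) and rewording that comment as a sentence stating the assumed scopes.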
@@ -262,8 +313,10 @@ static int zfcp_task_mgmt_function(struc
 	if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
 		zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
 		retval = FAILED;
-	} else
+	} else {
 		zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+		zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
+	}
 
 	zfcp_fsf_req_free(fsf_req);
 	return retval;
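Review bot: The call to zfcp_scsi_forget_cmnds() in the success branch runs only after the TMF result has been evaluated, so a reply for an affected command can still reach the ingress tasklet before the pointers are cleared. The changelog says this window is covered by the CAS in blk_complete_request(); that assumption should be recorded in a comment at this call site, because nothing in the lines shown here makes it visible.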


* [PATCH 3.16 114/370] scsi: zfcp: fix rport unblock race with LUN recovery
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steffen Maier, Martin K. Petersen, Benjamin Block

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.vnet.ibm.com>

commit 6f2ce1c6af37191640ee3ff6e8fc39ea10352f4c upstream.

It is unavoidable that zfcp_scsi_queuecommand() has to finish requests
with DID_IMM_RETRY (like fc_remote_port_chkready()) during the time
window when zfcp detected an unavailable rport but
fc_remote_port_delete(), which is asynchronous via
zfcp_scsi_schedule_rport_block(), has not yet blocked the rport.

However, for the case when the rport becomes available again, we should
prevent unblocking the rport too early.  In contrast to other FCP LLDDs,
zfcp has to open each LUN with the FCP channel hardware before it can
send I/O to a LUN.  So if a port already has LUNs attached and we
unblock the rport just after port recovery, recoveries of LUNs behind
this port can still be pending which in turn force
zfcp_scsi_queuecommand() to unnecessarily finish requests with
DID_IMM_RETRY.

This also opens a time window with unblocked rport (until the followup
LUN reopen recovery has finished).  If a scsi_cmnd timeout occurs during
this time window fc_timed_out() cannot work as desired and such command
would indeed time out and trigger scsi_eh. This prevents a clean and
timely path failover.  This should not happen if the path issue can be
recovered on FC transport layer such as path issues involving RSCNs.

Fix this by only calling zfcp_scsi_schedule_rport_register(), to
asynchronously trigger fc_remote_port_add(), after all LUN recoveries as
children of the rport have finished and no new recoveries of equal or
higher order were triggered meanwhile.  Finished intentionally includes
any recovery result no matter if successful or failed (still unblock
rport so other successful LUNs work).  For simplicity, we check after
each finished LUN recovery if there is another LUN recovery pending on
the same port and then do nothing.  We handle the special case of a
successful recovery of a port without LUN children the same way without
changing this case's semantics.

For debugging we introduce 2 new trace records written if the rport
unblock attempt was aborted due to still unfinished or freshly triggered
recovery. The records are only written above the default trace level.

Benjamin noticed the important special case of new recovery that can be
triggered between having given up the erp_lock and before calling
zfcp_erp_action_cleanup() within zfcp_erp_strategy().  We must avoid the
following sequence:

ERP thread                 rport_work      other context
-------------------------  --------------  --------------------------------
port is unblocked, rport still blocked,
 due to pending/running ERP action,
 so ((port->status & ...UNBLOCK) != 0)
 and (port->rport == NULL)
unlock ERP
zfcp_erp_action_cleanup()
case ZFCP_ERP_ACTION_REOPEN_LUN:
zfcp_erp_try_rport_unblock()
((status & ...UNBLOCK) != 0) [OLD!]
                                           zfcp_erp_port_reopen()
                                           lock ERP
                                           zfcp_erp_port_block()
                                           port->status clear ...UNBLOCK
                                           unlock ERP
                                           zfcp_scsi_schedule_rport_block()
                                           port->rport_task = RPORT_DEL
                                           queue_work(rport_work)
                           zfcp_scsi_rport_work()
                           (port->rport_task != RPORT_ADD)
                           port->rport_task = RPORT_NONE
                           zfcp_scsi_rport_block()
                           if (!port->rport) return
zfcp_scsi_schedule_rport_register()
port->rport_task = RPORT_ADD
queue_work(rport_work)
                           zfcp_scsi_rport_work()
                           (port->rport_task == RPORT_ADD)
                           port->rport_task = RPORT_NONE
                           zfcp_scsi_rport_register()
                           (port->rport == NULL)
                           rport = fc_remote_port_add()
                           port->rport = rport;

Now the rport was erroneously unblocked while the zfcp_port is blocked.
This is another situation we want to avoid due to scsi_eh
potential. This state would at least remain until the new recovery from
the other context finished successfully, or potentially forever if it
failed.  In order to close this race, we take the erp_lock inside
zfcp_erp_try_rport_unblock() when checking the status of zfcp_port or
LUN.  With that, the possible corresponding rport state sequences would
be: (unblock[ERP thread],block[other context]) if the ERP thread gets
erp_lock first and still sees ((port->status & ...UNBLOCK) != 0),
(block[other context],NOP[ERP thread]) if the ERP thread gets erp_lock
after the other context has already cleared ...UNBLOCK from port->status.

Since checking fields of struct erp_action is unsafe because they could
have been overwritten (re-used for new recovery) meanwhile, we only
check status of zfcp_port and LUN since these are only changed under
erp_lock elsewhere. Regarding the check of the proper status flags (port
or port_forced are similar to the shown adapter recovery):

[zfcp_erp_adapter_shutdown()]
zfcp_erp_adapter_reopen()
 zfcp_erp_adapter_block()
  * clear UNBLOCK ---------------------------------------+
 zfcp_scsi_schedule_rports_block()                       |
 write_lock_irqsave(&adapter->erp_lock, flags);-------+  |
 zfcp_erp_action_enqueue()                            |  |
  zfcp_erp_setup_act()                                |  |
   * set ERP_INUSE -----------------------------------|--|--+
 write_unlock_irqrestore(&adapter->erp_lock, flags);--+  |  |
.context-switch.                                         |  |
zfcp_erp_thread()                                        |  |
 zfcp_erp_strategy()                                     |  |
  write_lock_irqsave(&adapter->erp_lock, flags);------+  |  |
  ...                                                 |  |  |
  zfcp_erp_strategy_check_target()                    |  |  |
   zfcp_erp_strategy_check_adapter()                  |  |  |
    zfcp_erp_adapter_unblock()                        |  |  |
     * set UNBLOCK -----------------------------------|--+  |
  zfcp_erp_action_dequeue()                           |     |
   * clear ERP_INUSE ---------------------------------|-----+
  ...                                                 |
  write_unlock_irqrestore(&adapter->erp_lock, flags);-+

Hence, we should check for both UNBLOCK and ERP_INUSE because they are
interleaved.  Also we need to explicitly check ERP_FAILED for the link
down case which currently does not clear the UNBLOCK flag in
zfcp_fsf_link_down_info_eval().

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: 8830271c4819 ("[SCSI] zfcp: Dont fail SCSI commands when transitioning to blocked fc_rport")
Fixes: a2fa0aede07c ("[SCSI] zfcp: Block FC transport rports early on errors")
Fixes: 5f852be9e11d ("[SCSI] zfcp: Fix deadlock between zfcp ERP and SCSI")
Fixes: 338151e06608 ("[SCSI] zfcp: make use of fc_remote_port_delete when target port is unavailable")
Fixes: 3859f6a248cb ("[PATCH] zfcp: add rports to enable scsi_add_device to work again")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_dbf.c  | 17 +++++++++---
 drivers/s390/scsi/zfcp_erp.c  | 61 +++++++++++++++++++++++++++++++++++++++++--
 drivers/s390/scsi/zfcp_ext.h  |  4 ++-
 drivers/s390/scsi/zfcp_scsi.c |  4 +--
 4 files changed, 77 insertions(+), 9 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -289,11 +289,12 @@ void zfcp_dbf_rec_trig(char *tag, struct
 
 
 /**
- * zfcp_dbf_rec_run - trace event related to running recovery
+ * zfcp_dbf_rec_run_lvl - trace event related to running recovery
+ * @level: trace level to be used for event
  * @tag: identifier for event
  * @erp: erp_action running
  */
-void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
+void zfcp_dbf_rec_run_lvl(int level, char *tag, struct zfcp_erp_action *erp)
 {
 	struct zfcp_dbf *dbf = erp->adapter->dbf;
 	struct zfcp_dbf_rec *rec = &dbf->rec_buf;
@@ -319,11 +320,21 @@ void zfcp_dbf_rec_run(char *tag, struct
 	else
 		rec->u.run.rec_count = atomic_read(&erp->adapter->erp_counter);
 
-	debug_event(dbf->rec, 1, rec, sizeof(*rec));
+	debug_event(dbf->rec, level, rec, sizeof(*rec));
 	spin_unlock_irqrestore(&dbf->rec_lock, flags);
 }
 
 /**
+ * zfcp_dbf_rec_run - trace event related to running recovery
+ * @tag: identifier for event
+ * @erp: erp_action running
+ */
+void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
+{
+	zfcp_dbf_rec_run_lvl(1, tag, erp);
+}
+
+/**
  * zfcp_dbf_rec_run_wka - trace wka port event with info like running recovery
  * @tag: identifier for event
  * @wka_port: well known address port
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -3,7 +3,7 @@
  *
  * Error Recovery Procedures (ERP).
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -1211,6 +1211,62 @@ static void zfcp_erp_action_dequeue(stru
 	}
 }
 
+/**
+ * zfcp_erp_try_rport_unblock - unblock rport if no more/new recovery
+ * @port: zfcp_port whose fc_rport we should try to unblock
+ */
+static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
+{
+	unsigned long flags;
+	struct zfcp_adapter *adapter = port->adapter;
+	int port_status;
+	struct Scsi_Host *shost = adapter->scsi_host;
+	struct scsi_device *sdev;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	port_status = atomic_read(&port->status);
+	if ((port_status & ZFCP_STATUS_COMMON_UNBLOCKED)    == 0 ||
+	    (port_status & (ZFCP_STATUS_COMMON_ERP_INUSE |
+			    ZFCP_STATUS_COMMON_ERP_FAILED)) != 0) {
+		/* new ERP of severity >= port triggered elsewhere meanwhile or
+		 * local link down (adapter erp_failed but not clear unblock)
+		 */
+		zfcp_dbf_rec_run_lvl(4, "ertru_p", &port->erp_action);
+		write_unlock_irqrestore(&adapter->erp_lock, flags);
+		return;
+	}
+	spin_lock(shost->host_lock);
+	__shost_for_each_device(sdev, shost) {
+		struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+		int lun_status;
+
+		if (zsdev->port != port)
+			continue;
+		/* LUN under port of interest */
+		lun_status = atomic_read(&zsdev->status);
+		if ((lun_status & ZFCP_STATUS_COMMON_ERP_FAILED) != 0)
+			continue; /* unblock rport despite failed LUNs */
+		/* LUN recovery not given up yet [maybe follow-up pending] */
+		if ((lun_status & ZFCP_STATUS_COMMON_UNBLOCKED) == 0 ||
+		    (lun_status & ZFCP_STATUS_COMMON_ERP_INUSE) != 0) {
+			/* LUN blocked:
+			 * not yet unblocked [LUN recovery pending]
+			 * or meanwhile blocked [new LUN recovery triggered]
+			 */
+			zfcp_dbf_rec_run_lvl(4, "ertru_l", &zsdev->erp_action);
+			spin_unlock(shost->host_lock);
+			write_unlock_irqrestore(&adapter->erp_lock, flags);
+			return;
+		}
+	}
+	/* now port has no child or all children have completed recovery,
+	 * and no ERP of severity >= port was meanwhile triggered elsewhere
+	 */
+	zfcp_scsi_schedule_rport_register(port);
+	spin_unlock(shost->host_lock);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 {
 	struct zfcp_adapter *adapter = act->adapter;
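Review bot: zfcp_erp_try_rport_unblock() takes shost->host_lock with a plain spin_lock() while holding adapter->erp_lock with interrupts disabled, which establishes a lock order of erp_lock then host_lock that the kernel-doc does not mention. Please state that ordering in the function comment so other paths that take both locks can be checked against it. The three separate unlock sequences could also be folded into a single exit label so the early returns cannot drift apart.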
@@ -1221,6 +1277,7 @@ static void zfcp_erp_action_cleanup(stru
 	case ZFCP_ERP_ACTION_REOPEN_LUN:
 		if (!(act->status & ZFCP_STATUS_ERP_NO_REF))
 			scsi_device_put(sdev);
+		zfcp_erp_try_rport_unblock(port);
 		break;
 
 	case ZFCP_ERP_ACTION_REOPEN_PORT:
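Review bot: in the ZFCP_ERP_ACTION_REOPEN_LUN case the new zfcp_erp_try_rport_unblock(port) call runs regardless of result, whereas the REOPEN_PORT case in the next hunk only calls it when result == ZFCP_ERP_SUCCEEDED. If the asymmetry is intended because the helper itself skips LUNs with ERP_FAILED set, a one-line comment at this call site would save readers from having to work that out.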
@@ -1231,7 +1288,7 @@ static void zfcp_erp_action_cleanup(stru
 		 */
 		if (act->step != ZFCP_ERP_STEP_UNINITIALIZED)
 			if (result == ZFCP_ERP_SUCCEEDED)
-				zfcp_scsi_schedule_rport_register(port);
+				zfcp_erp_try_rport_unblock(port);
 		/* fall through */
 	case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
 		put_device(&port->dev);
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -3,7 +3,7 @@
  *
  * External function declarations.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #ifndef ZFCP_EXT_H
@@ -35,6 +35,8 @@ extern void zfcp_dbf_adapter_unregister(
 extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *,
 			      struct zfcp_port *, struct scsi_device *, u8, u8);
 extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *);
+extern void zfcp_dbf_rec_run_lvl(int level, char *tag,
+				 struct zfcp_erp_action *erp);
 extern void zfcp_dbf_rec_run_wka(char *, struct zfcp_fc_wka_port *, u64);
 extern void zfcp_dbf_hba_fsf_uss(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_hba_fsf_res(char *, int, struct zfcp_fsf_req *);
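Review bot: the new zfcp_dbf_rec_run_lvl() declaration names its parameters (level, tag, erp) while the neighbouring externs in this block give types only. Either style works, but matching the surrounding declarations keeps the header consistent.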
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -109,9 +109,7 @@ int zfcp_scsi_queuecommand(struct Scsi_H
 	}
 
 	if (unlikely(!(status & ZFCP_STATUS_COMMON_UNBLOCKED))) {
-		/* This could be either
-		 * open LUN pending: this is temporary, will result in
-		 *	open LUN or ERP_FAILED, so retry command
+		/* This could be
 		 * call to rport_delete pending: mimic retry from
 		 * 	fc_remote_port_chkready until rport is BLOCKED
 		 */
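Review bot: with the open-LUN case removed, the comment in zfcp_scsi_queuecommand() now reads "This could be" followed by a single case, and the continuation line still carries a space before the tab. Rewording it as a direct statement about the pending rport_delete call, and fixing the whitespace while touching the comment, would read better.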

* [PATCH 3.16 129/370] net: stmmac: Fix error path after register_netdev move
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 097/370] sparc: leon: Fix a retry loop in leon_init_timers() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 089/370] cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts Ben Hutchings
                   ` (251 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kweh, Hock Leong, David S. Miller, Florian Fainelli

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit b2eb09af7370fedc6b9d9f05762f01625438467a upstream.

Commit 5701659004d6 ("net: stmmac: Fix race between stmmac_drv_probe and
stmmac_open") re-ordered how the MDIO bus registration and the network
device are registered, but missed to unwind the MDIO bus registration in
case we fail to register the network device.

Fixes: 5701659004d6 ("net: stmmac: Fix race between stmmac_drv_probe and stmmac_open")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - stmmac_dvr_probe() returns a pointer
 - 'pcs' is a member of struct stmmac_priv, not struct mac_device_info]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2794,12 +2794,19 @@ struct stmmac_priv *stmmac_dvr_probe(str
 	}
 
 	ret = register_netdev(ndev);
-	if (ret)
+	if (ret) {
 		netdev_err(priv->dev, "%s: ERROR %i registering the device\n",
 			   __func__, ret);
+		goto error_netdev_register;
+	}
 
-	return ret ? ERR_PTR(ret) : priv;
+	return priv;
 
+error_netdev_register:
+	if (priv->pcs != STMMAC_PCS_RGMII &&
+	    priv->pcs != STMMAC_PCS_TBI &&
+	    priv->pcs != STMMAC_PCS_RTBI)
+		stmmac_mdio_unregister(ndev);
 error_mdio_register:
 	netif_napi_del(&priv->napi);
 error_hw_init:
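Review bot: the priv->pcs test guarding stmmac_mdio_unregister() under error_netdev_register has to mirror exactly the condition under which the MDIO bus was registered earlier in stmmac_dvr_probe(), which is outside this hunk. Please confirm the two match, and consider a small helper for the three-way STMMAC_PCS_RGMII / STMMAC_PCS_TBI / STMMAC_PCS_RTBI check so that register and unregister cannot diverge in a later backport.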

* [PATCH 3.16 127/370] net: korina: Fix NAPI versus resources freeing
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 099/370] hwmon: (g762) Fix overflows and crash seen when writing limit attributes Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 052/370] [media] staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs() Ben Hutchings
                   ` (286 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Alexandros C. Couloumbis, Florian Fainelli

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6 upstream.

Commit beb0babfb77e ("korina: disable napi on close and restart")
introduced calls to napi_disable() that were missing before,
unfortunately this leaves a small window during which NAPI has a chance
to run, yet we just freed resources since korina_free_ring() has been
called:

Fix this by disabling NAPI first then freeing resource, and make sure
that we also cancel the restart task before doing the resource freeing.

Fixes: beb0babfb77e ("korina: disable napi on close and restart")
Reported-by: Alexandros C. Couloumbis <alex@ozo.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/korina.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/korina.c
+++ b/drivers/net/ethernet/korina.c
@@ -900,10 +900,10 @@ static void korina_restart_task(struct w
 				DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR,
 				&lp->rx_dma_regs->dmasm);
 
-	korina_free_ring(dev);
-
 	napi_disable(&lp->napi);
 
+	korina_free_ring(dev);
+
 	if (korina_init(dev) < 0) {
 		printk(KERN_ERR "%s: cannot restart device\n", dev->name);
 		return;
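Review bot: on the korina_init() failure branch at the end of this hunk, korina_restart_task() returns with NAPI still disabled and the ring already freed. Since korina_close() also calls napi_disable(), please confirm that a close after a failed restart cannot block on the second disable, or re-enable NAPI (or record the state) before the early return.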
@@ -1064,12 +1064,12 @@ static int korina_close(struct net_devic
 	tmp = tmp | DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR;
 	writel(tmp, &lp->rx_dma_regs->dmasm);
 
-	korina_free_ring(dev);
-
 	napi_disable(&lp->napi);
 
 	cancel_work_sync(&lp->restart_task);
 
+	korina_free_ring(dev);
+
 	free_irq(lp->rx_irq, dev);
 	free_irq(lp->tx_irq, dev);
 	free_irq(lp->ovr_irq, dev);
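Review bot: in korina_close() the ring is now freed after napi_disable() and cancel_work_sync(), but still before the free_irq() calls, so the handlers remain registered while the ring memory is gone. If the dmasm mask writes above are what makes that safe, a comment saying so would help. Otherwise moving korina_free_ring() below the free_irq() calls closes the remaining window.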

* [PATCH 3.16 092/370] fgraph: Handle a case where a tracer ignores set_graph_notrace
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 025/370] regulator: stw481x-vmmc: fix ages old enable error Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 054/370] regmap: cache: Remove unused 'blksize' variable Ben Hutchings
                   ` (313 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (Red Hat), Namhyung Kim

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 794de08a16cf1fc1bf785dc48f66d36218cf6d88 upstream.

Both the wakeup and irqsoff tracers can use the function graph tracer when
the display-graph option is set. The problem is that they ignore the notrace
file, and record the entry of functions that would be ignored by the
function_graph tracer. This causes the trace->depth to be recorded into the
ring buffer. The set_graph_notrace uses a trick by adding a large negative
number to the trace->depth when a graph function is to be ignored.

On trace output, the graph function uses the depth to record a stack of
functions. But since the depth is negative, it accesses the array with a
negative number and causes an out of bounds access that can cause a kernel
oops or corrupt data.

Have the print functions handle cases where a tracer still records functions
even when they are in set_graph_notrace.

Also add warnings if the depth is below zero before accessing the array.

Note, the function graph logic will still prevent the return of these
functions from being recorded, which means that they will be left hanging
without a return. For example:

   # echo '*spin*' > set_graph_notrace
   # echo 1 > options/display-graph
   # echo wakeup > current_tracer
   # cat trace
   [...]
      _raw_spin_lock() {
        preempt_count_add() {
        do_raw_spin_lock() {
      update_rq_clock();

Where it should look like:

      _raw_spin_lock() {
        preempt_count_add();
        do_raw_spin_lock();
      }
      update_rq_clock();

Cc: Namhyung Kim <namhyung.kim@lge.com>
Fixes: 29ad23b00474 ("ftrace: Add set_graph_notrace filter")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_functions_graph.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -841,6 +841,10 @@ print_graph_entry_leaf(struct trace_iter
 
 		cpu_data = per_cpu_ptr(data->cpu_data, cpu);
 
+		/* If a graph tracer ignored set_graph_notrace */
+		if (call->depth < -1)
+			call->depth += FTRACE_NOTRACE_DEPTH;
+
 		/*
 		 * Comments display at + 1 to depth. Since
 		 * this is a leaf function, keep the comments
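Review bot: the bound in "if (call->depth < -1)" is not explained, and it differs from the "call->depth < 0" bound used by the WARN_ON_ONCE() added further down. Please extend the comment to say why -1 is the cut-off for an entry carrying the set_graph_notrace offset, and that print_graph_entry_leaf() rewriting call->depth in the recorded entry is intended.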
@@ -849,7 +853,8 @@ print_graph_entry_leaf(struct trace_iter
 		cpu_data->depth = call->depth - 1;
 
 		/* No need to keep this function around for this depth */
-		if (call->depth < FTRACE_RETFUNC_DEPTH)
+		if (call->depth < FTRACE_RETFUNC_DEPTH &&
+		    !WARN_ON_ONCE(call->depth < 0))
 			cpu_data->enter_funcs[call->depth] = 0;
 	}
 
@@ -886,11 +891,16 @@ print_graph_entry_nested(struct trace_it
 		struct fgraph_cpu_data *cpu_data;
 		int cpu = iter->cpu;
 
+		/* If a graph tracer ignored set_graph_notrace */
+		if (call->depth < -1)
+			call->depth += FTRACE_NOTRACE_DEPTH;
+
 		cpu_data = per_cpu_ptr(data->cpu_data, cpu);
 		cpu_data->depth = call->depth;
 
 		/* Save this function pointer to see if the exit matches */
-		if (call->depth < FTRACE_RETFUNC_DEPTH)
+		if (call->depth < FTRACE_RETFUNC_DEPTH &&
+		    !WARN_ON_ONCE(call->depth < 0))
 			cpu_data->enter_funcs[call->depth] = call->func;
 	}
 
@@ -1143,7 +1153,8 @@ print_graph_return(struct ftrace_graph_r
 		 */
 		cpu_data->depth = trace->depth - 1;
 
-		if (trace->depth < FTRACE_RETFUNC_DEPTH) {
+		if (trace->depth < FTRACE_RETFUNC_DEPTH &&
+		    !WARN_ON_ONCE(trace->depth < 0)) {
 			if (cpu_data->enter_funcs[trace->depth] != trace->func)
 				func_match = 0;
 			cpu_data->enter_funcs[trace->depth] = 0;
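Review bot: in print_graph_return() the new WARN_ON_ONCE(trace->depth < 0) only guards the enter_funcs[] accesses, while "cpu_data->depth = trace->depth - 1;" just above still runs with a negative depth. Unlike the two entry functions there is also no FTRACE_NOTRACE_DEPTH adjustment here. If returns with a negative depth really cannot reach this point, say so in a comment. Otherwise do the check before cpu_data->depth is updated.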

* [PATCH 3.16 098/370] s390/vmlogrdr: fix IUCV buffer allocation
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 132/370] net/mlx4: Remove BUG_ON from ICM allocation routine Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 088/370] USB: serial: option: add dlink dwm-158 Ben Hutchings
                   ` (223 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin Schwidefsky, Gerald Schaefer

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gerald Schaefer <gerald.schaefer@de.ibm.com>

commit 5457e03de918f7a3e294eb9d26a608ab8a579976 upstream.

The buffer for iucv_message_receive() needs to be below 2 GB. In
__iucv_message_receive(), the buffer address is cast to a u32, which
would result in either memory corruption or an addressing exception when
using addresses >= 2 GB.

Fix this by using GFP_DMA for the buffer allocation.

Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/char/vmlogrdr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/s390/char/vmlogrdr.c
+++ b/drivers/s390/char/vmlogrdr.c
@@ -873,7 +873,7 @@ static int __init vmlogrdr_init(void)
 		goto cleanup;
 
 	for (i=0; i < MAXMINOR; ++i ) {
-		sys_ser[i].buffer = (char *) get_zeroed_page(GFP_KERNEL);
+		sys_ser[i].buffer = (char *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
 		if (!sys_ser[i].buffer) {
 			rc = -ENOMEM;
 			break;
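Review bot: the reason for GFP_DMA in the get_zeroed_page() call lives only in the commit message. A short comment next to the allocation in vmlogrdr_init(), saying that the buffer is handed to iucv_message_receive() and must sit below 2 GB, would keep a later cleanup from dropping the flag as apparently unnecessary.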

* [PATCH 3.16 104/370] IB/mlx4: When no DMFS for IPoIB, don't allow NET_IF QPs
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 174/370] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 061/370] USB: serial: kl5kusb105: abort on open exception path Ben Hutchings
                   ` (365 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Jurgens, Mark Bloch, Leon Romanovsky,
	Eran Ben Elisha, Doug Ledford

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eran Ben Elisha <eranbe@mellanox.com>

commit 1f22e454df2eb99ba6b7ace3f594f6805cdf5cbc upstream.

According to the firmware spec, FLOW_STEERING_IB_UC_QP_RANGE command is
supported only if dmfs_ipoib bit is set.

If it isn't set we want to ensure allocating NET_IF QPs fail. We do so
by filling out the allocation bitmap. By thus, the NET_IF QPs allocating
function won't find any free QP and will fail.

Fixes: c1c98501121e ('IB/mlx4: Add support for steerable IB UD QPs')
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/main.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -2159,14 +2159,19 @@ static void *mlx4_ib_add(struct mlx4_dev
 			goto err_steer_qp_release;
 		}
 
-		bitmap_zero(ibdev->ib_uc_qpns_bitmap, ibdev->steer_qpn_count);
-
-		err = mlx4_FLOW_STEERING_IB_UC_QP_RANGE(
-				dev, ibdev->steer_qpn_base,
-				ibdev->steer_qpn_base +
-				ibdev->steer_qpn_count - 1);
-		if (err)
-			goto err_steer_free_bitmap;
+		if (dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_DMFS_IPOIB) {
+			bitmap_zero(ibdev->ib_uc_qpns_bitmap,
+				    ibdev->steer_qpn_count);
+			err = mlx4_FLOW_STEERING_IB_UC_QP_RANGE(
+					dev, ibdev->steer_qpn_base,
+					ibdev->steer_qpn_base +
+					ibdev->steer_qpn_count - 1);
+			if (err)
+				goto err_steer_free_bitmap;
+		} else {
+			bitmap_fill(ibdev->ib_uc_qpns_bitmap,
+				    ibdev->steer_qpn_count);
+		}
 	}
 
 	if (ib_register_device(&ibdev->ib_dev, NULL))
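Review bot: the else branch calling bitmap_fill() on ib_uc_qpns_bitmap looks like a mistake to anyone who has not read the changelog, because a full bitmap normally means exhaustion. Please add a comment there stating that the bitmap is deliberately filled so that NET_IF QP allocation fails when MLX4_DEV_CAP_FLAG2_DMFS_IPOIB is not set.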

* [PATCH 3.16 106/370] Btrfs: delayed-inode: replace root args iff only fs_info used
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 090/370] hwmon: (ds620) Fix overflows seen when writing temperature limits Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 019/370] enic: set skb->hash type properly Ben Hutchings
                   ` (303 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel Dressler, David Sterba

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Dressler <danieru.dressler@gmail.com>

commit a585e94895ed8ab2930bfd5186ffd20301b5c703 upstream.

This is the second independent patch of a larger project to cleanup
btrfs's internal usage of btrfs_root. Many functions take btrfs_root
only to grab the fs_info struct.

By requiring a root these functions cause programmer overhead. That
these functions can accept any valid root is not obvious until
inspection.

This patch reduces the specificity of such functions to accept the
fs_info directly.

These patches can be applied independently and thus are not being
submitted as a patch series. There should be about 26 patches by the
project's completion. Each patch will cleanup between 1 and 34 functions
apiece.  Each patch covers a single file's functions.

This patch affects the following function(s):
  1) btrfs_wq_run_delayed_node

Signed-off-by: Daniel Dressler <danieru.dressler@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/delayed-inode.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1383,7 +1383,7 @@ out:
 
 
 static int btrfs_wq_run_delayed_node(struct btrfs_delayed_root *delayed_root,
-				     struct btrfs_root *root, int nr)
+				     struct btrfs_fs_info *fs_info, int nr)
 {
 	struct btrfs_async_delayed_work *async_work;
 
@@ -1399,7 +1399,7 @@ static int btrfs_wq_run_delayed_node(str
 			btrfs_async_run_delayed_root, NULL, NULL);
 	async_work->nr = nr;
 
-	btrfs_queue_work(root->fs_info->delayed_workers, &async_work->work);
+	btrfs_queue_work(fs_info->delayed_workers, &async_work->work);
 	return 0;
 }
 
@@ -1426,6 +1426,7 @@ static int could_end_wait(struct btrfs_d
 void btrfs_balance_delayed_items(struct btrfs_root *root)
 {
 	struct btrfs_delayed_root *delayed_root;
+	struct btrfs_fs_info *fs_info = root->fs_info;
 
 	delayed_root = btrfs_get_delayed_root(root);
 
@@ -1438,7 +1439,7 @@ void btrfs_balance_delayed_items(struct
 
 		seq = atomic_read(&delayed_root->items_seq);
 
-		ret = btrfs_wq_run_delayed_node(delayed_root, root, 0);
+		ret = btrfs_wq_run_delayed_node(delayed_root, fs_info, 0);
 		if (ret)
 			return;
 
@@ -1447,7 +1448,7 @@ void btrfs_balance_delayed_items(struct
 		return;
 	}
 
-	btrfs_wq_run_delayed_node(delayed_root, root, BTRFS_DELAYED_BATCH);
+	btrfs_wq_run_delayed_node(delayed_root, fs_info, BTRFS_DELAYED_BATCH);
 }
 
 /* Will return 0 or -ENOMEM */

* [PATCH 3.16 108/370] block_dev: don't test bdev->bd_contains when it is not stable
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 047/370] ext4: fix in-superblock mount options processing Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 003/370] crypto: arm64/sha1-ce - fix for big endian Ben Hutchings
                   ` (325 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, NeilBrown, Jens Axboe

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.com>

commit bcc7f5b4bee8e327689a4d994022765855c807ff upstream.

bdev->bd_contains is not stable before calling __blkdev_get().
When __blkdev_get() is called on a partition with ->bd_openers == 0
it sets
  bdev->bd_contains = bdev;
which is not correct for a partition.
After a call to __blkdev_get() succeeds, ->bd_openers will be > 0
and then ->bd_contains is stable.

When FMODE_EXCL is used, blkdev_get() calls
   bd_start_claiming() ->  bd_prepare_to_claim() -> bd_may_claim()

This call happens before __blkdev_get() is called, so ->bd_contains
is not stable.  So bd_may_claim() cannot safely use ->bd_contains.
It currently tries to use it, and this can lead to a BUG_ON().

This happens when a whole device is already open with a bd_holder (in
use by dm in my particular example) and two threads race to open a
partition of that device for the first time, one opening with O_EXCL and
one without.

The thread that doesn't use O_EXCL gets through blkdev_get() to
__blkdev_get(), gains the ->bd_mutex, and sets bdev->bd_contains = bdev;

Immediately thereafter the other thread, using FMODE_EXCL, calls
bd_start_claiming() from blkdev_get().  This should fail because the
whole device has a holder, but because bdev->bd_contains == bdev
bd_may_claim() incorrectly reports success.
This thread continues and blocks on bd_mutex.

The first thread then sets bdev->bd_contains correctly and drops the mutex.
The thread using FMODE_EXCL then continues and when it calls bd_may_claim()
again in:
			BUG_ON(!bd_may_claim(bdev, whole, holder));
The BUG_ON fires.

Fix this by removing the dependency on ->bd_contains in
bd_may_claim().  As bd_may_claim() has direct access to the whole
device, it can simply test if the target bdev is the whole device.

Fixes: 6b4517a7913a ("block: implement bd_claiming and claiming block")
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/block_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -698,7 +698,7 @@ static bool bd_may_claim(struct block_de
 		return true;	 /* already a holder */
 	else if (bdev->bd_holder != NULL)
 		return false; 	 /* held by someone else */
-	else if (bdev->bd_contains == bdev)
+	else if (whole == bdev)
 		return true;  	 /* is a whole device which isn't held */
 
 	else if (whole->bd_holder == bd_may_claim)
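Review bot: the replacement test "whole == bdev" in bd_may_claim() carries no hint of why bdev->bd_contains was dropped. Since the changelog's point is that ->bd_contains is not stable until __blkdev_get() has succeeded, a comment on this branch (or in the function's kernel-doc) saying that bd_may_claim() must not read ->bd_contains would stop the old test from being reintroduced.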

* [PATCH 3.16 113/370] scsi: zfcp: do not trace pure benign residual HBA responses at default level
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 183/370] usb: musb: Fix trying to free already-free IRQ 4 Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 103/370] fsnotify: Fix possible use-after-free in inode iteration on umount Ben Hutchings
                   ` (200 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steffen Maier, Martin K. Petersen, Benjamin Block

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.vnet.ibm.com>

commit 56d23ed7adf3974f10e91b643bd230e9c65b5f79 upstream.

Since quite a while, Linux issues enough SCSI commands per scsi_device
which successfully return with FCP_RESID_UNDER, FSF_FCP_RSP_AVAILABLE,
and SAM_STAT_GOOD.  This floods the HBA trace area and we cannot see
other and important HBA trace records long enough.

Therefore, do not trace HBA response errors for pure benign residual
under counts at the default trace level.

This excludes benign residual under count combined with other validity
bits set in FCP_RSP_IU, such as FCP_SNS_LEN_VAL.  For all those other
cases, we still do want to see both the HBA record and the corresponding
SCSI record by default.

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_dbf.h | 30 ++++++++++++++++++++++++++++--
 drivers/s390/scsi/zfcp_fsf.h |  3 ++-
 2 files changed, 30 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2015
+ * Copyright IBM Corp. 2008, 2016
  */
 
 #ifndef ZFCP_DBF_H
@@ -283,6 +283,30 @@ struct zfcp_dbf {
 	struct zfcp_dbf_scsi		scsi_buf;
 };
 
+/**
+ * zfcp_dbf_hba_fsf_resp_suppress - true if we should not trace by default
+ * @req: request that has been completed
+ *
+ * Returns true if FCP response with only benign residual under count.
+ */
+static inline
+bool zfcp_dbf_hba_fsf_resp_suppress(struct zfcp_fsf_req *req)
+{
+	struct fsf_qtcb *qtcb = req->qtcb;
+	u32 fsf_stat = qtcb->header.fsf_status;
+	struct fcp_resp *fcp_rsp;
+	u8 rsp_flags, fr_status;
+
+	if (qtcb->prefix.qtcb_type != FSF_IO_COMMAND)
+		return false; /* not an FCP response */
+	fcp_rsp = (struct fcp_resp *)&qtcb->bottom.io.fcp_rsp;
+	rsp_flags = fcp_rsp->fr_flags;
+	fr_status = fcp_rsp->fr_status;
+	return (fsf_stat == FSF_FCP_RSP_AVAILABLE) &&
+		(rsp_flags == FCP_RESID_UNDER) &&
+		(fr_status == SAM_STAT_GOOD);
+}
+
 static inline
 void zfcp_dbf_hba_fsf_resp(char *tag, int level, struct zfcp_fsf_req *req)
 {
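Review bot: in zfcp_dbf_hba_fsf_resp_suppress() the test "rsp_flags == FCP_RESID_UNDER" is an exact comparison where readers will expect a mask test. The changelog says this is deliberate, so that responses with additional validity bits such as FCP_SNS_LEN_VAL are still traced. Please put that in a comment on the return expression, and expand the "Returns true" kernel-doc line to name all three conditions.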
@@ -304,7 +328,9 @@ void zfcp_dbf_hba_fsf_response(struct zf
 		zfcp_dbf_hba_fsf_resp("fs_perr", 1, req);
 
 	} else if (qtcb->header.fsf_status != FSF_GOOD) {
-		zfcp_dbf_hba_fsf_resp("fs_ferr", 1, req);
+		zfcp_dbf_hba_fsf_resp("fs_ferr",
+				      zfcp_dbf_hba_fsf_resp_suppress(req)
+				      ? 5 : 1, req);
 
 	} else if ((req->fsf_command == FSF_QTCB_OPEN_PORT_WITH_DID) ||
 		   (req->fsf_command == FSF_QTCB_OPEN_LUN)) {
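
Review bot: the trace levels in `zfcp_dbf_hba_fsf_resp_suppress(req) ? 5 : 1`
are bare numbers, and spreading the ternary over three argument lines makes
the call hard to scan. A local `int level` set before the call, with a short
comment on why suppressed records go to level 5, would read better and give
the level a single place to change.
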
--- a/drivers/s390/scsi/zfcp_fsf.h
+++ b/drivers/s390/scsi/zfcp_fsf.h
@@ -3,7 +3,7 @@
  *
  * Interface to the FSF support functions.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #ifndef FSF_H
@@ -78,6 +78,7 @@
 #define FSF_APP_TAG_CHECK_FAILURE		0x00000082
 #define FSF_REF_TAG_CHECK_FAILURE		0x00000083
 #define FSF_ADAPTER_STATUS_AVAILABLE		0x000000AD
+#define FSF_FCP_RSP_AVAILABLE			0x000000AF
 #define FSF_UNKNOWN_COMMAND			0x000000E2
 #define FSF_UNKNOWN_OP_SUBTYPE                  0x000000E3
 #define FSF_INVALID_COMMAND_OPTION              0x000000E5


* [PATCH 3.16 074/370] CIFS: Fix a possible memory corruption during reconnect
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 006/370] crypto: arm64/aes-neon - fix for big endian Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 016/370] ARM: dts: imx31: fix clock control module interrupts description Ben Hutchings
                   ` (246 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 53e0e11efe9289535b060a51d4cf37c25e0d0f2b upstream.

We can not unlock/lock cifs_tcp_ses_lock while walking through ses
and tcon lists because it can corrupt list iterator pointers and
a tcon structure can be released if we don't hold an extra reference.
Fix it by moving a reconnect process to a separate delayed work
and acquiring a reference to every tcon that needs to be reconnected.
Also do not send an echo request on newly established connections.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h  |  3 +++
 fs/cifs/cifsproto.h |  3 +++
 fs/cifs/connect.c   | 34 +++++++++++++++++++-----
 fs/cifs/smb2pdu.c   | 75 ++++++++++++++++++++++++++++++++++++-----------------
 fs/cifs/smb2proto.h |  1 +
 5 files changed, 85 insertions(+), 31 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -606,6 +606,8 @@ struct TCP_Server_Info {
 #ifdef CONFIG_CIFS_SMB2
 	unsigned int	max_read;
 	unsigned int	max_write;
+	struct delayed_work reconnect; /* reconnect workqueue job */
+	struct mutex reconnect_mutex; /* prevent simultaneous reconnects */
 #endif /* CONFIG_CIFS_SMB2 */
 };
 
@@ -795,6 +797,7 @@ cap_unix(struct cifs_ses *ses)
 struct cifs_tcon {
 	struct list_head tcon_list;
 	int tc_count;
+	struct list_head rlist; /* reconnect list */
 	struct list_head openFileList;
 	spinlock_t open_file_lock; /* protects list above */
 	struct cifs_ses *ses;	/* pointer to session associated with */
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -203,6 +203,9 @@ extern void cifs_add_pending_open_locked
 					 struct tcon_link *tlink,
 					 struct cifs_pending_open *open);
 extern void cifs_del_pending_open(struct cifs_pending_open *open);
+extern void cifs_put_tcp_session(struct TCP_Server_Info *server,
+				 int from_reconnect);
+extern void cifs_put_tcon(struct cifs_tcon *tcon);
 
 #if IS_ENABLED(CONFIG_CIFS_DFS_UPCALL)
 extern void cifs_dfs_release_automount_timer(void);
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -52,6 +52,9 @@
 #include "nterr.h"
 #include "rfc1002pdu.h"
 #include "fscache.h"
+#ifdef CONFIG_CIFS_SMB2
+#include "smb2proto.h"
+#endif
 
 #define CIFS_PORT 445
 #define RFC1001_PORT 139
@@ -2060,8 +2063,8 @@ cifs_find_tcp_session(struct smb_vol *vo
 	return NULL;
 }
 
-static void
-cifs_put_tcp_session(struct TCP_Server_Info *server)
+void
+cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
 {
 	struct task_struct *task;
 
@@ -2078,6 +2081,19 @@ cifs_put_tcp_session(struct TCP_Server_I
 
 	cancel_delayed_work_sync(&server->echo);
 
+#ifdef CONFIG_CIFS_SMB2
+	if (from_reconnect)
+		/*
+		 * Avoid deadlock here: reconnect work calls
+		 * cifs_put_tcp_session() at its end. Need to be sure
+		 * that reconnect work does nothing with server pointer after
+		 * that step.
+		 */
+		cancel_delayed_work(&server->reconnect);
+	else
+		cancel_delayed_work_sync(&server->reconnect);
+#endif
+
 	spin_lock(&GlobalMid_Lock);
 	server->tcpStatus = CifsExiting;
 	spin_unlock(&GlobalMid_Lock);
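
Review bot: the `if (from_reconnect)` branch spans seven lines because of the
block comment but has no braces, so the pairing with the `else` is easy to
misread; put braces on both branches. `from_reconnect` is only used as a
truth value here, so `bool` would describe it better than `int`, and the
callers could pass true/false instead of 1/0.
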
@@ -2142,6 +2158,10 @@ cifs_get_tcp_session(struct smb_vol *vol
 	INIT_LIST_HEAD(&tcp_ses->tcp_ses_list);
 	INIT_LIST_HEAD(&tcp_ses->smb_ses_list);
 	INIT_DELAYED_WORK(&tcp_ses->echo, cifs_echo_request);
+#ifdef CONFIG_CIFS_SMB2
+	INIT_DELAYED_WORK(&tcp_ses->reconnect, smb2_reconnect_server);
+	mutex_init(&tcp_ses->reconnect_mutex);
+#endif
 	memcpy(&tcp_ses->srcaddr, &volume_info->srcaddr,
 	       sizeof(tcp_ses->srcaddr));
 	memcpy(&tcp_ses->dstaddr, &volume_info->dstaddr,
@@ -2294,7 +2314,7 @@ cifs_put_smb_ses(struct cifs_ses *ses)
 	spin_unlock(&cifs_tcp_ses_lock);
 
 	sesInfoFree(ses);
-	cifs_put_tcp_session(server);
+	cifs_put_tcp_session(server, 0);
 }
 
 #ifdef CONFIG_KEYS
@@ -2467,7 +2487,7 @@ cifs_get_smb_ses(struct TCP_Server_Info
 		mutex_unlock(&ses->session_mutex);
 
 		/* existing SMB ses has a server reference already */
-		cifs_put_tcp_session(server);
+		cifs_put_tcp_session(server, 0);
 		free_xid(xid);
 		return ses;
 	}
@@ -2557,7 +2577,7 @@ cifs_find_tcon(struct cifs_ses *ses, con
 	return NULL;
 }
 
-static void
+void
 cifs_put_tcon(struct cifs_tcon *tcon)
 {
 	unsigned int xid;
@@ -3606,7 +3626,7 @@ mount_fail_check:
 		else if (ses)
 			cifs_put_smb_ses(ses);
 		else
-			cifs_put_tcp_session(server);
+			cifs_put_tcp_session(server, 0);
 		bdi_destroy(&cifs_sb->bdi);
 	}
 
@@ -3910,7 +3930,7 @@ cifs_construct_tcon(struct cifs_sb_info
 	ses = cifs_get_smb_ses(master_tcon->ses->server, vol_info);
 	if (IS_ERR(ses)) {
 		tcon = (struct cifs_tcon *)ses;
-		cifs_put_tcp_session(master_tcon->ses->server);
+		cifs_put_tcp_session(master_tcon->ses->server, 0);
 		goto out;
 	}
 
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1598,6 +1598,54 @@ smb2_echo_callback(struct mid_q_entry *m
 	add_credits(server, credits_received, CIFS_ECHO_OP);
 }
 
+void smb2_reconnect_server(struct work_struct *work)
+{
+	struct TCP_Server_Info *server = container_of(work,
+					struct TCP_Server_Info, reconnect.work);
+	struct cifs_ses *ses;
+	struct cifs_tcon *tcon, *tcon2;
+	struct list_head tmp_list;
+	int tcon_exist = false;
+
+	/* Prevent simultaneous reconnects that can corrupt tcon->rlist list */
+	mutex_lock(&server->reconnect_mutex);
+
+	INIT_LIST_HEAD(&tmp_list);
+	cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
+
+	spin_lock(&cifs_tcp_ses_lock);
+	list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+		list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
+			if (tcon->need_reconnect) {
+				tcon->tc_count++;
+				list_add_tail(&tcon->rlist, &tmp_list);
+				tcon_exist = true;
+			}
+		}
+	}
+	/*
+	 * Get the reference to server struct to be sure that the last call of
+	 * cifs_put_tcon() in the loop below won't release the server pointer.
+	 */
+	if (tcon_exist)
+		server->srv_count++;
+
+	spin_unlock(&cifs_tcp_ses_lock);
+
+	list_for_each_entry_safe(tcon, tcon2, &tmp_list, rlist) {
+		smb2_reconnect(SMB2_ECHO, tcon);
+		list_del_init(&tcon->rlist);
+		cifs_put_tcon(tcon);
+	}
+
+	cifs_dbg(FYI, "Reconnecting tcons finished\n");
+	mutex_unlock(&server->reconnect_mutex);
+
+	/* now we can safely release srv struct */
+	if (tcon_exist)
+		cifs_put_tcp_session(server, 1);
+}
+
 int
 SMB2_echo(struct TCP_Server_Info *server)
 {
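
Review bot: in smb2_reconnect_server() the result of
`smb2_reconnect(SMB2_ECHO, tcon)` is discarded inside the
list_for_each_entry_safe() loop, whereas the code this replaces in
SMB2_echo() at least stored it in rc. A failed reconnect is now silent; a
cifs_dbg(FYI, ...) carrying the error would make it visible. Also,
`int tcon_exist = false;` mixes an int with bool literals; declare it bool.
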
@@ -1610,32 +1658,11 @@ SMB2_echo(struct TCP_Server_Info *server
 	cifs_dbg(FYI, "In echo request\n");
 
 	if (server->tcpStatus == CifsNeedNegotiate) {
-		struct list_head *tmp, *tmp2;
-		struct cifs_ses *ses;
-		struct cifs_tcon *tcon;
-
-		cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
-		spin_lock(&cifs_tcp_ses_lock);
-		list_for_each(tmp, &server->smb_ses_list) {
-			ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
-			list_for_each(tmp2, &ses->tcon_list) {
-				tcon = list_entry(tmp2, struct cifs_tcon,
-						  tcon_list);
-				/* add check for persistent handle reconnect */
-				if (tcon && tcon->need_reconnect) {
-					spin_unlock(&cifs_tcp_ses_lock);
-					rc = smb2_reconnect(SMB2_ECHO, tcon);
-					spin_lock(&cifs_tcp_ses_lock);
-				}
-			}
-		}
-		spin_unlock(&cifs_tcp_ses_lock);
+		/* No need to send echo on newly established connections */
+		queue_delayed_work(cifsiod_wq, &server->reconnect, 0);
+		return rc;
 	}
 
-	/* if no session, renegotiate failed above */
-	if (server->tcpStatus == CifsNeedNegotiate)
-		return -EIO;
-
 	rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
 	if (rc)
 		return rc;
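
Review bot: the new early `return rc;` in the CifsNeedNegotiate branch
returns whatever rc was initialised to outside this hunk, while the removed
lines returned -EIO when the server still needed negotiation after the
reconnect attempts. If reporting success after queueing the reconnect work
is intended, `return 0;` would say so directly; the change in what the
caller sees also deserves a mention in the commit message.
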
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -89,6 +89,7 @@ extern int smb2_open_file(const unsigned
 extern int smb2_unlock_range(struct cifsFileInfo *cfile,
 			     struct file_lock *flock, const unsigned int xid);
 extern int smb2_push_mandatory_locks(struct cifsFileInfo *cfile);
+extern void smb2_reconnect_server(struct work_struct *work);
 
 /*
  * SMB2 Worker functions - most of protocol specific implementation details


* [PATCH 3.16 089/370] cfg80211/mac80211: fix BSS leaks when abandoning assoc attempts
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 129/370] net: stmmac: Fix error path after register_netdev move Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 148/370] btrfs: fix locking when we put back a delayed ref that's too new Ben Hutchings
                   ` (250 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit e6f462df9acd2a3295e5d34eb29e2823220cf129 upstream.

When mac80211 abandons an association attempt, it may free
all the data structures, but inform cfg80211 and userspace
about it only by sending the deauth frame it received, in
which case cfg80211 has no link to the BSS struct that was
used and will not cfg80211_unhold_bss() it.

Fix this by providing a way to inform cfg80211 of this with
the BSS entry passed, so that it can clean up properly, and
use this ability in the appropriate places in mac80211.

This isn't ideal: some code is more or less duplicated and
tracing is missing. However, it's a fairly small change and
it's thus easier to backport - cleanups can come later.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16:
 - Drop changes to ieee80211_rx_mgmt_deauth(), ieee80211_mgd_deauth()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -3942,6 +3942,17 @@ void cfg80211_rx_assoc_resp(struct net_d
 void cfg80211_assoc_timeout(struct net_device *dev, struct cfg80211_bss *bss);
 
 /**
+ * cfg80211_abandon_assoc - notify cfg80211 of abandoned association attempt
+ * @dev: network device
+ * @bss: The BSS entry with which association was abandoned.
+ *
+ * Call this whenever - for reasons reported through other API, like deauth RX,
+ * an association attempt was abandoned.
+ * This function may sleep. The caller must hold the corresponding wdev's mutex.
+ */
+void cfg80211_abandon_assoc(struct net_device *dev, struct cfg80211_bss *bss);
+
+/**
  * cfg80211_tx_mlme_mgmt - notification of transmitted deauth/disassoc frame
  * @dev: network device
  * @buf: 802.11 frame (header + body)
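
Review bot: the kernel-doc for cfg80211_abandon_assoc() does not say that the
call consumes @bss. The implementation added in net/wireless/mlme.c calls
cfg80211_unhold_bss() and cfg80211_put_bss() on it, so the caller must not
use or release the entry afterwards; please state that in the @bss
description. The sentence "Call this whenever - for reasons reported through
other API, like deauth RX, an association attempt was abandoned." also needs
its punctuation fixed, since a dash opens the aside and a comma closes it.
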
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2458,7 +2458,7 @@ static void ieee80211_get_rates(struct i
 }
 
 static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
-					 bool assoc)
+					 bool assoc, bool abandon)
 {
 	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
 
@@ -2473,6 +2473,9 @@ static void ieee80211_destroy_assoc_data
 		mutex_lock(&sdata->local->mtx);
 		ieee80211_vif_release_channel(sdata);
 		mutex_unlock(&sdata->local->mtx);
+
+		if (abandon)
+			cfg80211_abandon_assoc(sdata->dev, assoc_data->bss);
 	}
 
 	kfree(assoc_data);
@@ -2779,11 +2782,11 @@ static void ieee80211_rx_mgmt_assoc_resp
 	if (status_code != WLAN_STATUS_SUCCESS) {
 		sdata_info(sdata, "%pM denied association (code=%d)\n",
 			   mgmt->sa, status_code);
-		ieee80211_destroy_assoc_data(sdata, false);
+		ieee80211_destroy_assoc_data(sdata, false, false);
 	} else {
 		if (!ieee80211_assoc_success(sdata, bss, mgmt, len)) {
 			/* oops -- internal error -- send timeout for now */
-			ieee80211_destroy_assoc_data(sdata, false);
+			ieee80211_destroy_assoc_data(sdata, false, false);
 			cfg80211_assoc_timeout(sdata->dev, bss);
 			return;
 		}
@@ -2794,7 +2797,7 @@ static void ieee80211_rx_mgmt_assoc_resp
 		 * recalc after assoc_data is NULL but before associated
 		 * is set can cause the interface to go idle
 		 */
-		ieee80211_destroy_assoc_data(sdata, true);
+		ieee80211_destroy_assoc_data(sdata, true, false);
 	}
 
 	cfg80211_rx_assoc_resp(sdata->dev, bss, (u8 *)mgmt, len);
@@ -3491,7 +3494,7 @@ void ieee80211_sta_work(struct ieee80211
 		    ieee80211_do_assoc(sdata)) {
 			struct cfg80211_bss *bss = ifmgd->assoc_data->bss;
 
-			ieee80211_destroy_assoc_data(sdata, false);
+			ieee80211_destroy_assoc_data(sdata, false, false);
 			cfg80211_assoc_timeout(sdata->dev, bss);
 		}
 	} else if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started)
@@ -3640,7 +3643,7 @@ void ieee80211_mgd_quiesce(struct ieee80
 					       WLAN_REASON_DEAUTH_LEAVING,
 					       false, frame_buf);
 		if (ifmgd->assoc_data)
-			ieee80211_destroy_assoc_data(sdata, false);
+			ieee80211_destroy_assoc_data(sdata, false, true);
 		if (ifmgd->auth_data)
 			ieee80211_destroy_auth_data(sdata, false);
 		cfg80211_tx_mlme_mgmt(sdata->dev, frame_buf,
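
Review bot: `ieee80211_destroy_assoc_data(sdata, false, true)` in
ieee80211_mgd_quiesce() is the only call in this patch that passes
abandon=true, and two adjacent bool literals give the reader no hint which
argument is which. A short comment at this call, or a small named wrapper
for the abandon case, would make the one special caller stand out from the
five that pass `false, false` or `true, false`.
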
@@ -4553,7 +4556,7 @@ void ieee80211_mgd_stop(struct ieee80211
 	sdata_lock(sdata);
 	if (ifmgd->assoc_data) {
 		struct cfg80211_bss *bss = ifmgd->assoc_data->bss;
-		ieee80211_destroy_assoc_data(sdata, false);
+		ieee80211_destroy_assoc_data(sdata, false, false);
 		cfg80211_assoc_timeout(sdata->dev, bss);
 	}
 	if (ifmgd->auth_data)
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -369,6 +369,7 @@ void cfg80211_sme_disassoc(struct wirele
 void cfg80211_sme_deauth(struct wireless_dev *wdev);
 void cfg80211_sme_auth_timeout(struct wireless_dev *wdev);
 void cfg80211_sme_assoc_timeout(struct wireless_dev *wdev);
+void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev);
 
 /* internal helpers */
 bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -148,6 +148,18 @@ void cfg80211_assoc_timeout(struct net_d
 }
 EXPORT_SYMBOL(cfg80211_assoc_timeout);
 
+void cfg80211_abandon_assoc(struct net_device *dev, struct cfg80211_bss *bss)
+{
+	struct wireless_dev *wdev = dev->ieee80211_ptr;
+	struct wiphy *wiphy = wdev->wiphy;
+
+	cfg80211_sme_abandon_assoc(wdev);
+
+	cfg80211_unhold_bss(bss_from_pub(bss));
+	cfg80211_put_bss(wiphy, bss);
+}
+EXPORT_SYMBOL(cfg80211_abandon_assoc);
+
 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len)
 {
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
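
Review bot: cfg80211_abandon_assoc() is documented in cfg80211.h as requiring
the caller to hold the wdev's mutex, but the function body does not check
it. Adding ASSERT_WDEV_LOCK(wdev) before the call to
cfg80211_sme_abandon_assoc() would let lockdep catch a caller that gets
this wrong.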
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -39,6 +39,7 @@ struct cfg80211_conn {
 		CFG80211_CONN_ASSOCIATING,
 		CFG80211_CONN_ASSOC_FAILED,
 		CFG80211_CONN_DEAUTH,
+		CFG80211_CONN_ABANDON,
 		CFG80211_CONN_CONNECTED,
 	} state;
 	u8 bssid[ETH_ALEN], prev_bssid[ETH_ALEN];
@@ -195,6 +196,8 @@ static int cfg80211_conn_do_work(struct
 		cfg80211_mlme_deauth(rdev, wdev->netdev, params->bssid,
 				     NULL, 0,
 				     WLAN_REASON_DEAUTH_LEAVING, false);
+		/* fall through */
+	case CFG80211_CONN_ABANDON:
 		/* free directly, disconnected event already sent */
 		cfg80211_sme_free(wdev);
 		return 0;
@@ -418,6 +421,17 @@ void cfg80211_sme_assoc_timeout(struct w
 	schedule_work(&rdev->conn_work);
 }
 
+void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev)
+{
+	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+
+	if (!wdev->conn)
+		return;
+
+	wdev->conn->state = CFG80211_CONN_ABANDON;
+	schedule_work(&rdev->conn_work);
+}
+
 static int cfg80211_sme_connect(struct wireless_dev *wdev,
 				struct cfg80211_connect_params *connect,
 				const u8 *prev_bssid)


* [PATCH 3.16 073/370] CIFS: Fix a possible memory corruption in push locks
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 095/370] ext4: return -ENOMEM instead of success Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 135/370] usb: dwc3: ep0: add dwc3_ep0_prepare_one_trb() Ben Hutchings
                   ` (322 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit e3d240e9d505fc67f8f8735836df97a794bbd946 upstream.

If maxBuf is not 0 but less than the size of the SMB2 lock structure,
we can end up with memory corruption.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -241,7 +241,7 @@ smb2_push_mandatory_locks(struct cifsFil
 	 * and check it for zero before using.
 	 */
 	max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf;
-	if (!max_buf) {
+	if (max_buf < sizeof(struct smb2_lock_element)) {
 		free_xid(xid);
 		return -EINVAL;
 	}
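
Review bot: the comment directly above this check still says "check it for
zero before using", but the condition is now
`max_buf < sizeof(struct smb2_lock_element)`. Update the comment to describe
the minimum-size check so that it matches the code.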


* [PATCH 3.16 117/370] i2c: mux: pca954x: fix i2c mux selection caching
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 184/370] usb: hub: Move hub_port_disable() to fix warning if PM is disabled Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 040/370] IB/mlx4: Set traffic class in AH Ben Hutchings
                   ` (264 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Russell King, Wolfram Sang, Peter Rosin

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 7f638c1cb0a1112dbe0b682a42db30521646686b upstream.

smbus functions return -ve on error, 0 on success.  However,
__i2c_transfer() has a different return signature - -ve on error, or
number of buffers transferred (which may be zero or greater.)

The upshot of this is that the sense of the test is reversed when using
the mux on a bus supporting the master_xfer method: we cache the value
and never retry if we fail to transfer any buffers, but if we succeed,
we clear the cached value.

Fix this by making pca954x_reg_write() return a negative error code for
all failure cases.

Fixes: 463e8f845cbf ("i2c: mux: pca954x: retry updating the mux selection on failure")
Acked-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/muxes/i2c-mux-pca954x.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
+++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
@@ -133,6 +133,9 @@ static int pca954x_reg_write(struct i2c_
 		buf[0] = val;
 		msg.buf = buf;
 		ret = adap->algo->master_xfer(adap, &msg, 1);
+
+		if (ret >= 0 && ret != 1)
+			ret = -EREMOTEIO;
 	} else {
 		union i2c_smbus_data data;
 		ret = adap->algo->smbus_xfer(adap, client->addr,
@@ -161,7 +164,7 @@ static int pca954x_select_chan(struct i2
 	/* Only select the channel if its different from the last channel */
 	if (data->last_chan != regval) {
 		ret = pca954x_reg_write(adap, client, regval);
-		data->last_chan = ret ? 0 : regval;
+		data->last_chan = ret < 0 ? 0 : regval;
 	}
 
 	return ret;
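
Review bot: `return ret;` at the end of pca954x_select_chan() now passes
through the positive 1 that pca954x_reg_write() leaves in ret after a
successful master_xfer(), while the commit message says the smbus path
reports success as 0. Both count as success under the new `ret < 0` test,
but the function ends up with two different success values. Normalising to
0 in pca954x_reg_write(), or documenting "negative on error, >= 0 on
success", would avoid surprising a caller that tests `if (ret)`.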


* [PATCH 3.16 121/370] fs: exec: apply CLOEXEC before changing dumpable task flags
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 072/370] CIFS: Fix missing nls unload in smb2_reconnect() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 096/370] kconfig/nconf: Fix hang when editing symbol with a long prompt Ben Hutchings
                   ` (333 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aleksa Sarai, Al Viro, dev, Michael Crosby

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksa Sarai <asarai@suse.de>

commit 613cc2b6f272c1a8ad33aefa21cad77af23139f7 upstream.

If you have a process that has set itself to be non-dumpable, and it
then undergoes exec(2), any CLOEXEC file descriptors it has open are
"exposed" during a race window between the dumpable flags of the process
being reset for exec(2) and CLOEXEC being applied to the file
descriptors. This can be exploited by a process by attempting to access
/proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE.

The race in question is after set_dumpable has been (for get_link,
though the trace is basically the same for readlink):

[vfs]
-> proc_pid_link_inode_operations.get_link
   -> proc_pid_get_link
      -> proc_fd_access_allowed
         -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

Which will return 0 during the race window, and CLOEXEC file descriptors
will still be open during this window because do_close_on_exec has not
been called yet. As a result, the ordering of these calls should be
reversed to avoid this race window.

This is of particular concern to container runtimes, where joining a
PID namespace with file descriptors referring to the host filesystem
can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
against access of CLOEXEC file descriptors -- file descriptors which may
reference filesystem objects the container shouldn't have access to).

Cc: dev@opencontainers.org
Reported-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/exec.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -19,7 +19,7 @@
  * current->executable is only used by the procfs.  This allows a dispatch
  * table to check for several different types  of binary formats.  We keep
  * trying until we recognize the file or we run out of supported binary
- * formats. 
+ * formats.
  */
 
 #include <linux/slab.h>
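
Review bot: the trailing-whitespace cleanup on the `formats.` comment line is
unrelated to the CLOEXEC ordering fix and should be dropped from this patch.
Keeping a security fix down to the reordering alone makes it easier to audit
and avoids needless context conflicts in later backports.
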
@@ -1087,6 +1087,13 @@ int flush_old_exec(struct linux_binprm *
 	flush_thread();
 	current->personality &= ~bprm->per_clear;
 
+	/*
+	 * We have to apply CLOEXEC before we change whether the process is
+	 * dumpable (in setup_new_exec) to avoid a race with a process in userspace
+	 * trying to access the should-be-closed file descriptors of a process
+	 * undergoing exec(2).
+	 */
+	do_close_on_exec(current->files);
 	return 0;
 
 out:
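
Review bot: the ordering requirement is documented only at the new call site
in flush_old_exec(). The place in setup_new_exec() where do_close_on_exec()
used to be called gets no comment, so a later cleanup could move the call
back without noticing the race; a one-line pointer there would help. The
second line of the new comment also runs past 80 columns once the leading
tab is counted.
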
@@ -1136,7 +1143,6 @@ void setup_new_exec(struct linux_binprm
 	   group */
 	current->self_exec_id++;
 	flush_signal_handlers(current, 0);
-	do_close_on_exec(current->files);
 }
 EXPORT_SYMBOL(setup_new_exec);
 


* [PATCH 3.16 124/370] [media] s5k4ecgx: select CRC32 helper
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 013/370] usb: add helper to extract bits 12:11 of wMaxPacketSize Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 017/370] ARM: dts: imx31: move CCM device node to AIPS2 bus devices Ben Hutchings
                   ` (362 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Mauro Carvalho Chehab

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit c739c0a7c3c2472d7562b8f802cdce44d2597c8b upstream.

A rare randconfig build failure shows up in this driver when
the CRC32 helper is not there:

drivers/media/built-in.o: In function `s5k4ecgx_s_power':
s5k4ecgx.c:(.text+0x9eb4): undefined reference to `crc32_le'

This adds the 'select' that all other users of this function have.

Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor")

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/Kconfig | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/i2c/Kconfig
+++ b/drivers/media/i2c/Kconfig
@@ -590,6 +590,7 @@ config VIDEO_S5K6A3
 config VIDEO_S5K4ECGX
         tristate "Samsung S5K4ECGX sensor support"
         depends on I2C && VIDEO_V4L2 && VIDEO_V4L2_SUBDEV_API
+	select CRC32
         ---help---
           This is a V4L2 sensor-level driver for Samsung S5K4ECGX 5M
           camera sensor with an embedded SoC image signal processor.
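
Review bot: the added `select CRC32` line is indented with a tab while every
neighbouring line of the VIDEO_S5K4ECGX entry uses eight spaces. A tab is
the usual Kconfig indentation, so the new line is fine by itself, but the
mix within one entry is worth a follow-up whitespace cleanup of the
surrounding lines.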


* [PATCH 3.16 118/370] drivers/gpu/drm/ast: Fix infinite loop if read fails
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 185/370] usb: storage: unusual_uas: Add JMicron JMS56x to unusual device Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 090/370] hwmon: (ds620) Fix overflows seen when writing temperature limits Ben Hutchings
                   ` (305 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joel Stanley, Russell Currey, Daniel Vetter

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell Currey <ruscur@russell.cc>

commit 298360af3dab45659810fdc51aba0c9f4097e4f6 upstream.

ast_get_dram_info() configures a window in order to access BMC memory.
A BMC register can be configured to disallow this, and if so, causes
an infinite loop in the ast driver which renders the system unusable.

Fix this by erroring out if an error is detected.  On powerpc systems with
EEH, this leads to the device being fenced and the system continuing to
operate.

Signed-off-by: Russell Currey <ruscur@russell.cc>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161215051241.20815-1-ruscur@russell.cc
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/ast/ast_main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/ast/ast_main.c
+++ b/drivers/gpu/drm/ast/ast_main.c
@@ -178,7 +178,8 @@ static int ast_get_dram_info(struct drm_
 	ast_write32(ast, 0x10000, 0xfc600309);
 
 	do {
-		;
+		if (pci_channel_offline(dev->pdev))
+			return -EIO;
 	} while (ast_read32(ast, 0x10000) != 0x01);
 	data = ast_read32(ast, 0x10004);
 
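
Review bot: the `do { ... } while (ast_read32(ast, 0x10000) != 0x01);` loop
in ast_get_dram_info() still has no iteration bound. It now exits only when
pci_channel_offline() reports the device as offline, which the commit
message ties to powerpc EEH; where nothing marks the channel offline, a read
that never returns 0x01 spins forever as before. A retry limit or timeout
that also returns -EIO would cover that case.
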
@@ -369,7 +370,9 @@ int ast_driver_load(struct drm_device *d
 	ast_detect_chip(dev);
 
 	if (ast->chip != AST1180) {
-		ast_get_dram_info(dev);
+		ret = ast_get_dram_info(dev);
+		if (ret)
+			goto out_free;
 		ast->vram_size = ast_get_vram_info(dev);
 		DRM_INFO("dram %d %d %d %08x\n", ast->mclk, ast->dram_type, ast->dram_bus_width, ast->vram_size);
 	}


* [PATCH 3.16 086/370] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 087/370] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041 Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 187/370] selftests: do not require bash to run netsocktests testcase Ben Hutchings
                   ` (204 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Con Kolivas, Con Kolivas

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Con Kolivas <con@kolivas.org>

commit 82ffb6fc637150b279f49e174166d2aa3853eaf4 upstream.

The Logitech QuickCam Communicate Deluxe/S7500 microphone fails with the
following warning.

[    6.778995] usb 2-1.2.2.2: Warning! Unlikely big volume range (=3072),
cval->res is probably wrong.
[    6.778996] usb 2-1.2.2.2: [5] FU [Mic Capture Volume] ch = 1, val =
4608/7680/1

Adding it to the list of devices in volume_control_quirks makes it work
properly, fixing related typo.

Signed-off-by: Con Kolivas <kernel@kolivas.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -916,9 +916,10 @@ static void volume_control_quirks(struct
 	case USB_ID(0x046d, 0x0826): /* HD Webcam c525 */
 	case USB_ID(0x046d, 0x08ca): /* Logitech Quickcam Fusion */
 	case USB_ID(0x046d, 0x0991):
+	case USB_ID(0x046d, 0x09a2): /* QuickCam Communicate Deluxe/S7500 */
 	/* Most audio usb devices lie about volume resolution.
 	 * Most Logitech webcams have res = 384.
-	 * Proboly there is some logitech magic behind this number --fishor
+	 * Probably there is some logitech magic behind this number --fishor
 	 */
 		if (!strcmp(kctl->id.name, "Mic Capture Volume")) {
 			usb_audio_info(chip,


* [PATCH 3.16 035/370] ext4: fix stack memory corruption with 64k block size
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 153/370] usb: xhci: hold lock over xhci_abort_cmd_ring() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 119/370] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Ben Hutchings
                   ` (268 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chandan Rajendra, Jan Kara, Theodore Ts'o

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <chandan@linux.vnet.ibm.com>

commit 30a9d7afe70ed6bd9191d3000e2ef1a34fb58493 upstream.

The number of 'counters' elements needed in 'struct sg' is
super_block->s_blocksize_bits + 2. Presently we have 16 'counters'
elements in the array. This is insufficient for block sizes >= 32k. In
such cases the memcpy operation performed in ext4_mb_seq_groups_show()
would cause stack memory corruption.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/mballoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2252,7 +2252,7 @@ static int ext4_mb_seq_groups_show(struc
 	struct ext4_group_info *grinfo;
 	struct sg {
 		struct ext4_group_info info;
-		ext4_grpblk_t counters[16];
+		ext4_grpblk_t counters[EXT4_MAX_BLOCK_LOG_SIZE + 2];
 	} sg;
 
 	group--;
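
Review bot: `counters[EXT4_MAX_BLOCK_LOG_SIZE + 2]` removes the magic 16 but leaves the "+ 2" unexplained, and nothing in the hunk ties the array size to the length used by the memcpy the changelog mentions. Add a short comment on the member saying it must hold s_blocksize_bits + 2 entries, and consider a BUILD_BUG_ON or an explicit bounds check at the copy site so a later change to either side fails loudly instead of overwriting the stack.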

* [PATCH 3.16 122/370] powerpc: Fix build warning on 32-bit PPC
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 096/370] kconfig/nconf: Fix hang when editing symbol with a long prompt Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 081/370] clk: clk-wm831x: fix a logic error Ben Hutchings
                   ` (331 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Ellerman, Paul Mackerras, linuxppc-dev,
	Larry Finger, Linus Torvalds, Benjamin Herrenschmidt,
	Nicholas Piggin

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 8ae679c4bc2ea2d16d92620da8e3e9332fa4039f upstream.

I am getting the following warning when I build kernel 4.9-git on my
PowerBook G4 with a 32-bit PPC processor:

    AS      arch/powerpc/kernel/misc_32.o
  arch/powerpc/kernel/misc_32.S:299:7: warning: "CONFIG_FSL_BOOKE" is not defined [-Wundef]

This problem is evident after commit 989cea5c14be ("kbuild: prevent
lib-ksyms.o rebuilds"); however, this change in kbuild only exposes an
error that has been in the code since 2005 when this source file was
created.  That was with commit 9994a33865f4 ("powerpc: Introduce
entry_{32,64}.S, misc_{32,64}.S, systbl.S").

The offending line does not make a lot of sense.  This error does not
seem to cause any errors in the executable, thus I am not recommending
that it be applied to any stable versions.

Thanks to Nicholas Piggin for suggesting this solution.

Fixes: 9994a33865f4 ("powerpc: Introduce entry_{32,64}.S, misc_{32,64}.S, systbl.S")
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/misc_32.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kernel/misc_32.S
+++ b/arch/powerpc/kernel/misc_32.S
@@ -313,7 +313,7 @@ _GLOBAL(flush_instruction_cache)
 	lis	r3, KERNELBASE@h
 	iccci	0,r3
 #endif
-#elif CONFIG_FSL_BOOKE
+#elif defined(CONFIG_FSL_BOOKE)
 BEGIN_FTR_SECTION
 	mfspr   r3,SPRN_L1CSR0
 	ori     r3,r3,L1CSR0_CFI|L1CSR0_CLFC
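
Review bot: the changelog for this `#elif defined(CONFIG_FSL_BOOKE)` change says the author is not recommending it for any stable version, yet it is queued here with no backport note. Add a bracketed [bwh: ...] line giving the reason it was picked up for 3.16, as other patches in this series do for their backport adjustments.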

* [PATCH 3.16 126/370] net, sched: fix soft lockup in tc_classify
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 102/370] fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 162/370] USB: serial: kobil_sct: fix NULL-deref in write Ben Hutchings
                   ` (281 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Borkmann, Shahar Klein, Cong Wang, David S. Miller,
	Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

commit 628185cfddf1dfb701c4efe2cfd72cf5b09f5702 upstream.

Shahar reported a soft lockup in tc_classify(), where we run into an
endless loop when walking the classifier chain due to tp->next == tp
which is a state we should never run into. The issue only seems to
trigger under load in the tc control path.

What happens is that in tc_ctl_tfilter(), thread A allocates a new
tp, initializes it, sets tp_created to 1, and calls into tp->ops->change()
with it. In that classifier callback we had to unlock/lock the rtnl
mutex and returned with -EAGAIN. One reason why we need to drop there
is, for example, that we need to request an action module to be loaded.

This happens via tcf_exts_validate() -> tcf_action_init/_1() meaning
after we loaded and found the requested action, we need to redo the
whole request so we don't race against others. While we had to unlock
rtnl in that time, thread B's request was processed next on that CPU.
Thread B added a new tp instance successfully to the classifier chain.
When thread A returned grabbing the rtnl mutex again, propagating -EAGAIN
and destroying its tp instance which never got linked, we goto replay
and redo A's request.

This time when walking the classifier chain in tc_ctl_tfilter() for
checking for existing tp instances we had a priority match and found
the tp instance that was created and linked by thread B. Now calling
again into tp->ops->change() with that tp was successful and returned
without error.

tp_created was never cleared in the second round, thus kernel thinks
that we need to link it into the classifier chain (once again). tp and
*back point to the same object due to the match we had earlier on. Thus
for thread B's already public tp, we reset tp->next to tp itself and
link it into the chain, which eventually causes the mentioned endless
loop in tc_classify() once a packet hits the data path.

Fix is to clear tp_created at the beginning of each request, also when
we replay it. On the paths that can cause -EAGAIN we already destroy
the original tp instance we had and on replay we really need to start
from scratch. It seems that this issue was first introduced in commit
12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining
and avoid kernel panic when we use cls_cgroup").

Fixes: 12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel panic when we use cls_cgroup")
Reported-by: Shahar Klein <shahark@mellanox.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Tested-by: Shahar Klein <shahark@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/cls_api.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -132,13 +132,15 @@ static int tc_ctl_tfilter(struct sk_buff
 	unsigned long cl;
 	unsigned long fh;
 	int err;
-	int tp_created = 0;
+	int tp_created;
 
 	if ((n->nlmsg_type != RTM_GETTFILTER) &&
 	    !netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
 		return -EPERM;
 
 replay:
+	tp_created = 0;
+
 	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, NULL);
 	if (err < 0)
 		return err;
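
Review bot: `tp_created = 0;` directly under `replay:` is the whole fix, but nothing at the label records that per-request state has to be reset there, and `int tp_created;` is now left uninitialised at its declaration. A one-line comment at the label (state from an earlier pass must not survive a replay) would stop a later cleanup from moving the initialiser back to the declaration. It is also worth checking whether any other local can be left stale by a replayed request.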

* [PATCH 3.16 093/370] nfs_write_end(): fix handling of short copies
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 141/370] USB: gadgetfs: fix unbounded memory allocation bug Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 100/370] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change Ben Hutchings
                   ` (186 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c0cf3ef5e0f47e385920450b245d22bead93e7ad upstream.

What matters when deciding if we should make a page uptodate is
not how much we _wanted_ to copy, but how much we actually have
copied.  As it is, on architectures that do not zero tail on
short copy we can leave uninitialized data in page marked uptodate.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/file.c
+++ b/fs/nfs/file.c
@@ -403,7 +403,7 @@ static int nfs_write_end(struct file *fi
 	 */
 	if (!PageUptodate(page)) {
 		unsigned pglen = nfs_page_length(page);
-		unsigned end = offset + len;
+		unsigned end = offset + copied;
 
 		if (pglen == 0) {
 			zero_user_segments(page, 0, offset,
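
Review bot: `unsigned end = offset + copied;` changes what `end` means (bytes actually copied rather than bytes requested), but the comment block that closes just above the `if (!PageUptodate(page))` test is not touched by this hunk. Update that comment, or add one on the declaration, so the difference between `len` and `copied` is recorded where the uptodate decision is made, and confirm that no remaining use of `len` further down feeds the same decision.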

* [PATCH 3.16 096/370] kconfig/nconf: Fix hang when editing symbol with a long prompt
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 121/370] fs: exec: apply CLOEXEC before changing dumpable task flags Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 122/370] powerpc: Fix build warning on 32-bit PPC Ben Hutchings
                   ` (332 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Hutchings

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 79e51b5c2deea542b3bb8c66e0d502230b017dde upstream.

Currently it is impossible to edit the value of a config symbol with a
prompt longer than (terminal width - 2) characters.  dialog_inputbox()
calculates a negative x-offset for the input window and newwin() fails
as this is invalid.  It also doesn't check for this failure, so it
busy-loops calling wgetch(NULL) which immediately returns -1.

The additions in the offset calculations also don't match the intended
size of the window.

Limit the window size and calculate the offset similarly to
show_scroll_win().

Fixes: 692d97c380c6 ("kconfig: new configuration interface (nconfig)")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/kconfig/nconf.gui.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -364,12 +364,14 @@ int dialog_inputbox(WINDOW *main_window,
 	WINDOW *prompt_win;
 	WINDOW *form_win;
 	PANEL *panel;
-	int i, x, y;
+	int i, x, y, lines, columns, win_lines, win_cols;
 	int res = -1;
 	int cursor_position = strlen(init);
 	int cursor_form_win;
 	char *result = *resultp;
 
+	getmaxyx(stdscr, lines, columns);
+
 	if (strlen(init)+1 > *result_len) {
 		*result_len = strlen(init)+1;
 		*resultp = result = realloc(result, *result_len);
@@ -386,14 +388,19 @@ int dialog_inputbox(WINDOW *main_window,
 	if (title)
 		prompt_width = max(prompt_width, strlen(title));
 
+	win_lines = min(prompt_lines+6, lines-2);
+	win_cols = min(prompt_width+7, columns-2);
+	prompt_lines = max(win_lines-6, 0);
+	prompt_width = max(win_cols-7, 0);
+
 	/* place dialog in middle of screen */
-	y = (getmaxy(stdscr)-(prompt_lines+4))/2;
-	x = (getmaxx(stdscr)-(prompt_width+4))/2;
+	y = (lines-win_lines)/2;
+	x = (columns-win_cols)/2;
 
 	strncpy(result, init, *result_len);
 
 	/* create the windows */
-	win = newwin(prompt_lines+6, prompt_width+7, y, x);
+	win = newwin(win_lines, win_cols, y, x);
 	prompt_win = derwin(win, prompt_lines+1, prompt_width, 2, 2);
 	form_win = derwin(win, 1, prompt_width, prompt_lines+3, 2);
 	keypad(form_win, TRUE);
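
Review bot: the return value of `newwin(win_lines, win_cols, y, x)` is still not checked, although the changelog names that missing check as the cause of the busy loop. On a very small terminal `lines-2` or `columns-2` can leave win_lines or win_cols smaller than the fixed overhead; prompt_lines is clamped to 0 but the window size is not, so the derwin() call at row prompt_lines+3 can fall outside the window and fail. Return an error when win, prompt_win or form_win is NULL instead of entering the input loop.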

* [PATCH 3.16 097/370] sparc: leon: Fix a retry loop in leon_init_timers()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 188/370] HID: hid-cypress: validate length of report Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 129/370] net: stmmac: Fix error path after register_netdev move Ben Hutchings
                   ` (252 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dan Carpenter

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 601e6e3cc5bf6adb7d076fe24d10f6191a25ba9b upstream.

The original code causes a static checker warning because it has a
continue inside a do { } while (0); loop.  In that context, a continue
and a break are equivalent.  The intent was to go back to the start of
the loop so the continue was a bug.

I've added a retry label at the start and changed the continue to a goto
retry.  Then I removed the do { } while (0) loop and pulled the code in
one indent level.

Fixes: 2791c1a43900 ("SPARC/LEON: added support for selecting Timer Core and Timer within core")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sparc/kernel/leon_kernel.c | 56 ++++++++++++++++++++---------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

--- a/arch/sparc/kernel/leon_kernel.c
+++ b/arch/sparc/kernel/leon_kernel.c
@@ -339,37 +339,37 @@ void __init leon_init_timers(void)
 
 	/* Find GPTIMER Timer Registers base address otherwise bail out. */
 	nnp = rootnp;
-	do {
-		np = of_find_node_by_name(nnp, "GAISLER_GPTIMER");
-		if (!np) {
-			np = of_find_node_by_name(nnp, "01_011");
-			if (!np)
-				goto bad;
-		}
 
-		ampopts = 0;
-		pp = of_find_property(np, "ampopts", &len);
-		if (pp) {
-			ampopts = *(int *)pp->value;
-			if (ampopts == 0) {
-				/* Skip this instance, resource already
-				 * allocated by other OS */
-				nnp = np;
-				continue;
-			}
+retry:
+	np = of_find_node_by_name(nnp, "GAISLER_GPTIMER");
+	if (!np) {
+		np = of_find_node_by_name(nnp, "01_011");
+		if (!np)
+			goto bad;
+	}
+
+	ampopts = 0;
+	pp = of_find_property(np, "ampopts", &len);
+	if (pp) {
+		ampopts = *(int *)pp->value;
+		if (ampopts == 0) {
+			/* Skip this instance, resource already
+			 * allocated by other OS */
+			nnp = np;
+			goto retry;
 		}
+	}
 
-		/* Select Timer-Instance on Timer Core. Default is zero */
-		leon3_gptimer_idx = ampopts & 0x7;
+	/* Select Timer-Instance on Timer Core. Default is zero */
+	leon3_gptimer_idx = ampopts & 0x7;
 
-		pp = of_find_property(np, "reg", &len);
-		if (pp)
-			leon3_gptimer_regs = *(struct leon3_gptimer_regs_map **)
-						pp->value;
-		pp = of_find_property(np, "interrupts", &len);
-		if (pp)
-			leon3_gptimer_irq = *(unsigned int *)pp->value;
-	} while (0);
+	pp = of_find_property(np, "reg", &len);
+	if (pp)
+		leon3_gptimer_regs = *(struct leon3_gptimer_regs_map **)
+					pp->value;
+	pp = of_find_property(np, "interrupts", &len);
+	if (pp)
+		leon3_gptimer_irq = *(unsigned int *)pp->value;
 
 	if (!(leon3_gptimer_regs && leon3_irqctrl_regs && leon3_gptimer_irq))
 		goto bad;
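
Review bot: in the re-indented block, `ampopts = *(int *)pp->value;` and the "reg" and "interrupts" reads dereference pp->value without looking at the `len` that of_find_property() has just filled in. Now that `goto retry` makes the skip path actually run, please compare len with the size of the type being read before each dereference. The backward goto would also read more naturally as a for (;;) loop with continue.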

* [PATCH 3.16 065/370] bus: vexpress-config: fix device reference leak
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 044/370] ssb: Fix error routine when fallback SPROM fails Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 072/370] CIFS: Fix missing nls unload in smb2_reconnect() Ben Hutchings
                   ` (335 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sudeep Holla, Arnd Bergmann, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c090959b9dd8c87703e275079aa4b4a824ba3f8e upstream.

Make sure to drop the reference to the parent device taken by
class_find_device() after populating the bus.

Fixes: 3b9334ac835b ("mfd: vexpress: Convert custom func API to regmap")
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bus/vexpress-config.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/bus/vexpress-config.c
+++ b/drivers/bus/vexpress-config.c
@@ -171,6 +171,7 @@ static int vexpress_config_populate(stru
 {
 	struct device_node *bridge;
 	struct device *parent;
+	int ret;
 
 	bridge = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
 	if (!bridge)
@@ -181,7 +182,11 @@ static int vexpress_config_populate(stru
 	if (WARN_ON(!parent))
 		return -ENODEV;
 
-	return of_platform_populate(node, NULL, NULL, parent);
+	ret = of_platform_populate(node, NULL, NULL, parent);
+
+	put_device(parent);
+
+	return ret;
 }
 
 static int __init vexpress_config_init(void)
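
Review bot: `put_device(parent);` carries no comment saying which lookup it balances, and the class_find_device() call named in the changelog is outside the visible context. Add a short comment on the put, and please confirm that the `bridge` node returned by of_parse_phandle() in the first hunk is released on the same paths, since device-tree node references leak in the same way.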

* [PATCH 3.16 069/370] powerpc/boot: Request no dynamic linker for boot wrapper
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 052/370] [media] staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 063/370] powerpc/ps3: Fix system hang with GCC 5 builds Ben Hutchings
                   ` (284 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicholas Piggin, Anton Blanchard, Michael Ellerman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit ff45000fcb56b5b0f1a14a865d3541746d838a0a upstream.

The boot wrapper performs its own relocations and does not require
PT_INTERP segment. However currently we don't tell the linker that.

Prior to binutils 2.28 that works OK. But since binutils commit
1a9ccd70f9a7 ("Fix the linker so that it will not silently generate ELF
binaries with invalid program headers. Fix readelf to report such
invalid binaries.") binutils tries to create a program header segment
due to PT_INTERP, and the link fails because there is no space for it:

  ld: arch/powerpc/boot/zImage.pseries: Not enough room for program headers, try linking with -N
  ld: final link failed: Bad value

So tell the linker not to do that, by passing --no-dynamic-linker.

Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
[mpe: Drop dependency on ld-version.sh and massage change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/boot/wrapper | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

--- a/arch/powerpc/boot/wrapper
+++ b/arch/powerpc/boot/wrapper
@@ -144,6 +144,28 @@ case "$elfformat" in
     elf32-powerpc)	format=elf32ppc	;;
 esac
 
+ld_version()
+{
+    # Poached from scripts/ld-version.sh, but we don't want to call that because
+    # this script (wrapper) is distributed separately from the kernel source.
+    # Extract linker version number from stdin and turn into single number.
+    awk '{
+	gsub(".*\\)", "");
+	gsub(".*version ", "");
+	gsub("-.*", "");
+	split($1,a, ".");
+	print a[1]*100000000 + a[2]*1000000 + a[3]*10000;
+	exit
+    }'
+}
+
+# Do not include PT_INTERP segment when linking pie. Non-pie linking
+# just ignores this option.
+LD_VERSION=$(${CROSS}ld --version | ld_version)
+LD_NO_DL_MIN_VERSION=$(echo 2.26 | ld_version)
+if [ "$LD_VERSION" -ge "$LD_NO_DL_MIN_VERSION" ] ; then
+	nodl="--no-dynamic-linker"
+fi
 
 platformo=$object/"$platform".o
 lds=$object/zImage.lds
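
Review bot: `nodl` is assigned only inside the version test, so a value inherited from the caller's environment reaches the ld command line whenever the test is false; set `nodl=` before the `if`. If `${CROSS}ld --version` fails, LD_VERSION is empty and `[ "$LD_VERSION" -ge "$LD_NO_DL_MIN_VERSION" ]` prints an error rather than falling back cleanly, so default it to 0. The changelog talks about binutils 2.28 while the threshold here is 2.26; a comment saying why 2.26 was chosen would explain the gap.
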
@@ -395,7 +417,7 @@ if [ "$platform" != "miboot" ]; then
     if [ -n "$link_address" ] ; then
         text_start="-Ttext $link_address"
     fi
-    ${CROSS}ld -m $format -T $lds $text_start $pie -o "$ofile" \
+    ${CROSS}ld -m $format -T $lds $text_start $pie $nodl -o "$ofile" \
 	$platformo $tmp $object/wrapper.a
     rm $tmp
 fi

* [PATCH 3.16 099/370] hwmon: (g762) Fix overflows and crash seen when writing limit attributes
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 020/370] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 127/370] net: korina: Fix NAPI versus resources freeing Ben Hutchings
                   ` (287 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnaud Ebalard, Jean Delvare, Guenter Roeck

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 4fccd4a1e8944033bcd7693ea4e8fb478cd2059a upstream.

Fix overflows seen when writing into fan speed limit attributes.
Also fix crash due to division by zero, seen when certain very
large values (such as 2147483648, or 0x80000000) are written
into fan speed limit attributes.

Fixes: 594fbe713bf60 ("Add support for GMT G762/G763 PWM fan controllers")
Cc: Arnaud Ebalard <arno@natisbad.org>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/g762.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/hwmon/g762.c
+++ b/drivers/hwmon/g762.c
@@ -193,14 +193,17 @@ static inline unsigned int rpm_from_cnt(
  * Convert fan RPM value from sysfs into count value for fan controller
  * register (FAN_SET_CNT).
  */
-static inline unsigned char cnt_from_rpm(u32 rpm, u32 clk_freq, u16 p,
+static inline unsigned char cnt_from_rpm(unsigned long rpm, u32 clk_freq, u16 p,
 					 u8 clk_div, u8 gear_mult)
 {
-	if (!rpm)         /* to stop the fan, set cnt to 255 */
+	unsigned long f1 = clk_freq * 30 * gear_mult;
+	unsigned long f2 = p * clk_div;
+
+	if (!rpm)	/* to stop the fan, set cnt to 255 */
 		return 0xff;
 
-	return clamp_val(((clk_freq * 30 * gear_mult) / (rpm * p * clk_div)),
-			 0, 255);
+	rpm = clamp_val(rpm, f1 / (255 * f2), ULONG_MAX / f2);
+	return DIV_ROUND_CLOSEST(f1, rpm * f2);
 }
 
 /* helper to grab and cache data, at most one time per second */
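
Review bot: `unsigned long f1 = clk_freq * 30 * gear_mult;` is still evaluated in 32-bit arithmetic, because clk_freq is u32 and the widening to unsigned long happens only at the assignment; write `(unsigned long)clk_freq * 30 * gear_mult` if a wider product is intended on 64-bit builds. Both clamp bounds also divide by f2, so p == 0 or clk_div == 0 would still divide by zero in this function; either document that callers guarantee non-zero values or return early.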

* [PATCH 3.16 012/370] usb: gadget: composite: correctly initialize ep->maxpacket
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 064/370] Btrfs: fix tree search logic when replaying directory entry deletes Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 031/370] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Ben Hutchings
                   ` (347 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit e8f29bb719b47a234f33b0af62974d7a9521a52c upstream.

usb_endpoint_maxp() returns wMaxPacketSize in its
raw form, without taking into consideration that it
also contains other bits reserved for isochronous
endpoints.

This patch fixes one occasion where this is a
problem by making sure that we initialize
ep->maxpacket only with lower 10 bits of the value
returned by usb_endpoint_maxp(). Note that separate
patches will be necessary to audit all call sites of
usb_endpoint_maxp() and make sure that
usb_endpoint_maxp() only returns lower 10 bits of
wMaxPacketSize.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/composite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -143,7 +143,7 @@ int config_ep_by_speed(struct usb_gadget
 
 ep_found:
 	/* commit results */
-	_ep->maxpacket = usb_endpoint_maxp(chosen_desc);
+	_ep->maxpacket = usb_endpoint_maxp(chosen_desc) & 0x7ff;
 	_ep->desc = chosen_desc;
 	_ep->comp_desc = NULL;
 	_ep->maxburst = 0;
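
Review bot: the mask in `usb_endpoint_maxp(chosen_desc) & 0x7ff` keeps 11 bits (bits 10..0), while the changelog says "lower 10 bits"; one of the two should be corrected so they agree. A named constant in place of the bare 0x7ff would also make the intent clear here and at the other call sites the changelog says still need auditing.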

* [PATCH 3.16 094/370] ext4: reject inodes with negative size
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 055/370] f2fs: set ->owner for debugfs status file's file_operations Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 066/370] block: protect iterate_bdevs() against concurrent close Ben Hutchings
                   ` (226 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Darrick J. Wong, Theodore Ts'o

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit 7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58 upstream.

Don't load an inode with a negative size; this causes integer overflow
problems in the VFS.

[ Added EXT4_ERROR_INODE() to mark file system as corrupted. -TYT]

Fixes: a48380f769df (ext4: rename i_dir_acl to i_size_high)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: use EIO instead of EFSCORRUPTED]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4118,6 +4118,7 @@ struct inode *ext4_iget(struct super_blo
 	struct inode *inode;
 	journal_t *journal = EXT4_SB(sb)->s_journal;
 	long ret;
+	loff_t size;
 	int block;
 	uid_t i_uid;
 	gid_t i_gid;
@@ -4209,6 +4210,11 @@ struct inode *ext4_iget(struct super_blo
 		ei->i_file_acl |=
 			((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
 	inode->i_size = ext4_isize(raw_inode);
+	if ((size = i_size_read(inode)) < 0) {
+		EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
+		ret = -EIO;
+		goto bad_inode;
+	}
 	ei->i_disksize = inode->i_size;
 #ifdef CONFIG_QUOTA
 	ei->i_reserved_quota = 0;
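
Review bot: `if ((size = i_size_read(inode)) < 0)` hides an assignment inside the condition; assign `size` on its own line and test it afterwards, which is easier to read and avoids the style warning. A brief comment that a negative i_size can only come from on-disk corruption would also explain why EXT4_ERROR_INODE() is raised here rather than a plain error return.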

* [PATCH 3.16 095/370] ext4: return -ENOMEM instead of success
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 003/370] crypto: arm64/sha1-ce - fix for big endian Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 073/370] CIFS: Fix a possible memory corruption in push locks Ben Hutchings
                   ` (323 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Theodore Ts'o

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 578620f451f836389424833f1454eeeb2ffc9e9f upstream.

We should set the error code if kzalloc() fails.

Fixes: 67cf5b09a46f ("ext4: add the basic function for inline data support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inline.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -340,8 +340,10 @@ static int ext4_update_inline_data(handl
 
 	len -= EXT4_MIN_INLINE_DATA_SIZE;
 	value = kzalloc(len, GFP_NOFS);
-	if (!value)
+	if (!value) {
+		error = -ENOMEM;
 		goto out;
+	}
 
 	error = ext4_xattr_ibody_get(inode, i.name_index, i.name,
 				     value, len);
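
Review bot: `len -= EXT4_MIN_INLINE_DATA_SIZE;` feeds straight into `kzalloc(len, GFP_NOFS)` with no visible check that len was at least EXT4_MIN_INLINE_DATA_SIZE. With this change an allocation failure caused by a bad length is reported as -ENOMEM; please confirm the caller guarantees the lower bound, or add the check before the subtraction so that case gets its own error code.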

* [PATCH 3.16 010/370] [media] ite-cir: initialize use_demodulator before using it
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 107/370] btrfs: limit async_work allocation and worker func duration Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 111/370] IB/multicast: Check ib_find_pkey() return value Ben Hutchings
                   ` (310 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab, Nicolas Iooss

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>

commit 7ec03e60ef81c19b5d3a46dd070ee966774b860f upstream.

Function ite_set_carrier_params() uses variable use_demodulator after
having initialized it to false in some if branches, but this variable is
never set to true otherwise.

This bug has been found using clang -Wsometimes-uninitialized warning
flag.

Fixes: 620a32bba4a2 ("[media] rc: New rc-based ite-cir driver for
several ITE CIRs")

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/rc/ite-cir.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -263,6 +263,8 @@ static void ite_set_carrier_params(struc
 
 			if (allowance > ITE_RXDCR_MAX)
 				allowance = ITE_RXDCR_MAX;
+
+			use_demodulator = true;
 		}
 	}
 

* [PATCH 3.16 087/370] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 045/370] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 086/370] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks Ben Hutchings
                   ` (205 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Johan Hovold, Daniele Palmas

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <dnlplm@gmail.com>

commit 5b09eff0c379002527ad72ea5ea38f25da8a8650 upstream.

This patch adds support for PIDs 0x1040, 0x1041 of Telit LE922A.

Since the interface positions are the same as the ones used
for other Telit compositions, previously defined blacklists are used.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -271,6 +271,8 @@ static void option_instat_callback(struc
 #define TELIT_PRODUCT_CC864_SINGLE		0x1006
 #define TELIT_PRODUCT_DE910_DUAL		0x1010
 #define TELIT_PRODUCT_UE910_V2			0x1012
+#define TELIT_PRODUCT_LE922_USBCFG1		0x1040
+#define TELIT_PRODUCT_LE922_USBCFG2		0x1041
 #define TELIT_PRODUCT_LE922_USBCFG0		0x1042
 #define TELIT_PRODUCT_LE922_USBCFG3		0x1043
 #define TELIT_PRODUCT_LE922_USBCFG5		0x1045
@@ -1229,6 +1231,10 @@ static const struct usb_device_id option
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0),
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1),
+		.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG2),
+		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3),
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
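Review bot: the new TELIT_PRODUCT_LE922_USBCFG1 entry points `.driver_info` at `telit_le910_blacklist`, the only LE922 entry in this hunk that borrows an LE910 table, while USBCFG2 reuses `telit_le922_blacklist_usbcfg3`. The commit message says the interface positions match existing compositions, but a short comment on each entry naming the composition it mirrors would stop a later edit to either shared blacklist from silently changing which interfaces option binds on the 0x1040 and 0x1041 devices.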


* [PATCH 3.16 088/370] USB: serial: option: add dlink dwm-158
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (147 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 098/370] s390/vmlogrdr: fix IUCV buffer allocation Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 004/370] crypto: arm64/sha2-ce - fix for big endian Ben Hutchings
                   ` (222 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Johan Hovold, Greg Kroah-Hartman, Giuseppe Lippolis

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Giuseppe Lippolis <giu.lippolis@gmail.com>

commit d8a12b7117b42fd708f1e908498350232bdbd5ff upstream.

Adding registration for 3G modem DWM-158 in usb-serial-option

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2006,6 +2006,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) },			/* D-Link DWM-158 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),			/* D-Link DWM-221 B1 */
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
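Review bot: the added `USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff)` entry has no `.driver_info`, so option will claim every vendor-class (0xff) interface on the DWM-158, whereas the DWM-221 B1 entry just below carries `net_intf4_blacklist`. The commit message does not list the device's interfaces; it should state that none of the 0xff interfaces is a network function that another driver needs, or the entry should carry the matching blacklist.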


* [PATCH 3.16 090/370] hwmon: (ds620) Fix overflows seen when writing temperature limits
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 118/370] drivers/gpu/drm/ast: Fix infinite loop if read fails Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 106/370] Btrfs: delayed-inode: replace root args iff only fs_info used Ben Hutchings
                   ` (304 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jean Delvare, Guenter Roeck

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit e36ce99ee0815d7919a7b589bfb66f3de50b6bc7 upstream.

Module test reports:

temp1_max: Suspected overflow: [160000 vs. 0]
temp1_min: Suspected overflow: [160000 vs. 0]

This is seen because the values passed when writing temperature limits
are unbound.

Reviewed-by: Jean Delvare <jdelvare@suse.de>
Fixes: 6099469805c2 ("hwmon: Support for Dallas Semiconductor DS620")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/ds620.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwmon/ds620.c
+++ b/drivers/hwmon/ds620.c
@@ -166,7 +166,7 @@ static ssize_t set_temp(struct device *d
 	if (res)
 		return res;
 
-	val = (val * 10 / 625) * 8;
+	val = (clamp_val(val, -128000, 128000) * 10 / 625) * 8;
 
 	mutex_lock(&data->update_lock);
 	data->temp[attr->index] = val;
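Review bot: the bounds in `clamp_val(val, -128000, 128000)` are bare literals with no comment saying where they come from. Clamping before the `* 10` is the right order, since it bounds the intermediate product as well as the stored value, but the limits would be easier to audit as named constants or with a one-line comment giving the unit (millidegrees Celsius, as used by hwmon sysfs) and the range the register can represent.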


* [PATCH 3.16 082/370] hotplug: Make register and unregister notifier API symmetric
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
@ 2017-03-10 11:46   ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del() Ben Hutchings
                     ` (370 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Streetman, Michal Hocko, Thomas Gleixner, linux-mm

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit 777c6e0daebb3fcefbbd6f620410a946b07ef6d0 upstream.

Yu Zhao has noticed that __unregister_cpu_notifier only unregisters its
notifiers when HOTPLUG_CPU=y while the registration might succeed even
when HOTPLUG_CPU=n if MODULE is enabled. This means that e.g. zswap
might keep a stale notifier on the list on the manual clean up during
the pool tear down and thus corrupt the list. Resulting in the following

[  144.964346] BUG: unable to handle kernel paging request at ffff880658a2be78
[  144.971337] IP: [<ffffffffa290b00b>] raw_notifier_chain_register+0x1b/0x40
<snipped>
[  145.122628] Call Trace:
[  145.125086]  [<ffffffffa28e5cf8>] __register_cpu_notifier+0x18/0x20
[  145.131350]  [<ffffffffa2a5dd73>] zswap_pool_create+0x273/0x400
[  145.137268]  [<ffffffffa2a5e0fc>] __zswap_param_set+0x1fc/0x300
[  145.143188]  [<ffffffffa2944c1d>] ? trace_hardirqs_on+0xd/0x10
[  145.149018]  [<ffffffffa2908798>] ? kernel_param_lock+0x28/0x30
[  145.154940]  [<ffffffffa2a3e8cf>] ? __might_fault+0x4f/0xa0
[  145.160511]  [<ffffffffa2a5e237>] zswap_compressor_param_set+0x17/0x20
[  145.167035]  [<ffffffffa2908d3c>] param_attr_store+0x5c/0xb0
[  145.172694]  [<ffffffffa290848d>] module_attr_store+0x1d/0x30
[  145.178443]  [<ffffffffa2b2b41f>] sysfs_kf_write+0x4f/0x70
[  145.183925]  [<ffffffffa2b2a5b9>] kernfs_fop_write+0x149/0x180
[  145.189761]  [<ffffffffa2a99248>] __vfs_write+0x18/0x40
[  145.194982]  [<ffffffffa2a9a412>] vfs_write+0xb2/0x1a0
[  145.200122]  [<ffffffffa2a9a732>] SyS_write+0x52/0xa0
[  145.205177]  [<ffffffffa2ff4d97>] entry_SYSCALL_64_fastpath+0x12/0x17

This can be even triggered manually by changing
/sys/module/zswap/parameters/compressor multiple times.

Fix this issue by making unregister APIs symmetric to the register so
there are no surprises.

Fixes: 47e627bc8c9a ("[PATCH] hotplug: Allow modules to use the cpu hotplug notifiers even if !CONFIG_HOTPLUG_CPU")
Reported-and-tested-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Cc: linux-mm@kvack.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dan Streetman <ddstreet@ieee.org>
Link: http://lkml.kernel.org/r/20161207135438.4310-1-mhocko@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: keep definition of cpu_notify_nofail() conditional
 on CONFIG_HOTPLUG_CPU]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -122,22 +122,16 @@ enum {
 		{ .notifier_call = fn, .priority = pri };	\
 	__register_cpu_notifier(&fn##_nb);			\
 }
-#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
 
-#ifdef CONFIG_HOTPLUG_CPU
 extern int register_cpu_notifier(struct notifier_block *nb);
 extern int __register_cpu_notifier(struct notifier_block *nb);
 extern void unregister_cpu_notifier(struct notifier_block *nb);
 extern void __unregister_cpu_notifier(struct notifier_block *nb);
-#else
 
-#ifndef MODULE
-extern int register_cpu_notifier(struct notifier_block *nb);
-extern int __register_cpu_notifier(struct notifier_block *nb);
-#else
+#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+
 static inline int register_cpu_notifier(struct notifier_block *nb)
 {
 	return 0;
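Review bot: the `extern` declarations for unregister_cpu_notifier() and __unregister_cpu_notifier() now sit above the `#else` for `defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE)`, so built-in code with CONFIG_HOTPLUG_CPU=n will link against them and kernel/cpu.c has to define both in that configuration. The kernel/cpu.c part of this patch does that by moving its `#ifdef CONFIG_HOTPLUG_CPU` below __unregister_cpu_notifier(); the header and the C file now encode the same condition in two places, and a comment at either site pointing at the other would help keep them in step.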
@@ -147,7 +141,6 @@ static inline int __register_cpu_notifie
 {
 	return 0;
 }
-#endif
 
 static inline void unregister_cpu_notifier(struct notifier_block *nb)
 {
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -210,12 +210,6 @@ static int cpu_notify(unsigned long val,
 	return __cpu_notify(val, v, -1, NULL);
 }
 
-#ifdef CONFIG_HOTPLUG_CPU
-
-static void cpu_notify_nofail(unsigned long val, void *v)
-{
-	BUG_ON(cpu_notify(val, v));
-}
 EXPORT_SYMBOL(register_cpu_notifier);
 EXPORT_SYMBOL(__register_cpu_notifier);
 
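Review bot: with the `#ifdef CONFIG_HOTPLUG_CPU` block removed here, `EXPORT_SYMBOL(register_cpu_notifier);` and `EXPORT_SYMBOL(__register_cpu_notifier);` are left directly after cpu_notify(), away from the functions they export. Placing each export right after the definition of its function would keep the file readable and make it obvious that the exports no longer depend on CONFIG_HOTPLUG_CPU.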
@@ -233,6 +227,13 @@ void __ref __unregister_cpu_notifier(str
 }
 EXPORT_SYMBOL(__unregister_cpu_notifier);
 
+#ifdef CONFIG_HOTPLUG_CPU
+
+static void cpu_notify_nofail(unsigned long val, void *v)
+{
+	BUG_ON(cpu_notify(val, v));
+}
+
 /**
  * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
  * @cpu: a CPU id


* [PATCH 3.16 091/370] ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (138 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 155/370] USB: serial: cyberjack: fix NULL-deref at open Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 158/370] USB: serial: io_ti: fix NULL-deref at open Ben Hutchings
                   ` (231 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Colin Ian King, Steven Rostedt (Red Hat)

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 847fa1a6d3d00f3bdf68ef5fa4a786f644a0dd67 upstream.

With new binutils, gcc may get smart with its optimization and change a jmp
from a 5 byte jump to a 2 byte one even though it was jumping to a global
function. But that global function existed within a 2 byte radius, and gcc
was able to optimize it. Unfortunately, that jump was also being modified
when function graph tracing begins. Since ftrace expected that jump to be 5
bytes, but it was only two, it overwrote code after the jump, causing a
crash.

This was fixed for x86_64 with commit 8329e818f149, with the same subject as
this commit, but nothing was done for x86_32.

Fixes: d61f82d06672 ("ftrace: use dynamic patching for updating mcount calls")
Reported-by: Colin Ian King <colin.king@canonical.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/entry_32.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1086,8 +1086,8 @@ ftrace_graph_call:
 	jmp ftrace_stub
 #endif
 
-.globl ftrace_stub
-ftrace_stub:
+/* This is weak to keep gas from relaxing the jumps */
+WEAK(ftrace_stub)
 	ret
 END(ftrace_caller)
 
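Review bot: the new comment `/* This is weak to keep gas from relaxing the jumps */` says what the assembler is prevented from doing but not why it matters. One more sentence saying that ftrace rewrites `jmp ftrace_stub` in place and expects the 5-byte encoding, as the commit message explains, would keep someone from turning `WEAK(ftrace_stub)` back into a plain global label.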


* [PATCH 3.16 056/370] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 146/370] PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 101/370] libceph: verify authorize reply on connect Ben Hutchings
                   ` (353 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Olaf Hering, Juergen Gross, Boris Ostrovsky, Hugh Dickins

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

commit 30faaafdfa0c754c91bac60f216c9f34a2bfdf7e upstream.

Commit 9c17d96500f7 ("xen/gntdev: Grant maps should not be subject to
NUMA balancing") set VM_IO flag to prevent grant maps from being
subjected to NUMA balancing.

It was discovered recently that this flag causes get_user_pages() to
always fail with -EFAULT.

check_vma_flags
__get_user_pages
__get_user_pages_locked
__get_user_pages_unlocked
get_user_pages_fast
iov_iter_get_pages
dio_refill_pages
do_direct_IO
do_blockdev_direct_IO
do_blockdev_direct_IO
ext4_direct_IO_read
generic_file_read_iter
aio_run_iocb

(which can happen if guest's vdisk has direct-io-safe option).

To avoid this let's use VM_MIXEDMAP flag instead --- it prevents
NUMA balancing just as VM_IO does and has no effect on
check_vma_flags().


Reported-by: Olaf Hering <olaf@aepfle.de>
Suggested-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Hugh Dickins <hughd@google.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/gntdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -765,7 +765,7 @@ static int gntdev_mmap(struct file *flip
 
 	vma->vm_ops = &gntdev_vmops;
 
-	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
+	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_MIXEDMAP;
 
 	if (use_ptemod)
 		vma->vm_flags |= VM_DONTCOPY;
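Review bot: `VM_MIXEDMAP` replaces `VM_IO` in the `vma->vm_flags` assignment purely for its side effect on NUMA balancing, and nothing at the call site says so. A comment there recording that the flag keeps grant maps out of NUMA balancing, and that `VM_IO` must not be used because it makes get_user_pages() fail with -EFAULT, as the commit message explains, would stop the flag from being tidied away later.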


* [PATCH 3.16 032/370] ARM: zynq: Reserve correct amount of non-DMA RAM
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 078/370] drm/radeon: Hide the HW cursor while it's out of bounds Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 156/370] USB: serial: garmin_gps: fix memory leak on failed URB submit Ben Hutchings
                   ` (259 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nathan Rossi, Michal Simek, Kyle Roeschley

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kyle Roeschley <kyle.roeschley@ni.com>

commit 7a3cc2a7b2c723aa552028f4e66841cec183756d upstream.

On Zynq, we haven't been reserving the correct amount of DMA-incapable
RAM to keep DMA away from it (per the Zynq TRM Section 4.1, it should be
the first 512k). In older kernels, this was masked by the
memblock_reserve call in arm_memblock_init(). Now, reserve the correct
amount explicitly rather than relying on swapper_pg_dir, which is an
address and not a size anyway.

Fixes: 46f5b96 ("ARM: zynq: Reserve not DMAable space in front of the
kernel")

Signed-off-by: Kyle Roeschley <kyle.roeschley@ni.com>
Tested-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-zynq/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-zynq/common.c
+++ b/arch/arm/mach-zynq/common.c
@@ -59,7 +59,7 @@ void __iomem *zynq_scu_base;
 static void __init zynq_memory_init(void)
 {
 	if (!__pa(PAGE_OFFSET))
-		memblock_reserve(__pa(PAGE_OFFSET), __pa(swapper_pg_dir));
+		memblock_reserve(__pa(PAGE_OFFSET), 0x80000);
 }
 
 static struct platform_device zynq_cpuidle_device = {
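Review bot: `memblock_reserve(__pa(PAGE_OFFSET), 0x80000)` hard-codes the size as a bare hex literal. The commit message gives the meaning (the first 512k is not DMA-capable, per the Zynq TRM Section 4.1); putting that in a comment above the call, or using a named size constant such as SZ_512K from <linux/sizes.h>, would make the value self-explanatory in the source.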


* [PATCH 3.16 043/370] scsi: mvsas: fix command_active typo
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 060/370] USB: serial: kl5kusb105: fix open error path Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 146/370] PM / devfreq: Fix the bug of devfreq_add_device when governor is NULL Ben Hutchings
                   ` (355 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Johannes Thumshirn, Martin K. Petersen

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream.

gcc-7 notices that the condition in mvs_94xx_command_active looks
suspicious:

drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]

This was introduced when the mv_printk() statement got added, and leads
to the condition being ignored. This is probably harmless.

Changing '&&' to '&' makes the code look reasonable, as we check the
command bit before setting and printing it.

Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/mvsas/mv_94xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/mvsas/mv_94xx.c
+++ b/drivers/scsi/mvsas/mv_94xx.c
@@ -621,7 +621,7 @@ static void mvs_94xx_command_active(stru
 {
 	u32 tmp;
 	tmp = mvs_cr32(mvi, MVS_COMMAND_ACTIVE+(slot_idx >> 3));
-	if (tmp && 1 << (slot_idx % 32)) {
+	if (tmp & 1 << (slot_idx % 32)) {
 		mv_printk("command active %08X,  slot [%x].\n", tmp, slot_idx);
 		mvs_cw32(mvi, MVS_COMMAND_ACTIVE + (slot_idx >> 3),
 			1 << (slot_idx % 32));
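Review bot: the corrected test `tmp & 1 << (slot_idx % 32)` relies on `<<` binding tighter than `&`, and shifts a signed `1` by up to 31 bits. Writing it as `tmp & (1U << (slot_idx % 32))`, and using the same unsigned mask in the mvs_cw32() call two lines below, removes both the precedence question and the shift into the sign bit.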


* [PATCH 3.16 075/370] ALSA: hda - Add inverted internal mic for Asus Aspire 4830T
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 004/370] crypto: arm64/sha2-ce - fix for big endian Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 131/370] net/mlx4_en: Fix bad WQE issue Ben Hutchings
                   ` (220 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tomas Nilsson, Takashi Iwai, David Henningsson

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Henningsson <david.henningsson@canonical.com>

commit 522a7fa883e04725806308a5b663ce1f570e5870 upstream.

Alsa-info at https://launchpadlibrarian.net/186697318/alsa-info.txt.37fYWkaJRc

Reported-by: Tomas Nilsson <tomas.k.nilsson@gmail.com>
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -3397,6 +3397,7 @@ static const struct hda_model_fixup cxt5
 static const struct snd_pci_quirk cxt5066_fixups[] = {
 	SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
+	SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
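Review bot: the added quirk uses PCI subsystem vendor 0x1025 and the name "Acer Aspire 4830T", matching the Acer entries around it, but the subject line of this patch says "Asus Aspire 4830T". The code is consistent with its neighbours; the subject is what differs, which matters for anyone searching the log for this machine.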


* [PATCH 3.16 084/370] dm space map metadata: fix 'struct sm_metadata' leak on failed create
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 036/370] IB/core: Save QP in ib_flow structure Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 165/370] USB: serial: mos7720: fix parport use-after-free on probe errors Ben Hutchings
                   ` (343 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Benjamin Marzinski, Mike Snitzer, Joe Thornber

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Marzinski <bmarzins@redhat.com>

commit 314c25c56c1ee5026cf99c570bdfe01847927acb upstream.

In dm_sm_metadata_create() we temporarily change the dm_space_map
operations from 'ops' (whose .destroy function deallocates the
sm_metadata) to 'bootstrap_ops' (whose .destroy function doesn't).

If dm_sm_metadata_create() fails in sm_ll_new_metadata() or
sm_ll_extend(), it exits back to dm_tm_create_internal(), which calls
dm_sm_destroy() with the intention of freeing the sm_metadata, but it
doesn't (because the dm_space_map operations is still set to
'bootstrap_ops').

Fix this by setting the dm_space_map operations back to 'ops' if
dm_sm_metadata_create() fails when it is set to 'bootstrap_ops'.

Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/persistent-data/dm-space-map-metadata.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -773,17 +773,15 @@ int dm_sm_metadata_create(struct dm_spac
 	memcpy(&smm->sm, &bootstrap_ops, sizeof(smm->sm));
 
 	r = sm_ll_new_metadata(&smm->ll, tm);
+	if (!r) {
+		if (nr_blocks > DM_SM_METADATA_MAX_BLOCKS)
+			nr_blocks = DM_SM_METADATA_MAX_BLOCKS;
+		r = sm_ll_extend(&smm->ll, nr_blocks);
+	}
+	memcpy(&smm->sm, &ops, sizeof(smm->sm));
 	if (r)
 		return r;
 
-	if (nr_blocks > DM_SM_METADATA_MAX_BLOCKS)
-		nr_blocks = DM_SM_METADATA_MAX_BLOCKS;
-	r = sm_ll_extend(&smm->ll, nr_blocks);
-	if (r)
-		return r;
-
-	memcpy(&smm->sm, &ops, sizeof(smm->sm));
-
 	/*
 	 * Now we need to update the newly created data structures with the
 	 * allocated blocks that they were built from.
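Review bot: `memcpy(&smm->sm, &ops, sizeof(smm->sm));` now runs before `if (r) return r;`, so the real ops are installed even when sm_ll_new_metadata() or sm_ll_extend() has failed. That is the point of the fix, but the code does not say so; a comment above the memcpy noting that `ops` must be restored on the error path so that the caller's dm_sm_destroy() frees the sm_metadata would keep the ordering from being rearranged again.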


* [PATCH 3.16 041/370] IB/mlx4: Put non zero value in max_ah device attribute
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 027/370] ARM: dts: imx6q-cm-fx6: fix fec pinctrl Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 176/370] iommu/amd: Fix the left value check of cmd buffer Ben Hutchings
                   ` (272 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Jurgens, Yuval Shaia, Maor Gottlieb, Mark Bloch,
	Leon Romanovsky, Doug Ledford

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maor Gottlieb <maorg@mellanox.com>

commit 731e0415b4af3a133d0316e4dc8ef0ea57dc3fdf upstream.

Use INT_MAX since this is the max value the attribute can hold, though
hardware capability is unlimited.

Fixes: 225c7b1feef1 ('IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -212,6 +212,7 @@ static int mlx4_ib_query_device(struct i
 	props->max_total_mcast_qp_attach = props->max_mcast_qp_attach *
 					   props->max_mcast_grp;
 	props->max_map_per_fmr = dev->dev->caps.max_fmr_maps;
+	props->max_ah = INT_MAX;
 
 out:
 	kfree(in_mad);
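Review bot: `props->max_ah = INT_MAX;` reads as a hardware limit unless the commit message is to hand. A trailing comment that the hardware imposes no limit and INT_MAX is simply the largest value the attribute can hold would make the assignment self-documenting.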


* [PATCH 3.16 064/370] Btrfs: fix tree search logic when replaying directory entry deletes
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 169/370] USB: serial: omninet: fix NULL-derefs at open and disconnect Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 012/370] usb: gadget: composite: correctly initialize ep->maxpacket Ben Hutchings
                   ` (348 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Robbie Ko, Filipe Manana

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Robbie Ko <robbieko@synology.com>

commit 2a7bf53f577e49c43de4ffa7776056de26db65d9 upstream.

If a log tree has a layout like the following:

leaf N:
        ...
        item 240 key (282 DIR_LOG_ITEM 0) itemoff 8189 itemsize 8
                dir log end 1275809046
leaf N + 1:
        item 0 key (282 DIR_LOG_ITEM 3936149215) itemoff 16275 itemsize 8
                dir log end 18446744073709551615
        ...

When we pass the value 1275809046 + 1 as the parameter start_ret to the
function tree-log.c:find_dir_range() (done by replay_dir_deletes()), we
end up with path->slots[0] having the value 239 (points to the last item
of leaf N, item 240). Because the dir log item in that position has an
offset value smaller than *start_ret (1275809046 + 1) we need to move on
to the next leaf, however the logic for that is wrong since it compares
the current slot to the number of items in the leaf, which is smaller
and therefore we don't lookup for the next leaf but instead we set the
slot to point to an item that does not exist, at slot 240, and we later
operate on that slot which has unexpected content or in the worst case
can result in an invalid memory access (accessing beyond the last page
of leaf N's extent buffer).

So fix the logic that checks when we need to lookup at the next leaf
by first incrementing the slot and only after to check if that slot
is beyond the last item of the current leaf.

Signed-off-by: Robbie Ko <robbieko@synology.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Fixes: e02119d5a7b4 (Btrfs: Add a write ahead tree log to optimize synchronous operations)
Signed-off-by: Filipe Manana <fdmanana@suse.com>
[Modified changelog for clarity and correctness]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/tree-log.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1778,12 +1778,11 @@ static noinline int find_dir_range(struc
 next:
 	/* check the next slot in the tree to see if it is a valid item */
 	nritems = btrfs_header_nritems(path->nodes[0]);
+	path->slots[0]++;
 	if (path->slots[0] >= nritems) {
 		ret = btrfs_next_leaf(root, path);
 		if (ret)
 			goto out;
-	} else {
-		path->slots[0]++;
 	}
 
 	btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
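Review bot: `nritems` is still read before the new unconditional `path->slots[0]++`, and btrfs_next_leaf() is now entered with the slot already equal to `nritems` rather than pointing at the last item. It is worth confirming, and saying in the changelog, that btrfs_next_leaf() behaves the same for that incoming slot value; the existing comment "check the next slot in the tree" could also mention that the increment now happens before the bounds check.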


* [PATCH 3.16 068/370] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 133/370] ARM: dts: imx31: fix AVIC base address Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 046/370] USB: phy: am335x-control: fix device and of_node leaks Ben Hutchings
                   ` (338 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Brian Foster, Christoph Hellwig, Dave Chinner,
	Eric Sandeen, Eric Sandeen

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Sandeen <sandeen@sandeen.net>

commit 6b10b23ca94451fae153a5cc8d62fd721bec2019 upstream.

xlog_recover_clear_agi_bucket didn't set the
type to XFS_BLFT_AGI_BUF, so we got a warning during log
replay (or an ASSERT on a debug build).

    XFS (md0): Unknown buffer type 0!
    XFS (md0): _xfs_buf_ioapply: no ops on block 0xaea8802/0x1

Fix this, as was done in f19b872b for 2 other locations
with the same problem.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_log_recover.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3813,6 +3813,7 @@ xlog_recover_clear_agi_bucket(
 	agi->agi_unlinked[bucket] = cpu_to_be32(NULLAGINO);
 	offset = offsetof(xfs_agi_t, agi_unlinked) +
 		 (sizeof(xfs_agino_t) * bucket);
+	xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
 	xfs_trans_log_buf(tp, agibp, offset,
 			  (offset + sizeof(xfs_agino_t) - 1));
 


* [PATCH 3.16 072/370] CIFS: Fix missing nls unload in smb2_reconnect()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 065/370] bus: vexpress-config: fix device reference leak Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 121/370] fs: exec: apply CLOEXEC before changing dumpable task flags Ben Hutchings
                   ` (334 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky, Sachin Prabhu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 4772c79599564bd08ee6682715a7d3516f67433f upstream.

Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -282,7 +282,7 @@ out:
 	case SMB2_CHANGE_NOTIFY:
 	case SMB2_QUERY_INFO:
 	case SMB2_SET_INFO:
-		return -EAGAIN;
+		rc = -EAGAIN;
 	}
 	unload_nls(nls_codepage);
 	return rc;
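
Review bot: the commit message has no body, so nothing records that the old "return -EAGAIN;" in this switch skipped the unload_nls(nls_codepage) call that follows it. Please add a sentence saying so. Assigning rc and falling through to the common exit is the right shape; an explicit "break;" after "rc = -EAGAIN;" would keep the last case safe if another case is appended later.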

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 011/370] perf scripting: Avoid leaking the scripting_context variable
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 026/370] crypto: caam - fix AEAD givenc descriptors Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 083/370] iw_cxgb4: Fix error return code in c4iw_rdev_open() Ben Hutchings
                   ` (359 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnaldo Carvalho de Melo, Jiri Olsa, Tom Zanussi,
	Namhyung Kim, Frederic Weisbecker, David Ahern, Adrian Hunter,
	Wang Nan

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit cf346d5bd4b9d61656df2f72565c9b354ef3ca0d upstream.

Both register_perl_scripting() and register_python_scripting() allocate
this variable, fix it by checking if it already was.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Tom Zanussi <tzanussi@gmail.com>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 7e4b21b84c43 ("perf/scripts: Add Python scripting engine")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/trace-event-scripting.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/tools/perf/util/trace-event-scripting.c
+++ b/tools/perf/util/trace-event-scripting.c
@@ -90,7 +90,8 @@ static void register_python_scripting(st
 	if (err)
 		die("error registering py script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPYTHON
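
Review bot: the result of malloc(sizeof(*scripting_context)) is still not checked before register_python_scripting() returns, so an allocation failure leaves scripting_context NULL for whoever uses it next. The function already calls die() on the registration error just above, so the same treatment for a NULL return would be consistent.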
@@ -153,7 +154,8 @@ static void register_perl_scripting(stru
 	if (err)
 		die("error registering pl script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPERL
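
Review bot: the two-line "if (scripting_context == NULL)" guard added in register_perl_scripting() is a copy of the one in register_python_scripting(), and the leak fix only holds while both copies stay in step. A small shared helper that allocates once would remove the duplication.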

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 008/370] net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 040/370] IB/mlx4: Set traffic class in AH Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 150/370] usb: xhci: fix possible wild pointer Ben Hutchings
                   ` (262 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David S. Miller, Stephen Hemminger, Shmulik Ladkani

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shmulik Ladkani <shmulik.ladkani@gmail.com>

commit d65f2fa680d6f91438461df54c83a331b3a631c9 upstream.

META_COLLECTOR int_vlan_tag() assumes that if the accel tag (vlan_tci)
is zero, then no vlan accel tag is present.

This is incorrect for zero VID vlan accel packets, making the following
match fail:
  tc filter add ... basic match 'meta(vlan mask 0xfff eq 0)' ...

Apparently 'int_vlan_tag' was implemented before VLAN_TAG_PRESENT was
introduced in 05423b2 "vlan: allow null VLAN ID to be used"
(and at the time it was introduced, the 'vlan_tx_tag_get' call in em_meta
 was not adapted).

Fix, testing skb_vlan_tag_present instead of testing skb_vlan_tag_get's
value.

Fixes: 05423b2413 ("vlan: allow null VLAN ID to be used")
Fixes: 1a31f2042e ("netsched: Allow meta match on vlan tag on receive")

Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: s/skb_vlan_tag/vlan_tx_tag/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/em_meta.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/net/sched/em_meta.c
+++ b/net/sched/em_meta.c
@@ -176,11 +176,12 @@ META_COLLECTOR(int_vlan_tag)
 {
 	unsigned short tag;
 
-	tag = vlan_tx_tag_get(skb);
-	if (!tag && __vlan_get_tag(skb, &tag))
-		*err = -1;
-	else
+	if (vlan_tx_tag_present(skb))
+		dst->value = vlan_tx_tag_get(skb);
+	else if (!__vlan_get_tag(skb, &tag))
 		dst->value = tag;
+	else
+		*err = -1;
 }
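
Review bot: int_vlan_tag() gives no hint of why presence is tested rather than the tag value, which is exactly the assumption the commit message says was wrong. A short comment above "if (vlan_tx_tag_present(skb))" stating that an accelerated tag with VID 0 is valid would guard against the old "!tag" test coming back.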
 
 

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 062/370] drivers: base: dma-mapping: Fix typo in dmam_alloc_non_coherent comments
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 176/370] iommu/amd: Fix the left value check of cmd buffer Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 153/370] usb: xhci: hold lock over xhci_abort_cmd_ring() Ben Hutchings
                   ` (270 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Florian Fainelli

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit cd74da957ba2d03787ede1c22bbb183d9c728aad upstream.

The function we are wrapping is named dma_alloc_noncoherent, and
not dma_alloc_non_coherent.

Fixes: 9ac7849e35f70 ("devres: device resource management")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/dma-mapping.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/base/dma-mapping.c
+++ b/drivers/base/dma-mapping.c
@@ -107,13 +107,13 @@ void dmam_free_coherent(struct device *d
 EXPORT_SYMBOL(dmam_free_coherent);
 
 /**
- * dmam_alloc_non_coherent - Managed dma_alloc_non_coherent()
+ * dmam_alloc_non_coherent - Managed dma_alloc_noncoherent()
  * @dev: Device to allocate non_coherent memory for
  * @size: Size of allocation
  * @dma_handle: Out argument for allocated DMA handle
  * @gfp: Allocation flags
  *
- * Managed dma_alloc_non_coherent().  Memory allocated using this
+ * Managed dma_alloc_noncoherent().  Memory allocated using this
  * function will be automatically released on driver detach.
  *
  * RETURNS:
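
Review bot: the typo fix is incomplete in this kernel-doc block: the "@dev:" line still says "non_coherent memory", and the summary line keeps the name dmam_alloc_non_coherent. The function definition is outside the hunk, so please check that the kernel-doc name matches it, and align the "@dev:" wording with "noncoherent" while here.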

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 059/370] thermal: hwmon: Properly report critical temperature in sysfs
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 016/370] ARM: dts: imx31: fix clock control module interrupts description Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 123/370] Input: i8042 - add Pegatron touchpad to noloop table Ben Hutchings
                   ` (244 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Zhang Rui, Krzysztof Kozlowski

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>

commit f37fabb8643eaf8e3b613333a72f683770c85eca upstream.

In the critical sysfs entry the thermal hwmon was returning wrong
temperature to the user-space.  It was reporting the temperature of the
first trip point instead of the temperature of critical trip point.

For example:
	/sys/class/hwmon/hwmon0/temp1_crit:50000
	/sys/class/thermal/thermal_zone0/trip_point_0_temp:50000
	/sys/class/thermal/thermal_zone0/trip_point_0_type:active
	/sys/class/thermal/thermal_zone0/trip_point_3_temp:120000
	/sys/class/thermal/thermal_zone0/trip_point_3_type:critical

Since commit e68b16abd91d ("thermal: add hwmon sysfs I/F") the driver
has been registering a sysfs entry if get_crit_temp() callback was
provided.  However when accessed, it was calling get_trip_temp() instead
of the get_crit_temp().

Fixes: e68b16abd91d ("thermal: add hwmon sysfs I/F")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/thermal/thermal_hwmon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/thermal_hwmon.c
+++ b/drivers/thermal/thermal_hwmon.c
@@ -98,7 +98,7 @@ temp_crit_show(struct device *dev, struc
 	long temperature;
 	int ret;
 
-	ret = tz->ops->get_trip_temp(tz, 0, &temperature);
+	ret = tz->ops->get_crit_temp(tz, &temperature);
 	if (ret)
 		return ret;
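
Review bot: tz->ops->get_crit_temp(tz, &temperature) is called in temp_crit_show() without checking that the callback is set, relying on the registration-time condition the commit message describes (the entry exists only when get_crit_temp() is provided). A comment at the call saying so would keep that invariant visible if the registration code changes.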
 

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 085/370] md: MD_RECOVERY_NEEDED is set for mddev->recovery
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 031/370] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 036/370] IB/core: Save QP in ib_flow structure Ben Hutchings
                   ` (345 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, NeilBrown, Shaohua Li

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 82a301cb0ea2df8a5c88213094a01660067c7fb4 upstream.

Fixes: 90f5f7ad4f38("md: Wait for md_check_recovery before attempting device
removal.")

Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/md.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6453,7 +6453,7 @@ static int md_ioctl(struct block_device
 		/* need to ensure recovery thread has run */
 		wait_event_interruptible_timeout(mddev->sb_wait,
 						 !test_bit(MD_RECOVERY_NEEDED,
-							   &mddev->flags),
+							   &mddev->recovery),
 						 msecs_to_jiffies(5000));
 	if (cmd == STOP_ARRAY || cmd == STOP_ARRAY_RO) {
 		/* Need to flush page cache, and ensure no-one else opens
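
Review bot: the return value of wait_event_interruptible_timeout() is discarded, so a signal or the 5000 ms timeout still lets md_ioctl() continue as if the recovery thread had run. That is context rather than part of the change, but now that the condition tests &mddev->recovery it is worth deciding whether to bail out or at least log on timeout. The commit message also carries only a Fixes: tag; one sentence on what testing MD_RECOVERY_NEEDED against mddev->flags did in practice would help stable reviewers.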

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 030/370] powerpc/pci/rpadlpar: Fix device reference leaks
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 171/370] USB: serial: pl2303: fix NULL-deref at open Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 149/370] xhci: free xhci virtual devices with leaf nodes first Ben Hutchings
                   ` (295 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 99e5cde5eae78bef95bfe7c16ccda87fb070149b upstream.

Make sure to drop any device reference taken by vio_find_node() when
adding and removing virtual I/O slots.

Fixes: 5eeb8c63a38f ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/hotplug/rpadlpar_core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/pci/hotplug/rpadlpar_core.c
+++ b/drivers/pci/hotplug/rpadlpar_core.c
@@ -258,8 +258,13 @@ static int dlpar_add_phb(char *drc_name,
 
 static int dlpar_add_vio_slot(char *drc_name, struct device_node *dn)
 {
-	if (vio_find_node(dn))
+	struct vio_dev *vio_dev;
+
+	vio_dev = vio_find_node(dn);
+	if (vio_dev) {
+		put_device(&vio_dev->dev);
 		return -EINVAL;
+	}
 
 	if (!vio_register_device_node(dn)) {
 		printk(KERN_ERR
@@ -335,6 +340,9 @@ static int dlpar_remove_vio_slot(char *d
 		return -EINVAL;
 
 	vio_unregister_device(vio_dev);
+
+	put_device(&vio_dev->dev);
+
 	return 0;
 }
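
Review bot: in dlpar_remove_vio_slot() the new put_device(&vio_dev->dev) dereferences vio_dev after vio_unregister_device(vio_dev), which is only safe because the lookup reference is still held at that point. A one-line comment saying that this put balances the reference taken by vio_find_node() (per the commit message) would make the ordering obviously intentional.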
 

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 083/370] iw_cxgb4: Fix error return code in c4iw_rdev_open()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 011/370] perf scripting: Avoid leaking the scripting_context variable Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 038/370] IB/mlx5: Wait for all async command completions to complete Ben Hutchings
                   ` (358 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wei Yongjun, Steve Wise, Doug Ledford

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Yongjun <weiyongjun1@huawei.com>

commit 15f7e3c21b76598bc6e5816d2577ce843b2b963f upstream.

Fix to return error code -ENOMEM from the __get_free_page() error
handling case instead of 0, as done elsewhere in this function.

Fixes: 05eb23893c2c ("cxgb4/iw_cxgb4: Doorbell Drop Avoidance Bug Fixes")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/infiniband/hw/cxgb4/device.c
+++ b/drivers/infiniband/hw/cxgb4/device.c
@@ -694,6 +694,7 @@ static int c4iw_rdev_open(struct c4iw_rd
 			    __get_free_page(GFP_KERNEL);
 	if (!rdev->status_page) {
 		pr_err(MOD "error allocating status page\n");
+		err = -ENOMEM;
 		goto err4;
 	}
 	rdev->status_page->db_off = 0;

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 055/370] f2fs: set ->owner for debugfs status file's file_operations
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (142 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 007/370] crypto: arm64/aes-xts-ce: " Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 094/370] ext4: reject inodes with negative size Ben Hutchings
                   ` (227 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicolai Stange, Jaegeuk Kim, Martin Brandenburg, Mike Marshall

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolai Stange <nicstange@gmail.com>

commit 05e6ea2685c964db1e675a24a4f4e2adc22d2388 upstream.

The struct file_operations instance serving the f2fs/status debugfs file
lacks an initialization of its ->owner.

This means that although that file might have been opened, the f2fs module
can still get removed. Any further operation on that opened file, releasing
included,  will cause accesses to unmapped memory.

Indeed, Mike Marshall reported the following:

  BUG: unable to handle kernel paging request at ffffffffa0307430
  IP: [<ffffffff8132a224>] full_proxy_release+0x24/0x90
  <...>
  Call Trace:
   [] __fput+0xdf/0x1d0
   [] ____fput+0xe/0x10
   [] task_work_run+0x8e/0xc0
   [] do_exit+0x2ae/0xae0
   [] ? __audit_syscall_entry+0xae/0x100
   [] ? syscall_trace_enter+0x1ca/0x310
   [] do_group_exit+0x44/0xc0
   [] SyS_exit_group+0x14/0x20
   [] do_syscall_64+0x61/0x150
   [] entry_SYSCALL64_slow_path+0x25/0x25
  <...>
  ---[ end trace f22ae883fa3ea6b8 ]---
  Fixing recursive fault but reboot is needed!

Fix this by initializing the f2fs/status file_operations' ->owner with
THIS_MODULE.

This will allow debugfs to grab a reference to the f2fs module upon any
open on that file, thus preventing it from getting removed.

Fixes: 902829aa0b72 ("f2fs: move proc files to debugfs")
Reported-by: Mike Marshall <hubcap@omnibond.com>
Reported-by: Martin Brandenburg <martin@omnibond.com>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/f2fs/debug.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -295,6 +295,7 @@ static int stat_open(struct inode *inode
 }
 
 static const struct file_operations stat_fops = {
+	.owner = THIS_MODULE,
 	.open = stat_open,
 	.read = seq_read,
 	.llseek = seq_lseek,

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 076/370] ALSA: hda - Add the top speaker pin config for HP Spectre x360
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 037/370] IB/mlx5: Put non zero value in max_ah Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 175/370] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Ben Hutchings
                   ` (214 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 0eec880966e77bdbee0112989a2be67d92e39929 upstream.

HP Spectre x360 with CX20724 codec has two speaker outputs while the
BIOS sets up only the bottom one (NID 0x17) and disables the top one
(NID 0x1d).

This patch adds a fixup simply defining the proper pincfg for NID 0x1d
so that the top speaker works as is.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=169071
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -2843,6 +2843,7 @@ enum {
 	CXT_FIXUP_HP_530,
 	CXT_FIXUP_CAP_MIX_AMP_5047,
 	CXT_FIXUP_MUTE_LED_EAPD,
+	CXT_FIXUP_HP_SPECTRE,
 };
 
 /* for hda_fixup_thinkpad_acpi() */
@@ -3349,6 +3350,14 @@ static const struct hda_fixup cxt_fixups
 		.type = HDA_FIXUP_FUNC,
 		.v.func = cxt_fixup_mute_led_eapd,
 	},
+	[CXT_FIXUP_HP_SPECTRE] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			/* enable NID 0x1d for the speaker on top */
+			{ 0x1d, 0x91170111 },
+			{ }
+		}
+	},
 };
 
 static const struct snd_pci_quirk cxt5045_fixups[] = {
@@ -3398,6 +3407,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
+	SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 077/370] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 028/370] powerpc/ibmebus: Fix device reference leaks in sysfs interface Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 070/370] mmc: sdhci: Fix recovery from tuning timeout Ben Hutchings
                   ` (368 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit f73cd43ac3b41c0f09a126387f302bbc0d9c726d upstream.

HP Z1 Gen3 AiO with Conexant codec doesn't give an unsolicited event
to the headset mic pin upon the jack plugging, it reports only to the
headphone pin.  It results in the missing mic switching.  Let's fix up
by simply gating the jack event.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -2844,6 +2844,7 @@ enum {
 	CXT_FIXUP_CAP_MIX_AMP_5047,
 	CXT_FIXUP_MUTE_LED_EAPD,
 	CXT_FIXUP_HP_SPECTRE,
+	CXT_FIXUP_HP_GATE_MIC,
 };
 
 /* for hda_fixup_thinkpad_acpi() */
@@ -3217,6 +3218,17 @@ static void cxt_fixup_cap_mix_amp_5047(s
 				  (1 << AC_AMPCAP_MUTE_SHIFT));
 }
 
+static void cxt_fixup_hp_gate_mic_jack(struct hda_codec *codec,
+				       const struct hda_fixup *fix,
+				       int action)
+{
+	/* the mic pin (0x19) doesn't give an unsolicited event;
+	 * probe the mic pin together with the headphone pin (0x16)
+	 */
+	if (action == HDA_FIXUP_ACT_PROBE)
+		snd_hda_jack_set_gating_jack(codec, 0x19, 0x16);
+}
+
 /* ThinkPad X200 & co with cxt5051 */
 static const struct hda_pintbl cxt_pincfg_lenovo_x200[] = {
 	{ 0x16, 0x042140ff }, /* HP (seq# overridden) */
@@ -3358,6 +3370,10 @@ static const struct hda_fixup cxt_fixups
 			{ }
 		}
 	},
+	[CXT_FIXUP_HP_GATE_MIC] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = cxt_fixup_hp_gate_mic_jack,
+	},
 };
 
 static const struct snd_pci_quirk cxt5045_fixups[] = {
@@ -3408,6 +3424,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
 	SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+	SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 080/370] arm/xen: Use alloc_percpu rather than __alloc_percpu
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 111/370] IB/multicast: Check ib_find_pkey() return value Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 023/370] PCI: Check for PME in targeted sleep state Ben Hutchings
                   ` (308 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Julien Grall, Stefano Stabellini, Wei Chen

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julien Grall <julien.grall@arm.com>

commit 24d5373dda7c00a438d26016bce140299fae675e upstream.

The function xen_guest_init is using __alloc_percpu with an alignment
which is not a power of two.

However, the percpu allocator never supported alignments which are not powers
of two and has always behaved incorrectly in this case.

Commit 3ca45a4 "percpu: ensure requested alignment is power of two"
introduced a check which triggers a warning [1] when booting linux-next
on Xen. But in reality this bug was always present.

This can be fixed by replacing the call to __alloc_percpu with
alloc_percpu. The latter will use an alignment which is a power of two.

[1]

[    0.023921] illegal size (48) or align (48) for percpu allocation
[    0.024167] ------------[ cut here ]------------
[    0.024344] WARNING: CPU: 0 PID: 1 at linux/mm/percpu.c:892 pcpu_alloc+0x88/0x6c0
[    0.024584] Modules linked in:
[    0.024708]
[    0.024804] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
4.9.0-rc7-next-20161128 #473
[    0.025012] Hardware name: Foundation-v8A (DT)
[    0.025162] task: ffff80003d870000 task.stack: ffff80003d844000
[    0.025351] PC is at pcpu_alloc+0x88/0x6c0
[    0.025490] LR is at pcpu_alloc+0x88/0x6c0
[    0.025624] pc : [<ffff00000818e678>] lr : [<ffff00000818e678>]
pstate: 60000045
[    0.025830] sp : ffff80003d847cd0
[    0.029152] ---[ end trace 0000000000000000 ]---
[    0.029297] Call trace:
[    0.032051] [<ffff00000818e678>] pcpu_alloc+0x88/0x6c0
[    0.032229] [<ffff00000818ece8>] __alloc_percpu+0x18/0x20
[    0.032409] [<ffff000008d9606c>] xen_guest_init+0x174/0x2f4
[    0.032591] [<ffff0000080830f8>] do_one_initcall+0x38/0x130
[    0.032783] [<ffff000008d90c34>] kernel_init_freeable+0xe0/0x248
[    0.032995] [<ffff00000899a890>] kernel_init+0x10/0x100
[    0.033172] [<ffff000008082ec0>] ret_from_fork+0x10/0x50

Reported-by: Wei Chen <wei.chen@arm.com>
Link: https://lkml.org/lkml/2016/11/28/669
Signed-off-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/xen/enlighten.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/xen/enlighten.c
+++ b/arch/arm/xen/enlighten.c
@@ -291,8 +291,7 @@ static int __init xen_guest_init(void)
 	 * for secondary CPUs as they are brought up.
 	 * For uniformity we use VCPUOP_register_vcpu_info even on cpu0.
 	 */
-	xen_vcpu_info = __alloc_percpu(sizeof(struct vcpu_info),
-			                       sizeof(struct vcpu_info));
+	xen_vcpu_info = alloc_percpu(struct vcpu_info);
 	if (xen_vcpu_info == NULL)
 		return -ENOMEM;
 

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 081/370] clk: clk-wm831x: fix a logic error
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 122/370] powerpc: Fix build warning on 32-bit PPC Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 154/370] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake Ben Hutchings
                   ` (330 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stephen Boyd, Charles Keepax, Pan Bian

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 20979202ee6e4c68dab7bcf408787225a656d18e upstream.

Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188561. Function
wm831x_clkout_is_prepared() returns "true" when it fails to read
CLOCK_CONTROL_1. "true" means the device is already prepared. So
returning "true" on the read failure seems improper.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Fixes: f05259a6ffa4 ("clk: wm831x: Add initial WM831x clock driver")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/clk-wm831x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/clk-wm831x.c
+++ b/drivers/clk/clk-wm831x.c
@@ -248,7 +248,7 @@ static int wm831x_clkout_is_prepared(str
 	if (ret < 0) {
 		dev_err(wm831x->dev, "Unable to read CLOCK_CONTROL_1: %d\n",
 			ret);
-		return true;
+		return false;
 	}
 
 	return (ret & WM831X_CLKOUT_ENA) != 0;
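
Review bot: wm831x_clkout_is_prepared() is declared "static int" in the hunk header, yet the error path returns the boolean "false"; "return 0;" would match the return type. A failed read of CLOCK_CONTROL_1 is also now indistinguishable from "not prepared" for the caller and shows up only through the dev_err() line, so the commit message should say why that is the safer of the two answers.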

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 078/370] drm/radeon: Hide the HW cursor while it's out of bounds
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 150/370] usb: xhci: fix possible wild pointer Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 032/370] ARM: zynq: Reserve correct amount of non-DMA RAM Ben Hutchings
                   ` (260 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michel Dänzer, Alex Deucher

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michel Dänzer <michel.daenzer@amd.com>

commit 6b16cf7785a4200b1bddf4f70c9dda2efc49e278 upstream.

Fixes hangs in that case under some circumstances.

v2:
* Only use non-0 x/yorigin if the cursor is (partially) outside of the
  top/left edge of the total surface with AVIVO/DCE

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000433
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com> (v1)
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[bwh: Backported to 3.16:
 - Drop changes to radeon_crtc_cursor_set2()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/radeon/radeon_cursor.c
+++ b/drivers/gpu/drm/radeon/radeon_cursor.c
@@ -90,6 +90,9 @@ static void radeon_show_cursor(struct dr
 	struct radeon_crtc *radeon_crtc = to_radeon_crtc(crtc);
 	struct radeon_device *rdev = crtc->dev->dev_private;
 
+	if (radeon_crtc->cursor_out_of_bounds)
+		return;
+
 	if (ASIC_IS_DCE4(rdev)) {
 		WREG32(RADEON_MM_INDEX, EVERGREEN_CUR_CONTROL + radeon_crtc->crtc_offset);
 		WREG32(RADEON_MM_DATA, EVERGREEN_CURSOR_EN |
@@ -228,16 +231,17 @@ int radeon_crtc_cursor_move(struct drm_c
 		x += crtc->x;
 		y += crtc->y;
 	}
-	DRM_DEBUG("x %d y %d c->x %d c->y %d\n", x, y, crtc->x, crtc->y);
 
-	if (x < 0) {
+	if (x < 0)
 		xorigin = min(-x, radeon_crtc->max_cursor_width - 1);
-		x = 0;
-	}
-	if (y < 0) {
+	if (y < 0)
 		yorigin = min(-y, radeon_crtc->max_cursor_height - 1);
-		y = 0;
+
+	if (!ASIC_IS_AVIVO(rdev)) {
+		x += crtc->x;
+		y += crtc->y;
 	}
+	DRM_DEBUG("x %d y %d c->x %d c->y %d\n", x, y, crtc->x, crtc->y);
 
 	/* fixed on DCE6 and newer */
 	if (ASIC_IS_AVIVO(rdev) && !ASIC_IS_DCE6(rdev)) {
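
Review bot: the `x < 0` / `y < 0` tests that set xorigin and yorigin now run before the new `if (!ASIC_IS_AVIVO(rdev))` block adds crtc->x and crtc->y, so on non-AVIVO parts the origin is computed from x and y without the CRTC offset while everything after the block sees them with it. The v2 changelog entry hints at this, but nothing in the code says so. A comment above the new block stating which coordinate space x and y are in before and after it would stop the ordering from being rearranged later.
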
@@ -260,27 +264,31 @@ int radeon_crtc_cursor_move(struct drm_c
 		if (i > 1) {
 			int cursor_end, frame_end;
 
-			cursor_end = x - xorigin + w;
+			cursor_end = x + w;
 			frame_end = crtc->x + crtc->mode.crtc_hdisplay;
 			if (cursor_end >= frame_end) {
 				w = w - (cursor_end - frame_end);
 				if (!(frame_end & 0x7f))
 					w--;
-			} else {
-				if (!(cursor_end & 0x7f))
-					w--;
+			} else if (cursor_end <= 0) {
+				goto out_of_bounds;
+			} else if (!(cursor_end & 0x7f)) {
+				w--;
 			}
 			if (w <= 0) {
-				w = 1;
-				cursor_end = x - xorigin + w;
-				if (!(cursor_end & 0x7f)) {
-					x--;
-					WARN_ON_ONCE(x < 0);
-				}
+				goto out_of_bounds;
 			}
 		}
 	}
 
+	if (x <= (crtc->x - w) || y <= (crtc->y - radeon_crtc->cursor_height) ||
+	    x >= (crtc->x + crtc->mode.crtc_hdisplay) ||
+	    y >= (crtc->y + crtc->mode.crtc_vdisplay))
+		goto out_of_bounds;
+
+	x += xorigin;
+	y += yorigin;
+
 	radeon_lock_cursor(crtc, true);
 	if (ASIC_IS_DCE4(rdev)) {
 		WREG32(EVERGREEN_CUR_POSITION + radeon_crtc->crtc_offset, (x << 16) | y);
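
Review bot: after `x += xorigin; y += yorigin;` nothing clamps x and y to 0 any more (the previous hunk drops `x = 0;` and `y = 0;`), so the values packed by `(x << 16) | y` are non-negative only because the out-of-bounds test just above rejects every position that lies a full cursor width or height beyond the top/left edge. Please add a comment stating that invariant next to the test, and note that the x comparison uses `w` after the DCE workaround may already have reduced it.
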
@@ -293,6 +301,9 @@ int radeon_crtc_cursor_move(struct drm_c
 		WREG32(AVIVO_D1CUR_SIZE + radeon_crtc->crtc_offset,
 		       ((w - 1) << 16) | (radeon_crtc->cursor_height - 1));
 	} else {
+		x -= crtc->x;
+		y -= crtc->y;
+
 		if (crtc->mode.flags & DRM_MODE_FLAG_DBLSCAN)
 			y *= 2;
 
@@ -310,5 +321,18 @@ int radeon_crtc_cursor_move(struct drm_c
 	}
 	radeon_lock_cursor(crtc, false);
 
+	if (radeon_crtc->cursor_out_of_bounds) {
+		radeon_crtc->cursor_out_of_bounds = false;
+		if (radeon_crtc->cursor_bo)
+			radeon_show_cursor(crtc);
+	}
+
+	return 0;
+
+ out_of_bounds:
+	if (!radeon_crtc->cursor_out_of_bounds) {
+		radeon_hide_cursor(crtc);
+		radeon_crtc->cursor_out_of_bounds = true;
+	}
 	return 0;
 }
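
Review bot: in the in-bounds path `radeon_crtc->cursor_out_of_bounds = false;` has to come before `radeon_show_cursor(crtc)`, because radeon_show_cursor() now returns early while the flag is set (first hunk of this file). The code has that order, but the dependency is not documented; a short comment on the assignment would help. Both the show call here and the hide call under `out_of_bounds:` also run outside the radeon_lock_cursor() pair, which deserves a word in the changelog if it is intentional.
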
--- a/drivers/gpu/drm/radeon/radeon_mode.h
+++ b/drivers/gpu/drm/radeon/radeon_mode.h
@@ -318,6 +318,7 @@ struct radeon_crtc {
 	u16 lut_r[256], lut_g[256], lut_b[256];
 	bool enabled;
 	bool can_tile;
+	bool cursor_out_of_bounds;
 	uint32_t crtc_offset;
 	struct drm_gem_object *cursor_bo;
 	uint64_t cursor_addr;

* [PATCH 3.16 079/370] drm/radeon: add additional pci revision to dpm workaround
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (133 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 157/370] USB: serial: io_edgeport: fix NULL-deref at open Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 186/370] USB: fix problems with duplicate endpoint addresses Ben Hutchings
                   ` (236 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Deucher

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 8729675c00a8d13cb2094d617d70a4a4da7d83c5 upstream.

New variant.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/si_dpm.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2971,6 +2971,7 @@ static void si_apply_state_adjust_rules(
 		    (rdev->pdev->revision == 0x80) ||
 		    (rdev->pdev->revision == 0x81) ||
 		    (rdev->pdev->revision == 0x83) ||
+		    (rdev->pdev->revision == 0x87) ||
 		    (rdev->pdev->device == 0x6604) ||
 		    (rdev->pdev->device == 0x6605)) {
 			max_sclk = 75000;
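
Review bot: the added `revision == 0x87` test joins an undocumented list of revision and device IDs, and the commit message ("New variant.") does not say which board this is or why it needs the 75000 max_sclk cap. A comment naming the variant next to the added line, or a sentence in the changelog, would let the next person who extends the list check it against the hardware.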

* [PATCH 3.16 063/370] powerpc/ps3: Fix system hang with GCC 5 builds
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 069/370] powerpc/boot: Request no dynamic linker for boot wrapper Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 102/370] fs/notify/inode_mark.c: use list_next_entry in fsnotify_unmount_inodes Ben Hutchings
                   ` (283 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Geoff Levand, Michael Ellerman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geoff Levand <geoff@infradead.org>

commit 6dff5b67054e17c91bd630bcdda17cfca5aa4215 upstream.

GCC 5 generates different code for this bootwrapper null check that
causes the PS3 to hang very early in its bootup. This check is of
limited value, so just get rid of it.

Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/boot/ps3-head.S | 5 -----
 arch/powerpc/boot/ps3.c      | 8 +-------
 2 files changed, 1 insertion(+), 12 deletions(-)

--- a/arch/powerpc/boot/ps3-head.S
+++ b/arch/powerpc/boot/ps3-head.S
@@ -57,11 +57,6 @@ __system_reset_overlay:
 	bctr
 
 1:
-	/* Save the value at addr zero for a null pointer write check later. */
-
-	li	r4, 0
-	lwz	r3, 0(r4)
-
 	/* Primary delays then goes to _zimage_start in wrapper. */
 
 	or	31, 31, 31 /* db16cyc */
--- a/arch/powerpc/boot/ps3.c
+++ b/arch/powerpc/boot/ps3.c
@@ -119,13 +119,12 @@ void ps3_copy_vectors(void)
 	flush_cache((void *)0x100, 512);
 }
 
-void platform_init(unsigned long null_check)
+void platform_init(void)
 {
 	const u32 heapsize = 0x1000000 - (u32)_end; /* 16MiB */
 	void *chosen;
 	unsigned long ft_addr;
 	u64 rm_size;
-	unsigned long val;
 
 	console_ops.write = ps3_console_write;
 	platform_ops.exit = ps3_exit;
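
Review bot: `platform_init()` changes from taking `unsigned long null_check` to `void`, and the diffstat lists only ps3-head.S and ps3.c, so a prototype or caller elsewhere that still uses the old parameter list is not updated by this patch. Before applying to 3.16, please confirm that no declaration of platform_init with an argument is visible to ps3.c, since that would give conflicting types at build time.
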
@@ -153,11 +152,6 @@ void platform_init(unsigned long null_ch
 
 	printf(" flat tree at 0x%lx\n\r", ft_addr);
 
-	val = *(unsigned long *)0;
-
-	if (val != null_check)
-		printf("null check failed: %lx != %lx\n\r", val, null_check);
-
 	((kernel_entry_t)0)(ft_addr, 0, NULL);
 
 	ps3_exit();

* [PATCH 3.16 045/370] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 137/370] usb: dwc3: gadget: always unmap EP0 requests Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 087/370] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041 Ben Hutchings
                   ` (206 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Mathias Nyman, Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 37be66767e3cae4fd16e064d8bb7f9f72bf5c045 upstream.

USB-3 does not have any link state that will avoid negotiating a connection
with a plugged-in cable but will signal the host when the cable is
unplugged.

For USB-3 we used to first set the link to Disabled, then to RxDetect to
be able to detect cable connects or disconnects. But in RxDetect the
connected device is detected again and eventually enabled.

Instead set the link into U3 and disable remote wakeups for the device.
This is what Windows does, and what Alan Stern suggested.

Cc: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 101 ++++++++++++++++++-------------------------------
 1 file changed, 36 insertions(+), 65 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -106,6 +106,8 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rws
 
 static void hub_release(struct kref *kref);
 static int usb_reset_and_verify_device(struct usb_device *udev);
+static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+					  struct usb_port *port_dev);
 
 static inline char *portspeed(struct usb_hub *hub, int portstatus)
 {
@@ -876,82 +878,28 @@ static int hub_set_port_link_state(struc
 }
 
 /*
- * If USB 3.0 ports are placed into the Disabled state, they will no longer
- * detect any device connects or disconnects.  This is generally not what the
- * USB core wants, since it expects a disabled port to produce a port status
- * change event when a new device connects.
- *
- * Instead, set the link state to Disabled, wait for the link to settle into
- * that state, clear any change bits, and then put the port into the RxDetect
- * state.
+ * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
+ * a connection with a plugged-in cable but will signal the host when the cable
+ * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
  */
-static int hub_usb3_port_disable(struct usb_hub *hub, int port1)
-{
-	int ret;
-	int total_time;
-	u16 portchange, portstatus;
-
-	if (!hub_is_superspeed(hub->hdev))
-		return -EINVAL;
-
-	ret = hub_port_status(hub, port1, &portstatus, &portchange);
-	if (ret < 0)
-		return ret;
-
-	/*
-	 * USB controller Advanced Micro Devices, Inc. [AMD] FCH USB XHCI
-	 * Controller [1022:7814] will have spurious result making the following
-	 * usb 3.0 device hotplugging route to the 2.0 root hub and recognized
-	 * as high-speed device if we set the usb 3.0 port link state to
-	 * Disabled. Since it's already in USB_SS_PORT_LS_RX_DETECT state, we
-	 * check the state here to avoid the bug.
-	 */
-	if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
-				USB_SS_PORT_LS_RX_DETECT) {
-		dev_dbg(&hub->ports[port1 - 1]->dev,
-			 "Not disabling port; link state is RxDetect\n");
-		return ret;
-	}
-
-	ret = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_SS_DISABLED);
-	if (ret)
-		return ret;
-
-	/* Wait for the link to enter the disabled state. */
-	for (total_time = 0; ; total_time += HUB_DEBOUNCE_STEP) {
-		ret = hub_port_status(hub, port1, &portstatus, &portchange);
-		if (ret < 0)
-			return ret;
-
-		if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
-				USB_SS_PORT_LS_SS_DISABLED)
-			break;
-		if (total_time >= HUB_DEBOUNCE_TIMEOUT)
-			break;
-		msleep(HUB_DEBOUNCE_STEP);
-	}
-	if (total_time >= HUB_DEBOUNCE_TIMEOUT)
-		dev_warn(&hub->ports[port1 - 1]->dev,
-				"Could not disable after %d ms\n", total_time);
-
-	return hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_RX_DETECT);
-}
-
 static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
 {
 	struct usb_port *port_dev = hub->ports[port1 - 1];
 	struct usb_device *hdev = hub->hdev;
 	int ret = 0;
 
-	if (port_dev->child && set_state)
-		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
 	if (!hub->error) {
-		if (hub_is_superspeed(hub->hdev))
-			ret = hub_usb3_port_disable(hub, port1);
-		else
+		if (hub_is_superspeed(hub->hdev)) {
+			hub_usb3_port_prepare_disable(hub, port_dev);
+			ret = hub_set_port_link_state(hub, port_dev->portnum,
+						      USB_SS_PORT_LS_U3);
+		} else {
 			ret = usb_clear_port_feature(hdev, port1,
 					USB_PORT_FEAT_ENABLE);
+		}
 	}
+	if (port_dev->child && set_state)
+		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
 	if (ret && ret != -ENODEV)
 		dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
 	return ret;
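
Review bot: the removed hub_usb3_port_disable() skipped the link-state change when the port was already in RxDetect, and its comment tied that to the AMD FCH xHCI controller [1022:7814] misbehaving when the link was set to Disabled. The new path never sets Disabled, so the guard is probably no longer needed, but it puts the port into USB_SS_PORT_LS_U3 unconditionally and the commit message does not mention that controller at all; please say in the changelog that the workaround is intentionally dropped. Minor: the new call passes `port_dev->portnum` while the else branch still uses `port1`.
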
@@ -4022,6 +3970,26 @@ void usb_unlocked_enable_lpm(struct usb_
 }
 EXPORT_SYMBOL_GPL(usb_unlocked_enable_lpm);
 
+/* usb3 devices use U3 for disabled, make sure remote wakeup is disabled */
+static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+					  struct usb_port *port_dev)
+{
+	struct usb_device *udev = port_dev->child;
+	int ret;
+
+	if (udev && udev->port_is_suspended && udev->do_remote_wakeup) {
+		ret = hub_set_port_link_state(hub, port_dev->portnum,
+					      USB_SS_PORT_LS_U0);
+		if (!ret) {
+			msleep(USB_RESUME_TIMEOUT);
+			ret = usb_disable_remote_wakeup(udev);
+		}
+		if (ret)
+			dev_warn(&udev->dev,
+				 "Port disable: can't disable remote wake\n");
+		udev->do_remote_wakeup = 0;
+	}
+}
 
 #else	/* CONFIG_PM */
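
Review bot: `udev->do_remote_wakeup = 0;` runs even when the U0 transition or usb_disable_remote_wakeup() failed, so after the dev_warn the flag says remote wakeup is off while the device may still have it enabled. If that is intended because the port goes to U3 regardless, a comment should say so. The warning text also omits `ret`, which would tell the two failure cases apart.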
 
@@ -4029,6 +3997,9 @@ EXPORT_SYMBOL_GPL(usb_unlocked_enable_lp
 #define hub_resume		NULL
 #define hub_reset_resume	NULL
 
+static inline void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+						 struct usb_port *port_dev) { }
+
 int usb_disable_lpm(struct usb_device *udev)
 {
 	return 0;

* [PATCH 3.16 047/370] ext4: fix in-superblock mount options processing
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 014/370] usb: gadget: composite: always set ep->mult to a sensible value Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 108/370] block_dev: don't test bdev->bd_contains when it is not stable Ben Hutchings
                   ` (326 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 5aee0f8a3f42c94c5012f1673420aee96315925a upstream.

Fix a large number of problems with how we handle mount options in the
superblock.  For one, if the string in the superblock is long enough
that it is not null terminated, we could run off the end of the string
and try to interpret superblock fields as characters.  It's unlikely
this will cause a security problem, but it could result in an invalid
parse.  Also, parse_options is destructive to the string, so in some
cases if there is a comma-separated string, it would be modified in
the superblock.  (Fortunately it only happens on file systems with a
1k block size.)

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 38 +++++++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 15 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3407,7 +3407,7 @@ static int ext4_fill_super(struct super_
 	char *orig_data = kstrdup(data, GFP_KERNEL);
 	struct buffer_head *bh;
 	struct ext4_super_block *es = NULL;
-	struct ext4_sb_info *sbi;
+	struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
 	ext4_fsblk_t block;
 	ext4_fsblk_t sb_block = get_sb_block(&data);
 	ext4_fsblk_t logical_sb_block;
@@ -3427,16 +3427,14 @@ static int ext4_fill_super(struct super_
 	unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
 	ext4_group_t first_not_zeroed;
 
-	sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
-	if (!sbi)
-		goto out_free_orig;
+	if ((data && !orig_data) || !sbi)
+		goto out_free_base;
 
 	sbi->s_blockgroup_lock =
 		kzalloc(sizeof(struct blockgroup_lock), GFP_KERNEL);
-	if (!sbi->s_blockgroup_lock) {
-		kfree(sbi);
-		goto out_free_orig;
-	}
+	if (!sbi->s_blockgroup_lock)
+		goto out_free_base;
+
 	sb->s_fs_info = sbi;
 	sbi->s_sb = sb;
 	sbi->s_inode_readahead_blks = EXT4_DEF_INODE_READAHEAD_BLKS;
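
Review bot: `sbi` is now allocated in its declaration (previous hunk) and only checked here, after the `get_sb_block(&data)` initialiser has already run, and the new `goto out_free_base` ends in `return err ? err : ret;` without this hunk setting either variable. Please confirm both still yield -ENOMEM at this point, and consider keeping the kzalloc() as a statement next to its check, as the removed lines had it, so the failure handling stays readable.
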
@@ -3582,11 +3580,19 @@ static int ext4_fill_super(struct super_
 	 */
 	sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;
 
-	if (!parse_options((char *) sbi->s_es->s_mount_opts, sb,
-			   &journal_devnum, &journal_ioprio, 0)) {
-		ext4_msg(sb, KERN_WARNING,
-			 "failed to parse options in superblock: %s",
-			 sbi->s_es->s_mount_opts);
+	if (sbi->s_es->s_mount_opts[0]) {
+		char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+					      sizeof(sbi->s_es->s_mount_opts),
+					      GFP_KERNEL);
+		if (!s_mount_opts)
+			goto failed_mount;
+		if (!parse_options(s_mount_opts, sb, &journal_devnum,
+				   &journal_ioprio, 0)) {
+			ext4_msg(sb, KERN_WARNING,
+				 "failed to parse options in superblock: %s",
+				 s_mount_opts);
+		}
+		kfree(s_mount_opts);
 	}
 	sbi->s_def_mount_opt = sbi->s_mount_opt;
 	if (!parse_options((char *) data, sb, &journal_devnum,
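
Review bot: when kstrndup() fails the code jumps to failed_mount without setting an error code, so the mount fails with whatever `err ? err : ret` (last hunk) evaluates to here rather than an explicit -ENOMEM; setting it before the goto would make that certain. Separately, the warning prints `s_mount_opts` after parse_options() has run on it, and the commit message itself notes that parse_options is destructive to the string, so the logged text may be cut at the first separator. Printing the superblock copy with a bounded `%.*s`, as the "mounted filesystem" message does in the next hunk, would show the full option string.
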
@@ -4251,7 +4257,9 @@ no_journal:
 	}
 
 	ext4_msg(sb, KERN_INFO, "mounted filesystem with%s. "
-		 "Opts: %s%s%s", descr, sbi->s_es->s_mount_opts,
+		 "Opts: %.*s%s%s", descr,
+		 (int) sizeof(sbi->s_es->s_mount_opts),
+		 sbi->s_es->s_mount_opts,
 		 *sbi->s_es->s_mount_opts ? "; " : "", orig_data);
 
 	if (es->s_error_count)
@@ -4325,8 +4333,8 @@ failed_mount:
 out_fail:
 	sb->s_fs_info = NULL;
 	kfree(sbi->s_blockgroup_lock);
+out_free_base:
 	kfree(sbi);
-out_free_orig:
 	kfree(orig_data);
 	return err ? err : ret;
 }

* [PATCH 3.16 066/370] block: protect iterate_bdevs() against concurrent close
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 094/370] ext4: reject inodes with negative size Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 132/370] net/mlx4: Remove BUG_ON from ICM allocation routine Ben Hutchings
                   ` (225 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jan Kara, Rabin Vincent, Jens Axboe, Christoph Hellwig

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rabin Vincent <rabinv@axis.com>

commit af309226db916e2c6e08d3eba3fa5c34225200c4 upstream.

If a block device is closed while iterate_bdevs() is handling it, the
following NULL pointer dereference occurs because bdev->b_disk is NULL
in bdev_get_queue(), which is called from blk_get_backing_dev_info() (in
turn called by the mapping_cap_writeback_dirty() call in
__filemap_fdatawrite_range()):

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000508
 IP: [<ffffffff81314790>] blk_get_backing_dev_info+0x10/0x20
 PGD 9e62067 PUD 9ee8067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
 Modules linked in:
 CPU: 1 PID: 2422 Comm: sync Not tainted 4.5.0-rc7+ #400
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
 task: ffff880009f4d700 ti: ffff880009f5c000 task.ti: ffff880009f5c000
 RIP: 0010:[<ffffffff81314790>]  [<ffffffff81314790>] blk_get_backing_dev_info+0x10/0x20
 RSP: 0018:ffff880009f5fe68  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffff88000ec17a38 RCX: ffffffff81a4e940
 RDX: 7fffffffffffffff RSI: 0000000000000000 RDI: ffff88000ec176c0
 RBP: ffff880009f5fe68 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88000ec17860
 R13: ffffffff811b25c0 R14: ffff88000ec178e0 R15: ffff88000ec17a38
 FS:  00007faee505d700(0000) GS:ffff88000fb00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
 CR2: 0000000000000508 CR3: 0000000009e8a000 CR4: 00000000000006e0
 Stack:
  ffff880009f5feb8 ffffffff8112e7f5 0000000000000000 7fffffffffffffff
  0000000000000000 0000000000000000 7fffffffffffffff 0000000000000001
  ffff88000ec178e0 ffff88000ec17860 ffff880009f5fec8 ffffffff8112e81f
 Call Trace:
  [<ffffffff8112e7f5>] __filemap_fdatawrite_range+0x85/0x90
  [<ffffffff8112e81f>] filemap_fdatawrite+0x1f/0x30
  [<ffffffff811b25d6>] fdatawrite_one_bdev+0x16/0x20
  [<ffffffff811bc402>] iterate_bdevs+0xf2/0x130
  [<ffffffff811b2763>] sys_sync+0x63/0x90
  [<ffffffff815d4272>] entry_SYSCALL_64_fastpath+0x12/0x76
 Code: 0f 1f 44 00 00 48 8b 87 f0 00 00 00 55 48 89 e5 <48> 8b 80 08 05 00 00 5d
 RIP  [<ffffffff81314790>] blk_get_backing_dev_info+0x10/0x20
  RSP <ffff880009f5fe68>
 CR2: 0000000000000508
 ---[ end trace 2487336ceb3de62d ]---

The crash is easily reproducible by running the following command, if an
msleep(100) is inserted before the call to func() in iterate_devs():

 while :; do head -c1 /dev/nullb0; done > /dev/null & while :; do sync; done

Fix it by holding the bd_mutex across the func() call and only calling
func() if the bdev is opened.

Fixes: 5c0d6b60a0ba ("vfs: Create function for iterating over block devices")
Reported-and-tested-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Rabin Vincent <rabinv@axis.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/block_dev.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1731,6 +1731,7 @@ void iterate_bdevs(void (*func)(struct b
 	spin_lock(&inode_sb_list_lock);
 	list_for_each_entry(inode, &blockdev_superblock->s_inodes, i_sb_list) {
 		struct address_space *mapping = inode->i_mapping;
+		struct block_device *bdev;
 
 		spin_lock(&inode->i_lock);
 		if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW) ||
@@ -1751,8 +1752,12 @@ void iterate_bdevs(void (*func)(struct b
 		 */
 		iput(old_inode);
 		old_inode = inode;
+		bdev = I_BDEV(inode);
 
-		func(I_BDEV(inode), arg);
+		mutex_lock(&bdev->bd_mutex);
+		if (bdev->bd_openers)
+			func(bdev, arg);
+		mutex_unlock(&bdev->bd_mutex);
 
 		spin_lock(&inode_sb_list_lock);
 	}
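
Review bot: func() is now invoked with `bdev->bd_mutex` held, so every callback passed to iterate_bdevs() must avoid taking bd_mutex itself or calling anything that opens or closes the device. That new constraint, and the fact that devices with `bd_openers == 0` are now skipped without any indication to the caller, should be documented in a comment above iterate_bdevs().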

* [PATCH 3.16 037/370] IB/mlx5: Put non zero value in max_ah
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 001/370] staging: iio: ad7606: fix improper setting of oversampling pins Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 076/370] ALSA: hda - Add the top speaker pin config for HP Spectre x360 Ben Hutchings
                   ` (215 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Maor Gottlieb, Doug Ledford, Leon Romanovsky, Mark Bloch

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maor Gottlieb <maorg@mellanox.com>

commit 86695a6582e3b1c4895de2bde4e1022b3a8fbda0 upstream.

We put INT_MAX since this is the max value that can be held.
Though there is no hardware limitation, this is practically
a large enough number so we can use it.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -319,6 +319,7 @@ static int mlx5_ib_query_device(struct i
 	props->max_total_mcast_qp_attach = props->max_mcast_qp_attach *
 					   props->max_mcast_grp;
 	props->max_map_per_fmr = INT_MAX; /* no limit in ConnectIB */
+	props->max_ah = INT_MAX;
 
 out:
 	kfree(in_mad);
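
Review bot: the added `props->max_ah = INT_MAX;` carries no comment, while the line directly above explains its own INT_MAX with `/* no limit in ConnectIB */`. The commit message gives the reasoning (no hardware limit, INT_MAX is the largest value the field can hold); a matching short comment on the new line would keep that next to the code.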

* [PATCH 3.16 013/370] usb: add helper to extract bits 12:11 of wMaxPacketSize
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 061/370] USB: serial: kl5kusb105: abort on open exception path Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 124/370] [media] s5k4ecgx: select CRC32 helper Ben Hutchings
                   ` (363 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit 541b6fe63023f3059cf85d47ff2767a3e42a8e44 upstream.

According to USB Specification 2.0 table 9-4,
wMaxPacketSize is a bitfield. Endpoint's maxpacket
is laid out in bits 10:0. For high-speed,
high-bandwidth isochronous endpoints, bits 12:11
contain a multiplier to tell us how many
transactions we want to try per uframe.

This means that if we want an isochronous endpoint
to issue 3 transfers of 1024 bytes per uframe,
wMaxPacketSize should contain the value:

	1024 | (2 << 11)

or 5120 (0x1400). In order to make Host and
Peripheral controller drivers' life easier, we're
adding a helper which returns bits 12:11. Note that
no care is taken WRT checking endpoint type and
gadget's speed. That's left for drivers to handle.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/uapi/linux/usb/ch9.h | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -398,6 +398,11 @@ struct usb_endpoint_descriptor {
 #define USB_ENDPOINT_XFER_INT		3
 #define USB_ENDPOINT_MAX_ADJUSTABLE	0x80
 
+#define USB_EP_MAXP_MULT_SHIFT	11
+#define USB_EP_MAXP_MULT_MASK	(3 << USB_EP_MAXP_MULT_SHIFT)
+#define USB_EP_MAXP_MULT(m) \
+	(((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT)
+
 /* The USB 3.0 spec redefines bits 5:4 of bmAttributes as interrupt ep type. */
 #define USB_ENDPOINT_INTRTYPE		0x30
 #define USB_ENDPOINT_INTR_PERIODIC	(0 << 4)
@@ -605,6 +610,20 @@ static inline int usb_endpoint_maxp(cons
 	return __le16_to_cpu(epd->wMaxPacketSize);
 }
 
+/**
+ * usb_endpoint_maxp_mult - get endpoint's transactional opportunities
+ * @epd: endpoint to be checked
+ *
+ * Return @epd's wMaxPacketSize[12:11] + 1
+ */
+static inline int
+usb_endpoint_maxp_mult(const struct usb_endpoint_descriptor *epd)
+{
+	int maxp = __le16_to_cpu(epd->wMaxPacketSize);
+
+	return USB_EP_MAXP_MULT(maxp) + 1;
+}
+
 static inline int usb_endpoint_interrupt_type(
 		const struct usb_endpoint_descriptor *epd)
 {
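
Review bot: the kernel-doc for usb_endpoint_maxp_mult() does not state the range of the result or who validates it. As written the helper returns 1 to 4, including 4 when both of bits 12:11 are set, whereas the commit message's own example tops out at 3 transactions per uframe, and the changelog says endpoint type and speed checks are left to drivers. Please put that in the comment. It is also worth noting there that usb_endpoint_maxp(), visible in the context just above, still returns the whole wMaxPacketSize with bits 12:11 included, so callers combining the two need to mask.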

* [PATCH 3.16 039/370] IB/IPoIB: Remove can't use GFP_NOIO warning
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 100/370] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 021/370] xfs: fix up xfs_swap_extent_forks inline extent handling Ben Hutchings
                   ` (184 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Doug Ledford, Yuval Shaia, Kamal Heib

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kamal Heib <kamalh@mellanox.com>

commit 0b59970e7d96edcb3c7f651d9d48e1a59af3c3b0 upstream.

Remove the warning print of "can't use of GFP_NOIO" to avoid prints in
each QP creation when devices aren't supporting IB_QP_CREATE_USE_GFP_NOIO.

This print becomes more annoying when the IPoIB interface is configured
to work in connected mode.

Fixes: 09b93088d750 ('IB: Add a QP creation flag to use GFP_NOIO allocations')
Signed-off-by: Kamal Heib <kamalh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_cm.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1038,8 +1038,6 @@ static struct ib_qp *ipoib_cm_create_tx_
 
 	tx_qp = ib_create_qp(priv->pd, &attr);
 	if (PTR_ERR(tx_qp) == -EINVAL) {
-		ipoib_warn(priv, "can't use GFP_NOIO for QPs on device %s, using GFP_KERNEL\n",
-			   priv->ca->name);
 		attr.create_flags &= ~IB_QP_CREATE_USE_GFP_NOIO;
 		tx_qp = ib_create_qp(priv->pd, &attr);
 	}
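
Review bot: with the ipoib_warn() gone, the `PTR_ERR(tx_qp) == -EINVAL` branch drops IB_QP_CREATE_USE_GFP_NOIO and retries silently, and since the branch tests only the error code, an -EINVAL returned for any other reason takes the same path with no trace. A debug-level or once-only message in place of the removed lines would keep the fallback visible without the per-QP noise the commit message describes.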

* [PATCH 3.16 040/370] IB/mlx4: Set traffic class in AH
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 117/370] i2c: mux: pca954x: fix i2c mux selection caching Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 008/370] net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames Ben Hutchings
                   ` (263 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Doug Ledford, Mark Bloch, Leon Romanovsky, Maor Gottlieb,
	Daniel Jurgens

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maor Gottlieb <maorg@mellanox.com>

commit af4295c117b82a521b05d0daf39ce879d26e6cb1 upstream.

Set traffic class within sl_tclass_flowlabel when creating an iboe AH.
Without this the TOS value will be empty when running VLAN tagged
traffic, because the TOS value is taken from the traffic class in the
address handle attributes.

Fixes: 9106c4106974 ('IB/mlx4: Fix SL to 802.1Q priority-bits mapping for IBoE')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/ah.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/mlx4/ah.c
+++ b/drivers/infiniband/hw/mlx4/ah.c
@@ -97,7 +97,9 @@ static struct ib_ah *create_iboe_ah(stru
 		       !(1 << ah->av.eth.stat_rate & dev->caps.stat_rate_support))
 			--ah->av.eth.stat_rate;
 	}
-
+	ah->av.eth.sl_tclass_flowlabel |=
+			cpu_to_be32((ah_attr->grh.traffic_class << 20) |
+				    ah_attr->grh.flow_label);
 	/*
 	 * HW requires multicast LID so we just choose one.
 	 */
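
Review bot: the added `cpu_to_be32((ah_attr->grh.traffic_class << 20) | ah_attr->grh.flow_label)` ORs flow_label in unmasked, so any bits above bit 19 would spill into the traffic class field; masking it to 20 bits would make the layout explicit. The hunk also starts programming the flow label, which the commit message does not mention.
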
@@ -105,7 +107,7 @@ static struct ib_ah *create_iboe_ah(stru
 		ah->av.ib.dlid = cpu_to_be16(0xc000);
 
 	memcpy(ah->av.eth.dgid, ah_attr->grh.dgid.raw, 16);
-	ah->av.eth.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 29);
+	ah->av.eth.sl_tclass_flowlabel |= cpu_to_be32(ah_attr->sl << 29);
 
 	return &ah->ibah;
 }
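
Review bot: changing `=` to `|=` for the `ah_attr->sl << 29` term makes sl_tclass_flowlabel depend on the field being zero before the first `|=` in the earlier hunk, and nothing in the visible lines shows that initialisation. Building the whole word in one plain assignment (sl, traffic class and flow label together) would remove that dependency and the ordering coupling between the two statements.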

* [PATCH 3.16 014/370] usb: gadget: composite: always set ep->mult to a sensible value
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream.

ep->mult is supposed to be set to Isochronous and
Interrupt Endpoint's multiplier value. This value
is computed from different places depending on the
link speed.

If we're dealing with HighSpeed, then it's part of
bits [12:11] of wMaxPacketSize. This case wasn't
taken into consideration before.

While at that, also make sure the ep->mult defaults
to one so drivers can use it unconditionally and
assume they'll never multiply ep->maxpacket to zero.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/composite.c | 9 +++++++--
 drivers/usb/gadget/uvc_video.c | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -147,7 +147,12 @@ ep_found:
 	_ep->desc = chosen_desc;
 	_ep->comp_desc = NULL;
 	_ep->maxburst = 0;
-	_ep->mult = 0;
+	_ep->mult = 1;
+
+	if (g->speed == USB_SPEED_HIGH && (usb_endpoint_xfer_isoc(_ep->desc) ||
+				usb_endpoint_xfer_int(_ep->desc)))
+		_ep->mult = usb_endpoint_maxp_mult(_ep->desc);
+
 	if (!want_comp_desc)
 		return 0;
 
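
Review bot: the new high-speed branch assigns `usb_endpoint_maxp_mult(_ep->desc)` directly, while the companion-descriptor path in the next hunk adds 1 to the descriptor bits; a comment should state that the helper already returns a 1-based count, since drivers will now multiply by ep->mult unconditionally. The two-line condition would also read better with the isoc/int test split out or aligned under the opening parenthesis.
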
@@ -164,7 +169,7 @@ ep_found:
 		switch (usb_endpoint_type(_ep->desc)) {
 		case USB_ENDPOINT_XFER_ISOC:
 			/* mult: bits 1:0 of bmAttributes */
-			_ep->mult = comp_desc->bmAttributes & 0x3;
+			_ep->mult = (comp_desc->bmAttributes & 0x3) + 1;
 		case USB_ENDPOINT_XFER_BULK:
 		case USB_ENDPOINT_XFER_INT:
 			_ep->maxburst = comp_desc->bMaxBurst + 1;
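
Review bot: ep->mult changes here from the raw 0-based descriptor bits to a 1-based count, but the comment `/* mult: bits 1:0 of bmAttributes */` still describes the raw field; update it to say the stored value is the field plus one. Every consumer of ep->mult has to follow this semantic change (this patch adjusts only uvc_video.c), and the ISOC case falls through into the BULK and INT cases without a fall-through comment.
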
--- a/drivers/usb/gadget/uvc_video.c
+++ b/drivers/usb/gadget/uvc_video.c
@@ -240,7 +240,7 @@ uvc_video_alloc_requests(struct uvc_vide
 
 	req_size = video->ep->maxpacket
 		 * max_t(unsigned int, video->ep->maxburst, 1)
-		 * (video->ep->mult + 1);
+		 * (video->ep->mult);
 
 	for (i = 0; i < UVC_NUM_REQUESTS; ++i) {
 		video->req_buffer[i] = kmalloc(req_size, GFP_KERNEL);
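
Review bot: `(video->ep->mult)` is now used bare, whereas maxburst on the line above is guarded with `max_t(unsigned int, video->ep->maxburst, 1)`; if mult were ever still 0, req_size would be 0 and the kmalloc() below would be asked for zero bytes. Either guard mult the same way or note that composite.c guarantees it is at least 1, and drop the leftover parentheses.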

* [PATCH 3.16 042/370] IB/mlx4: Fix port query for 56Gb Ethernet links
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Saeed Mahameed, Doug Ledford, Leon Romanovsky,
	Yishai Hadas, Daniel Jurgens

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Saeed Mahameed <saeedm@mellanox.com>

commit 6fa26208206c406fa529cd73f7ae6bf4181e270b upstream.

Report the correct speed in the port attributes when using a 56Gbps
ethernet link.  Without this change the field is incorrectly set to 10.

Fixes: a9c766bb75ee ('IB/mlx4: Fix info returned when querying IBoE ports')
Fixes: 2e96691c31ec ('IB: Use central enum for speed instead of hard-coded values')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/main.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -346,9 +346,11 @@ static int eth_link_query_port(struct ib
 	if (err)
 		goto out;
 
-	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ?
-						IB_WIDTH_4X : IB_WIDTH_1X;
-	props->active_speed	= IB_SPEED_QDR;
+	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ||
+				   (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_WIDTH_4X : IB_WIDTH_1X;
+	props->active_speed	=  (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_SPEED_FDR : IB_SPEED_QDR;
 	props->port_cap_flags	= IB_PORT_CM_SUP | IB_PORT_IP_BASED_GIDS;
 	props->gid_tbl_len	= mdev->dev->caps.gid_table_len[port];
 	props->max_msg_sz	= mdev->dev->caps.max_msg_sz;
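
Review bot: the active_width expression relies on `||` binding tighter than `?:`, and `((u8 *)mailbox->buf)[5]` is now read and cast three times against the bare constants 0x40 and 0x20. Reading the byte into a local u8 once, naming the two values, and parenthesising the `||` operands would make the 56Gb case easier to verify.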

* [PATCH 3.16 036/370] IB/core: Save QP in ib_flow structure
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Maor Gottlieb, Doug Ledford, Mark Bloch, Leon Romanovsky

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Bloch <markb@mellanox.com>

commit 8ecc7985b4b15f1f14bce31d8ab45dc426df7da3 upstream.

When we create a flow steering rule, we need to save the related QP in the
ib_flow struct. This QP is used in destroy flow.

Move the QP assignment from ib_uverbs_ex_create_flow into ib_create_flow,
this would allow both kernel and userspace consumers to use it.

This bug wasn't seen in the wild because there are no kernel consumers
currently in the kernel.

Fixes: 319a441d1361 ("IB/core: Add receive flow steering support")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 1 -
 drivers/infiniband/core/verbs.c      | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2764,7 +2764,6 @@ int ib_uverbs_ex_create_flow(struct ib_u
 		err = PTR_ERR(flow_id);
 		goto err_free;
 	}
-	flow_id->qp = qp;
 	flow_id->uobject = uobj;
 	uobj->object = flow_id;
 
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1420,8 +1420,10 @@ struct ib_flow *ib_create_flow(struct ib
 		return ERR_PTR(-ENOSYS);
 
 	flow_id = qp->device->create_flow(qp, flow_attr, domain);
-	if (!IS_ERR(flow_id))
+	if (!IS_ERR(flow_id)) {
 		atomic_inc(&qp->usecnt);
+		flow_id->qp = qp;
+	}
 	return flow_id;
 }
 EXPORT_SYMBOL(ib_create_flow);
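
Review bot: `flow_id->qp = qp;` is set only after `create_flow()` has returned, so a driver's create_flow implementation cannot rely on the qp field of the flow it returns. That is fine for the destroy path the commit message describes, but a short comment here or at the ib_flow definition saying that the core fills in qp would stop drivers from depending on it earlier.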

* [PATCH 3.16 020/370] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kbuild test robot, Jesper Nilsson, Guenter Roeck

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 328cf6927bb72cadefddebbc9a23c793108147a2 upstream.

If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image
object file is empty. With recent versions of binutils, this results
in the following build error.

cris-linux-objcopy: error:
	the input file 'arch/cris/boot/rescue/rescue.o' has no sections

This is seen, for example, when trying to build cris:allnoconfig
with recently generated toolchains.

Since it does not make sense to build a flash rescue image if there is
no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 66ab3a74c5ce ("CRIS: Merge machine dependent boot/compressed ..")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/cris/boot/rescue/Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/cris/boot/rescue/Makefile
+++ b/arch/cris/boot/rescue/Makefile
@@ -10,6 +10,9 @@
 
 asflags-y += $(LINUXINCLUDE)
 ccflags-y += -O2 $(LINUXINCLUDE)
+
+ifdef CONFIG_ETRAX_AXISFLASHMAP
+
 arch-$(CONFIG_ETRAX_ARCH_V10) = v10
 arch-$(CONFIG_ETRAX_ARCH_V32) = v32
 
@@ -28,6 +31,11 @@ $(obj)/rescue.bin: $(obj)/rescue.o FORCE
 	$(call if_changed,objcopy)
 	cp -p $(obj)/rescue.bin $(objtree)
 
+else
+$(obj)/rescue.bin:
+
+endif
+
 $(obj)/testrescue.bin: $(obj)/testrescue.o
 	$(OBJCOPY) $(OBJCOPYFLAGS) $(obj)/testrescue.o tr.bin
 # Pad it to 784 bytes
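
Review bot: the `else` branch adds `$(obj)/rescue.bin:` as an empty rule with no recipe and no comment, so with CONFIG_ETRAX_AXISFLASHMAP unset the target is treated as satisfied without producing a file. A comment explaining that the rule is intentionally empty would help, and the testrescue.bin rule that follows stays outside the ifdef, which looks deliberate but is worth confirming.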

* [PATCH 3.16 033/370] dm rq: fix a race condition in rq_completed()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bart Van Assche, Mike Snitzer

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit d15bb3a6467e102e60d954aadda5fb19ce6fd8ec upstream.

It is required to hold the queue lock when calling blk_run_queue_async()
to avoid that a race between blk_run_queue_async() and
blk_cleanup_queue() is triggered.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -868,6 +868,9 @@ static void end_clone_bio(struct bio *cl
  */
 static void rq_completed(struct mapped_device *md, int rw, int run_queue)
 {
+	struct request_queue *q = md->queue;
+	unsigned long flags;
+
 	atomic_dec(&md->pending[rw]);
 
 	/* nudge anyone waiting on suspend queue */
@@ -880,8 +883,11 @@ static void rq_completed(struct mapped_d
 	 * back into ->request_fn() could deadlock attempting to grab the
 	 * queue lock again.
 	 */
-	if (run_queue)
-		blk_run_queue_async(md->queue);
+	if (run_queue) {
+		spin_lock_irqsave(q->queue_lock, flags);
+		blk_run_queue_async(q);
+		spin_unlock_irqrestore(q->queue_lock, flags);
+	}
 
 	/*
 	 * dm_put() must be at the end of this function. See the comment above
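
Review bot: the retained comment just above the new code still warns that re-entering ->request_fn() "could deadlock attempting to grab the queue lock again", yet the function now takes q->queue_lock itself around blk_run_queue_async(). Extend that comment to say why the lock is held here (the race with blk_cleanup_queue() from the commit message) and that rq_completed() must not be called with q->queue_lock already held, since `spin_lock_irqsave(q->queue_lock, flags)` would then self-deadlock.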

* [PATCH 3.16 067/370] NFS: Fix a performance regression in readdir
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Benjamin Coddington, Trond Myklebust

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 79f687a3de9e3ba2518b4ea33f38ca6cbe9133eb upstream.

Ben Coddington reports that commit 311324ad1713, by adding the function
nfs_dir_mapping_need_revalidate() that checks page cache validity on
each call to nfs_readdir() causes a performance regression when
the directory is being modified.

If the directory is changing while we're iterating through the directory,
POSIX does not require us to invalidate the page cache unless the user
calls rewinddir(). However, we still do want to ensure that we use
readdirplus in order to avoid a load of stat() calls when the user
is doing an 'ls -l' workload.

The fix should be to invalidate the page cache immediately when we're
setting the NFS_INO_ADVISE_RDPLUS bit.

Reported-by: Benjamin Coddington <bcodding@redhat.com>
Fixes: 311324ad1713 ("NFS: Be more aggressive in using readdirplus...")
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Tested-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/dir.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -455,7 +455,7 @@ void nfs_force_use_readdirplus(struct in
 {
 	if (!list_empty(&NFS_I(dir)->open_files)) {
 		nfs_advise_use_readdirplus(dir);
-		nfs_zap_mapping(dir, dir->i_mapping);
+		invalidate_mapping_pages(dir->i_mapping, 0, -1);
 	}
 }
 
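
Review bot: `invalidate_mapping_pages(dir->i_mapping, 0, -1)` passes a bare -1 as the end index and ignores the return value, so nothing records whether any cached pages were actually dropped. A comment stating that the intent is to invalidate the whole directory mapping immediately, rather than deferring it as the replaced nfs_zap_mapping() call did, would make the behavioural change explicit.
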
@@ -837,17 +837,6 @@ int uncached_readdir(nfs_readdir_descrip
 	goto out;
 }
 
-static bool nfs_dir_mapping_need_revalidate(struct inode *dir)
-{
-	struct nfs_inode *nfsi = NFS_I(dir);
-
-	if (nfs_attribute_cache_expired(dir))
-		return true;
-	if (nfsi->cache_validity & NFS_INO_INVALID_DATA)
-		return true;
-	return false;
-}
-
 /* The file offset position represents the dirent entry number.  A
    last cookie cache takes care of the common case of reading the
    whole directory.
@@ -880,7 +869,7 @@ static int nfs_readdir(struct file *file
 	desc->plus = nfs_use_readdirplus(inode, ctx) ? 1 : 0;
 
 	nfs_block_sillyrename(dentry);
-	if (ctx->pos == 0 || nfs_dir_mapping_need_revalidate(inode))
+	if (ctx->pos == 0 || nfs_attribute_cache_expired(inode))
 		res = nfs_revalidate_mapping(inode, file->f_mapping);
 	if (res < 0)
 		goto out;
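
Review bot: with nfs_dir_mapping_need_revalidate() gone, the condition `ctx->pos == 0 || nfs_attribute_cache_expired(inode)` no longer looks at NFS_INO_INVALID_DATA and revalidates only at position 0 or on attribute cache expiry. A comment above the condition explaining that mid-directory invalidation is intentionally skipped unless the user rewinds, as the commit message argues, would keep the check from being restored by a later cleanup.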

* [PATCH 3.16 031/370] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mathias Nyman, Sebastian Andrzej Siewior, Dan Carpenter,
	Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream.

We normally use the passed in gfp flags for allocations, it's just these
two which were missed.

Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()")
Cc: Mathias Nyman <mathias.nyman@intel.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-mem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2368,7 +2368,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
 	 * "physically contiguous and 64-byte (cache line) aligned".
 	 */
 	xhci->dcbaa = dma_alloc_coherent(dev, sizeof(*xhci->dcbaa), &dma,
-			GFP_KERNEL);
+			flags);
 	if (!xhci->dcbaa)
 		goto fail;
 	memset(xhci->dcbaa, 0, sizeof *(xhci->dcbaa));
@@ -2464,7 +2464,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
 
 	xhci->erst.entries = dma_alloc_coherent(dev,
 			sizeof(struct xhci_erst_entry) * ERST_NUM_SEGS, &dma,
-			GFP_KERNEL);
+			flags);
 	if (!xhci->erst.entries)
 		goto fail;
 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,

* [PATCH 3.16 007/370] crypto: arm64/aes-xts-ce: fix for big endian
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ard Biesheuvel, Herbert Xu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit caf4b9e2b326cc2a5005a5c557274306536ace61 upstream.

Emit the XTS tweak literal constants in the appropriate order for a
single 128-bit scalar literal load.

Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/aes-ce.S    | 1 +
 arch/arm64/crypto/aes-modes.S | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/arch/arm64/crypto/aes-ce.S
+++ b/arch/arm64/crypto/aes-ce.S
@@ -10,6 +10,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 #define AES_ENTRY(func)		ENTRY(ce_ ## func)
 #define AES_ENDPROC(func)	ENDPROC(ce_ ## func)
--- a/arch/arm64/crypto/aes-modes.S
+++ b/arch/arm64/crypto/aes-modes.S
@@ -386,7 +386,8 @@ AES_ENDPROC(aes_ctr_encrypt)
 	.endm
 
 .Lxts_mul_x:
-	.word		1, 0, 0x87, 0
+CPU_LE(	.quad		1, 0x87		)
+CPU_BE(	.quad		0x87, 1		)
 
 AES_ENTRY(aes_xts_encrypt)
 	FRAME_PUSH
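
Review bot: the CPU_LE()/CPU_BE() pair at .Lxts_mul_x needs a comment saying the constants are ordered for a single 128-bit load, because the reason the two `.quad` lines differ is not evident from the code. aes-modes.S now depends on these macros while the include of asm/assembler.h is added only to aes-ce.S, so any other file that pulls in aes-modes.S must provide that header as well.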

* [PATCH 3.16 058/370] md/raid5: limit request size according to implementation limits
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Konstantin Khlebnikov, Shaohua Li, Neil Brown, Shaohua Li

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit e8d7c33232e5fdfa761c3416539bc5b4acd12db5 upstream.

The current implementation employs a 16-bit counter of active stripes in the
lower bits of bio->bi_phys_segments. If a request is big enough to overflow
this counter, the bio will be completed and freed too early.

Fortunately this does not happen in the default configuration because several
other limits prevent it: stripe_cache_size * nr_disks effectively
limits the count of active stripes. And small max_sectors_kb at lower
disks prevents it during normal read/write operations.

Overflow easily happens in discard if it's enabled by module parameter
"devices_handle_discard_safely" and stripe_cache_size is set big enough.

This patch limits request size to 256Mb - 8Kb to prevent overflows.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Shaohua Li <shli@kernel.org>
Cc: Neil Brown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/raid5.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6222,6 +6222,15 @@ static int run(struct mddev *mddev)
 			stripe = (stripe | (stripe-1)) + 1;
 		mddev->queue->limits.discard_alignment = stripe;
 		mddev->queue->limits.discard_granularity = stripe;
+
+		/*
+		 * We use 16-bit counter of active stripes in bi_phys_segments
+		 * (minus one for over-loaded initialization)
+		 */
+		blk_queue_max_hw_sectors(mddev->queue, 0xfffe * STRIPE_SECTORS);
+		blk_queue_max_discard_sectors(mddev->queue,
+					      0xfffe * STRIPE_SECTORS);
+
 		/*
 		 * unaligned part of discard request will be ignored, so can't
 		 * guarantee discard_zeroes_data
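
Review bot: the limit `0xfffe * STRIPE_SECTORS` appears twice as a bare constant and the added comment does not say what "over-loaded initialization" refers to; a named macro derived from the 16-bit counter width would document both calls. The indentation also shows the new blk_queue_max_hw_sectors() call sitting in the same nested block as the discard_alignment and discard_granularity setup, so confirm that the read/write limit is meant to be applied only where that block runs.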

* [PATCH 3.16 057/370] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream.

The function returns -EINVAL even if it builds the stream properly.
The bogus error code sneaked in during the code refactoring, but it
wasn't noticed until now since the returned error code itself is
ignored anyway.  Kill it here, but there is no behavior change by
this patch, obviously.

Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/card.c | 1 -
 1 file changed, 1 deletion(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -204,7 +204,6 @@ static int snd_usb_create_stream(struct
 	if (! snd_usb_parse_audio_interface(chip, interface)) {
 		usb_set_interface(dev, interface, 0); /* reset the current interface */
 		usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
-		return -EINVAL;
 	}
 
 	return 0;
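
Review bot: with `return -EINVAL;` removed, the `if (! snd_usb_parse_audio_interface(chip, interface))` branch and the fall-through path both end at `return 0;`, so this part of snd_usb_create_stream() can no longer report anything from the parse call. If the parse function can fail, propagate its error; otherwise add a comment that a zero return means success, since the `!` test reads like an error check.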

* [PATCH 3.16 021/370] xfs: fix up xfs_swap_extent_forks inline extent handling
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Brian Foster, Dave Chinner, Eric Sandeen, Eric Sandeen

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Sandeen <sandeen@sandeen.net>

commit 4dfce57db6354603641132fac3c887614e3ebe81 upstream.

There have been several reports over the years of NULL pointer
dereferences in xfs_trans_log_inode during xfs_fsr processes,
when the process is doing an fput and tearing down extents
on the temporary inode, something like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
PID: 29439  TASK: ffff880550584fa0  CPU: 6   COMMAND: "xfs_fsr"
    [exception RIP: xfs_trans_log_inode+0x10]
 #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]
#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs]
#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs]
#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs]
#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs]
#14 [ffff8800a57bbe00] evict at ffffffff811e1b67
#15 [ffff8800a57bbe28] iput at ffffffff811e23a5
#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8
#17 [ffff8800a57bbe88] dput at ffffffff811dd06c
#18 [ffff8800a57bbea8] __fput at ffffffff811c823b
#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e
#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27
#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c
#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d

As it turns out, this is because the i_itemp pointer, along
with the d_ops pointer, has been overwritten with zeros
when we tear down the extents during truncate.  When the in-core
inode fork on the temporary inode used by xfs_fsr was originally
set up during the extent swap, we mistakenly looked at di_nextents
to determine whether all extents fit inline, but this misses extents
generated by speculative preallocation; we should be using if_bytes
instead.

This mistake corrupts the in-memory inode, and code in
xfs_iext_remove_inline eventually gets bad inputs, causing
it to memmove and memset incorrect ranges; this became apparent
because the two values in ifp->if_u2.if_inline_ext[1] contained
what should have been in d_ops and i_itemp; they were memmoved due
to incorrect array indexing and then the original locations
were zeroed with memset, again due to an array overrun.

Fix this by properly using i_df.if_bytes to determine the number
of extents, not di_nextents.

Thanks to dchinner for looking at this with me and spotting the
root cause.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
[bwh: Backported to 3.16: adjust indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_bmap_util.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -1632,6 +1632,7 @@ xfs_swap_extents(
 	int		error = 0;
 	int		aforkblks = 0;
 	int		taforkblks = 0;
+	xfs_extnum_t	nextents;
 	__uint64_t	tmp;
 	int		lock_flags;
 
@@ -1833,7 +1834,8 @@ xfs_swap_extents(
 		 * pointer.  Otherwise it's already NULL or
 		 * pointing to the extent.
 		 */
-		if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) {
+		nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
+		if (nextents <= XFS_INLINE_EXTS) {
 			ifp->if_u1.if_extents =
 				ifp->if_u2.if_inline_ext;
 		}
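
Review bot: the comment above the test still describes only the inline-extent pointer fix-up and does not say why the count now comes from `ip->i_df.if_bytes` instead of di_nextents. One added sentence about extents from speculative preallocation not being counted in di_nextents, as the commit message explains, would keep the next reader from reverting to the on-disk count.
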
@@ -1852,7 +1854,8 @@ xfs_swap_extents(
 		 * pointer.  Otherwise it's already NULL or
 		 * pointing to the extent.
 		 */
-		if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) {
+		nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
+		if (nextents <= XFS_INLINE_EXTS) {
 			tifp->if_u1.if_extents =
 				tifp->if_u2.if_inline_ext;
 		}
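
Review bot: `nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);` duplicates the computation from the previous hunk with only the inode changed. A small helper taking the inode fork, used for both ip and tip, would avoid the two copies drifting apart, and the (uint) cast on sizeof deserves either a comment or removal.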

* [PATCH 3.16 024/370] USB: UHCI: report non-PME wakeup signalling for Intel hardware
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bjorn Helgaas, Greg Kroah-Hartman, Alan Stern

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit ccdb6be9ec6580ef69f68949ebe26e0fb58a6fb0 upstream.

The UHCI controllers in Intel chipsets rely on a platform-specific non-PME
mechanism for wakeup signalling.  They can generate wakeup signals even
though they don't support PME.

We need to let the USB core know this so that it will enable runtime
suspend for UHCI controllers.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/uhci-pci.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/host/uhci-pci.c
+++ b/drivers/usb/host/uhci-pci.c
@@ -129,6 +129,10 @@ static int uhci_pci_init(struct usb_hcd
 	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_HP)
 		uhci->wait_for_hp = 1;
 
+	/* Intel controllers use non-PME wakeup signalling */
+	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_INTEL)
+		device_set_run_wake(uhci_dev(uhci), 1);
+
 	/* Set up pointers to PCI-specific functions */
 	uhci->reset_hc = uhci_pci_reset_hc;
 	uhci->check_and_reset_hc = uhci_pci_check_and_reset_hc;
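
Review bot: the new check keys only on `vendor == PCI_VENDOR_ID_INTEL`, so device_set_run_wake() is applied to every Intel UHCI controller without a per-device test; the comment should say that this is intended for all of them. `to_pci_dev(uhci_dev(uhci))` is now evaluated in two consecutive vendor tests and could be cached in a local.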

* [PATCH 3.16 060/370] USB: serial: kl5kusb105: fix open error path
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 6774d5f53271d5f60464f824748995b71da401ab upstream.

Kill urbs and disable read before returning from open on failure to
retrieve the line state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/kl5kusb105.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -300,7 +300,7 @@ static int  klsi_105_open(struct tty_str
 	rc = usb_serial_generic_open(tty, port);
 	if (rc) {
 		retval = rc;
-		goto exit;
+		goto err_free_cfg;
 	}
 
 	rc = usb_control_msg(port->serial->dev,
@@ -319,17 +319,32 @@ static int  klsi_105_open(struct tty_str
 		dev_dbg(&port->dev, "%s - enabled reading\n", __func__);
 
 	rc = klsi_105_get_line_state(port, &line_state);
-	if (rc >= 0) {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_state = line_state;
-		spin_unlock_irqrestore(&priv->lock, flags);
-		dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__, line_state);
-		retval = 0;
-	} else
+	if (rc < 0) {
 		retval = rc;
+		goto err_disable_read;
+	}
+
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->line_state = line_state;
+	spin_unlock_irqrestore(&priv->lock, flags);
+	dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__,
+			line_state);
+
+	return 0;
 
-exit:
+err_disable_read:
+	usb_control_msg(port->serial->dev,
+			     usb_sndctrlpipe(port->serial->dev, 0),
+			     KL5KUSB105A_SIO_CONFIGURE,
+			     USB_TYPE_VENDOR | USB_DIR_OUT,
+			     KL5KUSB105A_SIO_CONFIGURE_READ_OFF,
+			     0, /* index */
+			     NULL, 0,
+			     KLSI_TIMEOUT);
+	usb_serial_generic_close(port);
+err_free_cfg:
 	kfree(cfg);
+
 	return retval;
 }
 
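Review bot: Under `err_disable_read`, the result of the `KL5KUSB105A_SIO_CONFIGURE_READ_OFF` control message is dropped, so a device left with reading enabled after a failed open goes unreported. Returning the original `retval` is right, but a `dev_dbg()` or `dev_err()` on a negative result would make that state visible. The continuation lines of that call also keep the indentation of the `rc = usb_control_msg(` form above and sit five columns deeper than the first argument.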

* [PATCH 3.16 054/370] regmap: cache: Remove unused 'blksize' variable
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dimitris Papastamos, Mark Brown, Mark Brown, Kirtika Ruchandani

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kirtika Ruchandani <kirtika@chromium.org>

commit daaadbf07433b15c452b2ff411a293b2ccd98e03 upstream.

Commit 2cbbb579bcbe ("regmap: Add the LZO cache support") introduced
'blksize' in regcache_lzo_read() and regcache_lzo_write(), that is
set but not used. Compiling with W=1 gives the following warnings,
fix them.

drivers/base/regmap/regcache-lzo.c: In function ‘regcache_lzo_read’:
drivers/base/regmap/regcache-lzo.c:239:9: warning: variable ‘blksize’ set but not used [-Wunused-but-set-variable]
  size_t blksize, tmp_dst_len;
         ^
drivers/base/regmap/regcache-lzo.c: In function ‘regcache_lzo_write’:
drivers/base/regmap/regcache-lzo.c:278:9: warning: variable ‘blksize’ set but not used [-Wunused-but-set-variable]
  size_t blksize, tmp_dst_len;
         ^

These are harmless warnings and are only being fixed to reduce the
noise with W=1 in the kernel.

Fixes: 2cbbb579bcbe ("regmap: Add the LZO cache support")
Cc: Dimitris Papastamos <dp@opensource.wolfsonmicro.com>
Cc: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Kirtika Ruchandani <kirtika@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/regmap/regcache-lzo.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/drivers/base/regmap/regcache-lzo.c
+++ b/drivers/base/regmap/regcache-lzo.c
@@ -236,15 +236,13 @@ static int regcache_lzo_read(struct regm
 {
 	struct regcache_lzo_ctx *lzo_block, **lzo_blocks;
 	int ret, blkindex, blkpos;
-	size_t blksize, tmp_dst_len;
+	size_t tmp_dst_len;
 	void *tmp_dst;
 
 	/* index of the compressed lzo block */
 	blkindex = regcache_lzo_get_blkindex(map, reg);
 	/* register index within the decompressed block */
 	blkpos = regcache_lzo_get_blkpos(map, reg);
-	/* size of the compressed block */
-	blksize = regcache_lzo_get_blksize(map);
 	lzo_blocks = map->cache;
 	lzo_block = lzo_blocks[blkindex];
 
@@ -275,15 +273,13 @@ static int regcache_lzo_write(struct reg
 {
 	struct regcache_lzo_ctx *lzo_block, **lzo_blocks;
 	int ret, blkindex, blkpos;
-	size_t blksize, tmp_dst_len;
+	size_t tmp_dst_len;
 	void *tmp_dst;
 
 	/* index of the compressed lzo block */
 	blkindex = regcache_lzo_get_blkindex(map, reg);
 	/* register index within the decompressed block */
 	blkpos = regcache_lzo_get_blkpos(map, reg);
-	/* size of the compressed block */
-	blksize = regcache_lzo_get_blksize(map);
 	lzo_blocks = map->cache;
 	lzo_block = lzo_blocks[blkindex];
 
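Review bot: Both hunks drop the only visible calls to `regcache_lzo_get_blksize(map)`, and the changelog does not say whether the helper still has other callers. If it does not, it becomes dead code and should be removed in the same patch; if it does, a line in the changelog saying so would settle the question.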

* [PATCH 3.16 053/370] [media] DaVinci-VPFE-Capture: fix error handling
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab, Arnd Bergmann

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit d3d83ee20afda16ad0133ba00f63c11a8d842a35 upstream.

A recent cleanup had the right idea to remove the initialization
of the error variable, but missed the actual benefit of that,
which is that we get warnings if there is a bug in it. Now
we get a warning about a bug that was introduced by this cleanup:

drivers/media/platform/davinci/vpfe_capture.c: In function 'vpfe_probe':
drivers/media/platform/davinci/vpfe_capture.c:1992:9: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]

This adds the missing initialization that the warning is about,
and another one that was preexisting and that we did not get
a warning for. That second bug has existed since the driver
was first added.

Fixes: efb74461f5a6 ("[media] DaVinci-VPFE-Capture: Delete an unnecessary variable initialisation in vpfe_probe()")
Fixes: 7da8a6cb3e5b ("V4L/DVB (12248): v4l: vpfe capture bridge driver for DM355 and DM6446")

[mchehab@s-opensource.com: fix a merge conflict]
Signed-off-by: Arnd Bergmann <arnd@arndb.de>

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/davinci/vpfe_capture.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/platform/davinci/vpfe_capture.c
+++ b/drivers/media/platform/davinci/vpfe_capture.c
@@ -1967,6 +1967,7 @@ static int vpfe_probe(struct platform_de
 			v4l2_info(&vpfe_dev->v4l2_dev,
 				  "v4l2 sub device %s register fails\n",
 				  sdinfo->name);
+			ret = -ENXIO;
 			goto probe_sd_out;
 		}
 	}
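
Review bot: The branch that now sets `ret = -ENXIO` still reports the failure with `v4l2_info()`, although it aborts the probe through `probe_sd_out`. Since this path returns an error, `v4l2_err()` fits the message better.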

* [PATCH 3.16 052/370] [media] staging: media: davinci_vpfe: unlock on error in vpfe_reqbufs()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Laurent Pinchart, Dan Carpenter

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit c4a407b91f4b644145492e28723f9f880efb1da0 upstream.

We should unlock before returning this error code in vpfe_reqbufs().

Fixes: 622897da67b3 ("[media] davinci: vpfe: add v4l2 video driver support")

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/media/davinci_vpfe/vpfe_video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
+++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
@@ -1351,7 +1351,7 @@ static int vpfe_reqbufs(struct file *fil
 	if (ret) {
 		v4l2_err(&vpfe_dev->v4l2_dev, "vb2_queue_init() failed\n");
 		vb2_dma_contig_cleanup_ctx(vpfe_dev->pdev);
-		return ret;
+		goto unlock_out;
 	}
 
 	fh->io_allowed = 1;

* [PATCH 3.16 051/370] dm crypt: mark key as invalid until properly loaded
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mikulas Patocka, Ondrej Kozina, Mike Snitzer

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Kozina <okozina@redhat.com>

commit 265e9098bac02bc5e36cda21fdbad34cb5b2f48d upstream.

In crypt_set_key(), if a failure occurs while replacing the old key
(e.g. tfm->setkey() fails) the key must not have DM_CRYPT_KEY_VALID flag
set.  Otherwise, the crypto layer would have an invalid key that still
has DM_CRYPT_KEY_VALID flag set.

Signed-off-by: Ondrej Kozina <okozina@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-crypt.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1449,12 +1449,15 @@ static int crypt_set_key(struct crypt_co
 	if (!cc->key_size && strcmp(key, "-"))
 		goto out;
 
+	/* clear the flag since following operations may invalidate previously valid key */
+	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
+
 	if (cc->key_size && crypt_decode_key(cc->key, key, cc->key_size) < 0)
 		goto out;
 
-	set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
-
 	r = crypt_setkey_allcpus(cc);
+	if (!r)
+		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
 
 out:
 	/* Hex key string not needed after here, so wipe it. */
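
Review bot: The new comment above `clear_bit(DM_CRYPT_KEY_VALID, &cc->flags)` runs well past 80 columns and should be wrapped. It would also help to state there that the flag stays clear when `crypt_decode_key()` or `crypt_setkey_allcpus()` fails, and whether the earlier `goto out` on the key size check is meant to leave the flag as it was, since that path is taken before the `clear_bit()`.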

* [PATCH 3.16 050/370] KVM: PPC: Book3S HV: Save/restore XER in checkpointed register state
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Huth, Paul Mackerras

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit 0d808df06a44200f52262b6eb72bcb6042f5a7c5 upstream.

When switching from/to a guest that has a transaction in progress,
we need to save/restore the checkpointed register state.  Although
XER is part of the CPU state that gets checkpointed, the code that
does this saving and restoring doesn't save/restore XER.

This fixes it by saving and restoring the XER.  To allow userspace
to read/write the checkpointed XER value, we also add a new ONE_REG
specifier.

The visible effect of this bug is that the guest may see its XER
value being corrupted when it uses transactions.

Fixes: e4e38121507a ("KVM: PPC: Book3S HV: Add transactional memory support")
Fixes: 0a8eccefcb34 ("KVM: PPC: Book3S HV: Add missing code for transaction reclaim on guest exit")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
[bwh: Backported to 3.16: adjust context, spacing]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/virtual/kvm/api.txt       | 1 +
 arch/powerpc/include/asm/kvm_host.h     | 1 +
 arch/powerpc/include/uapi/asm/kvm.h     | 1 +
 arch/powerpc/kernel/asm-offsets.c       | 1 +
 arch/powerpc/kvm/book3s_hv.c            | 6 ++++++
 arch/powerpc/kvm/book3s_hv_rmhandlers.S | 4 ++++
 6 files changed, 14 insertions(+)

--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -1891,6 +1891,7 @@ registers, find a list below:
   PPC   | KVM_REG_PPC_TM_VSCR	| 32
   PPC   | KVM_REG_PPC_TM_DSCR	| 64
   PPC   | KVM_REG_PPC_TM_TAR	| 64
+  PPC   | KVM_REG_PPC_TM_XER   | 64
 
 ARM registers are mapped using the lower 32 bits.  The upper 16 of that
 is the register group type, or coprocessor number:
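
Review bot: The new `KVM_REG_PPC_TM_XER` row separates the register name from `| 64` with spaces, while the `KVM_REG_PPC_TM_*` rows above it use a tab, so the column will not line up with its neighbours at other tab widths. Use a tab as in the surrounding rows.
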
--- a/arch/powerpc/include/asm/kvm_host.h
+++ b/arch/powerpc/include/asm/kvm_host.h
@@ -532,6 +532,7 @@ struct kvm_vcpu_arch {
 	u64 tfiar;
 
 	u32 cr_tm;
+	u64 xer_tm;
 	u64 lr_tm;
 	u64 ctr_tm;
 	u64 amr_tm;
--- a/arch/powerpc/include/uapi/asm/kvm.h
+++ b/arch/powerpc/include/uapi/asm/kvm.h
@@ -580,6 +580,7 @@ struct kvm_get_htab_header {
 #define KVM_REG_PPC_TM_VSCR	(KVM_REG_PPC_TM | KVM_REG_SIZE_U32 | 0x67)
 #define KVM_REG_PPC_TM_DSCR	(KVM_REG_PPC_TM | KVM_REG_SIZE_U64 | 0x68)
 #define KVM_REG_PPC_TM_TAR	(KVM_REG_PPC_TM | KVM_REG_SIZE_U64 | 0x69)
+#define KVM_REG_PPC_TM_XER	(KVM_REG_PPC_TM | KVM_REG_SIZE_U64 | 0x6a)
 
 /* PPC64 eXternal Interrupt Controller Specification */
 #define KVM_DEV_XICS_GRP_SOURCES	1	/* 64-bit source attributes */
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -572,6 +572,7 @@ int main(void)
 	DEFINE(VCPU_VRS_TM, offsetof(struct kvm_vcpu, arch.vr_tm.vr));
 	DEFINE(VCPU_VRSAVE_TM, offsetof(struct kvm_vcpu, arch.vrsave_tm));
 	DEFINE(VCPU_CR_TM, offsetof(struct kvm_vcpu, arch.cr_tm));
+	DEFINE(VCPU_XER_TM, offsetof(struct kvm_vcpu, arch.xer_tm));
 	DEFINE(VCPU_LR_TM, offsetof(struct kvm_vcpu, arch.lr_tm));
 	DEFINE(VCPU_CTR_TM, offsetof(struct kvm_vcpu, arch.ctr_tm));
 	DEFINE(VCPU_AMR_TM, offsetof(struct kvm_vcpu, arch.amr_tm));
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -988,6 +988,9 @@ static int kvmppc_get_one_reg_hv(struct
 	case KVM_REG_PPC_TM_CR:
 		*val = get_reg_val(id, vcpu->arch.cr_tm);
 		break;
+	case KVM_REG_PPC_TM_XER:
+		*val = get_reg_val(id, vcpu->arch.xer_tm);
+		break;
 	case KVM_REG_PPC_TM_LR:
 		*val = get_reg_val(id, vcpu->arch.lr_tm);
 		break;
@@ -1201,6 +1204,9 @@ static int kvmppc_set_one_reg_hv(struct
 	case KVM_REG_PPC_TM_CR:
 		vcpu->arch.cr_tm = set_reg_val(id, *val);
 		break;
+	case KVM_REG_PPC_TM_XER:
+		vcpu->arch.xer_tm = set_reg_val(id, *val);
+		break;
 	case KVM_REG_PPC_TM_LR:
 		vcpu->arch.lr_tm = set_reg_val(id, *val);
 		break;
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -2356,11 +2356,13 @@ kvmppc_save_tm:
 	mfctr	r7
 	mfspr	r8, SPRN_AMR
 	mfspr	r10, SPRN_TAR
+	mfxer	r11
 	std	r5, VCPU_LR_TM(r9)
 	stw	r6, VCPU_CR_TM(r9)
 	std	r7, VCPU_CTR_TM(r9)
 	std	r8, VCPU_AMR_TM(r9)
 	std	r10, VCPU_TAR_TM(r9)
+	std	r11, VCPU_XER_TM(r9)
 
 	/* Restore r12 as trap number. */
 	lwz	r12, VCPU_TRAP(r9)
@@ -2453,11 +2455,13 @@ kvmppc_restore_tm:
 	ld	r7, VCPU_CTR_TM(r4)
 	ld	r8, VCPU_AMR_TM(r4)
 	ld	r9, VCPU_TAR_TM(r4)
+	ld	r10, VCPU_XER_TM(r4)
 	mtlr	r5
 	mtcr	r6
 	mtctr	r7
 	mtspr	SPRN_AMR, r8
 	mtspr	SPRN_TAR, r9
+	mtxer	r10
 
 	/*
 	 * Load up PPR and DSCR values but don't put them in the actual SPRs

* [PATCH 3.16 002/370] crypto: arm64/ghash-ce - fix for big endian
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 9c433ad5083fd4a4a3c721d86cbfbd0b2a2326a5 upstream.

The GHASH key and digest are both pairs of 64-bit quantities, but the
GHASH code does not always refer to them as such, causing failures when
built for big endian. So replace the 16x1 loads and stores with 2x8 ones.

Fixes: b913a6404ce2 ("arm64/crypto: improve performance of GHASH algorithm")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/ghash-ce-core.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/crypto/ghash-ce-core.S b/arch/arm64/crypto/ghash-ce-core.S
index dc457015884e..f0bb9f0b524f 100644
--- a/arch/arm64/crypto/ghash-ce-core.S
+++ b/arch/arm64/crypto/ghash-ce-core.S
@@ -29,8 +29,8 @@
 	 *			   struct ghash_key const *k, const char *head)
 	 */
 ENTRY(pmull_ghash_update)
-	ld1		{SHASH.16b}, [x3]
-	ld1		{XL.16b}, [x1]
+	ld1		{SHASH.2d}, [x3]
+	ld1		{XL.2d}, [x1]
 	movi		MASK.16b, #0xe1
 	ext		SHASH2.16b, SHASH.16b, SHASH.16b, #8
 	shl		MASK.2d, MASK.2d, #57
@@ -74,6 +74,6 @@ CPU_LE(	rev64		T1.16b, T1.16b	)
 
 	cbnz		w0, 0b
 
-	st1		{XL.16b}, [x1]
+	st1		{XL.2d}, [x1]
 	ret
 ENDPROC(pmull_ghash_update)

* [PATCH 3.16 025/370] regulator: stw481x-vmmc: fix ages old enable error
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Mark Brown

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 295070e9aa015abb9b92cccfbb1e43954e938133 upstream.

The regulator has never been properly enabled, it has been
dormant all the time. It's strange that MMC was working
at all, but it likely worked by the signals going through
the levelshifter and reaching the card anyways.

Fixes: 3615a34ea1a6 ("regulator: add STw481x VMMC driver")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/regulator/stw481x-vmmc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/regulator/stw481x-vmmc.c
+++ b/drivers/regulator/stw481x-vmmc.c
@@ -47,7 +47,8 @@ static struct regulator_desc vmmc_regula
 	.volt_table = stw481x_vmmc_voltages,
 	.enable_time = 200, /* FIXME: look this up */
 	.enable_reg = STW_CONF1,
-	.enable_mask = STW_CONF1_PDN_VMMC,
+	.enable_mask = STW_CONF1_PDN_VMMC | STW_CONF1_MMC_LS_STATUS,
+	.enable_val = STW_CONF1_PDN_VMMC,
 	.vsel_reg = STW_CONF1,
 	.vsel_mask = STW_CONF1_VMMC_MASK,
 };
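
Review bot: In this descriptor, `.enable_mask` now covers `STW_CONF1_MMC_LS_STATUS` while `.enable_val` sets only `STW_CONF1_PDN_VMMC`, so enabling the regulator also writes the `STW_CONF1_MMC_LS_STATUS` bit as zero, and no `.disable_val` is given for the opposite transition. A short comment stating what each bit has to be in the enabled and disabled states would make that intent checkable, next to the existing `FIXME` on `.enable_time`.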

* [PATCH 3.16 049/370] ext4: add sanity checking to count_overhead()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit c48ae41bafe31e9a66d8be2ced4e42a6b57fa814 upstream.

The commit "ext4: sanity check the block and cluster size at mount
time" should prevent any problems, but in case the superblock is
modified while the file system is mounted, add an extra safety check
to make sure we won't overrun the allocated buffer.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3301,10 +3301,15 @@ static int count_overhead(struct super_b
 			ext4_set_bit(s++, buf);
 			count++;
 		}
-		for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) {
-			ext4_set_bit(EXT4_B2C(sbi, s++), buf);
-			count++;
+		j = ext4_bg_num_gdb(sb, grp);
+		if (s + j > EXT4_BLOCKS_PER_GROUP(sb)) {
+			ext4_error(sb, "Invalid number of block group "
+				   "descriptor blocks: %d", j);
+			j = EXT4_BLOCKS_PER_GROUP(sb) - s;
 		}
+		count += j;
+		for (; j > 0; j--)
+			ext4_set_bit(EXT4_B2C(sbi, s++), buf);
 	}
 	if (!count)
 		return 0;
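
Review bot: After the new bound check, `j = EXT4_BLOCKS_PER_GROUP(sb) - s` is added to `count` with no lower bound, so the clamp is only correct while `s` does not exceed `EXT4_BLOCKS_PER_GROUP(sb)`; otherwise `count += j` subtracts. Either clamp `j` at zero or add a comment on why `s` cannot be that large at this point. The function also carries on after `ext4_error()` and returns an overhead figure derived from a descriptor count it has just reported as invalid, which deserves a comment as well.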

* [PATCH 3.16 034/370] ext4: fix mballoc breakage with 64k block size
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andreas Dilger, Theodore Ts'o, Chandan Rajendra

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <chandan@linux.vnet.ibm.com>

commit 69e43e8cc971a79dd1ee5d4343d8e63f82725123 upstream.

'border' variable is set to a value of 2 times the block size of the
underlying filesystem. With 64k block size, the resulting value won't
fit into a 16-bit variable. Hence this commit changes the data type of
'border' to 'unsigned int'.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/mballoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -668,7 +668,7 @@ static void ext4_mb_mark_free_simple(str
 	ext4_grpblk_t min;
 	ext4_grpblk_t max;
 	ext4_grpblk_t chunk;
-	unsigned short border;
+	unsigned int border;
 
 	BUG_ON(len > EXT4_CLUSTERS_PER_GROUP(sb));
 

* [PATCH 3.16 038/370] IB/mlx5: Wait for all async command completions to complete
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Maor Gottlieb, Leon Romanovsky, Doug Ledford, Eli Cohen

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eli Cohen <eli@mellanox.com>

commit acbda523884dcf45613bf6818d8ead5180df35c2 upstream.

Wait before continuing unload till all pending mkey async creation requests
are done.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/mr.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -590,6 +590,33 @@ int mlx5_mr_cache_init(struct mlx5_ib_de
 	return 0;
 }
 
+static void wait_for_async_commands(struct mlx5_ib_dev *dev)
+{
+	struct mlx5_mr_cache *cache = &dev->cache;
+	struct mlx5_cache_ent *ent;
+	int total = 0;
+	int i;
+	int j;
+
+	for (i = 0; i < MAX_MR_CACHE_ENTRIES; i++) {
+		ent = &cache->ent[i];
+		for (j = 0 ; j < 1000; j++) {
+			if (!ent->pending)
+				break;
+			msleep(50);
+		}
+	}
+	for (i = 0; i < MAX_MR_CACHE_ENTRIES; i++) {
+		ent = &cache->ent[i];
+		total += ent->pending;
+	}
+
+	if (total)
+		mlx5_ib_warn(dev, "aborted while there are %d pending mr requests\n", total);
+	else
+		mlx5_ib_warn(dev, "done with all pending requests\n");
+}
+
 int mlx5_mr_cache_cleanup(struct mlx5_ib_dev *dev)
 {
 	int i;
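
Review bot: `wait_for_async_commands()` logs the success case, "done with all pending requests", through `mlx5_ib_warn()`, so every clean unload emits a warning; that branch should use a debug-level message or be dropped. The poll limits `1000` and `msleep(50)` are also unnamed constants that allow up to 50 seconds of waiting per cache entry, which is worth a comment or named defines.
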
@@ -603,6 +630,7 @@ int mlx5_mr_cache_cleanup(struct mlx5_ib
 		clean_keys(dev, i);
 
 	destroy_workqueue(dev->cache.wq);
+	wait_for_async_commands(dev);
 	del_timer_sync(&dev->delay_timer);
 
 	return 0;

* [PATCH 3.16 044/370] ssb: Fix error routine when fallback SPROM fails
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Larry Finger, Kalle Valo

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 8052d7245b6089992343c80b38b14dbbd8354651 upstream.

When there is a CRC error in the SPROM read from the device, the code
attempts to handle a fallback SPROM. When this also fails, the driver
returns zero rather than an error code.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ssb/pci.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/ssb/pci.c
+++ b/drivers/ssb/pci.c
@@ -846,6 +846,7 @@ static int ssb_pci_sprom_get(struct ssb_
 			if (err) {
 				ssb_warn("WARNING: Using fallback SPROM failed (err %d)\n",
 					 err);
+				goto out_free;
 			} else {
 				ssb_dbg("Using SPROM revision %d provided by platform\n",
 					sprom->revision);

* [PATCH 3.16 018/370] drm/gma500: Add compat ioctl
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Patrik Jakobsson, Sean Paul

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>

commit 0a97c81a9717431e6c57ea845b59c3c345edce67 upstream.

Hook up drm_compat_ioctl to support 32-bit userspace on 64-bit kernels.
It turns out that N2600 and N2800 come with 64-bit enabled. We
previously assumed there were no such systems out there.

Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20161101144315.2955-1-patrik.r.jakobsson@gmail.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/gma500/psb_drv.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/gma500/psb_drv.c
+++ b/drivers/gpu/drm/gma500/psb_drv.c
@@ -464,6 +464,9 @@ static const struct file_operations psb_
 	.open = drm_open,
 	.release = drm_release,
 	.unlocked_ioctl = psb_unlocked_ioctl,
+#ifdef CONFIG_COMPAT
+	.compat_ioctl = drm_compat_ioctl,
+#endif
 	.mmap = drm_gem_mmap,
 	.poll = drm_poll,
 	.read = drm_read,
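
Review bot: In this `file_operations` table, native ioctls go through the driver's own `psb_unlocked_ioctl`, but the new `.compat_ioctl` points straight at `drm_compat_ioctl`, so 32-bit callers skip whatever `psb_unlocked_ioctl` does around the core ioctl path. Please confirm that this is safe, or route compat calls through a small driver wrapper that mirrors it.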

* [PATCH 3.16 048/370] ext4: use more strict checks for inodes_per_block on mount
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Andreas Dilger

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit cd6bb35bf7f6d7d922509bf50265383a0ceabe96 upstream.

Centralize the checks for inodes_per_block and be more strict to make
sure the inodes_per_block_group can't end up being zero.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3756,12 +3756,16 @@ static int ext4_fill_super(struct super_
 
 	sbi->s_blocks_per_group = le32_to_cpu(es->s_blocks_per_group);
 	sbi->s_inodes_per_group = le32_to_cpu(es->s_inodes_per_group);
-	if (EXT4_INODE_SIZE(sb) == 0 || EXT4_INODES_PER_GROUP(sb) == 0)
-		goto cantfind_ext4;
 
 	sbi->s_inodes_per_block = blocksize / EXT4_INODE_SIZE(sb);
 	if (sbi->s_inodes_per_block == 0)
 		goto cantfind_ext4;
+	if (sbi->s_inodes_per_group < sbi->s_inodes_per_block ||
+	    sbi->s_inodes_per_group > blocksize * 8) {
+		ext4_msg(sb, KERN_ERR, "invalid inodes per group: %lu\n",
+			 sbi->s_blocks_per_group);
+		goto failed_mount;
+	}
 	sbi->s_itb_per_group = sbi->s_inodes_per_group /
 					sbi->s_inodes_per_block;
 	sbi->s_desc_per_block = blocksize / EXT4_DESC_SIZE(sb);
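
Review bot: the new ext4_msg() call under the s_inodes_per_group range check prints sbi->s_blocks_per_group, so a superblock rejected here logs the wrong field; it should print sbi->s_inodes_per_group, as the "#inodes per group too big" message removed in the next hunk did. The new format string also ends in "\n", which the removed message did not; drop it for consistency. The lower bound is the important part of the change: with s_inodes_per_group smaller than s_inodes_per_block, the division just below would produce s_itb_per_group == 0 from an on-disk value, and a short comment saying so would help.
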
@@ -3845,13 +3849,6 @@ static int ext4_fill_super(struct super_
 	}
 	sbi->s_cluster_ratio = clustersize / blocksize;
 
-	if (sbi->s_inodes_per_group > blocksize * 8) {
-		ext4_msg(sb, KERN_ERR,
-		       "#inodes per group too big: %lu",
-		       sbi->s_inodes_per_group);
-		goto failed_mount;
-	}
-
 	/* Do we have standard group size of clustersize * 8 blocks ? */
 	if (sbi->s_blocks_per_group == clustersize << 3)
 		set_opt2(sb, STD_GROUP_SIZE);


* [PATCH 3.16 046/370] USB: phy: am335x-control: fix device and of_node leaks
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 068/370] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 044/370] ssb: Fix error routine when fallback SPROM fails Ben Hutchings
                   ` (337 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Bin Liu, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 015105b12183556771e111e93f5266851e7c5582 upstream.

Make sure to drop the references taken by of_parse_phandle() and
bus_find_device() before returning from am335x_get_phy_control().

Note that there is no guarantee that the devres-managed struct
phy_control will be valid for the lifetime of the sibling phy device
regardless of this change.

Fixes: 3bb869c8b3f1 ("usb: phy: Add AM335x PHY driver")
Acked-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/phy/phy-am335x-control.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/phy/phy-am335x-control.c
+++ b/drivers/usb/phy/phy-am335x-control.c
@@ -126,10 +126,12 @@ struct phy_control *am335x_get_phy_contr
 		return NULL;
 
 	dev = bus_find_device(&platform_bus_type, NULL, node, match);
+	of_node_put(node);
 	if (!dev)
 		return NULL;
 
 	ctrl_usb = dev_get_drvdata(dev);
+	put_device(dev);
 	if (!ctrl_usb)
 		return NULL;
 	return &ctrl_usb->phy_ctrl;
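
Review bot: after the added put_device(dev) the function still returns &ctrl_usb->phy_ctrl, a pointer into that device's driver data, with no reference held on the device. The changelog acknowledges that the lifetime was never guaranteed, but that caveat belongs in a comment above the put_device() call as well, so that a reader of the code sees that the caller receives an unpinned pointer and does not take the put for a complete lifetime fix.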


* [PATCH 3.16 017/370] ARM: dts: imx31: move CCM device node to AIPS2 bus devices
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 124/370] [media] s5k4ecgx: select CRC32 helper Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 026/370] crypto: caam - fix AEAD givenc descriptors Ben Hutchings
                   ` (361 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Shawn Guo, Vladimir Zapolskiy, Uwe Kleine-König

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit 1f87aee6a2e55eda466a43ba6248a8b75eede153 upstream.

i.MX31 Clock Control Module controller is found on AIPS2 bus, move it
there from SPBA bus to avoid a conflict of device IO space mismatch.

Fixes: ef0e4a606fb6 ("ARM: mx31: Replace clk_register_clkdev with clock DT lookup")
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/imx31.dtsi | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -110,13 +110,6 @@
 				interrupts = <19>;
 				clocks = <&clks 25>;
 			};
-
-			clks: ccm@53f80000{
-				compatible = "fsl,imx31-ccm";
-				reg = <0x53f80000 0x4000>;
-				interrupts = <31>, <53>;
-				#clock-cells = <1>;
-			};
 		};
 
 		aips@53f00000 { /* AIPS2 */
@@ -126,6 +119,13 @@
 			reg = <0x53f00000 0x100000>;
 			ranges;
 
+			clks: ccm@53f80000{
+				compatible = "fsl,imx31-ccm";
+				reg = <0x53f80000 0x4000>;
+				interrupts = <31>, <53>;
+				#clock-cells = <1>;
+			};
+
 			gpt: timer@53f90000 {
 				compatible = "fsl,imx31-gpt";
 				reg = <0x53f90000 0x4000>;


* [PATCH 3.16 028/370] powerpc/ibmebus: Fix device reference leaks in sysfs interface
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del() Ben Hutchings
                   ` (370 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Michael Ellerman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit fe0f3168169f7c34c29b0cf0c489f126a7f29643 upstream.

Make sure to drop any reference taken by bus_find_device() in the sysfs
callbacks that are used to create and destroy devices based on
device-tree entries.

Fixes: 6bccf755ff53 ("[POWERPC] ibmebus: dynamic addition/removal of adapters, some code cleanup")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/ibmebus.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -262,6 +262,7 @@ static ssize_t ibmebus_store_probe(struc
 				   const char *buf, size_t count)
 {
 	struct device_node *dn = NULL;
+	struct device *dev;
 	char *path;
 	ssize_t rc = 0;
 
@@ -269,8 +270,10 @@ static ssize_t ibmebus_store_probe(struc
 	if (!path)
 		return -ENOMEM;
 
-	if (bus_find_device(&ibmebus_bus_type, NULL, path,
-			    ibmebus_match_path)) {
+	dev = bus_find_device(&ibmebus_bus_type, NULL, path,
+			      ibmebus_match_path);
+	if (dev) {
+		put_device(dev);
 		printk(KERN_WARNING "%s: %s has already been probed\n",
 		       __func__, path);
 		rc = -EEXIST;
@@ -307,6 +310,7 @@ static ssize_t ibmebus_store_remove(stru
 	if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path,
 				   ibmebus_match_path))) {
 		of_device_unregister(to_platform_device(dev));
+		put_device(dev);
 
 		kfree(path);
 		return count;
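
Review bot: in ibmebus_store_remove() the added put_device(dev) has to stay after of_device_unregister(), because the reference returned by bus_find_device() is what keeps dev valid across the unregister call. A one-line comment saying that the put drops the lookup reference would stop a later cleanup from reordering or removing it.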


* [PATCH 3.16 026/370] crypto: caam - fix AEAD givenc descriptors
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 017/370] ARM: dts: imx31: move CCM device node to AIPS2 bus devices Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 011/370] perf scripting: Avoid leaking the scripting_context variable Ben Hutchings
                   ` (360 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Porosanu, Horia Geantă, Herbert Xu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Porosanu <alexandru.porosanu@nxp.com>

commit d128af17876d79b87edf048303f98b35f6a53dbc upstream.

The AEAD givenc descriptor relies on moving the IV through the
output FIFO and then back to the CTX2 for authentication. The
SEQ FIFO STORE could be scheduled before the data can be
read from OFIFO, especially since the SEQ FIFO LOAD needs
to wait for the SEQ FIFO LOAD SKIP to finish first. The
SKIP takes more time when the input is SG than when it's
a contiguous buffer. If the SEQ FIFO LOAD is not scheduled
before the STORE, the DECO will hang waiting for data
to be available in the OFIFO so it can be transferred to C2.
In order to overcome this, first force transfer of IV to C2
by starting the "cryptlen" transfer first and then starting to
store data from OFIFO to the output buffer.

Fixes: 1acebad3d8db8 ("crypto: caam - faster aead implementation")
Signed-off-by: Alex Porosanu <alexandru.porosanu@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/caam/caamalg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -590,7 +590,9 @@ static int aead_set_sh_desc(struct crypt
 
 	/* Will read cryptlen */
 	append_math_add(desc, VARSEQINLEN, SEQINLEN, REG0, CAAM_CMD_SZ);
-	aead_append_src_dst(desc, FIFOLD_TYPE_MSG1OUT2);
+	append_seq_fifo_load(desc, 0, FIFOLD_CLASS_BOTH | KEY_VLF |
+			     FIFOLD_TYPE_MSG1OUT2 | FIFOLD_TYPE_LASTBOTH);
+	append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | KEY_VLF);
 
 	/* Write ICV */
 	append_seq_store(desc, ctx->authsize, LDST_CLASS_2_CCB |
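
Review bot: the two added calls replace the aead_append_src_dst() helper call, but nothing at this spot in the code says that their order (SEQ FIFO LOAD first, SEQ FIFO STORE second) is the point of the change. The changelog explains the DECO hang; please carry a short comment above append_seq_fifo_load() saying the load must be issued before the store, otherwise a later cleanup is likely to fold these two lines back into the helper.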


* [PATCH 3.16 027/370] ARM: dts: imx6q-cm-fx6: fix fec pinctrl
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 130/370] net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 041/370] IB/mlx4: Put non zero value in max_ah device attribute Ben Hutchings
                   ` (273 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christopher Spinrath, Shawn Guo

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christopher Spinrath <christopher.spinrath@rwth-aachen.de>

commit 72649a46067903d00f46e2ebef6543768224f1a0 upstream.

According to the schematics of CompuLab's sbc-fx6 baseboard and the
vendor devicetree GPIO_16 is *not* muxed to ENET_REF_CLK but to SPDIF_IN.

Remove the wrong pinctrl setting.

Fixes: 682d055e6ac5 ("ARM: dts: Add initial support for cm-fx6.")
Signed-off-by: Christopher Spinrath <christopher.spinrath@rwth-aachen.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
[bwh: Backported to 3.16: adjust indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/imx6q-cm-fx6.dts | 1 -
 1 file changed, 1 deletion(-)

--- a/arch/arm/boot/dts/imx6q-cm-fx6.dts
+++ b/arch/arm/boot/dts/imx6q-cm-fx6.dts
@@ -65,7 +65,6 @@
 				MX6QDL_PAD_ENET_REF_CLK__ENET_TX_CLK	0x1b0b0
 				MX6QDL_PAD_ENET_MDIO__ENET_MDIO		0x1b0b0
 				MX6QDL_PAD_ENET_MDC__ENET_MDC		0x1b0b0
-				MX6QDL_PAD_GPIO_16__ENET_REF_CLK	0x4001b0a8
 			>;
 		};
 


* [PATCH 3.16 023/370] PCI: Check for PME in targeted sleep state
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 080/370] arm/xen: Use alloc_percpu rather than __alloc_percpu Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 185/370] usb: storage: unusual_uas: Add JMicron JMS56x to unusual device Ben Hutchings
                   ` (307 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Pierre de Villemereuil, Bjorn Helgaas, Lukas Wunner,
	Rafael J. Wysocki, Alan Stern

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 6496ebd7edf446fccf8266a1a70ffcb64252593e upstream.

On some systems, the firmware does not allow certain PCI devices to be put
in deep D-states.  This can cause problems for wakeup signalling, if the
device does not support PME# in the deepest allowed suspend state.  For
example, Pierre reports that on his system, ACPI does not permit his xHCI
host controller to go into D3 during runtime suspend -- but D3 is the only
state in which the controller can generate PME# signals.  As a result, the
controller goes into runtime suspend but never wakes up, so it doesn't work
properly.  USB devices plugged into the controller are never detected.

If the device relies on PME# for wakeup signals but is not capable of
generating PME# in the target state, the PCI core should accurately report
that it cannot do wakeup from runtime suspend.  This patch modifies the
pci_dev_run_wake() routine to add this check.

Reported-by: Pierre de Villemereuil <flyos@mailoo.org>
Tested-by: Pierre de Villemereuil <flyos@mailoo.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
CC: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/pci.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1982,6 +1982,10 @@ bool pci_dev_run_wake(struct pci_dev *de
 	if (!dev->pme_support)
 		return false;
 
+	/* PME-capable in principle, but not from the intended sleep state */
+	if (!pci_pme_capable(dev, pci_target_state(dev)))
+		return false;
+
 	while (bus->parent) {
 		struct pci_dev *bridge = bus->self;
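
Review bot: the changelog limits the new rule to a device that "relies on PME# for wakeup signals", but the added pci_pme_capable(dev, pci_target_state(dev)) test runs for every device that passed the dev->pme_support check, with no test of how that device actually signals wakeup. Is it intended that a device with some other wakeup path is now reported as unable to wake from runtime suspend? If so, say it in the code comment; if not, the early return needs a condition.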
 


* [PATCH 3.16 003/370] crypto: arm64/sha1-ce - fix for big endian
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 108/370] block_dev: don't test bdev->bd_contains when it is not stable Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 095/370] ext4: return -ENOMEM instead of success Ben Hutchings
                   ` (324 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ard Biesheuvel, Herbert Xu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit ee71e5f1e7d25543ee63a80451871f8985b8d431 upstream.

The SHA1 digest is an array of 5 32-bit quantities, so we should refer
to them as such in order for this code to work correctly when built for
big endian. So replace 16 byte scalar loads and stores with 4x4 vector
ones where appropriate.

Fixes: 2c98833a42cd ("arm64/crypto: SHA-1 using ARMv8 Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: use x2 instead of x0]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/sha1-ce-core.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/crypto/sha1-ce-core.S
+++ b/arch/arm64/crypto/sha1-ce-core.S
@@ -78,7 +78,7 @@ ENTRY(sha1_ce_transform)
 	ld1r		{k3.4s}, [x6]
 
 	/* load state */
-	ldr		dga, [x2]
+	ld1		{dgav.4s}, [x2]
 	ldr		dgb, [x2, #16]
 
 	/* load partial state (if supplied) */
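
Review bot: dga is switched to ld1 {dgav.4s} here, but the "ldr dgb, [x2, #16]" on the next line stays a scalar load, and the store hunk below has the same split. If that is correct because dgb holds a single 32-bit word of the five-word digest, a brief comment next to the ldr and str would save the next reader from assuming it was missed.
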
@@ -147,7 +147,7 @@ CPU_LE(	rev32		v11.16b, v11.16b	)
 	b		2b
 
 	/* store new state */
-3:	str		dga, [x2]
+3:	st1		{dgav.4s}, [x2]
 	str		dgb, [x2, #16]
 	ret
 ENDPROC(sha1_ce_transform)


* [PATCH 3.16 029/370] powerpc/ibmebus: Fix further device reference leaks
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 134/370] mtd: nand: xway: disable module support Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 157/370] USB: serial: io_edgeport: fix NULL-deref at open Ben Hutchings
                   ` (238 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Michael Ellerman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 815a7141c4d1b11610dccb7fcbb38633759824f2 upstream.

Make sure to drop any reference taken by bus_find_device() when creating
devices during init and driver registration.

Fixes: 55347cc9962f ("[POWERPC] ibmebus: Add device creation and bus probing based on of_device")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/ibmebus.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -180,6 +180,7 @@ static int ibmebus_create_device(struct
 static int ibmebus_create_devices(const struct of_device_id *matches)
 {
 	struct device_node *root, *child;
+	struct device *dev;
 	int ret = 0;
 
 	root = of_find_node_by_path("/");
@@ -188,9 +189,12 @@ static int ibmebus_create_devices(const
 		if (!of_match_node(matches, child))
 			continue;
 
-		if (bus_find_device(&ibmebus_bus_type, NULL, child,
-				    ibmebus_match_node))
+		dev = bus_find_device(&ibmebus_bus_type, NULL, child,
+				      ibmebus_match_node);
+		if (dev) {
+			put_device(dev);
 			continue;
+		}
 
 		ret = ibmebus_create_device(child);
 		if (ret) {
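
Review bot: the find, put, continue sequence added to ibmebus_create_devices() is the same existence test that patch 028 in this series adds to ibmebus_store_probe(), where the returned device is also dropped straight away. A small helper that does the bus_find_device() and put_device() pair and returns a bool would keep the put from being forgotten at the next call site; that is fine as an upstream follow-up rather than part of the stable backport.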


* [PATCH 3.16 006/370] crypto: arm64/aes-neon - fix for big endian
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 147/370] btrfs: fix error handling when run_delayed_extent_op fails Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 074/370] CIFS: Fix a possible memory corruption during reconnect Ben Hutchings
                   ` (247 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit a2c435cc99862fd3d165e1b66bf48ac72c839c62 upstream.

The AES implementation using pure NEON instructions relies on the generic
AES key schedule generation routines, which store the round keys as arrays
of 32-bit quantities stored in memory using native endianness. This means
we should refer to these round keys using 4x4 loads rather than 16x1 loads.
In addition, the ShiftRows tables are loaded using a single scalar load,
which is also affected by endianness, so emit these tables in the correct
order depending on whether we are building for big endian or not.

Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/aes-neon.S | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

--- a/arch/arm64/crypto/aes-neon.S
+++ b/arch/arm64/crypto/aes-neon.S
@@ -9,6 +9,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 #define AES_ENTRY(func)		ENTRY(neon_ ## func)
 #define AES_ENDPROC(func)	ENDPROC(neon_ ## func)
@@ -83,13 +84,13 @@
 	.endm
 
 	.macro		do_block, enc, in, rounds, rk, rkp, i
-	ld1		{v15.16b}, [\rk]
+	ld1		{v15.4s}, [\rk]
 	add		\rkp, \rk, #16
 	mov		\i, \rounds
 1111:	eor		\in\().16b, \in\().16b, v15.16b		/* ^round key */
 	tbl		\in\().16b, {\in\().16b}, v13.16b	/* ShiftRows */
 	sub_bytes	\in
-	ld1		{v15.16b}, [\rkp], #16
+	ld1		{v15.4s}, [\rkp], #16
 	subs		\i, \i, #1
 	beq		2222f
 	.if		\enc == 1
@@ -229,7 +230,7 @@
 	.endm
 
 	.macro		do_block_2x, enc, in0, in1 rounds, rk, rkp, i
-	ld1		{v15.16b}, [\rk]
+	ld1		{v15.4s}, [\rk]
 	add		\rkp, \rk, #16
 	mov		\i, \rounds
 1111:	eor		\in0\().16b, \in0\().16b, v15.16b	/* ^round key */
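
Review bot: style point on a line this hunk leaves as context: the header ".macro do_block_2x, enc, in0, in1 rounds, rk, rkp, i" has no comma between in1 and rounds, unlike the do_block and do_block_4x headers in the neighbouring hunks. It is not something for a stable backport, but it is worth tidying upstream while these macros are being touched.
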
@@ -237,7 +238,7 @@
 	sub_bytes_2x	\in0, \in1
 	tbl		\in0\().16b, {\in0\().16b}, v13.16b	/* ShiftRows */
 	tbl		\in1\().16b, {\in1\().16b}, v13.16b	/* ShiftRows */
-	ld1		{v15.16b}, [\rkp], #16
+	ld1		{v15.4s}, [\rkp], #16
 	subs		\i, \i, #1
 	beq		2222f
 	.if		\enc == 1
@@ -254,7 +255,7 @@
 	.endm
 
 	.macro		do_block_4x, enc, in0, in1, in2, in3, rounds, rk, rkp, i
-	ld1		{v15.16b}, [\rk]
+	ld1		{v15.4s}, [\rk]
 	add		\rkp, \rk, #16
 	mov		\i, \rounds
 1111:	eor		\in0\().16b, \in0\().16b, v15.16b	/* ^round key */
@@ -266,7 +267,7 @@
 	tbl		\in1\().16b, {\in1\().16b}, v13.16b	/* ShiftRows */
 	tbl		\in2\().16b, {\in2\().16b}, v13.16b	/* ShiftRows */
 	tbl		\in3\().16b, {\in3\().16b}, v13.16b	/* ShiftRows */
-	ld1		{v15.16b}, [\rkp], #16
+	ld1		{v15.4s}, [\rkp], #16
 	subs		\i, \i, #1
 	beq		2222f
 	.if		\enc == 1
@@ -306,12 +307,16 @@
 	.text
 	.align		4
 .LForward_ShiftRows:
-	.byte		0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3
-	.byte		0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb
+CPU_LE(	.byte		0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3	)
+CPU_LE(	.byte		0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb	)
+CPU_BE(	.byte		0xb, 0x6, 0x1, 0xc, 0x7, 0x2, 0xd, 0x8	)
+CPU_BE(	.byte		0x3, 0xe, 0x9, 0x4, 0xf, 0xa, 0x5, 0x0	)
 
 .LReverse_ShiftRows:
-	.byte		0x0, 0xd, 0xa, 0x7, 0x4, 0x1, 0xe, 0xb
-	.byte		0x8, 0x5, 0x2, 0xf, 0xc, 0x9, 0x6, 0x3
+CPU_LE(	.byte		0x0, 0xd, 0xa, 0x7, 0x4, 0x1, 0xe, 0xb	)
+CPU_LE(	.byte		0x8, 0x5, 0x2, 0xf, 0xc, 0x9, 0x6, 0x3	)
+CPU_BE(	.byte		0x3, 0x6, 0x9, 0xc, 0xf, 0x2, 0x5, 0x8	)
+CPU_BE(	.byte		0xb, 0xe, 0x1, 0x4, 0x7, 0xa, 0xd, 0x0	)
 
 .LForward_Sbox:
 	.byte		0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5
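
Review bot: the CPU_BE rows under .LForward_ShiftRows and .LReverse_ShiftRows are the CPU_LE rows in reverse byte order, which follows from the tables being read with a single scalar load as the changelog says, but nothing next to the tables states that. Please add a comment above each table saying the big-endian copy is the byte-reversed little-endian one, so that anyone editing one copy knows how to derive the other; loading the table byte-wise instead would remove the need for two copies, if that is acceptable upstream.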


* [PATCH 3.16 005/370] crypto: arm64/aes-ccm-ce: fix for big endian
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (179 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 182/370] KVM: MIPS: Flush KVM entry code from icache globally Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 110/370] IPoIB: Avoid reading an uninitialized member variable Ben Hutchings
                   ` (190 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 56e4e76c68fcb51547b5299e5b66a135935ff414 upstream.

The AES-CCM implementation that uses ARMv8 Crypto Extensions instructions
refers to the AES round keys as pairs of 64-bit quantities, which causes
failures when building the code for big endian. In addition, it byte swaps
the input counter unconditionally, while this is only required for little
endian builds. So fix both issues.

Fixes: 12ac3efe74f8 ("arm64/crypto: use crypto instructions to generate AES key schedule")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/aes-ce-ccm-core.S | 53 +++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 26 deletions(-)

--- a/arch/arm64/crypto/aes-ce-ccm-core.S
+++ b/arch/arm64/crypto/aes-ce-ccm-core.S
@@ -9,6 +9,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 	.text
 	.arch	armv8-a+crypto
@@ -19,7 +20,7 @@
 	 */
 ENTRY(ce_aes_ccm_auth_data)
 	ldr	w8, [x3]			/* leftover from prev round? */
-	ld1	{v0.2d}, [x0]			/* load mac */
+	ld1	{v0.16b}, [x0]			/* load mac */
 	cbz	w8, 1f
 	sub	w8, w8, #16
 	eor	v1.16b, v1.16b, v1.16b
@@ -31,7 +32,7 @@ ENTRY(ce_aes_ccm_auth_data)
 	beq	8f				/* out of input? */
 	cbnz	w8, 0b
 	eor	v0.16b, v0.16b, v1.16b
-1:	ld1	{v3.2d}, [x4]			/* load first round key */
+1:	ld1	{v3.16b}, [x4]			/* load first round key */
 	prfm	pldl1strm, [x1]
 	cmp	w5, #12				/* which key size? */
 	add	x6, x4, #16
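
Review bot: the round-key loads change from .2d to .16b here, whereas the aes-neon patch in this series (006) changes its round-key loads to .4s on the grounds that the key schedule is an array of 32-bit words in native endianness. The changelog should say why byte-wise loads are the right view of the key schedule in this file, since the two fixes otherwise read as contradictory.
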
@@ -41,17 +42,17 @@ ENTRY(ce_aes_ccm_auth_data)
 	mov	v5.16b, v3.16b
 	b	4f
 2:	mov	v4.16b, v3.16b
-	ld1	{v5.2d}, [x6], #16		/* load 2nd round key */
+	ld1	{v5.16b}, [x6], #16		/* load 2nd round key */
 3:	aese	v0.16b, v4.16b
 	aesmc	v0.16b, v0.16b
-4:	ld1	{v3.2d}, [x6], #16		/* load next round key */
+4:	ld1	{v3.16b}, [x6], #16		/* load next round key */
 	aese	v0.16b, v5.16b
 	aesmc	v0.16b, v0.16b
-5:	ld1	{v4.2d}, [x6], #16		/* load next round key */
+5:	ld1	{v4.16b}, [x6], #16		/* load next round key */
 	subs	w7, w7, #3
 	aese	v0.16b, v3.16b
 	aesmc	v0.16b, v0.16b
-	ld1	{v5.2d}, [x6], #16		/* load next round key */
+	ld1	{v5.16b}, [x6], #16		/* load next round key */
 	bpl	3b
 	aese	v0.16b, v4.16b
 	subs	w2, w2, #16			/* last data? */
@@ -60,7 +61,7 @@ ENTRY(ce_aes_ccm_auth_data)
 	ld1	{v1.16b}, [x1], #16		/* load next input block */
 	eor	v0.16b, v0.16b, v1.16b		/* xor with mac */
 	bne	1b
-6:	st1	{v0.2d}, [x0]			/* store mac */
+6:	st1	{v0.16b}, [x0]			/* store mac */
 	beq	10f
 	adds	w2, w2, #16
 	beq	10f
@@ -79,7 +80,7 @@ ENTRY(ce_aes_ccm_auth_data)
 	adds	w7, w7, #1
 	bne	9b
 	eor	v0.16b, v0.16b, v1.16b
-	st1	{v0.2d}, [x0]
+	st1	{v0.16b}, [x0]
 10:	str	w8, [x3]
 	ret
 ENDPROC(ce_aes_ccm_auth_data)
@@ -89,27 +90,27 @@ ENDPROC(ce_aes_ccm_auth_data)
 	 * 			 u32 rounds);
 	 */
 ENTRY(ce_aes_ccm_final)
-	ld1	{v3.2d}, [x2], #16		/* load first round key */
-	ld1	{v0.2d}, [x0]			/* load mac */
+	ld1	{v3.16b}, [x2], #16		/* load first round key */
+	ld1	{v0.16b}, [x0]			/* load mac */
 	cmp	w3, #12				/* which key size? */
 	sub	w3, w3, #2			/* modified # of rounds */
-	ld1	{v1.2d}, [x1]			/* load 1st ctriv */
+	ld1	{v1.16b}, [x1]			/* load 1st ctriv */
 	bmi	0f
 	bne	3f
 	mov	v5.16b, v3.16b
 	b	2f
 0:	mov	v4.16b, v3.16b
-1:	ld1	{v5.2d}, [x2], #16		/* load next round key */
+1:	ld1	{v5.16b}, [x2], #16		/* load next round key */
 	aese	v0.16b, v4.16b
 	aese	v1.16b, v4.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-2:	ld1	{v3.2d}, [x2], #16		/* load next round key */
+2:	ld1	{v3.16b}, [x2], #16		/* load next round key */
 	aese	v0.16b, v5.16b
 	aese	v1.16b, v5.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-3:	ld1	{v4.2d}, [x2], #16		/* load next round key */
+3:	ld1	{v4.16b}, [x2], #16		/* load next round key */
 	subs	w3, w3, #3
 	aese	v0.16b, v3.16b
 	aese	v1.16b, v3.16b
@@ -120,47 +121,47 @@ ENTRY(ce_aes_ccm_final)
 	aese	v1.16b, v4.16b
 	/* final round key cancels out */
 	eor	v0.16b, v0.16b, v1.16b		/* en-/decrypt the mac */
-	st1	{v0.2d}, [x0]			/* store result */
+	st1	{v0.16b}, [x0]			/* store result */
 	ret
 ENDPROC(ce_aes_ccm_final)
 
 	.macro	aes_ccm_do_crypt,enc
 	ldr	x8, [x6, #8]			/* load lower ctr */
-	ld1	{v0.2d}, [x5]			/* load mac */
-	rev	x8, x8				/* keep swabbed ctr in reg */
+	ld1	{v0.16b}, [x5]			/* load mac */
+CPU_LE(	rev	x8, x8			)	/* keep swabbed ctr in reg */
 0:	/* outer loop */
-	ld1	{v1.1d}, [x6]			/* load upper ctr */
+	ld1	{v1.8b}, [x6]			/* load upper ctr */
 	prfm	pldl1strm, [x1]
 	add	x8, x8, #1
 	rev	x9, x8
 	cmp	w4, #12				/* which key size? */
 	sub	w7, w4, #2			/* get modified # of rounds */
 	ins	v1.d[1], x9			/* no carry in lower ctr */
-	ld1	{v3.2d}, [x3]			/* load first round key */
+	ld1	{v3.16b}, [x3]			/* load first round key */
 	add	x10, x3, #16
 	bmi	1f
 	bne	4f
 	mov	v5.16b, v3.16b
 	b	3f
 1:	mov	v4.16b, v3.16b
-	ld1	{v5.2d}, [x10], #16		/* load 2nd round key */
+	ld1	{v5.16b}, [x10], #16		/* load 2nd round key */
 2:	/* inner loop: 3 rounds, 2x interleaved */
 	aese	v0.16b, v4.16b
 	aese	v1.16b, v4.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-3:	ld1	{v3.2d}, [x10], #16		/* load next round key */
+3:	ld1	{v3.16b}, [x10], #16		/* load next round key */
 	aese	v0.16b, v5.16b
 	aese	v1.16b, v5.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-4:	ld1	{v4.2d}, [x10], #16		/* load next round key */
+4:	ld1	{v4.16b}, [x10], #16		/* load next round key */
 	subs	w7, w7, #3
 	aese	v0.16b, v3.16b
 	aese	v1.16b, v3.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-	ld1	{v5.2d}, [x10], #16		/* load next round key */
+	ld1	{v5.16b}, [x10], #16		/* load next round key */
 	bpl	2b
 	aese	v0.16b, v4.16b
 	aese	v1.16b, v4.16b
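
Review bot: in aes_ccm_do_crypt the initial "rev x8, x8" becomes CPU_LE-only while the "rev x9, x8" inside the outer loop stays unconditional, and neither line says why. Please add a comment at "rev x9, x8" explaining why the swap before "ins v1.d[1], x9" is needed on both endiannesses while the first one is only needed to turn the in-memory counter into a native value on little endian, so that the asymmetry can be reviewed rather than guessed at.
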
@@ -177,14 +178,14 @@ ENDPROC(ce_aes_ccm_final)
 	eor	v0.16b, v0.16b, v2.16b		/* xor mac with pt ^ rk[last] */
 	st1	{v1.16b}, [x0], #16		/* write output block */
 	bne	0b
-	rev	x8, x8
-	st1	{v0.2d}, [x5]			/* store mac */
+CPU_LE(	rev	x8, x8			)
+	st1	{v0.16b}, [x5]			/* store mac */
 	str	x8, [x6, #8]			/* store lsb end of ctr (BE) */
 5:	ret
 
 6:	eor	v0.16b, v0.16b, v5.16b		/* final round mac */
 	eor	v1.16b, v1.16b, v5.16b		/* final round enc */
-	st1	{v0.2d}, [x5]			/* store mac */
+	st1	{v0.16b}, [x5]			/* store mac */
 	add	w2, w2, #16			/* process partial tail block */
 7:	ldrb	w9, [x1], #1			/* get 1 byte of input */
 	umov	w6, v1.b[0]			/* get top crypted ctr byte */


* [PATCH 3.16 016/370] ARM: dts: imx31: fix clock control module interrupts description
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 074/370] CIFS: Fix a possible memory corruption during reconnect Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 059/370] thermal: hwmon: Properly report critical temperature in sysfs Ben Hutchings
                   ` (245 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Herring, Vladimir Zapolskiy, Shawn Guo

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit 2e575cbc930901718cc18e084566ecbb9a4b5ebb upstream.

The type of AVIC interrupt controller found on i.MX31 is one-cell,
namely 31 for CCM DVFS and 53 for CCM, however for clock control
module its interrupts are specified as 3-cells, fix it.

Fixes: ef0e4a606fb6 ("ARM: mx31: Replace clk_register_clkdev with clock DT lookup")
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/devicetree/bindings/clock/imx31-clock.txt | 2 +-
 arch/arm/boot/dts/imx31.dtsi                            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/Documentation/devicetree/bindings/clock/imx31-clock.txt
+++ b/Documentation/devicetree/bindings/clock/imx31-clock.txt
@@ -77,7 +77,7 @@ Examples:
 clks: ccm@53f80000{
 	compatible = "fsl,imx31-ccm";
 	reg = <0x53f80000 0x4000>;
-	interrupts = <0 31 0x04 0 53 0x04>;
+	interrupts = <31>, <53>;
 	#clock-cells = <1>;
 };
 
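Review bot: the example now lists two one-cell interrupts, `<31>, <53>`, but the binding text visible here does not say which entry is which. The commit message gives 31 as CCM DVFS and 53 as CCM; stating that order in the binding's description of the interrupts property would stop a future board file from swapping them.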
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -114,7 +114,7 @@
 			clks: ccm@53f80000{
 				compatible = "fsl,imx31-ccm";
 				reg = <0x53f80000 0x4000>;
-				interrupts = <0 31 0x04 0 53 0x04>;
+				interrupts = <31>, <53>;
 				#clock-cells = <1>;
 			};
 		};

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 015/370] usb: dwc3: gadget: set PCM1 field of isochronous-first TRBs
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 120/370] drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 022/370] scsi: megaraid_sas: For SRIOV enabled firmware, ensure VF driver waits for 30secs before reset Ben Hutchings
                   ` (317 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit 6b9018d4c1e5c958625be94a160a5984351d4632 upstream.

In case of High-Speed, High-Bandwidth endpoints, we
need to tell DWC3 that we have more than one packet
per interval. We do that by setting PCM1 field of
Isochronous-First TRB.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -863,6 +863,8 @@ static void dwc3_prepare_one_trb(struct
 {
 	struct dwc3		*dwc = dep->dwc;
 	struct dwc3_trb		*trb;
+	struct usb_gadget	*gadget = &dwc->gadget;
+	enum usb_device_speed	speed = gadget->speed;
 
 	dev_vdbg(dwc->dev, "%s: req %p dma %08llx length %d%s%s\n",
 			dep->name, req, (unsigned long long) dma,
@@ -895,10 +897,16 @@ static void dwc3_prepare_one_trb(struct
 		break;
 
 	case USB_ENDPOINT_XFER_ISOC:
-		if (!node)
+		if (!node) {
 			trb->ctrl = DWC3_TRBCTL_ISOCHRONOUS_FIRST;
-		else
+
+			if (speed == USB_SPEED_HIGH) {
+				struct usb_ep *ep = &dep->endpoint;
+				trb->size |= DWC3_TRB_SIZE_PCM1(ep->mult - 1);
+			}
+		} else {
 			trb->ctrl = DWC3_TRBCTL_ISOCHRONOUS;
+		}
 		break;
 
 	case USB_ENDPOINT_XFER_BULK:
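Review bot: `DWC3_TRB_SIZE_PCM1(ep->mult - 1)` in the new high-speed branch assumes ep->mult is at least 1. Nothing in this hunk guarantees that, and a mult of 0 would turn the subtraction into a wrapped or negative value OR-ed into trb->size. Guard it, for example by setting PCM1 only when ep->mult is non-zero, or point to where mult is initialised for isochronous endpoints. Minor style point: the declaration of `struct usb_ep *ep` should be followed by a blank line.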

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 019/370] enic: set skb->hash type properly
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 106/370] Btrfs: delayed-inode: replace root args iff only fs_info used Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 053/370] [media] DaVinci-VPFE-Capture: fix error handling Ben Hutchings
                   ` (302 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Govindarajulu Varadarajan, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Govindarajulu Varadarajan <_govind@gmx.com>

commit 17197236d62c44da127be461c63ac5cc2cce1e53 upstream.

Driver sets the skb l4/l3 hash based on NIC_CFG_RSS_HASH_TYPE_*,
which is bit mask. This is wrong. Hw actually provides us enum.
Use CQ_ENET_RQ_DESC_RSS_TYPE_* to set l3 and l4 hash type.

Fixes: bf751ba802fe ("driver/net: enic: record q_number and rss_hash for skb")
Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: drop the version bump]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -1033,12 +1033,18 @@ static void enic_rq_indicate_buf(struct
 		skb->protocol = eth_type_trans(skb, netdev);
 		skb_record_rx_queue(skb, q_number);
 		if (netdev->features & NETIF_F_RXHASH) {
-			skb_set_hash(skb, rss_hash,
-				     (rss_type &
-				      (NIC_CFG_RSS_HASH_TYPE_TCP_IPV6_EX |
-				       NIC_CFG_RSS_HASH_TYPE_TCP_IPV6 |
-				       NIC_CFG_RSS_HASH_TYPE_TCP_IPV4)) ?
-				     PKT_HASH_TYPE_L4 : PKT_HASH_TYPE_L3);
+			switch (rss_type) {
+			case CQ_ENET_RQ_DESC_RSS_TYPE_TCP_IPv4:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_TCP_IPv6:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_TCP_IPv6_EX:
+				skb_set_hash(skb, rss_hash, PKT_HASH_TYPE_L4);
+				break;
+			case CQ_ENET_RQ_DESC_RSS_TYPE_IPv4:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_IPv6:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_IPv6_EX:
+				skb_set_hash(skb, rss_hash, PKT_HASH_TYPE_L3);
+				break;
+			}
 		}
 
 		/* Hardware does not provide whole packet checksum. It only
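Review bot: the new `switch (rss_type)` has no default case, so for any descriptor type other than the six listed skb_set_hash() is no longer called at all, whereas the removed expression fell back to PKT_HASH_TYPE_L3. If leaving the hash unset is intended for such packets, say so with an explicit `default:` and a short comment; otherwise keep an L3 fallback.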

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 009/370] perf trace: Use the syscall raw_syscalls:sys_enter timestamp
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (171 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 103/370] fsnotify: Fix possible use-after-free in inode iteration on umount Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 114/370] scsi: zfcp: fix rport unblock race with LUN recovery Ben Hutchings
                   ` (198 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Ahern, Arnaldo Carvalho de Melo, Namhyung Kim,
	Adrian Hunter, Jiri Olsa, Wang Nan

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit ecf1e2253ea79c6204f4d6a5e756e8fb4aed5a7e upstream.

Instead of the one when another syscall takes place while another is being
processed (in another CPU, but we show it serialized, so need to "interrupt"
the other), and also when finally showing the sys_enter + sys_exit + duration,
where we were showing the sample->time for the sys_exit, duh.

Before:

  # perf trace sleep 1
  <SNIP>
     0.373 (   0.001 ms): close(fd: 3                   ) = 0
  1000.626 (1000.211 ms): nanosleep(rqtp: 0x7ffd6ddddfb0) = 0
  1000.653 (   0.003 ms): close(fd: 1                   ) = 0
  1000.657 (   0.002 ms): close(fd: 2                   ) = 0
  1000.667 (   0.000 ms): exit_group(                   )
  #

After:

  # perf trace sleep 1
  <SNIP>
     0.336 (   0.001 ms): close(fd: 3                   ) = 0
     0.373 (1000.086 ms): nanosleep(rqtp: 0x7ffe303e9550) = 0
  1000.481 (   0.002 ms): close(fd: 1                   ) = 0
  1000.485 (   0.001 ms): close(fd: 2                   ) = 0
  1000.494 (   0.000 ms): exit_group(                   )
[root@jouet linux]#

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-ecbzgmu2ni6glc6zkw8p1zmx@git.kernel.org
Fixes: 752fde44fd1c ("perf trace: Support interrupted syscalls")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16:
 - Drop changes to trace__printf_interrupted_entry()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1646,7 +1646,7 @@ static int trace__sys_enter(struct trace
 
 	if (!strcmp(sc->name, "exit_group") || !strcmp(sc->name, "exit")) {
 		if (!trace->duration_filter && !trace->summary_only) {
-			trace__fprintf_entry_head(trace, thread, 1, sample->time, trace->output);
+			trace__fprintf_entry_head(trace, thread, 1, ttrace->entry_time, trace->output);
 			fprintf(trace->output, "%-70s\n", ttrace->entry_str);
 		}
 	} else
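Review bot: the exit/exit_group path now prints `ttrace->entry_time` instead of `sample->time`, which is only correct if entry_time has already been assigned earlier in trace__sys_enter() for this sample. That assignment is outside the visible context. Since the backport note says context was adjusted for 3.16, confirm the assignment precedes this block in the 3.16 tree, otherwise the line is printed with a stale or zero timestamp.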
@@ -1701,7 +1701,7 @@ static int trace__sys_exit(struct trace
 	if (trace->summary_only)
 		goto out;
 
-	trace__fprintf_entry_head(trace, thread, duration, sample->time, trace->output);
+	trace__fprintf_entry_head(trace, thread, duration, ttrace->entry_time, trace->output);
 
 	if (ttrace->entry_pending) {
 		fprintf(trace->output, "%-70s", ttrace->entry_str);

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 082/370] hotplug: Make register and unregister notifier API symmetric
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Streetman, Michal Hocko, Thomas Gleixner, linux-mm

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit 777c6e0daebb3fcefbbd6f620410a946b07ef6d0 upstream.

Yu Zhao has noticed that __unregister_cpu_notifier only unregisters its
notifiers when HOTPLUG_CPU=y while the registration might succeed even
when HOTPLUG_CPU=n if MODULE is enabled. This means that e.g. zswap
might keep a stale notifier on the list on the manual clean up during
the pool tear down and thus corrupt the list. Resulting in the following

[  144.964346] BUG: unable to handle kernel paging request at ffff880658a2be78
[  144.971337] IP: [<ffffffffa290b00b>] raw_notifier_chain_register+0x1b/0x40
<snipped>
[  145.122628] Call Trace:
[  145.125086]  [<ffffffffa28e5cf8>] __register_cpu_notifier+0x18/0x20
[  145.131350]  [<ffffffffa2a5dd73>] zswap_pool_create+0x273/0x400
[  145.137268]  [<ffffffffa2a5e0fc>] __zswap_param_set+0x1fc/0x300
[  145.143188]  [<ffffffffa2944c1d>] ? trace_hardirqs_on+0xd/0x10
[  145.149018]  [<ffffffffa2908798>] ? kernel_param_lock+0x28/0x30
[  145.154940]  [<ffffffffa2a3e8cf>] ? __might_fault+0x4f/0xa0
[  145.160511]  [<ffffffffa2a5e237>] zswap_compressor_param_set+0x17/0x20
[  145.167035]  [<ffffffffa2908d3c>] param_attr_store+0x5c/0xb0
[  145.172694]  [<ffffffffa290848d>] module_attr_store+0x1d/0x30
[  145.178443]  [<ffffffffa2b2b41f>] sysfs_kf_write+0x4f/0x70
[  145.183925]  [<ffffffffa2b2a5b9>] kernfs_fop_write+0x149/0x180
[  145.189761]  [<ffffffffa2a99248>] __vfs_write+0x18/0x40
[  145.194982]  [<ffffffffa2a9a412>] vfs_write+0xb2/0x1a0
[  145.200122]  [<ffffffffa2a9a732>] SyS_write+0x52/0xa0
[  145.205177]  [<ffffffffa2ff4d97>] entry_SYSCALL_64_fastpath+0x12/0x17

This can be even triggered manually by changing
/sys/module/zswap/parameters/compressor multiple times.

Fix this issue by making unregister APIs symmetric to the register so
there are no surprises.

Fixes: 47e627bc8c9a ("[PATCH] hotplug: Allow modules to use the cpu hotplug notifiers even if !CONFIG_HOTPLUG_CPU")
Reported-and-tested-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Cc: linux-mm@kvack.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dan Streetman <ddstreet@ieee.org>
Link: http://lkml.kernel.org/r/20161207135438.4310-1-mhocko@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: keep definition of cpu_notify_nofail() conditional
 on CONFIG_HOTPLUG_CPU]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -122,22 +122,16 @@ enum {
 		{ .notifier_call = fn, .priority = pri };	\
 	__register_cpu_notifier(&fn##_nb);			\
 }
-#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
 
-#ifdef CONFIG_HOTPLUG_CPU
 extern int register_cpu_notifier(struct notifier_block *nb);
 extern int __register_cpu_notifier(struct notifier_block *nb);
 extern void unregister_cpu_notifier(struct notifier_block *nb);
 extern void __unregister_cpu_notifier(struct notifier_block *nb);
-#else
 
-#ifndef MODULE
-extern int register_cpu_notifier(struct notifier_block *nb);
-extern int __register_cpu_notifier(struct notifier_block *nb);
-#else
+#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+
 static inline int register_cpu_notifier(struct notifier_block *nb)
 {
 	return 0;
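Review bot: missing comment on the invariant this hunk establishes: the four register/unregister declarations now sit together in the `#if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE)` branch, and the no-op stubs together in its `#else`, but nothing in the header says they must stay paired. A short comment above the `extern` block (or on the `#else`) stating that register and unregister must always be defined under the same condition would protect against the asymmetry described in the commit message being reintroduced.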
@@ -147,7 +141,6 @@ static inline int __register_cpu_notifie
 {
 	return 0;
 }
-#endif
 
 static inline void unregister_cpu_notifier(struct notifier_block *nb)
 {
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -210,12 +210,6 @@ static int cpu_notify(unsigned long val,
 	return __cpu_notify(val, v, -1, NULL);
 }
 
-#ifdef CONFIG_HOTPLUG_CPU
-
-static void cpu_notify_nofail(unsigned long val, void *v)
-{
-	BUG_ON(cpu_notify(val, v));
-}
 EXPORT_SYMBOL(register_cpu_notifier);
 EXPORT_SYMBOL(__register_cpu_notifier);
 
@@ -233,6 +227,13 @@ void __ref __unregister_cpu_notifier(str
 }
 EXPORT_SYMBOL(__unregister_cpu_notifier);
 
+#ifdef CONFIG_HOTPLUG_CPU
+
+static void cpu_notify_nofail(unsigned long val, void *v)
+{
+	BUG_ON(cpu_notify(val, v));
+}
+
 /**
  * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
  * @cpu: a CPU id


^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 252/370] powerpc: Add missing error check to prom_find_boot_cpu()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (342 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 359/370] macvtap: read vnet_hdr_size once Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 219/370] jump_labels: API for flushing deferred jump label updates Ben Hutchings
                   ` (27 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Darren Stevens

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Darren Stevens <darren@stevens-zone.net>

commit af2b7fa17eb92e52b65f96604448ff7a2a89ee99 upstream.

prom_init.c calls 'instance-to-package' twice, but the return
is not checked during prom_find_boot_cpu(). The result is then
passed to prom_getprop(), which could be PROM_ERROR. Add a return check
to prevent this.

This was found on a pasemi system, where CFE doesn't have a working
'instance-to-package' prom call.

Before Commit 5c0484e25ec0 ('powerpc: Endian safe trampoline') the area
around addr 0 was mostly 0's and this doesn't cause a problem. Once the
macro 'FIXUP_ENDIAN' has been added to head_64.S, the low memory area
now has non-zero values, which cause the prom_getprop() call
to hang.

mpe: Also confirmed that under SLOF if 'instance-to-package' did fail
with PROM_ERROR we would crash in SLOF. So the bug is not specific to
CFE, it's just that other open firmwares don't trigger it because they
have a working 'instance-to-package'.

Fixes: 5c0484e25ec0 ("powerpc: Endian safe trampoline")
Signed-off-by: Darren Stevens <darren@stevens-zone.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/prom_init.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/kernel/prom_init.c
+++ b/arch/powerpc/kernel/prom_init.c
@@ -2635,6 +2635,9 @@ static void __init prom_find_boot_cpu(vo
 
 	cpu_pkg = call_prom("instance-to-package", 1, 1, prom_cpu);
 
+	if (!PHANDLE_VALID(cpu_pkg))
+		return;
+
 	prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval));
 	prom.cpu = be32_to_cpu(rval);
 
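Review bot: the return value of `prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval))` is still ignored, so even with the new PHANDLE_VALID() check a failed property read feeds whatever rval held into `prom.cpu = be32_to_cpu(rval)`. Check the call against PROM_ERROR in the same way. The new early return is also silent; a prom_debug() line there would make the firmware failure visible during bring-up.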

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 228/370] net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (263 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 361/370] sit: fix a double free on error path Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 323/370] cdc_ncm: workaround for EM7455 "silent" data interface Ben Hutchings
                   ` (106 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jack Morgenstein, Tariq Toukan, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 9577b174cd0323d287c994ef0891db71666d0765 upstream.

When running SRIOV, warnings for SRQ LIMIT events flood the Hypervisor's
message log when (correct, normally operating) apps use SRQ LIMIT events
as a trigger to post WQEs to SRQs.

Add more information to the existing debug printout for SRQ_LIMIT, and
output the warning messages only for the SRQ CATAS ERROR event.

Fixes: acba2420f9d2 ("mlx4_core: Add wrapper functions and comm channel and slave event support to EQs")
Fixes: e0debf9cb50d ("mlx4_core: Reduce warning message for SRQ_LIMIT event to debug level")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/eq.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
@@ -506,8 +506,9 @@ static int mlx4_eq_int(struct mlx4_dev *
 			break;
 
 		case MLX4_EVENT_TYPE_SRQ_LIMIT:
-			mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT\n",
-				 __func__);
+			mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT. srq_no=0x%x, eq 0x%x\n",
+				 __func__, be32_to_cpu(eqe->event.srq.srqn),
+				 eq->eqn);
 		case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR:
 			if (mlx4_is_master(dev)) {
 				/* forward only to slave owning the SRQ */
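Review bot: `case MLX4_EVENT_TYPE_SRQ_LIMIT:` ends at the extended mlx4_dbg() call and drops into `case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR:` without a break or a fall-through comment. The second hunk relies on that, since it tests eqe->type inside the shared body, so add a `/* fall through */` comment after the mlx4_dbg() call to make the intent explicit.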
@@ -522,15 +523,19 @@ static int mlx4_eq_int(struct mlx4_dev *
 						  eq->eqn, eq->cons_index, ret);
 					break;
 				}
-				mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n",
-					  __func__, slave,
-					  be32_to_cpu(eqe->event.srq.srqn),
-					  eqe->type, eqe->subtype);
+				if (eqe->type ==
+				    MLX4_EVENT_TYPE_SRQ_CATAS_ERROR)
+					mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n",
+						  __func__, slave,
+						  be32_to_cpu(eqe->event.srq.srqn),
+						  eqe->type, eqe->subtype);
 
 				if (!ret && slave != dev->caps.function) {
-					mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n",
-						  __func__, eqe->type,
-						  eqe->subtype, slave);
+					if (eqe->type ==
+					    MLX4_EVENT_TYPE_SRQ_CATAS_ERROR)
+						mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n",
+							  __func__, eqe->type,
+							  eqe->subtype, slave);
 					mlx4_slave_event(dev, slave, eqe);
 					break;
 				}

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 253/370] USB: serial: option: add device ID for HP lt2523 (Novatel E371)
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2017-03-10 11:46   ` Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 232/370] selftest/powerpc: Wrong PMC initialized in pmc56_overflow test Ben Hutchings
                   ` (117 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Bjørn Mork

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bjorn@mork.no>

commit 5d03a2fd2292e71936c4235885c35ccc3c94695b upstream.

Yet another laptop vendor rebranded Novatel E371.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2018,6 +2018,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
 	{ } /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, option_ids);
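Review bot: the new entry uses bare `0x03f0, 0x421d` while the neighbouring entries in this table use named vendor and product constants (WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300). Add defines for the HP vendor ID and the lt2523 product ID and use them here, keeping the trailing comment.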

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 363/370] igmp: do not remove igmp souce list info when set link down
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (313 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 213/370] USB: serial: ch341: fix control-message error handling Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 357/370] tun: Fix TUN_PKT_STRIP setting Ben Hutchings
                   ` (56 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Hangbin Liu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 24803f38a5c0b6c57ed800b47e695f9ce474bc3a upstream.

In commit 24cf3af3fed5 ("igmp: call ip_mc_clear_src..."), we forgot to remove
igmpv3_clear_delrec() in ip_mc_down(), which also called ip_mc_clear_src().
This makes us clear all IGMPv3 source filter info after NETDEV_DOWN.
Move igmpv3_clear_delrec() to ip_mc_destroy_dev() and then no need
ip_mc_clear_src() in ip_mc_destroy_dev().

On the other hand, we should restore back instead of free all source filter
info in igmpv3_del_delrec(). Or we will not be able to restore IGMPv3 source
filter info after NETDEV_UP and NETDEV_POST_TYPE_CHANGE.

Fixes: 24cf3af3fed5 ("igmp: call ip_mc_clear_src() only when ...")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: use IGMP_Unsolicited_Report_Count instead of
 sysctl_igmp_qrv]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -164,7 +164,7 @@ static int unsolicited_report_interval(s
 }
 
 static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im);
-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr);
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im);
 static void igmpv3_clear_delrec(struct in_device *in_dev);
 static int sf_setstate(struct ip_mc_list *pmc);
 static void sf_markstate(struct ip_mc_list *pmc);
@@ -1109,10 +1109,14 @@ static void igmpv3_add_delrec(struct in_
 	spin_unlock_bh(&in_dev->mc_tomb_lock);
 }
 
-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr)
+/*
+ * restore ip_mc_list deleted records
+ */
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im)
 {
 	struct ip_mc_list *pmc, *pmc_prev;
-	struct ip_sf_list *psf, *psf_next;
+	struct ip_sf_list *psf;
+	__be32 multiaddr = im->multiaddr;
 
 	spin_lock_bh(&in_dev->mc_tomb_lock);
 	pmc_prev = NULL;
@@ -1128,16 +1132,26 @@ static void igmpv3_del_delrec(struct in_
 			in_dev->mc_tomb = pmc->next;
 	}
 	spin_unlock_bh(&in_dev->mc_tomb_lock);
+
+	spin_lock_bh(&im->lock);
 	if (pmc) {
-		for (psf = pmc->tomb; psf; psf = psf_next) {
-			psf_next = psf->sf_next;
-			kfree(psf);
+		im->interface = pmc->interface;
+		im->crcount = in_dev->mr_qrv ?: IGMP_Unsolicited_Report_Count;
+		im->sfmode = pmc->sfmode;
+		if (pmc->sfmode == MCAST_INCLUDE) {
+			im->tomb = pmc->tomb;
+			im->sources = pmc->sources;
+			for (psf = im->sources; psf; psf = psf->sf_next)
+				psf->sf_crcount = im->crcount;
 		}
 		in_dev_put(pmc->interface);
-		kfree(pmc);
 	}
+	spin_unlock_bh(&im->lock);
 }
 
+/*
+ * flush ip_mc_list deleted records
+ */
 static void igmpv3_clear_delrec(struct in_device *in_dev)
 {
 	struct ip_mc_list *pmc, *nextpmc;
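Review bot: in the rewritten igmpv3_del_delrec(), pmc is unlinked from in_dev->mc_tomb but never freed: the `kfree(pmc)` after in_dev_put() is removed and nothing replaces it. In addition, when pmc->sfmode is not MCAST_INCLUDE, the pmc->tomb list that the old loop freed is neither handed to im nor released. Free pmc after the restore, clearing pmc->tomb and pmc->sources first in the INCLUDE case so the lists now owned by im are not released with it, and free the tomb list in the other case.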
@@ -1335,7 +1349,7 @@ void ip_mc_inc_group(struct in_device *i
 	ip_mc_hash_add(in_dev, im);
 
 #ifdef CONFIG_IP_MULTICAST
-	igmpv3_del_delrec(in_dev, im->multiaddr);
+	igmpv3_del_delrec(in_dev, im);
 #endif
 	igmp_group_added(im);
 	if (!in_dev->dead)
@@ -1426,8 +1440,12 @@ void ip_mc_remap(struct in_device *in_de
 
 	ASSERT_RTNL();
 
-	for_each_pmc_rtnl(in_dev, pmc)
+	for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+		igmpv3_del_delrec(in_dev, pmc);
+#endif
 		igmp_group_added(pmc);
+	}
 }
 
 /* Device going down */
@@ -1448,7 +1466,6 @@ void ip_mc_down(struct in_device *in_dev
 	in_dev->mr_gq_running = 0;
 	if (del_timer(&in_dev->mr_gq_timer))
 		__in_dev_put(in_dev);
-	igmpv3_clear_delrec(in_dev);
 #endif
 
 	ip_mc_dec_group(in_dev, IGMP_ALL_HOSTS);
@@ -1479,8 +1496,12 @@ void ip_mc_up(struct in_device *in_dev)
 
 	ip_mc_inc_group(in_dev, IGMP_ALL_HOSTS);
 
-	for_each_pmc_rtnl(in_dev, pmc)
+	for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+		igmpv3_del_delrec(in_dev, pmc);
+#endif
 		igmp_group_added(pmc);
+	}
 }
 
 /*
@@ -1495,13 +1516,13 @@ void ip_mc_destroy_dev(struct in_device
 
 	/* Deactivate timers */
 	ip_mc_down(in_dev);
+#ifdef CONFIG_IP_MULTICAST
+	igmpv3_clear_delrec(in_dev);
+#endif
 
 	while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
 		in_dev->mc_list = i->next_rcu;
 		in_dev->mc_count--;
-
-		/* We've dropped the groups in ip_mc_down already */
-		ip_mc_clear_src(i);
 		ip_ma_put(i);
 	}
 }

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 351/370] qmi_wwan/cdc_ether: add device ID for HP lt2523  (Novatel E371) WWAN card
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (223 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 294/370] net/sock: Add sock_efree() function Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 338/370] sock: fix sendmmsg for partial sendmsg Ben Hutchings
                   ` (146 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Williams, David S. Miller, Bjørn Mork

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bjorn@mork.no>

[ Upstream commit 5b9f57516337b523f7466a53939aaaea7b78141b ]

Another rebranded Novatel E371.  qmi_wwan should drive this device, while
cdc_ether should ignore it.  Even though the USB descriptors are plain
CDC-ETHER that USB interface is a QMI interface.  Ref commit 7fdb7846c9ca
("qmi_wwan/cdc_ether: add device IDs for Dell 5804 (Novatel E371) WWAN
card")

Cc: Dan Williams <dcbw@redhat.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/usb/cdc_ether.c | 8 ++++++++
 drivers/net/usb/qmi_wwan.c  | 7 +++++++
 2 files changed, 15 insertions(+)

--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -502,6 +502,7 @@ static const struct driver_info wwan_inf
 #define DELL_VENDOR_ID		0x413C
 #define REALTEK_VENDOR_ID	0x0bda
 #define SAMSUNG_VENDOR_ID	0x04e8
+#define HP_VENDOR_ID		0x03f0
 
 static const struct usb_device_id	products[] = {
 /* BLACKLIST !!
@@ -648,6 +649,13 @@ static const struct usb_device_id	produc
 	.driver_info = 0,
 },
 
+/* HP lt2523 (Novatel E371) - handled by qmi_wwan */
+{
+	USB_DEVICE_AND_INTERFACE_INFO(HP_VENDOR_ID, 0x421d, USB_CLASS_COMM,
+				      USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+	.driver_info = 0,
+},
+
 /* AnyDATA ADU960S - handled by qmi_wwan */
 {
 	USB_DEVICE_AND_INTERFACE_INFO(0x16d5, 0x650a, USB_CLASS_COMM,
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -535,6 +535,13 @@ static const struct usb_device_id produc
 					      USB_CDC_PROTO_NONE),
 		.driver_info        = (unsigned long)&qmi_wwan_info,
 	},
+	{	/* HP lt2523 (Novatel E371) */
+		USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d,
+					      USB_CLASS_COMM,
+					      USB_CDC_SUBCLASS_ETHERNET,
+					      USB_CDC_PROTO_NONE),
+		.driver_info        = (unsigned long)&qmi_wwan_info,
+	},
 	{	/* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */
 		USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x581d, USB_CLASS_VENDOR_SPEC, 1, 7),
 		.driver_info = (unsigned long)&qmi_wwan_info,

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 241/370] arm64: avoid returning from bad_mode
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (272 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 233/370] can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 259/370] USB: Add quirk for WORLDE easykey.25 MIDI keyboard Ben Hutchings
                   ` (97 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Will Deacon, Mark Salter, Catalin Marinas, Mark Rutland

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 7d9e8f71b989230bc613d121ca38507d34ada849 upstream.

Generally, taking an unexpected exception should be a fatal event, and
bad_mode is intended to cater for this. However, it should be possible
to contain unexpected synchronous exceptions from EL0 without bringing
the kernel down, by sending a SIGILL to the task.

We tried to apply this approach in commit 9955ac47f4ba1c95 ("arm64:
don't kill the kernel on a bad esr from el0"), by sending a signal for
any bad_mode call resulting from an EL0 exception.

However, this also applies to other unexpected exceptions, such as
SError and FIQ. The entry paths for these exceptions branch to bad_mode
without configuring the link register, and have no kernel_exit. Thus, if
we take one of these exceptions from EL0, bad_mode will eventually
return to the original user link register value.

This patch fixes this by introducing a new bad_el0_sync handler to cater
for the recoverable case, and restoring bad_mode to its original state,
whereby it calls panic() and never returns. The recoverable case
branches to bad_el0_sync with a bl, and returns to userspace via the
usual ret_to_user mechanism.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 9955ac47f4ba1c95 ("arm64: don't kill the kernel on a bad esr from el0")
Reported-by: Mark Salter <msalter@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[bwh: Backported to 3.16:
 - Leave type out of the log message as we don't have esr_get_class_string()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/entry.S |  2 +-
 arch/arm64/kernel/traps.c | 28 ++++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 5 deletions(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -491,7 +491,7 @@ el0_inv:
 	mov	x0, sp
 	mov	x1, #BAD_SYNC
 	mrs	x2, esr_el1
-	b	bad_mode
+	b	bad_el0_sync
 ENDPROC(el0_sync)
 
 	.align	6
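
Review bot: the replacement at the end of el0_inv is a plain
"b bad_el0_sync", but the commit message says the recoverable case
branches "with a bl" and returns through ret_to_user, and traps.c
documents bad_el0_sync as a function that returns. With "b", the return
address is whatever lr holds at that point, which is the problem the
message describes for the SError and FIQ paths. The backport note lists
only the log message and context as changes, so please either confirm
that lr already points at ret_to_user when el0_inv is reached in 3.16
(not visible in this context) and say so in the note, or use
"bl bad_el0_sync" followed by "b ret_to_user".
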
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -309,16 +309,33 @@ asmlinkage long do_ni_syscall(struct pt_
 }
 
 /*
- * bad_mode handles the impossible case in the exception vector.
+ * bad_mode handles the impossible case in the exception vector. This is always
+ * fatal.
  */
 asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
 {
-	siginfo_t info;
-	void __user *pc = (void __user *)instruction_pointer(regs);
 	console_verbose();
 
 	pr_crit("Bad mode in %s handler detected, code 0x%08x\n",
 		handler[reason], esr);
+
+	die("Oops - bad mode", regs, 0);
+	local_irq_disable();
+	panic("bad mode");
+}
+
+/*
+ * bad_el0_sync handles unexpected, but potentially recoverable synchronous
+ * exceptions taken from EL0. Unlike bad_mode, this returns.
+ */
+asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
+{
+	siginfo_t info;
+	void __user *pc = (void __user *)instruction_pointer(regs);
+	console_verbose();
+
+	pr_crit("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x\n",
+		smp_processor_id(), esr);
 	__show_regs(regs);
 
 	info.si_signo = SIGILL;
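
Review bot: bad_el0_sync() is reachable from userspace by design, yet it
calls console_verbose() and an unratelimited pr_crit() plus
__show_regs() on every hit, so a task that can raise such an exception
repeatedly can raise the console log level and flood the log. Consider
dropping console_verbose() from this path and using
pr_crit_ratelimited(). Also, "reason" is accepted but not used in the
visible lines; a short comment that it is kept to match the register
setup in el0_inv would help.
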
@@ -326,7 +343,10 @@ asmlinkage void bad_mode(struct pt_regs
 	info.si_code  = ILL_ILLOPC;
 	info.si_addr  = pc;
 
-	arm64_notify_die("Oops - bad mode", regs, &info, 0);
+	current->thread.fault_address = 0;
+	current->thread.fault_code = 0;
+
+	force_sig_info(info.si_signo, &info, current);
 }
 
 void __pte_error(const char *file, int line, unsigned long val)
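
Review bot: the tail of bad_el0_sync() now signals current
unconditionally with force_sig_info(), where the old call was
arm64_notify_die("Oops - bad mode", ...). That is only correct while
el0_inv is the sole caller; the function is asmlinkage and non-static,
so a BUG_ON(!user_mode(regs)) at its top would enforce what the new
comment promises. The two current->thread.fault_* resets would also
benefit from a one-line comment saying why they are cleared here.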


* [PATCH 3.16 225/370] be2net: fix status check in be_cmd_pmac_add()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sathya Perla, Ivan Vecera, Ajit Khaparde, David S. Miller,
	Sriharsha Basavapatna, Somnath Kotur

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Vecera <cera@cera.cz>

commit fe68d8bfe59c561664aa87d827aa4b320eb08895 upstream.

Return value from be_mcc_notify_wait() contains a base completion status
together with an additional status. The base_status() macro needs to be
used to access base status.

Fixes: e3a7ae2 be2net: Changing MAC Address of a VF was broken
Cc: Sathya Perla <sathya.perla@broadcom.com>
Cc: Ajit Khaparde <ajit.khaparde@broadcom.com>
Cc: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Cc: Somnath Kotur <somnath.kotur@broadcom.com>
Signed-off-by: Ivan Vecera <cera@cera.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -1008,7 +1008,7 @@ int be_cmd_pmac_add(struct be_adapter *a
 err:
 	spin_unlock_bh(&adapter->mcc_lock);
 
-	 if (status == MCC_STATUS_UNAUTHORIZED_REQUEST)
+	 if (base_status(status) == MCC_STATUS_UNAUTHORIZED_REQUEST)
 		status = -EPERM;
 
 	return status;
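
Review bot: only the MCC_STATUS_UNAUTHORIZED_REQUEST case after the err:
label is translated; every other failure still leaves through
"return status;" as the raw value that, per the commit message, combines
the base completion status with the additional status. Callers that
compare the return value against an MCC_STATUS_* constant would hit the
same mismatch, so please check them or return base_status(status) here.
The changed line also keeps the stray space after the tab in front of
"if".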


* [PATCH 3.16 365/370] igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel Borkmann, Hangbin Liu, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 9c8bb163ae784be4f79ae504e78c862806087c54 upstream.

In function igmpv3/mld_add_delrec() we allocate pmc and put it in
idev->mc_tomb, so we should free it when we don't need it in del_delrec().
But I removed kfree(pmc) incorrectly in the latest two patches. Now fix it.

Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when ...")
Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when ...")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c  | 1 +
 net/ipv6/mcast.c | 1 +
 2 files changed, 2 insertions(+)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1145,6 +1145,7 @@ static void igmpv3_del_delrec(struct in_
 				psf->sf_crcount = im->crcount;
 		}
 		in_dev_put(pmc->interface);
+		kfree(pmc);
 	}
 	spin_unlock_bh(&im->lock);
 }
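
Review bot: the added kfree(pmc) in igmpv3_del_delrec() is only correct
if nothing else in the function still frees pmc, which depends on
24803f38a5c0 from the Fixes: tag being present in 3.16.y. Please confirm
that commit is queued ahead of this one in the series, because applied
without it this line would be a double free rather than a leak fix.
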
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -814,6 +814,7 @@ static void mld_del_delrec(struct inet6_
 				psf->sf_crcount = im->mca_crcount;
 		}
 		in6_dev_put(pmc->idev);
+		kfree(pmc);
 	}
 	spin_unlock_bh(&im->mca_lock);
 }
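
Review bot: in mld_del_delrec() the context above kfree(pmc) shows
source entries being updated ("psf->sf_crcount = im->mca_crcount") but
not whether the source lists that belonged to pmc were handed over to im
before pmc is released. If ownership was transferred, a one-line comment
next to the kfree saying that only the container is freed would make it
clear that nothing is leaked or left dangling.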


* [PATCH 3.16 244/370] nbd: only set MSG_MORE when we have more to send
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Josef Bacik, Jens Axboe

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jbacik@fb.com>

commit d61b7f972dab2a7d187c38254845546dfc8eed85 upstream.

A user noticed that write performance was horrible over loopback and we
traced it to an inversion of when we need to set MSG_MORE.  It should be
set when we have more bvec's to send, not when we are on the last bvec.
This patch made the test go from 20 iops to 78k iops.

Signed-off-by: Josef Bacik <jbacik@fb.com>
Fixes: 429a787be679 ("nbd: fix use-after-free of rq/bio in the xmit path")
Signed-off-by: Jens Axboe <axboe@fb.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/block/nbd.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -239,7 +239,7 @@ static inline int sock_send_bvec(struct
 /* always call with the tx_lock held */
 static int nbd_send_req(struct nbd_device *nbd, struct request *req)
 {
-	int result, flags;
+	int result;
 	struct nbd_request request;
 	unsigned long size = blk_rq_bytes(req);
 	struct bio *bio;
@@ -270,7 +270,6 @@ static int nbd_send_req(struct nbd_devic
 	if (nbd_cmd(req) != NBD_CMD_WRITE)
 		return 0;
 
-	flags = 0;
 	bio = req->bio;
 	while (bio) {
 		struct bio *next = bio->bi_next;
@@ -279,9 +278,8 @@ static int nbd_send_req(struct nbd_devic
 
 		bio_for_each_segment(bvec, bio, iter) {
 			bool is_last = !next && bio_iter_last(bvec, iter);
+			int flags = is_last ? 0 : MSG_MORE;
 
-			if (is_last)
-				flags = MSG_MORE;
 			dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n",
 					nbd->disk->disk_name, req, bvec.bv_len);
 			result = sock_send_bvec(nbd, &bvec, flags);
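
Review bot: the new "int flags = is_last ? 0 : MSG_MORE;" is right, but
nothing in the loop says why, and this condition has already been
inverted once (see the Fixes: tag). A short comment above it stating
that MSG_MORE is set for every segment except the final one of the
request would guard against a repeat. Note that flags used to persist
across iterations and is now recomputed per segment, which is worth
calling out in the commit message as the intended behaviour change.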


* [PATCH 3.16 368/370] ipc/shm: Fix shmat mmap nil-page protection
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Manfred Spraul, Davidlohr Bueso, Linus Torvalds,
	Davidlohr Bueso, Michael Kerrisk, Gareth Evans

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Davidlohr Bueso <dave@stgolabs.net>

commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.

The issue is described here, with a nice testcase:

    https://bugzilla.kernel.org/show_bug.cgi?id=192931

The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
the address rounded down to 0.  For the regular mmap case, the
protection mentioned above is that the kernel gets to generate the
address -- arch_get_unmapped_area() will always check for MAP_FIXED and
return that address.  So by the time we do security_mmap_addr(0) things
get funky for shmat().

The testcase itself shows that while a regular user crashes, root will
not have a problem attaching a nil-page.  There are two possible fixes
to this.  The first, and which this patch does, is to simply allow root
to crash as well -- this is also regular mmap behavior, ie when hacking
up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
is the safer option, the second alternative is to ignore SHM_RND if the
rounded address is 0, thus only having MAP_SHARED flags.  This makes the
behavior of shmat() identical to the mmap() case.  The downside of this
is obviously user visible, but does make sense in that it maintains
semantics after the round-down wrt 0 address and mmap.

Passes shm related ltp tests.

Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 ipc/shm.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1044,8 +1044,8 @@ out_unlock1:
  * "raddr" thing points to kernel space, and there has to be a wrapper around
  * this.
  */
-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
-	      unsigned long shmlba)
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
+	      ulong *raddr, unsigned long shmlba)
 {
 	struct shmid_kernel *shp;
 	unsigned long addr;
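
Review bot: this hunk only re-wraps the do_shmat() parameter list; the
signature itself is unchanged. In a stable backport of a
security-relevant fix that is unrelated churn, which makes the
functional change harder to audit and can conflict with later backports
to ipc/shm.c. Unless matching upstream byte for byte is the goal,
consider dropping it from the 3.16 version.
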
@@ -1066,8 +1066,13 @@ long do_shmat(int shmid, char __user *sh
 		goto out;
 	else if ((addr = (ulong)shmaddr)) {
 		if (addr & (shmlba - 1)) {
-			if (shmflg & SHM_RND)
-				addr &= ~(shmlba - 1);	   /* round down */
+			/*
+			 * Round down to the nearest multiple of shmlba.
+			 * For sane do_mmap_pgoff() parameters, avoid
+			 * round downs that trigger nil-page and MAP_FIXED.
+			 */
+			if ((shmflg & SHM_RND) && addr >= shmlba)
+				addr &= ~(shmlba - 1);
 			else
 #ifndef __ARCH_FORCE_SHMLBA
 				if (addr & ~PAGE_MASK)
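
Review bot: with the added "addr >= shmlba" test, a SHM_RND request
whose address is below shmlba now falls into the "else" arm, and what
happens there depends on the "#ifndef __ARCH_FORCE_SHMLBA" block: where
it is compiled in, the visible check is only "addr & ~PAGE_MASK". The
new comment explains why the round-down is skipped but not what the
caller gets instead. Please spell out the resulting behaviour for both
configurations, and consider bracing the if/else so the
preprocessor-split "else" is easier to follow.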


* [PATCH 3.16 350/370] ipv6: addrconf: Avoid addrconf_disable_change() using  RCU read-side lock
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kefeng Wang, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kefeng Wang <wangkefeng.wang@huawei.com>

[ Upstream commit 03e4deff4987f79c34112c5ba4eb195d4f9382b0 ]

Just like commit 4acd4945cd1e ("ipv6: addrconf: Avoid calling
netdevice notifiers with RCU read-side lock"), it is unnecessary
to make addrconf_disable_change() use RCU iteration over the
netdev list, since it already holds the RTNL lock, or we may meet
Illegal context switch in RCU read-side critical section.

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/addrconf.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4837,8 +4837,7 @@ static void addrconf_disable_change(stru
 	struct net_device *dev;
 	struct inet6_dev *idev;
 
-	rcu_read_lock();
-	for_each_netdev_rcu(net, dev) {
+	for_each_netdev(net, dev) {
 		idev = __in6_dev_get(dev);
 		if (idev) {
 			int changed = (!idev->cnf.disable_ipv6) ^ (!newf);
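
Review bot: dropping rcu_read_lock() and switching to for_each_netdev()
makes the walk depend entirely on the caller holding RTNL, which the
commit message states but the code does not. An ASSERT_RTNL() at the
top of addrconf_disable_change() would document the requirement and
catch a future caller that reaches this loop without the lock.
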
@@ -4847,7 +4846,6 @@ static void addrconf_disable_change(stru
 				dev_disable_change(idev);
 		}
 	}
-	rcu_read_unlock();
 }
 
 static int addrconf_disable_ipv6(struct ctl_table *table, int *p, int newf)


* [PATCH 3.16 242/370] tcp: initialize max window for a new fastopen socket
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexey Kodanev, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <alexey.kodanev@oracle.com>

commit 0dbd7ff3ac5017a46033a9d0a87a8267d69119d9 upstream.

Found that if we run LTP netstress test with large MSS (65K),
the first attempt from server to send data comparable to this
MSS on fastopen connection will be delayed by the probe timer.

Here is an example:

     < S  seq 0:0 win 43690 options [mss 65495 wscale 7 tfo cookie] length 32
     > S. seq 0:0 ack 1 win 43690 options [mss 65495 wscale 7] length 0
     < .  ack 1 win 342 length 0

Inside tcp_sendmsg(), tcp_send_mss() returns max MSS in 'mss_now',
as well as in 'size_goal'. This results in the segment not being queued
for transmission until all the data is copied from the user buffer. Then,
inside __tcp_push_pending_frames(), it breaks on send window test and
continues with the check probe timer.

Fragmentation occurs in tcp_write_wakeup()...

+0.2 > P. seq 1:43777 ack 1 win 342 length 43776
     < .  ack 43777, win 1365 length 0
     > P. seq 43777:65001 ack 1 win 342 options [...] length 21224
     ...

This also contradicts the fact that we should bound to half of the
window if it is large.

Fix this flaw by correctly initializing max_window. Before that, it
could have large values that affect further calculations of 'size_goal'.

Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_fastopen.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -164,6 +164,7 @@ static bool tcp_fastopen_create_child(st
 	 * scaled. So correct it appropriately.
 	 */
 	tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
+	tp->max_window = tp->snd_wnd;
 
 	/* Activate the retrans timer so that SYNACK can be retransmitted.
 	 * The request socket is not added to the SYN table of the parent
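
Review bot: the added "tp->max_window = tp->snd_wnd;" sits under a
comment that only talks about snd_wnd and window scaling. Since, per the
commit message, an uninitialised max_window is what skews 'size_goal',
extend that comment to say max_window is seeded from the same SYN window
value, so the assignment is not taken for redundant in a later cleanup.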


* [PATCH 3.16 201/370] USB: serial: ch341: fix modem-control and B0 handling
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 030ee7ae52a46a2be52ccc8242c4a330aba8d38e upstream.

The modem-control signals are managed by the tty-layer during open and
should not be asserted prematurely when set_termios is called from
driver open.

Also make sure that the signals are asserted only when changing speed
from B0.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -357,10 +357,6 @@ static void ch341_set_termios(struct tty
 	ctrl = CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8;
 
 	if (baud_rate) {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
-		spin_unlock_irqrestore(&priv->lock, flags);
-
 		priv->baud_rate = baud_rate;
 
 		r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
@@ -368,13 +364,14 @@ static void ch341_set_termios(struct tty
 			priv->baud_rate = tty_termios_baud_rate(old_termios);
 			tty_termios_copy_hw(&tty->termios, old_termios);
 		}
-	} else {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
-		spin_unlock_irqrestore(&priv->lock, flags);
 	}
 
-	ch341_set_handshake(port->serial->dev, priv->line_control);
+	spin_lock_irqsave(&priv->lock, flags);
+	if (C_BAUD(tty) == B0)
+		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
+	else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
+		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 	/* Unimplemented:
 	 * (cflag & CSIZE) : data bits [5, 8]
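
Review bot: as posted, this hunk removes the
"ch341_set_handshake(port->serial->dev, priv->line_control);" call, and
the added lines only update priv->line_control under priv->lock. Nothing
visible after spin_unlock_irqrestore() writes the new DTR/RTS state to
the device, so a change to or from B0 would alter the cached value only.
The diffstat also reports 7 insertions while the two hunks contain 6
added lines. Please check that the call after the unlock was not lost
in the backport.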


* [PATCH 3.16 360/370] mlx4: Invoke softirqs after napi_reschedule
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Benjamin Poirier,
	Eric Dumazet, Tariq Toukan

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Poirier <bpoirier@suse.com>

[ Upstream commit bd4ce941c8d5b862b2f83364be5dbe8fc8ab48f8 ]

mlx4 may schedule napi from a workqueue. Afterwards, softirqs are not run
in a deterministic time frame and the following message may be logged:
NOHZ: local_softirq_pending 08

The problem is the same as what was described in commit ec13ee80145c
("virtio_net: invoke softirqs after __napi_schedule") and this patch
applies the same fix to mlx4.

Fixes: 07841f9d94c1 ("net/mlx4_en: Schedule napi when RX buffers allocation fails")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/en_rx.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -506,8 +506,11 @@ void mlx4_en_recover_from_oom(struct mlx
 		return;
 
 	for (ring = 0; ring < priv->rx_ring_num; ring++) {
-		if (mlx4_en_is_ring_empty(priv->rx_ring[ring]))
+		if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) {
+			local_bh_disable();
 			napi_reschedule(&priv->rx_cq[ring]->napi);
+			local_bh_enable();
+		}
 	}
 }
 
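
Review bot: the local_bh_disable()/local_bh_enable() pair is placed
inside the per-ring "if", so pending softirqs are run once for every
empty ring. Wrapping the whole "for" loop in a single pair would
reschedule all rings and then process softirqs once. Either way, a brief
comment that local_bh_enable() is there to run the softirq raised by
napi_reschedule() from workqueue context would explain a pair that
otherwise looks like it protects nothing.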


* [PATCH 3.16 202/370] USB: serial: ch341: fix open error handling
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit f2950b78547ffb8475297ada6b92bc2d774d5461 upstream.

Make sure to stop the interrupt URB before returning on errors during
open.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -318,7 +318,7 @@ static int ch341_open(struct tty_struct
 
 	r = ch341_configure(serial->dev, priv);
 	if (r)
-		goto out;
+		return r;
 
 	if (tty)
 		ch341_set_termios(tty, port, NULL);
@@ -328,12 +328,19 @@ static int ch341_open(struct tty_struct
 	if (r) {
 		dev_err(&port->dev, "%s - failed to submit interrupt urb: %d\n",
 			__func__, r);
-		goto out;
+		return r;
 	}
 
 	r = usb_serial_generic_open(tty, port);
+	if (r)
+		goto err_kill_interrupt_urb;
+
+	return 0;
+
+err_kill_interrupt_urb:
+	usb_kill_urb(port->interrupt_in_urb);
 
-out:	return r;
+	return r;
 }
 
 /* Old_termios contains the original termios settings and
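
Review bot: the usb_serial_generic_open() failure that reaches
err_kill_interrupt_urb returns without any message, while the interrupt
URB submit failure just above it logs through dev_err(). A matching
dev_err() before the "goto", or a comment that the generic open reports
its own errors, would keep the open error paths consistent.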


* [PATCH 3.16 245/370] ARM: dts: da850-evm: fix read access to SPI flash
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Fabien Parent, Olof Johansson, Sekhar Nori, Kevin Hilman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabien Parent <fparent@baylibre.com>

commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.

Read access to the SPI flash is broken on da850-evm, i.e. the data
read is not what is actually programmed on the flash.
According to the datasheet for the M25P64 part present on the da850-evm,
if the SPI frequency is higher than 20MHz then the READ command is not
usable anymore and only the FAST_READ command can be used to read data.

This commit specifies in the DTS that we should use FAST_READ command
instead of the READ command.

Tested-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Fabien Parent <fparent@baylibre.com>
[nsekhar@ti.com: subject line adjustment]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>

Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/da850-evm.dts | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/da850-evm.dts
+++ b/arch/arm/boot/dts/da850-evm.dts
@@ -59,6 +59,7 @@
 				#size-cells = <1>;
 				compatible = "m25p64";
 				spi-max-frequency = <30000000>;
+				m25p,fast-read;
 				reg = <0>;
 				partition@0 {
 					label = "U-Boot-SPL";
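
Review bot: "m25p,fast-read;" is added directly below
"spi-max-frequency = <30000000>;" without saying that the two are
linked. The commit message gives the reason (READ is not usable on the
M25P64 above 20MHz); put that in a one-line comment on the property so a
later change to the frequency or a cleanup of the node does not drop it.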


* [PATCH 3.16 341/370] net/sched: pedit: make sure that offset is valid
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Amir Vadai, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Vadai <amir@vadai.me>

[ Upstream commit 95c2027bfeda21a28eb245121e6a249f38d0788e ]

Add a validation function to make sure offset is valid:
1. Not below skb head (could happen when offset is negative).
2. Validate both 'offset' and 'at'.

Signed-off-by: Amir Vadai <amir@vadai.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/act_pedit.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -103,6 +103,17 @@ static void tcf_pedit_cleanup(struct tc_
 	kfree(keys);
 }
 
+static bool offset_valid(struct sk_buff *skb, int offset)
+{
+	if (offset > 0 && offset > skb->len)
+		return false;
+
+	if  (offset < 0 && -offset > skb_headroom(skb))
+		return false;
+
+	return true;
+}
+
 static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
 		     struct tcf_result *res)
 {
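
Review bot: offset_valid() checks only where the access starts.
"offset > skb->len" accepts offset == skb->len, and neither branch
accounts for the width of the access (one byte for the 'at' lookup, a
32-bit word for the edit), so the last start positions are still left to
later checks. In the negative branch, "-offset" overflows for INT_MIN;
comparing "offset < -(int)skb_headroom(skb)" avoids the negation. The
second "if" also has a double space before the parenthesis.
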
@@ -129,6 +140,11 @@ static int tcf_pedit(struct sk_buff *skb
 			if (tkey->offmask) {
 				char *d, _d;
 
+				if (!offset_valid(skb, off + tkey->at)) {
+					pr_info("tc filter pedit 'at' offset %d out of bounds\n",
+						off + tkey->at);
+					goto bad;
+				}
 				d = skb_header_pointer(skb, off + tkey->at, 1,
 						       &_d);
 				if (!d)
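
Review bot: "off + tkey->at" is summed as plain int before it is handed
to offset_valid(), so the addition itself can wrap for extreme
configured values before the check sees it; validate the operands or use
a checked add. The new pr_info() is also on the per-packet path and is
not rate limited, so a mismatching filter can fill the log;
pr_info_ratelimited() or net_info_ratelimited() fits better here.
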
@@ -141,10 +157,10 @@ static int tcf_pedit(struct sk_buff *skb
 					" offset must be on 32 bit boundaries\n");
 				goto bad;
 			}
-			if (offset > 0 && offset > skb->len) {
-				pr_info("tc filter pedit"
-					" offset %d can't exceed pkt length %d\n",
-				       offset, skb->len);
+
+			if (!offset_valid(skb, off + offset)) {
+				pr_info("tc filter pedit offset %d out of bounds\n",
+					offset);
 				goto bad;
 			}
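
Review bot: the check is made on "off + offset" but the message prints
only "offset", unlike the 'at' message, which prints the summed value.
Print the value that was actually validated (or both off and offset) so
the log line can be matched to the failing check. The old message also
reported skb->len, which was useful context and is now gone.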
 


* [PATCH 3.16 362/370] xfs: update MAINTAINERS
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Darrick J. Wong, Dave Chinner

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit 721a0edfbe1f302b93274ce75e0d62843ca63e0d upstream.

I am taking over as XFS maintainer from Dave Chinner[1], so update
contact information and git tree pointers.

[1] http://lkml.iu.edu/hypermail/linux/kernel/1612.1/04390.html

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Dave Chinner <david@fromorbit.com>
---
 MAINTAINERS | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10057,11 +10057,11 @@ F:	arch/x86/xen/*swiotlb*
 F:	drivers/xen/*swiotlb*
 
 XFS FILESYSTEM
-M:	Dave Chinner <david@fromorbit.com>
+M:	Darrick J. Wong <darrick.wong@oracle.com>
 M:	linux-xfs@vger.kernel.org
 L:	linux-xfs@vger.kernel.org
 W:	http://xfs.org/
-T:	git git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs.git
+T:	git git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git
 S:	Supported
 F:	Documentation/filesystems/xfs.txt
 F:	fs/xfs/


* [PATCH 3.16 198/370] USB: serial: ch341: reinitialize chip on reconfiguration
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Aidan Thornton, Grigori Goronzy

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aidan Thornton <makosoft@gmail.com>

commit 4e46c410e050bcac36deadbd8e20449d078204e8 upstream.

Changing the LCR register after initialization does not seem to be reliable
on all chips (particularly not on CH341A). Restructure initialization and
configuration to always reinit the chip on configuration changes instead and
pass the LCR register value directly to the initialization command.

(Note that baud rates above 500kbaud are incorrect, but they're incorrect in
the same way both before and after this patch at least on the CH340G. Fixing
this isn't a priority as higher baud rates don't seem that reliable anyway.)

Cleaned-up version of a patch by Grigori Goronzy

Signed-off-by: Aidan Thornton <makosoft@gmail.com>
Reviewed-by: Grigori Goronzy <greg@chown.ath.cx>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -132,10 +132,10 @@ static int ch341_control_in(struct usb_d
 	return r;
 }
 
-static int ch341_set_baudrate(struct usb_device *dev,
-			      struct ch341_private *priv)
+static int ch341_init_set_baudrate(struct usb_device *dev,
+				   struct ch341_private *priv, unsigned ctrl)
 {
-	short a, b;
+	short a;
 	int r;
 	unsigned long factor;
 	short divisor;
@@ -155,11 +155,10 @@ static int ch341_set_baudrate(struct usb
 
 	factor = 0x10000 - factor;
 	a = (factor & 0xff00) | divisor;
-	b = factor & 0xff;
 
-	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
-	if (!r)
-		r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x0f2c, b);
+	/* 0x9c is "enable SFR_UART Control register and timer" */
+	r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT,
+			      0x9c | (ctrl << 8), a | 0x80);
 
 	return r;
 }
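
Review bot: The replacement call in ch341_init_set_baudrate() no longer writes the low byte of factor anywhere (`b = factor & 0xff` and its CH341_REQ_WRITE_REG to 0x0f2c are dropped), and the new `a | 0x80` in the last argument has no explanation. Only 0x9c is commented; a comment or named constants for the 0x80 bit, and a sentence on why the low factor byte is not needed with CH341_REQ_SERIAL_INIT, would make this reviewable without the datasheet. `a` is also still declared `short` although it holds a 16-bit register pattern whose top bit can be set; an unsigned type would state the intent.
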
@@ -218,10 +217,6 @@ static int ch341_configure(struct usb_de
 	if (r < 0)
 		goto out;
 
-	r = ch341_set_baudrate(dev, priv);
-	if (r < 0)
-		goto out;
-
 	/* expect two bytes 0x56 0x00 */
 	r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x2518, 0, buffer, size);
 	if (r < 0)
@@ -236,11 +231,7 @@ static int ch341_configure(struct usb_de
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0x501f, 0xd90a);
-	if (r < 0)
-		goto out;
-
-	r = ch341_set_baudrate(dev, priv);
+	r = ch341_init_set_baudrate(dev, priv, 0);
 	if (r < 0)
 		goto out;
 
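
Review bot: The literal 0 passed as ctrl in `ch341_init_set_baudrate(dev, priv, 0)` needs a comment. ch341_set_termios() passes CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8, so ch341_configure() now initialises the chip with none of the LCR enable bits set, in place of the fixed 0x501f/0xd90a values it sent before. If that is intentional because set_termios always runs before any I/O, say so in the code.
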
@@ -355,16 +346,28 @@ static void ch341_set_termios(struct tty
 	struct ch341_private *priv = usb_get_serial_port_data(port);
 	unsigned baud_rate;
 	unsigned long flags;
+	unsigned char ctrl;
+	int r;
+
+	/* redundant changes may cause the chip to lose bytes */
+	if (old_termios && !tty_termios_hw_change(&tty->termios, old_termios))
+		return;
 
 	baud_rate = tty_get_baud_rate(tty);
 
 	priv->baud_rate = baud_rate;
 
+	ctrl = CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8;
+
 	if (baud_rate) {
 		spin_lock_irqsave(&priv->lock, flags);
 		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
 		spin_unlock_irqrestore(&priv->lock, flags);
-		ch341_set_baudrate(port->serial->dev, priv);
+		r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
+		if (r < 0 && old_termios) {
+			priv->baud_rate = tty_termios_baud_rate(old_termios);
+			tty_termios_copy_hw(&tty->termios, old_termios);
+		}
 	} else {
 		spin_lock_irqsave(&priv->lock, flags);
 		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
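
Review bot: ctrl in ch341_set_termios() is hard-coded to CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8 and never looks at the requested termios, so a change of character size, parity or stop bits passes the tty_termios_hw_change() check, triggers a full reinit, and still programs 8-bit mode while, as far as this hunk shows, tty->termios keeps the requested settings. Either derive ctrl from the termios flags or copy back the unsupported bits so userspace sees what the hardware is doing. The failure path also restores state only when old_termios is non-NULL and logs nothing; a dev_err() on `r < 0` would make a failed reinit visible.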

* [PATCH 3.16 240/370] USB: serial: qcserial: add Dell DW5570 QDL
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aleksander Morgado, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksander Morgado <aleksander@aleksander.es>

commit 24d615a694d649aa2e167c3f97f62bdad07e3f84 upstream.

The Dell DW5570 is a re-branded Sierra Wireless MC8805 which will by
default boot with vid 0x413c and pid 0x81a3. When QDL download mode is
triggered, the device switches to pid 0x81a6 and provides the standard TTY
used for firmware upgrade.

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/qcserial.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -124,6 +124,7 @@ static const struct usb_device_id id_tab
 	{USB_DEVICE(0x1410, 0xa021)},	/* Novatel Gobi 3000 Composite */
 	{USB_DEVICE(0x413c, 0x8193)},	/* Dell Gobi 3000 QDL */
 	{USB_DEVICE(0x413c, 0x8194)},	/* Dell Gobi 3000 Composite */
+	{USB_DEVICE(0x413c, 0x81a6)},	/* Dell DW5570 QDL (MC8805) */
 	{USB_DEVICE(0x1199, 0x68a4)},	/* Sierra Wireless QDL */
 	{USB_DEVICE(0x1199, 0x68a5)},	/* Sierra Wireless Modem */
 	{USB_DEVICE(0x1199, 0x68a8)},	/* Sierra Wireless QDL */

* [PATCH 3.16 353/370] can: Fix kernel panic at security_sock_rcv_skb
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oliver Hartkopp, Zhang Yanmin, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit f1712c73714088a7252d276a57126d56c7d37e64 ]

Zhang Yanmin reported crashes [1] and provided a patch adding a
synchronize_rcu() call in can_rx_unregister()

The main problem seems that the sockets themselves are not RCU
protected.

If CAN uses RCU for delivery, then sockets should be freed only after
one RCU grace period.

Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's
ease stable backports with the following fix instead.

[1]
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0

Call Trace:
 <IRQ>
 [<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60
 [<ffffffff81d55771>] sk_filter+0x41/0x210
 [<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0
 [<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0
 [<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370
 [<ffffffff81f07af9>] can_receive+0xd9/0x120
 [<ffffffff81f07beb>] can_rcv+0xab/0x100
 [<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0
 [<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0
 [<ffffffff81d37f67>] process_backlog+0x127/0x280
 [<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0
 [<ffffffff810c88d4>] __do_softirq+0x184/0x440
 [<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30
 <EOI>
 [<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40
 [<ffffffff810c8bed>] do_softirq+0x1d/0x20
 [<ffffffff81d30085>] netif_rx_ni+0xe5/0x110
 [<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520
 [<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230
 [<ffffffff810e3baf>] process_one_work+0x24f/0x670
 [<ffffffff810e44ed>] worker_thread+0x9d/0x6f0
 [<ffffffff810e4450>] ? rescuer_thread+0x480/0x480
 [<ffffffff810ebafc>] kthread+0x12c/0x150
 [<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70

Reported-by: Zhang Yanmin <yanmin.zhang@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/can/core.h |  7 +++----
 net/can/af_can.c         | 12 ++++++++++--
 net/can/af_can.h         |  3 ++-
 net/can/bcm.c            |  4 ++--
 net/can/gw.c             |  2 +-
 net/can/raw.c            |  4 ++--
 6 files changed, 20 insertions(+), 12 deletions(-)

--- a/include/linux/can/core.h
+++ b/include/linux/can/core.h
@@ -45,10 +45,9 @@ struct can_proto {
 extern int  can_proto_register(const struct can_proto *cp);
 extern void can_proto_unregister(const struct can_proto *cp);
 
-extern int  can_rx_register(struct net_device *dev, canid_t can_id,
-			    canid_t mask,
-			    void (*func)(struct sk_buff *, void *),
-			    void *data, char *ident);
+int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
+		    void (*func)(struct sk_buff *, void *),
+		    void *data, char *ident, struct sock *sk);
 
 extern void can_rx_unregister(struct net_device *dev, canid_t can_id,
 			      canid_t mask,
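
Review bot: The new can_rx_register() prototype drops `extern` while the can_rx_unregister() declaration directly below keeps it, so the header now mixes both styles. Either keep `extern` here for the stable backport or convert the neighbouring declarations in the same change. Also check that struct sock is declared before this prototype, since it is a new type in this header's parameter lists.
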
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -446,6 +446,7 @@ static struct hlist_head *find_rcv_list(
  * @func: callback function on filter match
  * @data: returned parameter for callback function
  * @ident: string for calling module identification
+ * @sk: socket pointer (might be NULL)
  *
  * Description:
  *  Invokes the callback function with the received sk_buff and the given
@@ -469,7 +470,7 @@ static struct hlist_head *find_rcv_list(
  */
 int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
 		    void (*func)(struct sk_buff *, void *), void *data,
-		    char *ident)
+		    char *ident, struct sock *sk)
 {
 	struct receiver *r;
 	struct hlist_head *rl;
@@ -497,6 +498,7 @@ int can_rx_register(struct net_device *d
 		r->func    = func;
 		r->data    = data;
 		r->ident   = ident;
+		r->sk      = sk;
 
 		hlist_add_head_rcu(&r->list, rl);
 		d->entries++;
@@ -521,8 +523,11 @@ EXPORT_SYMBOL(can_rx_register);
 static void can_rx_delete_receiver(struct rcu_head *rp)
 {
 	struct receiver *r = container_of(rp, struct receiver, rcu);
+	struct sock *sk = r->sk;
 
 	kmem_cache_free(rcv_cache, r);
+	if (sk)
+		sock_put(sk);
 }
 
 /**
@@ -597,8 +602,11 @@ void can_rx_unregister(struct net_device
 	spin_unlock(&can_rcvlists_lock);
 
 	/* schedule the receiver item for deletion */
-	if (r)
+	if (r) {
+		if (r->sk)
+			sock_hold(r->sk);
 		call_rcu(&r->rcu, can_rx_delete_receiver);
+	}
 }
 EXPORT_SYMBOL(can_rx_unregister);
 
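
Review bot: The sock_hold() in can_rx_unregister() and the matching sock_put() in can_rx_delete_receiver() are split across two functions with no comment tying them together, and `r->sk = sk` in can_rx_register() stores the pointer without taking a reference. Add a comment at the `if (r->sk) sock_hold(r->sk);` site saying that the hold exists only to keep the socket alive until the RCU grace period ends, and that owners must unregister before releasing the socket; otherwise a later cleanup will read the pair as unbalanced. Note that the final sock_put() now runs from the RCU callback, so socket destruction can happen in that context.
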
--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -50,13 +50,14 @@
 
 struct receiver {
 	struct hlist_node list;
-	struct rcu_head rcu;
 	canid_t can_id;
 	canid_t mask;
 	unsigned long matches;
 	void (*func)(struct sk_buff *, void *);
 	void *data;
 	char *ident;
+	struct sock *sk;
+	struct rcu_head rcu;
 };
 
 #define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS)
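
Review bot: Moving `struct rcu_head rcu` from the second member to the end of struct receiver is not mentioned in the commit message and is not needed to add `sk`. If the reorder is deliberate, state the reason in the changelog; otherwise leave rcu where it was so the backport only adds the one field.
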
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1178,7 +1178,7 @@ static int bcm_rx_setup(struct bcm_msg_h
 				err = can_rx_register(dev, op->can_id,
 						      REGMASK(op->can_id),
 						      bcm_rx_handler, op,
-						      "bcm");
+						      "bcm", sk);
 
 				op->rx_reg_dev = dev;
 				dev_put(dev);
@@ -1187,7 +1187,7 @@ static int bcm_rx_setup(struct bcm_msg_h
 		} else
 			err = can_rx_register(NULL, op->can_id,
 					      REGMASK(op->can_id),
-					      bcm_rx_handler, op, "bcm");
+					      bcm_rx_handler, op, "bcm", sk);
 		if (err) {
 			/* this bcm rx op is broken -> remove it */
 			list_del(&op->list);
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -441,7 +441,7 @@ static inline int cgw_register_filter(st
 {
 	return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
 			       gwj->ccgw.filter.can_mask, can_can_gw_rcv,
-			       gwj, "gw");
+			       gwj, "gw", NULL);
 }
 
 static inline void cgw_unregister_filter(struct cgw_job *gwj)
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -164,7 +164,7 @@ static int raw_enable_filters(struct net
 	for (i = 0; i < count; i++) {
 		err = can_rx_register(dev, filter[i].can_id,
 				      filter[i].can_mask,
-				      raw_rcv, sk, "raw");
+				      raw_rcv, sk, "raw", sk);
 		if (err) {
 			/* clean up successfully registered filters */
 			while (--i >= 0)
@@ -185,7 +185,7 @@ static int raw_enable_errfilter(struct n
 
 	if (err_mask)
 		err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
-				      raw_rcv, sk, "raw");
+				      raw_rcv, sk, "raw", sk);
 
 	return err;
 }

* [PATCH 3.16 207/370] gro: Disable frag0 optimization on IPv6 ext headers
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Slava Shwartsman, Herbert Xu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 57ea52a865144aedbcd619ee0081155e658b6f7d upstream.

The GRO fast path caches the frag0 address.  This address becomes
invalid if frag0 is modified by pskb_may_pull or its variants.
So whenever that happens we must disable the frag0 optimization.

This is usually done through the combination of gro_header_hard
and gro_header_slow, however, the IPv6 extension header path did
the pulling directly and would continue to use the GRO fast path
incorrectly.

This patch fixes it by disabling the fast path when we enter the
IPv6 extension header path.

Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
Reported-by: Slava Shwartsman <slavash@mellanox.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netdevice.h | 9 +++++++--
 net/ipv6/ip6_offload.c    | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2016,14 +2016,19 @@ static inline int skb_gro_header_hard(st
 	return NAPI_GRO_CB(skb)->frag0_len < hlen;
 }
 
+static inline void skb_gro_frag0_invalidate(struct sk_buff *skb)
+{
+	NAPI_GRO_CB(skb)->frag0 = NULL;
+	NAPI_GRO_CB(skb)->frag0_len = 0;
+}
+
 static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
 					unsigned int offset)
 {
 	if (!pskb_may_pull(skb, hlen))
 		return NULL;
 
-	NAPI_GRO_CB(skb)->frag0 = NULL;
-	NAPI_GRO_CB(skb)->frag0_len = 0;
+	skb_gro_frag0_invalidate(skb);
 	return skb->data + offset;
 }
 
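
Review bot: skb_gro_frag0_invalidate() is added without a comment saying when it must be called. The bug fixed here was a caller pulling data directly and leaving the cached frag0 pointer stale, so a one-line comment above the helper stating that any GRO path that calls pskb_may_pull() or __pskb_pull() outside skb_gro_header_slow() has to invalidate frag0 afterwards would document the contract for future callers.
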
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -219,6 +219,7 @@ static struct sk_buff **ipv6_gro_receive
 	ops = rcu_dereference(inet6_offloads[proto]);
 	if (!ops || !ops->callbacks.gro_receive) {
 		__pskb_pull(skb, skb_gro_offset(skb));
+		skb_gro_frag0_invalidate(skb);
 		proto = ipv6_gso_pull_exthdrs(skb, proto);
 		skb_gro_pull(skb, -skb_transport_offset(skb));
 		skb_reset_transport_header(skb);

* [PATCH 3.16 361/370] sit: fix a double free on error path
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Vyukov, WANG Cong, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit d7426c69a1942b2b9b709bf66b944ff09f561484 ]

Dmitry reported a double free in sit_init_net():

  kernel BUG at mm/percpu.c:689!
  invalid opcode: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 0 PID: 15692 Comm: syz-executor1 Not tainted 4.10.0-rc6-next-20170206 #1
  Hardware name: Google Google Compute Engine/Google Compute Engine,
  BIOS Google 01/01/2011
  task: ffff8801c9cc27c0 task.stack: ffff88017d1d8000
  RIP: 0010:pcpu_free_area+0x68b/0x810 mm/percpu.c:689
  RSP: 0018:ffff88017d1df488 EFLAGS: 00010046
  RAX: 0000000000010000 RBX: 00000000000007c0 RCX: ffffc90002829000
  RDX: 0000000000010000 RSI: ffffffff81940efb RDI: ffff8801db841d94
  RBP: ffff88017d1df590 R08: dffffc0000000000 R09: 1ffffffff0bb3bdd
  R10: dffffc0000000000 R11: 00000000000135dd R12: ffff8801db841d80
  R13: 0000000000038e40 R14: 00000000000007c0 R15: 00000000000007c0
  FS:  00007f6ea608f700(0000) GS:ffff8801dbe00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000002000aff8 CR3: 00000001c8d44000 CR4: 00000000001426f0
  DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
  Call Trace:
   free_percpu+0x212/0x520 mm/percpu.c:1264
   ipip6_dev_free+0x43/0x60 net/ipv6/sit.c:1335
   sit_init_net+0x3cb/0xa10 net/ipv6/sit.c:1831
   ops_init+0x10a/0x530 net/core/net_namespace.c:115
   setup_net+0x2ed/0x690 net/core/net_namespace.c:291
   copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
   create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
   unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
   SYSC_unshare kernel/fork.c:2281 [inline]
   SyS_unshare+0x64e/0xfc0 kernel/fork.c:2231
   entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because when tunnel->dst_cache init fails, we free dev->tstats
once in ipip6_tunnel_init() and twice in sit_init_net(). This looks
redundant but its ndo_uinit() does not seem enough to clean up everything
here. So avoid this by setting dev->tstats to NULL after the first free,
at least for -net.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/sit.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1368,6 +1368,7 @@ static int ipip6_tunnel_init(struct net_
 	tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst);
 	if (!tunnel->dst_cache) {
 		free_percpu(dev->tstats);
+		dev->tstats = NULL;
 		return -ENOMEM;
 	}
 
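
Review bot: The added `dev->tstats = NULL;` works only because the later free_percpu() on the same field in the caller's cleanup then becomes a no-op, and nothing in the code says so. Add a comment next to the assignment explaining that the error path in sit_init_net() frees tstats again through ipip6_dev_free(). The commit message itself calls this a stopgap ("at least for -net"), so the comment should also name the duplicated cleanup as the thing to fix properly.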

* [PATCH 3.16 349/370] tcp: fix tcp_fastopen unaligned access complaints on  sparc
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Shannon Nelson, Eric Dumazet, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shannon Nelson <shannon.nelson@oracle.com>

[ Upstream commit 003c941057eaa868ca6fedd29a274c863167230d ]

Fix up a data alignment issue on sparc by swapping the order
of the cookie byte array field with the length field in
struct tcp_fastopen_cookie, and making it a proper union
to clean up the typecasting.

This addresses log complaints like these:
    log_unaligned: 113 callbacks suppressed
    Kernel unaligned access at TPC[976490] tcp_try_fastopen+0x2d0/0x360
    Kernel unaligned access at TPC[9764ac] tcp_try_fastopen+0x2ec/0x360
    Kernel unaligned access at TPC[9764c8] tcp_try_fastopen+0x308/0x360
    Kernel unaligned access at TPC[9764e4] tcp_try_fastopen+0x324/0x360
    Kernel unaligned access at TPC[976490] tcp_try_fastopen+0x2d0/0x360

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/tcp.h     | 7 ++++++-
 net/ipv4/tcp_fastopen.c | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -57,8 +57,13 @@ static inline unsigned int tcp_optlen(co
 
 /* TCP Fast Open Cookie as stored in memory */
 struct tcp_fastopen_cookie {
+	union {
+		u8	val[TCP_FASTOPEN_COOKIE_MAX];
+#if IS_ENABLED(CONFIG_IPV6)
+		struct in6_addr addr;
+#endif
+	};
 	s8	len;
-	u8	val[TCP_FASTOPEN_COOKIE_MAX];
 };
 
 /* This defines a selective acknowledgement block. */
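
Review bot: The comment above struct tcp_fastopen_cookie still only says "as stored in memory" and does not explain why the union exists or why `len` moved after it. A sentence noting that the `addr` member gives the cookie bytes the alignment of struct in6_addr, so the IPv6 path can use it without a cast, would keep someone from later reordering the fields or collapsing the union back into a plain array.
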
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -112,7 +112,7 @@ static bool tcp_fastopen_cookie_gen(stru
 		struct tcp_fastopen_cookie tmp;
 
 		if (__tcp_fastopen_cookie_gen(&ip6h->saddr, &tmp)) {
-			struct in6_addr *buf = (struct in6_addr *) tmp.val;
+			struct in6_addr *buf = &tmp.addr;
 			int i = 4;
 
 			for (i = 0; i < 4; i++)

* [PATCH 3.16 222/370] svcrpc: don't leak contexts on PROC_DESTROY
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, J. Bruce Fields, Andy Adamson

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfields@redhat.com>

commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.

Context expiry times are in units of seconds since boot, not unix time.

The use of get_seconds() here therefore sets the expiry time decades in
the future.  This prevents timely freeing of contexts destroyed by
client RPC_GSS_PROC_DESTROY requests.  We'd still free them eventually
(when the module is unloaded or the container shut down), but a lot of
contexts could pile up before then.

Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
Reported-by: Andy Adamson <andros@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1479,7 +1479,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
 	case RPC_GSS_PROC_DESTROY:
 		if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
 			goto auth_err;
-		rsci->h.expiry_time = get_seconds();
+		rsci->h.expiry_time = seconds_since_boot();
 		set_bit(CACHE_NEGATIVE, &rsci->h.flags);
 		if (resv->iov_len + 4 > PAGE_SIZE)
 			goto drop;
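
Review bot: The one-line change to `rsci->h.expiry_time = seconds_since_boot();` fixes the unit mismatch, but nothing at the assignment records that cache expiry times are in seconds since boot rather than wall-clock time, which is exactly what went wrong. A brief comment here, or on the field being set, would guard against get_seconds() creeping back in.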

* [PATCH 3.16 346/370] drop_monitor: consider inserted data in genlmsg_end
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Reiter Wolfgang, Neil Horman, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Reiter Wolfgang <wr0112358@gmail.com>

[ Upstream commit 3b48ab2248e61408910e792fe84d6ec466084c1a ]

Final nlmsg_len field update must reflect inserted net_dm_drop_point
data.

This patch depends on previous patch:
"drop_monitor: add missing call to genlmsg_end"

Signed-off-by: Reiter Wolfgang <wr0112358@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/drop_monitor.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -107,7 +107,6 @@ static struct sk_buff *reset_per_cpu_dat
 	}
 	msg = nla_data(nla);
 	memset(msg, 0, al);
-	genlmsg_end(skb, msg_header);
 	goto out;
 
 err:
@@ -117,6 +116,13 @@ out:
 	swap(data->skb, skb);
 	spin_unlock_irqrestore(&data->lock, flags);
 
+	if (skb) {
+		struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
+		struct genlmsghdr *gnlh = (struct genlmsghdr *)nlmsg_data(nlh);
+
+		genlmsg_end(skb, genlmsg_data(gnlh));
+	}
+
 	return skb;
 }
 
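
Review bot: In the new `if (skb)` block the variable skb no longer refers to the buffer that was allocated and filled above; after `swap(data->skb, skb)` it is the previously queued message being handed back, and the header pointers are re-derived from skb->data with casts. That is easy to misread, so add a comment saying the length is finalised on the outgoing buffer, and consider nlmsg_hdr(skb) instead of the open-coded `(struct nlmsghdr *)skb->data` cast.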

* [PATCH 3.16 337/370] sctp: assign assoc_id earlier in __sctp_connect
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Marcelo Ricardo Leitner, Neil Horman,
	Dmitry Vyukov, Xin Long, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

[ Upstream commit 7233bc84a3aeda835d334499dc00448373caf5c0 ]

sctp_wait_for_connect() currently already holds the asoc to keep it
alive during the sleep, in case another thread releases it. But Andrey
Konovalov and Dmitry Vyukov reported a use-after-free in such a
situation.

Problem is that __sctp_connect() doesn't get a ref on the asoc and will
do a read on the asoc after calling sctp_wait_for_connect(), but by then
another thread may have closed it and the _put on sctp_wait_for_connect
will actually release it, causing the use-after-free.

Fix is, instead of doing the read after waiting for the connect, do it
before so, and avoid this issue as the socket is still locked by then.
There should be no issue on returning the asoc id in case of failure as
the application shouldn't trust on that number in such situations
anyway.

This issue doesn't exist in sctp_sendmsg() path.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1217,9 +1217,12 @@ static int __sctp_connect(struct sock *s
 
 	timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
 
-	err = sctp_wait_for_connect(asoc, &timeo);
-	if ((err == 0 || err == -EINPROGRESS) && assoc_id)
+	if (assoc_id)
 		*assoc_id = asoc->assoc_id;
+	err = sctp_wait_for_connect(asoc, &timeo);
+	/* Note: the asoc may be freed after the return of
+	 * sctp_wait_for_connect.
+	 */
 
 	/* Don't free association on exit. */
 	asoc = NULL;
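
Review bot: `*assoc_id = asoc->assoc_id` is now written before sctp_wait_for_connect() and regardless of err, so callers receive an association id even when the connect fails. The commit message accepts that, but the code does not say it. Extend the new comment to state that assoc_id is stored early on purpose and is not meaningful on error, and merge the "asoc may be freed" note with the existing "Don't free association on exit" comment so the reason asoc must not be dereferenced after the wait is in one place.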

* [PATCH 3.16 226/370] net/mlx4_core: Fix racy CQ (Completion Queue) free
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matan Barak, Tariq Toukan, Jack Morgenstein, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 291c566a28910614ce42d0ffe82196eddd6346f4 upstream.

In function mlx4_cq_completion() and mlx4_cq_event(), the
radix_tree_lookup requires a rcu_read_lock.
This is mandatory: if another core frees the CQ, it could
run the radix_tree_node_rcu_free() call_rcu() callback while
it's being used by the radix tree lookup function.

Additionally, in function mlx4_cq_event(), since we are adding
the rcu lock around the radix-tree lookup, we no longer need to take
the spinlock. Also, the synchronize_irq() call for the async event
eliminates the need for incrementing the cq reference count in
mlx4_cq_event().

Other changes:
1. In function mlx4_cq_free(), replace spin_lock_irq with spin_lock:
   we no longer take this spinlock in the interrupt context.
   The spinlock here, therefore, simply protects against different
   threads simultaneously invoking mlx4_cq_free() for different cq's.

2. In function mlx4_cq_free(), we move the radix tree delete to before
   the synchronize_irq() calls. This guarantees that we will not
   access this cq during any subsequent interrupts, and therefore can
   safely free the CQ after the synchronize_irq calls. The rcu_read_lock
   in the interrupt handlers only needs to protect against corrupting the
   radix tree; the interrupt handlers may access the cq outside the
   rcu_read_lock due to the synchronize_irq calls which protect against
   premature freeing of the cq.

3. In function mlx4_cq_event(), we change the mlx_warn message to mlx4_dbg.

4. We leave the cq reference count mechanism in place, because it is
   still needed for the cq completion tasklet mechanism.

Fixes: 6d90aa5cf17b ("net/mlx4_core: Make sure there are no pending async events when freeing CQ")
Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Matan Barak <matanb@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 38 +++++++++++++++++----------------
 1 file changed, 20 insertions(+), 18 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -56,13 +56,19 @@ void mlx4_cq_completion(struct mlx4_dev
 {
 	struct mlx4_cq *cq;
 
+	rcu_read_lock();
 	cq = radix_tree_lookup(&mlx4_priv(dev)->cq_table.tree,
 			       cqn & (dev->caps.num_cqs - 1));
+	rcu_read_unlock();
+
 	if (!cq) {
 		mlx4_dbg(dev, "Completion event for bogus CQ %08x\n", cqn);
 		return;
 	}
 
+	/* Acessing the CQ outside of rcu_read_lock is safe, because
+	 * the CQ is freed only after interrupt handling is completed.
+	 */
 	++cq->arm_sn;
 
 	cq->comp(cq);
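
Review bot: The new comment in mlx4_cq_completion() misspells "Accessing" as "Acessing" (repeated in mlx4_cq_event()), and it justifies using cq after rcu_read_unlock() only by saying the CQ is freed after interrupt handling completes. Name the mechanism, the synchronize_irq() in mlx4_cq_free() that follows the radix tree delete, so the dependency on that ordering is explicit to anyone changing either function.
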
@@ -73,23 +79,19 @@ void mlx4_cq_event(struct mlx4_dev *dev,
 	struct mlx4_cq_table *cq_table = &mlx4_priv(dev)->cq_table;
 	struct mlx4_cq *cq;
 
-	spin_lock(&cq_table->lock);
-
+	rcu_read_lock();
 	cq = radix_tree_lookup(&cq_table->tree, cqn & (dev->caps.num_cqs - 1));
-	if (cq)
-		atomic_inc(&cq->refcount);
-
-	spin_unlock(&cq_table->lock);
+	rcu_read_unlock();
 
 	if (!cq) {
-		mlx4_warn(dev, "Async event for bogus CQ %08x\n", cqn);
+		mlx4_dbg(dev, "Async event for bogus CQ %08x\n", cqn);
 		return;
 	}
 
+	/* Acessing the CQ outside of rcu_read_lock is safe, because
+	 * the CQ is freed only after interrupt handling is completed.
+	 */
 	cq->event(cq, event_type);
-
-	if (atomic_dec_and_test(&cq->refcount))
-		complete(&cq->free);
 }
 
 static int mlx4_SW2HW_CQ(struct mlx4_dev *dev, struct mlx4_cmd_mailbox *mailbox,
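
Review bot: with the atomic_inc()/atomic_dec_and_test() pair removed from
mlx4_cq_event(), the CQ's lifetime in this handler depends entirely on
synchronize_irq() in mlx4_cq_free() covering the interrupt that delivers
async events. The only call visible in this patch is
synchronize_irq(priv->eq_table.eq[cq->vector].irq), while the commit message
speaks of "synchronize_irq calls" in the plural. If async events can arrive
on a different EQ interrupt than the CQ's completion vector, cq->event()
could run against a freed CQ; please confirm that the 3.16 mlx4_cq_free()
also waits for the async EQ interrupt, or keep the refcount in this handler.
The "Acessing" typo is repeated in the comment above cq->event().
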
@@ -256,9 +258,9 @@ int mlx4_cq_alloc(struct mlx4_dev *dev,
 	if (err)
 		return err;
 
-	spin_lock_irq(&cq_table->lock);
+	spin_lock(&cq_table->lock);
 	err = radix_tree_insert(&cq_table->tree, cq->cqn, cq);
-	spin_unlock_irq(&cq_table->lock);
+	spin_unlock(&cq_table->lock);
 	if (err)
 		goto err_icm;
 
@@ -297,9 +299,9 @@ int mlx4_cq_alloc(struct mlx4_dev *dev,
 	return 0;
 
 err_radix:
-	spin_lock_irq(&cq_table->lock);
+	spin_lock(&cq_table->lock);
 	radix_tree_delete(&cq_table->tree, cq->cqn);
-	spin_unlock_irq(&cq_table->lock);
+	spin_unlock(&cq_table->lock);
 
 err_icm:
 	mlx4_cq_free_icm(dev, cq->cqn);
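
Review bot: the switch from spin_lock_irq() to spin_lock() on
cq_table->lock, here in the err_radix path and in the other mlx4_cq_alloc()
and mlx4_cq_free() hunks, is only safe because no interrupt handler takes
this lock once mlx4_cq_event() uses rcu_read_lock() instead. A short comment
at the lock's definition stating that it now serializes radix tree writers
only, and must not be taken from interrupt context, would keep a later
change from reintroducing a deadlock.
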
@@ -318,11 +320,11 @@ void mlx4_cq_free(struct mlx4_dev *dev,
 	if (err)
 		mlx4_warn(dev, "HW2SW_CQ failed (%d) for CQN %06x\n", err, cq->cqn);
 
-	synchronize_irq(priv->eq_table.eq[cq->vector].irq);
-
-	spin_lock_irq(&cq_table->lock);
+	spin_lock(&cq_table->lock);
 	radix_tree_delete(&cq_table->tree, cq->cqn);
-	spin_unlock_irq(&cq_table->lock);
+	spin_unlock(&cq_table->lock);
+
+	synchronize_irq(priv->eq_table.eq[cq->vector].irq);
 
 	if (atomic_dec_and_test(&cq->refcount))
 		complete(&cq->free);

* [PATCH 3.16 221/370] i2c: fix kernel memory disclosure in dev interface
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vlad Tsyrklevich, Wolfram Sang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream.

i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/i2c-dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -334,7 +334,7 @@ static noinline int i2cdev_ioctl_smbus(s
 		unsigned long arg)
 {
 	struct i2c_smbus_ioctl_data data_arg;
-	union i2c_smbus_data temp;
+	union i2c_smbus_data temp = {};
 	int datasize, res;
 
 	if (copy_from_user(&data_arg,
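
Review bot: "union i2c_smbus_data temp = {};" relies on the compiler zeroing
the whole union rather than only its first member. An empty initializer list
is a GNU extension, and for a union the language only promises that the
first member is initialized. Since the purpose of the fix is that no stale
stack bytes in temp can reach userspace, an explicit
memset(&temp, 0, sizeof(temp)) would state that intent directly and would
not depend on compiler behaviour.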

* [PATCH 3.16 219/370] jump_labels: API for flushing deferred jump label updates
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra (Intel), Paolo Bonzini, David Matlack

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Matlack <dmatlack@google.com>

commit b6416e61012429e0277bd15a229222fd17afc1c1 upstream.

Modules that use static_key_deferred need a way to synchronize with
any delayed work that is still pending when the module is unloaded.
Introduce static_key_deferred_flush() which flushes any pending
jump label updates.

Signed-off-by: David Matlack <dmatlack@google.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/jump_label_ratelimit.h | 5 +++++
 kernel/jump_label.c                  | 7 +++++++
 2 files changed, 12 insertions(+)

--- a/include/linux/jump_label_ratelimit.h
+++ b/include/linux/jump_label_ratelimit.h
@@ -14,6 +14,7 @@ struct static_key_deferred {
 
 #ifdef HAVE_JUMP_LABEL
 extern void static_key_slow_dec_deferred(struct static_key_deferred *key);
+extern void static_key_deferred_flush(struct static_key_deferred *key);
 extern void
 jump_label_rate_limit(struct static_key_deferred *key, unsigned long rl);
 
@@ -26,6 +27,10 @@ static inline void static_key_slow_dec_d
 	STATIC_KEY_CHECK_USE();
 	static_key_slow_dec(&key->key);
 }
+static inline void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	STATIC_KEY_CHECK_USE();
+}
 static inline void
 jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -116,6 +116,13 @@ void static_key_slow_dec_deferred(struct
 }
 EXPORT_SYMBOL_GPL(static_key_slow_dec_deferred);
 
+void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	STATIC_KEY_CHECK_USE();
+	flush_delayed_work(&key->work);
+}
+EXPORT_SYMBOL_GPL(static_key_deferred_flush);
+
 void jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
 {
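
Review bot: static_key_deferred_flush() is a new exported symbol with no
comment saying when it must be called. Because it wraps
flush_delayed_work(&key->work), it waits for the pending work to run and so
may sleep; a kernel-doc block stating that it is to be called from process
context, and that module exit paths using static_key_deferred are the
intended callers, would match the commit message. It is also worth a line
saying that the !HAVE_JUMP_LABEL stub in jump_label_ratelimit.h is
intentionally empty apart from STATIC_KEY_CHECK_USE().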

* [PATCH 3.16 359/370] macvtap: read vnet_hdr_size once
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Willem de Bruijn, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit 837585a5375c38d40361cfe64e6fd11e1addb936 ]

When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Macvtap functions read the value once, but unless READ_ONCE is used,
the compiler may ignore this and read multiple times. Enforce a single
read and locally cached value to avoid updates between test and use.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of READ_ONCE()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/macvtap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -657,7 +657,7 @@ static ssize_t macvtap_get_user(struct m
 	size_t linear;
 
 	if (q->flags & IFF_VNET_HDR) {
-		vnet_hdr_len = q->vnet_hdr_sz;
+		vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);
 
 		err = -EINVAL;
 		if (len < vnet_hdr_len)
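
Review bot: nothing at the ACCESS_ONCE(q->vnet_hdr_sz) call site in
macvtap_get_user() says why the read is marked. A one-line comment that
vnet_hdr_sz can change concurrently, and that the local vnet_hdr_len is what
both the "len < vnet_hdr_len" test and the later copy must use, would stop a
future cleanup from reading q->vnet_hdr_sz again further down. Note also
that q->flags on the line above is still a plain read.
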
@@ -793,7 +793,7 @@ static ssize_t macvtap_put_user(struct m
 
 	if (q->flags & IFF_VNET_HDR) {
 		struct virtio_net_hdr vnet_hdr;
-		vnet_hdr_len = q->vnet_hdr_sz;
+		vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);
 		if ((len -= vnet_hdr_len) < 0)
 			return -EINVAL;
 

* [PATCH 3.16 348/370] r8152: fix the sw rx checksum is unavailable
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, hayeswang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: hayeswang <hayeswang@realtek.com>

[ Upstream commit 19c0f40d4fca3a47b8f784a627f0467f0138ccc8 ]

Fix the problem that the hw rx checksum is always enabled and the user
cannot switch it to sw rx checksum.

Note that RTL_VER_01 supports sw rx checksum only. Besides,
the hw rx checksum for RTL_VER_02 is disabled after
commit b9a321b48af4 ("r8152: Fix broken RX checksums."). Re-enable it.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/usb/r8152.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1596,7 +1596,7 @@ static u8 r8152_rx_csum(struct r8152 *tp
 	u8 checksum = CHECKSUM_NONE;
 	u32 opts2, opts3;
 
-	if (tp->version == RTL_VER_01)
+	if (!(tp->netdev->features & NETIF_F_RXCSUM))
 		goto return_result;
 
 	opts2 = le32_to_cpu(rx_desc->opts2);
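
Review bot: replacing the "tp->version == RTL_VER_01" test in
r8152_rx_csum() with a check of NETIF_F_RXCSUM means RTL_VER_01 is kept away
from hardware checksum results only by the probe hunk clearing that bit from
both features and hw_features. That coupling is easy to break; a comment
here or in rtl8152_probe() noting that RTL_VER_01 must never advertise
NETIF_F_RXCSUM would document it.
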
@@ -3454,6 +3454,11 @@ static int rtl8152_probe(struct usb_inte
 			      NETIF_F_TSO | NETIF_F_FRAGLIST |
 			      NETIF_F_IPV6_CSUM | NETIF_F_TSO6;
 
+	if (tp->version == RTL_VER_01) {
+		netdev->features &= ~NETIF_F_RXCSUM;
+		netdev->hw_features &= ~NETIF_F_RXCSUM;
+	}
+
 	netdev->ethtool_ops = &ops;
 	netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
 

* [PATCH 3.16 239/370] net: fix harmonize_features() vs NETIF_F_HIGHDMA
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David S. Miller, Pravin Shelar, Ashizuka, Yuusuke

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 7be2c82cfd5d28d7adb66821a992604eb6dd112e upstream.

Ashizuka reported a highmem oddity and sent a patch for freescale
fec driver.

But the problem root cause is that core networking stack
must ensure no skb with highmem fragment is ever sent through
a device that does not assert NETIF_F_HIGHDMA in its features.

We need to call illegal_highdma() from harmonize_features()
regardless of CSUM checks.

Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin Shelar <pshelar@ovn.org>
Reported-by: "Ashizuka, Yuusuke" <ashiduka@jp.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2555,9 +2555,9 @@ static netdev_features_t harmonize_featu
 	if (skb->ip_summed != CHECKSUM_NONE &&
 	    !can_checksum_protocol(features, type)) {
 		features &= ~NETIF_F_ALL_CSUM;
-	} else if (illegal_highdma(skb->dev, skb)) {
-		features &= ~NETIF_F_SG;
 	}
+	if (illegal_highdma(skb->dev, skb))
+		features &= ~NETIF_F_SG;
 
 	return features;
 }

* [PATCH 3.16 214/370] gro: use min_t() in skb_gro_reset_offset()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kernel test robot, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 7cfd5fd5a9813f1430290d20c0fead9b4582a307 upstream.

On 32bit arches, (skb->end - skb->data) is not 'unsigned int',
so we shall use min_t() instead of min() to avoid a compiler error.

Fixes: 1272ce87fa01 ("gro: Enter slow-path if there is no tailroom")
Reported-by: kernel test robot <fengguang.wu@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3920,8 +3920,9 @@ static void skb_gro_reset_offset(struct
 	    pinfo->nr_frags &&
 	    !PageHighMem(skb_frag_page(frag0))) {
 		NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
-		NAPI_GRO_CB(skb)->frag0_len = min(skb_frag_size(frag0),
-						  skb->end - skb->tail);
+		NAPI_GRO_CB(skb)->frag0_len = min_t(unsigned int,
+						    skb_frag_size(frag0),
+						    skb->end - skb->tail);
 	}
 }
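
Review bot: min_t(unsigned int, ...) casts "skb->end - skb->tail" to
unsigned before comparing, so frag0_len is only bounded by the tailroom
while skb->end is never below skb->tail. If the difference were ever
negative, the cast would turn it into a very large value and the result
would fall through to skb_frag_size(frag0). A brief comment that the
tailroom is non-negative here would make that reliance explicit. The commit
message refers to (skb->end - skb->data), whereas the code uses
skb->end - skb->tail.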
 

* [PATCH 3.16 246/370] powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Dave Martin

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/ptrace.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -394,6 +394,10 @@ static int fpr_set(struct task_struct *t
 	flush_fp_to_thread(target);
 
 #ifdef CONFIG_VSX
+	for (i = 0; i < 32 ; i++)
+		buf[i] = target->thread.TS_FPR(i);
+	buf[32] = target->thread.fp_state.fpscr;
+
 	/* copy to local buffer then write that out */
 	i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
 	if (i)
@@ -537,6 +541,9 @@ static int vsr_set(struct task_struct *t
 
 	flush_vsx_to_thread(target);
 
+	for (i = 0; i < 32 ; i++)
+		buf[i] = target->thread.fp_state.fpr[i][TS_VSRLOWOFFSET];
+
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				 buf, 0, 32 * sizeof(double));
 	for (i = 0; i < 32 ; i++)
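
Review bot: in vsr_set() the context after the new pre-fill shows the
write-back loop starting directly after user_regset_copyin(), with no test
of ret in between. Pre-filling buf makes that harmless for entries the copy
did not touch, but if the copy fails part-way the thread still receives a
partly updated register set. Consider gating the write-back on !ret, in the
way the fpr_set() context tests "if (i)" straight after its copy.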

* [PATCH 3.16 243/370] nbd: fix use-after-free of rq/bio in the xmit path
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jens Axboe, Josef Bacik

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@fb.com>

commit 429a787be6793554ee02aacc7e1f11ebcecc4453 upstream.

For writes, we can get a completion in while we're still iterating
the request and bio chain. If that happens, we're reading freed
memory and we can crash.

Break out after the last segment and avoid having the iterator
read freed memory.

Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/block/nbd.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -242,6 +242,7 @@ static int nbd_send_req(struct nbd_devic
 	int result, flags;
 	struct nbd_request request;
 	unsigned long size = blk_rq_bytes(req);
+	struct bio *bio;
 
 	memset(&request, 0, sizeof(request));
 	request.magic = htonl(NBD_REQUEST_MAGIC);
@@ -266,16 +267,20 @@ static int nbd_send_req(struct nbd_devic
 		goto error_out;
 	}
 
-	if (nbd_cmd(req) == NBD_CMD_WRITE) {
-		struct req_iterator iter;
+	if (nbd_cmd(req) != NBD_CMD_WRITE)
+		return 0;
+
+	flags = 0;
+	bio = req->bio;
+	while (bio) {
+		struct bio *next = bio->bi_next;
+		struct bvec_iter iter;
 		struct bio_vec bvec;
-		/*
-		 * we are really probing at internals to determine
-		 * whether to set MSG_MORE or not...
-		 */
-		rq_for_each_segment(bvec, req, iter) {
-			flags = 0;
-			if (!rq_iter_last(bvec, iter))
+
+		bio_for_each_segment(bvec, bio, iter) {
+			bool is_last = !next && bio_iter_last(bvec, iter);
+
+			if (is_last)
 				flags = MSG_MORE;
 			dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n",
 					nbd->disk->disk_name, req, bvec.bv_len);
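
Review bot: the MSG_MORE condition is inverted relative to the code it
replaces. The removed lines set "flags = MSG_MORE" when
"!rq_iter_last(bvec, iter)", that is, for every segment except the last; the
added lines set it when is_last is true, so only the final segment is sent
with MSG_MORE and every earlier one without it. This does not affect the
use-after-free fix, but it tells the socket that more data follows exactly
when none does. Since "flags = 0" has also moved out of the loop, the
assignment inside the loop should be "flags = is_last ? 0 : MSG_MORE;".
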
@@ -286,7 +291,16 @@ static int nbd_send_req(struct nbd_devic
 					result);
 				goto error_out;
 			}
+			/*
+			 * The completion might already have come in,
+			 * so break for the last one instead of letting
+			 * the iterator do it. This prevents use-after-free
+			 * of the bio.
+			 */
+			if (is_last)
+				break;
 		}
+		bio = next;
 	}
 	return 0;
 

* [PATCH 3.16 336/370] ipv6: dccp: add missing bind_conflict to  dccp_ipv6_mapped
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Arnaldo Carvalho de Melo,
	Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 990ff4d84408fc55942ca6644f67e361737b3d8e ]

While fuzzing kernel with syzkaller, Andrey reported a nasty crash
in inet6_bind() caused by DCCP lacking a required method.

Fixes: ab1e0a13d7029 ("[SOCK] proto: Add hashinfo member to struct proto")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ipv6.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1024,6 +1024,7 @@ static const struct inet_connection_sock
 	.getsockopt	   = ipv6_getsockopt,
 	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
 	.sockaddr_len	   = sizeof(struct sockaddr_in6),
+	.bind_conflict	   = inet6_csk_bind_conflict,
 #ifdef CONFIG_COMPAT
 	.compat_setsockopt = compat_ipv6_setsockopt,
 	.compat_getsockopt = compat_ipv6_getsockopt,

* [PATCH 3.16 335/370] ipv6: dccp: fix out of bound access in dccp_v6_err()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 1aa9d1a0e7eefcc61696e147d123453fc0016005 ]

dccp_v6_err() does not use pskb_may_pull() and might access garbage.

We only need 4 bytes at the beginning of the DCCP header, like TCP,
so the 8 bytes pulled in icmpv6_notify() are more than enough.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: use offsetof() + sizeof() instead of
 offsetofend()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ipv6.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -83,7 +83,7 @@ static void dccp_v6_err(struct sk_buff *
 			u8 type, u8 code, int offset, __be32 info)
 {
 	const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
-	const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
+	const struct dccp_hdr *dh;
 	struct dccp_sock *dp;
 	struct ipv6_pinfo *np;
 	struct sock *sk;
@@ -91,12 +91,13 @@ static void dccp_v6_err(struct sk_buff *
 	__u64 seq;
 	struct net *net = dev_net(skb->dev);
 
-	if (skb->len < offset + sizeof(*dh) ||
-	    skb->len < offset + __dccp_basic_hdr_len(dh)) {
-		ICMP6_INC_STATS_BH(net, __in6_dev_get(skb->dev),
-				   ICMP6_MIB_INERRORS);
-		return;
-	}
+	/* Only need dccph_dport & dccph_sport which are the first
+	 * 4 bytes in dccp header.
+	 * Our caller (icmpv6_notify()) already pulled 8 bytes for us.
+	 */
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_sport) + sizeof(dh->dccph_sport) > 8);
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_dport) + sizeof(dh->dccph_dport) > 8);
+	dh = (struct dccp_hdr *)(skb->data + offset);
 
 	sk = inet6_lookup(net, &dccp_hashinfo,
 			&hdr->daddr, dh->dccph_dport,
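
Review bot: the removed length test also covered __dccp_basic_hdr_len(dh),
while the new BUILD_BUG_ON() lines only establish that dccph_sport and
dccph_dport lie within the 8 bytes the caller pulled. Any later read of a
DCCP header field beyond those 8 bytes (the function still declares
"__u64 seq") would need its own pskb_may_pull() or length check; please
confirm that no such access remains, or add the check before it. The
BUILD_BUG_ON()s verify struct layout only, so the guarantee that
icmpv6_notify() pulled the bytes at "offset" rests on the comment alone.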

* [PATCH 3.16 193/370] drm/radeon: drop verde dpm quirks
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alex Deucher, Adrian Fiergolski, Edward O'Callaghan

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 8a08403bcb39f5d0e733bcf59a8a74f16b538f6e upstream.

fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=98897
https://bugs.launchpad.net/bugs/1651981

Acked-by: Edward O'Callaghan <funfunctor@folklore1984.net>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Adrian Fiergolski <A.Fiergolski@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/si_dpm.c | 13 -------------
 1 file changed, 13 deletions(-)

--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2953,19 +2953,6 @@ static void si_apply_state_adjust_rules(
 		    (rdev->pdev->device == 0x6817) ||
 		    (rdev->pdev->device == 0x6806))
 			max_mclk = 120000;
-	} else if (rdev->family == CHIP_VERDE) {
-		if ((rdev->pdev->revision == 0x81) ||
-		    (rdev->pdev->revision == 0x83) ||
-		    (rdev->pdev->revision == 0x87) ||
-		    (rdev->pdev->device == 0x6820) ||
-		    (rdev->pdev->device == 0x6821) ||
-		    (rdev->pdev->device == 0x6822) ||
-		    (rdev->pdev->device == 0x6823) ||
-		    (rdev->pdev->device == 0x682A) ||
-		    (rdev->pdev->device == 0x682B)) {
-			max_sclk = 75000;
-			max_mclk = 80000;
-		}
 	} else if (rdev->family == CHIP_OLAND) {
 		if ((rdev->pdev->revision == 0xC7) ||
 		    (rdev->pdev->revision == 0x80) ||
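
Review bot: the commit message for this removal consists of two bug links
and gives no reason why the CHIP_VERDE limits (max_sclk = 75000,
max_mclk = 80000) are no longer needed for the listed revisions and device
IDs. For a stable backport, a sentence summarising what the quirk broke and
why dropping it is safe for the boards it was added for should be in the
message itself rather than behind external links.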

* [PATCH 3.16 356/370] tcp: fix 0 divide in __tcp_select_window()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Neal Cardwell, Dmitry Vyukov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 06425c308b92eaf60767bc71d359f4cbc7a561f8 ]

The syzkaller fuzzer was able to trigger a divide by zero when
TCP window scaling is not enabled.

SO_RCVBUF can be used not only to increase sk_rcvbuf, but also
to decrease it below the current receive buffer utilization.

If mss is negative or 0, just return a zero TCP window.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov  <dvyukov@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_output.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2251,9 +2251,11 @@ u32 __tcp_select_window(struct sock *sk)
 	int full_space = min_t(int, tp->window_clamp, allowed_space);
 	int window;
 
-	if (mss > full_space)
+	if (unlikely(mss > full_space)) {
 		mss = full_space;
-
+		if (mss <= 0)
+			return 0;
+	}
 	if (free_space < (full_space >> 1)) {
 		icsk->icsk_ack.quick = 0;
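
Review bot: the new "mss <= 0" test sits inside the "mss > full_space"
branch, so it only catches the case where full_space has dropped to zero or
below, and it relies on mss being positive on entry. That matches the commit
message, but a comment saying that full_space can be non-positive once
SO_RCVBUF has shrunk sk_rcvbuf, and that this is what leads to the division
by zero described there, would explain why the early "return 0" is needed.
The hunk also drops the blank line that separated this block from the
free_space test.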
 

* [PATCH 3.16 199/370] USB: serial: ch341: fix initial modem-control state
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4e2da44691cffbfffb1535f478d19bc2dca3e62b upstream.

DTR and RTS will be asserted by the tty-layer when the port is opened
and deasserted on close (if HUPCL is set). Make sure the initial state
is not-asserted before the port is first opened as well.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -257,7 +257,6 @@ static int ch341_port_probe(struct usb_s
 
 	spin_lock_init(&priv->lock);
 	priv->baud_rate = DEFAULT_BAUD_RATE;
-	priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR;
 
 	r = ch341_configure(port->serial->dev, priv);
 	if (r < 0)
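
Review bot: after this removal nothing in the visible part of
ch341_port_probe() assigns priv->line_control before ch341_configure() is
called, so the "not asserted" initial state depends on priv having been
zero-initialised at allocation. The allocation is outside the hunk; if it
is not a zeroing allocator, an explicit "priv->line_control = 0;" is needed
here.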

* [PATCH 3.16 364/370] mld: do not remove mld souce list info when set link down
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Hangbin Liu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 1666d49e1d416fcc2cce708242a52fe3317ea8ba upstream.

This is an IPv6 version of commit 24803f38a5c0 ("igmp: do not remove igmp
souce list..."). In mld_del_delrec(), we will restore back all source filter
info instead of flushing it.

Move mld_clear_delrec() from ipv6_mc_down() to ipv6_mc_destroy_dev() since
we should not remove source list info when the link is set down. Remove
igmp6_group_dropped() in ipv6_mc_destroy_dev() since we have called it in
ipv6_mc_down().

Also clear all source info after igmp6_group_dropped() instead of in it
because ipv6_mc_down() will call igmp6_group_dropped().

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/mcast.c | 51 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 21 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -93,7 +93,7 @@ static void mld_gq_timer_expire(unsigned
 static void mld_ifc_timer_expire(unsigned long data);
 static void mld_ifc_event(struct inet6_dev *idev);
 static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
 static void mld_clear_delrec(struct inet6_dev *idev);
 static bool mld_in_v1_mode(const struct inet6_dev *idev);
 static int sf_setstate(struct ifmcaddr6 *pmc);
@@ -727,9 +727,9 @@ static void igmp6_group_dropped(struct i
 			dev_mc_del(dev, buf);
 	}
 
-	if (mc->mca_flags & MAF_NOREPORT)
-		goto done;
 	spin_unlock_bh(&mc->mca_lock);
+	if (mc->mca_flags & MAF_NOREPORT)
+		return;
 
 	if (!mc->idev->dead)
 		igmp6_leave_group(mc);
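
Review bot: the MAF_NOREPORT test in igmp6_group_dropped() now runs after
spin_unlock_bh(&mc->mca_lock), so mc->mca_flags is read without the lock
that covered the read before. If the flag can change once the entry is
live, keep the read under the lock and act on a local copy; if it is fixed
for the lifetime of the entry, a short comment saying so would make the
reordering easier to accept.
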
@@ -737,8 +737,6 @@ static void igmp6_group_dropped(struct i
 	spin_lock_bh(&mc->mca_lock);
 	if (del_timer(&mc->mca_timer))
 		atomic_dec(&mc->mca_refcnt);
-done:
-	ip6_mc_clear_src(mc);
 	spin_unlock_bh(&mc->mca_lock);
 }
 
@@ -783,10 +781,11 @@ static void mld_add_delrec(struct inet6_
 	spin_unlock_bh(&idev->mc_lock);
 }
 
-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
 {
 	struct ifmcaddr6 *pmc, *pmc_prev;
-	struct ip6_sf_list *psf, *psf_next;
+	struct ip6_sf_list *psf;
+	struct in6_addr *pmca = &im->mca_addr;
 
 	spin_lock_bh(&idev->mc_lock);
 	pmc_prev = NULL;
@@ -803,14 +802,20 @@ static void mld_del_delrec(struct inet6_
 	}
 	spin_unlock_bh(&idev->mc_lock);
 
+	spin_lock_bh(&im->mca_lock);
 	if (pmc) {
-		for (psf=pmc->mca_tomb; psf; psf=psf_next) {
-			psf_next = psf->sf_next;
-			kfree(psf);
+		im->idev = pmc->idev;
+		im->mca_crcount = idev->mc_qrv;
+		im->mca_sfmode = pmc->mca_sfmode;
+		if (pmc->mca_sfmode == MCAST_INCLUDE) {
+			im->mca_tomb = pmc->mca_tomb;
+			im->mca_sources = pmc->mca_sources;
+			for (psf = im->mca_sources; psf; psf = psf->sf_next)
+				psf->sf_crcount = im->mca_crcount;
 		}
 		in6_dev_put(pmc->idev);
-		kfree(pmc);
 	}
+	spin_unlock_bh(&im->mca_lock);
 }
 
 static void mld_clear_delrec(struct inet6_dev *idev)
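
Review bot: in the `if (pmc)` block of mld_del_delrec(), kfree(pmc) is
removed while in6_dev_put(pmc->idev) stays, so nothing visible in this
function frees the record any more. Assuming the loop above this hunk
(not shown) unlinks pmc from the tomb list, the record is then
unreachable and leaks. The removed loop also used to walk and free
pmc->mca_tomb; when pmc->mca_sfmode is not MCAST_INCLUDE the lists are now
neither handed to im nor released. Suggest freeing pmc after the transfer
and releasing its lists in the non-INCLUDE case.
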
@@ -915,7 +920,7 @@ int ipv6_dev_mc_inc(struct net_device *d
 	idev->mc_list = mc;
 	write_unlock_bh(&idev->lock);
 
-	mld_del_delrec(idev, &mc->mca_addr);
+	mld_del_delrec(idev, mc);
 	igmp6_group_added(mc);
 	ma_put(mc);
 	return 0;
@@ -938,6 +943,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *
 				write_unlock_bh(&idev->lock);
 
 				igmp6_group_dropped(ma);
+				ip6_mc_clear_src(ma);
 
 				ma_put(ma);
 				return 0;
@@ -2479,15 +2485,17 @@ void ipv6_mc_down(struct inet6_dev *idev
 	/* Withdraw multicast list */
 
 	read_lock_bh(&idev->lock);
-	mld_ifc_stop_timer(idev);
-	mld_gq_stop_timer(idev);
-	mld_dad_stop_timer(idev);
 
 	for (i = idev->mc_list; i; i=i->next)
 		igmp6_group_dropped(i);
-	read_unlock_bh(&idev->lock);
 
-	mld_clear_delrec(idev);
+	/* Should stop timer after group drop. or we will
+	 * start timer again in mld_ifc_event()
+	 */
+	mld_ifc_stop_timer(idev);
+	mld_gq_stop_timer(idev);
+	mld_dad_stop_timer(idev);
+	read_unlock_bh(&idev->lock);
 }
 
 
@@ -2500,8 +2508,10 @@ void ipv6_mc_up(struct inet6_dev *idev)
 	/* Install multicast list, except for all-nodes (already installed) */
 
 	read_lock_bh(&idev->lock);
-	for (i = idev->mc_list; i; i=i->next)
+	for (i = idev->mc_list; i; i = i->next) {
+		mld_del_delrec(idev, i);
 		igmp6_group_added(i);
+	}
 	read_unlock_bh(&idev->lock);
 }
 
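
Review bot: mld_del_delrec() is now called for every entry inside the
read_lock_bh(&idev->lock) section of ipv6_mc_up(), and it takes
idev->mc_lock and then, after releasing it, im->mca_lock. In
ipv6_dev_mc_inc() the same call is made after write_unlock_bh(&idev->lock),
so taking these two locks under idev->lock is new with this hunk. Worth
checking the ordering against the other users of mc_lock and mca_lock and
stating it in a comment.
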
@@ -2540,6 +2550,7 @@ void ipv6_mc_destroy_dev(struct inet6_de
 
 	/* Deactivate timers */
 	ipv6_mc_down(idev);
+	mld_clear_delrec(idev);
 
 	/* Delete all-nodes address. */
 	/* We cannot call ipv6_dev_mc_dec() directly, our caller in
@@ -2554,11 +2565,9 @@ void ipv6_mc_destroy_dev(struct inet6_de
 	write_lock_bh(&idev->lock);
 	while ((i = idev->mc_list) != NULL) {
 		idev->mc_list = i->next;
-		write_unlock_bh(&idev->lock);
 
-		igmp6_group_dropped(i);
+		write_unlock_bh(&idev->lock);
 		ma_put(i);
-
 		write_lock_bh(&idev->lock);
 	}
 	write_unlock_bh(&idev->lock);
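
Review bot: with ip6_mc_clear_src() taken out of igmp6_group_dropped() and
igmp6_group_dropped(i) taken out of this loop, nothing in
ipv6_mc_destroy_dev() clears an entry's source lists before ma_put(i).
__ipv6_dev_mc_dec() gained an explicit ip6_mc_clear_src(ma) for exactly
that reason; unless the final ma_put() frees the lists, this loop needs
ip6_mc_clear_src(i) before ma_put(i) as well.
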


* [PATCH 3.16 369/370] sctp: avoid BUG_ON on sctp_wait_for_sndbuf
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (346 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 243/370] nbd: fix use-after-free of rq/bio in the xmit path Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 268/370] ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write Ben Hutchings
                   ` (23 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, Marcelo Ricardo Leitner, Xin Long, David S. Miller,
	Alexander Popov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

commit 2dcab598484185dea7ec22219c76dcdd59e3cb90 upstream.

Alexander Popov reported that an application may trigger a BUG_ON in
sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
waiting on it to queue more data and meanwhile another thread peels off
the association being used by the first thread.

This patch replaces the BUG_ON call with a proper error handling. It
will return -EPIPE to the original sendmsg call, similarly to what would
have been done if the association wasn't found in the first place.

Acked-by: Alexander Popov <alex.popov@linux.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6760,7 +6760,8 @@ static int sctp_wait_for_sndbuf(struct s
 		 */
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
-		BUG_ON(sk != asoc->base.sk);
+		if (sk != asoc->base.sk)
+			goto do_error;
 		lock_sock(sk);
 
 		*timeo_p = current_timeo;
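
Review bot: the new `goto do_error` in sctp_wait_for_sndbuf() is taken
between release_sock(sk) and lock_sock(sk), so on this path the function
leaves without retaking the socket lock, unlike every path that falls
through to lock_sock(sk). Check that the code at do_error and the sendmsg
caller that receives -EPIPE do not assume the lock is held (a second
release_sock() there would be an unbalanced unlock); either relock before
jumping or document that this exit returns unlocked.
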


* [PATCH 3.16 340/370] net: sky2: Fix shutdown crash
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (307 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 240/370] USB: serial: qcserial: add Dell DW5570 QDL Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 245/370] ARM: dts: da850-evm: fix read access to SPI flash Ben Hutchings
                   ` (62 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Jeremy Linton, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Linton <jeremy.linton@arm.com>

[ Upstream commit 06ba3b2133dc203e1e9bc36cee7f0839b79a9e8b ]

The sky2 frequently crashes during machine shutdown with:

sky2_get_stats+0x60/0x3d8 [sky2]
dev_get_stats+0x68/0xd8
rtnl_fill_stats+0x54/0x140
rtnl_fill_ifinfo+0x46c/0xc68
rtmsg_ifinfo_build_skb+0x7c/0xf0
rtmsg_ifinfo.part.22+0x3c/0x70
rtmsg_ifinfo+0x50/0x5c
netdev_state_change+0x4c/0x58
linkwatch_do_dev+0x50/0x88
__linkwatch_run_queue+0x104/0x1a4
linkwatch_event+0x30/0x3c
process_one_work+0x140/0x3e0
worker_thread+0x60/0x44c
kthread+0xdc/0xf0
ret_from_fork+0x10/0x50

This is caused by the sky2 being called after it has been shut down.
A previous thread about this can be found here:

https://lkml.org/lkml/2016/4/12/410

An alternative fix is to assure that IFF_UP gets cleared by
calling dev_close() during shutdown. This is similar to what the
bnx2/tg3/xgene and maybe others are doing to assure that the driver
isn't being called following _shutdown().

Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/marvell/sky2.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/net/ethernet/marvell/sky2.c
+++ b/drivers/net/ethernet/marvell/sky2.c
@@ -5211,6 +5211,19 @@ static SIMPLE_DEV_PM_OPS(sky2_pm_ops, sk
 
 static void sky2_shutdown(struct pci_dev *pdev)
 {
+	struct sky2_hw *hw = pci_get_drvdata(pdev);
+	int port;
+
+	for (port = 0; port < hw->ports; port++) {
+		struct net_device *ndev = hw->dev[port];
+
+		rtnl_lock();
+		if (netif_running(ndev)) {
+			dev_close(ndev);
+			netif_device_detach(ndev);
+		}
+		rtnl_unlock();
+	}
 	sky2_suspend(&pdev->dev);
 	pci_wake_from_d3(pdev, device_may_wakeup(&pdev->dev));
 	pci_set_power_state(pdev, PCI_D3hot);
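
Review bot: rtnl_lock()/rtnl_unlock() are taken and dropped once per port
inside the `for` loop in sky2_shutdown(); taking the lock once around the
whole loop is simpler and closes all ports in one critical section. Also,
hw comes straight from pci_get_drvdata(pdev) and is dereferenced for
hw->ports before anything checks it, so if drvdata can be NULL at shutdown
the new code needs an early return ahead of the loop.
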


* [PATCH 3.16 209/370] mm/hugetlb.c: fix reservation race when freeing surplus pages
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (365 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 343/370] netvsc: reduce maximum GSO size Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 224/370] netfilter: rpfilter: fix incorrect loopback packet judgment Ben Hutchings
                   ` (4 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, Hillf Danton, Aneesh Kumar, Masayoshi Mizuma,
	Linus Torvalds, Naoya Horiguchi, Michal Hocko, Paul Cassella,
	Mike Kravetz

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit e5bbc8a6c992901058bc09e2ce01d16c111ff047 upstream.

return_unused_surplus_pages() decrements the global reservation count,
and frees any unused surplus pages that were backing the reservation.

Commit 7848a4bf51b3 ("mm/hugetlb.c: add cond_resched_lock() in
return_unused_surplus_pages()") added a call to cond_resched_lock in the
loop freeing the pages.

As a result, the hugetlb_lock could be dropped, and someone else could
use the pages that will be freed in subsequent iterations of the loop.
This could result in inconsistent global hugetlb page state, application
API failures (such as mmap) or application crashes.

When dropping the lock in return_unused_surplus_pages, make sure that
the global reservation count (resv_huge_pages) remains sufficiently
large to prevent someone else from claiming pages about to be freed.

Analyzed by Paul Cassella.

Fixes: 7848a4bf51b3 ("mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages()")
Link: http://lkml.kernel.org/r/1483991767-6879-1-git-send-email-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Paul Cassella <cassella@cray.com>
Suggested-by: Michal Hocko <mhocko@kernel.org>
Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1301,23 +1301,32 @@ free:
 }
 
 /*
- * When releasing a hugetlb pool reservation, any surplus pages that were
- * allocated to satisfy the reservation must be explicitly freed if they were
- * never used.
- * Called with hugetlb_lock held.
+ * This routine has two main purposes:
+ * 1) Decrement the reservation count (resv_huge_pages) by the value passed
+ *    in unused_resv_pages.  This corresponds to the prior adjustments made
+ *    to the associated reservation map.
+ * 2) Free any unused surplus pages that may have been allocated to satisfy
+ *    the reservation.  As many as unused_resv_pages may be freed.
+ *
+ * Called with hugetlb_lock held.  However, the lock could be dropped (and
+ * reacquired) during calls to cond_resched_lock.  Whenever dropping the lock,
+ * we must make sure nobody else can claim pages we are in the process of
+ * freeing.  Do this by ensuring resv_huge_page always is greater than the
+ * number of huge pages we plan to free when dropping the lock.
  */
 static void return_unused_surplus_pages(struct hstate *h,
 					unsigned long unused_resv_pages)
 {
 	unsigned long nr_pages;
 
-	/* Uncommit the reservation */
-	h->resv_huge_pages -= unused_resv_pages;
-
 	/* Cannot return gigantic pages currently */
 	if (hstate_is_gigantic(h))
-		return;
+		goto out;
 
+	/*
+	 * Part (or even all) of the reservation could have been backed
+	 * by pre-allocated pages. Only free surplus pages.
+	 */
 	nr_pages = min(unused_resv_pages, h->surplus_huge_pages);
 
 	/*
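
Review bot: the last sentence of the new header comment for
return_unused_surplus_pages() calls the counter resv_huge_page, while the
field is resv_huge_pages everywhere else in the patch; fix the name so the
comment can be grepped. The `goto out` for the gigantic case also deserves
a word in the comment: the full unused_resv_pages is still uncommitted on
that path, but only because of the subtraction at the `out:` label at the
end of the function.
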
@@ -1327,12 +1336,22 @@ static void return_unused_surplus_pages(
 	 * when the nodes with surplus pages have no free pages.
 	 * free_pool_huge_page() will balance the the freed pages across the
 	 * on-line nodes with memory and will handle the hstate accounting.
+	 *
+	 * Note that we decrement resv_huge_pages as we free the pages.  If
+	 * we drop the lock, resv_huge_pages will still be sufficiently large
+	 * to cover subsequent pages we may free.
 	 */
 	while (nr_pages--) {
+		h->resv_huge_pages--;
+		unused_resv_pages--;
 		if (!free_pool_huge_page(h, &node_states[N_MEMORY], 1))
-			break;
+			goto out;
 		cond_resched_lock(&hugetlb_lock);
 	}
+
+out:
+	/* Fully uncommit the reservation */
+	h->resv_huge_pages -= unused_resv_pages;
 }
 
 /*
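
Review bot: in the `while (nr_pages--)` loop, h->resv_huge_pages-- and
unused_resv_pages-- run before free_pool_huge_page() is attempted, so when
the free fails the pair has already been decremented for a page that was
not freed. The totals still come out right because `out:` subtracts
whatever remains of unused_resv_pages, but that is not obvious from the
loop; add a line to the comment saying the decrement is per iteration, not
per freed page.
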


* [PATCH 3.16 357/370] tun: Fix TUN_PKT_STRIP setting
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (314 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 363/370] igmp: do not remove igmp souce list info when set link down Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 277/370] ALSA: seq: Don't handle loop timeout at snd_seq_pool_done() Ben Hutchings
                   ` (55 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Herbert Xu

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 2eb783c43e7cf807a45899c10ed556b6dc116625 upstream.

We set the flag TUN_PKT_STRIP if the user buffer provided is too
small to contain the entire packet plus meta-data.  However, this
has been broken ever since we added GSO meta-data.  VLAN acceleration
also has the same problem.

This patch fixes this by taking both into account when setting the
TUN_PKT_STRIP flag.

The fact that this has been broken for six years without anyone
realising means that nobody actually uses this flag.

Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/tun.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1227,15 +1227,19 @@ static ssize_t tun_put_user(struct tun_s
 	ssize_t total = 0;
 	int vlan_offset = 0, copied;
 	int vlan_hlen = 0;
+	int vnet_hdr_sz = 0;
 
 	if (vlan_tx_tag_present(skb))
 		vlan_hlen = VLAN_HLEN;
 
+	if (tun->flags & TUN_VNET_HDR)
+		vnet_hdr_sz = tun->vnet_hdr_sz;
+
 	if (!(tun->flags & TUN_NO_PI)) {
 		if ((len -= sizeof(pi)) < 0)
 			return -EINVAL;
 
-		if (len < skb->len) {
+		if (len < skb->len + vlan_hlen + vnet_hdr_sz) {
 			/* Packet will be striped */
 			pi.flags |= TUN_PKT_STRIP;
 		}
@@ -1245,9 +1249,9 @@ static ssize_t tun_put_user(struct tun_s
 		total += sizeof(pi);
 	}
 
-	if (tun->flags & TUN_VNET_HDR) {
+	if (vnet_hdr_sz) {
 		struct virtio_net_hdr gso = { 0 }; /* no info leak */
-		if ((len -= tun->vnet_hdr_sz) < 0)
+		if ((len -= vnet_hdr_sz) < 0)
 			return -EINVAL;
 
 		if (skb_is_gso(skb)) {
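
Review bot: `if (vnet_hdr_sz)` replaces the `tun->flags & TUN_VNET_HDR`
test in tun_put_user(), so the virtio_net_hdr block is now keyed on the
size being non-zero rather than on the flag. The two are equivalent only
if tun->vnet_hdr_sz can never be zero while TUN_VNET_HDR is set; please
state that invariant in a comment next to the new
`vnet_hdr_sz = tun->vnet_hdr_sz;` assignment, or keep the flag test here.
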
@@ -1291,7 +1295,7 @@ static ssize_t tun_put_user(struct tun_s
 		if (unlikely(memcpy_toiovecend(iv, (void *)&gso, total,
 					       sizeof(gso))))
 			return -EFAULT;
-		total += tun->vnet_hdr_sz;
+		total += vnet_hdr_sz;
 	}
 
 	copied = total;


* [PATCH 3.16 194/370] x86/boot: Add missing declaration of string functions
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 196/370] USB: ch341: set tty baud speed according to tty struct Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 326/370] tcp: fix overflow in __tcp_retransmit_skb() Ben Hutchings
                   ` (179 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Nicholas Mc Guire, Thomas Gleixner

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit fac69d0efad08fc15e4dbfc116830782acc0dc9a upstream.

Add the missing declarations of basic string functions to string.h to allow
a clean build.

Fixes: 5be865661516 ("String-handling functions for the new x86 setup code.")
Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Link: http://lkml.kernel.org/r/1483781911-21399-1-git-send-email-hofrat@osadl.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/boot/string.c | 1 +
 arch/x86/boot/string.h | 9 +++++++++
 2 files changed, 10 insertions(+)

--- a/arch/x86/boot/string.c
+++ b/arch/x86/boot/string.c
@@ -14,6 +14,7 @@
 
 #include <linux/types.h>
 #include "ctype.h"
+#include "string.h"
 
 int memcmp(const void *s1, const void *s2, size_t len)
 {
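
Review bot: with "string.h" now included at the top of string.c, the
`#define memcmp	__builtin_memcmp` from that header (visible in the
string.h hunk, next to the memset define) is in effect when the
preprocessor reaches `int memcmp(const void *s1, const void *s2, size_t len)`
just below the include, so the definition is rewritten to carry the
builtin's name. Either #undef those macros in string.c after the include,
or guard the defines so the file that implements the functions does not
see them.
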
--- a/arch/x86/boot/string.h
+++ b/arch/x86/boot/string.h
@@ -18,4 +18,13 @@ int memcmp(const void *s1, const void *s
 #define memset(d,c,l) __builtin_memset(d,c,l)
 #define memcmp	__builtin_memcmp
 
+extern int strcmp(const char *str1, const char *str2);
+extern int strncmp(const char *cs, const char *ct, size_t count);
+extern size_t strlen(const char *s);
+extern char *strstr(const char *s1, const char *s2);
+extern size_t strnlen(const char *s, size_t maxlen);
+extern unsigned int atou(const char *s);
+extern unsigned long long simple_strtoull(const char *cp, char **endp,
+					  unsigned int base);
+
 #endif /* BOOT_STRING_H */
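
Review bot: the new prototypes in string.h are all marked `extern`, which
is redundant on function declarations and differs from the existing
memcmp() prototype in the same header (shown in the hunk header context),
which has none. Drop the keyword for consistency.
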


* [PATCH 3.16 203/370] USB: serial: ch341: fix resume after reset
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (239 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 234/370] can: ti_hecc: add missing prepare and unprepare of the clock Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 198/370] USB: serial: ch341: reinitialize chip on reconfiguration Ben Hutchings
                   ` (130 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ce5e292828117d1b71cbd3edf9e9137cf31acd30 upstream.

Fix reset-resume handling which failed to resubmit the read and
interrupt URBs, thereby leaving a port that was open before suspend in a
broken state until closed and reopened.

Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after
resume")
Fixes: 2bfd1c96a9fb ("USB: serial: ch341: remove reset_resume callback")
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: open-code tty_port_initialized()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -559,14 +559,23 @@ static int ch341_tiocmget(struct tty_str
 
 static int ch341_reset_resume(struct usb_serial *serial)
 {
-	struct ch341_private *priv;
-
-	priv = usb_get_serial_port_data(serial->port[0]);
+	struct usb_serial_port *port = serial->port[0];
+	struct ch341_private *priv = usb_get_serial_port_data(port);
+	int ret;
 
 	/* reconfigure ch341 serial port after bus-reset */
 	ch341_configure(serial->dev, priv);
 
-	return 0;
+	if (port->port.flags & ASYNC_INITIALIZED) {
+		ret = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO);
+		if (ret) {
+			dev_err(&port->dev, "failed to submit interrupt urb: %d\n",
+				ret);
+			return ret;
+		}
+	}
+
+	return usb_serial_generic_resume(serial);
 }
 
 static struct usb_serial_driver ch341_device = {
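
Review bot: ch341_configure(serial->dev, priv) is still called for its
side effects only in ch341_reset_resume(); now that the function
propagates errors from usb_submit_urb() and usb_serial_generic_resume(),
a failed reconfiguration should be reported the same way if
ch341_configure() returns a status. Separately, when
usb_serial_generic_resume() fails after the interrupt URB has been
submitted, the URB is left in flight; consider killing it on that path.
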


* [PATCH 3.16 195/370] USB: ch341: remove redundant close from open error path
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (348 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 268/370] ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 305/370] packet: Do not call fanout_release from atomic contexts Ben Hutchings
                   ` (21 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 394a10331a9e43100a8ee293255cfc428c7355ac upstream.

Remove redundant call to ch341_close from error path when submission of
the interrupt urb fails in open.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -328,7 +328,6 @@ static int ch341_open(struct tty_struct
 	if (r) {
 		dev_err(&port->dev, "%s - failed to submit interrupt urb: %d\n",
 			__func__, r);
-		ch341_close(port);
 		goto out;
 	}
 


* [PATCH 3.16 200/370] USB: serial: ch341: fix open and resume after B0
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 295/370] net/llc: avoid BUG_ON() in skb_orphan() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 284/370] ALSA: seq: Fix race at creating a queue Ben Hutchings
                   ` (80 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit a20047f36e2f6a1eea4f1fd261aaa55882369868 upstream.

The private baud_rate variable is used to configure the port at open and
reset-resume and must never be set to (and left at) zero or reset-resume
and all further open attempts will fail.

Fixes: aa91def41a7b ("USB: ch341: set tty baud speed according to tty
struct")
Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -354,14 +354,15 @@ static void ch341_set_termios(struct tty
 
 	baud_rate = tty_get_baud_rate(tty);
 
-	priv->baud_rate = baud_rate;
-
 	ctrl = CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8;
 
 	if (baud_rate) {
 		spin_lock_irqsave(&priv->lock, flags);
 		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
 		spin_unlock_irqrestore(&priv->lock, flags);
+
+		priv->baud_rate = baud_rate;
+
 		r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
 		if (r < 0 && old_termios) {
 			priv->baud_rate = tty_termios_baud_rate(old_termios);
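
Review bot: the error path right after the moved assignment,
`priv->baud_rate = tty_termios_baud_rate(old_termios);`, can still store
zero when the previous termios was B0, which is the state the commit
message says must never be left behind. Restoring only a non-zero old rate
would close that. The new `priv->baud_rate = baud_rate;` also sits after
spin_unlock_irqrestore(&priv->lock, flags); say in a comment whether
baud_rate is meant to be covered by priv->lock.
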


* [PATCH 3.16 224/370] netfilter: rpfilter: fix incorrect loopback packet judgment
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (366 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 209/370] mm/hugetlb.c: fix reservation race when freeing surplus pages Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 190/370] sh_eth: fix EESIPR values for SH77{34|63} Ben Hutchings
                   ` (3 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Liping Zhang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liping Zhang <zlpnobody@gmail.com>

commit 6443ebc3fdd6f3c766d9442c18be274b3d736050 upstream.

Currently, we check the existing rtable in PREROUTING hook, if RTCF_LOCAL
is set, we assume that the packet is loopback.

But this assumption is incorrect, for example, a packet encapsulated
in ipsec transport mode was received and routed to local, after
decapsulation, it would be delivered to local again, and the rtable
was not dropped, so RTCF_LOCAL check would trigger. But actually, the
packet was not loopback.

So for these normal loopback packets, we can check whether the in device
is IFF_LOOPBACK or not. For these locally generated broadcast/multicast,
we can check whether the skb->pkt_type is PACKET_LOOPBACK or not.

Finally, there's a subtle difference between nft fib expr and xtables
rpfilter extension, user can add the following nft rule to do strict
rpfilter check:
  # nft add rule x y meta iif eth0 fib saddr . iif oif != eth0 drop

So when the packet is loopback, it's better to store the in device
instead of the LOOPBACK_IFINDEX, otherwise, after adding the above
nft rule, locally generated broad/multicast packets will be dropped
incorrectly.

Fixes: f83a7ea2075c ("netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too")
Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16:
 - Drop changes to nftables
 - s/xt_in\(par\)/par->in/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -64,10 +64,10 @@ static bool rpfilter_lookup_reverse(stru
 	return dev_match || flags & XT_RPFILTER_LOOSE;
 }
 
-static bool rpfilter_is_local(const struct sk_buff *skb)
+static bool
+rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in)
 {
-	const struct rtable *rt = skb_rtable(skb);
-	return rt && (rt->rt_flags & RTCF_LOCAL);
+	return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
 }
 
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
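
Review bot: in rpfilter_is_loopback() the expression
`skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK` relies on
`&` binding tighter than `||`; parenthesise the flag test so the reader
does not have to check. `in` is dereferenced unconditionally, so the
helper is only safe on hooks where the input device is always set; a
one-line comment stating that (the commit message speaks of PREROUTING)
would document the assumption for the par->in caller.
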
@@ -80,7 +80,7 @@ static bool rpfilter_mt(const struct sk_
 	info = par->matchinfo;
 	invert = info->flags & XT_RPFILTER_INVERT;
 
-	if (rpfilter_is_local(skb))
+	if (rpfilter_is_loopback(skb, par->in))
 		return true ^ invert;
 
 	iph = ip_hdr(skb);
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -72,10 +72,10 @@ static bool rpfilter_lookup_reverse6(con
 	return ret;
 }
 
-static bool rpfilter_is_local(const struct sk_buff *skb)
+static bool
+rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in)
 {
-	const struct rt6_info *rt = (const void *) skb_dst(skb);
-	return rt && (rt->rt6i_flags & RTF_LOCAL);
+	return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
 }
 
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
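
Review bot: this rpfilter_is_loopback() in ip6t_rpfilter.c is identical to
the one added to ipt_rpfilter.c earlier in the patch. A single static
inline in a shared header would keep the IPv4 and IPv6 matches from
drifting apart the next time the loopback test changes.
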
@@ -85,7 +85,7 @@ static bool rpfilter_mt(const struct sk_
 	struct ipv6hdr *iph;
 	bool invert = info->flags & XT_RPFILTER_INVERT;
 
-	if (rpfilter_is_local(skb))
+	if (rpfilter_is_loopback(skb, par->in))
 		return true ^ invert;
 
 	iph = ipv6_hdr(skb);


* [PATCH 3.16 191/370] sh_eth: R8A7740 supports packet shecksumming
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (284 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 367/370] kvm: fix page struct leak in handle_vmon Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46   ` Ben Hutchings
                   ` (85 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sergei Shtylyov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 0f1f9cbc04dbb3cc310f70a11cba0cf1f2109d9c upstream.

The R8A7740 GEther controller supports the packet checksum offloading
but the 'hw_crc' (bad name, I'll fix it) flag isn't set in the R8A7740
data,  thus CSMR isn't cleared...

Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -782,6 +782,7 @@ static struct sh_eth_cpu_data r8a7740_da
 	.rpadir_value   = 2 << 16,
 	.no_trimd	= 1,
 	.no_ade		= 1,
+	.hw_crc		= 1,
 	.tsu		= 1,
 	.select_mii	= 1,
 	.shift_rd0	= 1,


* [PATCH 3.16 212/370] vme: Fix wrong pointer utilization in ca91cx42_slave_get
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (242 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 346/370] drop_monitor: consider inserted data in genlmsg_end Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 352/370] net: socket: fix recvmmsg not returning error from sock_error Ben Hutchings
                   ` (127 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, Martyn Welch, Greg Kroah-Hartman, Augusto Mecking Caringi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Augusto Mecking Caringi <augustocaringi@gmail.com>

commit c8a6a09c1c617402cc9254b2bc8da359a0347d75 upstream.

In ca91cx42_slave_get function, the value pointed by vme_base pointer is
set through:

*vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]);

So it must be dereferenced to be used in calculation of pci_base:

*pci_base = (dma_addr_t)*vme_base + pci_offset;

This bug was caught thanks to the following gcc warning:

drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’:
drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
*pci_base = (dma_addr_t)vme_base + pci_offset;

Signed-off-by: Augusto Mecking Caringi <augustocaringi@gmail.com>
Acked-By: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vme/bridges/vme_ca91cx42.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/vme/bridges/vme_ca91cx42.c
+++ b/drivers/vme/bridges/vme_ca91cx42.c
@@ -468,7 +468,7 @@ static int ca91cx42_slave_get(struct vme
 	vme_bound = ioread32(bridge->base + CA91CX42_VSI_BD[i]);
 	pci_offset = ioread32(bridge->base + CA91CX42_VSI_TO[i]);
 
-	*pci_base = (dma_addr_t)vme_base + pci_offset;
+	*pci_base = (dma_addr_t)*vme_base + pci_offset;
 	*size = (unsigned long long)((vme_bound - *vme_base) + granularity);
 
 	*enabled = 0;
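
Review bot: the removed line put the pointer value held in vme_base, not the register value it points to, into *pci_base, yet the changelog presents this only as a compiler-warning fix. Please state in the commit message whether *pci_base can reach userspace, since that decides whether the old code disclosed an address as well as returning a wrong result. The one-character fix itself matches the *vme_base use on the following line.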

* [PATCH 3.16 236/370] arm64/ptrace: Preserve previous registers for short regset write
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Catalin Marinas, Dave Martin

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream.

Ensure that if userspace supplies insufficient data to
PTRACE_SETREGSET to fill all the registers, the thread's old
registers are preserved.

Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/ptrace.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -491,7 +491,7 @@ static int gpr_set(struct task_struct *t
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_pt_regs newregs;
+	struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
 	if (ret)
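
Review bot: the changelog undersells this hunk. Before the change, newregs in gpr_set() was declared without an initialiser, so a PTRACE_SETREGSET write shorter than struct user_pt_regs left its tail holding whatever was on the kernel stack, and anything that later installs newregs would load that into the target's registers. Say so in the commit message so the fix is triaged as an uninitialised-data issue and not only as a behavioural nicety. Seeding from task_pt_regs(target)->user_regs is the right initial value.
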
@@ -521,7 +521,8 @@ static int fpr_set(struct task_struct *t
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_fpsimd_state newstate;
+	struct user_fpsimd_state newstate =
+		target->thread.fpsimd_state.user_fpsimd;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
 	if (ret)
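
Review bot: in fpr_set() the new initialiser looks like a redundant struct copy to anyone who does not know the short-write case, and is the kind of line a later cleanup removes. A one-line comment above it, for example "seed with current state so a short write leaves the remaining registers unchanged", would protect it; the same applies to the initialisers added in gpr_set() and tls_set().
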
@@ -545,7 +546,7 @@ static int tls_set(struct task_struct *t
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	unsigned long tls;
+	unsigned long tls = target->thread.tp_value;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
 	if (ret)
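
The short-write case this patch addresses, as an added stand-alone C model (not kernel code and not part of the patch). struct regs, copyin_partial() and the 0xAA fill that stands in for stale stack contents are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, reduced register file standing in for struct user_pt_regs. */
struct regs {
	unsigned long x[4];
	unsigned long sp;
	unsigned long pc;
};

/* Models a regset copy-in: copies at most 'count' bytes and leaves the
 * rest of 'dst' untouched, which is why the initial value of 'dst' matters. */
static void copyin_partial(void *dst, size_t dst_size,
			   const void *src, size_t count)
{
	memcpy(dst, src, count < dst_size ? count : dst_size);
}

/* Before the fix: the temporary starts with unrelated data. Reading a truly
 * uninitialised variable is undefined in C, so 0xAA bytes model the stale
 * stack contents (an assumption of this example). */
void set_regs_unpatched(struct regs *task, const void *ubuf, size_t count)
{
	struct regs newregs;

	memset(&newregs, 0xAA, sizeof(newregs));
	copyin_partial(&newregs, sizeof(newregs), ubuf, count);
	*task = newregs;
}

/* After the fix: the temporary is seeded from the task's current registers,
 * so bytes the caller did not supply keep their old values. */
void set_regs_patched(struct regs *task, const void *ubuf, size_t count)
{
	struct regs newregs = *task;

	copyin_partial(&newregs, sizeof(newregs), ubuf, count);
	*task = newregs;
}

/* Runs one short write that supplies x[0] only and returns the resulting pc. */
unsigned long pc_after_short_write(int patched)
{
	struct regs task = { {1, 2, 3, 4}, 0x7ff000UL, 0x400123UL };
	unsigned long user_x0 = 99; /* constructed input: one register's worth */

	if (patched)
		set_regs_patched(&task, &user_x0, sizeof(user_x0));
	else
		set_regs_unpatched(&task, &user_x0, sizeof(user_x0));
	return task.pc;
}

int main(void)
{
	printf("unpatched pc: %#lx\n", pc_after_short_write(0));
	printf("patched   pc: %#lx\n", pc_after_short_write(1));
	return 0;
}
```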

* [PATCH 3.16 192/370] ata: sata_mv:- Handle return value of devm_ioremap.
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arvind Yadav, Tejun Heo

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arvind Yadav <arvind.yadav.cs@gmail.com>

commit 064c3db9c564cc5be514ac21fb4aa26cc33db746 upstream.

Here, if devm_ioremap fails, it will return NULL.
Then hpriv->base = NULL - 0x20000; the kernel can run into
a NULL-pointer dereference. This error check will avoid the
NULL pointer dereference.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/sata_mv.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -4109,6 +4109,9 @@ static int mv_platform_probe(struct plat
 	host->iomap = NULL;
 	hpriv->base = devm_ioremap(&pdev->dev, res->start,
 				   resource_size(res));
+	if (!hpriv->base)
+		return -ENOMEM;
+
 	hpriv->base -= SATAHC0_REG_BASE;
 
 	hpriv->clk = clk_get(&pdev->dev, NULL);
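
Review bot: the bare "return -ENOMEM" is only correct if nothing acquired earlier in mv_platform_probe() needs an explicit release. In the visible lines the mapping is devm-managed and clk_get() comes after the check, so no clock reference is held yet, but the part of the function above this hunk should be checked the same way. The check is correctly placed ahead of "hpriv->base -= SATAHC0_REG_BASE", which would otherwise turn NULL into a bogus non-NULL address that later NULL tests cannot catch.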

* [PATCH 3.16 215/370] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bjorn Helgaas, Martin Burnicki

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit 89e9f7bcd8744ea25fcf0ac671b8d72c10d7d790 upstream.

Martin reported that the Supermicro X8DTH-i/6/iF/6F advertises incorrect
host bridge windows via _CRS:

  pci_root PNP0A08:00: host bridge window [io  0xf000-0xffff]
  pci_root PNP0A08:01: host bridge window [io  0xf000-0xffff]

Both bridges advertise the 0xf000-0xffff window, which cannot be correct.

Work around this by ignoring _CRS on this system.  The downside is that we
may not assign resources correctly to hot-added PCI devices (if they are
possible on this system).

Link: https://bugzilla.kernel.org/show_bug.cgi?id=42606
Reported-by: Martin Burnicki <martin.burnicki@meinberg.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/pci/acpi.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -118,6 +118,16 @@ static const struct dmi_system_id pci_cr
 			DMI_MATCH(DMI_BIOS_VERSION, "6JET85WW (1.43 )"),
 		},
 	},
+	/* https://bugzilla.kernel.org/show_bug.cgi?id=42606 */
+	{
+		.callback = set_nouse_crs,
+		.ident = "Supermicro X8DTH",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Supermicro"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "X8DTH-i/6/iF/6F"),
+			DMI_MATCH(DMI_BIOS_VERSION, "2.0a"),
+		},
+	},
 
 	/* https://bugzilla.kernel.org/show_bug.cgi?id=15362 */
 	{
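
Review bot: the new entry matches DMI_BIOS_VERSION "2.0a" exactly, so the same board on any other BIOS revision keeps using _CRS. The changelog does not say whether other revisions advertise the same duplicated [io 0xf000-0xffff] window; if they do, drop the version match or list them, and if they are known good, say so in the comment above the entry.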

* [PATCH 3.16 339/370] ip6_tunnel: disable caching when the traffic class is inherited
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hannes Frederic Sowa, David S. Miller, Jiri Slaby,
	Liam McBirnie, Paolo Abeni

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit b5c2d49544e5930c96e2632a7eece3f4325a1888 ]

If an ip6 tunnel is configured to inherit the traffic class from
the inner header, the dst_cache must be disabled or it will foul
the policy routing.

The issue has apparently been there since at least Linux-2.6.12-rc2.

Reported-by: Liam McBirnie <liam.mcbirnie@boeing.com>
Cc: Liam McBirnie <liam.mcbirnie@boeing.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_tunnel.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -958,12 +958,21 @@ static int ip6_tnl_xmit2(struct sk_buff
 	struct ipv6_tel_txoption opt;
 	struct dst_entry *dst = NULL, *ndst = NULL;
 	struct net_device *tdev;
+	bool use_cache = false;
 	int mtu;
 	unsigned int max_headroom = sizeof(struct ipv6hdr);
 	u8 proto;
 	int err = -1;
 
-	if (!fl6->flowi6_mark)
+	if (!(t->parms.flags &
+		     (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
+		/* enable the cache only only if the routing decision does
+		 * not depend on the current inner header value
+		 */
+		use_cache = true;
+	}
+
+	if (use_cache)
 		dst = ip6_tnl_dst_check(t);
 	if (!dst) {
 		ndst = ip6_route_output(net, NULL, fl6);
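
Review bot: the added comment reads "only only"; fix the duplicated word. The flag test can also be a single assignment, use_cache = !(t->parms.flags & (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK)), which removes the separate false initialiser and the braces. The cache decision also no longer looks at fl6->flowi6_mark at all, so a flow with a non-zero mark on a tunnel that has neither flag set now goes through ip6_tnl_dst_check(); the changelog should confirm that is intended.
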
@@ -1021,7 +1030,7 @@ static int ip6_tnl_xmit2(struct sk_buff
 		consume_skb(skb);
 		skb = new_skb;
 	}
-	if (fl6->flowi6_mark) {
+	if (!use_cache) {
 		skb_dst_set(skb, dst);
 		ndst = NULL;
 	} else {

* [PATCH 3.16 358/370] tun: read vnet_hdr_sz once
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Willem de Bruijn, David S. Miller, Eric Dumazet, Dmitry Vyukov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit e1edab87faf6ca30cd137e0795bc73aa9a9a22ec ]

When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Read this value once and cache locally, as it can be updated between
the test and use (TOCTOU).

Signed-off-by: Willem de Bruijn <willemb@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
CC: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of READ_ONCE()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/tun.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1037,9 +1037,11 @@ static ssize_t tun_get_user(struct tun_s
 	}
 
 	if (tun->flags & TUN_VNET_HDR) {
-		if (len < tun->vnet_hdr_sz)
+		int vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);
+
+		if (len < vnet_hdr_sz)
 			return -EINVAL;
-		len -= tun->vnet_hdr_sz;
+		len -= vnet_hdr_sz;
 
 		if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
 			return -EFAULT;
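
Review bot: the snapshot fixes the double read, but the bound being checked is len against vnet_hdr_sz while the copy that follows reads sizeof(gso) bytes. Nothing in this hunk shows that vnet_hdr_sz can never be smaller than sizeof(gso); please confirm that the code setting tun->vnet_hdr_sz enforces that lower bound, or compare len against the larger of the two here.
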
@@ -1050,7 +1052,7 @@ static ssize_t tun_get_user(struct tun_s
 
 		if (gso.hdr_len > len)
 			return -EINVAL;
-		offset += tun->vnet_hdr_sz;
+		offset += vnet_hdr_sz;
 	}
 
 	if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
@@ -1233,7 +1235,7 @@ static ssize_t tun_put_user(struct tun_s
 		vlan_hlen = VLAN_HLEN;
 
 	if (tun->flags & TUN_VNET_HDR)
-		vnet_hdr_sz = tun->vnet_hdr_sz;
+		vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);
 
 	if (!(tun->flags & TUN_NO_PI)) {
 		if ((len -= sizeof(pi)) < 0)
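
Review bot: tun_put_user() now reads vnet_hdr_sz once, but tun->flags is still read separately for the TUN_VNET_HDR test here and the TUN_NO_PI test two lines later. If flags can change while a read is in flight it needs the same single-snapshot treatment; if it cannot, a short comment saying why would help readers of this fix.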

* [PATCH 3.16 370/370] sctp: deny peeloff operation on asocs with threads sleeping on it
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alexander Popov, David S. Miller, Xin Long,
	Marcelo Ricardo Leitner

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream.

commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
attempted to avoid a BUG_ON call when the association being used for a
sendmsg() is blocked waiting for more sndbuf and another thread did a
peeloff operation on such asoc, moving it to another socket.

As Ben Hutchings noticed, then in such case it would return without
locking back the socket and would cause two unlocks in a row.

Further analysis also revealed that it could allow a double free if the
application managed to peeloff the asoc that is created during the
sendmsg call, because then sctp_sendmsg() would try to free the asoc
that was created only for that call.

This patch takes another approach. It will deny the peeloff operation
if there is a thread sleeping on the asoc, so this situation doesn't
exist anymore. This avoids the issues described above and also honors
the syscalls that are already being handled (it can be multiple sendmsg
calls).

Joint work with Xin Long.

Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
Cc: Alexander Popov <alex.popov@linux.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4331,6 +4331,12 @@ int sctp_do_peeloff(struct sock *sk, sct
 	if (!asoc)
 		return -EINVAL;
 
+	/* If there is a thread waiting on more sndbuf space for
+	 * sending on this asoc, it cannot be peeled.
+	 */
+	if (waitqueue_active(&asoc->wait))
+		return -EBUSY;
+
 	/* An association cannot be branched off from an already peeled-off
 	 * socket, nor is this supported for tcp style sockets.
 	 */
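
Review bot: waitqueue_active(&asoc->wait) is only a reliable test if a sender is always queued on asoc->wait before it drops the socket lock. The second hunk shows sctp_wait_for_sndbuf() calling release_sock(sk) before schedule_timeout(); the lines that add the task to the wait queue are outside the diff, so please confirm they run before that release_sock(), otherwise a peeloff can slip in between. -EBUSY is also a new error for callers of peeloff and should be mentioned in the changelog as a userspace-visible change.
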
@@ -6760,8 +6766,6 @@ static int sctp_wait_for_sndbuf(struct s
 		 */
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
-		if (sk != asoc->base.sk)
-			goto do_error;
 		lock_sock(sk);
 
 		*timeo_p = current_timeo;
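
Review bot: with the "sk != asoc->base.sk" test removed, this loop silently depends on sctp_do_peeloff() refusing to move the asoc while a thread sleeps here. Leave a comment at this spot pointing at the waitqueue_active() check so the invariant is visible where it is relied on.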

* [PATCH 3.16 196/370] USB: ch341: set tty baud speed according to tty struct
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nicolas PLANEL, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas PLANEL <nicolas.planel@enovance.com>

commit aa91def41a7bb1fd65492934ce6bea19202b6080 upstream.

The ch341_set_baudrate() function initializes the device baud speed
according to the value in priv->baud_rate. By default ch341_open() sets
it to a hardcoded value (DEFAULT_BAUD_RATE 9600). Unfortunately, the
tty_struct is not initialized with the same default value (usually 56700).

This means that the tty_struct and the device baud rate generator are not
synchronized after opening the port.

The fixup is done by calling ch341_set_termios() if the tty exists.
Remove the unnecessary setup of priv->baud_rate as it's already done by
ch341_port_probe().
Remove the unnecessary calls to ch341_set_{handshake,baudrate}() in
ch341_open() as they're already called in ch341_configure() and
ch341_set_termios().

Signed-off-by: Nicolas PLANEL <nicolas.planel@enovance.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index 2d72aa3564a3..ede4f5fcfadd 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -84,6 +84,10 @@ struct ch341_private {
 	u8 line_status; /* active status of modem control inputs */
 };
 
+static void ch341_set_termios(struct tty_struct *tty,
+			      struct usb_serial_port *port,
+			      struct ktermios *old_termios);
+
 static int ch341_control_out(struct usb_device *dev, u8 request,
 			     u16 value, u16 index)
 {
@@ -309,19 +313,12 @@ static int ch341_open(struct tty_struct *tty, struct usb_serial_port *port)
 	struct ch341_private *priv = usb_get_serial_port_data(port);
 	int r;
 
-	priv->baud_rate = DEFAULT_BAUD_RATE;
-
 	r = ch341_configure(serial->dev, priv);
 	if (r)
 		goto out;
 
-	r = ch341_set_handshake(serial->dev, priv->line_control);
-	if (r)
-		goto out;
-
-	r = ch341_set_baudrate(serial->dev, priv);
-	if (r)
-		goto out;
+	if (tty)
+		ch341_set_termios(tty, port, NULL);
 
 	dev_dbg(&port->dev, "%s - submitting interrupt urb\n", __func__);
 	r = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL);
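
Review bot: ch341_set_termios() returns void, so failures that used to abort ch341_open() through "if (r) goto out;" after ch341_set_handshake() and ch341_set_baudrate() are no longer propagated, and open can now succeed with the device left at a different rate from the tty. Either have the open path check the result of programming the chip or note in the changelog that dropping the error path is deliberate. When tty is NULL nothing after ch341_configure() programs the line settings, which the changelog covers by saying ch341_configure() already does so.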

* [PATCH 3.16 208/370] ocfs2: fix crash caused by stale lvb with fsdlm plugin
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Ren, Joseph Qi, Joel Becker, Linus Torvalds,
	Mark Fasheh, Junxiao Bi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Ren <zren@suse.com>

commit e7ee2c089e94067d68475990bdeed211c8852917 upstream.

The crash happens rather often when we reset some cluster nodes while
nodes contend fiercely to do truncate and append.

The crash backtrace is below:

   dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover_grant 1 locks on 971 resources
   dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover 9 generation 5 done: 4 ms
   ocfs2: Begin replay journal (node 318952601, slot 2) on device (253,18)
   ocfs2: End replay journal (node 318952601, slot 2) on device (253,18)
   ocfs2: Beginning quota recovery on device (253,18) for slot 2
   ocfs2: Finishing quota recovery on device (253,18) for slot 2
   (truncate,30154,1):ocfs2_truncate_file:470 ERROR: bug expression: le64_to_cpu(fe->i_size) != i_size_read(inode)
   (truncate,30154,1):ocfs2_truncate_file:470 ERROR: Inode 290321, inode i_size = 732 != di i_size = 937, i_flags = 0x1
   ------------[ cut here ]------------
   kernel BUG at /usr/src/linux/fs/ocfs2/file.c:470!
   invalid opcode: 0000 [#1] SMP
   Modules linked in: ocfs2_stack_user(OEN) ocfs2(OEN) ocfs2_nodemanager ocfs2_stackglue(OEN) quota_tree dlm(OEN) configfs fuse sd_mod    iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs softdog xfs libcrc32c ppdev parport_pc pcspkr parport      joydev virtio_balloon virtio_net i2c_piix4 acpi_cpufreq button processor ext4 crc16 jbd2 mbcache ata_generic cirrus virtio_blk ata_piix               drm_kms_helper ahci syscopyarea libahci sysfillrect sysimgblt fb_sys_fops ttm floppy libata drm virtio_pci virtio_ring uhci_hcd virtio ehci_hcd       usbcore serio_raw usb_common sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
   Supported: No, Unsupported modules are loaded
   CPU: 1 PID: 30154 Comm: truncate Tainted: G           OE   N  4.4.21-69-default #1
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
   task: ffff88004ff6d240 ti: ffff880074e68000 task.ti: ffff880074e68000
   RIP: 0010:[<ffffffffa05c8c30>]  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
   RSP: 0018:ffff880074e6bd50  EFLAGS: 00010282
   RAX: 0000000000000074 RBX: 000000000000029e RCX: 0000000000000000
   RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
   RBP: ffff880074e6bda8 R08: 000000003675dc7a R09: ffffffff82013414
   R10: 0000000000034c50 R11: 0000000000000000 R12: ffff88003aab3448
   R13: 00000000000002dc R14: 0000000000046e11 R15: 0000000000000020
   FS:  00007f839f965700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
   CR2: 00007f839f97e000 CR3: 0000000036723000 CR4: 00000000000006e0
   Call Trace:
     ocfs2_setattr+0x698/0xa90 [ocfs2]
     notify_change+0x1ae/0x380
     do_truncate+0x5e/0x90
     do_sys_ftruncate.constprop.11+0x108/0x160
     entry_SYSCALL_64_fastpath+0x12/0x6d
   Code: 24 28 ba d6 01 00 00 48 c7 c6 30 43 62 a0 8b 41 2c 89 44 24 08 48 8b 41 20 48 c7 c1 78 a3 62 a0 48 89 04 24 31 c0 e8 a0 97 f9 ff <0f> 0b 3d 00 fe ff ff 0f 84 ab fd ff ff 83 f8 fc 0f 84 a2 fd ff
   RIP  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]

It's because ocfs2_inode_lock() gets us a stale LVB in which the i_size is
not equal to the disk i_size.  We mistakenly trust the LVB because the
underlying fsdlm dlm_lock() doesn't set lkb_sbflags with
DLM_SBF_VALNOTVALID properly for us.  But, why?

The current code tries to downconvert the lock without the DLM_LKF_VALBLK
flag to tell o2cb not to update the RSB's LVB if it's a PR->NULL conversion,
even if the lock resource type needs LVB.  This is not the right way for
fsdlm.

The fsdlm plugin behaves differently on DLM_LKF_VALBLK: it depends on
DLM_LKF_VALBLK to decide if we care about the LVB in the LKB.  If
DLM_LKF_VALBLK is not set, fsdlm will skip recovering the RSB's LVB from
this lkb and set the right DLM_SBF_VALNOTVALID appropriately when node
failure happens.

The following diagram briefly illustrates how this crash happens:

RSB1 is inode metadata lock resource with LOCK_TYPE_USES_LVB;

The 1st round:

             Node1                                    Node2
RSB1: PR
                                                  RSB1(master): NULL->EX
ocfs2_downconvert_lock(PR->NULL, set_lvb==0)
  ocfs2_dlm_lock(no DLM_LKF_VALBLK)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

dlm_lock(no DLM_LKF_VALBLK)
  convert_lock(overwrite lkb->lkb_exflags
               with no DLM_LKF_VALBLK)

RSB1: NULL                                        RSB1: EX
                                                  reset Node2
dlm_recover_rsbs()
  recover_lvb()

/* The LVB is not trustable if the node with EX fails and
 * no lock >= PR is left. We should set RSB_VALNOTVALID for RSB1.
 */

 if(!(kb_exflags & DLM_LKF_VALBLK)) /* This means we miss the chance to
           return;                   * to invalid the LVB here.
                                     */

The 2nd round:

         Node 1                                Node2
RSB1(become master from recovery)

ocfs2_setattr()
  ocfs2_inode_lock(NULL->EX)
    /* dlm_lock() return the stale lvb without setting DLM_SBF_VALNOTVALID */
    ocfs2_meta_lvb_is_trustable() return 1 /* so we don't refresh inode from disk */
  ocfs2_truncate_file()
      mlog_bug_on_msg(disk isize != i_size_read(inode))  /* crash! */

The fix is quite straightforward.  We keep setting the DLM_LKF_VALBLK flag
for dlm_lock() if the lock resource type needs LVB and the fsdlm plugin
is used.

Link: http://lkml.kernel.org/r/1481275846-6604-1-git-send-email-zren@suse.com
Signed-off-by: Eric Ren <zren@suse.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ocfs2/dlmglue.c   | 10 ++++++++++
 fs/ocfs2/stackglue.c |  6 ++++++
 fs/ocfs2/stackglue.h |  3 +++
 3 files changed, 19 insertions(+)

--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -3305,6 +3305,16 @@ static int ocfs2_downconvert_lock(struct
 	mlog(ML_BASTS, "lockres %s, level %d => %d\n", lockres->l_name,
 	     lockres->l_level, new_level);
 
+	/*
+	 * On DLM_LKF_VALBLK, fsdlm behaves differently with o2cb. It always
+	 * expects DLM_LKF_VALBLK being set if the LKB has LVB, so that
+	 * we can recover correctly from node failure. Otherwise, we may get
+	 * invalid LVB in LKB, but without DLM_SBF_VALNOTVALID being set.
+	 */
+	if (!ocfs2_is_o2cb_active() &&
+	    lockres->l_ops->flags & LOCK_TYPE_USES_LVB)
+		lvb = 1;
+
 	if (lvb)
 		dlm_flags |= DLM_LKF_VALBLK;
 
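
Review bot: the new condition mixes && with a bare bitwise &: "!ocfs2_is_o2cb_active() && lockres->l_ops->flags & LOCK_TYPE_USES_LVB". Precedence makes it evaluate as intended, but parenthesise the flag test so readers and static checkers do not have to work it out. In the comment, "behaves differently with o2cb" should read "differently from o2cb".
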
--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -48,6 +48,12 @@ static char ocfs2_hb_ctl_path[OCFS2_MAX_
  */
 static struct ocfs2_stack_plugin *active_stack;
 
+inline int ocfs2_is_o2cb_active(void)
+{
+	return !strcmp(active_stack->sp_name, OCFS2_STACK_PLUGIN_O2CB);
+}
+EXPORT_SYMBOL_GPL(ocfs2_is_o2cb_active);
+
 static struct ocfs2_stack_plugin *ocfs2_stack_lookup(const char *name)
 {
 	struct ocfs2_stack_plugin *p;
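
Review bot: ocfs2_is_o2cb_active() dereferences active_stack->sp_name with no NULL check and no lock visible in this hunk. If it can be called before a stack plugin is registered, or while one is being unloaded, that is a NULL dereference or a race, so either take the lock that protects active_stack or document why the caller guarantees it is set. Marking a non-static function that is also exported with EXPORT_SYMBOL_GPL as "inline" has no useful effect; drop the keyword.
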
--- a/fs/ocfs2/stackglue.h
+++ b/fs/ocfs2/stackglue.h
@@ -298,4 +298,7 @@ void ocfs2_stack_glue_set_max_proto_vers
 int ocfs2_stack_glue_register(struct ocfs2_stack_plugin *plugin);
 void ocfs2_stack_glue_unregister(struct ocfs2_stack_plugin *plugin);
 
+/* In ocfs2_downconvert_lock(), we need to know which stack we are using */
+int ocfs2_is_o2cb_active(void);
+
 #endif  /* STACKGLUE_H */

* [PATCH 3.16 330/370] net: sctp, forbid negative length
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Vlad Yasevich, netdev, linux-sctp,
	Neil Horman, Jiri Slaby

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

[ Upstream commit a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf ]

Most of getsockopt handlers in net/sctp/socket.c check len against
sizeof some structure like:
        if (len < sizeof(int))
                return -EINVAL;

On the first look, the check seems to be correct. But since len is int
and sizeof returns size_t, int gets promoted to unsigned size_t too. So
the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
false.

Fix this in sctp by explicitly checking len < 0 before any getsockopt
handler is called.

Note that sctp_getsockopt_events already handled the negative case.
Since we added the < 0 check elsewhere, this one can be removed.

If not checked, this is the result:
UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
shift exponent 52 is too large for 32-bit type 'int'
CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
 0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
 ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
 0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
Call Trace:
 [<ffffffffb3051498>] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
...
 [<ffffffffb273f0e4>] ? kmalloc_order+0x24/0x90
 [<ffffffffb27416a4>] ? kmalloc_order_trace+0x24/0x220
 [<ffffffffb2819a30>] ? __kmalloc+0x330/0x540
 [<ffffffffc18c25f4>] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
 [<ffffffffc18d2bcd>] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
 [<ffffffffb37c1219>] ? sock_common_getsockopt+0xb9/0x150
 [<ffffffffb37be2f5>] ? SyS_getsockopt+0x1a5/0x270

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4280,7 +4280,7 @@ static int sctp_getsockopt_disable_fragm
 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
 				  int __user *optlen)
 {
-	if (len <= 0)
+	if (len == 0)
 		return -EINVAL;
 	if (len > sizeof(struct sctp_event_subscribe))
 		len = sizeof(struct sctp_event_subscribe);
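
Review bot: relaxing "len <= 0" to "len == 0" in sctp_getsockopt_events() makes this handler depend on the new check in sctp_getsockopt(). The stricter test costs nothing and keeps the handler safe if it is ever reached by another path, so I would leave it as it was. The next line, "len > sizeof(struct sctp_event_subscribe)", has the same int-versus-size_t promotion the changelog describes.
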
@@ -5801,6 +5801,9 @@ static int sctp_getsockopt(struct sock *
 	if (get_user(len, optlen))
 		return -EFAULT;
 
+	if (len < 0)
+		return -EINVAL;
+
 	lock_sock(sk);
 
 	switch (optname) {
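
The promotion described in the commit message, as an added stand-alone C example (not kernel code and not part of the patch). struct opt_params and the function names are hypothetical; the checks mirror the "len < sizeof(...)" pattern quoted in the changelog and the "len < 0" test the patch adds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical option structure; any struct shows the same effect. */
struct opt_params {
	int assoc_id;
	int value;
};

/* Handler-side check in the form quoted in the commit message. 'len' is
 * converted to size_t for the comparison, so -1 becomes SIZE_MAX and the
 * "too short" branch is not taken. */
static int handler_len_check(int len)
{
	if (len < sizeof(struct opt_params))
		return -EINVAL;
	return 0;
}

/* Dispatcher without the fix: a negative length reaches the handler
 * and passes its check. */
int getsockopt_unpatched(int len)
{
	return handler_len_check(len);
}

/* Dispatcher with the fix: reject negative lengths once, before any
 * handler runs. */
int getsockopt_patched(int len)
{
	if (len < 0)
		return -EINVAL;
	return handler_len_check(len);
}

/* What a handler that sizes a buffer from 'len' would go on to request. */
size_t bytes_requested(int len)
{
	return (size_t)len;
}

int main(void)
{
	/* Constructed inputs: negative, too short, exactly large enough. */
	int samples[] = { -1, 4, (int)sizeof(struct opt_params) };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("len=%d unpatched=%d patched=%d requested=%zu\n",
		       samples[i],
		       getsockopt_unpatched(samples[i]),
		       getsockopt_patched(samples[i]),
		       bytes_requested(samples[i]));
	return 0;
}
```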

* [PATCH 3.16 216/370] xhci: fix deadlock at host remove by running watchdog correctly
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit d6169d04097fd9ddf811e63eae4e5cd71e6666e2 upstream.

If a URB is killed while the host is removed we can end up in a situation
where the hub thread takes the roothub device lock, and waits for
the URB to be given back by xhci-hcd, blocking the host remove code.

xhci-hcd tries to stop the endpoint and give back the urb, but can't
as the host is removed from PCI bus at the same time, preventing the normal
way of giving back urb.

Instead we need to rely on the stop command timeout function to give back
the urb. This xhci_stop_endpoint_command_watchdog() timeout function
used a XHCI_STATE_DYING flag to indicate if the timeout function is already
running, but later this flag has been taken into use in other places to
mark that xhci is dying.

Remove checks for XHCI_STATE_DYING in xhci_urb_dequeue. We are still
checking that reading from pci state does not return 0xffffffff or that
host is not halted before trying to stop the endpoint.

This whole area of stopping endpoints, giving back URBs, and the watchdog
timeout need rework, this fix focuses on solving a specific deadlock
issue that we can then send to stable before any major rework.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: the checks look slightly different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 11 -----------
 drivers/usb/host/xhci.c      | 13 -------------
 2 files changed, 24 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -878,13 +878,6 @@ void xhci_stop_endpoint_command_watchdog
 	spin_lock_irqsave(&xhci->lock, flags);
 
 	ep->stop_cmds_pending--;
-	if (xhci->xhc_state & XHCI_STATE_DYING) {
-		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"Stop EP timer ran, but another timer marked "
-				"xHCI as DYING, exiting.");
-		spin_unlock_irqrestore(&xhci->lock, flags);
-		return;
-	}
 	if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 				"Stop EP timer ran, but no command pending, "
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1561,19 +1561,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd
 		xhci_urb_free_priv(xhci, urb_priv);
 		return ret;
 	}
-	if ((xhci->xhc_state & XHCI_STATE_DYING) ||
-			(xhci->xhc_state & XHCI_STATE_HALTED)) {
-		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"Ep 0x%x: URB %p to be canceled on "
-				"non-responsive xHCI host.",
-				urb->ep->desc.bEndpointAddress, urb);
-		/* Let the stop endpoint command watchdog timer (which set this
-		 * state) finish cleaning up the endpoint TD lists.  We must
-		 * have caught it in the middle of dropping a lock and giving
-		 * back an URB.
-		 */
-		goto done;
-	}
 
 	ep_index = xhci_get_endpoint_index(&urb->ep->desc);
 	ep = &xhci->devs[urb->dev->slot_id]->eps[ep_index];
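
Review bot: the removed condition in xhci_urb_dequeue() tests XHCI_STATE_HALTED as well as XHCI_STATE_DYING, but the commit message only speaks of removing the DYING check and says the halted-host check is kept. Please confirm that the block ending in `return ret;` just above still tests for a halted host in 3.16, and say so in the backport note, which currently reads only "the checks look slightly different". The deleted comment also recorded that the watchdog timer is what sets this state; a replacement sentence on why dequeue may now proceed while the host is dying would help the later rework.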

* [PATCH 3.16 237/370] arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dave Martin, Catalin Marinas, Will Deacon

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.

This patch adds an explicit __reserved[] field to user_fpsimd_state
to replace what was previously unnamed padding.

This ensures that data in this region are propagated across
assignment rather than being left possibly uninitialised at the
destination.

Fixes: 60ffc30d5652 ("arm64: Exception handling")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/uapi/asm/ptrace.h | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm64/include/uapi/asm/ptrace.h
+++ b/arch/arm64/include/uapi/asm/ptrace.h
@@ -75,6 +75,7 @@ struct user_fpsimd_state {
 	__uint128_t	vregs[32];
 	__u32		fpsr;
 	__u32		fpcr;
+	__u32		__reserved[2];
 };
 
 struct user_hwdebug_state {
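
Review bot: `__reserved[2]` is added to a uapi struct without a comment saying what it is for. Because vregs is __uint128_t, the struct was already padded to a 16-byte multiple after fpcr, so the two __u32 words name existing padding rather than growing the layout. A comment to that effect on the field (and that userspace should not rely on its contents) would spare readers from rechecking the ABI.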

* [PATCH 3.16 223/370] net: systemport: Decouple flow control from __bcm_sysport_tx_reclaim
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 148d3d021cf9724fcf189ce4e525a094bbf5ce89 upstream.

The __bcm_sysport_tx_reclaim() function is used to reclaim transmit
resources in different places within the driver. Most of them should
not affect the state of the transit flow control.

Introduce bcm_sysport_tx_clean() which cleans the ring, but does not
re-enable flow control towards the networking stack, and make
bcm_sysport_tx_reclaim() do the actual transmit queue flow control.

Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -587,11 +587,8 @@ static unsigned int __bcm_sysport_tx_rec
 	unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
 	unsigned int pkts_compl = 0, bytes_compl = 0;
 	struct bcm_sysport_cb *cb;
-	struct netdev_queue *txq;
 	u32 hw_ind;
 
-	txq = netdev_get_tx_queue(ndev, ring->index);
-
 	/* Compute how many descriptors have been processed since last call */
 	hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
 	c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
@@ -622,9 +619,6 @@ static unsigned int __bcm_sysport_tx_rec
 
 	ring->c_index = c_index;
 
-	if (netif_tx_queue_stopped(txq) && pkts_compl)
-		netif_tx_wake_queue(txq);
-
 	netif_dbg(priv, tx_done, ndev,
 			"ring=%d c_index=%d pkts_compl=%d, bytes_compl=%d\n",
 			ring->index, ring->c_index, pkts_compl, bytes_compl);
@@ -636,16 +630,33 @@ static unsigned int __bcm_sysport_tx_rec
 static unsigned int bcm_sysport_tx_reclaim(struct bcm_sysport_priv *priv,
 					   struct bcm_sysport_tx_ring *ring)
 {
+	struct netdev_queue *txq;
 	unsigned int released;
 	unsigned long flags;
 
+	txq = netdev_get_tx_queue(priv->netdev, ring->index);
+
 	spin_lock_irqsave(&ring->lock, flags);
 	released = __bcm_sysport_tx_reclaim(priv, ring);
+	if (released)
+		netif_tx_wake_queue(txq);
+
 	spin_unlock_irqrestore(&ring->lock, flags);
 
 	return released;
 }
 
+/* Locked version of the per-ring TX reclaim, but does not wake the queue */
+static void bcm_sysport_tx_clean(struct bcm_sysport_priv *priv,
+				 struct bcm_sysport_tx_ring *ring)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&ring->lock, flags);
+	__bcm_sysport_tx_reclaim(priv, ring);
+	spin_unlock_irqrestore(&ring->lock, flags);
+}
+
 static int bcm_sysport_tx_poll(struct napi_struct *napi, int budget)
 {
 	struct bcm_sysport_tx_ring *ring =
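
Review bot: in bcm_sysport_tx_reclaim() the wake-up condition changed from `netif_tx_queue_stopped(txq) && pkts_compl` to `if (released)`, so netif_tx_wake_queue() is now called whenever __bcm_sysport_tx_reclaim() returns non-zero, whether or not the queue was stopped. If dropping the stopped test is intended, say so in the commit message; otherwise keep it. It is also worth a comment on bcm_sysport_tx_clean() saying which callers must use it instead of bcm_sysport_tx_reclaim(), as the only visible conversion is bcm_sysport_fini_tx_ring().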
@@ -1072,7 +1083,7 @@ static void bcm_sysport_fini_tx_ring(str
 	napi_disable(&ring->napi);
 	netif_napi_del(&ring->napi);
 
-	bcm_sysport_tx_reclaim(priv, ring);
+	bcm_sysport_tx_clean(priv, ring);
 
 	kfree(ring->cbs);
 	ring->cbs = NULL;

* [PATCH 3.16 220/370] KVM: x86: flush pending lapic jump label updates on module unload
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paolo Bonzini, David Matlack

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Matlack <dmatlack@google.com>

commit cef84c302fe051744b983a92764d3fcca933415d upstream.

KVM's lapic emulation uses static_key_deferred (apic_{hw,sw}_disabled).
These are implemented with delayed_work structs which can still be
pending when the KVM module is unloaded. We've seen this cause kernel
panics when the kvm_intel module is quickly reloaded.

Use the new static_key_deferred_flush() API to flush pending updates on
module unload.

Signed-off-by: David Matlack <dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/lapic.c | 6 ++++++
 arch/x86/kvm/lapic.h | 1 +
 arch/x86/kvm/x86.c   | 1 +
 3 files changed, 8 insertions(+)

--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1941,3 +1941,9 @@ void kvm_lapic_init(void)
 	jump_label_rate_limit(&apic_hw_disabled, HZ);
 	jump_label_rate_limit(&apic_sw_disabled, HZ);
 }
+
+void kvm_lapic_exit(void)
+{
+	static_key_deferred_flush(&apic_hw_disabled);
+	static_key_deferred_flush(&apic_sw_disabled);
+}
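
Review bot: kvm_lapic_exit() depends on static_key_deferred_flush(), which the commit message calls a new API, so the 3.16 queue has to carry the patch that introduces it ahead of this one; please name that prerequisite in the backport. A one-line comment in kvm_lapic_exit() saying that the flush is there because the rate-limited keys set up in kvm_lapic_init() can leave delayed work pending at module unload would also help.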
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -93,6 +93,7 @@ static inline bool kvm_hv_vapic_assist_p
 
 int kvm_lapic_enable_pv_eoi(struct kvm_vcpu *vcpu, u64 data);
 void kvm_lapic_init(void);
+void kvm_lapic_exit(void);
 
 static inline u32 kvm_apic_get_reg(struct kvm_lapic *apic, int reg_off)
 {
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5677,6 +5677,7 @@ out:
 
 void kvm_arch_exit(void)
 {
+	kvm_lapic_exit();
 	perf_unregister_guest_info_callbacks(&kvm_guest_cbs);
 
 	if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC))

* [PATCH 3.16 235/370] ceph: fix bad endianness handling in parse_reply_info_extra
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ilya Dryomov, Sage Weil, Jeff Layton

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@redhat.com>

commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.

sparse says:

    fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
    fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer

The op value is __le32, so we need to convert it before comparing it.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/mds_client.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -262,12 +262,13 @@ static int parse_reply_info_extra(void *
 				  struct ceph_mds_reply_info_parsed *info,
 				  u64 features)
 {
-	if (info->head->op == CEPH_MDS_OP_GETFILELOCK)
+	u32 op = le32_to_cpu(info->head->op);
+
+	if (op == CEPH_MDS_OP_GETFILELOCK)
 		return parse_reply_info_filelock(p, end, info, features);
-	else if (info->head->op == CEPH_MDS_OP_READDIR ||
-		 info->head->op == CEPH_MDS_OP_LSSNAP)
+	else if (op == CEPH_MDS_OP_READDIR || op == CEPH_MDS_OP_LSSNAP)
 		return parse_reply_info_dir(p, end, info, features);
-	else if (info->head->op == CEPH_MDS_OP_CREATE)
+	else if (op == CEPH_MDS_OP_CREATE)
 		return parse_reply_info_create(p, end, info, features);
 	else
 		return -EIO;
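
Review bot: the commit message gives only the sparse warnings; it should also state the runtime effect, namely that comparing the raw __le32 info->head->op with the CEPH_MDS_OP_* constants only goes wrong on big-endian hosts, since that is what decides whether a stable tree needs the fix. With op now a local u32, the if/else chain in parse_reply_info_extra() could also be written as a switch.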

* [PATCH 3.16 345/370] drop_monitor: add missing call to genlmsg_end
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Reiter Wolfgang, Neil Horman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Reiter Wolfgang <wr0112358@gmail.com>

[ Upstream commit 4200462d88f47f3759bdf4705f87e207b0f5b2e4 ]

Update nlmsg_len field with genlmsg_end to enable userspace processing
using nlmsg_next helper. Also adds error handling.

Signed-off-by: Reiter Wolfgang <wr0112358@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/drop_monitor.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -80,6 +80,7 @@ static struct sk_buff *reset_per_cpu_dat
 	struct nlattr *nla;
 	struct sk_buff *skb;
 	unsigned long flags;
+	void *msg_header;
 
 	al = sizeof(struct net_dm_alert_msg);
 	al += dm_hit_limit * sizeof(struct net_dm_drop_point);
@@ -87,17 +88,31 @@ static struct sk_buff *reset_per_cpu_dat
 
 	skb = genlmsg_new(al, GFP_KERNEL);
 
-	if (skb) {
-		genlmsg_put(skb, 0, 0, &net_drop_monitor_family,
-				0, NET_DM_CMD_ALERT);
-		nla = nla_reserve(skb, NLA_UNSPEC,
-				  sizeof(struct net_dm_alert_msg));
-		msg = nla_data(nla);
-		memset(msg, 0, al);
-	} else {
-		mod_timer(&data->send_timer, jiffies + HZ / 10);
+	if (!skb)
+		goto err;
+
+	msg_header = genlmsg_put(skb, 0, 0, &net_drop_monitor_family,
+				 0, NET_DM_CMD_ALERT);
+	if (!msg_header) {
+		nlmsg_free(skb);
+		skb = NULL;
+		goto err;
+	}
+	nla = nla_reserve(skb, NLA_UNSPEC,
+			  sizeof(struct net_dm_alert_msg));
+	if (!nla) {
+		nlmsg_free(skb);
+		skb = NULL;
+		goto err;
 	}
+	msg = nla_data(nla);
+	memset(msg, 0, al);
+	genlmsg_end(skb, msg_header);
+	goto out;
 
+err:
+	mod_timer(&data->send_timer, jiffies + HZ / 10);
+out:
 	spin_lock_irqsave(&data->lock, flags);
 	swap(data->skb, skb);
 	spin_unlock_irqrestore(&data->lock, flags);
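
Review bot: `memset(msg, 0, al)` clears al bytes, but the nla_reserve() call just above reserves only sizeof(struct net_dm_alert_msg), while al also includes dm_hit_limit * sizeof(struct net_dm_drop_point). The line is carried over from the old code, but since this hunk rewrites the block, either reserve and clear the same length or add a comment on why writing past the reserved attribute is safe here. The two failure branches also repeat `nlmsg_free(skb); skb = NULL; goto err;` and could share one label.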

* [PATCH 3.16 312/370] route: do not cache fib route info on local routes with  oif
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Chris Friesen, Julian Anastasov, Allain Legacy

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Friesen <chris.friesen@windriver.com>

[ Upstream commit d6d5e999e5df67f8ec20b6be45e2229455ee3699 ]

For local routes that require a particular output interface we do not want
to cache the result.  Caching the result causes incorrect behaviour when
there are multiple source addresses on the interface.  The end result
being that if the intended recipient is waiting on that interface for the
packet he won't receive it because it will be delivered on the loopback
interface and the IP_PKTINFO ipi_ifindex will be set to the loopback
interface as well.

This can be tested by running a program such as "dhcp_release" which
attempts to inject a packet on a particular interface so that it is
received by another program on the same board.  The receiving process
should see an IP_PKTINFO ipi_ifindex value of the source interface
(e.g., eth1) instead of the loopback interface (e.g., lo).  The packet
will still appear on the loopback interface in tcpdump but the important
aspect is that the CMSG info is correct.

Sample dhcp_release command line:

   dhcp_release eth1 192.168.204.222 02:11:33:22:44:66

Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
Signed off-by: Chris Friesen <chris.friesen@windriver.com>
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/route.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1968,6 +1968,18 @@ static struct rtable *__mkroute_output(c
 		 */
 		if (fi && res->prefixlen < 4)
 			fi = NULL;
+	} else if ((type == RTN_LOCAL) && (orig_oif != 0) &&
+		   (orig_oif != dev_out->ifindex)) {
+		/* For local routes that require a particular output interface
+		 * we do not want to cache the result.  Caching the result
+		 * causes incorrect behaviour when there are multiple source
+		 * addresses on the interface, the end result being that if the
+		 * intended recipient is waiting on that interface for the
+		 * packet he won't receive it because it will be delivered on
+		 * the loopback interface and the IP_PKTINFO ipi_ifindex will
+		 * be set to the loopback interface as well.
+		 */
+		fi = NULL;
 	}
 
 	fnhe = NULL;
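
Review bot: the comment in the new else-if branch of __mkroute_output() repeats the commit message but does not explain the `orig_oif != dev_out->ifindex` part of the condition, which is what limits the change to lookups where the requested interface differs from the device the local route resolved to. Add a sentence on that, and consider trimming the rest to the rule itself (do not cache fi for RTN_LOCAL with a specific oif).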

* [PATCH 3.16 306/370] printk: use rcuidle console tracepoint
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, Paul E. McKenney, Russell King,
	Tony Lindgren, Sergey Senozhatsky, Linus Torvalds,
	Thomas Gleixner, Steven Rostedt (VMware),
	Sergey Senozhatsky, Petr Mladek

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>

commit fc98c3c8c9dcafd67adcce69e6ce3191d5306c9c upstream.

Use rcuidle console tracepoint because, apparently, it may be issued
from an idle CPU:

  hw-breakpoint: Failed to enable monitor mode on CPU 0.
  hw-breakpoint: CPU 0 failed to disable vector catch

  ===============================
  [ ERR: suspicious RCU usage.  ]
  4.10.0-rc8-next-20170215+ #119 Not tainted
  -------------------------------
  ./include/trace/events/printk.h:32 suspicious rcu_dereference_check() usage!

  other info that might help us debug this:

  RCU used illegally from idle CPU!
  rcu_scheduler_active = 2, debug_locks = 0
  RCU used illegally from extended quiescent state!
  2 locks held by swapper/0/0:
   #0:  (cpu_pm_notifier_lock){......}, at: [<c0237e2c>] cpu_pm_exit+0x10/0x54
   #1:  (console_lock){+.+.+.}, at: [<c01ab350>] vprintk_emit+0x264/0x474

  stack backtrace:
  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.10.0-rc8-next-20170215+ #119
  Hardware name: Generic OMAP4 (Flattened Device Tree)
    console_unlock
    vprintk_emit
    vprintk_default
    printk
    reset_ctrl_regs
    dbg_cpu_pm_notify
    notifier_call_chain
    cpu_pm_exit
    omap_enter_idle_coupled
    cpuidle_enter_state
    cpuidle_enter_state_coupled
    do_idle
    cpu_startup_entry
    start_kernel

This RCU warning, however, is suppressed by lockdep_off() in printk().
lockdep_off() increments the ->lockdep_recursion counter and thus
disables RCU_LOCKDEP_WARN() and debug_lockdep_rcu_enabled(), which want
lockdep to be enabled "current->lockdep_recursion == 0".

Link: http://lkml.kernel.org/r/20170217015932.11898-1-sergey.senozhatsky@gmail.com
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reported-by: Tony Lindgren <tony@atomide.com>
Tested-by: Tony Lindgren <tony@atomide.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Russell King <rmk@armlinux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/printk/printk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1356,7 +1356,7 @@ static void call_console_drivers(int lev
 {
 	struct console *con;
 
-	trace_console(text, len);
+	trace_console_rcuidle(text, len);
 
 	if (level >= console_loglevel && !ignore_loglevel)
 		return;
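
Review bot: the switch to trace_console_rcuidle() in call_console_drivers() has no comment, so the reason for the _rcuidle variant (printk can be reached from an idle CPU, as the cpu_pm_exit trace in the commit message shows) is only recoverable from the log. A one-line comment above the call would prevent a later cleanup from changing it back to trace_console().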

* [PATCH 3.16 284/370] ALSA: seq: Fix race at creating a queue
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dmitry Vyukov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.

When a sequencer queue is created in snd_seq_queue_alloc(), it adds the
new queue element to the public list before referencing it.  Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.

The fix is to reference the queue object at the right time.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void)
 	}
 }
 
+static void queue_use(struct snd_seq_queue *queue, int client, int use);
+
 /* allocate a new queue -
  * return queue index value or negative value for error
  */
@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int
 	if (q == NULL)
 		return -ENOMEM;
 	q->info_flags = info_flags;
+	queue_use(q, client, 1);
 	if (queue_list_add(q) < 0) {
 		queue_delete(q);
 		return -ENOMEM;
 	}
-	snd_seq_queue_use(q->queue, client, 1); /* use this queue */
 	return q->queue;
 }
 
@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int qu
 	return result;
 }
 
-
-/* use or unuse this queue -
- * if it is the first client, starts the timer.
- * if it is not longer used by any clients, stop the timer.
- */
-int snd_seq_queue_use(int queueid, int client, int use)
+/* use or unuse this queue */
+static void queue_use(struct snd_seq_queue *queue, int client, int use)
 {
-	struct snd_seq_queue *queue;
-
-	queue = queueptr(queueid);
-	if (queue == NULL)
-		return -EINVAL;
-	mutex_lock(&queue->timer_mutex);
 	if (use) {
 		if (!test_and_set_bit(client, queue->clients_bitmap))
 			queue->clients++;
@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int c
 	} else {
 		snd_seq_timer_close(queue);
 	}
+}
+
+/* use or unuse this queue -
+ * if it is the first client, starts the timer.
+ * if it is not longer used by any clients, stop the timer.
+ */
+int snd_seq_queue_use(int queueid, int client, int use)
+{
+	struct snd_seq_queue *queue;
+
+	queue = queueptr(queueid);
+	if (queue == NULL)
+		return -EINVAL;
+	mutex_lock(&queue->timer_mutex);
+	queue_use(queue, client, use);
 	mutex_unlock(&queue->timer_mutex);
 	queuefree(queue);
 	return 0;
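
Review bot: snd_seq_queue_use() calls queue_use() with queue->timer_mutex held, while the call added in snd_seq_queue_alloc() runs it without the mutex. That is presumably safe because the queue is not yet on the public list at that point, but the new `/* use or unuse this queue */` comment on queue_use() does not say so. It should state that the caller either holds timer_mutex or owns a queue that has not been published.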

* [PATCH 3.16 311/370] decnet: Do not build routes to devices without decnet  private data.
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <davem@davemloft.net>

[ Upstream commit a36a0d4008488fa545c74445d69eaf56377d5d4e ]

In particular, make sure we check for decnet private presence
for loopback devices.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/decnet/dn_route.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -1042,10 +1042,13 @@ source_ok:
 	if (!fld.daddr) {
 		fld.daddr = fld.saddr;
 
-		err = -EADDRNOTAVAIL;
 		if (dev_out)
 			dev_put(dev_out);
+		err = -EINVAL;
 		dev_out = init_net.loopback_dev;
+		if (!dev_out->dn_ptr)
+			goto out;
+		err = -EADDRNOTAVAIL;
 		dev_hold(dev_out);
 		if (!fld.daddr) {
 			fld.daddr =
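
Review bot: here the `!dev_out->dn_ptr` test runs before dev_hold(dev_out) and jumps to out, whereas the same test in the select_source hunk runs after dev_hold() and jumps to e_inval. dev_out already points at init_net.loopback_dev in both places, so if the exit path drops a reference on dev_out, this first case releases one it never took. Either move the test after dev_hold() as in select_source, or clear dev_out before the goto.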
@@ -1118,6 +1121,8 @@ source_ok:
 		if (dev_out == NULL)
 			goto out;
 		dn_db = rcu_dereference_raw(dev_out->dn_ptr);
+		if (!dn_db)
+			goto e_inval;
 		/* Possible improvement - check all devices for local addr */
 		if (dn_dev_islocal(dev_out, fld.daddr)) {
 			dev_put(dev_out);
@@ -1159,6 +1164,8 @@ select_source:
 			dev_put(dev_out);
 		dev_out = init_net.loopback_dev;
 		dev_hold(dev_out);
+		if (!dev_out->dn_ptr)
+			goto e_inval;
 		fld.flowidn_oif = dev_out->ifindex;
 		if (res.fi)
 			dn_fib_info_put(res.fi);

* [PATCH 3.16 338/370] sock: fix sendmmsg for partial sendmsg
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Neal Cardwell, Soheil Hassas Yeganeh, Eric Dumazet,
	David S. Miller, Willem de Bruijn, Maciej Żenczykowski

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Soheil Hassas Yeganeh <soheil@google.com>

[ Upstream commit 3023898b7d4aac65987bd2f485cc22390aae6f78 ]

Do not send the next message in sendmmsg for partial sendmsg
invocations.

sendmmsg assumes that it can continue sending the next message
when the return value of the individual sendmsg invocations
is positive. It results in corrupting the data for TCP,
SCTP, and UNIX streams.

For example, sendmmsg([["abcd"], ["efgh"]]) can result in a stream
of "aefgh" if the first sendmsg invocation sends only the first
byte while the second sendmsg goes through.

Datagram sockets either send the entire datagram or fail, so
this patch affects only sockets of type SOCK_STREAM and
SOCK_SEQPACKET.

Fixes: 228e548e6020 ("net: Add sendmmsg socket system call")
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: we don't have the iov_iter API, so make
 ___sys_sendmsg() calculate and write back the remaining length]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/socket.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -1998,7 +1998,7 @@ static int copy_msghdr_from_user(struct
 
 static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
 			 struct msghdr *msg_sys, unsigned int flags,
-			 struct used_address *used_address)
+			 struct used_address *used_address, int *residue)
 {
 	struct compat_msghdr __user *msg_compat =
 	    (struct compat_msghdr __user *)msg;
@@ -2097,6 +2097,8 @@ static int ___sys_sendmsg(struct socket
 			memcpy(&used_address->name, msg_sys->msg_name,
 			       used_address->name_len);
 	}
+	if (residue && err >= 0)
+		*residue = total_len - err;
 
 out_freectl:
 	if (ctl_buf != ctl)
@@ -2122,7 +2124,7 @@ long __sys_sendmsg(int fd, struct msghdr
 	if (!sock)
 		goto out;
 
-	err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+	err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL, NULL);
 
 	fput_light(sock->file, fput_needed);
 out:
@@ -2149,6 +2151,7 @@ int __sys_sendmmsg(int fd, struct mmsghd
 	struct compat_mmsghdr __user *compat_entry;
 	struct msghdr msg_sys;
 	struct used_address used_address;
+	int residue;
 
 	if (vlen > UIO_MAXIOV)
 		vlen = UIO_MAXIOV;
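
Review bot: `int residue;` in __sys_sendmmsg() is left uninitialised, and ___sys_sendmsg() writes through the pointer only on the `err >= 0` path that reaches the new assignment before out_freectl. The loop reads it in `if (residue) break;`, so initialise it to 0 at the declaration (or at the top of each iteration) rather than relying on every successful return having passed that assignment. The new out-parameter also deserves a one-line comment on ___sys_sendmsg() saying that it may be NULL and holds the unsent byte count.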
@@ -2167,7 +2170,8 @@ int __sys_sendmmsg(int fd, struct mmsghd
 	while (datagrams < vlen) {
 		if (MSG_CMSG_COMPAT & flags) {
 			err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
-					     &msg_sys, flags, &used_address);
+					     &msg_sys, flags, &used_address,
+					     &residue);
 			if (err < 0)
 				break;
 			err = __put_user(err, &compat_entry->msg_len);
@@ -2175,7 +2179,8 @@ int __sys_sendmmsg(int fd, struct mmsghd
 		} else {
 			err = ___sys_sendmsg(sock,
 					     (struct msghdr __user *)entry,
-					     &msg_sys, flags, &used_address);
+					     &msg_sys, flags, &used_address,
+					     &residue);
 			if (err < 0)
 				break;
 			err = put_user(err, &entry->msg_len);
@@ -2185,6 +2190,8 @@ int __sys_sendmmsg(int fd, struct mmsghd
 		if (err)
 			break;
 		++datagrams;
+		if (residue)
+			break;
 	}
 
 	fput_light(sock->file, fput_needed);

* [PATCH 3.16 342/370] net/dccp: fix use-after-free in dccp_invalid_packet
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David S. Miller, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 648f0c28df282636c0c8a7a19ca3ce5fc80a39c3 ]

pskb_may_pull() can reallocate skb->head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ipv4.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -743,6 +743,7 @@ int dccp_invalid_packet(struct sk_buff *
 {
 	const struct dccp_hdr *dh;
 	unsigned int cscov;
+	u8 dccph_doff;
 
 	if (skb->pkt_type != PACKET_HOST)
 		return 1;
@@ -764,18 +765,19 @@ int dccp_invalid_packet(struct sk_buff *
 	/*
 	 * If P.Data Offset is too small for packet type, drop packet and return
 	 */
-	if (dh->dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
-		DCCP_WARN("P.Data Offset(%u) too small\n", dh->dccph_doff);
+	dccph_doff = dh->dccph_doff;
+	if (dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
+		DCCP_WARN("P.Data Offset(%u) too small\n", dccph_doff);
 		return 1;
 	}
 	/*
 	 * If P.Data Offset is too too large for packet, drop packet and return
 	 */
-	if (!pskb_may_pull(skb, dh->dccph_doff * sizeof(u32))) {
-		DCCP_WARN("P.Data Offset(%u) too large\n", dh->dccph_doff);
+	if (!pskb_may_pull(skb, dccph_doff * sizeof(u32))) {
+		DCCP_WARN("P.Data Offset(%u) too large\n", dccph_doff);
 		return 1;
 	}
-
+	dh = dccp_hdr(skb);
 	/*
 	 * If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet
 	 * has short sequence numbers), drop packet and return
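Review bot: the reload `dh = dccp_hdr(skb);` after the second `pskb_may_pull()` replaces the blank line that separated this block from the next comment and has no comment of its own. A short note that `pskb_may_pull()` may have moved `skb->head` would keep a later edit from dropping the reload or from adding a new `dh->` use between the pull and the reload.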

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 367/370] kvm: fix page struct leak in handle_vmon
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paolo Bonzini, Dmitry Vyukov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 06ce521af9558814b8606c0476c54497cf83a653 upstream.

handle_vmon gets a reference on VMXON region page,
but does not release it. Release the reference.

Found by syzkaller; based on a patch by Dmitry.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: use skip_emulated_instruction()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5954,14 +5954,20 @@ static int nested_vmx_check_vmptr(struct
 		}
 
 		page = nested_get_page(vcpu, vmptr);
-		if (page == NULL ||
-		    *(u32 *)kmap(page) != VMCS12_REVISION) {
+		if (page == NULL) {
 			nested_vmx_failInvalid(vcpu);
+			skip_emulated_instruction(vcpu);
+			return 1;
+		}
+		if (*(u32 *)kmap(page) != VMCS12_REVISION) {
 			kunmap(page);
+			nested_release_page_clean(page);
+			nested_vmx_failInvalid(vcpu);
 			skip_emulated_instruction(vcpu);
 			return 1;
 		}
 		kunmap(page);
+		nested_release_page_clean(page);
 		vmx->nested.vmxon_ptr = vmptr;
 		break;
 	case EXIT_REASON_VMCLEAR:
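Review bot: the failure sequence `nested_vmx_failInvalid(vcpu); skip_emulated_instruction(vcpu); return 1;` now appears twice, and `kunmap(page); nested_release_page_clean(page);` appears on both the mismatch path and the success path. Reading the revision word into a local, then unmapping and releasing once before the comparison, would leave a single release point and make it harder for a future exit path to leak the page reference again.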

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 344/370] ipv6: handle -EFAULT from skb_copy_bits
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dave Jones

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Jones <davej@codemonkey.org.uk>

[ Upstream commit a98f91758995cb59611e61318dddd8a6956b52c3 ]

By setting certain socket options on ipv6 raw sockets, we can confuse the
length calculation in rawv6_push_pending_frames triggering a BUG_ON.

RIP: 0010:[<ffffffff817c6390>] [<ffffffff817c6390>] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:ffff881f6c4a7c18  EFLAGS: 00010282
RAX: 00000000fffffff2 RBX: ffff881f6c681680 RCX: 0000000000000002
RDX: ffff881f6c4a7cf8 RSI: 0000000000000030 RDI: ffff881fed0f6a00
RBP: ffff881f6c4a7da8 R08: 0000000000000000 R09: 0000000000000009
R10: ffff881fed0f6a00 R11: 0000000000000009 R12: 0000000000000030
R13: ffff881fed0f6a00 R14: ffff881fee39ba00 R15: ffff881fefa93a80

Call Trace:
 [<ffffffff8118ba23>] ? unmap_page_range+0x693/0x830
 [<ffffffff81772697>] inet_sendmsg+0x67/0xa0
 [<ffffffff816d93f8>] sock_sendmsg+0x38/0x50
 [<ffffffff816d982f>] SYSC_sendto+0xef/0x170
 [<ffffffff816da27e>] SyS_sendto+0xe/0x10
 [<ffffffff81002910>] do_syscall_64+0x50/0xa0
 [<ffffffff817f7cbc>] entry_SYSCALL64_slow_path+0x25/0x25

Handle by jumping to the failure path if skb_copy_bits gets an EFAULT.

Reproducer:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define LEN 504

int main(int argc, char* argv[])
{
	int fd;
	int zero = 0;
	char buf[LEN];

	memset(buf, 0, LEN);

	fd = socket(AF_INET6, SOCK_RAW, 7);

	setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
	setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);

	sendto(fd, buf, 1, 0, (struct sockaddr *) buf, 110);
}

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -588,8 +588,11 @@ static int rawv6_push_pending_frames(str
 	}
 
 	offset += skb_transport_offset(skb);
-	if (skb_copy_bits(skb, offset, &csum, 2))
-		BUG();
+	err = skb_copy_bits(skb, offset, &csum, 2);
+	if (err < 0) {
+		ip6_flush_pending_frames(sk);
+		goto out;
+	}
 
 	/* in case cksum was not initialized */
 	if (unlikely(csum))
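Review bot: the test narrows from any nonzero return of `skb_copy_bits()` to `err < 0`; if the function only ever returns 0 or a negative errno the two are equivalent, but plain `if (err)` would keep the coverage the removed `BUG()` had. A comment above the call noting that this failure is reachable from socket options, as the reproducer in the commit message shows, would explain why the pending frames are flushed here rather than treated as an internal invariant.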

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 313/370] sch_htb: update backlog as well
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, WANG Cong, David S. Miller, Jamal Hadi Salim

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit 431e3a8e36a05a37126f34b41aa3a5a6456af04e ]

We saw qlen!=0 but backlog==0 on our production machine:

qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 1 direct_packets_stat 0 ver 3.17
 Sent 172680457356 bytes 222469449 pkt (dropped 0, overlimits 123575834 requeues 0)
 backlog 0b 72p requeues 0

The problem is we only count qlen for HTB qdisc but not backlog.
We need to update backlog too when we update qlen, so that we
can at least know the average packet length.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: open-code qdisc_qstats_backlog_{inc,dec}()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_htb.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -600,6 +600,7 @@ static int htb_enqueue(struct sk_buff *s
 		htb_activate(q, cl);
 	}
 
+	sch->qstats.backlog += qdisc_pkt_len(skb);
 	sch->q.qlen++;
 	return NET_XMIT_SUCCESS;
 }
@@ -889,6 +890,7 @@ static struct sk_buff *htb_dequeue(struc
 ok:
 		qdisc_bstats_update(sch, skb);
 		qdisc_unthrottled(sch);
+		sch->qstats.backlog -= qdisc_pkt_len(skb);
 		sch->q.qlen--;
 		return skb;
 	}
@@ -955,6 +957,7 @@ static unsigned int htb_drop(struct Qdis
 			unsigned int len;
 			if (cl->un.leaf.q->ops->drop &&
 			    (len = cl->un.leaf.q->ops->drop(cl->un.leaf.q))) {
+				sch->qstats.backlog -= len;
 				sch->q.qlen--;
 				if (!cl->un.leaf.q->q.qlen)
 					htb_deactivate(q, cl);
@@ -984,12 +987,12 @@ static void htb_reset(struct Qdisc *sch)
 			}
 			cl->prio_activity = 0;
 			cl->cmode = HTB_CAN_SEND;
-
 		}
 	}
 	qdisc_watchdog_cancel(&q->watchdog);
 	__skb_queue_purge(&q->direct_queue);
 	sch->q.qlen = 0;
+	sch->qstats.backlog = 0;
 	memset(q->hlevel, 0, sizeof(q->hlevel));
 	memset(q->row_mask, 0, sizeof(q->row_mask));
 	for (i = 0; i < TC_HTB_NUMPRIO; i++)
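Review bot: the first change in this hunk deletes the blank line after `cl->cmode = HTB_CAN_SEND;`, a whitespace cleanup unrelated to backlog accounting. Leaving it out would reduce the hunk to the one functional line, `sch->qstats.backlog = 0;`, which is easier to audit in a stable backport.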

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 343/370] netvsc: reduce maximum GSO size
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, stephen hemminger, Stephen Hemminger, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: stephen hemminger <stephen@networkplumber.org>

[ Upstream commit a50af86dd49ee1851d1ccf06dd0019c05b95e297 ]

Hyper-V (and Azure) support using NVGRE which requires some extra space
for encapsulation headers. Because of this the largest allowed TSO
packet is reduced.

For older releases, hard code a fixed reduced value.  For next release,
there is a better solution which uses result of host offload
negotiation.

Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/hyperv/netvsc_drv.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -47,6 +47,9 @@ struct net_device_context {
 	struct work_struct work;
 };
 
+/* Restrict GSO size to account for NVGRE */
+#define NETVSC_GSO_MAX_SIZE	62768
+
 #define RING_SIZE_MIN 64
 static int ring_size = 128;
 module_param(ring_size, int, S_IRUGO);
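Review bot: `NETVSC_GSO_MAX_SIZE 62768` is a bare magic number; the comment says it accounts for NVGRE but not how the value was chosen. Stating the derivation in the comment (which default it is reduced from and how many bytes of encapsulation headroom that leaves) would let a reader check the figure instead of trusting it.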
@@ -839,6 +842,7 @@ static int netvsc_probe(struct hv_device
 	nvdev = hv_get_drvdata(dev);
 	netif_set_real_num_tx_queues(net, nvdev->num_chn);
 	netif_set_real_num_rx_queues(net, nvdev->num_chn);
+	netif_set_gso_max_size(net, NETVSC_GSO_MAX_SIZE);
 
 	ret = register_netdev(net);
 	if (ret != 0) {

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 329/370] net: Add netdev all_adj_list refcnt propagation to fix panic
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Andrew Collins

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Collins <acollins@cradlepoint.com>

[ Upstream commit 93409033ae653f1c9a949202fb537ab095b2092f ]

This is a respin of a patch to fix a relatively easily reproducible kernel
panic related to the all_adj_list handling for netdevs in recent kernels.

The following sequence of commands will reproduce the issue:

ip link add link eth0 name eth0.100 type vlan id 100
ip link add link eth0 name eth0.200 type vlan id 200
ip link add name testbr type bridge
ip link set eth0.100 master testbr
ip link set eth0.200 master testbr
ip link add link testbr mac0 type macvlan
ip link delete dev testbr

This creates an upper/lower tree of (excuse the poor ASCII art):

            /---eth0.100-eth0
mac0-testbr-
            \---eth0.200-eth0

When testbr is deleted, the all_adj_lists are walked, and eth0 is deleted twice from
the mac0 list. Unfortunately, during setup in __netdev_upper_dev_link, only one
reference to eth0 is added, so this results in a panic.

This change adds reference count propagation so things are handled properly.

Matthias Schiffer reported a similar crash in batman-adv:

https://github.com/freifunk-gluon/gluon/issues/680
https://www.open-mesh.org/issues/247

which this patch also seems to resolve.

Signed-off-by: Andrew Collins <acollins@cradlepoint.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 68 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 37 insertions(+), 31 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4812,6 +4812,7 @@ static inline bool netdev_adjacent_is_ne
 
 static int __netdev_adjacent_dev_insert(struct net_device *dev,
 					struct net_device *adj_dev,
+					u16 ref_nr,
 					struct list_head *dev_list,
 					void *private, bool master)
 {
@@ -4821,7 +4822,7 @@ static int __netdev_adjacent_dev_insert(
 	adj = __netdev_find_adj(dev, adj_dev, dev_list);
 
 	if (adj) {
-		adj->ref_nr++;
+		adj->ref_nr += ref_nr;
 		return 0;
 	}
 
@@ -4831,7 +4832,7 @@ static int __netdev_adjacent_dev_insert(
 
 	adj->dev = adj_dev;
 	adj->master = master;
-	adj->ref_nr = 1;
+	adj->ref_nr = ref_nr;
 	adj->private = private;
 	dev_hold(adj_dev);
 
@@ -4870,6 +4871,7 @@ free_adj:
 
 static void __netdev_adjacent_dev_remove(struct net_device *dev,
 					 struct net_device *adj_dev,
+					 u16 ref_nr,
 					 struct list_head *dev_list)
 {
 	struct netdev_adjacent *adj;
@@ -4882,10 +4884,10 @@ static void __netdev_adjacent_dev_remove
 		BUG();
 	}
 
-	if (adj->ref_nr > 1) {
-		pr_debug("%s to %s ref_nr-- = %d\n", dev->name, adj_dev->name,
-			 adj->ref_nr-1);
-		adj->ref_nr--;
+	if (adj->ref_nr > ref_nr) {
+		pr_debug("%s to %s ref_nr-%d = %d\n", dev->name, adj_dev->name,
+			 ref_nr, adj->ref_nr-ref_nr);
+		adj->ref_nr -= ref_nr;
 		return;
 	}
 
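Review bot: with a caller-supplied count, `if (adj->ref_nr > ref_nr)` treats a `ref_nr` larger than `adj->ref_nr` the same as an exact match and falls through to delete the entry, so an over-release is silent. A `WARN_ON(adj->ref_nr < ref_nr)` before the comparison would surface a propagation mismatch where it happens instead of at a later `BUG()` on a missing entry.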
@@ -4904,21 +4906,22 @@ static void __netdev_adjacent_dev_remove
 
 static int __netdev_adjacent_dev_link_lists(struct net_device *dev,
 					    struct net_device *upper_dev,
+					    u16 ref_nr,
 					    struct list_head *up_list,
 					    struct list_head *down_list,
 					    void *private, bool master)
 {
 	int ret;
 
-	ret = __netdev_adjacent_dev_insert(dev, upper_dev, up_list, private,
-					   master);
+	ret = __netdev_adjacent_dev_insert(dev, upper_dev, ref_nr, up_list,
+					   private, master);
 	if (ret)
 		return ret;
 
-	ret = __netdev_adjacent_dev_insert(upper_dev, dev, down_list, private,
-					   false);
+	ret = __netdev_adjacent_dev_insert(upper_dev, dev, ref_nr, down_list,
+					   private, false);
 	if (ret) {
-		__netdev_adjacent_dev_remove(dev, upper_dev, up_list);
+		__netdev_adjacent_dev_remove(dev, upper_dev, ref_nr, up_list);
 		return ret;
 	}
 
@@ -4926,9 +4929,10 @@ static int __netdev_adjacent_dev_link_li
 }
 
 static int __netdev_adjacent_dev_link(struct net_device *dev,
-				      struct net_device *upper_dev)
+				      struct net_device *upper_dev,
+				      u16 ref_nr)
 {
-	return __netdev_adjacent_dev_link_lists(dev, upper_dev,
+	return __netdev_adjacent_dev_link_lists(dev, upper_dev, ref_nr,
 						&dev->all_adj_list.upper,
 						&upper_dev->all_adj_list.lower,
 						NULL, false);
@@ -4936,17 +4940,19 @@ static int __netdev_adjacent_dev_link(st
 
 static void __netdev_adjacent_dev_unlink_lists(struct net_device *dev,
 					       struct net_device *upper_dev,
+					       u16 ref_nr,
 					       struct list_head *up_list,
 					       struct list_head *down_list)
 {
-	__netdev_adjacent_dev_remove(dev, upper_dev, up_list);
-	__netdev_adjacent_dev_remove(upper_dev, dev, down_list);
+	__netdev_adjacent_dev_remove(dev, upper_dev, ref_nr, up_list);
+	__netdev_adjacent_dev_remove(upper_dev, dev, ref_nr, down_list);
 }
 
 static void __netdev_adjacent_dev_unlink(struct net_device *dev,
-					 struct net_device *upper_dev)
+					 struct net_device *upper_dev,
+					 u16 ref_nr)
 {
-	__netdev_adjacent_dev_unlink_lists(dev, upper_dev,
+	__netdev_adjacent_dev_unlink_lists(dev, upper_dev, ref_nr,
 					   &dev->all_adj_list.upper,
 					   &upper_dev->all_adj_list.lower);
 }
@@ -4955,17 +4961,17 @@ static int __netdev_adjacent_dev_link_ne
 						struct net_device *upper_dev,
 						void *private, bool master)
 {
-	int ret = __netdev_adjacent_dev_link(dev, upper_dev);
+	int ret = __netdev_adjacent_dev_link(dev, upper_dev, 1);
 
 	if (ret)
 		return ret;
 
-	ret = __netdev_adjacent_dev_link_lists(dev, upper_dev,
+	ret = __netdev_adjacent_dev_link_lists(dev, upper_dev, 1,
 					       &dev->adj_list.upper,
 					       &upper_dev->adj_list.lower,
 					       private, master);
 	if (ret) {
-		__netdev_adjacent_dev_unlink(dev, upper_dev);
+		__netdev_adjacent_dev_unlink(dev, upper_dev, 1);
 		return ret;
 	}
 
@@ -4975,8 +4981,8 @@ static int __netdev_adjacent_dev_link_ne
 static void __netdev_adjacent_dev_unlink_neighbour(struct net_device *dev,
 						   struct net_device *upper_dev)
 {
-	__netdev_adjacent_dev_unlink(dev, upper_dev);
-	__netdev_adjacent_dev_unlink_lists(dev, upper_dev,
+	__netdev_adjacent_dev_unlink(dev, upper_dev, 1);
+	__netdev_adjacent_dev_unlink_lists(dev, upper_dev, 1,
 					   &dev->adj_list.upper,
 					   &upper_dev->adj_list.lower);
 }
@@ -5017,7 +5023,7 @@ static int __netdev_upper_dev_link(struc
 		list_for_each_entry(j, &upper_dev->all_adj_list.upper, list) {
 			pr_debug("Interlinking %s with %s, non-neighbour\n",
 				 i->dev->name, j->dev->name);
-			ret = __netdev_adjacent_dev_link(i->dev, j->dev);
+			ret = __netdev_adjacent_dev_link(i->dev, j->dev, i->ref_nr);
 			if (ret)
 				goto rollback_mesh;
 		}
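Review bot: in the non-neighbour loop the count passed is `i->ref_nr` alone, while `j` walks `upper_dev->all_adj_list.upper` and its `ref_nr` is never used. If `j->dev` can be reached from `upper_dev` by more than one path, the number of paths from `i->dev` to `j->dev` exceeds `i->ref_nr`; either combine both counts or add a comment explaining why the lower side's count is sufficient. The rollback and unlink loops later in the patch make the same choice, so link and unlink at least stay symmetric.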
@@ -5027,7 +5033,7 @@ static int __netdev_upper_dev_link(struc
 	list_for_each_entry(i, &upper_dev->all_adj_list.upper, list) {
 		pr_debug("linking %s's upper device %s with %s\n",
 			 upper_dev->name, i->dev->name, dev->name);
-		ret = __netdev_adjacent_dev_link(dev, i->dev);
+		ret = __netdev_adjacent_dev_link(dev, i->dev, i->ref_nr);
 		if (ret)
 			goto rollback_upper_mesh;
 	}
@@ -5036,7 +5042,7 @@ static int __netdev_upper_dev_link(struc
 	list_for_each_entry(i, &dev->all_adj_list.lower, list) {
 		pr_debug("linking %s's lower device %s with %s\n", dev->name,
 			 i->dev->name, upper_dev->name);
-		ret = __netdev_adjacent_dev_link(i->dev, upper_dev);
+		ret = __netdev_adjacent_dev_link(i->dev, upper_dev, i->ref_nr);
 		if (ret)
 			goto rollback_lower_mesh;
 	}
@@ -5049,7 +5055,7 @@ rollback_lower_mesh:
 	list_for_each_entry(i, &dev->all_adj_list.lower, list) {
 		if (i == to_i)
 			break;
-		__netdev_adjacent_dev_unlink(i->dev, upper_dev);
+		__netdev_adjacent_dev_unlink(i->dev, upper_dev, i->ref_nr);
 	}
 
 	i = NULL;
@@ -5059,7 +5065,7 @@ rollback_upper_mesh:
 	list_for_each_entry(i, &upper_dev->all_adj_list.upper, list) {
 		if (i == to_i)
 			break;
-		__netdev_adjacent_dev_unlink(dev, i->dev);
+		__netdev_adjacent_dev_unlink(dev, i->dev, i->ref_nr);
 	}
 
 	i = j = NULL;
@@ -5071,7 +5077,7 @@ rollback_mesh:
 		list_for_each_entry(j, &upper_dev->all_adj_list.upper, list) {
 			if (i == to_i && j == to_j)
 				break;
-			__netdev_adjacent_dev_unlink(i->dev, j->dev);
+			__netdev_adjacent_dev_unlink(i->dev, j->dev, i->ref_nr);
 		}
 		if (i == to_i)
 			break;
@@ -5147,16 +5153,16 @@ void netdev_upper_dev_unlink(struct net_
 	 */
 	list_for_each_entry(i, &dev->all_adj_list.lower, list)
 		list_for_each_entry(j, &upper_dev->all_adj_list.upper, list)
-			__netdev_adjacent_dev_unlink(i->dev, j->dev);
+			__netdev_adjacent_dev_unlink(i->dev, j->dev, i->ref_nr);
 
 	/* remove also the devices itself from lower/upper device
 	 * list
 	 */
 	list_for_each_entry(i, &dev->all_adj_list.lower, list)
-		__netdev_adjacent_dev_unlink(i->dev, upper_dev);
+		__netdev_adjacent_dev_unlink(i->dev, upper_dev, i->ref_nr);
 
 	list_for_each_entry(i, &upper_dev->all_adj_list.upper, list)
-		__netdev_adjacent_dev_unlink(dev, i->dev);
+		__netdev_adjacent_dev_unlink(dev, i->dev, i->ref_nr);
 
 	call_netdevice_notifiers(NETDEV_CHANGEUPPER, dev);
 }

^ permalink raw reply	[flat|nested] 390+ messages in thread
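
The reference counting described in the commit message above, as an added userspace model (not code from the patch or the kernel). `adj[lower][upper]` is a hypothetical stand-in for `ref_nr` in the all_adj_list entries, and the teardown order, both ports being unlinked from testbr, is an assumption about what deleting the bridge does.

```c
#include <stdio.h>
#include <string.h>

enum { ETH0, VLAN100, VLAN200, TESTBR, MAC0, NDEV };

/* Model, not kernel code: adj[lo][up] is the ref_nr of the all_adj_list
 * entry linking device 'lo' to a device 'up' somewhere above it. */
struct topo {
	unsigned int adj[NDEV][NDEV];
	int propagate;	/* 1: pass ref_nr along as the patch does, 0: always 1 */
	int missing;	/* removals of an absent entry (the kernel hits BUG()) */
};

typedef void (*adj_op)(struct topo *t, int lo, int up, unsigned int n);

static void adj_insert(struct topo *t, int lo, int up, unsigned int n)
{
	t->adj[lo][up] += n;
}

static void adj_remove(struct topo *t, int lo, int up, unsigned int n)
{
	if (!t->adj[lo][up])
		t->missing++;
	else if (t->adj[lo][up] > n)
		t->adj[lo][up] -= n;
	else
		t->adj[lo][up] = 0;	/* last reference: entry is deleted */
}

/* The walk shared by link and unlink: the neighbour pair first, then every
 * lower device of 'dev' against every upper device of 'upper', then each
 * side against the other end. */
static void walk(struct topo *t, int dev, int upper, adj_op op)
{
	int i, j;

	op(t, dev, upper, 1);
	for (i = 0; i < NDEV; i++) {
		unsigned int n = t->adj[i][dev];

		if (!n)
			continue;
		for (j = 0; j < NDEV; j++)
			if (t->adj[upper][j])
				op(t, i, j, t->propagate ? n : 1);
		op(t, i, upper, t->propagate ? n : 1);
	}
	for (j = 0; j < NDEV; j++)
		if (t->adj[upper][j])
			op(t, dev, j, t->propagate ? t->adj[upper][j] : 1);
}

/* Replays the commands from the commit message, then releases both ports
 * from testbr (assumed teardown order). Returns the number of removals
 * that found no entry; *eth0_mac0 receives the count eth0 held on mac0
 * once the topology was built. */
int simulate(int propagate, unsigned int *eth0_mac0)
{
	struct topo t;

	memset(&t, 0, sizeof(t));
	t.propagate = propagate;
	walk(&t, ETH0, VLAN100, adj_insert);	/* add eth0.100 on eth0 */
	walk(&t, ETH0, VLAN200, adj_insert);	/* add eth0.200 on eth0 */
	walk(&t, VLAN100, TESTBR, adj_insert);	/* eth0.100 master testbr */
	walk(&t, VLAN200, TESTBR, adj_insert);	/* eth0.200 master testbr */
	walk(&t, TESTBR, MAC0, adj_insert);	/* mac0 on testbr */
	*eth0_mac0 = t.adj[ETH0][MAC0];
	walk(&t, VLAN100, TESTBR, adj_remove);
	walk(&t, VLAN200, TESTBR, adj_remove);
	return t.missing;
}

int main(void)
{
	unsigned int refs;
	int missing;

	missing = simulate(0, &refs);
	printf("no propagation: eth0->mac0 ref_nr=%u, missing=%d\n", refs, missing);
	missing = simulate(1, &refs);
	printf("propagation:    eth0->mac0 ref_nr=%u, missing=%d\n", refs, missing);
	return 0;
}
```

Without propagation eth0 holds one reference on mac0 although two paths lead there, so the second port's unlink finds the entry already gone; with propagation the count matches the path count and both removals succeed.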

* [PATCH 3.16 366/370] Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Wheeler

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

This reverts commit a79ed0ed3763b3558b74e7d65fdd8c0215b5b6a2, which was
commit 9dbe6cf941a6fe82933aef565e4095fb10f65023 upstream.  It depends on
several other large commits to work, and without them causes a regression.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1408333
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Eric Wheeler <kvm@lists.ewheeler.net>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -892,7 +892,7 @@ static u32 msrs_to_save[] = {
 	MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
 #endif
 	MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
-	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
+	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS
 };
 
 static unsigned num_msrs_to_save;
@@ -3994,17 +3994,16 @@ static void kvm_init_msr_list(void)
 
 		/*
 		 * Even MSRs that are valid in the host may not be exposed
-		 * to the guests in some cases.
+		 * to the guests in some cases.  We could work around this
+		 * in VMX with the generic MSR save/load machinery, but it
+		 * is not really worthwhile since it will really only
+		 * happen with nested virtualization.
 		 */
 		switch (msrs_to_save[i]) {
 		case MSR_IA32_BNDCFGS:
 			if (!kvm_x86_ops->mpx_supported())
 				continue;
 			break;
-		case MSR_TSC_AUX:
-			if (!kvm_x86_ops->rdtscp_supported())
-				continue;
-			break;
 		default:
 			break;
 		}

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 355/370] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 63117f09c768be05a0bf465911297dc76394f686 ]

Casting is a high precedence operation but "off" and "i" are in terms of
bytes so we need to have some parentheses here.

Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_tunnel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -443,7 +443,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
 				if (i + sizeof(*tel) > optlen)
 					break;
 
-				tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
+				tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
 				/* return index of option if found and valid */
 				if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
 				    tel->length == 1)

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 354/370] ipv6: fix ip6_tnl_parse_tlv_enc_lim()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, Willem de Bruijn, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]

This function suffers from multiple issues.

First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.

Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access nonexistent memory.

With help from Willem de Bruijn.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov  <dvyukov@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_tunnel.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -402,18 +402,19 @@ ip6_tnl_dev_uninit(struct net_device *de
 
 __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
 {
-	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
-	__u8 nexthdr = ipv6h->nexthdr;
-	__u16 off = sizeof (*ipv6h);
+	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+	unsigned int nhoff = raw - skb->data;
+	unsigned int off = nhoff + sizeof(*ipv6h);
+	u8 next, nexthdr = ipv6h->nexthdr;
 
 	while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
-		__u16 optlen = 0;
 		struct ipv6_opt_hdr *hdr;
-		if (raw + off + sizeof (*hdr) > skb->data &&
-		    !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
+		u16 optlen;
+
+		if (!pskb_may_pull(skb, off + sizeof(*hdr)))
 			break;
 
-		hdr = (struct ipv6_opt_hdr *) (raw + off);
+		hdr = (struct ipv6_opt_hdr *)(skb->data + off);
 		if (nexthdr == NEXTHDR_FRAGMENT) {
 			struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
 			if (frag_hdr->frag_off)
@@ -424,20 +425,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
 		} else {
 			optlen = ipv6_optlen(hdr);
 		}
+		/* cache hdr->nexthdr, since pskb_may_pull() might
+		 * invalidate hdr
+		 */
+		next = hdr->nexthdr;
 		if (nexthdr == NEXTHDR_DEST) {
-			__u16 i = off + 2;
+			u16 i = 2;
+
+			/* Remember : hdr is no longer valid at this point. */
+			if (!pskb_may_pull(skb, off + optlen))
+				break;
+
 			while (1) {
 				struct ipv6_tlv_tnl_enc_lim *tel;
 
 				/* No more room for encapsulation limit */
-				if (i + sizeof (*tel) > off + optlen)
+				if (i + sizeof(*tel) > optlen)
 					break;
 
-				tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
+				tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
 				/* return index of option if found and valid */
 				if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
 				    tel->length == 1)
-					return i;
+					return i + off - nhoff;
 				/* else jump to next option */
 				if (tel->type)
 					i += tel->length + 2;
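Review bot: in `tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;` the cast binds to `skb->data` alone, so `off + i` is scaled by `sizeof(*tel)` instead of being a byte offset, and `tel` lands outside the range the preceding `pskb_may_pull(skb, off + optlen)` validated. Parenthesize the sum before casting: `(struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i)`.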
@@ -445,7 +455,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
 					i++;
 			}
 		}
-		nexthdr = hdr->nexthdr;
+		nexthdr = next;
 		off += optlen;
 	}
 	return 0;

^ permalink raw reply	[flat|nested] 390+ messages in thread
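
The reload-after-pull pattern that the ip6_tnl_parse_tlv_enc_lim() patch above and the dccp_invalid_packet() patch earlier in this thread both apply, as an added userspace example that is not kernel code and not taken from either patch. `struct pkt`, `pkt_pull()` and `parse_enc_lim()` are hypothetical stand-ins for the skb, pskb_may_pull() and the tunnel option parser; the packet bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { IPV6_HDR_LEN = 40, NEXTHDR_DEST = 60, NEXTHDR_TCP = 6 };
enum { TLV_PADN = 1, TLV_ENCAP_LIMIT = 4, TEL_SIZE = 3, MAX_RETIRED = 8 };

/* Model of an skb (not kernel code): data may move on every pull. */
struct pkt {
	uint8_t *data;
	size_t len;
	uint8_t *retired[MAX_RETIRED];	/* poisoned old buffers */
	int nretired;
};

/* Model of pskb_may_pull(): fails if fewer than n bytes exist, else moves
 * the buffer. The old copy is filled with 0xDD and kept until pkt_free(),
 * so a read through a stale pointer is deterministic and memory-safe. */
static int pkt_pull(struct pkt *p, size_t n)
{
	uint8_t *nb;

	if (n > p->len)
		return 0;
	if (p->nretired == MAX_RETIRED)
		return 1;	/* model limit: stop moving the buffer */
	nb = malloc(p->len);
	if (!nb)
		return 0;
	memcpy(nb, p->data, p->len);
	memset(p->data, 0xDD, p->len);
	p->retired[p->nretired++] = p->data;
	p->data = nb;
	return 1;
}

static void pkt_free(struct pkt *p)
{
	while (p->nretired > 0)
		free(p->retired[--p->nretired]);
	free(p->data);
}

/* Returns the byte index of a valid encapsulation limit option, 0 if none.
 * reload=1 re-reads p->data after each pull (the fixed pattern); reload=0
 * keeps using the pointer taken on entry (the pattern the patches remove). */
unsigned int parse_enc_lim(struct pkt *p, int reload)
{
	const uint8_t *cached = p->data, *b;
	size_t off = IPV6_HDR_LEN, optlen, i;
	uint8_t nexthdr, next;

	if (p->len < IPV6_HDR_LEN)
		return 0;
	nexthdr = p->data[6];	/* Next Header field of the IPv6 header */
	while (nexthdr == NEXTHDR_DEST) {
		if (!pkt_pull(p, off + 2))
			break;
		b = reload ? p->data : cached;
		optlen = ((size_t)b[off + 1] + 1) << 3;
		next = b[off];	/* cache: the next pull invalidates b */
		if (!pkt_pull(p, off + optlen))
			break;	/* header claims more than the packet holds */
		b = reload ? p->data : cached;
		for (i = 2; i + TEL_SIZE <= optlen; ) {
			const uint8_t *tel = b + off + i;	/* byte offset */

			if (tel[0] == TLV_ENCAP_LIMIT && tel[1] == 1)
				return (unsigned int)(off + i);
			i += tel[0] ? (size_t)tel[1] + 2 : 1;
		}
		nexthdr = next;
		off += optlen;
	}
	return 0;
}

/* Constructed sample: IPv6 header plus an 8-byte destination options header
 * (PadN, then encapsulation limit 4). hdr_ext_len 0 is correct; 1 claims
 * 16 bytes of options that the packet does not contain. */
int run_sample(int reload, uint8_t hdr_ext_len)
{
	static const uint8_t opts[8] = { NEXTHDR_TCP, 0, TLV_PADN, 1, 0,
					 TLV_ENCAP_LIMIT, 1, 4 };
	struct pkt p = { .len = IPV6_HDR_LEN + sizeof(opts) };
	unsigned int idx;

	p.data = calloc(1, p.len);
	if (!p.data)
		return -1;
	p.data[6] = NEXTHDR_DEST;
	memcpy(p.data + IPV6_HDR_LEN, opts, sizeof(opts));
	p.data[IPV6_HDR_LEN + 1] = hdr_ext_len;
	idx = parse_enc_lim(&p, reload);
	pkt_free(&p);
	return (int)idx;
}

int main(void)
{
	return run_sample(1, 0) == 45 ? 0 : 1;
}
```

With the stale pointer the parser reads the poison byte as the header length and gives up, so the option at byte 45 is missed; in the kernel the same read would touch freed memory.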

* [PATCH 3.16 352/370] net: socket: fix recvmmsg not returning error from sock_error
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Maxime Jayat

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Jayat <maxime.jayat@mobile-devices.fr>

[ Upstream commit e623a9e9dec29ae811d11f83d0074ba254aba374 ]

Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
changed the exit path of recvmmsg to always return the datagrams
variable and modified the error paths to set the variable to the error
code returned by recvmsg if necessary.

However in the case sock_error returned an error, the error code was
then ignored, and recvmmsg returned 0.

Change the error path of recvmmsg to correctly return the error code
of sock_error.

The bug was triggered by using recvmmsg on a CAN interface which was
not up. Linux 4.6 and later return 0 in this case while earlier
releases returned -ENETDOWN.

Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/socket.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/socket.c
+++ b/net/socket.c
@@ -2356,8 +2356,10 @@ int __sys_recvmmsg(int fd, struct mmsghd
 		return err;
 
 	err = sock_error(sock->sk);
-	if (err)
+	if (err) {
+		datagrams = err;
 		goto out_put;
+	}
 
 	entry = mmsg;
 	compat_entry = (struct compat_mmsghdr __user *)mmsg;
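
Review bot: The new `datagrams = err;` in the sock_error() branch only has an effect if the code at `out_put` returns `datagrams`, which this hunk does not show, while the `return err;` two lines above it hands the error back directly. A one-line comment at the assignment saying that the exit path returns `datagrams` would document the dependency on 34b88a68f26a, and the backport should be checked against a 3.16 tree that actually carries that commit.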

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 347/370] igmp: Make igmp group member RFC 3376 compliant
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michal Tesar, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Tesar <mtesar@redhat.com>

[ Upstream commit 7ababb782690e03b78657e27bd051e20163af2d6 ]

5.2. Action on Reception of a Query

 When a system receives a Query, it does not respond immediately.
 Instead, it delays its response by a random amount of time, bounded
 by the Max Resp Time value derived from the Max Resp Code in the
 received Query message.  A system may receive a variety of Queries on
 different interfaces and of different kinds (e.g., General Queries,
 Group-Specific Queries, and Group-and-Source-Specific Queries), each
 of which may require its own delayed response.

 Before scheduling a response to a Query, the system must first
 consider previously scheduled pending responses and in many cases
 schedule a combined response.  Therefore, the system must be able to
 maintain the following state:

 o A timer per interface for scheduling responses to General Queries.

 o A per-group and interface timer for scheduling responses to Group-
   Specific and Group-and-Source-Specific Queries.

 o A per-group and interface list of sources to be reported in the
   response to a Group-and-Source-Specific Query.

 When a new Query with the Router-Alert option arrives on an
 interface, provided the system has state to report, a delay for a
 response is randomly selected in the range (0, [Max Resp Time]) where
 Max Resp Time is derived from Max Resp Code in the received Query
 message.  The following rules are then used to determine if a Report
 needs to be scheduled and the type of Report to schedule.  The rules
 are considered in order and only the first matching rule is applied.

 1. If there is a pending response to a previous General Query
    scheduled sooner than the selected delay, no additional response
    needs to be scheduled.

 2. If the received Query is a General Query, the interface timer is
    used to schedule a response to the General Query after the
    selected delay.  Any previously pending response to a General
    Query is canceled.
--8<--

Currently the timer is rearmed with new random expiration time for
every incoming query regardless of possibly already pending report.
Which is not aligned with the above RFC.
It also might happen that higher rate of incoming queries can
postpone the report after the expiration time of the first query
causing group membership loss.

Now the per interface general query timer is rearmed only
when there is no pending report already scheduled on that interface or
the newly selected expiration time is before the already pending
scheduled report.

Signed-off-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -221,9 +221,14 @@ static void igmp_start_timer(struct ip_m
 static void igmp_gq_start_timer(struct in_device *in_dev)
 {
 	int tv = prandom_u32() % in_dev->mr_maxdelay;
+	unsigned long exp = jiffies + tv + 2;
+
+	if (in_dev->mr_gq_running &&
+	    time_after_eq(exp, (in_dev->mr_gq_timer).expires))
+		return;
 
 	in_dev->mr_gq_running = 1;
-	if (!mod_timer(&in_dev->mr_gq_timer, jiffies+tv+2))
+	if (!mod_timer(&in_dev->mr_gq_timer, exp))
 		in_dev_hold(in_dev);
 }
 
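Review bot: The early return in igmp_gq_start_timer() tests `in_dev->mr_gq_running` and then reads `in_dev->mr_gq_timer.expires` with no lock or barrier visible in the hunk, so a comment should state what serializes this against the timer handler; if the handler can run between the two reads, `expires` belongs to a timer that has already fired and the new query gets no report scheduled. The parentheses in `(in_dev->mr_gq_timer).expires` are also redundant.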

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 316/370] VSOCK: do not disconnect socket when peer has shutdown SEND only
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adit Ranadive, Dmitry Torokhov, Stefan Hajnoczi,
	Jorgen Hansen, David S. Miller, Claudio Imbrenda, Ian Campbell,
	netdev, Andy King

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Campbell <ian.campbell@docker.com>

[ Upstream commit dedc58e067d8c379a15a8a183c5db318201295bb ]

The peer may be expecting a reply having sent a request and then done a
shutdown(SHUT_WR), so tearing down the whole socket at this point seems
wrong and breaks for me with a client which does a SHUT_WR.

Looking at other socket family's stream_recvmsg callbacks doing a shutdown
here does not seem to be the norm and removing it does not seem to have
had any adverse effects that I can see.

I'm using Stefan's RFC virtio transport patches, I'm unsure of the impact
on the vmci transport.

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
Cc: Andy King <acking@vmware.com>
Cc: Dmitry Torokhov <dtor@vmware.com>
Cc: Jorgen Hansen <jhansen@vmware.com>
Cc: Adit Ranadive <aditr@vmware.com>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/vmw_vsock/af_vsock.c | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1796,27 +1796,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb
 	else if (sk->sk_shutdown & RCV_SHUTDOWN)
 		err = 0;
 
-	if (copied > 0) {
-		/* We only do these additional bookkeeping/notification steps
-		 * if we actually copied something out of the queue pair
-		 * instead of just peeking ahead.
-		 */
-
-		if (!(flags & MSG_PEEK)) {
-			/* If the other side has shutdown for sending and there
-			 * is nothing more to read, then modify the socket
-			 * state.
-			 */
-			if (vsk->peer_shutdown & SEND_SHUTDOWN) {
-				if (vsock_stream_has_data(vsk) <= 0) {
-					sk->sk_state = SS_UNCONNECTED;
-					sock_set_flag(sk, SOCK_DONE);
-					sk->sk_state_change(sk);
-				}
-			}
-		}
+	if (copied > 0)
 		err = copied;
-	}
 
 out_wait:
 	finish_wait(sk_sleep(sk), &wait);
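
Review bot: Dropping the body of `if (copied > 0)` removes the only place in this hunk where the socket is marked `SOCK_DONE` and moved to `SS_UNCONNECTED` after the peer's SEND shutdown with an empty queue, and the commit message says the effect on the vmci transport is not known. Before this goes into a stable tree it needs a test on a vmci-backed socket confirming that a reader still sees end-of-stream once the peer has shut down sending and the queued data is drained.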

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 308/370] irda: Fix lockdep annotations in hashbin_delete().
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dmitry Vyukov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <davem@davemloft.net>

commit 4c03b862b12f980456f9de92db6d508a4999b788 upstream.

A nested lock depth was added to the hashbin_delete() code but it
doesn't actually work so well and results in tons of lockdep splats.

Fix the code instead to properly drop the lock around the operation
and just keep peeking the head of the hashbin queue.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/irda/irqueue.c | 34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)

--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -385,9 +385,6 @@ EXPORT_SYMBOL(hashbin_new);
  *    for deallocating this structure if it's complex. If not the user can
  *    just supply kfree, which should take care of the job.
  */
-#ifdef CONFIG_LOCKDEP
-static int hashbin_lock_depth = 0;
-#endif
 int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
 {
 	irda_queue_t* queue;
@@ -398,22 +395,27 @@ int hashbin_delete( hashbin_t* hashbin,
 	IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
 
 	/* Synchronize */
-	if ( hashbin->hb_type & HB_LOCK ) {
-		spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
-					 hashbin_lock_depth++);
-	}
+	if (hashbin->hb_type & HB_LOCK)
+		spin_lock_irqsave(&hashbin->hb_spinlock, flags);
 
 	/*
 	 *  Free the entries in the hashbin, TODO: use hashbin_clear when
 	 *  it has been shown to work
 	 */
 	for (i = 0; i < HASHBIN_SIZE; i ++ ) {
-		queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-		while (queue ) {
-			if (free_func)
-				(*free_func)(queue);
-			queue = dequeue_first(
-				(irda_queue_t**) &hashbin->hb_queue[i]);
+		while (1) {
+			queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+
+			if (!queue)
+				break;
+
+			if (free_func) {
+				if (hashbin->hb_type & HB_LOCK)
+					spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+				free_func(queue);
+				if (hashbin->hb_type & HB_LOCK)
+					spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+			}
 		}
 	}
 
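Review bot: Releasing `hb_spinlock` around `free_func(queue)` inside the `for` loop leaves the hashbin unlocked while buckets below the current `i` have already been emptied, so an insert from another context during that window lands in a bucket the loop never revisits and is lost when the hashbin structure is freed. Either document that callers must have stopped all other users before calling hashbin_delete(), or invalidate `hashbin->magic` before the walk if the insert paths check it the way the `IRDA_ASSERT` here does. The `if (hashbin->hb_type & HB_LOCK)` test is now repeated around every lock call; a local flag would make the loop easier to read.
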
@@ -422,12 +424,8 @@ int hashbin_delete( hashbin_t* hashbin,
 	hashbin->magic = ~HB_MAGIC;
 
 	/* Release lock */
-	if ( hashbin->hb_type & HB_LOCK) {
+	if (hashbin->hb_type & HB_LOCK)
 		spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
-#ifdef CONFIG_LOCKDEP
-		hashbin_lock_depth--;
-#endif
-	}
 
 	/*
 	 *  Free the hashbin structure

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 317/370] net: bridge: fix old ioctl unlocked net device walk
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nikolay Aleksandrov, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

[ Upstream commit 31ca0458a61a502adb7ed192bf9716c6d05791a5 ]

get_bridge_ifindices() is used from the old "deviceless" bridge ioctl
calls which aren't called with rtnl held. The comment above says that it is
called with rtnl but that is not really the case.
Here's a sample output from a test ASSERT_RTNL() which I put in
get_bridge_ifindices and executed "brctl show":
[  957.422726] RTNL: assertion failed at net/bridge//br_ioctl.c (30)
[  957.422925] CPU: 0 PID: 1862 Comm: brctl Tainted: G        W  O
4.6.0-rc4+ #157
[  957.423009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.8.1-20150318_183358- 04/01/2014
[  957.423009]  0000000000000000 ffff880058adfdf0 ffffffff8138dec5
0000000000000400
[  957.423009]  ffffffff81ce8380 ffff880058adfe58 ffffffffa05ead32
0000000000000001
[  957.423009]  00007ffec1a444b0 0000000000000400 ffff880053c19130
0000000000008940
[  957.423009] Call Trace:
[  957.423009]  [<ffffffff8138dec5>] dump_stack+0x85/0xc0
[  957.423009]  [<ffffffffa05ead32>]
br_ioctl_deviceless_stub+0x212/0x2e0 [bridge]
[  957.423009]  [<ffffffff81515beb>] sock_ioctl+0x22b/0x290
[  957.423009]  [<ffffffff8126ba75>] do_vfs_ioctl+0x95/0x700
[  957.423009]  [<ffffffff8126c159>] SyS_ioctl+0x79/0x90
[  957.423009]  [<ffffffff8163a4c0>] entry_SYSCALL_64_fastpath+0x23/0xc1

Since it only reads bridge ifindices, we can use rcu to safely walk the net
device list. Also remove the wrong rtnl comment above.

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/br_ioctl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -21,18 +21,19 @@
 #include <asm/uaccess.h>
 #include "br_private.h"
 
-/* called with RTNL */
 static int get_bridge_ifindices(struct net *net, int *indices, int num)
 {
 	struct net_device *dev;
 	int i = 0;
 
-	for_each_netdev(net, dev) {
+	rcu_read_lock();
+	for_each_netdev_rcu(net, dev) {
 		if (i >= num)
 			break;
 		if (dev->priv_flags & IFF_EBRIDGE)
 			indices[i++] = dev->ifindex;
 	}
+	rcu_read_unlock();
 
 	return i;
 }
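
Review bot: Removing `/* called with RTNL */` leaves get_bridge_ifindices() with no statement of its locking at all. Replace it with a comment saying the function takes `rcu_read_lock()` itself and may be called without RTNL, and note that the ifindex values copied into `indices` are a snapshot that can be stale by the time the caller uses them.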

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 333/370] dccp: do not send reset to already closed sockets
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David S. Miller, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 346da62cc186c4b4b1ac59f87f4482b47a047388 ]

Andrey reported following warning while fuzzing with syzkaller

WARNING: CPU: 1 PID: 21072 at net/dccp/proto.c:83 dccp_set_state+0x229/0x290
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 21072 Comm: syz-executor Not tainted 4.9.0-rc1+ #293
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003d4c7738 ffffffff81b474f4 0000000000000003 dffffc0000000000
 ffffffff844f8b00 ffff88003d4c7804 ffff88003d4c7800 ffffffff8140c06a
 0000000041b58ab3 ffffffff8479ab7d ffffffff8140beae ffffffff8140cd00
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b474f4>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<ffffffff8140c06a>] panic+0x1bc/0x39d kernel/panic.c:179
 [<ffffffff8111125c>] __warn+0x1cc/0x1f0 kernel/panic.c:542
 [<ffffffff8111144c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff8389e5d9>] dccp_set_state+0x229/0x290 net/dccp/proto.c:83
 [<ffffffff838a0aa2>] dccp_close+0x612/0xc10 net/dccp/proto.c:1016
 [<ffffffff8316bf1f>] inet_release+0xef/0x1c0 net/ipv4/af_inet.c:415
 [<ffffffff82b6e89e>] sock_release+0x8e/0x1d0 net/socket.c:570
 [<ffffffff82b6e9f6>] sock_close+0x16/0x20 net/socket.c:1017
 [<ffffffff815256ad>] __fput+0x29d/0x720 fs/file_table.c:208
 [<ffffffff81525bb5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff811727d8>] task_work_run+0xf8/0x170 kernel/task_work.c:116
 [<     inline     >] exit_task_work include/linux/task_work.h:21
 [<ffffffff8111bc53>] do_exit+0x883/0x2ac0 kernel/exit.c:828
 [<ffffffff811221fe>] do_group_exit+0x10e/0x340 kernel/exit.c:931
 [<ffffffff81143c94>] get_signal+0x634/0x15a0 kernel/signal.c:2307
 [<ffffffff81054aad>] do_signal+0x8d/0x1a30 arch/x86/kernel/signal.c:807
 [<ffffffff81003a05>] exit_to_usermode_loop+0xe5/0x130
arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [<ffffffff81006298>] syscall_return_slowpath+0x1a8/0x1e0
arch/x86/entry/common.c:259
 [<ffffffff83fc1a62>] entry_SYSCALL_64_fastpath+0xc0/0xc2
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled

Fix this the same way we did for TCP in commit 565b7b2d2e63
("tcp: do not send reset to already closed sockets")

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/proto.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -1012,6 +1012,10 @@ void dccp_close(struct sock *sk, long ti
 		__kfree_skb(skb);
 	}
 
+	/* If socket has been already reset kill it. */
+	if (sk->sk_state == DCCP_CLOSED)
+		goto adjudge_to_death;
+
 	if (data_was_unread) {
 		/* Unread data was tossed, send an appropriate Reset Code */
 		DCCP_WARN("ABORT with %u bytes unread\n", data_was_unread);
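
Review bot: The new comment `/* If socket has been already reset kill it. */` says what the branch does but not why, and the `goto adjudge_to_death` skips the `data_was_unread` handling directly below it. Say in the comment that a socket already in `DCCP_CLOSED` must not go through the reset and state-change path (the dccp_set_state() warning quoted in the commit message), and confirm that nothing between this check and the `adjudge_to_death` label is still required for an already closed socket.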

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 320/370] sit: correct IP protocol used in ipip6_err
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, YOSHIFUJI Hideaki, Simon Horman, David S. Miller,
	Dinan Gunawardena

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Horman <simon.horman@netronome.com>

[ Upstream commit d5d8760b78d0cfafe292f965f599988138b06a70 ]

Since 32b8a8e59c9c ("sit: add IPv4 over IPv4 support")
ipip6_err() may be called for packets whose IP protocol is
IPPROTO_IPIP as well as those whose IP protocol is IPPROTO_IPV6.

In the case of IPPROTO_IPIP packets the correct protocol value is not
passed to ipv4_update_pmtu() or ipv4_redirect().

This patch resolves this problem by using the IP protocol of the packet
rather than a hard-coded value. This appears to be consistent
with the usage of the protocol of a packet by icmp_socket_deliver()
the caller of ipip6_err().

I was able to exercise the redirect case by using a setup where an ICMP
redirect was received for the destination of the encapsulated packet.
However, it appears that although incorrect the protocol field is not used
in this case and thus no problem manifests.  On inspection it does not
appear that a problem will manifest in the fragmentation needed/update pmtu
case either.

In short I believe this is a cosmetic fix. None the less, the use of
IPPROTO_IPV6 seems wrong and confusing.

Reviewed-by: Dinan Gunawardena <dinan.gunawardena@netronome.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/sit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -559,13 +559,13 @@ static int ipip6_err(struct sk_buff *skb
 
 	if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
 		ipv4_update_pmtu(skb, dev_net(skb->dev), info,
-				 t->parms.link, 0, IPPROTO_IPV6, 0);
+				 t->parms.link, 0, iph->protocol, 0);
 		err = 0;
 		goto out;
 	}
 	if (type == ICMP_REDIRECT) {
 		ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
-			      IPPROTO_IPV6, 0);
+			      iph->protocol, 0);
 		err = 0;
 		goto out;
 	}
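
Review bot: Both calls now pass `iph->protocol`, but `iph` is neither declared nor assigned in this hunk, so the review has to confirm which header it points at when ipip6_err() runs. It should be the IPv4 header of the offending tunnel packet, whose protocol is IPPROTO_IPIP or IPPROTO_IPV6 as the commit message describes; a short comment at the first use would make that explicit.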

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 334/370] dccp: fix out of bound access in dccp_v4_err()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 6706a97fec963d6cb3f7fc2978ec1427b4651214 ]

dccp_v4_err() does not use pskb_may_pull() and might access garbage.

We only need 4 bytes at the beginning of the DCCP header, like TCP,
so the 8 bytes pulled in icmp_socket_deliver() are more than enough.

This patch might allow to process more ICMP messages, as some routers
are still limiting the size of reflected bytes to 28 (RFC 792), instead
of extended lengths (RFC 1812 4.3.2.3)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: use offsetof() + sizeof() instead of
 offsetofend()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ipv4.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -213,7 +213,7 @@ static void dccp_v4_err(struct sk_buff *
 {
 	const struct iphdr *iph = (struct iphdr *)skb->data;
 	const u8 offset = iph->ihl << 2;
-	const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
+	const struct dccp_hdr *dh;
 	struct dccp_sock *dp;
 	struct inet_sock *inet;
 	const int type = icmp_hdr(skb)->type;
@@ -223,11 +223,13 @@ static void dccp_v4_err(struct sk_buff *
 	int err;
 	struct net *net = dev_net(skb->dev);
 
-	if (skb->len < offset + sizeof(*dh) ||
-	    skb->len < offset + __dccp_basic_hdr_len(dh)) {
-		ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
-		return;
-	}
+	/* Only need dccph_dport & dccph_sport which are the first
+	 * 4 bytes in dccp header.
+	 * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
+	 */
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_sport) + sizeof(dh->dccph_sport) > 8);
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_dport) + sizeof(dh->dccph_dport) > 8);
+	dh = (struct dccp_hdr *)(skb->data + offset);
 
 	sk = inet_lookup(net, &dccp_hashinfo,
 			iph->daddr, dh->dccph_dport,
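
Review bot: The removed `skb->len` test was the only runtime length check in this hunk, and the BUILD_BUG_ON pair that replaces it covers `dccph_sport` and `dccph_dport` only. Any later read through `dh` of a field beyond those first 4 bytes is no longer checked against what icmp_socket_deliver() pulled, so the rest of dccp_v4_err() should be audited for such reads and a `pskb_may_pull()` added before any that are found. The short-packet case also no longer increments `ICMP_MIB_INERRORS` here.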

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 291/370] scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jens Remus, Benjamin Block, Steffen Maier,
	Martin K. Petersen, Dan Carpenter

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.vnet.ibm.com>

commit 2dfa6688aafdc3f74efeb1cf05fb871465d67f79 upstream.

Dan Carpenter kindly reported:
<quote>
The patch d27a7cb91960: "zfcp: trace on request for open and close of
WKA port" from Aug 10, 2016, leads to the following static checker
warning:

	drivers/s390/scsi/zfcp_fsf.c:1615 zfcp_fsf_open_wka_port()
	warn: 'req' was already freed.

drivers/s390/scsi/zfcp_fsf.c
  1609          zfcp_fsf_start_timer(req, ZFCP_FSF_REQUEST_TIMEOUT);
  1610          retval = zfcp_fsf_req_send(req);
  1611          if (retval)
  1612                  zfcp_fsf_req_free(req);
                                          ^^^
Freed.

  1613  out:
  1614          spin_unlock_irq(&qdio->req_q_lock);
  1615          if (req && !IS_ERR(req))
  1616                  zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
                                                                  ^^^^^^^^^^^
Use after free.

  1617          return retval;
  1618  }

Same thing for zfcp_fsf_close_wka_port() as well.
</quote>

Rather than relying on req being NULL (or ERR_PTR) for all cases where
we don't want to trace or should not trace,
simply check retval which is unconditionally initialized with -EIO != 0
and it can only become 0 on successful retval = zfcp_fsf_req_send(req).
With that we can also remove the then again unnecessary unconditional
initialization of req which was introduced with that earlier commit.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Suggested-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: d27a7cb91960 ("zfcp: trace on request for open and close of WKA port")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Reviewed-by: Jens Remus <jremus@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_fsf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -1584,7 +1584,7 @@ out:
 int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
 {
 	struct zfcp_qdio *qdio = wka_port->adapter->qdio;
-	struct zfcp_fsf_req *req = NULL;
+	struct zfcp_fsf_req *req;
 	int retval = -EIO;
 
 	spin_lock_irq(&qdio->req_q_lock);
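
Review bot: With `= NULL` dropped from the declaration, `req` is uninitialized on every path that reaches `out:` before it is assigned, so the function is only correct while nothing after `out:` touches `req` unless `retval` is 0. That invariant deserves a comment next to `int retval = -EIO;`, since the declaration and the check are far apart and a compiler may still flag `req` as possibly uninitialized.
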
@@ -1613,7 +1613,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_f
 		zfcp_fsf_req_free(req);
 out:
 	spin_unlock_irq(&qdio->req_q_lock);
-	if (req && !IS_ERR(req))
+	if (!retval)
 		zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
 	return retval;
 }
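
Review bot: `req->req_id` is still read after `spin_unlock_irq(&qdio->req_q_lock)`, now exactly in the case where zfcp_fsf_req_send() succeeded. If a sent request can complete and be freed by its handler once the lock is released, this is a use-after-free on the success path; copying `req->req_id` into a local before the send and tracing the local would remove the dependency on the request's lifetime. The same applies to the `fscwp_1` trace in zfcp_fsf_close_wka_port().
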
@@ -1639,7 +1639,7 @@ static void zfcp_fsf_close_wka_port_hand
 int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
 {
 	struct zfcp_qdio *qdio = wka_port->adapter->qdio;
-	struct zfcp_fsf_req *req = NULL;
+	struct zfcp_fsf_req *req;
 	int retval = -EIO;
 
 	spin_lock_irq(&qdio->req_q_lock);
@@ -1668,7 +1668,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_
 		zfcp_fsf_req_free(req);
 out:
 	spin_unlock_irq(&qdio->req_q_lock);
-	if (req && !IS_ERR(req))
+	if (!retval)
 		zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
 	return retval;
 }

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 323/370] cdc_ncm: workaround for EM7455 "silent" data interface
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andreas Fett, Rasmus Lerdorf, Bjørn Mork, Samo Ratnik,
	David S. Miller, Ralph Plawetzki, Stefan Armbruster

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bjorn@mork.no>

[ Upstream commit c086e7096170390594c425114d98172bc9aceb8a ]

Several Lenovo users have reported problems with their Sierra
Wireless EM7455 modem. The driver has loaded successfully and
the MBIM management channel has appeared to work, including
establishing a connection to the mobile network. But no frames
have been received over the data interface.

The problem affects all EM7455 and MC7455, and is assumed to
affect other modems based on the same Qualcomm chipset and
baseband firmware.

Testing narrowed the problem down to what seems to be a
firmware timing bug during initialization. Adding a short sleep
while probing is sufficient to make the problem disappear.
Experiments have shown that 1-2 ms is too little to have any
effect, while 10-20 ms is enough to reliably succeed.

Reported-by: Stefan Armbruster <ml001@armbruster-it.de>
Reported-by: Ralph Plawetzki <ralph@purejava.org>
Reported-by: Andreas Fett <andreas.fett@secunet.com>
Reported-by: Rasmus Lerdorf <rasmus@lerdorf.com>
Reported-by: Samo Ratnik <samo.ratnik@gmail.com>
Reported-and-tested-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/usb/cdc_ncm.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -830,6 +830,13 @@ advance:
 	if (cdc_ncm_init(dev))
 		goto error2;
 
+	/* Some firmwares need a pause here or they will silently fail
+	 * to set up the interface properly.  This value was decided
+	 * empirically on a Sierra Wireless MC7455 running 02.08.02.00
+	 * firmware.
+	 */
+	usleep_range(10000, 20000);
+
 	/* configure data interface */
 	temp = usb_set_interface(dev->udev, iface_no, data_altsetting);
 	if (temp) {
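
Review bot: `usleep_range(10000, 20000)` is unconditional, so every device that reaches this point in the driver pays the delay, while the comment and the commit message tie the problem to EM7455/MC7455 firmware. State in the comment that the delay is deliberately applied to all devices, or gate it on a device quirk; the comment should also record that 1-2 ms was found insufficient, which is the only justification for the 10 ms lower bound.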

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 326/370] tcp: fix overflow in __tcp_retransmit_skb()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit ffb4d6c8508657824bcef68a36b2a0f9d8c09d10 ]

If a TCP socket gets a large write queue, an overflow can happen
in a test in __tcp_retransmit_skb() preventing all retransmits.

The flow then stalls and resets after timeouts.

Tested:

sysctl -w net.core.wmem_max=1000000000
netperf -H dest -- -s 1000000000

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_output.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2437,7 +2437,8 @@ int __tcp_retransmit_skb(struct sock *sk
 	 * copying overhead: fragmentation, tunneling, mangling etc.
 	 */
 	if (atomic_read(&sk->sk_wmem_alloc) >
-	    min(sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2), sk->sk_sndbuf))
+	    min_t(u32, sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2),
+		  sk->sk_sndbuf))
 		return -EAGAIN;
 
 	if (skb_still_in_host_queue(sk, skb))
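
Review bot: `min_t(u32, ...)` converts the result of `sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2)`, not its operands, so the addition is still done in the field's own type and the fix depends on that sum wrapping rather than on the cast. Casting the operand before the addition, or a comment saying that the u32 comparison is what undoes the wrapped value, would make the intent clear; the existing comment above the test does not mention overflow.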

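Added example (not part of the patch or of the kernel source): a user-space C model of the test changed in __tcp_retransmit_skb(), showing how the pre-patch limit goes negative for a very large write queue and refuses every retransmit, while the u32 comparison does not. It assumes sk_wmem_queued and sk_sndbuf are 32-bit signed ints; the function names and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduce a value to 32-bit two's complement, which is how the kernel's
 * int arithmetic behaves in practice when a sum exceeds INT_MAX. */
static int32_t wrap_s32(int64_t v)
{
	uint32_t u = (uint32_t)v;	/* modulo 2^32, well defined */

	if (u >= 0x80000000u)
		return (int32_t)(u - 0x80000000u) - 0x7fffffff - 1;
	return (int32_t)u;
}

/* Limit as computed before the patch: min() on two ints. */
static int32_t limit_before(int32_t wmem_queued, int32_t sndbuf)
{
	int32_t sum = wrap_s32((int64_t)wmem_queued + (wmem_queued >> 2));

	return sum < sndbuf ? sum : sndbuf;
}

/* Limit as computed after the patch: min_t(u32, ...) compares as u32. */
static uint32_t limit_after(int32_t wmem_queued, int32_t sndbuf)
{
	uint32_t sum = (uint32_t)((int64_t)wmem_queued + (wmem_queued >> 2));
	uint32_t cap = (uint32_t)sndbuf;

	return sum < cap ? sum : cap;
}

/* 1 when the modelled test would make the function return -EAGAIN. */
static int blocked_before(int32_t wmem_alloc, int32_t queued, int32_t sndbuf)
{
	return wmem_alloc > limit_before(queued, sndbuf);
}

static int blocked_after(int32_t wmem_alloc, int32_t queued, int32_t sndbuf)
{
	/* the int on the left is converted to unsigned for the comparison */
	return (uint32_t)wmem_alloc > limit_after(queued, sndbuf);
}

int main(void)
{
	/* Constructed values: a 2 GB send buffer that is fully queued, with
	 * only 64 KB still held by the lower layers. */
	int32_t queued = 2000000000, sndbuf = 2000000000, alloc = 65536;

	printf("before: limit=%d blocked=%d\n",
	       (int)limit_before(queued, sndbuf),
	       blocked_before(alloc, queued, sndbuf));
	printf("after:  limit=%u blocked=%d\n",
	       (unsigned)limit_after(queued, sndbuf),
	       blocked_after(alloc, queued, sndbuf));
	return 0;
}
```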

* [PATCH 3.16 332/370] net: mangle zero checksum in skb_checksum_help()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Maciej Żenczykowski, Willem de Bruijn,
	David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 4f2e4ad56a65f3b7d64c258e373cb71e8d2499f4 ]

Sending zero checksum is ok for TCP, but not for UDP.

UDPv6 receiver should by default drop a frame with a 0 checksum,
and UDPv4 would not verify the checksum and might accept a corrupted
packet.

Simply replace such checksum by 0xffff, regardless of transport.

This error was caught on SIT tunnels, but seems generic.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Maciej Żenczykowski <maze@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2282,7 +2282,7 @@ int skb_checksum_help(struct sk_buff *sk
 			goto out;
 	}
 
-	*(__sum16 *)(skb->data + offset) = csum_fold(csum);
+	*(__sum16 *)(skb->data + offset) = csum_fold(csum) ?: CSUM_MANGLED_0;
 out_set_summed:
 	skb->ip_summed = CHECKSUM_NONE;
 out:
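Review bot: the new store of csum_fold(csum) ?: CSUM_MANGLED_0 has no comment, and the reason for it (a zero checksum field is not acceptable for UDP, per the commit message) cannot be read off the code. A short comment above the assignment would help, and it should state that the substitution is applied regardless of transport so that nobody later narrows it to UDP only.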


* [PATCH 3.16 298/370] packet: fix races in fanout_add()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Willem de Bruijn

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit d199fab63c11998a602205f7ee7ff7c05c97164b upstream.

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po->rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
find lockdep issues earlier.

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - No rollover queue stats
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1451,13 +1451,16 @@ static int fanout_add(struct sock *sk, u
 		return -EINVAL;
 	}
 
+	mutex_lock(&fanout_mutex);
+
+	err = -EINVAL;
 	if (!po->running)
-		return -EINVAL;
+		goto out;
 
+	err = -EALREADY;
 	if (po->fanout)
-		return -EALREADY;
+		goto out;
 
-	mutex_lock(&fanout_mutex);
 	match = NULL;
 	list_for_each_entry(f, &fanout_list, list) {
 		if (f->id == id &&
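Review bot: both new "goto out" paths in fanout_add() run with fanout_mutex held, but the out: label and its unlock are outside the lines shown in this hunk, so please confirm that out: calls mutex_unlock(&fanout_mutex) and returns err, and that no plain return is left between the new mutex_lock() and that label. The "return -EINVAL" in the context above the lock is fine because it runs before the mutex is taken.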
@@ -1513,17 +1516,16 @@ static void fanout_release(struct sock *
 	struct packet_sock *po = pkt_sk(sk);
 	struct packet_fanout *f;
 
-	f = po->fanout;
-	if (!f)
-		return;
-
 	mutex_lock(&fanout_mutex);
-	po->fanout = NULL;
+	f = po->fanout;
+	if (f) {
+		po->fanout = NULL;
 
-	if (atomic_dec_and_test(&f->sk_ref)) {
-		list_del(&f->list);
-		dev_remove_pack(&f->prot_hook);
-		kfree(f);
+		if (atomic_dec_and_test(&f->sk_ref)) {
+			list_del(&f->list);
+			dev_remove_pack(&f->prot_hook);
+			kfree(f);
+		}
 	}
 	mutex_unlock(&fanout_mutex);
 }
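Review bot: fanout_release() now takes fanout_mutex for every socket, including those where po->fanout is NULL, which the removed early return used to skip. That matches the commit message, but a comment at the "f = po->fanout" read saying it has to happen under the mutex would stop someone from reintroducing the lockless fast path later.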


* [PATCH 3.16 268/370] ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Russell King, Russell King, Dave Martin

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 228dbbfb5d77f8e047b2a1d78da14b7158433027 upstream.

Ensure that if userspace supplies insufficient data to
PTRACE_SETREGSET to fill all the registers, the thread's old
registers are preserved.

Fixes: 5be6f62b0059 ("ARM: 6883/1: ptrace: Migrate to regsets framework")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/ptrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *t
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct pt_regs newregs;
+	struct pt_regs newregs = *task_pt_regs(target);
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				 &newregs,
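Review bot: the initialiser "newregs = *task_pt_regs(target)" in gpr_set() looks redundant next to the user_regset_copyin() call that follows unless the reader knows the copy can be short. Add a one-line comment that the structure is pre-loaded so that a partial write keeps the thread's existing registers instead of leaving the uncopied fields as uninitialised stack data; otherwise it is a candidate for a later "cleanup".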


* [PATCH 3.16 321/370] ipmr/ip6mr: Initialize the last assert time of mfc entries.
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tom Goff, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Goff <thomas.goff@ll.mit.edu>

[ Upstream commit 70a0dec45174c976c64b4c8c1d0898581f759948 ]

This fixes wrong-interface signaling on 32-bit platforms for entries
created when jiffies > 2^31 + MFC_ASSERT_THRESH.

Signed-off-by: Tom Goff <thomas.goff@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/ipmr.c  | 4 +++-
 net/ipv6/ip6mr.c | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -883,8 +883,10 @@ static struct mfc_cache *ipmr_cache_allo
 {
 	struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
 
-	if (c)
+	if (c) {
+		c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
 		c->mfc_un.res.minvif = MAXVIFS;
+	}
 	return c;
 }
 
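Review bot: the new assignment c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1 in ipmr_cache_alloc() needs a comment; without one it reads as an arbitrary value written into an entry that kmem_cache_zalloc() has just zeroed. Say that it backdates the last assert so that a new entry starts outside the threshold window, which is what the 32-bit jiffies case in the commit message depends on.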
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1076,6 +1076,7 @@ static struct mfc6_cache *ip6mr_cache_al
 	struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
 	if (c == NULL)
 		return NULL;
+	c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
 	c->mfc_un.res.minvif = MAXMIFS;
 	return c;
 }
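Review bot: ip6mr_cache_alloc() now open-codes the same expression as the IPv4 hunk, jiffies - MFC_ASSERT_THRESH - 1, so the initial value is duplicated across two files. A small shared macro or inline helper would keep the IPv4 and IPv6 values from drifting apart if the threshold logic changes.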


* [PATCH 3.16 325/370] net: fix sk_mem_reclaim_partial()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 1a24e04e4b50939daa3041682b38b82c896ca438 upstream.

The goal of sk_mem_reclaim_partial() is to ensure each socket has
one SK_MEM_QUANTUM forward allocation. This is needed both for
performance and better handling of memory pressure situations in
follow up patches.

SK_MEM_QUANTUM is currently a page, but might be reduced to 4096 bytes
as some arches have 64KB pages.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sock.h | 6 +++---
 net/core/sock.c    | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1411,7 +1411,7 @@ static inline struct inode *SOCK_INODE(s
  * Functions for memory accounting
  */
 int __sk_mem_schedule(struct sock *sk, int size, int kind);
-void __sk_mem_reclaim(struct sock *sk);
+void __sk_mem_reclaim(struct sock *sk, int amount);
 
 #define SK_MEM_QUANTUM ((int)PAGE_SIZE)
 #define SK_MEM_QUANTUM_SHIFT ilog2(SK_MEM_QUANTUM)
@@ -1452,7 +1452,7 @@ static inline void sk_mem_reclaim(struct
 	if (!sk_has_account(sk))
 		return;
 	if (sk->sk_forward_alloc >= SK_MEM_QUANTUM)
-		__sk_mem_reclaim(sk);
+		__sk_mem_reclaim(sk, sk->sk_forward_alloc);
 }
 
 static inline void sk_mem_reclaim_partial(struct sock *sk)
@@ -1460,7 +1460,7 @@ static inline void sk_mem_reclaim_partia
 	if (!sk_has_account(sk))
 		return;
 	if (sk->sk_forward_alloc > SK_MEM_QUANTUM)
-		__sk_mem_reclaim(sk);
+		__sk_mem_reclaim(sk, sk->sk_forward_alloc - 1);
 }
 
 static inline void sk_mem_charge(struct sock *sk, int size)
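Review bot: the "- 1" in __sk_mem_reclaim(sk, sk->sk_forward_alloc - 1) is the whole point of sk_mem_reclaim_partial() and is not explained. Because the callee rounds the amount down to a SK_MEM_QUANTUM multiple, subtracting one byte is what keeps part of the forward allocation on the socket when sk_forward_alloc is an exact multiple; a comment saying so would keep it from being "simplified" back to the full amount.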
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2125,12 +2125,13 @@ EXPORT_SYMBOL(__sk_mem_schedule);
 /**
  *	__sk_reclaim - reclaim memory_allocated
  *	@sk: socket
+ *	@amount: number of bytes (rounded down to a SK_MEM_QUANTUM multiple)
  */
-void __sk_mem_reclaim(struct sock *sk)
+void __sk_mem_reclaim(struct sock *sk, int amount)
 {
-	sk_memory_allocated_sub(sk,
-				sk->sk_forward_alloc >> SK_MEM_QUANTUM_SHIFT);
-	sk->sk_forward_alloc &= SK_MEM_QUANTUM - 1;
+	amount >>= SK_MEM_QUANTUM_SHIFT;
+	sk_memory_allocated_sub(sk, amount);
+	sk->sk_forward_alloc -= amount << SK_MEM_QUANTUM_SHIFT;
 
 	if (sk_under_memory_pressure(sk) &&
 	    (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)))
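Review bot: the kerneldoc block being edited still names the function __sk_reclaim while the definition below it is __sk_mem_reclaim(); since the patch already touches this comment to add @amount, fix the name in the same change. The new parameter is a signed int that is shifted and subtracted without a range check, so the comment should also state that callers must pass a non-negative amount.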


* [PATCH 3.16 327/370] net: avoid sk_forward_alloc overflows
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d ]

A malicious TCP receiver, sending SACK, can force the sender to split
skbs in write queue and increase its memory usage.

Then, when the socket is closed and its write queue purged, we might
overflow sk_forward_alloc (it becomes negative).

sk_mem_reclaim() does nothing in this case, and more than 2GB
are leaked from the TCP perspective (tcp_memory_allocated is not changed).

Then warnings trigger from inet_sock_destruct() and
sk_stream_kill_queues() seeing a non-zero sk_forward_alloc.

The whole TCP stack can be stuck because TCP is under memory pressure.

A simple fix is to preemptively reclaim from sk_mem_uncharge().

This makes sure a socket won't have more than 2 MB forward allocated,
after burst and idle period.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sock.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1475,6 +1475,16 @@ static inline void sk_mem_uncharge(struc
 	if (!sk_has_account(sk))
 		return;
 	sk->sk_forward_alloc += size;
+
+	/* Avoid a possible overflow.
+	 * TCP send queues can make this happen, if sk_mem_reclaim()
+	 * is not called and more than 2 GBytes are released at once.
+	 *
+	 * If we reach 2 MBytes, reclaim 1 MBytes right now, there is
+	 * no need to hold that much forward allocation anyway.
+	 */
+	if (unlikely(sk->sk_forward_alloc >= 1 << 21))
+		__sk_mem_reclaim(sk, 1 << 20);
 }
 
 static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb)
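Review bot: the thresholds in sk_mem_uncharge() are bare literals, 1 << 21 in the test and 1 << 20 in the call, and only the comment ties them to 2 MBytes and 1 MBytes. Named constants would keep the two values and the comment in step. The call also uses the two-argument __sk_mem_reclaim(), so in this series the patch only builds on top of 325/370 and the ordering must be preserved when applying.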

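Added example (not part of the patch or of the kernel source): a user-space C model of the accounting described above, comparing how far the forward allocation grows while a large write queue is purged with and without the reclaim added to sk_mem_uncharge(). It assumes a 4096-byte SK_MEM_QUANTUM, a constructed skb size of 2048 bytes, and that nothing else reclaims during the purge; the counter is widened to 64 bits so the peak can be observed instead of wrapping, and all names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define QUANTUM_SHIFT 12	/* assumption: SK_MEM_QUANTUM is 4096 bytes */

struct sk_model {
	int64_t forward_alloc;	/* models sk->sk_forward_alloc, in bytes */
	int64_t peak;		/* largest value forward_alloc reached */
	int64_t returned;	/* quanta handed back to the protocol pool */
};

/* Models __sk_mem_reclaim(sk, amount): only whole quanta are returned. */
static void reclaim(struct sk_model *sk, int64_t amount)
{
	amount >>= QUANTUM_SHIFT;
	sk->returned += amount;
	sk->forward_alloc -= amount << QUANTUM_SHIFT;
}

/* Models sk_mem_uncharge(); `capped` selects the patched behaviour. */
static void uncharge(struct sk_model *sk, int size, int capped)
{
	sk->forward_alloc += size;
	if (sk->forward_alloc > sk->peak)
		sk->peak = sk->forward_alloc;
	if (capped && sk->forward_alloc >= (1 << 21))
		reclaim(sk, 1 << 20);
}

/* Purge `count` skbs of `truesize` bytes each and report the peak. */
static int64_t purge_peak(int count, int truesize, int capped)
{
	struct sk_model sk = { 0, 0, 0 };
	int i;

	for (i = 0; i < count; i++)
		uncharge(&sk, truesize, capped);
	return sk.peak;
}

/* 1 when the value would not fit in the kernel's 32-bit int field. */
static int exceeds_int(int64_t v)
{
	return v > INT_MAX;
}

int main(void)
{
	/* constructed workload: 1,500,000 skbs x 2048 bytes = about 3 GB */
	int64_t before = purge_peak(1500000, 2048, 0);
	int64_t after = purge_peak(1500000, 2048, 1);

	printf("unpatched peak: %lld bytes, overflows int: %d\n",
	       (long long)before, exceeds_int(before));
	printf("patched peak:   %lld bytes, overflows int: %d\n",
	       (long long)after, exceeds_int(after));
	return 0;
}
```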

* [PATCH 3.16 331/370] net: clear sk_err_soft in sk_clone_lock()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Soheil Hassas Yeganeh

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e551c32d57c88923f99f8f010e89ca7ed0735e83 ]

At accept() time, it is possible the parent has a non zero
sk_err_soft, leftover from a prior error.

Make sure we do not leave this value in the child, as it
makes future getsockopt(SO_ERROR) calls quite unreliable.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/sock.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1560,6 +1560,7 @@ struct sock *sk_clone_lock(const struct
 		}
 
 		newsk->sk_err	   = 0;
+		newsk->sk_err_soft = 0;
 		newsk->sk_priority = 0;
 		/*
 		 * Before updating sk_refcnt, we must commit prior changes to memory


* [PATCH 3.16 328/370] tcp: fix wrong checksum calculation on MTU probing
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Douglas Caetano dos Santos, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Caetano dos Santos <douglascs@taghos.com.br>

[ Upstream commit 2fe664f1fcf7c4da6891f95708a7a56d3c024354 ]

With TCP MTU probing enabled and offload TX checksumming disabled,
tcp_mtu_probe() calculated the wrong checksum when a fragment being copied
into the probe's SKB had an odd length. This was caused by the direct use
of skb_copy_and_csum_bits() to calculate the checksum, as it pads the
fragment being copied, if needed. When this fragment was not the last, a
subsequent call used the previous checksum without considering this
padding.

The effect was a stale connection in one way, as even retransmissions
wouldn't solve the problem, because the checksum was never recalculated for
the full SKB length.

Signed-off-by: Douglas Caetano dos Santos <douglascs@taghos.com.br>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_output.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1821,12 +1821,14 @@ static int tcp_mtu_probe(struct sock *sk
 	len = 0;
 	tcp_for_write_queue_from_safe(skb, next, sk) {
 		copy = min_t(int, skb->len, probe_size - len);
-		if (nskb->ip_summed)
+		if (nskb->ip_summed) {
 			skb_copy_bits(skb, 0, skb_put(nskb, copy), copy);
-		else
-			nskb->csum = skb_copy_and_csum_bits(skb, 0,
-							    skb_put(nskb, copy),
-							    copy, nskb->csum);
+		} else {
+			__wsum csum = skb_copy_and_csum_bits(skb, 0,
+							     skb_put(nskb, copy),
+							     copy, 0);
+			nskb->csum = csum_block_add(nskb->csum, csum, len);
+		}
 
 		if (skb->len <= copy) {
 			/* We've eaten all the data from this skb.
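Review bot: csum_block_add(nskb->csum, csum, len) in tcp_mtu_probe() is only correct if len is the byte offset of this fragment inside the probe at the time of the call, and the update of len is outside the lines shown here; please confirm len is advanced by copy after this block and not before it. A short comment on why the partial sum is computed from 0 and merged by offset (an odd-length earlier fragment) would also help, since the old single-call form looks equivalent at first glance.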

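Added example (not part of the patch or of the kernel source): a user-space C model of the two loops, showing that seeding each fragment's sum with the running checksum goes wrong as soon as an earlier fragment has odd length, and that summing each fragment from zero and merging it at its byte offset gives the checksum of the concatenated data. The helpers are simplified stand-ins for skb_copy_and_csum_bits() and csum_block_add(), words are summed big-endian for readability, and the names and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct frag { const uint8_t *data; size_t len; };

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint32_t fold16(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return sum;
}

/* Sum len bytes as 16-bit words on top of seed; an odd trailing byte is
 * padded with a zero byte, as happens for each copied fragment. */
static uint32_t csum_frag(const uint8_t *p, size_t len, uint32_t seed)
{
	uint32_t sum = seed;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
		sum = fold16(sum + (((uint32_t)p[i] << 8) | p[i + 1]));
	if (len & 1)
		sum = fold16(sum + ((uint32_t)p[len - 1] << 8));
	return sum;
}

/* Merge the sum of a block that starts at byte `offset` of the packet.
 * At an odd offset its bytes sit in the other half of each 16-bit word,
 * so the block's sum is byte-swapped before it is added. */
static uint32_t block_add(uint32_t sum, uint32_t block, size_t offset)
{
	block = fold16(block);
	if (offset & 1)
		block = ((block << 8) | (block >> 8)) & 0xffff;
	return fold16(sum + block);
}

/* Ground truth: checksum of the fragments laid out back to back. */
static uint32_t csum_reference(const struct frag *f, size_t n)
{
	uint8_t buf[256];
	size_t len = 0, i, j;

	for (i = 0; i < n; i++)
		for (j = 0; j < f[i].len && len < sizeof(buf); j++)
			buf[len++] = f[i].data[j];
	return csum_frag(buf, len, 0);
}

/* Pre-patch loop: the running sum is the seed of the next fragment. */
static uint32_t csum_probe_before(const struct frag *f, size_t n)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i < n; i++)
		sum = csum_frag(f[i].data, f[i].len, sum);
	return sum;
}

/* Patched loop: sum each fragment from zero, merge at its offset. */
static uint32_t csum_probe_after(const struct frag *f, size_t n)
{
	uint32_t sum = 0;
	size_t len = 0, i;

	for (i = 0; i < n; i++) {
		sum = block_add(sum, csum_frag(f[i].data, f[i].len, 0), len);
		len += f[i].len;
	}
	return sum;
}

/* Constructed sample fragments of 3, 4 and 2 bytes. */
static const uint8_t A[] = { 0x01, 0x02, 0x03 };
static const uint8_t B[] = { 0x04, 0x05, 0x06, 0x07 };
static const uint8_t C[] = { 0x08, 0x09 };
static const struct frag odd_first[] = { { A, 3 }, { B, 4 }, { C, 2 } };
static const struct frag even_first[] = { { C, 2 }, { B, 4 }, { A, 3 } };

int main(void)
{
	printf("odd first:  ref=%04x before=%04x after=%04x\n",
	       (unsigned)csum_reference(odd_first, 3),
	       (unsigned)csum_probe_before(odd_first, 3),
	       (unsigned)csum_probe_after(odd_first, 3));
	printf("even first: ref=%04x before=%04x after=%04x\n",
	       (unsigned)csum_reference(even_first, 3),
	       (unsigned)csum_probe_before(even_first, 3),
	       (unsigned)csum_probe_after(even_first, 3));
	return 0;
}
```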

* [PATCH 3.16 271/370] USB: serial: pl2303: add ATEN device ID
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Marcel J.E. Mol

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Marcel J.E. Mol" <marcel@mesa.nl>

commit d07830db1bdb254e4b50d366010b219286b8c937 upstream.

Seems that ATEN serial-to-usb devices using pl2303 exist with
different device ids. This patch adds a missing device ID so it
is recognised by the driver.

Signed-off-by: Marcel J.E. Mol <marcel@mesa.nl>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/pl2303.c | 1 +
 drivers/usb/serial/pl2303.h | 1 +
 2 files changed, 2 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -49,6 +49,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) },
 	{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) },
 	{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID) },
+	{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID2) },
 	{ USB_DEVICE(ATEN_VENDOR_ID2, ATEN_PRODUCT_ID) },
 	{ USB_DEVICE(ELCOM_VENDOR_ID, ELCOM_PRODUCT_ID) },
 	{ USB_DEVICE(ELCOM_VENDOR_ID, ELCOM_PRODUCT_ID_UCSGT) },
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -27,6 +27,7 @@
 #define ATEN_VENDOR_ID		0x0557
 #define ATEN_VENDOR_ID2		0x0547
 #define ATEN_PRODUCT_ID		0x2008
+#define ATEN_PRODUCT_ID2	0x2118
 
 #define IODATA_VENDOR_ID	0x04bb
 #define IODATA_PRODUCT_ID	0x0a03
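Review bot: ATEN_PRODUCT_ID2 says nothing about which device 0x2118 is, while neighbouring entries in the id table carry a model suffix (IODATA_PRODUCT_ID_RSAQ5, ELCOM_PRODUCT_ID_UCSGT). Name the define after the adapter model, or at least add a trailing comment with the model, so the next ATEN ID does not become ATEN_PRODUCT_ID3; it is also easy to confuse with the existing ATEN_VENDOR_ID2.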


* [PATCH 3.16 273/370] net: use a work queue to defer net_disable_timestamp() work
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, Cong Wang, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 5fa8bbda38c668e56b0c6cdecced2eac2fe36dec upstream.

Dmitry reported a warning [1] showing that we were calling
net_disable_timestamp() -> static_key_slow_dec() from a non
process context.

Grabbing a mutex while holding a spinlock or rcu_read_lock()
is not allowed.

As Cong suggested, we now use a work queue.

It is possible netstamp_clear() exits while netstamp_needed_deferred
is not zero, but it is probably not worth trying to do better than that.

netstamp_needed_deferred atomic tracks the exact number of deferred
decrements.

[1]
[ INFO: suspicious RCU usage. ]
4.10.0-rc5+ #192 Not tainted
-------------------------------
./include/linux/rcupdate.h:561 Illegal context switch in RCU read-side
critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
2 locks held by syz-executor14/23111:
 #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83a35c35>] lock_sock
include/net/sock.h:1454 [inline]
 #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff83a35c35>]
rawv6_sendmsg+0x1e65/0x3ec0 net/ipv6/raw.c:919
 #1:  (rcu_read_lock){......}, at: [<ffffffff83ae2678>] nf_hook
include/linux/netfilter.h:201 [inline]
 #1:  (rcu_read_lock){......}, at: [<ffffffff83ae2678>]
__ip6_local_out+0x258/0x840 net/ipv6/output_core.c:160

stack backtrace:
CPU: 2 PID: 23111 Comm: syz-executor14 Not tainted 4.10.0-rc5+ #192
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 lockdep_rcu_suspicious+0x139/0x180 kernel/locking/lockdep.c:4452
 rcu_preempt_sleep_check include/linux/rcupdate.h:560 [inline]
 ___might_sleep+0x560/0x650 kernel/sched/core.c:7748
 __might_sleep+0x95/0x1a0 kernel/sched/core.c:7739
 mutex_lock_nested+0x24f/0x1730 kernel/locking/mutex.c:752
 atomic_dec_and_mutex_lock+0x119/0x160 kernel/locking/mutex.c:1060
 __static_key_slow_dec+0x7a/0x1e0 kernel/jump_label.c:149
 static_key_slow_dec+0x51/0x90 kernel/jump_label.c:174
 net_disable_timestamp+0x3b/0x50 net/core/dev.c:1728
 sock_disable_timestamp+0x98/0xc0 net/core/sock.c:403
 __sk_destruct+0x27d/0x6b0 net/core/sock.c:1441
 sk_destruct+0x47/0x80 net/core/sock.c:1460
 __sk_free+0x57/0x230 net/core/sock.c:1468
 sock_wfree+0xae/0x120 net/core/sock.c:1645
 skb_release_head_state+0xfc/0x200 net/core/skbuff.c:655
 skb_release_all+0x15/0x60 net/core/skbuff.c:668
 __kfree_skb+0x15/0x20 net/core/skbuff.c:684
 kfree_skb+0x16e/0x4c0 net/core/skbuff.c:705
 inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
 inet_frag_put include/net/inet_frag.h:133 [inline]
 nf_ct_frag6_gather+0x1106/0x3840
net/ipv6/netfilter/nf_conntrack_reasm.c:617
 ipv6_defrag+0x1be/0x2b0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
 nf_hook_entry_hookfn include/linux/netfilter.h:102 [inline]
 nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
 nf_hook include/linux/netfilter.h:212 [inline]
 __ip6_local_out+0x489/0x840 net/ipv6/output_core.c:160
 ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
 ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
 ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
 rawv6_push_pending_frames net/ipv6/raw.c:613 [inline]
 rawv6_sendmsg+0x2d1a/0x3ec0 net/ipv6/raw.c:927
 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x326/0x600 net/socket.c:848
 do_iter_readv_writev+0x2e3/0x5b0 fs/read_write.c:695
 do_readv_writev+0x42c/0x9b0 fs/read_write.c:872
 vfs_writev+0x87/0xc0 fs/read_write.c:911
 do_writev+0x110/0x2c0 fs/read_write.c:944
 SYSC_writev fs/read_write.c:1017 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1014
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x445559
RSP: 002b:00007f6f46fceb58 EFLAGS: 00000292 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000445559
RDX: 0000000000000001 RSI: 0000000020f1eff0 RDI: 0000000000000005
RBP: 00000000006e19c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000700000
R13: 0000000020f59000 R14: 0000000000000015 R15: 0000000000020400
BUG: sleeping function called from invalid context at
kernel/locking/mutex.c:752
in_atomic(): 1, irqs_disabled(): 0, pid: 23111, name: syz-executor14
INFO: lockdep is turned off.
CPU: 2 PID: 23111 Comm: syz-executor14 Not tainted 4.10.0-rc5+ #192
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 ___might_sleep+0x47e/0x650 kernel/sched/core.c:7780
 __might_sleep+0x95/0x1a0 kernel/sched/core.c:7739
 mutex_lock_nested+0x24f/0x1730 kernel/locking/mutex.c:752
 atomic_dec_and_mutex_lock+0x119/0x160 kernel/locking/mutex.c:1060
 __static_key_slow_dec+0x7a/0x1e0 kernel/jump_label.c:149
 static_key_slow_dec+0x51/0x90 kernel/jump_label.c:174
 net_disable_timestamp+0x3b/0x50 net/core/dev.c:1728
 sock_disable_timestamp+0x98/0xc0 net/core/sock.c:403
 __sk_destruct+0x27d/0x6b0 net/core/sock.c:1441
 sk_destruct+0x47/0x80 net/core/sock.c:1460
 __sk_free+0x57/0x230 net/core/sock.c:1468
 sock_wfree+0xae/0x120 net/core/sock.c:1645
 skb_release_head_state+0xfc/0x200 net/core/skbuff.c:655
 skb_release_all+0x15/0x60 net/core/skbuff.c:668
 __kfree_skb+0x15/0x20 net/core/skbuff.c:684
 kfree_skb+0x16e/0x4c0 net/core/skbuff.c:705
 inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
 inet_frag_put include/net/inet_frag.h:133 [inline]
 nf_ct_frag6_gather+0x1106/0x3840
net/ipv6/netfilter/nf_conntrack_reasm.c:617
 ipv6_defrag+0x1be/0x2b0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
 nf_hook_entry_hookfn include/linux/netfilter.h:102 [inline]
 nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
 nf_hook include/linux/netfilter.h:212 [inline]
 __ip6_local_out+0x489/0x840 net/ipv6/output_core.c:160
 ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
 ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
 ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
 rawv6_push_pending_frames net/ipv6/raw.c:613 [inline]
 rawv6_sendmsg+0x2d1a/0x3ec0 net/ipv6/raw.c:927
 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x326/0x600 net/socket.c:848
 do_iter_readv_writev+0x2e3/0x5b0 fs/read_write.c:695
 do_readv_writev+0x42c/0x9b0 fs/read_write.c:872
 vfs_writev+0x87/0xc0 fs/read_write.c:911
 do_writev+0x110/0x2c0 fs/read_write.c:944
 SYSC_writev fs/read_write.c:1017 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1014
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x445559

Fixes: b90e5794c5bd ("net: dont call jump_label_dec from irq context")
Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 31 +++++++++++++------------------
 1 file changed, 13 insertions(+), 18 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1600,24 +1600,19 @@ EXPORT_SYMBOL(call_netdevice_notifiers);
 
 static struct static_key netstamp_needed __read_mostly;
 #ifdef HAVE_JUMP_LABEL
-/* We are not allowed to call static_key_slow_dec() from irq context
- * If net_disable_timestamp() is called from irq context, defer the
- * static_key_slow_dec() calls.
- */
 static atomic_t netstamp_needed_deferred;
-#endif
-
-void net_enable_timestamp(void)
+static void netstamp_clear(struct work_struct *work)
 {
-#ifdef HAVE_JUMP_LABEL
 	int deferred = atomic_xchg(&netstamp_needed_deferred, 0);
 
-	if (deferred) {
-		while (--deferred)
-			static_key_slow_dec(&netstamp_needed);
-		return;
-	}
+	while (deferred--)
+		static_key_slow_dec(&netstamp_needed);
+}
+static DECLARE_WORK(netstamp_work, netstamp_clear);
 #endif
+
+void net_enable_timestamp(void)
+{
 	static_key_slow_inc(&netstamp_needed);
 }
 EXPORT_SYMBOL(net_enable_timestamp);
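Review bot: the drain loop in netstamp_clear() changes from "while (--deferred)" to "while (deferred--)", which is easy to misread as an off-by-one slip. It is right here because net_enable_timestamp() no longer cancels one pending decrement against its own increment, so every deferred count must now be applied; a comment on the loop saying that would save the next reader the derivation. The removed comment about irq context is also not replaced by anything explaining why the work item exists.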
@@ -1625,12 +1620,12 @@ EXPORT_SYMBOL(net_enable_timestamp);
 void net_disable_timestamp(void)
 {
 #ifdef HAVE_JUMP_LABEL
-	if (in_interrupt()) {
-		atomic_inc(&netstamp_needed_deferred);
-		return;
-	}
-#endif
+	/* net_disable_timestamp() can be called from non process context */
+	atomic_inc(&netstamp_needed_deferred);
+	schedule_work(&netstamp_work);
+#else
 	static_key_slow_dec(&netstamp_needed);
+#endif
 }
 EXPORT_SYMBOL(net_disable_timestamp);
 
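Review bot: with HAVE_JUMP_LABEL set, net_disable_timestamp() now defers every decrement, including calls made from process context, but the new comment only says the function can be called from non process context. Extend it to say that the decrement is always asynchronous, so netstamp_needed can stay enabled for a while after the last user is gone and the atomic_inc() must stay ahead of schedule_work() for netstamp_clear() to see the count.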


* [PATCH 3.16 248/370] platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andy Shevchenko

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 5a00b6c2438460b870a451f14593fc40d3c7edf6 upstream.

The commit 1c6c69525b40 ("genirq: Reject bogus threaded irq requests")
starts refusing misconfigured interrupt handlers. This makes
intel_mid_powerbtn not work anymore.

Add a mandatory flag to a threaded IRQ request in the driver.

Fixes: 1c6c69525b40 ("genirq: Reject bogus threaded irq requests")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/platform/x86/intel_mid_powerbtn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/platform/x86/intel_mid_powerbtn.c
+++ b/drivers/platform/x86/intel_mid_powerbtn.c
@@ -76,7 +76,7 @@ static int mfld_pb_probe(struct platform
 
 	input_set_capability(input, EV_KEY, KEY_POWER);
 
-	error = request_threaded_irq(irq, NULL, mfld_pb_isr, IRQF_NO_SUSPEND,
+	error = request_threaded_irq(irq, NULL, mfld_pb_isr, IRQF_NO_SUSPEND | IRQF_ONESHOT,
 			DRIVER_NAME, input);
 	if (error) {
 		dev_err(&pdev->dev, "Unable to request irq %d for mfld power"
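Review bot: the changed request_threaded_irq() line now runs well past 80 columns with "IRQF_NO_SUSPEND | IRQF_ONESHOT" appended. Move the flags to the continuation line next to DRIVER_NAME, and consider a brief comment that IRQF_ONESHOT is required because the primary handler argument is NULL, which is the condition the commit message refers to.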


* [PATCH 3.16 297/370] mmc: core: fix multi-bit bus width without high-speed mode
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Ulf Hansson

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 3d4ef329757cfd5e0b23cce97cdeca7e2df89c99 upstream.

Commit 577fb13199b1 ("mmc: rework selection of bus speed mode")
refactored bus width selection code to mmc_select_bus_width().

However, it also altered the behavior to not call the selection code in
non-high-speed modes anymore.

This causes 1-bit mode to always be used when the high-speed mode is not
enabled, even though 4-bit and 8-bit bus are valid bus widths in the
backwards-compatibility (legacy) mode as well (see e.g. 5.3.2 Bus Speed
Modes in JEDEC 84-B50). This results in a significant regression in
transfer speeds.

Fix the code to allow 4-bit and 8-bit widths even without high-speed
mode, as before.

Tested with a Zynq-7000 PicoZed 7020 board.

Fixes: 577fb13199b1 ("mmc: rework selection of bus speed mode")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/mmc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1391,10 +1391,10 @@ static int mmc_init_card(struct mmc_host
 		err = mmc_select_hs400(card);
 		if (err)
 			goto err;
-	} else if (mmc_card_hs(card)) {
+	} else {
 		/* Select the desired bus width optionally */
 		err = mmc_select_bus_width(card);
-		if (!IS_ERR_VALUE(err)) {
+		if (!IS_ERR_VALUE(err) && mmc_card_hs(card)) {
 			err = mmc_select_hs_ddr(card);
 			if (err)
 				goto err;
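
Review bot: in the new `else` branch of mmc_init_card(), a failing
mmc_select_bus_width() leaves a negative value in err and the visible
lines neither jump to the err label nor clear it, and that path is now
taken by every card that does not take the branch above rather than only
by high-speed ones. Please confirm what the code after this block does
with err, and extend the `/* Select the desired bus width optionally */`
comment to say that the DDR step is attempted only when
mmc_card_hs(card) is true.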

* [PATCH 3.16 299/370] [media] siano: make it work again with CONFIG_VMAP_STACK
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (297 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 300/370] net: xilinx_emaclite: fix receive buffer overflow Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 312/370] route: do not cache fib route info on local routes with oif Ben Hutchings
                   ` (72 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit f9c85ee67164b37f9296eab3b754e543e4e96a1c upstream.

Reported as a Kaffeine bug:
	https://bugs.kde.org/show_bug.cgi?id=375811

The USB control messages require DMA to work. We cannot pass
a stack-allocated buffer, as it is not warranted that the
stack would be into a DMA enabled area.

On Kernel 4.9, the default is to not accept DMA on stack anymore
on x86 architecture. On other architectures, this has been a
requirement since Kernel 2.2. So, after this patch, this driver
should likely work fine on all archs.

Tested with USB ID 2040:5510: Hauppauge Windham

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/siano/smsusb.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -206,22 +206,30 @@ static int smsusb_start_streaming(struct
 static int smsusb_sendrequest(void *context, void *buffer, size_t size)
 {
 	struct smsusb_device_t *dev = (struct smsusb_device_t *) context;
-	struct sms_msg_hdr *phdr = (struct sms_msg_hdr *) buffer;
-	int dummy;
+	struct sms_msg_hdr *phdr;
+	int dummy, ret;
 
 	if (dev->state != SMSUSB_ACTIVE) {
 		sms_debug("Device not active yet");
 		return -ENOENT;
 	}
 
+	phdr = kmalloc(size, GFP_KERNEL);
+	if (!phdr)
+		return -ENOMEM;
+	memcpy(phdr, buffer, size);
+
 	sms_debug("sending %s(%d) size: %d",
 		  smscore_translate_msg(phdr->msg_type), phdr->msg_type,
 		  phdr->msg_length);
 
 	smsendian_handle_tx_message((struct sms_msg_data *) phdr);
-	smsendian_handle_message_header((struct sms_msg_hdr *)buffer);
-	return usb_bulk_msg(dev->udev, usb_sndbulkpipe(dev->udev, 2),
-			    buffer, size, &dummy, 1000);
+	smsendian_handle_message_header((struct sms_msg_hdr *)phdr);
+	ret = usb_bulk_msg(dev->udev, usb_sndbulkpipe(dev->udev, 2),
+			    phdr, size, &dummy, 1000);
+
+	kfree(phdr);
+	return ret;
 }
 
 static char *smsusb1_fw_lkup[] = {
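
Review bot: in smsusb_sendrequest() the kmalloc()/memcpy() pair can be a
single kmemdup(buffer, size, GFP_KERNEL), and the
`(struct sms_msg_hdr *)phdr` cast passed to
smsendian_handle_message_header() is redundant now that phdr already has
that type. Two things to confirm: phdr->msg_type and phdr->msg_length are
read without checking that size covers a struct sms_msg_hdr, and the
endian conversion is now applied to the copy only, so the caller's buffer
is no longer modified in place as it was before.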

* [PATCH 3.16 266/370] can: bcm: fix hrtimer/tasklet termination in bcm op removal
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (257 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 275/370] netlabel: out of bound access in cipso_v4_validate() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 204/370] USB: serial: ch341: fix baud rate and line-control handling Ben Hutchings
                   ` (112 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Josenhans, Oliver Hartkopp, Marc Kleine-Budde

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit a06393ed03167771246c4c43192d9c264bc48412 upstream.

When removing a bcm tx operation either a hrtimer or a tasklet might run.
As the hrtimer triggers its associated tasklet and vice versa we need to
take care to mutually terminate both handlers.

Reported-by: Michael Josenhans <michael.josenhans@web.de>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Tested-by: Michael Josenhans <michael.josenhans@web.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/can/bcm.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -706,14 +706,23 @@ static struct bcm_op *bcm_find_op(struct
 
 static void bcm_remove_op(struct bcm_op *op)
 {
-	hrtimer_cancel(&op->timer);
-	hrtimer_cancel(&op->thrtimer);
+	if (op->tsklet.func) {
+		while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
+		       test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
+		       hrtimer_active(&op->timer)) {
+			hrtimer_cancel(&op->timer);
+			tasklet_kill(&op->tsklet);
+		}
+	}
 
-	if (op->tsklet.func)
-		tasklet_kill(&op->tsklet);
-
-	if (op->thrtsklet.func)
-		tasklet_kill(&op->thrtsklet);
+	if (op->thrtsklet.func) {
+		while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
+		       test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
+		       hrtimer_active(&op->thrtimer)) {
+			hrtimer_cancel(&op->thrtimer);
+			tasklet_kill(&op->thrtsklet);
+		}
+	}
 
 	if ((op->frames) && (op->frames != &op->sframe))
 		kfree(op->frames);
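
Review bot: in bcm_remove_op() the hrtimer_cancel() calls for op->timer
and op->thrtimer were unconditional before and are now reached only when
op->tsklet.func and op->thrtsklet.func are set, so an op without a
tasklet function would be freed with its timer possibly still armed.
Either keep an unconditional hrtimer_cancel() in an else branch or state
in a comment that func is always initialised. The two `while` loops also
deserve a short comment explaining that timer and tasklet can re-arm each
other, since a loop around tasklet_kill() looks like a mistake without
it.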

* [PATCH 3.16 322/370] net: alx: Work around the DMA RX overflow issue
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
@ 2017-03-10 11:46   ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del() Ben Hutchings
                     ` (370 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Ole Lukoie, Feng Tang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Feng Tang <feng.tang@intel.com>

[ Upstream commit 881d0327db37ad917a367c77aff1afa1ee41e0a9 ]

Note: This is a verified backported patch for stable 4.4 kernel, and it
could also be applied to 4.3/4.2/4.1/3.18/3.16

There is a problem with alx devices, that the network link will be
lost in 1-5 minutes after the device is up.

From debugging without datasheet, we found the error always
happens when the DMA RX address is set to 0x....fc0, which is very
likely to be a HW/silicon problem.

This patch will apply rx skb with 64 bytes longer space, and if the
allocated skb has a 0x...fc0 address, it will use skb_reserve(skb, 64)
to advance the address, so that the RX overflow can be avoided.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=70761
Signed-off-by: Feng Tang <feng.tang@intel.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Tested-by: Ole Lukoie <olelukoie@mail.ru>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/atheros/alx/main.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/atheros/alx/main.c
+++ b/drivers/net/ethernet/atheros/alx/main.c
@@ -86,9 +86,14 @@ static int alx_refill_rx_ring(struct alx
 	while (!cur_buf->skb && next != rxq->read_idx) {
 		struct alx_rfd *rfd = &rxq->rfd[cur];
 
-		skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
+		skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size + 64, gfp);
 		if (!skb)
 			break;
+
+		/* Workround for the HW RX DMA overflow issue */
+		if (((unsigned long)skb->data & 0xfff) == 0xfc0)
+			skb_reserve(skb, 64);
+
 		dma = dma_map_single(&alx->hw.pdev->dev,
 				     skb->data, alx->rxbuf_size,
 				     DMA_FROM_DEVICE);
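
Review bot: the workaround test
`((unsigned long)skb->data & 0xfff) == 0xfc0` in alx_refill_rx_ring()
inspects the CPU virtual address before dma_map_single(), while the
commit message describes the failure in terms of the DMA RX address; it
relies on the mapping preserving the low 12 bits, which should be stated
in the comment or checked against the returned dma value. The literals
64, 0xfff and 0xfc0 would read better as named constants, and
'Workround' in the new comment should be 'Workaround'.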

* [PATCH 3.16 309/370] sched/cputime: Fix invalid gtime in proc
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (353 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 208/370] ocfs2: fix crash caused by stale lvb with fsdlm plugin Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 329/370] net: Add netdev all_adj_list refcnt propagation to fix panic Ben Hutchings
                   ` (16 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Christoph Lameter, Mike Galbraith,
	Luiz Capitulino, Linus Torvalds, Chris Metcalf,
	Frederic Weisbecker, Paul E . McKenney, Hiroshi Shimamoto,
	Peter Zijlstra (Intel),
	Rik van Riel, Ingo Molnar

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>

commit 2541117b0cf79977fa11a0d6e17d61010677bd7b upstream.

/proc/stats shows invalid gtime when the thread is running in guest.
When vtime accounting is not enabled, we cannot get a valid delta.
The delta is calculated with now - tsk->vtime_snap, but tsk->vtime_snap
is only updated when vtime accounting is runtime enabled.

This patch makes task_gtime() just return gtime without computing the
buggy non-existing tickless delta when vtime accounting is not enabled.

Use context_tracking_is_enabled() to check if vtime is accounting on
some cpu, in which case only we need to check the tickless delta. This
way we fix the gtime value regression on machines not running nohz full.

The kernel config contains CONFIG_VIRT_CPU_ACCOUNTING_GEN=y and
CONFIG_NO_HZ_FULL_ALL=n and boot without nohz_full.

I ran and stop a busy loop in VM and see the gtime in host.
Dump the 43rd field which shows the gtime in every second:

	 # while :; do awk '{print $3" "$43}' /proc/3955/task/4014/stat; sleep 1; done
	S 4348
	R 7064566
	R 7064766
	R 7064967
	R 7065168
	S 4759
	S 4759

During running busy loop, it returns large value.

After applying this patch, we can see right gtime.

	 # while :; do awk '{print $3" "$43}' /proc/10913/task/10956/stat; sleep 1; done
	S 5338
	R 5365
	R 5465
	R 5566
	R 5666
	S 5726
	S 5726

Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Paul E . McKenney <paulmck@linux.vnet.ibm.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1447948054-28668-2-git-send-email-fweisbec@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/cputime.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -753,6 +753,9 @@ cputime_t task_gtime(struct task_struct
 	unsigned int seq;
 	cputime_t gtime;
 
+	if (!context_tracking_is_enabled())
+		return t->gtime;
+
 	do {
 		seq = read_seqbegin(&t->vtime_seqlock);
 
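Review bot: the early return added at the top of task_gtime() has no
comment, and the reason it is safe (t->vtime_snap is only updated while
vtime accounting is enabled at run time, per the commit message) is not
obvious from the code. A one-line comment above
`if (!context_tracking_is_enabled())` would help; it is also worth noting
there that t->gtime is read here outside the t->vtime_seqlock read loop
that follows.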

* [PATCH 3.16 315/370] netem: Segment GSO packets on enqueue
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 217/370] mmc: mxs-mmc: Fix additional cycles after transmission stop Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 342/370] net/dccp: fix use-after-free in dccp_invalid_packet Ben Hutchings
                   ` (150 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, netem, eric.dumazet, Neil Horman, stephen,
	Jamal Hadi Salim, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Neil Horman <nhorman@tuxdriver.com>

[ Upstream commit 6071bd1aa13ed9e41824bafad845b7b7f4df5cfd ]

This was recently reported to me, and reproduced on the latest net kernel,
when attempting to run netperf from a host that had a netem qdisc attached
to the egress interface:

[  788.073771] ---------------------[ cut here ]---------------------------
[  788.096716] WARNING: at net/core/dev.c:2253 skb_warn_bad_offload+0xcd/0xda()
[  788.129521] bnx2: caps=(0x00000001801949b3, 0x0000000000000000) len=2962
data_len=0 gso_size=1448 gso_type=1 ip_summed=3
[  788.182150] Modules linked in: sch_netem kvm_amd kvm crc32_pclmul ipmi_ssif
ghash_clmulni_intel sp5100_tco amd64_edac_mod aesni_intel lrw gf128mul
glue_helper ablk_helper edac_mce_amd cryptd pcspkr sg edac_core hpilo ipmi_si
i2c_piix4 k10temp fam15h_power hpwdt ipmi_msghandler shpchp acpi_power_meter
pcc_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c
sd_mod crc_t10dif crct10dif_generic mgag200 syscopyarea sysfillrect sysimgblt
i2c_algo_bit drm_kms_helper ahci ata_generic pata_acpi ttm libahci
crct10dif_pclmul pata_atiixp tg3 libata crct10dif_common drm crc32c_intel ptp
serio_raw bnx2 r8169 hpsa pps_core i2c_core mii dm_mirror dm_region_hash dm_log
dm_mod
[  788.465294] CPU: 16 PID: 0 Comm: swapper/16 Tainted: G        W
------------   3.10.0-327.el7.x86_64 #1
[  788.511521] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/17/2012
[  788.542260]  ffff880437c036b8 f7afc56532a53db9 ffff880437c03670
ffffffff816351f1
[  788.576332]  ffff880437c036a8 ffffffff8107b200 ffff880633e74200
ffff880231674000
[  788.611943]  0000000000000001 0000000000000003 0000000000000000
ffff880437c03710
[  788.647241] Call Trace:
[  788.658817]  <IRQ>  [<ffffffff816351f1>] dump_stack+0x19/0x1b
[  788.686193]  [<ffffffff8107b200>] warn_slowpath_common+0x70/0xb0
[  788.713803]  [<ffffffff8107b29c>] warn_slowpath_fmt+0x5c/0x80
[  788.741314]  [<ffffffff812f92f3>] ? ___ratelimit+0x93/0x100
[  788.767018]  [<ffffffff81637f49>] skb_warn_bad_offload+0xcd/0xda
[  788.796117]  [<ffffffff8152950c>] skb_checksum_help+0x17c/0x190
[  788.823392]  [<ffffffffa01463a1>] netem_enqueue+0x741/0x7c0 [sch_netem]
[  788.854487]  [<ffffffff8152cb58>] dev_queue_xmit+0x2a8/0x570
[  788.880870]  [<ffffffff8156ae1d>] ip_finish_output+0x53d/0x7d0
...

The problem occurs because netem is not prepared to handle GSO packets (as it
uses skb_checksum_help in its enqueue path, which cannot manipulate these
frames).

The solution I think is to simply segment the skb in a similar fashion to the
way we do in __dev_queue_xmit (via validate_xmit_skb), with some minor changes.
When we decide to corrupt an skb, if the frame is GSO, we segment it, corrupt
the first segment, and enqueue the remaining ones.

tested successfully by myself on the latest net kernel, to which this applies

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Jamal Hadi Salim <jhs@mojatatu.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netem@lists.linux-foundation.org
CC: eric.dumazet@gmail.com
CC: stephen@networkplumber.org
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: open-code qdisc_qstats_drop()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_netem.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 59 insertions(+), 2 deletions(-)

--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -408,6 +408,25 @@ static void tfifo_enqueue(struct sk_buff
 	sch->q.qlen++;
 }
 
+/* netem can't properly corrupt a megapacket (like we get from GSO), so instead
+ * when we statistically choose to corrupt one, we instead segment it, returning
+ * the first packet to be corrupted, and re-enqueue the remaining frames
+ */
+static struct sk_buff *netem_segment(struct sk_buff *skb, struct Qdisc *sch)
+{
+	struct sk_buff *segs;
+	netdev_features_t features = netif_skb_features(skb);
+
+	segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+
+	if (IS_ERR_OR_NULL(segs)) {
+		qdisc_reshape_fail(skb, sch);
+		return NULL;
+	}
+	consume_skb(skb);
+	return segs;
+}
+
 /*
  * Insert one skb into qdisc.
  * Note: parent depends on return value to account for queue length.
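
Review bot: netem_segment() discards the return value of
qdisc_reshape_fail(skb, sch) and returns NULL, and the caller then
hard-codes NET_XMIT_DROP; passing the code back (for example via ERR_PTR)
would keep the two in step. The comment above the function says the
remaining frames are re-enqueued, but this helper only segments, so the
comment should say that the caller does the re-enqueue.
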
@@ -420,7 +439,11 @@ static int netem_enqueue(struct sk_buff
 	/* We don't fill cb now as skb_unshare() may invalidate it */
 	struct netem_skb_cb *cb;
 	struct sk_buff *skb2;
+	struct sk_buff *segs = NULL;
+	unsigned int len = 0, last_len, prev_len = qdisc_pkt_len(skb);
+	int nb = 0;
 	int count = 1;
+	int rc = NET_XMIT_SUCCESS;
 
 	/* Random duplication */
 	if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor))
@@ -466,10 +489,23 @@ static int netem_enqueue(struct sk_buff
 	 * do it now in software before we mangle it.
 	 */
 	if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) {
+		if (skb_is_gso(skb)) {
+			segs = netem_segment(skb, sch);
+			if (!segs)
+				return NET_XMIT_DROP;
+		} else {
+			segs = skb;
+		}
+
+		skb = segs;
+		segs = segs->next;
+
 		if (!(skb = skb_unshare(skb, GFP_ATOMIC)) ||
 		    (skb->ip_summed == CHECKSUM_PARTIAL &&
-		     skb_checksum_help(skb)))
-			return qdisc_drop(skb, sch);
+		     skb_checksum_help(skb))) {
+			rc = qdisc_drop(skb, sch);
+			goto finish_segs;
+		}
 
 		skb->data[prandom_u32() % skb_headlen(skb)] ^=
 			1<<(prandom_u32() % 8);
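
Review bot: in the non-GSO branch, `segs = skb;` followed by
`segs = segs->next;` relies on skb->next being NULL on entry to
netem_enqueue(); if it is not, finish_segs will enqueue whatever is
linked there. Setting segs to NULL explicitly for the non-GSO case would
make that assumption unnecessary.
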
@@ -529,6 +565,27 @@ static int netem_enqueue(struct sk_buff
 		sch->qstats.requeues++;
 	}
 
+finish_segs:
+	if (segs) {
+		while (segs) {
+			skb2 = segs->next;
+			segs->next = NULL;
+			qdisc_skb_cb(segs)->pkt_len = segs->len;
+			last_len = segs->len;
+			rc = qdisc_enqueue(segs, sch);
+			if (rc != NET_XMIT_SUCCESS) {
+				if (net_xmit_drop_count(rc))
+					sch->qstats.drops++;
+			} else {
+				nb++;
+				len += last_len;
+			}
+			segs = skb2;
+		}
+		sch->q.qlen += nb;
+		if (nb > 1)
+			qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len);
+	}
 	return NET_XMIT_SUCCESS;
 }
 
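Review bot: rc is assigned by qdisc_drop() on the corrupt failure path
and by qdisc_enqueue() in the finish_segs loop, but the function still
ends with `return NET_XMIT_SUCCESS;`, so the drop that used to be
reported through `return qdisc_drop(skb, sch);` is now reported as
success. Return a status that reflects the drop, or remove rc if success
is intended. Since qdisc_enqueue(segs, sch) goes back through this
qdisc's own enqueue, please also check that `sch->q.qlen += nb` does not
count the segments a second time, and that skipping
qdisc_tree_reduce_backlog() when nb is 1 is right even though prev_len
and len can differ.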

* [PATCH 3.16 324/370] bonding: set carrier off for devices created through netlink
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (358 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 274/370] mm, fs: check for fatal signals in do_generic_file_read() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 256/370] SUNRPC: cleanup ida information when removing sunrpc module Ben Hutchings
                   ` (11 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Beniamino Galvani, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Beniamino Galvani <bgalvani@redhat.com>

[ Upstream commit 005db31d5f5f7c31cfdc43505d77eb3ca5cf8ec6 ]

Commit e826eafa65c6 ("bonding: Call netif_carrier_off after
register_netdevice") moved netif_carrier_off() from bond_init() to
bond_create(), but the latter is called only for initial default
devices and ones created through sysfs:

 $ modprobe bonding
 $ echo +bond1 > /sys/class/net/bonding_masters
 $ ip link add bond2 type bond
 $ grep "MII Status" /proc/net/bonding/*
 /proc/net/bonding/bond0:MII Status: down
 /proc/net/bonding/bond1:MII Status: down
 /proc/net/bonding/bond2:MII Status: up

Ensure that carrier is initially off also for devices created through
netlink.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/bonding/bond_netlink.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -365,7 +365,11 @@ static int bond_newlink(struct net *src_
 	if (err < 0)
 		return err;
 
-	return register_netdevice(bond_dev);
+	err = register_netdevice(bond_dev);
+
+	netif_carrier_off(bond_dev);
+
+	return err;
 }
 
 static size_t bond_get_size(const struct net_device *bond_dev)
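
Review bot: in bond_newlink(), netif_carrier_off(bond_dev) is called even
when register_netdevice() has just returned an error; guard it with
`if (!err)` (or return early on error) so the carrier state is only
touched on a device that was actually registered.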

* [PATCH 3.16 314/370] sch_dsmark: update backlog as well
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (350 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 305/370] packet: Do not call fanout_release from atomic contexts Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 199/370] USB: serial: ch341: fix initial modem-control state Ben Hutchings
                   ` (19 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, WANG Cong, David S. Miller, Jamal Hadi Salim

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit bdf17661f63a79c3cb4209b970b1cc39e34f7543 ]

Similarly, we need to update backlog too when we update qlen.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: open-code qdisc_qstats_backlog_{inc,dec}()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_dsmark.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -255,6 +255,7 @@ static int dsmark_enqueue(struct sk_buff
 		return err;
 	}
 
+	sch->qstats.backlog += qdisc_pkt_len(skb);
 	sch->q.qlen++;
 
 	return NET_XMIT_SUCCESS;
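
Review bot: `sch->qstats.backlog += qdisc_pkt_len(skb);` in
dsmark_enqueue() reads skb after the error return above it, which
suggests skb has already been handed to the child qdisc by then (that
call is outside the visible context). If so, take the length into a local
before the child enqueue and add that, rather than dereferencing skb
afterwards. The changelog's 'Similarly' also refers to an earlier patch
without naming it; a sentence naming what is being mirrored would let the
commit stand on its own.
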
@@ -277,6 +278,7 @@ static struct sk_buff *dsmark_dequeue(st
 		return NULL;
 
 	qdisc_bstats_update(sch, skb);
+	sch->qstats.backlog -= qdisc_pkt_len(skb);
 	sch->q.qlen--;
 
 	index = skb->tc_index & (p->indices - 1);
@@ -392,6 +394,7 @@ static void dsmark_reset(struct Qdisc *s
 
 	pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p);
 	qdisc_reset(p->q);
+	sch->qstats.backlog = 0;
 	sch->q.qlen = 0;
 }
 

* [PATCH 3.16 310/370] lib/vsprintf.c: improve sanity check in vsnprintf()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (335 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 225/370] be2net: fix status check in be_cmd_pmac_add() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 214/370] gro: use min_t() in skb_gro_reset_offset() Ben Hutchings
                   ` (34 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Willy Tarreau, Linus Torvalds, Jiri Kosina, Randy Dunlap,
	Rasmus Villemoes

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit 2aa2f9e21e4eb25c720b2e7d80f8929638f6ad73 upstream.

On 64 bit, size may very well be huge even if bit 31 happens to be 0.
Somehow it doesn't feel right that one can pass a 5 GiB buffer but not a
3 GiB one.  So cap at INT_MAX as was probably the intention all along.
This is also the made-up value passed by sprintf and vsprintf.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Willy Tarreau <w@1wt.eu>
---
 lib/vsprintf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1657,7 +1657,7 @@ int vsnprintf(char *buf, size_t size, co
 
 	/* Reject out-of-range values early.  Large positive sizes are
 	   used for unknown buffer sizes. */
-	if (WARN_ON_ONCE((int) size < 0))
+	if (WARN_ON_ONCE(size > INT_MAX))
 		return 0;
 
 	str = buf;
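
Review bot: the comment above the check in vsnprintf() still says only
that large positive sizes are used for unknown buffer sizes; now that the
test is `size > INT_MAX` it should name INT_MAX as the cap so comment and
code agree. It is also worth documenting that on this path the function
returns 0 without writing to buf, so callers get no terminating NUL.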

* [PATCH 3.16 282/370] ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
@ 2017-03-10 11:46   ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del() Ben Hutchings
                     ` (370 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Jo-Philipp Wich, Vineet Gupta,
	Vineet Gupta, linux-snps-arc

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <Vineet.Gupta1@synopsys.com>

commit a524c218bc94c705886a0e0fedeee45d1931da32 upstream.

Reported-by: Jo-Philipp Wich <jo@mein.io>
Fixes: 9aed02feae57bf7 ("ARC: [arcompact] handle unaligned access delay slot")
Cc: linux-kernel@vger.kernel.org
Cc: linux-snps-arc@lists.infradead.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/kernel/unaligned.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/kernel/unaligned.c
+++ b/arch/arc/kernel/unaligned.c
@@ -242,7 +242,7 @@ int misaligned_fixup(unsigned long addre
 
 	/* clear any remanants of delay slot */
 	if (delay_mode(regs)) {
-		regs->ret = regs->bta ~1U;
+		regs->ret = regs->bta & ~1U;
 		regs->status32 &= ~STATUS_DE_MASK;
 	} else {
 		regs->ret += state.instr_len;
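
Review bot: the removed line `regs->ret = regs->bta ~1U;` in
misaligned_fixup() is not valid C, so the file cannot have built with it,
yet the changelog has no body saying so; one sentence stating the symptom
would help backporters judge the fix. While touching this block,
'remanants' in the context comment could be corrected to 'remnants'.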

* [PATCH 3.16 283/370] drm/i915: fix use-after-free in page_flip_completed()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (368 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 190/370] sh_eth: fix EESIPR values for SH77{34|63} Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 12:49 ` [PATCH 3.16 000/370] 3.16.42-rc1 review Guenter Roeck
  2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Ryabinin, Daniel Vetter, Chris Wilson, Jani Nikula

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

commit 5351fbb1bf1413f6024892093528280769ca852f upstream.

page_flip_completed() dereferences 'work' variable after executing
queue_work(). This is not safe as the 'work' item might be already freed
by queued work:

    BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
    Call Trace:
     __asan_report_load8_noabort+0x59/0x80
     page_flip_completed+0x3ff/0x490
     intel_finish_page_flip_mmio+0xe3/0x130
     intel_pipe_handle_vblank+0x2d/0x40
     gen8_irq_handler+0x4a7/0xed0
     __handle_irq_event_percpu+0xf6/0x860
     handle_irq_event_percpu+0x6b/0x160
     handle_irq_event+0xc7/0x1b0
     handle_edge_irq+0x1f4/0xa50
     handle_irq+0x41/0x70
     do_IRQ+0x9a/0x200
     common_interrupt+0x89/0x89

    Freed:
     kfree+0x113/0x4d0
     intel_unpin_work_fn+0x29a/0x3b0
     process_one_work+0x79e/0x1b70
     worker_thread+0x611/0x1460
     kthread+0x241/0x3a0
     ret_from_fork+0x27/0x40

Move queue_work() after trace_i915_flip_complete() to fix this.

Fixes: e5510fac98a7 ("drm/i915: add tracepoints for flip requests & completions")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
(cherry picked from commit 05c41f926fcc7ef838c80a6a99d84f67b4e0b824)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_display.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8913,9 +8913,9 @@ static void do_intel_finish_page_flip(st
 
 	wake_up_all(&dev_priv->pending_flip_queue);
 
-	queue_work(dev_priv->wq, &work->work);
-
 	trace_i915_flip_complete(intel_crtc->plane, work->pending_flip_obj);
+
+	queue_work(dev_priv->wq, &work->work);
 }
 
 void intel_finish_page_flip(struct drm_device *dev, int pipe)
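
Review bot: the reordering in do_intel_finish_page_flip() is only safe as
long as nothing after queue_work() touches work, and the code carries no
hint of that. Add a comment above
`queue_work(dev_priv->wq, &work->work);` saying that the work item may be
freed as soon as it is queued, so that a later change does not
reintroduce the use-after-free shown in the KASAN report.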

* [PATCH 3.16 318/370] udp: prevent skbs lingering in tunnel socket queues
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 332/370] net: mangle zero checksum in skb_checksum_help() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 333/370] dccp: do not send reset to already closed sockets Ben Hutchings
                   ` (140 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hannes Frederic Sowa, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

[ Upstream commit e5aed006be918af163eb397e45aa5ea6cefd5e01 ]

In case we find a socket with encapsulation enabled we should call
the encap_recv function even if just a udp header without payload is
available. The callbacks are responsible for correctly verifying and
dropping the packets.

Also, in case the header validation fails for geneve and vxlan we
shouldn't put the skb back into the socket queue, no one will pick
them up there.  Instead we can simply discard them in the respective
encap_recv functions.

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Drop changes to geneve
 - vxlan error checking looked a bit different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1146,7 +1146,7 @@ static int vxlan_udp_encap_recv(struct s
 
 	/* Need Vxlan and inner Ethernet header to be present */
 	if (!pskb_may_pull(skb, VXLAN_HLEN))
-		goto error;
+		goto drop;
 
 	/* Return packets with reserved bits set */
 	vxh = (struct vxlanhdr *)(udp_hdr(skb) + 1);
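
Review bot: the pskb_may_pull(skb, VXLAN_HLEN) failure now jumps to drop and the skb is freed without any trace, while the reserved-bits check in the next hunk logs through netdev_dbg() before taking the same path. Consider a matching debug message or a drop counter at this goto, otherwise truncated packets arriving on the VXLAN port are invisible when someone is chasing tunnel loss.
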
@@ -1154,7 +1154,7 @@ static int vxlan_udp_encap_recv(struct s
 	    (vxh->vx_vni & htonl(0xff))) {
 		netdev_dbg(skb->dev, "invalid vxlan flags=%#x vni=%#x\n",
 			   ntohl(vxh->vx_flags), ntohl(vxh->vx_vni));
-		goto error;
+		goto drop;
 	}
 
 	if (iptunnel_pull_header(skb, VXLAN_HLEN, htons(ETH_P_TEB)))
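
Review bot: the comment "/* Return packets with reserved bits set */" above this check is stale once the branch ends in goto drop, because the packet is now consumed by kfree_skb() instead of being handed back to the UDP stack. Reword it in the same patch, for example to "Drop packets with reserved bits set".
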
@@ -1173,10 +1173,6 @@ drop:
 	/* Consume bad packet */
 	kfree_skb(skb);
 	return 0;
-
-error:
-	/* Return non vxlan pkt */
-	return 1;
 }
 
 static void vxlan_rcv(struct vxlan_sock *vs,
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1533,7 +1533,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
 
 		/* if we're overly short, let UDP handle it */
 		encap_rcv = ACCESS_ONCE(up->encap_rcv);
-		if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) {
+		if (encap_rcv) {
 			int ret;
 
 			/* Verify checksum before giving to encap */
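
Review bot: the context comment "/* if we're overly short, let UDP handle it */" no longer describes udp_queue_rcv_skb(), since the skb->len > sizeof(struct udphdr) test it referred to is removed and header-only datagrams now reach encap_rcv. Update or delete that comment together with the condition.
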
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -631,7 +631,7 @@ int udpv6_queue_rcv_skb(struct sock *sk,
 
 		/* if we're overly short, let UDP handle it */
 		encap_rcv = ACCESS_ONCE(up->encap_rcv);
-		if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) {
+		if (encap_rcv) {
 			int ret;
 
 			/* Verify checksum before giving to encap */
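
Review bot: with the length test removed from udpv6_queue_rcv_skb() (and from its IPv4 twin above), every registered encap_rcv callback can be handed an skb that holds only the UDP header, yet this backport adjusts vxlan alone and its note says the geneve changes were dropped. Confirm that each other encap_rcv user present in 3.16 validates the length (pskb_may_pull() or equivalent) before reading past the UDP header, and fix the "overly short" comment here as well.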

* [PATCH 3.16 319/370] ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Jakub Sitnicki, Jan Tluka, Hannes Frederic Sowa

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Sitnicki <jkbs@redhat.com>

[ Upstream commit 00bc0ef5880dc7b82f9c320dead4afaad48e47be ]

At present we perform an xfrm_lookup() for each UDPv6 message we
send. The lookup involves querying the flow cache (flow_cache_lookup)
and, in case of a cache miss, creating an XFRM bundle.

If we miss the flow cache, we can end up creating a new bundle and
deriving the path MTU (xfrm_init_pmtu) from an already transformed
dst_entry, which we pass from the socket cache (sk->sk_dst_cache) down
to xfrm_lookup(). This can happen only if we're caching the dst_entry
in the socket, that is when we're using a connected UDP socket.

To put it another way, the path MTU shrinks each time we miss the flow
cache, which later on leads to incorrectly fragmented payload. It can
be observed with ESPv6 in transport mode:

  1) Set up a transformation and lower the MTU to trigger fragmentation
    # ip xfrm policy add dir out src ::1 dst ::1 \
      tmpl src ::1 dst ::1 proto esp spi 1
    # ip xfrm state add src ::1 dst ::1 \
      proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
    # ip link set dev lo mtu 1500

  2) Monitor the packet flow and set up an UDP sink
    # tcpdump -ni lo -ttt &
    # socat udp6-listen:12345,fork /dev/null &

  3) Send a datagram that needs fragmentation with a connected socket
    # perl -e 'print "@" x 1470 | socat - udp6:[::1]:12345
    2016/06/07 18:52:52 socat[724] E read(3, 0x555bb3d5ba00, 8192): Protocol error
    00:00:00.000000 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x2), length 1448
    00:00:00.000014 IP6 ::1 > ::1: frag (1448|32)
    00:00:00.000050 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x3), length 1272
    (^ ICMPv6 Parameter Problem)
    00:00:00.000022 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x5), length 136

  4) Compare it to a non-connected socket
    # perl -e 'print "@" x 1500' | socat - udp6-sendto:[::1]:12345
    00:00:40.535488 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x6), length 1448
    00:00:00.000010 IP6 ::1 > ::1: frag (1448|64)

What happens in step (3) is:

  1) when connecting the socket in __ip6_datagram_connect(), we
     perform an XFRM lookup, miss the flow cache, create an XFRM
     bundle, and cache the destination,

  2) afterwards, when sending the datagram, we perform an XFRM lookup,
     again, miss the flow cache (due to mismatch of flowi6_iif and
     flowi6_oif, which is an issue of its own), and recreate an XFRM
     bundle based on the cached (and already transformed) destination.

To prevent the recreation of an XFRM bundle, avoid an XFRM lookup
altogether whenever we already have a destination entry cached in the
socket. This prevents the path MTU shrinkage and brings us on par with
UDPv4.

The fix also benefits connected PINGv6 sockets, another user of
ip6_sk_dst_lookup_flow(), who also suffer messages being transformed
twice.

Joint work with Hannes Frederic Sowa.

Reported-by: Jan Tluka <jtluka@redhat.com>
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: deleted code is slightly different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_output.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1031,17 +1031,12 @@ struct dst_entry *ip6_sk_dst_lookup_flow
 					 const struct in6_addr *final_dst)
 {
 	struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
-	int err;
 
 	dst = ip6_sk_dst_check(sk, dst, fl6);
+	if (!dst)
+		dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
 
-	err = ip6_dst_lookup_tail(sk, &dst, fl6);
-	if (err)
-		return ERR_PTR(err);
-	if (final_dst)
-		fl6->daddr = *final_dst;
-
-	return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
+	return dst;
 }
 EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
 
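Review bot: when ip6_sk_dst_check() returns a non-NULL dst, ip6_sk_dst_lookup_flow() now returns without touching fl6, whereas the removed lines ran ip6_dst_lookup_tail() and applied fl6->daddr = *final_dst on every call. Check that no caller reads fl6 afterwards expecting those updates on a connected socket, and add a comment above the function stating that final_dst and the XFRM lookup are only applied when the socket has no valid cached dst.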

* [PATCH 3.16 304/370] packet: call fanout_release, while UNREGISTERING a netdev
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Anoob Soman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anoob Soman <anoob.soman@citrix.com>

commit 6664498280cf17a59c3e7cf1a931444c02633ed1 upstream.

If a socket has FANOUT sockopt set, a new proto_hook is registered
as part of fanout_add(). When processing a NETDEV_UNREGISTER event in
af_packet, __fanout_unlink is called for all sockets, but prot_hook which was
registered as part of fanout_add is not removed. Call fanout_release, on a
NETDEV_UNREGISTER, which removes prot_hook and removes fanout from the
fanout_list.

This fixes BUG_ON(!list_empty(&dev->ptype_specific)) in netdev_run_todo()

Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3578,6 +3578,7 @@ static int packet_notifier(struct notifi
 				}
 				if (msg == NETDEV_UNREGISTER) {
 					packet_cached_dev_reset(po);
+					fanout_release(sk);
 					po->ifindex = -1;
 					if (po->prot_hook.dev)
 						dev_put(po->prot_hook.dev);
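
Review bot: the added fanout_release(sk) call sits in a part of packet_notifier() that patch 305/370 of this series reports as running under rcu_read_lock() and spin_lock(&po->bind_lock), while fanout_release() takes fanout_mutex and ends in dev_remove_pack(), both of which can sleep. This patch should only be applied together with 305/370 ("packet: Do not call fanout_release from atomic contexts"), which takes this call out again and unregisters the hook from __fanout_unlink() instead.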

* [PATCH 3.16 279/370] rtl8150: Use heap buffers for all register access
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit 7926aff5c57b577ab0f43364ff0c59d968f6a414 upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/usb/rtl8150.c | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)

--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -155,16 +155,36 @@ static const char driver_name [] = "rtl8
 */
 static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
 {
-	return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
-			       RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
-			       indx, 0, data, size, 500);
+	void *buf;
+	int ret;
+
+	buf = kmalloc(size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
+	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
+			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
+			      indx, 0, buf, size, 500);
+	if (ret > 0 && ret <= size)
+		memcpy(data, buf, ret);
+	kfree(buf);
+	return ret;
 }
 
-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
 {
-	return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
-			       RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
-			       indx, 0, data, size, 500);
+	void *buf;
+	int ret;
+
+	buf = kmemdup(data, size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
+	ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+			      RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
+			      indx, 0, buf, size, 500);
+	kfree(buf);
+	return ret;
 }
 
 static void async_set_reg_cb(struct urb *urb)
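
Review bot: in get_registers() the guard "if (ret > 0 && ret <= size)" skips the memcpy() when ret is outside that range, but the function still returns ret unchanged, so a caller that only tests for a negative value treats untouched or partly filled data as a successful read. Either convert any ret != size into an error (for example -EIO) inside the helper, or state in the comment above it that callers must compare the return value with size.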

* [PATCH 3.16 305/370] packet: Do not call fanout_release from atomic contexts
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Anoob Soman, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anoob Soman <anoob.soman@citrix.com>

commit 2bd624b4611ffee36422782d16e1c944d1351e98 upstream.

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
[  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
[  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
[  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
[  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
[  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
[  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
[  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
[  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
[  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&fanout->prot_hook), from inside
spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-> synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
[  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
[  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
[  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
[  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
[  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
[  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
[  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
[  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout->prot_hook is removed as well.

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Don't call fanout_release_data()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1402,6 +1402,8 @@ static void __fanout_link(struct sock *s
 	f->arr[f->num_members] = sk;
 	smp_wmb();
 	f->num_members++;
+	if (f->num_members == 1)
+		dev_add_pack(&f->prot_hook);
 	spin_unlock(&f->lock);
 }
 
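Review bot: dev_add_pack(&f->prot_hook) now runs inside the f->lock critical section (the spin_unlock(&f->lock) comes right after it), which is a lock nesting that did not exist while fanout_add() did the registration. Add a comment saying the hook is registered on the 0 to 1 member transition and that whatever is called here must not sleep.
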
@@ -1418,6 +1420,8 @@ static void __fanout_unlink(struct sock
 	BUG_ON(i >= f->num_members);
 	f->arr[i] = f->arr[f->num_members - 1];
 	f->num_members--;
+	if (f->num_members == 0)
+		__dev_remove_pack(&f->prot_hook);
 	spin_unlock(&f->lock);
 }
 
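Review bot: __dev_remove_pack() is used here without the synchronize_net() that the changelog (item 3) attributes to dev_remove_pack(), so f->prot_hook can still be in use by receivers when __fanout_unlink() returns. The only grace period left is the synchronize_net() in packet_release() before kfree(f); say so in a comment at this call so a later caller does not free the packet_fanout early.
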
@@ -1490,7 +1494,6 @@ static int fanout_add(struct sock *sk, u
 		match->prot_hook.func = packet_rcv_fanout;
 		match->prot_hook.af_packet_priv = match;
 		match->prot_hook.id_match = match_fanout_group;
-		dev_add_pack(&match->prot_hook);
 		list_add(&match->list, &fanout_list);
 	}
 	err = -EINVAL;
@@ -1511,7 +1514,12 @@ out:
 	return err;
 }
 
-static void fanout_release(struct sock *sk)
+/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes
+ * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout.
+ * It is the responsibility of the caller to call fanout_release_data() and
+ * free the returned packet_fanout (after synchronize_net())
+ */
+static struct packet_fanout *fanout_release(struct sock *sk)
 {
 	struct packet_sock *po = pkt_sk(sk);
 	struct packet_fanout *f;
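
Review bot: the new comment above fanout_release() tells the caller to call fanout_release_data(), but the backport note for this patch says that call is not made in 3.16, and packet_release() further down only does kfree(f) after synchronize_net(). Reword the comment for this tree so it describes what the 3.16 caller actually has to do.
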
@@ -1521,13 +1529,14 @@ static void fanout_release(struct sock *
 	if (f) {
 		po->fanout = NULL;
 
-		if (atomic_dec_and_test(&f->sk_ref)) {
+		if (atomic_dec_and_test(&f->sk_ref))
 			list_del(&f->list);
-			dev_remove_pack(&f->prot_hook);
-			kfree(f);
-		}
+		else
+			f = NULL;
 	}
 	mutex_unlock(&fanout_mutex);
+
+	return f;
 }
 
 static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
@@ -2606,6 +2615,7 @@ static int packet_release(struct socket
 {
 	struct sock *sk = sock->sk;
 	struct packet_sock *po;
+	struct packet_fanout *f;
 	struct net *net;
 	union tpacket_req_u req_u;
 
@@ -2645,9 +2655,12 @@ static int packet_release(struct socket
 		packet_set_ring(sk, &req_u, 1, 1);
 	}
 
-	fanout_release(sk);
+	f = fanout_release(sk);
 
 	synchronize_net();
+
+	kfree(f);
+
 	/*
 	 *	Now the socket is dead. No more input will appear.
 	 */
@@ -3577,7 +3590,6 @@ static int packet_notifier(struct notifi
 				}
 				if (msg == NETDEV_UNREGISTER) {
 					packet_cached_dev_reset(po);
-					fanout_release(sk);
 					po->ifindex = -1;
 					if (po->prot_hook.dev)
 						dev_put(po->prot_hook.dev);

* [PATCH 3.16 269/370] drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, Ilia Mirkin, Ben Skeggs

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ilia Mirkin <imirkin@alum.mit.edu>

commit 24bf7ae359b8cca165bb30742d2b1c03a1eb23af upstream.

Based on the xf86-video-nv code, NFORCE (NV1A) and NFORCE2 (NV1F) have a
different way of retrieving clocks. See the
nv_hw.c:nForceUpdateArbitrationSettings function in the original code
for how these clocks were accessed.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54587
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/dispnv04/hw.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/dispnv04/hw.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/hw.c
@@ -225,6 +225,7 @@ nouveau_hw_get_clock(struct drm_device *
 		uint32_t mpllP;
 
 		pci_read_config_dword(pci_get_bus_and_slot(0, 3), 0x6c, &mpllP);
+		mpllP = (mpllP >> 8) & 0xf;
 		if (!mpllP)
 			mpllP = 4;
 
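Review bot: "mpllP = (mpllP >> 8) & 0xf;" is a bare bitfield extraction with no name for the field it pulls out of config register 0x6c. Add a short comment identifying the field and pointing at nForceUpdateArbitrationSettings, which the changelog cites as the reference. Separately, the context line passes pci_get_bus_and_slot(0, 3) straight into pci_read_config_dword() with no NULL check and no pci_dev_put(), which deserves a follow-up.
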
@@ -235,7 +236,7 @@ nouveau_hw_get_clock(struct drm_device *
 		uint32_t clock;
 
 		pci_read_config_dword(pci_get_bus_and_slot(0, 5), 0x4c, &clock);
-		return clock;
+		return clock / 1000;
 	}
 
 	ret = nouveau_hw_get_pllvals(dev, plltype, &pllvals);
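
Review bot: "return clock / 1000;" changes the unit of the value returned on this path without stating either unit. A one-line comment giving the unit of the value read from register 0x4c and the unit nouveau_hw_get_clock() is expected to return would let a reader check the divisor against the other return paths.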

* [PATCH 3.16 281/370] catc: Use heap buffer for memory size test
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable; +Cc: akpm, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit 2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478 upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/usb/catc.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

--- a/drivers/net/usb/catc.c
+++ b/drivers/net/usb/catc.c
@@ -777,7 +777,7 @@ static int catc_probe(struct usb_interfa
 	struct net_device *netdev;
 	struct catc *catc;
 	u8 broadcast[ETH_ALEN];
-	int i, pktsz, ret;
+	int pktsz, ret;
 
 	if (usb_set_interface(usbdev,
 			intf->altsetting->desc.bInterfaceNumber, 1)) {
@@ -841,15 +841,24 @@ static int catc_probe(struct usb_interfa
                 catc->irq_buf, 2, catc_irq_done, catc, 1);
 
 	if (!catc->is_f5u011) {
+		u32 *buf;
+		int i;
+
 		dev_dbg(dev, "Checking memory size\n");
 
-		i = 0x12345678;
-		catc_write_mem(catc, 0x7a80, &i, 4);
-		i = 0x87654321;	
-		catc_write_mem(catc, 0xfa80, &i, 4);
-		catc_read_mem(catc, 0x7a80, &i, 4);
+		buf = kmalloc(4, GFP_KERNEL);
+		if (!buf) {
+			ret = -ENOMEM;
+			goto fail_free;
+		}
+
+		*buf = 0x12345678;
+		catc_write_mem(catc, 0x7a80, buf, 4);
+		*buf = 0x87654321;
+		catc_write_mem(catc, 0xfa80, buf, 4);
+		catc_read_mem(catc, 0x7a80, buf, 4);
 	  
-		switch (i) {
+		switch (*buf) {
 		case 0x12345678:
 			catc_set_reg(catc, TxBufCount, 8);
 			catc_set_reg(catc, RxBufCount, 32);
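
Review bot: the results of catc_write_mem() and catc_read_mem() are not checked in the memory size probe, so if the read fails *buf still holds 0x87654321 from the second write and "switch (*buf)" decides the buffer configuration from a value the driver wrote itself. Now that this block already has an error path (goto fail_free for the allocation), check the transfer results and fail the probe the same way. Minor: kmalloc(sizeof(*buf), GFP_KERNEL) would keep the size tied to the type instead of the literal 4.
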
@@ -864,6 +873,8 @@ static int catc_probe(struct usb_interfa
 			dev_dbg(dev, "32k Memory\n");
 			break;
 		}
+
+		kfree(buf);
 	  
 		dev_dbg(dev, "Getting MAC from SEEROM.\n");
 	  

* [PATCH 3.16 278/370] pegasus: Use heap buffers for all register access
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Lisandro Damián Nicanor Pérez Meyer

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit 5593523f968bc86d42a035c6df47d5e0979b5ace upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
References: https://bugs.debian.org/852556
Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/usb/pegasus.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct u
 
 static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
 {
+	u8 *buf;
 	int ret;
 
+	buf = kmalloc(size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
 	ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
 			      PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
-			      indx, data, size, 1000);
+			      indx, buf, size, 1000);
 	if (ret < 0)
 		netif_dbg(pegasus, drv, pegasus->net,
 			  "%s returned %d\n", __func__, ret);
+	else if (ret <= size)
+		memcpy(data, buf, ret);
+	kfree(buf);
 	return ret;
 }
 
-static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
+			 const void *data)
 {
+	u8 *buf;
 	int ret;
 
+	buf = kmemdup(data, size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
 	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
 			      PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
-			      indx, data, size, 100);
+			      indx, buf, size, 100);
 	if (ret < 0)
 		netif_dbg(pegasus, drv, pegasus->net,
 			  "%s returned %d\n", __func__, ret);
+	kfree(buf);
 	return ret;
 }
 
 static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
 {
+	u8 *buf;
 	int ret;
 
+	buf = kmemdup(&data, 1, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
 	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
 			      PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
-			      indx, &data, 1, 1000);
+			      indx, buf, 1, 1000);
 	if (ret < 0)
 		netif_dbg(pegasus, drv, pegasus->net,
 			  "%s returned %d\n", __func__, ret);
+	kfree(buf);
 	return ret;
 }
 
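Review bot: get_registers(), set_registers() and set_register() gain an early "return -ENOMEM" that happens before any USB transfer and bypasses the netif_dbg() that reports transfer failures, so a caller that ignores the return value now silently loses a register access under memory pressure. Log the allocation failure through the same netif_dbg() call, or audit the callers of these helpers for unchecked return values as part of this change.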

* [PATCH 3.16 307/370] Fix missing sanity check in /dev/sg
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, Linus Torvalds, Dmitry Vyukov, Al Viro, Al Viro

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 137d01df511b3afe1f05499aea05f3bafc0fb221 upstream.

What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len.  Or with ->dxferp pointing
to an array full of empty iovecs.

Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...

Found by Dmitry Vyukov and syzkaller.

[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
  underlying issue.  - Linus ]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: we're not using iov_iter, but can check the
 byte length after truncation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/sg.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1716,6 +1716,10 @@ static int sg_start_req(Sg_request *srp,
 			iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
 			len = hp->dxfer_len;
 		}
+		if (len == 0) {
+			kfree(iov);
+			return -EINVAL;
+		}
 
 		res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
 					  iov_count,
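
Review bot: the new "if (len == 0)" test in sg_start_req() only closes the "array full of empty iovecs" case from the changelog if len holds the summed byte length of the iovec array at this point; the visible context assigns it only in the truncation branch (len = hp->dxfer_len). Confirm that the assignment above the hunk is that total, and add a comment at the check saying a zero-length mapping must not reach blk_rq_map_user_iov(), so the test is not later removed as redundant.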

* [PATCH 3.16 274/370] mm, fs: check for fatal signals in do_generic_file_read()
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, Linus Torvalds, Al Viro, Michal Hocko,
	Tetsuo Handa

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit 5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6 upstream.

do_generic_file_read() can be told to perform a large request from
userspace.  If the system is under OOM and the reading task is the OOM
victim then it has an access to memory reserves and finishing the full
request can lead to the full memory depletion which is dangerous.  Make
sure we rather go with a short read and allow the killed task to
terminate.

Link: http://lkml.kernel.org/r/20170201092706.9966-3-mhocko@kernel.org
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/filemap.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1482,6 +1482,11 @@ static ssize_t do_generic_file_read(stru
 
 		cond_resched();
 find_page:
+		if (fatal_signal_pending(current)) {
+			error = -EINTR;
+			goto out;
+		}
+
 		page = find_get_page(mapping, index);
 		if (!page) {
 			page_cache_sync_readahead(mapping,
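
Review bot: the fatal_signal_pending(current) check at find_page has no comment, and setting error = -EINTR only gives the "short read" the changelog asks for if the code at the out label returns the bytes already copied in preference to error. Confirm that behaviour at out, and add a comment here explaining that the check exists so an OOM victim stops consuming memory reserves.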

* [PATCH 3.16 296/370] futex: Move futex_init() to core_initcall
From: Ben Hutchings @ 2017-03-10 11:46 UTC
  To: linux-kernel, stable
  Cc: akpm, jiang.zhengxiong, zhong.weidong, deng.huali,
	Peter Zijlstra, jiang.biao2, Thomas Gleixner, Yang Yang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yang <yang.yang29@zte.com.cn>

commit 25f71d1c3e98ef0e52371746220d66458eac75bc upstream.

The UEVENT user mode helper is enabled before the initcalls are executed
and is available when the root filesystem has been mounted.

The user mode helper is triggered by device init calls and the executable
might use the futex syscall.

futex_init() is marked __initcall which maps to device_initcall, but there
is no guarantee that futex_init() is invoked _before_ the first device init
call which triggers the UEVENT user mode helper.

If the user mode helper uses the futex syscall before futex_init() then the
syscall crashes with a NULL pointer dereference because the futex subsystem
has not been initialized yet.

Move futex_init() to core_initcall so futexes are initialized before the
root filesystem is mounted and the usermode helper becomes available.

[ tglx: Rewrote changelog ]

Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
Cc: jiang.biao2@zte.com.cn
Cc: jiang.zhengxiong@zte.com.cn
Cc: zhong.weidong@zte.com.cn
Cc: deng.huali@zte.com.cn
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1483085875-6130-1-git-send-email-yang.yang29@zte.com.cn
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/futex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3085,4 +3085,4 @@ static int __init futex_init(void)
 
 	return 0;
 }
-__initcall(futex_init);
+core_initcall(futex_init);
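
Review bot: the switch to core_initcall(futex_init) carries an ordering requirement that is recorded only in the changelog. A short comment next to the initcall saying that futexes must be ready before the usermode helper can run would stop a later cleanup from moving it back to __initcall. It is also worth checking that nothing futex_init() relies on is set up at a later initcall level, which the hunk does not show.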

* [PATCH 3.16 277/370] ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Vyukov, Takashi Iwai

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream.

snd_seq_pool_done() syncs with closing of all opened threads, but it
aborts the wait loop with a timeout, and proceeds to release the
resources even if not all threads have been closed.  The timeout was 5
seconds, and if you run some crazy stuff, it can easily be exceeded, and
may result in access to an invalid memory address -- this is what
syzkaller detected in a bug report.

As a fix, let the code graduate from naiveness and simply remove the loop
timeout.

BugLink: http://lkml.kernel.org/r/CACT4Y+YdhDV2H5LLzDTJDVF-qiYHUHhtRaW4rbb4gUhTCQB81w@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_memory.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_poo
 {
 	unsigned long flags;
 	struct snd_seq_event_cell *ptr;
-	int max_count = 5 * HZ;
 
 	if (snd_BUG_ON(!pool))
 		return -EINVAL;
@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_poo
 	if (waitqueue_active(&pool->output_sleep))
 		wake_up(&pool->output_sleep);
 
-	while (atomic_read(&pool->counter) > 0) {
-		if (max_count == 0) {
-			pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter));
-			break;
-		}
+	while (atomic_read(&pool->counter) > 0)
 		schedule_timeout_uninterruptible(1);
-		max_count--;
-	}
 	
 	/* release all resources */
 	spin_lock_irqsave(&pool->lock, flags);
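
Review bot: with the bound gone, the loop `while (atomic_read(&pool->counter) > 0)` sleeps in uninterruptible state until every cell is returned, and the pr_warn that reported how many cells remained is removed along with it. If a cell is ever leaked, the closing task now hangs with no diagnostic. Consider keeping a one-time or periodic warning after a long wait, without the break, so that the release below still runs only once the counter has reached zero.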

* [PATCH 3.16 261/370] sysctl: fix proc_doulongvec_ms_jiffies_minmax()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit ff9f8a7cf935468a94d9927c68b00daae701667e upstream.

We perform the conversion between kernel jiffies and ms only when
exporting the kernel value to user space.

We need to do the opposite operation when a value is written by the user.

This only matters when HZ != 1000.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sysctl.c | 1 +
 1 file changed, 1 insertion(+)

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2317,6 +2317,7 @@ static int __do_proc_doulongvec_minmax(v
 				break;
 			if (neg)
 				continue;
+			val = convmul * val / convdiv;
 			if ((min && val < *min) || (max && val > *max))
 				continue;
 			*i = val;
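
Review bot: `val = convmul * val / convdiv;` multiplies before dividing and has no overflow check, so a large value written from user space can wrap and then pass the min/max test that follows on the wrapped result. Consider rejecting the write when val is larger than the biggest value that can be multiplied by convmul without wrapping, before converting. Placing the conversion ahead of the range check is right, since the check and the store at `*i = val` then see the same converted value.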

* [PATCH 3.16 289/370] ping: fix a null pointer dereference
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andrey Konovalov, WANG Cong, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 upstream.

Andrey reported a kernel crash:

  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff880060048040 task.stack: ffff880069be8000
  RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
  RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
  RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
  RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
  RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
  R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
  R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
  FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
  Call Trace:
   inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
   sock_sendmsg_nosec net/socket.c:635 [inline]
   sock_sendmsg+0xca/0x110 net/socket.c:645
   SYSC_sendto+0x660/0x810 net/socket.c:1687
   SyS_sendto+0x40/0x50 net/socket.c:1655
   entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because we miss a check for NULL pointer for skb_peek() when
the queue is empty. Other places already have the same check.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/ping.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -646,6 +646,8 @@ static int ping_v4_push_pending_frames(s
 {
 	struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
 
+	if (!skb)
+		return 0;
 	pfh->wcheck = csum_partial((char *)&pfh->icmph,
 		sizeof(struct icmphdr), pfh->wcheck);
 	pfh->icmph.checksum = csum_fold(pfh->wcheck);
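
Review bot: the new `if (!skb) return 0;` reports success to the caller although nothing was queued to send. If an empty write queue is an expected state here, a comment saying so would help; if it indicates an earlier failure, returning that error would be more accurate than 0. The check itself is correctly placed directly after skb_peek(), before anything else runs.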

* [PATCH 3.16 300/370] net: xilinx_emaclite: fix receive buffer overflow
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit cd224553641848dd17800fe559e4ff5d208553e8 upstream.

xilinx_emaclite looks at the received data to try to determine the
Ethernet packet length but does not properly clamp it if
proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
overflow and a panic via skb_panic() as the length exceeds the allocated
skb size.

Fix those cases.

Also add an additional unconditional check with WARN_ON() at the end.

Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -371,7 +371,7 @@ static int xemaclite_send_data(struct ne
  *
  * Return:	Total number of bytes received
  */
-static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
+static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data, int maxlen)
 {
 	void __iomem *addr;
 	u16 length, proto_type;
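
Review bot: the kernel-doc block above xemaclite_recv_data() is not updated for the new maxlen parameter; add an @maxlen line describing it as the size of the buffer behind data. maxlen is also declared int while length is u16, so the later `length > maxlen` comparison mixes signedness; an unsigned type for maxlen would rule out a negative bound.
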
@@ -411,7 +411,7 @@ static u16 xemaclite_recv_data(struct ne
 
 	/* Check if received ethernet frame is a raw ethernet frame
 	 * or an IP packet or an ARP packet */
-	if (proto_type > (ETH_FRAME_LEN + ETH_FCS_LEN)) {
+	if (proto_type > ETH_DATA_LEN) {
 
 		if (proto_type == ETH_P_IP) {
 			length = ((ntohl(__raw_readl(addr +
@@ -419,6 +419,7 @@ static u16 xemaclite_recv_data(struct ne
 					XEL_RXBUFF_OFFSET)) >>
 					XEL_HEADER_SHIFT) &
 					XEL_RPLR_LENGTH_MASK);
+			length = min_t(u16, length, ETH_DATA_LEN);
 			length += ETH_HLEN + ETH_FCS_LEN;
 
 		} else if (proto_type == ETH_P_ARP)
@@ -431,6 +432,9 @@ static u16 xemaclite_recv_data(struct ne
 		/* Use the length in the frame, plus the header and trailer */
 		length = proto_type + ETH_HLEN + ETH_FCS_LEN;
 
+	if (WARN_ON(length > maxlen))
+		length = maxlen;
+
 	/* Read from the EmacLite device */
 	xemaclite_aligned_read((u32 __force *) (addr + XEL_RXBUFF_OFFSET),
 				data, length);
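
Review bot: `WARN_ON(length > maxlen)` is evaluated on a length derived from the received frame, so if it can still fire after the clamps above, every such frame produces a full backtrace. WARN_ON_ONCE() or a rate-limited message keeps the final clamp to maxlen while bounding the log volume. A frame shortened here is still read and its length returned as if it were complete; consider whether it should be counted as a receive error instead.
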
@@ -605,7 +609,7 @@ static void xemaclite_rx_handler(struct
 
 	skb_reserve(skb, 2);
 
-	len = xemaclite_recv_data(lp, (u8 *) skb->data);
+	len = xemaclite_recv_data(lp, (u8 *) skb->data, len);
 
 	if (!len) {
 		dev->stats.rx_errors++;
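
Review bot: in `len = xemaclite_recv_data(lp, (u8 *) skb->data, len);` the variable len is both the buffer limit passed in and the result assigned back, and the call comes after skb_reserve(skb, 2). The hunk does not show how len is set, so please confirm that its value at this point fits in the room left after the two reserved bytes; otherwise the clamp in xemaclite_recv_data() is too generous. A separate variable for the limit would also read more clearly.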

* [PATCH 3.16 270/370] mmc: sdhci: Ignore unexpected CARD_INT interrupts
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adrian Hunter, Gabriel Krisman Bertazi, Ulf Hansson

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriel Krisman Bertazi <krisman@collabora.co.uk>

commit 161e6d44a5e2d3f85365cb717d60e363171b39e6 upstream.

One of our kernelCI boxes hung at boot because a faulty eSDHC device
was triggering spurious CARD_INT interrupts for SD cards, causing CMD52
reads, which are not allowed for SD devices.  This adds a sanity check
to the interruption path, preventing that illegal command from getting
sent if the CARD_INT interruption should be disabled.

This quirk allows that particular machine to resume boot despite the
faulty hardware, instead of getting hung dealing with thousands of
mishandled interrupts.

Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/sdhci.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2485,7 +2485,8 @@ static irqreturn_t sdhci_irq(int irq, vo
 			pr_err("%s: Card is consuming too much power!\n",
 				mmc_hostname(host->mmc));
 
-		if (intmask & SDHCI_INT_CARD_INT) {
+		if ((intmask & SDHCI_INT_CARD_INT) &&
+		    (host->ier & SDHCI_INT_CARD_INT)) {
 			sdhci_enable_sdio_irq_nolock(host, false);
 			host->thread_isr |= SDHCI_INT_CARD_INT;
 			result = IRQ_WAKE_THREAD;
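
Review bot: when SDHCI_INT_CARD_INT is set in intmask but not in host->ier, the new condition skips the block silently, and the hunk does not show the bit being cleared from intmask or acknowledged. Please check what the rest of sdhci_irq() does with a CARD_INT bit left unhandled, so that it neither keeps re-asserting nor gets reported as a different fault, and add a short comment that the second test guards against hardware raising CARD_INT while it is masked.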

* [PATCH 3.16 301/370] net: xilinx_emaclite: fix freezes due to unordered I/O
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit acf138f1b00bdd1b7cd9894562ed0c2a1670888e upstream.

The xilinx_emaclite uses __raw_writel and __raw_readl for register
accesses. Those functions do not imply any kind of memory barriers and
they may be reordered.

The driver does not seem to take that into account, though, and the
driver does not satisfy the ordering requirements of the hardware.
For clear examples, see xemaclite_mdio_write() and xemaclite_mdio_read()
which try to set MDIO address before initiating the transaction.

I'm seeing system freezes with the driver with GCC 5.4 and current
Linux kernels on Zynq-7000 SoC immediately when trying to use the
interface.

In commit 123c1407af87 ("net: emaclite: Do not use microblaze and ppc
IO functions") the driver was switched from non-generic
in_be32/out_be32 (memory barriers, big endian) to
__raw_readl/__raw_writel (no memory barriers, native endian), so
apparently the device follows system endianness and the driver was
originally written with the assumption of memory barriers.

Rather than try to hunt for each case of missing barrier, just switch
the driver to use iowrite32/ioread32/iowrite32be/ioread32be depending
on endianness instead.

Tested on little-endian Zynq-7000 ARM SoC FPGA.

Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Fixes: 123c1407af87 ("net: emaclite: Do not use microblaze and ppc IO
functions")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/xilinx/xilinx_emaclite.c | 116 ++++++++++++++------------
 1 file changed, 62 insertions(+), 54 deletions(-)

--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -100,6 +100,14 @@
 /* BUFFER_ALIGN(adr) calculates the number of bytes to the next alignment. */
 #define BUFFER_ALIGN(adr) ((ALIGNMENT - ((u32) adr)) % ALIGNMENT)
 
+#ifdef __BIG_ENDIAN
+#define xemaclite_readl		ioread32be
+#define xemaclite_writel	iowrite32be
+#else
+#define xemaclite_readl		ioread32
+#define xemaclite_writel	iowrite32
+#endif
+
 /**
  * struct net_local - Our private per device data
  * @ndev:		instance of the network device
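
Review bot: the `#ifdef __BIG_ENDIAN` selection hard-codes the assumption, stated only in the changelog and there as "apparently", that the device registers follow CPU endianness, and the change was tested on little-endian hardware only. A comment above the xemaclite_readl/xemaclite_writel definitions recording that assumption would help anyone who meets a configuration where the two differ.
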
@@ -158,15 +166,15 @@ static void xemaclite_enable_interrupts(
 	u32 reg_data;
 
 	/* Enable the Tx interrupts for the first Buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data | XEL_TSR_XMIT_IE_MASK,
-		     drvdata->base_addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data | XEL_TSR_XMIT_IE_MASK,
+			 drvdata->base_addr + XEL_TSR_OFFSET);
 
 	/* Enable the Rx interrupts for the first buffer */
-	__raw_writel(XEL_RSR_RECV_IE_MASK, drvdata->base_addr + XEL_RSR_OFFSET);
+	xemaclite_writel(XEL_RSR_RECV_IE_MASK, drvdata->base_addr + XEL_RSR_OFFSET);
 
 	/* Enable the Global Interrupt Enable */
-	__raw_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
+	xemaclite_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
 }
 
 /**
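
Review bot: the converted one-line calls that write XEL_RSR_RECV_IE_MASK and XEL_GIER_GIE_MASK now run past 80 columns. Wrap the second argument onto its own line, as the XEL_TSR_XMIT_IE_MASK write just above them does.
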
@@ -181,17 +189,17 @@ static void xemaclite_disable_interrupts
 	u32 reg_data;
 
 	/* Disable the Global Interrupt Enable */
-	__raw_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
+	xemaclite_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
 
 	/* Disable the Tx interrupts for the first buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data & (~XEL_TSR_XMIT_IE_MASK),
-		     drvdata->base_addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data & (~XEL_TSR_XMIT_IE_MASK),
+			 drvdata->base_addr + XEL_TSR_OFFSET);
 
 	/* Disable the Rx interrupts for the first buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_RSR_OFFSET);
-	__raw_writel(reg_data & (~XEL_RSR_RECV_IE_MASK),
-		     drvdata->base_addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_RSR_OFFSET);
+	xemaclite_writel(reg_data & (~XEL_RSR_RECV_IE_MASK),
+			 drvdata->base_addr + XEL_RSR_OFFSET);
 }
 
 /**
@@ -323,7 +331,7 @@ static int xemaclite_send_data(struct ne
 		byte_count = ETH_FRAME_LEN;
 
 	/* Check if the expected buffer is available */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 	if ((reg_data & (XEL_TSR_XMIT_BUSY_MASK |
 	     XEL_TSR_XMIT_ACTIVE_MASK)) == 0) {
 
@@ -336,7 +344,7 @@ static int xemaclite_send_data(struct ne
 
 		addr = (void __iomem __force *)((u32 __force)addr ^
 						 XEL_BUFFER_OFFSET);
-		reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+		reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 
 		if ((reg_data & (XEL_TSR_XMIT_BUSY_MASK |
 		     XEL_TSR_XMIT_ACTIVE_MASK)) != 0)
@@ -347,16 +355,16 @@ static int xemaclite_send_data(struct ne
 	/* Write the frame to the buffer */
 	xemaclite_aligned_write(data, (u32 __force *) addr, byte_count);
 
-	__raw_writel((byte_count & XEL_TPLR_LENGTH_MASK),
-		     addr + XEL_TPLR_OFFSET);
+	xemaclite_writel((byte_count & XEL_TPLR_LENGTH_MASK),
+			 addr + XEL_TPLR_OFFSET);
 
 	/* Update the Tx Status Register to indicate that there is a
 	 * frame to send. Set the XEL_TSR_XMIT_ACTIVE_MASK flag which
 	 * is used by the interrupt handler to check whether a frame
 	 * has been transmitted */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 	reg_data |= (XEL_TSR_XMIT_BUSY_MASK | XEL_TSR_XMIT_ACTIVE_MASK);
-	__raw_writel(reg_data, addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data, addr + XEL_TSR_OFFSET);
 
 	return 0;
 }
@@ -381,7 +389,7 @@ static u16 xemaclite_recv_data(struct ne
 	addr = (drvdata->base_addr + drvdata->next_rx_buf_to_use);
 
 	/* Verify which buffer has valid data */
-	reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 
 	if ((reg_data & XEL_RSR_RECV_DONE_MASK) == XEL_RSR_RECV_DONE_MASK) {
 		if (drvdata->rx_ping_pong != 0)
@@ -398,14 +406,14 @@ static u16 xemaclite_recv_data(struct ne
 			return 0;	/* No data was available */
 
 		/* Verify that buffer has valid data */
-		reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+		reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 		if ((reg_data & XEL_RSR_RECV_DONE_MASK) !=
 		     XEL_RSR_RECV_DONE_MASK)
 			return 0;	/* No data was available */
 	}
 
 	/* Get the protocol type of the ethernet frame that arrived */
-	proto_type = ((ntohl(__raw_readl(addr + XEL_HEADER_OFFSET +
+	proto_type = ((ntohl(xemaclite_readl(addr + XEL_HEADER_OFFSET +
 			XEL_RXBUFF_OFFSET)) >> XEL_HEADER_SHIFT) &
 			XEL_RPLR_LENGTH_MASK);
 
@@ -414,7 +422,7 @@ static u16 xemaclite_recv_data(struct ne
 	if (proto_type > ETH_DATA_LEN) {
 
 		if (proto_type == ETH_P_IP) {
-			length = ((ntohl(__raw_readl(addr +
+			length = ((ntohl(xemaclite_readl(addr +
 					XEL_HEADER_IP_LENGTH_OFFSET +
 					XEL_RXBUFF_OFFSET)) >>
 					XEL_HEADER_SHIFT) &
@@ -440,9 +448,9 @@ static u16 xemaclite_recv_data(struct ne
 				data, length);
 
 	/* Acknowledge the frame */
-	reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 	reg_data &= ~XEL_RSR_RECV_DONE_MASK;
-	__raw_writel(reg_data, addr + XEL_RSR_OFFSET);
+	xemaclite_writel(reg_data, addr + XEL_RSR_OFFSET);
 
 	return length;
 }
@@ -469,14 +477,14 @@ static void xemaclite_update_address(str
 
 	xemaclite_aligned_write(address_ptr, (u32 __force *) addr, ETH_ALEN);
 
-	__raw_writel(ETH_ALEN, addr + XEL_TPLR_OFFSET);
+	xemaclite_writel(ETH_ALEN, addr + XEL_TPLR_OFFSET);
 
 	/* Update the MAC address in the EmacLite */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data | XEL_TSR_PROG_MAC_ADDR, addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data | XEL_TSR_PROG_MAC_ADDR, addr + XEL_TSR_OFFSET);
 
 	/* Wait for EmacLite to finish with the MAC address update */
-	while ((__raw_readl(addr + XEL_TSR_OFFSET) &
+	while ((xemaclite_readl(addr + XEL_TSR_OFFSET) &
 		XEL_TSR_PROG_MAC_ADDR) != 0)
 		;
 }
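
Review bot: the poll on XEL_TSR_PROG_MAC_ADDR at the end of xemaclite_update_address() is converted to xemaclite_readl() but still has no timeout, so a device that never clears the bit spins forever. xemaclite_mdio_wait(), touched later in this same patch, bounds its poll with jiffies and WARN_ON(1); the same pattern would fit here. Since the loop predates this change, that can be a follow-up.
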
@@ -646,32 +654,32 @@ static irqreturn_t xemaclite_interrupt(i
 	u32 tx_status;
 
 	/* Check if there is Rx Data available */
-	if ((__raw_readl(base_addr + XEL_RSR_OFFSET) &
+	if ((xemaclite_readl(base_addr + XEL_RSR_OFFSET) &
 			 XEL_RSR_RECV_DONE_MASK) ||
-	    (__raw_readl(base_addr + XEL_BUFFER_OFFSET + XEL_RSR_OFFSET)
+	    (xemaclite_readl(base_addr + XEL_BUFFER_OFFSET + XEL_RSR_OFFSET)
 			 & XEL_RSR_RECV_DONE_MASK))
 
 		xemaclite_rx_handler(dev);
 
 	/* Check if the Transmission for the first buffer is completed */
-	tx_status = __raw_readl(base_addr + XEL_TSR_OFFSET);
+	tx_status = xemaclite_readl(base_addr + XEL_TSR_OFFSET);
 	if (((tx_status & XEL_TSR_XMIT_BUSY_MASK) == 0) &&
 		(tx_status & XEL_TSR_XMIT_ACTIVE_MASK) != 0) {
 
 		tx_status &= ~XEL_TSR_XMIT_ACTIVE_MASK;
-		__raw_writel(tx_status, base_addr + XEL_TSR_OFFSET);
+		xemaclite_writel(tx_status, base_addr + XEL_TSR_OFFSET);
 
 		tx_complete = true;
 	}
 
 	/* Check if the Transmission for the second buffer is completed */
-	tx_status = __raw_readl(base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
+	tx_status = xemaclite_readl(base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
 	if (((tx_status & XEL_TSR_XMIT_BUSY_MASK) == 0) &&
 		(tx_status & XEL_TSR_XMIT_ACTIVE_MASK) != 0) {
 
 		tx_status &= ~XEL_TSR_XMIT_ACTIVE_MASK;
-		__raw_writel(tx_status, base_addr + XEL_BUFFER_OFFSET +
-			     XEL_TSR_OFFSET);
+		xemaclite_writel(tx_status, base_addr + XEL_BUFFER_OFFSET +
+				 XEL_TSR_OFFSET);
 
 		tx_complete = true;
 	}
@@ -704,7 +712,7 @@ static int xemaclite_mdio_wait(struct ne
 	/* wait for the MDIO interface to not be busy or timeout
 	   after some time.
 	*/
-	while (__raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET) &
+	while (xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET) &
 			XEL_MDIOCTRL_MDIOSTS_MASK) {
 		if (time_before_eq(end, jiffies)) {
 			WARN_ON(1);
@@ -740,17 +748,17 @@ static int xemaclite_mdio_read(struct mi
 	 * MDIO Address register. Set the Status bit in the MDIO Control
 	 * register to start a MDIO read transaction.
 	 */
-	ctrl_reg = __raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
-	__raw_writel(XEL_MDIOADDR_OP_MASK |
-		     ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
-		     lp->base_addr + XEL_MDIOADDR_OFFSET);
-	__raw_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	ctrl_reg = xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(XEL_MDIOADDR_OP_MASK |
+			 ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
+			 lp->base_addr + XEL_MDIOADDR_OFFSET);
+	xemaclite_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	if (xemaclite_mdio_wait(lp))
 		return -ETIMEDOUT;
 
-	rc = __raw_readl(lp->base_addr + XEL_MDIORD_OFFSET);
+	rc = xemaclite_readl(lp->base_addr + XEL_MDIORD_OFFSET);
 
 	dev_dbg(&lp->ndev->dev,
 		"xemaclite_mdio_read(phy_id=%i, reg=%x) == %x\n",
@@ -787,13 +795,13 @@ static int xemaclite_mdio_write(struct m
 	 * Data register. Finally, set the Status bit in the MDIO Control
 	 * register to start a MDIO write transaction.
 	 */
-	ctrl_reg = __raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
-	__raw_writel(~XEL_MDIOADDR_OP_MASK &
-		     ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
-		     lp->base_addr + XEL_MDIOADDR_OFFSET);
-	__raw_writel(val, lp->base_addr + XEL_MDIOWR_OFFSET);
-	__raw_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	ctrl_reg = xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(~XEL_MDIOADDR_OP_MASK &
+			 ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
+			 lp->base_addr + XEL_MDIOADDR_OFFSET);
+	xemaclite_writel(val, lp->base_addr + XEL_MDIOWR_OFFSET);
+	xemaclite_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	return 0;
 }
@@ -838,8 +846,8 @@ static int xemaclite_mdio_setup(struct n
 	/* Enable the MDIO bus by asserting the enable bit in MDIO Control
 	 * register.
 	 */
-	__raw_writel(XEL_MDIOCTRL_MDIOEN_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(XEL_MDIOCTRL_MDIOEN_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	bus = mdiobus_alloc();
 	if (!bus) {
@@ -1142,8 +1150,8 @@ static int xemaclite_of_probe(struct pla
 		dev_warn(dev, "No MAC address found\n");
 
 	/* Clear the Tx CSR's in case this is a restart */
-	__raw_writel(0, lp->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(0, lp->base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
+	xemaclite_writel(0, lp->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(0, lp->base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
 
 	/* Set the MAC address in the EmacLite device */
 	xemaclite_update_address(lp, ndev->dev_addr);

* [PATCH 3.16 272/370] svcrpc: fix oops in absence of krb5 module
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Simo Sorce, J. Bruce Fields, Olga Kornievskaia

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfields@redhat.com>

commit 034dd34ff4916ec1f8f74e39ca3efb04eab2f791 upstream.

Olga Kornievskaia says: "I ran into this oops in the nfsd (below)
(4.10-rc3 kernel). To trigger this I had a client (unsuccessfully) try
to mount the server with krb5 where the server doesn't have the
rpcsec_gss_krb5 module built."

The problem is that rsci.cred is copied from a svc_cred structure that
gss_proxy didn't properly initialize.  Fix that.

[120408.542387] general protection fault: 0000 [#1] SMP
...
[120408.565724] CPU: 0 PID: 3601 Comm: nfsd Not tainted 4.10.0-rc3+ #16
[120408.567037] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[120408.569225] task: ffff8800776f95c0 task.stack: ffffc90003d58000
[120408.570483] RIP: 0010:gss_mech_put+0xb/0x20 [auth_rpcgss]
...
[120408.584946]  ? rsc_free+0x55/0x90 [auth_rpcgss]
[120408.585901]  gss_proxy_save_rsc+0xb2/0x2a0 [auth_rpcgss]
[120408.587017]  svcauth_gss_proxy_init+0x3cc/0x520 [auth_rpcgss]
[120408.588257]  ? __enqueue_entity+0x6c/0x70
[120408.589101]  svcauth_gss_accept+0x391/0xb90 [auth_rpcgss]
[120408.590212]  ? try_to_wake_up+0x4a/0x360
[120408.591036]  ? wake_up_process+0x15/0x20
[120408.592093]  ? svc_xprt_do_enqueue+0x12e/0x2d0 [sunrpc]
[120408.593177]  svc_authenticate+0xe1/0x100 [sunrpc]
[120408.594168]  svc_process_common+0x203/0x710 [sunrpc]
[120408.595220]  svc_process+0x105/0x1c0 [sunrpc]
[120408.596278]  nfsd+0xe9/0x160 [nfsd]
[120408.597060]  kthread+0x101/0x140
[120408.597734]  ? nfsd_destroy+0x60/0x60 [nfsd]
[120408.598626]  ? kthread_park+0x90/0x90
[120408.599448]  ret_from_fork+0x22/0x30

Fixes: 1d658336b05f "SUNRPC: Add RPC based upcall mechanism for RPCGSS auth"
Cc: Simo Sorce <simo@redhat.com>
Reported-by: Olga Kornievskaia <kolga@netapp.com>
Tested-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/auth_gss/gss_rpc_xdr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -260,7 +260,7 @@ static int gssx_dec_option_array(struct
 	if (!oa->data)
 		return -ENOMEM;
 
-	creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL);
+	creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL);
 	if (!creds) {
 		kfree(oa->data);
 		return -ENOMEM;
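
Review bot: as a style point on the changed allocation, `kzalloc(sizeof(*creds), GFP_KERNEL)` is preferred over naming the struct, so the size follows the pointer type if it ever changes. A brief comment that the zeroing is required because the structure is later copied and freed field by field would also protect the fix from being reverted to kmalloc().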

* [PATCH 3.16 303/370] vfs: fix uninitialized flags in splice_to_pipe()
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Miklos Szeredi

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 5a81e6a171cdbd1fa8bc1fdd80c23d3d71816fac upstream.

Flags (PIPE_BUF_FLAG_PACKET, PIPE_BUF_FLAG_GIFT) could remain on the
unused part of the pipe ring buffer.  Previously splice_to_pipe() left
the flags value alone, which could result in incorrect behavior.

Uninitialized flags appear to have been there from the introduction of
the splice syscall.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/splice.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -212,6 +212,7 @@ ssize_t splice_to_pipe(struct pipe_inode
 			buf->len = spd->partial[page_nr].len;
 			buf->private = spd->partial[page_nr].private;
 			buf->ops = spd->ops;
+			buf->flags = 0;
 			if (spd->flags & SPLICE_F_GIFT)
 				buf->flags |= PIPE_BUF_FLAG_GIFT;
 
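
Review bot: The new buf->flags = 0 in splice_to_pipe() is immediately followed by a conditional |= of PIPE_BUF_FLAG_GIFT, and nothing in the code says why the reset is needed. A one-line comment that the ring slot may still carry PIPE_BUF_FLAG_PACKET or PIPE_BUF_FLAG_GIFT from its previous use would keep the assignment from being dropped as redundant later. It would also help if the changelog named the incorrect behavior that was seen.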


* [PATCH 3.16 302/370] drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (244 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 352/370] net: socket: fix recvmmsg not returning error from sock_error Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-13  3:35   ` Michel Dänzer
  2017-03-10 11:46 ` [PATCH 3.16 335/370] ipv6: dccp: fix out of bound access in dccp_v6_err() Ben Hutchings
                   ` (125 subsequent siblings)
  371 siblings, 1 reply; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michel Dänzer, Sonny Jiang, Ashutosh Kumar, Alex Deucher

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michel Dänzer <michel.daenzer@amd.com>

commit d74c67dd7800fc7aae381f272875c337f268806c upstream.

The crtc_h/vdisplay fields may not match the CRTC viewport dimensions
with special modes such as interlaced ones.

Fixes the HW cursor disappearing in the bottom half of the screen with
interlaced modes.

Fixes: 6b16cf7785a4 ("drm/radeon: Hide the HW cursor while it's out of bounds")
Reported-by: Ashutosh Kumar <ashutosh.kumar@amd.com>
Tested-by: Sonny Jiang <sonny.jiang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_cursor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_cursor.c
+++ b/drivers/gpu/drm/radeon/radeon_cursor.c
@@ -282,8 +282,8 @@ int radeon_crtc_cursor_move(struct drm_c
 	}
 
 	if (x <= (crtc->x - w) || y <= (crtc->y - radeon_crtc->cursor_height) ||
-	    x >= (crtc->x + crtc->mode.crtc_hdisplay) ||
-	    y >= (crtc->y + crtc->mode.crtc_vdisplay))
+	    x >= (crtc->x + crtc->mode.hdisplay) ||
+	    y >= (crtc->y + crtc->mode.vdisplay))
 		goto out_of_bounds;
 
 	x += xorigin;
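
Review bot: The right and bottom edge tests now read crtc->mode.hdisplay and crtc->mode.vdisplay, but nothing at the comparison says why the crtc_* fields are wrong here. A short comment that crtc_hdisplay/crtc_vdisplay may not match the viewport for interlaced modes would stop a later cleanup from switching them back.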


* [PATCH 3.16 292/370] xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (363 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 192/370] ata: sata_mv:- Handle return value of devm_ioremap Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 343/370] netvsc: reduce maximum GSO size Ben Hutchings
                   ` (6 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Boris Ostrovsky, Juergen Gross

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

commit 74470954857c264168d2b5a113904cf0cfd27d18 upstream.

rx_refill_timer should be deleted as soon as we disconnect from the
backend since otherwise it is possible for the timer to go off before
we get to xennet_destroy_queues(). If this happens we may dereference
queue->rx.sring which is set to NULL in xennet_disconnect_backend().

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: del_timer_sync() was called from xennet_remove()
 but that's also too late]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1440,6 +1440,8 @@ static void xennet_disconnect_backend(st
 	for (i = 0; i < num_queues; ++i) {
 		struct netfront_queue *queue = &info->queues[i];
 
+		del_timer_sync(&queue->rx_refill_timer);
+
 		if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
 			unbind_from_irqhandler(queue->tx_irq, queue);
 		if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
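
Review bot: del_timer_sync(&queue->rx_refill_timer) now runs at the top of the loop body, before unbind_from_irqhandler() is called for the queue's IRQs. If anything reachable from those handlers can re-arm rx_refill_timer, the timer could be queued again after this point and still fire on a NULL queue->rx.sring; please confirm that cannot happen, or move the call after the unbind.
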
@@ -2360,8 +2362,6 @@ static int xennet_remove(struct xenbus_d
 {
 	struct netfront_info *info = dev_get_drvdata(&dev->dev);
 	unsigned int num_queues = info->netdev->real_num_tx_queues;
-	struct netfront_queue *queue = NULL;
-	unsigned int i = 0;
 
 	dev_dbg(&dev->dev, "%s\n", dev->nodename);
 
@@ -2371,11 +2371,6 @@ static int xennet_remove(struct xenbus_d
 
 	unregister_netdev(info->netdev);
 
-	for (i = 0; i < num_queues; ++i) {
-		queue = &info->queues[i];
-		del_timer_sync(&queue->rx_refill_timer);
-	}
-
 	if (num_queues) {
 		kfree(info->queues);
 		info->queues = NULL;
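
Review bot: With the del_timer_sync() loop removed from xennet_remove(), nothing visible in this hunk stops rx_refill_timer before kfree(info->queues). That is only safe if xennet_disconnect_backend() is guaranteed to have run earlier in xennet_remove(); the context shown does not include that call, so the backport note should say where it happens.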


* [PATCH 3.16 294/370] net/sock: Add sock_efree() function
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (222 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 205/370] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 351/370] qmi_wwan/cdc_ether: add device ID for HP lt2523 (Novatel E371) WWAN card Ben Hutchings
                   ` (147 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Extracted from commit 62bccb8cdb69 ("net-timestamp: Make the clone operation
stand-alone from phy timestamping").

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1569,6 +1569,7 @@ struct sk_buff *sock_wmalloc(struct sock
 void sock_wfree(struct sk_buff *skb);
 void skb_orphan_partial(struct sk_buff *skb);
 void sock_rfree(struct sk_buff *skb);
+void sock_efree(struct sk_buff *skb);
 void sock_edemux(struct sk_buff *skb);
 
 int sock_setsockopt(struct socket *sock, int level, int op,
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1678,6 +1678,12 @@ void sock_rfree(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(sock_rfree);
 
+void sock_efree(struct sk_buff *skb)
+{
+	sock_put(skb->sk);
+}
+EXPORT_SYMBOL(sock_efree);
+
 void sock_edemux(struct sk_buff *skb)
 {
 	struct sock *sk = skb->sk;
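
Review bot: sock_efree() is exported without a comment stating its contract. It drops a reference with sock_put(skb->sk), so it is only valid as skb->destructor when the caller took a matching sock_hold() before setting skb->sk; a short kernel-doc line saying so would help. The changelog also gives no reason for extracting the function on its own.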


* [PATCH 3.16 293/370] l2tp: do not use udp_ioctl()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (333 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 313/370] sch_htb: update backlog as well Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 225/370] be2net: fix status check in be_cmd_pmac_add() Ben Hutchings
                   ` (36 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Paolo Abeni, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 72fb96e7bdbbdd4421b0726992496531060f3636 upstream.

udp_ioctl(), as its name suggests, is used by UDP protocols,
but is also used by L2TP :(

L2TP should use its own handler, because it really does not
look the same.

SIOCINQ for instance should not assume UDP checksum or headers.

Thanks to Andrey and syzkaller team for providing the report
and a nice reproducer.

While crashes only happen on recent kernels (after commit
7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")), this
probably needs to be backported to older kernels.

Fixes: 7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")
Fixes: 85584672012e ("udp: Fix udp_poll() and ioctl()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.h |  1 +
 net/l2tp/l2tp_ip.c   | 27 ++++++++++++++++++++++++++-
 net/l2tp/l2tp_ip6.c  |  2 +-
 3 files changed, 28 insertions(+), 2 deletions(-)

--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -273,6 +273,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
 int l2tp_nl_register_ops(enum l2tp_pwtype pw_type,
 			 const struct l2tp_nl_cmd_ops *ops);
 void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type);
+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg);
 
 /* Session reference counts. Incremented when code obtains a reference
  * to a session.
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -11,6 +11,7 @@
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
+#include <asm/ioctls.h>
 #include <linux/icmp.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -555,6 +556,30 @@ out:
 	return err ? err : copied;
 }
 
+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg)
+{
+	struct sk_buff *skb;
+	int amount;
+
+	switch (cmd) {
+	case SIOCOUTQ:
+		amount = sk_wmem_alloc_get(sk);
+		break;
+	case SIOCINQ:
+		spin_lock_bh(&sk->sk_receive_queue.lock);
+		skb = skb_peek(&sk->sk_receive_queue);
+		amount = skb ? skb->len : 0;
+		spin_unlock_bh(&sk->sk_receive_queue.lock);
+		break;
+
+	default:
+		return -ENOIOCTLCMD;
+	}
+
+	return put_user(amount, (int __user *)arg);
+}
+EXPORT_SYMBOL(l2tp_ioctl);
+
 static struct proto l2tp_ip_prot = {
 	.name		   = "L2TP/IP",
 	.owner		   = THIS_MODULE,
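
Review bot: The SIOCINQ case in l2tp_ioctl() returns skb->len of the first skb on sk_receive_queue, not the total of queued bytes, and nothing documents that. A comment on the function stating what SIOCOUTQ and SIOCINQ report would help. The blank line before default: is also inconsistent with the two cases above it, which have none.
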
@@ -563,7 +588,7 @@ static struct proto l2tp_ip_prot = {
 	.bind		   = l2tp_ip_bind,
 	.connect	   = l2tp_ip_connect,
 	.disconnect	   = l2tp_ip_disconnect,
-	.ioctl		   = udp_ioctl,
+	.ioctl		   = l2tp_ioctl,
 	.destroy	   = l2tp_ip_destroy_sock,
 	.setsockopt	   = ip_setsockopt,
 	.getsockopt	   = ip_getsockopt,
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -716,7 +716,7 @@ static struct proto l2tp_ip6_prot = {
 	.bind		   = l2tp_ip6_bind,
 	.connect	   = l2tp_ip6_connect,
 	.disconnect	   = l2tp_ip6_disconnect,
-	.ioctl		   = udp_ioctl,
+	.ioctl		   = l2tp_ioctl,
 	.destroy	   = l2tp_ip6_destroy_sock,
 	.setsockopt	   = ipv6_setsockopt,
 	.getsockopt	   = ipv6_getsockopt,
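
Review bot: l2tp_ip6_prot now points .ioctl at l2tp_ioctl, which this patch defines and exports from net/l2tp/l2tp_ip.c while declaring it in l2tp_core.h. That makes the IPv6 module depend on the IPv4 one for this symbol; if that is not intended, the definition would sit better with the code behind l2tp_core.h.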


* [PATCH 3.16 295/370] net/llc: avoid BUG_ON() in skb_orphan()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (288 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 218/370] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 200/370] USB: serial: ch341: fix open and resume after B0 Ben Hutchings
                   ` (81 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David S. Miller, Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 8b74d439e1697110c5e5c600643e823eb1dd0762 upstream.

It seems nobody used LLC since linux-3.12.

Fortunately fuzzers like syzkaller still know how to run this code,
otherwise it would be no fun.

Setting skb->sk without skb->destructor leads to all kinds of
bugs, we now prefer to be very strict about it.

Ideally here we would use skb_set_owner() but this helper does not exist yet,
only CAN seems to have a private helper for that.

Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/llc/llc_conn.c | 3 +++
 net/llc/llc_sap.c  | 3 +++
 2 files changed, 6 insertions(+)

--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
 		 * another trick required to cope with how the PROCOM state
 		 * machine works. -acme
 		 */
+		skb_orphan(skb);
+		sock_hold(sk);
 		skb->sk = sk;
+		skb->destructor = sock_efree;
 	}
 	if (!sock_owned_by_user(sk))
 		llc_conn_rcv(sk, skb);
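
Review bot: The four-line sequence skb_orphan(), sock_hold(), skb->sk = sk, skb->destructor = sock_efree added in llc_conn_handler() is repeated verbatim in llc_sap_rcv() later in this patch. The changelog already notes that an skb_set_owner() helper does not exist yet; a small static helper in LLC would keep the hold and the destructor paired in one place, so a later edit cannot change one call site and miss the other.
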
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *
 
 	ev->type   = LLC_SAP_EV_TYPE_PDU;
 	ev->reason = 0;
+	skb_orphan(skb);
+	sock_hold(sk);
 	skb->sk = sk;
+	skb->destructor = sock_efree;
 	llc_sap_state_process(sap, skb);
 }
 


* [PATCH 3.16 232/370] selftest/powerpc: Wrong PMC initialized in pmc56_overflow test
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (253 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 253/370] USB: serial: option: add device ID for HP lt2523 (Novatel E371) Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 288/370] btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls Ben Hutchings
                   ` (116 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Madhavan Srinivasan, Michael Ellerman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>

commit df21d2fa733035e4d414379960f94b2516b41296 upstream.

Test uses PMC2 to count the event. But PMC1 is being initialized.
Patch to fix it.

Fixes: 3752e453f6ba ('selftests/powerpc: Add tests of PMU EBBs')
Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
+++ b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
@@ -64,7 +64,7 @@ int pmc56_overflow(void)
 
 	FAIL_IF(ebb_event_enable(&event));
 
-	mtspr(SPRN_PMC1, pmc_sample_period(sample_period));
+	mtspr(SPRN_PMC2, pmc_sample_period(sample_period));
 	mtspr(SPRN_PMC5, 0);
 	mtspr(SPRN_PMC6, 0);
 


* [PATCH 3.16 259/370] USB: Add quirk for WORLDE easykey.25 MIDI keyboard
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 241/370] arm64: avoid returning from bad_mode Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 289/370] ping: fix a null pointer dereference Ben Hutchings
                   ` (96 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Lukáš Lalinský, Greg Kroah-Hartman

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukáš Lalinský <lukas@oxygene.sk>

commit d9b2997e4a0a874e452df7cdd7de5a54502bd0aa upstream.

Add a quirk for WORLDE easykey.25 MIDI keyboard (idVendor=0218,
idProduct=0401). The device reports that it has config string
descriptor at index 3, but when the system selects the configuration
and tries to get the description, it returns a -EPROTO error,
the communication restarts and this keeps repeating over and over again.
Not requesting the string descriptor makes the device work correctly.

Relevant info from Wireshark:

[...]

CONFIGURATION DESCRIPTOR
    bLength: 9
    bDescriptorType: 0x02 (CONFIGURATION)
    wTotalLength: 101
    bNumInterfaces: 2
    bConfigurationValue: 1
    iConfiguration: 3
    Configuration bmAttributes: 0xc0  SELF-POWERED  NO REMOTE-WAKEUP
        1... .... = Must be 1: Must be 1 for USB 1.1 and higher
        .1.. .... = Self-Powered: This device is SELF-POWERED
        ..0. .... = Remote Wakeup: This device does NOT support remote wakeup
    bMaxPower: 50  (100mA)

[...]

     45 0.369104       host                  2.38.0                USB      64     GET DESCRIPTOR Request STRING

[...]

URB setup
    bmRequestType: 0x80
        1... .... = Direction: Device-to-host
        .00. .... = Type: Standard (0x00)
        ...0 0000 = Recipient: Device (0x00)
    bRequest: GET DESCRIPTOR (6)
    Descriptor Index: 0x03
    bDescriptorType: 0x03
    Language Id: English (United States) (0x0409)
    wLength: 255

     46 0.369255       2.38.0                host                  USB      64     GET DESCRIPTOR Response STRING[Malformed Packet]

[...]

Frame 46: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
USB URB
    [Source: 2.38.0]
    [Destination: host]
    URB id: 0xffff88021f62d480
    URB type: URB_COMPLETE ('C')
    URB transfer type: URB_CONTROL (0x02)
    Endpoint: 0x80, Direction: IN
    Device: 38
    URB bus id: 2
    Device setup request: not relevant ('-')
    Data: present (0)
    URB sec: 1484896277
    URB usec: 455031
    URB status: Protocol error (-EPROTO) (-71)
    URB length [bytes]: 0
    Data length [bytes]: 0
    [Request in: 45]
    [Time from request: 0.000151000 seconds]
    Unused Setup Header
    Interval: 0
    Start frame: 0
    Copy of Transfer Flags: 0x00000200
    Number of ISO descriptors: 0
[Malformed Packet: USB]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

Signed-off-by: Lukáš Lalinský <lukas@oxygene.sk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -37,6 +37,10 @@ static const struct usb_device_id usb_qu
 	/* CBM - Flash disk */
 	{ USB_DEVICE(0x0204, 0x6025), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* WORLDE easy key (easykey.25) MIDI controller  */
+	{ USB_DEVICE(0x0218, 0x0401), .driver_info =
+			USB_QUIRK_CONFIG_INTF_STRINGS },
+
 	/* HP 5300/5370C scanner */
 	{ USB_DEVICE(0x03f0, 0x0701), .driver_info =
 			USB_QUIRK_STRING_FETCH_255 },
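
Review bot: The new quirk entry's comment names the device but not the reason for USB_QUIRK_CONFIG_INTF_STRINGS, and it has a stray double space before the closing */. A few words on the config string descriptor fetch failing with -EPROTO would carry the changelog's explanation into the table. The position between 0x0204 and 0x03f0 keeps the entries ordered by vendor ID.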


* [PATCH 3.16 288/370] btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (254 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 232/370] selftest/powerpc: Wrong PMC initialized in pmc56_overflow test Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 296/370] futex: Move futex_init() to core_initcall Ben Hutchings
                   ` (115 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jeff Mahoney, David Sterba

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit 2a362249187a8d0f6d942d6e1d763d150a296f47 upstream.

Commit 4c63c2454ef incorrectly assumed that returning -ENOIOCTLCMD would
cause the native ioctl to be called.  The ->compat_ioctl callback is
expected to handle all ioctls, not just compat variants.  As a result,
when using 32-bit userspace on 64-bit kernels, everything except those
three ioctls would return -ENOTTY.

Fixes: 4c63c2454ef ("btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl")
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/ioctl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -5536,6 +5536,10 @@ long btrfs_ioctl(struct file *file, unsi
 #ifdef CONFIG_COMPAT
 long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
+	/*
+	 * These all access 32-bit values anyway so no further
+	 * handling is necessary.
+	 */
 	switch (cmd) {
 	case FS_IOC32_GETFLAGS:
 		cmd = FS_IOC_GETFLAGS;
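
Review bot: The added comment sits above the switch in btrfs_compat_ioctl() and says "These all access 32-bit values anyway", but after this patch the function forwards every command, not only the three FS_IOC32_* cases. Reword it so that "these" clearly refers to the translated FS_IOC32_* commands, or move it next to the case labels.
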
@@ -5546,8 +5550,6 @@ long btrfs_compat_ioctl(struct file *fil
 	case FS_IOC32_GETVERSION:
 		cmd = FS_IOC_GETVERSION;
 		break;
-	default:
-		return -ENOIOCTLCMD;
 	}
 
 	return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
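
Review bot: With the default: return -ENOIOCTLCMD removed, every command from a 32-bit caller now reaches btrfs_ioctl() with its argument passed through compat_ptr(arg). Please confirm that all remaining btrfs ioctls take a pointer to a structure whose layout is identical for 32-bit and 64-bit userspace; any command that is not layout-compatible used to fail with -ENOTTY and will now be processed.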


* [PATCH 3.16 285/370] target: Use correct SCSI status during EXTENDED_COPY exception
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 210/370] tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 328/370] tcp: fix wrong checksum calculation on MTU probing Ben Hutchings
                   ` (136 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, Nicholas Bellinger, Nixon Vincent

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 0583c261e6325f392c1f7a1b9112e31298e1a4bd upstream.

This patch adds the missing target_complete_cmd() SCSI status
parameter change in target_xcopy_do_work(), that was originally
missing in commit 926317de33.

It correctly propagates up the correct SCSI status during
EXTENDED_COPY exception cases, instead of always using the
hardcoded SAM_STAT_CHECK_CONDITION from original code.

This is required for ESX host environments that expect to
hit SAM_STAT_RESERVATION_CONFLICT for certain scenarios,
and SAM_STAT_CHECK_CONDITION results in non-retriable
status for these cases.

Reported-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
Tested-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/target_core_xcopy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -881,7 +881,7 @@ out:
 			" CHECK_CONDITION -> sending response\n", rc);
 		ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
 	}
-	target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
+	target_complete_cmd(ec_cmd, ec_cmd->scsi_status);
 }
 
 sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
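
Review bot: target_complete_cmd() now receives ec_cmd->scsi_status, but the only assignment visible in this hunk is the SAM_STAT_CHECK_CONDITION one inside the if block. Every other path that reaches out: must have set scsi_status to a failure status beforehand, otherwise a failed EXTENDED_COPY would complete with whatever value the field happens to hold; worth checking those paths.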


* [PATCH 3.16 286/370] target: Fix early transport_generic_handle_tmr abort scenario
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (203 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 297/370] mmc: core: fix multi-bit bus width without high-speed mode Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 261/370] sysctl: fix proc_doulongvec_ms_jiffies_minmax() Ben Hutchings
                   ` (166 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicholas Bellinger, Rob Millner, Christoph Hellwig

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit c54eeffbe9338fa982dc853d816fda9202a13b5a upstream.

This patch fixes a bug where incoming task management requests
can be explicitly aborted during an active LUN_RESET, but whose
struct work_struct are canceled in-flight before execution.

This occurs when core_tmr_drain_tmr_list() invokes cancel_work_sync()
for the incoming se_tmr_req->task_cmd->work, resulting in cmd->work
for target_tmr_work() never getting invoked and the aborted TMR
waiting indefinitely within transport_wait_for_tasks().

To address this case, perform a CMD_T_ABORTED check early in
transport_generic_handle_tmr(), and invoke the normal path via
transport_cmd_check_stop_to_fabric() to complete any TMR kthreads
blocked waiting for CMD_T_STOP in transport_wait_for_tasks().

Also, move the TRANSPORT_ISTATE_PROCESSING assignment earlier
into transport_generic_handle_tmr() so the existing check in
core_tmr_drain_tmr_list() avoids attempting to abort the incoming
se_tmr_req->task_cmd->work if it has already been queued into
se_device->tmr_wq.

Reported-by: Rob Millner <rlm@daterainc.com>
Tested-by: Rob Millner <rlm@daterainc.com>
Cc: Rob Millner <rlm@daterainc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.16:
 - Tags are 32-bit; print them with %u
 - Command tag must be looked up with get_task_tag op]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/target_core_transport.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -3093,7 +3093,6 @@ static void target_tmr_work(struct work_
 		spin_unlock_irqrestore(&cmd->t_state_lock, flags);
 		goto check_stop;
 	}
-	cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
 	spin_unlock_irqrestore(&cmd->t_state_lock, flags);
 
 	cmd->se_tfo->queue_tm_rsp(cmd);
@@ -3106,11 +3105,25 @@ int transport_generic_handle_tmr(
 	struct se_cmd *cmd)
 {
 	unsigned long flags;
+	bool aborted = false;
 
 	spin_lock_irqsave(&cmd->t_state_lock, flags);
-	cmd->transport_state |= CMD_T_ACTIVE;
+	if (cmd->transport_state & CMD_T_ABORTED) {
+		aborted = true;
+	} else {
+		cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
+		cmd->transport_state |= CMD_T_ACTIVE;
+	}
 	spin_unlock_irqrestore(&cmd->t_state_lock, flags);
 
+	if (aborted) {
+		pr_warn_ratelimited("handle_tmr caught CMD_T_ABORTED TMR %d"
+			"ref_tag: %u tag: %u\n", cmd->se_tmr_req->function,
+			cmd->se_tmr_req->ref_task_tag, cmd->se_tfo->get_task_tag(cmd));
+		transport_cmd_check_stop_to_fabric(cmd);
+		return 0;
+	}
+
 	INIT_WORK(&cmd->work, target_tmr_work);
 	queue_work(cmd->se_dev->tmr_wq, &cmd->work);
 	return 0;
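
Review bot: The pr_warn_ratelimited() format string is split as "handle_tmr caught CMD_T_ABORTED TMR %d" followed by "ref_tag: %u tag: %u\n" with no space at the join, so the message prints the TMR function number run together with ref_tag. Add a trailing space to the first literal, or keep the string on one line so it also stays greppable.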


* [PATCH 3.16 287/370] target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 276/370] mac80211: Fix adding of mesh vendor IEs Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 332/370] net: mangle zero checksum in skb_checksum_help() Ben Hutchings
                   ` (142 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Donald White, Nicholas Bellinger, Christoph Hellwig, Gary Guo

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 9b2792c3da1e80f2d460167d319302a24c9ca2b7 upstream.

This patch addresses a long standing bug where the commit phase
of COMPARE_AND_WRITE would result in a se_cmd->cmd_kref reference
leak if se_cmd->scsi_status returned non SAM_STAT_GOOD.

This would manifest first as a lost SCSI response, and eventual
hung task during fabric driver logout or re-login, as existing
shutdown logic waited for the COMPARE_AND_WRITE se_cmd->cmd_kref
to reach zero.

To address this bug, compare_and_write_post() has been changed
to drop the incorrect !cmd->scsi_status conditional that was
preventing *post_ret = 1 from being set during non SAM_STAT_GOOD
status.

This patch has been tested with SAM_STAT_CHECK_CONDITION status
from normal target_complete_cmd() callback path, as well as the
incoming __target_execute_cmd() submission failure path when
se_cmd->execute_cmd() returns non zero status.

Reported-by: Donald White <dew@datera.io>
Cc: Donald White <dew@datera.io>
Tested-by: Gary Guo <ghg@datera.io>
Cc: Gary Guo <ghg@datera.io>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/target_core_sbc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -368,6 +368,7 @@ static sense_reason_t compare_and_write_
 					     int *post_ret)
 {
 	struct se_device *dev = cmd->se_dev;
+	sense_reason_t ret = TCM_NO_SENSE;
 
 	/*
 	 * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through
@@ -375,9 +376,12 @@ static sense_reason_t compare_and_write_
 	 * sent to the backend driver.
 	 */
 	spin_lock_irq(&cmd->t_state_lock);
-	if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
+	if (cmd->transport_state & CMD_T_SENT) {
 		cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
 		*post_ret = 1;
+
+		if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION)
+			ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
 	}
 	spin_unlock_irq(&cmd->t_state_lock);
 
@@ -387,7 +391,7 @@ static sense_reason_t compare_and_write_
 	 */
 	up(&dev->caw_sem);
 
-	return TCM_NO_SENSE;
+	return ret;
 }
 
 static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
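
Review bot: return ret yields a failure only when scsi_status == SAM_STAT_CHECK_CONDITION, per the assignment added in the previous hunk, while the changelog describes the bug in terms of any non SAM_STAT_GOOD status. If other non-GOOD statuses are meant to keep returning TCM_NO_SENSE, a comment at that test saying so would help; if not, the test needs to cover them.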


* [PATCH 3.16 290/370] ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (337 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 214/370] gro: use min_t() in skb_gro_reset_offset() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 221/370] i2c: fix kernel memory disclosure in dev interface Ben Hutchings
                   ` (32 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Hui Wang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit af677166cf63c179dc2485053166e02c4aea01eb upstream.

Without this change, the HDMI/DP codec will be recognised as a
generic codec, and there is no sound when playing through this codec.

As suggested by NVidia side, after adding the new ID in the driver,
the sound playing works well.

Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: don't use HDA_CODEC_ENTRY()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_hdmi.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -3345,6 +3345,7 @@ static const struct hda_codec_preset snd
 { .id = 0x10de0071, .name = "GPU 71 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de0072, .name = "GPU 72 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de007d, .name = "GPU 7d HDMI/DP",	.patch = patch_nvhdmi },
+{ .id = 0x10de0080, .name = "GPU 80 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de0082, .name = "GPU 82 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de0083, .name = "GPU 83 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de8001, .name = "MCP73 HDMI",	.patch = patch_nvhdmi_2ch },

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 275/370] netlabel: out of bound access in cipso_v4_validate()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (256 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 296/370] futex: Move futex_init() to core_initcall Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 266/370] can: bcm: fix hrtimer/tasklet termination in bcm op removal Ben Hutchings
                   ` (113 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Paul Moore, Dmitry Vyukov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit d71b7896886345c53ef1d84bda2bc758554f5d61 upstream.

syzkaller found another out of bound access in ip_options_compile(),
or more exactly in cipso_v4_validate()

Fixes: 20e2a8648596 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov  <dvyukov@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/cipso_ipv4.h | 4 ++++
 net/ipv4/cipso_ipv4.c    | 4 ++++
 2 files changed, 8 insertions(+)

--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -302,6 +302,10 @@ static inline int cipso_v4_validate(cons
 	}
 
 	for (opt_iter = 6; opt_iter < opt_len;) {
+		if (opt_iter + 1 == opt_len) {
+			err_offset = opt_iter;
+			goto out;
+		}
 		tag_len = opt[opt_iter + 1];
 		if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) {
 			err_offset = opt_iter + 1;
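
Review bot: the added guard uses `opt_iter + 1 == opt_len`, which is only
sufficient because the loop condition already guarantees
opt_iter < opt_len; writing it as `opt_iter + 1 >= opt_len` would keep the
read of opt[opt_iter + 1] safe even if the loop header changes later. A
short comment that a tag needs at least a type byte and a length byte
would also explain why err_offset points at opt_iter here but at
opt_iter + 1 in the length check below.
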
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1645,6 +1645,10 @@ int cipso_v4_validate(const struct sk_bu
 				goto validate_return_locked;
 			}
 
+		if (opt_iter + 1 == opt_len) {
+			err_offset = opt_iter;
+			goto validate_return_locked;
+		}
 		tag_len = tag[1];
 		if (tag_len > (opt_len - opt_iter)) {
 			err_offset = opt_iter + 1;
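
Review bot: this is the same truncated-tag guard as in
include/net/cipso_ipv4.h, but the length test that follows it here is only
`tag_len > (opt_len - opt_iter)`, without the `tag_len == 0` case that the
header variant rejects. Please confirm that a zero tag_len is rejected by
the per-tag handling elsewhere in this loop; a shared helper for the
two-byte minimum check would keep the two copies from drifting apart.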

^ permalink raw reply	[flat|nested] 390+ messages in thread
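
A userspace model of the tag walk that the cipso_v4_validate() patch above guards, added here as an illustration and not kernel code. The names walk_tags, struct walk_result and check_truncated_tag, the model's own buffer guard and both sample options are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of one walk over the tag area of a CIPSO-style option. */
struct walk_result {
	int err_offset;     /* 0 = accepted, otherwise offset of the bad byte */
	int read_past_opt;  /* 1 if a tag length was fetched from index >= opt_len */
};

/*
 * Model of the loop in the hunks above: opt[1] is the option length, tags
 * start at offset 6 and each tag is {type, length, data...}.
 * The model requires one spare byte after the option (buf_len > opt_len) so
 * that it can show what the unguarded loop consumes without itself reading
 * memory it does not own. check_truncated_tag selects the patched behaviour.
 */
static struct walk_result walk_tags(const uint8_t *opt, size_t buf_len,
				    int check_truncated_tag)
{
	struct walk_result r = { 0, 0 };
	size_t opt_len, opt_iter;
	uint8_t tag_len;

	/* Guard of the model only, not taken from the patch. */
	if (buf_len < 2 || (size_t)opt[1] + 1 > buf_len) {
		r.err_offset = 1;
		return r;
	}
	opt_len = opt[1];

	for (opt_iter = 6; opt_iter < opt_len;) {
		if (opt_iter + 1 == opt_len) {
			/* Only the tag type byte is left inside the option. */
			if (check_truncated_tag) {
				r.err_offset = (int)opt_iter;
				return r;
			}
			/* Unguarded: the length byte comes from outside the option. */
			r.read_past_opt = 1;
		}
		tag_len = opt[opt_iter + 1];
		if (tag_len == 0 || tag_len > opt_len - opt_iter) {
			r.err_offset = (int)opt_iter + 1;
			return r;
		}
		opt_iter += tag_len;
	}
	return r;
}

/* Constructed sample: option length 9, one 2-byte tag, then a lone type byte.
 * The final array element is the spare byte that follows the option. */
static const uint8_t truncated_opt[] = {
	134, 9, 0, 0, 0, 1,	/* type, length, 4-byte DOI */
	1, 2,			/* tag: type 1, length 2 */
	5,			/* tag type with no length byte */
	1			/* spare byte, not part of the option */
};

/* Constructed sample: option length 10 holding exactly one 4-byte tag. */
static const uint8_t good_opt[] = {
	134, 10, 0, 0, 0, 1,
	1, 4, 0, 0,
	0			/* spare byte, not part of the option */
};

int main(void)
{
	struct walk_result a = walk_tags(truncated_opt, sizeof(truncated_opt), 0);
	struct walk_result b = walk_tags(truncated_opt, sizeof(truncated_opt), 1);
	struct walk_result c = walk_tags(good_opt, sizeof(good_opt), 1);

	printf("unguarded: err_offset=%d read_past_opt=%d\n",
	       a.err_offset, a.read_past_opt);
	printf("guarded:   err_offset=%d read_past_opt=%d\n",
	       b.err_offset, b.read_past_opt);
	printf("well-formed option: err_offset=%d read_past_opt=%d\n",
	       c.err_offset, c.read_past_opt);
	return 0;
}
```

With the guard off, the truncated option is accepted because the byte after the option happens to look like a valid length; with the guard on, it is rejected at the offset of the lone type byte.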

* [PATCH 3.16 276/370] mac80211: Fix adding of mesh vendor IEs
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 247/370] powerpc: Ignore reserved field in DCSR and PVR reads and writes Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 287/370] target: Fix COMPARE_AND_WRITE ref leak for non GOOD status Ben Hutchings
                   ` (143 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thorsten Horstmann, Sven Eckelmann, Simon Wunderlich,
	Johannes Berg, Mathias Kretschmer

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thorsten Horstmann <thorsten@defutech.de>

commit da7061c82e4a1bc6a5e134ef362c86261906c860 upstream.

The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
return value in mesh_add_vendor_ies must therefore be checked against
ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
WLAN_EID_VENDOR_SPECIFIC will be rejected.

Fixes: 082ebb0c258d ("mac80211: fix mesh beacon format")
Signed-off-by: Thorsten Horstmann <thorsten@defutech.de>
Signed-off-by: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[sven@narfation.org: Add commit message]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/mesh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -352,7 +352,7 @@ int mesh_add_vendor_ies(struct ieee80211
 	/* fast-forward to vendor IEs */
 	offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);
 
-	if (offset) {
+	if (offset < ifmsh->ie_len) {
 		len = ifmsh->ie_len - offset;
 		data = ifmsh->ie + offset;
 		if (skb_tailroom(skb) < len)
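
Review bot: the corrected test `offset < ifmsh->ie_len` depends on
ieee80211_ie_split_vendor() returning ie_len when no vendor IE is present,
and nothing at the call site says so. Extending the
`/* fast-forward to vendor IEs */` comment to state that return convention
would keep a later cleanup from turning this back into a truthiness test,
which is the bug being fixed.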

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 267/370] perf/core: Fix PERF_RECORD_MMAP2 prot/flags for anonymous memory
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 323/370] cdc_ncm: workaround for EM7455 "silent" data interface Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 341/370] net/sched: pedit: make sure that offset is valid Ben Hutchings
                   ` (104 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Stephane Eranian, Andres Freund, Ingo Molnar,
	Peter Zijlstra, Stephane Eranian, Don, namhyung,
	Alexander Shishkin, Linus Torvalds, Jiri Olsa,
	Arnaldo Carvalho de Melo, Thomas Gleixner, anton, acme

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 0b3589be9b98994ce3d5aeca52445d1f5627c4ba upstream.

Andres reported that MMAP2 records for anonymous memory always have
their protection field 0.

Turns out, someone daft put the prot/flags generation code in the file
branch, leaving them unset for anonymous memory.

Reported-by: Andres Freund <andres@anarazel.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@gmail.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@kernel.org
Cc: anton@ozlabs.org
Cc: namhyung@kernel.org
Fixes: f972eb63b100 ("perf: Pass protection and flags bits through mmap2 interface")
Link: http://lkml.kernel.org/r/20170126221508.GF6536@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/events/core.c | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5472,6 +5472,27 @@ static void perf_event_mmap_event(struct
 	char *buf = NULL;
 	char *name;
 
+	if (vma->vm_flags & VM_READ)
+		prot |= PROT_READ;
+	if (vma->vm_flags & VM_WRITE)
+		prot |= PROT_WRITE;
+	if (vma->vm_flags & VM_EXEC)
+		prot |= PROT_EXEC;
+
+	if (vma->vm_flags & VM_MAYSHARE)
+		flags = MAP_SHARED;
+	else
+		flags = MAP_PRIVATE;
+
+	if (vma->vm_flags & VM_DENYWRITE)
+		flags |= MAP_DENYWRITE;
+	if (vma->vm_flags & VM_MAYEXEC)
+		flags |= MAP_EXECUTABLE;
+	if (vma->vm_flags & VM_LOCKED)
+		flags |= MAP_LOCKED;
+	if (vma->vm_flags & VM_HUGETLB)
+		flags |= MAP_HUGETLB;
+
 	if (file) {
 		struct inode *inode;
 		dev_t dev;
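
Review bot: the moved block builds prot with `prot |= ...` ahead of the
`if (file)` branch, so it depends on prot being zero at declaration, which
this hunk does not show; flags is assigned outright, prot is not. Worth
confirming the initialisers above `char *buf = NULL;`, and a short comment
that these fields apply to both file-backed and anonymous mappings would
document why the block sits ahead of the branch.
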
@@ -5498,27 +5519,6 @@ static void perf_event_mmap_event(struct
 		maj = MAJOR(dev);
 		min = MINOR(dev);
 
-		if (vma->vm_flags & VM_READ)
-			prot |= PROT_READ;
-		if (vma->vm_flags & VM_WRITE)
-			prot |= PROT_WRITE;
-		if (vma->vm_flags & VM_EXEC)
-			prot |= PROT_EXEC;
-
-		if (vma->vm_flags & VM_MAYSHARE)
-			flags = MAP_SHARED;
-		else
-			flags = MAP_PRIVATE;
-
-		if (vma->vm_flags & VM_DENYWRITE)
-			flags |= MAP_DENYWRITE;
-		if (vma->vm_flags & VM_MAYEXEC)
-			flags |= MAP_EXECUTABLE;
-		if (vma->vm_flags & VM_LOCKED)
-			flags |= MAP_LOCKED;
-		if (vma->vm_flags & VM_HUGETLB)
-			flags |= MAP_HUGETLB;
-
 		goto got_name;
 	} else {
 		name = (char *)arch_vma_name(vma);

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 280/370] catc: Combine failure cleanup code in catc_probe()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 366/370] Revert "KVM: x86: expose MSR_TSC_AUX to userspace" Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 331/370] net: clear sk_err_soft in sk_clone_lock() Ben Hutchings
                   ` (120 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit d41149145f98fe26dcd0bfd1d6cc095e6e041418 upstream.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/usb/catc.c | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

--- a/drivers/net/usb/catc.c
+++ b/drivers/net/usb/catc.c
@@ -777,7 +777,7 @@ static int catc_probe(struct usb_interfa
 	struct net_device *netdev;
 	struct catc *catc;
 	u8 broadcast[ETH_ALEN];
-	int i, pktsz;
+	int i, pktsz, ret;
 
 	if (usb_set_interface(usbdev,
 			intf->altsetting->desc.bInterfaceNumber, 1)) {
@@ -812,12 +812,8 @@ static int catc_probe(struct usb_interfa
 	if ((!catc->ctrl_urb) || (!catc->tx_urb) || 
 	    (!catc->rx_urb) || (!catc->irq_urb)) {
 		dev_err(&intf->dev, "No free urbs available.\n");
-		usb_free_urb(catc->ctrl_urb);
-		usb_free_urb(catc->tx_urb);
-		usb_free_urb(catc->rx_urb);
-		usb_free_urb(catc->irq_urb);
-		free_netdev(netdev);
-		return -ENOMEM;
+		ret = -ENOMEM;
+		goto fail_free;
 	}
 
 	/* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */
@@ -914,16 +910,21 @@ static int catc_probe(struct usb_interfa
 	usb_set_intfdata(intf, catc);
 
 	SET_NETDEV_DEV(netdev, &intf->dev);
-	if (register_netdev(netdev) != 0) {
-		usb_set_intfdata(intf, NULL);
-		usb_free_urb(catc->ctrl_urb);
-		usb_free_urb(catc->tx_urb);
-		usb_free_urb(catc->rx_urb);
-		usb_free_urb(catc->irq_urb);
-		free_netdev(netdev);
-		return -EIO;
-	}
+	ret = register_netdev(netdev);
+	if (ret)
+		goto fail_clear_intfdata;
+
 	return 0;
+
+fail_clear_intfdata:
+	usb_set_intfdata(intf, NULL);
+fail_free:
+	usb_free_urb(catc->ctrl_urb);
+	usb_free_urb(catc->tx_urb);
+	usb_free_urb(catc->rx_urb);
+	usb_free_urb(catc->irq_urb);
+	free_netdev(netdev);
+	return ret;
 }
 
 static void catc_disconnect(struct usb_interface *intf)
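
Review bot: the register_netdev() failure path now returns ret instead of
the previous hard-coded -EIO, which changes the error code the probe
reports, and the commit message has no body to say so. Please mention the
changed return value in the changelog. The fail_free label is also reached
from the "No free urbs available" branch, where some of the four URBs are
NULL; that is fine only because usb_free_urb() accepts NULL, and a comment
at the label would make it explicit.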

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 258/370] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (316 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 277/370] ALSA: seq: Don't handle loop timeout at snd_seq_pool_done() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 237/370] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Ben Hutchings
                   ` (53 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Thelen, Hugh Dickins, Nicholas Piggin, Kees Cook,
	Oleg Nesterov, Willy Tarreau, Keno Fischer, Linus Torvalds,
	Kirill A. Shutemov, Michal Hocko, Andy Lutomirski

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keno Fischer <keno@juliacomputing.com>

commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream.

In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE
after a COW was resolved to setting the (newly introduced) FOLL_COW
instead.  Simultaneously, the check in gup.c was updated to still allow
writes with FOLL_FORCE set if FOLL_COW had also been set.

However, a similar check in huge_memory.c was forgotten.  As a result,
remote memory writes to ro regions of memory backed by transparent huge
pages cause an infinite loop in the kernel (handle_mm_fault sets
FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails
out immediately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is
true).

While in this state the process is still SIGKILLable, but little else
works (e.g.  no ptrace attach, no other signals).  This is easily
reproduced with the following code (assuming thp are set to always):

    #include <assert.h>
    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>

    #define TEST_SIZE 5 * 1024 * 1024

    int main(void) {
      int status;
      pid_t child;
      int fd = open("/proc/self/mem", O_RDWR);
      void *addr = mmap(NULL, TEST_SIZE, PROT_READ,
                        MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
      assert(addr != MAP_FAILED);
      pid_t parent_pid = getpid();
      if ((child = fork()) == 0) {
        void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE,
                           MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        assert(addr2 != MAP_FAILED);
        memset(addr2, 'a', TEST_SIZE);
        pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr);
        return 0;
      }
      assert(child == waitpid(child, &status, 0));
      assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
      return 0;
    }

Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously
to the update in gup.c in the original commit.  The same pattern exists
in follow_devmap_pmd.  However, we should not be able to reach that
check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we
ever do.

[akpm@linux-foundation.org: coding-style fixes]
Link: http://lkml.kernel.org/r/20170106015025.GA38411@juliacomputing.com
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Drop change to follow_devmap_pmd()
 - pmd_dirty() is not available; check the page flags as in older
   backports of can_follow_write_pte()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1192,6 +1192,18 @@ out_unlock:
 	return ret;
 }
 
+/*
+ * FOLL_FORCE can write to even unwritable pmd's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pmd(pmd_t pmd, struct page *page,
+					unsigned int flags)
+{
+	return pmd_write(pmd) ||
+		((flags & FOLL_FORCE) && (flags & FOLL_COW) &&
+		 page && PageAnon(page));
+}
+
 struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 				   unsigned long addr,
 				   pmd_t *pmd,
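
Review bot: the comment on can_follow_write_pmd() says the pmd must be
dirty after the COW cycle, but the helper tests `page && PageAnon(page)`
rather than a dirty bit. The backport note explains that pmd_dirty() is
not available in 3.16; the code comment should say the same, for example
that an anonymous page is used as the sign of a completed COW, so the
code and its documentation agree.
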
@@ -1202,9 +1214,6 @@ struct page *follow_trans_huge_pmd(struc
 
 	assert_spin_locked(pmd_lockptr(mm, pmd));
 
-	if (flags & FOLL_WRITE && !pmd_write(*pmd))
-		goto out;
-
 	/* Avoid dumping huge zero page */
 	if ((flags & FOLL_DUMP) && is_huge_zero_pmd(*pmd))
 		return ERR_PTR(-EFAULT);
@@ -1215,6 +1224,10 @@ struct page *follow_trans_huge_pmd(struc
 
 	page = pmd_page(*pmd);
 	VM_BUG_ON_PAGE(!PageHead(page), page);
+
+	if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, page, flags))
+		goto out;
+
 	if (flags & FOLL_TOUCH) {
 		pmd_t _pmd;
 		/*
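
Review bot: the FOLL_WRITE test has moved from the top of
follow_trans_huge_pmd() to after pmd_page(), so the FOLL_DUMP
huge-zero-page check and the code between the two hunks now run first for
a forced write to a read-only pmd. A sentence in the backport note or a
comment here confirming that the intervening code has no side effects on
the `goto out` path would make the reordering easier to review.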

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 218/370] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (287 preceding siblings ...)
  2017-03-10 11:46   ` Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 295/370] net/llc: avoid BUG_ON() in skb_orphan() Ben Hutchings
                   ` (82 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Daniel Lezcano, Linus Walleij

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit f0e8faa7a5e894b0fc99d24be1b18685a92ea466 upstream.

This function clearly never worked and always returns true,
as pointed out by gcc-7:

arch/arm/mach-ux500/pm.c: In function 'prcmu_is_cpu_in_wfi':
arch/arm/mach-ux500/pm.c:137:212: error: ?:
using integer constants in boolean context, the expression
will always evaluate to 'true' [-Werror=int-in-bool-context]

With the added braces, the condition actually makes sense.

Fixes: 34fe6f107eab ("mfd : Check if the other db8500 core is in WFI")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-ux500/pm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/mach-ux500/pm.c
+++ b/arch/arm/mach-ux500/pm.c
@@ -131,8 +131,8 @@ bool prcmu_pending_irq(void)
  */
 bool prcmu_is_cpu_in_wfi(int cpu)
 {
-	return readl(PRCM_ARM_WFI_STANDBY) & cpu ? PRCM_ARM_WFI_STANDBY_WFI1 :
-		     PRCM_ARM_WFI_STANDBY_WFI0;
+	return readl(PRCM_ARM_WFI_STANDBY) &
+		(cpu ? PRCM_ARM_WFI_STANDBY_WFI1 : PRCM_ARM_WFI_STANDBY_WFI0);
 }
 
 /*
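
Review bot: with the parentheses in place, `cpu` is used only as zero
versus non-zero, so any cpu other than 0 selects
PRCM_ARM_WFI_STANDBY_WFI1, and the masked readl() value is converted to
bool on return. That is fine if only CPUs 0 and 1 exist, but the kerneldoc
above the function should say the argument is limited to 0 or 1, or the
function should reject other values.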

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 260/370] drm/i915: Don't leak edid in intel_crt_detect_ddc()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
@ 2017-03-10 11:46   ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 145/370] PM / devfreq: Add proper locking around list_del() Ben Hutchings
                     ` (370 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jani Nikula, Jani Nikula, Daniel Vetter, intel-gfx,
	Daniel Vetter, Ander Conselvan de Oliveira, Chris Wilson,
	Ville Syrjälä

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>

commit c34f078675f505c4437919bb1897b1351f16a050 upstream.

In the path where intel_crt_detect_ddc() detects a CRT, it would return
true without freeing the edid.

Fixes: a2bd1f541f19 ("drm/i915: check whether we actually received an edid in detect_ddc")
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-1-git-send-email-ander.conselvan.de.oliveira@intel.com
(cherry picked from commit c96b63a6a7ac4bd670ec2e663793a9a31418b790)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_crt.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/i915/intel_crt.c
+++ b/drivers/gpu/drm/i915/intel_crt.c
@@ -477,6 +477,7 @@ static bool intel_crt_detect_ddc(struct
 	struct drm_i915_private *dev_priv = crt->base.base.dev->dev_private;
 	struct edid *edid;
 	struct i2c_adapter *i2c;
+	bool ret = false;
 
 	BUG_ON(crt->base.type != INTEL_OUTPUT_ANALOG);
 
@@ -493,17 +494,17 @@ static bool intel_crt_detect_ddc(struct
 		 */
 		if (!is_digital) {
 			DRM_DEBUG_KMS("CRT detected via DDC:0x50 [EDID]\n");
-			return true;
+			ret = true;
+		} else {
+			DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n");
 		}
-
-		DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n");
 	} else {
 		DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [no valid EDID found]\n");
 	}
 
 	kfree(edid);
 
-	return false;
+	return ret;
 }
 
 static enum drm_connector_status

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 263/370] ISDN: eicon: silence misleading array-bounds warning
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (303 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 227/370] net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 271/370] USB: serial: pl2303: add ATEN device ID Ben Hutchings
                   ` (66 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 950eabbd6ddedc1b08350b9169a6a51b130ebaaf upstream.

With some gcc versions, we get a warning about the eicon driver,
and that currently shows up as the only remaining warning in one
of the build bots:

In file included from ../drivers/isdn/hardware/eicon/message.c:30:0:
eicon/message.c: In function 'mixer_notify_update':
eicon/platform.h:333:18: warning: array subscript is above array bounds [-Warray-bounds]

The code is easily changed to open-code the unusual PUT_WORD() line
causing this to avoid the warning.

Link: http://arm-soc.lixom.net/buildlogs/stable-rc/v4.4.45/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/isdn/hardware/eicon/message.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/isdn/hardware/eicon/message.c
+++ b/drivers/isdn/hardware/eicon/message.c
@@ -11304,7 +11304,8 @@ static void mixer_notify_update(PLCI *pl
 				((CAPI_MSG *) msg)->header.ncci = 0;
 				((CAPI_MSG *) msg)->info.facility_req.Selector = SELECTOR_LINE_INTERCONNECT;
 				((CAPI_MSG *) msg)->info.facility_req.structs[0] = 3;
-				PUT_WORD(&(((CAPI_MSG *) msg)->info.facility_req.structs[1]), LI_REQ_SILENT_UPDATE);
+				((CAPI_MSG *) msg)->info.facility_req.structs[1] = LI_REQ_SILENT_UPDATE & 0xff;
+				((CAPI_MSG *) msg)->info.facility_req.structs[2] = LI_REQ_SILENT_UPDATE >> 8;
 				((CAPI_MSG *) msg)->info.facility_req.structs[3] = 0;
 				w = api_put(notify_plci->appl, (CAPI_MSG *) msg);
 				if (w != _QUEUE_FULL)
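
Review bot: the two new assignments to structs[1] and structs[2] open-code
a low-byte-first 16-bit store, but nothing in the code says that this
replaces PUT_WORD() to avoid the -Warray-bounds warning. Add a one-line
comment to that effect so the pair is not folded back into PUT_WORD()
later; with `LI_REQ_SILENT_UPDATE & 0xff` and `LI_REQ_SILENT_UPDATE >> 8`
it also assumes the constant fits in 16 bits, which is worth stating.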

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 229/370] clocksource/exynos_mct: Clear interrupt when cpu is shut down
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 028/370] powerpc/ibmebus: Fix device reference leaks in sysfs interface Ben Hutchings
@ 2017-03-10 11:46   ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 077/370] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO Ben Hutchings
                     ` (369 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, daniel.lezcano, kgene, Thomas Gleixner, Seung-Woo Kim,
	linux-arm-kernel, javier, cw00.choi, krzk, linux-samsung-soc,
	Joonyoung Shim

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joonyoung Shim <jy0922.shim@samsung.com>

commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.

When a CPU goes offline a potentially pending timer interrupt is not
cleared. When the CPU comes online again then the pending interrupt is
delivered before the per cpu clockevent device is initialized. As a
consequence the tick interrupt handler dereferences a NULL pointer.

[   51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
[   51.289348] task: ee942d00 task.stack: ee960000
[   51.293861] PC is at tick_periodic+0x38/0xb0
[   51.298102] LR is at tick_handle_periodic+0x1c/0x90

Clear the pending interrupt in the cpu dying path.

Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Cc: linux-samsung-soc@vger.kernel.org
Cc: cw00.choi@samsung.com
Cc: daniel.lezcano@linaro.org
Cc: javier@osg.samsung.com
Cc: kgene@kernel.org
Cc: krzk@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: add definition of the 'mevt' variable, added earlier
 upstream]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -458,10 +458,15 @@ static int exynos4_local_timer_setup(str
 
 static void exynos4_local_timer_stop(struct clock_event_device *evt)
 {
+	struct mct_clock_event_device *mevt;
+
+	mevt = container_of(evt, struct mct_clock_event_device, evt);
+
 	evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
 			disable_irq_nosync(evt->irq);
+		exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
 	} else {
 		disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
 	}
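
Review bot: the added exynos4_mct_write() sits only in the
`mct_int_type == MCT_INT_SPI` branch, so the `else` path that calls
disable_percpu_irq() still leaves a pending tick uncleared, and the write
also runs when `evt->irq != -1` was false and the disable was skipped. If
the per-CPU interrupt case cannot hit the NULL dereference described in
the changelog, say so in a comment; the bare 0x1 written to
MCT_L_INT_CSTAT_OFFSET would also read better with a named constant.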

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 262/370] nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 242/370] tcp: initialize max window for a new fastopen socket Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 367/370] kvm: fix page struct leak in handle_vmon Ben Hutchings
                   ` (87 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chuck Lever, Xuan Qi, Trond Myklebust

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 406dab8450ec76eca88a1af2fc15d18a2b36ca49 upstream.

Lock sequence IDs are bumped in decode_lock by calling
nfs_increment_seqid(). nfs_increment_seqid() does not use the
seqid_mutating_err() function fixed in commit 059aa7348241 ("Don't
increment lock sequence ID after NFS4ERR_MOVED").

Fixes: 059aa7348241 ("Don't increment lock sequence ID after ...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Xuan Qi <xuan.qi@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/nfs4state.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1086,6 +1086,7 @@ static void nfs_increment_seqid(int stat
 		case -NFS4ERR_BADXDR:
 		case -NFS4ERR_RESOURCE:
 		case -NFS4ERR_NOFILEHANDLE:
+		case -NFS4ERR_MOVED:
 			/* Non-seqid mutating errors */
 			return;
 	};
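
Review bot: adding -NFS4ERR_MOVED to this switch fixes the immediate miss,
but the changelog notes that nfs_increment_seqid() keeps its own list
instead of using seqid_mutating_err(), which is how the two diverged.
Consider having this function call seqid_mutating_err(), or at least add a
comment that both lists must be updated together. The `};` closing the
switch also carries a stray semicolon.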

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 264/370] ARC: [arcompact] handle unaligned access delay slot corner case
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (278 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 349/370] tcp: fix tcp_fastopen unaligned access complaints on sparc Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 246/370] powerpc/ptrace: Preserve previous fprs/vsrs on short regset write Ben Hutchings
                   ` (91 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vineet Gupta

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit 9aed02feae57bf7a40cb04ea0e3017cb7a998db4 upstream.

After emulating an unaligned access in delay slot of a branch, we
pretend as if the delay slot never happened - so return back to actual
branch target (or next PC if branch was not taken).

Currently we did this by handling STATUS32.DE, we also need to clear the
BTA.T bit, which is disregarded when returning from original misaligned
exception, but could cause weirdness if it took the interrupt return
path (in case interrupt was active too).

One ARC700 customer ran into this when enabling unaligned access fixup
for kernel mode accesses as well.

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/kernel/unaligned.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arc/kernel/unaligned.c
+++ b/arch/arc/kernel/unaligned.c
@@ -240,8 +240,9 @@ int misaligned_fixup(unsigned long addre
 	if (state.fault)
 		goto fault;
 
+	/* clear any remanants of delay slot */
 	if (delay_mode(regs)) {
-		regs->ret = regs->bta;
+		regs->ret = regs->bta ~1U;
 		regs->status32 &= ~STATUS_DE_MASK;
 	} else {
 		regs->ret += state.instr_len;
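
Review bot: the added line `regs->ret = regs->bta ~1U;` has no binary
operator between regs->bta and ~1U and will not compile; to clear the low
bit as the changelog describes it needs `regs->bta & ~1U`. The new comment
also misspells "remnants" as "remanants".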

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 265/370] parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (340 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 207/370] gro: Disable frag0 optimization on IPv6 ext headers Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 359/370] macvtap: read vnet_hdr_size once Ben Hutchings
                   ` (29 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Helge Deller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit 2ad5d52d42810bed95100a3d912679d8864421ec upstream.

In swab.h the "#if BITS_PER_LONG > 32" breaks compiling userspace programs if
BITS_PER_LONG is #defined by userspace with the sizeof() compiler builtin.

Solve this problem by using __BITS_PER_LONG instead.  Since we now
#include asm/bitsperlong.h avoid further potential userspace pollution
by moving the #define of SHIFT_PER_LONG to bitops.h which is not
exported to userspace.

This patch unbreaks compiling qemu on hppa/parisc.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/parisc/include/asm/bitops.h           | 8 +++++++-
 arch/parisc/include/uapi/asm/bitsperlong.h | 2 --
 arch/parisc/include/uapi/asm/swab.h        | 5 +++--
 3 files changed, 10 insertions(+), 5 deletions(-)

--- a/arch/parisc/include/asm/bitops.h
+++ b/arch/parisc/include/asm/bitops.h
@@ -6,7 +6,7 @@
 #endif
 
 #include <linux/compiler.h>
-#include <asm/types.h>		/* for BITS_PER_LONG/SHIFT_PER_LONG */
+#include <asm/types.h>
 #include <asm/byteorder.h>
 #include <asm/barrier.h>
 #include <linux/atomic.h>
@@ -17,6 +17,12 @@
  * to include/asm-i386/bitops.h or kerneldoc
  */
 
+#if __BITS_PER_LONG == 64
+#define SHIFT_PER_LONG 6
+#else
+#define SHIFT_PER_LONG 5
+#endif
+
 #define CHOP_SHIFTCOUNT(x) (((unsigned long) (x)) & (BITS_PER_LONG - 1))
 
 
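Review bot: the new `#if __BITS_PER_LONG == 64` block in bitops.h relies on `__BITS_PER_LONG` arriving through one of the existing includes, and none of the includes visible in the first hunk is asm/bitsperlong.h. An undefined macro in `#if` evaluates to 0, so a missing definition would silently select `SHIFT_PER_LONG 5` instead of failing the build. Including <asm/bitsperlong.h> explicitly, as the swab.h hunk does, would make the dependency visible. The block also tests `__BITS_PER_LONG` while `CHOP_SHIFTCOUNT` directly below it uses `BITS_PER_LONG`; since this header is kernel-only, using one spelling for both would read more consistently.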
--- a/arch/parisc/include/uapi/asm/bitsperlong.h
+++ b/arch/parisc/include/uapi/asm/bitsperlong.h
@@ -9,10 +9,8 @@
  */
 #if (defined(__KERNEL__) && defined(CONFIG_64BIT)) || defined (__LP64__)
 #define __BITS_PER_LONG 64
-#define SHIFT_PER_LONG 6
 #else
 #define __BITS_PER_LONG 32
-#define SHIFT_PER_LONG 5
 #endif
 
 #include <asm-generic/bitsperlong.h>
--- a/arch/parisc/include/uapi/asm/swab.h
+++ b/arch/parisc/include/uapi/asm/swab.h
@@ -1,6 +1,7 @@
 #ifndef _PARISC_SWAB_H
 #define _PARISC_SWAB_H
 
+#include <asm/bitsperlong.h>
 #include <linux/types.h>
 #include <linux/compiler.h>
 
@@ -38,7 +39,7 @@ static inline __attribute_const__ __u32
 }
 #define __arch_swab32 __arch_swab32
 
-#if BITS_PER_LONG > 32
+#if __BITS_PER_LONG > 32
 /*
 ** From "PA-RISC 2.0 Architecture", HP Professional Books.
 ** See Appendix I page 8 , "Endian Byte Swapping".
@@ -61,6 +62,6 @@ static inline __attribute_const__ __u64
 	return x;
 }
 #define __arch_swab64 __arch_swab64
-#endif /* BITS_PER_LONG > 32 */
+#endif /* __BITS_PER_LONG > 32 */
 
 #endif /* _PARISC_SWAB_H */


* [PATCH 3.16 249/370] iio: dht11: Use usleep_range instead of msleep for start signal
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (259 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 204/370] USB: serial: ch341: fix baud rate and line-control handling Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 291/370] scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send Ben Hutchings
                   ` (110 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Harald Geyer, John Brooks, Jonathan Cameron

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Brooks <john@fastquake.com>

commit 5c113b5e0082e90d2e1c7b12e96a7b8cf0623e27 upstream.

The DHT22 (AM2302) datasheet specifies that the LOW start pulse should not
exceed 20ms. However, observations with an oscilloscope of an RPi Model 2B
(rev 1.1) communicating with a DHT22 sensor showed that the driver was
consistently sending start pulses longer than 20ms:

Kernel 4.7.10-v7+ (n=132):
    Minimum pulse length: 20.20ms
    Maximum:              29.84ms
    Mean:                 24.96ms
    StDev:                2.82ms
    Sensor response rate: 100%
    Read success rate:    76%

On kernel 4.8, the start pulse was so long that the sensor would not even
respond 97% of the time:

Kernel 4.8.16-v7+ (n=100):
    Minimum pulse length: 30.4ms
    Maximum:              74.4ms
    Mean:                 39.3ms
    StDev:                10.2ms
    Sensor response rate: 3%
    Read success rate:    3%

The driver would return ETIMEDOUT and write log messages like this:

[   51.430987] dht11 dht11@0: Only 1 signal edges detected
[   66.311019] dht11 dht11@0: Only 0 signal edges detected

Replacing msleep(18) with usleep_range(18000, 20000) made the pulse length
sane again and restored responsiveness:

Kernel 4.8.16-v7+ with usleep_range (n=123):
    Minimum pulse length: 18.16ms
    Maximum:              20.20ms
    Mean:                 19.85ms
    StDev:                0.51ms
    Sensor response rate: 100%
    Read success rate:    84%

Signed-off-by: John Brooks <john@fastquake.com>
Reviewed-by: Harald Geyer <harald@ccbib.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/humidity/dht11.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/iio/humidity/dht11.c
+++ b/drivers/iio/humidity/dht11.c
@@ -44,7 +44,8 @@
 #define DHT11_EDGES_PER_READ (2*DHT11_BITS_PER_READ + DHT11_EDGES_PREAMBLE + 1)
 
 /* Data transmission timing (nano seconds) */
-#define DHT11_START_TRANSMISSION	18  /* ms */
+#define DHT11_START_TRANSMISSION_MIN	18000  /* us */
+#define DHT11_START_TRANSMISSION_MAX	20000  /* us */
 #define DHT11_SENSOR_RESPONSE	80000
 #define DHT11_START_BIT		50000
 #define DHT11_DATA_BIT_LOW	27000
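Review bot: the two new `DHT11_START_TRANSMISSION_MIN`/`_MAX` defines are in microseconds but sit under the comment "Data transmission timing (nano seconds)", next to values such as `DHT11_SENSOR_RESPONSE 80000` that are in nanoseconds. The trailing `/* us */` helps, but 18000 and 20000 are easy to misread as nanoseconds in this block. Moving the two defines above the comment, or giving them a `_US` suffix, would remove the ambiguity.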
@@ -152,7 +153,8 @@ static int dht11_read_raw(struct iio_dev
 		ret = gpio_direction_output(dht11->gpio, 0);
 		if (ret)
 			goto err;
-		msleep(DHT11_START_TRANSMISSION);
+		usleep_range(DHT11_START_TRANSMISSION_MIN,
+			     DHT11_START_TRANSMISSION_MAX);
 		ret = gpio_direction_input(dht11->gpio);
 		if (ret)
 			goto err;


* [PATCH 3.16 251/370] crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (210 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 197/370] USB: serial: ch341: add register and USB request definitions Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 307/370] Fix missing sanity check in /dev/sg Ben Hutchings
                   ` (159 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 11e3b725cfc282efe9d4a354153e99d86a16af08 upstream.

Update the ARMv8 Crypto Extensions and the plain NEON AES implementations
in CBC and CTR modes to return the next IV back to the skcipher API client.
This is necessary for chaining to work correctly.

Note that for CTR, this is only done if the request is a round multiple of
the block size, since otherwise, chaining is impossible anyway.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/aes-modes.S | 88 +++++++++++++++++++++----------------------
 1 file changed, 42 insertions(+), 46 deletions(-)

--- a/arch/arm64/crypto/aes-modes.S
+++ b/arch/arm64/crypto/aes-modes.S
@@ -193,15 +193,16 @@ AES_ENTRY(aes_cbc_encrypt)
 	cbz		w6, .Lcbcencloop
 
 	ld1		{v0.16b}, [x5]			/* get iv */
-	enc_prepare	w3, x2, x5
+	enc_prepare	w3, x2, x6
 
 .Lcbcencloop:
 	ld1		{v1.16b}, [x1], #16		/* get next pt block */
 	eor		v0.16b, v0.16b, v1.16b		/* ..and xor with iv */
-	encrypt_block	v0, w3, x2, x5, w6
+	encrypt_block	v0, w3, x2, x6, w7
 	st1		{v0.16b}, [x0], #16
 	subs		w4, w4, #1
 	bne		.Lcbcencloop
+	st1		{v0.16b}, [x5]			/* return iv */
 	ret
 AES_ENDPROC(aes_cbc_encrypt)
 
@@ -211,7 +212,7 @@ AES_ENTRY(aes_cbc_decrypt)
 	cbz		w6, .LcbcdecloopNx
 
 	ld1		{v7.16b}, [x5]			/* get iv */
-	dec_prepare	w3, x2, x5
+	dec_prepare	w3, x2, x6
 
 .LcbcdecloopNx:
 #if INTERLEAVE >= 2
@@ -248,7 +249,7 @@ AES_ENTRY(aes_cbc_decrypt)
 .Lcbcdecloop:
 	ld1		{v1.16b}, [x1], #16		/* get next ct block */
 	mov		v0.16b, v1.16b			/* ...and copy to v0 */
-	decrypt_block	v0, w3, x2, x5, w6
+	decrypt_block	v0, w3, x2, x6, w7
 	eor		v0.16b, v0.16b, v7.16b		/* xor with iv => pt */
 	mov		v7.16b, v1.16b			/* ct is next iv */
 	st1		{v0.16b}, [x0], #16
@@ -256,6 +257,7 @@ AES_ENTRY(aes_cbc_decrypt)
 	bne		.Lcbcdecloop
 .Lcbcdecout:
 	FRAME_POP
+	st1		{v7.16b}, [x5]			/* return iv */
 	ret
 AES_ENDPROC(aes_cbc_decrypt)
 
@@ -267,24 +269,15 @@ AES_ENDPROC(aes_cbc_decrypt)
 
 AES_ENTRY(aes_ctr_encrypt)
 	FRAME_PUSH
-	cbnz		w6, .Lctrfirst		/* 1st time around? */
-	umov		x5, v4.d[1]		/* keep swabbed ctr in reg */
-	rev		x5, x5
-#if INTERLEAVE >= 2
-	cmn		w5, w4			/* 32 bit overflow? */
-	bcs		.Lctrinc
-	add		x5, x5, #1		/* increment BE ctr */
-	b		.LctrincNx
-#else
-	b		.Lctrinc
-#endif
-.Lctrfirst:
+	cbz		w6, .Lctrnotfirst	/* 1st time around? */
 	enc_prepare	w3, x2, x6
 	ld1		{v4.16b}, [x5]
-	umov		x5, v4.d[1]		/* keep swabbed ctr in reg */
-	rev		x5, x5
+
+.Lctrnotfirst:
+	umov		x8, v4.d[1]		/* keep swabbed ctr in reg */
+	rev		x8, x8
 #if INTERLEAVE >= 2
-	cmn		w5, w4			/* 32 bit overflow? */
+	cmn		w8, w4			/* 32 bit overflow? */
 	bcs		.Lctrloop
 .LctrloopNx:
 	subs		w4, w4, #INTERLEAVE
@@ -292,11 +285,11 @@ AES_ENTRY(aes_ctr_encrypt)
 #if INTERLEAVE == 2
 	mov		v0.8b, v4.8b
 	mov		v1.8b, v4.8b
-	rev		x7, x5
-	add		x5, x5, #1
+	rev		x7, x8
+	add		x8, x8, #1
 	ins		v0.d[1], x7
-	rev		x7, x5
-	add		x5, x5, #1
+	rev		x7, x8
+	add		x8, x8, #1
 	ins		v1.d[1], x7
 	ld1		{v2.16b-v3.16b}, [x1], #32	/* get 2 input blocks */
 	do_encrypt_block2x
@@ -305,7 +298,7 @@ AES_ENTRY(aes_ctr_encrypt)
 	st1		{v0.16b-v1.16b}, [x0], #32
 #else
 	ldr		q8, =0x30000000200000001	/* addends 1,2,3[,0] */
-	dup		v7.4s, w5
+	dup		v7.4s, w8
 	mov		v0.16b, v4.16b
 	add		v7.4s, v7.4s, v8.4s
 	mov		v1.16b, v4.16b
@@ -323,18 +316,12 @@ AES_ENTRY(aes_ctr_encrypt)
 	eor		v2.16b, v7.16b, v2.16b
 	eor		v3.16b, v5.16b, v3.16b
 	st1		{v0.16b-v3.16b}, [x0], #64
-	add		x5, x5, #INTERLEAVE
+	add		x8, x8, #INTERLEAVE
 #endif
-	cbz		w4, .LctroutNx
-.LctrincNx:
-	rev		x7, x5
+	rev		x7, x8
 	ins		v4.d[1], x7
+	cbz		w4, .Lctrout
 	b		.LctrloopNx
-.LctroutNx:
-	sub		x5, x5, #1
-	rev		x7, x5
-	ins		v4.d[1], x7
-	b		.Lctrout
 .Lctr1x:
 	adds		w4, w4, #INTERLEAVE
 	beq		.Lctrout
@@ -342,30 +329,39 @@ AES_ENTRY(aes_ctr_encrypt)
 .Lctrloop:
 	mov		v0.16b, v4.16b
 	encrypt_block	v0, w3, x2, x6, w7
+
+	adds		x8, x8, #1		/* increment BE ctr */
+	rev		x7, x8
+	ins		v4.d[1], x7
+	bcs		.Lctrcarry		/* overflow? */
+
+.Lctrcarrydone:
 	subs		w4, w4, #1
 	bmi		.Lctrhalfblock		/* blocks < 0 means 1/2 block */
 	ld1		{v3.16b}, [x1], #16
 	eor		v3.16b, v0.16b, v3.16b
 	st1		{v3.16b}, [x0], #16
-	beq		.Lctrout
-.Lctrinc:
-	adds		x5, x5, #1		/* increment BE ctr */
-	rev		x7, x5
-	ins		v4.d[1], x7
-	bcc		.Lctrloop		/* no overflow? */
-	umov		x7, v4.d[0]		/* load upper word of ctr  */
-	rev		x7, x7			/* ... to handle the carry */
-	add		x7, x7, #1
-	rev		x7, x7
-	ins		v4.d[0], x7
-	b		.Lctrloop
+	bne		.Lctrloop
+
+.Lctrout:
+	st1		{v4.16b}, [x5]		/* return next CTR value */
+	FRAME_POP
+	ret
+
 .Lctrhalfblock:
 	ld1		{v3.8b}, [x1]
 	eor		v3.8b, v0.8b, v3.8b
 	st1		{v3.8b}, [x0]
-.Lctrout:
 	FRAME_POP
 	ret
+
+.Lctrcarry:
+	umov		x7, v4.d[0]		/* load upper word of ctr  */
+	rev		x7, x7			/* ... to handle the carry */
+	add		x7, x7, #1
+	rev		x7, x7
+	ins		v4.d[0], x7
+	b		.Lctrcarrydone
 AES_ENDPROC(aes_ctr_encrypt)
 	.ltorg
 
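Review bot: in this last hunk the `.Lctrhalfblock` exit does `FRAME_POP`/`ret` without the `st1 {v4.16b}, [x5]` that `.Lctrout` now performs, so the two exits of aes_ctr_encrypt differ in whether the next counter is written back. The commit message says this is intentional (no IV is returned when the request is not a multiple of the block size), but nothing in the assembly says so. A short comment at `.Lctrhalfblock` would stop a later reader from treating the missing store as an oversight. The same goes for the register change: the counter now lives in x8 so that x5 keeps pointing at the IV buffer, which is worth stating once near `.Lctrnotfirst`.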


* [PATCH 3.16 255/370] ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (360 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 256/370] SUNRPC: cleanup ida information when removing sunrpc module Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 347/370] igmp: Make igmp group member RFC 3376 compliant Ben Hutchings
                   ` (9 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Kozlov, David S. Miller, Eric Dumazet

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 21b995a9cb093fff33ec91d7cb3822b882a90a1e upstream.

Since ip6_tnl_parse_tlv_enc_lim() can call pskb_may_pull(),
we must reload any pointer that was related to skb->head
(or skb->data), or risk use after free.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Dmitry Kozlov <xeb@mail.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_gre.c    | 3 +++
 net/ipv6/ip6_tunnel.c | 2 ++
 2 files changed, 5 insertions(+)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -819,6 +819,9 @@ static inline int ip6gre_xmit_ipv6(struc
 		return -1;
 
 	offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+	/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+	ipv6h = ipv6_hdr(skb);
+
 	if (offset > 0) {
 		struct ipv6_tlv_tnl_enc_lim *tel;
 		tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1118,6 +1118,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
 		return -1;
 
 	offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+	/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+	ipv6h = ipv6_hdr(skb);
 	if (offset > 0) {
 		struct ipv6_tlv_tnl_enc_lim *tel;
 		tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];
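Review bot: the same two-line reload of `ipv6h` after `ip6_tnl_parse_tlv_enc_lim()` is added in both ip6gre_xmit_ipv6() and ip6ip6_tnl_xmit(), which leaves the invariant documented only at these two call sites. The commit message states the underlying rule (the function can call pskb_may_pull(), so any pointer derived from skb->head or skb->data is stale afterwards); putting that sentence in a comment at the definition of ip6_tnl_parse_tlv_enc_lim() would cover future callers as well. Minor style point: the ip6_gre.c hunk adds a blank line after the reload and this hunk does not.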


* [PATCH 3.16 231/370] qla2xxx: Fix crash due to null pointer access
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (300 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 317/370] net: bridge: fix old ioctl unlocked net device walk Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 355/370] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Ben Hutchings
                   ` (69 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Quinn Tran, Himanshu Madhani, Bart Van Assche, Christoph Hellwig

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Quinn Tran <quinn.tran@cavium.com>

commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.

During code inspection, while investigating following stack trace
seen on one of the test setup, we found out there was possibility
of memory leak because driver was not unwinding the stack properly.

This issue has not been reproduced in a test environment or on a
customer setup.

Here's stack trace that was seen.

[1469877.797315] Call Trace:
[1469877.799940]  [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
[1469877.806980]  [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
[1469877.814013]  [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
[1469877.820265]  [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
[1469877.826776]  [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
[1469877.833720]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
[1469877.839885]  [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
[1469877.846830]  [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
[1469877.852562]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
[1469877.858727]  [<ffffffff81319c89>] pci_call_probe+0x89/0xb0

Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
[ bvanassche: Fixed spelling in patch description ]
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_os.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3393,7 +3393,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
 				sizeof(struct ct6_dsd), 0,
 				SLAB_HWCACHE_ALIGN, NULL);
 			if (!ctx_cachep)
-				goto fail_free_gid_list;
+				goto fail_free_srb_mempool;
 		}
 		ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
 			ctx_cachep);
@@ -3546,7 +3546,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
 	ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
 	    GFP_KERNEL);
 	if (!ha->loop_id_map)
-		goto fail_async_pd;
+		goto fail_loop_id_map;
 	else {
 		qla2x00_set_reserved_loop_ids(ha);
 		ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
@@ -3555,6 +3555,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha
 
 	return 0;
 
+fail_loop_id_map:
+	dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
 fail_async_pd:
 	dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
 fail_ex_init_cb:
@@ -3582,6 +3584,10 @@ fail_free_ms_iocb:
 	dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
 	ha->ms_iocb = NULL;
 	ha->ms_iocb_dma = 0;
+
+	if (ha->sns_cmd)
+		dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
+		    ha->sns_cmd, ha->sns_cmd_dma);
 fail_dma_pool:
 	if (IS_QLA82XX(ha) || ql2xenabledif) {
 		dma_pool_destroy(ha->fcp_cmnd_dma_pool);
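Review bot: the added `dma_free_coherent()` for `ha->sns_cmd` does not reset the pointer afterwards, unlike the `ms_iocb` cleanup directly above it, which sets `ha->ms_iocb = NULL;` and `ha->ms_iocb_dma = 0;`. If any later teardown path also tests `ha->sns_cmd`, the stale pointer would lead to a second free. Adding `ha->sns_cmd = NULL;` and `ha->sns_cmd_dma = 0;` inside the `if` would match the surrounding pattern. The free is also placed under the `fail_free_ms_iocb` label without a label of its own, so it would help to note in a comment which allocation failures are expected to reach it with `sns_cmd` set.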
@@ -3599,10 +3605,12 @@ fail_free_nvram:
 	kfree(ha->nvram);
 	ha->nvram = NULL;
 fail_free_ctx_mempool:
-	mempool_destroy(ha->ctx_mempool);
+	if (ha->ctx_mempool)
+		mempool_destroy(ha->ctx_mempool);
 	ha->ctx_mempool = NULL;
 fail_free_srb_mempool:
-	mempool_destroy(ha->srb_mempool);
+	if (ha->srb_mempool)
+		mempool_destroy(ha->srb_mempool);
 	ha->srb_mempool = NULL;
 fail_free_gid_list:
 	dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),


* [PATCH 3.16 233/370] can: c_can_pci: fix null-pointer-deref in c_can_start() - set device pointer
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (271 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 304/370] packet: call fanout_release, while UNREGISTERING a netdev Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 241/370] arm64: avoid returning from bad_mode Ben Hutchings
                   ` (98 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Einar Jón

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Einar Jón <tolvupostur@gmail.com>

commit c97c52be78b8463ac5407f1cf1f22f8f6cf93a37 upstream.

The priv->device pointer for c_can_pci is never set, but it is used
without a NULL check in c_can_start(). Setting it in c_can_pci_probe()
like c_can_plat_probe() prevents c_can_pci.ko from crashing, with and
without CONFIG_PM.

This might also cause the pm_runtime_*() functions in c_can.c to
actually be executed for c_can_pci devices - they are the only other
place where priv->device is used, but they all contain a null check.

Signed-off-by: Einar Jón <tolvupostur@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/c_can/c_can_pci.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/c_can/c_can_pci.c
+++ b/drivers/net/can/c_can/c_can_pci.c
@@ -161,6 +161,7 @@ static int c_can_pci_probe(struct pci_de
 
 	dev->irq = pdev->irq;
 	priv->base = addr;
+	priv->device = &pdev->dev;
 
 	if (!c_can_pci_data->freq) {
 		dev_err(&pdev->dev, "no clock frequency defined\n");


* [PATCH 3.16 254/370] nfs: Don't increment lock sequence ID after NFS4ERR_MOVED
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (201 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 257/370] netfilter: nft_log: restrict the log prefix length to 127 Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 297/370] mmc: core: fix multi-bit bus width without high-speed mode Ben Hutchings
                   ` (168 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chuck Lever, Xuan Qi, Trond Myklebust

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 059aa734824165507c65fd30a55ff000afd14983 upstream.

Xuan Qi reports that the Linux NFSv4 client failed to lock a file
that was migrated. The steps he observed on the wire:

1. The client sent a LOCK request to the source server
2. The source server replied NFS4ERR_MOVED
3. The client switched to the destination server
4. The client sent the same LOCK request to the destination
   server with a bumped lock sequence ID
5. The destination server rejected the LOCK request with
   NFS4ERR_BAD_SEQID

RFC 3530 section 8.1.5 provides a list of NFS errors which do not
bump a lock sequence ID.

However, RFC 3530 is now obsoleted by RFC 7530. In RFC 7530 section
9.1.7, this list has been updated by the addition of NFS4ERR_MOVED.

Reported-by: Xuan Qi <xuan.qi@oracle.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/nfs4.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -243,7 +243,7 @@ enum nfsstat4 {
 
 static inline bool seqid_mutating_err(u32 err)
 {
-	/* rfc 3530 section 8.1.5: */
+	/* See RFC 7530, section 9.1.7 */
 	switch (err) {
 	case NFS4ERR_STALE_CLIENTID:
 	case NFS4ERR_STALE_STATEID:
@@ -252,6 +252,7 @@ static inline bool seqid_mutating_err(u3
 	case NFS4ERR_BADXDR:
 	case NFS4ERR_RESOURCE:
 	case NFS4ERR_NOFILEHANDLE:
+	case NFS4ERR_MOVED:
 		return false;
 	};
 	return true;


* [PATCH 3.16 247/370] powerpc: Ignore reserved field in DCSR and PVR reads and writes
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 338/370] sock: fix sendmmsg for partial sendmsg Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 276/370] mac80211: Fix adding of mesh vendor IEs Ben Hutchings
                   ` (144 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Anton Blanchard

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <anton@samba.org>

commit 178f358208ceb8b38e5cff3f815e0db4a6a70a07 upstream.

IBM bit 31 (for the rest of us - bit 0) is a reserved field in the
instruction definition of mtspr and mfspr. Hardware is encouraged to
(and does) ignore it.

As a result, if userspace executes an mtspr DSCR with the reserved bit
set, we get a DSCR facility unavailable exception. The kernel fails to
match against the expected value/mask, and we silently return to
userspace to try and re-execute the same mtspr DSCR instruction. We
loop forever until the process is killed.

We should do something here, and it seems mirroring what hardware does
is the better option vs killing the process. While here, relax the
matching of mfspr PVR too.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/ppc-opcode.h | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/arch/powerpc/include/asm/ppc-opcode.h
+++ b/arch/powerpc/include/asm/ppc-opcode.h
@@ -149,7 +149,7 @@
 #define PPC_INST_MCRXR			0x7c000400
 #define PPC_INST_MCRXR_MASK		0xfc0007fe
 #define PPC_INST_MFSPR_PVR		0x7c1f42a6
-#define PPC_INST_MFSPR_PVR_MASK		0xfc1fffff
+#define PPC_INST_MFSPR_PVR_MASK		0xfc1ffffe
 #define PPC_INST_MSGSND			0x7c00019c
 #define PPC_INST_MSGSNDP		0x7c00011c
 #define PPC_INST_NOP			0x60000000
@@ -161,13 +161,13 @@
 #define PPC_INST_RFDI			0x4c00004e
 #define PPC_INST_RFMCI			0x4c00004c
 #define PPC_INST_MFSPR_DSCR		0x7c1102a6
-#define PPC_INST_MFSPR_DSCR_MASK	0xfc1fffff
+#define PPC_INST_MFSPR_DSCR_MASK	0xfc1ffffe
 #define PPC_INST_MTSPR_DSCR		0x7c1103a6
-#define PPC_INST_MTSPR_DSCR_MASK	0xfc1fffff
+#define PPC_INST_MTSPR_DSCR_MASK	0xfc1ffffe
 #define PPC_INST_MFSPR_DSCR_USER	0x7c0302a6
-#define PPC_INST_MFSPR_DSCR_USER_MASK	0xfc1fffff
+#define PPC_INST_MFSPR_DSCR_USER_MASK	0xfc1ffffe
 #define PPC_INST_MTSPR_DSCR_USER	0x7c0303a6
-#define PPC_INST_MTSPR_DSCR_USER_MASK	0xfc1fffff
+#define PPC_INST_MTSPR_DSCR_USER_MASK	0xfc1ffffe
 #define PPC_INST_SLBFEE			0x7c0007a7
 
 #define PPC_INST_STRING			0x7c00042a
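Review bot: the four DSCR masks here, and the PVR mask in the previous hunk, change from `0xfc1fffff` to `0xfc1ffffe` with no comment in the header explaining why the low bit is excluded. The reason is only in the commit message (the bit is a reserved field of mtspr/mfspr that hardware ignores). A one-line comment above the mfspr/mtspr definitions would keep someone from "correcting" the masks back to the full value later. Since all five masks are now identical, a single shared mask macro would also make the intent explicit.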


* [PATCH 3.16 230/370] ubifs: Fix journal replay wrt. xattr nodes
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (323 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 250/370] crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 222/370] svcrpc: don't leak contexts on PROC_DESTROY Ben Hutchings
                   ` (46 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, David Gstir, Rock Lee

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.

When replaying the journal it can happen that a journal entry points to
a garbage collected node.
This is the case when a power-cut occurred between a garbage collect run
and a commit. In such a case nodes have to be read using the failable
read functions to detect whether the found node matches what we expect.

One corner case was forgotten, when the journal contains an entry to
remove an inode all xattrs have to be removed too. UBIFS models xattr
like directory entries, so the TNC code iterates over
all xattrs of the inode and removes them too. This code re-uses the
functions for walking directories and calls ubifs_tnc_next_ent().
ubifs_tnc_next_ent() expects to be used only after the journal and
aborts when a node does not match the expected result. This behavior can
render an UBIFS volume unmountable after a power-cut when xattrs are
used.

Fix this issue by using failable read functions in ubifs_tnc_next_ent()
too when replaying the journal.
Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Reported-by: Rock Lee <rockdotlee@gmail.com>
Reviewed-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -34,6 +34,11 @@
 #include <linux/slab.h>
 #include "ubifs.h"
 
+static int try_read_node(const struct ubifs_info *c, void *buf, int type,
+			 int len, int lnum, int offs);
+static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
+			      struct ubifs_zbranch *zbr, void *node);
+
 /*
  * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
  * @NAME_LESS: name corresponding to the first argument is less than second
@@ -403,7 +408,19 @@ static int tnc_read_node_nm(struct ubifs
 		return 0;
 	}
 
-	err = ubifs_tnc_read_node(c, zbr, node);
+	if (c->replaying) {
+		err = fallible_read_node(c, &zbr->key, zbr, node);
+		/*
+		 * When the node was not found, return -ENOENT, 0 otherwise.
+		 * Negative return codes stay as-is.
+		 */
+		if (err == 0)
+			err = -ENOENT;
+		else if (err == 1)
+			err = 0;
+	} else {
+		err = ubifs_tnc_read_node(c, zbr, node);
+	}
 	if (err)
 		return err;
 
@@ -2767,7 +2784,11 @@ struct ubifs_dent_node *ubifs_tnc_next_e
 	if (nm->name) {
 		if (err) {
 			/* Handle collisions */
-			err = resolve_collision(c, key, &znode, &n, nm);
+			if (c->replaying)
+				err = fallible_resolve_collision(c, key, &znode, &n,
+							 nm, 0);
+			else
+				err = resolve_collision(c, key, &znode, &n, nm);
 			dbg_tnc("rc returned %d, znode %p, n %d",
 				err, znode, n);
 			if (unlikely(err < 0))
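Review bot: the new call `fallible_resolve_collision(c, key, &znode, &n, nm, 0)` passes a bare `0` as its last argument with no indication of what that parameter selects, while the non-replay branch calls `resolve_collision()` without it. A short comment naming the parameter and why 0 is the right value during replay would make the two branches comparable at a glance. It would also help to say here, as the tnc_read_node_nm() hunk does for `fallible_read_node()`, how the fallible variant's return values map onto what the `err < 0` check below expects.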


* [PATCH 3.16 250/370] crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (322 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 278/370] pegasus: Use heap buffers for all register access Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 230/370] ubifs: Fix journal replay wrt. xattr nodes Ben Hutchings
                   ` (47 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Salvatore Benedetto

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Salvatore Benedetto <salvatore.benedetto@intel.com>

commit d6040764adcb5cb6de1489422411d701c158bb69 upstream.

Make sure CRYPTO_ALG_DEAD bit is cleared before proceeding with
the algorithm registration. This fixes qat-dh registration when
driver is restarted

Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/algapi.c | 1 +
 1 file changed, 1 insertion(+)

--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -337,6 +337,7 @@ int crypto_register_alg(struct crypto_al
 	struct crypto_larval *larval;
 	int err;
 
+	alg->cra_flags &= ~CRYPTO_ALG_DEAD;
 	err = crypto_check_alg(alg);
 	if (err)
 		return err;
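Review bot: the added `alg->cra_flags &= ~CRYPTO_ALG_DEAD;` at the top of crypto_register_alg() carries no comment explaining how a caller-supplied alg can arrive with the dead bit already set. The commit message gives the reason (the same alg being registered again after a driver restart), and a one-line comment would keep that next to the code. Note also that the flag is cleared before `crypto_check_alg()`, so the caller's structure is modified even when the check fails and registration is refused; clearing it after the check succeeds would avoid that side effect if the check does not depend on it.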


* [PATCH 3.16 227/370] net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (302 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 355/370] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 263/370] ISDN: eicon: silence misleading array-bounds warning Ben Hutchings
                   ` (67 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Tariq Toukan, Jack Morgenstein

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 7c3945bc2073554bb2ecf983e073dee686679c53 upstream.

Save the qp context flags byte containing the flag disabling vlan stripping
in the RESET to INIT qp transition, rather than in the INIT to RTR
transition. Per the firmware spec, the flags in this byte are active
in the RESET to INIT transition.

As a result of saving the flags in the incorrect qp transition, when
switching dynamically from VGT to VST and back to VGT, the vlan
remained stripped (as is required for VST) and did not return to
not-stripped (as is required for VGT).

Fixes: f0f829bf42cd ("net/mlx4_core: Add immediate activate for VGT->VST->VGT")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2733,6 +2733,9 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4
 		put_res(dev, slave, srqn, RES_SRQ);
 		qp->srq = srq;
 	}
+
+	/* Save param3 for dynamic changes from VST back to VGT */
+	qp->param3 = qpc->param3;
 	put_res(dev, slave, rcqn, RES_CQ);
 	put_res(dev, slave, mtt_base, RES_MTT);
 	res_end_move(dev, slave, RES_QP, qpn);
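
Review bot: in mlx4_RST2INIT_QP_wrapper() qp->param3 is copied from qpc->param3 at the end of the wrapper, whereas the code removed from mlx4_INIT2RTR_QP_wrapper() took a snapshot into orig_param3 at entry and stored it only under `if (!err)`. Please confirm that nothing earlier in the RST2INIT wrapper rewrites qpc->param3 and that this assignment is reached only on the success path. Otherwise take the snapshot at the top of the function, as the remaining orig_* fields do in INIT2RTR.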
@@ -3495,7 +3498,6 @@ int mlx4_INIT2RTR_QP_wrapper(struct mlx4
 	int qpn = vhcr->in_modifier & 0x7fffff;
 	struct res_qp *qp;
 	u8 orig_sched_queue;
-	__be32	orig_param3 = qpc->param3;
 	u8 orig_vlan_control = qpc->pri_path.vlan_control;
 	u8 orig_fvl_rx = qpc->pri_path.fvl_rx;
 	u8 orig_pri_path_fl = qpc->pri_path.fl;
@@ -3536,7 +3538,6 @@ out:
 	 */
 	if (!err) {
 		qp->sched_queue = orig_sched_queue;
-		qp->param3	= orig_param3;
 		qp->vlan_control = orig_vlan_control;
 		qp->fvl_rx	=  orig_fvl_rx;
 		qp->pri_path_fl = orig_pri_path_fl;


* [PATCH 3.16 256/370] SUNRPC: cleanup ida information when removing sunrpc module
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (359 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 324/370] bonding: set carrier off for devices created through netlink Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 255/370] ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit() Ben Hutchings
                   ` (10 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Trond Myklebust, Kinglong Mee

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kinglong Mee <kinglongmee@gmail.com>

commit c929ea0b910355e1876c64431f3d5802f95b3d75 upstream.

After removing the sunrpc module, I get a lot of kmemleak information, such as:
unreferenced object 0xffff88003316b1e0 (size 544):
  comm "gssproxy", pid 2148, jiffies 4294794465 (age 4200.081s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffffb0cfb58a>] kmemleak_alloc+0x4a/0xa0
    [<ffffffffb03507fe>] kmem_cache_alloc+0x15e/0x1f0
    [<ffffffffb0639baa>] ida_pre_get+0xaa/0x150
    [<ffffffffb0639cfd>] ida_simple_get+0xad/0x180
    [<ffffffffc06054fb>] nlmsvc_lookup_host+0x4ab/0x7f0 [lockd]
    [<ffffffffc0605e1d>] lockd+0x4d/0x270 [lockd]
    [<ffffffffc06061e5>] param_set_timeout+0x55/0x100 [lockd]
    [<ffffffffc06cba24>] svc_defer+0x114/0x3f0 [sunrpc]
    [<ffffffffc06cbbe7>] svc_defer+0x2d7/0x3f0 [sunrpc]
    [<ffffffffc06c71da>] rpc_show_info+0x8a/0x110 [sunrpc]
    [<ffffffffb044a33f>] proc_reg_write+0x7f/0xc0
    [<ffffffffb038e41f>] __vfs_write+0xdf/0x3c0
    [<ffffffffb0390f1f>] vfs_write+0xef/0x240
    [<ffffffffb0392fbd>] SyS_write+0xad/0x130
    [<ffffffffb0d06c37>] entry_SYSCALL_64_fastpath+0x1a/0xa9
    [<ffffffffffffffff>] 0xffffffffffffffff

I found that the ida information (dynamic memory) isn't cleaned up.

Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
Fixes: 2f048db4680a ("SUNRPC: Add an identifier for struct rpc_clnt")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/sunrpc/clnt.h | 1 +
 net/sunrpc/clnt.c           | 5 +++++
 net/sunrpc/sunrpc_syms.c    | 1 +
 3 files changed, 7 insertions(+)

--- a/include/linux/sunrpc/clnt.h
+++ b/include/linux/sunrpc/clnt.h
@@ -175,6 +175,7 @@ void		rpc_force_rebind(struct rpc_clnt *
 size_t		rpc_peeraddr(struct rpc_clnt *, struct sockaddr *, size_t);
 const char	*rpc_peeraddr2str(struct rpc_clnt *, enum rpc_display_format_t);
 int		rpc_localaddr(struct rpc_clnt *, struct sockaddr *, size_t);
+void rpc_cleanup_clids(void);
 
 #endif /* __KERNEL__ */
 #endif /* _LINUX_SUNRPC_CLNT_H */
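
Review bot: the new prototype `void rpc_cleanup_clids(void);` separates return type and name with a single space, while the neighbouring declarations in this header (rpc_peeraddr, rpc_peeraddr2str, rpc_localaddr) align the name with tabs. Matching that alignment would keep the block consistent.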
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -336,6 +336,11 @@ out:
 
 static DEFINE_IDA(rpc_clids);
 
+void rpc_cleanup_clids(void)
+{
+	ida_destroy(&rpc_clids);
+}
+
 static int rpc_alloc_clid(struct rpc_clnt *clnt)
 {
 	int clid;
--- a/net/sunrpc/sunrpc_syms.c
+++ b/net/sunrpc/sunrpc_syms.c
@@ -117,6 +117,7 @@ out:
 static void __exit
 cleanup_sunrpc(void)
 {
+	rpc_cleanup_clids();
 	rpcauth_remove_module();
 	cleanup_socket_xprt();
 	svc_cleanup_xprt_sock();
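
Review bot: cleanup_sunrpc() now calls rpc_cleanup_clids() first, ahead of rpcauth_remove_module(), cleanup_socket_xprt() and svc_cleanup_xprt_sock(), so the IDA is destroyed while the rest of the module is still being torn down. If any of those later steps can still release an rpc_clnt, its client id would be handed back to an already destroyed rpc_clids. Calling rpc_cleanup_clids() last, or adding a comment that states why calling it first is safe, would settle the question.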


* [PATCH 3.16 257/370] netfilter: nft_log: restrict the log prefix length to 127
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 344/370] ipv6: handle -EFAULT from skb_copy_bits Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 254/370] nfs: Don't increment lock sequence ID after NFS4ERR_MOVED Ben Hutchings
                   ` (169 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Liping Zhang, Pablo Neira Ayuso

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liping Zhang <zlpnobody@gmail.com>

commit 5ce6b04ce96896e8a79e6f60740ced911eaac7a4 upstream.

First, log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127,
at nf_log_packet(), so the extra part is useless.

Second, after adding a log rule with a very very long prefix, we will
fail to dump the nft rules after this _special_ one, but actually,
they do exist. For example:
  # name_65000=$(printf "%0.sQ" {1..65000})
  # nft add rule filter output log prefix "$name_65000"
  # nft add rule filter output counter
  # nft add rule filter output counter
  # nft list chain filter output
  table ip filter {
      chain output {
          type filter hook output priority 0; policy accept;
      }
  }

So now, restrict the log prefix length to NF_LOG_PREFIXLEN-1.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/netfilter/nf_log.h | 2 ++
 net/netfilter/nf_log.c         | 1 -
 net/netfilter/nft_log.c        | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -12,6 +12,8 @@
 #define NF_LOG_UID		0x08	/* Log UID owning local socket */
 #define NF_LOG_MASK		0x0f
 
+#define NF_LOG_PREFIXLEN	128
+
 #define NF_LOG_TYPE_LOG		0x01
 #define NF_LOG_TYPE_ULOG	0x02
 
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -13,7 +13,6 @@
 /* Internal logging interface, which relies on the real
    LOG target modules */
 
-#define NF_LOG_PREFIXLEN		128
 #define NFLOGGER_NAME_LEN		64
 
 static struct list_head nf_loggers_l[NFPROTO_NUMPROTO] __read_mostly;
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -38,7 +38,8 @@ static void nft_log_eval(const struct nf
 
 static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
 	[NFTA_LOG_GROUP]	= { .type = NLA_U16 },
-	[NFTA_LOG_PREFIX]	= { .type = NLA_STRING },
+	[NFTA_LOG_PREFIX]	= { .type = NLA_STRING,
+				    .len = NF_LOG_PREFIXLEN - 1 },
 	[NFTA_LOG_SNAPLEN]	= { .type = NLA_U32 },
 	[NFTA_LOG_QTHRESHOLD]	= { .type = NLA_U16 },
 };
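
Review bot: the `.len = NF_LOG_PREFIXLEN - 1` bound added to the NFTA_LOG_PREFIX entry of nft_log_policy means a prefix longer than 127 bytes is now rejected when the rule is added instead of being accepted, which is a user-visible change for rulesets that carried longer prefixes. A one-line comment tying the bound to the truncation in nf_log_packet() described in the commit message would explain the `- 1` to the next reader.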


* [PATCH 3.16 234/370] can: ti_hecc: add missing prepare and unprepare of the clock
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 211/370] sysrq: attach sysrq handler correctly for 32-bit kernel Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 203/370] USB: serial: ch341: fix resume after reset Ben Hutchings
                   ` (131 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Yegor Yefremov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yegor Yefremov <yegorslists@googlemail.com>

commit befa60113ce7ea270cb51eada28443ca2756f480 upstream.

In order to make the driver work with the common clock framework, this
patch converts the clk_enable()/clk_disable() to
clk_prepare_enable()/clk_disable_unprepare().

Also add error checking for clk_prepare_enable().

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/ti_hecc.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -950,7 +950,12 @@ static int ti_hecc_probe(struct platform
 	netif_napi_add(ndev, &priv->napi, ti_hecc_rx_poll,
 		HECC_DEF_NAPI_WEIGHT);
 
-	clk_enable(priv->clk);
+	err = clk_prepare_enable(priv->clk);
+	if (err) {
+		dev_err(&pdev->dev, "clk_prepare_enable() failed\n");
+		goto probe_exit_clk;
+	}
+
 	err = register_candev(ndev);
 	if (err) {
 		dev_err(&pdev->dev, "register_candev() failed\n");
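
Review bot: in ti_hecc_probe() the clock is now prepared and enabled before register_candev(), but the register_candev() failure path shown as context is not touched by any hunk of this patch. Please check that this path reaches clk_disable_unprepare() before it falls into the probe_exit_clk unwinding, otherwise a failed registration leaves the clock prepared and enabled.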
@@ -983,7 +988,7 @@ static int ti_hecc_remove(struct platfor
 	struct ti_hecc_priv *priv = netdev_priv(ndev);
 
 	unregister_candev(ndev);
-	clk_disable(priv->clk);
+	clk_disable_unprepare(priv->clk);
 	clk_put(priv->clk);
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	iounmap(priv->base);
@@ -1008,7 +1013,7 @@ static int ti_hecc_suspend(struct platfo
 	hecc_set_bit(priv, HECC_CANMC, HECC_CANMC_PDR);
 	priv->can.state = CAN_STATE_SLEEPING;
 
-	clk_disable(priv->clk);
+	clk_disable_unprepare(priv->clk);
 
 	return 0;
 }
@@ -1017,8 +1022,11 @@ static int ti_hecc_resume(struct platfor
 {
 	struct net_device *dev = platform_get_drvdata(pdev);
 	struct ti_hecc_priv *priv = netdev_priv(dev);
+	int err;
 
-	clk_enable(priv->clk);
+	err = clk_prepare_enable(priv->clk);
+	if (err)
+		return err;
 
 	hecc_clear_bit(priv, HECC_CANMC, HECC_CANMC_PDR);
 	priv->can.state = CAN_STATE_ERROR_ACTIVE;


* [PATCH 3.16 210/370] tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (232 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 356/370] tcp: fix 0 divide in __tcp_select_window() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 285/370] target: Use correct SCSI status during EXTENDED_COPY exception Ben Hutchings
                   ` (137 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alexandre Belloni, Richard Genoud, Greg Kroah-Hartman, Gil Weber

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Genoud <richard.genoud@gmail.com>

commit b389f173aaa1204d6dc1f299082a162eb0491545 upstream.

When using RS485 in half duplex, RX should be enabled when TX is
finished, and stopped when TX starts.

Before commit 0058f0871efe7b01c6 ("tty/serial: atmel: fix RS485 half
duplex with DMA"), RX was not disabled in atmel_start_tx() if the DMA
was used. So, collisions could happen.

But disabling RX in atmel_start_tx() uncovered another bug:
RX was enabled again in the wrong place (in atmel_tx_dma) instead of
being enabled when TX is finished (in atmel_complete_tx_dma), so the
transmission simply stopped.

This bug was not triggered before commit 0058f0871efe7b01c6
("tty/serial: atmel: fix RS485 half duplex with DMA") because RX was
never disabled before.

Moving atmel_start_rx() in atmel_complete_tx_dma() corrects the problem.

Reported-by: Gil Weber <webergil@gmail.com>
Fixes: 0058f0871efe7b01c6
Tested-by: Gil Weber <webergil@gmail.com>
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - s/port->rs485/atmel_port->rs485/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/atmel_serial.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -734,6 +734,11 @@ static void atmel_complete_tx_dma(void *
 	/* Do we really need this? */
 	if (!uart_circ_empty(xmit))
 		tasklet_schedule(&atmel_port->tasklet);
+	else if ((atmel_port->rs485.flags & SER_RS485_ENABLED) &&
+		 !(atmel_port->rs485.flags & SER_RS485_RX_DURING_TX)) {
+		/* DMA done, stop TX, start RX for RS485 */
+		atmel_start_rx(port);
+	}
 
 	spin_unlock_irqrestore(&port->lock, flags);
 }
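
Review bot: the new `else if` branch in atmel_complete_tx_dma() is braced while the `if (!uart_circ_empty(xmit))` branch it hangs off is not; kernel coding style wants braces on every branch once one of them needs them. The branch also adds a `!(atmel_port->rs485.flags & SER_RS485_RX_DURING_TX)` test that the code removed from atmel_tx_dma() did not have and the commit message does not mention, so a sentence about it in the changelog would help.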
@@ -806,12 +811,6 @@ static void atmel_tx_dma(struct uart_por
 		desc->callback = atmel_complete_tx_dma;
 		desc->callback_param = atmel_port;
 		atmel_port->cookie_tx = dmaengine_submit(desc);
-
-	} else {
-		if (atmel_port->rs485.flags & SER_RS485_ENABLED) {
-			/* DMA done, stop TX, start RX for RS485 */
-			atmel_start_rx(port);
-		}
 	}
 
 	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)


* [PATCH 3.16 238/370] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (326 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 370/370] sctp: deny peeloff operation on asocs with threads sleeping on it Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 193/370] drm/radeon: drop verde dpm quirks Ben Hutchings
                   ` (43 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Dave Martin, Catalin Marinas

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream.

We cannot preserve partial fields for hardware breakpoints, because
the values written by userspace to the hardware breakpoint
registers can't subsequently be recovered intact from the hardware.

So, just reject attempts to write incomplete fields with -EINVAL.

Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/ptrace.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -446,6 +446,8 @@ static int hw_break_set(struct task_stru
 	/* (address, ctrl) registers */
 	limit = regset->n * regset->size;
 	while (count && offset < limit) {
+		if (count < PTRACE_HBP_ADDR_SZ)
+			return -EINVAL;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
 					 offset, offset + PTRACE_HBP_ADDR_SZ);
 		if (ret)
@@ -455,6 +457,8 @@ static int hw_break_set(struct task_stru
 			return ret;
 		offset += PTRACE_HBP_ADDR_SZ;
 
+		if (!count)
+			break;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
 					 offset, offset + PTRACE_HBP_CTRL_SZ);
 		if (ret)
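
Review bot: the address field is guarded with `count < PTRACE_HBP_ADDR_SZ`, but before the ctrl copy-in the only test is `if (!count) break;`, so a write that ends partway through a ctrl field (0 < count < PTRACE_HBP_CTRL_SZ) is not rejected by anything visible in this hunk. A matching `if (count < PTRACE_HBP_CTRL_SZ) return -EINVAL;` after the `!count` test would cover that case. A comment on the `break` should also say that an address written without its ctrl word is accepted on purpose.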


* [PATCH 3.16 217/370] mmc: mxs-mmc: Fix additional cycles after transmission stop
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 354/370] ipv6: fix ip6_tnl_parse_tlv_enc_lim() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 315/370] netem: Segment GSO packets on enqueue Ben Hutchings
                   ` (151 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Stefan Wahren

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Wahren <stefan.wahren@i2se.com>

commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.

According to the code the intention is to append 8 SCK cycles
instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
will never happen because it's an AC command not an ADTC command.
So fix this by moving the statement into the right function.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/mxs-mmc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/mxs-mmc.c
+++ b/drivers/mmc/host/mxs-mmc.c
@@ -308,6 +308,9 @@ static void mxs_mmc_ac(struct mxs_mmc_ho
 	cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
 	cmd1 = cmd->arg;
 
+	if (cmd->opcode == MMC_STOP_TRANSMISSION)
+		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
 	if (host->sdio_irq_en) {
 		ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
 		cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
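
Review bot: the `cmd->opcode == MMC_STOP_TRANSMISSION` test added to mxs_mmc_ac() has no comment explaining why this one opcode gets BM_SSP_CMD0_APPEND_8CYC. One line stating that the stop command is to be followed by 8 SCK cycles instead of 4, as the commit message says, would keep the special case from looking arbitrary.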
@@ -416,8 +419,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_
 		       ssp->base + HW_SSP_BLOCK_SIZE);
 	}
 
-	if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
-	    (cmd->opcode == SD_IO_RW_EXTENDED))
+	if (cmd->opcode == SD_IO_RW_EXTENDED)
 		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
 
 	cmd1 = cmd->arg;


* [PATCH 3.16 206/370] gro: Enter slow-path if there is no tailroom
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (261 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 291/370] scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 361/370] sit: fix a double free on error path Ben Hutchings
                   ` (108 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Slava Shwartsman, Herbert Xu, Eric Dumazet, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 1272ce87fa017ca4cf32920764d879656b7a005a upstream.

The GRO path has a fast-path where we avoid calling pskb_may_pull
and pskb_expand by directly accessing frag0.  However, this should
only be done if we have enough tailroom in the skb as otherwise
we'll have to expand it later anyway.

This patch adds the check by capping frag0_len with the skb tailroom.

Fixes: cb18978cbf45 ("gro: Open-code final pskb_may_pull")
Reported-by: Slava Shwartsman <slavash@mellanox.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3920,7 +3920,8 @@ static void skb_gro_reset_offset(struct
 	    pinfo->nr_frags &&
 	    !PageHighMem(skb_frag_page(frag0))) {
 		NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
-		NAPI_GRO_CB(skb)->frag0_len = skb_frag_size(frag0);
+		NAPI_GRO_CB(skb)->frag0_len = min(skb_frag_size(frag0),
+						  skb->end - skb->tail);
 	}
 }
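
Review bot: `min(skb_frag_size(frag0), skb->end - skb->tail)` in skb_gro_reset_offset() relies on both arguments having the same type, and the type of `skb->end - skb->tail` depends on how the skb end and tail fields are defined for the build. min_t(unsigned int, ...) would make the comparison type explicit. A short comment saying that frag0_len is capped by the tailroom so that the slow path is taken would also document the intent.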
 


* [PATCH 3.16 213/370] USB: serial: ch341: fix control-message error handling
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (312 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 308/370] irda: Fix lockdep annotations in hashbin_delete() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 363/370] igmp: do not remove igmp souce list info when set link down Ben Hutchings
                   ` (57 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae upstream.

A short control transfer would currently fail to be detected, something
which could lead to stale buffer data being used as valid input.

Check for short transfers, and make sure to log any transfer errors.

Note that this also avoids leaking heap data to user space (TIOCMGET)
and the remote device (break control).

Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -112,6 +112,8 @@ static int ch341_control_out(struct usb_
 	r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
 			    value, index, NULL, 0, DEFAULT_TIMEOUT);
+	if (r < 0)
+		dev_err(&dev->dev, "failed to send control message: %d\n", r);
 
 	return r;
 }
@@ -129,7 +131,20 @@ static int ch341_control_in(struct usb_d
 	r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
 			    value, index, buf, bufsize, DEFAULT_TIMEOUT);
-	return r;
+	if (r < bufsize) {
+		if (r >= 0) {
+			dev_err(&dev->dev,
+				"short control message received (%d < %u)\n",
+				r, bufsize);
+			r = -EIO;
+		}
+
+		dev_err(&dev->dev, "failed to receive control message: %d\n",
+			r);
+		return r;
+	}
+
+	return 0;
 }
 
 static int ch341_set_baudrate_lcr(struct usb_device *dev,
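
Review bot: in ch341_control_in() the test `if (r < bufsize)` compares the signed return value with bufsize, which the "%d < %u" format string shows to be unsigned, so a negative r is converted to a large unsigned value, the test is false, and the function falls through to `return 0` after a failed transfer. Test `r < 0` first, or compare against `(int)bufsize`. A short read also logs twice, once as "short control message received" and again as "failed to receive control message"; returning right after the first message would avoid that.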
@@ -180,9 +195,9 @@ static int ch341_set_handshake(struct us
 
 static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
 {
+	const unsigned int size = 2;
 	char *buffer;
 	int r;
-	const unsigned size = 8;
 	unsigned long flags;
 
 	buffer = kmalloc(size, GFP_KERNEL);
@@ -193,14 +208,9 @@ static int ch341_get_status(struct usb_d
 	if (r < 0)
 		goto out;
 
-	/* setup the private status if available */
-	if (r == 2) {
-		r = 0;
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
-		spin_unlock_irqrestore(&priv->lock, flags);
-	} else
-		r = -EPROTO;
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 out:	kfree(buffer);
 	return r;
@@ -210,9 +220,9 @@ out:	kfree(buffer);
 
 static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
 {
+	const unsigned int size = 2;
 	char *buffer;
 	int r;
-	const unsigned size = 8;
 
 	buffer = kmalloc(size, GFP_KERNEL);
 	if (!buffer)

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 197/370] USB: serial: ch341: add register and USB request definitions
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 303/370] vfs: fix uninitialized flags in splice_to_pipe() Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 251/370] crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes Ben Hutchings
                   ` (160 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Grigori Goronzy, Aidan Thornton, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aidan Thornton <makosoft@gmail.com>

commit 6fde8d29b0424f292a4ec5dbce01458ad759a41f upstream.

No functional changes, this just gives names to some registers and USB
requests based on Grigori Goronzy's work and WinChipTech's Linux driver
(which reassuringly agree), then uses them in place of magic numbers.
This also renames the misnamed BREAK2 register (actually UART config)

Signed-off-by: Aidan Thornton <makosoft@gmail.com>
Reviewed-by: Grigori Goronzy <greg@chown.ath.cx>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 51 +++++++++++++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 19 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -61,13 +61,26 @@
  * the Net/FreeBSD uchcom.c driver by Takanori Watanabe.  Domo arigato.
  */
 
+#define CH341_REQ_READ_VERSION 0x5F
 #define CH341_REQ_WRITE_REG    0x9A
 #define CH341_REQ_READ_REG     0x95
-#define CH341_REG_BREAK1       0x05
-#define CH341_REG_BREAK2       0x18
-#define CH341_NBREAK_BITS_REG1 0x01
-#define CH341_NBREAK_BITS_REG2 0x40
+#define CH341_REQ_SERIAL_INIT  0xA1
+#define CH341_REQ_MODEM_CTRL   0xA4
 
+#define CH341_REG_BREAK        0x05
+#define CH341_REG_LCR          0x18
+#define CH341_NBREAK_BITS      0x01
+
+#define CH341_LCR_ENABLE_RX    0x80
+#define CH341_LCR_ENABLE_TX    0x40
+#define CH341_LCR_MARK_SPACE   0x20
+#define CH341_LCR_PAR_EVEN     0x10
+#define CH341_LCR_ENABLE_PAR   0x08
+#define CH341_LCR_STOP_BITS_2  0x04
+#define CH341_LCR_CS8          0x03
+#define CH341_LCR_CS7          0x02
+#define CH341_LCR_CS6          0x01
+#define CH341_LCR_CS5          0x00
 
 static const struct usb_device_id id_table[] = {
 	{ USB_DEVICE(0x4348, 0x5523) },
@@ -144,16 +157,16 @@ static int ch341_set_baudrate(struct usb
 	a = (factor & 0xff00) | divisor;
 	b = factor & 0xff;
 
-	r = ch341_control_out(dev, 0x9a, 0x1312, a);
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
 	if (!r)
-		r = ch341_control_out(dev, 0x9a, 0x0f2c, b);
+		r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x0f2c, b);
 
 	return r;
 }
 
 static int ch341_set_handshake(struct usb_device *dev, u8 control)
 {
-	return ch341_control_out(dev, 0xa4, ~control, 0);
+	return ch341_control_out(dev, CH341_REQ_MODEM_CTRL, ~control, 0);
 }
 
 static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
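
Review bot: ch341_set_baudrate() still passes the bare values 0x1312 and 0x0f2c to ch341_control_out(), and the later hunks keep 0x0706, 0x2518, 0x0050, 0x501f and 0xd90a in the same way, so the magic numbers the changelog sets out to replace are only partly gone. Either name these register addresses and values as well, or say in the changelog that only the request codes and the break/LCR registers are covered.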
@@ -167,7 +180,7 @@ static int ch341_get_status(struct usb_d
 	if (!buffer)
 		return -ENOMEM;
 
-	r = ch341_control_in(dev, 0x95, 0x0706, 0, buffer, size);
+	r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x0706, 0, buffer, size);
 	if (r < 0)
 		goto out;
 
@@ -197,11 +210,11 @@ static int ch341_configure(struct usb_de
 		return -ENOMEM;
 
 	/* expect two bytes 0x27 0x00 */
-	r = ch341_control_in(dev, 0x5f, 0, 0, buffer, size);
+	r = ch341_control_in(dev, CH341_REQ_READ_VERSION, 0, 0, buffer, size);
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, 0xa1, 0, 0);
+	r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0, 0);
 	if (r < 0)
 		goto out;
 
@@ -210,11 +223,11 @@ static int ch341_configure(struct usb_de
 		goto out;
 
 	/* expect two bytes 0x56 0x00 */
-	r = ch341_control_in(dev, 0x95, 0x2518, 0, buffer, size);
+	r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x2518, 0, buffer, size);
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, 0x9a, 0x2518, 0x0050);
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, 0x0050);
 	if (r < 0)
 		goto out;
 
@@ -223,7 +236,7 @@ static int ch341_configure(struct usb_de
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, 0xa1, 0x501f, 0xd90a);
+	r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0x501f, 0xd90a);
 	if (r < 0)
 		goto out;
 
@@ -370,7 +383,7 @@ static void ch341_set_termios(struct tty
 static void ch341_break_ctl(struct tty_struct *tty, int break_state)
 {
 	const uint16_t ch341_break_reg =
-		CH341_REG_BREAK1 | ((uint16_t) CH341_REG_BREAK2 << 8);
+			((uint16_t) CH341_REG_LCR << 8) | CH341_REG_BREAK;
 	struct usb_serial_port *port = tty->driver_data;
 	int r;
 	uint16_t reg_contents;
@@ -391,12 +404,12 @@ static void ch341_break_ctl(struct tty_s
 		__func__, break_reg[0], break_reg[1]);
 	if (break_state != 0) {
 		dev_dbg(&port->dev, "%s - Enter break state requested\n", __func__);
-		break_reg[0] &= ~CH341_NBREAK_BITS_REG1;
-		break_reg[1] &= ~CH341_NBREAK_BITS_REG2;
+		break_reg[0] &= ~CH341_NBREAK_BITS;
+		break_reg[1] &= ~CH341_LCR_ENABLE_TX;
 	} else {
 		dev_dbg(&port->dev, "%s - Leave break state requested\n", __func__);
-		break_reg[0] |= CH341_NBREAK_BITS_REG1;
-		break_reg[1] |= CH341_NBREAK_BITS_REG2;
+		break_reg[0] |= CH341_NBREAK_BITS;
+		break_reg[1] |= CH341_LCR_ENABLE_TX;
 	}
 	dev_dbg(&port->dev, "%s - New ch341 break register contents - reg1: %x, reg2: %x\n",
 		__func__, break_reg[0], break_reg[1]);
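
Review bot: in ch341_break_ctl() the second byte is now addressed as CH341_REG_LCR and toggled with CH341_LCR_ENABLE_TX, but the variable name ch341_break_reg and the dev_dbg() text "New ch341 break register contents - reg1: %x, reg2: %x" still describe both bytes as break registers. Updating the message and the names to say break and LCR would finish the rename the changelog describes. The continuation line of the ch341_break_reg initialiser also gained an extra tab of indentation.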


* [PATCH 3.16 205/370] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 342/370] net/dccp: fix use-after-free in dccp_invalid_packet Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 294/370] net/sock: Add sock_efree() function Ben Hutchings
                   ` (148 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Russell King, Mark Rutland, Stephen Boyd, Russell King,
	Linus Walleij, Will Deacon

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit ddc37832a1349f474c4532de381498020ed71d31 upstream.

On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
undefined instruction trap within write_wb_reg. This is because Scorpion
CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
watchpoint registers are treated as undefined.

It's possible to trigger similar crashes later on from userspace, by
requesting the kernel to install a breakpoint or watchpoint, as we can
go idle at any point between the reset of the debug registers and their
later use. This has always been the case.

Given that this has always been broken, no-one has complained until now,
and there is no clear workaround, disable hardware breakpoints and
watchpoints on Scorpion to avoid these issues.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[bwh: Backported to 3.16: open-code read_cpuid_part()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/cputype.h  |  3 +++
 arch/arm/kernel/hw_breakpoint.c | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

--- a/arch/arm/include/asm/cputype.h
+++ b/arch/arm/include/asm/cputype.h
@@ -79,6 +79,9 @@
 #define ARM_CPU_XSCALE_ARCH_V2		0x4000
 #define ARM_CPU_XSCALE_ARCH_V3		0x6000
 
+/* Qualcomm implemented cores */
+#define ARM_CPU_PART_SCORPION		0x510002d0
+
 extern unsigned int processor_id;
 
 #ifdef CONFIG_CPU_CP15
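
Review bot: `ARM_CPU_PART_SCORPION` (0x510002d0) carries the implementer byte in its top bits, unlike the four-digit `ARM_CPU_XSCALE_ARCH_*` values directly above it, so it only compares correctly against an ID value masked to keep bits 31:24 as well as the part number. A one-line comment next to the define stating the mask it is meant to be compared under would prevent a later comparison against a part-number-only value.
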
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -1067,6 +1067,22 @@ static int __init arch_hw_breakpoint_ini
 		return 0;
 	}
 
+	/*
+	 * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
+	 * whenever a WFI is issued, even if the core is not powered down, in
+	 * violation of the architecture.  When DBGPRSR.SPD is set, accesses to
+	 * breakpoint and watchpoint registers are treated as undefined, so
+	 * this results in boot time and runtime failures when these are
+	 * accessed and we unexpectedly take a trap.
+	 *
+	 * It's not clear if/how this can be worked around, so we blacklist
+	 * Scorpion CPUs to avoid these issues.
+	*/
+	if ((read_cpuid_id() & 0xff00fff0) == ARM_CPU_PART_SCORPION) {
+		pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
+		return 0;
+	}
+
 	has_ossr = core_has_os_save_restore();
 
 	/* Determine how many BRPs/WRPs are available. */
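
Review bot: the mask in `(read_cpuid_id() & 0xff00fff0) == ARM_CPU_PART_SCORPION` is an unexplained literal. Since the backport open-codes read_cpuid_part() here, give the mask a name or a comment saying which ID fields it keeps, so that its pairing with the 0x510002d0 value can be checked at a glance. Style: the closing `*/` of the new comment block is missing its leading space.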

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 204/370] USB: serial: ch341: fix baud rate and line-control handling
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 266/370] can: bcm: fix hrtimer/tasklet termination in bcm op removal Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 249/370] iio: dht11: Use usleep_range instead of msleep for start signal Ben Hutchings
                   ` (111 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 55fa15b5987db22b4f35d3f0798928c126be5f1c upstream.

Revert to using direct register writes to set the divisor and
line-control registers.

A recent change switched to using the init vendor command to update
these registers, something which also enabled support for CH341A
devices. It turns out that simply setting bit 7 in the divisor register
is sufficient to support CH341A and specifically prevent data from being
buffered until a full endpoint-size packet (32 bytes) has been received.

Using the init command also had the side-effect of temporarily
deasserting the DTR/RTS signals on every termios change (including
initialisation on open) something which for example could cause problems
in setups where DTR is used to trigger a reset.

Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on
reconfiguration")
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -132,8 +132,8 @@ static int ch341_control_in(struct usb_d
 	return r;
 }
 
-static int ch341_init_set_baudrate(struct usb_device *dev,
-				   struct ch341_private *priv, unsigned ctrl)
+static int ch341_set_baudrate_lcr(struct usb_device *dev,
+				  struct ch341_private *priv, u8 lcr)
 {
 	short a;
 	int r;
@@ -156,9 +156,19 @@ static int ch341_init_set_baudrate(struc
 	factor = 0x10000 - factor;
 	a = (factor & 0xff00) | divisor;
 
-	/* 0x9c is "enable SFR_UART Control register and timer" */
-	r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT,
-			      0x9c | (ctrl << 8), a | 0x80);
+	/*
+	 * CH341A buffers data until a full endpoint-size packet (32 bytes)
+	 * has been received unless bit 7 is set.
+	 */
+	a |= BIT(7);
+
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
+	if (r)
+		return r;
+
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, lcr);
+	if (r)
+		return r;
 
 	return r;
 }
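
Review bot: after the second `ch341_control_out()` the added `if (r) return r;` is immediately followed by the existing `return r;`, so the check does nothing; drop it or end the function with `return 0;`. The register selectors `0x1312` and `0x2518` are bare literals beside a comment that only explains bit 7; named constants, or a comment saying which registers each value addresses, would make the divisor and line-control writes reviewable.
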
@@ -231,7 +241,7 @@ static int ch341_configure(struct usb_de
 	if (r < 0)
 		goto out;
 
-	r = ch341_init_set_baudrate(dev, priv, 0);
+	r = ch341_set_baudrate_lcr(dev, priv, 0);
 	if (r < 0)
 		goto out;
 
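
Review bot: `ch341_set_baudrate_lcr(dev, priv, 0)` now writes a literal 0 to the line-control register at configure time, where the old call folded its 0 into the init command. If an all-zero LCR is the intended state at this point, say so in a comment at the call; otherwise pass the default line settings here.
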
@@ -366,7 +376,7 @@ static void ch341_set_termios(struct tty
 	if (baud_rate) {
 		priv->baud_rate = baud_rate;
 
-		r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
+		r = ch341_set_baudrate_lcr(port->serial->dev, priv, ctrl);
 		if (r < 0 && old_termios) {
 			priv->baud_rate = tty_termios_baud_rate(old_termios);
 			tty_termios_copy_hw(&tty->termios, old_termios);

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 211/370] sysrq: attach sysrq handler correctly for 32-bit kernel
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (237 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 337/370] sctp: assign assoc_id earlier in __sctp_connect Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 234/370] can: ti_hecc: add missing prepare and unprepare of the clock Ben Hutchings
                   ` (132 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Akinobu Mita, Jiri Slaby, Greg Kroah-Hartman, Dmitry Torokhov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Akinobu Mita <akinobu.mita@gmail.com>

commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream.

The sysrq input handler should be attached to the input device which has
a left alt key.

On 32-bit kernels, some input devices which have a left alt key cannot
attach the sysrq handler, because the keybit bitmap in struct input_device_id
for sysrq is not correctly initialized.  KEY_LEFTALT is 56 which is
greater than BITS_PER_LONG on 32-bit kernels.

I found this problem when using a matrix keypad device which defines
a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32).

Cc: Jiri Slaby <jslaby@suse.com>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/sysrq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -933,8 +933,8 @@ static const struct input_device_id sysr
 	{
 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
 				INPUT_DEVICE_ID_MATCH_KEYBIT,
-		.evbit = { BIT_MASK(EV_KEY) },
-		.keybit = { BIT_MASK(KEY_LEFTALT) },
+		.evbit = { [BIT_WORD(EV_KEY)] = BIT_MASK(EV_KEY) },
+		.keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) },
 	},
 	{ },
 };
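
Review bot: only the `.keybit` line is covered by the changelog, which talks about KEY_LEFTALT (56) exceeding BITS_PER_LONG; `.evbit` gets the same designated-initialiser form although EV_KEY sits in word 0 either way. Say in the commit message that the `.evbit` change is for consistency, and add a short comment above the entry that the array index must be `BIT_WORD(nr)`, so the positional form is not reintroduced.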

^ permalink raw reply	[flat|nested] 390+ messages in thread
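
The 32-bit failure described in the commit message above, modelled in user-space C as an added example (not code from the patch or the kernel). Bitmap words are fixed at 32 bits, all `demo_*`/`DEMO_*` names are constructed for the illustration, and the match rule is the subset test the input core applies to `keybit`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit kernel: each bitmap word holds 32 bits (demo assumption). */
#define DEMO_BITS_PER_LONG 32
#define DEMO_BIT_WORD(nr)  ((nr) / DEMO_BITS_PER_LONG)
#define DEMO_BIT_MASK(nr)  (UINT32_C(1) << ((nr) % DEMO_BITS_PER_LONG))
#define DEMO_KEY_WORDS     4	/* covers key codes 0..127, enough for this demo */

/* Key codes as given in the commit message. */
#define KEY_O       24
#define KEY_LEFTALT 56

struct demo_keybits {
	uint32_t keybit[DEMO_KEY_WORDS];
};

/* Pre-patch form: the mask lands in word 0, i.e. on bit 24 == KEY_O. */
static const struct demo_keybits id_old = {
	.keybit = { DEMO_BIT_MASK(KEY_LEFTALT) },
};

/* Patched form: the mask is stored in the word that holds bit 56. */
static const struct demo_keybits id_new = {
	.keybit = { [DEMO_BIT_WORD(KEY_LEFTALT)] = DEMO_BIT_MASK(KEY_LEFTALT) },
};

/* Subset test: every bit requested by the id must be present in the device. */
static bool demo_match(const struct demo_keybits *id,
		       const struct demo_keybits *dev)
{
	for (int i = 0; i < DEMO_KEY_WORDS; i++)
		if ((id->keybit[i] & dev->keybit[i]) != id->keybit[i])
			return false;
	return true;
}

/* Build a device key bitmap from a list of key codes. */
static struct demo_keybits demo_device(const int *keys, int n)
{
	struct demo_keybits dev = { { 0 } };

	for (int i = 0; i < n; i++)
		dev.keybit[DEMO_BIT_WORD(keys[i])] |= DEMO_BIT_MASK(keys[i]);
	return dev;
}

/* The reported case: a keypad with KEY_LEFTALT but without KEY_O. */
static bool keypad_matches(const struct demo_keybits *id)
{
	static const int keys[] = { KEY_LEFTALT };
	struct demo_keybits dev = demo_device(keys, 1);

	return demo_match(id, &dev);
}

/* Constructed counter-case: a device with KEY_O but no left alt key. */
static bool o_only_device_matches(const struct demo_keybits *id)
{
	static const int keys[] = { KEY_O };
	struct demo_keybits dev = demo_device(keys, 1);

	return demo_match(id, &dev);
}

int main(void)
{
	printf("keypad (LEFTALT, no O): old=%d new=%d\n",
	       keypad_matches(&id_old), keypad_matches(&id_new));
	printf("device (O, no LEFTALT): old=%d new=%d\n",
	       o_only_device_matches(&id_old), o_only_device_matches(&id_new));
	return 0;
}
```

The second case shows the other half of the defect: the old table also attaches the handler to a device that has no left alt key at all.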

* [PATCH 3.16 189/370] tile/ptrace: Preserve previous registers for short regset write
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (356 preceding siblings ...)
  2017-03-10 11:46   ` Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 274/370] mm, fs: check for fatal signals in do_generic_file_read() Ben Hutchings
                   ` (13 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dave Martin, Chris Metcalf

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit fd7c99142d77dc4a851879a66715abf12a3193fb upstream.

Ensure that if userspace supplies insufficient data to
PTRACE_SETREGSET to fill all the registers, the thread's old
registers are preserved.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/tile/kernel/ptrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/tile/kernel/ptrace.c
+++ b/arch/tile/kernel/ptrace.c
@@ -110,7 +110,7 @@ static int tile_gpr_set(struct task_stru
 			  const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct pt_regs regs;
+	struct pt_regs regs = *task_pt_regs(target);
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &regs, 0,
 				 sizeof(regs));
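
Review bot: `struct pt_regs regs = *task_pt_regs(target);` reads like a redundant copy unless the reader knows the changelog. Add a one-line comment at the declaration saying the initial value is what a short `user_regset_copyin()` leaves in the registers it does not overwrite, so the initialiser is not removed in a later cleanup.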

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 190/370] sh_eth: fix EESIPR values for SH77{34|63}
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (367 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 224/370] netfilter: rpfilter: fix incorrect loopback packet judgment Ben Hutchings
@ 2017-03-10 11:46 ` Ben Hutchings
  2017-03-10 11:46 ` [PATCH 3.16 283/370] drm/i915: fix use-after-free in page_flip_completed() Ben Hutchings
                   ` (2 subsequent siblings)
  371 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sergei Shtylyov, David S. Miller

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 978d3639fd13d987950e4ce85c8737ae92154b2c upstream.

As the SH77{34|63} manuals are freely available,  I've checked the EESIPR
values written against the manuals, and they appeared to set the reserved
bits 11-15 (which should be 0 on write). Fix those EESIPR values.

Fixes: 380af9e390ec ("net: sh_eth: CPU dependency code collect to "struct sh_eth_cpu_data"")
Fixes: f5d12767c8fd ("sh_eth: get SH77{34|63} support out of #ifdef")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -696,7 +696,7 @@ static struct sh_eth_cpu_data sh7734_dat
 
 	.ecsr_value	= ECSR_ICD | ECSR_MPD,
 	.ecsipr_value	= ECSIPR_LCHNGIP | ECSIPR_ICDIP | ECSIPR_MPDIP,
-	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003f07ff,
 
 	.tx_check	= EESR_TC1 | EESR_FTC,
 	.eesr_err_check	= EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
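
Review bot: `0x003f07ff` replaces one opaque literal with another; the only record that bits 11-15 are reserved and must be written as 0 is the commit message. Put that in a comment on the `.eesipr_value` line, or build the value from named bits as the `DMAC_M_RFRMER | DMAC_M_ECI` part already does.
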
@@ -726,7 +726,7 @@ static struct sh_eth_cpu_data sh7763_dat
 
 	.ecsr_value	= ECSR_ICD | ECSR_MPD,
 	.ecsipr_value	= ECSIPR_LCHNGIP | ECSIPR_ICDIP | ECSIPR_MPDIP,
-	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003f07ff,
 
 	.tx_check	= EESR_TC1 | EESR_FTC,
 	.eesr_err_check	= EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
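
Review bot: the expression `DMAC_M_RFRMER | DMAC_M_ECI | 0x003f07ff` is now repeated verbatim in the SH7734 and SH7763 tables. A shared macro for it would keep the two entries from drifting apart if the value needs another correction.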

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 330/370] net: sctp, forbid negative length
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Vlad Yasevich, netdev, linux-sctp,
	Neil Horman, Jiri Slaby

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

[ Upstream commit a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf ]

Most of getsockopt handlers in net/sctp/socket.c check len against
sizeof some structure like:
        if (len < sizeof(int))
                return -EINVAL;

On the first look, the check seems to be correct. But since len is int
and sizeof returns size_t, int gets promoted to unsigned size_t too. So
the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
false.

Fix this in sctp by explicitly checking len < 0 before any getsockopt
handler is called.

Note that sctp_getsockopt_events already handled the negative case.
Since we added the < 0 check elsewhere, this one can be removed.

If not checked, this is the result:
UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
shift exponent 52 is too large for 32-bit type 'int'
CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
 0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
 ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
 0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
Call Trace:
 [<ffffffffb3051498>] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
...
 [<ffffffffb273f0e4>] ? kmalloc_order+0x24/0x90
 [<ffffffffb27416a4>] ? kmalloc_order_trace+0x24/0x220
 [<ffffffffb2819a30>] ? __kmalloc+0x330/0x540
 [<ffffffffc18c25f4>] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
 [<ffffffffc18d2bcd>] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
 [<ffffffffb37c1219>] ? sock_common_getsockopt+0xb9/0x150
 [<ffffffffb37be2f5>] ? SyS_getsockopt+0x1a5/0x270

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4280,7 +4280,7 @@ static int sctp_getsockopt_disable_fragm
 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
 				  int __user *optlen)
 {
-	if (len <= 0)
+	if (len = 0)
 		return -EINVAL;
 	if (len > sizeof(struct sctp_event_subscribe))
 		len = sizeof(struct sctp_event_subscribe);
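
Review bot: the added line reads `if (len = 0)`, which assigns 0 to `len` instead of comparing it. The condition is then always false, `-EINVAL` is never returned from here, and `len` is 0 by the time the `len > sizeof(struct sctp_event_subscribe)` clamp runs. The commit message says only the negative case is being dropped from this check, so the line should be `if (len == 0)`.
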
@@ -5801,6 +5801,9 @@ static int sctp_getsockopt(struct sock *
 	if (get_user(len, optlen))
 		return -EFAULT;
 
+	if (len < 0)
+		return -EINVAL;
+
 	lock_sock(sk);
 
 	switch (optname) {
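
Review bot: the new `if (len < 0)` between `get_user()` and `lock_sock()` has nothing next to it recording why it exists. The per-handler `len < sizeof(...)` tests look sufficient at a glance, so add a comment that those comparisons are unsigned and let negative values through; otherwise this check is a candidate for removal as redundant.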


^ permalink raw reply	[flat|nested] 390+ messages in thread
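
The comparison pitfall the commit message above describes, as an added user-space C model (not code from net/sctp or from this patch). `demo_handler` stands in for a getsockopt handler that has only the `len < sizeof(...)` check, and the two dispatchers are the call path before and after the `len < 0` test; all `demo_*` names are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the structure a handler copies to user space. */
struct demo_opt {
	int a;
	int b;
};

/*
 * Handler with only the size check quoted in the commit message.
 * On success, *alloc_size is the size a later allocation derived from
 * len would be asked for.
 */
static int demo_handler(int len, size_t *alloc_size)
{
	/* sizeof yields size_t, so len is converted to unsigned here:
	 * -1 becomes SIZE_MAX and the "too small" test is false. */
	if (len < sizeof(struct demo_opt))
		return -EINVAL;

	*alloc_size = (size_t)len;
	return 0;
}

/* Dispatcher before the patch: len goes to the handler unchecked. */
static int demo_getsockopt_old(int len, size_t *alloc_size)
{
	return demo_handler(len, alloc_size);
}

/* Dispatcher after the patch: negative len is rejected up front. */
static int demo_getsockopt_new(int len, size_t *alloc_size)
{
	if (len < 0)
		return -EINVAL;
	return demo_handler(len, alloc_size);
}

typedef int (*demo_getsockopt_fn)(int len, size_t *alloc_size);

/* Size the path would try to allocate, or 0 if len was rejected. */
static size_t demo_requested(demo_getsockopt_fn fn, int len)
{
	size_t n = 0;

	return fn(len, &n) == 0 ? n : 0;
}

int main(void)
{
	static const int lens[] = { -1, 4, 64 };	/* constructed inputs */

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("len=%d old=%zu new=%zu\n", lens[i],
		       demo_requested(demo_getsockopt_old, lens[i]),
		       demo_requested(demo_getsockopt_new, lens[i]));
	return 0;
}
```

With `len = -1` the unpatched path accepts the request and carries SIZE_MAX forward as a size, which is the kind of value behind the allocator trace in the report; a merely short length (4) is rejected by both paths.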

* [PATCH 3.16 322/370] net: alx: Work around the DMA RX overflow issue
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Ole Lukoie, Feng Tang

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Feng Tang <feng.tang@intel.com>

[ Upstream commit 881d0327db37ad917a367c77aff1afa1ee41e0a9 ]

Note: This is a verified backported patch for stable 4.4 kernel, and it
could also be applied to 4.3/4.2/4.1/3.18/3.16

There is a problem with alx devices, that the network link will be
lost in 1-5 minutes after the device is up.

From debugging without a datasheet, we found the error always
happens when the DMA RX address is set to 0x....fc0, which is very
likely to be a HW/silicon problem.

This patch will apply rx skb with 64 bytes longer space, and if the
allocated skb has a 0x...fc0 address, it will use skb_reserve(skb, 64)
to advance the address, so that the RX overflow can be avoided.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=70761
Signed-off-by: Feng Tang <feng.tang@intel.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Tested-by: Ole Lukoie <olelukoie@mail.ru>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/atheros/alx/main.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/atheros/alx/main.c
+++ b/drivers/net/ethernet/atheros/alx/main.c
@@ -86,9 +86,14 @@ static int alx_refill_rx_ring(struct alx
 	while (!cur_buf->skb && next != rxq->read_idx) {
 		struct alx_rfd *rfd = &rxq->rfd[cur];
 
-		skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
+		skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size + 64, gfp);
 		if (!skb)
 			break;
+
+		/* Workround for the HW RX DMA overflow issue */
+		if (((unsigned long)skb->data & 0xfff) == 0xfc0)
+			skb_reserve(skb, 64);
+
 		dma = dma_map_single(&alx->hw.pdev->dev,
 				     skb->data, alx->rxbuf_size,
 				     DMA_FROM_DEVICE);
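
Review bot: the test `((unsigned long)skb->data & 0xfff) == 0xfc0` is made on the CPU address of the buffer, while the commit message describes the failing condition in terms of the DMA RX address, and `dma` is only obtained from `dma_map_single()` after the decision. State in the comment that the low 12 bits are assumed to be the same in both, or test the mapped address instead. The literals 64, 0xfff and 0xfc0 would read better as named constants, since the `+ 64` in the allocation and the `skb_reserve(skb, 64)` have to stay in step, and the new comment has a typo ("Workround").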

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 336/370] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Arnaldo Carvalho de Melo,
	Andrey Konovalov

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 990ff4d84408fc55942ca6644f67e361737b3d8e ]

While fuzzing kernel with syzkaller, Andrey reported a nasty crash
in inet6_bind() caused by DCCP lacking a required method.

Fixes: ab1e0a13d7029 ("[SOCK] proto: Add hashinfo member to struct proto")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ipv6.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1024,6 +1024,7 @@ static const struct inet_connection_sock
 	.getsockopt	   = ipv6_getsockopt,
 	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
 	.sockaddr_len	   = sizeof(struct sockaddr_in6),
+	.bind_conflict	   = inet6_csk_bind_conflict,
 #ifdef CONFIG_COMPAT
 	.compat_setsockopt = compat_ipv6_setsockopt,
 	.compat_getsockopt = compat_ipv6_getsockopt,

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 229/370] clocksource/exynos_mct: Clear interrupt when cpu is shut down
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: linux-samsung-soc, Joonyoung Shim, cw00.choi, daniel.lezcano,
	Seung-Woo Kim, krzk, javier, kgene, akpm, Thomas Gleixner,
	linux-arm-kernel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joonyoung Shim <jy0922.shim@samsung.com>

commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.

When a CPU goes offline a potentially pending timer interrupt is not
cleared. When the CPU comes online again then the pending interrupt is
delivered before the per cpu clockevent device is initialized. As a
consequence the tick interrupt handler dereferences a NULL pointer.

[   51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
[   51.289348] task: ee942d00 task.stack: ee960000
[   51.293861] PC is at tick_periodic+0x38/0xb0
[   51.298102] LR is at tick_handle_periodic+0x1c/0x90

Clear the pending interrupt in the cpu dying path.

Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Cc: linux-samsung-soc@vger.kernel.org
Cc: cw00.choi@samsung.com
Cc: daniel.lezcano@linaro.org
Cc: javier@osg.samsung.com
Cc: kgene@kernel.org
Cc: krzk@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: add definition of the 'mevt' variable, added earlier
 upstream]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -458,10 +458,15 @@ static int exynos4_local_timer_setup(str
 
 static void exynos4_local_timer_stop(struct clock_event_device *evt)
 {
+	struct mct_clock_event_device *mevt;
+
+	mevt = container_of(evt, struct mct_clock_event_device, evt);
+
 	evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
 			disable_irq_nosync(evt->irq);
+		exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
 	} else {
 		disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
 	}

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 282/370] ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-snps-arc

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <Vineet.Gupta1@synopsys.com>

commit a524c218bc94c705886a0e0fedeee45d1931da32 upstream.

Reported-by: Jo-Philipp Wich <jo at mein.io>
Fixes: 9aed02feae57bf7 ("ARC: [arcompact] handle unaligned access delay slot")
Cc: linux-kernel at vger.kernel.org
Cc: linux-snps-arc at lists.infradead.org
Signed-off-by: Vineet Gupta <vgupta at synopsys.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
---
 arch/arc/kernel/unaligned.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/kernel/unaligned.c
+++ b/arch/arc/kernel/unaligned.c
@@ -242,7 +242,7 @@ int misaligned_fixup(unsigned long addre
 
 	/* clear any remanants of delay slot */
 	if (delay_mode(regs)) {
-		regs->ret = regs->bta ~1U;
+		regs->ret = regs->bta & ~1U;
 		regs->status32 &= ~STATUS_DE_MASK;
 	} else {
 		regs->ret += state.instr_len;
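
Review bot: the removed line `regs->ret = regs->bta ~1U;` is not valid C, so this file cannot have compiled with the earlier change applied, yet the changelog has no body. Say in the commit message that this is a build fix for the commit named in Fixes:, and queue it directly after that commit so no intermediate tree in the series fails to build. The context comment also has a typo ("remanants").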

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 229/370] clocksource/exynos_mct: Clear interrupt when cpu is shut down
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-arm-kernel

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joonyoung Shim <jy0922.shim@samsung.com>

commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.

When a CPU goes offline a potentially pending timer interrupt is not
cleared. When the CPU comes online again then the pending interrupt is
delivered before the per cpu clockevent device is initialized. As a
consequence the tick interrupt handler dereferences a NULL pointer.

[   51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
[   51.289348] task: ee942d00 task.stack: ee960000
[   51.293861] PC is at tick_periodic+0x38/0xb0
[   51.298102] LR is at tick_handle_periodic+0x1c/0x90

Clear the pending interrupt in the cpu dying path.

Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Cc: linux-samsung-soc at vger.kernel.org
Cc: cw00.choi at samsung.com
Cc: daniel.lezcano at linaro.org
Cc: javier at osg.samsung.com
Cc: kgene at kernel.org
Cc: krzk at kernel.org
Cc: linux-arm-kernel at lists.infradead.org
Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim at samsung.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: add definition of the 'mevt' variable, added earlier
 upstream]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -458,10 +458,15 @@ static int exynos4_local_timer_setup(str
 
 static void exynos4_local_timer_stop(struct clock_event_device *evt)
 {
+	struct mct_clock_event_device *mevt;
+
+	mevt = container_of(evt, struct mct_clock_event_device, evt);
+
 	evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
 			disable_irq_nosync(evt->irq);
+		exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
 	} else {
 		disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
 	}

^ permalink raw reply	[flat|nested] 390+ messages in thread

* [PATCH 3.16 260/370] drm/i915: Don't leak edid in intel_crt_detect_ddc()
@ 2017-03-10 11:46   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 11:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ander Conselvan de Oliveira, Jani Nikula, Daniel Vetter,
	intel-gfx, Daniel Vetter, akpm

3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>

commit c34f078675f505c4437919bb1897b1351f16a050 upstream.

In the path where intel_crt_detect_ddc() detects a CRT, it would return
true without freeing the edid.

Fixes: a2bd1f541f19 ("drm/i915: check whether we actually received an edid in detect_ddc")
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1484922525-6131-1-git-send-email-ander.conselvan.de.oliveira@intel.com
(cherry picked from commit c96b63a6a7ac4bd670ec2e663793a9a31418b790)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_crt.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/i915/intel_crt.c
+++ b/drivers/gpu/drm/i915/intel_crt.c
@@ -477,6 +477,7 @@ static bool intel_crt_detect_ddc(struct
 	struct drm_i915_private *dev_priv = crt->base.base.dev->dev_private;
 	struct edid *edid;
 	struct i2c_adapter *i2c;
+	bool ret = false;
 
 	BUG_ON(crt->base.type != INTEL_OUTPUT_ANALOG);
 
@@ -493,17 +494,17 @@ static bool intel_crt_detect_ddc(struct
 		 */
 		if (!is_digital) {
 			DRM_DEBUG_KMS("CRT detected via DDC:0x50 [EDID]\n");
-			return true;
+			ret = true;
+		} else {
+			DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n");
 		}
-
-		DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n");
 	} else {
 		DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [no valid EDID found]\n");
 	}
 
 	kfree(edid);
 
-	return false;
+	return ret;
 }
 
 static enum drm_connector_status
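
Review bot: `bool ret` is named like an errno-style return code but carries "CRT detected"; call it `detected` (or similar) so that `return ret;` at the end of intel_crt_detect_ddc() is not misread. With both outcomes now falling through to the single `kfree(edid)`, a short comment at that call noting it is the only exit would help keep early returns from creeping back in.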

^ permalink raw reply	[flat|nested] 390+ messages in thread

* Re: [PATCH 3.16 125/370] clk: renesas: mstp: Support 8-bit registers for r7s72100
  2017-03-10 11:46 ` [PATCH 3.16 125/370] clk: renesas: mstp: Support 8-bit registers for r7s72100 Ben Hutchings
@ 2017-03-10 12:10   ` Geert Uytterhoeven
  2017-03-11 23:50     ` Ben Hutchings
  0 siblings, 1 reply; 390+ messages in thread
From: Geert Uytterhoeven @ 2017-03-10 12:10 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, Andrew Morton, Chris Brandt, Stephen Boyd,
	Kuninori Morimoto, Geert Uytterhoeven

Hi Ben,

On Fri, Mar 10, 2017 at 12:46 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> 3.16.42-rc1 review patch.  If anyone has any objections, please let me know.

No objections, but you also want

commit f59de563358eb9351b7f8f0ba2d3be2ebb70b93d
Author: Chris Brandt <chris.brandt@renesas.com>
Date:   Tue Feb 14 11:08:05 2017 -0500

    clk: renesas: mstp: ensure register writes complete

> ------------------
>
> From: Chris Brandt <chris.brandt@renesas.com>
>
> commit e2a33c34ddff22ee208d80abdd12b88a98d6cb60 upstream.
>
> The RZ/A1 is different than the other Renesas SOCs because the MSTP
> registers are 8-bit instead of 32-bit and if you try writing values as
> 32-bit nothing happens...meaning this driver never worked for r7s72100.
>
> Fixes: b6face404f38 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi")
> Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
> Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
> Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
> Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
> [bwh: Backported to 3.16: adjust filename]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

^ permalink raw reply	[flat|nested] 390+ messages in thread

* Re: [PATCH 3.16 000/370] 3.16.42-rc1 review
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (369 preceding siblings ...)
  2017-03-10 11:46 ` [PATCH 3.16 283/370] drm/i915: fix use-after-free in page_flip_completed() Ben Hutchings
@ 2017-03-10 12:49 ` Guenter Roeck
  2017-03-10 13:04   ` Ben Hutchings
  2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
  371 siblings, 1 reply; 390+ messages in thread
From: Guenter Roeck @ 2017-03-10 12:49 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm

On 03/10/2017 03:46 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.42 release.
> There are 370 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
> Anything received after that time might be too late.
>

Build results:
	total: 140 pass: 140 fail: 0
Qemu test results:
	total: 107 pass: 107 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 390+ messages in thread

* Re: [PATCH 3.16 000/370] 3.16.42-rc1 review
  2017-03-10 12:49 ` [PATCH 3.16 000/370] 3.16.42-rc1 review Guenter Roeck
@ 2017-03-10 13:04   ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-10 13:04 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm

On Fri, 2017-03-10 at 04:49 -0800, Guenter Roeck wrote:
> On 03/10/2017 03:46 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.42
> > release.
> > There are 370 patches in this series, which will be posted as
> > responses
> > to this one.  If anyone has any issues with these being applied,
> > please
> > let me know.
> > 
> > Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 140 pass: 140 fail: 0
> Qemu test results:
> 	total: 107 pass: 107 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for checking.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.




* [PATCH 3.16 000/372] 3.16.42-rc2 review
  2017-03-10 11:46 [PATCH 3.16 000/370] 3.16.42-rc1 review Ben Hutchings
                   ` (370 preceding siblings ...)
  2017-03-10 12:49 ` [PATCH 3.16 000/370] 3.16.42-rc1 review Guenter Roeck
@ 2017-03-11 15:15 ` Ben Hutchings
  2017-03-11 15:15   ` [PATCH 3.16 372/372] tty: n_hdlc: get rid of racy n_hdlc.tbuf Ben Hutchings
                     ` (3 more replies)
  371 siblings, 4 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-11 15:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

I've added two more patches to the queue for this release, which
will be sent as replies to this message.

Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
Anything received after that time might be too late.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


* [PATCH 3.16 372/372] tty: n_hdlc: get rid of racy n_hdlc.tbuf
  2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
@ 2017-03-11 15:15   ` Ben Hutchings
  2017-03-11 15:15   ` [PATCH 3.16 371/372] TTY: n_hdlc, fix lockdep false positive Ben Hutchings
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-11 15:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexander Popov, Greg Kroah-Hartman

3.16.42-rc2 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Popov <alex.popov@linux.com>

commit 82f2341c94d270421f383641b7cd670e474db56b upstream.

Currently N_HDLC line discipline uses a self-made singly linked list for
data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error.

The commit be10eb7589337e5defbe214dae038a53dd21add8
("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
one data buffer to tx_free_buf_list twice. That causes double free in
n_hdlc_release().

Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
in case of tx error put current data buffer after the head of tx_buf_list.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------
 1 file changed, 69 insertions(+), 63 deletions(-)

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 1bacbc3b19a0..e94aea8c0d05 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -114,7 +114,7 @@
 #define DEFAULT_TX_BUF_COUNT 3
 
 struct n_hdlc_buf {
-	struct n_hdlc_buf *link;
+	struct list_head  list_item;
 	int		  count;
 	char		  buf[1];
 };
@@ -122,8 +122,7 @@ struct n_hdlc_buf {
 #define	N_HDLC_BUF_SIZE	(sizeof(struct n_hdlc_buf) + maxframe)
 
 struct n_hdlc_buf_list {
-	struct n_hdlc_buf *head;
-	struct n_hdlc_buf *tail;
+	struct list_head  list;
 	int		  count;
 	spinlock_t	  spinlock;
 };
@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
  * @backup_tty - TTY to use if tty gets closed
  * @tbusy - reentrancy flag for tx wakeup code
  * @woke_up - FIXME: describe this field
- * @tbuf - currently transmitting tx buffer
  * @tx_buf_list - list of pending transmit frame buffers
  * @rx_buf_list - list of received frame buffers
  * @tx_free_buf_list - list unused transmit frame buffers
@@ -149,7 +147,6 @@ struct n_hdlc {
 	struct tty_struct	*backup_tty;
 	int			tbusy;
 	int			woke_up;
-	struct n_hdlc_buf	*tbuf;
 	struct n_hdlc_buf_list	tx_buf_list;
 	struct n_hdlc_buf_list	rx_buf_list;
 	struct n_hdlc_buf_list	tx_free_buf_list;
@@ -159,6 +156,8 @@ struct n_hdlc {
 /*
  * HDLC buffer list manipulation functions
  */
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+						struct n_hdlc_buf *buf);
 static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
 			   struct n_hdlc_buf *buf);
 static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
 {
 	struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
 	struct n_hdlc_buf *buf;
-	unsigned long flags;
 
 	while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
 		n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
- 	spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
-	if (n_hdlc->tbuf) {
-		n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
-		n_hdlc->tbuf = NULL;
-	}
-	spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
 }
 
 static struct tty_ldisc_ops n_hdlc_ldisc = {
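Review bot: flush_tx_queue() now drains only what is on tx_buf_list, so a frame that n_hdlc_send_frames() has already taken with n_hdlc_buf_get() is no longer covered by the flush; if the driver then refuses it, n_hdlc_buf_return() puts it back on tx_buf_list after the flush has finished. The buffer still has a single owner at every point, so this is a behaviour change rather than a memory-safety problem, but a comment on flush_tx_queue() stating that one in-flight frame may survive a flush would save the next reader from rediscovering it.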
@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
 		} else
 			break;
 	}
-	kfree(n_hdlc->tbuf);
 	kfree(n_hdlc);
 	
 }	/* end of n_hdlc_release() */
@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 	n_hdlc->woke_up = 0;
 	spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
 
-	/* get current transmit buffer or get new transmit */
-	/* buffer from list of pending transmit buffers */
-		
-	tbuf = n_hdlc->tbuf;
-	if (!tbuf)
-		tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
-		
+	tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
 	while (tbuf) {
 		if (debuglevel >= DEBUG_LEVEL_INFO)	
 			printk("%s(%d)sending frame %p, count=%d\n",
@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 
 		/* rollback was possible and has been done */
 		if (actual == -ERESTARTSYS) {
-			n_hdlc->tbuf = tbuf;
+			n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
 			break;
 		}
 		/* if transmit error, throw frame away by */
@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 					
 			/* free current transmit buffer */
 			n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
-			
-			/* this tx buffer is done */
-			n_hdlc->tbuf = NULL;
-			
+
 			/* wait up sleeping writers */
 			wake_up_interruptible(&tty->write_wait);
 	
@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 			if (debuglevel >= DEBUG_LEVEL_INFO)	
 				printk("%s(%d)frame %p pending\n",
 					__FILE__,__LINE__,tbuf);
-					
-			/* buffer not accepted by driver */
-			/* set this buffer as pending buffer */
-			n_hdlc->tbuf = tbuf;
+
+			/*
+			 * the buffer was not accepted by driver,
+			 * return it back into tx queue
+			 */
+			n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
 			break;
 		}
 	}
@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
 	int error = 0;
 	int count;
 	unsigned long flags;
-	
+	struct n_hdlc_buf *buf = NULL;
+
 	if (debuglevel >= DEBUG_LEVEL_INFO)	
 		printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
 			__FILE__,__LINE__,cmd);
@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
 		/* report count of read data available */
 		/* in next available frame (if any) */
 		spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
-		if (n_hdlc->rx_buf_list.head)
-			count = n_hdlc->rx_buf_list.head->count;
+		buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
+						struct n_hdlc_buf, list_item);
+		if (buf)
+			count = buf->count;
 		else
 			count = 0;
 		spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
 		count = tty_chars_in_buffer(tty);
 		/* add size of next output frame in queue */
 		spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
-		if (n_hdlc->tx_buf_list.head)
-			count += n_hdlc->tx_buf_list.head->count;
+		buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
+						struct n_hdlc_buf, list_item);
+		if (buf)
+			count += buf->count;
 		spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
 		error = put_user(count, (int __user *)arg);
 		break;
@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
 		poll_wait(filp, &tty->write_wait, wait);
 
 		/* set bits for operations that won't block */
-		if (n_hdlc->rx_buf_list.head)
+		if (!list_empty(&n_hdlc->rx_buf_list.list))
 			mask |= POLLIN | POLLRDNORM;	/* readable */
 		if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
 			mask |= POLLHUP;
 		if (tty_hung_up_p(filp))
 			mask |= POLLHUP;
 		if (!tty_is_writelocked(tty) &&
-				n_hdlc->tx_free_buf_list.head)
+				!list_empty(&n_hdlc->tx_free_buf_list.list))
 			mask |= POLLOUT | POLLWRNORM;	/* writable */
 	}
 	return mask;
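Review bot: both list_empty() tests in n_hdlc_tty_poll() read rx_buf_list.list and tx_free_buf_list.list without taking the matching spinlock, while n_hdlc_buf_put(), n_hdlc_buf_get() and n_hdlc_buf_return() modify those lists under it. For a poll mask a stale answer is tolerable, so this does not need a lock, but say so in a comment, or use list_empty_careful(), so that the lockless read is visibly intentional.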
@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void)
 	spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
 	spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
 	spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
-	
+
+	INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
+	INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
+	INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
+	INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
+
 	/* allocate free rx buffer list */
 	for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
 		buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
@@ -884,53 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
 }	/* end of n_hdlc_alloc() */
 
 /**
+ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
+ * @buf_list - pointer to the buffer list
+ * @buf - pointer to the buffer
+ */
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+						struct n_hdlc_buf *buf)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&buf_list->spinlock, flags);
+
+	list_add(&buf->list_item, &buf_list->list);
+	buf_list->count++;
+
+	spin_unlock_irqrestore(&buf_list->spinlock, flags);
+}
+
+/**
  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
- * @list - pointer to buffer list
+ * @buf_list - pointer to buffer list
  * @buf	- pointer to buffer
  */
-static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
 			   struct n_hdlc_buf *buf)
 {
 	unsigned long flags;
-	spin_lock_irqsave(&list->spinlock,flags);
-	
-	buf->link=NULL;
-	if (list->tail)
-		list->tail->link = buf;
-	else
-		list->head = buf;
-	list->tail = buf;
-	(list->count)++;
-	
-	spin_unlock_irqrestore(&list->spinlock,flags);
-	
+
+	spin_lock_irqsave(&buf_list->spinlock, flags);
+
+	list_add_tail(&buf->list_item, &buf_list->list);
+	buf_list->count++;
+
+	spin_unlock_irqrestore(&buf_list->spinlock, flags);
 }	/* end of n_hdlc_buf_put() */
 
 /**
  * n_hdlc_buf_get - remove and return an HDLC buffer from list
- * @list - pointer to HDLC buffer list
+ * @buf_list - pointer to HDLC buffer list
  * 
  * Remove and return an HDLC buffer from the head of the specified HDLC buffer
  * list.
  * Returns a pointer to HDLC buffer if available, otherwise %NULL.
  */
-static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
 {
 	unsigned long flags;
 	struct n_hdlc_buf *buf;
-	spin_lock_irqsave(&list->spinlock,flags);
-	
-	buf = list->head;
+
+	spin_lock_irqsave(&buf_list->spinlock, flags);
+
+	buf = list_first_entry_or_null(&buf_list->list,
+						struct n_hdlc_buf, list_item);
 	if (buf) {
-		list->head = buf->link;
-		(list->count)--;
+		list_del(&buf->list_item);
+		buf_list->count--;
 	}
-	if (!list->head)
-		list->tail = NULL;
-	
-	spin_unlock_irqrestore(&list->spinlock,flags);
+
+	spin_unlock_irqrestore(&buf_list->spinlock, flags);
 	return buf;
-	
 }	/* end of n_hdlc_buf_get() */
 
 static char hdlc_banner[] __initdata =
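Review bot: the kernel-doc for n_hdlc_buf_return() should state its precondition: buf must have just been taken off a list with n_hdlc_buf_get() and be on no list when it is passed in. list_add() on an item that is still linked corrupts both lists, and putting one buffer on a list twice is exactly the failure the commit message describes for tx_free_buf_list. It would also help to say that the buffer goes to the head so that frame order is preserved on retry. Style: the new parameter lines use "@buf_list - ..." where kernel-doc expects "@buf_list: ...", although that matches the rest of this file.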


* [PATCH 3.16 371/372] TTY: n_hdlc, fix lockdep false positive
  2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
  2017-03-11 15:15   ` [PATCH 3.16 372/372] tty: n_hdlc: get rid of racy n_hdlc.tbuf Ben Hutchings
@ 2017-03-11 15:15   ` Ben Hutchings
  2017-03-11 16:53   ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
  2017-03-12 18:18   ` Guenter Roeck
  3 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-11 15:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Dmitry Vyukov, Jiri Slaby

3.16.42-rc2 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit e9b736d88af1a143530565929390cadf036dc799 upstream.

The class of 4 n_hdlc buf locks is the same because a single function
n_hdlc_buf_list_init is used to init all the locks. But since
flush_tx_queue takes n_hdlc->tx_buf_list.spinlock and then calls
n_hdlc_buf_put which takes n_hdlc->tx_free_buf_list.spinlock, lockdep
emits a warning:
=============================================
[ INFO: possible recursive locking detected ]
4.3.0-25.g91e30a7-default #1 Not tainted
---------------------------------------------
a.out/1248 is trying to acquire lock:
 (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]

but task is already holding lock:
 (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&list->spinlock)->rlock);
  lock(&(&list->spinlock)->rlock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by a.out/1248:
 #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff814c9eb0>] tty_ldisc_ref_wait+0x20/0x50
 #1:  (&(&list->spinlock)->rlock){......}, at: [<ffffffffa01fdc07>] n_hdlc_tty_ioctl+0x127/0x1d0 [n_hdlc]
...
Call Trace:
...
 [<ffffffff81738fd0>] _raw_spin_lock_irqsave+0x50/0x70
 [<ffffffffa01fd020>] n_hdlc_buf_put+0x20/0x60 [n_hdlc]
 [<ffffffffa01fdc24>] n_hdlc_tty_ioctl+0x144/0x1d0 [n_hdlc]
 [<ffffffff814c25c1>] tty_ioctl+0x3f1/0xe40
...

Fix it by initializing the spin_locks separately. This also removes the
redundant memset of a freshly kzallocated space.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_hdlc.c | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index bbc4ce66c2c1..bcaba17688f6 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -159,7 +159,6 @@ struct n_hdlc {
 /*
  * HDLC buffer list manipulation functions
  */
-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
 static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
 			   struct n_hdlc_buf *buf);
 static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
@@ -853,10 +852,10 @@ static struct n_hdlc *n_hdlc_alloc(void)
 	if (!n_hdlc)
 		return NULL;
 
-	n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
-	n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
-	n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
-	n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
+	spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
+	spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
+	spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
+	spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
 	
 	/* allocate free rx buffer list */
 	for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
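Review bot: the four spin_lock_init() calls are open-coded on purpose, since each call site gets its own lockdep class and the shared helper is what made the locks look identical, but nothing in the code says so. Add a one-line comment above them, otherwise the next cleanup will fold them back into a helper and bring the warning back. The lists are also no longer cleared here; that depends on n_hdlc coming from a zeroing allocation, which the commit message asserts but this hunk does not show.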
@@ -885,16 +884,6 @@ static struct n_hdlc *n_hdlc_alloc(void)
 }	/* end of n_hdlc_alloc() */
 
 /**
- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
- * @list - pointer to buffer list
- */
-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
-{
-	memset(list, 0, sizeof(*list));
-	spin_lock_init(&list->spinlock);
-}	/* end of n_hdlc_buf_list_init() */
-
-/**
  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
  * @list - pointer to buffer list
  * @buf	- pointer to buffer


* Re: [PATCH 3.16 000/372] 3.16.42-rc2 review
  2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
  2017-03-11 15:15   ` [PATCH 3.16 372/372] tty: n_hdlc: get rid of racy n_hdlc.tbuf Ben Hutchings
  2017-03-11 15:15   ` [PATCH 3.16 371/372] TTY: n_hdlc, fix lockdep false positive Ben Hutchings
@ 2017-03-11 16:53   ` Ben Hutchings
  2017-03-12 18:18   ` Guenter Roeck
  3 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-11 16:53 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm



This is the combined diff for 3.16.42-rc2 relative to 3.16.41.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


[-- Attachment #1.2: linux-3.16.42-rc2.patch --]
[-- Type: text/x-patch, Size: 394047 bytes --]

diff --git a/Documentation/devicetree/bindings/clock/imx31-clock.txt b/Documentation/devicetree/bindings/clock/imx31-clock.txt
index 19df842c694f..8163d565f697 100644
--- a/Documentation/devicetree/bindings/clock/imx31-clock.txt
+++ b/Documentation/devicetree/bindings/clock/imx31-clock.txt
@@ -77,7 +77,7 @@ Examples:
 clks: ccm@53f80000{
 	compatible = "fsl,imx31-ccm";
 	reg = <0x53f80000 0x4000>;
-	interrupts = <0 31 0x04 0 53 0x04>;
+	interrupts = <31>, <53>;
 	#clock-cells = <1>;
 };
 
diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
index 769c2cb7f9b3..e86da4377402 100644
--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -1891,6 +1891,7 @@ registers, find a list below:
   PPC   | KVM_REG_PPC_TM_VSCR	| 32
   PPC   | KVM_REG_PPC_TM_DSCR	| 64
   PPC   | KVM_REG_PPC_TM_TAR	| 64
+  PPC   | KVM_REG_PPC_TM_XER   | 64
 
 ARM registers are mapped using the lower 32 bits.  The upper 16 of that
 is the register group type, or coprocessor number:
diff --git a/MAINTAINERS b/MAINTAINERS
index 65791c0891a9..b2a5243e9d0b 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10057,11 +10057,11 @@ F:	arch/x86/xen/*swiotlb*
 F:	drivers/xen/*swiotlb*
 
 XFS FILESYSTEM
-M:	Dave Chinner <david@fromorbit.com>
+M:	Darrick J. Wong <darrick.wong@oracle.com>
 M:	linux-xfs@vger.kernel.org
 L:	linux-xfs@vger.kernel.org
 W:	http://xfs.org/
-T:	git git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs.git
+T:	git git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git
 S:	Supported
 F:	Documentation/filesystems/xfs.txt
 F:	fs/xfs/
diff --git a/Makefile b/Makefile
index 1edbcba47f75..f77dbda0bec6 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 VERSION = 3
 PATCHLEVEL = 16
-SUBLEVEL = 41
-EXTRAVERSION =
+SUBLEVEL = 42
+EXTRAVERSION = -rc2
 NAME = Museum of Fishiegoodies
 
 # *DOCUMENTATION*
diff --git a/arch/arc/kernel/unaligned.c b/arch/arc/kernel/unaligned.c
index 7ff5b5c183bb..2cc82b6ec23d 100644
--- a/arch/arc/kernel/unaligned.c
+++ b/arch/arc/kernel/unaligned.c
@@ -240,8 +240,9 @@ int misaligned_fixup(unsigned long address, struct pt_regs *regs,
 	if (state.fault)
 		goto fault;
 
+	/* clear any remanants of delay slot */
 	if (delay_mode(regs)) {
-		regs->ret = regs->bta;
+		regs->ret = regs->bta & ~1U;
 		regs->status32 &= ~STATUS_DE_MASK;
 	} else {
 		regs->ret += state.instr_len;
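Review bot: the added comment has a typo ("remanants" for "remnants") and does not say which remnant is meant. Since the fix is the `& ~1U` applied to regs->bta, spell out in the comment what bit 0 of bta carries in delay-slot mode so the reason for the mask is on record.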
diff --git a/arch/arm/boot/dts/da850-evm.dts b/arch/arm/boot/dts/da850-evm.dts
index 1e11e5a5f723..21342ab78ff5 100644
--- a/arch/arm/boot/dts/da850-evm.dts
+++ b/arch/arm/boot/dts/da850-evm.dts
@@ -59,6 +59,7 @@
 				#size-cells = <1>;
 				compatible = "m25p64";
 				spi-max-frequency = <30000000>;
+				m25p,fast-read;
 				reg = <0>;
 				partition@0 {
 					label = "U-Boot-SPL";
diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index c34f82581248..626e5e374572 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -30,11 +30,11 @@
 		};
 	};
 
-	avic: avic-interrupt-controller@60000000 {
+	avic: interrupt-controller@68000000 {
 		compatible = "fsl,imx31-avic", "fsl,avic";
 		interrupt-controller;
 		#interrupt-cells = <1>;
-		reg = <0x60000000 0x100000>;
+		reg = <0x68000000 0x100000>;
 	};
 
 	soc {
@@ -110,13 +110,6 @@
 				interrupts = <19>;
 				clocks = <&clks 25>;
 			};
-
-			clks: ccm@53f80000{
-				compatible = "fsl,imx31-ccm";
-				reg = <0x53f80000 0x4000>;
-				interrupts = <0 31 0x04 0 53 0x04>;
-				#clock-cells = <1>;
-			};
 		};
 
 		aips@53f00000 { /* AIPS2 */
@@ -126,6 +119,13 @@
 			reg = <0x53f00000 0x100000>;
 			ranges;
 
+			clks: ccm@53f80000{
+				compatible = "fsl,imx31-ccm";
+				reg = <0x53f80000 0x4000>;
+				interrupts = <31>, <53>;
+				#clock-cells = <1>;
+			};
+
 			gpt: timer@53f90000 {
 				compatible = "fsl,imx31-gpt";
 				reg = <0x53f90000 0x4000>;
diff --git a/arch/arm/boot/dts/imx6q-cm-fx6.dts b/arch/arm/boot/dts/imx6q-cm-fx6.dts
index 99b46f8030ad..172579a14aae 100644
--- a/arch/arm/boot/dts/imx6q-cm-fx6.dts
+++ b/arch/arm/boot/dts/imx6q-cm-fx6.dts
@@ -65,7 +65,6 @@
 				MX6QDL_PAD_ENET_REF_CLK__ENET_TX_CLK	0x1b0b0
 				MX6QDL_PAD_ENET_MDIO__ENET_MDIO		0x1b0b0
 				MX6QDL_PAD_ENET_MDC__ENET_MDC		0x1b0b0
-				MX6QDL_PAD_GPIO_16__ENET_REF_CLK	0x4001b0a8
 			>;
 		};
 
diff --git a/arch/arm/include/asm/cputype.h b/arch/arm/include/asm/cputype.h
index 8c2b7321a478..4b401f1092f3 100644
--- a/arch/arm/include/asm/cputype.h
+++ b/arch/arm/include/asm/cputype.h
@@ -79,6 +79,9 @@
 #define ARM_CPU_XSCALE_ARCH_V2		0x4000
 #define ARM_CPU_XSCALE_ARCH_V3		0x6000
 
+/* Qualcomm implemented cores */
+#define ARM_CPU_PART_SCORPION		0x510002d0
+
 extern unsigned int processor_id;
 
 #ifdef CONFIG_CPU_CP15
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index 4d963fb66e3f..5c7404326b7c 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -1067,6 +1067,22 @@ static int __init arch_hw_breakpoint_init(void)
 		return 0;
 	}
 
+	/*
+	 * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
+	 * whenever a WFI is issued, even if the core is not powered down, in
+	 * violation of the architecture.  When DBGPRSR.SPD is set, accesses to
+	 * breakpoint and watchpoint registers are treated as undefined, so
+	 * this results in boot time and runtime failures when these are
+	 * accessed and we unexpectedly take a trap.
+	 *
+	 * It's not clear if/how this can be worked around, so we blacklist
+	 * Scorpion CPUs to avoid these issues.
+	*/
+	if ((read_cpuid_id() & 0xff00fff0) == ARM_CPU_PART_SCORPION) {
+		pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
+		return 0;
+	}
+
 	has_ossr = core_has_os_save_restore();
 
 	/* Determine how many BRPs/WRPs are available. */
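Review bot: the literal 0xff00fff0 in the read_cpuid_id() test is unexplained. It keeps the implementer and primary part number fields of the ID register and drops variant, architecture and revision; a named mask, or a comment next to ARM_CPU_PART_SCORPION in cputype.h, would make clear that the match covers every revision of the part. The block comment's closing line is also missing the leading space before `*/`.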
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index a20ebfeac471..e81c15665f10 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -600,7 +600,7 @@ static int gpr_set(struct task_struct *target,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct pt_regs newregs;
+	struct pt_regs newregs = *task_pt_regs(target);
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				 &newregs,
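Review bot: the new initializer on newregs needs a comment. user_regset_copyin() writes only the range selected by pos and count, so without the copy from task_pt_regs(target) a short write leaves the remaining fields as uninitialized stack contents; say that at the declaration, otherwise the struct copy looks redundant and may be removed in a later cleanup.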
diff --git a/arch/arm/mach-davinci/da850.c b/arch/arm/mach-davinci/da850.c
index 45ce065e7170..1180a75cd707 100644
--- a/arch/arm/mach-davinci/da850.c
+++ b/arch/arm/mach-davinci/da850.c
@@ -297,6 +297,16 @@ static struct clk emac_clk = {
 	.gpsc		= 1,
 };
 
+/*
+ * In order to avoid adding the emac_clk to the clock lookup table twice (and
+ * screwing up the linked list in the process) create a separate clock for
+ * mdio inheriting the rate from emac_clk.
+ */
+static struct clk mdio_clk = {
+	.name		= "mdio",
+	.parent		= &emac_clk,
+};
+
 static struct clk mcasp_clk = {
 	.name		= "mcasp",
 	.parent		= &pll0_sysclk2,
@@ -461,7 +471,7 @@ static struct clk_lookup da850_clks[] = {
 	CLK(NULL,		"arm",		&arm_clk),
 	CLK(NULL,		"rmii",		&rmii_clk),
 	CLK("davinci_emac.1",	NULL,		&emac_clk),
-	CLK("davinci_mdio.0",	"fck",		&emac_clk),
+	CLK("davinci_mdio.0",	"fck",		&mdio_clk),
 	CLK("davinci-mcasp.0",	NULL,		&mcasp_clk),
 	CLK("da8xx_lcdc.0",	"fck",		&lcdc_clk),
 	CLK("da830-mmc.0",	NULL,		&mmcsd0_clk),
diff --git a/arch/arm/mach-ux500/pm.c b/arch/arm/mach-ux500/pm.c
index b80a9a2e356e..ac32ad229429 100644
--- a/arch/arm/mach-ux500/pm.c
+++ b/arch/arm/mach-ux500/pm.c
@@ -131,8 +131,8 @@ bool prcmu_pending_irq(void)
  */
 bool prcmu_is_cpu_in_wfi(int cpu)
 {
-	return readl(PRCM_ARM_WFI_STANDBY) & cpu ? PRCM_ARM_WFI_STANDBY_WFI1 :
-		     PRCM_ARM_WFI_STANDBY_WFI0;
+	return readl(PRCM_ARM_WFI_STANDBY) &
+		(cpu ? PRCM_ARM_WFI_STANDBY_WFI1 : PRCM_ARM_WFI_STANDBY_WFI0);
 }
 
 /*
diff --git a/arch/arm/mach-zynq/common.c b/arch/arm/mach-zynq/common.c
index 31a6fa40ba37..b4214cf082b1 100644
--- a/arch/arm/mach-zynq/common.c
+++ b/arch/arm/mach-zynq/common.c
@@ -59,7 +59,7 @@ void __iomem *zynq_scu_base;
 static void __init zynq_memory_init(void)
 {
 	if (!__pa(PAGE_OFFSET))
-		memblock_reserve(__pa(PAGE_OFFSET), __pa(swapper_pg_dir));
+		memblock_reserve(__pa(PAGE_OFFSET), 0x80000);
 }
 
 static struct platform_device zynq_cpuidle_device = {
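Review bot: memblock_reserve() now takes the bare literal 0x80000 as its size where the old code derived it from swapper_pg_dir. Give the value a named constant or a comment stating what the first 512 KiB are reserved for, so the number can be checked against the constraint it encodes.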
diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
index 1e632430570b..e4d719ff71f6 100644
--- a/arch/arm/xen/enlighten.c
+++ b/arch/arm/xen/enlighten.c
@@ -291,8 +291,7 @@ static int __init xen_guest_init(void)
 	 * for secondary CPUs as they are brought up.
 	 * For uniformity we use VCPUOP_register_vcpu_info even on cpu0.
 	 */
-	xen_vcpu_info = __alloc_percpu(sizeof(struct vcpu_info),
-			                       sizeof(struct vcpu_info));
+	xen_vcpu_info = alloc_percpu(struct vcpu_info);
 	if (xen_vcpu_info == NULL)
 		return -ENOMEM;
 
diff --git a/arch/arm64/crypto/aes-ce-ccm-core.S b/arch/arm64/crypto/aes-ce-ccm-core.S
index 432e4841cd81..d04eb27746d2 100644
--- a/arch/arm64/crypto/aes-ce-ccm-core.S
+++ b/arch/arm64/crypto/aes-ce-ccm-core.S
@@ -9,6 +9,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 	.text
 	.arch	armv8-a+crypto
@@ -19,7 +20,7 @@
 	 */
 ENTRY(ce_aes_ccm_auth_data)
 	ldr	w8, [x3]			/* leftover from prev round? */
-	ld1	{v0.2d}, [x0]			/* load mac */
+	ld1	{v0.16b}, [x0]			/* load mac */
 	cbz	w8, 1f
 	sub	w8, w8, #16
 	eor	v1.16b, v1.16b, v1.16b
@@ -31,7 +32,7 @@ ENTRY(ce_aes_ccm_auth_data)
 	beq	8f				/* out of input? */
 	cbnz	w8, 0b
 	eor	v0.16b, v0.16b, v1.16b
-1:	ld1	{v3.2d}, [x4]			/* load first round key */
+1:	ld1	{v3.16b}, [x4]			/* load first round key */
 	prfm	pldl1strm, [x1]
 	cmp	w5, #12				/* which key size? */
 	add	x6, x4, #16
@@ -41,17 +42,17 @@ ENTRY(ce_aes_ccm_auth_data)
 	mov	v5.16b, v3.16b
 	b	4f
 2:	mov	v4.16b, v3.16b
-	ld1	{v5.2d}, [x6], #16		/* load 2nd round key */
+	ld1	{v5.16b}, [x6], #16		/* load 2nd round key */
 3:	aese	v0.16b, v4.16b
 	aesmc	v0.16b, v0.16b
-4:	ld1	{v3.2d}, [x6], #16		/* load next round key */
+4:	ld1	{v3.16b}, [x6], #16		/* load next round key */
 	aese	v0.16b, v5.16b
 	aesmc	v0.16b, v0.16b
-5:	ld1	{v4.2d}, [x6], #16		/* load next round key */
+5:	ld1	{v4.16b}, [x6], #16		/* load next round key */
 	subs	w7, w7, #3
 	aese	v0.16b, v3.16b
 	aesmc	v0.16b, v0.16b
-	ld1	{v5.2d}, [x6], #16		/* load next round key */
+	ld1	{v5.16b}, [x6], #16		/* load next round key */
 	bpl	3b
 	aese	v0.16b, v4.16b
 	subs	w2, w2, #16			/* last data? */
@@ -60,7 +61,7 @@ ENTRY(ce_aes_ccm_auth_data)
 	ld1	{v1.16b}, [x1], #16		/* load next input block */
 	eor	v0.16b, v0.16b, v1.16b		/* xor with mac */
 	bne	1b
-6:	st1	{v0.2d}, [x0]			/* store mac */
+6:	st1	{v0.16b}, [x0]			/* store mac */
 	beq	10f
 	adds	w2, w2, #16
 	beq	10f
@@ -79,7 +80,7 @@ ENTRY(ce_aes_ccm_auth_data)
 	adds	w7, w7, #1
 	bne	9b
 	eor	v0.16b, v0.16b, v1.16b
-	st1	{v0.2d}, [x0]
+	st1	{v0.16b}, [x0]
 10:	str	w8, [x3]
 	ret
 ENDPROC(ce_aes_ccm_auth_data)
@@ -89,27 +90,27 @@ ENDPROC(ce_aes_ccm_auth_data)
 	 * 			 u32 rounds);
 	 */
 ENTRY(ce_aes_ccm_final)
-	ld1	{v3.2d}, [x2], #16		/* load first round key */
-	ld1	{v0.2d}, [x0]			/* load mac */
+	ld1	{v3.16b}, [x2], #16		/* load first round key */
+	ld1	{v0.16b}, [x0]			/* load mac */
 	cmp	w3, #12				/* which key size? */
 	sub	w3, w3, #2			/* modified # of rounds */
-	ld1	{v1.2d}, [x1]			/* load 1st ctriv */
+	ld1	{v1.16b}, [x1]			/* load 1st ctriv */
 	bmi	0f
 	bne	3f
 	mov	v5.16b, v3.16b
 	b	2f
 0:	mov	v4.16b, v3.16b
-1:	ld1	{v5.2d}, [x2], #16		/* load next round key */
+1:	ld1	{v5.16b}, [x2], #16		/* load next round key */
 	aese	v0.16b, v4.16b
 	aese	v1.16b, v4.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-2:	ld1	{v3.2d}, [x2], #16		/* load next round key */
+2:	ld1	{v3.16b}, [x2], #16		/* load next round key */
 	aese	v0.16b, v5.16b
 	aese	v1.16b, v5.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-3:	ld1	{v4.2d}, [x2], #16		/* load next round key */
+3:	ld1	{v4.16b}, [x2], #16		/* load next round key */
 	subs	w3, w3, #3
 	aese	v0.16b, v3.16b
 	aese	v1.16b, v3.16b
@@ -120,47 +121,47 @@ ENTRY(ce_aes_ccm_final)
 	aese	v1.16b, v4.16b
 	/* final round key cancels out */
 	eor	v0.16b, v0.16b, v1.16b		/* en-/decrypt the mac */
-	st1	{v0.2d}, [x0]			/* store result */
+	st1	{v0.16b}, [x0]			/* store result */
 	ret
 ENDPROC(ce_aes_ccm_final)
 
 	.macro	aes_ccm_do_crypt,enc
 	ldr	x8, [x6, #8]			/* load lower ctr */
-	ld1	{v0.2d}, [x5]			/* load mac */
-	rev	x8, x8				/* keep swabbed ctr in reg */
+	ld1	{v0.16b}, [x5]			/* load mac */
+CPU_LE(	rev	x8, x8			)	/* keep swabbed ctr in reg */
 0:	/* outer loop */
-	ld1	{v1.1d}, [x6]			/* load upper ctr */
+	ld1	{v1.8b}, [x6]			/* load upper ctr */
 	prfm	pldl1strm, [x1]
 	add	x8, x8, #1
 	rev	x9, x8
 	cmp	w4, #12				/* which key size? */
 	sub	w7, w4, #2			/* get modified # of rounds */
 	ins	v1.d[1], x9			/* no carry in lower ctr */
-	ld1	{v3.2d}, [x3]			/* load first round key */
+	ld1	{v3.16b}, [x3]			/* load first round key */
 	add	x10, x3, #16
 	bmi	1f
 	bne	4f
 	mov	v5.16b, v3.16b
 	b	3f
 1:	mov	v4.16b, v3.16b
-	ld1	{v5.2d}, [x10], #16		/* load 2nd round key */
+	ld1	{v5.16b}, [x10], #16		/* load 2nd round key */
 2:	/* inner loop: 3 rounds, 2x interleaved */
 	aese	v0.16b, v4.16b
 	aese	v1.16b, v4.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-3:	ld1	{v3.2d}, [x10], #16		/* load next round key */
+3:	ld1	{v3.16b}, [x10], #16		/* load next round key */
 	aese	v0.16b, v5.16b
 	aese	v1.16b, v5.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-4:	ld1	{v4.2d}, [x10], #16		/* load next round key */
+4:	ld1	{v4.16b}, [x10], #16		/* load next round key */
 	subs	w7, w7, #3
 	aese	v0.16b, v3.16b
 	aese	v1.16b, v3.16b
 	aesmc	v0.16b, v0.16b
 	aesmc	v1.16b, v1.16b
-	ld1	{v5.2d}, [x10], #16		/* load next round key */
+	ld1	{v5.16b}, [x10], #16		/* load next round key */
 	bpl	2b
 	aese	v0.16b, v4.16b
 	aese	v1.16b, v4.16b
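Review bot: the comment on the `CPU_LE( rev x8, x8 )` line still reads "keep swabbed ctr in reg", which is only true on little-endian builds; on big-endian the rev is dropped and x8 already holds the counter in CPU order after the ldr. Reword it to say that x8 holds the counter as a native integer, and add the same explanation where the matching rev is wrapped before the final str later in the macro.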
@@ -177,14 +178,14 @@ ENDPROC(ce_aes_ccm_final)
 	eor	v0.16b, v0.16b, v2.16b		/* xor mac with pt ^ rk[last] */
 	st1	{v1.16b}, [x0], #16		/* write output block */
 	bne	0b
-	rev	x8, x8
-	st1	{v0.2d}, [x5]			/* store mac */
+CPU_LE(	rev	x8, x8			)
+	st1	{v0.16b}, [x5]			/* store mac */
 	str	x8, [x6, #8]			/* store lsb end of ctr (BE) */
 5:	ret
 
 6:	eor	v0.16b, v0.16b, v5.16b		/* final round mac */
 	eor	v1.16b, v1.16b, v5.16b		/* final round enc */
-	st1	{v0.2d}, [x5]			/* store mac */
+	st1	{v0.16b}, [x5]			/* store mac */
 	add	w2, w2, #16			/* process partial tail block */
 7:	ldrb	w9, [x1], #1			/* get 1 byte of input */
 	umov	w6, v1.b[0]			/* get top crypted ctr byte */
diff --git a/arch/arm64/crypto/aes-ce.S b/arch/arm64/crypto/aes-ce.S
index 685a18f731eb..56a258d4bada 100644
--- a/arch/arm64/crypto/aes-ce.S
+++ b/arch/arm64/crypto/aes-ce.S
@@ -10,6 +10,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 #define AES_ENTRY(func)		ENTRY(ce_ ## func)
 #define AES_ENDPROC(func)	ENDPROC(ce_ ## func)
diff --git a/arch/arm64/crypto/aes-modes.S b/arch/arm64/crypto/aes-modes.S
index f6e372c528eb..838dad5c209f 100644
--- a/arch/arm64/crypto/aes-modes.S
+++ b/arch/arm64/crypto/aes-modes.S
@@ -193,15 +193,16 @@ AES_ENTRY(aes_cbc_encrypt)
 	cbz		w6, .Lcbcencloop
 
 	ld1		{v0.16b}, [x5]			/* get iv */
-	enc_prepare	w3, x2, x5
+	enc_prepare	w3, x2, x6
 
 .Lcbcencloop:
 	ld1		{v1.16b}, [x1], #16		/* get next pt block */
 	eor		v0.16b, v0.16b, v1.16b		/* ..and xor with iv */
-	encrypt_block	v0, w3, x2, x5, w6
+	encrypt_block	v0, w3, x2, x6, w7
 	st1		{v0.16b}, [x0], #16
 	subs		w4, w4, #1
 	bne		.Lcbcencloop
+	st1		{v0.16b}, [x5]			/* return iv */
 	ret
 AES_ENDPROC(aes_cbc_encrypt)
 
@@ -211,7 +212,7 @@ AES_ENTRY(aes_cbc_decrypt)
 	cbz		w6, .LcbcdecloopNx
 
 	ld1		{v7.16b}, [x5]			/* get iv */
-	dec_prepare	w3, x2, x5
+	dec_prepare	w3, x2, x6
 
 .LcbcdecloopNx:
 #if INTERLEAVE >= 2
@@ -248,7 +249,7 @@ AES_ENTRY(aes_cbc_decrypt)
 .Lcbcdecloop:
 	ld1		{v1.16b}, [x1], #16		/* get next ct block */
 	mov		v0.16b, v1.16b			/* ...and copy to v0 */
-	decrypt_block	v0, w3, x2, x5, w6
+	decrypt_block	v0, w3, x2, x6, w7
 	eor		v0.16b, v0.16b, v7.16b		/* xor with iv => pt */
 	mov		v7.16b, v1.16b			/* ct is next iv */
 	st1		{v0.16b}, [x0], #16
@@ -256,6 +257,7 @@ AES_ENTRY(aes_cbc_decrypt)
 	bne		.Lcbcdecloop
 .Lcbcdecout:
 	FRAME_POP
+	st1		{v7.16b}, [x5]			/* return iv */
 	ret
 AES_ENDPROC(aes_cbc_decrypt)
 
@@ -267,24 +269,15 @@ AES_ENDPROC(aes_cbc_decrypt)
 
 AES_ENTRY(aes_ctr_encrypt)
 	FRAME_PUSH
-	cbnz		w6, .Lctrfirst		/* 1st time around? */
-	umov		x5, v4.d[1]		/* keep swabbed ctr in reg */
-	rev		x5, x5
-#if INTERLEAVE >= 2
-	cmn		w5, w4			/* 32 bit overflow? */
-	bcs		.Lctrinc
-	add		x5, x5, #1		/* increment BE ctr */
-	b		.LctrincNx
-#else
-	b		.Lctrinc
-#endif
-.Lctrfirst:
+	cbz		w6, .Lctrnotfirst	/* 1st time around? */
 	enc_prepare	w3, x2, x6
 	ld1		{v4.16b}, [x5]
-	umov		x5, v4.d[1]		/* keep swabbed ctr in reg */
-	rev		x5, x5
+
+.Lctrnotfirst:
+	umov		x8, v4.d[1]		/* keep swabbed ctr in reg */
+	rev		x8, x8
 #if INTERLEAVE >= 2
-	cmn		w5, w4			/* 32 bit overflow? */
+	cmn		w8, w4			/* 32 bit overflow? */
 	bcs		.Lctrloop
 .LctrloopNx:
 	subs		w4, w4, #INTERLEAVE
@@ -292,11 +285,11 @@ AES_ENTRY(aes_ctr_encrypt)
 #if INTERLEAVE == 2
 	mov		v0.8b, v4.8b
 	mov		v1.8b, v4.8b
-	rev		x7, x5
-	add		x5, x5, #1
+	rev		x7, x8
+	add		x8, x8, #1
 	ins		v0.d[1], x7
-	rev		x7, x5
-	add		x5, x5, #1
+	rev		x7, x8
+	add		x8, x8, #1
 	ins		v1.d[1], x7
 	ld1		{v2.16b-v3.16b}, [x1], #32	/* get 2 input blocks */
 	do_encrypt_block2x
@@ -305,7 +298,7 @@ AES_ENTRY(aes_ctr_encrypt)
 	st1		{v0.16b-v1.16b}, [x0], #32
 #else
 	ldr		q8, =0x30000000200000001	/* addends 1,2,3[,0] */
-	dup		v7.4s, w5
+	dup		v7.4s, w8
 	mov		v0.16b, v4.16b
 	add		v7.4s, v7.4s, v8.4s
 	mov		v1.16b, v4.16b
@@ -323,18 +316,12 @@ AES_ENTRY(aes_ctr_encrypt)
 	eor		v2.16b, v7.16b, v2.16b
 	eor		v3.16b, v5.16b, v3.16b
 	st1		{v0.16b-v3.16b}, [x0], #64
-	add		x5, x5, #INTERLEAVE
+	add		x8, x8, #INTERLEAVE
 #endif
-	cbz		w4, .LctroutNx
-.LctrincNx:
-	rev		x7, x5
+	rev		x7, x8
 	ins		v4.d[1], x7
+	cbz		w4, .Lctrout
 	b		.LctrloopNx
-.LctroutNx:
-	sub		x5, x5, #1
-	rev		x7, x5
-	ins		v4.d[1], x7
-	b		.Lctrout
 .Lctr1x:
 	adds		w4, w4, #INTERLEAVE
 	beq		.Lctrout
@@ -342,30 +329,39 @@ AES_ENTRY(aes_ctr_encrypt)
 .Lctrloop:
 	mov		v0.16b, v4.16b
 	encrypt_block	v0, w3, x2, x6, w7
+
+	adds		x8, x8, #1		/* increment BE ctr */
+	rev		x7, x8
+	ins		v4.d[1], x7
+	bcs		.Lctrcarry		/* overflow? */
+
+.Lctrcarrydone:
 	subs		w4, w4, #1
 	bmi		.Lctrhalfblock		/* blocks < 0 means 1/2 block */
 	ld1		{v3.16b}, [x1], #16
 	eor		v3.16b, v0.16b, v3.16b
 	st1		{v3.16b}, [x0], #16
-	beq		.Lctrout
-.Lctrinc:
-	adds		x5, x5, #1		/* increment BE ctr */
-	rev		x7, x5
-	ins		v4.d[1], x7
-	bcc		.Lctrloop		/* no overflow? */
-	umov		x7, v4.d[0]		/* load upper word of ctr  */
-	rev		x7, x7			/* ... to handle the carry */
-	add		x7, x7, #1
-	rev		x7, x7
-	ins		v4.d[0], x7
-	b		.Lctrloop
+	bne		.Lctrloop
+
+.Lctrout:
+	st1		{v4.16b}, [x5]		/* return next CTR value */
+	FRAME_POP
+	ret
+
 .Lctrhalfblock:
 	ld1		{v3.8b}, [x1]
 	eor		v3.8b, v0.8b, v3.8b
 	st1		{v3.8b}, [x0]
-.Lctrout:
 	FRAME_POP
 	ret
+
+.Lctrcarry:
+	umov		x7, v4.d[0]		/* load upper word of ctr  */
+	rev		x7, x7			/* ... to handle the carry */
+	add		x7, x7, #1
+	rev		x7, x7
+	ins		v4.d[0], x7
+	b		.Lctrcarrydone
 AES_ENDPROC(aes_ctr_encrypt)
 	.ltorg
 
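Review bot: the .Lctrhalfblock exit does FRAME_POP and ret without the `st1 {v4.16b}, [x5]` that .Lctrout now performs, so the caller's counter is written back only when the request ends on a full block. If that is intended because a partial block is always the last one of a request, say so in a comment at .Lctrhalfblock; otherwise store v4 there as well.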
@@ -386,7 +382,8 @@ AES_ENDPROC(aes_ctr_encrypt)
 	.endm
 
 .Lxts_mul_x:
-	.word		1, 0, 0x87, 0
+CPU_LE(	.quad		1, 0x87		)
+CPU_BE(	.quad		0x87, 1		)
 
 AES_ENTRY(aes_xts_encrypt)
 	FRAME_PUSH
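Review bot: the .Lxts_mul_x constant changes from four .word values to CPU_LE/CPU_BE .quad pairs with the two halves swapped for big-endian, but nothing explains the swap. Add a comment saying how the constant is loaded and why the 64-bit lanes are in opposite order on BE, so that a later cleanup does not make the two variants identical.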
diff --git a/arch/arm64/crypto/aes-neon.S b/arch/arm64/crypto/aes-neon.S
index b93170e1cc93..85f07ead7c5c 100644
--- a/arch/arm64/crypto/aes-neon.S
+++ b/arch/arm64/crypto/aes-neon.S
@@ -9,6 +9,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 #define AES_ENTRY(func)		ENTRY(neon_ ## func)
 #define AES_ENDPROC(func)	ENDPROC(neon_ ## func)
@@ -83,13 +84,13 @@
 	.endm
 
 	.macro		do_block, enc, in, rounds, rk, rkp, i
-	ld1		{v15.16b}, [\rk]
+	ld1		{v15.4s}, [\rk]
 	add		\rkp, \rk, #16
 	mov		\i, \rounds
 1111:	eor		\in\().16b, \in\().16b, v15.16b		/* ^round key */
 	tbl		\in\().16b, {\in\().16b}, v13.16b	/* ShiftRows */
 	sub_bytes	\in
-	ld1		{v15.16b}, [\rkp], #16
+	ld1		{v15.4s}, [\rkp], #16
 	subs		\i, \i, #1
 	beq		2222f
 	.if		\enc == 1
@@ -229,7 +230,7 @@
 	.endm
 
 	.macro		do_block_2x, enc, in0, in1 rounds, rk, rkp, i
-	ld1		{v15.16b}, [\rk]
+	ld1		{v15.4s}, [\rk]
 	add		\rkp, \rk, #16
 	mov		\i, \rounds
 1111:	eor		\in0\().16b, \in0\().16b, v15.16b	/* ^round key */
@@ -237,7 +238,7 @@
 	sub_bytes_2x	\in0, \in1
 	tbl		\in0\().16b, {\in0\().16b}, v13.16b	/* ShiftRows */
 	tbl		\in1\().16b, {\in1\().16b}, v13.16b	/* ShiftRows */
-	ld1		{v15.16b}, [\rkp], #16
+	ld1		{v15.4s}, [\rkp], #16
 	subs		\i, \i, #1
 	beq		2222f
 	.if		\enc == 1
@@ -254,7 +255,7 @@
 	.endm
 
 	.macro		do_block_4x, enc, in0, in1, in2, in3, rounds, rk, rkp, i
-	ld1		{v15.16b}, [\rk]
+	ld1		{v15.4s}, [\rk]
 	add		\rkp, \rk, #16
 	mov		\i, \rounds
 1111:	eor		\in0\().16b, \in0\().16b, v15.16b	/* ^round key */
@@ -266,7 +267,7 @@
 	tbl		\in1\().16b, {\in1\().16b}, v13.16b	/* ShiftRows */
 	tbl		\in2\().16b, {\in2\().16b}, v13.16b	/* ShiftRows */
 	tbl		\in3\().16b, {\in3\().16b}, v13.16b	/* ShiftRows */
-	ld1		{v15.16b}, [\rkp], #16
+	ld1		{v15.4s}, [\rkp], #16
 	subs		\i, \i, #1
 	beq		2222f
 	.if		\enc == 1
@@ -306,12 +307,16 @@
 	.text
 	.align		4
 .LForward_ShiftRows:
-	.byte		0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3
-	.byte		0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb
+CPU_LE(	.byte		0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3	)
+CPU_LE(	.byte		0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb	)
+CPU_BE(	.byte		0xb, 0x6, 0x1, 0xc, 0x7, 0x2, 0xd, 0x8	)
+CPU_BE(	.byte		0x3, 0xe, 0x9, 0x4, 0xf, 0xa, 0x5, 0x0	)
 
 .LReverse_ShiftRows:
-	.byte		0x0, 0xd, 0xa, 0x7, 0x4, 0x1, 0xe, 0xb
-	.byte		0x8, 0x5, 0x2, 0xf, 0xc, 0x9, 0x6, 0x3
+CPU_LE(	.byte		0x0, 0xd, 0xa, 0x7, 0x4, 0x1, 0xe, 0xb	)
+CPU_LE(	.byte		0x8, 0x5, 0x2, 0xf, 0xc, 0x9, 0x6, 0x3	)
+CPU_BE(	.byte		0x3, 0x6, 0x9, 0xc, 0xf, 0x2, 0x5, 0x8	)
+CPU_BE(	.byte		0xb, 0xe, 0x1, 0x4, 0x7, 0xa, 0xd, 0x0	)
 
 .LForward_Sbox:
 	.byte		0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5
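Review bot: the CPU_BE variants of .LForward_ShiftRows and .LReverse_ShiftRows are the CPU_LE tables with all 16 bytes in reverse order, which is not stated anywhere and is easy to break when editing by hand. A short comment above each table giving that relation would let a reader check the permutation indices against the LE version.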
diff --git a/arch/arm64/crypto/ghash-ce-core.S b/arch/arm64/crypto/ghash-ce-core.S
index dc457015884e..f0bb9f0b524f 100644
--- a/arch/arm64/crypto/ghash-ce-core.S
+++ b/arch/arm64/crypto/ghash-ce-core.S
@@ -29,8 +29,8 @@
 	 *			   struct ghash_key const *k, const char *head)
 	 */
 ENTRY(pmull_ghash_update)
-	ld1		{SHASH.16b}, [x3]
-	ld1		{XL.16b}, [x1]
+	ld1		{SHASH.2d}, [x3]
+	ld1		{XL.2d}, [x1]
 	movi		MASK.16b, #0xe1
 	ext		SHASH2.16b, SHASH.16b, SHASH.16b, #8
 	shl		MASK.2d, MASK.2d, #57
@@ -74,6 +74,6 @@ CPU_LE(	rev64		T1.16b, T1.16b	)
 
 	cbnz		w0, 0b
 
-	st1		{XL.16b}, [x1]
+	st1		{XL.2d}, [x1]
 	ret
 ENDPROC(pmull_ghash_update)
diff --git a/arch/arm64/crypto/sha1-ce-core.S b/arch/arm64/crypto/sha1-ce-core.S
index 09d57d98609c..1fb70893ce55 100644
--- a/arch/arm64/crypto/sha1-ce-core.S
+++ b/arch/arm64/crypto/sha1-ce-core.S
@@ -78,7 +78,7 @@ ENTRY(sha1_ce_transform)
 	ld1r		{k3.4s}, [x6]
 
 	/* load state */
-	ldr		dga, [x2]
+	ld1		{dgav.4s}, [x2]
 	ldr		dgb, [x2, #16]
 
 	/* load partial state (if supplied) */
@@ -147,7 +147,7 @@ CPU_LE(	rev32		v11.16b, v11.16b	)
 	b		2b
 
 	/* store new state */
-3:	str		dga, [x2]
+3:	st1		{dgav.4s}, [x2]
 	str		dgb, [x2, #16]
 	ret
 ENDPROC(sha1_ce_transform)
diff --git a/arch/arm64/crypto/sha2-ce-core.S b/arch/arm64/crypto/sha2-ce-core.S
index 7f29fc031ea8..0acd61ef8cb2 100644
--- a/arch/arm64/crypto/sha2-ce-core.S
+++ b/arch/arm64/crypto/sha2-ce-core.S
@@ -85,7 +85,7 @@ ENTRY(sha2_ce_transform)
 	ld1		{v12.4s-v15.4s}, [x8]
 
 	/* load state */
-	ldp		dga, dgb, [x2]
+	ld1		{dgav.4s, dgbv.4s}, [x2]
 
 	/* load partial input (if supplied) */
 	cbz		x3, 0f
@@ -151,6 +151,6 @@ CPU_LE(	rev32		v19.16b, v19.16b	)
 	b		2b
 
 	/* store new state */
-3:	stp		dga, dgb, [x2]
+3:	st1		{dgav.4s, dgbv.4s}, [x2]
 	ret
 ENDPROC(sha2_ce_transform)
diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
index 6913643bbe54..c136fd53c847 100644
--- a/arch/arm64/include/uapi/asm/ptrace.h
+++ b/arch/arm64/include/uapi/asm/ptrace.h
@@ -75,6 +75,7 @@ struct user_fpsimd_state {
 	__uint128_t	vregs[32];
 	__u32		fpsr;
 	__u32		fpcr;
+	__u32		__reserved[2];
 };
 
 struct user_hwdebug_state {
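Review bot: the new `__u32 __reserved[2];` member at the end of struct user_fpsimd_state has no comment. Since this is a uapi header, say whether the field is explicit tail padding or reserved for future use, and whether the kernel zeroes it when the structure is copied out, so that userspace does not start depending on its contents.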
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 8993a69099c7..67738737be9d 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -491,7 +491,7 @@ el0_inv:
 	mov	x0, sp
 	mov	x1, #BAD_SYNC
 	mrs	x2, esr_el1
-	b	bad_mode
+	b	bad_el0_sync
 ENDPROC(el0_sync)
 
 	.align	6
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index d2b9a3f7457d..07c5f63a3362 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -446,6 +446,8 @@ static int hw_break_set(struct task_struct *target,
 	/* (address, ctrl) registers */
 	limit = regset->n * regset->size;
 	while (count && offset < limit) {
+		if (count < PTRACE_HBP_ADDR_SZ)
+			return -EINVAL;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
 					 offset, offset + PTRACE_HBP_ADDR_SZ);
 		if (ret)
@@ -455,6 +457,8 @@ static int hw_break_set(struct task_struct *target,
 			return ret;
 		offset += PTRACE_HBP_ADDR_SZ;
 
+		if (!count)
+			break;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
 					 offset, offset + PTRACE_HBP_CTRL_SZ);
 		if (ret)
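Review bot: the `if (!count) break;` added before the ctrl copy only handles a buffer that ends exactly after the address, whereas the address copy in the previous hunk rejects any `count < PTRACE_HBP_ADDR_SZ` with -EINVAL. If count can be non-zero but smaller than PTRACE_HBP_CTRL_SZ at this point, the ctrl copy is partial and is not rejected; either add the matching size check or add a comment stating why the regset layout rules that case out.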
@@ -491,7 +495,7 @@ static int gpr_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_pt_regs newregs;
+	struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
 	if (ret)
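Review bot: the initializer `newregs = task_pt_regs(target)->user_regs` in gpr_set() is what makes a short write safe, because a user_regset_copyin() call with count smaller than the structure leaves the tail of newregs untouched, and with the removed declaration that tail was uninitialized stack. A one-line comment above the declaration would keep a later cleanup from dropping the initializer as redundant; the same applies to the fpr_set and tls_set hunks below.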
@@ -521,7 +525,8 @@ static int fpr_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_fpsimd_state newstate;
+	struct user_fpsimd_state newstate =
+		target->thread.fpsimd_state.user_fpsimd;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
 	if (ret)
@@ -545,7 +550,7 @@ static int tls_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	unsigned long tls;
+	unsigned long tls = target->thread.tp_value;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
 	if (ret)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index c43cfa9b8304..c1c2ad6a1c94 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -309,16 +309,33 @@ asmlinkage long do_ni_syscall(struct pt_regs *regs)
 }
 
 /*
- * bad_mode handles the impossible case in the exception vector.
+ * bad_mode handles the impossible case in the exception vector. This is always
+ * fatal.
  */
 asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
 {
-	siginfo_t info;
-	void __user *pc = (void __user *)instruction_pointer(regs);
 	console_verbose();
 
 	pr_crit("Bad mode in %s handler detected, code 0x%08x\n",
 		handler[reason], esr);
+
+	die("Oops - bad mode", regs, 0);
+	local_irq_disable();
+	panic("bad mode");
+}
+
+/*
+ * bad_el0_sync handles unexpected, but potentially recoverable synchronous
+ * exceptions taken from EL0. Unlike bad_mode, this returns.
+ */
+asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
+{
+	siginfo_t info;
+	void __user *pc = (void __user *)instruction_pointer(regs);
+	console_verbose();
+
+	pr_crit("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x\n",
+		smp_processor_id(), esr);
 	__show_regs(regs);
 
 	info.si_signo = SIGILL;
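Review bot: bad_el0_sync() is described in its own comment as handling exceptions taken from EL0, yet it calls console_verbose() and prints with pr_crit() followed by __show_regs() on every occurrence, with no rate limit. Since this path ends in a signal to the task rather than a panic, consider a rate-limited print and dropping console_verbose() here, so that an unprivileged process cannot raise the console log level or fill the log.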
@@ -326,7 +343,10 @@ asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
 	info.si_code  = ILL_ILLOPC;
 	info.si_addr  = pc;
 
-	arm64_notify_die("Oops - bad mode", regs, &info, 0);
+	current->thread.fault_address = 0;
+	current->thread.fault_code = 0;
+
+	force_sig_info(info.si_signo, &info, current);
 }
 
 void __pte_error(const char *file, int line, unsigned long val)
diff --git a/arch/cris/boot/rescue/Makefile b/arch/cris/boot/rescue/Makefile
index 52bd0bd1dd22..d98edbb30a18 100644
--- a/arch/cris/boot/rescue/Makefile
+++ b/arch/cris/boot/rescue/Makefile
@@ -10,6 +10,9 @@
 
 asflags-y += $(LINUXINCLUDE)
 ccflags-y += -O2 $(LINUXINCLUDE)
+
+ifdef CONFIG_ETRAX_AXISFLASHMAP
+
 arch-$(CONFIG_ETRAX_ARCH_V10) = v10
 arch-$(CONFIG_ETRAX_ARCH_V32) = v32
 
@@ -28,6 +31,11 @@ $(obj)/rescue.bin: $(obj)/rescue.o FORCE
 	$(call if_changed,objcopy)
 	cp -p $(obj)/rescue.bin $(objtree)
 
+else
+$(obj)/rescue.bin:
+
+endif
+
 $(obj)/testrescue.bin: $(obj)/testrescue.o
 	$(OBJCOPY) $(OBJCOPYFLAGS) $(obj)/testrescue.o tr.bin
 # Pad it to 784 bytes
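Review bot: in the `else` branch, `$(obj)/rescue.bin:` is a target with no prerequisites and no recipe, which reads like a truncated rule. Add a comment that it is a deliberate no-op for builds without CONFIG_ETRAX_AXISFLASHMAP, and consider marking the `else` and `endif` lines with the config symbol they belong to.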
diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c
index 72aad2a9a6b4..263c6c1c9bbb 100644
--- a/arch/mips/kvm/kvm_mips.c
+++ b/arch/mips/kvm/kvm_mips.c
@@ -343,8 +343,8 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
 	       mips32_GuestExceptionEnd - mips32_GuestException);
 
 	/* Invalidate the icache for these ranges */
-	local_flush_icache_range((unsigned long)gebase,
-				(unsigned long)gebase + ALIGN(size, PAGE_SIZE));
+	flush_icache_range((unsigned long)gebase,
+			   (unsigned long)gebase + ALIGN(size, PAGE_SIZE));
 
 	/* Allocate comm page for guest kernel, a TLB will be reserved for mapping GVA @ 0xFFFF8000 to this page */
 	vcpu->arch.kseg0_commpage = kzalloc(PAGE_SIZE << 1, GFP_KERNEL);
diff --git a/arch/parisc/include/asm/bitops.h b/arch/parisc/include/asm/bitops.h
index 3f9406d9b9d6..da87943328a5 100644
--- a/arch/parisc/include/asm/bitops.h
+++ b/arch/parisc/include/asm/bitops.h
@@ -6,7 +6,7 @@
 #endif
 
 #include <linux/compiler.h>
-#include <asm/types.h>		/* for BITS_PER_LONG/SHIFT_PER_LONG */
+#include <asm/types.h>
 #include <asm/byteorder.h>
 #include <asm/barrier.h>
 #include <linux/atomic.h>
@@ -17,6 +17,12 @@
  * to include/asm-i386/bitops.h or kerneldoc
  */
 
+#if __BITS_PER_LONG == 64
+#define SHIFT_PER_LONG 6
+#else
+#define SHIFT_PER_LONG 5
+#endif
+
 #define CHOP_SHIFTCOUNT(x) (((unsigned long) (x)) & (BITS_PER_LONG - 1))
 
 
diff --git a/arch/parisc/include/uapi/asm/bitsperlong.h b/arch/parisc/include/uapi/asm/bitsperlong.h
index 75196b415d3f..540c94de4427 100644
--- a/arch/parisc/include/uapi/asm/bitsperlong.h
+++ b/arch/parisc/include/uapi/asm/bitsperlong.h
@@ -9,10 +9,8 @@
  */
 #if (defined(__KERNEL__) && defined(CONFIG_64BIT)) || defined (__LP64__)
 #define __BITS_PER_LONG 64
-#define SHIFT_PER_LONG 6
 #else
 #define __BITS_PER_LONG 32
-#define SHIFT_PER_LONG 5
 #endif
 
 #include <asm-generic/bitsperlong.h>
diff --git a/arch/parisc/include/uapi/asm/swab.h b/arch/parisc/include/uapi/asm/swab.h
index e78403b129ef..928e1bbac98f 100644
--- a/arch/parisc/include/uapi/asm/swab.h
+++ b/arch/parisc/include/uapi/asm/swab.h
@@ -1,6 +1,7 @@
 #ifndef _PARISC_SWAB_H
 #define _PARISC_SWAB_H
 
+#include <asm/bitsperlong.h>
 #include <linux/types.h>
 #include <linux/compiler.h>
 
@@ -38,7 +39,7 @@ static inline __attribute_const__ __u32 __arch_swab32(__u32 x)
 }
 #define __arch_swab32 __arch_swab32
 
-#if BITS_PER_LONG > 32
+#if __BITS_PER_LONG > 32
 /*
 ** From "PA-RISC 2.0 Architecture", HP Professional Books.
 ** See Appendix I page 8 , "Endian Byte Swapping".
@@ -61,6 +62,6 @@ static inline __attribute_const__ __u64 __arch_swab64(__u64 x)
 	return x;
 }
 #define __arch_swab64 __arch_swab64
-#endif /* BITS_PER_LONG > 32 */
+#endif /* __BITS_PER_LONG > 32 */
 
 #endif /* _PARISC_SWAB_H */
diff --git a/arch/powerpc/boot/ps3-head.S b/arch/powerpc/boot/ps3-head.S
index b6fcbaf5027b..3dc44b05fb97 100644
--- a/arch/powerpc/boot/ps3-head.S
+++ b/arch/powerpc/boot/ps3-head.S
@@ -57,11 +57,6 @@ __system_reset_overlay:
 	bctr
 
 1:
-	/* Save the value at addr zero for a null pointer write check later. */
-
-	li	r4, 0
-	lwz	r3, 0(r4)
-
 	/* Primary delays then goes to _zimage_start in wrapper. */
 
 	or	31, 31, 31 /* db16cyc */
diff --git a/arch/powerpc/boot/ps3.c b/arch/powerpc/boot/ps3.c
index 4ec2d86d3c50..a05558a7e51a 100644
--- a/arch/powerpc/boot/ps3.c
+++ b/arch/powerpc/boot/ps3.c
@@ -119,13 +119,12 @@ void ps3_copy_vectors(void)
 	flush_cache((void *)0x100, 512);
 }
 
-void platform_init(unsigned long null_check)
+void platform_init(void)
 {
 	const u32 heapsize = 0x1000000 - (u32)_end; /* 16MiB */
 	void *chosen;
 	unsigned long ft_addr;
 	u64 rm_size;
-	unsigned long val;
 
 	console_ops.write = ps3_console_write;
 	platform_ops.exit = ps3_exit;
@@ -153,11 +152,6 @@ void platform_init(unsigned long null_check)
 
 	printf(" flat tree at 0x%lx\n\r", ft_addr);
 
-	val = *(unsigned long *)0;
-
-	if (val != null_check)
-		printf("null check failed: %lx != %lx\n\r", val, null_check);
-
 	((kernel_entry_t)0)(ft_addr, 0, NULL);
 
 	ps3_exit();
diff --git a/arch/powerpc/boot/wrapper b/arch/powerpc/boot/wrapper
index ae0f88ec4a32..c70210d9fb89 100755
--- a/arch/powerpc/boot/wrapper
+++ b/arch/powerpc/boot/wrapper
@@ -144,6 +144,28 @@ case "$elfformat" in
     elf32-powerpc)	format=elf32ppc	;;
 esac
 
+ld_version()
+{
+    # Poached from scripts/ld-version.sh, but we don't want to call that because
+    # this script (wrapper) is distributed separately from the kernel source.
+    # Extract linker version number from stdin and turn into single number.
+    awk '{
+	gsub(".*\\)", "");
+	gsub(".*version ", "");
+	gsub("-.*", "");
+	split($1,a, ".");
+	print a[1]*100000000 + a[2]*1000000 + a[3]*10000;
+	exit
+    }'
+}
+
+# Do not include PT_INTERP segment when linking pie. Non-pie linking
+# just ignores this option.
+LD_VERSION=$(${CROSS}ld --version | ld_version)
+LD_NO_DL_MIN_VERSION=$(echo 2.26 | ld_version)
+if [ "$LD_VERSION" -ge "$LD_NO_DL_MIN_VERSION" ] ; then
+	nodl="--no-dynamic-linker"
+fi
 
 platformo=$object/"$platform".o
 lds=$object/zImage.lds
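Review bot: `nodl` is assigned only inside the `if`, so when the linker is older than 2.26 the `$nodl` expansion on the ld command line in the next hunk picks up whatever value the variable has in the caller's environment; set `nodl=` before the version test. Also, if `${CROSS}ld --version` prints nothing, LD_VERSION is empty and the `-ge` test gets a non-numeric operand, so default it to 0 or guard the comparison.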
@@ -395,7 +417,7 @@ if [ "$platform" != "miboot" ]; then
     if [ -n "$link_address" ] ; then
         text_start="-Ttext $link_address"
     fi
-    ${CROSS}ld -m $format -T $lds $text_start $pie -o "$ofile" \
+    ${CROSS}ld -m $format -T $lds $text_start $pie $nodl -o "$ofile" \
 	$platformo $tmp $object/wrapper.a
     rm $tmp
 fi
diff --git a/arch/powerpc/include/asm/kvm_host.h b/arch/powerpc/include/asm/kvm_host.h
index 2149dbcf8931..c2a82045d64e 100644
--- a/arch/powerpc/include/asm/kvm_host.h
+++ b/arch/powerpc/include/asm/kvm_host.h
@@ -532,6 +532,7 @@ struct kvm_vcpu_arch {
 	u64 tfiar;
 
 	u32 cr_tm;
+	u64 xer_tm;
 	u64 lr_tm;
 	u64 ctr_tm;
 	u64 amr_tm;
diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h
index 3132bb9365f3..f47c3d9cb997 100644
--- a/arch/powerpc/include/asm/ppc-opcode.h
+++ b/arch/powerpc/include/asm/ppc-opcode.h
@@ -149,7 +149,7 @@
 #define PPC_INST_MCRXR			0x7c000400
 #define PPC_INST_MCRXR_MASK		0xfc0007fe
 #define PPC_INST_MFSPR_PVR		0x7c1f42a6
-#define PPC_INST_MFSPR_PVR_MASK		0xfc1fffff
+#define PPC_INST_MFSPR_PVR_MASK		0xfc1ffffe
 #define PPC_INST_MSGSND			0x7c00019c
 #define PPC_INST_MSGSNDP		0x7c00011c
 #define PPC_INST_NOP			0x60000000
@@ -161,13 +161,13 @@
 #define PPC_INST_RFDI			0x4c00004e
 #define PPC_INST_RFMCI			0x4c00004c
 #define PPC_INST_MFSPR_DSCR		0x7c1102a6
-#define PPC_INST_MFSPR_DSCR_MASK	0xfc1fffff
+#define PPC_INST_MFSPR_DSCR_MASK	0xfc1ffffe
 #define PPC_INST_MTSPR_DSCR		0x7c1103a6
-#define PPC_INST_MTSPR_DSCR_MASK	0xfc1fffff
+#define PPC_INST_MTSPR_DSCR_MASK	0xfc1ffffe
 #define PPC_INST_MFSPR_DSCR_USER	0x7c0302a6
-#define PPC_INST_MFSPR_DSCR_USER_MASK	0xfc1fffff
+#define PPC_INST_MFSPR_DSCR_USER_MASK	0xfc1ffffe
 #define PPC_INST_MTSPR_DSCR_USER	0x7c0303a6
-#define PPC_INST_MTSPR_DSCR_USER_MASK	0xfc1fffff
+#define PPC_INST_MTSPR_DSCR_USER_MASK	0xfc1ffffe
 #define PPC_INST_SLBFEE			0x7c0007a7
 
 #define PPC_INST_STRING			0x7c00042a
diff --git a/arch/powerpc/include/uapi/asm/kvm.h b/arch/powerpc/include/uapi/asm/kvm.h
index de7d426a9b0c..93783f7cf729 100644
--- a/arch/powerpc/include/uapi/asm/kvm.h
+++ b/arch/powerpc/include/uapi/asm/kvm.h
@@ -580,6 +580,7 @@ struct kvm_get_htab_header {
 #define KVM_REG_PPC_TM_VSCR	(KVM_REG_PPC_TM | KVM_REG_SIZE_U32 | 0x67)
 #define KVM_REG_PPC_TM_DSCR	(KVM_REG_PPC_TM | KVM_REG_SIZE_U64 | 0x68)
 #define KVM_REG_PPC_TM_TAR	(KVM_REG_PPC_TM | KVM_REG_SIZE_U64 | 0x69)
+#define KVM_REG_PPC_TM_XER	(KVM_REG_PPC_TM | KVM_REG_SIZE_U64 | 0x6a)
 
 /* PPC64 eXternal Interrupt Controller Specification */
 #define KVM_DEV_XICS_GRP_SOURCES	1	/* 64-bit source attributes */
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index 88abea889876..213fcaf4168d 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -572,6 +572,7 @@ int main(void)
 	DEFINE(VCPU_VRS_TM, offsetof(struct kvm_vcpu, arch.vr_tm.vr));
 	DEFINE(VCPU_VRSAVE_TM, offsetof(struct kvm_vcpu, arch.vrsave_tm));
 	DEFINE(VCPU_CR_TM, offsetof(struct kvm_vcpu, arch.cr_tm));
+	DEFINE(VCPU_XER_TM, offsetof(struct kvm_vcpu, arch.xer_tm));
 	DEFINE(VCPU_LR_TM, offsetof(struct kvm_vcpu, arch.lr_tm));
 	DEFINE(VCPU_CTR_TM, offsetof(struct kvm_vcpu, arch.ctr_tm));
 	DEFINE(VCPU_AMR_TM, offsetof(struct kvm_vcpu, arch.amr_tm));
diff --git a/arch/powerpc/kernel/ibmebus.c b/arch/powerpc/kernel/ibmebus.c
index 1114d13ac19f..99ed2cc4c92f 100644
--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -180,6 +180,7 @@ static int ibmebus_create_device(struct device_node *dn)
 static int ibmebus_create_devices(const struct of_device_id *matches)
 {
 	struct device_node *root, *child;
+	struct device *dev;
 	int ret = 0;
 
 	root = of_find_node_by_path("/");
@@ -188,9 +189,12 @@ static int ibmebus_create_devices(const struct of_device_id *matches)
 		if (!of_match_node(matches, child))
 			continue;
 
-		if (bus_find_device(&ibmebus_bus_type, NULL, child,
-				    ibmebus_match_node))
+		dev = bus_find_device(&ibmebus_bus_type, NULL, child,
+				      ibmebus_match_node);
+		if (dev) {
+			put_device(dev);
 			continue;
+		}
 
 		ret = ibmebus_create_device(child);
 		if (ret) {
@@ -262,6 +266,7 @@ static ssize_t ibmebus_store_probe(struct bus_type *bus,
 				   const char *buf, size_t count)
 {
 	struct device_node *dn = NULL;
+	struct device *dev;
 	char *path;
 	ssize_t rc = 0;
 
@@ -269,8 +274,10 @@ static ssize_t ibmebus_store_probe(struct bus_type *bus,
 	if (!path)
 		return -ENOMEM;
 
-	if (bus_find_device(&ibmebus_bus_type, NULL, path,
-			    ibmebus_match_path)) {
+	dev = bus_find_device(&ibmebus_bus_type, NULL, path,
+			      ibmebus_match_path);
+	if (dev) {
+		put_device(dev);
 		printk(KERN_WARNING "%s: %s has already been probed\n",
 		       __func__, path);
 		rc = -EEXIST;
@@ -307,6 +314,7 @@ static ssize_t ibmebus_store_remove(struct bus_type *bus,
 	if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path,
 				   ibmebus_match_path))) {
 		of_device_unregister(to_platform_device(dev));
+		put_device(dev);
 
 		kfree(path);
 		return count;
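Review bot: the `put_device(dev)` added after of_device_unregister() in ibmebus_store_remove() has no comment saying which reference it drops. State that it balances the reference returned by bus_find_device(), and keep it after the unregister call so that dev is still held while it is used; the two lookups in the earlier hunks of this file would benefit from the same comment.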
diff --git a/arch/powerpc/kernel/misc_32.S b/arch/powerpc/kernel/misc_32.S
index 7c6bb4b17b49..2c70bbcb006f 100644
--- a/arch/powerpc/kernel/misc_32.S
+++ b/arch/powerpc/kernel/misc_32.S
@@ -313,7 +313,7 @@ _GLOBAL(flush_instruction_cache)
 	lis	r3, KERNELBASE@h
 	iccci	0,r3
 #endif
-#elif CONFIG_FSL_BOOKE
+#elif defined(CONFIG_FSL_BOOKE)
 BEGIN_FTR_SECTION
 	mfspr   r3,SPRN_L1CSR0
 	ori     r3,r3,L1CSR0_CFI|L1CSR0_CLFC
diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
index 69be680f7184..c49a85c5fc6b 100644
--- a/arch/powerpc/kernel/prom_init.c
+++ b/arch/powerpc/kernel/prom_init.c
@@ -2635,6 +2635,9 @@ static void __init prom_find_boot_cpu(void)
 
 	cpu_pkg = call_prom("instance-to-package", 1, 1, prom_cpu);
 
+	if (!PHANDLE_VALID(cpu_pkg))
+		return;
+
 	prom_getprop(cpu_pkg, "reg", &rval, sizeof(rval));
 	prom.cpu = be32_to_cpu(rval);
 
diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index 665ff668d8ae..1b3f715db647 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -394,6 +394,10 @@ static int fpr_set(struct task_struct *target, const struct user_regset *regset,
 	flush_fp_to_thread(target);
 
 #ifdef CONFIG_VSX
+	for (i = 0; i < 32 ; i++)
+		buf[i] = target->thread.TS_FPR(i);
+	buf[32] = target->thread.fp_state.fpscr;
+
 	/* copy to local buffer then write that out */
 	i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
 	if (i)
@@ -537,6 +541,9 @@ static int vsr_set(struct task_struct *target, const struct user_regset *regset,
 
 	flush_vsx_to_thread(target);
 
+	for (i = 0; i < 32 ; i++)
+		buf[i] = target->thread.fp_state.fpr[i][TS_VSRLOWOFFSET];
+
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				 buf, 0, 32 * sizeof(double));
 	for (i = 0; i < 32 ; i++)
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index a416b6bb0d6a..d39faa230eb1 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -988,6 +988,9 @@ static int kvmppc_get_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
 	case KVM_REG_PPC_TM_CR:
 		*val = get_reg_val(id, vcpu->arch.cr_tm);
 		break;
+	case KVM_REG_PPC_TM_XER:
+		*val = get_reg_val(id, vcpu->arch.xer_tm);
+		break;
 	case KVM_REG_PPC_TM_LR:
 		*val = get_reg_val(id, vcpu->arch.lr_tm);
 		break;
@@ -1201,6 +1204,9 @@ static int kvmppc_set_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
 	case KVM_REG_PPC_TM_CR:
 		vcpu->arch.cr_tm = set_reg_val(id, *val);
 		break;
+	case KVM_REG_PPC_TM_XER:
+		vcpu->arch.xer_tm = set_reg_val(id, *val);
+		break;
 	case KVM_REG_PPC_TM_LR:
 		vcpu->arch.lr_tm = set_reg_val(id, *val);
 		break;
diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
index ab69a5f242d1..da1aa24d586f 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -2356,11 +2356,13 @@ kvmppc_save_tm:
 	mfctr	r7
 	mfspr	r8, SPRN_AMR
 	mfspr	r10, SPRN_TAR
+	mfxer	r11
 	std	r5, VCPU_LR_TM(r9)
 	stw	r6, VCPU_CR_TM(r9)
 	std	r7, VCPU_CTR_TM(r9)
 	std	r8, VCPU_AMR_TM(r9)
 	std	r10, VCPU_TAR_TM(r9)
+	std	r11, VCPU_XER_TM(r9)
 
 	/* Restore r12 as trap number. */
 	lwz	r12, VCPU_TRAP(r9)
@@ -2453,11 +2455,13 @@ kvmppc_restore_tm:
 	ld	r7, VCPU_CTR_TM(r4)
 	ld	r8, VCPU_AMR_TM(r4)
 	ld	r9, VCPU_TAR_TM(r4)
+	ld	r10, VCPU_XER_TM(r4)
 	mtlr	r5
 	mtcr	r6
 	mtctr	r7
 	mtspr	SPRN_AMR, r8
 	mtspr	SPRN_TAR, r9
+	mtxer	r10
 
 	/*
 	 * Load up PPR and DSCR values but don't put them in the actual SPRs
diff --git a/arch/sparc/kernel/leon_kernel.c b/arch/sparc/kernel/leon_kernel.c
index 683c4af999de..6b46d2f1c741 100644
--- a/arch/sparc/kernel/leon_kernel.c
+++ b/arch/sparc/kernel/leon_kernel.c
@@ -339,37 +339,37 @@ void __init leon_init_timers(void)
 
 	/* Find GPTIMER Timer Registers base address otherwise bail out. */
 	nnp = rootnp;
-	do {
-		np = of_find_node_by_name(nnp, "GAISLER_GPTIMER");
-		if (!np) {
-			np = of_find_node_by_name(nnp, "01_011");
-			if (!np)
-				goto bad;
-		}
 
-		ampopts = 0;
-		pp = of_find_property(np, "ampopts", &len);
-		if (pp) {
-			ampopts = *(int *)pp->value;
-			if (ampopts == 0) {
-				/* Skip this instance, resource already
-				 * allocated by other OS */
-				nnp = np;
-				continue;
-			}
+retry:
+	np = of_find_node_by_name(nnp, "GAISLER_GPTIMER");
+	if (!np) {
+		np = of_find_node_by_name(nnp, "01_011");
+		if (!np)
+			goto bad;
+	}
+
+	ampopts = 0;
+	pp = of_find_property(np, "ampopts", &len);
+	if (pp) {
+		ampopts = *(int *)pp->value;
+		if (ampopts == 0) {
+			/* Skip this instance, resource already
+			 * allocated by other OS */
+			nnp = np;
+			goto retry;
 		}
+	}
+
+	/* Select Timer-Instance on Timer Core. Default is zero */
+	leon3_gptimer_idx = ampopts & 0x7;
 
-		/* Select Timer-Instance on Timer Core. Default is zero */
-		leon3_gptimer_idx = ampopts & 0x7;
-
-		pp = of_find_property(np, "reg", &len);
-		if (pp)
-			leon3_gptimer_regs = *(struct leon3_gptimer_regs_map **)
-						pp->value;
-		pp = of_find_property(np, "interrupts", &len);
-		if (pp)
-			leon3_gptimer_irq = *(unsigned int *)pp->value;
-	} while (0);
+	pp = of_find_property(np, "reg", &len);
+	if (pp)
+		leon3_gptimer_regs = *(struct leon3_gptimer_regs_map **)
+					pp->value;
+	pp = of_find_property(np, "interrupts", &len);
+	if (pp)
+		leon3_gptimer_irq = *(unsigned int *)pp->value;
 
 	if (!(leon3_gptimer_regs && leon3_irqctrl_regs && leon3_gptimer_irq))
 		goto bad;
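Review bot: the backward `goto retry` in leon_init_timers() replaces a `continue` inside `do { ... } while (0)`, which left the loop instead of searching again, but the new code carries no hint of that and the label sits in the middle of straight-line code. Consider a `for (;;)` loop with an explicit `break`, or at least a comment at `retry:` that the search resumes from `nnp` when an instance has `ampopts == 0`.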
diff --git a/arch/tile/kernel/ptrace.c b/arch/tile/kernel/ptrace.c
index de98c6ddf136..2343126c4ad2 100644
--- a/arch/tile/kernel/ptrace.c
+++ b/arch/tile/kernel/ptrace.c
@@ -110,7 +110,7 @@ static int tile_gpr_set(struct task_struct *target,
 			  const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct pt_regs regs;
+	struct pt_regs regs = *task_pt_regs(target);
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &regs, 0,
 				 sizeof(regs));
diff --git a/arch/x86/boot/string.c b/arch/x86/boot/string.c
index 493f3fd9f139..847f56c734b4 100644
--- a/arch/x86/boot/string.c
+++ b/arch/x86/boot/string.c
@@ -14,6 +14,7 @@
 
 #include <linux/types.h>
 #include "ctype.h"
+#include "string.h"
 
 int memcmp(const void *s1, const void *s2, size_t len)
 {
diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h
index 725e820602b1..113588ddb43f 100644
--- a/arch/x86/boot/string.h
+++ b/arch/x86/boot/string.h
@@ -18,4 +18,13 @@ int memcmp(const void *s1, const void *s2, size_t len);
 #define memset(d,c,l) __builtin_memset(d,c,l)
 #define memcmp	__builtin_memcmp
 
+extern int strcmp(const char *str1, const char *str2);
+extern int strncmp(const char *cs, const char *ct, size_t count);
+extern size_t strlen(const char *s);
+extern char *strstr(const char *s1, const char *s2);
+extern size_t strnlen(const char *s, size_t maxlen);
+extern unsigned int atou(const char *s);
+extern unsigned long long simple_strtoull(const char *cp, char **endp,
+					  unsigned int base);
+
 #endif /* BOOT_STRING_H */
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 3b12b4d1a560..b0f4cfef81c4 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1105,7 +1105,7 @@ static __init int setup_disablecpuid(char *arg)
 {
 	int bit;
 
-	if (get_option(&arg, &bit) && bit < NCAPINTS*32)
+	if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
 		setup_clear_cpu_cap(bit);
 	else
 		return 0;
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 0d0c9d4ab6d5..2c123171944a 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1086,8 +1086,8 @@ ftrace_graph_call:
 	jmp ftrace_stub
 #endif
 
-.globl ftrace_stub
-ftrace_stub:
+/* This is weak to keep gas from relaxing the jumps */
+WEAK(ftrace_stub)
 	ret
 END(ftrace_caller)
 
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 1f4e8e4ea865..d03a88cb3129 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1941,3 +1941,9 @@ void kvm_lapic_init(void)
 	jump_label_rate_limit(&apic_hw_disabled, HZ);
 	jump_label_rate_limit(&apic_sw_disabled, HZ);
 }
+
+void kvm_lapic_exit(void)
+{
+	static_key_deferred_flush(&apic_hw_disabled);
+	static_key_deferred_flush(&apic_sw_disabled);
+}
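Review bot: kvm_lapic_exit() is added without a comment. The visible tail of kvm_lapic_init() rate-limits apic_hw_disabled and apic_sw_disabled, and the new function flushes the same two keys; a short comment stating that it undoes the deferred work set up by kvm_lapic_init() would make the pairing clear to anyone adding a third key later.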
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index 72051730caf1..776e9919e910 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -93,6 +93,7 @@ static inline bool kvm_hv_vapic_assist_page_enabled(struct kvm_vcpu *vcpu)
 
 int kvm_lapic_enable_pv_eoi(struct kvm_vcpu *vcpu, u64 data);
 void kvm_lapic_init(void);
+void kvm_lapic_exit(void);
 
 static inline u32 kvm_apic_get_reg(struct kvm_lapic *apic, int reg_off)
 {
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 7b16666d6ed4..dad945386800 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5954,14 +5954,20 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
 		}
 
 		page = nested_get_page(vcpu, vmptr);
-		if (page == NULL ||
-		    *(u32 *)kmap(page) != VMCS12_REVISION) {
+		if (page == NULL) {
 			nested_vmx_failInvalid(vcpu);
+			skip_emulated_instruction(vcpu);
+			return 1;
+		}
+		if (*(u32 *)kmap(page) != VMCS12_REVISION) {
 			kunmap(page);
+			nested_release_page_clean(page);
+			nested_vmx_failInvalid(vcpu);
 			skip_emulated_instruction(vcpu);
 			return 1;
 		}
 		kunmap(page);
+		nested_release_page_clean(page);
 		vmx->nested.vmxon_ptr = vmptr;
 		break;
 	case EXIT_REASON_VMCLEAR:
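Review bot: the two failure branches in the VMXON case now repeat "nested_vmx_failInvalid(vcpu); skip_emulated_instruction(vcpu); return 1;", and every path that obtained a page has to remember both kunmap(page) and nested_release_page_clean(page). A single exit label that unmaps, releases and fails would make it harder to miss one of them. The cases from EXIT_REASON_VMCLEAR on are outside this hunk; if they also call nested_get_page(), please confirm they release the page the same way.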
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index e0a27d684d29..7dcb958a8054 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -892,7 +892,7 @@ static u32 msrs_to_save[] = {
 	MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
 #endif
 	MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
-	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
+	MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS
 };
 
 static unsigned num_msrs_to_save;
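Review bot: the last initialiser in msrs_to_save[], MSR_IA32_BNDCFGS, lost its trailing comma when MSR_TSC_AUX was removed. Keeping the comma means the next MSR added to the list is a one-line diff.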
@@ -3994,17 +3994,16 @@ static void kvm_init_msr_list(void)
 
 		/*
 		 * Even MSRs that are valid in the host may not be exposed
-		 * to the guests in some cases.
+		 * to the guests in some cases.  We could work around this
+		 * in VMX with the generic MSR save/load machinery, but it
+		 * is not really worthwhile since it will really only
+		 * happen with nested virtualization.
 		 */
 		switch (msrs_to_save[i]) {
 		case MSR_IA32_BNDCFGS:
 			if (!kvm_x86_ops->mpx_supported())
 				continue;
 			break;
-		case MSR_TSC_AUX:
-			if (!kvm_x86_ops->rdtscp_supported())
-				continue;
-			break;
 		default:
 			break;
 		}
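Review bot: the extended comment in kvm_init_msr_list() no longer says which MSR it is about, because the MSR_TSC_AUX case it refers to is removed a few lines below it. Please name MSR_TSC_AUX in the comment, and reword the sentence so "really" does not appear twice.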
@@ -5677,6 +5676,7 @@ out:
 
 void kvm_arch_exit(void)
 {
+	kvm_lapic_exit();
 	perf_unregister_guest_info_callbacks(&kvm_guest_cbs);
 
 	if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC))
diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
index 0f8002ca2a5c..45bf431a06af 100644
--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -118,6 +118,16 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = {
 			DMI_MATCH(DMI_BIOS_VERSION, "6JET85WW (1.43 )"),
 		},
 	},
+	/* https://bugzilla.kernel.org/show_bug.cgi?id=42606 */
+	{
+		.callback = set_nouse_crs,
+		.ident = "Supermicro X8DTH",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Supermicro"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "X8DTH-i/6/iF/6F"),
+			DMI_MATCH(DMI_BIOS_VERSION, "2.0a"),
+		},
+	},
 
 	/* https://bugzilla.kernel.org/show_bug.cgi?id=15362 */
 	{
diff --git a/crypto/algapi.c b/crypto/algapi.c
index daf2f653b131..8ea7a5dc3839 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -337,6 +337,7 @@ int crypto_register_alg(struct crypto_alg *alg)
 	struct crypto_larval *larval;
 	int err;
 
+	alg->cra_flags &= ~CRYPTO_ALG_DEAD;
 	err = crypto_check_alg(alg);
 	if (err)
 		return err;
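Review bot: "alg->cra_flags &= ~CRYPTO_ALG_DEAD;" at the top of crypto_register_alg() has no comment, and it modifies the caller's flags before crypto_check_alg() has validated alg. Please add a comment saying how the flag can already be set on entry and that clearing it ahead of validation is intended.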
diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
index 391cfda1e83f..8c3c4ea760fb 100644
--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -4109,6 +4109,9 @@ static int mv_platform_probe(struct platform_device *pdev)
 	host->iomap = NULL;
 	hpriv->base = devm_ioremap(&pdev->dev, res->start,
 				   resource_size(res));
+	if (!hpriv->base)
+		return -ENOMEM;
+
 	hpriv->base -= SATAHC0_REG_BASE;
 
 	hpriv->clk = clk_get(&pdev->dev, NULL);
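Review bot: the placement of the new NULL check in mv_platform_probe() matters and is not commented. It has to stay ahead of "hpriv->base -= SATAHC0_REG_BASE;", because after that subtraction a failed devm_ioremap() no longer compares equal to NULL. A brief comment would stop the check from being moved below the adjustment.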
diff --git a/drivers/base/dma-mapping.c b/drivers/base/dma-mapping.c
index 6cd08e145bfa..036a05b28eb5 100644
--- a/drivers/base/dma-mapping.c
+++ b/drivers/base/dma-mapping.c
@@ -107,13 +107,13 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr,
 EXPORT_SYMBOL(dmam_free_coherent);
 
 /**
- * dmam_alloc_non_coherent - Managed dma_alloc_non_coherent()
+ * dmam_alloc_non_coherent - Managed dma_alloc_noncoherent()
  * @dev: Device to allocate non_coherent memory for
  * @size: Size of allocation
  * @dma_handle: Out argument for allocated DMA handle
  * @gfp: Allocation flags
  *
- * Managed dma_alloc_non_coherent().  Memory allocated using this
+ * Managed dma_alloc_noncoherent().  Memory allocated using this
  * function will be automatically released on driver detach.
  *
  * RETURNS:
diff --git a/drivers/base/regmap/regcache-lzo.c b/drivers/base/regmap/regcache-lzo.c
index e210a6d1406a..6ac6b7c02ecf 100644
--- a/drivers/base/regmap/regcache-lzo.c
+++ b/drivers/base/regmap/regcache-lzo.c
@@ -236,15 +236,13 @@ static int regcache_lzo_read(struct regmap *map,
 {
 	struct regcache_lzo_ctx *lzo_block, **lzo_blocks;
 	int ret, blkindex, blkpos;
-	size_t blksize, tmp_dst_len;
+	size_t tmp_dst_len;
 	void *tmp_dst;
 
 	/* index of the compressed lzo block */
 	blkindex = regcache_lzo_get_blkindex(map, reg);
 	/* register index within the decompressed block */
 	blkpos = regcache_lzo_get_blkpos(map, reg);
-	/* size of the compressed block */
-	blksize = regcache_lzo_get_blksize(map);
 	lzo_blocks = map->cache;
 	lzo_block = lzo_blocks[blkindex];
 
@@ -275,15 +273,13 @@ static int regcache_lzo_write(struct regmap *map,
 {
 	struct regcache_lzo_ctx *lzo_block, **lzo_blocks;
 	int ret, blkindex, blkpos;
-	size_t blksize, tmp_dst_len;
+	size_t tmp_dst_len;
 	void *tmp_dst;
 
 	/* index of the compressed lzo block */
 	blkindex = regcache_lzo_get_blkindex(map, reg);
 	/* register index within the decompressed block */
 	blkpos = regcache_lzo_get_blkpos(map, reg);
-	/* size of the compressed block */
-	blksize = regcache_lzo_get_blksize(map);
 	lzo_blocks = map->cache;
 	lzo_block = lzo_blocks[blkindex];
 
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 7be44e464462..a1ecedfc9d39 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -239,9 +239,10 @@ static inline int sock_send_bvec(struct nbd_device *nbd, struct bio_vec *bvec,
 /* always call with the tx_lock held */
 static int nbd_send_req(struct nbd_device *nbd, struct request *req)
 {
-	int result, flags;
+	int result;
 	struct nbd_request request;
 	unsigned long size = blk_rq_bytes(req);
+	struct bio *bio;
 
 	memset(&request, 0, sizeof(request));
 	request.magic = htonl(NBD_REQUEST_MAGIC);
@@ -266,17 +267,19 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req)
 		goto error_out;
 	}
 
-	if (nbd_cmd(req) == NBD_CMD_WRITE) {
-		struct req_iterator iter;
+	if (nbd_cmd(req) != NBD_CMD_WRITE)
+		return 0;
+
+	bio = req->bio;
+	while (bio) {
+		struct bio *next = bio->bi_next;
+		struct bvec_iter iter;
 		struct bio_vec bvec;
-		/*
-		 * we are really probing at internals to determine
-		 * whether to set MSG_MORE or not...
-		 */
-		rq_for_each_segment(bvec, req, iter) {
-			flags = 0;
-			if (!rq_iter_last(bvec, iter))
-				flags = MSG_MORE;
+
+		bio_for_each_segment(bvec, bio, iter) {
+			bool is_last = !next && bio_iter_last(bvec, iter);
+			int flags = is_last ? 0 : MSG_MORE;
+
 			dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n",
 					nbd->disk->disk_name, req, bvec.bv_len);
 			result = sock_send_bvec(nbd, &bvec, flags);
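Review bot: the load "struct bio *next = bio->bi_next;" at the top of the while loop in nbd_send_req() is as important to the fix as the break added in the following hunk, but only the break carries a comment. is_last is computed from next, and the outer loop ends only because next was read before the last sock_send_bvec() call; please note at the declaration that bio must not be dereferenced after the final segment is sent.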
@@ -286,7 +289,16 @@ static int nbd_send_req(struct nbd_device *nbd, struct request *req)
 					result);
 				goto error_out;
 			}
+			/*
+			 * The completion might already have come in,
+			 * so break for the last one instead of letting
+			 * the iterator do it. This prevents use-after-free
+			 * of the bio.
+			 */
+			if (is_last)
+				break;
 		}
+		bio = next;
 	}
 	return 0;
 
diff --git a/drivers/bus/vexpress-config.c b/drivers/bus/vexpress-config.c
index a64763b6b5fd..a803e5d84baf 100644
--- a/drivers/bus/vexpress-config.c
+++ b/drivers/bus/vexpress-config.c
@@ -171,6 +171,7 @@ static int vexpress_config_populate(struct device_node *node)
 {
 	struct device_node *bridge;
 	struct device *parent;
+	int ret;
 
 	bridge = of_parse_phandle(node, "arm,vexpress,config-bridge", 0);
 	if (!bridge)
@@ -181,7 +182,11 @@ static int vexpress_config_populate(struct device_node *node)
 	if (WARN_ON(!parent))
 		return -ENODEV;
 
-	return of_platform_populate(node, NULL, NULL, parent);
+	ret = of_platform_populate(node, NULL, NULL, parent);
+
+	put_device(parent);
+
+	return ret;
 }
 
 static int __init vexpress_config_init(void)
diff --git a/drivers/clk/clk-wm831x.c b/drivers/clk/clk-wm831x.c
index b131041c8f48..093dfe159dfb 100644
--- a/drivers/clk/clk-wm831x.c
+++ b/drivers/clk/clk-wm831x.c
@@ -248,7 +248,7 @@ static int wm831x_clkout_is_prepared(struct clk_hw *hw)
 	if (ret < 0) {
 		dev_err(wm831x->dev, "Unable to read CLOCK_CONTROL_1: %d\n",
 			ret);
-		return true;
+		return false;
 	}
 
 	return (ret & WM831X_CLKOUT_ENA) != 0;
diff --git a/drivers/clk/shmobile/clk-mstp.c b/drivers/clk/shmobile/clk-mstp.c
index 2d2fe773ac81..a9e02a38093e 100644
--- a/drivers/clk/shmobile/clk-mstp.c
+++ b/drivers/clk/shmobile/clk-mstp.c
@@ -31,12 +31,14 @@
  * @smstpcr: module stop control register
  * @mstpsr: module stop status register (optional)
  * @lock: protects writes to SMSTPCR
+ * @width_8bit: registers are 8-bit, not 32-bit
  */
 struct mstp_clock_group {
 	struct clk_onecell_data data;
 	void __iomem *smstpcr;
 	void __iomem *mstpsr;
 	spinlock_t lock;
+	bool width_8bit;
 };
 
 /**
@@ -53,6 +55,18 @@ struct mstp_clock {
 
 #define to_mstp_clock(_hw) container_of(_hw, struct mstp_clock, hw)
 
+static inline u32 cpg_mstp_read(struct mstp_clock_group *group,
+				u32 __iomem *reg)
+{
+	return group->width_8bit ? readb(reg) : clk_readl(reg);
+}
+
+static inline void cpg_mstp_write(struct mstp_clock_group *group, u32 val,
+				  u32 __iomem *reg)
+{
+	group->width_8bit ? writeb(val, reg) : clk_writel(val, reg);
+}
+
 static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable)
 {
 	struct mstp_clock *clock = to_mstp_clock(hw);
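Review bot: cpg_mstp_write() uses a conditional expression as a statement, "group->width_8bit ? writeb(val, reg) : clk_writel(val, reg);", which reads better as a plain if/else. Both helpers also take "u32 __iomem *reg" although the 8-bit path accesses the register with readb()/writeb(); "void __iomem *" would match the smstpcr and mstpsr fields shown in struct mstp_clock_group and not suggest a fixed access width.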
@@ -64,12 +78,12 @@ static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable)
 
 	spin_lock_irqsave(&group->lock, flags);
 
-	value = clk_readl(group->smstpcr);
+	value = cpg_mstp_read(group, group->smstpcr);
 	if (enable)
 		value &= ~bitmask;
 	else
 		value |= bitmask;
-	clk_writel(value, group->smstpcr);
+	cpg_mstp_write(group, value, group->smstpcr);
 
 	spin_unlock_irqrestore(&group->lock, flags);
 
@@ -77,7 +91,7 @@ static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable)
 		return 0;
 
 	for (i = 1000; i > 0; --i) {
-		if (!(clk_readl(group->mstpsr) & bitmask))
+		if (!(cpg_mstp_read(group, group->mstpsr) & bitmask))
 			break;
 		cpu_relax();
 	}
@@ -108,9 +122,9 @@ static int cpg_mstp_clock_is_enabled(struct clk_hw *hw)
 	u32 value;
 
 	if (group->mstpsr)
-		value = clk_readl(group->mstpsr);
+		value = cpg_mstp_read(group, group->mstpsr);
 	else
-		value = clk_readl(group->smstpcr);
+		value = cpg_mstp_read(group, group->smstpcr);
 
 	return !(value & BIT(clock->bit_index));
 }
@@ -182,6 +196,9 @@ static void __init cpg_mstp_clocks_init(struct device_node *np)
 		return;
 	}
 
+	if (of_device_is_compatible(np, "renesas,r7s72100-mstp-clocks"))
+		group->width_8bit = true;
+
 	for (i = 0; i < MSTP_MAX_CLOCKS; ++i)
 		clks[i] = ERR_PTR(-ENOENT);
 
diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index 5d1b7f64947c..2163a5145518 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -458,10 +458,15 @@ static int exynos4_local_timer_setup(struct clock_event_device *evt)
 
 static void exynos4_local_timer_stop(struct clock_event_device *evt)
 {
+	struct mct_clock_event_device *mevt;
+
+	mevt = container_of(evt, struct mct_clock_event_device, evt);
+
 	evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
 			disable_irq_nosync(evt->irq);
+		exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
 	} else {
 		disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
 	}
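Review bot: the write of 0x1 to MCT_L_INT_CSTAT_OFFSET in exynos4_local_timer_stop() is a bare magic value with no comment on what it does or why it is needed only in the MCT_INT_SPI branch. Note that it is outside the "evt->irq != -1" test, so it also runs when no interrupt was disabled; if that is intended, say so in a comment.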
diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
index c09ce1f040d3..1690cc09f905 100644
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -590,7 +590,9 @@ static int aead_set_sh_desc(struct crypto_aead *aead)
 
 	/* Will read cryptlen */
 	append_math_add(desc, VARSEQINLEN, SEQINLEN, REG0, CAAM_CMD_SZ);
-	aead_append_src_dst(desc, FIFOLD_TYPE_MSG1OUT2);
+	append_seq_fifo_load(desc, 0, FIFOLD_CLASS_BOTH | KEY_VLF |
+			     FIFOLD_TYPE_MSG1OUT2 | FIFOLD_TYPE_LASTBOTH);
+	append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | KEY_VLF);
 
 	/* Write ICV */
 	append_seq_store(desc, ctx->authsize, LDST_CLASS_2_CCB |
diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index ba850eb2d275..3ec5509b1433 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -502,22 +502,29 @@ struct devfreq *devfreq_add_device(struct device *dev,
 	list_add(&devfreq->node, &devfreq_list);
 
 	governor = find_devfreq_governor(devfreq->governor_name);
-	if (!IS_ERR(governor))
-		devfreq->governor = governor;
-	if (devfreq->governor)
-		err = devfreq->governor->event_handler(devfreq,
-					DEVFREQ_GOV_START, NULL);
-	mutex_unlock(&devfreq_list_lock);
+	if (IS_ERR(governor)) {
+		dev_err(dev, "%s: Unable to find governor for the device\n",
+			__func__);
+		err = PTR_ERR(governor);
+		goto err_init;
+	}
+
+	devfreq->governor = governor;
+	err = devfreq->governor->event_handler(devfreq, DEVFREQ_GOV_START,
+						NULL);
 	if (err) {
 		dev_err(dev, "%s: Unable to start governor for the device\n",
 			__func__);
 		goto err_init;
 	}
+	mutex_unlock(&devfreq_list_lock);
 
 	return devfreq;
 
 err_init:
 	list_del(&devfreq->node);
+	mutex_unlock(&devfreq_list_lock);
+
 	device_unregister(&devfreq->dev);
 err_dev:
 	kfree(devfreq);
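Review bot: err_init in devfreq_add_device() now calls mutex_unlock(&devfreq_list_lock), so every "goto err_init" must be reached with the lock held. The two jumps in this hunk are, since the unlock on the success path moved below them. Any earlier "goto err_init" outside the visible lines would now unlock a mutex it does not hold, so please confirm there is none or route it to a different label.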
diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c
index cb6d626dad02..18152350b32f 100644
--- a/drivers/gpu/drm/ast/ast_main.c
+++ b/drivers/gpu/drm/ast/ast_main.c
@@ -178,7 +178,8 @@ static int ast_get_dram_info(struct drm_device *dev)
 	ast_write32(ast, 0x10000, 0xfc600309);
 
 	do {
-		;
+		if (pci_channel_offline(dev->pdev))
+			return -EIO;
 	} while (ast_read32(ast, 0x10000) != 0x01);
 	data = ast_read32(ast, 0x10004);
 
@@ -369,7 +370,9 @@ int ast_driver_load(struct drm_device *dev, unsigned long flags)
 	ast_detect_chip(dev);
 
 	if (ast->chip != AST1180) {
-		ast_get_dram_info(dev);
+		ret = ast_get_dram_info(dev);
+		if (ret)
+			goto out_free;
 		ast->vram_size = ast_get_vram_info(dev);
 		DRM_INFO("dram %d %d %d %08x\n", ast->mclk, ast->dram_type, ast->dram_bus_width, ast->vram_size);
 	}
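Review bot: ast_driver_load() now bails out to out_free when ast_get_dram_info() fails, but the only failure that function gained is the pci_channel_offline() test inside its polling loop. A device that stays online and never reads back 0x01 at 0x10000 still spins forever in the do/while. A bounded retry count that also returns an error would cover that case with the same error path.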
diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
index 6e8fe9ec02b5..efe5c3c7e8e2 100644
--- a/drivers/gpu/drm/gma500/psb_drv.c
+++ b/drivers/gpu/drm/gma500/psb_drv.c
@@ -464,6 +464,9 @@ static const struct file_operations psb_gem_fops = {
 	.open = drm_open,
 	.release = drm_release,
 	.unlocked_ioctl = psb_unlocked_ioctl,
+#ifdef CONFIG_COMPAT
+	.compat_ioctl = drm_compat_ioctl,
+#endif
 	.mmap = drm_gem_mmap,
 	.poll = drm_poll,
 	.read = drm_read,
diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c
index bb3a6209b245..a0e7a2e20111 100644
--- a/drivers/gpu/drm/i915/intel_crt.c
+++ b/drivers/gpu/drm/i915/intel_crt.c
@@ -477,6 +477,7 @@ static bool intel_crt_detect_ddc(struct drm_connector *connector)
 	struct drm_i915_private *dev_priv = crt->base.base.dev->dev_private;
 	struct edid *edid;
 	struct i2c_adapter *i2c;
+	bool ret = false;
 
 	BUG_ON(crt->base.type != INTEL_OUTPUT_ANALOG);
 
@@ -493,17 +494,17 @@ static bool intel_crt_detect_ddc(struct drm_connector *connector)
 		 */
 		if (!is_digital) {
 			DRM_DEBUG_KMS("CRT detected via DDC:0x50 [EDID]\n");
-			return true;
+			ret = true;
+		} else {
+			DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n");
 		}
-
-		DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [EDID reports a digital panel]\n");
 	} else {
 		DRM_DEBUG_KMS("CRT not detected via DDC:0x50 [no valid EDID found]\n");
 	}
 
 	kfree(edid);
 
-	return false;
+	return ret;
 }
 
 static enum drm_connector_status
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 2041c5bbb929..03c76d17f0de 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8913,9 +8913,9 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
 
 	wake_up_all(&dev_priv->pending_flip_queue);
 
-	queue_work(dev_priv->wq, &work->work);
-
 	trace_i915_flip_complete(intel_crtc->plane, work->pending_flip_obj);
+
+	queue_work(dev_priv->wq, &work->work);
 }
 
 void intel_finish_page_flip(struct drm_device *dev, int pipe)
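Review bot: the reordering in do_intel_finish_page_flip() has no comment, so nothing stops a later cleanup from moving queue_work() back above the tracepoint. trace_i915_flip_complete() reads work->pending_flip_obj, and once work is queued it may already have run; a one-line comment that queue_work() must be the last use of work would record the constraint.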
diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
index 5010e2c32c23..aa83a835965c 100644
--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -5346,7 +5346,16 @@ static void valleyview_init_clock_gating(struct drm_device *dev)
 	DRM_DEBUG_DRIVER("Current CD clock rate: %d MHz",
 			 dev_priv->vlv_cdclk_freq);
 
-	I915_WRITE(DSPCLK_GATE_D, VRHUNIT_CLOCK_GATE_DISABLE);
+	/*
+	 * On driver load, a pipe may be active and driving a DSI display.
+	 * Preserve DPOUNIT_CLOCK_GATE_DISABLE to avoid the pipe getting stuck
+	 * (and never recovering) in this case. intel_dsi_post_disable() will
+	 * clear it when we turn off the display.
+	 */
+	val = I915_READ(DSPCLK_GATE_D);
+	val &= DPOUNIT_CLOCK_GATE_DISABLE;
+	val |= VRHUNIT_CLOCK_GATE_DISABLE;
+	I915_WRITE(DSPCLK_GATE_D, val);
 
 	/* WaDisableEarlyCull:vlv */
 	I915_WRITE(_3D_CHICKEN3,
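Review bot: val is read and written in the new block in valleyview_init_clock_gating(), but its declaration is not in the visible lines of this hunk. Please confirm the function already declares a suitably sized val in this tree, since this is a backport. The masking itself matches the comment: "val &= DPOUNIT_CLOCK_GATE_DISABLE" keeps only that bit before VRHUNIT_CLOCK_GATE_DISABLE is set.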
diff --git a/drivers/gpu/drm/nouveau/dispnv04/hw.c b/drivers/gpu/drm/nouveau/dispnv04/hw.c
index aca76af115b3..1ddb10b32bbe 100644
--- a/drivers/gpu/drm/nouveau/dispnv04/hw.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/hw.c
@@ -225,6 +225,7 @@ nouveau_hw_get_clock(struct drm_device *dev, enum nvbios_pll_type plltype)
 		uint32_t mpllP;
 
 		pci_read_config_dword(pci_get_bus_and_slot(0, 3), 0x6c, &mpllP);
+		mpllP = (mpllP >> 8) & 0xf;
 		if (!mpllP)
 			mpllP = 4;
 
@@ -235,7 +236,7 @@ nouveau_hw_get_clock(struct drm_device *dev, enum nvbios_pll_type plltype)
 		uint32_t clock;
 
 		pci_read_config_dword(pci_get_bus_and_slot(0, 5), 0x4c, &clock);
-		return clock;
+		return clock / 1000;
 	}
 
 	ret = nouveau_hw_get_pllvals(dev, plltype, &pllvals);
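Review bot: "return clock / 1000;" in nouveau_hw_get_clock() and the "(mpllP >> 8) & 0xf" added in the previous hunk are unexplained magic values. Please add a comment giving the unit the config-space register reports, the unit the caller expects, and which field of the 0x6c register the shift and mask select.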
diff --git a/drivers/gpu/drm/radeon/radeon_cursor.c b/drivers/gpu/drm/radeon/radeon_cursor.c
index 9630e8d95fb4..faacc400d6fa 100644
--- a/drivers/gpu/drm/radeon/radeon_cursor.c
+++ b/drivers/gpu/drm/radeon/radeon_cursor.c
@@ -90,6 +90,9 @@ static void radeon_show_cursor(struct drm_crtc *crtc)
 	struct radeon_crtc *radeon_crtc = to_radeon_crtc(crtc);
 	struct radeon_device *rdev = crtc->dev->dev_private;
 
+	if (radeon_crtc->cursor_out_of_bounds)
+		return;
+
 	if (ASIC_IS_DCE4(rdev)) {
 		WREG32(RADEON_MM_INDEX, EVERGREEN_CUR_CONTROL + radeon_crtc->crtc_offset);
 		WREG32(RADEON_MM_DATA, EVERGREEN_CURSOR_EN |
@@ -228,16 +231,17 @@ int radeon_crtc_cursor_move(struct drm_crtc *crtc,
 		x += crtc->x;
 		y += crtc->y;
 	}
-	DRM_DEBUG("x %d y %d c->x %d c->y %d\n", x, y, crtc->x, crtc->y);
 
-	if (x < 0) {
+	if (x < 0)
 		xorigin = min(-x, radeon_crtc->max_cursor_width - 1);
-		x = 0;
-	}
-	if (y < 0) {
+	if (y < 0)
 		yorigin = min(-y, radeon_crtc->max_cursor_height - 1);
-		y = 0;
+
+	if (!ASIC_IS_AVIVO(rdev)) {
+		x += crtc->x;
+		y += crtc->y;
 	}
+	DRM_DEBUG("x %d y %d c->x %d c->y %d\n", x, y, crtc->x, crtc->y);
 
 	/* fixed on DCE6 and newer */
 	if (ASIC_IS_AVIVO(rdev) && !ASIC_IS_DCE6(rdev)) {
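Review bot: the new "if (!ASIC_IS_AVIVO(rdev)) { x += crtc->x; y += crtc->y; }" in radeon_crtc_cursor_move() sits directly below a context block that already adds crtc->x and crtc->y under a condition that is outside the visible lines. Please confirm the two conditions are mutually exclusive so the offset is never applied twice, and add a comment that the non-AVIVO offset is temporary and is removed again in the else branch before the registers are written.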
@@ -260,27 +264,31 @@ int radeon_crtc_cursor_move(struct drm_crtc *crtc,
 		if (i > 1) {
 			int cursor_end, frame_end;
 
-			cursor_end = x - xorigin + w;
+			cursor_end = x + w;
 			frame_end = crtc->x + crtc->mode.crtc_hdisplay;
 			if (cursor_end >= frame_end) {
 				w = w - (cursor_end - frame_end);
 				if (!(frame_end & 0x7f))
 					w--;
-			} else {
-				if (!(cursor_end & 0x7f))
-					w--;
+			} else if (cursor_end <= 0) {
+				goto out_of_bounds;
+			} else if (!(cursor_end & 0x7f)) {
+				w--;
 			}
 			if (w <= 0) {
-				w = 1;
-				cursor_end = x - xorigin + w;
-				if (!(cursor_end & 0x7f)) {
-					x--;
-					WARN_ON_ONCE(x < 0);
-				}
+				goto out_of_bounds;
 			}
 		}
 	}
 
+	if (x <= (crtc->x - w) || y <= (crtc->y - radeon_crtc->cursor_height) ||
+	    x >= (crtc->x + crtc->mode.hdisplay) ||
+	    y >= (crtc->y + crtc->mode.vdisplay))
+		goto out_of_bounds;
+
+	x += xorigin;
+	y += yorigin;
+
 	radeon_lock_cursor(crtc, true);
 	if (ASIC_IS_DCE4(rdev)) {
 		WREG32(EVERGREEN_CUR_POSITION + radeon_crtc->crtc_offset, (x << 16) | y);
@@ -293,6 +301,9 @@ int radeon_crtc_cursor_move(struct drm_crtc *crtc,
 		WREG32(AVIVO_D1CUR_SIZE + radeon_crtc->crtc_offset,
 		       ((w - 1) << 16) | (radeon_crtc->cursor_height - 1));
 	} else {
+		x -= crtc->x;
+		y -= crtc->y;
+
 		if (crtc->mode.flags & DRM_MODE_FLAG_DBLSCAN)
 			y *= 2;
 
@@ -310,5 +321,18 @@ int radeon_crtc_cursor_move(struct drm_crtc *crtc,
 	}
 	radeon_lock_cursor(crtc, false);
 
+	if (radeon_crtc->cursor_out_of_bounds) {
+		radeon_crtc->cursor_out_of_bounds = false;
+		if (radeon_crtc->cursor_bo)
+			radeon_show_cursor(crtc);
+	}
+
+	return 0;
+
+ out_of_bounds:
+	if (!radeon_crtc->cursor_out_of_bounds) {
+		radeon_hide_cursor(crtc);
+		radeon_crtc->cursor_out_of_bounds = true;
+	}
 	return 0;
 }
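Review bot: the order of the two statements inside "if (radeon_crtc->cursor_out_of_bounds)" at the end of radeon_crtc_cursor_move() is load-bearing and undocumented. radeon_show_cursor() now returns early while cursor_out_of_bounds is set, so the flag has to be cleared before the call; a comment would keep the lines from being swapped. The out_of_bounds label is also indented with a single space, which differs from the err_* style labels elsewhere in this patch.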
diff --git a/drivers/gpu/drm/radeon/radeon_mode.h b/drivers/gpu/drm/radeon/radeon_mode.h
index 0592ddb0904b..43c4fd754cbd 100644
--- a/drivers/gpu/drm/radeon/radeon_mode.h
+++ b/drivers/gpu/drm/radeon/radeon_mode.h
@@ -318,6 +318,7 @@ struct radeon_crtc {
 	u16 lut_r[256], lut_g[256], lut_b[256];
 	bool enabled;
 	bool can_tile;
+	bool cursor_out_of_bounds;
 	uint32_t crtc_offset;
 	struct drm_gem_object *cursor_bo;
 	uint64_t cursor_addr;
diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
index c9b290b5b52b..2b04749ad314 100644
--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2953,24 +2953,12 @@ static void si_apply_state_adjust_rules(struct radeon_device *rdev,
 		    (rdev->pdev->device == 0x6817) ||
 		    (rdev->pdev->device == 0x6806))
 			max_mclk = 120000;
-	} else if (rdev->family == CHIP_VERDE) {
-		if ((rdev->pdev->revision == 0x81) ||
-		    (rdev->pdev->revision == 0x83) ||
-		    (rdev->pdev->revision == 0x87) ||
-		    (rdev->pdev->device == 0x6820) ||
-		    (rdev->pdev->device == 0x6821) ||
-		    (rdev->pdev->device == 0x6822) ||
-		    (rdev->pdev->device == 0x6823) ||
-		    (rdev->pdev->device == 0x682A) ||
-		    (rdev->pdev->device == 0x682B)) {
-			max_sclk = 75000;
-			max_mclk = 80000;
-		}
 	} else if (rdev->family == CHIP_OLAND) {
 		if ((rdev->pdev->revision == 0xC7) ||
 		    (rdev->pdev->revision == 0x80) ||
 		    (rdev->pdev->revision == 0x81) ||
 		    (rdev->pdev->revision == 0x83) ||
+		    (rdev->pdev->revision == 0x87) ||
 		    (rdev->pdev->device == 0x6604) ||
 		    (rdev->pdev->device == 0x6605)) {
 			max_sclk = 75000;
diff --git a/drivers/hid/hid-cypress.c b/drivers/hid/hid-cypress.c
index c4ef3bc726e3..e299576004ce 100644
--- a/drivers/hid/hid-cypress.c
+++ b/drivers/hid/hid-cypress.c
@@ -39,6 +39,9 @@ static __u8 *cp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 	if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
 		return rdesc;
 
+	if (*rsize < 4)
+		return rdesc;
+
 	for (i = 0; i < *rsize - 4; i++)
 		if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
 			__u8 tmp;
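Review bot: the "*rsize < 4" guard in cp_report_fixup() is separated from the loop bound it protects and has no comment. The loop condition is "i < *rsize - 4", so if *rsize is unsigned (its declaration is outside this hunk) a short descriptor makes the subtraction wrap and the loop walk past the buffer. Writing the bound as "i + 4 < *rsize" would remove the subtraction and make the separate guard unnecessary.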
diff --git a/drivers/hwmon/ds620.c b/drivers/hwmon/ds620.c
index 0918b9136588..2a50ab613238 100644
--- a/drivers/hwmon/ds620.c
+++ b/drivers/hwmon/ds620.c
@@ -166,7 +166,7 @@ static ssize_t set_temp(struct device *dev, struct device_attribute *da,
 	if (res)
 		return res;
 
-	val = (val * 10 / 625) * 8;
+	val = (clamp_val(val, -128000, 128000) * 10 / 625) * 8;
 
 	mutex_lock(&data->update_lock);
 	data->temp[attr->index] = val;
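Review bot: the limits in "clamp_val(val, -128000, 128000)" in set_temp() are bare numbers. Please use named constants or add a comment stating the range the register can represent, so it is clear the clamp is applied before the "* 10" multiplication on purpose.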
diff --git a/drivers/hwmon/g762.c b/drivers/hwmon/g762.c
index 98a8618d8fbf..2811db085366 100644
--- a/drivers/hwmon/g762.c
+++ b/drivers/hwmon/g762.c
@@ -193,14 +193,17 @@ static inline unsigned int rpm_from_cnt(u8 cnt, u32 clk_freq, u16 p,
  * Convert fan RPM value from sysfs into count value for fan controller
  * register (FAN_SET_CNT).
  */
-static inline unsigned char cnt_from_rpm(u32 rpm, u32 clk_freq, u16 p,
+static inline unsigned char cnt_from_rpm(unsigned long rpm, u32 clk_freq, u16 p,
 					 u8 clk_div, u8 gear_mult)
 {
-	if (!rpm)         /* to stop the fan, set cnt to 255 */
+	unsigned long f1 = clk_freq * 30 * gear_mult;
+	unsigned long f2 = p * clk_div;
+
+	if (!rpm)	/* to stop the fan, set cnt to 255 */
 		return 0xff;
 
-	return clamp_val(((clk_freq * 30 * gear_mult) / (rpm * p * clk_div)),
-			 0, 255);
+	rpm = clamp_val(rpm, f1 / (255 * f2), ULONG_MAX / f2);
+	return DIV_ROUND_CLOSEST(f1, rpm * f2);
 }
 
 /* helper to grab and cache data, at most one time per second */
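Review bot: in cnt_from_rpm(), "unsigned long f1 = clk_freq * 30 * gear_mult;" is still evaluated in 32-bit arithmetic, because clk_freq is u32 and gear_mult is u8; the product is widened to unsigned long only after it may have wrapped. Cast the first operand, for example "(unsigned long)clk_freq * 30 * gear_mult". The new clamp also divides by f2 twice ("255 * f2" and "ULONG_MAX / f2"), so p and clk_div must both be non-zero here; please state or check that.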
diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 80b47e8ce030..3baf4af1413a 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -334,7 +334,7 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
 		unsigned long arg)
 {
 	struct i2c_smbus_ioctl_data data_arg;
-	union i2c_smbus_data temp;
+	union i2c_smbus_data temp = {};
 	int datasize, res;
 
 	if (copy_from_user(&data_arg,
diff --git a/drivers/i2c/muxes/i2c-mux-pca954x.c b/drivers/i2c/muxes/i2c-mux-pca954x.c
index f1b945509477..5419a356bfdd 100644
--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
+++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
@@ -133,6 +133,9 @@ static int pca954x_reg_write(struct i2c_adapter *adap,
 		buf[0] = val;
 		msg.buf = buf;
 		ret = adap->algo->master_xfer(adap, &msg, 1);
+
+		if (ret >= 0 && ret != 1)
+			ret = -EREMOTEIO;
 	} else {
 		union i2c_smbus_data data;
 		ret = adap->algo->smbus_xfer(adap, client->addr,
@@ -161,7 +164,7 @@ static int pca954x_select_chan(struct i2c_adapter *adap,
 	/* Only select the channel if its different from the last channel */
 	if (data->last_chan != regval) {
 		ret = pca954x_reg_write(adap, client, regval);
-		data->last_chan = ret ? 0 : regval;
+		data->last_chan = ret < 0 ? 0 : regval;
 	}
 
 	return ret;
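Review bot: pca954x_select_chan() still ends with "return ret;", and on the master_xfer path pca954x_reg_write() now returns 1 on success (anything else non-negative is mapped to -EREMOTEIO). The "ret < 0" test fixes last_chan, but the positive 1 is propagated to the caller. Normalising the success value to 0 inside pca954x_reg_write() would give both transfer paths the same return convention.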
diff --git a/drivers/iio/humidity/dht11.c b/drivers/iio/humidity/dht11.c
index d8771f546bf2..bd7c386d5878 100644
--- a/drivers/iio/humidity/dht11.c
+++ b/drivers/iio/humidity/dht11.c
@@ -44,7 +44,8 @@
 #define DHT11_EDGES_PER_READ (2*DHT11_BITS_PER_READ + DHT11_EDGES_PREAMBLE + 1)
 
 /* Data transmission timing (nano seconds) */
-#define DHT11_START_TRANSMISSION	18  /* ms */
+#define DHT11_START_TRANSMISSION_MIN	18000  /* us */
+#define DHT11_START_TRANSMISSION_MAX	20000  /* us */
 #define DHT11_SENSOR_RESPONSE	80000
 #define DHT11_START_BIT		50000
 #define DHT11_DATA_BIT_LOW	27000
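Review bot: the new DHT11_START_TRANSMISSION_MIN and DHT11_START_TRANSMISSION_MAX defines are in microseconds but sit under the existing header comment "Data transmission timing (nano seconds)", next to values such as DHT11_SENSOR_RESPONSE that follow that header. The trailing "/* us */" helps, but moving the two defines above the header or updating the header would avoid mixing units in one block.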
@@ -152,7 +153,8 @@ static int dht11_read_raw(struct iio_dev *iio_dev,
 		ret = gpio_direction_output(dht11->gpio, 0);
 		if (ret)
 			goto err;
-		msleep(DHT11_START_TRANSMISSION);
+		usleep_range(DHT11_START_TRANSMISSION_MIN,
+			     DHT11_START_TRANSMISSION_MAX);
 		ret = gpio_direction_input(dht11->gpio);
 		if (ret)
 			goto err;
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index ab31f136d04b..5b66fedaacc3 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1607,7 +1607,7 @@ find_mad_agent(struct ib_mad_port_private *port_priv,
 			if (!class)
 				goto out;
 			if (convert_mgmt_class(mad->mad_hdr.mgmt_class) >=
-			    IB_MGMT_MAX_METHODS)
+			    ARRAY_SIZE(class->method_table))
 				goto out;
 			method = class->method_table[convert_mgmt_class(
 							mad->mad_hdr.mgmt_class)];
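Review bot: in find_mad_agent() the index is computed twice, once for the "ARRAY_SIZE(class->method_table)" check and again for the array access, by two separate calls to convert_mgmt_class(mad->mad_hdr.mgmt_class). Store the result in a local and use it for both, so the value that is bounds-checked is provably the value that indexes method_table.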
diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
index 180d7f436ed5..2f861b59cbc1 100644
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -516,8 +516,11 @@ static void join_handler(int status, struct ib_sa_mcmember_rec *rec,
 	if (status)
 		process_join_error(group, status);
 	else {
-		ib_find_pkey(group->port->dev->device, group->port->port_num,
-			     be16_to_cpu(rec->pkey), &pkey_index);
+
+		if (ib_find_pkey(group->port->dev->device,
+				 group->port->port_num, be16_to_cpu(rec->pkey),
+				 &pkey_index))
+			pkey_index = MCAST_INVALID_PKEY_INDEX;
 
 		spin_lock_irq(&group->port->lock);
 		group->rec = *rec;
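Review bot: join_handler() now stores MCAST_INVALID_PKEY_INDEX when ib_find_pkey() fails, but nothing in the visible lines shows that value being defined or being checked by whoever reads pkey_index afterwards. Please confirm both exist in this tree. The empty line added directly after "else {" should also be dropped.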
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 5e66eab292d8..ce649a7ffa56 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2764,7 +2764,6 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file,
 		err = PTR_ERR(flow_id);
 		goto err_free;
 	}
-	flow_id->qp = qp;
 	flow_id->uobject = uobj;
 	uobj->object = flow_id;
 
diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index c2b89cc5dbca..0c859f7fb7a4 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1420,8 +1420,10 @@ struct ib_flow *ib_create_flow(struct ib_qp *qp,
 		return ERR_PTR(-ENOSYS);
 
 	flow_id = qp->device->create_flow(qp, flow_attr, domain);
-	if (!IS_ERR(flow_id))
+	if (!IS_ERR(flow_id)) {
 		atomic_inc(&qp->usecnt);
+		flow_id->qp = qp;
+	}
 	return flow_id;
 }
 EXPORT_SYMBOL(ib_create_flow);
diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c
index 7db82b24302b..ea8ce383e57d 100644
--- a/drivers/infiniband/hw/cxgb4/device.c
+++ b/drivers/infiniband/hw/cxgb4/device.c
@@ -694,6 +694,7 @@ static int c4iw_rdev_open(struct c4iw_rdev *rdev)
 			    __get_free_page(GFP_KERNEL);
 	if (!rdev->status_page) {
 		pr_err(MOD "error allocating status page\n");
+		err = -ENOMEM;
 		goto err4;
 	}
 	rdev->status_page->db_off = 0;
diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
index 4c2686514ced..62aa7d9422a4 100644
--- a/drivers/infiniband/hw/mlx4/ah.c
+++ b/drivers/infiniband/hw/mlx4/ah.c
@@ -97,7 +97,9 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr
 		       !(1 << ah->av.eth.stat_rate & dev->caps.stat_rate_support))
 			--ah->av.eth.stat_rate;
 	}
-
+	ah->av.eth.sl_tclass_flowlabel |=
+			cpu_to_be32((ah_attr->grh.traffic_class << 20) |
+				    ah_attr->grh.flow_label);
 	/*
 	 * HW requires multicast LID so we just choose one.
 	 */
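Review bot: in create_iboe_ah() the new expression "(ah_attr->grh.traffic_class << 20) | ah_attr->grh.flow_label" ORs flow_label in without masking it to the 20 bits below the traffic class, so any higher bits set by the caller would bleed into the traffic class and SL fields. Both assignments to sl_tclass_flowlabel are now "|=", which is only correct if the field is zero on entry; that initialisation is outside the visible lines and should be confirmed.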
@@ -105,7 +107,7 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr
 		ah->av.ib.dlid = cpu_to_be16(0xc000);
 
 	memcpy(ah->av.eth.dgid, ah_attr->grh.dgid.raw, 16);
-	ah->av.eth.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 29);
+	ah->av.eth.sl_tclass_flowlabel |= cpu_to_be32(ah_attr->sl << 29);
 
 	return &ah->ibah;
 }
diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
index 85c47a0e524c..1397da73f636 100644
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -212,6 +212,7 @@ static int mlx4_ib_query_device(struct ib_device *ibdev,
 	props->max_total_mcast_qp_attach = props->max_mcast_qp_attach *
 					   props->max_mcast_grp;
 	props->max_map_per_fmr = dev->dev->caps.max_fmr_maps;
+	props->max_ah = INT_MAX;
 
 out:
 	kfree(in_mad);
@@ -345,9 +346,11 @@ static int eth_link_query_port(struct ib_device *ibdev, u8 port,
 	if (err)
 		goto out;
 
-	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ?
-						IB_WIDTH_4X : IB_WIDTH_1X;
-	props->active_speed	= IB_SPEED_QDR;
+	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ||
+				   (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_WIDTH_4X : IB_WIDTH_1X;
+	props->active_speed	=  (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_SPEED_FDR : IB_SPEED_QDR;
 	props->port_cap_flags	= IB_PORT_CM_SUP | IB_PORT_IP_BASED_GIDS;
 	props->gid_tbl_len	= mdev->dev->caps.gid_table_len[port];
 	props->max_msg_sz	= mdev->dev->caps.max_msg_sz;
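Review bot: the new `active_width` expression mixes `||` and `?:` without outer parentheses and repeats the `((u8 *)mailbox->buf)[5]` cast three times across the two assignments. It parses as intended because `||` binds tighter than `?:`, but reading the byte once into a local and giving 0x40 and 0x20 names would be easier to check than the inline `/*56Gb*/` comments.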
@@ -2156,14 +2159,19 @@ static void *mlx4_ib_add(struct mlx4_dev *dev)
 			goto err_steer_qp_release;
 		}
 
-		bitmap_zero(ibdev->ib_uc_qpns_bitmap, ibdev->steer_qpn_count);
-
-		err = mlx4_FLOW_STEERING_IB_UC_QP_RANGE(
-				dev, ibdev->steer_qpn_base,
-				ibdev->steer_qpn_base +
-				ibdev->steer_qpn_count - 1);
-		if (err)
-			goto err_steer_free_bitmap;
+		if (dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_DMFS_IPOIB) {
+			bitmap_zero(ibdev->ib_uc_qpns_bitmap,
+				    ibdev->steer_qpn_count);
+			err = mlx4_FLOW_STEERING_IB_UC_QP_RANGE(
+					dev, ibdev->steer_qpn_base,
+					ibdev->steer_qpn_base +
+					ibdev->steer_qpn_count - 1);
+			if (err)
+				goto err_steer_free_bitmap;
+		} else {
+			bitmap_fill(ibdev->ib_uc_qpns_bitmap,
+				    ibdev->steer_qpn_count);
+		}
 	}
 
 	if (ib_register_device(&ibdev->ib_dev, NULL))
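Review bot: the `else` branch calling `bitmap_fill(ibdev->ib_uc_qpns_bitmap, ...)` has no comment explaining why every bit is set when `MLX4_DEV_CAP_FLAG2_DMFS_IPOIB` is absent. A one-line comment stating what a fully set bitmap means for later allocations from this range would make the intent clear, since the other branch zeroes the same bitmap.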
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 6f50a21331ed..3e1ea0323983 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1153,7 +1153,8 @@ int mlx4_ib_destroy_qp(struct ib_qp *qp)
 	if (is_qp0(dev, mqp))
 		mlx4_CLOSE_PORT(dev->dev, mqp->port);
 
-	if (dev->qp1_proxy[mqp->port - 1] == mqp) {
+	if (mqp->mlx4_ib_qp_type == MLX4_IB_QPT_PROXY_GSI &&
+	    dev->qp1_proxy[mqp->port - 1] == mqp) {
 		mutex_lock(&dev->qp1_proxy_lock[mqp->port - 1]);
 		dev->qp1_proxy[mqp->port - 1] = NULL;
 		mutex_unlock(&dev->qp1_proxy_lock[mqp->port - 1]);
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index cad8cab43559..cb938822a91c 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -319,6 +319,7 @@ static int mlx5_ib_query_device(struct ib_device *ibdev,
 	props->max_total_mcast_qp_attach = props->max_mcast_qp_attach *
 					   props->max_mcast_grp;
 	props->max_map_per_fmr = INT_MAX; /* no limit in ConnectIB */
+	props->max_ah = INT_MAX;
 
 out:
 	kfree(in_mad);
diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
index bf75b943bc31..d1fd8b8f65f0 100644
--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -590,6 +590,33 @@ int mlx5_mr_cache_init(struct mlx5_ib_dev *dev)
 	return 0;
 }
 
+static void wait_for_async_commands(struct mlx5_ib_dev *dev)
+{
+	struct mlx5_mr_cache *cache = &dev->cache;
+	struct mlx5_cache_ent *ent;
+	int total = 0;
+	int i;
+	int j;
+
+	for (i = 0; i < MAX_MR_CACHE_ENTRIES; i++) {
+		ent = &cache->ent[i];
+		for (j = 0 ; j < 1000; j++) {
+			if (!ent->pending)
+				break;
+			msleep(50);
+		}
+	}
+	for (i = 0; i < MAX_MR_CACHE_ENTRIES; i++) {
+		ent = &cache->ent[i];
+		total += ent->pending;
+	}
+
+	if (total)
+		mlx5_ib_warn(dev, "aborted while there are %d pending mr requests\n", total);
+	else
+		mlx5_ib_warn(dev, "done with all pending requests\n");
+}
+
 int mlx5_mr_cache_cleanup(struct mlx5_ib_dev *dev)
 {
 	int i;
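Review bot: `wait_for_async_commands()` logs the success case ("done with all pending requests") through `mlx5_ib_warn`, which will show up as a warning on every clean teardown; that message should be debug level. The inner loop also waits up to 1000 iterations of `msleep(50)` per cache entry, so the worst case is 50 seconds times the number of entries with pending work, and `ent->pending` is read here without any visible locking or barrier. A comment stating the intended upper bound and why the unlocked read is acceptable would help.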
@@ -603,6 +630,7 @@ int mlx5_mr_cache_cleanup(struct mlx5_ib_dev *dev)
 		clean_keys(dev, i);
 
 	destroy_workqueue(dev->cache.wq);
+	wait_for_async_commands(dev);
 	del_timer_sync(&dev->delay_timer);
 
 	return 0;
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
index 9bf0c8f59d54..6f29bd05441f 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1038,8 +1038,6 @@ static struct ib_qp *ipoib_cm_create_tx_qp(struct net_device *dev, struct ipoib_
 
 	tx_qp = ib_create_qp(priv->pd, &attr);
 	if (PTR_ERR(tx_qp) == -EINVAL) {
-		ipoib_warn(priv, "can't use GFP_NOIO for QPs on device %s, using GFP_KERNEL\n",
-			   priv->ca->name);
 		attr.create_flags &= ~IB_QP_CREATE_USE_GFP_NOIO;
 		tx_qp = ib_create_qp(priv->pd, &attr);
 	}
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index d4e005720d01..0b0f2c77d74d 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -523,8 +523,11 @@ void ipoib_mcast_join_task(struct work_struct *work)
 	if (!test_bit(IPOIB_MCAST_RUN, &priv->flags))
 		return;
 
-	if (ib_query_port(priv->ca, priv->port, &port_attr) ||
-	    port_attr.state != IB_PORT_ACTIVE) {
+	if (ib_query_port(priv->ca, priv->port, &port_attr)) {
+		ipoib_dbg(priv, "ib_query_port() failed\n");
+		return;
+	}
+	if (port_attr.state != IB_PORT_ACTIVE) {
 		ipoib_dbg(priv, "port state is not ACTIVE (state = %d) suspending join task\n",
 			  port_attr.state);
 		return;
diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
index ccb36fb565de..3f3c517f2039 100644
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -211,6 +211,12 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
 			DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
 		},
 	},
+	{
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "C15B"),
+		},
+	},
 	{ }
 };
 
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index 76c71ecba656..07af55cc2dcc 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -1044,7 +1044,7 @@ again:
 	next_tail = (tail + sizeof(*cmd)) % iommu->cmd_buf_size;
 	left      = (head - next_tail) % iommu->cmd_buf_size;
 
-	if (left <= 2) {
+	if (left <= 0x20) {
 		struct iommu_cmd sync_cmd;
 		volatile u64 sem = 0;
 		int ret;
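Review bot: the threshold in `if (left <= 0x20)` is a bare constant with no explanation of why 0x20 replaces 2. Since `next_tail` above is computed from `sizeof(*cmd)`, expressing the limit in terms of that size, or adding a comment saying how much room must stay free in the command buffer, would keep the two from drifting apart.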
diff --git a/drivers/isdn/hardware/eicon/message.c b/drivers/isdn/hardware/eicon/message.c
index a82e542ffc21..fecbf1d2f60b 100644
--- a/drivers/isdn/hardware/eicon/message.c
+++ b/drivers/isdn/hardware/eicon/message.c
@@ -11304,7 +11304,8 @@ static void mixer_notify_update(PLCI *plci, byte others)
 				((CAPI_MSG *) msg)->header.ncci = 0;
 				((CAPI_MSG *) msg)->info.facility_req.Selector = SELECTOR_LINE_INTERCONNECT;
 				((CAPI_MSG *) msg)->info.facility_req.structs[0] = 3;
-				PUT_WORD(&(((CAPI_MSG *) msg)->info.facility_req.structs[1]), LI_REQ_SILENT_UPDATE);
+				((CAPI_MSG *) msg)->info.facility_req.structs[1] = LI_REQ_SILENT_UPDATE & 0xff;
+				((CAPI_MSG *) msg)->info.facility_req.structs[2] = LI_REQ_SILENT_UPDATE >> 8;
 				((CAPI_MSG *) msg)->info.facility_req.structs[3] = 0;
 				w = api_put(notify_plci->appl, (CAPI_MSG *) msg);
 				if (w != _QUEUE_FULL)
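Review bot: the two byte stores to `structs[1]` and `structs[2]` replace `PUT_WORD` with no comment. Please note next to them that this is the low byte followed by the high byte of `LI_REQ_SILENT_UPDATE` and why the macro cannot be used at this offset, so the open-coded form is not converted back later.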
diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 34e7db1e7304..c43187b4dc0e 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1449,12 +1449,15 @@ static int crypt_set_key(struct crypt_config *cc, char *key)
 	if (!cc->key_size && strcmp(key, "-"))
 		goto out;
 
+	/* clear the flag since following operations may invalidate previously valid key */
+	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
+
 	if (cc->key_size && crypt_decode_key(cc->key, key, cc->key_size) < 0)
 		goto out;
 
-	set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
-
 	r = crypt_setkey_allcpus(cc);
+	if (!r)
+		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
 
 out:
 	/* Hex key string not needed after here, so wipe it. */
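Review bot: after the new `clear_bit(DM_CRYPT_KEY_VALID, ...)`, a failure in `crypt_decode_key()` or `crypt_setkey_allcpus()` leaves the flag clear, which is right, but `cc->key` can still hold partly decoded or rejected key bytes. The code after `out:` wipes only the hex string, so consider zeroing `cc->key` on those two failure paths as well, or say in the comment why stale key material there is acceptable.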
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 35caa4c17c3d..d043e50ebea7 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -868,6 +868,9 @@ static void end_clone_bio(struct bio *clone, int error)
  */
 static void rq_completed(struct mapped_device *md, int rw, int run_queue)
 {
+	struct request_queue *q = md->queue;
+	unsigned long flags;
+
 	atomic_dec(&md->pending[rw]);
 
 	/* nudge anyone waiting on suspend queue */
@@ -880,8 +883,11 @@ static void rq_completed(struct mapped_device *md, int rw, int run_queue)
 	 * back into ->request_fn() could deadlock attempting to grab the
 	 * queue lock again.
 	 */
-	if (run_queue)
-		blk_run_queue_async(md->queue);
+	if (run_queue) {
+		spin_lock_irqsave(q->queue_lock, flags);
+		blk_run_queue_async(q);
+		spin_unlock_irqrestore(q->queue_lock, flags);
+	}
 
 	/*
 	 * dm_put() must be at the end of this function. See the comment above
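Review bot: the context comment directly above the changed block still warns that calling back into `->request_fn()` could deadlock on the queue lock, yet the new code takes `q->queue_lock` around `blk_run_queue_async(q)` with no explanation. Extend that comment to say why the lock is required for the async run and why holding it here cannot hit the deadlock it describes.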
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 60d57bad30bb..4db092cf3a1d 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6453,7 +6453,7 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
 		/* need to ensure recovery thread has run */
 		wait_event_interruptible_timeout(mddev->sb_wait,
 						 !test_bit(MD_RECOVERY_NEEDED,
-							   &mddev->flags),
+							   &mddev->recovery),
 						 msecs_to_jiffies(5000));
 	if (cmd == STOP_ARRAY || cmd == STOP_ARRAY_RO) {
 		/* Need to flush page cache, and ensure no-one else opens
diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
index 032ee39a0e9b..8114a29839c4 100644
--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -773,17 +773,15 @@ int dm_sm_metadata_create(struct dm_space_map *sm,
 	memcpy(&smm->sm, &bootstrap_ops, sizeof(smm->sm));
 
 	r = sm_ll_new_metadata(&smm->ll, tm);
+	if (!r) {
+		if (nr_blocks > DM_SM_METADATA_MAX_BLOCKS)
+			nr_blocks = DM_SM_METADATA_MAX_BLOCKS;
+		r = sm_ll_extend(&smm->ll, nr_blocks);
+	}
+	memcpy(&smm->sm, &ops, sizeof(smm->sm));
 	if (r)
 		return r;
 
-	if (nr_blocks > DM_SM_METADATA_MAX_BLOCKS)
-		nr_blocks = DM_SM_METADATA_MAX_BLOCKS;
-	r = sm_ll_extend(&smm->ll, nr_blocks);
-	if (r)
-		return r;
-
-	memcpy(&smm->sm, &ops, sizeof(smm->sm));
-
 	/*
 	 * Now we need to update the newly created data structures with the
 	 * allocated blocks that they were built from.
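Review bot: `memcpy(&smm->sm, &ops, sizeof(smm->sm))` now runs before `if (r) return r;`, so the real ops are installed even when `sm_ll_new_metadata()` or `sm_ll_extend()` failed. That looks deliberate, but nothing in the hunk says so; a short comment explaining that the bootstrap ops must not stay in place on the error return would stop someone from moving the memcpy back below the check.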
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 9d9d757a3488..63a094166138 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6222,6 +6222,15 @@ static int run(struct mddev *mddev)
 			stripe = (stripe | (stripe-1)) + 1;
 		mddev->queue->limits.discard_alignment = stripe;
 		mddev->queue->limits.discard_granularity = stripe;
+
+		/*
+		 * We use 16-bit counter of active stripes in bi_phys_segments
+		 * (minus one for over-loaded initialization)
+		 */
+		blk_queue_max_hw_sectors(mddev->queue, 0xfffe * STRIPE_SECTORS);
+		blk_queue_max_discard_sectors(mddev->queue,
+					      0xfffe * STRIPE_SECTORS);
+
 		/*
 		 * unaligned part of discard request will be ignored, so can't
 		 * guarantee discard_zeroes_data
diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig
index 441053be7f55..42be1e944b88 100644
--- a/drivers/media/i2c/Kconfig
+++ b/drivers/media/i2c/Kconfig
@@ -590,6 +590,7 @@ config VIDEO_S5K6A3
 config VIDEO_S5K4ECGX
         tristate "Samsung S5K4ECGX sensor support"
         depends on I2C && VIDEO_V4L2 && VIDEO_V4L2_SUBDEV_API
+	select CRC32
         ---help---
           This is a V4L2 sensor-level driver for Samsung S5K4ECGX 5M
           camera sensor with an embedded SoC image signal processor.
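Review bot: the added `select CRC32` line is indented with a tab while the `tristate`, `depends on` and `---help---` lines around it in this entry use eight spaces. Match the surrounding indentation so the entry stays consistent.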
diff --git a/drivers/media/platform/davinci/vpfe_capture.c b/drivers/media/platform/davinci/vpfe_capture.c
index a51bda2fb637..ff10c2e90a5a 100644
--- a/drivers/media/platform/davinci/vpfe_capture.c
+++ b/drivers/media/platform/davinci/vpfe_capture.c
@@ -1967,6 +1967,7 @@ static int vpfe_probe(struct platform_device *pdev)
 			v4l2_info(&vpfe_dev->v4l2_dev,
 				  "v4l2 sub device %s register fails\n",
 				  sdinfo->name);
+			ret = -ENXIO;
 			goto probe_sd_out;
 		}
 	}
diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
index ab24cc6d3655..65740093403e 100644
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -263,6 +263,8 @@ static void ite_set_carrier_params(struct ite_dev *dev)
 
 			if (allowance > ITE_RXDCR_MAX)
 				allowance = ITE_RXDCR_MAX;
+
+			use_demodulator = true;
 		}
 	}
 
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 89c86ee2b225..dcb8d14e5bf5 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -206,22 +206,30 @@ static int smsusb_start_streaming(struct smsusb_device_t *dev)
 static int smsusb_sendrequest(void *context, void *buffer, size_t size)
 {
 	struct smsusb_device_t *dev = (struct smsusb_device_t *) context;
-	struct sms_msg_hdr *phdr = (struct sms_msg_hdr *) buffer;
-	int dummy;
+	struct sms_msg_hdr *phdr;
+	int dummy, ret;
 
 	if (dev->state != SMSUSB_ACTIVE) {
 		sms_debug("Device not active yet");
 		return -ENOENT;
 	}
 
+	phdr = kmalloc(size, GFP_KERNEL);
+	if (!phdr)
+		return -ENOMEM;
+	memcpy(phdr, buffer, size);
+
 	sms_debug("sending %s(%d) size: %d",
 		  smscore_translate_msg(phdr->msg_type), phdr->msg_type,
 		  phdr->msg_length);
 
 	smsendian_handle_tx_message((struct sms_msg_data *) phdr);
-	smsendian_handle_message_header((struct sms_msg_hdr *)buffer);
-	return usb_bulk_msg(dev->udev, usb_sndbulkpipe(dev->udev, 2),
-			    buffer, size, &dummy, 1000);
+	smsendian_handle_message_header((struct sms_msg_hdr *)phdr);
+	ret = usb_bulk_msg(dev->udev, usb_sndbulkpipe(dev->udev, 2),
+			    phdr, size, &dummy, 1000);
+
+	kfree(phdr);
+	return ret;
 }
 
 static char *smsusb1_fw_lkup[] = {
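Review bot: the bounce buffer in `smsusb_sendrequest()` is built with `kmalloc(size, GFP_KERNEL)` followed by `memcpy(phdr, buffer, size)`, which is what `kmemdup()` does in one call. Separately, `size` is never compared with `sizeof(struct sms_msg_hdr)` before `phdr->msg_type` and `phdr->msg_length` are read for the debug message, so a short request reads past the end of the new allocation; a length check before the copy would close that.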
diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c
index a4afa996d413..ed845efa8fd4 100644
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -819,7 +819,7 @@ int mei_cl_irq_write(struct mei_cl *cl, struct mei_cl_cb *cb,
 
 	rets = mei_cl_flow_ctrl_creds(cl);
 	if (rets < 0)
-		return rets;
+		goto err;
 
 	if (rets == 0) {
 		cl_dbg(dev, cl, "No flow control credentials: not sending.\n");
@@ -853,23 +853,27 @@ int mei_cl_irq_write(struct mei_cl *cl, struct mei_cl_cb *cb,
 			cb->request_buffer.size, cb->buf_idx);
 
 	rets = mei_write_message(dev, &mei_hdr, buf->data + cb->buf_idx);
-	if (rets) {
-		cl->status = rets;
-		list_move_tail(&cb->list, &cmpl_list->list);
-		return rets;
-	}
+	if (rets)
+		goto err;
 
 	cl->status = 0;
 	cl->writing_state = MEI_WRITING;
 	cb->buf_idx += mei_hdr.length;
 
 	if (mei_hdr.msg_complete) {
-		if (mei_cl_flow_ctrl_reduce(cl))
-			return -EIO;
+		if (mei_cl_flow_ctrl_reduce(cl)) {
+			rets = -EIO;
+			goto err;
+		}
 		list_move_tail(&cb->list, &dev->write_waiting_list.list);
 	}
 
 	return 0;
+
+err:
+	cl->status = rets;
+	list_move_tail(&cb->list, &cmpl_list->list);
+	return rets;
 }
 
 /**
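Review bot: on the `mei_cl_flow_ctrl_reduce()` failure path, the jump to `err:` happens after `cl->writing_state = MEI_WRITING` and `cb->buf_idx += mei_hdr.length` have already been applied. The `err:` block then sets `cl->status` and moves `cb` to `cmpl_list` but does not undo either of those, so the callback is completed with an advanced index and the client is left in the writing state. Please confirm that is intended, or reset the state before the list move.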
diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
index 094ba8b8dc3a..d87f81f3eae4 100644
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1391,10 +1391,10 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr,
 		err = mmc_select_hs400(card);
 		if (err)
 			goto err;
-	} else if (mmc_card_hs(card)) {
+	} else {
 		/* Select the desired bus width optionally */
 		err = mmc_select_bus_width(card);
-		if (!IS_ERR_VALUE(err)) {
+		if (!IS_ERR_VALUE(err) && mmc_card_hs(card)) {
 			err = mmc_select_hs_ddr(card);
 			if (err)
 				goto err;
diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
index ad32f235bdb8..5bbc0e64bab5 100644
--- a/drivers/mmc/host/mxs-mmc.c
+++ b/drivers/mmc/host/mxs-mmc.c
@@ -308,6 +308,9 @@ static void mxs_mmc_ac(struct mxs_mmc_host *host)
 	cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
 	cmd1 = cmd->arg;
 
+	if (cmd->opcode == MMC_STOP_TRANSMISSION)
+		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
 	if (host->sdio_irq_en) {
 		ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
 		cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
@@ -416,8 +419,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_host *host)
 		       ssp->base + HW_SSP_BLOCK_SIZE);
 	}
 
-	if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
-	    (cmd->opcode == SD_IO_RW_EXTENDED))
+	if (cmd->opcode == SD_IO_RW_EXTENDED)
 		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
 
 	cmd1 = cmd->arg;
diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
index 5114206df053..79d7a10028be 100644
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1959,7 +1959,27 @@ static int sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode)
 			ctrl &= ~SDHCI_CTRL_EXEC_TUNING;
 			sdhci_writew(host, ctrl, SDHCI_HOST_CONTROL2);
 
+			sdhci_do_reset(host, SDHCI_RESET_CMD);
+			sdhci_do_reset(host, SDHCI_RESET_DATA);
+
 			err = -EIO;
+
+			if (cmd.opcode != MMC_SEND_TUNING_BLOCK_HS200)
+				goto out;
+
+			sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+			sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
+
+			spin_unlock_irqrestore(&host->lock, flags);
+
+			memset(&cmd, 0, sizeof(cmd));
+			cmd.opcode = MMC_STOP_TRANSMISSION;
+			cmd.flags = MMC_RSP_SPI_R1B | MMC_RSP_R1B | MMC_CMD_AC;
+			cmd.busy_timeout = 50;
+			mmc_wait_for_cmd(mmc, &cmd, 0);
+
+			spin_lock_irqsave(&host->lock, flags);
+
 			goto out;
 		}
 
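Review bot: the tuning-timeout path now drops `host->lock` with `spin_unlock_irqrestore()` to call `mmc_wait_for_cmd()` and discards its return value, with no comment on either. Please document why it is safe to release the lock at this point in `sdhci_execute_tuning()`, why a failed `MMC_STOP_TRANSMISSION` can be ignored, and where the `busy_timeout = 50` value comes from.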
@@ -2465,7 +2485,8 @@ static irqreturn_t sdhci_irq(int irq, void *dev_id)
 			pr_err("%s: Card is consuming too much power!\n",
 				mmc_hostname(host->mmc));
 
-		if (intmask & SDHCI_INT_CARD_INT) {
+		if ((intmask & SDHCI_INT_CARD_INT) &&
+		    (host->ier & SDHCI_INT_CARD_INT)) {
 			sdhci_enable_sdio_irq_nolock(host, false);
 			host->thread_isr |= SDHCI_INT_CARD_INT;
 			result = IRQ_WAKE_THREAD;
diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig
index f1cf503517fd..fa1bb0223a02 100644
--- a/drivers/mtd/nand/Kconfig
+++ b/drivers/mtd/nand/Kconfig
@@ -506,7 +506,7 @@ config MTD_NAND_FSMC
 	  Flexible Static Memory Controller (FSMC)
 
 config MTD_NAND_XWAY
-	tristate "Support for NAND on Lantiq XWAY SoC"
+	bool "Support for NAND on Lantiq XWAY SoC"
 	depends on LANTIQ && SOC_TYPE_XWAY
 	select MTD_NAND_PLATFORM
 	help
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 8626bc0cb2af..1b7545680eae 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -365,7 +365,11 @@ static int bond_newlink(struct net *src_net, struct net_device *bond_dev,
 	if (err < 0)
 		return err;
 
-	return register_netdevice(bond_dev);
+	err = register_netdevice(bond_dev);
+
+	netif_carrier_off(bond_dev);
+
+	return err;
 }
 
 static size_t bond_get_size(const struct net_device *bond_dev)
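Review bot: `netif_carrier_off(bond_dev)` is called unconditionally after `register_netdevice()`, including when `err` is non-zero. If touching the carrier state of a device that failed to register is not intended, guard the call with `if (!err)`; if it is harmless, a comment saying so would avoid the question.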
diff --git a/drivers/net/can/c_can/c_can_pci.c b/drivers/net/can/c_can/c_can_pci.c
index 5d11e0e4225b..b997508ea7c6 100644
--- a/drivers/net/can/c_can/c_can_pci.c
+++ b/drivers/net/can/c_can/c_can_pci.c
@@ -161,6 +161,7 @@ static int c_can_pci_probe(struct pci_dev *pdev,
 
 	dev->irq = pdev->irq;
 	priv->base = addr;
+	priv->device = &pdev->dev;
 
 	if (!c_can_pci_data->freq) {
 		dev_err(&pdev->dev, "no clock frequency defined\n");
diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
index 258b9c4856ec..386d2c02e18f 100644
--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -950,7 +950,12 @@ static int ti_hecc_probe(struct platform_device *pdev)
 	netif_napi_add(ndev, &priv->napi, ti_hecc_rx_poll,
 		HECC_DEF_NAPI_WEIGHT);
 
-	clk_enable(priv->clk);
+	err = clk_prepare_enable(priv->clk);
+	if (err) {
+		dev_err(&pdev->dev, "clk_prepare_enable() failed\n");
+		goto probe_exit_clk;
+	}
+
 	err = register_candev(ndev);
 	if (err) {
 		dev_err(&pdev->dev, "register_candev() failed\n");
@@ -983,7 +988,7 @@ static int ti_hecc_remove(struct platform_device *pdev)
 	struct ti_hecc_priv *priv = netdev_priv(ndev);
 
 	unregister_candev(ndev);
-	clk_disable(priv->clk);
+	clk_disable_unprepare(priv->clk);
 	clk_put(priv->clk);
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	iounmap(priv->base);
@@ -1008,7 +1013,7 @@ static int ti_hecc_suspend(struct platform_device *pdev, pm_message_t state)
 	hecc_set_bit(priv, HECC_CANMC, HECC_CANMC_PDR);
 	priv->can.state = CAN_STATE_SLEEPING;
 
-	clk_disable(priv->clk);
+	clk_disable_unprepare(priv->clk);
 
 	return 0;
 }
@@ -1017,8 +1022,11 @@ static int ti_hecc_resume(struct platform_device *pdev)
 {
 	struct net_device *dev = platform_get_drvdata(pdev);
 	struct ti_hecc_priv *priv = netdev_priv(dev);
+	int err;
 
-	clk_enable(priv->clk);
+	err = clk_prepare_enable(priv->clk);
+	if (err)
+		return err;
 
 	hecc_clear_bit(priv, HECC_CANMC, HECC_CANMC_PDR);
 	priv->can.state = CAN_STATE_ERROR_ACTIVE;
diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
index e751b5db0132..04c85b94754f 100644
--- a/drivers/net/ethernet/atheros/alx/main.c
+++ b/drivers/net/ethernet/atheros/alx/main.c
@@ -86,9 +86,14 @@ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
 	while (!cur_buf->skb && next != rxq->read_idx) {
 		struct alx_rfd *rfd = &rxq->rfd[cur];
 
-		skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
+		skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size + 64, gfp);
 		if (!skb)
 			break;
+
+		/* Workround for the HW RX DMA overflow issue */
+		if (((unsigned long)skb->data & 0xfff) == 0xfc0)
+			skb_reserve(skb, 64);
+
 		dma = dma_map_single(&alx->hw.pdev->dev,
 				     skb->data, alx->rxbuf_size,
 				     DMA_FROM_DEVICE);
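Review bot: the workaround comment is misspelled ("Workround") and does not explain the constants: the allocation grows by 64, and `skb_reserve(skb, 64)` is applied only when the low 12 bits of `skb->data` equal 0xfc0. Please describe the hardware condition being avoided (which buffer start offsets trigger the RX DMA overflow) so the 64 and 0xfc0 values can be verified against it, and note that `dma_map_single()` still maps `alx->rxbuf_size` bytes from the adjusted pointer.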
diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
index 3cca6047578b..4d762138eb39 100644
--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -587,11 +587,8 @@ static unsigned int __bcm_sysport_tx_reclaim(struct bcm_sysport_priv *priv,
 	unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
 	unsigned int pkts_compl = 0, bytes_compl = 0;
 	struct bcm_sysport_cb *cb;
-	struct netdev_queue *txq;
 	u32 hw_ind;
 
-	txq = netdev_get_tx_queue(ndev, ring->index);
-
 	/* Compute how many descriptors have been processed since last call */
 	hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
 	c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
@@ -622,9 +619,6 @@ static unsigned int __bcm_sysport_tx_reclaim(struct bcm_sysport_priv *priv,
 
 	ring->c_index = c_index;
 
-	if (netif_tx_queue_stopped(txq) && pkts_compl)
-		netif_tx_wake_queue(txq);
-
 	netif_dbg(priv, tx_done, ndev,
 			"ring=%d c_index=%d pkts_compl=%d, bytes_compl=%d\n",
 			ring->index, ring->c_index, pkts_compl, bytes_compl);
@@ -636,16 +630,33 @@ static unsigned int __bcm_sysport_tx_reclaim(struct bcm_sysport_priv *priv,
 static unsigned int bcm_sysport_tx_reclaim(struct bcm_sysport_priv *priv,
 					   struct bcm_sysport_tx_ring *ring)
 {
+	struct netdev_queue *txq;
 	unsigned int released;
 	unsigned long flags;
 
+	txq = netdev_get_tx_queue(priv->netdev, ring->index);
+
 	spin_lock_irqsave(&ring->lock, flags);
 	released = __bcm_sysport_tx_reclaim(priv, ring);
+	if (released)
+		netif_tx_wake_queue(txq);
+
 	spin_unlock_irqrestore(&ring->lock, flags);
 
 	return released;
 }
 
+/* Locked version of the per-ring TX reclaim, but does not wake the queue */
+static void bcm_sysport_tx_clean(struct bcm_sysport_priv *priv,
+				 struct bcm_sysport_tx_ring *ring)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&ring->lock, flags);
+	__bcm_sysport_tx_reclaim(priv, ring);
+	spin_unlock_irqrestore(&ring->lock, flags);
+}
+
 static int bcm_sysport_tx_poll(struct napi_struct *napi, int budget)
 {
 	struct bcm_sysport_tx_ring *ring =
@@ -843,15 +854,6 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
 		goto out;
 	}
 
-	/* Insert TSB and checksum infos */
-	if (priv->tsb_en) {
-		skb = bcm_sysport_insert_tsb(skb, dev);
-		if (!skb) {
-			ret = NETDEV_TX_OK;
-			goto out;
-		}
-	}
-
 	/* The Ethernet switch we are interfaced with needs packets to be at
 	 * least 64 bytes (including FCS) otherwise they will be discarded when
 	 * they enter the switch port logic. When Broadcom tags are enabled, we
@@ -864,6 +866,15 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
 		goto out;
 	}
 
+	/* Insert TSB and checksum infos */
+	if (priv->tsb_en) {
+		skb = bcm_sysport_insert_tsb(skb, dev);
+		if (!skb) {
+			ret = NETDEV_TX_OK;
+			goto out;
+		}
+	}
+
 	skb_len = skb->len < ETH_ZLEN + ENET_BRCM_TAG_LEN ?
 			ETH_ZLEN + ENET_BRCM_TAG_LEN : skb->len;
 
@@ -1072,7 +1083,7 @@ static void bcm_sysport_fini_tx_ring(struct bcm_sysport_priv *priv,
 	napi_disable(&ring->napi);
 	netif_napi_del(&ring->napi);
 
-	bcm_sysport_tx_reclaim(priv, ring);
+	bcm_sysport_tx_clean(priv, ring);
 
 	kfree(ring->cbs);
 	ring->cbs = NULL;
diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index fb9708d4b8b5..720eed57d255 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -1033,12 +1033,18 @@ static void enic_rq_indicate_buf(struct vnic_rq *rq,
 		skb->protocol = eth_type_trans(skb, netdev);
 		skb_record_rx_queue(skb, q_number);
 		if (netdev->features & NETIF_F_RXHASH) {
-			skb_set_hash(skb, rss_hash,
-				     (rss_type &
-				      (NIC_CFG_RSS_HASH_TYPE_TCP_IPV6_EX |
-				       NIC_CFG_RSS_HASH_TYPE_TCP_IPV6 |
-				       NIC_CFG_RSS_HASH_TYPE_TCP_IPV4)) ?
-				     PKT_HASH_TYPE_L4 : PKT_HASH_TYPE_L3);
+			switch (rss_type) {
+			case CQ_ENET_RQ_DESC_RSS_TYPE_TCP_IPv4:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_TCP_IPv6:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_TCP_IPv6_EX:
+				skb_set_hash(skb, rss_hash, PKT_HASH_TYPE_L4);
+				break;
+			case CQ_ENET_RQ_DESC_RSS_TYPE_IPv4:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_IPv6:
+			case CQ_ENET_RQ_DESC_RSS_TYPE_IPv6_EX:
+				skb_set_hash(skb, rss_hash, PKT_HASH_TYPE_L3);
+				break;
+			}
 		}
 
 		/* Hardware does not provide whole packet checksum. It only
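Review bot: the new `switch (rss_type)` has no `default` case, so any value outside the six listed `CQ_ENET_RQ_DESC_RSS_TYPE_*` constants leaves the skb without a hash, whereas the removed expression always called `skb_set_hash()`. If leaving the hash unset is the intended behaviour, add an explicit `default: break;` with a short comment so the change in behaviour is visible.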
diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
index f4ea3490f446..8dc7f7221fa1 100644
--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -1008,7 +1008,7 @@ int be_cmd_pmac_add(struct be_adapter *adapter, u8 *mac_addr,
 err:
 	spin_unlock_bh(&adapter->mcc_lock);
 
-	 if (status == MCC_STATUS_UNAUTHORIZED_REQUEST)
+	 if (base_status(status) == MCC_STATUS_UNAUTHORIZED_REQUEST)
 		status = -EPERM;
 
 	return status;
diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
index d74f5f4e5782..07eabf72c480 100644
--- a/drivers/net/ethernet/korina.c
+++ b/drivers/net/ethernet/korina.c
@@ -900,10 +900,10 @@ static void korina_restart_task(struct work_struct *work)
 				DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR,
 				&lp->rx_dma_regs->dmasm);
 
-	korina_free_ring(dev);
-
 	napi_disable(&lp->napi);
 
+	korina_free_ring(dev);
+
 	if (korina_init(dev) < 0) {
 		printk(KERN_ERR "%s: cannot restart device\n", dev->name);
 		return;
@@ -1064,12 +1064,12 @@ static int korina_close(struct net_device *dev)
 	tmp = tmp | DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR;
 	writel(tmp, &lp->rx_dma_regs->dmasm);
 
-	korina_free_ring(dev);
-
 	napi_disable(&lp->napi);
 
 	cancel_work_sync(&lp->restart_task);
 
+	korina_free_ring(dev);
+
 	free_irq(lp->rx_irq, dev);
 	free_irq(lp->tx_irq, dev);
 	free_irq(lp->ovr_irq, dev);
diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
index 69693384b58c..d72c33cbaeeb 100644
--- a/drivers/net/ethernet/marvell/sky2.c
+++ b/drivers/net/ethernet/marvell/sky2.c
@@ -5211,6 +5211,19 @@ static SIMPLE_DEV_PM_OPS(sky2_pm_ops, sky2_suspend, sky2_resume);
 
 static void sky2_shutdown(struct pci_dev *pdev)
 {
+	struct sky2_hw *hw = pci_get_drvdata(pdev);
+	int port;
+
+	for (port = 0; port < hw->ports; port++) {
+		struct net_device *ndev = hw->dev[port];
+
+		rtnl_lock();
+		if (netif_running(ndev)) {
+			dev_close(ndev);
+			netif_device_detach(ndev);
+		}
+		rtnl_unlock();
+	}
 	sky2_suspend(&pdev->dev);
 	pci_wake_from_d3(pdev, device_may_wakeup(&pdev->dev));
 	pci_set_power_state(pdev, PCI_D3hot);
diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index 56022d647837..6bb0521b09a3 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -56,13 +56,19 @@ void mlx4_cq_completion(struct mlx4_dev *dev, u32 cqn)
 {
 	struct mlx4_cq *cq;
 
+	rcu_read_lock();
 	cq = radix_tree_lookup(&mlx4_priv(dev)->cq_table.tree,
 			       cqn & (dev->caps.num_cqs - 1));
+	rcu_read_unlock();
+
 	if (!cq) {
 		mlx4_dbg(dev, "Completion event for bogus CQ %08x\n", cqn);
 		return;
 	}
 
+	/* Acessing the CQ outside of rcu_read_lock is safe, because
+	 * the CQ is freed only after interrupt handling is completed.
+	 */
 	++cq->arm_sn;
 
 	cq->comp(cq);
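Review bot: the new comment is misspelled ("Acessing", repeated in `mlx4_cq_event()` in the next hunk) and asserts that the CQ is freed only after interrupt handling completes without saying what enforces it. Since `cq` is dereferenced after `rcu_read_unlock()`, the comment should name the mechanism, which from the later hunk is the `radix_tree_delete()` followed by `synchronize_irq()` in `mlx4_cq_free()`.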
@@ -73,23 +79,19 @@ void mlx4_cq_event(struct mlx4_dev *dev, u32 cqn, int event_type)
 	struct mlx4_cq_table *cq_table = &mlx4_priv(dev)->cq_table;
 	struct mlx4_cq *cq;
 
-	spin_lock(&cq_table->lock);
-
+	rcu_read_lock();
 	cq = radix_tree_lookup(&cq_table->tree, cqn & (dev->caps.num_cqs - 1));
-	if (cq)
-		atomic_inc(&cq->refcount);
-
-	spin_unlock(&cq_table->lock);
+	rcu_read_unlock();
 
 	if (!cq) {
-		mlx4_warn(dev, "Async event for bogus CQ %08x\n", cqn);
+		mlx4_dbg(dev, "Async event for bogus CQ %08x\n", cqn);
 		return;
 	}
 
+	/* Acessing the CQ outside of rcu_read_lock is safe, because
+	 * the CQ is freed only after interrupt handling is completed.
+	 */
 	cq->event(cq, event_type);
-
-	if (atomic_dec_and_test(&cq->refcount))
-		complete(&cq->free);
 }
 
 static int mlx4_SW2HW_CQ(struct mlx4_dev *dev, struct mlx4_cmd_mailbox *mailbox,
@@ -256,9 +258,9 @@ int mlx4_cq_alloc(struct mlx4_dev *dev, int nent,
 	if (err)
 		return err;
 
-	spin_lock_irq(&cq_table->lock);
+	spin_lock(&cq_table->lock);
 	err = radix_tree_insert(&cq_table->tree, cq->cqn, cq);
-	spin_unlock_irq(&cq_table->lock);
+	spin_unlock(&cq_table->lock);
 	if (err)
 		goto err_icm;
 
@@ -297,9 +299,9 @@ int mlx4_cq_alloc(struct mlx4_dev *dev, int nent,
 	return 0;
 
 err_radix:
-	spin_lock_irq(&cq_table->lock);
+	spin_lock(&cq_table->lock);
 	radix_tree_delete(&cq_table->tree, cq->cqn);
-	spin_unlock_irq(&cq_table->lock);
+	spin_unlock(&cq_table->lock);
 
 err_icm:
 	mlx4_cq_free_icm(dev, cq->cqn);
@@ -318,11 +320,11 @@ void mlx4_cq_free(struct mlx4_dev *dev, struct mlx4_cq *cq)
 	if (err)
 		mlx4_warn(dev, "HW2SW_CQ failed (%d) for CQN %06x\n", err, cq->cqn);
 
-	synchronize_irq(priv->eq_table.eq[cq->vector].irq);
-
-	spin_lock_irq(&cq_table->lock);
+	spin_lock(&cq_table->lock);
 	radix_tree_delete(&cq_table->tree, cq->cqn);
-	spin_unlock_irq(&cq_table->lock);
+	spin_unlock(&cq_table->lock);
+
+	synchronize_irq(priv->eq_table.eq[cq->vector].irq);
 
 	if (atomic_dec_and_test(&cq->refcount))
 		complete(&cq->free);
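Review bot: moving `synchronize_irq()` below `radix_tree_delete()` is what makes the lock-free lookups in the two handlers safe, but the call site carries no comment, so the order could be swapped back without anyone noticing. Add one here. Also, with the `atomic_inc()`/`atomic_dec_and_test()` pair removed from `mlx4_cq_event()`, please state which remaining users still take `cq->refcount`, since this function keeps the final `atomic_dec_and_test()` and `complete(&cq->free)`.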
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
index 76879a1cca6f..b07f4c0d617b 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -437,8 +437,14 @@ int mlx4_en_activate_rx_rings(struct mlx4_en_priv *priv)
 		ring->cqn = priv->rx_cq[ring_ind]->mcq.cqn;
 
 		ring->stride = stride;
-		if (ring->stride <= TXBB_SIZE)
+		if (ring->stride <= TXBB_SIZE) {
+			/* Stamp first unused send wqe */
+			__be32 *ptr = (__be32 *)ring->buf;
+			__be32 stamp = cpu_to_be32(1 << STAMP_SHIFT);
+			*ptr = stamp;
+			/* Move pointer to start of rx section */
 			ring->buf += TXBB_SIZE;
+		}
 
 		ring->log_stride = ffs(ring->stride) - 1;
 		ring->buf_size = ring->size * ring->stride;
@@ -500,8 +506,11 @@ void mlx4_en_recover_from_oom(struct mlx4_en_priv *priv)
 		return;
 
 	for (ring = 0; ring < priv->rx_ring_num; ring++) {
-		if (mlx4_en_is_ring_empty(priv->rx_ring[ring]))
+		if (mlx4_en_is_ring_empty(priv->rx_ring[ring])) {
+			local_bh_disable();
 			napi_reschedule(&priv->rx_cq[ring]->napi);
+			local_bh_enable();
+		}
 	}
 }
 
diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c
index c26eec5f33c3..e79dbd9ff066 100644
--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
@@ -506,8 +506,9 @@ static int mlx4_eq_int(struct mlx4_dev *dev, struct mlx4_eq *eq)
 			break;
 
 		case MLX4_EVENT_TYPE_SRQ_LIMIT:
-			mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT\n",
-				 __func__);
+			mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT. srq_no=0x%x, eq 0x%x\n",
+				 __func__, be32_to_cpu(eqe->event.srq.srqn),
+				 eq->eqn);
 		case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR:
 			if (mlx4_is_master(dev)) {
 				/* forward only to slave owning the SRQ */
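Review bot: case MLX4_EVENT_TYPE_SRQ_LIMIT still falls through into MLX4_EVENT_TYPE_SRQ_CATAS_ERROR after the reworked mlx4_dbg() call, with no marker. The eqe->type == MLX4_EVENT_TYPE_SRQ_CATAS_ERROR tests added in the next hunk only make sense if both event types reach that code, so add a /* fall through */ comment after the mlx4_dbg() to show the missing break is intentional.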
@@ -522,15 +523,19 @@ static int mlx4_eq_int(struct mlx4_dev *dev, struct mlx4_eq *eq)
 						  eq->eqn, eq->cons_index, ret);
 					break;
 				}
-				mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n",
-					  __func__, slave,
-					  be32_to_cpu(eqe->event.srq.srqn),
-					  eqe->type, eqe->subtype);
+				if (eqe->type ==
+				    MLX4_EVENT_TYPE_SRQ_CATAS_ERROR)
+					mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n",
+						  __func__, slave,
+						  be32_to_cpu(eqe->event.srq.srqn),
+						  eqe->type, eqe->subtype);
 
 				if (!ret && slave != dev->caps.function) {
-					mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n",
-						  __func__, eqe->type,
-						  eqe->subtype, slave);
+					if (eqe->type ==
+					    MLX4_EVENT_TYPE_SRQ_CATAS_ERROR)
+						mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n",
+							  __func__, eqe->type,
+							  eqe->subtype, slave);
 					mlx4_slave_event(dev, slave, eqe);
 					break;
 				}
diff --git a/drivers/net/ethernet/mellanox/mlx4/icm.c b/drivers/net/ethernet/mellanox/mlx4/icm.c
index 97c9b1db1d27..27f22cd3b071 100644
--- a/drivers/net/ethernet/mellanox/mlx4/icm.c
+++ b/drivers/net/ethernet/mellanox/mlx4/icm.c
@@ -117,8 +117,13 @@ static int mlx4_alloc_icm_coherent(struct device *dev, struct scatterlist *mem,
 	if (!buf)
 		return -ENOMEM;
 
+	if (offset_in_page(buf)) {
+		dma_free_coherent(dev, PAGE_SIZE << order,
+				  buf, sg_dma_address(mem));
+		return -ENOMEM;
+	}
+
 	sg_set_buf(mem, buf, PAGE_SIZE << order);
-	BUG_ON(mem->offset);
 	sg_dma_len(mem) = PAGE_SIZE << order;
 	return 0;
 }
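Review bot: the new offset_in_page(buf) branch in mlx4_alloc_icm_coherent() returns -ENOMEM without logging anything, so a misaligned coherent allocation becomes indistinguishable from real memory exhaustion. The BUG_ON(mem->offset) it replaces at least identified the condition; a dev_warn() or WARN_ONCE() ahead of the dma_free_coherent() call would keep that diagnosability without the crash. The free also depends on sg_dma_address(mem) having been filled in by the allocation above the visible context, which is worth confirming.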
diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
index 90269b3013b6..bee566803b5d 100644
--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2733,6 +2733,9 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4_dev *dev, int slave,
 		put_res(dev, slave, srqn, RES_SRQ);
 		qp->srq = srq;
 	}
+
+	/* Save param3 for dynamic changes from VST back to VGT */
+	qp->param3 = qpc->param3;
 	put_res(dev, slave, rcqn, RES_CQ);
 	put_res(dev, slave, mtt_base, RES_MTT);
 	res_end_move(dev, slave, RES_QP, qpn);
@@ -3495,7 +3498,6 @@ int mlx4_INIT2RTR_QP_wrapper(struct mlx4_dev *dev, int slave,
 	int qpn = vhcr->in_modifier & 0x7fffff;
 	struct res_qp *qp;
 	u8 orig_sched_queue;
-	__be32	orig_param3 = qpc->param3;
 	u8 orig_vlan_control = qpc->pri_path.vlan_control;
 	u8 orig_fvl_rx = qpc->pri_path.fvl_rx;
 	u8 orig_pri_path_fl = qpc->pri_path.fl;
@@ -3536,7 +3538,6 @@ out:
 	 */
 	if (!err) {
 		qp->sched_queue = orig_sched_queue;
-		qp->param3	= orig_param3;
 		qp->vlan_control = orig_vlan_control;
 		qp->fvl_rx	=  orig_fvl_rx;
 		qp->pri_path_fl = orig_pri_path_fl;
@@ -4091,6 +4092,7 @@ int mlx4_QP_FLOW_STEERING_DETACH_wrapper(struct mlx4_dev *dev, int slave,
 	int err;
 	struct res_qp *rqp;
 	struct res_fs_rule *rrule;
+	int qpn;
 
 	if (dev->caps.steering_mode !=
 	    MLX4_STEERING_MODE_DEVICE_MANAGED)
@@ -4099,9 +4101,10 @@ int mlx4_QP_FLOW_STEERING_DETACH_wrapper(struct mlx4_dev *dev, int slave,
 	err = get_res(dev, slave, vhcr->in_param, RES_FS_RULE, &rrule);
 	if (err)
 		return err;
+	qpn = rrule->qpn;
 	/* Release the rule form busy state before removal */
 	put_res(dev, slave, vhcr->in_param, RES_FS_RULE);
-	err = get_res(dev, slave, rrule->qpn, RES_QP, &rqp);
+	err = get_res(dev, slave, qpn, RES_QP, &rqp);
 	if (err)
 		return err;
 
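Review bot: the local qpn copy taken before put_res(dev, slave, vhcr->in_param, RES_FS_RULE) appears to exist because rrule must not be dereferenced once it has left the busy state, but the code does not say so. Extend the existing comment above put_res() to state that rrule is off limits after that call, so a later edit does not reintroduce rrule->qpn here or at the out: label.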
@@ -4117,7 +4120,7 @@ int mlx4_QP_FLOW_STEERING_DETACH_wrapper(struct mlx4_dev *dev, int slave,
 	if (!err)
 		atomic_dec(&rqp->ref_count);
 out:
-	put_res(dev, slave, rrule->qpn, RES_QP);
+	put_res(dev, slave, qpn, RES_QP);
 	return err;
 }
 
diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index f1ebb1f50f1c..9a03bfd51397 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -696,7 +696,7 @@ static struct sh_eth_cpu_data sh7734_data = {
 
 	.ecsr_value	= ECSR_ICD | ECSR_MPD,
 	.ecsipr_value	= ECSIPR_LCHNGIP | ECSIPR_ICDIP | ECSIPR_MPDIP,
-	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003f07ff,
 
 	.tx_check	= EESR_TC1 | EESR_FTC,
 	.eesr_err_check	= EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
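Review bot: the replacement mask 0x003f07ff in .eesipr_value for sh7734_data is a bare constant, and the bits it clears relative to 0x003fffff (0x0000f800) are not named. Either build the value from named interrupt-enable bits or add a comment saying which bits are left clear and why. The same applies to the identical change in sh7763_data.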
@@ -713,6 +713,7 @@ static struct sh_eth_cpu_data sh7734_data = {
 	.tsu		= 1,
 	.hw_crc		= 1,
 	.select_mii	= 1,
+	.shift_rd0	= 1,
 };
 
 /* SH7763 */
@@ -725,7 +726,7 @@ static struct sh_eth_cpu_data sh7763_data = {
 
 	.ecsr_value	= ECSR_ICD | ECSR_MPD,
 	.ecsipr_value	= ECSIPR_LCHNGIP | ECSIPR_ICDIP | ECSIPR_MPDIP,
-	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003fffff,
+	.eesipr_value	= DMAC_M_RFRMER | DMAC_M_ECI | 0x003f07ff,
 
 	.tx_check	= EESR_TC1 | EESR_FTC,
 	.eesr_err_check	= EESR_TWB1 | EESR_TWB | EESR_TABT | EESR_RABT |
@@ -781,6 +782,7 @@ static struct sh_eth_cpu_data r8a7740_data = {
 	.rpadir_value   = 2 << 16,
 	.no_trimd	= 1,
 	.no_ade		= 1,
+	.hw_crc		= 1,
 	.tsu		= 1,
 	.select_mii	= 1,
 	.shift_rd0	= 1,
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 641086fc14b5..76fd3a2fa742 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2769,12 +2769,6 @@ struct stmmac_priv *stmmac_dvr_probe(struct device *device,
 	spin_lock_init(&priv->lock);
 	spin_lock_init(&priv->tx_lock);
 
-	ret = register_netdev(ndev);
-	if (ret) {
-		pr_err("%s: ERROR %i registering the device\n", __func__, ret);
-		goto error_netdev_register;
-	}
-
 	/* If a specific clk_csr value is passed from the platform
 	 * this means that the CSR Clock Range selection cannot be
 	 * changed at run-time and it is fixed. Viceversa the driver'll try to
@@ -2799,11 +2793,21 @@ struct stmmac_priv *stmmac_dvr_probe(struct device *device,
 		}
 	}
 
+	ret = register_netdev(ndev);
+	if (ret) {
+		netdev_err(priv->dev, "%s: ERROR %i registering the device\n",
+			   __func__, ret);
+		goto error_netdev_register;
+	}
+
 	return priv;
 
-error_mdio_register:
-	unregister_netdev(ndev);
 error_netdev_register:
+	if (priv->pcs != STMMAC_PCS_RGMII &&
+	    priv->pcs != STMMAC_PCS_TBI &&
+	    priv->pcs != STMMAC_PCS_RTBI)
+		stmmac_mdio_unregister(ndev);
+error_mdio_register:
 	netif_napi_del(&priv->napi);
 error_hw_init:
 	clk_disable_unprepare(priv->stmmac_clk);
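Review bot: the three-way priv->pcs test guarding stmmac_mdio_unregister() under error_netdev_register has to match the condition under which MDIO was registered earlier in stmmac_dvr_probe(), and that registration is outside the visible context. If the two conditions ever diverge, this path will either unregister a bus that was never registered or leak one that was. Consider factoring the test into a small helper used at both sites, or recording the registration in a flag.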
diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
index 8c4aed3053eb..06b5e4132040 100644
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -100,6 +100,14 @@
 /* BUFFER_ALIGN(adr) calculates the number of bytes to the next alignment. */
 #define BUFFER_ALIGN(adr) ((ALIGNMENT - ((u32) adr)) % ALIGNMENT)
 
+#ifdef __BIG_ENDIAN
+#define xemaclite_readl		ioread32be
+#define xemaclite_writel	iowrite32be
+#else
+#define xemaclite_readl		ioread32
+#define xemaclite_writel	iowrite32
+#endif
+
 /**
  * struct net_local - Our private per device data
  * @ndev:		instance of the network device
@@ -158,15 +166,15 @@ static void xemaclite_enable_interrupts(struct net_local *drvdata)
 	u32 reg_data;
 
 	/* Enable the Tx interrupts for the first Buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data | XEL_TSR_XMIT_IE_MASK,
-		     drvdata->base_addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data | XEL_TSR_XMIT_IE_MASK,
+			 drvdata->base_addr + XEL_TSR_OFFSET);
 
 	/* Enable the Rx interrupts for the first buffer */
-	__raw_writel(XEL_RSR_RECV_IE_MASK, drvdata->base_addr + XEL_RSR_OFFSET);
+	xemaclite_writel(XEL_RSR_RECV_IE_MASK, drvdata->base_addr + XEL_RSR_OFFSET);
 
 	/* Enable the Global Interrupt Enable */
-	__raw_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
+	xemaclite_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
 }
 
 /**
@@ -181,17 +189,17 @@ static void xemaclite_disable_interrupts(struct net_local *drvdata)
 	u32 reg_data;
 
 	/* Disable the Global Interrupt Enable */
-	__raw_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
+	xemaclite_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
 
 	/* Disable the Tx interrupts for the first buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data & (~XEL_TSR_XMIT_IE_MASK),
-		     drvdata->base_addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data & (~XEL_TSR_XMIT_IE_MASK),
+			 drvdata->base_addr + XEL_TSR_OFFSET);
 
 	/* Disable the Rx interrupts for the first buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_RSR_OFFSET);
-	__raw_writel(reg_data & (~XEL_RSR_RECV_IE_MASK),
-		     drvdata->base_addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_RSR_OFFSET);
+	xemaclite_writel(reg_data & (~XEL_RSR_RECV_IE_MASK),
+			 drvdata->base_addr + XEL_RSR_OFFSET);
 }
 
 /**
@@ -323,7 +331,7 @@ static int xemaclite_send_data(struct net_local *drvdata, u8 *data,
 		byte_count = ETH_FRAME_LEN;
 
 	/* Check if the expected buffer is available */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 	if ((reg_data & (XEL_TSR_XMIT_BUSY_MASK |
 	     XEL_TSR_XMIT_ACTIVE_MASK)) == 0) {
 
@@ -336,7 +344,7 @@ static int xemaclite_send_data(struct net_local *drvdata, u8 *data,
 
 		addr = (void __iomem __force *)((u32 __force)addr ^
 						 XEL_BUFFER_OFFSET);
-		reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+		reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 
 		if ((reg_data & (XEL_TSR_XMIT_BUSY_MASK |
 		     XEL_TSR_XMIT_ACTIVE_MASK)) != 0)
@@ -347,16 +355,16 @@ static int xemaclite_send_data(struct net_local *drvdata, u8 *data,
 	/* Write the frame to the buffer */
 	xemaclite_aligned_write(data, (u32 __force *) addr, byte_count);
 
-	__raw_writel((byte_count & XEL_TPLR_LENGTH_MASK),
-		     addr + XEL_TPLR_OFFSET);
+	xemaclite_writel((byte_count & XEL_TPLR_LENGTH_MASK),
+			 addr + XEL_TPLR_OFFSET);
 
 	/* Update the Tx Status Register to indicate that there is a
 	 * frame to send. Set the XEL_TSR_XMIT_ACTIVE_MASK flag which
 	 * is used by the interrupt handler to check whether a frame
 	 * has been transmitted */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 	reg_data |= (XEL_TSR_XMIT_BUSY_MASK | XEL_TSR_XMIT_ACTIVE_MASK);
-	__raw_writel(reg_data, addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data, addr + XEL_TSR_OFFSET);
 
 	return 0;
 }
@@ -371,7 +379,7 @@ static int xemaclite_send_data(struct net_local *drvdata, u8 *data,
  *
  * Return:	Total number of bytes received
  */
-static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
+static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data, int maxlen)
 {
 	void __iomem *addr;
 	u16 length, proto_type;
@@ -381,7 +389,7 @@ static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
 	addr = (drvdata->base_addr + drvdata->next_rx_buf_to_use);
 
 	/* Verify which buffer has valid data */
-	reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 
 	if ((reg_data & XEL_RSR_RECV_DONE_MASK) == XEL_RSR_RECV_DONE_MASK) {
 		if (drvdata->rx_ping_pong != 0)
@@ -398,27 +406,28 @@ static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
 			return 0;	/* No data was available */
 
 		/* Verify that buffer has valid data */
-		reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+		reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 		if ((reg_data & XEL_RSR_RECV_DONE_MASK) !=
 		     XEL_RSR_RECV_DONE_MASK)
 			return 0;	/* No data was available */
 	}
 
 	/* Get the protocol type of the ethernet frame that arrived */
-	proto_type = ((ntohl(__raw_readl(addr + XEL_HEADER_OFFSET +
+	proto_type = ((ntohl(xemaclite_readl(addr + XEL_HEADER_OFFSET +
 			XEL_RXBUFF_OFFSET)) >> XEL_HEADER_SHIFT) &
 			XEL_RPLR_LENGTH_MASK);
 
 	/* Check if received ethernet frame is a raw ethernet frame
 	 * or an IP packet or an ARP packet */
-	if (proto_type > (ETH_FRAME_LEN + ETH_FCS_LEN)) {
+	if (proto_type > ETH_DATA_LEN) {
 
 		if (proto_type == ETH_P_IP) {
-			length = ((ntohl(__raw_readl(addr +
+			length = ((ntohl(xemaclite_readl(addr +
 					XEL_HEADER_IP_LENGTH_OFFSET +
 					XEL_RXBUFF_OFFSET)) >>
 					XEL_HEADER_SHIFT) &
 					XEL_RPLR_LENGTH_MASK);
+			length = min_t(u16, length, ETH_DATA_LEN);
 			length += ETH_HLEN + ETH_FCS_LEN;
 
 		} else if (proto_type == ETH_P_ARP)
@@ -431,14 +440,17 @@ static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
 		/* Use the length in the frame, plus the header and trailer */
 		length = proto_type + ETH_HLEN + ETH_FCS_LEN;
 
+	if (WARN_ON(length > maxlen))
+		length = maxlen;
+
 	/* Read from the EmacLite device */
 	xemaclite_aligned_read((u32 __force *) (addr + XEL_RXBUFF_OFFSET),
 				data, length);
 
 	/* Acknowledge the frame */
-	reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 	reg_data &= ~XEL_RSR_RECV_DONE_MASK;
-	__raw_writel(reg_data, addr + XEL_RSR_OFFSET);
+	xemaclite_writel(reg_data, addr + XEL_RSR_OFFSET);
 
 	return length;
 }
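Review bot: WARN_ON(length > maxlen) in xemaclite_recv_data() fires on a length derived from fields read out of the received frame, so every oversized frame produces a full backtrace. WARN_ON_ONCE() or a rate-limited netdev message would keep the clamp while preventing the log from being flooded by traffic. The clamp itself is the important part and must stay ahead of xemaclite_aligned_read().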
@@ -465,14 +477,14 @@ static void xemaclite_update_address(struct net_local *drvdata,
 
 	xemaclite_aligned_write(address_ptr, (u32 __force *) addr, ETH_ALEN);
 
-	__raw_writel(ETH_ALEN, addr + XEL_TPLR_OFFSET);
+	xemaclite_writel(ETH_ALEN, addr + XEL_TPLR_OFFSET);
 
 	/* Update the MAC address in the EmacLite */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data | XEL_TSR_PROG_MAC_ADDR, addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data | XEL_TSR_PROG_MAC_ADDR, addr + XEL_TSR_OFFSET);
 
 	/* Wait for EmacLite to finish with the MAC address update */
-	while ((__raw_readl(addr + XEL_TSR_OFFSET) &
+	while ((xemaclite_readl(addr + XEL_TSR_OFFSET) &
 		XEL_TSR_PROG_MAC_ADDR) != 0)
 		;
 }
@@ -605,7 +617,7 @@ static void xemaclite_rx_handler(struct net_device *dev)
 
 	skb_reserve(skb, 2);
 
-	len = xemaclite_recv_data(lp, (u8 *) skb->data);
+	len = xemaclite_recv_data(lp, (u8 *) skb->data, len);
 
 	if (!len) {
 		dev->stats.rx_errors++;
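Review bot: the maxlen argument passed to xemaclite_recv_data() is len, but skb_reserve(skb, 2) on the preceding context line has already consumed two bytes of the buffer. Confirm that the skb was allocated with at least len plus that headroom, since the allocation is outside the visible lines; otherwise pass skb_tailroom(skb) so the bound tracks the space that actually remains.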
@@ -642,32 +654,32 @@ static irqreturn_t xemaclite_interrupt(int irq, void *dev_id)
 	u32 tx_status;
 
 	/* Check if there is Rx Data available */
-	if ((__raw_readl(base_addr + XEL_RSR_OFFSET) &
+	if ((xemaclite_readl(base_addr + XEL_RSR_OFFSET) &
 			 XEL_RSR_RECV_DONE_MASK) ||
-	    (__raw_readl(base_addr + XEL_BUFFER_OFFSET + XEL_RSR_OFFSET)
+	    (xemaclite_readl(base_addr + XEL_BUFFER_OFFSET + XEL_RSR_OFFSET)
 			 & XEL_RSR_RECV_DONE_MASK))
 
 		xemaclite_rx_handler(dev);
 
 	/* Check if the Transmission for the first buffer is completed */
-	tx_status = __raw_readl(base_addr + XEL_TSR_OFFSET);
+	tx_status = xemaclite_readl(base_addr + XEL_TSR_OFFSET);
 	if (((tx_status & XEL_TSR_XMIT_BUSY_MASK) == 0) &&
 		(tx_status & XEL_TSR_XMIT_ACTIVE_MASK) != 0) {
 
 		tx_status &= ~XEL_TSR_XMIT_ACTIVE_MASK;
-		__raw_writel(tx_status, base_addr + XEL_TSR_OFFSET);
+		xemaclite_writel(tx_status, base_addr + XEL_TSR_OFFSET);
 
 		tx_complete = true;
 	}
 
 	/* Check if the Transmission for the second buffer is completed */
-	tx_status = __raw_readl(base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
+	tx_status = xemaclite_readl(base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
 	if (((tx_status & XEL_TSR_XMIT_BUSY_MASK) == 0) &&
 		(tx_status & XEL_TSR_XMIT_ACTIVE_MASK) != 0) {
 
 		tx_status &= ~XEL_TSR_XMIT_ACTIVE_MASK;
-		__raw_writel(tx_status, base_addr + XEL_BUFFER_OFFSET +
-			     XEL_TSR_OFFSET);
+		xemaclite_writel(tx_status, base_addr + XEL_BUFFER_OFFSET +
+				 XEL_TSR_OFFSET);
 
 		tx_complete = true;
 	}
@@ -700,7 +712,7 @@ static int xemaclite_mdio_wait(struct net_local *lp)
 	/* wait for the MDIO interface to not be busy or timeout
 	   after some time.
 	*/
-	while (__raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET) &
+	while (xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET) &
 			XEL_MDIOCTRL_MDIOSTS_MASK) {
 		if (time_before_eq(end, jiffies)) {
 			WARN_ON(1);
@@ -736,17 +748,17 @@ static int xemaclite_mdio_read(struct mii_bus *bus, int phy_id, int reg)
 	 * MDIO Address register. Set the Status bit in the MDIO Control
 	 * register to start a MDIO read transaction.
 	 */
-	ctrl_reg = __raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
-	__raw_writel(XEL_MDIOADDR_OP_MASK |
-		     ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
-		     lp->base_addr + XEL_MDIOADDR_OFFSET);
-	__raw_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	ctrl_reg = xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(XEL_MDIOADDR_OP_MASK |
+			 ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
+			 lp->base_addr + XEL_MDIOADDR_OFFSET);
+	xemaclite_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	if (xemaclite_mdio_wait(lp))
 		return -ETIMEDOUT;
 
-	rc = __raw_readl(lp->base_addr + XEL_MDIORD_OFFSET);
+	rc = xemaclite_readl(lp->base_addr + XEL_MDIORD_OFFSET);
 
 	dev_dbg(&lp->ndev->dev,
 		"xemaclite_mdio_read(phy_id=%i, reg=%x) == %x\n",
@@ -783,13 +795,13 @@ static int xemaclite_mdio_write(struct mii_bus *bus, int phy_id, int reg,
 	 * Data register. Finally, set the Status bit in the MDIO Control
 	 * register to start a MDIO write transaction.
 	 */
-	ctrl_reg = __raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
-	__raw_writel(~XEL_MDIOADDR_OP_MASK &
-		     ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
-		     lp->base_addr + XEL_MDIOADDR_OFFSET);
-	__raw_writel(val, lp->base_addr + XEL_MDIOWR_OFFSET);
-	__raw_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	ctrl_reg = xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(~XEL_MDIOADDR_OP_MASK &
+			 ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
+			 lp->base_addr + XEL_MDIOADDR_OFFSET);
+	xemaclite_writel(val, lp->base_addr + XEL_MDIOWR_OFFSET);
+	xemaclite_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	return 0;
 }
@@ -834,8 +846,8 @@ static int xemaclite_mdio_setup(struct net_local *lp, struct device *dev)
 	/* Enable the MDIO bus by asserting the enable bit in MDIO Control
 	 * register.
 	 */
-	__raw_writel(XEL_MDIOCTRL_MDIOEN_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(XEL_MDIOCTRL_MDIOEN_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	bus = mdiobus_alloc();
 	if (!bus) {
@@ -1138,8 +1150,8 @@ static int xemaclite_of_probe(struct platform_device *ofdev)
 		dev_warn(dev, "No MAC address found\n");
 
 	/* Clear the Tx CSR's in case this is a restart */
-	__raw_writel(0, lp->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(0, lp->base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
+	xemaclite_writel(0, lp->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(0, lp->base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
 
 	/* Set the MAC address in the EmacLite device */
 	xemaclite_update_address(lp, ndev->dev_addr);
diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 7e3331821200..ab68d940a2c7 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -47,6 +47,9 @@ struct net_device_context {
 	struct work_struct work;
 };
 
+/* Restrict GSO size to account for NVGRE */
+#define NETVSC_GSO_MAX_SIZE	62768
+
 #define RING_SIZE_MIN 64
 static int ring_size = 128;
 module_param(ring_size, int, S_IRUGO);
@@ -839,6 +842,7 @@ static int netvsc_probe(struct hv_device *dev,
 	nvdev = hv_get_drvdata(dev);
 	netif_set_real_num_tx_queues(net, nvdev->num_chn);
 	netif_set_real_num_rx_queues(net, nvdev->num_chn);
+	netif_set_gso_max_size(net, NETVSC_GSO_MAX_SIZE);
 
 	ret = register_netdev(net);
 	if (ret != 0) {
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index faa79040d336..b787d1ceeba6 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -657,7 +657,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
 	size_t linear;
 
 	if (q->flags & IFF_VNET_HDR) {
-		vnet_hdr_len = q->vnet_hdr_sz;
+		vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);
 
 		err = -EINVAL;
 		if (len < vnet_hdr_len)
@@ -793,7 +793,7 @@ static ssize_t macvtap_put_user(struct macvtap_queue *q,
 
 	if (q->flags & IFF_VNET_HDR) {
 		struct virtio_net_hdr vnet_hdr;
-		vnet_hdr_len = q->vnet_hdr_sz;
+		vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);
 		if ((len -= vnet_hdr_len) < 0)
 			return -EINVAL;
 
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 343a71ad865b..1c843a4ac7a4 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1037,9 +1037,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
 	}
 
 	if (tun->flags & TUN_VNET_HDR) {
-		if (len < tun->vnet_hdr_sz)
+		int vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);
+
+		if (len < vnet_hdr_sz)
 			return -EINVAL;
-		len -= tun->vnet_hdr_sz;
+		len -= vnet_hdr_sz;
 
 		if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
 			return -EFAULT;
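Review bot: after the snapshot in tun_get_user(), len is checked only against vnet_hdr_sz, yet memcpy_fromiovecend() then copies sizeof(gso) bytes. That is safe only if vnet_hdr_sz can never be smaller than sizeof(gso), an invariant that would have to be enforced where the size is set and is not visible in this function. A comment stating that invariant, or an explicit check here, would make the bound self-evident.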
@@ -1050,7 +1052,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
 
 		if (gso.hdr_len > len)
 			return -EINVAL;
-		offset += tun->vnet_hdr_sz;
+		offset += vnet_hdr_sz;
 	}
 
 	if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
@@ -1227,15 +1229,19 @@ static ssize_t tun_put_user(struct tun_struct *tun,
 	ssize_t total = 0;
 	int vlan_offset = 0, copied;
 	int vlan_hlen = 0;
+	int vnet_hdr_sz = 0;
 
 	if (vlan_tx_tag_present(skb))
 		vlan_hlen = VLAN_HLEN;
 
+	if (tun->flags & TUN_VNET_HDR)
+		vnet_hdr_sz = ACCESS_ONCE(tun->vnet_hdr_sz);
+
 	if (!(tun->flags & TUN_NO_PI)) {
 		if ((len -= sizeof(pi)) < 0)
 			return -EINVAL;
 
-		if (len < skb->len) {
+		if (len < skb->len + vlan_hlen + vnet_hdr_sz) {
 			/* Packet will be striped */
 			pi.flags |= TUN_PKT_STRIP;
 		}
@@ -1245,9 +1251,9 @@ static ssize_t tun_put_user(struct tun_struct *tun,
 		total += sizeof(pi);
 	}
 
-	if (tun->flags & TUN_VNET_HDR) {
+	if (vnet_hdr_sz) {
 		struct virtio_net_hdr gso = { 0 }; /* no info leak */
-		if ((len -= tun->vnet_hdr_sz) < 0)
+		if ((len -= vnet_hdr_sz) < 0)
 			return -EINVAL;
 
 		if (skb_is_gso(skb)) {
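Review bot: replacing the TUN_VNET_HDR flag test with if (vnet_hdr_sz) makes header emission in tun_put_user() depend on the size being non-zero. With the flag set and a size of zero, the old code still wrote the gso header and the new code silently skips it, so this relies on the setter rejecting zero. Either note that invariant next to the int vnet_hdr_sz = 0 declaration or keep testing the flag alongside the snapshot.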
@@ -1291,7 +1297,7 @@ static ssize_t tun_put_user(struct tun_struct *tun,
 		if (unlikely(memcpy_toiovecend(iv, (void *)&gso, total,
 					       sizeof(gso))))
 			return -EFAULT;
-		total += tun->vnet_hdr_sz;
+		total += vnet_hdr_sz;
 	}
 
 	copied = total;
diff --git a/drivers/net/usb/catc.c b/drivers/net/usb/catc.c
index 8cfc3bb0c6a6..436da0c3ce3b 100644
--- a/drivers/net/usb/catc.c
+++ b/drivers/net/usb/catc.c
@@ -777,7 +777,7 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
 	struct net_device *netdev;
 	struct catc *catc;
 	u8 broadcast[ETH_ALEN];
-	int i, pktsz;
+	int pktsz, ret;
 
 	if (usb_set_interface(usbdev,
 			intf->altsetting->desc.bInterfaceNumber, 1)) {
@@ -812,12 +812,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
 	if ((!catc->ctrl_urb) || (!catc->tx_urb) || 
 	    (!catc->rx_urb) || (!catc->irq_urb)) {
 		dev_err(&intf->dev, "No free urbs available.\n");
-		usb_free_urb(catc->ctrl_urb);
-		usb_free_urb(catc->tx_urb);
-		usb_free_urb(catc->rx_urb);
-		usb_free_urb(catc->irq_urb);
-		free_netdev(netdev);
-		return -ENOMEM;
+		ret = -ENOMEM;
+		goto fail_free;
 	}
 
 	/* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */
@@ -845,15 +841,24 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
                 catc->irq_buf, 2, catc_irq_done, catc, 1);
 
 	if (!catc->is_f5u011) {
+		u32 *buf;
+		int i;
+
 		dev_dbg(dev, "Checking memory size\n");
 
-		i = 0x12345678;
-		catc_write_mem(catc, 0x7a80, &i, 4);
-		i = 0x87654321;	
-		catc_write_mem(catc, 0xfa80, &i, 4);
-		catc_read_mem(catc, 0x7a80, &i, 4);
+		buf = kmalloc(4, GFP_KERNEL);
+		if (!buf) {
+			ret = -ENOMEM;
+			goto fail_free;
+		}
+
+		*buf = 0x12345678;
+		catc_write_mem(catc, 0x7a80, buf, 4);
+		*buf = 0x87654321;
+		catc_write_mem(catc, 0xfa80, buf, 4);
+		catc_read_mem(catc, 0x7a80, buf, 4);
 	  
-		switch (i) {
+		switch (*buf) {
 		case 0x12345678:
 			catc_set_reg(catc, TxBufCount, 8);
 			catc_set_reg(catc, RxBufCount, 32);
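Review bot: the return values of catc_write_mem() and catc_read_mem() in the memory-size probe are still ignored, so if the read fails *buf keeps the 0x87654321 left by the second write and the switch acts on stale data. Check the result of the read and, on error, free buf and take the fail_free path with ret set.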
@@ -868,6 +873,8 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
 			dev_dbg(dev, "32k Memory\n");
 			break;
 		}
+
+		kfree(buf);
 	  
 		dev_dbg(dev, "Getting MAC from SEEROM.\n");
 	  
@@ -914,16 +921,21 @@ static int catc_probe(struct usb_interface *intf, const struct usb_device_id *id
 	usb_set_intfdata(intf, catc);
 
 	SET_NETDEV_DEV(netdev, &intf->dev);
-	if (register_netdev(netdev) != 0) {
-		usb_set_intfdata(intf, NULL);
-		usb_free_urb(catc->ctrl_urb);
-		usb_free_urb(catc->tx_urb);
-		usb_free_urb(catc->rx_urb);
-		usb_free_urb(catc->irq_urb);
-		free_netdev(netdev);
-		return -EIO;
-	}
+	ret = register_netdev(netdev);
+	if (ret)
+		goto fail_clear_intfdata;
+
 	return 0;
+
+fail_clear_intfdata:
+	usb_set_intfdata(intf, NULL);
+fail_free:
+	usb_free_urb(catc->ctrl_urb);
+	usb_free_urb(catc->tx_urb);
+	usb_free_urb(catc->rx_urb);
+	usb_free_urb(catc->irq_urb);
+	free_netdev(netdev);
+	return ret;
 }
 
 static void catc_disconnect(struct usb_interface *intf)
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 2a32d9167d3b..610b2858c5c3 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -502,6 +502,7 @@ static const struct driver_info wwan_info = {
 #define DELL_VENDOR_ID		0x413C
 #define REALTEK_VENDOR_ID	0x0bda
 #define SAMSUNG_VENDOR_ID	0x04e8
+#define HP_VENDOR_ID		0x03f0
 
 static const struct usb_device_id	products[] = {
 /* BLACKLIST !!
@@ -648,6 +649,13 @@ static const struct usb_device_id	products[] = {
 	.driver_info = 0,
 },
 
+/* HP lt2523 (Novatel E371) - handled by qmi_wwan */
+{
+	USB_DEVICE_AND_INTERFACE_INFO(HP_VENDOR_ID, 0x421d, USB_CLASS_COMM,
+				      USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+	.driver_info = 0,
+},
+
 /* AnyDATA ADU960S - handled by qmi_wwan */
 {
 	USB_DEVICE_AND_INTERFACE_INFO(0x16d5, 0x650a, USB_CLASS_COMM,
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 58990934f192..73c5b0976f65 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -830,6 +830,13 @@ advance:
 	if (cdc_ncm_init(dev))
 		goto error2;
 
+	/* Some firmwares need a pause here or they will silently fail
+	 * to set up the interface properly.  This value was decided
+	 * empirically on a Sierra Wireless MC7455 running 02.08.02.00
+	 * firmware.
+	 */
+	usleep_range(10000, 20000);
+
 	/* configure data interface */
 	temp = usb_set_interface(dev->udev, iface_no, data_altsetting);
 	if (temp) {
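Review bot: the usleep_range(10000, 20000) before usb_set_interface() applies to every device this driver binds, although the comment ties the value to one modem and one firmware version. If the driver has a per-device quirk mechanism, gating the delay on it would avoid adding 10 to 20 ms to every bind; failing that, the comment should say that the delay is deliberately unconditional.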
diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index f84080215915..17fac0121e56 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
 
 static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
 {
+	u8 *buf;
 	int ret;
 
+	buf = kmalloc(size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
 	ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
 			      PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
-			      indx, data, size, 1000);
+			      indx, buf, size, 1000);
 	if (ret < 0)
 		netif_dbg(pegasus, drv, pegasus->net,
 			  "%s returned %d\n", __func__, ret);
+	else if (ret <= size)
+		memcpy(data, buf, ret);
+	kfree(buf);
 	return ret;
 }
 
-static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
+			 const void *data)
 {
+	u8 *buf;
 	int ret;
 
+	buf = kmemdup(data, size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
 	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
 			      PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
-			      indx, data, size, 100);
+			      indx, buf, size, 100);
 	if (ret < 0)
 		netif_dbg(pegasus, drv, pegasus->net,
 			  "%s returned %d\n", __func__, ret);
+	kfree(buf);
 	return ret;
 }
 
 static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
 {
+	u8 *buf;
 	int ret;
 
+	buf = kmemdup(&data, 1, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
 	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
 			      PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
-			      indx, &data, 1, 1000);
+			      indx, buf, 1, 1000);
 	if (ret < 0)
 		netif_dbg(pegasus, drv, pegasus->net,
 			  "%s returned %d\n", __func__, ret);
+	kfree(buf);
 	return ret;
 }
 
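Review bot: in get_registers(), the else if (ret <= size) guard skips the memcpy() when the transfer reports more than size bytes, but the function still returns that positive value, so the caller sees success while data was never written. Return an error such as -EIO in that case. The three helpers also repeat the same bounce-buffer pattern and could share one wrapper.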
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index f6caedf0920c..f07777eb09b1 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -535,6 +535,13 @@ static const struct usb_device_id products[] = {
 					      USB_CDC_PROTO_NONE),
 		.driver_info        = (unsigned long)&qmi_wwan_info,
 	},
+	{	/* HP lt2523 (Novatel E371) */
+		USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d,
+					      USB_CLASS_COMM,
+					      USB_CDC_SUBCLASS_ETHERNET,
+					      USB_CDC_PROTO_NONE),
+		.driver_info        = (unsigned long)&qmi_wwan_info,
+	},
 	{	/* HP lt4112 LTE/HSPA+ Gobi 4G Module (Huawei me906e) */
 		USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x581d, USB_CLASS_VENDOR_SPEC, 1, 7),
 		.driver_info = (unsigned long)&qmi_wwan_info,
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 3eab74c7c554..580793a8190e 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1596,7 +1596,7 @@ static u8 r8152_rx_csum(struct r8152 *tp, struct rx_desc *rx_desc)
 	u8 checksum = CHECKSUM_NONE;
 	u32 opts2, opts3;
 
-	if (tp->version == RTL_VER_01)
+	if (!(tp->netdev->features & NETIF_F_RXCSUM))
 		goto return_result;
 
 	opts2 = le32_to_cpu(rx_desc->opts2);
@@ -3454,6 +3454,11 @@ static int rtl8152_probe(struct usb_interface *intf,
 			      NETIF_F_TSO | NETIF_F_FRAGLIST |
 			      NETIF_F_IPV6_CSUM | NETIF_F_TSO6;
 
+	if (tp->version == RTL_VER_01) {
+		netdev->features &= ~NETIF_F_RXCSUM;
+		netdev->hw_features &= ~NETIF_F_RXCSUM;
+	}
+
 	netdev->ethtool_ops = &ops;
 	netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
 
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 6e87e5710048..eab8fba1f8c9 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -155,16 +155,36 @@ static const char driver_name [] = "rtl8150";
 */
 static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
 {
-	return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
-			       RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
-			       indx, 0, data, size, 500);
+	void *buf;
+	int ret;
+
+	buf = kmalloc(size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
+	ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
+			      RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
+			      indx, 0, buf, size, 500);
+	if (ret > 0 && ret <= size)
+		memcpy(data, buf, ret);
+	kfree(buf);
+	return ret;
 }
 
-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
 {
-	return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
-			       RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
-			       indx, 0, data, size, 500);
+	void *buf;
+	int ret;
+
+	buf = kmemdup(data, size, GFP_NOIO);
+	if (!buf)
+		return -ENOMEM;
+
+	ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+			      RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
+			      indx, 0, buf, size, 500);
+	kfree(buf);
+	return ret;
 }
 
 static void async_set_reg_cb(struct urb *urb)
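Review bot: in get_registers(), a short read (0 < ret < size) copies only ret bytes and a failed transfer copies nothing, yet data goes back to the caller either way, so every caller has to compare the return value with size before trusting the buffer; the hunk does not show that they do. If the ret <= size guard ever fails, the memcpy is skipped silently while a positive ret is still returned; returning an error there (for example -EIO) would be clearer. A one-line comment in both helpers saying why the transfer goes through a kmalloc'd bounce buffer instead of the caller's pointer would help the next reader.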
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 74dccfa00a5c..7badf2aa3f61 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1146,7 +1146,7 @@ static int vxlan_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 
 	/* Need Vxlan and inner Ethernet header to be present */
 	if (!pskb_may_pull(skb, VXLAN_HLEN))
-		goto error;
+		goto drop;
 
 	/* Return packets with reserved bits set */
 	vxh = (struct vxlanhdr *)(udp_hdr(skb) + 1);
@@ -1154,7 +1154,7 @@ static int vxlan_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 	    (vxh->vx_vni & htonl(0xff))) {
 		netdev_dbg(skb->dev, "invalid vxlan flags=%#x vni=%#x\n",
 			   ntohl(vxh->vx_flags), ntohl(vxh->vx_vni));
-		goto error;
+		goto drop;
 	}
 
 	if (iptunnel_pull_header(skb, VXLAN_HLEN, htons(ETH_P_TEB)))
@@ -1173,10 +1173,6 @@ drop:
 	/* Consume bad packet */
 	kfree_skb(skb);
 	return 0;
-
-error:
-	/* Return non vxlan pkt */
-	return 1;
 }
 
 static void vxlan_rcv(struct vxlan_sock *vs,
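Review bot: with the error label gone, the two early exits in vxlan_udp_encap_recv() (pskb_may_pull() failure and reserved bits set) now free the skb and return 0 instead of returning 1 with the skb intact, so the unchanged comment "Return packets with reserved bits set" above the flags check is stale and should say the packet is dropped. It is also worth confirming that nothing relied on the old return-1 path for non-VXLAN traffic arriving on this socket, since that is a visible behaviour change.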
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 567d5c31dfd2..ea6b55abd42d 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1440,6 +1440,8 @@ static void xennet_disconnect_backend(struct netfront_info *info)
 	for (i = 0; i < num_queues; ++i) {
 		struct netfront_queue *queue = &info->queues[i];
 
+		del_timer_sync(&queue->rx_refill_timer);
+
 		if (queue->tx_irq && (queue->tx_irq == queue->rx_irq))
 			unbind_from_irqhandler(queue->tx_irq, queue);
 		if (queue->tx_irq && (queue->tx_irq != queue->rx_irq)) {
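Review bot: del_timer_sync(&queue->rx_refill_timer) now runs at the top of the per-queue loop, before the unbind_from_irqhandler() calls below it. If the RX path that arms rx_refill_timer can still run while the IRQ is bound, the timer could be re-armed after this call; please confirm that cannot happen here, or move the del_timer_sync() after the unbind, and add a short comment stating the ordering requirement.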
@@ -2360,8 +2362,6 @@ static int xennet_remove(struct xenbus_device *dev)
 {
 	struct netfront_info *info = dev_get_drvdata(&dev->dev);
 	unsigned int num_queues = info->netdev->real_num_tx_queues;
-	struct netfront_queue *queue = NULL;
-	unsigned int i = 0;
 
 	dev_dbg(&dev->dev, "%s\n", dev->nodename);
 
@@ -2371,11 +2371,6 @@ static int xennet_remove(struct xenbus_device *dev)
 
 	unregister_netdev(info->netdev);
 
-	for (i = 0; i < num_queues; ++i) {
-		queue = &info->queues[i];
-		del_timer_sync(&queue->rx_refill_timer);
-	}
-
 	if (num_queues) {
 		kfree(info->queues);
 		info->queues = NULL;
diff --git a/drivers/pci/hotplug/rpadlpar_core.c b/drivers/pci/hotplug/rpadlpar_core.c
index 7660232ef460..6d82498f1e60 100644
--- a/drivers/pci/hotplug/rpadlpar_core.c
+++ b/drivers/pci/hotplug/rpadlpar_core.c
@@ -258,8 +258,13 @@ static int dlpar_add_phb(char *drc_name, struct device_node *dn)
 
 static int dlpar_add_vio_slot(char *drc_name, struct device_node *dn)
 {
-	if (vio_find_node(dn))
+	struct vio_dev *vio_dev;
+
+	vio_dev = vio_find_node(dn);
+	if (vio_dev) {
+		put_device(&vio_dev->dev);
 		return -EINVAL;
+	}
 
 	if (!vio_register_device_node(dn)) {
 		printk(KERN_ERR
@@ -335,6 +340,9 @@ static int dlpar_remove_vio_slot(char *drc_name, struct device_node *dn)
 		return -EINVAL;
 
 	vio_unregister_device(vio_dev);
+
+	put_device(&vio_dev->dev);
+
 	return 0;
 }
 
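Review bot: both added put_device() calls only make sense if vio_find_node() returns the device with a reference held, but neither function says so. A short comment at each call site (or in the documentation of vio_find_node()) stating that the lookup takes a reference the caller must drop would keep the next caller from reintroducing the leak. In dlpar_remove_vio_slot() the put correctly comes after vio_unregister_device(), since that call still uses vio_dev.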
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 3e981329c7a9..2e54269f5458 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1982,6 +1982,10 @@ bool pci_dev_run_wake(struct pci_dev *dev)
 	if (!dev->pme_support)
 		return false;
 
+	/* PME-capable in principle, but not from the intended sleep state */
+	if (!pci_pme_capable(dev, pci_target_state(dev)))
+		return false;
+
 	while (bus->parent) {
 		struct pci_dev *bridge = bus->self;
 
diff --git a/drivers/platform/x86/intel_mid_powerbtn.c b/drivers/platform/x86/intel_mid_powerbtn.c
index 8d6775266d66..04dc5ab2e30d 100644
--- a/drivers/platform/x86/intel_mid_powerbtn.c
+++ b/drivers/platform/x86/intel_mid_powerbtn.c
@@ -76,7 +76,7 @@ static int mfld_pb_probe(struct platform_device *pdev)
 
 	input_set_capability(input, EV_KEY, KEY_POWER);
 
-	error = request_threaded_irq(irq, NULL, mfld_pb_isr, IRQF_NO_SUSPEND,
+	error = request_threaded_irq(irq, NULL, mfld_pb_isr, IRQF_NO_SUSPEND | IRQF_ONESHOT,
 			DRIVER_NAME, input);
 	if (error) {
 		dev_err(&pdev->dev, "Unable to request irq %d for mfld power"
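Review bot: the changed request_threaded_irq() line now runs well past 80 columns; break after mfld_pb_isr and move IRQF_NO_SUSPEND | IRQF_ONESHOT onto the continuation line with DRIVER_NAME, input. Since the primary handler is NULL, a brief comment that IRQF_ONESHOT is required for a threaded-only handler would also document why the flag was added.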
diff --git a/drivers/regulator/stw481x-vmmc.c b/drivers/regulator/stw481x-vmmc.c
index a7e152696a02..f140b42956a4 100644
--- a/drivers/regulator/stw481x-vmmc.c
+++ b/drivers/regulator/stw481x-vmmc.c
@@ -47,7 +47,8 @@ static struct regulator_desc vmmc_regulator = {
 	.volt_table = stw481x_vmmc_voltages,
 	.enable_time = 200, /* FIXME: look this up */
 	.enable_reg = STW_CONF1,
-	.enable_mask = STW_CONF1_PDN_VMMC,
+	.enable_mask = STW_CONF1_PDN_VMMC | STW_CONF1_MMC_LS_STATUS,
+	.enable_val = STW_CONF1_PDN_VMMC,
 	.vsel_reg = STW_CONF1,
 	.vsel_mask = STW_CONF1_VMMC_MASK,
 };
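Review bot: enable_mask now covers STW_CONF1_MMC_LS_STATUS while enable_val sets only STW_CONF1_PDN_VMMC, so an enable through this mask/value pair clears the LS_STATUS bit as a side effect, and nothing in the descriptor explains that this is intended. Add a comment next to .enable_mask saying why that bit has to be cleared when the regulator is enabled.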
diff --git a/drivers/s390/char/vmlogrdr.c b/drivers/s390/char/vmlogrdr.c
index a8848db7b09d..064ffed2589d 100644
--- a/drivers/s390/char/vmlogrdr.c
+++ b/drivers/s390/char/vmlogrdr.c
@@ -873,7 +873,7 @@ static int __init vmlogrdr_init(void)
 		goto cleanup;
 
 	for (i=0; i < MAXMINOR; ++i ) {
-		sys_ser[i].buffer = (char *) get_zeroed_page(GFP_KERNEL);
+		sys_ser[i].buffer = (char *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
 		if (!sys_ser[i].buffer) {
 			rc = -ENOMEM;
 			break;
diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index 7b1fbd303c29..598b577760ef 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -289,11 +289,12 @@ void zfcp_dbf_rec_trig(char *tag, struct zfcp_adapter *adapter,
 
 
 /**
- * zfcp_dbf_rec_run - trace event related to running recovery
+ * zfcp_dbf_rec_run_lvl - trace event related to running recovery
+ * @level: trace level to be used for event
  * @tag: identifier for event
  * @erp: erp_action running
  */
-void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
+void zfcp_dbf_rec_run_lvl(int level, char *tag, struct zfcp_erp_action *erp)
 {
 	struct zfcp_dbf *dbf = erp->adapter->dbf;
 	struct zfcp_dbf_rec *rec = &dbf->rec_buf;
@@ -319,11 +320,21 @@ void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
 	else
 		rec->u.run.rec_count = atomic_read(&erp->adapter->erp_counter);
 
-	debug_event(dbf->rec, 1, rec, sizeof(*rec));
+	debug_event(dbf->rec, level, rec, sizeof(*rec));
 	spin_unlock_irqrestore(&dbf->rec_lock, flags);
 }
 
 /**
+ * zfcp_dbf_rec_run - trace event related to running recovery
+ * @tag: identifier for event
+ * @erp: erp_action running
+ */
+void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
+{
+	zfcp_dbf_rec_run_lvl(1, tag, erp);
+}
+
+/**
  * zfcp_dbf_rec_run_wka - trace wka port event with info like running recovery
  * @tag: identifier for event
  * @wka_port: well known address port
diff --git a/drivers/s390/scsi/zfcp_dbf.h b/drivers/s390/scsi/zfcp_dbf.h
index 36d07584271d..db186d44cfaf 100644
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2015
+ * Copyright IBM Corp. 2008, 2016
  */
 
 #ifndef ZFCP_DBF_H
@@ -283,6 +283,30 @@ struct zfcp_dbf {
 	struct zfcp_dbf_scsi		scsi_buf;
 };
 
+/**
+ * zfcp_dbf_hba_fsf_resp_suppress - true if we should not trace by default
+ * @req: request that has been completed
+ *
+ * Returns true if FCP response with only benign residual under count.
+ */
+static inline
+bool zfcp_dbf_hba_fsf_resp_suppress(struct zfcp_fsf_req *req)
+{
+	struct fsf_qtcb *qtcb = req->qtcb;
+	u32 fsf_stat = qtcb->header.fsf_status;
+	struct fcp_resp *fcp_rsp;
+	u8 rsp_flags, fr_status;
+
+	if (qtcb->prefix.qtcb_type != FSF_IO_COMMAND)
+		return false; /* not an FCP response */
+	fcp_rsp = (struct fcp_resp *)&qtcb->bottom.io.fcp_rsp;
+	rsp_flags = fcp_rsp->fr_flags;
+	fr_status = fcp_rsp->fr_status;
+	return (fsf_stat == FSF_FCP_RSP_AVAILABLE) &&
+		(rsp_flags == FCP_RESID_UNDER) &&
+		(fr_status == SAM_STAT_GOOD);
+}
+
 static inline
 void zfcp_dbf_hba_fsf_resp(char *tag, int level, struct zfcp_fsf_req *req)
 {
@@ -304,7 +328,9 @@ void zfcp_dbf_hba_fsf_response(struct zfcp_fsf_req *req)
 		zfcp_dbf_hba_fsf_resp("fs_perr", 1, req);
 
 	} else if (qtcb->header.fsf_status != FSF_GOOD) {
-		zfcp_dbf_hba_fsf_resp("fs_ferr", 1, req);
+		zfcp_dbf_hba_fsf_resp("fs_ferr",
+				      zfcp_dbf_hba_fsf_resp_suppress(req)
+				      ? 5 : 1, req);
 
 	} else if ((req->fsf_command == FSF_QTCB_OPEN_PORT_WITH_DID) ||
 		   (req->fsf_command == FSF_QTCB_OPEN_LUN)) {
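Review bot: the trace levels passed to zfcp_dbf_hba_fsf_resp() here are bare numbers (5 for the suppressed case, 1 otherwise), as are the 4 and 3 used elsewhere in this series. Please either introduce named constants or add a comment at this call saying that level 5 is not traced by default, so the meaning of "suppress" is visible at the call site. Note also that zfcp_dbf_hba_fsf_resp_suppress() compares rsp_flags with == rather than testing the bit, so any additional flag turns suppression off; if that is deliberate, say so in its kernel-doc.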
@@ -388,4 +414,15 @@ void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag)
 	_zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
 }
 
+/**
+ * zfcp_dbf_scsi_nullcmnd() - trace NULLify of SCSI command in dev/tgt-reset.
+ * @scmnd: SCSI command that was NULLified.
+ * @fsf_req: request that owned @scmnd.
+ */
+static inline void zfcp_dbf_scsi_nullcmnd(struct scsi_cmnd *scmnd,
+					  struct zfcp_fsf_req *fsf_req)
+{
+	_zfcp_dbf_scsi("scfc__1", 3, scmnd, fsf_req);
+}
+
 #endif /* ZFCP_DBF_H */
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index ac86ff90c897..acb0b8c3989d 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -3,7 +3,7 @@
  *
  * Error Recovery Procedures (ERP).
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -1211,6 +1211,62 @@ static void zfcp_erp_action_dequeue(struct zfcp_erp_action *erp_action)
 	}
 }
 
+/**
+ * zfcp_erp_try_rport_unblock - unblock rport if no more/new recovery
+ * @port: zfcp_port whose fc_rport we should try to unblock
+ */
+static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
+{
+	unsigned long flags;
+	struct zfcp_adapter *adapter = port->adapter;
+	int port_status;
+	struct Scsi_Host *shost = adapter->scsi_host;
+	struct scsi_device *sdev;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	port_status = atomic_read(&port->status);
+	if ((port_status & ZFCP_STATUS_COMMON_UNBLOCKED)    == 0 ||
+	    (port_status & (ZFCP_STATUS_COMMON_ERP_INUSE |
+			    ZFCP_STATUS_COMMON_ERP_FAILED)) != 0) {
+		/* new ERP of severity >= port triggered elsewhere meanwhile or
+		 * local link down (adapter erp_failed but not clear unblock)
+		 */
+		zfcp_dbf_rec_run_lvl(4, "ertru_p", &port->erp_action);
+		write_unlock_irqrestore(&adapter->erp_lock, flags);
+		return;
+	}
+	spin_lock(shost->host_lock);
+	__shost_for_each_device(sdev, shost) {
+		struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+		int lun_status;
+
+		if (zsdev->port != port)
+			continue;
+		/* LUN under port of interest */
+		lun_status = atomic_read(&zsdev->status);
+		if ((lun_status & ZFCP_STATUS_COMMON_ERP_FAILED) != 0)
+			continue; /* unblock rport despite failed LUNs */
+		/* LUN recovery not given up yet [maybe follow-up pending] */
+		if ((lun_status & ZFCP_STATUS_COMMON_UNBLOCKED) == 0 ||
+		    (lun_status & ZFCP_STATUS_COMMON_ERP_INUSE) != 0) {
+			/* LUN blocked:
+			 * not yet unblocked [LUN recovery pending]
+			 * or meanwhile blocked [new LUN recovery triggered]
+			 */
+			zfcp_dbf_rec_run_lvl(4, "ertru_l", &zsdev->erp_action);
+			spin_unlock(shost->host_lock);
+			write_unlock_irqrestore(&adapter->erp_lock, flags);
+			return;
+		}
+	}
+	/* now port has no child or all children have completed recovery,
+	 * and no ERP of severity >= port was meanwhile triggered elsewhere
+	 */
+	zfcp_scsi_schedule_rport_register(port);
+	spin_unlock(shost->host_lock);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 {
 	struct zfcp_adapter *adapter = act->adapter;
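Review bot: zfcp_erp_try_rport_unblock() takes adapter->erp_lock (write, irqsave) and then shost->host_lock inside it, and calls zfcp_scsi_schedule_rport_register() with both held, but the kernel-doc mentions neither the locking nor the required order. Please document the erp_lock then host_lock nesting and that the function must be called with neither lock held. The unlock sequence is also written out three times; shared exit labels for the host_lock and erp_lock release would make it harder to miss one on a future early return.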
@@ -1221,6 +1277,7 @@ static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 	case ZFCP_ERP_ACTION_REOPEN_LUN:
 		if (!(act->status & ZFCP_STATUS_ERP_NO_REF))
 			scsi_device_put(sdev);
+		zfcp_erp_try_rport_unblock(port);
 		break;
 
 	case ZFCP_ERP_ACTION_REOPEN_PORT:
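Review bot: in the ZFCP_ERP_ACTION_REOPEN_LUN case the new zfcp_erp_try_rport_unblock(port) call is unconditional, while the REOPEN_PORT case just below only calls it when result == ZFCP_ERP_SUCCEEDED. If that asymmetry is intended (the helper itself skips LUNs with ERP_FAILED set), a one-line comment here would save the reader from wondering whether a result check was forgotten.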
@@ -1231,7 +1288,7 @@ static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 		 */
 		if (act->step != ZFCP_ERP_STEP_UNINITIALIZED)
 			if (result == ZFCP_ERP_SUCCEEDED)
-				zfcp_scsi_schedule_rport_register(port);
+				zfcp_erp_try_rport_unblock(port);
 		/* fall through */
 	case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
 		put_device(&port->dev);
diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
index 1f1fe41ecb97..0c8c8b8fc1de 100644
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -3,7 +3,7 @@
  *
  * External function declarations.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #ifndef ZFCP_EXT_H
@@ -35,6 +35,8 @@ extern void zfcp_dbf_adapter_unregister(struct zfcp_adapter *);
 extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *,
 			      struct zfcp_port *, struct scsi_device *, u8, u8);
 extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *);
+extern void zfcp_dbf_rec_run_lvl(int level, char *tag,
+				 struct zfcp_erp_action *erp);
 extern void zfcp_dbf_rec_run_wka(char *, struct zfcp_fc_wka_port *, u64);
 extern void zfcp_dbf_hba_fsf_uss(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_hba_fsf_res(char *, int, struct zfcp_fsf_req *);
diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
index 6065212fdeed..36cf11cafee7 100644
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -1584,7 +1584,7 @@ out:
 int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
 {
 	struct zfcp_qdio *qdio = wka_port->adapter->qdio;
-	struct zfcp_fsf_req *req = NULL;
+	struct zfcp_fsf_req *req;
 	int retval = -EIO;
 
 	spin_lock_irq(&qdio->req_q_lock);
@@ -1613,7 +1613,7 @@ int zfcp_fsf_open_wka_port(struct zfcp_fc_wka_port *wka_port)
 		zfcp_fsf_req_free(req);
 out:
 	spin_unlock_irq(&qdio->req_q_lock);
-	if (req && !IS_ERR(req))
+	if (!retval)
 		zfcp_dbf_rec_run_wka("fsowp_1", wka_port, req->req_id);
 	return retval;
 }
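Review bot: with req no longer initialised to NULL, the read of req->req_id after the out label is only safe if retval == 0 is reachable solely with a valid request; the paths that jump to out are not all visible in this hunk, so please confirm none of them leaves retval at 0 with req unset or already freed. The dereference also happens after req_q_lock is released; if a sent request can complete and be freed from that point on, copy req_id into a local while the lock is still held and trace that instead. The same applies to zfcp_fsf_close_wka_port().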
@@ -1639,7 +1639,7 @@ static void zfcp_fsf_close_wka_port_handler(struct zfcp_fsf_req *req)
 int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
 {
 	struct zfcp_qdio *qdio = wka_port->adapter->qdio;
-	struct zfcp_fsf_req *req = NULL;
+	struct zfcp_fsf_req *req;
 	int retval = -EIO;
 
 	spin_lock_irq(&qdio->req_q_lock);
@@ -1668,7 +1668,7 @@ int zfcp_fsf_close_wka_port(struct zfcp_fc_wka_port *wka_port)
 		zfcp_fsf_req_free(req);
 out:
 	spin_unlock_irq(&qdio->req_q_lock);
-	if (req && !IS_ERR(req))
+	if (!retval)
 		zfcp_dbf_rec_run_wka("fscwp_1", wka_port, req->req_id);
 	return retval;
 }
diff --git a/drivers/s390/scsi/zfcp_fsf.h b/drivers/s390/scsi/zfcp_fsf.h
index be1c04b334c5..ea3c76ac0de1 100644
--- a/drivers/s390/scsi/zfcp_fsf.h
+++ b/drivers/s390/scsi/zfcp_fsf.h
@@ -3,7 +3,7 @@
  *
  * Interface to the FSF support functions.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #ifndef FSF_H
@@ -78,6 +78,7 @@
 #define FSF_APP_TAG_CHECK_FAILURE		0x00000082
 #define FSF_REF_TAG_CHECK_FAILURE		0x00000083
 #define FSF_ADAPTER_STATUS_AVAILABLE		0x000000AD
+#define FSF_FCP_RSP_AVAILABLE			0x000000AF
 #define FSF_UNKNOWN_COMMAND			0x000000E2
 #define FSF_UNKNOWN_OP_SUBTYPE                  0x000000E3
 #define FSF_INVALID_COMMAND_OPTION              0x000000E5
diff --git a/drivers/s390/scsi/zfcp_reqlist.h b/drivers/s390/scsi/zfcp_reqlist.h
index 7c2c6194dfca..703fce59befe 100644
--- a/drivers/s390/scsi/zfcp_reqlist.h
+++ b/drivers/s390/scsi/zfcp_reqlist.h
@@ -4,7 +4,7 @@
  * Data structure and helper functions for tracking pending FSF
  * requests.
  *
- * Copyright IBM Corp. 2009
+ * Copyright IBM Corp. 2009, 2016
  */
 
 #ifndef ZFCP_REQLIST_H
@@ -180,4 +180,32 @@ static inline void zfcp_reqlist_move(struct zfcp_reqlist *rl,
 	spin_unlock_irqrestore(&rl->lock, flags);
 }
 
+/**
+ * zfcp_reqlist_apply_for_all() - apply a function to every request.
+ * @rl: the requestlist that contains the target requests.
+ * @f: the function to apply to each request; the first parameter of the
+ *     function will be the target-request; the second parameter is the same
+ *     pointer as given with the argument @data.
+ * @data: freely chosen argument; passed through to @f as second parameter.
+ *
+ * Uses :c:macro:`list_for_each_entry` to iterate over the lists in the hash-
+ * table (not a 'safe' variant, so don't modify the list).
+ *
+ * Holds @rl->lock over the entire request-iteration.
+ */
+static inline void
+zfcp_reqlist_apply_for_all(struct zfcp_reqlist *rl,
+			   void (*f)(struct zfcp_fsf_req *, void *), void *data)
+{
+	struct zfcp_fsf_req *req;
+	unsigned long flags;
+	unsigned int i;
+
+	spin_lock_irqsave(&rl->lock, flags);
+	for (i = 0; i < ZFCP_REQ_LIST_BUCKETS; i++)
+		list_for_each_entry(req, &rl->buckets[i], list)
+			f(req, data);
+	spin_unlock_irqrestore(&rl->lock, flags);
+}
+
 #endif /* ZFCP_REQLIST_H */
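Review bot: zfcp_reqlist_apply_for_all() calls f with rl->lock held and interrupts disabled, but the kernel-doc only says the lock is held, not what that means for the callback. Please state explicitly that f must not sleep, must not take rl->lock again (so it cannot call the other zfcp_reqlist_* helpers), and must not add or remove requests, since the iteration uses the non-safe list_for_each_entry.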
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index 38ee0df633a3..66c37e77ac7c 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -109,9 +109,7 @@ int zfcp_scsi_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *scpnt)
 	}
 
 	if (unlikely(!(status & ZFCP_STATUS_COMMON_UNBLOCKED))) {
-		/* This could be either
-		 * open LUN pending: this is temporary, will result in
-		 *	open LUN or ERP_FAILED, so retry command
+		/* This could be
 		 * call to rport_delete pending: mimic retry from
 		 * 	fc_remote_port_chkready until rport is BLOCKED
 		 */
@@ -230,6 +228,57 @@ static int zfcp_scsi_eh_abort_handler(struct scsi_cmnd *scpnt)
 	return retval;
 }
 
+struct zfcp_scsi_req_filter {
+	u8 tmf_scope;
+	u32 lun_handle;
+	u32 port_handle;
+};
+
+static void zfcp_scsi_forget_cmnd(struct zfcp_fsf_req *old_req, void *data)
+{
+	struct zfcp_scsi_req_filter *filter =
+		(struct zfcp_scsi_req_filter *)data;
+
+	/* already aborted - prevent side-effects - or not a SCSI command */
+	if (old_req->data == NULL || old_req->fsf_command != FSF_QTCB_FCP_CMND)
+		return;
+
+	/* (tmf_scope == FCP_TMF_TGT_RESET || tmf_scope == FCP_TMF_LUN_RESET) */
+	if (old_req->qtcb->header.port_handle != filter->port_handle)
+		return;
+
+	if (filter->tmf_scope == FCP_TMF_LUN_RESET &&
+	    old_req->qtcb->header.lun_handle != filter->lun_handle)
+		return;
+
+	zfcp_dbf_scsi_nullcmnd((struct scsi_cmnd *)old_req->data, old_req);
+	old_req->data = NULL;
+}
+
+static void zfcp_scsi_forget_cmnds(struct zfcp_scsi_dev *zsdev, u8 tm_flags)
+{
+	struct zfcp_adapter *adapter = zsdev->port->adapter;
+	struct zfcp_scsi_req_filter filter = {
+		.tmf_scope = FCP_TMF_TGT_RESET,
+		.port_handle = zsdev->port->handle,
+	};
+	unsigned long flags;
+
+	if (tm_flags == FCP_TMF_LUN_RESET) {
+		filter.tmf_scope = FCP_TMF_LUN_RESET;
+		filter.lun_handle = zsdev->lun_handle;
+	}
+
+	/*
+	 * abort_lock secures against other processings - in the abort-function
+	 * and normal cmnd-handler - of (struct zfcp_fsf_req *)->data
+	 */
+	write_lock_irqsave(&adapter->abort_lock, flags);
+	zfcp_reqlist_apply_for_all(adapter->req_list, zfcp_scsi_forget_cmnd,
+				   &filter);
+	write_unlock_irqrestore(&adapter->abort_lock, flags);
+}
+
 static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
 {
 	struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
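Review bot: in zfcp_scsi_forget_cmnd() the line /* (tmf_scope == FCP_TMF_TGT_RESET || tmf_scope == FCP_TMF_LUN_RESET) */ reads like commented-out code rather than an explanation; reword it as a sentence (both scopes are limited to the port) or drop it. The explicit cast of data to struct zfcp_scsi_req_filter * is unnecessary for a void pointer. It would also help to note in the comment above write_lock_irqsave() that abort_lock is taken outside the request list lock that zfcp_reqlist_apply_for_all() acquires, so the nesting order is on record.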
@@ -262,8 +311,10 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
 	if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
 		zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
 		retval = FAILED;
-	} else
+	} else {
 		zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+		zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
+	}
 
 	zfcp_fsf_req_free(fsf_req);
 	return retval;
diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
index 560bbbd03788..5f335917f477 100644
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2291,6 +2291,7 @@ int megasas_wait_for_outstanding_fusion(struct megasas_instance *instance,
 		printk("megaraid_sas: pending commands remain after waiting, "
 		       "will reset adapter scsi%d.\n",
 		       instance->host->host_no);
+		*convert = 1;
 		retval = 1;
 	}
 out:
diff --git a/drivers/scsi/mvsas/mv_94xx.c b/drivers/scsi/mvsas/mv_94xx.c
index 9270d15ff1a4..7353ac8d0d39 100644
--- a/drivers/scsi/mvsas/mv_94xx.c
+++ b/drivers/scsi/mvsas/mv_94xx.c
@@ -621,7 +621,7 @@ static void mvs_94xx_command_active(struct mvs_info *mvi, u32 slot_idx)
 {
 	u32 tmp;
 	tmp = mvs_cr32(mvi, MVS_COMMAND_ACTIVE+(slot_idx >> 3));
-	if (tmp && 1 << (slot_idx % 32)) {
+	if (tmp & 1 << (slot_idx % 32)) {
 		mv_printk("command active %08X,  slot [%x].\n", tmp, slot_idx);
 		mvs_cw32(mvi, MVS_COMMAND_ACTIVE + (slot_idx >> 3),
 			1 << (slot_idx % 32));
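Review bot: the corrected test tmp & 1 << (slot_idx % 32) relies on << binding tighter than &, which is right but easy to misread next to the && it replaces; write it as tmp & (1U << (slot_idx % 32)). Using 1U also avoids shifting a signed 1 into the sign bit when slot_idx % 32 is 31, and the same applies to the mask passed to mvs_cw32() two lines below.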
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 5072251cdb8b..c770ef886dc2 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3393,7 +3393,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 				sizeof(struct ct6_dsd), 0,
 				SLAB_HWCACHE_ALIGN, NULL);
 			if (!ctx_cachep)
-				goto fail_free_gid_list;
+				goto fail_free_srb_mempool;
 		}
 		ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
 			ctx_cachep);
@@ -3546,7 +3546,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 	ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
 	    GFP_KERNEL);
 	if (!ha->loop_id_map)
-		goto fail_async_pd;
+		goto fail_loop_id_map;
 	else {
 		qla2x00_set_reserved_loop_ids(ha);
 		ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
@@ -3555,6 +3555,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 
 	return 0;
 
+fail_loop_id_map:
+	dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
 fail_async_pd:
 	dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
 fail_ex_init_cb:
@@ -3582,6 +3584,10 @@ fail_free_ms_iocb:
 	dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
 	ha->ms_iocb = NULL;
 	ha->ms_iocb_dma = 0;
+
+	if (ha->sns_cmd)
+		dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
+		    ha->sns_cmd, ha->sns_cmd_dma);
 fail_dma_pool:
 	if (IS_QLA82XX(ha) || ql2xenabledif) {
 		dma_pool_destroy(ha->fcp_cmnd_dma_pool);
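Review bot: the new sns_cmd cleanup frees ha->sns_cmd but, unlike the ms_iocb lines directly above it, does not reset ha->sns_cmd and ha->sns_cmd_dma afterwards, so any later teardown that tests ha->sns_cmd would free it a second time. Set both to NULL/0 after dma_free_coherent(). The same question applies to ha->async_pd under the new fail_loop_id_map label.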
@@ -3599,10 +3605,12 @@ fail_free_nvram:
 	kfree(ha->nvram);
 	ha->nvram = NULL;
 fail_free_ctx_mempool:
-	mempool_destroy(ha->ctx_mempool);
+	if (ha->ctx_mempool)
+		mempool_destroy(ha->ctx_mempool);
 	ha->ctx_mempool = NULL;
 fail_free_srb_mempool:
-	mempool_destroy(ha->srb_mempool);
+	if (ha->srb_mempool)
+		mempool_destroy(ha->srb_mempool);
 	ha->srb_mempool = NULL;
 fail_free_gid_list:
 	dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 1b30a65554f9..ae280e7d3831 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1002,10 +1002,6 @@ int scsi_sysfs_add_sdev(struct scsi_device *sdev)
 	struct request_queue *rq = sdev->request_queue;
 	struct scsi_target *starget = sdev->sdev_target;
 
-	error = scsi_device_set_state(sdev, SDEV_RUNNING);
-	if (error)
-		return error;
-
 	error = scsi_target_add(starget);
 	if (error)
 		return error;
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index b4d50662fc6f..0206b495b65e 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1716,6 +1716,10 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
 			iov_count = iov_shorten(iov, iov_count, hp->dxfer_len);
 			len = hp->dxfer_len;
 		}
+		if (len == 0) {
+			kfree(iov);
+			return -EINVAL;
+		}
 
 		res = blk_rq_map_user_iov(q, rq, md, (struct sg_iovec *)iov,
 					  iov_count,
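Review bot: the new len == 0 check in sg_start_req() has no comment saying why a zero total length must be rejected before blk_rq_map_user_iov() is called, so it looks removable to a later cleanup; add one line above the if. Its placement after the iov_shorten() branch and the kfree(iov) before returning -EINVAL both look right.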
diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c
index a8dc95ebf2d6..7700cef5e177 100644
--- a/drivers/ssb/pci.c
+++ b/drivers/ssb/pci.c
@@ -846,6 +846,7 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus,
 			if (err) {
 				ssb_warn("WARNING: Using fallback SPROM failed (err %d)\n",
 					 err);
+				goto out_free;
 			} else {
 				ssb_dbg("Using SPROM revision %d provided by platform\n",
 					sprom->revision);
diff --git a/drivers/staging/iio/adc/ad7606_core.c b/drivers/staging/iio/adc/ad7606_core.c
index f0f05f195d2c..d4598ef48543 100644
--- a/drivers/staging/iio/adc/ad7606_core.c
+++ b/drivers/staging/iio/adc/ad7606_core.c
@@ -186,7 +186,7 @@ static ssize_t ad7606_store_oversampling_ratio(struct device *dev,
 	mutex_lock(&indio_dev->mlock);
 	gpio_set_value(st->pdata->gpio_os0, (ret >> 0) & 1);
 	gpio_set_value(st->pdata->gpio_os1, (ret >> 1) & 1);
-	gpio_set_value(st->pdata->gpio_os1, (ret >> 2) & 1);
+	gpio_set_value(st->pdata->gpio_os2, (ret >> 2) & 1);
 	st->oversampling = lval;
 	mutex_unlock(&indio_dev->mlock);
 
diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
index d95c427043d4..3c1d1401522f 100644
--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
+++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
@@ -1351,7 +1351,7 @@ static int vpfe_reqbufs(struct file *file, void *priv,
 	if (ret) {
 		v4l2_err(&vpfe_dev->v4l2_dev, "vb2_queue_init() failed\n");
 		vb2_dma_contig_cleanup_ctx(vpfe_dev->pdev);
-		return ret;
+		goto unlock_out;
 	}
 
 	fh->io_allowed = 1;
diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c
index c3cb5c15efda..48cd3cf741df 100644
--- a/drivers/target/iscsi/iscsi_target_tpg.c
+++ b/drivers/target/iscsi/iscsi_target_tpg.c
@@ -261,7 +261,6 @@ err_out:
 		iscsi_release_param_list(tpg->param_list);
 		tpg->param_list = NULL;
 	}
-	kfree(tpg);
 	return -ENOMEM;
 }
 
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index f4865901263f..a29fdfab0d3a 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -368,6 +368,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
 					     int *post_ret)
 {
 	struct se_device *dev = cmd->se_dev;
+	sense_reason_t ret = TCM_NO_SENSE;
 
 	/*
 	 * Only set SCF_COMPARE_AND_WRITE_POST to force a response fall-through
@@ -375,9 +376,12 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
 	 * sent to the backend driver.
 	 */
 	spin_lock_irq(&cmd->t_state_lock);
-	if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
+	if (cmd->transport_state & CMD_T_SENT) {
 		cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
 		*post_ret = 1;
+
+		if (cmd->scsi_status == SAM_STAT_CHECK_CONDITION)
+			ret = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
 	}
 	spin_unlock_irq(&cmd->t_state_lock);
 
@@ -387,7 +391,7 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
 	 */
 	up(&dev->caw_sem);
 
-	return TCM_NO_SENSE;
+	return ret;
 }
 
 static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index d3f65523a19d..589f9df574f2 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -3093,7 +3093,6 @@ static void target_tmr_work(struct work_struct *work)
 		spin_unlock_irqrestore(&cmd->t_state_lock, flags);
 		goto check_stop;
 	}
-	cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
 	spin_unlock_irqrestore(&cmd->t_state_lock, flags);
 
 	cmd->se_tfo->queue_tm_rsp(cmd);
@@ -3106,11 +3105,25 @@ int transport_generic_handle_tmr(
 	struct se_cmd *cmd)
 {
 	unsigned long flags;
+	bool aborted = false;
 
 	spin_lock_irqsave(&cmd->t_state_lock, flags);
-	cmd->transport_state |= CMD_T_ACTIVE;
+	if (cmd->transport_state & CMD_T_ABORTED) {
+		aborted = true;
+	} else {
+		cmd->t_state = TRANSPORT_ISTATE_PROCESSING;
+		cmd->transport_state |= CMD_T_ACTIVE;
+	}
 	spin_unlock_irqrestore(&cmd->t_state_lock, flags);
 
+	if (aborted) {
+		pr_warn_ratelimited("handle_tmr caught CMD_T_ABORTED TMR %d"
+			"ref_tag: %u tag: %u\n", cmd->se_tmr_req->function,
+			cmd->se_tmr_req->ref_task_tag, cmd->se_tfo->get_task_tag(cmd));
+		transport_cmd_check_stop_to_fabric(cmd);
+		return 0;
+	}
+
 	INIT_WORK(&cmd->work, target_tmr_work);
 	queue_work(cmd->se_dev->tmr_wq, &cmd->work);
 	return 0;
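Review bot: the pr_warn_ratelimited() format string in transport_generic_handle_tmr() is split as "... TMR %d" "ref_tag: %u tag: %u\n" with no space at the join, so the message prints the TMR function number run together with "ref_tag:"; add a trailing space after %d, or better keep the string on one line so it stays greppable. A comment on why t_state is now set here under t_state_lock rather than in target_tmr_work() would also help.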
diff --git a/drivers/target/target_core_xcopy.c b/drivers/target/target_core_xcopy.c
index 60e611df4818..f9b28a5a52a4 100644
--- a/drivers/target/target_core_xcopy.c
+++ b/drivers/target/target_core_xcopy.c
@@ -881,7 +881,7 @@ out:
 			" CHECK_CONDITION -> sending response\n", rc);
 		ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
 	}
-	target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
+	target_complete_cmd(ec_cmd, ec_cmd->scsi_status);
 }
 
 sense_reason_t target_do_xcopy(struct se_cmd *se_cmd)
diff --git a/drivers/thermal/thermal_hwmon.c b/drivers/thermal/thermal_hwmon.c
index 1967bee4f076..9035fbc5e98d 100644
--- a/drivers/thermal/thermal_hwmon.c
+++ b/drivers/thermal/thermal_hwmon.c
@@ -98,7 +98,7 @@ temp_crit_show(struct device *dev, struct device_attribute *attr, char *buf)
 	long temperature;
 	int ret;
 
-	ret = tz->ops->get_trip_temp(tz, 0, &temperature);
+	ret = tz->ops->get_crit_temp(tz, &temperature);
 	if (ret)
 		return ret;
 
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 644ddb841d9f..6d1e2f746ab4 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -114,7 +114,7 @@
 #define DEFAULT_TX_BUF_COUNT 3
 
 struct n_hdlc_buf {
-	struct n_hdlc_buf *link;
+	struct list_head  list_item;
 	int		  count;
 	char		  buf[1];
 };
@@ -122,8 +122,7 @@ struct n_hdlc_buf {
 #define	N_HDLC_BUF_SIZE	(sizeof(struct n_hdlc_buf) + maxframe)
 
 struct n_hdlc_buf_list {
-	struct n_hdlc_buf *head;
-	struct n_hdlc_buf *tail;
+	struct list_head  list;
 	int		  count;
 	spinlock_t	  spinlock;
 };
@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
  * @backup_tty - TTY to use if tty gets closed
  * @tbusy - reentrancy flag for tx wakeup code
  * @woke_up - FIXME: describe this field
- * @tbuf - currently transmitting tx buffer
  * @tx_buf_list - list of pending transmit frame buffers
  * @rx_buf_list - list of received frame buffers
  * @tx_free_buf_list - list unused transmit frame buffers
@@ -149,7 +147,6 @@ struct n_hdlc {
 	struct tty_struct	*backup_tty;
 	int			tbusy;
 	int			woke_up;
-	struct n_hdlc_buf	*tbuf;
 	struct n_hdlc_buf_list	tx_buf_list;
 	struct n_hdlc_buf_list	rx_buf_list;
 	struct n_hdlc_buf_list	tx_free_buf_list;
@@ -159,7 +156,8 @@ struct n_hdlc {
 /*
  * HDLC buffer list manipulation functions
  */
-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list);
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+						struct n_hdlc_buf *buf);
 static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
 			   struct n_hdlc_buf *buf);
 static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
@@ -209,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
 {
 	struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
 	struct n_hdlc_buf *buf;
-	unsigned long flags;
 
 	while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
 		n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
- 	spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
-	if (n_hdlc->tbuf) {
-		n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
-		n_hdlc->tbuf = NULL;
-	}
-	spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
 }
 
 static struct tty_ldisc_ops n_hdlc_ldisc = {
@@ -284,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
 		} else
 			break;
 	}
-	kfree(n_hdlc->tbuf);
 	kfree(n_hdlc);
 	
 }	/* end of n_hdlc_release() */
@@ -403,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 	n_hdlc->woke_up = 0;
 	spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
 
-	/* get current transmit buffer or get new transmit */
-	/* buffer from list of pending transmit buffers */
-		
-	tbuf = n_hdlc->tbuf;
-	if (!tbuf)
-		tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
-		
+	tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
 	while (tbuf) {
 		if (debuglevel >= DEBUG_LEVEL_INFO)	
 			printk("%s(%d)sending frame %p, count=%d\n",
@@ -421,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 
 		/* rollback was possible and has been done */
 		if (actual == -ERESTARTSYS) {
-			n_hdlc->tbuf = tbuf;
+			n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
 			break;
 		}
 		/* if transmit error, throw frame away by */
@@ -436,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 					
 			/* free current transmit buffer */
 			n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
-			
-			/* this tx buffer is done */
-			n_hdlc->tbuf = NULL;
-			
+
 			/* wait up sleeping writers */
 			wake_up_interruptible(&tty->write_wait);
 	
@@ -449,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
 			if (debuglevel >= DEBUG_LEVEL_INFO)	
 				printk("%s(%d)frame %p pending\n",
 					__FILE__,__LINE__,tbuf);
-					
-			/* buffer not accepted by driver */
-			/* set this buffer as pending buffer */
-			n_hdlc->tbuf = tbuf;
+
+			/*
+			 * the buffer was not accepted by driver,
+			 * return it back into tx queue
+			 */
+			n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
 			break;
 		}
 	}
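Review bot: In n_hdlc_send_frames() the frame is held only in the local
tbuf between n_hdlc_buf_get() and n_hdlc_buf_return(), and the two calls
take tx_buf_list.spinlock separately. A flush_tx_queue() that runs in
that window drains tx_buf_list without seeing this frame, and the frame
is then put back at the head of the list after the flush. If that is
acceptable, the comment above n_hdlc_buf_return() should say so;
otherwise the flush needs a way to invalidate the in-flight frame.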
@@ -750,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
 	int error = 0;
 	int count;
 	unsigned long flags;
-	
+	struct n_hdlc_buf *buf = NULL;
+
 	if (debuglevel >= DEBUG_LEVEL_INFO)	
 		printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
 			__FILE__,__LINE__,cmd);
@@ -764,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
 		/* report count of read data available */
 		/* in next available frame (if any) */
 		spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
-		if (n_hdlc->rx_buf_list.head)
-			count = n_hdlc->rx_buf_list.head->count;
+		buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
+						struct n_hdlc_buf, list_item);
+		if (buf)
+			count = buf->count;
 		else
 			count = 0;
 		spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
@@ -777,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
 		count = tty_chars_in_buffer(tty);
 		/* add size of next output frame in queue */
 		spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
-		if (n_hdlc->tx_buf_list.head)
-			count += n_hdlc->tx_buf_list.head->count;
+		buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
+						struct n_hdlc_buf, list_item);
+		if (buf)
+			count += buf->count;
 		spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
 		error = put_user(count, (int __user *)arg);
 		break;
@@ -826,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
 		poll_wait(filp, &tty->write_wait, wait);
 
 		/* set bits for operations that won't block */
-		if (n_hdlc->rx_buf_list.head)
+		if (!list_empty(&n_hdlc->rx_buf_list.list))
 			mask |= POLLIN | POLLRDNORM;	/* readable */
 		if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
 			mask |= POLLHUP;
 		if (tty_hung_up_p(filp))
 			mask |= POLLHUP;
 		if (!tty_is_writelocked(tty) &&
-				n_hdlc->tx_free_buf_list.head)
+				!list_empty(&n_hdlc->tx_free_buf_list.list))
 			mask |= POLLOUT | POLLWRNORM;	/* writable */
 	}
 	return mask;
@@ -853,11 +841,16 @@ static struct n_hdlc *n_hdlc_alloc(void)
 	if (!n_hdlc)
 		return NULL;
 
-	n_hdlc_buf_list_init(&n_hdlc->rx_free_buf_list);
-	n_hdlc_buf_list_init(&n_hdlc->tx_free_buf_list);
-	n_hdlc_buf_list_init(&n_hdlc->rx_buf_list);
-	n_hdlc_buf_list_init(&n_hdlc->tx_buf_list);
-	
+	spin_lock_init(&n_hdlc->rx_free_buf_list.spinlock);
+	spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
+	spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
+	spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
+
+	INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
+	INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
+	INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
+	INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
+
 	/* allocate free rx buffer list */
 	for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
 		buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
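Review bot: The removed n_hdlc_buf_list_init() also did
memset(list, 0, sizeof(*list)), which zeroed count; the replacement
lines initialise only the spinlock and the list head. That is correct
only if the n_hdlc allocation above this hunk returns zeroed memory, so
please confirm that for this tree or set count = 0 explicitly for the
four lists.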
@@ -885,63 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
 }	/* end of n_hdlc_alloc() */
 
 /**
- * n_hdlc_buf_list_init - initialize specified HDLC buffer list
- * @list - pointer to buffer list
+ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
+ * @buf_list - pointer to the buffer list
+ * @buf - pointer to the buffer
  */
-static void n_hdlc_buf_list_init(struct n_hdlc_buf_list *list)
+static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
+						struct n_hdlc_buf *buf)
 {
-	memset(list, 0, sizeof(*list));
-	spin_lock_init(&list->spinlock);
-}	/* end of n_hdlc_buf_list_init() */
+	unsigned long flags;
+
+	spin_lock_irqsave(&buf_list->spinlock, flags);
+
+	list_add(&buf->list_item, &buf_list->list);
+	buf_list->count++;
+
+	spin_unlock_irqrestore(&buf_list->spinlock, flags);
+}
 
 /**
  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
- * @list - pointer to buffer list
+ * @buf_list - pointer to buffer list
  * @buf	- pointer to buffer
  */
-static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
+static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
 			   struct n_hdlc_buf *buf)
 {
 	unsigned long flags;
-	spin_lock_irqsave(&list->spinlock,flags);
-	
-	buf->link=NULL;
-	if (list->tail)
-		list->tail->link = buf;
-	else
-		list->head = buf;
-	list->tail = buf;
-	(list->count)++;
-	
-	spin_unlock_irqrestore(&list->spinlock,flags);
-	
+
+	spin_lock_irqsave(&buf_list->spinlock, flags);
+
+	list_add_tail(&buf->list_item, &buf_list->list);
+	buf_list->count++;
+
+	spin_unlock_irqrestore(&buf_list->spinlock, flags);
 }	/* end of n_hdlc_buf_put() */
 
 /**
  * n_hdlc_buf_get - remove and return an HDLC buffer from list
- * @list - pointer to HDLC buffer list
+ * @buf_list - pointer to HDLC buffer list
  * 
  * Remove and return an HDLC buffer from the head of the specified HDLC buffer
  * list.
  * Returns a pointer to HDLC buffer if available, otherwise %NULL.
  */
-static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
+static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
 {
 	unsigned long flags;
 	struct n_hdlc_buf *buf;
-	spin_lock_irqsave(&list->spinlock,flags);
-	
-	buf = list->head;
+
+	spin_lock_irqsave(&buf_list->spinlock, flags);
+
+	buf = list_first_entry_or_null(&buf_list->list,
+						struct n_hdlc_buf, list_item);
 	if (buf) {
-		list->head = buf->link;
-		(list->count)--;
+		list_del(&buf->list_item);
+		buf_list->count--;
 	}
-	if (!list->head)
-		list->tail = NULL;
-	
-	spin_unlock_irqrestore(&list->spinlock,flags);
+
+	spin_unlock_irqrestore(&buf_list->spinlock, flags);
 	return buf;
-	
 }	/* end of n_hdlc_buf_get() */
 
 static char hdlc_banner[] __initdata =
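Review bot: The kernel-doc for n_hdlc_buf_return() says where the buffer
goes but not why. It should state that the function re-queues a frame
previously taken with n_hdlc_buf_get() so that it is the next one
n_hdlc_buf_get() returns, which is what keeps frame order intact on
retry. The parameter lines also use "@buf_list -" where kernel-doc
expects "@buf_list:"; since these lines are being touched anyway, the
new block could use the colon form.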
diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
index d806657ca53e..56a3cc42a4b0 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -734,6 +734,11 @@ static void atmel_complete_tx_dma(void *arg)
 	/* Do we really need this? */
 	if (!uart_circ_empty(xmit))
 		tasklet_schedule(&atmel_port->tasklet);
+	else if ((atmel_port->rs485.flags & SER_RS485_ENABLED) &&
+		 !(atmel_port->rs485.flags & SER_RS485_RX_DURING_TX)) {
+		/* DMA done, stop TX, start RX for RS485 */
+		atmel_start_rx(port);
+	}
 
 	spin_unlock_irqrestore(&port->lock, flags);
 }
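Review bot: The new else-if tests
!(atmel_port->rs485.flags & SER_RS485_RX_DURING_TX) in addition to
SER_RS485_ENABLED, while the branch removed from atmel_tx_dma() tested
SER_RS485_ENABLED only, so this is a behaviour change and not just a
move into the completion callback. The changelog or the comment should
say that RX is deliberately left alone when RX_DURING_TX is set.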
@@ -806,12 +811,6 @@ static void atmel_tx_dma(struct uart_port *port)
 		desc->callback = atmel_complete_tx_dma;
 		desc->callback_param = atmel_port;
 		atmel_port->cookie_tx = dmaengine_submit(desc);
-
-	} else {
-		if (atmel_port->rs485.flags & SER_RS485_ENABLED) {
-			/* DMA done, stop TX, start RX for RS485 */
-			atmel_start_rx(port);
-		}
 	}
 
 	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 0c79f95383c0..4317a19d60be 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -933,8 +933,8 @@ static const struct input_device_id sysrq_ids[] = {
 	{
 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
 				INPUT_DEVICE_ID_MATCH_KEYBIT,
-		.evbit = { BIT_MASK(EV_KEY) },
-		.keybit = { BIT_MASK(KEY_LEFTALT) },
+		.evbit = { [BIT_WORD(EV_KEY)] = BIT_MASK(EV_KEY) },
+		.keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) },
 	},
 	{ },
 };
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 8c779ee044d8..919dc6a1bdf3 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1721,6 +1721,7 @@ static const struct usb_device_id acm_ids[] = {
 	{ USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */
 	.driver_info = QUIRK_CONTROL_LINE_STATE, },
 	{ USB_DEVICE(0x2184, 0x001c) },	/* GW Instek AFG-2225 */
+	{ USB_DEVICE(0x2184, 0x0036) },	/* GW Instek AFG-125 */
 	{ USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */
 	},
 	/* Motorola H24 HSPA module: */
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 8de16f982f55..13d8c60c286a 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -205,6 +205,16 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 	if (ifp->desc.bNumEndpoints >= num_ep)
 		goto skip_to_next_endpoint_or_interface_descriptor;
 
+	/* Check for duplicate endpoint addresses */
+	for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+		if (ifp->endpoint[i].desc.bEndpointAddress ==
+		    d->bEndpointAddress) {
+			dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+			    cfgno, inum, asnum, d->bEndpointAddress);
+			goto skip_to_next_endpoint_or_interface_descriptor;
+		}
+	}
+
 	endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
 	++ifp->desc.bNumEndpoints;
 
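Review bot: The duplicate check walks only the endpoints already parsed
for this one altsetting (ifp->endpoint[0] up to bNumEndpoints), so the
same address appearing in a different interface of the same
configuration is still accepted. It also compares bEndpointAddress as a
whole byte, so two descriptors that differ only in bits other than the
endpoint number and direction are not treated as duplicates. If either
case matters to the drivers consuming these descriptors, the comment
should say that it is out of scope for this check.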
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 554cc219ac34..624378404b37 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -106,6 +106,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
 
 static void hub_release(struct kref *kref);
 static int usb_reset_and_verify_device(struct usb_device *udev);
+static int hub_port_disable(struct usb_hub *hub, int port1, int set_state);
 
 static inline char *portspeed(struct usb_hub *hub, int portstatus)
 {
@@ -876,88 +877,6 @@ static int hub_set_port_link_state(struct usb_hub *hub, int port1,
 }
 
 /*
- * If USB 3.0 ports are placed into the Disabled state, they will no longer
- * detect any device connects or disconnects.  This is generally not what the
- * USB core wants, since it expects a disabled port to produce a port status
- * change event when a new device connects.
- *
- * Instead, set the link state to Disabled, wait for the link to settle into
- * that state, clear any change bits, and then put the port into the RxDetect
- * state.
- */
-static int hub_usb3_port_disable(struct usb_hub *hub, int port1)
-{
-	int ret;
-	int total_time;
-	u16 portchange, portstatus;
-
-	if (!hub_is_superspeed(hub->hdev))
-		return -EINVAL;
-
-	ret = hub_port_status(hub, port1, &portstatus, &portchange);
-	if (ret < 0)
-		return ret;
-
-	/*
-	 * USB controller Advanced Micro Devices, Inc. [AMD] FCH USB XHCI
-	 * Controller [1022:7814] will have spurious result making the following
-	 * usb 3.0 device hotplugging route to the 2.0 root hub and recognized
-	 * as high-speed device if we set the usb 3.0 port link state to
-	 * Disabled. Since it's already in USB_SS_PORT_LS_RX_DETECT state, we
-	 * check the state here to avoid the bug.
-	 */
-	if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
-				USB_SS_PORT_LS_RX_DETECT) {
-		dev_dbg(&hub->ports[port1 - 1]->dev,
-			 "Not disabling port; link state is RxDetect\n");
-		return ret;
-	}
-
-	ret = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_SS_DISABLED);
-	if (ret)
-		return ret;
-
-	/* Wait for the link to enter the disabled state. */
-	for (total_time = 0; ; total_time += HUB_DEBOUNCE_STEP) {
-		ret = hub_port_status(hub, port1, &portstatus, &portchange);
-		if (ret < 0)
-			return ret;
-
-		if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
-				USB_SS_PORT_LS_SS_DISABLED)
-			break;
-		if (total_time >= HUB_DEBOUNCE_TIMEOUT)
-			break;
-		msleep(HUB_DEBOUNCE_STEP);
-	}
-	if (total_time >= HUB_DEBOUNCE_TIMEOUT)
-		dev_warn(&hub->ports[port1 - 1]->dev,
-				"Could not disable after %d ms\n", total_time);
-
-	return hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_RX_DETECT);
-}
-
-static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
-{
-	struct usb_port *port_dev = hub->ports[port1 - 1];
-	struct usb_device *hdev = hub->hdev;
-	int ret = 0;
-
-	if (port_dev->child && set_state)
-		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
-	if (!hub->error) {
-		if (hub_is_superspeed(hub->hdev))
-			ret = hub_usb3_port_disable(hub, port1);
-		else
-			ret = usb_clear_port_feature(hdev, port1,
-					USB_PORT_FEAT_ENABLE);
-	}
-	if (ret && ret != -ENODEV)
-		dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
-	return ret;
-}
-
-/*
  * Disable a port and mark a logical connect-change event, so that some
  * time later khubd will disconnect() any existing usb_device on the port
  * and will re-enumerate if there actually is a device attached.
@@ -4022,6 +3941,26 @@ void usb_unlocked_enable_lpm(struct usb_device *udev)
 }
 EXPORT_SYMBOL_GPL(usb_unlocked_enable_lpm);
 
+/* usb3 devices use U3 for disabled, make sure remote wakeup is disabled */
+static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+					  struct usb_port *port_dev)
+{
+	struct usb_device *udev = port_dev->child;
+	int ret;
+
+	if (udev && udev->port_is_suspended && udev->do_remote_wakeup) {
+		ret = hub_set_port_link_state(hub, port_dev->portnum,
+					      USB_SS_PORT_LS_U0);
+		if (!ret) {
+			msleep(USB_RESUME_TIMEOUT);
+			ret = usb_disable_remote_wakeup(udev);
+		}
+		if (ret)
+			dev_warn(&udev->dev,
+				 "Port disable: can't disable remote wake\n");
+		udev->do_remote_wakeup = 0;
+	}
+}
 
 #else	/* CONFIG_PM */
 
@@ -4029,6 +3968,9 @@ EXPORT_SYMBOL_GPL(usb_unlocked_enable_lpm);
 #define hub_resume		NULL
 #define hub_reset_resume	NULL
 
+static inline void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+						 struct usb_port *port_dev) { }
+
 int usb_disable_lpm(struct usb_device *udev)
 {
 	return 0;
@@ -4064,6 +4006,34 @@ static int hub_handle_remote_wakeup(struct usb_hub *hub, unsigned int port,
 
 #endif	/* CONFIG_PM */
 
+/*
+ * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
+ * a connection with a plugged-in cable but will signal the host when the cable
+ * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
+ */
+static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
+{
+	struct usb_port *port_dev = hub->ports[port1 - 1];
+	struct usb_device *hdev = hub->hdev;
+	int ret = 0;
+
+	if (!hub->error) {
+		if (hub_is_superspeed(hub->hdev)) {
+			hub_usb3_port_prepare_disable(hub, port_dev);
+			ret = hub_set_port_link_state(hub, port_dev->portnum,
+						      USB_SS_PORT_LS_U3);
+		} else {
+			ret = usb_clear_port_feature(hdev, port1,
+					USB_PORT_FEAT_ENABLE);
+		}
+	}
+	if (port_dev->child && set_state)
+		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
+	if (ret && ret != -ENODEV)
+		dev_err(&port_dev->dev, "cannot disable (err = %d)\n", ret);
+	return ret;
+}
+
 
 /* USB 2.0 spec, 7.1.7.3 / fig 7-29:
  *
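Review bot: The removed hub_usb3_port_disable() returned early when the
link was already in USB_SS_PORT_LS_RX_DETECT, with a comment naming the
AMD FCH xHCI [1022:7814] misbehaviour; the new hub_port_disable() sets
USB_SS_PORT_LS_U3 unconditionally and its comment does not mention that
case. Please state whether U3 avoids the problem that check worked
around. Separately, usb_set_device_state(..., USB_STATE_NOTATTACHED) has
moved from before the port operation to after it, and
hub_usb3_port_prepare_disable() returns void so its failure cannot
affect ret; both deserve a line in the comment.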
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index 6c7e47f67dd4..3a010c19e0ec 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -37,6 +37,10 @@ static const struct usb_device_id usb_quirk_list[] = {
 	/* CBM - Flash disk */
 	{ USB_DEVICE(0x0204, 0x6025), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* WORLDE easy key (easykey.25) MIDI controller  */
+	{ USB_DEVICE(0x0218, 0x0401), .driver_info =
+			USB_QUIRK_CONFIG_INTF_STRINGS },
+
 	/* HP 5300/5370C scanner */
 	{ USB_DEVICE(0x03f0, 0x0701), .driver_info =
 			USB_QUIRK_STRING_FETCH_255 },
diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
index ba35201e19fe..096c9e91724e 100644
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -54,20 +54,13 @@ static const char *dwc3_ep0_state_string(enum dwc3_ep0_state state)
 	}
 }
 
-static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum, dma_addr_t buf_dma,
-		u32 len, u32 type)
+static void dwc3_ep0_prepare_one_trb(struct dwc3 *dwc, u8 epnum,
+		dma_addr_t buf_dma, u32 len, u32 type)
 {
-	struct dwc3_gadget_ep_cmd_params params;
 	struct dwc3_trb			*trb;
 	struct dwc3_ep			*dep;
 
-	int				ret;
-
 	dep = dwc->eps[epnum];
-	if (dep->flags & DWC3_EP_BUSY) {
-		dev_vdbg(dwc->dev, "%s: still busy\n", dep->name);
-		return 0;
-	}
 
 	trb = dwc->ep0_trb;
 
@@ -80,6 +73,17 @@ static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum, dma_addr_t buf_dma,
 			| DWC3_TRB_CTRL_LST
 			| DWC3_TRB_CTRL_IOC
 			| DWC3_TRB_CTRL_ISP_IMI);
+}
+
+static int dwc3_ep0_start_trans(struct dwc3 *dwc, u8 epnum)
+{
+	struct dwc3_gadget_ep_cmd_params params;
+	struct dwc3_ep			*dep;
+	int				ret;
+
+	dep = dwc->eps[epnum];
+	if (dep->flags & DWC3_EP_BUSY)
+		return 0;
 
 	memset(&params, 0, sizeof(params));
 	params.param0 = upper_32_bits(dwc->ep0_trb_addr);
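Review bot: The DWC3_EP_BUSY test now sits in dwc3_ep0_start_trans(),
after the caller has already run dwc3_ep0_prepare_one_trb(), which
writes dwc->ep0_trb unconditionally. Before the split the busy test came
first, so a busy endpoint left the TRB untouched; now the TRB is
rewritten and only the start command is skipped. If callers can reach
this with the endpoint busy, the test belongs in or before the prepare
step. The "still busy" dev_vdbg() has also been dropped without a
replacement.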
@@ -280,8 +284,9 @@ void dwc3_ep0_out_start(struct dwc3 *dwc)
 {
 	int				ret;
 
-	ret = dwc3_ep0_start_trans(dwc, 0, dwc->ctrl_req_addr, 8,
+	dwc3_ep0_prepare_one_trb(dwc, 0, dwc->ctrl_req_addr, 8,
 			DWC3_TRBCTL_CONTROL_SETUP);
+	ret = dwc3_ep0_start_trans(dwc, 0);
 	WARN_ON(ret < 0);
 }
 
@@ -890,9 +895,10 @@ static void __dwc3_ep0_do_control_data(struct dwc3 *dwc,
 	req->direction = !!dep->number;
 
 	if (req->request.length == 0) {
-		ret = dwc3_ep0_start_trans(dwc, dep->number,
+		dwc3_ep0_prepare_one_trb(dwc, dep->number,
 				dwc->ctrl_req_addr, 0,
 				DWC3_TRBCTL_CONTROL_DATA);
+		ret = dwc3_ep0_start_trans(dwc, dep->number);
 	} else if (!IS_ALIGNED(req->request.length, dep->endpoint.maxpacket)
 			&& (dep->number == 0)) {
 		u32	transfer_size;
@@ -920,9 +926,10 @@ static void __dwc3_ep0_do_control_data(struct dwc3 *dwc,
 		 * DWC3_EP0_BOUNCE_SIZE we will need two chained
 		 * TRBs to handle the transfer.
 		 */
-		ret = dwc3_ep0_start_trans(dwc, dep->number,
+		dwc3_ep0_prepare_one_trb(dwc, dep->number,
 				dwc->ep0_bounce_addr, transfer_size,
 				DWC3_TRBCTL_CONTROL_DATA);
+		ret = dwc3_ep0_start_trans(dwc, dep->number);
 	} else {
 		ret = usb_gadget_map_request(&dwc->gadget, &req->request,
 				dep->number);
@@ -931,8 +938,9 @@ static void __dwc3_ep0_do_control_data(struct dwc3 *dwc,
 			return;
 		}
 
-		ret = dwc3_ep0_start_trans(dwc, dep->number, req->request.dma,
+		dwc3_ep0_prepare_one_trb(dwc, dep->number, req->request.dma,
 				req->request.length, DWC3_TRBCTL_CONTROL_DATA);
+		ret = dwc3_ep0_start_trans(dwc, dep->number);
 	}
 
 	WARN_ON(ret < 0);
@@ -946,8 +954,9 @@ static int dwc3_ep0_start_control_status(struct dwc3_ep *dep)
 	type = dwc->three_stage_setup ? DWC3_TRBCTL_CONTROL_STATUS3
 		: DWC3_TRBCTL_CONTROL_STATUS2;
 
-	return dwc3_ep0_start_trans(dwc, dep->number,
+	dwc3_ep0_prepare_one_trb(dwc, dep->number,
 			dwc->ctrl_req_addr, 0, type);
+	return dwc3_ep0_start_trans(dwc, dep->number);
 }
 
 static void __dwc3_ep0_do_control_status(struct dwc3 *dwc, struct dwc3_ep *dep)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index ede2814702c4..e81cda1129a3 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -257,11 +257,11 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
 	if (req->request.status == -EINPROGRESS)
 		req->request.status = status;
 
-	if (dwc->ep0_bounced && dep->number == 0)
+	if (dwc->ep0_bounced && dep->number <= 1)
 		dwc->ep0_bounced = false;
-	else
-		usb_gadget_unmap_request(&dwc->gadget, &req->request,
-				req->direction);
+
+	usb_gadget_unmap_request(&dwc->gadget,
+			&req->request, req->direction);
 
 	dev_dbg(dwc->dev, "request %p from %s completed %d/%d ===> %d\n",
 			req, dep->name, req->request.actual,
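Review bot: With the else removed, usb_gadget_unmap_request() now runs
for bounced ep0 requests as well, so the bounce path must have mapped
the request for the unmap to be balanced; that mapping is not visible in
the ep0.c hunks of this patch and should be confirmed. The literal in
dep->number <= 1 would read better with a comment that numbers 0 and 1
are the two directions of ep0.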
@@ -863,6 +863,8 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
 {
 	struct dwc3		*dwc = dep->dwc;
 	struct dwc3_trb		*trb;
+	struct usb_gadget	*gadget = &dwc->gadget;
+	enum usb_device_speed	speed = gadget->speed;
 
 	dev_vdbg(dwc->dev, "%s: req %p dma %08llx length %d%s%s\n",
 			dep->name, req, (unsigned long long) dma,
@@ -895,10 +897,16 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
 		break;
 
 	case USB_ENDPOINT_XFER_ISOC:
-		if (!node)
+		if (!node) {
 			trb->ctrl = DWC3_TRBCTL_ISOCHRONOUS_FIRST;
-		else
+
+			if (speed == USB_SPEED_HIGH) {
+				struct usb_ep *ep = &dep->endpoint;
+				trb->size |= DWC3_TRB_SIZE_PCM1(ep->mult - 1);
+			}
+		} else {
 			trb->ctrl = DWC3_TRBCTL_ISOCHRONOUS;
+		}
 		break;
 
 	case USB_ENDPOINT_XFER_BULK:
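Review bot: trb->size |= DWC3_TRB_SIZE_PCM1(ep->mult - 1) assumes
ep->mult is at least 1. The composite.c change in this patch sets mult
to 1 in config_ep_by_speed(), but an endpoint whose mult is still 0
would feed a wrapped value into the PCM1 field. A guard on ep->mult, or
a comment naming where the 1-based value is guaranteed, would make this
safe to read in isolation.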
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 9536b6abf65b..b8a961ba1d2b 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -143,11 +143,16 @@ int config_ep_by_speed(struct usb_gadget *g,
 
 ep_found:
 	/* commit results */
-	_ep->maxpacket = usb_endpoint_maxp(chosen_desc);
+	_ep->maxpacket = usb_endpoint_maxp(chosen_desc) & 0x7ff;
 	_ep->desc = chosen_desc;
 	_ep->comp_desc = NULL;
 	_ep->maxburst = 0;
-	_ep->mult = 0;
+	_ep->mult = 1;
+
+	if (g->speed == USB_SPEED_HIGH && (usb_endpoint_xfer_isoc(_ep->desc) ||
+				usb_endpoint_xfer_int(_ep->desc)))
+		_ep->mult = usb_endpoint_maxp_mult(_ep->desc);
+
 	if (!want_comp_desc)
 		return 0;
 
@@ -164,7 +169,7 @@ ep_found:
 		switch (usb_endpoint_type(_ep->desc)) {
 		case USB_ENDPOINT_XFER_ISOC:
 			/* mult: bits 1:0 of bmAttributes */
-			_ep->mult = comp_desc->bmAttributes & 0x3;
+			_ep->mult = (comp_desc->bmAttributes & 0x3) + 1;
 		case USB_ENDPOINT_XFER_BULK:
 		case USB_ENDPOINT_XFER_INT:
 			_ep->maxburst = comp_desc->bMaxBurst + 1;
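Review bot: _ep->mult changes meaning here from the raw 0-based
bmAttributes field to a 1-based count, but the comment above it still
reads "mult: bits 1:0 of bmAttributes". Please update the comment to say
the stored value is the field plus one, since every user of ep->mult has
to agree on the base (uvc_video.c is adjusted in this patch for that
reason).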
@@ -1516,9 +1521,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 		value = min(w_length, (u16) 1);
 		break;
 
-	/* function drivers must handle get/set altsetting; if there's
-	 * no get() method, we know only altsetting zero works.
-	 */
+	/* function drivers must handle get/set altsetting */
 	case USB_REQ_SET_INTERFACE:
 		if (ctrl->bRequestType != USB_RECIP_INTERFACE)
 			goto unknown;
@@ -1527,7 +1530,13 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 		f = cdev->config->interface[intf];
 		if (!f)
 			break;
-		if (w_value && !f->set_alt)
+
+		/*
+		 * If there's no get_alt() method, we know only altsetting zero
+		 * works. There is no need to check if set_alt() is not NULL
+		 * as we check this in usb_add_function().
+		 */
+		if (w_value && !f->get_alt)
 			break;
 		value = f->set_alt(f, w_index, w_value);
 		if (value == USB_GADGET_DELAYED_STATUS) {
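Review bot: The test changes from !f->set_alt to !f->get_alt, after
which f->set_alt() is called with no NULL test at all; the new comment
justifies that by a check in usb_add_function(). As this is a backport,
please confirm that the 3.16 usb_add_function() really rejects functions
without set_alt, because otherwise a SET_INTERFACE request ends in a
call through a NULL function pointer.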
diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c
index 2b54955d3166..b0da9552b3b0 100644
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -266,7 +266,7 @@ static void nuke(struct dummy *dum, struct dummy_ep *ep)
 /* caller must hold lock */
 static void stop_activity(struct dummy *dum)
 {
-	struct dummy_ep	*ep;
+	int i;
 
 	/* prevent any more requests */
 	dum->address = 0;
@@ -274,8 +274,8 @@ static void stop_activity(struct dummy *dum)
 	/* The timer is left running so that outstanding URBs can fail */
 
 	/* nuke any pending requests first, so driver i/o is quiesced */
-	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
-		nuke(dum, ep);
+	for (i = 0; i < DUMMY_ENDPOINTS; ++i)
+		nuke(dum, &dum->ep[i]);
 
 	/* driver now does any non-usb quiescing necessary */
 }
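Review bot: Switching from list_for_each_entry() over
dum->gadget.ep_list to indexing dum->ep[] is what brings ep0 into the
loop, per the patch title, but nothing at the loop says so. A short
comment that ep0 is not on gadget.ep_list would stop a later cleanup
from converting this back.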
diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index 1ceaf0e6a859..ac3c91c7e627 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1200,7 +1200,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	/* data and/or status stage for control request */
 	} else if (dev->state == STATE_DEV_SETUP) {
 
-		/* IN DATA+STATUS caller makes len <= wLength */
+		len = min_t(size_t, len, dev->setup_wLength);
 		if (dev->setup_in) {
 			retval = setup_req (dev->gadget->ep0, dev->req, len);
 			if (retval == 0) {
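Review bot: len = min_t(size_t, len, dev->setup_wLength) is placed
before the if (dev->setup_in) test, so it applies whichever branch is
taken, yet the comment it replaces ("IN DATA+STATUS caller makes
len <= wLength") is deleted and not replaced. A one-line comment that
the length is now enforced here and no longer trusted from the caller
would document the fix.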
@@ -1842,10 +1842,12 @@ static struct usb_gadget_driver probe_driver = {
  * such as configuration notifications.
  */
 
-static int is_valid_config (struct usb_config_descriptor *config)
+static int is_valid_config(struct usb_config_descriptor *config,
+		unsigned int total)
 {
 	return config->bDescriptorType == USB_DT_CONFIG
 		&& config->bLength == USB_DT_CONFIG_SIZE
+		&& total >= USB_DT_CONFIG_SIZE
 		&& config->bConfigurationValue != 0
 		&& (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
 		&& (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
@@ -1862,7 +1864,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	u32			tag;
 	char			*kbuf;
 
-	if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
+	if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
+	    (len > PAGE_SIZE * 4))
 		return -EINVAL;
 
 	/* we might need to change message format someday */
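Review bot: The upper bound PAGE_SIZE * 4 is an unexplained literal, and
because PAGE_SIZE differs between architectures the largest accepted
descriptor blob differs too. A named constant with a comment on why this
limit was chosen would be clearer.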
@@ -1886,7 +1889,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	/* full or low speed config */
 	dev->config = (void *) kbuf;
 	total = le16_to_cpu(dev->config->wTotalLength);
-	if (!is_valid_config (dev->config) || total >= length)
+	if (!is_valid_config(dev->config, total) ||
+			total > length - USB_DT_DEVICE_SIZE)
 		goto fail;
 	kbuf += total;
 	length -= total;
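Review bot: total > length - USB_DT_DEVICE_SIZE is only safe while
length is at least USB_DT_DEVICE_SIZE; if length is unsigned, a smaller
value would wrap and let any total through. That appears to hold given
the minimum len test at the top of dev_config(), and for the hs_config
test because this test has just passed, but the dependency is implicit.
Writing the test as total + USB_DT_DEVICE_SIZE > length removes it.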
@@ -1895,10 +1899,13 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	if (kbuf [1] == USB_DT_CONFIG) {
 		dev->hs_config = (void *) kbuf;
 		total = le16_to_cpu(dev->hs_config->wTotalLength);
-		if (!is_valid_config (dev->hs_config) || total >= length)
+		if (!is_valid_config(dev->hs_config, total) ||
+				total > length - USB_DT_DEVICE_SIZE)
 			goto fail;
 		kbuf += total;
 		length -= total;
+	} else {
+		dev->hs_config = NULL;
 	}
 
 	/* could support multiple configs, using another encoding! */
diff --git a/drivers/usb/gadget/uvc_video.c b/drivers/usb/gadget/uvc_video.c
index 71e896d4c5ae..43e8c65fd9ed 100644
--- a/drivers/usb/gadget/uvc_video.c
+++ b/drivers/usb/gadget/uvc_video.c
@@ -240,7 +240,7 @@ uvc_video_alloc_requests(struct uvc_video *video)
 
 	req_size = video->ep->maxpacket
 		 * max_t(unsigned int, video->ep->maxburst, 1)
-		 * (video->ep->mult + 1);
+		 * (video->ep->mult);
 
 	for (i = 0; i < UVC_NUM_REQUESTS; ++i) {
 		video->req_buffer[i] = kmalloc(req_size, GFP_KERNEL);
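Review bot: req_size is now a product with video->ep->mult taken as is,
so an endpoint whose mult is 0 yields req_size == 0 and zero-length
kmalloc() buffers. The line above already protects maxburst with
max_t(unsigned int, video->ep->maxburst, 1); doing the same for mult
would keep this robust if the 1-based value from composite.c is ever
missing.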
diff --git a/drivers/usb/host/uhci-pci.c b/drivers/usb/host/uhci-pci.c
index 940304c33224..02260cfdedb1 100644
--- a/drivers/usb/host/uhci-pci.c
+++ b/drivers/usb/host/uhci-pci.c
@@ -129,6 +129,10 @@ static int uhci_pci_init(struct usb_hcd *hcd)
 	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_HP)
 		uhci->wait_for_hp = 1;
 
+	/* Intel controllers use non-PME wakeup signalling */
+	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_INTEL)
+		device_set_run_wake(uhci_dev(uhci), 1);
+
 	/* Set up pointers to PCI-specific functions */
 	uhci->reset_hc = uhci_pci_reset_hc;
 	uhci->check_and_reset_hc = uhci_pci_check_and_reset_hc;
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index e46c3b1414b9..0333ccc27b13 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -965,6 +965,40 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id)
 	xhci->devs[slot_id] = NULL;
 }
 
+/*
+ * Free a virt_device structure.
+ * If the virt_device added a tt_info (a hub) and has children pointing to
+ * that tt_info, then free the child first. Recursive.
+ * We can't rely on udev at this point to find child-parent relationships.
+ */
+void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id)
+{
+	struct xhci_virt_device *vdev;
+	struct list_head *tt_list_head;
+	struct xhci_tt_bw_info *tt_info, *next;
+	int i;
+
+	vdev = xhci->devs[slot_id];
+	if (!vdev)
+		return;
+
+	tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts);
+	list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
+		/* is this a hub device that added a tt_info to the tts list */
+		if (tt_info->slot_id == slot_id) {
+			/* are any devices using this tt_info? */
+			for (i = 1; i < HCS_MAX_SLOTS(xhci->hcs_params1); i++) {
+				vdev = xhci->devs[i];
+				if (vdev && (vdev->tt_info == tt_info))
+					xhci_free_virt_devices_depth_first(
+						xhci, i);
+			}
+		}
+	}
+	/* we are now at a leaf device */
+	xhci_free_virt_device(xhci, slot_id);
+}
+
 int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
 		struct usb_device *udev, gfp_t flags)
 {
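Review bot: The inner scan in xhci_free_virt_devices_depth_first() stops
at i < HCS_MAX_SLOTS(xhci->hcs_params1), while the caller's loop in
xhci_mem_cleanup() includes slot HCS_MAX_SLOTS(xhci->hcs_params1). The
mismatch is harmless only because that caller starts at the highest
slot, so it has already been freed before any hub is visited. Either
make the bound <= or add a comment on the dependency on the caller's
order. A note on the expected recursion depth would also help, since
this runs on the kernel stack.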
@@ -1828,8 +1862,8 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
 		}
 	}
 
-	for (i = 1; i < MAX_HC_SLOTS; ++i)
-		xhci_free_virt_device(xhci, i);
+	for (i = HCS_MAX_SLOTS(xhci->hcs_params1); i > 0; i--)
+		xhci_free_virt_devices_depth_first(xhci, i);
 
 	if (xhci->segment_pool)
 		dma_pool_destroy(xhci->segment_pool);
@@ -2368,7 +2402,7 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
 	 * "physically contiguous and 64-byte (cache line) aligned".
 	 */
 	xhci->dcbaa = dma_alloc_coherent(dev, sizeof(*xhci->dcbaa), &dma,
-			GFP_KERNEL);
+			flags);
 	if (!xhci->dcbaa)
 		goto fail;
 	memset(xhci->dcbaa, 0, sizeof *(xhci->dcbaa));
@@ -2464,7 +2498,7 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
 
 	xhci->erst.entries = dma_alloc_coherent(dev,
 			sizeof(struct xhci_erst_entry) * ERST_NUM_SEGS, &dma,
-			GFP_KERNEL);
+			flags);
 	if (!xhci->erst.entries)
 		goto fail;
 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index e808d8078b2d..63d4f2897f00 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -150,7 +150,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
 		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI ||
-		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI)) {
+		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI)) {
 		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
 	}
 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 58edc5478d6e..6db00d804d0e 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -878,13 +878,6 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
 	spin_lock_irqsave(&xhci->lock, flags);
 
 	ep->stop_cmds_pending--;
-	if (xhci->xhc_state & XHCI_STATE_DYING) {
-		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"Stop EP timer ran, but another timer marked "
-				"xHCI as DYING, exiting.");
-		spin_unlock_irqrestore(&xhci->lock, flags);
-		return;
-	}
 	if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 				"Stop EP timer ran, but no command pending, "
@@ -1292,33 +1285,44 @@ void xhci_handle_command_timeout(unsigned long data)
 	struct xhci_command *cur_cmd = NULL;
 	xhci = (struct xhci_hcd *) data;
 
-	/* mark this command to be cancelled */
 	spin_lock_irqsave(&xhci->lock, flags);
-	if (xhci->current_cmd) {
-		cur_cmd = xhci->current_cmd;
-		cur_cmd->status = COMP_CMD_ABORT;
+
+	/*
+	 * If timeout work is pending, or current_cmd is NULL, it means we
+	 * raced with command completion. Command is handled so just return.
+	 */
+	if (!xhci->current_cmd || timer_pending(&xhci->cmd_timer)) {
+		spin_unlock_irqrestore(&xhci->lock, flags);
+		return;
 	}
 
+	/* mark this command to be cancelled */
+	cur_cmd = xhci->current_cmd;
+	cur_cmd->status = COMP_CMD_ABORT;
 
 	/* Make sure command ring is running before aborting it */
 	hw_ring_state = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
 	if ((xhci->cmd_ring_state & CMD_RING_STATE_RUNNING) &&
 	    (hw_ring_state & CMD_RING_RUNNING))  {
-
-		spin_unlock_irqrestore(&xhci->lock, flags);
 		xhci_dbg(xhci, "Command timeout\n");
 		ret = xhci_abort_cmd_ring(xhci);
 		if (unlikely(ret == -ESHUTDOWN)) {
 			xhci_err(xhci, "Abort command ring failed\n");
 			xhci_cleanup_command_queue(xhci);
+			spin_unlock_irqrestore(&xhci->lock, flags);
 			usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
 			xhci_dbg(xhci, "xHCI host controller is dead.\n");
+
+			return;
 		}
-		return;
+
+		goto time_out_completed;
 	}
 	/* command timeout on stopped ring, ring can't be aborted */
 	xhci_dbg(xhci, "Command timeout on stopped ring\n");
 	xhci_handle_stopped_cmd_ring(xhci, xhci->current_cmd);
+
+time_out_completed:
 	spin_unlock_irqrestore(&xhci->lock, flags);
 	return;
 }
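Review bot: xhci_abort_cmd_ring() is now called with xhci->lock held and interrupts disabled, because the spin_unlock_irqrestore() that used to precede it was removed, and nothing in this hunk documents that contract. A comment above the call, or a lockdep assertion inside xhci_abort_cmd_ring(), stating that the caller holds the lock would make the new rule checkable. The trailing "return;" after the unlock at time_out_completed is redundant in a void function.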
@@ -1377,8 +1381,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
 	 */
 	if (cmd_comp_code == COMP_CMD_ABORT) {
 		xhci->cmd_ring_state = CMD_RING_STATE_STOPPED;
-		if (cmd->status == COMP_CMD_ABORT)
+		if (cmd->status == COMP_CMD_ABORT) {
+			if (xhci->current_cmd == cmd)
+				xhci->current_cmd = NULL;
 			goto event_handled;
+		}
 	}
 
 	cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3]));
@@ -1440,6 +1447,8 @@ static void handle_cmd_completion(struct xhci_hcd *xhci,
 		xhci->current_cmd = list_entry(cmd->cmd_list.next,
 					       struct xhci_command, cmd_list);
 		mod_timer(&xhci->cmd_timer, jiffies + XHCI_CMD_DEFAULT_TIMEOUT);
+	} else if (xhci->current_cmd == cmd) {
+		xhci->current_cmd = NULL;
 	}
 
 event_handled:
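Review bot: xhci_handle_command_timeout() now treats current_cmd == NULL as "already handled", so every exit from handle_cmd_completion() has to clear or advance xhci->current_cmd. The "else if (xhci->current_cmd == cmd)" branch here repeats the reset added in the COMP_CMD_ABORT path of the previous hunk; a small helper used by both would keep the two paths in sync and give one place to document the invariant.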
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index e89d09458789..c92869b3ab56 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1561,19 +1561,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 		xhci_urb_free_priv(xhci, urb_priv);
 		return ret;
 	}
-	if ((xhci->xhc_state & XHCI_STATE_DYING) ||
-			(xhci->xhc_state & XHCI_STATE_HALTED)) {
-		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"Ep 0x%x: URB %p to be canceled on "
-				"non-responsive xHCI host.",
-				urb->ep->desc.bEndpointAddress, urb);
-		/* Let the stop endpoint command watchdog timer (which set this
-		 * state) finish cleaning up the endpoint TD lists.  We must
-		 * have caught it in the middle of dropping a lock and giving
-		 * back an URB.
-		 */
-		goto done;
-	}
 
 	ep_index = xhci_get_endpoint_index(&urb->ep->desc);
 	ep = &xhci->devs[urb->dev->slot_id]->eps[ep_index];
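Review bot: removing the DYING/HALTED early exit from xhci_urb_dequeue() also removes the comment that explained who cleans up the endpoint TD lists in that state. The code now falls through to the ep_index and ep lookup on a host that may already be halted or dying, so a short comment at this point should say which path gives the URB back in that case.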
diff --git a/drivers/usb/musb/musbhsdma.h b/drivers/usb/musb/musbhsdma.h
index f7b13fd25257..a3dcbd55e436 100644
--- a/drivers/usb/musb/musbhsdma.h
+++ b/drivers/usb/musb/musbhsdma.h
@@ -157,5 +157,5 @@ struct musb_dma_controller {
 	void __iomem			*base;
 	u8				channel_count;
 	u8				used_channels;
-	u8				irq;
+	int				irq;
 };
diff --git a/drivers/usb/phy/phy-am335x-control.c b/drivers/usb/phy/phy-am335x-control.c
index d5eca7b9c555..887ee660fa35 100644
--- a/drivers/usb/phy/phy-am335x-control.c
+++ b/drivers/usb/phy/phy-am335x-control.c
@@ -126,10 +126,12 @@ struct phy_control *am335x_get_phy_control(struct device *dev)
 		return NULL;
 
 	dev = bus_find_device(&platform_bus_type, NULL, node, match);
+	of_node_put(node);
 	if (!dev)
 		return NULL;
 
 	ctrl_usb = dev_get_drvdata(dev);
+	put_device(dev);
 	if (!ctrl_usb)
 		return NULL;
 	return &ctrl_usb->phy_ctrl;
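Review bot: put_device(dev) is called before ctrl_usb is checked and before &ctrl_usb->phy_ctrl is returned, so the caller receives a pointer into the device's driver data with no reference pinning that device. This closes the leak, but a comment should state what keeps the control device and its drvdata alive while the returned phy_control is in use.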
diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index 2d72aa3564a3..6a8044291ab4 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -61,13 +61,26 @@
  * the Net/FreeBSD uchcom.c driver by Takanori Watanabe.  Domo arigato.
  */
 
+#define CH341_REQ_READ_VERSION 0x5F
 #define CH341_REQ_WRITE_REG    0x9A
 #define CH341_REQ_READ_REG     0x95
-#define CH341_REG_BREAK1       0x05
-#define CH341_REG_BREAK2       0x18
-#define CH341_NBREAK_BITS_REG1 0x01
-#define CH341_NBREAK_BITS_REG2 0x40
-
+#define CH341_REQ_SERIAL_INIT  0xA1
+#define CH341_REQ_MODEM_CTRL   0xA4
+
+#define CH341_REG_BREAK        0x05
+#define CH341_REG_LCR          0x18
+#define CH341_NBREAK_BITS      0x01
+
+#define CH341_LCR_ENABLE_RX    0x80
+#define CH341_LCR_ENABLE_TX    0x40
+#define CH341_LCR_MARK_SPACE   0x20
+#define CH341_LCR_PAR_EVEN     0x10
+#define CH341_LCR_ENABLE_PAR   0x08
+#define CH341_LCR_STOP_BITS_2  0x04
+#define CH341_LCR_CS8          0x03
+#define CH341_LCR_CS7          0x02
+#define CH341_LCR_CS6          0x01
+#define CH341_LCR_CS5          0x00
 
 static const struct usb_device_id id_table[] = {
 	{ USB_DEVICE(0x4348, 0x5523) },
@@ -84,6 +97,10 @@ struct ch341_private {
 	u8 line_status; /* active status of modem control inputs */
 };
 
+static void ch341_set_termios(struct tty_struct *tty,
+			      struct usb_serial_port *port,
+			      struct ktermios *old_termios);
+
 static int ch341_control_out(struct usb_device *dev, u8 request,
 			     u16 value, u16 index)
 {
@@ -95,6 +112,8 @@ static int ch341_control_out(struct usb_device *dev, u8 request,
 	r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
 			    value, index, NULL, 0, DEFAULT_TIMEOUT);
+	if (r < 0)
+		dev_err(&dev->dev, "failed to send control message: %d\n", r);
 
 	return r;
 }
@@ -112,13 +131,26 @@ static int ch341_control_in(struct usb_device *dev,
 	r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
 			    value, index, buf, bufsize, DEFAULT_TIMEOUT);
-	return r;
+	if (r < bufsize) {
+		if (r >= 0) {
+			dev_err(&dev->dev,
+				"short control message received (%d < %u)\n",
+				r, bufsize);
+			r = -EIO;
+		}
+
+		dev_err(&dev->dev, "failed to receive control message: %d\n",
+			r);
+		return r;
+	}
+
+	return 0;
 }
 
-static int ch341_set_baudrate(struct usb_device *dev,
-			      struct ch341_private *priv)
+static int ch341_set_baudrate_lcr(struct usb_device *dev,
+				  struct ch341_private *priv, u8 lcr)
 {
-	short a, b;
+	short a;
 	int r;
 	unsigned long factor;
 	short divisor;
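Review bot: in ch341_control_in(), the new test "r < bufsize" compares a signed int with bufsize, which the dev_err() format (%u) treats as unsigned. If bufsize is declared unsigned, a negative return from usb_control_msg() is promoted to a large unsigned value, the branch is skipped and the function returns 0 for a failed transfer. Testing r < 0 first, or casting bufsize to int in the comparison, avoids that. Separately, a short read logs two errors (the short-message line and then the failed-to-receive line with -EIO); one is enough.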
@@ -138,43 +170,47 @@ static int ch341_set_baudrate(struct usb_device *dev,
 
 	factor = 0x10000 - factor;
 	a = (factor & 0xff00) | divisor;
-	b = factor & 0xff;
 
-	r = ch341_control_out(dev, 0x9a, 0x1312, a);
-	if (!r)
-		r = ch341_control_out(dev, 0x9a, 0x0f2c, b);
+	/*
+	 * CH341A buffers data until a full endpoint-size packet (32 bytes)
+	 * has been received unless bit 7 is set.
+	 */
+	a |= BIT(7);
+
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
+	if (r)
+		return r;
+
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, lcr);
+	if (r)
+		return r;
 
 	return r;
 }
 
 static int ch341_set_handshake(struct usb_device *dev, u8 control)
 {
-	return ch341_control_out(dev, 0xa4, ~control, 0);
+	return ch341_control_out(dev, CH341_REQ_MODEM_CTRL, ~control, 0);
 }
 
 static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
 {
+	const unsigned int size = 2;
 	char *buffer;
 	int r;
-	const unsigned size = 8;
 	unsigned long flags;
 
 	buffer = kmalloc(size, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 
-	r = ch341_control_in(dev, 0x95, 0x0706, 0, buffer, size);
+	r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x0706, 0, buffer, size);
 	if (r < 0)
 		goto out;
 
-	/* setup the private status if available */
-	if (r == 2) {
-		r = 0;
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
-		spin_unlock_irqrestore(&priv->lock, flags);
-	} else
-		r = -EPROTO;
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 out:	kfree(buffer);
 	return r;
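Review bot: ch341_set_baudrate_lcr() ends with "if (r) return r;" followed directly by "return r;", so the last check does nothing; return the result of the second ch341_control_out() directly. The register selectors 0x1312 and 0x2518 are still bare constants even though this patch introduces CH341_REG_LCR and the CH341_REQ_* names; naming them would match the rest of the cleanup.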
@@ -184,33 +220,29 @@ out:	kfree(buffer);
 
 static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
 {
+	const unsigned int size = 2;
 	char *buffer;
 	int r;
-	const unsigned size = 8;
 
 	buffer = kmalloc(size, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 
 	/* expect two bytes 0x27 0x00 */
-	r = ch341_control_in(dev, 0x5f, 0, 0, buffer, size);
+	r = ch341_control_in(dev, CH341_REQ_READ_VERSION, 0, 0, buffer, size);
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, 0xa1, 0, 0);
-	if (r < 0)
-		goto out;
-
-	r = ch341_set_baudrate(dev, priv);
+	r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0, 0);
 	if (r < 0)
 		goto out;
 
 	/* expect two bytes 0x56 0x00 */
-	r = ch341_control_in(dev, 0x95, 0x2518, 0, buffer, size);
+	r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x2518, 0, buffer, size);
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, 0x9a, 0x2518, 0x0050);
+	r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, 0x0050);
 	if (r < 0)
 		goto out;
 
@@ -219,11 +251,7 @@ static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
 	if (r < 0)
 		goto out;
 
-	r = ch341_control_out(dev, 0xa1, 0x501f, 0xd90a);
-	if (r < 0)
-		goto out;
-
-	r = ch341_set_baudrate(dev, priv);
+	r = ch341_set_baudrate_lcr(dev, priv, 0);
 	if (r < 0)
 		goto out;
 
@@ -249,7 +277,6 @@ static int ch341_port_probe(struct usb_serial_port *port)
 
 	spin_lock_init(&priv->lock);
 	priv->baud_rate = DEFAULT_BAUD_RATE;
-	priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR;
 
 	r = ch341_configure(port->serial->dev, priv);
 	if (r < 0)
@@ -309,32 +336,31 @@ static int ch341_open(struct tty_struct *tty, struct usb_serial_port *port)
 	struct ch341_private *priv = usb_get_serial_port_data(port);
 	int r;
 
-	priv->baud_rate = DEFAULT_BAUD_RATE;
-
 	r = ch341_configure(serial->dev, priv);
 	if (r)
-		goto out;
-
-	r = ch341_set_handshake(serial->dev, priv->line_control);
-	if (r)
-		goto out;
+		return r;
 
-	r = ch341_set_baudrate(serial->dev, priv);
-	if (r)
-		goto out;
+	if (tty)
+		ch341_set_termios(tty, port, NULL);
 
 	dev_dbg(&port->dev, "%s - submitting interrupt urb\n", __func__);
 	r = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL);
 	if (r) {
 		dev_err(&port->dev, "%s - failed to submit interrupt urb: %d\n",
 			__func__, r);
-		ch341_close(port);
-		goto out;
+		return r;
 	}
 
 	r = usb_serial_generic_open(tty, port);
+	if (r)
+		goto err_kill_interrupt_urb;
+
+	return 0;
+
+err_kill_interrupt_urb:
+	usb_kill_urb(port->interrupt_in_urb);
 
-out:	return r;
+	return r;
 }
 
 /* Old_termios contains the original termios settings and
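Review bot: ch341_open() now sets up the line through ch341_set_termios(), which the forward declaration added earlier in this file declares void, so a failed baud-rate or LCR write during open is no longer returned to the caller the way the removed ch341_set_baudrate() and ch341_set_handshake() checks were. Consider calling ch341_set_baudrate_lcr() from open and propagating its result, or at least logging the failure in ch341_set_termios().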
@@ -346,23 +372,33 @@ static void ch341_set_termios(struct tty_struct *tty,
 	struct ch341_private *priv = usb_get_serial_port_data(port);
 	unsigned baud_rate;
 	unsigned long flags;
+	unsigned char ctrl;
+	int r;
+
+	/* redundant changes may cause the chip to lose bytes */
+	if (old_termios && !tty_termios_hw_change(&tty->termios, old_termios))
+		return;
 
 	baud_rate = tty_get_baud_rate(tty);
 
-	priv->baud_rate = baud_rate;
+	ctrl = CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8;
 
 	if (baud_rate) {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
-		spin_unlock_irqrestore(&priv->lock, flags);
-		ch341_set_baudrate(port->serial->dev, priv);
-	} else {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
-		spin_unlock_irqrestore(&priv->lock, flags);
+		priv->baud_rate = baud_rate;
+
+		r = ch341_set_baudrate_lcr(port->serial->dev, priv, ctrl);
+		if (r < 0 && old_termios) {
+			priv->baud_rate = tty_termios_baud_rate(old_termios);
+			tty_termios_copy_hw(&tty->termios, old_termios);
+		}
 	}
 
-	ch341_set_handshake(port->serial->dev, priv->line_control);
+	spin_lock_irqsave(&priv->lock, flags);
+	if (C_BAUD(tty) == B0)
+		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
+	else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
+		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 	/* Unimplemented:
 	 * (cflag & CSIZE) : data bits [5, 8]
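Review bot: the only ch341_set_handshake() call in this hunk is removed, and the new B0 handling just updates priv->line_control under the lock; in the lines shown nothing writes the new DTR/RTS state to the device. If that is meant to be left to the modem-control callbacks, say so in a comment; otherwise the call needs to stay after the unlock. Also, when ch341_set_baudrate_lcr() fails and old_termios is NULL, the error is dropped and priv->baud_rate keeps the rejected value.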
@@ -374,7 +410,7 @@ static void ch341_set_termios(struct tty_struct *tty,
 static void ch341_break_ctl(struct tty_struct *tty, int break_state)
 {
 	const uint16_t ch341_break_reg =
-		CH341_REG_BREAK1 | ((uint16_t) CH341_REG_BREAK2 << 8);
+			((uint16_t) CH341_REG_LCR << 8) | CH341_REG_BREAK;
 	struct usb_serial_port *port = tty->driver_data;
 	int r;
 	uint16_t reg_contents;
@@ -395,12 +431,12 @@ static void ch341_break_ctl(struct tty_struct *tty, int break_state)
 		__func__, break_reg[0], break_reg[1]);
 	if (break_state != 0) {
 		dev_dbg(&port->dev, "%s - Enter break state requested\n", __func__);
-		break_reg[0] &= ~CH341_NBREAK_BITS_REG1;
-		break_reg[1] &= ~CH341_NBREAK_BITS_REG2;
+		break_reg[0] &= ~CH341_NBREAK_BITS;
+		break_reg[1] &= ~CH341_LCR_ENABLE_TX;
 	} else {
 		dev_dbg(&port->dev, "%s - Leave break state requested\n", __func__);
-		break_reg[0] |= CH341_NBREAK_BITS_REG1;
-		break_reg[1] |= CH341_NBREAK_BITS_REG2;
+		break_reg[0] |= CH341_NBREAK_BITS;
+		break_reg[1] |= CH341_LCR_ENABLE_TX;
 	}
 	dev_dbg(&port->dev, "%s - New ch341 break register contents - reg1: %x, reg2: %x\n",
 		__func__, break_reg[0], break_reg[1]);
@@ -543,14 +579,23 @@ static int ch341_tiocmget(struct tty_struct *tty)
 
 static int ch341_reset_resume(struct usb_serial *serial)
 {
-	struct ch341_private *priv;
-
-	priv = usb_get_serial_port_data(serial->port[0]);
+	struct usb_serial_port *port = serial->port[0];
+	struct ch341_private *priv = usb_get_serial_port_data(port);
+	int ret;
 
 	/* reconfigure ch341 serial port after bus-reset */
 	ch341_configure(serial->dev, priv);
 
-	return 0;
+	if (port->port.flags & ASYNC_INITIALIZED) {
+		ret = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO);
+		if (ret) {
+			dev_err(&port->dev, "failed to submit interrupt urb: %d\n",
+				ret);
+			return ret;
+		}
+	}
+
+	return usb_serial_generic_resume(serial);
 }
 
 static struct usb_serial_driver ch341_device = {
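Review bot: ch341_reset_resume() still ignores the return value of ch341_configure() while the new code propagates a failed usb_submit_urb(). If the chip could not be reconfigured after the bus reset, resubmitting the interrupt URB and calling usb_serial_generic_resume() continues on an unconfigured device. Check the result and return it, as ch341_open() does.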
diff --git a/drivers/usb/serial/cyberjack.c b/drivers/usb/serial/cyberjack.c
index 2916dea3ede8..8948f375e75d 100644
--- a/drivers/usb/serial/cyberjack.c
+++ b/drivers/usb/serial/cyberjack.c
@@ -50,6 +50,7 @@
 #define CYBERJACK_PRODUCT_ID	0x0100
 
 /* Function prototypes */
+static int cyberjack_attach(struct usb_serial *serial);
 static int cyberjack_port_probe(struct usb_serial_port *port);
 static int cyberjack_port_remove(struct usb_serial_port *port);
 static int  cyberjack_open(struct tty_struct *tty,
@@ -77,6 +78,7 @@ static struct usb_serial_driver cyberjack_device = {
 	.description =		"Reiner SCT Cyberjack USB card reader",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		cyberjack_attach,
 	.port_probe =		cyberjack_port_probe,
 	.port_remove =		cyberjack_port_remove,
 	.open =			cyberjack_open,
@@ -100,6 +102,14 @@ struct cyberjack_private {
 	short		wrsent;		/* Data already sent */
 };
 
+static int cyberjack_attach(struct usb_serial *serial)
+{
+	if (serial->num_bulk_out < serial->num_ports)
+		return -ENODEV;
+
+	return 0;
+}
+
 static int cyberjack_port_probe(struct usb_serial_port *port)
 {
 	struct cyberjack_private *priv;
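Review bot: cyberjack_attach() returns -ENODEV without logging, while the equivalent checks added elsewhere in this series (edge_startup() in io_edgeport.c, keyspan_pda_attach()) print "missing endpoints" through dev_err(). A matching dev_err(&serial->interface->dev, ...) here would make a rejected device visible in the log and keep the drivers consistent.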
diff --git a/drivers/usb/serial/garmin_gps.c b/drivers/usb/serial/garmin_gps.c
index db591d19d416..37d0e8cc7af6 100644
--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1044,6 +1044,7 @@ static int garmin_write_bulk(struct usb_serial_port *port,
 		   "%s - usb_submit_urb(write bulk) failed with status = %d\n",
 				__func__, status);
 		count = status;
+		kfree(buffer);
 	}
 
 	/* we are done with this urb, so let the host driver
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 1947ea0e0988..b63a6c3899c5 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2761,6 +2761,11 @@ static int edge_startup(struct usb_serial *serial)
 					EDGE_COMPATIBILITY_MASK1,
 					EDGE_COMPATIBILITY_MASK2 };
 
+	if (serial->num_bulk_in < 1 || serial->num_interrupt_in < 1) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	dev = serial->dev;
 
 	/* create our private serial structure */
diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index c0a42e9e6777..eea16550e582 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1376,7 +1376,7 @@ stayinbootmode:
 	dev_dbg(dev, "%s - STAYING IN BOOT MODE\n", __func__);
 	serial->product_info.TiMode = TI_MODE_BOOT;
 
-	return 0;
+	return 1;
 }
 
 
@@ -2383,6 +2383,13 @@ static int edge_startup(struct usb_serial *serial)
 	struct edgeport_serial *edge_serial;
 	int status;
 
+	/* Make sure we have the required endpoints when in download mode. */
+	if (serial->interface->cur_altsetting->desc.bNumEndpoints > 1) {
+		if (serial->num_bulk_in < serial->num_ports ||
+				serial->num_bulk_out < serial->num_ports)
+			return -ENODEV;
+	}
+
 	/* create our private serial structure */
 	edge_serial = kzalloc(sizeof(struct edgeport_serial), GFP_KERNEL);
 	if (!edge_serial)
@@ -2393,11 +2400,14 @@ static int edge_startup(struct usb_serial *serial)
 	usb_set_serial_data(serial, edge_serial);
 
 	status = download_fw(edge_serial);
-	if (status) {
+	if (status < 0) {
 		kfree(edge_serial);
 		return status;
 	}
 
+	if (status > 0)
+		return 1;	/* bind but do not register any ports */
+
 	return 0;
 }
 
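Review bot: edge_startup() now relies on a three-way result from download_fw() (negative errno, 0, and a positive value that appears to come from the "return 1" added at the stayinbootmode label), but the only documentation is the inline comment on the status > 0 return. A comment at download_fw() describing the convention would help. On the status > 0 path edge_serial stays allocated and attached through usb_set_serial_data(); the changelog should confirm that the release path still frees it when no ports are registered.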
diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index 5ad4a0fb4b26..7ed7d33d6c10 100644
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -68,6 +68,16 @@ struct iuu_private {
 	u32 clk;
 };
 
+static int iuu_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports || serial->num_bulk_out < num_ports)
+		return -ENODEV;
+
+	return 0;
+}
+
 static int iuu_port_probe(struct usb_serial_port *port)
 {
 	struct iuu_private *priv;
@@ -1196,6 +1206,7 @@ static struct usb_serial_driver iuu_device = {
 	.tiocmset = iuu_tiocmset,
 	.set_termios = iuu_set_termios,
 	.init_termios = iuu_init_termios,
+	.attach = iuu_attach,
 	.port_probe = iuu_port_probe,
 	.port_remove = iuu_port_remove,
 };
diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c
index 4f7e072e4e00..930be98d59b3 100644
--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -699,6 +699,19 @@ MODULE_FIRMWARE("keyspan_pda/keyspan_pda.fw");
 MODULE_FIRMWARE("keyspan_pda/xircom_pgs.fw");
 #endif
 
+static int keyspan_pda_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int keyspan_pda_port_probe(struct usb_serial_port *port)
 {
 
@@ -776,6 +789,7 @@ static struct usb_serial_driver keyspan_pda_device = {
 	.break_ctl =		keyspan_pda_break_ctl,
 	.tiocmget =		keyspan_pda_tiocmget,
 	.tiocmset =		keyspan_pda_tiocmset,
+	.attach =		keyspan_pda_attach,
 	.port_probe =		keyspan_pda_port_probe,
 	.port_remove =		keyspan_pda_port_remove,
 };
diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c
index ca843033170c..85e074c34623 100644
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -300,7 +300,7 @@ static int  klsi_105_open(struct tty_struct *tty, struct usb_serial_port *port)
 	rc = usb_serial_generic_open(tty, port);
 	if (rc) {
 		retval = rc;
-		goto exit;
+		goto err_free_cfg;
 	}
 
 	rc = usb_control_msg(port->serial->dev,
@@ -315,21 +315,38 @@ static int  klsi_105_open(struct tty_struct *tty, struct usb_serial_port *port)
 	if (rc < 0) {
 		dev_err(&port->dev, "Enabling read failed (error = %d)\n", rc);
 		retval = rc;
+		goto err_generic_close;
 	} else
 		dev_dbg(&port->dev, "%s - enabled reading\n", __func__);
 
 	rc = klsi_105_get_line_state(port, &line_state);
-	if (rc >= 0) {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_state = line_state;
-		spin_unlock_irqrestore(&priv->lock, flags);
-		dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__, line_state);
-		retval = 0;
-	} else
+	if (rc < 0) {
 		retval = rc;
+		goto err_disable_read;
+	}
+
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->line_state = line_state;
+	spin_unlock_irqrestore(&priv->lock, flags);
+	dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__,
+			line_state);
+
+	return 0;
 
-exit:
+err_disable_read:
+	usb_control_msg(port->serial->dev,
+			     usb_sndctrlpipe(port->serial->dev, 0),
+			     KL5KUSB105A_SIO_CONFIGURE,
+			     USB_TYPE_VENDOR | USB_DIR_OUT,
+			     KL5KUSB105A_SIO_CONFIGURE_READ_OFF,
+			     0, /* index */
+			     NULL, 0,
+			     KLSI_TIMEOUT);
+err_generic_close:
+	usb_serial_generic_close(port);
+err_free_cfg:
 	kfree(cfg);
+
 	return retval;
 }
 
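Review bot: in klsi_105_open(), the new "goto err_generic_close;" sits in an if branch whose else still carries the unbraced dev_dbg(); with the goto in place the else is redundant. Drop the else and call dev_dbg() unconditionally after the block. The return value of the usb_control_msg() issued under err_disable_read is ignored, which is reasonable for best-effort cleanup but deserves a one-line comment.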
diff --git a/drivers/usb/serial/kobil_sct.c b/drivers/usb/serial/kobil_sct.c
index a31ff1503a99..95795ef7ecd5 100644
--- a/drivers/usb/serial/kobil_sct.c
+++ b/drivers/usb/serial/kobil_sct.c
@@ -51,6 +51,7 @@
 
 
 /* Function prototypes */
+static int kobil_attach(struct usb_serial *serial);
 static int kobil_port_probe(struct usb_serial_port *probe);
 static int kobil_port_remove(struct usb_serial_port *probe);
 static int  kobil_open(struct tty_struct *tty, struct usb_serial_port *port);
@@ -86,6 +87,7 @@ static struct usb_serial_driver kobil_device = {
 	.description =		"KOBIL USB smart card terminal",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		kobil_attach,
 	.port_probe =		kobil_port_probe,
 	.port_remove =		kobil_port_remove,
 	.ioctl =		kobil_ioctl,
@@ -113,6 +115,16 @@ struct kobil_private {
 };
 
 
+static int kobil_attach(struct usb_serial *serial)
+{
+	if (serial->num_interrupt_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing interrupt-out endpoint\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int kobil_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index c3b8ae360424..56c4f6d074ca 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -65,8 +65,6 @@ struct moschip_port {
 	struct urb		*write_urb_pool[NUM_URBS];
 };
 
-static struct usb_serial_driver moschip7720_2port_driver;
-
 #define USB_VENDOR_ID_MOSCHIP		0x9710
 #define MOSCHIP_DEVICE_ID_7720		0x7720
 #define MOSCHIP_DEVICE_ID_7715		0x7715
@@ -962,25 +960,6 @@ static void mos7720_bulk_out_data_callback(struct urb *urb)
 		tty_port_tty_wakeup(&mos7720_port->port->port);
 }
 
-/*
- * mos77xx_probe
- *	this function installs the appropriate read interrupt endpoint callback
- *	depending on whether the device is a 7720 or 7715, thus avoiding costly
- *	run-time checks in the high-frequency callback routine itself.
- */
-static int mos77xx_probe(struct usb_serial *serial,
-			 const struct usb_device_id *id)
-{
-	if (id->idProduct == MOSCHIP_DEVICE_ID_7715)
-		moschip7720_2port_driver.read_int_callback =
-			mos7715_interrupt_callback;
-	else
-		moschip7720_2port_driver.read_int_callback =
-			mos7720_interrupt_callback;
-
-	return 0;
-}
-
 static int mos77xx_calc_num_ports(struct usb_serial *serial)
 {
 	u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
@@ -1901,6 +1880,11 @@ static int mos7720_startup(struct usb_serial *serial)
 	u16 product;
 	int ret_val;
 
+	if (serial->num_bulk_in < 2 || serial->num_bulk_out < 2) {
+		dev_err(&serial->interface->dev, "missing bulk endpoints\n");
+		return -ENODEV;
+	}
+
 	product = le16_to_cpu(serial->dev->descriptor.idProduct);
 	dev = serial->dev;
 
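Review bot: the new endpoint check in mos7720_startup() covers bulk-in and bulk-out only, yet the function goes on to use serial->port[0]->interrupt_in_urb. Adding serial->num_interrupt_in < 1 to this test would reject such a device up front and make the NULL check added in the 7715 branch later in this function unnecessary.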
@@ -1925,19 +1909,18 @@ static int mos7720_startup(struct usb_serial *serial)
 			tmp->interrupt_in_endpointAddress;
 		serial->port[1]->interrupt_in_urb = NULL;
 		serial->port[1]->interrupt_in_buffer = NULL;
+
+		if (serial->port[0]->interrupt_in_urb) {
+			struct urb *urb = serial->port[0]->interrupt_in_urb;
+
+			urb->complete = mos7715_interrupt_callback;
+		}
 	}
 
 	/* setting configuration feature to one */
 	usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
 			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
 
-	/* start the interrupt urb */
-	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
-	if (ret_val)
-		dev_err(&dev->dev,
-			"%s - Error %d submitting control urb\n",
-			__func__, ret_val);
-
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		ret_val = mos7715_parport_init(serial);
@@ -1945,6 +1928,13 @@ static int mos7720_startup(struct usb_serial *serial)
 			return ret_val;
 	}
 #endif
+	/* start the interrupt urb */
+	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
+	if (ret_val) {
+		dev_err(&dev->dev, "failed to submit interrupt urb: %d\n",
+			ret_val);
+	}
+
 	/* LSR For Port 1 */
 	read_mos_reg(serial, 0, LSR, &data);
 	dev_dbg(&dev->dev, "LSR:%x\n", data);
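Review bot: a failed usb_submit_urb() for the interrupt URB is only logged; mos7720_startup() carries on to the LSR read with ret_val set and no return or cleanup at this point. Either return ret_val here, undoing mos7715_parport_init() when it ran, or state in a comment that the device is expected to work without the interrupt URB.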
@@ -1954,6 +1944,8 @@ static int mos7720_startup(struct usb_serial *serial)
 
 static void mos7720_release(struct usb_serial *serial)
 {
+	usb_kill_urb(serial->port[0]->interrupt_in_urb);
+
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	/* close the parallel port */
 
@@ -2036,7 +2028,6 @@ static struct usb_serial_driver moschip7720_2port_driver = {
 	.close			= mos7720_close,
 	.throttle		= mos7720_throttle,
 	.unthrottle		= mos7720_unthrottle,
-	.probe			= mos77xx_probe,
 	.attach			= mos7720_startup,
 	.release		= mos7720_release,
 	.port_probe		= mos7720_port_probe,
@@ -2050,7 +2041,7 @@ static struct usb_serial_driver moschip7720_2port_driver = {
 	.chars_in_buffer	= mos7720_chars_in_buffer,
 	.break_ctl		= mos7720_break,
 	.read_bulk_callback	= mos7720_bulk_in_callback,
-	.read_int_callback	= NULL  /* dynamically assigned in probe() */
+	.read_int_callback	= mos7720_interrupt_callback,
 };
 
 static struct usb_serial_driver * const serial_drivers[] = {
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index f5f3b49ff9d5..7cb48d3af1f4 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1037,9 +1037,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
 				serial,
 				serial->port[0]->interrupt_in_urb->interval);
 
-			/* start interrupt read for mos7840               *
-			 * will continue as long as mos7840 is connected  */
-
+			/* start interrupt read for mos7840 */
 			response =
 			    usb_submit_urb(serial->port[0]->interrupt_in_urb,
 					   GFP_KERNEL);
@@ -2179,6 +2177,17 @@ static int mos7840_calc_num_ports(struct usb_serial *serial)
 	return mos7840_num_ports;
 }
 
+static int mos7840_attach(struct usb_serial *serial)
+{
+	if (serial->num_bulk_in < serial->num_ports ||
+			serial->num_bulk_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int mos7840_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
@@ -2457,6 +2466,7 @@ static struct usb_serial_driver moschip7840_4port_device = {
 	.tiocmset = mos7840_tiocmset,
 	.tiocmiwait = usb_serial_generic_tiocmiwait,
 	.get_icount = usb_serial_generic_get_icount,
+	.attach = mos7840_attach,
 	.port_probe = mos7840_port_probe,
 	.port_remove = mos7840_port_remove,
 	.read_bulk_callback = mos7840_bulk_in_callback,
diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c
index f6c6900bccf0..a180b17d2432 100644
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -38,6 +38,7 @@ static int  omninet_write(struct tty_struct *tty, struct usb_serial_port *port,
 				const unsigned char *buf, int count);
 static int  omninet_write_room(struct tty_struct *tty);
 static void omninet_disconnect(struct usb_serial *serial);
+static int omninet_attach(struct usb_serial *serial);
 static int omninet_port_probe(struct usb_serial_port *port);
 static int omninet_port_remove(struct usb_serial_port *port);
 
@@ -56,6 +57,7 @@ static struct usb_serial_driver zyxel_omninet_device = {
 	.description =		"ZyXEL - omni.net lcd plus usb",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		omninet_attach,
 	.port_probe =		omninet_port_probe,
 	.port_remove =		omninet_port_remove,
 	.open =			omninet_open,
@@ -104,6 +106,17 @@ struct omninet_data {
 	__u8	od_outseq;	/* Sequence number for bulk_out URBs */
 };
 
+static int omninet_attach(struct usb_serial *serial)
+{
+	/* The second bulk-out endpoint is used for writing. */
+	if (serial->num_bulk_out < 2) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int omninet_port_probe(struct usb_serial_port *port)
 {
 	struct omninet_data *od;
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index f243c734eb05..2c53775226c5 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -271,6 +271,8 @@ static void option_instat_callback(struct urb *urb);
 #define TELIT_PRODUCT_CC864_SINGLE		0x1006
 #define TELIT_PRODUCT_DE910_DUAL		0x1010
 #define TELIT_PRODUCT_UE910_V2			0x1012
+#define TELIT_PRODUCT_LE922_USBCFG1		0x1040
+#define TELIT_PRODUCT_LE922_USBCFG2		0x1041
 #define TELIT_PRODUCT_LE922_USBCFG0		0x1042
 #define TELIT_PRODUCT_LE922_USBCFG3		0x1043
 #define TELIT_PRODUCT_LE922_USBCFG5		0x1045
@@ -1229,6 +1231,10 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0),
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1),
+		.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG2),
+		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3),
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
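Review bot: the USBCFG1 entry points at telit_le910_blacklist and the USBCFG2 entry at telit_le922_blacklist_usbcfg3, so the blacklist names no longer match the product they are attached to. A short comment on each entry saying the interface layout is shared would stop a later reader from treating it as a copy-and-paste slip.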
@@ -2000,6 +2006,7 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) },			/* D-Link DWM-158 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),			/* D-Link DWM-221 B1 */
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
@@ -2011,6 +2018,7 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
 	{ } /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, option_ids);
diff --git a/drivers/usb/serial/oti6858.c b/drivers/usb/serial/oti6858.c
index a4b88bc038b6..b8bf52bf7a94 100644
--- a/drivers/usb/serial/oti6858.c
+++ b/drivers/usb/serial/oti6858.c
@@ -134,6 +134,7 @@ static int oti6858_chars_in_buffer(struct tty_struct *tty);
 static int oti6858_tiocmget(struct tty_struct *tty);
 static int oti6858_tiocmset(struct tty_struct *tty,
 				unsigned int set, unsigned int clear);
+static int oti6858_attach(struct usb_serial *serial);
 static int oti6858_port_probe(struct usb_serial_port *port);
 static int oti6858_port_remove(struct usb_serial_port *port);
 
@@ -158,6 +159,7 @@ static struct usb_serial_driver oti6858_device = {
 	.write_bulk_callback =	oti6858_write_bulk_callback,
 	.write_room =		oti6858_write_room,
 	.chars_in_buffer =	oti6858_chars_in_buffer,
+	.attach =		oti6858_attach,
 	.port_probe =		oti6858_port_probe,
 	.port_remove =		oti6858_port_remove,
 };
@@ -324,6 +326,20 @@ static void send_data(struct work_struct *work)
 	usb_serial_port_softint(port);
 }
 
+static int oti6858_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int oti6858_port_probe(struct usb_serial_port *port)
 {
 	struct oti6858_private *priv;
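Review bot: the dev_err() in oti6858_attach() prints only "missing endpoints", which does not say which of the three comparisons failed. Logging num_bulk_in, num_bulk_out and num_interrupt_in against num_ports would make the rejection diagnosable from the kernel log. The same three-way test is repeated in pl2303_startup() further down, so a shared helper would keep the copies from drifting apart.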
diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
index 521959370b66..4455b1fd8b70 100644
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -49,6 +49,7 @@ static const struct usb_device_id id_table[] = {
 	{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) },
 	{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) },
 	{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID) },
+	{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID2) },
 	{ USB_DEVICE(ATEN_VENDOR_ID2, ATEN_PRODUCT_ID) },
 	{ USB_DEVICE(ELCOM_VENDOR_ID, ELCOM_PRODUCT_ID) },
 	{ USB_DEVICE(ELCOM_VENDOR_ID, ELCOM_PRODUCT_ID_UCSGT) },
@@ -216,9 +217,17 @@ static int pl2303_probe(struct usb_serial *serial,
 static int pl2303_startup(struct usb_serial *serial)
 {
 	struct pl2303_serial_private *spriv;
+	unsigned char num_ports = serial->num_ports;
 	enum pl2303_type type = TYPE_01;
 	unsigned char *buf;
 
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	spriv = kzalloc(sizeof(*spriv), GFP_KERNEL);
 	if (!spriv)
 		return -ENOMEM;
diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
index e3b7af8adfb7..09d9be88209e 100644
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -27,6 +27,7 @@
 #define ATEN_VENDOR_ID		0x0557
 #define ATEN_VENDOR_ID2		0x0547
 #define ATEN_PRODUCT_ID		0x2008
+#define ATEN_PRODUCT_ID2	0x2118
 
 #define IODATA_VENDOR_ID	0x04bb
 #define IODATA_PRODUCT_ID	0x0a03
diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index f0a2ad15a992..e08ae0505ad2 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -124,6 +124,7 @@ static const struct usb_device_id id_table[] = {
 	{USB_DEVICE(0x1410, 0xa021)},	/* Novatel Gobi 3000 Composite */
 	{USB_DEVICE(0x413c, 0x8193)},	/* Dell Gobi 3000 QDL */
 	{USB_DEVICE(0x413c, 0x8194)},	/* Dell Gobi 3000 Composite */
+	{USB_DEVICE(0x413c, 0x81a6)},	/* Dell DW5570 QDL (MC8805) */
 	{USB_DEVICE(0x1199, 0x68a4)},	/* Sierra Wireless QDL */
 	{USB_DEVICE(0x1199, 0x68a5)},	/* Sierra Wireless Modem */
 	{USB_DEVICE(0x1199, 0x68a8)},	/* Sierra Wireless QDL */
diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c
index b18974cbd995..a3ed07c58754 100644
--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -408,16 +408,12 @@ static void qt2_close(struct usb_serial_port *port)
 {
 	struct usb_serial *serial;
 	struct qt2_port_private *port_priv;
-	unsigned long flags;
 	int i;
 
 	serial = port->serial;
 	port_priv = usb_get_serial_port_data(port);
 
-	spin_lock_irqsave(&port_priv->urb_lock, flags);
 	usb_kill_urb(port_priv->write_urb);
-	port_priv->urb_in_use = false;
-	spin_unlock_irqrestore(&port_priv->urb_lock, flags);
 
 	/* flush the port transmit buffer */
 	i = usb_control_msg(serial->dev,
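Review bot: in qt2_close() the removal of the urb_lock section also drops `port_priv->urb_in_use = false;`, and nothing in this hunk replaces it. Not holding a spinlock across usb_kill_urb(), which can sleep, is right, but the changelog or a comment should state where urb_in_use is cleared once the write URB has been killed, otherwise a reopened port could find the flag still set.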
diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
index ef0dbf0703c5..475e6c31b266 100644
--- a/drivers/usb/serial/spcp8x5.c
+++ b/drivers/usb/serial/spcp8x5.c
@@ -154,6 +154,19 @@ static int spcp8x5_probe(struct usb_serial *serial,
 	return 0;
 }
 
+static int spcp8x5_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int spcp8x5_port_probe(struct usb_serial_port *port)
 {
 	const struct usb_device_id *id = usb_get_serial_data(port->serial);
@@ -477,6 +490,7 @@ static struct usb_serial_driver spcp8x5_device = {
 	.tiocmget		= spcp8x5_tiocmget,
 	.tiocmset		= spcp8x5_tiocmset,
 	.probe			= spcp8x5_probe,
+	.attach			= spcp8x5_attach,
 	.port_probe		= spcp8x5_port_probe,
 	.port_remove		= spcp8x5_port_remove,
 };
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index 7a1f446ab204..f60a1c8f2e66 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -339,6 +339,13 @@ static int ti_startup(struct usb_serial *serial)
 		goto free_tdev;
 	}
 
+	if (serial->num_bulk_in < serial->num_ports ||
+			serial->num_bulk_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		status = -ENODEV;
+		goto free_tdev;
+	}
+
 	return 0;
 
 free_tdev:
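Review bot: in ti_startup() the endpoint check sits directly before `return 0;`, after an earlier step that can already fail to free_tdev. The test reads only the counts in struct usb_serial, so it could run ahead of that work and reject a device with too few bulk endpoints before the driver does anything else with it.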
diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index 8a49c47657f4..96379e715d4b 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1990,6 +1990,13 @@ UNUSUAL_DEV(  0x152d, 0x2566, 0x0114, 0x0114,
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_BROKEN_FUA ),
 
+/* Reported-by George Cherian <george.cherian@cavium.com> */
+UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
+		"JMicron",
+		"JMS56x",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_NO_REPORT_OPCODES),
+
 /* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI)
  * and Mac USB Dock USB-SCSI */
 UNUSUAL_DEV(  0x1645, 0x0007, 0x0100, 0x0133,
diff --git a/drivers/vme/bridges/vme_ca91cx42.c b/drivers/vme/bridges/vme_ca91cx42.c
index bfb2d3f06738..674b972216c2 100644
--- a/drivers/vme/bridges/vme_ca91cx42.c
+++ b/drivers/vme/bridges/vme_ca91cx42.c
@@ -468,7 +468,7 @@ static int ca91cx42_slave_get(struct vme_slave_resource *image, int *enabled,
 	vme_bound = ioread32(bridge->base + CA91CX42_VSI_BD[i]);
 	pci_offset = ioread32(bridge->base + CA91CX42_VSI_TO[i]);
 
-	*pci_base = (dma_addr_t)vme_base + pci_offset;
+	*pci_base = (dma_addr_t)*vme_base + pci_offset;
 	*size = (unsigned long long)((vme_bound - *vme_base) + granularity);
 
 	*enabled = 0;
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 7ffbb9390628..1102fd09637d 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -765,7 +765,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
 
 	vma->vm_ops = &gntdev_vmops;
 
-	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
+	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_MIXEDMAP;
 
 	if (use_ptemod)
 		vma->vm_flags |= VM_DONTCOPY;
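Review bot: the switch from VM_IO to VM_MIXEDMAP in gntdev_mmap() carries no comment, and the flag line gives no hint why the mapping is no longer marked as I/O memory. One line above the assignment naming the behaviour that depends on VM_MIXEDMAP would protect it from being reverted in a later cleanup.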
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 6d7274619bf9..ab8652b89577 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -698,7 +698,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
 		return true;	 /* already a holder */
 	else if (bdev->bd_holder != NULL)
 		return false; 	 /* held by someone else */
-	else if (bdev->bd_contains == bdev)
+	else if (whole == bdev)
 		return true;  	 /* is a whole device which isn't held */
 
 	else if (whole->bd_holder == bd_may_claim)
@@ -1731,6 +1731,7 @@ void iterate_bdevs(void (*func)(struct block_device *, void *), void *arg)
 	spin_lock(&inode_sb_list_lock);
 	list_for_each_entry(inode, &blockdev_superblock->s_inodes, i_sb_list) {
 		struct address_space *mapping = inode->i_mapping;
+		struct block_device *bdev;
 
 		spin_lock(&inode->i_lock);
 		if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW) ||
@@ -1751,8 +1752,12 @@ void iterate_bdevs(void (*func)(struct block_device *, void *), void *arg)
 		 */
 		iput(old_inode);
 		old_inode = inode;
+		bdev = I_BDEV(inode);
 
-		func(I_BDEV(inode), arg);
+		mutex_lock(&bdev->bd_mutex);
+		if (bdev->bd_openers)
+			func(bdev, arg);
+		mutex_unlock(&bdev->bd_mutex);
 
 		spin_lock(&inode_sb_list_lock);
 	}
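Review bot: iterate_bdevs() now invokes func() with bdev->bd_mutex held and silently skips devices whose bd_openers is zero, and neither change is documented at the call site. A callback that takes bd_mutex itself, or reaches code that does, would now deadlock, so the function comment should state both the locking context and the opened-only filter.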
diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
index fbd76ded9a34..f540d163586d 100644
--- a/fs/btrfs/async-thread.c
+++ b/fs/btrfs/async-thread.c
@@ -64,6 +64,20 @@ void btrfs_##name(struct work_struct *arg)				\
 	normal_work_helper(work);					\
 }
 
+bool btrfs_workqueue_normal_congested(struct btrfs_workqueue *wq)
+{
+	/*
+	 * We could compare wq->normal->pending with num_online_cpus()
+	 * to support "thresh == NO_THRESHOLD" case, but it requires
+	 * moving up atomic_inc/dec in thresh_queue/exec_hook. Let's
+	 * postpone it until someone needs the support of that case.
+	 */
+	if (wq->normal->thresh == NO_THRESHOLD)
+		return false;
+
+	return atomic_read(&wq->normal->pending) > wq->normal->thresh * 2;
+}
+
 BTRFS_WORK_HELPER(worker_helper);
 BTRFS_WORK_HELPER(delalloc_helper);
 BTRFS_WORK_HELPER(flush_delalloc_helper);
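Review bot: the `wq->normal->thresh * 2` in btrfs_workqueue_normal_congested() is an unexplained constant. The comment covers the NO_THRESHOLD case but not why twice the threshold is the congestion point; either give the factor a name or extend the comment to justify it.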
diff --git a/fs/btrfs/async-thread.h b/fs/btrfs/async-thread.h
index e9e31c94758f..703989cd53ca 100644
--- a/fs/btrfs/async-thread.h
+++ b/fs/btrfs/async-thread.h
@@ -77,4 +77,5 @@ void btrfs_queue_work(struct btrfs_workqueue *wq,
 void btrfs_destroy_workqueue(struct btrfs_workqueue *wq);
 void btrfs_workqueue_set_max(struct btrfs_workqueue *wq, int max);
 void btrfs_set_work_high_priority(struct btrfs_work *work);
+bool btrfs_workqueue_normal_congested(struct btrfs_workqueue *wq);
 #endif
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 30289bf0601a..61f87c7edbb8 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1371,7 +1371,8 @@ release_path:
 	total_done++;
 
 	btrfs_release_prepared_delayed_node(delayed_node);
-	if (async_work->nr == 0 || total_done < async_work->nr)
+	if ((async_work->nr == 0 && total_done < BTRFS_DELAYED_WRITEBACK) ||
+	    total_done < async_work->nr)
 		goto again;
 
 free_path:
@@ -1383,11 +1384,12 @@ out:
 
 
 static int btrfs_wq_run_delayed_node(struct btrfs_delayed_root *delayed_root,
-				     struct btrfs_root *root, int nr)
+				     struct btrfs_fs_info *fs_info, int nr)
 {
 	struct btrfs_async_delayed_work *async_work;
 
-	if (atomic_read(&delayed_root->items) < BTRFS_DELAYED_BACKGROUND)
+	if (atomic_read(&delayed_root->items) < BTRFS_DELAYED_BACKGROUND ||
+	    btrfs_workqueue_normal_congested(fs_info->delayed_workers))
 		return 0;
 
 	async_work = kmalloc(sizeof(*async_work), GFP_NOFS);
@@ -1399,7 +1401,7 @@ static int btrfs_wq_run_delayed_node(struct btrfs_delayed_root *delayed_root,
 			btrfs_async_run_delayed_root, NULL, NULL);
 	async_work->nr = nr;
 
-	btrfs_queue_work(root->fs_info->delayed_workers, &async_work->work);
+	btrfs_queue_work(fs_info->delayed_workers, &async_work->work);
 	return 0;
 }
 
@@ -1426,6 +1428,7 @@ static int could_end_wait(struct btrfs_delayed_root *delayed_root, int seq)
 void btrfs_balance_delayed_items(struct btrfs_root *root)
 {
 	struct btrfs_delayed_root *delayed_root;
+	struct btrfs_fs_info *fs_info = root->fs_info;
 
 	delayed_root = btrfs_get_delayed_root(root);
 
@@ -1438,7 +1441,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
 
 		seq = atomic_read(&delayed_root->items_seq);
 
-		ret = btrfs_wq_run_delayed_node(delayed_root, root, 0);
+		ret = btrfs_wq_run_delayed_node(delayed_root, fs_info, 0);
 		if (ret)
 			return;
 
@@ -1447,7 +1450,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
 		return;
 	}
 
-	btrfs_wq_run_delayed_node(delayed_root, root, BTRFS_DELAYED_BATCH);
+	btrfs_wq_run_delayed_node(delayed_root, fs_info, BTRFS_DELAYED_BATCH);
 }
 
 /* Will return 0 or -ENOMEM */
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 482ebbcd1d72..fd518dffe6d3 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -2429,11 +2429,11 @@ static noinline int __btrfs_run_delayed_refs(struct btrfs_trans_handle *trans,
 		if (ref && ref->seq &&
 		    btrfs_check_delayed_seq(fs_info, delayed_refs, ref->seq)) {
 			spin_unlock(&locked_ref->lock);
-			btrfs_delayed_ref_unlock(locked_ref);
 			spin_lock(&delayed_refs->lock);
 			locked_ref->processing = 0;
 			delayed_refs->num_heads_ready++;
 			spin_unlock(&delayed_refs->lock);
+			btrfs_delayed_ref_unlock(locked_ref);
 			locked_ref = NULL;
 			cond_resched();
 			count++;
@@ -2479,7 +2479,10 @@ static noinline int __btrfs_run_delayed_refs(struct btrfs_trans_handle *trans,
 					 */
 					if (must_insert_reserved)
 						locked_ref->must_insert_reserved = 1;
+					spin_lock(&delayed_refs->lock);
 					locked_ref->processing = 0;
+					delayed_refs->num_heads_ready++;
+					spin_unlock(&delayed_refs->lock);
 					btrfs_debug(fs_info, "run_delayed_extent_op returned %d", ret);
 					btrfs_delayed_ref_unlock(locked_ref);
 					return ret;
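Review bot: the error path after run_delayed_extent_op now repeats the lock, `processing = 0`, `num_heads_ready++`, unlock sequence that the first hunk of this file also uses. A small helper that puts a head back into the ready state would keep the flag and the counter updated together at both sites, which is the invariant this change restores.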
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index eb4348781a97..cde876a98fb8 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -5536,6 +5536,10 @@ long btrfs_ioctl(struct file *file, unsigned int
 #ifdef CONFIG_COMPAT
 long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
+	/*
+	 * These all access 32-bit values anyway so no further
+	 * handling is necessary.
+	 */
 	switch (cmd) {
 	case FS_IOC32_GETFLAGS:
 		cmd = FS_IOC_GETFLAGS;
@@ -5546,8 +5550,6 @@ long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 	case FS_IOC32_GETVERSION:
 		cmd = FS_IOC_GETVERSION;
 		break;
-	default:
-		return -ENOIOCTLCMD;
 	}
 
 	return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
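Review bot: with the `default: return -ENOIOCTLCMD;` arm removed, every command, not only the three FS_IOC32_* ones, reaches btrfs_ioctl() with compat_ptr(arg). The comment added above the switch says "These all access 32-bit values anyway" without saying what "these" covers; it should state that it refers to the ioctls passed through untranslated, so that a later ioctl whose argument layout differs between 32-bit and 64-bit callers is recognised as needing its own case.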
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 023c5d905aac..a0fa16033006 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1778,12 +1778,11 @@ static noinline int find_dir_range(struct btrfs_root *root,
 next:
 	/* check the next slot in the tree to see if it is a valid item */
 	nritems = btrfs_header_nritems(path->nodes[0]);
+	path->slots[0]++;
 	if (path->slots[0] >= nritems) {
 		ret = btrfs_next_leaf(root, path);
 		if (ret)
 			goto out;
-	} else {
-		path->slots[0]++;
 	}
 
 	btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 8f5835c89194..61266439b603 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -262,12 +262,13 @@ static int parse_reply_info_extra(void **p, void *end,
 				  struct ceph_mds_reply_info_parsed *info,
 				  u64 features)
 {
-	if (info->head->op == CEPH_MDS_OP_GETFILELOCK)
+	u32 op = le32_to_cpu(info->head->op);
+
+	if (op == CEPH_MDS_OP_GETFILELOCK)
 		return parse_reply_info_filelock(p, end, info, features);
-	else if (info->head->op == CEPH_MDS_OP_READDIR ||
-		 info->head->op == CEPH_MDS_OP_LSSNAP)
+	else if (op == CEPH_MDS_OP_READDIR || op == CEPH_MDS_OP_LSSNAP)
 		return parse_reply_info_dir(p, end, info, features);
-	else if (info->head->op == CEPH_MDS_OP_CREATE)
+	else if (op == CEPH_MDS_OP_CREATE)
 		return parse_reply_info_create(p, end, info, features);
 	else
 		return -EIO;
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 1c663a16f78a..ba4b92846cf0 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -606,6 +606,8 @@ struct TCP_Server_Info {
 #ifdef CONFIG_CIFS_SMB2
 	unsigned int	max_read;
 	unsigned int	max_write;
+	struct delayed_work reconnect; /* reconnect workqueue job */
+	struct mutex reconnect_mutex; /* prevent simultaneous reconnects */
 #endif /* CONFIG_CIFS_SMB2 */
 };
 
@@ -795,6 +797,7 @@ cap_unix(struct cifs_ses *ses)
 struct cifs_tcon {
 	struct list_head tcon_list;
 	int tc_count;
+	struct list_head rlist; /* reconnect list */
 	struct list_head openFileList;
 	spinlock_t open_file_lock; /* protects list above */
 	struct cifs_ses *ses;	/* pointer to session associated with */
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index 05ce3072fb09..ea1cbff2932f 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -203,6 +203,9 @@ extern void cifs_add_pending_open_locked(struct cifs_fid *fid,
 					 struct tcon_link *tlink,
 					 struct cifs_pending_open *open);
 extern void cifs_del_pending_open(struct cifs_pending_open *open);
+extern void cifs_put_tcp_session(struct TCP_Server_Info *server,
+				 int from_reconnect);
+extern void cifs_put_tcon(struct cifs_tcon *tcon);
 
 #if IS_ENABLED(CONFIG_CIFS_DFS_UPCALL)
 extern void cifs_dfs_release_automount_timer(void);
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 4392296e6f3f..b8c5b541c813 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -52,6 +52,9 @@
 #include "nterr.h"
 #include "rfc1002pdu.h"
 #include "fscache.h"
+#ifdef CONFIG_CIFS_SMB2
+#include "smb2proto.h"
+#endif
 
 #define CIFS_PORT 445
 #define RFC1001_PORT 139
@@ -2060,8 +2063,8 @@ cifs_find_tcp_session(struct smb_vol *vol)
 	return NULL;
 }
 
-static void
-cifs_put_tcp_session(struct TCP_Server_Info *server)
+void
+cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
 {
 	struct task_struct *task;
 
@@ -2078,6 +2081,19 @@ cifs_put_tcp_session(struct TCP_Server_Info *server)
 
 	cancel_delayed_work_sync(&server->echo);
 
+#ifdef CONFIG_CIFS_SMB2
+	if (from_reconnect)
+		/*
+		 * Avoid deadlock here: reconnect work calls
+		 * cifs_put_tcp_session() at its end. Need to be sure
+		 * that reconnect work does nothing with server pointer after
+		 * that step.
+		 */
+		cancel_delayed_work(&server->reconnect);
+	else
+		cancel_delayed_work_sync(&server->reconnect);
+#endif
+
 	spin_lock(&GlobalMid_Lock);
 	server->tcpStatus = CifsExiting;
 	spin_unlock(&GlobalMid_Lock);
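Review bot: the `if (from_reconnect)` arm in cifs_put_tcp_session() spans several lines once the comment is counted, yet both arms are unbraced; kernel style wants braces on both branches in that case. Separately, from_reconnect is only ever passed 0 or 1 in this patch, so `bool` would describe it better than `int`.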
@@ -2142,6 +2158,10 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
 	INIT_LIST_HEAD(&tcp_ses->tcp_ses_list);
 	INIT_LIST_HEAD(&tcp_ses->smb_ses_list);
 	INIT_DELAYED_WORK(&tcp_ses->echo, cifs_echo_request);
+#ifdef CONFIG_CIFS_SMB2
+	INIT_DELAYED_WORK(&tcp_ses->reconnect, smb2_reconnect_server);
+	mutex_init(&tcp_ses->reconnect_mutex);
+#endif
 	memcpy(&tcp_ses->srcaddr, &volume_info->srcaddr,
 	       sizeof(tcp_ses->srcaddr));
 	memcpy(&tcp_ses->dstaddr, &volume_info->dstaddr,
@@ -2294,7 +2314,7 @@ cifs_put_smb_ses(struct cifs_ses *ses)
 	spin_unlock(&cifs_tcp_ses_lock);
 
 	sesInfoFree(ses);
-	cifs_put_tcp_session(server);
+	cifs_put_tcp_session(server, 0);
 }
 
 #ifdef CONFIG_KEYS
@@ -2467,7 +2487,7 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 		mutex_unlock(&ses->session_mutex);
 
 		/* existing SMB ses has a server reference already */
-		cifs_put_tcp_session(server);
+		cifs_put_tcp_session(server, 0);
 		free_xid(xid);
 		return ses;
 	}
@@ -2557,7 +2577,7 @@ cifs_find_tcon(struct cifs_ses *ses, const char *unc)
 	return NULL;
 }
 
-static void
+void
 cifs_put_tcon(struct cifs_tcon *tcon)
 {
 	unsigned int xid;
@@ -3606,7 +3626,7 @@ mount_fail_check:
 		else if (ses)
 			cifs_put_smb_ses(ses);
 		else
-			cifs_put_tcp_session(server);
+			cifs_put_tcp_session(server, 0);
 		bdi_destroy(&cifs_sb->bdi);
 	}
 
@@ -3910,7 +3930,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid)
 	ses = cifs_get_smb_ses(master_tcon->ses->server, vol_info);
 	if (IS_ERR(ses)) {
 		tcon = (struct cifs_tcon *)ses;
-		cifs_put_tcp_session(master_tcon->ses->server);
+		cifs_put_tcp_session(master_tcon->ses->server, 0);
 		goto out;
 	}
 
diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index 45992944e238..b87b07504947 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -241,7 +241,7 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile)
 	 * and check it for zero before using.
 	 */
 	max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf;
-	if (!max_buf) {
+	if (max_buf < sizeof(struct smb2_lock_element)) {
 		free_xid(xid);
 		return -EINVAL;
 	}
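Review bot: the comment just above still says to "check it for zero before using", but the test in smb2_push_mandatory_locks() is now `max_buf < sizeof(struct smb2_lock_element)`. Update the comment to say that maxBuf must hold at least one lock element, which is the property the new check enforces.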
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 1da1622aa1ea..2256a992389f 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -282,7 +282,7 @@ out:
 	case SMB2_CHANGE_NOTIFY:
 	case SMB2_QUERY_INFO:
 	case SMB2_SET_INFO:
-		return -EAGAIN;
+		rc = -EAGAIN;
 	}
 	unload_nls(nls_codepage);
 	return rc;
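Review bot: `rc = -EAGAIN;` is now the last statement of the final case group and relies on falling off the end of the switch. Add a `break;` after it so that a case appended later does not inherit the fall-through.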
@@ -1598,6 +1598,54 @@ smb2_echo_callback(struct mid_q_entry *mid)
 	add_credits(server, credits_received, CIFS_ECHO_OP);
 }
 
+void smb2_reconnect_server(struct work_struct *work)
+{
+	struct TCP_Server_Info *server = container_of(work,
+					struct TCP_Server_Info, reconnect.work);
+	struct cifs_ses *ses;
+	struct cifs_tcon *tcon, *tcon2;
+	struct list_head tmp_list;
+	int tcon_exist = false;
+
+	/* Prevent simultaneous reconnects that can corrupt tcon->rlist list */
+	mutex_lock(&server->reconnect_mutex);
+
+	INIT_LIST_HEAD(&tmp_list);
+	cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
+
+	spin_lock(&cifs_tcp_ses_lock);
+	list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+		list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
+			if (tcon->need_reconnect) {
+				tcon->tc_count++;
+				list_add_tail(&tcon->rlist, &tmp_list);
+				tcon_exist = true;
+			}
+		}
+	}
+	/*
+	 * Get the reference to server struct to be sure that the last call of
+	 * cifs_put_tcon() in the loop below won't release the server pointer.
+	 */
+	if (tcon_exist)
+		server->srv_count++;
+
+	spin_unlock(&cifs_tcp_ses_lock);
+
+	list_for_each_entry_safe(tcon, tcon2, &tmp_list, rlist) {
+		smb2_reconnect(SMB2_ECHO, tcon);
+		list_del_init(&tcon->rlist);
+		cifs_put_tcon(tcon);
+	}
+
+	cifs_dbg(FYI, "Reconnecting tcons finished\n");
+	mutex_unlock(&server->reconnect_mutex);
+
+	/* now we can safely release srv struct */
+	if (tcon_exist)
+		cifs_put_tcp_session(server, 1);
+}
+
 int
 SMB2_echo(struct TCP_Server_Info *server)
 {
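Review bot: in smb2_reconnect_server() tcon_exist is declared `int` but assigned `false` and `true`; make it `bool`. The return value of smb2_reconnect() in the list_for_each_entry_safe() loop is also discarded, so a tcon that fails to reconnect is taken off tmp_list without any trace; a cifs_dbg() on failure would help when diagnosing reconnect problems.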
@@ -1610,32 +1658,11 @@ SMB2_echo(struct TCP_Server_Info *server)
 	cifs_dbg(FYI, "In echo request\n");
 
 	if (server->tcpStatus == CifsNeedNegotiate) {
-		struct list_head *tmp, *tmp2;
-		struct cifs_ses *ses;
-		struct cifs_tcon *tcon;
-
-		cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
-		spin_lock(&cifs_tcp_ses_lock);
-		list_for_each(tmp, &server->smb_ses_list) {
-			ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
-			list_for_each(tmp2, &ses->tcon_list) {
-				tcon = list_entry(tmp2, struct cifs_tcon,
-						  tcon_list);
-				/* add check for persistent handle reconnect */
-				if (tcon && tcon->need_reconnect) {
-					spin_unlock(&cifs_tcp_ses_lock);
-					rc = smb2_reconnect(SMB2_ECHO, tcon);
-					spin_lock(&cifs_tcp_ses_lock);
-				}
-			}
-		}
-		spin_unlock(&cifs_tcp_ses_lock);
+		/* No need to send echo on newly established connections */
+		queue_delayed_work(cifsiod_wq, &server->reconnect, 0);
+		return rc;
 	}
 
-	/* if no session, renegotiate failed above */
-	if (server->tcpStatus == CifsNeedNegotiate)
-		return -EIO;
-
 	rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
 	if (rc)
 		return rc;
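Review bot: the CifsNeedNegotiate branch of SMB2_echo() now ends in `return rc;`, and rc is not assigned anywhere in this hunk before that return, whereas the removed code returned -EIO when the status was still CifsNeedNegotiate. If the intent is to report success once the reconnect work is queued, `return 0;` would say so directly and would not depend on rc's initial value.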
diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
index 8e0d57bf446b..98d9b36ea3e2 100644
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -89,6 +89,7 @@ extern int smb2_open_file(const unsigned int xid,
 extern int smb2_unlock_range(struct cifsFileInfo *cfile,
 			     struct file_lock *flock, const unsigned int xid);
 extern int smb2_push_mandatory_locks(struct cifsFileInfo *cfile);
+extern void smb2_reconnect_server(struct work_struct *work);
 
 /*
  * SMB2 Worker functions - most of protocol specific implementation details
diff --git a/fs/exec.c b/fs/exec.c
index 993ed0aba99a..5b653a126b20 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -19,7 +19,7 @@
  * current->executable is only used by the procfs.  This allows a dispatch
  * table to check for several different types  of binary formats.  We keep
  * trying until we recognize the file or we run out of supported binary
- * formats. 
+ * formats.
  */
 
 #include <linux/slab.h>
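Review bot: the trailing-space removal in the header comment is unrelated to the do_close_on_exec() move in the next hunk. Whitespace cleanups are better kept out of a fix, since they add conflict surface for later backports without changing behaviour.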
@@ -1087,6 +1087,13 @@ int flush_old_exec(struct linux_binprm * bprm)
 	flush_thread();
 	current->personality &= ~bprm->per_clear;
 
+	/*
+	 * We have to apply CLOEXEC before we change whether the process is
+	 * dumpable (in setup_new_exec) to avoid a race with a process in userspace
+	 * trying to access the should-be-closed file descriptors of a process
+	 * undergoing exec(2).
+	 */
+	do_close_on_exec(current->files);
 	return 0;
 
 out:
@@ -1136,7 +1143,6 @@ void setup_new_exec(struct linux_binprm * bprm)
 	   group */
 	current->self_exec_id++;
 	flush_signal_handlers(current, 0);
-	do_close_on_exec(current->files);
 }
 EXPORT_SYMBOL(setup_new_exec);
 
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 7af6a3dcbb1f..7bd13f3d1790 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -340,8 +340,10 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
 
 	len -= EXT4_MIN_INLINE_DATA_SIZE;
 	value = kzalloc(len, GFP_NOFS);
-	if (!value)
+	if (!value) {
+		error = -ENOMEM;
 		goto out;
+	}
 
 	error = ext4_xattr_ibody_get(inode, i.name_index, i.name,
 				     value, len);
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index c37dd715060f..898e9659ebf1 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4118,6 +4118,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 	struct inode *inode;
 	journal_t *journal = EXT4_SB(sb)->s_journal;
 	long ret;
+	loff_t size;
 	int block;
 	uid_t i_uid;
 	gid_t i_gid;
@@ -4209,6 +4210,11 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 		ei->i_file_acl |=
 			((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
 	inode->i_size = ext4_isize(raw_inode);
+	if ((size = i_size_read(inode)) < 0) {
+		EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
+		ret = -EIO;
+		goto bad_inode;
+	}
 	ei->i_disksize = inode->i_size;
 #ifdef CONFIG_QUOTA
 	ei->i_reserved_quota = 0;
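Review bot: `if ((size = i_size_read(inode)) < 0)` in ext4_iget() assigns inside the condition, which checkpatch flags and which is easy to misread. Assign `size = i_size_read(inode);` on its own line and test `size < 0` afterwards.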
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 62d0c5cbcad6..425dd618a9e2 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -668,7 +668,7 @@ static void ext4_mb_mark_free_simple(struct super_block *sb,
 	ext4_grpblk_t min;
 	ext4_grpblk_t max;
 	ext4_grpblk_t chunk;
-	unsigned short border;
+	unsigned int border;
 
 	BUG_ON(len > EXT4_CLUSTERS_PER_GROUP(sb));
 
@@ -2252,7 +2252,7 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v)
 	struct ext4_group_info *grinfo;
 	struct sg {
 		struct ext4_group_info info;
-		ext4_grpblk_t counters[16];
+		ext4_grpblk_t counters[EXT4_MAX_BLOCK_LOG_SIZE + 2];
 	} sg;
 
 	group--;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 13a33c3047f4..c608d805f509 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3301,10 +3301,15 @@ static int count_overhead(struct super_block *sb, ext4_group_t grp,
 			ext4_set_bit(s++, buf);
 			count++;
 		}
-		for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) {
-			ext4_set_bit(EXT4_B2C(sbi, s++), buf);
-			count++;
+		j = ext4_bg_num_gdb(sb, grp);
+		if (s + j > EXT4_BLOCKS_PER_GROUP(sb)) {
+			ext4_error(sb, "Invalid number of block group "
+				   "descriptor blocks: %d", j);
+			j = EXT4_BLOCKS_PER_GROUP(sb) - s;
 		}
+		count += j;
+		for (; j > 0; j--)
+			ext4_set_bit(EXT4_B2C(sbi, s++), buf);
 	}
 	if (!count)
 		return 0;
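Review bot: in count_overhead() the clamp `j = EXT4_BLOCKS_PER_GROUP(sb) - s;` can go negative if s is already past the end of the group when the check runs, and `count += j;` is applied before the `for (; j > 0; j--)` loop, so count would be reduced rather than left alone. Clamping j to zero in that case, or incrementing count inside the loop as the old code did, closes the gap.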
@@ -3407,7 +3412,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	char *orig_data = kstrdup(data, GFP_KERNEL);
 	struct buffer_head *bh;
 	struct ext4_super_block *es = NULL;
-	struct ext4_sb_info *sbi;
+	struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
 	ext4_fsblk_t block;
 	ext4_fsblk_t sb_block = get_sb_block(&data);
 	ext4_fsblk_t logical_sb_block;
@@ -3427,16 +3432,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
 	ext4_group_t first_not_zeroed;
 
-	sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
-	if (!sbi)
-		goto out_free_orig;
+	if ((data && !orig_data) || !sbi)
+		goto out_free_base;
 
 	sbi->s_blockgroup_lock =
 		kzalloc(sizeof(struct blockgroup_lock), GFP_KERNEL);
-	if (!sbi->s_blockgroup_lock) {
-		kfree(sbi);
-		goto out_free_orig;
-	}
+	if (!sbi->s_blockgroup_lock)
+		goto out_free_base;
+
 	sb->s_fs_info = sbi;
 	sbi->s_sb = sb;
 	sbi->s_inode_readahead_blks = EXT4_DEF_INODE_READAHEAD_BLKS;
@@ -3582,11 +3585,19 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	 */
 	sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;
 
-	if (!parse_options((char *) sbi->s_es->s_mount_opts, sb,
-			   &journal_devnum, &journal_ioprio, 0)) {
-		ext4_msg(sb, KERN_WARNING,
-			 "failed to parse options in superblock: %s",
-			 sbi->s_es->s_mount_opts);
+	if (sbi->s_es->s_mount_opts[0]) {
+		char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+					      sizeof(sbi->s_es->s_mount_opts),
+					      GFP_KERNEL);
+		if (!s_mount_opts)
+			goto failed_mount;
+		if (!parse_options(s_mount_opts, sb, &journal_devnum,
+				   &journal_ioprio, 0)) {
+			ext4_msg(sb, KERN_WARNING,
+				 "failed to parse options in superblock: %s",
+				 s_mount_opts);
+		}
+		kfree(s_mount_opts);
 	}
 	sbi->s_def_mount_opt = sbi->s_mount_opt;
 	if (!parse_options((char *) data, sb, &journal_devnum,
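Review bot: the `if (!s_mount_opts) goto failed_mount;` path after kstrndup() does not set an error code in this hunk, so the mount fails with whatever ret and err hold at that point. Set `ret = -ENOMEM;` before the goto so that an allocation failure is not reported as a different error.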
@@ -3750,12 +3761,16 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 
 	sbi->s_blocks_per_group = le32_to_cpu(es->s_blocks_per_group);
 	sbi->s_inodes_per_group = le32_to_cpu(es->s_inodes_per_group);
-	if (EXT4_INODE_SIZE(sb) == 0 || EXT4_INODES_PER_GROUP(sb) == 0)
-		goto cantfind_ext4;
 
 	sbi->s_inodes_per_block = blocksize / EXT4_INODE_SIZE(sb);
 	if (sbi->s_inodes_per_block == 0)
 		goto cantfind_ext4;
+	if (sbi->s_inodes_per_group < sbi->s_inodes_per_block ||
+	    sbi->s_inodes_per_group > blocksize * 8) {
+		ext4_msg(sb, KERN_ERR, "invalid inodes per group: %lu\n",
+			 sbi->s_blocks_per_group);
+		goto failed_mount;
+	}
 	sbi->s_itb_per_group = sbi->s_inodes_per_group /
 					sbi->s_inodes_per_block;
 	sbi->s_desc_per_block = blocksize / EXT4_DESC_SIZE(sb);
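Review bot: the new ext4_msg() says "invalid inodes per group" but passes `sbi->s_blocks_per_group` as the %lu argument; it should print `sbi->s_inodes_per_group`, as the message removed in the next hunk did. The format string also ends in "\n", which that removed message did not have. Finally, the hunk deletes the `EXT4_INODE_SIZE(sb) == 0` test while the following line still divides blocksize by EXT4_INODE_SIZE(sb), so the changelog should point to where a zero inode size is rejected earlier.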
@@ -3839,13 +3854,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	}
 	sbi->s_cluster_ratio = clustersize / blocksize;
 
-	if (sbi->s_inodes_per_group > blocksize * 8) {
-		ext4_msg(sb, KERN_ERR,
-		       "#inodes per group too big: %lu",
-		       sbi->s_inodes_per_group);
-		goto failed_mount;
-	}
-
 	/* Do we have standard group size of clustersize * 8 blocks ? */
 	if (sbi->s_blocks_per_group == clustersize << 3)
 		set_opt2(sb, STD_GROUP_SIZE);
@@ -4251,7 +4259,9 @@ no_journal:
 	}
 
 	ext4_msg(sb, KERN_INFO, "mounted filesystem with%s. "
-		 "Opts: %s%s%s", descr, sbi->s_es->s_mount_opts,
+		 "Opts: %.*s%s%s", descr,
+		 (int) sizeof(sbi->s_es->s_mount_opts),
+		 sbi->s_es->s_mount_opts,
 		 *sbi->s_es->s_mount_opts ? "; " : "", orig_data);
 
 	if (es->s_error_count)
@@ -4325,8 +4335,8 @@ failed_mount:
 out_fail:
 	sb->s_fs_info = NULL;
 	kfree(sbi->s_blockgroup_lock);
+out_free_base:
 	kfree(sbi);
-out_free_orig:
 	kfree(orig_data);
 	return err ? err : ret;
 }
diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
index b52c12cf5873..df18edb33601 100644
--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -295,6 +295,7 @@ static int stat_open(struct inode *inode, struct file *file)
 }
 
 static const struct file_operations stat_fops = {
+	.owner = THIS_MODULE,
 	.open = stat_open,
 	.read = seq_read,
 	.llseek = seq_lseek,
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index c832599669bc..5cbdbb6aedde 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -455,7 +455,7 @@ void nfs_force_use_readdirplus(struct inode *dir)
 {
 	if (!list_empty(&NFS_I(dir)->open_files)) {
 		nfs_advise_use_readdirplus(dir);
-		nfs_zap_mapping(dir, dir->i_mapping);
+		invalidate_mapping_pages(dir->i_mapping, 0, -1);
 	}
 }
 
@@ -837,17 +837,6 @@ int uncached_readdir(nfs_readdir_descriptor_t *desc)
 	goto out;
 }
 
-static bool nfs_dir_mapping_need_revalidate(struct inode *dir)
-{
-	struct nfs_inode *nfsi = NFS_I(dir);
-
-	if (nfs_attribute_cache_expired(dir))
-		return true;
-	if (nfsi->cache_validity & NFS_INO_INVALID_DATA)
-		return true;
-	return false;
-}
-
 /* The file offset position represents the dirent entry number.  A
    last cookie cache takes care of the common case of reading the
    whole directory.
@@ -880,7 +869,7 @@ static int nfs_readdir(struct file *file, struct dir_context *ctx)
 	desc->plus = nfs_use_readdirplus(inode, ctx) ? 1 : 0;
 
 	nfs_block_sillyrename(dentry);
-	if (ctx->pos == 0 || nfs_dir_mapping_need_revalidate(inode))
+	if (ctx->pos == 0 || nfs_attribute_cache_expired(inode))
 		res = nfs_revalidate_mapping(inode, file->f_mapping);
 	if (res < 0)
 		goto out;
diff --git a/fs/nfs/file.c b/fs/nfs/file.c
index 4042ff58fe3f..19cfc636b691 100644
--- a/fs/nfs/file.c
+++ b/fs/nfs/file.c
@@ -403,7 +403,7 @@ static int nfs_write_end(struct file *file, struct address_space *mapping,
 	 */
 	if (!PageUptodate(page)) {
 		unsigned pglen = nfs_page_length(page);
-		unsigned end = offset + len;
+		unsigned end = offset + copied;
 
 		if (pglen == 0) {
 			zero_user_segments(page, 0, offset,
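Review bot: with `end = offset + copied`, a short copy where `copied == 0` gives `end == offset`, and the zeroing below then works from an empty written range. Say in the comment above this block that the zero-length case is expected and handled, since `len` no longer appears in the calculation.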
diff --git a/fs/nfs/filelayout/filelayoutdev.c b/fs/nfs/filelayout/filelayoutdev.c
index 44bf0140a4c7..651b171387e2 100644
--- a/fs/nfs/filelayout/filelayoutdev.c
+++ b/fs/nfs/filelayout/filelayoutdev.c
@@ -827,7 +827,8 @@ nfs4_fl_prepare_ds(struct pnfs_layout_segment *lseg, u32 ds_idx)
 		nfs4_wait_ds_connect(ds);
 	}
 out_test_devid:
-	if (filelayout_test_devid_unavailable(devid))
+	if (ret->ds_clp == NULL ||
+	    filelayout_test_devid_unavailable(devid))
 		ret = NULL;
 out:
 	return ret;
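Review bot: `ret->ds_clp == NULL` dereferences `ret` at `out_test_devid`, so every path reaching that label must arrive with a non-NULL `ret`. The hunk does not show that; either guard the test with a check on `ret` or add a comment stating the invariant.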
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 3d88bc967c8e..f96c66b4d504 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1086,6 +1086,7 @@ static void nfs_increment_seqid(int status, struct nfs_seqid *seqid)
 		case -NFS4ERR_BADXDR:
 		case -NFS4ERR_RESOURCE:
 		case -NFS4ERR_NOFILEHANDLE:
+		case -NFS4ERR_MOVED:
 			/* Non-seqid mutating errors */
 			return;
 	};
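Review bot: `-NFS4ERR_MOVED` is added to this non-seqid-mutating list and, separately, to seqid_mutating_err() in include/linux/nfs4.h. The two switch statements carry the same error list and can drift apart; a comment in each pointing at the other would make the next addition harder to get half right.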
diff --git a/fs/notify/inode_mark.c b/fs/notify/inode_mark.c
index fbb9dfb7b1d2..12c6ff070cd8 100644
--- a/fs/notify/inode_mark.c
+++ b/fs/notify/inode_mark.c
@@ -249,12 +249,10 @@ out:
  */
 void fsnotify_unmount_inodes(struct list_head *list)
 {
-	struct inode *inode, *next_i, *need_iput = NULL;
+	struct inode *inode, *iput_inode = NULL;
 
 	spin_lock(&inode_sb_list_lock);
-	list_for_each_entry_safe(inode, next_i, list, i_sb_list) {
-		struct inode *need_iput_tmp;
-
+	list_for_each_entry(inode, list, i_sb_list) {
 		/*
 		 * We cannot __iget() an inode in state I_FREEING,
 		 * I_WILL_FREE, or I_NEW which is fine because by that point
@@ -277,50 +275,24 @@ void fsnotify_unmount_inodes(struct list_head *list)
 			continue;
 		}
 
-		need_iput_tmp = need_iput;
-		need_iput = NULL;
-
-		/* In case fsnotify_inode_delete() drops a reference. */
-		if (inode != need_iput_tmp)
-			__iget(inode);
-		else
-			need_iput_tmp = NULL;
+		__iget(inode);
 		spin_unlock(&inode->i_lock);
-
-		/* In case the dropping of a reference would nuke next_i. */
-		while (&next_i->i_sb_list != list) {
-			spin_lock(&next_i->i_lock);
-			if (!(next_i->i_state & (I_FREEING | I_WILL_FREE)) &&
-						atomic_read(&next_i->i_count)) {
-				__iget(next_i);
-				need_iput = next_i;
-				spin_unlock(&next_i->i_lock);
-				break;
-			}
-			spin_unlock(&next_i->i_lock);
-			next_i = list_entry(next_i->i_sb_list.next,
-						struct inode, i_sb_list);
-		}
-
-		/*
-		 * We can safely drop inode_sb_list_lock here because either
-		 * we actually hold references on both inode and next_i or
-		 * end of list.  Also no new inodes will be added since the
-		 * umount has begun.
-		 */
 		spin_unlock(&inode_sb_list_lock);
 
-		if (need_iput_tmp)
-			iput(need_iput_tmp);
+		if (iput_inode)
+			iput(iput_inode);
 
 		/* for each watch, send FS_UNMOUNT and then remove it */
 		fsnotify(inode, FS_UNMOUNT, inode, FSNOTIFY_EVENT_INODE, NULL, 0);
 
 		fsnotify_inode_delete(inode);
 
-		iput(inode);
+		iput_inode = inode;
 
 		spin_lock(&inode_sb_list_lock);
 	}
 	spin_unlock(&inode_sb_list_lock);
+
+	if (iput_inode)
+		iput(iput_inode);
 }
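Review bot: the deleted comment was the only explanation of why inode_sb_list_lock may be dropped mid-walk, and the new loop relies on a different invariant. The `iput()` of the previous inode is deferred through `iput_inode`, so the current inode is still referenced when list_for_each_entry() advances from it after the lock is retaken. Put that in a comment next to `iput_inode = inode;`.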
diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
index 118a494a323e..3c4d6f5811e8 100644
--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -3305,6 +3305,16 @@ static int ocfs2_downconvert_lock(struct ocfs2_super *osb,
 	mlog(ML_BASTS, "lockres %s, level %d => %d\n", lockres->l_name,
 	     lockres->l_level, new_level);
 
+	/*
+	 * On DLM_LKF_VALBLK, fsdlm behaves differently with o2cb. It always
+	 * expects DLM_LKF_VALBLK being set if the LKB has LVB, so that
+	 * we can recover correctly from node failure. Otherwise, we may get
+	 * invalid LVB in LKB, but without DLM_SBF_VALNOTVALID being set.
+	 */
+	if (!ocfs2_is_o2cb_active() &&
+	    lockres->l_ops->flags & LOCK_TYPE_USES_LVB)
+		lvb = 1;
+
 	if (lvb)
 		dlm_flags |= DLM_LKF_VALBLK;
 
diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
index 5d965e83bd43..783bcdce5666 100644
--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -48,6 +48,12 @@ static char ocfs2_hb_ctl_path[OCFS2_MAX_HB_CTL_PATH] = "/sbin/ocfs2_hb_ctl";
  */
 static struct ocfs2_stack_plugin *active_stack;
 
+inline int ocfs2_is_o2cb_active(void)
+{
+	return !strcmp(active_stack->sp_name, OCFS2_STACK_PLUGIN_O2CB);
+}
+EXPORT_SYMBOL_GPL(ocfs2_is_o2cb_active);
+
 static struct ocfs2_stack_plugin *ocfs2_stack_lookup(const char *name)
 {
 	struct ocfs2_stack_plugin *p;
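Review bot: `ocfs2_is_o2cb_active()` is declared `inline` yet is non-static and exported with EXPORT_SYMBOL_GPL, so the `inline` does nothing for callers in other modules and should be dropped. The function also dereferences `active_stack` with no NULL check and no lock; document that callers must only run while a stack plugin is attached.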
diff --git a/fs/ocfs2/stackglue.h b/fs/ocfs2/stackglue.h
index 66334a30cea8..e1b30931974d 100644
--- a/fs/ocfs2/stackglue.h
+++ b/fs/ocfs2/stackglue.h
@@ -298,4 +298,7 @@ void ocfs2_stack_glue_set_max_proto_version(struct ocfs2_protocol_version *max_p
 int ocfs2_stack_glue_register(struct ocfs2_stack_plugin *plugin);
 void ocfs2_stack_glue_unregister(struct ocfs2_stack_plugin *plugin);
 
+/* In ocfs2_downconvert_lock(), we need to know which stack we are using */
+int ocfs2_is_o2cb_active(void);
+
 #endif  /* STACKGLUE_H */
diff --git a/fs/splice.c b/fs/splice.c
index 962c7f7e03f6..41f10ce929dd 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -212,6 +212,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
 			buf->len = spd->partial[page_nr].len;
 			buf->private = spd->partial[page_nr].private;
 			buf->ops = spd->ops;
+			buf->flags = 0;
 			if (spd->flags & SPLICE_F_GIFT)
 				buf->flags |= PIPE_BUF_FLAG_GIFT;
 
diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
index 8a40cf9c02d7..f07596463cde 100644
--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -34,6 +34,11 @@
 #include <linux/slab.h>
 #include "ubifs.h"
 
+static int try_read_node(const struct ubifs_info *c, void *buf, int type,
+			 int len, int lnum, int offs);
+static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
+			      struct ubifs_zbranch *zbr, void *node);
+
 /*
  * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
  * @NAME_LESS: name corresponding to the first argument is less than second
@@ -403,7 +408,19 @@ static int tnc_read_node_nm(struct ubifs_info *c, struct ubifs_zbranch *zbr,
 		return 0;
 	}
 
-	err = ubifs_tnc_read_node(c, zbr, node);
+	if (c->replaying) {
+		err = fallible_read_node(c, &zbr->key, zbr, node);
+		/*
+		 * When the node was not found, return -ENOENT, 0 otherwise.
+		 * Negative return codes stay as-is.
+		 */
+		if (err == 0)
+			err = -ENOENT;
+		else if (err == 1)
+			err = 0;
+	} else {
+		err = ubifs_tnc_read_node(c, zbr, node);
+	}
 	if (err)
 		return err;
 
@@ -2767,7 +2784,11 @@ struct ubifs_dent_node *ubifs_tnc_next_ent(struct ubifs_info *c,
 	if (nm->name) {
 		if (err) {
 			/* Handle collisions */
-			err = resolve_collision(c, key, &znode, &n, nm);
+			if (c->replaying)
+				err = fallible_resolve_collision(c, key, &znode, &n,
+							 nm, 0);
+			else
+				err = resolve_collision(c, key, &znode, &n, nm);
 			dbg_tnc("rc returned %d, znode %p, n %d",
 				err, znode, n);
 			if (unlikely(err < 0))
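Review bot: `fallible_resolve_collision(c, key, &znode, &n, nm, 0)` passes a bare `0` as its last argument, so the call site does not say what is being disabled; name it in a comment. The shared `dbg_tnc` and `err < 0` handling that follows also assumes both resolvers use the same return convention, which deserves a sentence given that tnc_read_node_nm() had to remap fallible_read_node()'s 0 and 1 results.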
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 3d807ef4f821..09dc999a7e4e 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -1632,6 +1632,7 @@ xfs_swap_extents(
 	int		error = 0;
 	int		aforkblks = 0;
 	int		taforkblks = 0;
+	xfs_extnum_t	nextents;
 	__uint64_t	tmp;
 	int		lock_flags;
 
@@ -1833,7 +1834,8 @@ xfs_swap_extents(
 		 * pointer.  Otherwise it's already NULL or
 		 * pointing to the extent.
 		 */
-		if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) {
+		nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
+		if (nextents <= XFS_INLINE_EXTS) {
 			ifp->if_u1.if_extents =
 				ifp->if_u2.if_inline_ext;
 		}
@@ -1852,7 +1854,8 @@ xfs_swap_extents(
 		 * pointer.  Otherwise it's already NULL or
 		 * pointing to the extent.
 		 */
-		if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) {
+		nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
+		if (nextents <= XFS_INLINE_EXTS) {
 			tifp->if_u1.if_extents =
 				tifp->if_u2.if_inline_ext;
 		}
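Review bot: `if_bytes / (uint)sizeof(xfs_bmbt_rec_t)` is open-coded here for `tip` and in the previous hunk for `ip`, replacing `di_nextents` with no word on why the in-core fork size is now the right count. Extend the existing comment block to say so, and consider a small helper so the two sites cannot diverge.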
diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 4b973653a0e8..21737d4bab7c 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3813,6 +3813,7 @@ xlog_recover_clear_agi_bucket(
 	agi->agi_unlinked[bucket] = cpu_to_be32(NULLAGINO);
 	offset = offsetof(xfs_agi_t, agi_unlinked) +
 		 (sizeof(xfs_agino_t) * bucket);
+	xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
 	xfs_trans_log_buf(tp, agibp, offset,
 			  (offset + sizeof(xfs_agino_t) - 1));
 
diff --git a/include/linux/can/core.h b/include/linux/can/core.h
index a0875001b13c..df08a41d5be5 100644
--- a/include/linux/can/core.h
+++ b/include/linux/can/core.h
@@ -45,10 +45,9 @@ struct can_proto {
 extern int  can_proto_register(const struct can_proto *cp);
 extern void can_proto_unregister(const struct can_proto *cp);
 
-extern int  can_rx_register(struct net_device *dev, canid_t can_id,
-			    canid_t mask,
-			    void (*func)(struct sk_buff *, void *),
-			    void *data, char *ident);
+int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
+		    void (*func)(struct sk_buff *, void *),
+		    void *data, char *ident, struct sock *sk);
 
 extern void can_rx_unregister(struct net_device *dev, canid_t can_id,
 			      canid_t mask,
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 285111f95464..3b73e762b2f5 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -122,22 +122,16 @@ enum {
 		{ .notifier_call = fn, .priority = pri };	\
 	__register_cpu_notifier(&fn##_nb);			\
 }
-#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
 
-#ifdef CONFIG_HOTPLUG_CPU
 extern int register_cpu_notifier(struct notifier_block *nb);
 extern int __register_cpu_notifier(struct notifier_block *nb);
 extern void unregister_cpu_notifier(struct notifier_block *nb);
 extern void __unregister_cpu_notifier(struct notifier_block *nb);
-#else
 
-#ifndef MODULE
-extern int register_cpu_notifier(struct notifier_block *nb);
-extern int __register_cpu_notifier(struct notifier_block *nb);
-#else
+#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+#define __cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+
 static inline int register_cpu_notifier(struct notifier_block *nb)
 {
 	return 0;
@@ -147,7 +141,6 @@ static inline int __register_cpu_notifier(struct notifier_block *nb)
 {
 	return 0;
 }
-#endif
 
 static inline void unregister_cpu_notifier(struct notifier_block *nb)
 {
diff --git a/include/linux/jump_label_ratelimit.h b/include/linux/jump_label_ratelimit.h
index 089f70f83e97..23da3af459fe 100644
--- a/include/linux/jump_label_ratelimit.h
+++ b/include/linux/jump_label_ratelimit.h
@@ -14,6 +14,7 @@ struct static_key_deferred {
 
 #ifdef HAVE_JUMP_LABEL
 extern void static_key_slow_dec_deferred(struct static_key_deferred *key);
+extern void static_key_deferred_flush(struct static_key_deferred *key);
 extern void
 jump_label_rate_limit(struct static_key_deferred *key, unsigned long rl);
 
@@ -26,6 +27,10 @@ static inline void static_key_slow_dec_deferred(struct static_key_deferred *key)
 	STATIC_KEY_CHECK_USE();
 	static_key_slow_dec(&key->key);
 }
+static inline void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	STATIC_KEY_CHECK_USE();
+}
 static inline void
 jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index b3404718fda1..e5145f8e4004 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -2016,14 +2016,19 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
 	return NAPI_GRO_CB(skb)->frag0_len < hlen;
 }
 
+static inline void skb_gro_frag0_invalidate(struct sk_buff *skb)
+{
+	NAPI_GRO_CB(skb)->frag0 = NULL;
+	NAPI_GRO_CB(skb)->frag0_len = 0;
+}
+
 static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
 					unsigned int offset)
 {
 	if (!pskb_may_pull(skb, hlen))
 		return NULL;
 
-	NAPI_GRO_CB(skb)->frag0 = NULL;
-	NAPI_GRO_CB(skb)->frag0_len = 0;
+	skb_gro_frag0_invalidate(skb);
 	return skb->data + offset;
 }
 
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index a1e3064a8d99..b17c7031d2bb 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -243,7 +243,7 @@ enum nfsstat4 {
 
 static inline bool seqid_mutating_err(u32 err)
 {
-	/* rfc 3530 section 8.1.5: */
+	/* See RFC 7530, section 9.1.7 */
 	switch (err) {
 	case NFS4ERR_STALE_CLIENTID:
 	case NFS4ERR_STALE_STATEID:
@@ -252,6 +252,7 @@ static inline bool seqid_mutating_err(u32 err)
 	case NFS4ERR_BADXDR:
 	case NFS4ERR_RESOURCE:
 	case NFS4ERR_NOFILEHANDLE:
+	case NFS4ERR_MOVED:
 		return false;
 	};
 	return true;
diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h
index 70736b98c721..c2a0ecf02d27 100644
--- a/include/linux/sunrpc/clnt.h
+++ b/include/linux/sunrpc/clnt.h
@@ -175,6 +175,7 @@ void		rpc_force_rebind(struct rpc_clnt *);
 size_t		rpc_peeraddr(struct rpc_clnt *, struct sockaddr *, size_t);
 const char	*rpc_peeraddr2str(struct rpc_clnt *, enum rpc_display_format_t);
 int		rpc_localaddr(struct rpc_clnt *, struct sockaddr *, size_t);
+void rpc_cleanup_clids(void);
 
 #endif /* __KERNEL__ */
 #endif /* _LINUX_SUNRPC_CLNT_H */
diff --git a/include/linux/tcp.h b/include/linux/tcp.h
index a0513210798f..d7da0cf3332b 100644
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -57,8 +57,13 @@ static inline unsigned int tcp_optlen(const struct sk_buff *skb)
 
 /* TCP Fast Open Cookie as stored in memory */
 struct tcp_fastopen_cookie {
+	union {
+		u8	val[TCP_FASTOPEN_COOKIE_MAX];
+#if IS_ENABLED(CONFIG_IPV6)
+		struct in6_addr addr;
+#endif
+	};
 	s8	len;
-	u8	val[TCP_FASTOPEN_COOKIE_MAX];
 };
 
 /* This defines a selective acknowledgement block. */
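Review bot: the union overlays `struct in6_addr addr` on `val` without saying what `addr` is for, and moving `len` after it changes the struct layout. Add a comment on the purpose of `addr`. The cookie also stays at TCP_FASTOPEN_COOKIE_MAX bytes only if that constant is at least sizeof(struct in6_addr), which a BUILD_BUG_ON could pin down.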
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index e46c437944f7..024ab92822fd 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -3942,6 +3942,17 @@ void cfg80211_rx_assoc_resp(struct net_device *dev,
 void cfg80211_assoc_timeout(struct net_device *dev, struct cfg80211_bss *bss);
 
 /**
+ * cfg80211_abandon_assoc - notify cfg80211 of abandoned association attempt
+ * @dev: network device
+ * @bss: The BSS entry with which association was abandoned.
+ *
+ * Call this whenever - for reasons reported through other API, like deauth RX,
+ * an association attempt was abandoned.
+ * This function may sleep. The caller must hold the corresponding wdev's mutex.
+ */
+void cfg80211_abandon_assoc(struct net_device *dev, struct cfg80211_bss *bss);
+
+/**
  * cfg80211_tx_mlme_mgmt - notification of transmitted deauth/disassoc frame
  * @dev: network device
  * @buf: 802.11 frame (header + body)
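Review bot: the kerneldoc sentence "Call this whenever - for reasons reported through other API, like deauth RX, an association attempt was abandoned." opens a dash that is never closed and reads as a fragment. Reword it, for example: "Call this whenever an association attempt was abandoned for reasons reported through another API, such as deauth RX."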
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index a6fd939f202d..c8b8852ce9b8 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -302,6 +302,10 @@ static inline int cipso_v4_validate(const struct sk_buff *skb,
 	}
 
 	for (opt_iter = 6; opt_iter < opt_len;) {
+		if (opt_iter + 1 == opt_len) {
+			err_offset = opt_iter;
+			goto out;
+		}
 		tag_len = opt[opt_iter + 1];
 		if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) {
 			err_offset = opt_iter + 1;
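Review bot: the added `opt_iter + 1 == opt_len` test is what keeps the read of `opt[opt_iter + 1]` inside the option, and an equality test suffices only because the loop condition already guarantees `opt_iter < opt_len`. A short comment that each tag needs at least a type byte and a length byte would make the bound obvious to the next reader.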
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 99eac12d040b..6e11c346137d 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -12,6 +12,8 @@
 #define NF_LOG_UID		0x08	/* Log UID owning local socket */
 #define NF_LOG_MASK		0x0f
 
+#define NF_LOG_PREFIXLEN	128
+
 #define NF_LOG_TYPE_LOG		0x01
 #define NF_LOG_TYPE_ULOG	0x02
 
diff --git a/include/net/sock.h b/include/net/sock.h
index 07ede95596bb..ae9dc6ce5712 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1411,7 +1411,7 @@ static inline struct inode *SOCK_INODE(struct socket *socket)
  * Functions for memory accounting
  */
 int __sk_mem_schedule(struct sock *sk, int size, int kind);
-void __sk_mem_reclaim(struct sock *sk);
+void __sk_mem_reclaim(struct sock *sk, int amount);
 
 #define SK_MEM_QUANTUM ((int)PAGE_SIZE)
 #define SK_MEM_QUANTUM_SHIFT ilog2(SK_MEM_QUANTUM)
@@ -1452,7 +1452,7 @@ static inline void sk_mem_reclaim(struct sock *sk)
 	if (!sk_has_account(sk))
 		return;
 	if (sk->sk_forward_alloc >= SK_MEM_QUANTUM)
-		__sk_mem_reclaim(sk);
+		__sk_mem_reclaim(sk, sk->sk_forward_alloc);
 }
 
 static inline void sk_mem_reclaim_partial(struct sock *sk)
@@ -1460,7 +1460,7 @@ static inline void sk_mem_reclaim_partial(struct sock *sk)
 	if (!sk_has_account(sk))
 		return;
 	if (sk->sk_forward_alloc > SK_MEM_QUANTUM)
-		__sk_mem_reclaim(sk);
+		__sk_mem_reclaim(sk, sk->sk_forward_alloc - 1);
 }
 
 static inline void sk_mem_charge(struct sock *sk, int size)
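Review bot: `sk->sk_forward_alloc - 1` in sk_mem_reclaim_partial() is unexplained. The `- 1` presumably leaves a partial SK_MEM_QUANTUM behind once __sk_mem_reclaim() rounds the amount, but that rounding is not visible in this hunk; add a comment at the call site stating the intent.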
@@ -1475,6 +1475,16 @@ static inline void sk_mem_uncharge(struct sock *sk, int size)
 	if (!sk_has_account(sk))
 		return;
 	sk->sk_forward_alloc += size;
+
+	/* Avoid a possible overflow.
+	 * TCP send queues can make this happen, if sk_mem_reclaim()
+	 * is not called and more than 2 GBytes are released at once.
+	 *
+	 * If we reach 2 MBytes, reclaim 1 MBytes right now, there is
+	 * no need to hold that much forward allocation anyway.
+	 */
+	if (unlikely(sk->sk_forward_alloc >= 1 << 21))
+		__sk_mem_reclaim(sk, 1 << 20);
 }
 
 static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb)
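Review bot: the thresholds `1 << 21` and `1 << 20` in sk_mem_uncharge() are bare literals tied to the comment's "2 MBytes" and "1 MBytes". Named constants would keep the comment and the code from drifting apart and would give other callers of __sk_mem_reclaim() something to reference.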
@@ -1569,6 +1579,7 @@ struct sk_buff *sock_wmalloc(struct sock *sk, unsigned long size, int force,
 void sock_wfree(struct sk_buff *skb);
 void skb_orphan_partial(struct sk_buff *skb);
 void sock_rfree(struct sk_buff *skb);
+void sock_efree(struct sk_buff *skb);
 void sock_edemux(struct sk_buff *skb);
 
 int sock_setsockopt(struct socket *sock, int level, int op,
diff --git a/include/uapi/linux/usb/ch9.h b/include/uapi/linux/usb/ch9.h
index aa33fd1b2d4f..a81f5473a801 100644
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -398,6 +398,11 @@ struct usb_endpoint_descriptor {
 #define USB_ENDPOINT_XFER_INT		3
 #define USB_ENDPOINT_MAX_ADJUSTABLE	0x80
 
+#define USB_EP_MAXP_MULT_SHIFT	11
+#define USB_EP_MAXP_MULT_MASK	(3 << USB_EP_MAXP_MULT_SHIFT)
+#define USB_EP_MAXP_MULT(m) \
+	(((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT)
+
 /* The USB 3.0 spec redefines bits 5:4 of bmAttributes as interrupt ep type. */
 #define USB_ENDPOINT_INTRTYPE		0x30
 #define USB_ENDPOINT_INTR_PERIODIC	(0 << 4)
@@ -605,6 +610,20 @@ static inline int usb_endpoint_maxp(const struct usb_endpoint_descriptor *epd)
 	return __le16_to_cpu(epd->wMaxPacketSize);
 }
 
+/**
+ * usb_endpoint_maxp_mult - get endpoint's transactional opportunities
+ * @epd: endpoint to be checked
+ *
+ * Return @epd's wMaxPacketSize[12:11] + 1
+ */
+static inline int
+usb_endpoint_maxp_mult(const struct usb_endpoint_descriptor *epd)
+{
+	int maxp = __le16_to_cpu(epd->wMaxPacketSize);
+
+	return USB_EP_MAXP_MULT(maxp) + 1;
+}
+
 static inline int usb_endpoint_interrupt_type(
 		const struct usb_endpoint_descriptor *epd)
 {
diff --git a/ipc/shm.c b/ipc/shm.c
index 471f730e8640..f8bb7b3fdd49 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1044,8 +1044,8 @@ out_unlock1:
  * "raddr" thing points to kernel space, and there has to be a wrapper around
  * this.
  */
-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
-	      unsigned long shmlba)
+long do_shmat(int shmid, char __user *shmaddr, int shmflg,
+	      ulong *raddr, unsigned long shmlba)
 {
 	struct shmid_kernel *shp;
 	unsigned long addr;
@@ -1066,8 +1066,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
 		goto out;
 	else if ((addr = (ulong)shmaddr)) {
 		if (addr & (shmlba - 1)) {
-			if (shmflg & SHM_RND)
-				addr &= ~(shmlba - 1);	   /* round down */
+			/*
+			 * Round down to the nearest multiple of shmlba.
+			 * For sane do_mmap_pgoff() parameters, avoid
+			 * round downs that trigger nil-page and MAP_FIXED.
+			 */
+			if ((shmflg & SHM_RND) && addr >= shmlba)
+				addr &= ~(shmlba - 1);
 			else
 #ifndef __ARCH_FORCE_SHMLBA
 				if (addr & ~PAGE_MASK)
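Review bot: with the added `addr >= shmlba` test, a SHM_RND request whose address lies below shmlba now falls into the `else` branch and is handled like an unaligned address without SHM_RND. The new comment explains why rounding down to zero is avoided but not what the caller gets instead; state the resulting outcome there.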
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 247d8dd17a2c..e160b9b065e6 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -210,12 +210,6 @@ static int cpu_notify(unsigned long val, void *v)
 	return __cpu_notify(val, v, -1, NULL);
 }
 
-#ifdef CONFIG_HOTPLUG_CPU
-
-static void cpu_notify_nofail(unsigned long val, void *v)
-{
-	BUG_ON(cpu_notify(val, v));
-}
 EXPORT_SYMBOL(register_cpu_notifier);
 EXPORT_SYMBOL(__register_cpu_notifier);
 
@@ -233,6 +227,13 @@ void __ref __unregister_cpu_notifier(struct notifier_block *nb)
 }
 EXPORT_SYMBOL(__unregister_cpu_notifier);
 
+#ifdef CONFIG_HOTPLUG_CPU
+
+static void cpu_notify_nofail(unsigned long val, void *v)
+{
+	BUG_ON(cpu_notify(val, v));
+}
+
 /**
  * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
  * @cpu: a CPU id
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 7413ddd1de57..2faaed3ba61b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5472,6 +5472,27 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
 	char *buf = NULL;
 	char *name;
 
+	if (vma->vm_flags & VM_READ)
+		prot |= PROT_READ;
+	if (vma->vm_flags & VM_WRITE)
+		prot |= PROT_WRITE;
+	if (vma->vm_flags & VM_EXEC)
+		prot |= PROT_EXEC;
+
+	if (vma->vm_flags & VM_MAYSHARE)
+		flags = MAP_SHARED;
+	else
+		flags = MAP_PRIVATE;
+
+	if (vma->vm_flags & VM_DENYWRITE)
+		flags |= MAP_DENYWRITE;
+	if (vma->vm_flags & VM_MAYEXEC)
+		flags |= MAP_EXECUTABLE;
+	if (vma->vm_flags & VM_LOCKED)
+		flags |= MAP_LOCKED;
+	if (vma->vm_flags & VM_HUGETLB)
+		flags |= MAP_HUGETLB;
+
 	if (file) {
 		struct inode *inode;
 		dev_t dev;
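Review bot: the `prot |=` lines now run before the `if (file)` test and therefore on every path, including those that never executed them before. `prot` is only OR-ed into, so its declaration (outside this hunk) must initialise it to 0; that is worth confirming, since `flags` by contrast is assigned outright by the MAP_SHARED/MAP_PRIVATE branch.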
@@ -5498,27 +5519,6 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
 		maj = MAJOR(dev);
 		min = MINOR(dev);
 
-		if (vma->vm_flags & VM_READ)
-			prot |= PROT_READ;
-		if (vma->vm_flags & VM_WRITE)
-			prot |= PROT_WRITE;
-		if (vma->vm_flags & VM_EXEC)
-			prot |= PROT_EXEC;
-
-		if (vma->vm_flags & VM_MAYSHARE)
-			flags = MAP_SHARED;
-		else
-			flags = MAP_PRIVATE;
-
-		if (vma->vm_flags & VM_DENYWRITE)
-			flags |= MAP_DENYWRITE;
-		if (vma->vm_flags & VM_MAYEXEC)
-			flags |= MAP_EXECUTABLE;
-		if (vma->vm_flags & VM_LOCKED)
-			flags |= MAP_LOCKED;
-		if (vma->vm_flags & VM_HUGETLB)
-			flags |= MAP_HUGETLB;
-
 		goto got_name;
 	} else {
 		name = (char *)arch_vma_name(vma);
diff --git a/kernel/futex.c b/kernel/futex.c
index af67d3eaf232..1d1ccb0e87a7 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3085,4 +3085,4 @@ static int __init futex_init(void)
 
 	return 0;
 }
-__initcall(futex_init);
+core_initcall(futex_init);
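Review bot: switching `__initcall` to `core_initcall` changes when futex_init() runs relative to other initcalls, but the line carries no comment saying what depends on the earlier ordering. Add one so the call is not moved back in a later cleanup.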
diff --git a/kernel/jump_label.c b/kernel/jump_label.c
index 9019f15deab2..7d4d0a917d13 100644
--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -116,6 +116,13 @@ void static_key_slow_dec_deferred(struct static_key_deferred *key)
 }
 EXPORT_SYMBOL_GPL(static_key_slow_dec_deferred);
 
+void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	STATIC_KEY_CHECK_USE();
+	flush_delayed_work(&key->work);
+}
+EXPORT_SYMBOL_GPL(static_key_deferred_flush);
+
 void jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
 {
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 627bf25048c6..e4c6905db298 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1356,7 +1356,7 @@ static void call_console_drivers(int level, const char *text, size_t len)
 {
 	struct console *con;
 
-	trace_console(text, len);
+	trace_console_rcuidle(text, len);
 
 	if (level >= console_loglevel && !ignore_loglevel)
 		return;
diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c
index 349ada9a7fa5..ed0d9b8b666a 100644
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -753,6 +753,9 @@ cputime_t task_gtime(struct task_struct *t)
 	unsigned int seq;
 	cputime_t gtime;
 
+	if (!context_tracking_is_enabled())
+		return t->gtime;
+
 	do {
 		seq = read_seqbegin(&t->vtime_seqlock);
 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index f9293694b52a..3a3172559b22 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2317,6 +2317,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 				break;
 			if (neg)
 				continue;
+			val = convmul * val / convdiv;
 			if ((min && val < *min) || (max && val > *max))
 				continue;
 			*i = val;
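Review bot: `val = convmul * val / convdiv;` multiplies before dividing and has no overflow check, so a large written value can wrap in `convmul * val` and then pass the min/max test that follows. Consider rejecting values above ULONG_MAX / convmul before converting.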
diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
index 4de3e57f723c..319cf14c92d3 100644
--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -841,6 +841,10 @@ print_graph_entry_leaf(struct trace_iterator *iter,
 
 		cpu_data = per_cpu_ptr(data->cpu_data, cpu);
 
+		/* If a graph tracer ignored set_graph_notrace */
+		if (call->depth < -1)
+			call->depth += FTRACE_NOTRACE_DEPTH;
+
 		/*
 		 * Comments display at + 1 to depth. Since
 		 * this is a leaf function, keep the comments
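Review bot: `if (call->depth < -1)` uses a bare -1 as its threshold and rewrites `call->depth` inside a print routine, and the same two lines are repeated in print_graph_entry_nested(). A small helper with a comment on why -1 itself is left alone would cover both sites and keep them in step.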
@@ -849,7 +853,8 @@ print_graph_entry_leaf(struct trace_iterator *iter,
 		cpu_data->depth = call->depth - 1;
 
 		/* No need to keep this function around for this depth */
-		if (call->depth < FTRACE_RETFUNC_DEPTH)
+		if (call->depth < FTRACE_RETFUNC_DEPTH &&
+		    !WARN_ON_ONCE(call->depth < 0))
 			cpu_data->enter_funcs[call->depth] = 0;
 	}
 
@@ -886,11 +891,16 @@ print_graph_entry_nested(struct trace_iterator *iter,
 		struct fgraph_cpu_data *cpu_data;
 		int cpu = iter->cpu;
 
+		/* If a graph tracer ignored set_graph_notrace */
+		if (call->depth < -1)
+			call->depth += FTRACE_NOTRACE_DEPTH;
+
 		cpu_data = per_cpu_ptr(data->cpu_data, cpu);
 		cpu_data->depth = call->depth;
 
 		/* Save this function pointer to see if the exit matches */
-		if (call->depth < FTRACE_RETFUNC_DEPTH)
+		if (call->depth < FTRACE_RETFUNC_DEPTH &&
+		    !WARN_ON_ONCE(call->depth < 0))
 			cpu_data->enter_funcs[call->depth] = call->func;
 	}
 
@@ -1143,7 +1153,8 @@ print_graph_return(struct ftrace_graph_ret *trace, struct trace_seq *s,
 		 */
 		cpu_data->depth = trace->depth - 1;
 
-		if (trace->depth < FTRACE_RETFUNC_DEPTH) {
+		if (trace->depth < FTRACE_RETFUNC_DEPTH &&
+		    !WARN_ON_ONCE(trace->depth < 0)) {
 			if (cpu_data->enter_funcs[trace->depth] != trace->func)
 				func_match = 0;
 			cpu_data->enter_funcs[trace->depth] = 0;
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 6fe2c84eb055..ce12a88a8fd1 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1657,7 +1657,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
 
 	/* Reject out-of-range values early.  Large positive sizes are
 	   used for unknown buffer sizes. */
-	if (WARN_ON_ONCE((int) size < 0))
+	if (WARN_ON_ONCE(size > INT_MAX))
 		return 0;
 
 	str = buf;
diff --git a/mm/filemap.c b/mm/filemap.c
index a5024d71fcc3..31b5b25c3d2d 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1482,6 +1482,11 @@ static ssize_t do_generic_file_read(struct file *filp, loff_t *ppos,
 
 		cond_resched();
 find_page:
+		if (fatal_signal_pending(current)) {
+			error = -EINTR;
+			goto out;
+		}
+
 		page = find_get_page(mapping, index);
 		if (!page) {
 			page_cache_sync_readahead(mapping,
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index dc528a51ccbf..abc04a803aa8 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1192,6 +1192,18 @@ out_unlock:
 	return ret;
 }
 
+/*
+ * FOLL_FORCE can write to even unwritable pmd's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pmd(pmd_t pmd, struct page *page,
+					unsigned int flags)
+{
+	return pmd_write(pmd) ||
+		((flags & FOLL_FORCE) && (flags & FOLL_COW) &&
+		 page && PageAnon(page));
+}
+
 struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 				   unsigned long addr,
 				   pmd_t *pmd,
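Review bot: the comment on can_follow_write_pmd() says a forced write is allowed only once the pmd is dirty, but the condition tests `page && PageAnon(page)` and never examines the dirty bit. Either reword the comment to describe the anonymous-page test or explain why it stands in for the dirty check.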
@@ -1202,9 +1214,6 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 
 	assert_spin_locked(pmd_lockptr(mm, pmd));
 
-	if (flags & FOLL_WRITE && !pmd_write(*pmd))
-		goto out;
-
 	/* Avoid dumping huge zero page */
 	if ((flags & FOLL_DUMP) && is_huge_zero_pmd(*pmd))
 		return ERR_PTR(-EFAULT);
@@ -1215,6 +1224,10 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 
 	page = pmd_page(*pmd);
 	VM_BUG_ON_PAGE(!PageHead(page), page);
+
+	if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, page, flags))
+		goto out;
+
 	if (flags & FOLL_TOUCH) {
 		pmd_t _pmd;
 		/*
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index fca6c6c91d76..467d04b62948 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1301,23 +1301,32 @@ free:
 }
 
 /*
- * When releasing a hugetlb pool reservation, any surplus pages that were
- * allocated to satisfy the reservation must be explicitly freed if they were
- * never used.
- * Called with hugetlb_lock held.
+ * This routine has two main purposes:
+ * 1) Decrement the reservation count (resv_huge_pages) by the value passed
+ *    in unused_resv_pages.  This corresponds to the prior adjustments made
+ *    to the associated reservation map.
+ * 2) Free any unused surplus pages that may have been allocated to satisfy
+ *    the reservation.  As many as unused_resv_pages may be freed.
+ *
+ * Called with hugetlb_lock held.  However, the lock could be dropped (and
+ * reacquired) during calls to cond_resched_lock.  Whenever dropping the lock,
+ * we must make sure nobody else can claim pages we are in the process of
+ * freeing.  Do this by ensuring resv_huge_page always is greater than the
+ * number of huge pages we plan to free when dropping the lock.
  */
 static void return_unused_surplus_pages(struct hstate *h,
 					unsigned long unused_resv_pages)
 {
 	unsigned long nr_pages;
 
-	/* Uncommit the reservation */
-	h->resv_huge_pages -= unused_resv_pages;
-
 	/* Cannot return gigantic pages currently */
 	if (hstate_is_gigantic(h))
-		return;
+		goto out;
 
+	/*
+	 * Part (or even all) of the reservation could have been backed
+	 * by pre-allocated pages. Only free surplus pages.
+	 */
 	nr_pages = min(unused_resv_pages, h->surplus_huge_pages);
 
 	/*
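Review bot: the new header comment refers to `resv_huge_page`, but the field this function adjusts is `resv_huge_pages`; fix the name so the locking rule it describes can be found by searching for the field.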
@@ -1327,12 +1336,22 @@ static void return_unused_surplus_pages(struct hstate *h,
 	 * when the nodes with surplus pages have no free pages.
 	 * free_pool_huge_page() will balance the the freed pages across the
 	 * on-line nodes with memory and will handle the hstate accounting.
+	 *
+	 * Note that we decrement resv_huge_pages as we free the pages.  If
+	 * we drop the lock, resv_huge_pages will still be sufficiently large
+	 * to cover subsequent pages we may free.
 	 */
 	while (nr_pages--) {
+		h->resv_huge_pages--;
+		unused_resv_pages--;
 		if (!free_pool_huge_page(h, &node_states[N_MEMORY], 1))
-			break;
+			goto out;
 		cond_resched_lock(&hugetlb_lock);
 	}
+
+out:
+	/* Fully uncommit the reservation */
+	h->resv_huge_pages -= unused_resv_pages;
 }
 
 /*
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 8d423bc649b9..f876f707fd9e 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -21,18 +21,19 @@
 #include <asm/uaccess.h>
 #include "br_private.h"
 
-/* called with RTNL */
 static int get_bridge_ifindices(struct net *net, int *indices, int num)
 {
 	struct net_device *dev;
 	int i = 0;
 
-	for_each_netdev(net, dev) {
+	rcu_read_lock();
+	for_each_netdev_rcu(net, dev) {
 		if (i >= num)
 			break;
 		if (dev->priv_flags & IFF_EBRIDGE)
 			indices[i++] = dev->ifindex;
 	}
+	rcu_read_unlock();
 
 	return i;
 }
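Review bot: the `/* called with RTNL */` comment on get_bridge_ifindices() is deleted without a replacement, so the locking contract is now undocumented. A one-line comment saying the function takes rcu_read_lock() itself, and that the returned ifindex list is only a snapshot once rcu_read_unlock() has run, would tell callers what they can rely on.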
diff --git a/net/can/af_can.c b/net/can/af_can.c
index d6030d6949df..ee6eee7a8b42 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -446,6 +446,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask,
  * @func: callback function on filter match
  * @data: returned parameter for callback function
  * @ident: string for calling module identification
+ * @sk: socket pointer (might be NULL)
  *
  * Description:
  *  Invokes the callback function with the received sk_buff and the given
@@ -469,7 +470,7 @@ static struct hlist_head *find_rcv_list(canid_t *can_id, canid_t *mask,
  */
 int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
 		    void (*func)(struct sk_buff *, void *), void *data,
-		    char *ident)
+		    char *ident, struct sock *sk)
 {
 	struct receiver *r;
 	struct hlist_head *rl;
@@ -497,6 +498,7 @@ int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
 		r->func    = func;
 		r->data    = data;
 		r->ident   = ident;
+		r->sk      = sk;
 
 		hlist_add_head_rcu(&r->list, rl);
 		d->entries++;
@@ -521,8 +523,11 @@ EXPORT_SYMBOL(can_rx_register);
 static void can_rx_delete_receiver(struct rcu_head *rp)
 {
 	struct receiver *r = container_of(rp, struct receiver, rcu);
+	struct sock *sk = r->sk;
 
 	kmem_cache_free(rcv_cache, r);
+	if (sk)
+		sock_put(sk);
 }
 
 /**
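Review bot: the `sock_put(sk)` added to can_rx_delete_receiver() has no matching hold in this function, and nothing here says where the reference comes from. It pairs with the sock_hold() taken in can_rx_unregister() just before call_rcu(); a short comment at both sites naming the other would keep a later cleanup from removing one half. Copying `r->sk` into a local before kmem_cache_free() is correct and worth keeping.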
@@ -597,8 +602,11 @@ void can_rx_unregister(struct net_device *dev, canid_t can_id, canid_t mask,
 	spin_unlock(&can_rcvlists_lock);
 
 	/* schedule the receiver item for deletion */
-	if (r)
+	if (r) {
+		if (r->sk)
+			sock_hold(r->sk);
 		call_rcu(&r->rcu, can_rx_delete_receiver);
+	}
 }
 EXPORT_SYMBOL(can_rx_unregister);
 
diff --git a/net/can/af_can.h b/net/can/af_can.h
index fca0fe9fc45a..b86f5129e838 100644
--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -50,13 +50,14 @@
 
 struct receiver {
 	struct hlist_node list;
-	struct rcu_head rcu;
 	canid_t can_id;
 	canid_t mask;
 	unsigned long matches;
 	void (*func)(struct sk_buff *, void *);
 	void *data;
 	char *ident;
+	struct sock *sk;
+	struct rcu_head rcu;
 };
 
 #define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index b96434d09177..468dfa12eebe 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -706,14 +706,23 @@ static struct bcm_op *bcm_find_op(struct list_head *ops, canid_t can_id,
 
 static void bcm_remove_op(struct bcm_op *op)
 {
-	hrtimer_cancel(&op->timer);
-	hrtimer_cancel(&op->thrtimer);
-
-	if (op->tsklet.func)
-		tasklet_kill(&op->tsklet);
+	if (op->tsklet.func) {
+		while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
+		       test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
+		       hrtimer_active(&op->timer)) {
+			hrtimer_cancel(&op->timer);
+			tasklet_kill(&op->tsklet);
+		}
+	}
 
-	if (op->thrtsklet.func)
-		tasklet_kill(&op->thrtsklet);
+	if (op->thrtsklet.func) {
+		while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
+		       test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
+		       hrtimer_active(&op->thrtimer)) {
+			hrtimer_cancel(&op->thrtimer);
+			tasklet_kill(&op->thrtsklet);
+		}
+	}
 
 	if ((op->frames) && (op->frames != &op->sframe))
 		kfree(op->frames);
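Review bot: in bcm_remove_op() the hrtimer_cancel() calls used to be unconditional and are now reached only when `op->tsklet.func` (or `op->thrtsklet.func`) is set, so an op with a timer but no tasklet function would be freed without its timer being cancelled. Please state in a comment that a timer is never armed without its tasklet function being set, or keep an unconditional hrtimer_cancel() ahead of each `if`. The `while` loops also need a line explaining why a single cancel/kill pass is not enough, since they have no bound and no comment.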
@@ -1169,7 +1178,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 				err = can_rx_register(dev, op->can_id,
 						      REGMASK(op->can_id),
 						      bcm_rx_handler, op,
-						      "bcm");
+						      "bcm", sk);
 
 				op->rx_reg_dev = dev;
 				dev_put(dev);
@@ -1178,7 +1187,7 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
 		} else
 			err = can_rx_register(NULL, op->can_id,
 					      REGMASK(op->can_id),
-					      bcm_rx_handler, op, "bcm");
+					      bcm_rx_handler, op, "bcm", sk);
 		if (err) {
 			/* this bcm rx op is broken -> remove it */
 			list_del(&op->list);
diff --git a/net/can/gw.c b/net/can/gw.c
index 050a2110d43f..d4921582d3bd 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -441,7 +441,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj)
 {
 	return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
 			       gwj->ccgw.filter.can_mask, can_can_gw_rcv,
-			       gwj, "gw");
+			       gwj, "gw", NULL);
 }
 
 static inline void cgw_unregister_filter(struct cgw_job *gwj)
diff --git a/net/can/raw.c b/net/can/raw.c
index 9f5ee3a6b666..59e4cab9cd76 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -164,7 +164,7 @@ static int raw_enable_filters(struct net_device *dev, struct sock *sk,
 	for (i = 0; i < count; i++) {
 		err = can_rx_register(dev, filter[i].can_id,
 				      filter[i].can_mask,
-				      raw_rcv, sk, "raw");
+				      raw_rcv, sk, "raw", sk);
 		if (err) {
 			/* clean up successfully registered filters */
 			while (--i >= 0)
@@ -185,7 +185,7 @@ static int raw_enable_errfilter(struct net_device *dev, struct sock *sk,
 
 	if (err_mask)
 		err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
-				      raw_rcv, sk, "raw");
+				      raw_rcv, sk, "raw", sk);
 
 	return err;
 }
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index f2ea1a093800..a1244a228811 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1977,6 +1977,19 @@ static int process_connect(struct ceph_connection *con)
 
 	dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
 
+	if (con->auth_reply_buf) {
+		/*
+		 * Any connection that defines ->get_authorizer()
+		 * should also define ->verify_authorizer_reply().
+		 * See get_connect_authorizer().
+		 */
+		ret = con->ops->verify_authorizer_reply(con, 0);
+		if (ret < 0) {
+			con->error_msg = "bad authorize reply";
+			return ret;
+		}
+	}
+
 	switch (con->in_reply.tag) {
 	case CEPH_MSGR_TAG_FEATURES:
 		pr_err("%s%lld %s feature set mismatch,"
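Review bot: the new block in process_connect() calls `con->ops->verify_authorizer_reply(con, 0)` with no NULL check, relying only on the convention described in the comment. Since this is the point where the peer's authorizer reply is validated, an explicit check (or a WARN_ON plus error return) when the callback is missing would fail closed instead of dereferencing a NULL pointer. The literal `0` passed as the second argument is also unexplained; name what it means or note that it is unused.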
diff --git a/net/core/dev.c b/net/core/dev.c
index 75be7e226268..c14258a3841e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1600,24 +1600,19 @@ EXPORT_SYMBOL(call_netdevice_notifiers);
 
 static struct static_key netstamp_needed __read_mostly;
 #ifdef HAVE_JUMP_LABEL
-/* We are not allowed to call static_key_slow_dec() from irq context
- * If net_disable_timestamp() is called from irq context, defer the
- * static_key_slow_dec() calls.
- */
 static atomic_t netstamp_needed_deferred;
-#endif
-
-void net_enable_timestamp(void)
+static void netstamp_clear(struct work_struct *work)
 {
-#ifdef HAVE_JUMP_LABEL
 	int deferred = atomic_xchg(&netstamp_needed_deferred, 0);
 
-	if (deferred) {
-		while (--deferred)
-			static_key_slow_dec(&netstamp_needed);
-		return;
-	}
+	while (deferred--)
+		static_key_slow_dec(&netstamp_needed);
+}
+static DECLARE_WORK(netstamp_work, netstamp_clear);
 #endif
+
+void net_enable_timestamp(void)
+{
 	static_key_slow_inc(&netstamp_needed);
 }
 EXPORT_SYMBOL(net_enable_timestamp);
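Review bot: the removed comment explaining why static_key_slow_dec() must be deferred is not replaced anywhere near netstamp_clear(), so the reason for the work item is lost at the place a reader will look for it. Please keep a short comment above netstamp_clear() saying it drains `netstamp_needed_deferred` in process context. It would also help to note that the loop changed from `while (--deferred)` to `while (deferred--)` because net_enable_timestamp() no longer consumes one deferred decrement itself.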
@@ -1625,12 +1620,12 @@ EXPORT_SYMBOL(net_enable_timestamp);
 void net_disable_timestamp(void)
 {
 #ifdef HAVE_JUMP_LABEL
-	if (in_interrupt()) {
-		atomic_inc(&netstamp_needed_deferred);
-		return;
-	}
-#endif
+	/* net_disable_timestamp() can be called from non process context */
+	atomic_inc(&netstamp_needed_deferred);
+	schedule_work(&netstamp_work);
+#else
 	static_key_slow_dec(&netstamp_needed);
+#endif
 }
 EXPORT_SYMBOL(net_disable_timestamp);
 
@@ -2287,7 +2282,7 @@ int skb_checksum_help(struct sk_buff *skb)
 			goto out;
 	}
 
-	*(__sum16 *)(skb->data + offset) = csum_fold(csum);
+	*(__sum16 *)(skb->data + offset) = csum_fold(csum) ?: CSUM_MANGLED_0;
 out_set_summed:
 	skb->ip_summed = CHECKSUM_NONE;
 out:
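Review bot: the `?: CSUM_MANGLED_0` substitution in skb_checksum_help() is applied to every protocol that reaches this store, and the line carries no comment saying why a folded result of zero must not be written. Please add one line stating the reason (a zero checksum field is read as "no checksum" by UDP) so the substitution is not removed later as a no-op.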
@@ -2555,9 +2550,9 @@ static netdev_features_t harmonize_features(struct sk_buff *skb,
 	if (skb->ip_summed != CHECKSUM_NONE &&
 	    !can_checksum_protocol(features, type)) {
 		features &= ~NETIF_F_ALL_CSUM;
-	} else if (illegal_highdma(skb->dev, skb)) {
-		features &= ~NETIF_F_SG;
 	}
+	if (illegal_highdma(skb->dev, skb))
+		features &= ~NETIF_F_SG;
 
 	return features;
 }
@@ -3920,7 +3915,9 @@ static void skb_gro_reset_offset(struct sk_buff *skb)
 	    pinfo->nr_frags &&
 	    !PageHighMem(skb_frag_page(frag0))) {
 		NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
-		NAPI_GRO_CB(skb)->frag0_len = skb_frag_size(frag0);
+		NAPI_GRO_CB(skb)->frag0_len = min_t(unsigned int,
+						    skb_frag_size(frag0),
+						    skb->end - skb->tail);
 	}
 }
 
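Review bot: the clamp added to `frag0_len` in skb_gro_reset_offset() has no comment saying why `skb->end - skb->tail` is the right upper bound. Since this value limits how far later GRO header reads may go into frag0, please add a line stating what that difference represents here, so the min_t() is not dropped later as redundant.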
@@ -4815,6 +4812,7 @@ static inline bool netdev_adjacent_is_neigh_list(struct net_device *dev,
 
 static int __netdev_adjacent_dev_insert(struct net_device *dev,
 					struct net_device *adj_dev,
+					u16 ref_nr,
 					struct list_head *dev_list,
 					void *private, bool master)
 {
@@ -4824,7 +4822,7 @@ static int __netdev_adjacent_dev_insert(struct net_device *dev,
 	adj = __netdev_find_adj(dev, adj_dev, dev_list);
 
 	if (adj) {
-		adj->ref_nr++;
+		adj->ref_nr += ref_nr;
 		return 0;
 	}
 
@@ -4834,7 +4832,7 @@ static int __netdev_adjacent_dev_insert(struct net_device *dev,
 
 	adj->dev = adj_dev;
 	adj->master = master;
-	adj->ref_nr = 1;
+	adj->ref_nr = ref_nr;
 	adj->private = private;
 	dev_hold(adj_dev);
 
@@ -4873,6 +4871,7 @@ free_adj:
 
 static void __netdev_adjacent_dev_remove(struct net_device *dev,
 					 struct net_device *adj_dev,
+					 u16 ref_nr,
 					 struct list_head *dev_list)
 {
 	struct netdev_adjacent *adj;
@@ -4885,10 +4884,10 @@ static void __netdev_adjacent_dev_remove(struct net_device *dev,
 		BUG();
 	}
 
-	if (adj->ref_nr > 1) {
-		pr_debug("%s to %s ref_nr-- = %d\n", dev->name, adj_dev->name,
-			 adj->ref_nr-1);
-		adj->ref_nr--;
+	if (adj->ref_nr > ref_nr) {
+		pr_debug("%s to %s ref_nr-%d = %d\n", dev->name, adj_dev->name,
+			 ref_nr, adj->ref_nr-ref_nr);
+		adj->ref_nr -= ref_nr;
 		return;
 	}
 
@@ -4907,21 +4906,22 @@ static void __netdev_adjacent_dev_remove(struct net_device *dev,
 
 static int __netdev_adjacent_dev_link_lists(struct net_device *dev,
 					    struct net_device *upper_dev,
+					    u16 ref_nr,
 					    struct list_head *up_list,
 					    struct list_head *down_list,
 					    void *private, bool master)
 {
 	int ret;
 
-	ret = __netdev_adjacent_dev_insert(dev, upper_dev, up_list, private,
-					   master);
+	ret = __netdev_adjacent_dev_insert(dev, upper_dev, ref_nr, up_list,
+					   private, master);
 	if (ret)
 		return ret;
 
-	ret = __netdev_adjacent_dev_insert(upper_dev, dev, down_list, private,
-					   false);
+	ret = __netdev_adjacent_dev_insert(upper_dev, dev, ref_nr, down_list,
+					   private, false);
 	if (ret) {
-		__netdev_adjacent_dev_remove(dev, upper_dev, up_list);
+		__netdev_adjacent_dev_remove(dev, upper_dev, ref_nr, up_list);
 		return ret;
 	}
 
@@ -4929,9 +4929,10 @@ static int __netdev_adjacent_dev_link_lists(struct net_device *dev,
 }
 
 static int __netdev_adjacent_dev_link(struct net_device *dev,
-				      struct net_device *upper_dev)
+				      struct net_device *upper_dev,
+				      u16 ref_nr)
 {
-	return __netdev_adjacent_dev_link_lists(dev, upper_dev,
+	return __netdev_adjacent_dev_link_lists(dev, upper_dev, ref_nr,
 						&dev->all_adj_list.upper,
 						&upper_dev->all_adj_list.lower,
 						NULL, false);
@@ -4939,17 +4940,19 @@ static int __netdev_adjacent_dev_link(struct net_device *dev,
 
 static void __netdev_adjacent_dev_unlink_lists(struct net_device *dev,
 					       struct net_device *upper_dev,
+					       u16 ref_nr,
 					       struct list_head *up_list,
 					       struct list_head *down_list)
 {
-	__netdev_adjacent_dev_remove(dev, upper_dev, up_list);
-	__netdev_adjacent_dev_remove(upper_dev, dev, down_list);
+	__netdev_adjacent_dev_remove(dev, upper_dev, ref_nr, up_list);
+	__netdev_adjacent_dev_remove(upper_dev, dev, ref_nr, down_list);
 }
 
 static void __netdev_adjacent_dev_unlink(struct net_device *dev,
-					 struct net_device *upper_dev)
+					 struct net_device *upper_dev,
+					 u16 ref_nr)
 {
-	__netdev_adjacent_dev_unlink_lists(dev, upper_dev,
+	__netdev_adjacent_dev_unlink_lists(dev, upper_dev, ref_nr,
 					   &dev->all_adj_list.upper,
 					   &upper_dev->all_adj_list.lower);
 }
@@ -4958,17 +4961,17 @@ static int __netdev_adjacent_dev_link_neighbour(struct net_device *dev,
 						struct net_device *upper_dev,
 						void *private, bool master)
 {
-	int ret = __netdev_adjacent_dev_link(dev, upper_dev);
+	int ret = __netdev_adjacent_dev_link(dev, upper_dev, 1);
 
 	if (ret)
 		return ret;
 
-	ret = __netdev_adjacent_dev_link_lists(dev, upper_dev,
+	ret = __netdev_adjacent_dev_link_lists(dev, upper_dev, 1,
 					       &dev->adj_list.upper,
 					       &upper_dev->adj_list.lower,
 					       private, master);
 	if (ret) {
-		__netdev_adjacent_dev_unlink(dev, upper_dev);
+		__netdev_adjacent_dev_unlink(dev, upper_dev, 1);
 		return ret;
 	}
 
@@ -4978,8 +4981,8 @@ static int __netdev_adjacent_dev_link_neighbour(struct net_device *dev,
 static void __netdev_adjacent_dev_unlink_neighbour(struct net_device *dev,
 						   struct net_device *upper_dev)
 {
-	__netdev_adjacent_dev_unlink(dev, upper_dev);
-	__netdev_adjacent_dev_unlink_lists(dev, upper_dev,
+	__netdev_adjacent_dev_unlink(dev, upper_dev, 1);
+	__netdev_adjacent_dev_unlink_lists(dev, upper_dev, 1,
 					   &dev->adj_list.upper,
 					   &upper_dev->adj_list.lower);
 }
@@ -5020,7 +5023,7 @@ static int __netdev_upper_dev_link(struct net_device *dev,
 		list_for_each_entry(j, &upper_dev->all_adj_list.upper, list) {
 			pr_debug("Interlinking %s with %s, non-neighbour\n",
 				 i->dev->name, j->dev->name);
-			ret = __netdev_adjacent_dev_link(i->dev, j->dev);
+			ret = __netdev_adjacent_dev_link(i->dev, j->dev, i->ref_nr);
 			if (ret)
 				goto rollback_mesh;
 		}
@@ -5030,7 +5033,7 @@ static int __netdev_upper_dev_link(struct net_device *dev,
 	list_for_each_entry(i, &upper_dev->all_adj_list.upper, list) {
 		pr_debug("linking %s's upper device %s with %s\n",
 			 upper_dev->name, i->dev->name, dev->name);
-		ret = __netdev_adjacent_dev_link(dev, i->dev);
+		ret = __netdev_adjacent_dev_link(dev, i->dev, i->ref_nr);
 		if (ret)
 			goto rollback_upper_mesh;
 	}
@@ -5039,7 +5042,7 @@ static int __netdev_upper_dev_link(struct net_device *dev,
 	list_for_each_entry(i, &dev->all_adj_list.lower, list) {
 		pr_debug("linking %s's lower device %s with %s\n", dev->name,
 			 i->dev->name, upper_dev->name);
-		ret = __netdev_adjacent_dev_link(i->dev, upper_dev);
+		ret = __netdev_adjacent_dev_link(i->dev, upper_dev, i->ref_nr);
 		if (ret)
 			goto rollback_lower_mesh;
 	}
@@ -5052,7 +5055,7 @@ rollback_lower_mesh:
 	list_for_each_entry(i, &dev->all_adj_list.lower, list) {
 		if (i == to_i)
 			break;
-		__netdev_adjacent_dev_unlink(i->dev, upper_dev);
+		__netdev_adjacent_dev_unlink(i->dev, upper_dev, i->ref_nr);
 	}
 
 	i = NULL;
@@ -5062,7 +5065,7 @@ rollback_upper_mesh:
 	list_for_each_entry(i, &upper_dev->all_adj_list.upper, list) {
 		if (i == to_i)
 			break;
-		__netdev_adjacent_dev_unlink(dev, i->dev);
+		__netdev_adjacent_dev_unlink(dev, i->dev, i->ref_nr);
 	}
 
 	i = j = NULL;
@@ -5074,7 +5077,7 @@ rollback_mesh:
 		list_for_each_entry(j, &upper_dev->all_adj_list.upper, list) {
 			if (i == to_i && j == to_j)
 				break;
-			__netdev_adjacent_dev_unlink(i->dev, j->dev);
+			__netdev_adjacent_dev_unlink(i->dev, j->dev, i->ref_nr);
 		}
 		if (i == to_i)
 			break;
@@ -5150,16 +5153,16 @@ void netdev_upper_dev_unlink(struct net_device *dev,
 	 */
 	list_for_each_entry(i, &dev->all_adj_list.lower, list)
 		list_for_each_entry(j, &upper_dev->all_adj_list.upper, list)
-			__netdev_adjacent_dev_unlink(i->dev, j->dev);
+			__netdev_adjacent_dev_unlink(i->dev, j->dev, i->ref_nr);
 
 	/* remove also the devices itself from lower/upper device
 	 * list
 	 */
 	list_for_each_entry(i, &dev->all_adj_list.lower, list)
-		__netdev_adjacent_dev_unlink(i->dev, upper_dev);
+		__netdev_adjacent_dev_unlink(i->dev, upper_dev, i->ref_nr);
 
 	list_for_each_entry(i, &upper_dev->all_adj_list.upper, list)
-		__netdev_adjacent_dev_unlink(dev, i->dev);
+		__netdev_adjacent_dev_unlink(dev, i->dev, i->ref_nr);
 
 	call_netdevice_notifiers(NETDEV_CHANGEUPPER, dev);
 }
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index e70301eb7a4a..add0544a571a 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -80,6 +80,7 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 	struct nlattr *nla;
 	struct sk_buff *skb;
 	unsigned long flags;
+	void *msg_header;
 
 	al = sizeof(struct net_dm_alert_msg);
 	al += dm_hit_limit * sizeof(struct net_dm_drop_point);
@@ -87,21 +88,41 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 
 	skb = genlmsg_new(al, GFP_KERNEL);
 
-	if (skb) {
-		genlmsg_put(skb, 0, 0, &net_drop_monitor_family,
-				0, NET_DM_CMD_ALERT);
-		nla = nla_reserve(skb, NLA_UNSPEC,
-				  sizeof(struct net_dm_alert_msg));
-		msg = nla_data(nla);
-		memset(msg, 0, al);
-	} else {
-		mod_timer(&data->send_timer, jiffies + HZ / 10);
+	if (!skb)
+		goto err;
+
+	msg_header = genlmsg_put(skb, 0, 0, &net_drop_monitor_family,
+				 0, NET_DM_CMD_ALERT);
+	if (!msg_header) {
+		nlmsg_free(skb);
+		skb = NULL;
+		goto err;
+	}
+	nla = nla_reserve(skb, NLA_UNSPEC,
+			  sizeof(struct net_dm_alert_msg));
+	if (!nla) {
+		nlmsg_free(skb);
+		skb = NULL;
+		goto err;
 	}
+	msg = nla_data(nla);
+	memset(msg, 0, al);
+	goto out;
 
+err:
+	mod_timer(&data->send_timer, jiffies + HZ / 10);
+out:
 	spin_lock_irqsave(&data->lock, flags);
 	swap(data->skb, skb);
 	spin_unlock_irqrestore(&data->lock, flags);
 
+	if (skb) {
+		struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
+		struct genlmsghdr *gnlh = (struct genlmsghdr *)nlmsg_data(nlh);
+
+		genlmsg_end(skb, genlmsg_data(gnlh));
+	}
+
 	return skb;
 }
 
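Review bot: in reset_per_cpu_data(), the `if (skb)` block after `swap(data->skb, skb)` finalises the previously queued message, not the one just allocated, and nothing in the code says so. Please add a comment or use a separate local such as `old_skb`; as written it reads as if genlmsg_end() were being applied to the fresh buffer. Separately, `memset(msg, 0, al)` clears `al` bytes while nla_reserve() reserved only sizeof(struct net_dm_alert_msg); that length mismatch is carried over from the old code but deserves a comment or a fix while the function is being restructured. The two identical `nlmsg_free(skb); skb = NULL; goto err;` sequences could share one label.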
diff --git a/net/core/sock.c b/net/core/sock.c
index 9cb00d1ea140..af856f01cc8f 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1560,6 +1560,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
 		}
 
 		newsk->sk_err	   = 0;
+		newsk->sk_err_soft = 0;
 		newsk->sk_priority = 0;
 		/*
 		 * Before updating sk_refcnt, we must commit prior changes to memory
@@ -1678,6 +1679,12 @@ void sock_rfree(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(sock_rfree);
 
+void sock_efree(struct sk_buff *skb)
+{
+	sock_put(skb->sk);
+}
+EXPORT_SYMBOL(sock_efree);
+
 void sock_edemux(struct sk_buff *skb)
 {
 	struct sock *sk = skb->sk;
@@ -2119,12 +2126,13 @@ EXPORT_SYMBOL(__sk_mem_schedule);
 /**
  *	__sk_reclaim - reclaim memory_allocated
  *	@sk: socket
+ *	@amount: number of bytes (rounded down to a SK_MEM_QUANTUM multiple)
  */
-void __sk_mem_reclaim(struct sock *sk)
+void __sk_mem_reclaim(struct sock *sk, int amount)
 {
-	sk_memory_allocated_sub(sk,
-				sk->sk_forward_alloc >> SK_MEM_QUANTUM_SHIFT);
-	sk->sk_forward_alloc &= SK_MEM_QUANTUM - 1;
+	amount >>= SK_MEM_QUANTUM_SHIFT;
+	sk_memory_allocated_sub(sk, amount);
+	sk->sk_forward_alloc -= amount << SK_MEM_QUANTUM_SHIFT;
 
 	if (sk_under_memory_pressure(sk) &&
 	    (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)))
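Review bot: `amount` in __sk_mem_reclaim() is a signed int that is shifted and subtracted from `sk->sk_forward_alloc` with no check that it is non-negative or no larger than the current forward allocation. Please document the caller's obligation in the kernel-doc or add a sanity check. The kernel-doc header also still names the function `__sk_reclaim` while the definition is `__sk_mem_reclaim`; this is a good moment to fix it since the comment block is being edited anyway.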
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index b371341d899d..7d9b21a7dbb6 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -213,7 +213,7 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
 {
 	const struct iphdr *iph = (struct iphdr *)skb->data;
 	const u8 offset = iph->ihl << 2;
-	const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
+	const struct dccp_hdr *dh;
 	struct dccp_sock *dp;
 	struct inet_sock *inet;
 	const int type = icmp_hdr(skb)->type;
@@ -223,11 +223,13 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
 	int err;
 	struct net *net = dev_net(skb->dev);
 
-	if (skb->len < offset + sizeof(*dh) ||
-	    skb->len < offset + __dccp_basic_hdr_len(dh)) {
-		ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
-		return;
-	}
+	/* Only need dccph_dport & dccph_sport which are the first
+	 * 4 bytes in dccp header.
+	 * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
+	 */
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_sport) + sizeof(dh->dccph_sport) > 8);
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_dport) + sizeof(dh->dccph_dport) > 8);
+	dh = (struct dccp_hdr *)(skb->data + offset);
 
 	sk = inet_lookup(net, &dccp_hashinfo,
 			iph->daddr, dh->dccph_dport,
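Review bot: dccp_v4_err() drops its own length check and now depends entirely on icmp_socket_deliver() having pulled 8 bytes, which the BUILD_BUG_ON lines enforce only for the two port fields. Please confirm that no other field of `dh` is read later in this function, or keep a runtime check in front of any such access. The removed branch also incremented ICMP_MIB_INERRORS for truncated packets; say in the changelog whether that counter is still bumped elsewhere for this case.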
@@ -741,6 +743,7 @@ int dccp_invalid_packet(struct sk_buff *skb)
 {
 	const struct dccp_hdr *dh;
 	unsigned int cscov;
+	u8 dccph_doff;
 
 	if (skb->pkt_type != PACKET_HOST)
 		return 1;
@@ -762,18 +765,19 @@ int dccp_invalid_packet(struct sk_buff *skb)
 	/*
 	 * If P.Data Offset is too small for packet type, drop packet and return
 	 */
-	if (dh->dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
-		DCCP_WARN("P.Data Offset(%u) too small\n", dh->dccph_doff);
+	dccph_doff = dh->dccph_doff;
+	if (dccph_doff < dccp_hdr_len(skb) / sizeof(u32)) {
+		DCCP_WARN("P.Data Offset(%u) too small\n", dccph_doff);
 		return 1;
 	}
 	/*
 	 * If P.Data Offset is too too large for packet, drop packet and return
 	 */
-	if (!pskb_may_pull(skb, dh->dccph_doff * sizeof(u32))) {
-		DCCP_WARN("P.Data Offset(%u) too large\n", dh->dccph_doff);
+	if (!pskb_may_pull(skb, dccph_doff * sizeof(u32))) {
+		DCCP_WARN("P.Data Offset(%u) too large\n", dccph_doff);
 		return 1;
 	}
-
+	dh = dccp_hdr(skb);
 	/*
 	 * If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet
 	 * has short sequence numbers), drop packet and return
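Review bot: the added `dh = dccp_hdr(skb);` after pskb_may_pull() in dccp_invalid_packet() has no comment, and without one it looks like a redundant reassignment. Please note that pskb_may_pull() can reallocate the skb head, so the header pointer has to be fetched again before further use. Caching `dccph_doff` in a local for the same reason is good; the DCCP_WARN in the second check reads the local, which is the safe choice.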
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 9f2dc1d15e43..b42151be8afa 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -83,7 +83,7 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 			u8 type, u8 code, int offset, __be32 info)
 {
 	const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
-	const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
+	const struct dccp_hdr *dh;
 	struct dccp_sock *dp;
 	struct ipv6_pinfo *np;
 	struct sock *sk;
@@ -91,12 +91,13 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 	__u64 seq;
 	struct net *net = dev_net(skb->dev);
 
-	if (skb->len < offset + sizeof(*dh) ||
-	    skb->len < offset + __dccp_basic_hdr_len(dh)) {
-		ICMP6_INC_STATS_BH(net, __in6_dev_get(skb->dev),
-				   ICMP6_MIB_INERRORS);
-		return;
-	}
+	/* Only need dccph_dport & dccph_sport which are the first
+	 * 4 bytes in dccp header.
+	 * Our caller (icmpv6_notify()) already pulled 8 bytes for us.
+	 */
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_sport) + sizeof(dh->dccph_sport) > 8);
+	BUILD_BUG_ON(offsetof(struct dccp_hdr, dccph_dport) + sizeof(dh->dccph_dport) > 8);
+	dh = (struct dccp_hdr *)(skb->data + offset);
 
 	sk = inet6_lookup(net, &dccp_hashinfo,
 			&hdr->daddr, dh->dccph_dport,
@@ -1023,6 +1024,7 @@ static const struct inet_connection_sock_af_ops dccp_ipv6_mapped = {
 	.getsockopt	   = ipv6_getsockopt,
 	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
 	.sockaddr_len	   = sizeof(struct sockaddr_in6),
+	.bind_conflict	   = inet6_csk_bind_conflict,
 #ifdef CONFIG_COMPAT
 	.compat_setsockopt = compat_ipv6_setsockopt,
 	.compat_getsockopt = compat_ipv6_getsockopt,
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index de2c1e719305..f8fa2d15115e 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -1012,6 +1012,10 @@ void dccp_close(struct sock *sk, long timeout)
 		__kfree_skb(skb);
 	}
 
+	/* If socket has been already reset kill it. */
+	if (sk->sk_state == DCCP_CLOSED)
+		goto adjudge_to_death;
+
 	if (data_was_unread) {
 		/* Unread data was tossed, send an appropriate Reset Code */
 		DCCP_WARN("ABORT with %u bytes unread\n", data_was_unread);
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index daccc4a36d80..4047341f6c07 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -1042,10 +1042,13 @@ source_ok:
 	if (!fld.daddr) {
 		fld.daddr = fld.saddr;
 
-		err = -EADDRNOTAVAIL;
 		if (dev_out)
 			dev_put(dev_out);
+		err = -EINVAL;
 		dev_out = init_net.loopback_dev;
+		if (!dev_out->dn_ptr)
+			goto out;
+		err = -EADDRNOTAVAIL;
 		dev_hold(dev_out);
 		if (!fld.daddr) {
 			fld.daddr =
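Review bot: the new `!dev_out->dn_ptr` check in this hunk sits before dev_hold() and exits through `out`, while the equivalent check added under select_source sits after dev_hold() and exits through `e_inval`. Neither label is visible in the patch, so please confirm that `out` does not drop a reference on `dev_out` and that `e_inval` does; a one-line comment at each check would make the reference balance reviewable. The `err = -EINVAL` / `err = -EADDRNOTAVAIL` sequence is also easy to misread; setting `err` inside the `if` would be clearer.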
@@ -1118,6 +1121,8 @@ source_ok:
 		if (dev_out == NULL)
 			goto out;
 		dn_db = rcu_dereference_raw(dev_out->dn_ptr);
+		if (!dn_db)
+			goto e_inval;
 		/* Possible improvement - check all devices for local addr */
 		if (dn_dev_islocal(dev_out, fld.daddr)) {
 			dev_put(dev_out);
@@ -1159,6 +1164,8 @@ select_source:
 			dev_put(dev_out);
 		dev_out = init_net.loopback_dev;
 		dev_hold(dev_out);
+		if (!dev_out->dn_ptr)
+			goto e_inval;
 		fld.flowidn_oif = dev_out->ifindex;
 		if (res.fi)
 			dn_fib_info_put(res.fi);
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 69e77c8ff285..25be314d0e17 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1645,6 +1645,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
 				goto validate_return_locked;
 			}
 
+		if (opt_iter + 1 == opt_len) {
+			err_offset = opt_iter;
+			goto validate_return_locked;
+		}
 		tag_len = tag[1];
 		if (tag_len > (opt_len - opt_iter)) {
 			err_offset = opt_iter + 1;
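Review bot: the added `opt_iter + 1 == opt_len` test in cipso_v4_validate() is what keeps the following `tag[1]` read inside the option, but nothing says so. Please add a short comment that the tag length byte must lie within `opt_len` before it is read. The error offset here is `opt_iter` while the next check reports `opt_iter + 1`; if that difference is intentional, note why.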
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 727447c17954..8f1ee4bb4c51 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -164,7 +164,7 @@ static int unsolicited_report_interval(struct in_device *in_dev)
 }
 
 static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im);
-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr);
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im);
 static void igmpv3_clear_delrec(struct in_device *in_dev);
 static int sf_setstate(struct ip_mc_list *pmc);
 static void sf_markstate(struct ip_mc_list *pmc);
@@ -221,9 +221,14 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
 static void igmp_gq_start_timer(struct in_device *in_dev)
 {
 	int tv = prandom_u32() % in_dev->mr_maxdelay;
+	unsigned long exp = jiffies + tv + 2;
+
+	if (in_dev->mr_gq_running &&
+	    time_after_eq(exp, (in_dev->mr_gq_timer).expires))
+		return;
 
 	in_dev->mr_gq_running = 1;
-	if (!mod_timer(&in_dev->mr_gq_timer, jiffies+tv+2))
+	if (!mod_timer(&in_dev->mr_gq_timer, exp))
 		in_dev_hold(in_dev);
 }
 
@@ -1104,10 +1109,14 @@ static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im)
 	spin_unlock_bh(&in_dev->mc_tomb_lock);
 }
 
-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr)
+/*
+ * restore ip_mc_list deleted records
+ */
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im)
 {
 	struct ip_mc_list *pmc, *pmc_prev;
-	struct ip_sf_list *psf, *psf_next;
+	struct ip_sf_list *psf;
+	__be32 multiaddr = im->multiaddr;
 
 	spin_lock_bh(&in_dev->mc_tomb_lock);
 	pmc_prev = NULL;
@@ -1123,16 +1132,27 @@ static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr)
 			in_dev->mc_tomb = pmc->next;
 	}
 	spin_unlock_bh(&in_dev->mc_tomb_lock);
+
+	spin_lock_bh(&im->lock);
 	if (pmc) {
-		for (psf = pmc->tomb; psf; psf = psf_next) {
-			psf_next = psf->sf_next;
-			kfree(psf);
+		im->interface = pmc->interface;
+		im->crcount = in_dev->mr_qrv ?: IGMP_Unsolicited_Report_Count;
+		im->sfmode = pmc->sfmode;
+		if (pmc->sfmode == MCAST_INCLUDE) {
+			im->tomb = pmc->tomb;
+			im->sources = pmc->sources;
+			for (psf = im->sources; psf; psf = psf->sf_next)
+				psf->sf_crcount = im->crcount;
 		}
 		in_dev_put(pmc->interface);
 		kfree(pmc);
 	}
+	spin_unlock_bh(&im->lock);
 }
 
+/*
+ * flush ip_mc_list deleted records
+ */
 static void igmpv3_clear_delrec(struct in_device *in_dev)
 {
 	struct ip_mc_list *pmc, *nextpmc;
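Review bot: igmpv3_del_delrec() no longer frees the `pmc->tomb` list before `kfree(pmc)`, and in the MCAST_INCLUDE branch `im->tomb` and `im->sources` are overwritten without releasing whatever they held. Please confirm that `pmc->tomb` and `pmc->sources` are always empty when `pmc->sfmode` is not MCAST_INCLUDE, and that `im`'s own lists are empty on entry, or free them here. Also, `im->interface = pmc->interface` is followed directly by `in_dev_put(pmc->interface)`; say whether `im` holds its own reference on that device.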
@@ -1330,7 +1350,7 @@ void ip_mc_inc_group(struct in_device *in_dev, __be32 addr)
 	ip_mc_hash_add(in_dev, im);
 
 #ifdef CONFIG_IP_MULTICAST
-	igmpv3_del_delrec(in_dev, im->multiaddr);
+	igmpv3_del_delrec(in_dev, im);
 #endif
 	igmp_group_added(im);
 	if (!in_dev->dead)
@@ -1421,8 +1441,12 @@ void ip_mc_remap(struct in_device *in_dev)
 
 	ASSERT_RTNL();
 
-	for_each_pmc_rtnl(in_dev, pmc)
+	for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+		igmpv3_del_delrec(in_dev, pmc);
+#endif
 		igmp_group_added(pmc);
+	}
 }
 
 /* Device going down */
@@ -1443,7 +1467,6 @@ void ip_mc_down(struct in_device *in_dev)
 	in_dev->mr_gq_running = 0;
 	if (del_timer(&in_dev->mr_gq_timer))
 		__in_dev_put(in_dev);
-	igmpv3_clear_delrec(in_dev);
 #endif
 
 	ip_mc_dec_group(in_dev, IGMP_ALL_HOSTS);
@@ -1474,8 +1497,12 @@ void ip_mc_up(struct in_device *in_dev)
 
 	ip_mc_inc_group(in_dev, IGMP_ALL_HOSTS);
 
-	for_each_pmc_rtnl(in_dev, pmc)
+	for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+		igmpv3_del_delrec(in_dev, pmc);
+#endif
 		igmp_group_added(pmc);
+	}
 }
 
 /*
@@ -1490,13 +1517,13 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
 
 	/* Deactivate timers */
 	ip_mc_down(in_dev);
+#ifdef CONFIG_IP_MULTICAST
+	igmpv3_clear_delrec(in_dev);
+#endif
 
 	while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
 		in_dev->mc_list = i->next_rcu;
 		in_dev->mc_count--;
-
-		/* We've dropped the groups in ip_mc_down already */
-		ip_mc_clear_src(i);
 		ip_ma_put(i);
 	}
 }
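Review bot: ip_mc_destroy_dev() loses its `ip_mc_clear_src(i)` call, and the removed comment was the only explanation of how source lists are released on this path. Please state in the changelog or a comment where the per-group source filters are now freed when the device is destroyed, since nothing in this hunk replaces the call.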
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 65a28620006c..643ec0bb80a5 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -883,8 +883,10 @@ static struct mfc_cache *ipmr_cache_alloc(void)
 {
 	struct mfc_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
 
-	if (c)
+	if (c) {
+		c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
 		c->mfc_un.res.minvif = MAXVIFS;
+	}
 	return c;
 }
 
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 60f27b1e46f6..d0b38aa58ca7 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -64,10 +64,10 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
 	return dev_match || flags & XT_RPFILTER_LOOSE;
 }
 
-static bool rpfilter_is_local(const struct sk_buff *skb)
+static bool
+rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in)
 {
-	const struct rtable *rt = skb_rtable(skb);
-	return rt && (rt->rt_flags & RTCF_LOCAL);
+	return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
 }
 
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
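Review bot: rpfilter_is_loopback() dereferences `in->flags` without a NULL check, and the caller passes `par->in` straight through. Please confirm `par->in` is always set on the hooks where this match is valid, or guard the access. The return expression mixes `==`, `||` and `&` without parentheses; `(in->flags & IFF_LOOPBACK)` would make the precedence explicit.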
@@ -80,7 +80,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	info = par->matchinfo;
 	invert = info->flags & XT_RPFILTER_INVERT;
 
-	if (rpfilter_is_local(skb))
+	if (rpfilter_is_loopback(skb, par->in))
 		return true ^ invert;
 
 	iph = ip_hdr(skb);
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 181d5de8ba52..571dabfe9ef3 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -646,6 +646,8 @@ static int ping_v4_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh,
 {
 	struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
 
+	if (!skb)
+		return 0;
 	pfh->wcheck = csum_partial((char *)&pfh->icmph,
 		sizeof(struct icmphdr), pfh->wcheck);
 	pfh->icmph.checksum = csum_fold(pfh->wcheck);
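Review bot: the new `if (!skb) return 0;` in ping_v4_push_pending_frames() silently reports success when the write queue is empty, with no comment on how that state is reached. Please add a line explaining when skb_peek() can return NULL here and confirm that 0, not an error code, is what the caller should see when nothing was sent.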
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 7cd37b04f3a6..77bf6bde38cc 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1968,6 +1968,18 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 		 */
 		if (fi && res->prefixlen < 4)
 			fi = NULL;
+	} else if ((type == RTN_LOCAL) && (orig_oif != 0) &&
+		   (orig_oif != dev_out->ifindex)) {
+		/* For local routes that require a particular output interface
+		 * we do not want to cache the result.  Caching the result
+		 * causes incorrect behaviour when there are multiple source
+		 * addresses on the interface, the end result being that if the
+		 * intended recipient is waiting on that interface for the
+		 * packet he won't receive it because it will be delivered on
+		 * the loopback interface and the IP_PKTINFO ipi_ifindex will
+		 * be set to the loopback interface as well.
+		 */
+		fi = NULL;
 	}
 
 	fnhe = NULL;
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 2b986576e5ad..0b23c4ec653f 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -112,7 +112,7 @@ static bool tcp_fastopen_cookie_gen(struct request_sock *req,
 		struct tcp_fastopen_cookie tmp;
 
 		if (__tcp_fastopen_cookie_gen(&ip6h->saddr, &tmp)) {
-			struct in6_addr *buf = (struct in6_addr *) tmp.val;
+			struct in6_addr *buf = &tmp.addr;
 			int i = 4;
 
 			for (i = 0; i < 4; i++)
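
Review bot: in the IPv6 branch of tcp_fastopen_cookie_gen(), &tmp.addr
only builds if struct tcp_fastopen_cookie has an addr member, and that
definition is not among this file's hunks; make sure the header change is
part of the same patch. The initialiser in "int i = 4;" is overwritten by
the for loop directly below it and can be dropped.
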
@@ -164,6 +164,7 @@ static bool tcp_fastopen_create_child(struct sock *sk,
 	 * scaled. So correct it appropriately.
 	 */
 	tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
+	tp->max_window = tp->snd_wnd;
 
 	/* Activate the retrans timer so that SYNACK can be retransmitted.
 	 * The request socket is not added to the SYN table of the parent
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 8b5c457b40cd..f8ee2fc404cd 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1821,12 +1821,14 @@ static int tcp_mtu_probe(struct sock *sk)
 	len = 0;
 	tcp_for_write_queue_from_safe(skb, next, sk) {
 		copy = min_t(int, skb->len, probe_size - len);
-		if (nskb->ip_summed)
+		if (nskb->ip_summed) {
 			skb_copy_bits(skb, 0, skb_put(nskb, copy), copy);
-		else
-			nskb->csum = skb_copy_and_csum_bits(skb, 0,
-							    skb_put(nskb, copy),
-							    copy, nskb->csum);
+		} else {
+			__wsum csum = skb_copy_and_csum_bits(skb, 0,
+							     skb_put(nskb, copy),
+							     copy, 0);
+			nskb->csum = csum_block_add(nskb->csum, csum, len);
+		}
 
 		if (skb->len <= copy) {
 			/* We've eaten all the data from this skb.
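
Review bot: csum_block_add(nskb->csum, csum, len) in tcp_mtu_probe()
treats len as the offset of this chunk inside nskb, so it is only correct
while len is advanced after this statement, and that increment is outside
the hunk. A short comment saying that len is the chunk offset, and that
the partial sum is therefore computed with a zero seed, would keep a
later reordering from breaking the checksum again.
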
@@ -2249,9 +2251,11 @@ u32 __tcp_select_window(struct sock *sk)
 	int full_space = min_t(int, tp->window_clamp, allowed_space);
 	int window;
 
-	if (mss > full_space)
+	if (unlikely(mss > full_space)) {
 		mss = full_space;
-
+		if (mss <= 0)
+			return 0;
+	}
 	if (free_space < (full_space >> 1)) {
 		icsk->icsk_ack.quick = 0;
 
@@ -2437,7 +2441,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
 	 * copying overhead: fragmentation, tunneling, mangling etc.
 	 */
 	if (atomic_read(&sk->sk_wmem_alloc) >
-	    min(sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2), sk->sk_sndbuf))
+	    min_t(u32, sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2),
+		  sk->sk_sndbuf))
 		return -EAGAIN;
 
 	if (skb_still_in_host_queue(sk, skb))
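
Review bot: min_t(u32, ...) in __tcp_retransmit_skb() forces both
operands to u32, and the result is then compared with the int returned by
atomic_read(), so the whole test becomes unsigned. State in the changelog
which operand types plain min() could not compare, and confirm that
neither sk_wmem_queued nor sk_sndbuf can be negative here, since a
negative value would turn into a very large limit.
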
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 716475fc884b..59ddab1fce28 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1533,7 +1533,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 
 		/* if we're overly short, let UDP handle it */
 		encap_rcv = ACCESS_ONCE(up->encap_rcv);
-		if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) {
+		if (encap_rcv) {
 			int ret;
 
 			/* Verify checksum before giving to encap */
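
Review bot: the context comment "if we're overly short, let UDP handle
it" in udp_queue_rcv_skb() no longer matches the code, because the
skb->len > sizeof(struct udphdr) test it described has been removed.
Update or drop the comment, and note that every encap_rcv handler now has
to cope with a datagram that carries no payload after the UDP header.
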
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 011a4c710c94..cd12b63faf10 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4837,8 +4837,7 @@ static void addrconf_disable_change(struct net *net, __s32 newf)
 	struct net_device *dev;
 	struct inet6_dev *idev;
 
-	rcu_read_lock();
-	for_each_netdev_rcu(net, dev) {
+	for_each_netdev(net, dev) {
 		idev = __in6_dev_get(dev);
 		if (idev) {
 			int changed = (!idev->cnf.disable_ipv6) ^ (!newf);
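
Review bot: addrconf_disable_change() now walks the device list with
for_each_netdev() and without rcu_read_lock(), which is only safe if
every caller holds RTNL. An ASSERT_RTNL() at the top of the function
would document and enforce that requirement.
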
@@ -4847,7 +4846,6 @@ static void addrconf_disable_change(struct net *net, __s32 newf)
 				dev_disable_change(idev);
 		}
 	}
-	rcu_read_unlock();
 }
 
 static int addrconf_disable_ipv6(struct ctl_table *table, int *p, int newf)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 42dd7c0c4283..f204efd21f50 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -819,6 +819,9 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev)
 		return -1;
 
 	offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+	/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+	ipv6h = ipv6_hdr(skb);
+
 	if (offset > 0) {
 		struct ipv6_tlv_tnl_enc_lim *tel;
 		tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];
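
Review bot: only ipv6h is reloaded after ip6_tnl_parse_tlv_enc_lim() in
ip6gre_xmit_ipv6(). Check the lines above the call for any other pointer
into the packet that is computed earlier and used afterwards; it would be
stale for the same reason the new comment gives.
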
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index ef590d4e0171..f987e8a1282b 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -219,6 +219,7 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
 	ops = rcu_dereference(inet6_offloads[proto]);
 	if (!ops || !ops->callbacks.gro_receive) {
 		__pskb_pull(skb, skb_gro_offset(skb));
+		skb_gro_frag0_invalidate(skb);
 		proto = ipv6_gso_pull_exthdrs(skb, proto);
 		skb_gro_pull(skb, -skb_transport_offset(skb));
 		skb_reset_transport_header(skb);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index cdd0bc79383a..7046af25d6be 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1031,17 +1031,12 @@ struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
 					 const struct in6_addr *final_dst)
 {
 	struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
-	int err;
 
 	dst = ip6_sk_dst_check(sk, dst, fl6);
+	if (!dst)
+		dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
 
-	err = ip6_dst_lookup_tail(sk, &dst, fl6);
-	if (err)
-		return ERR_PTR(err);
-	if (final_dst)
-		fl6->daddr = *final_dst;
-
-	return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
+	return dst;
 }
 EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
 
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index e9399e5c1709..2879eb9a6049 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -402,18 +402,19 @@ ip6_tnl_dev_uninit(struct net_device *dev)
 
 __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
 {
-	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
-	__u8 nexthdr = ipv6h->nexthdr;
-	__u16 off = sizeof (*ipv6h);
+	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+	unsigned int nhoff = raw - skb->data;
+	unsigned int off = nhoff + sizeof(*ipv6h);
+	u8 next, nexthdr = ipv6h->nexthdr;
 
 	while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
-		__u16 optlen = 0;
 		struct ipv6_opt_hdr *hdr;
-		if (raw + off + sizeof (*hdr) > skb->data &&
-		    !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
+		u16 optlen;
+
+		if (!pskb_may_pull(skb, off + sizeof(*hdr)))
 			break;
 
-		hdr = (struct ipv6_opt_hdr *) (raw + off);
+		hdr = (struct ipv6_opt_hdr *)(skb->data + off);
 		if (nexthdr == NEXTHDR_FRAGMENT) {
 			struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
 			if (frag_hdr->frag_off)
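
Review bot: nhoff = raw - skb->data in ip6_tnl_parse_tlv_enc_lim() is
unsigned, so it wraps if raw ever points below skb->data, a case the
removed "raw + off + sizeof (*hdr) > skb->data" test allowed for. If
every caller passes a header at or after skb->data, state that in a
comment above the function; otherwise reject raw < skb->data before
computing nhoff.
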
@@ -424,20 +425,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
 		} else {
 			optlen = ipv6_optlen(hdr);
 		}
+		/* cache hdr->nexthdr, since pskb_may_pull() might
+		 * invalidate hdr
+		 */
+		next = hdr->nexthdr;
 		if (nexthdr == NEXTHDR_DEST) {
-			__u16 i = off + 2;
+			u16 i = 2;
+
+			/* Remember : hdr is no longer valid at this point. */
+			if (!pskb_may_pull(skb, off + optlen))
+				break;
+
 			while (1) {
 				struct ipv6_tlv_tnl_enc_lim *tel;
 
 				/* No more room for encapsulation limit */
-				if (i + sizeof (*tel) > off + optlen)
+				if (i + sizeof(*tel) > optlen)
 					break;
 
-				tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
+				tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
 				/* return index of option if found and valid */
 				if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
 				    tel->length == 1)
-					return i;
+					return i + off - nhoff;
 				/* else jump to next option */
 				if (tel->type)
 					i += tel->length + 2;
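
Review bot: "return i + off - nhoff" is evaluated in unsigned int while
the function still returns __u16, so the offset is silently truncated on
return. Callers index skb_network_header(skb) with the result, so either
bound the value explicitly before returning or add a comment on why it
always fits in 16 bits.
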
@@ -445,7 +455,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
 					i++;
 			}
 		}
-		nexthdr = hdr->nexthdr;
+		nexthdr = next;
 		off += optlen;
 	}
 	return 0;
@@ -958,12 +968,21 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
 	struct ipv6_tel_txoption opt;
 	struct dst_entry *dst = NULL, *ndst = NULL;
 	struct net_device *tdev;
+	bool use_cache = false;
 	int mtu;
 	unsigned int max_headroom = sizeof(struct ipv6hdr);
 	u8 proto;
 	int err = -1;
 
-	if (!fl6->flowi6_mark)
+	if (!(t->parms.flags &
+		     (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
+		/* enable the cache only only if the routing decision does
+		 * not depend on the current inner header value
+		 */
+		use_cache = true;
+	}
+
+	if (use_cache)
 		dst = ip6_tnl_dst_check(t);
 	if (!dst) {
 		ndst = ip6_route_output(net, NULL, fl6);
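
Review bot: the new comment in ip6_tnl_xmit2() reads "enable the cache
only only if"; drop the duplicated word. use_cache could also be
initialised directly from the flags test instead of being declared false
and set in a separate block, which would shorten the hunk.
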
@@ -1021,7 +1040,7 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
 		consume_skb(skb);
 		skb = new_skb;
 	}
-	if (fl6->flowi6_mark) {
+	if (!use_cache) {
 		skb_dst_set(skb, dst);
 		ndst = NULL;
 	} else {
@@ -1118,6 +1137,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 		return -1;
 
 	offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
+	/* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+	ipv6h = ipv6_hdr(skb);
 	if (offset > 0) {
 		struct ipv6_tlv_tnl_enc_lim *tel;
 		tel = (struct ipv6_tlv_tnl_enc_lim *)&skb_network_header(skb)[offset];
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 17049f81c750..6d2f7be65f4f 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1076,6 +1076,7 @@ static struct mfc6_cache *ip6mr_cache_alloc(void)
 	struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
 	if (c == NULL)
 		return NULL;
+	c->mfc_un.res.last_assert = jiffies - MFC_ASSERT_THRESH - 1;
 	c->mfc_un.res.minvif = MAXMIFS;
 	return c;
 }
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index ad84e7dec433..23575a0ac6f9 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -93,7 +93,7 @@ static void mld_gq_timer_expire(unsigned long data);
 static void mld_ifc_timer_expire(unsigned long data);
 static void mld_ifc_event(struct inet6_dev *idev);
 static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
 static void mld_clear_delrec(struct inet6_dev *idev);
 static bool mld_in_v1_mode(const struct inet6_dev *idev);
 static int sf_setstate(struct ifmcaddr6 *pmc);
@@ -727,9 +727,9 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc)
 			dev_mc_del(dev, buf);
 	}
 
-	if (mc->mca_flags & MAF_NOREPORT)
-		goto done;
 	spin_unlock_bh(&mc->mca_lock);
+	if (mc->mca_flags & MAF_NOREPORT)
+		return;
 
 	if (!mc->idev->dead)
 		igmp6_leave_group(mc);
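
Review bot: in igmp6_group_dropped() the MAF_NOREPORT test now runs after
spin_unlock_bh(&mc->mca_lock), so mca_flags is read without the lock that
covered it in the old placement. If the flag cannot change concurrently,
say so in a comment; otherwise sample it into a local before unlocking.
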
@@ -737,8 +737,6 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc)
 	spin_lock_bh(&mc->mca_lock);
 	if (del_timer(&mc->mca_timer))
 		atomic_dec(&mc->mca_refcnt);
-done:
-	ip6_mc_clear_src(mc);
 	spin_unlock_bh(&mc->mca_lock);
 }
 
@@ -783,10 +781,11 @@ static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
 	spin_unlock_bh(&idev->mc_lock);
 }
 
-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
 {
 	struct ifmcaddr6 *pmc, *pmc_prev;
-	struct ip6_sf_list *psf, *psf_next;
+	struct ip6_sf_list *psf;
+	struct in6_addr *pmca = &im->mca_addr;
 
 	spin_lock_bh(&idev->mc_lock);
 	pmc_prev = NULL;
@@ -803,14 +802,21 @@ static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
 	}
 	spin_unlock_bh(&idev->mc_lock);
 
+	spin_lock_bh(&im->mca_lock);
 	if (pmc) {
-		for (psf=pmc->mca_tomb; psf; psf=psf_next) {
-			psf_next = psf->sf_next;
-			kfree(psf);
+		im->idev = pmc->idev;
+		im->mca_crcount = idev->mc_qrv;
+		im->mca_sfmode = pmc->mca_sfmode;
+		if (pmc->mca_sfmode == MCAST_INCLUDE) {
+			im->mca_tomb = pmc->mca_tomb;
+			im->mca_sources = pmc->mca_sources;
+			for (psf = im->mca_sources; psf; psf = psf->sf_next)
+				psf->sf_crcount = im->mca_crcount;
 		}
 		in6_dev_put(pmc->idev);
 		kfree(pmc);
 	}
+	spin_unlock_bh(&im->mca_lock);
 }
 
 static void mld_clear_delrec(struct inet6_dev *idev)
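
Review bot: mld_del_delrec() no longer frees the pmc->mca_tomb list, and
the lists are handed over to im only when pmc->mca_sfmode is
MCAST_INCLUDE, so in the other mode kfree(pmc) appears to drop whatever
pmc->mca_tomb and pmc->mca_sources still point to. Either free them on
that path or explain why they are always empty there. The assignments to
im->mca_tomb and im->mca_sources also overwrite im's current lists
without freeing them; confirm those are NULL whenever a matching delete
record exists.
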
@@ -915,7 +921,7 @@ int ipv6_dev_mc_inc(struct net_device *dev, const struct in6_addr *addr)
 	idev->mc_list = mc;
 	write_unlock_bh(&idev->lock);
 
-	mld_del_delrec(idev, &mc->mca_addr);
+	mld_del_delrec(idev, mc);
 	igmp6_group_added(mc);
 	ma_put(mc);
 	return 0;
@@ -938,6 +944,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *idev, const struct in6_addr *addr)
 				write_unlock_bh(&idev->lock);
 
 				igmp6_group_dropped(ma);
+				ip6_mc_clear_src(ma);
 
 				ma_put(ma);
 				return 0;
@@ -2479,15 +2486,17 @@ void ipv6_mc_down(struct inet6_dev *idev)
 	/* Withdraw multicast list */
 
 	read_lock_bh(&idev->lock);
-	mld_ifc_stop_timer(idev);
-	mld_gq_stop_timer(idev);
-	mld_dad_stop_timer(idev);
 
 	for (i = idev->mc_list; i; i=i->next)
 		igmp6_group_dropped(i);
-	read_unlock_bh(&idev->lock);
 
-	mld_clear_delrec(idev);
+	/* Should stop timer after group drop. or we will
+	 * start timer again in mld_ifc_event()
+	 */
+	mld_ifc_stop_timer(idev);
+	mld_gq_stop_timer(idev);
+	mld_dad_stop_timer(idev);
+	read_unlock_bh(&idev->lock);
 }
 
 
@@ -2500,8 +2509,10 @@ void ipv6_mc_up(struct inet6_dev *idev)
 	/* Install multicast list, except for all-nodes (already installed) */
 
 	read_lock_bh(&idev->lock);
-	for (i = idev->mc_list; i; i=i->next)
+	for (i = idev->mc_list; i; i = i->next) {
+		mld_del_delrec(idev, i);
 		igmp6_group_added(i);
+	}
 	read_unlock_bh(&idev->lock);
 }
 
@@ -2540,6 +2551,7 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev)
 
 	/* Deactivate timers */
 	ipv6_mc_down(idev);
+	mld_clear_delrec(idev);
 
 	/* Delete all-nodes address. */
 	/* We cannot call ipv6_dev_mc_dec() directly, our caller in
@@ -2554,11 +2566,9 @@ void ipv6_mc_destroy_dev(struct inet6_dev *idev)
 	write_lock_bh(&idev->lock);
 	while ((i = idev->mc_list) != NULL) {
 		idev->mc_list = i->next;
-		write_unlock_bh(&idev->lock);
 
-		igmp6_group_dropped(i);
+		write_unlock_bh(&idev->lock);
 		ma_put(i);
-
 		write_lock_bh(&idev->lock);
 	}
 	write_unlock_bh(&idev->lock);
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 790e0c6b19e1..a8af693b717d 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -72,10 +72,10 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
 	return ret;
 }
 
-static bool rpfilter_is_local(const struct sk_buff *skb)
+static bool
+rpfilter_is_loopback(const struct sk_buff *skb, const struct net_device *in)
 {
-	const struct rt6_info *rt = (const void *) skb_dst(skb);
-	return rt && (rt->rt6i_flags & RTF_LOCAL);
+	return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;
 }
 
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
@@ -85,7 +85,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	struct ipv6hdr *iph;
 	bool invert = info->flags & XT_RPFILTER_INVERT;
 
-	if (rpfilter_is_local(skb))
+	if (rpfilter_is_loopback(skb, par->in))
 		return true ^ invert;
 
 	iph = ipv6_hdr(skb);
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 1463757e8682..edff1d1c74cb 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -588,8 +588,11 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
 	}
 
 	offset += skb_transport_offset(skb);
-	if (skb_copy_bits(skb, offset, &csum, 2))
-		BUG();
+	err = skb_copy_bits(skb, offset, &csum, 2);
+	if (err < 0) {
+		ip6_flush_pending_frames(sk);
+		goto out;
+	}
 
 	/* in case cksum was not initialized */
 	if (unlikely(csum))
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index b5bdd2aeb2f8..96b442ea904a 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -559,13 +559,13 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
 
 	if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
 		ipv4_update_pmtu(skb, dev_net(skb->dev), info,
-				 t->parms.link, 0, IPPROTO_IPV6, 0);
+				 t->parms.link, 0, iph->protocol, 0);
 		err = 0;
 		goto out;
 	}
 	if (type == ICMP_REDIRECT) {
 		ipv4_redirect(skb, dev_net(skb->dev), t->parms.link, 0,
-			      IPPROTO_IPV6, 0);
+			      iph->protocol, 0);
 		err = 0;
 		goto out;
 	}
@@ -1368,6 +1368,7 @@ static int ipip6_tunnel_init(struct net_device *dev)
 	tunnel->dst_cache = alloc_percpu(struct ip_tunnel_dst);
 	if (!tunnel->dst_cache) {
 		free_percpu(dev->tstats);
+		dev->tstats = NULL;
 		return -ENOMEM;
 	}
 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 8eb38558e157..067011cff207 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -631,7 +631,7 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 
 		/* if we're overly short, let UDP handle it */
 		encap_rcv = ACCESS_ONCE(up->encap_rcv);
-		if (skb->len > sizeof(struct udphdr) && encap_rcv != NULL) {
+		if (encap_rcv) {
 			int ret;
 
 			/* Verify checksum before giving to encap */
diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index 7152624ed5f1..26ccd65cdcab 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -385,9 +385,6 @@ EXPORT_SYMBOL(hashbin_new);
  *    for deallocating this structure if it's complex. If not the user can
  *    just supply kfree, which should take care of the job.
  */
-#ifdef CONFIG_LOCKDEP
-static int hashbin_lock_depth = 0;
-#endif
 int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
 {
 	irda_queue_t* queue;
@@ -398,22 +395,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
 	IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
 
 	/* Synchronize */
-	if ( hashbin->hb_type & HB_LOCK ) {
-		spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
-					 hashbin_lock_depth++);
-	}
+	if (hashbin->hb_type & HB_LOCK)
+		spin_lock_irqsave(&hashbin->hb_spinlock, flags);
 
 	/*
 	 *  Free the entries in the hashbin, TODO: use hashbin_clear when
 	 *  it has been shown to work
 	 */
 	for (i = 0; i < HASHBIN_SIZE; i ++ ) {
-		queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-		while (queue ) {
-			if (free_func)
-				(*free_func)(queue);
-			queue = dequeue_first(
-				(irda_queue_t**) &hashbin->hb_queue[i]);
+		while (1) {
+			queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+
+			if (!queue)
+				break;
+
+			if (free_func) {
+				if (hashbin->hb_type & HB_LOCK)
+					spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+				free_func(queue);
+				if (hashbin->hb_type & HB_LOCK)
+					spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+			}
 		}
 	}
 
@@ -422,12 +424,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
 	hashbin->magic = ~HB_MAGIC;
 
 	/* Release lock */
-	if ( hashbin->hb_type & HB_LOCK) {
+	if (hashbin->hb_type & HB_LOCK)
 		spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
-#ifdef CONFIG_LOCKDEP
-		hashbin_lock_depth--;
-#endif
-	}
 
 	/*
 	 *  Free the hashbin structure
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 68aa9ffd4ae4..e9ec7d2cc357 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -273,6 +273,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb,
 int l2tp_nl_register_ops(enum l2tp_pwtype pw_type,
 			 const struct l2tp_nl_cmd_ops *ops);
 void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type);
+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg);
 
 /* Session reference counts. Incremented when code obtains a reference
  * to a session.
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 5d53249a2e84..5fc8b6899b90 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -11,6 +11,7 @@
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
+#include <asm/ioctls.h>
 #include <linux/icmp.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -555,6 +556,30 @@ out:
 	return err ? err : copied;
 }
 
+int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg)
+{
+	struct sk_buff *skb;
+	int amount;
+
+	switch (cmd) {
+	case SIOCOUTQ:
+		amount = sk_wmem_alloc_get(sk);
+		break;
+	case SIOCINQ:
+		spin_lock_bh(&sk->sk_receive_queue.lock);
+		skb = skb_peek(&sk->sk_receive_queue);
+		amount = skb ? skb->len : 0;
+		spin_unlock_bh(&sk->sk_receive_queue.lock);
+		break;
+
+	default:
+		return -ENOIOCTLCMD;
+	}
+
+	return put_user(amount, (int __user *)arg);
+}
+EXPORT_SYMBOL(l2tp_ioctl);
+
 static struct proto l2tp_ip_prot = {
 	.name		   = "L2TP/IP",
 	.owner		   = THIS_MODULE,
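
Review bot: l2tp_ioctl() is defined and exported in l2tp_ip.c but
declared in l2tp_core.h and also used by l2tp_ip6.c, which makes the IPv6
module depend on the IPv4 one. Defining it in the core module alongside
its declaration would avoid that. The SIOCINQ case also needs a comment
that it reports the length of the first queued skb only, not the total
number of queued bytes.
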
@@ -563,7 +588,7 @@ static struct proto l2tp_ip_prot = {
 	.bind		   = l2tp_ip_bind,
 	.connect	   = l2tp_ip_connect,
 	.disconnect	   = l2tp_ip_disconnect,
-	.ioctl		   = udp_ioctl,
+	.ioctl		   = l2tp_ioctl,
 	.destroy	   = l2tp_ip_destroy_sock,
 	.setsockopt	   = ip_setsockopt,
 	.getsockopt	   = ip_getsockopt,
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index a6e69677a6a1..0531450657d2 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -716,7 +716,7 @@ static struct proto l2tp_ip6_prot = {
 	.bind		   = l2tp_ip6_bind,
 	.connect	   = l2tp_ip6_connect,
 	.disconnect	   = l2tp_ip6_disconnect,
-	.ioctl		   = udp_ioctl,
+	.ioctl		   = l2tp_ioctl,
 	.destroy	   = l2tp_ip6_destroy_sock,
 	.setsockopt	   = ipv6_setsockopt,
 	.getsockopt	   = ipv6_getsockopt,
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 42dc2e45c921..9c68d0bca046 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
 		 * another trick required to cope with how the PROCOM state
 		 * machine works. -acme
 		 */
+		skb_orphan(skb);
+		sock_hold(sk);
 		skb->sk = sk;
+		skb->destructor = sock_efree;
 	}
 	if (!sock_owned_by_user(sk))
 		llc_conn_rcv(sk, skb);
diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
index 06033f6c845f..cdc1b620cbe1 100644
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
 
 	ev->type   = LLC_SAP_EV_TYPE_PDU;
 	ev->reason = 0;
+	skb_orphan(skb);
+	sock_hold(sk);
 	skb->sk = sk;
+	skb->destructor = sock_efree;
 	llc_sap_state_process(sap, skb);
 }
 
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 27b5b3b43744..58f5f34a7af1 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -352,7 +352,7 @@ int mesh_add_vendor_ies(struct ieee80211_sub_if_data *sdata,
 	/* fast-forward to vendor IEs */
 	offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);
 
-	if (offset) {
+	if (offset < ifmsh->ie_len) {
 		len = ifmsh->ie_len - offset;
 		data = ifmsh->ie + offset;
 		if (skb_tailroom(skb) < len)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ff3dac855100..58fab5951b22 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2458,7 +2458,7 @@ static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
 }
 
 static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
-					 bool assoc)
+					 bool assoc, bool abandon)
 {
 	struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
 
@@ -2473,6 +2473,9 @@ static void ieee80211_destroy_assoc_data(struct ieee80211_sub_if_data *sdata,
 		mutex_lock(&sdata->local->mtx);
 		ieee80211_vif_release_channel(sdata);
 		mutex_unlock(&sdata->local->mtx);
+
+		if (abandon)
+			cfg80211_abandon_assoc(sdata->dev, assoc_data->bss);
 	}
 
 	kfree(assoc_data);
@@ -2779,11 +2782,11 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
 	if (status_code != WLAN_STATUS_SUCCESS) {
 		sdata_info(sdata, "%pM denied association (code=%d)\n",
 			   mgmt->sa, status_code);
-		ieee80211_destroy_assoc_data(sdata, false);
+		ieee80211_destroy_assoc_data(sdata, false, false);
 	} else {
 		if (!ieee80211_assoc_success(sdata, bss, mgmt, len)) {
 			/* oops -- internal error -- send timeout for now */
-			ieee80211_destroy_assoc_data(sdata, false);
+			ieee80211_destroy_assoc_data(sdata, false, false);
 			cfg80211_assoc_timeout(sdata->dev, bss);
 			return;
 		}
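
Review bot: the call sites in ieee80211_rx_mgmt_assoc_resp() now read
ieee80211_destroy_assoc_data(sdata, false, false) and (sdata, true,
false), and two adjacent bool arguments are easy to transpose. A comment
on the function naming what assoc and abandon each select, or a single
enum argument, would make these calls reviewable without looking up the
prototype.
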
@@ -2794,7 +2797,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
 		 * recalc after assoc_data is NULL but before associated
 		 * is set can cause the interface to go idle
 		 */
-		ieee80211_destroy_assoc_data(sdata, true);
+		ieee80211_destroy_assoc_data(sdata, true, false);
 	}
 
 	cfg80211_rx_assoc_resp(sdata->dev, bss, (u8 *)mgmt, len);
@@ -3491,7 +3494,7 @@ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
 		    ieee80211_do_assoc(sdata)) {
 			struct cfg80211_bss *bss = ifmgd->assoc_data->bss;
 
-			ieee80211_destroy_assoc_data(sdata, false);
+			ieee80211_destroy_assoc_data(sdata, false, false);
 			cfg80211_assoc_timeout(sdata->dev, bss);
 		}
 	} else if (ifmgd->assoc_data && ifmgd->assoc_data->timeout_started)
@@ -3640,7 +3643,7 @@ void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata)
 					       WLAN_REASON_DEAUTH_LEAVING,
 					       false, frame_buf);
 		if (ifmgd->assoc_data)
-			ieee80211_destroy_assoc_data(sdata, false);
+			ieee80211_destroy_assoc_data(sdata, false, true);
 		if (ifmgd->auth_data)
 			ieee80211_destroy_auth_data(sdata, false);
 		cfg80211_tx_mlme_mgmt(sdata->dev, frame_buf,
@@ -4553,7 +4556,7 @@ void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata)
 	sdata_lock(sdata);
 	if (ifmgd->assoc_data) {
 		struct cfg80211_bss *bss = ifmgd->assoc_data->bss;
-		ieee80211_destroy_assoc_data(sdata, false);
+		ieee80211_destroy_assoc_data(sdata, false, false);
 		cfg80211_assoc_timeout(sdata->dev, bss);
 	}
 	if (ifmgd->auth_data)
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 85296d4eac0e..4e6245f09ee4 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -13,7 +13,6 @@
 /* Internal logging interface, which relies on the real
    LOG target modules */
 
-#define NF_LOG_PREFIXLEN		128
 #define NFLOGGER_NAME_LEN		64
 
 static struct list_head nf_loggers_l[NFPROTO_NUMPROTO] __read_mostly;
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index 10cfb156cdf4..8c24270e08e1 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -38,7 +38,8 @@ static void nft_log_eval(const struct nft_expr *expr,
 
 static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
 	[NFTA_LOG_GROUP]	= { .type = NLA_U16 },
-	[NFTA_LOG_PREFIX]	= { .type = NLA_STRING },
+	[NFTA_LOG_PREFIX]	= { .type = NLA_STRING,
+				    .len = NF_LOG_PREFIXLEN - 1 },
 	[NFTA_LOG_SNAPLEN]	= { .type = NLA_U32 },
 	[NFTA_LOG_QTHRESHOLD]	= { .type = NLA_U16 },
 };
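
Review bot: the new .len in nft_log_policy uses NF_LOG_PREFIXLEN, whose
#define is removed from nf_log.c earlier in this patch, so it has to come
from a shared header that is not among these hunks; check that nft_log.c
includes it. A short comment on why the limit is NF_LOG_PREFIXLEN - 1
rather than NF_LOG_PREFIXLEN would explain the bound.
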
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 062624c1be7e..193eac992814 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1402,6 +1402,8 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po)
 	f->arr[f->num_members] = sk;
 	smp_wmb();
 	f->num_members++;
+	if (f->num_members == 1)
+		dev_add_pack(&f->prot_hook);
 	spin_unlock(&f->lock);
 }
 
@@ -1418,6 +1420,8 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
 	BUG_ON(i >= f->num_members);
 	f->arr[i] = f->arr[f->num_members - 1];
 	f->num_members--;
+	if (f->num_members == 0)
+		__dev_remove_pack(&f->prot_hook);
 	spin_unlock(&f->lock);
 }
 
@@ -1451,13 +1455,16 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 		return -EINVAL;
 	}
 
+	mutex_lock(&fanout_mutex);
+
+	err = -EINVAL;
 	if (!po->running)
-		return -EINVAL;
+		goto out;
 
+	err = -EALREADY;
 	if (po->fanout)
-		return -EALREADY;
+		goto out;
 
-	mutex_lock(&fanout_mutex);
 	match = NULL;
 	list_for_each_entry(f, &fanout_list, list) {
 		if (f->id == id &&
@@ -1487,7 +1494,6 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 		match->prot_hook.func = packet_rcv_fanout;
 		match->prot_hook.af_packet_priv = match;
 		match->prot_hook.id_match = match_fanout_group;
-		dev_add_pack(&match->prot_hook);
 		list_add(&match->list, &fanout_list);
 	}
 	err = -EINVAL;
@@ -1508,24 +1514,29 @@ out:
 	return err;
 }
 
-static void fanout_release(struct sock *sk)
+/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes
+ * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout.
+ * It is the responsibility of the caller to call fanout_release_data() and
+ * free the returned packet_fanout (after synchronize_net())
+ */
+static struct packet_fanout *fanout_release(struct sock *sk)
 {
 	struct packet_sock *po = pkt_sk(sk);
 	struct packet_fanout *f;
 
-	f = po->fanout;
-	if (!f)
-		return;
-
 	mutex_lock(&fanout_mutex);
-	po->fanout = NULL;
+	f = po->fanout;
+	if (f) {
+		po->fanout = NULL;
 
-	if (atomic_dec_and_test(&f->sk_ref)) {
-		list_del(&f->list);
-		dev_remove_pack(&f->prot_hook);
-		kfree(f);
+		if (atomic_dec_and_test(&f->sk_ref))
+			list_del(&f->list);
+		else
+			f = NULL;
 	}
 	mutex_unlock(&fanout_mutex);
+
+	return f;
 }
 
 static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
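
Review bot: the new comment above fanout_release() tells the caller to
call fanout_release_data() before freeing the returned packet_fanout, but
the only caller in this patch, packet_release(), just does kfree(f) after
synchronize_net(). Either drop the reference to fanout_release_data()
from the comment or add the call, so the documented contract matches the
code.
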
@@ -2604,6 +2615,7 @@ static int packet_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
 	struct packet_sock *po;
+	struct packet_fanout *f;
 	struct net *net;
 	union tpacket_req_u req_u;
 
@@ -2643,9 +2655,12 @@ static int packet_release(struct socket *sock)
 		packet_set_ring(sk, &req_u, 1, 1);
 	}
 
-	fanout_release(sk);
+	f = fanout_release(sk);
 
 	synchronize_net();
+
+	kfree(f);
+
 	/*
 	 *	Now the socket is dead. No more input will appear.
 	 */
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 27662e19c3bd..8f357a6eb150 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -103,6 +103,17 @@ static void tcf_pedit_cleanup(struct tc_action *a, int bind)
 	kfree(keys);
 }
 
+static bool offset_valid(struct sk_buff *skb, int offset)
+{
+	if (offset > 0 && offset > skb->len)
+		return false;
+
+	if  (offset < 0 && -offset > skb_headroom(skb))
+		return false;
+
+	return true;
+}
+
 static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
 		     struct tcf_result *res)
 {
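
Review bot: offset_valid() accepts offset == skb->len because the test is
"offset > skb->len", so an offset one past the last byte passes this
check. If the helper is meant to reject every offset that does not
address a byte of the packet, use >=; if it relies on the later
skb_header_pointer() call for the final length check, say so in a
comment. There is also a doubled space in "if  (offset < 0".
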
@@ -129,6 +140,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
 			if (tkey->offmask) {
 				char *d, _d;
 
+				if (!offset_valid(skb, off + tkey->at)) {
+					pr_info("tc filter pedit 'at' offset %d out of bounds\n",
+						off + tkey->at);
+					goto bad;
+				}
 				d = skb_header_pointer(skb, off + tkey->at, 1,
 						       &_d);
 				if (!d)
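
Review bot: the pr_info() added for an out-of-bounds 'at' offset in
tcf_pedit() sits on the per-packet path and is not rate limited, so
traffic that keeps hitting it can flood the kernel log. Use
pr_info_ratelimited() here and for the matching message in the next
hunk.
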
@@ -141,10 +157,10 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
 					" offset must be on 32 bit boundaries\n");
 				goto bad;
 			}
-			if (offset > 0 && offset > skb->len) {
-				pr_info("tc filter pedit"
-					" offset %d can't exceed pkt length %d\n",
-				       offset, skb->len);
+
+			if (!offset_valid(skb, off + offset)) {
+				pr_info("tc filter pedit offset %d out of bounds\n",
+					offset);
 				goto bad;
 			}
 
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 3b2617aa6bcd..7e4e15075c81 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -132,13 +132,15 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
 	unsigned long cl;
 	unsigned long fh;
 	int err;
-	int tp_created = 0;
+	int tp_created;
 
 	if ((n->nlmsg_type != RTM_GETTFILTER) &&
 	    !netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
 		return -EPERM;
 
 replay:
+	tp_created = 0;
+
 	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, NULL);
 	if (err < 0)
 		return err;
diff --git a/net/sched/em_meta.c b/net/sched/em_meta.c
index 9b8c0b0e60d7..386b2971df1b 100644
--- a/net/sched/em_meta.c
+++ b/net/sched/em_meta.c
@@ -176,11 +176,12 @@ META_COLLECTOR(int_vlan_tag)
 {
 	unsigned short tag;
 
-	tag = vlan_tx_tag_get(skb);
-	if (!tag && __vlan_get_tag(skb, &tag))
-		*err = -1;
-	else
+	if (vlan_tx_tag_present(skb))
+		dst->value = vlan_tx_tag_get(skb);
+	else if (!__vlan_get_tag(skb, &tag))
 		dst->value = tag;
+	else
+		*err = -1;
 }
 
 
diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
index 5b766242af94..5d8180269dc9 100644
--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -255,6 +255,7 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 		return err;
 	}
 
+	sch->qstats.backlog += qdisc_pkt_len(skb);
 	sch->q.qlen++;
 
 	return NET_XMIT_SUCCESS;
@@ -277,6 +278,7 @@ static struct sk_buff *dsmark_dequeue(struct Qdisc *sch)
 		return NULL;
 
 	qdisc_bstats_update(sch, skb);
+	sch->qstats.backlog -= qdisc_pkt_len(skb);
 	sch->q.qlen--;
 
 	index = skb->tc_index & (p->indices - 1);
@@ -392,6 +394,7 @@ static void dsmark_reset(struct Qdisc *sch)
 
 	pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p);
 	qdisc_reset(p->q);
+	sch->qstats.backlog = 0;
 	sch->q.qlen = 0;
 }
 
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 718b015da5c3..b169a8a05a5d 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -600,6 +600,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 		htb_activate(q, cl);
 	}
 
+	sch->qstats.backlog += qdisc_pkt_len(skb);
 	sch->q.qlen++;
 	return NET_XMIT_SUCCESS;
 }
@@ -889,6 +890,7 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch)
 ok:
 		qdisc_bstats_update(sch, skb);
 		qdisc_unthrottled(sch);
+		sch->qstats.backlog -= qdisc_pkt_len(skb);
 		sch->q.qlen--;
 		return skb;
 	}
@@ -955,6 +957,7 @@ static unsigned int htb_drop(struct Qdisc *sch)
 			unsigned int len;
 			if (cl->un.leaf.q->ops->drop &&
 			    (len = cl->un.leaf.q->ops->drop(cl->un.leaf.q))) {
+				sch->qstats.backlog -= len;
 				sch->q.qlen--;
 				if (!cl->un.leaf.q->q.qlen)
 					htb_deactivate(q, cl);
@@ -984,12 +987,12 @@ static void htb_reset(struct Qdisc *sch)
 			}
 			cl->prio_activity = 0;
 			cl->cmode = HTB_CAN_SEND;
-
 		}
 	}
 	qdisc_watchdog_cancel(&q->watchdog);
 	__skb_queue_purge(&q->direct_queue);
 	sch->q.qlen = 0;
+	sch->qstats.backlog = 0;
 	memset(q->hlevel, 0, sizeof(q->hlevel));
 	memset(q->row_mask, 0, sizeof(q->row_mask));
 	for (i = 0; i < TC_HTB_NUMPRIO; i++)
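
Review bot: the blank line removed before the closing brace in htb_reset()
is whitespace churn unrelated to the backlog accounting. Unless it is
carried over verbatim from the upstream commit, leave it out so the hunk
contains only the "sch->qstats.backlog = 0" addition.
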
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 73f1db8e8039..aa9e07816feb 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -408,6 +408,25 @@ static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
 	sch->q.qlen++;
 }
 
+/* netem can't properly corrupt a megapacket (like we get from GSO), so instead
+ * when we statistically choose to corrupt one, we instead segment it, returning
+ * the first packet to be corrupted, and re-enqueue the remaining frames
+ */
+static struct sk_buff *netem_segment(struct sk_buff *skb, struct Qdisc *sch)
+{
+	struct sk_buff *segs;
+	netdev_features_t features = netif_skb_features(skb);
+
+	segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+
+	if (IS_ERR_OR_NULL(segs)) {
+		qdisc_reshape_fail(skb, sch);
+		return NULL;
+	}
+	consume_skb(skb);
+	return segs;
+}
+
 /*
  * Insert one skb into qdisc.
  * Note: parent depends on return value to account for queue length.
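
Review bot: the comment above netem_segment() does not match the function.
It says the helper returns the first packet and re-enqueues the remaining
frames, but the body returns the whole list from skb_gso_segment() and
re-enqueues nothing; the split and the re-enqueue are done by the caller.
Reword it to say that it returns the segment list, or NULL after
qdisc_reshape_fail(), and drop the doubled "instead".
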
@@ -420,7 +439,11 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 	/* We don't fill cb now as skb_unshare() may invalidate it */
 	struct netem_skb_cb *cb;
 	struct sk_buff *skb2;
+	struct sk_buff *segs = NULL;
+	unsigned int len = 0, last_len, prev_len = qdisc_pkt_len(skb);
+	int nb = 0;
 	int count = 1;
+	int rc = NET_XMIT_SUCCESS;
 
 	/* Random duplication */
 	if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor))
@@ -466,10 +489,23 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 	 * do it now in software before we mangle it.
 	 */
 	if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) {
+		if (skb_is_gso(skb)) {
+			segs = netem_segment(skb, sch);
+			if (!segs)
+				return NET_XMIT_DROP;
+		} else {
+			segs = skb;
+		}
+
+		skb = segs;
+		segs = segs->next;
+
 		if (!(skb = skb_unshare(skb, GFP_ATOMIC)) ||
 		    (skb->ip_summed == CHECKSUM_PARTIAL &&
-		     skb_checksum_help(skb)))
-			return qdisc_drop(skb, sch);
+		     skb_checksum_help(skb))) {
+			rc = qdisc_drop(skb, sch);
+			goto finish_segs;
+		}
 
 		skb->data[prandom_u32() % skb_headlen(skb)] ^=
 			1<<(prandom_u32() % 8);
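
Review bot: in the rewritten failure branch, "rc = qdisc_drop(skb, sch)" can
run with skb == NULL, because the condition assigns the result of
skb_unshare() to skb and takes this branch when that result is NULL. The
old code had the same shape, but as the branch is being touched anyway it
is worth separating the two failure cases so that a NULL skb is not handed
on. Separately, after "skb = segs; segs = segs->next;" nothing in this hunk
clears skb->next, so please confirm the head segment's link is reset before
it is queued.
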
@@ -529,6 +565,27 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 		sch->qstats.requeues++;
 	}
 
+finish_segs:
+	if (segs) {
+		while (segs) {
+			skb2 = segs->next;
+			segs->next = NULL;
+			qdisc_skb_cb(segs)->pkt_len = segs->len;
+			last_len = segs->len;
+			rc = qdisc_enqueue(segs, sch);
+			if (rc != NET_XMIT_SUCCESS) {
+				if (net_xmit_drop_count(rc))
+					sch->qstats.drops++;
+			} else {
+				nb++;
+				len += last_len;
+			}
+			segs = skb2;
+		}
+		sch->q.qlen += nb;
+		if (nb > 1)
+			qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len);
+	}
 	return NET_XMIT_SUCCESS;
 }
 
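
Review bot: the rc value is never returned. The drop path in the previous
hunk sets rc = qdisc_drop(skb, sch) and jumps to finish_segs, the loop here
overwrites rc with each qdisc_enqueue() result, and the function still ends
in "return NET_XMIT_SUCCESS". Given the existing note that the parent
depends on the return value to account for queue length, either return rc
when the head packet was dropped or add a comment explaining why success is
reported in that case.
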
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index adfb4b58831f..ad0292262581 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1217,9 +1217,12 @@ static int __sctp_connect(struct sock *sk,
 
 	timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
 
-	err = sctp_wait_for_connect(asoc, &timeo);
-	if ((err == 0 || err == -EINPROGRESS) && assoc_id)
+	if (assoc_id)
 		*assoc_id = asoc->assoc_id;
+	err = sctp_wait_for_connect(asoc, &timeo);
+	/* Note: the asoc may be freed after the return of
+	 * sctp_wait_for_connect.
+	 */
 
 	/* Don't free association on exit. */
 	asoc = NULL;
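
Review bot: *assoc_id is now written before sctp_wait_for_connect() and
regardless of err, where the old code wrote it only for 0 or -EINPROGRESS.
Together with the new comment that the asoc may be freed after the wait,
this means a caller can be handed an id for an association that no longer
exists. The comment should say that the id is only meaningful when the
call returns 0 or -EINPROGRESS.
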
@@ -4280,7 +4283,7 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
 static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
 				  int __user *optlen)
 {
-	if (len <= 0)
+	if (len == 0)
 		return -EINVAL;
 	if (len > sizeof(struct sctp_event_subscribe))
 		len = sizeof(struct sctp_event_subscribe);
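
Review bot: with "len <= 0" relaxed to "len == 0", rejecting negative
lengths in sctp_getsockopt_events() now depends on the "len < 0" check this
patch adds to sctp_getsockopt(), and nothing in the helper says so. len is
still a signed int compared against sizeof(...) on the next line, where a
negative value would be converted to unsigned. Add a comment naming the
caller's check, or keep "<= 0" here as a second line of defence.
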
@@ -4328,6 +4331,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
 	if (!asoc)
 		return -EINVAL;
 
+	/* If there is a thread waiting on more sndbuf space for
+	 * sending on this asoc, it cannot be peeled.
+	 */
+	if (waitqueue_active(&asoc->wait))
+		return -EBUSY;
+
 	/* An association cannot be branched off from an already peeled-off
 	 * socket, nor is this supported for tcp style sockets.
 	 */
@@ -5801,6 +5810,9 @@ static int sctp_getsockopt(struct sock *sk, int level, int optname,
 	if (get_user(len, optlen))
 		return -EFAULT;
 
+	if (len < 0)
+		return -EINVAL;
+
 	lock_sock(sk);
 
 	switch (optname) {
@@ -6754,7 +6766,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
 		 */
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
-		BUG_ON(sk != asoc->base.sk);
 		lock_sock(sk);
 
 		*timeo_p = current_timeo;
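
Review bot: with the BUG_ON removed, nothing at this point documents why sk
is still the association's socket after the sleep. The guarantee appears to
come from the -EBUSY check added to sctp_do_peeloff() earlier in this file;
a short comment here pointing at that check would make the dependency
visible to the next reader.
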
diff --git a/net/socket.c b/net/socket.c
index 8da2e2ea4151..ccfaebcdba66 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1998,7 +1998,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
 
 static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
 			 struct msghdr *msg_sys, unsigned int flags,
-			 struct used_address *used_address)
+			 struct used_address *used_address, int *residue)
 {
 	struct compat_msghdr __user *msg_compat =
 	    (struct compat_msghdr __user *)msg;
@@ -2097,6 +2097,8 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
 			memcpy(&used_address->name, msg_sys->msg_name,
 			       used_address->name_len);
 	}
+	if (residue && err >= 0)
+		*residue = total_len - err;
 
 out_freectl:
 	if (ctl_buf != ctl)
@@ -2122,7 +2124,7 @@ long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
 	if (!sock)
 		goto out;
 
-	err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+	err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL, NULL);
 
 	fput_light(sock->file, fput_needed);
 out:
@@ -2149,6 +2151,7 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 	struct compat_mmsghdr __user *compat_entry;
 	struct msghdr msg_sys;
 	struct used_address used_address;
+	int residue;
 
 	if (vlen > UIO_MAXIOV)
 		vlen = UIO_MAXIOV;
@@ -2167,7 +2170,8 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 	while (datagrams < vlen) {
 		if (MSG_CMSG_COMPAT & flags) {
 			err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
-					     &msg_sys, flags, &used_address);
+					     &msg_sys, flags, &used_address,
+					     &residue);
 			if (err < 0)
 				break;
 			err = __put_user(err, &compat_entry->msg_len);
@@ -2175,7 +2179,8 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 		} else {
 			err = ___sys_sendmsg(sock,
 					     (struct msghdr __user *)entry,
-					     &msg_sys, flags, &used_address);
+					     &msg_sys, flags, &used_address,
+					     &residue);
 			if (err < 0)
 				break;
 			err = put_user(err, &entry->msg_len);
@@ -2185,6 +2190,8 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 		if (err)
 			break;
 		++datagrams;
+		if (residue)
+			break;
 	}
 
 	fput_light(sock->file, fput_needed);
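
Review bot: residue is declared without an initializer in __sys_sendmmsg()
and read here in "if (residue)". It is assigned in ___sys_sendmsg() only
under "if (residue && err >= 0)", so this read is well defined only if
every non-negative return passes through that assignment. Initializing it
to 0 at the declaration, or at the top of each loop iteration, removes that
dependency.
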
@@ -2349,8 +2356,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
 		return err;
 
 	err = sock_error(sock->sk);
-	if (err)
+	if (err) {
+		datagrams = err;
 		goto out_put;
+	}
 
 	entry = mmsg;
 	compat_entry = (struct compat_mmsghdr __user *)mmsg;
diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
index eeeba5adee6d..2410d557ae39 100644
--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -260,7 +260,7 @@ static int gssx_dec_option_array(struct xdr_stream *xdr,
 	if (!oa->data)
 		return -ENOMEM;
 
-	creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL);
+	creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL);
 	if (!creds) {
 		kfree(oa->data);
 		return -ENOMEM;
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index efac1201c55d..8bc077f3e91f 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1479,7 +1479,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
 	case RPC_GSS_PROC_DESTROY:
 		if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
 			goto auth_err;
-		rsci->h.expiry_time = get_seconds();
+		rsci->h.expiry_time = seconds_since_boot();
 		set_bit(CACHE_NEGATIVE, &rsci->h.flags);
 		if (resv->iov_len + 4 > PAGE_SIZE)
 			goto drop;
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 70273ab30e85..710d4191e9d5 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -336,6 +336,11 @@ out:
 
 static DEFINE_IDA(rpc_clids);
 
+void rpc_cleanup_clids(void)
+{
+	ida_destroy(&rpc_clids);
+}
+
 static int rpc_alloc_clid(struct rpc_clnt *clnt)
 {
 	int clid;
diff --git a/net/sunrpc/sunrpc_syms.c b/net/sunrpc/sunrpc_syms.c
index cd30120de9e4..aefb4488880f 100644
--- a/net/sunrpc/sunrpc_syms.c
+++ b/net/sunrpc/sunrpc_syms.c
@@ -117,6 +117,7 @@ out:
 static void __exit
 cleanup_sunrpc(void)
 {
+	rpc_cleanup_clids();
 	rpcauth_remove_module();
 	cleanup_socket_xprt();
 	svc_cleanup_xprt_sock();
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 85d232bed87d..e8d3313ea2c9 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1796,27 +1796,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb,
 	else if (sk->sk_shutdown & RCV_SHUTDOWN)
 		err = 0;
 
-	if (copied > 0) {
-		/* We only do these additional bookkeeping/notification steps
-		 * if we actually copied something out of the queue pair
-		 * instead of just peeking ahead.
-		 */
-
-		if (!(flags & MSG_PEEK)) {
-			/* If the other side has shutdown for sending and there
-			 * is nothing more to read, then modify the socket
-			 * state.
-			 */
-			if (vsk->peer_shutdown & SEND_SHUTDOWN) {
-				if (vsock_stream_has_data(vsk) <= 0) {
-					sk->sk_state = SS_UNCONNECTED;
-					sock_set_flag(sk, SOCK_DONE);
-					sk->sk_state_change(sk);
-				}
-			}
-		}
+	if (copied > 0)
 		err = copied;
-	}
 
 out_wait:
 	finish_wait(sk_sleep(sk), &wait);
diff --git a/net/wireless/core.h b/net/wireless/core.h
index c4d4b0c4f0e6..805aaab05ffc 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -369,6 +369,7 @@ void cfg80211_sme_disassoc(struct wireless_dev *wdev);
 void cfg80211_sme_deauth(struct wireless_dev *wdev);
 void cfg80211_sme_auth_timeout(struct wireless_dev *wdev);
 void cfg80211_sme_assoc_timeout(struct wireless_dev *wdev);
+void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev);
 
 /* internal helpers */
 bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 266766b8d80b..66dd9bfe5a96 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -148,6 +148,18 @@ void cfg80211_assoc_timeout(struct net_device *dev, struct cfg80211_bss *bss)
 }
 EXPORT_SYMBOL(cfg80211_assoc_timeout);
 
+void cfg80211_abandon_assoc(struct net_device *dev, struct cfg80211_bss *bss)
+{
+	struct wireless_dev *wdev = dev->ieee80211_ptr;
+	struct wiphy *wiphy = wdev->wiphy;
+
+	cfg80211_sme_abandon_assoc(wdev);
+
+	cfg80211_unhold_bss(bss_from_pub(bss));
+	cfg80211_put_bss(wiphy, bss);
+}
+EXPORT_SYMBOL(cfg80211_abandon_assoc);
+
 void cfg80211_tx_mlme_mgmt(struct net_device *dev, const u8 *buf, size_t len)
 {
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 8bbeeb302216..c74505c1a320 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -39,6 +39,7 @@ struct cfg80211_conn {
 		CFG80211_CONN_ASSOCIATING,
 		CFG80211_CONN_ASSOC_FAILED,
 		CFG80211_CONN_DEAUTH,
+		CFG80211_CONN_ABANDON,
 		CFG80211_CONN_CONNECTED,
 	} state;
 	u8 bssid[ETH_ALEN], prev_bssid[ETH_ALEN];
@@ -195,6 +196,8 @@ static int cfg80211_conn_do_work(struct wireless_dev *wdev)
 		cfg80211_mlme_deauth(rdev, wdev->netdev, params->bssid,
 				     NULL, 0,
 				     WLAN_REASON_DEAUTH_LEAVING, false);
+		/* fall through */
+	case CFG80211_CONN_ABANDON:
 		/* free directly, disconnected event already sent */
 		cfg80211_sme_free(wdev);
 		return 0;
@@ -418,6 +421,17 @@ void cfg80211_sme_assoc_timeout(struct wireless_dev *wdev)
 	schedule_work(&rdev->conn_work);
 }
 
+void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev)
+{
+	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+
+	if (!wdev->conn)
+		return;
+
+	wdev->conn->state = CFG80211_CONN_ABANDON;
+	schedule_work(&rdev->conn_work);
+}
+
 static int cfg80211_sme_connect(struct wireless_dev *wdev,
 				struct cfg80211_connect_params *connect,
 				const u8 *prev_bssid)
diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 8275f0e55106..4b2f44c20caf 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -364,12 +364,14 @@ int dialog_inputbox(WINDOW *main_window,
 	WINDOW *prompt_win;
 	WINDOW *form_win;
 	PANEL *panel;
-	int i, x, y;
+	int i, x, y, lines, columns, win_lines, win_cols;
 	int res = -1;
 	int cursor_position = strlen(init);
 	int cursor_form_win;
 	char *result = *resultp;
 
+	getmaxyx(stdscr, lines, columns);
+
 	if (strlen(init)+1 > *result_len) {
 		*result_len = strlen(init)+1;
 		*resultp = result = realloc(result, *result_len);
@@ -386,14 +388,19 @@ int dialog_inputbox(WINDOW *main_window,
 	if (title)
 		prompt_width = max(prompt_width, strlen(title));
 
+	win_lines = min(prompt_lines+6, lines-2);
+	win_cols = min(prompt_width+7, columns-2);
+	prompt_lines = max(win_lines-6, 0);
+	prompt_width = max(win_cols-7, 0);
+
 	/* place dialog in middle of screen */
-	y = (getmaxy(stdscr)-(prompt_lines+4))/2;
-	x = (getmaxx(stdscr)-(prompt_width+4))/2;
+	y = (lines-win_lines)/2;
+	x = (columns-win_cols)/2;
 
 	strncpy(result, init, *result_len);
 
 	/* create the windows */
-	win = newwin(prompt_lines+6, prompt_width+7, y, x);
+	win = newwin(win_lines, win_cols, y, x);
 	prompt_win = derwin(win, prompt_lines+1, prompt_width, 2, 2);
 	form_win = derwin(win, 1, prompt_width, prompt_lines+3, 2);
 	keypad(form_win, TRUE);
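
Review bot: win_lines = min(prompt_lines+6, lines-2) and win_cols =
min(prompt_width+7, columns-2) can come out zero or negative on a very
small terminal. prompt_lines and prompt_width are clamped with max(..., 0),
but win_lines and win_cols are not, and the lines shown pass them to
newwin() and then derwin() without checking either return value before
keypad() is called. Enforce a minimum window size or return early when the
terminal is too small.
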
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index 04ef9b5351f9..15331bb173f2 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -419,7 +419,6 @@ int snd_seq_pool_done(struct snd_seq_pool *pool)
 {
 	unsigned long flags;
 	struct snd_seq_event_cell *ptr;
-	int max_count = 5 * HZ;
 
 	if (snd_BUG_ON(!pool))
 		return -EINVAL;
@@ -432,14 +431,8 @@ int snd_seq_pool_done(struct snd_seq_pool *pool)
 	if (waitqueue_active(&pool->output_sleep))
 		wake_up(&pool->output_sleep);
 
-	while (atomic_read(&pool->counter) > 0) {
-		if (max_count == 0) {
-			pr_warn("ALSA: snd_seq_pool_done timeout: %d cells remain\n", atomic_read(&pool->counter));
-			break;
-		}
+	while (atomic_read(&pool->counter) > 0)
 		schedule_timeout_uninterruptible(1);
-		max_count--;
-	}
 	
 	/* release all resources */
 	spin_lock_irqsave(&pool->lock, flags);
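
Review bot: with max_count removed, the wait loop in snd_seq_pool_done()
has no upper bound and sleeps uninterruptibly until pool->counter reaches
zero, so a cell that is never returned now hangs the caller with no
diagnostic. Add a comment stating why the counter is guaranteed to drain,
or keep a warning that fires after a delay without breaking out of the
loop.
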
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index 77ec21420355..f676ae53c477 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -181,6 +181,8 @@ void __exit snd_seq_queues_delete(void)
 	}
 }
 
+static void queue_use(struct snd_seq_queue *queue, int client, int use);
+
 /* allocate a new queue -
  * return queue index value or negative value for error
  */
@@ -192,11 +194,11 @@ int snd_seq_queue_alloc(int client, int locked, unsigned int info_flags)
 	if (q == NULL)
 		return -ENOMEM;
 	q->info_flags = info_flags;
+	queue_use(q, client, 1);
 	if (queue_list_add(q) < 0) {
 		queue_delete(q);
 		return -ENOMEM;
 	}
-	snd_seq_queue_use(q->queue, client, 1); /* use this queue */
 	return q->queue;
 }
 
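
Review bot: queue_use(q, client, 1) is called here without
queue->timer_mutex, which snd_seq_queue_use() takes around the same call
later in this patch. That is presumably fine because q has not yet been
passed to queue_list_add(), but the rule is not written down anywhere: the
comment on queue_use() was cut to "use or unuse this queue". State there
that the caller must either hold timer_mutex or own an unpublished queue.
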
@@ -502,19 +504,9 @@ int snd_seq_queue_timer_set_tempo(int queueid, int client,
 	return result;
 }
 
-
-/* use or unuse this queue -
- * if it is the first client, starts the timer.
- * if it is not longer used by any clients, stop the timer.
- */
-int snd_seq_queue_use(int queueid, int client, int use)
+/* use or unuse this queue */
+static void queue_use(struct snd_seq_queue *queue, int client, int use)
 {
-	struct snd_seq_queue *queue;
-
-	queue = queueptr(queueid);
-	if (queue == NULL)
-		return -EINVAL;
-	mutex_lock(&queue->timer_mutex);
 	if (use) {
 		if (!test_and_set_bit(client, queue->clients_bitmap))
 			queue->clients++;
@@ -529,6 +521,21 @@ int snd_seq_queue_use(int queueid, int client, int use)
 	} else {
 		snd_seq_timer_close(queue);
 	}
+}
+
+/* use or unuse this queue -
+ * if it is the first client, starts the timer.
+ * if it is not longer used by any clients, stop the timer.
+ */
+int snd_seq_queue_use(int queueid, int client, int use)
+{
+	struct snd_seq_queue *queue;
+
+	queue = queueptr(queueid);
+	if (queue == NULL)
+		return -EINVAL;
+	mutex_lock(&queue->timer_mutex);
+	queue_use(queue, client, use);
 	mutex_unlock(&queue->timer_mutex);
 	queuefree(queue);
 	return 0;
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 9b54e936aae7..ced54249c171 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -2843,6 +2843,8 @@ enum {
 	CXT_FIXUP_HP_530,
 	CXT_FIXUP_CAP_MIX_AMP_5047,
 	CXT_FIXUP_MUTE_LED_EAPD,
+	CXT_FIXUP_HP_SPECTRE,
+	CXT_FIXUP_HP_GATE_MIC,
 };
 
 /* for hda_fixup_thinkpad_acpi() */
@@ -3216,6 +3218,17 @@ static void cxt_fixup_cap_mix_amp_5047(struct hda_codec *codec,
 				  (1 << AC_AMPCAP_MUTE_SHIFT));
 }
 
+static void cxt_fixup_hp_gate_mic_jack(struct hda_codec *codec,
+				       const struct hda_fixup *fix,
+				       int action)
+{
+	/* the mic pin (0x19) doesn't give an unsolicited event;
+	 * probe the mic pin together with the headphone pin (0x16)
+	 */
+	if (action == HDA_FIXUP_ACT_PROBE)
+		snd_hda_jack_set_gating_jack(codec, 0x19, 0x16);
+}
+
 /* ThinkPad X200 & co with cxt5051 */
 static const struct hda_pintbl cxt_pincfg_lenovo_x200[] = {
 	{ 0x16, 0x042140ff }, /* HP (seq# overridden) */
@@ -3349,6 +3362,18 @@ static const struct hda_fixup cxt_fixups[] = {
 		.type = HDA_FIXUP_FUNC,
 		.v.func = cxt_fixup_mute_led_eapd,
 	},
+	[CXT_FIXUP_HP_SPECTRE] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			/* enable NID 0x1d for the speaker on top */
+			{ 0x1d, 0x91170111 },
+			{ }
+		}
+	},
+	[CXT_FIXUP_HP_GATE_MIC] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = cxt_fixup_hp_gate_mic_jack,
+	},
 };
 
 static const struct snd_pci_quirk cxt5045_fixups[] = {
@@ -3397,6 +3422,9 @@ static const struct hda_model_fixup cxt5051_fixup_models[] = {
 static const struct snd_pci_quirk cxt5066_fixups[] = {
 	SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
+	SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
+	SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+	SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index c4f149ca1a72..06b990727f68 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -3345,6 +3345,7 @@ static const struct hda_codec_preset snd_hda_preset_hdmi[] = {
 { .id = 0x10de0071, .name = "GPU 71 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de0072, .name = "GPU 72 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de007d, .name = "GPU 7d HDMI/DP",	.patch = patch_nvhdmi },
+{ .id = 0x10de0080, .name = "GPU 80 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de0082, .name = "GPU 82 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de0083, .name = "GPU 83 HDMI/DP",	.patch = patch_nvhdmi },
 { .id = 0x10de8001, .name = "MCP73 HDMI",	.patch = patch_nvhdmi_2ch },
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index b76f4ff117a2..1b8fa72a6302 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2282,6 +2282,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC),
 	SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
 	SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
+	SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
 	SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT),
 	SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP),
 	SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP),
@@ -6126,6 +6127,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
 	SND_PCI_QUIRK(0x1043, 0x177d, "ASUS N551", ALC668_FIXUP_ASUS_Nx51),
 	SND_PCI_QUIRK(0x1043, 0x17bd, "ASUS N751", ALC668_FIXUP_ASUS_Nx51),
+	SND_PCI_QUIRK(0x1043, 0x1963, "ASUS X71SL", ALC662_FIXUP_ASUS_MODE8),
 	SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
 	SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
 	SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
diff --git a/sound/usb/card.c b/sound/usb/card.c
index 34f934095ddd..8887f4e19956 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -204,7 +204,6 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
 	if (! snd_usb_parse_audio_interface(chip, interface)) {
 		usb_set_interface(dev, interface, 0); /* reset the current interface */
 		usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
-		return -EINVAL;
 	}
 
 	return 0;
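
Review bot: with "return -EINVAL" removed, the parse-failure branch falls
through to "return 0", so snd_usb_create_stream() reports success after
resetting and claiming the interface. A comment inside the branch saying
why the failure is deliberately not propagated would stop this from being
"fixed" back later.
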
diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
index 2c44139b4041..33db205dd12b 100644
--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -445,6 +445,8 @@ static int hiface_pcm_prepare(struct snd_pcm_substream *alsa_sub)
 
 	mutex_lock(&rt->stream_mutex);
 
+	hiface_pcm_stream_stop(rt);
+
 	sub->dma_off = 0;
 	sub->period_off = 0;
 
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 21c60eff920e..5d249caf3349 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -916,9 +916,10 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
 	case USB_ID(0x046d, 0x0826): /* HD Webcam c525 */
 	case USB_ID(0x046d, 0x08ca): /* Logitech Quickcam Fusion */
 	case USB_ID(0x046d, 0x0991):
+	case USB_ID(0x046d, 0x09a2): /* QuickCam Communicate Deluxe/S7500 */
 	/* Most audio usb devices lie about volume resolution.
 	 * Most Logitech webcams have res = 384.
-	 * Proboly there is some logitech magic behind this number --fishor
+	 * Probably there is some logitech magic behind this number --fishor
 	 */
 		if (!strcmp(kctl->id.name, "Mic Capture Volume")) {
 			usb_audio_info(chip,
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index f954c26de231..0dbb69a404fe 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1646,7 +1646,7 @@ static int trace__sys_enter(struct trace *trace, struct perf_evsel *evsel,
 
 	if (!strcmp(sc->name, "exit_group") || !strcmp(sc->name, "exit")) {
 		if (!trace->duration_filter && !trace->summary_only) {
-			trace__fprintf_entry_head(trace, thread, 1, sample->time, trace->output);
+			trace__fprintf_entry_head(trace, thread, 1, ttrace->entry_time, trace->output);
 			fprintf(trace->output, "%-70s\n", ttrace->entry_str);
 		}
 	} else
@@ -1701,7 +1701,7 @@ static int trace__sys_exit(struct trace *trace, struct perf_evsel *evsel,
 	if (trace->summary_only)
 		goto out;
 
-	trace__fprintf_entry_head(trace, thread, duration, sample->time, trace->output);
+	trace__fprintf_entry_head(trace, thread, duration, ttrace->entry_time, trace->output);
 
 	if (ttrace->entry_pending) {
 		fprintf(trace->output, "%-70s", ttrace->entry_str);
diff --git a/tools/perf/util/trace-event-scripting.c b/tools/perf/util/trace-event-scripting.c
index 57aaccc1692e..6a1fe83386ea 100644
--- a/tools/perf/util/trace-event-scripting.c
+++ b/tools/perf/util/trace-event-scripting.c
@@ -90,7 +90,8 @@ static void register_python_scripting(struct scripting_ops *scripting_ops)
 	if (err)
 		die("error registering py script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPYTHON
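
Review bot: the result of malloc(sizeof(*scripting_context)) is still not
checked for NULL in register_python_scripting(). The function already calls
die() on a registration error a few lines up, so the same handling fits
here. The identical allocation in register_perl_scripting() in the next
hunk has the same gap.
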
@@ -153,7 +154,8 @@ static void register_perl_scripting(struct scripting_ops *scripting_ops)
 	if (err)
 		die("error registering pl script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPERL
diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests
index c09a682df56a..16058bbea7a8 100644
--- a/tools/testing/selftests/net/run_netsocktests
+++ b/tools/testing/selftests/net/run_netsocktests
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 echo "--------------------"
 echo "running socket test"
diff --git a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
index a503fa70c950..9be22e932cc4 100644
--- a/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
+++ b/tools/testing/selftests/powerpc/pmu/ebb/pmc56_overflow_test.c
@@ -64,7 +64,7 @@ int pmc56_overflow(void)
 
 	FAIL_IF(ebb_event_enable(&event));
 
-	mtspr(SPRN_PMC1, pmc_sample_period(sample_period));
+	mtspr(SPRN_PMC2, pmc_sample_period(sample_period));
 	mtspr(SPRN_PMC5, 0);
 	mtspr(SPRN_PMC6, 0);
 


* Re: [PATCH 3.16 125/370] clk: renesas: mstp: Support 8-bit registers for r7s72100
  2017-03-10 12:10   ` Geert Uytterhoeven
@ 2017-03-11 23:50     ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-11 23:50 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: linux-kernel, stable, Andrew Morton, Chris Brandt, Stephen Boyd,
	Kuninori Morimoto, Geert Uytterhoeven


On Fri, 2017-03-10 at 13:10 +0100, Geert Uytterhoeven wrote:
> Hi Ben,
> 
> On Fri, Mar 10, 2017 at 12:46 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> > 3.16.42-rc1 review patch.  If anyone has any objections, please let me know.
> 
> No objections, but you also want
> 
> commit f59de563358eb9351b7f8f0ba2d3be2ebb70b93d
> Author: Chris Brandt <chris.brandt@renesas.com>
> Date:   Tue Feb 14 11:08:05 2017 -0500
> 
>     clk: renesas: mstp: ensure register writes complete
[...]

I've only looked for 'cc: stable' and 'fixes:' in commits up to 4.10 so
far.  Since that commit went into 4.11-rc1, I haven't overlooked it but
will pick it up in the next batch.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.



* Re: [PATCH 3.16 000/372] 3.16.42-rc2 review
  2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
                     ` (2 preceding siblings ...)
  2017-03-11 16:53   ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
@ 2017-03-12 18:18   ` Guenter Roeck
  3 siblings, 0 replies; 390+ messages in thread
From: Guenter Roeck @ 2017-03-12 18:18 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm

On 03/11/2017 07:15 AM, Ben Hutchings wrote:
> I've added two more patches to the queue for this release, which
> will be sent as replies to this message.
>
> Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
> Anything received after that time might be too late.
>

Still looks good.

Guenter


* Re: [PATCH 3.16 302/370] drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
  2017-03-10 11:46 ` [PATCH 3.16 302/370] drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor Ben Hutchings
@ 2017-03-13  3:35   ` Michel Dänzer
  2017-03-14 16:50     ` Ben Hutchings
  0 siblings, 1 reply; 390+ messages in thread
From: Michel Dänzer @ 2017-03-13  3:35 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Michel Dänzer, Sonny Jiang,
	Ashutosh Kumar, Alex Deucher

On 10/03/17 08:46 PM, Ben Hutchings wrote:
> 3.16.42-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Michel Dänzer <michel.daenzer@amd.com>
> 
> commit d74c67dd7800fc7aae381f272875c337f268806c upstream.
> 
> The crtc_h/vdisplay fields may not match the CRTC viewport dimensions
> with special modes such as interlaced ones.
> 
> Fixes the HW cursor disappearing in the bottom half of the screen with
> interlaced modes.
> 
> Fixes: 6b16cf7785a4 ("drm/radeon: Hide the HW cursor while it's out of bounds")

It might make sense to squash together the backports of this commit and
6b16cf7785a4, or at least move them closer together in the series, to
prevent people from hitting the regressed state.


-- 
Earthling Michel Dänzer               |               http://www.amd.com
Libre software enthusiast             |             Mesa and X developer


* Re: [PATCH 3.16 302/370] drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
  2017-03-13  3:35   ` Michel Dänzer
@ 2017-03-14 16:50     ` Ben Hutchings
  0 siblings, 0 replies; 390+ messages in thread
From: Ben Hutchings @ 2017-03-14 16:50 UTC (permalink / raw)
  To: Michel Dänzer
  Cc: linux-kernel, stable, akpm, Michel Dänzer, Sonny Jiang,
	Ashutosh Kumar, Alex Deucher


On Mon, 2017-03-13 at 12:35 +0900, Michel Dänzer wrote:
> On 10/03/17 08:46 PM, Ben Hutchings wrote:
> > 3.16.42-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Michel Dänzer <michel.daenzer@amd.com>
> > 
> > commit d74c67dd7800fc7aae381f272875c337f268806c upstream.
> > 
> > The crtc_h/vdisplay fields may not match the CRTC viewport dimensions
> > with special modes such as interlaced ones.
> > 
> > Fixes the HW cursor disappearing in the bottom half of the screen with
> > interlaced modes.
> > 
> > Fixes: 6b16cf7785a4 ("drm/radeon: Hide the HW cursor while it's out of bounds")
> 
> It might make sense to squash together the backports of this commit and
> 6b16cf7785a4, or at least move them closer together in the series, to
> prevent people from hitting the regressed state.

I hardly ever squash commits together, as it's easier to keep track of
what has been applied if there is a one-to-one mapping.

I will move these two together in the series, but there are lots of
other cases like this on stable branches.

Ben.

-- 
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would be
development of an easy way to factor large prime numbers. - Bill Gates



2017-03-10 11:46 ` [PATCH 3.16 317/370] net: bridge: fix old ioctl unlocked net device walk Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 231/370] qla2xxx: Fix crash due to null pointer access Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 355/370] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 227/370] net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT transitions Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 263/370] ISDN: eicon: silence misleading array-bounds warning Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 271/370] USB: serial: pl2303: add ATEN device ID Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 269/370] drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 240/370] USB: serial: qcserial: add Dell DW5570 QDL Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 340/370] net: sky2: Fix shutdown crash Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 245/370] ARM: dts: da850-evm: fix read access to SPI flash Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 202/370] USB: serial: ch341: fix open error handling Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 248/370] platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 308/370] irda: Fix lockdep annotations in hashbin_delete() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 213/370] USB: serial: ch341: fix control-message error handling Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 363/370] igmp: do not remove igmp souce list info when set link down Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 357/370] tun: Fix TUN_PKT_STRIP setting Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 277/370] ALSA: seq: Don't handle loop timeout at snd_seq_pool_done() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 258/370] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 237/370] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 334/370] dccp: fix out of bound access in dccp_v4_err() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 368/370] ipc/shm: Fix shmat mmap nil-page protection Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 353/370] can: Fix kernel panic at security_sock_rcv_skb Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 278/370] pegasus: Use heap buffers for all register access Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 250/370] crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 230/370] ubifs: Fix journal replay wrt. xattr nodes Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 222/370] svcrpc: don't leak contexts on PROC_DESTROY Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 370/370] sctp: deny peeloff operation on asocs with threads sleeping on it Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 238/370] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 193/370] drm/radeon: drop verde dpm quirks Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 325/370] net: fix sk_mem_reclaim_partial() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 306/370] printk: use rcuidle console tracepoint Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 348/370] r8152: fix the sw rx checksum is unavailable Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 223/370] net: systemport: Decouple flow control from __bcm_sysport_tx_reclaim Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 313/370] sch_htb: update backlog as well Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 293/370] l2tp: do not use udp_ioctl() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 225/370] be2net: fix status check in be_cmd_pmac_add() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 310/370] lib/vsprintf.c: improve sanity check in vsnprintf() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 214/370] gro: use min_t() in skb_gro_reset_offset() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 290/370] ALSA: hda - adding a new NV HDMI/DP codec ID in the driver Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 221/370] i2c: fix kernel memory disclosure in dev interface Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 207/370] gro: Disable frag0 optimization on IPv6 ext headers Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 265/370] parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 359/370] macvtap: read vnet_hdr_size once Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 252/370] powerpc: Add missing error check to prom_find_boot_cpu() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 219/370] jump_labels: API for flushing deferred jump label updates Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 358/370] tun: read vnet_hdr_sz once Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 243/370] nbd: fix use-after-free of rq/bio in the xmit path Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 369/370] sctp: avoid BUG_ON on sctp_wait_for_sndbuf Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 268/370] ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 195/370] USB: ch341: remove redundant close from open error path Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 305/370] packet: Do not call fanout_release from atomic contexts Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 314/370] sch_dsmark: update backlog as well Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 199/370] USB: serial: ch341: fix initial modem-control state Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 208/370] ocfs2: fix crash caused by stale lvb with fsdlm plugin Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 309/370] sched/cputime: Fix invalid gtime in proc Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 329/370] net: Add netdev all_adj_list refcnt propagation to fix panic Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 229/370] clocksource/exynos_mct: Clear interrupt when cpu is shut down Ben Hutchings
2017-03-10 11:46   ` Ben Hutchings
2017-03-10 11:46   ` Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 189/370] tile/ptrace: Preserve previous registers for short regset write Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 274/370] mm, fs: check for fatal signals in do_generic_file_read() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 324/370] bonding: set carrier off for devices created through netlink Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 256/370] SUNRPC: cleanup ida information when removing sunrpc module Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 255/370] ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 347/370] igmp: Make igmp group member RFC 3376 compliant Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 192/370] ata: sata_mv:- Handle return value of devm_ioremap Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 292/370] xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend() Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 343/370] netvsc: reduce maximum GSO size Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 209/370] mm/hugetlb.c: fix reservation race when freeing surplus pages Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 224/370] netfilter: rpfilter: fix incorrect loopback packet judgment Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 190/370] sh_eth: fix EESIPR values for SH77{34|63} Ben Hutchings
2017-03-10 11:46 ` [PATCH 3.16 283/370] drm/i915: fix use-after-free in page_flip_completed() Ben Hutchings
2017-03-10 12:49 ` [PATCH 3.16 000/370] 3.16.42-rc1 review Guenter Roeck
2017-03-10 13:04   ` Ben Hutchings
2017-03-11 15:15 ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
2017-03-11 15:15   ` [PATCH 3.16 372/372] tty: n_hdlc: get rid of racy n_hdlc.tbuf Ben Hutchings
2017-03-11 15:15   ` [PATCH 3.16 371/372] TTY: n_hdlc, fix lockdep false positive Ben Hutchings
2017-03-11 16:53   ` [PATCH 3.16 000/372] 3.16.42-rc2 review Ben Hutchings
2017-03-12 18:18   ` Guenter Roeck
