All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 3.16 000/294] 3.16.50-rc1 review
@ 2017-11-06 23:02 Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 277/294] MIPS: BMIPS: Fix ".previous without corresponding .section" warnings Ben Hutchings
                   ` (295 more replies)
  0 siblings, 296 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:02 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.50 release.
There are 294 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Nov 08 18:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.16.49 will be posted as an additional
response to this.  A shortlog and diffstat can be found below.

Ben.

-------------

A Raghavendra Rao (1):
      Staging: wlan-ng: fix sparse warning in prism2fw.c
         [41cb65c4854e14f12b1cbb8215e509d8ad4d0c88]

Aaron Ma (1):
      Input: trackpoint - add new trackpoint firmware ID
         [ec667683c532c93fb41e100e5d61a518971060e2]

Akinobu Mita (1):
      iio: light: tsl2563: use correct event code
         [a3507e48d3f99a93a3056a34a5365f310434570f]

Alan Stern (4):
      USB: Check for dropped connection before switching to full speed
         [94c43b9897abf4ea366ed4dba027494e080c7050]
      USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
         [1c0edc3633b56000e18d82fc241e3995ca18a69e]
      USB: uas: fix bug in handling of alternate settings
         [786de92b3cb26012d3d0f00ee37adf14527f35c4]
      usb: usbtest: fix NULL pointer dereference
         [7c80f9e4a588f1925b07134bb2e3689335f6c6d8]

Alan Swanson (1):
      uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
         [89f23d51defcb94a5026d4b5da13faf4e1150a6f]

Alban Bedel (1):
      MIPS: Fix the build on jz4740 after removing the custom gpio.h
         [5b235dc2647e4977b17b5c41d959d0f455831c3f]

Alex Vesker (1):
      IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp
         [11f74b40359b19f760964e71d04882a6caf530cc]

Alexander Potapenko (1):
      sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
         [b1f5bfc27a19f214006b9b4db7b9126df2dfdf5a]

Andrew Morton (1):
      MODULE_DEVICE_TABLE: fix some callsites
         [0f989f749b51ec1fd94bb5a42f8ad10c8b9f73cb]

Andrey Ryabinin (1):
      module: fix types of device tables aliases
         [6301939d97d079f0d3dbe71e750f4daf5d39fc33]

Andy Lutomirski (1):
      x86/asm/64: Clear AC on NMI entries
         [e93c17301ac55321fc18e0f8316e924e58a83c8c]

Andy Shevchenko (1):
      platform/x86: samsung-laptop: Initialize loca variable
         [0d2c95354a3b63256e92d9fb865c08902d2c9b0b]

Aneesh Kumar K.V (1):
      powerpc/mm/hash: Free the subpage_prot_table correctly
         [0da12a7a81f1e2255e89dc783c565e84801475a2]

Anil Gurumurthy (1):
      bfa: Fix indentation
         [b7f4d6343820af5c2dc3979e91d85e71e638cd3d]

Ard Biesheuvel (2):
      ARM: 8221/1: PJ4: allow building in Thumb-2 mode
         [13d1b9575ac2c2da143cd2236b6cf0fc314570f8]
      ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode
         [5008efc83bf85b647aa1cbc44718b1675bbb7444]

Arend Van Spriel (1):
      brcmfmac: add length check in brcmf_cfg80211_escan_handler()
         [17df6453d4be17910456e99c5a85025aa1b7a246]

Arnd Bergmann (36):
      ARM: 8296/1: cache-l2x0: clean up aurora cache handling
         [20e783e39e55c2615fb61d1b3d139ee9edcf6772]
      ARM: cns3xxx: shut up frame size warning
         [498a92d42596a7a32c042319eb62a4c3d8081cf1]
      ARM: pxa: select both FB and FB_W100 for eseries
         [1d20d8a9fce8f1e2ef00a0f3d068fa18d59ddf8f]
      Disable "frame-address" warning
         [124a3d88fa20e1869fc229d7d8c740cc81944264]
      MIPS: ip22: Fix ip28 build for modern gcc
         [23ca9b522383d3b9b7991d8586db30118992af4a]
      MIPS: jz4740: fix build error in irq.h
         [not upstream; error was fixed by other changes]
      ata: hpt366: fix constant cast warning
         [6ec0a86c645be3fce7ade42f165a6a417c3503b1]
      brcmfmac: avoid gcc-5.1 warning
         [22f44150aad7a1d6b074ab6cf59abee61c7187c6]
      cpmac: remove hopeless #warning
         [d43e6fb4ac4abfe4ef7c102833ed02330ad701e0]
      dm bufio: hide bogus warning
         [not upstream; warning is avoided by other changes]
      gfs2: remove IS_ERR_VALUE abuse
         [287980e49ffc0f6d911601e7e352a812ed27768e]
      hostap: avoid uninitialized variable use in hfa384x_get_rid
         [48dc5fb3ba53b20418de8514700f63d88c5de3a3]
      i2o: hide unsafe ioctl on 64-bit
         [not upstream; driver has been removed]
      iio: adc: fix building on 64-bit
         [e49d99e0ecc88191c2e51a6535b1d0df635f1f3b]
      infiniband: mlx5: avoid a compile-time warning
         [7835bfb5261501590a508b3de3379e2231cb4853]
      iwlegacy: avoid warning about missing braces
         [2cce76c3fab410520610a7d2f52faebc3cfcf843]
      mISDN: avoid arch specific __builtin_return_address call
         [3e7a8716e20b759eec0ad88145255bb33174f0c8]
      mlx5: avoid build warnings on 32-bit
         [065bd8c28ba37d04c9a5b732173c1508954b1f58]
      mtd: cfi: reduce stack size
         [d09957fbb4d0b059b3176b510540df69048ad170]
      mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
         [906b268477bc03daaa04f739844c120fe4dbc991]
      net/xen-netback: disable on 64KB page  granularity
         [d0089e8a0e4c9723d85b01713671358e3d6960df]
      net: am2150: fix nmclan_cs.c shared interrupt handling
         [96a30175f927facfb421655ef08b7a0fe546fbed]
      net: caif: fix misleading indentation
         [8e0cc8c326d99e41468c96fea9785ab78883a281]
      net: tulip: turn compile-time warning into dev_warn()
         [de92718883ddbcd11b738d36ffcf57617b97fa12]
      net: vxge: avoid unused function warnings
         [57e7c8cef224af166b8ec932b5e383641418c005]
      qlge: avoid memcpy buffer overflow
         [e58f95831e7468d25eb6e41f234842ecfe6f014f]
      scsi-tgt: fix type conversion warning
         [not upstream; driver has been removed]
      scsi: advansys: remove #warning message
         [6571fb3f8b7f7e9595174e01b7e7f1b1ba0427d4]
      staging: bcm: add 32-bit host dependency
         [not upstream; driver has been removed]
      staging: imx-drm: fix indentation warning
         [d083c312cba2735566af9598cb281ea2ae6b729a]
      staging: r8192ee: prorperly format  warning message
         [not upstream; driver has been removed]
      staging: vt6655: fix overly large stack  usage
         [67013f2c0e5811a4fd60c51e3233e1f027d1c1e0]
      staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
         [105967ad68d2eb1a041bc041f9cf96af2a653b65]
      tty/isicom: fix big-endian compile warning
         [f3e2d56dce47dbd0bb3f69f84741b439542fef37]
      tty: nozomi: avoid a harmless gcc warning
         [a4f642a8a3c2838ad09fe8313d45db46600e1478]
      video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT
         [9c8ee3c7341393811d5be5eb61b815e76f92c799]

Atsushi Nemoto (2):
      MIPS: TXx9: Delete an unused variable in tx4927_pcibios_setup
         [1bc2d3e38e5bf90af4e9d64e1696f2d39757355a]
      mtd: maps: rbtx4939-flash: delete an unused variable in rbtx4939_flash_remove
         [e4c4c9c15ebe8ec03b7f5bf36e079052cc88217c]

Banajit Goswami (1):
      ASoC: do not close shared backend dailink
         [b1cd2e34c69a2f3988786af451b6e17967c293a0]

Bart Van Assche (2):
      IB/cma: Fix a race condition in iboe_addr_get_sgid()
         [fba332b079029c2f4f7e84c1c1cd8e3867310c90]
      dm: fix printk() rate limiting code
         [604407890ecf624c2fb41013c82b22aade59b455]

Ben Hutchings (3):
      ALSA: seq: Enable 'use' locking in all configurations
         [8009d506a1dd00cf436b0c4cca0dcec130580a21]
      alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
         [cec80d82142ab25c71eee24b529cfeaf17c43062]
      dst: Increase alignment of metrics to allow extra flag on pointers
         [not upstream; only needed in older branches]

Bjorn Andersson (1):
      spmi: Include OF based modalias in device uevent
         [d50daa2af2618dab6d21634e65a5fbcf4ae437d6]

Bodo Stroesser (1):
      scsi: st: fix blk_get_queue usage
         [180efde0a3f43dbe533e4be203c2918793482d4e]

Charles Milette (1):
      staging: rtl8188eu: add RNX-N150NUB support
         [f299aec6ebd747298e35934cff7709c6b119ca52]

Chen Yu (1):
      PM/hibernate: touch NMI watchdog when creating snapshot
         [556b969a1cfe2686aae149137fa1dfcac0eefe54]

Chris Gorman (1):
      i2c: mux: pinctrl: mention correct module name in Kconfig help text
         [d1510a2e5ab6cb3a67f1c55ca5e7a6d2c6dec340]

Chris Wilson (1):
      drm: Release driver tracking before making the object available again
         [fe4600a548f2763dec91b3b27a1245c370ceee2a]

Chuck Lever (1):
      nfsd: Limit end of page list when decoding NFSv4 WRITE
         [fc788f64f1f3eb31e87d4f53bcf1ab76590d5838]

Chunyu Hu (1):
      tracing: Fix kmemleak in instance_rmdir
         [db9108e054700c96322b0f0028546aa4e643cf0b]

Colin Ian King (3):
      Staging: iio: adc: fix indent on break statement
         [b6acb0cfc21293a1bfc283e9217f58f7474ef728]
      netxen: fix incorrect loop counter decrement
         [a120d9ab65354727559b9db75ded8071b7ef19e2]
      usb: storage: return on error to avoid a null pointer dereference
         [446230f52a5bef593554510302465eabab45a372]

Cong Wang (1):
      wl1251: add a missing spin_lock_init()
         [f581a0dd744fe32b0a8805e279c59ec1ac676d60]

Dan Carpenter (11):
      IB/cxgb3: Fix error codes in iwch_alloc_mr()
         [9064d6055c14f700aa13f7c72fd3e63d12bee643]
      RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd()
         [dd75cfa6d3216c79c695f5af13e52208afe374ad]
      RDMA/ocrdma: Fix error codes in ocrdma_create_srq()
         [f0c6e88288d65c93bbc7da4fb6f7d51b2733228a]
      Staging: lustre: missing curly braces in ll_setattr_raw()
         [53bd4a004ee5ff0f71a858de78faac98924b4a87]
      cxgb4: Fix error codes in c4iw_create_cq()
         [6ebedacbb44602d4dec3348dee5ec31dd9b09521]
      drm/i915: cleanup some indenting
         [ba0635ffb7665d76715b43ae8144e014a90c1e63]
      drm/msm: fix an integer overflow test
         [65e93108891e571f177c202add9288eda9ac4100]
      libata: array underflow in ata_find_dev()
         [59a5e266c3f5c1567508888dd61a45b86daed0fa]
      libceph: potential NULL dereference in ceph_msg_data_create()
         [7c40b22f6f84c98a1d36e6d0a4346e58f05e45d8]
      paride: fix the "verbose" module param
         [946e87981942552e526aca9cb6204f02a6c847cb]
      x86/ldt: Fix off by one in get_segment_base()
         [eaa2f87c6b840b83827c40db6eb8481689570259]

Dave Martin (1):
      arm64: fpsimd: Prevent registers leaking across exec
         [096622104e14d8a1db4860bd557717067a0515d2]

David Howells (2):
      KEYS: don't let add_key() update an uninstantiated key
         [60ff5b2f547af3828aebafd54daded44cfb0807a]
      assoc_array: Fix a buggy node-splitting case
         [ea6789980fdaa610d7eb63602c746bf6ec70cd2b]

David Malcolm (1):
      drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer
         [e1395a321eab1a7833d82e952eb8255e0a1f03cb]

David Miller (1):
      netfilter: Fix switch statement warnings with recent gcc.
         [c1f866767777d1c6abae0ec57effffcb72017c00]

David S. Miller (1):
      netfilter; Add some missing default cases to switch statements in nft_reject.
         [129d23a56623eea0947a05288158d76dc7f2f0ac]

Doug Berger (2):
      net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit()
         [876dbadd53a7102e2a84afc84ea2bd3ee6dc5636]
      net: bcmgenet: Free skb after last Tx frag
         [f48bed16a756f5bc0244acd581f61968f7d7c2a4]

Dragos Bogdan (1):
      iio: imu: adis16480: Fix acceleration scale factor for adis16480
         [fdd0d32eb95f135041236a6885d9006315aa9a1d]

Emmanuel Grumbach (1):
      iwlwifi: dvm: prevent an out of bounds access
         [0b0f934e92a8eaed2e6c48a50eae6f84661f74f3]

Eric Biggers (1):
      KEYS: prevent KEYCTL_READ on negative key
         [37863c43b2c6464f252862bf2e9768264e961678]

Eric Dumazet (6):
      af_key: do not use GFP_KERNEL in atomic contexts
         [36f41f8fc6d8aa9f8c9072d66ff7cf9055f5e69b]
      ipv4: add reference counting to metrics
         [3fb07daff8e99243366a081e5129560734de4ada]
      ipv4: fix NULL dereference in free_fib_info_rcu()
         [187e5b3ac84d3421d2de3aca949b2791fbcad554]
      net: reduce skb_warn_bad_offload() noise
         [b2504a5dbef3305ef41988ad270b0e8ec289331c]
      net: skb_needs_check() accepts CHECKSUM_NONE for tx
         [6e7bc478c9a006c701c14476ec9d389a484b4864]
      net_sched: fix error recovery at qdisc creation
         [87b60cfacf9f17cf71933c6e33b66e68160af71d]

Feras Daoud (1):
      IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization
         [d2e46fccc3e3d73a741efe433f00960331280696]

Florian Fainelli (12):
      b44: Initialize 64-bit stats seqcount
         [e43c9f23efadade684773a855675c99da278c862]
      i40e: Initialize 64-bit statistics TX ring seqcount
         [7d6d067790289e4f61f59fa60550ca5918aa25bd]
      irqchip: brcmstb-l2: Define an irq_pm_shutdown function
         [c017d21147848fe017772764a77a7f32c5b017f9]
      ixgbe: Initialize 64-bit stats seqcounts
         [7c3a4626eb65e78ebe208f48ffa21a5002f7f38e]
      net: bcmgenet: Be drop monitor friendly
         [d4fec855905fa8bd5fb1c59f73ad2d74a944876a]
      net: bcmgenet: check harder for out of memory conditions
         [b629be5c8399d7c423b92135eb43a86c924d1cbc]
      net: bcmgenet: fix off-by-one in incrementing read pointer
         [cf377d886f7944a5ccdbd164b89949e13617b096]
      net: bcmgenet: update ring producer index and buffer count in xmit
         [ae67bf0188cbb9d1786bdfcca9e1976cb36ee327]
      net: systemport: Be drop monitor friendly
         [c45182eb967af11e9482168be5be41aa22e5d321]
      net: systemport: Free DMA coherent descriptors on errors
         [c2062ee3d9615828109ffe8089fbf69bed394d05]
      r8169: Be drop monitor friendly
         [7a4b813cb739ce598ffbad2e84d19d13fa23e25d]
      r8169: Do not increment tx_dropped in TX ring cleaning
         [1089650d8837095f63e001bbf14d7b48043d67ad]

FrançOis Romieu (1):
      net: remove open-coded skb_cow_head.
         [a40e0a664bce465a3b8ad1d792153cef8ded9f7d]

Geert Uytterhoeven (2):
      Input: gscps2 - fix MODULE_DEVICE_TABLE invocation
         [6c8afa88adce613c23f27e719f805cc2a6441b07]
      spi: rspi: Remove unused variable in rspi_rz_transfer_one()
         [95029a00886f0c8d79e700cb8983b881c75af0f1]

Gerald Schaefer (1):
      mm/hugetlb: improve locking in dissolve_free_huge_pages()
         [eb03aa008561004257900983193d024e57abdd96]

Greg Kroah-Hartman (1):
      USB: fix out-of-bounds in usb_set_configuration
         [bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb]

Guillaume Nault (8):
      l2tp: define parameters of l2tp_session_get*() as "const"
         [9aaef50c44f132e040dcd7686c8e78a3390037c5]
      l2tp: hold tunnel used while creating sessions with netlink
         [e702c1204eb57788ef189c839c8c779368267d70]
      l2tp: hold tunnel while handling genl TUNNEL_GET commands
         [4e4b21da3acc68a7ea55f850cacc13706b7480e9]
      l2tp: hold tunnel while handling genl tunnel updates
         [8c0e421525c9eb50d68e8f633f703ca31680b746]
      l2tp: hold tunnel while looking up sessions in l2tp_netlink
         [54652eb12c1b72e9602d09cb2821d5760939190f]
      l2tp: hold tunnel while processing genl delete command
         [bb0a32ce4389e17e47e198d2cddaf141561581ad]
      l2tp: initialise session's refcount before making it reachable
         [9ee369a405c57613d7c83a3967780c3e30c52ecc]
      l2tp: remove useless duplicate session detection in l2tp_netlink
         [af87ae465abdc070de0dc35d6c6a9e7a8cd82987]

Hannes Reinecke (1):
      aic94xx: Skip reading user settings if flash is not found
         [36dd5acd196574d41de3e81d8264df475bbb7123]

Hector Martin (1):
      USB: serial: option: add D-Link DWM-222 device ID
         [fd1b8668af59a11bb754a6c9b0051c6c5ce73b74]

Icenowy Zheng (1):
      pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
         [d81ece747d8727bb8b1cfc9a20dbe62f09a4e35a]

Inbar Karmy (1):
      net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support
         [c994f778bb1cca8ebe7a4e528cefec233e93b5cc]

Ingo Molnar (1):
      x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h
         [927392d73a97d8d235bb65400e2e3c7f0bec2b6f]

Iván Briano (1):
      net/packet: Fix Tx queue selection for AF_PACKET
         [ccd4eb49f3392ebf989d58bd013a7bf44cdca4d6]

Jaejoong Kim (1):
      HID: usbhid: fix out-of-bounds bug
         [f043bfc98c193c284e2cd768fefabe18ac2fed9b]

James Bottomley (1):
      ips: remove pointless #warning
         [e03c2da6574223081b786960e39c1e5ecf5d492d]

Jan Kara (3):
      audit: Fix use after free in audit_remove_watch_rule()
         [d76036ab47eafa6ce52b69482e91ca3ba337d6d6]
      ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
         [fcf5ea10992fbac3c7473a1db33d56a139333cd1]
      ocfs2: don't clear SGID when inheriting ACLs
         [19ec8e48582670c021e998b9deb88e39a842ff45]

Jeff Kirsher (2):
      am2150: Update nmclan_cs.c to use update PCMCIA API
         [5f5316fcd08ef74b282adf6774956431fac62663]
      e1000e: fix call to do_div() to use u64 arg
         [30544af5483755b11bb5924736e9e0b45ef0644a]

Jerry Lee (1):
      ext4: fix overflow caused by missing cast in ext4_resize_fs()
         [aec51758ce10a9c847a62a48a168f8c804c6e053]

Jiahau Chang (1):
      xhci: Bad Ethernet performance plugged in ASM1042A host
         [9da5a1092b13468839b1a864b126cacfb72ad016]

Jin Yao (1):
      perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
         [80f62589fa52f530cffc50e78c0b5a2ae572d61e]

Jiri Olsa (1):
      perf/core: Fix locking for children siblings group read
         [2aeb1883547626d82c597cce2c99f0b9c62e2425]

Joe Perches (2):
      dm: convert DM printk macros to pr_<level> macros
         [d2c3c8dcb5987b8352e82089c79a41b6e17e28d2]
      i40e: Reduce stack in i40e_dbg_dump_desc
         [e6c97234d1b18d4751671df15d52e29daa8a7ba8]

Joerg Roedel (1):
      iommu/amd: Fix schedule-while-atomic BUG in initialization code
         [74ddda71f44c84af62f736a77fb9fcebe5bb436a]

Johan Hovold (1):
      USB: cdc-acm: add device-id for quirky printer
         [fe855789d605590e57f9cd968d85ecce46f5c3fd]

Johannes Berg (1):
      mac80211: accept key reinstall without changing anything
         [fdf7cb4185b60c68e1a75e61691c4afdc15dea0e]

Juergen Gross (1):
      x86/xen: fix upper bound of pmd loop in xen_cleanhighmap()
         [1cf38741308c64d08553602b3374fb39224eeb5a]

Julian Wiedmann (1):
      s390/qeth: fix L3 next-hop in xmit qeth hdr
         [ec2c6726322f0d270bab477e4904bf9496f70ee5]

Kai-Heng Feng (1):
      usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
         [7496cfe5431f21da5d27a8388c326397e3f0a5db]

Kasin Li (1):
      drm/msm: Fix potential buffer overflow issue
         [4a630fadbb29d9efaedb525f1a8f7449ad107641]

Kevin Cernekee (1):
      MIPS: BMIPS: Fix ".previous without corresponding .section" warnings
         [4ec8f9e9b08451303253249e4e302f10ee23d565]

Konrad Zapalowicz (1):
      staging: dgnc: Fix frame size is larger than 1024B
         [ea6e9dea2e72a7abd146a2c5bab726b27f34b36c]

Konstantin Khlebnikov (2):
      net_sched/sfq: update hierarchical backlog when drop packet
         [325d5dc3f7e7c2840b65e4a2988c082c2c0025c5]
      net_sched: fix order of queue length updates in qdisc_replace()
         [68a66d149a8c78ec6720f268597302883e48e9fa]

Lars Ellenberg (1):
      drbd: avoid redefinition of BITS_PER_PAGE
         [2630628b2dbc3fc320aafaf84836119e4e3d62f1]

Laurent Vivier (1):
      powerpc/pseries: Fix of_node_put() underflow during reconfig remove
         [4fd1bd443e80b12f0a01a45fb9a793206b41cb72]

Lee Jones (1):
      mfd: arizona: Rid data size incompatibility warn when building for 64bit
         [942786e6e647cef94cf96dcd836d343be55fc452]

Leon Romanovsky (2):
      IB/ipoib: Remove double pointer assigning
         [1b355094b308f3377c8f574ce86135ee159c6285]
      RDMA/uverbs: Prevent leak of reserved field
         [f7a6cb7b38c6845b26aaa8bbdf519ff6e3090831]

Linus Lüssing (1):
      batman-adv: fix TT sync flag inconsistencies
         [54e22f265e872ae140755b3318521d400a094605]

Linus Torvalds (1):
      Clarify (and fix) MAX_LFS_FILESIZE macros
         [0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad]

Linus Walleij (1):
      gpio: drop retval check enforcing from gpiochip_remove()
         [14c8a620ba436511b1347c592633befa49535176]

Luis de Bethencourt (2):
      mvsas: fix misleading indentation
         [7789cd39274c51bf475411fe22a8ee7255082809]
      staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation
         [8c182ae20791d638c07ff499709c4a1d4697bd7c]

Maciej W. Rozycki (1):
      MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
         [68fe55680d0f3342969f49412fceabb90bdfadba]

Mahesh Bandewar (1):
      ipv4: initialize fib_trie prior to register_netdev_notifier call.
         [8799a221f5944a7d74516ecf46d58c28ec1d1f75]

Manuel Schölling (1):
      xilinx: Fix compiler warning
         [9f8b93cb32e088d3377c86fabb666b884bac0f12]

Mark Brown (7):
      ASoC: adau1977: Fix truncation warning on 64 bit architectures
         [d8df26bb57d2a86365de46a5421b97417401e39a]
      ASoC: imx-audmux: Use uintptr_t for port numbers
         [e5f89768e9bc1f441d18e2299518a2907e5017c9]
      Input: joystick - use get_cycles on ARMv8
         [a6b48699ae50ccce700506ced863ba1f5ce2af11]
      dma: pl08x: Use correct specifier for size_t values
         [6fc8ae787c589245ee3395630d2c428a1afab26c]
      power/reset: xgene-reset: Fix prototype of xgene_restart()
         [d3ed534cca703b2aaeee9277a5b8063ae6eab1d1]
      spi/atmel: Fix pointer to int conversion warnings on 64 bit builds
         [67f08d690aa90e47a0e793fc63e2ecbe95d29839]
      spi/pl022: Explicitly truncate large bitmask
         [d555ea05f9d8ebf567eaa6b4e4cb5776aacf2940]

Mark Rutland (2):
      arm64: mm: abort uaccess retries upon fatal signal
         [289d07a2dc6c6b6f3e4b8a62669320d99dbe6c3d]
      perf/core: Fix group {cpu,task} validation
         [64aee2a965cf2954a038b5522f11d2cd2f0f8f3e]

Martin KaFai Lau (1):
      ipv6: Add rt6_get_cookie() function
         [b197df4f0f3782782e9ea8996e91b65ae33e8dd9]

Masami Hiramatsu (1):
      kprobes/x86: Release insn_slot in failure path
         [38115f2f8cec8087d558c062e779c443a01f87d6]

Mateusz Jurczyk (1):
      fuse: initialize the flock flag in fuse_file on allocation
         [68227c03cba84a24faf8a7277d2b1a03c8959c2c]

Mathias Krause (2):
      xfrm_user: fix info leak in build_aevent()
         [931e79d7a7ddee4709c56b39de169a36804589a1]
      xfrm_user: fix info leak in xfrm_notify_sa()
         [50329c8a340c9dea60d837645fcf13fc36bfb84d]

Mathias Nyman (2):
      xhci: Fix NULL pointer dereference when cleaning up streams for removed host
         [4b895868bb2da60a386a17cde3bf9ecbc70c79f4]
      xhci: fix 20000ms port resume timeout
         [a54408d0a004757789863d74e29c2297edae0b4d]

Max Filippov (3):
      xtensa: don't limit csum_partial export by CONFIG_NET
         [7f81e55c737a8fa82c71f290945d729a4902f8d2]
      xtensa: fix cache aliasing handling code for WT cache
         [6d0f581d1768d3eaba15776e7dd1fdfec10cfe36]
      xtensa: mm/cache: add missing EXPORT_SYMBOLs
         [bc652eb6a0d5cffaea7dc8e8ad488aab2a1bf1ed]

Megha.Dey@Linux.Intel.Com (1):
      crypto: x86/sha1 - Fix reads beyond the number of blocks passed
         [8861249c740fc4af9ddc5aee321eafefb960d7c6]

Michael Ellerman (1):
      powerpc/boot: Fix 64-bit boot wrapper build with non-biarch compiler
         [65c5ec11c25eff6ba6e9b1cbfff014875fddd1e0]

Michael Gugino (1):
      staging: rtl8188eu: add TL-WN722N v2 support
         [5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70]

Michal Kalderon (1):
      IB/cma: Fix reference count leak when no ipv4 addresses are set
         [963916fdb3e5ad4af57ac959b5a03bf23f7568ca]

Michał Mirosław (1):
      gpio: tegra: fix unbalanced chained_irq_enter/exit
         [9e9509e38fbe034782339eb09c915f0b5765ff69]

Moshe Shemesh (1):
      net/mlx5: Fix command bad flow on command entry allocation failure
         [219c81f7d1d5a89656cb3b53d3b4e11e93608d80]

Mustafa Ismail (2):
      RDMA/core: Initialize port_num in qp_attr
         [a62ab66b13a0f9bcb17b7b761f6670941ed5cd62]
      RDMA/uverbs: Fix the check for port number
         [5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3]

Nadav Amit (1):
      mm: migrate: prevent racy access to tlb_flush_pending
         [16af97dc5a8975371a83d9e30a64038b48f40a2d]

Naftali Goldstein (1):
      iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw
         [8addabf8e6e299f790038fdc92ddceaaf76adab8]

Nicholas Bellinger (1):
      iscsi-target: Fix iscsi_np reset hung task during parallel delete
         [978d13d60c34818a41fc35962602bdfa5c03f214]

Nicolin Chen (1):
      ASoC: fsl_sai: Set SYNC bit of TCR2 to Asynchronous Mode
         [855675f6e6a65688a7f4cf45b9b5a98cf6c6f5c3]

Nikolay Aleksandrov (9):
      net: bridge: fix dest lookup when vlan proto doesn't match
         [31a4562d7408493c6377933ff2f7d7302dbdea80]
      sch_cbq: fix null pointer dereferences on init failure
         [3501d059921246ff617b43e86250a719c140bd97]
      sch_fq_codel: avoid double free on init failure
         [30c31d746d0eb458ae327f522bc8e4c44cbea0f0]
      sch_hfsc: fix null pointer deref and double free on init failure
         [3bdac362a2f89ed3e148fa6f38c5f5d858f50b1a]
      sch_hhf: fix null pointer dereference on init failure
         [32db864d33c21fd70a217ba53cb7224889354ffb]
      sch_htb: fix crash on init failure
         [88c2ace69dbef696edba77712882af03879abc9c]
      sch_multiq: fix double free on init failure
         [e89d469e3be3ed3d7124a803211a463ff83d0964]
      sch_netem: avoid null pointer deref on init failure
         [634576a1844dba15bc5e6fc61d72f37e13a21615]
      sch_tbf: fix two null pointer dereferences on init failure
         [c2d6511e6a4f1f3673d711569c00c3849549e9b0]

Nikolay Borisov (1):
      ARM: kexec: Make .text R/W in machine_kexec
         [42d720d1731a9d7035c2812437c35e271ec4dd78]

Ofer Heifetz (1):
      md/raid5: add thread_group worker async_tx_issue_pending_all
         [7e96d559634b73a8158ee99a7abece2eacec2668]

Oleg Nesterov (1):
      epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
         [138e4ad67afd5c6c318b056b4d17c17f2c0ca5c0]

Oliver O'Halloran (1):
      mm/init: fix zone boundary creation
         [90cae1fe1c3540f791d5b8e025985fa5e699b2bb]

Omar Sandoval (1):
      xfs: fix inobt inode allocation search optimization
         [c44245b3d5435f533ca8346ece65918f84c057f9]

Paul Burton (1):
      net: ti: cpmac: Fix compiler warning due to type confusion
         [2f5281ba2a8feaf6f0aee93356f350855bb530fc]

Paul Gortmaker (2):
      modpost: don't emit section mismatch warnings for compiler optimizations
         [4a3893d069b788f3570c19c12d9e986e8e15870f]
      modpost: expand pattern matching to support substring matches
         [09c20c032b0f753969ae778d9783d946f054d7fe]

Paul Mackerras (1):
      KVM: PPC: Book3S HV: Enable TM before accessing TM registers
         [e47057151422a67ce08747176fa21cb3b526a2c9]

Pavel Shilovsky (1):
      CIFS: Fix maximum SMB2 header size
         [9e37b1784f2be9397a903307574ee565bbadfd75]

Peter Zijlstra (2):
      perf/core: Invert perf_read_group() loops
         [fa8c269353d560b7c28119ad7617029f92e40b15]
      perf: Avoid horrible stack usage
         [86038c5ea81b519a8a1fcfcd5e4599aab0cdd119]

Petri Gynther (4):
      net: bcmgenet: cleanup for bcmgenet_xmit_frag()
         [824ba603573d910e32df75fe6a5e7d7ec2a0a6a7]
      net: bcmgenet: fix dev->stats.tx_bytes accounting
         [55868120a3e5420bf5aa26a816c07d691579c9e6]
      net: bcmgenet: rewrite bcmgenet_rx_refill()
         [d6707bec598649450ee0887bf11896e525777874]
      net: bcmgenet: simplify __bcmgenet_tx_reclaim()
         [66d06757d9eb74a29775737b8c770e3b57e536d9]

Prabhakar Lad (1):
      media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
         [da05d52d2f0f6bd61094a0cd045fed94bf7d673a]

Rafael J. Wysocki (1):
      USB: hcd: Mark secondary HCD as dead if the primary one died
         [cd5a6a4fdaba150089af2afc220eae0fef74878a]

Ralf Baechle (3):
      MIPS: DEC: Avoid la pseudo-instruction in delay slots
         [3021773c7c3e75e20b693931a19362681e744ea9]
      MIPS: elf2ecoff: Fix warning due to dead code.
         [2d76e9633b572ae5a64150b638eed77f4afc12db]
      MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers.
         [26f7c4bd05cf34e63a4a794150ab66a40a5a84a9]

Ronnie Sahlberg (2):
      cifs: check MaxPathNameComponentLength != 0 before using it
         [f74bc7c6679200a4a83156bb89cbf6c229fe8ec0]
      cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
         [d3edede29f74d335f81d95a4588f5f136a9f7dcf]

Russell King (1):
      ARM: kexec: fix failure to boot crash kernel
         [0d70262a2d60886da6fe5b1fc8bbcd76cbbc306d]

Rusty Russell (1):
      cpumask_set_cpu_local_first => cpumask_local_spread, lament
         [f36963c9d3f6f415732710da3acdd8608a9fa0e]

Ryusuke Konishi (1):
      nilfs2: fix gcc uninitialized-variable warnings in powerpc build
         [4f05028f8d1af782cfd03d09e0a052e9745dc5ad]

Sabrina Dubroca (1):
      netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry
         [3840538ad384fb7891adeeaf36624f870c51fc0e]

Sachin Prabhu (1):
      cifs: Fix df output for users with quota limits
         [42bec214d8bd432be6d32a1acb0a9079ecd4d142]

Sandeep Singh (1):
      usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
         [e788787ef4f9c24aafefc480a8da5f92b914e5e6]

Sean Young (1):
      media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
         [9f5039ba440e499d85c29b1ddbc3cbc9dc90e44b]

Sergei A. Trusov (1):
      ALSA: hda - Fix speaker output from VAIO VPCL14M1R
         [3f3c371421e601fa93b6cb7fb52da9ad59ec90b4]

Sergey Ryazanov (1):
      MIPS: MSP71xx: remove odd locking in PCI config space access code
         [c4a305374bbf36414515d2ae00d588c67051e67d]

Seunghun Han (1):
      x86/acpi: Prevent out of bound access caused by broken ACPI tables
         [dad5ab0db8deac535d03e3fe3d8f2892173fa6a4]

Shu Wang (1):
      xhci: fix memleak in xhci_run()
         [d6f5f071f1e13cadecf8aef1faa7e5d6fbc9f33b]

Sinclair Yeh (1):
      drm/vmwgfx: Fix gcc-7.1.1 warning
         [fcfffdd8f98ac305285dca568b5065ef86be6458]

Stefan Triller (1):
      USB: serial: cp210x: add support for Qivicon USB ZigBee dongle
         [9585e340db9f6cc1c0928d82c3a23cc4460f0a3f]

Stefan-Gabriel Mirea (1):
      iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits
         [d466d3c1217406b14b834335b5b4b33c0d45bd09]

Stefano Brivio (1):
      ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
         [3de33e1ba0506723ab25734e098cf280ecc34756]

Steffen Klassert (1):
      ipv6: Fix may be used uninitialized warning in rt6_check
         [3614364527daa870264f6dde77f02853cdecd02c]

Stephen Boyd (1):
      of: device: Export of_device_{get_modalias, uvent_modalias} to modules
         [7a3b7cd332db08546f3cdd984f11773e0d1999e7]

Stephen Douthit (2):
      i2c: ismt: Don't duplicate the receive length for block reads
         [b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994]
      i2c: ismt: Return EMSGSIZE for block reads with bogus length
         [ba201c4f5ebe13d7819081756378777d8153f23e]

Stephen Hemminger (1):
      netvsc: fix deadlock betwen link status and removal
         [9b4e946ce14e20d7addbfb7d9139e604f9fda107]

Steve Dickson (1):
      mount: copy the port field into the cloned nfs_server structure.
         [89a6814d9b665b196aa3a102f96b6dc7e8cb669e]

Steve French (1):
      CIFS: remove endian related sparse warning
         [6e3c1529c39e92ed64ca41d53abadabbaa1d5393]

Steven Rostedt (1):
      tracing: Fix freeing of filter in create_filter() when set_str is false
         [8b0db1a5bdfcee0dbfa89607672598ae203c9045]

Takashi Iwai (6):
      ALSA: core: Fix unexpected error at replacing user TLV
         [88c54cdf61f508ebcf8da2d819f5dfc03e954d1d]
      ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
         [bbba6f9d3da357bbabc6fda81e99ff5584500e76]
      ALSA: seq: Fix use-after-free at creating a port
         [71105998845fb012937332fe2e806d443c09e026]
      ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
         [0f174b3525a43bd51f9397394763925e0ebe7bc7]
      ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
         [bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991]
      ALSA: usb-audio: Kill stray URB at exiting
         [124751d5e63c823092060074bd0abaae61aaa9c4]

Tejun Heo (3):
      cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
         [b339752d054fb32863418452dff350a1086885b1]
      workqueue: implicit ordered attribute should be overridable
         [0a94efb5acbb6980d7c9ab604372d93cd507e4d8]
      workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
         [5c0338c68706be53b3dc472e4308961c36e4ece1]

Thomas Bogendoerfer (1):
      parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
         [4098116039911e8870d84c975e2ec22dab65a909]

Tim Gardner (1):
      be2iscsi: Fix bogus WARN_ON length check
         [dd29dae00d39186890a5eaa2fe4ad8768bfd41a9]

Timur Tabi (1):
      ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk()
         [acf2c60a60b3d6d7080854b9483f37d99ded9b23]

Tony Lindgren (1):
      ARM: OMAP: Fix Kconfig warning for omap1
         [52aaac5ae52ad9a7016410ffeedbaf24b722f3a2]

Uwe Kleine-König (3):
      ARM: 8160/1: drop warning about return_address not using unwind tables
         [e16343c47e4276f5ebc77ca16feb5e50ca1918f9]
      clk/efm32gg: fix dt init prototype
         [8ce8ebeb572d70e672a8d158e93ffaac80ea7576]
      mtd: nandsim: remove debugfs entries in error path
         [b974696da1cfc5aa0c29ed97dc8f6c239899e64b]

Varka Bhadram (1):
      ethernet: amd: fix pci device ids
         [ba69a3d78e4f51e65933a86b8b107c86709bb2f5]

Vitaly Mayatskikh (1):
      fix unbalanced page refcounting in bio_map_user_iov
         [95d78c28b5a85bacbc29b8dba7c04babb9b0d467]

Wanpeng Li (1):
      KVM: async_pf: make rcu irq exit if not triggered from idle task
         [337c017ccdf2653d0040099433fc1a2b1beb5926]

Wei Wang (3):
      ipv6: add rcu grace period before freeing fib6_node
         [c5cff8561d2d0006e972bd114afd51f082fee77c]
      ipv6: fix sparse warning on rt6i_node
         [4e587ea71bf924f7dac621f1351653bd41e446cb]
      ipv6: reset fn->rr_ptr when replacing route
         [383143f31d7d3525a1dbff733d52fff917f82f15]

Willem de Bruijn (3):
      net: avoid skb_warn_bad_offload false positives on UFO
         [8d63bee643f1fb53e472f0e135cae4eb99d62d19]
      packet: hold bind lock when rebinding to fanout hook
         [008ba2a13f2d04c947adc536d19debb8fe66f110]
      packet: in packet_do_bind, test fanout with bind_lock held
         [4971613c1639d8e5f102c4e797c3bf8f83a5a69e]

Xiao Ni (1):
      Raid5 should update rdev->sectors after reshape
         [b5d27718f38843a74552e9a93d32e2391fd3999f]

Xin Long (2):
      ipv6: set rt6i_protocol properly in the route when it is installed
         [b91d532928dff2141ea9c107c3e73104d9843767]
      sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
         [6b84202c946cd3da3a8daa92c682510e9ed80321]

Yishai Hadas (1):
      IB/uverbs: Fix device cleanup
         [efdd6f53b10aead0f5cf19a93dd3eb268ac0d991]

Yoshihiro Shimoda (4):
      usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
         [59a0879a0e17b2e43ecdc5e3299da85b8410d7ce]
      usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()
         [c9eb29503e9655e70448bbbf3697d08a56d24854]
      usb: renesas_usbhs: gadget: disable all eps when the driver stops
         [b8b9c974afee685789fcbb191b52d1790be3608c]
      usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting
         [dfb87b8bfe09f933abaf387693992089f6f9053e]

Zhong Jiang (1):
      mm/mempolicy: fix use after free when calling get_mempolicy
         [73223e4e2e3867ebf033a5a8eb2e5df0158ccc99]

Zubair Lutfullah Kakakhel (1):
      MIPS: Fix a warning for virt_to_page
         [4d5b3bdc0ecb0cf5b1e1598eeaaac4b5cb33868d]

 Documentation/video4linux/v4l2-pci-skeleton.c      |   2 +-
 Makefile                                           |   5 +-
 arch/alpha/include/asm/types.h                     |   1 -
 arch/alpha/include/uapi/asm/types.h                |  12 +-
 arch/arm/include/asm/kexec.h                       |   5 +
 arch/arm/kernel/iwmmxt.S                           |  13 +
 arch/arm/kernel/machine_kexec.c                    |  11 +-
 arch/arm/kernel/pj4-cp0.c                          |   4 +
 arch/arm/kernel/return_address.c                   |   4 -
 arch/arm/mach-cns3xxx/Makefile                     |   1 +
 arch/arm/mach-omap2/Kconfig                        |   3 -
 arch/arm/mach-pxa/Kconfig                          |   1 +
 arch/arm/mm/cache-l2x0.c                           | 111 ++---
 arch/arm/plat-omap/Kconfig                         |   3 +
 arch/arm64/kernel/fpsimd.c                         |   2 +
 arch/arm64/mm/fault.c                              |   5 +-
 arch/mips/boot/elf2ecoff.c                         |  10 +-
 arch/mips/dec/int-handler.S                        |  18 +-
 arch/mips/include/asm/page.h                       |   3 +-
 arch/mips/jz4740/board-qi_lb60.c                   |   1 +
 arch/mips/jz4740/gpio.c                            |   1 +
 arch/mips/jz4740/irq.h                             |   2 +
 arch/mips/kernel/bmips_vec.S                       |   3 -
 arch/mips/pci/ops-pmcmsp.c                         |  12 -
 arch/mips/pci/ops-tx4927.c                         |   2 -
 arch/mips/sgi-ip22/Platform                        |   2 +-
 arch/powerpc/boot/Makefile                         |  16 +-
 arch/powerpc/kvm/book3s_hv.c                       |   2 +
 arch/powerpc/mm/subpage-prot.c                     |   2 +-
 arch/powerpc/platforms/pseries/reconfig.c          |   1 -
 arch/x86/boot/compressed/misc.h                    |  11 +-
 arch/x86/crypto/sha1_avx2_x86_64_asm.S             |  67 +--
 arch/x86/crypto/sha1_ssse3_glue.c                  |   2 +-
 arch/x86/kernel/acpi/boot.c                        |   8 +
 arch/x86/kernel/cpu/perf_event.c                   |   7 +-
 arch/x86/kernel/entry_64.S                         |   2 +
 arch/x86/kernel/kprobes/core.c                     |  10 +-
 arch/x86/kernel/kvm.c                              |   6 +-
 arch/x86/xen/mmu.c                                 |   2 +-
 arch/xtensa/kernel/xtensa_ksyms.c                  |   2 -
 arch/xtensa/mm/cache.c                             |  12 +-
 block/bio.c                                        |   8 +
 drivers/ata/libata-scsi.c                          |   6 +-
 drivers/ata/pata_hpt366.c                          |   4 +-
 drivers/block/drbd/drbd_bitmap.c                   |   6 +
 drivers/block/paride/pg.c                          |   4 +-
 drivers/clk/clk-efm32gg.c                          |   6 +-
 drivers/dma/amba-pl08x.c                           |   4 +-
 drivers/gpio/gpio-tegra.c                          |   6 +-
 drivers/gpu/drm/drm_gem.c                          |   6 +-
 drivers/gpu/drm/i915/i915_debugfs.c                |   5 +-
 drivers/gpu/drm/msm/msm_gem_submit.c               |   7 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c            |   2 +-
 drivers/hid/usbhid/hid-core.c                      |  12 +-
 drivers/i2c/busses/i2c-ismt.c                      |   6 +-
 drivers/i2c/muxes/Kconfig                          |   2 +-
 drivers/iio/adc/exynos_adc.c                       |   2 +-
 drivers/iio/adc/vf610_adc.c                        |   2 +-
 drivers/iio/imu/adis16480.c                        |   2 +-
 drivers/iio/light/tsl2563.c                        |   2 +-
 drivers/infiniband/core/cma.c                      |   2 +
 drivers/infiniband/core/uverbs_cmd.c               |   5 +-
 drivers/infiniband/core/uverbs_main.c              |   3 +-
 drivers/infiniband/hw/cxgb3/iwch_provider.c        |   5 +-
 drivers/infiniband/hw/cxgb4/cq.c                   |   1 +
 drivers/infiniband/hw/mlx5/mem.c                   |   2 +-
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c        |   4 +-
 drivers/infiniband/ulp/ipoib/ipoib_cm.c            |   1 -
 drivers/infiniband/ulp/ipoib/ipoib_main.c          |   3 +-
 drivers/input/joystick/analog.c                    |   2 +-
 drivers/input/mouse/trackpoint.c                   |   3 +-
 drivers/input/mouse/trackpoint.h                   |   3 +-
 drivers/input/serio/gscps2.c                       |   2 +-
 drivers/iommu/amd_iommu_init.c                     |   2 +-
 drivers/irqchip/irq-brcmstb-l2.c                   |   1 +
 drivers/isdn/hardware/mISDN/mISDNipac.c            |  12 +-
 drivers/isdn/hardware/mISDN/w6692.c                |   6 +-
 drivers/md/dm-bufio.c                              |   1 +
 drivers/md/dm.c                                    |  10 -
 drivers/md/raid5.c                                 |   6 +-
 drivers/media/platform/davinci/vpfe_capture.c      |  22 +-
 drivers/media/rc/ir-lirc-codec.c                   |   2 +-
 drivers/message/i2o/i2o_config.c                   |   4 +-
 drivers/mfd/arizona-core.c                         |   4 +-
 drivers/mfd/arizona-i2c.c                          |   5 +-
 drivers/mfd/arizona-spi.c                          |   3 +-
 drivers/mfd/arizona.h                              |   4 +-
 drivers/mtd/maps/pmcmsp-flash.c                    |   4 +-
 drivers/mtd/maps/rbtx4939-flash.c                  |   2 -
 drivers/mtd/nand/nandsim.c                         |   1 +
 drivers/net/Kconfig                                |   3 +
 drivers/net/ethernet/amd/amd8111e.c                |  19 +-
 drivers/net/ethernet/amd/nmclan_cs.c               |   4 +-
 drivers/net/ethernet/broadcom/b44.c                |   1 +
 drivers/net/ethernet/broadcom/bcmsysport.c         |   4 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     | 456 ++++++++++-----------
 drivers/net/ethernet/broadcom/genet/bcmgenet.h     |   9 +
 drivers/net/ethernet/dec/tulip/tulip_core.c        |   9 +-
 drivers/net/ethernet/dec/tulip/uli526x.c           |   2 +-
 drivers/net/ethernet/dec/tulip/winbond-840.c       |   2 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |   1 -
 drivers/net/ethernet/intel/e1000e/ich8lan.c        |  13 +-
 drivers/net/ethernet/intel/i40e/i40e_debugfs.c     |  30 +-
 drivers/net/ethernet/intel/i40e/i40e_txrx.c        |   2 +
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c  |   4 +
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c    |  15 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |  10 +-
 drivers/net/ethernet/mellanox/mlx4/en_tx.c         |   6 +-
 drivers/net/ethernet/mellanox/mlx4/fw.c            |   4 +
 drivers/net/ethernet/mellanox/mlx4/fw.h            |   1 +
 drivers/net/ethernet/mellanox/mlx4/main.c          |   2 +
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |  19 +-
 drivers/net/ethernet/mellanox/mlx5/core/debugfs.c  |   6 +-
 drivers/net/ethernet/neterion/vxge/vxge-main.c     |  31 +-
 drivers/net/ethernet/qlogic/netxen/netxen_nic_hw.c |   2 +-
 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c        |   2 +-
 drivers/net/ethernet/realtek/r8169.c               |   5 +-
 drivers/net/ethernet/ti/cpmac.c                    |   7 +-
 drivers/net/ethernet/xilinx/ll_temac_main.c        |   2 +-
 drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c  |   2 +-
 drivers/net/ethernet/xilinx/xilinx_emaclite.c      |   2 +-
 drivers/net/hyperv/netvsc_drv.c                    |   9 +-
 drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c |   2 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c  |  18 +-
 drivers/net/wireless/hostap/hostap_hw.c            |  15 +-
 drivers/net/wireless/iwlegacy/3945.c               |   3 +-
 drivers/net/wireless/iwlwifi/dvm/tx.c              |   2 +-
 drivers/net/wireless/iwlwifi/mvm/sta.c             |   3 +-
 drivers/net/wireless/ti/wl1251/main.c              |   1 +
 drivers/of/device.c                                |   2 +
 drivers/parisc/dino.c                              |   2 +-
 drivers/pinctrl/sunxi/pinctrl-sun4i-a10.c          |   1 +
 drivers/platform/x86/samsung-laptop.c              |   2 +-
 drivers/power/reset/xgene-reboot.c                 |   2 +-
 drivers/s390/net/qeth_l3_main.c                    |   4 +-
 drivers/scsi/advansys.c                            |   3 +-
 drivers/scsi/aic94xx/aic94xx_sds.c                 |   5 +-
 drivers/scsi/be2iscsi/be_main.c                    |   3 +-
 drivers/scsi/bfa/bfa_ioc.c                         |  22 +-
 drivers/scsi/ips.c                                 |   9 +-
 drivers/scsi/mvsas/mv_sas.c                        |   4 +-
 drivers/scsi/scsi_tgt_if.c                         |   2 +-
 drivers/scsi/st.c                                  |   4 +-
 drivers/spi/spi-atmel.c                            |   4 +-
 drivers/spi/spi-pl022.c                            |   2 +-
 drivers/spi/spi-rspi.c                             |   1 -
 drivers/spmi/spmi.c                                |  12 +
 drivers/staging/bcm/Kconfig                        |   1 +
 drivers/staging/dgnc/dgnc_tty.c                    |  16 +-
 drivers/staging/iio/adc/ad7192.c                   |   2 +-
 drivers/staging/iio/resolver/ad2s1210.c            |   2 +-
 drivers/staging/imx-drm/imx-hdmi.c                 |   2 +-
 drivers/staging/lustre/lustre/llite/llite_lib.c    |   3 +-
 drivers/staging/rtl8188eu/os_dep/usb_intf.c        |   2 +
 drivers/staging/rtl8192ee/pci.c                    |   4 +-
 drivers/staging/rtl8723au/core/rtw_wlan_util.c     |   2 +-
 drivers/staging/vt6655/device_main.c               |  10 +-
 drivers/staging/wlan-ng/prism2fw.c                 |  33 +-
 drivers/target/iscsi/iscsi_target.c                |   1 +
 drivers/target/iscsi/iscsi_target_core.h           |   1 +
 drivers/target/iscsi/iscsi_target_login.c          |   7 +-
 drivers/tty/isicom.c                               |   2 +-
 drivers/tty/nozomi.c                               |   2 +-
 drivers/usb/class/cdc-acm.c                        |   3 +
 drivers/usb/core/config.c                          |  20 +-
 drivers/usb/core/hcd.c                             |   2 +
 drivers/usb/core/hub.c                             |  10 +-
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/host/pci-quirks.c                      |  71 +++-
 drivers/usb/host/pci-quirks.h                      |   2 +
 drivers/usb/host/xhci-hub.c                        |   3 +
 drivers/usb/host/xhci-pci.c                        |   6 +
 drivers/usb/host/xhci-ring.c                       |  11 +-
 drivers/usb/host/xhci.c                            |  10 +-
 drivers/usb/host/xhci.h                            |   1 +
 drivers/usb/misc/usbtest.c                         |   5 +-
 drivers/usb/renesas_usbhs/common.c                 |   4 +-
 drivers/usb/renesas_usbhs/mod_gadget.c             |  42 +-
 drivers/usb/renesas_usbhs/pipe.c                   |  10 +
 drivers/usb/renesas_usbhs/pipe.h                   |   1 +
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/option.c                        |   2 +
 drivers/usb/storage/isd200.c                       |   5 +-
 drivers/usb/storage/uas-detect.h                   |  15 +-
 drivers/usb/storage/uas.c                          |  10 +-
 drivers/usb/storage/unusual_uas.h                  |   4 +-
 drivers/video/fbdev/Kconfig                        |   3 +-
 fs/cifs/dir.c                                      |  19 +-
 fs/cifs/smb2pdu.c                                  |   4 +-
 fs/cifs/smb2pdu.h                                  |   4 +-
 fs/eventpoll.c                                     |  36 +-
 fs/ext4/file.c                                     |   3 +
 fs/ext4/resize.c                                   |   3 +-
 fs/fuse/file.c                                     |   2 +-
 fs/gfs2/dir.c                                      |  11 +-
 fs/nfs/client.c                                    |   1 +
 fs/nfsd/nfs4xdr.c                                  |   6 +-
 fs/nilfs2/btree.c                                  |   2 +-
 fs/nilfs2/recovery.c                               |   4 +-
 fs/nilfs2/super.c                                  |   5 +-
 fs/ocfs2/acl.c                                     |  27 +-
 fs/xfs/xfs_ialloc.c                                |   2 +-
 include/asm-generic/topology.h                     |   6 +-
 include/linux/cpumask.h                            |   6 +-
 include/linux/device-mapper.h                      |  70 ++--
 include/linux/fs.h                                 |   4 +-
 include/linux/ftrace_event.h                       |   2 +-
 include/linux/gpio/driver.h                        |   2 +-
 include/linux/mlx4/device.h                        |   1 +
 include/linux/mm_types.h                           |  31 +-
 include/linux/module.h                             |   2 +-
 include/linux/mtd/map.h                            |  12 +-
 include/linux/perf_event.h                         |  28 +-
 include/linux/workqueue.h                          |   4 +-
 include/net/dst.h                                  |  13 +-
 include/net/ip6_fib.h                              |  35 +-
 include/net/ip6_route.h                            |   2 +-
 include/net/ip_fib.h                               |  10 +-
 include/net/sch_generic.h                          |   5 +-
 include/net/sctp/sctp.h                            |   4 +
 include/rdma/ib_addr.h                             |   6 +-
 include/trace/ftrace.h                             |   7 +-
 include/uapi/linux/usb/ch9.h                       |   1 +
 kernel/audit_watch.c                               |  12 +-
 kernel/events/core.c                               | 135 +++---
 kernel/fork.c                                      |   2 +-
 kernel/sched/core.c                                |   2 +-
 kernel/trace/trace.c                               |   1 +
 kernel/trace/trace_event_perf.c                    |   4 +-
 kernel/trace/trace_events_filter.c                 |   4 +
 kernel/trace/trace_kprobe.c                        |   4 +-
 kernel/trace/trace_syscalls.c                      |   4 +-
 kernel/trace/trace_uprobe.c                        |   2 +-
 kernel/workqueue.c                                 |  23 +-
 lib/assoc_array.c                                  |  51 +--
 lib/cpumask.c                                      |  74 ++--
 mm/hugetlb.c                                       |  12 +-
 mm/mempolicy.c                                     |   5 -
 mm/mprotect.c                                      |   4 +-
 mm/page_alloc.c                                    |  37 +-
 net/batman-adv/translation-table.c                 |  57 ++-
 net/batman-adv/types.h                             |   2 +
 net/bridge/br_device.c                             |   3 +-
 net/bridge/br_input.c                              |   3 +-
 net/bridge/br_netfilter.c                          |   2 +-
 net/caif/cfpkt_skbuff.c                            |   2 +-
 net/ceph/messenger.c                               |   6 +-
 net/core/dev.c                                     |  23 +-
 net/core/dst.c                                     |  45 +-
 net/core/pktgen.c                                  |   2 +-
 net/ipv4/fib_frontend.c                            |   9 +-
 net/ipv4/fib_semantics.c                           |  27 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c                 |   4 +-
 net/ipv4/netfilter/nft_reject_ipv4.c               |   2 +
 net/ipv4/route.c                                   |  10 +-
 net/ipv4/udp_offload.c                             |   2 +-
 net/ipv6/addrconf.c                                |   2 +-
 net/ipv6/ip6_fib.c                                 |  37 +-
 net/ipv6/ip6_tunnel.c                              |   2 +-
 net/ipv6/netfilter/nft_reject_ipv6.c               |   2 +
 net/ipv6/output_core.c                             |   6 +-
 net/ipv6/route.c                                   |  26 +-
 net/ipv6/tcp_ipv6.c                                |   3 +-
 net/ipv6/udp_offload.c                             |   2 +-
 net/ipv6/xfrm6_policy.c                            |   6 +-
 net/key/af_key.c                                   |  48 ++-
 net/l2tp/l2tp_core.c                               |  79 ++--
 net/l2tp/l2tp_core.h                               |  18 +-
 net/l2tp/l2tp_netlink.c                            |  72 ++--
 net/mac80211/key.c                                 |  20 +-
 net/netfilter/ipvs/ip_vs_xmit.c                    |   2 +-
 net/netfilter/nft_compat.c                         |   6 +-
 net/netfilter/nft_ct.c                             |   8 +
 net/netfilter/nft_reject.c                         |   2 +
 net/packet/af_packet.c                             |  30 +-
 net/sched/sch_api.c                                |   2 +
 net/sched/sch_cbq.c                                |  10 +-
 net/sched/sch_fq_codel.c                           |   4 +-
 net/sched/sch_hfsc.c                               |   4 +-
 net/sched/sch_hhf.c                                |  11 +-
 net/sched/sch_htb.c                                |   5 +-
 net/sched/sch_mq.c                                 |  10 +-
 net/sched/sch_mqprio.c                             |  19 +-
 net/sched/sch_multiq.c                             |   9 +-
 net/sched/sch_netem.c                              |   4 +-
 net/sched/sch_sfq.c                                |   8 +-
 net/sched/sch_tbf.c                                |   5 +-
 net/sctp/ipv6.c                                    |   2 +-
 net/xfrm/xfrm_user.c                               |   2 +
 scripts/mod/modpost.c                              |  34 +-
 security/keys/key.c                                |  10 +
 security/keys/keyctl.c                             |   5 +
 sound/core/control.c                               |   2 +-
 sound/core/seq/seq_clientmgr.c                     |   6 +-
 sound/core/seq/seq_lock.c                          |   4 -
 sound/core/seq/seq_lock.h                          |  12 -
 sound/core/seq/seq_ports.c                         |   7 +-
 sound/pci/hda/patch_conexant.c                     |   1 +
 sound/pci/hda/patch_realtek.c                      |   1 +
 sound/soc/codecs/adau1977.c                        |   2 +-
 sound/soc/fsl/fsl_sai.c                            |   3 +-
 sound/soc/fsl/fsl_ssi.c                            |   4 +-
 sound/soc/fsl/imx-audmux.c                         |   8 +-
 sound/soc/soc-pcm.c                                |   4 +
 sound/usb/card.c                                   |  20 +
 sound/usb/mixer.c                                  |  14 +-
 sound/usb/mixer.h                                  |   3 +
 sound/usb/mixer_quirks.c                           |   6 +
 tools/perf/ui/browser.c                            |   2 +-
 309 files changed, 1999 insertions(+), 1321 deletions(-)

-- 
Ben Hutchings
It is a miracle that curiosity survives formal education. - Albert Einstein

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 002/294] iio: light: tsl2563: use correct event code
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 282/294] MIPS: Fix the build on jz4740 after removing the custom gpio.h Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 042/294] xhci: fix memleak in xhci_run() Ben Hutchings
                   ` (111 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Akinobu Mita

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Akinobu Mita <akinobu.mita@gmail.com>

commit a3507e48d3f99a93a3056a34a5365f310434570f upstream.

The TSL2563 driver provides three iio channels, two of which are raw ADC
channels (channel 0 and channel 1) in the device and the remaining one
is calculated by the two.  The ADC channel 0 only supports programmable
interrupt with threshold settings and this driver supports the event but
the generated event code does not contain the corresponding iio channel
type.

This is going to change userspace ABI.  Hopefully fixing this to be
what it should always have been won't break any userspace code.

Cc: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/light/tsl2563.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/light/tsl2563.c
+++ b/drivers/iio/light/tsl2563.c
@@ -626,7 +626,7 @@ static irqreturn_t tsl2563_event_handler
 	struct tsl2563_chip *chip = iio_priv(dev_info);
 
 	iio_push_event(dev_info,
-		       IIO_UNMOD_EVENT_CODE(IIO_LIGHT,
+		       IIO_UNMOD_EVENT_CODE(IIO_INTENSITY,
 					    0,
 					    IIO_EV_TYPE_THRESH,
 					    IIO_EV_DIR_EITHER),

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 004/294] Raid5 should update rdev->sectors after reshape
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (192 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 211/294] cpumask_set_cpu_local_first => cpumask_local_spread, lament Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 128/294] ALSA: core: Fix unexpected error at replacing user TLV Ben Hutchings
                   ` (101 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shaohua Li, Xiao Ni, Guoqing Jiang

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xiao Ni <xni@redhat.com>

commit b5d27718f38843a74552e9a93d32e2391fd3999f upstream.

The raid5 md device is created by the disks which we don't use the total size. For example,
the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
and assemble it again. It fails.
mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
mdadm /dev/md0 --grow --chunk=64
wait reshape to finish
mdadm -S /dev/md0
mdadm -As
The error messages:
[197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
[197519.821686] md: md_import_device returned -22

After reshape the data offset is changed. It selects backwards direction in this condition.
In function super_1_load it compares the available space of the underlying device with
sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
on rdev->sectors. So add md_finish_reshape in end_reshape.

Signed-off-by: Xiao Ni <xni@redhat.com>
Acked-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/raid5.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6741,12 +6741,10 @@ static void end_reshape(struct r5conf *c
 {
 
 	if (!test_bit(MD_RECOVERY_INTR, &conf->mddev->recovery)) {
-		struct md_rdev *rdev;
 
 		spin_lock_irq(&conf->device_lock);
 		conf->previous_raid_disks = conf->raid_disks;
-		rdev_for_each(rdev, conf->mddev)
-			rdev->data_offset = rdev->new_data_offset;
+		md_finish_reshape(conf->mddev);
 		smp_wmb();
 		conf->reshape_progress = MaxSector;
 		spin_unlock_irq(&conf->device_lock);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 138/294] net: systemport: Be drop monitor friendly
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 235/294] scsi: advansys: remove #warning message Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 243/294] xilinx: Fix compiler warning Ben Hutchings
                   ` (127 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Florian Fainelli, Eric Dumazet

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit c45182eb967af11e9482168be5be41aa22e5d321 upstream.

Utilize dev_consume_skb_any(cb->skb) in bcm_sysport_free_cb() which is
used when a TX packet is completed, as well as when the RX ring is
cleaned on shutdown. None of these two cases are packet drops, so be
drop monitor friendly.

Suggested-by: Eric Dumazet <edumazet@gmail.com>
Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -386,7 +386,7 @@ static void bcm_sysport_get_stats(struct
 
 static void bcm_sysport_free_cb(struct bcm_sysport_cb *cb)
 {
-	dev_kfree_skb_any(cb->skb);
+	dev_consume_skb_any(cb->skb);
 	cb->skb = NULL;
 	dma_unmap_addr_set(cb, dma_addr, 0);
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 151/294] xfrm_user: fix info leak in xfrm_notify_sa()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (288 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 178/294] sch_netem: avoid null pointer deref on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 006/294] net: bridge: fix dest lookup when vlan proto doesn't match Ben Hutchings
                   ` (5 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mathias Krause, Herbert Xu, Steffen Klassert

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

commit 50329c8a340c9dea60d837645fcf13fc36bfb84d upstream.

The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the whole struct before filling
it.

Cc: Herbert Xu <herbert@gondor.apana.org.au>
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2552,6 +2552,7 @@ static int xfrm_notify_sa(struct xfrm_st
 		struct nlattr *attr;
 
 		id = nlmsg_data(nlh);
+		memset(id, 0, sizeof(*id));
 		memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
 		id->spi = x->id.spi;
 		id->family = x->props.family;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 149/294] r8169: Be drop monitor friendly
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 061/294] md/raid5: add thread_group worker async_tx_issue_pending_all Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 184/294] fix unbalanced page refcounting in bio_map_user_iov Ben Hutchings
                   ` (75 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 7a4b813cb739ce598ffbad2e84d19d13fa23e25d upstream.

rtl_tx() is the TX reclamation process whereas rtl8169_tx_clear_range() does
the TX ring cleaning during shutdown, both of these functions should call
dev_consume_skb_any() to be drop monitor friendly.

Fixes: cac4b22f3d6a ("r8169: do not account fragments as packets")
Fixes: eb781397904e ("r8169: Do not use dev_kfree_skb in xmit path")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/realtek/r8169.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -5860,7 +5860,7 @@ static void rtl8169_tx_clear_range(struc
 			rtl8169_unmap_tx_skb(&tp->pci_dev->dev, tx_skb,
 					     tp->TxDescArray + entry);
 			if (skb) {
-				dev_kfree_skb_any(skb);
+				dev_consume_skb_any(skb);
 				tx_skb->skb = NULL;
 			}
 		}
@@ -6168,7 +6168,7 @@ static void rtl_tx(struct net_device *de
 			tp->tx_stats.packets++;
 			tp->tx_stats.bytes += tx_skb->skb->len;
 			u64_stats_update_end(&tp->tx_stats.syncp);
-			dev_kfree_skb_any(tx_skb->skb);
+			dev_consume_skb_any(tx_skb->skb);
 			tx_skb->skb = NULL;
 		}
 		dirty_tx++;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 257/294] netfilter: Fix switch statement warnings with recent gcc.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (173 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 252/294] net: vxge: avoid unused function warnings Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 226/294] spi: rspi: Remove unused variable in rspi_rz_transfer_one() Ben Hutchings
                   ` (120 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Pablo Neira Ayuso, David Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Miller <davem@davemloft.net>

commit c1f866767777d1c6abae0ec57effffcb72017c00 upstream.

More recent GCC warns about two kinds of switch statement uses:

1) Switching on an enumeration, but not having an explicit case
   statement for all members of the enumeration.  To show the
   compiler this is intentional, we simply add a default case
   with nothing more than a break statement.

2) Switching on a boolean value.  I think this warning is dumb
   but nevertheless you get it wholesale with -Wswitch.

This patch cures all such warnings in netfilter.

Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/nft_reject_ipv4.c | 2 ++
 net/ipv6/netfilter/nft_reject_ipv6.c | 2 ++
 net/netfilter/nft_compat.c           | 6 +++---
 net/netfilter/nft_ct.c               | 8 ++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -33,6 +33,8 @@ void nft_reject_ipv4_eval(const struct n
 	case NFT_REJECT_TCP_RST:
 		nf_send_reset(pkt->skb, pkt->ops->hooknum);
 		break;
+	default:
+		break;
 	}
 
 	data[NFT_REG_VERDICT].verdict = NF_DROP;
--- a/net/ipv6/netfilter/nft_reject_ipv6.c
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -34,6 +34,8 @@ void nft_reject_ipv6_eval(const struct n
 	case NFT_REJECT_TCP_RST:
 		nf_send_reset6(net, pkt->skb, pkt->ops->hooknum);
 		break;
+	default:
+		break;
 	}
 
 	data[NFT_REG_VERDICT].verdict = NF_DROP;
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -295,11 +295,11 @@ static void nft_match_eval(const struct
 		return;
 	}
 
-	switch(ret) {
-	case true:
+	switch (ret ? 1 : 0) {
+	case 1:
 		data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
 		break;
-	case false:
+	case 0:
 		data[NFT_REG_VERDICT].verdict = NFT_BREAK;
 		break;
 	}
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -56,6 +56,8 @@ static void nft_ct_get_eval(const struct
 			state = NF_CT_STATE_BIT(ctinfo);
 		dest->data[0] = state;
 		return;
+	default:
+		break;
 	}
 
 	if (ct == NULL)
@@ -117,6 +119,8 @@ static void nft_ct_get_eval(const struct
 		return;
 	}
 #endif
+	default:
+		break;
 	}
 
 	tuple = &ct->tuplehash[priv->dir].tuple;
@@ -141,6 +145,8 @@ static void nft_ct_get_eval(const struct
 	case NFT_CT_PROTO_DST:
 		dest->data[0] = (__force __u16)tuple->dst.u.all;
 		return;
+	default:
+		break;
 	}
 	return;
 err:
@@ -172,6 +178,8 @@ static void nft_ct_set_eval(const struct
 		}
 		break;
 #endif
+	default:
+		break;
 	}
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 222/294] ASoC: fsl_sai: Set SYNC bit of TCR2 to Asynchronous Mode
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 082/294] drm/msm: Fix potential buffer overflow issue Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 027/294] staging: rtl8188eu: add TL-WN722N v2 support Ben Hutchings
                   ` (230 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Nicolin Chen, Nicolin Chen, Mark Brown

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolin Chen <Guangyu.Chen@freescale.com>

commit 855675f6e6a65688a7f4cf45b9b5a98cf6c6f5c3 upstream.

There is one design rule according to SAI's reference manual:
If the transmitter bit clock and frame sync are to be used by both transmitter
and receiver, the transmitter must be configured for asynchronous operation
and the receiver for synchronous operation.

And SYNC of TCR2 is a 2-width control bit:
00 Asynchronous mode.
01 Synchronous with receiver.
10 Synchronous with another SAI transmitter.
11 Synchronous with another SAI receiver.

So the driver should have set SYNC bit of TCR2 to 0x0, and meanwhile set SYNC
bit of RCR2 to 0x1 (Synchronous with transmitter).

Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/fsl_sai.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -333,8 +333,7 @@ static int fsl_sai_trigger(struct snd_pc
 	 * The transmitter bit clock and frame sync are to be
 	 * used by both the transmitter and receiver.
 	 */
-	regmap_update_bits(sai->regmap, FSL_SAI_TCR2, FSL_SAI_CR2_SYNC,
-			   ~FSL_SAI_CR2_SYNC);
+	regmap_update_bits(sai->regmap, FSL_SAI_TCR2, FSL_SAI_CR2_SYNC, 0);
 	regmap_update_bits(sai->regmap, FSL_SAI_RCR2, FSL_SAI_CR2_SYNC,
 			   FSL_SAI_CR2_SYNC);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 253/294] drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 228/294] spi/pl022: Explicitly truncate large bitmask Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 065/294] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl Ben Hutchings
                   ` (158 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, David Malcolm, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Malcolm <dmalcolm@redhat.com>

commit e1395a321eab1a7833d82e952eb8255e0a1f03cb upstream.

This code in drivers/net/ethernet/dec/tulip/uli526x.c
function "uli526x_timer":

  1086          } else
  1087                  if ((tmp_cr12 & 0x3) && db->link_failed) {
  [...snip...]
  1109                  }
  1110                  else if(!(tmp_cr12 & 0x3) && db->link_failed)
  1111                  {
  [...snip...]
  1117                  }
  1118                  db->init=0;

is misleadingly indented: the
  db->init=0
is indented as if part of the else clause at line 1086, but it is
independent of it (no braces before the "if" at line 1087).

This patch fixes the indentation to reflect the actual meaning of the code,
though is it actually meant to be part of the "else" clause?  (I'm a
compiler developer, not a kernel person).  It also adds spaces around
the assignment, to placate checkpatch.pl.

Seen via an experimental new gcc warning I'm working on for gcc 6,
-Wmisleading-indentation, using gcc r223098 adding
-Werror=misleading-indentation to KBUILD_CFLAGS in Makefile.
The experimental GCC emits this warning (as an error), rightly IMHO:

drivers/net/ethernet/dec/tulip/uli526x.c: In function ‘uli526x_timer’:
drivers/net/ethernet/dec/tulip/uli526x.c:1118:3: error: statement is
indented as if it were guarded by... [-Werror=misleading-indentation]
   db->init=0;
    ^
drivers/net/ethernet/dec/tulip/uli526x.c:1086:4: note: ...this ‘else’
clause, but it is not
  } else
     ^

Hope this is helpful
Dave

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/dec/tulip/uli526x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/dec/tulip/uli526x.c
+++ b/drivers/net/ethernet/dec/tulip/uli526x.c
@@ -1115,7 +1115,7 @@ static void uli526x_timer(unsigned long
 				netif_carrier_off(dev);
 			}
 		}
-		db->init=0;
+	db->init = 0;
 
 	/* Timer active again */
 	db->timer.expires = ULI526X_TIMER_WUT;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 201/294] platform/x86: samsung-laptop: Initialize loca variable
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 241/294] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 275/294] ARM: 8160/1: drop warning about return_address not using unwind tables Ben Hutchings
                   ` (285 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Geert Uytterhoeven, Andy Shevchenko

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 0d2c95354a3b63256e92d9fb865c08902d2c9b0b upstream.

The variable is used uninitialized which might come into unexpected
behaviour on some Samsung laptops.

Initialize it to 0xffff which seems a proper value for non-supported
feature.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/platform/x86/samsung-laptop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/platform/x86/samsung-laptop.c
+++ b/drivers/platform/x86/samsung-laptop.c
@@ -1347,9 +1347,9 @@ static int __init samsung_sabi_init(stru
 	const struct sabi_config *config = NULL;
 	const struct sabi_commands *commands;
 	unsigned int ifaceP;
+	int loca = 0xffff;
 	int ret = 0;
 	int i;
-	int loca;
 
 	samsung->f0000_segment = ioremap_nocache(0xf0000, 0xffff);
 	if (!samsung->f0000_segment) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 224/294] ata: hpt366: fix constant cast warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 150/294] Clarify (and fix) MAX_LFS_FILESIZE macros Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 215/294] power/reset: xgene-reset: Fix prototype of xgene_restart() Ben Hutchings
                   ` (256 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Tejun Heo, Bartlomiej Zolnierkiewicz

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 6ec0a86c645be3fce7ade42f165a6a417c3503b1 upstream.

gcc-5.x warns about a preexisting problem in the hpt36x pata driver:

drivers/ata/pata_hpt366.c: In function 'hpt36x_init_one':
drivers/ata/pata_hpt366.c:376:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]

Other ata drivers have the same problem, as ata_pci_bmdma_init_one
takes a non-const pointer, and they solve it by using a cast to
turn that pointer into a normal non-const pointer.

I also tried to change the ata core code to make host->private_data
a const pointer, but that quickly got out of hand, as some other
drivers expect it to be writable, so I ended up using the same
hack as the others here.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/pata_hpt366.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ata/pata_hpt366.c
+++ b/drivers/ata/pata_hpt366.c
@@ -352,7 +352,7 @@ static int hpt36x_init_one(struct pci_de
 	};
 	const struct ata_port_info *ppi[] = { &info_hpt366, NULL };
 
-	void *hpriv = NULL;
+	const void *hpriv = NULL;
 	u32 reg1;
 	int rc;
 
@@ -383,7 +383,7 @@ static int hpt36x_init_one(struct pci_de
 		break;
 	}
 	/* Now kick off ATA set up */
-	return ata_pci_bmdma_init_one(dev, ppi, &hpt36x_sht, hpriv, 0);
+	return ata_pci_bmdma_init_one(dev, ppi, &hpt36x_sht, (void *)hpriv, 0);
 }
 
 #ifdef CONFIG_PM_SLEEP

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 214/294] infiniband: mlx5: avoid a compile-time warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 191/294] packet: in packet_do_bind, test fanout with bind_lock held Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 190/294] packet: hold bind lock when rebinding to fanout hook Ben Hutchings
                   ` (176 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, David S. Miller, Eli Cohen

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 7835bfb5261501590a508b3de3379e2231cb4853 upstream.

The return type of find_first_bit() is architecture specific,
on ARM it is 'unsigned int', while the asm-generic code used
on x86 and a lot of other architectures returns 'unsigned long'.

When building the mlx5 driver on ARM, we get a warning about
this:

infiniband/hw/mlx5/mem.c: In function 'mlx5_ib_cont_pages':
infiniband/hw/mlx5/mem.c:84:143: warning: comparison of distinct pointer types lacks a cast
     m = min(m, find_first_bit(&tmp, sizeof(tmp)));

This patch changes the driver to use min_t to make it behave
the same way on all architectures.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -68,7 +68,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
 		for (k = 0; k < len; k++) {
 			if (!(i & mask)) {
 				tmp = (unsigned long)pfn;
-				m = min(m, find_first_bit(&tmp, sizeof(tmp)));
+				m = min_t(unsigned long, m, find_first_bit(&tmp, sizeof(tmp)));
 				skip = 1 << m;
 				mask = skip - 1;
 				base = pfn;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 199/294] ALSA: seq: Enable 'use' locking in all configurations
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 007/294] net/packet: Fix Tx queue selection for AF_PACKET Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 246/294] mISDN: avoid arch specific __builtin_return_address call Ben Hutchings
                   ` (185 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Ben Hutchings

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream.

The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is
enabled.  This might once have been OK in non-preemptible
configurations, but even in that case snd_seq_read() may sleep while
relying on a 'use' lock.  So always use the proper implementations.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_lock.c |  4 ----
 sound/core/seq/seq_lock.h | 12 ------------
 2 files changed, 16 deletions(-)

--- a/sound/core/seq/seq_lock.c
+++ b/sound/core/seq/seq_lock.c
@@ -23,8 +23,6 @@
 #include <sound/core.h>
 #include "seq_lock.h"
 
-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG)
-
 /* wait until all locks are released */
 void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
 {
@@ -42,5 +40,3 @@ void snd_use_lock_sync_helper(snd_use_lo
 }
 
 EXPORT_SYMBOL(snd_use_lock_sync_helper);
-
-#endif
--- a/sound/core/seq/seq_lock.h
+++ b/sound/core/seq/seq_lock.h
@@ -3,8 +3,6 @@
 
 #include <linux/sched.h>
 
-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG)
-
 typedef atomic_t snd_use_lock_t;
 
 /* initialize lock */
@@ -20,14 +18,4 @@ typedef atomic_t snd_use_lock_t;
 void snd_use_lock_sync_helper(snd_use_lock_t *lock, const char *file, int line);
 #define snd_use_lock_sync(lockp) snd_use_lock_sync_helper(lockp, __BASE_FILE__, __LINE__)
 
-#else /* SMP || CONFIG_SND_DEBUG */
-
-typedef spinlock_t snd_use_lock_t;	/* dummy */
-#define snd_use_lock_init(lockp) /**/
-#define snd_use_lock_use(lockp) /**/
-#define snd_use_lock_free(lockp) /**/
-#define snd_use_lock_sync(lockp) /**/
-
-#endif /* SMP || CONFIG_SND_DEBUG */
-
 #endif /* __SND_SEQ_LOCK_H */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 211/294] cpumask_set_cpu_local_first => cpumask_local_spread, lament
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (191 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 009/294] net: bcmgenet: check harder for out of memory conditions Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 004/294] Raid5 should update rdev->sectors after reshape Ben Hutchings
                   ` (102 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Rusty Russell, Amir Vadai, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rusty Russell <rusty@rustcorp.com.au>

commit f36963c9d3f6f415732710da3acdd8608a9fa0e upstream.

da91309e0a7e (cpumask: Utility function to set n'th cpu...) created a
genuinely weird function.  I never saw it before, it went through DaveM.
(He only does this to make us other maintainers feel better about our own
mistakes.)

cpumask_set_cpu_local_first's purpose is say "I need to spread things
across N online cpus, choose the ones on this numa node first"; you call
it in a loop.

It can fail.  One of the two callers ignores this, the other aborts and
fails the device open.

It can fail in two ways: allocating the off-stack cpumask, or through a
convoluted codepath which AFAICT can only occur if cpu_online_mask
changes.  Which shouldn't happen, because if cpu_online_mask can change
while you call this, it could return a now-offline cpu anyway.

It contains a nonsensical test "!cpumask_of_node(numa_node)".  This was
drawn to my attention by Geert, who said this causes a warning on Sparc.
It sets a single bit in a cpumask instead of returning a cpu number,
because that's what the callers want.

It could be made more efficient by passing the previous cpu rather than
an index, but that would be more invasive to the callers.

Fixes: da91309e0a7e8966d916a74cce42ed170fde06bf
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (then rebased)
Tested-by: Amir Vadai <amirv@mellanox.com>
Acked-by: Amir Vadai <amirv@mellanox.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 10 ++--
 drivers/net/ethernet/mellanox/mlx4/en_tx.c     |  6 +--
 include/linux/cpumask.h                        |  6 +--
 lib/cpumask.c                                  | 74 +++++++++-----------------
 4 files changed, 34 insertions(+), 62 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -1535,17 +1535,13 @@ static int mlx4_en_init_affinity_hint(st
 {
 	struct mlx4_en_rx_ring *ring = priv->rx_ring[ring_idx];
 	int numa_node = priv->mdev->dev->numa_node;
-	int ret = 0;
 
 	if (!zalloc_cpumask_var(&ring->affinity_mask, GFP_KERNEL))
 		return -ENOMEM;
 
-	ret = cpumask_set_cpu_local_first(ring_idx, numa_node,
-					  ring->affinity_mask);
-	if (ret)
-		free_cpumask_var(ring->affinity_mask);
-
-	return ret;
+	cpumask_set_cpu(cpumask_local_spread(ring_idx, numa_node),
+			ring->affinity_mask);
+	return 0;
 }
 
 static void mlx4_en_free_affinity_hint(struct mlx4_en_priv *priv, int ring_idx)
--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
@@ -133,9 +133,9 @@ int mlx4_en_create_tx_ring(struct mlx4_e
 	ring->queue_index = queue_index;
 
 	if (queue_index < priv->num_tx_rings_p_up)
-		cpumask_set_cpu_local_first(queue_index,
-					    priv->mdev->dev->numa_node,
-					    &ring->affinity_mask);
+		cpumask_set_cpu(cpumask_local_spread(queue_index,
+						     priv->mdev->dev->numa_node),
+				&ring->affinity_mask);
 
 	*pring = ring;
 	return 0;
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -142,10 +142,8 @@ static inline unsigned int cpumask_any_b
 	return 1;
 }
 
-static inline int cpumask_set_cpu_local_first(int i, int numa_node, cpumask_t *dstp)
+static inline unsigned int cpumask_local_spread(unsigned int i, int node)
 {
-	set_bit(0, cpumask_bits(dstp));
-
 	return 0;
 }
 
@@ -199,7 +197,7 @@ static inline unsigned int cpumask_next_
 
 int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *);
 int cpumask_any_but(const struct cpumask *mask, unsigned int cpu);
-int cpumask_set_cpu_local_first(int i, int numa_node, cpumask_t *dstp);
+unsigned int cpumask_local_spread(unsigned int i, int node);
 
 /**
  * for_each_cpu - iterate over every cpu in a mask
--- a/lib/cpumask.c
+++ b/lib/cpumask.c
@@ -198,64 +198,42 @@ void __init free_bootmem_cpumask_var(cpu
 #endif
 
 /**
- * cpumask_set_cpu_local_first - set i'th cpu with local numa cpu's first
- *
+ * cpumask_local_spread - select the i'th cpu with local numa cpu's first
  * @i: index number
- * @numa_node: local numa_node
- * @dstp: cpumask with the relevant cpu bit set according to the policy
+ * @node: local numa_node
  *
- * This function sets the cpumask according to a numa aware policy.
- * cpumask could be used as an affinity hint for the IRQ related to a
- * queue. When the policy is to spread queues across cores - local cores
- * first.
+ * This function selects an online CPU according to a numa aware policy;
+ * local cpus are returned first, followed by non-local ones, then it
+ * wraps around.
  *
- * Returns 0 on success, -ENOMEM for no memory, and -EAGAIN when failed to set
- * the cpu bit and need to re-call the function.
+ * It's not very efficient, but useful for setup.
  */
-int cpumask_set_cpu_local_first(int i, int numa_node, cpumask_t *dstp)
+unsigned int cpumask_local_spread(unsigned int i, int node)
 {
-	cpumask_var_t mask;
 	int cpu;
-	int ret = 0;
-
-	if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
-		return -ENOMEM;
 
+	/* Wrap: we always want a cpu. */
 	i %= num_online_cpus();
 
-	if (numa_node == -1 || !cpumask_of_node(numa_node)) {
-		/* Use all online cpu's for non numa aware system */
-		cpumask_copy(mask, cpu_online_mask);
+	if (node == -1) {
+		for_each_cpu(cpu, cpu_online_mask)
+			if (i-- == 0)
+				return cpu;
 	} else {
-		int n;
-
-		cpumask_and(mask,
-			    cpumask_of_node(numa_node), cpu_online_mask);
+		/* NUMA first. */
+		for_each_cpu_and(cpu, cpumask_of_node(node), cpu_online_mask)
+			if (i-- == 0)
+				return cpu;
+
+		for_each_cpu(cpu, cpu_online_mask) {
+			/* Skip NUMA nodes, done above. */
+			if (cpumask_test_cpu(cpu, cpumask_of_node(node)))
+				continue;
 
-		n = cpumask_weight(mask);
-		if (i >= n) {
-			i -= n;
-
-			/* If index > number of local cpu's, mask out local
-			 * cpu's
-			 */
-			cpumask_andnot(mask, cpu_online_mask, mask);
+			if (i-- == 0)
+				return cpu;
 		}
 	}
-
-	for_each_cpu(cpu, mask) {
-		if (--i < 0)
-			goto out;
-	}
-
-	ret = -EAGAIN;
-
-out:
-	free_cpumask_var(mask);
-
-	if (!ret)
-		cpumask_set_cpu(cpu, dstp);
-
-	return ret;
+	BUG();
 }
-EXPORT_SYMBOL(cpumask_set_cpu_local_first);
+EXPORT_SYMBOL(cpumask_local_spread);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 200/294] nilfs2: fix gcc uninitialized-variable warnings in powerpc build
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 119/294] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 082/294] drm/msm: Fix potential buffer overflow issue Ben Hutchings
                   ` (232 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Geert Uytterhoeven, Ryusuke Konishi

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

commit 4f05028f8d1af782cfd03d09e0a052e9745dc5ad upstream.

Some false positive warnings are reported for powerpc build.

The following warnings are reported in
 http://kisskb.ellerman.id.au/kisskb/buildresult/12519703/

   CC      fs/nilfs2/super.o
 fs/nilfs2/super.c: In function 'nilfs_resize_fs':
 fs/nilfs2/super.c:376:2: warning: 'blocknr' may be used uninitialized in this function [-Wuninitialized]
 fs/nilfs2/super.c:362:11: note: 'blocknr' was declared here
   CC      fs/nilfs2/recovery.o
 fs/nilfs2/recovery.c: In function 'nilfs_salvage_orphan_logs':
 fs/nilfs2/recovery.c:631:21: warning: 'sum' may be used uninitialized in this function [-Wuninitialized]
 fs/nilfs2/recovery.c:585:32: note: 'sum' was declared here
 fs/nilfs2/recovery.c: In function 'nilfs_search_super_root':
 fs/nilfs2/recovery.c:873:11: warning: 'sum' may be used uninitialized in this function [-Wuninitialized]

Another similar warning is reported in
 http://kisskb.ellerman.id.au/kisskb/buildresult/12520079/

   CC      fs/nilfs2/btree.o
 fs/nilfs2/btree.c: In function 'nilfs_btree_convert_and_insert':
 include/asm-generic/bitops/non-atomic.h:105:20: warning: 'bh' may be used uninitialized in this function [-Wuninitialized]
 fs/nilfs2/btree.c:1859:22: note: 'bh' was declared here

This cleans out these warnings by forcing the variables to be initialized.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nilfs2/btree.c    | 2 +-
 fs/nilfs2/recovery.c | 4 ++--
 fs/nilfs2/super.c    | 5 ++++-
 3 files changed, 7 insertions(+), 4 deletions(-)

--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -1797,7 +1797,7 @@ int nilfs_btree_convert_and_insert(struc
 				   __u64 key, __u64 ptr,
 				   const __u64 *keys, const __u64 *ptrs, int n)
 {
-	struct buffer_head *bh;
+	struct buffer_head *bh = NULL;
 	union nilfs_bmap_ptr_req dreq, nreq, *di, *ni;
 	struct nilfs_bmap_stats stats;
 	int ret;
--- a/fs/nilfs2/recovery.c
+++ b/fs/nilfs2/recovery.c
@@ -582,7 +582,7 @@ static int nilfs_do_roll_forward(struct
 				 struct nilfs_recovery_info *ri)
 {
 	struct buffer_head *bh_sum = NULL;
-	struct nilfs_segment_summary *sum;
+	struct nilfs_segment_summary *sum = NULL;
 	sector_t pseg_start;
 	sector_t seg_start, seg_end;  /* Starting/ending DBN of full segment */
 	unsigned long nsalvaged_blocks = 0;
@@ -814,7 +814,7 @@ int nilfs_search_super_root(struct the_n
 			    struct nilfs_recovery_info *ri)
 {
 	struct buffer_head *bh_sum = NULL;
-	struct nilfs_segment_summary *sum;
+	struct nilfs_segment_summary *sum = NULL;
 	sector_t pseg_start, pseg_end, sr_pseg_start = 0;
 	sector_t seg_start, seg_end; /* range of full segment (block number) */
 	sector_t b, end;
--- a/fs/nilfs2/super.c
+++ b/fs/nilfs2/super.c
@@ -358,7 +358,7 @@ static int nilfs_move_2nd_super(struct s
 	struct nilfs_super_block *nsbp;
 	sector_t blocknr, newblocknr;
 	unsigned long offset;
-	int sb2i = -1;  /* array index of the secondary superblock */
+	int sb2i;  /* array index of the secondary superblock */
 	int ret = 0;
 
 	/* nilfs->ns_sem must be locked by the caller. */
@@ -369,6 +369,9 @@ static int nilfs_move_2nd_super(struct s
 	} else if (nilfs->ns_sbh[0]->b_blocknr > nilfs->ns_first_data_block) {
 		sb2i = 0;
 		blocknr = nilfs->ns_sbh[0]->b_blocknr;
+	} else {
+		sb2i = -1;
+		blocknr = 0;
 	}
 	if (sb2i >= 0 && (u64)blocknr << nilfs->ns_blocksize_bits == sb2off)
 		goto out;  /* super block location is unchanged */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 186/294] assoc_array: Fix a buggy node-splitting case
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 277/294] MIPS: BMIPS: Fix ".previous without corresponding .section" warnings Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 093/294] RDMA/uverbs: Prevent leak of reserved field Ben Hutchings
                   ` (292 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, David Howells

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.

This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is
added that needs to go into a node that happens to be full, where the
existing leaves in that node cluster together at that level to the
exclusion of new leaf.

What needs to happen is that the existing leaves get moved out to a new
node, N1, at level + 1 and the existing node needs replacing with one,
N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

 (1) The pointer that should've pointed from N0 to N1 is set to point
     recursively to N0 instead.

 (2) The backpointer from N0 needs to be set correctly in the case N0 is
     either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead,
which achieves the same end, but in a more general way (thanks to Eric
Biggers for spotting the redundancy).

The problem manifests itself as:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
 1 file changed, 17 insertions(+), 34 deletions(-)

--- a/lib/assoc_array.c
+++ b/lib/assoc_array.c
@@ -597,21 +597,31 @@ static bool assoc_array_insert_into_term
 		if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
 			goto all_leaves_cluster_together;
 
-		/* Otherwise we can just insert a new node ahead of the old
-		 * one.
+		/* Otherwise all the old leaves cluster in the same slot, but
+		 * the new leaf wants to go into a different slot - so we
+		 * create a new node (n0) to hold the new leaf and a pointer to
+		 * a new node (n1) holding all the old leaves.
+		 *
+		 * This can be done by falling through to the node splitting
+		 * path.
 		 */
-		goto present_leaves_cluster_but_not_new_leaf;
+		pr_devel("present leaves cluster but not new leaf\n");
 	}
 
 split_node:
 	pr_devel("split node\n");
 
-	/* We need to split the current node; we know that the node doesn't
-	 * simply contain a full set of leaves that cluster together (it
-	 * contains meta pointers and/or non-clustering leaves).
+	/* We need to split the current node.  The node must contain anything
+	 * from a single leaf (in the one leaf case, this leaf will cluster
+	 * with the new leaf) and the rest meta-pointers, to all leaves, some
+	 * of which may cluster.
+	 *
+	 * It won't contain the case in which all the current leaves plus the
+	 * new leaves want to cluster in the same slot.
 	 *
 	 * We need to expel at least two leaves out of a set consisting of the
-	 * leaves in the node and the new leaf.
+	 * leaves in the node and the new leaf.  The current meta pointers can
+	 * just be copied as they shouldn't cluster with any of the leaves.
 	 *
 	 * We need a new node (n0) to replace the current one and a new node to
 	 * take the expelled nodes (n1).
@@ -716,33 +726,6 @@ found_slot_for_multiple_occupancy:
 	pr_devel("<--%s() = ok [split node]\n", __func__);
 	return true;
 
-present_leaves_cluster_but_not_new_leaf:
-	/* All the old leaves cluster in the same slot, but the new leaf wants
-	 * to go into a different slot, so we create a new node to hold the new
-	 * leaf and a pointer to a new node holding all the old leaves.
-	 */
-	pr_devel("present leaves cluster but not new leaf\n");
-
-	new_n0->back_pointer = node->back_pointer;
-	new_n0->parent_slot = node->parent_slot;
-	new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
-	new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
-	new_n1->parent_slot = edit->segment_cache[0];
-	new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
-	edit->adjust_count_on = new_n0;
-
-	for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
-		new_n1->slots[i] = node->slots[i];
-
-	new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
-	edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
-
-	edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
-	edit->set[0].to = assoc_array_node_to_ptr(new_n0);
-	edit->excised_meta[0] = assoc_array_node_to_ptr(node);
-	pr_devel("<--%s() = ok [insert node before]\n", __func__);
-	return true;
-
 all_leaves_cluster_together:
 	/* All the leaves, new and old, want to cluster together in this node
 	 * in the same slot, so we have to replace this node with a shortcut to

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 196/294] usb: usbtest: fix NULL pointer dereference
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (284 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 022/294] libceph: potential NULL dereference in ceph_msg_data_create() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 126/294] net_sched: fix order of queue length updates in qdisc_replace() Ben Hutchings
                   ` (9 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Andrey Konovalov, Alan Stern

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 7c80f9e4a588f1925b07134bb2e3689335f6c6d8 upstream.

If the usbtest driver encounters a device with an IN bulk endpoint but
no OUT bulk endpoint, it will try to dereference a NULL pointer
(out->desc.bEndpointAddress).  The problem can be solved by adding a
missing test.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/usbtest.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -164,12 +164,13 @@ found:
 			return tmp;
 	}
 
-	if (in) {
+	if (in)
 		dev->in_pipe = usb_rcvbulkpipe(udev,
 			in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+	if (out)
 		dev->out_pipe = usb_sndbulkpipe(udev,
 			out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
-	}
+
 	if (iso_in) {
 		dev->iso_in = &iso_in->desc;
 		dev->in_iso_pipe = usb_rcvisocpipe(udev,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 197/294] HID: usbhid: fix out-of-bounds bug
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (239 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 273/294] ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 074/294] USB: hcd: Mark secondary HCD as dead if the primary one died Ben Hutchings
                   ` (54 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Stern, Jiri Kosina, Jaejoong Kim, Andrey Konovalov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream.

The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.

In addition, if bNumDescriptors of the hid descriptor have an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].

So check the size of hid descriptor and bNumDescriptors.

	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261

	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
	4.14.0-rc1-42251-gebb2c2437d80 #169
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	__dump_stack lib/dump_stack.c:16
	dump_stack+0x292/0x395 lib/dump_stack.c:52
	print_address_description+0x78/0x280 mm/kasan/report.c:252
	kasan_report_error mm/kasan/report.c:351
	kasan_report+0x22f/0x340 mm/kasan/report.c:409
	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
	hub_port_connect drivers/usb/core/hub.c:4903
	hub_port_connect_change drivers/usb/core/hub.c:5009
	port_event drivers/usb/core/hub.c:5115
	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
	kthread+0x3a1/0x470 kernel/kthread.c:231
	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/usbhid/hid-core.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -975,6 +975,8 @@ static int usbhid_parse(struct hid_devic
 	unsigned int rsize = 0;
 	char *rdesc;
 	int ret, n;
+	int num_descriptors;
+	size_t offset = offsetof(struct hid_descriptor, desc);
 
 	quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor),
 			le16_to_cpu(dev->descriptor.idProduct));
@@ -997,10 +999,18 @@ static int usbhid_parse(struct hid_devic
 		return -ENODEV;
 	}
 
+	if (hdesc->bLength < sizeof(struct hid_descriptor)) {
+		dbg_hid("hid descriptor is too short\n");
+		return -EINVAL;
+	}
+
 	hid->version = le16_to_cpu(hdesc->bcdHID);
 	hid->country = hdesc->bCountryCode;
 
-	for (n = 0; n < hdesc->bNumDescriptors; n++)
+	num_descriptors = min_t(int, hdesc->bNumDescriptors,
+	       (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
+
+	for (n = 0; n < num_descriptors; n++)
 		if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
 			rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 198/294] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 083/294] drm/msm: fix an integer overflow test Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 137/294] nfsd: Limit end of page list when decoding NFSv4 WRITE Ben Hutchings
                   ` (210 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Greg Kroah-Hartman, Alan Stern

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 1c0edc3633b56000e18d82fc241e3995ca18a69e upstream.

Andrey used the syzkaller fuzzer to find an out-of-bounds memory
access in usb_get_bos_descriptor().  The code wasn't checking that the
next usb_dev_cap_header structure could fit into the remaining buffer
space.

This patch fixes the error and also reduces the bNumDeviceCaps field
in the header to match the actual number of capabilities found, in
cases where there are fewer than expected.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -924,10 +924,12 @@ int usb_get_bos_descriptor(struct usb_de
 	for (i = 0; i < num; i++) {
 		buffer += length;
 		cap = (struct usb_dev_cap_header *)buffer;
-		length = cap->bLength;
 
-		if (total_len < length)
+		if (total_len < sizeof(*cap) || total_len < cap->bLength) {
+			dev->bos->desc->bNumDeviceCaps = i;
 			break;
+		}
+		length = cap->bLength;
 		total_len -= length;
 
 		if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 176/294] sch_cbq: fix null pointer dereferences on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 237/294] be2iscsi: Fix bogus WARN_ON length check Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 223/294] ASoC: adau1977: Fix truncation warning on 64 bit architectures Ben Hutchings
                   ` (238 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nikolay Aleksandrov, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 3501d059921246ff617b43e86250a719c140bd97 upstream.

CBQ can fail on ->init by wrong nl attributes or simply for missing any,
f.e. if it's set as a default qdisc then TCA_OPTIONS (opt) will be NULL
when it is activated. The first thing init does is parse opt but it will
dereference a null pointer if used as a default qdisc, also since init
failure at default qdisc invokes ->reset() which cancels all timers then
we'll also dereference two more null pointers (timer->base) as they were
never initialized.

To reproduce:
$ sysctl net.core.default_qdisc=cbq
$ ip l set ethX up

Crash log of the first null ptr deref:
[44727.907454] BUG: unable to handle kernel NULL pointer dereference at (null)
[44727.907600] IP: cbq_init+0x27/0x205
[44727.907676] PGD 59ff4067
[44727.907677] P4D 59ff4067
[44727.907742] PUD 59c70067
[44727.907807] PMD 0
[44727.907873]
[44727.907982] Oops: 0000 [#1] SMP
[44727.908054] Modules linked in:
[44727.908126] CPU: 1 PID: 21312 Comm: ip Not tainted 4.13.0-rc6+ #60
[44727.908235] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[44727.908477] task: ffff88005ad42700 task.stack: ffff880037214000
[44727.908672] RIP: 0010:cbq_init+0x27/0x205
[44727.908838] RSP: 0018:ffff8800372175f0 EFLAGS: 00010286
[44727.909018] RAX: ffffffff816c3852 RBX: ffff880058c53800 RCX: 0000000000000000
[44727.909222] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff8800372175f8
[44727.909427] RBP: ffff880037217650 R08: ffffffff81b0f380 R09: 0000000000000000
[44727.909631] R10: ffff880037217660 R11: 0000000000000020 R12: ffffffff822a44c0
[44727.909835] R13: ffff880058b92000 R14: 00000000ffffffff R15: 0000000000000001
[44727.910040] FS:  00007ff8bc583740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[44727.910339] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[44727.910525] CR2: 0000000000000000 CR3: 00000000371e5000 CR4: 00000000000406e0
[44727.910731] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[44727.910936] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[44727.911141] Call Trace:
[44727.911291]  ? lockdep_init_map+0xb6/0x1ba
[44727.911461]  ? qdisc_alloc+0x14e/0x187
[44727.911626]  qdisc_create_dflt+0x7a/0x94
[44727.911794]  ? dev_activate+0x129/0x129
[44727.911959]  attach_one_default_qdisc+0x36/0x63
[44727.912132]  netdev_for_each_tx_queue+0x3d/0x48
[44727.912305]  dev_activate+0x4b/0x129
[44727.912468]  __dev_open+0xe7/0x104
[44727.912631]  __dev_change_flags+0xc6/0x15c
[44727.912799]  dev_change_flags+0x25/0x59
[44727.912966]  do_setlink+0x30c/0xb3f
[44727.913129]  ? check_chain_key+0xb0/0xfd
[44727.913294]  ? check_chain_key+0xb0/0xfd
[44727.913463]  rtnl_newlink+0x3a4/0x729
[44727.913626]  ? rtnl_newlink+0x117/0x729
[44727.913801]  ? ns_capable_common+0xd/0xb1
[44727.913968]  ? ns_capable+0x13/0x15
[44727.914131]  rtnetlink_rcv_msg+0x188/0x197
[44727.914300]  ? rcu_read_unlock+0x3e/0x5f
[44727.914465]  ? rtnl_newlink+0x729/0x729
[44727.914630]  netlink_rcv_skb+0x6c/0xce
[44727.914796]  rtnetlink_rcv+0x23/0x2a
[44727.914956]  netlink_unicast+0x103/0x181
[44727.915122]  netlink_sendmsg+0x326/0x337
[44727.915291]  sock_sendmsg_nosec+0x14/0x3f
[44727.915459]  sock_sendmsg+0x29/0x2e
[44727.915619]  ___sys_sendmsg+0x209/0x28b
[44727.915784]  ? do_raw_spin_unlock+0xcd/0xf8
[44727.915954]  ? _raw_spin_unlock+0x27/0x31
[44727.916121]  ? __handle_mm_fault+0x651/0xdb1
[44727.916290]  ? check_chain_key+0xb0/0xfd
[44727.916461]  __sys_sendmsg+0x45/0x63
[44727.916626]  ? __sys_sendmsg+0x45/0x63
[44727.916792]  SyS_sendmsg+0x19/0x1b
[44727.916950]  entry_SYSCALL_64_fastpath+0x23/0xc2
[44727.917125] RIP: 0033:0x7ff8bbc96690
[44727.917286] RSP: 002b:00007ffc360991e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[44727.917579] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007ff8bbc96690
[44727.917783] RDX: 0000000000000000 RSI: 00007ffc36099230 RDI: 0000000000000003
[44727.917987] RBP: ffff880037217f98 R08: 0000000000000001 R09: 0000000000000003
[44727.918190] R10: 00007ffc36098fb0 R11: 0000000000000246 R12: 0000000000000006
[44727.918393] R13: 000000000066f1a0 R14: 00007ffc360a12e0 R15: 0000000000000000
[44727.918597]  ? trace_hardirqs_off_caller+0xa7/0xcf
[44727.918774] Code: 41 5f 5d c3 66 66 66 66 90 55 48 8d 56 04 45 31 c9
49 c7 c0 80 f3 b0 81 48 89 e5 41 55 41 54 53 48 89 fb 48 8d 7d a8 48 83
ec 48 <0f> b7 0e be 07 00 00 00 83 e9 04 e8 e6 f7 d8 ff 85 c0 0f 88 bb
[44727.919332] RIP: cbq_init+0x27/0x205 RSP: ffff8800372175f0
[44727.919516] CR2: 0000000000000000

Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Keep using HRTIMER_MODE_ABS
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_cbq.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1364,6 +1364,13 @@ static int cbq_init(struct Qdisc *sch, s
 	struct tc_ratespec *r;
 	int err;
 
+	qdisc_watchdog_init(&q->watchdog, sch);
+	hrtimer_init(&q->delay_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS_PINNED);
+	q->delay_timer.function = cbq_undelay;
+
+	if (!opt)
+		return -EINVAL;
+
 	err = nla_parse_nested(tb, TCA_CBQ_MAX, opt, cbq_policy);
 	if (err < 0)
 		return err;
@@ -1402,9 +1409,6 @@ static int cbq_init(struct Qdisc *sch, s
 	q->link.avpkt = q->link.allot/2;
 	q->link.minidle = -0x7FFFFFFF;
 
-	qdisc_watchdog_init(&q->watchdog, sch);
-	hrtimer_init(&q->delay_timer, CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
-	q->delay_timer.function = cbq_undelay;
 	q->toplevel = TC_CBQ_MAXLEVEL;
 	q->now = psched_get_time();
 	q->now_rt = q->now;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 178/294] sch_netem: avoid null pointer deref on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (287 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 144/294] PM/hibernate: touch NMI watchdog when creating snapshot Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 151/294] xfrm_user: fix info leak in xfrm_notify_sa() Ben Hutchings
                   ` (6 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Nikolay Aleksandrov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.

netem can fail in ->init due to missing options (either not supplied by
user-space or used as a default qdisc) causing a timer->base null
pointer deref in its ->destroy() and ->reset() callbacks.

Reproduce:
$ sysctl net.core.default_qdisc=netem
$ ip l set ethX up

Crash log:
[ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1814.847181] IP: hrtimer_active+0x17/0x8a
[ 1814.847270] PGD 59c34067
[ 1814.847271] P4D 59c34067
[ 1814.847337] PUD 37374067
[ 1814.847403] PMD 0
[ 1814.847468]
[ 1814.847582] Oops: 0000 [#1] SMP
[ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
[ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G           O 4.13.0-rc6+ #62
[ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
[ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
[ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
[ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
[ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
[ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
[ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
[ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
[ 1814.849616] FS:  00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 1814.849919] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
[ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1814.850723] Call Trace:
[ 1814.850875]  hrtimer_try_to_cancel+0x1a/0x93
[ 1814.851047]  hrtimer_cancel+0x15/0x20
[ 1814.851211]  qdisc_watchdog_cancel+0x12/0x14
[ 1814.851383]  netem_reset+0xe6/0xed [sch_netem]
[ 1814.851561]  qdisc_destroy+0x8b/0xe5
[ 1814.851723]  qdisc_create_dflt+0x86/0x94
[ 1814.851890]  ? dev_activate+0x129/0x129
[ 1814.852057]  attach_one_default_qdisc+0x36/0x63
[ 1814.852232]  netdev_for_each_tx_queue+0x3d/0x48
[ 1814.852406]  dev_activate+0x4b/0x129
[ 1814.852569]  __dev_open+0xe7/0x104
[ 1814.852730]  __dev_change_flags+0xc6/0x15c
[ 1814.852899]  dev_change_flags+0x25/0x59
[ 1814.853064]  do_setlink+0x30c/0xb3f
[ 1814.853228]  ? check_chain_key+0xb0/0xfd
[ 1814.853396]  ? check_chain_key+0xb0/0xfd
[ 1814.853565]  rtnl_newlink+0x3a4/0x729
[ 1814.853728]  ? rtnl_newlink+0x117/0x729
[ 1814.853905]  ? ns_capable_common+0xd/0xb1
[ 1814.854072]  ? ns_capable+0x13/0x15
[ 1814.854234]  rtnetlink_rcv_msg+0x188/0x197
[ 1814.854404]  ? rcu_read_unlock+0x3e/0x5f
[ 1814.854572]  ? rtnl_newlink+0x729/0x729
[ 1814.854737]  netlink_rcv_skb+0x6c/0xce
[ 1814.854902]  rtnetlink_rcv+0x23/0x2a
[ 1814.855064]  netlink_unicast+0x103/0x181
[ 1814.855230]  netlink_sendmsg+0x326/0x337
[ 1814.855398]  sock_sendmsg_nosec+0x14/0x3f
[ 1814.855584]  sock_sendmsg+0x29/0x2e
[ 1814.855747]  ___sys_sendmsg+0x209/0x28b
[ 1814.855912]  ? do_raw_spin_unlock+0xcd/0xf8
[ 1814.856082]  ? _raw_spin_unlock+0x27/0x31
[ 1814.856251]  ? __handle_mm_fault+0x651/0xdb1
[ 1814.856421]  ? check_chain_key+0xb0/0xfd
[ 1814.856592]  __sys_sendmsg+0x45/0x63
[ 1814.856755]  ? __sys_sendmsg+0x45/0x63
[ 1814.856923]  SyS_sendmsg+0x19/0x1b
[ 1814.857083]  entry_SYSCALL_64_fastpath+0x23/0xc2
[ 1814.857256] RIP: 0033:0x7f733b2dd690
[ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
[ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
[ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
[ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
[ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
[ 1814.859267]  ? trace_hardirqs_off_caller+0xa7/0xcf
[ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3
31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b
45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
[ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
[ 1814.860214] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_netem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -956,11 +956,11 @@ static int netem_init(struct Qdisc *sch,
 	struct netem_sched_data *q = qdisc_priv(sch);
 	int ret;
 
+	qdisc_watchdog_init(&q->watchdog, sch);
+
 	if (!opt)
 		return -EINVAL;
 
-	qdisc_watchdog_init(&q->watchdog, sch);
-
 	q->loss_model = CLG_RANDOM;
 	ret = netem_change(sch, opt);
 	if (ret)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 193/294] ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 139/294] net: bcmgenet: Be drop monitor friendly Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 220/294] ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk() Ben Hutchings
                   ` (188 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Andrey Konovalov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 upstream.

When a USB-audio device receives a maliciously adjusted or corrupted
buffer descriptor, the USB-audio driver may access an out-of-bounce
value at its parser.  This was detected by syzkaller, something like:

  BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
  Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
  CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: usb_hub_wq hub_event
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x22f/0x340 mm/kasan/report.c:409
   __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
   snd_usb_create_streams sound/usb/card.c:248
   usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
   generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
   usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
   really_probe drivers/base/dd.c:413
   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
   device_add+0xd0b/0x1660 drivers/base/core.c:1835
   usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
   hub_port_connect drivers/usb/core/hub.c:4903
   hub_port_connect_change drivers/usb/core/hub.c:5009
   port_event drivers/usb/core/hub.c:5115
   hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
   process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
   worker_thread+0x221/0x1850 kernel/workqueue.c:2253
   kthread+0x3a1/0x470 kernel/kthread.c:231
   ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

This patch adds the checks of out-of-bounce accesses at appropriate
places and bails out when it goes out of the given buffer.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/card.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -219,6 +219,7 @@ static int snd_usb_create_streams(struct
 	struct usb_interface_descriptor *altsd;
 	void *control_header;
 	int i, protocol;
+	int rest_bytes;
 
 	/* find audiocontrol interface */
 	host_iface = &usb_ifnum_to_if(dev, ctrlif)->altsetting[0];
@@ -233,6 +234,15 @@ static int snd_usb_create_streams(struct
 		return -EINVAL;
 	}
 
+	rest_bytes = (void *)(host_iface->extra + host_iface->extralen) -
+		control_header;
+
+	/* just to be sure -- this shouldn't hit at all */
+	if (rest_bytes <= 0) {
+		dev_err(&dev->dev, "invalid control header\n");
+		return -EINVAL;
+	}
+
 	switch (protocol) {
 	default:
 		dev_warn(&dev->dev,
@@ -243,11 +253,21 @@ static int snd_usb_create_streams(struct
 	case UAC_VERSION_1: {
 		struct uac1_ac_header_descriptor *h1 = control_header;
 
+		if (rest_bytes < sizeof(*h1)) {
+			dev_err(&dev->dev, "too short v1 buffer descriptor\n");
+			return -EINVAL;
+		}
+
 		if (!h1->bInCollection) {
 			dev_info(&dev->dev, "skipping empty audio interface (v1)\n");
 			return -EINVAL;
 		}
 
+		if (rest_bytes < h1->bLength) {
+			dev_err(&dev->dev, "invalid buffer length (v1)\n");
+			return -EINVAL;
+		}
+
 		if (h1->bLength < sizeof(*h1) + h1->bInCollection) {
 			dev_err(&dev->dev, "invalid UAC_HEADER (v1)\n");
 			return -EINVAL;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 191/294] packet: in packet_do_bind, test fanout with bind_lock held
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 255/294] iwlegacy: avoid warning about missing braces Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 214/294] infiniband: mlx5: avoid a compile-time warning Ben Hutchings
                   ` (177 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Willem de Bruijn, Eric Dumazet, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

commit 4971613c1639d8e5f102c4e797c3bf8f83a5a69e upstream.

Once a socket has po->fanout set, it remains a member of the group
until it is destroyed. The prot_hook must be constant and identical
across sockets in the group.

If fanout_add races with packet_do_bind between the test of po->fanout
and taking the lock, the bind call may make type or dev inconsistent
with that of the fanout group.

Hold po->bind_lock when testing po->fanout to avoid this race.

I had to introduce artificial delay (local_bh_enable) to actually
observe the race.

Fixes: dc99f600698d ("packet: Add fanout support.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2696,13 +2696,15 @@ static int packet_do_bind(struct sock *s
 	int ret = 0;
 	bool unlisted = false;
 
-	if (po->fanout)
-		return -EINVAL;
-
 	lock_sock(sk);
 	spin_lock(&po->bind_lock);
 	rcu_read_lock();
 
+	if (po->fanout) {
+		ret = -EINVAL;
+		goto out_unlock;
+	}
+
 	if (name) {
 		dev = dev_get_by_name_rcu(sock_net(sk), name);
 		if (!dev) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 277/294] MIPS: BMIPS: Fix ".previous without corresponding .section" warnings
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
                   ` (294 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kevin Cernekee, jfraser, linux-mips, f.fainelli,
	Arnd Bergmann, mbizon, Ralf Baechle, devicetree, jogo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Cernekee <cernekee@gmail.com>

commit 4ec8f9e9b08451303253249e4e302f10ee23d565 upstream.

Commit 078a55fc824c1 ("Delete __cpuinit/__CPUINIT usage from MIPS code")
removed our __CPUINIT directives, so now the ".previous" directives
are superfluous.  Remove them.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Cc: f.fainelli@gmail.com
Cc: mbizon@freebox.fr
Cc: jogo@openwrt.org
Cc: jfraser@broadcom.com
Cc: linux-mips@linux-mips.org
Cc: devicetree@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/8156/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/bmips_vec.S | 3 ---
 1 file changed, 3 deletions(-)

--- a/arch/mips/kernel/bmips_vec.S
+++ b/arch/mips/kernel/bmips_vec.S
@@ -211,7 +211,6 @@ bmips_reset_nmi_vec_end:
 END(bmips_reset_nmi_vec)
 
 	.set	pop
-	.previous
 
 /***********************************************************************
  * CPU1 warm restart vector (used for second and subsequent boots).
@@ -286,5 +285,3 @@ LEAF(bmips_enable_xks01)
 	jr	ra
 
 END(bmips_enable_xks01)
-
-	.previous

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 184/294] fix unbalanced page refcounting in bio_map_user_iov
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 149/294] r8169: Be drop monitor friendly Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 116/294] ipv4: fix NULL dereference in free_fib_info_rcu() Ben Hutchings
                   ` (74 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Vitaly Mayatskikh

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vitaly Mayatskikh <v.mayatskih@gmail.com>

commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream.

bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
IO vector has small consecutive buffers belonging to the same page.
bio_add_pc_page merges them into one, but the page reference is never
dropped.

Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/bio.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/block/bio.c
+++ b/block/bio.c
@@ -1337,6 +1337,7 @@ static struct bio *__bio_map_user_iov(st
 		offset = uaddr & ~PAGE_MASK;
 		for (j = cur_page; j < page_limit; j++) {
 			unsigned int bytes = PAGE_SIZE - offset;
+			unsigned short prev_bi_vcnt = bio->bi_vcnt;
 
 			if (len <= 0)
 				break;
@@ -1351,6 +1352,13 @@ static struct bio *__bio_map_user_iov(st
 					    bytes)
 				break;
 
+			/*
+			 * check if vector was merged with previous
+			 * drop page reference if needed
+			 */
+			if (bio->bi_vcnt == prev_bi_vcnt)
+				put_page(pages[j]);
+
 			len -= bytes;
 			offset = 0;
 		}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 194/294] USB: uas: fix bug in handling of alternate settings
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (271 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 011/294] net: bcmgenet: simplify __bcmgenet_tx_reclaim() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 034/294] workqueue: restore WQ_UNBOUND/max_active==1 to be ordered Ben Hutchings
                   ` (22 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Stern, Andrey Konovalov, Greg Kroah-Hartman, Oliver Neukum

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 786de92b3cb26012d3d0f00ee37adf14527f35c4 upstream.

The uas driver has a subtle bug in the way it handles alternate
settings.  The uas_find_uas_alt_setting() routine returns an
altsetting value (the bAlternateSetting number in the descriptor), but
uas_use_uas_driver() then treats that value as an index to the
intf->altsetting array, which it isn't.

Normally this doesn't cause any problems because the various
alternate settings have bAlternateSetting values 0, 1, 2, ..., so the
value is equal to the index in the array.  But this is not guaranteed,
and Andrey Konovalov used the syzkaller fuzzer with KASAN to get a
slab-out-of-bounds error by violating this assumption.

This patch fixes the bug by making uas_find_uas_alt_setting() return a
pointer to the altsetting entry rather than either the value or the
index.  Pointers are less subject to misinterpretation.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
CC: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/uas-detect.h | 15 ++++++++-------
 drivers/usb/storage/uas.c        | 10 +++++-----
 2 files changed, 13 insertions(+), 12 deletions(-)

--- a/drivers/usb/storage/uas-detect.h
+++ b/drivers/usb/storage/uas-detect.h
@@ -9,7 +9,8 @@ static int uas_is_interface(struct usb_h
 		intf->desc.bInterfaceProtocol == USB_PR_UAS);
 }
 
-static int uas_find_uas_alt_setting(struct usb_interface *intf)
+static struct usb_host_interface *uas_find_uas_alt_setting(
+		struct usb_interface *intf)
 {
 	int i;
 
@@ -17,10 +18,10 @@ static int uas_find_uas_alt_setting(stru
 		struct usb_host_interface *alt = &intf->altsetting[i];
 
 		if (uas_is_interface(alt))
-			return alt->desc.bAlternateSetting;
+			return alt;
 	}
 
-	return -ENODEV;
+	return NULL;
 }
 
 static int uas_find_endpoints(struct usb_host_interface *alt,
@@ -58,14 +59,14 @@ static int uas_use_uas_driver(struct usb
 	struct usb_device *udev = interface_to_usbdev(intf);
 	struct usb_hcd *hcd = bus_to_hcd(udev->bus);
 	unsigned long flags = id->driver_info;
-	int r, alt;
-
+	struct usb_host_interface *alt;
+	int r;
 
 	alt = uas_find_uas_alt_setting(intf);
-	if (alt < 0)
+	if (!alt)
 		return 0;
 
-	r = uas_find_endpoints(&intf->altsetting[alt], eps);
+	r = uas_find_endpoints(alt, eps);
 	if (r < 0)
 		return 0;
 
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -1034,14 +1034,14 @@ MODULE_DEVICE_TABLE(usb, uas_usb_ids);
 static int uas_switch_interface(struct usb_device *udev,
 				struct usb_interface *intf)
 {
-	int alt;
+	struct usb_host_interface *alt;
 
 	alt = uas_find_uas_alt_setting(intf);
-	if (alt < 0)
-		return alt;
+	if (!alt)
+		return -ENODEV;
 
-	return usb_set_interface(udev,
-			intf->altsetting[0].desc.bInterfaceNumber, alt);
+	return usb_set_interface(udev, alt->desc.bInterfaceNumber,
+			alt->desc.bAlternateSetting);
 }
 
 static int uas_configure_endpoints(struct uas_dev_info *devinfo)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 183/294] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 047/294] RDMA/ocrdma: Fix error codes in ocrdma_create_srq() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 063/294] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Ben Hutchings
                   ` (272 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arend Van Spriel, Kevin Cernekee, Pieter-Paul Giesberts,
	Franky Lin, Hante Meuleman, Kalle Valo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream.

Upon handling the firmware notification for scans the length was
checked properly and may result in corrupting kernel heap memory
due to buffer overruns. This fix addresses CVE-2017-0786.

Cc: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - Use WL_ESCAN_BUF_SIZE instead of BRCMF_ESCAN_BUF_SIZE
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../wireless/brcm80211/brcmfmac/wl_cfg80211.c    | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -2692,6 +2692,7 @@ brcmf_cfg80211_escan_handler(struct brcm
 	s32 status;
 	s32 err = 0;
 	struct brcmf_escan_result_le *escan_result_le;
+	u32 escan_buflen;
 	struct brcmf_bss_info_le *bss_info_le;
 	struct brcmf_bss_info_le *bss = NULL;
 	u32 bi_length;
@@ -2708,11 +2709,23 @@ brcmf_cfg80211_escan_handler(struct brcm
 
 	if (status == BRCMF_E_STATUS_PARTIAL) {
 		brcmf_dbg(SCAN, "ESCAN Partial result\n");
+		if (e->datalen < sizeof(*escan_result_le)) {
+			brcmf_err("invalid event data length\n");
+			goto exit;
+		}
 		escan_result_le = (struct brcmf_escan_result_le *) data;
 		if (!escan_result_le) {
 			brcmf_err("Invalid escan result (NULL pointer)\n");
 			goto exit;
 		}
+		escan_buflen = le32_to_cpu(escan_result_le->buflen);
+		if (escan_buflen > WL_ESCAN_BUF_SIZE ||
+		    escan_buflen > e->datalen ||
+		    escan_buflen < sizeof(*escan_result_le)) {
+			brcmf_err("Invalid escan buffer length: %d\n",
+				  escan_buflen);
+			goto exit;
+		}
 		if (le16_to_cpu(escan_result_le->bss_count) != 1) {
 			brcmf_err("Invalid bss_count %d: ignoring\n",
 				  escan_result_le->bss_count);
@@ -2729,9 +2742,8 @@ brcmf_cfg80211_escan_handler(struct brcm
 		}
 
 		bi_length = le32_to_cpu(bss_info_le->length);
-		if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
-					WL_ESCAN_RESULTS_FIXED_SIZE)) {
-			brcmf_err("Invalid bss_info length %d: ignoring\n",
+		if (bi_length != escan_buflen -	WL_ESCAN_RESULTS_FIXED_SIZE) {
+			brcmf_err("Ignoring invalid bss_info length: %d\n",
 				  bi_length);
 			goto exit;
 		}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 187/294] mac80211: accept key reinstall without changing anything
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (186 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 212/294] gfs2: remove IS_ERR_VALUE abuse Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 181/294] epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() Ben Hutchings
                   ` (107 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit fdf7cb4185b60c68e1a75e61691c4afdc15dea0e upstream.

When a key is reinstalled we can reset the replay counters
etc. which can lead to nonce reuse and/or replay detection
being impossible, breaking security properties, as described
in the "KRACK attacks".

In particular, CVE-2017-13080 applies to GTK rekeying that
happened in firmware while the host is in D3, with the second
part of the attack being done after the host wakes up. In
this case, the wpa_supplicant mitigation isn't sufficient
since wpa_supplicant doesn't know the GTK material.

In case this happens, simply silently accept the new key
coming from userspace but don't take any action on it since
it's the same key; this keeps the PN replay counters intact.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/key.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -3,6 +3,7 @@
  * Copyright 2005-2006, Devicescape Software, Inc.
  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
  * Copyright 2007-2008	Johannes Berg <johannes@sipsolutions.net>
+ * Copyright 2017	Intel Deutschland GmbH
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -487,9 +488,6 @@ int ieee80211_key_link(struct ieee80211_
 
 	pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
 	idx = key->conf.keyidx;
-	key->local = sdata->local;
-	key->sdata = sdata;
-	key->sta = sta;
 
 	mutex_lock(&sdata->local->key_mtx);
 
@@ -500,6 +498,21 @@ int ieee80211_key_link(struct ieee80211_
 	else
 		old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
 
+	/*
+	 * Silently accept key re-installation without really installing the
+	 * new version of the key to avoid nonce reuse or replay issues.
+	 */
+	if (old_key && key->conf.keylen == old_key->conf.keylen &&
+	    !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
+		ieee80211_key_free_unused(key);
+		ret = 0;
+		goto out;
+	}
+
+	key->local = sdata->local;
+	key->sdata = sdata;
+	key->sta = sta;
+
 	increment_tailroom_need_count(sdata);
 
 	ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
@@ -515,6 +528,7 @@ int ieee80211_key_link(struct ieee80211_
 		ret = 0;
 	}
 
+ out:
 	mutex_unlock(&sdata->local->key_mtx);
 
 	return ret;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 177/294] sch_fq_codel: avoid double free on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 159/294] l2tp: hold tunnel while handling genl tunnel updates Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 168/294] i2c: ismt: Return EMSGSIZE for block reads with bogus length Ben Hutchings
                   ` (288 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Nikolay Aleksandrov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 30c31d746d0eb458ae327f522bc8e4c44cbea0f0 upstream.

It is very unlikely to happen but the backlogs memory allocation
could fail and will free q->flows, but then ->destroy() will free
q->flows too. For correctness remove the first free and let ->destroy
clean up.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: fq_codel used different alloc/free functions]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_fq_codel.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -411,10 +411,8 @@ static int fq_codel_init(struct Qdisc *s
 		if (!q->flows)
 			return -ENOMEM;
 		q->backlogs = fq_codel_zalloc(q->flows_cnt * sizeof(u32));
-		if (!q->backlogs) {
-			fq_codel_free(q->flows);
+		if (!q->backlogs)
 			return -ENOMEM;
-		}
 		for (i = 0; i < q->flows_cnt; i++) {
 			struct fq_codel_flow *flow = q->flows + i;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 195/294] USB: fix out-of-bounds in usb_set_configuration
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (156 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 287/294] drbd: avoid redefinition of BITS_PER_PAGE Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 239/294] paride: fix the "verbose" module param Ben Hutchings
                   ` (137 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Andrey Konovalov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb upstream.

Andrey Konovalov reported a possible out-of-bounds problem for a USB interface
association descriptor.  He writes:
	It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION
	descriptor. It's only checked that the size is >= 2 in
	usb_parse_configuration(), so find_iad() might do out-of-bounds access
	to intf_assoc->bInterfaceCount.

And he's right, we don't check for crazy descriptors of this type very well, so
resolve this problem.  Yet another issue found by syzkaller...

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c    | 14 +++++++++++---
 include/uapi/linux/usb/ch9.h |  1 +
 2 files changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -607,15 +607,23 @@ static int usb_parse_configuration(struc
 
 		} else if (header->bDescriptorType ==
 				USB_DT_INTERFACE_ASSOCIATION) {
+			struct usb_interface_assoc_descriptor *d;
+
+			d = (struct usb_interface_assoc_descriptor *)header;
+			if (d->bLength < USB_DT_INTERFACE_ASSOCIATION_SIZE) {
+				dev_warn(ddev,
+					 "config %d has an invalid interface association descriptor of length %d, skipping\n",
+					 cfgno, d->bLength);
+				continue;
+			}
+
 			if (iad_num == USB_MAXIADS) {
 				dev_warn(ddev, "found more Interface "
 					       "Association Descriptors "
 					       "than allocated for in "
 					       "configuration %d\n", cfgno);
 			} else {
-				config->intf_assoc[iad_num] =
-					(struct usb_interface_assoc_descriptor
-					*)header;
+				config->intf_assoc[iad_num] = d;
 				iad_num++;
 			}
 
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -724,6 +724,7 @@ struct usb_interface_assoc_descriptor {
 	__u8  iFunction;
 } __attribute__ ((packed));
 
+#define USB_DT_INTERFACE_ASSOCIATION_SIZE	8
 
 /*-------------------------------------------------------------------------*/
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 189/294] KEYS: don't let add_key() update an uninstantiated key
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (275 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 005/294] perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 068/294] sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() Ben Hutchings
                   ` (18 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.

Currently, when passed a key that already exists, add_key() will call the
key's ->update() method if such exists.  But this is heavily broken in the
case where the key is uninstantiated because it doesn't call
__key_instantiate_and_link().  Consequently, it doesn't do most of the
things that are supposed to happen when the key is instantiated, such as
setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
awakening tasks waiting on it, and incrementing key->user->nikeys.

It also never takes key_construction_mutex, which means that
->instantiate() can run concurrently with ->update() on the same key.  In
the case of the "user" and "logon" key types this causes a memory leak, at
best.  Maybe even worse, the ->update() methods of the "encrypted" and
"trusted" key types actually just dereference a NULL pointer when passed an
uninstantiated key.

Change key_create_or_update() to wait interruptibly for the key to finish
construction before continuing.

This patch only affects *uninstantiated* keys.  For now we still allow a
negatively instantiated key to be updated (thereby positively
instantiating it), although that's broken too (the next patch fixes it)
and I'm not sure that anyone actually uses that functionality either.

Here is a simple reproducer for the bug using the "encrypted" key type
(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
pertained to more than just the "encrypted" key type:

    #include <stdlib.h>
    #include <unistd.h>
    #include <keyutils.h>

    int main(void)
    {
        int ringid = keyctl_join_session_keyring(NULL);

        if (fork()) {
            for (;;) {
                const char payload[] = "update user:foo 32";

                usleep(rand() % 10000);
                add_key("encrypted", "desc", payload, sizeof(payload), ringid);
                keyctl_clear(ringid);
            }
        } else {
            for (;;)
                request_key("encrypted", "desc", "callout_info", ringid);
        }
    }

It causes:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    IP: encrypted_update+0xb0/0x170
    PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
    PREEMPT SMP
    CPU: 0 PID: 340 Comm: reproduce Tainted: G      D         4.14.0-rc1-00025-g428490e38b2e #796
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    task: ffff8a467a39a340 task.stack: ffffb15c40770000
    RIP: 0010:encrypted_update+0xb0/0x170
    RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
    RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
    RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
    R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
    FS:  00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
    Call Trace:
     key_create_or_update+0x2bc/0x460
     SyS_add_key+0x10c/0x1d0
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x7f5d7f211259
    RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
    RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
    RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
    RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
    R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
    R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
    Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
    RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
    CR2: 0000000000000018

Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/keys/key.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -901,6 +901,16 @@ error:
 	 */
 	__key_link_end(keyring, &index_key, edit);
 
+	key = key_ref_to_ptr(key_ref);
+	if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) {
+		ret = wait_for_key_construction(key, true);
+		if (ret < 0) {
+			key_ref_put(key_ref);
+			key_ref = ERR_PTR(ret);
+			goto error_free_prep;
+		}
+	}
+
 	key_ref = __key_update(key_ref, &prep);
 	goto error_free_prep;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 185/294] KEYS: prevent KEYCTL_READ on negative key
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 078/294] iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 229/294] tty: nozomi: avoid a harmless gcc warning Ben Hutchings
                   ` (214 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 37863c43b2c6464f252862bf2e9768264e961678 upstream.

Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key.  If the key is
also possessed, we went ahead and called ->read() on the key.  But the
key payload will actually contain the ->reject_error rather than the
normal payload.  Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...

Reproducer:
    keyctl new_session
    keyctl request2 user desc '' @s
    keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

It causes a crash like the following:
     BUG: unable to handle kernel paging request at 00000000ffffff92
     IP: user_read+0x33/0xa0
     PGD 36a54067 P4D 36a54067 PUD 0
     Oops: 0000 [#1] SMP
     CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
     task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
     RIP: 0010:user_read+0x33/0xa0
     RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
     RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
     RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
     RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
     R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
     R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
     FS:  00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
     Call Trace:
      keyctl_read_key+0xac/0xe0
      SyS_keyctl+0x99/0x120
      entry_SYSCALL_64_fastpath+0x1f/0xbe
     RIP: 0033:0x7f58ec787bb9
     RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
     RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
     RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
     RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
     R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
     R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
     Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
     RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
     CR2: 00000000ffffff92

Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/keys/keyctl.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -735,6 +735,11 @@ long keyctl_read_key(key_serial_t keyid,
 
 	key = key_ref_to_ptr(key_ref);
 
+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+		ret = -ENOKEY;
+		goto error2;
+	}
+
 	/* see if we can read it directly */
 	ret = key_permission(key_ref, KEY_NEED_READ);
 	if (ret == 0)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 175/294] sch_hfsc: fix null pointer deref and double free on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 155/294] l2tp: initialise session's refcount before making it reachable Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 085/294] b44: Initialize 64-bit stats seqcount Ben Hutchings
                   ` (221 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nikolay Aleksandrov, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 3bdac362a2f89ed3e148fa6f38c5f5d858f50b1a upstream.

Depending on where ->init fails we can get a null pointer deref due to
uninitialized hires timer (watchdog) or a double free of the qdisc hash
because it is already freed by ->destroy().

Fixes: 8d5537387505 ("net/sched/hfsc: allocate tcf block for hfsc root class")
Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: sch_hfsc doesn't use a tcf block]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1432,6 +1432,8 @@ hfsc_init_qdisc(struct Qdisc *sch, struc
 	struct tc_hfsc_qopt *qopt;
 	int err;
 
+	qdisc_watchdog_init(&q->watchdog, sch);
+
 	if (opt == NULL || nla_len(opt) < sizeof(*qopt))
 		return -EINVAL;
 	qopt = nla_data(opt);
@@ -1457,8 +1459,6 @@ hfsc_init_qdisc(struct Qdisc *sch, struc
 	qdisc_class_hash_insert(&q->clhash, &q->root.cl_common);
 	qdisc_class_hash_grow(sch, &q->clhash);
 
-	qdisc_watchdog_init(&q->watchdog, sch);
-
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 179/294] sch_tbf: fix two null pointer dereferences on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 290/294] MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 132/294] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) Ben Hutchings
                   ` (149 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nikolay Aleksandrov, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.

sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy
callbacks but it may fail before the timer is initialized due to missing
options (either not supplied by user-space or set as a default qdisc),
also q->qdisc is used by ->reset and ->destroy so we need it initialized.

Reproduce:
$ sysctl net.core.default_qdisc=tbf
$ ip l set ethX up

Crash log:
[  959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[  959.160323] IP: qdisc_reset+0xa/0x5c
[  959.160400] PGD 59cdb067
[  959.160401] P4D 59cdb067
[  959.160466] PUD 59ccb067
[  959.160532] PMD 0
[  959.160597]
[  959.160706] Oops: 0000 [#1] SMP
[  959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
[  959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
[  959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[  959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000
[  959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
[  959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286
[  959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000
[  959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000
[  959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff
[  959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0
[  959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001
[  959.162546] FS:  00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
[  959.162844] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0
[  959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  959.163638] Call Trace:
[  959.163788]  tbf_reset+0x19/0x64 [sch_tbf]
[  959.163957]  qdisc_destroy+0x8b/0xe5
[  959.164119]  qdisc_create_dflt+0x86/0x94
[  959.164284]  ? dev_activate+0x129/0x129
[  959.164449]  attach_one_default_qdisc+0x36/0x63
[  959.164623]  netdev_for_each_tx_queue+0x3d/0x48
[  959.164795]  dev_activate+0x4b/0x129
[  959.164957]  __dev_open+0xe7/0x104
[  959.165118]  __dev_change_flags+0xc6/0x15c
[  959.165287]  dev_change_flags+0x25/0x59
[  959.165451]  do_setlink+0x30c/0xb3f
[  959.165613]  ? check_chain_key+0xb0/0xfd
[  959.165782]  rtnl_newlink+0x3a4/0x729
[  959.165947]  ? rtnl_newlink+0x117/0x729
[  959.166121]  ? ns_capable_common+0xd/0xb1
[  959.166288]  ? ns_capable+0x13/0x15
[  959.166450]  rtnetlink_rcv_msg+0x188/0x197
[  959.166617]  ? rcu_read_unlock+0x3e/0x5f
[  959.166783]  ? rtnl_newlink+0x729/0x729
[  959.166948]  netlink_rcv_skb+0x6c/0xce
[  959.167113]  rtnetlink_rcv+0x23/0x2a
[  959.167273]  netlink_unicast+0x103/0x181
[  959.167439]  netlink_sendmsg+0x326/0x337
[  959.167607]  sock_sendmsg_nosec+0x14/0x3f
[  959.167772]  sock_sendmsg+0x29/0x2e
[  959.167932]  ___sys_sendmsg+0x209/0x28b
[  959.168098]  ? do_raw_spin_unlock+0xcd/0xf8
[  959.168267]  ? _raw_spin_unlock+0x27/0x31
[  959.168432]  ? __handle_mm_fault+0x651/0xdb1
[  959.168602]  ? check_chain_key+0xb0/0xfd
[  959.168773]  __sys_sendmsg+0x45/0x63
[  959.168934]  ? __sys_sendmsg+0x45/0x63
[  959.169100]  SyS_sendmsg+0x19/0x1b
[  959.169260]  entry_SYSCALL_64_fastpath+0x23/0xc2
[  959.169432] RIP: 0033:0x7fcc5097e690
[  959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690
[  959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003
[  959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003
[  959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006
[  959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000
[  959.170900]  ? trace_hardirqs_off_caller+0xa7/0xcf
[  959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24
98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89
e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
[  959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610
[  959.171821] CR2: 0000000000000018

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_tbf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -431,12 +431,13 @@ static int tbf_init(struct Qdisc *sch, s
 {
 	struct tbf_sched_data *q = qdisc_priv(sch);
 
+	qdisc_watchdog_init(&q->watchdog, sch);
+	q->qdisc = &noop_qdisc;
+
 	if (opt == NULL)
 		return -EINVAL;
 
 	q->t_c = ktime_to_ns(ktime_get());
-	qdisc_watchdog_init(&q->watchdog, sch);
-	q->qdisc = &noop_qdisc;
 
 	return tbf_change(sch, opt);
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 182/294] cifs: check MaxPathNameComponentLength != 0 before using it
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 172/294] sch_htb: fix crash on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 233/294] scsi-tgt: fix type conversion warning Ben Hutchings
                   ` (64 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steve French, Ronnie Sahlberg, David Disseldorp

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit f74bc7c6679200a4a83156bb89cbf6c229fe8ec0 upstream.

And fix tcon leak in error path.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/dir.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -193,7 +193,8 @@ check_name(struct dentry *direntry, stru
 	struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
 	int i;
 
-	if (unlikely(direntry->d_name.len >
+	if (unlikely(tcon->fsAttrInfo.MaxPathNameComponentLength &&
+		     direntry->d_name.len >
 		     le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
 		return -ENAMETOOLONG;
 
@@ -509,7 +510,7 @@ cifs_atomic_open(struct inode *inode, st
 
 	rc = check_name(direntry, tcon);
 	if (rc)
-		goto out_free_xid;
+		goto out;
 
 	server = tcon->ses->server;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 192/294] ALSA: usb-audio: Kill stray URB at exiting
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 248/294] net: caif: fix misleading indentation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03   ` Ben Hutchings
                   ` (195 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andrey Konovalov, Takashi Iwai

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream.

USB-audio driver may leave a stray URB for the mixer interrupt when it
exits by some error during probe.  This leads to a use-after-free
error as spotted by syzkaller like:
  ==================================================================
  BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x23d/0x350 mm/kasan/report.c:409
   __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
   snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
   ....

  Allocated by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
   kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
   kmalloc ./include/linux/slab.h:493
   kzalloc ./include/linux/slab.h:666
   snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
   create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
   ....

  Freed by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
   slab_free_hook mm/slub.c:1390
   slab_free_freelist_hook mm/slub.c:1412
   slab_free mm/slub.c:2988
   kfree+0xf6/0x2f0 mm/slub.c:3919
   snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
   snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
   __snd_device_free+0x1ff/0x380 sound/core/device.c:91
   snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
   snd_card_do_free sound/core/init.c:461
   release_card_device+0x47/0x170 sound/core/init.c:181
   device_release+0x13f/0x210 drivers/base/core.c:814
   ....

Actually such a URB is killed properly at disconnection when the
device gets probed successfully, and what we need is to apply it for
the error-path, too.

In this patch, we apply snd_usb_mixer_disconnect() at releasing.
Also introduce a new flag, disconnected, to struct usb_mixer_interface
for not performing the disconnection procedure twice.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: snd_usb_mixer_disconnect() takes a pointer to
 usb_mixer_interface::list, not to usb_mixer_interface itself]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c | 12 ++++++++++--
 sound/usb/mixer.h |  2 ++
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2158,6 +2158,9 @@ static int parse_audio_unit(struct mixer
 
 static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
 {
+	/* kill pending URBs */
+	snd_usb_mixer_disconnect(&mixer->list);
+
 	kfree(mixer->id_elems);
 	if (mixer->urb) {
 		kfree(mixer->urb->transfer_buffer);
@@ -2494,8 +2497,13 @@ void snd_usb_mixer_disconnect(struct lis
 	struct usb_mixer_interface *mixer;
 
 	mixer = list_entry(p, struct usb_mixer_interface, list);
-	usb_kill_urb(mixer->urb);
-	usb_kill_urb(mixer->rc_urb);
+	if (mixer->disconnected)
+		return;
+	if (mixer->urb)
+		usb_kill_urb(mixer->urb);
+	if (mixer->rc_urb)
+		usb_kill_urb(mixer->rc_urb);
+	mixer->disconnected = true;
 }
 
 #ifdef CONFIG_PM
--- a/sound/usb/mixer.h
+++ b/sound/usb/mixer.h
@@ -23,6 +23,8 @@ struct usb_mixer_interface {
 
 	u8 audigy2nx_leds[3];
 	u8 xonar_u1_status;
+
+	bool disconnected;
 };
 
 #define MAX_CHANNELS	16	/* max logical channels */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 190/294] packet: hold bind lock when rebinding to fanout hook
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 214/294] infiniband: mlx5: avoid a compile-time warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 209/294] module: fix types of device tables aliases Ben Hutchings
                   ` (175 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Willem de Bruijn, nixioaming, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

commit 008ba2a13f2d04c947adc536d19debb8fe66f110 upstream.

Packet socket bind operations must hold the po->bind_lock. This keeps
po->running consistent with whether the socket is actually on a ptype
list to receive packets.

fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then
binds the fanout object to receive through packet_rcv_fanout.

Make it hold the po->bind_lock when testing po->running and rebinding.
Else, it can race with other rebind operations, such as that in
packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates
can result in a socket being added to a fanout group twice, causing
use-after-free KASAN bug reports, among others.

Reported independently by both trinity and syzkaller.
Verified that the syzkaller reproducer passes after this patch.

Fixes: dc99f600698d ("packet: Add fanout support.")
Reported-by: nixioaming <nixiaoming@huawei.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: use atomic_read() not refcount_read()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1459,10 +1459,6 @@ static int fanout_add(struct sock *sk, u
 
 	mutex_lock(&fanout_mutex);
 
-	err = -EINVAL;
-	if (!po->running)
-		goto out;
-
 	err = -EALREADY;
 	if (po->fanout)
 		goto out;
@@ -1499,7 +1495,10 @@ static int fanout_add(struct sock *sk, u
 		list_add(&match->list, &fanout_list);
 	}
 	err = -EINVAL;
-	if (match->type == type &&
+
+	spin_lock(&po->bind_lock);
+	if (po->running &&
+	    match->type == type &&
 	    match->prot_hook.type == po->prot_hook.type &&
 	    match->prot_hook.dev == po->prot_hook.dev) {
 		err = -ENOSPC;
@@ -1511,6 +1510,13 @@ static int fanout_add(struct sock *sk, u
 			err = 0;
 		}
 	}
+	spin_unlock(&po->bind_lock);
+
+	if (err && !atomic_read(&match->sk_ref)) {
+		list_del(&match->list);
+		kfree(match);
+	}
+
 out:
 	mutex_unlock(&fanout_mutex);
 	return err;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 180/294] wl1251: add a missing spin_lock_init()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 120/294] netxen: fix incorrect loop counter decrement Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 124/294] Input: trackpoint - add new trackpoint firmware ID Ben Hutchings
                   ` (28 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Cong Wang, Pavel Machek, David S. Miller, Kalle Valo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.

wl1251: add a missing spin_lock_init()

This fixes the following kernel warning:

 [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
 [ 5668.771850]  lock: 0xce63ef20, .magic: 00000000, .owner: <none>/-1,
 .owner_cpu: 0
 [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G        W
 4.12.0-03002-gec979a4-dirty #40
 [ 5668.772796] Hardware name: Nokia RX-51 board
 [ 5668.773071] Workqueue: phy1 wl1251_irq_work
 [ 5668.773345] [<c010c9e4>] (unwind_backtrace) from [<c010a274>]
 (show_stack+0x10/0x14)
 [ 5668.773803] [<c010a274>] (show_stack) from [<c01545a4>]
 (do_raw_spin_lock+0x6c/0xa0)
 [ 5668.774230] [<c01545a4>] (do_raw_spin_lock) from [<c06ca578>]
 (_raw_spin_lock_irqsave+0x10/0x18)
 [ 5668.774658] [<c06ca578>] (_raw_spin_lock_irqsave) from [<c048c010>]
 (wl1251_op_tx+0x38/0x5c)
 [ 5668.775115] [<c048c010>] (wl1251_op_tx) from [<c06a12e8>]
 (ieee80211_tx_frags+0x188/0x1c0)
 [ 5668.775543] [<c06a12e8>] (ieee80211_tx_frags) from [<c06a138c>]
 (__ieee80211_tx+0x6c/0x130)
 [ 5668.775970] [<c06a138c>] (__ieee80211_tx) from [<c06a3dbc>]
 (ieee80211_tx+0xdc/0x104)
 [ 5668.776367] [<c06a3dbc>] (ieee80211_tx) from [<c06a4af0>]
 (__ieee80211_subif_start_xmit+0x454/0x8c8)
 [ 5668.776824] [<c06a4af0>] (__ieee80211_subif_start_xmit) from
 [<c06a4f94>] (ieee80211_subif_start_xmit+0x30/0x2fc)
 [ 5668.777343] [<c06a4f94>] (ieee80211_subif_start_xmit) from
 [<c0578848>] (dev_hard_start_xmit+0x80/0x118)
...

    by adding the missing spin_lock_init().

Reported-by: Pavel Machek <pavel@ucw.cz>
Cc: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ti/wl1251/main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/ti/wl1251/main.c
+++ b/drivers/net/wireless/ti/wl1251/main.c
@@ -1571,6 +1571,7 @@ struct ieee80211_hw *wl1251_alloc_hw(voi
 
 	wl->state = WL1251_STATE_OFF;
 	mutex_init(&wl->mutex);
+	spin_lock_init(&wl->wl_lock);
 
 	wl->tx_mgmt_frm_rate = DEFAULT_HW_GEN_TX_RATE;
 	wl->tx_mgmt_frm_mod = DEFAULT_HW_GEN_MODULATION_TYPE;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 260/294] video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (262 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 106/294] x86/asm/64: Clear AC on NMI entries Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 280/294] MIPS: ip22: Fix ip28 build for modern gcc Ben Hutchings
                   ` (31 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tomi Valkeinen, Alexander Stein,
	Jean-Christophe Plagniol-Villard, Arnd Bergmann, linux-fbdev

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 9c8ee3c7341393811d5be5eb61b815e76f92c799 upstream.

Commit 7edaa761ee81b ("video: mx3fb: Add backlight control support")
changed the mx3fb driver so it always selects the BACKLIGHT_CLASS_DEVICE
symbol, but that is hidden behind BACKLIGHT_LCD_SUPPORT in Kconfig, so
we get a Kconfig warning for multi_v5_defconfig, which doesn't have that:

Warning: (DRM_RADEON && DRM_NOUVEAU && DRM_I915 && DRM_GMA500 &&
DRM_SHMOBILE && DRM_TILCDC && FB_BACKLIGHT && FB_MX3 && USB_APPLEDISPLAY
&& FB_OLPC_DCON && ASUS_LAPTOP && SONY_LAPTOP && THINKPAD_ACPI &&
EEEPC_LAPTOP && ACPI_CMPC && SAMSUNG_Q10) selects BACKLIGHT_CLASS_DEVICE
which has unmet direct dependencies (HAS_IOMEM && BACKLIGHT_LCD_SUPPORT)

This makes sure we always enable both symbols together for mx3fb, like
we do for the other drivers that can't be built without backlight
support. Note that a better solution would be to ensure the driver can
work with or without backlight support.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Alexander Stein <alexander.stein@systec-electronic.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: linux-fbdev@vger.kernel.org
Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/Kconfig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -2330,10 +2330,11 @@ config FB_MSM
 config FB_MX3
 	tristate "MX3 Framebuffer support"
 	depends on FB && MX3_IPU
+	select BACKLIGHT_CLASS_DEVICE
+	select BACKLIGHT_LCD_SUPPORT
 	select FB_CFB_FILLRECT
 	select FB_CFB_COPYAREA
 	select FB_CFB_IMAGEBLIT
-	select BACKLIGHT_CLASS_DEVICE
 	default y
 	help
 	  This is a framebuffer device for the i.MX31 LCD Controller. So

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 188/294] ALSA: seq: Fix use-after-free at creating a port
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (257 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 293/294] MIPS: Fix a warning for virt_to_page Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 256/294] brcmfmac: avoid gcc-5.1 warning Ben Hutchings
                   ` (36 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Linus Torvalds

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 71105998845fb012937332fe2e806d443c09e026 upstream.

There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

 BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
 =============================================================================
 BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
 -----------------------------------------------------------------------------
 INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 	___slab_alloc+0x425/0x460
 	__slab_alloc+0x20/0x40
  	kmem_cache_alloc_trace+0x150/0x190
	snd_seq_create_port+0x94/0x9b0 [snd_seq]
	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 	__slab_free+0x204/0x310
 	kfree+0x15f/0x180
 	port_delete+0x136/0x1a0 [snd_seq]
 	snd_seq_delete_port+0x235/0x350 [snd_seq]
 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 Call Trace:
  [<ffffffff81b03781>] dump_stack+0x63/0x82
  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
  [<ffffffff81536db4>] object_err+0x34/0x40
  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
  .....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use.  Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_clientmgr.c | 6 +++++-
 sound/core/seq/seq_ports.c     | 7 +++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1260,6 +1260,7 @@ static int snd_seq_ioctl_create_port(str
 	struct snd_seq_client_port *port;
 	struct snd_seq_port_info info;
 	struct snd_seq_port_callback *callback;
+	int port_idx;
 
 	if (copy_from_user(&info, arg, sizeof(info)))
 		return -EFAULT;
@@ -1273,7 +1274,9 @@ static int snd_seq_ioctl_create_port(str
 		return -ENOMEM;
 
 	if (client->type == USER_CLIENT && info.kernel) {
-		snd_seq_delete_port(client, port->addr.port);
+		port_idx = port->addr.port;
+		snd_seq_port_unlock(port);
+		snd_seq_delete_port(client, port_idx);
 		return -EINVAL;
 	}
 	if (client->type == KERNEL_CLIENT) {
@@ -1295,6 +1298,7 @@ static int snd_seq_ioctl_create_port(str
 
 	snd_seq_set_port_info(port, &info);
 	snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
+	snd_seq_port_unlock(port);
 
 	if (copy_to_user(arg, &info, sizeof(info)))
 		return -EFAULT;
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -122,7 +122,9 @@ static void port_subs_info_init(struct s
 }
 
 
-/* create a port, port number is returned (-1 on failure) */
+/* create a port, port number is returned (-1 on failure);
+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
+ */
 struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
 						int port)
 {
@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_crea
 	snd_use_lock_init(&new_port->use_lock);
 	port_subs_info_init(&new_port->c_src);
 	port_subs_info_init(&new_port->c_dest);
+	snd_use_lock_use(&new_port->use_lock);
 
 	num = port >= 0 ? port : 0;
 	mutex_lock(&client->ports_mutex);
@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_crea
 	list_add_tail(&new_port->list, &p->list);
 	client->num_ports++;
 	new_port->addr.port = num;	/* store the port number in the port */
+	sprintf(new_port->name, "port-%d", num);
 	write_unlock_irqrestore(&client->ports_lock, flags);
 	mutex_unlock(&client->ports_mutex);
-	sprintf(new_port->name, "port-%d", num);
 
 	return new_port;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 174/294] sch_hhf: fix null pointer dereference on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 217/294] Input: joystick - use get_cycles on ARMv8 Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 169/294] CIFS: Fix maximum SMB2 header size Ben Hutchings
                   ` (142 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Nikolay Aleksandrov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream.

If sch_hhf fails in its ->init() function (either due to wrong
user-space arguments as below or memory alloc failure of hh_flows) it
will do a null pointer deref of q->hh_flows in its ->destroy() function.

To reproduce the crash:
$ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000

Crash log:
[  690.654882] BUG: unable to handle kernel NULL pointer dereference at (null)
[  690.655565] IP: hhf_destroy+0x48/0xbc
[  690.655944] PGD 37345067
[  690.655948] P4D 37345067
[  690.656252] PUD 58402067
[  690.656554] PMD 0
[  690.656857]
[  690.657362] Oops: 0000 [#1] SMP
[  690.657696] Modules linked in:
[  690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57
[  690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[  690.659255] task: ffff880058578000 task.stack: ffff88005acbc000
[  690.659747] RIP: 0010:hhf_destroy+0x48/0xbc
[  690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246
[  690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
[  690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0
[  690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000
[  690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea
[  690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000
[  690.663769] FS:  00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[  690.667069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0
[  690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  690.671003] Call Trace:
[  690.671743]  qdisc_create+0x377/0x3fd
[  690.672534]  tc_modify_qdisc+0x4d2/0x4fd
[  690.673324]  rtnetlink_rcv_msg+0x188/0x197
[  690.674204]  ? rcu_read_unlock+0x3e/0x5f
[  690.675091]  ? rtnl_newlink+0x729/0x729
[  690.675877]  netlink_rcv_skb+0x6c/0xce
[  690.676648]  rtnetlink_rcv+0x23/0x2a
[  690.677405]  netlink_unicast+0x103/0x181
[  690.678179]  netlink_sendmsg+0x326/0x337
[  690.678958]  sock_sendmsg_nosec+0x14/0x3f
[  690.679743]  sock_sendmsg+0x29/0x2e
[  690.680506]  ___sys_sendmsg+0x209/0x28b
[  690.681283]  ? __handle_mm_fault+0xc7d/0xdb1
[  690.681915]  ? check_chain_key+0xb0/0xfd
[  690.682449]  __sys_sendmsg+0x45/0x63
[  690.682954]  ? __sys_sendmsg+0x45/0x63
[  690.683471]  SyS_sendmsg+0x19/0x1b
[  690.683974]  entry_SYSCALL_64_fastpath+0x23/0xc2
[  690.684516] RIP: 0033:0x7f8ae529d690
[  690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690
[  690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003
[  690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000
[  690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002
[  690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000
[  690.688475]  ? trace_hardirqs_off_caller+0xa7/0xcf
[  690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83
c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02
00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1
[  690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0
[  690.690636] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_hhf.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -509,6 +509,9 @@ static void hhf_destroy(struct Qdisc *sc
 		hhf_free(q->hhf_valid_bits[i]);
 	}
 
+	if (!q->hh_flows)
+		return;
+
 	for (i = 0; i < HH_FLOWS_CNT; i++) {
 		struct hh_flow_state *flow, *next;
 		struct list_head *head = &q->hh_flows[i];

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 181/294] epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (187 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 187/294] mac80211: accept key reinstall without changing anything Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 279/294] MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression Ben Hutchings
                   ` (106 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, 范龙飞, Oleg Nesterov, Linus Torvalds

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit 138e4ad67afd5c6c318b056b4d17c17f2c0ca5c0 upstream.

The race was introduced by me in commit 971316f0503a ("epoll:
ep_unregister_pollwait() can use the freed pwq->whead").  I did not
realize that nothing can protect eventpoll after ep_poll_callback() sets
->whead = NULL, only whead->lock can save us from the race with
ep_free() or ep_remove().

Move ->whead = NULL to the end of ep_poll_callback() and add the
necessary barriers.

TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
before this patch.

Hopefully this explains use-after-free reported by syzcaller:

	BUG: KASAN: use-after-free in debug_spin_lock_before
	...
	 _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
	 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148

this is spin_lock(eventpoll->lock),

	...
	Freed by task 17774:
	...
	 kfree+0xe8/0x2c0 mm/slub.c:3883
	 ep_free+0x22c/0x2a0 fs/eventpoll.c:865

Fixes: 971316f0503a ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
Reported-by: 范龙飞 <long7573@126.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: EPOLLEXCLUSIVE is not supported]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -518,8 +518,13 @@ static void ep_remove_wait_queue(struct
 	wait_queue_head_t *whead;
 
 	rcu_read_lock();
-	/* If it is cleared by POLLFREE, it should be rcu-safe */
-	whead = rcu_dereference(pwq->whead);
+	/*
+	 * If it is cleared by POLLFREE, it should be rcu-safe.
+	 * If we read NULL we need a barrier paired with
+	 * smp_store_release() in ep_poll_callback(), otherwise
+	 * we rely on whead->lock.
+	 */
+	whead = smp_load_acquire(&pwq->whead);
 	if (whead)
 		remove_wait_queue(whead, &pwq->wait);
 	rcu_read_unlock();
@@ -1006,17 +1011,6 @@ static int ep_poll_callback(wait_queue_t
 	struct epitem *epi = ep_item_from_wait(wait);
 	struct eventpoll *ep = epi->ep;
 
-	if ((unsigned long)key & POLLFREE) {
-		ep_pwq_from_wait(wait)->whead = NULL;
-		/*
-		 * whead = NULL above can race with ep_remove_wait_queue()
-		 * which can do another remove_wait_queue() after us, so we
-		 * can't use __remove_wait_queue(). whead->lock is held by
-		 * the caller.
-		 */
-		list_del_init(&wait->task_list);
-	}
-
 	spin_lock_irqsave(&ep->lock, flags);
 
 	/*
@@ -1081,6 +1075,22 @@ out_unlock:
 	if (pwake)
 		ep_poll_safewake(&ep->poll_wait);
 
+	if ((unsigned long)key & POLLFREE) {
+		/*
+		 * If we race with ep_remove_wait_queue() it can miss
+		 * ->whead = NULL and do another remove_wait_queue() after
+		 * us, so we can't use __remove_wait_queue().
+		 */
+		list_del_init(&wait->task_list);
+		/*
+		 * ->whead != NULL protects us from the race with ep_free()
+		 * or ep_remove(), ep_remove_wait_queue() takes whead->lock
+		 * held by the caller. Once we nullify it, nothing protects
+		 * ep/epi or even wait.
+		 */
+		smp_store_release(&ep_pwq_from_wait(wait)->whead, NULL);
+	}
+
 	return 1;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 173/294] sch_multiq: fix double free on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 044/294] cxgb4: Fix error codes in c4iw_create_cq() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 121/294] mm/mempolicy: fix use after free when calling get_mempolicy Ben Hutchings
                   ` (132 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Nikolay Aleksandrov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream.

The below commit added a call to ->destroy() on init failure, but multiq
still frees ->queues on error in init, but ->queues is also freed by
->destroy() thus we get double free and corrupted memory.

Very easy to reproduce (eth0 not multiqueue):
$ tc qdisc add dev eth0 root multiq
RTNETLINK answers: Operation not supported
$ ip l add dumdum type dummy
(crash)

Trace log:
[ 3929.467747] general protection fault: 0000 [#1] SMP
[ 3929.468083] Modules linked in:
[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
[ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
[ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
[ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
[ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
[ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
[ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
[ 3929.471869] FS:  00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 3929.472286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
[ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3929.474873] Call Trace:
[ 3929.475337]  ? kstrdup_const+0x23/0x25
[ 3929.475863]  kstrdup+0x2e/0x4b
[ 3929.476338]  kstrdup_const+0x23/0x25
[ 3929.478084]  __kernfs_new_node+0x28/0xbc
[ 3929.478478]  kernfs_new_node+0x35/0x55
[ 3929.478929]  kernfs_create_link+0x23/0x76
[ 3929.479478]  sysfs_do_create_link_sd.isra.2+0x85/0xd7
[ 3929.480096]  sysfs_create_link+0x33/0x35
[ 3929.480649]  device_add+0x200/0x589
[ 3929.481184]  netdev_register_kobject+0x7c/0x12f
[ 3929.481711]  register_netdevice+0x373/0x471
[ 3929.482174]  rtnl_newlink+0x614/0x729
[ 3929.482610]  ? rtnl_newlink+0x17f/0x729
[ 3929.483080]  rtnetlink_rcv_msg+0x188/0x197
[ 3929.483533]  ? rcu_read_unlock+0x3e/0x5f
[ 3929.483984]  ? rtnl_newlink+0x729/0x729
[ 3929.484420]  netlink_rcv_skb+0x6c/0xce
[ 3929.484858]  rtnetlink_rcv+0x23/0x2a
[ 3929.485291]  netlink_unicast+0x103/0x181
[ 3929.485735]  netlink_sendmsg+0x326/0x337
[ 3929.486181]  sock_sendmsg_nosec+0x14/0x3f
[ 3929.486614]  sock_sendmsg+0x29/0x2e
[ 3929.486973]  ___sys_sendmsg+0x209/0x28b
[ 3929.487340]  ? do_raw_spin_unlock+0xcd/0xf8
[ 3929.487719]  ? _raw_spin_unlock+0x27/0x31
[ 3929.488092]  ? __handle_mm_fault+0x651/0xdb1
[ 3929.488471]  ? check_chain_key+0xb0/0xfd
[ 3929.488847]  __sys_sendmsg+0x45/0x63
[ 3929.489206]  ? __sys_sendmsg+0x45/0x63
[ 3929.489576]  SyS_sendmsg+0x19/0x1b
[ 3929.489901]  entry_SYSCALL_64_fastpath+0x23/0xc2
[ 3929.490172] RIP: 0033:0x7f0b6fb93690
[ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
[ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
[ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
[ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
[ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
[ 3929.492352]  ? trace_hardirqs_off_caller+0xa7/0xcf
[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: f07d1501292b ("multiq: Further multiqueue cleanup")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: delete now-unused 'err' variable]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_multiq.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -250,7 +250,7 @@ static int multiq_tune(struct Qdisc *sch
 static int multiq_init(struct Qdisc *sch, struct nlattr *opt)
 {
 	struct multiq_sched_data *q = qdisc_priv(sch);
-	int i, err;
+	int i;
 
 	q->queues = NULL;
 
@@ -265,12 +265,7 @@ static int multiq_init(struct Qdisc *sch
 	for (i = 0; i < q->max_bands; i++)
 		q->queues[i] = &noop_qdisc;
 
-	err = multiq_tune(sch, opt);
-
-	if (err)
-		kfree(q->queues);
-
-	return err;
+	return multiq_tune(sch, opt);
 }
 
 static int multiq_dump(struct Qdisc *sch, struct sk_buff *skb)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 166/294] alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 250/294] am2150: Update nmclan_cs.c to use update PCMCIA API Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 073/294] xtensa: fix cache aliasing handling code for WT cache Ben Hutchings
                   ` (153 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Turner, Michael Cree

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream.

This fixes compiler errors in perf such as:

tests/attr.c: In function 'store_event':
tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=]
  snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
                           ^

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tested-by: Michael Cree <mcree@orcon.net.nz>
Signed-off-by: Matt Turner <mattst88@gmail.com>
---
 arch/alpha/include/asm/types.h      |  2 +-
 arch/alpha/include/uapi/asm/types.h | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/arch/alpha/include/asm/types.h
+++ b/arch/alpha/include/asm/types.h
@@ -1,7 +1,6 @@
 #ifndef _ALPHA_TYPES_H
 #define _ALPHA_TYPES_H
 
-#include <asm-generic/int-ll64.h>
 #include <uapi/asm/types.h>
 
 #endif /* _ALPHA_TYPES_H */
--- a/arch/alpha/include/uapi/asm/types.h
+++ b/arch/alpha/include/uapi/asm/types.h
@@ -9,8 +9,18 @@
  * need to be careful to avoid a name clashes.
  */
 
-#ifndef __KERNEL__
+/*
+ * This is here because we used to use l64 for alpha
+ * and we don't want to impact user mode with our change to ll64
+ * in the kernel.
+ *
+ * However, some user programs are fine with this.  They can
+ * flag __SANE_USERSPACE_TYPES__ to get int-ll64.h here.
+ */
+#if !defined(__SANE_USERSPACE_TYPES__) && !defined(__KERNEL__)
 #include <asm-generic/int-l64.h>
+#else
+#include <asm-generic/int-ll64.h>
 #endif
 
 #endif /* _UAPI_ALPHA_TYPES_H */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 161/294] l2tp: remove useless duplicate session detection in l2tp_netlink
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 091/294] ocfs2: don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 051/294] RDMA/core: Initialize port_num in qp_attr Ben Hutchings
                   ` (259 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit af87ae465abdc070de0dc35d6c6a9e7a8cd82987 upstream.

There's no point in checking for duplicate sessions at the beginning of
l2tp_nl_cmd_session_create(); the ->session_create() callbacks already
return -EEXIST when the session already exists.

Furthermore, even if l2tp_session_find() returns NULL, a new session
might be created right after the test. So relying on ->session_create()
to avoid duplicate session is the only sane behaviour.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: also delete the now-unused local variable]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -415,7 +415,6 @@ static int l2tp_nl_cmd_session_create(st
 	u32 peer_session_id;
 	int ret = 0;
 	struct l2tp_tunnel *tunnel;
-	struct l2tp_session *session;
 	struct l2tp_session_cfg cfg = { 0, };
 	struct net *net = genl_info_net(info);
 
@@ -435,11 +434,6 @@ static int l2tp_nl_cmd_session_create(st
 		goto out;
 	}
 	session_id = nla_get_u32(info->attrs[L2TP_ATTR_SESSION_ID]);
-	session = l2tp_session_find(net, tunnel, session_id);
-	if (session) {
-		ret = -EEXIST;
-		goto out;
-	}
 
 	if (!info->attrs[L2TP_ATTR_PEER_SESSION_ID]) {
 		ret = -EINVAL;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 157/294] l2tp: hold tunnel while looking up sessions in l2tp_netlink
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (254 preceding siblings ...)
  2017-11-06 23:03   ` Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 058/294] IB/ipoib: Remove double pointer assigning Ben Hutchings
                   ` (39 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 54652eb12c1b72e9602d09cb2821d5760939190f upstream.

l2tp_tunnel_find() doesn't take a reference on the returned tunnel.
Therefore, it's unsafe to use it because the returned tunnel can go
away on us anytime.

Fix this by defining l2tp_tunnel_get(), which works like
l2tp_tunnel_find(), but takes a reference on the returned tunnel.
Caller then has to drop this reference using l2tp_tunnel_dec_refcount().

As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's
simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code
has been broken (not even compiling) in May 2012 by
commit a4ca44fa578c ("net: l2tp: Standardize logging styles")
and fixed more than two years later by
commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it
doesn't appear to be used by anyone.

Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h,
let's just simplify things and call kfree_rcu() directly in
l2tp_tunnel_dec_refcount(). Extra assertions and debugging code
provided by l2tp_tunnel_free() didn't help catching any of the
reference counting and socket handling issues found while working on
this series.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: keep using atomic_t functions]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c    | 66 ++++++++++++++++---------------------------------
 net/l2tp/l2tp_core.h    | 13 ++++++++++
 net/l2tp/l2tp_netlink.c |  6 +++--
 3 files changed, 38 insertions(+), 47 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -112,7 +112,6 @@ struct l2tp_net {
 	spinlock_t l2tp_session_hlist_lock;
 };
 
-static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
 
 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
 {
@@ -126,39 +125,6 @@ static inline struct l2tp_net *l2tp_pern
 	return net_generic(net, l2tp_net_id);
 }
 
-/* Tunnel reference counts. Incremented per session that is added to
- * the tunnel.
- */
-static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
-{
-	atomic_inc(&tunnel->ref_count);
-}
-
-static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
-{
-	if (atomic_dec_and_test(&tunnel->ref_count))
-		l2tp_tunnel_free(tunnel);
-}
-#ifdef L2TP_REFCNT_DEBUG
-#define l2tp_tunnel_inc_refcount(_t)					\
-do {									\
-	pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n",	\
-		 __func__, __LINE__, (_t)->name,			\
-		 atomic_read(&_t->ref_count));				\
-	l2tp_tunnel_inc_refcount_1(_t);					\
-} while (0)
-#define l2tp_tunnel_dec_refcount(_t)
-do {									\
-	pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n",	\
-		 __func__, __LINE__, (_t)->name,			\
-		 atomic_read(&_t->ref_count));				\
-	l2tp_tunnel_dec_refcount_1(_t);					\
-} while (0)
-#else
-#define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
-#define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
-#endif
-
 /* Session hash global list for L2TPv3.
  * The session_id SHOULD be random according to RFC3931, but several
  * L2TP implementations use incrementing session_ids.  So we do a real
@@ -277,6 +243,27 @@ struct l2tp_session *l2tp_session_find(s
 }
 EXPORT_SYMBOL_GPL(l2tp_session_find);
 
+/* Lookup a tunnel. A new reference is held on the returned tunnel. */
+struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
+{
+	const struct l2tp_net *pn = l2tp_pernet(net);
+	struct l2tp_tunnel *tunnel;
+
+	rcu_read_lock_bh();
+	list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+		if (tunnel->tunnel_id == tunnel_id) {
+			l2tp_tunnel_inc_refcount(tunnel);
+			rcu_read_unlock_bh();
+
+			return tunnel;
+		}
+	}
+	rcu_read_unlock_bh();
+
+	return NULL;
+}
+EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
+
 /* Like l2tp_session_find() but takes a reference on the returned session.
  * Optionally calls session->ref() too if do_ref is true.
  */
@@ -1396,17 +1383,6 @@ static void l2tp_udp_encap_destroy(struc
 	}
 }
 
-/* Really kill the tunnel.
- * Come here only when all sessions have been cleared from the tunnel.
- */
-static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
-{
-	BUG_ON(atomic_read(&tunnel->ref_count) != 0);
-	BUG_ON(tunnel->sock != NULL);
-	l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
-	kfree_rcu(tunnel, rcu);
-}
-
 /* Workqueue tunnel deletion function */
 static void l2tp_tunnel_del_work(struct work_struct *work)
 {
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -240,6 +240,8 @@ out:
 	return tunnel;
 }
 
+struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
+
 struct l2tp_session *l2tp_session_get(const struct net *net,
 				      struct l2tp_tunnel *tunnel,
 				      u32 session_id, bool do_ref);
@@ -281,6 +283,17 @@ int l2tp_nl_register_ops(enum l2tp_pwtyp
 void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type);
 int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg);
 
+static inline void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel)
+{
+	atomic_inc(&tunnel->ref_count);
+}
+
+static inline void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
+{
+	if (atomic_dec_and_test(&tunnel->ref_count))
+		kfree_rcu(tunnel, rcu);
+}
+
 /* Session reference counts. Incremented when code obtains a reference
  * to a session.
  */
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -60,10 +60,12 @@ static struct l2tp_session *l2tp_nl_sess
 		   (info->attrs[L2TP_ATTR_CONN_ID])) {
 		tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 		session_id = nla_get_u32(info->attrs[L2TP_ATTR_SESSION_ID]);
-		tunnel = l2tp_tunnel_find(net, tunnel_id);
-		if (tunnel)
+		tunnel = l2tp_tunnel_get(net, tunnel_id);
+		if (tunnel) {
 			session = l2tp_session_get(net, tunnel, session_id,
 						   do_ref);
+			l2tp_tunnel_dec_refcount(tunnel);
+		}
 	}
 
 	return session;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 162/294] l2tp: hold tunnel used while creating sessions with netlink
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (231 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 233/294] scsi-tgt: fix type conversion warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 018/294] i2c: mux: pinctrl: mention correct module name in Kconfig help text Ben Hutchings
                   ` (62 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit e702c1204eb57788ef189c839c8c779368267d70 upstream.

Use l2tp_tunnel_get() to retrieve tunnel, so that it can't go away on
us. Otherwise l2tp_tunnel_destruct() might release the last reference
count concurrently, thus freeing the tunnel while we're using it.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_netlink.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -422,8 +422,9 @@ static int l2tp_nl_cmd_session_create(st
 		ret = -EINVAL;
 		goto out;
 	}
+
 	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
+	tunnel = l2tp_tunnel_get(net, tunnel_id);
 	if (!tunnel) {
 		ret = -ENODEV;
 		goto out;
@@ -431,24 +432,24 @@ static int l2tp_nl_cmd_session_create(st
 
 	if (!info->attrs[L2TP_ATTR_SESSION_ID]) {
 		ret = -EINVAL;
-		goto out;
+		goto out_tunnel;
 	}
 	session_id = nla_get_u32(info->attrs[L2TP_ATTR_SESSION_ID]);
 
 	if (!info->attrs[L2TP_ATTR_PEER_SESSION_ID]) {
 		ret = -EINVAL;
-		goto out;
+		goto out_tunnel;
 	}
 	peer_session_id = nla_get_u32(info->attrs[L2TP_ATTR_PEER_SESSION_ID]);
 
 	if (!info->attrs[L2TP_ATTR_PW_TYPE]) {
 		ret = -EINVAL;
-		goto out;
+		goto out_tunnel;
 	}
 	cfg.pw_type = nla_get_u16(info->attrs[L2TP_ATTR_PW_TYPE]);
 	if (cfg.pw_type >= __L2TP_PWTYPE_MAX) {
 		ret = -EINVAL;
-		goto out;
+		goto out_tunnel;
 	}
 
 	if (tunnel->version > 2) {
@@ -470,7 +471,7 @@ static int l2tp_nl_cmd_session_create(st
 			u16 len = nla_len(info->attrs[L2TP_ATTR_COOKIE]);
 			if (len > 8) {
 				ret = -EINVAL;
-				goto out;
+				goto out_tunnel;
 			}
 			cfg.cookie_len = len;
 			memcpy(&cfg.cookie[0], nla_data(info->attrs[L2TP_ATTR_COOKIE]), len);
@@ -479,7 +480,7 @@ static int l2tp_nl_cmd_session_create(st
 			u16 len = nla_len(info->attrs[L2TP_ATTR_PEER_COOKIE]);
 			if (len > 8) {
 				ret = -EINVAL;
-				goto out;
+				goto out_tunnel;
 			}
 			cfg.peer_cookie_len = len;
 			memcpy(&cfg.peer_cookie[0], nla_data(info->attrs[L2TP_ATTR_PEER_COOKIE]), len);
@@ -515,7 +516,7 @@ static int l2tp_nl_cmd_session_create(st
 	if ((l2tp_nl_cmd_ops[cfg.pw_type] == NULL) ||
 	    (l2tp_nl_cmd_ops[cfg.pw_type]->session_create == NULL)) {
 		ret = -EPROTONOSUPPORT;
-		goto out;
+		goto out_tunnel;
 	}
 
 	/* Check that pseudowire-specific params are present */
@@ -525,7 +526,7 @@ static int l2tp_nl_cmd_session_create(st
 	case L2TP_PWTYPE_ETH_VLAN:
 		if (!info->attrs[L2TP_ATTR_VLAN_ID]) {
 			ret = -EINVAL;
-			goto out;
+			goto out_tunnel;
 		}
 		break;
 	case L2TP_PWTYPE_ETH:
@@ -544,6 +545,8 @@ static int l2tp_nl_cmd_session_create(st
 		ret = (*l2tp_nl_cmd_ops[cfg.pw_type]->session_create)(net, tunnel_id,
 			session_id, peer_session_id, &cfg);
 
+out_tunnel:
+	l2tp_tunnel_dec_refcount(tunnel);
 out:
 	return ret;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 158/294] l2tp: hold tunnel while processing genl delete command
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (279 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 216/294] mfd: arizona: Rid data size incompatibility warn when building for 64bit Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 077/294] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver Ben Hutchings
                   ` (14 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit bb0a32ce4389e17e47e198d2cddaf141561581ad upstream.

l2tp_nl_cmd_tunnel_delete() needs to take a reference on the tunnel, to
prevent it from being concurrently freed by l2tp_tunnel_destruct().

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_netlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -209,14 +209,16 @@ static int l2tp_nl_cmd_tunnel_delete(str
 	}
 	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel == NULL) {
+	tunnel = l2tp_tunnel_get(net, tunnel_id);
+	if (!tunnel) {
 		ret = -ENODEV;
 		goto out;
 	}
 
 	(void) l2tp_tunnel_delete(tunnel);
 
+	l2tp_tunnel_dec_refcount(tunnel);
+
 out:
 	return ret;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 171/294] net_sched: fix error recovery at qdisc creation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (245 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 130/294] arm64: mm: abort uaccess retries upon fatal signal Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 127/294] drm: Release driver tracking before making the object available again Ben Hutchings
                   ` (48 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Dmitry Vyukov, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 87b60cfacf9f17cf71933c6e33b66e68160af71d upstream.

Dmitry reported uses after free in qdisc code [1]

The problem here is that ops->init() can return an error.

qdisc_create_dflt() then call ops->destroy(),
while qdisc_create() does _not_ call it.

Four qdisc chose to call their own ops->destroy(), assuming their caller
would not.

This patch makes sure qdisc_create() calls ops->destroy()
and fixes the four qdisc to avoid double free.

[1]
BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr ffff8801d415d440
Read of size 8 by task syz-executor2/5030
CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400
 ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898
 ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0
Call Trace:
 [<ffffffff81bbbed4>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81bbbed4>] dump_stack+0x6c/0x98 lib/dump_stack.c:51
 [<ffffffff816682b1>] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [<ffffffff81668524>] print_address_description mm/kasan/report.c:196 [inline]
 [<ffffffff81668524>] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285
 [<ffffffff81668953>] kasan_report mm/kasan/report.c:305 [inline]
 [<ffffffff81668953>] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326
 [<ffffffff82527b02>] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33
 [<ffffffff82524bdd>] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953
 [<ffffffff82524e30>] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848
 [<ffffffff8252550d>] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline]
 [<ffffffff8252550d>] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064
 [<ffffffff824b1db1>] __dev_open+0x221/0x320 net/core/dev.c:1403
 [<ffffffff824b24ce>] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858
 [<ffffffff824b27de>] dev_change_flags+0x8e/0x140 net/core/dev.c:6926
 [<ffffffff824f5bf6>] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260
 [<ffffffff824f61fa>] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546
 [<ffffffff82430509>] sock_do_ioctl+0x99/0xb0 net/socket.c:879
 [<ffffffff82430d30>] sock_ioctl+0x2a0/0x390 net/socket.c:958
 [<ffffffff816f3b68>] vfs_ioctl fs/ioctl.c:44 [inline]
 [<ffffffff816f3b68>] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611
 [<ffffffff816f41a4>] SYSC_ioctl fs/ioctl.c:626 [inline]
 [<ffffffff816f41a4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617
 [<ffffffff8123e357>] entry_SYSCALL_64_fastpath+0x12/0x17

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_api.c    |  2 ++
 net/sched/sch_hhf.c    |  8 ++++++--
 net/sched/sch_mq.c     | 10 +++-------
 net/sched/sch_mqprio.c | 19 ++++++-------------
 net/sched/sch_sfq.c    |  3 ++-
 5 files changed, 19 insertions(+), 23 deletions(-)

--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -978,6 +978,8 @@ qdisc_create(struct net_device *dev, str
 
 		return sch;
 	}
+	/* ops->init() failed, we call ->destroy() like qdisc_create_dflt() */
+	ops->destroy(sch);
 err_out3:
 	dev_put(dev);
 	kfree((char *) sch - sch->padded);
--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -644,7 +644,9 @@ static int hhf_init(struct Qdisc *sch, s
 			q->hhf_arrays[i] = hhf_zalloc(HHF_ARRAYS_LEN *
 						      sizeof(u32));
 			if (!q->hhf_arrays[i]) {
-				hhf_destroy(sch);
+				/* Note: hhf_destroy() will be called
+				 * by our caller.
+				 */
 				return -ENOMEM;
 			}
 		}
@@ -655,7 +657,9 @@ static int hhf_init(struct Qdisc *sch, s
 			q->hhf_valid_bits[i] = hhf_zalloc(HHF_ARRAYS_LEN /
 							  BITS_PER_BYTE);
 			if (!q->hhf_valid_bits[i]) {
-				hhf_destroy(sch);
+				/* Note: hhf_destroy() will be called
+				 * by our caller.
+				 */
 				return -ENOMEM;
 			}
 		}
--- a/net/sched/sch_mq.c
+++ b/net/sched/sch_mq.c
@@ -52,7 +52,7 @@ static int mq_init(struct Qdisc *sch, st
 	/* pre-allocate qdiscs, attachment can't fail */
 	priv->qdiscs = kcalloc(dev->num_tx_queues, sizeof(priv->qdiscs[0]),
 			       GFP_KERNEL);
-	if (priv->qdiscs == NULL)
+	if (!priv->qdiscs)
 		return -ENOMEM;
 
 	for (ntx = 0; ntx < dev->num_tx_queues; ntx++) {
@@ -60,18 +60,14 @@ static int mq_init(struct Qdisc *sch, st
 		qdisc = qdisc_create_dflt(dev_queue, default_qdisc_ops,
 					  TC_H_MAKE(TC_H_MAJ(sch->handle),
 						    TC_H_MIN(ntx + 1)));
-		if (qdisc == NULL)
-			goto err;
+		if (!qdisc)
+			return -ENOMEM;
 		priv->qdiscs[ntx] = qdisc;
 		qdisc->flags |= TCQ_F_ONETXQUEUE;
 	}
 
 	sch->flags |= TCQ_F_MQROOT;
 	return 0;
-
-err:
-	mq_destroy(sch);
-	return -ENOMEM;
 }
 
 static void mq_attach(struct Qdisc *sch)
--- a/net/sched/sch_mqprio.c
+++ b/net/sched/sch_mqprio.c
@@ -117,20 +117,17 @@ static int mqprio_init(struct Qdisc *sch
 	/* pre-allocate qdisc, attachment can't fail */
 	priv->qdiscs = kcalloc(dev->num_tx_queues, sizeof(priv->qdiscs[0]),
 			       GFP_KERNEL);
-	if (priv->qdiscs == NULL) {
-		err = -ENOMEM;
-		goto err;
-	}
+	if (!priv->qdiscs)
+		return -ENOMEM;
 
 	for (i = 0; i < dev->num_tx_queues; i++) {
 		dev_queue = netdev_get_tx_queue(dev, i);
 		qdisc = qdisc_create_dflt(dev_queue, default_qdisc_ops,
 					  TC_H_MAKE(TC_H_MAJ(sch->handle),
 						    TC_H_MIN(i + 1)));
-		if (qdisc == NULL) {
-			err = -ENOMEM;
-			goto err;
-		}
+		if (!qdisc)
+			return -ENOMEM;
+
 		priv->qdiscs[i] = qdisc;
 		qdisc->flags |= TCQ_F_ONETXQUEUE;
 	}
@@ -143,7 +140,7 @@ static int mqprio_init(struct Qdisc *sch
 		priv->hw_owned = 1;
 		err = dev->netdev_ops->ndo_setup_tc(dev, qopt->num_tc);
 		if (err)
-			goto err;
+			return err;
 	} else {
 		netdev_set_num_tc(dev, qopt->num_tc);
 		for (i = 0; i < qopt->num_tc; i++)
@@ -157,10 +154,6 @@ static int mqprio_init(struct Qdisc *sch
 
 	sch->flags |= TCQ_F_MQROOT;
 	return 0;
-
-err:
-	mqprio_destroy(sch);
-	return err;
 }
 
 static void mqprio_attach(struct Qdisc *sch)
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -770,9 +770,10 @@ static int sfq_init(struct Qdisc *sch, s
 	q->ht = sfq_alloc(sizeof(q->ht[0]) * q->divisor);
 	q->slots = sfq_alloc(sizeof(q->slots[0]) * q->maxflows);
 	if (!q->ht || !q->slots) {
-		sfq_destroy(sch);
+		/* Note: sfq_destroy() will be called by our caller */
 		return -ENOMEM;
 	}
+
 	for (i = 0; i < q->divisor; i++)
 		q->ht[i] = SFQ_EMPTY_SLOT;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 172/294] sch_htb: fix crash on init failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 101/294] net: remove open-coded skb_cow_head Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 182/294] cifs: check MaxPathNameComponentLength != 0 before using it Ben Hutchings
                   ` (65 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Nikolay Aleksandrov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 88c2ace69dbef696edba77712882af03879abc9c upstream.

The commit below added a call to the ->destroy() callback for all qdiscs
which failed in their ->init(), but some were not prepared for such
change and can't handle partially initialized qdisc. HTB is one of them
and if any error occurs before the qdisc watchdog timer and qdisc work are
initialized then we can hit either a null ptr deref (timer->base) when
canceling in ->destroy or lockdep error info about trying to register
a non-static key and a stack dump. So to fix these two move the watchdog
timer and workqueue init before anything that can err out.
To reproduce userspace needs to send broken htb qdisc create request,
tested with a modified tc (q_htb.c).

Trace log:
[ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2710.897977] IP: hrtimer_active+0x17/0x8a
[ 2710.898174] PGD 58fab067
[ 2710.898175] P4D 58fab067
[ 2710.898353] PUD 586c0067
[ 2710.898531] PMD 0
[ 2710.898710]
[ 2710.899045] Oops: 0000 [#1] SMP
[ 2710.899232] Modules linked in:
[ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
[ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
[ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
[ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
[ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
[ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
[ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
[ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
[ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
[ 2710.901907] FS:  00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
[ 2710.902277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
[ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2710.903180] Call Trace:
[ 2710.903332]  hrtimer_try_to_cancel+0x1a/0x93
[ 2710.903504]  hrtimer_cancel+0x15/0x20
[ 2710.903667]  qdisc_watchdog_cancel+0x12/0x14
[ 2710.903866]  htb_destroy+0x2e/0xf7
[ 2710.904097]  qdisc_create+0x377/0x3fd
[ 2710.904330]  tc_modify_qdisc+0x4d2/0x4fd
[ 2710.904511]  rtnetlink_rcv_msg+0x188/0x197
[ 2710.904682]  ? rcu_read_unlock+0x3e/0x5f
[ 2710.904849]  ? rtnl_newlink+0x729/0x729
[ 2710.905017]  netlink_rcv_skb+0x6c/0xce
[ 2710.905183]  rtnetlink_rcv+0x23/0x2a
[ 2710.905345]  netlink_unicast+0x103/0x181
[ 2710.905511]  netlink_sendmsg+0x326/0x337
[ 2710.905679]  sock_sendmsg_nosec+0x14/0x3f
[ 2710.905847]  sock_sendmsg+0x29/0x2e
[ 2710.906010]  ___sys_sendmsg+0x209/0x28b
[ 2710.906176]  ? do_raw_spin_unlock+0xcd/0xf8
[ 2710.906346]  ? _raw_spin_unlock+0x27/0x31
[ 2710.906514]  ? __handle_mm_fault+0x651/0xdb1
[ 2710.906685]  ? check_chain_key+0xb0/0xfd
[ 2710.906855]  __sys_sendmsg+0x45/0x63
[ 2710.907018]  ? __sys_sendmsg+0x45/0x63
[ 2710.907185]  SyS_sendmsg+0x19/0x1b
[ 2710.907344]  entry_SYSCALL_64_fastpath+0x23/0xc2

Note that probably this bug goes further back because the default qdisc
handling always calls ->destroy on init failure too.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_htb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1025,6 +1025,9 @@ static int htb_init(struct Qdisc *sch, s
 	int err;
 	int i;
 
+	qdisc_watchdog_init(&q->watchdog, sch);
+	INIT_WORK(&q->work, htb_work_func);
+
 	if (!opt)
 		return -EINVAL;
 
@@ -1045,8 +1048,6 @@ static int htb_init(struct Qdisc *sch, s
 	for (i = 0; i < TC_HTB_NUMPRIO; i++)
 		INIT_LIST_HEAD(q->drops + i);
 
-	qdisc_watchdog_init(&q->watchdog, sch);
-	INIT_WORK(&q->work, htb_work_func);
 	skb_queue_head_init(&q->direct_queue);
 
 	if (tb[TCA_HTB_DIRECT_QLEN])

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 159/294] l2tp: hold tunnel while handling genl tunnel updates
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 108/294] USB: Check for dropped connection before switching to full speed Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 177/294] sch_fq_codel: avoid double free on init failure Ben Hutchings
                   ` (289 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 8c0e421525c9eb50d68e8f633f703ca31680b746 upstream.

We need to make sure the tunnel is not going to be destroyed by
l2tp_tunnel_destruct() concurrently.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_netlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -236,8 +236,8 @@ static int l2tp_nl_cmd_tunnel_modify(str
 	}
 	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel == NULL) {
+	tunnel = l2tp_tunnel_get(net, tunnel_id);
+	if (!tunnel) {
 		ret = -ENODEV;
 		goto out;
 	}
@@ -245,6 +245,8 @@ static int l2tp_nl_cmd_tunnel_modify(str
 	if (info->attrs[L2TP_ATTR_DEBUG])
 		tunnel->debug = nla_get_u32(info->attrs[L2TP_ATTR_DEBUG]);
 
+	l2tp_tunnel_dec_refcount(tunnel);
+
 out:
 	return ret;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 163/294] ipv6: fix sparse warning on rt6i_node
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 231/294] i2o: hide unsafe ioctl on 64-bit Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 238/294] mvsas: fix misleading indentation Ben Hutchings
                   ` (182 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Wei Wang, Martin KaFai Lau, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Wang <weiwan@google.com>

commit 4e587ea71bf924f7dac621f1351653bd41e446cb upstream.

Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This
generates a new sparse warning on rt->rt6i_node related code:
  net/ipv6/route.c:1394:30: error: incompatible types in comparison
  expression (different address spaces)
  ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
  expression (different address spaces)

This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
rcu API is used for it.
After this fix, sparse no longer generates the above warning.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: drop changes in rt6_cache_allowed_for_pmtu()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -96,7 +96,7 @@ struct rt6_info {
 	 * the same cache line.
 	 */
 	struct fib6_table		*rt6i_table;
-	struct fib6_node		*rt6i_node;
+	struct fib6_node __rcu		*rt6i_node;
 
 	struct in6_addr			rt6i_gateway;
 
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4737,7 +4737,7 @@ static void __ipv6_ifa_notify(int event,
 		 * our DAD process, so we don't need
 		 * to do it again
 		 */
-		if (!(ifp->rt->rt6i_node))
+		if (!rcu_access_pointer(ifp->rt->rt6i_node))
 			ip6_ins_rt(ifp->rt);
 		if (ifp->idev->cnf.forwarding)
 			addrconf_join_anycast(ifp);
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -836,7 +836,7 @@ add:
 		}
 		rt->dst.rt6_next = iter;
 		*ins = rt;
-		rt->rt6i_node = fn;
+		rcu_assign_pointer(rt->rt6i_node, fn);
 		atomic_inc(&rt->rt6i_ref);
 		inet6_rt_notify(RTM_NEWROUTE, rt, info);
 		info->nl_net->ipv6.rt6_stats->fib_rt_entries++;
@@ -861,7 +861,7 @@ add:
 				return err;
 		}
 		*ins = rt;
-		rt->rt6i_node = fn;
+		rcu_assign_pointer(rt->rt6i_node, fn);
 		rt->dst.rt6_next = iter->dst.rt6_next;
 		atomic_inc(&rt->rt6i_ref);
 		inet6_rt_notify(RTM_NEWROUTE, rt, info);
@@ -1413,8 +1413,9 @@ static void fib6_del_route(struct fib6_n
 
 int fib6_del(struct rt6_info *rt, struct nl_info *info)
 {
+	struct fib6_node *fn = rcu_dereference_protected(rt->rt6i_node,
+				    lockdep_is_held(&rt->rt6i_table->tb6_lock));
 	struct net *net = info->nl_net;
-	struct fib6_node *fn = rt->rt6i_node;
 	struct rt6_info **rtp;
 
 #if RT6_DEBUG >= 2
@@ -1593,7 +1594,9 @@ static int fib6_clean_node(struct fib6_w
 			if (res) {
 #if RT6_DEBUG >= 2
 				pr_debug("%s: del failed: rt=%p@%p err=%d\n",
-					 __func__, rt, rt->rt6i_node, res);
+					 __func__, rt,
+					 rcu_access_pointer(rt->rt6i_node),
+					 res);
 #endif
 				continue;
 			}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 170/294] CIFS: remove endian related sparse warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 261/294] staging: bcm: add 32-bit host dependency Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 156/294] l2tp: define parameters of l2tp_session_get*() as "const" Ben Hutchings
                   ` (267 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky, Steve French, Ronnie Sahlberg

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.

Recent patch had an endian warning ie
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()

Signed-off-by: Steve French <smfrench@gmail.com>
CC: Ronnie Sahlberg <lsahlber@redhat.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -194,7 +194,7 @@ check_name(struct dentry *direntry, stru
 	int i;
 
 	if (unlikely(direntry->d_name.len >
-		     tcon->fsAttrInfo.MaxPathNameComponentLength))
+		     le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
 		return -ENAMETOOLONG;
 
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 137/294] nfsd: Limit end of page list when decoding NFSv4 WRITE
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 198/294] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 054/294] perf/core: Fix locking for children siblings group read Ben Hutchings
                   ` (209 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chuck Lever, J. Bruce Fields

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 upstream.

When processing an NFSv4 WRITE operation, argp->end should never
point past the end of the data in the final page of the page list.
Otherwise, nfsd4_decode_compound can walk into uninitialized memory.

More critical, nfsd4_decode_write is failing to increment argp->pagelen
when it increments argp->pagelist.  This can cause later xdr decoders
to assume more data is available than really is, which can cause server
crashes on malformed requests.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/nfs4xdr.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -134,7 +134,7 @@ static void next_decode_page(struct nfsd
 	argp->p = page_address(argp->pagelist[0]);
 	argp->pagelist++;
 	if (argp->pagelen < PAGE_SIZE) {
-		argp->end = argp->p + (argp->pagelen>>2);
+		argp->end = argp->p + XDR_QUADLEN(argp->pagelen);
 		argp->pagelen = 0;
 	} else {
 		argp->end = argp->p + (PAGE_SIZE>>2);
@@ -1246,9 +1246,7 @@ nfsd4_decode_write(struct nfsd4_compound
 		argp->pagelen -= pages * PAGE_SIZE;
 		len -= pages * PAGE_SIZE;
 
-		argp->p = (__be32 *)page_address(argp->pagelist[0]);
-		argp->pagelist++;
-		argp->end = argp->p + XDR_QUADLEN(PAGE_SIZE);
+		next_decode_page(argp);
 	}
 	argp->p += XDR_QUADLEN(len);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 135/294] tracing: Fix freeing of filter in create_filter() when set_str is false
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 209/294] module: fix types of device tables aliases Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 024/294] spmi: Include OF based modalias in device uevent Ben Hutchings
                   ` (173 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chunyu Hu, Steven Rostedt (VMware)

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 8b0db1a5bdfcee0dbfa89607672598ae203c9045 upstream.

Performing the following task with kmemleak enabled:

 # cd /sys/kernel/tracing/events/irq/irq_handler_entry/
 # echo 'enable_event:kmem:kmalloc:3 if irq >' > trigger
 # echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger
 # echo scan > /sys/kernel/debug/kmemleak
 # cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff8800b9290308 (size 32):
  comm "bash", pid 1114, jiffies 4294848451 (age 141.139s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81cef5aa>] kmemleak_alloc+0x4a/0xa0
    [<ffffffff81357938>] kmem_cache_alloc_trace+0x158/0x290
    [<ffffffff81261c09>] create_filter_start.constprop.28+0x99/0x940
    [<ffffffff812639c9>] create_filter+0xa9/0x160
    [<ffffffff81263bdc>] create_event_filter+0xc/0x10
    [<ffffffff812655e5>] set_trigger_filter+0xe5/0x210
    [<ffffffff812660c4>] event_enable_trigger_func+0x324/0x490
    [<ffffffff812652e2>] event_trigger_write+0x1a2/0x260
    [<ffffffff8138cf87>] __vfs_write+0xd7/0x380
    [<ffffffff8138f421>] vfs_write+0x101/0x260
    [<ffffffff8139187b>] SyS_write+0xab/0x130
    [<ffffffff81cfd501>] entry_SYSCALL_64_fastpath+0x1f/0xbe
    [<ffffffffffffffff>] 0xffffffffffffffff

The function create_filter() is passed a 'filterp' pointer that gets
allocated, and if "set_str" is true, it is up to the caller to free it, even
on error. The problem is that the pointer is not freed by create_filter()
when set_str is false. This is a bug, and it is not up to the caller to free
the filter on error if it doesn't care about the string.

Link: http://lkml.kernel.org/r/1502705898-27571-2-git-send-email-chuhu@redhat.com

Fixes: 38b78eb85 ("tracing: Factorize filter creation")
Reported-by: Chunyu Hu <chuhu@redhat.com>
Tested-by: Chunyu Hu <chuhu@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_events_filter.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1950,6 +1950,10 @@ static int create_filter(struct ftrace_e
 		if (err && set_str)
 			append_filter_err(ps, filter);
 	}
+	if (err && !set_str) {
+		free_event_filter(filter);
+		filter = NULL;
+	}
 	create_filter_finish(ps);
 
 	*filterp = filter;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 148/294] r8169: Do not increment tx_dropped in TX ring cleaning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 095/294] ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 101/294] net: remove open-coded skb_cow_head Ben Hutchings
                   ` (67 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 1089650d8837095f63e001bbf14d7b48043d67ad upstream.

rtl8169_tx_clear_range() is responsible for cleaning up the TX ring
during interface shutdown, incrementing tx_dropped for every SKB that we
left at the time in the ring is misleading.

Fixes: cac4b22f3d6a ("r8169: do not account fragments as packets")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/realtek/r8169.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -5860,7 +5860,6 @@ static void rtl8169_tx_clear_range(struc
 			rtl8169_unmap_tx_skb(&tp->pci_dev->dev, tx_skb,
 					     tp->TxDescArray + entry);
 			if (skb) {
-				tp->dev->stats.tx_dropped++;
 				dev_kfree_skb_any(skb);
 				tx_skb->skb = NULL;
 			}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 154/294] dm: fix printk() rate limiting code
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 008/294] staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 204/294] modpost: expand pattern matching to support substring matches Ben Hutchings
                   ` (161 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bart Van Assche, Mike Snitzer

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 604407890ecf624c2fb41013c82b22aade59b455 upstream.

Using the same rate limiting state for different kinds of messages
is wrong because this can cause a high frequency message to suppress
a report of a low frequency message. Hence use a unique rate limiting
state per message type.

Fixes: 71a16736a15e ("dm: use local printk ratelimit")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm.c               | 10 ----------
 include/linux/device-mapper.h | 41 ++++++++++++-----------------------------
 2 files changed, 12 insertions(+), 39 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -24,16 +24,6 @@
 
 #define DM_MSG_PREFIX "core"
 
-#ifdef CONFIG_PRINTK
-/*
- * ratelimit state to be used in DMXXX_LIMIT().
- */
-DEFINE_RATELIMIT_STATE(dm_ratelimit_state,
-		       DEFAULT_RATELIMIT_INTERVAL,
-		       DEFAULT_RATELIMIT_BURST);
-EXPORT_SYMBOL(dm_ratelimit_state);
-#endif
-
 /*
  * Cookies are numeric values sent with CHANGE and REMOVE
  * uevents while resuming, removing or renaming the device.
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -481,46 +481,29 @@ void *dm_vcalloc(unsigned long nmemb, un
  *---------------------------------------------------------------*/
 #define DM_NAME "device-mapper"
 
-#ifdef CONFIG_PRINTK
-extern struct ratelimit_state dm_ratelimit_state;
-
-#define dm_ratelimit()	__ratelimit(&dm_ratelimit_state)
-#else
-#define dm_ratelimit()	0
-#endif
+#define DM_RATELIMIT(pr_func, fmt, ...)					\
+do {									\
+	static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,	\
+				      DEFAULT_RATELIMIT_BURST);		\
+									\
+	if (__ratelimit(&rs))						\
+		pr_func(DM_FMT(fmt), ##__VA_ARGS__);			\
+} while (0)
 
 #define DM_FMT(fmt) DM_NAME ": " DM_MSG_PREFIX ": " fmt "\n"
 
 #define DMCRIT(fmt, ...) pr_crit(DM_FMT(fmt), ##__VA_ARGS__)
 
 #define DMERR(fmt, ...) pr_err(DM_FMT(fmt), ##__VA_ARGS__)
-#define DMERR_LIMIT(fmt, ...)						\
-do {									\
-	if (dm_ratelimit())						\
-		DMERR(fmt, ##__VA_ARGS__);				\
-} while (0)
-
+#define DMERR_LIMIT(fmt, ...) DM_RATELIMIT(pr_err, fmt, ##__VA_ARGS__)
 #define DMWARN(fmt, ...) pr_warn(DM_FMT(fmt), ##__VA_ARGS__)
-#define DMWARN_LIMIT(fmt, ...)						\
-do {									\
-	if (dm_ratelimit())						\
-		DMWARN(fmt, ##__VA_ARGS__);				\
-} while (0)
-
+#define DMWARN_LIMIT(fmt, ...) DM_RATELIMIT(pr_warn, fmt, ##__VA_ARGS__)
 #define DMINFO(fmt, ...) pr_info(DM_FMT(fmt), ##__VA_ARGS__)
-#define DMINFO_LIMIT(fmt, ...)						\
-do {									\
-	if (dm_ratelimit())						\
-		DMINFO(fmt, ##__VA_ARGS__);				\
-} while (0)
+#define DMINFO_LIMIT(fmt, ...) DM_RATELIMIT(pr_info, fmt, ##__VA_ARGS__)
 
 #ifdef CONFIG_DM_DEBUG
 #define DMDEBUG(fmt, ...) printk(KERN_DEBUG DM_FMT(fmt), ##__VA_ARGS__)
-#define DMDEBUG_LIMIT(fmt, ...)						\
-do {									\
-	if (dm_ratelimit())						\
-		DMDEBUG(fmt, ##__VA_ARGS__);				\
-} while (0)
+#define DMDEBUG_LIMIT(fmt, ...) DM_RATELIMIT(pr_debug, fmt, ##__VA_ARGS__)
 #else
 #define DMDEBUG(fmt, ...) no_printk(fmt, ##__VA_ARGS__)
 #define DMDEBUG_LIMIT(fmt, ...) no_printk(fmt, ##__VA_ARGS__)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 169/294] CIFS: Fix maximum SMB2 header size
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (152 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 174/294] sch_hhf: fix null pointer dereference on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads Ben Hutchings
                   ` (141 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky, Steve French, Sachin Prabhu

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream.

Currently the maximum size of SMB2/3 header is set incorrectly which
leads to hanging of directory listing operations on encrypted SMB3
connections. Fix this by setting the maximum size to 170 bytes that
is calculated as RFC1002 length field size (4) + transform header
size (52) + SMB2 header size (64) + create response size (56).

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -82,8 +82,8 @@
 
 #define NUMBER_OF_SMB2_COMMANDS	0x0013
 
-/* BB FIXME - analyze following length BB */
-#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */
+/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
+#define MAX_SMB2_HDR_SIZE 0x00b0
 
 #define SMB2_PROTO_NUMBER __constant_cpu_to_le32(0x424d53fe)
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 136/294] qlge: avoid memcpy buffer overflow
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (201 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 015/294] net: bcmgenet: cleanup for bcmgenet_xmit_frag() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 123/294] ipv6: reset fn->rr_ptr when replacing route Ben Hutchings
                   ` (92 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit e58f95831e7468d25eb6e41f234842ecfe6f014f upstream.

gcc-8.0.0 (snapshot) points out that we copy a variable-length string
into a fixed length field using memcpy() with the destination length,
and that ends up copying whatever follows the string:

    inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
  memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);

Changing it to use strncpy() will instead zero-pad the destination,
which seems to be the right thing to do here.

The bug is probably harmless, but it seems like a good idea to address
it in stable kernels as well, if only for the purpose of building with
gcc-8 without warnings.

Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
@@ -724,7 +724,7 @@ static void ql_build_coredump_seg_header
 	seg_hdr->cookie = MPI_COREDUMP_COOKIE;
 	seg_hdr->segNum = seg_number;
 	seg_hdr->segSize = seg_size;
-	memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
+	strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
 }
 
 /*

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 126/294] net_sched: fix order of queue length updates in qdisc_replace()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (285 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 196/294] usb: usbtest: fix NULL pointer dereference Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 144/294] PM/hibernate: touch NMI watchdog when creating snapshot Ben Hutchings
                   ` (8 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Cong Wang, Konstantin Khlebnikov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit 68a66d149a8c78ec6720f268597302883e48e9fa upstream.

This important to call qdisc_tree_reduce_backlog() after changing queue
length. Parent qdisc should deactivate class in ->qlen_notify() called from
qdisc_tree_reduce_backlog() but this happens only if qdisc->q.qlen in zero.

Missed class deactivations leads to crashes/warnings at picking packets
from empty qdisc and corrupting state at reactivating this class in future.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: 86a7996cc8a0 ("net_sched: introduce qdisc_replace() helper")
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sch_generic.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -618,8 +618,11 @@ static inline struct Qdisc *qdisc_replac
 	old = *pold;
 	*pold = new;
 	if (old != NULL) {
-		qdisc_tree_reduce_backlog(old, old->q.qlen, old->qstats.backlog);
+		unsigned int qlen = old->q.qlen;
+		unsigned int backlog = old->qstats.backlog;
+
 		qdisc_reset(old);
+		qdisc_tree_reduce_backlog(old, qlen, backlog);
 	}
 	sch_tree_unlock(sch);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 139/294] net: bcmgenet: Be drop monitor friendly
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 105/294] crypto: x86/sha1 - Fix reads beyond the number of blocks passed Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 193/294] ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor Ben Hutchings
                   ` (189 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit d4fec855905fa8bd5fb1c59f73ad2d74a944876a upstream.

There are 3 spots where we call dev_kfree_skb() but we are actually
just doing a normal SKB consumption: __bcmgenet_tx_reclaim() for normal
TX reclamation, bcmgenet_alloc_rx_buffers() during the initial RX ring
setup and bcmgenet_free_rx_buffers() during RX ring cleanup.

Fixes: d6707bec5986 ("net: bcmgenet: rewrite bcmgenet_rx_refill()")
Fixes: f48bed16a756 ("net: bcmgenet: Free skb after last Tx frag")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1037,7 +1037,7 @@ static void __bcmgenet_tx_reclaim(struct
 		if (skb) {
 			pkts_compl++;
 			bytes_compl += GENET_CB(skb)->bytes_sent;
-			dev_kfree_skb_any(skb);
+			dev_consume_skb_any(skb);
 		}
 
 		txbds_processed++;
@@ -1486,7 +1486,7 @@ static int bcmgenet_alloc_rx_buffers(str
 		cb = &priv->rx_cbs[priv->rx_bd_assign_index];
 		skb = bcmgenet_rx_refill(priv, cb);
 		if (skb)
-			dev_kfree_skb_any(skb);
+			dev_consume_skb_any(skb);
 		if (!cb->skb)
 			return -ENOMEM;
 	}
@@ -1505,7 +1505,7 @@ static void bcmgenet_free_rx_buffers(str
 
 		skb = bcmgenet_free_rx_cb(&priv->pdev->dev, cb);
 		if (skb)
-			dev_kfree_skb_any(skb);
+			dev_consume_skb_any(skb);
 	}
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 142/294] netvsc: fix deadlock betwen link status and removal
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (259 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 256/294] brcmfmac: avoid gcc-5.1 warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 129/294] arm64: fpsimd: Prevent registers leaking across exec Ben Hutchings
                   ` (34 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Stephen Hemminger, stephen hemminger, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: stephen hemminger <stephen@networkplumber.org>

commit 9b4e946ce14e20d7addbfb7d9139e604f9fda107 upstream.

There is a deadlock possible when canceling the link status
delayed work queue. The removal process is run with RTNL held,
and the link status callback is acquring RTNL.

Resolve the issue by using trylock and rescheduling.
If cancel is in process, that block it from happening.

Fixes: 122a5f6410f4 ("staging: hv: use delayed_work for netvsc_send_garp()")
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Move assignment of ndev_ctx before this new use
 - LINKCHANGE_INT is not defined; substitute its upstream definition]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -777,9 +777,14 @@ static void netvsc_link_change(struct wo
 	struct rndis_device *rdev;
 	bool notify;
 
-	rtnl_lock();
-
 	ndev_ctx = container_of(w, struct net_device_context, dwork.work);
+
+	/* if changes are happening, comeback later */
+	if (!rtnl_trylock()) {
+		schedule_delayed_work(&ndev_ctx->dwork, 2 * HZ);
+		return;
+	}
+
 	net_device = hv_get_drvdata(ndev_ctx->device_ctx);
 	rdev = net_device->extension;
 	net = net_device->ndev;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 134/294] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (290 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 006/294] net: bridge: fix dest lookup when vlan proto doesn't match Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 037/294] ARM: kexec: Make .text R/W in machine_kexec Ben Hutchings
                   ` (3 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ronnie Sahlberg, Steve French

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream.

Add checking for the path component length and verify it is <= the maximum
that the server advertizes via FileFsAttributeInformation.

With this patch cifs.ko will now return ENAMETOOLONG instead of ENOENT
when users to access an overlong path.

To test this, try to cd into a (non-existing) directory on a CIFS share
that has a too long name:
cd /mnt/aaaaaaaaaaaaaaa...

and it now should show a good error message from the shell:
bash: cd: /mnt/aaaaaaaaaaaaaaaa...aaaaaa: File name too long

rh bz 1153996

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/dir.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -183,15 +183,20 @@ cifs_bp_rename_retry:
 }
 
 /*
+ * Don't allow path components longer than the server max.
  * Don't allow the separator character in a path component.
  * The VFS will not allow "/", but "\" is allowed by posix.
  */
 static int
-check_name(struct dentry *direntry)
+check_name(struct dentry *direntry, struct cifs_tcon *tcon)
 {
 	struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
 	int i;
 
+	if (unlikely(direntry->d_name.len >
+		     tcon->fsAttrInfo.MaxPathNameComponentLength))
+		return -ENAMETOOLONG;
+
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
 		for (i = 0; i < direntry->d_name.len; i++) {
 			if (direntry->d_name.name[i] == '\\') {
@@ -489,10 +494,6 @@ cifs_atomic_open(struct inode *inode, st
 		return finish_no_open(file, res);
 	}
 
-	rc = check_name(direntry);
-	if (rc)
-		return rc;
-
 	xid = get_xid();
 
 	cifs_dbg(FYI, "parent inode = 0x%p name is: %s and dentry = 0x%p\n",
@@ -505,6 +506,11 @@ cifs_atomic_open(struct inode *inode, st
 	}
 
 	tcon = tlink_tcon(tlink);
+
+	rc = check_name(direntry, tcon);
+	if (rc)
+		goto out_free_xid;
+
 	server = tcon->ses->server;
 
 	if (server->ops->new_lease_key)
@@ -752,7 +758,7 @@ cifs_lookup(struct inode *parent_dir_ino
 	}
 	pTcon = tlink_tcon(tlink);
 
-	rc = check_name(direntry);
+	rc = check_name(direntry, pTcon);
 	if (rc)
 		goto lookup_out;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 144/294] PM/hibernate: touch NMI watchdog when creating snapshot
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (286 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 126/294] net_sched: fix order of queue length updates in qdisc_replace() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 178/294] sch_netem: avoid null pointer deref on init failure Ben Hutchings
                   ` (7 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michal Hocko, Len Brown, Jan Filipcewicz, Chen Yu,
	Rafael J. Wysocki, Linus Torvalds, Dan Williams, Vlastimil Babka,
	Mel Gorman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Yu <yu.c.chen@intel.com>

commit 556b969a1cfe2686aae149137fa1dfcac0eefe54 upstream.

There is a problem that when counting the pages for creating the
hibernation snapshot will take significant amount of time, especially on
system with large memory.  Since the counting job is performed with irq
disabled, this might lead to NMI lockup.  The following warning were
found on a system with 1.5TB DRAM:

  Freezing user space processes ... (elapsed 0.002 seconds) done.
  OOM killer disabled.
  PM: Preallocating image memory...
  NMI watchdog: Watchdog detected hard LOCKUP on cpu 27
  CPU: 27 PID: 3128 Comm: systemd-sleep Not tainted 4.13.0-0.rc2.git0.1.fc27.x86_64 #1
  task: ffff9f01971ac000 task.stack: ffffb1a3f325c000
  RIP: 0010:memory_bm_find_bit+0xf4/0x100
  Call Trace:
   swsusp_set_page_free+0x2b/0x30
   mark_free_pages+0x147/0x1c0
   count_data_pages+0x41/0xa0
   hibernate_preallocate_memory+0x80/0x450
   hibernation_snapshot+0x58/0x410
   hibernate+0x17c/0x310
   state_store+0xdf/0xf0
   kobj_attr_store+0xf/0x20
   sysfs_kf_write+0x37/0x40
   kernfs_fop_write+0x11c/0x1a0
   __vfs_write+0x37/0x170
   vfs_write+0xb1/0x1a0
   SyS_write+0x55/0xc0
   entry_SYSCALL_64_fastpath+0x1a/0xa5
  ...
  done (allocated 6590003 pages)
  PM: Allocated 26360012 kbytes in 19.89 seconds (1325.28 MB/s)

It has taken nearly 20 seconds(2.10GHz CPU) thus the NMI lockup was
triggered.  In case the timeout of the NMI watch dog has been set to 1
second, a safe interval should be 6590003/20 = 320k pages in theory.
However there might also be some platforms running at a lower frequency,
so feed the watchdog every 100k pages.

[yu.c.chen@intel.com: simplification]
  Link: http://lkml.kernel.org/r/1503460079-29721-1-git-send-email-yu.c.chen@intel.com
[yu.c.chen@intel.com: use interval of 128k instead of 100k to avoid modulus]
Link: http://lkml.kernel.org/r/1503328098-5120-1-git-send-email-yu.c.chen@intel.com
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Reported-by: Jan Filipcewicz <jan.filipcewicz@intel.com>
Suggested-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Len Brown <lenb@kernel.org>
Cc: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/page_alloc.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -61,6 +61,7 @@
 #include <linux/page-debug-flags.h>
 #include <linux/hugetlb.h>
 #include <linux/sched/rt.h>
+#include <linux/nmi.h>
 
 #include <asm/sections.h>
 #include <asm/tlbflush.h>
@@ -1354,9 +1355,14 @@ void drain_all_pages(void)
 
 #ifdef CONFIG_HIBERNATION
 
+/*
+ * Touch the watchdog for every WD_PAGE_COUNT pages.
+ */
+#define WD_PAGE_COUNT	(128*1024)
+
 void mark_free_pages(struct zone *zone)
 {
-	unsigned long pfn, max_zone_pfn;
+	unsigned long pfn, max_zone_pfn, page_count = WD_PAGE_COUNT;
 	unsigned long flags;
 	unsigned int order, t;
 	struct list_head *curr;
@@ -1371,6 +1377,11 @@ void mark_free_pages(struct zone *zone)
 		if (pfn_valid(pfn)) {
 			struct page *page = pfn_to_page(pfn);
 
+			if (!--page_count) {
+				touch_nmi_watchdog();
+				page_count = WD_PAGE_COUNT;
+			}
+
 			if (!swsusp_page_is_forbidden(page))
 				swsusp_unset_page_free(page);
 		}
@@ -1380,8 +1391,13 @@ void mark_free_pages(struct zone *zone)
 			unsigned long i;
 
 			pfn = page_to_pfn(list_entry(curr, struct page, lru));
-			for (i = 0; i < (1UL << order); i++)
+			for (i = 0; i < (1UL << order); i++) {
+				if (!--page_count) {
+					touch_nmi_watchdog();
+					page_count = WD_PAGE_COUNT;
+				}
 				swsusp_set_page_free(pfn_to_page(pfn + i));
+			}
 		}
 	}
 	spin_unlock_irqrestore(&zone->lock, flags);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 096/294] ext4: fix overflow caused by missing cast in ext4_resize_fs()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 268/294] staging: dgnc: Fix frame size is larger than 1024B Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 152/294] xfrm_user: fix info leak in build_aevent() Ben Hutchings
                   ` (84 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Jerry Lee

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jerry Lee <jerrylee@qnap.com>

commit aec51758ce10a9c847a62a48a168f8c804c6e053 upstream.

On a 32-bit platform, the value of n_blcoks_count may be wrong during
the file system is resized to size larger than 2^32 blocks.  This may
caused the superblock being corrupted with zero blocks count.

Fixes: 1c6bd7173d66
Signed-off-by: Jerry Lee <jerrylee@qnap.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1929,7 +1929,8 @@ retry:
 			n_desc_blocks = o_desc_blocks +
 				le16_to_cpu(es->s_reserved_gdt_blocks);
 			n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb);
-			n_blocks_count = n_group * EXT4_BLOCKS_PER_GROUP(sb);
+			n_blocks_count = (ext4_fsblk_t)n_group *
+				EXT4_BLOCKS_PER_GROUP(sb);
 			n_group--; /* set to last group number */
 		}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 106/294] x86/asm/64: Clear AC on NMI entries
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (261 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 129/294] arm64: fpsimd: Prevent registers leaking across exec Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 260/294] video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT Ben Hutchings
                   ` (32 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, H. Peter Anvin, Borislav Petkov,
	Brian Gerst, Thomas Gleixner, Josh Poimboeuf, Denys Vlasenko,
	Ingo Molnar, Andy Lutomirski, Linus Torvalds

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit e93c17301ac55321fc18e0f8316e924e58a83c8c upstream.

This closes a hole in our SMAP implementation.

This patch comes from grsecurity. Good catch!

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/314cc9f294e8f14ed85485727556ad4f15bb1659.1502159503.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/entry_64.S | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1476,6 +1476,8 @@ ENTRY(nmi)
 	 * other IST entries.
 	 */
 
+	ASM_CLAC
+
 	/* Use %rdx as out temp variable throughout */
 	pushq_cfi %rdx
 	CFI_REL_OFFSET rdx, 0

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 132/294] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (145 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 179/294] sch_tbf: fix two null pointer dereferences on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 048/294] IB/cma: Fix a race condition in iboe_addr_get_sgid() Ben Hutchings
                   ` (148 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit bbba6f9d3da357bbabc6fda81e99ff5584500e76 upstream.

Lenovo G50-70 (17aa:3978) with Conexant codec chip requires the
similar workaround for the inverted stereo dmic like other Lenovo
models.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1020657
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -3438,6 +3438,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),
+	SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI),
 	SND_PCI_QUIRK(0x1c06, 0x2011, "Lemote A1004", CXT_PINCFG_LEMOTE_A1004),

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 133/294] cifs: Fix df output for users with quota limits
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 052/294] ipv4: initialize fib_trie prior to register_netdev_notifier call Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task Ben Hutchings
                   ` (89 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pierguido Lambri, Steve French, Sachin Prabhu

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sachin Prabhu <sprabhu@redhat.com>

commit 42bec214d8bd432be6d32a1acb0a9079ecd4d142 upstream.

The df for a SMB2 share triggers a GetInfo call for
FS_FULL_SIZE_INFORMATION. The values returned are used to populate
struct statfs.

The problem is that none of the information returned by the call
contains the total blocks available on the filesystem. Instead we use
the blocks available to the user ie. quota limitation when filling out
statfs.f_blocks. The information returned does contain Actual free units
on the filesystem and is used to populate statfs.f_bfree. For users with
quota enabled, it can lead to situations where the total free space
reported is more than the total blocks on the system ending up with df
reports like the following

 # df -h /mnt/a
Filesystem         Size  Used Avail Use% Mounted on
//192.168.22.10/a  2.5G -2.3G  2.5G    - /mnt/a

To fix this problem, we instead populate both statfs.f_bfree with the
same value as statfs.f_bavail ie. CallerAvailableAllocationUnits. This
is similar to what is done already in the code for cifs and df now
reports the quota information for the user used to mount the share.

 # df --si /mnt/a
Filesystem         Size  Used Avail Use% Mounted on
//192.168.22.10/a  2.7G  101M  2.6G   4% /mnt/a

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2486,8 +2486,8 @@ copy_fs_info_to_kstatfs(struct smb2_fs_f
 	kst->f_bsize = le32_to_cpu(pfs_inf->BytesPerSector) *
 			  le32_to_cpu(pfs_inf->SectorsPerAllocationUnit);
 	kst->f_blocks = le64_to_cpu(pfs_inf->TotalAllocationUnits);
-	kst->f_bfree  = le64_to_cpu(pfs_inf->ActualAvailableAllocationUnits);
-	kst->f_bavail = le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
+	kst->f_bfree  = kst->f_bavail =
+			le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
 	return;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 052/294] ipv4: initialize fib_trie prior to register_netdev_notifier call.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (203 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 123/294] ipv6: reset fn->rr_ptr when replacing route Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 133/294] cifs: Fix df output for users with quota limits Ben Hutchings
                   ` (90 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Mahesh Bandewar, Eric W. Biederman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Bandewar <maheshb@google.com>

commit 8799a221f5944a7d74516ecf46d58c28ec1d1f75 upstream.

Net stack initialization currently initializes fib-trie after the
first call to netdevice_notifier() call. In fact fib_trie initialization
needs to happen before first rtnl_register(). It does not cause any problem
since there are no devices UP at this moment, but trying to bring 'lo'
UP at initialization would make this assumption wrong and exposes the issue.

Fixes following crash

 Call Trace:
  ? alternate_node_alloc+0x76/0xa0
  fib_table_insert+0x1b7/0x4b0
  fib_magic.isra.17+0xea/0x120
  fib_add_ifaddr+0x7b/0x190
  fib_netdev_event+0xc0/0x130
  register_netdevice_notifier+0x1c1/0x1d0
  ip_fib_init+0x72/0x85
  ip_rt_init+0x187/0x1e9
  ip_init+0xe/0x1a
  inet_init+0x171/0x26c
  ? ipv4_offload_init+0x66/0x66
  do_one_initcall+0x43/0x160
  kernel_init_freeable+0x191/0x219
  ? rest_init+0x80/0x80
  kernel_init+0xe/0x150
  ret_from_fork+0x22/0x30
 Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08
 RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28
 CR2: 0000000000000014

Fixes: 7b1a74fdbb9e ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.")
Fixes: 7f9b80529b8a ("[IPV4]: fib hash|trie initialization")

Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/fib_frontend.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1175,13 +1175,14 @@ static struct pernet_operations fib_net_
 
 void __init ip_fib_init(void)
 {
-	rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL);
-	rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL);
-	rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL);
+	fib_trie_init();
 
 	register_pernet_subsys(&fib_net_ops);
+
 	register_netdevice_notifier(&fib_netdev_notifier);
 	register_inetaddr_notifier(&fib_inetaddr_notifier);
 
-	fib_trie_init();
+	rtnl_register(PF_INET, RTM_NEWROUTE, inet_rtm_newroute, NULL, NULL);
+	rtnl_register(PF_INET, RTM_DELROUTE, inet_rtm_delroute, NULL, NULL);
+	rtnl_register(PF_INET, RTM_GETROUTE, NULL, inet_dump_fib, NULL);
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 070/294] net/mlx5: Fix command bad flow on command entry allocation failure
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (199 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 281/294] MIPS: MSP71xx: remove odd locking in PCI config space access code Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 015/294] net: bcmgenet: cleanup for bcmgenet_xmit_frag() Ben Hutchings
                   ` (94 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, kernel-team, Moshe Shemesh, Saeed Mahameed

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Moshe Shemesh <moshe@mellanox.com>

commit 219c81f7d1d5a89656cb3b53d3b4e11e93608d80 upstream.

When driver fail to allocate an entry to send command to FW, it must
notify the calling function and release the memory allocated for
this command.

Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
Cc: kernel-team@fb.com
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -547,6 +547,10 @@ static void cb_timeout_handler(struct wo
 	mlx5_cmd_comp_handler(dev, 1UL << ent->idx);
 }
 
+static void free_msg(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *msg);
+static void mlx5_free_cmd_msg(struct mlx5_core_dev *dev,
+			      struct mlx5_cmd_msg *msg);
+
 static void cmd_work_handler(struct work_struct *work)
 {
 	struct mlx5_cmd_work_ent *ent = container_of(work, struct mlx5_cmd_work_ent, work);
@@ -555,16 +559,27 @@ static void cmd_work_handler(struct work
 	unsigned long cb_timeout = msecs_to_jiffies(MLX5_CMD_TIMEOUT_MSEC);
 	struct mlx5_cmd_layout *lay;
 	struct semaphore *sem;
+	int alloc_ret;
 
 	sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
 	down(sem);
 	if (!ent->page_queue) {
-		ent->idx = alloc_ent(cmd);
-		if (ent->idx < 0) {
+		alloc_ret = alloc_ent(cmd);
+		if (alloc_ret < 0) {
 			mlx5_core_err(dev, "failed to allocate command entry\n");
+			if (ent->callback) {
+				ent->callback(-EAGAIN, ent->context);
+				mlx5_free_cmd_msg(dev, ent->out);
+				free_msg(dev, ent->in);
+				free_cmd(ent);
+			} else {
+				ent->ret = -EAGAIN;
+				complete(&ent->done);
+			}
 			up(sem);
 			return;
 		}
+		ent->idx = alloc_ret;
 	} else {
 		ent->idx = cmd->max_reg_cmds;
 	}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 097/294] iscsi-target: Fix iscsi_np reset hung task during parallel delete
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (142 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 073/294] xtensa: fix cache aliasing handling code for WT cache Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 290/294] MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers Ben Hutchings
                   ` (151 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Gary Guo, Hannes Reinecke, Nicholas Bellinger, Mike Christie

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 978d13d60c34818a41fc35962602bdfa5c03f214 upstream.

This patch fixes a bug associated with iscsit_reset_np_thread()
that can occur during parallel configfs rmdir of a single iscsi_np
used across multiple iscsi-target instances, that would result in
hung task(s) similar to below where configfs rmdir process context
was blocked indefinately waiting for iscsi_np->np_restart_comp
to finish:

[ 6726.112076] INFO: task dcp_proxy_node_:15550 blocked for more than 120 seconds.
[ 6726.119440]       Tainted: G        W  O     4.1.26-3321 #2
[ 6726.125045] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 6726.132927] dcp_proxy_node_ D ffff8803f202bc88     0 15550      1 0x00000000
[ 6726.140058]  ffff8803f202bc88 ffff88085c64d960 ffff88083b3b1ad0 ffff88087fffeb08
[ 6726.147593]  ffff8803f202c000 7fffffffffffffff ffff88083f459c28 ffff88083b3b1ad0
[ 6726.155132]  ffff88035373c100 ffff8803f202bca8 ffffffff8168ced2 ffff8803f202bcb8
[ 6726.162667] Call Trace:
[ 6726.165150]  [<ffffffff8168ced2>] schedule+0x32/0x80
[ 6726.170156]  [<ffffffff8168f5b4>] schedule_timeout+0x214/0x290
[ 6726.176030]  [<ffffffff810caef2>] ? __send_signal+0x52/0x4a0
[ 6726.181728]  [<ffffffff8168d7d6>] wait_for_completion+0x96/0x100
[ 6726.187774]  [<ffffffff810e7c80>] ? wake_up_state+0x10/0x10
[ 6726.193395]  [<ffffffffa035d6e2>] iscsit_reset_np_thread+0x62/0xe0 [iscsi_target_mod]
[ 6726.201278]  [<ffffffffa0355d86>] iscsit_tpg_disable_portal_group+0x96/0x190 [iscsi_target_mod]
[ 6726.210033]  [<ffffffffa0363f7f>] lio_target_tpg_store_enable+0x4f/0xc0 [iscsi_target_mod]
[ 6726.218351]  [<ffffffff81260c5a>] configfs_write_file+0xaa/0x110
[ 6726.224392]  [<ffffffff811ea364>] vfs_write+0xa4/0x1b0
[ 6726.229576]  [<ffffffff811eb111>] SyS_write+0x41/0xb0
[ 6726.234659]  [<ffffffff8169042e>] system_call_fastpath+0x12/0x71

It would happen because each iscsit_reset_np_thread() sets state
to ISCSI_NP_THREAD_RESET, sends SIGINT, and then blocks waiting
for completion on iscsi_np->np_restart_comp.

However, if iscsi_np was active processing a login request and
more than a single iscsit_reset_np_thread() caller to the same
iscsi_np was blocked on iscsi_np->np_restart_comp, iscsi_np
kthread process context in __iscsi_target_login_thread() would
flush pending signals and only perform a single completion of
np->np_restart_comp before going back to sleep within transport
specific iscsit_transport->iscsi_accept_np code.

To address this bug, add a iscsi_np->np_reset_count and update
__iscsi_target_login_thread() to keep completing np->np_restart_comp
until ->np_reset_count has reached zero.

Reported-by: Gary Guo <ghg@datera.io>
Tested-by: Gary Guo <ghg@datera.io>
Cc: Mike Christie <mchristi@redhat.com>
Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/iscsi/iscsi_target.c       | 1 +
 drivers/target/iscsi/iscsi_target_core.h  | 1 +
 drivers/target/iscsi/iscsi_target_login.c | 7 +++++--
 3 files changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -431,6 +431,7 @@ int iscsit_reset_np_thread(
 		return 0;
 	}
 	np->np_thread_state = ISCSI_NP_THREAD_RESET;
+	atomic_inc(&np->np_reset_count);
 
 	if (np->np_thread) {
 		spin_unlock_bh(&np->np_thread_lock);
--- a/drivers/target/iscsi/iscsi_target_core.h
+++ b/drivers/target/iscsi/iscsi_target_core.h
@@ -792,6 +792,7 @@ struct iscsi_np {
 	int			np_sock_type;
 	enum np_thread_state_table np_thread_state;
 	bool                    enabled;
+	atomic_t		np_reset_count;
 	enum iscsi_timer_flags_table np_login_timer_flags;
 	u32			np_exports;
 	enum np_flags_table	np_flags;
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -1277,9 +1277,11 @@ static int __iscsi_target_login_thread(s
 	flush_signals(current);
 
 	spin_lock_bh(&np->np_thread_lock);
-	if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+	if (atomic_dec_if_positive(&np->np_reset_count) >= 0) {
 		np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
+		spin_unlock_bh(&np->np_thread_lock);
 		complete(&np->np_restart_comp);
+		return 1;
 	} else if (np->np_thread_state == ISCSI_NP_THREAD_SHUTDOWN) {
 		spin_unlock_bh(&np->np_thread_lock);
 		goto exit;
@@ -1312,7 +1314,8 @@ static int __iscsi_target_login_thread(s
 		goto exit;
 	} else if (rc < 0) {
 		spin_lock_bh(&np->np_thread_lock);
-		if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
+		if (atomic_dec_if_positive(&np->np_reset_count) >= 0) {
+			np->np_thread_state = ISCSI_NP_THREAD_ACTIVE;
 			spin_unlock_bh(&np->np_thread_lock);
 			complete(&np->np_restart_comp);
 			iscsit_put_transport(conn->conn_transport);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 021/294] usb: storage: return on error to avoid a null pointer dereference
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 086/294] i40e: Initialize 64-bit statistics TX ring seqcount Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 099/294] s390/qeth: fix L3 next-hop in xmit qeth hdr Ben Hutchings
                   ` (225 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Colin Ian King, Alan Stern

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 446230f52a5bef593554510302465eabab45a372 upstream.

When us->extra is null the driver is not initialized, however, a
later call to osd200_scsi_to_ata is made that dereferences
us->extra, causing a null pointer dereference.  The code
currently detects and reports that the driver is not initialized;
add a return to avoid the subsequent dereference issue in this
check.

Thanks to Alan Stern for pointing out that srb->result needs setting
to DID_ERROR << 16

Detected by CoverityScan, CID#100308 ("Dereference after null check")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/isd200.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/storage/isd200.c
+++ b/drivers/usb/storage/isd200.c
@@ -1522,8 +1522,11 @@ static void isd200_ata_command(struct sc
 
 	/* Make sure driver was initialized */
 
-	if (us->extra == NULL)
+	if (us->extra == NULL) {
 		usb_stor_dbg(us, "ERROR Driver not initialized\n");
+		srb->result = DID_ERROR << 16;
+		return;
+	}
 
 	scsi_set_resid(srb, 0);
 	/* scsi_bufflen might change in protocol translation to ata */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 048/294] IB/cma: Fix a race condition in iboe_addr_get_sgid()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 132/294] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 040/294] xhci: Bad Ethernet performance plugged in ASM1042A host Ben Hutchings
                   ` (147 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bart Van Assche, Roland Dreier, Doug Ledford, Or Gerlitz,
	Moni Shoua

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit fba332b079029c2f4f7e84c1c1cd8e3867310c90 upstream.

Code that dereferences the struct net_device ip_ptr member must be
protected with an in_dev_get() / in_dev_put() pair. Hence insert
calls to these functions.

Fixes: commit 7b85627b9f02 ("IB/cma: IBoE (RoCE) IP-based GID addressing")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Moni Shoua <monis@mellanox.com>
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Cc: Roland Dreier <roland@purestorage.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/rdma/ib_addr.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/include/rdma/ib_addr.h
+++ b/include/rdma/ib_addr.h
@@ -184,10 +184,12 @@ static inline void iboe_addr_get_sgid(st
 
 	dev = dev_get_by_index(&init_net, dev_addr->bound_dev_if);
 	if (dev) {
-		ip4 = (struct in_device *)dev->ip_ptr;
-		if (ip4 && ip4->ifa_list && ip4->ifa_list->ifa_address)
+		ip4 = in_dev_get(dev);
+		if (ip4 && ip4->ifa_list && ip4->ifa_list->ifa_address) {
 			ipv6_addr_set_v4mapped(ip4->ifa_list->ifa_address,
 					       (struct in6_addr *)gid);
+			in_dev_put(ip4);
+		}
 		dev_put(dev);
 	}
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 118/294] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 208/294] Input: gscps2 - fix MODULE_DEVICE_TABLE invocation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 249/294] net: am2150: fix nmclan_cs.c shared interrupt handling Ben Hutchings
                   ` (241 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Helge Deller, Thomas Bogendoerfer

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>

commit 4098116039911e8870d84c975e2ec22dab65a909 upstream.

For 64bit kernels the lmmio_space_offset of the host bridge window
isn't set correctly on systems with dino/cujo PCI host bridges.
This leads to not assigned memory bars and failing drivers, which
need to use these bars.

Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/parisc/dino.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/parisc/dino.c
+++ b/drivers/parisc/dino.c
@@ -954,7 +954,7 @@ static int __init dino_probe(struct pari
 
 	dino_dev->hba.dev = dev;
 	dino_dev->hba.base_addr = ioremap_nocache(hpa, 4096);
-	dino_dev->hba.lmmio_space_offset = 0;	/* CPU addrs == bus addrs */
+	dino_dev->hba.lmmio_space_offset = PCI_F_EXTEND;
 	spin_lock_init(&dino_dev->dinosaur_pen);
 	dino_dev->hba.iommu = ccio_get_iommu(dev);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 094/294] IB/uverbs: Fix device cleanup
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 064/294] media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 284/294] MIPS: elf2ecoff: Fix warning due to dead code Ben Hutchings
                   ` (167 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Leon Romanovsky, Yishai Hadas,
	Doug Ledford, Matan Barak

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yishai Hadas <yishaih@mellanox.com>

commit efdd6f53b10aead0f5cf19a93dd3eb268ac0d991 upstream.

Uverbs device should be cleaned up only when there is no
potential usage of.

As part of ib_uverbs_remove_one which might be triggered upon reset flow
the device reference count is decreased as expected and leave the final
cleanup to the FDs that were opened.

Current code increases reference count upon opening a new command FD and
decreases it upon closing the file. The event FD is opened internally
and rely on the command FD by taking on it a reference count.

In case that the command FD was closed and just later the event FD we
may ensure that the device resources as of srcu are still alive as they
are still in use.

Fixing the above by moving the reference count decreasing to the place
where the command FD is really freed instead of doing that when it was
just closed.

fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications")
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Reviewed-by: Matan Barak <matanb@mellanox.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -315,6 +315,7 @@ static void ib_uverbs_release_file(struc
 	if (atomic_dec_and_test(&file->device->refcount))
 		ib_uverbs_comp_dev(file->device);
 
+	kobject_put(&file->device->kobj);
 	kfree(file);
 }
 
@@ -784,7 +785,6 @@ err:
 static int ib_uverbs_close(struct inode *inode, struct file *filp)
 {
 	struct ib_uverbs_file *file = filp->private_data;
-	struct ib_uverbs_device *dev = file->device;
 
 	ib_uverbs_cleanup_ucontext(file, file->ucontext);
 
@@ -792,7 +792,6 @@ static int ib_uverbs_close(struct inode
 		kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
 
 	kref_put(&file->ref, ib_uverbs_release_file);
-	kobject_put(&dev->kobj);
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 092/294] ipv6: set rt6i_protocol properly in the route when it is installed
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 024/294] spmi: Include OF based modalias in device uevent Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 219/294] gpio: drop retval check enforcing from gpiochip_remove() Ben Hutchings
                   ` (171 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Xin Long, David S. Miller, Jianlin Shi, David Ahern

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit b91d532928dff2141ea9c107c3e73104d9843767 upstream.

After commit c2ed1880fd61 ("net: ipv6: check route protocol when
deleting routes"), ipv6 route checks rt protocol when trying to
remove a rt entry.

It introduced a side effect causing 'ip -6 route flush cache' not
to work well. When flushing caches with iproute, all route caches
get dumped from kernel then removed one by one by sending DELROUTE
requests to kernel for each cache.

The thing is iproute sends the request with the cache whose proto
is set with RTPROT_REDIRECT by rt6_fill_node() when kernel dumps
it. But in kernel the rt_cache protocol is still 0, which causes
the cache not to be matched and removed.

So the real reason is rt6i_protocol in the route is not set when
it is allocated. As David Ahern's suggestion, this patch is to
set rt6i_protocol properly in the route when it is installed and
remove the codes setting rtm_protocol according to rt6i_flags in
rt6_fill_node.

This is also an improvement to keep rt6i_protocol consistent with
rtm_protocol.

Fixes: c2ed1880fd61 ("net: ipv6: check route protocol when deleting routes")
Reported-by: Jianlin Shi <jishi@redhat.com>
Suggested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/route.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1843,6 +1843,7 @@ static void rt6_do_redirect(struct dst_e
 	if (on_link)
 		nrt->rt6i_flags &= ~RTF_GATEWAY;
 
+	nrt->rt6i_protocol = RTPROT_REDIRECT;
 	nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key;
 
 	if (ip6_ins_rt(nrt))
@@ -1950,6 +1951,7 @@ static struct rt6_info *rt6_add_route_in
 		.fc_dst_len	= prefixlen,
 		.fc_flags	= RTF_GATEWAY | RTF_ADDRCONF | RTF_ROUTEINFO |
 				  RTF_UP | RTF_PREF(pref),
+		.fc_protocol = RTPROT_RA,
 		.fc_nlinfo.portid = 0,
 		.fc_nlinfo.nlh = NULL,
 		.fc_nlinfo.nl_net = net,
@@ -2000,6 +2002,7 @@ struct rt6_info *rt6_add_dflt_router(con
 		.fc_ifindex	= dev->ifindex,
 		.fc_flags	= RTF_GATEWAY | RTF_ADDRCONF | RTF_DEFAULT |
 				  RTF_UP | RTF_EXPIRES | RTF_PREF(pref),
+		.fc_protocol = RTPROT_RA,
 		.fc_nlinfo.portid = 0,
 		.fc_nlinfo.nlh = NULL,
 		.fc_nlinfo.nl_net = dev_net(dev),
@@ -2591,14 +2594,6 @@ static int rt6_fill_node(struct net *net
 	rtm->rtm_flags = 0;
 	rtm->rtm_scope = RT_SCOPE_UNIVERSE;
 	rtm->rtm_protocol = rt->rt6i_protocol;
-	if (rt->rt6i_flags & RTF_DYNAMIC)
-		rtm->rtm_protocol = RTPROT_REDIRECT;
-	else if (rt->rt6i_flags & RTF_ADDRCONF) {
-		if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ROUTEINFO))
-			rtm->rtm_protocol = RTPROT_RA;
-		else
-			rtm->rtm_protocol = RTPROT_KERNEL;
-	}
 
 	if (rt->rt6i_flags & RTF_CACHE)
 		rtm->rtm_flags |= RTM_F_CLONED;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 115/294] ipv4: add reference counting to metrics
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 272/294] ARM: 8221/1: PJ4: allow building in Thumb-2 mode Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 114/294] dst: Increase alignment of metrics to allow extra flag on pointers Ben Hutchings
                   ` (205 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Cong Wang, Julian Anastasov,
	Eric Dumazet, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 3fb07daff8e99243366a081e5129560734de4ada upstream.

Andrey Konovalov reported crashes in ipv4_mtu()

I could reproduce the issue with KASAN kernels, between
10.246.7.151 and 10.246.7.152 :

1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 &

2) At the same time run following loop :
while :
do
 ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
 ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
done

Cong Wang attempted to add back rt->fi in commit
82486aa6f1b9 ("ipv4: restore rt->fi for reference counting")
but this proved to add some issues that were complex to solve.

Instead, I suggested to add a refcount to the metrics themselves,
being a standalone object (in particular, no reference to other objects)

I tried to make this patch as small as possible to ease its backport,
instead of being super clean. Note that we believe that only ipv4 dst
need to take care of the metric refcount. But if this is wrong,
this patch adds the basic infrastructure to extend this to other
families.

Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang
for his efforts on this problem.

Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Give DST_METRICS_REFCOUNTED a value of 4 and struct dst_metrics an
   alignment of 8
 - Update dst_metrics cache size
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -108,16 +108,22 @@ struct dst_entry {
 void *dst_alloc_metrics(gfp_t flags);
 void dst_free_metrics(void *metrics);
 u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old);
-extern const u32 dst_default_metrics[];
 
 #define DST_METRICS_READ_ONLY		0x1UL
 #define DST_METRICS_FORCE_OVERWRITE	0x2UL
+#define DST_METRICS_REFCOUNTED		0x4UL
 #define DST_METRICS_FLAGS		0x7UL
 #define DST_METRICS_ALIGNMENT		0x8UL
 #define __DST_METRICS_PTR(Y)	\
 	((u32 *)((Y) & ~DST_METRICS_FLAGS))
 #define DST_METRICS_PTR(X)	__DST_METRICS_PTR((X)->_metrics)
 
+struct dst_metrics {
+	u32		metrics[RTAX_MAX];
+	atomic_t	refcnt;
+} __aligned(DST_METRICS_ALIGNMENT);
+extern const struct dst_metrics dst_default_metrics;
+
 static inline bool dst_metrics_read_only(const struct dst_entry *dst)
 {
 	return dst->_metrics & DST_METRICS_READ_ONLY;
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -108,11 +108,11 @@ struct fib_info {
 	unsigned char		fib_type;
 	__be32			fib_prefsrc;
 	u32			fib_priority;
-	u32			*fib_metrics;
-#define fib_mtu fib_metrics[RTAX_MTU-1]
-#define fib_window fib_metrics[RTAX_WINDOW-1]
-#define fib_rtt fib_metrics[RTAX_RTT-1]
-#define fib_advmss fib_metrics[RTAX_ADVMSS-1]
+	struct dst_metrics	*fib_metrics;
+#define fib_mtu fib_metrics->metrics[RTAX_MTU-1]
+#define fib_window fib_metrics->metrics[RTAX_WINDOW-1]
+#define fib_rtt fib_metrics->metrics[RTAX_RTT-1]
+#define fib_advmss fib_metrics->metrics[RTAX_ADVMSS-1]
 	int			fib_nhs;
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
 	int			fib_power;
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -149,13 +149,13 @@ int dst_discard_sk(struct sock *sk, stru
 }
 EXPORT_SYMBOL(dst_discard_sk);
 
-const u32 dst_default_metrics[RTAX_MAX + 1] __aligned(DST_METRICS_ALIGNMENT) = {
+const struct dst_metrics dst_default_metrics = {
 	/* This initializer is needed to force linker to place this variable
 	 * into const section. Otherwise it might end into bss section.
 	 * We really want to avoid false sharing on this variable, and catch
 	 * any writes on it.
 	 */
-	[RTAX_MAX] = 0xdeadbeef,
+	.refcnt = ATOMIC_INIT(1),
 };
 
 
@@ -176,7 +176,7 @@ void *dst_alloc(struct dst_ops *ops, str
 	if (dev)
 		dev_hold(dev);
 	dst->ops = ops;
-	dst_init_metrics(dst, dst_default_metrics, true);
+	dst_init_metrics(dst, dst_default_metrics.metrics, true);
 	dst->expires = 0UL;
 	dst->path = dst;
 	dst->from = NULL;
@@ -308,25 +308,30 @@ EXPORT_SYMBOL(dst_free_metrics);
 
 u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old)
 {
-	u32 *p = dst_alloc_metrics(GFP_ATOMIC);
+	struct dst_metrics *p = dst_alloc_metrics(GFP_ATOMIC);
 
 	if (p) {
-		u32 *old_p = __DST_METRICS_PTR(old);
+		struct dst_metrics *old_p = (struct dst_metrics *)__DST_METRICS_PTR(old);
 		unsigned long prev, new;
 
-		memcpy(p, old_p, sizeof(u32) * RTAX_MAX);
+		atomic_set(&p->refcnt, 1);
+		memcpy(p->metrics, old_p->metrics, sizeof(p->metrics));
 
 		new = (unsigned long) p;
 		prev = cmpxchg(&dst->_metrics, old, new);
 
 		if (prev != old) {
 			dst_free_metrics(p);
-			p = __DST_METRICS_PTR(prev);
+			p = (struct dst_metrics *)__DST_METRICS_PTR(prev);
 			if (prev & DST_METRICS_READ_ONLY)
 				p = NULL;
+		} else if (prev & DST_METRICS_REFCOUNTED) {
+			if (atomic_dec_and_test(&old_p->refcnt))
+				dst_free_metrics(old_p);
 		}
 	}
-	return p;
+	BUILD_BUG_ON(offsetof(struct dst_metrics, metrics) != 0);
+	return (u32 *)p;
 }
 EXPORT_SYMBOL(dst_cow_metrics_generic);
 
@@ -335,7 +340,7 @@ void __dst_destroy_metrics_generic(struc
 {
 	unsigned long prev, new;
 
-	new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY;
+	new = ((unsigned long) &dst_default_metrics) | DST_METRICS_READ_ONLY;
 	prev = cmpxchg(&dst->_metrics, old, new);
 	if (prev == old)
 		dst_free_metrics(__DST_METRICS_PTR(old));
@@ -434,7 +439,7 @@ void __init dst_init(void)
 {
 	register_netdevice_notifier(&dst_dev_notifier);
 	metrics_cache = kmem_cache_create("dst_metrics",
-					  sizeof(u32) * RTAX_MAX,
+					  sizeof(struct dst_metrics),
 					  DST_METRICS_ALIGNMENT,
 					  SLAB_PANIC, NULL);
 }
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -201,6 +201,7 @@ static void rt_fibinfo_free_cpus(struct
 static void free_fib_info_rcu(struct rcu_head *head)
 {
 	struct fib_info *fi = container_of(head, struct fib_info, rcu);
+	struct dst_metrics *m;
 
 	change_nexthops(fi) {
 		if (nexthop_nh->nh_dev)
@@ -212,8 +213,9 @@ static void free_fib_info_rcu(struct rcu
 	} endfor_nexthops(fi);
 
 	release_net(fi->fib_net);
-	if (fi->fib_metrics != (u32 *) dst_default_metrics)
-		dst_free_metrics(fi->fib_metrics);
+	m = fi->fib_metrics;
+	if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
+		dst_free_metrics(m);
 	kfree(fi);
 }
 
@@ -826,8 +828,9 @@ struct fib_info *fib_create_info(struct
 		fi->fib_metrics = dst_alloc_metrics(GFP_KERNEL | __GFP_ZERO);
 		if (!fi->fib_metrics)
 			goto failure;
+		atomic_set(&fi->fib_metrics->refcnt, 1);
 	} else
-		fi->fib_metrics = (u32 *) dst_default_metrics;
+		fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
 
 	fi->fib_net = hold_net(net);
 	fi->fib_protocol = cfg->fc_protocol;
@@ -864,7 +867,7 @@ struct fib_info *fib_create_info(struct
 					val = 65535 - 15;
 				if (type == RTAX_HOPLIMIT && val > 255)
 					val = 255;
-				fi->fib_metrics[type - 1] = val;
+				fi->fib_metrics->metrics[type - 1] = val;
 			}
 		}
 	}
@@ -1029,7 +1032,7 @@ int fib_dump_info(struct sk_buff *skb, u
 	if (fi->fib_priority &&
 	    nla_put_u32(skb, RTA_PRIORITY, fi->fib_priority))
 		goto nla_put_failure;
-	if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0)
+	if (rtnetlink_put_metrics(skb, fi->fib_metrics->metrics) < 0)
 		goto nla_put_failure;
 
 	if (fi->fib_prefsrc &&
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1344,8 +1344,12 @@ static void rt_add_uncached_list(struct
 
 static void ipv4_dst_destroy(struct dst_entry *dst)
 {
+	struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
 	struct rtable *rt = (struct rtable *) dst;
 
+	if (p != &dst_default_metrics && atomic_dec_and_test(&p->refcnt))
+		dst_free_metrics(p);
+
 	if (!list_empty(&rt->rt_uncached)) {
 		spin_lock_bh(&rt_uncached_lock);
 		list_del(&rt->rt_uncached);
@@ -1392,7 +1396,11 @@ static void rt_set_nexthop(struct rtable
 			rt->rt_gateway = nh->nh_gw;
 			rt->rt_uses_gateway = 1;
 		}
-		dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+		dst_init_metrics(&rt->dst, fi->fib_metrics->metrics, true);
+		if (fi->fib_metrics != &dst_default_metrics) {
+			rt->dst._metrics |= DST_METRICS_REFCOUNTED;
+			atomic_inc(&fi->fib_metrics->refcnt);
+		}
 #ifdef CONFIG_IP_ROUTE_CLASSID
 		rt->dst.tclassid = nh->nh_tclassid;
 #endif

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 112/294] af_key: do not use GFP_KERNEL in atomic contexts
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (197 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 145/294] ipv6: Add rt6_get_cookie() function Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 281/294] MIPS: MSP71xx: remove odd locking in PCI config space access code Ben Hutchings
                   ` (96 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, David Ahern, Eric Dumazet, David Ahern,
	David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 36f41f8fc6d8aa9f8c9072d66ff7cf9055f5e69b upstream.

pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].

This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.

[1] : syzkaller reported :

in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
 #0:  (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
 #1:  (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
 #2:  (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
 #2:  (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
 __might_sleep+0x95/0x190 kernel/sched/core.c:5947
 slab_pre_alloc_hook mm/slab.h:416 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
 skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
 pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
 pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
 dump_sp+0x3d6/0x500 net/key/af_key.c:2685
 xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
 pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
 pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
 pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
 pfkey_process+0x606/0x710 net/key/af_key.c:2814
 pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 ___sys_sendmsg+0x755/0x890 net/socket.c:2035
 __sys_sendmsg+0xe5/0x210 net/socket.c:2069
 SYSC_sendmsg net/socket.c:2080 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2076
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000

Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/key/af_key.c | 48 ++++++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 22 deletions(-)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -224,7 +224,7 @@ static int pfkey_broadcast_one(struct sk
 #define BROADCAST_ONE		1
 #define BROADCAST_REGISTERED	2
 #define BROADCAST_PROMISC_ONLY	4
-static int pfkey_broadcast(struct sk_buff *skb,
+static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
 			   int broadcast_flags, struct sock *one_sk,
 			   struct net *net)
 {
@@ -274,7 +274,7 @@ static int pfkey_broadcast(struct sk_buf
 	rcu_read_unlock();
 
 	if (one_sk != NULL)
-		err = pfkey_broadcast_one(skb, &skb2, GFP_KERNEL, one_sk);
+		err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
 
 	kfree_skb(skb2);
 	kfree_skb(skb);
@@ -307,7 +307,7 @@ static int pfkey_do_dump(struct pfkey_so
 		hdr = (struct sadb_msg *) pfk->dump.skb->data;
 		hdr->sadb_msg_seq = 0;
 		hdr->sadb_msg_errno = rc;
-		pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
+		pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
 				&pfk->sk, sock_net(&pfk->sk));
 		pfk->dump.skb = NULL;
 	}
@@ -351,7 +351,7 @@ static int pfkey_error(const struct sadb
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) /
 			     sizeof(uint64_t));
 
-	pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
+	pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ONE, sk, sock_net(sk));
 
 	return 0;
 }
@@ -1394,7 +1394,7 @@ static int pfkey_getspi(struct sock *sk,
 
 	xfrm_state_put(x);
 
-	pfkey_broadcast(resp_skb, BROADCAST_ONE, sk, net);
+	pfkey_broadcast(resp_skb, GFP_KERNEL, BROADCAST_ONE, sk, net);
 
 	return 0;
 }
@@ -1481,7 +1481,7 @@ static int key_notify_sa(struct xfrm_sta
 	hdr->sadb_msg_seq = c->seq;
 	hdr->sadb_msg_pid = c->portid;
 
-	pfkey_broadcast(skb, BROADCAST_ALL, NULL, xs_net(x));
+	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xs_net(x));
 
 	return 0;
 }
@@ -1594,7 +1594,7 @@ static int pfkey_get(struct sock *sk, st
 	out_hdr->sadb_msg_reserved = 0;
 	out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
 	out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
-	pfkey_broadcast(out_skb, BROADCAST_ONE, sk, sock_net(sk));
+	pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
 
 	return 0;
 }
@@ -1699,8 +1699,8 @@ static int pfkey_register(struct sock *s
 		return -ENOBUFS;
 	}
 
-	pfkey_broadcast(supp_skb, BROADCAST_REGISTERED, sk, sock_net(sk));
-
+	pfkey_broadcast(supp_skb, GFP_KERNEL, BROADCAST_REGISTERED, sk,
+			sock_net(sk));
 	return 0;
 }
 
@@ -1718,7 +1718,8 @@ static int unicast_flush_resp(struct soc
 	hdr->sadb_msg_errno = (uint8_t) 0;
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
 
-	return pfkey_broadcast(skb, BROADCAST_ONE, sk, sock_net(sk));
+	return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk,
+			       sock_net(sk));
 }
 
 static int key_notify_sa_flush(const struct km_event *c)
@@ -1739,7 +1740,7 @@ static int key_notify_sa_flush(const str
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
 	hdr->sadb_msg_reserved = 0;
 
-	pfkey_broadcast(skb, BROADCAST_ALL, NULL, c->net);
+	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
 
 	return 0;
 }
@@ -1796,7 +1797,7 @@ static int dump_sa(struct xfrm_state *x,
 	out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
 
 	if (pfk->dump.skb)
-		pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
+		pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
 				&pfk->sk, sock_net(&pfk->sk));
 	pfk->dump.skb = out_skb;
 
@@ -1884,7 +1885,7 @@ static int pfkey_promisc(struct sock *sk
 		new_hdr->sadb_msg_errno = 0;
 	}
 
-	pfkey_broadcast(skb, BROADCAST_ALL, NULL, sock_net(sk));
+	pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
 	return 0;
 }
 
@@ -2218,7 +2219,7 @@ static int key_notify_policy(struct xfrm
 	out_hdr->sadb_msg_errno = 0;
 	out_hdr->sadb_msg_seq = c->seq;
 	out_hdr->sadb_msg_pid = c->portid;
-	pfkey_broadcast(out_skb, BROADCAST_ALL, NULL, xp_net(xp));
+	pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xp_net(xp));
 	return 0;
 
 }
@@ -2438,7 +2439,7 @@ static int key_pol_get_resp(struct sock
 	out_hdr->sadb_msg_errno = 0;
 	out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
 	out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
-	pfkey_broadcast(out_skb, BROADCAST_ONE, sk, xp_net(xp));
+	pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, xp_net(xp));
 	err = 0;
 
 out:
@@ -2692,7 +2693,7 @@ static int dump_sp(struct xfrm_policy *x
 	out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
 
 	if (pfk->dump.skb)
-		pfkey_broadcast(pfk->dump.skb, BROADCAST_ONE,
+		pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
 				&pfk->sk, sock_net(&pfk->sk));
 	pfk->dump.skb = out_skb;
 
@@ -2749,7 +2750,7 @@ static int key_notify_policy_flush(const
 	hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
 	hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
 	hdr->sadb_msg_reserved = 0;
-	pfkey_broadcast(skb_out, BROADCAST_ALL, NULL, c->net);
+	pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
 	return 0;
 
 }
@@ -2811,7 +2812,7 @@ static int pfkey_process(struct sock *sk
 	void *ext_hdrs[SADB_EXT_MAX];
 	int err;
 
-	pfkey_broadcast(skb_clone(skb, GFP_KERNEL),
+	pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
 			BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
 
 	memset(ext_hdrs, 0, sizeof(ext_hdrs));
@@ -3033,7 +3034,8 @@ static int key_notify_sa_expire(struct x
 	out_hdr->sadb_msg_seq = 0;
 	out_hdr->sadb_msg_pid = 0;
 
-	pfkey_broadcast(out_skb, BROADCAST_REGISTERED, NULL, xs_net(x));
+	pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
+			xs_net(x));
 	return 0;
 }
 
@@ -3223,7 +3225,8 @@ static int pfkey_send_acquire(struct xfr
 		       xfrm_ctx->ctx_len);
 	}
 
-	return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
+	return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
+			       xs_net(x));
 }
 
 static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
@@ -3421,7 +3424,8 @@ static int pfkey_send_new_mapping(struct
 	n_port->sadb_x_nat_t_port_port = sport;
 	n_port->sadb_x_nat_t_port_reserved = 0;
 
-	return pfkey_broadcast(skb, BROADCAST_REGISTERED, NULL, xs_net(x));
+	return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
+			       xs_net(x));
 }
 
 #ifdef CONFIG_NET_KEY_MIGRATE
@@ -3613,7 +3617,7 @@ static int pfkey_send_migrate(const stru
 	}
 
 	/* broadcast migrate message to sockets */
-	pfkey_broadcast(skb, BROADCAST_ALL, NULL, &init_net);
+	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
 
 	return 0;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 095/294] ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 079/294] xtensa: don't limit csum_partial export by CONFIG_NET Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 148/294] r8169: Do not increment tx_dropped in TX ring cleaning Ben Hutchings
                   ` (68 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jan Kara, Theodore Ts'o, Andreas Gruenbacher

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit fcf5ea10992fbac3c7473a1db33d56a139333cd1 upstream.

ext4_find_unwritten_pgoff() does not properly handle a situation when
starting index is in the middle of a page and blocksize < pagesize. The
following command shows the bug on filesystem with 1k blocksize:

  xfs_io -f -c "falloc 0 4k" \
            -c "pwrite 1k 1k" \
            -c "pwrite 3k 1k" \
            -c "seek -a -r 0" foo

In this example, neither lseek(fd, 1024, SEEK_HOLE) nor lseek(fd, 2048,
SEEK_DATA) will return the correct result.

Fix the problem by neglecting buffers in a page before starting offset.

Reported-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/file.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -344,6 +344,8 @@ static int ext4_find_unwritten_pgoff(str
 				lastoff = page_offset(page);
 				bh = head = page_buffers(page);
 				do {
+					if (lastoff + bh->b_size <= startoff)
+						goto next;
 					if (buffer_uptodate(bh) ||
 					    buffer_unwritten(bh)) {
 						if (whence == SEEK_DATA)
@@ -358,6 +360,7 @@ static int ext4_find_unwritten_pgoff(str
 						unlock_page(page);
 						goto out;
 					}
+next:
 					lastoff += bh->b_size;
 					bh = bh->b_this_page;
 				} while (bh != head);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 030/294] usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (179 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 010/294] net: bcmgenet: fix off-by-one in incrementing read pointer Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 269/294] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Ben Hutchings
                   ` (114 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 59a0879a0e17b2e43ecdc5e3299da85b8410d7ce upstream.

This patch fixes an issue that some registers may be not initialized
after resume if the USBHSF_RUNTIME_PWCTRL is not set. Otherwise,
if a cable is not connected, the driver will not enable INTENB0.VBSE
after resume. And then, the driver cannot detect the VBUS.

Fixes: ca8a282a5373 ("usb: gadget: renesas_usbhs: add suspend/resume support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/common.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/renesas_usbhs/common.c
+++ b/drivers/usb/renesas_usbhs/common.c
@@ -600,8 +600,10 @@ static int usbhsc_resume(struct device *
 	struct usbhs_priv *priv = dev_get_drvdata(dev);
 	struct platform_device *pdev = usbhs_priv_to_pdev(priv);
 
-	if (!usbhsc_flags_has(priv, USBHSF_RUNTIME_PWCTRL))
+	if (!usbhsc_flags_has(priv, USBHSF_RUNTIME_PWCTRL)) {
 		usbhsc_power_ctrl(priv, 1);
+		usbhs_mod_autonomy_mode(priv);
+	}
 
 	usbhs_platform_call(priv, phy_reset, pdev);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 147/294] ipv6: Fix may be used uninitialized warning in rt6_check
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 279/294] MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 009/294] net: bcmgenet: check harder for out of memory conditions Ben Hutchings
                   ` (104 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Klassert <steffen.klassert@secunet.com>

commit 3614364527daa870264f6dde77f02853cdecd02c upstream.

rt_cookie might be used uninitialized, fix this by
initializing it.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1090,7 +1090,7 @@ struct dst_entry *ip6_blackhole_route(st
 static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
 {
 	struct rt6_info *rt;
-	u32 rt_cookie;
+	u32 rt_cookie = 0;
 
 	rt = (struct rt6_info *) dst;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 145/294] ipv6: Add rt6_get_cookie() function
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (196 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 056/294] IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 112/294] af_key: do not use GFP_KERNEL in atomic contexts Ben Hutchings
                   ` (97 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hannes Frederic Sowa, Steffen Klassert, David S. Miller,
	Martin KaFai Lau, Julian Anastasov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin KaFai Lau <kafai@fb.com>

commit b197df4f0f3782782e9ea8996e91b65ae33e8dd9 upstream.

Instead of doing the rt6->rt6i_node check whenever we need
to get the route's cookie.  Refactor it into rt6_get_cookie().
It is a prep work to handle FLOWI_FLAG_KNOWN_NH and also
percpu rt6_info later.

Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/ip6_fib.h           | 5 +++++
 include/net/ip6_route.h         | 2 +-
 net/ipv6/ip6_tunnel.c           | 2 +-
 net/ipv6/tcp_ipv6.c             | 3 +--
 net/ipv6/xfrm6_policy.c         | 6 ++----
 net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
 net/sctp/ipv6.c                 | 2 +-
 7 files changed, 12 insertions(+), 10 deletions(-)

--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -193,6 +193,11 @@ static inline void rt6_set_from(struct r
 	rt->dst.from = new;
 }
 
+static inline u32 rt6_get_cookie(const struct rt6_info *rt)
+{
+	return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+}
+
 static inline void ip6_rt_put(struct rt6_info *rt)
 {
 	/* dst_release() accepts a NULL parameter.
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -146,7 +146,7 @@ static inline void __ip6_dst_store(struc
 #ifdef CONFIG_IPV6_SUBTREES
 	np->saddr_cache = saddr;
 #endif
-	np->dst_cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+	np->dst_cookie = rt6_get_cookie(rt);
 }
 
 static inline void ip6_dst_store(struct sock *sk, struct dst_entry *dst,
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -157,7 +157,7 @@ EXPORT_SYMBOL_GPL(ip6_tnl_dst_reset);
 void ip6_tnl_dst_store(struct ip6_tnl *t, struct dst_entry *dst)
 {
 	struct rt6_info *rt = (struct rt6_info *) dst;
-	t->dst_cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+	t->dst_cookie = rt6_get_cookie(rt);
 	dst_release(t->dst_cache);
 	t->dst_cache = dst;
 }
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -98,8 +98,7 @@ static void inet6_sk_rx_dst_set(struct s
 	dst_hold(dst);
 	sk->sk_rx_dst = dst;
 	inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
-	if (rt->rt6i_node)
-		inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
+	inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
 }
 
 static void tcp_v6_hash(struct sock *sk)
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -85,8 +85,7 @@ static int xfrm6_init_path(struct xfrm_d
 {
 	if (dst->ops->family == AF_INET6) {
 		struct rt6_info *rt = (struct rt6_info*)dst;
-		if (rt->rt6i_node)
-			path->path_cookie = rt->rt6i_node->fn_sernum;
+		path->path_cookie = rt6_get_cookie(rt);
 	}
 
 	path->u.rt6.rt6i_nfheader_len = nfheader_len;
@@ -116,8 +115,7 @@ static int xfrm6_fill_dst(struct xfrm_ds
 						   RTF_LOCAL);
 	xdst->u.rt6.rt6i_metric = rt->rt6i_metric;
 	xdst->u.rt6.rt6i_node = rt->rt6i_node;
-	if (rt->rt6i_node)
-		xdst->route_cookie = rt->rt6i_node->fn_sernum;
+	xdst->route_cookie = rt6_get_cookie(rt);
 	xdst->u.rt6.rt6i_gateway = rt->rt6i_gateway;
 	xdst->u.rt6.rt6i_dst = rt->rt6i_dst;
 	xdst->u.rt6.rt6i_src = rt->rt6i_src;
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -373,7 +373,7 @@ __ip_vs_get_out_rt_v6(struct sk_buff *sk
 				goto err_unreach;
 			}
 			rt = (struct rt6_info *) dst;
-			cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+			cookie = rt6_get_cookie(rt);
 			__ip_vs_dst_set(dest, dest_dst, &rt->dst, cookie);
 			spin_unlock_bh(&dest->dst_lock);
 			IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -331,7 +331,7 @@ out:
 
 		rt = (struct rt6_info *)dst;
 		t->dst = dst;
-		t->dst_cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+		t->dst_cookie = rt6_get_cookie(rt);
 		pr_debug("rt6_dst:%pI6 rt6_src:%pI6\n", &rt->rt6i_dst.addr,
 			 &fl6->saddr);
 	} else {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 124/294] Input: trackpoint - add new trackpoint firmware ID
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (266 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 180/294] wl1251: add a missing spin_lock_init() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 038/294] ARM: kexec: fix failure to boot crash kernel Ben Hutchings
                   ` (27 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aaron Ma, Dmitry Torokhov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit ec667683c532c93fb41e100e5d61a518971060e2 upstream.

Synaptics add new TP firmware ID: 0x2 and 0x3, for now both lower 2 bits
are indicated as TP. Change the constant to bitwise values.

This makes trackpoint to be recognized on Lenovo Carbon X1 Gen5 instead
of it being identified as "PS/2 Generic Mouse".

Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/trackpoint.c | 3 ++-
 drivers/input/mouse/trackpoint.h | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/input/mouse/trackpoint.c
+++ b/drivers/input/mouse/trackpoint.c
@@ -263,7 +263,8 @@ static int trackpoint_start_protocol(str
 	if (ps2_command(&psmouse->ps2dev, param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
 		return -1;
 
-	if (param[0] != TP_MAGIC_IDENT)
+	/* add new TP ID. */
+	if (!(param[0] & TP_MAGIC_IDENT))
 		return -1;
 
 	if (firmware_id)
--- a/drivers/input/mouse/trackpoint.h
+++ b/drivers/input/mouse/trackpoint.h
@@ -21,8 +21,9 @@
 #define TP_COMMAND		0xE2	/* Commands start with this */
 
 #define TP_READ_ID		0xE1	/* Sent for device identification */
-#define TP_MAGIC_IDENT		0x01	/* Sent after a TP_READ_ID followed */
+#define TP_MAGIC_IDENT		0x03	/* Sent after a TP_READ_ID followed */
 					/* by the firmware ID */
+					/* Firmware ID includes 0x1, 0x2, 0x3 */
 
 
 /*

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 140/294] net: systemport: Free DMA coherent descriptors on errors
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 065/294] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 270/294] x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h Ben Hutchings
                   ` (156 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Fainelli, David S. Miller, Eric Dumazet

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit c2062ee3d9615828109ffe8089fbf69bed394d05 upstream.

In case bcm_sysport_init_tx_ring() is not able to allocate ring->cbs, we
would return with an error, and call bcm_sysport_fini_tx_ring() and it
would see that ring->cbs is NULL and do nothing. This would leak the
coherent DMA descriptor area, so we need to free it on error before
returning.

Reported-by: Eric Dumazet <edumazet@gmail.com>
Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -1024,6 +1024,8 @@ static int bcm_sysport_init_tx_ring(stru
 
 	ring->cbs = kzalloc(sizeof(struct bcm_sysport_cb) * size, GFP_KERNEL);
 	if (!ring->cbs) {
+		dma_free_coherent(kdev, sizeof(struct dma_desc),
+				  ring->desc_cpu, ring->desc_dma);
 		netif_err(priv, hw, priv->netdev, "CB allocation failed\n");
 		return -ENOMEM;
 	}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 152/294] xfrm_user: fix info leak in build_aevent()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (210 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 096/294] ext4: fix overflow caused by missing cast in ext4_resize_fs() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 263/294] staging: vt6655: fix overly large stack usage Ben Hutchings
                   ` (83 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jamal Hadi Salim, Steffen Klassert, Mathias Krause

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

commit 931e79d7a7ddee4709c56b39de169a36804589a1 upstream.

The memory reserved to dump the ID of the xfrm state includes a padding
byte in struct xfrm_usersa_id added by the compiler for alignment. To
prevent the heap info leak, memset(0) the sa_id before filling it.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Fixes: d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1752,6 +1752,7 @@ static int build_aevent(struct sk_buff *
 		return -EMSGSIZE;
 
 	id = nlmsg_data(nlh);
+	memset(&id->sa_id, 0, sizeof(id->sa_id));
 	memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr));
 	id->sa_id.spi = x->id.spi;
 	id->sa_id.family = x->props.family;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 113/294] audit: Fix use after free in audit_remove_watch_rule()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 100/294] scsi: st: fix blk_get_queue usage Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 072/294] powerpc/boot: Fix 64-bit boot wrapper build with non-biarch compiler Ben Hutchings
                   ` (235 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tony Jones, Jan Kara, Paul Moore

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream.

audit_remove_watch_rule() drops watch's reference to parent but then
continues to work with it. That is not safe as parent can get freed once
we drop our reference. The following is a trivial reproducer:

mount -o loop image /mnt
touch /mnt/file
auditctl -w /mnt/file -p wax
umount /mnt
auditctl -D
<crash in fsnotify_destroy_mark()>

Grab our own reference in audit_remove_watch_rule() earlier to make sure
mark does not get freed under us.

Reported-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Tested-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/audit_watch.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -455,13 +455,15 @@ void audit_remove_watch_rule(struct audi
 	list_del(&krule->rlist);
 
 	if (list_empty(&watch->rules)) {
+		/*
+		 * audit_remove_watch() drops our reference to 'parent' which
+		 * can get freed. Grab our own reference to be safe.
+		 */
+		audit_get_parent(parent);
 		audit_remove_watch(watch);
-
-		if (list_empty(&parent->watches)) {
-			audit_get_parent(parent);
+		if (list_empty(&parent->watches))
 			fsnotify_destroy_mark(&parent->mark, audit_watch_group);
-			audit_put_parent(parent);
-		}
+		audit_put_parent(parent);
 	}
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 128/294] ALSA: core: Fix unexpected error at replacing user TLV
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (193 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 004/294] Raid5 should update rdev->sectors after reshape Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 262/294] staging: imx-drm: fix indentation warning Ben Hutchings
                   ` (100 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 88c54cdf61f508ebcf8da2d819f5dfc03e954d1d upstream.

When user tries to replace the user-defined control TLV, the kernel
checks the change of its content via memcmp().  The problem is that
the kernel passes the return value from memcmp() as is.  memcmp()
gives a non-zero negative value depending on the comparison result,
and this shall be recognized as an error code.

The patch covers that corner-case, return 1 properly for the changed
TLV.

Fixes: 8aa9b586e420 ("[ALSA] Control API - more robust TLV implementation")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/control.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1087,7 +1087,7 @@ static int snd_ctl_elem_user_tlv(struct
 		mutex_lock(&ue->card->user_ctl_lock);
 		change = ue->tlv_data_size != size;
 		if (!change)
-			change = memcmp(ue->tlv_data, new_data, size);
+			change = memcmp(ue->tlv_data, new_data, size) != 0;
 		kfree(ue->tlv_data);
 		ue->tlv_data = new_data;
 		ue->tlv_data_size = size;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 129/294] arm64: fpsimd: Prevent registers leaking across exec
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (260 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 142/294] netvsc: fix deadlock betwen link status and removal Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 106/294] x86/asm/64: Clear AC on NMI entries Ben Hutchings
                   ` (33 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dave Martin, Ard Biesheuvel, Will Deacon

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 096622104e14d8a1db4860bd557717067a0515d2 upstream.

There are some tricky dependencies between the different stages of
flushing the FPSIMD register state during exec, and these can race
with context switch in ways that can cause the old task's regs to
leak across.  In particular, a context switch during the memset() can
cause some of the task's old FPSIMD registers to reappear.

Disabling preemption for this small window would be no big deal for
performance: preemption is already disabled for similar scenarios
like updating the FPSIMD registers in sigreturn.

So, instead of rearranging things in ways that might swap existing
subtle bugs for new ones, this patch just disables preemption
around the FPSIMD state flushing so that races of this type can't
occur here.  This brings fpsimd_flush_thread() into line with other
code paths.

Fixes: 674c242c9323 ("arm64: flush FP/SIMD state correctly after execve()")
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/fpsimd.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -156,9 +156,11 @@ void fpsimd_thread_switch(struct task_st
 
 void fpsimd_flush_thread(void)
 {
+	preempt_disable();
 	memset(&current->thread.fpsimd_state, 0, sizeof(struct fpsimd_state));
 	fpsimd_flush_task_state(current);
 	set_thread_flag(TIF_FOREIGN_FPSTATE);
+	preempt_enable();
 }
 
 /*

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 033/294] libata: array underflow in ata_find_dev()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 239/294] paride: fix the "verbose" module param Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 088/294] gpio: tegra: fix unbalanced chained_irq_enter/exit Ben Hutchings
                   ` (135 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Dan Carpenter

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream.

My static checker complains that "devno" can be negative, meaning that
we read before the start of the loop.  I've looked at the code, and I
think the warning is right.  This come from /proc so it's root only or
it would be quite a quite a serious bug.  The call tree looks like this:

proc_scsi_write() <- gets id and channel from simple_strtoul()
-> scsi_add_single_device() <- calls shost->transportt->user_scan()
   -> ata_scsi_user_scan()
      -> ata_find_dev()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-scsi.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -2796,10 +2796,12 @@ static unsigned int atapi_xlat(struct at
 static struct ata_device *ata_find_dev(struct ata_port *ap, int devno)
 {
 	if (!sata_pmp_attached(ap)) {
-		if (likely(devno < ata_link_max_devices(&ap->link)))
+		if (likely(devno >= 0 &&
+			   devno < ata_link_max_devices(&ap->link)))
 			return &ap->link.device[devno];
 	} else {
-		if (likely(devno < ap->nr_pmp_links))
+		if (likely(devno >= 0 &&
+			   devno < ap->nr_pmp_links))
 			return &ap->pmp_link[devno].device[0];
 	}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 042/294] xhci: fix memleak in xhci_run()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 002/294] iio: light: tsl2563: use correct event code Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 258/294] netfilter; Add some missing default cases to switch statements in nft_reject Ben Hutchings
                   ` (110 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mathias Nyman, Greg Kroah-Hartman, Shu Wang

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shu Wang <shuwang@redhat.com>

commit d6f5f071f1e13cadecf8aef1faa7e5d6fbc9f33b upstream.

Found this issue by kmemleak.
xhci_run() did not check return val and free command for
xhci_queue_vendor_command()

unreferenced object 0xffff88011c0be500 (size 64):
  comm "kworker/0:1", pid 58, jiffies 4294670908 (age 50.420s)
  hex dump (first 32 bytes):
  backtrace:
    [<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0
    [<ffffffff8121801a>] kmem_cache_alloc_trace+0xca/0x1d0
    [<ffffffff81576bf4>] xhci_alloc_command+0x44/0x130
    [<ffffffff8156f1cc>] xhci_run+0x4cc/0x630
    [<ffffffff8153b84b>] usb_add_hcd+0x3bb/0x950
    [<ffffffff8154eac8>] usb_hcd_pci_probe+0x188/0x500
    [<ffffffff815851ac>] xhci_pci_probe+0x2c/0x220
    [<ffffffff813d2ca5>] local_pci_probe+0x45/0xa0
    [<ffffffff810a54e4>] work_for_cpu_fn+0x14/0x20
    [<ffffffff810a8409>] process_one_work+0x149/0x360
    [<ffffffff810a8d08>] worker_thread+0x1d8/0x3c0
    [<ffffffff810ae7d9>] kthread+0x109/0x140
    [<ffffffff8176d585>] ret_from_fork+0x25/0x30
    [<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: Shu Wang <shuwang@redhat.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -662,8 +662,10 @@ int xhci_run(struct usb_hcd *hcd)
 		command = xhci_alloc_command(xhci, false, false, GFP_KERNEL);
 		if (!command)
 			return -ENOMEM;
-		xhci_queue_vendor_command(xhci, command, 0, 0, 0,
+		ret = xhci_queue_vendor_command(xhci, command, 0, 0, 0,
 				TRB_TYPE(TRB_NEC_GET_FW));
+		if (ret)
+			xhci_free_command(xhci, command);
 	}
 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
 			"Finished xhci_run for USB2 roothub");

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 023/294] of: device: Export of_device_{get_modalias, uvent_modalias} to modules
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
@ 2017-11-06 23:03   ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
                     ` (294 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, devicetree, Peter Chen, Rob Herring, Stephen Boyd

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Boyd <stephen.boyd@linaro.org>

commit 7a3b7cd332db08546f3cdd984f11773e0d1999e7 upstream.

The ULPI bus can be built as a module, and it will soon be
calling these functions when it supports probing devices from DT.
Export them so they can be used by the ULPI module.

Acked-by: Rob Herring <robh@kernel.org>
Cc: <devicetree@vger.kernel.org>
Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/device.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -128,6 +128,7 @@ ssize_t of_device_get_modalias(struct de
 
 	return tsize;
 }
+EXPORT_SYMBOL_GPL(of_device_get_modalias);
 
 /**
  * of_device_uevent - Display OF related uevent information
@@ -190,3 +191,4 @@ int of_device_uevent_modalias(struct dev
 
 	return 0;
 }
+EXPORT_SYMBOL_GPL(of_device_uevent_modalias);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 141/294] mtd: nandsim: remove debugfs entries in error path
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (168 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 243/294] xilinx: Fix compiler warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 041/294] xhci: fix 20000ms port resume timeout Ben Hutchings
                   ` (125 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Brian Norris, Boris Brezillon, Richard Weinberger,
	Uwe Kleine-König

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

commit b974696da1cfc5aa0c29ed97dc8f6c239899e64b upstream.

The debugfs entries must be removed before an error is returned in the
probe function. Otherwise another try to load the module fails and when
the debugfs files are accessed without the module loaded, the kernel
still tries to call a function in that module.

Fixes: 5346c27c5fed ("mtd: nandsim: Introduce debugfs infrastructure")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Richard Weinberger <richard@nod.at>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/nandsim.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mtd/nand/nandsim.c
+++ b/drivers/mtd/nand/nandsim.c
@@ -2387,6 +2387,7 @@ static int __init ns_init_module(void)
         return 0;
 
 err_exit:
+	nandsim_debugfs_remove(nand);
 	free_nandsim(nand);
 	nand_release(nsmtd);
 	for (i = 0;i < ARRAY_SIZE(nand->partitions); ++i)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 150/294] Clarify (and fix) MAX_LFS_FILESIZE macros
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 051/294] RDMA/core: Initialize port_num in qp_attr Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 224/294] ata: hpt366: fix constant cast warning Ben Hutchings
                   ` (257 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Kleikamp, Mark Fasheh, Andreas Dilger, Linus Torvalds,
	Joel Becker

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad upstream.

We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
filesystems (and other IO targets) that know they are 64-bit clean and
don't have any 32-bit limits in their IO path.

It turns out that our 32-bit value for that limit was bogus.  On 32-bit,
the VM layer is limited by the page cache to only 32-bit index values,
but our logic for that was confusing and actually wrong.  We used to
define that value to

	(((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)

which is actually odd in several ways: it limits the index to 31 bits,
and then it limits files so that they can't have data in that last byte
of a page that has the highest 31-bit index (ie page index 0x7fffffff).

Neither of those limitations make sense.  The index is actually the full
32 bit unsigned value, and we can use that whole full page.  So the
maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".

However, we do wan tto avoid the maximum index, because we have code
that iterates over the page indexes, and we don't want that code to
overflow.  So the maximum size of a file on a 32-bit host should
actually be one page less than the full 32-bit index.

So the actual limit is ULONG_MAX << PAGE_SHIFT.  That means that we will
not actually be using the page of that last index (ULONG_MAX), but we
can grow a file up to that limit.

The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
volume.  It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
byte less), but the actual true VM limit is one page less than 16TiB.

This was invisible until commit c2a9737f45e2 ("vfs,mm: fix a dead loop
in truncate_inode_pages_range()"), which started applying that
MAX_LFS_FILESIZE limit to block devices too.

NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
actually just the offset type itself (loff_t), which is signed.  But for
clarity, on 64-bit, just use the maximum signed value, and don't make
people have to count the number of 'f' characters in the hex constant.

So just use LLONG_MAX for the 64-bit case.  That was what the value had
been before too, just written out as a hex constant.

Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Reported-and-tested-by: Doug Nazar <nazard@nazar.ca>
Cc: Andreas Dilger <adilger@dilger.ca>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Dave Kleikamp <shaggy@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: 32-bit definition still used PAGE_CACHE_SIZE]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/fs.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -809,9 +809,9 @@ static inline struct file *get_file(stru
 /* Page cache limit. The filesystems should put that into their s_maxbytes 
    limits, otherwise bad things can happen in VM. */ 
 #if BITS_PER_LONG==32
-#define MAX_LFS_FILESIZE	(((loff_t)PAGE_CACHE_SIZE << (BITS_PER_LONG-1))-1) 
+#define MAX_LFS_FILESIZE	((loff_t)ULONG_MAX << PAGE_SHIFT)
 #elif BITS_PER_LONG==64
-#define MAX_LFS_FILESIZE 	((loff_t)0x7fffffffffffffffLL)
+#define MAX_LFS_FILESIZE 	((loff_t)LLONG_MAX)
 #endif
 
 #define FL_POSIX	1

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 060/294] kprobes/x86: Release insn_slot in failure path
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 053/294] perf/core: Invert perf_read_group() loops Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 261/294] staging: bcm: add 32-bit host dependency Ben Hutchings
                   ` (269 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Anil S Keshavamurthy, Ingo Molnar,
	Linus Torvalds, Masami Hiramatsu, Peter Zijlstra,
	Ananth N Mavinakayanahalli, David S . Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 38115f2f8cec8087d558c062e779c443a01f87d6 upstream.

The following commit:

  003002e04ed3 ("kprobes: Fix arch_prepare_kprobe to handle copy insn failures")

returns an error if the copying of the instruction, but does not release
the allocated insn_slot.

Clean up correctly.

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: David S . Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 003002e04ed3 ("kprobes: Fix arch_prepare_kprobe to handle copy insn failures")
Link: http://lkml.kernel.org/r/150064834183.6172.11694375818447664416.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/kprobes/core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -401,6 +401,8 @@ static int arch_copy_kprobe(struct kprob
 
 int arch_prepare_kprobe(struct kprobe *p)
 {
+	int ret;
+
 	if (alternatives_text_reserved(p->addr, p->addr))
 		return -EINVAL;
 
@@ -411,7 +413,13 @@ int arch_prepare_kprobe(struct kprobe *p
 	if (!p->ainsn.insn)
 		return -ENOMEM;
 
-	return arch_copy_kprobe(p);
+	ret = arch_copy_kprobe(p);
+	if (ret) {
+		free_insn_slot(p->ainsn.insn, 0);
+		p->ainsn.insn = NULL;
+	}
+
+	return ret;
 }
 
 void arch_arm_kprobe(struct kprobe *p)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 093/294] RDMA/uverbs: Prevent leak of reserved field
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 186/294] assoc_array: Fix a buggy node-splitting case Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 108/294] USB: Check for dropped connection before switching to full speed Ben Hutchings
                   ` (291 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dennis Dalessandro, Doug Ledford, Leon Romanovsky

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit f7a6cb7b38c6845b26aaa8bbdf519ff6e3090831 upstream.

initialize to zero the response structure to prevent
the leakage of "resp.reserved" field.

drivers/infiniband/core/uverbs_cmd.c:1178 ib_uverbs_resize_cq() warn:
	check that 'resp.reserved' doesn't leak information

Fixes: 33b9b3ee9709 ("IB: Add userspace support for resizing CQs")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1303,7 +1303,7 @@ ssize_t ib_uverbs_resize_cq(struct ib_uv
 			    int out_len)
 {
 	struct ib_uverbs_resize_cq	cmd;
-	struct ib_uverbs_resize_cq_resp	resp;
+	struct ib_uverbs_resize_cq_resp	resp = {};
 	struct ib_udata                 udata;
 	struct ib_cq			*cq;
 	int				ret = -EINVAL;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 087/294] ixgbe: Initialize 64-bit stats seqcounts
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 245/294] mlx5: avoid build warnings on 32-bit Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 010/294] net: bcmgenet: fix off-by-one in incrementing read pointer Ben Hutchings
                   ` (116 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 7c3a4626eb65e78ebe208f48ffa21a5002f7f38e upstream.

On 32-bit hosts and with CONFIG_DEBUG_LOCK_ALLOC we should be seeing a
lockdep splat indicating this seqcount is not correctly initialized, fix
that.

Fixes: 4197aa7bb818 ("ixgbevf: provide 64 bit statistics")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
@@ -2535,6 +2535,8 @@ int ixgbevf_setup_tx_resources(struct ix
 	if (!tx_ring->tx_buffer_info)
 		goto err;
 
+	u64_stats_init(&tx_ring->syncp);
+
 	/* round up to nearest 4K */
 	tx_ring->size = tx_ring->count * sizeof(union ixgbe_adv_tx_desc);
 	tx_ring->size = ALIGN(tx_ring->size, 4096);
@@ -2595,6 +2597,8 @@ int ixgbevf_setup_rx_resources(struct ix
 	if (!rx_ring->rx_buffer_info)
 		goto err;
 
+	u64_stats_init(&rx_ring->syncp);
+
 	/* Round up to nearest 4K */
 	rx_ring->size = rx_ring->count * sizeof(union ixgbe_adv_rx_desc);
 	rx_ring->size = ALIGN(rx_ring->size, 4096);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 071/294] ARM: pxa: select both FB and FB_W100 for eseries
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 206/294] ethernet: amd: fix pci device ids Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 259/294] drm/i915: cleanup some indenting Ben Hutchings
                   ` (264 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 1d20d8a9fce8f1e2ef00a0f3d068fa18d59ddf8f upstream.

We get a link error trying to access the w100fb_gpio_read/write
functions from the platform when the driver is a loadable module
or not built-in, so the platform already uses 'select' to hard-enable
the driver.

However, that fails if the framebuffer subsystem is disabled
altogether.

I've considered various ways to fix this properly, but they
all seem like too much work or too risky, so this simply
adds another 'select' to force the subsystem on as well.

Fixes: 82427de2c7c3 ("ARM: pxa: PXA_ESERIES depends on FB_W100.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-pxa/Kconfig | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-pxa/Kconfig
+++ b/arch/arm/mach-pxa/Kconfig
@@ -546,6 +546,7 @@ config MACH_ICONTROL
 config ARCH_PXA_ESERIES
 	bool "PXA based Toshiba e-series PDAs"
 	select FB_W100
+	select FB
 	select PXA25x
 
 config MACH_E330

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 031/294] usb: renesas_usbhs: gadget: disable all eps when the driver stops
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (212 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 263/294] staging: vt6655: fix overly large stack usage Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 028/294] usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting Ben Hutchings
                   ` (81 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Yoshihiro Shimoda

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit b8b9c974afee685789fcbb191b52d1790be3608c upstream.

A gadget driver will not disable eps immediately when ->disconnect()
is called. But, since this driver assumes all eps stop after
the ->disconnect(), unexpected behavior happens (especially in system
suspend).
So, this patch disables all eps in usbhsg_try_stop(). After disabling
eps by renesas_usbhs driver, since some functions will be called by
both a gadget and renesas_usbhs driver, renesas_usbhs driver should
protect uep->pipe. To protect uep->pipe easily, this patch adds a new
lock in struct usbhsg_uep.

Fixes: 2f98382dc ("usb: renesas_usbhs: Add Renesas USBHS Gadget")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/mod_gadget.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -36,6 +36,7 @@ struct usbhsg_gpriv;
 struct usbhsg_uep {
 	struct usb_ep		 ep;
 	struct usbhs_pipe	*pipe;
+	spinlock_t		lock;	/* protect the pipe */
 
 	char ep_name[EP_NAME_SIZE];
 
@@ -608,10 +609,16 @@ usbhsg_ep_enable_end:
 static int usbhsg_ep_disable(struct usb_ep *ep)
 {
 	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
-	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
+	struct usbhs_pipe *pipe;
+	unsigned long flags;
+	int ret = 0;
 
-	if (!pipe)
-		return -EINVAL;
+	spin_lock_irqsave(&uep->lock, flags);
+	pipe = usbhsg_uep_to_pipe(uep);
+	if (!pipe) {
+		ret = -EINVAL;
+		goto out;
+	}
 
 	usbhsg_pipe_disable(uep);
 	usbhs_pipe_free(pipe);
@@ -619,6 +626,9 @@ static int usbhsg_ep_disable(struct usb_
 	uep->pipe->mod_private	= NULL;
 	uep->pipe		= NULL;
 
+out:
+	spin_unlock_irqrestore(&uep->lock, flags);
+
 	return 0;
 }
 
@@ -668,8 +678,11 @@ static int usbhsg_ep_dequeue(struct usb_
 {
 	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
 	struct usbhsg_request *ureq = usbhsg_req_to_ureq(req);
-	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
+	struct usbhs_pipe *pipe;
+	unsigned long flags;
 
+	spin_lock_irqsave(&uep->lock, flags);
+	pipe = usbhsg_uep_to_pipe(uep);
 	if (pipe)
 		usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
 
@@ -678,6 +691,7 @@ static int usbhsg_ep_dequeue(struct usb_
 	 * even if the pipe is NULL.
 	 */
 	usbhsg_queue_pop(uep, ureq, -ECONNRESET);
+	spin_unlock_irqrestore(&uep->lock, flags);
 
 	return 0;
 }
@@ -804,10 +818,10 @@ static int usbhsg_try_stop(struct usbhs_
 {
 	struct usbhsg_gpriv *gpriv = usbhsg_priv_to_gpriv(priv);
 	struct usbhs_mod *mod = usbhs_mod_get_current(priv);
-	struct usbhsg_uep *dcp = usbhsg_gpriv_to_dcp(gpriv);
+	struct usbhsg_uep *uep;
 	struct device *dev = usbhs_priv_to_dev(priv);
 	unsigned long flags;
-	int ret = 0;
+	int ret = 0, i;
 
 	/********************  spin lock ********************/
 	usbhs_lock(priv, flags);
@@ -839,7 +853,9 @@ static int usbhsg_try_stop(struct usbhs_
 	usbhs_sys_set_test_mode(priv, 0);
 	usbhs_sys_function_ctrl(priv, 0);
 
-	usbhsg_ep_disable(&dcp->ep);
+	/* disable all eps */
+	usbhsg_for_each_uep_with_dcp(uep, gpriv, i)
+		usbhsg_ep_disable(&uep->ep);
 
 	dev_dbg(dev, "stop gadget\n");
 
@@ -959,6 +975,7 @@ int usbhs_mod_gadget_probe(struct usbhs_
 		ret = -ENOMEM;
 		goto usbhs_mod_gadget_probe_err_gpriv;
 	}
+	spin_lock_init(&uep->lock);
 
 	/*
 	 * CAUTION

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 047/294] RDMA/ocrdma: Fix error codes in ocrdma_create_srq()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 081/294] USB: serial: option: add D-Link DWM-222 device ID Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 183/294] brcmfmac: add length check in brcmf_cfg80211_escan_handler() Ben Hutchings
                   ` (273 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Dan Carpenter

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f0c6e88288d65c93bbc7da4fb6f7d51b2733228a upstream.

If either of these allocations fail then we return ERR_PTR(0).  That's
equivalent to NULL and results in a NULL pointer dereference in the
caller.

Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -1720,6 +1720,7 @@ struct ib_srq *ocrdma_create_srq(struct
 		goto err;
 
 	if (udata == NULL) {
+		status = -ENOMEM;
 		srq->rqe_wr_id_tbl = kzalloc(sizeof(u64) * srq->rq.max_cnt,
 			    GFP_KERNEL);
 		if (srq->rqe_wr_id_tbl == NULL)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 164/294] cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 122/294] staging: rtl8188eu: add RNX-N150NUB support Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 276/294] ARM: 8296/1: cache-l2x0: clean up aurora cache handling Ben Hutchings
                   ` (200 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Tejun Heo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit b339752d054fb32863418452dff350a1086885b1 upstream.

When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of
@node.  The assumption seems that if !NUMA, there shouldn't be more than
one node and thus reporting cpu_online_mask regardless of @node is
correct.  However, that assumption was broken years ago to support
DISCONTIGMEM and whether a system has multiple nodes or not is
separately controlled by NEED_MULTIPLE_NODES.

This means that, on a system with !NUMA && NEED_MULTIPLE_NODES,
cpumask_of_node() will report cpu_online_mask for all possible nodes,
indicating that the CPUs are associated with multiple nodes which is an
impossible configuration.

This bug has been around forever but doesn't look like it has caused any
noticeable symptoms.  However, it triggers a WARN recently added to
workqueue to verify NUMA affinity configuration.

Fix it by reporting empty cpumask on non-zero nodes if !NUMA.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/asm-generic/topology.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/asm-generic/topology.h
+++ b/include/asm-generic/topology.h
@@ -48,7 +48,11 @@
 #define parent_node(node)	((void)(node),0)
 #endif
 #ifndef cpumask_of_node
-#define cpumask_of_node(node)	((void)node, cpu_online_mask)
+  #ifdef CONFIG_NEED_MULTIPLE_NODES
+    #define cpumask_of_node(node)	((node) == 0 ? cpu_online_mask : cpu_none_mask)
+  #else
+    #define cpumask_of_node(node)	((void)node, cpu_online_mask)
+  #endif
 #endif
 #ifndef pcibus_to_node
 #define pcibus_to_node(bus)	((void)(bus), -1)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 107/294] usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 229/294] tty: nozomi: avoid a harmless gcc warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 083/294] drm/msm: fix an integer overflow test Ben Hutchings
                   ` (212 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sandeep Singh, Sandeep Singh, Shyam Sundar S K,
	Felipe Balbi, Nehal Shah, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sandeep Singh <sandeep.singh@amd.com>

commit e788787ef4f9c24aafefc480a8da5f92b914e5e6 upstream.

Certain HP keyboards would keep inputting a character automatically which
is the wake-up key after S3 resume

On some AMD platforms USB host fails to respond (by holding resume-K) to
USB device (an HP keyboard) resume request within 1ms (TURSM) and ensures
that resume is signaled for at least 20 ms (TDRSMDN), which is defined in
USB 2.0 spec. The result is that the keyboard is out of function.

In SNPS USB design, the host responds to the resume request only after
system gets back to S0 and the host gets to functional after the internal
HW restore operation that is more than 1 second after the initial resume
request from the USB device.

As a workaround for specific keyboard ID(HP Keyboards), applying port reset
after resume when the keyboard is plugged in.

Signed-off-by: Sandeep Singh <Sandeep.Singh@amd.com>
Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
Reviewed-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c     |  1 +
 drivers/usb/host/pci-quirks.c | 17 ++++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -246,6 +246,7 @@ static const struct usb_device_id usb_am
 	{ USB_DEVICE(0x093a, 0x2500), .driver_info = USB_QUIRK_RESET_RESUME },
 	{ USB_DEVICE(0x093a, 0x2510), .driver_info = USB_QUIRK_RESET_RESUME },
 	{ USB_DEVICE(0x093a, 0x2521), .driver_info = USB_QUIRK_RESET_RESUME },
+	{ USB_DEVICE(0x03f0, 0x2b4a), .driver_info = USB_QUIRK_RESET_RESUME },
 
 	/* Logitech Optical Mouse M90/M100 */
 	{ USB_DEVICE(0x046d, 0xc05a), .driver_info = USB_QUIRK_RESET_RESUME },
--- a/drivers/usb/host/pci-quirks.c
+++ b/drivers/usb/host/pci-quirks.c
@@ -99,6 +99,7 @@ enum amd_chipset_gen {
 	AMD_CHIPSET_HUDSON2,
 	AMD_CHIPSET_BOLTON,
 	AMD_CHIPSET_YANGTZE,
+	AMD_CHIPSET_TAISHAN,
 	AMD_CHIPSET_UNKNOWN,
 };
 
@@ -142,6 +143,11 @@ static int amd_chipset_sb_type_init(stru
 			pinfo->sb_type.gen = AMD_CHIPSET_SB700;
 		else if (rev >= 0x40 && rev <= 0x4f)
 			pinfo->sb_type.gen = AMD_CHIPSET_SB800;
+	}
+	pinfo->smbus_dev = pci_get_device(PCI_VENDOR_ID_AMD,
+					  0x145c, NULL);
+	if (pinfo->smbus_dev) {
+		pinfo->sb_type.gen = AMD_CHIPSET_TAISHAN;
 	} else {
 		pinfo->smbus_dev = pci_get_device(PCI_VENDOR_ID_AMD,
 				PCI_DEVICE_ID_AMD_HUDSON2_SMBUS, NULL);
@@ -263,11 +269,12 @@ int usb_hcd_amd_remote_wakeup_quirk(stru
 {
 	/* Make sure amd chipset type has already been initialized */
 	usb_amd_find_chipset_info();
-	if (amd_chipset.sb_type.gen != AMD_CHIPSET_YANGTZE)
-		return 0;
-
-	dev_dbg(&pdev->dev, "QUIRK: Enable AMD remote wakeup fix\n");
-	return 1;
+	if (amd_chipset.sb_type.gen == AMD_CHIPSET_YANGTZE ||
+	    amd_chipset.sb_type.gen == AMD_CHIPSET_TAISHAN) {
+		dev_dbg(&pdev->dev, "QUIRK: Enable AMD remote wakeup fix\n");
+		return 1;
+	}
+	return 0;
 }
 EXPORT_SYMBOL_GPL(usb_hcd_amd_remote_wakeup_quirk);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 114/294] dst: Increase alignment of metrics to allow extra flag on pointers
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 115/294] ipv4: add reference counting to metrics Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 117/294] net_sched/sfq: update hierarchical backlog when drop packet Ben Hutchings
                   ` (204 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

For the backport of "ipv4: add reference counting to metrics", we will
need a third flag on metrics pointers.  This was not needed upstream
as the DST_METRICS_FORCE_OVERWRITE flag has been eliminated there.
In order to use three flag bits we need to increase the alignment of
metrics from 4 to 8 bytes.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -105,12 +105,15 @@ struct dst_entry {
 	};
 };
 
+void *dst_alloc_metrics(gfp_t flags);
+void dst_free_metrics(void *metrics);
 u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old);
 extern const u32 dst_default_metrics[];
 
 #define DST_METRICS_READ_ONLY		0x1UL
 #define DST_METRICS_FORCE_OVERWRITE	0x2UL
-#define DST_METRICS_FLAGS		0x3UL
+#define DST_METRICS_FLAGS		0x7UL
+#define DST_METRICS_ALIGNMENT		0x8UL
 #define __DST_METRICS_PTR(Y)	\
 	((u32 *)((Y) & ~DST_METRICS_FLAGS))
 #define DST_METRICS_PTR(X)	__DST_METRICS_PTR((X)->_metrics)
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -155,7 +155,7 @@ static struct dst_ops fake_dst_ops = {
  * ipt_REJECT needs it.  Future netfilter modules might
  * require us to fill additional fields.
  */
-static const u32 br_dst_default_metrics[RTAX_MAX] = {
+static const u32 br_dst_default_metrics[RTAX_MAX] __aligned(DST_METRICS_ALIGNMENT) = {
 	[RTAX_MTU - 1] = 1500,
 };
 
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -149,7 +149,7 @@ int dst_discard_sk(struct sock *sk, stru
 }
 EXPORT_SYMBOL(dst_discard_sk);
 
-const u32 dst_default_metrics[RTAX_MAX + 1] = {
+const u32 dst_default_metrics[RTAX_MAX + 1] __aligned(DST_METRICS_ALIGNMENT) = {
 	/* This initializer is needed to force linker to place this variable
 	 * into const section. Otherwise it might end into bss section.
 	 * We really want to avoid false sharing on this variable, and catch
@@ -292,9 +292,23 @@ void dst_release(struct dst_entry *dst)
 }
 EXPORT_SYMBOL(dst_release);
 
+static struct kmem_cache *metrics_cache;
+
+void *dst_alloc_metrics(gfp_t flags)
+{
+	return kmem_cache_alloc(metrics_cache, flags);
+}
+EXPORT_SYMBOL(dst_alloc_metrics);
+
+void dst_free_metrics(void *metrics)
+{
+	kmem_cache_free(metrics_cache, metrics);
+}
+EXPORT_SYMBOL(dst_free_metrics);
+
 u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old)
 {
-	u32 *p = kmalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC);
+	u32 *p = dst_alloc_metrics(GFP_ATOMIC);
 
 	if (p) {
 		u32 *old_p = __DST_METRICS_PTR(old);
@@ -306,7 +320,7 @@ u32 *dst_cow_metrics_generic(struct dst_
 		prev = cmpxchg(&dst->_metrics, old, new);
 
 		if (prev != old) {
-			kfree(p);
+			dst_free_metrics(p);
 			p = __DST_METRICS_PTR(prev);
 			if (prev & DST_METRICS_READ_ONLY)
 				p = NULL;
@@ -324,7 +338,7 @@ void __dst_destroy_metrics_generic(struc
 	new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY;
 	prev = cmpxchg(&dst->_metrics, old, new);
 	if (prev == old)
-		kfree(__DST_METRICS_PTR(old));
+		dst_free_metrics(__DST_METRICS_PTR(old));
 }
 EXPORT_SYMBOL(__dst_destroy_metrics_generic);
 
@@ -419,4 +433,8 @@ static struct notifier_block dst_dev_not
 void __init dst_init(void)
 {
 	register_netdevice_notifier(&dst_dev_notifier);
+	metrics_cache = kmem_cache_create("dst_metrics",
+					  sizeof(u32) * RTAX_MAX,
+					  DST_METRICS_ALIGNMENT,
+					  SLAB_PANIC, NULL);
 }
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2502,7 +2502,7 @@ static void mod_cur_headers(struct pktge
 
 
 #ifdef CONFIG_XFRM
-static u32 pktgen_dst_metrics[RTAX_MAX + 1] = {
+static u32 pktgen_dst_metrics[RTAX_MAX + 1] __aligned(DST_METRICS_ALIGNMENT) = {
 
 	[RTAX_HOPLIMIT] = 0x5, /* Set a static hoplimit */
 };
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -213,7 +213,7 @@ static void free_fib_info_rcu(struct rcu
 
 	release_net(fi->fib_net);
 	if (fi->fib_metrics != (u32 *) dst_default_metrics)
-		kfree(fi->fib_metrics);
+		dst_free_metrics(fi->fib_metrics);
 	kfree(fi);
 }
 
@@ -823,7 +823,7 @@ struct fib_info *fib_create_info(struct
 		goto failure;
 	fib_info_cnt++;
 	if (cfg->fc_mx) {
-		fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
+		fi->fib_metrics = dst_alloc_metrics(GFP_KERNEL | __GFP_ZERO);
 		if (!fi->fib_metrics)
 			goto failure;
 	} else
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -247,7 +247,7 @@ static struct dst_ops ip6_dst_blackhole_
 	.neigh_lookup		=	ip6_neigh_lookup,
 };
 
-static const u32 ip6_template_metrics[RTAX_MAX] = {
+static const u32 ip6_template_metrics[RTAX_MAX] __aligned(DST_METRICS_ALIGNMENT) = {
 	[RTAX_HOPLIMIT - 1] = 0,
 };
 
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -643,7 +643,7 @@ static int fib6_commit_metrics(struct ds
 	if (dst->flags & DST_HOST) {
 		mp = dst_metrics_write_ptr(dst);
 	} else {
-		mp = kzalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC);
+		mp = dst_alloc_metrics(GFP_ATOMIC | __GFP_ZERO);
 		if (!mp)
 			return -ENOMEM;
 		dst_init_metrics(dst, mp, 0);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 028/294] usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (213 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 031/294] usb: renesas_usbhs: gadget: disable all eps when the driver stops Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 043/294] tracing: Fix kmemleak in instance_rmdir Ben Hutchings
                   ` (80 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kuninori Morimoto, Felipe Balbi, Yoshihiro Shimoda

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit dfb87b8bfe09f933abaf387693992089f6f9053e upstream.

This patch fixes an issue that the renesas_usbhs driver in gadget mode
cannot work correctly even if I disabled DMAC of the driver when I used
the g_zero driver and the testusb tool.

When a usb cable is re-connected, the renesas_usbhs driver calls the
usbhsp_flags_init() (via usbhs_hotplug() --> usbhs_mod_call(start) -->
usbhsg_try_start() --> usbhs_pipe_init()). However, the driver doesn't
call the usbhsp_flags_init() when usbhsg_ep_disable() is called.
So, if a gadget driver calls usb_ep_enable() and usb_ep_disable() again
and again, the renesas_usbhs driver will output the following log:

  renesas_usbhs renesas_usbhs: can't get pipe (BULK)
  renesas_usbhs renesas_usbhs: wrong recip request

Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/mod_gadget.c |  2 ++
 drivers/usb/renesas_usbhs/pipe.c       | 10 ++++++++++
 drivers/usb/renesas_usbhs/pipe.h       |  1 +
 3 files changed, 13 insertions(+)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -607,11 +607,13 @@ usbhsg_ep_enable_end:
 static int usbhsg_ep_disable(struct usb_ep *ep)
 {
 	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
+	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
-	if (!uep->pipe)
+	if (!pipe)
 		return -EINVAL;
 
 	usbhsg_pipe_disable(uep);
+	usbhs_pipe_free(pipe);
 
 	uep->pipe->mod_private	= NULL;
 	uep->pipe		= NULL;
--- a/drivers/usb/renesas_usbhs/pipe.c
+++ b/drivers/usb/renesas_usbhs/pipe.c
@@ -640,6 +640,11 @@ static struct usbhs_pipe *usbhsp_get_pip
 	return pipe;
 }
 
+static void usbhsp_put_pipe(struct usbhs_pipe *pipe)
+{
+	usbhsp_flags_init(pipe);
+}
+
 void usbhs_pipe_init(struct usbhs_priv *priv,
 		     int (*dma_map_ctrl)(struct usbhs_pkt *pkt, int map))
 {
@@ -726,6 +731,11 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
 	return pipe;
 }
 
+void usbhs_pipe_free(struct usbhs_pipe *pipe)
+{
+	usbhsp_put_pipe(pipe);
+}
+
 void usbhs_pipe_select_fifo(struct usbhs_pipe *pipe, struct usbhs_fifo *fifo)
 {
 	if (pipe->fifo)
--- a/drivers/usb/renesas_usbhs/pipe.h
+++ b/drivers/usb/renesas_usbhs/pipe.h
@@ -75,6 +75,7 @@ struct usbhs_pipe_info {
 char *usbhs_pipe_name(struct usbhs_pipe *pipe);
 struct usbhs_pipe
 *usbhs_pipe_malloc(struct usbhs_priv *priv, int endpoint_type, int dir_in);
+void usbhs_pipe_free(struct usbhs_pipe *pipe);
 int usbhs_pipe_probe(struct usbhs_priv *priv);
 void usbhs_pipe_remove(struct usbhs_priv *priv);
 int usbhs_pipe_is_dir_in(struct usbhs_pipe *pipe);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 156/294] l2tp: define parameters of l2tp_session_get*() as "const"
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 170/294] CIFS: remove endian related sparse warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 206/294] ethernet: amd: fix pci device ids Ben Hutchings
                   ` (266 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 9aaef50c44f132e040dcd7686c8e78a3390037c5 upstream.

Make l2tp_pernet()'s parameter constant, so that l2tp_session_get*() can
declare their "net" variable as "const".
Also constify "ifname" in l2tp_session_get_by_ifname().

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 7 ++++---
 net/l2tp/l2tp_core.h | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -119,7 +119,7 @@ static inline struct l2tp_tunnel *l2tp_t
 	return sk->sk_user_data;
 }
 
-static inline struct l2tp_net *l2tp_pernet(struct net *net)
+static inline struct l2tp_net *l2tp_pernet(const struct net *net)
 {
 	BUG_ON(!net);
 
@@ -280,7 +280,7 @@ EXPORT_SYMBOL_GPL(l2tp_session_find);
 /* Like l2tp_session_find() but takes a reference on the returned session.
  * Optionally calls session->ref() too if do_ref is true.
  */
-struct l2tp_session *l2tp_session_get(struct net *net,
+struct l2tp_session *l2tp_session_get(const struct net *net,
 				      struct l2tp_tunnel *tunnel,
 				      u32 session_id, bool do_ref)
 {
@@ -355,7 +355,8 @@ EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
 /* Lookup a session by interface name.
  * This is very inefficient but is only used by management interfaces.
  */
-struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
+						const char *ifname,
 						bool do_ref)
 {
 	struct l2tp_net *pn = l2tp_pernet(net);
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -240,7 +240,7 @@ out:
 	return tunnel;
 }
 
-struct l2tp_session *l2tp_session_get(struct net *net,
+struct l2tp_session *l2tp_session_get(const struct net *net,
 				      struct l2tp_tunnel *tunnel,
 				      u32 session_id, bool do_ref);
 struct l2tp_session *l2tp_session_find(struct net *net,
@@ -248,7 +248,8 @@ struct l2tp_session *l2tp_session_find(s
 				       u32 session_id);
 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
 					  bool do_ref);
-struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
+						const char *ifname,
 						bool do_ref);
 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 146/294] ipv6: add rcu grace period before freeing fib6_node
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 275/294] ARM: 8160/1: drop warning about return_address not using unwind tables Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03   ` Ben Hutchings
                   ` (283 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Martin KaFai Lau, David S. Miller, Wei Wang

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Wang <weiwan@google.com>

commit c5cff8561d2d0006e972bd114afd51f082fee77c upstream.

We currently keep rt->rt6i_node pointing to the fib6_node for the route.
And some functions make use of this pointer to dereference the fib6_node
from rt structure, e.g. rt6_check(). However, as there is neither
refcount nor rcu taken when dereferencing rt->rt6i_node, it could
potentially cause crashes as rt->rt6i_node could be set to NULL by other
CPUs when doing a route deletion.
This patch introduces an rcu grace period before freeing fib6_node and
makes sure the functions that dereference it takes rcu_read_lock().

Note: there is no "Fixes" tag because this bug was there in a very
early stage.

Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/ip6_fib.h | 30 +++++++++++++++++++++++++++++-
 net/ipv6/ip6_fib.c    | 20 ++++++++++++++++----
 net/ipv6/route.c      | 14 +++++++++++---
 3 files changed, 56 insertions(+), 8 deletions(-)

--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -66,6 +66,7 @@ struct fib6_node {
 	__u16			fn_flags;
 	__u32			fn_sernum;
 	struct rt6_info		*rr_ptr;
+	struct rcu_head		rcu;
 };
 
 #ifndef CONFIG_IPV6_SUBTREES
@@ -193,9 +194,36 @@ static inline void rt6_set_from(struct r
 	rt->dst.from = new;
 }
 
+/* Function to safely get fn->sernum for passed in rt
+ * and store result in passed in cookie.
+ * Return true if we can get cookie safely
+ * Return false if not
+ */
+static inline bool rt6_get_cookie_safe(const struct rt6_info *rt,
+				       u32 *cookie)
+{
+	struct fib6_node *fn;
+	bool status = false;
+
+	rcu_read_lock();
+	fn = rcu_dereference(rt->rt6i_node);
+
+	if (fn) {
+		*cookie = fn->fn_sernum;
+		status = true;
+	}
+
+	rcu_read_unlock();
+	return status;
+}
+
 static inline u32 rt6_get_cookie(const struct rt6_info *rt)
 {
-	return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+	u32 cookie = 0;
+
+	rt6_get_cookie_safe(rt, &cookie);
+
+	return cookie;
 }
 
 static inline void ip6_rt_put(struct rt6_info *rt)
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -151,11 +151,23 @@ static __inline__ struct fib6_node *node
 	return fn;
 }
 
-static __inline__ void node_free(struct fib6_node *fn)
+static void node_free_immediate(struct fib6_node *fn)
 {
 	kmem_cache_free(fib6_node_kmem, fn);
 }
 
+static void node_free_rcu(struct rcu_head *head)
+{
+	struct fib6_node *fn = container_of(head, struct fib6_node, rcu);
+
+	kmem_cache_free(fib6_node_kmem, fn);
+}
+
+static void node_free(struct fib6_node *fn)
+{
+	call_rcu(&fn->rcu, node_free_rcu);
+}
+
 static __inline__ void rt6_release(struct rt6_info *rt)
 {
 	if (atomic_dec_and_test(&rt->rt6i_ref))
@@ -551,9 +563,9 @@ insert_above:
 
 		if (!in || !ln) {
 			if (in)
-				node_free(in);
+				node_free_immediate(in);
 			if (ln)
-				node_free(ln);
+				node_free_immediate(ln);
 			return ERR_PTR(-ENOMEM);
 		}
 
@@ -977,7 +989,7 @@ int fib6_add(struct fib6_node *root, str
 				   root, and then (in st_failure) stale node
 				   in main tree.
 				 */
-				node_free(sfn);
+				node_free_immediate(sfn);
 				err = PTR_ERR(sn);
 				goto st_failure;
 			}
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1090,6 +1090,7 @@ struct dst_entry *ip6_blackhole_route(st
 static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
 {
 	struct rt6_info *rt;
+	u32 rt_cookie;
 
 	rt = (struct rt6_info *) dst;
 
@@ -1097,7 +1098,7 @@ static struct dst_entry *ip6_dst_check(s
 	 * DST_OBSOLETE_FORCE_CHK which forces validation calls down
 	 * into this function always.
 	 */
-	if (!rt->rt6i_node || (rt->rt6i_node->fn_sernum != cookie))
+	if (!rt6_get_cookie_safe(rt, &rt_cookie) || rt_cookie != cookie)
 		return NULL;
 
 	if (rt6_check_expired(rt))
@@ -1136,8 +1137,14 @@ static void ip6_link_failure(struct sk_b
 			dst_hold(&rt->dst);
 			if (ip6_del_rt(rt))
 				dst_free(&rt->dst);
-		} else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) {
-			rt->rt6i_node->fn_sernum = -1;
+		} else {
+			struct fib6_node *fn;
+
+			rcu_read_lock();
+			fn = rcu_dereference(rt->rt6i_node);
+			if (fn && (rt->rt6i_flags & RTF_DEFAULT))
+				fn->fn_sernum = -1;
+			rcu_read_unlock();
 		}
 	}
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 040/294] xhci: Bad Ethernet performance plugged in ASM1042A host
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (147 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 048/294] IB/cma: Fix a race condition in iboe_addr_get_sgid() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 046/294] RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd() Ben Hutchings
                   ` (146 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jiahau Chang, Ian Pilcher, Greg Kroah-Hartman,
	Mathias Nyman, Jiahau Chang

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiahau Chang <jiahau@gmail.com>

commit 9da5a1092b13468839b1a864b126cacfb72ad016 upstream.

When USB Ethernet is plugged in ASMEDIA ASM1042A xHCI host, bad
performance was manifesting in Web browser use (like download
large file such as ISO image). It is known limitation of
ASM1042A that is not compatible with driver scheduling,
As a workaround we can modify flow control handling of ASM1042A.
The register we modify is changes the behavior

[use quirk bit 28, usleep_range 40-60us, empty non-pci function -Mathias]
Signed-off-by: Jiahau Chang <Lars_chang@asmedia.com.tw>
Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/pci-quirks.c | 54 +++++++++++++++++++++++++++++++++++++++++++
 drivers/usb/host/pci-quirks.h |  2 ++
 drivers/usb/host/xhci-pci.c   |  6 +++++
 drivers/usb/host/xhci.c       |  6 +++++
 drivers/usb/host/xhci.h       |  1 +
 5 files changed, 69 insertions(+)

--- a/drivers/usb/host/pci-quirks.c
+++ b/drivers/usb/host/pci-quirks.c
@@ -78,6 +78,16 @@
 #define USB_INTEL_USB3_PSSEN   0xD8
 #define USB_INTEL_USB3PRM      0xDC
 
+/* ASMEDIA quirk use */
+#define ASMT_DATA_WRITE0_REG	0xF8
+#define ASMT_DATA_WRITE1_REG	0xFC
+#define ASMT_CONTROL_REG	0xE0
+#define ASMT_CONTROL_WRITE_BIT	0x02
+#define ASMT_WRITEREG_CMD	0x10423
+#define ASMT_FLOWCTL_ADDR	0xFA30
+#define ASMT_FLOWCTL_DATA	0xBA
+#define ASMT_PSEUDO_DATA	0
+
 /*
  * amd_chipset_gen values represent AMD different chipset generations
  */
@@ -415,6 +425,50 @@ void usb_amd_quirk_pll_disable(void)
 }
 EXPORT_SYMBOL_GPL(usb_amd_quirk_pll_disable);
 
+static int usb_asmedia_wait_write(struct pci_dev *pdev)
+{
+	unsigned long retry_count;
+	unsigned char value;
+
+	for (retry_count = 1000; retry_count > 0; --retry_count) {
+
+		pci_read_config_byte(pdev, ASMT_CONTROL_REG, &value);
+
+		if (value == 0xff) {
+			dev_err(&pdev->dev, "%s: check_ready ERROR", __func__);
+			return -EIO;
+		}
+
+		if ((value & ASMT_CONTROL_WRITE_BIT) == 0)
+			return 0;
+
+		usleep_range(40, 60);
+	}
+
+	dev_warn(&pdev->dev, "%s: check_write_ready timeout", __func__);
+	return -ETIMEDOUT;
+}
+
+void usb_asmedia_modifyflowcontrol(struct pci_dev *pdev)
+{
+	if (usb_asmedia_wait_write(pdev) != 0)
+		return;
+
+	/* send command and address to device */
+	pci_write_config_dword(pdev, ASMT_DATA_WRITE0_REG, ASMT_WRITEREG_CMD);
+	pci_write_config_dword(pdev, ASMT_DATA_WRITE1_REG, ASMT_FLOWCTL_ADDR);
+	pci_write_config_byte(pdev, ASMT_CONTROL_REG, ASMT_CONTROL_WRITE_BIT);
+
+	if (usb_asmedia_wait_write(pdev) != 0)
+		return;
+
+	/* send data to device */
+	pci_write_config_dword(pdev, ASMT_DATA_WRITE0_REG, ASMT_FLOWCTL_DATA);
+	pci_write_config_dword(pdev, ASMT_DATA_WRITE1_REG, ASMT_PSEUDO_DATA);
+	pci_write_config_byte(pdev, ASMT_CONTROL_REG, ASMT_CONTROL_WRITE_BIT);
+}
+EXPORT_SYMBOL_GPL(usb_asmedia_modifyflowcontrol);
+
 void usb_amd_quirk_pll_enable(void)
 {
 	usb_amd_quirk_pll(0);
--- a/drivers/usb/host/pci-quirks.h
+++ b/drivers/usb/host/pci-quirks.h
@@ -11,6 +11,7 @@ bool usb_amd_prefetch_quirk(void);
 void usb_amd_dev_put(void);
 void usb_amd_quirk_pll_disable(void);
 void usb_amd_quirk_pll_enable(void);
+void usb_asmedia_modifyflowcontrol(struct pci_dev *pdev);
 void usb_enable_intel_xhci_ports(struct pci_dev *xhci_pdev);
 void usb_disable_xhci_ports(struct pci_dev *xhci_pdev);
 void sb800_prefetch(struct device *dev, int on);
@@ -18,6 +19,7 @@ void sb800_prefetch(struct device *dev,
 struct pci_dev;
 static inline void usb_amd_quirk_pll_disable(void) {}
 static inline void usb_amd_quirk_pll_enable(void) {}
+static inline void usb_asmedia_modifyflowcontrol(struct pci_dev *pdev) {}
 static inline void usb_amd_dev_put(void) {}
 static inline void usb_disable_xhci_ports(struct pci_dev *xhci_pdev) {}
 static inline void sb800_prefetch(struct device *dev, int on) {}
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -52,6 +52,8 @@
 #define PCI_DEVICE_ID_AMD_PROMONTORYA_2			0x43bb
 #define PCI_DEVICE_ID_AMD_PROMONTORYA_1			0x43bc
 
+#define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI		0x1142
+
 static const char hcd_name[] = "xhci_hcd";
 
 /* called after powerup, by probe or system-pm "wakeup" */
@@ -198,6 +200,10 @@ static void xhci_pci_quirks(struct devic
 			pdev->device == 0x1142)
 		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
 
+	if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+		pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+		xhci->quirks |= XHCI_ASMEDIA_MODIFY_FLOWCONTROL;
+
 	if (xhci->quirks & XHCI_RESET_ON_RESUME)
 		xhci_dbg_trace(xhci, trace_xhci_dbg_quirks,
 				"QUIRK: Resetting on resume");
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -191,6 +191,9 @@ int xhci_reset(struct xhci_hcd *xhci)
 	if (ret)
 		return ret;
 
+	if (xhci->quirks & XHCI_ASMEDIA_MODIFY_FLOWCONTROL)
+		usb_asmedia_modifyflowcontrol(to_pci_dev(xhci_to_hcd(xhci)->self.controller));
+
 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
 			 "Wait for controller to be ready for doorbell rings");
 	/*
@@ -1116,6 +1119,9 @@ int xhci_resume(struct xhci_hcd *xhci, b
 	if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) && !comp_timer_running)
 		compliance_mode_recovery_timer_init(xhci);
 
+	if (xhci->quirks & XHCI_ASMEDIA_MODIFY_FLOWCONTROL)
+		usb_asmedia_modifyflowcontrol(to_pci_dev(hcd->self.controller));
+
 	/* Re-enable port polling. */
 	xhci_dbg(xhci, "%s: starting port polling.\n", __func__);
 	set_bit(HCD_FLAG_POLL_RH, &hcd->flags);
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1570,6 +1570,7 @@ struct xhci_hcd {
 #define XHCI_PME_STUCK_QUIRK	(1 << 20)
 #define XHCI_MISSING_CAS	(1 << 24)
 #define XHCI_U2_DISABLE_WAKE	(1 << 27)
+#define XHCI_ASMEDIA_MODIFY_FLOWCONTROL	(1 << 28)
 	unsigned int		num_active_eps;
 	unsigned int		limit_active_eps;
 	/* There are two roothubs to keep track of bus suspend info for */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 130/294] arm64: mm: abort uaccess retries upon fatal signal
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (244 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 254/294] hostap: avoid uninitialized variable use in hfa384x_get_rid Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 171/294] net_sched: fix error recovery at qdisc creation Ben Hutchings
                   ` (49 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mark Rutland, Will Deacon, Catalin Marinas, Laura Abbott,
	James Morse, Steve Capper

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 289d07a2dc6c6b6f3e4b8a62669320d99dbe6c3d upstream.

When there's a fatal signal pending, arm64's do_page_fault()
implementation returns 0. The intent is that we'll return to the
faulting userspace instruction, delivering the signal on the way.

However, if we take a fatal signal during fixing up a uaccess, this
results in a return to the faulting kernel instruction, which will be
instantly retried, resulting in the same fault being taken forever. As
the task never reaches userspace, the signal is not delivered, and the
task is left unkillable. While the task is stuck in this state, it can
inhibit the forward progress of the system.

To avoid this, we must ensure that when a fatal signal is pending, we
apply any necessary fixup for a faulting kernel instruction. Thus we
will return to an error path, and it is up to that code to make forward
progress towards delivering the fatal signal.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Laura Abbott <labbott@redhat.com>
Reviewed-by: Steve Capper <steve.capper@arm.com>
Tested-by: Steve Capper <steve.capper@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
Tested-by: James Morse <james.morse@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/mm/fault.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -252,8 +252,11 @@ retry:
 	 * signal first. We do not need to release the mmap_sem because it
 	 * would already be released in __lock_page_or_retry in mm/filemap.c.
 	 */
-	if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current))
+	if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) {
+		if (!user_mode(regs))
+			goto no_context;
 		return 0;
+	}
 
 	/*
 	 * Major/minor page fault accounting is only done on the initial

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (171 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 218/294] dma: pl08x: Use correct specifier for size_t values Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-07  3:19   ` Joe Perches
  2017-11-06 23:03 ` [PATCH 3.16 252/294] net: vxge: avoid unused function warnings Ben Hutchings
                   ` (122 subsequent siblings)
  295 siblings, 1 reply; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mike Snitzer, Joe Perches

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Perches <joe@perches.com>

commit d2c3c8dcb5987b8352e82089c79a41b6e17e28d2 upstream.

Using pr_<level> is the more common logging style.

Standardize style and use new macro DM_FMT.
Use no_printk in DMDEBUG macros when CONFIG_DM_DEBUG is not #defined.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/device-mapper.h | 71 +++++++++++++++++++------------------------
 1 file changed, 32 insertions(+), 39 deletions(-)

--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -489,48 +489,41 @@ extern struct ratelimit_state dm_ratelim
 #define dm_ratelimit()	0
 #endif
 
-#define DMCRIT(f, arg...) \
-	printk(KERN_CRIT DM_NAME ": " DM_MSG_PREFIX ": " f "\n", ## arg)
+#define DM_FMT(fmt) DM_NAME ": " DM_MSG_PREFIX ": " fmt "\n"
 
-#define DMERR(f, arg...) \
-	printk(KERN_ERR DM_NAME ": " DM_MSG_PREFIX ": " f "\n", ## arg)
-#define DMERR_LIMIT(f, arg...) \
-	do { \
-		if (dm_ratelimit())	\
-			printk(KERN_ERR DM_NAME ": " DM_MSG_PREFIX ": " \
-			       f "\n", ## arg); \
-	} while (0)
-
-#define DMWARN(f, arg...) \
-	printk(KERN_WARNING DM_NAME ": " DM_MSG_PREFIX ": " f "\n", ## arg)
-#define DMWARN_LIMIT(f, arg...) \
-	do { \
-		if (dm_ratelimit())	\
-			printk(KERN_WARNING DM_NAME ": " DM_MSG_PREFIX ": " \
-			       f "\n", ## arg); \
-	} while (0)
-
-#define DMINFO(f, arg...) \
-	printk(KERN_INFO DM_NAME ": " DM_MSG_PREFIX ": " f "\n", ## arg)
-#define DMINFO_LIMIT(f, arg...) \
-	do { \
-		if (dm_ratelimit())	\
-			printk(KERN_INFO DM_NAME ": " DM_MSG_PREFIX ": " f \
-			       "\n", ## arg); \
-	} while (0)
+#define DMCRIT(fmt, ...) pr_crit(DM_FMT(fmt), ##__VA_ARGS__)
+
+#define DMERR(fmt, ...) pr_err(DM_FMT(fmt), ##__VA_ARGS__)
+#define DMERR_LIMIT(fmt, ...)						\
+do {									\
+	if (dm_ratelimit())						\
+		DMERR(fmt, ##__VA_ARGS__);				\
+} while (0)
+
+#define DMWARN(fmt, ...) pr_warn(DM_FMT(fmt), ##__VA_ARGS__)
+#define DMWARN_LIMIT(fmt, ...)						\
+do {									\
+	if (dm_ratelimit())						\
+		DMWARN(fmt, ##__VA_ARGS__);				\
+} while (0)
+
+#define DMINFO(fmt, ...) pr_info(DM_FMT(fmt), ##__VA_ARGS__)
+#define DMINFO_LIMIT(fmt, ...)						\
+do {									\
+	if (dm_ratelimit())						\
+		DMINFO(fmt, ##__VA_ARGS__);				\
+} while (0)
 
 #ifdef CONFIG_DM_DEBUG
-#  define DMDEBUG(f, arg...) \
-	printk(KERN_DEBUG DM_NAME ": " DM_MSG_PREFIX " DEBUG: " f "\n", ## arg)
-#  define DMDEBUG_LIMIT(f, arg...) \
-	do { \
-		if (dm_ratelimit())	\
-			printk(KERN_DEBUG DM_NAME ": " DM_MSG_PREFIX ": " f \
-			       "\n", ## arg); \
-	} while (0)
+#define DMDEBUG(fmt, ...) printk(KERN_DEBUG DM_FMT(fmt), ##__VA_ARGS__)
+#define DMDEBUG_LIMIT(fmt, ...)						\
+do {									\
+	if (dm_ratelimit())						\
+		DMDEBUG(fmt, ##__VA_ARGS__);				\
+} while (0)
 #else
-#  define DMDEBUG(f, arg...) do {} while (0)
-#  define DMDEBUG_LIMIT(f, arg...) do {} while (0)
+#define DMDEBUG(fmt, ...) no_printk(fmt, ##__VA_ARGS__)
+#define DMDEBUG_LIMIT(fmt, ...) no_printk(fmt, ##__VA_ARGS__)
 #endif
 
 #define DMEMIT(x...) sz += ((sz >= maxlen) ? \

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 027/294] staging: rtl8188eu: add TL-WN722N v2 support
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 222/294] ASoC: fsl_sai: Set SYNC bit of TCR2 to Asynchronous Mode Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 003/294] iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits Ben Hutchings
                   ` (229 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Michael Gugino

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Gugino <michael.gugino.2@gmail.com>

commit 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 upstream.

Add support for USB Device TP-Link TL-WN722N v2.
VendorID: 0x2357, ProductID: 0x010c

Signed-off-by: Michael Gugino <michael.gugino.2@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -59,6 +59,7 @@ static struct usb_device_id rtw_usb_id_t
 	{USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
 	{USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
 	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
+	{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
 	{}	/* Terminating entry */
 };

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 098/294] irqchip: brcmstb-l2: Define an irq_pm_shutdown function
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 117/294] net_sched/sfq: update hierarchical backlog when drop packet Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 122/294] staging: rtl8188eu: add RNX-N150NUB support Ben Hutchings
                   ` (202 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, Marc Zyngier, Gregory Fong

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit c017d21147848fe017772764a77a7f32c5b017f9 upstream.

The Broadcom STB platforms support S5 and we allow specific hardware
wake-up events to take us out of this state. Because we were not
defining an irq_pm_shutdown() function pointer, we would not be
correctly masking non-wakeup events, which would result in spurious
wake-ups from sources that were not explicitly configured for wake-up.

Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller")
Acked-by: Gregory Fong <gregory.0xf0@gmail.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/irqchip/irq-brcmstb-l2.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/irqchip/irq-brcmstb-l2.c
+++ b/drivers/irqchip/irq-brcmstb-l2.c
@@ -176,6 +176,7 @@ int __init brcmstb_l2_intc_of_init(struc
 
 	ct->chip.irq_suspend = brcmstb_l2_intc_suspend;
 	ct->chip.irq_resume = brcmstb_l2_intc_resume;
+	ct->chip.irq_pm_shutdown = brcmstb_l2_intc_suspend;
 
 	if (of_property_read_bool(np, "brcm,irq-can-wake")) {
 		data->can_wake = true;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 020/294] USB: cdc-acm: add device-id for quirky printer
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 057/294] IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 001/294] fuse: initialize the flock flag in fuse_file on allocation Ben Hutchings
                   ` (192 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Oliver Neukum, Anton Avramov, Johan Hovold

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit fe855789d605590e57f9cd968d85ecce46f5c3fd upstream.

Add device-id entry for DATECS FP-2000 fiscal printer needing the
NO_UNION_NORMAL quirk.

Reported-by: Anton Avramov <lukav@lukav.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1772,6 +1772,9 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x1576, 0x03b1), /* Maretron USB100 */
 	.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
 	},
+	{ USB_DEVICE(0xfff0, 0x0100), /* DATECS FP-2000 */
+	.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
+	},
 
 	{ USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
 	.driver_info = CLEAR_HALT_CONDITIONS,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 090/294] net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (223 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 025/294] ASoC: do not close shared backend dailink Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 079/294] xtensa: don't limit csum_partial export by CONFIG_NET Ben Hutchings
                   ` (70 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Inbar Karmy, Tariq Toukan

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Inbar Karmy <inbark@mellanox.com>

commit c994f778bb1cca8ebe7a4e528cefec233e93b5cc upstream.

Currently when WoL is supported but disabled, ethtool reports:
"Supports Wake-on: d".
Fix the indication of Wol support, so that the indication
remains "g" all the time if the NIC supports WoL.

Tested:
As accepted, when NIC supports WoL- ethtool reports:
	Supports Wake-on: g
	Wake-on: d
when NIC doesn't support WoL- ethtool reports:
        Supports Wake-on: d
        Wake-on: d

Fixes: 14c07b1358ed ("mlx4: Wake on LAN support")
Signed-off-by: Inbar Karmy <inbark@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 15 ++++++++-------
 drivers/net/ethernet/mellanox/mlx4/fw.c         |  4 ++++
 drivers/net/ethernet/mellanox/mlx4/fw.h         |  1 +
 drivers/net/ethernet/mellanox/mlx4/main.c       |  2 ++
 include/linux/mlx4/device.h                     |  1 +
 5 files changed, 16 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -142,6 +142,7 @@ static void mlx4_en_get_wol(struct net_d
 			    struct ethtool_wolinfo *wol)
 {
 	struct mlx4_en_priv *priv = netdev_priv(netdev);
+	struct mlx4_caps *caps = &priv->mdev->dev->caps;
 	int err = 0;
 	u64 config = 0;
 	u64 mask;
@@ -154,24 +155,24 @@ static void mlx4_en_get_wol(struct net_d
 	mask = (priv->port == 1) ? MLX4_DEV_CAP_FLAG_WOL_PORT1 :
 		MLX4_DEV_CAP_FLAG_WOL_PORT2;
 
-	if (!(priv->mdev->dev->caps.flags & mask)) {
+	if (!(caps->flags & mask)) {
 		wol->supported = 0;
 		wol->wolopts = 0;
 		return;
 	}
 
+	if (caps->wol_port[priv->port])
+		wol->supported = WAKE_MAGIC;
+	else
+		wol->supported = 0;
+
 	err = mlx4_wol_read(priv->mdev->dev, &config, priv->port);
 	if (err) {
 		en_err(priv, "Failed to get WoL information\n");
 		return;
 	}
 
-	if (config & MLX4_EN_WOL_MAGIC)
-		wol->supported = WAKE_MAGIC;
-	else
-		wol->supported = 0;
-
-	if (config & MLX4_EN_WOL_ENABLED)
+	if ((config & MLX4_EN_WOL_ENABLED) && (config & MLX4_EN_WOL_MAGIC))
 		wol->wolopts = WAKE_MAGIC;
 	else
 		wol->wolopts = 0;
--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
@@ -532,6 +532,7 @@ int mlx4_QUERY_DEV_CAP(struct mlx4_dev *
 #define QUERY_DEV_CAP_CQ_TS_SUPPORT_OFFSET	0x3e
 #define QUERY_DEV_CAP_MAX_PKEY_OFFSET		0x3f
 #define QUERY_DEV_CAP_EXT_FLAGS_OFFSET		0x40
+#define QUERY_DEV_CAP_WOL_OFFSET		0x43
 #define QUERY_DEV_CAP_FLAGS_OFFSET		0x44
 #define QUERY_DEV_CAP_RSVD_UAR_OFFSET		0x48
 #define QUERY_DEV_CAP_UAR_SZ_OFFSET		0x49
@@ -658,6 +659,9 @@ int mlx4_QUERY_DEV_CAP(struct mlx4_dev *
 	MLX4_GET(ext_flags, outbox, QUERY_DEV_CAP_EXT_FLAGS_OFFSET);
 	MLX4_GET(flags, outbox, QUERY_DEV_CAP_FLAGS_OFFSET);
 	dev_cap->flags = flags | (u64)ext_flags << 32;
+	MLX4_GET(field, outbox, QUERY_DEV_CAP_WOL_OFFSET);
+	dev_cap->wol_port[1] = !!(field & 0x20);
+	dev_cap->wol_port[2] = !!(field & 0x40);
 	MLX4_GET(field, outbox, QUERY_DEV_CAP_RSVD_UAR_OFFSET);
 	dev_cap->reserved_uars = field >> 4;
 	MLX4_GET(field, outbox, QUERY_DEV_CAP_UAR_SZ_OFFSET);
--- a/drivers/net/ethernet/mellanox/mlx4/fw.h
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.h
@@ -120,6 +120,7 @@ struct mlx4_dev_cap {
 	u8  log_max_macs[MLX4_MAX_PORTS + 1];
 	u8  log_max_vlans[MLX4_MAX_PORTS + 1];
 	u32 max_counters;
+	bool wol_port[MLX4_MAX_PORTS + 1];
 };
 
 struct mlx4_func_cap {
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -279,6 +279,8 @@ static int mlx4_dev_cap(struct mlx4_dev
 	dev->caps.stat_rate_support  = dev_cap->stat_rate_support;
 	dev->caps.max_gso_sz	     = dev_cap->max_gso_sz;
 	dev->caps.max_rss_tbl_sz     = dev_cap->max_rss_tbl_sz;
+	dev->caps.wol_port[1]          = dev_cap->wol_port[1];
+	dev->caps.wol_port[2]          = dev_cap->wol_port[2];
 
 	/* Sense port always allowed on supported devices for ConnectX-1 and -2 */
 	if (mlx4_priv(dev)->pci_dev_data & MLX4_PCI_DEV_FORCE_SENSE_PORT)
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -467,6 +467,7 @@ struct mlx4_caps {
 	u16			hca_core_clock;
 	u64			phys_port_id[MLX4_MAX_PORTS + 1];
 	int			tunnel_offload_mode;
+	bool			wol_port[MLX4_MAX_PORTS + 1];
 };
 
 struct mlx4_buf_list {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 065/294] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 253/294] drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 140/294] net: systemport: Free DMA coherent descriptors on errors Ben Hutchings
                   ` (157 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Prabhakar Lad, Hans Verkuil

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Prabhakar Lad <prabhakar.csengg@gmail.com>

commit da05d52d2f0f6bd61094a0cd045fed94bf7d673a upstream.

this patch makes sure VPFE_CMD_S_CCDC_RAW_PARAMS ioctl no longer works
for vpfe_capture driver with a minimal patch suitable for backporting.

- This ioctl was never in public api and was only defined in kernel header.
- The function set_params constantly mixes up pointers and phys_addr_t
  numbers.
- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
  described as an 'experimental ioctl that will change in future kernels'.
- The code to allocate the table never gets called after we copy_from_user
  the user input over the kernel settings, and then compare them
  for inequality.
- We then go on to use an address provided by user space as both the
  __user pointer for input and pass it through phys_to_virt to come up
  with a kernel pointer to copy the data to. This looks like a trivially
  exploitable root hole.

Due to these reasons we make sure this ioctl now returns -EINVAL and backport
this patch as far as possible.

Fixes: 5f15fbb68fd7 ("V4L/DVB (12251): v4l: dm644x ccdc module for vpfe capture driver")

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/davinci/vpfe_capture.c | 22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)

--- a/drivers/media/platform/davinci/vpfe_capture.c
+++ b/drivers/media/platform/davinci/vpfe_capture.c
@@ -1708,27 +1708,9 @@ static long vpfe_param_handler(struct fi
 
 	switch (cmd) {
 	case VPFE_CMD_S_CCDC_RAW_PARAMS:
+		ret = -EINVAL;
 		v4l2_warn(&vpfe_dev->v4l2_dev,
-			  "VPFE_CMD_S_CCDC_RAW_PARAMS: experimental ioctl\n");
-		if (ccdc_dev->hw_ops.set_params) {
-			ret = ccdc_dev->hw_ops.set_params(param);
-			if (ret) {
-				v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-					"Error setting parameters in CCDC\n");
-				goto unlock_out;
-			}
-			ret = vpfe_get_ccdc_image_format(vpfe_dev,
-							 &vpfe_dev->fmt);
-			if (ret < 0) {
-				v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-					"Invalid image format at CCDC\n");
-				goto unlock_out;
-			}
-		} else {
-			ret = -EINVAL;
-			v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-				"VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
-		}
+			"VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
 		break;
 	default:
 		ret = -ENOTTY;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 101/294] net: remove open-coded skb_cow_head.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 148/294] r8169: Do not increment tx_dropped in TX ring cleaning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 172/294] sch_htb: fix crash on init failure Ben Hutchings
                   ` (66 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, françois romieu, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: françois romieu <romieu@fr.zoreil.com>

commit a40e0a664bce465a3b8ad1d792153cef8ded9f7d upstream.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2437,8 +2437,8 @@ struct sk_buff *__skb_gso_segment(struct
 
 		skb_warn_bad_offload(skb);
 
-		if (skb_header_cloned(skb) &&
-		    (err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
+		err = skb_cow_head(skb, 0);
+		if (err < 0)
 			return ERR_PTR(err);
 	}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 068/294] sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (276 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 189/294] KEYS: don't let add_key() update an uninstantiated key Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 202/294] mm/init: fix zone boundary creation Ben Hutchings
                   ` (17 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexander Potapenko, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@google.com>

commit b1f5bfc27a19f214006b9b4db7b9126df2dfdf5a upstream.

If the length field of the iterator (|pos.p| or |err|) is past the end
of the chunk, we shouldn't access it.

This bug has been detected by KMSAN. For the following pair of system
calls:

  socket(PF_INET6, SOCK_STREAM, 0x84 /* IPPROTO_??? */) = 3
  sendto(3, "A", 1, MSG_OOB, {sa_family=AF_INET6, sin6_port=htons(0),
         inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0,
         sin6_scope_id=0}, 28) = 1

the tool has reported a use of uninitialized memory:

  ==================================================================
  BUG: KMSAN: use of uninitialized memory in sctp_rcv+0x17b8/0x43b0
  CPU: 1 PID: 2940 Comm: probe Not tainted 4.11.0-rc5+ #2926
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
  01/01/2011
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x172/0x1c0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927
   __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469
   __sctp_rcv_init_lookup net/sctp/input.c:1074
   __sctp_rcv_lookup_harder net/sctp/input.c:1233
   __sctp_rcv_lookup net/sctp/input.c:1255
   sctp_rcv+0x17b8/0x43b0 net/sctp/input.c:170
   sctp6_rcv+0x32/0x70 net/sctp/ipv6.c:984
   ip6_input_finish+0x82f/0x1ee0 net/ipv6/ip6_input.c:279
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_input+0x239/0x290 net/ipv6/ip6_input.c:322
   dst_input ./include/net/dst.h:492
   ip6_rcv_finish net/ipv6/ip6_input.c:69
   NF_HOOK ./include/linux/netfilter.h:257
   ipv6_rcv+0x1dbd/0x22e0 net/ipv6/ip6_input.c:203
   __netif_receive_skb_core+0x2f6f/0x3a20 net/core/dev.c:4208
   __netif_receive_skb net/core/dev.c:4246
   process_backlog+0x667/0xba0 net/core/dev.c:4866
   napi_poll net/core/dev.c:5268
   net_rx_action+0xc95/0x1590 net/core/dev.c:5333
   __do_softirq+0x485/0x942 kernel/softirq.c:284
   do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
   </IRQ>
   do_softirq kernel/softirq.c:328
   __local_bh_enable_ip+0x25b/0x290 kernel/softirq.c:181
   local_bh_enable+0x37/0x40 ./include/linux/bottom_half.h:31
   rcu_read_unlock_bh ./include/linux/rcupdate.h:931
   ip6_finish_output2+0x19b2/0x1cf0 net/ipv6/ip6_output.c:124
   ip6_finish_output+0x764/0x970 net/ipv6/ip6_output.c:149
   NF_HOOK_COND ./include/linux/netfilter.h:246
   ip6_output+0x456/0x520 net/ipv6/ip6_output.c:163
   dst_output ./include/net/dst.h:486
   NF_HOOK ./include/linux/netfilter.h:257
   ip6_xmit+0x1841/0x1c00 net/ipv6/ip6_output.c:261
   sctp_v6_xmit+0x3b7/0x470 net/sctp/ipv6.c:225
   sctp_packet_transmit+0x38cb/0x3a20 net/sctp/output.c:632
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
  RIP: 0033:0x401133
  RSP: 002b:00007fff6d99cd38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
  RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401133
  RDX: 0000000000000001 RSI: 0000000000494088 RDI: 0000000000000003
  RBP: 00007fff6d99cd90 R08: 00007fff6d99cd50 R09: 000000000000001c
  R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
  R13: 00000000004063d0 R14: 0000000000406460 R15: 0000000000000000
  origin:
   save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302
   kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198
   kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:211
   slab_alloc_node mm/slub.c:2743
   __kmalloc_node_track_caller+0x200/0x360 mm/slub.c:4351
   __kmalloc_reserve net/core/skbuff.c:138
   __alloc_skb+0x26b/0x840 net/core/skbuff.c:231
   alloc_skb ./include/linux/skbuff.h:933
   sctp_packet_transmit+0x31e/0x3a20 net/sctp/output.c:570
   sctp_outq_flush+0xeb3/0x46e0 net/sctp/outqueue.c:885
   sctp_outq_uncork+0xb2/0xd0 net/sctp/outqueue.c:750
   sctp_side_effects net/sctp/sm_sideeffect.c:1773
   sctp_do_sm+0x6962/0x6ec0 net/sctp/sm_sideeffect.c:1147
   sctp_primitive_ASSOCIATE+0x12c/0x160 net/sctp/primitive.c:88
   sctp_sendmsg+0x43e5/0x4f90 net/sctp/socket.c:1954
   inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
   sock_sendmsg_nosec net/socket.c:633
   sock_sendmsg net/socket.c:643
   SYSC_sendto+0x608/0x710 net/socket.c:1696
   SyS_sendto+0x8a/0xb0 net/socket.c:1664
   do_syscall_64+0xe6/0x130 arch/x86/entry/common.c:285
   return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
  ==================================================================

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sctp/sctp.h | 4 ++++
 1 file changed, 4 insertions(+)

--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -448,6 +448,8 @@ _sctp_walk_params((pos), (chunk), ntohs(
 
 #define _sctp_walk_params(pos, chunk, end, member)\
 for (pos.v = chunk->member;\
+     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <\
+      (void *)chunk + end) &&\
      pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
      ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
      pos.v += WORD_ROUND(ntohs(pos.p->length)))
@@ -458,6 +460,8 @@ _sctp_walk_errors((err), (chunk_hdr), nt
 #define _sctp_walk_errors(err, chunk_hdr, end)\
 for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
 	    sizeof(sctp_chunkhdr_t));\
+     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\
+      (void *)chunk_hdr + end) &&\
      (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
      ntohs(err->length) >= sizeof(sctp_errhdr_t); \
      err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 131/294] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 035/294] mount: copy the port field into the cloned nfs_server structure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit Ben Hutchings
                   ` (248 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stefano Brivio, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit 3de33e1ba0506723ab25734e098cf280ecc34756 upstream.

A packet length of exactly IPV6_MAXPLEN is allowed, we should
refuse parsing options only if the size is 64KiB or more.

While at it, remove one extra variable and one assignment which
were also introduced by the commit that introduced the size
check. Checking the sum 'offset + len' and only later adding
'len' to 'offset' doesn't provide any advantage over directly
summing to 'offset' and checking it.

Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/output_core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -52,7 +52,6 @@ int ip6_find_1stfragopt(struct sk_buff *
 
 	while (offset <= packet_len) {
 		struct ipv6_opt_hdr *exthdr;
-		unsigned int len;
 
 		switch (**nexthdr) {
 
@@ -78,10 +77,9 @@ int ip6_find_1stfragopt(struct sk_buff *
 
 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
 						 offset);
-		len = ipv6_optlen(exthdr);
-		if (len + offset >= IPV6_MAXPLEN)
+		offset += ipv6_optlen(exthdr);
+		if (offset > IPV6_MAXPLEN)
 			return -EINVAL;
-		offset += len;
 		*nexthdr = &exthdr->nexthdr;
 	}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 117/294] net_sched/sfq: update hierarchical backlog when drop packet
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 114/294] dst: Increase alignment of metrics to allow extra flag on pointers Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 098/294] irqchip: brcmstb-l2: Define an irq_pm_shutdown function Ben Hutchings
                   ` (203 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Konstantin Khlebnikov, David S. Miller, Eric Dumazet

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit 325d5dc3f7e7c2840b65e4a2988c082c2c0025c5 upstream.

When sfq_enqueue() drops head packet or packet from another queue it
have to update backlog at upper qdiscs too.

Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_sfq.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -460,6 +460,7 @@ congestion_drop:
 		qdisc_drop(head, sch);
 
 		slot_queue_add(slot, skb);
+		qdisc_tree_reduce_backlog(sch, 0, delta);
 		return NET_XMIT_CN;
 	}
 
@@ -491,8 +492,10 @@ enqueue:
 	/* Return Congestion Notification only if we dropped a packet
 	 * from this flow.
 	 */
-	if (qlen != slot->qlen)
+	if (qlen != slot->qlen) {
+		qdisc_tree_reduce_backlog(sch, 0, dropped - qdisc_pkt_len(skb));
 		return NET_XMIT_CN;
+	}
 
 	/* As we dropped a packet, better let upper stack know this */
 	qdisc_tree_reduce_backlog(sch, 1, dropped);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 099/294] s390/qeth: fix L3 next-hop in xmit qeth hdr
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 021/294] usb: storage: return on error to avoid a null pointer dereference Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 292/294] e1000e: fix call to do_div() to use u64 arg Ben Hutchings
                   ` (224 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ursula Braun, Julian Wiedmann, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.vnet.ibm.com>

commit ec2c6726322f0d270bab477e4904bf9496f70ee5 upstream.

On L3, the qeth_hdr struct needs to be filled with the next-hop
IP address.
The current code accesses rtable->rt_gateway without checking that
rtable is a valid address. The accidental access to a lowcore area
results in a random next-hop address in the qeth_hdr.
rtable (or more precisely, skb_dst(skb)) can be NULL in rare cases
(for instance together with AF_PACKET sockets).
This patch adds the missing NULL-ptr checks.

Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Fixes: 87e7597b5a3 qeth: Move away from using neighbour entries in qeth_l3_fill_header()
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_l3_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -2816,7 +2816,7 @@ static void qeth_l3_fill_header(struct q
 		struct rtable *rt = (struct rtable *) dst;
 		__be32 *pkey = &ip_hdr(skb)->daddr;
 
-		if (rt->rt_gateway)
+		if (rt && rt->rt_gateway)
 			pkey = &rt->rt_gateway;
 
 		/* IPv4 */
@@ -2827,7 +2827,7 @@ static void qeth_l3_fill_header(struct q
 		struct rt6_info *rt = (struct rt6_info *) dst;
 		struct in6_addr *pkey = &ipv6_hdr(skb)->daddr;
 
-		if (!ipv6_addr_any(&rt->rt6i_gateway))
+		if (rt && !ipv6_addr_any(&rt->rt6i_gateway))
 			pkey = &rt->rt6i_gateway;
 
 		/* IPv6 */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 045/294] IB/cxgb3: Fix error codes in iwch_alloc_mr()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03   ` Ben Hutchings
                   ` (41 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Steve Wise, Doug Ledford

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 9064d6055c14f700aa13f7c72fd3e63d12bee643 upstream.

We accidentally don't set the error code on some error paths.  It means
return ERR_PTR(0) which is NULL and results in a NULL dereference in the
caller.

Fixes: 13a239330abd ("RDMA/cxgb3: Don't ignore insert_handle() failures")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: drop inapplicable hunk]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/infiniband/hw/cxgb3/iwch_provider.c
+++ b/drivers/infiniband/hw/cxgb3/iwch_provider.c
@@ -794,7 +794,7 @@ static struct ib_mr *iwch_alloc_fast_reg
 	struct iwch_mr *mhp;
 	u32 mmid;
 	u32 stag = 0;
-	int ret = 0;
+	int ret = -ENOMEM;
 
 	php = to_iwch_pd(pd);
 	rhp = php->rhp;
@@ -817,7 +817,8 @@ static struct ib_mr *iwch_alloc_fast_reg
 	mhp->attr.state = 1;
 	mmid = (stag) >> 8;
 	mhp->ibmr.rkey = mhp->ibmr.lkey = stag;
-	if (insert_handle(rhp, &rhp->mmidr, mhp, mmid))
+	ret = insert_handle(rhp, &rhp->mmidr, mhp, mmid);
+	if (ret)
 		goto err3;
 
 	PDBG("%s mmid 0x%x mhp %p stag 0x%x\n", __func__, mmid, mhp, stag);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 057/294] IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2017-11-06 23:03   ` Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 020/294] USB: cdc-acm: add device-id for quirky printer Ben Hutchings
                   ` (193 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Feras Daoud, Alex Vesker, Leon Romanovsky

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Feras Daoud <ferasda@mellanox.com>

commit d2e46fccc3e3d73a741efe433f00960331280696 upstream.

Set IPOIB_NEIGH_TBL_FLUSH bit after initializing the neighbor
flushed completion, otherwise the garbage collector may signal
a completion while it is not initialized yet.

Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path")
Signed-off-by: Feras Daoud <ferasda@mellanox.com>
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -1235,6 +1235,7 @@ static void ipoib_flush_neighs(struct ip
 	int i, wait_flushed = 0;
 
 	init_completion(&priv->ntbl.flushed);
+	set_bit(IPOIB_NEIGH_TBL_FLUSH, &priv->flags);
 
 	spin_lock_irqsave(&priv->lock, flags);
 
@@ -1279,7 +1280,6 @@ static void ipoib_neigh_hash_uninit(stru
 
 	ipoib_dbg(priv, "ipoib_neigh_hash_uninit\n");
 	init_completion(&priv->ntbl.deleted);
-	set_bit(IPOIB_NEIGH_TBL_FLUSH, &priv->flags);
 
 	/* Stop GC if called at init fail need to cancel work */
 	stopped = test_and_set_bit(IPOIB_STOP_NEIGH_GC, &priv->flags);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 085/294] b44: Initialize 64-bit stats seqcount
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 175/294] sch_hfsc: fix null pointer deref and double free on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 227/294] spi/atmel: Fix pointer to int conversion warnings on 64 bit builds Ben Hutchings
                   ` (220 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Fainelli, Michael Chan, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit e43c9f23efadade684773a855675c99da278c862 upstream.

On 32-bit hosts and with CONFIG_DEBUG_LOCK_ALLOC we should be seeing a
lockdep splat indicating this seqcount is not correctly initialized, fix
that.

Fixes: eeda8585522b ("b44: add 64 bit stats")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/b44.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/broadcom/b44.c
+++ b/drivers/net/ethernet/broadcom/b44.c
@@ -2372,6 +2372,7 @@ static int b44_init_one(struct ssb_devic
 	bp->msg_enable = netif_msg_init(b44_debug, B44_DEF_MSG_ENABLE);
 
 	spin_lock_init(&bp->lock);
+	u64_stats_init(&bp->hw_stats.syncp);
 
 	bp->rx_pending = B44_DEF_RX_RING_PENDING;
 	bp->tx_pending = B44_DEF_TX_RING_PENDING;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 069/294] sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 109/294] usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 288/294] perf: Avoid horrible stack usage Ben Hutchings
                   ` (276 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Neil Horman, David S. Miller, Xin Long

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit 6b84202c946cd3da3a8daa92c682510e9ed80321 upstream.

Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.

But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed. Because the last param usually is fwdtsn supported param
whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'

This is a badly issue even causing sctp couldn't process 4-shakes.
Client would always get abort when connecting to server, due to
the failure of INIT chunk verification on server.

The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.

Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sctp/sctp.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -448,7 +448,7 @@ _sctp_walk_params((pos), (chunk), ntohs(
 
 #define _sctp_walk_params(pos, chunk, end, member)\
 for (pos.v = chunk->member;\
-     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <\
+     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <=\
       (void *)chunk + end) &&\
      pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
      ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
@@ -460,7 +460,7 @@ _sctp_walk_errors((err), (chunk_hdr), nt
 #define _sctp_walk_errors(err, chunk_hdr, end)\
 for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
 	    sizeof(sctp_chunkhdr_t));\
-     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\
+     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <=\
       (void *)chunk_hdr + end) &&\
      (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
      ntohs(err->length) >= sizeof(sctp_errhdr_t); \

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 044/294] cxgb4: Fix error codes in c4iw_create_cq()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (160 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 088/294] gpio: tegra: fix unbalanced chained_irq_enter/exit Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 173/294] sch_multiq: fix double free on init failure Ben Hutchings
                   ` (133 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve Wise, Doug Ledford, Dan Carpenter

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 6ebedacbb44602d4dec3348dee5ec31dd9b09521 upstream.

If one of these kmalloc() calls fails then we return ERR_PTR(0) which is
NULL.  It results in a NULL dereference in the callers.

Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/cxgb4/cq.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/cxgb4/cq.c
+++ b/drivers/infiniband/hw/cxgb4/cq.c
@@ -938,6 +938,7 @@ struct ib_cq *c4iw_create_cq(struct ib_d
 		goto err2;
 
 	if (ucontext) {
+		ret = -ENOMEM;
 		mm = kmalloc(sizeof *mm, GFP_KERNEL);
 		if (!mm)
 			goto err3;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 063/294] powerpc/pseries: Fix of_node_put() underflow during reconfig remove
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 183/294] brcmfmac: add length check in brcmf_cfg80211_escan_handler() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 053/294] perf/core: Invert perf_read_group() loops Ben Hutchings
                   ` (271 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, David Gibson, Laurent Vivier

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Vivier <lvivier@redhat.com>

commit 4fd1bd443e80b12f0a01a45fb9a793206b41cb72 upstream.

As for commit 68baf692c435 ("powerpc/pseries: Fix of_node_put()
underflow during DLPAR remove"), the call to of_node_put() must be
removed from pSeries_reconfig_remove_node().

dlpar_detach_node() and pSeries_reconfig_remove_node() both call
of_detach_node(), and thus the node should not be released in both
cases.

Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes")
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/pseries/reconfig.c | 1 -
 1 file changed, 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/reconfig.c
+++ b/arch/powerpc/platforms/pseries/reconfig.c
@@ -112,7 +112,6 @@ static int pSeries_reconfig_remove_node(
 
 	of_detach_node(np);
 	of_node_put(parent);
-	of_node_put(np); /* Must decrement the refcount */
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 111/294] xfs: fix inobt inode allocation search optimization
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (241 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 074/294] USB: hcd: Mark secondary HCD as dead if the primary one died Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 016/294] net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit() Ben Hutchings
                   ` (52 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Darrick J. Wong, Omar Sandoval, Christoph Hellwig

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit c44245b3d5435f533ca8346ece65918f84c057f9 upstream.

When we try to allocate a free inode by searching the inobt, we try to
find the inode nearest the parent inode by searching chunks both left
and right of the chunk containing the parent. As an optimization, we
cache the leftmost and rightmost records that we previously searched; if
we do another allocation with the same parent inode, we'll pick up the
search where it last left off.

There's a bug in the case where we found a free inode to the left of the
parent's chunk: we need to update the cached left and right records, but
because we already reassigned the right record to point to the left, we
end up assigning the left record to both the cached left and right
records.

This isn't a correctness problem strictly, but it can result in the next
allocation rechecking chunks unnecessarily or allocating inodes further
away from the parent than it needs to. Fix it by swapping the record
pointer after we update the cached left and right records.

Fixes: bd169565993b ("xfs: speed up free inode search")
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_ialloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/xfs/xfs_ialloc.c
+++ b/fs/xfs/xfs_ialloc.c
@@ -854,13 +854,13 @@ xfs_dialloc_ag_inobt(
 
 			/* free inodes to the left? */
 			if (useleft && trec.ir_freecount) {
-				rec = trec;
 				xfs_btree_del_cursor(cur, XFS_BTREE_NOERROR);
 				cur = tcur;
 
 				pag->pagl_leftrec = trec.ir_startino;
 				pag->pagl_rightrec = rec.ir_startino;
 				pag->pagl_pagino = pagino;
+				rec = trec;
 				goto alloc_inode;
 			}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 026/294] drm/vmwgfx: Fix gcc-7.1.1 warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (130 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 236/294] bfa: Fix indentation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 008/294] staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read Ben Hutchings
                   ` (163 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sinclair Yeh, Brian Paul, Linus Torvalds, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sinclair Yeh <syeh@vmware.com>

commit fcfffdd8f98ac305285dca568b5065ef86be6458 upstream.

The current code does not look correct, and the reason for it is
probably lost.  Since this now generates a compiler warning,
fix it to what makes sense.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -285,7 +285,7 @@ static int vmw_cmd_invalid(struct vmw_pr
 			   struct vmw_sw_context *sw_context,
 			   SVGA3dCmdHeader *header)
 {
-	return capable(CAP_SYS_ADMIN) ? : -EINVAL;
+	return -EINVAL;
 }
 
 static int vmw_cmd_ok(struct vmw_private *dev_priv,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 025/294] ASoC: do not close shared backend dailink
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (222 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 017/294] net: bcmgenet: Free skb after last Tx frag Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 090/294] net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support Ben Hutchings
                   ` (71 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mark Brown, Banajit Goswami, Patrick Lai, Gopikrishnaiah Anandan

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Banajit Goswami <bgoswami@codeaurora.org>

commit b1cd2e34c69a2f3988786af451b6e17967c293a0 upstream.

Multiple frontend dailinks may be connected to a backend
dailink at the same time. When one of frontend dailinks is
closed, the associated backend dailink should not be closed
if it is connected to other active frontend dailinks. Change
ensures that backend dailink is closed only after all
connected frontend dailinks are closed.

Signed-off-by: Gopikrishnaiah Anandan <agopik@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Signed-off-by: Patrick Lai <plai@codeaurora.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/soc-pcm.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -150,6 +150,10 @@ int dpcm_dapm_stream_event(struct snd_so
 		dev_dbg(be->dev, "ASoC: BE %s event %d dir %d\n",
 				be->dai_link->name, event, dir);
 
+		if ((event == SND_SOC_DAPM_STREAM_STOP) &&
+		    (be->dpcm[dir].users >= 1))
+			continue;
+
 		snd_soc_dapm_stream_event(be, dir, event);
 	}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 083/294] drm/msm: fix an integer overflow test
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 107/294] usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 198/294] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() Ben Hutchings
                   ` (211 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Clark, Dan Carpenter, Jordan Crouse

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 65e93108891e571f177c202add9288eda9ac4100 upstream.

We recently added an integer overflow check but it needs an additional
tweak to work properly on 32 bit systems.

The problem is that we're doing the right hand side of the assignment as
type unsigned long so the max it will have an integer overflow instead
of being larger than SIZE_MAX.  That means the "sz > SIZE_MAX" condition
is never true even on 32 bit systems.  We need to first cast it to u64
and then do the math.

Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
[bwh: Backported to 3.16: submit_create() only supports a variable number of bos]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -37,7 +37,7 @@ static struct msm_gem_submit *submit_cre
 		struct msm_gpu *gpu, uint32_t nr)
 {
 	struct msm_gem_submit *submit;
-	uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
+	uint64_t sz = sizeof(*submit) + ((u64)nr * sizeof(submit->bos[0]));
 
 	if (sz > SIZE_MAX)
 		return NULL;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 029/294] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (175 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 226/294] spi: rspi: Remove unused variable in rspi_rz_transfer_one() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 245/294] mlx5: avoid build warnings on 32-bit Ben Hutchings
                   ` (118 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit c9eb29503e9655e70448bbbf3697d08a56d24854 upstream.

This patch fixes an issue that NULL pointer dereference happens when
a gadget driver calls usb_ep_dequeue() for ep0 after disconnected
a usb cable. This is because that usbhsg_try_stop() will call
usbhsg_ep_disable(&dcp->ep) when a usb cable is disconnected and
the pipe of dcp (ep0) is set to NULL.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/mod_gadget.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -126,7 +126,8 @@ static void usbhsg_queue_pop(struct usbh
 	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 	struct device *dev = usbhsg_gpriv_to_dev(gpriv);
 
-	dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));
+	if (pipe)
+		dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));
 
 	ureq->req.status = status;
 	ureq->req.complete(&uep->ep, &ureq->req);
@@ -669,7 +670,13 @@ static int usbhsg_ep_dequeue(struct usb_
 	struct usbhsg_request *ureq = usbhsg_req_to_ureq(req);
 	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
-	usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
+	if (pipe)
+		usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
+
+	/*
+	 * To dequeue a request, this driver should call the usbhsg_queue_pop()
+	 * even if the pipe is NULL.
+	 */
 	usbhsg_queue_pop(uep, ureq, -ECONNRESET);
 
 	return 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 119/294] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 072/294] powerpc/boot: Fix 64-bit boot wrapper build with non-biarch compiler Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 200/294] nilfs2: fix gcc uninitialized-variable warnings in powerpc build Ben Hutchings
                   ` (233 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 0f174b3525a43bd51f9397394763925e0ebe7bc7 upstream.

C-Media devices (at least some models) mute the playback stream when
volumes are set to the minimum value.  But this isn't informed via TLV
and the user-space, typically PulseAudio, gets confused as if it's
still played in a low volume.

This patch adds the new flag, min_mute, to struct usb_mixer_elem_info
for indicating that the mixer element is with the minimum-mute volume.
This flag is set for known C-Media devices in
snd_usb_mixer_fu_apply_quirk() in turn.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196669
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c        | 2 ++
 sound/usb/mixer.h        | 1 +
 sound/usb/mixer_quirks.c | 6 ++++++
 3 files changed, 9 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -533,6 +533,8 @@ int snd_usb_mixer_vol_tlv(struct snd_kco
 
 	if (size < sizeof(scale))
 		return -ENOMEM;
+	if (cval->min_mute)
+		scale[0] = SNDRV_CTL_TLVT_DB_MINMAX_MUTE;
 	scale[2] = cval->dBmin;
 	scale[3] = cval->dBmax;
 	if (copy_to_user(_tlv, scale, sizeof(scale)))
--- a/sound/usb/mixer.h
+++ b/sound/usb/mixer.h
@@ -53,6 +53,7 @@ struct usb_mixer_elem_info {
 	int cached;
 	int cache_val[MAX_CHANNELS];
 	u8 initialized;
+	u8 min_mute;
 };
 
 int snd_usb_create_mixer(struct snd_usb_audio *chip, int ctrlif,
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1759,6 +1759,12 @@ void snd_usb_mixer_fu_apply_quirk(struct
 		if (unitid == 7 && cval->control == UAC_FU_VOLUME)
 			snd_dragonfly_quirk_db_scale(mixer, cval, kctl);
 		break;
+	/* lowest playback value is muted on C-Media devices */
+	case USB_ID(0x0d8c, 0x000c):
+	case USB_ID(0x0d8c, 0x0014):
+		if (strstr(kctl->id.name, "Playback"))
+			cval->min_mute = 1;
+		break;
 	}
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 080/294] xtensa: mm/cache: add missing EXPORT_SYMBOLs
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (234 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 210/294] mm/hugetlb: improve locking in dissolve_free_huge_pages() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 271/294] ARM: cns3xxx: shut up frame size warning Ben Hutchings
                   ` (59 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Max Filippov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit bc652eb6a0d5cffaea7dc8e8ad488aab2a1bf1ed upstream.

Functions clear_user_highpage, copy_user_highpage, flush_dcache_page,
local_flush_cache_range and local_flush_cache_page may be used from
modules. Export them.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
[bwh: Backported to 3.16: drop exports of {clear,copy}_user_highpage()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/xtensa/mm/cache.c
+++ b/arch/xtensa/mm/cache.c
@@ -116,7 +116,7 @@ void flush_dcache_page(struct page *page
 
 	/* There shouldn't be an entry in the cache for this page anymore. */
 }
-
+EXPORT_SYMBOL(flush_dcache_page);
 
 /*
  * For now, flush the whole cache. FIXME??
@@ -128,6 +128,7 @@ void local_flush_cache_range(struct vm_a
 	__flush_invalidate_dcache_all();
 	__invalidate_icache_all();
 }
+EXPORT_SYMBOL(local_flush_cache_range);
 
 /* 
  * Remove any entry in the cache for this page. 
@@ -147,6 +148,7 @@ void local_flush_cache_page(struct vm_ar
 	__flush_invalidate_dcache_page_alias(virt, phys);
 	__invalidate_icache_page_alias(virt, phys);
 }
+EXPORT_SYMBOL(local_flush_cache_page);
 
 #endif /* DCACHE_WAY_SIZE > PAGE_SIZE */
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 079/294] xtensa: don't limit csum_partial export by CONFIG_NET
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (224 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 090/294] net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 095/294] ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize Ben Hutchings
                   ` (69 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Max Filippov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 7f81e55c737a8fa82c71f290945d729a4902f8d2 upstream.

csum_partial and csum_partial_copy_generic are defined unconditionally
and are available even when CONFIG_NET is disabled. They are used not
only by the network drivers, but also by scsi and media.
Don't limit these functions export by CONFIG_NET.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/kernel/xtensa_ksyms.c | 2 --
 1 file changed, 2 deletions(-)

--- a/arch/xtensa/kernel/xtensa_ksyms.c
+++ b/arch/xtensa/kernel/xtensa_ksyms.c
@@ -94,13 +94,11 @@ unsigned long __sync_fetch_and_or_4(unsi
 }
 EXPORT_SYMBOL(__sync_fetch_and_or_4);
 
-#ifdef CONFIG_NET
 /*
  * Networking support
  */
 EXPORT_SYMBOL(csum_partial);
 EXPORT_SYMBOL(csum_partial_copy_generic);
-#endif /* CONFIG_NET */
 
 /*
  * Architecture-specific symbols

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 058/294] IB/ipoib: Remove double pointer assigning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (255 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 157/294] l2tp: hold tunnel while looking up sessions in l2tp_netlink Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 293/294] MIPS: Fix a warning for virt_to_page Ben Hutchings
                   ` (38 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 1b355094b308f3377c8f574ce86135ee159c6285 upstream.

There is no need to assign "p" pointer twice.

This patch fixes the following smatch warning:
drivers/infiniband/ulp/ipoib/ipoib_cm.c:517 ipoib_cm_rx_handler() warn:
	missing break? reassigning 'p->id'

Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_cm.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -508,7 +508,6 @@ static int ipoib_cm_rx_handler(struct ib
 	case IB_CM_REQ_RECEIVED:
 		return ipoib_cm_req_handler(cm_id, event);
 	case IB_CM_DREQ_RECEIVED:
-		p = cm_id->context;
 		ib_send_cm_drep(cm_id, NULL, 0);
 		/* Fall through */
 	case IB_CM_REJ_RECEIVED:

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 102/294] net: reduce skb_warn_bad_offload() noise
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 285/294] staging: r8192ee: prorperly format warning message Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 268/294] staging: dgnc: Fix frame size is larger than 1024B Ben Hutchings
                   ` (86 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Willem de Bruijn, Eric Dumazet, Dmitry Vyukov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit b2504a5dbef3305ef41988ad270b0e8ec289331c upstream.

Dmitry reported warnings occurring in __skb_gso_segment() [1]

All SKB_GSO_DODGY producers can allow user space to feed
packets that trigger the current check.

We could prevent them from doing so, rejecting packets, but
this might add regressions to existing programs.

It turns out our SKB_GSO_DODGY handlers properly set up checksum
information that is needed anyway when packets needs to be segmented.

By checking again skb_needs_check() after skb_mac_gso_segment(),
we should remove these pesky warnings, at a very minor cost.

With help from Willem de Bruijn

[1]
WARNING: CPU: 1 PID: 6768 at net/core/dev.c:2439 skb_warn_bad_offload+0x2af/0x390 net/core/dev.c:2434
lo: caps=(0x000000a2803b7c69, 0x0000000000000000) len=138 data_len=0 gso_size=15883 gso_type=4 ip_summed=0
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 6768 Comm: syz-executor1 Not tainted 4.9.0 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c063ecd8 ffffffff82346bdf ffffffff00000001 1ffff100380c7d2e
 ffffed00380c7d26 0000000041b58ab3 ffffffff84b37e38 ffffffff823468f1
 ffffffff84820740 ffffffff84f289c0 dffffc0000000000 ffff8801c063ee20
Call Trace:
 [<ffffffff82346bdf>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff82346bdf>] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 [<ffffffff81827e34>] panic+0x1fb/0x412 kernel/panic.c:179
 [<ffffffff8141f704>] __warn+0x1c4/0x1e0 kernel/panic.c:542
 [<ffffffff8141f7e5>] warn_slowpath_fmt+0xc5/0x100 kernel/panic.c:565
 [<ffffffff8356cbaf>] skb_warn_bad_offload+0x2af/0x390 net/core/dev.c:2434
 [<ffffffff83585cd2>] __skb_gso_segment+0x482/0x780 net/core/dev.c:2706
 [<ffffffff83586f19>] skb_gso_segment include/linux/netdevice.h:3985 [inline]
 [<ffffffff83586f19>] validate_xmit_skb+0x5c9/0xc20 net/core/dev.c:2969
 [<ffffffff835892bb>] __dev_queue_xmit+0xe6b/0x1e70 net/core/dev.c:3383
 [<ffffffff8358a2d7>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3424
 [<ffffffff83ad161d>] packet_snd net/packet/af_packet.c:2930 [inline]
 [<ffffffff83ad161d>] packet_sendmsg+0x32ed/0x4d30 net/packet/af_packet.c:2955
 [<ffffffff834f0aaa>] sock_sendmsg_nosec net/socket.c:621 [inline]
 [<ffffffff834f0aaa>] sock_sendmsg+0xca/0x110 net/socket.c:631
 [<ffffffff834f329a>] ___sys_sendmsg+0x8fa/0x9f0 net/socket.c:1954
 [<ffffffff834f5e58>] __sys_sendmsg+0x138/0x300 net/socket.c:1988
 [<ffffffff834f604d>] SYSC_sendmsg net/socket.c:1999 [inline]
 [<ffffffff834f604d>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
 [<ffffffff84371941>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov  <dvyukov@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2432,11 +2432,12 @@ static inline bool skb_needs_check(struc
 struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
 				  netdev_features_t features, bool tx_path)
 {
+	struct sk_buff *segs;
+
 	if (unlikely(skb_needs_check(skb, tx_path))) {
 		int err;
 
-		skb_warn_bad_offload(skb);
-
+		/* We're going to init ->check field in TCP or UDP header */
 		err = skb_cow_head(skb, 0);
 		if (err < 0)
 			return ERR_PTR(err);
@@ -2448,7 +2449,12 @@ struct sk_buff *__skb_gso_segment(struct
 	skb_reset_mac_header(skb);
 	skb_reset_mac_len(skb);
 
-	return skb_mac_gso_segment(skb, features);
+	segs = skb_mac_gso_segment(skb, features);
+
+	if (unlikely(skb_needs_check(skb, tx_path)))
+		skb_warn_bad_offload(skb);
+
+	return segs;
 }
 EXPORT_SYMBOL(__skb_gso_segment);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 032/294] netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 062/294] workqueue: implicit ordered attribute should be overridable Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc Ben Hutchings
                   ` (253 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Xin Long, Sabrina Dubroca

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

commit 3840538ad384fb7891adeeaf36624f870c51fc0e upstream.

When we delete a netns with a CLUSTERIP rule, clusterip_net_exit() is
called first, removing /proc/net/ipt_CLUSTERIP.
Then clusterip_config_entry_put() is called from clusterip_tg_destroy(),
and tries to remove its entry under /proc/net/ipt_CLUSTERIP/.

Fix this by checking that the parent directory of the entry to remove
hasn't already been deleted.

The following triggers a KASAN splat (stealing the reproducer from
202f59afd441, thanks to Jianlin Shi and Xin Long):

    ip netns add test
    ip link add veth0_in type veth peer name veth0_out
    ip link set veth0_in netns test
    ip netns exec test ip link set lo up
    ip netns exec test ip link set veth0_in up
    ip netns exec test iptables -I INPUT -d 1.2.3.4 -i veth0_in -j     \
        CLUSTERIP --new --clustermac 89:d4:47:eb:9a:fa --total-nodes 3 \
        --local-node 1 --hashmode sourceip-sourceport
    ip netns del test

Fixes: ce4ff76c15a8 ("netfilter: ipt_CLUSTERIP: make proc directory per net namespace")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -115,7 +115,8 @@ clusterip_config_entry_put(struct cluste
 		 * functions are also incrementing the refcount on their own,
 		 * so it's safe to remove the entry even if it's in use. */
 #ifdef CONFIG_PROC_FS
-		proc_remove(c->pde);
+		if (cn->procdir)
+			proc_remove(c->pde);
 #endif
 		return;
 	}
@@ -735,6 +736,7 @@ static void clusterip_net_exit(struct ne
 #ifdef CONFIG_PROC_FS
 	struct clusterip_net *cn = net_generic(net, clusterip_net_id);
 	proc_remove(cn->procdir);
+	cn->procdir = NULL;
 #endif
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 059/294] KVM: PPC: Book3S HV: Enable TM before accessing TM registers
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 219/294] gpio: drop retval check enforcing from gpiochip_remove() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 064/294] media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds Ben Hutchings
                   ` (169 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Stancek, Paul Mackerras

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit e47057151422a67ce08747176fa21cb3b526a2c9 upstream.

Commit 46a704f8409f ("KVM: PPC: Book3S HV: Preserve userspace HTM state
properly", 2017-06-15) added code to read transactional memory (TM)
registers but forgot to enable TM before doing so.  The result is
that if userspace does have live values in the TM registers, a KVM_RUN
ioctl will cause a host kernel crash like this:

[  181.328511] Unrecoverable TM Unavailable Exception f60 at d00000001e7d9980
[  181.328605] Oops: Unrecoverable TM Unavailable Exception, sig: 6 [#1]
[  181.328613] SMP NR_CPUS=2048
[  181.328613] NUMA
[  181.328618] PowerNV
[  181.328646] Modules linked in: vhost_net vhost tap nfs_layout_nfsv41_files rpcsec_gss_krb5 nfsv4 dns_resolver nfs
+fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat
+nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun ebtable_filter ebtables
+ip6table_filter ip6_tables iptable_filter bridge stp llc kvm_hv kvm nfsd ses enclosure scsi_transport_sas ghash_generic
+auth_rpcgss gf128mul xts sg ctr nfs_acl lockd vmx_crypto shpchp ipmi_powernv i2c_opal grace ipmi_devintf i2c_core
+powernv_rng sunrpc ipmi_msghandler ibmpowernv uio_pdrv_genirq uio leds_powernv powernv_op_panel ip_tables xfs sd_mod
+lpfc ipr bnx2x libata mdio ptp pps_core scsi_transport_fc libcrc32c dm_mirror dm_region_hash dm_log dm_mod
[  181.329278] CPU: 40 PID: 9926 Comm: CPU 0/KVM Not tainted 4.12.0+ #1
[  181.329337] task: c000003fc6980000 task.stack: c000003fe4d80000
[  181.329396] NIP: d00000001e7d9980 LR: d00000001e77381c CTR: d00000001e7d98f0
[  181.329465] REGS: c000003fe4d837e0 TRAP: 0f60   Not tainted  (4.12.0+)
[  181.329523] MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>
[  181.329527]   CR: 24022448  XER: 00000000
[  181.329608] CFAR: d00000001e773818 SOFTE: 1
[  181.329608] GPR00: d00000001e77381c c000003fe4d83a60 d00000001e7ef410 c000003fdcfe0000
[  181.329608] GPR04: c000003fe4f00000 0000000000000000 0000000000000000 c000003fd7954800
[  181.329608] GPR08: 0000000000000001 c000003fc6980000 0000000000000000 d00000001e7e2880
[  181.329608] GPR12: d00000001e7d98f0 c000000007b19000 00000001295220e0 00007fffc0ce2090
[  181.329608] GPR16: 0000010011886608 00007fff8c89f260 0000000000000001 00007fff8c080028
[  181.329608] GPR20: 0000000000000000 00000100118500a6 0000010011850000 0000010011850000
[  181.329608] GPR24: 00007fffc0ce1b48 0000010011850000 00000000d673b901 0000000000000000
[  181.329608] GPR28: 0000000000000000 c000003fdcfe0000 c000003fdcfe0000 c000003fe4f00000
[  181.330199] NIP [d00000001e7d9980] kvmppc_vcpu_run_hv+0x90/0x6b0 [kvm_hv]
[  181.330264] LR [d00000001e77381c] kvmppc_vcpu_run+0x2c/0x40 [kvm]
[  181.330322] Call Trace:
[  181.330351] [c000003fe4d83a60] [d00000001e773478] kvmppc_set_one_reg+0x48/0x340 [kvm] (unreliable)
[  181.330437] [c000003fe4d83b30] [d00000001e77381c] kvmppc_vcpu_run+0x2c/0x40 [kvm]
[  181.330513] [c000003fe4d83b50] [d00000001e7700b4] kvm_arch_vcpu_ioctl_run+0x114/0x2a0 [kvm]
[  181.330586] [c000003fe4d83bd0] [d00000001e7642f8] kvm_vcpu_ioctl+0x598/0x7a0 [kvm]
[  181.330658] [c000003fe4d83d40] [c0000000003451b8] do_vfs_ioctl+0xc8/0x8b0
[  181.330717] [c000003fe4d83de0] [c000000000345a64] SyS_ioctl+0xc4/0x120
[  181.330776] [c000003fe4d83e30] [c00000000000b004] system_call+0x58/0x6c
[  181.330833] Instruction dump:
[  181.330869] e92d0260 e9290b50 e9290108 792807e3 41820058 e92d0260 e9290b50 e9290108
[  181.330941] 792ae8a4 794a1f87 408204f4 e92d0260 <7d4022a6> f9490ff0 e92d0260 7d4122a6
[  181.331013] ---[ end trace 6f6ddeb4bfe92a92 ]---

The fix is just to turn on the TM bit in the MSR before accessing the
registers.

Fixes: 46a704f8409f ("KVM: PPC: Book3S HV: Preserve userspace HTM state properly")
Reported-by: Jan Stancek <jstancek@redhat.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kvm/book3s_hv.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -1816,6 +1816,8 @@ static int kvmppc_vcpu_run_hv(struct kvm
 			run->fail_entry.hardware_entry_failure_reason = 0;
 			return -EINVAL;
 		}
+		/* Enable TM so we can read the TM SPRs */
+		mtmsr(mfmsr() | MSR_TM);
 		current->thread.tm_tfhar = mfspr(SPRN_TFHAR);
 		current->thread.tm_tfiar = mfspr(SPRN_TFIAR);
 		current->thread.tm_texasr = mfspr(SPRN_TEXASR);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 122/294] staging: rtl8188eu: add RNX-N150NUB support
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 098/294] irqchip: brcmstb-l2: Define an irq_pm_shutdown function Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 164/294] cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs Ben Hutchings
                   ` (201 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Charles Milette, Greg Kroah-Hartman, Charles Milette

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Charles Milette <charlesmilette@gmail.com>

commit f299aec6ebd747298e35934cff7709c6b119ca52 upstream.

Add support for USB Device Rosewill RNX-N150NUB.
VendorID: 0x0bda, ProductID: 0xffef

Signed-off-by: Charles Milette <charles.milette@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -61,6 +61,7 @@ static struct usb_device_id rtw_usb_id_t
 	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
 	{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+	{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
 	{}	/* Terminating entry */
 };
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 155/294] l2tp: initialise session's refcount before making it reachable
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 292/294] e1000e: fix call to do_div() to use u64 arg Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 175/294] sch_hfsc: fix null pointer deref and double free on init failure Ben Hutchings
                   ` (222 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 9ee369a405c57613d7c83a3967780c3e30c52ecc upstream.

Sessions must be fully initialised before calling
l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame
where partially initialised sessions can be accessed by external users.

Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: keep using l2tp_session_inc_refcount()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1929,6 +1929,8 @@ struct l2tp_session *l2tp_session_create
 
 		l2tp_session_set_header_len(session, tunnel->version);
 
+		l2tp_session_inc_refcount(session);
+
 		err = l2tp_session_add_to_tunnel(tunnel, session);
 		if (err) {
 			kfree(session);
@@ -1936,10 +1938,6 @@ struct l2tp_session *l2tp_session_create
 			return ERR_PTR(err);
 		}
 
-		/* Bump the reference count. The session context is deleted
-		 * only when this drops to zero.
-		 */
-		l2tp_session_inc_refcount(session);
 		l2tp_tunnel_inc_refcount(tunnel);
 
 		/* Ensure tunnel socket isn't deleted */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 066/294] iommu/amd: Fix schedule-while-atomic BUG in initialization code
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 274/294] ARM: OMAP: Fix Kconfig warning for omap1 Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 267/294] Staging: wlan-ng: fix sparse warning in prism2fw.c Ben Hutchings
                   ` (45 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Artem Savkov, Joerg Roedel, Thomas Gleixner

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joerg Roedel <jroedel@suse.de>

commit 74ddda71f44c84af62f736a77fb9fcebe5bb436a upstream.

The register_syscore_ops() function takes a mutex and might
sleep. In the IOMMU initialization code it is invoked during
irq-remapping setup already, where irqs are disabled.

This causes a schedule-while-atomic bug:

 BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747
 in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: swapper/0
 no locks held by swapper/0/1.
 irq event stamp: 304
 hardirqs last  enabled at (303): [<ffffffff818a87b6>] _raw_spin_unlock_irqrestore+0x36/0x60
 hardirqs last disabled at (304): [<ffffffff8235d440>] enable_IR_x2apic+0x79/0x196
 softirqs last  enabled at (36): [<ffffffff818ae75f>] __do_softirq+0x35f/0x4ec
 softirqs last disabled at (31): [<ffffffff810c1955>] irq_exit+0x105/0x120
 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.13.0-rc2.1.el7a.test.x86_64.debug #1
 Hardware name:          PowerEdge C6145 /040N24, BIOS 3.5.0 10/28/2014
 Call Trace:
  dump_stack+0x85/0xca
  ___might_sleep+0x22a/0x260
  __might_sleep+0x4a/0x80
  __mutex_lock+0x58/0x960
  ? iommu_completion_wait.part.17+0xb5/0x160
  ? register_syscore_ops+0x1d/0x70
  ? iommu_flush_all_caches+0x120/0x150
  mutex_lock_nested+0x1b/0x20
  register_syscore_ops+0x1d/0x70
  state_next+0x119/0x910
  iommu_go_to_state+0x29/0x30
  amd_iommu_enable+0x13/0x23

Fix it by moving the register_syscore_ops() call to the next
initialization step, which runs with irqs enabled.

Reported-by: Artem Savkov <asavkov@redhat.com>
Tested-by: Artem Savkov <asavkov@redhat.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Fixes: 2c0ae1720c09 ('iommu/amd: Convert iommu initialization to state machine')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/amd_iommu_init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -2027,11 +2027,11 @@ static int __init state_next(void)
 		break;
 	case IOMMU_ACPI_FINISHED:
 		early_enable_iommus();
-		register_syscore_ops(&amd_iommu_syscore_ops);
 		x86_platform.iommu_shutdown = disable_iommus;
 		init_state = IOMMU_ENABLED;
 		break;
 	case IOMMU_ENABLED:
+		register_syscore_ops(&amd_iommu_syscore_ops);
 		ret = amd_iommu_init_pci();
 		init_state = ret ? IOMMU_INIT_ERROR : IOMMU_PCI_INIT;
 		enable_iommus_v2();

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 046/294] RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 040/294] xhci: Bad Ethernet performance plugged in ASM1042A host Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 089/294] ALSA: hda - Fix speaker output from VAIO VPCL14M1R Ben Hutchings
                   ` (145 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Dan Carpenter

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit dd75cfa6d3216c79c695f5af13e52208afe374ad upstream.

We should preserve the original "status" error code instead of resetting
it to zero.  Returning ERR_PTR(0) is the same as NULL and results in a
NULL dereference in the callers.  I added a printk() on error instead.

Fixes: 45e86b33ec8b ("RDMA/ocrdma: Cache recv DB until QP moved to RTR")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: keep calling ocrdma_mbx_dealloc_pd()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -565,7 +565,8 @@ err:
 	if (is_uctx_pd) {
 		ocrdma_release_ucontext_pd(uctx);
 	} else {
-		status = ocrdma_mbx_dealloc_pd(dev, pd);
+		if (ocrdma_mbx_dealloc_pd(dev, pd))
+			pr_err("%s: ocrdma_mbx_dealloc_pd() failed\n", __func__);
 		kfree(pd);
 	}
 exit:

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 072/294] powerpc/boot: Fix 64-bit boot wrapper build with non-biarch compiler
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 113/294] audit: Fix use after free in audit_remove_watch_rule() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 119/294] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices Ben Hutchings
                   ` (234 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Cyril Bur, Michael Ellerman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 65c5ec11c25eff6ba6e9b1cbfff014875fddd1e0 upstream.

Historically the boot wrapper was always built 32-bit big endian, even
for 64-bit kernels. That was because old firmwares didn't necessarily
support booting a 64-bit image. Because of that arch/powerpc/boot/Makefile
uses CROSS32CC for compilation.

However when we added 64-bit little endian support, we also added
support for building the boot wrapper 64-bit. However we kept using
CROSS32CC, because in most cases it is just CC and everything works.

However if the user doesn't specify CROSS32_COMPILE (which no one ever
does AFAIK), and CC is *not* biarch (32/64-bit capable), then CROSS32CC
becomes just "gcc". On native systems that is probably OK, but if we're
cross building it definitely isn't, leading to eg:

  gcc ... -m64 -mlittle-endian -mabi=elfv2 ... arch/powerpc/boot/cpm-serial.c
  gcc: error: unrecognized argument in option ‘-mabi=elfv2’
  gcc: error: unrecognized command line option ‘-mlittle-endian’
  make: *** [zImage] Error 2

To fix it, stop using CROSS32CC, because we may or may not be building
32-bit. Instead setup a BOOTCC, which defaults to CC, and only use
CROSS32_COMPILE if it's set and we're building for 32-bit.

Fixes: 147c05168fc8 ("powerpc/boot: Add support for 64bit little endian wrapper")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/powerpc/boot/Makefile
+++ b/arch/powerpc/boot/Makefile
@@ -21,11 +21,19 @@ all: $(obj)/zImage
 
 BOOTCFLAGS    := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		 -fno-strict-aliasing -Os -msoft-float -pipe \
-		 -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
-		 -isystem $(shell $(CROSS32CC) -print-file-name=include)
+		 -fomit-frame-pointer -fno-builtin -fPIC -nostdinc
+BOOTCC := $(CC)
 ifdef CONFIG_PPC64_BOOT_WRAPPER
 BOOTCFLAGS	+= -m64
+else
+BOOTCFLAGS	+= -m32
+ifdef CROSS32_COMPILE
+    BOOTCC := $(CROSS32_COMPILE)gcc
+endif
 endif
+
+BOOTCFLAGS	+= -isystem $(shell $(BOOTCC) -print-file-name=include)
+
 ifdef CONFIG_CPU_BIG_ENDIAN
 BOOTCFLAGS	+= -mbig-endian
 else
@@ -165,10 +173,10 @@ clean-files := $(zlib) $(zlibheader) $(z
 		empty.c zImage.coff.lds zImage.ps3.lds zImage.lds
 
 quiet_cmd_bootcc = BOOTCC  $@
-      cmd_bootcc = $(CROSS32CC) -Wp,-MD,$(depfile) $(BOOTCFLAGS) -c -o $@ $<
+      cmd_bootcc = $(BOOTCC) -Wp,-MD,$(depfile) $(BOOTCFLAGS) -c -o $@ $<
 
 quiet_cmd_bootas = BOOTAS  $@
-      cmd_bootas = $(CROSS32CC) -Wp,-MD,$(depfile) $(BOOTAFLAGS) -c -o $@ $<
+      cmd_bootas = $(BOOTCC) -Wp,-MD,$(depfile) $(BOOTAFLAGS) -c -o $@ $<
 
 quiet_cmd_bootar = BOOTAR  $@
       cmd_bootar = $(CROSS32AR) -cr$(KBUILD_ARFLAGS) $@.$$$$ $(filter-out FORCE,$^); mv $@.$$$$ $@

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 056/294] IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (195 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 262/294] staging: imx-drm: fix indentation warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 145/294] ipv6: Add rt6_get_cookie() function Ben Hutchings
                   ` (98 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Alex Vesker

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit 11f74b40359b19f760964e71d04882a6caf530cc upstream.

Don't allow negative values to max_nonsrq_conn_qp. There is no functional
impact on a negative value but it is logicically incorrect.

Fixes: 68e995a29572 ("IPoIB/cm: Add connected mode support for devices without SRQs")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -1768,6 +1768,7 @@ static int __init ipoib_init_module(void
 	ipoib_sendq_size = max3(ipoib_sendq_size, 2 * MAX_SEND_CQE, IPOIB_MIN_QUEUE_SIZE);
 #ifdef CONFIG_INFINIBAND_IPOIB_CM
 	ipoib_max_conn_qp = min(ipoib_max_conn_qp, IPOIB_CM_MAX_CONN_QP);
+	ipoib_max_conn_qp = max(ipoib_max_conn_qp, 0);
 #endif
 
 	/*

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 104/294] net: avoid skb_warn_bad_offload false positives on UFO
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 039/294] xhci: Fix NULL pointer dereference when cleaning up streams for removed host Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 091/294] ocfs2: don't clear SGID when inheriting ACLs Ben Hutchings
                   ` (261 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Willem de Bruijn, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

commit 8d63bee643f1fb53e472f0e135cae4eb99d62d19 upstream.

skb_warn_bad_offload triggers a warning when an skb enters the GSO
stack at __skb_gso_segment that does not have CHECKSUM_PARTIAL
checksum offload set.

Commit b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise")
observed that SKB_GSO_DODGY producers can trigger the check and
that passing those packets through the GSO handlers will fix it
up. But, the software UFO handler will set ip_summed to
CHECKSUM_NONE.

When __skb_gso_segment is called from the receive path, this
triggers the warning again.

Make UFO set CHECKSUM_UNNECESSARY instead of CHECKSUM_NONE. On
Tx these two are equivalent. On Rx, this better matches the
skb state (checksum computed), as CHECKSUM_NONE here means no
checksum computed.

See also this thread for context:
http://patchwork.ozlabs.org/patch/799015/

Fixes: b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c         | 2 +-
 net/ipv4/udp_offload.c | 2 +-
 net/ipv6/udp_offload.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2414,7 +2414,7 @@ static inline bool skb_needs_check(struc
 {
 	if (tx_path)
 		return skb->ip_summed != CHECKSUM_PARTIAL &&
-		       skb->ip_summed != CHECKSUM_NONE;
+		       skb->ip_summed != CHECKSUM_UNNECESSARY;
 
 	return skb->ip_summed == CHECKSUM_NONE;
 }
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -93,7 +93,7 @@ static struct sk_buff *udp4_ufo_fragment
 	csum = skb_checksum(skb, offset, skb->len - offset, 0);
 	offset += skb->csum_offset;
 	*(__sum16 *)(skb->data + offset) = csum_fold(csum);
-	skb->ip_summed = CHECKSUM_NONE;
+	skb->ip_summed = CHECKSUM_UNNECESSARY;
 
 	/* Fragment the skb. IP headers of the fragments are updated in
 	 * inet_gso_segment()
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -90,7 +90,7 @@ static struct sk_buff *udp6_ufo_fragment
 		csum = skb_checksum(skb, offset, skb->len - offset, 0);
 		offset += skb->csum_offset;
 		*(__sum16 *)(skb->data + offset) = csum_fold(csum);
-		skb->ip_summed = CHECKSUM_NONE;
+		skb->ip_summed = CHECKSUM_UNNECESSARY;
 
 		/* Check if there is enough headroom to insert fragment header. */
 		tnl_hlen = skb_tnl_header_len(skb);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 077/294] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (280 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 158/294] l2tp: hold tunnel while processing genl delete command Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 266/294] staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation Ben Hutchings
                   ` (13 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chen-Yu Tsai, Linus Walleij, Icenowy Zheng

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Icenowy Zheng <icenowy@aosc.io>

commit d81ece747d8727bb8b1cfc9a20dbe62f09a4e35a upstream.

The PH16 pin has a function with mux id 0x5, which is the DET pin of the
"sim" (smart card reader) IP block.

This function is missing in old versions of A10/A20 SoCs' datasheets and
user manuals, so it's also missing in the old drivers. The newest A10
Datasheet V1.70 and A20 Datasheet V1.41 contain this pin function, and
it's discovered during implementing R40 pinctrl driver.

Add it to the driver. As we now merged A20 pinctrl driver to the A10
one, we need to only fix the A10 driver now.

Fixes: f2821b1ca3a2 ("pinctrl: sunxi: Move Allwinner A10 pinctrl
driver to a driver of its own")

Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Reviewed-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/sunxi/pinctrl-sun4i-a10.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/pinctrl/sunxi/pinctrl-sun4i-a10.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sun4i-a10.c
@@ -800,6 +800,7 @@ static const struct sunxi_desc_pin sun4i
 		  SUNXI_FUNCTION(0x2, "lcd1"),		/* D16 */
 		  SUNXI_FUNCTION(0x3, "pata"),		/* ATAD12 */
 		  SUNXI_FUNCTION(0x4, "keypad"),	/* IN6 */
+		  SUNXI_FUNCTION(0x5, "sim"),		/* DET */
 		  SUNXI_FUNCTION_IRQ(0x6, 16),		/* EINT16 */
 		  SUNXI_FUNCTION(0x7, "csi1")),		/* D16 */
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 17),

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 050/294] RDMA/uverbs: Fix the check for port number Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-07  1:16     ` [B.A.T.M.A.N.] " Linus Lüssing
  2017-11-06 23:03 ` [PATCH 3.16 045/294] IB/cxgb3: Fix error codes in iwch_alloc_mr() Ben Hutchings
                   ` (42 subsequent siblings)
  295 siblings, 1 reply; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio Quartulli, Simon Wunderlich, Linus Lüssing

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <linus.luessing@c0d3.blue>

commit 54e22f265e872ae140755b3318521d400a094605 upstream.

This patch fixes an issue in the translation table code potentially
leading to a TT Request + Response storm. The issue may occur for nodes
involving BLA and an inconsistent configuration of the batman-adv AP
isolation feature. However, since the new multicast optimizations, a
single, malformed packet may lead to a mesh-wide, persistent
Denial-of-Service, too.

The issue occurs because nodes are currently OR-ing the TT sync flags of
all originators announcing a specific MAC address via the
translation table. When an intermediate node now receives a TT Request
and wants to answer this on behalf of the destination node, then this
intermediate node now responds with an altered flag field and broken
CRC. The next OGM of the real destination will lead to a CRC mismatch
and triggering a TT Request and Response again.

Furthermore, the OR-ing is currently never undone as long as at least
one originator announcing the according MAC address remains, leading to
the potential persistency of this issue.

This patch fixes this issue by storing the flags used in the CRC
calculation on a a per TT orig entry basis to be able to respond with
the correct, original flags in an intermediate TT Response for one
thing. And to be able to correctly unset sync flags once all nodes
announcing a sync flag vanish for another.

Fixes: e9c00136a475 ("batman-adv: fix tt_global_entries flags update")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Acked-by: Antonio Quartulli <a@unstable.cc>
[sw: typo in commit message]
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - Drop changes to batadv_tt_global_dump_subentry()
 - Use batadv_tt_orig_list_entry_free_ref() instead of
   batadv_tt_orig_list_entry_put()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 60 ++++++++++++++++++++++++++++++++------
 net/batman-adv/types.h             |  2 ++
 2 files changed, 53 insertions(+), 9 deletions(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1233,9 +1233,41 @@ batadv_tt_global_entry_has_orig(const st
 	return found;
 }
 
+/**
+ * batadv_tt_global_sync_flags - update TT sync flags
+ * @tt_global: the TT global entry to update sync flags in
+ *
+ * Updates the sync flag bits in the tt_global flag attribute with a logical
+ * OR of all sync flags from any of its TT orig entries.
+ */
+static void
+batadv_tt_global_sync_flags(struct batadv_tt_global_entry *tt_global)
+{
+	struct batadv_tt_orig_list_entry *orig_entry;
+	const struct hlist_head *head;
+	u16 flags = BATADV_NO_FLAGS;
+
+	rcu_read_lock();
+	head = &tt_global->orig_list;
+	hlist_for_each_entry_rcu(orig_entry, head, list)
+		flags |= orig_entry->flags;
+	rcu_read_unlock();
+
+	flags |= tt_global->common.flags & (~BATADV_TT_SYNC_MASK);
+	tt_global->common.flags = flags;
+}
+
+/**
+ * batadv_tt_global_orig_entry_add - add or update a TT orig entry
+ * @tt_global: the TT global entry to add an orig entry in
+ * @orig_node: the originator to add an orig entry for
+ * @ttvn: translation table version number of this changeset
+ * @flags: TT sync flags
+ */
 static void
 batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
-				struct batadv_orig_node *orig_node, int ttvn)
+				struct batadv_orig_node *orig_node, int ttvn,
+				u8 flags)
 {
 	struct batadv_tt_orig_list_entry *orig_entry;
 
@@ -1245,7 +1277,8 @@ batadv_tt_global_orig_entry_add(struct b
 		 * was added during a "temporary client detection"
 		 */
 		orig_entry->ttvn = ttvn;
-		goto out;
+		orig_entry->flags = flags;
+		goto sync_flags;
 	}
 
 	orig_entry = kzalloc(sizeof(*orig_entry), GFP_ATOMIC);
@@ -1257,6 +1290,7 @@ batadv_tt_global_orig_entry_add(struct b
 	batadv_tt_global_size_inc(orig_node, tt_global->common.vid);
 	orig_entry->orig_node = orig_node;
 	orig_entry->ttvn = ttvn;
+	orig_entry->flags = flags;
 	atomic_set(&orig_entry->refcount, 2);
 
 	spin_lock_bh(&tt_global->list_lock);
@@ -1265,6 +1299,8 @@ batadv_tt_global_orig_entry_add(struct b
 	spin_unlock_bh(&tt_global->list_lock);
 	atomic_inc(&tt_global->orig_list_count);
 
+sync_flags:
+	batadv_tt_global_sync_flags(tt_global);
 out:
 	if (orig_entry)
 		batadv_tt_orig_list_entry_free_ref(orig_entry);
@@ -1379,10 +1415,10 @@ static bool batadv_tt_global_add(struct
 		common->flags &= ~BATADV_TT_CLIENT_TEMP;
 
 		/* the change can carry possible "attribute" flags like the
-		 * TT_CLIENT_WIFI, therefore they have to be copied in the
+		 * TT_CLIENT_TEMP, therefore they have to be copied in the
 		 * client entry
 		 */
-		tt_global_entry->common.flags |= flags;
+		tt_global_entry->common.flags |= flags & (~BATADV_TT_SYNC_MASK);
 
 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
 		 * one originator left in the list and we previously received a
@@ -1399,7 +1435,8 @@ static bool batadv_tt_global_add(struct
 	}
 add_orig_entry:
 	/* add the new orig_entry (if needed) or update it */
-	batadv_tt_global_orig_entry_add(tt_global_entry, orig_node, ttvn);
+	batadv_tt_global_orig_entry_add(tt_global_entry, orig_node, ttvn,
+					flags & BATADV_TT_SYNC_MASK);
 
 	batadv_dbg(BATADV_DBG_TT, bat_priv,
 		   "Creating new global tt entry: %pM (vid: %d, via %pM)\n",
@@ -2045,6 +2082,7 @@ static uint32_t batadv_tt_global_crc(str
 				     unsigned short vid)
 {
 	struct batadv_hashtable *hash = bat_priv->tt.global_hash;
+	struct batadv_tt_orig_list_entry *tt_orig;
 	struct batadv_tt_common_entry *tt_common;
 	struct batadv_tt_global_entry *tt_global;
 	struct hlist_head *head;
@@ -2083,8 +2121,9 @@ static uint32_t batadv_tt_global_crc(str
 			/* find out if this global entry is announced by this
 			 * originator
 			 */
-			if (!batadv_tt_global_entry_has_orig(tt_global,
-							     orig_node))
+			tt_orig = batadv_tt_global_orig_entry_find(tt_global,
+								   orig_node);
+			if (!tt_orig)
 				continue;
 
 			/* use network order to read the VID: this ensures that
@@ -2096,10 +2135,12 @@ static uint32_t batadv_tt_global_crc(str
 			/* compute the CRC on flags that have to be kept in sync
 			 * among nodes
 			 */
-			flags = tt_common->flags & BATADV_TT_SYNC_MASK;
+			flags = tt_orig->flags;
 			crc_tmp = crc32c(crc_tmp, &flags, sizeof(flags));
 
 			crc ^= crc32c(crc_tmp, tt_common->addr, ETH_ALEN);
+
+			batadv_tt_orig_list_entry_free_ref(tt_orig);
 		}
 		rcu_read_unlock();
 	}
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -968,6 +968,7 @@ struct batadv_tt_global_entry {
  * struct batadv_tt_orig_list_entry - orig node announcing a non-mesh client
  * @orig_node: pointer to orig node announcing this non-mesh client
  * @ttvn: translation table version number which added the non-mesh client
+ * @flags: per orig entry TT sync flags
  * @list: list node for batadv_tt_global_entry::orig_list
  * @refcount: number of contexts the object is used
  * @rcu: struct used for freeing in an RCU-safe manner
@@ -975,6 +976,7 @@ struct batadv_tt_global_entry {
 struct batadv_tt_orig_list_entry {
 	struct batadv_orig_node *orig_node;
 	uint8_t ttvn;
+	u8 flags;
 	struct hlist_node list;
 	atomic_t refcount;
 	struct rcu_head rcu;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 121/294] mm/mempolicy: fix use after free when calling get_mempolicy
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 173/294] sch_multiq: fix double free on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 014/294] net: bcmgenet: fix dev->stats.tx_bytes accounting Ben Hutchings
                   ` (131 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Vlastimil Babka, Mel Gorman, David Rientjes, Minchan Kim,
	zhong jiang, Michal Hocko, Linus Torvalds

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: zhong jiang <zhongjiang@huawei.com>

commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.

I hit a use after free issue when executing trinity and repoduced it
with KASAN enabled.  The related call trace is as follows.

  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
  Read of size 2 by task syz-executor1/798

  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
     __slab_alloc+0x768/0x970
     kmem_cache_alloc+0x2e7/0x450
     mpol_new.part.2+0x74/0x160
     mpol_new+0x66/0x80
     SyS_mbind+0x267/0x9f0
     system_call_fastpath+0x16/0x1b
  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
     __slab_free+0x495/0x8e0
     kmem_cache_free+0x2f3/0x4c0
     __mpol_put+0x2b/0x40
     SyS_mbind+0x383/0x9f0
     system_call_fastpath+0x16/0x1b
  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600

  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
  Memory state around the buggy address:
  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc

!shared memory policy is not protected against parallel removal by other
thread which is normally protected by the mmap_sem.  do_get_mempolicy,
however, drops the lock midway while we can still access it later.

Early premature up_read is a historical artifact from times when
put_user was called in this path see https://lwn.net/Articles/124754/
but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
layering in the memory policy layer.").  but when we have the the
current mempolicy ref count model.  The issue was introduced
accordingly.

Fix the issue by removing the premature release.

Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/mempolicy.c | 5 -----
 1 file changed, 5 deletions(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -957,11 +957,6 @@ static long do_get_mempolicy(int *policy
 		*policy |= (pol->flags & MPOL_MODE_FLAGS);
 	}
 
-	if (vma) {
-		up_read(&current->mm->mmap_sem);
-		vma = NULL;
-	}
-
 	err = 0;
 	if (nmask) {
 		if (mpol_store_user_nodemask(pol)) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 053/294] perf/core: Invert perf_read_group() loops
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 063/294] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 060/294] kprobes/x86: Release insn_slot in failure path Ben Hutchings
                   ` (270 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnaldo Carvalho de Melo, Michael Ellerman, Linus Torvalds,
	Ingo Molnar, Jiri Olsa, Thomas Gleixner, Sukadev Bhattiprolu,
	Vince Weaver, Stephane Eranian, Arnaldo Carvalho de Melo,
	Peter Zijlstra

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit fa8c269353d560b7c28119ad7617029f92e40b15 upstream.

In order to enable the use of perf_event_read(.group = true), we need
to invert the sibling-child loop nesting of perf_read_group().

Currently we iterate the child list for each sibling, this precludes
using group reads. Flip things around so we iterate each group for
each child.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
[ Made the patch compile and things. ]
Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1441336073-22750-7-git-send-email-sukadev@linux.vnet.ibm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16 as a dependency of commit 2aeb18835476 ("perf/core: Fix
 locking for children siblings group read"):
 - Keep the function name perf_event_read_group()
 - Keep using perf_event_read_value()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -3565,50 +3565,71 @@ u64 perf_event_read_value(struct perf_ev
 }
 EXPORT_SYMBOL_GPL(perf_event_read_value);
 
-static int perf_event_read_group(struct perf_event *event,
-				   u64 read_format, char __user *buf)
+static void __perf_read_group_add(struct perf_event *leader,
+					u64 read_format, u64 *values)
 {
-	struct perf_event *leader = event->group_leader, *sub;
-	struct perf_event_context *ctx = leader->ctx;
-	int n = 0, size = 0, ret;
+	struct perf_event *sub;
+	int n = 1; /* skip @nr */
 	u64 count, enabled, running;
-	u64 values[5];
-
-	lockdep_assert_held(&ctx->mutex);
 
 	count = perf_event_read_value(leader, &enabled, &running);
 
-	values[n++] = 1 + leader->nr_siblings;
+	/*
+	 * Since we co-schedule groups, {enabled,running} times of siblings
+	 * will be identical to those of the leader, so we only publish one
+	 * set.
+	 */
 	if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED)
 		values[n++] = enabled;
 	if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING)
 		values[n++] = running;
-	values[n++] = count;
+
+	/*
+	 * Write {count,id} tuples for every sibling.
+	 */
+	values[n++] += count;
 	if (read_format & PERF_FORMAT_ID)
 		values[n++] = primary_event_id(leader);
 
-	size = n * sizeof(u64);
-
-	if (copy_to_user(buf, values, size))
-		return -EFAULT;
-
-	ret = size;
-
 	list_for_each_entry(sub, &leader->sibling_list, group_entry) {
-		n = 0;
-
 		values[n++] = perf_event_read_value(sub, &enabled, &running);
 		if (read_format & PERF_FORMAT_ID)
 			values[n++] = primary_event_id(sub);
+	}
+}
 
-		size = n * sizeof(u64);
+static int perf_event_read_group(struct perf_event *event,
+				   u64 read_format, char __user *buf)
+{
+	struct perf_event *leader = event->group_leader, *child;
+	struct perf_event_context *ctx = leader->ctx;
+	int ret = event->read_size;
+	u64 *values;
 
-		if (copy_to_user(buf + ret, values, size)) {
-			return -EFAULT;
-		}
+	lockdep_assert_held(&ctx->mutex);
 
-		ret += size;
-	}
+	values = kzalloc(event->read_size, GFP_KERNEL);
+	if (!values)
+		return -ENOMEM;
+
+	values[0] = 1 + leader->nr_siblings;
+
+	/*
+	 * By locking the child_mutex of the leader we effectively
+	 * lock the child list of all siblings.. XXX explain how.
+	 */
+	mutex_lock(&leader->child_mutex);
+
+	__perf_read_group_add(leader, read_format, values);
+	list_for_each_entry(child, &leader->child_list, child_list)
+		__perf_read_group_add(child, read_format, values);
+
+	mutex_unlock(&leader->child_mutex);
+
+	if (copy_to_user(buf, values, event->read_size))
+		ret = -EFAULT;
+
+	kfree(values);
 
 	return ret;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 088/294] gpio: tegra: fix unbalanced chained_irq_enter/exit
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (159 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 033/294] libata: array underflow in ata_find_dev() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 044/294] cxgb4: Fix error codes in c4iw_create_cq() Ben Hutchings
                   ` (134 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michał Mirosław, Linus Walleij

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>

commit 9e9509e38fbe034782339eb09c915f0b5765ff69 upstream.

When more than one GPIO IRQs are triggered simultaneously,
tegra_gpio_irq_handler() called chained_irq_exit() multiple
times for one chained_irq_enter().

Fixes: 3c92db9ac0ca3eee8e46e2424b6c074e2e394ad9
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
[Also changed the variable to a bool]
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpio/gpio-tegra.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpio/gpio-tegra.c
+++ b/drivers/gpio/gpio-tegra.c
@@ -271,7 +271,7 @@ static void tegra_gpio_irq_handler(unsig
 	struct tegra_gpio_bank *bank;
 	int port;
 	int pin;
-	int unmasked = 0;
+	bool unmasked = false;
 	struct irq_chip *chip = irq_desc_get_chip(desc);
 
 	chained_irq_enter(chip, desc);
@@ -291,8 +291,8 @@ static void tegra_gpio_irq_handler(unsig
 			 * before executing the hander so that we don't
 			 * miss edges
 			 */
-			if (lvl & (0x100 << pin)) {
-				unmasked = 1;
+			if (!unmasked && lvl & (0x100 << pin)) {
+				unmasked = true;
 				chained_irq_exit(chip, desc);
 			}
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 105/294] crypto: x86/sha1 - Fix reads beyond the number of blocks passed
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (103 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 001/294] fuse: initialize the flock flag in fuse_file on allocation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 139/294] net: bcmgenet: Be drop monitor friendly Ben Hutchings
                   ` (190 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, megha.dey, Jan Stancek

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "megha.dey@linux.intel.com" <megha.dey@linux.intel.com>

commit 8861249c740fc4af9ddc5aee321eafefb960d7c6 upstream.

It was reported that the sha1 AVX2 function(sha1_transform_avx2) is
reading ahead beyond its intended data, and causing a crash if the next
block is beyond page boundary:
http://marc.info/?l=linux-crypto-vger&m=149373371023377

This patch makes sure that there is no overflow for any buffer length.

It passes the tests written by Jan Stancek that revealed this problem:
https://github.com/jstancek/sha1-avx2-crash

I have re-enabled sha1-avx2 by reverting commit
b82ce24426a4071da9529d726057e4e642948667

Fixes: b82ce24426a4 ("crypto: sha1-ssse3 - Disable avx2")
Originally-by: Ilya Albrekht <ilya.albrekht@intel.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Megha Dey <megha.dey@linux.intel.com>
Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/crypto/sha1_avx2_x86_64_asm.S | 67 ++++++++++++++++++----------------
 arch/x86/crypto/sha1_ssse3_glue.c      |  2 +-
 2 files changed, 37 insertions(+), 32 deletions(-)

--- a/arch/x86/crypto/sha1_avx2_x86_64_asm.S
+++ b/arch/x86/crypto/sha1_avx2_x86_64_asm.S
@@ -117,11 +117,10 @@
 	.set T1, REG_T1
 .endm
 
-#define K_BASE		%r8
 #define HASH_PTR	%r9
+#define BLOCKS_CTR	%r8
 #define BUFFER_PTR	%r10
 #define BUFFER_PTR2	%r13
-#define BUFFER_END	%r11
 
 #define PRECALC_BUF	%r14
 #define WK_BUF		%r15
@@ -205,14 +204,14 @@
 		 * blended AVX2 and ALU instruction scheduling
 		 * 1 vector iteration per 8 rounds
 		 */
-		vmovdqu ((i * 2) + PRECALC_OFFSET)(BUFFER_PTR), W_TMP
+		vmovdqu (i * 2)(BUFFER_PTR), W_TMP
 	.elseif ((i & 7) == 1)
-		vinsertf128 $1, (((i-1) * 2)+PRECALC_OFFSET)(BUFFER_PTR2),\
+		vinsertf128 $1, ((i-1) * 2)(BUFFER_PTR2),\
 			 WY_TMP, WY_TMP
 	.elseif ((i & 7) == 2)
 		vpshufb YMM_SHUFB_BSWAP, WY_TMP, WY
 	.elseif ((i & 7) == 4)
-		vpaddd  K_XMM(K_BASE), WY, WY_TMP
+		vpaddd  K_XMM + K_XMM_AR(%rip), WY, WY_TMP
 	.elseif ((i & 7) == 7)
 		vmovdqu  WY_TMP, PRECALC_WK(i&~7)
 
@@ -255,7 +254,7 @@
 		vpxor	WY, WY_TMP, WY_TMP
 	.elseif ((i & 7) == 7)
 		vpxor	WY_TMP2, WY_TMP, WY
-		vpaddd	K_XMM(K_BASE), WY, WY_TMP
+		vpaddd  K_XMM + K_XMM_AR(%rip), WY, WY_TMP
 		vmovdqu	WY_TMP, PRECALC_WK(i&~7)
 
 		PRECALC_ROTATE_WY
@@ -291,7 +290,7 @@
 		vpsrld	$30, WY, WY
 		vpor	WY, WY_TMP, WY
 	.elseif ((i & 7) == 7)
-		vpaddd	K_XMM(K_BASE), WY, WY_TMP
+		vpaddd  K_XMM + K_XMM_AR(%rip), WY, WY_TMP
 		vmovdqu	WY_TMP, PRECALC_WK(i&~7)
 
 		PRECALC_ROTATE_WY
@@ -446,6 +445,16 @@
 
 .endm
 
+/* Add constant only if (%2 > %3) condition met (uses RTA as temp)
+ * %1 + %2 >= %3 ? %4 : 0
+ */
+.macro ADD_IF_GE a, b, c, d
+	mov     \a, RTA
+	add     $\d, RTA
+	cmp     $\c, \b
+	cmovge  RTA, \a
+.endm
+
 /*
  * macro implements 80 rounds of SHA-1, for multiple blocks with s/w pipelining
  */
@@ -463,13 +472,16 @@
 	lea	(2*4*80+32)(%rsp), WK_BUF
 
 	# Precalc WK for first 2 blocks
-	PRECALC_OFFSET = 0
+	ADD_IF_GE BUFFER_PTR2, BLOCKS_CTR, 2, 64
 	.set i, 0
 	.rept    160
 		PRECALC i
 		.set i, i + 1
 	.endr
-	PRECALC_OFFSET = 128
+
+	/* Go to next block if needed */
+	ADD_IF_GE BUFFER_PTR, BLOCKS_CTR, 3, 128
+	ADD_IF_GE BUFFER_PTR2, BLOCKS_CTR, 4, 128
 	xchg	WK_BUF, PRECALC_BUF
 
 	.align 32
@@ -479,8 +491,8 @@ _loop:
 	 * we use K_BASE value as a signal of a last block,
 	 * it is set below by: cmovae BUFFER_PTR, K_BASE
 	 */
-	cmp	K_BASE, BUFFER_PTR
-	jne	_begin
+	test BLOCKS_CTR, BLOCKS_CTR
+	jnz _begin
 	.align 32
 	jmp	_end
 	.align 32
@@ -512,10 +524,10 @@ _loop0:
 		.set j, j+2
 	.endr
 
-	add	$(2*64), BUFFER_PTR       /* move to next odd-64-byte block */
-	cmp	BUFFER_END, BUFFER_PTR    /* is current block the last one? */
-	cmovae	K_BASE, BUFFER_PTR	/* signal the last iteration smartly */
-
+	/* Update Counter */
+	sub $1, BLOCKS_CTR
+	/* Move to the next block only if needed*/
+	ADD_IF_GE BUFFER_PTR, BLOCKS_CTR, 4, 128
 	/*
 	 * rounds
 	 * 60,62,64,66,68
@@ -532,8 +544,8 @@ _loop0:
 	UPDATE_HASH	12(HASH_PTR), D
 	UPDATE_HASH	16(HASH_PTR), E
 
-	cmp	K_BASE, BUFFER_PTR	/* is current block the last one? */
-	je	_loop
+	test	BLOCKS_CTR, BLOCKS_CTR
+	jz	_loop
 
 	mov	TB, B
 
@@ -575,10 +587,10 @@ _loop2:
 		.set j, j+2
 	.endr
 
-	add	$(2*64), BUFFER_PTR2      /* move to next even-64-byte block */
-
-	cmp	BUFFER_END, BUFFER_PTR2   /* is current block the last one */
-	cmovae	K_BASE, BUFFER_PTR       /* signal the last iteration smartly */
+	/* update counter */
+	sub     $1, BLOCKS_CTR
+	/* Move to the next block only if needed*/
+	ADD_IF_GE BUFFER_PTR2, BLOCKS_CTR, 4, 128
 
 	jmp	_loop3
 _loop3:
@@ -641,19 +653,12 @@ _loop3:
 
 	avx2_zeroupper
 
-	lea	K_XMM_AR(%rip), K_BASE
-
+	/* Setup initial values */
 	mov	CTX, HASH_PTR
 	mov	BUF, BUFFER_PTR
-	lea	64(BUF), BUFFER_PTR2
-
-	shl	$6, CNT			/* mul by 64 */
-	add	BUF, CNT
-	add	$64, CNT
-	mov	CNT, BUFFER_END
 
-	cmp	BUFFER_END, BUFFER_PTR2
-	cmovae	K_BASE, BUFFER_PTR2
+	mov	BUF, BUFFER_PTR2
+	mov	CNT, BLOCKS_CTR
 
 	xmm_mov	BSWAP_SHUFB_CTL(%rip), YMM_SHUFB_BSWAP
 
--- a/arch/x86/crypto/sha1_ssse3_glue.c
+++ b/arch/x86/crypto/sha1_ssse3_glue.c
@@ -224,7 +224,7 @@ static bool __init avx_usable(void)
 #ifdef CONFIG_AS_AVX2
 static bool __init avx2_usable(void)
 {
-	if (false && avx_usable() && cpu_has_avx2 &&
+	if (avx_usable() && cpu_has_avx2 &&
 	    boot_cpu_has(X86_FEATURE_BMI1) &&
 	    boot_cpu_has(X86_FEATURE_BMI2))
 		return true;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 100/294] scsi: st: fix blk_get_queue usage
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 223/294] ASoC: adau1977: Fix truncation warning on 64 bit architectures Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 113/294] audit: Fix use after free in audit_remove_watch_rule() Ben Hutchings
                   ` (236 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kai Mäkisara, Bodo Stroesser, Hannes Reinecke,
	Shirish Pargaonkar, Martin K. Petersen, Ewan D. Milne

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bodo Stroesser <bstroesser@ts.fujitsu.com>

commit 180efde0a3f43dbe533e4be203c2918793482d4e upstream.

If blk_queue_get() in st_probe fails, disk->queue must not be set to
SDp->request_queue, as that would result in put_disk() dropping a not
taken reference.

Thus, disk->queue should be set only after a successful blk_queue_get().

Fixes: 2b5bebccd282 ("st: Take additional queue ref in st_probe")
Signed-off-by: Bodo Stroesser <bstroesser@ts.fujitsu.com>
Acked-by: Shirish Pargaonkar <spargaonkar@suse.com>
Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/st.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -4115,11 +4115,11 @@ static int st_probe(struct device *dev)
 	kref_init(&tpnt->kref);
 	tpnt->disk = disk;
 	disk->private_data = &tpnt->driver;
-	disk->queue = SDp->request_queue;
 	/* SCSI tape doesn't register this gendisk via add_disk().  Manually
 	 * take queue reference that release_disk() expects. */
-	if (!blk_get_queue(disk->queue))
+	if (!blk_get_queue(SDp->request_queue))
 		goto out_put_disk;
+	disk->queue = SDp->request_queue;
 	tpnt->driver = &st_template;
 
 	tpnt->device = SDp;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 074/294] USB: hcd: Mark secondary HCD as dead if the primary one died
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (240 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 197/294] HID: usbhid: fix out-of-bounds bug Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 111/294] xfs: fix inobt inode allocation search optimization Ben Hutchings
                   ` (53 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Stern, Greg Kroah-Hartman, Rafael J. Wysocki

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit cd5a6a4fdaba150089af2afc220eae0fef74878a upstream.

Make usb_hc_died() clear the HCD_FLAG_RH_RUNNING flag for the shared
HCD and set HCD_FLAG_DEAD for it, in analogy with what is done for
the primary one.

Among other thigs, this prevents check_root_hub_suspended() from
returning -EBUSY for dead HCDs which helps to work around system
suspend issues in some situations.

This actually fixes occasional suspend failures on one of my test
machines.

Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hcd.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -2402,6 +2402,8 @@ void usb_hc_died (struct usb_hcd *hcd)
 	}
 	if (usb_hcd_is_primary_hcd(hcd) && hcd->shared_hcd) {
 		hcd = hcd->shared_hcd;
+		clear_bit(HCD_FLAG_RH_RUNNING, &hcd->flags);
+		set_bit(HCD_FLAG_DEAD, &hcd->flags);
 		if (hcd->rh_registered) {
 			clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 168/294] i2c: ismt: Return EMSGSIZE for block reads with bogus length
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 177/294] sch_fq_codel: avoid double free on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 241/294] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy Ben Hutchings
                   ` (287 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wolfram Sang, Neil Horman, Stephen Douthit, Dan Priamo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Douthit <stephend@adiengineering.com>

commit ba201c4f5ebe13d7819081756378777d8153f23e upstream.

Compare the number of bytes actually seen on the wire to the byte
count field returned by the slave device.

Previously we just overwrote the byte count returned by the slave
with the real byte count and let the caller figure out if the
message was sane.

Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
Tested-by: Dan Priamo <danp@adiengineering.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/busses/i2c-ismt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -344,8 +344,10 @@ static int ismt_process_desc(const struc
 			break;
 		case I2C_SMBUS_BLOCK_DATA:
 		case I2C_SMBUS_I2C_BLOCK_DATA:
+			if (desc->rxbytes != dma_buffer[0] + 1)
+				return -EMSGSIZE;
+
 			memcpy(data->block, dma_buffer, desc->rxbytes);
-			data->block[0] = desc->rxbytes - 1;
 			break;
 		}
 		return 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 039/294] xhci: Fix NULL pointer dereference when cleaning up streams for removed host
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 259/294] drm/i915: cleanup some indenting Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 104/294] net: avoid skb_warn_bad_offload false positives on UFO Ben Hutchings
                   ` (262 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, rocko r, Mathias Nyman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 4b895868bb2da60a386a17cde3bf9ecbc70c79f4 upstream.

This off by one in stream_id indexing caused NULL pointer dereference and
soft lockup on machines with USB attached SCSI devices connected to a
hotpluggable xhci controller.

The code that cleans up pending URBs for dead hosts tried to dereference
a stream ring at the invalid stream_id 0.
ep->stream_info->stream_rings[0] doesn't point to a ring.

Start looping stream_id from 1 like in all the other places in the driver,
and check that the ring exists before trying to kill URBs on it.

Reported-by: rocko r <rockorequin@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -821,13 +821,16 @@ static void xhci_kill_endpoint_urbs(stru
 			(ep->ep_state & EP_GETTING_NO_STREAMS)) {
 		int stream_id;
 
-		for (stream_id = 0; stream_id < ep->stream_info->num_streams;
+		for (stream_id = 1; stream_id < ep->stream_info->num_streams;
 				stream_id++) {
+			ring = ep->stream_info->stream_rings[stream_id];
+			if (!ring)
+				continue;
+
 			xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 					"Killing URBs for slot ID %u, ep index %u, stream %u",
-					slot_id, ep_index, stream_id + 1);
-			xhci_kill_ring_urbs(xhci,
-					ep->stream_info->stream_rings[stream_id]);
+					slot_id, ep_index, stream_id);
+			xhci_kill_ring_urbs(xhci, ring);
 		}
 	} else {
 		ring = ep->ring;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 143/294] perf/core: Fix group {cpu,task} validation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 232/294] dm bufio: hide bogus warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 061/294] md/raid5: add thread_group worker async_tx_issue_pending_all Ben Hutchings
                   ` (77 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnaldo Carvalho de Melo, Ingo Molnar, Zhou Chengming,
	Linus Torvalds, Thomas Gleixner, Mark Rutland,
	Alexander Shishkin, Peter Zijlstra (Intel)

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e upstream.

Regardless of which events form a group, it does not make sense for the
events to target different tasks and/or CPUs, as this leaves the group
inconsistent and impossible to schedule. The core perf code assumes that
these are consistent across (successfully intialised) groups.

Core perf code only verifies this when moving SW events into a HW
context. Thus, we can violate this requirement for pure SW groups and
pure HW groups, unless the relevant PMU driver happens to perform this
verification itself. These mismatched groups subsequently wreak havoc
elsewhere.

For example, we handle watchpoints as SW events, and reserve watchpoint
HW on a per-CPU basis at pmu::event_init() time to ensure that any event
that is initialised is guaranteed to have a slot at pmu::add() time.
However, the core code only checks the group leader's cpu filter (via
event_filter_match()), and can thus install follower events onto CPUs
violating thier (mismatched) CPU filters, potentially installing them
into a CPU without sufficient reserved slots.

This can be triggered with the below test case, resulting in warnings
from arch backends.

  #define _GNU_SOURCE
  #include <linux/hw_breakpoint.h>
  #include <linux/perf_event.h>
  #include <sched.h>
  #include <stdio.h>
  #include <sys/prctl.h>
  #include <sys/syscall.h>
  #include <unistd.h>

  static int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu,
			   int group_fd, unsigned long flags)
  {
	return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags);
  }

  char watched_char;

  struct perf_event_attr wp_attr = {
	.type = PERF_TYPE_BREAKPOINT,
	.bp_type = HW_BREAKPOINT_RW,
	.bp_addr = (unsigned long)&watched_char,
	.bp_len = 1,
	.size = sizeof(wp_attr),
  };

  int main(int argc, char *argv[])
  {
	int leader, ret;
	cpu_set_t cpus;

	/*
	 * Force use of CPU0 to ensure our CPU0-bound events get scheduled.
	 */
	CPU_ZERO(&cpus);
	CPU_SET(0, &cpus);
	ret = sched_setaffinity(0, sizeof(cpus), &cpus);
	if (ret) {
		printf("Unable to set cpu affinity\n");
		return 1;
	}

	/* open leader event, bound to this task, CPU0 only */
	leader = perf_event_open(&wp_attr, 0, 0, -1, 0);
	if (leader < 0) {
		printf("Couldn't open leader: %d\n", leader);
		return 1;
	}

	/*
	 * Open a follower event that is bound to the same task, but a
	 * different CPU. This means that the group should never be possible to
	 * schedule.
	 */
	ret = perf_event_open(&wp_attr, 0, 1, leader, 0);
	if (ret < 0) {
		printf("Couldn't open mismatched follower: %d\n", ret);
		return 1;
	} else {
		printf("Opened leader/follower with mismastched CPUs\n");
	}

	/*
	 * Open as many independent events as we can, all bound to the same
	 * task, CPU0 only.
	 */
	do {
		ret = perf_event_open(&wp_attr, 0, 0, -1, 0);
	} while (ret >= 0);

	/*
	 * Force enable/disble all events to trigger the erronoeous
	 * installation of the follower event.
	 */
	printf("Opened all events. Toggling..\n");
	for (;;) {
		prctl(PR_TASK_PERF_EVENTS_DISABLE, 0, 0, 0, 0);
		prctl(PR_TASK_PERF_EVENTS_ENABLE, 0, 0, 0, 0);
	}

	return 0;
  }

Fix this by validating this requirement regardless of whether we're
moving events.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Zhou Chengming <zhouchengming1@huawei.com>
Link: http://lkml.kernel.org/r/1498142498-15758-1-git-send-email-mark.rutland@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/events/core.c | 39 +++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 20 deletions(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7541,28 +7541,27 @@ SYSCALL_DEFINE5(perf_event_open,
 		if (group_leader->group_leader != group_leader)
 			goto err_context;
 		/*
-		 * Do not allow to attach to a group in a different
-		 * task or CPU context:
+		 * Make sure we're both events for the same CPU;
+		 * grouping events for different CPUs is broken; since
+		 * you can never concurrently schedule them anyhow.
 		 */
-		if (move_group) {
-			/*
-			 * Make sure we're both on the same task, or both
-			 * per-cpu events.
-			 */
-			if (group_leader->ctx->task != ctx->task)
-				goto err_context;
+		if (group_leader->cpu != event->cpu)
+			goto err_context;
+
+		/*
+		 * Make sure we're both on the same task, or both
+		 * per-CPU events.
+		 */
+		if (group_leader->ctx->task != ctx->task)
+			goto err_context;
 
-			/*
-			 * Make sure we're both events for the same CPU;
-			 * grouping events for different CPUs is broken; since
-			 * you can never concurrently schedule them anyhow.
-			 */
-			if (group_leader->cpu != event->cpu)
-				goto err_context;
-		} else {
-			if (group_leader->ctx != ctx)
-				goto err_context;
-		}
+		/*
+		 * Do not allow to attach to a group in a different task
+		 * or CPU context. If we're moving SW events, we'll fix
+		 * this up later, so allow that.
+		 */
+		if (!move_group && group_leader->ctx != ctx)
+			goto err_context;
 
 		/*
 		 * Only a group leader can be exclusive or pinned

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 120/294] netxen: fix incorrect loop counter decrement
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (264 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 280/294] MIPS: ip22: Fix ip28 build for modern gcc Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 180/294] wl1251: add a missing spin_lock_init() Ben Hutchings
                   ` (29 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Colin Ian King

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit a120d9ab65354727559b9db75ded8071b7ef19e2 upstream.

The loop counter k is currently being decremented from zero which
is incorrect. Fix this by incrementing k instead

Detected by CoverityScan, CID#401847 ("Infinite loop")

Fixes: 83f18a557c6d ("netxen_nic: fw dump support")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/qlogic/netxen/netxen_nic_hw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_hw.c
+++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_hw.c
@@ -2332,7 +2332,7 @@ netxen_md_rdqueue(struct netxen_adapter
 				 loop_cnt++) {
 		NX_WR_DUMP_REG(select_addr, adapter->ahw.pci_base0, queue_id);
 		read_addr = queueEntry->read_addr;
-		for (k = 0; k < read_cnt; k--) {
+		for (k = 0; k < read_cnt; k++) {
 			NX_RD_DUMP_REG(read_addr, adapter->ahw.pci_base0,
 							&read_value);
 			*data_buff++ = read_value;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 091/294] ocfs2: don't clear SGID when inheriting ACLs
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 104/294] net: avoid skb_warn_bad_offload false positives on UFO Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 161/294] l2tp: remove useless duplicate session detection in l2tp_netlink Ben Hutchings
                   ` (260 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joel Becker, Linus Torvalds, Joseph Qi, Jan Kara,
	Mark Fasheh, Junxiao Bi

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 19ec8e48582670c021e998b9deb88e39a842ff45 upstream.

When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0').  However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.

Fix the problem by moving posix_acl_update_mode() out of ocfs2_set_acl()
into ocfs2_iop_set_acl().  That way the function will not be called when
inheriting ACLs which is what we want as it prevents SGID bit clearing
and the mode has been properly set by posix_acl_create() anyway.  Also
posix_acl_chmod() that is calling ocfs2_set_acl() takes care of updating
mode itself.

Fixes: 073931017b4 ("posix_acl: Clear SGID bit when setting file permissions")
Link: http://lkml.kernel.org/r/20170801141252.19675-3-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - ocfs2_iop_set_acl() doesn't take a lock, so simply return on error
 - Add the status variable in ocfs2_iop_set_acl()
 - Pass NULL as the bh argument to ocfs2_acl_set_mode()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -240,19 +240,6 @@ int ocfs2_set_acl(handle_t *handle,
 	switch (type) {
 	case ACL_TYPE_ACCESS:
 		name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
-		if (acl) {
-			umode_t mode;
-			ret = posix_acl_update_mode(inode, &mode, &acl);
-			if (ret)
-				return ret;
-			else {
-				ret = ocfs2_acl_set_mode(inode, di_bh,
-							 handle, mode);
-				if (ret)
-					return ret;
-
-			}
-		}
 		break;
 	case ACL_TYPE_DEFAULT:
 		name_index = OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT;
@@ -283,6 +270,20 @@ int ocfs2_set_acl(handle_t *handle,
 
 int ocfs2_iop_set_acl(struct inode *inode, struct posix_acl *acl, int type)
 {
+	int status;
+
+	if (type == ACL_TYPE_ACCESS && acl) {
+		umode_t mode;
+
+		status = posix_acl_update_mode(inode, &mode, &acl);
+		if (status)
+			return status;
+
+		status = ocfs2_acl_set_mode(inode, NULL, NULL, mode);
+		if (status)
+			return status;
+	}
+
 	return ocfs2_set_acl(NULL, inode, NULL, type, acl, NULL, NULL);
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 277/294] MIPS: BMIPS: Fix ".previous without corresponding .section" warnings Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 186/294] assoc_array: Fix a buggy node-splitting case Ben Hutchings
                   ` (293 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Swanson, Oliver Neukum, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Swanson <reiver@improbability.net>

commit 89f23d51defcb94a5026d4b5da13faf4e1150a6f upstream.

Similar to commit d595259fbb7a ("usb-storage: Add ignore-residue quirk for
Initio INIC-3619") for INIC-3169 in unusual_devs.h but INIC-3069 already
present in unusual_uas.h. Both in same controller IC family.

Issue is that MakeMKV fails during key exchange with installed bluray drive
with following error:

002004:0000 Error 'Scsi error - ILLEGAL REQUEST:COPY PROTECTION KEY EXCHANGE FAILURE - KEY NOT ESTABLISHED'
occurred while issuing SCSI command AD010..080002400 to device 'SG:dev_11:0'

Signed-off-by: Alan Swanson <reiver@improbability.net>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/unusual_uas.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -113,9 +113,9 @@ UNUSUAL_DEV(0x0bc2, 0xab2a, 0x0000, 0x99
 /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
 UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
 		"Initio Corporation",
-		"",
+		"INIC-3069",
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-		US_FL_NO_ATA_1X),
+		US_FL_NO_ATA_1X | US_FL_IGNORE_RESIDUE),
 
 /* Reported-by: Tom Arild Naess <tanaess@gmail.com> */
 UNUSUAL_DEV(0x152d, 0x0539, 0x0000, 0x9999,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 050/294] RDMA/uverbs: Fix the check for port number
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 267/294] Staging: wlan-ng: fix sparse warning in prism2fw.c Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies Ben Hutchings
                   ` (43 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mike Marciniszyn, Ismail, Mustafa, Steve Wise, Doug Ledford

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Ismail, Mustafa" <mustafa.ismail@intel.com>

commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream.

The port number is only valid if IB_QP_PORT is set in the mask.
So only check port number if it is valid to prevent modify_qp from
failing due to an invalid port number.

Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: command structure is cmd not cmd->base]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1915,7 +1915,8 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
 		goto out;
 	}
 
-	if (!rdma_is_port_valid(qp->device, cmd.port_num)) {
+	if ((cmd.attr_mask & IB_QP_PORT) &&
+	    !rdma_is_port_valid(qp->device, cmd.port_num)) {
 		ret = -EINVAL;
 		goto release_qp;
 	}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 022/294] libceph: potential NULL dereference in ceph_msg_data_create()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (283 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 240/294] aic94xx: Skip reading user settings if flash is not found Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 196/294] usb: usbtest: fix NULL pointer dereference Ben Hutchings
                   ` (10 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Ilya Dryomov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 7c40b22f6f84c98a1d36e6d0a4346e58f05e45d8 upstream.

If kmem_cache_zalloc() returns NULL then the INIT_LIST_HEAD(&data->links);
will Oops.  The callers aren't really prepared for NULL returns so it
doesn't make a lot of difference in real life.

Fixes: 5240d9f95dfe ("libceph: replace message data pointer with list")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ceph/messenger.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -3075,8 +3075,10 @@ static struct ceph_msg_data *ceph_msg_da
 		return NULL;
 
 	data = kmem_cache_zalloc(ceph_msg_data_cache, GFP_NOFS);
-	if (data)
-		data->type = type;
+	if (!data)
+		return NULL;
+
+	data->type = type;
 	INIT_LIST_HEAD(&data->links);
 
 	return data;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 109/294] usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 160/294] l2tp: hold tunnel while handling genl TUNNEL_GET commands Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 069/294] sctp: fix the check for _sctp_walk_params and _sctp_walk_errors Ben Hutchings
                   ` (277 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kai-Heng Feng, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 7496cfe5431f21da5d27a8388c326397e3f0a5db upstream.

Moshi USB to Ethernet Adapter internally uses a Genesys Logic hub to
connect to Realtek r8153.

The Realtek r8153 ethernet does not work on the internal hub, no-lpm quirk
can make it work.

Since another r8153 dongle at my hand does not have the issue, so add
the quirk to the Genesys Logic hub instead.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -147,6 +147,9 @@ static const struct usb_device_id usb_qu
 	/* appletouch */
 	{ USB_DEVICE(0x05ac, 0x021a), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */
+	{ USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Avision AV600U */
 	{ USB_DEVICE(0x0638, 0x0a13), .driver_info =
 	  USB_QUIRK_STRING_FETCH_255 },

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 108/294] USB: Check for dropped connection before switching to full speed
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 093/294] RDMA/uverbs: Prevent leak of reserved field Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 159/294] l2tp: hold tunnel while handling genl tunnel updates Ben Hutchings
                   ` (290 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Guenter Roeck, Alan Stern

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 94c43b9897abf4ea366ed4dba027494e080c7050 upstream.

Some buggy USB disk adapters disconnect and reconnect multiple times
during the enumeration procedure.  This may lead to a device
connecting at full speed instead of high speed, because when the USB
stack sees that a device isn't able to enumerate at high speed, it
tries to hand the connection over to a full-speed companion
controller.

The logic for doing this is careful to check that the device is still
connected.  But this check is inadequate if the device disconnects and
reconnects before the check is done.  The symptom is that a device
works, but much more slowly than it is capable of operating.

The situation was made worse recently by commit 22547c4cc4fe ("usb:
hub: Wait for connection to be reestablished after port reset"), which
increases the delay following a reset before a disconnect is
recognized, thus giving the device more time to reconnect.

This patch makes the check more robust.  If the device was
disconnected at any time during enumeration, we will now skip the
full-speed handover.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Zdenek Kabelac <zkabelac@redhat.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4602,7 +4602,8 @@ hub_power_remaining (struct usb_hub *hub
 static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 		u16 portchange)
 {
-	int status, i;
+	int status = -ENODEV;
+	int i;
 	unsigned unit_load;
 	struct usb_device *hdev = hub->hdev;
 	struct usb_hcd *hcd = bus_to_hcd(hdev->bus);
@@ -4799,9 +4800,10 @@ loop:
 
 done:
 	hub_port_disable(hub, port1, 1);
-	if (hcd->driver->relinquish_port && !hub->hdev->parent)
-		hcd->driver->relinquish_port(hcd, port1);
-
+	if (hcd->driver->relinquish_port && !hub->hdev->parent) {
+		if (status != -ENOTCONN && status != -ENODEV)
+			hcd->driver->relinquish_port(hcd, port1);
+	}
 }
 
 /* Handle physical or logical connection change events.

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (205 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 133/294] cifs: Fix df output for users with quota limits Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-07 10:37   ` Paolo Bonzini
  2017-11-06 23:03 ` [PATCH 3.16 285/294] staging: r8192ee: prorperly format warning message Ben Hutchings
                   ` (88 subsequent siblings)
  295 siblings, 1 reply; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Radim Krčmář,
	Paul E. McKenney, Wanpeng Li, Paolo Bonzini

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpeng.li@hotmail.com>

commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream.

 WARNING: CPU: 5 PID: 1242 at kernel/rcu/tree_plugin.h:323 rcu_note_context_switch+0x207/0x6b0
 CPU: 5 PID: 1242 Comm: unity-settings- Not tainted 4.13.0-rc2+ #1
 RIP: 0010:rcu_note_context_switch+0x207/0x6b0
 Call Trace:
  __schedule+0xda/0xba0
  ? kvm_async_pf_task_wait+0x1b2/0x270
  schedule+0x40/0x90
  kvm_async_pf_task_wait+0x1cc/0x270
  ? prepare_to_swait+0x22/0x70
  do_async_page_fault+0x77/0xb0
  ? do_async_page_fault+0x77/0xb0
  async_page_fault+0x28/0x30
 RIP: 0010:__d_lookup_rcu+0x90/0x1e0

I encounter this when trying to stress the async page fault in L1 guest w/
L2 guests running.

Commit 9b132fbe5419 (Add rcu user eqs exception hooks for async page
fault) adds rcu_irq_enter/exit() to kvm_async_pf_task_wait() to exit cpu
idle eqs when needed, to protect the code that needs use rcu.  However,
we need to call the pair even if the function calls schedule(), as seen
from the above backtrace.

This patch fixes it by informing the RCU subsystem exit/enter the irq
towards/away from idle for both n.halted and !n.halted.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/kvm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -150,6 +150,8 @@ void kvm_async_pf_task_wait(u32 token)
 		if (hlist_unhashed(&n.link))
 			break;
 
+		rcu_irq_exit();
+
 		if (!n.halted) {
 			local_irq_enable();
 			schedule();
@@ -158,11 +160,11 @@ void kvm_async_pf_task_wait(u32 token)
 			/*
 			 * We cannot reschedule. So halt.
 			 */
-			rcu_irq_exit();
 			native_safe_halt();
 			local_irq_disable();
-			rcu_irq_enter();
 		}
+
+		rcu_irq_enter();
 	}
 	if (!n.halted)
 		finish_wait(&n.wq, &wait);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 110/294] mm: migrate: prevent racy access to tlb_flush_pending
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2017-11-06 23:03   ` Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 213/294] iio: adc: fix building on 64-bit Ben Hutchings
                   ` (281 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Russell King, Jeff Dike, Minchan Kim, Martin Schwidefsky,
	Andrea Arcangeli, Sergey Senozhatsky, Heiko Carstens,
	Linus Torvalds, Mel Gorman, Tony Luck, Hugh Dickins,
	Yoshinori Sato, Nadav Amit, Nadav Amit, David S. Miller,
	Rik van Riel, Andy Lutomirski, Ingo Molnar, Mel Gorman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nadav Amit <nadav.amit@gmail.com>

commit 16af97dc5a8975371a83d9e30a64038b48f40a2d upstream.

Patch series "fixes of TLB batching races", v6.

It turns out that Linux TLB batching mechanism suffers from various
races.  Races that are caused due to batching during reclamation were
recently handled by Mel and this patch-set deals with others.  The more
fundamental issue is that concurrent updates of the page-tables allow
for TLB flushes to be batched on one core, while another core changes
the page-tables.  This other core may assume a PTE change does not
require a flush based on the updated PTE value, while it is unaware that
TLB flushes are still pending.

This behavior affects KSM (which may result in memory corruption) and
MADV_FREE and MADV_DONTNEED (which may result in incorrect behavior).  A
proof-of-concept can easily produce the wrong behavior of MADV_DONTNEED.
Memory corruption in KSM is harder to produce in practice, but was
observed by hacking the kernel and adding a delay before flushing and
replacing the KSM page.

Finally, there is also one memory barrier missing, which may affect
architectures with weak memory model.

This patch (of 7):

Setting and clearing mm->tlb_flush_pending can be performed by multiple
threads, since mmap_sem may only be acquired for read in
task_numa_work().  If this happens, tlb_flush_pending might be cleared
while one of the threads still changes PTEs and batches TLB flushes.

This can lead to the same race between migration and
change_protection_range() that led to the introduction of
tlb_flush_pending.  The result of this race was data corruption, which
means that this patch also addresses a theoretically possible data
corruption.

An actual data corruption was not observed, yet the race was was
confirmed by adding assertion to check tlb_flush_pending is not set by
two threads, adding artificial latency in change_protection_range() and
using sysctl to reduce kernel.numa_balancing_scan_delay_ms.

Link: http://lkml.kernel.org/r/20170802000818.4760-2-namit@vmware.com
Fixes: 20841405940e ("mm: fix TLB flush race between migration, and
change_protection_range")
Signed-off-by: Nadav Amit <namit@vmware.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Drop change to dump_mm()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -451,7 +451,7 @@ struct mm_struct {
 	 * can move process memory needs to flush the TLB when moving a
 	 * PROT_NONE or PROT_NUMA mapped page.
 	 */
-	bool tlb_flush_pending;
+	atomic_t tlb_flush_pending;
 #endif
 	struct uprobes_state uprobes_state;
 };
@@ -479,33 +479,46 @@ static inline cpumask_t *mm_cpumask(stru
 static inline bool mm_tlb_flush_pending(struct mm_struct *mm)
 {
 	barrier();
-	return mm->tlb_flush_pending;
+	return atomic_read(&mm->tlb_flush_pending) > 0;
 }
-static inline void set_tlb_flush_pending(struct mm_struct *mm)
+
+static inline void init_tlb_flush_pending(struct mm_struct *mm)
 {
-	mm->tlb_flush_pending = true;
+	atomic_set(&mm->tlb_flush_pending, 0);
+}
+
+static inline void inc_tlb_flush_pending(struct mm_struct *mm)
+{
+	atomic_inc(&mm->tlb_flush_pending);
 
 	/*
-	 * Guarantee that the tlb_flush_pending store does not leak into the
+	 * Guarantee that the tlb_flush_pending increase does not leak into the
 	 * critical section updating the page tables
 	 */
 	smp_mb__before_spinlock();
 }
+
 /* Clearing is done after a TLB flush, which also provides a barrier. */
-static inline void clear_tlb_flush_pending(struct mm_struct *mm)
+static inline void dec_tlb_flush_pending(struct mm_struct *mm)
 {
 	barrier();
-	mm->tlb_flush_pending = false;
+	atomic_dec(&mm->tlb_flush_pending);
 }
 #else
 static inline bool mm_tlb_flush_pending(struct mm_struct *mm)
 {
 	return false;
 }
-static inline void set_tlb_flush_pending(struct mm_struct *mm)
+
+static inline void init_tlb_flush_pending(struct mm_struct *mm)
 {
 }
-static inline void clear_tlb_flush_pending(struct mm_struct *mm)
+
+static inline void inc_tlb_flush_pending(struct mm_struct *mm)
+{
+}
+
+static inline void dec_tlb_flush_pending(struct mm_struct *mm)
 {
 }
 #endif
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -539,7 +539,7 @@ static struct mm_struct *mm_init(struct
 	spin_lock_init(&mm->page_table_lock);
 	mm_init_aio(mm);
 	mm_init_owner(mm, p);
-	clear_tlb_flush_pending(mm);
+	init_tlb_flush_pending(mm);
 
 	if (current->mm) {
 		mm->flags = current->mm->flags & MMF_INIT_MASK;
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -225,7 +225,7 @@ static unsigned long change_protection_r
 	BUG_ON(addr >= end);
 	pgd = pgd_offset(mm, addr);
 	flush_cache_range(vma, addr, end);
-	set_tlb_flush_pending(mm);
+	inc_tlb_flush_pending(mm);
 	do {
 		next = pgd_addr_end(addr, end);
 		if (pgd_none_or_clear_bad(pgd))
@@ -237,7 +237,7 @@ static unsigned long change_protection_r
 	/* Only flush the TLB if we actually modified any entries: */
 	if (pages)
 		flush_tlb_range(vma, start, end);
-	clear_tlb_flush_pending(mm);
+	dec_tlb_flush_pending(mm);
 
 	return pages;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 062/294] workqueue: implicit ordered attribute should be overridable
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 215/294] power/reset: xgene-reset: Fix prototype of xgene_restart() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 032/294] netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry Ben Hutchings
                   ` (254 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 0a94efb5acbb6980d7c9ab604372d93cd507e4d8 upstream.

5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be
ordered") automatically enabled ordered attribute for unbound
workqueues w/ max_active == 1.  Because ordered workqueues reject
max_active and some attribute changes, this implicit ordered mode
broke cases where the user creates an unbound workqueue w/ max_active
== 1 and later explicitly changes the related attributes.

This patch distinguishes explicit and implicit ordered setting and
overrides from attribute changes if implict.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/workqueue.h |  4 +++-
 kernel/workqueue.c        | 13 +++++++++----
 2 files changed, 12 insertions(+), 5 deletions(-)

--- a/include/linux/workqueue.h
+++ b/include/linux/workqueue.h
@@ -315,6 +315,7 @@ enum {
 
 	__WQ_DRAINING		= 1 << 16, /* internal: workqueue is draining */
 	__WQ_ORDERED		= 1 << 17, /* internal: workqueue is ordered */
+	__WQ_ORDERED_EXPLICIT	= 1 << 18, /* internal: alloc_ordered_workqueue() */
 
 	WQ_MAX_ACTIVE		= 512,	  /* I like 512, better ideas? */
 	WQ_MAX_UNBOUND_PER_CPU	= 4,	  /* 4 * #cpus for unbound wq */
@@ -412,7 +413,8 @@ __alloc_workqueue_key(const char *fmt, u
  * Pointer to the allocated workqueue on success, %NULL on failure.
  */
 #define alloc_ordered_workqueue(fmt, flags, args...)			\
-	alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED | (flags), 1, ##args)
+	alloc_workqueue(fmt, WQ_UNBOUND | __WQ_ORDERED |		\
+			__WQ_ORDERED_EXPLICIT | (flags), 1, ##args)
 
 #define create_workqueue(name)						\
 	alloc_workqueue("%s", WQ_MEM_RECLAIM, 1, (name))
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3324,7 +3324,7 @@ int workqueue_sysfs_register(struct work
 	 * attributes breaks ordering guarantee.  Disallow exposing ordered
 	 * workqueues.
 	 */
-	if (WARN_ON(wq->flags & __WQ_ORDERED))
+	if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT))
 		return -EINVAL;
 
 	wq->wq_dev = wq_dev = kzalloc(sizeof(*wq_dev), GFP_KERNEL);
@@ -3907,8 +3907,12 @@ int apply_workqueue_attrs(struct workque
 		return -EINVAL;
 
 	/* creating multiple pwqs breaks ordering guarantee */
-	if (WARN_ON((wq->flags & __WQ_ORDERED) && !list_empty(&wq->pwqs)))
-		return -EINVAL;
+	if (!list_empty(&wq->pwqs)) {
+		if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT))
+			return -EINVAL;
+
+		wq->flags &= ~__WQ_ORDERED;
+	}
 
 	pwq_tbl = kzalloc(wq_numa_tbl_len * sizeof(pwq_tbl[0]), GFP_KERNEL);
 	new_attrs = alloc_workqueue_attrs(GFP_KERNEL);
@@ -4354,13 +4358,14 @@ void workqueue_set_max_active(struct wor
 	struct pool_workqueue *pwq;
 
 	/* disallow meddling with max_active for ordered workqueues */
-	if (WARN_ON(wq->flags & __WQ_ORDERED))
+	if (WARN_ON(wq->flags & __WQ_ORDERED_EXPLICIT))
 		return;
 
 	max_active = wq_clamp_max_active(max_active, wq->flags, wq->name);
 
 	mutex_lock(&wq->mutex);
 
+	wq->flags &= ~__WQ_ORDERED;
 	wq->saved_max_active = max_active;
 
 	for_each_pwq(pwq, wq)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 034/294] workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (272 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 194/294] USB: uas: fix bug in handling of alternate settings Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 291/294] net: ti: cpmac: Fix compiler warning due to type confusion Ben Hutchings
                   ` (21 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexei Potashnik, Tejun Heo, Christoph Hellwig

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 5c0338c68706be53b3dc472e4308961c36e4ece1 upstream.

The combination of WQ_UNBOUND and max_active == 1 used to imply
ordered execution.  After NUMA affinity 4c16bd327c74 ("workqueue:
implement NUMA affinity for unbound workqueues"), this is no longer
true due to per-node worker pools.

While the right way to create an ordered workqueue is
alloc_ordered_workqueue(), the documentation has been misleading for a
long time and people do use WQ_UNBOUND and max_active == 1 for ordered
workqueues which can lead to subtle bugs which are very difficult to
trigger.

It's unlikely that we'd see noticeable performance impact by enforcing
ordering on WQ_UNBOUND / max_active == 1 workqueues.  Let's
automatically set __WQ_ORDERED for those workqueues.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Christoph Hellwig <hch@infradead.org>
Reported-by: Alexei Potashnik <alexei@purestorage.com>
Fixes: 4c16bd327c74 ("workqueue: implement NUMA affinity for unbound workqueues")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/workqueue.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4152,6 +4152,16 @@ struct workqueue_struct *__alloc_workque
 	struct workqueue_struct *wq;
 	struct pool_workqueue *pwq;
 
+	/*
+	 * Unbound && max_active == 1 used to imply ordered, which is no
+	 * longer the case on NUMA machines due to per-node pools.  While
+	 * alloc_ordered_workqueue() is the right way to create an ordered
+	 * workqueue, keep the previous behavior to avoid subtle breakages
+	 * on NUMA.
+	 */
+	if ((flags & WQ_UNBOUND) && max_active == 1)
+		flags |= __WQ_ORDERED;
+
 	/* see the comment above the definition of WQ_POWER_EFFICIENT */
 	if ((flags & WQ_POWER_EFFICIENT) && wq_power_efficient)
 		flags |= WQ_UNBOUND;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 054/294] perf/core: Fix locking for children siblings group read
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 137/294] nfsd: Limit end of page list when decoding NFSv4 WRITE Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 286/294] mtd: cfi: reduce stack size Ben Hutchings
                   ` (208 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Linus Torvalds,
	Ingo Molnar, Andi Kleen, Jiri Olsa, Peter Zijlstra, Jiri Olsa,
	Thomas Gleixner

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 upstream.

We're missing ctx lock when iterating children siblings
within the perf_read path for group reading. Following
race and crash can happen:

User space doing read syscall on event group leader:

T1:
  perf_read
    lock event->ctx->mutex
    perf_read_group
      lock leader->child_mutex
      __perf_read_group_add(child)
        list_for_each_entry(sub, &leader->sibling_list, group_entry)

---->   sub might be invalid at this point, because it could
        get removed via perf_event_exit_task_context in T2

Child exiting and cleaning up its events:

T2:
  perf_event_exit_task_context
    lock ctx->mutex
    list_for_each_entry_safe(child_event, next, &child_ctx->event_list,...
      perf_event_exit_event(child)
        lock ctx->lock
        perf_group_detach(child)
        unlock ctx->lock

---->   child is removed from sibling_list without any sync
        with T1 path above

        ...
        free_event(child)

Before the child is removed from the leader's child_list,
(and thus is omitted from perf_read_group processing), we
need to ensure that perf_read_group touches child's
siblings under its ctx->lock.

Peter further notes:

| One additional note; this bug got exposed by commit:
|
|   ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
|
| which made it possible to actually trigger this code-path.

Tested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP")
Link: http://lkml.kernel.org/r/20170720141455.2106-1-jolsa@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -3568,7 +3568,9 @@ EXPORT_SYMBOL_GPL(perf_event_read_value)
 static void __perf_read_group_add(struct perf_event *leader,
 					u64 read_format, u64 *values)
 {
+	struct perf_event_context *ctx = leader->ctx;
 	struct perf_event *sub;
+	unsigned long flags;
 	int n = 1; /* skip @nr */
 	u64 count, enabled, running;
 
@@ -3591,11 +3593,15 @@ static void __perf_read_group_add(struct
 	if (read_format & PERF_FORMAT_ID)
 		values[n++] = primary_event_id(leader);
 
+	raw_spin_lock_irqsave(&ctx->lock, flags);
+
 	list_for_each_entry(sub, &leader->sibling_list, group_entry) {
 		values[n++] = perf_event_read_value(sub, &enabled, &running);
 		if (read_format & PERF_FORMAT_ID)
 			values[n++] = primary_event_id(sub);
 	}
+
+	raw_spin_unlock_irqrestore(&ctx->lock, flags);
 }
 
 static int perf_event_read_group(struct perf_event *event,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 067/294] powerpc/mm/hash: Free the subpage_prot_table correctly
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 247/294] cpmac: remove hopeless #warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 035/294] mount: copy the port field into the cloned nfs_server structure Ben Hutchings
                   ` (250 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ram Pai, Aneesh Kumar K.V, Michael Ellerman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>

commit 0da12a7a81f1e2255e89dc783c565e84801475a2 upstream.

Fixes: dad6f37c2602e ("powerpc: subpage_protect: Increase the array size to take care of 64TB")
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Tested-by: Ram Pai <linuxram@us.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/mm/subpage-prot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/mm/subpage-prot.c
+++ b/arch/powerpc/mm/subpage-prot.c
@@ -36,7 +36,7 @@ void subpage_prot_free(struct mm_struct
 		}
 	}
 	addr = 0;
-	for (i = 0; i < 2; ++i) {
+	for (i = 0; i < (TASK_SIZE_USER64 >> 43); ++i) {
 		p = spt->protptrs[i];
 		if (!p)
 			continue;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 123/294] ipv6: reset fn->rr_ptr when replacing route
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (202 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 136/294] qlge: avoid memcpy buffer overflow Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 052/294] ipv4: initialize fib_trie prior to register_netdev_notifier call Ben Hutchings
                   ` (91 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wei Wang, David S. Miller, Eric Dumazet

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Wang <weiwan@google.com>

commit 383143f31d7d3525a1dbff733d52fff917f82f15 upstream.

syzcaller reported the following use-after-free issue in rt6_select():
BUG: KASAN: use-after-free in rt6_select net/ipv6/route.c:755 [inline] at addr ffff8800bc6994e8
BUG: KASAN: use-after-free in ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084 at addr ffff8800bc6994e8
Read of size 4 by task syz-executor1/439628
CPU: 0 PID: 439628 Comm: syz-executor1 Not tainted 4.3.5+ #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ffff88018fe435b0 ffffffff81ca384d ffff8801d3588c00
 ffff8800bc699380 ffff8800bc699500 dffffc0000000000 ffff8801d40a47c0
 ffff88018fe435d8 ffffffff81735751 ffff88018fe43660 ffff8800bc699380
Call Trace:
 [<ffffffff81ca384d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81ca384d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
sctp: [Deprecated]: syz-executor0 (pid 439615) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
 [<ffffffff81735751>] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [<ffffffff817359c4>] print_address_description mm/kasan/report.c:196 [inline]
 [<ffffffff817359c4>] kasan_report_error+0x1b4/0x4a0 mm/kasan/report.c:285
 [<ffffffff81735d93>] kasan_report mm/kasan/report.c:305 [inline]
 [<ffffffff81735d93>] __asan_report_load4_noabort+0x43/0x50 mm/kasan/report.c:325
 [<ffffffff82a28e39>] rt6_select net/ipv6/route.c:755 [inline]
 [<ffffffff82a28e39>] ip6_pol_route.isra.46+0x1429/0x1470 net/ipv6/route.c:1084
 [<ffffffff82a28fb1>] ip6_pol_route_output+0x81/0xb0 net/ipv6/route.c:1203
 [<ffffffff82ab0a50>] fib6_rule_action+0x1f0/0x680 net/ipv6/fib6_rules.c:95
 [<ffffffff8265cbb6>] fib_rules_lookup+0x2a6/0x7a0 net/core/fib_rules.c:223
 [<ffffffff82ab1430>] fib6_rule_lookup+0xd0/0x250 net/ipv6/fib6_rules.c:41
 [<ffffffff82a22006>] ip6_route_output+0x1d6/0x2c0 net/ipv6/route.c:1224
 [<ffffffff829e83d2>] ip6_dst_lookup_tail+0x4d2/0x890 net/ipv6/ip6_output.c:943
 [<ffffffff829e889a>] ip6_dst_lookup_flow+0x9a/0x250 net/ipv6/ip6_output.c:1079
 [<ffffffff82a9f7d8>] ip6_datagram_dst_update+0x538/0xd40 net/ipv6/datagram.c:91
 [<ffffffff82aa0978>] __ip6_datagram_connect net/ipv6/datagram.c:251 [inline]
 [<ffffffff82aa0978>] ip6_datagram_connect+0x518/0xe50 net/ipv6/datagram.c:272
 [<ffffffff82aa1313>] ip6_datagram_connect_v6_only+0x63/0x90 net/ipv6/datagram.c:284
 [<ffffffff8292f790>] inet_dgram_connect+0x170/0x1f0 net/ipv4/af_inet.c:564
 [<ffffffff82565547>] SYSC_connect+0x1a7/0x2f0 net/socket.c:1582
 [<ffffffff8256a649>] SyS_connect+0x29/0x30 net/socket.c:1563
 [<ffffffff82c72032>] entry_SYSCALL_64_fastpath+0x12/0x17
Object at ffff8800bc699380, in cache ip6_dst_cache size: 384

The root cause of it is that in fib6_add_rt2node(), when it replaces an
existing route with the new one, it does not update fn->rr_ptr.
This commit resets fn->rr_ptr to NULL when it points to a route which is
replaced in fib6_add_rt2node().

Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_fib.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -859,6 +859,8 @@ add:
 		}
 		nsiblings = iter->rt6i_nsiblings;
 		fib6_purge_rt(iter, fn, info->nl_net);
+		if (fn->rr_ptr == iter)
+			fn->rr_ptr = NULL;
 		rt6_release(iter);
 
 		if (nsiblings) {
@@ -871,6 +873,8 @@ add:
 				if (rt6_qualify_for_ecmp(iter)) {
 					*ins = iter->dst.rt6_next;
 					fib6_purge_rt(iter, fn, info->nl_net);
+					if (fn->rr_ptr == iter)
+						fn->rr_ptr = NULL;
 					rt6_release(iter);
 					nsiblings--;
 				} else {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 043/294] tracing: Fix kmemleak in instance_rmdir
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (214 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 028/294] usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 232/294] dm bufio: hide bogus warning Ben Hutchings
                   ` (79 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), Chunyu Hu

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chunyu Hu <chuhu@redhat.com>

commit db9108e054700c96322b0f0028546aa4e643cf0b upstream.

Hit the kmemleak when executing instance_rmdir, it forgot releasing
mem of tracing_cpumask. With this fix, the warn does not appear any
more.

unreferenced object 0xffff93a8dfaa7c18 (size 8):
  comm "mkdir", pid 1436, jiffies 4294763622 (age 9134.308s)
  hex dump (first 8 bytes):
    ff ff ff ff ff ff ff ff                          ........
  backtrace:
    [<ffffffff88b6567a>] kmemleak_alloc+0x4a/0xa0
    [<ffffffff8861ea41>] __kmalloc_node+0xf1/0x280
    [<ffffffff88b505d3>] alloc_cpumask_var_node+0x23/0x30
    [<ffffffff88b5060e>] alloc_cpumask_var+0xe/0x10
    [<ffffffff88571ab0>] instance_mkdir+0x90/0x240
    [<ffffffff886e5100>] tracefs_syscall_mkdir+0x40/0x70
    [<ffffffff886565c9>] vfs_mkdir+0x109/0x1b0
    [<ffffffff8865b1d0>] SyS_mkdir+0xd0/0x100
    [<ffffffff88403857>] do_syscall_64+0x67/0x150
    [<ffffffff88b710e7>] return_from_SYSCALL_64+0x0/0x6a
    [<ffffffffffffffff>] 0xffffffffffffffff

Link: http://lkml.kernel.org/r/1500546969-12594-1-git-send-email-chuhu@redhat.com

Fixes: ccfe9e42e451 ("tracing: Make tracing_cpumask available for all instances")
Signed-off-by: Chunyu Hu <chuhu@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6373,6 +6373,7 @@ static int instance_delete(const char *n
 	debugfs_remove_recursive(tr->dir);
 	free_trace_buffers(tr);
 
+	free_cpumask_var(tr->tracing_cpumask);
 	kfree(tr->name);
 	kfree(tr);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 160/294] l2tp: hold tunnel while handling genl TUNNEL_GET commands
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 283/294] MIPS: TXx9: Delete an unused variable in tx4927_pcibios_setup Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 109/294] usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter Ben Hutchings
                   ` (278 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 4e4b21da3acc68a7ea55f850cacc13706b7480e9 upstream.

Use l2tp_tunnel_get() instead of l2tp_tunnel_find() so that we get
a reference on the tunnel, preventing l2tp_tunnel_destruct() from
freeing it from under us.

Also move l2tp_tunnel_get() below nlmsg_new() so that we only take
the reference when needed.

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_netlink.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -349,34 +349,37 @@ static int l2tp_nl_cmd_tunnel_get(struct
 
 	if (!info->attrs[L2TP_ATTR_CONN_ID]) {
 		ret = -EINVAL;
-		goto out;
+		goto err;
 	}
 
 	tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
 
-	tunnel = l2tp_tunnel_find(net, tunnel_id);
-	if (tunnel == NULL) {
-		ret = -ENODEV;
-		goto out;
-	}
-
 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 	if (!msg) {
 		ret = -ENOMEM;
-		goto out;
+		goto err;
+	}
+
+	tunnel = l2tp_tunnel_get(net, tunnel_id);
+	if (!tunnel) {
+		ret = -ENODEV;
+		goto err_nlmsg;
 	}
 
 	ret = l2tp_nl_tunnel_send(msg, info->snd_portid, info->snd_seq,
 				  NLM_F_ACK, tunnel);
 	if (ret < 0)
-		goto err_out;
+		goto err_nlmsg_tunnel;
+
+	l2tp_tunnel_dec_refcount(tunnel);
 
 	return genlmsg_unicast(net, msg, info->snd_portid);
 
-err_out:
+err_nlmsg_tunnel:
+	l2tp_tunnel_dec_refcount(tunnel);
+err_nlmsg:
 	nlmsg_free(msg);
-
-out:
+err:
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 061/294] md/raid5: add thread_group worker async_tx_issue_pending_all
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (217 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 143/294] perf/core: Fix group {cpu,task} validation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 149/294] r8169: Be drop monitor friendly Ben Hutchings
                   ` (76 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ofer Heifetz, Shaohua Li

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ofer Heifetz <oferh@marvell.com>

commit 7e96d559634b73a8158ee99a7abece2eacec2668 upstream.

Since thread_group worker and raid5d kthread are not in sync, if
worker writes stripe before raid5d then requests will be waiting
for issue_pendig.

Issue observed when building raid5 with ext4, in some build runs
jbd2 would get hung and requests were waiting in the HW engine
waiting to be issued.

Fix this by adding a call to async_tx_issue_pending_all in the
raid5_do_work.

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/raid5.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -5240,6 +5240,8 @@ static void raid5_do_work(struct work_st
 	pr_debug("%d stripes handled\n", handled);
 
 	spin_unlock_irq(&conf->device_lock);
+
+	async_tx_issue_pending_all();
 	blk_finish_plug(&plug);
 
 	pr_debug("--- raid5worker inactive\n");

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 081/294] USB: serial: option: add D-Link DWM-222 device ID
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 288/294] perf: Avoid horrible stack usage Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 047/294] RDMA/ocrdma: Fix error codes in ocrdma_create_srq() Ben Hutchings
                   ` (274 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Hector Martin

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hector Martin <marcan@marcan.st>

commit fd1b8668af59a11bb754a6c9b0051c6c5ce73b74 upstream.

Add device id for D-Link DWM-222.

Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2036,6 +2036,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) },			/* D-Link DWM-158 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),			/* D-Link DWM-221 B1 */
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff),			/* D-Link DWM-222 */
+	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 073/294] xtensa: fix cache aliasing handling code for WT cache
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (141 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 166/294] alpha: uapi: Add support for __SANE_USERSPACE_TYPES__ Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 097/294] iscsi-target: Fix iscsi_np reset hung task during parallel delete Ben Hutchings
                   ` (152 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Max Filippov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 6d0f581d1768d3eaba15776e7dd1fdfec10cfe36 upstream.

Currently building kernel for xtensa core with aliasing WT cache fails
with the following messages:

  mm/memory.c:2152: undefined reference to `flush_dcache_page'
  mm/memory.c:2332: undefined reference to `local_flush_cache_page'
  mm/memory.c:1919: undefined reference to `local_flush_cache_range'
  mm/memory.c:4179: undefined reference to `copy_to_user_page'
  mm/memory.c:4183: undefined reference to `copy_from_user_page'

This happens because implementation of these functions is only compiled
when data cache is WB, which looks wrong: even when data cache doesn't
need flushing it still needs invalidation. The functions like
__flush_[invalidate_]dcache_* are correctly defined for both WB and WT
caches (and even if they weren't that'd still be ok, just slower).

Fix this by providing the same implementation of the above functions for
both WB and WT cache.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/xtensa/mm/cache.c
+++ b/arch/xtensa/mm/cache.c
@@ -63,7 +63,7 @@
 #error "HIGHMEM is not supported on cores with aliasing cache."
 #endif
 
-#if (DCACHE_WAY_SIZE > PAGE_SIZE) && XCHAL_DCACHE_IS_WRITEBACK
+#if (DCACHE_WAY_SIZE > PAGE_SIZE)
 
 /*
  * Any time the kernel writes to a user page cache page, or it is about to
@@ -148,7 +148,7 @@ void local_flush_cache_page(struct vm_ar
 	__invalidate_icache_page_alias(virt, phys);
 }
 
-#endif
+#endif /* DCACHE_WAY_SIZE > PAGE_SIZE */
 
 void
 update_mmu_cache(struct vm_area_struct * vma, unsigned long addr, pte_t *ptep)
@@ -165,7 +165,7 @@ update_mmu_cache(struct vm_area_struct *
 
 	flush_tlb_page(vma, addr);
 
-#if (DCACHE_WAY_SIZE > PAGE_SIZE) && XCHAL_DCACHE_IS_WRITEBACK
+#if (DCACHE_WAY_SIZE > PAGE_SIZE)
 
 	if (!PageReserved(page) && test_bit(PG_arch_1, &page->flags)) {
 
@@ -197,7 +197,7 @@ update_mmu_cache(struct vm_area_struct *
  * flush_dcache_page() on the page.
  */
 
-#if (DCACHE_WAY_SIZE > PAGE_SIZE) && XCHAL_DCACHE_IS_WRITEBACK
+#if (DCACHE_WAY_SIZE > PAGE_SIZE)
 
 void copy_to_user_page(struct vm_area_struct *vma, struct page *page,
 		unsigned long vaddr, void *dst, const void *src,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 038/294] ARM: kexec: fix failure to boot crash kernel
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (267 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 124/294] Input: trackpoint - add new trackpoint firmware ID Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 036/294] x86/acpi: Prevent out of bound access caused by broken ACPI tables Ben Hutchings
                   ` (26 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Keerthy, Russell King

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 0d70262a2d60886da6fe5b1fc8bbcd76cbbc306d upstream.

When kexec was converted to DTB, the dtb address was passed between
machine_kexec_prepare() and machine_kexec() using a static variable.
This is bad news if you load a crash kernel followed by a normal
kernel or vice versa - the last loaded kernel overwrites the dtb
address.

This can result in kexec failures, as (eg) we try to boot the crash
kernel with the last loaded dtb.  For example, with:

the crash kernel fails to find the dtb.

Avoid this by defining a kimage architecture structure, and store
the address to be passed in r2 there, which will either be the ATAGs
or the dtb blob.

Fixes: 4cabd1d9625c ("ARM: 7539/1: kexec: scan for dtb magic in segments")
Fixes: 42d720d1731a ("ARM: kexec: Make .text R/W in machine_kexec")
Reported-by: Keerthy <j-keerthy@ti.com>
Tested-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/kexec.h    |  5 +++++
 arch/arm/kernel/machine_kexec.c | 11 ++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

--- a/arch/arm/include/asm/kexec.h
+++ b/arch/arm/include/asm/kexec.h
@@ -19,6 +19,11 @@
 
 #ifndef __ASSEMBLY__
 
+#define ARCH_HAS_KIMAGE_ARCH
+struct kimage_arch {
+	u32 kernel_r2;
+};
+
 /**
  * crash_setup_regs() - save registers for the panic kernel
  * @newregs: registers are saved here
--- a/arch/arm/kernel/machine_kexec.c
+++ b/arch/arm/kernel/machine_kexec.c
@@ -29,7 +29,6 @@ extern unsigned long kexec_boot_atags;
 
 static atomic_t waiting_for_crash_ipi;
 
-static unsigned long dt_mem;
 /*
  * Provide a dummy crash_notes definition while crash dump arrives to arm.
  * This prevents breakage of crash_notes attribute in kernel/ksysfs.c.
@@ -41,6 +40,9 @@ int machine_kexec_prepare(struct kimage
 	__be32 header;
 	int i, err;
 
+	image->arch.kernel_r2 = image->start - KEXEC_ARM_ZIMAGE_OFFSET
+				     + KEXEC_ARM_ATAGS_OFFSET;
+
 	/*
 	 * Validate that if the current HW supports SMP, then the SW supports
 	 * and implements CPU hotplug for the current HW. If not, we won't be
@@ -64,8 +66,8 @@ int machine_kexec_prepare(struct kimage
 		if (err)
 			return err;
 
-		if (be32_to_cpu(header) == OF_DT_HEADER)
-			dt_mem = current_segment->mem;
+		if (header == cpu_to_be32(OF_DT_HEADER))
+			image->arch.kernel_r2 = current_segment->mem;
 	}
 	return 0;
 }
@@ -167,8 +169,7 @@ void machine_kexec(struct kimage *image)
 	kexec_start_address = image->start;
 	kexec_indirection_page = page_list;
 	kexec_mach_type = machine_arch_type;
-	kexec_boot_atags = dt_mem ?: image->start - KEXEC_ARM_ZIMAGE_OFFSET
-				     + KEXEC_ARM_ATAGS_OFFSET;
+	kexec_boot_atags = image->arch.kernel_r2;
 
 	/* copy our kernel relocation code to the control code page */
 	reboot_entry = fncpy(reboot_code_buffer,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 086/294] i40e: Initialize 64-bit statistics TX ring seqcount
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 230/294] tty/isicom: fix big-endian compile warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 021/294] usb: storage: return on error to avoid a null pointer dereference Ben Hutchings
                   ` (226 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 7d6d067790289e4f61f59fa60550ca5918aa25bd upstream.

On 32-bit hosts and with CONFIG_DEBUG_LOCK_ALLOC we should be seeing a
lockdep splat indicating this seqcount is not correctly initialized, fix
that.

Fixes: 980e9b118642 ("i40e: Add support for 64 bit netstats")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -914,6 +914,8 @@ int i40e_setup_tx_descriptors(struct i40
 	if (!tx_ring->tx_bi)
 		goto err;
 
+	u64_stats_init(&tx_ring->syncp);
+
 	/* round up to nearest 4K */
 	tx_ring->size = tx_ring->count * sizeof(struct i40e_tx_desc);
 	/* add u32 for head writeback, align after this takes care of

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 024/294] spmi: Include OF based modalias in device uevent
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 135/294] tracing: Fix freeing of filter in create_filter() when set_str is false Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 092/294] ipv6: set rt6i_protocol properly in the route when it is installed Ben Hutchings
                   ` (172 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Stephen Boyd, Rob Clark, Bjorn Andersson

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Andersson <bjorn.andersson@linaro.org>

commit d50daa2af2618dab6d21634e65a5fbcf4ae437d6 upstream.

Include the OF-based modalias in the uevent sent when registering SPMI
devices, so that user space has a chance to autoload the kernel module
for the device.

Tested-by: Rob Clark <robdclark@gmail.com>
Reported-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spmi/spmi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/spmi/spmi.c
+++ b/drivers/spmi/spmi.c
@@ -354,11 +354,23 @@ static int spmi_drv_remove(struct device
 	return 0;
 }
 
+static int spmi_drv_uevent(struct device *dev, struct kobj_uevent_env *env)
+{
+	int ret;
+
+	ret = of_device_uevent_modalias(dev, env);
+	if (ret != -ENODEV)
+		return ret;
+
+	return 0;
+}
+
 static struct bus_type spmi_bus_type = {
 	.name		= "spmi",
 	.match		= spmi_device_match,
 	.probe		= spmi_drv_probe,
 	.remove		= spmi_drv_remove,
+	.uevent		= spmi_drv_uevent,
 };
 
 /**

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 049/294] IB/cma: Fix reference count leak when no ipv4 addresses are set
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 287/294] drbd: avoid redefinition of BITS_PER_PAGE Ben Hutchings
                   ` (139 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ariel Elior, Kalderon, Michal, Doug Ledford

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Kalderon, Michal" <Michal.Kalderon@cavium.com>

commit 963916fdb3e5ad4af57ac959b5a03bf23f7568ca upstream.

Once in_dev_get is called to receive in_device pointer, the
in_device reference counter is increased, but if there are
no ipv4 addresses configured on the net-device the ifa_list
will be null, resulting in a flow that doesn't call in_dev_put
to decrease the ref_cnt.
This was exposed when running RoCE over ipv6 without any ipv4
addresses configured

Fixes: commit 8e3867310c90 ("IB/cma: Fix a race condition in iboe_addr_get_sgid()")

Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/rdma/ib_addr.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/include/rdma/ib_addr.h
+++ b/include/rdma/ib_addr.h
@@ -185,11 +185,13 @@ static inline void iboe_addr_get_sgid(st
 	dev = dev_get_by_index(&init_net, dev_addr->bound_dev_if);
 	if (dev) {
 		ip4 = in_dev_get(dev);
-		if (ip4 && ip4->ifa_list && ip4->ifa_list->ifa_address) {
+		if (ip4 && ip4->ifa_list && ip4->ifa_list->ifa_address)
 			ipv6_addr_set_v4mapped(ip4->ifa_list->ifa_address,
 					       (struct in6_addr *)gid);
+
+		if (ip4)
 			in_dev_put(ip4);
-		}
+
 		dev_put(dev);
 	}
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 116/294] ipv4: fix NULL dereference in free_fib_info_rcu()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (220 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 184/294] fix unbalanced page refcounting in bio_map_user_iov Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 017/294] net: bcmgenet: Free skb after last Tx frag Ben Hutchings
                   ` (73 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Eric Dumazet, Dmitry Vyukov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 187e5b3ac84d3421d2de3aca949b2791fbcad554 upstream.

If fi->fib_metrics could not be allocated in fib_create_info()
we attempt to dereference a NULL pointer in free_fib_info_rcu() :

    m = fi->fib_metrics;
    if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
            kfree(m);

Before my recent patch, we used to call kfree(NULL) and nothing wrong
happened.

Instead of using RCU to defer freeing while we are under memory stress,
it seems better to take immediate action.

This was reported by syzkaller team.

Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/fib_semantics.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -823,15 +823,17 @@ struct fib_info *fib_create_info(struct
 	fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
 	if (fi == NULL)
 		goto failure;
-	fib_info_cnt++;
 	if (cfg->fc_mx) {
 		fi->fib_metrics = dst_alloc_metrics(GFP_KERNEL | __GFP_ZERO);
-		if (!fi->fib_metrics)
-			goto failure;
+		if (unlikely(!fi->fib_metrics)) {
+			kfree(fi);
+			return ERR_PTR(err);
+		}
 		atomic_set(&fi->fib_metrics->refcnt, 1);
-	} else
+	} else {
 		fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
-
+	}
+	fib_info_cnt++;
 	fi->fib_net = hold_net(net);
 	fi->fib_protocol = cfg->fc_protocol;
 	fi->fib_scope = cfg->fc_scope;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 037/294] ARM: kexec: Make .text R/W in machine_kexec
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (291 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 134/294] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 278/294] MIPS: DEC: Avoid la pseudo-instruction in delay slots Ben Hutchings
                   ` (2 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nikolay Borisov, Kees Cook, Will Deacon, Nicolas Pitre

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <Nikolay.Borisov@arm.com>

commit 42d720d1731a9d7035c2812437c35e271ec4dd78 upstream.

With the introduction of Kees Cook's patch to make the kernel .text
read-only the existing method by which kexec works got broken since it
directly pokes some values in the template code, which resides in the
.text section.

The current patch changes the way those values are inserted so that poking
.text section occurs only in machine_kexec (e.g when we are about to nuke
the old kernel and are beyond the point of return). This allows to use
set_kernel_text_rw() to directly patch the values in the .text section.

I had already sent a patch which achieved this but it was significantly
more complicated, so this is a cleaner/straight-forward approach.

Signed-off-by: Nikolay Borisov <Nikolay.Borisov@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
[kees: collapsed kexec_boot_atags (will.daecon)]
[kees: for bisectability, moved set_kernel_text_rw() to RODATA patch]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/machine_kexec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/kernel/machine_kexec.c
+++ b/arch/arm/kernel/machine_kexec.c
@@ -29,6 +29,7 @@ extern unsigned long kexec_boot_atags;
 
 static atomic_t waiting_for_crash_ipi;
 
+static unsigned long dt_mem;
 /*
  * Provide a dummy crash_notes definition while crash dump arrives to arm.
  * This prevents breakage of crash_notes attribute in kernel/ksysfs.c.
@@ -64,7 +65,7 @@ int machine_kexec_prepare(struct kimage
 			return err;
 
 		if (be32_to_cpu(header) == OF_DT_HEADER)
-			kexec_boot_atags = current_segment->mem;
+			dt_mem = current_segment->mem;
 	}
 	return 0;
 }
@@ -166,9 +167,8 @@ void machine_kexec(struct kimage *image)
 	kexec_start_address = image->start;
 	kexec_indirection_page = page_list;
 	kexec_mach_type = machine_arch_type;
-	if (!kexec_boot_atags)
-		kexec_boot_atags = image->start - KEXEC_ARM_ZIMAGE_OFFSET + KEXEC_ARM_ATAGS_OFFSET;
-
+	kexec_boot_atags = dt_mem ?: image->start - KEXEC_ARM_ZIMAGE_OFFSET
+				     + KEXEC_ARM_ATAGS_OFFSET;
 
 	/* copy our kernel relocation code to the control code page */
 	reboot_entry = fncpy(reboot_code_buffer,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (153 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 169/294] CIFS: Fix maximum SMB2 header size Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-07 16:24   ` Stephen Douthit
  2017-11-06 23:03 ` [PATCH 3.16 049/294] IB/cma: Fix reference count leak when no ipv4 addresses are set Ben Hutchings
                   ` (140 subsequent siblings)
  295 siblings, 1 reply; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Priamo, Stephen Douthit, Neil Horman, Wolfram Sang

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Douthit <stephend@adiengineering.com>

commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.

According to Table 15-14 of the C2000 EDS (Intel doc #510524) the
rx data pointed to by the descriptor dptr contains the byte count.

desc->rxbytes reports all bytes read on the wire, including the
"byte count" byte.  So if a device sends 4 bytes in response to a
block read, on the wire and in the DMA buffer we see:

count data1 data2 data3 data4
 0x04  0xde  0xad  0xbe  0xef

That's what we want to return in data->block to the next level.

Instead we were actually prefixing that with desc->rxbytes:

bad
count count data1 data2 data3 data4
 0x05  0x04  0xde  0xad  0xbe  0xef

This was discovered while developing a BMC solution relying on the
ipmi_ssif.c driver which was trying to interpret the bogus length
field as part of the IPMI response.

Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
Tested-by: Dan Priamo <danp@adiengineering.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/busses/i2c-ismt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -344,8 +344,8 @@ static int ismt_process_desc(const struc
 			break;
 		case I2C_SMBUS_BLOCK_DATA:
 		case I2C_SMBUS_I2C_BLOCK_DATA:
-			memcpy(&data->block[1], dma_buffer, desc->rxbytes);
-			data->block[0] = desc->rxbytes;
+			memcpy(data->block, dma_buffer, desc->rxbytes);
+			data->block[0] = desc->rxbytes - 1;
 			break;
 		}
 		return 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 055/294] iwlwifi: dvm: prevent an out of bounds access
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 014/294] net: bcmgenet: fix dev->stats.tx_bytes accounting Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 235/294] scsi: advansys: remove #warning message Ben Hutchings
                   ` (129 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Seraphime Kirkovski, Emmanuel Grumbach, Luca Coelho

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream.

iwlagn_check_ratid_empty takes the tid as a parameter, but
it doesn't check that it is not IWL_TID_NON_QOS.
Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array
with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS]
is a bad idea.
This happened in iwlagn_rx_reply_tx. Since
iwlagn_check_ratid_empty is relevant only to check whether
we can open A-MPDU, this flow is irrelevant if tid is
IWL_TID_NON_QOS. Call iwlagn_check_ratid_empty only inside
the
	if (tid != IWL_TID_NON_QOS)

a few lines earlier in the function.

Reported-by: Seraphime Kirkovski <kirkseraph@gmail.com>
Tested-by: Seraphime Kirkovski <kirkseraph@gmail.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/iwlwifi/dvm/tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/dvm/tx.c
+++ b/drivers/net/wireless/iwlwifi/dvm/tx.c
@@ -1190,11 +1190,11 @@ int iwlagn_rx_reply_tx(struct iwl_priv *
 				next_reclaimed;
 			IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
 						  next_reclaimed);
+			iwlagn_check_ratid_empty(priv, sta_id, tid);
 		}
 
 		iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
 
-		iwlagn_check_ratid_empty(priv, sta_id, tid);
 		freed = 0;
 
 		/* process frames */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 089/294] ALSA: hda - Fix speaker output from VAIO VPCL14M1R
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 046/294] RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 217/294] Input: joystick - use get_cycles on ARMv8 Ben Hutchings
                   ` (144 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitriy, Takashi Iwai, Sergei A. Trusov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Sergei A. Trusov" <sergei.a.trusov@ya.ru>

commit 3f3c371421e601fa93b6cb7fb52da9ad59ec90b4 upstream.

Sony VAIO VPCL14M1R needs the quirk to make the speaker working properly.

Tested-by: Dmitriy <mexx400@yandex.ru>
Signed-off-by: Sergei A. Trusov <sergei.a.trusov@ya.ru>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2285,6 +2285,7 @@ static const struct snd_pci_quirk alc882
 	SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
 	SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT),
 	SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP),
+	SND_PCI_QUIRK(0x104d, 0x9060, "Sony Vaio VPCL14M1R", ALC882_FIXUP_NO_PRIMARY_HP),
 	SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP),
 	SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP),
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 165/294] x86/ldt: Fix off by one in get_segment_base()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
@ 2017-11-06 23:03   ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
                     ` (294 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kernel-janitors, Arnaldo Carvalho de Melo, Ingo Molnar,
	Andy Lutomirski, Alexander Shishkin, Peter Zijlstra,
	Dan Carpenter, Thomas Gleixner, Linus Torvalds

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit eaa2f87c6b840b83827c40db6eb8481689570259 upstream.

ldt->entries[] is allocated in alloc_ldt_struct().  It has
ldt->nr_entries elements and ldt->nr_entries is capped at LDT_ENTRIES.
So if "idx" is == ldt->nr_entries then we're reading beyond the end of
the buffer.  It seems duplicative to have two limit checks when one
would work just as well so I removed the check against LDT_ENTRIES.

The gdt_page.gdt[] array has GDT_ENTRIES entries.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-janitors@vger.kernel.org
Fixes: d07bdfd322d3 ("perf/x86: Fix USER/KERNEL tagging of samples properly")
Link: http://lkml.kernel.org/r/20170818102516.gqwm4xdvvuvjw5ho@mwanda
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/perf_event.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -2009,17 +2009,14 @@ static unsigned long get_segment_base(un
 	if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
 		struct ldt_struct *ldt;
 
-		if (idx > LDT_ENTRIES)
-			return 0;
-
 		/* IRQs are off, so this synchronizes with smp_store_release */
 		ldt = lockless_dereference(current->active_mm->context.ldt);
-		if (!ldt || idx > ldt->size)
+		if (!ldt || idx >= ldt->size)
 			return 0;
 
 		desc = &ldt->entries[idx];
 	} else {
-		if (idx > GDT_ENTRIES)
+		if (idx >= GDT_ENTRIES)
 			return 0;
 
 		desc = __this_cpu_ptr(&gdt_page.gdt[0]) + idx;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 051/294] RDMA/core: Initialize port_num in qp_attr
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 161/294] l2tp: remove useless duplicate session detection in l2tp_netlink Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 150/294] Clarify (and fix) MAX_LFS_FILESIZE macros Ben Hutchings
                   ` (258 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steve Wise, Doug Ledford, Ismail, Mustafa, Mike Marciniszyn

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Ismail, Mustafa" <mustafa.ismail@intel.com>

commit a62ab66b13a0f9bcb17b7b761f6670941ed5cd62 upstream.

Initialize the port_num for iWARP in rdma_init_qp_attr.

Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/cma.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -753,6 +753,8 @@ int rdma_init_qp_attr(struct rdma_cm_id
 		} else
 			ret = iw_cm_init_qp_attr(id_priv->cm_id.iw, qp_attr,
 						 qp_attr_mask);
+		qp_attr->port_num = id_priv->id.port_num;
+		*qp_attr_mask |= IB_QP_PORT;
 		break;
 	default:
 		ret = -ENOSYS;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 064/294] media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 059/294] KVM: PPC: Book3S HV: Enable TM before accessing TM registers Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 094/294] IB/uverbs: Fix device cleanup Ben Hutchings
                   ` (168 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Derek, Mauro Carvalho Chehab, Sean Young

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

commit 9f5039ba440e499d85c29b1ddbc3cbc9dc90e44b upstream.

Since commit e8f4818895b3 ("[media] lirc: advertise
LIRC_CAN_GET_REC_RESOLUTION and improve") lircd uses the ioctl
LIRC_GET_REC_RESOLUTION to determine the shortest pulse or space that
the hardware can detect. This breaks decoding in lirc because lircd
expects the answer in microseconds, but nanoseconds is returned.

Reported-by: Derek <user.vdr@gmail.com>
Tested-by: Derek <user.vdr@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/rc/ir-lirc-codec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/rc/ir-lirc-codec.c
+++ b/drivers/media/rc/ir-lirc-codec.c
@@ -257,7 +257,7 @@ static long ir_lirc_ioctl(struct file *f
 		return 0;
 
 	case LIRC_GET_REC_RESOLUTION:
-		val = dev->rx_resolution;
+		val = dev->rx_resolution / 1000;
 		break;
 
 	case LIRC_SET_WIDEBAND_RECEIVER:

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 041/294] xhci: fix 20000ms port resume timeout
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 141/294] mtd: nandsim: remove debugfs entries in error path Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 218/294] dma: pl08x: Use correct specifier for size_t values Ben Hutchings
                   ` (124 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit a54408d0a004757789863d74e29c2297edae0b4d upstream.

A uncleared PLC (port link change) bit will prevent furuther port event
interrupts for that port. Leaving it uncleared caused get_port_status()
to timeout after 20000ms while waiting to get the final port event
interrupt for resume -> U0 state change.

This is a targeted fix for a specific case where we get a port resume event
racing with xhci resume. The port event interrupt handler notices xHC is
not yet running and bails out early, leaving PLC uncleared.

The whole xhci port resuming needs more attention, but while working on it
it anyways makes sense to always ensure PLC is cleared in get_port_status
before setting a new link state and waiting for its completion.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -644,6 +644,9 @@ static u32 xhci_get_port_status(struct u
 			clear_bit(wIndex, &bus_state->resuming_ports);
 
 			set_bit(wIndex, &bus_state->rexit_ports);
+
+			xhci_test_and_clear_bit(xhci, port_array, wIndex,
+						PORT_PLC);
 			xhci_set_link_state(xhci, port_array, wIndex,
 					XDEV_U0);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 035/294] mount: copy the port field into the cloned nfs_server structure.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 067/294] powerpc/mm/hash: Free the subpage_prot_table correctly Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 131/294] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() Ben Hutchings
                   ` (249 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anna Schumaker, Steve Dickson

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Dickson <steved@redhat.com>

commit 89a6814d9b665b196aa3a102f96b6dc7e8cb669e upstream.

Doing this copy eliminates the "port=0" entry in
the /proc/mounts entries

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=69241

Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/client.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -931,6 +931,7 @@ void nfs_server_copy_userdata(struct nfs
 	target->caps = source->caps;
 	target->options = source->options;
 	target->auth_info = source->auth_info;
+	target->port = source->port;
 }
 EXPORT_SYMBOL_GPL(nfs_server_copy_userdata);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 036/294] x86/acpi: Prevent out of bound access caused by broken ACPI tables
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (268 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 038/294] ARM: kexec: fix failure to boot crash kernel Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 234/294] ips: remove pointless #warning Ben Hutchings
                   ` (25 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, security, Thomas Gleixner, Seunghun Han,
	Rafael J. Wysocki

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Seunghun Han <kkamagui@gmail.com>

commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream.

The bus_irq argument of mp_override_legacy_irq() is used as the index into
the isa_irq_to_gsi[] array. The bus_irq argument originates from
ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
tables, but is nowhere sanity checked.

That allows broken or malicious ACPI tables to overwrite memory, which
might cause malfunction, panic or arbitrary code execution.

Add a sanity check and emit a warning when that triggers.

[ tglx: Added warning and rewrote changelog ]

Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: security@kernel.org
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/acpi/boot.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -910,6 +910,14 @@ void __init mp_override_legacy_irq(u8 bu
 	struct mpc_intsrc mp_irq;
 
 	/*
+	 * Check bus_irq boundary.
+	 */
+	if (bus_irq >= NR_IRQS_LEGACY) {
+		pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
+		return;
+	}
+
+	/*
 	 * Convert 'gsi' to 'ioapic.pin'.
 	 */
 	ioapic = mp_find_ioapic(gsi);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 103/294] net: skb_needs_check() accepts CHECKSUM_NONE for tx
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 276/294] ARM: 8296/1: cache-l2x0: clean up aurora cache handling Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 012/294] net: bcmgenet: rewrite bcmgenet_rx_refill() Ben Hutchings
                   ` (198 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Willem de Bruijn

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 6e7bc478c9a006c701c14476ec9d389a484b4864 upstream.

My recent change missed fact that UFO would perform a complete
UDP checksum before segmenting in frags.

In this case skb->ip_summed is set to CHECKSUM_NONE.

We need to add this valid case to skb_needs_check()

Fixes: b2504a5dbef3 ("net: reduce skb_warn_bad_offload() noise")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2413,9 +2413,10 @@ EXPORT_SYMBOL(skb_mac_gso_segment);
 static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path)
 {
 	if (tx_path)
-		return skb->ip_summed != CHECKSUM_PARTIAL;
-	else
-		return skb->ip_summed == CHECKSUM_NONE;
+		return skb->ip_summed != CHECKSUM_PARTIAL &&
+		       skb->ip_summed != CHECKSUM_NONE;
+
+	return skb->ip_summed == CHECKSUM_NONE;
 }
 
 /**

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 078/294] iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 125/294] iio: imu: adis16480: Fix acceleration scale factor for adis16480 Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 185/294] KEYS: prevent KEYCTL_READ on negative key Ben Hutchings
                   ` (215 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Naftali Goldstein, Luca Coelho

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Naftali Goldstein <naftali.goldstein@intel.com>

commit 8addabf8e6e299f790038fdc92ddceaaf76adab8 upstream.

Set the STA_FLG_RTS_MIMO_PROT bit in station_flags_msk of the add sta
command, so that when smps mode changes, the FW will know about it.

In particular, in AP mode, clients are added upon receival of an auth
request, at which point there's no knowledge of the client's smps mode.
When the assoc request arrives, the add_sta command is resent to modify
the station parameters. At this point the driver knows the smps mode,
but since the corresponding bit in the mask is not set, the fw doesn't
update this field so there's no rts protection for mimo.

Fixes: 5bc5aaad407c ("iwlwifi: mvm: set up initial SMPS/NSS station info")
Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[bwh: Backported to 3.16: adjust filename, context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/iwlwifi/mvm/sta.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/iwlwifi/mvm/sta.c
@@ -114,7 +114,8 @@ int iwl_mvm_sta_send_to_fw(struct iwl_mv
 	add_sta_cmd.add_modify = update ? 1 : 0;
 
 	add_sta_cmd.station_flags_msk |= cpu_to_le32(STA_FLG_FAT_EN_MSK |
-						     STA_FLG_MIMO_EN_MSK);
+						     STA_FLG_MIMO_EN_MSK |
+						     STA_FLG_RTS_MIMO_PROT);
 
 	switch (sta->bandwidth) {
 	case IEEE80211_STA_RX_BW_160:

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 127/294] drm: Release driver tracking before making the object available again
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 171/294] net_sched: fix error recovery at qdisc creation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 274/294] ARM: OMAP: Fix Kconfig warning for omap1 Ben Hutchings
                   ` (47 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Airlie, Chris Wilson, Joonas Lahtinen, Daniel Vetter,
	Daniel Vetter, Ville Syrjälä,
	Thierry Reding, Rob Clark

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit fe4600a548f2763dec91b3b27a1245c370ceee2a upstream.

This is the same bug as we fixed in commit f6cd7daecff5 ("drm: Release
driver references to handle before making it available again"), but now
the exposure is via the PRIME lookup tables. If we remove the
object/handle from the PRIME lut, then a new request for the same
object/fd will generate a new handle, thus for a short window that
object is known to userspace by two different handles. Fix this by
releasing the driver tracking before PRIME.

Fixes: 0ff926c7d4f0 ("drm/prime: add exported buffers to current fprivs
imported buffer list (v2)")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Rob Clark <robdclark@gmail.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Thierry Reding <treding@nvidia.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20170819120558.6465-1-chris@chris-wilson.co.uk
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_gem.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -698,13 +698,13 @@ drm_gem_object_release_handle(int id, vo
 	struct drm_gem_object *obj = ptr;
 	struct drm_device *dev = obj->dev;
 
+	if (dev->driver->gem_close_object)
+		dev->driver->gem_close_object(obj, file_priv);
+
 	if (drm_core_check_feature(dev, DRIVER_PRIME))
 		drm_gem_remove_prime_handles(obj, file_priv);
 	drm_vma_node_revoke(&obj->vma_node, file_priv->filp);
 
-	if (dev->driver->gem_close_object)
-		dev->driver->gem_close_object(obj, file_priv);
-
 	drm_gem_object_handle_unreference_unlocked(obj);
 
 	return 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 125/294] iio: imu: adis16480: Fix acceleration scale factor for adis16480
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 264/294] Staging: iio: adc: fix indent on break statement Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 078/294] iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw Ben Hutchings
                   ` (216 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Lars-Peter Clausen, Jonathan Cameron, Dragos Bogdan

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dragos Bogdan <dragos.bogdan@analog.com>

commit fdd0d32eb95f135041236a6885d9006315aa9a1d upstream.

According to the datasheet, the range of the acceleration is [-10 g, + 10 g],
so the scale factor should be 10 instead of 5.

Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/imu/adis16480.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/imu/adis16480.c
+++ b/drivers/iio/imu/adis16480.c
@@ -724,7 +724,7 @@ static const struct adis16480_chip_info
 		.gyro_max_val = IIO_RAD_TO_DEGREE(22500),
 		.gyro_max_scale = 450,
 		.accel_max_val = IIO_M_S_2_TO_G(12500),
-		.accel_max_scale = 5,
+		.accel_max_scale = 10,
 	},
 	[ADIS16485] = {
 		.channels = adis16485_channels,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 082/294] drm/msm: Fix potential buffer overflow issue
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 200/294] nilfs2: fix gcc uninitialized-variable warnings in powerpc build Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 222/294] ASoC: fsl_sai: Set SYNC bit of TCR2 to Asynchronous Mode Ben Hutchings
                   ` (231 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jordan Crouse, Rob Clark, Kasin Li

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kasin Li <donglil@codeaurora.org>

commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream.

In function submit_create, if nr_cmds or nr_bos is assigned with
negative value, the allocated buffer may be small than intended.
Using this buffer will lead to buffer overflow issue.

Signed-off-by: Kasin Li <donglil@codeaurora.org>
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
[bwh: Backported to 3.16: submit_create() only supports a variable number of bos]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -34,10 +34,13 @@ static inline void __user *to_user_ptr(u
 }
 
 static struct msm_gem_submit *submit_create(struct drm_device *dev,
-		struct msm_gpu *gpu, int nr)
+		struct msm_gpu *gpu, uint32_t nr)
 {
 	struct msm_gem_submit *submit;
-	int sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
+	uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
+
+	if (sz > SIZE_MAX)
+		return NULL;
 
 	submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
 	if (submit) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 019/294] USB: serial: cp210x: add support for Qivicon USB ZigBee dongle
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (237 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 221/294] ASoC: imx-audmux: Use uintptr_t for port numbers Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 273/294] ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode Ben Hutchings
                   ` (56 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Frans Klaver, Johan Hovold, Stefan Triller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Triller <github@stefantriller.de>

commit 9585e340db9f6cc1c0928d82c3a23cc4460f0a3f upstream.

The German Telekom offers a ZigBee USB Stick under the brand name Qivicon
for their SmartHome Home Base in its 1. Generation. The productId is not
known by the according kernel module, this patch adds support for it.

Signed-off-by: Stefan Triller <github@stefantriller.de>
Reviewed-by: Frans Klaver <fransklaver@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -135,6 +135,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
 	{ USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
 	{ USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
+	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
 	{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
 	{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
 	{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 226/294] spi: rspi: Remove unused variable in rspi_rz_transfer_one()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (174 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 257/294] netfilter: Fix switch statement warnings with recent gcc Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 029/294] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue() Ben Hutchings
                   ` (119 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Mark Brown, Geert Uytterhoeven, Geert Uytterhoeven

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit 95029a00886f0c8d79e700cb8983b881c75af0f1 upstream.

Introduced by commit 8b983e90ea1a3dd82070f96c062ad521a06b7cc0 ("spi: rspi:
Extract rspi_common_transfer()"), which removed its users.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-rspi.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/spi/spi-rspi.c
+++ b/drivers/spi/spi-rspi.c
@@ -630,7 +630,6 @@ static int rspi_rz_transfer_one(struct s
 				struct spi_transfer *xfer)
 {
 	struct rspi_data *rspi = spi_master_get_devdata(master);
-	int ret;
 
 	rspi_rz_receive_init(rspi);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 280/294] MIPS: ip22: Fix ip28 build for modern gcc
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (263 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 260/294] video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 120/294] netxen: fix incorrect loop counter decrement Ben Hutchings
                   ` (30 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Ralf Baechle, linux-mips

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 23ca9b522383d3b9b7991d8586db30118992af4a upstream.

kernelci reports a failure of the ip28_defconfig build after upgrading its
gcc version:

arch/mips/sgi-ip22/Platform:29: *** gcc doesn't support needed option -mr10k-cache-barrier=store.  Stop.

The problem apparently is that the -mr10k-cache-barrier=store option is now
rejected for CPUs other than r10k. Explicitly including the CPU in the
check fixes this and is safe because both options were introduced in
gcc-4.4.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/15049/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/sgi-ip22/Platform | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/sgi-ip22/Platform
+++ b/arch/mips/sgi-ip22/Platform
@@ -25,7 +25,7 @@ endif
 # Simplified: what IP22 does at 128MB+ in ksegN, IP28 does at 512MB+ in xkphys
 #
 ifdef CONFIG_SGI_IP28
-  ifeq ($(call cc-option-yn,-mr10k-cache-barrier=store), n)
+  ifeq ($(call cc-option-yn,-march=r10000 -mr10k-cache-barrier=store), n)
       $(error gcc doesn't support needed option -mr10k-cache-barrier=store)
   endif
 endif

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 278/294] MIPS: DEC: Avoid la pseudo-instruction in delay slots
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (292 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 037/294] ARM: kexec: Make .text R/W in machine_kexec Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-07 14:17 ` [PATCH 3.16 000/294] 3.16.50-rc1 review Guenter Roeck
  2017-11-09 11:55 ` Arnd Bergmann
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ralf@linux-mips.org>

commit 3021773c7c3e75e20b693931a19362681e744ea9 upstream.

When expanding the la or dla pseudo-instruction in a delay slot the GNU
assembler will complain should the pseudo-instruction expand to multiple
actual instructions, since only the first of them will be in the delay
slot leading to the pseudo-instruction being only partially executed if
the branch is taken. Use of PTR_LA in the dec int-handler.S leads to
such warnings:

  arch/mips/dec/int-handler.S: Assembler messages:
  arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot
  arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot

Avoid this by open coding the PTR_LA macros.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

--- a/arch/mips/dec/int-handler.S
+++ b/arch/mips/dec/int-handler.S
@@ -146,7 +146,25 @@
 		/*
 		 * Find irq with highest priority
 		 */
-		 PTR_LA	t1,cpu_mask_nr_tbl
+		# open coded PTR_LA t1, cpu_mask_nr_tbl
+#if (_MIPS_SZPTR == 32)
+		# open coded la t1, cpu_mask_nr_tbl
+		lui	t1, %hi(cpu_mask_nr_tbl)
+		addiu	t1, %lo(cpu_mask_nr_tbl)
+
+#endif
+#if (_MIPS_SZPTR == 64)
+		# open coded dla t1, cpu_mask_nr_tbl
+		.set	push
+		.set	noat
+		lui	t1, %highest(cpu_mask_nr_tbl)
+		lui	AT, %hi(cpu_mask_nr_tbl)
+		daddiu	t1, t1, %higher(cpu_mask_nr_tbl)
+		daddiu	AT, AT, %lo(cpu_mask_nr_tbl)
+		dsll	t1, 32
+		daddu	t1, t1, AT
+		.set	pop
+#endif
 1:		lw	t2,(t1)
 		nop
 		and	t2,t0
@@ -195,7 +213,25 @@
 		/*
 		 * Find irq with highest priority
 		 */
-		 PTR_LA	t1,asic_mask_nr_tbl
+		# open coded PTR_LA t1,asic_mask_nr_tbl
+#if (_MIPS_SZPTR == 32)
+		# open coded la t1, asic_mask_nr_tbl
+		lui	t1, %hi(asic_mask_nr_tbl)
+		addiu	t1, %lo(asic_mask_nr_tbl)
+
+#endif
+#if (_MIPS_SZPTR == 64)
+		# open coded dla t1, asic_mask_nr_tbl
+		.set	push
+		.set	noat
+		lui	t1, %highest(asic_mask_nr_tbl)
+		lui	AT, %hi(asic_mask_nr_tbl)
+		daddiu	t1, t1, %higher(asic_mask_nr_tbl)
+		daddiu	AT, AT, %lo(asic_mask_nr_tbl)
+		dsll	t1, 32
+		daddu	t1, t1, AT
+		.set	pop
+#endif
 2:		lw	t2,(t1)
 		nop
 		and	t2,t0

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 225/294] clk/efm32gg: fix dt init prototype
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 227/294] spi/atmel: Fix pointer to int conversion warnings on 64 bit builds Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 264/294] Staging: iio: adc: fix indent on break statement Ben Hutchings
                   ` (218 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rob Herring, Arnd Bergmann, Uwe Kleine-König,
	Mike Turquette, Bryan Hundven

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

commit 8ce8ebeb572d70e672a8d158e93ffaac80ea7576 upstream.

Since commit 54196ccbe0ba (of: consolidate linker section OF match table
declarations) which went into 3.16-rc1 the following compiler warning is
generated:

	In file included from drivers/clk/clk-efm32gg.c:12:0: include/linux/of.h:772:20:
	warning: comparison of distinct pointer types lacks a cast [enabled by default]
		.data = (fn == (fn_type)NULL) ? fn : fn  }
			    ^
	include/linux/of.h:785:3: note: in expansion of macro '_OF_DECLARE'
	   _OF_DECLARE(table, name, compat, fn, of_init_fn_1)
	   ^
	include/linux/clk-provider.h:545:42: note: in expansion of macro 'OF_DECLARE_1'
	 #define CLK_OF_DECLARE(name, compat, fn) OF_DECLARE_1(clk, name, compat, fn)
						  ^
	drivers/clk/clk-efm32gg.c:81:1: note: in expansion of macro 'CLK_OF_DECLARE'
	 CLK_OF_DECLARE(efm32ggcmu, "efm32gg,cmu", efm32gg_cmu_init);
	 ^

Fix it by making efm32gg_cmu_init return void.

Cc: Rob Herring <robh@kernel.org>
Reported-by: Bryan Hundven <bryanhundven@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Mike Turquette <mturquette@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/clk-efm32gg.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/clk/clk-efm32gg.c
+++ b/drivers/clk/clk-efm32gg.c
@@ -22,7 +22,7 @@ static struct clk_onecell_data clk_data
 	.clk_num = ARRAY_SIZE(clk),
 };
 
-static int __init efm32gg_cmu_init(struct device_node *np)
+static void __init efm32gg_cmu_init(struct device_node *np)
 {
 	int i;
 	void __iomem *base;
@@ -33,7 +33,7 @@ static int __init efm32gg_cmu_init(struc
 	base = of_iomap(np, 0);
 	if (!base) {
 		pr_warn("Failed to map address range for efm32gg,cmu node\n");
-		return -EADDRNOTAVAIL;
+		return;
 	}
 
 	clk[clk_HFXO] = clk_register_fixed_rate(NULL, "HFXO", NULL,
@@ -76,6 +76,6 @@ static int __init efm32gg_cmu_init(struc
 	clk[clk_HFPERCLKDAC0] = clk_register_gate(NULL, "HFPERCLK.DAC0",
 			"HFXO", 0, base + CMU_HFPERCLKEN0, 17, 0, NULL);
 
-	return of_clk_add_provider(np, of_clk_src_onecell_get, &clk_data);
+	of_clk_add_provider(np, of_clk_src_onecell_get, &clk_data);
 }
 CLK_OF_DECLARE(efm32ggcmu, "efm32gg,cmu", efm32gg_cmu_init);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 281/294] MIPS: MSP71xx: remove odd locking in PCI config space access code
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 112/294] af_key: do not use GFP_KERNEL in atomic contexts Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 070/294] net/mlx5: Fix command bad flow on command entry allocation failure Ben Hutchings
                   ` (95 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sergey Ryazanov, Ralf Baechle, Arnd Bergmann, Linux MIPS

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Ryazanov <ryazanov.s.a@gmail.com>

commit c4a305374bbf36414515d2ae00d588c67051e67d upstream.

Caller (generic PCI code) already do proper locking so no need to add
another one here.

Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Cc: Linux MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/7601/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/pci/ops-pmcmsp.c | 12 ------------
 1 file changed, 12 deletions(-)

--- a/arch/mips/pci/ops-pmcmsp.c
+++ b/arch/mips/pci/ops-pmcmsp.c
@@ -193,8 +193,6 @@ static void pci_proc_init(void)
 }
 #endif /* CONFIG_PROC_FS && PCI_COUNTERS */
 
-static DEFINE_SPINLOCK(bpci_lock);
-
 /*****************************************************************************
  *
  *  STRUCT: pci_io_resource
@@ -368,7 +366,6 @@ int msp_pcibios_config_access(unsigned c
 	struct msp_pci_regs *preg = (void *)PCI_BASE_REG;
 	unsigned char bus_num = bus->number;
 	unsigned char dev_fn = (unsigned char)devfn;
-	unsigned long flags;
 	unsigned long intr;
 	unsigned long value;
 	static char pciirqflag;
@@ -401,10 +398,7 @@ int msp_pcibios_config_access(unsigned c
 	}
 
 #if defined(CONFIG_PMC_MSP7120_GW) || defined(CONFIG_PMC_MSP7120_EVAL)
-	local_irq_save(flags);
 	vpe_status = dvpe();
-#else
-	spin_lock_irqsave(&bpci_lock, flags);
 #endif
 
 	/*
@@ -457,9 +451,6 @@ int msp_pcibios_config_access(unsigned c
 
 #if defined(CONFIG_PMC_MSP7120_GW) || defined(CONFIG_PMC_MSP7120_EVAL)
 		evpe(vpe_status);
-		local_irq_restore(flags);
-#else
-		spin_unlock_irqrestore(&bpci_lock, flags);
 #endif
 
 		return -1;
@@ -467,9 +458,6 @@ int msp_pcibios_config_access(unsigned c
 
 #if defined(CONFIG_PMC_MSP7120_GW) || defined(CONFIG_PMC_MSP7120_EVAL)
 	evpe(vpe_status);
-	local_irq_restore(flags);
-#else
-	spin_unlock_irqrestore(&bpci_lock, flags);
 #endif
 
 	return PCIBIOS_SUCCESSFUL;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 223/294] ASoC: adau1977: Fix truncation warning on 64 bit architectures
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 176/294] sch_cbq: fix null pointer dereferences on init failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 100/294] scsi: st: fix blk_get_queue usage Ben Hutchings
                   ` (237 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Arnd Bergmann, Lars-Peter Clausen

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit d8df26bb57d2a86365de46a5421b97417401e39a upstream.

Negating ADAU1977_BLOCK_POWER_SAI_LDO_EN creates an unsigned long constant
with all bits set which on 64 bit architectures needs to be truncated to
an unsigned int, generating a warning. Add an explicit cast since we know
this is OK.

Signed-off-by: Mark Brown <broonie@linaro.org>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/codecs/adau1977.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/codecs/adau1977.c
+++ b/sound/soc/codecs/adau1977.c
@@ -968,7 +968,7 @@ int adau1977_probe(struct device *dev, s
 	if (adau1977->dvdd_reg)
 		power_off_mask = ~0;
 	else
-		power_off_mask = ~ADAU1977_BLOCK_POWER_SAI_LDO_EN;
+		power_off_mask = (unsigned int)~ADAU1977_BLOCK_POWER_SAI_LDO_EN;
 
 	ret = regmap_update_bits(adau1977->regmap, ADAU1977_REG_BLOCK_POWER_SAI,
 				power_off_mask, 0x00);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 256/294] brcmfmac: avoid gcc-5.1 warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 188/294] ALSA: seq: Fix use-after-free at creating a port Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 142/294] netvsc: fix deadlock betwen link status and removal Ben Hutchings
                   ` (35 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 22f44150aad7a1d6b074ab6cf59abee61c7187c6 upstream.

gcc-5.0 gained a new warning in the fwsignal portion of the brcmfmac
driver:

drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c: In function 'brcmf_fws_txs_process':
drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c:1478:8: warning: 'skb' may be used uninitialized in this function [-Wmaybe-uninitialized]

This is a false positive, and marking the brcmf_fws_hanger_poppkt function
as 'static inline' makes the warning go away. I have checked the object
file output and while a little code gets moved around, the size of
the binary remains identical.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c
@@ -607,7 +607,7 @@ static int brcmf_fws_hanger_pushpkt(stru
 	return 0;
 }
 
-static int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h,
+static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h,
 					  u32 slot_id, struct sk_buff **pktout,
 					  bool remove_item)
 {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 010/294] net: bcmgenet: fix off-by-one in incrementing read pointer
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 087/294] ixgbe: Initialize 64-bit stats seqcounts Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 030/294] usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL Ben Hutchings
                   ` (115 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Florian Fainelli, Petri Gynther, Jaedon Shin

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit cf377d886f7944a5ccdbd164b89949e13617b096 upstream.

Commit b629be5c8399d7c423b92135eb43a86c924d1cbc ("net: bcmgenet: check
harder for out of memory conditions") moved the increment of the local
read pointer *before* reading from the hardware descriptor using
dmadesc_get_length_status(), which creates an off-by-one situation.

Fix this by moving again the read_ptr increment after we have read the
hardware descriptor to get both the control block and the read pointer
back in sync.

Fixes: b629be5c8399 ("net: bcmgenet: check harder for out of memory conditions")
Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Petri Gynther <pgynther@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1354,11 +1354,6 @@ static unsigned int bcmgenet_desc_rx(str
 		cb = &priv->rx_cbs[priv->rx_read_ptr];
 		skb = cb->skb;
 
-		rxpktprocessed++;
-
-		priv->rx_read_ptr++;
-		priv->rx_read_ptr &= (priv->num_rx_bds - 1);
-
 		/* We do not have a backing SKB, so we do not have a
 		 * corresponding DMA mapping for this incoming packet since
 		 * bcmgenet_rx_refill always either has both skb and mapping or
@@ -1471,6 +1466,10 @@ refill:
 		err = bcmgenet_rx_refill(priv, cb);
 		if (err)
 			netif_err(priv, rx_err, dev, "Rx refill failed\n");
+
+		rxpktprocessed++;
+		priv->rx_read_ptr++;
+		priv->rx_read_ptr &= (priv->num_rx_bds - 1);
 	}
 
 	return rxpktprocessed;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 251/294] net: tulip: turn compile-time warning into dev_warn()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 238/294] mvsas: fix misleading indentation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 242/294] mtd: maps: rbtx4939-flash: delete an unused variable in rbtx4939_flash_remove Ben Hutchings
                   ` (180 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Grant Grundler, Arnd Bergmann, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit de92718883ddbcd11b738d36ffcf57617b97fa12 upstream.

The tulip driver causes annoying build-time warnings for allmodconfig
builds for all recent architectures:

dec/tulip/winbond-840.c:910:2: warning: #warning Processor architecture undefined
dec/tulip/tulip_core.c:101:2: warning: #warning Processor architecture undefined!

This is the last remaining warning for arm64, and I'd like to get rid of
it. We don't really know the cache line size, architecturally it would
be at least 16 bytes, but all implementations I found have 64 or 128
bytes. Configuring tulip for 32-byte lines as we do on ARM32 seems to
be the safe but slow default, and nobody who cares about performance these
days would use a tulip chip anyway, so we can just use that.

To save the next person the job of trying to find out what this is for
and picking a default for their architecture just to kill off the warning,
I'm now removing the preprocessor #warning and turning it into a pr_warn
or dev_warn that prints the equivalent information when the driver gets
loaded.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Grant Grundler <grundler@parisc-linux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/dec/tulip/tulip_core.c  | 9 +++++++--
 drivers/net/ethernet/dec/tulip/winbond-840.c | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/dec/tulip/tulip_core.c
+++ b/drivers/net/ethernet/dec/tulip/tulip_core.c
@@ -98,8 +98,7 @@ static int csr0 = 0x01A00000 | 0x4800;
 #elif defined(__mips__)
 static int csr0 = 0x00200000 | 0x4000;
 #else
-#warning Processor architecture undefined!
-static int csr0 = 0x00A00000 | 0x4800;
+static int csr0;
 #endif
 
 /* Operational parameters that usually are not changed. */
@@ -1982,6 +1981,12 @@ static int __init tulip_init (void)
 	pr_info("%s", version);
 #endif
 
+	if (!csr0) {
+		pr_warn("tulip: unknown CPU architecture, using default csr0\n");
+		/* default to 8 longword cache line alignment */
+		csr0 = 0x00A00000 | 0x4800;
+	}
+
 	/* copy module parms into globals */
 	tulip_rx_copybreak = rx_copybreak;
 	tulip_max_interrupt_work = max_interrupt_work;
--- a/drivers/net/ethernet/dec/tulip/winbond-840.c
+++ b/drivers/net/ethernet/dec/tulip/winbond-840.c
@@ -907,7 +907,7 @@ static void init_registers(struct net_de
 #elif defined(CONFIG_SPARC) || defined (CONFIG_PARISC)
 	i |= 0x4800;
 #else
-#warning Processor architecture undefined
+	dev_warn(&dev->dev, "unknown CPU architecture, using default csr0 setting\n");
 	i |= 0x4800;
 #endif
 	iowrite32(i, ioaddr + PCIBusCfg);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 229/294] tty: nozomi: avoid a harmless gcc warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 185/294] KEYS: prevent KEYCTL_READ on negative key Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 107/294] usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume Ben Hutchings
                   ` (213 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit a4f642a8a3c2838ad09fe8313d45db46600e1478 upstream.

The nozomi wireless data driver has its own helper function to
transfer data from a FIFO, doing an extra byte swap on big-endian
architectures, presumably to bring the data back into byte-serial
order after readw() or readl() perform their implicit byteswap.

This helper function is used in the receive_data() function to
first read the length into a 32-bit variable, which causes
a compile-time warning:

drivers/tty/nozomi.c: In function 'receive_data':
drivers/tty/nozomi.c:857:9: warning: 'size' may be used uninitialized in this function [-Wmaybe-uninitialized]

The problem is that gcc is unsure whether the data was actually
read or not. We know that it is at this point, so we can replace
it with a single readl() to shut up that warning.

I am leaving the byteswap in there, to preserve the existing
behavior, even though this seems fishy: Reading the length of
the data into a cpu-endian variable should normally not use
a second byteswap on big-endian systems, unless the hardware
is aware of the CPU endianess.

There appears to be a lot more confusion about endianess in this
driver, so it probably has not worked on big-endian systems in
a long time, if ever, and I have no way to test it. It's well
possible that this driver has not been used by anyone in a while,
the last patch that looks like it was tested on the hardware is
from 2008.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/nozomi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/nozomi.c
+++ b/drivers/tty/nozomi.c
@@ -823,7 +823,7 @@ static int receive_data(enum port_type i
 	struct tty_struct *tty = tty_port_tty_get(&port->port);
 	int i, ret;
 
-	read_mem32((u32 *) &size, addr, 4);
+	size = __le32_to_cpu(readl(addr));
 	/*  DBG1( "%d bytes port: %d", size, index); */
 
 	if (tty && test_bit(TTY_THROTTLED, &tty->flags)) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 282/294] MIPS: Fix the build on jz4740 after removing the custom gpio.h
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 269/294] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 002/294] iio: light: tsl2563: use correct event code Ben Hutchings
                   ` (112 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Walleij, Thomas Gleixner, Alban Bedel, Ralf Baechle,
	Lars-Peter Clausen, Arnd Bergmann, Paul Burton, Brian Norris,
	linux-mips

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alban Bedel <albeu@free.fr>

commit 5b235dc2647e4977b17b5c41d959d0f455831c3f upstream.

Somehow the wrong version of the patch to remove the use of custom
gpio.h on mips has been merged. This patch add the missing fixes for a
build error on jz4740 because linux/gpio.h doesn't provide any machine
specfics definitions anymore.

Signed-off-by: Alban Bedel <albeu@free.fr>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/11089/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/jz4740/board-qi_lb60.c | 1 +
 arch/mips/jz4740/gpio.c          | 1 +
 2 files changed, 2 insertions(+)

--- a/arch/mips/jz4740/board-qi_lb60.c
+++ b/arch/mips/jz4740/board-qi_lb60.c
@@ -25,6 +25,7 @@
 #include <linux/power/jz4740-battery.h>
 #include <linux/power/gpio-charger.h>
 
+#include <asm/mach-jz4740/gpio.h>
 #include <asm/mach-jz4740/jz4740_fb.h>
 #include <asm/mach-jz4740/jz4740_mmc.h>
 #include <asm/mach-jz4740/jz4740_nand.h>
--- a/arch/mips/jz4740/gpio.c
+++ b/arch/mips/jz4740/gpio.c
@@ -27,6 +27,7 @@
 #include <linux/seq_file.h>
 
 #include <asm/mach-jz4740/base.h>
+#include <asm/mach-jz4740/gpio.h>
 
 #include "irq.h"
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 230/294] tty/isicom: fix big-endian compile warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 003/294] iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 086/294] i40e: Initialize 64-bit statistics TX ring seqcount Ben Hutchings
                   ` (227 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit f3e2d56dce47dbd0bb3f69f84741b439542fef37 upstream.

Building an arm allmodconfig kernel triggers a lengthy but harmless
warning in the isicom driver:

drvers/tty/isicom.c: In function 'isicom_send_break':
uapi/linux/swab.h:13:15: warning: integer overflow in expression [-Woverflow]
  (((__u16)(x) & (__u16)0x00ffU) << 8) |   \
               ^
uapi/linux/swab.h:107:2: note: in expansion of macro '___constant_swab16'
  ___constant_swab16(x) :   \
  ^
uapi/linux/byteorder/big_endian.h:34:43: note: in expansion of macro '__swab16'
 #define __cpu_to_le16(x) ((__force __le16)__swab16((x)))
                                           ^
linux/byteorder/generic.h:89:21: note: in expansion of macro '__cpu_to_le16'
 #define cpu_to_le16 __cpu_to_le16
                     ^
include/asm/io.h:270:6: note: in expansion of macro 'cpu_to_le16'
      cpu_to_le16(v),__io(p)); })
      ^
drivers/tty/isicom.c:1058:2: note: in expansion of macro 'outw'
  outw((length & 0xff00), base);
  ^

Apparently, the problem is related to the fact that the value 0xff00,
when used as a 16-bit number, is negative and passed into bitwise
operands of the generic byte swapping code.

Marking the input argument as unsigned in both technically correct
and avoids the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/isicom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/isicom.c
+++ b/drivers/tty/isicom.c
@@ -1055,7 +1055,7 @@ static int isicom_send_break(struct tty_
 
 	outw(0x8000 | ((port->channel) << (card->shift_count)) | 0x3, base);
 	outw((length & 0xff) << 8 | 0x00, base);
-	outw((length & 0xff00), base);
+	outw((length & 0xff00u), base);
 	InterruptTheCard(base);
 
 	unlock_card(card);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 289/294] MIPS: jz4740: fix build error in irq.h
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 284/294] MIPS: elf2ecoff: Fix warning due to dead code Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 236/294] bfa: Fix indentation Ben Hutchings
                   ` (165 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Lars-Peter Clausen

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

kernelci found build error on the 3.16 and 3.18 stable trees that don't
show up in later versions:

arch/mips/jz4740/irq.h:21:38: error: 'struct irq_data' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
arch/mips/jz4740/irq.h:20:39: error: 'struct irq_data' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
include/linux/irqdesc.h:92:33: error: 'NR_IRQS' undeclared here (not in a function)
arch/mips/jz4740/irq.c:91:41: error: 'JZ4740_IRQ_BASE' undeclared (first use in this function)
arch/mips/jz4740/irq.c:68:6: error: conflicting types for 'jz4740_irq_resume'
arch/mips/jz4740/irq.c:62:6: error: conflicting types for 'jz4740_irq_suspend'
arch/mips/jz4740/irq.c:49:39: error: 'JZ4740_IRQ_BASE' undeclared (first use in this function)
arch/mips/jz4740/gpio.c:47:32: error: initializer element is not constant
arch/mips/jz4740/gpio.c:46:32: error: initializer element is not constant
arch/mips/jz4740/gpio.c:45:32: error: initializer element is not constant
arch/mips/jz4740/gpio.c:44:32: error: initializer element is not constant
arch/mips/jz4740/gpio.c:447:22: error: assignment from incompatible pointer type [-Werror=incompatible-pointer-types]
arch/mips/jz4740/gpio.c:446:23: error: assignment from incompatible pointer type [-Werror=incompatible-pointer-types]
arch/mips/jz4740/gpio.c:427:14: error: implicit declaration of function 'JZ4740_IRQ_INTC_GPIO' [-Werror=implicit-function-declaration]
arch/mips/jz4740/gpio.c:269:9: error: implicit declaration of function 'JZ4740_IRQ_GPIO' [-Werror=implicit-function-declaration]

The problem seems to be caused by commit 83bc76920080 ("MIPS: JZ4740: Use
generic irq chip") from linux-3.2, but only showed up in a defconfig
build when qi_lb60_defconfig was added in linux-3.13 and that configuration
never successfully built.

The code has changed in a number of ways before 4.4, which builds fine.
While I did not bisect the problem to a specific change, I found a simple
fix by including the obviously missing header.

Cc: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/jz4740/irq.h | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/mips/jz4740/irq.h
+++ b/arch/mips/jz4740/irq.h
@@ -16,7 +16,9 @@
 #define __MIPS_JZ4740_IRQ_H__
 
 #include <linux/irq.h>
+#include <asm/mach-jz4740/irq.h>
 
+struct irq_data;
 extern void jz4740_irq_suspend(struct irq_data *data);
 extern void jz4740_irq_resume(struct irq_data *data);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 283/294] MIPS: TXx9: Delete an unused variable in tx4927_pcibios_setup
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 213/294] iio: adc: fix building on 64-bit Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 160/294] l2tp: hold tunnel while handling genl TUNNEL_GET commands Ben Hutchings
                   ` (279 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Atsushi Nemoto, linux-mips, Ralf Baechle, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Atsushi Nemoto <anemo@mba.ocn.ne.jp>

commit 1bc2d3e38e5bf90af4e9d64e1696f2d39757355a upstream.

Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7216/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/pci/ops-tx4927.c | 2 --
 1 file changed, 2 deletions(-)

--- a/arch/mips/pci/ops-tx4927.c
+++ b/arch/mips/pci/ops-tx4927.c
@@ -199,8 +199,6 @@ static struct {
 
 char *tx4927_pcibios_setup(char *str)
 {
-	unsigned long val;
-
 	if (!strncmp(str, "trdyto=", 7)) {
 		u8 val = 0;
 		if (kstrtou8(str + 7, 0, &val) == 0)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 287/294] drbd: avoid redefinition of BITS_PER_PAGE
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 049/294] IB/cma: Fix reference count leak when no ipv4 addresses are set Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 195/294] USB: fix out-of-bounds in usb_set_configuration Ben Hutchings
                   ` (138 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jens Axboe, Arnd Bergmann, Lars Ellenberg, Philipp Reisner

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lars Ellenberg <lars.ellenberg@linbit.com>

commit 2630628b2dbc3fc320aafaf84836119e4e3d62f1 upstream.

Apparently we now implicitly get definitions for BITS_PER_PAGE and
BITS_PER_PAGE_MASK from the pid_namespace.h

Instead of renaming our defines, I chose to define only if not yet
defined, but to double check the value if already defined.

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/block/drbd/drbd_bitmap.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/block/drbd/drbd_bitmap.c
+++ b/drivers/block/drbd/drbd_bitmap.c
@@ -478,8 +478,14 @@ void drbd_bm_cleanup(struct drbd_device
  * this masks out the remaining bits.
  * Returns the number of bits cleared.
  */
+#ifndef BITS_PER_PAGE
 #define BITS_PER_PAGE		(1UL << (PAGE_SHIFT + 3))
 #define BITS_PER_PAGE_MASK	(BITS_PER_PAGE - 1)
+#else
+# if BITS_PER_PAGE != (1UL << (PAGE_SHIFT + 3))
+#  error "ambiguous BITS_PER_PAGE"
+# endif
+#endif
 #define BITS_PER_LONG_MASK	(BITS_PER_LONG - 1)
 static int bm_clear_surplus(struct drbd_bitmap *b)
 {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 285/294] staging: r8192ee: prorperly format  warning message
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (206 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 102/294] net: reduce skb_warn_bad_offload() noise Ben Hutchings
                   ` (87 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

In stable/linux-3.16.y, we get a warning for 64-bit architectures:

drivers/staging/rtl8192ee/pci.c: In function '_rtl_pci_rx_interrupt':
include/linux/kern_levels.h:4:18: warning: format '%d' expects argument of type 'int', but argument 2 has type 'sk_buff_data_t {aka unsigned char *}' [-Wformat=]
include/linux/kern_levels.h:4:18: warning: format '%d' expects argument of type 'int', but argument 3 has type 'sk_buff_data_t {aka unsigned char *}' [-Wformat=]

The driver was removed in 3.18 before this was fixed, so there is no
workaround to backport, but it's easy enough to avoid the problem
by changing the printk message to something similar that uses
proper accessors for the skb fields.

Fixes: 78de2c063710 ("staging: r8192ee: Add source files for core driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rtl8192ee/pci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/rtl8192ee/pci.c
+++ b/drivers/staging/rtl8192ee/pci.c
@@ -882,8 +882,8 @@ static void _rtl_pci_rx_interrupt(struct
 
 		} else {
 			if (err_count++ < 10) {
-				pr_info("skb->end (%d) - skb->tail (%d) > len (%d)\n",
-					skb->end, skb->tail, len);
+				pr_info("skb end: %d) - tailroom (%d) > len (%d)\n",
+					skb_end_offset(skb), skb_tailroom(skb), len);
 				RT_PRINT_DATA(rtlpriv, COMP_CMD, DBG_EMERG,
 					      "RX desc\n",
 					      (u8 *)pdesc, 32);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 209/294] module: fix types of device tables aliases
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 190/294] packet: hold bind lock when rebinding to fanout hook Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 135/294] tracing: Fix freeing of filter in create_filter() when set_str is false Ben Hutchings
                   ` (174 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, Pekka Enberg, Christoph Lameter,
	David Rientjes, Konstantin Khlebnikov, Sasha Levin,
	Andrey Konovalov, Joonsoo Kim, Konstantin Serebryany,
	H. Peter Anvin, Thomas Gleixner, Dmitry Chernenkov, Ingo Molnar,
	Andi Kleen, Arnd Bergmann, Greg Kroah-Hartman, Linus Torvalds,
	Yuri Gribov, Andrey Ryabinin, Dave Hansen

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <a.ryabinin@samsung.com>

commit 6301939d97d079f0d3dbe71e750f4daf5d39fc33 upstream.

MODULE_DEVICE_TABLE() macro used to create aliases to device tables.
Normally alias should have the same type as aliased symbol.

Device tables are arrays, so they have 'struct type##_device_id[x]'
types. Alias created by MODULE_DEVICE_TABLE() will have non-array type -
	'struct type##_device_id'.

This inconsistency confuses compiler, it could make a wrong assumption
about variable's size which leads KASan to produce a false positive report
about out of bounds access.

For every global variable compiler calls __asan_register_globals() passing
information about global variable (address, size, size with redzone, name
...) __asan_register_globals() poison symbols redzone to detect possible
out of bounds accesses.

When symbol has an alias __asan_register_globals() will be called as for
symbol so for alias.  Compiler determines size of variable by size of
variable's type.  Alias and symbol have the same address, so if alias have
the wrong size part of memory that actually belongs to the symbol could be
poisoned as redzone of alias symbol.

By fixing type of alias symbol we will fix size of it, so
__asan_register_globals() will not poison valid memory.

Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Konstantin Serebryany <kcc@google.com>
Cc: Dmitry Chernenkov <dmitryc@google.com>
Signed-off-by: Andrey Konovalov <adech.fo@gmail.com>
Cc: Yuri Gribov <tetra2005@gmail.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/module.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/module.h
+++ b/include/linux/module.h
@@ -135,7 +135,7 @@ void trim_init_extable(struct module *m)
 #ifdef MODULE
 /* Creates an alias so file2alias.c can find device table. */
 #define MODULE_DEVICE_TABLE(type, name)					\
-  extern const struct type##_device_id __mod_##type##__##name##_device_table \
+extern const typeof(name) __mod_##type##__##name##_device_table		\
   __attribute__ ((unused, alias(__stringify(name))))
 #else  /* !MODULE */
 #define MODULE_DEVICE_TABLE(type, name)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 284/294] MIPS: elf2ecoff: Fix warning due to dead code.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 094/294] IB/uverbs: Fix device cleanup Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 289/294] MIPS: jz4740: fix build error in irq.h Ben Hutchings
                   ` (166 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Ralf Baechle

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ralf@linux-mips.org>

commit 2d76e9633b572ae5a64150b638eed77f4afc12db upstream.

  HOSTCC  arch/mips/boot/elf2ecoff
arch/mips/boot/elf2ecoff.c: In function ‘main’:
arch/mips/boot/elf2ecoff.c:271:8: warning: variable ‘shstrtab’ set but not used [-Wunused-but-set-variable]
  char *shstrtab;

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/boot/elf2ecoff.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/arch/mips/boot/elf2ecoff.c
+++ b/arch/mips/boot/elf2ecoff.c
@@ -267,7 +267,6 @@ int main(int argc, char *argv[])
 	Elf32_Ehdr ex;
 	Elf32_Phdr *ph;
 	Elf32_Shdr *sh;
-	char *shstrtab;
 	int i, pad;
 	struct sect text, data, bss;
 	struct filehdr efh;
@@ -335,9 +334,6 @@ int main(int argc, char *argv[])
 				     "sh");
 	if (must_convert_endian)
 		convert_elf_shdrs(sh, ex.e_shnum);
-	/* Read in the section string table. */
-	shstrtab = saveRead(infile, sh[ex.e_shstrndx].sh_offset,
-			    sh[ex.e_shstrndx].sh_size, "shstrtab");
 
 	/* Figure out if we can cram the program header into an ECOFF
 	   header...  Basically, we can't handle anything but loadable

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 252/294] net: vxge: avoid unused function warnings
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (172 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 257/294] netfilter: Fix switch statement warnings with recent gcc Ben Hutchings
                   ` (121 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 57e7c8cef224af166b8ec932b5e383641418c005 upstream.

When CONFIG_PCI_MSI is disabled, we get warnings about unused functions
in the vxge driver:

drivers/net/ethernet/neterion/vxge/vxge-main.c:2121:13: warning: 'adaptive_coalesce_tx_interrupts' defined but not used [-Wunused-function]
drivers/net/ethernet/neterion/vxge/vxge-main.c:2149:13: warning: 'adaptive_coalesce_rx_interrupts' defined but not used [-Wunused-function]

We could add another #ifdef here, but it's nicer to avoid those warnings
for good by converting the existing #ifdef to if(IS_ENABLED()), which has
the same effect but provides better compile-time coverage in general,
and lets the compiler understand better when the function is intentionally
unused.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/neterion/vxge/vxge-main.c | 31 ++++++++++----------------
 1 file changed, 12 insertions(+), 19 deletions(-)

--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
+++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
@@ -2224,8 +2224,6 @@ static irqreturn_t vxge_isr_napi(int irq
 	return IRQ_NONE;
 }
 
-#ifdef CONFIG_PCI_MSI
-
 static irqreturn_t vxge_tx_msix_handle(int irq, void *dev_id)
 {
 	struct vxge_fifo *fifo = (struct vxge_fifo *)dev_id;
@@ -2443,16 +2441,13 @@ static void vxge_rem_msix_isr(struct vxg
 	if (vdev->config.intr_type == MSI_X)
 		pci_disable_msix(vdev->pdev);
 }
-#endif
 
 static void vxge_rem_isr(struct vxgedev *vdev)
 {
-#ifdef CONFIG_PCI_MSI
-	if (vdev->config.intr_type == MSI_X) {
+	if (IS_ENABLED(CONFIG_PCI_MSI) &&
+	    vdev->config.intr_type == MSI_X) {
 		vxge_rem_msix_isr(vdev);
-	} else
-#endif
-	if (vdev->config.intr_type == INTA) {
+	} else if (vdev->config.intr_type == INTA) {
 			synchronize_irq(vdev->pdev->irq);
 			free_irq(vdev->pdev->irq, vdev);
 	}
@@ -2461,11 +2456,10 @@ static void vxge_rem_isr(struct vxgedev
 static int vxge_add_isr(struct vxgedev *vdev)
 {
 	int ret = 0;
-#ifdef CONFIG_PCI_MSI
 	int vp_idx = 0, intr_idx = 0, intr_cnt = 0, msix_idx = 0, irq_req = 0;
 	int pci_fun = PCI_FUNC(vdev->pdev->devfn);
 
-	if (vdev->config.intr_type == MSI_X)
+	if (IS_ENABLED(CONFIG_PCI_MSI) && vdev->config.intr_type == MSI_X)
 		ret = vxge_enable_msix(vdev);
 
 	if (ret) {
@@ -2476,7 +2470,7 @@ static int vxge_add_isr(struct vxgedev *
 		vdev->config.intr_type = INTA;
 	}
 
-	if (vdev->config.intr_type == MSI_X) {
+	if (IS_ENABLED(CONFIG_PCI_MSI) && vdev->config.intr_type == MSI_X) {
 		for (intr_idx = 0;
 		     intr_idx < (vdev->no_of_vpath *
 			VXGE_HW_VPATH_MSIX_ACTIVE); intr_idx++) {
@@ -2577,9 +2571,8 @@ static int vxge_add_isr(struct vxgedev *
 		vdev->vxge_entries[intr_cnt].in_use = 1;
 		vdev->vxge_entries[intr_cnt].arg = &vdev->vpaths[0];
 	}
-INTA_MODE:
-#endif
 
+INTA_MODE:
 	if (vdev->config.intr_type == INTA) {
 		snprintf(vdev->desc[0], VXGE_INTR_STRLEN,
 			"%s:vxge:INTA", vdev->ndev->name);
@@ -3890,12 +3883,12 @@ static void vxge_device_config_init(stru
 	if (max_mac_vpath > VXGE_MAX_MAC_ADDR_COUNT)
 		max_mac_vpath = VXGE_MAX_MAC_ADDR_COUNT;
 
-#ifndef CONFIG_PCI_MSI
-	vxge_debug_init(VXGE_ERR,
-		"%s: This Kernel does not support "
-		"MSI-X. Defaulting to INTA", VXGE_DRIVER_NAME);
-	*intr_type = INTA;
-#endif
+	if (!IS_ENABLED(CONFIG_PCI_MSI)) {
+		vxge_debug_init(VXGE_ERR,
+			"%s: This Kernel does not support "
+			"MSI-X. Defaulting to INTA", VXGE_DRIVER_NAME);
+		*intr_type = INTA;
+	}
 
 	/* Configure whether MSI-X or IRQL. */
 	switch (*intr_type) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 288/294] perf: Avoid horrible stack usage
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 069/294] sctp: fix the check for _sctp_walk_params and _sctp_walk_errors Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 081/294] USB: serial: option: add D-Link DWM-222 device ID Ben Hutchings
                   ` (275 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steven Rostedt, Oleg Nesterov, Peter Zijlstra (Intel),
	Tom Zanussi, Paul Mackerras, Mathieu Desnoyers,
	Vaibhav Nagarnaik, Arnd Bergmann, Linus Torvalds, Petr Mladek,
	Javi Merino, Arnaldo Carvalho de Melo, Ingo Molnar

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Peter Zijlstra (Intel)" <peterz@infradead.org>

commit 86038c5ea81b519a8a1fcfcd5e4599aab0cdd119 upstream.

Both Linus (most recent) and Steve (a while ago) reported that perf
related callbacks have massive stack bloat.

The problem is that software events need a pt_regs in order to
properly report the event location and unwind stack. And because we
could not assume one was present we allocated one on stack and filled
it with minimal bits required for operation.

Now, pt_regs is quite large, so this is undesirable. Furthermore it
turns out that most sites actually have a pt_regs pointer available,
making this even more onerous, as the stack space is pointless waste.

This patch addresses the problem by observing that software events
have well defined nesting semantics, therefore we can use static
per-cpu storage instead of on-stack.

Linus made the further observation that all but the scheduler callers
of perf_sw_event() have a pt_regs available, so we change the regular
perf_sw_event() to require a valid pt_regs (where it used to be
optional) and add perf_sw_event_sched() for the scheduler.

We have a scheduler specific call instead of a more generic _noregs()
like construct because we can assume non-recursion from the scheduler
and thereby simplify the code further (_noregs would have to put the
recursion context call inline in order to assertain which __perf_regs
element to use).

One last note on the implementation of perf_trace_buf_prepare(); we
allow .regs = NULL for those cases where we already have a pt_regs
pointer available and do not need another.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Javi Merino <javi.merino@arm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Petr Mladek <pmladek@suse.cz>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Vaibhav Nagarnaik <vnagarnaik@google.com>
Link: http://lkml.kernel.org/r/20141216115041.GW3337@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/ftrace_event.h    |  2 +-
 include/linux/perf_event.h      | 28 +++++++++++++++++++++-------
 include/trace/ftrace.h          |  7 ++++---
 kernel/events/core.c            | 23 +++++++++++++++++------
 kernel/sched/core.c             |  2 +-
 kernel/trace/trace_event_perf.c |  4 +++-
 kernel/trace/trace_kprobe.c     |  4 ++--
 kernel/trace/trace_syscalls.c   |  4 ++--
 kernel/trace/trace_uprobe.c     |  2 +-
 9 files changed, 52 insertions(+), 24 deletions(-)

--- a/include/linux/ftrace_event.h
+++ b/include/linux/ftrace_event.h
@@ -621,7 +621,7 @@ extern int  ftrace_profile_set_filter(st
 				     char *filter_str);
 extern void ftrace_profile_free_filter(struct perf_event *event);
 extern void *perf_trace_buf_prepare(int size, unsigned short type,
-				    struct pt_regs *regs, int *rctxp);
+				    struct pt_regs **regs, int *rctxp);
 
 static inline void
 perf_trace_buf_submit(void *raw_data, int size, int rctx, u64 addr,
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -642,6 +642,7 @@ static inline int is_software_event(stru
 
 extern struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX];
 
+extern void ___perf_sw_event(u32, u64, struct pt_regs *, u64);
 extern void __perf_sw_event(u32, u64, struct pt_regs *, u64);
 
 #ifndef perf_arch_fetch_caller_regs
@@ -666,14 +667,25 @@ static inline void perf_fetch_caller_reg
 static __always_inline void
 perf_sw_event(u32 event_id, u64 nr, struct pt_regs *regs, u64 addr)
 {
-	struct pt_regs hot_regs;
+	if (static_key_false(&perf_swevent_enabled[event_id]))
+		__perf_sw_event(event_id, nr, regs, addr);
+}
+
+DECLARE_PER_CPU(struct pt_regs, __perf_regs[4]);
 
+/*
+ * 'Special' version for the scheduler, it hard assumes no recursion,
+ * which is guaranteed by us not actually scheduling inside other swevents
+ * because those disable preemption.
+ */
+static __always_inline void
+perf_sw_event_sched(u32 event_id, u64 nr, u64 addr)
+{
 	if (static_key_false(&perf_swevent_enabled[event_id])) {
-		if (!regs) {
-			perf_fetch_caller_regs(&hot_regs);
-			regs = &hot_regs;
-		}
-		__perf_sw_event(event_id, nr, regs, addr);
+		struct pt_regs *regs = this_cpu_ptr(&__perf_regs[0]);
+
+		perf_fetch_caller_regs(regs);
+		___perf_sw_event(event_id, nr, regs, addr);
 	}
 }
 
@@ -689,7 +701,7 @@ static inline void perf_event_task_sched
 static inline void perf_event_task_sched_out(struct task_struct *prev,
 					     struct task_struct *next)
 {
-	perf_sw_event(PERF_COUNT_SW_CONTEXT_SWITCHES, 1, NULL, 0);
+	perf_sw_event_sched(PERF_COUNT_SW_CONTEXT_SWITCHES, 1, 0);
 
 	if (static_key_false(&perf_sched_events.key))
 		__perf_event_task_sched_out(prev, next);
@@ -800,6 +812,8 @@ static inline int perf_event_refresh(str
 static inline void
 perf_sw_event(u32 event_id, u64 nr, struct pt_regs *regs, u64 addr)	{ }
 static inline void
+perf_sw_event_sched(u32 event_id, u64 nr, u64 addr)			{ }
+static inline void
 perf_bp_event(struct perf_event *event, void *data)			{ }
 
 static inline int perf_register_guest_info_callbacks
--- a/include/trace/ftrace.h
+++ b/include/trace/ftrace.h
@@ -765,7 +765,7 @@ perf_trace_##call(void *__data, proto)
 	struct ftrace_event_call *event_call = __data;			\
 	struct ftrace_data_offsets_##call __maybe_unused __data_offsets;\
 	struct ftrace_raw_##call *entry;				\
-	struct pt_regs __regs;						\
+	struct pt_regs *__regs;						\
 	u64 __addr = 0, __count = 1;					\
 	struct task_struct *__task = NULL;				\
 	struct hlist_head *head;					\
@@ -784,18 +784,19 @@ perf_trace_##call(void *__data, proto)
 			     sizeof(u64));				\
 	__entry_size -= sizeof(u32);					\
 									\
-	perf_fetch_caller_regs(&__regs);				\
 	entry = perf_trace_buf_prepare(__entry_size,			\
 			event_call->event.type, &__regs, &rctx);	\
 	if (!entry)							\
 		return;							\
 									\
+	perf_fetch_caller_regs(__regs);					\
+									\
 	tstruct								\
 									\
 	{ assign; }							\
 									\
 	perf_trace_buf_submit(entry, __entry_size, rctx, __addr,	\
-		__count, &__regs, head, __task);			\
+		__count, __regs, head, __task);				\
 }
 
 /*
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -5965,6 +5965,8 @@ end:
 	rcu_read_unlock();
 }
 
+DEFINE_PER_CPU(struct pt_regs, __perf_regs[4]);
+
 int perf_swevent_get_recursion_context(void)
 {
 	struct swevent_htable *swhash = &__get_cpu_var(swevent_htable);
@@ -5980,21 +5982,30 @@ inline void perf_swevent_put_recursion_c
 	put_recursion_context(swhash->recursion, rctx);
 }
 
-void __perf_sw_event(u32 event_id, u64 nr, struct pt_regs *regs, u64 addr)
+void ___perf_sw_event(u32 event_id, u64 nr, struct pt_regs *regs, u64 addr)
 {
 	struct perf_sample_data data;
-	int rctx;
 
-	preempt_disable_notrace();
-	rctx = perf_swevent_get_recursion_context();
-	if (rctx < 0)
+	if (WARN_ON_ONCE(!regs))
 		return;
 
 	perf_sample_data_init(&data, addr, 0);
-
 	do_perf_sw_event(PERF_TYPE_SOFTWARE, event_id, nr, &data, regs);
+}
+
+void __perf_sw_event(u32 event_id, u64 nr, struct pt_regs *regs, u64 addr)
+{
+	int rctx;
+
+	preempt_disable_notrace();
+	rctx = perf_swevent_get_recursion_context();
+	if (unlikely(rctx < 0))
+		goto fail;
+
+	___perf_sw_event(event_id, nr, regs, addr);
 
 	perf_swevent_put_recursion_context(rctx);
+fail:
 	preempt_enable_notrace();
 }
 
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1083,7 +1083,7 @@ void set_task_cpu(struct task_struct *p,
 		if (p->sched_class->migrate_task_rq)
 			p->sched_class->migrate_task_rq(p, new_cpu);
 		p->se.nr_migrations++;
-		perf_sw_event(PERF_COUNT_SW_CPU_MIGRATIONS, 1, NULL, 0);
+		perf_sw_event_sched(PERF_COUNT_SW_CPU_MIGRATIONS, 1, 0);
 
 		tmn.task = p;
 		tmn.from_cpu = task_cpu(p);
--- a/kernel/trace/trace_event_perf.c
+++ b/kernel/trace/trace_event_perf.c
@@ -249,7 +249,7 @@ void perf_trace_del(struct perf_event *p
 }
 
 void *perf_trace_buf_prepare(int size, unsigned short type,
-			     struct pt_regs *regs, int *rctxp)
+			     struct pt_regs **regs, int *rctxp)
 {
 	struct trace_entry *entry;
 	unsigned long flags;
@@ -268,6 +268,8 @@ void *perf_trace_buf_prepare(int size, u
 	if (*rctxp < 0)
 		return NULL;
 
+	if (regs)
+		*regs = this_cpu_ptr(&__perf_regs[*rctxp]);
 	raw_data = this_cpu_ptr(perf_trace_buf[*rctxp]);
 
 	/* zero the dead bytes from align to not leak stack to user */
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -1155,7 +1155,7 @@ kprobe_perf_func(struct trace_kprobe *tk
 	size = ALIGN(__size + sizeof(u32), sizeof(u64));
 	size -= sizeof(u32);
 
-	entry = perf_trace_buf_prepare(size, call->event.type, regs, &rctx);
+	entry = perf_trace_buf_prepare(size, call->event.type, NULL, &rctx);
 	if (!entry)
 		return;
 
@@ -1186,7 +1186,7 @@ kretprobe_perf_func(struct trace_kprobe
 	size = ALIGN(__size + sizeof(u32), sizeof(u64));
 	size -= sizeof(u32);
 
-	entry = perf_trace_buf_prepare(size, call->event.type, regs, &rctx);
+	entry = perf_trace_buf_prepare(size, call->event.type, NULL, &rctx);
 	if (!entry)
 		return;
 
--- a/kernel/trace/trace_syscalls.c
+++ b/kernel/trace/trace_syscalls.c
@@ -586,7 +586,7 @@ static void perf_syscall_enter(void *ign
 	size -= sizeof(u32);
 
 	rec = (struct syscall_trace_enter *)perf_trace_buf_prepare(size,
-				sys_data->enter_event->event.type, regs, &rctx);
+				sys_data->enter_event->event.type, NULL, &rctx);
 	if (!rec)
 		return;
 
@@ -659,7 +659,7 @@ static void perf_syscall_exit(void *igno
 	size -= sizeof(u32);
 
 	rec = (struct syscall_trace_exit *)perf_trace_buf_prepare(size,
-				sys_data->exit_event->event.type, regs, &rctx);
+				sys_data->exit_event->event.type, NULL, &rctx);
 	if (!rec)
 		return;
 
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -1116,7 +1116,7 @@ static void __uprobe_perf_func(struct tr
 	if (hlist_empty(head))
 		goto out;
 
-	entry = perf_trace_buf_prepare(size, call->event.type, regs, &rctx);
+	entry = perf_trace_buf_prepare(size, call->event.type, NULL, &rctx);
 	if (!entry)
 		goto out;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 291/294] net: ti: cpmac: Fix compiler warning due to type confusion
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 034/294] workqueue: restore WQ_UNBOUND/max_active==1 to be ordered Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 005/294] perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target Ben Hutchings
                   ` (20 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Paul Burton, Greg Kroah-Hartman, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 2f5281ba2a8feaf6f0aee93356f350855bb530fc upstream.

cpmac_start_xmit() used the max() macro on skb->len (an unsigned int)
and ETH_ZLEN (a signed int literal). This led to the following compiler
warning:

  In file included from include/linux/list.h:8:0,
                   from include/linux/module.h:9,
                   from drivers/net/ethernet/ti/cpmac.c:19:
  drivers/net/ethernet/ti/cpmac.c: In function 'cpmac_start_xmit':
  include/linux/kernel.h:748:17: warning: comparison of distinct pointer
  types lacks a cast
    (void) (&_max1 == &_max2);  \
                   ^
  drivers/net/ethernet/ti/cpmac.c:560:8: note: in expansion of macro 'max'
    len = max(skb->len, ETH_ZLEN);
          ^

On top of this, it assigned the result of the max() macro to a signed
integer whilst all further uses of it result in it being cast to varying
widths of unsigned integer.

Fix this up by using max_t to ensure the comparison is performed as
unsigned integers, and for consistency change the type of the len
variable to unsigned int.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ti/cpmac.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/ti/cpmac.c
+++ b/drivers/net/ethernet/ti/cpmac.c
@@ -543,7 +543,8 @@ fatal_error:
 
 static int cpmac_start_xmit(struct sk_buff *skb, struct net_device *dev)
 {
-	int queue, len;
+	int queue;
+	unsigned int len;
 	struct cpmac_desc *desc;
 	struct cpmac_priv *priv = netdev_priv(dev);
 
@@ -553,7 +554,7 @@ static int cpmac_start_xmit(struct sk_bu
 	if (unlikely(skb_padto(skb, ETH_ZLEN)))
 		return NETDEV_TX_OK;
 
-	len = max(skb->len, ETH_ZLEN);
+	len = max_t(unsigned int, skb->len, ETH_ZLEN);
 	queue = skb_get_queue_mapping(skb);
 	netif_stop_subqueue(dev, queue);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 269/294] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (180 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 030/294] usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 282/294] MIPS: Fix the build on jz4740 after removing the custom gpio.h Ben Hutchings
                   ` (113 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Vrabel, Juergen Gross, Linus Torvalds,
	Greg Kroah-Hartman, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 1cf38741308c64d08553602b3374fb39224eeb5a upstream.

xen_cleanhighmap() is operating on level2_kernel_pgt only. The upper
bound of the loop setting non-kernel-image entries to zero should not
exceed the size of level2_kernel_pgt.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/xen/mmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -1187,7 +1187,7 @@ static void __init xen_cleanhighmap(unsi
 
 	/* NOTE: The loop is more greedy than the cleanup_highmap variant.
 	 * We include the PMD passed in on _both_ boundaries. */
-	for (; vaddr <= vaddr_end && (pmd < (level2_kernel_pgt + PAGE_SIZE));
+	for (; vaddr <= vaddr_end && (pmd < (level2_kernel_pgt + PTRS_PER_PMD));
 			pmd++, vaddr += PMD_SIZE) {
 		if (pmd_none(*pmd))
 			continue;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 293/294] MIPS: Fix a warning for virt_to_page
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (256 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 058/294] IB/ipoib: Remove double pointer assigning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 188/294] ALSA: seq: Fix use-after-free at creating a port Ben Hutchings
                   ` (37 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-mips, Ralf Baechle, Zubair Lutfullah Kakakhel, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>

commit 4d5b3bdc0ecb0cf5b1e1598eeaaac4b5cb33868d upstream.

Compiling mm/highmem.c gives a warning: passing argument 1 of
'virt_to_phys' makes pointer from integer without a cast

Fixed by casting to void*

Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7337/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/page.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/mips/include/asm/page.h
+++ b/arch/mips/include/asm/page.h
@@ -223,7 +223,8 @@ static inline int pfn_valid(unsigned lon
 
 #endif
 
-#define virt_to_page(kaddr)	pfn_to_page(PFN_DOWN(virt_to_phys(kaddr)))
+#define virt_to_page(kaddr)	pfn_to_page(PFN_DOWN(virt_to_phys((void *)     \
+								  (kaddr))))
 
 extern int __virt_addr_valid(const volatile void *kaddr);
 #define virt_addr_valid(kaddr)						\

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 018/294] i2c: mux: pinctrl: mention correct module name in Kconfig help text
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (232 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 162/294] l2tp: hold tunnel used while creating sessions with netlink Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 210/294] mm/hugetlb: improve locking in dissolve_free_huge_pages() Ben Hutchings
                   ` (61 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Peter Rosin, Chris Gorman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Gorman <chrisjohgorman@gmail.com>

commit d1510a2e5ab6cb3a67f1c55ca5e7a6d2c6dec340 upstream.

Kconfig says the resulting module is pinctrl-i2cmux, but the module when
built is i2c-mux-pinctrl.

Fixes: ae58d1e40698 ("i2c: Add generic I2C multiplexer using pinctrl API")
Signed-off-by: Chris Gorman <chrisjohgorman@gmail.com>
Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/muxes/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/muxes/Kconfig
+++ b/drivers/i2c/muxes/Kconfig
@@ -58,6 +58,6 @@ config I2C_MUX_PINCTRL
 	  different sets of pins at run-time.
 
 	  This driver can also be built as a module. If so, the module will be
-	  called pinctrl-i2cmux.
+	  called i2c-mux-pinctrl.
 
 endmenu

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 259/294] drm/i915: cleanup some indenting
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 071/294] ARM: pxa: select both FB and FB_W100 for eseries Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 039/294] xhci: Fix NULL pointer dereference when cleaning up streams for removed host Ben Hutchings
                   ` (263 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Vetter, Greg Kroah-Hartman, Jani Nikula,
	Arnd Bergmann, Dan Carpenter

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit ba0635ffb7665d76715b43ae8144e014a90c1e63 upstream.

Static checkers complain that we should probably add curly braces
because, from the indenting, it looks like seq_printf() should be inside
the list_for_each_entry() loop.  But the code is actually correct, it's
just the indenting which is off.

Besides fixing the indenting on seq_printf(), I did add curly braces,
because generally mult-line indents should have curly braces to make
them more readable.

The unintended indent was left behind and not unindented in

commit d7f46fc4e7323887494db13f063a8e59861fefb0
Author: Ben Widawsky <benjamin.widawsky@intel.com>
Date:   Fri Dec 6 14:10:55 2013 -0800

    drm/i915: Make pin count per VMA
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/i915_debugfs.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -141,10 +141,11 @@ describe_obj(struct seq_file *m, struct
 		   obj->madv == I915_MADV_DONTNEED ? " purgeable" : "");
 	if (obj->base.name)
 		seq_printf(m, " (name: %d)", obj->base.name);
-	list_for_each_entry(vma, &obj->vma_list, vma_link)
+	list_for_each_entry(vma, &obj->vma_list, vma_link) {
 		if (vma->pin_count > 0)
 			pin_count++;
-		seq_printf(m, " (pinned x %d)", pin_count);
+	}
+	seq_printf(m, " (pinned x %d)", pin_count);
 	if (obj->pin_display)
 		seq_printf(m, " (display)");
 	if (obj->fence_reg != I915_FENCE_REG_NONE)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 271/294] ARM: cns3xxx: shut up frame size warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (235 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 080/294] xtensa: mm/cache: add missing EXPORT_SYMBOLs Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 221/294] ASoC: imx-audmux: Use uintptr_t for port numbers Ben Hutchings
                   ` (58 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

This shuts up a warning in the 3.18-stable series that has been fixed
in newer kernels with commit 498a92d42596 ("ARM: cns3xxx: pci: avoid
potential stack overflow"):

arch/arm/mach-cns3xxx/pcie.c: In function 'cns3xxx_pcie_hw_init':
arch/arm/mach-cns3xxx/pcie.c:313:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

The fix that went into v4.4 is known to be buggy and was later
fixed again with commit 88e9da9a2a70 ("CNS3xxx: Fix PCI
cns3xxx_write_config()"). While we could backport both to 3.18,
they are fairly invasive and the warning is definitely harmless
here as the call chain is known to not overflow the stack of the
init task.

This simply adds a Makefile flag to extend the limit for this one
file.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
We do want 88e9da9a2a70 ("CNS3xxx: Fix PCI cns3xxx_write_config()")
backported into v4.4 though.
---
 arch/arm/mach-cns3xxx/Makefile | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-cns3xxx/Makefile
+++ b/arch/arm/mach-cns3xxx/Makefile
@@ -2,4 +2,5 @@ obj-$(CONFIG_ARCH_CNS3XXX)		+= cns3xxx.o
 cns3xxx-y				+= core.o pm.o
 cns3xxx-$(CONFIG_ATAGS)			+= devices.o
 cns3xxx-$(CONFIG_PCI)			+= pcie.o
+CFLAGS_pcie.o				+= -Wframe-larger-than=1536 # override default 1024, this is safe here
 cns3xxx-$(CONFIG_MACH_CNS3420VB)	+= cns3420vb.o

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 258/294] netfilter; Add some missing default cases to switch statements in nft_reject.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 042/294] xhci: fix memleak in xhci_run() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 212/294] gfs2: remove IS_ERR_VALUE abuse Ben Hutchings
                   ` (109 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Arnd Bergmann, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <davem@davemloft.net>

commit 129d23a56623eea0947a05288158d76dc7f2f0ac upstream.

This fixes:

====================
net/netfilter/nft_reject.c: In function ‘nft_reject_dump’:
net/netfilter/nft_reject.c:61:2: warning: enumeration value ‘NFT_REJECT_TCP_RST’ not handled in switch [-Wswitch]
  switch (priv->type) {
  ^
net/netfilter/nft_reject.c:61:2: warning: enumeration value ‘NFT_REJECT_ICMPX_UNREACH’ not handled in switch [-Wswi\
tch]
net/netfilter/nft_reject_inet.c: In function ‘nft_reject_inet_dump’:
net/netfilter/nft_reject_inet.c:105:2: warning: enumeration value ‘NFT_REJECT_TCP_RST’ not handled in switch [-Wswi\
tch]
  switch (priv->type) {
  ^
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nft_reject.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -61,6 +61,8 @@ int nft_reject_dump(struct sk_buff *skb,
 		if (nla_put_u8(skb, NFTA_REJECT_ICMP_CODE, priv->icmp_code))
 			goto nla_put_failure;
 		break;
+	default:
+		break;
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 292/294] e1000e: fix call to do_div() to use u64 arg
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 099/294] s390/qeth: fix L3 next-hop in xmit qeth hdr Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 155/294] l2tp: initialise session's refcount before making it reachable Ben Hutchings
                   ` (223 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Aaron Brown, Jeff Kirsher, Arnd Bergmann, Yanir Lubetkin,
	Yanjiang Jin

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

commit 30544af5483755b11bb5924736e9e0b45ef0644a upstream.

We were using s64 for lat_ns (latency nano-second value) since in
our calculations a negative value could be a resultant.  For negative
values, we then assign lat_ns to be zero, so the value passed to
do_div() was never negative, but do_div() expects the argument type
to be u64, so do a cast to resolve a compile warning seen on
PowerPC.

CC: Yanjiang Jin <yanjiang.jin@windriver.com>
CC: Yanir Lubetkin <yanirx.lubetkin@intel.com>
Reported-by: Yanjiang Jin <yanjiang.jin@windriver.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/e1000e/ich8lan.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -984,7 +984,7 @@ static s32 e1000_platform_pm_pch_lpt(str
 		u16 max_snoop, max_nosnoop;
 		u16 max_ltr_enc;	/* max LTR latency encoded */
 		s64 lat_ns;	/* latency (ns) */
-		s64 value;
+		u64 value;
 		u32 rxa;
 
 		if (!hw->adapter->max_frame_size) {
@@ -1011,12 +1011,13 @@ static s32 e1000_platform_pm_pch_lpt(str
 		 */
 		lat_ns = ((s64)rxa * 1024 -
 			  (2 * (s64)hw->adapter->max_frame_size)) * 8 * 1000;
-		if (lat_ns < 0)
-			lat_ns = 0;
-		else
-			do_div(lat_ns, speed);
+		if (lat_ns < 0) {
+			value = 0;
+		} else {
+			value = lat_ns;
+			do_div(value, speed);
+		}
 
-		value = lat_ns;
 		while (value > PCI_LTR_VALUE_MASK) {
 			scale++;
 			value = DIV_ROUND_UP(value, (1 << 5));

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 276/294] ARM: 8296/1: cache-l2x0: clean up aurora cache handling
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 164/294] cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 103/294] net: skb_needs_check() accepts CHECKSUM_NONE for tx Ben Hutchings
                   ` (199 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Russell King, Thomas Petazzoni

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 20e783e39e55c2615fb61d1b3d139ee9edcf6772 upstream.

The aurora cache controller is the only remaining user of a couple
of functions in this file and are completely unused when that is
disabled, leading to build warnings:

arch/arm/mm/cache-l2x0.c:167:13: warning: 'l2x0_cache_sync' defined but not used [-Wunused-function]
arch/arm/mm/cache-l2x0.c:184:13: warning: 'l2x0_flush_all' defined but not used [-Wunused-function]
arch/arm/mm/cache-l2x0.c:194:13: warning: 'l2x0_disable' defined but not used [-Wunused-function]

With the knowledge that the code is now aurora-specific, we can
simplify it noticeably:

- The pl310 errata workarounds are not needed on aurora and can be removed
- As confirmed by Thomas Petazzoni from the data sheet, the cache_wait()
  macro is never needed.
- No need to hold the lock across atomic cache sync
- We can load the l2x0_base into a local variable across operations

There should be no functional change in this patch, but readability
and the generated object code improves, along with avoiding the
warnings.

 (on Armada 370 RD and Armada XP GP, boot tested, plus a little bit of
 DMA traffic by reading data from a SD card)

Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mm/cache-l2x0.c | 111 ++++++++++++++++-------------------------------
 1 file changed, 38 insertions(+), 73 deletions(-)

--- a/arch/arm/mm/cache-l2x0.c
+++ b/arch/arm/mm/cache-l2x0.c
@@ -135,73 +135,6 @@ static void l2c_disable(void)
 	dsb(st);
 }
 
-#ifdef CONFIG_CACHE_PL310
-static inline void cache_wait(void __iomem *reg, unsigned long mask)
-{
-	/* cache operations by line are atomic on PL310 */
-}
-#else
-#define cache_wait	l2c_wait_mask
-#endif
-
-static inline void cache_sync(void)
-{
-	void __iomem *base = l2x0_base;
-
-	writel_relaxed(0, base + sync_reg_offset);
-	cache_wait(base + L2X0_CACHE_SYNC, 1);
-}
-
-#if defined(CONFIG_PL310_ERRATA_588369) || defined(CONFIG_PL310_ERRATA_727915)
-static inline void debug_writel(unsigned long val)
-{
-	l2c_set_debug(l2x0_base, val);
-}
-#else
-/* Optimised out for non-errata case */
-static inline void debug_writel(unsigned long val)
-{
-}
-#endif
-
-static void l2x0_cache_sync(void)
-{
-	unsigned long flags;
-
-	raw_spin_lock_irqsave(&l2x0_lock, flags);
-	cache_sync();
-	raw_spin_unlock_irqrestore(&l2x0_lock, flags);
-}
-
-static void __l2x0_flush_all(void)
-{
-	debug_writel(0x03);
-	__l2c_op_way(l2x0_base + L2X0_CLEAN_INV_WAY);
-	cache_sync();
-	debug_writel(0x00);
-}
-
-static void l2x0_flush_all(void)
-{
-	unsigned long flags;
-
-	/* clean all ways */
-	raw_spin_lock_irqsave(&l2x0_lock, flags);
-	__l2x0_flush_all();
-	raw_spin_unlock_irqrestore(&l2x0_lock, flags);
-}
-
-static void l2x0_disable(void)
-{
-	unsigned long flags;
-
-	raw_spin_lock_irqsave(&l2x0_lock, flags);
-	__l2x0_flush_all();
-	l2c_write_sec(0, l2x0_base, L2X0_CTRL);
-	dsb(st);
-	raw_spin_unlock_irqrestore(&l2x0_lock, flags);
-}
-
 static void l2c_save(void __iomem *base)
 {
 	l2x0_saved_regs.aux_ctrl = readl_relaxed(l2x0_base + L2X0_AUX_CTRL);
@@ -1126,14 +1059,15 @@ static unsigned long calc_range_end(unsi
 static void aurora_pa_range(unsigned long start, unsigned long end,
 			unsigned long offset)
 {
+	void __iomem *base = l2x0_base;
 	unsigned long flags;
 
 	raw_spin_lock_irqsave(&l2x0_lock, flags);
-	writel_relaxed(start, l2x0_base + AURORA_RANGE_BASE_ADDR_REG);
-	writel_relaxed(end, l2x0_base + offset);
+	writel_relaxed(start, base + AURORA_RANGE_BASE_ADDR_REG);
+	writel_relaxed(end, base + offset);
 	raw_spin_unlock_irqrestore(&l2x0_lock, flags);
 
-	cache_sync();
+	writel_relaxed(0, base + AURORA_SYNC_REG);
 }
 
 static void aurora_inv_range(unsigned long start, unsigned long end)
@@ -1193,6 +1127,37 @@ static void aurora_flush_range(unsigned
 	}
 }
 
+static void aurora_flush_all(void)
+{
+	void __iomem *base = l2x0_base;
+	unsigned long flags;
+
+	/* clean all ways */
+	raw_spin_lock_irqsave(&l2x0_lock, flags);
+	__l2c_op_way(base + L2X0_CLEAN_INV_WAY);
+	raw_spin_unlock_irqrestore(&l2x0_lock, flags);
+
+	writel_relaxed(0, base + AURORA_SYNC_REG);
+}
+
+static void aurora_cache_sync(void)
+{
+	writel_relaxed(0, l2x0_base + AURORA_SYNC_REG);
+}
+
+static void aurora_disable(void)
+{
+	void __iomem *base = l2x0_base;
+	unsigned long flags;
+
+	raw_spin_lock_irqsave(&l2x0_lock, flags);
+	__l2c_op_way(base + L2X0_CLEAN_INV_WAY);
+	writel_relaxed(0, base + AURORA_SYNC_REG);
+	l2c_write_sec(0, base, L2X0_CTRL);
+	dsb(st);
+	raw_spin_unlock_irqrestore(&l2x0_lock, flags);
+}
+
 static void aurora_save(void __iomem *base)
 {
 	l2x0_saved_regs.ctrl = readl_relaxed(base + L2X0_CTRL);
@@ -1267,9 +1232,9 @@ static const struct l2c_init_data of_aur
 		.inv_range   = aurora_inv_range,
 		.clean_range = aurora_clean_range,
 		.flush_range = aurora_flush_range,
-		.flush_all   = l2x0_flush_all,
-		.disable     = l2x0_disable,
-		.sync        = l2x0_cache_sync,
+		.flush_all   = aurora_flush_all,
+		.disable     = aurora_disable,
+		.sync	     = aurora_cache_sync,
 		.resume      = aurora_resume,
 	},
 };

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 294/294] net/xen-netback: disable on 64KB page  granularity
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
@ 2017-11-06 23:03   ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
                     ` (294 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

Building the linux-3.16 stable branch, I ran into this warning that
shows a serious problem in the xen-netback driver:

drivers/net/xen-netback/netback.c: In function 'xenvif_dealloc_kthread':
drivers/net/xen-netback/netback.c:2002:1: error: the frame size of 16384 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]

The bug was fixed in linux-4.4, but for any older stable kernel we
either need to backport that fix, or not use the driver when the page
size is set to 64KB. As the proper fix is way bigger than the usual limit
for stable backport patches, this adds a Kconfig dependency.

Fixes: d0089e8a0e4c ("net/xen-netback: Make it running on 64KB page granularity")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/Kconfig | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -331,6 +331,9 @@ config XEN_NETDEV_FRONTEND
 config XEN_NETDEV_BACKEND
 	tristate "Xen backend network device"
 	depends on XEN_BACKEND
+	depends on !(PAGE_SIZE_64KB || ARM64_64K_PAGES || \
+		     IA64_PAGE_SIZE_64KB || MICROBLAZE_64K_PAGES || \
+		     PARISC_PAGE_SIZE_64KB || PPC_64K_PAGES)
 	help
 	  This driver allows the kernel to act as a Xen network driver
 	  domain which exports paravirtual network devices to other

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 263/294] staging: vt6655: fix overly large stack  usage
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (211 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 152/294] xfrm_user: fix info leak in build_aevent() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 031/294] usb: renesas_usbhs: gadget: disable all eps when the driver stops Ben Hutchings
                   ` (82 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

We get a warning for the large stack usage in some configurations:

drivers/staging/vt6655/device_main.c: In function 'device_ioctl':
drivers/staging/vt6655/device_main.c:2974:1: warning: the frame size of 1304 bytes is larger than 1024 bytes [-Wframe-larger-than=]

This is addressed in linux-3.19 with commit 67013f2c0e58 ("staging: vt6655:
mac80211 conversion add main mac80211 functions"), which obsoletes the
device_ioctl() function, but as that does not apply to stable kernels,
this picks an easier way out by using dynamic allocation.

The driver was merged in 2.6.31, and the fix applies to all versions
before 3.19.

Fixes: 5449c685a4b3 ("Staging: Add pristine upstream vt6655 driver sources")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/vt6655/device_main.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -2933,11 +2933,13 @@ static int  device_ioctl(struct net_devi
 		DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO " SIOCSIWSENS \n");
 		rc = -EOPNOTSUPP;
 		break;
-
 	case SIOCGIWAPLIST: {
-		char buffer[IW_MAX_AP * (sizeof(struct sockaddr) + sizeof(struct iw_quality))];
+		char *buffer = kzalloc(IW_MAX_AP * (sizeof(struct sockaddr) +
+				       sizeof(struct iw_quality)), GFP_KERNEL);
 
-		if (wrq->u.data.pointer) {
+		if (!buffer) {
+			rc = -ENOMEM;
+		} else if (wrq->u.data.pointer) {
 			rc = iwctl_giwaplist(dev, NULL, &(wrq->u.data), buffer);
 			if (rc == 0) {
 				if (copy_to_user(wrq->u.data.pointer,
@@ -2947,6 +2949,7 @@ static int  device_ioctl(struct net_devi
 					rc = -EFAULT;
 			}
 		}
+		kfree(buffer);
 	}
 	break;
 
@@ -2993,7 +2996,6 @@ static int  device_ioctl(struct net_devi
 		DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO " SIOCGIWGENIE \n");
 		rc = iwctl_giwgenie(dev, NULL, &(wrq->u.data), wrq->u.data.pointer);
 		break;
-
 	case SIOCSIWENCODEEXT: {
 		char extra[sizeof(struct iw_encode_ext)+MAX_KEY_LEN+1];
 		DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO " SIOCSIWENCODEEXT \n");

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 279/294] MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (188 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 181/294] epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 147/294] ipv6: Fix may be used uninitialized warning in rt6_check Ben Hutchings
                   ` (105 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Ralf Baechle, Maciej W. Rozycki

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit 68fe55680d0f3342969f49412fceabb90bdfadba upstream.

Fix a commit 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in
delay slots") regression and remove assembly errors:

arch/mips/dec/int-handler.S: Assembler messages:
arch/mips/dec/int-handler.S:162: Error: Macro used $at after ".set noat"
arch/mips/dec/int-handler.S:163: Error: Macro used $at after ".set noat"
arch/mips/dec/int-handler.S:229: Error: Macro used $at after ".set noat"
arch/mips/dec/int-handler.S:230: Error: Macro used $at after ".set noat"

triggering with with the CPU_DADDI_WORKAROUNDS option set and the DADDIU
instruction.  This is because with that option in place the instruction
becomes a macro, which expands to an LI/DADDU (or actually ADDIU/DADDU)
sequence that uses $at as a temporary register.

With CPU_DADDI_WORKAROUNDS we only support `-msym32' compilation though,
and this is already enforced in arch/mips/Makefile, so choose the 32-bit
expansion variant for the supported configurations and then replace the
64-bit variant with #error just in case.

Fixes: 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in delay slots")
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16893/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/dec/int-handler.S | 34 ++++++----------------------------
 1 file changed, 6 insertions(+), 28 deletions(-)

--- a/arch/mips/dec/int-handler.S
+++ b/arch/mips/dec/int-handler.S
@@ -147,23 +147,12 @@
 		 * Find irq with highest priority
 		 */
 		# open coded PTR_LA t1, cpu_mask_nr_tbl
-#if (_MIPS_SZPTR == 32)
+#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32)
 		# open coded la t1, cpu_mask_nr_tbl
 		lui	t1, %hi(cpu_mask_nr_tbl)
 		addiu	t1, %lo(cpu_mask_nr_tbl)
-
-#endif
-#if (_MIPS_SZPTR == 64)
-		# open coded dla t1, cpu_mask_nr_tbl
-		.set	push
-		.set	noat
-		lui	t1, %highest(cpu_mask_nr_tbl)
-		lui	AT, %hi(cpu_mask_nr_tbl)
-		daddiu	t1, t1, %higher(cpu_mask_nr_tbl)
-		daddiu	AT, AT, %lo(cpu_mask_nr_tbl)
-		dsll	t1, 32
-		daddu	t1, t1, AT
-		.set	pop
+#else
+#error GCC `-msym32' option required for 64-bit DECstation builds
 #endif
 1:		lw	t2,(t1)
 		nop
@@ -214,23 +203,12 @@
 		 * Find irq with highest priority
 		 */
 		# open coded PTR_LA t1,asic_mask_nr_tbl
-#if (_MIPS_SZPTR == 32)
+#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32)
 		# open coded la t1, asic_mask_nr_tbl
 		lui	t1, %hi(asic_mask_nr_tbl)
 		addiu	t1, %lo(asic_mask_nr_tbl)
-
-#endif
-#if (_MIPS_SZPTR == 64)
-		# open coded dla t1, asic_mask_nr_tbl
-		.set	push
-		.set	noat
-		lui	t1, %highest(asic_mask_nr_tbl)
-		lui	AT, %hi(asic_mask_nr_tbl)
-		daddiu	t1, t1, %higher(asic_mask_nr_tbl)
-		daddiu	AT, AT, %lo(asic_mask_nr_tbl)
-		dsll	t1, 32
-		daddu	t1, t1, AT
-		.set	pop
+#else
+#error GCC `-msym32' option required for 64-bit DECstation builds
 #endif
 2:		lw	t2,(t1)
 		nop

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 274/294] ARM: OMAP: Fix Kconfig warning for omap1
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 127/294] drm: Release driver tracking before making the object available again Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 066/294] iommu/amd: Fix schedule-while-atomic BUG in initialization code Ben Hutchings
                   ` (46 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Tony Lindgren, Andreas Ruprecht

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <tony@atomide.com>

commit 52aaac5ae52ad9a7016410ffeedbaf24b722f3a2 upstream.

Commit 21278aeafbfa ("ARM: use menuconfig for sub-arch menus") improved
the sub-arch menus, but accidentally caused new warnings for omap1.
This was because the commit added a menu entry around config ARCH_OMAP
bool entry where the menu had depends on ARCH_MULTI_V6 || ARCH_MULTI_V7.

As ARCH_OMAP is shared between omap1 and omap2plus, let's fix the
issue by defining ARCH_OMAP in the shared plat-omap/Kconfig.

Fixes: 21278aeafbfa ("ARM: use menuconfig for sub-arch menus")
Reported-by: Andreas Ruprecht <rupran@einserver.de>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap2/Kconfig | 3 ---
 arch/arm/plat-omap/Kconfig  | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm/mach-omap2/Kconfig
+++ b/arch/arm/mach-omap2/Kconfig
@@ -1,9 +1,6 @@
 menu "TI OMAP/AM/DM/DRA Family"
 	depends on ARCH_MULTI_V6 || ARCH_MULTI_V7
 
-config ARCH_OMAP
-	bool
-
 config ARCH_OMAP2
 	bool "TI OMAP2"
 	depends on ARCH_MULTI_V6
--- a/arch/arm/plat-omap/Kconfig
+++ b/arch/arm/plat-omap/Kconfig
@@ -1,3 +1,6 @@
+config ARCH_OMAP
+	bool
+
 if ARCH_OMAP
 
 menu "TI OMAP Common Features"

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 290/294] MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers.
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 097/294] iscsi-target: Fix iscsi_np reset hung task during parallel delete Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 179/294] sch_tbf: fix two null pointer dereferences on init failure Ben Hutchings
                   ` (150 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ralf@linux-mips.org>

commit 26f7c4bd05cf34e63a4a794150ab66a40a5a84a9 upstream.

These are generated by very recent toolchains and result in an error
message when attenpting to convert a kernel from ELF to ECOFF.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/boot/elf2ecoff.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/mips/boot/elf2ecoff.c
+++ b/arch/mips/boot/elf2ecoff.c
@@ -49,7 +49,8 @@
 /*
  * Some extra ELF definitions
  */
-#define PT_MIPS_REGINFO 0x70000000	/* Register usage information */
+#define PT_MIPS_REGINFO 	0x70000000	/* Register usage information */
+#define PT_MIPS_ABIFLAGS	0x70000003	/* Records ABI related flags  */
 
 /* -------------------------------------------------------------------- */
 
@@ -347,7 +348,8 @@ int main(int argc, char *argv[])
 		/* Section types we can ignore... */
 		if (ph[i].p_type == PT_NULL || ph[i].p_type == PT_NOTE ||
 		    ph[i].p_type == PT_PHDR
-		    || ph[i].p_type == PT_MIPS_REGINFO)
+		    || ph[i].p_type == PT_MIPS_REGINFO
+		    || ph[i].p_type == PT_MIPS_ABIFLAGS)
 			continue;
 		/* Section types we can't handle... */
 		else if (ph[i].p_type != PT_LOAD) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 262/294] staging: imx-drm: fix indentation warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (194 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 128/294] ALSA: core: Fix unexpected error at replacing user TLV Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 056/294] IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp Ben Hutchings
                   ` (99 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

gcc-6 produces a harmless warning:

drivers/staging/imx-drm/imx-hdmi.c: In function 'hdmi_config_AVI':
drivers/staging/imx-drm/imx-hdmi.c:967:2: error: this 'else' clause does not guard... [-Werror=misleading-indentation]

Commit d083c312cba2 ("drm: bridge/dw_hdmi: simplify hdmi_config_AVI() a little")
in linux-4.3 fixes this with a larger rewrite that is not applicable here.
After that rewrite, the variable that gets assigned here no longer exists.

The assignment is rather pointless here, as we just set a variable to zero
that is later added into another variable using a bitwise or operator, and
that has no effect, so I'm just changing the indentation here to shut up
the warning.

The driver was originally merged in linux-3.13, and the fix applies
to all versions between that and 4.2.

Fixes: 9aaf880ed4ee ("imx-drm: Add mx6 hdmi transmitter support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/imx-drm/imx-hdmi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/imx-drm/imx-hdmi.c
+++ b/drivers/staging/imx-drm/imx-hdmi.c
@@ -968,7 +968,7 @@ static void hdmi_config_AVI(struct imx_h
 	else
 		pix_fmt = HDMI_FC_AVICONF0_PIX_FMT_RGB;
 
-		under_scan =  HDMI_FC_AVICONF0_SCAN_INFO_NODATA;
+	under_scan =  HDMI_FC_AVICONF0_SCAN_INFO_NODATA;
 
 	/*
 	 * Active format identification data is present in the AVI InfoFrame.

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 272/294] ARM: 8221/1: PJ4: allow building in Thumb-2 mode
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 286/294] mtd: cfi: reduce stack size Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 115/294] ipv4: add reference counting to metrics Ben Hutchings
                   ` (206 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicolas Pitre, Ard Biesheuvel, Arnd Bergmann,
	Olof Johansson, Russell King

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 13d1b9575ac2c2da143cd2236b6cf0fc314570f8 upstream.

Two files that get included when building the multi_v7_defconfig target
fail to build when selecting THUMB2_KERNEL for this configuration.

In both cases, we can just build the file as ARM code, as none of its
symbols are exported to modules, so there are no interworking concerns.
In the iwmmxt.S case, add ENDPROC() declarations so the symbols are
annotated as functions, resulting in the linker to emit the appropriate
mode switches.

Acked-by: Nicolas Pitre <nico@linaro.org>
Tested-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/Makefile |  1 +
 arch/arm/kernel/iwmmxt.S | 13 +++++++++++++
 2 files changed, 14 insertions(+)

--- a/arch/arm/kernel/Makefile
+++ b/arch/arm/kernel/Makefile
@@ -84,6 +84,7 @@ obj-$(CONFIG_CPU_PJ4B)		+= pj4-cp0.o
 obj-$(CONFIG_IWMMXT)		+= iwmmxt.o
 obj-$(CONFIG_PERF_EVENTS)	+= perf_regs.o
 obj-$(CONFIG_HW_PERF_EVENTS)	+= perf_event.o perf_event_cpu.o
+CFLAGS_pj4-cp0.o		:= -marm
 AFLAGS_iwmmxt.o			:= -Wa,-mcpu=iwmmxt
 obj-$(CONFIG_ARM_CPU_TOPOLOGY)  += topology.o
 
--- a/arch/arm/kernel/iwmmxt.S
+++ b/arch/arm/kernel/iwmmxt.S
@@ -58,6 +58,7 @@
 #define MMX_SIZE		(0x98)
 
 	.text
+	.arm
 
 /*
  * Lazy switching of Concan coprocessor context
@@ -182,6 +183,8 @@ concan_load:
 	tmcr	wCon, r2
 	mov	pc, lr
 
+ENDPROC(iwmmxt_task_enable)
+
 /*
  * Back up Concan regs to save area and disable access to them
  * (mainly for gdb or sleep mode usage)
@@ -232,6 +235,8 @@ ENTRY(iwmmxt_task_disable)
 1:	msr	cpsr_c, ip			@ restore interrupt mode
 	ldmfd	sp!, {r4, pc}
 
+ENDPROC(iwmmxt_task_disable)
+
 /*
  * Copy Concan state to given memory address
  *
@@ -268,6 +273,8 @@ ENTRY(iwmmxt_task_copy)
 	msr	cpsr_c, ip			@ restore interrupt mode
 	mov	pc, r3
 
+ENDPROC(iwmmxt_task_copy)
+
 /*
  * Restore Concan state from given memory address
  *
@@ -304,6 +311,8 @@ ENTRY(iwmmxt_task_restore)
 	msr	cpsr_c, ip			@ restore interrupt mode
 	mov	pc, r3
 
+ENDPROC(iwmmxt_task_restore)
+
 /*
  * Concan handling on task switch
  *
@@ -335,6 +344,8 @@ ENTRY(iwmmxt_task_switch)
 	mrc	p15, 0, r1, c2, c0, 0
 	sub	pc, lr, r1, lsr #32		@ cpwait and return
 
+ENDPROC(iwmmxt_task_switch)
+
 /*
  * Remove Concan ownership of given task
  *
@@ -353,6 +364,8 @@ ENTRY(iwmmxt_task_release)
 	msr	cpsr_c, r2			@ restore interrupts
 	mov	pc, lr
 
+ENDPROC(iwmmxt_task_release)
+
 	.data
 concan_owner:
 	.word	0

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 270/294] x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (138 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 140/294] net: systemport: Free DMA coherent descriptors on errors Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 250/294] am2150: Update nmclan_cs.c to use update PCMCIA API Ben Hutchings
                   ` (155 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, H. Peter Anvin, Thomas Gleixner,
	Linus Torvalds, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ingo Molnar <mingo@kernel.org>

commit 927392d73a97d8d235bb65400e2e3c7f0bec2b6f upstream.

Linus reported the following new warning on x86 allmodconfig with GCC 5.1:

  > ./arch/x86/include/asm/spinlock.h: In function ‘arch_spin_lock’:
  > ./arch/x86/include/asm/spinlock.h:119:3: warning: implicit declaration
  > of function ‘__ticket_lock_spinning’ [-Wimplicit-function-declaration]
  >    __ticket_lock_spinning(lock, inc.tail);
  >    ^

This warning triggers because of these hacks in misc.h:

  /*
   * we have to be careful, because no indirections are allowed here, and
   * paravirt_ops is a kind of one. As it will only run in baremetal anyway,
   * we just keep it from happening
   */
  #undef CONFIG_PARAVIRT
  #undef CONFIG_KASAN

But these hacks were not updated when CONFIG_PARAVIRT_SPINLOCKS was added,
and eventually (with the introduction of queued paravirt spinlocks in
recent kernels) this created an invalid Kconfig combination and broke
the build.

So add a CONFIG_PARAVIRT_SPINLOCKS #undef line as well.

Also remove the _ASM_X86_DESC_H quirk: that undocumented quirk
was originally added ages ago, in:

  099e1377269a ("x86: use ELF format in compressed images.")

and I went back to that kernel (and fixed up the main Makefile
which didn't build anymore) and checked what failure it
avoided: it avoided an include file dependencies related
build failure related to our old x86-platforms code.

That old code is long gone, the header dependencies got cleaned
up, and the build does not fail anymore with the totality of
asm/desc.h included - so remove the quirk.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/boot/compressed/misc.h | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/arch/x86/boot/compressed/misc.h
+++ b/arch/x86/boot/compressed/misc.h
@@ -2,14 +2,13 @@
 #define BOOT_COMPRESSED_MISC_H
 
 /*
- * we have to be careful, because no indirections are allowed here, and
- * paravirt_ops is a kind of one. As it will only run in baremetal anyway,
- * we just keep it from happening
+ * Special hack: we have to be careful, because no indirections are allowed here,
+ * and paravirt_ops is a kind of one. As it will only run in baremetal anyway,
+ * we just keep it from happening. (This list needs to be extended when new
+ * paravirt and debugging variants are added.)
  */
 #undef CONFIG_PARAVIRT
-#ifdef CONFIG_X86_32
-#define _ASM_X86_DESC_H 1
-#endif
+#undef CONFIG_PARAVIRT_SPINLOCKS
 
 #include <linux/linkage.h>
 #include <linux/screen_info.h>

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 286/294] mtd: cfi: reduce stack size
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 054/294] perf/core: Fix locking for children siblings group read Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 272/294] ARM: 8221/1: PJ4: allow building in Thumb-2 mode Ben Hutchings
                   ` (207 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Brian Norris, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit d09957fbb4d0b059b3176b510540df69048ad170 upstream.

The cfi_staa_write_buffers function uses a large amount of kernel stack
whenever CONFIG_MTD_MAP_BANK_WIDTH_32 is set, and that results in a
warning on ARM allmodconfig builds:

drivers/mtd/chips/cfi_cmdset_0020.c: In function 'cfi_staa_write_buffers':
drivers/mtd/chips/cfi_cmdset_0020.c:651:1: warning: the frame size of 1208 bytes is larger than 1024 bytes [-Wframe-larger-than=]

It turns out that this is largely a result of a suboptimal implementation
of map_word_andequal(). Replacing this function with a straightforward
one reduces the stack size in this function by exactly 200 bytes,
shrinks the .text segment for this file from 27648 bytes to 26608 bytes,
and makes the warning go away.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/mtd/map.h | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/include/linux/mtd/map.h
+++ b/include/linux/mtd/map.h
@@ -317,7 +317,17 @@ static inline map_word map_word_or(struc
 	return r;
 }
 
-#define map_word_andequal(m, a, b, z) map_word_equal(m, z, map_word_and(m, a, b))
+static inline int map_word_andequal(struct map_info *map, map_word val1, map_word val2, map_word val3)
+{
+	int i;
+
+	for (i = 0; i < map_words(map); i++) {
+		if ((val1.x[i] & val2.x[i]) != val3.x[i])
+			return 0;
+	}
+
+	return 1;
+}
 
 static inline int map_word_bitsset(struct map_info *map, map_word val1, map_word val2)
 {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 264/294] Staging: iio: adc: fix indent on break statement
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 225/294] clk/efm32gg: fix dt init prototype Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 125/294] iio: imu: adis16480: Fix acceleration scale factor for adis16480 Ben Hutchings
                   ` (217 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jonathan Cameron, Greg Kroah-Hartman, Arnd Bergmann,
	Colin Ian King

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit b6acb0cfc21293a1bfc283e9217f58f7474ef728 upstream.

Fix indent warning when building with gcc 6:
drivers/staging/iio/adc/ad7192.c:239:4: warning: statement is indented
  as if it were guarded by... [-Wmisleading-indentation]

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/adc/ad7192.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -236,7 +236,7 @@ static int ad7192_setup(struct ad7192_st
 			st->mclk = pdata->ext_clk_Hz;
 		else
 			st->mclk = AD7192_INT_FREQ_MHz;
-			break;
+		break;
 	default:
 		ret = -EINVAL;
 		goto out;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 275/294] ARM: 8160/1: drop warning about return_address not using unwind tables
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 201/294] platform/x86: samsung-laptop: Initialize loca variable Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 146/294] ipv6: add rcu grace period before freeing fib6_node Ben Hutchings
                   ` (284 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Russell King, Uwe Kleine-König, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

commit e16343c47e4276f5ebc77ca16feb5e50ca1918f9 upstream.

The warning was introduced in 2009 (commit 4bf1fa5a34aa ([ARM] 5613/1:
implement CALLER_ADDRESSx)). The only "problem" here is that
CALLER_ADDRESSx for x > 1 returns NULL which doesn't do much harm.

The drawback of implementing a fix (i.e. use unwind tables to implement CALLER_ADDRESSx) is that much of the unwinder code would need to be marked as not
traceable.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/return_address.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/arch/arm/kernel/return_address.c
+++ b/arch/arm/kernel/return_address.c
@@ -59,10 +59,6 @@ void *return_address(unsigned int level)
 
 #else /* if defined(CONFIG_FRAME_POINTER) && !defined(CONFIG_ARM_UNWIND) */
 
-#if defined(CONFIG_ARM_UNWIND)
-#warning "TODO: return_address should use unwind tables"
-#endif
-
 void *return_address(unsigned int level)
 {
 	return NULL;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 268/294] staging: dgnc: Fix frame size is larger than 1024B
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 102/294] net: reduce skb_warn_bad_offload() noise Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 096/294] ext4: fix overflow caused by missing cast in ext4_resize_fs() Ben Hutchings
                   ` (85 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Konrad Zapalowicz, Arnd Bergmann, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Zapalowicz <bergo.torino@gmail.com>

commit ea6e9dea2e72a7abd146a2c5bab726b27f34b36c upstream.

This comit fixes the following sparse warnign:

drivers/staging/dgnc/dgnc_tty.c:572:1:
    warning: the frame size of 1060 bytes is larger than 1024 bytes
    [-Wframe-larger-than=]

This was caused by having buffer as an automatic variable. This commit
moves it from the stack to the heap.

Signed-off-by: Konrad Zapalowicz <bergo.torino@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/dgnc/dgnc_tty.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/staging/dgnc/dgnc_tty.c
+++ b/drivers/staging/dgnc/dgnc_tty.c
@@ -481,13 +481,18 @@ void dgnc_sniff_nowait_nolock(struct cha
 	int nbuf;
 	int i;
 	int tmpbuflen;
-	char tmpbuf[TMPBUFLEN];
-	char *p = tmpbuf;
+	char *tmpbuf;
+	char *p;
 	int too_much_data;
 
+	tmpbuf = kzalloc(TMPBUFLEN, GFP_KERNEL);
+	if (!tmpbuf)
+		return;
+	p = tmpbuf;
+
 	/* Leave if sniff not open */
 	if (!(ch->ch_sniff_flags & SNIFF_OPEN))
-		return;
+		goto exit;
 
 	do_gettimeofday(&tv);
 
@@ -534,7 +539,7 @@ void dgnc_sniff_nowait_nolock(struct cha
 			 * function was probably called by the interrupt/timer routines!
 			 */
 			if (n == 0)
-				return;
+				goto exit;
 
 			/*
 			 * Copy as much data as will fit.
@@ -579,6 +584,9 @@ void dgnc_sniff_nowait_nolock(struct cha
 		}
 
 	} while (too_much_data);
+
+exit:
+	kfree(tmpbuf);
 }
 
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 232/294] dm bufio: hide bogus warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (215 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 043/294] tracing: Fix kmemleak in instance_rmdir Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 143/294] perf/core: Fix group {cpu,task} validation Ben Hutchings
                   ` (78 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

mips-gcc-5.3 warns about correct code on linux-3.18 and earlier:

In file included from ../include/linux/blkdev.h:4:0,
                 from ../drivers/md/dm-bufio.h:12,
                 from ../drivers/md/dm-bufio.c:9:
../drivers/md/dm-bufio.c: In function 'alloc_buffer':
../include/linux/sched.h:1975:56: warning: 'noio_flag' may be used uninitialized in this function [-Wmaybe-uninitialized]
  current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags;
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
../drivers/md/dm-bufio.c:325:11: note: 'noio_flag' was declared here

The warning disappeared on later kernels with this commit: be0c37c985ed
("MIPS: Rearrange PTE bits into fixed positions.")  I assume this only
happened because it changed some inlining decisions.

On 3.18.y, we can shut up the warning by adding an extra initialization.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-bufio.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -349,6 +349,7 @@ static void *alloc_buffer_data(struct dm
 	 * as if GFP_NOIO was specified.
 	 */
 
+	noio_flag = 0;
 	if (gfp_mask & __GFP_NORETRY)
 		noio_flag = memalloc_noio_save();
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 267/294] Staging: wlan-ng: fix sparse warning in prism2fw.c
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 066/294] iommu/amd: Fix schedule-while-atomic BUG in initialization code Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 050/294] RDMA/uverbs: Fix the check for port number Ben Hutchings
                   ` (44 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, A Raghavendra Rao, Arnd Bergmann,
	A Raghavendra Rao

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: A Raghavendra Rao <raghav3276@gmail.com>

commit 41cb65c4854e14f12b1cbb8215e509d8ad4d0c88 upstream.

Fix the following sparse warning :

In file included from drivers/staging/wlan-ng/prism2usb.c:5:0:
drivers/staging/wlan-ng/prism2fw.c: In function
‘read_cardpda.constprop.43’:
drivers/staging/wlan-ng/prism2fw.c:792:1: warning: the frame size of
1068 bytes is larger than 1024 bytes [-Wframe-larger-than=]

The variable to 'struct p80211msg_p2req_readpda' was previously being created
on the stack, which inturn exeeded the frame size limit, resulting in a
sparse warning. This patch alloctes the memory to the structure dynamically
and the operations are left unchanged.

Signed-off-by: A Raghavendra Rao <arrao@cdac.in>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/wlan-ng/prism2fw.c | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

--- a/drivers/staging/wlan-ng/prism2fw.c
+++ b/drivers/staging/wlan-ng/prism2fw.c
@@ -763,30 +763,35 @@ static int plugimage(struct imgchunk *fc
 static int read_cardpda(struct pda *pda, wlandevice_t *wlandev)
 {
 	int result = 0;
-	struct p80211msg_p2req_readpda msg;
+	struct p80211msg_p2req_readpda *msg;
+
+	msg = kzalloc(sizeof(*msg), GFP_KERNEL);
+	if (!msg)
+		return -ENOMEM;
 
 	/* set up the msg */
-	msg.msgcode = DIDmsg_p2req_readpda;
-	msg.msglen = sizeof(msg);
-	strcpy(msg.devname, wlandev->name);
-	msg.pda.did = DIDmsg_p2req_readpda_pda;
-	msg.pda.len = HFA384x_PDA_LEN_MAX;
-	msg.pda.status = P80211ENUM_msgitem_status_no_value;
-	msg.resultcode.did = DIDmsg_p2req_readpda_resultcode;
-	msg.resultcode.len = sizeof(u32);
-	msg.resultcode.status = P80211ENUM_msgitem_status_no_value;
+	msg->msgcode = DIDmsg_p2req_readpda;
+	msg->msglen = sizeof(msg);
+	strcpy(msg->devname, wlandev->name);
+	msg->pda.did = DIDmsg_p2req_readpda_pda;
+	msg->pda.len = HFA384x_PDA_LEN_MAX;
+	msg->pda.status = P80211ENUM_msgitem_status_no_value;
+	msg->resultcode.did = DIDmsg_p2req_readpda_resultcode;
+	msg->resultcode.len = sizeof(u32);
+	msg->resultcode.status = P80211ENUM_msgitem_status_no_value;
 
-	if (prism2mgmt_readpda(wlandev, &msg) != 0) {
+	if (prism2mgmt_readpda(wlandev, msg) != 0) {
 		/* prism2mgmt_readpda prints an errno if appropriate */
 		result = -1;
-	} else if (msg.resultcode.data == P80211ENUM_resultcode_success) {
-		memcpy(pda->buf, msg.pda.data, HFA384x_PDA_LEN_MAX);
+	} else if (msg->resultcode.data == P80211ENUM_resultcode_success) {
+		memcpy(pda->buf, msg->pda.data, HFA384x_PDA_LEN_MAX);
 		result = mkpdrlist(pda);
 	} else {
 		/* resultcode must've been something other than success */
 		result = -1;
 	}
 
+	kfree(msg);
 	return result;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 237/294] be2iscsi: Fix bogus WARN_ON length check
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 249/294] net: am2150: fix nmclan_cs.c shared interrupt handling Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 176/294] sch_cbq: fix null pointer dereferences on init failure Ben Hutchings
                   ` (239 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Joel Stanley, Manoj Kumar,
	Jayamohan Kallickal, James E.J. Bottomley, Tim Gardner,
	Martin K. Petersen, Minh Tran, John Soni Jose

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tim Gardner <tim.gardner@canonical.com>

commit dd29dae00d39186890a5eaa2fe4ad8768bfd41a9 upstream.

drivers/scsi/be2iscsi/be_main.c: In function 'be_sgl_create_contiguous':
drivers/scsi/be2iscsi/be_main.c:3187:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
  WARN_ON(!length > 0);

gcc version 5.2.1

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Cc: Jayamohan Kallickal <jayamohan.kallickal@avagotech.com>
Cc: Minh Tran <minh.tran@avagotech.com>
Cc: John Soni Jose <sony.john-n@avagotech.com>
Cc: "James E.J. Bottomley" <JBottomley@odin.com>
Reported-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Manoj Kumar <manoj@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/be2iscsi/be_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -3152,7 +3152,7 @@ be_sgl_create_contiguous(void *virtual_a
 {
 	WARN_ON(!virtual_address);
 	WARN_ON(!physical_address);
-	WARN_ON(!length > 0);
+	WARN_ON(!length);
 	WARN_ON(!sgl);
 
 	sgl->va = virtual_address;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 202/294] mm/init: fix zone boundary creation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (277 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 068/294] sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 216/294] mfd: arizona: Rid data size incompatibility warn when building for 64bit Ben Hutchings
                   ` (16 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Greg Kroah-Hartman, Arnd Bergmann,
	Oliver O'Halloran, Paul Mackerras, Mel Gorman,
	Anton Blanchard, Benjamin Herrenschmidt

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver O'Halloran <oohall@gmail.com>

commit 90cae1fe1c3540f791d5b8e025985fa5e699b2bb upstream.

As a part of memory initialisation the architecture passes an array to
free_area_init_nodes() which specifies the max PFN of each memory zone.
This array is not necessarily monotonic (due to unused zones) so this
array is parsed to build monotonic lists of the min and max PFN for each
zone.  ZONE_MOVABLE is special cased here as its limits are managed by
the mm subsystem rather than the architecture.  Unfortunately, this
special casing is broken when ZONE_MOVABLE is the not the last zone in
the zone list.  The core of the issue is:

	if (i == ZONE_MOVABLE)
		continue;
	arch_zone_lowest_possible_pfn[i] =
		arch_zone_highest_possible_pfn[i-1];

As ZONE_MOVABLE is skipped the lowest_possible_pfn of the next zone will
be set to zero.  This patch fixes this bug by adding explicitly tracking
where the next zone should start rather than relying on the contents
arch_zone_highest_possible_pfn[].

Thie is low priority.  To get bitten by this you need to enable a zone
that appears after ZONE_MOVABLE in the zone_type enum.  As far as I can
tell this means running a kernel with ZONE_DEVICE or ZONE_CMA enabled,
so I can't see this affecting too many people.

I only noticed this because I've been fiddling with ZONE_DEVICE on
powerpc and 4.6 broke my test kernel.  This bug, in conjunction with the
changes in Taku Izumi's kernelcore=mirror patch (d91749c1dda71) and
powerpc being the odd architecture which initialises max_zone_pfn[] to
~0ul instead of 0 caused all of system memory to be placed into
ZONE_DEVICE at boot, followed a panic since device memory cannot be used
for kernel allocations.  I've already submitted a patch to fix the
powerpc specific bits, but I figured this should be fixed too.

Link: http://lkml.kernel.org/r/1462435033-15601-1-git-send-email-oohall@gmail.com
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Cc: Anton Blanchard <anton@samba.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/page_alloc.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -5335,15 +5335,18 @@ void __init free_area_init_nodes(unsigne
 				sizeof(arch_zone_lowest_possible_pfn));
 	memset(arch_zone_highest_possible_pfn, 0,
 				sizeof(arch_zone_highest_possible_pfn));
-	arch_zone_lowest_possible_pfn[0] = find_min_pfn_with_active_regions();
-	arch_zone_highest_possible_pfn[0] = max_zone_pfn[0];
-	for (i = 1; i < MAX_NR_ZONES; i++) {
+
+	start_pfn = find_min_pfn_with_active_regions();
+
+	for (i = 0; i < MAX_NR_ZONES; i++) {
 		if (i == ZONE_MOVABLE)
 			continue;
-		arch_zone_lowest_possible_pfn[i] =
-			arch_zone_highest_possible_pfn[i-1];
-		arch_zone_highest_possible_pfn[i] =
-			max(max_zone_pfn[i], arch_zone_lowest_possible_pfn[i]);
+
+		end_pfn = max(max_zone_pfn[i], start_pfn);
+		arch_zone_lowest_possible_pfn[i] = start_pfn;
+		arch_zone_highest_possible_pfn[i] = end_pfn;
+
+		start_pfn = end_pfn;
 	}
 	arch_zone_lowest_possible_pfn[ZONE_MOVABLE] = 0;
 	arch_zone_highest_possible_pfn[ZONE_MOVABLE] = 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 273/294] ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 019/294] USB: serial: cp210x: add support for Qivicon USB ZigBee dongle Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 197/294] HID: usbhid: fix out-of-bounds bug Ben Hutchings
                   ` (55 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicolas Pitre, Russell King, Ard Biesheuvel, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 5008efc83bf85b647aa1cbc44718b1675bbb7444 upstream.

The PJ4 inline asm sequence to write to cp15 cannot be built in Thumb-2
mode, due to the way it performs arithmetic on the program counter, so it
is built in ARM mode instead. However, building C files in ARM mode under
CONFIG_THUMB2_KERNEL is problematic, since the instrumentation performed
by subsystems like ftrace does not expect having to deal with interworking
branches.

Since the sequence in question is simply a poor man's ISB instruction,
let's use a straight 'isb' instead when building in Thumb2 mode. Thumb2
implies V7, so 'isb' should always be supported in that case.

Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/Makefile  | 1 -
 arch/arm/kernel/pj4-cp0.c | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/arch/arm/kernel/Makefile
+++ b/arch/arm/kernel/Makefile
@@ -84,7 +84,6 @@ obj-$(CONFIG_CPU_PJ4B)		+= pj4-cp0.o
 obj-$(CONFIG_IWMMXT)		+= iwmmxt.o
 obj-$(CONFIG_PERF_EVENTS)	+= perf_regs.o
 obj-$(CONFIG_HW_PERF_EVENTS)	+= perf_event.o perf_event_cpu.o
-CFLAGS_pj4-cp0.o		:= -marm
 AFLAGS_iwmmxt.o			:= -Wa,-mcpu=iwmmxt
 obj-$(CONFIG_ARM_CPU_TOPOLOGY)  += topology.o
 
--- a/arch/arm/kernel/pj4-cp0.c
+++ b/arch/arm/kernel/pj4-cp0.c
@@ -66,9 +66,13 @@ static void __init pj4_cp_access_write(u
 
 	__asm__ __volatile__ (
 		"mcr	p15, 0, %1, c1, c0, 2\n\t"
+#ifdef CONFIG_THUMB2_KERNEL
+		"isb\n\t"
+#else
 		"mrc	p15, 0, %0, c1, c0, 2\n\t"
 		"mov	%0, %0\n\t"
 		"sub	pc, pc, #4\n\t"
+#endif
 		: "=r" (temp) : "r" (value));
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 206/294] ethernet: amd: fix pci device ids
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 156/294] l2tp: define parameters of l2tp_session_get*() as "const" Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 071/294] ARM: pxa: select both FB and FB_W100 for eseries Ben Hutchings
                   ` (265 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Varka Bhadram, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Varka Bhadram <varkab@cdac.in>

commit ba69a3d78e4f51e65933a86b8b107c86709bb2f5 upstream.

Normally any device ids will be above the corresponding device driver
structure. This patch moves the pci device ids and MODULE_DEVICE_TABLE()
above the pci driver structure.

Signed-off-by: Varka Bhadram <varkab@cdac.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/amd/amd8111e.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/net/ethernet/amd/amd8111e.c
+++ b/drivers/net/ethernet/amd/amd8111e.c
@@ -101,7 +101,6 @@ Revision History:
 MODULE_AUTHOR("Advanced Micro Devices, Inc.");
 MODULE_DESCRIPTION ("AMD8111 based 10/100 Ethernet Controller. Driver Version "MODULE_VERS);
 MODULE_LICENSE("GPL");
-MODULE_DEVICE_TABLE(pci, amd8111e_pci_tbl);
 module_param_array(speed_duplex, int, NULL, 0);
 MODULE_PARM_DESC(speed_duplex, "Set device speed and duplex modes, 0: Auto Negotiate, 1: 10Mbps Half Duplex, 2: 10Mbps Full Duplex, 3: 100Mbps Half Duplex, 4: 100Mbps Full Duplex");
 module_param_array(coalesce, bool, NULL, 0);
@@ -109,13 +108,6 @@ MODULE_PARM_DESC(coalesce, "Enable or Di
 module_param_array(dynamic_ipg, bool, NULL, 0);
 MODULE_PARM_DESC(dynamic_ipg, "Enable or Disable dynamic IPG, 1: Enable, 0: Disable");
 
-static DEFINE_PCI_DEVICE_TABLE(amd8111e_pci_tbl) = {
-
-	{ PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD8111E_7462,
-	 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0UL },
-	{ 0, }
-
-};
 /*
 This function will read the PHY registers.
 */
@@ -1970,6 +1962,17 @@ err_disable_pdev:
 
 }
 
+static const struct pci_device_id amd8111e_pci_tbl[] = {
+	{
+	 .vendor = PCI_VENDOR_ID_AMD,
+	 .device = PCI_DEVICE_ID_AMD8111E_7462,
+	},
+	{
+	 .vendor = 0,
+	}
+};
+MODULE_DEVICE_TABLE(pci, amd8111e_pci_tbl);
+
 static struct pci_driver amd8111e_driver = {
 	.name   	= MODULE_NAME,
 	.id_table	= amd8111e_pci_tbl,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 231/294] i2o: hide unsafe ioctl on 64-bit
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 246/294] mISDN: avoid arch specific __builtin_return_address call Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 163/294] ipv6: fix sparse warning on rt6i_node Ben Hutchings
                   ` (183 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

We get a warning about a broken pointer conversion on 64-bit architectures:

drivers/message/i2o/i2o_config.c: In function 'i2o_cfg_passthru':
drivers/message/i2o/i2o_config.c:893:19: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         (p->virt, (void __user *)sg[i].addr_bus,
                   ^
drivers/message/i2o/i2o_config.c:953:10: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         ((void __user *)sg[j].addr_bus, sg_list[j].virt,
          ^

This has clearly never worked right, so we can add an #ifdef around the code.
The driver was moved to staging in linux-4.0 and finally removed in 4.2,
so upstream does not have a fix for it.

The driver originally got this mostly right, though probably by accident.

Fixes: f4c2c15b930b ("[PATCH] Convert i2o to compat_ioctl")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/message/i2o/i2o_config.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/message/i2o/i2o_config.c
+++ b/drivers/message/i2o/i2o_config.c
@@ -772,7 +772,7 @@ static long i2o_cfg_compat_ioctl(struct
 
 #endif
 
-#ifdef CONFIG_I2O_EXT_ADAPTEC
+#if defined(CONFIG_I2O_EXT_ADAPTEC) && !defined(CONFIG_64BIT)
 static int i2o_cfg_passthru(unsigned long arg)
 {
 	struct i2o_cmd_passthru __user *cmd =
@@ -1045,7 +1045,7 @@ static long i2o_cfg_ioctl(struct file *f
 		ret = i2o_cfg_evt_get(arg, fp);
 		break;
 
-#ifdef CONFIG_I2O_EXT_ADAPTEC
+#if defined(CONFIG_I2O_EXT_ADAPTEC) && !defined(CONFIG_64BIT)
 	case I2OPASSTHRU:
 		ret = i2o_cfg_passthru(arg);
 		break;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 235/294] scsi: advansys: remove #warning message
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 055/294] iwlwifi: dvm: prevent an out of bounds access Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 138/294] net: systemport: Be drop monitor friendly Ben Hutchings
                   ` (128 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Hannes Reinecke

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

The advansys driver was converted to the proper DMA API in linux-4.2, but
the 3.18-stable kernel still warns about this:

drivers/scsi/advansys.c:71:2: warning: #warning this driver is still not properly converted to the DMA API [-Wcpp]

The warning clearly is not helpful in 3.18 any more, it just clutters up
the build log. This removes the warning instead, and clarifies the
comment above it.

Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[bwh: Changed comment to say 3.16]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/advansys.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/scsi/advansys.c
+++ b/drivers/scsi/advansys.c
@@ -49,7 +49,7 @@
 #include <scsi/scsi.h>
 #include <scsi/scsi_host.h>
 
-/* FIXME:
+/* Fixed in linux-4.2, not backported to 3.16:
  *
  *  1. Although all of the necessary command mapping places have the
  *     appropriate dma_map.. APIs, the driver still processes its internal
@@ -68,7 +68,6 @@
  *  7. advansys_info is not safe against multiple simultaneous callers
  *  8. Add module_param to override ISA/VLB ioport array
  */
-#warning this driver is still not properly converted to the DMA API
 
 /* Enable driver /proc statistics. */
 #define ADVANSYS_STATS

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 254/294] hostap: avoid uninitialized variable use in hfa384x_get_rid
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (243 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 016/294] net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 130/294] arm64: mm: abort uaccess retries upon fatal signal Ben Hutchings
                   ` (50 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Kalle Valo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 48dc5fb3ba53b20418de8514700f63d88c5de3a3 upstream.

The driver reads a value from hfa384x_from_bap(), which may fail,
and then assigns the value to a local variable. gcc detects that
in in the failure case, the 'rlen' variable now contains
uninitialized data:

In file included from ../drivers/net/wireless/intersil/hostap/hostap_pci.c:220:0:
drivers/net/wireless/intersil/hostap/hostap_hw.c: In function 'hfa384x_get_rid':
drivers/net/wireless/intersil/hostap/hostap_hw.c:842:5: warning: 'rec' may be used uninitialized in this function [-Wmaybe-uninitialized]
  if (le16_to_cpu(rec.len) == 0) {

This restructures the function as suggested by Russell King, to
make it more readable and get more reliable error handling, by
handling each failure mode using a goto.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/hostap/hostap_hw.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/net/wireless/hostap/hostap_hw.c
+++ b/drivers/net/wireless/hostap/hostap_hw.c
@@ -836,25 +836,30 @@ static int hfa384x_get_rid(struct net_de
 	spin_lock_bh(&local->baplock);
 
 	res = hfa384x_setup_bap(dev, BAP0, rid, 0);
-	if (!res)
-		res = hfa384x_from_bap(dev, BAP0, &rec, sizeof(rec));
+	if (res)
+		goto unlock;
+
+	res = hfa384x_from_bap(dev, BAP0, &rec, sizeof(rec));
+	if (res)
+		goto unlock;
 
 	if (le16_to_cpu(rec.len) == 0) {
 		/* RID not available */
 		res = -ENODATA;
+		goto unlock;
 	}
 
 	rlen = (le16_to_cpu(rec.len) - 1) * 2;
-	if (!res && exact_len && rlen != len) {
+	if (exact_len && rlen != len) {
 		printk(KERN_DEBUG "%s: hfa384x_get_rid - RID len mismatch: "
 		       "rid=0x%04x, len=%d (expected %d)\n",
 		       dev->name, rid, rlen, len);
 		res = -ENODATA;
 	}
 
-	if (!res)
-		res = hfa384x_from_bap(dev, BAP0, buf, len);
+	res = hfa384x_from_bap(dev, BAP0, buf, len);
 
+unlock:
 	spin_unlock_bh(&local->baplock);
 	mutex_unlock(&local->rid_bap_mtx);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 236/294] bfa: Fix indentation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 289/294] MIPS: jz4740: fix build error in irq.h Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 026/294] drm/vmwgfx: Fix gcc-7.1.1 warning Ben Hutchings
                   ` (164 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ewan D. Milne, Arnd Bergmann, Anil Gurumurthy, James Bottomley

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anil Gurumurthy <anil.gurumurthy@qlogic.com>

commit b7f4d6343820af5c2dc3979e91d85e71e638cd3d upstream.

Signed-off-by: Anil Gurumurthy <anil.gurumurthy@qlogic.com>
Tested-by : Sudarasana Kalluru <sudarsana.kalluru@qlogic.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: James Bottomley <JBottomley@Odin.com>

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/bfa/bfa_ioc.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/drivers/scsi/bfa/bfa_ioc.c
+++ b/drivers/scsi/bfa/bfa_ioc.c
@@ -3665,19 +3665,19 @@ bfa_cb_sfp_state_query(struct bfa_sfp_s
 		if (sfp->state_query_cbfn)
 			sfp->state_query_cbfn(sfp->state_query_cbarg,
 					sfp->status);
-			sfp->media = NULL;
-		}
+		sfp->media = NULL;
+	}
 
-		if (sfp->portspeed) {
-			sfp->status = bfa_sfp_speed_valid(sfp, sfp->portspeed);
-			if (sfp->state_query_cbfn)
-				sfp->state_query_cbfn(sfp->state_query_cbarg,
-						sfp->status);
-				sfp->portspeed = BFA_PORT_SPEED_UNKNOWN;
-		}
+	if (sfp->portspeed) {
+		sfp->status = bfa_sfp_speed_valid(sfp, sfp->portspeed);
+		if (sfp->state_query_cbfn)
+			sfp->state_query_cbfn(sfp->state_query_cbarg,
+					sfp->status);
+		sfp->portspeed = BFA_PORT_SPEED_UNKNOWN;
+	}
 
-		sfp->state_query_lock = 0;
-		sfp->state_query_cbfn = NULL;
+	sfp->state_query_lock = 0;
+	sfp->state_query_cbfn = NULL;
 }
 
 /*

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 255/294] iwlegacy: avoid warning about missing braces
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 242/294] mtd: maps: rbtx4939-flash: delete an unused variable in rbtx4939_flash_remove Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 191/294] packet: in packet_do_bind, test fanout with bind_lock held Ben Hutchings
                   ` (178 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Arnd Bergmann, Stanislaw Gruszka, Kalle Valo

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 2cce76c3fab410520610a7d2f52faebc3cfcf843 upstream.

gcc-6 warns about code in il3945_hw_txq_ctx_free() being
somewhat ambiguous:

drivers/net/wireless/intel/iwlegacy/3945.c:1022:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses]

This adds a set of curly braces to avoid the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/iwlegacy/3945.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlegacy/3945.c
+++ b/drivers/net/wireless/iwlegacy/3945.c
@@ -1019,12 +1019,13 @@ il3945_hw_txq_ctx_free(struct il_priv *i
 	int txq_id;
 
 	/* Tx queues */
-	if (il->txq)
+	if (il->txq) {
 		for (txq_id = 0; txq_id < il->hw_params.max_txq_num; txq_id++)
 			if (txq_id == IL39_CMD_QUEUE_NUM)
 				il_cmd_queue_free(il);
 			else
 				il_tx_queue_free(il, txq_id);
+	}
 
 	/* free tx queue structure */
 	il_free_txq_mem(il);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 249/294] net: am2150: fix nmclan_cs.c shared interrupt handling
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 118/294] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 237/294] be2iscsi: Fix bogus WARN_ON length check Ben Hutchings
                   ` (240 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 96a30175f927facfb421655ef08b7a0fe546fbed upstream.

A recent patch tried to work around a valid warning for the use of a
deprecated interface by blindly changing from the old
pcmcia_request_exclusive_irq() interface to pcmcia_request_irq().

This driver has an interrupt handler that is not currently aware
of shared interrupts, but can be easily converted to be.
At the moment, the driver reads the interrupt status register
repeatedly until it contains only zeroes in the interesting bits,
and handles each bit individually.

This patch adds the missing part of returning IRQ_NONE in case none
of the bits are set to start with, so we can move on to the next
interrupt source.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 5f5316fcd08ef7 ("am2150: Update nmclan_cs.c to use update PCMCIA API")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/amd/nmclan_cs.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/amd/nmclan_cs.c
+++ b/drivers/net/ethernet/amd/nmclan_cs.c
@@ -952,6 +952,8 @@ static irqreturn_t mace_interrupt(int ir
   do {
     /* WARNING: MACE_IR is a READ/CLEAR port! */
     status = inb(ioaddr + AM2150_MACE_BASE + MACE_IR);
+    if (!(status & ~MACE_IMR_DEFAULT) && IntrCnt == MACE_MAX_IR_ITERATIONS)
+      return IRQ_NONE;
 
     pr_debug("mace_interrupt: irq 0x%X status 0x%X.\n", irq, status);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 261/294] staging: bcm: add 32-bit host dependency
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 060/294] kprobes/x86: Release insn_slot in failure path Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 170/294] CIFS: remove endian related sparse warning Ben Hutchings
                   ` (268 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

The driver uses a 32-bit variable to store a pointer, causing a couple of
warnings:

../drivers/staging/bcm/CmHost.c: In function 'StoreCmControlResponseMessage':
../drivers/staging/bcm/CmHost.c:1503:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
   (struct bcm_connect_mgr_params *) ntohl(
   ^
../drivers/staging/bcm/CmHost.c:1546:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
   (struct bcm_connect_mgr_params *) ntohl(
   ^
../drivers/staging/bcm/CmHost.c:1564:3: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
   (struct bcm_connect_mgr_params *) ntohl(

I fixed other warnings in an earlier commit 9f1c75ac2dba ("staging/bcm: fix most
build warnings"), but couldn't figure out what was the intended behavior on
64-bit machines here.

The driver was removed in linux-3.19, commit d09e9b160fc1 ("staging: bcm: remove
driver") which explains that it never worked on 64-bit machines. This adds
a Kconfig dependency instead to prevent it from being built in the known
broken configuration. This workaround applies to v2.6.37 or higher.

Fixes: f8942e07a3db ("staging: Beeceem USB Wimax driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/bcm/Kconfig | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/bcm/Kconfig
+++ b/drivers/staging/bcm/Kconfig
@@ -1,6 +1,7 @@
 config BCM_WIMAX
        tristate "Beceem BCS200/BCS220-3 and BCSM250 wimax support"
        depends on USB && NET
+	depends on !64BIT
        help
          This is an experimental driver for the Beceem WIMAX chipset used
 	 by Sprint 4G.

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 265/294] Staging: lustre: missing curly braces in ll_setattr_raw()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
@ 2017-11-06 23:03   ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
                     ` (294 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Carpenter, Greg Kroah-Hartman, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 53bd4a004ee5ff0f71a858de78faac98924b4a87 upstream.

>From the indenting, it looks like curly braces were intended here.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/lustre/lustre/llite/llite_lib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/lustre/lustre/llite/llite_lib.c
+++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
@@ -1489,7 +1489,7 @@ int ll_setattr_raw(struct dentry *dentry
 
 	if (attr->ia_valid & (ATTR_SIZE |
 			      ATTR_ATIME | ATTR_ATIME_SET |
-			      ATTR_MTIME | ATTR_MTIME_SET))
+			      ATTR_MTIME | ATTR_MTIME_SET)) {
 		/* For truncate and utimes sending attributes to OSTs, setting
 		 * mtime/atime to the past will be performed under PW [0:EOF]
 		 * extent lock (new_size:EOF for truncate).  It may seem
@@ -1501,6 +1501,7 @@ int ll_setattr_raw(struct dentry *dentry
 		rc = ll_setattr_ost(inode, attr);
 		if (attr->ia_valid & ATTR_SIZE)
 			up_write(&lli->lli_trunc_sem);
+	}
 out:
 	if (op_data) {
 		if (op_data->op_ioepoch) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 266/294] staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (281 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 077/294] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 240/294] aic94xx: Skip reading user settings if flash is not found Ben Hutchings
                   ` (12 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Luis de Bethencourt, Jes Sorensen, Arnd Bergmann,
	Greg Kroah-Hartman

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Luis de Bethencourt <luisbg@osg.samsung.com>

commit 8c182ae20791d638c07ff499709c4a1d4697bd7c upstream.

For loop is outside of the else branch of the above conditional statement.
Fixing misleading indentation.

Fix a smatch warning:
drivers/staging/rtl8723au/core/rtw_wlan_util.c:528
WMMOnAssocRsp23a() warn: curly braces intended?

Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Acked-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rtl8723au/core/rtw_wlan_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8723au/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723au/core/rtw_wlan_util.c
@@ -546,7 +546,7 @@ void WMMOnAssocRsp23a(struct rtw_adapter
 	else
 		aSifsTime = 16;
 
-		for (i = 0; i < 4; i++) {
+	for (i = 0; i < 4; i++) {
 		ACI = (pmlmeinfo->WMM_param.ac_param[i].ACI_AIFSN >> 5) & 0x03;
 		ACM = (pmlmeinfo->WMM_param.ac_param[i].ACI_AIFSN >> 4) & 0x01;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 234/294] ips: remove pointless #warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (269 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 036/294] x86/acpi: Prevent out of bound access caused by broken ACPI tables Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 011/294] net: bcmgenet: simplify __bcmgenet_tx_reclaim() Ben Hutchings
                   ` (24 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Bottomley, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Bottomley <JBottomley@Odin.com>

commit e03c2da6574223081b786960e39c1e5ecf5d492d upstream.

non-x86 builds want the #warning in the IPS code about compiling on the wrong
architecture removed because it keeps triggering on their platforms build
farms.  Transform from a compile time warning into a runtime one with taint to
preserve the original intent of the authors.

Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/ips.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/scsi/ips.c
+++ b/drivers/scsi/ips.c
@@ -206,10 +206,6 @@ module_param(ips, charp, 0);
 #define IPS_VERSION_HIGH        IPS_VER_MAJOR_STRING "." IPS_VER_MINOR_STRING
 #define IPS_VERSION_LOW         "." IPS_VER_BUILD_STRING " "
 
-#if !defined(__i386__) && !defined(__ia64__) && !defined(__x86_64__)
-#warning "This driver has only been tested on the x86/ia64/x86_64 platforms"
-#endif
-
 #define IPS_DMA_DIR(scb) ((!scb->scsi_cmd || ips_is_passthru(scb->scsi_cmd) || \
                          DMA_NONE == scb->scsi_cmd->sc_data_direction) ? \
                          PCI_DMA_BIDIRECTIONAL : \
@@ -6789,6 +6785,11 @@ ips_remove_device(struct pci_dev *pci_de
 static int __init
 ips_module_init(void)
 {
+#if !defined(__i386__) && !defined(__ia64__) && !defined(__x86_64__)
+	printk(KERN_ERR "ips: This driver has only been tested on the x86/ia64/x86_64 platforms\n");
+	add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK);
+#endif
+
 	if (pci_register_driver(&ips_pci_driver) < 0)
 		return -ENODEV;
 	ips_driver_template.module = THIS_MODULE;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 242/294] mtd: maps: rbtx4939-flash: delete an unused variable in rbtx4939_flash_remove
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 251/294] net: tulip: turn compile-time warning into dev_warn() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 255/294] iwlegacy: avoid warning about missing braces Ben Hutchings
                   ` (179 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Brian Norris, Atsushi Nemoto, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Atsushi Nemoto <anemo@mba.ocn.ne.jp>

commit e4c4c9c15ebe8ec03b7f5bf36e079052cc88217c upstream.

Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/maps/rbtx4939-flash.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/mtd/maps/rbtx4939-flash.c
+++ b/drivers/mtd/maps/rbtx4939-flash.c
@@ -35,8 +35,6 @@ static int rbtx4939_flash_remove(struct
 		return 0;
 
 	if (info->mtd) {
-		struct rbtx4939_flash_data *pdata = dev_get_platdata(&dev->dev);
-
 		mtd_device_unregister(info->mtd);
 		map_destroy(info->mtd);
 	}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 233/294] scsi-tgt: fix type conversion warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (230 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 182/294] cifs: check MaxPathNameComponentLength != 0 before using it Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 162/294] l2tp: hold tunnel used while creating sessions with netlink Ben Hutchings
                   ` (63 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

In 3.16-stable, we get this warning:

drivers/scsi/scsi_tgt_if.c:289:36: warning: passing argument 1 of 'virt_to_phys' makes pointer from integer without a cast [-Wint-conversion]

The driver was removed in 3.17, so the bug was never fixed, but the code
works correctly and is only lacking a cast to build cleanly on all architectures.

Fixes: 97f78759ea1c ("[SCSI] scsi tgt: scsi target user and kernel communication interface")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_tgt_if.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/scsi_tgt_if.c
+++ b/drivers/scsi/scsi_tgt_if.c
@@ -286,7 +286,7 @@ static int uspace_ring_map(struct vm_are
 	int i, err;
 
 	for (i = 0; i < TGT_RING_PAGES; i++) {
-		struct page *page = virt_to_page(ring->tr_pages[i]);
+		struct page *page = virt_to_page((void *)ring->tr_pages[i]);
 		err = vm_insert_page(vma, addr, page);
 		if (err)
 			return err;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 250/294] am2150: Update nmclan_cs.c to use update PCMCIA API
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (139 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 270/294] x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 166/294] alpha: uapi: Add support for __SANE_USERSPACE_TYPES__ Ben Hutchings
                   ` (154 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Roger Pao, Jeff Kirsher, David S. Miller, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

commit 5f5316fcd08ef74b282adf6774956431fac62663 upstream.

Resolves compile warning about use of a deprecated function call:
drivers/net/ethernet/amd/nmclan_cs.c: In function ‘nmclan_config’:
drivers/net/ethernet/amd/nmclan_cs.c:624:3: warning: ‘pcmcia_request_exclusive_irq’ is deprecated (declared at include/pcmcia/ds.h:213) [-Wdeprecated-declarations]
   ret = pcmcia_request_exclusive_irq(link, mace_interrupt);

Updates pcmcia_request_exclusive_irq() to pcmcia_request_irq().

CC: Roger Pao <rpao@paonet.org>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/amd/nmclan_cs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/amd/nmclan_cs.c
+++ b/drivers/net/ethernet/amd/nmclan_cs.c
@@ -621,7 +621,7 @@ static int nmclan_config(struct pcmcia_d
   ret = pcmcia_request_io(link);
   if (ret)
 	  goto failed;
-  ret = pcmcia_request_exclusive_irq(link, mace_interrupt);
+  ret = pcmcia_request_irq(link, mace_interrupt);
   if (ret)
 	  goto failed;
   ret = pcmcia_enable_device(link);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 240/294] aic94xx: Skip reading user settings if flash is not found
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 266/294] staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 022/294] libceph: potential NULL dereference in ceph_msg_data_create() Ben Hutchings
                   ` (11 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, James Bottomley, Hannes Reinecke

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Reinecke <hare@suse.de>

commit 36dd5acd196574d41de3e81d8264df475bbb7123 upstream.

If no user settings are found it's pointless trying to
read them from flash. So skip that step.
This also fixes a compilation warning about uninitialized variables in
aic94xx.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/aic94xx/aic94xx_sds.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/aic94xx/aic94xx_sds.c
+++ b/drivers/scsi/aic94xx/aic94xx_sds.c
@@ -983,7 +983,7 @@ static int asd_process_ctrl_a_user(struc
 {
 	int err, i;
 	u32 offs, size;
-	struct asd_ll_el *el;
+	struct asd_ll_el *el = NULL;
 	struct asd_ctrla_phy_settings *ps;
 	struct asd_ctrla_phy_settings dflt_ps;
 
@@ -1004,6 +1004,7 @@ static int asd_process_ctrl_a_user(struc
 
 		size = sizeof(struct asd_ctrla_phy_settings);
 		ps = &dflt_ps;
+		goto out_process;
 	}
 
 	if (size == 0)
@@ -1028,7 +1029,7 @@ static int asd_process_ctrl_a_user(struc
 		ASD_DPRINTK("couldn't find ctrla phy settings struct\n");
 		goto out2;
 	}
-
+out_process:
 	err = asd_process_ctrla_phy_settings(asd_ha, ps);
 	if (err) {
 		ASD_DPRINTK("couldn't process ctrla phy settings\n");

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 247/294] cpmac: remove hopeless #warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 067/294] powerpc/mm/hash: Free the subpage_prot_table correctly Ben Hutchings
                   ` (251 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit d43e6fb4ac4abfe4ef7c102833ed02330ad701e0 upstream.

The #warning was present 10 years ago when the driver first got merged.
As the platform is rather obsolete by now, it seems very unlikely that
the warning will cause anyone to fix the code properly.

kernelci.org reports the warning for every build in the meantime, so
I think it's better to just turn it into a code comment to reduce
noise.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ti/cpmac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/ti/cpmac.c
+++ b/drivers/net/ethernet/ti/cpmac.c
@@ -1226,7 +1226,7 @@ int cpmac_init(void)
 		goto fail_alloc;
 	}
 
-#warning FIXME: unhardcode gpio&reset bits
+	/* FIXME: unhardcode gpio&reset bits */
 	ar7_gpio_disable(26);
 	ar7_gpio_disable(27);
 	ar7_device_reset(AR7_RESET_BIT_CPMAC_LO);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 205/294] modpost: don't emit section mismatch warnings for compiler optimizations
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 203/294] Disable "frame-address" warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 208/294] Input: gscps2 - fix MODULE_DEVICE_TABLE invocation Ben Hutchings
                   ` (243 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paul Gortmaker, Rusty Russell, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 4a3893d069b788f3570c19c12d9e986e8e15870f upstream.

Currently an allyesconfig build [gcc-4.9.1] can generate the following:

   WARNING: vmlinux.o(.text.unlikely+0x3864): Section mismatch in
   reference from the function cpumask_empty.constprop.3() to the
   variable .init.data:nmi_ipi_mask

which comes from the cpumask_empty usage in arch/x86/kernel/nmi_selftest.c.

Normally we would not see a symbol entry for cpumask_empty since it is:

	static inline bool cpumask_empty(const struct cpumask *srcp)

however in this case, the variant of the symbol gets emitted when GCC does
constant propagation optimization.

Fix things up so that any locally optimized constprop variants don't warn
when accessing variables that live in the __init sections.

[arnd: adapted text_sections definition to 3.18]

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/mod/modpost.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -930,6 +930,10 @@ static const char *init_sections[] = { A
 static const char *init_exit_sections[] =
 	{ALL_INIT_SECTIONS, ALL_EXIT_SECTIONS, NULL };
 
+/* all text sections */
+static const char *const text_sections[] = { ALL_INIT_TEXT_SECTIONS,
+				ALL_EXIT_TEXT_SECTIONS, TEXT_SECTIONS, NULL };
+
 /* data section */
 static const char *data_sections[] = { DATA_SECTIONS, NULL };
 
@@ -948,6 +952,7 @@ static const char *data_sections[] = { D
 static const char *head_sections[] = { ".head.text*", NULL };
 static const char *linker_symbols[] =
 	{ "__init_begin", "_sinittext", "_einittext", NULL };
+static const char *const optim_symbols[] = { "*.constprop.*", NULL };
 
 enum mismatch {
 	TEXT_TO_ANY_INIT,
@@ -1105,6 +1110,17 @@ static const struct sectioncheck *sectio
  *   This pattern is identified by
  *   refsymname = __init_begin, _sinittext, _einittext
  *
+ * Pattern 5:
+ *   GCC may optimize static inlines when fed constant arg(s) resulting
+ *   in functions like cpumask_empty() -- generating an associated symbol
+ *   cpumask_empty.constprop.3 that appears in the audit.  If the const that
+ *   is passed in comes from __init, like say nmi_ipi_mask, we get a
+ *   meaningless section warning.  May need to add isra symbols too...
+ *   This pattern is identified by
+ *   tosec   = init section
+ *   fromsec = text section
+ *   refsymname = *.constprop.*
+ *
  **/
 static int secref_whitelist(const struct sectioncheck *mismatch,
 			    const char *fromsec, const char *fromsym,
@@ -1137,6 +1153,12 @@ static int secref_whitelist(const struct
 	if (match(tosym, linker_symbols))
 		return 0;
 
+	/* Check for pattern 5 */
+	if (match(fromsec, text_sections) &&
+	    match(tosec, init_sections) &&
+	    match(fromsym, optim_symbols))
+		return 0;
+
 	return 1;
 }
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 248/294] net: caif: fix misleading indentation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 012/294] net: bcmgenet: rewrite bcmgenet_rx_refill() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 192/294] ALSA: usb-audio: Kill stray URB at exiting Ben Hutchings
                   ` (196 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Greg Kroah-Hartman, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 8e0cc8c326d99e41468c96fea9785ab78883a281 upstream.

gcc points out code that is not indented the way it is
interpreted:

net/caif/cfpkt_skbuff.c: In function 'cfpkt_setlen':
net/caif/cfpkt_skbuff.c:289:4: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
    return cfpkt_getlen(pkt);
    ^~~~~~
net/caif/cfpkt_skbuff.c:286:3: note: ...this 'else' clause, but it is not
   else
   ^~~~

It is clear from the context that not returning here would be
a bug, as we'd end up passing a negative length into a function
that takes a u16 length, so it is not missing curly braces
here, and I'm assuming that the indentation is the only part
that's wrong about it.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/caif/cfpkt_skbuff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/caif/cfpkt_skbuff.c
+++ b/net/caif/cfpkt_skbuff.c
@@ -286,7 +286,7 @@ int cfpkt_setlen(struct cfpkt *pkt, u16
 		else
 			skb_trim(skb, len);
 
-			return cfpkt_getlen(pkt);
+		return cfpkt_getlen(pkt);
 	}
 
 	/* Need to expand SKB */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 243/294] xilinx: Fix compiler warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (167 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 138/294] net: systemport: Be drop monitor friendly Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 141/294] mtd: nandsim: remove debugfs entries in error path Ben Hutchings
                   ` (126 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Manuel Schölling, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Manuel Schölling <manuel.schoelling@gmx.de>

commit 9f8b93cb32e088d3377c86fabb666b884bac0f12 upstream.

The time comparsion functions require arguments of type unsigned long
instead of (signed) long.

Signed-off-by: Manuel Schölling <manuel.schoelling@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/xilinx/ll_temac_main.c       | 2 +-
 drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c | 2 +-
 drivers/net/ethernet/xilinx/xilinx_emaclite.c     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
+++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
@@ -72,7 +72,7 @@ void temac_iow(struct temac_local *lp, i
 
 int temac_indirect_busywait(struct temac_local *lp)
 {
-	long end = jiffies + 2;
+	unsigned long end = jiffies + 2;
 
 	while (!(temac_ior(lp, XTE_RDY0_OFFSET) & XTE_RDY0_HARD_ACS_RDY_MASK)) {
 		if (time_before_eq(end, jiffies)) {
--- a/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
+++ b/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
@@ -19,7 +19,7 @@
 /* Wait till MDIO interface is ready to accept a new transaction.*/
 int axienet_mdio_wait_until_ready(struct axienet_local *lp)
 {
-	long end = jiffies + 2;
+	unsigned long end = jiffies + 2;
 	while (!(axienet_ior(lp, XAE_MDIO_MCR_OFFSET) &
 		 XAE_MDIO_MCR_READY_MASK)) {
 		if (time_before_eq(end, jiffies)) {
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -707,7 +707,7 @@ static irqreturn_t xemaclite_interrupt(i
 
 static int xemaclite_mdio_wait(struct net_local *lp)
 {
-	long end = jiffies + 2;
+	unsigned long end = jiffies + 2;
 
 	/* wait for the MDIO interface to not be busy or timeout
 	   after some time.

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 246/294] mISDN: avoid arch specific __builtin_return_address call
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 199/294] ALSA: seq: Enable 'use' locking in all configurations Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 231/294] i2o: hide unsafe ioctl on 64-bit Ben Hutchings
                   ` (184 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 3e7a8716e20b759eec0ad88145255bb33174f0c8 upstream.

Not all architectures are able to call __builtin_return_address().
On ARM, the mISDN code produces this warning:

hardware/mISDN/w6692.c: In function 'w6692_dctrl':
hardware/mISDN/w6692.c:1181:75: warning: unsupported argument to '__builtin_return_address'
  pr_debug("%s: %s dev(%d) open from %p\n", card->name, __func__,
                                                                           ^
hardware/mISDN/mISDNipac.c: In function 'open_dchannel':
hardware/mISDN/mISDNipac.c:759:75: warning: unsupported argument to '__builtin_return_address'
  pr_debug("%s: %s dev(%d) open from %p\n", isac->name, __func__,
                                                                           ^

In a lot of cases, this is relatively easy to work around by
passing the value of __builtin_return_address(0) from the
callers into the functions that want it. One exception is
the indirect 'open' function call in struct isac_hw. While it
would be possible to fix this as well, this patch only addresses
the other callers properly and lets this one return the direct
parent function, which should be good enough.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/isdn/hardware/mISDN/mISDNipac.c | 12 +++++++++---
 drivers/isdn/hardware/mISDN/w6692.c     |  6 +++---
 2 files changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/isdn/hardware/mISDN/mISDNipac.c
+++ b/drivers/isdn/hardware/mISDN/mISDNipac.c
@@ -754,10 +754,10 @@ dbusy_timer_handler(struct isac_hw *isac
 }
 
 static int
-open_dchannel(struct isac_hw *isac, struct channel_req *rq)
+open_dchannel_caller(struct isac_hw *isac, struct channel_req *rq, void *caller)
 {
 	pr_debug("%s: %s dev(%d) open from %p\n", isac->name, __func__,
-		 isac->dch.dev.id, __builtin_return_address(1));
+		 isac->dch.dev.id, caller);
 	if (rq->protocol != ISDN_P_TE_S0)
 		return -EINVAL;
 	if (rq->adr.channel == 1)
@@ -771,6 +771,12 @@ open_dchannel(struct isac_hw *isac, stru
 	return 0;
 }
 
+static int
+open_dchannel(struct isac_hw *isac, struct channel_req *rq)
+{
+	return open_dchannel_caller(isac, rq, __builtin_return_address(0));
+}
+
 static const char *ISACVer[] =
 {"2086/2186 V1.1", "2085 B1", "2085 B2",
  "2085 V2.3"};
@@ -1547,7 +1553,7 @@ ipac_dctrl(struct mISDNchannel *ch, u32
 	case OPEN_CHANNEL:
 		rq = arg;
 		if (rq->protocol == ISDN_P_TE_S0)
-			err = open_dchannel(isac, rq);
+			err = open_dchannel_caller(isac, rq, __builtin_return_address(0));
 		else
 			err = open_bchannel(ipac, rq);
 		if (err)
--- a/drivers/isdn/hardware/mISDN/w6692.c
+++ b/drivers/isdn/hardware/mISDN/w6692.c
@@ -1176,10 +1176,10 @@ w6692_l1callback(struct dchannel *dch, u
 }
 
 static int
-open_dchannel(struct w6692_hw *card, struct channel_req *rq)
+open_dchannel(struct w6692_hw *card, struct channel_req *rq, void *caller)
 {
 	pr_debug("%s: %s dev(%d) open from %p\n", card->name, __func__,
-		 card->dch.dev.id, __builtin_return_address(1));
+		 card->dch.dev.id, caller);
 	if (rq->protocol != ISDN_P_TE_S0)
 		return -EINVAL;
 	if (rq->adr.channel == 1)
@@ -1207,7 +1207,7 @@ w6692_dctrl(struct mISDNchannel *ch, u32
 	case OPEN_CHANNEL:
 		rq = arg;
 		if (rq->protocol == ISDN_P_TE_S0)
-			err = open_dchannel(card, rq);
+			err = open_dchannel(card, rq, __builtin_return_address(0));
 		else
 			err = open_bchannel(card, rq);
 		if (err)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 131/294] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03   ` Ben Hutchings
                   ` (247 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Fainelli, David S. Miller, Petri Gynther

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit ae67bf0188cbb9d1786bdfcca9e1976cb36ee327 upstream.

There is no need to have both bcmgenet_xmit_single() and
bcmgenet_xmit_frag() perform a free_bds decrement and a prod_index
increment by one. In case one of these functions fails to map a SKB or
fragment for transmit, we will return and exit bcmgenet_xmit() with an
error.

We can therefore safely use our local copy of nr_frags to know by how
much we should decrement the number of free buffers available, and by
how much the producer count must be incremented and do this in the tail
of bcmgenet_xmit().

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Petri Gynther <pgynther@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1071,11 +1071,6 @@ static int bcmgenet_xmit_single(struct n
 
 	dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping, length_status);
 
-	/* Decrement total BD count and advance our write pointer */
-	ring->free_bds -= 1;
-	ring->prod_index += 1;
-	ring->prod_index &= DMA_P_INDEX_MASK;
-
 	return 0;
 }
 
@@ -1113,11 +1108,6 @@ static int bcmgenet_xmit_frag(struct net
 			(frag->size << DMA_BUFLENGTH_SHIFT) | dma_desc_flags |
 			(priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT));
 
-
-	ring->free_bds -= 1;
-	ring->prod_index += 1;
-	ring->prod_index &= DMA_P_INDEX_MASK;
-
 	return 0;
 }
 
@@ -1258,9 +1248,11 @@ static netdev_tx_t bcmgenet_xmit(struct
 
 	skb_tx_timestamp(skb);
 
-	/* we kept a software copy of how much we should advance the TDMA
-	 * producer index, now write it down to the hardware
-	 */
+	/* Decrement total BD count and advance our write pointer */
+	ring->free_bds -= nr_frags + 1;
+	ring->prod_index += nr_frags + 1;
+	ring->prod_index &= DMA_P_INDEX_MASK;
+
 	bcmgenet_tdma_ring_writel(priv, ring->index,
 			ring->prod_index, TDMA_PROD_INDEX);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 017/294] net: bcmgenet: Free skb after last Tx frag
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 116/294] ipv4: fix NULL dereference in free_fib_info_rcu() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 025/294] ASoC: do not close shared backend dailink Ben Hutchings
                   ` (72 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Doug Berger

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Berger <opendmb@gmail.com>

commit f48bed16a756f5bc0244acd581f61968f7d7c2a4 upstream.

Since the skb is attached to the first control block of a fragmented
skb it is possible that the skb could be freed when reclaiming that
control block before all fragments of the skb have been consumed by
the hardware and unmapped.

This commit introduces first_cb and last_cb pointers to the skb
control block used by the driver to keep track of which transmit
control blocks within a transmit ring are the first and last ones
associated with the skb.

It then splits the bcmgenet_free_cb() function into transmit
(bcmgenet_free_tx_cb) and receive (bcmgenet_free_rx_cb) versions
that can handle the unmapping of dma mapped memory and cleaning up
the corresponding control block structure so that the skb is only
freed after the last associated transmit control block is reclaimed.

Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 142 ++++++++++++++-----------
 drivers/net/ethernet/broadcom/genet/bcmgenet.h |   2 +
 2 files changed, 84 insertions(+), 60 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -917,14 +917,6 @@ static struct enet_cb *bcmgenet_put_txcb
 	return tx_cb_ptr;
 }
 
-/* Simple helper to free a control block's resources */
-static void bcmgenet_free_cb(struct enet_cb *cb)
-{
-	dev_kfree_skb_any(cb->skb);
-	cb->skb = NULL;
-	dma_unmap_addr_set(cb, dma_addr, 0);
-}
-
 static inline void bcmgenet_tx_ring16_int_disable(struct bcmgenet_priv *priv,
 						  struct bcmgenet_tx_ring *ring)
 {
@@ -957,19 +949,73 @@ static inline void bcmgenet_tx_ring_int_
 	priv->int1_mask |= (1 << ring->index);
 }
 
+/* Simple helper to free a transmit control block's resources
+ * Returns an skb when the last transmit control block associated with the
+ * skb is freed.  The skb should be freed by the caller if necessary.
+ */
+static struct sk_buff *bcmgenet_free_tx_cb(struct device *dev,
+					   struct enet_cb *cb)
+{
+	struct sk_buff *skb;
+
+	skb = cb->skb;
+
+	if (skb) {
+		cb->skb = NULL;
+		if (cb == GENET_CB(skb)->first_cb)
+			dma_unmap_single(dev, dma_unmap_addr(cb, dma_addr),
+					 dma_unmap_len(cb, dma_len),
+					 DMA_TO_DEVICE);
+		else
+			dma_unmap_page(dev, dma_unmap_addr(cb, dma_addr),
+				       dma_unmap_len(cb, dma_len),
+				       DMA_TO_DEVICE);
+		dma_unmap_addr_set(cb, dma_addr, 0);
+
+		if (cb == GENET_CB(skb)->last_cb)
+			return skb;
+
+	} else if (dma_unmap_addr(cb, dma_addr)) {
+		dma_unmap_page(dev,
+			       dma_unmap_addr(cb, dma_addr),
+			       dma_unmap_len(cb, dma_len),
+			       DMA_TO_DEVICE);
+		dma_unmap_addr_set(cb, dma_addr, 0);
+	}
+
+	return 0;
+}
+
+/* Simple helper to free a receive control block's resources */
+static struct sk_buff *bcmgenet_free_rx_cb(struct device *dev,
+					   struct enet_cb *cb)
+{
+	struct sk_buff *skb;
+
+	skb = cb->skb;
+	cb->skb = NULL;
+
+	if (dma_unmap_addr(cb, dma_addr)) {
+		dma_unmap_single(dev, dma_unmap_addr(cb, dma_addr),
+				 dma_unmap_len(cb, dma_len), DMA_FROM_DEVICE);
+		dma_unmap_addr_set(cb, dma_addr, 0);
+	}
+
+	return skb;
+}
+
 /* Unlocked version of the reclaim routine */
 static void __bcmgenet_tx_reclaim(struct net_device *dev,
 				struct bcmgenet_tx_ring *ring)
 {
 	struct bcmgenet_priv *priv = netdev_priv(dev);
-	struct device *kdev = &priv->pdev->dev;
-	struct enet_cb *tx_cb_ptr;
 	struct netdev_queue *txq;
-	unsigned int pkts_compl = 0;
+	unsigned int txbds_processed = 0;
 	unsigned int bytes_compl = 0;
-	unsigned int c_index;
+	unsigned int pkts_compl = 0;
 	unsigned int txbds_ready;
-	unsigned int txbds_processed = 0;
+	unsigned int c_index;
+	struct sk_buff *skb;
 
 	/* Compute how many buffers are transmited since last xmit call */
 	c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX);
@@ -986,21 +1032,12 @@ static void __bcmgenet_tx_reclaim(struct
 
 	/* Reclaim transmitted buffers */
 	while (txbds_processed < txbds_ready) {
-		tx_cb_ptr = &priv->tx_cbs[ring->clean_ptr];
-		if (tx_cb_ptr->skb) {
+		skb = bcmgenet_free_tx_cb(&priv->pdev->dev,
+					  &priv->tx_cbs[ring->clean_ptr]);
+		if (skb) {
 			pkts_compl++;
-			bytes_compl += GENET_CB(tx_cb_ptr->skb)->bytes_sent;
-			dma_unmap_single(kdev,
-					dma_unmap_addr(tx_cb_ptr, dma_addr),
-					dma_unmap_len(tx_cb_ptr, dma_len),
-					DMA_TO_DEVICE);
-			bcmgenet_free_cb(tx_cb_ptr);
-		} else if (dma_unmap_addr(tx_cb_ptr, dma_addr)) {
-			dma_unmap_page(kdev,
-					dma_unmap_addr(tx_cb_ptr, dma_addr),
-					dma_unmap_len(tx_cb_ptr, dma_len),
-					DMA_TO_DEVICE);
-			dma_unmap_addr_set(tx_cb_ptr, dma_addr, 0);
+			bytes_compl += GENET_CB(skb)->bytes_sent;
+			dev_kfree_skb_any(skb);
 		}
 
 		txbds_processed++;
@@ -1178,13 +1215,12 @@ static netdev_tx_t bcmgenet_xmit(struct
 
 		if (!i) {
 			/* Transmit single SKB or head of fragment list */
-			tx_cb_ptr->skb = skb;
+			GENET_CB(skb)->first_cb = tx_cb_ptr;
 			size = skb_headlen(skb);
 			mapping = dma_map_single(kdev, skb->data, size,
 						 DMA_TO_DEVICE);
 		} else {
 			/* xmit fragment */
-			tx_cb_ptr->skb = NULL;
 			frag = &skb_shinfo(skb)->frags[i - 1];
 			size = skb_frag_size(frag);
 			mapping = skb_frag_dma_map(kdev, frag, 0, size,
@@ -1200,6 +1236,8 @@ static netdev_tx_t bcmgenet_xmit(struct
 		dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
 		dma_unmap_len_set(tx_cb_ptr, dma_len, size);
 
+		tx_cb_ptr->skb = skb;
+
 		len_stat = (size << DMA_BUFLENGTH_SHIFT) |
 			   (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT);
 
@@ -1214,6 +1252,7 @@ static netdev_tx_t bcmgenet_xmit(struct
 		dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping, len_stat);
 	}
 
+	GENET_CB(skb)->last_cb = tx_cb_ptr;
 	skb_tx_timestamp(skb);
 
 	/* Decrement total BD count and advance our write pointer */
@@ -1241,18 +1280,7 @@ out_unmap_frags:
 	/* Unmap successfully mapped control blocks */
 	while (i-- > 0) {
 		tx_cb_ptr = bcmgenet_put_txcb(priv, ring);
-		if (tx_cb_ptr->skb)
-			dma_unmap_single(kdev,
-					 dma_unmap_addr(tx_cb_ptr, dma_addr),
-					 dma_unmap_len(tx_cb_ptr, dma_len),
-					 DMA_TO_DEVICE);
-		else
-			dma_unmap_page(kdev,
-				       dma_unmap_addr(tx_cb_ptr, dma_addr),
-				       dma_unmap_len(tx_cb_ptr, dma_len),
-				       DMA_TO_DEVICE);
-		dma_unmap_addr_set(tx_cb_ptr, dma_addr, 0);
-		tx_cb_ptr->skb = NULL;
+		bcmgenet_free_tx_cb(kdev, tx_cb_ptr);
 	}
 
 	dev_kfree_skb(skb);
@@ -1287,14 +1315,12 @@ static struct sk_buff *bcmgenet_rx_refil
 	}
 
 	/* Grab the current Rx skb from the ring and DMA-unmap it */
-	rx_skb = cb->skb;
-	if (likely(rx_skb))
-		dma_unmap_single(kdev, dma_unmap_addr(cb, dma_addr),
-				 priv->rx_buf_len, DMA_FROM_DEVICE);
+	rx_skb = bcmgenet_free_rx_cb(kdev, cb);
 
 	/* Put the new Rx skb on the ring */
 	cb->skb = skb;
 	dma_unmap_addr_set(cb, dma_addr, mapping);
+	dma_unmap_len_set(cb, dma_len, priv->rx_buf_len);
 	/* assign packet, prepare descriptor, and advance pointer */
 
 	dmadesc_set_addr(priv, priv->rx_bd_assign_ptr, mapping);
@@ -1470,22 +1496,16 @@ static int bcmgenet_alloc_rx_buffers(str
 
 static void bcmgenet_free_rx_buffers(struct bcmgenet_priv *priv)
 {
-	struct device *kdev = &priv->pdev->dev;
+	struct sk_buff *skb;
 	struct enet_cb *cb;
 	int i;
 
 	for (i = 0; i < priv->num_rx_bds; i++) {
 		cb = &priv->rx_cbs[i];
 
-		if (dma_unmap_addr(cb, dma_addr)) {
-			dma_unmap_single(kdev,
-					dma_unmap_addr(cb, dma_addr),
-					priv->rx_buf_len, DMA_FROM_DEVICE);
-			dma_unmap_addr_set(cb, dma_addr, 0);
-		}
-
-		if (cb->skb)
-			bcmgenet_free_cb(cb);
+		skb = bcmgenet_free_rx_cb(&priv->pdev->dev, cb);
+		if (skb)
+			dev_kfree_skb_any(skb);
 	}
 }
 
@@ -1762,6 +1782,8 @@ static void bcmgenet_init_multiq(struct
 
 static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
 {
+	struct sk_buff *skb;
+	struct enet_cb *cb;
 	int i;
 
 	/* disable DMA */
@@ -1769,10 +1791,10 @@ static void bcmgenet_fini_dma(struct bcm
 	bcmgenet_tdma_writel(priv, 0, DMA_CTRL);
 
 	for (i = 0; i < priv->num_tx_bds; i++) {
-		if (priv->tx_cbs[i].skb != NULL) {
-			dev_kfree_skb(priv->tx_cbs[i].skb);
-			priv->tx_cbs[i].skb = NULL;
-		}
+		cb = priv->tx_cbs + i;
+		skb = bcmgenet_free_tx_cb(&priv->pdev->dev, cb);
+		if (skb)
+			dev_kfree_skb(skb);
 	}
 
 	bcmgenet_free_rx_buffers(priv);
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -505,6 +505,8 @@ struct bcmgenet_hw_params {
 };
 
 struct bcmgenet_skb_cb {
+	struct enet_cb *first_cb;	/* First control block of SKB */
+	struct enet_cb *last_cb;	/* Last control block of SKB */
 	unsigned int bytes_sent;	/* bytes on the wire (no TSB) */
 };
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 032/294] netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 247/294] cpmac: remove hopeless #warning Ben Hutchings
                   ` (252 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Jeff Kirsher, Jim Young, Joe Perches

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Perches <joe@perches.com>

commit e6c97234d1b18d4751671df15d52e29daa8a7ba8 upstream.

Reduce stack use by using kmemdup and not using a very
large struct on stack.

In function ‘i40e_dbg_dump_desc’:
warning: the frame size of 8192 bytes is larger than 2048 bytes [-Wframe-larger-than=]

Signed-off-by: Joe Perches <joe@perches.com>
Tested-by: Jim Young <jamesx.m.young@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 30 +++++++++++++++-----------
 1 file changed, 17 insertions(+), 13 deletions(-)

--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c
@@ -754,7 +754,7 @@ static void i40e_dbg_dump_desc(int cnt,
 {
 	struct i40e_tx_desc *txd;
 	union i40e_rx_desc *rxd;
-	struct i40e_ring ring;
+	struct i40e_ring *ring;
 	struct i40e_vsi *vsi;
 	int i;
 
@@ -773,29 +773,32 @@ static void i40e_dbg_dump_desc(int cnt,
 			 vsi_seid);
 		return;
 	}
-	if (is_rx_ring)
-		ring = *vsi->rx_rings[ring_id];
-	else
-		ring = *vsi->tx_rings[ring_id];
+
+	ring = kmemdup(is_rx_ring
+		       ? vsi->rx_rings[ring_id] : vsi->tx_rings[ring_id],
+		       sizeof(*ring), GFP_KERNEL);
+	if (!ring)
+		return;
+
 	if (cnt == 2) {
 		dev_info(&pf->pdev->dev, "vsi = %02i %s ring = %02i\n",
 			 vsi_seid, is_rx_ring ? "rx" : "tx", ring_id);
-		for (i = 0; i < ring.count; i++) {
+		for (i = 0; i < ring->count; i++) {
 			if (!is_rx_ring) {
-				txd = I40E_TX_DESC(&ring, i);
+				txd = I40E_TX_DESC(ring, i);
 				dev_info(&pf->pdev->dev,
 					 "   d[%03i] = 0x%016llx 0x%016llx\n",
 					 i, txd->buffer_addr,
 					 txd->cmd_type_offset_bsz);
 			} else if (sizeof(union i40e_rx_desc) ==
 				   sizeof(union i40e_16byte_rx_desc)) {
-				rxd = I40E_RX_DESC(&ring, i);
+				rxd = I40E_RX_DESC(ring, i);
 				dev_info(&pf->pdev->dev,
 					 "   d[%03i] = 0x%016llx 0x%016llx\n",
 					 i, rxd->read.pkt_addr,
 					 rxd->read.hdr_addr);
 			} else {
-				rxd = I40E_RX_DESC(&ring, i);
+				rxd = I40E_RX_DESC(ring, i);
 				dev_info(&pf->pdev->dev,
 					 "   d[%03i] = 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
 					 i, rxd->read.pkt_addr,
@@ -804,26 +807,26 @@ static void i40e_dbg_dump_desc(int cnt,
 			}
 		}
 	} else if (cnt == 3) {
-		if (desc_n >= ring.count || desc_n < 0) {
+		if (desc_n >= ring->count || desc_n < 0) {
 			dev_info(&pf->pdev->dev,
 				 "descriptor %d not found\n", desc_n);
 			return;
 		}
 		if (!is_rx_ring) {
-			txd = I40E_TX_DESC(&ring, desc_n);
+			txd = I40E_TX_DESC(ring, desc_n);
 			dev_info(&pf->pdev->dev,
 				 "vsi = %02i tx ring = %02i d[%03i] = 0x%016llx 0x%016llx\n",
 				 vsi_seid, ring_id, desc_n,
 				 txd->buffer_addr, txd->cmd_type_offset_bsz);
 		} else if (sizeof(union i40e_rx_desc) ==
 			   sizeof(union i40e_16byte_rx_desc)) {
-			rxd = I40E_RX_DESC(&ring, desc_n);
+			rxd = I40E_RX_DESC(ring, desc_n);
 			dev_info(&pf->pdev->dev,
 				 "vsi = %02i rx ring = %02i d[%03i] = 0x%016llx 0x%016llx\n",
 				 vsi_seid, ring_id, desc_n,
 				 rxd->read.pkt_addr, rxd->read.hdr_addr);
 		} else {
-			rxd = I40E_RX_DESC(&ring, desc_n);
+			rxd = I40E_RX_DESC(ring, desc_n);
 			dev_info(&pf->pdev->dev,
 				 "vsi = %02i rx ring = %02i d[%03i] = 0x%016llx 0x%016llx 0x%016llx 0x%016llx\n",
 				 vsi_seid, ring_id, desc_n,
@@ -833,6 +836,7 @@ static void i40e_dbg_dump_desc(int cnt,
 	} else {
 		dev_info(&pf->pdev->dev, "dump desc rx/tx <vsi_seid> <ring_id> [<desc_n>]\n");
 	}
+	kfree(ring);
 }
 
 /**

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 012/294] net: bcmgenet: rewrite bcmgenet_rx_refill()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 103/294] net: skb_needs_check() accepts CHECKSUM_NONE for tx Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 248/294] net: caif: fix misleading indentation Ben Hutchings
                   ` (197 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Florian Fainelli, Jaedon Shin, Petri Gynther

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Petri Gynther <pgynther@google.com>

commit d6707bec598649450ee0887bf11896e525777874 upstream.

Currently, bcmgenet_desc_rx() calls bcmgenet_rx_refill() at the end of
Rx packet processing loop, after the current Rx packet has already been
passed to napi_gro_receive(). However, bcmgenet_rx_refill() might fail
to allocate a new Rx skb, thus leaving a hole on the Rx queue where no
valid Rx buffer exists.

To eliminate this situation:
1. Rewrite bcmgenet_rx_refill() to retain the current Rx skb on the Rx
   queue if a new replacement Rx skb can't be allocated and DMA-mapped.
   In this case, the data on the current Rx skb is effectively dropped.
2. Modify bcmgenet_desc_rx() to call bcmgenet_rx_refill() at the top of
   Rx packet processing loop, so that the new replacement Rx skb is
   already in place before the current Rx skb is processed.

Signed-off-by: Petri Gynther <pgynther@google.com>
Tested-by: Jaedon Shin <jaedon.shin@gmail.com>--
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - There's no alloc_rx_buff_failed statistic
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1275,33 +1275,41 @@ out:
 	return ret;
 }
 
-
-static int bcmgenet_rx_refill(struct bcmgenet_priv *priv,
-				struct enet_cb *cb)
+static struct sk_buff *bcmgenet_rx_refill(struct bcmgenet_priv *priv,
+					  struct enet_cb *cb)
 {
 	struct device *kdev = &priv->pdev->dev;
 	struct sk_buff *skb;
+	struct sk_buff *rx_skb;
 	dma_addr_t mapping;
-	int ret;
 
+	/* Allocate a new Rx skb */
 	skb = netdev_alloc_skb(priv->dev,
 				priv->rx_buf_len + SKB_ALIGNMENT);
-	if (!skb)
-		return -ENOMEM;
+	if (!skb) {
+		netif_err(priv, rx_err, priv->dev,
+			  "%s: Rx skb allocation failed\n", __func__);
+		return NULL;
+	}
 
-	/* a caller did not release this control block */
-	WARN_ON(cb->skb != NULL);
-	cb->skb = skb;
-	mapping = dma_map_single(kdev, skb->data,
-			priv->rx_buf_len, DMA_FROM_DEVICE);
-	ret = dma_mapping_error(kdev, mapping);
-	if (ret) {
-		bcmgenet_free_cb(cb);
+	/* DMA-map the new Rx skb */
+	mapping = dma_map_single(kdev, skb->data, priv->rx_buf_len,
+				 DMA_FROM_DEVICE);
+	if (dma_mapping_error(kdev, mapping)) {
+		dev_kfree_skb_any(skb);
 		netif_err(priv, rx_err, priv->dev,
-				"%s DMA map failed\n", __func__);
-		return ret;
+			  "%s: Rx skb DMA mapping failed\n", __func__);
+		return NULL;
 	}
 
+	/* Grab the current Rx skb from the ring and DMA-unmap it */
+	rx_skb = cb->skb;
+	if (likely(rx_skb))
+		dma_unmap_single(kdev, dma_unmap_addr(cb, dma_addr),
+				 priv->rx_buf_len, DMA_FROM_DEVICE);
+
+	/* Put the new Rx skb on the ring */
+	cb->skb = skb;
 	dma_unmap_addr_set(cb, dma_addr, mapping);
 	/* assign packet, prepare descriptor, and advance pointer */
 
@@ -1314,7 +1322,8 @@ static int bcmgenet_rx_refill(struct bcm
 	priv->rx_bd_assign_ptr = priv->rx_bds +
 		(priv->rx_bd_assign_index * DMA_DESC_SIZE);
 
-	return 0;
+	/* Return the current Rx skb to caller */
+	return rx_skb;
 }
 
 /* bcmgenet_desc_rx - descriptor based rx process.
@@ -1329,7 +1338,7 @@ static unsigned int bcmgenet_desc_rx(str
 	struct sk_buff *skb;
 	u32 dma_length_status;
 	unsigned long dma_flag;
-	int len, err;
+	int len;
 	unsigned int rxpktprocessed = 0, rxpkttoprocess;
 	unsigned int p_index;
 	unsigned int chksum_ok = 0;
@@ -1351,26 +1360,14 @@ static unsigned int bcmgenet_desc_rx(str
 			(rxpktprocessed < budget)) {
 
 		cb = &priv->rx_cbs[priv->rx_read_ptr];
-		skb = cb->skb;
+		skb = bcmgenet_rx_refill(priv, cb);
 
-		/* We do not have a backing SKB, so we do not have a
-		 * corresponding DMA mapping for this incoming packet since
-		 * bcmgenet_rx_refill always either has both skb and mapping or
-		 * none.
-		 */
 		if (unlikely(!skb)) {
 			dev->stats.rx_dropped++;
 			dev->stats.rx_errors++;
-			goto refill;
+			goto next;
 		}
 
-		/* Unmap the packet contents such that we can use the
-		 * RSV from the 64 bytes descriptor when enabled and save
-		 * a 32-bits register read
-		 */
-		dma_unmap_single(kdev, dma_unmap_addr(cb, dma_addr),
-				priv->rx_buf_len, DMA_FROM_DEVICE);
-
 		if (!priv->desc_64b_en) {
 			dma_length_status = dmadesc_get_length_status(priv,
 							priv->rx_bds +
@@ -1398,10 +1395,10 @@ static unsigned int bcmgenet_desc_rx(str
 					"Droping fragmented packet!\n");
 			dev->stats.rx_dropped++;
 			dev->stats.rx_errors++;
-			dev_kfree_skb_any(cb->skb);
-			cb->skb = NULL;
-			goto refill;
+			dev_kfree_skb_any(skb);
+			goto next;
 		}
+
 		/* report errors */
 		if (unlikely(dma_flag & (DMA_RX_CRC_ERROR |
 						DMA_RX_OV |
@@ -1420,11 +1417,8 @@ static unsigned int bcmgenet_desc_rx(str
 				dev->stats.rx_length_errors++;
 			dev->stats.rx_dropped++;
 			dev->stats.rx_errors++;
-
-			/* discard the packet and advance consumer index.*/
-			dev_kfree_skb_any(cb->skb);
-			cb->skb = NULL;
-			goto refill;
+			dev_kfree_skb_any(skb);
+			goto next;
 		} /* error packet */
 
 		chksum_ok = (dma_flag & priv->dma_rx_chk_bit) &&
@@ -1457,15 +1451,9 @@ static unsigned int bcmgenet_desc_rx(str
 
 		/* Notify kernel */
 		napi_gro_receive(&priv->napi, skb);
-		cb->skb = NULL;
 		netif_dbg(priv, rx_status, dev, "pushed up to kernel\n");
 
-		/* refill RX path on the current control block */
-refill:
-		err = bcmgenet_rx_refill(priv, cb);
-		if (err)
-			netif_err(priv, rx_err, dev, "Rx refill failed\n");
-
+next:
 		rxpktprocessed++;
 		priv->rx_read_ptr++;
 		priv->rx_read_ptr &= (priv->num_rx_bds - 1);
@@ -1478,7 +1466,7 @@ refill:
 static int bcmgenet_alloc_rx_buffers(struct bcmgenet_priv *priv)
 {
 	struct enet_cb *cb;
-	int ret = 0;
+	struct sk_buff *skb;
 	int i;
 
 	netif_dbg(priv, hw, priv->dev, "%s:\n", __func__);
@@ -1486,16 +1474,14 @@ static int bcmgenet_alloc_rx_buffers(str
 	/* loop here for each buffer needing assign */
 	for (i = 0; i < priv->num_rx_bds; i++) {
 		cb = &priv->rx_cbs[priv->rx_bd_assign_index];
-		if (cb->skb)
-			continue;
-
-		ret = bcmgenet_rx_refill(priv, cb);
-		if (ret)
-			break;
-
+		skb = bcmgenet_rx_refill(priv, cb);
+		if (skb)
+			dev_kfree_skb_any(skb);
+		if (!cb->skb)
+			return -ENOMEM;
 	}
 
-	return ret;
+	return 0;
 }
 
 static void bcmgenet_free_rx_buffers(struct bcmgenet_priv *priv)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 204/294] modpost: expand pattern matching to support substring matches
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (133 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 154/294] dm: fix printk() rate limiting code Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 228/294] spi/pl022: Explicitly truncate large bitmask Ben Hutchings
                   ` (160 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rusty Russell, Paul Gortmaker, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 09c20c032b0f753969ae778d9783d946f054d7fe upstream.

Currently the match() function supports a leading * to match any
prefix and a trailing * to match any suffix.  However there currently
is not a combination of both that can be used to target matches of
whole families of functions that share a common substring.

Here we expand the *foo and foo* match to also support *foo* with
the goal of targeting compiler generated symbol names that contain
strings like ".constprop." and ".isra."

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/mod/modpost.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -798,6 +798,7 @@ static int number_prefix(const char *sym
  *   where the '1' can be any number including several digits.
  *   The $ syntax is for sections where ld append a dot number
  *   to make section name unique.
+ * "*foo*" will match a string that contains "foo"
  */
 static int match(const char *sym, const char * const pat[])
 {
@@ -806,8 +807,17 @@ static int match(const char *sym, const
 		p = *pat++;
 		const char *endp = p + strlen(p) - 1;
 
+		/* "*foo*" */
+		if (*p == '*' && *endp == '*') {
+			char *here, *bare = strndup(p + 1, strlen(p) - 2);
+
+			here = strstr(sym, bare);
+			free(bare);
+			if (here != NULL)
+				return 1;
+		}
 		/* "*foo" */
-		if (*p == '*') {
+		else if (*p == '*') {
 			if (strrcmp(sym, p + 1) == 0)
 				return 1;
 		}

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 011/294] net: bcmgenet: simplify __bcmgenet_tx_reclaim()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (270 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 234/294] ips: remove pointless #warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 194/294] USB: uas: fix bug in handling of alternate settings Ben Hutchings
                   ` (23 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Petri Gynther, David S. Miller, Florian Fainelli

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Petri Gynther <pgynther@google.com>

commit 66d06757d9eb74a29775737b8c770e3b57e536d9 upstream.

1. Use c_index and ring->c_index to determine how many TxCBs/TxBDs are
   ready for cleanup
   - c_index = the current value of TDMA_CONS_INDEX
   - TDMA_CONS_INDEX is HW-incremented and auto-wraparound (0x0-0xFFFF)
   - ring->c_index = __bcmgenet_tx_reclaim() cleaned up to this point on
     the previous invocation

2. Add bcmgenet_tx_ring->clean_ptr
   - index of the next TxCB to be cleaned
   - incremented as TxCBs/TxBDs are processed
   - value always in range [ring->cb_ptr, ring->end_ptr]

3. Fix incrementing of dev->stats.tx_packets
   - should be incremented only when tx_cb_ptr->skb != NULL

These changes simplify __bcmgenet_tx_reclaim(). Furthermore, Tx ring size
can now be any value.

With the old code, Tx ring size had to be a power-of-2:
   num_tx_bds = ring->size;
   c_index &= (num_tx_bds - 1);
   last_c_index &= (num_tx_bds - 1);

Signed-off-by: Petri Gynther <pgynther@google.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - __bcmgenet_tx_reclaim() did not count completions
 - In bcmgenet_init_tx_ring(), use write_ptr not start_ptr
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -946,34 +946,30 @@ static void __bcmgenet_tx_reclaim(struct
 {
 	struct bcmgenet_priv *priv = netdev_priv(dev);
 	struct device *kdev = &priv->pdev->dev;
-	int last_tx_cn, last_c_index, num_tx_bds;
 	struct enet_cb *tx_cb_ptr;
 	struct netdev_queue *txq;
 	unsigned int c_index;
+	unsigned int txbds_ready;
+	unsigned int txbds_processed = 0;
 
 	/* Compute how many buffers are transmited since last xmit call */
 	c_index = bcmgenet_tdma_ring_readl(priv, ring->index, TDMA_CONS_INDEX);
-	txq = netdev_get_tx_queue(dev, ring->queue);
-
-	last_c_index = ring->c_index;
-	num_tx_bds = ring->size;
+	c_index &= DMA_C_INDEX_MASK;
 
-	c_index &= (num_tx_bds - 1);
-
-	if (c_index >= last_c_index)
-		last_tx_cn = c_index - last_c_index;
+	if (likely(c_index >= ring->c_index))
+		txbds_ready = c_index - ring->c_index;
 	else
-		last_tx_cn = num_tx_bds - last_c_index + c_index;
+		txbds_ready = (DMA_C_INDEX_MASK + 1) - ring->c_index + c_index;
 
 	netif_dbg(priv, tx_done, dev,
-			"%s ring=%d index=%d last_tx_cn=%d last_index=%d\n",
-			__func__, ring->index,
-			c_index, last_tx_cn, last_c_index);
+		  "%s ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n",
+		  __func__, ring->index, ring->c_index, c_index, txbds_ready);
 
 	/* Reclaim transmitted buffers */
-	while (last_tx_cn-- > 0) {
-		tx_cb_ptr = ring->cbs + last_c_index;
+	while (txbds_processed < txbds_ready) {
+		tx_cb_ptr = &priv->tx_cbs[ring->clean_ptr];
 		if (tx_cb_ptr->skb) {
+			dev->stats.tx_packets++;
 			dev->stats.tx_bytes += tx_cb_ptr->skb->len;
 			dma_unmap_single(kdev,
 					dma_unmap_addr(tx_cb_ptr, dma_addr),
@@ -989,20 +985,23 @@ static void __bcmgenet_tx_reclaim(struct
 					DMA_TO_DEVICE);
 			dma_unmap_addr_set(tx_cb_ptr, dma_addr, 0);
 		}
-		dev->stats.tx_packets++;
-		ring->free_bds += 1;
 
-		last_c_index++;
-		last_c_index &= (num_tx_bds - 1);
+		txbds_processed++;
+		if (likely(ring->clean_ptr < ring->end_ptr))
+			ring->clean_ptr++;
+		else
+			ring->clean_ptr = ring->cb_ptr;
 	}
 
+	ring->free_bds += txbds_processed;
+	ring->c_index = (ring->c_index + txbds_processed) & DMA_C_INDEX_MASK;
+
 	if (ring->free_bds > (MAX_SKB_FRAGS + 1))
 		ring->int_disable(priv, ring);
 
+	txq = netdev_get_tx_queue(dev, ring->queue);
 	if (netif_tx_queue_stopped(txq))
 		netif_tx_wake_queue(txq);
-
-	ring->c_index = c_index;
 }
 
 static void bcmgenet_tx_reclaim(struct net_device *dev,
@@ -1644,6 +1643,7 @@ static void bcmgenet_init_tx_ring(struct
 	}
 	ring->cbs = priv->tx_cbs + write_ptr;
 	ring->size = size;
+	ring->clean_ptr = write_ptr;
 	ring->c_index = 0;
 	ring->free_bds = size;
 	ring->write_ptr = write_ptr;
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -510,6 +510,7 @@ struct bcmgenet_tx_ring {
 	unsigned int	queue;		/* queue index */
 	struct enet_cb	*cbs;		/* tx ring buffer control block*/
 	unsigned int	size;		/* size of each tx ring */
+	unsigned int    clean_ptr;      /* Tx ring clean pointer */
 	unsigned int	c_index;	/* last consumer index of each ring*/
 	unsigned int	free_bds;	/* # of free bds for each ring */
 	unsigned int	write_ptr;	/* Tx ring write pointer SW copy */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 245/294] mlx5: avoid build warnings on 32-bit
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (176 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 029/294] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 087/294] ixgbe: Initialize 64-bit stats seqcounts Ben Hutchings
                   ` (117 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 065bd8c28ba37d04c9a5b732173c1508954b1f58 upstream.

The mlx5 driver passes a string pointer in through a 'u64' variable,
which on 32-bit machines causes a build warning:

drivers/net/ethernet/mellanox/mlx5/core/debugfs.c: In function 'qp_read_field':
drivers/net/ethernet/mellanox/mlx5/core/debugfs.c:303:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]

The code is in fact safe, so we can shut up the warning by adding
extra type casts.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/debugfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
@@ -300,11 +300,11 @@ static u64 qp_read_field(struct mlx5_cor
 		param = qp->pid;
 		break;
 	case QP_STATE:
-		param = (u64)mlx5_qp_state_str(be32_to_cpu(ctx->flags) >> 28);
+		param = (unsigned long)mlx5_qp_state_str(be32_to_cpu(ctx->flags) >> 28);
 		*is_str = 1;
 		break;
 	case QP_XPORT:
-		param = (u64)mlx5_qp_type_str((be32_to_cpu(ctx->flags) >> 16) & 0xff);
+		param = (unsigned long)mlx5_qp_type_str((be32_to_cpu(ctx->flags) >> 16) & 0xff);
 		*is_str = 1;
 		break;
 	case QP_MTU:
@@ -464,7 +464,7 @@ static ssize_t dbg_read(struct file *fil
 
 
 	if (is_str)
-		ret = snprintf(tbuf, sizeof(tbuf), "%s\n", (const char *)field);
+		ret = snprintf(tbuf, sizeof(tbuf), "%s\n", (const char *)(unsigned long)field);
 	else
 		ret = snprintf(tbuf, sizeof(tbuf), "0x%llx\n", field);
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 238/294] mvsas: fix misleading indentation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 163/294] ipv6: fix sparse warning on rt6i_node Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 251/294] net: tulip: turn compile-time warning into dev_warn() Ben Hutchings
                   ` (181 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Johannes Thumshirn, Martin K. Petersen, Arnd Bergmann,
	Luis de Bethencourt

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Luis de Bethencourt <luisbg@osg.samsung.com>

commit 7789cd39274c51bf475411fe22a8ee7255082809 upstream.

Fix a smatch warning:
drivers/scsi/mvsas/mv_sas.c:740 mvs_task_prep() warn: curly braces intended?

The code is correct, the indention is misleading. When the device is not
ready we want to return SAS_PHY_DOWN. But current indentation makes it
look like we only do so in the else branch of if (mvi_dev).

Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/mvsas/mv_sas.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -737,8 +737,8 @@ static int mvs_task_prep(struct sas_task
 			mv_dprintk("device %016llx not ready.\n",
 				SAS_ADDR(dev->sas_addr));
 
-			rc = SAS_PHY_DOWN;
-			return rc;
+		rc = SAS_PHY_DOWN;
+		return rc;
 	}
 	tei.port = dev->port->lldd_port;
 	if (tei.port && !tei.port->port_attached && !tmf) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 016/294] net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (242 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 111/294] xfs: fix inobt inode allocation search optimization Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 254/294] hostap: avoid uninitialized variable use in hfa384x_get_rid Ben Hutchings
                   ` (51 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Doug Berger, David S. Miller, Florian Fainelli

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Berger <opendmb@gmail.com>

commit 876dbadd53a7102e2a84afc84ea2bd3ee6dc5636 upstream.

In case we fail to map a single fragment, we would be leaving the
transmit ring populated with stale entries.

This commit introduces the helper function bcmgenet_put_txcb()
which takes care of rewinding the per-ring write pointer back to
where we left.

It also consolidates the functionality of bcmgenet_xmit_single()
and bcmgenet_xmit_frag() into the bcmgenet_xmit() function to
make the unmapping of control blocks cleaner.

Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Suggested-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - There's no tx_dma_failed statistic
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 191 +++++++++++--------------
 1 file changed, 85 insertions(+), 106 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -900,6 +900,23 @@ static struct enet_cb *bcmgenet_get_txcb
 	return tx_cb_ptr;
 }
 
+static struct enet_cb *bcmgenet_put_txcb(struct bcmgenet_priv *priv,
+					 struct bcmgenet_tx_ring *ring)
+{
+	struct enet_cb *tx_cb_ptr;
+
+	tx_cb_ptr = ring->cbs;
+	tx_cb_ptr += ring->write_ptr - ring->cb_ptr;
+
+	/* Rewinding local write pointer */
+	if (ring->write_ptr == ring->cb_ptr)
+		ring->write_ptr = ring->end_ptr;
+	else
+		ring->write_ptr--;
+
+	return tx_cb_ptr;
+}
+
 /* Simple helper to free a control block's resources */
 static void bcmgenet_free_cb(struct enet_cb *cb)
 {
@@ -1030,93 +1047,6 @@ static void bcmgenet_tx_reclaim_all(stru
 	bcmgenet_tx_reclaim(dev, &priv->tx_rings[DESC_INDEX]);
 }
 
-/* Transmits a single SKB (either head of a fragment or a single SKB)
- * caller must hold priv->lock
- */
-static int bcmgenet_xmit_single(struct net_device *dev,
-				struct sk_buff *skb,
-				u16 dma_desc_flags,
-				struct bcmgenet_tx_ring *ring)
-{
-	struct bcmgenet_priv *priv = netdev_priv(dev);
-	struct device *kdev = &priv->pdev->dev;
-	struct enet_cb *tx_cb_ptr;
-	unsigned int skb_len;
-	dma_addr_t mapping;
-	u32 length_status;
-	int ret;
-
-	tx_cb_ptr = bcmgenet_get_txcb(priv, ring);
-
-	if (unlikely(!tx_cb_ptr))
-		BUG();
-
-	tx_cb_ptr->skb = skb;
-
-	skb_len = skb_headlen(skb);
-
-	mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE);
-	ret = dma_mapping_error(kdev, mapping);
-	if (ret) {
-		netif_err(priv, tx_err, dev, "Tx DMA map failed\n");
-		dev_kfree_skb(skb);
-		return ret;
-	}
-
-	dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
-	dma_unmap_len_set(tx_cb_ptr, dma_len, skb_len);
-	length_status = (skb_len << DMA_BUFLENGTH_SHIFT) | dma_desc_flags |
-			(priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT) |
-			DMA_TX_APPEND_CRC;
-
-	if (skb->ip_summed == CHECKSUM_PARTIAL)
-		length_status |= DMA_TX_DO_CSUM;
-
-	dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping, length_status);
-
-	return 0;
-}
-
-/* Transmit a SKB fragement */
-static int bcmgenet_xmit_frag(struct net_device *dev,
-				skb_frag_t *frag,
-				u16 dma_desc_flags,
-				struct bcmgenet_tx_ring *ring)
-{
-	struct bcmgenet_priv *priv = netdev_priv(dev);
-	struct device *kdev = &priv->pdev->dev;
-	struct enet_cb *tx_cb_ptr;
-	unsigned int frag_size;
-	dma_addr_t mapping;
-	int ret;
-
-	tx_cb_ptr = bcmgenet_get_txcb(priv, ring);
-
-	if (unlikely(!tx_cb_ptr))
-		BUG();
-
-	tx_cb_ptr->skb = NULL;
-
-	frag_size = skb_frag_size(frag);
-
-	mapping = skb_frag_dma_map(kdev, frag, 0, frag_size, DMA_TO_DEVICE);
-	ret = dma_mapping_error(kdev, mapping);
-	if (ret) {
-		netif_err(priv, tx_err, dev, "%s: Tx DMA map failed\n",
-				__func__);
-		return ret;
-	}
-
-	dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
-	dma_unmap_len_set(tx_cb_ptr, dma_len, frag_size);
-
-	dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping,
-			(frag_size << DMA_BUFLENGTH_SHIFT) | dma_desc_flags |
-			(priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT));
-
-	return 0;
-}
-
 /* Reallocate the SKB to put enough headroom in front of it and insert
  * the transmit checksum offsets in the descriptors
  */
@@ -1182,11 +1112,16 @@ static int bcmgenet_put_tx_csum(struct n
 static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct bcmgenet_priv *priv = netdev_priv(dev);
+	struct device *kdev = &priv->pdev->dev;
 	struct bcmgenet_tx_ring *ring = NULL;
+	struct enet_cb *tx_cb_ptr;
 	struct netdev_queue *txq;
 	unsigned long flags = 0;
 	int nr_frags, index;
-	u16 dma_desc_flags;
+	dma_addr_t mapping;
+	unsigned int size;
+	skb_frag_t *frag;
+	u32 len_stat;
 	int ret;
 	int i;
 
@@ -1235,26 +1170,48 @@ static netdev_tx_t bcmgenet_xmit(struct
 		}
 	}
 
-	dma_desc_flags = DMA_SOP;
-	if (nr_frags == 0)
-		dma_desc_flags |= DMA_EOP;
-
-	/* Transmit single SKB or head of fragment list */
-	ret = bcmgenet_xmit_single(dev, skb, dma_desc_flags, ring);
-	if (ret) {
-		ret = NETDEV_TX_OK;
-		goto out;
-	}
+	for (i = 0; i <= nr_frags; i++) {
+		tx_cb_ptr = bcmgenet_get_txcb(priv, ring);
 
-	/* xmit fragment */
-	for (i = 0; i < nr_frags; i++) {
-		ret = bcmgenet_xmit_frag(dev,
-				&skb_shinfo(skb)->frags[i],
-				(i == nr_frags - 1) ? DMA_EOP : 0, ring);
+		if (unlikely(!tx_cb_ptr))
+			BUG();
+
+		if (!i) {
+			/* Transmit single SKB or head of fragment list */
+			tx_cb_ptr->skb = skb;
+			size = skb_headlen(skb);
+			mapping = dma_map_single(kdev, skb->data, size,
+						 DMA_TO_DEVICE);
+		} else {
+			/* xmit fragment */
+			tx_cb_ptr->skb = NULL;
+			frag = &skb_shinfo(skb)->frags[i - 1];
+			size = skb_frag_size(frag);
+			mapping = skb_frag_dma_map(kdev, frag, 0, size,
+						   DMA_TO_DEVICE);
+		}
+
+		ret = dma_mapping_error(kdev, mapping);
 		if (ret) {
+			netif_err(priv, tx_err, dev, "Tx DMA map failed\n");
 			ret = NETDEV_TX_OK;
-			goto out;
+			goto out_unmap_frags;
 		}
+		dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
+		dma_unmap_len_set(tx_cb_ptr, dma_len, size);
+
+		len_stat = (size << DMA_BUFLENGTH_SHIFT) |
+			   (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT);
+
+		if (!i) {
+			len_stat |= DMA_TX_APPEND_CRC | DMA_SOP;
+			if (skb->ip_summed == CHECKSUM_PARTIAL)
+				len_stat |= DMA_TX_DO_CSUM;
+		}
+		if (i == nr_frags)
+			len_stat |= DMA_EOP;
+
+		dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping, len_stat);
 	}
 
 	skb_tx_timestamp(skb);
@@ -1276,6 +1233,30 @@ out:
 	spin_unlock_irqrestore(&ring->lock, flags);
 
 	return ret;
+
+out_unmap_frags:
+	/* Back up for failed control block mapping */
+	bcmgenet_put_txcb(priv, ring);
+
+	/* Unmap successfully mapped control blocks */
+	while (i-- > 0) {
+		tx_cb_ptr = bcmgenet_put_txcb(priv, ring);
+		if (tx_cb_ptr->skb)
+			dma_unmap_single(kdev,
+					 dma_unmap_addr(tx_cb_ptr, dma_addr),
+					 dma_unmap_len(tx_cb_ptr, dma_len),
+					 DMA_TO_DEVICE);
+		else
+			dma_unmap_page(kdev,
+				       dma_unmap_addr(tx_cb_ptr, dma_addr),
+				       dma_unmap_len(tx_cb_ptr, dma_len),
+				       DMA_TO_DEVICE);
+		dma_unmap_addr_set(tx_cb_ptr, dma_addr, 0);
+		tx_cb_ptr->skb = NULL;
+	}
+
+	dev_kfree_skb(skb);
+	goto out;
 }
 
 static struct sk_buff *bcmgenet_rx_refill(struct bcmgenet_priv *priv,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 007/294] net/packet: Fix Tx queue selection for AF_PACKET
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 220/294] ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 199/294] ALSA: seq: Enable 'use' locking in all configurations Ben Hutchings
                   ` (186 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Iván Briano, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Iván Briano <ivan.briano@intel.com>

commit ccd4eb49f3392ebf989d58bd013a7bf44cdca4d6 upstream.

When PACKET_QDISC_BYPASS is not used, Tx queue selection will be done
before the packet is enqueued, taking into account any mappings set by
a queuing discipline such as mqprio without hardware offloading. This
selection may be affected by a previously saved queue_mapping, either on
the Rx path, or done before the packet reaches the device, as it's
currently the case for AF_PACKET.

In order for queue selection to work as expected when using traffic
control, there can't be another selection done before that point is
reached, so move the call to packet_pick_tx_queue to
packet_direct_xmit, leaving the default xmit path as it was before
PACKET_QDISC_BYPASS was introduced.

A forward declaration of packet_pick_tx_queue() is introduced to avoid
the need to reorder the functions within the file.

Fixes: d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option")
Signed-off-by: Iván Briano <ivan.briano@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -214,6 +214,7 @@ static void prb_clear_rxhash(struct tpac
 static void prb_fill_vlan_info(struct tpacket_kbdq_core *,
 		struct tpacket3_hdr *);
 static void packet_flush_mclist(struct sock *sk);
+static void packet_pick_tx_queue(struct net_device *dev, struct sk_buff *skb);
 
 struct packet_skb_cb {
 	unsigned int origlen;
@@ -266,6 +267,7 @@ static int packet_direct_xmit(struct sk_
 			goto drop;
 	}
 
+	packet_pick_tx_queue(dev, skb);
 	queue_map = skb_get_queue_mapping(skb);
 	txq = netdev_get_tx_queue(dev, queue_map);
 
@@ -2343,8 +2345,6 @@ static int tpacket_snd(struct packet_soc
 			}
 		}
 
-		packet_pick_tx_queue(dev, skb);
-
 		skb->destructor = tpacket_destruct_skb;
 		__packet_set_status(po, ph, TP_STATUS_SENDING);
 		packet_inc_pending(&po->tx_ring);
@@ -2551,8 +2551,6 @@ static int packet_snd(struct socket *soc
 	skb->priority = sk->sk_priority;
 	skb->mark = sk->sk_mark;
 
-	packet_pick_tx_queue(dev, skb);
-
 	if (po->has_vnet_hdr) {
 		if (vnet_hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
 			if (!skb_partial_csum_set(skb, vnet_hdr.csum_start,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 014/294] net: bcmgenet: fix dev->stats.tx_bytes accounting
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 121/294] mm/mempolicy: fix use after free when calling get_mempolicy Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 055/294] iwlwifi: dvm: prevent an out of bounds access Ben Hutchings
                   ` (130 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Petri Gynther, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Petri Gynther <pgynther@google.com>

commit 55868120a3e5420bf5aa26a816c07d691579c9e6 upstream.

1. Add bytes_compl local variable to __bcmgenet_tx_reclaim() to collect
   transmitted bytes. dev->stats updates can then be moved outside the
   while-loop. bytes_compl is also needed for future BQL support.
2. When bcmgenet device uses Tx checksum offload, each transmitted skb
   gets an extra 64-byte header prepended to it. Before this header is
   prepended to the skb, we need to save the skb "wire" length in
   GENET_CB(skb)->bytes_sent, so that proper Tx bytes accounting can
   be done in __bcmgenet_tx_reclaim().
3. skb->len covers the entire length of skb, whether it is linear or
   fragmented. Thus, when we clean the fragments, do not increase
   transmitted bytes.

Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Petri Gynther <pgynther@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Also update tx_packets accounting, as done in upstream commit 4092e6acf5cb
   "net: bcmgenet: fix throughtput regression"
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -948,6 +948,8 @@ static void __bcmgenet_tx_reclaim(struct
 	struct device *kdev = &priv->pdev->dev;
 	struct enet_cb *tx_cb_ptr;
 	struct netdev_queue *txq;
+	unsigned int pkts_compl = 0;
+	unsigned int bytes_compl = 0;
 	unsigned int c_index;
 	unsigned int txbds_ready;
 	unsigned int txbds_processed = 0;
@@ -969,16 +971,14 @@ static void __bcmgenet_tx_reclaim(struct
 	while (txbds_processed < txbds_ready) {
 		tx_cb_ptr = &priv->tx_cbs[ring->clean_ptr];
 		if (tx_cb_ptr->skb) {
-			dev->stats.tx_packets++;
-			dev->stats.tx_bytes += tx_cb_ptr->skb->len;
+			pkts_compl++;
+			bytes_compl += GENET_CB(tx_cb_ptr->skb)->bytes_sent;
 			dma_unmap_single(kdev,
 					dma_unmap_addr(tx_cb_ptr, dma_addr),
 					dma_unmap_len(tx_cb_ptr, dma_len),
 					DMA_TO_DEVICE);
 			bcmgenet_free_cb(tx_cb_ptr);
 		} else if (dma_unmap_addr(tx_cb_ptr, dma_addr)) {
-			dev->stats.tx_bytes +=
-				dma_unmap_len(tx_cb_ptr, dma_len);
 			dma_unmap_page(kdev,
 					dma_unmap_addr(tx_cb_ptr, dma_addr),
 					dma_unmap_len(tx_cb_ptr, dma_len),
@@ -996,6 +996,9 @@ static void __bcmgenet_tx_reclaim(struct
 	ring->free_bds += txbds_processed;
 	ring->c_index = (ring->c_index + txbds_processed) & DMA_C_INDEX_MASK;
 
+	dev->stats.tx_packets += pkts_compl;
+	dev->stats.tx_bytes += bytes_compl;
+
 	if (ring->free_bds > (MAX_SKB_FRAGS + 1))
 		ring->int_disable(priv, ring);
 
@@ -1215,6 +1218,11 @@ static netdev_tx_t bcmgenet_xmit(struct
 		goto out;
 	}
 
+	/* Retain how many bytes will be sent on the wire, without TSB inserted
+	 * by transmit checksum offload
+	 */
+	GENET_CB(skb)->bytes_sent = skb->len;
+
 	/* set the SKB transmit checksum */
 	if (priv->desc_64b_en) {
 		ret = bcmgenet_put_tx_csum(dev, skb);
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -504,6 +504,12 @@ struct bcmgenet_hw_params {
 	u32		flags;
 };
 
+struct bcmgenet_skb_cb {
+	unsigned int bytes_sent;	/* bytes on the wire (no TSB) */
+};
+
+#define GENET_CB(skb)	((struct bcmgenet_skb_cb *)((skb)->cb))
+
 struct bcmgenet_tx_ring {
 	spinlock_t	lock;		/* ring lock */
 	unsigned int	index;		/* ring index */

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 210/294] mm/hugetlb: improve locking in dissolve_free_huge_pages()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 018/294] i2c: mux: pinctrl: mention correct module name in Kconfig help text Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 080/294] xtensa: mm/cache: add missing EXPORT_SYMBOLs Ben Hutchings
                   ` (60 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mike Kravetz, Michal Hocko, Gerald Schaefer, Dave Hansen,
	Heiko Carstens, Rui Teng, Linus Torvalds, Martin Schwidefsky,
	Arnd Bergmann, Naoya Horiguchi, Kirill A . Shutemov,
	Vlastimil Babka, Aneesh Kumar K . V

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gerald Schaefer <gerald.schaefer@de.ibm.com>

commit eb03aa008561004257900983193d024e57abdd96 upstream.

For every pfn aligned to minimum_order, dissolve_free_huge_pages() will
call dissolve_free_huge_page() which takes the hugetlb spinlock, even if
the page is not huge at all or a hugepage that is in-use.

Improve this by doing the PageHuge() and page_count() checks already in
dissolve_free_huge_pages() before calling dissolve_free_huge_page().  In
dissolve_free_huge_page(), when holding the spinlock, those checks need
to be revalidated.

Link: http://lkml.kernel.org/r/20160926172811.94033-4-gerald.schaefer@de.ibm.com
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Rui Teng <rui.teng@linux.vnet.ibm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1105,14 +1105,20 @@ out:
 int dissolve_free_huge_pages(unsigned long start_pfn, unsigned long end_pfn)
 {
 	unsigned long pfn;
+	struct page *page;
 	int rc = 0;
 
 	if (!hugepages_supported())
 		return rc;
 
-	for (pfn = start_pfn; pfn < end_pfn; pfn += 1 << minimum_order)
-		if (rc = dissolve_free_huge_page(pfn_to_page(pfn)))
-			break;
+	for (pfn = start_pfn; pfn < end_pfn; pfn += 1 << minimum_order) {
+		page = pfn_to_page(pfn);
+		if (PageHuge(page) && !page_count(page)) {
+			rc = dissolve_free_huge_page(page);
+			if (rc)
+				break;
+		}
+	}
 
 	return rc;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 207/294] MODULE_DEVICE_TABLE: fix some callsites
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2017-11-06 23:03   ` Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 203/294] Disable "frame-address" warning Ben Hutchings
                   ` (245 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Ryabinin, Hans Verkuil, Greg Kroah-Hartman,
	Linus Torvalds, Arnd Bergmann, David Miller,
	Mauro Carvalho Chehab, James Bottomley

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Morton <akpm@linux-foundation.org>

commit 0f989f749b51ec1fd94bb5a42f8ad10c8b9f73cb upstream.

The patch "module: fix types of device tables aliases" newly requires that
invocations of

MODULE_DEVICE_TABLE(type, name);

come *after* the definition of `name'.  That is reasonable, but some
drivers weren't doing this.  Fix them.

Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
Cc: David Miller <davem@davemloft.net>
Cc: Hans Verkuil <hverkuil@xs4all.nl>
Acked-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/video4linux/v4l2-pci-skeleton.c | 2 +-
 drivers/net/ethernet/emulex/benet/be_main.c   | 1 -
 drivers/scsi/be2iscsi/be_main.c               | 1 -
 3 files changed, 1 insertion(+), 3 deletions(-)

--- a/Documentation/video4linux/v4l2-pci-skeleton.c
+++ b/Documentation/video4linux/v4l2-pci-skeleton.c
@@ -42,7 +42,6 @@
 MODULE_DESCRIPTION("V4L2 PCI Skeleton Driver");
 MODULE_AUTHOR("Hans Verkuil");
 MODULE_LICENSE("GPL v2");
-MODULE_DEVICE_TABLE(pci, skeleton_pci_tbl);
 
 /**
  * struct skeleton - All internal data for one instance of device
@@ -95,6 +94,7 @@ static const struct pci_device_id skelet
 	/* { PCI_DEVICE(PCI_VENDOR_ID_, PCI_DEVICE_ID_) }, */
 	{ 0, }
 };
+MODULE_DEVICE_TABLE(pci, skeleton_pci_tbl);
 
 /*
  * HDTV: this structure has the capabilities of the HDTV receiver.
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -26,7 +26,6 @@
 #include <net/vxlan.h>
 
 MODULE_VERSION(DRV_VER);
-MODULE_DEVICE_TABLE(pci, be_dev_ids);
 MODULE_DESCRIPTION(DRV_DESC " " DRV_VER);
 MODULE_AUTHOR("Emulex Corporation");
 MODULE_LICENSE("GPL");
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -48,7 +48,6 @@ static unsigned int be_iopoll_budget = 1
 static unsigned int be_max_phys_size = 64;
 static unsigned int enable_msix = 1;
 
-MODULE_DEVICE_TABLE(pci, beiscsi_pci_id_table);
 MODULE_DESCRIPTION(DRV_DESC " " BUILD_STR);
 MODULE_VERSION(BUILD_STR);
 MODULE_AUTHOR("Emulex Corporation");

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 241/294] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 168/294] i2c: ismt: Return EMSGSIZE for block reads with bogus length Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 201/294] platform/x86: samsung-laptop: Initialize loca variable Ben Hutchings
                   ` (286 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marek Vasut, Brian Norris, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 906b268477bc03daaa04f739844c120fe4dbc991 upstream.

kernelci.org reports a warning for this driver, as it copies a local
variable into a 'const char *' string:

    drivers/mtd/maps/pmcmsp-flash.c:149:30: warning: passing argument 1 of 'strncpy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

Using kstrndup() simplifies the code and avoids the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/maps/pmcmsp-flash.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/mtd/maps/pmcmsp-flash.c
+++ b/drivers/mtd/maps/pmcmsp-flash.c
@@ -139,15 +139,13 @@ static int __init init_msp_flash(void)
 		}
 
 		msp_maps[i].bankwidth = 1;
-		msp_maps[i].name = kmalloc(7, GFP_KERNEL);
+		msp_maps[i].name = kstrndup(flash_name, 7, GFP_KERNEL);
 		if (!msp_maps[i].name) {
 			iounmap(msp_maps[i].virt);
 			kfree(msp_parts[i]);
 			goto cleanup_loop;
 		}
 
-		msp_maps[i].name = strncpy(msp_maps[i].name, flash_name, 7);
-
 		for (j = 0; j < pcnt; j++) {
 			part_name[5] = '0' + i;
 			part_name[7] = '0' + j;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 015/294] net: bcmgenet: cleanup for bcmgenet_xmit_frag()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 070/294] net/mlx5: Fix command bad flow on command entry allocation failure Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 136/294] qlge: avoid memcpy buffer overflow Ben Hutchings
                   ` (93 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Fainelli, David S. Miller, Petri Gynther

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Petri Gynther <pgynther@google.com>

commit 824ba603573d910e32df75fe6a5e7d7ec2a0a6a7 upstream.

Add frag_size = skb_frag_size(frag) and use it when needed.

Signed-off-by: Petri Gynther <pgynther@google.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1086,6 +1086,7 @@ static int bcmgenet_xmit_frag(struct net
 	struct bcmgenet_priv *priv = netdev_priv(dev);
 	struct device *kdev = &priv->pdev->dev;
 	struct enet_cb *tx_cb_ptr;
+	unsigned int frag_size;
 	dma_addr_t mapping;
 	int ret;
 
@@ -1093,10 +1094,12 @@ static int bcmgenet_xmit_frag(struct net
 
 	if (unlikely(!tx_cb_ptr))
 		BUG();
+
 	tx_cb_ptr->skb = NULL;
 
-	mapping = skb_frag_dma_map(kdev, frag, 0,
-		skb_frag_size(frag), DMA_TO_DEVICE);
+	frag_size = skb_frag_size(frag);
+
+	mapping = skb_frag_dma_map(kdev, frag, 0, frag_size, DMA_TO_DEVICE);
 	ret = dma_mapping_error(kdev, mapping);
 	if (ret) {
 		netif_err(priv, tx_err, dev, "%s: Tx DMA map failed\n",
@@ -1105,10 +1108,10 @@ static int bcmgenet_xmit_frag(struct net
 	}
 
 	dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
-	dma_unmap_len_set(tx_cb_ptr, dma_len, frag->size);
+	dma_unmap_len_set(tx_cb_ptr, dma_len, frag_size);
 
 	dmadesc_set(priv, tx_cb_ptr->bd_addr, mapping,
-			(frag->size << DMA_BUFLENGTH_SHIFT) | dma_desc_flags |
+			(frag_size << DMA_BUFLENGTH_SHIFT) | dma_desc_flags |
 			(priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT));
 
 	return 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 009/294] net: bcmgenet: check harder for out of memory conditions
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 147/294] ipv6: Fix may be used uninitialized warning in rt6_check Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 211/294] cpumask_set_cpu_local_first => cpumask_local_spread, lament Ben Hutchings
                   ` (103 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit b629be5c8399d7c423b92135eb43a86c924d1cbc upstream.

There is a potential case where we might be failing to refill a
control block, leaving it with both a NULL skb pointer *and* a NULL
dma_unmap_addr.

The way we process incoming packets, by first calling
dma_unmap_single(), and then only checking for a potential NULL skb can
lead to situations where do pass a NULL dma_unmap_addr() to
dma_unmap_single(), resulting in an oops.

Fix this my moving the NULL skb check earlier, since no backing skb
also means no corresponding DMA mapping for this packet.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 33 +++++++++++++++-----------
 1 file changed, 19 insertions(+), 14 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1351,12 +1351,29 @@ static unsigned int bcmgenet_desc_rx(str
 	while ((rxpktprocessed < rxpkttoprocess) &&
 			(rxpktprocessed < budget)) {
 
+		cb = &priv->rx_cbs[priv->rx_read_ptr];
+		skb = cb->skb;
+
+		rxpktprocessed++;
+
+		priv->rx_read_ptr++;
+		priv->rx_read_ptr &= (priv->num_rx_bds - 1);
+
+		/* We do not have a backing SKB, so we do not have a
+		 * corresponding DMA mapping for this incoming packet since
+		 * bcmgenet_rx_refill always either has both skb and mapping or
+		 * none.
+		 */
+		if (unlikely(!skb)) {
+			dev->stats.rx_dropped++;
+			dev->stats.rx_errors++;
+			goto refill;
+		}
+
 		/* Unmap the packet contents such that we can use the
 		 * RSV from the 64 bytes descriptor when enabled and save
 		 * a 32-bits register read
 		 */
-		cb = &priv->rx_cbs[priv->rx_read_ptr];
-		skb = cb->skb;
 		dma_unmap_single(kdev, dma_unmap_addr(cb, dma_addr),
 				priv->rx_buf_len, DMA_FROM_DEVICE);
 
@@ -1382,18 +1399,6 @@ static unsigned int bcmgenet_desc_rx(str
 			__func__, p_index, priv->rx_c_index, priv->rx_read_ptr,
 			dma_length_status);
 
-		rxpktprocessed++;
-
-		priv->rx_read_ptr++;
-		priv->rx_read_ptr &= (priv->num_rx_bds - 1);
-
-		/* out of memory, just drop packets at the hardware level */
-		if (unlikely(!skb)) {
-			dev->stats.rx_dropped++;
-			dev->stats.rx_errors++;
-			goto refill;
-		}
-
 		if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) {
 			netif_err(priv, rx_status, dev,
 					"Droping fragmented packet!\n");

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 006/294] net: bridge: fix dest lookup when vlan proto doesn't match
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 151/294] xfrm_user: fix info leak in xfrm_notify_sa() Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 134/294] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() Ben Hutchings
                   ` (4 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nikolay Aleksandrov, David S. Miller, Toshiaki Makita,
	Anitha Narasimha Murthy

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 31a4562d7408493c6377933ff2f7d7302dbdea80 upstream.

With 802.1ad support the vlan_ingress code started checking for vlan
protocol mismatch which causes the current tag to be inserted and the
bridge vlan protocol & pvid to be set. The vlan tag insertion changes
the skb mac_header and thus the lookup mac dest pointer which was loaded
prior to calling br_allowed_ingress in br_handle_frame_finish is VLAN_HLEN
bytes off now, pointing to the last two bytes of the destination mac and
the first four of the source mac causing lookups to always fail and
broadcasting all such packets to all ports. Same thing happens for locally
originated packets when passing via br_dev_xmit. So load the dest pointer
after the vlan checks and possible skb change.

Fixes: 8580e2117c06 ("bridge: Prepare for 802.1ad vlan filtering support")
Reported-by: Anitha Narasimha Murthy <anitha@cumulusnetworks.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/br_device.c | 3 ++-
 net/bridge/br_input.c  | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -31,10 +31,10 @@ static struct lock_class_key bridge_netd
 netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 	struct net_bridge *br = netdev_priv(dev);
-	const unsigned char *dest = skb->data;
 	struct net_bridge_fdb_entry *dst;
 	struct net_bridge_mdb_entry *mdst;
 	struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats);
+	const unsigned char *dest;
 	u16 vid = 0;
 
 	rcu_read_lock();
@@ -59,6 +59,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *
 	if (!br_allowed_ingress(br, br_get_vlan_info(br), skb, &vid))
 		goto out;
 
+	dest = eth_hdr(skb)->h_dest;
 	if (is_broadcast_ether_addr(dest))
 		br_flood_deliver(br, skb, false);
 	else if (is_multicast_ether_addr(dest)) {
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -60,11 +60,11 @@ static int br_pass_frame_up(struct sk_bu
 /* note: already called with rcu_read_lock */
 int br_handle_frame_finish(struct sk_buff *skb)
 {
-	const unsigned char *dest = eth_hdr(skb)->h_dest;
 	struct net_bridge_port *p = br_port_get_rcu(skb->dev);
 	struct net_bridge *br;
 	struct net_bridge_fdb_entry *dst;
 	struct net_bridge_mdb_entry *mdst;
+	const unsigned char *dest;
 	struct sk_buff *skb2;
 	bool unicast = true;
 	u16 vid = 0;
@@ -80,6 +80,7 @@ int br_handle_frame_finish(struct sk_buf
 	if (p->flags & BR_LEARNING)
 		br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, false);
 
+	dest = eth_hdr(skb)->h_dest;
 	if (!is_broadcast_ether_addr(dest) && is_multicast_ether_addr(dest) &&
 	    br_multicast_rcv(br, p, skb, vid))
 		goto drop;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 005/294] perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (274 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 291/294] net: ti: cpmac: Fix compiler warning due to type confusion Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 189/294] KEYS: don't let add_key() update an uninstantiated key Ben Hutchings
                   ` (19 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alexander Shishkin, Kan Liang, Peter Zijlstra, Jin Yao,
	Arnaldo Carvalho de Melo, Andi Kleen, Jiri Olsa

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jin Yao <yao.jin@linux.intel.com>

commit 80f62589fa52f530cffc50e78c0b5a2ae572d61e upstream.

When the jump instruction is displayed at the row 0 in annotate view,
the arrow is broken. An example:

 16.86 │   ┌──je     82
  0.01 │      movsd  (%rsp),%xmm0
       │      movsd  0x8(%rsp),%xmm4
       │      movsd  0x8(%rsp),%xmm1
       │      movsd  (%rsp),%xmm3
       │      divsd  %xmm4,%xmm0
       │      divsd  %xmm3,%xmm1
       │      movsd  (%rsp),%xmm2
       │      addsd  %xmm1,%xmm0
       │      addsd  %xmm2,%xmm0
       │      movsd  %xmm0,(%rsp)
       │82:   sub    $0x1,%ebx
 83.03 │    ↑ jne    38
       │      add    $0x10,%rsp
       │      xor    %eax,%eax
       │      pop    %rbx
       │    ← retq

The patch increments the row number before checking with 0.

Signed-off-by: Yao Jin <yao.jin@linux.intel.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: 944e1abed9e1 ("perf ui browser: Add method to draw up/down arrow line")
Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/ui/browser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/ui/browser.c
+++ b/tools/perf/ui/browser.c
@@ -670,7 +670,7 @@ static void __ui_browser__line_arrow_dow
 		ui_browser__gotorc(browser, row, column + 1);
 		SLsmg_draw_hline(2);
 
-		if (row++ == 0)
+		if (++row == 0)
 			goto out;
 	} else
 		row = 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 003/294] iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 027/294] staging: rtl8188eu: add TL-WN722N v2 support Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 230/294] tty/isicom: fix big-endian compile warning Ben Hutchings
                   ` (228 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stefan-Gabriel Mirea, Jonathan Cameron

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan-Gabriel Mirea <stefan-gabriel.mirea@nxp.com>

commit d466d3c1217406b14b834335b5b4b33c0d45bd09 upstream.

In order to select the alternate voltage reference pair (VALTH/VALTL), the
right value for the REFSEL field in the ADCx_CFG register is "01", leading
to 0x800 as register mask. See section 8.2.6.4 in the reference manual[1].

[1] http://www.nxp.com/docs/en/reference-manual/VFXXXRM.pdf

Fixes: a775427632fd ("iio:adc:imx: add Freescale Vybrid vf610 adc driver")
Signed-off-by: Stefan-Gabriel Mirea <stefan-gabriel.mirea@nxp.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/vf610_adc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/vf610_adc.c
+++ b/drivers/iio/adc/vf610_adc.c
@@ -71,7 +71,7 @@
 #define VF610_ADC_ADSTS_MASK		0x300
 #define VF610_ADC_ADLPC_EN		0x80
 #define VF610_ADC_ADHSC_EN		0x400
-#define VF610_ADC_REFSEL_VALT		0x100
+#define VF610_ADC_REFSEL_VALT		0x800
 #define VF610_ADC_REFSEL_VBG		0x1000
 #define VF610_ADC_ADTRG_HARD		0x2000
 #define VF610_ADC_AVGS_8		0x4000

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 227/294] spi/atmel: Fix pointer to int conversion warnings on 64 bit builds
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 085/294] b44: Initialize 64-bit stats seqcount Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 225/294] clk/efm32gg: fix dt init prototype Ben Hutchings
                   ` (219 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit 67f08d690aa90e47a0e793fc63e2ecbe95d29839 upstream.

On 64 bit systems integers are generally still 32 bit but long values and
pointers are usually 64 bit. GCC warns when casting a 64 bit pointer into
a 32 bit integer so cast to a long instead in order to avoid warnings.

Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-atmel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -1020,7 +1020,7 @@ static int atmel_spi_setup(struct spi_de
 	csr |= SPI_BF(DLYBCT, 0);
 
 	/* chipselect must have been muxed as GPIO (e.g. in board setup) */
-	npcs_pin = (unsigned int)spi->controller_data;
+	npcs_pin = (unsigned long)spi->controller_data;
 
 	if (gpio_is_valid(spi->cs_gpio))
 		npcs_pin = spi->cs_gpio;
@@ -1255,7 +1255,7 @@ msg_done:
 static void atmel_spi_cleanup(struct spi_device *spi)
 {
 	struct atmel_spi_device	*asd = spi->controller_state;
-	unsigned		gpio = (unsigned) spi->controller_data;
+	unsigned		gpio = (unsigned long) spi->controller_data;
 
 	if (!asd)
 		return;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 218/294] dma: pl08x: Use correct specifier for size_t values
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (170 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 041/294] xhci: fix 20000ms port resume timeout Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros Ben Hutchings
                   ` (123 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Vinod Koul, Mark Brown

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit 6fc8ae787c589245ee3395630d2c428a1afab26c upstream.

When printing size_t values we should use the %zd or %zx format specifier
in order to ensure the value is displayed correctly and avoid warnings from
sparse.

Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/amba-pl08x.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/dma/amba-pl08x.c
+++ b/drivers/dma/amba-pl08x.c
@@ -1040,7 +1040,7 @@ static int pl08x_fill_llis_for_desc(stru
 
 		if (early_bytes) {
 			dev_vdbg(&pl08x->adev->dev,
-				"%s byte width LLIs (remain 0x%08x)\n",
+				"%s byte width LLIs (remain 0x%08zx)\n",
 				__func__, bd.remainder);
 			prep_byte_width_lli(pl08x, &bd, &cctl, early_bytes,
 				num_llis++, &total_bytes);
@@ -1662,7 +1662,7 @@ static struct dma_async_tx_descriptor *p
 	dma_addr_t slave_addr;
 
 	dev_dbg(&pl08x->adev->dev,
-		"%s prepare cyclic transaction of %d/%d bytes %s %s\n",
+		"%s prepare cyclic transaction of %zd/%zd bytes %s %s\n",
 		__func__, period_len, buf_len,
 		direction == DMA_MEM_TO_DEV ? "to" : "from",
 		plchan->name);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 220/294] ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 193/294] ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 007/294] net/packet: Fix Tx queue selection for AF_PACKET Ben Hutchings
                   ` (187 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Timur Tabi, Mark Brown

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Timur Tabi <timur@tabi.org>

commit acf2c60a60b3d6d7080854b9483f37d99ded9b23 upstream.

do_div() requires that the first parameter is a 64-bit integer,
which but clkrate was defined as an unsigned long.  This caused
the following warnings:

 CC      sound/soc/fsl/fsl_ssi.o
sound/soc/fsl/fsl_ssi.c: In function 'fsl_ssi_set_bclk':
sound/soc/fsl/fsl_ssi.c:593:3: warning: comparison of distinct pointer types lacks a cast
sound/soc/fsl/fsl_ssi.c:593:3: warning: right shift count >= width of type
sound/soc/fsl/fsl_ssi.c:593:3: warning: passing argument 1 of '__div64_32' from incompatible pointer type
include/asm-generic/div64.h:35:17: note: expected 'uint64_t *' but argument is of type 'long unsigned int *'

Signed-off-by: Timur Tabi <timur@tabi.org>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/fsl_ssi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/fsl/fsl_ssi.c
+++ b/sound/soc/fsl/fsl_ssi.c
@@ -590,8 +590,8 @@ static int fsl_ssi_set_bclk(struct snd_p
 		else
 			clkrate = clk_round_rate(ssi_private->baudclk, tmprate);
 
-		do_div(clkrate, factor);
-		afreq = (u32)clkrate / (i + 1);
+		clkrate /= factor;
+		afreq = clkrate / (i + 1);
 
 		if (freq == afreq)
 			sub = 0;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 239/294] paride: fix the "verbose" module param
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 195/294] USB: fix out-of-bounds in usb_set_configuration Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 033/294] libata: array underflow in ata_find_dev() Ben Hutchings
                   ` (136 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Arnd Bergmann, Dan Carpenter, Tim Waugh

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 946e87981942552e526aca9cb6204f02a6c847cb upstream.

The verbose module parameter can be set to 2 for extremely verbose
messages so the type should be int instead of bool.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Tim Waugh <tim@cyberelk.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/block/paride/pg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/block/paride/pg.c
+++ b/drivers/block/paride/pg.c
@@ -137,7 +137,7 @@
 
 */
 
-static bool verbose = 0;
+static int verbose;
 static int major = PG_MAJOR;
 static char *name = PG_NAME;
 static int disable = 0;
@@ -168,7 +168,7 @@ enum {D_PRT, D_PRO, D_UNI, D_MOD, D_SLV,
 
 #include <asm/uaccess.h>
 
-module_param(verbose, bool, 0644);
+module_param(verbose, int, 0644);
 module_param(major, int, 0);
 module_param(name, charp, 0);
 module_param_array(drive0, int, NULL, 0);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 219/294] gpio: drop retval check enforcing from gpiochip_remove()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 092/294] ipv6: set rt6i_protocol properly in the route when it is installed Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 059/294] KVM: PPC: Book3S HV: Enable TM before accessing TM registers Ben Hutchings
                   ` (170 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Abdoulaye Berthe, Stephen Rothwell, Linus Walleij, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 14c8a620ba436511b1347c592633befa49535176 upstream.

As we start to decomission the return value from gpiochip_remove()
the compilers emit warnings due to the function being tagged
__must_check. So drop this until we remove the return value
altogether.

Cc: Abdoulaye Berthe <berthe.ab@gmail.com>
Suggested-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/gpio/driver.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/gpio/driver.h
+++ b/include/linux/gpio/driver.h
@@ -141,7 +141,7 @@ extern const char *gpiochip_is_requested
 
 /* add/remove chips */
 extern int gpiochip_add(struct gpio_chip *chip);
-extern int __must_check gpiochip_remove(struct gpio_chip *chip);
+extern int gpiochip_remove(struct gpio_chip *chip);
 extern struct gpio_chip *gpiochip_find(void *data,
 			      int (*match)(struct gpio_chip *chip, void *data));
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 228/294] spi/pl022: Explicitly truncate large bitmask
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 204/294] modpost: expand pattern matching to support substring matches Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 253/294] drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer Ben Hutchings
                   ` (159 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Mark Brown

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit d555ea05f9d8ebf567eaa6b4e4cb5776aacf2940 upstream.

When building on 64 bit architectures the use of bitwise negation generates
constants larger than 32 bits which won't fit in u32s used to represent
32 bit register values on the device. Explicitly cast to let the compiler
know that the higher bits are not significant and can be discarded.

Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-pl022.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/spi/spi-pl022.c
+++ b/drivers/spi/spi-pl022.c
@@ -1417,7 +1417,7 @@ static void do_interrupt_dma_transfer(st
 	 * Default is to enable all interrupts except RX -
 	 * this will be enabled once TX is complete
 	 */
-	u32 irqflags = ENABLE_ALL_INTERRUPTS & ~SSP_IMSC_MASK_RXIM;
+	u32 irqflags = (u32)(ENABLE_ALL_INTERRUPTS & ~SSP_IMSC_MASK_RXIM);
 
 	/* Enable target chip, if not already active */
 	if (!pl022->next_msg_cs_active)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 203/294] Disable "frame-address" warning
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 207/294] MODULE_DEVICE_TABLE: fix some callsites Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 205/294] modpost: don't emit section mismatch warnings for compiler optimizations Ben Hutchings
                   ` (244 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Linus Torvalds, Arnd Bergmann, Steven Rostedt

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 124a3d88fa20e1869fc229d7d8c740cc81944264 upstream.

Newer versions of gcc warn about the use of __builtin_return_address()
with a non-zero argument when "-Wall" is specified:

  kernel/trace/trace_irqsoff.c: In function ‘stop_critical_timings’:
  kernel/trace/trace_irqsoff.c:433:86: warning: calling ‘__builtin_return_address’ with a nonzero argument is unsafe [-Wframe-address]
     stop_critical_timing(CALLER_ADDR0, CALLER_ADDR1);
  [ .. repeats a few times for other similar cases .. ]

It is true that a non-zero argument is somewhat dangerous, and we do not
actually have very many uses of that in the kernel - but the ftrace code
does use it, and as Stephen Rostedt says:

 "We are well aware of the danger of using __builtin_return_address() of
  > 0.  In fact that's part of the reason for having the "thunk" code in
  x86 (See arch/x86/entry/thunk_{64,32}.S).  [..] it adds extra frames
  when tracking irqs off sections, to prevent __builtin_return_address()
  from accessing bad areas.  In fact the thunk_32.S states: 'Trampoline to
  trace irqs off.  (otherwise CALLER_ADDR1 might crash)'."

For now, __builtin_return_address() with a non-zero argument is the best
we can do, and the warning is not helpful and can end up making people
miss other warnings for real problems.

So disable the frame-address warning on compilers that need it.

Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

--- a/Makefile
+++ b/Makefile
@@ -616,6 +616,7 @@ all: vmlinux
 include $(srctree)/arch/$(SRCARCH)/Makefile
 
 KBUILD_CFLAGS	+= $(call cc-option,-fno-delete-null-pointer-checks,)
+KBUILD_CFLAGS	+= $(call cc-disable-warning,frame-address,)
 
 ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
 KBUILD_CFLAGS	+= -Os $(call cc-disable-warning,maybe-uninitialized,)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 221/294] ASoC: imx-audmux: Use uintptr_t for port numbers
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (236 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 271/294] ARM: cns3xxx: shut up frame size warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 019/294] USB: serial: cp210x: add support for Qivicon USB ZigBee dongle Ben Hutchings
                   ` (57 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit e5f89768e9bc1f441d18e2299518a2907e5017c9 upstream.

Since we pass the port number through file private data for debugfs we cast
it to and from a pointer so use uintptr_t in order to ensure that the
types are compatible, avoiding warnings on 64 bit platforms where pointers
are 64 bit and unsigned integers 32 bit.

Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/imx-audmux.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/sound/soc/fsl/imx-audmux.c
+++ b/sound/soc/fsl/imx-audmux.c
@@ -67,7 +67,7 @@ static ssize_t audmux_read_file(struct f
 {
 	ssize_t ret;
 	char *buf;
-	int port = (int)file->private_data;
+	uintptr_t port = (uintptr_t)file->private_data;
 	u32 pdcr, ptcr;
 
 	if (audmux_clk) {
@@ -147,7 +147,7 @@ static const struct file_operations audm
 
 static void audmux_debugfs_init(void)
 {
-	int i;
+	uintptr_t i;
 	char buf[20];
 
 	audmux_debugfs_root = debugfs_create_dir("audmux", NULL);
@@ -157,10 +157,10 @@ static void audmux_debugfs_init(void)
 	}
 
 	for (i = 0; i < MX31_AUDMUX_PORT7_SSI_PINS_7 + 1; i++) {
-		snprintf(buf, sizeof(buf), "ssi%d", i);
+		snprintf(buf, sizeof(buf), "ssi%lu", i);
 		if (!debugfs_create_file(buf, 0444, audmux_debugfs_root,
 					 (void *)i, &audmux_debugfs_fops))
-			pr_warning("Failed to create AUDMUX port %d debugfs file\n",
+			pr_warning("Failed to create AUDMUX port %lu debugfs file\n",
 				   i);
 	}
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 208/294] Input: gscps2 - fix MODULE_DEVICE_TABLE invocation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 205/294] modpost: don't emit section mismatch warnings for compiler optimizations Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 118/294] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo Ben Hutchings
                   ` (242 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Geert Uytterhoeven, Dmitry Torokhov

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit 6c8afa88adce613c23f27e719f805cc2a6441b07 upstream.

The patch "module: fix types of device tables aliases" newly requires
that invocations of

MODULE_DEVICE_TABLE(type, name);

come *after* the definition of `name'.  That is reasonable, but gscps2
wasn't doing this.  Fix it.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/gscps2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/serio/gscps2.c
+++ b/drivers/input/serio/gscps2.c
@@ -40,7 +40,6 @@
 MODULE_AUTHOR("Laurent Canet <canetl@esiee.fr>, Thibaut Varene <varenet@parisc-linux.org>, Helge Deller <deller@gmx.de>");
 MODULE_DESCRIPTION("HP GSC PS2 port driver");
 MODULE_LICENSE("GPL");
-MODULE_DEVICE_TABLE(parisc, gscps2_device_tbl);
 
 #define PFX "gscps2.c: "
 
@@ -439,6 +438,7 @@ static struct parisc_device_id gscps2_de
 #endif
 	{ 0, }	/* 0 terminated list */
 };
+MODULE_DEVICE_TABLE(parisc, gscps2_device_tbl);
 
 static struct parisc_driver parisc_ps2_driver = {
 	.name		= "gsc_ps2",

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 217/294] Input: joystick - use get_cycles on ARMv8
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 089/294] ALSA: hda - Fix speaker output from VAIO VPCL14M1R Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 174/294] sch_hhf: fix null pointer dereference on init failure Ben Hutchings
                   ` (143 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Dmitry Torokhov, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit a6b48699ae50ccce700506ced863ba1f5ce2af11 upstream.

As with ARM the ARMv8 architecture provides a cycle counter which can be
used to provide a high resolution time for the joystick driver and
silence the build warning that results from not having a precise timer
on ARMv8, making allmodconfig and allyesconfig quieter.

Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/joystick/analog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/joystick/analog.c
+++ b/drivers/input/joystick/analog.c
@@ -158,7 +158,7 @@ static unsigned int get_time_pit(void)
 #define GET_TIME(x)	rdtscl(x)
 #define DELTA(x,y)	((y)-(x))
 #define TIME_NAME	"TSC"
-#elif defined(__alpha__) || defined(CONFIG_MN10300) || defined(CONFIG_ARM) || defined(CONFIG_TILE)
+#elif defined(__alpha__) || defined(CONFIG_MN10300) || defined(CONFIG_ARM) || defined(CONFIG_ARM64) || defined(CONFIG_TILE)
 #define GET_TIME(x)	do { x = get_cycles(); } while (0)
 #define DELTA(x,y)	((y)-(x))
 #define TIME_NAME	"get_cycles"

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 212/294] gfs2: remove IS_ERR_VALUE abuse
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 258/294] netfilter; Add some missing default cases to switch statements in nft_reject Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 187/294] mac80211: accept key reinstall without changing anything Ben Hutchings
                   ` (108 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

Picked from commit 287980e49ffc0f6d911601e7e352a812ed27768e ("remove lots
of IS_ERR_VALUE abuses") upstream.

The original fix that was backported to 3.18 already addressed the warning
in some configurations, but not in others, leaving us with the same output:

../fs/gfs2/dir.c: In function 'get_first_leaf':
../fs/gfs2/dir.c:768:9: warning: 'leaf_no' may be used uninitialized in this function [-Wmaybe-uninitialized]
   error = get_leaf(dip, leaf_no, bh_out);
         ^
../fs/gfs2/dir.c: In function 'dir_split_leaf.isra.20':
../fs/gfs2/dir.c:987:8: warning: 'leaf_no' may be used uninitialized in this function [-Wmaybe-uninitialized]

This takes the approach that we took in later versions in mainline,
but does not backport the entire patch, as that would be too large
for stable and IIRC caused regressions in other drivers.

Fixes: 9d46d31e9aea ("gfs2: avoid uninitialized variable warning")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/gfs2/dir.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/fs/gfs2/dir.c
+++ b/fs/gfs2/dir.c
@@ -749,12 +749,15 @@ static int get_leaf_nr(struct gfs2_inode
 		       u64 *leaf_out)
 {
 	__be64 *hash;
+	int error;
 
 	hash = gfs2_dir_get_hash_table(dip);
-	if (IS_ERR(hash))
-		return PTR_ERR(hash);
-	*leaf_out = be64_to_cpu(*(hash + index));
-	return 0;
+	error = PTR_ERR_OR_ZERO(hash);
+
+	if (!error)
+		*leaf_out = be64_to_cpu(*(hash + index));
+
+	return error;
 }
 
 static int get_first_leaf(struct gfs2_inode *dip, u32 index,

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 008/294] staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 026/294] drm/vmwgfx: Fix gcc-7.1.1 warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 154/294] dm: fix printk() rate limiting code Ben Hutchings
                   ` (162 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Jonathan Cameron

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 105967ad68d2eb1a041bc041f9cf96af2a653b65 upstream.

gcc-7 points out an older regression:

drivers/staging/iio/resolver/ad2s1210.c: In function 'ad2s1210_read_raw':
drivers/staging/iio/resolver/ad2s1210.c:515:42: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]

The original code had 'unsigned short' here, but incorrectly got
converted to 'bool'. This reverts the regression and uses a normal
type instead.

Fixes: 29148543c521 ("staging:iio:resolver:ad2s1210 minimal chan spec conversion.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/resolver/ad2s1210.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/resolver/ad2s1210.c
+++ b/drivers/staging/iio/resolver/ad2s1210.c
@@ -462,7 +462,7 @@ static int ad2s1210_read_raw(struct iio_
 			     long m)
 {
 	struct ad2s1210_state *st = iio_priv(indio_dev);
-	bool negative;
+	u16 negative;
 	int ret = 0;
 	u16 pos;
 	s16 vel;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 215/294] power/reset: xgene-reset: Fix prototype of xgene_restart()
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 224/294] ata: hpt366: fix constant cast warning Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 062/294] workqueue: implicit ordered attribute should be overridable Ben Hutchings
                   ` (255 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Sebastian Reichel, Mark Brown

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit d3ed534cca703b2aaeee9277a5b8063ae6eab1d1 upstream.

The xgene-reset driver uses xgene_restart() as arm_pm_restart() but that
function should take an enum reset_type as the first argument rather than
a char. Fix this; the paramter is not referenced in the implementation.

Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/power/reset/xgene-reboot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/reset/xgene-reboot.c
+++ b/drivers/power/reset/xgene-reboot.c
@@ -40,7 +40,7 @@ struct xgene_reboot_context {
 
 static struct xgene_reboot_context *xgene_restart_ctx;
 
-static void xgene_restart(char str, const char *cmd)
+static void xgene_restart(enum reboot_mode mode, const char *cmd)
 {
 	struct xgene_reboot_context *ctx = xgene_restart_ctx;
 	unsigned long timeout;

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 001/294] fuse: initialize the flock flag in fuse_file on allocation
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 020/294] USB: cdc-acm: add device-id for quirky printer Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 105/294] crypto: x86/sha1 - Fix reads beyond the number of blocks passed Ben Hutchings
                   ` (191 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mateusz Jurczyk, Miklos Szeredi

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mateusz Jurczyk <mjurczyk@google.com>

commit 68227c03cba84a24faf8a7277d2b1a03c8959c2c upstream.

Before the patch, the flock flag could remain uninitialized for the
lifespan of the fuse_file allocation. Unless set to true in
fuse_file_flock(), it would remain in an indeterminate state until read in
an if statement in fuse_release_common(). This could consequently lead to
taking an unexpected branch in the code.

The bug was discovered by a runtime instrumentation designed to detect use
of uninitialized memory in the kernel.

Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Fixes: 37fb3a30b462 ("fuse: fix flock")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -54,7 +54,7 @@ struct fuse_file *fuse_file_alloc(struct
 {
 	struct fuse_file *ff;
 
-	ff = kmalloc(sizeof(struct fuse_file), GFP_KERNEL);
+	ff = kzalloc(sizeof(struct fuse_file), GFP_KERNEL);
 	if (unlikely(!ff))
 		return NULL;
 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 216/294] mfd: arizona: Rid data size incompatibility warn when building for 64bit
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (278 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 202/294] mm/init: fix zone boundary creation Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 158/294] l2tp: hold tunnel while processing genl delete command Ben Hutchings
                   ` (15 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lee Jones, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee.jones@linaro.org>

commit 942786e6e647cef94cf96dcd836d343be55fc452 upstream.

Extinguishes:

../drivers/mfd/arizona-core.c: In function ‘arizona_of_get_type’:
../drivers/mfd/arizona-core.c:505:10:
	warning: cast from pointer to integer of different size

Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/arizona-core.c | 4 ++--
 drivers/mfd/arizona-i2c.c  | 5 +++--
 drivers/mfd/arizona-spi.c  | 3 ++-
 drivers/mfd/arizona.h      | 4 ++--
 4 files changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/mfd/arizona-core.c
+++ b/drivers/mfd/arizona-core.c
@@ -497,12 +497,12 @@ const struct dev_pm_ops arizona_pm_ops =
 EXPORT_SYMBOL_GPL(arizona_pm_ops);
 
 #ifdef CONFIG_OF
-int arizona_of_get_type(struct device *dev)
+unsigned long arizona_of_get_type(struct device *dev)
 {
 	const struct of_device_id *id = of_match_device(arizona_of_match, dev);
 
 	if (id)
-		return (int)id->data;
+		return (unsigned long)id->data;
 	else
 		return 0;
 }
--- a/drivers/mfd/arizona-i2c.c
+++ b/drivers/mfd/arizona-i2c.c
@@ -24,11 +24,12 @@
 #include "arizona.h"
 
 static int arizona_i2c_probe(struct i2c_client *i2c,
-					  const struct i2c_device_id *id)
+			     const struct i2c_device_id *id)
 {
 	struct arizona *arizona;
 	const struct regmap_config *regmap_config;
-	int ret, type;
+	unsigned long type;
+	int ret;
 
 	if (i2c->dev.of_node)
 		type = arizona_of_get_type(&i2c->dev);
--- a/drivers/mfd/arizona-spi.c
+++ b/drivers/mfd/arizona-spi.c
@@ -28,7 +28,8 @@ static int arizona_spi_probe(struct spi_
 	const struct spi_device_id *id = spi_get_device_id(spi);
 	struct arizona *arizona;
 	const struct regmap_config *regmap_config;
-	int ret, type;
+	unsigned long type;
+	int ret;
 
 	if (spi->dev.of_node)
 		type = arizona_of_get_type(&spi->dev);
--- a/drivers/mfd/arizona.h
+++ b/drivers/mfd/arizona.h
@@ -46,9 +46,9 @@ int arizona_irq_init(struct arizona *ari
 int arizona_irq_exit(struct arizona *arizona);
 
 #ifdef CONFIG_OF
-int arizona_of_get_type(struct device *dev);
+unsigned long arizona_of_get_type(struct device *dev);
 #else
-static inline int arizona_of_get_type(struct device *dev)
+static inline unsigned long arizona_of_get_type(struct device *dev)
 {
 	return 0;
 }

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 213/294] iio: adc: fix building on 64-bit
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 110/294] mm: migrate: prevent racy access to tlb_flush_pending Ben Hutchings
@ 2017-11-06 23:03 ` Ben Hutchings
  2017-11-06 23:03 ` [PATCH 3.16 283/294] MIPS: TXx9: Delete an unused variable in tx4927_pcibios_setup Ben Hutchings
                   ` (280 subsequent siblings)
  295 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

On the 3.16 kernel, we get a harmless warning:

drivers/iio/adc/exynos_adc.c: In function 'exynos_adc_get_version':
drivers/iio/adc/exynos_adc.c:112:9: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]

Upstream commit e49d99e0ecc8 ("iio: adc: exynos_adc: Add exynos_adc_data
structure to improve readability") in 3.17 removed the function, so
we can't backport a fix from upstream, but changing the cast to
use uintptr_t is the obvious fix.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/exynos_adc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/exynos_adc.c
+++ b/drivers/iio/adc/exynos_adc.c
@@ -109,7 +109,7 @@ static inline unsigned int exynos_adc_ge
 	const struct of_device_id *match;
 
 	match = of_match_node(exynos_adc_match, pdev->dev.of_node);
-	return (unsigned int)match->data;
+	return (uintptr_t)match->data;
 }
 
 static void exynos_adc_hw_init(struct exynos_adc *info)

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 023/294] of: device: Export of_device_{get_modalias, uvent_modalias} to modules
@ 2017-11-06 23:03   ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, devicetree, Peter Chen, Rob Herring, Stephen Boyd

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Boyd <stephen.boyd@linaro.org>

commit 7a3b7cd332db08546f3cdd984f11773e0d1999e7 upstream.

The ULPI bus can be built as a module, and it will soon be
calling these functions when it supports probing devices from DT.
Export them so they can be used by the ULPI module.

Acked-by: Rob Herring <robh@kernel.org>
Cc: <devicetree@vger.kernel.org>
Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/device.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/of/device.c
+++ b/drivers/of/device.c
@@ -128,6 +128,7 @@ ssize_t of_device_get_modalias(struct de
 
 	return tsize;
 }
+EXPORT_SYMBOL_GPL(of_device_get_modalias);
 
 /**
  * of_device_uevent - Display OF related uevent information
@@ -190,3 +191,4 @@ int of_device_uevent_modalias(struct dev
 
 	return 0;
 }
+EXPORT_SYMBOL_GPL(of_device_uevent_modalias);

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 165/294] x86/ldt: Fix off by one in get_segment_base()
@ 2017-11-06 23:03   ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kernel-janitors, Arnaldo Carvalho de Melo, Ingo Molnar,
	Andy Lutomirski, Alexander Shishkin, Peter Zijlstra,
	Dan Carpenter, Thomas Gleixner, Linus Torvalds

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit eaa2f87c6b840b83827c40db6eb8481689570259 upstream.

ldt->entries[] is allocated in alloc_ldt_struct().  It has
ldt->nr_entries elements and ldt->nr_entries is capped at LDT_ENTRIES.
So if "idx" is = ldt->nr_entries then we're reading beyond the end of
the buffer.  It seems duplicative to have two limit checks when one
would work just as well so I removed the check against LDT_ENTRIES.

The gdt_page.gdt[] array has GDT_ENTRIES entries.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-janitors@vger.kernel.org
Fixes: d07bdfd322d3 ("perf/x86: Fix USER/KERNEL tagging of samples properly")
Link: http://lkml.kernel.org/r/20170818102516.gqwm4xdvvuvjw5ho@mwanda
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/perf_event.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -2009,17 +2009,14 @@ static unsigned long get_segment_base(un
 	if ((segment & SEGMENT_TI_MASK) = SEGMENT_LDT) {
 		struct ldt_struct *ldt;
 
-		if (idx > LDT_ENTRIES)
-			return 0;
-
 		/* IRQs are off, so this synchronizes with smp_store_release */
 		ldt = lockless_dereference(current->active_mm->context.ldt);
-		if (!ldt || idx > ldt->size)
+		if (!ldt || idx >= ldt->size)
 			return 0;
 
 		desc = &ldt->entries[idx];
 	} else {
-		if (idx > GDT_ENTRIES)
+		if (idx >= GDT_ENTRIES)
 			return 0;
 
 		desc = __this_cpu_ptr(&gdt_page.gdt[0]) + idx;


^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 265/294] Staging: lustre: missing curly braces in ll_setattr_raw()
@ 2017-11-06 23:03   ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Carpenter, Greg Kroah-Hartman, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 53bd4a004ee5ff0f71a858de78faac98924b4a87 upstream.

>>From the indenting, it looks like curly braces were intended here.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/lustre/lustre/llite/llite_lib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/lustre/lustre/llite/llite_lib.c
+++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
@@ -1489,7 +1489,7 @@ int ll_setattr_raw(struct dentry *dentry
 
 	if (attr->ia_valid & (ATTR_SIZE |
 			      ATTR_ATIME | ATTR_ATIME_SET |
-			      ATTR_MTIME | ATTR_MTIME_SET))
+			      ATTR_MTIME | ATTR_MTIME_SET)) {
 		/* For truncate and utimes sending attributes to OSTs, setting
 		 * mtime/atime to the past will be performed under PW [0:EOF]
 		 * extent lock (new_size:EOF for truncate).  It may seem
@@ -1501,6 +1501,7 @@ int ll_setattr_raw(struct dentry *dentry
 		rc = ll_setattr_ost(inode, attr);
 		if (attr->ia_valid & ATTR_SIZE)
 			up_write(&lli->lli_trunc_sem);
+	}
 out:
 	if (op_data) {
 		if (op_data->op_ioepoch) {

^ permalink raw reply	[flat|nested] 330+ messages in thread

* [PATCH 3.16 294/294] net/xen-netback: disable on 64KB page granularity
@ 2017-11-06 23:03   ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-06 23:03 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann

3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

Building the linux-3.16 stable branch, I ran into this warning that
shows a serious problem in the xen-netback driver:

drivers/net/xen-netback/netback.c: In function 'xenvif_dealloc_kthread':
drivers/net/xen-netback/netback.c:2002:1: error: the frame size of 16384 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]

The bug was fixed in linux-4.4, but for any older stable kernel we
either need to backport that fix, or not use the driver when the page
size is set to 64KB. As the proper fix is way bigger than the usual limit
for stable backport patches, this adds a Kconfig dependency.

Fixes: d0089e8a0e4c ("net/xen-netback: Make it running on 64KB page granularity")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/Kconfig | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -331,6 +331,9 @@ config XEN_NETDEV_FRONTEND
 config XEN_NETDEV_BACKEND
 	tristate "Xen backend network device"
 	depends on XEN_BACKEND
+	depends on !(PAGE_SIZE_64KB || ARM64_64K_PAGES || \
+		     IA64_PAGE_SIZE_64KB || MICROBLAZE_64K_PAGES || \
+		     PARISC_PAGE_SIZE_64KB || PPC_64K_PAGES)
 	help
 	  This driver allows the kernel to act as a Xen network driver
 	  domain which exports paravirtual network devices to other

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
  2017-11-06 23:03 ` [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies Ben Hutchings
@ 2017-11-07  1:16     ` Linus Lüssing
  0 siblings, 0 replies; 330+ messages in thread
From: Linus Lüssing @ 2017-11-07  1:16 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, b.a.t.m.a.n, akpm, Antonio Quartulli,
	Simon Wunderlich

Hi Ben!

On Mon, Nov 06, 2017 at 11:03:02PM +0000, Ben Hutchings wrote:
> 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Linus Lüssing <linus.luessing@c0d3.blue>
> 
> commit 54e22f265e872ae140755b3318521d400a094605 upstream.
[...]
> [bwh: Backported to 3.16:
>  - Drop changes to batadv_tt_global_dump_subentry()

May I ask, were there specific concerns for stable 3.16 kernel
releases with this change?

It's not bothering me, but I'm currently wondering whether
this could cause some confusion to users.

Regards, Linus

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [B.A.T.M.A.N.] [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
@ 2017-11-07  1:16     ` Linus Lüssing
  0 siblings, 0 replies; 330+ messages in thread
From: Linus Lüssing @ 2017-11-07  1:16 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, b.a.t.m.a.n, akpm, Antonio Quartulli,
	Simon Wunderlich

Hi Ben!

On Mon, Nov 06, 2017 at 11:03:02PM +0000, Ben Hutchings wrote:
> 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Linus Lüssing <linus.luessing@c0d3.blue>
> 
> commit 54e22f265e872ae140755b3318521d400a094605 upstream.
[...]
> [bwh: Backported to 3.16:
>  - Drop changes to batadv_tt_global_dump_subentry()

May I ask, were there specific concerns for stable 3.16 kernel
releases with this change?

It's not bothering me, but I'm currently wondering whether
this could cause some confusion to users.

Regards, Linus

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros
  2017-11-06 23:03 ` [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros Ben Hutchings
@ 2017-11-07  3:19   ` Joe Perches
  2017-11-07  3:40     ` Mike Snitzer
  0 siblings, 1 reply; 330+ messages in thread
From: Joe Perches @ 2017-11-07  3:19 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: akpm, Mike Snitzer

On Mon, 2017-11-06 at 23:03 +0000, Ben Hutchings wrote:
> 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

Why include this?  It's a simplification, not a bug fix.

> ------------------
> 
> From: Joe Perches <joe@perches.com>
> 
> commit d2c3c8dcb5987b8352e82089c79a41b6e17e28d2 upstream.
> 
> Using pr_<level> is the more common logging style.
> 
> Standardize style and use new macro DM_FMT.
> Use no_printk in DMDEBUG macros when CONFIG_DM_DEBUG is not #defined.

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros
  2017-11-07  3:19   ` Joe Perches
@ 2017-11-07  3:40     ` Mike Snitzer
  2017-11-07 13:43       ` Ben Hutchings
  0 siblings, 1 reply; 330+ messages in thread
From: Mike Snitzer @ 2017-11-07  3:40 UTC (permalink / raw)
  To: Joe Perches; +Cc: Ben Hutchings, linux-kernel, stable, akpm

On Mon, Nov 06 2017 at 10:19pm -0500,
Joe Perches <joe@perches.com> wrote:

> On Mon, 2017-11-06 at 23:03 +0000, Ben Hutchings wrote:
> > 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
> 
> Why include this?  It's a simplification, not a bug fix.

Logical reason is it serves as a prereq for applying commit 604407890ecf
("dm: fix printk() rate limiting code").  Which is 154/294 in this
series.

Mike

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task
  2017-11-06 23:03 ` [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task Ben Hutchings
@ 2017-11-07 10:37   ` Paolo Bonzini
  2017-11-07 13:50     ` Ben Hutchings
  2017-11-21 20:10     ` Ben Hutchings
  0 siblings, 2 replies; 330+ messages in thread
From: Paolo Bonzini @ 2017-11-07 10:37 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable
  Cc: akpm, Radim Krčmář, Paul E. McKenney, Wanpeng Li

On 07/11/2017 00:03, Ben Hutchings wrote:
> 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Wanpeng Li <wanpeng.li@hotmail.com>
> 
> commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream.
> 
>  WARNING: CPU: 5 PID: 1242 at kernel/rcu/tree_plugin.h:323 rcu_note_context_switch+0x207/0x6b0
>  CPU: 5 PID: 1242 Comm: unity-settings- Not tainted 4.13.0-rc2+ #1
>  RIP: 0010:rcu_note_context_switch+0x207/0x6b0
>  Call Trace:
>   __schedule+0xda/0xba0
>   ? kvm_async_pf_task_wait+0x1b2/0x270
>   schedule+0x40/0x90
>   kvm_async_pf_task_wait+0x1cc/0x270
>   ? prepare_to_swait+0x22/0x70
>   do_async_page_fault+0x77/0xb0
>   ? do_async_page_fault+0x77/0xb0
>   async_page_fault+0x28/0x30
>  RIP: 0010:__d_lookup_rcu+0x90/0x1e0
> 
> I encounter this when trying to stress the async page fault in L1 guest w/
> L2 guests running.
> 
> Commit 9b132fbe5419 (Add rcu user eqs exception hooks for async page
> fault) adds rcu_irq_enter/exit() to kvm_async_pf_task_wait() to exit cpu
> idle eqs when needed, to protect the code that needs use rcu.  However,
> we need to call the pair even if the function calls schedule(), as seen
> from the above backtrace.
> 
> This patch fixes it by informing the RCU subsystem exit/enter the irq
> towards/away from idle for both n.halted and !n.halted.
> 
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  arch/x86/kernel/kvm.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> --- a/arch/x86/kernel/kvm.c
> +++ b/arch/x86/kernel/kvm.c
> @@ -150,6 +150,8 @@ void kvm_async_pf_task_wait(u32 token)
>  		if (hlist_unhashed(&n.link))
>  			break;
>  
> +		rcu_irq_exit();
> +
>  		if (!n.halted) {
>  			local_irq_enable();
>  			schedule();
> @@ -158,11 +160,11 @@ void kvm_async_pf_task_wait(u32 token)
>  			/*
>  			 * We cannot reschedule. So halt.
>  			 */
> -			rcu_irq_exit();
>  			native_safe_halt();
>  			local_irq_disable();
> -			rcu_irq_enter();
>  		}
> +
> +		rcu_irq_enter();
>  	}
>  	if (!n.halted)
>  		finish_wait(&n.wq, &wait);
> 

Looks good, please backport

b862789aa5186d5ea3a024b7cfe0f80c3a38b980 and
a2b7861bb33b2538420bb5d8554153484d3f961f

as well.

Thanks,

Paolo

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
  2017-11-07  1:16     ` [B.A.T.M.A.N.] " Linus Lüssing
@ 2017-11-07 13:42       ` Ben Hutchings
  -1 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-07 13:42 UTC (permalink / raw)
  To: Linus Lüssing
  Cc: linux-kernel, stable, b.a.t.m.a.n, akpm, Antonio Quartulli,
	Simon Wunderlich

[-- Attachment #1: Type: text/plain, Size: 875 bytes --]

On Tue, 2017-11-07 at 02:16 +0100, Linus Lüssing wrote:
> Hi Ben!
> 
> On Mon, Nov 06, 2017 at 11:03:02PM +0000, Ben Hutchings wrote:
> > 3.16.50-rc1 review patch.  If anyone has any objections, please let
> > me know.
> > 
> > ------------------
> > 
> > From: Linus Lüssing <linus.luessing@c0d3.blue>
> > 
> > commit 54e22f265e872ae140755b3318521d400a094605 upstream.
> 
> [...]
> > [bwh: Backported to 3.16:
> >  - Drop changes to batadv_tt_global_dump_subentry()
> 
> May I ask, were there specific concerns for stable 3.16 kernel
> releases with this change?
>
> It's not bothering me, but I'm currently wondering whether
> this could cause some confusion to users.

That function didn't exist in 3.16 (at least not under that name).

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [B.A.T.M.A.N.] [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
@ 2017-11-07 13:42       ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-07 13:42 UTC (permalink / raw)
  To: Linus Lüssing
  Cc: linux-kernel, stable, b.a.t.m.a.n, akpm, Antonio Quartulli,
	Simon Wunderlich

[-- Attachment #1: Type: text/plain, Size: 875 bytes --]

On Tue, 2017-11-07 at 02:16 +0100, Linus Lüssing wrote:
> Hi Ben!
> 
> On Mon, Nov 06, 2017 at 11:03:02PM +0000, Ben Hutchings wrote:
> > 3.16.50-rc1 review patch.  If anyone has any objections, please let
> > me know.
> > 
> > ------------------
> > 
> > From: Linus Lüssing <linus.luessing@c0d3.blue>
> > 
> > commit 54e22f265e872ae140755b3318521d400a094605 upstream.
> 
> [...]
> > [bwh: Backported to 3.16:
> >  - Drop changes to batadv_tt_global_dump_subentry()
> 
> May I ask, were there specific concerns for stable 3.16 kernel
> releases with this change?
>
> It's not bothering me, but I'm currently wondering whether
> this could cause some confusion to users.

That function didn't exist in 3.16 (at least not under that name).

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros
  2017-11-07  3:40     ` Mike Snitzer
@ 2017-11-07 13:43       ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-07 13:43 UTC (permalink / raw)
  To: Mike Snitzer, Joe Perches; +Cc: linux-kernel, stable, akpm

[-- Attachment #1: Type: text/plain, Size: 637 bytes --]

On Mon, 2017-11-06 at 22:40 -0500, Mike Snitzer wrote:
> On Mon, Nov 06 2017 at 10:19pm -0500,
> Joe Perches <joe@perches.com> wrote:
> 
> > On Mon, 2017-11-06 at 23:03 +0000, Ben Hutchings wrote:
> > > 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > Why include this?  It's a simplification, not a bug fix.
> 
> Logical reason is it serves as a prereq for applying commit 604407890ecf
> ("dm: fix printk() rate limiting code").  Which is 154/294 in this
> series.

Exactly.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task
  2017-11-07 10:37   ` Paolo Bonzini
@ 2017-11-07 13:50     ` Ben Hutchings
  2017-11-07 13:54       ` Paolo Bonzini
  2017-11-21 20:10     ` Ben Hutchings
  1 sibling, 1 reply; 330+ messages in thread
From: Ben Hutchings @ 2017-11-07 13:50 UTC (permalink / raw)
  To: Paolo Bonzini, linux-kernel, stable
  Cc: akpm, Radim Krčmář, Paul E. McKenney, Wanpeng Li

[-- Attachment #1: Type: text/plain, Size: 773 bytes --]

On Tue, 2017-11-07 at 11:37 +0100, Paolo Bonzini wrote:
> On 07/11/2017 00:03, Ben Hutchings wrote:
> > 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Wanpeng Li <wanpeng.li@hotmail.com>
> > 
> > commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream.
[...]
> Looks good, please backport
> 
> b862789aa5186d5ea3a024b7cfe0f80c3a38b980 and
> a2b7861bb33b2538420bb5d8554153484d3f961f
> 
> as well.

Do they fix regressions related to this commit?  If so, I'll add them
to this update.  Otherwise I'll get to them later - I have not yet scanned through changes after 4.13.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task
  2017-11-07 13:50     ` Ben Hutchings
@ 2017-11-07 13:54       ` Paolo Bonzini
  2017-11-07 14:03         ` Ben Hutchings
  0 siblings, 1 reply; 330+ messages in thread
From: Paolo Bonzini @ 2017-11-07 13:54 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable
  Cc: akpm, Radim Krčmář, Paul E. McKenney, Wanpeng Li


[-- Attachment #1.1: Type: text/plain, Size: 789 bytes --]

On 07/11/2017 14:50, Ben Hutchings wrote:
> On Tue, 2017-11-07 at 11:37 +0100, Paolo Bonzini wrote:
>> On 07/11/2017 00:03, Ben Hutchings wrote:
>>> 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Wanpeng Li <wanpeng.li@hotmail.com>
>>>
>>> commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream.
> [...]
>> Looks good, please backport
>>
>> b862789aa5186d5ea3a024b7cfe0f80c3a38b980 and
>> a2b7861bb33b2538420bb5d8554153484d3f961f
>>
>> as well.
> 
> Do they fix regressions related to this commit?  If so, I'll add them
> to this update.  Otherwise I'll get to them later - I have not yet scanned through changes after 4.13.

No, they fix other instances of the same bug.

Thanks,

Paolo


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task
  2017-11-07 13:54       ` Paolo Bonzini
@ 2017-11-07 14:03         ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-07 14:03 UTC (permalink / raw)
  To: Paolo Bonzini, linux-kernel, stable
  Cc: akpm, Radim Krčmář, Paul E. McKenney, Wanpeng Li

[-- Attachment #1: Type: text/plain, Size: 1085 bytes --]

On Tue, 2017-11-07 at 14:54 +0100, Paolo Bonzini wrote:
> On 07/11/2017 14:50, Ben Hutchings wrote:
> > On Tue, 2017-11-07 at 11:37 +0100, Paolo Bonzini wrote:
> > > On 07/11/2017 00:03, Ben Hutchings wrote:
> > > > 3.16.50-rc1 review patch.  If anyone has any objections, please
> > > > let me know.
> > > > 
> > > > ------------------
> > > > 
> > > > From: Wanpeng Li <wanpeng.li@hotmail.com>
> > > > 
> > > > commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream.
> > 
> > [...]
> > > Looks good, please backport
> > > 
> > > b862789aa5186d5ea3a024b7cfe0f80c3a38b980 and
> > > a2b7861bb33b2538420bb5d8554153484d3f961f
> > > 
> > > as well.
> > 
> > Do they fix regressions related to this commit?  If so, I'll add
> > them
> > to this update.  Otherwise I'll get to them later - I have not yet
> > scanned through changes after 4.13.
> 
> No, they fix other instances of the same bug.

Then I'll probably  get to them in 3.16.52.  Thanks.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2017-11-06 23:03 ` [PATCH 3.16 278/294] MIPS: DEC: Avoid la pseudo-instruction in delay slots Ben Hutchings
@ 2017-11-07 14:17 ` Guenter Roeck
  2017-11-08 15:18   ` Ben Hutchings
  2017-11-09 11:55 ` Arnd Bergmann
  295 siblings, 1 reply; 330+ messages in thread
From: Guenter Roeck @ 2017-11-07 14:17 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm

On 11/06/2017 03:02 PM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.50 release.
> There are 294 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Nov 08 18:00:00 UTC 2017.
> Anything received after that time might be too late.
> 


Build results:
	total: 136 pass: 136 fail: 0
Qemu test results:
	total: 108 pass: 108 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads
  2017-11-06 23:03 ` [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads Ben Hutchings
@ 2017-11-07 16:24   ` Stephen Douthit
  2017-11-11 13:32     ` Ben Hutchings
  0 siblings, 1 reply; 330+ messages in thread
From: Stephen Douthit @ 2017-11-07 16:24 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable
  Cc: akpm, Dan Priamo, Neil Horman, Wolfram Sang, Pontus Andersson

On 11/06/2017 06:03 PM, Ben Hutchings wrote:
> 3.16.50-rc1 review patch.  If anyone has any objections, please let me know.

Pontus found that this patch trades one bug for another (fixes SMBus
reads, breaks I2C reads) and provided a fix.

You'll also want c6ebcedbab7ca78984959386012a17b21183e1a3 from upstream.

-Steve

> ------------------
> 
> From: Stephen Douthit <stephend@adiengineering.com>
> 
> commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.
> 
> According to Table 15-14 of the C2000 EDS (Intel doc #510524) the
> rx data pointed to by the descriptor dptr contains the byte count.
> 
> desc->rxbytes reports all bytes read on the wire, including the
> "byte count" byte.  So if a device sends 4 bytes in response to a
> block read, on the wire and in the DMA buffer we see:
> 
> count data1 data2 data3 data4
>   0x04  0xde  0xad  0xbe  0xef
> 
> That's what we want to return in data->block to the next level.
> 
> Instead we were actually prefixing that with desc->rxbytes:
> 
> bad
> count count data1 data2 data3 data4
>   0x05  0x04  0xde  0xad  0xbe  0xef
> 
> This was discovered while developing a BMC solution relying on the
> ipmi_ssif.c driver which was trying to interpret the bogus length
> field as part of the IPMI response.
> 
> Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
> Tested-by: Dan Priamo <danp@adiengineering.com>
> Acked-by: Neil Horman <nhorman@tuxdriver.com>
> Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>   drivers/i2c/busses/i2c-ismt.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> --- a/drivers/i2c/busses/i2c-ismt.c
> +++ b/drivers/i2c/busses/i2c-ismt.c
> @@ -344,8 +344,8 @@ static int ismt_process_desc(const struc
>   			break;
>   		case I2C_SMBUS_BLOCK_DATA:
>   		case I2C_SMBUS_I2C_BLOCK_DATA:
> -			memcpy(&data->block[1], dma_buffer, desc->rxbytes);
> -			data->block[0] = desc->rxbytes;
> +			memcpy(data->block, dma_buffer, desc->rxbytes);
> +			data->block[0] = desc->rxbytes - 1;
>   			break;
>   		}
>   		return 0;
> 

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-07 14:17 ` [PATCH 3.16 000/294] 3.16.50-rc1 review Guenter Roeck
@ 2017-11-08 15:18   ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-08 15:18 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm

[-- Attachment #1: Type: text/plain, Size: 804 bytes --]

On Tue, 2017-11-07 at 06:17 -0800, Guenter Roeck wrote:
> On 11/06/2017 03:02 PM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.50 release.
> > There are 294 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Nov 08 18:00:00 UTC 2017.
> > Anything received after that time might be too late.
> > 
> 
> 
> Build results:
> 	total: 136 pass: 136 fail: 0
> Qemu test results:
> 	total: 108 pass: 108 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for checking these.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
                   ` (294 preceding siblings ...)
  2017-11-07 14:17 ` [PATCH 3.16 000/294] 3.16.50-rc1 review Guenter Roeck
@ 2017-11-09 11:55 ` Arnd Bergmann
  2017-11-09 12:08   ` Greg KH
  295 siblings, 1 reply; 330+ messages in thread
From: Arnd Bergmann @ 2017-11-09 11:55 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Linux Kernel Mailing List, # 3.4.x, Linus Torvalds,
	Guenter Roeck, Andrew Morton, kernelci.org bot

On Tue, Nov 7, 2017 at 12:02 AM, Ben Hutchings <ben@decadent.org.uk> wrote:
> This is the start of the stable review cycle for the 3.16.50 release.
> There are 294 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri Nov 08 18:00:00 UTC 2017.
> Anything received after that time might be too late.
>
> A combined patch relative to 3.16.49 will be posted as an additional
> response to this.  A shortlog and diffstat can be found below.

I haven'tr tried building the proposed patches so far, as I was waiting for
the kernelci builds.

However, I see that the stable-rc/linux-3.16.y doesn't have the current
set, it still points to the old 3.16.35 release from last year.

I think if you upload the branch to the stable-rc git, that should produce
the automated build and boot results via email or via the
https://kernelci.org/job/ interface. Once there are some results
there, I'll go through the list once more to see what warnings
and failures remain.

I'm not in a hurry to fix the old warnings, and can do that pass after
the 3.16 release is out on git and in kernelci, but it would help to see
if the bots has caught any regressions.

      Arnd

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 11:55 ` Arnd Bergmann
@ 2017-11-09 12:08   ` Greg KH
  2017-11-09 12:21     ` Arnd Bergmann
  0 siblings, 1 reply; 330+ messages in thread
From: Greg KH @ 2017-11-09 12:08 UTC (permalink / raw)
  To: Arnd Bergmann
  Cc: Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot

On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
> On Tue, Nov 7, 2017 at 12:02 AM, Ben Hutchings <ben@decadent.org.uk> wrote:
> > This is the start of the stable review cycle for the 3.16.50 release.
> > There are 294 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri Nov 08 18:00:00 UTC 2017.
> > Anything received after that time might be too late.
> >
> > A combined patch relative to 3.16.49 will be posted as an additional
> > response to this.  A shortlog and diffstat can be found below.
> 
> I haven'tr tried building the proposed patches so far, as I was waiting for
> the kernelci builds.
> 
> However, I see that the stable-rc/linux-3.16.y doesn't have the current
> set, it still points to the old 3.16.35 release from last year.

That's because I don't always update the stable-rc tree for other
people's releases.  I can start doing that, just never have in the past.

> I think if you upload the branch to the stable-rc git, that should produce
> the automated build and boot results via email or via the
> https://kernelci.org/job/ interface. Once there are some results
> there, I'll go through the list once more to see what warnings
> and failures remain.

I don't know of a way to have others push to that tree/branch at the
moment :(

I'll go update that branch now...

greg k-h

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 12:08   ` Greg KH
@ 2017-11-09 12:21     ` Arnd Bergmann
  2017-11-09 12:40       ` Ben Hutchings
  0 siblings, 1 reply; 330+ messages in thread
From: Arnd Bergmann @ 2017-11-09 12:21 UTC (permalink / raw)
  To: Greg KH
  Cc: Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot

On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
>> On Tue, Nov 7, 2017 at 12:02 AM, Ben Hutchings <ben@decadent.org.uk> wrote:
>> > This is the start of the stable review cycle for the 3.16.50 release.
>> > There are 294 patches in this series, which will be posted as responses
>> > to this one.  If anyone has any issues with these being applied, please
>> > let me know.
>> >
>> > Responses should be made by Fri Nov 08 18:00:00 UTC 2017.
>> > Anything received after that time might be too late.
>> >
>> > A combined patch relative to 3.16.49 will be posted as an additional
>> > response to this.  A shortlog and diffstat can be found below.
>>
>> I haven'tr tried building the proposed patches so far, as I was waiting for
>> the kernelci builds.
>>
>> However, I see that the stable-rc/linux-3.16.y doesn't have the current
>> set, it still points to the old 3.16.35 release from last year.
>
> That's because I don't always update the stable-rc tree for other
> people's releases.  I can start doing that, just never have in the past.

I hadn't realized that you are the only one pushing to that git tree, I
simply assumed that all owners of stable kernels had write access to
all the branches.

>> I think if you upload the branch to the stable-rc git, that should produce
>> the automated build and boot results via email or via the
>> https://kernelci.org/job/ interface. Once there are some results
>> there, I'll go through the list once more to see what warnings
>> and failures remain.
>
> I don't know of a way to have others push to that tree/branch at the
> moment :(
>
> I'll go update that branch now...

Thanks!

With the arm-soc tree, we simply have a shared group-id on
gitolite.kernel.org and everyone in that group can push to it.

If that is the only thing you need, it should be trivial to let Ben
and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
I'm sure helpdesk@kernel.org can arrange that. Of course if you are
worried about having multiple accounts with write access to all the
branches, then that wouldn't be enough.

     Arnd

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 12:21     ` Arnd Bergmann
@ 2017-11-09 12:40       ` Ben Hutchings
  2017-11-09 12:48         ` Greg KH
  2017-11-09 16:03         ` Guenter Roeck
  0 siblings, 2 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-09 12:40 UTC (permalink / raw)
  To: Arnd Bergmann, Greg KH
  Cc: Linux Kernel Mailing List, # 3.4.x, Linus Torvalds,
	Guenter Roeck, Andrew Morton, kernelci.org bot

[-- Attachment #1: Type: text/plain, Size: 1289 bytes --]

On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
> On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
[...]
> > > I think if you upload the branch to the stable-rc git, that should produce
> > > the automated build and boot results via email or via the
> > > https://kernelci.org/job/ interface. Once there are some results
> > > there, I'll go through the list once more to see what warnings
> > > and failures remain.
> > 
> > I don't know of a way to have others push to that tree/branch at the
> > moment :(
> > 
> > I'll go update that branch now...
> 
> Thanks!
> 
> With the arm-soc tree, we simply have a shared group-id on
> gitolite.kernel.org and everyone in that group can push to it.
> 
> If that is the only thing you need, it should be trivial to let Ben
> and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
> I'm sure helpdesk@kernel.org can arrange that. Of course if you are
> worried about having multiple accounts with write access to all the
> branches, then that wouldn't be enough.

I think I'd rather send a pull request to Greg at the start of the
review period.

Ben.

-- 
Ben Hutchings
73.46% of all statistics are made up.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 12:40       ` Ben Hutchings
@ 2017-11-09 12:48         ` Greg KH
  2017-11-09 13:35           ` Arnd Bergmann
  2017-11-09 16:03         ` Guenter Roeck
  1 sibling, 1 reply; 330+ messages in thread
From: Greg KH @ 2017-11-09 12:48 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Arnd Bergmann, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot

On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
> [...]
> > > > I think if you upload the branch to the stable-rc git, that should produce
> > > > the automated build and boot results via email or via the
> > > > https://kernelci.org/job/ interface. Once there are some results
> > > > there, I'll go through the list once more to see what warnings
> > > > and failures remain.
> > > 
> > > I don't know of a way to have others push to that tree/branch at the
> > > moment :(
> > > 
> > > I'll go update that branch now...
> > 
> > Thanks!
> > 
> > With the arm-soc tree, we simply have a shared group-id on
> > gitolite.kernel.org and everyone in that group can push to it.
> > 
> > If that is the only thing you need, it should be trivial to let Ben
> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
> > worried about having multiple accounts with write access to all the
> > branches, then that wouldn't be enough.
> 
> I think I'd rather send a pull request to Greg at the start of the
> review period.

That works for me!

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 12:48         ` Greg KH
@ 2017-11-09 13:35           ` Arnd Bergmann
  2017-11-09 16:10             ` Guenter Roeck
  2017-11-14 20:35             ` Kevin Hilman
  0 siblings, 2 replies; 330+ messages in thread
From: Arnd Bergmann @ 2017-11-09 13:35 UTC (permalink / raw)
  To: Greg KH
  Cc: Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot

On Thu, Nov 9, 2017 at 1:48 PM, Greg KH <greg@kroah.com> wrote:
> On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
>> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
>> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
>> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
>> [...]
>> > > > I think if you upload the branch to the stable-rc git, that should produce
>> > > > the automated build and boot results via email or via the
>> > > > https://kernelci.org/job/ interface. Once there are some results
>> > > > there, I'll go through the list once more to see what warnings
>> > > > and failures remain.
>> > >
>> > > I don't know of a way to have others push to that tree/branch at the
>> > > moment :(
>> > >
>> > > I'll go update that branch now...
>> >
>> > Thanks!
>> >
>> > With the arm-soc tree, we simply have a shared group-id on
>> > gitolite.kernel.org and everyone in that group can push to it.
>> >
>> > If that is the only thing you need, it should be trivial to let Ben
>> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
>> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
>> > worried about having multiple accounts with write access to all the
>> > branches, then that wouldn't be enough.
>>
>> I think I'd rather send a pull request to Greg at the start of the
>> review period.
>
> That works for me!

We just discussed this on the #kernelci IRC channel. Since kernelci
has a whitelist of branches and 3.16 isn't currently on it, how about
just adding a different git tree for Ben's 3.2-rc and 3.16-rc releases?

Ben, do you have a git URL that we can add to kernelci, and and
an email address you want to see the build results at?

       Arnd

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 12:40       ` Ben Hutchings
  2017-11-09 12:48         ` Greg KH
@ 2017-11-09 16:03         ` Guenter Roeck
  2017-11-09 16:59           ` Ben Hutchings
  1 sibling, 1 reply; 330+ messages in thread
From: Guenter Roeck @ 2017-11-09 16:03 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Arnd Bergmann, Greg KH, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Andrew Morton, kernelci.org bot

On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
> [...]
> > > > I think if you upload the branch to the stable-rc git, that should produce
> > > > the automated build and boot results via email or via the
> > > > https://kernelci.org/job/ interface. Once there are some results
> > > > there, I'll go through the list once more to see what warnings
> > > > and failures remain.
> > > 
> > > I don't know of a way to have others push to that tree/branch at the
> > > moment :(
> > > 
> > > I'll go update that branch now...
> > 
> > Thanks!
> > 
> > With the arm-soc tree, we simply have a shared group-id on
> > gitolite.kernel.org and everyone in that group can push to it.
> > 
> > If that is the only thing you need, it should be trivial to let Ben
> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
> > worried about having multiple accounts with write access to all the
> > branches, then that wouldn't be enough.
> 
> I think I'd rather send a pull request to Greg at the start of the
> review period.
> 

If you change the trees I am supposed to pull from for my builders,
please let me know.

Guenter

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 13:35           ` Arnd Bergmann
@ 2017-11-09 16:10             ` Guenter Roeck
  2017-11-14 20:35             ` Kevin Hilman
  1 sibling, 0 replies; 330+ messages in thread
From: Guenter Roeck @ 2017-11-09 16:10 UTC (permalink / raw)
  To: Arnd Bergmann
  Cc: Greg KH, Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Andrew Morton, kernelci.org bot

On Thu, Nov 09, 2017 at 02:35:37PM +0100, Arnd Bergmann wrote:
> On Thu, Nov 9, 2017 at 1:48 PM, Greg KH <greg@kroah.com> wrote:
> > On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
> >> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
> >> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> >> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
> >> [...]
> >> > > > I think if you upload the branch to the stable-rc git, that should produce
> >> > > > the automated build and boot results via email or via the
> >> > > > https://kernelci.org/job/ interface. Once there are some results
> >> > > > there, I'll go through the list once more to see what warnings
> >> > > > and failures remain.
> >> > >
> >> > > I don't know of a way to have others push to that tree/branch at the
> >> > > moment :(
> >> > >
> >> > > I'll go update that branch now...
> >> >
> >> > Thanks!
> >> >
> >> > With the arm-soc tree, we simply have a shared group-id on
> >> > gitolite.kernel.org and everyone in that group can push to it.
> >> >
> >> > If that is the only thing you need, it should be trivial to let Ben
> >> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
> >> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
> >> > worried about having multiple accounts with write access to all the
> >> > branches, then that wouldn't be enough.
> >>
> >> I think I'd rather send a pull request to Greg at the start of the
> >> review period.
> >
> > That works for me!
> 
> We just discussed this on the #kernelci IRC channel. Since kernelci
> has a whitelist of branches and 3.16 isn't currently on it, how about
> just adding a different git tree for Ben's 3.2-rc and 3.16-rc releases?
> 
> Ben, do you have a git URL that we can add to kernelci, and and
> an email address you want to see the build results at?
> 
Would be great. Maybe I can then finally shut down kerneltests.org
as redundant.

Guenter

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 16:03         ` Guenter Roeck
@ 2017-11-09 16:59           ` Ben Hutchings
  2017-11-09 21:12             ` Guenter Roeck
  0 siblings, 1 reply; 330+ messages in thread
From: Ben Hutchings @ 2017-11-09 16:59 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: Arnd Bergmann, Greg KH, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Andrew Morton, kernelci.org bot

[-- Attachment #1: Type: text/plain, Size: 1811 bytes --]

On Thu, 2017-11-09 at 08:03 -0800, Guenter Roeck wrote:
> On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
> > On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
> > > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> > > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
> > 
> > [...]
> > > > > I think if you upload the branch to the stable-rc git, that should produce
> > > > > the automated build and boot results via email or via the
> > > > > https://kernelci.org/job/ interface. Once there are some results
> > > > > there, I'll go through the list once more to see what warnings
> > > > > and failures remain.
> > > > 
> > > > I don't know of a way to have others push to that tree/branch at the
> > > > moment :(
> > > > 
> > > > I'll go update that branch now...
> > > 
> > > Thanks!
> > > 
> > > With the arm-soc tree, we simply have a shared group-id on
> > > gitolite.kernel.org and everyone in that group can push to it.
> > > 
> > > If that is the only thing you need, it should be trivial to let Ben
> > > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
> > > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
> > > worried about having multiple accounts with write access to all the
> > > branches, then that wouldn't be enough.
> > 
> > I think I'd rather send a pull request to Greg at the start of the
> > review period.
> > 
> 
> If you change the trees I am supposed to pull from for my builders,
> please let me know.

If you're happy to keep supporting quilt-in-git then there's no change.
I check your builders page and try to fix up build failures before even
making a release candidate.

Ben.

-- 
Ben Hutchings
73.46% of all statistics are made up.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 16:59           ` Ben Hutchings
@ 2017-11-09 21:12             ` Guenter Roeck
  0 siblings, 0 replies; 330+ messages in thread
From: Guenter Roeck @ 2017-11-09 21:12 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Arnd Bergmann, Greg KH, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Andrew Morton, kernelci.org bot

On Thu, Nov 09, 2017 at 04:59:58PM +0000, Ben Hutchings wrote:
> On Thu, 2017-11-09 at 08:03 -0800, Guenter Roeck wrote:
> > On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
> > > On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
> > > > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
> > > > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
> > > 
> > > [...]
> > > > > > I think if you upload the branch to the stable-rc git, that should produce
> > > > > > the automated build and boot results via email or via the
> > > > > > https://kernelci.org/job/ interface. Once there are some results
> > > > > > there, I'll go through the list once more to see what warnings
> > > > > > and failures remain.
> > > > > 
> > > > > I don't know of a way to have others push to that tree/branch at the
> > > > > moment :(
> > > > > 
> > > > > I'll go update that branch now...
> > > > 
> > > > Thanks!
> > > > 
> > > > With the arm-soc tree, we simply have a shared group-id on
> > > > gitolite.kernel.org and everyone in that group can push to it.
> > > > 
> > > > If that is the only thing you need, it should be trivial to let Ben
> > > > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
> > > > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
> > > > worried about having multiple accounts with write access to all the
> > > > branches, then that wouldn't be enough.
> > > 
> > > I think I'd rather send a pull request to Greg at the start of the
> > > review period.
> > > 
> > 
> > If you change the trees I am supposed to pull from for my builders,
> > please let me know.
> 
> If you're happy to keep supporting quilt-in-git then there's no change.
> I check your builders page and try to fix up build failures before even
> making a release candidate.
> 

Ah yes, kernelci won't pick that up. No problem to keep kerneltests going
as long as it adds value.

Guenter

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads
  2017-11-07 16:24   ` Stephen Douthit
@ 2017-11-11 13:32     ` Ben Hutchings
  0 siblings, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-11 13:32 UTC (permalink / raw)
  To: stephend, linux-kernel, stable
  Cc: akpm, Dan Priamo, Neil Horman, Wolfram Sang, Pontus Andersson

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]

On Tue, 2017-11-07 at 11:24 -0500, Stephen Douthit wrote:
> On 11/06/2017 06:03 PM, Ben Hutchings wrote:
> > 3.16.50-rc1 review patch.  If anyone has any objections, please let
> > me know.
> 
> Pontus found that this patch trades one bug for another (fixes SMBus
> reads, breaks I2C reads) and provided a fix.
> 
> You'll also want c6ebcedbab7ca78984959386012a17b21183e1a3 from
> upstream.
[...]

Thanks, I've added this.

Ben.

-- 
Ben Hutchings
Who are all these weirdos? - David Bowie, reading IRC for the first
time


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
  2017-11-07 13:42       ` [B.A.T.M.A.N.] " Ben Hutchings
@ 2017-11-12 19:55         ` Linus Lüssing
  -1 siblings, 0 replies; 330+ messages in thread
From: Linus Lüssing @ 2017-11-12 19:55 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, b.a.t.m.a.n, akpm, Antonio Quartulli,
	Simon Wunderlich

Hi Ben,

On Tue, Nov 07, 2017 at 01:42:35PM +0000, Ben Hutchings wrote:
> That function didn't exist in 3.16 (at least not under that name).

Ah, you're right, back then the netlink interface did not
exist in batman-adv yet, only the debugfs one.
batadv_tt_global_print_entry would be the equivalent function
for debugfs. But not worth the effort now, in my opinion.

I'm fine with this proposed patch for 3.16 now. Thanks for the
clarification! And I'm happy to see this patch backported.

Regards, Linus

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [B.A.T.M.A.N.] [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies
@ 2017-11-12 19:55         ` Linus Lüssing
  0 siblings, 0 replies; 330+ messages in thread
From: Linus Lüssing @ 2017-11-12 19:55 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, b.a.t.m.a.n, akpm, Antonio Quartulli,
	Simon Wunderlich

Hi Ben,

On Tue, Nov 07, 2017 at 01:42:35PM +0000, Ben Hutchings wrote:
> That function didn't exist in 3.16 (at least not under that name).

Ah, you're right, back then the netlink interface did not
exist in batman-adv yet, only the debugfs one.
batadv_tt_global_print_entry would be the equivalent function
for debugfs. But not worth the effort now, in my opinion.

I'm fine with this proposed patch for 3.16 now. Thanks for the
clarification! And I'm happy to see this patch backported.

Regards, Linus

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-09 13:35           ` Arnd Bergmann
  2017-11-09 16:10             ` Guenter Roeck
@ 2017-11-14 20:35             ` Kevin Hilman
  2017-11-14 20:55               ` Arnd Bergmann
  1 sibling, 1 reply; 330+ messages in thread
From: Kevin Hilman @ 2017-11-14 20:35 UTC (permalink / raw)
  To: Arnd Bergmann
  Cc: Greg KH, Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot,
	Matt Hart

On Thu, Nov 9, 2017 at 5:35 AM, Arnd Bergmann <arnd@arndb.de> wrote:
> On Thu, Nov 9, 2017 at 1:48 PM, Greg KH <greg@kroah.com> wrote:
>> On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
>>> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
>>> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
>>> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
>>> [...]
>>> > > > I think if you upload the branch to the stable-rc git, that should produce
>>> > > > the automated build and boot results via email or via the
>>> > > > https://kernelci.org/job/ interface. Once there are some results
>>> > > > there, I'll go through the list once more to see what warnings
>>> > > > and failures remain.
>>> > >
>>> > > I don't know of a way to have others push to that tree/branch at the
>>> > > moment :(
>>> > >
>>> > > I'll go update that branch now...
>>> >
>>> > Thanks!
>>> >
>>> > With the arm-soc tree, we simply have a shared group-id on
>>> > gitolite.kernel.org and everyone in that group can push to it.
>>> >
>>> > If that is the only thing you need, it should be trivial to let Ben
>>> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
>>> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
>>> > worried about having multiple accounts with write access to all the
>>> > branches, then that wouldn't be enough.
>>>
>>> I think I'd rather send a pull request to Greg at the start of the
>>> review period.
>>
>> That works for me!
>
> We just discussed this on the #kernelci IRC channel. Since kernelci
> has a whitelist of branches and 3.16 isn't currently on it, how about
> just adding a different git tree for Ben's 3.2-rc and 3.16-rc releases?

We are currently reaching the limits of our current build capacity, so
want to understand the users before adding more trees.

That being said, it seems Ben is now pushing to Greg's stable-rc, so
we can pretty easily add linux-3.16.y to our list of stable-rc
branches if there is enough interest.  Also, we would much prefer
monitoring a git branch, since kernelci does not currently deal with
git + quilt (and we have no time, and less motivation to add it) :)

Kevin

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-14 20:35             ` Kevin Hilman
@ 2017-11-14 20:55               ` Arnd Bergmann
  2017-11-16  4:02                 ` Kevin Hilman
  0 siblings, 1 reply; 330+ messages in thread
From: Arnd Bergmann @ 2017-11-14 20:55 UTC (permalink / raw)
  To: Kevin Hilman
  Cc: Greg KH, Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot,
	Matt Hart

On Tue, Nov 14, 2017 at 9:35 PM, Kevin Hilman <khilman@baylibre.com> wrote:
> On Thu, Nov 9, 2017 at 5:35 AM, Arnd Bergmann <arnd@arndb.de> wrote:
>> On Thu, Nov 9, 2017 at 1:48 PM, Greg KH <greg@kroah.com> wrote:
>>> On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
>>>> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
>>>> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
>>>> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
>>>> [...]
>>>> > > > I think if you upload the branch to the stable-rc git, that should produce
>>>> > > > the automated build and boot results via email or via the
>>>> > > > https://kernelci.org/job/ interface. Once there are some results
>>>> > > > there, I'll go through the list once more to see what warnings
>>>> > > > and failures remain.
>>>> > >
>>>> > > I don't know of a way to have others push to that tree/branch at the
>>>> > > moment :(
>>>> > >
>>>> > > I'll go update that branch now...
>>>> >
>>>> > Thanks!
>>>> >
>>>> > With the arm-soc tree, we simply have a shared group-id on
>>>> > gitolite.kernel.org and everyone in that group can push to it.
>>>> >
>>>> > If that is the only thing you need, it should be trivial to let Ben
>>>> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
>>>> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
>>>> > worried about having multiple accounts with write access to all the
>>>> > branches, then that wouldn't be enough.
>>>>
>>>> I think I'd rather send a pull request to Greg at the start of the
>>>> review period.
>>>
>>> That works for me!
>>
>> We just discussed this on the #kernelci IRC channel. Since kernelci
>> has a whitelist of branches and 3.16 isn't currently on it, how about
>> just adding a different git tree for Ben's 3.2-rc and 3.16-rc releases?
>
> We are currently reaching the limits of our current build capacity, so
> want to understand the users before adding more trees.
>
> That being said, it seems Ben is now pushing to Greg's stable-rc, so
> we can pretty easily add linux-3.16.y to our list of stable-rc
> branches if there is enough interest.  Also, we would much prefer
> monitoring a git branch, since kernelci does not currently deal with
> git + quilt (and we have no time, and less motivation to add it) :)

Ben does not push to Greg's stable-rc, that was a mistake on my
side, but he does now have a git tree at
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git
that he said he'd push to in order to trigger build bots. It's not
git+quilt, so I'd assume it's still very easy to add, and the releases
are rare enough that I would not expect too much additional
work for kernelci.

       Arnd

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 000/294] 3.16.50-rc1 review
  2017-11-14 20:55               ` Arnd Bergmann
@ 2017-11-16  4:02                 ` Kevin Hilman
  0 siblings, 0 replies; 330+ messages in thread
From: Kevin Hilman @ 2017-11-16  4:02 UTC (permalink / raw)
  To: Arnd Bergmann, Greg KH
  Cc: Ben Hutchings, Linux Kernel Mailing List, # 3.4.x,
	Linus Torvalds, Guenter Roeck, Andrew Morton, kernelci.org bot,
	Matt Hart

On Tue, Nov 14, 2017 at 12:55 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> On Tue, Nov 14, 2017 at 9:35 PM, Kevin Hilman <khilman@baylibre.com> wrote:
>> On Thu, Nov 9, 2017 at 5:35 AM, Arnd Bergmann <arnd@arndb.de> wrote:
>>> On Thu, Nov 9, 2017 at 1:48 PM, Greg KH <greg@kroah.com> wrote:
>>>> On Thu, Nov 09, 2017 at 12:40:36PM +0000, Ben Hutchings wrote:
>>>>> On Thu, 2017-11-09 at 13:21 +0100, Arnd Bergmann wrote:
>>>>> > On Thu, Nov 9, 2017 at 1:08 PM, Greg KH <greg@kroah.com> wrote:
>>>>> > > On Thu, Nov 09, 2017 at 12:55:30PM +0100, Arnd Bergmann wrote:
>>>>> [...]
>>>>> > > > I think if you upload the branch to the stable-rc git, that should produce
>>>>> > > > the automated build and boot results via email or via the
>>>>> > > > https://kernelci.org/job/ interface. Once there are some results
>>>>> > > > there, I'll go through the list once more to see what warnings
>>>>> > > > and failures remain.
>>>>> > >
>>>>> > > I don't know of a way to have others push to that tree/branch at the
>>>>> > > moment :(
>>>>> > >
>>>>> > > I'll go update that branch now...
>>>>> >
>>>>> > Thanks!
>>>>> >
>>>>> > With the arm-soc tree, we simply have a shared group-id on
>>>>> > gitolite.kernel.org and everyone in that group can push to it.
>>>>> >
>>>>> > If that is the only thing you need, it should be trivial to let Ben
>>>>> > and Sasha push to /pub/scm/linux/kernel/git/stable/*.git as well,
>>>>> > I'm sure helpdesk@kernel.org can arrange that. Of course if you are
>>>>> > worried about having multiple accounts with write access to all the
>>>>> > branches, then that wouldn't be enough.
>>>>>
>>>>> I think I'd rather send a pull request to Greg at the start of the
>>>>> review period.
>>>>
>>>> That works for me!
>>>
>>> We just discussed this on the #kernelci IRC channel. Since kernelci
>>> has a whitelist of branches and 3.16 isn't currently on it, how about
>>> just adding a different git tree for Ben's 3.2-rc and 3.16-rc releases?
>>
>> We are currently reaching the limits of our current build capacity, so
>> want to understand the users before adding more trees.
>>
>> That being said, it seems Ben is now pushing to Greg's stable-rc, so
>> we can pretty easily add linux-3.16.y to our list of stable-rc
>> branches if there is enough interest.  Also, we would much prefer
>> monitoring a git branch, since kernelci does not currently deal with
>> git + quilt (and we have no time, and less motivation to add it) :)
>
> Ben does not push to Greg's stable-rc, that was a mistake on my
> side,

Any reason not to push to Greg's stable-rc (or have Greg pull)?

It would be a lot simpler from our side if we didn't have to track the
various stable tree maintainers.

Kevin

^ permalink raw reply	[flat|nested] 330+ messages in thread

* Re: [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task
  2017-11-07 10:37   ` Paolo Bonzini
  2017-11-07 13:50     ` Ben Hutchings
@ 2017-11-21 20:10     ` Ben Hutchings
  1 sibling, 0 replies; 330+ messages in thread
From: Ben Hutchings @ 2017-11-21 20:10 UTC (permalink / raw)
  To: Paolo Bonzini, linux-kernel, stable
  Cc: akpm, Radim Krčmář, Paul E. McKenney, Wanpeng Li

[-- Attachment #1: Type: text/plain, Size: 337 bytes --]

On Tue, 2017-11-07 at 11:37 +0100, Paolo Bonzini wrote:
[...]
> Looks good, please backport
> 
> b862789aa5186d5ea3a024b7cfe0f80c3a38b980 and
> a2b7861bb33b2538420bb5d8554153484d3f961f
> 
> as well.

OK, I've queued these up.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 330+ messages in thread

end of thread, other threads:[~2017-11-21 20:10 UTC | newest]

Thread overview: 330+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-06 23:02 [PATCH 3.16 000/294] 3.16.50-rc1 review Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 277/294] MIPS: BMIPS: Fix ".previous without corresponding .section" warnings Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 075/294] uas: Add US_FL_IGNORE_RESIDUE for Initio Corporation INIC-3069 Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 186/294] assoc_array: Fix a buggy node-splitting case Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 093/294] RDMA/uverbs: Prevent leak of reserved field Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 108/294] USB: Check for dropped connection before switching to full speed Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 159/294] l2tp: hold tunnel while handling genl tunnel updates Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 177/294] sch_fq_codel: avoid double free on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 168/294] i2c: ismt: Return EMSGSIZE for block reads with bogus length Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 241/294] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 201/294] platform/x86: samsung-laptop: Initialize loca variable Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 275/294] ARM: 8160/1: drop warning about return_address not using unwind tables Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 146/294] ipv6: add rcu grace period before freeing fib6_node Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 165/294] x86/ldt: Fix off by one in get_segment_base() Ben Hutchings
2017-11-06 23:03   ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 110/294] mm: migrate: prevent racy access to tlb_flush_pending Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 213/294] iio: adc: fix building on 64-bit Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 283/294] MIPS: TXx9: Delete an unused variable in tx4927_pcibios_setup Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 160/294] l2tp: hold tunnel while handling genl TUNNEL_GET commands Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 109/294] usb: quirks: Add no-lpm quirk for Moshi USB to Ethernet Adapter Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 069/294] sctp: fix the check for _sctp_walk_params and _sctp_walk_errors Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 288/294] perf: Avoid horrible stack usage Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 081/294] USB: serial: option: add D-Link DWM-222 device ID Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 047/294] RDMA/ocrdma: Fix error codes in ocrdma_create_srq() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 183/294] brcmfmac: add length check in brcmf_cfg80211_escan_handler() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 063/294] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 053/294] perf/core: Invert perf_read_group() loops Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 060/294] kprobes/x86: Release insn_slot in failure path Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 261/294] staging: bcm: add 32-bit host dependency Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 170/294] CIFS: remove endian related sparse warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 156/294] l2tp: define parameters of l2tp_session_get*() as "const" Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 206/294] ethernet: amd: fix pci device ids Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 071/294] ARM: pxa: select both FB and FB_W100 for eseries Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 259/294] drm/i915: cleanup some indenting Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 039/294] xhci: Fix NULL pointer dereference when cleaning up streams for removed host Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 104/294] net: avoid skb_warn_bad_offload false positives on UFO Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 091/294] ocfs2: don't clear SGID when inheriting ACLs Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 161/294] l2tp: remove useless duplicate session detection in l2tp_netlink Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 051/294] RDMA/core: Initialize port_num in qp_attr Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 150/294] Clarify (and fix) MAX_LFS_FILESIZE macros Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 224/294] ata: hpt366: fix constant cast warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 215/294] power/reset: xgene-reset: Fix prototype of xgene_restart() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 062/294] workqueue: implicit ordered attribute should be overridable Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 032/294] netfilter: ipt_CLUSTERIP: fix use-after-free of proc entry Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 244/294] i40e: Reduce stack in i40e_dbg_dump_desc Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 247/294] cpmac: remove hopeless #warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 067/294] powerpc/mm/hash: Free the subpage_prot_table correctly Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 035/294] mount: copy the port field into the cloned nfs_server structure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 131/294] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 013/294] net: bcmgenet: update ring producer index and buffer count in xmit Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 294/294] net/xen-netback: disable on 64KB page granularity Ben Hutchings
2017-11-06 23:03   ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 207/294] MODULE_DEVICE_TABLE: fix some callsites Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 203/294] Disable "frame-address" warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 205/294] modpost: don't emit section mismatch warnings for compiler optimizations Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 208/294] Input: gscps2 - fix MODULE_DEVICE_TABLE invocation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 118/294] parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 249/294] net: am2150: fix nmclan_cs.c shared interrupt handling Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 237/294] be2iscsi: Fix bogus WARN_ON length check Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 176/294] sch_cbq: fix null pointer dereferences on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 223/294] ASoC: adau1977: Fix truncation warning on 64 bit architectures Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 100/294] scsi: st: fix blk_get_queue usage Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 113/294] audit: Fix use after free in audit_remove_watch_rule() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 072/294] powerpc/boot: Fix 64-bit boot wrapper build with non-biarch compiler Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 119/294] ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 200/294] nilfs2: fix gcc uninitialized-variable warnings in powerpc build Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 082/294] drm/msm: Fix potential buffer overflow issue Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 222/294] ASoC: fsl_sai: Set SYNC bit of TCR2 to Asynchronous Mode Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 027/294] staging: rtl8188eu: add TL-WN722N v2 support Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 003/294] iio: adc: vf610_adc: Fix VALT selection value for REFSEL bits Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 230/294] tty/isicom: fix big-endian compile warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 086/294] i40e: Initialize 64-bit statistics TX ring seqcount Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 021/294] usb: storage: return on error to avoid a null pointer dereference Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 099/294] s390/qeth: fix L3 next-hop in xmit qeth hdr Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 292/294] e1000e: fix call to do_div() to use u64 arg Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 155/294] l2tp: initialise session's refcount before making it reachable Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 175/294] sch_hfsc: fix null pointer deref and double free on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 085/294] b44: Initialize 64-bit stats seqcount Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 227/294] spi/atmel: Fix pointer to int conversion warnings on 64 bit builds Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 225/294] clk/efm32gg: fix dt init prototype Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 264/294] Staging: iio: adc: fix indent on break statement Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 125/294] iio: imu: adis16480: Fix acceleration scale factor for adis16480 Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 078/294] iwlwifi: mvm: set the RTS_MIMO_PROT bit in flag mask when sending sta to fw Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 185/294] KEYS: prevent KEYCTL_READ on negative key Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 229/294] tty: nozomi: avoid a harmless gcc warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 107/294] usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 083/294] drm/msm: fix an integer overflow test Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 198/294] USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 137/294] nfsd: Limit end of page list when decoding NFSv4 WRITE Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 054/294] perf/core: Fix locking for children siblings group read Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 286/294] mtd: cfi: reduce stack size Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 272/294] ARM: 8221/1: PJ4: allow building in Thumb-2 mode Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 115/294] ipv4: add reference counting to metrics Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 114/294] dst: Increase alignment of metrics to allow extra flag on pointers Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 117/294] net_sched/sfq: update hierarchical backlog when drop packet Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 098/294] irqchip: brcmstb-l2: Define an irq_pm_shutdown function Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 122/294] staging: rtl8188eu: add RNX-N150NUB support Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 164/294] cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 276/294] ARM: 8296/1: cache-l2x0: clean up aurora cache handling Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 103/294] net: skb_needs_check() accepts CHECKSUM_NONE for tx Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 012/294] net: bcmgenet: rewrite bcmgenet_rx_refill() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 248/294] net: caif: fix misleading indentation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 192/294] ALSA: usb-audio: Kill stray URB at exiting Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 023/294] of: device: Export of_device_{get_modalias, uvent_modalias} to modules Ben Hutchings
2017-11-06 23:03   ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 057/294] IB/ipoib: Set IPOIB_NEIGH_TBL_FLUSH after flushed completion initialization Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 020/294] USB: cdc-acm: add device-id for quirky printer Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 001/294] fuse: initialize the flock flag in fuse_file on allocation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 105/294] crypto: x86/sha1 - Fix reads beyond the number of blocks passed Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 139/294] net: bcmgenet: Be drop monitor friendly Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 193/294] ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 220/294] ASoC: fsl-ssi: fix do_div build warning in fsl_ssi_set_bclk() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 007/294] net/packet: Fix Tx queue selection for AF_PACKET Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 199/294] ALSA: seq: Enable 'use' locking in all configurations Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 246/294] mISDN: avoid arch specific __builtin_return_address call Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 231/294] i2o: hide unsafe ioctl on 64-bit Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 163/294] ipv6: fix sparse warning on rt6i_node Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 238/294] mvsas: fix misleading indentation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 251/294] net: tulip: turn compile-time warning into dev_warn() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 242/294] mtd: maps: rbtx4939-flash: delete an unused variable in rbtx4939_flash_remove Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 255/294] iwlegacy: avoid warning about missing braces Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 191/294] packet: in packet_do_bind, test fanout with bind_lock held Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 214/294] infiniband: mlx5: avoid a compile-time warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 190/294] packet: hold bind lock when rebinding to fanout hook Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 209/294] module: fix types of device tables aliases Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 135/294] tracing: Fix freeing of filter in create_filter() when set_str is false Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 024/294] spmi: Include OF based modalias in device uevent Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 092/294] ipv6: set rt6i_protocol properly in the route when it is installed Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 219/294] gpio: drop retval check enforcing from gpiochip_remove() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 059/294] KVM: PPC: Book3S HV: Enable TM before accessing TM registers Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 064/294] media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 094/294] IB/uverbs: Fix device cleanup Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 284/294] MIPS: elf2ecoff: Fix warning due to dead code Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 289/294] MIPS: jz4740: fix build error in irq.h Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 236/294] bfa: Fix indentation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 026/294] drm/vmwgfx: Fix gcc-7.1.1 warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 008/294] staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 154/294] dm: fix printk() rate limiting code Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 204/294] modpost: expand pattern matching to support substring matches Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 228/294] spi/pl022: Explicitly truncate large bitmask Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 253/294] drivers/net/ethernet/dec/tulip/uli526x.c: fix misleading indentation in uli526x_timer Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 065/294] media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 140/294] net: systemport: Free DMA coherent descriptors on errors Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 270/294] x86/boot: Add CONFIG_PARAVIRT_SPINLOCKS quirk to arch/x86/boot/compressed/misc.h Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 250/294] am2150: Update nmclan_cs.c to use update PCMCIA API Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 166/294] alpha: uapi: Add support for __SANE_USERSPACE_TYPES__ Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 073/294] xtensa: fix cache aliasing handling code for WT cache Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 097/294] iscsi-target: Fix iscsi_np reset hung task during parallel delete Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 290/294] MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 179/294] sch_tbf: fix two null pointer dereferences on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 132/294] ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978) Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 048/294] IB/cma: Fix a race condition in iboe_addr_get_sgid() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 040/294] xhci: Bad Ethernet performance plugged in ASM1042A host Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 046/294] RDMA/ocrdma: Fix an error code in ocrdma_alloc_pd() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 089/294] ALSA: hda - Fix speaker output from VAIO VPCL14M1R Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 217/294] Input: joystick - use get_cycles on ARMv8 Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 174/294] sch_hhf: fix null pointer dereference on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 169/294] CIFS: Fix maximum SMB2 header size Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 167/294] i2c: ismt: Don't duplicate the receive length for block reads Ben Hutchings
2017-11-07 16:24   ` Stephen Douthit
2017-11-11 13:32     ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 049/294] IB/cma: Fix reference count leak when no ipv4 addresses are set Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 287/294] drbd: avoid redefinition of BITS_PER_PAGE Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 195/294] USB: fix out-of-bounds in usb_set_configuration Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 239/294] paride: fix the "verbose" module param Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 033/294] libata: array underflow in ata_find_dev() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 088/294] gpio: tegra: fix unbalanced chained_irq_enter/exit Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 044/294] cxgb4: Fix error codes in c4iw_create_cq() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 173/294] sch_multiq: fix double free on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 121/294] mm/mempolicy: fix use after free when calling get_mempolicy Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 014/294] net: bcmgenet: fix dev->stats.tx_bytes accounting Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 055/294] iwlwifi: dvm: prevent an out of bounds access Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 235/294] scsi: advansys: remove #warning message Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 138/294] net: systemport: Be drop monitor friendly Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 243/294] xilinx: Fix compiler warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 141/294] mtd: nandsim: remove debugfs entries in error path Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 041/294] xhci: fix 20000ms port resume timeout Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 218/294] dma: pl08x: Use correct specifier for size_t values Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 153/294] dm: convert DM printk macros to pr_<level> macros Ben Hutchings
2017-11-07  3:19   ` Joe Perches
2017-11-07  3:40     ` Mike Snitzer
2017-11-07 13:43       ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 252/294] net: vxge: avoid unused function warnings Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 257/294] netfilter: Fix switch statement warnings with recent gcc Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 226/294] spi: rspi: Remove unused variable in rspi_rz_transfer_one() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 029/294] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 245/294] mlx5: avoid build warnings on 32-bit Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 087/294] ixgbe: Initialize 64-bit stats seqcounts Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 010/294] net: bcmgenet: fix off-by-one in incrementing read pointer Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 030/294] usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 269/294] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 282/294] MIPS: Fix the build on jz4740 after removing the custom gpio.h Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 002/294] iio: light: tsl2563: use correct event code Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 042/294] xhci: fix memleak in xhci_run() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 258/294] netfilter; Add some missing default cases to switch statements in nft_reject Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 212/294] gfs2: remove IS_ERR_VALUE abuse Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 187/294] mac80211: accept key reinstall without changing anything Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 181/294] epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 279/294] MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 147/294] ipv6: Fix may be used uninitialized warning in rt6_check Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 009/294] net: bcmgenet: check harder for out of memory conditions Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 211/294] cpumask_set_cpu_local_first => cpumask_local_spread, lament Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 004/294] Raid5 should update rdev->sectors after reshape Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 128/294] ALSA: core: Fix unexpected error at replacing user TLV Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 262/294] staging: imx-drm: fix indentation warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 056/294] IB/ipoib: Prevent setting negative values to max_nonsrq_conn_qp Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 145/294] ipv6: Add rt6_get_cookie() function Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 112/294] af_key: do not use GFP_KERNEL in atomic contexts Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 281/294] MIPS: MSP71xx: remove odd locking in PCI config space access code Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 070/294] net/mlx5: Fix command bad flow on command entry allocation failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 015/294] net: bcmgenet: cleanup for bcmgenet_xmit_frag() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 136/294] qlge: avoid memcpy buffer overflow Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 123/294] ipv6: reset fn->rr_ptr when replacing route Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 052/294] ipv4: initialize fib_trie prior to register_netdev_notifier call Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 133/294] cifs: Fix df output for users with quota limits Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 084/294] KVM: async_pf: make rcu irq exit if not triggered from idle task Ben Hutchings
2017-11-07 10:37   ` Paolo Bonzini
2017-11-07 13:50     ` Ben Hutchings
2017-11-07 13:54       ` Paolo Bonzini
2017-11-07 14:03         ` Ben Hutchings
2017-11-21 20:10     ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 285/294] staging: r8192ee: prorperly format warning message Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 102/294] net: reduce skb_warn_bad_offload() noise Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 268/294] staging: dgnc: Fix frame size is larger than 1024B Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 096/294] ext4: fix overflow caused by missing cast in ext4_resize_fs() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 152/294] xfrm_user: fix info leak in build_aevent() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 263/294] staging: vt6655: fix overly large stack usage Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 031/294] usb: renesas_usbhs: gadget: disable all eps when the driver stops Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 028/294] usb: renesas_usbhs: gadget: fix re-enabling pipe without re-connecting Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 043/294] tracing: Fix kmemleak in instance_rmdir Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 232/294] dm bufio: hide bogus warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 143/294] perf/core: Fix group {cpu,task} validation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 061/294] md/raid5: add thread_group worker async_tx_issue_pending_all Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 149/294] r8169: Be drop monitor friendly Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 184/294] fix unbalanced page refcounting in bio_map_user_iov Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 116/294] ipv4: fix NULL dereference in free_fib_info_rcu() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 017/294] net: bcmgenet: Free skb after last Tx frag Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 025/294] ASoC: do not close shared backend dailink Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 090/294] net/mlx4_en: Fix wrong indication of Wake-on-LAN (WoL) support Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 079/294] xtensa: don't limit csum_partial export by CONFIG_NET Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 095/294] ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 148/294] r8169: Do not increment tx_dropped in TX ring cleaning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 101/294] net: remove open-coded skb_cow_head Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 172/294] sch_htb: fix crash on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 182/294] cifs: check MaxPathNameComponentLength != 0 before using it Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 233/294] scsi-tgt: fix type conversion warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 162/294] l2tp: hold tunnel used while creating sessions with netlink Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 018/294] i2c: mux: pinctrl: mention correct module name in Kconfig help text Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 210/294] mm/hugetlb: improve locking in dissolve_free_huge_pages() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 080/294] xtensa: mm/cache: add missing EXPORT_SYMBOLs Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 271/294] ARM: cns3xxx: shut up frame size warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 221/294] ASoC: imx-audmux: Use uintptr_t for port numbers Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 019/294] USB: serial: cp210x: add support for Qivicon USB ZigBee dongle Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 273/294] ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 197/294] HID: usbhid: fix out-of-bounds bug Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 074/294] USB: hcd: Mark secondary HCD as dead if the primary one died Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 111/294] xfs: fix inobt inode allocation search optimization Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 016/294] net: bcmgenet: Fix unmapping of fragments in bcmgenet_xmit() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 254/294] hostap: avoid uninitialized variable use in hfa384x_get_rid Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 130/294] arm64: mm: abort uaccess retries upon fatal signal Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 171/294] net_sched: fix error recovery at qdisc creation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 127/294] drm: Release driver tracking before making the object available again Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 274/294] ARM: OMAP: Fix Kconfig warning for omap1 Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 066/294] iommu/amd: Fix schedule-while-atomic BUG in initialization code Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 267/294] Staging: wlan-ng: fix sparse warning in prism2fw.c Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 050/294] RDMA/uverbs: Fix the check for port number Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 076/294] batman-adv: fix TT sync flag inconsistencies Ben Hutchings
2017-11-07  1:16   ` Linus Lüssing
2017-11-07  1:16     ` [B.A.T.M.A.N.] " Linus Lüssing
2017-11-07 13:42     ` Ben Hutchings
2017-11-07 13:42       ` [B.A.T.M.A.N.] " Ben Hutchings
2017-11-12 19:55       ` Linus Lüssing
2017-11-12 19:55         ` [B.A.T.M.A.N.] " Linus Lüssing
2017-11-06 23:03 ` [PATCH 3.16 045/294] IB/cxgb3: Fix error codes in iwch_alloc_mr() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 265/294] Staging: lustre: missing curly braces in ll_setattr_raw() Ben Hutchings
2017-11-06 23:03   ` Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 157/294] l2tp: hold tunnel while looking up sessions in l2tp_netlink Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 058/294] IB/ipoib: Remove double pointer assigning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 293/294] MIPS: Fix a warning for virt_to_page Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 188/294] ALSA: seq: Fix use-after-free at creating a port Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 256/294] brcmfmac: avoid gcc-5.1 warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 142/294] netvsc: fix deadlock betwen link status and removal Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 129/294] arm64: fpsimd: Prevent registers leaking across exec Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 106/294] x86/asm/64: Clear AC on NMI entries Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 260/294] video: mx3fb: always enable BACKLIGHT_LCD_SUPPORT Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 280/294] MIPS: ip22: Fix ip28 build for modern gcc Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 120/294] netxen: fix incorrect loop counter decrement Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 180/294] wl1251: add a missing spin_lock_init() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 124/294] Input: trackpoint - add new trackpoint firmware ID Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 038/294] ARM: kexec: fix failure to boot crash kernel Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 036/294] x86/acpi: Prevent out of bound access caused by broken ACPI tables Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 234/294] ips: remove pointless #warning Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 011/294] net: bcmgenet: simplify __bcmgenet_tx_reclaim() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 194/294] USB: uas: fix bug in handling of alternate settings Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 034/294] workqueue: restore WQ_UNBOUND/max_active==1 to be ordered Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 291/294] net: ti: cpmac: Fix compiler warning due to type confusion Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 005/294] perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 189/294] KEYS: don't let add_key() update an uninstantiated key Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 068/294] sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 202/294] mm/init: fix zone boundary creation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 216/294] mfd: arizona: Rid data size incompatibility warn when building for 64bit Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 158/294] l2tp: hold tunnel while processing genl delete command Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 077/294] pinctrl: sunxi: add a missing function of A10/A20 pinctrl driver Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 266/294] staging: rtl8723au: core: rtw_wlan_util: fix misleading indentation Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 240/294] aic94xx: Skip reading user settings if flash is not found Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 022/294] libceph: potential NULL dereference in ceph_msg_data_create() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 196/294] usb: usbtest: fix NULL pointer dereference Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 126/294] net_sched: fix order of queue length updates in qdisc_replace() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 144/294] PM/hibernate: touch NMI watchdog when creating snapshot Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 178/294] sch_netem: avoid null pointer deref on init failure Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 151/294] xfrm_user: fix info leak in xfrm_notify_sa() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 006/294] net: bridge: fix dest lookup when vlan proto doesn't match Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 134/294] cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 037/294] ARM: kexec: Make .text R/W in machine_kexec Ben Hutchings
2017-11-06 23:03 ` [PATCH 3.16 278/294] MIPS: DEC: Avoid la pseudo-instruction in delay slots Ben Hutchings
2017-11-07 14:17 ` [PATCH 3.16 000/294] 3.16.50-rc1 review Guenter Roeck
2017-11-08 15:18   ` Ben Hutchings
2017-11-09 11:55 ` Arnd Bergmann
2017-11-09 12:08   ` Greg KH
2017-11-09 12:21     ` Arnd Bergmann
2017-11-09 12:40       ` Ben Hutchings
2017-11-09 12:48         ` Greg KH
2017-11-09 13:35           ` Arnd Bergmann
2017-11-09 16:10             ` Guenter Roeck
2017-11-14 20:35             ` Kevin Hilman
2017-11-14 20:55               ` Arnd Bergmann
2017-11-16  4:02                 ` Kevin Hilman
2017-11-09 16:03         ` Guenter Roeck
2017-11-09 16:59           ` Ben Hutchings
2017-11-09 21:12             ` Guenter Roeck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.