* [PATCH 3.16 000/366] 3.16.61-rc1 review
@ 2018-11-11 19:49 Ben Hutchings
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.61 release.
There are 366 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Nov 16 18:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

kt.liao@emc.com.tw (1):
      Input: elantech - fix V4 report decoding for module with middle key
         [e0ae2519ca004a628fa55aeef969c37edce522d3]

Aaron Ma (1):
      Input: elantech - enable middle button of touchpads on ThinkPad P52
         [24bb555e6e46d96e2a954aa0295029a81cc9bbaa]

Al Viro (6):
      fix __legitimize_mnt()/mntput() race
         [119e1ef80ecfe0d1deb6378d4ab41f5b71519de1]
      fix mntput/mntput race
         [9ea0a46ca2c318fcc449c1e6b62a7230a17888f1]
      make sure that __dentry_kill() always invalidates d_seq, unhashed or not
         [4c0d7cd5c8416b1ef41534d19163cb07ffaa03ab]
      root dentries need RCU-delayed freeing
         [90bad5e05bcdb0308cfa3d3a60f5c0b9c8e2efb3]
      unify dentry_iput() and dentry_unlink_inode()
         [550dce01dd606c88a837138aa448ccd367fb0cbb]
      use ->d_seq to get coherency between ->d_inode and ->d_flags
         [a528aca7f359f4b0b1d72ae406097e491a5ba9ea]

Alex Estrin (1):
      IB/isert: Fix for lib/dma_debug check_sync warning
         [763b69654bfb88ea3230d015e7d755ee8339f8ee]

Alex Vesker (2):
      net/mlx5: Fix command interface race in polling mode
         [d412c31dae053bf30a1bc15582a9990df297a660]
      net/mlx5: Fix incorrect raw command length parsing
         [603b7bcff824740500ddfa001d7a7168b0b38542]

Alexander Potapenko (1):
      vt: prevent leaking uninitialized data to userspace via /dev/vcs*
         [21eff69aaaa0e766ca0ce445b477698dc6a9f55a]

Alexander Sverdlin (2):
      ASoC: cirrus: i2s: Fix LRCLK configuration
         [2d534113be9a2aa532a1ae127a57e83558aed358]
      ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
         [5d302ed3cc80564fb835bed5fdba1e1250ecc9e5]

Alexey Brodkin (1):
      ARC: Fix CONFIG_SWAP
         [6e3761145a9ba3ce267c330b6bff51cf6a057b06]

Alexey Kodanev (1):
      dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
         [61ef4b07fcdc30535889990cf4229766502561cf]

Amir Goldstein (3):
      ext4: do not update s_last_mounted of a frozen fs
         [db6516a5e7ddb6dc72d167b920f2f272596ea22d]
      ext4: factor out helper ext4_sample_last_mounted()
         [833a950882d33a7dfc319d5e152fdf35028936eb]
      vfs: add the sb_start_intwrite_trylock() helper
         [0c8e3fe35db9b66ae0030849545030ec7c0fc45c]

Andre Przywara (1):
      arm64: add missing data types in smp_load_acquire/smp_store_release
         [878a84d5a8a18a4ab241d40cebb791d6aedf5605]

Andrea Arcangeli (1):
      ksm: add cond_resched() to the rmap_walks
         [ad12695f177c3403a64348b42718faf9727fe358]

Andrew F. Davis (1):
      rpmsg: Correct support for MODULE_DEVICE_TABLE()
         [5b7d127726de6eed4b900bc3bbb167837690818f]

Andrew Morton (1):
      arch/x86/kernel/cpu/common.c: fix unused symbol warning
         [e48510f45107613bf14060eeabd658c49a044242]

Andri Yngvason (1):
      can: dev: Consolidate and unify state change handling
         [bac78aabcfece0c493b2ad824c68fbdc20448cbc]

Andy Lutomirski (1):
      fs/proc: Stop trying to report thread stacks
         [b18cb64ead400c01bf1580eeba330ace51f8087d]

Aneesh Kumar K.V (1):
      powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
         [91d06971881f71d945910de128658038513d1b24]

Anil Gurumurthy (1):
      scsi: qla2xxx: Return error when TMF returns
         [b4146c4929ef61d5afca011474d59d0918a0cd82]

Anna-Maria Gleixner (1):
      nohz: Fix local_timer_softirq_pending()
         [80d20d35af1edd632a5e7a3b9c0ab7ceff92769e]

Anssi Hannula (6):
      can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK
         [32852c561bffd613d4ed7ec464b1e03e1b7b6c5c]
      can: xilinx_can: fix RX overflow interrupt not being enabled
         [83997997252f5d3fc7f04abc24a89600c2b504ab]
      can: xilinx_can: fix device dropping off bus on RX overrun
         [2574fe54515ed3487405de329e4e9f13d7098c10]
      can: xilinx_can: fix incorrect clear of non-processed interrupts
         [2f4f0f338cf453bfcdbcf089e177c16f35f023c8]
      can: xilinx_can: fix recovery from error states not being propagated
         [877e0b75947e2c7acf5624331bb17ceb093c98ae]
      can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
         [620050d9c2be15c47017ba95efe59e0832e99a56]

Anton Vasilyev (1):
      can: ems_usb: Fix memory leak on ems_usb_disconnect()
         [72c05f32f4a5055c9c8fe889bb6903ec959c0aad]

Arnaldo Carvalho de Melo (9):
      perf script: Use readdir() instead of deprecated readdir_r()
         [a5e8e825bd1704c488bf6a46936aaf3b9f203d6a]
      perf thread_map: Correctly size buffer used with dirent->dt_name
         [bdf23a9a190d7ecea092fd5c4aabb7d4bd0a9980]
      perf thread_map: Use readdir() instead of deprecated readdir_r()
         [3354cf71104de49326d19d2f9bdb1f66eea52ef4]
      perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/
         [cec07f53c398f22576df77052c4777dc13f14962]
      perf tools: Use readdir() instead of deprecated readdir_r()
         [bfc279f3d233150ff260e9e93012e14f86810648]
      perf top: Use __fallthrough
         [7b0214b702ad8e124e039a317beeebb3f020d125]
      perf trace: Do not process PERF_RECORD_LOST twice
         [3ed5ca2efff70e9f589087c2013789572901112d]
      perf trace: Fix up fd -> pathname resolution
         [cdcd1e6bd8a92f8353fc2f37003c6eae2d1e6903]
      tools include: Add a __fallthrough statement
         [b5bf1733d6a391c4e90ea8f8468d83023be74a2a]

Arnd Bergmann (3):
      [media] ir-core: fix gcc-7 warning on bool arithmetic
         [bd7e31bbade02bc1e92aa00d5cf2cee2da66838a]
      arm64: use linux/types.h in kvm.h
         [d19279154b3fff9adff96b54d1a77dfb8f01e3da]
      video/omap: add module license tags
         [1bde9f2cf142b726412fa5b0e3cb557ff46952b0]

Artem Savkov (1):
      tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
         [57ea2a34adf40f3a6e88409aafcf803b8945619a]

Bart Van Assche (1):
      scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
         [1214fd7b497400d200e3f4e64e2338b303a20949]

Ben Hutchings (10):
      Revert "mtd: nand: omap2: Fix subpage write"
         [not upstream; reverted change is good but has larger dependencies]
      bcmgenet: Delete unused variable
         [not upstream; fixes incorrect backport]
      fnic: Fix misleading indentation
         [86001f248e943b7b22c22b50151ffaee9447df2d]
      iio: iio-trig-periodic-rtc: Free trigger resource  correctly
         [not upstream; driver was removed]
      rtl8723be: Fix misleading indentation
         [5c99f04fec93068147a3e95b439b345f203ac5b9]
      staging: rtl8192ee: Fix misleading indentation
         [not upstream; driver was removed from staging]
      staging: vt6656: Fix misleading indentation
         [not upstream; functions have been removed]
      string: drop __must_check from strscpy()
         [08a77676f9c5fc69a681ccd2cd8140e65dcb26c7]
      x86/apic: Fix build failure with X86_IO_APIC disabled
         [not upstream; failing configuration is no longer possible]
      x86/cpufeatures: Hide AMD-specific speculation flags
         [e7c587da125291db39ddf1f49b18e5970adbac17]

Bin Liu (1):
      usb: core: handle hub C_PORT_OVER_CURRENT condition
         [249a32b7eeb3edb6897dd38f89651a62163ac4ed]

Bjorn Helgaas (1):
      PCI: shpchp: Fix AMD POGO identification
         [bed4e9cfab93a0f3d0144cb919820e6d5c40b8b1]

Bo Chen (1):
      ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
         [a3aa60d511746bd6c0d0366d4eb90a7998bcde8b]

Boris Brezillon (1):
      m68k: Implement ndelay() as an inline function to force type checking/casting
         [d8441ba80c55aad435e4b98fe0d7ad5d21e46bf9]

Boris Ostrovsky (1):
      xen: Remove unnecessary BUG_ON from __unbind_from_irq()
         [eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff]

Borislav Petkov (1):
      x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out()
         [1f74c8a64798e2c488f86efc97e308b85fb7d7aa]

Cannon Matthews (1):
      mm: hugetlb: yield when prepping struct pages
         [520495fe96d74e05db585fc748351e0504d8f40d]

Changbin Du (1):
      tracing: Fix missing return symbol in function_graph output
         [1fe4293f4b8de75824935f8d8e9a99c7fc6873da]

Chanho Park (1):
      perf tools: define _DEFAULT_SOURCE for glibc_2.20
         [512fe365373b9c95a70b4b6357503ee74d27214f]

Chas Williams (1):
      net/xen-netfront: only clean up queues if present
         [9a873c71e91cabf4c10fd9bbd8358c22deaf6c9e]

Chen-Yu Tsai (1):
      Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
         [384cf4285b34e08917e3e66603382f2b0c4f6e1b]

Christophe Jaillet (1):
      scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()'
         [51b910c3c70986a5a0a84eea11cb8e904e37ba8b]

Colin Ian King (2):
      libata: zpodd: make arrays cdb static, reduces object code size
         [795ef788145ed2fa023efdf11e8d5d7bedc21462]
      media: smiapp: fix timeout checking in smiapp_read_nvm
         [7a2148dfda8001c983f0effd9afd8a7fa58e99c4]

Cong Wang (1):
      vsock: split dwork to avoid reinitializations
         [455f05ecd2b219e9a216050796d30c830d9bc393]

Corey Minyard (1):
      ipmi:bt: Set the timeout before doing a capabilities check
         [fe50a7d0393a552e4539da2d31261a59d6415950]

Dan Carpenter (10):
      ALSA: msnd: add some missing curly braces
         [096a020a9ef5c947577d3b57199bfc9b7e686b49]
      PCI: ibmphp: Fix use-before-set in get_max_bus_speed()
         [4051f5ebb11c6ef4b0d3eac2fbbd187c070656c5]
      USB: serial: ch341: fix type promotion bug in ch341_control_in()
         [e33eab9ded328ccc14308afa51b5be7cbe78d30b]
      dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
         [c4c2b7644cc9a41f17a8cc8904efe3f66ae4c7ed]
      drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
         [7f073d011f93e92d4d225526b9ab6b8b0bbd6613]
      libata: zpodd: small read overflow in eject_tray()
         [18c9a99bce2a57dfd7e881658703b5d7469cc7b9]
      mfd: tps65911-comparator: Fix a build error
         [ac1886165cd1201c5793099b6fbad1876bf98dfe]
      mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready()
         [01eca2842874b9a85b7cd1e1b0e5b34a5d53a21f]
      qlogic: check kstrtoul() for errors
         [5fc853cc01c68f84984ecc2d5fd777ecad78240f]
      xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
         [313db3d6488bb03b61b99de9dbca061f1fd838e1]

Dan Williams (2):
      x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()
         [eab6870fee877258122a042bfd99ee7908c40280]
      x86/speculation: Fix up array_index_nospec_mask() asm constraint
         [be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470]

Daniel Axtens (1):
      powerpc: make feature-fixup tests fortify-safe
         [c69a48cdb301a18697bc8c9935baf4f32861cf9e]

Daniel Jordan (1):
      mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT
         [955c97f0859abef698e77f5697f5c4008303abb9]

Dave Martin (1):
      tty: pl011: Avoid spuriously stuck-off interrupts
         [4a7e625ce50412a7711efa0f2ef0b96ce3826759]

Dave Wysochanski (1):
      NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
         [d68894800ec5712d7ddf042356f11e36f87d7f78]

David Disseldorp (1):
      scsi: target: Fix truncated PR-in ReadKeys response
         [63ce3c384db26494615e3c8972bcd419ed71f4c4]

David Howells (1):
      VFS: Impose ordering on accesses of d_inode and d_flags
         [4bf46a272647d89e780126b52eda04737defd9f4]

David Rivshin (1):
      ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
         [76ed0b803a2ab793a1b27d1dfe0de7955282cd34]

David Vrabel (4):
      xen-netfront: fix locking in connect error path
         [db8c8ab61a28d7e3eb86d247b342a853263262c3]
      xen-netfront: properly destroy queues when removing device
         [ad0681185770716523c81b156c44b9804d7b8ed2]
      xen-netfront: release per-queue Tx and Rx resource when disconnecting
         [a5b5dc3ce4df4f05f4d81c7d3c56a7604b242093]
      xen-netfront: use different locks for Rx and Tx stats
         [900e183301b54f8ca17a86d9835e9569090d182a]

Davide Caratti (1):
      net/sched: act_simple: fix parsing of TCA_DEF_DATA
         [8d499533e0bc02d44283dbdab03142b599b8ba16]

Dewet Thibaut (1):
      x86/MCE: Remove min interval polling limitation
         [fbdb328c6bae0a7c78d75734a738b66b86dffc96]

Dmitry Safonov (4):
      iommu/vt-d: Ratelimit each dmar fault printing
         [6c50d79f66382d78918a768374839d6d1b606d3f]
      netlink: Do not subscribe to non-existent groups
         [7acf9d4237c46894e0fa0492dd96314a41742e84]
      netlink: Don't shift on 64 for ngroups
         [91874ecf32e41b5d86a4cb9d60e0bee50d828058]
      netlink: Don't shift with UB on nlk->ngroups
         [61f4b23769f0cc72ae62c9a81cf08f0397d40da8]

Dmitry Torokhov (1):
      Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
         [a4c2a13129f7c5bcf81704c06851601593303fd5]

Doug Berger (1):
      PM / wakeup: Only update last time for active wakeup sources
         [2ef7c01c0cdb170142058c6d8fe0697aee4e4d7d]

Doug Ledford (1):
      RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events
         [fa9391dbad4b868512ed22a7e41765f881a8a935]

Douglas Anderson (1):
      dm bufio: avoid sleeping while holding the dm_bufio lock
         [9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc]

Eric Biggers (4):
      KEYS: DNS: fix parsing multiple options
         [c604cb767049b78b3075497b80ebb8fd530ea2cc]
      ext4: correct endianness conversion in __xattr_check_inode()
         [199625098a18a5522b424dea9b122b254c022fc5]
      ext4: don't read out of bounds when checking for in-inode xattrs
         [290ab230016f187c3551d8380ea742889276d03a]
      reiserfs: fix buffer overflow with long warning messages
         [fe10e398e860955bac4d28ec031b701d358465e4]

Eric Dumazet (6):
      net/packet: refine check for priv area size
         [eb73190f4fbeedf762394e92d6a4ec9ace684c88]
      net: metrics: add proper netlink validation
         [5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53]
      netfilter: ipv6: nf_defrag: reduce struct net memory waste
         [9ce7bc036ae4cfe3393232c86e9e1fea2153c237]
      netfilter: nf_queue: augment nfqa_cfg_policy
         [ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc]
      rtnetlink: validate attributes in do_setlink()
         [644c7eebbfd59e72982d11ec6cc7d39af12450ae]
      xfrm_user: prevent leaking 2 bytes of kernel memory
         [45c180bc29babbedd6b8c01b975780ef44d9d09c]

Eric Engestrom (1):
      perf tools: Remove duplicate const qualifier
         [3b556bced46aa6b1873da7faa18eff235e896adc]

Eric W. Biederman (1):
      signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
         [7de712ccc096b81d23cc0a941cd9b8cb3956605d]

Evan Green (1):
      clk: qcom: Base rcg parent rate off plan frequency
         [c7d2a0eb6c028ba064bfe92d7667977418142c7c]

Fabian Frederick (1):
      can: constify of_device_id array
         [486e957033623656298a07c39a8bf2fd81db285b]

Florian Fainelli (1):
      net: ethernet: davinci_emac: Fix printing of base address
         [5a04e8f81a4f55ce1c2b7b525744a187c99ba302]

Florian Meier (1):
      gcov: add support for gcc version >= 6
         [d02038f972538b93011d78c068f44514fbde0a8c]

Florian Westphal (2):
      atl1c: reserve min skb headroom
         [6e56830776828d8ca9897fc4429eeab47c3bb432]
      xfrm: free skb if nlsk pointer is NULL
         [86126b77dcd551ce223e7293bb55854e3df05646]

Geert Uytterhoeven (1):
      time: Make sure jiffies_to_msecs() preserves non-zero time periods
         [abcbcb80cd09cd40f2089d912764e315459b71f7]

Geoff Levand (1):
      kexec: Fix make headers_check
         [9dc5c05f45ca8101025046cda7f8aca8835204f2]

Guillaume Nault (8):
      l2tp: clean up stale tunnel or session in pppol2tp_connect's error path
         [bda06be2158c7aa7e41b15500c4d3840369c19a6]
      l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
         [ecd012e45ab5fd76ed57546865897ce35920f56b]
      l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
         [f664e37dcc525768280cb94321424a09beb1c992]
      l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()
         [90904ff5f958a215cc3d26f957a46e80fa178470]
      l2tp: fix refcount leakage on PPPoL2TP sockets
         [3d609342cc04129ff7568e19316ce3d7451a27e8]
      l2tp: only accept PPP sessions in pppol2tp_connect()
         [7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658]
      l2tp: prevent pppol2tp_connect() from creating kernel sockets
         [3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd]
      l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
         [de9bada5d389903f4faf33980e6a95a2911c7e6d]

Gustavo A. R. Silva (2):
      HID: hiddev: fix potential Spectre v1
         [4f65245f2d178b9cba48350620d76faa4a098841]
      net: cxgb3_main: fix potential Spectre v1
         [676bcfece19f83621e905aa55b5ed2d45cc4f2d3]

Hangbin Liu (2):
      ipv6: mcast: fix unsolicited report interval after receiving querys
         [6c6da92808442908287fae8ebb0ca041a52469f4]
      multicast: do not restore deleted record source filter mode to new one
         [08d3ffcc0cfaba36f6b86fd568cc3bc773061fa6]

Hans de Goede (4):
      ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
         [fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70]
      ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
         [240630e61870e62e39a97225048f9945848fa5f5]
      libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
         [2cfce3a86b64b53f0a70e92a6a659c720c319b45]
      pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
         [1d375b58c12f08d8570b30b865def4734517f04f]

Herbert Xu (1):
      crypto: padlock-aes - Fix Nano workaround data corruption
         [46d8c4b28652d35dc6cfb5adf7f54e102fc04384]

Himanshu Madhani (1):
      scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
         [413c2f33489b134e3cc65d9c3ff7861e8fdfe899]

Houston Yaroschoff (1):
      usb: cdc_acm: Add quirk for Uniden UBC125 scanner
         [4a762569a2722b8a48066c7bacf0e1dc67d17fa1]

Huacai Chen (1):
      MIPS: io: Add barrier after register read in inX()
         [18f3e95b90b28318ef35910d21c39908de672331]

Huang Ying (1):
      mm: /proc/pid/pagemap: hide swap entries from unprivileged users
         [ab6ecf247a9321e3180e021a6a60164dee53ab2e]

Ingo Flaschberger (1):
      1wire: family module autoload fails because of upper/lower case mismatch.
         [065c09563c872e52813a17218c52cd642be1dca6]

Jack Morgenstein (1):
      net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
         [958c696f5a7274d9447a458ad7aa70719b29a50a]

Jan Kara (2):
      ext4: fix fencepost error in check for inode count overflow during resize
         [4f2f76f751433908364ccff82f437a57d0e6e9b7]
      udf: Detect incorrect directory size
         [fa65653e575fbd958bdf5fb9c4a71a324e39510d]

Jann Horn (3):
      ibmasm: don't write out of bounds in read handler
         [a0341fc1981a950c1e902ab901e98f60e0e243f3]
      netfilter: nf_log: don't hold nf_log_mutex during user access
         [ce00bf07cc95a57cd20b208e02b3c2604e532ae8]
      scsi: sg: mitigate read/write abuse
         [26b5b874aff5659a7e26e5b1997e3df2c41fa7fd]

Jason Wang (1):
      vhost_net: validate sock before trying to put its fd
         [b8f1f65882f07913157c44673af7ec0b308d03eb]

Jeff Layton (3):
      ceph: don't set req->r_locked_dir in ceph_d_revalidate
         [c3f4688a08fd86f1bf8e055724c84b7a40a09733]
      ceph: fix endianness of getattr mask in ceph_d_revalidate
         [1097680d759918ce4a8705381c0ab2ed7bd60cf1]
      nfsd: silence sparse warning about accessing credentials
         [ae4b884fc6316b3190be19448cea24b020c1cad6]

Jens Axboe (1):
      sbitmap: fix race in wait batch accounting
         [c854ab5773be1c1a0d3cef0c3a3261f2c48ab7f8]

Jeremy Cline (1):
      net: socket: fix potential spectre v1 gadget in socketcall
         [c8e8cd579bb4265651df8223730105341e61a2d1]

Jia He (1):
      mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
         [1105a2fc022f3c7482e32faf516e8bc44095f778]

Jiang Biao (1):
      virtio_balloon: fix another race between migration and ballooning
         [89da619bc18d79bca5304724c11d4ba3b67ce2c6]

Jiri Olsa (2):
      perf tools: Fix python extension build for gcc 8
         [b7a313d84e853049062011d78cb04b6decd12f5c]
      perf tools: Fix snprint warnings for gcc 8
         [77f18153c080855e1c3fb520ca31a4e61530121d]

Jiri Slaby (3):
      p54: memset(0) whole array
         [6f17581788206444cbbcdbc107498f85e9765e3d]
      tty: vt, get rid of weird source code flow
         [34902b7f2754e6d890feb0cee34187f1bc75c930]
      tty: vt, remove reduntant check
         [182846a00f489849c55d113954f0c4a8a286ca39]

Joakim Tjernlund (4):
      mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
         [f1ce87f6080b1dda7e7b1eda3da332add19d87b9]
      mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
         [0cd8116f172eed018907303dbff5c112690eeb91]
      mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
         [f93aa8c4de307069c270b2d81741961162bead6c]
      mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
         [5fdfc3dbad099281bf027a353d5786c09408a8e5]

Johan Hovold (7):
      USB: serial: cp210x: add CESINEL device ids
         [24160628a34af962ac99f2f58e547ac3c4cbd26f]
      USB: serial: keyspan_pda: fix modem-status error handling
         [01b3cdfca263a17554f7b249d20a247b2a751521]
      USB: serial: mos7840: fix status-register error handling
         [794744abfffef8b1f3c0c8a4896177d6d13d653d]
      backlight: as3711_bl: Fix Device Tree node leaks
         [d5318d302e7cf6583ec85a2a8bfbb3a3910ae372]
      backlight: as3711_bl: Fix Device Tree node lookup
         [4a9c8bb2aca5b5a2a15744333729745dd9903562]
      backlight: max8925_bl: Fix Device Tree node lookup
         [d1cc0ec3da23e44c23712579515494b374f111c9]
      backlight: tps65217_bl: Fix Device Tree node lookup
         [2b12dfa124dbadf391cb9a616aaa6b056823bf75]

John Syne (2):
      staging:iio:ade7854: Fix error handling on read/write
         [4297b23d927fa5265378f4a71372ecef3c33023a]
      staging:iio:ade7854: Fix the wrong number of bits to read
         [6cef2ab01636b6021044f349df466a97c408ec27]

Jon Derrick (1):
      ext4: check superblock mapped prior to committing
         [a17712c8e4be4fa5404d20e9cd3b2b21eae7bc56]

Joshua Frkuska (1):
      usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
         [6b37bd78d30c890e575a1bda22978d1d2a233362]

Juergen Gross (1):
      xen/netfront: don't cache skb_shinfo()
         [d472b3a6cf63cd31cae1ed61930f07e6cd6671b5]

Julia Lawall (1):
      bnx2x: use the right constant
         [dd612f18a49b63af8b3a5f572d999bdb197385bc]

Julian Wiedmann (1):
      s390/qeth: don't clobber buffer on async TX completion
         [ce28867fd20c23cd769e78b4d619c4755bf71a1c]

Kai-Heng Feng (1):
      media: cx231xx: Add support for AverMedia DVD EZMaker 7
         [29e61d6ef061b012d320327af7dbb3990e75be45]

Kamal Heib (1):
      RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
         [d63c46734c545ad0488761059004a65c46efdde3]

Karoly Pados (1):
      USB: serial: cp210x: add Silicon Labs IDs for Windows Update
         [2f839823382748664b643daa73f41ee0cc01ced6]

Keerthy (1):
      ARM: dts: da850: Fix interrups property for gpio
         [3eb1b955cd7ed1e621ace856710006c2a8a7f231]

Kees Cook (2):
      binfmt_elf: fix calculations for bss padding
         [0036d1f7eb95bcc52977f15507f00dd07018e7e2]
      mm: refuse wrapped vm_brk requests
         [ba093a6d9397da8eafcfbaa7d95bd34255da39a0]

Keith Busch (1):
      block: Fix transfer when chunk sectors exceeds max
         [15bfd21fbc5d35834b9ea383dc458a1f0c9e3434]

Kiran Kumar Modukuri (5):
      cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag
         [5ce83d4bb7d8e11e8c1c687d09f4b5ae67ef3ce3]
      cachefiles: Fix refcounting bug in backing-file read monitoring
         [934140ab028713a61de8bca58c05332416d037d1]
      cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
         [c2412ac45a8f8f1cd582723c1a139608694d410d]
      fscache: Allow cancelled operations to be enqueued
         [d0eb06afe712b7b103b6361f40a9a0c638524669]
      fscache: Fix reference overput in fscache_attach_object() error handling
         [f29507ce66701084c39aeb1b0ae71690cbff3554]

Konrad Rzeszutek Wilk (3):
      x86/bugs: Add AMD's SPEC_CTRL MSR usage
         [6ac2f49edb1ef5446089c7c660017732886d62d6]
      x86/bugs: Add AMD's variant of SSB_NO
         [24809860012e0130fbafe536709e08a22b3e959e]
      x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
         [108fab4b5c8f12064ef86e02cb0459992affb30f]

Konstantin Khlebnikov (1):
      pagemap: hide physical addresses from non-privileged users
         [1c90308e7a77af6742a97d1021cca923b23b7f0d]

Krzysztof Kozlowski (1):
      clk: si5351: Constify clock names and struct regmap_config
         [8234caed27f7bce141c9fb1f7e76c91a2a66d248]

Lars Persson (1):
      cifs: Fix use after free of a mid_q_entry
         [696e420bb2a6624478105651d5368d45b502b324]

Laura Abbott (2):
      staging: android: ion: Return an ERR_PTR in ion_map_kernel
         [0a2bc00341dcfcc793c0dbf4f8d43adf60458b05]
      staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
         [45ad559a29629cb1c64ee636563c69b71524f077]

Lee Jones (1):
      mfd: tps65911-comparator: Fix an off by one bug
         [1768391c3674b0c6bdc4947121f15fb0c2f47ec4]

Leon Romanovsky (4):
      RDMA/mlx4: Discard unknown SQP work requests
         [6b1ca7ece15e94251d1d0d919f813943e4a58059]
      RDMA/uverbs: Don't fail in creation of multiple flows
         [fe48aecb4df837540f13b5216f27ddb306aaf4b9]
      RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
         [4fae7f170416f970e5655f7e945ce69286b1c4ff]
      RDMA/uverbs: Protect from attempts to create flows on unsupported QP
         [940efcc8889f0d15567eb07fc9fd69b06e366aa5]

Liang Z Li (1):
      xen-netfront: Remove the meaningless code
         [905726c1c5a3ca620ba7d73c78eddfb91de5ce28]

Linus Lüssing (2):
      batman-adv: Avoid storing non-TT-sync flags on singular entries too
         [4a519b83da16927fb98fd32b0f598e639d1f1859]
      batman-adv: Fix multicast TT issues with bogus ROAM flags
         [a44ebeff6bbd6ef50db41b4195fca87b21aefd20]

Linus Torvalds (2):
      squashfs: be more careful about metadata corruption
         [01cfb7937a9af2abb1136c7e89fbf3fd92952956]
      squashfs: more metadata hardening
         [d512584780d3e6a7cacb2f482834849453d444a1]

Lorenzo Bianconi (1):
      ipv4: remove BUG_ON() from fib_compute_spec_dst
         [9fc12023d6f51551d6ca9ed7e02ecc19d79caf17]

Lorenzo Stoakes (1):
      gcov: add support for GCC 5.1
         [3e44c471a2dab210f7e9b1e5f7d4d54d52df59eb]

Lubomir Rintel (1):
      usb: cdc_acm: Add quirk for Castles VEGA3000
         [1445cbe476fc3dd09c0b380b206526a49403c071]

Lukas Czerner (1):
      ext4: update mtime in ext4_punch_hole even if no blocks are released
         [eee597ac931305eff3d3fd1d61d6aae553bc0984]

Lyude Paul (1):
      drm/nouveau: Remove bogus crtc check in pmops_runtime_idle
         [68fe23a626b67b56c912c496ea43ed537ea9708f]

Maciej S. Szmigiero (1):
      X.509: unpack RSA signatureValue field from BIT STRING
         [b65c32ec5a942ab3ada93a048089a938918aba7f]

Mahesh Salgaonkar (1):
      powerpc/fadump: Unregister fadump on kexec down path.
         [722cde76d68e8cc4f3de42e71c82fd40dea4f7b9]

Marcelo Ricardo Leitner (1):
      sctp: fix identification of new acks for SFR-CACC
         [51446780fc33e45cb790c05a7fa2c5bf7e8bc53b]

Mark Rutland (1):
      arm64: ensure extension of smp_store_release value
         [994870bead4ab19087a79492400a5478e2906196]

Markos Chandras (2):
      MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations
         [be5136988e25ae0dc8379fcb937efc63d87aba9e]
      MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA
         [2bd7bc254ab1f45269db6dd7957d63b713817408]

Markus Pargmann (1):
      batman-adv: debugfs, avoid compiling for !DEBUG_FS
         [9bb218828c8f4fa6587af93e248903c96ce469d0]

Martin Kaiser (1):
      mtd: rawnand: mxc: set spare area size register explicitly
         [3f77f244d8ec28e3a0a81240ffac7d626390060c]

Martin Liska (1):
      gcov: support GCC 7.1
         [05384213436ab690c46d9dfec706b80ef8d671ab]

Masami Hiramatsu (1):
      ring_buffer: tracing: Inherit the tracing setting to next ring buffer
         [73c8d8945505acdcbae137c2e00a1232e0be709f]

Matt Turner (2):
      tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
         [e0d34648b4d77ba715e13739d04e7b0692fe5eaa]
      x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
         [a00072a24a9f5b88cfc56f2dec6afe8ce3874e60]

Mauro Carvalho Chehab (5):
      [media] drxd_hard: fix bad alignments
         [cea130021448763b15f4b16af184bbab4be118fb]
      [media] drxk_hard: fix bad alignments
         [89fffac802c18caebdf4e91c0785b522c9f6399a]
      media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
         [76d81243a487c09619822ef8e7201a756e58a87d]
      media: omap3isp/isp: remove an unused static var
         [3f4836beb2ebeb0211d9911d878a267d687e0e6e]
      media: v4l2-compat-ioctl32: prevent go past max size
         [ea72fbf588ac9c017224dcdaa2019ff52ca56fee]

Max Gurtovoy (1):
      IB/isert: fix T10-pi check mask setting
         [0e12af84cdd3056460f928adc164f9e87f4b303b]

Maxim Moseychuk (1):
      usb: do not reset if a low-speed or full-speed device timed out
         [6e01827ed93947895680fbdad68c072a0f4e2450]

Michael Ellerman (2):
      powerpc/lib: Fix feature fixup test of external branch
         [32810d91325ec76b8ef4df463f8a0e9baf353322]
      powerpc/lib: Fix the feature fixup tests to actually work
         [cad0e39023b43d94d5e38dfd55c103e15bdd093d]

Michael Jeanson (1):
      powerpc/e500mc: Set assembler machine type to e500mc
         [69a8405999aa1c489de4b8d349468f0c2b83f093]

Michael Karcher (1):
      net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()).
         [9144c3795c2636351d553e4d0fc5297201182de2]

Michael Neuling (2):
      powerpc/ptrace: Fix enforcement of DAWR constraints
         [cd6ef7eebf171bfcba7dc2df719c2a4958775040]
      powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
         [4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3]

Michael Schmitz (1):
      m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
         [3f90f9ef2dda316d64e420d5d51ba369587ccc55]

Michal Hocko (2):
      mm, elf: handle vm_brk error
         [ecc2bc8ac03884266cf73f8a2a42b911465b2fbc]
      mm: do not bug_on on incorrect length in __mm_populate()
         [bb177a732c4369bb58a1fe1df8f552b6f0f7db5f]

Mika Westerberg (1):
      PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
         [13c65840feab8109194f9490c9870587173cb29d]

Mike Marciniszyn (1):
      IB/qib: Fix DMA api warning with debug kernel
         [0252f73334f9ef68868e4684200bea3565a4fcee]

Mike Snitzer (1):
      dm thin: handle running out of data space vs concurrent discard
         [a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3]

Miklos Szeredi (2):
      fuse: atomic_o_trunc should truncate pagecache
         [df0e91d488276086bc07da2e389986cae0048c37]
      fuse: fix control dir setup and teardown
         [6becdb601bae2a043d7fb9762c4d48699528ea6e]

Mikulas Patocka (3):
      branch-check: fix long->int truncation when profiling branches
         [2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe]
      dm bufio: drop the lock when doing GFP_NOIO allocation
         [41c73a49df31151f4ff868f28fe4f129f113fa2c]
      drm/udl: fix display corruption of the last line
         [99ec9e77511dea55d81729fc80b6c63a61bfa8e0]

Ming_qian (1):
      media: uvcvideo: Support realtek's UVC 1.5 device
         [f620d1d7afc7db57ab59f35000752840c91f67e7]

Nathan Chancellor (1):
      kconfig: Avoid format overflow warning from GCC 8.1
         [2ae89c7a82ea9d81a19b4fc2df23bef4b112f24e]

Nathan Sullivan (1):
      leds: do not overflow sysfs buffer in led_trigger_show
         [3b9b95363c45365d606ad4bbba16acca75fdf6d3]

NeilBrown (1):
      w1: support auto-load of w1_bq27000 module.
         [4b7e4f8289c1ca60accb6c1baf31984f69bc2771]

Nicholas Mc Guire (2):
      can: mpc5xxx_can: check of_iomap return before use
         [b5c1a23b17e563b656cc9bb76ce5323b997d90e8]
      drm: re-enable error handling
         [d530b5f1ca0bb66958a2b714bebe40a1248b9c15]

Nico Sneck (1):
      usb: quirks: add delay quirks for Corsair Strafe
         [bba57eddadda936c94b5dccf73787cb9e159d0a5]

OGAWA Hirofumi (1):
      fat: fix memory allocation failure handling of match_strdup()
         [35033ab988c396ad7bce3b6d24060c16a9066db8]

Olli Salonen (1):
      USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
         [367b160fe4717c14a2a978b6f9ffb75a7762d3ed]

Omar Sandoval (3):
      Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
         [0552210997badb6a60740a26ff9d976a416510f0]
      Btrfs: don't return ino to ino cache if inode item removal fails
         [c08db7d8d295a4f3a10faaca376de011afff7950]
      Btrfs: reserve space for O_TMPFILE orphan item deletion
         [399b0bbf5f680797d3599fa14f16706ffc470145]

Oscar Salvador (1):
      fs, elf: make sure to page align bss in load_elf_library
         [24962af7e1041b7e50c1bc71d8d10dc678c556b5]

Paul Bolle (1):
      eeepc-laptop: simplify parse_arg()
         [95369a73a957ad221f1d6b8f11a63a376f38c544]

Paul Burton (1):
      MIPS: Fix off-by-one in pci_resource_to_user()
         [38c0a74fe06da3be133cae3fb7bde6a9438e698b]

Paulo Alcantara (1):
      cifs: Fix infinite loop when using hard mount option
         [7ffbe65578b44fafdef577a360eb0583929f7c6e]

Paweł Chmiel (2):
      pinctrl: samsung: Correct EINTG banks order
         [5cf9a338db94cfd570aa2607bef1b30996f188e3]
      regulator: max8998: Fix platform data retrieval.
         [c1472737914fe5246a672fef6e85c9455de8473f]

Prabhakar Lad (1):
      media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS
         [d75cf0144f150272be806b69b4e62553ba07ea1b]

Pranay Kr. Srivastava (1):
      ext4: Fix WARN_ON_ONCE in ext4_commit_super()
         [4743f83990614af6adb09ea7aa3c37b78c4031ab]

Quinn Tran (1):
      scsi: qla2xxx: Fix ISP recovery on unload
         [b08abbd9f5996309f021684f9ca74da30dcca36a]

Rasmus Villemoes (1):
      net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics
         [e843bb199ba58ce5d1364d4c82fcf6975f08eec2]

Ronnie Sahlberg (1):
      cifs: store the leaseKey in the fid on SMB2_open
         [96164ab2d880c9539989bea68d4790f6fd619b1f]

Ross Lagerwall (4):
      xen-netfront: Fix mismatched rtnl_unlock
         [cb257783c2927b73614b20f915a91ff78aa6f3e8]
      xen-netfront: Fix race between device setup and open
         [f599c64fdf7d9c108e8717fb04bc41c680120da4]
      xen-netfront: Improve error handling during initialization
         [e2e004acc7cbe3c531e752a270a74e95cde3ea48]
      xen-netfront: Update features after registering netdev
         [45c8184c1bed1ca8a7f02918552063a00b909bf5]

Sabrina Dubroca (1):
      ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
         [848235edb5c93ed086700584c8ff64f6d7fc778d]

Sakari Ailus (1):
      media: v4l: event: Prevent freeing event subscriptions while accessed
         [ad608fbcf166fec809e402d548761768f602702c]

Scott Mayhew (1):
      nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
         [9c2ece6ef67e9d376f32823086169b489c422ed0]

Sean Young (1):
      media: rc: mce_kbd decoder: fix stuck keys
         [63039c29f7a4ce8a8bd165173840543c0098d7b0]

Sergey Senozhatsky (1):
      tools/lib/subcmd/pager.c: do not alias select() params
         [ad343a98e74e85aa91d844310e797f96fee6983b]

Shuah Khan (1):
      usbip: stub_rx: fix static checker warning on unnecessary checks
         [10c90120930628e8b959bf58d4a0aaef3ae5d945]

Siarhei Liakh (1):
      x86: Call fixup_exception() before notify_die() in math_error()
         [3ae6295ccb7cf6d344908209701badbbbb503e40]

Silvio Cesare (1):
      UBIFS: Fix potential integer overflow in allocation
         [353748a359f1821ee934afc579cf04572406b420]

Simon Wunderlich (1):
      batman-adv: unify flags access style in tt global add
         [ad7e2c466d8b0a7056cd248e1df6bb7296e014f7]

Snild Dolkow (1):
      kthread, tracing: Don't expose half-written comm when creating kthreads
         [3e536e222f2930534c252c1cc7ae799c725c5ff9]

Song Liu (1):
      perf/core: Fix group scheduling with mixed hw and sw events
         [a1150c202207cc8501bebc45b63c264f91959260]

Srinivas Kandagatla (2):
      ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
         [ff2faf1289c1f81b5b26b9451dd1c2006aac8db8]
      of: platform: stop accessing invalid dev in of_platform_device_destroy
         [522811e944ed9b36806faa019faec10f9d259cca]

Stefan Agner (1):
      mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
         [92748beac07c471d995fbec642b63572dc01b3dc]

Stefan M Schaeckeler (1):
      of: unittest: for strings, account for trailing \0 in property length field
         [3b9cf7905fe3ab35ab437b5072c883e609d3498d]

Stefan Potyra (1):
      w1: mxc_w1: Enable clock before calling clk_get_rate() on it
         [955bc61328dc0a297fb3baccd84e9d3aee501ed8]

Stefano Brivio (2):
      cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
         [729c0c9dd55204f0c9a823ac8a7bfa83d36c7e78]
      skbuff: Unconditionally copy pfmemalloc in __skb_clone()
         [e78bfb0751d4e312699106ba7efbed2bab1a53ca]

Steffen Maier (7):
      scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
         [512857a795cbbda5980efa4cdb3c0b6602330408]
      scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
         [8c3d20aada70042a39c6a6625be037c1472ca610]
      scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
         [6a76550841d412330bd86aed3238d1888ba70f0e]
      scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
         [96d9270499471545048ed8a6d7f425a49762283d]
      scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
         [d70aab55924b44f213fec2b900b095430b33eec6]
      scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
         [df30781699f53e4fd4c494c6f7dd16e3d5c21d30]
      scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
         [81979ae63e872ef650a7197f6ce6590059d37172]

Steven Rostedt (3):
      tracing: Fix double free of event_trigger_data
         [1863c387259b629e4ebfb255495f67cd06aa229b]
      tracing: Fix possible double free in event_enable_trigger_func()
         [15cc78644d0075e76d59476a4467e7143860f660]
      tracing: Quiet gcc warning about maybe unused link variable
         [2519c1bbe38d7acacc9aacba303ca6f97482ed53]

Sven Eckelmann (3):
      batman-adv: Fix debugfs path for renamed hardif
         [36dc621ceca1be3ec885aeade5fdafbbcc452a6d]
      batman-adv: Fix debugfs path for renamed softif
         [6da7be7d24b2921f8215473ba7552796dff05fe1]
      cfg80211: initialize sinfo in cfg80211_get_station
         [3c12d0486856b9eb89c2a9ac336713cba90813e3]

Tadeusz Struk (1):
      tpm: fix race condition in tpm_common_write()
         [3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df]

Takashi Iwai (5):
      ALSA: core: Assure control device to be registered at last
         [dc82e52492f684dcd5ed9e4773e72dbf2203d75e]
      ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation
         [f16041df4c360eccacfe90f96673b37829e4c959]
      ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
         [275ec0cb946cb75ac8977f662e608fce92f8b8a8]
      ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
         [b41f794f284966fd6ec634111e3b40d241389f96]
      xen-netfront: Use static attribute groups for sysfs entries
         [27b917e54bed7156c2b0249969ace34a5f585626]

Takashi Sakamoto (1):
      ALSA: hda/ca0132: fix build failure when a local macro is defined
         [8e142e9e628975b0dddd05cf1b095331dff6e2de]

Tetsuo Handa (4):
      driver core: Don't ignore class_dir_create_and_add() failure.
         [84d0c27d6233a9ba0578b20f5a09701eb66cee42]
      fuse: don't keep dead fuse_conn at fuse_fill_super().
         [543b8f8662fe6d21f19958b666ab0051af9db21a]
      n_tty: Access echo_* variables carefully.
         [ebec3f8f5271139df618ebdf8427e24ba102ba94]
      n_tty: Fix stall at n_tty_receive_char_special().
         [3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81]

Thadeu Lima de Souza Cascardo (1):
      fs/binfmt_misc.c: do not allow offset overflow
         [5cc41e099504b77014358b58567c5ea6293dd220]

Theodore Ts'o (7):
      ext4: add more mount time checks of the superblock
         [bfe0a5f47ada40d7984de67e59a7d3390b9b9ecc]
      ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
         [eb9b5f01c33adebc31cbc236c02695f605b0e417]
      ext4: check for allocation block validity with block group locked
         [8d5a803c6a6ce4ec258e31f76059ea5153ba46ef]
      ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
         [9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35]
      ext4: fix inline data updates with checksums enabled
         [362eca70b53389bddf3143fe20f53dcce2cfdf61]
      ext4: include the illegal physical block in the bad map ext4_error msg
         [bdbd6ce01a70f02e9373a584d0ae9538dcf0a121]
      random: mix rdrand with entropy sent in from userspace
         [81e69df38e2911b642ec121dec319fad2a4782f3]

Thomas Richter (2):
      perf: fix invalid bit in diagnostic entry
         [3c0a83b14ea71fef5ccc93a3bd2de5f892be3194]
      s390/cpum_sf: Add data entry sizes to sampling trailer entry
         [77715b7ddb446bd39a06f3376e85f4bb95b29bb8]

Tobias Jordan (1):
      spi: pxa2xx: check clk_prepare_enable() return value
         [62bbc864d1946c715063bd481bff3641fd1324e2]

Tokunori Ikegami (5):
      MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
         [2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175]
      mtd: cfi_cmdset_0002: Change definition naming to retry write operation
         [85a82e28b023de9b259a86824afbd6ba07bd6475]
      mtd: cfi_cmdset_0002: Change erase functions to check chip good only
         [79ca484b613041ca223f74b34608bb6f5221724b]
      mtd: cfi_cmdset_0002: Change erase functions to retry for error
         [45f75b8a919a4255f52df454f1ffdee0e42443b2]
      mtd: cfi_cmdset_0002: Change write buffer to check correct value
         [dfeae1073583dc35c33b32150e18b7048bbb37e6]

Tom Lendacky (1):
      x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
         [612bc3b3d4be749f73a513a17d9b3ee1330d3487]

Tomasz Kramkowski (2):
      HID: clamp input to logical range if no null state
         [c3883fe06488a483658ba5d849b70e49bee15e7c]
      HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter
         [9547837bdccb4af127528b36a73377150658b4ac]

Tommi Rantala (1):
      xfrm: fix missing dst_release() after policy blocking lbcast and multicast
         [8cc88773855f988d6a3bbf102bbd9dd9c828eb81]

Tushar Behera (1):
      usb: misc: usb3503: Update error code in print message
         [ec5734c41bee2ee7c938a8f34853d31cada7e67a]

Ulrik De Bie (1):
      Input: elantech - report the middle button of the touchpad
         [f386474e12a560e005ec7899e78f51f6bdc3cf41]

Valtteri Heikkilä (1):
      HID: reject input outside logical range only if null state is set
         [3f3752705dbd50b66b66ad7b4d54fe33d2f746ed]

Ville Syrjälä (1):
      x86/apm: Don't access __preempt_count with zeroed fs
         [6f6060a5c9cc76fdbc22748264e6aa3779ec2427]

Vineet Gupta (1):
      ARC: mm: allow mprotect to make stack mappings executable
         [93312b6da4df31e4102ce5420e6217135a16c7ea]

Vitaly Kuznetsov (1):
      xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
         [d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e]

Vladimir Zapolskiy (1):
      sh_eth: fix invalid context bug while changing link options by ethtool
         [5cb3f52a11e18628fc4bee76dd14b1f0b76349de]

Vlastimil Babka (1):
      mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
         [7810e6781e0fcbca78b91cf65053f895bf59e85f]

Wanpeng Li (1):
      KVM: x86: fix escape of guest dr6 to the host
         [efdab992813fb2ed825745625b83c05032e9cda2]

Willem de Bruijn (1):
      packet: refine ring v3 block size test to hold one frame
         [4576cd469d980317c4edd9173f8b694aa71ea3a3]

Xunlei Pang (1):
      sched/fair: Fix bandwidth timer clock drift condition
         [512ac999d2755d2b7109e996a76b6fb8b888631d]

Yoshihiro Shimoda (2):
      usb: gadget: function: printer: avoid spinlock recursion
         [9ada8c582088d32bd5c071c17213bc6edf37443a]
      usb: gadget: function: printer: avoid wrong list handling in printer_write()
         [4a014a7339f441b0851ce012f469c0fadac61c81]

YueHaibing (1):
      net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
         [64119e05f7b31e83e2555f6782e6cdc8f81c63f4]

Yuiko Oshino (1):
      smsc75xx: Add workaround for gigabit link up hardware errata.
         [d461e3da905332189aad546b2ad9adbe6071c7cc]

Zheng Yan (2):
      ceph: fix llistxattr on symlink
         [0abb43dcacb52145aa265f82c914375d59dfe2da]
      ceph: use lookup request to revalidate dentry
         [200fd27c8fa2ba8bb4529033967b69a7cbfa2c2e]

Zhong Jiang (1):
      sched/topology: Make local variables static
         [ace8031099f91480799b5929b4cccf2dcacc5136]

 Documentation/filesystems/proc.txt                 |  31 +-
 Makefile                                           |   4 +-
 arch/arc/include/asm/page.h                        |   2 +-
 arch/arc/include/asm/pgtable.h                     |   2 +-
 arch/arm/boot/dts/da850.dtsi                       |   6 +-
 arch/arm/include/asm/kgdb.h                        |   2 +-
 arch/arm64/include/asm/barrier.h                   |  20 ++
 arch/arm64/include/uapi/asm/kvm.h                  |   2 +-
 arch/m68k/include/asm/delay.h                      |  11 +-
 arch/m68k/mm/kmap.c                                |   3 +-
 arch/mips/bcm47xx/setup.c                          |   6 +
 arch/mips/include/asm/asmmacro.h                   |  11 +
 arch/mips/include/asm/compiler.h                   |   6 +
 arch/mips/include/asm/io.h                         |   2 +
 arch/mips/include/asm/mipsregs.h                   |   3 +
 arch/mips/include/asm/pci.h                        |   2 +-
 arch/powerpc/Makefile                              |   1 +
 arch/powerpc/kernel/entry_64.S                     |   1 +
 arch/powerpc/kernel/fadump.c                       |   3 +
 arch/powerpc/kernel/hw_breakpoint.c                |   4 +-
 arch/powerpc/kernel/ptrace.c                       |   1 +
 arch/powerpc/lib/feature-fixups-test.S             |   4 +-
 arch/powerpc/lib/feature-fixups.c                  | 180 +++++------
 arch/s390/include/asm/cpu_mf.h                     |   6 +-
 arch/x86/include/asm/apm.h                         |   6 -
 arch/x86/include/asm/barrier.h                     |   4 +-
 arch/x86/include/asm/cpufeature.h                  |   8 +-
 arch/x86/include/uapi/asm/msr-index.h              |   4 +-
 arch/x86/kernel/apic/apic.c                        |   3 +-
 arch/x86/kernel/apm_32.c                           |   5 +
 arch/x86/kernel/cpu/bugs.c                         |  17 +-
 arch/x86/kernel/cpu/common.c                       |  13 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |  21 +-
 arch/x86/kernel/traps.c                            |  14 +-
 arch/x86/kvm/cpuid.c                               |  10 +-
 arch/x86/kvm/cpuid.h                               |   2 +-
 arch/x86/kvm/svm.c                                 |   2 +-
 arch/x86/kvm/x86.c                                 |   6 +
 arch/xtensa/kernel/traps.c                         |   2 +-
 block/blk-mq-tag.c                                 |  42 ++-
 crypto/asymmetric_keys/x509_cert_parser.c          |   9 +
 drivers/acpi/acpi_lpss.c                           |   1 +
 drivers/ata/ahci.c                                 |  59 ++++
 drivers/ata/libata-core.c                          |   6 +-
 drivers/ata/libata-zpodd.c                         |   4 +-
 drivers/base/core.c                                |  14 +-
 drivers/base/power/wakeup.c                        |   1 -
 drivers/char/ipmi/ipmi_bt_sm.c                     |   3 +-
 drivers/char/random.c                              |  10 +-
 drivers/char/tpm/tpm-dev.c                         |  41 ++-
 drivers/clk/clk-si5351.c                           |  10 +-
 drivers/clk/qcom/clk-rcg2.c                        |   1 +
 drivers/crypto/padlock-aes.c                       |   8 +-
 drivers/dma/k3dma.c                                |   2 +-
 drivers/gpu/drm/drm_context.c                      |   2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.c              |   7 -
 drivers/gpu/drm/nouveau/nouveau_gem.c              |   4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |   5 +-
 drivers/gpu/drm/udl/udl_transfer.c                 |  11 +-
 drivers/hid/hid-ids.h                              |   3 +
 drivers/hid/hid-input.c                            |  20 +-
 drivers/hid/usbhid/hid-quirks.c                    |   1 +
 drivers/hid/usbhid/hiddev.c                        |  11 +
 drivers/infiniband/core/uverbs_cmd.c               |  27 +-
 drivers/infiniband/hw/mlx4/mad.c                   |   1 -
 drivers/infiniband/hw/mlx5/srq.c                   |  18 +-
 drivers/infiniband/hw/qib/qib.h                    |   3 +-
 drivers/infiniband/hw/qib/qib_file_ops.c           |  10 +-
 drivers/infiniband/hw/qib/qib_user_pages.c         |  20 +-
 drivers/infiniband/ulp/ipoib/ipoib.h               |   2 +-
 drivers/infiniband/ulp/ipoib/ipoib_main.c          |  33 +-
 drivers/infiniband/ulp/isert/ib_isert.c            |  27 +-
 drivers/input/mouse/elantech.c                     |  28 +-
 drivers/input/serio/i8042-x86ia64io.h              |  14 +
 drivers/iommu/dmar.c                               |   8 +-
 drivers/leds/led-triggers.c                        |  12 +-
 drivers/md/dm-bufio.c                              |  15 +-
 drivers/md/dm-thin.c                               |  11 +-
 drivers/media/dvb-core/dvb_frontend.c              |  23 +-
 drivers/media/dvb-frontends/drxd_hard.c            |   3 +-
 drivers/media/dvb-frontends/drxk_hard.c            |   3 +-
 drivers/media/i2c/smiapp/smiapp-core.c             |  11 +-
 drivers/media/platform/davinci/ccdc_hw_device.h    |  10 -
 drivers/media/platform/davinci/dm355_ccdc.c        |  92 +-----
 drivers/media/platform/davinci/dm644x_ccdc.c       | 151 +--------
 drivers/media/platform/davinci/vpfe_capture.c      |  75 -----
 drivers/media/platform/omap3isp/isp.c              |   7 -
 drivers/media/rc/imon.c                            |   2 +-
 drivers/media/rc/ir-mce_kbd-decoder.c              |   2 +
 drivers/media/usb/cx231xx/cx231xx-cards.c          |   3 +
 drivers/media/usb/uvc/uvc_video.c                  |  24 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |   2 +-
 drivers/media/v4l2-core/v4l2-event.c               |  38 +--
 drivers/media/v4l2-core/v4l2-fh.c                  |   2 +
 drivers/mfd/tps65911-comparator.c                  |  17 +-
 drivers/misc/ibmasm/ibmasmfs.c                     |  27 +-
 drivers/mmc/host/sdhci-esdhc-imx.c                 |  18 +-
 drivers/mtd/chips/cfi_cmdset_0002.c                |  51 ++--
 drivers/mtd/nand/mxc_nand.c                        |   5 +-
 drivers/mtd/nand/omap2.c                           | 340 +++++++--------------
 drivers/net/can/cc770/cc770_platform.c             |   2 +-
 drivers/net/can/dev.c                              |  78 +++++
 drivers/net/can/grcan.c                            |   2 +-
 drivers/net/can/mscan/mpc5xxx_can.c                |   7 +-
 drivers/net/can/sja1000/sja1000_platform.c         |   2 +-
 drivers/net/can/usb/ems_usb.c                      |   1 +
 drivers/net/can/xilinx_can.c                       | 323 ++++++++++++++++----
 drivers/net/ethernet/8390/ax88796.c                |   1 -
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c    |   1 +
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c   |   2 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |   1 -
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c    |   2 +
 .../net/ethernet/mellanox/mlx4/resource_tracker.c  |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |   8 +-
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c  |   2 +
 drivers/net/ethernet/renesas/sh_eth.c              |  47 +--
 drivers/net/ethernet/ti/davinci_emac.c             |   4 +-
 drivers/net/usb/smsc75xx.c                         |  62 ++++
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c      |   2 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c  |   7 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.h  |   2 +-
 drivers/net/wireless/mwifiex/pcie.c                |   3 +-
 drivers/net/wireless/p54/fwio.c                    |   2 +-
 drivers/net/wireless/rtlwifi/rtl8723be/hw.c        |   2 +-
 drivers/net/xen-netfront.c                         | 295 +++++++-----------
 drivers/of/platform.c                              |   4 +-
 drivers/of/selftest.c                              |   8 +-
 drivers/pci/hotplug/ibmphp_core.c                  |   2 +-
 drivers/pci/hotplug/pciehp.h                       |   2 +-
 drivers/pci/hotplug/pciehp_core.c                  |   2 +-
 drivers/pci/hotplug/pciehp_hpc.c                   |  13 +-
 drivers/pci/hotplug/shpchp_ctrl.c                  |   8 +-
 drivers/pinctrl/pinctrl-exynos.c                   |   2 +-
 drivers/platform/x86/eeepc-laptop.c                |  36 +--
 drivers/pwm/pwm-lpss.c                             |  24 ++
 drivers/regulator/max8998.c                        |   3 +-
 drivers/s390/net/qeth_core.h                       |  11 +
 drivers/s390/net/qeth_core_main.c                  |  22 +-
 drivers/s390/scsi/zfcp_dbf.c                       |  39 +++
 drivers/s390/scsi/zfcp_erp.c                       | 123 ++++++--
 drivers/s390/scsi/zfcp_ext.h                       |   5 +
 drivers/s390/scsi/zfcp_scsi.c                      |  18 +-
 drivers/scsi/fnic/fnic_fcs.c                       |   3 +-
 drivers/scsi/qla2xxx/qla_init.c                    |  10 +-
 drivers/scsi/qla2xxx/qla_os.c                      |   5 +-
 drivers/scsi/qlogicpti.c                           |   6 +-
 drivers/scsi/sg.c                                  |  42 ++-
 drivers/scsi/sr.c                                  |  33 +-
 drivers/spi/spi-pxa2xx.c                           |  18 +-
 drivers/staging/android/ion/ion.c                  |   5 +-
 drivers/staging/android/ion/ion_heap.c             |   2 +-
 drivers/staging/iio/meter/ade7854-i2c.c            |  26 +-
 drivers/staging/iio/meter/ade7854.c                |  10 +-
 .../staging/iio/trigger/iio-trig-periodic-rtc.c    |   6 +-
 .../staging/rtl8192ee/btcoexist/halbtc8821a2ant.c  |   4 +-
 drivers/staging/rtl8192ee/rtl8192ee/hw.c           |  14 +-
 drivers/staging/usbip/stub_rx.c                    |  11 +-
 drivers/staging/vt6656/dpc.c                       |   4 +-
 drivers/staging/vt6656/main_usb.c                  |  23 +-
 drivers/target/target_core_pr.c                    |  22 +-
 drivers/tty/n_tty.c                                |  55 ++--
 drivers/tty/serial/amba-pl011.c                    |  15 +
 drivers/tty/vt/vt.c                                |  76 ++---
 drivers/usb/class/cdc-acm.c                        |   6 +
 drivers/usb/core/hub.c                             |  12 +-
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/gadget/f_uac2.c                        |   8 +-
 drivers/usb/gadget/printer.c                       |  13 +-
 drivers/usb/host/xhci-mem.c                        |   2 +-
 drivers/usb/misc/usb3503.c                         |   3 +-
 drivers/usb/serial/ch341.c                         |   2 +-
 drivers/usb/serial/cp210x.c                        |  15 +
 drivers/usb/serial/keyspan_pda.c                   |   4 +-
 drivers/usb/serial/mos7840.c                       |   3 +
 drivers/vhost/net.c                                |   3 +-
 drivers/video/backlight/as3711_bl.c                |  45 ++-
 drivers/video/backlight/max8925_bl.c               |   4 +-
 drivers/video/backlight/tps65217_bl.c              |   4 +-
 drivers/video/fbdev/omap/lcd_ams_delta.c           |   4 +
 drivers/video/fbdev/omap/lcd_h3.c                  |   4 +
 drivers/video/fbdev/omap/lcd_htcherald.c           |   4 +
 drivers/video/fbdev/omap/lcd_inn1510.c             |   4 +
 drivers/video/fbdev/omap/lcd_inn1610.c             |   4 +
 drivers/video/fbdev/omap/lcd_osk.c                 |   4 +
 drivers/video/fbdev/omap/lcd_palmte.c              |   4 +
 drivers/video/fbdev/omap/lcd_palmtt.c              |   4 +
 drivers/video/fbdev/omap/lcd_palmz71.c             |   4 +
 drivers/virtio/virtio_balloon.c                    |   2 +
 drivers/w1/masters/mxc_w1.c                        |  20 +-
 drivers/w1/slaves/w1_bq27000.c                     |   4 +-
 drivers/w1/w1.c                                    |   2 +-
 drivers/w1/w1_family.h                             |   1 +
 drivers/xen/events/events_base.c                   |   2 -
 fs/binfmt_elf.c                                    |  46 +--
 fs/binfmt_misc.c                                   |  12 +-
 fs/btrfs/inode.c                                   |  33 +-
 fs/cachefiles/bind.c                               |   3 +-
 fs/cachefiles/namei.c                              |   3 +-
 fs/cachefiles/rdwr.c                               |  17 +-
 fs/ceph/dir.c                                      |  39 +++
 fs/ceph/inode.c                                    |   1 +
 fs/ceph/super.h                                    |   9 +
 fs/ceph/xattr.c                                    |  10 +-
 fs/cifs/cifsglob.h                                 |   5 +-
 fs/cifs/cifsproto.h                                |   1 +
 fs/cifs/cifssmb.c                                  |  10 +-
 fs/cifs/connect.c                                  |   7 +-
 fs/cifs/smb1ops.c                                  |   1 +
 fs/cifs/smb2file.c                                 |  11 +-
 fs/cifs/smb2ops.c                                  |  13 +-
 fs/cifs/smb2pdu.c                                  |  33 +-
 fs/cifs/smb2pdu.h                                  |   6 +-
 fs/cifs/smb2transport.c                            |   1 +
 fs/cifs/transport.c                                |  18 +-
 fs/dcache.c                                        |  85 +++---
 fs/ext4/balloc.c                                   |   3 +
 fs/ext4/file.c                                     |  90 +++---
 fs/ext4/ialloc.c                                   |   5 +-
 fs/ext4/inline.c                                   |  18 +-
 fs/ext4/inode.c                                    |  70 +++--
 fs/ext4/resize.c                                   |   2 +-
 fs/ext4/super.c                                    |  75 +++--
 fs/ext4/xattr.c                                    |  31 +-
 fs/fat/inode.c                                     |  20 +-
 fs/fscache/cache.c                                 |   2 +-
 fs/fscache/cookie.c                                |   7 +-
 fs/fscache/object.c                                |   1 +
 fs/fscache/operation.c                             |   6 +-
 fs/fuse/control.c                                  |  13 +-
 fs/fuse/dir.c                                      |  13 +-
 fs/fuse/inode.c                                    |   1 +
 fs/namespace.c                                     |  27 +-
 fs/nfs/idmap.c                                     |   5 +-
 fs/nfsd/auth.c                                     |   2 +-
 fs/nfsd/nfs4xdr.c                                  |   5 +-
 fs/proc/task_mmu.c                                 |  74 ++---
 fs/proc/task_nommu.c                               |  32 +-
 fs/reiserfs/prints.c                               | 141 +++++----
 fs/squashfs/block.c                                |   2 +
 fs/squashfs/cache.c                                |   3 +
 fs/squashfs/file.c                                 |   8 +-
 fs/squashfs/fragment.c                             |   4 +-
 fs/squashfs/squashfs_fs.h                          |   6 +
 fs/ubifs/journal.c                                 |   5 +-
 fs/udf/directory.c                                 |   3 +
 include/linux/blkdev.h                             |   4 +-
 include/linux/can/dev.h                            |   3 +
 include/linux/compiler.h                           |   2 +-
 include/linux/cred.h                               |   9 +
 include/linux/dcache.h                             |  17 --
 include/linux/fs.h                                 |   5 +
 include/linux/libata.h                             |   1 +
 include/linux/mfd/as3711.h                         |   4 +-
 include/linux/mm.h                                 |   3 +-
 include/linux/perf_event.h                         |   8 +
 include/linux/ring_buffer.h                        |   1 +
 include/linux/string.h                             |   2 +-
 include/media/davinci/dm644x_ccdc.h                |  12 -
 include/media/davinci/vpfe_capture.h               |  10 -
 include/media/v4l2-fh.h                            |   1 +
 include/net/af_vsock.h                             |   4 +-
 include/net/net_namespace.h                        |   1 +
 include/net/netns/ipv6.h                           |   1 -
 include/sound/core.h                               |   2 +-
 include/uapi/linux/can/error.h                     |   1 +
 include/uapi/linux/kexec.h                         |   6 -
 include/uapi/linux/vt.h                            |   1 -
 kernel/events/core.c                               |  21 +-
 kernel/gcov/base.c                                 |  12 +
 kernel/gcov/gcc_4_7.c                              |   6 +-
 kernel/kthread.c                                   |   8 +-
 kernel/power/wakelock.c                            |   1 +
 kernel/sched/core.c                                |   2 +-
 kernel/sched/fair.c                                |  14 +-
 kernel/sched/sched.h                               |   2 +
 kernel/time.c                                      |   6 +-
 kernel/time/tick-sched.c                           |   2 +-
 kernel/trace/ring_buffer.c                         |  16 +
 kernel/trace/trace.c                               |   6 +
 kernel/trace/trace_events_trigger.c                |  18 +-
 kernel/trace/trace_functions_graph.c               |   7 +-
 kernel/trace/trace_kprobe.c                        |  15 +-
 mm/hugetlb.c                                       |   1 +
 mm/ksm.c                                           |  16 +-
 mm/mlock.c                                         |   2 -
 mm/mmap.c                                          |  13 +-
 mm/page_alloc.c                                    |   3 +-
 mm/rmap.c                                          |   4 +
 mm/swapfile.c                                      |   2 +-
 mm/util.c                                          |  34 +--
 net/batman-adv/Makefile                            |   2 +-
 net/batman-adv/debugfs.c                           |  48 ++-
 net/batman-adv/debugfs.h                           |  45 +++
 net/batman-adv/hard-interface.c                    |  37 ++-
 net/batman-adv/translation-table.c                 |   7 +-
 net/caif/caif_dev.c                                |   4 +-
 net/core/rtnetlink.c                               |   8 +-
 net/core/skbuff.c                                  |   1 +
 net/dccp/ccids/ccid2.c                             |   6 +-
 net/dns_resolver/dns_key.c                         |  28 +-
 net/ipv4/fib_frontend.c                            |   5 +-
 net/ipv4/fib_semantics.c                           |   2 +
 net/ipv4/igmp.c                                    |   3 +-
 net/ipv6/ip6mr.c                                   |   3 +-
 net/ipv6/mcast.c                                   |  12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   6 +-
 net/l2tp/l2tp_netlink.c                            |   6 +
 net/l2tp/l2tp_ppp.c                                |  76 +++--
 net/netfilter/nf_log.c                             |   9 +-
 net/netfilter/nfnetlink_queue_core.c               |   3 +
 net/netlink/af_netlink.c                           |   5 +
 net/packet/af_packet.c                             |  10 +-
 net/sched/act_simple.c                             |  14 +-
 net/sctp/outqueue.c                                |  48 ++-
 net/socket.c                                       |   2 +
 net/vmw_vsock/af_vsock.c                           |  15 +-
 net/vmw_vsock/vmci_transport.c                     |   3 +-
 net/wireless/util.c                                |   2 +
 net/xfrm/xfrm_policy.c                             |   3 +
 net/xfrm/xfrm_user.c                               |  18 +-
 scripts/kconfig/confdata.c                         |   2 +-
 scripts/mod/devicetable-offsets.c                  |   3 +
 scripts/mod/file2alias.c                           |  11 +
 sound/core/device.c                                |   9 +
 sound/core/timer.c                                 |   2 +-
 sound/isa/msnd/msnd_pinnacle_mixer.c               |   3 +-
 sound/pci/hda/hda_controller.c                     |   4 +-
 sound/pci/hda/patch_ca0132.c                       |   8 +-
 sound/pci/hda/patch_conexant.c                     |   1 +
 sound/pci/hda/patch_realtek.c                      |   1 +
 sound/soc/cirrus/edb93xx.c                         |   2 +-
 sound/soc/cirrus/ep93xx-i2s.c                      |  26 +-
 sound/soc/cirrus/snappercl15.c                     |   2 +-
 sound/soc/soc-dapm.c                               |   2 +
 tools/arch/x86/include/asm/unistd_32.h             |   9 +
 tools/arch/x86/include/asm/unistd_64.h             |   9 +
 tools/include/linux/compiler.h                     |   9 +
 tools/perf/Makefile.perf                           |   2 -
 tools/perf/builtin-script.c                        |  82 +++--
 tools/perf/builtin-top.c                           |   2 +-
 tools/perf/builtin-trace.c                         |   5 +-
 tools/perf/config/Makefile                         |   1 +
 tools/perf/perf-sys.h                              |  18 --
 tools/perf/tests/attr.c                            |   4 +-
 tools/perf/tests/pmu.c                             |   2 +-
 tools/perf/util/cgroup.c                           |   2 +-
 tools/perf/util/event.c                            |  12 +-
 tools/perf/util/include/asm/unistd_32.h            |   1 -
 tools/perf/util/include/asm/unistd_64.h            |   1 -
 tools/perf/util/pager.c                            |   5 +-
 tools/perf/util/parse-events.c                     |  64 ++--
 tools/perf/util/pmu.c                              |   2 +-
 tools/perf/util/setup.py                           |   1 +
 tools/perf/util/thread.c                           |   2 +-
 tools/perf/util/thread_map.c                       |  10 +-
 tools/perf/util/util.h                             |   2 +
 tools/power/x86/turbostat/turbostat.c              |   4 +-
 357 files changed, 3362 insertions(+), 2348 deletions(-)

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 345/366] p54: memset(0) whole array
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (212 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 284/366] can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 315/366] fix mntput/mntput race Ben Hutchings
                   ` (152 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-wireless, netdev, Jiri Slaby, Kalle Valo,
	Christian Lamparter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 6f17581788206444cbbcdbc107498f85e9765e3d upstream.

gcc 7 complains:
drivers/net/wireless/intersil/p54/fwio.c: In function 'p54_scan':
drivers/net/wireless/intersil/p54/fwio.c:491:4: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]

Fix that by passing the correct size to memset.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Christian Lamparter <chunkeey@googlemail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/p54/fwio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/p54/fwio.c
+++ b/drivers/net/wireless/p54/fwio.c
@@ -486,7 +486,7 @@ int p54_scan(struct p54_common *priv, u1
 
 			entry += sizeof(__le16);
 			chan->pa_points_per_curve = 8;
-			memset(chan->curve_data, 0, sizeof(*chan->curve_data));
+			memset(chan->curve_data, 0, sizeof(chan->curve_data));
 			memcpy(chan->curve_data, entry,
 			       sizeof(struct p54_pa_curve_data_sample) *
 			       min((u8)8, curve_data->points_per_channel));
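
Review bot: the changelog presents this only as silencing a gcc 7
warning, but the removed line zeroed a single element
(sizeof(*chan->curve_data)), so with pa_points_per_curve fixed at 8 and
the memcpy below copying only min(8, points_per_channel) samples, the
remaining samples kept whatever the buffer held before. Please say that
in the commit message, since it is a behaviour fix and not just a warning
fix. sizeof(chan->curve_data) is correct only while curve_data is an
array member; a comment or a BUILD_BUG_ON-style check would make that
assumption explicit.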


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 003/366] staging: vt6656: Fix misleading indentation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 090/366] Btrfs: don't return ino to ino cache if inode item removal fails Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 364/366] perf trace: Do not process PERF_RECORD_LOST twice Ben Hutchings
                   ` (210 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Fix the compiler warnings:

drivers/staging/vt6656/dpc.c:712:5: warning: this 'if' clause does not guard...
drivers/staging/vt6656/main_usb.c:1101:7: warning: this 'if' clause does not guard...

by reducing indentation of the following statements in
RXbBulkInProcessData() and reformatting the kstrstr() function to
kernel coding style.

Both functions have been removed in a later version, so there is no
corresponding upstream commit.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/staging/vt6656/main_usb.c
+++ b/drivers/staging/vt6656/main_usb.c
@@ -1092,17 +1092,18 @@ out:
 
 /* find out the start position of str2 from str1 */
 static unsigned char *kstrstr(const unsigned char *str1,
-			      const unsigned char *str2) {
-  int str1_len = strlen(str1);
-  int str2_len = strlen(str2);
+			      const unsigned char *str2)
+{
+	int str1_len = strlen(str1);
+	int str2_len = strlen(str2);
 
-  while (str1_len >= str2_len) {
-       str1_len--;
-      if(memcmp(str1,str2,str2_len)==0)
-	return (unsigned char *) str1;
-        str1++;
-  }
-  return NULL;
+	while (str1_len >= str2_len) {
+		str1_len--;
+		if (memcmp(str1, str2, str2_len) == 0)
+			return (unsigned char *)str1;
+		str1++;
+	}
+	return NULL;
 }
 
 static int Config_FileGetParameter(unsigned char *string,
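
Review bot: kstrstr() is reformatted wholesale for a warning reported on
one line (main_usb.c:1101), which makes the stable diff larger than it
needs to be; re-indenting only the statement after the `if` would silence
the warning with less churn. If the full reformat stays, state in the
changelog that no functional change is intended for this function.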
--- a/drivers/staging/vt6656/dpc.c
+++ b/drivers/staging/vt6656/dpc.c
@@ -712,8 +712,8 @@ int RXbBulkInProcessData(struct vnt_priv
     if (FrameSize < 12)
         return false;
 
-	skb->data += cbHeaderOffset;
-	skb->tail += cbHeaderOffset;
+    skb->data += cbHeaderOffset;
+    skb->tail += cbHeaderOffset;
     skb_put(skb, FrameSize);
     skb->protocol=eth_type_trans(skb, skb->dev);
     skb->ip_summed=CHECKSUM_NONE;
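
Review bot: the two replaced lines trade tab indentation for four spaces
to match the lines around them, so the warning goes away but the result
still departs from kernel coding style, while the changelog says only
that indentation is reduced. That is reasonable for a function that no
longer exists upstream, but say so in the message so the space
indentation is not mistaken for an accident.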


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 021/366] net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()).
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (353 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 310/366] netlink: Don't shift on 64 for ngroups Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 282/366] can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK Ben Hutchings
                   ` (11 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Schmitz, Geert Uytterhoeven, David S. Miller,
	Michael Karcher

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

commit 9144c3795c2636351d553e4d0fc5297201182de2 upstream.

This complements the fix in 82533ad9a1c ("net: ethernet: ax88796:
don't call free_irq without request_irq first") that removed the
free_irq call in the error path of probe, to also not call free_irq
when remove is called to revert the effects of probe.

Fixes: 82533ad9a1c (net: ethernet: ax88796: don't call free_irq without request_irq first)
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/8390/ax88796.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/ethernet/8390/ax88796.c
+++ b/drivers/net/ethernet/8390/ax88796.c
@@ -812,7 +812,6 @@ static int ax_remove(struct platform_dev
 	struct resource *mem;
 
 	unregister_netdev(dev);
-	free_irq(dev->irq, dev);
 
 	iounmap(ei_local->mem);
 	mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
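
Review bot: dropping free_irq() from ax_remove() is only safe if the IRQ
has always been released by the time unregister_netdev() returns, which
the subject attributes to ax_close(). The message carries no backport
note, so please confirm that ax_open()/ax_close() in 3.16 request and
free the IRQ as a pair and that 82533ad9a1c, which this complements, is
in the 3.16.y tree; otherwise the interrupt is leaked on remove.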


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 100/366] fuse: fix control dir setup and teardown
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 216/366] ext4: Fix WARN_ON_ONCE in ext4_commit_super() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 191/366] batman-adv: Fix multicast TT issues with bogus ROAM flags Ben Hutchings
                   ` (349 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot, Miklos Szeredi

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.

syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
clear d_inode(dentry)->i_private field.

Fix by only adding the dentry to the array after being fully set up.

When tearing down the control directory, do d_invalidate() on it to get rid
of any mounts that might have been added.

[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
Reported-by: syzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/control.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr
 	if (!dentry)
 		return NULL;
 
-	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
 	inode = new_inode(fuse_control_sb);
-	if (!inode)
+	if (!inode) {
+		dput(dentry);
 		return NULL;
+	}
 
 	inode->i_ino = get_next_ino();
 	inode->i_mode = mode;
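
Review bot: the dput(dentry) added on the new_inode() failure path is not
mentioned in the changelog, which describes only the later move of the
ctl_dentry[] store. It fixes a separate leak of the just-allocated
dentry, so it deserves a sentence in the message. The caller still gets a
bare NULL and cannot tell this failure from the `if (!dentry)` one above,
which is fine as long as both are treated as out-of-memory.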
@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr
 	set_nlink(inode, nlink);
 	inode->i_private = fc;
 	d_add(dentry, inode);
+
+	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+
 	return dentry;
 }
 
@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co
 	for (i = fc->ctl_ndents - 1; i >= 0; i--) {
 		struct dentry *dentry = fc->ctl_dentry[i];
 		dentry->d_inode->i_private = NULL;
-		d_drop(dentry);
+		if (!i) {
+			/* Get rid of submounts: */
+			d_invalidate(dentry);
+		}
 		dput(dentry);
 	}
 	drop_nlink(fuse_control_sb->s_root->d_inode);
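
Review bot: `dentry->d_inode->i_private = NULL` is still an unconditional
dereference and is now safe only because every ctl_dentry[] entry is
stored after d_add(); a one-line comment stating that invariant would
keep a later change from reintroducing the NULL dereference. The `if (!i)`
test also relies on index 0 being the control directory itself, which the
new comment does not say. Since d_drop() is no longer called for any
entry and the backport note says only "adjust context", please confirm
that d_invalidate() in 3.16 has the submount-removing behaviour the
comment relies on.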


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 175/366] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (237 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 323/366] media: v4l: event: Prevent freeing event subscriptions while accessed Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49   ` Ben Hutchings
                   ` (127 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Joakim Tjernlund

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.

The "sector is in requested range" test used to determine whether
sectors should be re-locked or not is done on a variable that is reset
every time we cross a chip boundary, which can lead to some blocks being
re-locked while the caller expects them to be unlocked.
Fix the check to make sure this cannot happen.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2340,7 +2340,7 @@ static int __maybe_unused cfi_ppb_unlock
 		 * sectors shall be unlocked, so lets keep their locking
 		 * status at "unlocked" (locked=0) for the final re-locking.
 		 */
-		if ((adr < ofs) || (adr >= (ofs + len))) {
+		if ((offset < ofs) || (offset >= (ofs + len))) {
 			sect[sectors].chip = &cfi->chips[chipnum];
 			sect[sectors].adr = adr;
 			sect[sectors].locked = do_ppb_xxlock(
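
Review bot: the condition now tests `offset` while the entry stored two
lines later still records `adr`, and nothing in the hunk says how the two
differ. Per the changelog one of them is reset at every chip boundary; a
short comment above the `if` stating that `offset` is the position
compared against the caller's `ofs`/`len` range and `adr` is the per-chip
address would make the distinction hard to get wrong again.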


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (304 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 204/366] net/mlx5: Fix incorrect raw command length parsing Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 042/366] powerpc/lib: Fix the feature fixup tests to actually work Ben Hutchings
                   ` (60 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, David Vrabel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Vrabel <david.vrabel@citrix.com>

commit a5b5dc3ce4df4f05f4d81c7d3c56a7604b242093 upstream.

Since netfront may reconnect to a backend with a different number of
queues, all per-queue Rx and Tx resources (skbs and grant references)
should be freed when disconnecting.

Without this fix, the Tx and Rx grant refs are not released and
netfront will exhaust them after only a few reconnections.  netfront
will fail to connect when no free grant references are available.

Since all Rx bufs are freed and reallocated instead of reused this
will add some additional delay to the reconnection but this is
expected to be small compared to the time taken by any backend hotplug
scripts etc.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 68 ++++----------------------------------
 1 file changed, 7 insertions(+), 61 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1194,22 +1194,6 @@ static void xennet_release_rx_bufs(struc
 	spin_unlock_bh(&queue->rx_lock);
 }
 
-static void xennet_uninit(struct net_device *dev)
-{
-	struct netfront_info *np = netdev_priv(dev);
-	unsigned int num_queues = dev->real_num_tx_queues;
-	struct netfront_queue *queue;
-	unsigned int i;
-
-	for (i = 0; i < num_queues; ++i) {
-		queue = &np->queues[i];
-		xennet_release_tx_bufs(queue);
-		xennet_release_rx_bufs(queue);
-		gnttab_free_grant_references(queue->gref_tx_head);
-		gnttab_free_grant_references(queue->gref_rx_head);
-	}
-}
-
 static netdev_features_t xennet_fix_features(struct net_device *dev,
 	netdev_features_t features)
 {
@@ -1311,7 +1295,6 @@ static void xennet_poll_controller(struc
 
 static const struct net_device_ops xennet_netdev_ops = {
 	.ndo_open            = xennet_open,
-	.ndo_uninit          = xennet_uninit,
 	.ndo_stop            = xennet_close,
 	.ndo_start_xmit      = xennet_start_xmit,
 	.ndo_change_mtu	     = xennet_change_mtu,
@@ -1454,6 +1437,11 @@ static void xennet_disconnect_backend(st
 		if (netif_running(info->netdev))
 			napi_synchronize(&queue->napi);
 
+		xennet_release_tx_bufs(queue);
+		xennet_release_rx_bufs(queue);
+		gnttab_free_grant_references(queue->gref_tx_head);
+		gnttab_free_grant_references(queue->gref_rx_head);
+
 		/* End access and free the pages */
 		xennet_end_access(queue->tx_ring_ref, queue->tx.sring);
 		xennet_end_access(queue->rx_ring_ref, queue->rx.sring);
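
Review bot: xennet_release_tx_bufs(queue) is called here without
queue->tx_lock, whereas the call removed from xennet_connect() later in
this patch was wrapped in spin_lock_irq(&queue->tx_lock) and
spin_unlock_irq(). Note also that napi_synchronize() just above runs only
when netif_running() is true. If the teardown order makes the lock
unnecessary at this point, say so in a comment; otherwise take the lock
as the old caller did.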
@@ -2009,10 +1997,7 @@ static int xennet_connect(struct net_dev
 {
 	struct netfront_info *np = netdev_priv(dev);
 	unsigned int num_queues = 0;
-	int i, requeue_idx, err;
-	struct sk_buff *skb;
-	grant_ref_t ref;
-	struct xen_netif_rx_request *req;
+	int err;
 	unsigned int feature_rx_copy;
 	unsigned int j = 0;
 	struct netfront_queue *queue = NULL;
@@ -2039,47 +2024,8 @@ static int xennet_connect(struct net_dev
 	netdev_update_features(dev);
 	rtnl_unlock();
 
-	/* By now, the queue structures have been set up */
-	for (j = 0; j < num_queues; ++j) {
-		queue = &np->queues[j];
-
-		/* Step 1: Discard all pending TX packet fragments. */
-		spin_lock_irq(&queue->tx_lock);
-		xennet_release_tx_bufs(queue);
-		spin_unlock_irq(&queue->tx_lock);
-
-		/* Step 2: Rebuild the RX buffer freelist and the RX ring itself. */
-		spin_lock_bh(&queue->rx_lock);
-
-		for (requeue_idx = 0, i = 0; i < NET_RX_RING_SIZE; i++) {
-			skb_frag_t *frag;
-			const struct page *page;
-			if (!queue->rx_skbs[i])
-				continue;
-
-			skb = queue->rx_skbs[requeue_idx] = xennet_get_rx_skb(queue, i);
-			ref = queue->grant_rx_ref[requeue_idx] = xennet_get_rx_ref(queue, i);
-			req = RING_GET_REQUEST(&queue->rx, requeue_idx);
-
-			frag = &skb_shinfo(skb)->frags[0];
-			page = skb_frag_page(frag);
-			gnttab_grant_foreign_access_ref(
-				ref, queue->info->xbdev->otherend_id,
-				pfn_to_mfn(page_to_pfn(page)),
-				0);
-			req->gref = ref;
-			req->id   = requeue_idx;
-
-			requeue_idx++;
-		}
-
-		queue->rx.req_prod_pvt = requeue_idx;
-
-		spin_unlock_bh(&queue->rx_lock);
-	}
-
 	/*
-	 * Step 3: All public and private state should now be sane.  Get
+	 * All public and private state should now be sane.  Get
 	 * ready to start sending and receiving packets and give the driver
 	 * domain a kick because we've probably just requeued some
 	 * packets.
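
Review bot: the surviving comment still ends with "because we've probably
just requeued some packets", but this hunk removes the only requeue code,
so the stated reason for the kick is now stale. Reword the comment to
match what the function does after the change and drop the reference to
requeued packets.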


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 320/366] make sure that __dentry_kill() always invalidates d_seq, unhashed or not
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (302 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 231/366] cifs: Fix use after free of a mid_q_entry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 204/366] net/mlx5: Fix incorrect raw command length parsing Ben Hutchings
                   ` (62 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Dae R. Jeong

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 4c0d7cd5c8416b1ef41534d19163cb07ffaa03ab upstream.

RCU pathwalk relies upon the assumption that anything that changes
->d_inode of a dentry will invalidate its ->d_seq.  That's almost
true - the one exception is that the final dput() of already unhashed
dentry does *not* touch ->d_seq at all.  Unhashing does, though,
so for anything we'd found by RCU dcache lookup we are fine.
Unfortunately, we can *start* with an unhashed dentry or jump into
it.

We could try and be careful in the (few) places where that could
happen.  Or we could just make the final dput() invalidate the damn
thing, unhashed or not.  The latter is much simpler and easier to
backport, so let's do it that way.

Reported-by: "Dae R. Jeong" <threeearcat@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -340,14 +340,11 @@ static void dentry_unlink_inode(struct d
 	__releases(dentry->d_inode->i_lock)
 {
 	struct inode *inode = dentry->d_inode;
-	bool hashed = !d_unhashed(dentry);
 
-	if (hashed)
-		raw_write_seqcount_begin(&dentry->d_seq);
+	raw_write_seqcount_begin(&dentry->d_seq);
 	__d_clear_type_and_inode(dentry);
 	hlist_del_init(&dentry->d_u.d_alias);
-	if (hashed)
-		raw_write_seqcount_end(&dentry->d_seq);
+	raw_write_seqcount_end(&dentry->d_seq);
 	spin_unlock(&dentry->d_lock);
 	spin_unlock(&inode->i_lock);
 	if (!inode->i_nlink)
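
Review bot: with the `hashed` test gone, nothing in the function records
why the seqcount write must be unconditional, and the removed check looks
like an optimisation someone could restore. Add a brief comment above
raw_write_seqcount_begin() noting that RCU pathwalk can start at or jump
into an unhashed dentry, as the changelog explains.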


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 308/366] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 264/366] usb: gadget: u_audio: update hw_ptr in iso_complete after data copied Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum Ben Hutchings
                   ` (118 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Stern, Bart Van Assche, Johannes Thumshirn,
	Martin K. Petersen, Maurizio Lombardi

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 1214fd7b497400d200e3f4e64e2338b303a20949 upstream.

Surround scsi_execute() calls with scsi_autopm_get_device() and
scsi_autopm_put_device(). Note: removing sr_mutex protection from the
scsi_cd_get() and scsi_cd_put() calls is safe because the purpose of
sr_mutex is to serialize cdrom_*() calls.

This patch avoids that complaints similar to the following appear in the
kernel log if runtime power management is enabled:

INFO: task systemd-udevd:650 blocked for more than 120 seconds.
     Not tainted 4.18.0-rc7-dbg+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
systemd-udevd   D28176   650    513 0x00000104
Call Trace:
__schedule+0x444/0xfe0
schedule+0x4e/0xe0
schedule_preempt_disabled+0x18/0x30
__mutex_lock+0x41c/0xc70
mutex_lock_nested+0x1b/0x20
__blkdev_get+0x106/0x970
blkdev_get+0x22c/0x5a0
blkdev_open+0xe9/0x100
do_dentry_open.isra.19+0x33e/0x570
vfs_open+0x7c/0xd0
path_openat+0x6e3/0x1120
do_filp_open+0x11c/0x1c0
do_sys_open+0x208/0x2d0
__x64_sys_openat+0x59/0x70
do_syscall_64+0x77/0x230
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Maurizio Lombardi <mlombard@redhat.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16:
 - Update one extra "goto out" in sr_block_ioctl() and delete the unused
   label
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -521,16 +521,25 @@ static int sr_init_command(struct scsi_c
 static int sr_block_open(struct block_device *bdev, fmode_t mode)
 {
 	struct scsi_cd *cd;
+	struct scsi_device *sdev;
 	int ret = -ENXIO;
 
-	mutex_lock(&sr_mutex);
 	cd = scsi_cd_get(bdev->bd_disk);
-	if (cd) {
-		ret = cdrom_open(&cd->cdi, bdev, mode);
-		if (ret)
-			scsi_cd_put(cd);
-	}
+	if (!cd)
+		goto out;
+
+	sdev = cd->device;
+	scsi_autopm_get_device(sdev);
+
+	mutex_lock(&sr_mutex);
+	ret = cdrom_open(&cd->cdi, bdev, mode);
 	mutex_unlock(&sr_mutex);
+
+	scsi_autopm_put_device(sdev);
+	if (ret)
+		scsi_cd_put(cd);
+
+out:
 	return ret;
 }
 
@@ -553,6 +562,8 @@ static int sr_block_ioctl(struct block_d
 
 	mutex_lock(&sr_mutex);
 
+	scsi_autopm_get_device(sdev);
+
 	/*
 	 * Send SCSI addressing ioctls directly to mid level, send other
 	 * ioctls to cdrom/block level.
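
Review bot: the return value of scsi_autopm_get_device(sdev) is ignored
here (and in sr_block_open() above), so the ioctl is issued even if the
runtime resume failed. Either check it and return the error, or add a
comment on why failure can be ignored. The ordering also differs between
the two functions: sr_block_open() takes the PM reference before
mutex_lock(&sr_mutex), while this path takes it after; if the order
matters for the hang described in the changelog, make both paths the
same.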
@@ -561,12 +572,12 @@ static int sr_block_ioctl(struct block_d
 	case SCSI_IOCTL_GET_IDLUN:
 	case SCSI_IOCTL_GET_BUS_NUMBER:
 		ret = scsi_ioctl(sdev, cmd, argp);
-		goto out;
+		goto put;
 	}
 
 	ret = cdrom_ioctl(&cd->cdi, bdev, mode, cmd, arg);
 	if (ret != -ENOSYS)
-		goto out;
+		goto put;
 
 	/*
 	 * ENODEV means that we didn't recognise the ioctl, or that we
@@ -577,10 +588,12 @@ static int sr_block_ioctl(struct block_d
 	ret = scsi_nonblockable_ioctl(sdev, cmd, argp,
 					(mode & FMODE_NDELAY) != 0);
 	if (ret != -ENODEV)
-		goto out;
+		goto put;
 	ret = scsi_ioctl(sdev, cmd, argp);
 
-out:
+put:
+	scsi_autopm_put_device(sdev);
+
 	mutex_unlock(&sr_mutex);
 	return ret;
 }


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 364/366] perf trace: Do not process PERF_RECORD_LOST twice
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 003/366] staging: vt6656: Fix misleading indentation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 297/366] tracing: Quiet gcc warning about maybe unused link variable Ben Hutchings
                   ` (209 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adrian Hunter, Wang Nan, Namhyung Kim,
	Arnaldo Carvalho de Melo, David Ahern, Jiri Olsa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 3ed5ca2efff70e9f589087c2013789572901112d upstream.

We catch this record to provide a visual indication that events are
getting lost, then call the default method to allow extra logging shared
with the other tools to take place.

This extra logging was done twice because we were continuing to the
"default" clause where machine__process_event() will end up calling
machine__process_lost_event() again, fix it.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-wus2zlhw3qo24ye84ewu4aqw@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/builtin-trace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1359,6 +1359,7 @@ static int trace__process_event(struct t
 		color_fprintf(trace->output, PERF_COLOR_RED,
 			      "LOST %" PRIu64 " events!\n", event->lost.lost);
 		ret = machine__process_lost_event(machine, event, sample);
+		break;
 	default:
 		ret = machine__process_event(machine, event, sample);
 		break;
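
Review bot: the missing `break` also meant that `ret` from
machine__process_lost_event() was overwritten by the
machine__process_event() call under `default`, which the changelog does
not mention. It is worth a sentence there, since the return value seen by
the caller for lost events changes along with the duplicate logging.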


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 334/366] HID: clamp input to logical range if no null state
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 228/366] USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 243/366] ARC: Fix CONFIG_SWAP Ben Hutchings
                   ` (264 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Tissoires, Tomasz Kramkowski, Jiri Kosina

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomasz Kramkowski <tk@the-tk.com>

commit c3883fe06488a483658ba5d849b70e49bee15e7c upstream.

This patch fixes an issue in drivers/hid/hid-input.c where values
outside of the logical range are not clamped when "null state" bit of
the input control is not set.

This was discussed on the lists [1] and this change stems from the fact
that, due to the ambiguity of the HID specification, it might be
appropriate to follow Microsoft's own interpretation of the specification. As noted in
Microsoft's documentation [2] in the section titled "Required HID usages
for digitizers" it is noted that values reported outside the logical
range "will be considered as invalid data and the value will be changed
to the nearest boundary value (logical min/max)."

This patch fixes an issue where the (1292:4745) Innomedia INNEX
GENESIS/ATARI reports out of range values for its X and Y axis of the
DPad which, due to the null state bit being unset, are forwarded to
userspace as is. Now these values will get clamped to the logical range
before being forwarded to userspace. This device was also used to test
this patch.

This patch expands on commit 3f3752705dbd ("HID: reject input outside
logical range only if null state is set").

[1]: http://lkml.kernel.org/r/20170307131036.GA853@gaia.local
[2]: https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp

Signed-off-by: Tomasz Kramkowski <tk@the-tk.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-input.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1087,19 +1087,26 @@ void hidinput_hid_event(struct hid_devic
 
 	/*
 	 * Ignore out-of-range values as per HID specification,
-	 * section 5.10 and 6.2.25.
+	 * section 5.10 and 6.2.25, when NULL state bit is present.
+	 * When it's not, clamp the value to match Microsoft's input
+	 * driver as mentioned in "Required HID usages for digitizers":
+	 * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp
 	 *
 	 * The logical_minimum < logical_maximum check is done so that we
 	 * don't unintentionally discard values sent by devices which
 	 * don't specify logical min and max.
 	 */
 	if ((field->flags & HID_MAIN_ITEM_VARIABLE) &&
-	    (field->flags & HID_MAIN_ITEM_NULL_STATE) &&
-	    (field->logical_minimum < field->logical_maximum) &&
-	    (value < field->logical_minimum ||
-	     value > field->logical_maximum)) {
-		dbg_hid("Ignoring out-of-range value %x\n", value);
-		return;
+	    (field->logical_minimum < field->logical_maximum)) {
+		if (field->flags & HID_MAIN_ITEM_NULL_STATE &&
+		    (value < field->logical_minimum ||
+		     value > field->logical_maximum)) {
+			dbg_hid("Ignoring out-of-range value %x\n", value);
+			return;
+		}
+		value = clamp(value,
+			      field->logical_minimum,
+			      field->logical_maximum);
 	}
 
 	/*
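
Review bot: the inner test "field->flags & HID_MAIN_ITEM_NULL_STATE && (...)" depends on & binding tighter than &&. It is correct, but the outer condition parenthesises its flag test, so write "(field->flags & HID_MAIN_ITEM_NULL_STATE) &&" to match. The clamp path also changes the reported value with no dbg_hid() line, unlike the ignore path just above it; a debug message when value differs from the clamped result would make misbehaving report descriptors visible.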



* [PATCH 3.16 325/366] ceph: use lookup request to revalidate dentry
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (281 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 294/366] ring_buffer: tracing: Inherit the tracing setting to next ring buffer Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Ben Hutchings
                   ` (83 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yan, Zheng, Bryan Henderson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Yan, Zheng" <zyan@redhat.com>

commit 200fd27c8fa2ba8bb4529033967b69a7cbfa2c2e upstream.

If dentry has no lease, ceph_d_revalidate() previously returned 0.
This causes VFS to invalidate the dentry and create a new dentry
for later lookup. Invalidating a dentry also detaches any underneath
mount points. So mount point inside cephfs can disappear mystically
(even the mount point is not modified by other hosts).

The fix is using lookup request to revalidate dentry without lease.
This can partly solve the mount points disappear issue (as long as
the mount point is not modified by other hosts)

Signed-off-by: Yan, Zheng <zyan@redhat.com>
Cc: Bryan Henderson <bryanh@giraffe-data.com>
[bwh: Backported to 3.16: Add the ceph_security_xattr_wanted() function]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/dir.c   | 34 ++++++++++++++++++++++++++++++++++
 fs/ceph/inode.c |  1 +
 2 files changed, 35 insertions(+)

--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1064,6 +1064,40 @@ static int ceph_d_revalidate(struct dent
 			valid = 1;
 	}
 
+	if (!valid) {
+		struct ceph_mds_client *mdsc =
+			ceph_sb_to_client(dir->i_sb)->mdsc;
+		struct ceph_mds_request *req;
+		int op, mask, err;
+
+		op = ceph_snap(dir) == CEPH_SNAPDIR ?
+			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_LOOKUP;
+		req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
+		if (!IS_ERR(req)) {
+			req->r_dentry = dget(dentry);
+			req->r_num_caps = 2;
+
+			mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
+			if (ceph_security_xattr_wanted(dir))
+				mask |= CEPH_CAP_XATTR_SHARED;
+			req->r_args.getattr.mask = mask;
+
+			req->r_locked_dir = dir;
+			err = ceph_mdsc_do_request(mdsc, NULL, req);
+			if (err == 0 || err == -ENOENT) {
+				if (dentry == req->r_dentry) {
+					valid = !d_unhashed(dentry);
+				} else {
+					d_invalidate(req->r_dentry);
+					err = -EAGAIN;
+				}
+			}
+			ceph_mdsc_put_request(req);
+			dout("d_revalidate %p lookup result=%d\n",
+			     dentry, err);
+		}
+	}
+
 	dout("d_revalidate %p %s\n", dentry, valid ? "valid" : "invalid");
 	if (valid) {
 		ceph_dentry_lru_touch(dentry);
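
Review bot: err is declared inside the if (!valid) block, so the -EAGAIN set when req->r_dentry differs from dentry only reaches the dout() line and the function still reports the dentry as invalid; say so in a comment, or drop the assignment. The IS_ERR(req) case is also silent: when ceph_mdsc_create_request() fails, valid stays 0 with no dout(), which is the pre-patch behaviour that the changelog says detaches mounts beneath the dentry.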
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1251,6 +1251,7 @@ retry_lookup:
 			dout(" %p links to %p %llx.%llx, not %llx.%llx\n",
 			     dn, dn->d_inode, ceph_vinop(dn->d_inode),
 			     ceph_vinop(in));
+			d_invalidate(dn);
 			have_lease = false;
 		}
 
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -736,6 +736,15 @@ extern void __ceph_destroy_xattrs(struct
 extern void __init ceph_xattr_init(void);
 extern void ceph_xattr_exit(void);
 
+#ifdef CONFIG_SECURITY
+extern bool ceph_security_xattr_wanted(struct inode *in);
+#else
+static inline bool ceph_security_xattr_wanted(struct inode *in)
+{
+	return false;
+}
+#endif
+
 /* acl.c */
 extern const struct xattr_handler *ceph_xattr_handlers[];
 
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1128,3 +1128,10 @@ int ceph_removexattr(struct dentry *dent
 
 	return __ceph_removexattr(dentry, name);
 }
+
+#ifdef CONFIG_SECURITY
+bool ceph_security_xattr_wanted(struct inode *in)
+{
+	return in->i_security != NULL;
+}
+#endif
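
Review bot: the diffstat at the top of this backport lists only fs/ceph/dir.c and fs/ceph/inode.c, but the patch also touches fs/ceph/super.h and fs/ceph/xattr.c to add ceph_security_xattr_wanted(); regenerate it so the added function is visible to anyone reviewing from the summary. The helper itself would benefit from a one-line comment stating that a non-NULL in->i_security is being used as the signal that security xattrs should be requested.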



* [PATCH 3.16 306/366] squashfs: more metadata hardening
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 235/366] USB: serial: keyspan_pda: fix modem-status error handling Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 051/366] rpmsg: Correct support for MODULE_DEVICE_TABLE() Ben Hutchings
                   ` (75 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Anatoly Trosinenko, Phillip Lougher, Linus Torvalds

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.

Anatoly reports another squashfs fuzzing issue, where the decompression
parameters themselves are in a compressed block.

This causes squashfs_read_data() to be called in order to read the
decompression options before the decompression stream having been set
up, making squashfs go sideways.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/squashfs/block.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -166,6 +166,8 @@ int squashfs_read_data(struct super_bloc
 	}
 
 	if (compressed) {
+		if (!msblk->stream)
+			goto read_failure;
 		length = squashfs_decompress(msblk, bh, b, offset, length,
 			output);
 		if (length < 0)
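
Review bot: the !msblk->stream test in the compressed branch needs a comment saying when the stream can be NULL at this point (the changelog gives the case: decompression options stored in a compressed block are read before the stream has been set up), otherwise it reads like a check that can never fire. Because the exit is the shared read_failure label, this case is also not distinguished from any other read failure; a dedicated message before the goto would tell a malformed image apart from a failing device.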



* [PATCH 3.16 289/366] cachefiles: Fix refcounting bug in backing-file read monitoring
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 253/366] fs, elf: make sure to page align bss in load_elf_library Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 159/366] x86/speculation: Fix up array_index_nospec_mask() asm constraint Ben Hutchings
                   ` (332 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Howells, Anthony DeRobertis, Lei Xue,
	Kiran Kumar Modukuri, Vegard Nossum, NeilBrown, Daniel Axtens

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit 934140ab028713a61de8bca58c05332416d037d1 upstream.

cachefiles_read_waiter() has the right to access a 'monitor' object by
virtue of being called under the waitqueue lock for one of the pages in its
purview.  However, it has no ref on that monitor object or on the
associated operation.

What it is allowed to do is to move the monitor object to the operation's
to_do list, but once it drops the work_lock, it's actually no longer
permitted to access that object.  However, it is trying to enqueue the
retrieval operation for processing - but it can only do this via a pointer
in the monitor object, something it shouldn't be doing.

If it doesn't enqueue the operation, the operation may not get processed.
If the order is flipped so that the enqueue is first, then it's possible
for the work processor to look at the to_do list before the monitor is
enqueued upon it.

Fix this by getting a ref on the operation so that we can trust that it
will still be there once we've added the monitor to the to_do list and
dropped the work_lock.  The op can then be enqueued after the lock is
dropped.

The bug can manifest in one of a couple of ways.  The first manifestation
looks like:

 FS-Cache:
 FS-Cache: Assertion failed
 FS-Cache: 6 == 5 is false
 ------------[ cut here ]------------
 kernel BUG at fs/fscache/operation.c:494!
 RIP: 0010:fscache_put_operation+0x1e3/0x1f0
 ...
 fscache_op_work_func+0x26/0x50
 process_one_work+0x131/0x290
 worker_thread+0x45/0x360
 kthread+0xf8/0x130
 ? create_worker+0x190/0x190
 ? kthread_cancel_work_sync+0x10/0x10
 ret_from_fork+0x1f/0x30

This is due to the operation being in the DEAD state (6) rather than
INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through
fscache_put_operation().

The bug can also manifest like the following:

 kernel BUG at fs/fscache/operation.c:69!
 ...
    [exception RIP: fscache_enqueue_operation+246]
 ...
 #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6
 #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48
 #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028

I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not
entirely clear which assertion failed.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Reported-by: Lei Xue <carmark.dlut@gmail.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Reported-by: Anthony DeRobertis <aderobertis@metrics.net>
Reported-by: NeilBrown <neilb@suse.com>
Reported-by: Daniel Axtens <dja@axtens.net>
Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cachefiles/rdwr.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/cachefiles/rdwr.c
+++ b/fs/cachefiles/rdwr.c
@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q
 	struct cachefiles_one_read *monitor =
 		container_of(wait, struct cachefiles_one_read, monitor);
 	struct cachefiles_object *object;
+	struct fscache_retrieval *op = monitor->op;
 	struct wait_bit_key *key = _key;
 	struct page *page = wait->private;
 
@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q
 	list_del(&wait->task_list);
 
 	/* move onto the action list and queue for FS-Cache thread pool */
-	ASSERT(monitor->op);
+	ASSERT(op);
 
-	object = container_of(monitor->op->op.object,
-			      struct cachefiles_object, fscache);
+	/* We need to temporarily bump the usage count as we don't own a ref
+	 * here otherwise cachefiles_read_copier() may free the op between the
+	 * monitor being enqueued on the op->to_do list and the op getting
+	 * enqueued on the work queue.
+	 */
+	fscache_get_retrieval(op);
 
+	object = container_of(op->op.object, struct cachefiles_object, fscache);
 	spin_lock(&object->work_lock);
-	list_add_tail(&monitor->op_link, &monitor->op->to_do);
+	list_add_tail(&monitor->op_link, &op->to_do);
 	spin_unlock(&object->work_lock);
 
-	fscache_enqueue_retrieval(monitor->op);
+	fscache_enqueue_retrieval(op);
+	fscache_put_retrieval(op);
 	return 0;
 }
 
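
Review bot: op is loaded from monitor->op at the top of cachefiles_read_waiter(), but fscache_get_retrieval(op) is only called after list_del(); the new comment should state what keeps op alive up to that point, since the whole fix depends on that ordering. The fscache_put_retrieval(op) after fscache_enqueue_retrieval(op) can also be the last put, so confirm that releasing the operation is safe from this wake-up callback.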



* [PATCH 3.16 270/366] scsi: qla2xxx: Fix ISP recovery on unload
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 019/366] media: v4l2-compat-ioctl32: prevent go past max size Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 097/366] mtd: cfi_cmdset_0002: Change definition naming to retry write operation Ben Hutchings
                   ` (240 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Himanshu Madhani, Quinn Tran, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Quinn Tran <quinn.tran@cavium.com>

commit b08abbd9f5996309f021684f9ca74da30dcca36a upstream.

During unload process, the chip can encounter a problem where a FW dump would
be captured. For this case, the full reset sequence will be skipped to bring
the chip back to full operational state.

Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_os.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -4963,8 +4963,9 @@ qla2x00_do_dpc(void *data)
 			}
 		}
 
-		if (test_and_clear_bit(ISP_ABORT_NEEDED,
-						&base_vha->dpc_flags)) {
+		if (test_and_clear_bit
+		    (ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&
+		    !test_bit(UNLOADING, &base_vha->dpc_flags)) {
 
 			ql_dbg(ql_dbg_dpc, base_vha, 0x4007,
 			    "ISP abort scheduled.\n");

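Review bot: test_and_clear_bit(ISP_ABORT_NEEDED, ...) is evaluated before the UNLOADING test, so during unload the abort request is cleared and then dropped without any log line; if that is intended, say so in a comment, otherwise test UNLOADING first so the flag stays set. The line break between test_and_clear_bit and its argument list is also unusual; keep the opening parenthesis on the same line as the function name.
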


* [PATCH 3.16 304/366] netlink: Do not subscribe to non-existent groups
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 355/366] perf thread_map: Use readdir() instead of deprecated readdir_r() Ben Hutchings
                   ` (244 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Herbert Xu, Dmitry Safonov, David S. Miller, netdev,
	Steffen Klassert

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

commit 7acf9d4237c46894e0fa0492dd96314a41742e84 upstream.

Make ABI more strict about subscribing to group > ngroups.
Code doesn't check for that and it looks bogus.
(one can subscribe to non-existing group)
Still, it's possible to bind() to all possible groups with (-1)

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/af_netlink.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -927,6 +927,7 @@ static int netlink_bind(struct socket *s
 		if (err)
 			return err;
 	}
+	groups &= (1UL << nlk->ngroups) - 1;
 
 	if (nlk->portid)
 		if (nladdr->nl_pid != nlk->portid)
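
Review bot: "(1UL << nlk->ngroups) - 1" is undefined when nlk->ngroups is equal to or greater than the width of unsigned long, and nothing in this hunk bounds ngroups before the shift; guard that case (leave groups unmasked, or build the mask without a full-width shift). A short comment that bits for groups above ngroups are silently dropped rather than failing the bind() would also document the ABI choice described in the changelog.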



* [PATCH 3.16 279/366] can: mpc5xxx_can: check of_iomap return before use
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 201/366] nfsd: silence sparse warning about accessing credentials Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Ben Hutchings
                   ` (166 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Nicholas Mc Guire

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 upstream.

of_iomap() can return NULL so that return needs to be checked and NULL
treated as failure. While at it also take care of the missing
of_node_put() in the error path.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/mscan/mpc5xxx_can.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/can/mscan/mpc5xxx_can.c
+++ b/drivers/net/can/mscan/mpc5xxx_can.c
@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct
 		return 0;
 	}
 	cdm = of_iomap(np_cdm, 0);
+	if (!cdm) {
+		of_node_put(np_cdm);
+		dev_err(&ofdev->dev, "can't map clock node!\n");
+		return 0;
+	}
 
 	if (in_8(&cdm->ipb_clk_sel) & 0x1)
 		freq *= 2;
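
Review bot: the new !cdm path releases np_cdm before returning, but the hunk does not show the normal path doing the matching of_node_put() and unmapping cdm once in_8(&cdm->ipb_clk_sel) has been read; confirm both happen further down, otherwise the reference and the mapping are leaked on every successful call. Returning 0 here follows the earlier "return 0" in this function, so callers must already treat a zero clock as failure.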



* [PATCH 3.16 271/366] scsi: qla2xxx: Return error when TMF returns
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (318 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 020/366] pinctrl: samsung: Correct EINTG banks order Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Ben Hutchings
                   ` (46 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Himanshu Madhani, Anil Gurumurthy, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anil Gurumurthy <anil.gurumurthy@cavium.com>

commit b4146c4929ef61d5afca011474d59d0918a0cd82 upstream.

Propagate the task management completion status properly to avoid
unnecessary waits for commands to complete.

Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling")
Signed-off-by: Anil Gurumurthy <anil.gurumurthy@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_init.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -323,11 +323,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
 
 	wait_for_completion(&tm_iocb->u.tmf.comp);
 
-	rval = tm_iocb->u.tmf.comp_status == CS_COMPLETE ?
-	    QLA_SUCCESS : QLA_FUNCTION_FAILED;
+	rval = tm_iocb->u.tmf.data;
 
-	if ((rval != QLA_SUCCESS) || tm_iocb->u.tmf.data) {
-		ql_dbg(ql_dbg_taskm, vha, 0x8030,
+	if (rval != QLA_SUCCESS) {
+		ql_log(ql_log_warn, vha, 0x8030,
 		    "TM IOCB failed (%x).\n", rval);
 	}
 
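
Review bot: rval is now taken straight from tm_iocb->u.tmf.data and comp_status is no longer looked at, so this is only correct if the completion handler stores a failure code in data for every status other than CS_COMPLETE; confirm that, or keep the comp_status test as a fallback. The switch from ql_dbg() to ql_log(ql_log_warn, ...) also changes who sees the "TM IOCB failed" message, which is worth stating in the changelog.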



* [PATCH 3.16 330/366] fs/proc: Stop trying to report thread stacks
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (261 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 333/366] HID: reject input outside logical range only if null state is set Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 126/366] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset Ben Hutchings
                   ` (103 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Borislav Petkov, Peter Zijlstra,
	Andy Lutomirski, Kees Cook, Ingo Molnar, Tycho Andersen,
	Brian Gerst, Johannes Weiner, Linux API, Thomas Gleixner,
	Jann Horn, Al Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit b18cb64ead400c01bf1580eeba330ace51f8087d upstream.

This reverts more of:

  b76437579d13 ("procfs: mark thread stack correctly in proc/<pid>/maps")

... which was partially reverted by:

  65376df58217 ("proc: revert /proc/<pid>/maps [stack:TID] annotation")

Originally, /proc/PID/task/TID/maps was the same as /proc/TID/maps.

In current kernels, /proc/PID/maps (or /proc/TID/maps even for
threads) shows "[stack]" for VMAs in the mm's stack address range.

In contrast, /proc/PID/task/TID/maps uses KSTK_ESP to guess the
target thread's stack's VMA.  This is racy, probably returns garbage
and, on arches with CONFIG_TASK_INFO_IN_THREAD=y, is also crash-prone:
KSTK_ESP is not safe to use on tasks that aren't known to be running
ordinary process-context kernel code.

This patch removes the difference and just shows "[stack]" for VMAs
in the mm's stack range.  This is IMO much more sensible -- the
actual "stack" address really is treated specially by the VM code,
and the current thread stack isn't even well-defined for programs
that frequently switch stacks on their own.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux API <linux-api@vger.kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tycho Andersen <tycho.andersen@canonical.com>
Link: http://lkml.kernel.org/r/3e678474ec14e0a0ec34c611016753eea2e1b8ba.1475257877.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: Squash in the earlier commits 58cb65487e92
 "proc/maps: make vm_is_stack() logic namespace-friendly" and 
 65376df58217 "proc: revert /proc/<pid>/maps [stack:TID] annotation",
 which would introduce build failures if applied separately.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -250,13 +250,28 @@ static int do_maps_open(struct inode *in
 	return ret;
 }
 
+/*
+ * Indicate if the VMA is a stack for the given task; for
+ * /proc/PID/maps that is the stack of the main task.
+ */
+static int is_stack(struct proc_maps_private *priv,
+		    struct vm_area_struct *vma)
+{
+	/*
+	 * We make no effort to guess what a given thread considers to be
+	 * its "stack".  It's not even well-defined for programs written
+	 * languages like Go.
+	 */
+	return vma->vm_start <= vma->vm_mm->start_stack &&
+		vma->vm_end >= vma->vm_mm->start_stack;
+}
+
 static void
 show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
 {
 	struct mm_struct *mm = vma->vm_mm;
 	struct file *file = vma->vm_file;
 	struct proc_maps_private *priv = m->private;
-	struct task_struct *task = priv->task;
 	vm_flags_t flags = vma->vm_flags;
 	unsigned long ino = 0;
 	unsigned long long pgoff = 0;
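
Review bot: is_stack() takes priv but never uses it, and its header comment still talks about "the given task" although the body only compares the VMA against vma->vm_mm->start_stack; drop the parameter or reword the comment to say the result is per-mm. The inner comment is also missing a word: "programs written languages like Go" should read "programs written in languages like Go" (the same text is repeated in fs/proc/task_nommu.c).
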
@@ -304,8 +319,6 @@ show_map_vma(struct seq_file *m, struct
 
 	name = arch_vma_name(vma);
 	if (!name) {
-		pid_t tid;
-
 		if (!mm) {
 			name = "[vdso]";
 			goto done;
@@ -317,22 +330,8 @@ show_map_vma(struct seq_file *m, struct
 			goto done;
 		}
 
-		tid = vm_is_stack(task, vma, is_pid);
-
-		if (tid != 0) {
-			/*
-			 * Thread stack in /proc/PID/task/TID/maps or
-			 * the main process stack.
-			 */
-			if (!is_pid || (vma->vm_start <= mm->start_stack &&
-			    vma->vm_end >= mm->start_stack)) {
-				name = "[stack]";
-			} else {
-				/* Thread stack in /proc/PID/maps */
-				seq_pad(m, ' ');
-				seq_printf(m, "[stack:%d]", tid);
-			}
-		}
+		if (is_stack(priv, vma))
+			name = "[stack]";
 	}
 
 done:
@@ -1433,19 +1432,8 @@ static int show_numa_map(struct seq_file
 		seq_path(m, &file->f_path, "\n\t= ");
 	} else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
 		seq_puts(m, " heap");
-	} else {
-		pid_t tid = vm_is_stack(task, vma, is_pid);
-		if (tid != 0) {
-			/*
-			 * Thread stack in /proc/PID/task/TID/maps or
-			 * the main process stack.
-			 */
-			if (!is_pid || (vma->vm_start <= mm->start_stack &&
-			    vma->vm_end >= mm->start_stack))
-				seq_puts(m, " stack");
-			else
-				seq_printf(m, " stack:%d", tid);
-		}
+	} else if (is_stack(proc_priv, vma)) {
+		seq_puts(m, " stack");
 	}
 
 	if (is_vm_hugetlb_page(vma))
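
Review bot: this call passes proc_priv, while the other is_stack() callers in the patch pass priv, and no declaration of proc_priv is visible in the hunk context; since the backport squashes three upstream commits, check that show_numa_map() in 3.16 really has a variable of that name. The removed branch was the user of task shown here, so also check that it is not left behind as an unused local.
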
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -123,6 +123,20 @@ unsigned long task_statm(struct mm_struc
 	return size;
 }
 
+static int is_stack(struct proc_maps_private *priv,
+		    struct vm_area_struct *vma)
+{
+	struct mm_struct *mm = vma->vm_mm;
+
+	/*
+	 * We make no effort to guess what a given thread considers to be
+	 * its "stack".  It's not even well-defined for programs written
+	 * languages like Go.
+	 */
+	return vma->vm_start <= mm->start_stack &&
+		vma->vm_end >= mm->start_stack;
+}
+
 /*
  * display a single VMA to a sequenced file
  */
@@ -162,21 +176,9 @@ static int nommu_vma_show(struct seq_fil
 	if (file) {
 		seq_pad(m, ' ');
 		seq_path(m, &file->f_path, "");
-	} else if (mm) {
-		pid_t tid = vm_is_stack(priv->task, vma, is_pid);
-
-		if (tid != 0) {
-			seq_pad(m, ' ');
-			/*
-			 * Thread stack in /proc/PID/task/TID/maps or
-			 * the main process stack.
-			 */
-			if (!is_pid || (vma->vm_start <= mm->start_stack &&
-			    vma->vm_end >= mm->start_stack))
-				seq_printf(m, "[stack]");
-			else
-				seq_printf(m, "[stack:%d]", tid);
-		}
+	} else if (mm && is_stack(priv, vma)) {
+		seq_pad(m, ' ');
+		seq_printf(m, "[stack]");
 	}
 
 	seq_putc(m, '\n');
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1239,8 +1239,7 @@ int set_page_dirty_lock(struct page *pag
 int clear_page_dirty_for_io(struct page *page);
 int get_cmdline(struct task_struct *task, char *buffer, int buflen);
 
-extern pid_t
-vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group);
+int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t);
 
 extern unsigned long move_page_tables(struct vm_area_struct *vma,
 		unsigned long old_addr, struct vm_area_struct *new_vma,
--- a/mm/util.c
+++ b/mm/util.c
@@ -255,43 +255,11 @@ void __vma_link_list(struct mm_struct *m
 }
 
 /* Check if the vma is being used as a stack by this task */
-static int vm_is_stack_for_task(struct task_struct *t,
-				struct vm_area_struct *vma)
+int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t)
 {
 	return (vma->vm_start <= KSTK_ESP(t) && vma->vm_end >= KSTK_ESP(t));
 }
 
-/*
- * Check if the vma is being used as a stack.
- * If is_group is non-zero, check in the entire thread group or else
- * just check in the current task. Returns the pid of the task that
- * the vma is stack for.
- */
-pid_t vm_is_stack(struct task_struct *task,
-		  struct vm_area_struct *vma, int in_group)
-{
-	pid_t ret = 0;
-
-	if (vm_is_stack_for_task(task, vma))
-		return task->pid;
-
-	if (in_group) {
-		struct task_struct *t;
-
-		rcu_read_lock();
-		for_each_thread(task, t) {
-			if (vm_is_stack_for_task(t, vma)) {
-				ret = t->pid;
-				goto done;
-			}
-		}
-done:
-		rcu_read_unlock();
-	}
-
-	return ret;
-}
-
 #if defined(CONFIG_MMU) && !defined(HAVE_ARCH_PICK_MMAP_LAYOUT)
 void arch_pick_mmap_layout(struct mm_struct *mm)
 {
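
Review bot: vma_is_stack_for_task() is made non-static and declared in include/linux/mm.h, yet every caller visible in this patch is removed and the function still relies on KSTK_ESP(t), which the changelog describes as unsafe for tasks not known to be running ordinary process-context kernel code; if 3.16 has no remaining user, delete it rather than exporting it. The patch also goes straight from the "---" separator to the first file header, so add the diffstat that the other patches in the series carry.
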
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -335,7 +335,7 @@ address           perms offset  dev   in
 a7cb1000-a7cb2000 ---p 00000000 00:00 0
 a7cb2000-a7eb2000 rw-p 00000000 00:00 0
 a7eb2000-a7eb3000 ---p 00000000 00:00 0
-a7eb3000-a7ed5000 rw-p 00000000 00:00 0          [stack:1001]
+a7eb3000-a7ed5000 rw-p 00000000 00:00 0
 a7ed5000-a8008000 r-xp 00000000 03:00 4222       /lib/libc.so.6
 a8008000-a800a000 r--p 00133000 03:00 4222       /lib/libc.so.6
 a800a000-a800b000 rw-p 00135000 03:00 4222       /lib/libc.so.6
@@ -367,40 +367,11 @@ is not associated with a file:
 
  [heap]                   = the heap of the program
  [stack]                  = the stack of the main process
- [stack:1001]             = the stack of the thread with tid 1001
  [vdso]                   = the "virtual dynamic shared object",
                             the kernel system call handler
 
  or if empty, the mapping is anonymous.
 
-The /proc/PID/task/TID/maps is a view of the virtual memory from the viewpoint
-of the individual tasks of a process. In this file you will see a mapping marked
-as [stack] if that task sees it as a stack. This is a key difference from the
-content of /proc/PID/maps, where you will see all mappings that are being used
-as stack by all of those tasks. Hence, for the example above, the task-level
-map, i.e. /proc/PID/task/TID/maps for thread 1001 will look like this:
-
-08048000-08049000 r-xp 00000000 03:00 8312       /opt/test
-08049000-0804a000 rw-p 00001000 03:00 8312       /opt/test
-0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
-a7cb1000-a7cb2000 ---p 00000000 00:00 0
-a7cb2000-a7eb2000 rw-p 00000000 00:00 0
-a7eb2000-a7eb3000 ---p 00000000 00:00 0
-a7eb3000-a7ed5000 rw-p 00000000 00:00 0          [stack]
-a7ed5000-a8008000 r-xp 00000000 03:00 4222       /lib/libc.so.6
-a8008000-a800a000 r--p 00133000 03:00 4222       /lib/libc.so.6
-a800a000-a800b000 rw-p 00135000 03:00 4222       /lib/libc.so.6
-a800b000-a800e000 rw-p 00000000 00:00 0
-a800e000-a8022000 r-xp 00000000 03:00 14462      /lib/libpthread.so.0
-a8022000-a8023000 r--p 00013000 03:00 14462      /lib/libpthread.so.0
-a8023000-a8024000 rw-p 00014000 03:00 14462      /lib/libpthread.so.0
-a8024000-a8027000 rw-p 00000000 00:00 0
-a8027000-a8043000 r-xp 00000000 03:00 8317       /lib/ld-linux.so.2
-a8043000-a8044000 r--p 0001b000 03:00 8317       /lib/ld-linux.so.2
-a8044000-a8045000 rw-p 0001c000 03:00 8317       /lib/ld-linux.so.2
-aff35000-aff4a000 rw-p 00000000 00:00 0
-ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
-
 The /proc/PID/smaps is an extension based on maps, showing the memory
 consumption for each of the process's mappings. For each of mappings there
 is a series of lines such as the following:
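Review bot: with the [stack:1001] entry and the /proc/PID/task/TID/maps paragraph both removed, the text no longer says how a thread's stack is shown in maps. If thread stacks now fall under the "or if empty, the mapping is anonymous" case, add a sentence saying so, so that anyone whose tooling parsed [stack:TID] knows what to expect after this change.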



* [PATCH 3.16 162/366] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (300 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 188/366] batman-adv: Fix debugfs path for renamed softif Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 231/366] cifs: Fix use after free of a mid_q_entry Ben Hutchings
                   ` (64 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joakim Tjernlund, Boris Brezillon

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.

cfi_ppb_unlock() tries to relock all sectors that were locked before
unlocking the whole chip.
This locking used the chip start address + the FULL offset from the
first flash chip, thereby forming an illegal address. Fix that by using
the chip offset(adr).

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2206,7 +2206,7 @@ static int cfi_atmel_unlock(struct mtd_i
 
 struct ppb_lock {
 	struct flchip *chip;
-	loff_t offset;
+	unsigned long adr;
 	int locked;
 };
 
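Review bot: the renamed field in struct ppb_lock now holds a chip-relative address instead of an offset into the whole device, and nothing in the struct says so. A one-line comment on adr (address relative to the start of chip) would keep a later change from reintroducing the device-wide offset that the commit message describes as forming an illegal address.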
@@ -2342,7 +2342,7 @@ static int __maybe_unused cfi_ppb_unlock
 		 */
 		if ((adr < ofs) || (adr >= (ofs + len))) {
 			sect[sectors].chip = &cfi->chips[chipnum];
-			sect[sectors].offset = offset;
+			sect[sectors].adr = adr;
 			sect[sectors].locked = do_ppb_xxlock(
 				map, &cfi->chips[chipnum], adr, 0,
 				DO_XXLOCK_ONEBLOCK_GETLOCK);
@@ -2386,7 +2386,7 @@ static int __maybe_unused cfi_ppb_unlock
 	 */
 	for (i = 0; i < sectors; i++) {
 		if (sect[i].locked)
-			do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
+			do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
 				      DO_XXLOCK_ONEBLOCK_LOCK);
 	}
 
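Review bot: the relock loop ignores the return value of do_ppb_xxlock(), so if re-locking fails, a sector that was protected before the unlock is silently left unprotected and cfi_ppb_unlock() gives no indication of it. Consider at least logging the failure with the chip and adr, or propagating the first error to the caller.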



* [PATCH 3.16 220/366] x86/bugs: Add AMD's variant of SSB_NO
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 013/366] arch/x86/kernel/cpu/common.c: fix unused symbol warning Ben Hutchings
                   ` (311 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Woodhouse, H. Peter Anvin, Tom Lendacky,
	Andy Lutomirski, Borislav Petkov, andrew.cooper3,
	Janakarajan Natarajan, Thomas Gleixner, kvm,
	Konrad Rzeszutek Wilk

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 24809860012e0130fbafe536709e08a22b3e959e upstream.

The AMD document outlining the SSBD handling
124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
mentions that the CPUID 8000_0008.EBX[26] will mean that the
speculative store bypass disable is no longer needed.

A copy of this document is available at:
    https://bugzilla.kernel.org/show_bug.cgi?id=199889

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Cc: kvm@vger.kernel.org
Cc: andrew.cooper3@citrix.com
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/20180601145921.9500-2-konrad.wilk@oracle.com
[bwh: Backported to 3.16:
 - The feature bit is in feature word 11
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/cpufeature.h | 1 +
 arch/x86/kernel/cpu/common.c      | 3 ++-
 arch/x86/kvm/cpuid.c              | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -257,6 +257,7 @@
 #define X86_FEATURE_AMD_IBRS		(11*32+14) /* "" Indirect Branch Restricted Speculation */
 #define X86_FEATURE_AMD_STIBP		(11*32+15) /* "" Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_VIRT_SSBD		(11*32+25) /* Virtualized Speculative Store Bypass Disable */
+#define X86_FEATURE_AMD_SSB_NO		(11*32+26) /* "" Speculative Store Bypass is fixed in hardware. */
 
 /*
  * BUG word(s)
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -865,7 +865,8 @@ static void __init cpu_set_bug_bits(stru
 		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
 
 	if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
-	   !(ia32_cap & ARCH_CAP_SSB_NO))
+	   !(ia32_cap & ARCH_CAP_SSB_NO) &&
+	   !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
 
 	if (x86_match_cpu(cpu_no_speculation))
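Review bot: the added !cpu_has(c, X86_FEATURE_AMD_SSB_NO) term depends on feature word 11 of c already being filled in when cpu_set_bug_bits() runs. Since the backport note says the bit lives in word 11 on this branch, please confirm that word is populated from CPUID 8000_0008.EBX before this point; otherwise the test is always false and X86_BUG_SPEC_STORE_BYPASS is still forced on parts that report the fix.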
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -302,7 +302,7 @@ static inline int __do_cpuid_ent(struct
 
 	/* cpuid 0x80000008.ebx */
 	const u32 kvm_cpuid_8000_0008_ebx_x86_features =
-		F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD);
+		F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD) | F(AMD_SSB_NO);
 
 	/* cpuid 0xC0000001.edx */
 	const u32 kvm_supported_word5_x86_features =



* [PATCH 3.16 222/366] x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (203 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 361/366] perf trace: Fix up fd -> pathname resolution Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 044/366] ext4: factor out helper ext4_sample_last_mounted() Ben Hutchings
                   ` (161 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, andrew.cooper3, H. Peter Anvin, David Woodhouse, Kees Cook,
	Konrad Rzeszutek Wilk, Borislav Petkov, KarimAllah Ahmed, kvm,
	Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 108fab4b5c8f12064ef86e02cb0459992affb30f upstream.

Both AMD and Intel can have SPEC_CTRL_MSR for SSBD.

However AMD also has two more other ways of doing it - which
are !SPEC_CTRL MSR ways.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: kvm@vger.kernel.org
Cc: KarimAllah Ahmed <karahmed@amazon.de>
Cc: andrew.cooper3@citrix.com
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/20180601145921.9500-4-konrad.wilk@oracle.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/bugs.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -573,17 +573,12 @@ static enum ssb_mitigation __init __ssb_
 		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
 		 * use a completely different MSR and bit dependent on family.
 		 */
-		switch (boot_cpu_data.x86_vendor) {
-		case X86_VENDOR_INTEL:
-		case X86_VENDOR_AMD:
-			if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
-				x86_amd_ssb_disable();
-				break;
-			}
+		if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+			x86_amd_ssb_disable();
+		else {
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
-			break;
 		}
 	}
 
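Review bot: with the vendor switch gone, the !static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL) branch calls x86_amd_ssb_disable() on any CPU that reaches this point without the SPEC_CTRL MSR, not only AMD ones, so that helper has to be a safe no-op when neither AMD mechanism is present. That is worth stating in the comment above, which still frames the choice as Intel versus AMD. Style: the if arm is unbraced while the else arm is braced; kernel coding style asks for braces on both arms when either needs them.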



* [PATCH 3.16 134/366] UBIFS: Fix potential integer overflow in allocation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (271 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 277/366] atl1c: reserve min skb headroom Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 025/366] mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() Ben Hutchings
                   ` (93 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Silvio Cesare, Kees Cook

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Silvio Cesare <silvio.cesare@gmail.com>

commit 353748a359f1821ee934afc579cf04572406b420 upstream.

There is potential for the size and len fields in ubifs_data_node to be
too large causing either a negative value for the length fields or an
integer overflow leading to an incorrect memory allocation. Likewise,
when the len field is small, an integer underflow may occur.

Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
Signed-off-by: Kees Cook <keescook@chromium.org>
[bwh: Backported to 3.16: We have a different set of length variables in
 recomp_data_node()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ubifs/journal.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1099,10 +1099,11 @@ out_free:
 static int recomp_data_node(struct ubifs_data_node *dn, int *new_len)
 {
 	void *buf;
-	int err, len, compr_type, out_len;
+	int err, compr_type;
+	u32 len, out_len;
 
 	out_len = le32_to_cpu(dn->size);
-	buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+	buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
 	if (!buf)
 		return -ENOMEM;
 
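Review bot: out_len is taken straight from the on-media dn->size and passed to kmalloc_array() with no range check. kmalloc_array() only catches the case where out_len * WORST_COMPR_FACTOR overflows, so a large but non-overflowing size from a corrupted node still requests a very large allocation and is reported as -ENOMEM. Consider rejecting sizes above the maximum data node payload before allocating and returning a corruption error instead. Also check that the remaining uses of len, now u32, do not rely on it going negative.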



* [PATCH 3.16 201/366] nfsd: silence sparse warning about accessing credentials
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (197 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 173/366] xen-netfront: Fix mismatched rtnl_unlock Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 279/366] can: mpc5xxx_can: check of_iomap return before use Ben Hutchings
                   ` (167 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, J. Bruce Fields, Jeff Layton

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@primarydata.com>

commit ae4b884fc6316b3190be19448cea24b020c1cad6 upstream.

sparse says:

    fs/nfsd/auth.c:31:38: warning: incorrect type in argument 1 (different address spaces)
    fs/nfsd/auth.c:31:38:    expected struct cred const *cred
    fs/nfsd/auth.c:31:38:    got struct cred const [noderef] <asn:4>*real_cred

Add a new accessor for the ->real_cred and use that to fetch the
pointer. Accessing current->real_cred directly is actually quite safe
since we know that they can't go away so this is mostly a cosmetic fixup
to silence sparse.

Signed-off-by: Jeff Layton <jlayton@primarydata.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/auth.c       | 2 +-
 include/linux/cred.h | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -28,7 +28,7 @@ int nfsd_setuser(struct svc_rqst *rqstp,
 	validate_process_creds();
 
 	/* discard any old override before preparing the new set */
-	revert_creds(get_cred(current->real_cred));
+	revert_creds(get_cred(current_real_cred()));
 	new = prepare_creds();
 	if (!new)
 		return -ENOMEM;
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -261,6 +261,15 @@ static inline void put_cred(const struct
 	rcu_dereference_protected(current->cred, 1)
 
 /**
+ * current_real_cred - Access the current task's objective credentials
+ *
+ * Access the objective credentials of the current task.  RCU-safe,
+ * since nobody else can modify it.
+ */
+#define current_real_cred() \
+	rcu_dereference_protected(current->real_cred, 1)
+
+/**
  * __task_cred - Access a task's objective credentials
  * @task: The task to query
  *
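Review bot: the kernel-doc for current_real_cred() should say that the returned pointer carries no reference, so a caller that keeps it has to take one, as the nfsd_setuser() call site does with get_cred(). It is also worth a sentence that the constant 1 passed to rcu_dereference_protected() is only justified because the task is current, so the macro body must not be copied for other tasks.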



* [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs*
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 161/366] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:59   ` syzbot
  2018-11-11 19:49 ` [PATCH 3.16 009/366] eeepc-laptop: simplify parse_arg() Ben Hutchings
                   ` (186 subsequent siblings)
  366 siblings, 1 reply; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+17a8efdf800000, Alexander Potapenko, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@google.com>

commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.

KMSAN reported an infoleak when reading from /dev/vcs*:

  BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
  Call Trace:
  ...
   kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
   copy_to_user ./include/linux/uaccess.h:184
   vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
   __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
   vfs_read+0x36c/0x6b0 fs/read_write.c:452
  ...
  Uninit was created at:
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
   kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
   kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
   __kmalloc+0x13a/0x350 mm/slub.c:3818
   kmalloc ./include/linux/slab.h:517
   vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
   con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
   tty_driver_install_tty drivers/tty/tty_io.c:1224
   tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
   tty_open_by_driver drivers/tty/tty_io.c:1959
   tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
   chrdev_open+0xc25/0xd90 fs/char_dev.c:417
   do_dentry_open+0xccc/0x1440 fs/open.c:794
   vfs_open+0x1b6/0x2f0 fs/open.c:908
  ...
  Bytes 0-79 of 240 are uninitialized

Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem

Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -782,7 +782,7 @@ int vc_allocate(unsigned int currcons)	/
 	if (!*vc->vc_uni_pagedir_loc)
 		con_set_default_unimap(vc);
 
-	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+	vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
 	if (!vc->vc_screenbuf)
 		goto err_free;
 
@@ -869,7 +869,7 @@ static int vc_do_resize(struct tty_struc
 
 	if (new_screen_size > (4 << 20))
 		return -EINVAL;
-	newscreen = kmalloc(new_screen_size, GFP_USER);
+	newscreen = kzalloc(new_screen_size, GFP_USER);
 	if (!newscreen)
 		return -ENOMEM;
 
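Review bot: in vc_do_resize() the switch to kzalloc() means zero-filling up to 4 MiB (the 4 << 20 limit checked just above) on every resize. That is the right trade for closing the leak, but neither hunk leaves a comment saying the buffer is readable from userspace through /dev/vcs*, so a later cleanup could turn these back into kmalloc(). A one-line comment at both allocation sites would prevent that.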



* [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 074/366] RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 036/366] perf: fix invalid bit in diagnostic entry Ben Hutchings
                   ` (256 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, KarimAllah Ahmed, kvm, Radim Krčmář,
	Thomas Gleixner, Janakarajan Natarajan, Paolo Bonzini,
	Tom Lendacky, Joerg Roedel, Borislav Petkov, Kees Cook,
	Konrad Rzeszutek Wilk, David Woodhouse, H. Peter Anvin,
	andrew.cooper3, Andy Lutomirski

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 6ac2f49edb1ef5446089c7c660017732886d62d6 upstream.

The AMD document outlining the SSBD handling
124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
mentions that if CPUID 8000_0008.EBX[24] is set we should be using
the SPEC_CTRL MSR (0x48) over the VIRT SPEC_CTRL MSR (0xC001_011f)
for speculative store bypass disable.

This in effect means we should clear the X86_FEATURE_VIRT_SSBD
flag so that we would prefer the SPEC_CTRL MSR.

See the document titled:
   124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

A copy of this document is available at
   https://bugzilla.kernel.org/show_bug.cgi?id=199889

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Cc: kvm@vger.kernel.org
Cc: KarimAllah Ahmed <karahmed@amazon.de>
Cc: andrew.cooper3@citrix.com
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Kees Cook <keescook@chromium.org>
Link: https://lkml.kernel.org/r/20180601145921.9500-3-konrad.wilk@oracle.com
[bwh: Backported to 3.16:
 - The feature bit is in feature word 11
 - Update feature test in guest_cpuid_has_spec_ctrl() instead of
   svm_{get,set}_msr()
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -256,6 +256,7 @@
 #define X86_FEATURE_AMD_IBPB		(11*32+12) /* "" Indirect Branch Prediction Barrier */
 #define X86_FEATURE_AMD_IBRS		(11*32+14) /* "" Indirect Branch Restricted Speculation */
 #define X86_FEATURE_AMD_STIBP		(11*32+15) /* "" Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_AMD_SSBD		(11*32+24) /* "" Speculative Store Bypass Disable */
 #define X86_FEATURE_VIRT_SSBD		(11*32+25) /* Virtualized Speculative Store Bypass Disable */
 #define X86_FEATURE_AMD_SSB_NO		(11*32+26) /* "" Speculative Store Bypass is fixed in hardware. */
 
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -570,18 +570,20 @@ static enum ssb_mitigation __init __ssb_
 	if (mode == SPEC_STORE_BYPASS_DISABLE) {
 		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
 		/*
-		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
-		 * a completely different MSR and bit dependent on family.
+		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
+		 * use a completely different MSR and bit dependent on family.
 		 */
 		switch (boot_cpu_data.x86_vendor) {
 		case X86_VENDOR_INTEL:
+		case X86_VENDOR_AMD:
+			if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
+				x86_amd_ssb_disable();
+				break;
+			}
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
 			break;
-		case X86_VENDOR_AMD:
-			x86_amd_ssb_disable();
-			break;
 		}
 	}
 
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -716,6 +716,12 @@ static void init_speculation_control(str
 		set_cpu_cap(c, X86_FEATURE_STIBP);
 		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
 	}
+
+	if (cpu_has(c, X86_FEATURE_AMD_SSBD)) {
+		set_cpu_cap(c, X86_FEATURE_SSBD);
+		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+		clear_cpu_cap(c, X86_FEATURE_VIRT_SSBD);
+	}
 }
 
 void get_cpu_cap(struct cpuinfo_x86 *c)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -302,7 +302,8 @@ static inline int __do_cpuid_ent(struct
 
 	/* cpuid 0x80000008.ebx */
 	const u32 kvm_cpuid_8000_0008_ebx_x86_features =
-		F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD) | F(AMD_SSB_NO);
+		F(AMD_IBPB) | F(AMD_IBRS) | F(AMD_SSBD) | F(VIRT_SSBD) |
+		F(AMD_SSB_NO);
 
 	/* cpuid 0xC0000001.edx */
 	const u32 kvm_supported_word5_x86_features =
@@ -536,7 +537,12 @@ static inline int __do_cpuid_ent(struct
 			entry->ebx |= F(VIRT_SSBD);
 		entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
 		cpuid_mask(&entry->ebx, 11);
-		if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+		/*
+		 * The preference is to use SPEC CTRL MSR instead of the
+		 * VIRT_SPEC MSR.
+		 */
+		if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
+		    !boot_cpu_has(X86_FEATURE_AMD_SSBD))
 			entry->ebx |= F(VIRT_SSBD);
 		break;
 	}
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -120,7 +120,7 @@ static inline bool guest_cpuid_has_spec_
 	struct kvm_cpuid_entry2 *best;
 
 	best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0);
-	if (best && (best->ebx & bit(X86_FEATURE_AMD_IBRS)))
+	if (best && (best->ebx & (bit(X86_FEATURE_AMD_IBRS | bit(X86_FEATURE_AMD_SSBD)))))
 		return true;
 	best = kvm_find_cpuid_entry(vcpu, 7, 0);
 	return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_SPEC_CTRL_SSBD)));
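Review bot: the closing parenthesis of the first bit() is in the wrong place on the added line: bit(X86_FEATURE_AMD_IBRS | bit(X86_FEATURE_AMD_SSBD)) passes the OR of a feature number and a bit mask to the outer bit(), instead of OR-ing two masks. It should read bit(X86_FEATURE_AMD_IBRS) | bit(X86_FEATURE_AMD_SSBD), matching the form used for SPEC_CTRL and SPEC_CTRL_SSBD two lines below. As written, a guest that advertises only AMD_SSBD is unlikely to be recognised by guest_cpuid_has_spec_ctrl().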
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3236,7 +3236,7 @@ static int svm_set_msr(struct kvm_vcpu *
 			return 1;
 
 		/* The STIBP bit doesn't fault even if it's not advertised */
-		if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP))
+		if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD))
 			return 1;
 
 		svm->spec_ctrl = data;
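Review bot: the mask now lets a guest set SPEC_CTRL_SSBD, but the comment above it still only explains why STIBP is accepted when it is not advertised. Either extend the comment to cover SSBD or reject SSBD when the guest CPUID does not advertise it, so the reserved-bit check and its stated rationale stay in step.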



* [PATCH 3.16 216/366] ext4: Fix WARN_ON_ONCE in ext4_commit_super()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 081/366] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 100/366] fuse: fix control dir setup and teardown Ben Hutchings
                   ` (350 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Pranay Kr. Srivastava

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Pranay Kr. Srivastava" <pranjas@gmail.com>

commit 4743f83990614af6adb09ea7aa3c37b78c4031ab upstream.

If there are racing calls to ext4_commit_super() it's possible for
another writeback of the superblock to result in the buffer being
marked with an error after we check if the buffer is marked as having
a write error and the buffer up-to-date flag is set again.  If that
happens mark_buffer_dirty() can end up throwing a WARN_ON_ONCE.

Fix this by moving this check to write before we call
write_buffer_dirty(), and keeping the buffer locked during this whole
sequence.

Signed-off-by: Pranay Kr. Srivastava <pranjas@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4653,20 +4653,6 @@ static int ext4_commit_super(struct supe
 
 	if (!sbh || block_device_ejected(sb))
 		return error;
-	if (buffer_write_io_error(sbh)) {
-		/*
-		 * Oh, dear.  A previous attempt to write the
-		 * superblock failed.  This could happen because the
-		 * USB device was yanked out.  Or it could happen to
-		 * be a transient write error and maybe the block will
-		 * be remapped.  Nothing we can do but to retry the
-		 * write and hope for the best.
-		 */
-		ext4_msg(sb, KERN_ERR, "previous I/O error to "
-		       "superblock detected");
-		clear_buffer_write_io_error(sbh);
-		set_buffer_uptodate(sbh);
-	}
 	/*
 	 * If the file system is mounted read-only, don't update the
 	 * superblock write time.  This avoids updating the superblock
@@ -4695,7 +4681,23 @@ static int ext4_commit_super(struct supe
 				&EXT4_SB(sb)->s_freeinodes_counter));
 	BUFFER_TRACE(sbh, "marking dirty");
 	ext4_superblock_csum_set(sb);
+	lock_buffer(sbh);
+	if (buffer_write_io_error(sbh)) {
+		/*
+		 * Oh, dear.  A previous attempt to write the
+		 * superblock failed.  This could happen because the
+		 * USB device was yanked out.  Or it could happen to
+		 * be a transient write error and maybe the block will
+		 * be remapped.  Nothing we can do but to retry the
+		 * write and hope for the best.
+		 */
+		ext4_msg(sb, KERN_ERR, "previous I/O error to "
+		       "superblock detected");
+		clear_buffer_write_io_error(sbh);
+		set_buffer_uptodate(sbh);
+	}
 	mark_buffer_dirty(sbh);
+	unlock_buffer(sbh);
 	if (sync) {
 		error = sync_dirty_buffer(sbh);
 		if (error)
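Review bot: lock_buffer(sbh) is taken only after ext4_superblock_csum_set(sb), so the superblock field updates and the checksum are still computed outside the buffer lock. Two racing ext4_commit_super() callers, which the commit message says exist, can still interleave their updates and leave a checksum that does not match the contents that get written. Consider taking the lock before the fields are updated, or say in a comment that the lock here only covers the error-flag handling and mark_buffer_dirty(). Since lock_buffer() can sleep, also confirm that no caller reaches this path in atomic context.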



* [PATCH 3.16 269/366] net: cxgb3_main: fix potential Spectre v1
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 059/366] media: smiapp: fix timeout checking in smiapp_read_nvm Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 261/366] MIPS: Fix off-by-one in pci_resource_to_user() Ben Hutchings
                   ` (198 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Gustavo A. R. Silva

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.

t.qset_idx can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
warn: potential spectre issue 'adapter->msix_info'

Fix this by sanitizing t.qset_idx before using it to index
adapter->msix_info

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -51,6 +51,7 @@
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <asm/uaccess.h>
+#include <linux/nospec.h>
 
 #include "common.h"
 #include "cxgb3_ioctl.h"
@@ -2256,6 +2257,7 @@ static int cxgb_extension_ioctl(struct n
 
 		if (t.qset_idx >= nqsets)
 			return -EINVAL;
+		t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
 
 		q = &adapter->params.sge.qset[q1 + t.qset_idx];
 		t.rspq_size = q->rspq_size;
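Review bot: array_index_nospec() clamps t.qset_idx to nqsets, but the array access right after it uses q1 + t.qset_idx. That is only sufficient if q1 does not come from the user-supplied request, so please confirm that, or clamp the summed index against the size of params.sge.qset[] instead. A short comment on the added line saying which later uses of t.qset_idx it protects would also help, since the Smatch warning in the commit message names adapter->msix_info rather than the qset[] access visible here.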



* [PATCH 3.16 275/366] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (220 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 078/366] ext4: correct endianness conversion in __xattr_check_inode() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 328/366] dm bufio: avoid sleeping while holding the dm_bufio lock Ben Hutchings
                   ` (144 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, YueHaibing, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 upstream.

Add a missing rcu_read_unlock in the error path

Fixes: c95567c80352 ("caif: added check for potential null return")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/caif/caif_dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff
 	caifd = caif_get(skb->dev);
 
 	WARN_ON(caifd == NULL);
-	if (caifd == NULL)
+	if (!caifd) {
+		rcu_read_unlock();
 		return;
+	}
 
 	caifd_hold(caifd);
 	rcu_read_unlock();
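Review bot: the WARN_ON() and the NULL test can be one statement, if (WARN_ON(!caifd)) { rcu_read_unlock(); return; }, which also removes the mix of caifd == NULL and !caifd on adjacent lines. With two exits now each calling rcu_read_unlock(), a single unlock-and-return label would make it harder to miss one again.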



* [PATCH 3.16 264/366] usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (245 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 098/366] mtd: cfi_cmdset_0002: Change erase functions to retry for error Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 308/366] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled Ben Hutchings
                   ` (119 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joshua Frkuska, Felipe Balbi, Eugeniu Rosca

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joshua Frkuska <joshua_frkuska@mentor.com>

commit 6b37bd78d30c890e575a1bda22978d1d2a233362 upstream.

In u_audio_iso_complete, the runtime hw_ptr is updated before the
data is actually copied over to/from the buffer/dma area. When
ALSA uses this hw_ptr, the data may not actually be available to
be used. This causes trash/stale audio to play/record. This
patch updates the hw_ptr after the data has been copied to avoid
this.

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Joshua Frkuska <joshua_frkuska@mentor.com>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16:
 - Don't use a local hw_ptr variable
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/f_uac2.c
+++ b/drivers/usb/gadget/f_uac2.c
@@ -229,12 +229,16 @@ agdev_iso_complete(struct usb_ep *ep, st
 	if (pending >= prm->period_size)
 		update_alsa = true;
 
-	prm->hw_ptr = (prm->hw_ptr + req->actual) % prm->dma_bytes;
-
 	spin_unlock_irqrestore(&prm->lock, flags);
 
 	/* Pack USB load in ALSA ring buffer */
 	memcpy(dst, src, req->actual);
+
+	spin_lock_irqsave(&prm->lock, flags);
+	/* update hw_ptr after data is copied to memory */
+	prm->hw_ptr = (prm->hw_ptr + req->actual) % prm->dma_bytes;
+	spin_unlock_irqrestore(&prm->lock, flags);
+
 exit:
 	if (usb_ep_queue(ep, req, GFP_ATOMIC))
 		dev_err(&uac2->pdev.dev, "%d Error!\n", __LINE__);
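
Review bot: The hw_ptr update now sits in its own lock section after the
memcpy(), so between spin_unlock_irqrestore() and the second
spin_lock_irqsave() the copy runs unlocked while prm->hw_ptr still holds
the old value, and the update_alsa decision above was taken before the
pointer moved. If a second completion for the same prm can run in that
window it would start from the same hw_ptr. Please state in the changelog
or in a comment that completions for one endpoint are serialised, or
compute the new value under the first lock and only publish it here.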



* [PATCH 3.16 226/366] mm: hugetlb: yield when prepping struct pages
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Peter Feiner, Greg Thelen, Mike Kravetz,
	Andres Lagar-Cavilla, Cannon Matthews, Michal Hocko

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cannon Matthews <cannonmatthews@google.com>

commit 520495fe96d74e05db585fc748351e0504d8f40d upstream.

When booting with very large numbers of gigantic (i.e.  1G) pages, the
operations in the loop of gather_bootmem_prealloc, and specifically
prep_compound_gigantic_page, take a very long time, and can cause a
softlockup if enough pages are requested at boot.

For example booting with 3844 1G pages requires prepping
(set_compound_head, init the count) over 1 billion 4K tail pages, which
takes considerable time.

Add a cond_resched() to the outer loop in gather_bootmem_prealloc() to
prevent this lockup.

Tested: Booted with softlockup_panic=1 hugepagesz=1G hugepages=3844 and
no softlockup is reported, and the hugepages are reported as
successfully set up.

Link: http://lkml.kernel.org/r/20180627214447.260804-1-cannonmatthews@google.com
Signed-off-by: Cannon Matthews <cannonmatthews@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Andres Lagar-Cavilla <andreslc@google.com>
Cc: Peter Feiner <pfeiner@google.com>
Cc: Greg Thelen <gthelen@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 1 +
 1 file changed, 1 insertion(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1546,6 +1546,7 @@ static void __init gather_bootmem_preall
 		 */
 		if (hstate_is_gigantic(h))
 			adjust_managed_page_count(page, 1 << h->order);
+		cond_resched();
 	}
 }
 
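
Review bot: The cond_resched() added at the end of the loop body has no
comment, and nothing else in the function says why a boot-time __init loop
needs a scheduling point. A one-line comment naming the softlockup seen
with large numbers of gigantic pages would keep a later cleanup from
dropping the call.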



* [PATCH 3.16 225/366] tracing: Fix missing return symbol in function_graph output
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), Changbin Du

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Changbin Du <changbin.du@intel.com>

commit 1fe4293f4b8de75824935f8d8e9a99c7fc6873da upstream.

The function_graph tracer does not show the interrupt return marker for the
leaf entry. On leaf entries, we see an unbalanced interrupt marker (the
interrupt was entered, but never left).

Before:
 1)               |  SyS_write() {
 1)               |    __fdget_pos() {
 1)   0.061 us    |      __fget_light();
 1)   0.289 us    |    }
 1)               |    vfs_write() {
 1)   0.049 us    |      rw_verify_area();
 1) + 15.424 us   |      __vfs_write();
 1)   ==========> |
 1)   6.003 us    |      smp_apic_timer_interrupt();
 1)   0.055 us    |      __fsnotify_parent();
 1)   0.073 us    |      fsnotify();
 1) + 23.665 us   |    }
 1) + 24.501 us   |  }

After:
 0)               |  SyS_write() {
 0)               |    __fdget_pos() {
 0)   0.052 us    |      __fget_light();
 0)   0.328 us    |    }
 0)               |    vfs_write() {
 0)   0.057 us    |      rw_verify_area();
 0)               |      __vfs_write() {
 0)   ==========> |
 0)   8.548 us    |      smp_apic_timer_interrupt();
 0)   <========== |
 0) + 36.507 us   |      } /* __vfs_write */
 0)   0.049 us    |      __fsnotify_parent();
 0)   0.066 us    |      fsnotify();
 0) + 50.064 us   |    }
 0) + 50.952 us   |  }

Link: http://lkml.kernel.org/r/1517413729-20411-1-git-send-email-changbin.du@intel.com

Fixes: f8b755ac8e0cc ("tracing/function-graph-tracer: Output arrows signal on hardirq call/return")
Signed-off-by: Changbin Du <changbin.du@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: Propagate return of TRACE_TYPE_PARTIAL_LINE from
 print_graph_irq()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_functions_graph.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -828,6 +828,7 @@ print_graph_entry_leaf(struct trace_iter
 	struct ftrace_graph_ret *graph_ret;
 	struct ftrace_graph_ent *call;
 	unsigned long long duration;
+	int cpu = iter->cpu;
 	int ret;
 	int i;
 
@@ -837,7 +838,6 @@ print_graph_entry_leaf(struct trace_iter
 
 	if (data) {
 		struct fgraph_cpu_data *cpu_data;
-		int cpu = iter->cpu;
 
 		cpu_data = per_cpu_ptr(data->cpu_data, cpu);
 
@@ -874,6 +874,11 @@ print_graph_entry_leaf(struct trace_iter
 	if (!ret)
 		return TRACE_TYPE_PARTIAL_LINE;
 
+	ret = print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET,
+			      cpu, iter->ent->pid, flags);
+	if (ret == TRACE_TYPE_PARTIAL_LINE)
+		return ret;
+
 	return TRACE_TYPE_HANDLED;
 }
 
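
Review bot: In this last hunk `ret` carries two conventions within a few
lines: the context above uses `if (!ret)` to treat zero as failure, while
the new code compares the print_graph_irq() result against
TRACE_TYPE_PARTIAL_LINE. As the backport note marks this propagation as
specific to 3.16, a short comment at the call, or a separate variable for
the enum result, would make the check harder to misread.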



* [PATCH 3.16 219/366] x86/cpufeatures: Hide AMD-specific speculation flags
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Hide the AMD_{IBRS,IBPB,STIBP} flags from /proc/cpuinfo.  This was done
upstream as part of commit e7c587da1252 "x86/speculation: Use
synthetic bits for IBRS/IBPB/STIBP".  I already backported that commit
but accidentally dropped this part.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -253,9 +253,9 @@
 #define X86_FEATURE_SPEC_CTRL_SSBD	(10*32+31) /* "" Speculative Store Bypass Disable */
 
 /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 11 */
-#define X86_FEATURE_AMD_IBPB		(11*32+12) /* Indirect Branch Prediction Barrier */
-#define X86_FEATURE_AMD_IBRS		(11*32+14) /* Indirect Branch Restricted Speculation */
-#define X86_FEATURE_AMD_STIBP		(11*32+15) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_AMD_IBPB		(11*32+12) /* "" Indirect Branch Prediction Barrier */
+#define X86_FEATURE_AMD_IBRS		(11*32+14) /* "" Indirect Branch Restricted Speculation */
+#define X86_FEATURE_AMD_STIBP		(11*32+15) /* "" Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_VIRT_SSBD		(11*32+25) /* Virtualized Speculative Store Bypass Disable */
 
 /*
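
Review bot: The changelog does not say which released 3.16.y versions
exposed these three flags in /proc/cpuinfo, although adding the "" marker
to the X86_FEATURE_AMD_IBPB, _IBRS and _STIBP lines changes user-visible
output in a stable branch. Please name the affected releases so that
anyone parsing the flags line can tell when the names appeared and
disappeared.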



* [PATCH 3.16 223/366] x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tom Lendacky, Thomas Gleixner, Linus Torvalds,
	David Woodhouse, Borislav Petkov, Peter Zijlstra,
	Konrad Rzeszutek Wilk, Ingo Molnar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit 612bc3b3d4be749f73a513a17d9b3ee1330d3487 upstream.

On AMD, the presence of the MSR_SPEC_CTRL feature does not imply that the
SSBD mitigation support should use the SPEC_CTRL MSR. Other features could
have caused the MSR_SPEC_CTRL feature to be set, while a different SSBD
mitigation option is in place.

Update the SSBD support to check for the actual SSBD features that will
use the SPEC_CTRL MSR.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 6ac2f49edb1e ("x86/bugs: Add AMD's SPEC_CTRL MSR usage")
Link: http://lkml.kernel.org/r/20180702213602.29202.33151.stgit@tlendack-t1.amdoffice.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/bugs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -219,7 +219,8 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl,
 		guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
 
 		/* SSBD controlled in MSR_SPEC_CTRL */
-		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
+		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
+		    static_cpu_has(X86_FEATURE_AMD_SSBD))
 			hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
 
 		if (hostval != guestval) {
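
Review bot: The two-feature test added under the "SSBD controlled in
MSR_SPEC_CTRL" comment is repeated, negated, in the
__ssb_select_mitigation() hunk further down. A small helper meaning "SSBD
lives in SPEC_CTRL", used at both sites, would keep the two conditions from
drifting apart when another feature bit is added.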
@@ -573,9 +574,10 @@ static enum ssb_mitigation __init __ssb_
 		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
 		 * use a completely different MSR and bit dependent on family.
 		 */
-		if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+		if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
+		    !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
 			x86_amd_ssb_disable();
-		else {
+		} else {
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
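
Review bot: The comment kept above the new condition still says AMD "may
use a completely different MSR and bit dependent on family", but the
condition now sends X86_FEATURE_AMD_SSBD down the SPEC_CTRL branch as
well. Please update the comment so it matches which cases reach
x86_amd_ssb_disable() and which ones write MSR_IA32_SPEC_CTRL.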



* [PATCH 3.16 278/366] can: constify of_device_id array
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Fabian Frederick, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabian Frederick <fabf@skynet.be>

commit 486e957033623656298a07c39a8bf2fd81db285b upstream.

of_device_id is always used as const.
(See driver.of_match_table and open firmware functions)

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/cc770/cc770_platform.c     | 2 +-
 drivers/net/can/grcan.c                    | 2 +-
 drivers/net/can/mscan/mpc5xxx_can.c        | 2 +-
 drivers/net/can/sja1000/sja1000_platform.c | 2 +-
 drivers/net/can/xilinx_can.c               | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/can/cc770/cc770_platform.c
+++ b/drivers/net/can/cc770/cc770_platform.c
@@ -254,7 +254,7 @@ static int cc770_platform_remove(struct
 	return 0;
 }
 
-static struct of_device_id cc770_platform_table[] = {
+static const struct of_device_id cc770_platform_table[] = {
 	{.compatible = "bosch,cc770"}, /* CC770 from Bosch */
 	{.compatible = "intc,82527"},  /* AN82527 from Intel CP */
 	{},
--- a/drivers/net/can/grcan.c
+++ b/drivers/net/can/grcan.c
@@ -1725,7 +1725,7 @@ static int grcan_remove(struct platform_
 	return 0;
 }
 
-static struct of_device_id grcan_match[] = {
+static const struct of_device_id grcan_match[] = {
 	{.name = "GAISLER_GRCAN"},
 	{.name = "01_03d"},
 	{.name = "GAISLER_GRHCAN"},
--- a/drivers/net/can/mscan/mpc5xxx_can.c
+++ b/drivers/net/can/mscan/mpc5xxx_can.c
@@ -43,7 +43,7 @@ struct mpc5xxx_can_data {
 };
 
 #ifdef CONFIG_PPC_MPC52xx
-static struct of_device_id mpc52xx_cdm_ids[] = {
+static const struct of_device_id mpc52xx_cdm_ids[] = {
 	{ .compatible = "fsl,mpc5200-cdm", },
 	{}
 };
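
Review bot: mpc52xx_cdm_ids is only built under
`#ifdef CONFIG_PPC_MPC52xx`, and the changelog's "always used as const" is
not backed by any caller shown in this diff. For the 3.16 backport, please
note which configurations were compile-tested, since a helper that still
takes a non-const pointer would only show up as a warning on that config.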
--- a/drivers/net/can/sja1000/sja1000_platform.c
+++ b/drivers/net/can/sja1000/sja1000_platform.c
@@ -242,7 +242,7 @@ static int sp_remove(struct platform_dev
 	return 0;
 }
 
-static struct of_device_id sp_of_table[] = {
+static const struct of_device_id sp_of_table[] = {
 	{.compatible = "nxp,sja1000"},
 	{},
 };
--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -1184,7 +1184,7 @@ static int xcan_remove(struct platform_d
 }
 
 /* Match table for OF platform binding */
-static struct of_device_id xcan_of_match[] = {
+static const struct of_device_id xcan_of_match[] = {
 	{ .compatible = "xlnx,zynq-can-1.0", },
 	{ .compatible = "xlnx,axi-can-1.00.a", },
 	{ /* end of list */ },



* [PATCH 3.16 259/366] drm/nouveau: Remove bogus crtc check in pmops_runtime_idle
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Skeggs, Lyude Paul, Daniel Vetter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude Paul <lyude@redhat.com>

commit 68fe23a626b67b56c912c496ea43ed537ea9708f upstream.

This both uses the legacy modesetting structures in a racy manner, and
additionally also doesn't even check the right variable (enabled != the
CRTC is actually turned on for atomic).

This fixes issues on my P50 regarding the dedicated GPU not entering
runtime suspend.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
[bwh: Backported to 3.16:
 - Preserve local variables that are still needed
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -927,7 +927,6 @@ static int nouveau_pmops_runtime_idle(st
 	struct pci_dev *pdev = to_pci_dev(dev);
 	struct drm_device *drm_dev = pci_get_drvdata(pdev);
 	struct nouveau_drm *drm = nouveau_drm(drm_dev);
-	struct drm_crtc *crtc;
 
 	if (nouveau_runtime_pm == 0) {
 		pm_runtime_forbid(dev);
@@ -950,12 +949,6 @@ static int nouveau_pmops_runtime_idle(st
 		}
 	}
 
-	list_for_each_entry(crtc, &drm->dev->mode_config.crtc_list, head) {
-		if (crtc->enabled) {
-			DRM_DEBUG_DRIVER("failing to power off - crtc active\n");
-			return -EBUSY;
-		}
-	}
 	pm_runtime_mark_last_busy(dev);
 	pm_runtime_autosuspend(dev);
 	/* we don't want the main rpm_idle to call suspend - we want to autosuspend */
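
Review bot: With the crtc_list loop removed, nothing left in the visible
part of nouveau_pmops_runtime_idle() returns -EBUSY for an active display
before pm_runtime_autosuspend() is called. The changelog justifies the
removal by how `enabled` behaves "for atomic"; the backport note should say
what keeps a GPU with a lit CRTC from autosuspending on 3.16, or that this
case was checked.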



* [PATCH 3.16 267/366] Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Menzel, Marcos Paulo de Souza, Vojtech Pavlik,
	Dmitry Torokhov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit a4c2a13129f7c5bcf81704c06851601593303fd5 upstream.

TUXEDO BU1406 does not implement active multiplexing mode properly,
and takes around 550 ms in i8042_set_mux_mode(). Given that the
device does not have an external AUX port, there is no downside in
disabling the MUX mode.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Suggested-by: Vojtech Pavlik <vojtech@suse.cz>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -513,6 +513,13 @@ static const struct dmi_system_id __init
 			DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"),
 		},
 	},
+	{
+		/* TUXEDO BU1406 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
+		},
+	},
 	{ }
 };
 
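
Review bot: The new entry matches DMI_SYS_VENDOR against "Notebook", which
is a generic string, so in practice the quirk keys on DMI_PRODUCT_NAME
"N24_25BU" alone. The comment names only "TUXEDO BU1406"; adding the
N24_25BU product name there, as the subject line does, would make clear
what the entry actually matches.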



* [PATCH 3.16 277/366] atl1c: reserve min skb headroom
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Florian Westphal

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 6e56830776828d8ca9897fc4429eeab47c3bb432 upstream.

Got crash report with following backtrace:
BUG: unable to handle kernel paging request at ffff8801869daffe
RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
RAX: ffff8801869db00e ...
  [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
  [<ffffffff81644d97>] ip6_output+0x57/0x100
  [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
  [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
  [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
  [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
  [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
  ...

The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
atl1c driver provided skb with no headroom, so 14 bytes (ethernet
header) got pulled, but then 16 are copied.

Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().

Compile tested only; I lack hardware.

Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
@@ -1674,6 +1674,7 @@ static struct sk_buff *atl1c_alloc_skb(s
 	skb = build_skb(page_address(page) + adapter->rx_page_offset,
 			adapter->rx_frag_size);
 	if (likely(skb)) {
+		skb_reserve(skb, NET_SKB_PAD);
 		adapter->rx_page_offset += adapter->rx_frag_size;
 		if (adapter->rx_page_offset >= PAGE_SIZE)
 			adapter->rx_page = NULL;
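
Review bot: skb_reserve(skb, NET_SKB_PAD) is added after build_skb() was
handed a buffer of adapter->rx_frag_size, and nothing in this hunk grows
rx_frag_size, so the headroom comes out of the space previously available
for packet data. Please confirm that rx_frag_size and the address given to
the hardware for DMA already account for NET_SKB_PAD; the changelog says
this was compile tested only.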



* [PATCH 3.16 272/366] crypto: padlock-aes - Fix Nano workaround data corruption
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jamie Heilman, Herbert Xu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.

This was detected by the self-test thanks to Ard's chunking patch.

I finally got around to testing this out on my ancient Via box.  It
turns out that the workaround got the assembly wrong and we end up
doing count + initial cycles of the loop instead of just count.

This obviously causes corruption, either by overwriting the source
that is yet to be processed, or writing over the end of the buffer.

On CPUs that don't require the workaround only ECB is affected.
On Nano CPUs both ECB and CBC are affected.

This patch fixes it by doing the subtraction prior to the assembly.

Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
Reported-by: Jamie Heilman <jamie@audible.transient.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/padlock-aes.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/crypto/padlock-aes.c
+++ b/drivers/crypto/padlock-aes.c
@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
 		return;
 	}
 
+	count -= initial;
+
 	if (initial)
 		asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
 			      : "+S"(input), "+D"(output)
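
Review bot: The new `count -= initial;` ahead of `if (initial)` carries no
comment, yet the fix depends on the subtraction being done in C before the
first asm statement rather than in the operand of the second one. A
one-line comment saying so would stop a later cleanup from folding it back
into "c"(count - initial).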
@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
 
 	asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
 		      : "+S"(input), "+D"(output)
-		      : "d"(control_word), "b"(key), "c"(count - initial));
+		      : "d"(control_word), "b"(key), "c"(count));
 }
 
 static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
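
Review bot: In the final asm statement the block count is still passed as
an input-only operand, "c"(count), although a rep-prefixed instruction
counts that register down as it runs. Declaring it read-write, as is
already done for "+S" and "+D", would tell the compiler the register is
modified instead of relying on the ordering introduced in the previous
hunk.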
@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
 	if (count < cbc_fetch_blocks)
 		return cbc_crypt(input, output, key, iv, control_word, count);
 
+	count -= initial;
+
 	if (initial)
 		asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
 			      : "+S" (input), "+D" (output), "+a" (iv)
@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
 
 	asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
 		      : "+S" (input), "+D" (output), "+a" (iv)
-		      : "d" (control_word), "b" (key), "c" (count-initial));
+		      : "d" (control_word), "b" (key), "c" (count));
 	return iv;
 }
 



* [PATCH 3.16 236/366] USB: serial: mos7840: fix status-register error handling
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 794744abfffef8b1f3c0c8a4896177d6d13d653d upstream.

Add missing transfer-length sanity check to the status-register
completion handler to avoid leaking bits of uninitialised slab data to
user space.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -471,6 +471,9 @@ static void mos7840_control_callback(str
 	}
 
 	dev_dbg(dev, "%s urb buffer size is %d\n", __func__, urb->actual_length);
+	if (urb->actual_length < 1)
+		goto out;
+
 	dev_dbg(dev, "%s mos7840_port->MsrLsr is %d port %d\n", __func__,
 		mos7840_port->MsrLsr, mos7840_port->port_num);
 	data = urb->transfer_buffer;
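
Review bot: The new check is written as `urb->actual_length < 1`, which
for an unsigned length is simply a test for zero; `if (!urb->actual_length)`
says that directly. The short-transfer path also jumps to `out` without any
message of its own, so apart from the length printed by the dev_dbg() just
above, the log does not show that the status update was skipped; a
dev_dbg() or a comment on the skip would help.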



* [PATCH 3.16 276/366] multicast: do not restore deleted record source filter mode to new one
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Hangbin Liu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 08d3ffcc0cfaba36f6b86fd568cc3bc773061fa6 upstream.

There are two scenarios in which we will restore deleted records. The first is
when the device goes down and up (or unmap/remap). In this scenario the new
filter mode is the same as the previous one, because we get it from
in_dev->mc_list and we do not touch it during device down and up.

The other scenario is when a new socket joins a group which was just deleted
and has not finished sending status reports. In this scenario, we should use
the current filter mode instead of restoring the old one. Here are 4 cases in
total.

old_socket        new_socket       before_fix       after_fix
  IN(A)             IN(A)           ALLOW(A)         ALLOW(A)
  IN(A)             EX( )           TO_IN( )         TO_EX( )
  EX( )             IN(A)           TO_EX( )         ALLOW(A)
  EX( )             EX( )           TO_EX( )         TO_EX( )

Fixes: 24803f38a5c0b (igmp: do not remove igmp souce list info when set link down)
Fixes: 1666d49e1d416 (mld: do not remove mld souce list info when set link down)
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c  | 3 +--
 net/ipv6/mcast.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1159,8 +1159,7 @@ static void igmpv3_del_delrec(struct in_
 	if (pmc) {
 		im->interface = pmc->interface;
 		im->crcount = in_dev->mr_qrv ?: IGMP_Unsolicited_Report_Count;
-		im->sfmode = pmc->sfmode;
-		if (pmc->sfmode == MCAST_INCLUDE) {
+		if (im->sfmode == MCAST_INCLUDE) {
 			im->tomb = pmc->tomb;
 			im->sources = pmc->sources;
 			for (psf = im->sources; psf; psf = psf->sf_next)
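
Review bot: The branch now tests im->sfmode, but its body still takes
pmc->tomb and pmc->sources from the deleted record, so for the
"EX( ) then IN(A)" row of the changelog table the new INCLUDE entry
inherits lists that were built while the old record was in EXCLUDE mode.
A comment stating why that is safe, or that those lists are empty in that
case, would make the hunk reviewable on its own; the same applies to the
mld_del_delrec() hunk below.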
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -806,8 +806,7 @@ static void mld_del_delrec(struct inet6_
 	if (pmc) {
 		im->idev = pmc->idev;
 		im->mca_crcount = idev->mc_qrv;
-		im->mca_sfmode = pmc->mca_sfmode;
-		if (pmc->mca_sfmode == MCAST_INCLUDE) {
+		if (im->mca_sfmode == MCAST_INCLUDE) {
 			im->mca_tomb = pmc->mca_tomb;
 			im->mca_sources = pmc->mca_sources;
 			for (psf = im->mca_sources; psf; psf = psf->sf_next)



* [PATCH 3.16 261/366] MIPS: Fix off-by-one in pci_resource_to_user()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Rui Wang, Ralf Baechle, James Hogan,
	Wolfgang Grandegger, linux-mips

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@mips.com>

commit 38c0a74fe06da3be133cae3fb7bde6a9438e698b upstream.

The MIPS implementation of pci_resource_to_user() introduced in v3.12 by
commit 4c2924b725fb ("MIPS: PCI: Use pci_resource_to_user to map pci
memory space properly") incorrectly sets *end to the address of the
byte after the resource, rather than the last byte of the resource.

This results in userland seeing resources as a byte larger than they
actually are, for example a 32 byte BAR will be reported by a tool such
as lspci as being 33 bytes in size:

    Region 2: I/O ports at 1000 [disabled] [size=33]

Correct this by subtracting one from the calculated end address,
reporting the correct address to userland.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reported-by: Rui Wang <rui.wang@windriver.com>
Fixes: 4c2924b725fb ("MIPS: PCI: Use pci_resource_to_user to map pci memory space properly")
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/19829/
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/pci.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/include/asm/pci.h
+++ b/arch/mips/include/asm/pci.h
@@ -87,7 +87,7 @@ static inline void pci_resource_to_user(
 	phys_t size = resource_size(rsrc);
 
 	*start = fixup_bigphys_addr(rsrc->start, size);
-	*end = rsrc->start + size;
+	*end = rsrc->start + size - 1;
 }
 
 /*
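
Review bot: On the changed `*end` line, the end address is still built from the raw `rsrc->start`, while `*start` two lines above goes through fixup_bigphys_addr(). If the fixup returns anything other than rsrc->start, the reported start and end no longer describe the same range. Consider deriving the end from the fixed-up value, e.g. `*end = *start + size - 1;`, or add a comment saying why the unfixed address is intended here.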



* [PATCH 3.16 233/366] cifs: store the leaseKey in the fid on SMB2_open
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Ronnie Sahlberg, Pavel Shilovsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit 96164ab2d880c9539989bea68d4790f6fd619b1f upstream.

In SMB2_open(), if we got a lease we need to store this in the fid structure
or else we will never be able to map a lease break back to which file/fid
it applies to.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h | 2 +-
 fs/cifs/smb2ops.c  | 7 +++++--
 fs/cifs/smb2pdu.c  | 8 +++++---
 3 files changed, 11 insertions(+), 6 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -383,7 +383,7 @@ struct smb_version_operations {
 	/* create lease context buffer for CREATE request */
 	char * (*create_lease_buf)(u8 *, u8);
 	/* parse lease context buffer and return oplock/epoch info */
-	__u8 (*parse_lease_buf)(void *, unsigned int *);
+	__u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey);
 	int (*clone_range)(const unsigned int, struct cifsFileInfo *src_file,
 			struct cifsFileInfo *target_file, u64 src_off, u64 len,
 			u64 dest_off);
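
Review bot: The new third parameter of parse_lease_buf is named `lkey` in this prototype but `lease_key` in every implementation and caller in the rest of the patch, and the comment above it still only mentions oplock/epoch info. Use one name and extend the comment to say that the buffer receives SMB2_LEASE_KEY_SIZE bytes and may be NULL (the smb3 implementation tests for NULL).
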
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1118,7 +1118,7 @@ smb3_create_lease_buf(u8 *lease_key, u8
 }
 
 static __u8
-smb2_parse_lease_buf(void *buf, unsigned int *epoch)
+smb2_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key)
 {
 	struct create_lease *lc = (struct create_lease *)buf;
 
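
Review bot: smb2_parse_lease_buf() gains the `lease_key` argument here, but none of the hunks for this function writes through it; only smb3_parse_lease_buf() gets the memcpy. If the SMB2.1 lease path is also expected to map lease breaks back to a fid, the key needs to be copied here too; otherwise a short comment that the argument is intentionally unused would avoid the question.
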
@@ -1129,13 +1129,16 @@ smb2_parse_lease_buf(void *buf, unsigned
 }
 
 static __u8
-smb3_parse_lease_buf(void *buf, unsigned int *epoch)
+smb3_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key)
 {
 	struct create_lease_v2 *lc = (struct create_lease_v2 *)buf;
 
 	*epoch = le16_to_cpu(lc->lcontext.Epoch);
 	if (lc->lcontext.LeaseFlags & SMB2_LEASE_FLAG_BREAK_IN_PROGRESS)
 		return SMB2_OPLOCK_LEVEL_NOCHANGE;
+	if (lease_key)
+		memcpy(lease_key, &lc->lcontext.LeaseKeyLow,
+		       SMB2_LEASE_KEY_SIZE);
 	return le32_to_cpu(lc->lcontext.LeaseState);
 }
 
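
Review bot: In smb3_parse_lease_buf() the memcpy sits after the SMB2_LEASE_FLAG_BREAK_IN_PROGRESS early return, so when that flag is set the caller's lease_key is left untouched. If the key should be recorded for every granted lease, move the copy above the flag test. The copy also spans SMB2_LEASE_KEY_SIZE bytes starting at &lc->lcontext.LeaseKeyLow, which relies on the low and high halves being adjacent in the struct; a one-line comment would make that assumption explicit.
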
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1054,7 +1054,7 @@ create_reconnect_durable_buf(struct cifs
 
 static __u8
 parse_lease_state(struct TCP_Server_Info *server, struct smb2_create_rsp *rsp,
-		  unsigned int *epoch)
+		  unsigned int *epoch, char *lease_key)
 {
 	char *data_offset;
 	struct create_context *cc;
@@ -1069,7 +1069,8 @@ parse_lease_state(struct TCP_Server_Info
 		name = le16_to_cpu(cc->NameOffset) + (char *)cc;
 		if (le16_to_cpu(cc->NameLength) == 4 &&
 		    strncmp(name, "RqLs", 4) == 0)
-			return server->ops->parse_lease_buf(cc, epoch);
+			return server->ops->parse_lease_buf(cc, epoch,
+							    lease_key);
 
 		next = le32_to_cpu(cc->Next);
 		if (!next)
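
Review bot: parse_lease_state() matches the "RqLs" context on NameLength and name only, and the call changed here now leads to a fixed SMB2_LEASE_KEY_SIZE copy out of that context. Nothing in the visible lines checks that NameOffset, or the context's data, lies within the received response before the copy, so a short or malformed create context sent by the server could be read past its end. Validate the context length against the response before calling parse_lease_buf().
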
@@ -1262,7 +1263,8 @@ SMB2_open(const unsigned int xid, struct
 	}
 
 	if (rsp->OplockLevel == SMB2_OPLOCK_LEVEL_LEASE)
-		*oplock = parse_lease_state(server, rsp, &oparms->fid->epoch);
+		*oplock = parse_lease_state(server, rsp, &oparms->fid->epoch,
+					    oparms->fid->lease_key);
 	else
 		*oplock = rsp->OplockLevel;
 creat_exit:



* [PATCH 3.16 273/366] usb: core: handle hub C_PORT_OVER_CURRENT condition
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Alan Stern, Bin Liu, Alessandro Antenucci

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit 249a32b7eeb3edb6897dd38f89651a62163ac4ed upstream.

Based on USB2.0 Spec Section 11.12.5,

  "If a hub has per-port power switching and per-port current limiting,
  an over-current on one port may still cause the power on another port
  to fall below specific minimums. In this case, the affected port is
  placed in the Power-Off state and C_PORT_OVER_CURRENT is set for the
  port, but PORT_OVER_CURRENT is not set."

so let's check C_PORT_OVER_CURRENT too for over current condition.

Fixes: 08d1dec6f405 ("usb:hub set hub->change_bits when over-current happens")
Tested-by: Alessandro Antenucci <antenucci@korg.it>
Signed-off-by: Bin Liu <b-liu@ti.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1119,10 +1119,14 @@ static void hub_activate(struct usb_hub
 
 		if (!udev || udev->state == USB_STATE_NOTATTACHED) {
 			/* Tell khubd to disconnect the device or
-			 * check for a new connection
+			 * check for a new connection or over current condition.
+			 * Based on USB2.0 Spec Section 11.12.5,
+			 * C_PORT_OVER_CURRENT could be set while
+			 * PORT_OVER_CURRENT is not. So check for any of them.
 			 */
 			if (udev || (portstatus & USB_PORT_STAT_CONNECTION) ||
-			    (portstatus & USB_PORT_STAT_OVERCURRENT))
+			    (portstatus & USB_PORT_STAT_OVERCURRENT) ||
+			    (portchange & USB_PORT_STAT_C_OVERCURRENT))
 				set_bit(port1, hub->change_bits);
 
 		} else if (portstatus & USB_PORT_STAT_ENABLE) {
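
Review bot: The added `portchange & USB_PORT_STAT_C_OVERCURRENT` term depends on portchange having been read for this port in the same iteration as portstatus, which the hunk does not show. Please confirm both values come from the same status read, since a stale portchange would set hub->change_bits for the wrong port.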



* [PATCH 3.16 235/366] USB: serial: keyspan_pda: fix modem-status error handling
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 01b3cdfca263a17554f7b249d20a247b2a751521 upstream.

Fix broken modem-status error handling which could lead to bits of slab
data leaking to user space.

Fixes: 3b36a8fd6777 ("usb: fix uninitialized variable warning in keyspan_pda")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/keyspan_pda.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -373,8 +373,10 @@ static int keyspan_pda_get_modem_info(st
 			     3, /* get pins */
 			     USB_TYPE_VENDOR|USB_RECIP_INTERFACE|USB_DIR_IN,
 			     0, 0, data, 1, 2000);
-	if (rc >= 0)
+	if (rc == 1)
 		*value = *data;
+	else if (rc >= 0)
+		rc = -EIO;
 
 	kfree(data);
 	return rc;
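
Review bot: With `if (rc == 1)` the success path of keyspan_pda_get_modem_info() now returns 1 while every failure returns a negative errno, and the expected length `1` is written twice as a bare literal (the usb_control_msg() size argument and this test). Check that callers test `rc < 0` rather than `rc != 0`, and consider setting rc to 0 on success so the function has a conventional return contract. Mapping a short transfer to -EIO is the right call, since `*data` is only valid when the full byte arrived.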



* [PATCH 3.16 260/366] drm: re-enable error handling
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sean Paul, Nicholas Mc Guire

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit d530b5f1ca0bb66958a2b714bebe40a1248b9c15 upstream.

drm_legacy_ctxbitmap_next() returns idr_alloc() which can return
-ENOMEM, -EINVAL or -ENOSPC, none of which are -1. But the call sites
of drm_legacy_ctxbitmap_next() seem to be assuming that the error case
would be -1 (original return of drm_ctxbitmap_next() prior to 2.6.23
was actually -1). Thus reenable error handling by checking for < 0.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/1531571532-22733-1-git-send-email-hofrat@osadl.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_context.c
+++ b/drivers/gpu/drm/drm_context.c
@@ -316,7 +316,7 @@ int drm_addctx(struct drm_device *dev, v
 		ctx->handle = drm_ctxbitmap_next(dev);
 	}
 	DRM_DEBUG("%d\n", ctx->handle);
-	if (ctx->handle == -1) {
+	if (ctx->handle < 0) {
 		DRM_DEBUG("Not enough free contexts.\n");
 		/* Should this return -EBUSY instead? */
 		return -ENOMEM;
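
Review bot: The `ctx->handle < 0` test only works if ctx->handle is a signed type, which the hunk does not show; if the field is unsigned the comparison is never true and the error path stays dead. Store the return value of drm_ctxbitmap_next() in a local int, test that, and assign to ctx->handle only on success. The branch also still returns -ENOMEM for every failure, so the -EINVAL and -ENOSPC cases named in the commit message are reported as out of memory; returning the saved value would also settle the "-EBUSY instead?" question in the comment.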



* [PATCH 3.16 268/366] Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chen-Yu Tsai, Dmitry Torokhov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit 384cf4285b34e08917e3e66603382f2b0c4f6e1b upstream.

The Lenovo LaVie Z laptop requires i8042 to be reset in order to
consistently detect its Elantech touchpad. The nomux and kbdreset
quirks are not sufficient.

It's possible the other LaVie Z models from NEC require this as well.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -520,6 +520,13 @@ static const struct dmi_system_id __init
 			DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
 		},
 	},
+	{
+		/* Lenovo LaVie Z */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"),
+		},
+	},
 	{ }
 };
 
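
Review bot: The new entry's comment gives only the model name, while the reason for the quirk (the Elantech touchpad is not detected consistently unless i8042 is reset, and nomux/kbdreset are not sufficient) lives only in the commit message. Put that in the comment so the entry can be re-evaluated later. Also say whether matching on DMI_PRODUCT_VERSION rather than DMI_PRODUCT_NAME, as the entry just above does, is deliberate.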



* [PATCH 3.16 274/366] fat: fix memory allocation failure handling of match_strdup()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, OGAWA Hirofumi, Linus Torvalds, syzbot+90b8e10515ae88228a92

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.

In parse_options(), if match_strdup() failed, parse_options() leaves
opts->iocharset in an unexpected state (i.e. still pointing to the freed
string).  And this can be the cause of a double free.

To fix this, always initialize opts->iocharset when freeing.

Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fat/inode.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -610,13 +610,21 @@ static void fat_set_state(struct super_b
 	brelse(bh);
 }
 
+static void fat_reset_iocharset(struct fat_mount_options *opts)
+{
+	if (opts->iocharset != fat_default_iocharset) {
+		/* Note: opts->iocharset can be NULL here */
+		kfree(opts->iocharset);
+		opts->iocharset = fat_default_iocharset;
+	}
+}
+
 static void delayed_free(struct rcu_head *p)
 {
 	struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu);
 	unload_nls(sbi->nls_disk);
 	unload_nls(sbi->nls_io);
-	if (sbi->options.iocharset != fat_default_iocharset)
-		kfree(sbi->options.iocharset);
+	fat_reset_iocharset(&sbi->options);
 	kfree(sbi);
 }
 
@@ -1031,7 +1039,7 @@ static int parse_options(struct super_bl
 	opts->fs_fmask = opts->fs_dmask = current_umask();
 	opts->allow_utime = -1;
 	opts->codepage = fat_default_codepage;
-	opts->iocharset = fat_default_iocharset;
+	fat_reset_iocharset(opts);
 	if (is_vfat) {
 		opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95;
 		opts->rodir = 0;
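
Review bot: Replacing the plain assignment in parse_options() with fat_reset_iocharset(opts) means opts->iocharset is now read, and possibly passed to kfree(), before this function has written it. That is only safe if the options structure is zero-initialised or already holds a valid pointer on every call; the helper's "can be NULL here" note hints at this but does not state it. Add a comment at this call naming the allocation that guarantees it.
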
@@ -1181,8 +1189,7 @@ static int parse_options(struct super_bl
 
 		/* vfat specific */
 		case Opt_charset:
-			if (opts->iocharset != fat_default_iocharset)
-				kfree(opts->iocharset);
+			fat_reset_iocharset(opts);
 			iocharset = match_strdup(&args[0]);
 			if (!iocharset)
 				return -ENOMEM;
@@ -1763,8 +1770,7 @@ out_fail:
 		iput(fat_inode);
 	unload_nls(sbi->nls_io);
 	unload_nls(sbi->nls_disk);
-	if (sbi->options.iocharset != fat_default_iocharset)
-		kfree(sbi->options.iocharset);
+	fat_reset_iocharset(&sbi->options);
 	sb->s_fs_info = NULL;
 	kfree(sbi);
 	return error;



* [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Steffen Maier, Benjamin Block

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 6a76550841d412330bd86aed3238d1888ba70f0e upstream.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : .......
LUN            : 0x...
WWPN           : 0x...
D_ID           : 0x...
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x...
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -314,8 +314,11 @@ static int zfcp_erp_action_enqueue(int w
 		goto out;
 	}
 
-	if (!adapter->erp_thread)
-		return -EIO;
+	if (!adapter->erp_thread) {
+		need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
+		retval = -EIO;
+		goto out;
+	}
 
 	need = zfcp_erp_required_act(want, adapter, port, sdev);
 	if (!need)
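
Review bot: In the new `!adapter->erp_thread` branch, `need` is set to ZFCP_ERP_ACTION_NONE purely as a trace marker before `goto out`, but the code at `out:` is outside the hunk. Please confirm that nothing there acts on `need` other than the trace call, and say in the comment that the value is never used as a real action. The commit message shows only an example record; a sentence on what was missing before (no REC trigger trace when the ERP thread is absent) would help stable reviewers.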



* [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Michael Neuling

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.

In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
validating DAWR region end") we fixed setting the DAWR end point to
its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.

PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
zero (memset() in hw_breakpoint_init()). This worked with
arch_validate_hwbkpt_settings() before the above patch was applied but
is now broken if the breakpoint is 512 byte aligned.

This sets the length of the breakpoint to 8 bytes when using
PTRACE_SET_DEBUGREG.

Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1011,6 +1011,7 @@ int ptrace_set_debugreg(struct task_stru
 	/* Create a new breakpoint request if one doesn't exist already */
 	hw_breakpoint_init(&attr);
 	attr.bp_addr = hw_brk.address;
+	attr.bp_len = 8;
 	arch_bp_generic_fields(hw_brk.type,
 			       &attr.bp_type);
 
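
Review bot: `attr.bp_len = 8;` is a bare literal with no comment, so the reason for it (hw_breakpoint_init() leaves the length at zero, which breaks 512 byte aligned breakpoints) is only in the commit message. Use the named constant HW_BREAKPOINT_LEN_8 and add a one-line comment on why 8 bytes is the right length for PTRACE_SET_DEBUGREG.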



* [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rafael J. Wysocki, Doug Berger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Berger <opendmb@gmail.com>

commit 2ef7c01c0cdb170142058c6d8fe0697aee4e4d7d upstream.

When wakelock support was added, the wakeup_source_add() function
was updated to set the last_time value of the wakeup source. This
has the unintended side effect of producing confusing output from
pm_print_active_wakeup_sources() when a wakeup source is added
prior to a sleep that is blocked by a different wakeup source.

The function pm_print_active_wakeup_sources() will search for the
most recently active wakeup source when no active source is found.
If a wakeup source is added after a different wakeup source blocks
the system from going to sleep it may have a later last_time value
than the blocking source and be output as the last active wakeup
source even if it has never actually been active.

It looks to me like the change to wakeup_source_add() was made to
prevent the wakelock garbage collection from accidentally dropping
a wakelock during the narrow window between adding the wakelock to
the wakelock list in wakelock_lookup_add() and the activation of
the wakeup source in pm_wake_lock().

This commit changes the behavior so that only the last_time of the
wakeup source used by a wakelock is initialized prior to adding it
to the wakeup source list. This preserves the meaning of the
last_time value as the last time the wakeup source was active and
allows a wakeup source that has never been active to have a
last_time value of 0.

Fixes: b86ff9820fd5 (PM / Sleep: Add user space interface for manipulating wakeup sources, v3)
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/power/wakeup.c | 1 -
 kernel/power/wakelock.c     | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -135,7 +135,6 @@ void wakeup_source_add(struct wakeup_sou
 	spin_lock_init(&ws->lock);
 	setup_timer(&ws->timer, pm_wakeup_timer_fn, (unsigned long)ws);
 	ws->active = false;
-	ws->last_time = ktime_get();
 
 	spin_lock_irqsave(&events_lock, flags);
 	list_add_rcu(&ws->entry, &wakeup_sources);
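
Review bot: With `ws->last_time = ktime_get();` removed, wakeup_source_add() no longer writes last_time at all, so its value after registration is whatever the caller left in the structure. The commit message expects 0 for a source that has never been active, which holds only for zeroed allocations. Document at the top of wakeup_source_add() that callers must pass a zero-initialised wakeup_source or set last_time themselves.
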
--- a/kernel/power/wakelock.c
+++ b/kernel/power/wakelock.c
@@ -175,6 +175,7 @@ static struct wakelock *wakelock_lookup_
 		return ERR_PTR(-ENOMEM);
 	}
 	wl->ws.name = wl->name;
+	wl->ws.last_time = ktime_get();
 	wakeup_source_add(&wl->ws);
 	rb_link_node(&wl->node, parent, node);
 	rb_insert_color(&wl->node, &wakelocks_tree);
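
Review bot: The added `wl->ws.last_time = ktime_get();` has no comment, and without the commit message it reads like a stray initialisation. Add a comment that it keeps the wakelock garbage collection from dropping a newly added wakelock before pm_wake_lock() activates its wakeup source, and that it must stay ahead of the wakeup_source_add() call.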



* [PATCH 3.16 075/366] of: unittest: for strings, account for trailing \0 in property length field
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rob Herring, Frank Rowand, Stefan M Schaeckeler

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan M Schaeckeler <sschaeck@cisco.com>

commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream.

For strings, account for trailing \0 in property length field:

This is consistent with how dtc builds string properties.

Function __of_prop_dup() would misbehave on such properties as it duplicates
properties based on the property length field creating new string values
without trailing \0s.

Signed-off-by: Stefan M Schaeckeler <sschaeck@cisco.com>
Reviewed-by: Frank Rowand <frank.rowand@sony.com>
Tested-by: Frank Rowand <frank.rowand@sony.com>
Signed-off-by: Rob Herring <robh@kernel.org>
[bwh: Backported to 3.16: s/unittest/selftest/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/selftest.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/of/selftest.c
+++ b/drivers/of/selftest.c
@@ -97,20 +97,20 @@ static void __init of_selftest_dynamic(v
 	/* Add a new property - should pass*/
 	prop->name = "new-property";
 	prop->value = "new-property-data";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
 
 	/* Try to add an existing property - should fail */
 	prop++;
 	prop->name = "new-property";
 	prop->value = "new-property-data-should-fail";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_add_property(np, prop) != 0,
 		 "Adding an existing property should have failed\n");
 
 	/* Try to modify an existing property - should pass */
 	prop->value = "modify-property-data-should-pass";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_update_property(np, prop) == 0,
 		 "Updating an existing property should have passed\n");
 
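
Review bot: `strlen(prop->value) + 1` is now repeated for every property in of_selftest_dynamic(), and a future test case added without the `+ 1` would silently bring back the unterminated copy in __of_prop_dup(). A small helper that sets both value and length, or a comment at the first assignment stating that string property lengths include the trailing NUL as dtc does, would keep the cases consistent.
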
@@ -118,7 +118,7 @@ static void __init of_selftest_dynamic(v
 	prop++;
 	prop->name = "modify-property";
 	prop->value = "modify-missing-property-data-should-pass";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_update_property(np, prop) == 0,
 		 "Updating a missing property should have passed\n");
 



* [PATCH 3.16 215/366] ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Hans de Goede

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 240630e61870e62e39a97225048f9945848fa5f5 upstream.

There have been several reports of LPM related hard freezes about once
a day on multiple Lenovo 50 series models. Strangely enough these reports
were not disk model specific as LPM issues usually are and some users
with the exact same disk + laptop were seeing them while other users
were not seeing these issues.

It turns out that enabling LPM triggers a firmware bug somewhere, which
has been fixed in later BIOS versions.

This commit adds a new ahci_broken_lpm() function and a new ATA_FLAG_NO_LPM
for dealing with this.

The ahci_broken_lpm() function contains DMI match info for the 4 models
which are known to be affected by this and the DMI BIOS date field for
known good BIOS versions. If the BIOS date is older than the one in the
table LPM will be disabled and a warning will be printed.

Note the BIOS dates are for known good versions, some older versions may
work too, but we don't know for sure, the table is using dates from BIOS
versions for which users have confirmed that upgrading to that version
makes the problem go away.

Unfortunately I've been unable to get hold of the reporter who reported
that BIOS version 2.35 fixed the problems on the W541 for him. I've been
able to verify the DMI_SYS_VENDOR and DMI_PRODUCT_VERSION from an older
dmidecode, but I don't know the exact BIOS date as reported in the DMI.
Lenovo keeps a changelog with dates in their release notes, but the
dates there are the release dates not the build dates which are in DMI.
So I've chosen to set the date to which we compare to one day past the
release date of the 2.34 BIOS. I plan to fix this with a follow up
commit once I've the necessary info.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/ahci.c        | 59 +++++++++++++++++++++++++++++++++++++++
 drivers/ata/libata-core.c |  3 ++
 include/linux/libata.h    |  1 +
 3 files changed, 63 insertions(+)

--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -1225,6 +1225,59 @@ static bool ahci_broken_suspend(struct p
 	return strcmp(buf, dmi->driver_data) < 0;
 }
 
+static bool ahci_broken_lpm(struct pci_dev *pdev)
+{
+	static const struct dmi_system_id sysids[] = {
+		/* Various Lenovo 50 series have LPM issues with older BIOSen */
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X250"),
+			},
+			.driver_data = "20180406", /* 1.31 */
+		},
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L450"),
+			},
+			.driver_data = "20180420", /* 1.28 */
+		},
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T450s"),
+			},
+			.driver_data = "20180315", /* 1.33 */
+		},
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W541"),
+			},
+			/*
+			 * Note date based on release notes, 2.35 has been
+			 * reported to be good, but I've been unable to get
+			 * a hold of the reporter to get the DMI BIOS date.
+			 * TODO: fix this.
+			 */
+			.driver_data = "20180310", /* 2.35 */
+		},
+		{ }	/* terminate list */
+	};
+	const struct dmi_system_id *dmi = dmi_first_match(sysids);
+	int year, month, date;
+	char buf[9];
+
+	if (!dmi)
+		return false;
+
+	dmi_get_date(DMI_BIOS_DATE, &year, &month, &date);
+	snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date);
+
+	return strcmp(buf, dmi->driver_data) < 0;
+}
+
 static bool ahci_broken_online(struct pci_dev *pdev)
 {
 #define ENCODE_BUSDEVFN(bus, slot, func)			\
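
Review bot: ahci_broken_lpm() ignores the return value of dmi_get_date(), so the year/month/date it formats are trusted even when the firmware provides no parsable BIOS date. Check the result and decide explicitly which way to fail (the W541 comment already admits the threshold is an estimate). The date formatting and strcmp() duplicate the tail of ahci_broken_suspend() shown in the context line above, and `pdev` is unused; a shared helper taking the dmi_system_id table would cover both.
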
@@ -1608,6 +1661,12 @@ static int ahci_init_one(struct pci_dev
 			"quirky BIOS, skipping spindown on poweroff\n");
 	}
 
+	if (ahci_broken_lpm(pdev)) {
+		pi.flags |= ATA_FLAG_NO_LPM;
+		dev_warn(&pdev->dev,
+			 "BIOS update required for Link Power Management support\n");
+	}
+
 	if (ahci_broken_suspend(pdev)) {
 		hpriv->flags |= AHCI_HFLAG_NO_SUSPEND;
 		dev_warn(&pdev->dev,
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2227,6 +2227,9 @@ int ata_dev_configure(struct ata_device
 	    (id[ATA_ID_SATA_CAPABILITY] & 0xe) == 0x2)
 		dev->horkage |= ATA_HORKAGE_NOLPM;
 
+	if (ap->flags & ATA_FLAG_NO_LPM)
+		dev->horkage |= ATA_HORKAGE_NOLPM;
+
 	if (dev->horkage & ATA_HORKAGE_NOLPM) {
 		ata_dev_warn(dev, "LPM support broken, forcing max_power\n");
 		dev->link->ap->target_lpm_policy = ATA_LPM_MAX_POWER;
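Review bot: the added test reads "ap->flags" while the lines directly below
it reach the port through "dev->link->ap"; use one spelling for the port in
this block. Folding the host flag into ATA_HORKAGE_NOLPM also means the
existing per-device message "LPM support broken, forcing max_power" is
printed for every drive behind the controller, on top of the BIOS warning
added in ahci_init_one(), and it blames the drive for what the patch treats
as a firmware problem. Consider a separate message for the host-flag case.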
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -210,6 +210,7 @@ enum {
 	ATA_FLAG_SLAVE_POSS	= (1 << 0), /* host supports slave dev */
 					    /* (doesn't imply presence) */
 	ATA_FLAG_SATA		= (1 << 1),
+	ATA_FLAG_NO_LPM		= (1 << 2), /* host not happy with LPM */
 	ATA_FLAG_NO_ATAPI	= (1 << 6), /* No ATAPI support */
 	ATA_FLAG_PIO_DMA	= (1 << 7), /* PIO cmds via DMA */
 	ATA_FLAG_PIO_LBA48	= (1 << 8), /* Host DMA engine is LBA28 only */



* [PATCH 3.16 196/366] staging: android: ion: Return an ERR_PTR in ion_map_kernel
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 053/366] sbitmap: fix race in wait batch accounting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 341/366] MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations Ben Hutchings
                   ` (175 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Laura Abbott, Greg Kroah-Hartman, syzbot+55b1d9f811650de944c6

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laura Abbott <labbott@redhat.com>

commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream.

The expected return value from ion_map_kernel is an ERR_PTR. The error
path for a vmalloc failure currently just returns NULL, triggering
a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.

Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ion/ion_heap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_hea
 	struct page **tmp = pages;
 
 	if (!pages)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	if (buffer->flags & ION_FLAG_CACHED)
 		pgprot = PAGE_KERNEL;
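Review bot: switching the "!pages" path from NULL to ERR_PTR(-ENOMEM) is
only safe if every caller of ion_heap_map_kernel() tests the result with
IS_ERR(); a caller that still checks for NULL would now accept the error
pointer as a valid mapping and dereference it. The commit message names
ion_buffer_kmap_get as expecting an ERR_PTR. Please confirm for the 3.16
tree that no other caller tests for NULL, and that the other failure
returns in this function (not visible in this hunk) follow the same
convention, so callers never have to handle both forms.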



* [PATCH 3.16 206/366] ARM: dts: da850: Fix interrups property for gpio
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 257/366] usb: cdc_acm: Add quirk for Castles VEGA3000 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 018/366] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Ben Hutchings
                   ` (183 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Keerthy, Sekhar Nori

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit 3eb1b955cd7ed1e621ace856710006c2a8a7f231 upstream.

The intc #interrupt-cells is equal to 1. Currently gpio
node has 2 cells per IRQ which is wrong. Remove the additional
cell for each of the interrupts.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Fixes: 2e38b946dc54 ("ARM: davinci: da850: add GPIO DT node")
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/da850.dtsi | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/arch/arm/boot/dts/da850.dtsi
+++ b/arch/arm/boot/dts/da850.dtsi
@@ -261,11 +261,7 @@
 			compatible = "ti,dm6441-gpio";
 			gpio-controller;
 			reg = <0x226000 0x1000>;
-			interrupts = <42 IRQ_TYPE_EDGE_BOTH
-				43 IRQ_TYPE_EDGE_BOTH 44 IRQ_TYPE_EDGE_BOTH
-				45 IRQ_TYPE_EDGE_BOTH 46 IRQ_TYPE_EDGE_BOTH
-				47 IRQ_TYPE_EDGE_BOTH 48 IRQ_TYPE_EDGE_BOTH
-				49 IRQ_TYPE_EDGE_BOTH 50 IRQ_TYPE_EDGE_BOTH>;
+			interrupts = <42 43 44 45 46 47 48 49 50>;
 			ti,ngpio = <144>;
 			ti,davinci-gpio-unbanked = <0>;
 			status = "disabled";



* [PATCH 3.16 128/366] video/omap: add module license tags
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (364 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 077/366] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Bartlomiej Zolnierkiewicz, Imre Deak

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 1bde9f2cf142b726412fa5b0e3cb557ff46952b0 upstream.

I got a bunch of warnings in a randconfig build:

WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_ams_delta.o
WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_inn1510.o
WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_palmte.o
WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_palmtt.o

These come from an earlier patch of mine that turned all display drivers
into separate modules. The fix is to add a MODULE_LICENSE tag. Since I'm
doing that, adding a description and author field also makes sense. I
went by the authors listed in the comment at the top of each file, but
removed Imre's Nokia email address that I assume is not valid any more,
since Imre is working at Intel these days.

Fixes: 81c44c2b2ce3 ("video/omap: fix modular build")
Cc: Imre Deak <imre.deak@intel.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[b.zolnierkie: minor fixups]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/omap/lcd_ams_delta.c | 4 ++++
 drivers/video/fbdev/omap/lcd_h3.c        | 4 ++++
 drivers/video/fbdev/omap/lcd_htcherald.c | 4 ++++
 drivers/video/fbdev/omap/lcd_inn1510.c   | 4 ++++
 drivers/video/fbdev/omap/lcd_inn1610.c   | 4 ++++
 drivers/video/fbdev/omap/lcd_osk.c       | 4 ++++
 drivers/video/fbdev/omap/lcd_palmte.c    | 4 ++++
 drivers/video/fbdev/omap/lcd_palmtt.c    | 4 ++++
 drivers/video/fbdev/omap/lcd_palmz71.c   | 4 ++++
 9 files changed, 36 insertions(+)

--- a/drivers/video/fbdev/omap/lcd_ams_delta.c
+++ b/drivers/video/fbdev/omap/lcd_ams_delta.c
@@ -223,3 +223,7 @@ static struct platform_driver ams_delta_
 };
 
 module_platform_driver(ams_delta_panel_driver);
+
+MODULE_AUTHOR("Jonathan McDowell <noodles@earth.li>");
+MODULE_DESCRIPTION("LCD panel support for the Amstrad E3 (Delta) videophone");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_h3.c
+++ b/drivers/video/fbdev/omap/lcd_h3.c
@@ -125,3 +125,7 @@ static struct platform_driver h3_panel_d
 };
 
 module_platform_driver(h3_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP H3 board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_htcherald.c
+++ b/drivers/video/fbdev/omap/lcd_htcherald.c
@@ -116,3 +116,7 @@ static struct platform_driver htcherald_
 };
 
 module_platform_driver(htcherald_panel_driver);
+
+MODULE_AUTHOR("Cory Maccarrone");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("LCD panel support for the HTC Herald");
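Review bot: style nit, the tags in lcd_htcherald.c are ordered
MODULE_AUTHOR, MODULE_LICENSE, MODULE_DESCRIPTION, while the other files in
this patch use AUTHOR, DESCRIPTION, LICENSE (lcd_palmz71.c has the same
swap). Use one order across all nine files so the blocks stay uniform.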
--- a/drivers/video/fbdev/omap/lcd_inn1510.c
+++ b/drivers/video/fbdev/omap/lcd_inn1510.c
@@ -111,3 +111,7 @@ static struct platform_driver innovator1
 };
 
 module_platform_driver(innovator1510_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP1510 Innovator board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_inn1610.c
+++ b/drivers/video/fbdev/omap/lcd_inn1610.c
@@ -132,3 +132,7 @@ static struct platform_driver innovator1
 };
 
 module_platform_driver(innovator1610_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP1610 Innovator board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_osk.c
+++ b/drivers/video/fbdev/omap/lcd_osk.c
@@ -131,3 +131,7 @@ static struct platform_driver osk_panel_
 };
 
 module_platform_driver(osk_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP OSK board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_palmte.c
+++ b/drivers/video/fbdev/omap/lcd_palmte.c
@@ -108,3 +108,7 @@ static struct platform_driver palmte_pan
 };
 
 module_platform_driver(palmte_panel_driver);
+
+MODULE_AUTHOR("Romain Goyet <r.goyet@gmail.com>, Laurent Gonzalez <palmte.linux@free.fr>");
+MODULE_DESCRIPTION("LCD panel support for the Palm Tungsten E");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_palmtt.c
+++ b/drivers/video/fbdev/omap/lcd_palmtt.c
@@ -114,3 +114,7 @@ static struct platform_driver palmtt_pan
 };
 
 module_platform_driver(palmtt_panel_driver);
+
+MODULE_AUTHOR("Marek Vasut <marek.vasut@gmail.com>");
+MODULE_DESCRIPTION("LCD panel support for Palm Tungsten|T");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_palmz71.c
+++ b/drivers/video/fbdev/omap/lcd_palmz71.c
@@ -110,3 +110,7 @@ static struct platform_driver palmz71_pa
 };
 
 module_platform_driver(palmz71_panel_driver);
+
+MODULE_AUTHOR("Romain Goyet, Laurent Gonzalez, Marek Vasut");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("LCD panel support for the Palm Zire71");



* [PATCH 3.16 146/366] ext4: add more mount time checks of the superblock
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (240 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 088/366] ext4: fix fencepost error in check for inode count overflow during resize Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 177/366] Input: elantech - enable middle button of touchpads on ThinkPad P52 Ben Hutchings
                   ` (124 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit bfe0a5f47ada40d7984de67e59a7d3390b9b9ecc upstream.

The kernel's ext4 mount-time checks were more permissive than
e2fsprogs's libext2fs checks when opening a file system.  The
superblock is considered too insane for debugfs or e2fsck to operate
on it, the kernel has no business trying to mount it.

This will make file system fuzzing tools work harder, but the failure
cases that they find will be more useful and be easier to evaluate.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3725,6 +3725,13 @@ static int ext4_fill_super(struct super_
 			 le32_to_cpu(es->s_log_block_size));
 		goto failed_mount;
 	}
+	if (le32_to_cpu(es->s_log_cluster_size) >
+	    (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+		ext4_msg(sb, KERN_ERR,
+			 "Invalid log cluster size: %u",
+			 le32_to_cpu(es->s_log_cluster_size));
+		goto failed_mount;
+	}
 
 	if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
 		ext4_msg(sb, KERN_ERR,
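Review bot: placing the s_log_cluster_size bound here makes it apply to
every mount, whereas the copy removed further down ran only inside the
branch ahead of the "} else {". That widens the check to filesystems that
take the else branch, and the commit message does not call this out. A
one-line comment saying the field is validated regardless of which branch
is taken later would make the intent clear to the next reader.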
@@ -3853,13 +3860,6 @@ static int ext4_fill_super(struct super_
 				 "block size (%d)", clustersize, blocksize);
 			goto failed_mount;
 		}
-		if (le32_to_cpu(es->s_log_cluster_size) >
-		    (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
-			ext4_msg(sb, KERN_ERR,
-				 "Invalid log cluster size: %u",
-				 le32_to_cpu(es->s_log_cluster_size));
-			goto failed_mount;
-		}
 		sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) -
 			le32_to_cpu(es->s_log_block_size);
 		sbi->s_clusters_per_group =
@@ -3880,10 +3880,10 @@ static int ext4_fill_super(struct super_
 		}
 	} else {
 		if (clustersize != blocksize) {
-			ext4_warning(sb, "fragment/cluster size (%d) != "
-				     "block size (%d)", clustersize,
-				     blocksize);
-			clustersize = blocksize;
+			ext4_msg(sb, KERN_ERR,
+				 "fragment/cluster size (%d) != "
+				 "block size (%d)", clustersize, blocksize);
+			goto failed_mount;
 		}
 		if (sbi->s_blocks_per_group > blocksize * 8) {
 			ext4_msg(sb, KERN_ERR,
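Review bot: this hunk turns a condition the kernel used to repair
("clustersize = blocksize;" after a warning) into a mount failure. For a
stable backport that is a user-visible change: a filesystem that mounted
with a warning before the update is refused after it. The commit message
should say so, and it would help to confirm that e2fsck corrects the field
so affected users have a recovery path.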
@@ -3937,6 +3937,13 @@ static int ext4_fill_super(struct super_
 			 ext4_blocks_count(es));
 		goto failed_mount;
 	}
+	if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) &&
+	    (sbi->s_cluster_ratio == 1)) {
+		ext4_msg(sb, KERN_WARNING, "bad geometry: first data "
+			 "block is 0 with a 1k block and cluster size");
+		goto failed_mount;
+	}
+
 	blocks_count = (ext4_blocks_count(es) -
 			le32_to_cpu(es->s_first_data_block) +
 			EXT4_BLOCKS_PER_GROUP(sb) - 1);
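Review bot: the new geometry check fails the mount but logs at
KERN_WARNING, while the other fatal checks added in this patch use
KERN_ERR; use KERN_ERR here as well. The comparisons
"es->s_first_data_block == 0" and "es->s_log_block_size == 0" also read
on-disk fields without le32_to_cpu(). Comparing against zero gives the
right answer on either endianness, but the surrounding code converts (see
le32_to_cpu(es->s_first_data_block) a few lines below), and the bare form
invites a copy-paste bug with a non-zero constant. Finally, this path does
not assign ret before "goto failed_mount", whereas the inodes-count check
in the last hunk sets "ret = -EINVAL"; the new checks should agree.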
@@ -3972,6 +3979,14 @@ static int ext4_fill_super(struct super_
 		ret = -ENOMEM;
 		goto failed_mount;
 	}
+	if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+	    le32_to_cpu(es->s_inodes_count)) {
+		ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+			 le32_to_cpu(es->s_inodes_count),
+			 ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+		ret = -EINVAL;
+		goto failed_mount;
+	}
 
 	if (ext4_proc_root)
 		sbi->s_proc = proc_mkdir(sb->s_id, ext4_proc_root);



* [PATCH 3.16 143/366] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (297 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 099/366] mtd: cfi_cmdset_0002: Change erase functions to check chip good only Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 267/366] Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list Ben Hutchings
                   ` (67 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit de9bada5d389903f4faf33980e6a95a2911c7e6d upstream.

The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_netlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -460,6 +460,12 @@ static int l2tp_nl_cmd_session_create(st
 		goto out_tunnel;
 	}
 
+	/* L2TPv2 only accepts PPP pseudo-wires */
+	if (tunnel->version == 2 && cfg.pw_type != L2TP_PWTYPE_PPP) {
+		ret = -EPROTONOSUPPORT;
+		goto out_tunnel;
+	}
+
 	if (tunnel->version > 2) {
 		if (info->attrs[L2TP_ATTR_OFFSET])
 			cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]);
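Review bot: the guard tests "tunnel->version == 2" and the block right
after it tests "tunnel->version > 2", so a version value that is neither 2
nor greater than 2 passes both untested. If tunnel creation already limits
the version to 2 or 3, say so in the comment; otherwise write the guard as
"tunnel->version < 3". Since the bug described in the commit message is a
type confusion on the reader side (a struct l2tp_eth_sess interpreted as a
pppol2tp_session by the /proc/net/pppol2tp handlers), a defensive check in
those handlers that skips sessions whose pseudo-wire type is not PPP would
be worth adding too, so the readers do not depend on this one creation
path staying closed.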



* [PATCH 3.16 131/366] backlight: max8925_bl: Fix Device Tree node lookup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (307 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 095/366] tpm: fix race condition in tpm_common_write() Ben Hutchings
                   ` (57 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Lee Jones, Daniel Thompson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed,
while the child backlight node was leaked.

Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/max8925_bl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/video/backlight/max8925_bl.c
+++ b/drivers/video/backlight/max8925_bl.c
@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(st
 	if (!pdata)
 		return;
 
-	np = of_find_node_by_name(nproot, "backlight");
+	np = of_get_child_by_name(nproot, "backlight");
 	if (!np) {
 		dev_err(&pdev->dev, "failed to find backlight node\n");
 		return;
@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(st
 	if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
 		pdata->dual_string = val;
 
+	of_node_put(np);
+
 	pdev->dev.platform_data = pdata;
 }
 



* [PATCH 3.16 239/366] sh_eth: fix invalid context bug while changing link options by ethtool
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (315 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 017/366] media: omap3isp/isp: remove an unused static var Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 181/366] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Ben Hutchings
                   ` (49 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Sergei Shtylyov, Vladimir Zapolskiy

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>

commit 5cb3f52a11e18628fc4bee76dd14b1f0b76349de upstream.

The change fixes sleep in atomic context bug, which is encountered
every time when link settings are changed by ethtool.

Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O
potentially sleeping") phy_start_aneg() function utilizes a mutex
to serialize changes to phy state, however that helper function is
called in atomic context under a grabbed spinlock, because
phy_start_aneg() is called by phy_ethtool_ksettings_set() and by
replaced phy_ethtool_sset() helpers from phylib.

Now duplex mode setting is enforced in sh_eth_adjust_link() only,
also now RX/TX is disabled when link is put down or modifications
to E-MAC registers ECMR and GECMR are expected for both cases of
checked and ignored link status pin state from E-MAC interrupt handler.

For reference the change is a partial rework of commit 1e1b812bbe10
("sh_eth: fix handling of no LINK signal").

Fixes: dc19e4e5e02f ("sh: sh_eth: Add support ethtool")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Keep using phy_ethtool_sset()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -1727,8 +1727,15 @@ static void sh_eth_adjust_link(struct ne
 {
 	struct sh_eth_private *mdp = netdev_priv(ndev);
 	struct phy_device *phydev = mdp->phydev;
+	unsigned long flags;
 	int new_state = 0;
 
+	spin_lock_irqsave(&mdp->lock, flags);
+
+	/* Disable TX and RX right over here, if E-MAC change is ignored */
+	if (mdp->cd->no_psr || mdp->no_ether_link)
+		sh_eth_rcv_snd_disable(ndev);
+
 	if (phydev->link) {
 		if (phydev->duplex != mdp->duplex) {
 			new_state = 1;
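Review bot: with this hunk sh_eth_rcv_snd_disable() runs at the top of
every sh_eth_adjust_link() call on no_psr / no_ether_link parts, before it
is known whether link, speed or duplex changed, and RX/TX only come back at
the end of the function. That interrupts traffic on callbacks that change
nothing. Either work out the new state first and bracket only the register
writes, or explain in the comment why the unconditional stop is needed.
The comment "if E-MAC change is ignored" should also spell out which
condition it refers to.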
@@ -1749,18 +1756,21 @@ static void sh_eth_adjust_link(struct ne
 				     ECMR);
 			new_state = 1;
 			mdp->link = phydev->link;
-			if (mdp->cd->no_psr || mdp->no_ether_link)
-				sh_eth_rcv_snd_enable(ndev);
 		}
 	} else if (mdp->link) {
 		new_state = 1;
 		mdp->link = 0;
 		mdp->speed = 0;
 		mdp->duplex = -1;
-		if (mdp->cd->no_psr || mdp->no_ether_link)
-			sh_eth_rcv_snd_disable(ndev);
 	}
 
+	/* Enable TX and RX right over here, if E-MAC change is ignored */
+	if ((mdp->cd->no_psr || mdp->no_ether_link) && phydev->link)
+		sh_eth_rcv_snd_enable(ndev);
+
+	mmiowb();
+	spin_unlock_irqrestore(&mdp->lock, flags);
+
 	if (new_state && netif_msg_link(mdp))
 		phy_print_status(phydev);
 }
@@ -1843,35 +1853,8 @@ static int sh_eth_set_settings(struct ne
 			       struct ethtool_cmd *ecmd)
 {
 	struct sh_eth_private *mdp = netdev_priv(ndev);
-	unsigned long flags;
-	int ret;
-
-	spin_lock_irqsave(&mdp->lock, flags);
 
-	/* disable tx and rx */
-	sh_eth_rcv_snd_disable(ndev);
-
-	ret = phy_ethtool_sset(mdp->phydev, ecmd);
-	if (ret)
-		goto error_exit;
-
-	if (ecmd->duplex == DUPLEX_FULL)
-		mdp->duplex = 1;
-	else
-		mdp->duplex = 0;
-
-	if (mdp->cd->set_duplex)
-		mdp->cd->set_duplex(ndev);
-
-error_exit:
-	mdelay(1);
-
-	/* enable tx and rx */
-	sh_eth_rcv_snd_enable(ndev);
-
-	spin_unlock_irqrestore(&mdp->lock, flags);
-
-	return ret;
+	return phy_ethtool_sset(mdp->phydev, ecmd);
 }
 
 static int sh_eth_nway_reset(struct net_device *ndev)
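Review bot: after this hunk sh_eth_set_settings() no longer updates
mdp->duplex or calls mdp->cd->set_duplex(), and the "mdelay(1);" that sat
between stopping and restarting RX/TX is gone without a replacement. The
commit message says duplex is now enforced in sh_eth_adjust_link() only,
which holds only if phy_ethtool_sset() always results in an adjust_link
callback; a comment above the return stating that dependency would protect
it from later refactoring. If the delay was there to let the MAC settle
after the stop, the new stop/start pair in sh_eth_adjust_link() has no
equivalent, so please state why it is no longer needed.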



* [PATCH 3.16 061/366] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 211/366] tty: vt, remove reduntant check Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 120/366] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Ben Hutchings
                   ` (355 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Steffen Maier, Benjamin Block

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 81979ae63e872ef650a7197f6ce6590059d37172 upstream.

We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
our eh callback and an actual send/recv of an abort / TMF request.  In order
to see the temporal sequence including any abort / TMF send retries, add a
trace before the above two blocking functions.  This supports problem
determination with scsi_eh and parallel zfcp ERP.

No need to explicitly trace the beginning of our eh callback, since we
typically can send an abort / TMF and see its HBA response (in the worst
case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
almost the beginning of the callback.

No need to explicitly trace the wakeup after the above two blocking
functions because the next retry loop causes another trace in any case and
that is sufficient.

Example trace records formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : abrt_wt        abort, before zfcp_erp_wait()
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0x<scsi_id>
SCSI LUN       : 0x<scsi_lun>
SCSI LUN high  : 0x<scsi_lun_high>
SCSI result    : 0x<scsi_result_of_cmd_to_be_aborted>
SCSI retries   : 0x<retries_of_cmd_to_be_aborted>
SCSI allowed   : 0x<allowed_retries_of_cmd_to_be_aborted>
SCSI scribble  : 0x<req_id_of_cmd_to_be_aborted>
SCSI opcode    : <CDB_of_cmd_to_be_aborted>
FCP rsp inf cod: 0x..                                   none (invalid)
FCP rsp IU     : ...                                    none (invalid)

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : lr_wait        LUN reset, before zfcp_erp_wait()
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0x<scsi_id>
SCSI LUN       : 0x<scsi_lun>
SCSI LUN high  : 0x<scsi_lun_high>
SCSI result    : 0x...                                  unrelated
SCSI retries   : 0x..                                   unrelated
SCSI allowed   : 0x..                                   unrelated
SCSI scribble  : 0x...                                  unrelated
SCSI opcode    : ...                                    unrelated
FCP rsp inf cod: 0x..                                   none (invalid)
FCP rsp IU     : ...                                    none (invalid)

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_scsi.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -201,6 +201,7 @@ static int zfcp_scsi_eh_abort_handler(st
 		if (abrt_req)
 			break;
 
+		zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
 		zfcp_erp_wait(adapter);
 		ret = fc_block_scsi_eh(scpnt);
 		if (ret) {
@@ -297,6 +298,7 @@ static int zfcp_task_mgmt_function(struc
 		if (fsf_req)
 			break;
 
+		zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
 		zfcp_erp_wait(adapter);
 		ret = fc_block_scsi_eh(scpnt);
 		if (ret) {
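Review bot: the tag passed here is "wait", while the commit message
documents the resulting trace tags as "[lt]r_wait" and shows "lr_wait" in
the sample record, so the prefix is presumably added inside
zfcp_dbf_scsi_devreset() from tm_flags. A short comment at this call site
naming the final tags would help anyone who greps the source for a tag
seen in a trace; the abort hunk above passes its full tag "abrt_wt"
literally, so the two call sites read inconsistently without it.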



* [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 268/366] Input: i8042 - add Lenovo LaVie Z to the i8042 reset list Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows Ben Hutchings
                   ` (313 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Saeed Mahameed, Alex Vesker

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit d412c31dae053bf30a1bc15582a9990df297a660 upstream.

The command interface can work in two modes: Events and Polling.
In the general case, each time we invoke a command, a work is
queued to handle it.

When working in events, the interrupt handler completes the
command execution. On the other hand, when working in polling
mode, the work itself completes it.

Due to a bug in the work handler, a command could have been
completed by the interrupt handler, while the work handler
hasn't finished yet, causing it to complete once again
if the command interface mode was changed from Events to
polling after the interrupt handler was called.

mlx5_unload_one()
        mlx5_stop_eqs()
                // Destroy the EQ before cmd EQ
                ...cmd_work_handler()
                        write_doorbell()
                        --> EVENT_TYPE_CMD
                                mlx5_cmd_comp_handler() // First free
                                        free_ent(cmd, ent->idx)
                                        complete(&ent->done)

        <-- mlx5_stop_eqs //cmd was complete
                // move to polling before destroying the last cmd EQ
                mlx5_cmd_use_polling()
                        cmd->mode = POLL;

                --> cmd_work_handler (continues)
                        if (cmd->mode == POLL)
                                mlx5_cmd_comp_handler() // Double free

The solution is to store the cmd->mode before writing the doorbell.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -560,6 +560,7 @@ static void cmd_work_handler(struct work
 	struct mlx5_cmd_layout *lay;
 	struct semaphore *sem;
 	int alloc_ret;
+	int cmd_mode;
 
 	sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
 	down(sem);
@@ -602,6 +603,7 @@ static void cmd_work_handler(struct work
 	set_signature(ent, !cmd->checksum_disabled);
 	dump_command(dev, ent, 1);
 	ktime_get_ts(&ent->ts1);
+	cmd_mode = cmd->mode;
 
 	if (ent->callback)
 		schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
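Review bot: "cmd_mode = cmd->mode;" is the whole fix, yet nothing at the
assignment says why the mode has to be sampled before the doorbell write.
Without a comment a later cleanup can fold the local back into
"cmd->mode == CMD_MODE_POLLING" and reintroduce the double completion
shown in the commit message. Add a comment stating that the mode may be
switched to polling by mlx5_cmd_use_polling() after the interrupt handler
has already completed the entry, and consider an annotated load
(ACCESS_ONCE() on a kernel of this age) to mark the read as deliberately
racing with that writer.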
@@ -611,7 +613,7 @@ static void cmd_work_handler(struct work
 	iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell);
 	mlx5_core_dbg(dev, "write 0x%x to command doorbell\n", 1 << ent->idx);
 	mmiowb();
-	if (cmd->mode == CMD_MODE_POLLING) {
+	if (cmd_mode == CMD_MODE_POLLING) {
 		poll_timeout(ent);
 		/* make sure we read the descriptor after ownership is SW */
 		rmb();



* [PATCH 3.16 033/366] powerpc/fadump: Unregister fadump on kexec down path.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 300/366] net: socket: fix potential spectre v1 gadget in socketcall Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 219/366] x86/cpufeatures: Hide AMD-specific speculation flags Ben Hutchings
                   ` (71 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Mahesh Salgaonkar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>

commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.

Unregister fadump on kexec down path otherwise the fadump registration
in new kexec-ed kernel complains that fadump is already registered.
This makes the new kernel continue using fadump registered by the previous
kernel which may lead to invalid vmcore generation. Hence this patch
fixes this issue by un-registering fadump in fadump_cleanup() which is
called during kexec path so that new kernel can register fadump with
new valid values.

Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/fadump.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1025,6 +1025,9 @@ void fadump_cleanup(void)
 		init_fadump_mem_struct(&fdm,
 			fdm_active->cpu_state_data.destination_address);
 		fadump_invalidate_dump(&fdm);
+	} else if (fw_dump.dump_registered) {
+		/* Un-register Firmware-assisted dump if it was registered. */
+		fadump_unregister_dump(&fdm);
 	}
 }
 
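Review bot: in the new `else if (fw_dump.dump_registered)` branch the result of `fadump_unregister_dump(&fdm)` is discarded, and `fdm` is passed without the `init_fadump_mem_struct()` call that the branch above makes. If the unregister can fail, kexec would continue with the old registration still in place, which is the situation the commit message sets out to avoid. At least log a failure, and add a comment stating that `fdm` still holds the values used at registration on this path.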


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 190/366] batman-adv: unify flags access style in tt global add
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 025/366] mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources Ben Hutchings
                   ` (91 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio Quartulli, Marek Lindner, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Wunderlich <sw@simonwunderlich.de>

commit ad7e2c466d8b0a7056cd248e1df6bb7296e014f7 upstream.

This should slightly improve readability

Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1435,7 +1435,7 @@ static bool batadv_tt_global_add(struct
 		 * TT_CLIENT_TEMP, therefore they have to be copied in the
 		 * client entry
 		 */
-		tt_global_entry->common.flags |= flags & (~BATADV_TT_SYNC_MASK);
+		common->flags |= flags & (~BATADV_TT_SYNC_MASK);
 
 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
 		 * one originator left in the list and we previously received a
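Review bot: `common->flags` on the changed line depends on `common` already pointing at `&tt_global_entry->common` when this statement runs, and neither its declaration nor its assignment is visible in the hunk context. Since the backport tag says the context was adjusted for 3.16, confirm that `common` is assigned on every path reaching this line in the 3.16 version of batadv_tt_global_add(); otherwise the flags are written through the wrong or an unset pointer.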


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 071/366] net: ethernet: davinci_emac: Fix printing of base address
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 138/366] l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 344/366] [media] ir-core: fix gcc-7 warning on bool arithmetic Ben Hutchings
                   ` (206 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 5a04e8f81a4f55ce1c2b7b525744a187c99ba302 upstream.

Use %pa which is the correct formatter to print a physical address,
instead of %p which is just a pointer.

Fixes: a6286ee630f6 ("net: Add TI DaVinci EMAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ti/davinci_emac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -2024,8 +2024,8 @@ static int davinci_emac_probe(struct pla
 
 	if (netif_msg_probe(priv)) {
 		dev_notice(&pdev->dev, "DaVinci EMAC Probe found device "
-			   "(regs: %p, irq: %d)\n",
-			   (void *)priv->emac_base_phys, ndev->irq);
+			   "(regs: %pa, irq: %d)\n",
+			   &priv->emac_base_phys, ndev->irq);
 	}
 	pm_runtime_put(&pdev->dev);
 
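Review bot: `%pa` takes a pointer to a `phys_addr_t` and reads that many bytes through it, so the `&priv->emac_base_phys` argument is only correct if the field is declared with exactly that type. The removed `(void *)` cast shows it is an integer field, and its declaration is not part of this hunk. If it is a fixed 32-bit type, the print reads past it on configurations where `phys_addr_t` is 64 bits wide, so change the field type in the same patch or copy the value into a `phys_addr_t` local before printing.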


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 111/366] net/packet: refine check for priv area size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (361 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 031/366] ALSA: hda/ca0132: fix build failure when a local macro is defined Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 016/366] staging:iio:ade7854: Fix the wrong number of bits to read Ben Hutchings
                   ` (3 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, syzbot, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 upstream.

syzbot was able to trick af_packet again [1]

Various commits tried to address the problem in the past,
but failed to take into account V3 header size.

[1]

tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106

CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
 prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
 __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
 packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
 tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
 xmit_one net/core/dev.c:3049 [inline]
 dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
 ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
 addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the page:
page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3898,7 +3898,7 @@ static int packet_set_ring(struct sock *
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
 		    req->tp_block_size <=
-			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+		    BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))
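Review bot: the replacement line in the `tp_version >= TPACKET_V3` test puts the whole bound on one line well past 80 columns and gives no comment on what the bound means. A short comment above the test saying that a block must have room for the block header, the private area and at least one `struct tpacket3_hdr` would help keep a term from being dropped again; the commit message notes that earlier fixes missed the V3 header size. When rewrapping, keep the `(u64)` cast on `tp_sizeof_priv` so the sum cannot wrap before the comparison with `tp_block_size`.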


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 139/366] l2tp: only accept PPP sessions in pppol2tp_connect() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line Ben Hutchings
                   ` (157 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dennis Yang, Mike Snitzer

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3 upstream.

Discards issued to a DM thin device can complete to userspace (via
fstrim) _before_ the metadata changes associated with the discards are
reflected in the thinp superblock (e.g. free blocks).  As such, if a
user constructs a test that loops repeatedly over these steps, block
allocation can fail due to discards not having completed yet:
1) fill thin device via filesystem file
2) remove file
3) fstrim

From initial report, here:
https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html

"The root cause of this issue is that dm-thin will first remove
mapping and increase corresponding blocks' reference count to prevent
them from being reused before DISCARD bios get processed by the
underlying layers. However, increasing blocks' reference count could
also increase the nr_allocated_this_transaction in struct sm_disk
which makes smd->old_ll.nr_allocated +
smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
In this case, alloc_data_block() will never commit metadata to reset
the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
always returns an underflow value."

While there is room for improvement to the space-map accounting that
thinp is making use of: the reality is this test is inherently racy and
will result in the previous iteration's fstrim's discard(s) completing
vs concurrent block allocation, via dd, in the next iteration of the
loop.

No amount of space map accounting improvements will be able to allow
users to use a block before a discard of that block has completed.

So the best we can really do is allow DM thinp to gracefully handle such
aggressive use of all the pool's data by degrading the pool into
out-of-data-space (OODS) mode.  We _should_ get that behaviour already
(if space map accounting didn't falsely cause alloc_data_block() to
believe free space was available).. but short of that we handle the
current reality that dm_pool_alloc_data_block() can return -ENOSPC.

Reported-by: Dennis Yang <dennisyang@qnap.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-thin.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -938,6 +938,8 @@ static void schedule_zero(struct thin_c
 
 static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
 
+static void requeue_bios(struct pool *pool);
+
 static void check_for_space(struct pool *pool)
 {
 	int r;
@@ -950,8 +952,10 @@ static void check_for_space(struct pool
 	if (r)
 		return;
 
-	if (nr_free)
+	if (nr_free) {
 		set_pool_mode(pool, PM_WRITE);
+		requeue_bios(pool);
+	}
 }
 
 /*
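Review bot: the `requeue_bios(pool)` call added after `set_pool_mode(pool, PM_WRITE)` in check_for_space() has no comment explaining why bios need requeueing at this point, and it is not clear from the hunk whether set_pool_mode() already does so on a mode change. A one-line comment stating which bios are expected to be waiting here (presumably those held while the pool was out of data space) would make the ordering requirement explicit.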
@@ -1028,7 +1032,10 @@ static int alloc_data_block(struct thin_
 
 	r = dm_pool_alloc_data_block(pool->pmd, result);
 	if (r) {
-		metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
+		if (r == -ENOSPC)
+			set_pool_mode(pool, PM_OUT_OF_DATA_SPACE);
+		else
+			metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
 		return r;
 	}
 
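Review bot: on the new `r == -ENOSPC` path in alloc_data_block() the call to metadata_operation_failed() is skipped, so this site no longer records which operation failed, and whether set_pool_mode() logs the switch to PM_OUT_OF_DATA_SPACE is not visible here. Confirm that the transition is still reported to the administrator, and add a brief comment that -ENOSPC is an expected outcome under concurrent discard rather than a metadata failure, since `return r` still passes the error to the caller.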


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 087/366] perf/core: Fix group scheduling with mixed hw and sw events
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 133/366] backlight: as3711_bl: Fix Device Tree node leaks Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 336/366] gcov: add support for GCC 5.1 Ben Hutchings
                   ` (277 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, Song Liu, Thomas Gleixner, Alexander Shishkin,
	kernel-team, Jiri Olsa, Arnaldo Carvalho de Melo, Linus Torvalds,
	Peter Zijlstra (Intel),
	Vince Weaver, Stephane Eranian

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Song Liu <songliubraving@fb.com>

commit a1150c202207cc8501bebc45b63c264f91959260 upstream.

When hw and sw events are mixed in the same group, they are all attached
to the hw perf_event_context. This sometimes requires moving group of
perf_event to a different context.

We found a bug in how the kernel handles this, for example if we do:

   perf stat -e '{faults,ref-cycles,faults}'  -I 1000

     1.005591180              1,297      faults
     1.005591180        457,476,576      ref-cycles
     1.005591180    <not supported>      faults

First, sw event "faults" is attached to the sw context, and becomes the
group leader. Then, hw event "ref-cycles" is attached, so both events
are moved to the hw context. Last, another sw "faults" tries to attach,
but it fails because of mismatch between the new target ctx (from sw
pmu) and the group_leader's ctx (hw context, same as ref-cycles).

The broken condition is:
   group_leader is sw event;
   group_leader is on hw context;
   add a sw event to the group.

Fix this scenario by checking group_leader's context (instead of just
event type). If group_leader is on hw context, use the ->pmu of this
context to look up context for the new event.

Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <kernel-team@fb.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: b04243ef7006 ("perf: Complete software pmu grouping")
Link: http://lkml.kernel.org/r/20180503194716.162815-1-songliubraving@fb.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/perf_event.h |  8 ++++++++
 kernel/events/core.c       | 21 +++++++++++----------
 2 files changed, 19 insertions(+), 10 deletions(-)

--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -640,6 +640,14 @@ static inline int is_software_event(stru
 	return event->pmu->task_ctx_nr == perf_sw_context;
 }
 
+/*
+ * Return 1 for event in sw context, 0 for event in hw context
+ */
+static inline int in_software_context(struct perf_event *event)
+{
+	return event->ctx->pmu->task_ctx_nr == perf_sw_context;
+}
+
 extern struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX];
 
 extern void ___perf_sw_event(u32, u64, struct pt_regs *, u64);
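Review bot: in_software_context() dereferences `event->ctx` and `event->ctx->pmu` unconditionally, but its comment only describes the return value. State the precondition that the event is already attached to a context, because the helper sits directly below is_software_event(), which only needs `event->pmu`, and a caller could assume the two are interchangeable. Returning bool would also fit the 1/0 contract the comment describes.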
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7502,19 +7502,20 @@ SYSCALL_DEFINE5(perf_event_open,
 	 */
 	pmu = event->pmu;
 
-	if (group_leader &&
-	    (is_software_event(event) != is_software_event(group_leader))) {
-		if (is_software_event(event)) {
+	if (group_leader) {
+		if (is_software_event(event) &&
+		    !in_software_context(group_leader)) {
 			/*
-			 * If event and group_leader are not both a software
-			 * event, and event is, then group leader is not.
+			 * If the event is a sw event, but the group_leader
+			 * is on hw context.
 			 *
-			 * Allow the addition of software events to !software
-			 * groups, this is safe because software events never
-			 * fail to schedule.
+			 * Allow the addition of software events to hw
+			 * groups, this is safe because software events
+			 * never fail to schedule.
 			 */
-			pmu = group_leader->pmu;
-		} else if (is_software_event(group_leader) &&
+			pmu = group_leader->ctx->pmu;
+		} else if (!is_software_event(event) &&
+			   is_software_event(group_leader) &&
 			   (group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
 			/*
 			 * In case the group is a pure software group, and we
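Review bot: the new first branch reads `group_leader->ctx->pmu` where the old code read `group_leader->pmu`, and no lock or reference on the leader's context is visible in this hunk. The commit message says groups are moved between contexts when hw and sw events are mixed, so confirm that `group_leader->ctx` cannot change under this read in the 3.16 version of perf_event_open(). The rewritten comment is also a sentence fragment ("If the event is a sw event, but the group_leader is on hw context."); finish it so it says what follows from that condition.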


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 041/366] powerpc: make feature-fixup tests fortify-safe
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (325 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 362/366] tools/lib/subcmd/pager.c: do not alias select() params Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 319/366] unify dentry_iput() and dentry_unlink_inode() Ben Hutchings
                   ` (39 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrew Donnellan, Kees Cook, Daniel Axtens, Linus Torvalds,
	Michael Ellerman, Daniel Micay

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Axtens <dja@axtens.net>

commit c69a48cdb301a18697bc8c9935baf4f32861cf9e upstream.

Testing the fortified string functions[1] would cause a kernel panic on
boot in test_feature_fixups() due to a buffer overflow in memcmp.

This boils down to things like this:

  extern unsigned int ftr_fixup_test1;
  extern unsigned int ftr_fixup_test1_orig;

  check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);

We know that these are asm labels so it is safe to read up to 'size'
bytes at those addresses.

However, because we have passed the address of a single unsigned int to
memcmp, the compiler believes the underlying object is in fact a single
unsigned int.  So if size > sizeof(unsigned int), there will be a panic
at runtime.

We can fix this by changing the types: instead of calling the asm labels
unsigned ints, call them unsigned int[]s.  Therefore the size isn't
incorrectly determined at compile time and we get a regular unsafe
memcmp and no panic.

[1] http://openwall.com/lists/kernel-hardening/2017/05/09/2

Link: http://lkml.kernel.org/r/1497903987-21002-7-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/lib/feature-fixups.c | 180 +++++++++++++++---------------
 1 file changed, 90 insertions(+), 90 deletions(-)

--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -166,192 +166,192 @@ static long calc_offset(struct fixup_ent
 
 void test_basic_patching(void)
 {
-	extern unsigned int ftr_fixup_test1;
-	extern unsigned int end_ftr_fixup_test1;
-	extern unsigned int ftr_fixup_test1_orig;
-	extern unsigned int ftr_fixup_test1_expected;
-	int size = &end_ftr_fixup_test1 - &ftr_fixup_test1;
+	extern unsigned int ftr_fixup_test1[];
+	extern unsigned int end_ftr_fixup_test1[];
+	extern unsigned int ftr_fixup_test1_orig[];
+	extern unsigned int ftr_fixup_test1_expected[];
+	int size = end_ftr_fixup_test1 - ftr_fixup_test1;
 
 	fixup.value = fixup.mask = 8;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test1 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test1 + 2);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test1 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test1 + 2);
 	fixup.alt_start_off = fixup.alt_end_off = 0;
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_orig, size) == 0);
 
 	/* Check we don't patch if the value matches */
 	patch_feature_section(8, &fixup);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_orig, size) == 0);
 
 	/* Check we do patch if the value doesn't match */
 	patch_feature_section(0, &fixup);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_expected, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_expected, size) == 0);
 
 	/* Check we do patch if the mask doesn't match */
-	memcpy(&ftr_fixup_test1, &ftr_fixup_test1_orig, size);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
+	memcpy(ftr_fixup_test1, ftr_fixup_test1_orig, size);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_orig, size) == 0);
 	patch_feature_section(~8, &fixup);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_expected, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_expected, size) == 0);
 }
 
 static void test_alternative_patching(void)
 {
-	extern unsigned int ftr_fixup_test2;
-	extern unsigned int end_ftr_fixup_test2;
-	extern unsigned int ftr_fixup_test2_orig;
-	extern unsigned int ftr_fixup_test2_alt;
-	extern unsigned int ftr_fixup_test2_expected;
-	int size = &end_ftr_fixup_test2 - &ftr_fixup_test2;
+	extern unsigned int ftr_fixup_test2[];
+	extern unsigned int end_ftr_fixup_test2[];
+	extern unsigned int ftr_fixup_test2_orig[];
+	extern unsigned int ftr_fixup_test2_alt[];
+	extern unsigned int ftr_fixup_test2_expected[];
+	int size = end_ftr_fixup_test2 - ftr_fixup_test2;
 
 	fixup.value = fixup.mask = 0xF;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test2 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test2 + 2);
-	fixup.alt_start_off = calc_offset(&fixup, &ftr_fixup_test2_alt);
-	fixup.alt_end_off = calc_offset(&fixup, &ftr_fixup_test2_alt + 1);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test2 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test2 + 2);
+	fixup.alt_start_off = calc_offset(&fixup, ftr_fixup_test2_alt);
+	fixup.alt_end_off = calc_offset(&fixup, ftr_fixup_test2_alt + 1);
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_orig, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_orig, size) == 0);
 
 	/* Check we don't patch if the value matches */
 	patch_feature_section(0xF, &fixup);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_orig, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_orig, size) == 0);
 
 	/* Check we do patch if the value doesn't match */
 	patch_feature_section(0, &fixup);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_expected, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_expected, size) == 0);
 
 	/* Check we do patch if the mask doesn't match */
-	memcpy(&ftr_fixup_test2, &ftr_fixup_test2_orig, size);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_orig, size) == 0);
+	memcpy(ftr_fixup_test2, ftr_fixup_test2_orig, size);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_orig, size) == 0);
 	patch_feature_section(~0xF, &fixup);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_expected, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_expected, size) == 0);
 }
 
 static void test_alternative_case_too_big(void)
 {
-	extern unsigned int ftr_fixup_test3;
-	extern unsigned int end_ftr_fixup_test3;
-	extern unsigned int ftr_fixup_test3_orig;
-	extern unsigned int ftr_fixup_test3_alt;
-	int size = &end_ftr_fixup_test3 - &ftr_fixup_test3;
+	extern unsigned int ftr_fixup_test3[];
+	extern unsigned int end_ftr_fixup_test3[];
+	extern unsigned int ftr_fixup_test3_orig[];
+	extern unsigned int ftr_fixup_test3_alt[];
+	int size = end_ftr_fixup_test3 - ftr_fixup_test3;
 
 	fixup.value = fixup.mask = 0xC;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test3 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test3 + 2);
-	fixup.alt_start_off = calc_offset(&fixup, &ftr_fixup_test3_alt);
-	fixup.alt_end_off = calc_offset(&fixup, &ftr_fixup_test3_alt + 2);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test3 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test3 + 2);
+	fixup.alt_start_off = calc_offset(&fixup, ftr_fixup_test3_alt);
+	fixup.alt_end_off = calc_offset(&fixup, ftr_fixup_test3_alt + 2);
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 
 	/* Expect nothing to be patched, and the error returned to us */
 	check(patch_feature_section(0xF, &fixup) == 1);
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 	check(patch_feature_section(0, &fixup) == 1);
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 	check(patch_feature_section(~0xF, &fixup) == 1);
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 }
 
 static void test_alternative_case_too_small(void)
 {
-	extern unsigned int ftr_fixup_test4;
-	extern unsigned int end_ftr_fixup_test4;
-	extern unsigned int ftr_fixup_test4_orig;
-	extern unsigned int ftr_fixup_test4_alt;
-	extern unsigned int ftr_fixup_test4_expected;
-	int size = &end_ftr_fixup_test4 - &ftr_fixup_test4;
+	extern unsigned int ftr_fixup_test4[];
+	extern unsigned int end_ftr_fixup_test4[];
+	extern unsigned int ftr_fixup_test4_orig[];
+	extern unsigned int ftr_fixup_test4_alt[];
+	extern unsigned int ftr_fixup_test4_expected[];
+	int size = end_ftr_fixup_test4 - ftr_fixup_test4;
 	unsigned long flag;
 
 	/* Check a high-bit flag */
 	flag = 1UL << ((sizeof(unsigned long) - 1) * 8);
 	fixup.value = fixup.mask = flag;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test4 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test4 + 5);
-	fixup.alt_start_off = calc_offset(&fixup, &ftr_fixup_test4_alt);
-	fixup.alt_end_off = calc_offset(&fixup, &ftr_fixup_test4_alt + 2);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test4 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test4 + 5);
+	fixup.alt_start_off = calc_offset(&fixup, ftr_fixup_test4_alt);
+	fixup.alt_end_off = calc_offset(&fixup, ftr_fixup_test4_alt + 2);
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_orig, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_orig, size) == 0);
 
 	/* Check we don't patch if the value matches */
 	patch_feature_section(flag, &fixup);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_orig, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_orig, size) == 0);
 
 	/* Check we do patch if the value doesn't match */
 	patch_feature_section(0, &fixup);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_expected, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_expected, size) == 0);
 
 	/* Check we do patch if the mask doesn't match */
-	memcpy(&ftr_fixup_test4, &ftr_fixup_test4_orig, size);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_orig, size) == 0);
+	memcpy(ftr_fixup_test4, ftr_fixup_test4_orig, size);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_orig, size) == 0);
 	patch_feature_section(~flag, &fixup);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_expected, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_expected, size) == 0);
 }
 
 static void test_alternative_case_with_branch(void)
 {
-	extern unsigned int ftr_fixup_test5;
-	extern unsigned int end_ftr_fixup_test5;
-	extern unsigned int ftr_fixup_test5_expected;
-	int size = &end_ftr_fixup_test5 - &ftr_fixup_test5;
+	extern unsigned int ftr_fixup_test5[];
+	extern unsigned int end_ftr_fixup_test5[];
+	extern unsigned int ftr_fixup_test5_expected[];
+	int size = end_ftr_fixup_test5 - ftr_fixup_test5;
 
-	check(memcmp(&ftr_fixup_test5, &ftr_fixup_test5_expected, size) == 0);
+	check(memcmp(ftr_fixup_test5, ftr_fixup_test5_expected, size) == 0);
 }
 
 static void test_alternative_case_with_external_branch(void)
 {
-	extern unsigned int ftr_fixup_test6;
-	extern unsigned int end_ftr_fixup_test6;
-	extern unsigned int ftr_fixup_test6_expected;
-	int size = &end_ftr_fixup_test6 - &ftr_fixup_test6;
+	extern unsigned int ftr_fixup_test6[];
+	extern unsigned int end_ftr_fixup_test6[];
+	extern unsigned int ftr_fixup_test6_expected[];
+	int size = end_ftr_fixup_test6 - ftr_fixup_test6;
 
-	check(memcmp(&ftr_fixup_test6, &ftr_fixup_test6_expected, size) == 0);
+	check(memcmp(ftr_fixup_test6, ftr_fixup_test6_expected, size) == 0);
 }
 
 static void test_cpu_macros(void)
 {
-	extern u8 ftr_fixup_test_FTR_macros;
-	extern u8 ftr_fixup_test_FTR_macros_expected;
-	unsigned long size = &ftr_fixup_test_FTR_macros_expected -
-			     &ftr_fixup_test_FTR_macros;
+	extern u8 ftr_fixup_test_FTR_macros[];
+	extern u8 ftr_fixup_test_FTR_macros_expected[];
+	unsigned long size = ftr_fixup_test_FTR_macros_expected -
+			     ftr_fixup_test_FTR_macros;
 
 	/* The fixups have already been done for us during boot */
-	check(memcmp(&ftr_fixup_test_FTR_macros,
-		     &ftr_fixup_test_FTR_macros_expected, size) == 0);
+	check(memcmp(ftr_fixup_test_FTR_macros,
+		     ftr_fixup_test_FTR_macros_expected, size) == 0);
 }
 
 static void test_fw_macros(void)
 {
 #ifdef CONFIG_PPC64
-	extern u8 ftr_fixup_test_FW_FTR_macros;
-	extern u8 ftr_fixup_test_FW_FTR_macros_expected;
-	unsigned long size = &ftr_fixup_test_FW_FTR_macros_expected -
-			     &ftr_fixup_test_FW_FTR_macros;
+	extern u8 ftr_fixup_test_FW_FTR_macros[];
+	extern u8 ftr_fixup_test_FW_FTR_macros_expected[];
+	unsigned long size = ftr_fixup_test_FW_FTR_macros_expected -
+			     ftr_fixup_test_FW_FTR_macros;
 
 	/* The fixups have already been done for us during boot */
-	check(memcmp(&ftr_fixup_test_FW_FTR_macros,
-		     &ftr_fixup_test_FW_FTR_macros_expected, size) == 0);
+	check(memcmp(ftr_fixup_test_FW_FTR_macros,
+		     ftr_fixup_test_FW_FTR_macros_expected, size) == 0);
 #endif
 }
 
 static void test_lwsync_macros(void)
 {
-	extern u8 lwsync_fixup_test;
-	extern u8 end_lwsync_fixup_test;
-	extern u8 lwsync_fixup_test_expected_LWSYNC;
-	extern u8 lwsync_fixup_test_expected_SYNC;
-	unsigned long size = &end_lwsync_fixup_test -
-			     &lwsync_fixup_test;
+	extern u8 lwsync_fixup_test[];
+	extern u8 end_lwsync_fixup_test[];
+	extern u8 lwsync_fixup_test_expected_LWSYNC[];
+	extern u8 lwsync_fixup_test_expected_SYNC[];
+	unsigned long size = end_lwsync_fixup_test -
+			     lwsync_fixup_test;
 
 	/* The fixups have already been done for us during boot */
 	if (cur_cpu_spec->cpu_features & CPU_FTR_LWSYNC) {
-		check(memcmp(&lwsync_fixup_test,
-			     &lwsync_fixup_test_expected_LWSYNC, size) == 0);
+		check(memcmp(lwsync_fixup_test,
+			     lwsync_fixup_test_expected_LWSYNC, size) == 0);
 	} else {
-		check(memcmp(&lwsync_fixup_test,
-			     &lwsync_fixup_test_expected_SYNC, size) == 0);
+		check(memcmp(lwsync_fixup_test,
+			     lwsync_fixup_test_expected_SYNC, size) == 0);
 	}
 }
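
Review bot: the size passed to memcmp() in the ftr_fixup_test5 and ftr_fixup_test6 checks is an element count, not a byte count. end_ftr_fixup_test6 - ftr_fixup_test6 on unsigned int arrays yields the number of words, so only the first quarter of each region is compared. The old &end - &start form behaved the same way, so this is not a regression from the conversion to array declarations, but the conversion is a good moment to multiply by sizeof(unsigned int). The u8 cases (FTR_macros, FW_FTR_macros, lwsync) already produce byte counts.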
 



* [PATCH 3.16 036/366] perf: fix invalid bit in diagnostic entry
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released Ben Hutchings
                   ` (255 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hendrik Brueckner, Thomas Richter, Martin Schwidefsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Richter <tmricht@linux.ibm.com>

commit 3c0a83b14ea71fef5ccc93a3bd2de5f892be3194 upstream.

The s390 CPU measurement facility sampling mode supports basic entries
and diagnostic entries. Each entry has a valid bit to indicate the
status of the entry as valid or invalid.

This bit is bit 31 in the diagnostic entry, but the bit mask definition
refers to bit 30.

Fix this by making the reserved field one bit larger.

Fixes: 7e75fc3ff4cf ("s390/cpum_sf: Add raw data sampling to support the diagnostic-sampling function")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/cpu_mf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/include/asm/cpu_mf.h
+++ b/arch/s390/include/asm/cpu_mf.h
@@ -118,7 +118,7 @@ struct hws_basic_entry {
 
 struct hws_diag_entry {
 	unsigned int def:16;	    /* 0-15  Data Entry Format		 */
-	unsigned int R:14;	    /* 16-19 and 20-30 reserved		 */
+	unsigned int R:15;	    /* 16-19 and 20-30 reserved		 */
 	unsigned int I:1;	    /* 31 entry valid or invalid	 */
 	u8	     data[];	    /* Machine-dependent sample data	 */
 } __packed;
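
Review bot: the comment on the R field still lists two ranges, "16-19 and 20-30", for what is a single 15-bit field; "16-30 reserved" would match the declaration and make it easier to see that def, R and I now add up to 32 bits. Nothing in the header enforces that sum, and sizeof() cannot, since the old 31-bit layout also packed into 4 bytes, so the bit comments are the only check a reader has.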



* [PATCH 3.16 052/366] driver core: Don't ignore class_dir_create_and_add() failure.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 096/366] mtd: cfi_cmdset_0002: Change write buffer to check correct value Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49   ` Ben Hutchings
                   ` (294 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tetsuo Handa, Greg Kroah-Hartman, syzbot

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 84d0c27d6233a9ba0578b20f5a09701eb66cee42 upstream.

syzbot is hitting WARN() at kernfs_add_one() [1].
This is because kernfs_create_link() is confused by previous device_add()
call which continued without setting dev->kobj.parent field when
get_device_parent() failed by memory allocation fault injection.
Fix this by propagating the error from class_dir_create_and_add() to
the callers of get_device_parent().

[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+df47f81c226b31d89fb1@syzkaller.appspotmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/core.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -709,7 +709,7 @@ class_dir_create_and_add(struct class *c
 
 	dir = kzalloc(sizeof(*dir), GFP_KERNEL);
 	if (!dir)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	dir->class = class;
 	kobject_init(&dir->kobj, &class_dir_ktype);
@@ -719,7 +719,7 @@ class_dir_create_and_add(struct class *c
 	retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name);
 	if (retval < 0) {
 		kobject_put(&dir->kobj);
-		return NULL;
+		return ERR_PTR(retval);
 	}
 	return &dir->kobj;
 }
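
Review bot: class_dir_create_and_add() changes its failure value from NULL to ERR_PTR() in both error returns, but nothing at the function documents the new contract. Any caller that still tests the result with a NULL check would now treat an error pointer as a valid kobject, so every path that consumes this value through get_device_parent() has to use IS_ERR(). A one-line comment above the function stating that it never returns NULL on failure would help later backports.
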
@@ -1000,6 +1000,10 @@ int device_add(struct device *dev)
 
 	parent = get_device(dev->parent);
 	kobj = get_device_parent(dev, parent);
+	if (IS_ERR(kobj)) {
+		error = PTR_ERR(kobj);
+		goto parent_error;
+	}
 	if (kobj)
 		dev->kobj.parent = kobj;
 
@@ -1097,6 +1101,7 @@ done:
 	kobject_del(&dev->kobj);
  Error:
 	cleanup_device_parent(dev);
+parent_error:
 	if (parent)
 		put_device(parent);
 name_error:
@@ -1867,6 +1872,11 @@ int device_move(struct device *dev, stru
 	device_pm_lock();
 	new_parent = get_device(new_parent);
 	new_parent_kobj = get_device_parent(dev, new_parent);
+	if (IS_ERR(new_parent_kobj)) {
+		error = PTR_ERR(new_parent_kobj);
+		put_device(new_parent);
+		goto out;
+	}
 
 	pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev),
 		 __func__, new_parent ? dev_name(new_parent) : "<NULL>");
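
Review bot: the new error branch in device_move() leaves through `goto out` after device_pm_lock() was taken just above, and the `out` label is outside the visible context, so it is worth confirming that it calls device_pm_unlock() and drops the reference on dev. The put_device(new_parent) before the jump correctly balances the get_device(new_parent) two lines earlier.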



* [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 234/366] cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 107/366] x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
                   ` (135 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paweł Chmiel, Mark Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>

commit c1472737914fe5246a672fef6e85c9455de8473f upstream.

Since the max8998 MFD driver supports instantiation by DT, platform data
retrieval is handled in MFD probe and cell drivers should use
the pdata field of max8998_dev struct to obtain them.

Fixes: ee999fb3f17f ("mfd: max8998: Add support for Device Tree")
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/regulator/max8998.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/regulator/max8998.c
+++ b/drivers/regulator/max8998.c
@@ -309,8 +309,7 @@ static int max8998_set_voltage_buck_sel(
 					unsigned selector)
 {
 	struct max8998_data *max8998 = rdev_get_drvdata(rdev);
-	struct max8998_platform_data *pdata =
-		dev_get_platdata(max8998->iodev->dev);
+	struct max8998_platform_data *pdata = max8998->iodev->pdata;
 	struct i2c_client *i2c = max8998->iodev->i2c;
 	int buck = rdev_get_id(rdev);
 	int reg, shift = 0, mask, ret, j;
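
Review bot: pdata is now read from max8998->iodev->pdata with no NULL check in the visible lines of max8998_set_voltage_buck_sel(). The commit message says the MFD probe fills this field, so confirm that it does so on both the DT and non-DT paths before any regulator cell is registered; otherwise any use of pdata further down in this function dereferences NULL.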



* [PATCH 3.16 037/366] s390/cpum_sf: Add data entry sizes to sampling trailer entry
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 178/366] Input: elantech - fix V4 report decoding for module with middle key Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 187/366] batman-adv: Fix debugfs path for renamed hardif Ben Hutchings
                   ` (360 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hendrik Brueckner, Thomas Richter, Martin Schwidefsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Richter <tmricht@linux.ibm.com>

commit 77715b7ddb446bd39a06f3376e85f4bb95b29bb8 upstream.

The CPU Measurement sampling facility creates a trailer entry for each
Sample-Data-Block of stored samples. The trailer entry contains the sizes
(in bytes) of the stored sampling types:
 - basic-sampling data entry size
 - diagnostic-sampling data entry size
Both sizes are 2 bytes long.

This patch changes the trailer entry definition to reflect this.

Fixes: fcc77f507333 ("s390/cpum_sf: Atomically reset trailer entry fields of sample-data-blocks")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/cpu_mf.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/s390/include/asm/cpu_mf.h
+++ b/arch/s390/include/asm/cpu_mf.h
@@ -134,7 +134,9 @@ struct hws_trailer_entry {
 			unsigned int f:1;	/* 0 - Block Full Indicator   */
 			unsigned int a:1;	/* 1 - Alert request control  */
 			unsigned int t:1;	/* 2 - Timestamp format	      */
-			unsigned long long:61;	/* 3 - 63: Reserved	      */
+			unsigned int :29;	/* 3 - 31: Reserved	      */
+			unsigned int bsdes:16;	/* 32-47: size of basic SDE   */
+			unsigned int dsdes:16;	/* 48-63: size of diagnostic SDE */
 		};
 		unsigned long long flags;	/* 0 - 63: All indicators     */
 	};
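
Review bot: bsdes and dsdes are placed inside the anonymous struct that shares storage with `unsigned long long flags`, so any code that writes the whole flags word (the Fixes: commit is about resetting trailer fields atomically) now also overwrites the two size fields. Worth checking that those writers either preserve bits 32-63 or run only where the hardware rewrites the sizes. The dsdes comment also runs past the column at which the neighbouring comments close.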



* [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 308/366] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 20:17   ` Rafał Miłecki
  2018-11-11 19:49 ` [PATCH 3.16 280/366] can: dev: Consolidate and unify state change handling Ben Hutchings
                   ` (117 subsequent siblings)
  366 siblings, 1 reply; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Hauke Mehrtens, linux-mips,
	Rafał Miłecki, Chris Packham, James Hogan,
	Tokunori Ikegami

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream.

The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as
below.

  R10: PCIe Transactions Periodically Fail

    Description: The BCM5300X PCIe does not maintain transaction ordering.
                 This may cause PCIe transaction failure.
    Fix Comment: Add a dummy PCIe configuration read after a PCIe
                 configuration write to ensure PCIe configuration access
                 ordering. Set ES bit of CP0 configu7 register to enable
                 sync function so that the sync instruction is functional.
    Resolution:  hndpci.c: extpci_write_config()
                 hndmips.c: si_mips_init()
                 mipsinc.h CONF7_ES

This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX.
Also the dummy PCIe configuration read is already implemented in the
Linux BCMA driver.

Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y
too so that the sync instruction is externalised.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Paul Burton <paul.burton@mips.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Rafał Miłecki <zajec5@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/19461/
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/bcm47xx/setup.c        | 6 ++++++
 arch/mips/include/asm/mipsregs.h | 3 +++
 2 files changed, 9 insertions(+)

--- a/arch/mips/bcm47xx/setup.c
+++ b/arch/mips/bcm47xx/setup.c
@@ -253,6 +253,12 @@ static int __init bcm47xx_cpu_fixes(void
 		 */
 		if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
 			cpu_wait = NULL;
+
+		/*
+		 * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
+		 * Enable ExternalSync for sync instruction to take effect
+		 */
+		set_c0_config7(MIPS_CONF7_ES);
 		break;
 #endif
 	}
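
Review bot: set_c0_config7(MIPS_CONF7_ES) carries no condition of its own in this hunk, while the commit message describes enabling ExternalSync "when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y". Unless the enclosing #ifdef (closed by the #endif below) is that option, the bit is set for every board that reaches this BCMA case. Either the call should carry the condition, or the comment above it should say that the bit is set unconditionally and why that is safe on systems that do not use the PCIe host.
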
--- a/arch/mips/include/asm/mipsregs.h
+++ b/arch/mips/include/asm/mipsregs.h
@@ -674,6 +674,8 @@
 #define MIPS_CONF7_WII		(_ULCAST_(1) << 31)
 
 #define MIPS_CONF7_RPS		(_ULCAST_(1) << 2)
+/* ExternalSync */
+#define MIPS_CONF7_ES		(_ULCAST_(1) << 8)
 
 #define MIPS_CONF7_IAR		(_ULCAST_(1) << 10)
 #define MIPS_CONF7_AR		(_ULCAST_(1) << 16)
@@ -1817,6 +1819,7 @@ __BUILD_SET_C0(status)
 __BUILD_SET_C0(cause)
 __BUILD_SET_C0(config)
 __BUILD_SET_C0(config5)
+__BUILD_SET_C0(config7)
 __BUILD_SET_C0(intcontrol)
 __BUILD_SET_C0(intctl)
 __BUILD_SET_C0(srsmap)



* [PATCH 3.16 091/366] Btrfs: reserve space for O_TMPFILE orphan item deletion
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 255/366] string: drop __must_check from strscpy() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 223/366] x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR Ben Hutchings
                   ` (227 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Sterba, Filipe Manana, Omar Sandoval

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit 399b0bbf5f680797d3599fa14f16706ffc470145 upstream.

btrfs_link() calls btrfs_orphan_del() if it's linking an O_TMPFILE but
it doesn't reserve space to do so. Even before the removal of the
orphan_block_rsv it wasn't using it.

Fixes: ef3b9af50bfa ("Btrfs: implement inode_operations callback tmpfile")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6142,8 +6142,9 @@ static int btrfs_link(struct dentry *old
 	 * 2 items for inode and inode ref
 	 * 2 items for dir items
 	 * 1 item for parent inode
+	 * 1 item for orphan item deletion if O_TMPFILE
 	 */
-	trans = btrfs_start_transaction(root, 5);
+	trans = btrfs_start_transaction(root, inode->i_nlink ? 5 : 6);
 	if (IS_ERR(trans)) {
 		err = PTR_ERR(trans);
 		goto fail;
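
Review bot: the item count is chosen with `inode->i_nlink ? 5 : 6`, which encodes "this is an O_TMPFILE inode" as "link count is zero" without saying so at the call. The comment line added above mentions O_TMPFILE but not i_nlink. Tying the two together in the comment, or testing the same condition that guards the btrfs_orphan_del() call named in the commit message, keeps the reservation and the deletion from drifting apart.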



* [PATCH 3.16 210/366] n_tty: Access echo_* variables carefully.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (327 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 319/366] unify dentry_iput() and dentry_unlink_inode() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Ben Hutchings
                   ` (37 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Hurley, Greg Kroah-Hartman, syzbot, Tetsuo Handa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit ebec3f8f5271139df618ebdf8427e24ba102ba94 upstream.

syzbot is reporting stalls at __process_echoes() [1]. This is because
since ldata->echo_commit < ldata->echo_tail becomes true for some reason,
the discard loop is serving as an almost infinite loop. This patch tries to
avoid falling into the ldata->echo_commit < ldata->echo_tail situation by
accessing echo_* variables more carefully.

Since reset_buffer_flags() is called without output_lock held, it should
not touch echo_* variables. And omit a call to reset_buffer_flags() from
n_tty_open() by using vzalloc().

Since add_echo_byte() is called without output_lock held, it needs memory
barrier between storing into echo_buf[] and incrementing echo_head counter.
echo_buf() needs corresponding memory barrier before reading echo_buf[].
Lack of handling the possibility of not-yet-stored multi-byte operation
might be the reason of falling into ldata->echo_commit < ldata->echo_tail
situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to
echo_buf(ldata, tail + 1), the WARN_ON() fires.

Also, explicitly masking with buffer for the former "while" loop, and
use ldata->echo_commit > tail for the latter "while" loop.

[1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf40

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+108696293d7a21ab688f@syzkaller.appspotmail.com>
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_tty.c | 42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -146,6 +146,7 @@ static inline unsigned char *read_buf_ad
 
 static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i)
 {
+	smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */
 	return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)];
 }
 
@@ -347,8 +348,6 @@ static inline void put_tty_queue(unsigne
 static void reset_buffer_flags(struct n_tty_data *ldata)
 {
 	ldata->read_head = ldata->canon_head = ldata->read_tail = 0;
-	ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0;
-	ldata->echo_mark = 0;
 	ldata->line_start = 0;
 
 	ldata->erasing = 0;
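
Review bot: with the two echo_* assignments removed, reset_buffer_flags() no longer discards pending echo data, and no hunk in this patch adds a replacement reset that runs under output_lock. Callers that reset the buffers will now leave already queued echoes to be emitted afterwards. If that is intended, a comment on the function should say so; otherwise a locked echo reset is needed at those call sites.
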
@@ -669,13 +668,20 @@ static size_t __process_echoes(struct tt
 	old_space = space = tty_write_room(tty);
 
 	tail = ldata->echo_tail;
-	while (ldata->echo_commit != tail) {
+	while (MASK(ldata->echo_commit) != MASK(tail)) {
 		c = echo_buf(ldata, tail);
 		if (c == ECHO_OP_START) {
 			unsigned char op;
 			int no_space_left = 0;
 
 			/*
+			 * Since add_echo_byte() is called without holding
+			 * output_lock, we might see only portion of multi-byte
+			 * operation.
+			 */
+			if (MASK(ldata->echo_commit) == MASK(tail + 1))
+				goto not_yet_stored;
+			/*
 			 * If the buffer byte is the start of a multi-byte
 			 * operation, get the next byte, which is either the
 			 * op code or a control character value.
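
Review bot: MASK() is used in the loop condition and in the new not_yet_stored checks, but it is not defined by any hunk of this patch, and echo_buf() in the first hunk still open-codes `i & (N_TTY_BUF_SIZE - 1)`. The backport therefore only builds if an earlier patch in the series introduces the macro, and the "[bwh: Backported to 3.16: adjust context]" line would be the place to name that dependency.
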
@@ -686,6 +692,8 @@ static size_t __process_echoes(struct tt
 				unsigned int num_chars, num_bs;
 
 			case ECHO_OP_ERASE_TAB:
+				if (MASK(ldata->echo_commit) == MASK(tail + 2))
+					goto not_yet_stored;
 				num_chars = echo_buf(ldata, tail + 2);
 
 				/*
@@ -780,7 +788,8 @@ static size_t __process_echoes(struct tt
 	/* If the echo buffer is nearly full (so that the possibility exists
 	 * of echo overrun before the next commit), then discard enough
 	 * data at the tail to prevent a subsequent overrun */
-	while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
+	while (ldata->echo_commit > tail &&
+	       ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
 		if (echo_buf(ldata, tail) == ECHO_OP_START) {
 			if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB)
 				tail += 3;
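
Review bot: the added guard `ldata->echo_commit > tail` compares two free-running size_t counters by magnitude, while the rest of this function either reduces them with MASK() or relies on modular subtraction. Once echo_commit wraps past zero ahead of tail the guard is false and the discard loop is skipped, possibly while the buffer is nearly full. A comment stating why wraparound is not a concern here, or a modular form of the test, would settle it.
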
@@ -790,6 +799,7 @@ static size_t __process_echoes(struct tt
 			tail++;
 	}
 
+ not_yet_stored:
 	ldata->echo_tail = tail;
 	return old_space - space;
 }
@@ -800,6 +810,7 @@ static void commit_echoes(struct tty_str
 	size_t nr, old, echoed;
 	size_t head;
 
+	mutex_lock(&ldata->output_lock);
 	head = ldata->echo_head;
 	ldata->echo_mark = head;
 	old = ldata->echo_commit - ldata->echo_tail;
@@ -808,10 +819,12 @@ static void commit_echoes(struct tty_str
 	 * is over the threshold (and try again each time another
 	 * block is accumulated) */
 	nr = head - ldata->echo_tail;
-	if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK))
+	if (nr < ECHO_COMMIT_WATERMARK ||
+	    (nr % ECHO_BLOCK > old % ECHO_BLOCK)) {
+		mutex_unlock(&ldata->output_lock);
 		return;
+	}
 
-	mutex_lock(&ldata->output_lock);
 	ldata->echo_commit = head;
 	echoed = __process_echoes(tty);
 	mutex_unlock(&ldata->output_lock);
@@ -862,7 +875,9 @@ static void flush_echoes(struct tty_stru
 
 static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata)
 {
-	*echo_buf_addr(ldata, ldata->echo_head++) = c;
+	*echo_buf_addr(ldata, ldata->echo_head) = c;
+	smp_wmb(); /* Matches smp_rmb() in echo_buf(). */
+	ldata->echo_head++;
 }
 
 /**
@@ -1928,31 +1943,22 @@ static int n_tty_open(struct tty_struct
 	struct n_tty_data *ldata;
 
 	/* Currently a malloc failure here can panic */
-	ldata = vmalloc(sizeof(*ldata));
+	ldata = vzalloc(sizeof(*ldata));
 	if (!ldata)
-		goto err;
+		return -ENOMEM;
 
 	ldata->overrun_time = jiffies;
 	mutex_init(&ldata->atomic_read_lock);
 	mutex_init(&ldata->output_lock);
 
 	tty->disc_data = ldata;
-	reset_buffer_flags(tty->disc_data);
-	ldata->column = 0;
-	ldata->canon_column = 0;
 	ldata->minimum_to_wake = 1;
-	ldata->num_overrun = 0;
-	ldata->no_room = 0;
-	ldata->lnext = 0;
 	tty->closing = 0;
 	/* indicate buffer work may resume */
 	clear_bit(TTY_LDISC_HALTED, &tty->flags);
 	n_tty_set_termios(tty, NULL);
 	tty_unthrottle(tty);
-
 	return 0;
-err:
-	return -ENOMEM;
 }
 
 static inline int input_available_p(struct tty_struct *tty, int poll)



* [PATCH 3.16 161/366] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 303/366] virtio_balloon: fix another race between migration and ballooning Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Ben Hutchings
                   ` (187 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Joakim Tjernlund

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit f93aa8c4de307069c270b2d81741961162bead6c upstream.

do_ppb_xxlock() fails to add chip->start when querying for lock status
(and chip_ready test), which caused false status reports.
Fix that by adding adr += chip->start and adjust call sites
accordingly.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2224,8 +2224,9 @@ static int __maybe_unused do_ppb_xxlock(
 	unsigned long timeo;
 	int ret;
 
+	adr += chip->start;
 	mutex_lock(&chip->mutex);
-	ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
+	ret = get_chip(map, chip, adr, FL_LOCKING);
 	if (ret) {
 		mutex_unlock(&chip->mutex);
 		return ret;
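
Review bot: `adr += chip->start;` rewrites the function argument in place, and the actual fix lands on lines this patch does not touch (the lock-status query and chip_ready test named in the commit message), which a reader of the diff cannot see. A short comment at the assignment saying that adr is an absolute map address from there on would guard against a later change adding chip->start a second time, as the call sites edited in this patch used to.
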
@@ -2243,8 +2244,8 @@ static int __maybe_unused do_ppb_xxlock(
 
 	if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
 		chip->state = FL_LOCKING;
-		map_write(map, CMD(0xA0), chip->start + adr);
-		map_write(map, CMD(0x00), chip->start + adr);
+		map_write(map, CMD(0xA0), adr);
+		map_write(map, CMD(0x00), adr);
 	} else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
 		/*
 		 * Unlocking of one specific sector is not supported, so we
@@ -2282,7 +2283,7 @@ static int __maybe_unused do_ppb_xxlock(
 	map_write(map, CMD(0x00), chip->start);
 
 	chip->state = FL_READY;
-	put_chip(map, chip, adr + chip->start);
+	put_chip(map, chip, adr);
 	mutex_unlock(&chip->mutex);
 
 	return ret;



* [PATCH 3.16 238/366] usb: quirks: add delay quirks for Corsair Strafe
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (269 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 226/366] mm: hugetlb: yield when prepping struct pages Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 277/366] atl1c: reserve min skb headroom Ben Hutchings
                   ` (95 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Nico Sneck

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nico Sneck <snecknico@gmail.com>

commit bba57eddadda936c94b5dccf73787cb9e159d0a5 upstream.

Corsair Strafe appears to suffer from the same issues
as the Corsair Strafe RGB.
Apply the same quirks (control message delay and init delay)
that the RGB version has to 1b1c:1b15.

With these quirks in place the keyboard works correctly upon
booting the system, and no longer requires reattaching the device.

Signed-off-by: Nico Sneck <snecknico@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -228,6 +228,10 @@ static const struct usb_device_id usb_qu
 	/* Corsair K70 RGB */
 	{ USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
 
+	/* Corsair Strafe */
+	{ USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |
+	  USB_QUIRK_DELAY_CTRL_MSG },
+
 	/* Corsair Strafe RGB */
 	{ USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
 	  USB_QUIRK_DELAY_CTRL_MSG },



* [PATCH 3.16 204/366] net/mlx5: Fix incorrect raw command length parsing
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (303 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 320/366] make sure that __dentry_kill() always invalidates d_seq, unhashed or not Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting Ben Hutchings
                   ` (61 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Saeed Mahameed, Alex Vesker

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit 603b7bcff824740500ddfa001d7a7168b0b38542 upstream.

The NULL character was not set correctly for the string containing
the command length, this caused failures reading the output of the
command due to a random length. The fix is to initialize the output
length string.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -1028,7 +1028,7 @@ static ssize_t outlen_write(struct file
 {
 	struct mlx5_core_dev *dev = filp->private_data;
 	struct mlx5_cmd_debug *dbg = &dev->cmd.dbg;
-	char outlen_str[8];
+	char outlen_str[8] = {0};
 	int outlen;
 	void *ptr;
 	int err;
@@ -1043,8 +1043,6 @@ static ssize_t outlen_write(struct file
 	if (copy_from_user(outlen_str, buf, count))
 		return -EFAULT;
 
-	outlen_str[7] = 0;
-
 	err = sscanf(outlen_str, "%d", &outlen);
 	if (err < 0)
 		return err;
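
Review bot: dropping `outlen_str[7] = 0;` in favour of the `= {0}` initialiser means termination now depends on copy_from_user() writing fewer than sizeof(outlen_str) bytes. The bound on count is checked in lines between the two hunks that are not shown. If it admits count == 8, the buffer is filled with no terminator and sscanf() reads past it, so either confirm the bound is at most 7 or keep the explicit terminator as well. Separately, `if (err < 0)` accepts a sscanf() return of 0, which leaves outlen unset; testing for `!= 1` is the usual form.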



* [PATCH 3.16 114/366] branch-check: fix long->int truncation when profiling branches
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 225/366] tracing: Fix missing return symbol in function_graph output Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 110/366] IB/isert: fix T10-pi check mask setting Ben Hutchings
                   ` (216 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, Steven Rostedt (VMware), Mikulas Patocka

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.

The function __builtin_expect returns long type (see the gcc
documentation), and so do macros likely and unlikely. Unfortunately, when
CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
unlikely expand to __branch_check__ and __branch_check__ truncates the
long type to int. This unintended truncation may cause bugs in various
kernel code (we found a bug in dm-writecache because of it), so it's
better to fix __branch_check__ to return long.

Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com

Cc: Ingo Molnar <mingo@redhat.com>
Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/compiler.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -105,7 +105,7 @@ void ftrace_likely_update(struct ftrace_
 #define unlikely_notrace(x)	__builtin_expect(!!(x), 0)
 
 #define __branch_check__(x, expect) ({					\
-			int ______r;					\
+			long ______r;					\
 			static struct ftrace_branch_data		\
 				__attribute__((__aligned__(4)))		\
 				__attribute__((section("_ftrace_annotated_branch"))) \
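
Review bot: only the declaration of `______r` changes here, and the assignment into it and the `ftrace_likely_update()` call that consumes it are outside the hunk. The neighbouring `unlikely_notrace(x)` already normalises its argument with `!!(x)`, so please confirm in the 3.16 macro body which value actually reaches `______r`, and that passing a `long` to `ftrace_likely_update()` does not narrow it again. A one-line comment on the declaration saying it mirrors the `long` return type of `__builtin_expect` would keep it from being changed back.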


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 198/366] RDMA/uverbs: Protect from attempts to create flows on unsupported QP
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 291/366] cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Ben Hutchings
                   ` (221 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Noa Osherovich, syzkaller, Jason Gunthorpe

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 940efcc8889f0d15567eb07fc9fd69b06e366aa5 upstream.

Flows can be created on UD and RAW_PACKET QP types. Attempts to provide
other QP types as an input cause various unpredictable failures.

The reason is that in order to support all various types (e.g. XRC), we
are supposed to use real_qp handle and not qp handle and expect the
driver/FW to fail such (XRC) flows. The simpler and safer variant is to
ban all QP types except UD and RAW_PACKET, instead of relying on
driver/FW.

Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs")
Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2740,6 +2740,11 @@ int ib_uverbs_ex_create_flow(struct ib_u
 		goto err_uobj;
 	}
 
+	if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) {
+		err = -EINVAL;
+		goto err_put;
+	}
+
 	flow_attr = kmalloc(sizeof(*flow_attr) + cmd.flow_attr.size, GFP_KERNEL);
 	if (!flow_attr) {
 		err = -ENOMEM;
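
Review bot: the new `qp_type` test leaves through `err_put`, while the failure just above it uses `err_uobj`; the label is outside the hunk, so please confirm that `err_put` releases the QP reference taken before this point and then falls into the same cleanup. Placing the test before the `kmalloc()` is right, since nothing has been allocated yet. A short comment saying why only `IB_QPT_UD` and `IB_QPT_RAW_PACKET` are accepted would save the next reader a trip to the commit log.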


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 218/366] sched/fair: Fix bandwidth timer clock drift condition
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 067/366] scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 245/366] ARC: mm: allow mprotect to make stack mappings executable Ben Hutchings
                   ` (344 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Xunlei Pang, Peter Zijlstra (Intel),
	Ben Segall, Ingo Molnar, Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xunlei Pang <xlpang@linux.alibaba.com>

commit 512ac999d2755d2b7109e996a76b6fb8b888631d upstream.

I noticed that cgroup task groups constantly get throttled even
if they have low CPU usage, this causes some jitters on the response
time to some of our business containers when enabling CPU quotas.

It's very simple to reproduce:

  mkdir /sys/fs/cgroup/cpu/test
  cd /sys/fs/cgroup/cpu/test
  echo 100000 > cpu.cfs_quota_us
  echo $$ > tasks

then repeat:

  cat cpu.stat | grep nr_throttled  # nr_throttled will increase steadily

After some analysis, we found that cfs_rq::runtime_remaining will
be cleared by expire_cfs_rq_runtime() due to two equal but stale
"cfs_{b|q}->runtime_expires" after period timer is re-armed.

The current condition to judge clock drift in expire_cfs_rq_runtime()
is wrong, the two runtime_expires are actually the same when clock
drift happens, so this condition can never hit. The original design was
correctly done by this commit:

  a9cf55b28610 ("sched: Expire invalid runtime")

... but was changed to be the current implementation due to its locking bug.

This patch introduces another way, it adds a new field in both structures
cfs_rq and cfs_bandwidth to record the expiration update sequence, and
uses them to figure out if clock drift happens (true if they are equal).

Signed-off-by: Xunlei Pang <xlpang@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ben Segall <bsegall@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 51f2176d74ac ("sched/fair: Fix unlocked reads of some cfs_b->quota/period")
Link: http://lkml.kernel.org/r/20180620101834.24455-1-xlpang@linux.alibaba.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
 - Drop changes to other member types in struct cfs_bandwidth
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/fair.c  | 14 ++++++++------
 kernel/sched/sched.h |  6 ++++--
 2 files changed, 12 insertions(+), 8 deletions(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3143,6 +3143,7 @@ void __refill_cfs_bandwidth_runtime(stru
 	now = sched_clock_cpu(smp_processor_id());
 	cfs_b->runtime = cfs_b->quota;
 	cfs_b->runtime_expires = now + ktime_to_ns(cfs_b->period);
+	cfs_b->expires_seq++;
 }
 
 static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg)
@@ -3165,6 +3166,7 @@ static int assign_cfs_rq_runtime(struct
 	struct task_group *tg = cfs_rq->tg;
 	struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg);
 	u64 amount = 0, min_amount, expires;
+	int expires_seq;
 
 	/* note: this is a positive sum as runtime_remaining <= 0 */
 	min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining;
@@ -3190,6 +3192,7 @@ static int assign_cfs_rq_runtime(struct
 			cfs_b->idle = 0;
 		}
 	}
+	expires_seq = cfs_b->expires_seq;
 	expires = cfs_b->runtime_expires;
 	raw_spin_unlock(&cfs_b->lock);
 
@@ -3199,8 +3202,10 @@ static int assign_cfs_rq_runtime(struct
 	 * spread between our sched_clock and the one on which runtime was
 	 * issued.
 	 */
-	if ((s64)(expires - cfs_rq->runtime_expires) > 0)
+	if (cfs_rq->expires_seq != expires_seq) {
+		cfs_rq->expires_seq = expires_seq;
 		cfs_rq->runtime_expires = expires;
+	}
 
 	return cfs_rq->runtime_remaining > 0;
 }
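
Review bot: the comment kept above the rewritten `if` still describes the update in terms of the spread between sched_clocks, but the test is now `cfs_rq->expires_seq != expires_seq`; it should say that the local deadline is refreshed only when the global sequence has moved. It is also worth stating there that `expires_seq` and `expires` are sampled together under `cfs_b->lock`, since that is what keeps the pair consistent.
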
@@ -3226,12 +3231,9 @@ static void expire_cfs_rq_runtime(struct
 	 * has not truly expired.
 	 *
 	 * Fortunately we can check determine whether this the case by checking
-	 * whether the global deadline has advanced. It is valid to compare
-	 * cfs_b->runtime_expires without any locks since we only care about
-	 * exact equality, so a partial write will still work.
+	 * whether the global deadline(cfs_b->expires_seq) has advanced.
 	 */
-
-	if (cfs_rq->runtime_expires != cfs_b->runtime_expires) {
+	if (cfs_rq->expires_seq == cfs_b->expires_seq) {
 		/* extend local deadline, drift is bounded above by 2 ticks */
 		cfs_rq->runtime_expires += TICK_NSEC;
 	} else {
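
Review bot: `cfs_b->expires_seq` is read here without `cfs_b->lock`, and the sentence that justified the old lockless compare was deleted instead of being rewritten for the new field. Please keep a line explaining why an unlocked read of the sequence is acceptable in `expire_cfs_rq_runtime()`. The new wording `deadline(cfs_b->expires_seq)` also needs a space before the parenthesis.
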
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -186,6 +186,7 @@ struct cfs_bandwidth {
 	u64 quota, runtime;
 	s64 hierarchal_quota;
 	u64 runtime_expires;
+	int expires_seq;
 
 	int idle, timer_active;
 	struct hrtimer period_timer, slack_timer;
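
Review bot: `expires_seq` is a plain `int` that `__refill_cfs_bandwidth_runtime()` increments on every refill with no bound, so it will eventually wrap. The comparisons in fair.c are equality-only, which tolerates wrapping, but an unsigned type would make the wrap well-defined without relying on compiler flags. Neither struct gets a member comment saying what the counter tracks.
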
@@ -375,6 +376,7 @@ struct cfs_rq {
 
 #ifdef CONFIG_CFS_BANDWIDTH
 	int runtime_enabled;
+	int expires_seq;
 	u64 runtime_expires;
 	s64 runtime_remaining;
 


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 054/366] staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 065/366] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Ben Hutchings
                   ` (180 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Thierry Reding, Andy Shevchenko

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 1d375b58c12f08d8570b30b865def4734517f04f upstream.

On some devices the contents of the ctrl register get lost over a
suspend/resume and the PWM comes back up disabled after the resume.

This is seen on some Bay Trail devices with the PWM in ACPI enumerated
mode, so it shows up as a platform device instead of a PCI device.

If we still think it is enabled and then try to change the duty-cycle
after this, we end up with a "PWM_SW_UPDATE was not cleared" error and
the PWM is stuck in that state from then on.

This commit adds suspend and resume pm callbacks to the pwm-lpss-platform
code, which save/restore the ctrl register over a suspend/resume, fixing
this.

Note that:

1) There is no need to do this over a runtime suspend, since we
only runtime suspend when disabled and then we properly set the enable
bit and reprogram the timings when we re-enable the PWM.

2) This may be happening on more systems than we realize, but has been
covered up so far by a bug in the acpi-lpss.c code which was save/restoring
the regular device registers instead of the lpss private registers due to
lpss_device_desc.prv_offset not being set. This is fixed by a later patch
in this series.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
[bwh: Backported to 3.16:
 - pwm-lpss is a single module, so make the new functions static
 - Only one PWM per chip is supported; remove the npwm assertion and loops
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/pwm/pwm-lpss.c
+++ b/drivers/pwm/pwm-lpss.c
@@ -39,6 +39,7 @@ struct pwm_lpss_chip {
 	void __iomem *regs;
 	struct clk *clk;
 	unsigned long clk_rate;
+	u32 saved_ctrl;
 };
 
 struct pwm_lpss_boardinfo {
@@ -177,6 +178,24 @@ static int pwm_lpss_remove(struct pwm_lp
 	return pwmchip_remove(&lpwm->chip);
 }
 
+static int pwm_lpss_suspend(struct device *dev)
+{
+	struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
+
+	lpwm->saved_ctrl = readl(lpwm->regs + PWM);
+
+	return 0;
+}
+
+static int pwm_lpss_resume(struct device *dev)
+{
+	struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
+
+	writel(lpwm->saved_ctrl, lpwm->regs + PWM);
+
+	return 0;
+}
+
 static int pwm_lpss_probe_pci(struct pci_dev *pdev,
 			      const struct pci_device_id *id)
 {
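
Review bot: `pwm_lpss_suspend()` and `pwm_lpss_resume()` are `static` and referenced only through `SIMPLE_DEV_PM_OPS`, which drops its arguments when CONFIG_PM_SLEEP is disabled, so such a build gets defined-but-unused warnings. Wrap the two functions in `#ifdef CONFIG_PM_SLEEP` or mark them `__maybe_unused`. The resume path writes `saved_ctrl` back unconditionally; a comment noting that the field is only ever consumed after a suspend has filled it would help.
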
@@ -241,6 +260,10 @@ static int pwm_lpss_remove_platform(stru
 	return pwm_lpss_remove(lpwm);
 }
 
+static SIMPLE_DEV_PM_OPS(pwm_lpss_platform_pm_ops,
+			 pwm_lpss_suspend,
+			 pwm_lpss_resume);
+
 static const struct acpi_device_id pwm_lpss_acpi_match[] = {
 	{ "80860F09", 0 },
 	{ },
@@ -251,6 +274,7 @@ static struct platform_driver pwm_lpss_d
 	.driver = {
 		.name = "pwm-lpss",
 		.acpi_match_table = pwm_lpss_acpi_match,
+		.pm = &pwm_lpss_platform_pm_ops,
 	},
 	.probe = pwm_lpss_probe_platform,
 	.remove = pwm_lpss_remove_platform,


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 109/366] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 342/366] clk: si5351: Constify clock names and struct regmap_config Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 260/366] drm: re-enable error handling Ben Hutchings
                   ` (336 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Srinivas Kandagatla

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit ff2faf1289c1f81b5b26b9451dd1c2006aac8db8 upstream.

dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
paths pointer dangling in the list.

This leads to system crash when we try to unload and reload sound card.
I hit this bug during ADSP crash/reboot test case on Dragon board DB410c.

Without this patch, on SLAB Poisoning enabled build, kernel crashes with
"BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten"

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/soc-dapm.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -254,6 +254,8 @@ static int dapm_kcontrol_data_alloc(stru
 static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
 {
 	struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
+
+	list_del(&data->paths);
 	kfree(data->wlist);
 	kfree(data);
 }
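
Review bot: the added `list_del(&data->paths)` has no comment, and from the hunk alone it is not clear what else is still linked through `paths` at the time the kcontrol data is freed. One line saying that the remaining list members live in objects that outlive `data`, which is why it must be unlinked before `kfree(data)`, would make the ordering requirement explicit for anyone reshuffling this function later.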


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 036/366] perf: fix invalid bit in diagnostic entry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 050/366] 1wire: family module autoload fails because of upper/lower case mismatch Ben Hutchings
                   ` (254 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joe Habermann, Lukas Czerner, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lczerner@redhat.com>

commit eee597ac931305eff3d3fd1d61d6aae553bc0984 upstream.

Currently in ext4_punch_hole we're going to skip the mtime update if
there are no actual blocks to release. However we've actually modified
the file by zeroing the partial block so the mtime should be updated.

Moreover the sync and datasync handling is skipped as well, which is
also wrong. Fix it.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Joe Habermann <joe.habermann@quantum.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3749,28 +3749,28 @@ int ext4_punch_hole(struct inode *inode,
 		EXT4_BLOCK_SIZE_BITS(sb);
 	stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
 
-	/* If there are no blocks to remove, return now */
-	if (first_block >= stop_block)
-		goto out_stop;
-
-	down_write(&EXT4_I(inode)->i_data_sem);
-	ext4_discard_preallocations(inode);
-
-	ret = ext4_es_remove_extent(inode, first_block,
-				    stop_block - first_block);
-	if (ret) {
-		up_write(&EXT4_I(inode)->i_data_sem);
-		goto out_stop;
-	}
+	/* If there are blocks to remove, do it */
+	if (stop_block > first_block) {
+
+		down_write(&EXT4_I(inode)->i_data_sem);
+		ext4_discard_preallocations(inode);
 
-	if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
-		ret = ext4_ext_remove_space(inode, first_block,
-					    stop_block - 1);
-	else
-		ret = ext4_ind_remove_space(handle, inode, first_block,
-					    stop_block);
+		ret = ext4_es_remove_extent(inode, first_block,
+					    stop_block - first_block);
+		if (ret) {
+			up_write(&EXT4_I(inode)->i_data_sem);
+			goto out_stop;
+		}
+
+		if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+			ret = ext4_ext_remove_space(inode, first_block,
+						    stop_block - 1);
+		else
+			ret = ext4_ind_remove_space(handle, inode, first_block,
+						    stop_block);
 
-	up_write(&EXT4_I(inode)->i_data_sem);
+		up_write(&EXT4_I(inode)->i_data_sem);
+	}
 	if (IS_SYNC(inode))
 		ext4_handle_sync(handle);
 
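
Review bot: `ret` from `ext4_ext_remove_space()` / `ext4_ind_remove_space()` is not tested before the new block closes, so a failed removal falls through to the `IS_SYNC` handling exactly like a successful one; please confirm that the code following this hunk checks it before the timestamps are updated. Style: the blank `+` line directly after `if (stop_block > first_block) {` should go, and the early `goto out_stop` inside the block deserves a comment that skipping the mtime update is intended on that error.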


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 186/366] batman-adv: debugfs, avoid compiling for !DEBUG_FS
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (168 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 261/366] MIPS: Fix off-by-one in pci_resource_to_user() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 244/366] ext4: fix inline data updates with checksums enabled Ben Hutchings
                   ` (196 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Markus Pargmann, Marek Lindner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Markus Pargmann <mpa@pengutronix.de>

commit 9bb218828c8f4fa6587af93e248903c96ce469d0 upstream.

Normally the debugfs framework will return error pointer with -ENODEV
for function calls when DEBUG_FS is not set.

batman does not notice this error code and continues trying to create
debugfs files and executes more code. We can avoid this code execution
by disabling compiling debugfs.c when DEBUG_FS is not set.

Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/Makefile  |  2 +-
 net/batman-adv/debugfs.c |  8 --------
 net/batman-adv/debugfs.h | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 9 deletions(-)

--- a/net/batman-adv/Makefile
+++ b/net/batman-adv/Makefile
@@ -20,7 +20,7 @@ obj-$(CONFIG_BATMAN_ADV) += batman-adv.o
 batman-adv-y += bat_iv_ogm.o
 batman-adv-y += bitarray.o
 batman-adv-$(CONFIG_BATMAN_ADV_BLA) += bridge_loop_avoidance.o
-batman-adv-y += debugfs.o
+batman-adv-$(CONFIG_DEBUG_FS) += debugfs.o
 batman-adv-$(CONFIG_BATMAN_ADV_DAT) += distributed-arp-table.o
 batman-adv-y += fragmentation.o
 batman-adv-y += gateway_client.o
--- a/net/batman-adv/debugfs.c
+++ b/net/batman-adv/debugfs.c
@@ -482,11 +482,7 @@ rem_attr:
 	debugfs_remove_recursive(hard_iface->debug_dir);
 	hard_iface->debug_dir = NULL;
 out:
-#ifdef CONFIG_DEBUG_FS
 	return -ENOMEM;
-#else
-	return 0;
-#endif /* CONFIG_DEBUG_FS */
 }
 
 /**
@@ -541,11 +537,7 @@ rem_attr:
 	debugfs_remove_recursive(bat_priv->debug_dir);
 	bat_priv->debug_dir = NULL;
 out:
-#ifdef CONFIG_DEBUG_FS
 	return -ENOMEM;
-#else
-	return 0;
-#endif /* CONFIG_DEBUG_FS */
 }
 
 void batadv_debugfs_del_meshif(struct net_device *dev)
--- a/net/batman-adv/debugfs.h
+++ b/net/batman-adv/debugfs.h
@@ -20,6 +20,8 @@
 
 #define BATADV_DEBUGFS_SUBDIR "batman_adv"
 
+#if IS_ENABLED(CONFIG_DEBUG_FS)
+
 void batadv_debugfs_init(void);
 void batadv_debugfs_destroy(void);
 int batadv_debugfs_add_meshif(struct net_device *dev);
@@ -27,4 +29,36 @@ void batadv_debugfs_del_meshif(struct ne
 int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
 void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface);
 
+#else
+
+static inline void batadv_debugfs_init(void)
+{
+}
+
+static inline void batadv_debugfs_destroy(void)
+{
+}
+
+static inline int batadv_debugfs_add_meshif(struct net_device *dev)
+{
+	return 0;
+}
+
+static inline void batadv_debugfs_del_meshif(struct net_device *dev)
+{
+}
+
+static inline
+int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface)
+{
+	return 0;
+}
+
+static inline
+void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface)
+{
+}
+
+#endif
+
 #endif /* _NET_BATMAN_ADV_DEBUGFS_H_ */
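
Review bot: the bare `#endif` that closes the `#if IS_ENABLED(CONFIG_DEBUG_FS)` block sits directly above the include guard's `#endif`, so it should carry a `/* CONFIG_DEBUG_FS */` comment like the ones removed from debugfs.c. The `#else` stubs for `batadv_debugfs_add_meshif()` and `batadv_debugfs_add_hardif()` return 0, which preserves the old `return 0` behaviour for callers when debugfs is off; a one-line comment above the stubs saying so would document that the success return is deliberate.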


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (306 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 042/366] powerpc/lib: Fix the feature fixup tests to actually work Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 131/366] backlight: max8925_bl: Fix Device Tree node lookup Ben Hutchings
                   ` (58 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Morris, Maciej S. Szmigiero

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>

commit b65c32ec5a942ab3ada93a048089a938918aba7f upstream.

The signatureValue field of a X.509 certificate is encoded as a BIT STRING.
For RSA signatures this BIT STRING is of so-called primitive subtype, which
contains a u8 prefix indicating a count of unused bits in the encoding.

We have to strip this prefix from signature data, just as we already do for
key data in x509_extract_key_data() function.

This wasn't noticed earlier because this prefix byte is zero for RSA key
sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero
prefixes has no bearing on its value.

The signature length, however was incorrect, which is a problem for RSA
implementations that need it to be exactly correct (like AMD CCP).

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 certificates")
Signed-off-by: James Morris <james.morris@microsoft.com>
[bwh: Backported to 3.16:
 - x509_certificate::sig is a structure, not a pointer
 - public_key_signature::pkey_algo is an enumeration type, not a string]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -205,6 +205,15 @@ int x509_note_signature(void *context, s
 		return -EINVAL;
 	}
 
+	if (ctx->cert->sig.pkey_algo == PKEY_ALGO_RSA) {
+		/* Discard the BIT STRING metadata */
+		if (vlen < 1 || *(const u8 *)value != 0)
+			return -EBADMSG;
+
+		value++;
+		vlen--;
+	}
+
 	ctx->cert->raw_sig = value;
 	ctx->cert->raw_sig_size = vlen;
 	return 0;
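
Review bot: `vlen < 1` admits `vlen == 1`, so a BIT STRING that holds nothing but the prefix octet leaves `raw_sig_size` at 0 and still returns success; either reject that case here or confirm that every consumer of `raw_sig` refuses an empty signature. The comment `Discard the BIT STRING metadata` could also say that a non-zero unused-bits count is rejected with -EBADMSG, since that is the part of the check a reader is likely to question.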


^ permalink raw reply	[flat|nested] 380+ messages in thread
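
The BIT STRING layout described in the commit message above, as an added C example that is not part of the patch or of the kernel sources: it reads one DER BIT STRING, separates the unused-bits prefix octet from the payload, and applies the same zero-prefix rule to a constructed signature of 128 octets. The type, function and error names are hypothetical, the sample bytes are constructed filler, and rejecting an empty payload is an extra check of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes local to this example; the kernel hunk returns -EBADMSG. */
enum { BS_OK = 0, BS_TRUNCATED = -1, BS_NOT_BIT_STRING = -2,
       BS_BAD_LENGTH = -3, BS_BAD_UNUSED_BITS = -4 };

struct bit_string {
	size_t content_len;     /* content octets, prefix octet included */
	uint8_t unused_bits;    /* value of the prefix octet */
	const uint8_t *bits;    /* payload that follows the prefix octet */
	size_t bits_len;        /* content_len - 1 */
};

/* Parse one DER TLV and require a primitive BIT STRING (tag 0x03). */
static int der_read_bit_string(const uint8_t *der, size_t der_len,
			       struct bit_string *out)
{
	size_t pos = 0, len, nlen, i;

	if (der_len < 2)
		return BS_TRUNCATED;
	if (der[pos++] != 0x03)
		return BS_NOT_BIT_STRING;

	len = der[pos++];
	if (len & 0x80) {                       /* long-form length */
		nlen = len & 0x7f;
		if (nlen == 0 || nlen > sizeof(size_t))
			return BS_BAD_LENGTH;   /* indefinite or oversized */
		if (der_len - pos < nlen)
			return BS_TRUNCATED;
		if (der[pos] == 0)
			return BS_BAD_LENGTH;   /* DER forbids padded lengths */
		for (len = 0, i = 0; i < nlen; i++)
			len = (len << 8) | der[pos++];
		if (len < 0x80)
			return BS_BAD_LENGTH;   /* short form was required */
	}
	if (len < 1)
		return BS_BAD_LENGTH;           /* no room for the prefix octet */
	if (der_len - pos < len)
		return BS_TRUNCATED;
	if (der[pos] > 7 || (len == 1 && der[pos] != 0))
		return BS_BAD_UNUSED_BITS;

	out->content_len = len;
	out->unused_bits = der[pos];
	out->bits = der + pos + 1;
	out->bits_len = len - 1;
	return BS_OK;
}

/* RSA rule from the hunk: the prefix octet must be 0 and is not part of the
 * signature. Refusing an empty payload is this example's own addition. */
static int rsa_sig_from_bit_string(const struct bit_string *bs,
				   const uint8_t **sig, size_t *sig_len)
{
	if (bs->unused_bits != 0)
		return BS_BAD_UNUSED_BITS;
	if (bs->bits_len == 0)
		return BS_BAD_LENGTH;
	*sig = bs->bits;
	*sig_len = bs->bits_len;
	return BS_OK;
}

/* Constructed sample: a BIT STRING wrapping sig_len filler octets (0xAB). */
static size_t build_sample(uint8_t *buf, size_t cap, size_t sig_len,
			   uint8_t prefix)
{
	size_t content = sig_len + 1, pos = 0;

	if (content > 0xffff || cap < content + 4)
		return 0;
	buf[pos++] = 0x03;
	if (content >= 0x100) {
		buf[pos++] = 0x82;
		buf[pos++] = (uint8_t)(content >> 8);
	} else if (content >= 0x80) {
		buf[pos++] = 0x81;
	}
	buf[pos++] = (uint8_t)content;
	buf[pos++] = prefix;
	memset(buf + pos, 0xAB, sig_len);
	return pos + sig_len;
}

int main(void)
{
	uint8_t der[300];
	struct bit_string bs;
	const uint8_t *sig;
	size_t sig_len, n = build_sample(der, sizeof(der), 128, 0);

	if (der_read_bit_string(der, n, &bs) != BS_OK ||
	    rsa_sig_from_bit_string(&bs, &sig, &sig_len) != BS_OK)
		return 1;
	printf("content octets: %zu, signature octets: %zu\n",
	       bs.content_len, sig_len);
	return 0;
}
```

The one-octet difference between the two lengths printed by `main()` is the length error the commit message refers to.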

* [PATCH 3.16 211/366] tty: vt, remove reduntant check
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 274/366] fat: fix memory allocation failure handling of match_strdup() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 061/366] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Ben Hutchings
                   ` (356 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jiri Slaby, Fugang Duan, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 182846a00f489849c55d113954f0c4a8a286ca39 upstream.

MAX_NR_CONSOLES and MAX_NR_USER_CONSOLES are both 63 since they were
introduced in 1.1.54. And since vc_allocate does:

if (currcons >= MAX_NR_CONSOLES)
	return -ENXIO;

if (!vc_cons[currcons].d) {
	if (currcons >= MAX_NR_USER_CONSOLES && !capable(CAP_SYS_RESOURCE))
		return -EPERM;
}

the second check is pointless. Remove both the check and the macro
MAX_NR_USER_CONSOLES.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c     | 4 ----
 include/uapi/linux/vt.h | 1 -
 2 files changed, 5 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -760,10 +760,6 @@ int vc_allocate(unsigned int currcons)	/
 	    struct vc_data *vc;
 	    struct vt_notifier_param param;
 
-	    /* prevent users from taking too much memory */
-	    if (currcons >= MAX_NR_USER_CONSOLES && !capable(CAP_SYS_RESOURCE))
-	      return -EPERM;
-
 	    /* due to the granularity of kmalloc, we waste some memory here */
 	    /* the alloc is done in two steps, to optimize the common situation
 	       of a 25x80 console (structsize=216, screenbuf_size=4000) */
--- a/include/uapi/linux/vt.h
+++ b/include/uapi/linux/vt.h
@@ -8,7 +8,6 @@
  */
 #define MIN_NR_CONSOLES 1       /* must be at least 1 */
 #define MAX_NR_CONSOLES	63	/* serial lines start at 64 */
-#define MAX_NR_USER_CONSOLES 63	/* must be root to allocate above this */
 		/* Note: the ioctl VT_GETSTATE does not work for
 		   consoles 16 and higher (since it returns a short) */
 
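
Review bot: `MAX_NR_USER_CONSOLES` is defined in a uapi header, so deleting it can break the build of any userspace program that still references the macro, which is a larger change than a stable backport usually carries. Consider leaving the define in place with a comment that the kernel no longer uses it. The commit message's argument only holds while both limits are 63, so the remaining `MAX_NR_CONSOLES` line is the one that now carries the whole bound.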


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 132/366] backlight: tps65217_bl: Fix Device Tree node lookup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (347 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 237/366] xhci: xhci-mem: off by one in xhci_stream_id_to_ring() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 034/366] spi: pxa2xx: check clk_prepare_enable() return value Ben Hutchings
                   ` (17 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Daniel Thompson, Lee Jones

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

This would only cause trouble if the child node is missing while there
is an unrelated node named "backlight" elsewhere in the tree.

Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/tps65217_bl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/video/backlight/tps65217_bl.c
+++ b/drivers/video/backlight/tps65217_bl.c
@@ -190,11 +190,11 @@ static struct tps65217_bl_pdata *
 tps65217_bl_parse_dt(struct platform_device *pdev)
 {
 	struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
-	struct device_node *node = of_node_get(tps->dev->of_node);
+	struct device_node *node;
 	struct tps65217_bl_pdata *pdata, *err;
 	u32 val;
 
-	node = of_find_node_by_name(node, "backlight");
+	node = of_get_child_by_name(tps->dev->of_node, "backlight");
 	if (!node)
 		return ERR_PTR(-ENODEV);
 
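
Review bot: `of_get_child_by_name()` hands back `node` with its reference count raised, and the hunk ends before any exit path of `tps65217_bl_parse_dt()` beyond the `!node` return, so please check that every later return, error or success, does an `of_node_put(node)`. Dropping the old `of_node_get(tps->dev->of_node)` is consistent with the new lookup, since the parent is now only passed in and not consumed.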


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 214/366] s390/qeth: don't clobber buffer on async TX completion
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 243/366] ARC: Fix CONFIG_SWAP Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 248/366] skbuff: Unconditionally copy pfmemalloc in __skb_clone() Ben Hutchings
                   ` (262 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Julian Wiedmann

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.ibm.com>

commit ce28867fd20c23cd769e78b4d619c4755bf71a1c upstream.

If qeth_qdio_output_handler() detects that a transmit requires async
completion, it replaces the pending buffer's metadata object
(qeth_qdio_out_buffer) so that this queue buffer can be re-used while
the data is pending completion.

Later when the CQ indicates async completion of such a metadata object,
qeth_qdio_cq_handler() tries to free any data associated with this
object (since HW has now completed the transfer). By calling
qeth_clear_output_buffer(), it erroneously operates on the queue buffer
that _previously_ belonged to this transfer ... but which has been
potentially re-used several times by now.
This results in double-free's of the buffer's data, and failing
transmits as the buffer descriptor is scrubbed in mid-air.

The correct way of handling this situation is to
1. scrub the queue buffer when it is prepared for re-use, and
2. later obtain the data addresses from the async-completion notifier
   (ie. the AOB), instead of the queue buffer.

All this only affects qeth devices used for af_iucv HiperTransport.

Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_core.h      | 11 +++++++++++
 drivers/s390/net/qeth_core_main.c | 22 ++++++++++++++++------
 2 files changed, 27 insertions(+), 6 deletions(-)

--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -844,6 +844,17 @@ struct qeth_trap_id {
 /*some helper functions*/
 #define QETH_CARD_IFNAME(card) (((card)->dev)? (card)->dev->name : "")
 
+static inline void qeth_scrub_qdio_buffer(struct qdio_buffer *buf,
+					  unsigned int elements)
+{
+	unsigned int i;
+
+	for (i = 0; i < elements; i++)
+		memset(&buf->element[i], 0, sizeof(struct qdio_buffer_element));
+	buf->element[14].sflags = 0;
+	buf->element[15].sflags = 0;
+}
+
 static inline struct qeth_card *CARD_FROM_CDEV(struct ccw_device *cdev)
 {
 	struct qeth_card *card = dev_get_drvdata(&((struct ccwgroup_device *)
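
Review bot: `qeth_scrub_qdio_buffer()` hard-codes `buf->element[14]` and `buf->element[15]` after a loop bounded by the caller-supplied `elements`, with no comment on why those two slots are special. If `elements` is 16 the two assignments repeat what the `memset()` already did, and if it is smaller they reach past the range the caller asked to scrub, so either case needs a line of explanation or named constants for the indices.
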
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -65,9 +65,6 @@ static void qeth_notify_skbs(struct qeth
 		struct qeth_qdio_out_buffer *buf,
 		enum iucv_tx_notify notification);
 static void qeth_release_skbs(struct qeth_qdio_out_buffer *buf);
-static void qeth_clear_output_buffer(struct qeth_qdio_out_q *queue,
-		struct qeth_qdio_out_buffer *buf,
-		enum qeth_qdio_buffer_states newbufstate);
 static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *, int);
 
 struct workqueue_struct *qeth_wq;
@@ -451,6 +448,7 @@ static inline void qeth_qdio_handle_aob(
 	struct qaob *aob;
 	struct qeth_qdio_out_buffer *buffer;
 	enum iucv_tx_notify notification;
+	unsigned int i;
 
 	aob = (struct qaob *) phys_to_virt(phys_aob_addr);
 	QETH_CARD_TEXT(card, 5, "haob");
@@ -475,10 +473,18 @@ static inline void qeth_qdio_handle_aob(
 	qeth_notify_skbs(buffer->q, buffer, notification);
 
 	buffer->aob = NULL;
-	qeth_clear_output_buffer(buffer->q, buffer,
-				 QETH_QDIO_BUF_HANDLED_DELAYED);
+	/* Free dangling allocations. The attached skbs are handled by
+	 * qeth_cleanup_handled_pending().
+	 */
+	for (i = 0;
+	     i < aob->sb_count && i < QETH_MAX_BUFFER_ELEMENTS(card);
+	     i++) {
+		if (aob->sba[i] && buffer->is_header[i])
+			kmem_cache_free(qeth_core_header_cache,
+					(void *) aob->sba[i]);
+	}
+	atomic_set(&buffer->state, QETH_QDIO_BUF_HANDLED_DELAYED);
 
-	/* from here on: do not touch buffer anymore */
 	qdio_release_aob(aob);
 }
 
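Review bot: the new free loop leaves buffer->is_header[i] set and aob->sba[i] pointing at the freed object after kmem_cache_free(). If any later pass over this buffer (the comment names qeth_cleanup_handled_pending()) also consults is_header[], the same header would be freed a second time, so clearing is_header[i] inside the loop, or stating in the comment that no later path looks at it, would settle that. The hunk also drops the "from here on: do not touch buffer anymore" comment while keeping atomic_set() ahead of qdio_release_aob(); if that ordering still matters it deserves a replacement comment.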
@@ -3635,6 +3641,10 @@ void qeth_qdio_output_handler(struct ccw
 			QETH_CARD_TEXT(queue->card, 5, "aob");
 			QETH_CARD_TEXT_(queue->card, 5, "%lx",
 					virt_to_phys(buffer->aob));
+
+			/* prepare the queue slot for re-use: */
+			qeth_scrub_qdio_buffer(buffer->buffer,
+					       QETH_MAX_BUFFER_ELEMENTS(card));
 			if (qeth_init_qdio_out_buf(queue, bidx)) {
 				QETH_CARD_TEXT(card, 2, "outofbuf");
 				qeth_schedule_recovery(card);



* [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 059/366] media: smiapp: fix timeout checking in smiapp_read_nvm Ben Hutchings
                   ` (200 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 96d9270499471545048ed8a6d7f425a49762283d upstream.

get_device() and its internally used kobject_get() only return NULL if they
get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
adapter->port_list so the iteration variable port is always non-NULL.
Struct device is embedded in struct zfcp_port so &port->dev is always
non-NULL. This is the argument to get_device().  However, if we get an
fc_rport in terminate_rport_io() for which we cannot find a match within
zfcp_get_port_by_wwpn(), the latter can return NULL.  v2.6.30 commit
70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an
early return without adding a trace record for this case.  Even if we don't
need recovery in this case, for debugging we should still see that our
callback was invoked originally by scsi_transport_fc.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : sctrpin        SCSI terminate rport I/O, no zfcp port
LUN            : 0xffffffffffffffff                     none (invalid)
WWPN           : 0x<wwpn>               WWPN
D_ID           : 0x<n_port_id>          N_Port-ID
Adapter status : 0x...
Port status    : 0xffffffff             unknown (-1)
LUN status     : 0x00000000                             none (invalid)
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears")
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c  | 20 ++++++++++++++++++++
 drivers/s390/scsi/zfcp_ext.h  |  3 +++
 drivers/s390/scsi/zfcp_scsi.c |  5 +++++
 3 files changed, 28 insertions(+)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -282,6 +282,26 @@ static int zfcp_erp_action_enqueue(int w
 	return retval;
 }
 
+void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
+				      u64 port_name, u32 port_id)
+{
+	unsigned long flags;
+	static /* don't waste stack */ struct zfcp_port tmpport;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	/* Stand-in zfcp port with fields just good enough for
+	 * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
+	 * Under lock because tmpport is static.
+	 */
+	atomic_set(&tmpport.status, -1); /* unknown */
+	tmpport.wwpn = port_name;
+	tmpport.d_id = port_id;
+	zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
+			  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+			  ZFCP_ERP_ACTION_NONE);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
 				    int clear_mask, char *id)
 {
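Review bot: tmpport in zfcp_erp_port_forced_no_port_dbf() is a function-level static shared by every adapter, but the lock taken around it is the per-adapter adapter->erp_lock, so the comment "Under lock because tmpport is static" only holds for callers on the same adapter. Two adapters reaching this path at the same time can interleave their writes to tmpport.wwpn and tmpport.d_id and trace a mismatched pair; either explain why that is acceptable for a debug record or protect tmpport with something that is not per adapter.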
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -58,6 +58,9 @@ extern void zfcp_dbf_scsi_eh(char *tag,
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
 extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
+extern void zfcp_erp_port_forced_no_port_dbf(char *id,
+					     struct zfcp_adapter *adapter,
+					     u64 port_name, u32 port_id);
 extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -624,6 +624,11 @@ static void zfcp_scsi_terminate_rport_io
 	if (port) {
 		zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
 		put_device(&port->dev);
+	} else {
+		zfcp_erp_port_forced_no_port_dbf(
+			"sctrpin", adapter,
+			rport->port_name /* zfcp_scsi_rport_register */,
+			rport->port_id /* zfcp_scsi_rport_register */);
 	}
 }
 



* [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 119/366] rtnetlink: validate attributes in do_setlink() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 035/366] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Ben Hutchings
                   ` (339 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andreas Dilger, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit eb9b5f01c33adebc31cbc236c02695f605b0e417 upstream.

If ext4_find_inline_data_nolock() returns an error it needs to get
reflected up to ext4_iget().  In order to fix this,
ext4_iget_extra_inode() needs to return an error (and not return
void).

This is related to "ext4: do not allow external inodes for inline
data" (which fixes CVE-2018-11412) in that in the errors=continue
case, it would be useful for userspace to receive an error
indicating that the file system is corrupted.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4159,19 +4159,21 @@ static blkcnt_t ext4_inode_blocks(struct
 	}
 }
 
-static inline void ext4_iget_extra_inode(struct inode *inode,
+static inline int ext4_iget_extra_inode(struct inode *inode,
 					 struct ext4_inode *raw_inode,
 					 struct ext4_inode_info *ei)
 {
 	__le32 *magic = (void *)raw_inode +
 			EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
+
 	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
 	    EXT4_INODE_SIZE(inode->i_sb) &&
 	    *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
 		ext4_set_inode_state(inode, EXT4_STATE_XATTR);
-		ext4_find_inline_data_nolock(inode);
+		return ext4_find_inline_data_nolock(inode);
 	} else
 		EXT4_I(inode)->i_inline_off = 0;
+	return 0;
 }
 
 struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
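Review bot: in ext4_iget_extra_inode() the braced if branch now returns from inside while the unbraced else falls through to the new "return 0;", which makes the two exits easy to misread. Bracing the else as well, or storing the result of ext4_find_inline_data_nolock() in a local and returning once at the end, would match kernel brace style and make it obvious that only the xattr path can fail.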
@@ -4331,7 +4333,9 @@ struct inode *ext4_iget(struct super_blo
 			ei->i_extra_isize = sizeof(struct ext4_inode) -
 					    EXT4_GOOD_OLD_INODE_SIZE;
 		} else {
-			ext4_iget_extra_inode(inode, raw_inode, ei);
+			ret = ext4_iget_extra_inode(inode, raw_inode, ei);
+			if (ret)
+				goto bad_inode;
 		}
 	}
 



* [PATCH 3.16 130/366] backlight: as3711_bl: Fix Device Tree node lookup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 174/366] xen-netfront: Update features after registering netdev Ben Hutchings
                   ` (164 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lee Jones, Daniel Thompson, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed.

Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/as3711_bl.c | 33 ++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 10 deletions(-)

--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -262,10 +262,10 @@ static int as3711_bl_register(struct pla
 static int as3711_backlight_parse_dt(struct device *dev)
 {
 	struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
-	struct device_node *bl =
-		of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
+	struct device_node *bl, *fb;
 	int ret;
 
+	bl = of_get_child_by_name(dev->parent->of_node, "backlight");
 	if (!bl) {
 		dev_dbg(dev, "backlight node not found\n");
 		return -ENODEV;
@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(str
 		if (pdata->su1_max_uA <= 0)
 			ret = -EINVAL;
 		if (ret < 0)
-			return ret;
+			goto err_put_bl;
 	}
 
 	fb = of_parse_phandle(bl, "su2-dev", 0);
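Review bot: the error paths now release bl, but the fb reference taken by of_parse_phandle() on the context line that closes this hunk has no matching of_node_put() on any path shown in the patch. If the node is kept on purpose, a comment where it is stored should say who owns it; otherwise the new err_put_bl unwinding should drop it as well.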
@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(str
 		if (pdata->su2_max_uA <= 0)
 			ret = -EINVAL;
 		if (ret < 0)
-			return ret;
+			goto err_put_bl;
 
 		if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
 			pdata->su2_feedback = AS3711_SU2_VOLTAGE;
@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(str
 			pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
 			count++;
 		}
-		if (count != 1)
-			return -EINVAL;
+		if (count != 1) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 
 		count = 0;
 		if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(str
 			pdata->su2_fbprot = AS3711_SU2_GPIO4;
 			count++;
 		}
-		if (count != 1)
-			return -EINVAL;
+		if (count != 1) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 
 		count = 0;
 		if (of_find_property(bl, "su2-auto-curr1", NULL)) {
@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(str
 		 * At least one su2-auto-curr* must be specified iff
 		 * AS3711_SU2_CURR_AUTO is used
 		 */
-		if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
-			return -EINVAL;
+		if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 	}
 
+	of_node_put(bl);
+
 	return 0;
+
+err_put_bl:
+	of_node_put(bl);
+
+	return ret;
 }
 
 static int as3711_backlight_probe(struct platform_device *pdev)
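Review bot: the success path and the err_put_bl label both end in of_node_put(bl) followed by a return, so the function now carries two copies of its cleanup. Setting ret = 0 before a single out_put_bl label and returning ret once would keep the put in one place. Separately, the condition "!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)" is carried over unchanged and is hard to read; comparing the two booleans with != would say the same thing.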



* [PATCH 3.16 127/366] fs/binfmt_misc.c: do not allow offset overflow
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 184/366] vhost_net: validate sock before trying to put its fd Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 012/366] media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS Ben Hutchings
                   ` (274 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Thadeu Lima de Souza Cascardo, Alexander Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.

When registering a new binfmt_misc handler, it is possible to overflow
the offset to get a negative value, which might crash the system, or
possibly leak kernel data.

Here is a crash log when 2500000000 was used as an offset:

  BUG: unable to handle kernel paging request at ffff989cfd6edca0
  IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
  PGD 1ef3e067 P4D 1ef3e067 PUD 0
  Oops: 0000 [#1] SMP NOPTI
  Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
  CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
  RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
  Call Trace:
    search_binary_handler+0x97/0x1d0
    do_execveat_common.isra.34+0x667/0x810
    SyS_execve+0x31/0x40
    do_syscall_64+0x73/0x130
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Use kstrtoint instead of simple_strtoul.  It will work as the code
already set the delimiter byte to '\0' and we only do it when the field
is not empty.

Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX.  Also tested
with examples documented at Documentation/admin-guide/binfmt-misc.rst
and other registrations from packages on Ubuntu.

Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Error label is "Einval"
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/binfmt_misc.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -319,8 +319,13 @@ static Node *create_entry(const char __u
 		char *s = strchr(p, del);
 		if (!s)
 			goto Einval;
-		*s++ = '\0';
-		e->offset = simple_strtoul(p, &p, 10);
+		*s = '\0';
+		if (p != s) {
+			int r = kstrtoint(p, 10, &e->offset);
+			if (r != 0 || e->offset < 0)
+				goto Einval;
+		}
+		p = s;
 		if (*p++)
 			goto Einval;
 		e->magic = p;
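Review bot: after "p = s;" the retained test "if (*p++) goto Einval;" can never fire, because *s was set to '\0' three lines earlier; it now only steps p past the delimiter. Writing "p = s + 1;" would say that directly and remove a dead error branch. The empty-field case (p == s) also skips the assignment entirely, so e->offset keeps whatever value it had before; that is only correct if the entry was zero-initialised, which is not visible in this hunk, so an explicit "e->offset = 0" or a comment would help.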
@@ -341,7 +346,8 @@ static Node *create_entry(const char __u
 		if (e->mask &&
 		    string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
 			goto Einval;
-		if (e->size + e->offset > BINPRM_BUF_SIZE)
+		if (e->size > BINPRM_BUF_SIZE ||
+		    BINPRM_BUF_SIZE - e->size < e->offset)
 			goto Einval;
 	} else {
 		p = strchr(p, del);
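Review bot: the rewritten bound "BINPRM_BUF_SIZE - e->size < e->offset" is only free of wraparound because e->offset was forced non-negative in the earlier hunk, and nothing at this site says so. A one-line comment tying the two checks together would keep a later change to the offset parsing from quietly reopening the overflow that "e->size + e->offset" had.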



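The offset overflow described in the commit message above, modeled in user space as an added example (not code from the patch or from the kernel). The helpers model_simple_strtoul, model_kstrtoint, stored_offset_old, accept_old and accept_new are hypothetical, and the buffer size of 128 is an assumed stand-in for BINPRM_BUF_SIZE.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: stand-in for BINPRM_BUF_SIZE; the page does not give its value. */
#define BUF_SIZE 128

/* Model of the old parse: digits only, no range check, result wraps. */
static unsigned long model_simple_strtoul(const char *s)
{
	unsigned long v = 0;

	while (*s >= '0' && *s <= '9')
		v = v * 10 + (unsigned long)(*s++ - '0');
	return v;
}

/* Model of kstrtoint(): the whole string must be one integer that fits an int. */
static int model_kstrtoint(const char *s, int *res)
{
	char *end;
	long long v;

	if (*s != '-' && *s != '+' && (*s < '0' || *s > '9'))
		return -EINVAL;
	errno = 0;
	v = strtoll(s, &end, 10);
	if (end == s || *end != '\0')
		return -EINVAL;
	if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
		return -ERANGE;
	*res = (int)v;
	return 0;
}

/* Offset as the old code stored it: an unsigned long squeezed into an int. */
static int stored_offset_old(const char *field)
{
	return (int)(unsigned int)model_simple_strtoul(field);
}

/* Old acceptance test: size + offset > BUF_SIZE, with a signed sum. */
static int accept_old(const char *field, int size)
{
	int offset = stored_offset_old(field);
	/* Wrapping add, as in a kernel build; done in unsigned to avoid UB here. */
	int sum = (int)((unsigned int)size + (unsigned int)offset);

	return !(sum > BUF_SIZE);
}

/* New acceptance test, following the two hunks of the patch. */
static int accept_new(const char *field, int size)
{
	int offset = 0;

	if (*field != '\0') {
		if (model_kstrtoint(field, &offset) != 0 || offset < 0)
			return 0;
	}
	if (size > BUF_SIZE || BUF_SIZE - size < offset)
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed inputs; 2500000000 is the offset quoted in the commit message. */
	const char *fields[] = { "0", "124", "125", "2500000000",
				 "2147483647", "4294967295", "-1", "" };
	size_t i;

	for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
		printf("offset field %-12s old stores %11d  old accepts %d  new accepts %d\n",
		       fields[i][0] ? fields[i] : "(empty)",
		       stored_offset_old(fields[i]),
		       accept_old(fields[i], 4), accept_new(fields[i], 4));
	return 0;
}
```

With a 4-byte magic, the old check accepts both 2500000000 (stored as a negative offset) and INT_MAX (the sum wraps), while the new check rejects every offset that does not fit inside the buffer.
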
* [PATCH 3.16 229/366] USB: serial: ch341: fix type promotion bug in ch341_control_in()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 166/366] xen-netfront: Use static attribute groups for sysfs entries Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 301/366] squashfs: be more careful about metadata corruption Ben Hutchings
                   ` (308 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e33eab9ded328ccc14308afa51b5be7cbe78d30b upstream.

The "r" variable is an int and "bufsize" is an unsigned int so the
comparison is type promoted to unsigned.  If usb_control_msg() returns a
negative that is treated as a high positive value and the error handling
doesn't work.

Fixes: 2d5a9c72d0c4 ("USB: serial: ch341: fix control-message error handling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -131,7 +131,7 @@ static int ch341_control_in(struct usb_d
 	r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
 			    value, index, buf, bufsize, DEFAULT_TIMEOUT);
-	if (r < bufsize) {
+	if (r < (int)bufsize) {
 		if (r >= 0) {
 			dev_err(&dev->dev,
 				"short control message received (%d < %u)\n",

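Review bot: the (int)bufsize cast in the changed comparison fixes the negative-return case but quietly assumes bufsize never exceeds INT_MAX. Writing the test as "r < 0 || (unsigned int)r < bufsize", or making the bufsize parameter an int, would remove the mixed-sign comparison without depending on that assumption.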


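The type promotion described in the commit message above, as an added user-space example (not code from the patch or the driver). fake_control_msg, control_in_old, control_in_new and read_status are hypothetical stand-ins, and mapping a short read to -EIO and a full read to 0 is an assumption about the lines the hunk does not show.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for usb_control_msg(): "result" is what the transfer
 * returns, either a byte count or a negative errno. Received bytes are 0x5A. */
static int fake_control_msg(int result, unsigned char *buf, unsigned int bufsize)
{
	if (result > 0) {
		unsigned int n = (unsigned int)result;

		memset(buf, 0x5A, n < bufsize ? n : bufsize);
	}
	return result;
}

/* Before the fix. The cast spells out what "r < bufsize" means once the
 * usual arithmetic conversions turn the int into an unsigned int. */
static int control_in_old(int result, unsigned char *buf, unsigned int bufsize)
{
	int r = fake_control_msg(result, buf, bufsize);

	if ((unsigned int)r < bufsize) {
		if (r >= 0)
			r = -EIO;	/* assumption: short reads map to -EIO */
		return r;
	}
	return 0;
}

/* After the fix: the comparison is done on signed values. */
static int control_in_new(int result, unsigned char *buf, unsigned int bufsize)
{
	int r = fake_control_msg(result, buf, bufsize);

	if (r < (int)bufsize) {
		if (r >= 0)
			r = -EIO;	/* assumption: short reads map to -EIO */
		return r;
	}
	return 0;
}

typedef int (*control_in_fn)(int, unsigned char *, unsigned int);

/* A caller that trusts the return value: yields the first received byte,
 * or the negative errno. The buffer starts with stale 0xAA contents. */
static int read_status(control_in_fn fn, int result)
{
	unsigned char buf[2] = { 0xAA, 0xAA };
	int r = fn(result, buf, sizeof(buf));

	if (r < 0)
		return r;
	return buf[0];
}

int main(void)
{
	/* Constructed transfer outcomes: error, short read, full read. */
	int outcomes[] = { -EPIPE, 1, 2 };
	size_t i;

	for (i = 0; i < sizeof(outcomes) / sizeof(outcomes[0]); i++)
		printf("transfer returns %4d: old caller sees %4d, new caller sees %4d\n",
		       outcomes[i],
		       read_status(control_in_old, outcomes[i]),
		       read_status(control_in_new, outcomes[i]));
	return 0;
}
```

For a failed transfer the old check reports success, so the caller acts on the stale 0xAA byte instead of seeing the error.
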
* [PATCH 3.16 054/366] staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 018/366] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Ben Hutchings
                   ` (181 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+cd8bcd40cb049efa2770, Laura Abbott, syzbot,
	Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laura Abbott <labbott@redhat.com>

commit 45ad559a29629cb1c64ee636563c69b71524f077 upstream.

Syzbot reported yet another warning with Ion:

WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
Kernel panic - not syncing: panic_on_warn set ...

This is catching that a buffer was freed with an existing kernel mapping
still present. This can easily be triggered from userspace by calling
DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
pr_warn_once to indicate the error without being disruptive.

Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ion/ion.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -272,8 +272,11 @@ err2:
 
 void ion_buffer_destroy(struct ion_buffer *buffer)
 {
-	if (WARN_ON(buffer->kmap_cnt > 0))
+	if (buffer->kmap_cnt > 0) {
+		pr_warn_once("%s: buffer still mapped in the kernel\n",
+			     __func__);
 		buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
+	}
 	buffer->heap->ops->unmap_dma(buffer->heap, buffer);
 	buffer->heap->ops->free(buffer);
 	if (buffer->pages)
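Review bot: pr_warn_once() in ion_buffer_destroy() fires only for the first buffer destroyed while still mapped, so every later occurrence is unmapped silently, and the message carries nothing that identifies the buffer. Since the commit message says userspace can trigger this easily, a rate-limited warning (pr_warn_ratelimited) that prints kmap_cnt would stay non-disruptive while remaining useful for debugging.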



* [PATCH 3.16 065/366] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 002/366] arm64: ensure extension of smp_store_release value Ben Hutchings
                   ` (179 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 8c3d20aada70042a39c6a6625be037c1472ca610 upstream.

That other commit introduced an inconsistency because it would trace on
ERP_FAILED for all callers of port forced reopen triggers (not just
terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
other ERP triggers such as adapter, port regular, LUN.

Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
had two early outs which re-used the one zfcp_dbf_rec_trig() call.  All ERP
trigger functions finally run through zfcp_erp_action_enqueue().  So move
the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
zfcp_erp_action_enqueue() and add another early out with new trace marker
for pseudo ERP need in this case. This removes all early returns from all
ERP trigger functions so we always end up at zfcp_dbf_rec_trig().

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : .......
LUN            : 0x...
WWPN           : 0x...
D_ID           : 0x...
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x...
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 79 +++++++++++++++++++++++-------------
 1 file changed, 51 insertions(+), 28 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -142,6 +142,49 @@ static void zfcp_erp_action_dismiss_adap
 	}
 }
 
+static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
+				  struct zfcp_port *port,
+				  struct scsi_device *sdev)
+{
+	int need = want;
+	struct zfcp_scsi_dev *zsdev;
+
+	switch (want) {
+	case ZFCP_ERP_ACTION_REOPEN_LUN:
+		zsdev = sdev_to_zfcp(sdev);
+		if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+			need = 0;
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
+		if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+			need = 0;
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_PORT:
+		if (atomic_read(&port->status) &
+		    ZFCP_STATUS_COMMON_ERP_FAILED) {
+			need = 0;
+			/* ensure propagation of failed status to new devices */
+			zfcp_erp_set_port_status(
+				port, ZFCP_STATUS_COMMON_ERP_FAILED);
+		}
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
+		if (atomic_read(&adapter->status) &
+		    ZFCP_STATUS_COMMON_ERP_FAILED) {
+			need = 0;
+			/* ensure propagation of failed status to new devices */
+			zfcp_erp_set_adapter_status(
+				adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
+		}
+		break;
+	default:
+		need = 0;
+		break;
+	}
+
+	return need;
+}
+
 static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
 				 struct zfcp_port *port,
 				 struct scsi_device *sdev)
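Review bot: zfcp_erp_handle_failed() returns either want or 0, and its default branch returns 0 for any want value it does not recognise, so a caller cannot tell "object is in ERP_FAILED" from "unknown action". A short comment stating the return convention would help, and the default case probably wants a WARN_ON_ONCE or a distinct result. The function also sets status bits in the REOPEN_PORT and REOPEN_ADAPTER branches, which its name does not suggest for something that otherwise reads like a predicate.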
@@ -265,6 +308,12 @@ static int zfcp_erp_action_enqueue(int w
 	int retval = 1, need;
 	struct zfcp_erp_action *act;
 
+	need = zfcp_erp_handle_failed(want, adapter, port, sdev);
+	if (!need) {
+		need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
+		goto out;
+	}
+
 	if (!adapter->erp_thread)
 		return -EIO;
 
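Review bot: the new early-out in zfcp_erp_action_enqueue() jumps to out with retval still at its initial value of 1 ("int retval = 1, need;"), whereas the checks this patch removes further down from _zfcp_erp_adapter_reopen() and _zfcp_erp_port_reopen() returned -EIO for the same ERP_FAILED condition. If the out label returns retval, those two functions now hand a different value to their callers; either set retval = -EIO before the goto or state in the commit message that the change is intended. The block also runs ahead of the adapter->erp_thread check, so the FAILED trace is written even when there is no ERP thread.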
@@ -313,12 +362,6 @@ static int _zfcp_erp_adapter_reopen(stru
 	zfcp_erp_adapter_block(adapter, clear_mask);
 	zfcp_scsi_schedule_rports_block(adapter);
 
-	/* ensure propagation of failed status to new devices */
-	if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		zfcp_erp_set_adapter_status(adapter,
-					    ZFCP_STATUS_COMMON_ERP_FAILED);
-		return -EIO;
-	}
 	return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
 				       adapter, NULL, NULL, id, 0);
 }
@@ -337,12 +380,8 @@ void zfcp_erp_adapter_reopen(struct zfcp
 	zfcp_scsi_schedule_rports_block(adapter);
 
 	write_lock_irqsave(&adapter->erp_lock, flags);
-	if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-		zfcp_erp_set_adapter_status(adapter,
-					    ZFCP_STATUS_COMMON_ERP_FAILED);
-	else
-		zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-					NULL, NULL, id, 0);
+	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
+				NULL, NULL, id, 0);
 	write_unlock_irqrestore(&adapter->erp_lock, flags);
 }
 
@@ -383,13 +422,6 @@ static void _zfcp_erp_port_forced_reopen
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
-				  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
-				  ZFCP_ERP_ACTION_FAILED);
-		return;
-	}
-
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
 				port->adapter, port, NULL, id, 0);
 }
@@ -415,12 +447,6 @@ static int _zfcp_erp_port_reopen(struct
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		/* ensure propagation of failed status to new devices */
-		zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
-		return -EIO;
-	}
-
 	return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
 				       port->adapter, port, NULL, id, 0);
 }
@@ -460,9 +486,6 @@ static void _zfcp_erp_lun_reopen(struct
 
 	zfcp_erp_lun_block(sdev, clear);
 
-	if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-		return;
-
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
 				zfcp_sdev->port, sdev, id, act_status);
 }



* [PATCH 3.16 046/366] ext4: do not update s_last_mounted of a frozen fs
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 123/366] bnx2x: use the right constant Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 331/366] leds: do not overflow sysfs buffer in led_trigger_show Ben Hutchings
                   ` (138 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Amir Goldstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit db6516a5e7ddb6dc72d167b920f2f272596ea22d upstream.

If fs is frozen after mount and before the first file open, the
update of s_last_mounted bypasses freeze protection and prints out
a WARNING splat:

$ mount /vdf
$ fsfreeze -f /vdf
$ cat /vdf/foo

[   31.578555] WARNING: CPU: 1 PID: 1415 at
fs/ext4/ext4_jbd2.c:53 ext4_journal_check_start+0x48/0x82

[   31.614016] Call Trace:
[   31.614997]  __ext4_journal_start_sb+0xe4/0x1a4
[   31.616771]  ? ext4_file_open+0xb6/0x189
[   31.618094]  ext4_file_open+0xb6/0x189

If fs is frozen, skip s_last_mounted update.

[backport hint: to apply to stable tree, need to apply also patches
 vfs: add the sb_start_intwrite_trylock() helper
 ext4: factor out helper ext4_sample_last_mounted()]

Fixes: bc0b0d6d69ee ("ext4: update the s_last_mounted field in the superblock")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/file.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -220,7 +220,7 @@ static int ext4_sample_last_mounted(stru
 	if (likely(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED))
 		return 0;
 
-	if (sb->s_flags & MS_RDONLY)
+	if (sb->s_flags & MS_RDONLY || !sb_start_intwrite_trylock(sb))
 		return 0;
 
 	sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
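Review bot: the combined condition "sb->s_flags & MS_RDONLY || !sb_start_intwrite_trylock(sb)" mixes & and || without parentheses and hides a lock acquisition in its second operand. It parses as intended, but every return after this line must now be paired with sb_end_intwrite(); splitting the trylock into its own if with a short comment would make that obligation visible at the point where it starts.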
@@ -234,21 +234,25 @@ static int ext4_sample_last_mounted(stru
 	path.mnt = mnt;
 	path.dentry = mnt->mnt_root;
 	cp = d_path(&path, buf, sizeof(buf));
+	err = 0;
 	if (IS_ERR(cp))
-		return 0;
+		goto out;
 
 	handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
+	err = PTR_ERR(handle);
 	if (IS_ERR(handle))
-		return PTR_ERR(handle);
+		goto out;
 	BUFFER_TRACE(sbi->s_sbh, "get_write_access");
 	err = ext4_journal_get_write_access(handle, sbi->s_sbh);
 	if (err)
-		goto out;
+		goto out_journal;
 	strlcpy(sbi->s_es->s_last_mounted, cp,
 		sizeof(sbi->s_es->s_last_mounted));
 	ext4_handle_dirty_super(handle, sb);
-out:
+out_journal:
 	ext4_journal_stop(handle);
+out:
+	sb_end_intwrite(sb);
 	return err;
 }
 
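Review bot: err is assigned ahead of each IS_ERR() test (err = 0 before IS_ERR(cp), err = PTR_ERR(handle) before IS_ERR(handle)), so on the success path err briefly holds PTR_ERR() of a valid pointer. It is overwritten before use, but moving each assignment inside its if block would read more plainly. The return value of ext4_handle_dirty_super() is also still dropped, so a failure there leaves err at 0.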



* [PATCH 3.16 147/366] USB: serial: cp210x: add Silicon Labs IDs for Windows Update
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 353/366] perf tools: define _DEFAULT_SOURCE for glibc_2.20 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 360/366] perf tools: Fix snprint warnings for gcc 8 Ben Hutchings
                   ` (267 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Karoly Pados

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Karoly Pados <pados@pados.hu>

commit 2f839823382748664b643daa73f41ee0cc01ced6 upstream.

Silicon Labs defines alternative VID/PID pairs for some chips that when
used will automatically install drivers for Windows users without manual
intervention. Unfortunately, these IDs are not recognized by the Linux
module, so using these IDs improves user experience on one platform but
degrades it on Linux. This patch addresses this problem.

Signed-off-by: Karoly Pados <pados@pados.hu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -139,8 +139,11 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
 	{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
 	{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+	{ USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */
 	{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
 	{ USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
+	{ USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */
+	{ USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */
 	{ USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
 	{ USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
 	{ USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */



* [PATCH 3.16 039/366] clk: qcom: Base rcg parent rate off plan frequency
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 355/366] perf thread_map: Use readdir() instead of deprecated readdir_r() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 019/366] media: v4l2-compat-ioctl32: prevent go past max size Ben Hutchings
                   ` (242 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Evan Green, Stephen Boyd

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Evan Green <evgreen@chromium.org>

commit c7d2a0eb6c028ba064bfe92d7667977418142c7c upstream.

_freq_tbl_determine_rate uses the pre_div found in the clock plan
multiplied by the requested rate from the caller to determine the
best parent rate to set. If the requested rate is not exactly equal
to the rate that was found in the clock plan, then using the requested
rate in parent rate calculations is incorrect. For instance, if 150MHz
was requested, but 200MHz was the match found, and that plan had a
pre_div of 3, then the parent should be set to 600MHz, not 450MHz.

Signed-off-by: Evan Green <evgreen@chromium.org>
Fixes: bcd61c0f535a ("clk: qcom: Add support for root clock generators (RCGs)")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/qcom/clk-rcg2.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/qcom/clk-rcg2.c
+++ b/drivers/clk/qcom/clk-rcg2.c
@@ -199,6 +199,7 @@ static long _freq_tbl_determine_rate(str
 	clk_flags = __clk_get_flags(hw->clk);
 	*p = clk_get_parent_by_index(hw->clk, f->src);
 	if (clk_flags & CLK_SET_RATE_PARENT) {
+		rate = f->freq;
 		if (f->pre_div) {
 			rate /= 2;
 			rate *= f->pre_div + 1;
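Review bot: the added "rate = f->freq;" at the top of the CLK_SET_RATE_PARENT branch overwrites the caller's requested rate with no comment, so a reader of the code alone cannot tell that the request is deliberately ignored from this point on. A one-line comment saying the parent rate is derived from the plan entry's frequency rather than from the request would keep the assignment from being removed as redundant later. Note also that the context lines compute "rate /= 2; rate *= f->pre_div + 1;", which is not a plain multiply by pre_div, so the 200MHz to 600MHz example in the commit message describes the effective divider rather than the stored field value.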



* [PATCH 3.16 138/366] l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 297/366] tracing: Quiet gcc warning about maybe unused link variable Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 071/366] net: ethernet: davinci_emac: Fix printing of base address Ben Hutchings
                   ` (207 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 90904ff5f958a215cc3d26f957a46e80fa178470 upstream.

Define cfg.pw_type so that the new session is created with its .pwtype
field properly set (L2TP_PWTYPE_PPP).

Not setting the pseudo-wire type had several annoying effects:

  * Invalid value returned in the L2TP_ATTR_PW_TYPE attribute when
    dumping sessions with the netlink API.

  * Impossibility to delete the session using the netlink API (because
    l2tp_nl_cmd_session_delete() gets the deletion callback function
    from an array indexed by the session's pseudo-wire type).

Also, there are several cases where we should check a session's
pseudo-wire type. For example, pppol2tp_connect() should refuse to
connect a session that is not PPPoL2TP, but that requires the session's
.pwtype field to be properly set.

Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -780,6 +780,7 @@ static int pppol2tp_connect(struct socke
 		/* Default MTU must allow space for UDP/L2TP/PPP headers */
 		cfg.mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
 		cfg.mru = cfg.mtu;
+		cfg.pw_type = L2TP_PWTYPE_PPP;
 
 		session = l2tp_session_create(sizeof(struct pppol2tp_session),
 					      tunnel, session_id,
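Review bot: cfg.pw_type is set only in this session-creation branch, so the change covers sessions that pppol2tp_connect() creates itself, but the commit message also argues that pppol2tp_connect() should refuse a session that is not PPPoL2TP, and no such check is added here. Either state in the message that the pwtype check is left to a follow-up, or add it on the path that handles an already existing session, which is outside the visible context.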



* [PATCH 3.16 034/366] spi: pxa2xx: check clk_prepare_enable() return value
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (348 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 132/366] backlight: tps65217_bl: Fix Device Tree node lookup Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 317/366] VFS: Impose ordering on accesses of d_inode and d_flags Ben Hutchings
                   ` (16 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tobias Jordan, Mark Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Jordan <Tobias.Jordan@elektrobit.com>

commit 62bbc864d1946c715063bd481bff3641fd1324e2 upstream.

clk_prepare_enable() can fail, so its return value should be checked and
acted upon.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 3343b7a6d2cd ("spi/pxa2xx: convert to the common clk framework")
Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-pxa2xx.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -1182,7 +1182,9 @@ static int pxa2xx_spi_probe(struct platf
 	}
 
 	/* Enable SOC clock */
-	clk_prepare_enable(ssp->clk);
+	status = clk_prepare_enable(ssp->clk);
+	if (status)
+		goto out_error_dma_irq_alloc;
 
 	drv_data->max_clk_rate = clk_get_rate(ssp->clk);
 
@@ -1221,6 +1223,8 @@ static int pxa2xx_spi_probe(struct platf
 
 out_error_clock_enabled:
 	clk_disable_unprepare(ssp->clk);
+
+out_error_dma_irq_alloc:
 	pxa2xx_spi_dma_release(drv_data);
 	free_irq(ssp->irq, drv_data);
 
@@ -1296,8 +1300,11 @@ static int pxa2xx_spi_resume(struct devi
 	pxa2xx_spi_dma_resume(drv_data);
 
 	/* Enable the SSP clock */
-	if (!pm_runtime_suspended(dev))
-		clk_prepare_enable(ssp->clk);
+	if (!pm_runtime_suspended(dev)) {
+		status = clk_prepare_enable(ssp->clk);
+		if (status)
+			return status;
+	}
 
 	/* Restore LPSS private register bits */
 	lpss_ssp_setup(drv_data);
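Review bot: in pxa2xx_spi_resume() the new early return on clk_prepare_enable() failure comes after pxa2xx_spi_dma_resume(drv_data) has already run, so the function exits with DMA resumed and the SSP clock off. If that state needs unwinding, do it before returning; if it is harmless, a short comment would save the next reader the question. For the backport, also confirm that a status variable is already declared in this function, since this hunk uses it without adding a declaration.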
@@ -1325,9 +1332,10 @@ static int pxa2xx_spi_runtime_suspend(st
 static int pxa2xx_spi_runtime_resume(struct device *dev)
 {
 	struct driver_data *drv_data = dev_get_drvdata(dev);
+	int status;
 
-	clk_prepare_enable(drv_data->ssp->clk);
-	return 0;
+	status = clk_prepare_enable(drv_data->ssp->clk);
+	return status;
 }
 #endif
 
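Review bot: in pxa2xx_spi_runtime_resume() the new local status is assigned and returned on the next line, so the variable adds nothing. Returning the result of clk_prepare_enable(drv_data->ssp->clk) directly is shorter and says the same thing.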



* [PATCH 3.16 117/366] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 191/366] batman-adv: Fix multicast TT issues with bogus ROAM flags Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 335/366] usbip: stub_rx: fix static checker warning on unnecessary checks Ben Hutchings
                   ` (347 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sabrina Dubroca

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

commit 848235edb5c93ed086700584c8ff64f6d7fc778d upstream.

Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during
ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same
setsockopt will fail with -ENOENT, since we haven't actually created
that table.

A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr:
various fixes and cleanups").

Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6mr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1785,7 +1785,8 @@ int ip6_mroute_setsockopt(struct sock *s
 		ret = 0;
 		if (!ip6mr_new_table(net, v))
 			ret = -ENOMEM;
-		raw6_sk(sk)->ip6mr_table = v;
+		else
+			raw6_sk(sk)->ip6mr_table = v;
 		rtnl_unlock();
 		return ret;
 	}



* [PATCH 3.16 035/366] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 342/366] clk: si5351: Constify clock names and struct regmap_config Ben Hutchings
                   ` (338 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Scott Mayhew, J. Bruce Fields

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <smayhew@redhat.com>

commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.

nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
estimating the size of the readdir reply, but nfsd_encode_readdir
restricts it to INT_MAX when encoding the reply.  This can result in log
messages like "kernel: RPC request reserved 32896 but used 1049444".

Restrict rd_dircount similarly (no reason it should be larger than
svc_max_payload).

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/nfs4xdr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3343,7 +3343,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
 		nfserr = nfserr_resource;
 		goto err_no_verf;
 	}
-	maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
+	maxcount = svc_max_payload(resp->rqstp);
+	maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
 	/*
 	 * Note the rfc defines rd_maxcount as the size of the
 	 * READDIR4resok structure, which includes the verifier above
@@ -3357,7 +3358,7 @@ nfsd4_encode_readdir(struct nfsd4_compou
 
 	/* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
 	if (!readdir->rd_dircount)
-		readdir->rd_dircount = INT_MAX;
+		readdir->rd_dircount = svc_max_payload(resp->rqstp);
 
 	readdir->xdr = xdr;
 	readdir->rd_maxcount = maxcount;
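Review bot: the rd_dircount change applies only inside the "if (!readdir->rd_dircount)" branch, so a nonzero client-supplied rd_dircount larger than svc_max_payload() is still passed through unclamped, while the commit message says rd_dircount is restricted "similarly" to rd_maxcount. If a real upper bound is intended, clamp it with min_t() the way maxcount is clamped in the previous hunk; otherwise reword the message to say that only the default changed. svc_max_payload(resp->rqstp) is also called once in each hunk and could be read once into a local.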



* [PATCH 3.16 044/366] ext4: factor out helper ext4_sample_last_mounted()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 222/366] x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 305/366] netlink: Don't shift with UB on nlk->ngroups Ben Hutchings
                   ` (160 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Amir Goldstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 833a950882d33a7dfc319d5e152fdf35028936eb upstream.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16:
 - Move up declaration of ret in ext4_file_open()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/file.c | 82 ++++++++++++++++++++++++++++----------------------
 1 file changed, 46 insertions(+), 36 deletions(-)

--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -208,52 +208,64 @@ static int ext4_file_mmap(struct file *f
 	return 0;
 }
 
-static int ext4_file_open(struct inode * inode, struct file * filp)
+static int ext4_sample_last_mounted(struct super_block *sb,
+				    struct vfsmount *mnt)
 {
-	struct super_block *sb = inode->i_sb;
-	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
-	struct vfsmount *mnt = filp->f_path.mnt;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct path path;
 	char buf[64], *cp;
+	handle_t *handle;
+	int err;
+
+	if (likely(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED))
+		return 0;
+
+	if (sb->s_flags & MS_RDONLY)
+		return 0;
+
+	sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
+	/*
+	 * Sample where the filesystem has been mounted and
+	 * store it in the superblock for sysadmin convenience
+	 * when trying to sort through large numbers of block
+	 * devices or filesystem images.
+	 */
+	memset(buf, 0, sizeof(buf));
+	path.mnt = mnt;
+	path.dentry = mnt->mnt_root;
+	cp = d_path(&path, buf, sizeof(buf));
+	if (IS_ERR(cp))
+		return 0;
+
+	handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
+	if (IS_ERR(handle))
+		return PTR_ERR(handle);
+	BUFFER_TRACE(sbi->s_sbh, "get_write_access");
+	err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+	if (err)
+		goto out;
+	strlcpy(sbi->s_es->s_last_mounted, cp,
+		sizeof(sbi->s_es->s_last_mounted));
+	ext4_handle_dirty_super(handle, sb);
+out:
+	ext4_journal_stop(handle);
+	return err;
+}
+
+static int ext4_file_open(struct inode * inode, struct file * filp)
+{
+	int ret;
+
+	ret = ext4_sample_last_mounted(inode->i_sb, filp->f_path.mnt);
+	if (ret)
+		return ret;
 
-	if (unlikely(!(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED) &&
-		     !(sb->s_flags & MS_RDONLY))) {
-		sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
-		/*
-		 * Sample where the filesystem has been mounted and
-		 * store it in the superblock for sysadmin convenience
-		 * when trying to sort through large numbers of block
-		 * devices or filesystem images.
-		 */
-		memset(buf, 0, sizeof(buf));
-		path.mnt = mnt;
-		path.dentry = mnt->mnt_root;
-		cp = d_path(&path, buf, sizeof(buf));
-		if (!IS_ERR(cp)) {
-			handle_t *handle;
-			int err;
-
-			handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
-			if (IS_ERR(handle))
-				return PTR_ERR(handle);
-			BUFFER_TRACE(sbi->s_sbh, "get_write_access");
-			err = ext4_journal_get_write_access(handle, sbi->s_sbh);
-			if (err) {
-				ext4_journal_stop(handle);
-				return err;
-			}
-			strlcpy(sbi->s_es->s_last_mounted, cp,
-				sizeof(sbi->s_es->s_last_mounted));
-			ext4_handle_dirty_super(handle, sb);
-			ext4_journal_stop(handle);
-		}
-	}
 	/*
 	 * Set up the jbd2_inode if we are opening the inode for
 	 * writing and the journal is present
 	 */
 	if (filp->f_mode & FMODE_WRITE) {
-		int ret = ext4_inode_attach_jinode(inode);
+		ret = ext4_inode_attach_jinode(inode);
 		if (ret < 0)
 			return ret;
 	}
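Review bot: ext4_sample_last_mounted() sets EXT4_MF_MNTDIR_SAMPLED before ext4_journal_start_sb() and ext4_journal_get_write_access(), so when either fails the open returns the error but the flag stays set and s_last_mounted is never sampled for this mount. That matches the code being moved, but now that it is a named helper it deserves a comment saying the one-shot behaviour on failure is intended. The commit message has no body; one sentence stating that this is a refactor with no functional change would help stable reviewers.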



* [PATCH 3.16 187/366] batman-adv: Fix debugfs path for renamed hardif
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 037/366] s390/cpum_sf: Add data entry sizes to sampling trailer entry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 011/366] Revert "mtd: nand: omap2: Fix subpage write" Ben Hutchings
                   ` (359 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, John Soros, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 36dc621ceca1be3ec885aeade5fdafbbcc452a6d upstream.

batman-adv is creating special debugfs directories in the init
net_namespace for each valid hard-interface (net_device). But it is
possible to rename a net_device to a completely different name than the
original one.

It can therefore happen that a user registers a new net_device which gets
the name "wlan0" assigned by default. batman-adv is also adding a new
directory under $debugfs/batman-adv/ with the name "wlan0".

The user then decides to rename this device to "wl_pri" and registers a
different device. The kernel may now decide to use the name "wlan0" again
for this new device. batman-adv will detect it as a valid net_device and
try to create a directory with the name "wlan0" under
$debugfs/batman-adv/. But there already exists one with this name under
this path and thus this fails. batman-adv will detect a problem and
roll back the registering of this device.

batman-adv must therefore take care of renaming the debugfs directories
for hard-interfaces whenever it detects such a net_device rename.

Fixes: 5bc7c1eb44f2 ("batman-adv: add debugfs structure for information per interface")
Reported-by: John Soros <sorosj@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/debugfs.c        | 20 ++++++++++++++++++++
 net/batman-adv/debugfs.h        |  6 ++++++
 net/batman-adv/hard-interface.c |  3 +++
 3 files changed, 29 insertions(+)

--- a/net/batman-adv/debugfs.c
+++ b/net/batman-adv/debugfs.c
@@ -17,6 +17,7 @@
 
 #include "main.h"
 
+#include <linux/dcache.h>
 #include <linux/debugfs.h>
 
 #include "debugfs.h"
@@ -486,6 +487,25 @@ out:
 }
 
 /**
+ * batadv_debugfs_rename_hardif() - Fix debugfs path for renamed hardif
+ * @hard_iface: hard interface which was renamed
+ */
+void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface)
+{
+	const char *name = hard_iface->net_dev->name;
+	struct dentry *dir;
+	struct dentry *d;
+
+	dir = hard_iface->debug_dir;
+	if (!dir)
+		return;
+
+	d = debugfs_rename(dir->d_parent, dir, dir->d_parent, name);
+	if (!d)
+		pr_err("Can't rename debugfs dir to %s\n", name);
+}
+
+/**
  * batadv_debugfs_del_hardif - delete the base directory for a hard interface
  *  in debugfs.
  * @hard_iface: hard interface which is deleted.
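Review bot: batadv_debugfs_rename_hardif() only logs when debugfs_rename() returns NULL and itself returns void, so after a failed rename the directory keeps the old interface name and the name collision described in the commit message can still occur for the next device that is given that name. Consider returning an error so the NETDEV_CHANGENAME handler can react, or at least include the old directory name in the pr_err() text. Minor: the new kernel-doc header writes the function name with "()" while the neighbouring batadv_debugfs_del_hardif header in the context lines does not.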
--- a/net/batman-adv/debugfs.h
+++ b/net/batman-adv/debugfs.h
@@ -27,6 +27,7 @@ void batadv_debugfs_destroy(void);
 int batadv_debugfs_add_meshif(struct net_device *dev);
 void batadv_debugfs_del_meshif(struct net_device *dev);
 int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
+void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface);
 void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface);
 
 #else
@@ -55,6 +56,11 @@ int batadv_debugfs_add_hardif(struct bat
 }
 
 static inline
+void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface)
+{
+}
+
+static inline
 void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface)
 {
 }
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -695,6 +695,9 @@ static int batadv_hard_if_event(struct n
 		if (hard_iface == primary_if)
 			batadv_primary_if_update_addr(bat_priv, NULL);
 		break;
+	case NETDEV_CHANGENAME:
+		batadv_debugfs_rename_hardif(hard_iface);
+		break;
 	default:
 		break;
 	}



* [PATCH 3.16 119/366] rtnetlink: validate attributes in do_setlink()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 278/366] can: constify of_device_id array Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Ben Hutchings
                   ` (340 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Dmitry Vyukov, syzbot, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae upstream.

It seems that rtnl_group_changelink() can call do_setlink
while a prior call to validate_linkmsg(dev = NULL, ...) could
not validate IFLA_ADDRESS / IFLA_BROADCAST.

Make sure do_setlink() calls validate_linkmsg() instead
of letting its callers have this responsibility.

With help from Dmitry Vyukov, thanks a lot !

BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
 eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
 eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
 dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
 do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
 rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
 do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
 rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: e7ed828f10bd ("netlink: support setting devgroup parameters")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/rtnetlink.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1483,6 +1483,10 @@ static int do_setlink(const struct sk_bu
 	const struct net_device_ops *ops = dev->netdev_ops;
 	int err;
 
+	err = validate_linkmsg(dev, tb);
+	if (err < 0)
+		return err;
+
 	if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
 		struct net *net = rtnl_link_get_net(dev_net(dev), tb);
 		if (IS_ERR(net)) {
@@ -1747,10 +1751,6 @@ static int rtnl_setlink(struct sk_buff *
 		goto errout;
 	}
 
-	err = validate_linkmsg(dev, tb);
-	if (err < 0)
-		goto errout;
-
 	err = do_setlink(skb, dev, ifm, tb, ifname, 0);
 errout:
 	return err;
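Review bot: the call removed in this hunk is only the one in rtnl_setlink(), and per the diffstat these two hunks are the whole change, so the earlier validate_linkmsg(dev = NULL, ...) on the rtnl_group_changelink() path that the commit message mentions stays in place and that path now validates twice. That is harmless, but a comment above the new call in do_setlink() saying it is the authoritative check, because callers may not have had a dev when they validated, would make the duplication read as intentional.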



* [PATCH 3.16 069/366] powerpc/ptrace: Fix enforcement of DAWR constraints
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (335 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 215/366] ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 347/366] arm64: use linux/types.h in kvm.h Ben Hutchings
                   ` (29 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Michael Neuling

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.

Back when we first introduced the DAWR, in commit 4ae7ebe9522a
("powerpc: Change hardware breakpoint to allow longer ranges"), we
screwed up the constraint making it a 1024 byte boundary rather than a
512. This makes the check overly permissive. Fortunately GDB is the
only real user and it always did the right thing, so we never
noticed.

This fixes the constraint to 512 bytes.

Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/hw_breakpoint.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/hw_breakpoint.c
+++ b/arch/powerpc/kernel/hw_breakpoint.c
@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct
 	if (cpu_has_feature(CPU_FTR_DAWR)) {
 		length_max = 512 ; /* 64 doublewords */
 		/* DAWR region can't cross 512 boundary */
-		if ((bp->attr.bp_addr >> 10) != 
-		    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
+		if ((bp->attr.bp_addr >> 9) !=
+		    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
 			return -EINVAL;
 	}
 	if (info->len >
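Review bot: the fix leaves the limit spelled three ways within four lines: "length_max = 512", the comment "can't cross 512 boundary", and the shift by 9. The original bug was exactly these drifting apart, so derive the shift from one named constant (or compare using a mask built from length_max) instead of hard-coding 9. Also note that bp_addr + bp_len - 1 is evaluated with no visible check that bp_len is nonzero.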



* [PATCH 3.16 194/366] usb: cdc_acm: Add quirk for Uniden UBC125 scanner
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (339 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 312/366] packet: refine ring v3 block size test to hold one frame Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 343/366] net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics Ben Hutchings
                   ` (25 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oliver Neukum, Greg Kroah-Hartman, Houston Yaroschoff

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Houston Yaroschoff <hstn@4ever3.net>

commit 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 upstream.

The Uniden UBC125 radio scanner has a USB interface which fails to work
with the cdc_acm driver:
  usb 1-1.5: new full-speed USB device number 4 using xhci_hcd
  cdc_acm 1-1.5:1.0: Zero length descriptor references
  cdc_acm: probe of 1-1.5:1.0 failed with error -22

Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
  usb 1-4: new full-speed USB device number 15 using xhci_hcd
  usb 1-4: New USB device found, idVendor=1965, idProduct=0018
  usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
  usb 1-4: Product: UBC125XLT
  usb 1-4: Manufacturer: Uniden Corp.
  usb 1-4: SerialNumber: 0001
  cdc_acm 1-4:1.0: ttyACM0: USB ACM device

`lsusb -v` of the device:

  Bus 001 Device 015: ID 1965:0018 Uniden Corporation
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               2.00
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    idVendor           0x1965 Uniden Corporation
    idProduct          0x0018
    bcdDevice            0.01
    iManufacturer           1 Uniden Corp.
    iProduct                2 UBC125XLT
    iSerial                 3 0001
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength           48
      bNumInterfaces          2
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0x80
        (Bus Powered)
      MaxPower              500mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           1
        bInterfaceClass         2 Communications
        bInterfaceSubClass      2 Abstract (modem)
        bInterfaceProtocol      0 None
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x87  EP 7 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0008  1x 8 bytes
          bInterval              10
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        1
        bAlternateSetting       0
        bNumEndpoints           2
        bInterfaceClass        10 CDC Data
        bInterfaceSubClass      0 Unused
        bInterfaceProtocol      0
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x02  EP 2 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
  Device Status:     0x0000
    (Bus Powered)

Signed-off-by: Houston Yaroschoff <hstn@4ever3.net>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1711,6 +1711,9 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
 	.driver_info = SINGLE_RX_URB,
 	},
+	{ USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
+	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+	},
 	{ USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
 	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
 	},



* [PATCH 3.16 145/366] ext4: include the illegal physical block in the bad map ext4_error msg
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (139 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 223/366] x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 144/366] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl() Ben Hutchings
                   ` (225 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit bdbd6ce01a70f02e9373a584d0ae9538dcf0a121 upstream.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -414,9 +414,9 @@ static int __check_block_validity(struct
 	if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
 				   map->m_len)) {
 		ext4_error_inode(inode, func, line, map->m_pblk,
-				 "lblock %lu mapped to illegal pblock "
+				 "lblock %lu mapped to illegal pblock %llu "
 				 "(length %d)", (unsigned long) map->m_lblk,
-				 map->m_len);
+				 map->m_pblk, map->m_len);
 		return -EIO;
 	}
 	return 0;
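
Review bot: In the ext4_error_inode() call, map->m_pblk is passed to the new %llu without a cast, while map->m_lblk on the line above it is cast to (unsigned long) for %lu. If m_pblk is not unsigned long long on every configuration this is a format mismatch, so either add an explicit (unsigned long long) cast or say in the commit message why none is needed. The commit message also has no body; one sentence on why the physical block number helps when triaging a bad mapping would be useful.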



* [PATCH 3.16 188/366] batman-adv: Fix debugfs path for renamed softif
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (299 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 267/366] Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 162/366] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips Ben Hutchings
                   ` (65 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 6da7be7d24b2921f8215473ba7552796dff05fe1 upstream.

batman-adv is creating special debugfs directories in the init
net_namespace for each created soft-interface (batadv net_device). But it
is possible to rename a net_device to a completely different name than the
original one.

It can therefore happen that a user registers a new batadv net_device with
the name "bat0". batman-adv is then also adding a new directory under
$debugfs/batman-adv/ with the name "wlan0".

The user then decides to rename this device to "bat1" and registers a
different batadv device with the name "bat0". batman-adv will then try to
create a directory with the name "bat0" under $debugfs/batman-adv/ again.
But there already exists one with this name under this path and thus this
fails. batman-adv will detect a problem and roll back the registering of
this device.

batman-adv must therefore take care of renaming the debugfs directories for
soft-interfaces whenever it detects such a net_device rename.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/debugfs.c        | 20 +++++++++++++++++++
 net/batman-adv/debugfs.h        |  5 +++++
 net/batman-adv/hard-interface.c | 34 +++++++++++++++++++++++++++------
 3 files changed, 53 insertions(+), 6 deletions(-)

--- a/net/batman-adv/debugfs.c
+++ b/net/batman-adv/debugfs.c
@@ -560,6 +560,26 @@ out:
 	return -ENOMEM;
 }
 
+/**
+ * batadv_debugfs_rename_meshif() - Fix debugfs path for renamed softif
+ * @dev: net_device which was renamed
+ */
+void batadv_debugfs_rename_meshif(struct net_device *dev)
+{
+	struct batadv_priv *bat_priv = netdev_priv(dev);
+	const char *name = dev->name;
+	struct dentry *dir;
+	struct dentry *d;
+
+	dir = bat_priv->debug_dir;
+	if (!dir)
+		return;
+
+	d = debugfs_rename(dir->d_parent, dir, dir->d_parent, name);
+	if (!d)
+		pr_err("Can't rename debugfs dir to %s\n", name);
+}
+
 void batadv_debugfs_del_meshif(struct net_device *dev)
 {
 	struct batadv_priv *bat_priv = netdev_priv(dev);
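
Review bot: When debugfs_rename() fails in batadv_debugfs_rename_meshif(), the only reaction is a pr_err() carrying the new name, and the function returns void. The directory then keeps its old name, which is the state that leads to the registration failure described in the commit message. Consider logging the old directory name as well so the stale entry can be identified, and stating in the kernel-doc comment that a failed rename is not reported to the caller.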
--- a/net/batman-adv/debugfs.h
+++ b/net/batman-adv/debugfs.h
@@ -25,6 +25,7 @@
 void batadv_debugfs_init(void);
 void batadv_debugfs_destroy(void);
 int batadv_debugfs_add_meshif(struct net_device *dev);
+void batadv_debugfs_rename_meshif(struct net_device *dev);
 void batadv_debugfs_del_meshif(struct net_device *dev);
 int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
 void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface);
@@ -45,6 +46,10 @@ static inline int batadv_debugfs_add_mes
 	return 0;
 }
 
+static inline void batadv_debugfs_rename_meshif(struct net_device *dev)
+{
+}
+
 static inline void batadv_debugfs_del_meshif(struct net_device *dev)
 {
 }
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -640,6 +640,32 @@ void batadv_hardif_remove_interfaces(voi
 	rtnl_unlock();
 }
 
+/**
+ * batadv_hard_if_event_softif() - Handle events for soft interfaces
+ * @event: NETDEV_* event to handle
+ * @net_dev: net_device which generated an event
+ *
+ * Return: NOTIFY_* result
+ */
+static int batadv_hard_if_event_softif(unsigned long event,
+				       struct net_device *net_dev)
+{
+	struct batadv_priv *bat_priv;
+
+	switch (event) {
+	case NETDEV_REGISTER:
+		batadv_sysfs_add_meshif(net_dev);
+		bat_priv = netdev_priv(net_dev);
+		batadv_softif_create_vlan(bat_priv, BATADV_NO_FLAGS);
+		break;
+	case NETDEV_CHANGENAME:
+		batadv_debugfs_rename_meshif(net_dev);
+		break;
+	}
+
+	return NOTIFY_DONE;
+}
+
 static int batadv_hard_if_event(struct notifier_block *this,
 				unsigned long event, void *ptr)
 {
@@ -648,12 +674,8 @@ static int batadv_hard_if_event(struct n
 	struct batadv_hard_iface *primary_if = NULL;
 	struct batadv_priv *bat_priv;
 
-	if (batadv_softif_is_valid(net_dev) && event == NETDEV_REGISTER) {
-		batadv_sysfs_add_meshif(net_dev);
-		bat_priv = netdev_priv(net_dev);
-		batadv_softif_create_vlan(bat_priv, BATADV_NO_FLAGS);
-		return NOTIFY_DONE;
-	}
+	if (batadv_softif_is_valid(net_dev))
+		return batadv_hard_if_event_softif(event, net_dev);
 
 	hard_iface = batadv_hardif_get_by_netdev(net_dev);
 	if (!hard_iface && event == NETDEV_REGISTER)
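
Review bot: The new early return in batadv_hard_if_event() applies to every event on a soft interface, whereas the removed block returned early only for NETDEV_REGISTER and let all other events continue to batadv_hardif_get_by_netdev(). If that widening is intended, the commit message should say so. Also check that the bat_priv local that stays declared in batadv_hard_if_event() is still used further down, since its only visible use is removed here.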



* [PATCH 3.16 110/366] IB/isert: fix T10-pi check mask setting
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 114/366] branch-check: fix long->int truncation when profiling branches Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 015/366] staging:iio:ade7854: Fix error handling on read/write Ben Hutchings
                   ` (215 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Christoph Hellwig, Martin K. Petersen,
	Sagi Grimberg, Max Gurtovoy

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Gurtovoy <maxg@mellanox.com>

commit 0e12af84cdd3056460f928adc164f9e87f4b303b upstream.

A copy/paste bug (probably) caused setting of an app_tag check mask
in case where a ref_tag check was needed.

Fixes: 38a2d0d429f1 ("IB/isert: convert to the generic RDMA READ/WRITE API")
Fixes: 9e961ae73c2c ("IB/isert: Support T10-PI protected transactions")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2822,7 +2822,7 @@ static inline u8
 isert_set_prot_checks(u8 prot_checks)
 {
 	return (prot_checks & TARGET_DIF_CHECK_GUARD  ? 0xc0 : 0) |
-	       (prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x30 : 0) |
+	       (prot_checks & TARGET_DIF_CHECK_APPTAG ? 0x30 : 0) |
 	       (prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x0f : 0);
 }
 
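
Review bot: The three masks in isert_set_prot_checks() (0xc0, 0x30, 0x0f) are bare literals, which is what let the duplicated TARGET_DIF_CHECK_REFTAG line go unnoticed. Named constants, or a one-line comment saying which mask belongs to the guard, application tag and reference tag checks, would make a repeat of this copy/paste error much easier to catch in review.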



* [PATCH 3.16 217/366] ext4: check superblock mapped prior to committing
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 076/366] ipmi:bt: Set the timeout before doing a capabilities check Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 103/366] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message Ben Hutchings
                   ` (249 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Jon Derrick

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jon Derrick <jonathan.derrick@intel.com>

commit a17712c8e4be4fa5404d20e9cd3b2b21eae7bc56 upstream.

This patch attempts to close a hole leading to a BUG seen with hot
removals during writes [1].

A block device (NVME namespace in this test case) is formatted to EXT4
without partitions. It's mounted and write I/O is run to a file, then
the device is hot removed from the slot. The superblock attempts to be
written to the drive which is no longer present.

The typical chain of events leading to the BUG:
ext4_commit_super()
  __sync_dirty_buffer()
    submit_bh()
      submit_bh_wbc()
        BUG_ON(!buffer_mapped(bh));

This fix checks for the superblock's buffer head being mapped prior to
syncing.

[1] https://www.spinics.net/lists/linux-ext4/msg56527.html

Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4653,6 +4653,14 @@ static int ext4_commit_super(struct supe
 
 	if (!sbh || block_device_ejected(sb))
 		return error;
+
+	/*
+	 * The superblock bh should be mapped, but it might not be if the
+	 * device was hot-removed. Not much we can do but fail the I/O.
+	 */
+	if (!buffer_mapped(sbh))
+		return error;
+
 	/*
 	 * If the file system is mounted read-only, don't update the
 	 * superblock write time.  This avoids updating the superblock
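
Review bot: The new !buffer_mapped(sbh) branch returns error, but the comment above it says the I/O is failed, and nothing in the visible lines assigns a failure code to error before this point. If error still holds its initial value here, callers of ext4_commit_super() see success for a superblock that was never written. Consider returning an explicit error code, or reword the comment to say the commit is skipped in the same way as the "!sbh || block_device_ejected(sb)" check just above.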



* [PATCH 3.16 118/366] net: metrics: add proper netlink validation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (341 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 343/366] net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 094/366] libata: zpodd: small read overflow in eject_tray() Ben Hutchings
                   ` (23 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David Ahern, David S. Miller, syzbot

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53 upstream.

Before using nla_get_u32(), better make sure the attribute
is of the proper size.

Code recently was changed, but bug has been there from beginning
of git.

BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
 fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
 rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
 fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
 inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
 fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
 fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
 fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
 inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Metrics are parsed in fib_create_info()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -862,6 +862,8 @@ struct fib_info *fib_create_info(struct
 
 				if (type > RTAX_MAX)
 					goto err_inval;
+				if (nla_len(nla) != sizeof(u32))
+					goto err_inval;
 				val = nla_get_u32(nla);
 				if (type == RTAX_ADVMSS && val > 65535 - 40)
 					val = 65535 - 40;
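
Review bot: The added test is "nla_len(nla) != sizeof(u32)", so it rejects attributes longer than four bytes as well as the short ones behind the uninitialized read in nla_get_u32(). That can turn requests that were previously accepted into err_inval, which deserves one sentence in the commit message, since the KMSAN report only demonstrates the short case.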



* [PATCH 3.16 142/366] cfg80211: initialize sinfo in cfg80211_get_station
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
@ 2018-11-11 19:49   ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Ben Hutchings
                     ` (365 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, b.a.t.m.a.n, Sven Eckelmann, Marcel Schmidt, Johannes Berg,
	Thomas Lauer

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 3c12d0486856b9eb89c2a9ac336713cba90813e3 upstream.

Most of the implementations behind cfg80211_get_station will not initialize
sinfo to zero before manipulating it. For example, the member "filled",
which indicates the filled in parts of this struct, is often only modified
by enabling certain bits in the bitfield while keeping the remaining bits
in their original state. A caller without a preinitialized sinfo.filled can
then no longer decide which parts of sinfo were filled in by
cfg80211_get_station (or actually the underlying implementations).

cfg80211_get_station must therefore take care that sinfo is initialized to
zero. Otherwise, the caller may try to read information which was not
filled in and which must therefore also be considered uninitialized. In
batadv_v_elp_get_throughput's case, an invalid "random" expected throughput
may be stored for this neighbor and thus the B.A.T.M.A.N V algorithm may
switch to non-optimal neighbors for certain destinations.

Fixes: 7406353d43c8 ("cfg80211: implement cfg80211_get_station cfg80211 API")
Reported-by: Thomas Lauer <holminateur@gmail.com>
Reported-by: Marcel Schmidt <ff.z-casparistrasse@mailbox.org>
Cc: b.a.t.m.a.n@lists.open-mesh.org
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/util.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1566,6 +1566,8 @@ int cfg80211_get_station(struct net_devi
 	if (!rdev->ops->get_station)
 		return -EOPNOTSUPP;
 
+	memset(sinfo, 0, sizeof(*sinfo));
+
 	return rdev_get_station(rdev, dev, mac_addr, sinfo);
 }
 EXPORT_SYMBOL(cfg80211_get_station);
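
Review bot: The memset() is placed after the "!rdev->ops->get_station" check, so on the -EOPNOTSUPP return sinfo is still left untouched. A caller that looks at sinfo->filled without checking the return value keeps reading uninitialized data on that path; moving the memset() above the early return would make the guarantee in the commit message hold for that exit as well.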



* [PATCH 3.16 209/366] n_tty: Fix stall at n_tty_receive_char_special().
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (192 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 155/366] scsi: target: Fix truncated PR-in ReadKeys response Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 281/366] can: xilinx_can: fix device dropping off bus on RX overrun Ben Hutchings
                   ` (172 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Hurley, Tetsuo Handa, syzbot, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream.

syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
because comparison is not working as expected since ldata->read_head can
change at any moment. Mitigate this by explicitly masking with buffer size
when checking condition for "while" loops.

[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size")
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_tty.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -127,6 +127,8 @@ struct n_tty_data {
 	struct mutex output_lock;
 };
 
+#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
+
 static inline size_t read_cnt(struct n_tty_data *ldata)
 {
 	return ldata->read_head - ldata->read_tail;
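
Review bot: MASK() is a very generic name for a file-scope macro in n_tty.c, and it is only correct while N_TTY_BUF_SIZE is a power of two. A more specific name and a short comment stating that assumption would help, and the open-coded "tail & (N_TTY_BUF_SIZE - 1)" that remains in inq_canon() could then use the macro too.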
@@ -1032,14 +1034,15 @@ static void eraser(unsigned char c, stru
 	}
 
 	seen_alnums = 0;
-	while (ldata->read_head != ldata->canon_head) {
+	while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
 		head = ldata->read_head;
 
 		/* erase a single possibly multibyte character */
 		do {
 			head--;
 			c = read_buf(ldata, head);
-		} while (is_continuation(c, tty) && head != ldata->canon_head);
+		} while (is_continuation(c, tty) &&
+			 MASK(head) != MASK(ldata->canon_head));
 
 		/* do not partially erase */
 		if (is_continuation(c, tty))
@@ -1081,7 +1084,7 @@ static void eraser(unsigned char c, stru
 				 * This info is used to go back the correct
 				 * number of columns.
 				 */
-				while (tail != ldata->canon_head) {
+				while (MASK(tail) != MASK(ldata->canon_head)) {
 					tail--;
 					c = read_buf(ldata, tail);
 					if (c == '\t') {
@@ -1341,7 +1344,7 @@ n_tty_receive_char_special(struct tty_st
 			finish_erasing(ldata);
 			echo_char(c, tty);
 			echo_char_raw('\n', ldata);
-			while (tail != ldata->read_head) {
+			while (MASK(tail) != MASK(ldata->read_head)) {
 				echo_char(read_buf(ldata, tail), tty);
 				tail++;
 			}
@@ -2506,7 +2509,7 @@ static unsigned long inq_canon(struct n_
 	tail = ldata->read_tail;
 	nr = head - tail;
 	/* Skip EOF-chars.. */
-	while (head != tail) {
+	while (MASK(head) != MASK(tail)) {
 		if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
 		    read_buf(ldata, tail) == __DISABLED_CHAR)
 			nr--;
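
Review bot: In inq_canon(), "nr = head - tail" is still computed on the unmasked indices while the loop condition now compares MASK(head) with MASK(tail). Masked equality cannot tell an empty buffer from one where head and tail differ by exactly N_TTY_BUF_SIZE, so in that state the EOF-skipping loop would not run and nr would be returned unadjusted. Please confirm that state cannot occur here, or bound the loop by nr instead of by index equality.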



* [PATCH 3.16 265/366] x86/MCE: Remove min interval polling limitation
@ 2018-11-11 19:49   ` Ben Hutchings
  0 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dewet Thibaut, Tony Luck, Thomas Gleixner, linux-edac,
	Alexander Sverdlin, Borislav Petkov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dewet Thibaut <thibaut.dewet@nokia.com>

commit fbdb328c6bae0a7c78d75734a738b66b86dffc96 upstream.

commit b3b7c4795c ("x86/MCE: Serialize sysfs changes") introduced a min
interval limitation when setting the check interval for polled MCEs.
However, the logic is that 0 disables polling for corrected MCEs, see
Documentation/x86/x86_64/machinecheck. The limitation prevents disabling.

Remove this limitation and allow the value 0 to disable polling again.

Fixes: b3b7c4795c ("x86/MCE: Serialize sysfs changes")
Signed-off-by: Dewet Thibaut <thibaut.dewet@nokia.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
[ Massage commit message. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20180716084927.24869-1-alexander.sverdlin@nokia.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/mcheck/mce.c | 3 ---
 1 file changed, 3 deletions(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -2260,9 +2260,6 @@ static ssize_t store_int_with_restart(st
 	if (check_interval == old_check_interval)
 		return ret;
 
-	if (check_interval < 1)
-		check_interval = 1;
-
 	mutex_lock(&mce_sysfs_mutex);
 	mce_restart();
 	mutex_unlock(&mce_sysfs_mutex);
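
Review bot: The removed "check_interval < 1" clamp also caught negative values, and nothing in this hunk rejects them before mce_restart() is called. If the intent is only to let 0 through so that polling can be disabled, consider keeping a check for values below 0 rather than dropping the validation entirely.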



* [PATCH 3.16 105/366] RDMA/mlx4: Discard unknown SQP work requests
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (145 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 116/366] l2tp: fix refcount leakage on PPPoL2TP sockets Ben Hutchings
                   ` (219 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Doug Ledford

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream.

There is no need to crash the machine if unknown work request was
received in SQP MAD.

Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/mad.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1748,7 +1748,6 @@ static void mlx4_ib_sqp_comp_worker(stru
 					       "buf:%lld\n", wc.wr_id);
 				break;
 			default:
-				BUG_ON(1);
 				break;
 			}
 		} else  {
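
Review bot: With BUG_ON(1) removed, the default case in mlx4_ib_sqp_comp_worker() drops an unknown work request without leaving any trace, while the case just above it prints wc.wr_id. A rate-limited warning in the default branch would keep unexpected completions visible without crashing the machine.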



* [PATCH 3.16 189/366] batman-adv: Avoid storing non-TT-sync flags on singular entries too
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (234 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 240/366] ibmasm: don't write out of bounds in read handler Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 172/366] xen-netfront: Fix race between device setup and open Ben Hutchings
                   ` (130 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Linus Lüssing, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <linus.luessing@c0d3.blue>

commit 4a519b83da16927fb98fd32b0f598e639d1f1859 upstream.

Since commit 54e22f265e87 ("batman-adv: fix TT sync flag inconsistencies")
TT sync flags and TT non-sync'd flags are supposed to be stored
separately.

The previous patch missed to apply this separation on a TT entry with
only a single TT orig entry.

This is a minor fix because with only a single TT orig entry the DDoS
issue the former patch solves does not apply.

Fixes: 54e22f265e87 ("batman-adv: fix TT sync flag inconsistencies")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1378,7 +1378,8 @@ static bool batadv_tt_global_add(struct
 		ether_addr_copy(common->addr, tt_addr);
 		common->vid = vid;
 
-		common->flags = flags;
+		common->flags = flags & (~BATADV_TT_SYNC_MASK);
+
 		tt_global_entry->roam_at = 0;
 		/* node must store current time in case of roaming. This is
 		 * needed to purge this entry out on timeout (if nobody claims
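Review bot: the new assignment to common->flags strips BATADV_TT_SYNC_MASK without a comment saying where the sync bits are kept instead, so a reader of batadv_tt_global_add() cannot tell at this spot that dropping them is intentional. A one-line comment above `common->flags = flags & (~BATADV_TT_SYNC_MASK);` would carry the reasoning from the commit message into the code. The parentheses around the complement are redundant, and the blank line added after the assignment is unrelated whitespace.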



* [PATCH 3.16 208/366] dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (194 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 281/366] can: xilinx_can: fix device dropping off bus on RX overrun Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 007/366] [media] drxk_hard: fix bad alignments Ben Hutchings
                   ` (170 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Vinod Koul

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit c4c2b7644cc9a41f17a8cc8904efe3f66ae4c7ed upstream.

The d->chans[] array has d->dma_requests elements so the > should be
>= here.

Fixes: 8e6152bc660e ("dmaengine: Add hisilicon k3 DMA engine driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/k3dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/dma/k3dma.c
+++ b/drivers/dma/k3dma.c
@@ -652,7 +652,7 @@ static struct dma_chan *k3_of_dma_simple
 	struct k3_dma_dev *d = ofdma->of_dma_data;
 	unsigned int request = dma_spec->args[0];
 
-	if (request > d->dma_requests)
+	if (request >= d->dma_requests)
 		return NULL;
 
 	return dma_get_slave_channel(&(d->chans[request].vc.chan));
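Review bot: the rejection path of the bound check returns NULL with no message, so a device-tree request number that is out of range fails silently; a dev_err naming the rejected value would make that easy to trace. The commit message could also state the consequence of the old test: `request` comes straight from dma_spec->args[0], and with `>` a value equal to d->dma_requests passed the check and indexed d->chans[] one element past its end.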



* [PATCH 3.16 077/366] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (363 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 016/366] staging:iio:ade7854: Fix the wrong number of bits to read Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 128/366] video/omap: add module license tags Ben Hutchings
  2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.

We aren't checking to see if the in-inode extended attribute is
corrupted before we try to expand the inode's extra isize fields.

This can lead to potential crashes caused by the BUG_ON() check in
ext4_xattr_shift_entries().

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: s/EFSCORRUPTED/EIO/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -243,6 +243,27 @@ ext4_xattr_check_block(struct inode *ino
 	return error;
 }
 
+static int
+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
+			 void *end, const char *function, unsigned int line)
+{
+	struct ext4_xattr_entry *entry = IFIRST(header);
+	int error = -EIO;
+
+	if (((void *) header >= end) ||
+	    (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
+		goto errout;
+	error = ext4_xattr_check_names(entry, end, entry);
+errout:
+	if (error)
+		__ext4_error_inode(inode, function, line, 0,
+				   "corrupted in-inode xattr");
+	return error;
+}
+
+#define xattr_check_inode(inode, header, end) \
+	__xattr_check_inode((inode), (header), (end), __func__, __LINE__)
+
 static inline int
 ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size)
 {
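Review bot: in __xattr_check_inode() the test `(void *) header >= end` only proves that the header starts before end, not that the whole struct ext4_xattr_ibody_header fits, so h_magic can still be read from bytes at or past end when the header begins in the last few bytes of the inode. Comparing the space left (end minus header) against sizeof(*header) would close that. Separately, h_magic is compared against le32_to_cpu(EXT4_XATTR_MAGIC); if h_magic is the on-disk little-endian field, the conversion that matches its type is cpu_to_le32(), which yields the same bits but keeps the endianness annotations consistent.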
@@ -368,7 +389,7 @@ ext4_xattr_ibody_get(struct inode *inode
 	header = IHDR(inode, raw_inode);
 	entry = IFIRST(header);
 	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
-	error = ext4_xattr_check_names(entry, end, entry);
+	error = xattr_check_inode(inode, header, end);
 	if (error)
 		goto cleanup;
 	error = xattr_find_entry(inode, &entry, end, name_index, name,
@@ -506,7 +527,7 @@ ext4_xattr_ibody_list(struct dentry *den
 	raw_inode = ext4_raw_inode(&iloc);
 	header = IHDR(inode, raw_inode);
 	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
-	error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
+	error = xattr_check_inode(inode, header, end);
 	if (error)
 		goto cleanup;
 	error = ext4_xattr_list_entries(dentry, IFIRST(header),
@@ -1038,8 +1059,7 @@ int ext4_xattr_ibody_find(struct inode *
 	is->s.here = is->s.first;
 	is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
 	if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
-		error = ext4_xattr_check_names(IFIRST(header), is->s.end,
-					       IFIRST(header));
+		error = xattr_check_inode(inode, header, is->s.end);
 		if (error)
 			return error;
 		/* Find the named attribute. */
@@ -1319,6 +1339,10 @@ retry:
 	last = entry;
 	total_ino = sizeof(struct ext4_xattr_ibody_header);
 
+	error = xattr_check_inode(inode, header, end);
+	if (error)
+		goto cleanup;
+
 	free = ext4_xattr_free_space(last, &min_offs, base, &total_ino);
 	if (free >= new_extra_isize) {
 		entry = IFIRST(header);



* [PATCH 3.16 050/366] 1wire: family module autoload fails because of upper/lower case mismatch.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 283/366] can: xilinx_can: fix recovery from error states not being propagated Ben Hutchings
                   ` (253 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Evgeniy Polyakov, Ingo Flaschberger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ingo Flaschberger <ingo.flaschberger@gmail.com>

commit 065c09563c872e52813a17218c52cd642be1dca6 upstream.

1wire family module autoload fails because of upper/lower
  case mismatch.

Signed-off-by: Ingo Flaschberger <ingo.flaschberger@gmail.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/w1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -727,7 +727,7 @@ int w1_attach_slave_device(struct w1_mas
 
 	/* slave modules need to be loaded in a context with unlocked mutex */
 	mutex_unlock(&dev->mutex);
-	request_module("w1-family-0x%02x", rn->family);
+	request_module("w1-family-0x%02X", rn->family);
 	mutex_lock(&dev->mutex);
 
 	spin_lock(&w1_flock);
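Review bot: the return value of request_module() is still discarded at this call, so a failed autoload, which is exactly the failure this patch addresses, leaves no trace in the log. Consider reporting a non-zero return. The commit message also does not say which side uses the upper-case form (presumably the aliases declared by the family modules); naming it would let a reader verify the `%02X` choice from the message alone.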



* [PATCH 3.16 084/366] IB/qib: Fix DMA api warning with debug kernel
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (329 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 062/366] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Ben Hutchings
                   ` (35 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Doug Ledford, Don Dutile, Alex Estrin, Mike Marciniszyn,
	Dennis Dalessandro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.

The following error occurs in a debug build when running MPI PSM:

[  307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
check_unmap+0x4ee/0xa20
[  307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
[  307.517494] Modules linked in:
[  307.531584]  ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
[  307.846113]  pps_core dm_mirror dm_region_hash dm_log dm_mod
[  307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
tainted 3.10.0-862.el7.x86_64.debug #1
[  307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
[  307.944206] Call Trace:
[  307.956973]  [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
[  307.982201]  [<ffffffffbd2a2f58>] __warn+0xd8/0x100
[  308.005999]  [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
[  308.034260]  [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
[  308.060801]  [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
[  308.090689]  [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
[  308.120155]  [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
[  308.146656]  [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
[  308.180739]  [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
[  308.210733]  [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
[  308.244837]  [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
[  308.266025] qib_ib0.8006: multicast join failed for
ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
[  308.323421]  [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
[  308.347077]  [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
[  308.372533]  [<ffffffffbd47045a>] SyS_write+0x8a/0x100
[  308.396456]  [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21

The code calls a qib_map_page() which has never correctly tested for a
mapping error.

Fix by testing for pci_dma_mapping_error() in all cases and properly
handling the failure in the caller.

Additionally, streamline qib_map_page() arguments to satisfy just
the single caller.

Reviewed-by: Alex Estrin <alex.estrin@intel.com>
Tested-by: Don Dutile <ddutile@redhat.com>
Reviewed-by: Don Dutile <ddutile@redhat.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/qib/qib.h            |  3 +--
 drivers/infiniband/hw/qib/qib_file_ops.c   | 10 +++++++---
 drivers/infiniband/hw/qib/qib_user_pages.c | 20 ++++++++++++--------
 3 files changed, 20 insertions(+), 13 deletions(-)

--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1452,8 +1452,7 @@ u64 qib_sps_ints(void);
 /*
  * dma_addr wrappers - all 0's invalid for hw
  */
-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
-			  size_t, int);
+int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
 const char *qib_get_unit_name(int unit);
 
 /*
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -359,6 +359,8 @@ static int qib_tid_update(struct qib_ctx
 		goto done;
 	}
 	for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
+		dma_addr_t daddr;
+
 		for (; ntids--; tid++) {
 			if (tid == tidcnt)
 				tid = 0;
@@ -375,12 +377,14 @@ static int qib_tid_update(struct qib_ctx
 			ret = -ENOMEM;
 			break;
 		}
+		ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
+		if (ret)
+			break;
+
 		tidlist[i] = tid + tidoff;
 		/* we "know" system pages and TID pages are same size */
 		dd->pageshadow[ctxttid + tid] = pagep[i];
-		dd->physshadow[ctxttid + tid] =
-			qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
-				     PCI_DMA_FROMDEVICE);
+		dd->physshadow[ctxttid + tid] = daddr;
 		/*
 		 * don't need atomic or it's overhead
 		 */
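Review bot: when qib_map_page() fails, the `break` leaves the loop before pagep[i] is recorded in dd->pageshadow and before tidlist[i] is set, so the cleanup after the loop (outside this hunk) has to release that page without relying on the shadow arrays. Please confirm it does, as it already must for the -ENOMEM break just above.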
--- a/drivers/infiniband/hw/qib/qib_user_pages.c
+++ b/drivers/infiniband/hw/qib/qib_user_pages.c
@@ -98,23 +98,27 @@ bail:
  *
  * I'm sure we won't be so lucky with other iommu's, so FIXME.
  */
-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
-			unsigned long offset, size_t size, int direction)
+int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
 {
 	dma_addr_t phys;
 
-	phys = pci_map_page(hwdev, page, offset, size, direction);
+	phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+	if (pci_dma_mapping_error(hwdev, phys))
+		return -ENOMEM;
 
-	if (phys == 0) {
-		pci_unmap_page(hwdev, phys, size, direction);
-		phys = pci_map_page(hwdev, page, offset, size, direction);
+	if (!phys) {
+		pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+		phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
+				    PCI_DMA_FROMDEVICE);
+		if (pci_dma_mapping_error(hwdev, phys))
+			return -ENOMEM;
 		/*
 		 * FIXME: If we get 0 again, we should keep this page,
 		 * map another, then free the 0 page.
 		 */
 	}
-
-	return phys;
+	*daddr = phys;
+	return 0;
 }
 
 /**
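Review bot: if the second pci_map_page() in the `if (!phys)` branch also returns 0, the function still stores 0 in *daddr and returns success, although the comment in qib.h says an all-zero address is invalid for the hardware. The FIXME acknowledges the case, but now that the function returns int it can simply fail there, for example by unmapping and returning -ENOMEM when phys is still 0 after the retry. The block comment above the function should also be updated to describe the new return convention and the daddr out-parameter.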



* [PATCH 3.16 139/366] l2tp: only accept PPP sessions in pppol2tp_connect()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (206 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 305/366] netlink: Don't shift with UB on nlk->ngroups Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard Ben Hutchings
                   ` (158 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658 upstream.

l2tp_session_priv() returns a struct pppol2tp_session pointer only for
PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
structure, which is much smaller than struct pppol2tp_session. This
leads to invalid memory dereference when trying to lock ps->sk_lock.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -756,6 +756,12 @@ static int pppol2tp_connect(struct socke
 	session = l2tp_session_get(sock_net(sk), tunnel, session_id, false);
 	if (session) {
 		drop_refcnt = true;
+
+		if (session->pwtype != L2TP_PWTYPE_PPP) {
+			error = -EPROTOTYPE;
+			goto end;
+		}
+
 		ps = l2tp_session_priv(session);
 
 		/* Using a pre-existing session is fine as long as it hasn't
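Review bot: the pwtype check carries no comment, and the reason it must precede l2tp_session_priv() is not visible in the code: per the commit message, the private area only holds a struct pppol2tp_session for PPP sessions. A short comment above `if (session->pwtype != L2TP_PWTYPE_PPP)` would keep a later reorder from reintroducing the bad dereference. Placing the check after `drop_refcnt = true` is the right order, since the reference taken by l2tp_session_get() is then flagged for release before the `goto end`.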



* [PATCH 3.16 089/366] Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (277 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() Ben Hutchings
                   ` (87 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Omar Sandoval, David Sterba, Nikolay Borisov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit 0552210997badb6a60740a26ff9d976a416510f0 upstream.

btrfs_free_extent() can fail because of ENOMEM. There's no reason to
panic here, we can just abort the transaction.

Fixes: f4b9aa8d3b87 ("btrfs_truncate")
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Also pass root to btrfs_abort_transaction()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4313,7 +4313,10 @@ delete:
 						extent_num_bytes, 0,
 						btrfs_header_owner(leaf),
 						ino, extent_offset, 0);
-			BUG_ON(ret);
+			if (ret) {
+				btrfs_abort_transaction(trans, root, ret);
+				break;
+			}
 		}
 
 		if (found_type == BTRFS_INODE_ITEM_KEY)
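Review bot: after btrfs_abort_transaction() the `break` leaves the loop with the error held only in ret; please confirm that the code after the loop returns this value and does not overwrite it or return a separate error variable, otherwise the caller sees success for a transaction that was just aborted. This matters more in a backport, where the surrounding function may differ from upstream.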



* [PATCH 3.16 090/366] Btrfs: don't return ino to ino cache if inode item removal fails
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (153 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 040/366] powerpc/lib: Fix feature fixup test of external branch Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 003/366] staging: vt6656: Fix misleading indentation Ben Hutchings
                   ` (211 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Josef Bacik, David Sterba, Omar Sandoval

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit c08db7d8d295a4f3a10faaca376de011afff7950 upstream.

In btrfs_evict_inode(), if btrfs_truncate_inode_items() fails, the inode
item will still be in the tree but we still return the ino to the ino
cache. That will blow up later when someone tries to allocate that ino,
so don't return it to the cache.

Fixes: 581bb050941b ("Btrfs: Cache free inode numbers in memory")
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Pass inode, not btrfs_inode, to btrfs_orphan_del()
 - Pass btrfs_root, not btrfs_fs_info, to btrfs_free_block_rsv()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4908,13 +4908,18 @@ void btrfs_evict_inode(struct inode *ino
 		trans->block_rsv = rsv;
 
 		ret = btrfs_truncate_inode_items(trans, root, inode, 0, 0);
-		if (ret != -ENOSPC)
+		if (ret) {
+			trans->block_rsv = &root->fs_info->trans_block_rsv;
+			btrfs_end_transaction(trans, root);
+			btrfs_btree_balance_dirty(root);
+			if (ret != -ENOSPC) {
+				btrfs_orphan_del(NULL, inode);
+				btrfs_free_block_rsv(root, rsv);
+				goto no_delete;
+			}
+		} else {
 			break;
-
-		trans->block_rsv = &root->fs_info->trans_block_rsv;
-		btrfs_end_transaction(trans, root);
-		trans = NULL;
-		btrfs_btree_balance_dirty(root);
+		}
 	}
 
 	btrfs_free_block_rsv(root, rsv);
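Review bot: the rewrite drops `trans = NULL;` after btrfs_end_transaction(), so on the -ENOSPC retry path trans keeps pointing at an ended transaction until the top of the loop assigns it again. Keeping the reset costs nothing and turns any use before reassignment into an obvious NULL dereference instead of a use of a stale handle. The `else { break; }` arm could also be flattened by testing `if (!ret) break;` first, which would reduce the nesting of the error handling.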
@@ -4923,12 +4928,8 @@ void btrfs_evict_inode(struct inode *ino
 	 * Errors here aren't a big deal, it just means we leave orphan items
 	 * in the tree.  They will be cleaned up on the next mount.
 	 */
-	if (ret == 0) {
-		trans->block_rsv = root->orphan_block_rsv;
-		btrfs_orphan_del(trans, inode);
-	} else {
-		btrfs_orphan_del(NULL, inode);
-	}
+	trans->block_rsv = root->orphan_block_rsv;
+	btrfs_orphan_del(trans, inode);
 
 	trans->block_rsv = &root->fs_info->trans_block_rsv;
 	if (!(root == root->fs_info->tree_root ||



* [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 325/366] ceph: use lookup request to revalidate dentry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 193/366] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Ben Hutchings
                   ` (82 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Evgeniy Polyakov, Stefan Potyra, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Potyra <Stefan.Potyra@elektrobit.com>

commit 955bc61328dc0a297fb3baccd84e9d3aee501ed8 upstream.

According to the API, you may only call clk_get_rate() after actually
enabling it.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31")
Signed-off-by: Stefan Potyra <Stefan.Potyra@elektrobit.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/masters/mxc_w1.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/drivers/w1/masters/mxc_w1.c
+++ b/drivers/w1/masters/mxc_w1.c
@@ -111,6 +111,10 @@ static int mxc_w1_probe(struct platform_
 	if (IS_ERR(mdev->clk))
 		return PTR_ERR(mdev->clk);
 
+	err = clk_prepare_enable(mdev->clk);
+	if (err)
+		return err;
+
 	clkrate = clk_get_rate(mdev->clk);
 	if (clkrate < 10000000)
 		dev_warn(&pdev->dev,
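Review bot: enabling the clock this early, ahead of devm_ioremap_resource(), is what forces the new out_disable_clk unwind later in mxc_w1_probe(); moving the clk_get_rate() call and the rate check below the clk_prepare_enable() that was already in the function would satisfy the same API rule without adding an error path. If the early enable stays, the bare `return err` after clk_prepare_enable() could report the failure with dev_err.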
@@ -124,12 +128,10 @@ static int mxc_w1_probe(struct platform_
 
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	mdev->regs = devm_ioremap_resource(&pdev->dev, res);
-	if (IS_ERR(mdev->regs))
-		return PTR_ERR(mdev->regs);
-
-	err = clk_prepare_enable(mdev->clk);
-	if (err)
-		return err;
+	if (IS_ERR(mdev->regs)) {
+		err = PTR_ERR(mdev->regs);
+		goto out_disable_clk;
+	}
 
 	writeb(clkdiv - 1, mdev->regs + MXC_W1_TIME_DIVIDER);
 
@@ -141,8 +143,12 @@ static int mxc_w1_probe(struct platform_
 
 	err = w1_add_master_device(&mdev->bus_master);
 	if (err)
-		clk_disable_unprepare(mdev->clk);
+		goto out_disable_clk;
+
+	return 0;
 
+out_disable_clk:
+	clk_disable_unprepare(mdev->clk);
 	return err;
 }
 



* [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Ben Hutchings
                   ` (201 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rafael J . Wysocki, Hans de Goede, Thierry Reding

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70 upstream.

The LPSS PWM device on Bay Trail and Cherry Trail devices has a set
of private registers at offset 0x800, the current lpss_device_desc for
them already sets the LPSS_SAVE_CTX flag to have these saved/restored
over device-suspend, but the current lpss_device_desc was not setting
the prv_offset field, leading to the regular device registers getting
saved/restored instead.

This is causing the PWM controller to no longer work, resulting in a black
screen, after a suspend/resume on systems where the firmware clears the
APB clock and reset bits at offset 0x804.

This commit fixes this by properly setting prv_offset to 0x800 for
the PWM devices.

Fixes: e1c748179754 ("ACPI / LPSS: Add Intel BayTrail ACPI mode PWM")
Fixes: 1bfbd8eb8a7f ("ACPI / LPSS: Add ACPI IDs for Intel Braswell")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Rafael J . Wysocki <rjw@rjwysocki.net>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
[bwh: Backported to 3.16:
 - Drop changes for Braswell
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -150,6 +150,7 @@ static struct lpss_shared_clock pwm_cloc
 
 static struct lpss_device_desc byt_pwm_dev_desc = {
 	.clk_required = true,
+	.prv_offset = 0x800,
 	.save_ctx = true,
 	.shared_clock = &pwm_clock,
 };
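Review bot: 0x800 is a bare literal in byt_pwm_dev_desc; the commit message explains that it is the offset of the PWM block's private registers, and a named constant or a trailing comment on `.prv_offset = 0x800,` would carry that into the code. It would also help to note next to `.save_ctx = true,` that the flag depends on prv_offset being set, since that pairing is what was missed originally.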



* [PATCH 3.16 123/366] bnx2x: use the right constant
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 316/366] fix __legitimize_mnt()/mntput() race Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 046/366] ext4: do not update s_last_mounted of a frozen fs Ben Hutchings
                   ` (139 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Julia Lawall

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julia Lawall <Julia.Lawall@lip6.fr>

commit dd612f18a49b63af8b3a5f572d999bdb197385bc upstream.

Nearby code that also tests port suggests that the P0 constant should be
used when port is zero.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression e,e1;
@@

* e ? e1 : e1
// </smpl>

Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -581,7 +581,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
 	 * slots for the highest priority.
 	 */
 	REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
-		   NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+		   NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
 	/* Mapping between the CREDIT_WEIGHT registers and actual client
 	 * numbers
 	 */



* [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (319 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 271/366] scsi: qla2xxx: Return error when TMF returns Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 295/366] tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure Ben Hutchings
                   ` (45 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Suzuki K Poulose, Andrea Arcangeli, Linus Torvalds,
	Mike Rapoport, Arvind Yadav, Jia He, Claudio Imbrenda,
	Minchan Kim, Jia He

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia He <jia.he@hxt-semitech.com>

commit 1105a2fc022f3c7482e32faf516e8bc44095f778 upstream.

In our armv8a server(QDF2400), I noticed lots of WARN_ON caused by
PAGE_SIZE unaligned for rmap_item->address under memory pressure
tests(start 20 guests and run memhog in the host).

  WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8
  CPU: 4 PID: 4641 Comm: memhog Tainted: G        W 4.17.0-rc3+ #8
  Call trace:
   kvm_age_hva_handler+0xc0/0xc8
   handle_hva_to_gpa+0xa8/0xe0
   kvm_age_hva+0x4c/0xe8
   kvm_mmu_notifier_clear_flush_young+0x54/0x98
   __mmu_notifier_clear_flush_young+0x6c/0xa0
   page_referenced_one+0x154/0x1d8
   rmap_walk_ksm+0x12c/0x1d0
   rmap_walk+0x94/0xa0
   page_referenced+0x194/0x1b0
   shrink_page_list+0x674/0xc28
   shrink_inactive_list+0x26c/0x5b8
   shrink_node_memcg+0x35c/0x620
   shrink_node+0x100/0x430
   do_try_to_free_pages+0xe0/0x3a8
   try_to_free_pages+0xe4/0x230
   __alloc_pages_nodemask+0x564/0xdc0
   alloc_pages_vma+0x90/0x228
   do_anonymous_page+0xc8/0x4d0
   __handle_mm_fault+0x4a0/0x508
   handle_mm_fault+0xf8/0x1b0
   do_page_fault+0x218/0x4b8
   do_translation_fault+0x90/0xa0
   do_mem_abort+0x68/0xf0
   el0_da+0x24/0x28

In rmap_walk_ksm, the rmap_item->address might still have the
STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be
PAGE_SIZE aligned.  Thus it will cause exceptions in handle_hva_to_gpa
on arm64.

This patch fixes it by ignoring (not removing) the low bits of address
when doing rmap_walk_ksm.

IMO, it should be backported to stable tree.  the storm of WARN_ONs is
very easy for me to reproduce.  More than that, I watched a panic (not
reproducible) as follows:

  page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0
  flags: 0x1fffc00000000000()
  raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000
  raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000
  page dumped because: nonzero _refcount
  CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1
  Hardware name: <snip for confidential issues>
  Call trace:
    dump_backtrace+0x0/0x22c
    show_stack+0x24/0x2c
    dump_stack+0x8c/0xb0
    bad_page+0xf4/0x154
    free_pages_check_bad+0x90/0x9c
    free_pcppages_bulk+0x464/0x518
    free_hot_cold_page+0x22c/0x300
    __put_page+0x54/0x60
    unmap_stage2_range+0x170/0x2b4
    kvm_unmap_hva_handler+0x30/0x40
    handle_hva_to_gpa+0xb0/0xec
    kvm_unmap_hva_range+0x5c/0xd0

I even injected a fault on purpose in kvm_unmap_hva_range by setting
size=size-0x200, the call trace is similar as above.  So I thought the
panic is similarly caused by the root cause of WARN_ON.

Andrea said:

: It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would
: zap those bits and hide the misalignment caused by the low metadata
: bits being erroneously left set in the address, but the arm code
: notices when that's the last page in the memslot and the hva_end is
: getting aligned and the size is below one page.
:
: I think the problem triggers in the addr += PAGE_SIZE of
: unmap_stage2_ptes that never matches end because end is aligned but
: addr is not.
:
: 	} while (pte++, addr += PAGE_SIZE, addr != end);
:
: x86 again only works on hva_start/hva_end after converting it to
: gfn_start/end and that being in pfn units the bits are zapped before
: they risk to cause trouble.

Jia He said:

: I've tested by myself in arm64 server (QDF2400,46 cpus,96G mem) Without
: this patch, the WARN_ON is very easy for reproducing.  After this patch, I
: have run the same benchmark for a whole day without any WARN_ONs

Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.com
Signed-off-by: Jia He <jia.he@hxt-semitech.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Tested-by: Jia He <hejianet@gmail.com>
Cc: Suzuki K Poulose <Suzuki.Poulose@arm.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/ksm.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -181,6 +181,8 @@ struct rmap_item {
 #define SEQNR_MASK	0x0ff	/* low bits of unstable tree seqnr */
 #define UNSTABLE_FLAG	0x100	/* is a node of the unstable tree */
 #define STABLE_FLAG	0x200	/* is listed from the stable tree */
+#define KSM_FLAG_MASK	(SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG)
+				/* to mask all the flags */
 
 /* The stable and unstable tree heads */
 static struct rb_root one_stable_tree[1] = { RB_ROOT };
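Review bot: KSM_FLAG_MASK works out to 0x3ff, so clearing it from rmap_item->address only yields a page-aligned value while PAGE_SIZE is at least 0x400, and that assumption is not stated next to the define. The trailing comment also sits on its own continuation line, where it reads as detached from the macro; consider putting a single comment above the define that says the flags live in the sub-page bits of the address, or clearing the bits with PAGE_MASK at the use site.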
@@ -1919,10 +1921,15 @@ again:
 		anon_vma_lock_read(anon_vma);
 		anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
 					       0, ULONG_MAX) {
+			unsigned long addr;
+
 			cond_resched();
 			vma = vmac->vma;
-			if (rmap_item->address < vma->vm_start ||
-			    rmap_item->address >= vma->vm_end)
+
+			/* Ignore the stable/unstable/sqnr flags */
+			addr = rmap_item->address & ~KSM_FLAG_MASK;
+
+			if (addr < vma->vm_start || addr >= vma->vm_end)
 				continue;
 			/*
 			 * Initially we examine only the vma which covers this
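Review bot: addr depends only on rmap_item->address, yet it is declared and recomputed inside anon_vma_interval_tree_foreach for every vmac; computing it once before the walk would make it obvious that the same masked value is used for the range check and for the later rmap_one call. The new comment also spells the sequence number as "sqnr" while the macro is SEQNR_MASK; "seqnr" would match.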
@@ -1936,8 +1943,7 @@ again:
 			if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 				continue;
 
-			ret = rwc->rmap_one(page, vma,
-					rmap_item->address, rwc->arg);
+			ret = rwc->rmap_one(page, vma, addr, rwc->arg);
 			if (ret != SWAP_AGAIN) {
 				anon_vma_unlock_read(anon_vma);
 				goto out;



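The failure mode Andrea describes in the message above, as an added example that is not part of the patch or of the kernel source: a simplified user-space model of a page walk whose exit test is `addr != end`, fed an rmap address with and without the KSM flag bits. The 4 KiB page size, the `struct slot` clamp, the step cap and the sample addresses are assumptions constructed for the illustration.

```c
#include <stdio.h>

/* Flag values copied from the mm/ksm.c hunk in the patch above. */
#define SEQNR_MASK	0x0ff
#define UNSTABLE_FLAG	0x100
#define STABLE_FLAG	0x200
#define KSM_FLAG_MASK	(SEQNR_MASK | UNSTABLE_FLAG | STABLE_FLAG)

#define PAGE_SIZE	4096UL	/* assumption: 4 KiB pages */
#define STEP_CAP	16	/* assumption: stop the model instead of spinning */

/* Hypothetical stand-in for a memslot: [start, end), both page aligned. */
struct slot {
	unsigned long start, end;
};

/* Constructed sample slot covering four pages. */
static const struct slot demo_slot = { 0x40000000UL, 0x40004000UL };

/*
 * Model of the loop shape quoted in the commit message:
 *	} while (pte++, addr += PAGE_SIZE, addr != end);
 * Returns the number of pages visited, or -1 when addr stepped past end
 * without ever being equal to it (the real loop would keep going).
 */
static int walk(unsigned long addr, unsigned long end)
{
	int steps = 0;

	do {
		if (++steps > STEP_CAP)
			return -1;
	} while (addr += PAGE_SIZE, addr != end);
	return steps;
}

/*
 * Model of unmapping the single page named by an rmap address: the range
 * [addr, addr + PAGE_SIZE) is clamped to the slot and then walked.
 * mask_flags selects the patched behaviour (flag bits cleared first).
 */
static int unmap_one(unsigned long raw, int mask_flags, struct slot s)
{
	unsigned long addr = mask_flags ? (raw & ~KSM_FLAG_MASK) : raw;
	unsigned long start = addr;
	unsigned long end = addr + PAGE_SIZE;

	if (start < s.start)
		start = s.start;
	if (end > s.end)
		end = s.end;	/* last page: end becomes aligned, start is not */
	if (start >= end)
		return 0;
	return walk(start, end);
}

int main(void)
{
	unsigned long last = 0x40003000UL | STABLE_FLAG;	/* last page of slot */
	unsigned long mid  = 0x40001000UL | STABLE_FLAG;	/* interior page */

	printf("last page, raw address:    %d\n", unmap_one(last, 0, demo_slot));
	printf("last page, masked address: %d\n", unmap_one(last, 1, demo_slot));
	printf("interior page, raw:        %d\n", unmap_one(mid, 0, demo_slot));
	return 0;
}
```

For an interior page the unaligned start and end are both off by the same flag bits, so the walk still terminates after one step and the misalignment goes unnoticed; only the clamped last page of the slot exposes it.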
* [PATCH 3.16 058/366] ALSA: core: Assure control device to be registered at last
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 056/366] mfd: tps65911-comparator: Fix an off by one bug Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 092/366] media: uvcvideo: Support realtek's UVC 1.5 device Ben Hutchings
                   ` (288 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tzung-Bi Shih, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit dc82e52492f684dcd5ed9e4773e72dbf2203d75e upstream.

The commit 289ca025ee1d ("ALSA: Use priority list for managing device
list") changed the way to register/disconnect/free devices via a
single priority list.  This helped to make behavior consistent, but it
also introduced a slight behavior change: namely, the control device is
registered earlier than others, while it was supposed to be the very
last one.

I've put SNDRV_DEV_CONTROL in the current position as the release of
ctl elements often conflict with the private ctl elements some PCM or
other components may create, which often leads to a double-free.
But, the order of register and disconnect should be indeed fixed as
expected in the early days: the control device gets registered at
last, and disconnected at first.

This patch changes the priority list order to move SNDRV_DEV_CONTROL
as the last guy to assure the register / disconnect order.  Meanwhile,
for keeping the messy resource release order, manually treat the
control and lowlevel devices as last freed one.

Additional note:
The lowlevel device is the device where a card driver creates at
probe.  And, we still keep the release order control -> lowlevel, as
there might be a link from a control element back to a lowlevel object.

Fixes: 289ca025ee1d ("ALSA: Use priority list for managing device list")
Reported-by: Tzung-Bi Shih <tzungbi@google.com>
Tested-by: Tzung-Bi Shih <tzungbi@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/sound/core.h | 2 +-
 sound/core/device.c  | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/include/sound/core.h
+++ b/include/sound/core.h
@@ -51,7 +51,6 @@ struct completion;
  */
 enum snd_device_type {
 	SNDRV_DEV_LOWLEVEL,
-	SNDRV_DEV_CONTROL,
 	SNDRV_DEV_INFO,
 	SNDRV_DEV_BUS,
 	SNDRV_DEV_CODEC,
@@ -62,6 +61,7 @@ enum snd_device_type {
 	SNDRV_DEV_SEQUENCER,
 	SNDRV_DEV_HWDEP,
 	SNDRV_DEV_JACK,
+	SNDRV_DEV_CONTROL,	/* NOTE: this must be the last one */
 };
 
 enum snd_device_state {
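Review bot: the ordering requirement on SNDRV_DEV_CONTROL is carried only by the "this must be the last one" comment at the end of enum snd_device_type, so a later patch that appends a new type after it would silently change the register and disconnect order again. Consider a sentinel enumerator after it with a compile-time check, or at least expand the comment to say why it must stay last (registered last, disconnected first).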
--- a/sound/core/device.c
+++ b/sound/core/device.c
@@ -219,6 +219,15 @@ void snd_device_free_all(struct snd_card
 
 	if (snd_BUG_ON(!card))
 		return;
+	list_for_each_entry_safe_reverse(dev, next, &card->devices, list) {
+		/* exception: free ctl and lowlevel stuff later */
+		if (dev->type == SNDRV_DEV_CONTROL ||
+		    dev->type == SNDRV_DEV_LOWLEVEL)
+			continue;
+		__snd_device_free(dev);
+	}
+
+	/* free all */
 	list_for_each_entry_safe_reverse(dev, next, &card->devices, list)
 		__snd_device_free(dev);
 }
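Review bot: the "/* free all */" comment above the second list_for_each_entry_safe_reverse() in snd_device_free_all() is misleading, because by then only the SNDRV_DEV_CONTROL and SNDRV_DEV_LOWLEVEL entries skipped by the first loop remain. The control-before-lowlevel release order that the commit message relies on also comes implicitly from the reverse walk over the list; a comment such as "free the remaining ctl, then lowlevel" would state that dependency for whoever next touches the list order.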



* [PATCH 3.16 227/366] smsc75xx: Add workaround for gigabit link up hardware errata.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 097/366] mtd: cfi_cmdset_0002: Change definition naming to retry write operation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 163/366] xen-netfront: fix locking in connect error path Ben Hutchings
                   ` (238 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Yuiko Oshino

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yuiko Oshino <yuiko.oshino@microchip.com>

commit d461e3da905332189aad546b2ad9adbe6071c7cc upstream.

In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state.

Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices")
Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/usb/smsc75xx.c | 62 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

--- a/drivers/net/usb/smsc75xx.c
+++ b/drivers/net/usb/smsc75xx.c
@@ -81,6 +81,9 @@ static bool turbo_mode = true;
 module_param(turbo_mode, bool, 0644);
 MODULE_PARM_DESC(turbo_mode, "Enable multiple frames per Rx transaction");
 
+static int smsc75xx_link_ok_nopm(struct usbnet *dev);
+static int smsc75xx_phy_gig_workaround(struct usbnet *dev);
+
 static int __must_check __smsc75xx_read_reg(struct usbnet *dev, u32 index,
 					    u32 *data, int in_pm)
 {
@@ -840,6 +843,9 @@ static int smsc75xx_phy_initialize(struc
 		return -EIO;
 	}
 
+	/* phy workaround for gig link */
+	smsc75xx_phy_gig_workaround(dev);
+
 	smsc75xx_mdio_write(dev->net, dev->mii.phy_id, MII_ADVERTISE,
 		ADVERTISE_ALL | ADVERTISE_CSMA | ADVERTISE_PAUSE_CAP |
 		ADVERTISE_PAUSE_ASYM);
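Review bot: the return value of smsc75xx_phy_gig_workaround(dev) is dropped in smsc75xx_phy_initialize(), although the helper returns -EIO or a register access error on every failure path. Either propagate the error here, or make the helper void and say in the comment that a failed workaround is deliberately non-fatal.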
@@ -977,6 +983,62 @@ static int smsc75xx_wait_ready(struct us
 	return -EIO;
 }
 
+static int smsc75xx_phy_gig_workaround(struct usbnet *dev)
+{
+	struct mii_if_info *mii = &dev->mii;
+	int ret = 0, timeout = 0;
+	u32 buf, link_up = 0;
+
+	/* Set the phy in Gig loopback */
+	smsc75xx_mdio_write(dev->net, mii->phy_id, MII_BMCR, 0x4040);
+
+	/* Wait for the link up */
+	do {
+		link_up = smsc75xx_link_ok_nopm(dev);
+		usleep_range(10000, 20000);
+		timeout++;
+	} while ((!link_up) && (timeout < 1000));
+
+	if (timeout >= 1000) {
+		netdev_warn(dev->net, "Timeout waiting for PHY link up\n");
+		return -EIO;
+	}
+
+	/* phy reset */
+	ret = smsc75xx_read_reg(dev, PMT_CTL, &buf);
+	if (ret < 0) {
+		netdev_warn(dev->net, "Failed to read PMT_CTL: %d\n", ret);
+		return ret;
+	}
+
+	buf |= PMT_CTL_PHY_RST;
+
+	ret = smsc75xx_write_reg(dev, PMT_CTL, buf);
+	if (ret < 0) {
+		netdev_warn(dev->net, "Failed to write PMT_CTL: %d\n", ret);
+		return ret;
+	}
+
+	timeout = 0;
+	do {
+		usleep_range(10000, 20000);
+		ret = smsc75xx_read_reg(dev, PMT_CTL, &buf);
+		if (ret < 0) {
+			netdev_warn(dev->net, "Failed to read PMT_CTL: %d\n",
+				    ret);
+			return ret;
+		}
+		timeout++;
+	} while ((buf & PMT_CTL_PHY_RST) && (timeout < 100));
+
+	if (timeout >= 100) {
+		netdev_warn(dev->net, "timeout waiting for PHY Reset\n");
+		return -EIO;
+	}
+
+	return 0;
+}
+
 static int smsc75xx_reset(struct usbnet *dev)
 {
 	struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
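Review bot: in smsc75xx_phy_gig_workaround() the first wait loop decides failure with "if (timeout >= 1000)" rather than by looking at link_up, so a link that comes up on the thousandth poll is still reported as a timeout; testing "!link_up" after the loop avoids that. link_up is declared u32 but is assigned from smsc75xx_link_ok_nopm(), which is declared to return int, so a negative error from it would be treated as link up. The loop also sleeps once more after the link is already up, and the 0x4040 written to MII_BMCR would read better as BMCR_LOOPBACK | BMCR_SPEED1000.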



* [PATCH 3.16 137/366] mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 332/366] HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 073/366] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation Ben Hutchings
                   ` (363 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Daniel Jordan, Hugh Dickins, Huang, Ying

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit 955c97f0859abef698e77f5697f5c4008303abb9 upstream.

Commit 570a335b8e22 ("swap_info: swap count continuations") introduces
COUNT_CONTINUED but refers to it incorrectly as SWAP_HAS_CONT in a
comment in swap_count.  Fix it.

Link: http://lkml.kernel.org/r/20180612175919.30413-1-daniel.m.jordan@oracle.com
Fixes: 570a335b8e22 ("swap_info: swap count continuations")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/swapfile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -88,7 +88,7 @@ static atomic_t proc_poll_event = ATOMIC
 
 static inline unsigned char swap_count(unsigned char ent)
 {
-	return ent & ~SWAP_HAS_CACHE;	/* may include SWAP_HAS_CONT flag */
+	return ent & ~SWAP_HAS_CACHE;	/* may include COUNT_CONTINUED flag */
 }
 
 /* returns 1 if swap entry is freed */



* [PATCH 3.16 228/366] USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 360/366] perf tools: Fix snprint warnings for gcc 8 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 334/366] HID: clamp input to logical range if no null state Ben Hutchings
                   ` (265 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Olli Salonen, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Olli Salonen <olli.salonen@iki.fi>

commit 367b160fe4717c14a2a978b6f9ffb75a7762d3ed upstream.

There are two versions of the Qivicon Zigbee stick in circulation. This
adds the second USB ID to the cp210x driver.

Signed-off-by: Olli Salonen <olli.salonen@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -145,6 +145,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8977) },	/* CEL MeshWorks DevKit Device */
 	{ USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
 	{ USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
+	{ USB_DEVICE(0x10C4, 0x89FB) }, /* Qivicon ZigBee USB Radio Stick */
 	{ USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
 	{ USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
 	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
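Review bot: the new 0x89FB entry carries exactly the same comment, "Qivicon ZigBee USB Radio Stick", as the existing 0x8B34 entry two lines below it, so the table no longer tells a reader which hardware revision each ID belongs to. Since the commit message says there are two versions in circulation, a short qualifier in one or both comments would keep the entries distinguishable.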



* [PATCH 3.16 059/366] media: smiapp: fix timeout checking in smiapp_read_nvm
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 269/366] net: cxgb3_main: fix potential Spectre v1 Ben Hutchings
                   ` (199 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Colin Ian King

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 7a2148dfda8001c983f0effd9afd8a7fa58e99c4 upstream.

The current code decrements the timeout counter i and at the end of
each loop i is incremented, so the check for timeout will always
be false and hence the timeout mechanism is just a dead code path.
Potentially, if the RD_READY bit is not set, we could end up in
an infinite loop.

Fix this so the timeout starts from 1000 and decrements to zero,
if at the end of the loop i is zero we have a timeout condition.

Detected by CoverityScan, CID#1324008 ("Logically dead code")

Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/smiapp/smiapp-core.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/media/i2c/smiapp/smiapp-core.c
+++ b/drivers/media/i2c/smiapp/smiapp-core.c
@@ -899,7 +899,7 @@ static int smiapp_read_nvm(struct smiapp
 		if (rval)
 			goto out;
 
-		for (i = 0; i < 1000; i++) {
+		for (i = 1000; i > 0; i--) {
 			rval = smiapp_read(
 				sensor,
 				SMIAPP_REG_U8_DATA_TRANSFER_IF_1_STATUS, &s);
@@ -910,11 +910,10 @@ static int smiapp_read_nvm(struct smiapp
 			if (s & SMIAPP_DATA_TRANSFER_IF_1_STATUS_RD_READY)
 				break;
 
-			if (--i == 0) {
-				rval = -ETIMEDOUT;
-				goto out;
-			}
-
+		}
+		if (!i) {
+			rval = -ETIMEDOUT;
+			goto out;
 		}
 
 		for (i = 0; i < SMIAPP_NVM_PAGE_SIZE; i++) {
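Review bot: removing the in-loop timeout block leaves the blank context line directly in front of the new closing brace of the polling loop, and the "if (!i)" check then follows that brace with no separating line, so the loop body now ends on an empty line. Dropping the blank line and putting one between the loop and the timeout check would match the surrounding style. The logic itself holds: a break on the final pass leaves i at 1, so only a fully exhausted loop reaches -ETIMEDOUT.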



* [PATCH 3.16 125/366] mm: /proc/pid/pagemap: hide swap entries from unprivileged users
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 055/366] mfd: tps65911-comparator: Fix a build error Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 288/366] fscache: Allow cancelled operations to be enqueued Ben Hutchings
                   ` (321 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Zi Yan, Daniel Colascione, Andrei Vagin,
	Naoya Horiguchi, Huang Ying, Jerome Glisse,
	Konstantin Khlebnikov, Michal Hocko, Kirill A. Shutemov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huang Ying <ying.huang@intel.com>

commit ab6ecf247a9321e3180e021a6a60164dee53ab2e upstream.

In commit ab676b7d6fbf ("pagemap: do not leak physical addresses to
non-privileged userspace"), the /proc/PID/pagemap is restricted to be
readable only by CAP_SYS_ADMIN to address some security issue.

In commit 1c90308e7a77 ("pagemap: hide physical addresses from
non-privileged users"), the restriction is relieved to make
/proc/PID/pagemap readable, but hide the physical addresses for
non-privileged users.

But the swap entries are readable for non-privileged users too.  This
has some security issues.  For example, for page under migrating, the
swap entry has physical address information.  So, in this patch, the
swap entries are hidden for non-privileged users too.

Link: http://lkml.kernel.org/r/20180508012745.7238-1-ying.huang@intel.com
Fixes: 1c90308e7a77 ("pagemap: hide physical addresses from non-privileged users")
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Andrei Vagin <avagin@openvz.org>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Daniel Colascione <dancol@google.com>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Only PTEs can be swap entries
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -938,8 +938,9 @@ static void pte_to_pagemap_entry(pagemap
 		if (pte_swp_soft_dirty(pte))
 			flags2 |= __PM_SOFT_DIRTY;
 		entry = pte_to_swp_entry(pte);
-		frame = swp_type(entry) |
-			(swp_offset(entry) << MAX_SWAPFILES_SHIFT);
+		if (pm->show_pfn)
+			frame = swp_type(entry) |
+				(swp_offset(entry) << MAX_SWAPFILES_SHIFT);
 		flags = PM_SWAP;
 		if (is_migration_entry(entry))
 			page = migration_entry_to_page(entry);
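Review bot: with the assignment now guarded by "if (pm->show_pfn)", frame keeps whatever value it had on entry to the swap branch of pte_to_pagemap_entry() when the reader is unprivileged, and its initialisation is outside this hunk. Please confirm it is initialised to 0 at declaration in the 3.16 version of the function, or add an explicit else branch, since an uninitialised frame here would replace the leak being closed with a different one.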



* [PATCH 3.16 234/366] cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 331/366] leds: do not overflow sysfs buffer in led_trigger_show Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval Ben Hutchings
                   ` (136 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steve French, Stefano Brivio, Aurélien Aptel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit 729c0c9dd55204f0c9a823ac8a7bfa83d36c7e78 upstream.

smb{2,3}_create_lease_buf() store a lease key in the lease
context for later usage on a lease break.

In most paths, the key is currently sourced from data that
happens to be on the stack near local variables for oplock in
SMB2_open() callers, e.g. from open_shroot(), whereas
smb2_open_file() properly allocates space on its stack for it.

The address of those local variables holding the oplock is then
passed to create_lease_buf handlers via SMB2_open(), and 16
bytes near oplock are used. This causes a stack out-of-bounds
access as reported by KASAN on SMB2.1 and SMB3 mounts (first
out-of-bounds access is shown here):

[  111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
[  111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
[  111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  111.536838] Call Trace:
[  111.537528]  dump_stack+0xc2/0x16b
[  111.540890]  print_address_description+0x6a/0x270
[  111.542185]  kasan_report+0x258/0x380
[  111.544701]  smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.546134]  SMB2_open+0x1ef8/0x4b70 [cifs]
[  111.575883]  open_shroot+0x339/0x550 [cifs]
[  111.591969]  smb3_qfs_tcon+0x32c/0x1e60 [cifs]
[  111.617405]  cifs_mount+0x4f3/0x2fc0 [cifs]
[  111.674332]  cifs_smb3_do_mount+0x263/0xf10 [cifs]
[  111.677915]  mount_fs+0x55/0x2b0
[  111.679504]  vfs_kern_mount.part.22+0xaa/0x430
[  111.684511]  do_mount+0xc40/0x2660
[  111.698301]  ksys_mount+0x80/0xd0
[  111.701541]  do_syscall_64+0x14e/0x4b0
[  111.711807]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  111.713665] RIP: 0033:0x7f372385b5fa
[  111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
[  111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
[  111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
[  111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
[  111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
[  111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000

[  111.735448] The buggy address belongs to the page:
[  111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  111.739890] flags: 0x17ffffc0000000()
[  111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
[  111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  111.746679] page dumped because: kasan: bad access detected

[  111.750482] Memory state around the buggy address:
[  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
[  111.759801]                                               ^
[  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.766913] ==================================================================

Lease keys are however already generated and stored in fid data
on open and create paths: pass them down to the lease context
creation handlers and use them.

Suggested-by: Aurélien Aptel <aaptel@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Fixes: b8c32dbb0deb ("CIFS: Request SMB2.1 leases")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h |  2 +-
 fs/cifs/smb2file.c | 11 ++++-------
 fs/cifs/smb2ops.c  |  9 +++------
 fs/cifs/smb2pdu.c  |  7 ++++---
 fs/cifs/smb2pdu.h  |  6 ++----
 5 files changed, 14 insertions(+), 21 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -381,7 +381,7 @@ struct smb_version_operations {
 	void (*set_oplock_level)(struct cifsInodeInfo *, __u32, unsigned int,
 				 bool *);
 	/* create lease context buffer for CREATE request */
-	char * (*create_lease_buf)(u8 *, u8);
+	char * (*create_lease_buf)(u8 *lease_key, u8 oplock);
 	/* parse lease context buffer and return oplock/epoch info */
 	__u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey);
 	int (*clone_range)(const unsigned int, struct cifsFileInfo *src_file,
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -41,7 +41,7 @@ smb2_open_file(const unsigned int xid, s
 	int rc;
 	__le16 *smb2_path;
 	struct smb2_file_all_info *smb2_data = NULL;
-	__u8 smb2_oplock[17];
+	__u8 smb2_oplock;
 	struct cifs_fid *fid = oparms->fid;
 
 	smb2_path = cifs_convert_path_to_utf16(oparms->path, oparms->cifs_sb);
@@ -58,12 +58,9 @@ smb2_open_file(const unsigned int xid, s
 	}
 
 	oparms->desired_access |= FILE_READ_ATTRIBUTES;
-	*smb2_oplock = SMB2_OPLOCK_LEVEL_BATCH;
+	smb2_oplock = SMB2_OPLOCK_LEVEL_BATCH;
 
-	if (oparms->tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_LEASING)
-		memcpy(smb2_oplock + 1, fid->lease_key, SMB2_LEASE_KEY_SIZE);
-
-	rc = SMB2_open(xid, oparms, smb2_path, smb2_oplock, smb2_data, NULL);
+	rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL);
 	if (rc)
 		goto out;
 
@@ -80,7 +77,7 @@ smb2_open_file(const unsigned int xid, s
 		move_smb2_info_to_cifs(buf, smb2_data);
 	}
 
-	*oplock = *smb2_oplock;
+	*oplock = smb2_oplock;
 out:
 	kfree(smb2_data);
 	kfree(smb2_path);
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1072,8 +1072,7 @@ smb2_create_lease_buf(u8 *lease_key, u8
 	if (!buf)
 		return NULL;
 
-	buf->lcontext.LeaseKeyLow = cpu_to_le64(*((u64 *)lease_key));
-	buf->lcontext.LeaseKeyHigh = cpu_to_le64(*((u64 *)(lease_key + 8)));
+	memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
 	buf->lcontext.LeaseState = map_oplock_to_lease(oplock);
 
 	buf->ccontext.DataOffset = cpu_to_le16(offsetof
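Review bot: replacing the two cpu_to_le64(*((u64 *)...)) loads with memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE) in smb2_create_lease_buf() also changes the bytes sent on big-endian hosts, where the old code byte-swapped each half of the key and the new code copies it verbatim. That matches what the parse side already does with its memcpy, so it looks like the right behaviour, but the changelog only mentions the out-of-bounds read; a sentence noting the endianness change would help anyone bisecting on such a machine. The same applies to the identical change in smb3_create_lease_buf().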
@@ -1099,8 +1098,7 @@ smb3_create_lease_buf(u8 *lease_key, u8
 	if (!buf)
 		return NULL;
 
-	buf->lcontext.LeaseKeyLow = cpu_to_le64(*((u64 *)lease_key));
-	buf->lcontext.LeaseKeyHigh = cpu_to_le64(*((u64 *)(lease_key + 8)));
+	memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
 	buf->lcontext.LeaseState = map_oplock_to_lease(oplock);
 
 	buf->ccontext.DataOffset = cpu_to_le16(offsetof
@@ -1137,8 +1135,7 @@ smb3_parse_lease_buf(void *buf, unsigned
 	if (lc->lcontext.LeaseFlags & SMB2_LEASE_FLAG_BREAK_IN_PROGRESS)
 		return SMB2_OPLOCK_LEVEL_NOCHANGE;
 	if (lease_key)
-		memcpy(lease_key, &lc->lcontext.LeaseKeyLow,
-		       SMB2_LEASE_KEY_SIZE);
+		memcpy(lease_key, &lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
 	return le32_to_cpu(lc->lcontext.LeaseState);
 }
 
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1084,12 +1084,12 @@ parse_lease_state(struct TCP_Server_Info
 
 static int
 add_lease_context(struct TCP_Server_Info *server, struct kvec *iov,
-		  unsigned int *num_iovec, __u8 *oplock)
+		  unsigned int *num_iovec, u8 *lease_key, __u8 *oplock)
 {
 	struct smb2_create_req *req = iov[0].iov_base;
 	unsigned int num = *num_iovec;
 
-	iov[num].iov_base = server->ops->create_lease_buf(oplock+1, *oplock);
+	iov[num].iov_base = server->ops->create_lease_buf(lease_key, *oplock);
 	if (iov[num].iov_base == NULL)
 		return -ENOMEM;
 	iov[num].iov_len = server->vals->create_lease_size;
@@ -1212,7 +1212,8 @@ SMB2_open(const unsigned int xid, struct
 	    *oplock == SMB2_OPLOCK_LEVEL_NONE)
 		req->RequestedOplockLevel = *oplock;
 	else {
-		rc = add_lease_context(server, iov, &num_iovecs, oplock);
+		rc = add_lease_context(server, iov, &num_iovecs,
+				       oparms->fid->lease_key, oplock);
 		if (rc) {
 			cifs_small_buf_release(req);
 			kfree(copy_path);
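Review bot: SMB2_open() now dereferences oparms->fid->lease_key unconditionally on the lease path, so every caller that can reach add_lease_context() must have set oparms->fid; the visible lines do not show that being checked. It would be worth confirming this for all SMB2_open() callers in the 3.16 tree as part of the backport. In the new add_lease_context() prototype, lease_key is only read and could be const u8 *, and the signature mixes u8 and __u8 for adjacent parameters.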
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -510,16 +510,14 @@ struct create_context {
 #define SMB2_LEASE_KEY_SIZE 16
 
 struct lease_context {
-	__le64 LeaseKeyLow;
-	__le64 LeaseKeyHigh;
+	u8 LeaseKey[SMB2_LEASE_KEY_SIZE];
 	__le32 LeaseState;
 	__le32 LeaseFlags;
 	__le64 LeaseDuration;
 } __packed;
 
 struct lease_context_v2 {
-	__le64 LeaseKeyLow;
-	__le64 LeaseKeyHigh;
+	u8 LeaseKey[SMB2_LEASE_KEY_SIZE];
 	__le32 LeaseState;
 	__le32 LeaseFlags;
 	__le64 LeaseDuration;



* [PATCH 3.16 060/366] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (279 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 294/366] ring_buffer: tracing: Inherit the tracing setting to next ring buffer Ben Hutchings
                   ` (85 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen, Jens Remus

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit df30781699f53e4fd4c494c6f7dd16e3d5c21d30 upstream.

For problem determination we need to see whether and why we were successful
or not. This allows deduction of scsi_eh escalation.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : schrh_r        SCSI host reset handler result
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0xffffffff                             none (invalid)
SCSI LUN       : 0xffffffff                             none (invalid)
SCSI LUN high  : 0xffffffff                             none (invalid)
SCSI result    : 0x00002002     field re-used for midlayer value: SUCCESS
                                or in other cases: 0x2009 == FAST_IO_FAIL
SCSI retries   : 0xff                                   none (invalid)
SCSI allowed   : 0xff                                   none (invalid)
SCSI scribble  : 0xffffffffffffffff                     none (invalid)
SCSI opcode    : ffffffff ffffffff ffffffff ffffffff    none (invalid)
FCP rsp inf cod: 0xff                                   none (invalid)
FCP rsp IU     : 00000000 00000000 00000000 00000000    none (invalid)
                 00000000 00000000

v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from
fc_block_scsi_eh to scsi eh") introduced the first return with something
other than the previously hardcoded single SUCCESS return path.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: Drop assignment to zfcp_dbf_scsi::scsi_lun_64_hi
 which doesn't exist here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -624,6 +624,45 @@ void zfcp_dbf_scsi(char *tag, int level,
 	spin_unlock_irqrestore(&dbf->scsi_lock, flags);
 }
 
+/**
+ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
+ * @tag: Identifier for event.
+ * @adapter: Pointer to zfcp adapter as context for this event.
+ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
+ * @ret: Return value of calling function.
+ *
+ * This SCSI trace variant does not depend on any of:
+ * scsi_cmnd, zfcp_fsf_req, scsi_device.
+ */
+void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+		      unsigned int scsi_id, int ret)
+{
+	struct zfcp_dbf *dbf = adapter->dbf;
+	struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
+	unsigned long flags;
+	static int const level = 1;
+
+	if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
+		return;
+
+	spin_lock_irqsave(&dbf->scsi_lock, flags);
+	memset(rec, 0, sizeof(*rec));
+
+	memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
+	rec->id = ZFCP_DBF_SCSI_CMND;
+	rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
+	rec->scsi_retries = ~0;
+	rec->scsi_allowed = ~0;
+	rec->fcp_rsp_info = ~0;
+	rec->scsi_id = scsi_id;
+	rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
+	rec->host_scribble = ~0;
+	memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
+
+	debug_event(dbf->scsi, level, rec, sizeof(*rec));
+	spin_unlock_irqrestore(&dbf->scsi_lock, flags);
+}
+
 static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
 {
 	struct debug_info *d;
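Review bot: In zfcp_dbf_scsi_eh(), memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN) always reads ZFCP_DBF_TAG_LEN bytes from the caller's string, so a tag literal shorter than that would be over-read; the kernel-doc line for @tag should state the required length, or the copy should be bounded by the string's own length. Minor style point in the same function: the level check dereferences adapter->dbf->scsi although the local dbf already holds adapter->dbf, so debug_level_enabled(dbf->scsi, level) would match the rest of the body.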
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -52,6 +52,8 @@ extern void zfcp_dbf_san_res(char *, str
 extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
 			  struct zfcp_fsf_req *);
+extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+			     unsigned int scsi_id, int ret);
 
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -343,15 +343,16 @@ static int zfcp_scsi_eh_host_reset_handl
 {
 	struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
 	struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
-	int ret;
+	int ret = SUCCESS, fc_ret;
 
 	zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
 	zfcp_erp_wait(adapter);
-	ret = fc_block_scsi_eh(scpnt);
-	if (ret)
-		return ret;
+	fc_ret = fc_block_scsi_eh(scpnt);
+	if (fc_ret)
+		ret = fc_ret;
 
-	return SUCCESS;
+	zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
+	return ret;
 }
 
 struct scsi_transport_template *zfcp_scsi_transport_template;
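Review bot: The new call zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret) passes a bare ~0 as scsi_id. The parameter is unsigned int, so the value is well defined, but a named constant for "no target" (as ZFCP_DBF_INVALID_LUN already does for the LUN) would make the host-wide scope explicit at the call site and keep later callers consistent with what the trace formatter treats as invalid.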



* [PATCH 3.16 202/366] scsi: sg: mitigate read/write abuse
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Douglas Gilbert, Jann Horn, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd upstream.

As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit
to be called under KERNEL_DS"), sg improperly accesses userspace memory
outside the provided buffer, permitting kernel memory corruption via
splice().  But it doesn't just do it on ->write(), also on ->read().

As a band-aid, make sure that the ->read() and ->write() handlers can not
be called in weird contexts (kernel context or credentials different from
file opener), like for ib_safe_file_access().

If someone needs to use these interfaces from different security contexts,
a new interface should be written that goes through the ->ioctl() handler.

I've mostly copypasted ib_safe_file_access() over as sg_safe_file_access()
because I couldn't find a good common header - please tell me if you know a
better way.

[mkp: s/_safe_/_check_/]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: open-code uaccess_kernel()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/sg.c | 42 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -52,6 +52,7 @@ static int sg_version_num = 30534;	/* 2
 #include <linux/blktrace_api.h>
 #include <linux/mutex.h>
 #include <linux/ratelimit.h>
+#include <linux/cred.h> /* for sg_check_file_access() */
 
 #include "scsi.h"
 #include <scsi/scsi_dbg.h>
@@ -215,6 +216,33 @@ static void sg_put_dev(Sg_device *sdp);
 #define SZ_SG_IOVEC sizeof(sg_iovec_t)
 #define SZ_SG_REQ_INFO sizeof(sg_req_info_t)
 
+/*
+ * The SCSI interfaces that use read() and write() as an asynchronous variant of
+ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
+ * to trigger read() and write() calls from various contexts with elevated
+ * privileges. This can lead to kernel memory corruption (e.g. if these
+ * interfaces are called through splice()) and privilege escalation inside
+ * userspace (e.g. if a process with access to such a device passes a file
+ * descriptor to a SUID binary as stdin/stdout/stderr).
+ *
+ * This function provides protection for the legacy API by restricting the
+ * calling context.
+ */
+static int sg_check_file_access(struct file *filp, const char *caller)
+{
+	if (filp->f_cred != current_real_cred()) {
+		pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
+			caller, task_tgid_vnr(current), current->comm);
+		return -EPERM;
+	}
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
+		pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
+			caller, task_tgid_vnr(current), current->comm);
+		return -EACCES;
+	}
+	return 0;
+}
+
 static int sg_allow_access(struct file *filp, unsigned char *cmd)
 {
 	struct sg_fd *sfp = filp->private_data;
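Review bot: Both messages in sg_check_file_access() use pr_err_once(), so only the first rejected call per message is ever logged and later violations from other processes leave no trace in the log. If these rejections are meant to be visible to administrators, a rate-limited print (the file already includes <linux/ratelimit.h>) would keep the log bounded without going silent. The two paths also return different codes, -EPERM and -EACCES, which deserves a line in the comment block above the function.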
@@ -382,6 +410,14 @@ sg_read(struct file *filp, char __user *
 	struct sg_header *old_hdr = NULL;
 	int retval = 0;
 
+	/*
+	 * This could cause a response to be stranded. Close the associated
+	 * file descriptor to free up any resources being held.
+	 */
+	retval = sg_check_file_access(filp, __func__);
+	if (retval)
+		return retval;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, printk("sg_read: %s, count=%d\n",
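Review bot: The comment added at the top of sg_read() opens with "This could cause a response to be stranded" without saying what "This" refers to, and it sits above the check rather than on the error return it describes. Reword it to say that rejecting the read() here can leave a pending response unread, and that the holder of the descriptor has to close it to release the resources.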
@@ -567,9 +603,11 @@ sg_write(struct file *filp, const char _
 	struct sg_header old_hdr;
 	sg_io_hdr_t *hp;
 	unsigned char cmnd[MAX_COMMAND_SIZE];
+	int retval;
 
-	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-		return -EINVAL;
+	retval = sg_check_file_access(filp, __func__);
+	if (retval)
+		return retval;
 
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
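Review bot: In sg_write() the KERNEL_DS case used to return -EINVAL and now returns -EACCES via sg_check_file_access(), a caller-visible errno change that the commit message does not mention. Either note it in the changelog or keep the old code for that path. sg_write() would also benefit from the same kind of explanatory comment that sg_read() received, since the same check can reject a request here.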



* [PATCH 3.16 135/366] ksm: add cond_resched() to the rmap_walks
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hugh Dickins, Andrea Arcangeli, Petr Holasek,
	Linus Torvalds, Davidlohr Bueso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Arcangeli <aarcange@redhat.com>

commit ad12695f177c3403a64348b42718faf9727fe358 upstream.

While at it add it to the file and anon walks too.

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Petr Holasek <pholasek@redhat.com>
Acked-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/ksm.c  | 2 ++
 mm/rmap.c | 4 ++++
 2 files changed, 6 insertions(+)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -1915,9 +1915,11 @@ again:
 		struct anon_vma_chain *vmac;
 		struct vm_area_struct *vma;
 
+		cond_resched();
 		anon_vma_lock_read(anon_vma);
 		anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
 					       0, ULONG_MAX) {
+			cond_resched();
 			vma = vmac->vma;
 			if (rmap_item->address < vma->vm_start ||
 			    rmap_item->address >= vma->vm_end)
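Review bot: The second cond_resched() is placed inside anon_vma_interval_tree_foreach(), that is, after anon_vma_lock_read() has been taken, so it is only valid because that lock may be held across a reschedule. A one-line comment saying so would stop someone from copying the pattern into a walk that runs under a spinlock, and the commit message should give the reason the reschedule points are needed rather than only "while at it".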
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1486,6 +1486,8 @@ static int rmap_walk_anon(struct page *p
 		struct vm_area_struct *vma = avc->vma;
 		unsigned long address = vma_address(page, vma);
 
+		cond_resched();
+
 		if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 			continue;
 
@@ -1533,6 +1535,8 @@ static int rmap_walk_file(struct page *p
 	vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff) {
 		unsigned long address = vma_address(page, vma);
 
+		cond_resched();
+
 		if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 			continue;
 



* [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bo Chen, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bo Chen <chenbo@pdx.edu>

commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.

When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is
created without setting its operators via 'snd_pcm_set_ops()'. Following
operations on the new pcm instance can trigger kernel null pointer dereferences
and cause kernel oops.

This bug was found with my work on building a gray-box fault-injection tool for
linux-kernel-module binaries. A kernel null pointer dereference was confirmed
from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in
file 'sound/core/pcm_native.c'.

This patch fixes the bug by calling 'snd_device_free()' in the error handling
path of 'kzalloc()', which removes the new pcm instance from the snd card before
returning with an error code.

Signed-off-by: Bo Chen <chenbo@pdx.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_controller.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -998,8 +998,10 @@ static int azx_attach_pcm_stream(struct
 		return err;
 	strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
 	apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
-	if (apcm == NULL)
+	if (apcm == NULL) {
+		snd_device_free(chip->card, pcm);
 		return -ENOMEM;
+	}
 	apcm->chip = chip;
 	apcm->pcm = pcm;
 	apcm->codec = codec;
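Review bot: The subject and commit message describe snd_hda_attach_pcm_stream(), but the hunk changes azx_attach_pcm_stream() in hda_controller.c, and there is no backport annotation explaining the difference. A bracketed note stating where this code lives in 3.16 would help anyone matching the change against the upstream commit.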



* [PATCH 3.16 079/366] ext4: don't read out of bounds when checking for in-inode xattrs
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Biggers, Theodore Ts'o, Andreas Dilger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 290ab230016f187c3551d8380ea742889276d03a upstream.

With i_extra_isize equal to or close to the available space, it was
possible for us to read past the end of the inode when trying to detect
or validate in-inode xattrs.  Fix this by checking for the needed extra
space first.

This patch shouldn't have any noticeable effect on
non-corrupted/non-malicious filesystems.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 4 +++-
 fs/ext4/xattr.c | 5 ++---
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4165,7 +4165,9 @@ static inline void ext4_iget_extra_inode
 {
 	__le32 *magic = (void *)raw_inode +
 			EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
-	if (*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
+	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
+	    EXT4_INODE_SIZE(inode->i_sb) &&
+	    *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
 		ext4_set_inode_state(inode, EXT4_STATE_XATTR);
 		ext4_find_inline_data_nolock(inode);
 	} else
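Review bot: In ext4_iget_extra_inode() the new size test has to stay on the left of the && so that *magic is read only when it passes, yet magic is still computed unconditionally above and the offset expression EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize now appears twice. Consider computing the pointer after the size check, or add a comment that the evaluation order is deliberate, so a later cleanup does not reorder the operands.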
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -247,13 +247,12 @@ static int
 __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
 			 void *end, const char *function, unsigned int line)
 {
-	struct ext4_xattr_entry *entry = IFIRST(header);
 	int error = -EIO;
 
-	if (((void *) header >= end) ||
+	if (end - (void *)header < sizeof(*header) + sizeof(u32) ||
 	    (header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)))
 		goto errout;
-	error = ext4_xattr_check_names(entry, end, entry);
+	error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
 errout:
 	if (error)
 		__ext4_error_inode(inode, function, line, 0,
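Review bot: In __xattr_check_inode() the new test end - (void *)header < sizeof(*header) + sizeof(u32) compares a signed pointer difference with an unsigned size, so if header were ever beyond end the negative difference converts to a large unsigned value and the check passes, a case the removed (void *) header >= end test rejected. If every caller guarantees header <= end, say so in a comment; otherwise keep the ordering test alongside the length test.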



* [PATCH 3.16 082/366] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Schmitz, Geert Uytterhoeven

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Schmitz <schmitzmic@gmail.com>

commit 3f90f9ef2dda316d64e420d5d51ba369587ccc55 upstream.

If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap
between mappings which is added to the vm_struct representing the
mapping.  __ioremap() uses the actual requested size (after alignment),
while __iounmap() is passed the size from the vm_struct.

On 020/030, early termination descriptors are used to set up mappings of
extent 'size', which are validated on unmapping. The unmapped gap of
size IO_SIZE defeats the sanity check of the pmd tables, causing
__iounmap() to loop forever on 030.

On 040/060, unmapping of page table entries does not check for a valid
mapping, so the unmapping loop always completes there.

Adjust size to be unmapped by the gap that had been added in the
vm_struct prior.

This fixes the hang in atari_platform_init() reported a long time ago,
and a similar one reported by Finn recently (addressed by removing
ioremap() use from the SWIM driver).

Tested on my Falcon in 030 mode - untested but should work the same on
040/060 (the extra page tables cleared there would never have been set
up anyway).

Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
[geert: Minor commit description improvements]
[geert: This was fixed in 2.4.23, but not in 2.5.x]
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/m68k/mm/kmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/m68k/mm/kmap.c
+++ b/arch/m68k/mm/kmap.c
@@ -88,7 +88,8 @@ static inline void free_io_area(void *ad
 	for (p = &iolist ; (tmp = *p) ; p = &tmp->next) {
 		if (tmp->addr == addr) {
 			*p = tmp->next;
-			__iounmap(tmp->addr, tmp->size);
+			/* remove gap added in get_io_area() */
+			__iounmap(tmp->addr, tmp->size - IO_SIZE);
 			kfree(tmp);
 			return;
 		}
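Review bot: In free_io_area() the subtraction tmp->size - IO_SIZE is unconditional, while the commit message says get_io_area() adds the gap when 020/030 support is enabled. Please confirm both functions are built under the same condition, because subtracting a gap that was never added would pass the wrong length to __iounmap(). The new comment could also say that tmp->size is the padded size stored by get_io_area(), so the pairing is obvious from this function alone.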



* [PATCH 3.16 088/366] ext4: fix fencepost error in check for inode count overflow during resize
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jaco Kroon, Andreas Dilger, Theodore Ts'o, Jan Kara

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 4f2f76f751433908364ccff82f437a57d0e6e9b7 upstream.

ext4_resize_fs() has an off-by-one bug when checking whether growing of
a filesystem will not overflow inode count. As a result it allows a
filesystem with 8192 inodes per group to grow to 64TB which overflows
inode count to 0 and makes filesystem unusable. Fix it.

Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b
Reported-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1906,7 +1906,7 @@ retry:
 		return 0;
 
 	n_group = ext4_get_group_number(sb, n_blocks_count - 1);
-	if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+	if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
 		ext4_warning(sb, "resize would cause inodes_count overflow");
 		return -EINVAL;
 	}
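Review bot: The corrected comparison on n_group only reads as right once you notice that n_group is the index of the last group (it is derived from n_blocks_count - 1), so the number of groups is n_group + 1. A short comment to that effect, or writing the test in terms of n_group + 1, would keep the fencepost error from being reintroduced by a later cleanup.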



* [PATCH 3.16 081/366] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bjorn Helgaas, Andy Shevchenko, Mika Westerberg, Rafael J. Wysocki

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 13c65840feab8109194f9490c9870587173cb29d upstream.

After a suspend/resume cycle the Presence Detect or Data Link Layer Status
Changed bits might be set.  If we don't clear them those events will not
fire anymore and nothing happens for instance when a device is now
hot-unplugged.

Fix this by clearing those bits in a newly introduced function
pcie_reenable_notification().  This should be fine because immediately
after, we check if the adapter is still present by reading directly from
the status register.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/hotplug/pciehp.h      |  2 +-
 drivers/pci/hotplug/pciehp_core.c |  2 +-
 drivers/pci/hotplug/pciehp_hpc.c  | 13 ++++++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/pci/hotplug/pciehp.h
+++ b/drivers/pci/hotplug/pciehp.h
@@ -143,7 +143,7 @@ struct controller *pcie_init(struct pcie
 int pcie_init_notification(struct controller *ctrl);
 int pciehp_enable_slot(struct slot *p_slot);
 int pciehp_disable_slot(struct slot *p_slot);
-void pcie_enable_notification(struct controller *ctrl);
+void pcie_reenable_notification(struct controller *ctrl);
 int pciehp_power_on_slot(struct slot *slot);
 void pciehp_power_off_slot(struct slot *slot);
 void pciehp_get_power_status(struct slot *slot, u8 *status);
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -332,7 +332,7 @@ static int pciehp_resume(struct pcie_dev
 	ctrl = get_service_data(dev);
 
 	/* reinitialize the chipset's event detection logic */
-	pcie_enable_notification(ctrl);
+	pcie_reenable_notification(ctrl);
 
 	slot = ctrl->slot;
 
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -580,7 +580,7 @@ static irqreturn_t pcie_isr(int irq, voi
 	return IRQ_HANDLED;
 }
 
-void pcie_enable_notification(struct controller *ctrl)
+static void pcie_enable_notification(struct controller *ctrl)
 {
 	u16 cmd, mask;
 
@@ -618,6 +618,17 @@ void pcie_enable_notification(struct con
 	pcie_write_cmd(ctrl, cmd, mask);
 }
 
+void pcie_reenable_notification(struct controller *ctrl)
+{
+	/*
+	 * Clear both Presence and Data Link Layer Changed to make sure
+	 * those events still fire after we have re-enabled them.
+	 */
+	pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
+				   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
+	pcie_enable_notification(ctrl);
+}
+
 static void pcie_disable_notification(struct controller *ctrl)
 {
 	u16 mask;
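Review bot: In pcie_reenable_notification() the comment says the two bits are cleared but not why writing PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC to PCI_EXP_SLTSTA clears them; these Slot Status bits are write-1-to-clear, and saying so would spare readers from assuming the write sets them. The return value of pcie_capability_write_word() is also ignored, which is worth an explicit decision on the resume path.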



* [PATCH 3.16 183/366] time: Make sure jiffies_to_msecs() preserves non-zero time periods
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Geert Uytterhoeven, linux-mips,
	Thomas Gleixner, Stephen Boyd, John Stultz, linux-alpha

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit abcbcb80cd09cd40f2089d912764e315459b71f7 upstream.

For the common cases where 1000 is a multiple of HZ, or HZ is a multiple of
1000, jiffies_to_msecs() never returns zero when passed a non-zero time
period.

However, if HZ > 1000 and not an integer multiple of 1000 (e.g. 1024 or
1200, as used on alpha and DECstation), jiffies_to_msecs() may return zero
for small non-zero time periods.  This may break code that relies on
receiving back a non-zero value.

jiffies_to_usecs() does not need such a fix: one jiffy can only be less
than one µs if HZ > 1000000, and such large values of HZ are already
rejected at build time, twice:

  - include/linux/jiffies.h does #error if HZ >= 12288,
  - kernel/time/time.c has BUILD_BUG_ON(HZ > USEC_PER_SEC).

Broken since forever.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Stephen Boyd <sboyd@kernel.org>
Cc: linux-alpha@vger.kernel.org
Cc: linux-mips@linux-mips.org
Link: https://lkml.kernel.org/r/20180622143357.7495-1-geert@linux-m68k.org
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/time.c
+++ b/kernel/time.c
@@ -28,6 +28,7 @@
  */
 
 #include <linux/export.h>
+#include <linux/kernel.h>
 #include <linux/timex.h>
 #include <linux/capability.h>
 #include <linux/timekeeper_internal.h>
@@ -253,9 +254,10 @@ unsigned int jiffies_to_msecs(const unsi
 	return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
 #else
 # if BITS_PER_LONG == 32
-	return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
+	return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
+	       HZ_TO_MSEC_SHR32;
 # else
-	return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
+	return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
 # endif
 #endif
 }
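Review bot: The two changed returns round every inexact result up, not only the ones that used to truncate to zero, so on HZ values such as 1024 or 1200 callers can now see a result one millisecond larger than before. That matches the unchanged return at the top of this hunk, which already rounds up, but the commit message only discusses the zero case. A comment on jiffies_to_msecs() stating that it rounds up and returns zero only for j == 0 would document the guarantee callers are being promised.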



* [PATCH 3.16 191/366] batman-adv: Fix multicast TT issues with bogus ROAM flags
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leonardo Mörlein, Simon Wunderlich, Linus Lüssing

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <linus.luessing@c0d3.blue>

commit a44ebeff6bbd6ef50db41b4195fca87b21aefd20 upstream.

When a (broken) node wrongly sends multicast TT entries with a ROAM
flag then this causes any receiving node to drop all entries for the
same multicast MAC address announced by other nodes, leading to
packet loss.

Fix this DoS vector by only storing TT sync flags. For multicast TT
non-sync'ing flag bits like ROAM are unused so far anyway.

Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
Reported-by: Leonardo Mörlein <me@irrelefant.net>
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1378,7 +1378,8 @@ static bool batadv_tt_global_add(struct
 		ether_addr_copy(common->addr, tt_addr);
 		common->vid = vid;
 
-		common->flags = flags & (~BATADV_TT_SYNC_MASK);
+		if (!is_multicast_ether_addr(common->addr))
+			common->flags = flags & (~BATADV_TT_SYNC_MASK);
 
 		tt_global_entry->roam_at = 0;
 		/* node must store current time in case of roaming. This is
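Review bot: With the is_multicast_ether_addr() guard in the entry-creation path, common->flags is no longer assigned at all for multicast addresses, so its value depends on how the entry was allocated, which this hunk does not show. An explicit else branch setting it to 0 would make the intent self-evident. The commit message says only sync flags are stored, while both guarded statements mask with ~BATADV_TT_SYNC_MASK, so a comment at the guard saying where the sync flags are kept would also help.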
@@ -1435,7 +1436,8 @@ static bool batadv_tt_global_add(struct
 		 * TT_CLIENT_TEMP, therefore they have to be copied in the
 		 * client entry
 		 */
-		common->flags |= flags & (~BATADV_TT_SYNC_MASK);
+		if (!is_multicast_ether_addr(common->addr))
+			common->flags |= flags & (~BATADV_TT_SYNC_MASK);
 
 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
 		 * one originator left in the list and we previously received a



* [PATCH 3.16 231/366] cifs: Fix use after free of a mid_q_entry
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ronnie Sahlberg, Paulo Alcantara, Lars Persson,
	Steve French, Lars Persson, Pavel Shilovsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lars Persson <lars.persson@axis.com>

commit 696e420bb2a6624478105651d5368d45b502b324 upstream.

With protocol version 2.0 mounts we have seen crashes with corrupt mid
entries. Either the server->pending_mid_q list becomes corrupt with a
cyclic reference in one element or a mid object fetched by the
demultiplexer thread becomes overwritten during use.

Code review identified a race between the demultiplexer thread and the
request issuing thread. The demultiplexer thread seems to be written
with the assumption that it is the sole user of the mid object until
it calls the mid callback which either wakes the issuer task or
deletes the mid.

This assumption is not true because the issuer task can be woken up
earlier by a signal. If the demultiplexer thread has proceeded as far
as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
thread will happily end up calling cifs_delete_mid while the
demultiplexer thread still is using the mid object.

Inserting a delay in the cifs demultiplexer thread widens the race
window and makes reproduction of the race very easy:

		if (server->large_buf)
			buf = server->bigbuf;

+		usleep_range(500, 4000);

		server->lstrp = jiffies;

To resolve this I think the proper solution involves putting a
reference count on the mid object. This patch makes sure that the
demultiplexer thread holds a reference until it has finished
processing the transaction.

Signed-off-by: Lars Persson <larper@axis.com>
Acked-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: Drop redundant assignment to mid_entry]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h      |  1 +
 fs/cifs/cifsproto.h     |  1 +
 fs/cifs/connect.c       |  8 +++++++-
 fs/cifs/smb1ops.c       |  1 +
 fs/cifs/smb2ops.c       |  1 +
 fs/cifs/smb2transport.c |  1 +
 fs/cifs/transport.c     | 18 +++++++++++++++++-
 7 files changed, 29 insertions(+), 2 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1232,6 +1232,7 @@ typedef void (mid_callback_t)(struct mid
 /* one of these for every pending CIFS request to the server */
 struct mid_q_entry {
 	struct list_head qhead;	/* mids waiting on reply from this server */
+	struct kref refcount;
 	struct TCP_Server_Info *server;	/* server corresponding to this mid */
 	__u64 mid;		/* multiplex id */
 	__u32 pid;		/* process id */
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -74,6 +74,7 @@ extern struct mid_q_entry *AllocMidQEntr
 					struct TCP_Server_Info *server);
 extern void DeleteMidQEntry(struct mid_q_entry *midEntry);
 extern void cifs_delete_mid(struct mid_q_entry *mid);
+extern void cifs_mid_q_entry_release(struct mid_q_entry *midEntry);
 extern void cifs_wake_up_task(struct mid_q_entry *mid);
 extern int cifs_call_async(struct TCP_Server_Info *server,
 			struct smb_rqst *rqst,
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -903,8 +903,11 @@ cifs_demultiplex_thread(void *p)
 		else
 			length = mid_entry->receive(server, mid_entry);
 
-		if (length < 0)
+		if (length < 0) {
+			if (mid_entry)
+				cifs_mid_q_entry_release(mid_entry);
 			continue;
+		}
 
 		if (server->large_buf)
 			buf = server->bigbuf;
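
Review bot: in the `length < 0` branch nothing says where the reference being dropped was taken. The NULL check on `mid_entry` is right, but the matching `kref_get()` lives in `cifs_find_mid()` and `smb2_find_mid()` in other files, so a one-line comment above `cifs_mid_q_entry_release(mid_entry)` naming the find_mid lookup as the owner of that reference would make the pairing auditable from this site.
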
@@ -920,6 +923,8 @@ cifs_demultiplex_thread(void *p)
 
 			if (!mid_entry->multiRsp || mid_entry->multiEnd)
 				mid_entry->callback(mid_entry);
+
+			cifs_mid_q_entry_release(mid_entry);
 		} else if (server->ops->is_oplock_break &&
 			   server->ops->is_oplock_break(buf, server)) {
 			cifs_dbg(FYI, "Received oplock break\n");
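
Review bot: after the added `cifs_mid_q_entry_release(mid_entry)` the pointer may refer to memory that has gone back to the pool, yet `mid_entry` stays in scope for the rest of the loop body. A comment stating that `mid_entry` must not be touched past this line would keep later edits from reintroducing the use-after-free this patch closes.
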
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -104,6 +104,7 @@ cifs_find_mid(struct TCP_Server_Info *se
 		if (compare_mid(mid->mid, buf) &&
 		    mid->mid_state == MID_REQUEST_SUBMITTED &&
 		    le16_to_cpu(mid->command) == buf->Command) {
+			kref_get(&mid->refcount);
 			spin_unlock(&GlobalMid_Lock);
 			return mid;
 		}
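
Review bot: `cifs_find_mid()` now returns with a reference held, but that contract is not documented. Taking `kref_get(&mid->refcount)` under `GlobalMid_Lock` before the unlock is the right order; please add a function comment saying every caller must pair the lookup with `cifs_mid_q_entry_release()`, so that a leaked reference is easy to spot in review. The same applies to `smb2_find_mid()`.
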
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -138,6 +138,7 @@ smb2_find_mid(struct TCP_Server_Info *se
 		if ((mid->mid == hdr->MessageId) &&
 		    (mid->mid_state == MID_REQUEST_SUBMITTED) &&
 		    (mid->command == hdr->Command)) {
+			kref_get(&mid->refcount);
 			spin_unlock(&GlobalMid_Lock);
 			return mid;
 		}
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -531,6 +531,7 @@ smb2_mid_entry_alloc(const struct smb2_h
 		return temp;
 	else {
 		memset(temp, 0, sizeof(struct mid_q_entry));
+		kref_init(&temp->refcount);
 		temp->mid = smb_buffer->MessageId;	/* always LE */
 		temp->pid = current->pid;
 		temp->command = smb_buffer->Command;	/* Always LE */
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -58,6 +58,7 @@ AllocMidQEntry(const struct smb_hdr *smb
 		return temp;
 	else {
 		memset(temp, 0, sizeof(struct mid_q_entry));
+		kref_init(&temp->refcount);
 		temp->mid = get_mid(smb_buffer);
 		temp->pid = current->pid;
 		temp->command = cpu_to_le16(smb_buffer->Command);
@@ -80,6 +81,21 @@ AllocMidQEntry(const struct smb_hdr *smb
 	return temp;
 }
 
+static void _cifs_mid_q_entry_release(struct kref *refcount)
+{
+	struct mid_q_entry *mid = container_of(refcount, struct mid_q_entry,
+					       refcount);
+
+	mempool_free(mid, cifs_mid_poolp);
+}
+
+void cifs_mid_q_entry_release(struct mid_q_entry *midEntry)
+{
+	spin_lock(&GlobalMid_Lock);
+	kref_put(&midEntry->refcount, _cifs_mid_q_entry_release);
+	spin_unlock(&GlobalMid_Lock);
+}
+
 void
 DeleteMidQEntry(struct mid_q_entry *midEntry)
 {
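
Review bot: `cifs_mid_q_entry_release()` takes `GlobalMid_Lock` around `kref_put()`, so the final `mempool_free()` runs with the spinlock held and any caller that already holds `GlobalMid_Lock` would deadlock. Please add a comment on the function saying that it must be called without the lock, and why the lock is taken here (the matching `kref_get()` in the find_mid helpers is done under the same lock).
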
@@ -108,7 +124,7 @@ DeleteMidQEntry(struct mid_q_entry *midE
 		}
 	}
 #endif
-	mempool_free(midEntry, cifs_mid_poolp);
+	cifs_mid_q_entry_release(midEntry);
 }
 
 void


^ permalink raw reply	[flat|nested] 380+ messages in thread
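
The interleaving described in the commit message above, replayed deterministically in user space. This is an added example, not code from the patch or from the CIFS client: the `demo_*` names, the four-slot pool standing in for the mempool, and the poison value are assumptions, and a plain `int` stands in for the kernel's `kref` because the replay is single-threaded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DEMO_POOL_SIZE 4
#define DEMO_POISON    0x6b6b6b6b	/* marks a slot returned to the pool */

enum demo_state { DEMO_REQUEST_SUBMITTED, DEMO_RESPONSE_RECEIVED };

struct demo_mid {
	int refcount;		/* plain int: the replay is single-threaded */
	bool live;		/* false once the slot is back in the pool */
	enum demo_state state;
	int resp_len;
};

static struct demo_mid demo_pool[DEMO_POOL_SIZE];

/* Issuer side: allocate a mid; the issuer owns the initial reference. */
static struct demo_mid *demo_alloc_mid(void)
{
	for (int i = 0; i < DEMO_POOL_SIZE; i++) {
		struct demo_mid *mid = &demo_pool[i];

		if (!mid->live) {
			memset(mid, 0, sizeof(*mid));
			mid->refcount = 1;
			mid->live = true;
			mid->state = DEMO_REQUEST_SUBMITTED;
			return mid;
		}
	}
	return NULL;
}

static void demo_mid_get(struct demo_mid *mid)
{
	mid->refcount++;
}

/* Drop one reference; the slot goes back to the pool on the last put. */
static void demo_mid_put(struct demo_mid *mid)
{
	if (--mid->refcount == 0) {
		mid->resp_len = DEMO_POISON;
		mid->live = false;
	}
}

static int demo_live_mids(void)
{
	int n = 0;

	for (int i = 0; i < DEMO_POOL_SIZE; i++)
		n += demo_pool[i].live ? 1 : 0;
	return n;
}

/*
 * Replay: the demultiplexer finds the mid and marks the response received,
 * the issuer is woken early and deletes the mid, then the demultiplexer
 * carries on. Returns true if the demultiplexer ended up holding a mid
 * that had already been freed.
 */
static bool demo_replay(bool demux_holds_ref)
{
	struct demo_mid *mid = demo_alloc_mid();
	struct demo_mid *found;
	bool touched_freed;

	if (!mid)
		return false;

	found = mid;				/* demultiplexer: lookup */
	if (demux_holds_ref)
		demo_mid_get(found);
	found->state = DEMO_RESPONSE_RECEIVED;

	demo_mid_put(mid);			/* issuer: woken early, deletes */

	touched_freed = !found->live;		/* demultiplexer: still working */
	if (!touched_freed)
		found->resp_len = 64;

	if (demux_holds_ref)
		demo_mid_put(found);		/* demultiplexer: done */
	return touched_freed;
}

int main(void)
{
	printf("no reference held by demux: freed mid touched = %d\n",
	       demo_replay(false));
	printf("reference held by demux:    freed mid touched = %d\n",
	       demo_replay(true));
	printf("mids still allocated: %d\n", demo_live_mids());
	return 0;
}
```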

* [PATCH 3.16 032/366] iommu/vt-d: Ratelimit each dmar fault printing
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (275 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() Ben Hutchings
                   ` (89 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joerg Roedel, Lu Baolu, Joerg Roedel, Dmitry Safonov,
	David Woodhouse, Ingo Molnar, iommu, Alex Williamson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

commit 6c50d79f66382d78918a768374839d6d1b606d3f upstream.

There is a ratelimit for printing, but it's incremented each time the
cpu receives dmar fault interrupt. While one interrupt may signal about
*many* faults.
So, measuring the impact it turns out that reading/clearing one fault
takes < 1 usec, and printing info about the fault takes ~170 msec.

Having in mind that maximum number of fault recording registers per
remapping hardware unit is 256.. IRQ handler may run for (170*256) msec.
And as fault-serving loop runs without a time limit, during servicing
new faults may occur..

Ratelimit each fault printing rather than each irq printing.

Fixes: commit c43fce4eebae ("iommu/vt-d: Ratelimit fault handler")

BUG: spinlock lockup suspected on CPU#0, CliShell/9903
 lock: 0xffffffff81a47440, .magic: dead4ead, .owner: kworker/u16:2/8915, .owner_cpu: 6
CPU: 0 PID: 9903 Comm: CliShell
Call Trace:
[..] dump_stack+0x65/0x83
[..] spin_dump+0x8f/0x94
[..] do_raw_spin_lock+0x123/0x170
[..] _raw_spin_lock_irqsave+0x32/0x3a
[..] uart_chars_in_buffer+0x20/0x4d
[..] tty_chars_in_buffer+0x18/0x1d
[..] n_tty_poll+0x1cb/0x1f2
[..] tty_poll+0x5e/0x76
[..] do_select+0x363/0x629
[..] compat_core_sys_select+0x19e/0x239
[..] compat_SyS_select+0x98/0xc0
[..] sysenter_dispatch+0x7/0x25
[..]
NMI backtrace for cpu 6
CPU: 6 PID: 8915 Comm: kworker/u16:2
Workqueue: dmar_fault dmar_fault_work
Call Trace:
[..] wait_for_xmitr+0x26/0x8f
[..] serial8250_console_putchar+0x1c/0x2c
[..] uart_console_write+0x40/0x4b
[..] serial8250_console_write+0xe6/0x13f
[..] call_console_drivers.constprop.13+0xce/0x103
[..] console_unlock+0x1f8/0x39b
[..] vprintk_emit+0x39e/0x3e6
[..] printk+0x4d/0x4f
[..] dmar_fault+0x1a8/0x1fc
[..] dmar_fault_work+0x15/0x17
[..] process_one_work+0x1e8/0x3a9
[..] worker_thread+0x25d/0x345
[..] kthread+0xea/0xf2
[..] ret_from_fork+0x58/0x90

Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Lu Baolu <baolu.lu@linux.intel.com>
Cc: iommu@lists.linux-foundation.org
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/dmar.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1483,17 +1483,13 @@ irqreturn_t dmar_fault(int irq, void *de
 	int reg, fault_index;
 	u32 fault_status;
 	unsigned long flag;
-	bool ratelimited;
 	static DEFINE_RATELIMIT_STATE(rs,
 				      DEFAULT_RATELIMIT_INTERVAL,
 				      DEFAULT_RATELIMIT_BURST);
 
-	/* Disable printing, simply clear the fault when ratelimited */
-	ratelimited = !__ratelimit(&rs);
-
 	raw_spin_lock_irqsave(&iommu->register_lock, flag);
 	fault_status = readl(iommu->reg + DMAR_FSTS_REG);
-	if (fault_status && !ratelimited)
+	if (fault_status && __ratelimit(&rs))
 		pr_err("DRHD: handling fault status reg %x\n", fault_status);
 
 	/* TBD: ignore advanced fault log currently */
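
Review bot: the status print at `if (fault_status && __ratelimit(&rs))` draws from the same `rs` budget that the per-fault check in the loop uses, so each interrupt spends one token on the summary line before any fault record is reported. If the per-fault details are the more useful output, consider a separate ratelimit state for the status line.
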
@@ -1503,6 +1499,8 @@ irqreturn_t dmar_fault(int irq, void *de
 	fault_index = dma_fsts_fault_record_index(fault_status);
 	reg = cap_fault_reg_offset(iommu->cap);
 	while (1) {
+		/* Disable printing, simply clear the fault when ratelimited */
+		bool ratelimited = !__ratelimit(&rs);
 		u8 fault_reason;
 		u16 source_id;
 		u64 guest_addr;
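
Review bot: `bool ratelimited = !__ratelimit(&rs);` is an initializer with a side effect placed ahead of the plain declarations, and it runs at the top of every pass through `while (1)`. Declaring `bool ratelimited;` with the other locals and assigning it at the point where the print decision is made would read better, and would avoid spending a token on any pass that leaves the loop without printing.
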


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 031/366] ALSA: hda/ca0132: fix build failure when a local macro is defined
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (360 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 322/366] ALSA: msnd: add some missing curly braces Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 111/366] net/packet: refine check for priv area size Ben Hutchings
                   ` (4 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Takashi Sakamoto, Connor McAdams

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 8e142e9e628975b0dddd05cf1b095331dff6e2de upstream.

DECLARE_TLV_DB_SCALE (alias of SNDRV_CTL_TLVD_DECLARE_DB_SCALE) is used but
tlv.h is not included. This causes build failure when local macro is
defined by comment-out.

This commit fixes the bug. At the same time, the alias macro is replaced
with a destination macro added at a commit 46e860f76804 ("ALSA: rename
TLV-related macros so that they're friendly to user applications")

Reported-by: Connor McAdams <conmanx360@gmail.com>
Fixes: 44f0c9782cc6 ('ALSA: hda/ca0132: Add tuning controls')
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_ca0132.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -38,6 +38,10 @@
 /* Enable this to see controls for tuning purpose. */
 /*#define ENABLE_TUNING_CONTROLS*/
 
+#ifdef ENABLE_TUNING_CONTROLS
+#include <sound/tlv.h>
+#endif
+
 #define FLOAT_ZERO	0x00000000
 #define FLOAT_ONE	0x3f800000
 #define FLOAT_TWO	0x40000000
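
Review bot: the `#ifdef ENABLE_TUNING_CONTROLS` wrapped around `#include <sound/tlv.h>` adds a conditional that the include does not need. Including the header unconditionally, next to the file's other includes, is simpler and removes the chance of the same build break if the macro is used outside the tuning code later.
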
@@ -3037,8 +3041,8 @@ static int equalizer_ctl_put(struct snd_
 	return 1;
 }
 
-static const DECLARE_TLV_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
-static const DECLARE_TLV_DB_SCALE(eq_db_scale, -2400, 100, 0);
+static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
+static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(eq_db_scale, -2400, 100, 0);
 
 static int add_tuning_control(struct hda_codec *codec,
 				hda_nid_t pnid, hda_nid_t nid,


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 212/366] tty: vt, get rid of weird source code flow
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 259/366] drm/nouveau: Remove bogus crtc check in pmops_runtime_idle Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 352/366] perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ Ben Hutchings
                   ` (329 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Jiri Slaby

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 34902b7f2754e6d890feb0cee34187f1bc75c930 upstream.

Some code in vc_allocate is indented by 4 spaces. It is inside a
condition. Invert the condition and move the code to the first
indentation level (using \tab). And insert some empty lines to have
logical code blocks separated.

Then, instead of freeing in an 'if' false branch, use goto-error
label as fail path.

Maybe better to look at this patch with diff -w -b.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c | 70 +++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 31 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -752,46 +752,54 @@ static void visual_init(struct vc_data *
 
 int vc_allocate(unsigned int currcons)	/* return 0 on success */
 {
+	struct vt_notifier_param param;
+	struct vc_data *vc;
+
 	WARN_CONSOLE_UNLOCKED();
 
 	if (currcons >= MAX_NR_CONSOLES)
 		return -ENXIO;
-	if (!vc_cons[currcons].d) {
-	    struct vc_data *vc;
-	    struct vt_notifier_param param;
-
-	    /* due to the granularity of kmalloc, we waste some memory here */
-	    /* the alloc is done in two steps, to optimize the common situation
-	       of a 25x80 console (structsize=216, screenbuf_size=4000) */
-	    /* although the numbers above are not valid since long ago, the
-	       point is still up-to-date and the comment still has its value
-	       even if only as a historical artifact.  --mj, July 1998 */
-	    param.vc = vc = kzalloc(sizeof(struct vc_data), GFP_KERNEL);
-	    if (!vc)
+
+	if (vc_cons[currcons].d)
+		return 0;
+
+	/* due to the granularity of kmalloc, we waste some memory here */
+	/* the alloc is done in two steps, to optimize the common situation
+	   of a 25x80 console (structsize=216, screenbuf_size=4000) */
+	/* although the numbers above are not valid since long ago, the
+	   point is still up-to-date and the comment still has its value
+	   even if only as a historical artifact.  --mj, July 1998 */
+	param.vc = vc = kzalloc(sizeof(struct vc_data), GFP_KERNEL);
+	if (!vc)
 		return -ENOMEM;
-	    vc_cons[currcons].d = vc;
-	    tty_port_init(&vc->port);
-	    INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
-	    visual_init(vc, currcons, 1);
-	    if (!*vc->vc_uni_pagedir_loc)
+
+	vc_cons[currcons].d = vc;
+	tty_port_init(&vc->port);
+	INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
+
+	visual_init(vc, currcons, 1);
+
+	if (!*vc->vc_uni_pagedir_loc)
 		con_set_default_unimap(vc);
-	    vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
-	    if (!vc->vc_screenbuf) {
-		kfree(vc);
-		vc_cons[currcons].d = NULL;
-		return -ENOMEM;
-	    }
 
-	    /* If no drivers have overridden us and the user didn't pass a
-	       boot option, default to displaying the cursor */
-	    if (global_cursor_default == -1)
-		    global_cursor_default = 1;
-
-	    vc_init(vc, vc->vc_rows, vc->vc_cols, 1);
-	    vcs_make_sysfs(currcons);
-	    atomic_notifier_call_chain(&vt_notifier_list, VT_ALLOCATE, &param);
-	}
+	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+	if (!vc->vc_screenbuf)
+		goto err_free;
+
+	/* If no drivers have overridden us and the user didn't pass a
+	   boot option, default to displaying the cursor */
+	if (global_cursor_default == -1)
+		global_cursor_default = 1;
+
+	vc_init(vc, vc->vc_rows, vc->vc_cols, 1);
+	vcs_make_sysfs(currcons);
+	atomic_notifier_call_chain(&vt_notifier_list, VT_ALLOCATE, &param);
+
 	return 0;
+err_free:
+	kfree(vc);
+	vc_cons[currcons].d = NULL;
+	return -ENOMEM;
 }
 
 static inline int resize_screen(struct vc_data *vc, int width, int height,
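
Review bot: in the new `err_free` path `kfree(vc)` runs before `vc_cons[currcons].d = NULL`, so the global slot briefly points at freed memory. The order is carried over from the old code and the console lock asserted by `WARN_CONSOLE_UNLOCKED()` covers it, but since the error path is being rewritten anyway, clearing the slot first is the safer order. The label also does not undo `tty_port_init()` or `visual_init()`; it is worth confirming that neither needs teardown on this path.
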


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 144/366] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 145/366] ext4: include the illegal physical block in the bad map ext4_error msg Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 256/366] reiserfs: fix buffer overflow with long warning messages Ben Hutchings
                   ` (224 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit ecd012e45ab5fd76ed57546865897ce35920f56b upstream.

pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
'session' may be an Ethernet pseudo-wire.

However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
assumes l2tp_session_priv() points to a pppol2tp_session structure. For
an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
structure instead, making pppol2tp_session_ioctl() access invalid
memory.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1231,7 +1231,7 @@ static int pppol2tp_tunnel_ioctl(struct
 				l2tp_session_get(sock_net(sk), tunnel,
 						 stats.session_id, true);
 
-			if (session) {
+			if (session && session->pwtype == L2TP_PWTYPE_PPP) {
 				err = pppol2tp_session_ioctl(session, cmd,
 							     arg);
 				if (session->deref)
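
Review bot: with the added `session->pwtype == L2TP_PWTYPE_PPP` test, a session that was found but is not PPP now skips the whole block, including the cleanup that starts at `if (session->deref)`. `l2tp_session_get()` is called just above with `true` as its last argument, so if that lookup takes a reference, the non-PPP case never drops it and needs its own release path. Patch 309/366 in this series, "l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()", looks like the follow-up and should go in together with this one.
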


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 149/366] netfilter: nf_queue: augment nfqa_cfg_policy
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (358 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 354/366] perf script: Use readdir() instead of deprecated readdir_r() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 322/366] ALSA: msnd: add some missing curly braces Ben Hutchings
                   ` (6 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, syzbot, Pablo Neira Ayuso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc upstream.

Three attributes are currently not verified, thus can trigger KMSAN
warnings such as :

BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
CPU: 1 PID: 4521 Comm: syz-executor120 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
 __fswab32 include/uapi/linux/swab.h:59 [inline]
 nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
 nfnetlink_rcv_msg+0xb2e/0xc80 net/netfilter/nfnetlink.c:212
 netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
 nfnetlink_rcv+0x2fe/0x680 net/netfilter/nfnetlink.c:513
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fd59
RSP: 002b:00007ffde0e30d28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401680
R13: 0000000000401710 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: fdb694a01f1f ("netfilter: Add fail-open support")
Fixes: 829e17a1a602 ("[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nfnetlink_queue_core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1039,6 +1039,9 @@ nfqnl_recv_unsupp(struct sock *ctnl, str
 static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
 	[NFQA_CFG_CMD]		= { .len = sizeof(struct nfqnl_msg_config_cmd) },
 	[NFQA_CFG_PARAMS]	= { .len = sizeof(struct nfqnl_msg_config_params) },
+	[NFQA_CFG_QUEUE_MAXLEN]	= { .type = NLA_U32 },
+	[NFQA_CFG_MASK]		= { .type = NLA_U32 },
+	[NFQA_CFG_FLAGS]	= { .type = NLA_U32 },
 };
 
 static const struct nf_queue_handler nfqh = {


^ permalink raw reply	[flat|nested] 380+ messages in thread
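
A user-space model of what the three added policy entries change, for the commit message above. This is an added example, not code from the patch or from the kernel's netlink parser: the `demo_*` names, the constructed message, and the minimum payload sizes of 4 and 5 bytes for the CMD and PARAMS attributes are assumptions; the attribute header uses the length/type layout of netlink attributes with 4-byte alignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute numbers, in the same order as the NFQA_CFG_* attributes. */
enum {
	DEMO_CFG_UNSPEC, DEMO_CFG_CMD, DEMO_CFG_PARAMS,
	DEMO_CFG_QUEUE_MAXLEN, DEMO_CFG_MASK, DEMO_CFG_FLAGS,
	DEMO_CFG_MAX = DEMO_CFG_FLAGS
};

#define DEMO_HDRLEN   4u
#define DEMO_ALIGN(n) (((n) + 3u) & ~3u)

struct demo_hdr  { uint16_t len; uint16_t type; };	/* len includes header */
struct demo_attr { const uint8_t *data; size_t len; };

/* Minimum payload per attribute; 0 means "not verified". */
static const uint16_t demo_policy_before[DEMO_CFG_MAX + 1] = {
	[DEMO_CFG_CMD] = 4, [DEMO_CFG_PARAMS] = 5,
};
static const uint16_t demo_policy_after[DEMO_CFG_MAX + 1] = {
	[DEMO_CFG_CMD] = 4, [DEMO_CFG_PARAMS] = 5,
	[DEMO_CFG_QUEUE_MAXLEN] = 4, [DEMO_CFG_MASK] = 4, [DEMO_CFG_FLAGS] = 4,
};

/* Walk the attribute stream and apply the policy. 0 = accepted, -1 = rejected. */
static int demo_parse(const uint8_t *buf, size_t buflen,
		      const uint16_t *policy, struct demo_attr *tb)
{
	size_t off = 0;

	memset(tb, 0, sizeof(*tb) * (DEMO_CFG_MAX + 1));
	while (buflen - off >= DEMO_HDRLEN) {
		struct demo_hdr h;
		size_t payload, step;

		memcpy(&h, buf + off, sizeof(h));
		if (h.len < DEMO_HDRLEN || h.len > buflen - off)
			return -1;			/* malformed stream */
		payload = h.len - DEMO_HDRLEN;
		if (h.type > 0 && h.type <= DEMO_CFG_MAX) {
			if (payload < policy[h.type])
				return -1;		/* shorter than policy allows */
			tb[h.type].data = buf + off + DEMO_HDRLEN;
			tb[h.type].len = payload;
		}
		step = DEMO_ALIGN(h.len);
		off += step < buflen - off ? step : buflen - off;
	}
	return 0;
}

/*
 * Models a consumer that reads 32 bits from each of the three attributes
 * without looking at the payload length.
 * -1: message rejected, 0: every read stays inside its payload,
 *  1: accepted, but a 32-bit read would run past the attribute payload.
 */
static int demo_check(const uint8_t *buf, size_t buflen, const uint16_t *policy)
{
	static const int u32_attrs[] = {
		DEMO_CFG_QUEUE_MAXLEN, DEMO_CFG_MASK, DEMO_CFG_FLAGS
	};
	struct demo_attr tb[DEMO_CFG_MAX + 1];

	if (demo_parse(buf, buflen, policy, tb) < 0)
		return -1;
	for (size_t i = 0; i < sizeof(u32_attrs) / sizeof(u32_attrs[0]); i++) {
		const struct demo_attr *a = &tb[u32_attrs[i]];

		if (a->data && a->len < sizeof(uint32_t))
			return 1;
	}
	return 0;
}

static size_t demo_put(uint8_t *buf, size_t off, uint16_t type,
		       const void *payload, uint16_t plen)
{
	struct demo_hdr h = { (uint16_t)(DEMO_HDRLEN + plen), type };

	memcpy(buf + off, &h, sizeof(h));
	memcpy(buf + off + DEMO_HDRLEN, payload, plen);
	return off + DEMO_HDRLEN + plen;
}

/* Constructed message: a valid CMD, then a MASK with mask_len payload bytes. */
static int demo_verdict(uint16_t mask_len, int use_new_policy)
{
	static const uint8_t cmd[4] = { 1, 0, 0, 2 }, mask[4] = { 0, 0, 0, 1 };
	uint8_t buf[32] = { 0 };
	size_t n = demo_put(buf, 0, DEMO_CFG_CMD, cmd, sizeof(cmd));

	n = demo_put(buf, n, DEMO_CFG_MASK, mask, mask_len);
	return demo_check(buf, n, use_new_policy ? demo_policy_after
						 : demo_policy_before);
}

int main(void)
{
	printf("2-byte MASK, old policy: %d\n", demo_verdict(2, 0));
	printf("2-byte MASK, new policy: %d\n", demo_verdict(2, 1));
	printf("4-byte MASK, new policy: %d\n", demo_verdict(4, 1));
	return 0;
}
```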

* [PATCH 3.16 108/366] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 168/366] xen-netfront: Remove the meaningless code Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 254/366] mm: do not bug_on on incorrect length in __mm_populate() Ben Hutchings
                   ` (99 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Aneesh Kumar K.V

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>

commit 91d06971881f71d945910de128658038513d1b24 upstream.

Currently we do not have an isync, or any other context synchronizing
instruction prior to the slbie/slbmte in _switch() that updates the
SLB entry for the kernel stack.

However that is not correct as outlined in the ISA.

From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:

  "Changing the contents of ... the contents of SLB entries ... can
   have the side effect of altering the context in which data
   addresses and instruction addresses are interpreted, and in which
   instructions are executed and data accesses are performed.
   ...
   These side effects need not occur in program order, and therefore
   may require explicit synchronization by software.
   ...
   The synchronizing instruction before the context-altering
   instruction ensures that all instructions up to and including that
   synchronizing instruction are fetched and executed in the context
   that existed before the alteration."

And page 1136:

  "For data accesses, the context synchronizing instruction before the
   slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
   that all preceding instructions that access data storage have
   completed to a point at which they have reported all exceptions
   they will cause."

We're not aware of any bugs caused by this, but it should be fixed
regardless.

Add the missing isync when updating kernel stack SLB entry.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
[mpe: Flesh out change log with more ISA text & explanation]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/entry_64.S | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -525,6 +525,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG
 	 * actually hit this code path.
 	 */
 
+	isync
 	slbie	r6
 	slbie	r6		/* Workaround POWER5 < DD2.1 issue */
 	slbmte	r7,r0
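
Review bot: the added `isync` carries no comment, while the neighbouring `slbie r6` has one for its POWER5 workaround. A short comment saying that a context synchronizing instruction is required before the SLB entries are changed, per the ISA text quoted in the change log, would keep it from being removed later as apparently redundant.
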


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 064/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 266/366] random: mix rdrand with entropy sent in from userspace Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 296/366] tracing: Fix possible double free in event_enable_trigger_func() Ben Hutchings
                   ` (148 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Steffen Maier, Benjamin Block

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit d70aab55924b44f213fec2b900b095430b33eec6 upstream.

For problem determination we always want to see when we were invoked on the
terminate_rport_io callback whether we perform something or not.

Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:

loose remote port

t   workqueue
[s] zfcp_q_<dev>       IRQ                 zfcperp<dev>

=== ================== =================== ============================

  0                    recv RSCN
                       q p.test_link_work
    block rport
     start fast_io_fail_tmo
    send ADISC ELS
  4                    recv ADISC fail
                       block zfcp_port
                                           port forced reopen
                                           send open port
 12                    recv open port fail
                                           q p.gid_pn_work
                                           zfcp_erp_wakeup
                                           (zfcp_erp_wait would return)
    GID_PN fail

Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
e.g. with the typical 5 sec setting.

    port.status |= ERP_FAILED

If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.

    workqueue
    fc_dl_<host>
    ==================
 27 fc_timeout_fail_rport_io
    fc_terminate_rport_io
    zfcp_scsi_terminate_rport_io
    zfcp_erp_port_forced_reopen
    _zfcp_erp_port_forced_reopen
     if (port.status & ERP_FAILED)
      return;

Therefore, write a trace before above early return.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : sctrpi1                SCSI terminate rport I/O
LUN            : 0xffffffffffffffff                     none (invalid)
WWPN           : 0x<wwpn>
D_ID           : 0x<n_port_id>
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x00000000                             none (invalid)
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -41,9 +41,13 @@ enum zfcp_erp_steps {
  * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
  * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
  * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
- *			  either of the other enum values.
+ *			  either of the first four enum values.
  *			  Used to indicate that an ERP action could not be
  *			  set up despite a detected need for some recovery.
+ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
+ *			    either of the first four enum values.
+ *			    Used to indicate that ERP not needed because
+ *			    the object has ZFCP_STATUS_COMMON_ERP_FAILED.
  */
 enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
@@ -51,6 +55,7 @@ enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
 	ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
 	ZFCP_ERP_ACTION_NONE		   = 0xc0,
+	ZFCP_ERP_ACTION_FAILED		   = 0xe0,
 };
 
 enum zfcp_erp_act_state {
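
Review bot: `ZFCP_ERP_ACTION_FAILED = 0xe0` contains every bit of `ZFCP_ERP_ACTION_NONE = 0xc0`, so a consumer that tests a need value with `& ZFCP_ERP_ACTION_NONE` will also match FAILED records. If the two eyecatchers are meant to be told apart by mask, pick a value that does not overlap, or document that they must be compared for equality after masking off the low action bits.
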
@@ -378,8 +383,12 @@ static void _zfcp_erp_port_forced_reopen
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+		zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
+				  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+				  ZFCP_ERP_ACTION_FAILED);
 		return;
+	}
 
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
 				port->adapter, port, NULL, id, 0);
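
Review bot: the kernel-doc added earlier in this patch says `ZFCP_ERP_ACTION_FAILED` is to be or-combined with one of the first four enum values, but `zfcp_dbf_rec_trig()` is passed the bare `ZFCP_ERP_ACTION_FAILED` as the need argument, which matches the `ERP need : 0xe0` in the example trace. Either pass `ZFCP_ERP_ACTION_FAILED | ZFCP_ERP_ACTION_REOPEN_PORT_FORCED` or reword the comment to say the flag is used on its own.
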


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 073/366] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 137/366] mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 178/366] Input: elantech - fix V4 report decoding for module with middle key Ben Hutchings
                   ` (362 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit f16041df4c360eccacfe90f96673b37829e4c959 upstream.

HP Z2 G4 requires the same workaround as other HP machines that have
no mic-pin detection.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -3454,6 +3454,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
 	SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),



* [PATCH 3.16 047/366] tty: pl011: Avoid spuriously stuck-off interrupts
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 251/366] binfmt_elf: fix calculations for bss padding Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 255/366] string: drop __must_check from strscpy() Ben Hutchings
                   ` (229 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Martin, Greg Kroah-Hartman, Wei Xu, Linus Walleij,
	Russell King, Peter Maydell

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 4a7e625ce50412a7711efa0f2ef0b96ce3826759 upstream.

Commit 9b96fbacda34 ("serial: PL011: clear pending interrupts")
clears the RX and receive timeout interrupts on pl011 startup, to
avoid a screaming-interrupt scenario that can occur when the
firmware or bootloader leaves these interrupts asserted.

This has been noted as an issue when running Linux on qemu [1].

Unfortunately, the above fix seems to lead to potential
misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously
on driver startup, if the RX FIFO is also already full to the
trigger level.

Clearing the RX FIFO interrupt does not change the FIFO fill level.
In this scenario, because the interrupt is now clear and because
the FIFO is already full to the trigger level, no new assertion of
the RX FIFO interrupt can occur unless the FIFO is drained back
below the trigger level.  This never occurs because the pl011
driver is waiting for an RX FIFO interrupt to tell it that there is
something to read, and does not read the FIFO at all until that
interrupt occurs.

Thus, simply clearing "spurious" interrupts on startup may be
misguided, since there is no way to be sure that the interrupts are
truly spurious, and things can go wrong if they are not.

This patch instead clears the interrupt condition by draining the
RX FIFO during UART startup, after clearing any potentially
spurious interrupt.  This should ensure that an interrupt will
definitely be asserted if the RX FIFO subsequently becomes
sufficiently full.

The drain is done at the point of enabling interrupts only.  This
means that it will occur any time the UART is newly opened through
the tty layer.  It will not apply to polled-mode use of the UART by
kgdboc: since that scenario cannot use interrupts by design, this
should not matter.  kgdboc will interact badly with "normal" use of
the UART in any case: this patch makes no attempt to paper over
such issues.

This patch does not attempt to address the case where the RX FIFO
fills faster than it can be drained: that is a pathological
hardware design problem that is beyond the scope of the driver to
work around.  As a failsafe, the number of poll iterations for
draining the FIFO is limited to twice the FIFO size.  This will
ensure that the kernel at least boots even if it is impossible to
drain the FIFO for some reason.

[1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo
before enabled the interruption
https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.html

Reported-by: Wei Xu <xuwei5@hisilicon.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 9b96fbacda34 ("serial: PL011: clear pending interrupts")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Tested-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Open-code pl011_read()
 - s/REG_/UART01x_/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/amba-pl011.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -1531,6 +1531,7 @@ static int pl011_startup(struct uart_por
 	struct uart_amba_port *uap = (struct uart_amba_port *)port;
 	unsigned int cr, lcr_h, fbrd, ibrd;
 	int retval;
+	unsigned int i;
 
 	retval = pl011_hwinit(port);
 	if (retval)
@@ -1595,6 +1596,20 @@ static int pl011_startup(struct uart_por
 	/* Clear out any spuriously appearing RX interrupts */
 	 writew(UART011_RTIS | UART011_RXIS,
 		uap->port.membase + UART011_ICR);
+
+	/*
+	 * RXIS is asserted only when the RX FIFO transitions from below
+	 * to above the trigger threshold.  If the RX FIFO is already
+	 * full to the threshold this can't happen and RXIS will now be
+	 * stuck off.  Drain the RX FIFO explicitly to fix this:
+	 */
+	for (i = 0; i < uap->fifosize * 2; ++i) {
+		if (readw(uap->port.membase + UART01x_FR) & UART01x_FR_RXFE)
+			break;
+
+		readw(uap->port.membase + UART01x_DR);
+	}
+
 	uap->im = UART011_RTIM;
 	if (!pl011_dma_rx_running(uap))
 		uap->im |= UART011_RXIM;
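
Review bot: The bound on the new drain loop, uap->fifosize * 2, is not explained in the comment above it, and if the loop runs out without ever seeing UART01x_FR_RXFE the code continues silently. The comment should say that the limit is a failsafe for a FIFO that cannot be emptied, and a warning on exhaustion (for example via dev_warn()) would make that case visible, because RXIS can then still be stuck off. The result of readw() on UART01x_DR is discarded, so any error flags that came with those characters are dropped too; that is probably intended at startup but is worth stating in the comment.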



* [PATCH 3.16 193/366] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (283 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 348/366] MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA Ben Hutchings
                   ` (81 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b41f794f284966fd6ec634111e3b40d241389f96 upstream.

The kernel may spew a WARNING about UBSAN undefined behavior at
handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:

UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 handle_overflow+0x1c2/0x21f lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 snd_timer_user_next_device sound/core/timer.c:1524 [inline]
 __snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
 snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
 ....

It happens only when a value with INT_MAX is passed, as we're
incrementing it unconditionally.  So the fix is trivial, check the
value with INT_MAX.  Although the bug itself is fairly harmless, it's
better to fix it so that fuzzers won't hit this again later.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213
Reported-and-tested-by: Team OWL337 <icytxw@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1476,7 +1476,7 @@ static int snd_timer_user_next_device(st
 					} else {
 						if (id.subdevice < 0) {
 							id.subdevice = 0;
-						} else {
+						} else if (id.subdevice < INT_MAX) {
 							id.subdevice++;
 						}
 					}
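
Review bot: In the new "else if (id.subdevice < INT_MAX)" branch, a subdevice equal to INT_MAX now falls through unchanged and nothing in the code says that this is deliberate. A one-line comment that the value saturates at INT_MAX to avoid the signed overflow would help the next reader. The hunk only guards subdevice; if this function increments other fields of id in the same unconditional way, they need the same check.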



* [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 068/366] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Ben Hutchings
                   ` (156 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mikulas Patocka, Dave Airlie

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 99ec9e77511dea55d81729fc80b6c63a61bfa8e0 upstream.

The displaylink hardware has such a peculiarity that it doesn't render a
command until next command is received. This produces occasional
corruption, such as when setting 22x11 font on the console, only the first
line of the cursor will be blinking if the cursor is located at some
specific columns.

When we end up with a repeating pixel, the driver has a bug that it leaves
one uninitialized byte after the command (and this byte is enough to flush
the command and render it - thus it fixes the screen corruption), however
when we end up with a non-repeating pixel, there is no byte appended and
this results in temporary screen corruption.

This patch fixes the screen corruption by always appending a byte 0xAF at
the end of URB. It also removes the uninitialized byte.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/udl/udl_fb.c       |  5 ++++-
 drivers/gpu/drm/udl/udl_transfer.c | 11 +++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -234,7 +234,10 @@ int udl_handle_damage(struct udl_framebu
 
 	if (cmd > (char *) urb->transfer_buffer) {
 		/* Send partial buffer remaining before exiting */
-		int len = cmd - (char *) urb->transfer_buffer;
+		int len;
+		if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length)
+			*cmd++ = 0xAF;
+		len = cmd - (char *) urb->transfer_buffer;
 		ret = udl_submit_urb(dev, urb, len);
 		bytes_sent += len;
 	} else
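
Review bot: The bounds check before "*cmd++ = 0xAF;" silently skips the flush byte when cmd already sits at transfer_buffer + transfer_buffer_length, which is exactly the case in which the last command would stay unrendered. If the byte reserved by the udl_transfer.c change is meant to make that branch unreachable, say so in a comment here, or warn when the byte cannot be appended. The bare 0xAF would also read better as a named constant or with a short comment on why this value is used, and kernel style wants a blank line between the "int len;" declaration and the following if statement.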
--- a/drivers/gpu/drm/udl/udl_transfer.c
+++ b/drivers/gpu/drm/udl/udl_transfer.c
@@ -149,11 +149,11 @@ static void udl_compress_hline16(
 		raw_pixels_count_byte = cmd++; /*  we'll know this later */
 		raw_pixel_start = pixel;
 
-		cmd_pixel_end = pixel + (min(MAX_CMD_PIXELS + 1,
-			min((int)(pixel_end - pixel) / bpp,
-			    (int)(cmd_buffer_end - cmd) / 2))) * bpp;
+		cmd_pixel_end = pixel + min3(MAX_CMD_PIXELS + 1UL,
+					(unsigned long)(pixel_end - pixel) / bpp,
+					(unsigned long)(cmd_buffer_end - 1 - cmd) / 2) * bpp;
 
-		prefetch_range((void *) pixel, (cmd_pixel_end - pixel) * bpp);
+		prefetch_range((void *) pixel, cmd_pixel_end - pixel);
 
 		while (pixel < cmd_pixel_end) {
 			const u8 *const start = pixel;
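
Review bot: The third min3() argument, "(unsigned long)(cmd_buffer_end - 1 - cmd) / 2", is only safe while cmd is strictly below cmd_buffer_end - 1. With the old (int) casts a negative difference produced a negative bound and the copy loop did not run; after the cast to unsigned long a negative difference becomes a very large value and min3() then picks one of the other two limits. The guard that keeps cmd below the end of the buffer is not visible in this hunk, so please confirm that it exists and note the dependency in a comment. The prefetch_range() length change is correct, since cmd_pixel_end - pixel is already a byte count.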
@@ -193,6 +193,9 @@ static void udl_compress_hline16(
 		if (pixel > raw_pixel_start) {
 			/* finalize last RAW span */
 			*raw_pixels_count_byte = ((pixel-raw_pixel_start) / bpp) & 0xFF;
+		} else {
+			/* undo unused byte */
+			cmd--;
 		}
 
 		*cmd_pixels_count_byte = ((pixel - cmd_pixel_start) / bpp) & 0xFF;
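
Review bot: The "cmd--" in the new else branch is only correct if cmd still points immediately past raw_pixels_count_byte, that is, if nothing has been written since that byte was reserved with "raw_pixels_count_byte = cmd++". The comment "undo unused byte" should name that byte and state the invariant, so that a later change to the loop above does not turn this into a silent overwrite of valid command data.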



* [PATCH 3.16 184/366] vhost_net: validate sock before trying to put its fd
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 336/366] gcov: add support for GCC 5.1 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 127/366] fs/binfmt_misc.c: do not allow offset overflow Ben Hutchings
                   ` (275 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dan Carpenter, Jason Wang

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Wang <jasowang@redhat.com>

commit b8f1f65882f07913157c44673af7ec0b308d03eb upstream.

Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when
we meet errors during ubuf allocation, the code does not check for
NULL before calling sockfd_put(); this will lead to NULL
dereferencing. Fix by checking the sock pointer before.

Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vhost/net.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -983,7 +983,8 @@ err_used:
 	if (ubufs)
 		vhost_net_ubuf_put_wait_and_free(ubufs);
 err_ubufs:
-	sockfd_put(sock);
+	if (sock)
+		sockfd_put(sock);
 err_vq:
 	mutex_unlock(&vq->mutex);
 err:
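
Review bot: The new "if (sock)" guard at err_ubufs has no comment explaining when sock can legitimately be NULL on this path. A short note that a backend fd of -1 leaves sock NULL would keep the check from being removed as redundant later. It is also worth checking the other labels in this unwind sequence for uses of sock that assume it is non-NULL; only err_ubufs is visible in this hunk.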



* [PATCH 3.16 185/366] ipv6: mcast: fix unsolicited report interval after receiving querys
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 321/366] xen/netfront: don't cache skb_shinfo() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 339/366] KVM: x86: fix escape of guest dr6 to the host Ben Hutchings
                   ` (284 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Hangbin Liu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 6c6da92808442908287fae8ebb0ca041a52469f4 upstream.

After receiving MLD queries, we update idev->mc_maxdelay with max_delay
from query header. This makes the later unsolicited reports have the same
interval with mc_maxdelay, which means we may send unsolicited reports with
long interval time instead of default configured interval time.

Also, as we will not call ipv6_mc_reset() after device up, this issue will
be there even after leaving the group and joining other groups.

Fixes: fc4eba58b4c14 ("ipv6: make unsolicited report intervals configurable for mld")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/mcast.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -2058,7 +2058,8 @@ void ipv6_mc_dad_complete(struct inet6_d
 		mld_send_initial_cr(idev);
 		idev->mc_dad_count--;
 		if (idev->mc_dad_count)
-			mld_dad_start_timer(idev, idev->mc_maxdelay);
+			mld_dad_start_timer(idev,
+					    unsolicited_report_interval(idev));
 	}
 }
 
@@ -2070,7 +2071,8 @@ static void mld_dad_timer_expire(unsigne
 	if (idev->mc_dad_count) {
 		idev->mc_dad_count--;
 		if (idev->mc_dad_count)
-			mld_dad_start_timer(idev, idev->mc_maxdelay);
+			mld_dad_start_timer(idev,
+					    unsolicited_report_interval(idev));
 	}
 	in6_dev_put(idev);
 }
@@ -2428,7 +2430,8 @@ static void mld_ifc_timer_expire(unsigne
 	if (idev->mc_ifc_count) {
 		idev->mc_ifc_count--;
 		if (idev->mc_ifc_count)
-			mld_ifc_start_timer(idev, idev->mc_maxdelay);
+			mld_ifc_start_timer(idev,
+					    unsolicited_report_interval(idev));
 	}
 	in6_dev_put(idev);
 }



* [PATCH 3.16 068/366] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 337/366] gcov: add support for gcc version >= 6 Ben Hutchings
                   ` (155 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Rivshin, Rabin Vincent, David Rivshin,
	Daniel Thompson, Russell King

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Rivshin <DRivshin@allworx.com>

commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.

NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
is the number of total registers, while GDB_MAX_REGS is the number
of 'unsigned longs' it takes to serialize those registers. Since
FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
smaller than GDB_MAX_REGS.

This causes GDB 8.0 to give the following error on connect:
"Truncated register 19 in remote 'g' packet"

This also causes the register serialization/deserialization logic
to overflow gdb_regs[], overwriting whatever follows.

Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
Signed-off-by: David Rivshin <drivshin@allworx.com>
Acked-by: Rabin Vincent <rabin@rab.in>
Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/kgdb.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/include/asm/kgdb.h
+++ b/arch/arm/include/asm/kgdb.h
@@ -76,7 +76,7 @@ extern int kgdb_fault_expected;
 
 #define KGDB_MAX_NO_CPUS	1
 #define BUFMAX			400
-#define NUMREGBYTES		(DBG_MAX_REG_NUM << 2)
+#define NUMREGBYTES		(GDB_MAX_REGS << 2)
 #define NUMCRITREGBYTES		(32 << 2)
 
 #define _R0			0
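
Review bot: The new definition "(GDB_MAX_REGS << 2)" still hard-codes the element size as 4 bytes through the shift. Since the commit message defines GDB_MAX_REGS as a count of unsigned longs, "(GDB_MAX_REGS * sizeof(unsigned long))" would tie the byte count to the element type and document the unit at the same time. The same applies to NUMCRITREGBYTES on the following line, which is unchanged context here.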



* [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 152/366] mtd: rawnand: mxc: set spare area size register explicitly Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Ben Hutchings
                   ` (202 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Carlos Barcala Lara

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 24160628a34af962ac99f2f58e547ac3c4cbd26f upstream.

Add device ids for CESINEL products.

Reported-by: Carlos Barcala Lara <cabl@cesinel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -91,6 +91,9 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
 	{ USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
 	{ USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
+	{ USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */
+	{ USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */
+	{ USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */
 	{ USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */
 	{ USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */
 	{ USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */
@@ -108,6 +111,9 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
 	{ USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
 	{ USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
+	{ USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */
+	{ USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */
+	{ USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */
 	{ USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */
 	{ USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
 	{ USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
@@ -120,7 +126,9 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
 	{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
 	{ USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
+	{ USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */
 	{ USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
+	{ USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */
 	{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
 	{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
 	{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
@@ -130,10 +138,13 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8857) },	/* CEL EM357 ZigBee USB Stick */
 	{ USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
 	{ USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+	{ USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */
+	{ USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */
 	{ USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
 	{ USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
 	{ USB_DEVICE(0x10C4, 0x8977) },	/* CEL MeshWorks DevKit Device */
 	{ USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+	{ USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
 	{ USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
 	{ USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
 	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
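
Review bot: The comments on the two entries added at the top of this hunk differ only in spacing, "CESINEL MEDCAL STII Network Analyzer" for 0x88FB and "CESINEL MEDCAL S II Network Analyzer" for 0x8938. Please confirm that these are two distinct product names and not a typo in one of them, since the comment is the only record of which device each id belongs to. The ids themselves are inserted in ascending order, consistent with the rest of the table.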



* [PATCH 3.16 103/366] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 217/366] ext4: check superblock mapped prior to committing Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 311/366] root dentries need RCU-delayed freeing Ben Hutchings
                   ` (248 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Trond Myklebust, Stephen Johnston, Dave Wysochanski

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Wysochanski <dwysocha@redhat.com>

commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream.

In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
is a stack char array variable of length NFS_UINT_MAXLEN == 11.
If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
overflows into a negative value, for example:
crash> p (unsigned) (0x80000000)
$1 = 2147483648
crash> p (signed) (0x80000000)
$2 = -2147483648
The '-' sign is written to the buffer and this causes a 1 byte overflow
when the NULL byte is written, which corrupts kernel stack memory.  If
CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:

[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
[11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
[11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
[11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
[11558053.650107] Call Trace:
[11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
[11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
[11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
[11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
[11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
[11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
[11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
[11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
[11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b

Fix this by calling the internally defined nfs_map_numeric_to_string()
function which properly uses '%u' to convert this __u32.  For consistency,
also replace the one other place where snprintf is called.

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reported-by: Stephen Johnston <sjohnsto@redhat.com>
Fixes: cf4ab538f1516 ("NFSv4: Fix the string length returned by the idmapper")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/idmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -339,7 +339,7 @@ static ssize_t nfs_idmap_lookup_name(__u
 	int id_len;
 	ssize_t ret;
 
-	id_len = snprintf(id_str, sizeof(id_str), "%u", id);
+	id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
 	ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
 	if (ret < 0)
 		return -EINVAL;
@@ -636,7 +636,8 @@ static int nfs_idmap_read_and_verify_mes
 		if (strcmp(upcall->im_name, im->im_name) != 0)
 			break;
 		/* Note: here we store the NUL terminator too */
-		len = sprintf(id_str, "%d", im->im_id) + 1;
+		len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
+						    sizeof(id_str));
 		ret = nfs_idmap_instantiate(key, authkey, id_str, len);
 		break;
 	case IDMAP_CONV_IDTONAME:
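
Review bot: In the second hunk, "len = 1 + nfs_map_numeric_to_string(...)" uses the return value as a byte count for nfs_idmap_instantiate() without comparing it against sizeof(id_str). With "%u" on a __u32 the longest result is 10 digits, so 11 bytes including the NUL fits the buffer described in the commit message, but that is an assumption about a helper whose body is not shown here. If the helper returns the snprintf()-style "would have written" length, a truncated result would make len larger than the buffer; a check such as "if (len > sizeof(id_str))" with an error return would make the bound explicit.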


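The one-byte overflow described in the message above, as an added example that is not part of the patch or of the kernel sources: it measures how many bytes "%d" and "%u" need for a 32-bit id in an 11-byte buffer, and shows a bounded formatter that reports truncation instead of writing past the end. ID_BUF_LEN (mirroring the NFS_UINT_MAXLEN == 11 stated in the message) and all function names are made up for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: mirrors the 11-byte id_str buffer named in the commit message. */
#define ID_BUF_LEN 11

/*
 * Bytes (including the terminating NUL) that "%d" needs for a 32-bit id.
 * snprintf(NULL, 0, ...) only measures; nothing is written anywhere.
 */
static int bytes_needed_signed(uint32_t id)
{
	return snprintf(NULL, 0, "%d", (int)id) + 1;
}

/* Same measurement for the "%u" conversion the fix relies on. */
static int bytes_needed_unsigned(uint32_t id)
{
	return snprintf(NULL, 0, "%u", (unsigned int)id) + 1;
}

/* 1 if an unbounded sprintf("%d") of this id would write past ID_BUF_LEN. */
static int percent_d_overflows(uint32_t id)
{
	return bytes_needed_signed(id) > ID_BUF_LEN;
}

/*
 * Bounded conversion: returns the string length on success, or -1 when
 * the decimal form plus NUL does not fit, so the caller never passes an
 * over-long length on to a consumer.
 */
static int format_id(uint32_t id, char *buf, size_t buflen)
{
	int n = snprintf(buf, buflen, "%u", (unsigned int)id);

	if (n < 0 || (size_t)n >= buflen)
		return -1;
	return n;
}

int main(void)
{
	/*
	 * Constructed sample ids. Only ids whose signed form has ten digits
	 * after the '-' need 12 bytes: 2147483648 through 3294967296.
	 */
	static const uint32_t samples[] = {
		0u, 2147483647u, 2147483648u, 3294967296u, 3294967297u,
		4294967295u,
	};
	char buf[ID_BUF_LEN];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t id = samples[i];
		int len = format_id(id, buf, sizeof(buf));

		printf("id=%-10u  %%d needs %2d bytes  %%u needs %2d bytes  "
		       "%%d overflows=%d  bounded len=%d\n",
		       (unsigned int)id, bytes_needed_signed(id),
		       bytes_needed_unsigned(id), percent_d_overflows(id), len);
	}
	return 0;
}
```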

* [PATCH 3.16 203/366] block: Fix transfer when chunk sectors exceeds max
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (259 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 329/366] dm bufio: drop the lock when doing GFP_NOIO allocation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 333/366] HID: reject input outside logical range only if null state is set Ben Hutchings
                   ` (105 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jens Axboe, Jitendra Bhivare, Martin K. Petersen, Keith Busch

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keith Busch <keith.busch@intel.com>

commit 15bfd21fbc5d35834b9ea383dc458a1f0c9e3434 upstream.

A device may have boundary restrictions where the number of sectors
between boundaries exceeds its max transfer size. In this case, we need
to cap the max size to the smaller of the two limits.

Reported-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Tested-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/blkdev.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -929,8 +929,8 @@ static inline unsigned int blk_max_size_
 	if (!q->limits.chunk_sectors)
 		return q->limits.max_sectors;
 
-	return q->limits.chunk_sectors -
-			(offset & (q->limits.chunk_sectors - 1));
+	return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
+			(offset & (q->limits.chunk_sectors - 1))));
 }
 
 static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
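
Review bot: The new return statement mixes min() with an explicit "(unsigned int)" cast on the second argument, which hides the type mismatch that min() is designed to flag. min_t(unsigned int, q->limits.max_sectors, ...) is the usual kernel idiom for this and makes the narrowing of the offset-derived value explicit in one place. Splitting the chunk remainder into a local variable would also avoid the line break in the middle of the cast expression.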



* [PATCH 3.16 051/366] rpmsg: Correct support for MODULE_DEVICE_TABLE()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (290 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 306/366] squashfs: more metadata hardening Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 340/366] iio: iio-trig-periodic-rtc: Free trigger resource correctly Ben Hutchings
                   ` (74 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Andrew F. Davis, Suman Anna

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Andrew F. Davis" <afd@ti.com>

commit 5b7d127726de6eed4b900bc3bbb167837690818f upstream.

Due to a missing entry in file2alias.c, MODULE_DEVICE_TABLE() is
not generating the proper module aliases. Add the needed entry here.

Fixes: bcabbccabffe ("rpmsg: add virtio-based remote processor messaging bus")
Reported-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/mod/devicetable-offsets.c |  3 +++
 scripts/mod/file2alias.c          | 11 +++++++++++
 2 files changed, 14 insertions(+)

--- a/scripts/mod/devicetable-offsets.c
+++ b/scripts/mod/devicetable-offsets.c
@@ -136,6 +136,9 @@ int main(void)
 	DEVID(hv_vmbus_device_id);
 	DEVID_FIELD(hv_vmbus_device_id, guid);
 
+	DEVID(rpmsg_device_id);
+	DEVID_FIELD(rpmsg_device_id, name);
+
 	DEVID(i2c_device_id);
 	DEVID_FIELD(i2c_device_id, name);
 
--- a/scripts/mod/file2alias.c
+++ b/scripts/mod/file2alias.c
@@ -884,6 +884,17 @@ static int do_vmbus_entry(const char *fi
 }
 ADD_TO_DEVTABLE("vmbus", hv_vmbus_device_id, do_vmbus_entry);
 
+/* Looks like: rpmsg:S */
+static int do_rpmsg_entry(const char *filename, void *symval,
+			  char *alias)
+{
+	DEF_FIELD_ADDR(symval, rpmsg_device_id, name);
+	sprintf(alias, RPMSG_DEVICE_MODALIAS_FMT, *name);
+
+	return 1;
+}
+ADD_TO_DEVTABLE("rpmsg", rpmsg_device_id, do_rpmsg_entry);
+
 /* Looks like: i2c:S */
 static int do_i2c_entry(const char *filename, void *symval,
 			char *alias)
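
Review bot: In do_rpmsg_entry(), "sprintf(alias, RPMSG_DEVICE_MODALIAS_FMT, *name);" writes an unbounded string into alias, and neither the size of alias nor a guarantee that name is NUL-terminated within its field is visible in this hunk. Since this runs in a build-time host tool the exposure is limited to malformed object files, but a bounded write or a comment stating the size relationship between the name field and the alias buffer would make the assumption checkable. The "Looks like: rpmsg:S" comment should also be kept in sync with whatever RPMSG_DEVICE_MODALIAS_FMT actually expands to.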



* [PATCH 3.16 152/366] mtd: rawnand: mxc: set spare area size register explicitly
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2018-11-11 19:49   ` [B.A.T.M.A.N.] " Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids Ben Hutchings
                   ` (203 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Boris Brezillon, Martin Kaiser, Sascha Hauer, Miquel Raynal

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kaiser <martin@kaiser.cx>

commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream.

The v21 version of the NAND flash controller contains a Spare Area Size
Register (SPAS) at offset 0x10. Its setting defaults to the maximum
spare area size of 218 bytes. The size that is set in this register is
used by the controller when it calculates the ECC bytes internally in
hardware.

Usually, this register is updated from settings in the IIM fuses when
the system is booting from NAND flash. For other boot media, however,
the SPAS register remains at the default setting, which may not work for
the particular flash chip on the board. The same goes for flash chips
whose configuration cannot be set in the IIM fuses (e.g. chips with 2k
sector size and 128 bytes spare area size can't be configured in the IIM
fuses on imx25 systems).

Set the SPAS register explicitly during the preset operation. Derive the
register value from mtd->oobsize that was detected during probe by
decoding the flash chip's ID bytes.

While at it, rename the define for the spare area register's offset to
NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is
different from the register on v21 controllers.

Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset")
Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/mxc_nand.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/mxc_nand.c
+++ b/drivers/mtd/nand/mxc_nand.c
@@ -49,7 +49,7 @@
 #define NFC_V1_V2_CONFIG		(host->regs + 0x0a)
 #define NFC_V1_V2_ECC_STATUS_RESULT	(host->regs + 0x0c)
 #define NFC_V1_V2_RSLTMAIN_AREA		(host->regs + 0x0e)
-#define NFC_V1_V2_RSLTSPARE_AREA	(host->regs + 0x10)
+#define NFC_V21_RSLTSPARE_AREA		(host->regs + 0x10)
 #define NFC_V1_V2_WRPROT		(host->regs + 0x12)
 #define NFC_V1_UNLOCKSTART_BLKADDR	(host->regs + 0x14)
 #define NFC_V1_UNLOCKEND_BLKADDR	(host->regs + 0x16)
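Review bot: renaming the define in place breaks any remaining user of NFC_V1_V2_RSLTSPARE_AREA. The diffstat shows a single deletion, so please confirm that nothing else in the 3.16 mxc_nand.c still references the old name before this is applied.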
@@ -958,6 +958,9 @@ static void preset_v2(struct mtd_info *m
 	writew(config1, NFC_V1_V2_CONFIG1);
 	/* preset operation */
 
+	/* spare area size in 16-bit half-words */
+	writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
+
 	/* Unlock the internal RAM Buffer */
 	writew(0x2, NFC_V1_V2_CONFIG);
 
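Review bot: the new writew() in preset_v2() lands between the existing /* preset operation */ comment and the code that comment introduced, so the comment now reads as if it describes the spare area write; moving the two added lines above that comment would keep it accurate. Two things to confirm as well: the commit message says offset 0x10 is a different register on v1 controllers, so preset_v2() must only ever run on v21 hardware, and mtd->oobsize / 2 silently rounds down if oobsize is ever odd.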



* [PATCH 3.16 085/366] usb: gadget: function: printer: avoid spinlock recursion
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 120/366] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 307/366] nohz: Fix local_timer_softirq_pending() Ben Hutchings
                   ` (353 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Yoshihiro Shimoda

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 9ada8c582088d32bd5c071c17213bc6edf37443a upstream.

If usb_gadget_giveback_request() is called in usb_ep_queue(),
this printer_write() can cause spinlock recursion. So,
this patch adds spin_unlock() before calling usb_ep_queue() to avoid it.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/printer.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/printer.c
+++ b/drivers/usb/gadget/printer.c
@@ -587,6 +587,7 @@ printer_write(struct file *fd, const cha
 	size_t			size;	/* Amount of data in a TX request. */
 	size_t			bytes_copied = 0;
 	struct usb_request	*req;
+	int			value;
 
 	DBG(dev, "printer_write trying to send %d bytes\n", (int)len);
 
@@ -666,7 +667,11 @@ printer_write(struct file *fd, const cha
 			return -EAGAIN;
 		}
 
-		if (usb_ep_queue(dev->in_ep, req, GFP_ATOMIC)) {
+		/* here, we unlock, and only unlock, to avoid deadlock. */
+		spin_unlock(&dev->lock);
+		value = usb_ep_queue(dev->in_ep, req, GFP_ATOMIC);
+		spin_lock(&dev->lock);
+		if (value) {
 			list_add(&req->list, &dev->tx_reqs);
 			spin_unlock_irqrestore(&dev->lock, flags);
 			mutex_unlock(&dev->lock_printer_io);
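Review bot: dev->lock is dropped around usb_ep_queue() and retaken, but nothing after spin_lock() re-checks the state that the lock protects. Anything that ran in the window (a completion handler, a reset or disconnect path) may have changed dev->tx_reqs or the device state, and the failure branch then does list_add(&req->list, &dev->tx_reqs) on the assumption that req is still owned here. Please either re-validate after reacquiring or explain in the comment why the window is harmless; the comment should also say that the plain spin_unlock() is deliberate because interrupts stay disabled until the later spin_unlock_irqrestore().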



* [PATCH 3.16 072/366] m68k: Implement ndelay() as an inline function to force type checking/casting
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (223 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 363/366] perf tools: Remove duplicate const qualifier Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 316/366] fix __legitimize_mnt()/mntput() race Ben Hutchings
                   ` (141 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Geert Uytterhoeven, Miquel Raynal, Boris Brezillon

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <boris.brezillon@bootlin.com>

commit d8441ba80c55aad435e4b98fe0d7ad5d21e46bf9 upstream.

ndelay() is supposed to take an unsigned long, but if you define
ndelay() as a macro and the caller passes an unsigned long long instead
of an unsigned long, the unsigned long long to unsigned long cast is
not done and we end up with an "undefined reference to `__udivdi3'"
error at link time.

Fix that by making ndelay() an inline function and then defining a dummy
ndelay() macro that redirects to the ndelay() function (this is how most
archs implement ndelay()).

Fixes: c8ee038bd148 ("m68k: Implement ndelay() based on the existing udelay() logic")
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
[geert: Remove comment now it is no longer a macro]
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/m68k/include/asm/delay.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/m68k/include/asm/delay.h
+++ b/arch/m68k/include/asm/delay.h
@@ -48,8 +48,6 @@ extern void __bad_udelay(void);
  * The simpler m68k and ColdFire processors do not have a 32*32->64
  * multiply instruction. So we need to handle them a little differently.
  * We use a bit of shifting and a single 32*32->32 multiply to get close.
- * This is a macro so that the const version can factor out the first
- * multiply and shift.
  */
 #define	HZSCALE		(268435456 / (1000000 / HZ))
 
@@ -114,6 +112,13 @@ static inline void __udelay(unsigned lon
  */
 #define	HZSCALE		(268435456 / (1000000 / HZ))
 
-#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000))
+static inline void ndelay(unsigned long nsec)
+{
+	__delay(DIV_ROUND_UP(nsec *
+			     ((((HZSCALE) >> 11) *
+			       (loops_per_jiffy >> 11)) >> 6),
+			     1000));
+}
+#define ndelay(n) ndelay(n)
 
 #endif /* defined(_M68K_DELAY_H) */
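Review bot: with the argument now an unsigned long, nsec * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6) is a 32-bit multiply on m68k, so a large nsec wraps silently and the delay comes out shorter than requested, where the macro form failed loudly at link time for 64-bit arguments. A comment giving the largest nsec that is safe would help callers. The self-referential #define ndelay(n) ndelay(n) also deserves a one-line comment saying why it is there, since on its own it looks like a no-op.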



* [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 332/366] HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 137/366] mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT Ben Hutchings
                   ` (364 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Gleixner, Borislav Petkov, Tony Luck

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 1f74c8a64798e2c488f86efc97e308b85fb7d7aa upstream.

mce_no_way_out() does a quick check during #MC to see whether some of
the MCEs logged would require the kernel to panic immediately. And it
passes a struct mce where MCi_STATUS gets written.

However, after having saved a valid status value, the next iteration
of the loop which goes over the MCA banks on the CPU, overwrites the
valid status value because we're using struct mce as storage instead of
a temporary variable.

Which leads to MCE records with an empty status value:

  mce: [Hardware Error]: CPU 0: Machine Check Exception: 6 Bank 0: 0000000000000000
  mce: [Hardware Error]: RIP 10:<ffffffffbd42fbd7> {trigger_mce+0x7/0x10}

In order to prevent the loss of the status register value, return
immediately when severity is a panic one so that we can panic
immediately with the first fatal MCE logged. This is also the intention
of this function and not to noodle over the banks while a fatal MCE is
already logged.

Tony: read the rest of the MCA bank to populate the struct mce fully.

Suggested-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20180622095428.626-8-bp@alien8.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/mcheck/mce.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -666,23 +666,25 @@ EXPORT_SYMBOL_GPL(machine_check_poll);
 static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
 			  struct pt_regs *regs)
 {
-	int i, ret = 0;
 	char *tmp;
+	int i;
 
 	for (i = 0; i < mca_cfg.banks; i++) {
 		m->status = mce_rdmsrl(MSR_IA32_MCx_STATUS(i));
-		if (m->status & MCI_STATUS_VAL) {
-			__set_bit(i, validp);
-			if (quirk_no_way_out)
-				quirk_no_way_out(i, m, regs);
-		}
+		if (!(m->status & MCI_STATUS_VAL))
+			continue;
+
+		__set_bit(i, validp);
+		if (quirk_no_way_out)
+			quirk_no_way_out(i, m, regs);
 
 		if (mce_severity(m, mca_cfg.tolerant, &tmp) >= MCE_PANIC_SEVERITY) {
+			mce_read_aux(m, i);
 			*msg = tmp;
-			ret = 1;
+			return 1;
 		}
 	}
-	return ret;
+	return 0;
 }
 
 /*



* [PATCH 3.16 112/366] of: platform: stop accessing invalid dev in of_platform_device_destroy
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 263/366] KEYS: DNS: fix parsing multiple options Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 202/366] scsi: sg: mitigate read/write abuse Ben Hutchings
                   ` (298 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Herring, Srinivas Kandagatla

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit 522811e944ed9b36806faa019faec10f9d259cca upstream.

Immediately after the platform_device_unregister() the device will be
cleaned up. Accessing the freed pointer immediately after that will
crash the system.

Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing
loading/unloading audio drivers in a loop on Qcom platforms.

Fix this by moving of_node_clear_flag() just before the unregister calls.

Below is the crash trace:

Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c03
Mem abort info:
  ESR = 0x96000021
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000021
  CM = 0, WnR = 0
[006b6b6b6b6b6c03] address between user and kernel address ranges
Internal error: Oops: 96000021 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 1784 Comm: sh Tainted: G        W         4.17.0-rc7-02230-ge3a63a7ef641-dirty #204
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO)
pc : clear_bit+0x18/0x2c
lr : of_platform_device_destroy+0x64/0xb8
sp : ffff00000c9c3930
x29: ffff00000c9c3930 x28: ffff80003d39b200
x27: ffff000008bb1000 x26: 0000000000000040
x25: 0000000000000124 x24: ffff80003a9a3080
x23: 0000000000000060 x22: ffff00000939f518
x21: ffff80003aa79e98 x20: ffff80003aa3dae0
x19: ffff80003aa3c890 x18: ffff800009feb794
x17: 0000000000000000 x16: 0000000000000000
x15: ffff800009feb790 x14: 0000000000000000
x13: ffff80003a058778 x12: ffff80003a058728
x11: ffff80003a058750 x10: 0000000000000000
x9 : 0000000000000006 x8 : ffff80003a825988
x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000001
x5 : 0000000000000000 x4 : 0000000000000001
x3 : 0000000000000008 x2 : 0000000000000001
x1 : 6b6b6b6b6b6b6c03 x0 : 0000000000000000
Process sh (pid: 1784, stack limit = 0x        (ptrval))
Call trace:
 clear_bit+0x18/0x2c
 q6afe_remove+0x20/0x38
 apr_device_remove+0x30/0x70
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 apr_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 apr_remove+0x18/0x20
 rpmsg_dev_remove+0x38/0x68
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 qcom_smd_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 qcom_smd_unregister_edge+0x3c/0x70
 smd_subdev_remove+0x18/0x28
 rproc_stop+0x48/0xd8
 rproc_shutdown+0x60/0xe8
 state_store+0xbc/0xf8
 dev_attr_store+0x18/0x28
 sysfs_kf_write+0x3c/0x50
 kernfs_fop_write+0x118/0x1e0
 __vfs_write+0x18/0x110
 vfs_write+0xa4/0x1a8
 ksys_write+0x48/0xb0
 sys_write+0xc/0x18
 el0_svc_naked+0x30/0x34
Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
---[ end trace 32020935775616a2 ]---

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
[bwh: Backported to 3.16: There's no OF_POPULATED_BUS flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/platform.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -522,6 +522,8 @@ static int of_platform_device_destroy(st
 		return 0;
 	}
 
+	of_node_clear_flag(dev->of_node, OF_POPULATED);
+
 	if (dev->bus == &platform_bus_type)
 		platform_device_unregister(to_platform_device(dev));
 #ifdef CONFIG_ARM_AMBA
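Review bot: clearing OF_POPULATED before platform_device_unregister() fixes the access to freed memory, but it opens a window in which the node is marked unpopulated while its device is still registered. If anything can repopulate the node concurrently it could create a second device for it, so please state which lock or caller guarantee excludes that. An alternative that avoids the window is to take a reference on dev->of_node before unregistering and clear the flag afterwards.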
@@ -533,8 +535,6 @@ static int of_platform_device_destroy(st
 		return 0;
 	}
 
-	of_node_clear_flag(dev->of_node, OF_POPULATED);
-
 	return 0;
 }
 



* [PATCH 3.16 200/366] netfilter: nf_log: don't hold nf_log_mutex during user access
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 023/366] media: rc: mce_kbd decoder: fix stuck keys Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 249/366] qlogic: check kstrtoul() for errors Ben Hutchings
                   ` (232 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jann Horn, Pablo Neira Ayuso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit ce00bf07cc95a57cd20b208e02b3c2604e532ae8 upstream.

The old code would indefinitely block other users of nf_log_mutex if
a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
region. Fix it by moving proc_dostring() out of the locked region.

This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
sleeping function called from invalid context"), which changed this code
from using rcu_read_lock() to taking nf_log_mutex.

Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nf_log.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -273,15 +273,18 @@ static int nf_log_proc_dostring(struct c
 		rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
 		mutex_unlock(&nf_log_mutex);
 	} else {
+		struct ctl_table tmp = *table;
+
+		tmp.data = buf;
 		mutex_lock(&nf_log_mutex);
 		logger = rcu_dereference_protected(net->nf.nf_loggers[tindex],
 						   lockdep_is_held(&nf_log_mutex));
 		if (!logger)
-			table->data = "NONE";
+			strlcpy(buf, "NONE", sizeof(buf));
 		else
-			table->data = logger->name;
-		r = proc_dostring(table, write, buffer, lenp, ppos);
+			strlcpy(buf, logger->name, sizeof(buf));
 		mutex_unlock(&nf_log_mutex);
+		r = proc_dostring(&tmp, write, buffer, lenp, ppos);
 	}
 
 	return r;
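Review bot: tmp copies *table and only replaces .data, so tmp.maxlen still comes from the original table while the data now lives in buf, and the two sizes are no longer tied together. strlcpy() NUL-terminates buf, which bounds the read, but setting tmp.maxlen = sizeof(buf) would make that explicit. The declaration of buf is outside this hunk, so please also confirm that it is a char array in this scope, because sizeof(buf) would otherwise be the size of a pointer and both strlcpy() calls would truncate.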



* [PATCH 3.16 116/366] l2tp: fix refcount leakage on PPPoL2TP sockets
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 105/366] RDMA/mlx4: Discard unknown SQP work requests Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 225/366] tracing: Fix missing return symbol in function_graph output Ben Hutchings
                   ` (218 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 3d609342cc04129ff7568e19316ce3d7451a27e8 upstream.

Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
object destroy") tried to fix a race condition where a PPPoL2TP socket
would disappear while the L2TP session was still using it. However, it
missed the root issue which is that an L2TP session may accept to be
reconnected if its associated socket has entered the release process.

The tentative fix makes the session hold the socket it is connected to.
That saves the kernel from crashing, but introduces refcount leakage,
preventing the socket from completing the release process. Once stalled,
everything the socket depends on can't be released anymore, including
the L2TP session and the l2tp_ppp module.

The root issue is that, when releasing a connected PPPoL2TP socket, the
session's ->sk pointer (RCU-protected) is reset to NULL and we have to
wait for a grace period before destroying the socket. The socket drops
the session in its ->sk_destruct callback function, so the session
will exist until the last reference on the socket is dropped.
Therefore, there is a time frame where pppol2tp_connect() may accept
reconnecting a session, as it only checks ->sk to figure out if the
session is connected. This time frame is shortened by the fact that
pppol2tp_release() calls l2tp_session_delete(), making the session
unreachable before resetting ->sk. However, pppol2tp_connect() may
grab the session before it gets unhashed by l2tp_session_delete(), but
it may test ->sk after the latter got reset. The race is not so hard to
trigger and syzbot found a pretty reliable reproducer:
https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf

Before d02ba2a6110c, another race could let pppol2tp_release()
overwrite the ->__sk pointer of an L2TP session, thus tricking
pppol2tp_put_sk() into calling sock_put() on a socket that is different
than the one for which pppol2tp_release() was originally called. To get
there, we had to trigger the race described above, therefore having one
PPPoL2TP socket being released, while the session it is connected to is
reconnecting to a different PPPoL2TP socket. When releasing this new
socket fast enough, pppol2tp_release() overwrites the session's
->__sk pointer with the address of the new socket, before the first
pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
invoked by the original socket will sock_put() the new socket,
potentially dropping its last reference. When the second
pppol2tp_put_sk() finally runs, its socket has already been freed.

With d02ba2a6110c, the session takes a reference on both sockets.
Furthermore, the session's ->sk pointer is reset in the
pppol2tp_session_close() callback function rather than in
pppol2tp_release(). Therefore, ->__sk can't be overwritten and
pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
run pppol2tp_session_close() once, to protect the session against
concurrent deletion requests). Now pppol2tp_put_sk() will properly
sock_put() the original socket, but the new socket will remain, as
l2tp_session_delete() prevented the release process from completing.
Here, we don't depend on the ->__sk race to trigger the bug. Getting
into the pppol2tp_connect() race is enough to leak the reference, no
matter when the new socket is released.

So it all boils down to pppol2tp_connect() failing to realise that the
session has already been connected. This patch drops the unneeded extra
reference counting (mostly reverting d02ba2a6110c) and checks that
neither ->sk nor ->__sk is set before allowing a session to be
connected.

Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -449,16 +449,6 @@ static void pppol2tp_put_sk(struct rcu_h
  */
 static void pppol2tp_session_close(struct l2tp_session *session)
 {
-	struct pppol2tp_session *ps;
-
-	ps = l2tp_session_priv(session);
-	mutex_lock(&ps->sk_lock);
-	ps->__sk = rcu_dereference_protected(ps->sk,
-					     lockdep_is_held(&ps->sk_lock));
-	RCU_INIT_POINTER(ps->sk, NULL);
-	if (ps->__sk)
-		call_rcu(&ps->rcu, pppol2tp_put_sk);
-	mutex_unlock(&ps->sk_lock);
 }
 
 /* Really kill the session socket. (Called from sock_put() if
@@ -501,15 +491,24 @@ static int pppol2tp_release(struct socke
 	sock_orphan(sk);
 	sock->sk = NULL;
 
-	/* If the socket is associated with a session,
-	 * l2tp_session_delete will call pppol2tp_session_close which
-	 * will drop the session's ref on the socket.
-	 */
 	session = pppol2tp_sock_to_session(sk);
 	if (session) {
+		struct pppol2tp_session *ps;
+
 		l2tp_session_delete(session);
-		/* drop the ref obtained by pppol2tp_sock_to_session */
-		sock_put(sk);
+
+		ps = l2tp_session_priv(session);
+		mutex_lock(&ps->sk_lock);
+		ps->__sk = rcu_dereference_protected(ps->sk,
+						     lockdep_is_held(&ps->sk_lock));
+		RCU_INIT_POINTER(ps->sk, NULL);
+		mutex_unlock(&ps->sk_lock);
+		call_rcu(&ps->rcu, pppol2tp_put_sk);
+
+		/* Rely on the sock_put() call at the end of the function for
+		 * dropping the reference held by pppol2tp_sock_to_session().
+		 * The last reference will be dropped by pppol2tp_put_sk().
+		 */
 	}
 
 	release_sock(sk);
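Review bot: call_rcu(&ps->rcu, pppol2tp_put_sk) is now unconditional, whereas the code removed from pppol2tp_session_close() only scheduled it when ps->__sk was non-NULL. If ps->sk can already be NULL when pppol2tp_release() gets here, pppol2tp_put_sk() runs with a NULL ->__sk; its body is not in this patch, so please confirm it tolerates that or keep the if (ps->__sk) guard. call_rcu() is also issued after mutex_unlock(&ps->sk_lock), so it is worth stating why ps->rcu cannot be queued twice.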
@@ -764,7 +763,8 @@ static int pppol2tp_connect(struct socke
 		 */
 		mutex_lock(&ps->sk_lock);
 		if (rcu_dereference_protected(ps->sk,
-					      lockdep_is_held(&ps->sk_lock))) {
+					      lockdep_is_held(&ps->sk_lock)) ||
+		    ps->__sk) {
 			mutex_unlock(&ps->sk_lock);
 			error = -EEXIST;
 			goto end;
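Review bot: ps->__sk is read here under ps->sk_lock, which matches the writer added to pppol2tp_release(), but nothing in the visible lines ever resets ->__sk to NULL, so the -EEXIST result is permanent for a session whose socket has been released. That appears to be the intent, since the session has already gone through l2tp_session_delete(), and a short comment at the check saying so would keep a later cleanup from "fixing" it.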
@@ -832,7 +832,6 @@ static int pppol2tp_connect(struct socke
 
 out_no_ppp:
 	/* This is how we get the session context from the socket. */
-	sock_hold(sk);
 	sk->sk_user_data = session;
 	rcu_assign_pointer(ps->sk, sk);
 	mutex_unlock(&ps->sk_lock);



* [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 049/366] w1: support auto-load of w1_bq27000 module Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 304/366] netlink: Do not subscribe to non-existent groups Ben Hutchings
                   ` (245 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Pablo Neira Ayuso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 9ce7bc036ae4cfe3393232c86e9e1fea2153c237 upstream.

It is a waste of memory to use a full "struct netns_sysctl_ipv6"
while only one pointer is really used, considering netns_sysctl_ipv6
keeps growing.

Also, since "struct netns_frags" has cache line alignment,
it is better to move the frags_hdr pointer outside, otherwise
we spend a full cache line for this pointer.

This saves 192 bytes of memory per netns.

Fixes: c038a767cd69 ("ipv6: add a new namespace for nf_conntrack_reasm")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/net_namespace.h             | 1 +
 include/net/netns/ipv6.h                | 1 -
 net/ipv6/netfilter/nf_conntrack_reasm.c | 6 +++---
 3 files changed, 4 insertions(+), 4 deletions(-)

--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -112,6 +112,7 @@ struct net {
 #endif
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 	struct netns_nf_frag	nf_frag;
+	struct ctl_table_header *nf_frag_frags_hdr;
 #endif
 	struct sock		*nfnl;
 	struct sock		*nfnl_stash;
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -80,7 +80,6 @@ struct netns_ipv6 {
 
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 struct netns_nf_frag {
-	struct netns_sysctl_ipv6 sysctl;
 	struct netns_frags	frags;
 };
 #endif
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -109,7 +109,7 @@ static int nf_ct_frag6_sysctl_register(s
 	if (hdr == NULL)
 		goto err_reg;
 
-	net->nf_frag.sysctl.frags_hdr = hdr;
+	net->nf_frag_frags_hdr = hdr;
 	return 0;
 
 err_reg:
@@ -123,8 +123,8 @@ static void __net_exit nf_ct_frags6_sysc
 {
 	struct ctl_table *table;
 
-	table = net->nf_frag.sysctl.frags_hdr->ctl_table_arg;
-	unregister_net_sysctl_table(net->nf_frag.sysctl.frags_hdr);
+	table = net->nf_frag_frags_hdr->ctl_table_arg;
+	unregister_net_sysctl_table(net->nf_frag_frags_hdr);
 	if (!net_eq(net, &init_net))
 		kfree(table);
 }
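Review bot: the exit handler in this hunk dereferences net->nf_frag_frags_hdr without a NULL check, as the old code did with net->nf_frag.sysctl.frags_hdr. Since the pointer now sits directly in struct net, please confirm the exit path only runs after nf_ct_frag6_sysctl_register() has stored a header, or add the check before reading ->ctl_table_arg.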



* [PATCH 3.16 126/366] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (262 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 330/366] fs/proc: Stop trying to report thread stacks Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 262/366] x86/apm: Don't access __preempt_count with zeroed fs Ben Hutchings
                   ` (102 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Vlastimil Babka, Michal Hocko, Mel Gorman, Joonsoo Kim,
	David Rientjes, Linus Torvalds

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream.

In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for
allocations that can ignore memory policies.  The zonelist is obtained
from current CPU's node.  This is a problem for __GFP_THISNODE
allocations that want to allocate on a different node, e.g.  because the
allocating thread has been migrated to a different CPU.

This has been observed to break SLAB in our 4.4-based kernel, because
there it relies on __GFP_THISNODE working as intended.  If a slab page
is put on wrong node's list, then further list manipulations may corrupt
the list because page_to_nid() is used to determine which node's
list_lock should be locked and thus we may take a wrong lock and race.

Current SLAB implementation seems to be immune by luck thanks to commit
511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on
arbitrary node") but there may be others assuming that __GFP_THISNODE
works as promised.

We can fix it by simply removing the zonelist reset completely.  There
is actually no reason to reset it, because memory policies and cpusets
don't affect the zonelist choice in the first place.  This was different
when commit 183f6371aac2 ("mm: ignore mempolicies when using
ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their
own restricted zonelists.

We might consider this for 4.17 although I don't know if there's
anything currently broken.

SLAB is currently not affected, but in kernels older than 4.7 that don't
yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page
allocated on arbitrary node") it is.  That's at least 4.4 LTS.  Older
ones I'll have to check.

So stable backports should be more important, but will have to be
reviewed carefully, as the code went through many changes.  BTW I think
that also the ac->preferred_zoneref reset is currently useless if we
don't also reset ac->nodemask from a mempolicy to NULL first (which we
probably should for the OOM victims etc?), but I would leave that for a
separate patch.

Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK")
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: Resetting the zonelist may still be useful here,
 so keep doing it if __GFP_THISNODE is not used.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/page_alloc.c | 1 -
 1 file changed, 1 deletion(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2594,7 +2594,8 @@ rebalance:
 		 * the allocation is high priority and these type of
 		 * allocations are system rather than user orientated
 		 */
-		zonelist = node_zonelist(numa_node_id(), gfp_mask);
+		if (!(gfp_mask & __GFP_THISNODE))
+			zonelist = node_zonelist(numa_node_id(), gfp_mask);
 
 		page = __alloc_pages_high_priority(gfp_mask, order,
 				zonelist, high_zoneidx, nodemask,
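Review bot: the diffstat above says 1 deletion and no insertions, but this hunk deletes one line and adds two, so the stat was not regenerated for the backport; please refresh it so it matches what is applied. The existing comment above the assignment still describes an unconditional reset, so add a sentence there that __GFP_THISNODE allocations keep the caller's zonelist, otherwise the if looks arbitrary to the next reader.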



* [PATCH 3.16 120/366] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 061/366] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 085/366] usb: gadget: function: printer: avoid spinlock recursion Ben Hutchings
                   ` (354 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Eda Zhou, Ewan D. Milne, Himanshu Madhani

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@cavium.com>

commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.

This patch prevents driver from setting lower default speed of 1 GB/sec,
if the switch does not support Get Port Speed Capabilities (GPSC)
command. Setting this default speed results in much lower write
performance for large sequential WRITE.  This patch modifies driver to
check for gpsc_supported flags and prevents driver from issuing
MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
does not send this mailbox command, firmware assumes maximum supported
link speed and will operate at the max speed.

Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reported-by: Eda Zhou <ezhou@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Tested-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_init.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -3205,7 +3205,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vh
 		return;
 
 	if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
-	    fcport->fp_speed > ha->link_data_rate)
+	    fcport->fp_speed > ha->link_data_rate ||
+	    !ha->flags.gpsc_supported)
 		return;
 
 	rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,
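Review bot: the added `!ha->flags.gpsc_supported` test at the end of the early-return condition in qla2x00_iidma_fcport() carries no comment, so the reason for skipping qla2x00_set_idma_speed() lives only in the commit message. A one-line comment above the `if` saying that without GPSC the firmware is left to assume the maximum supported link speed would keep someone from undoing the silent return later. Since the flag test does not depend on fp_speed, it could also go first in the condition.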



* [PATCH 3.16 106/366] tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (285 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 348/366] MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 290/366] fscache: Fix reference overput in fscache_attach_object() error handling Ben Hutchings
                   ` (79 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Turner, Len Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Turner <mattst88@gmail.com>

commit e0d34648b4d77ba715e13739d04e7b0692fe5eaa upstream.

According to the Intel Software Developers' Manual, Vol. 4, Order No.
335592, these macros have been reversed since they were added.

Fixes: 889facbee3e6 ("tools/power turbostat: v3.0: monitor Watts and Temperature")
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/power/x86/turbostat/turbostat.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -1088,8 +1088,8 @@ void print_verbose_header(void)
 print_nhm_turbo_ratio_limits:
 	get_msr(0, MSR_NHM_SNB_PKG_CST_CFG_CTL, &msr);
 
-#define SNB_C1_AUTO_UNDEMOTE              (1UL << 27)
-#define SNB_C3_AUTO_UNDEMOTE              (1UL << 28)
+#define SNB_C3_AUTO_UNDEMOTE              (1UL << 27)
+#define SNB_C1_AUTO_UNDEMOTE              (1UL << 28)
 
 	fprintf(stderr, "cpu0: MSR_NHM_SNB_PKG_CST_CFG_CTL: 0x%08llx", msr);
 
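Review bot: the two corrected defines sit in the middle of print_verbose_header() with nothing tying bits 27 and 28 of MSR_NHM_SNB_PKG_CST_CFG_CTL to their meaning, which is how the reversed values went unnoticed since they were added. Suggest a short comment next to them naming the SDM reference given in the commit message, so the pair is not swapped back by someone comparing against an old copy.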



* [PATCH 3.16 133/366] backlight: as3711_bl: Fix Device Tree node leaks
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 087/366] perf/core: Fix group scheduling with mixed hw and sw events Ben Hutchings
                   ` (278 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel Thompson, Lee Jones, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d5318d302e7cf6583ec85a2a8bfbb3a3910ae372 upstream.

Two framebuffer device-node names were looked up during probe, but were
only used as flags to indicate the presence of two framebuffer devices.

Drop the unused framebuffer name along with a likewise unused device
pointer from the driver data, and update the platform data to pass in
booleans instead of the framebuffer strings. This allows us to drop the
node references acquired during probe, which would otherwise leak.

Note that there are no other in-kernel users of the modified
platform-data fields.

Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/as3711_bl.c | 12 ++++++------
 include/linux/mfd/as3711.h          |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -28,8 +28,6 @@ enum as3711_bl_type {
 
 struct as3711_bl_data {
 	bool powered;
-	const char *fb_name;
-	struct device *fb_dev;
 	enum as3711_bl_type type;
 	int brightness;
 	struct backlight_device *bl;
@@ -273,7 +271,9 @@ static int as3711_backlight_parse_dt(str
 
 	fb = of_parse_phandle(bl, "su1-dev", 0);
 	if (fb) {
-		pdata->su1_fb = fb->full_name;
+		of_node_put(fb);
+
+		pdata->su1_fb = true;
 
 		ret = of_property_read_u32(bl, "su1-max-uA", &pdata->su1_max_uA);
 		if (pdata->su1_max_uA <= 0)
@@ -286,7 +286,9 @@ static int as3711_backlight_parse_dt(str
 	if (fb) {
 		int count = 0;
 
-		pdata->su2_fb = fb->full_name;
+		of_node_put(fb);
+
+		pdata->su2_fb = true;
 
 		ret = of_property_read_u32(bl, "su2-max-uA", &pdata->su2_max_uA);
 		if (pdata->su2_max_uA <= 0)
@@ -425,7 +427,6 @@ static int as3711_backlight_probe(struct
 
 	if (pdata->su1_fb) {
 		su = &supply->su1;
-		su->fb_name = pdata->su1_fb;
 		su->type = AS3711_BL_SU1;
 
 		max_brightness = min(pdata->su1_max_uA, 31);
@@ -436,7 +437,6 @@ static int as3711_backlight_probe(struct
 
 	if (pdata->su2_fb) {
 		su = &supply->su2;
-		su->fb_name = pdata->su2_fb;
 		su->type = AS3711_BL_SU2;
 
 		switch (pdata->su2_fbprot) {
--- a/include/linux/mfd/as3711.h
+++ b/include/linux/mfd/as3711.h
@@ -107,9 +107,9 @@ struct as3711_regulator_pdata {
 };
 
 struct as3711_bl_pdata {
-	const char *su1_fb;
+	bool su1_fb;
 	int su1_max_uA;
-	const char *su2_fb;
+	bool su2_fb;
 	int su2_max_uA;
 	enum as3711_su2_feedback su2_feedback;
 	enum as3711_su2_fbprot su2_fbprot;
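Review bot: changing `su1_fb` and `su2_fb` from `const char *` to `bool` in struct as3711_bl_pdata will not cause a build failure in a board file that still assigns a string, because a pointer converts implicitly to bool and a non-NULL name simply becomes true. The commit message only covers in-kernel users; a short comment on the two fields stating that they are now presence flags would make the new contract visible in the header itself.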



* [PATCH 3.16 042/366] powerpc/lib: Fix the feature fixup tests to actually work
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (305 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING Ben Hutchings
                   ` (59 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit cad0e39023b43d94d5e38dfd55c103e15bdd093d upstream.

The code patching code has always been a bit confused about whether
it's best to use void *, unsigned int *, char *, etc. to point to
instructions. In fact in the feature fixups tests we use both unsigned
int[] and u8[] in different places.

Unfortunately the tests that use unsigned int[] calculate the size of
the code blocks using subtraction of those unsigned int pointers, and
then pass the result to memcmp(). This means we're only comparing 1/4
of the bytes we need to, because we need to multiply by
sizeof(unsigned int) to get the number of *bytes*.

The result is that the tests do all the patching and then only compare
some of the resulting code, so patching bugs that only affect the
last 3/4 of the code could slip through undetected. It turns out that
hasn't been happening, although one test had a bad expected case (see
previous commit).

Fix it for now by multiplying the size by 4 in the affected functions.

Fixes: 362e7701fd18 ("powerpc: Add self-tests of the feature fixup code")
Epic-brown-paper-bag-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/lib/feature-fixups.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -170,7 +170,7 @@ void test_basic_patching(void)
 	extern unsigned int end_ftr_fixup_test1[];
 	extern unsigned int ftr_fixup_test1_orig[];
 	extern unsigned int ftr_fixup_test1_expected[];
-	int size = end_ftr_fixup_test1 - ftr_fixup_test1;
+	int size = 4 * (end_ftr_fixup_test1 - ftr_fixup_test1);
 
 	fixup.value = fixup.mask = 8;
 	fixup.start_off = calc_offset(&fixup, ftr_fixup_test1 + 1);
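Review bot: the literal `4 *` in `int size = 4 * (end_ftr_fixup_test1 - ftr_fixup_test1);` hard-codes the element size that the commit message itself describes as sizeof(unsigned int). Writing `sizeof(*ftr_fixup_test1) * (...)` keeps the byte count tied to the array type, and since the same expression is repeated in six tests, a small helper macro would stop the next added test from reintroducing the short compare.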
@@ -202,7 +202,7 @@ static void test_alternative_patching(vo
 	extern unsigned int ftr_fixup_test2_orig[];
 	extern unsigned int ftr_fixup_test2_alt[];
 	extern unsigned int ftr_fixup_test2_expected[];
-	int size = end_ftr_fixup_test2 - ftr_fixup_test2;
+	int size = 4 * (end_ftr_fixup_test2 - ftr_fixup_test2);
 
 	fixup.value = fixup.mask = 0xF;
 	fixup.start_off = calc_offset(&fixup, ftr_fixup_test2 + 1);
@@ -234,7 +234,7 @@ static void test_alternative_case_too_bi
 	extern unsigned int end_ftr_fixup_test3[];
 	extern unsigned int ftr_fixup_test3_orig[];
 	extern unsigned int ftr_fixup_test3_alt[];
-	int size = end_ftr_fixup_test3 - ftr_fixup_test3;
+	int size = 4 * (end_ftr_fixup_test3 - ftr_fixup_test3);
 
 	fixup.value = fixup.mask = 0xC;
 	fixup.start_off = calc_offset(&fixup, ftr_fixup_test3 + 1);
@@ -261,7 +261,7 @@ static void test_alternative_case_too_sm
 	extern unsigned int ftr_fixup_test4_orig[];
 	extern unsigned int ftr_fixup_test4_alt[];
 	extern unsigned int ftr_fixup_test4_expected[];
-	int size = end_ftr_fixup_test4 - ftr_fixup_test4;
+	int size = 4 * (end_ftr_fixup_test4 - ftr_fixup_test4);
 	unsigned long flag;
 
 	/* Check a high-bit flag */
@@ -295,7 +295,7 @@ static void test_alternative_case_with_b
 	extern unsigned int ftr_fixup_test5[];
 	extern unsigned int end_ftr_fixup_test5[];
 	extern unsigned int ftr_fixup_test5_expected[];
-	int size = end_ftr_fixup_test5 - ftr_fixup_test5;
+	int size = 4 * (end_ftr_fixup_test5 - ftr_fixup_test5);
 
 	check(memcmp(ftr_fixup_test5, ftr_fixup_test5_expected, size) == 0);
 }
@@ -305,7 +305,7 @@ static void test_alternative_case_with_e
 	extern unsigned int ftr_fixup_test6[];
 	extern unsigned int end_ftr_fixup_test6[];
 	extern unsigned int ftr_fixup_test6_expected[];
-	int size = end_ftr_fixup_test6 - ftr_fixup_test6;
+	int size = 4 * (end_ftr_fixup_test6 - ftr_fixup_test6);
 
 	check(memcmp(ftr_fixup_test6, ftr_fixup_test6_expected, size) == 0);
 }
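
The size bug described in the commit message above, as an added stand-alone example (not part of the patch or of the kernel tree). The arrays, their values and all function names are constructed for illustration; the only assumption is that sizeof(unsigned int) is larger than 1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NWORDS 8

/* Constructed sample data: a "patched" code block and the image a test
 * expects. They differ only in word 5, i.e. in the tail of the block. */
static const unsigned int patched[NWORDS] = {
	0x60000000, 0x60000000, 0x60000000, 0x60000000,
	0x60000000, 0x38600001, 0x60000000, 0x60000000,
};
static const unsigned int expected[NWORDS] = {
	0x60000000, 0x60000000, 0x60000000, 0x60000000,
	0x60000000, 0x38600002, 0x60000000, 0x60000000,
};

/* Pattern before the fix: the pointer difference is a count of
 * unsigned ints, but memcmp() treats it as a count of bytes. */
static int check_with_word_count(const unsigned int *start,
				 const unsigned int *end,
				 const unsigned int *want)
{
	int size = (int)(end - start);

	return memcmp(start, want, size) == 0;
}

/* Corrected pattern: scale the element count by the element size. */
static int check_with_byte_count(const unsigned int *start,
				 const unsigned int *end,
				 const unsigned int *want)
{
	size_t size = (size_t)(end - start) * sizeof(*start);

	return memcmp(start, want, size) == 0;
}

/* How many whole words the word-count compare actually inspects. */
static size_t words_inspected(const unsigned int *start,
			      const unsigned int *end)
{
	return (size_t)(end - start) / sizeof(*start);
}

/* Index of the first differing word, or -1 if the blocks are equal. */
static long first_mismatch(const unsigned int *start,
			   const unsigned int *end,
			   const unsigned int *want)
{
	long i;

	for (i = 0; i < end - start; i++)
		if (start[i] != want[i])
			return i;
	return -1;
}

int main(void)
{
	const unsigned int *end = patched + NWORDS;

	printf("first differing word:       %ld\n",
	       first_mismatch(patched, end, expected));
	printf("words inspected (buggy):    %zu of %d\n",
	       words_inspected(patched, end), NWORDS);
	printf("word-count compare passes:  %d\n",
	       check_with_word_count(patched, end, expected));
	printf("byte-count compare passes:  %d\n",
	       check_with_byte_count(patched, end, expected));
	return 0;
}
```

The word-count compare reports success even though the blocks differ, because the difference lies beyond the bytes it inspects.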



* [PATCH 3.16 107/366] x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (230 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 327/366] ceph: fix endianness of getattr mask in ceph_d_revalidate Ben Hutchings
                   ` (134 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Turner, Len Brown, Ingo Molnar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Turner <mattst88@gmail.com>

commit a00072a24a9f5b88cfc56f2dec6afe8ce3874e60 upstream.

According to the Intel Software Developers' Manual, Vol. 4, Order No.
335592, these macros have been reversed since they were added in the
initial turbostat commit. The reversed definitions were presumably
copied from turbostat.c to this file.

Fixes: 9c63a650bb10 ("tools/power/x86/turbostat: share kernel MSR #defines")
Signed-off-by: Matt Turner <mattst88@gmail.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Len Brown <len.brown@intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/uapi/asm/msr-index.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -50,8 +50,8 @@
 #define NHM_C3_AUTO_DEMOTE		(1UL << 25)
 #define NHM_C1_AUTO_DEMOTE		(1UL << 26)
 #define ATM_LNC_C6_AUTO_DEMOTE		(1UL << 25)
-#define SNB_C1_AUTO_UNDEMOTE		(1UL << 27)
-#define SNB_C3_AUTO_UNDEMOTE		(1UL << 28)
+#define SNB_C3_AUTO_UNDEMOTE		(1UL << 27)
+#define SNB_C1_AUTO_UNDEMOTE		(1UL << 28)
 
 #define MSR_PLATFORM_INFO		0x000000ce
 #define MSR_MTRRcap			0x000000fe
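Review bot: this swap lands in a uapi header (arch/x86/include/uapi/asm/msr-index.h), so anything built against the old values keeps the reversed meaning of bits 27 and 28 until it is rebuilt; that deserves a line in the backport note. After the change the SNB pair follows the same C3-then-C1 bit order as NHM_C3_AUTO_DEMOTE and NHM_C1_AUTO_DEMOTE just above, which is a cross-check worth recording in a comment beside the defines.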



* [PATCH 3.16 049/366] w1: support auto-load of w1_bq27000 module.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 311/366] root dentries need RCU-delayed freeing Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste Ben Hutchings
                   ` (246 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Evgeniy Polyakov, NeilBrown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.de>

commit 4b7e4f8289c1ca60accb6c1baf31984f69bc2771 upstream.

1/ change request_module call to zero-pad single digit
   family numbers.  This appears to be the intention of
   the code, but not what it actually does.

   This means that the alias created for W1_FAMILY_SMEM_01
   might actually be useful.

2/ Define a family name for the BQ27000 battery charge monitor.
   Unfortunately this is the same number as W1_FAMILY_SMEM_01
   so if both are compiled on a system, one module might need to
   be blacklisted.

3/ Add a MODULE_ALIAS for the bq27000.

Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/slaves/w1_bq27000.c | 4 ++--
 drivers/w1/w1.c                | 2 +-
 drivers/w1/w1_family.h         | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/w1/slaves/w1_bq27000.c
+++ b/drivers/w1/slaves/w1_bq27000.c
@@ -88,7 +88,7 @@ static struct w1_family_ops w1_bq27000_f
 };
 
 static struct w1_family w1_bq27000_family = {
-	.fid = 1,
+	.fid = W1_FAMILY_BQ27000,
 	.fops = &w1_bq27000_fops,
 };
 
@@ -111,7 +111,7 @@ module_exit(w1_bq27000_exit);
 
 module_param(F_ID, int, S_IRUSR);
 MODULE_PARM_DESC(F_ID, "1-wire slave FID for BQ device");
-
+MODULE_ALIAS("w1-family-" __stringify(W1_FAMILY_BQ27000));
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Texas Instruments Ltd");
 MODULE_DESCRIPTION("HDQ/1-wire slave driver bq27000 battery monitor chip");
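Review bot: `MODULE_ALIAS("w1-family-" __stringify(W1_FAMILY_BQ27000))` only matches the `w1-family-0x%02x` string built in w1.c because the define happens to be spelled `0x01`; writing it as `1` or `0x1` later would silently break auto-load. A comment beside the alias saying the literal spelling is significant would help. The hunk also removes the blank line that separated module_param/MODULE_PARM_DESC from the MODULE_* block, and F_ID remains a module parameter while `.fid` and the alias are now fixed at the constant.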
--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -727,7 +727,7 @@ int w1_attach_slave_device(struct w1_mas
 
 	/* slave modules need to be loaded in a context with unlocked mutex */
 	mutex_unlock(&dev->mutex);
-	request_module("w1-family-0x%0x", rn->family);
+	request_module("w1-family-0x%02x", rn->family);
 	mutex_lock(&dev->mutex);
 
 	spin_lock(&w1_flock);
--- a/drivers/w1/w1_family.h
+++ b/drivers/w1/w1_family.h
@@ -27,6 +27,7 @@
 #include <linux/atomic.h>
 
 #define W1_FAMILY_DEFAULT	0
+#define W1_FAMILY_BQ27000	0x01
 #define W1_FAMILY_SMEM_01	0x01
 #define W1_FAMILY_SMEM_81	0x81
 #define W1_THERM_DS18S20 	0x10
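Review bot: W1_FAMILY_BQ27000 and W1_FAMILY_SMEM_01 now both expand to 0x01 with nothing in the header saying this is intentional. The commit message explains that one module may need to be blacklisted when both are built; that belongs in a comment beside the new define, since this is where the next reader will notice the collision.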



* [PATCH 3.16 074/366] RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 359/366] perf top: Use __fallthrough Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage Ben Hutchings
                   ` (257 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Evgenii Smirnov, Doug Ledford

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Ledford <dledford@redhat.com>

commit fa9391dbad4b868512ed22a7e41765f881a8a935 upstream.

We do a light flush on CLIENT_REREG and SM_CHANGE events.  This goes
through and marks paths invalid. But we weren't always checking for this
validity when we needed to, and so we could keep using a path marked
invalid.  What's more, once we establish a path with a valid ah, we put
a pointer to the ah in the neigh struct directly, so even if we mark the
path as invalid, as long as the neigh has a direct pointer to the ah, it
keeps using the old, outdated ah.

To fix this we do several things.

1) Put the valid flag in the ah instead of the path struct, so when we
put the ah pointer directly in the neigh struct, we can easily check the
validity of the ah on send events.
2) Check the neigh->ah and neigh->ah->valid elements in the needed
places, and if we have an ah, but it's invalid, then invoke a refresh of
the ah.
3) Fix the various places that check for path, but didn't check for
path->valid (now path->ah && path->ah->valid).

Reported-by: Evgenii Smirnov <evgenii.smirnov@profitbricks.com>
Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
 - s/phdr->hwaddr/cb->hdwaddr/
 - s/ipoib_priv/netdev_priv/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib.h      |  2 +-
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 33 ++++++++++++++++++-----
 2 files changed, 28 insertions(+), 7 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -384,6 +384,7 @@ struct ipoib_ah {
 	struct list_head   list;
 	struct kref	   ref;
 	unsigned	   last_send;
+	int  		   valid;
 };
 
 struct ipoib_path {
@@ -400,7 +401,6 @@ struct ipoib_path {
 
 	struct rb_node	      rb_node;
 	struct list_head      list;
-	int  		      valid;
 };
 
 struct ipoib_neigh {
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -426,7 +426,8 @@ void ipoib_mark_paths_invalid(struct net
 		ipoib_dbg(priv, "mark path LID 0x%04x GID %pI6 invalid\n",
 			be16_to_cpu(path->pathrec.dlid),
 			path->pathrec.dgid.raw);
-		path->valid =  0;
+		if (path->ah)
+			path->ah->valid = 0;
 	}
 
 	spin_unlock_irq(&priv->lock);
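Review bot: in ipoib_mark_paths_invalid() the ipoib_dbg() line still reports "mark path ... invalid" for every path, but with the new `if (path->ah)` guard nothing is marked when the path has no ah. Either move the debug print under the guard or reword it, so the log does not claim an invalidation that did not happen.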
@@ -535,7 +536,7 @@ static void path_rec_completion(int stat
 			while ((skb = __skb_dequeue(&neigh->queue)))
 				__skb_queue_tail(&skqueue, skb);
 		}
-		path->valid = 1;
+		path->ah->valid = 1;
 	}
 
 	path->query = NULL;
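Review bot: `path->ah->valid = 1;` dereferences path->ah unconditionally, while the ipoib_mark_paths_invalid() hunk above guards the same field with `if (path->ah)`. The visible context does not show that ah is non-NULL at this point in path_rec_completion(); please confirm that from the enclosing branch or add the same guard.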
@@ -615,6 +616,24 @@ static int path_rec_start(struct net_dev
 	return 0;
 }
 
+static void neigh_refresh_path(struct ipoib_neigh *neigh, u8 *daddr,
+			       struct net_device *dev)
+{
+	struct ipoib_dev_priv *priv = netdev_priv(dev);
+	struct ipoib_path *path;
+	unsigned long flags;
+
+	spin_lock_irqsave(&priv->lock, flags);
+
+	path = __path_find(dev, daddr + 4);
+	if (!path)
+		goto out;
+	if (!path->query)
+		path_rec_start(dev, path);
+out:
+	spin_unlock_irqrestore(&priv->lock, flags);
+}
+
 static struct ipoib_neigh *neigh_add_path(struct sk_buff *skb, u8 *daddr,
 					  struct net_device *dev)
 {
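Review bot: neigh_refresh_path() takes a `neigh` argument that its body never uses, and the `daddr + 4` offset passed to __path_find() is unexplained. Drop the parameter or say why it is kept, and add a one-line comment on the offset. The function also returns void, so the caller cannot tell whether path_rec_start() was started, failed, or was skipped because a query was already pending.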
@@ -651,7 +670,7 @@ static struct ipoib_neigh *neigh_add_pat
 
 	list_add_tail(&neigh->list, &path->neigh_list);
 
-	if (path->ah) {
+	if (path->ah && path->ah->valid) {
 		kref_get(&path->ah->ref);
 		neigh->ah = path->ah;
 
@@ -710,7 +729,7 @@ static void unicast_arp_send(struct sk_b
 	spin_lock_irqsave(&priv->lock, flags);
 
 	path = __path_find(dev, cb->hwaddr + 4);
-	if (!path || !path->valid) {
+	if (!path || !path->ah || !path->ah->valid) {
 		int new_path = 0;
 
 		if (!path) {
@@ -736,7 +755,7 @@ static void unicast_arp_send(struct sk_b
 		return;
 	}
 
-	if (path->ah) {
+	if (path->ah && path->ah->valid) {
 		ipoib_dbg(priv, "Send unicast ARP to %04x\n",
 			  be16_to_cpu(path->pathrec.dlid));
 
@@ -818,9 +837,11 @@ send_using_neigh:
 			ipoib_cm_send(dev, skb, ipoib_cm_get(neigh));
 			goto unref;
 		}
-	} else if (neigh->ah) {
+	} else if (neigh->ah && neigh->ah->valid) {
 		ipoib_send(dev, skb, neigh->ah, IPOIB_QPN(cb->hwaddr));
 		goto unref;
+	} else if (neigh->ah) {
+		neigh_refresh_path(neigh, cb->hwaddr, dev);
 	}
 
 	if (skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE) {



* [PATCH 3.16 053/366] sbitmap: fix race in wait batch accounting
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (188 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 351/366] usb: misc: usb3503: Update error code in print message Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 196/366] staging: android: ion: Return an ERR_PTR in ion_map_kernel Ben Hutchings
                   ` (176 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Omar Sandoval, Jens Axboe

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit c854ab5773be1c1a0d3cef0c3a3261f2c48ab7f8 upstream.

If we have multiple callers of sbq_wake_up(), we can end up in a
situation where the wait_cnt will continually go more and more
negative. Consider the case where our wake batch is 1, hence
wait_cnt will start out as 1.

wait_cnt == 1

CPU0				CPU1
atomic_dec_return(), cnt == 0
				atomic_dec_return(), cnt == -1
				cmpxchg(-1, 0) (succeeds)
				[wait_cnt now 0]
cmpxchg(0, 1) (fails)

This ends up with wait_cnt being 0, we'll wake up immediately
next time. Going through the same loop as above again, and
we'll have wait_cnt -1.

For the case where we have a larger wake batch, the only
difference is that the starting point will be higher. We'll
still end up with continually smaller batch wakeups, which
defeats the purpose of the rolling wakeups.

Always reset the wait_cnt to the batch value. Then it doesn't
matter who wins the race. But ensure that whoever does win
the race is the one that increments the ws index and wakes up
our batch count, loser gets to call __sbq_wake_up() again to
account his wakeups towards the next active wait state index.

Fixes: 6c0ca7ae292a ("sbitmap: fix wakeup hang after sbq resize")
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16:
 - Rename almost everything
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-mq-tag.c | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)

--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -336,42 +336,58 @@ static struct bt_wait_state *bt_wake_ptr
 	return NULL;
 }
 
-static void bt_clear_tag(struct blk_mq_bitmap_tags *bt, unsigned int tag)
+static bool __bt_wake_up(struct blk_mq_bitmap_tags *bt)
 {
-	const int index = TAG_TO_INDEX(bt, tag);
 	struct bt_wait_state *bs;
 	unsigned int wake_batch;
 	int wait_cnt;
 
-	clear_bit(TAG_TO_BIT(bt, tag), &bt->map[index].word);
-
 	/* Ensure that the wait list checks occur after clear_bit(). */
 	smp_mb();
 
 	bs = bt_wake_ptr(bt);
 	if (!bs)
-		return;
+		return false;
 
 	wait_cnt = atomic_dec_return(&bs->wait_cnt);
 	if (wait_cnt <= 0) {
+		int ret;
+
 		wake_batch = ACCESS_ONCE(bt->wake_cnt);
+
 		/*
 		 * Pairs with the memory barrier in bt_update_count() to
 		 * ensure that we see the batch size update before the wait
 		 * count is reset.
 		 */
 		smp_mb__before_atomic();
+
 		/*
-		 * If there are concurrent callers to bt_clear_tag(), the last
-		 * one to decrement the wait count below zero will bump it back
-		 * up. If there is a concurrent resize, the count reset will
-		 * either cause the cmpxchg to fail or overwrite after the
-		 * cmpxchg.
+		 * For concurrent callers of this, the one that failed the
+		 * atomic_cmpxhcg() race should call this function again
+		 * to wakeup a new batch on a different 'bs'.
 		 */
-		atomic_cmpxchg(&bs->wait_cnt, wait_cnt, wait_cnt + wake_batch);
-		bt_index_atomic_inc(&bt->wake_index);
-		wake_up(&bs->wait);
+		ret = atomic_cmpxchg(&bs->wait_cnt, wait_cnt, wake_batch);
+		if (ret == wait_cnt) {
+			bt_index_atomic_inc(&bt->wake_index);
+			wake_up(&bs->wait);
+			return false;
+		}
+
+		return true;
 	}
+
+	return false;
+}
+
+static void bt_clear_tag(struct blk_mq_bitmap_tags *bt, unsigned int tag)
+{
+	const int index = TAG_TO_INDEX(bt, tag);
+
+	clear_bit(TAG_TO_BIT(bt, tag), &bt->map[index].word);
+
+	while (__bt_wake_up(bt))
+		;
 }
 
 static void __blk_mq_put_tag(struct blk_mq_tags *tags, unsigned int tag)
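Review bot: the new comment in __bt_wake_up() misspells the primitive as `atomic_cmpxhcg()`, and the retained comment "Ensure that the wait list checks occur after clear_bit()" now sits in a function that no longer calls clear_bit() and is re-entered from the `while (__bt_wake_up(bt))` loop, so the barrier is repeated on every retry. Please fix the typo, reword the barrier comment to point at the caller, and document the bool return (true means the cmpxchg was lost and the caller should call again), since the empty-bodied loop in bt_clear_tag() depends entirely on it.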



* [PATCH 3.16 055/366] mfd: tps65911-comparator: Fix a build error
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 358/366] tools include: Add a __fallthrough statement Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 125/366] mm: /proc/pid/pagemap: hide swap entries from unprivileged users Ben Hutchings
                   ` (322 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Lee Jones

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit ac1886165cd1201c5793099b6fbad1876bf98dfe upstream.

In 2012, we changed the tps65910 API and fixed most drivers but forgot
to update this one.

Fixes: 3f7e82759c69 ("mfd: Commonize tps65910 regmap access through header")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/tps65911-comparator.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mfd/tps65911-comparator.c
+++ b/drivers/mfd/tps65911-comparator.c
@@ -78,7 +78,7 @@ static int comp_threshold_set(struct tps
 		return -EINVAL;
 
 	val = index << 1;
-	ret = tps65910->write(tps65910, tps_comp.reg, 1, &val);
+	ret = tps65910_reg_write(tps65910, tps_comp.reg, val);
 
 	return ret;
 }
@@ -86,13 +86,13 @@ static int comp_threshold_set(struct tps
 static int comp_threshold_get(struct tps65910 *tps65910, int id)
 {
 	struct comparator tps_comp = tps_comparators[id];
+	unsigned int val;
 	int ret;
-	u8 val;
 
 	if (id == COMP)
 		return 0;
 
-	ret = tps65910->read(tps65910, tps_comp.reg, 1, &val);
+	ret = tps65910_reg_read(tps65910, tps_comp.reg, &val);
 	if (ret < 0)
 		return ret;
 



* [PATCH 3.16 045/366] vfs: add the sb_start_intwrite_trylock() helper
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 163/366] xen-netfront: fix locking in connect error path Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 346/366] kexec: Fix make headers_check Ben Hutchings
                   ` (236 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Jan Kara, Amir Goldstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 0c8e3fe35db9b66ae0030849545030ec7c0fc45c upstream.

Needed by ext4 to test frozen fs before updating s_last_mounted.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/fs.h | 5 +++++
 1 file changed, 5 insertions(+)

--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1389,6 +1389,11 @@ static inline void sb_start_intwrite(str
 	__sb_start_write(sb, SB_FREEZE_FS, true);
 }
 
+static inline int sb_start_intwrite_trylock(struct super_block *sb)
+{
+	return __sb_start_write(sb, SB_FREEZE_FS, false);
+}
+
 
 extern bool inode_owner_or_capable(const struct inode *inode);
 
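Review bot: sb_start_intwrite_trylock() is added without a comment stating its return convention, and it returns `int` while the sb_start_intwrite() just above is void, so callers have to read __sb_start_write() to learn what a zero result means and whether a successful call must be paired with the usual end-of-write call. A short comment above the helper would cover that. The hunk also leaves two consecutive blank lines after the new function.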



* [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 220/366] x86/bugs: Add AMD's variant of SSB_NO Ben Hutchings
                   ` (312 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Leon Romanovsky, Ran Rozenstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit fe48aecb4df837540f13b5216f27ddb306aaf4b9 upstream.

The conversion from offsetof() calculations to sizeof()
wrongly behaved for missed exact size and in scenario with
more than one flow.

In such scenario we got "create flow failed, flow 10: 8 bytes
left from uverb cmd" error, which is wrong because the size of
kern_spec is exactly 8 bytes, and we were not supposed to fail.

Fixes: 4fae7f170416 ("RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow")
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2761,7 +2761,7 @@ int ib_uverbs_ex_create_flow(struct ib_u
 	kern_spec = kern_flow_attr->flow_specs;
 	ib_spec = flow_attr + 1;
 	for (i = 0; i < flow_attr->num_of_specs &&
-			cmd.flow_attr.size > sizeof(*kern_spec) &&
+			cmd.flow_attr.size >= sizeof(*kern_spec) &&
 			cmd.flow_attr.size >= kern_spec->size;
 	     i++) {
 		err = kern_spec_to_ib_spec(
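Review bot: the relaxed `cmd.flow_attr.size >= sizeof(*kern_spec)` test only guarantees that the header can be read; nothing in the visible condition requires `kern_spec->size` itself to be at least sizeof(*kern_spec), so a spec that advertises a size smaller than its own header still enters the loop body. Please confirm that kern_spec_to_ib_spec() rejects that in the 3.16 tree, or add `kern_spec->size >= sizeof(*kern_spec)` to the condition. This hunk also depends on the `sizeof(*kern_spec)` form introduced by 199/366, so the two must be applied in that order.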


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 067/366] scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()'
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christophe Jaillet, Martin K. Petersen, Dan Carpenter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>

commit 51b910c3c70986a5a0a84eea11cb8e904e37ba8b upstream.

The 'free_irq()' call is not at the right place in the error handling
path.  The changed order has been introduced in commit 3d4253d9afab
("[SCSI] qlogicpti: Convert to new SBUS device framework.")

Fixes: 3d4253d9afab ("[SCSI] qlogicpti: Convert to new SBUS device framework.")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qlogicpti.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/qlogicpti.c
+++ b/drivers/scsi/qlogicpti.c
@@ -1386,6 +1386,9 @@ fail_unmap_queues:
 			  qpti->req_cpu, qpti->req_dvma);
 #undef QSIZE
 
+fail_free_irq:
+	free_irq(qpti->irq, qpti);
+
 fail_unmap_regs:
 	of_iounmap(&op->resource[0], qpti->qregs,
 		   resource_size(&op->resource[0]));
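Review bot: with fail_free_irq now sitting between fail_unmap_queues and fail_unmap_regs, every error path that enters at fail_unmap_queues falls through into free_irq(qpti->irq, qpti). Please confirm that in 3.16 every `goto fail_unmap_queues` is reached only after request_irq() has succeeded, and that nothing jumps to fail_unmap_regs once the IRQ is held. A one-line comment above the labels stating that they unwind in reverse order of acquisition would make that checkable at a glance.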
@@ -1393,9 +1396,6 @@ fail_unmap_regs:
 		of_iounmap(&op->resource[0], qpti->sreg,
 			   sizeof(unsigned char));
 
-fail_free_irq:
-	free_irq(qpti->irq, qpti);
-
 fail_unlink:
 	scsi_host_put(host);
 


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 113/366] PCI: shpchp: Fix AMD POGO identification
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bjorn Helgaas, Mika Westerberg, Rafael J. Wysocki

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit bed4e9cfab93a0f3d0144cb919820e6d5c40b8b1 upstream.

The fix for an AMD POGO erratum related to SHPC incorrectly identified the
device.  The workaround should be applied only for AMD POGO devices, but it
was instead applied to:

  - all AMD bridges, and
  - all devices from any vendor with device ID 0x7458

Fixes: 53044f357448 ("[PATCH] PCI Hotplug: shpchp: AMD POGO errata fix")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/hotplug/shpchp_ctrl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/pci/hotplug/shpchp_ctrl.c
+++ b/drivers/pci/hotplug/shpchp_ctrl.c
@@ -595,13 +595,13 @@ static int shpchp_enable_slot (struct sl
 	ctrl_dbg(ctrl, "%s: p_slot->pwr_save %x\n", __func__, p_slot->pwr_save);
 	p_slot->hpc_ops->get_latch_status(p_slot, &getstatus);
 
-	if(((p_slot->ctrl->pci_dev->vendor == PCI_VENDOR_ID_AMD) ||
-	    (p_slot->ctrl->pci_dev->device == PCI_DEVICE_ID_AMD_POGO_7458))
+	if ((p_slot->ctrl->pci_dev->vendor == PCI_VENDOR_ID_AMD &&
+	     p_slot->ctrl->pci_dev->device == PCI_DEVICE_ID_AMD_POGO_7458)
 	     && p_slot->ctrl->num_slots == 1) {
-		/* handle amd pogo errata; this must be done before enable  */
+		/* handle AMD POGO errata; this must be done before enable  */
 		amd_pogo_errata_save_misc_reg(p_slot);
 		retval = board_added(p_slot);
-		/* handle amd pogo errata; this must be done after enable  */
+		/* handle AMD POGO errata; this must be done after enable  */
 		amd_pogo_errata_restore_misc_reg(p_slot);
 	} else
 		retval = board_added(p_slot);
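Review bot: the corrected test still wraps the vendor and device comparison in its own parentheses and leaves `&& p_slot->ctrl->num_slots == 1` with a leading operator on the continuation line, while the line above it ends with a trailing `&&`. Since all three terms are now joined by `&&`, a flat condition with the operator consistently at the end of each line reads more easily, and the `if` branch having braces while the `else` does not is worth fixing in the same pass. Both branches call board_added(), so only the save and restore calls need to be conditional.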


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 199/366] RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Noa Osherovich, Jason Gunthorpe, syzkaller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 4fae7f170416f970e5655f7e945ce69286b1c4ff upstream.

The check of cmd.flow_attr.size should take into account the size of the
reserved field (2 bytes), otherwise user can provide a size which will
cause a slab-out-of-bounds warning below.

==================================================================
BUG: KASAN: slab-out-of-bounds in ib_uverbs_ex_create_flow+0x1740/0x1d00
Read of size 2 at addr ffff880068dff1a6 by task syz-executor775/269

CPU: 0 PID: 269 Comm: syz-executor775 Not tainted 4.18.0-rc1+ #245
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0xef/0x17e
 print_address_description+0x83/0x3b0
 kasan_report+0x18d/0x4d0
 ib_uverbs_ex_create_flow+0x1740/0x1d00
 ib_uverbs_write+0x923/0x1010
 __vfs_write+0x10d/0x720
 vfs_write+0x1b0/0x550
 ksys_write+0xc6/0x1a0
 do_syscall_64+0xa7/0x590
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x433899
Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d
89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 91 fd ff c3 66
2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc2724db58 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000020006880 RCX: 0000000000433899
RDX: 00000000000000e0 RSI: 0000000020002480 RDI: 0000000000000003
RBP: 00000000006d7018 R08: 00000000004002f8 R09: 00000000004002f8
R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000

R13: 000000000040cd20 R14: 000000000040cdb0 R15: 0000000000000006

Allocated by task 269:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc+0x1a9/0x510
 ib_uverbs_ex_create_flow+0x26c/0x1d00
 ib_uverbs_write+0x923/0x1010
 __vfs_write+0x10d/0x720
 vfs_write+0x1b0/0x550
 ksys_write+0xc6/0x1a0
 do_syscall_64+0xa7/0x590
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 __kasan_slab_free+0x12e/0x180
 kfree+0x159/0x630
 detach_buf+0x559/0x7a0
 virtqueue_get_buf_ctx+0x3cc/0xab0
 virtblk_done+0x1eb/0x3d0
 vring_interrupt+0x16d/0x2b0
 __handle_irq_event_percpu+0x10a/0x980
 handle_irq_event_percpu+0x77/0x190
 handle_irq_event+0xc6/0x1a0
 handle_edge_irq+0x211/0xd80
 handle_irq+0x3d/0x60
 do_IRQ+0x9b/0x220

The buggy address belongs to the object at ffff880068dff180
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 38 bytes inside of
 64-byte region [ffff880068dff180, ffff880068dff1c0)
The buggy address belongs to the page:
page:ffffea0001a37fc0 count:1 mapcount:0 mapping:ffff88006c401780
index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 ffffea0001a31100 0000001100000011 ffff88006c401780
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880068dff080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff880068dff100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
>ffff880068dff180: 00 00 00 00 07 fc fc fc fc fc fc fc fb fb fb fb
                               ^
 ffff880068dff200: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 fc fc
 ffff880068dff280: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================

Fixes: f88482743872 ("IB/core: clarify overflow/underflow checks on ib_create/destroy_flow")
Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2674,8 +2674,8 @@ int ib_uverbs_ex_create_flow(struct ib_u
 	struct ib_uverbs_flow_attr	  *kern_flow_attr;
 	struct ib_flow_attr		  *flow_attr;
 	struct ib_qp			  *qp;
+	struct ib_uverbs_flow_spec_hdr	  *kern_spec;
 	int err = 0;
-	void *kern_spec;
 	void *ib_spec;
 	int i;
 
@@ -2717,8 +2717,8 @@ int ib_uverbs_ex_create_flow(struct ib_u
 		if (!kern_flow_attr)
 			return -ENOMEM;
 
-		memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr));
-		err = ib_copy_from_udata(kern_flow_attr + 1, ucore,
+		*kern_flow_attr = cmd.flow_attr;
+		err = ib_copy_from_udata(&kern_flow_attr->flow_specs, ucore,
 					 cmd.flow_attr.size);
 		if (err)
 			goto err_free_attr;
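Review bot: the copy destination is written here as `&kern_flow_attr->flow_specs`, while the loop later in this patch uses `kern_flow_attr->flow_specs` without the address-of operator; the two give the same address only because flow_specs is an array member, so please use one spelling. The change from `kern_flow_attr + 1` is also equivalent only if flow_specs is the trailing member with no padding before it in the 3.16 layout of struct ib_uverbs_flow_attr, and the allocation that backs this copy is outside the hunk, so it is worth confirming that it is sized as sizeof(*kern_flow_attr) + cmd.flow_attr.size.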
@@ -2758,19 +2758,21 @@ int ib_uverbs_ex_create_flow(struct ib_u
 	flow_attr->flags = kern_flow_attr->flags;
 	flow_attr->size = sizeof(*flow_attr);
 
-	kern_spec = kern_flow_attr + 1;
+	kern_spec = kern_flow_attr->flow_specs;
 	ib_spec = flow_attr + 1;
 	for (i = 0; i < flow_attr->num_of_specs &&
-	     cmd.flow_attr.size > offsetof(struct ib_uverbs_flow_spec, reserved) &&
-	     cmd.flow_attr.size >=
-	     ((struct ib_uverbs_flow_spec *)kern_spec)->size; i++) {
-		err = kern_spec_to_ib_spec(kern_spec, ib_spec);
+			cmd.flow_attr.size > sizeof(*kern_spec) &&
+			cmd.flow_attr.size >= kern_spec->size;
+	     i++) {
+		err = kern_spec_to_ib_spec(
+				(struct ib_uverbs_flow_spec *)kern_spec,
+				ib_spec);
 		if (err)
 			goto err_free;
 		flow_attr->size +=
 			((union ib_flow_spec *) ib_spec)->size;
-		cmd.flow_attr.size -= ((struct ib_uverbs_flow_spec *)kern_spec)->size;
-		kern_spec += ((struct ib_uverbs_flow_spec *) kern_spec)->size;
+		cmd.flow_attr.size -= kern_spec->size;
+		kern_spec = ((void *)kern_spec) + kern_spec->size;
 		ib_spec += ((union ib_flow_spec *) ib_spec)->size;
 	}
 	if (cmd.flow_attr.size || (i != flow_attr->num_of_specs)) {
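Review bot: the new loop guard `cmd.flow_attr.size > sizeof(*kern_spec)` is strict, so when exactly sizeof(*kern_spec) bytes remain the loop stops early and the `cmd.flow_attr.size || (i != flow_attr->num_of_specs)` check below reports leftover bytes. 224/366 in this series changes the comparison to `>=` for that reason, so this patch should not be released without it. `ib_spec` stays a `void *` advanced by plain pointer arithmetic, while kern_spec now needs the `(void *)` cast for the same step; a short comment on the cast would help.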


^ permalink raw reply	[flat|nested] 380+ messages in thread
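The length check that 199/366 and 224/366 adjust, modelled in user space as an added example (not code from the patches or the kernel). The `struct spec_hdr` layout, `walk_specs()`, `run_sample()` and the sample buffer are constructed for illustration, and the minimum-size test on `hdr.size` is an extra check of this model, not part of either patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 8-byte header (type, size, 2 reserved bytes); an assumption
 * modelled on the sizes quoted in the commit messages, not the kernel struct. */
struct spec_hdr {
	uint32_t type;
	uint16_t size;		/* length of this spec, header included */
	uint16_t reserved;
};

enum guard { GUARD_GT, GUARD_GE };	/* "> sizeof" versus ">= sizeof" */

/*
 * Walk num_specs variable-length specs in buf[0..len).
 * Returns the number of specs consumed, or -1 when bytes are left over or
 * fewer specs than announced could be parsed (the "bytes left" failure).
 */
static int walk_specs(const unsigned char *buf, size_t len, int num_specs,
		      enum guard guard)
{
	const unsigned char *p = buf;
	size_t left = len;
	int i;

	for (i = 0; i < num_specs; i++) {
		struct spec_hdr hdr;

		/* The header may only be read if it fits in what is left. */
		if (guard == GUARD_GE ? left < sizeof(hdr) : left <= sizeof(hdr))
			break;
		memcpy(&hdr, p, sizeof(hdr));

		/* Extra check of this model: the size must cover the header
		 * and must not run past the end of the buffer. */
		if (hdr.size < sizeof(hdr) || hdr.size > left)
			break;

		left -= hdr.size;
		p += hdr.size;
	}
	return (left || i != num_specs) ? -1 : i;
}

/* Constructed sample: a 16-byte spec followed by a header-only 8-byte spec. */
static size_t build_sample(unsigned char *buf)
{
	struct spec_hdr a = { .type = 0x20, .size = 16, .reserved = 0 };
	struct spec_hdr b = { .type = 0x30, .size = 8, .reserved = 0 };

	memset(buf, 0, 24);
	memcpy(buf, &a, sizeof(a));
	memcpy(buf + 16, &b, sizeof(b));
	return 24;
}

/* Walk the sample with `trim` bytes cut off the end of the command. */
static int run_sample(size_t trim, enum guard guard)
{
	unsigned char buf[24];
	size_t len = build_sample(buf);

	return walk_specs(buf, len - trim, 2, guard);
}

int main(void)
{
	printf("strict '>' guard : %d\n", run_sample(0, GUARD_GT));
	printf("'>=' guard       : %d\n", run_sample(0, GUARD_GE));
	printf("truncated by one : %d\n", run_sample(1, GUARD_GE));
	return 0;
}
```

With the strict guard the walk stops with 8 bytes left, which is the shape of the "8 bytes left from uverb cmd" failure quoted in 224/366; a command truncated by one byte is rejected under either guard without the second header being read.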

* [PATCH 3.16 062/366] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 512857a795cbbda5980efa4cdb3c0b6602330408 upstream.

If a SCSI device is deleted during scsi_eh host reset, we cannot get a
reference to the SCSI device anymore since scsi_device_get returns !=0 by
design. Assuming the recovery of adapter and port(s) was successful,
zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
half-gone SCSI device. Unfortunately, it causes the following confusing
trace record which states that zfcp will do a LUN recovery as "ERP need" is
ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".

Old example trace record formatted with zfcpdbf from s390-tools:

Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
LUN            : 0x<FCP_LUN>
WWPN           : 0x<WWPN>
D_ID           : 0x<N_Port-ID>
Adapter status : 0x5400050b
Port status    : 0x54000001
LUN status     : 0x40000000     ZFCP_STATUS_COMMON_RUNNING
                                but not ZFCP_STATUS_COMMON_UNBLOCKED as it
                                was closed on close part of adapter reopen
ERP want       : 0x01
ERP need       : 0x01           misleading

However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
actually happens.

We always do want the recovery trigger trace record even if no erp_action
could be enqueued as in this case. For other cases where we did not enqueue
an erp_action, 'need' has always been zero to indicate this. In order to
indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
need" as 'not needed' but still keep the information which erp_action type,
that zfcp_erp_required_act() had decided upon, is needed.  0xc_ is chosen to
be visibly different from 0x0_ in "ERP want".

New example trace record formatted with zfcpdbf from s390-tools:

Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
LUN            : 0x<FCP_LUN>
WWPN           : 0x<WWPN>
D_ID           : 0x<N_Port-ID>
Adapter status : 0x5400050b
Port status    : 0x54000001
LUN status     : 0x40000000
ERP want       : 0x01
ERP need       : 0xc1           would need LUN ERP, but no action set up
                   ^

Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug
tracing for recovery actions.") we could detect this case because the
"erp_action" field in the trace was NULL. The rework removed erp_action as
argument and field from the trace.

This patch here is for tracing. A fix to allow LUN recovery in the case at
hand is a topic for a separate patch.

See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown
without acquiring reference") for a similar case and background info.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -34,11 +34,23 @@ enum zfcp_erp_steps {
 	ZFCP_ERP_STEP_LUN_OPENING	= 0x2000,
 };
 
+/**
+ * enum zfcp_erp_act_type - Type of ERP action object.
+ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
+ *			  either of the other enum values.
+ *			  Used to indicate that an ERP action could not be
+ *			  set up despite a detected need for some recovery.
+ */
 enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
 	ZFCP_ERP_ACTION_REOPEN_PORT	   = 2,
 	ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
 	ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
+	ZFCP_ERP_ACTION_NONE		   = 0xc0,
 };
 
 enum zfcp_erp_act_state {
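Review bot: ZFCP_ERP_ACTION_NONE = 0xc0 is a flag living in an enum whose other members are plain sequence numbers, so once it is or-ed in, the value no longer equals any enumerator and any `switch` or `==` on an action type has to mask it off first. A named mask for the low bits, or a sentence in the kernel-doc saying the combined value is meant for the trace record only, would make that explicit. In the kernel-doc, "either of the other enum values" should read "any of", since there are four.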
@@ -256,8 +268,10 @@ static int zfcp_erp_action_enqueue(int w
 		goto out;
 
 	act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
-	if (!act)
+	if (!act) {
+		need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
 		goto out;
+	}
 	atomic_set_mask(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
 	++adapter->erp_total_count;
 	list_add_tail(&act->list, &adapter->erp_ready_head);


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 232/366] cifs: Fix infinite loop when using hard mount option
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Aurelien Aptel, Paulo Alcantara, Paulo Alcantara, Steve French

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paulo Alcantara <paulo@paulo.ac>

commit 7ffbe65578b44fafdef577a360eb0583929f7c6e upstream.

For every request we send, whether it is SMB1 or SMB2+, we attempt to
reconnect tcon (cifs_reconnect_tcon or smb2_reconnect) before carrying
out the request.

So, while server->tcpStatus != CifsNeedReconnect, we wait for the
reconnection to succeed on wait_event_interruptible_timeout(). If it
returns, that means that either the condition was evaluated to true, or
timeout elapsed, or it was interrupted by a signal.

Since we're not handling the case where the process woke up due to a
received signal (-ERESTARTSYS), the next call to
wait_event_interruptible_timeout() will _always_ fail and we end up
looping forever inside either cifs_reconnect_tcon() or smb2_reconnect().

Here's an example of how to trigger that:

$ mount.cifs //foo/share /mnt/test -o
username=foo,password=foo,vers=1.0,hard

(break connection to server before executing below cmd)
$ stat -f /mnt/test & sleep 140
[1] 2511

$ ps -aux -q 2511
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2511  0.0  0.0  12892  1008 pts/0    S    12:24   0:00 stat -f
/mnt/test

$ kill -9 2511

(wait for a while; process is stuck in the kernel)
$ ps -aux -q 2511
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2511 83.2  0.0  12892  1008 pts/0    R    12:24  30:01 stat -f
/mnt/test

Using 'hard' mount point means that cifs.ko will keep retrying
indefinitely, however we must allow the process to be killed otherwise
it would hang the system.

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifssmb.c | 10 ++++++++--
 fs/cifs/smb2pdu.c | 18 ++++++++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -150,8 +150,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tc
 	 * greater than cifs socket timeout which is 7 seconds
 	 */
 	while (server->tcpStatus == CifsNeedReconnect) {
-		wait_event_interruptible_timeout(server->response_q,
-			(server->tcpStatus != CifsNeedReconnect), 10 * HZ);
+		rc = wait_event_interruptible_timeout(server->response_q,
+						      (server->tcpStatus != CifsNeedReconnect),
+						      10 * HZ);
+		if (rc < 0) {
+			cifs_dbg(FYI, "%s: aborting reconnect due to a received"
+				 " signal by the process\n", __func__);
+			return -ERESTARTSYS;
+		}
 
 		/* are we still trying to reconnect? */
 		if (server->tcpStatus != CifsNeedReconnect)
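Review bot: the cifs_dbg() format string is split across two source lines ("... due to a received" followed by " signal by the process\n"), which defeats grepping the source for the logged message; kernel style keeps such strings on one line even past 80 columns. The branch tests `rc < 0` but returns the constant -ERESTARTSYS rather than rc, and returning rc would keep the two in step. Callers of cifs_reconnect_tcon() now see -ERESTARTSYS, so please check that none of them treats it as a retryable error.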
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -158,7 +158,7 @@ out:
 static int
 smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
 {
-	int rc = 0;
+	int rc;
 	struct nls_table *nls_codepage;
 	struct cifs_ses *ses;
 	struct TCP_Server_Info *server;
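Review bot: dropping the `= 0` initialiser from `int rc` means every exit from smb2_reconnect() must now assign rc or return a literal. The later hunks convert three `return rc` sites to `return 0`, but any remaining `return rc` or `goto out` in the 3.16 version of this function that can be reached before the first assignment would return an indeterminate value, so please check the full function and not just the touched lines.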
@@ -169,10 +169,10 @@ smb2_reconnect(__le16 smb2_command, stru
 	 * for those three - in the calling routine.
 	 */
 	if (tcon == NULL)
-		return rc;
+		return 0;
 
 	if (smb2_command == SMB2_TREE_CONNECT)
-		return rc;
+		return 0;
 
 	if (tcon->tidStatus == CifsExiting) {
 		/*
@@ -215,8 +215,14 @@ smb2_reconnect(__le16 smb2_command, stru
 			return -EAGAIN;
 		}
 
-		wait_event_interruptible_timeout(server->response_q,
-			(server->tcpStatus != CifsNeedReconnect), 10 * HZ);
+		rc = wait_event_interruptible_timeout(server->response_q,
+						      (server->tcpStatus != CifsNeedReconnect),
+						      10 * HZ);
+		if (rc < 0) {
+			cifs_dbg(FYI, "%s: aborting reconnect due to a received"
+				 " signal by the process\n", __func__);
+			return -ERESTARTSYS;
+		}
 
 		/* are we still trying to reconnect? */
 		if (server->tcpStatus != CifsNeedReconnect)
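Review bot: this wait-and-bail block is a line-for-line copy of the one added to cifs_reconnect_tcon() in fs/cifs/cifssmb.c, including the split debug string. A shared helper would keep the signal handling for SMB1 and SMB2+ from drifting apart. If the backport has to mirror upstream exactly, a comment noting that a return of 0 (timeout) and a positive return (condition became true) both fall through to the tcpStatus check that follows, so only the signal case exits here, would be enough.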
@@ -234,7 +240,7 @@ smb2_reconnect(__le16 smb2_command, stru
 	}
 
 	if (!tcon->ses->need_reconnect && !tcon->need_reconnect)
-		return rc;
+		return 0;
 
 	nls_codepage = load_nls_default();
 


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 262/366] x86/apm: Don't access __preempt_count with zeroed fs
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Ville Syrjälä,
	x86, H. Peter Anvin, David Woodhouse

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 upstream.

APM_DO_POP_SEGS does not restore fs/gs which were zeroed by
APM_DO_ZERO_SEGS. Trying to access __preempt_count with
zeroed fs doesn't really work.

Move the ibrs call outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS
invocations so that fs is actually restored before calling
preempt_enable().

Fixes the following sort of oopses:
[    0.313581] general protection fault: 0000 [#1] PREEMPT SMP
[    0.313803] Modules linked in:
[    0.314040] CPU: 0 PID: 268 Comm: kapmd Not tainted 4.16.0-rc1-triton-bisect-00090-gdd84441a7971 #19
[    0.316161] EIP: __apm_bios_call_simple+0xc8/0x170
[    0.316161] EFLAGS: 00210016 CPU: 0
[    0.316161] EAX: 00000102 EBX: 00000000 ECX: 00000102 EDX: 00000000
[    0.316161] ESI: 0000530e EDI: dea95f64 EBP: dea95f18 ESP: dea95ef0
[    0.316161]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
[    0.316161] CR0: 80050033 CR2: 00000000 CR3: 015d3000 CR4: 000006d0
[    0.316161] Call Trace:
[    0.316161]  ? cpumask_weight.constprop.15+0x20/0x20
[    0.316161]  on_cpu0+0x44/0x70
[    0.316161]  apm+0x54e/0x720
[    0.316161]  ? __switch_to_asm+0x26/0x40
[    0.316161]  ? __schedule+0x17d/0x590
[    0.316161]  kthread+0xc0/0xf0
[    0.316161]  ? proc_apm_show+0x150/0x150
[    0.316161]  ? kthread_create_worker_on_cpu+0x20/0x20
[    0.316161]  ret_from_fork+0x2e/0x38
[    0.316161] Code: da 8e c2 8e e2 8e ea 57 55 2e ff 1d e0 bb 5d b1 0f 92 c3 5d 5f 07 1f 89 47 0c 90 8d b4 26 00 00 00 00 90 8d b4 26 00 00 00 00 90 <64> ff 0d 84 16 5c b1 74 7f 8b 45 dc 8e e0 8b 45 d8 8e e8 8b 45
[    0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 SS:ESP: 0068:dea95ef0
[    0.316161] ---[ end trace 656253db2deaa12c ]---

Fixes: dd84441a7971 ("x86/speculation: Use IBRS if available before calling into firmware")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc:  David Woodhouse <dwmw@amazon.co.uk>
Cc:  "H. Peter Anvin" <hpa@zytor.com>
Cc:  x86@kernel.org
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Link: https://lkml.kernel.org/r/20180709133534.5963-1-ville.syrjala@linux.intel.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/apm.h | 6 ------
 arch/x86/kernel/apm_32.c   | 5 +++++
 2 files changed, 5 insertions(+), 6 deletions(-)

--- a/arch/x86/include/asm/apm.h
+++ b/arch/x86/include/asm/apm.h
@@ -6,8 +6,6 @@
 #ifndef _ASM_X86_MACH_DEFAULT_APM_H
 #define _ASM_X86_MACH_DEFAULT_APM_H
 
-#include <asm/nospec-branch.h>
-
 #ifdef APM_ZERO_SEGS
 #	define APM_DO_ZERO_SEGS \
 		"pushl %%ds\n\t" \
@@ -33,7 +31,6 @@ static inline void apm_bios_call_asm(u32
 	 * N.B. We do NOT need a cld after the BIOS call
 	 * because we always save and restore the flags.
 	 */
-	firmware_restrict_branch_speculation_start();
 	__asm__ __volatile__(APM_DO_ZERO_SEGS
 		"pushl %%edi\n\t"
 		"pushl %%ebp\n\t"
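Review bot: with firmware_restrict_branch_speculation_start() removed from apm_bios_call_asm(), the inline helper no longer protects the BIOS call by itself and relies on each caller to bracket it. The comment block just above the asm statement is the natural place to say so, for example that callers must invoke firmware_restrict_branch_speculation_start() and firmware_restrict_branch_speculation_end() outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS pair. The same applies to apm_bios_call_simple_asm().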
@@ -46,7 +43,6 @@ static inline void apm_bios_call_asm(u32
 		  "=S" (*esi)
 		: "a" (func), "b" (ebx_in), "c" (ecx_in)
 		: "memory", "cc");
-	firmware_restrict_branch_speculation_end();
 }
 
 static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
@@ -59,7 +55,6 @@ static inline u8 apm_bios_call_simple_as
 	 * N.B. We do NOT need a cld after the BIOS call
 	 * because we always save and restore the flags.
 	 */
-	firmware_restrict_branch_speculation_start();
 	__asm__ __volatile__(APM_DO_ZERO_SEGS
 		"pushl %%edi\n\t"
 		"pushl %%ebp\n\t"
@@ -72,7 +67,6 @@ static inline u8 apm_bios_call_simple_as
 		  "=S" (si)
 		: "a" (func), "b" (ebx_in), "c" (ecx_in)
 		: "memory", "cc");
-	firmware_restrict_branch_speculation_end();
 	return error;
 }
 
--- a/arch/x86/kernel/apm_32.c
+++ b/arch/x86/kernel/apm_32.c
@@ -239,6 +239,7 @@
 #include <asm/olpc.h>
 #include <asm/paravirt.h>
 #include <asm/reboot.h>
+#include <asm/nospec-branch.h>
 
 #if defined(CONFIG_APM_DISPLAY_BLANK) && defined(CONFIG_VT)
 extern int (*console_blank_hook)(int);
@@ -614,11 +615,13 @@ static long __apm_bios_call(void *_call)
 	gdt[0x40 / 8] = bad_bios_desc;
 
 	apm_irq_save(flags);
+	firmware_restrict_branch_speculation_start();
 	APM_DO_SAVE_SEGS;
 	apm_bios_call_asm(call->func, call->ebx, call->ecx,
 			  &call->eax, &call->ebx, &call->ecx, &call->edx,
 			  &call->esi);
 	APM_DO_RESTORE_SEGS;
+	firmware_restrict_branch_speculation_end();
 	apm_irq_restore(flags);
 	gdt[0x40 / 8] = save_desc_40;
 	put_cpu();
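Review bot: the ordering here is the whole fix, yet nothing in the code records it: firmware_restrict_branch_speculation_end() must come after APM_DO_RESTORE_SEGS because, per the commit message, preempt_enable() needs fs to be restored first. Please add a one-line comment to that effect next to the end call so that a later cleanup does not move it back inside the segment save/restore pair. The same applies to __apm_bios_call_simple().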
@@ -690,10 +693,12 @@ static long __apm_bios_call_simple(void
 	gdt[0x40 / 8] = bad_bios_desc;
 
 	apm_irq_save(flags);
+	firmware_restrict_branch_speculation_start();
 	APM_DO_SAVE_SEGS;
 	error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx,
 					 &call->eax);
 	APM_DO_RESTORE_SEGS;
+	firmware_restrict_branch_speculation_end();
 	apm_irq_restore(flags);
 	gdt[0x40 / 8] = save_desc_40;
 	put_cpu();


^ permalink raw reply	[flat|nested] 380+ messages in thread

* [PATCH 3.16 083/366] IB/isert: Fix for lib/dma_debug check_sync warning
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dennis Dalessandro, Mike Marciniszyn, Doug Ledford,
	Don Dutile, Alex Estrin

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Estrin <alex.estrin@intel.com>

commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream.

The following error message occurs on a target host in a debug build
during session login:

[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0
[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes]
......snip .....

[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1
[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015
[ 3524.555740] Call Trace:
[ 3524.559102]  [<ffffffffa5fe915b>] dump_stack+0x19/0x1b
[ 3524.565477]  [<ffffffffa58a2f58>] __warn+0xd8/0x100
[ 3524.571557]  [<ffffffffa58a2fdf>] warn_slowpath_fmt+0x5f/0x80
[ 3524.578610]  [<ffffffffa5bf5b8c>] check_sync+0x4ec/0x5b0
[ 3524.585177]  [<ffffffffa58efc3f>] ? set_cpus_allowed_ptr+0x5f/0x1c0
[ 3524.592812]  [<ffffffffa5bf5cd0>] debug_dma_sync_single_for_cpu+0x80/0x90
[ 3524.601029]  [<ffffffffa586add3>] ? x2apic_send_IPI_mask+0x13/0x20
[ 3524.608574]  [<ffffffffa585ee1b>] ? native_smp_send_reschedule+0x5b/0x80
[ 3524.616699]  [<ffffffffa58e9b76>] ? resched_curr+0xf6/0x140
[ 3524.623567]  [<ffffffffc0879af0>] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert]
[ 3524.633060]  [<ffffffffc087af95>] isert_put_login_tx+0x55/0x8b0 [ib_isert]
[ 3524.641383]  [<ffffffffa58ef114>] ? try_to_wake_up+0x1a4/0x430
[ 3524.648561]  [<ffffffffc098cfed>] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod]
[ 3524.658557]  [<ffffffffc098d827>] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod]
[ 3524.668084]  [<ffffffffa59f9bc9>] ? kstrdup+0x49/0x60
[ 3524.674420]  [<ffffffffc098e976>] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod]
[ 3524.684656]  [<ffffffffc098c2ee>] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod]
[ 3524.694901]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
[ 3524.705446]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
[ 3524.715976]  [<ffffffffc098ca78>] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod]
[ 3524.725739]  [<ffffffffa58d60ff>] kthread+0xef/0x100
[ 3524.732007]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
[ 3524.739540]  [<ffffffffa5fff1b7>] ret_from_fork_nospec_begin+0x21/0x21
[ 3524.747558]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]---
[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION.

The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it
with dma-mapped address.
login_tx_desc is a part of iser_conn structure and is used only once
during login negotiation, so the issue is fixed by eliminating
dma_sync call for this buffer using a special case routine.

Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Don Dutile <ddutile@redhat.com>
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
 - Parameters to isert_create_send_desc() are not redundant; forward them
   all to __isert_create_send_desc()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/isert/ib_isert.c | 26 ++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1033,14 +1033,10 @@ isert_post_send(struct isert_conn *isert
 }
 
 static void
-isert_create_send_desc(struct isert_conn *isert_conn,
-		       struct isert_cmd *isert_cmd,
-		       struct iser_tx_desc *tx_desc)
+__isert_create_send_desc(struct isert_conn *isert_conn,
+			 struct isert_cmd *isert_cmd,
+			 struct iser_tx_desc *tx_desc)
 {
-	struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
-
-	ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
-				   ISER_HEADERS_LEN, DMA_TO_DEVICE);
 
 	memset(&tx_desc->iser_header, 0, sizeof(struct iser_hdr));
 	tx_desc->iser_header.flags = ISER_VER;
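
Review bot: After the ib_dma_sync_single_for_cpu() call is dropped, the body of __isert_create_send_desc() opens with an empty line directly after the brace; drop it. The new name also gives no hint about what the double-underscore variant skips, so a one-line comment above it saying that it fills in the header without syncing tx_desc->dma_addr would save the next reader a trip to the commit log.
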
@@ -1054,6 +1050,19 @@ isert_create_send_desc(struct isert_conn
 	}
 }
 
+static void
+isert_create_send_desc(struct isert_conn *isert_conn,
+		       struct isert_cmd *isert_cmd,
+		       struct iser_tx_desc *tx_desc)
+{
+	struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
+
+	ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
+				   ISER_HEADERS_LEN, DMA_TO_DEVICE);
+
+	__isert_create_send_desc(isert_conn, isert_cmd, tx_desc);
+}
+
 static int
 isert_init_tx_hdrs(struct isert_conn *isert_conn,
 		   struct iser_tx_desc *tx_desc)
@@ -1150,7 +1159,7 @@ isert_put_login_tx(struct iscsi_conn *co
 	struct iser_tx_desc *tx_desc = &isert_conn->conn_login_tx_desc;
 	int ret;
 
-	isert_create_send_desc(isert_conn, NULL, tx_desc);
+	__isert_create_send_desc(isert_conn, NULL, tx_desc);
 
 	memcpy(&tx_desc->iscsi_header, &login->rsp[0],
 	       sizeof(struct iscsi_hdr));
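
Review bot: The switch to __isert_create_send_desc() in isert_put_login_tx() is the whole fix, yet nothing at the call site says why the login descriptor must avoid the syncing wrapper. A short comment here, along the lines of "conn_login_tx_desc.dma_addr is not mapped yet, so do not dma_sync it", would stop someone from converting it back to isert_create_send_desc() for consistency.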



* [PATCH 3.16 086/366] usb: gadget: function: printer: avoid wrong list handling in printer_write()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Felipe Balbi, Yoshihiro Shimoda, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 4a014a7339f441b0851ce012f469c0fadac61c81 upstream.

When printer_write() calls usb_ep_queue(), a udc driver (e.g.
renesas_usbhs driver) may call usb_gadget_giveback_request() in
the udc .queue ops immediately. Then, printer_write() calls
list_add(&req->list, &dev->tx_reqs_active) wrongly. After that,
if we do unbind the printer driver, WARN_ON() happens in
printer_func_unbind() because the list entry is not removed.

So, this patch moves list_add(&req->list, &dev->tx_reqs_active)
calling before usb_ep_queue().

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/printer.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/printer.c
+++ b/drivers/usb/gadget/printer.c
@@ -667,19 +667,19 @@ printer_write(struct file *fd, const cha
 			return -EAGAIN;
 		}
 
+		list_add(&req->list, &dev->tx_reqs_active);
+
 		/* here, we unlock, and only unlock, to avoid deadlock. */
 		spin_unlock(&dev->lock);
 		value = usb_ep_queue(dev->in_ep, req, GFP_ATOMIC);
 		spin_lock(&dev->lock);
 		if (value) {
+			list_del(&req->list);
 			list_add(&req->list, &dev->tx_reqs);
 			spin_unlock_irqrestore(&dev->lock, flags);
 			mutex_unlock(&dev->lock_printer_io);
 			return -EAGAIN;
 		}
-
-		list_add(&req->list, &dev->tx_reqs_active);
-
 	}
 
 	spin_unlock_irqrestore(&dev->lock, flags);
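
Review bot: In the usb_ep_queue() failure branch, list_del(&req->list) followed by list_add(&req->list, &dev->tx_reqs) is what list_move() does in one call. The branch also assumes req is still on tx_reqs_active once dev->lock is retaken; since the commit message says a UDC may give the request back from inside its .queue op, it is worth stating in a comment (or in the message) whether a failing usb_ep_queue() can also have completed the request, because the completion path and this list_del() would then both operate on the same entry.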



* [PATCH 3.16 076/366] ipmi:bt: Set the timeout before doing a capabilities check
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Corey Minyard, Nordmark Claes

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <cminyard@mvista.com>

commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.

There was one place where the timeout value for an operation was
not being set, if a capabilities request was done from idle.  Move
the timeout value setting to before where that change might be
requested.

IMHO the cause here is the invisible returns in the macros.  Maybe
that's a job for later, though.

Reported-by: Nordmark Claes <Claes.Nordmark@tieto.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/ipmi/ipmi_bt_sm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct
 		if (status & BT_H_BUSY)		/* clear a leftover H_BUSY */
 			BT_CONTROL(BT_H_BUSY);
 
+		bt->timeout = bt->BT_CAP_req2rsp;
+
 		/* Read BT capabilities if it hasn't been done yet */
 		if (!bt->BT_CAP_outreqs)
 			BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
 					SI_SM_CALL_WITHOUT_DELAY);
-		bt->timeout = bt->BT_CAP_req2rsp;
 		BT_SI_SM_RETURN(SI_SM_IDLE);
 
 	case BT_STATE_XACTION_START:
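
Review bot: The moved assignment now sits above BT_STATE_CHANGE() with no comment explaining that the order matters. The commit message itself blames the hidden return inside the macro, so a line such as "must be set before BT_STATE_CHANGE(), which returns" above bt->timeout = bt->BT_CAP_req2rsp would keep a later cleanup from moving it back down next to BT_SI_SM_RETURN().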



* [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Ben Skeggs

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 upstream.

The bo array has req->nr_buffers elements so the > should be >= so we
don't read beyond the end of the array.

Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -613,7 +613,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n
 		struct nouveau_bo *nvbo;
 		uint32_t data;
 
-		if (unlikely(r->bo_index > req->nr_buffers)) {
+		if (unlikely(r->bo_index >= req->nr_buffers)) {
 			NV_ERROR(cli, "reloc bo index invalid\n");
 			ret = -EINVAL;
 			break;
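
Review bot: The corrected bound on r->bo_index rejects the request, but NV_ERROR(cli, "reloc bo index invalid\n") reports neither the index nor req->nr_buffers. Printing both would make a rejected request diagnosable from the log alone.
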
@@ -623,7 +623,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n
 		if (b->presumed.valid)
 			continue;
 
-		if (unlikely(r->reloc_bo_index > req->nr_buffers)) {
+		if (unlikely(r->reloc_bo_index >= req->nr_buffers)) {
 			NV_ERROR(cli, "reloc container bo index invalid\n");
 			ret = -EINVAL;
 			break;
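
Review bot: This is the same comparison against req->nr_buffers as the r->bo_index check a few lines earlier, and both copies carried the same off-by-one. A small helper that validates an index against req->nr_buffers, used for both r->bo_index and r->reloc_bo_index, would keep the two checks from drifting apart again.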



* [PATCH 3.16 140/366] l2tp: prevent pppol2tp_connect() from creating kernel sockets
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd upstream.

If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
the relevant fields to zero, tricking l2tp_tunnel_create() into setting
up an unusable kernel socket.

We can't set 'tcfg' with the required fields because there's no way to
get them from the current connect() parameters. So let's restrict
kernel sockets creation to the netlink API, which is the original use
case.

Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -723,6 +723,15 @@ static int pppol2tp_connect(struct socke
 				.encap = L2TP_ENCAPTYPE_UDP,
 				.debug = 0,
 			};
+
+			/* Prevent l2tp_tunnel_register() from trying to set up
+			 * a kernel socket.
+			 */
+			if (fd < 0) {
+				error = -EBADF;
+				goto end;
+			}
+
 			error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel);
 			if (error < 0)
 				goto end;
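
Review bot: The new comment names l2tp_tunnel_register(), but the call it guards in this hunk is l2tp_tunnel_create(), which is also the function the commit message describes. For this tree the comment should read "Prevent l2tp_tunnel_create() from trying to set up a kernel socket", with a backport line in the message noting the adjustment.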



* [PATCH 3.16 040/366] powerpc/lib: Fix feature fixup test of external branch
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 32810d91325ec76b8ef4df463f8a0e9baf353322 upstream.

The expected case for this test was wrong, the source of the alternate
code sequence is:

  FTR_SECTION_ELSE
  2:	or	2,2,2
  	PPC_LCMPI	r3,1
  	beq	3f
  	blt	2b
  	b	3f
  	b	1b
  ALT_FTR_SECTION_END(0, 1)
  3:	or	1,1,1
  	or	2,2,2
  4:	or	3,3,3

So when it's patched the '3' label should still be on the 'or 1,1,1',
and the 4 label is irrelevant and can be removed.

Fixes: 362e7701fd18 ("powerpc: Add self-tests of the feature fixup code")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/lib/feature-fixups-test.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/lib/feature-fixups-test.S
+++ b/arch/powerpc/lib/feature-fixups-test.S
@@ -167,9 +167,9 @@ globl(ftr_fixup_test6_expected)
 	blt	2b
 	b	3f
 	b	1b
-2:	or	1,1,1
+3:	or	1,1,1
 	or	2,2,2
-3:	or	3,3,3
+	or	3,3,3
 
 
 #if 0
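
Review bot: The commit message says the '4' label can be removed, but the line changed here loses a label written as 3:, and the one that becomes 3: was written as 2:. The expected block evidently numbered its labels differently from the source sequence quoted in the message; a comment above ftr_fixup_test6_expected that points at the FTR_SECTION_ELSE source, or a sentence in the message spelling out the renumbering, would make the change checkable without reconstructing it by hand.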



* [PATCH 3.16 115/366] kconfig: Avoid format overflow warning from GCC 8.1
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nathan Chancellor, Masahiro Yamada

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit 2ae89c7a82ea9d81a19b4fc2df23bef4b112f24e upstream.

In file included from scripts/kconfig/zconf.tab.c:2485:
scripts/kconfig/confdata.c: In function ‘conf_write’:
scripts/kconfig/confdata.c:773:22: warning: ‘%s’ directive writing likely 7 or more bytes into a region of size between 1 and 4097 [-Wformat-overflow=]
  sprintf(newname, "%s%s", dirname, basename);
                      ^~
scripts/kconfig/confdata.c:773:19: note: assuming directive output of 7 bytes
  sprintf(newname, "%s%s", dirname, basename);
                   ^~~~~~
scripts/kconfig/confdata.c:773:2: note: ‘sprintf’ output 1 or more bytes (assuming 4104) into a destination of size 4097
  sprintf(newname, "%s%s", dirname, basename);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
scripts/kconfig/confdata.c:776:23: warning: ‘.tmpconfig.’ directive writing 11 bytes into a region of size between 1 and 4097 [-Wformat-overflow=]
   sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid());
                       ^~~~~~~~~~~
scripts/kconfig/confdata.c:776:3: note: ‘sprintf’ output between 13 and 4119 bytes into a destination of size 4097
   sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid());
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Increase the size of tmpname and newname to make GCC happy.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/kconfig/confdata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -738,7 +738,7 @@ int conf_write(const char *name)
 	struct menu *menu;
 	const char *basename;
 	const char *str;
-	char dirname[PATH_MAX+1], tmpname[PATH_MAX+1], newname[PATH_MAX+1];
+	char dirname[PATH_MAX+1], tmpname[PATH_MAX+22], newname[PATH_MAX+8];
 	char *env;
 
 	dirname[0] = 0;
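
Review bot: The new sizes PATH_MAX+22 and PATH_MAX+8 are bare numbers with no comment tying them to the two sprintf() formats they are meant to cover. The quoted warning gives a destination size of 4097 for the old PATH_MAX+1 arrays and an upper bound of 4119 bytes for the tmpname format, so tmpname[PATH_MAX+22] comes to 4118 bytes, one short of that bound; please confirm the intended value. Switching both calls to snprintf(buf, sizeof(buf), ...) would make the arrays self-checking instead of depending on hand-counted constants.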



* [PATCH 3.16 056/366] mfd: tps65911-comparator: Fix an off by one bug
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Lee Jones

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee.jones@linaro.org>

commit 1768391c3674b0c6bdc4947121f15fb0c2f47ec4 upstream.

The COMP1 and COMP2 elements are in 0 and 1 respectively so this code is
accessing the wrong elements and one space beyond the end of the array.

The "id" variable is never COMP (0) so that code can be removed.

Fixes: 6851ad3ab346 ("TPS65911: Comparator: Add comparator driver")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/tps65911-comparator.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

--- a/drivers/mfd/tps65911-comparator.c
+++ b/drivers/mfd/tps65911-comparator.c
@@ -22,9 +22,8 @@
 #include <linux/gpio.h>
 #include <linux/mfd/tps65910.h>
 
-#define COMP					0
-#define COMP1					1
-#define COMP2					2
+#define COMP1					0
+#define COMP2					1
 
 /* Comparator 1 voltage selection table in millivolts */
 static const u16 COMP_VSEL_TABLE[] = {
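
Review bot: COMP1 and COMP2 are now used as zero-based array indices, which the commit message states but the two defines do not. An enum, or a comment on the defines naming the array they index, would make the coupling visible to anyone who later adds a comparator or reorders that array.
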
@@ -63,9 +62,6 @@ static int comp_threshold_set(struct tps
 	int ret;
 	u8 index = 0, val;
 
-	if (id == COMP)
-		return 0;
-
 	while (curr_voltage < tps_comp.uV_max) {
 		curr_voltage = tps_comp.vsel_table[index];
 		if (curr_voltage >= voltage)
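
Review bot: With the id == COMP early return gone, nothing in the visible part of comp_threshold_set() checks id before it is used. Since COMP1 and COMP2 double as array indices, rejecting any other value with -EINVAL at the top of the function would keep a bad id from being used as an index; the same applies to comp_threshold_get() in the next hunk.
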
@@ -89,9 +85,6 @@ static int comp_threshold_get(struct tps
 	unsigned int val;
 	int ret;
 
-	if (id == COMP)
-		return 0;
-
 	ret = tps65910_reg_read(tps65910, tps_comp.reg, &val);
 	if (ret < 0)
 		return ret;



* [PATCH 3.16 192/366] xfrm: fix missing dst_release() after policy blocking lbcast and multicast
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, Tommi Rantala

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tommi Rantala <tommi.t.rantala@nokia.com>

commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 upstream.

Fix missing dst_release() when local broadcast or multicast traffic is
xfrm policy blocked.

For IPv4 this results in a dst leak: ip_route_output_flow() allocates
dst_entry via __ip_route_output_key() and passes it to
xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
propagated. The dst that was allocated is never released.

IPv4 local broadcast testcase:
 ping -b 192.168.1.255 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block

IPv4 multicast testcase:
 ping 224.0.0.1 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block

For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
 ip netns add TEST
 ip netns exec TEST ip link set lo up
 ip link add dummy0 type dummy
 ip link set dev dummy0 netns TEST
 ip netns exec TEST ip addr add fd00::1111 dev dummy0
 ip netns exec TEST ip link set dummy0 up
 ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
 sleep 1
 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
 wait
 ip netns del TEST

After netns deletion we see:
[  258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2

Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_policy.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2176,6 +2176,9 @@ struct dst_entry *xfrm_lookup_route(stru
 	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
 		return make_blackhole(net, dst_orig->ops->family, dst_orig);
 
+	if (IS_ERR(dst))
+		dst_release(dst_orig);
+
 	return dst;
 }
 EXPORT_SYMBOL(xfrm_lookup_route);
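
Review bot: The added IS_ERR(dst) branch makes xfrm_lookup_route() release dst_orig on failure, but the function carries no comment saying that it consumes the caller's reference when it returns an error. A short comment above the function stating that ownership rule would help callers avoid a second dst_release() on their own error paths.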



* [PATCH 3.16 195/366] xfrm: free skb if nlsk pointer is NULL
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Steffen Klassert

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 86126b77dcd551ce223e7293bb55854e3df05646 upstream.

nlmsg_multicast() always frees the skb, so in case we cannot call
it we must do that ourselves.

Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -959,10 +959,12 @@ static inline int xfrm_nlmsg_multicast(s
 {
 	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
 
-	if (nlsk)
-		return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
-	else
-		return -1;
+	if (!nlsk) {
+		kfree_skb(skb);
+		return -EPIPE;
+	}
+
+	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
 }
 
 static inline size_t xfrm_spdinfo_msgsize(void)
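
Review bot: The !nlsk path now returns -EPIPE where it used to return -1, and the commit message only mentions freeing the skb. Please note the changed return value in the message and confirm that no caller of xfrm_nlmsg_multicast() compares the result against -1. A comment that the helper always consumes skb, matching nlmsg_multicast(), would also document why kfree_skb() is needed here.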



* [PATCH 3.16 078/366] ext4: correct endianness conversion in __xattr_check_inode()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Eric Biggers

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 199625098a18a5522b424dea9b122b254c022fc5 upstream.

It should be cpu_to_le32(), not le32_to_cpu().  No change in behavior.

Found with sparse, and this was the only endianness warning in fs/ext4/.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,7 +251,7 @@ __xattr_check_inode(struct inode *inode,
 	int error = -EIO;
 
 	if (((void *) header >= end) ||
-	    (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
+	    (header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)))
 		goto errout;
 	error = ext4_xattr_check_names(entry, end, entry);
 errout:



* [PATCH 3.16 129/366] net/sched: act_simple: fix parsing of TCA_DEF_DATA
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Davide Caratti, Simon Horman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>

commit 8d499533e0bc02d44283dbdab03142b599b8ba16 upstream.

use nla_strlcpy() to avoid copying data beyond the length of TCA_DEF_DATA
netlink attribute, in case it is less than SIMP_MAX_DATA and it does not
end with '\0' character.

v2: fix errors in the commit message, thanks Hangbin Liu

Fixes: fa1b1cff3d06 ("net_cls_act: Make act_simple use of netlink policy.")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -52,22 +52,22 @@ static void tcf_simp_release(struct tc_a
 	kfree(d->tcfd_defdata);
 }
 
-static int alloc_defdata(struct tcf_defact *d, char *defdata)
+static int alloc_defdata(struct tcf_defact *d, const struct nlattr *defdata)
 {
 	d->tcfd_defdata = kzalloc(SIMP_MAX_DATA, GFP_KERNEL);
 	if (unlikely(!d->tcfd_defdata))
 		return -ENOMEM;
-	strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
+	nla_strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
 	return 0;
 }
 
-static void reset_policy(struct tcf_defact *d, char *defdata,
+static void reset_policy(struct tcf_defact *d, const struct nlattr *defdata,
 			 struct tc_defact *p)
 {
 	spin_lock_bh(&d->tcf_lock);
 	d->tcf_action = p->action;
 	memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
-	strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
+	nla_strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
 	spin_unlock_bh(&d->tcf_lock);
 }
 
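
Review bot: Both alloc_defdata() and reset_policy() ignore the return value of nla_strlcpy(), so an attribute longer than SIMP_MAX_DATA - 1 bytes is silently truncated. If truncation is intended, say so in a comment; otherwise compare the returned length against SIMP_MAX_DATA and reject the request. The two functions also now repeat the same copy, which could live in one helper.
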
@@ -83,7 +83,6 @@ static int tcf_simp_init(struct net *net
 	struct nlattr *tb[TCA_DEF_MAX + 1];
 	struct tc_defact *parm;
 	struct tcf_defact *d;
-	char *defdata;
 	int ret = 0, err;
 
 	if (nla == NULL)
@@ -100,7 +99,6 @@ static int tcf_simp_init(struct net *net
 		return -EINVAL;
 
 	parm = nla_data(tb[TCA_DEF_PARMS]);
-	defdata = nla_data(tb[TCA_DEF_DATA]);
 
 	if (!tcf_hash_check(parm->index, a, bind)) {
 		ret = tcf_hash_create(parm->index, est, a, sizeof(*d), bind);
@@ -108,7 +106,7 @@ static int tcf_simp_init(struct net *net
 			return ret;
 
 		d = to_defact(a);
-		ret = alloc_defdata(d, defdata);
+		ret = alloc_defdata(d, tb[TCA_DEF_DATA]);
 		if (ret < 0) {
 			tcf_hash_cleanup(a, est);
 			return ret;
@@ -124,7 +122,7 @@ static int tcf_simp_init(struct net *net
 		if (!ovr)
 			return -EEXIST;
 
-		reset_policy(d, defdata, parm);
+		reset_policy(d, tb[TCA_DEF_DATA], parm);
 	}
 
 	if (ret == ACT_P_CREATED)



* [PATCH 3.16 141/366] l2tp: clean up stale tunnel or session in pppol2tp_connect's error path
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit bda06be2158c7aa7e41b15500c4d3840369c19a6 upstream.

pppol2tp_connect() may create a tunnel or a session. Remove them in
case of error.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -634,6 +634,8 @@ static int pppol2tp_connect(struct socke
 	u32 session_id, peer_session_id;
 	bool drop_refcnt = false;
 	bool drop_tunnel = false;
+	bool new_session = false;
+	bool new_tunnel = false;
 	int ver = 2;
 	int fd;
 
@@ -744,6 +746,7 @@ static int pppol2tp_connect(struct socke
 				goto end;
 			}
 			drop_tunnel = true;
+			new_tunnel = true;
 		}
 	} else {
 		/* Error if we can't find the tunnel */
@@ -817,6 +820,7 @@ static int pppol2tp_connect(struct socke
 			goto end;
 		}
 		drop_refcnt = true;
+		new_session = true;
 	}
 
 	/* Special case: if source & dest session_id == 0x0000, this
@@ -863,6 +867,12 @@ out_no_ppp:
 		  session->name);
 
 end:
+	if (error) {
+		if (new_session)
+			l2tp_session_delete(session);
+		if (new_tunnel)
+			l2tp_tunnel_delete(tunnel);
+	}
 	if (drop_refcnt)
 		l2tp_session_dec_refcount(session);
 	if (drop_tunnel)
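
Review bot: The new error block under end: calls l2tp_session_delete() and l2tp_tunnel_delete() before the existing drop_refcnt and drop_tunnel blocks release the references, and that ordering is not explained. A comment stating that the deletes must run while the references are still held would protect it from being reordered. new_session and new_tunnel are also set on the same lines as drop_refcnt and drop_tunnel in the earlier hunks; if the pairs can ever differ, say where, and if not, one flag per object would do.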



* [PATCH 3.16 124/366] pagemap: hide physical addresses from non-privileged users
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mark Williamson, Linus Torvalds, Naoya Horiguchi,
	Konstantin Khlebnikov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.

This patch makes pagemap readable for normal users and hides physical
addresses from them.  For some use-cases PFN isn't required at all.

See http://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name

Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Mark Williamson <mwilliamson@undo-software.com>
Tested-by:  Mark Williamson <mwilliamson@undo-software.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Add the same check in the places where we look up a PFN
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/proc/task_mmu.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -862,6 +862,7 @@ struct pagemapread {
 	int pos, len;		/* units: PM_ENTRY_BYTES, not bytes */
 	pagemap_entry_t *buffer;
 	bool v2;
+	bool show_pfn;
 };
 
 #define PAGEMAP_WALK_SIZE	(PMD_SIZE)
@@ -921,12 +922,13 @@ static int pagemap_pte_hole(unsigned lon
 static void pte_to_pagemap_entry(pagemap_entry_t *pme, struct pagemapread *pm,
 		struct vm_area_struct *vma, unsigned long addr, pte_t pte)
 {
-	u64 frame, flags;
+	u64 frame = 0, flags;
 	struct page *page = NULL;
 	int flags2 = 0;
 
 	if (pte_present(pte)) {
-		frame = pte_pfn(pte);
+		if (pm->show_pfn)
+			frame = pte_pfn(pte);
 		flags = PM_PRESENT;
 		page = vm_normal_page(vma, addr, pte);
 		if (pte_soft_dirty(pte))
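Review bot: in pte_to_pagemap_entry(), when pm->show_pfn is false a present page is returned with PM_PRESENT set and a frame of 0, which a reader cannot tell apart from a page that really sits at PFN 0. The diffstat touches only fs/proc/task_mmu.c, so the zeroed PFN field for openers without CAP_SYS_ADMIN should also be described in Documentation/vm/pagemap.txt. Separately, initialising `frame = 0` at the declaration silences the compiler for every branch of the function, so a later branch that forgets to set it would no longer be flagged; assigning 0 in an explicit else of `if (pm->show_pfn)` keeps that warning alive.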
@@ -966,7 +968,7 @@ static void thp_pmd_to_pagemap_entry(pag
 	 * This if-check is just to prepare for future implementation.
 	 */
 	if (pmd_present(pmd))
-		*pme = make_pme(PM_PFRAME(pmd_pfn(pmd) + offset)
+		*pme = make_pme((pm->show_pfn ? PM_PFRAME(pmd_pfn(pmd) + offset) : 0)
 				| PM_STATUS2(pm->v2, pmd_flags2) | PM_PRESENT);
 	else
 		*pme = make_pme(PM_NOT_PRESENT(pm->v2) | PM_STATUS2(pm->v2, pmd_flags2));
@@ -1075,7 +1077,7 @@ static void huge_pte_to_pagemap_entry(pa
 					pte_t pte, int offset, int flags2)
 {
 	if (pte_present(pte))
-		*pme = make_pme(PM_PFRAME(pte_pfn(pte) + offset)	|
+		*pme = make_pme((pm->show_pfn ? PM_PFRAME(pte_pfn(pte) + offset) : 0) |
 				PM_STATUS2(pm->v2, flags2)		|
 				PM_PRESENT);
 	else
@@ -1167,6 +1169,10 @@ static ssize_t pagemap_read(struct file
 		goto out_task;
 
 	pm.v2 = soft_dirty_cleared;
+
+	/* do not disclose physical addresses: attack vector */
+	pm.show_pfn = file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN);
+
 	pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
 	pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
 	ret = -ENOMEM;
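Review bot: the comment above `pm.show_pfn = file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN);` only says "attack vector" and does not state what the check enforces. file_ns_capable() tests the credentials the file was opened with, against the initial user namespace, so a descriptor opened by a privileged task keeps showing PFNs after it is handed to another process, and CAP_SYS_ADMIN held only inside a child user namespace yields zeros. Two comment lines saying so would stop the next reader from assuming this is a capable() check on the current task, which is what the removed code in pagemap_open() was.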
@@ -1241,9 +1247,6 @@ out:
 
 static int pagemap_open(struct inode *inode, struct file *file)
 {
-	/* do not disclose physical addresses: attack vector */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
 	pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
 			"to stop being page-shift some time soon. See the "
 			"linux/Documentation/vm/pagemap.txt for details.\n");



* [PATCH 3.16 263/366] KEYS: DNS: fix parsing multiple options
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 314/366] dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 112/366] of: platform: stop accessing invalid dev in of_platform_device_destroy Ben Hutchings
                   ` (299 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, syzbot, Eric Biggers

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit c604cb767049b78b3075497b80ebb8fd530ea2cc upstream.

My recent fix for dns_resolver_preparse() printing very long strings was
incomplete, as shown by syzbot which still managed to hit the
WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:

    precision 50001 too large
    WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0

The bug this time isn't just a printing bug, but also a logical error
when multiple options ("#"-separated strings) are given in the key
payload.  Specifically, when separating an option string into name and
value, if there is no value then the name is incorrectly considered to
end at the end of the key payload, rather than the end of the current
option.  This bypasses validation of the option length, and also means
that specifying multiple options is broken -- which presumably has gone
unnoticed as there is currently only one valid option anyway.

A similar problem also applied to option values, as the kstrtoul() when
parsing the "dnserror" option will read past the end of the current
option and into the next option.

Fix these bugs by correctly computing the length of the option name and
by copying the option value, null-terminated, into a temporary buffer.

Reproducer for the WARN_ONCE() that syzbot hit:

    perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s

Reproducer for "dnserror" option being parsed incorrectly (expected
behavior is to fail when seeing the unknown option "foo", actual
behavior was to read the dnserror value as "1#foo" and fail there):

    perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dns_resolver/dns_key.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -89,35 +89,39 @@ dns_resolver_instantiate(struct key *key
 		opt++;
 		kdebug("options: '%s'", opt);
 		do {
+			int opt_len, opt_nlen;
 			const char *eq;
-			int opt_len, opt_nlen, opt_vlen, tmp;
+			char optval[128];
 
 			next_opt = memchr(opt, '#', end - opt) ?: end;
 			opt_len = next_opt - opt;
-			if (opt_len <= 0 || opt_len > 128) {
+			if (opt_len <= 0 || opt_len > sizeof(optval)) {
 				pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
 						    opt_len);
 				return -EINVAL;
 			}
 
-			eq = memchr(opt, '=', opt_len) ?: end;
-			opt_nlen = eq - opt;
-			eq++;
-			opt_vlen = next_opt - eq; /* will be -1 if no value */
-
-			tmp = opt_vlen >= 0 ? opt_vlen : 0;
-			kdebug("option '%*.*s' val '%*.*s'",
-			       opt_nlen, opt_nlen, opt, tmp, tmp, eq);
+			eq = memchr(opt, '=', opt_len);
+			if (eq) {
+				opt_nlen = eq - opt;
+				eq++;
+				memcpy(optval, eq, next_opt - eq);
+				optval[next_opt - eq] = '\0';
+			} else {
+				opt_nlen = opt_len;
+				optval[0] = '\0';
+			}
+
+			kdebug("option '%*.*s' val '%s'",
+			       opt_nlen, opt_nlen, opt, optval);
 
 			/* see if it's an error number representing a DNS error
 			 * that's to be recorded as the result in this key */
 			if (opt_nlen == sizeof(DNS_ERRORNO_OPTION) - 1 &&
 			    memcmp(opt, DNS_ERRORNO_OPTION, opt_nlen) == 0) {
 				kdebug("dns error number option");
-				if (opt_vlen <= 0)
-					goto bad_option_value;
 
-				ret = kstrtoul(eq, 10, &derrno);
+				ret = kstrtoul(optval, 10, &derrno);
 				if (ret < 0)
 					goto bad_option_value;
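Review bot: with `if (opt_vlen <= 0) goto bad_option_value;` removed, rejection of a "dnserror" option with no value or an empty value now depends on kstrtoul() failing on the empty string left in optval. That holds, but it is implicit; a short comment at the `kstrtoul(optval, 10, &derrno)` call, or an explicit `optval[0] == '\0'` test, would keep it from being lost in a later cleanup. The bound on the copy is implicit in the same way: `next_opt - eq` is at most `opt_len - 1`, so the terminator written to `optval[next_opt - eq]` fits only because of the earlier `opt_len > sizeof(optval)` check, and that dependency deserves a comment next to the memcpy().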
 



* [PATCH 3.16 266/366] random: mix rdrand with entropy sent in from userspace
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (215 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 079/366] ext4: don't read out of bounds when checking for in-inode xattrs Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 064/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED Ben Hutchings
                   ` (149 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream.

Fedora has integrated the jitter entropy daemon to work around slow
boot problems, especially on VM's that don't support virtio-rng:

    https://bugzilla.redhat.com/show_bug.cgi?id=1572944

It's understandable why they did this, but the Jitter entropy daemon
works fundamentally on the principle: "the CPU microarchitecture is
**so** complicated and we can't figure it out, so it *must* be
random".  Yes, it uses statistical tests to "prove" it is secure, but
AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
flying colors.

So if RDRAND is available, mix it into entropy submitted from
userspace.  It can't hurt, and if you believe the NSA has backdoored
RDRAND, then they probably have enough details about the Intel
microarchitecture that they can reverse engineer how the Jitter
entropy daemon affects the microarchitecture, and attack its output
stream.  And if RDRAND is in fact an honest DRNG, it will immeasurably
improve on what the Jitter entropy daemon might produce.

This also provides some protection against someone who is able to read
or set the entropy seed file.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/random.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1418,14 +1418,22 @@ static int
 write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 {
 	size_t bytes;
-	__u32 buf[16];
+	__u32 t, buf[16];
 	const char __user *p = buffer;
 
 	while (count > 0) {
+		int b, i = 0;
+
 		bytes = min(count, sizeof(buf));
 		if (copy_from_user(&buf, p, bytes))
 			return -EFAULT;
 
+		for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
+			if (!arch_get_random_int(&t))
+				break;
+			buf[i] ^= t;
+		}
+
 		count -= bytes;
 		p += bytes;
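Review bot: the XOR loop in write_pool() works on whole __u32 words, so when `bytes` is not a multiple of 4 the last iteration does `buf[i] ^= t` on a word whose tail was not written by copy_from_user(). On the first pass those tail bytes are uninitialised stack, and the read can trip uninitialised-memory checkers; zero-initialising `buf` or masking the final partial word avoids that. The code that consumes `buf` is outside this hunk, so please confirm it uses only `bytes` bytes. Minor: `b` is an int decremented by a size_t, which works for the 64-byte maximum here but would read better with a matching type.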
 



* [PATCH 3.16 284/366] can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (211 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 337/366] gcov: add support for gcc version >= 6 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 345/366] p54: memset(0) whole array Ben Hutchings
                   ` (153 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Anssi Hannula

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 620050d9c2be15c47017ba95efe59e0832e99a56 upstream.

The xilinx_can driver assumes that the TXOK interrupt only clears after
it has been acknowledged as many times as there have been successfully
sent frames.

However, the documentation does not mention such behavior, instead
saying just that the interrupt is cleared when the clear bit is set.

Similarly, testing seems to also suggest that it is immediately cleared
regardless of the amount of frames having been sent. Performing some
heavy TX load and then going back to idle has the tx_head drifting
further away from tx_tail over time, steadily reducing the amount of
frames the driver keeps in the TX FIFO (but not to zero, as the TXOK
interrupt always frees up space for 1 frame from the driver's
perspective, so frames continue to be sent) and delaying the local echo
frames.

The TX FIFO tracking is also otherwise buggy as it does not account for
TX FIFO being cleared after software resets, causing
  BUG!, TX FIFO full when queue awake!
messages to be output.

There does not seem to be any way to accurately track the state of the
TX FIFO for local echo support while using the full TX FIFO.

The Zynq version of the HW (but not the soft-AXI version) has watermark
programming support and with it an additional TX-FIFO-empty interrupt
bit.

Modify the driver to only put 1 frame into TX FIFO at a time on soft-AXI
and 2 frames at a time on Zynq. On Zynq the TXFEMP interrupt bit is used
to detect whether 1 or 2 frames have been sent at interrupt processing
time.

Tested with the integrated CAN on Zynq-7000 SoC. The 1-frame-FIFO mode
was also tested.

An alternative way to solve this would be to drop local echo support but
keep using the full TX FIFO.

v2: Add FIFO space check before TX queue wake with locking to
synchronize with queue stop. This avoids waking the queue when xmit()
had just filled it.

v3: Keep local echo support and reduce the amount of frames in FIFO
instead as suggested by Marc Kleine-Budde.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 139 +++++++++++++++++++++++++++++++----
 1 file changed, 123 insertions(+), 16 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -26,8 +26,10 @@
 #include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/of.h>
+#include <linux/of_device.h>
 #include <linux/platform_device.h>
 #include <linux/skbuff.h>
+#include <linux/spinlock.h>
 #include <linux/string.h>
 #include <linux/types.h>
 #include <linux/can/dev.h>
@@ -118,6 +120,7 @@ enum xcan_reg {
 /**
  * struct xcan_priv - This definition define CAN driver instance
  * @can:			CAN private data structure.
+ * @tx_lock:			Lock for synchronizing TX interrupt handling
  * @tx_head:			Tx CAN packets ready to send on the queue
  * @tx_tail:			Tx CAN packets successfully sended on the queue
  * @tx_max:			Maximum number packets the driver can send
@@ -132,6 +135,7 @@ enum xcan_reg {
  */
 struct xcan_priv {
 	struct can_priv can;
+	spinlock_t tx_lock;
 	unsigned int tx_head;
 	unsigned int tx_tail;
 	unsigned int tx_max;
@@ -159,6 +163,11 @@ static const struct can_bittiming_const
 	.brp_inc = 1,
 };
 
+#define XCAN_CAP_WATERMARK	0x0001
+struct xcan_devtype_data {
+	unsigned int caps;
+};
+
 /**
  * xcan_write_reg_le - Write a value to the device register little endian
  * @priv:	Driver private data structure
@@ -238,6 +247,10 @@ static int set_reset_mode(struct net_dev
 		usleep_range(500, 10000);
 	}
 
+	/* reset clears FIFOs */
+	priv->tx_head = 0;
+	priv->tx_tail = 0;
+
 	return 0;
 }
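Review bot: set_reset_mode() now zeroes priv->tx_head and priv->tx_tail without taking priv->tx_lock, while the same patch makes xcan_start_xmit() and xcan_tx_interrupt() update them only under that lock. If every caller runs with the queue stopped and the TX interrupt quiesced, say so in the "reset clears FIFOs" comment; otherwise take the lock here. The reset also discards the driver's count of queued frames without touching the echo skbs stored for them by can_put_echo_skb(), which is worth checking against the callers.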
 
@@ -391,6 +404,7 @@ static int xcan_start_xmit(struct sk_buf
 	struct net_device_stats *stats = &ndev->stats;
 	struct can_frame *cf = (struct can_frame *)skb->data;
 	u32 id, dlc, data[2] = {0, 0};
+	unsigned long flags;
 
 	if (can_dropped_invalid_skb(ndev, skb))
 		return NETDEV_TX_OK;
@@ -438,6 +452,9 @@ static int xcan_start_xmit(struct sk_buf
 		data[1] = be32_to_cpup((__be32 *)(cf->data + 4));
 
 	can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max);
+
+	spin_lock_irqsave(&priv->tx_lock, flags);
+
 	priv->tx_head++;
 
 	/* Write the Frame to Xilinx CAN TX FIFO */
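Review bot: `can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max);` still reads tx_head before `spin_lock_irqsave(&priv->tx_lock, flags);` is taken. That is safe only if nothing but xmit changes tx_head while the queue is running, which the new reset of tx_head in set_reset_mode() makes less obvious. Either move the echo call under the lock or add a comment stating why the unlocked read is fine.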
@@ -453,10 +470,16 @@ static int xcan_start_xmit(struct sk_buf
 		stats->tx_bytes += cf->can_dlc;
 	}
 
+	/* Clear TX-FIFO-empty interrupt for xcan_tx_interrupt() */
+	if (priv->tx_max > 1)
+		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXFEMP_MASK);
+
 	/* Check if the TX buffer is full */
 	if ((priv->tx_head - priv->tx_tail) == priv->tx_max)
 		netif_stop_queue(ndev);
 
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+
 	return NETDEV_TX_OK;
 }
 
@@ -833,19 +856,71 @@ static void xcan_tx_interrupt(struct net
 {
 	struct xcan_priv *priv = netdev_priv(ndev);
 	struct net_device_stats *stats = &ndev->stats;
+	unsigned int frames_in_fifo;
+	int frames_sent = 1; /* TXOK => at least 1 frame was sent */
+	unsigned long flags;
+	int retries = 0;
+
+	/* Synchronize with xmit as we need to know the exact number
+	 * of frames in the FIFO to stay in sync due to the TXFEMP
+	 * handling.
+	 * This also prevents a race between netif_wake_queue() and
+	 * netif_stop_queue().
+	 */
+	spin_lock_irqsave(&priv->tx_lock, flags);
+
+	frames_in_fifo = priv->tx_head - priv->tx_tail;
+
+	if (WARN_ON_ONCE(frames_in_fifo == 0)) {
+		/* clear TXOK anyway to avoid getting back here */
+		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+		spin_unlock_irqrestore(&priv->tx_lock, flags);
+		return;
+	}
+
+	/* Check if 2 frames were sent (TXOK only means that at least 1
+	 * frame was sent).
+	 */
+	if (frames_in_fifo > 1) {
+		WARN_ON(frames_in_fifo > priv->tx_max);
+
+		/* Synchronize TXOK and isr so that after the loop:
+		 * (1) isr variable is up-to-date at least up to TXOK clear
+		 *     time. This avoids us clearing a TXOK of a second frame
+		 *     but not noticing that the FIFO is now empty and thus
+		 *     marking only a single frame as sent.
+		 * (2) No TXOK is left. Having one could mean leaving a
+		 *     stray TXOK as we might process the associated frame
+		 *     via TXFEMP handling as we read TXFEMP *after* TXOK
+		 *     clear to satisfy (1).
+		 */
+		while ((isr & XCAN_IXR_TXOK_MASK) && !WARN_ON(++retries == 100)) {
+			priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+			isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
+		}
 
-	while ((priv->tx_head - priv->tx_tail > 0) &&
-			(isr & XCAN_IXR_TXOK_MASK)) {
+		if (isr & XCAN_IXR_TXFEMP_MASK) {
+			/* nothing in FIFO anymore */
+			frames_sent = frames_in_fifo;
+		}
+	} else {
+		/* single frame in fifo, just clear TXOK */
 		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+	}
+
+	while (frames_sent--) {
 		can_get_echo_skb(ndev, priv->tx_tail %
 					priv->tx_max);
 		priv->tx_tail++;
 		stats->tx_packets++;
-		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
+
+	netif_wake_queue(ndev);
+
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+
 	can_led_event(ndev, CAN_LED_EVENT_TX);
 	xcan_update_error_state_after_rxtx(ndev);
-	netif_wake_queue(ndev);
 }
 
 /**
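Review bot: `WARN_ON(frames_in_fifo > priv->tx_max);` reports the inconsistency but execution continues, and if TXFEMP is set `frames_sent = frames_in_fifo;` then drives the `while (frames_sent--)` loop through more than tx_max iterations, calling can_get_echo_skb() repeatedly on the same `tx_tail % tx_max` slots and inflating tx_packets. Clamp frames_in_fifo to priv->tx_max when the warning fires. The retry loop has the same shape of problem: if it gives up after 100 reads, TXOK is still set in isr and the code carries on as though it had been cleared, so bail out or at least skip the TXFEMP evaluation in that case. Minor: frames_sent is an int assigned from the unsigned frames_in_fifo.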
@@ -1121,6 +1196,18 @@ static int __maybe_unused xcan_resume(st
 
 static SIMPLE_DEV_PM_OPS(xcan_dev_pm_ops, xcan_suspend, xcan_resume);
 
+static const struct xcan_devtype_data xcan_zynq_data = {
+	.caps = XCAN_CAP_WATERMARK,
+};
+
+/* Match table for OF platform binding */
+static const struct of_device_id xcan_of_match[] = {
+	{ .compatible = "xlnx,zynq-can-1.0", .data = &xcan_zynq_data },
+	{ .compatible = "xlnx,axi-can-1.00.a", },
+	{ /* end of list */ },
+};
+MODULE_DEVICE_TABLE(of, xcan_of_match);
+
 /**
  * xcan_probe - Platform registration call
  * @pdev:	Handle to the platform device structure
@@ -1135,8 +1222,10 @@ static int xcan_probe(struct platform_de
 	struct resource *res; /* IO mem resources */
 	struct net_device *ndev;
 	struct xcan_priv *priv;
+	const struct of_device_id *of_id;
+	int caps = 0;
 	void __iomem *addr;
-	int ret, rx_max, tx_max;
+	int ret, rx_max, tx_max, tx_fifo_depth;
 
 	/* Get the virtual base address for the device */
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
@@ -1146,7 +1235,8 @@ static int xcan_probe(struct platform_de
 		goto err;
 	}
 
-	ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth", &tx_max);
+	ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth",
+				   &tx_fifo_depth);
 	if (ret < 0)
 		goto err;
 
@@ -1154,6 +1244,30 @@ static int xcan_probe(struct platform_de
 	if (ret < 0)
 		goto err;
 
+	of_id = of_match_device(xcan_of_match, &pdev->dev);
+	if (of_id) {
+		const struct xcan_devtype_data *devtype_data = of_id->data;
+
+		if (devtype_data)
+			caps = devtype_data->caps;
+	}
+
+	/* There is no way to directly figure out how many frames have been
+	 * sent when the TXOK interrupt is processed. If watermark programming
+	 * is supported, we can have 2 frames in the FIFO and use TXFEMP
+	 * to determine if 1 or 2 frames have been sent.
+	 * Theoretically we should be able to use TXFWMEMP to determine up
+	 * to 3 frames, but it seems that after putting a second frame in the
+	 * FIFO, with watermark at 2 frames, it can happen that TXFWMEMP (less
+	 * than 2 frames in FIFO) is set anyway with no TXOK (a frame was
+	 * sent), which is not a sensible state - possibly TXFWMEMP is not
+	 * completely synchronized with the rest of the bits?
+	 */
+	if (caps & XCAN_CAP_WATERMARK)
+		tx_max = min(tx_fifo_depth, 2);
+	else
+		tx_max = 1;
+
 	/* Create a CAN device instance */
 	ndev = alloc_candev(sizeof(struct xcan_priv), tx_max);
 	if (!ndev)
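Review bot: `tx_max = min(tx_fifo_depth, 2);` has no lower bound, so a device tree with a tx-fifo-depth of 0 on a watermark-capable device gives tx_max = 0, and xcan_start_xmit() then evaluates `priv->tx_head % priv->tx_max`. Reject a depth below 1 with -EINVAL before this point. Two type nits in the same function: tx_fifo_depth is an int whose address is passed to of_property_read_u32(), and `caps` is declared int here but unsigned int in struct xcan_devtype_data.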
@@ -1168,6 +1282,7 @@ static int xcan_probe(struct platform_de
 					CAN_CTRLMODE_BERR_REPORTING;
 	priv->reg_base = addr;
 	priv->tx_max = tx_max;
+	spin_lock_init(&priv->tx_lock);
 
 	/* Get IRQ for the device */
 	ndev->irq = platform_get_irq(pdev, 0);
@@ -1235,9 +1350,9 @@ static int xcan_probe(struct platform_de
 	devm_can_led_init(ndev);
 	clk_disable_unprepare(priv->bus_clk);
 	clk_disable_unprepare(priv->can_clk);
-	netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth:%d\n",
+	netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth: actual %d, using %d\n",
 			priv->reg_base, ndev->irq, priv->can.clock.freq,
-			priv->tx_max);
+			tx_fifo_depth, priv->tx_max);
 
 	return 0;
 
@@ -1273,14 +1388,6 @@ static int xcan_remove(struct platform_d
 	return 0;
 }
 
-/* Match table for OF platform binding */
-static const struct of_device_id xcan_of_match[] = {
-	{ .compatible = "xlnx,zynq-can-1.0", },
-	{ .compatible = "xlnx,axi-can-1.00.a", },
-	{ /* end of list */ },
-};
-MODULE_DEVICE_TABLE(of, xcan_of_match);
-
 static struct platform_driver xcan_driver = {
 	.probe = xcan_probe,
 	.remove	= xcan_remove,



* [PATCH 3.16 285/366] can: xilinx_can: fix RX overflow interrupt not being enabled
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (267 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 254/366] mm: do not bug_on on incorrect length in __mm_populate() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 226/366] mm: hugetlb: yield when prepping struct pages Ben Hutchings
                   ` (97 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Michal Simek, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 83997997252f5d3fc7f04abc24a89600c2b504ab upstream.

RX overflow interrupt (RXOFLW) is disabled even though xcan_interrupt()
processes it. This means that an RX overflow interrupt will only be
processed when another interrupt gets asserted (e.g. for RX/TX).

Fix that by enabling the RXOFLW interrupt.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Cc: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -103,7 +103,7 @@ enum xcan_reg {
 #define XCAN_INTR_ALL		(XCAN_IXR_TXOK_MASK | XCAN_IXR_BSOFF_MASK |\
 				 XCAN_IXR_WKUP_MASK | XCAN_IXR_SLP_MASK | \
 				 XCAN_IXR_RXNEMP_MASK | XCAN_IXR_ERROR_MASK | \
-				 XCAN_IXR_ARBLST_MASK)
+				 XCAN_IXR_RXOFLW_MASK | XCAN_IXR_ARBLST_MASK)
 
 /* CAN register bit shift - XCAN_<REG>_<BIT>_SHIFT */
 #define XCAN_BTR_SJW_SHIFT		7  /* Synchronous jump width */



* [PATCH 3.16 280/366] can: dev: Consolidate and unify state change handling
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 030/366] ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup Ben Hutchings
                   ` (116 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wolfgang Grandegger, Marc Kleine-Budde, Andri Yngvason

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andri Yngvason <andri.yngvason@marel.com>

commit bac78aabcfece0c493b2ad824c68fbdc20448cbc upstream.

The handling of can error states is different between platforms.
This is an attempt to correct that problem.

I've moved this handling into a generic function for changing the
error state. This ensures that error state changes are handled
the same way everywhere (where this function is used).

This new mechanism also adds reverse state transitioning in error
frames, i.e. the user will be notified through the socket interface
when the state goes down.

Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c          | 78 ++++++++++++++++++++++++++++++++++
 include/linux/can/dev.h        |  3 ++
 include/uapi/linux/can/error.h |  1 +
 3 files changed, 82 insertions(+)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -275,6 +275,84 @@ static int can_get_bittiming(struct net_
 	return err;
 }
 
+static void can_update_state_error_stats(struct net_device *dev,
+					 enum can_state new_state)
+{
+	struct can_priv *priv = netdev_priv(dev);
+
+	if (new_state <= priv->state)
+		return;
+
+	switch (new_state) {
+	case CAN_STATE_ERROR_WARNING:
+		priv->can_stats.error_warning++;
+		break;
+	case CAN_STATE_ERROR_PASSIVE:
+		priv->can_stats.error_passive++;
+		break;
+	case CAN_STATE_BUS_OFF:
+	default:
+		break;
+	};
+}
+
+static int can_tx_state_to_frame(struct net_device *dev, enum can_state state)
+{
+	switch (state) {
+	case CAN_STATE_ERROR_ACTIVE:
+		return CAN_ERR_CRTL_ACTIVE;
+	case CAN_STATE_ERROR_WARNING:
+		return CAN_ERR_CRTL_TX_WARNING;
+	case CAN_STATE_ERROR_PASSIVE:
+		return CAN_ERR_CRTL_TX_PASSIVE;
+	default:
+		return 0;
+	}
+}
+
+static int can_rx_state_to_frame(struct net_device *dev, enum can_state state)
+{
+	switch (state) {
+	case CAN_STATE_ERROR_ACTIVE:
+		return CAN_ERR_CRTL_ACTIVE;
+	case CAN_STATE_ERROR_WARNING:
+		return CAN_ERR_CRTL_RX_WARNING;
+	case CAN_STATE_ERROR_PASSIVE:
+		return CAN_ERR_CRTL_RX_PASSIVE;
+	default:
+		return 0;
+	}
+}
+
+void can_change_state(struct net_device *dev, struct can_frame *cf,
+		      enum can_state tx_state, enum can_state rx_state)
+{
+	struct can_priv *priv = netdev_priv(dev);
+	enum can_state new_state = max(tx_state, rx_state);
+
+	if (unlikely(new_state == priv->state)) {
+		netdev_warn(dev, "%s: oops, state did not change", __func__);
+		return;
+	}
+
+	netdev_dbg(dev, "New error state: %d\n", new_state);
+
+	can_update_state_error_stats(dev, new_state);
+	priv->state = new_state;
+
+	if (unlikely(new_state == CAN_STATE_BUS_OFF)) {
+		cf->can_id |= CAN_ERR_BUSOFF;
+		return;
+	}
+
+	cf->can_id |= CAN_ERR_CRTL;
+	cf->data[1] |= tx_state >= rx_state ?
+		       can_tx_state_to_frame(dev, tx_state) : 0;
+	cf->data[1] |= tx_state <= rx_state ?
+		       can_rx_state_to_frame(dev, rx_state) : 0;
+}
+EXPORT_SYMBOL_GPL(can_change_state);
+
 /*
  * Local echo of CAN messages
  *
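Review bot: can_change_state() dereferences cf unconditionally (`cf->can_id |= CAN_ERR_BUSOFF;`, `cf->data[1] |= ...`), yet it is exported without a kernel-doc comment saying that cf must be non-NULL, so a driver whose error-frame allocation failed has no documented way to still record the state change. Either tolerate a NULL cf or document the requirement on the exported function. Smaller points: the netdev_warn() format string in the unchanged-state path lacks a trailing newline, the switch in can_update_state_error_stats() ends in `};`, and the dev argument of can_tx_state_to_frame() and can_rx_state_to_frame() is unused.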
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -122,6 +122,9 @@ void unregister_candev(struct net_device
 int can_restart_now(struct net_device *dev);
 void can_bus_off(struct net_device *dev);
 
+void can_change_state(struct net_device *dev, struct can_frame *cf,
+		      enum can_state tx_state, enum can_state rx_state);
+
 void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
 		      unsigned int idx);
 unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx);
--- a/include/uapi/linux/can/error.h
+++ b/include/uapi/linux/can/error.h
@@ -71,6 +71,7 @@
 #define CAN_ERR_CRTL_TX_PASSIVE  0x20 /* reached error passive status TX */
 				      /* (at least one error counter exceeds */
 				      /* the protocol-defined level of 127)  */
+#define CAN_ERR_CRTL_ACTIVE      0x40 /* recovered to error active state */
 
 /* error in CAN protocol (type) / data[2] */
 #define CAN_ERR_PROT_UNSPEC      0x00 /* unspecified */



* [PATCH 3.16 283/366] can: xilinx_can: fix recovery from error states not being propagated
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 050/366] 1wire: family module autoload fails because of upper/lower case mismatch Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 169/366] net/xen-netfront: only clean up queues if present Ben Hutchings
                   ` (252 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 877e0b75947e2c7acf5624331bb17ceb093c98ae upstream.

The xilinx_can driver contains no mechanism for propagating recovery
from CAN_STATE_ERROR_WARNING and CAN_STATE_ERROR_PASSIVE.

Add such a mechanism by factoring the handling of
XCAN_STATE_ERROR_PASSIVE and XCAN_STATE_ERROR_WARNING out of
xcan_err_interrupt and checking for recovery after RX and TX if the
interface is in one of those states.

Tested with the integrated CAN on Zynq-7000 SoC.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 155 ++++++++++++++++++++++++++++-------
 1 file changed, 127 insertions(+), 28 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -2,6 +2,7 @@
  *
  * Copyright (C) 2012 - 2014 Xilinx, Inc.
  * Copyright (C) 2009 PetaLogix. All rights reserved.
+ * Copyright (C) 2017 Sandvik Mining and Construction Oy
  *
  * Description:
  * This driver is developed for Axi CAN IP and for Zynq CANPS Controller.
@@ -528,6 +529,123 @@ static int xcan_rx(struct net_device *nd
 }
 
 /**
+ * xcan_current_error_state - Get current error state from HW
+ * @ndev:	Pointer to net_device structure
+ *
+ * Checks the current CAN error state from the HW. Note that this
+ * only checks for ERROR_PASSIVE and ERROR_WARNING.
+ *
+ * Return:
+ * ERROR_PASSIVE or ERROR_WARNING if either is active, ERROR_ACTIVE
+ * otherwise.
+ */
+static enum can_state xcan_current_error_state(struct net_device *ndev)
+{
+	struct xcan_priv *priv = netdev_priv(ndev);
+	u32 status = priv->read_reg(priv, XCAN_SR_OFFSET);
+
+	if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK)
+		return CAN_STATE_ERROR_PASSIVE;
+	else if (status & XCAN_SR_ERRWRN_MASK)
+		return CAN_STATE_ERROR_WARNING;
+	else
+		return CAN_STATE_ERROR_ACTIVE;
+}
+
+/**
+ * xcan_set_error_state - Set new CAN error state
+ * @ndev:	Pointer to net_device structure
+ * @new_state:	The new CAN state to be set
+ * @cf:		Error frame to be populated or NULL
+ *
+ * Set new CAN error state for the device, updating statistics and
+ * populating the error frame if given.
+ */
+static void xcan_set_error_state(struct net_device *ndev,
+				 enum can_state new_state,
+				 struct can_frame *cf)
+{
+	struct xcan_priv *priv = netdev_priv(ndev);
+	u32 ecr = priv->read_reg(priv, XCAN_ECR_OFFSET);
+	u32 txerr = ecr & XCAN_ECR_TEC_MASK;
+	u32 rxerr = (ecr & XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT;
+
+	priv->can.state = new_state;
+
+	if (cf) {
+		cf->can_id |= CAN_ERR_CRTL;
+		cf->data[6] = txerr;
+		cf->data[7] = rxerr;
+	}
+
+	switch (new_state) {
+	case CAN_STATE_ERROR_PASSIVE:
+		priv->can.can_stats.error_passive++;
+		if (cf)
+			cf->data[1] = (rxerr > 127) ?
+					CAN_ERR_CRTL_RX_PASSIVE :
+					CAN_ERR_CRTL_TX_PASSIVE;
+		break;
+	case CAN_STATE_ERROR_WARNING:
+		priv->can.can_stats.error_warning++;
+		if (cf)
+			cf->data[1] |= (txerr > rxerr) ?
+					CAN_ERR_CRTL_TX_WARNING :
+					CAN_ERR_CRTL_RX_WARNING;
+		break;
+	case CAN_STATE_ERROR_ACTIVE:
+		if (cf)
+			cf->data[1] |= CAN_ERR_CRTL_ACTIVE;
+		break;
+	default:
+		/* non-ERROR states are handled elsewhere */
+		WARN_ON(1);
+		break;
+	}
+}
+
+/**
+ * xcan_update_error_state_after_rxtx - Update CAN error state after RX/TX
+ * @ndev:	Pointer to net_device structure
+ *
+ * If the device is in a ERROR-WARNING or ERROR-PASSIVE state, check if
+ * the performed RX/TX has caused it to drop to a lesser state and set
+ * the interface state accordingly.
+ */
+static void xcan_update_error_state_after_rxtx(struct net_device *ndev)
+{
+	struct xcan_priv *priv = netdev_priv(ndev);
+	enum can_state old_state = priv->can.state;
+	enum can_state new_state;
+
+	/* changing error state due to successful frame RX/TX can only
+	 * occur from these states
+	 */
+	if (old_state != CAN_STATE_ERROR_WARNING &&
+	    old_state != CAN_STATE_ERROR_PASSIVE)
+		return;
+
+	new_state = xcan_current_error_state(ndev);
+
+	if (new_state != old_state) {
+		struct sk_buff *skb;
+		struct can_frame *cf;
+
+		skb = alloc_can_err_skb(ndev, &cf);
+
+		xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
+
+		if (skb) {
+			struct net_device_stats *stats = &ndev->stats;
+
+			stats->rx_packets++;
+			stats->rx_bytes += cf->can_dlc;
+			netif_rx(skb);
+		}
+	}
+}
+
+/**
  * xcan_err_interrupt - error frame Isr
  * @ndev:	net_device pointer
  * @isr:	interrupt status register value
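Review bot: In xcan_set_error_state() the CAN_STATE_ERROR_PASSIVE case assigns `cf->data[1] = ...` while the ERROR_WARNING and ERROR_ACTIVE cases use `cf->data[1] |= ...`. The assignment discards any controller flag already stored in that byte, so the helper is only correct when it runs before every other writer of data[1] on the same frame. Use `|=` in all three cases, or state in the kernel-doc that @cf must be a freshly allocated error frame.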
@@ -542,16 +660,12 @@ static void xcan_err_interrupt(struct ne
 	struct net_device_stats *stats = &ndev->stats;
 	struct can_frame *cf;
 	struct sk_buff *skb;
-	u32 err_status, status, txerr = 0, rxerr = 0;
+	u32 err_status;
 
 	skb = alloc_can_err_skb(ndev, &cf);
 
 	err_status = priv->read_reg(priv, XCAN_ESR_OFFSET);
 	priv->write_reg(priv, XCAN_ESR_OFFSET, err_status);
-	txerr = priv->read_reg(priv, XCAN_ECR_OFFSET) & XCAN_ECR_TEC_MASK;
-	rxerr = ((priv->read_reg(priv, XCAN_ECR_OFFSET) &
-			XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT);
-	status = priv->read_reg(priv, XCAN_SR_OFFSET);
 
 	if (isr & XCAN_IXR_BSOFF_MASK) {
 		priv->can.state = CAN_STATE_BUS_OFF;
@@ -561,28 +675,10 @@ static void xcan_err_interrupt(struct ne
 		can_bus_off(ndev);
 		if (skb)
 			cf->can_id |= CAN_ERR_BUSOFF;
-	} else if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK) {
-		priv->can.state = CAN_STATE_ERROR_PASSIVE;
-		priv->can.can_stats.error_passive++;
-		if (skb) {
-			cf->can_id |= CAN_ERR_CRTL;
-			cf->data[1] = (rxerr > 127) ?
-					CAN_ERR_CRTL_RX_PASSIVE :
-					CAN_ERR_CRTL_TX_PASSIVE;
-			cf->data[6] = txerr;
-			cf->data[7] = rxerr;
-		}
-	} else if (status & XCAN_SR_ERRWRN_MASK) {
-		priv->can.state = CAN_STATE_ERROR_WARNING;
-		priv->can.can_stats.error_warning++;
-		if (skb) {
-			cf->can_id |= CAN_ERR_CRTL;
-			cf->data[1] |= (txerr > rxerr) ?
-					CAN_ERR_CRTL_TX_WARNING :
-					CAN_ERR_CRTL_RX_WARNING;
-			cf->data[6] = txerr;
-			cf->data[7] = rxerr;
-		}
+	} else {
+		enum can_state new_state = xcan_current_error_state(ndev);
+
+		xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
 	}
 
 	/* Check for Arbitration lost interrupt */
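Review bot: The new else branch calls xcan_set_error_state() without comparing new_state against priv->can.state, so every non-bus-off error interrupt rewrites the state and still bumps error_passive or error_warning even when nothing changed. It also means an error interrupt taken in ERROR_ACTIVE now produces a frame with CAN_ERR_CRTL and CAN_ERR_CRTL_ACTIVE set, which the removed code never did. xcan_update_error_state_after_rxtx() already guards with `if (new_state != old_state)`; the same test here would keep the counters as transition counts and limit controller-state frames to real transitions.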
@@ -714,8 +810,10 @@ static int xcan_rx_poll(struct napi_stru
 		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
 
-	if (work_done)
+	if (work_done) {
 		can_led_event(ndev, CAN_LED_EVENT_RX);
+		xcan_update_error_state_after_rxtx(ndev);
+	}
 
 	if (work_done < quota) {
 		napi_complete(napi);
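Review bot: xcan_update_error_state_after_rxtx() is called here from the NAPI poll and, in the last hunk, from xcan_tx_interrupt(), while xcan_err_interrupt() also writes priv->can.state; the helper reads old_state, reads the hardware state and then writes priv->can.state with no lock visible in this patch. If the poll and the interrupt handler can run at the same time, two transitions can interleave and produce duplicate or out-of-order error frames and a stale priv->can.state. Please document in the helper's comment what serialises these callers, or protect the read-compare-set sequence with a lock.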
@@ -746,6 +844,7 @@ static void xcan_tx_interrupt(struct net
 		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
 	can_led_event(ndev, CAN_LED_EVENT_TX);
+	xcan_update_error_state_after_rxtx(ndev);
 	netif_wake_queue(ndev);
 }
 



* [PATCH 3.16 282/366] can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (354 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 021/366] net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()) Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 252/366] mm: refuse wrapped vm_brk requests Ben Hutchings
                   ` (10 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Anssi Hannula

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 32852c561bffd613d4ed7ec464b1e03e1b7b6c5c upstream.

If the device gets into a state where RXNEMP (RX FIFO not empty)
interrupt is asserted without RXOK (new frame received successfully)
interrupt being asserted, xcan_rx_poll() will continue to try to clear
RXNEMP without actually reading frames from RX FIFO. If the RX FIFO is
not empty, the interrupt will not be cleared and napi_schedule() will
just be called again.

This situation can occur when:

(a) xcan_rx() returns without reading RX FIFO due to an error condition.
The code tries to clear both RXOK and RXNEMP but RXNEMP will not clear
due to a frame still being in the FIFO. The frame will never be read
from the FIFO as RXOK is no longer set.

(b) A frame is received between xcan_rx_poll() reading interrupt status
and clearing RXOK. RXOK will be cleared, but RXNEMP will again remain
set as the new message is still in the FIFO.

I'm able to trigger case (b) by flooding the bus with frames under load.

There does not seem to be any benefit in using both RXNEMP and RXOK in
the way the driver does, and the polling example in the reference manual
(UG585 v1.10 18.3.7 Read Messages from RxFIFO) also says that either
RXOK or RXNEMP can be used for detecting incoming messages.

Fix the issue and simplify the RX processing by only using RXNEMP
without RXOK.

Tested with the integrated CAN on Zynq-7000 SoC.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -100,7 +100,7 @@ enum xcan_reg {
 #define XCAN_INTR_ALL		(XCAN_IXR_TXOK_MASK | XCAN_IXR_BSOFF_MASK |\
 				 XCAN_IXR_WKUP_MASK | XCAN_IXR_SLP_MASK | \
 				 XCAN_IXR_RXNEMP_MASK | XCAN_IXR_ERROR_MASK | \
-				 XCAN_IXR_ARBLST_MASK | XCAN_IXR_RXOK_MASK)
+				 XCAN_IXR_ARBLST_MASK)
 
 /* CAN register bit shift - XCAN_<REG>_<BIT>_SHIFT */
 #define XCAN_BTR_SJW_SHIFT		7  /* Synchronous jump width */
@@ -709,15 +709,7 @@ static int xcan_rx_poll(struct napi_stru
 
 	isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	while ((isr & XCAN_IXR_RXNEMP_MASK) && (work_done < quota)) {
-		if (isr & XCAN_IXR_RXOK_MASK) {
-			priv->write_reg(priv, XCAN_ICR_OFFSET,
-				XCAN_IXR_RXOK_MASK);
-			work_done += xcan_rx(ndev);
-		} else {
-			priv->write_reg(priv, XCAN_ICR_OFFSET,
-				XCAN_IXR_RXNEMP_MASK);
-			break;
-		}
+		work_done += xcan_rx(ndev);
 		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_RXNEMP_MASK);
 		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
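Review bot: With the RXOK test and its `break` removed, the loop in xcan_rx_poll() ends only when RXNEMP clears or work_done reaches quota, and `work_done += xcan_rx(ndev);` guarantees neither. Case (a) in the commit message says xcan_rx() can return without reading the RX FIFO on an error condition; if it returns 0 on that path, RXNEMP stays set, work_done does not advance, and the poll keeps looping for as long as the error persists. Either make xcan_rx() always consume the frame from the FIFO (dropping it on error), or count a failed call against the quota so the loop stays bounded.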
@@ -728,7 +720,7 @@ static int xcan_rx_poll(struct napi_stru
 	if (work_done < quota) {
 		napi_complete(napi);
 		ier = priv->read_reg(priv, XCAN_IER_OFFSET);
-		ier |= (XCAN_IXR_RXOK_MASK | XCAN_IXR_RXNEMP_MASK);
+		ier |= XCAN_IXR_RXNEMP_MASK;
 		priv->write_reg(priv, XCAN_IER_OFFSET, ier);
 	}
 	return work_done;
@@ -800,9 +792,9 @@ static irqreturn_t xcan_interrupt(int ir
 	}
 
 	/* Check for the type of receive interrupt and Processing it */
-	if (isr & (XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK)) {
+	if (isr & XCAN_IXR_RXNEMP_MASK) {
 		ier = priv->read_reg(priv, XCAN_IER_OFFSET);
-		ier &= ~(XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK);
+		ier &= ~XCAN_IXR_RXNEMP_MASK;
 		priv->write_reg(priv, XCAN_IER_OFFSET, ier);
 		napi_schedule(&priv->napi);
 	}



* [PATCH 3.16 287/366] net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 350/366] sched/topology: Make local variables static Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 366/366] perf tools: Fix python extension build for gcc 8 Ben Hutchings
                   ` (316 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Tariq Toukan, Jack Morgenstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 958c696f5a7274d9447a458ad7aa70719b29a50a upstream.

Function mlx4_RST2INIT_QP_wrapper saved the qp number passed in the qp
context, rather than the one passed in the input modifier.

However, the qp number in the qp context is not defined as a
required parameter by the FW. Therefore, drivers may choose to not
specify the qp number in the qp context for the reset-to-init transition.

Thus, we must save the qp number passed in the command input modifier --
which is always present. (This saved qp number is used as the input
modifier for command 2RST_QP when a slave's qp's are destroyed).

Fixes: c82e9aa0a8bc ("mlx4_core: resource tracking for HCA resources used by guests")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2673,7 +2673,7 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4
 	u32 srqn = qp_get_srqn(qpc) & 0xffffff;
 	int use_srq = (qp_get_srqn(qpc) >> 24) & 1;
 	struct res_srq *srq;
-	int local_qpn = be32_to_cpu(qpc->local_qpn) & 0xffffff;
+	int local_qpn = vhcr->in_modifier & 0xffffff;
 
 	err = qp_res_start_move_to(dev, slave, qpn, RES_QP_HW, &qp, 0);
 	if (err)
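Review bot: local_qpn is now taken from the slave-supplied vhcr->in_modifier with a 0xffffff mask, while the `qpn` passed to qp_res_start_move_to() two lines below is derived somewhere outside this hunk, presumably from the same field. If both are the same masked value, reuse qpn instead of keeping a second copy that could drift; if the masks differ on purpose, a short comment should say why. This matters because, per the commit message, the saved number is later used as the input modifier for 2RST_QP.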



* [PATCH 3.16 286/366] can: xilinx_can: fix incorrect clear of non-processed interrupts
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 296/366] tracing: Fix possible double free in event_enable_trigger_func() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 078/366] ext4: correct endianness conversion in __xattr_check_inode() Ben Hutchings
                   ` (146 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Michal Simek, Anssi Hannula

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 2f4f0f338cf453bfcdbcf089e177c16f35f023c8 upstream.

xcan_interrupt() clears ERROR|RXOFLV|BSOFF|ARBLST interrupts if any of
them is asserted. This does not take into account that some of them
could have been asserted between interrupt status read and interrupt
clear, therefore clearing them without handling them.

Fix the code to only clear those interrupts that it knows are asserted
and therefore going to be processed in xcan_err_interrupt().

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Cc: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -939,6 +939,7 @@ static irqreturn_t xcan_interrupt(int ir
 	struct net_device *ndev = (struct net_device *)dev_id;
 	struct xcan_priv *priv = netdev_priv(ndev);
 	u32 isr, ier;
+	u32 isr_errors;
 
 	/* Get the interrupt status from Xilinx CAN */
 	isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
@@ -957,11 +958,10 @@ static irqreturn_t xcan_interrupt(int ir
 		xcan_tx_interrupt(ndev, isr);
 
 	/* Check for the type of error interrupt and Processing it */
-	if (isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK |
-			XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK)) {
-		priv->write_reg(priv, XCAN_ICR_OFFSET, (XCAN_IXR_ERROR_MASK |
-				XCAN_IXR_RXOFLW_MASK | XCAN_IXR_BSOFF_MASK |
-				XCAN_IXR_ARBLST_MASK));
+	isr_errors = isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK |
+			    XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK);
+	if (isr_errors) {
+		priv->write_reg(priv, XCAN_ICR_OFFSET, isr_errors);
 		xcan_err_interrupt(ndev, isr);
 	}
 
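Review bot: The comment above the new isr_errors computation is unchanged and gives no reason why only the asserted bits are written to XCAN_ICR_OFFSET. A one-line comment saying that the clear must use bits from the ISR snapshot, so that an interrupt raised after the read stays pending, would keep a later cleanup from going back to the constant mask. Passing isr_errors rather than isr to xcan_err_interrupt() would also make it explicit that the handler sees exactly the bits that were cleared.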



* [PATCH 3.16 281/366] can: xilinx_can: fix device dropping off bus on RX overrun
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (193 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 209/366] n_tty: Fix stall at n_tty_receive_char_special() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 208/366] dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() Ben Hutchings
                   ` (171 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 2574fe54515ed3487405de329e4e9f13d7098c10 upstream.

The xilinx_can driver performs a software reset when an RX overrun is
detected. This causes the device to enter Configuration mode where no
messages are received or transmitted.

The documentation does not mention any need to perform a reset on an RX
overrun, and testing by inducing an RX overflow also indicated that the
device continues to work just fine without a reset.

Remove the software reset.

Tested with the integrated CAN on Zynq-7000 SoC.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -598,7 +598,6 @@ static void xcan_err_interrupt(struct ne
 	if (isr & XCAN_IXR_RXOFLW_MASK) {
 		stats->rx_over_errors++;
 		stats->rx_errors++;
-		priv->write_reg(priv, XCAN_SRR_OFFSET, XCAN_SRR_RESET_MASK);
 		if (skb) {
 			cf->can_id |= CAN_ERR_CRTL;
 			cf->data[1] |= CAN_ERR_CRTL_RX_OVERFLOW;
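Review bot: The XCAN_IXR_RXOFLW_MASK branch loses the write to XCAN_SRR_OFFSET with nothing in the code to say the omission is deliberate. A short comment here, noting that no software reset is needed on RX overflow and that a reset would put the controller into Configuration mode, would record the reasoning from the commit message where the next person editing this branch will see it.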



* [PATCH 3.16 290/366] fscache: Fix reference overput in fscache_attach_object() error handling
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (286 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 106/366] tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 026/366] usb: do not reset if a low-speed or full-speed device timed out Ben Hutchings
                   ` (78 subsequent siblings)
  366 siblings, 0 replies; 380+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kiran Kumar Modukuri, David Howells

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit f29507ce66701084c39aeb1b0ae71690cbff3554 upstream.

When a cookie is allocated that causes fscache_object structs to be
allocated, those objects are initialised with the cookie pointer, but
aren't blessed with a ref on that cookie unless the attachment is
successfully completed in fscache_attach_object().

If attachment fails because the parent object was dying or there was a
collision, fscache_attach_object() returns without incrementing the cookie
counter - but upon failure of this function, the object is released which
then puts the cookie, whether or not a ref was taken on the cookie.

Fix this by taking a ref on the cookie when it is assigned in
fscache_object_init(), even when we're creating a root object.


Analysis from Kiran Kumar:

This bug has been seen in 4.4.0-124-generic #148-Ubuntu kernel

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277

fscache cookie ref count updated incorrectly during fscache object
allocation, resulting in the following Oops.

kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321!
kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639!

[Cause]
Two threads are trying to operate on a cookie and two objects.

(1) One thread tries to unmount the filesystem and in the process goes over a
    huge list of objects, marking them dead and deleting the objects.
    cookie->usage is also decremented in the following path:

      nfs_fscache_release_super_cookie
       -> __fscache_relinquish_cookie
        ->__fscache_cookie_put
        ->BUG_ON(atomic_read(&cookie->usage) <= 0);

(2) A second thread tries to look up an object for reading data in the following
    path:

    fscache_alloc_object
    1) cachefiles_alloc_object
        -> fscache_object_init
           -> assign cookie, but usage not bumped.
    2) fscache_attach_object -> fails in cant_attach_object because the
         cookie's backing object or cookie's->parent object are going away
    3) fscache_put_object
        -> cachefiles_put_object
          ->fscache_object_destroy
            ->fscache_cookie_put
               ->BUG_ON(atomic_read(&cookie->usage) <= 0);

[NOTE from dhowells] It's unclear as to the circumstances in which (2) can
take place, given that thread (1) is in nfs_kill_super(), however a
conflicting NFS mount with slightly different parameters that creates a
different superblock would do it.  A backtrace from Kiran seems to show
that this is a possibility:

    kernel BUG at/build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639!
    ...
    RIP: __fscache_cookie_put+0x3a/0x40 [fscache]
    Call Trace:
     __fscache_relinquish_cookie+0x87/0x120 [fscache]
     nfs_fscache_release_super_cookie+0x2d/0xb0