linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 3.19 000/123] 3.19.3-stable review
@ 2015-03-24 15:45 Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 001/123] sparc: semtimedop() unreachable due to comparison error Greg Kroah-Hartman
                   ` (115 more replies)
  0 siblings, 116 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, satoru.takeuchi,
	shuah.kh, stable

This is the start of the stable review cycle for the 3.19.3 release.
There are 123 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Mar 26 15:43:14 UTC 2015.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.19.3-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 3.19.3-rc1

Nicholas Bellinger <nab@linux-iscsi.org>
    target/pscsi: Fix NULL pointer dereference in get_device_type

Nicholas Bellinger <nab@linux-iscsi.org>
    iscsi-target: Avoid early conn_logout_comp for iser connections

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Fix virtual LUN=0 target_configure_device failure OOPs

Bart Van Assche <bart.vanassche@sandisk.com>
    target: Fix reference leak in target_get_sess_cmd() error path

Vignesh R <vigneshr@ti.com>
    ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx

Vignesh R <vigneshr@ti.com>
    ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx

Ravikumar Kattekola <rk@ti.com>
    ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others

Alexandre Belloni <alexandre.belloni@free-electrons.com>
    ARM: at91: pm: fix at91rm9200 standby

Peter Chen <peter.chen@freescale.com>
    ARM: imx6qdl-sabresd: set swbst_reg as vbus's parent reg

Krzysztof Kozlowski <k.kozlowski@samsung.com>
    ARM: EXYNOS: Don't use LDREX and STREX after disabling cache coherency

Rafał Miłecki <zajec5@gmail.com>
    b43: fix support for 5 GHz only BCM43228 model

Peter Chen <peter.chen@freescale.com>
    ARM: imx6sl-evk: set swbst_reg as vbus's parent reg

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables: fix addition/deletion of elements from commit/abort

Patrick McHardy <kaber@trash.net>
    netfilter: nf_tables: fix transaction race condition

Eric Dumazet <edumazet@google.com>
    netfilter: xt_socket: fix a stack corruption bug

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_compat: fix module refcount underflow

Alexey Andriyanov <alan@al-an.info>
    ipvs: fix inability to remove a mixed-family RS

Julian Anastasov <ja@ssi.bg>
    ipvs: add missing ip_vs_pe_put in sync code

Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
    powerpc/iommu: Remove IOMMU device references via bus notifier

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/smp: Wait until secondaries are active & online

Daniel J Blueman <daniel@numascale.com>
    x86/apic/numachip: Fix sibling map with NumaChip

Andy Lutomirski <luto@amacapital.net>
    x86/asm/entry/32: Fix user_mode() misuses

Jiri Slaby <jslaby@suse.cz>
    x86/vdso: Fix the build on GCC5

Paolo Bonzini <pbonzini@redhat.com>
    kvm: move advertising of KVM_CAP_IRQFD to common code

Oleg Nesterov <oleg@redhat.com>
    x86/fpu: Drop_fpu() should not assume that tsk equals current

Oleg Nesterov <oleg@redhat.com>
    x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig()

Stephan Mueller <smueller@chronox.de>
    crypto: aesni - fix memory usage in GCM decryption

Ard Biesheuvel <ard.biesheuvel@linaro.org>
    crypto: arm/aes update NEON AES module to latest OpenSSL version

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    pagemap: do not leak physical addresses to non-privileged userspace

Maxime Ripard <maxime.ripard@free-electrons.com>
    irqchip: armada-370-xp: Fix chained per-cpu interrupts

Sasha Levin <sasha.levin@oracle.com>
    PCI: Don't read past the end of sysfs "driver_override" buffer

James Bottomley <JBottomley@Parallels.com>
    libsas: Fix Kernel Crash in smp_execute_task

Al Viro <viro@zeniv.linux.org.uk>
    gadgetfs: use-after-free in ->aio_read()

Brian Norris <computersforpeace@gmail.com>
    of: handle both '/' and ':' in path strings

Leif Lindholm <leif.lindholm@linaro.org>
    of: fix handling of '/' in options for of_find_node_by_path()

Jan Beulich <JBeulich@suse.com>
    xen-pciback: limit guest control of command register

Juergen Gross <jgross@suse.com>
    x86/xen: correct bug in p2m list initialization

Juergen Gross <jgross@suse.com>
    xen/events: avoid NULL pointer dereference in dom0 on large machines

Javier Martinez Canillas <javier.martinez@collabora.co.uk>
    drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data

Imre Deak <imre.deak@intel.com>
    drm/i915: gen4: work around hang during hibernation

Imre Deak <imre.deak@intel.com>
    drm/i915: add dev_to_i915 helper

Chris Wilson <chris@chris-wilson.co.uk>
    drm: Don't assign fbs for universal cursor support to files

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Fix a couple of lock dependency violations

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Reorder device takedown somewhat

Jakub Kicinski <kubakici@wp.pl>
    Revert "i2c: core: Dispose OF IRQ mapping at client removal time"

Danesh Petigara <dpetigara@broadcom.com>
    mm: cma: fix CMA aligned offset calculation

Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    nilfs2: fix deadlock of segment constructor during recovery

Doug Anderson <dianders@chromium.org>
    regulator: core: Fix enable GPIO reference counting

Javier Martinez Canillas <javier.martinez@collabora.co.uk>
    regulator: Only enable disabled regulators on resume

Doug Anderson <dianders@chromium.org>
    regulator: rk808: Set the enable time for LDOs

Fugang Duan <b38611@freescale.com>
    net: fec: fix rcv is not last issue when do suspend/resume test

Brian King <brking@linux.vnet.ibm.com>
    bnx2x: Force fundamental reset for EEH recovery

Maxime Ripard <maxime.ripard@free-electrons.com>
    mtd: nand: pxa3xx: Fix PIO FIFO draining

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Treat stereo-to-mono mix properly

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix regression of HD-audio controller fallback modes

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Set single_adc_amp flag for CS420x codecs

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Don't access stereo amps for mono channel widgets

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix built-in mic on Compaq Presario CQ60

Takashi Iwai <tiwai@suse.de>
    ALSA: control: Add sanity checks for user ctl id name string

Daniel Mack <daniel@zonque.org>
    ALSA: snd-usb: add quirks for Roland UA-22

Alexander Sverdlin <alexander.sverdlin@nokia.com>
    spi: pl022: Fix race in giveback() leading to driver lock-up

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    spi: dw-mid: avoid potential NULL dereference

Torsten Fleischer <torfl6749@gmail.com>
    spi: atmel: Fix interrupt setup for PDC transfers

Sebastian Ott <sebott@linux.vnet.ibm.com>
    s390/pci: fix possible information leak in mmio syscall

Christophe Ricard <christophe.ricard@gmail.com>
    tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO

jmlatten@linux.vnet.ibm.com <jmlatten@linux.vnet.ibm.com>
    tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send

Jason Low <jason.low2@hp.com>
    cpuset: Fix cpuset sched_relax_domain_level

Zefan Li <lizefan@huawei.com>
    cpuset: fix a warning when clearing configured masks in old hierarchy

Zefan Li <lizefan@huawei.com>
    cpuset: initialize effective masks when clone_children is enabled

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    seq_buf: Fix seq_buf_bprintf() truncation

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    seq_buf: Fix seq_buf_vprintf() truncation

Tejun Heo <tj@kernel.org>
    workqueue: fix hang involving racing cancel[_delayed]_work_sync()'s for PREEMPT_NONE

Ahmed S. Darwish <ahmed.darwish@valeo.com>
    can: kvaser_usb: Read all messages in a bulk-in URB buffer

Oliver Hartkopp <socketcan@hartkopp.net>
    can: add missing initialisations in CAN related skbuffs

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled

Pratyush Anand <panand@redhat.com>
    ftrace: Fix en(dis)able graph caller when en(dis)abling record via sysctl

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    ftrace: Clear REGS_EN and TRAMP_EN flags on disabling record via sysctl

Russell King <rmk+kernel@arm.linux.org.uk>
    Change email address for 8250_pci

Michael S. Tsirkin <mst@redhat.com>
    virtio_console: avoid config access from irq

Michael S. Tsirkin <mst@redhat.com>
    virtio_console: init work unconditionally

Peter Hurley <peter@hurleysoftware.com>
    console: Fix console name size mismatch

Peter Hurley <peter@hurleysoftware.com>
    serial: 8250_dw: Fix deadlock in LCR workaround

Peter Hurley <peter@hurleysoftware.com>
    serial: core: Fix iotype userspace breakage

Miklos Szeredi <mszeredi@suse.cz>
    fuse: notify: don't move pages

Miklos Szeredi <mszeredi@suse.cz>
    fuse: set stolen page uptodate

JeHyeon Yeon <tom.yeon@windriver.com>
    LZ4 : fix the data abort issue

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: drop ttm two ended allocation

Ben Goz <ben.goz@amd.com>
    drm/radeon: Changing number of compute pipe lines

Maarten Lankhorst <maarten.lankhorst@ubuntu.com>
    drm/radeon: fix wait to actually occur after the signaling callback

Christian König <christian.koenig@amd.com>
    drm/radeon: drop setting UPLL to sleep mode

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: fix interlaced modes on DCE8

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: do a posting read in rs600_set_irq

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: do a posting read in si_set_irq

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: do a posting read in cik_set_irq

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: do a posting read in r600_set_irq

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: do a posting read in r100_set_irq

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: do a posting read in evergreen_set_irq

Tommi Rantala <tt.rantala@gmail.com>
    drm/radeon: fix DRM_IOCTL_RADEON_CS oops

Catalin Marinas <catalin.marinas@arm.com>
    arm64: Invalidate the TLB corresponding to intermediate page table levels

Suzuki K. Poulose <suzuki.poulose@arm.com>
    arm64: Honor __GFP_ZERO in dma allocations

Al Viro <viro@ZenIV.linux.org.uk>
    net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

Catalin Marinas <catalin.marinas@arm.com>
    net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour

Josh Hunt <johunt@akamai.com>
    tcp: fix tcp fin memory accounting

Steven Barth <cyrus@openwrt.org>
    ipv6: fix backtracking for throw routes

Sabrina Dubroca <sd@queasysnail.net>
    ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment

Ondrej Zary <linux@rainbow-software.org>
    Revert "net: cx82310_eth: use common match macro"

Eran Ben Elisha <eranbe@mellanox.com>
    net/mlx4_en: Fix off-by-one in ethtool statistics display

Al Viro <viro@ZenIV.linux.org.uk>
    rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg()

Al Viro <viro@ZenIV.linux.org.uk>
    caif: fix MSG_OOB test in caif_seqpkt_recvmsg()

Eric Dumazet <edumazet@google.com>
    inet_diag: fix possible overflow in inet_diag_dump_one_icsk()

Jason Wang <jasowang@redhat.com>
    virtio-net: correctly delete napi hash

Arnd Bergmann <arnd@arndb.de>
    rds: avoid potential stack overflow

Alexey Kodanev <alexey.kodanev@oracle.com>
    net: sysctl_net_core: check SNDBUF and RCVBUF for min length

Neal Cardwell <ncardwell@google.com>
    tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance

Neal Cardwell <ncardwell@google.com>
    tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w

Nimrod Andy <B38611@freescale.com>
    net: fec: fix receive VLAN CTAG HW acceleration issue

WANG Cong <xiyou.wangcong@gmail.com>
    net_sched: fix struct tc_u_hnode layout in u32

David S. Miller <davem@davemloft.net>
    sparc64: Fix several bugs in memmove().

David Ahern <david.ahern@oracle.com>
    sparc: Touch NMI watchdog when walking cpus and calling printk

David Ahern <david.ahern@oracle.com>
    sparc: perf: Make counting mode actually work

David Ahern <david.ahern@oracle.com>
    sparc: perf: Remove redundant perf_pmu_{en|dis}able calls

Rob Gardner <rob.gardner@oracle.com>
    sparc: semtimedop() unreachable due to comparison error


-------------

Diffstat:

 Makefile                                         |  4 +-
 arch/arm/boot/dts/am33xx-clocks.dtsi             |  6 +-
 arch/arm/boot/dts/am43xx-clocks.dtsi             | 12 ++--
 arch/arm/boot/dts/dra7xx-clocks.dtsi             | 90 +++++++++++++++++++++---
 arch/arm/boot/dts/imx6qdl-sabresd.dtsi           |  2 +
 arch/arm/boot/dts/imx6sl-evk.dts                 |  2 +
 arch/arm/crypto/aesbs-core.S_shipped             | 12 ++--
 arch/arm/crypto/bsaes-armv7.pl                   | 12 ++--
 arch/arm/mach-at91/pm.h                          |  2 +-
 arch/arm/mach-exynos/platsmp.c                   |  3 +-
 arch/arm64/include/asm/tlb.h                     |  3 +
 arch/arm64/include/asm/tlbflush.h                | 13 ++++
 arch/arm64/mm/dma-mapping.c                      | 12 +++-
 arch/powerpc/include/asm/iommu.h                 |  6 ++
 arch/powerpc/kernel/iommu.c                      | 26 +++++++
 arch/powerpc/kernel/smp.c                        |  4 +-
 arch/powerpc/platforms/powernv/pci.c             | 26 -------
 arch/powerpc/platforms/pseries/iommu.c           |  2 +
 arch/s390/kvm/kvm-s390.c                         |  1 -
 arch/s390/pci/pci_mmio.c                         | 17 +++--
 arch/sparc/kernel/perf_event.c                   | 15 +---
 arch/sparc/kernel/process_64.c                   |  4 ++
 arch/sparc/kernel/sys_sparc_64.c                 |  2 +-
 arch/sparc/lib/memmove.S                         | 35 ++++++++-
 arch/x86/crypto/aesni-intel_glue.c               |  4 +-
 arch/x86/include/asm/fpu-internal.h              |  2 +-
 arch/x86/kernel/apic/apic_numachip.c             | 22 ++++--
 arch/x86/kernel/traps.c                          |  4 +-
 arch/x86/kernel/xsave.c                          |  7 +-
 arch/x86/kvm/x86.c                               |  1 -
 arch/x86/vdso/vdso32/sigreturn.S                 |  1 +
 arch/x86/xen/p2m.c                               |  2 +-
 drivers/char/tpm/tpm_i2c_stm_st33.c              | 10 +--
 drivers/char/tpm/tpm_ibmvtpm.c                   | 10 +--
 drivers/char/tpm/tpm_ibmvtpm.h                   |  6 +-
 drivers/char/virtio_console.c                    | 19 ++++-
 drivers/gpu/drm/drm_crtc.c                       | 35 ++++-----
 drivers/gpu/drm/i915/i915_drv.c                  | 39 +++++++---
 drivers/gpu/drm/i915/i915_drv.h                  |  5 ++
 drivers/gpu/drm/radeon/atombios_crtc.c           |  3 +
 drivers/gpu/drm/radeon/cik.c                     |  3 +
 drivers/gpu/drm/radeon/evergreen.c               |  3 +
 drivers/gpu/drm/radeon/r100.c                    |  4 ++
 drivers/gpu/drm/radeon/r600.c                    |  3 +
 drivers/gpu/drm/radeon/radeon_cs.c               |  4 +-
 drivers/gpu/drm/radeon/radeon_fence.c            | 68 ++++++++++++------
 drivers/gpu/drm/radeon/radeon_kfd.c              |  2 +-
 drivers/gpu/drm/radeon/radeon_object.c           | 11 ---
 drivers/gpu/drm/radeon/rs600.c                   |  4 ++
 drivers/gpu/drm/radeon/si.c                      |  9 +--
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c              | 77 ++++++++++----------
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c          |  8 +--
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c              | 14 +---
 drivers/i2c/i2c-core.c                           |  3 -
 drivers/irqchip/irq-armada-370-xp.c              | 21 +++++-
 drivers/mtd/nand/pxa3xx_nand.c                   | 48 +++++++++++--
 drivers/net/can/dev.c                            |  8 +++
 drivers/net/can/usb/kvaser_usb.c                 | 28 ++++++--
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |  3 +
 drivers/net/ethernet/freescale/fec_main.c        |  5 +-
 drivers/net/ethernet/mellanox/mlx4/mlx4_en.h     |  2 +-
 drivers/net/usb/cx82310_eth.c                    | 11 ++-
 drivers/net/virtio_net.c                         |  9 ++-
 drivers/net/wireless/b43/main.c                  |  1 +
 drivers/of/base.c                                | 18 ++---
 drivers/pci/pci-sysfs.c                          |  5 +-
 drivers/regulator/core.c                         | 34 ++++-----
 drivers/regulator/rk808-regulator.c              |  8 +++
 drivers/rtc/rtc-s3c.c                            |  1 +
 drivers/scsi/libsas/sas_discover.c               |  6 +-
 drivers/spi/spi-atmel.c                          | 12 ++--
 drivers/spi/spi-dw-mid.c                         |  6 ++
 drivers/spi/spi-pl022.c                          |  2 +-
 drivers/target/iscsi/iscsi_target.c              | 14 ++--
 drivers/target/target_core_device.c              |  4 +-
 drivers/target/target_core_pscsi.c               |  2 +-
 drivers/target/target_core_transport.c           |  4 ++
 drivers/tty/serial/8250/8250_dw.c                | 15 +++-
 drivers/tty/serial/8250/8250_pci.c               |  2 +-
 drivers/usb/gadget/legacy/inode.c                | 15 +++-
 drivers/xen/events/events_base.c                 | 18 +++--
 drivers/xen/xen-pciback/conf_space.c             |  2 +-
 drivers/xen/xen-pciback/conf_space.h             |  2 +
 drivers/xen/xen-pciback/conf_space_header.c      | 61 ++++++++++++----
 fs/fuse/dev.c                                    |  7 +-
 fs/nilfs2/segment.c                              |  7 +-
 fs/proc/task_mmu.c                               |  3 +
 include/linux/serial_core.h                      |  6 +-
 include/linux/workqueue.h                        |  3 +-
 kernel/cpuset.c                                  |  9 ++-
 kernel/printk/console_cmdline.h                  |  2 +-
 kernel/printk/printk.c                           |  1 +
 kernel/trace/ftrace.c                            | 40 ++++++++---
 kernel/workqueue.c                               | 56 +++++++++++++--
 lib/lz4/lz4_decompress.c                         |  3 +
 lib/seq_buf.c                                    |  4 +-
 mm/cma.c                                         | 12 ++--
 net/caif/caif_socket.c                           |  2 +-
 net/can/af_can.c                                 |  3 +
 net/compat.c                                     |  7 ++
 net/core/sysctl_net_core.c                       | 10 +--
 net/ipv4/inet_diag.c                             | 18 ++++-
 net/ipv4/tcp_cong.c                              |  6 ++
 net/ipv4/tcp_cubic.c                             |  6 +-
 net/ipv4/tcp_output.c                            |  6 +-
 net/ipv6/fib6_rules.c                            |  1 +
 net/ipv6/udp_offload.c                           |  8 +--
 net/netfilter/ipvs/ip_vs_ctl.c                   |  2 +-
 net/netfilter/ipvs/ip_vs_sync.c                  |  3 +
 net/netfilter/nf_tables_api.c                    | 23 +++---
 net/netfilter/nft_compat.c                       | 12 +++-
 net/netfilter/xt_socket.c                        | 21 +++---
 net/rds/iw_rdma.c                                | 40 ++++++-----
 net/rxrpc/ar-recvmsg.c                           |  2 +-
 net/sched/cls_u32.c                              |  5 +-
 net/socket.c                                     |  4 ++
 sound/core/control.c                             |  4 ++
 sound/pci/hda/hda_controller.c                   |  2 +-
 sound/pci/hda/hda_generic.c                      | 47 ++++++++++---
 sound/pci/hda/hda_proc.c                         | 38 +++++++---
 sound/pci/hda/patch_cirrus.c                     |  2 +
 sound/pci/hda/patch_conexant.c                   | 11 +++
 sound/usb/quirks-table.h                         | 30 ++++++++
 virt/kvm/kvm_main.c                              |  1 +
 124 files changed, 1081 insertions(+), 447 deletions(-)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 001/123] sparc: semtimedop() unreachable due to comparison error
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 002/123] sparc: perf: Remove redundant perf_pmu_{en|dis}able calls Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rob Gardner, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rob Gardner <rob.gardner@oracle.com>

[ Upstream commit 53eb2516972b8c4628651dfcb926cb9ef8b2864a ]

A bug was reported that the semtimedop() system call was always
failing eith ENOSYS.

Since SEMCTL is defined as 3, and SEMTIMEDOP is defined as 4,
the comparison "call <= SEMCTL" will always prevent SEMTIMEDOP
from getting through to the semaphore ops switch statement.

This is corrected by changing the comparison to "call <= SEMTIMEDOP".

Orabug: 20633375

Signed-off-by: Rob Gardner <rob.gardner@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/kernel/sys_sparc_64.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/sparc/kernel/sys_sparc_64.c
+++ b/arch/sparc/kernel/sys_sparc_64.c
@@ -333,7 +333,7 @@ SYSCALL_DEFINE6(sparc_ipc, unsigned int,
 	long err;
 
 	/* No need for backward compatibility. We can start fresh... */
-	if (call <= SEMCTL) {
+	if (call <= SEMTIMEDOP) {
 		switch (call) {
 		case SEMOP:
 			err = sys_semtimedop(first, ptr,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 002/123] sparc: perf: Remove redundant perf_pmu_{en|dis}able calls
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 001/123] sparc: semtimedop() unreachable due to comparison error Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 003/123] sparc: perf: Make counting mode actually work Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ahern, Bob Picco, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <david.ahern@oracle.com>

[ Upstream commit 5b0d4b5514bbcce69b516d0742f2cfc84ebd6db3 ]

perf_pmu_disable is called by core perf code before pmu->del and the
enable function is called by core perf code afterwards. No need to
call again within sparc_pmu_del.

Ditto for pmu->add and sparc_pmu_add.

Signed-off-by: David Ahern <david.ahern@oracle.com>
Acked-by: Bob Picco <bob.picco@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/kernel/perf_event.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/arch/sparc/kernel/perf_event.c
+++ b/arch/sparc/kernel/perf_event.c
@@ -1101,7 +1101,6 @@ static void sparc_pmu_del(struct perf_ev
 	int i;
 
 	local_irq_save(flags);
-	perf_pmu_disable(event->pmu);
 
 	for (i = 0; i < cpuc->n_events; i++) {
 		if (event == cpuc->event[i]) {
@@ -1127,7 +1126,6 @@ static void sparc_pmu_del(struct perf_ev
 		}
 	}
 
-	perf_pmu_enable(event->pmu);
 	local_irq_restore(flags);
 }
 
@@ -1361,7 +1359,6 @@ static int sparc_pmu_add(struct perf_eve
 	unsigned long flags;
 
 	local_irq_save(flags);
-	perf_pmu_disable(event->pmu);
 
 	n0 = cpuc->n_events;
 	if (n0 >= sparc_pmu->max_hw_events)
@@ -1394,7 +1391,6 @@ nocheck:
 
 	ret = 0;
 out:
-	perf_pmu_enable(event->pmu);
 	local_irq_restore(flags);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 003/123] sparc: perf: Make counting mode actually work
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 001/123] sparc: semtimedop() unreachable due to comparison error Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 002/123] sparc: perf: Remove redundant perf_pmu_{en|dis}able calls Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 004/123] sparc: Touch NMI watchdog when walking cpus and calling printk Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ahern, Bob Picco, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <david.ahern@oracle.com>

[ Upstream commit d51291cb8f32bfae6b331e1838651f3ddefa73a5 ]

Currently perf-stat (aka, counting mode) does not work:

$ perf stat ls
...
 Performance counter stats for 'ls':

          1.585665      task-clock (msec)         #    0.580 CPUs utilized
                24      context-switches          #    0.015 M/sec
                 0      cpu-migrations            #    0.000 K/sec
                86      page-faults               #    0.054 M/sec
   <not supported>      cycles
   <not supported>      stalled-cycles-frontend
   <not supported>      stalled-cycles-backend
   <not supported>      instructions
   <not supported>      branches
   <not supported>      branch-misses

       0.002735100 seconds time elapsed

The reason is that state is never reset (stays with PERF_HES_UPTODATE set).
Add a call to sparc_pmu_enable_event during the added_event handling.
Clean up the encoding since pmu_start calls sparc_pmu_enable_event which
does the same. Passing PERF_EF_RELOAD to sparc_pmu_start means the call
to sparc_perf_event_set_period can be removed as well.

With this patch:

$ perf stat ls
...
 Performance counter stats for 'ls':

          1.552890      task-clock (msec)         #    0.552 CPUs utilized
                24      context-switches          #    0.015 M/sec
                 0      cpu-migrations            #    0.000 K/sec
                86      page-faults               #    0.055 M/sec
         5,748,997      cycles                    #    3.702 GHz
   <not supported>      stalled-cycles-frontend:HG
   <not supported>      stalled-cycles-backend:HG
         1,684,362      instructions:HG           #    0.29  insns per cycle
           295,133      branches:HG               #  190.054 M/sec
            28,007      branch-misses:HG          #    9.49% of all branches

       0.002815665 seconds time elapsed

Signed-off-by: David Ahern <david.ahern@oracle.com>
Acked-by: Bob Picco <bob.picco@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/kernel/perf_event.c |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/arch/sparc/kernel/perf_event.c
+++ b/arch/sparc/kernel/perf_event.c
@@ -960,6 +960,8 @@ out:
 	cpuc->pcr[0] |= cpuc->event[0]->hw.config_base;
 }
 
+static void sparc_pmu_start(struct perf_event *event, int flags);
+
 /* On this PMU each PIC has it's own PCR control register.  */
 static void calculate_multiple_pcrs(struct cpu_hw_events *cpuc)
 {
@@ -972,20 +974,13 @@ static void calculate_multiple_pcrs(stru
 		struct perf_event *cp = cpuc->event[i];
 		struct hw_perf_event *hwc = &cp->hw;
 		int idx = hwc->idx;
-		u64 enc;
 
 		if (cpuc->current_idx[i] != PIC_NO_INDEX)
 			continue;
 
-		sparc_perf_event_set_period(cp, hwc, idx);
 		cpuc->current_idx[i] = idx;
 
-		enc = perf_event_get_enc(cpuc->events[i]);
-		cpuc->pcr[idx] &= ~mask_for_index(idx);
-		if (hwc->state & PERF_HES_STOPPED)
-			cpuc->pcr[idx] |= nop_for_index(idx);
-		else
-			cpuc->pcr[idx] |= event_encoding(enc, idx);
+		sparc_pmu_start(cp, PERF_EF_RELOAD);
 	}
 out:
 	for (i = 0; i < cpuc->n_events; i++) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 004/123] sparc: Touch NMI watchdog when walking cpus and calling printk
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 003/123] sparc: perf: Make counting mode actually work Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 005/123] sparc64: Fix several bugs in memmove() Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Ahern, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <david.ahern@oracle.com>

[ Upstream commit 31aaa98c248da766ece922bbbe8cc78cfd0bc920 ]

With the increase in number of CPUs calls to functions that dump
output to console (e.g., arch_trigger_all_cpu_backtrace) can take
a long time to complete. If IRQs are disabled eventually the NMI
watchdog kicks in and creates more havoc. Avoid by telling the NMI
watchdog everything is ok.

Signed-off-by: David Ahern <david.ahern@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/kernel/process_64.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/sparc/kernel/process_64.c
+++ b/arch/sparc/kernel/process_64.c
@@ -287,6 +287,8 @@ void arch_trigger_all_cpu_backtrace(bool
 			printk("             TPC[%lx] O7[%lx] I7[%lx] RPC[%lx]\n",
 			       gp->tpc, gp->o7, gp->i7, gp->rpc);
 		}
+
+		touch_nmi_watchdog();
 	}
 
 	memset(global_cpu_snapshot, 0, sizeof(global_cpu_snapshot));
@@ -362,6 +364,8 @@ static void pmu_snapshot_all_cpus(void)
 		       (cpu == this_cpu ? '*' : ' '), cpu,
 		       pp->pcr[0], pp->pcr[1], pp->pcr[2], pp->pcr[3],
 		       pp->pic[0], pp->pic[1], pp->pic[2], pp->pic[3]);
+
+		touch_nmi_watchdog();
 	}
 
 	memset(global_cpu_snapshot, 0, sizeof(global_cpu_snapshot));



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 005/123] sparc64: Fix several bugs in memmove().
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 004/123] sparc: Touch NMI watchdog when walking cpus and calling printk Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 006/123] net_sched: fix struct tc_u_hnode layout in u32 Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ahern, Bob Picco, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <davem@davemloft.net>

[ Upstream commit 2077cef4d5c29cf886192ec32066f783d6a80db8 ]

Firstly, handle zero length calls properly.  Believe it or not there
are a few of these happening during early boot.

Next, we can't just drop to a memcpy() call in the forward copy case
where dst <= src.  The reason is that the cache initializing stores
used in the Niagara memcpy() implementations can end up clearing out
cache lines before we've sourced their original contents completely.

For example, considering NG4memcpy, the main unrolled loop begins like
this:

     load   src + 0x00
     load   src + 0x08
     load   src + 0x10
     load   src + 0x18
     load   src + 0x20
     store  dst + 0x00

Assume dst is 64 byte aligned and let's say that dst is src - 8 for
this memcpy() call.  That store at the end there is the one to the
first line in the cache line, thus clearing the whole line, which thus
clobbers "src + 0x28" before it even gets loaded.

To avoid this, just fall through to a simple copy only mildly
optimized for the case where src and dst are 8 byte aligned and the
length is a multiple of 8 as well.  We could get fancy and call
GENmemcpy() but this is good enough for how this thing is actually
used.

Reported-by: David Ahern <david.ahern@oracle.com>
Reported-by: Bob Picco <bpicco@meloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/lib/memmove.S |   35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

--- a/arch/sparc/lib/memmove.S
+++ b/arch/sparc/lib/memmove.S
@@ -8,9 +8,11 @@
 
 	.text
 ENTRY(memmove) /* o0=dst o1=src o2=len */
-	mov		%o0, %g1
+	brz,pn		%o2, 99f
+	 mov		%o0, %g1
+
 	cmp		%o0, %o1
-	bleu,pt		%xcc, memcpy
+	bleu,pt		%xcc, 2f
 	 add		%o1, %o2, %g7
 	cmp		%g7, %o0
 	bleu,pt		%xcc, memcpy
@@ -24,7 +26,34 @@ ENTRY(memmove) /* o0=dst o1=src o2=len *
 	stb		%g7, [%o0]
 	bne,pt		%icc, 1b
 	 sub		%o0, 1, %o0
-
+99:
 	retl
 	 mov		%g1, %o0
+
+	/* We can't just call memcpy for these memmove cases.  On some
+	 * chips the memcpy uses cache initializing stores and when dst
+	 * and src are close enough, those can clobber the source data
+	 * before we've loaded it in.
+	 */
+2:	or		%o0, %o1, %g7
+	or		%o2, %g7, %g7
+	andcc		%g7, 0x7, %g0
+	bne,pn		%xcc, 4f
+	 nop
+
+3:	ldx		[%o1], %g7
+	add		%o1, 8, %o1
+	subcc		%o2, 8, %o2
+	add		%o0, 8, %o0
+	bne,pt		%icc, 3b
+	 stx		%g7, [%o0 - 0x8]
+	ba,a,pt		%xcc, 99b
+
+4:	ldub		[%o1], %g7
+	add		%o1, 1, %o1
+	subcc		%o2, 1, %o2
+	add		%o0, 1, %o0
+	bne,pt		%icc, 4b
+	 stb		%g7, [%o0 - 0x1]
+	ba,a,pt		%xcc, 99b
 ENDPROC(memmove)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 006/123] net_sched: fix struct tc_u_hnode layout in u32
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 005/123] sparc64: Fix several bugs in memmove() Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 007/123] net: fec: fix receive VLAN CTAG HW acceleration issue Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, John Fastabend,
	Cong Wang, Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit 5778d39d070b4ac5f889928175b7f2d53ae7504e ]

We dynamically allocate divisor+1 entries for ->ht[] in tc_u_hnode:

  ht = kzalloc(sizeof(*ht) + divisor*sizeof(void *), GFP_KERNEL);

So ->ht is supposed to be the last field of this struct, however
this is broken, since an rcu head is appended after it.

Fixes: 1ce87720d456 ("net: sched: make cls_u32 lockless")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/cls_u32.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -78,8 +78,11 @@ struct tc_u_hnode {
 	struct tc_u_common	*tp_c;
 	int			refcnt;
 	unsigned int		divisor;
-	struct tc_u_knode __rcu	*ht[1];
 	struct rcu_head		rcu;
+	/* The 'ht' field MUST be the last field in structure to allow for
+	 * more entries allocated at end of structure.
+	 */
+	struct tc_u_knode __rcu	*ht[1];
 };
 
 struct tc_u_common {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 007/123] net: fec: fix receive VLAN CTAG HW acceleration issue
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 006/123] net_sched: fix struct tc_u_hnode layout in u32 Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 008/123] tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Grzeschik, Fugang Duan,
	David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nimrod Andy <B38611@freescale.com>

[ Upstream commit af5cbc9822f6bbe399925760a4d5ee82c21f258c ]

The current driver support receive VLAN CTAG HW acceleration feature
(NETIF_F_HW_VLAN_CTAG_RX) through software simulation. There calls the
api .skb_copy_to_linear_data_offset() to skip the VLAN tag, but there
have overlap between the two memory data point range. The patch just fix
the issue.

V2:
Michael Grzeschik suggest to use memmove() instead of skb_copy_to_linear_data_offset().

Reported-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Fixes: 1b7bde6d659d ("net: fec: implement rx_copybreak to improve rx performance")
Signed-off-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/freescale/fec_main.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1448,8 +1448,7 @@ fec_enet_rx_queue(struct net_device *nde
 
 			vlan_packet_rcvd = true;
 
-			skb_copy_to_linear_data_offset(skb, VLAN_HLEN,
-						       data, (2 * ETH_ALEN));
+			memmove(skb->data + VLAN_HLEN, data, ETH_ALEN * 2);
 			skb_pull(skb, VLAN_HLEN);
 		}
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 008/123] tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 007/123] net: fec: fix receive VLAN CTAG HW acceleration issue Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 009/123] tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neal Cardwell, Yuchung Cheng,
	Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Neal Cardwell <ncardwell@google.com>

[ Upstream commit 9949afa42be0b76f5832db112ce51bb6b35b2abb ]

The recent change to tcp_cong_avoid_ai() to handle stretch ACKs
introduced a bug where snd_cwnd_cnt could accumulate a very large
value while w was large, and then if w was reduced snd_cwnd could be
incremented by a large delta, leading to a large burst and high packet
loss. This was tickled when CUBIC's bictcp_update() sets "ca->cnt =
100 * cwnd".

This bug crept in while preparing the upstream version of
814d488c6126.

Testing: This patch has been tested in datacenter netperf transfers
and live youtube.com and google.com servers.

Fixes: 814d488c6126 ("tcp: fix the timid additive increase on stretch ACKs")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_cong.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -309,6 +309,12 @@ EXPORT_SYMBOL_GPL(tcp_slow_start);
  */
 void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked)
 {
+	/* If credits accumulated at a higher w, apply them gently now. */
+	if (tp->snd_cwnd_cnt >= w) {
+		tp->snd_cwnd_cnt = 0;
+		tp->snd_cwnd++;
+	}
+
 	tp->snd_cwnd_cnt += acked;
 	if (tp->snd_cwnd_cnt >= w) {
 		u32 delta = tp->snd_cwnd_cnt / w;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 009/123] tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 008/123] tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 010/123] net: sysctl_net_core: check SNDBUF and RCVBUF for min length Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neal Cardwell, Yuchung Cheng,
	Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Neal Cardwell <ncardwell@google.com>

[ Upstream commit d578e18ce93f5d33a7120fd57c453e22a4c0fc37 ]

Commit 814d488c6126 ("tcp: fix the timid additive increase on stretch
ACKs") fixed a bug where tcp_cong_avoid_ai() would either credit a
connection with an increase of snd_cwnd_cnt, or increase snd_cwnd, but
not both, resulting in cwnd increasing by 1 packet on at most every
alternate invocation of tcp_cong_avoid_ai().

Although the commit correctly implemented the CUBIC algorithm, which
can increase cwnd by as much as 1 packet per 1 packet ACKed (2x per
RTT), in practice that could be too aggressive: in tests on network
paths with small buffers, YouTube server retransmission rates nearly
doubled.

This commit restores CUBIC to a maximum cwnd growth rate of 1 packet
per 2 packets ACKed (1.5x per RTT). In YouTube tests this restored
retransmit rates to low levels.

Testing: This patch has been tested in datacenter netperf transfers
and live youtube.com and google.com servers.

Fixes: 9cd981dcf174 ("tcp: fix stretch ACK bugs in CUBIC")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_cubic.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -306,8 +306,10 @@ tcp_friendliness:
 		}
 	}
 
-	if (ca->cnt == 0)			/* cannot be zero */
-		ca->cnt = 1;
+	/* The maximum rate of cwnd increase CUBIC allows is 1 packet per
+	 * 2 packets ACKed, meaning cwnd grows at 1.5x per RTT.
+	 */
+	ca->cnt = max(ca->cnt, 2U);
 }
 
 static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 010/123] net: sysctl_net_core: check SNDBUF and RCVBUF for min length
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 009/123] tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 011/123] rds: avoid potential stack overflow Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexey Kodanev, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <alexey.kodanev@oracle.com>

[ Upstream commit b1cb59cf2efe7971d3d72a7b963d09a512d994c9 ]

sysctl has sysctl.net.core.rmem_*/wmem_* parameters which can be
set to incorrect values. Given that 'struct sk_buff' allocates from
rcvbuf, incorrectly set buffer length could result to memory
allocation failures. For example, set them as follows:

    # sysctl net.core.rmem_default=64
      net.core.wmem_default = 64
    # sysctl net.core.wmem_default=64
      net.core.wmem_default = 64
    # ping localhost -s 1024 -i 0 > /dev/null

This could result to the following failure:

skbuff: skb_over_panic: text:ffffffff81628db4 len:-32 put:-32
head:ffff88003a1cc200 data:ffff88003a1cc200 tail:0xffffffe0 end:0xc0 dev:<NULL>
kernel BUG at net/core/skbuff.c:102!
invalid opcode: 0000 [#1] SMP
...
task: ffff88003b7f5550 ti: ffff88003ae88000 task.ti: ffff88003ae88000
RIP: 0010:[<ffffffff8155fbd1>]  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
RSP: 0018:ffff88003ae8bc68  EFLAGS: 00010296
RAX: 000000000000008d RBX: 00000000ffffffe0 RCX: 0000000000000000
RDX: ffff88003fdcf598 RSI: ffff88003fdcd9c8 RDI: ffff88003fdcd9c8
RBP: ffff88003ae8bc88 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 00000000000002b2 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88003d3f7300 R15: ffff88000012a900
FS:  00007fa0e2b4a840(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000d0f7e0 CR3: 000000003b8fb000 CR4: 00000000000006f0
Stack:
 ffff88003a1cc200 00000000ffffffe0 00000000000000c0 ffffffff818cab1d
 ffff88003ae8bd68 ffffffff81628db4 ffff88003ae8bd48 ffff88003b7f5550
 ffff880031a09408 ffff88003b7f5550 ffff88000012aa48 ffff88000012ab00
Call Trace:
 [<ffffffff81628db4>] unix_stream_sendmsg+0x2c4/0x470
 [<ffffffff81556f56>] sock_write_iter+0x146/0x160
 [<ffffffff811d9612>] new_sync_write+0x92/0xd0
 [<ffffffff811d9cd6>] vfs_write+0xd6/0x180
 [<ffffffff811da499>] SyS_write+0x59/0xd0
 [<ffffffff81651532>] system_call_fastpath+0x12/0x17
Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00
      00 00 48 c7 c7 30 db 91 81 48 89 04 24 31 c0 e8 4f a8 0e 00 <0f> 0b
      eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83
RIP  [<ffffffff8155fbd1>] skb_put+0xa1/0xb0
RSP <ffff88003ae8bc68>
Kernel panic - not syncing: Fatal exception

Moreover, the possible minimum is 1, so we can get another kernel panic:
...
BUG: unable to handle kernel paging request at ffff88013caee5c0
IP: [<ffffffff815604cf>] __alloc_skb+0x12f/0x1f0
...

Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/sysctl_net_core.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -25,6 +25,8 @@
 static int zero = 0;
 static int one = 1;
 static int ushort_max = USHRT_MAX;
+static int min_sndbuf = SOCK_MIN_SNDBUF;
+static int min_rcvbuf = SOCK_MIN_RCVBUF;
 
 static int net_msg_warn;	/* Unused, but still a sysctl */
 
@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[]
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
-		.extra1		= &one,
+		.extra1		= &min_sndbuf,
 	},
 	{
 		.procname	= "rmem_max",
@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[]
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
-		.extra1		= &one,
+		.extra1		= &min_rcvbuf,
 	},
 	{
 		.procname	= "wmem_default",
@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[]
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
-		.extra1		= &one,
+		.extra1		= &min_sndbuf,
 	},
 	{
 		.procname	= "rmem_default",
@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[]
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec_minmax,
-		.extra1		= &one,
+		.extra1		= &min_rcvbuf,
 	},
 	{
 		.procname	= "dev_weight",



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 011/123] rds: avoid potential stack overflow
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 010/123] net: sysctl_net_core: check SNDBUF and RCVBUF for min length Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 012/123] virtio-net: correctly delete napi hash Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Sowmini Varadhan,
	David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit f862e07cf95d5b62a5fc5e981dd7d0dbaf33a501 ]

The rds_iw_update_cm_id function stores a large 'struct rds_sock' object
on the stack in order to pass a pair of addresses. This happens to just
fit withint the 1024 byte stack size warning limit on x86, but just
exceed that limit on ARM, which gives us this warning:

net/rds/iw_rdma.c:200:1: warning: the frame size of 1056 bytes is larger than 1024 bytes [-Wframe-larger-than=]

As the use of this large variable is basically bogus, we can rearrange
the code to not do that. Instead of passing an rds socket into
rds_iw_get_device, we now just pass the two addresses that we have
available in rds_iw_update_cm_id, and we change rds_iw_get_mr accordingly,
to create two address structures on the stack there.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/iw_rdma.c |   40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

--- a/net/rds/iw_rdma.c
+++ b/net/rds/iw_rdma.c
@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg
 			int *unpinned);
 static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr);
 
-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id)
+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst,
+			     struct rds_iw_device **rds_iwdev,
+			     struct rdma_cm_id **cm_id)
 {
 	struct rds_iw_device *iwdev;
 	struct rds_iw_cm_id *i_cm_id;
@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_
 				src_addr->sin_port,
 				dst_addr->sin_addr.s_addr,
 				dst_addr->sin_port,
-				rs->rs_bound_addr,
-				rs->rs_bound_port,
-				rs->rs_conn_addr,
-				rs->rs_conn_port);
+				src->sin_addr.s_addr,
+				src->sin_port,
+				dst->sin_addr.s_addr,
+				dst->sin_port);
 #ifdef WORKING_TUPLE_DETECTION
-			if (src_addr->sin_addr.s_addr == rs->rs_bound_addr &&
-			    src_addr->sin_port == rs->rs_bound_port &&
-			    dst_addr->sin_addr.s_addr == rs->rs_conn_addr &&
-			    dst_addr->sin_port == rs->rs_conn_port) {
+			if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr &&
+			    src_addr->sin_port == src->sin_port &&
+			    dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr &&
+			    dst_addr->sin_port == dst->sin_port) {
 #else
 			/* FIXME - needs to compare the local and remote
 			 * ipaddr/port tuple, but the ipaddr is the only
@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_
 			 * zero'ed.  It doesn't appear to be properly populated
 			 * during connection setup...
 			 */
-			if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) {
+			if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) {
 #endif
 				spin_unlock_irq(&iwdev->spinlock);
 				*rds_iwdev = iwdev;
@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_de
 {
 	struct sockaddr_in *src_addr, *dst_addr;
 	struct rds_iw_device *rds_iwdev_old;
-	struct rds_sock rs;
 	struct rdma_cm_id *pcm_id;
 	int rc;
 
 	src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
 	dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
 
-	rs.rs_bound_addr = src_addr->sin_addr.s_addr;
-	rs.rs_bound_port = src_addr->sin_port;
-	rs.rs_conn_addr = dst_addr->sin_addr.s_addr;
-	rs.rs_conn_port = dst_addr->sin_port;
-
-	rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id);
+	rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id);
 	if (rc)
 		rds_iw_remove_cm_id(rds_iwdev, cm_id);
 
@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *
 	struct rds_iw_device *rds_iwdev;
 	struct rds_iw_mr *ibmr = NULL;
 	struct rdma_cm_id *cm_id;
+	struct sockaddr_in src = {
+		.sin_addr.s_addr = rs->rs_bound_addr,
+		.sin_port = rs->rs_bound_port,
+	};
+	struct sockaddr_in dst = {
+		.sin_addr.s_addr = rs->rs_conn_addr,
+		.sin_port = rs->rs_conn_port,
+	};
 	int ret;
 
-	ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id);
+	ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id);
 	if (ret || !cm_id) {
 		ret = -ENODEV;
 		goto out;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 012/123] virtio-net: correctly delete napi hash
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 011/123] rds: avoid potential stack overflow Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 013/123] inet_diag: fix possible overflow in inet_diag_dump_one_icsk() Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rusty Russell, Michael S. Tsirkin,
	Jason Wang, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Wang <jasowang@redhat.com>

[ Upstream commit ab3971b1e7d72270a2a259a29c1a40351b889740 ]

We don't delete napi from hash list during module exit. This will
cause the following panic when doing module load and unload:

BUG: unable to handle kernel paging request at 0000004e00000075
IP: [<ffffffff816bd01b>] napi_hash_add+0x6b/0xf0
PGD 3c5d5067 PUD 0
Oops: 0000 [#1] SMP
...
Call Trace:
[<ffffffffa0a5bfb7>] init_vqs+0x107/0x490 [virtio_net]
[<ffffffffa0a5c9f2>] virtnet_probe+0x562/0x791815639d880be [virtio_net]
[<ffffffff8139e667>] virtio_dev_probe+0x137/0x200
[<ffffffff814c7f2a>] driver_probe_device+0x7a/0x250
[<ffffffff814c81d3>] __driver_attach+0x93/0xa0
[<ffffffff814c8140>] ? __device_attach+0x40/0x40
[<ffffffff814c6053>] bus_for_each_dev+0x63/0xa0
[<ffffffff814c7a79>] driver_attach+0x19/0x20
[<ffffffff814c76f0>] bus_add_driver+0x170/0x220
[<ffffffffa0a60000>] ? 0xffffffffa0a60000
[<ffffffff814c894f>] driver_register+0x5f/0xf0
[<ffffffff8139e41b>] register_virtio_driver+0x1b/0x30
[<ffffffffa0a60010>] virtio_net_driver_init+0x10/0x12 [virtio_net]

This patch fixes this by doing this in virtnet_free_queues(). And also
don't delete napi in virtnet_freeze() since it will call
virtnet_free_queues() which has already did this.

Fixes 91815639d880 ("virtio-net: rx busy polling support")
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/virtio_net.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -1444,8 +1444,10 @@ static void virtnet_free_queues(struct v
 {
 	int i;
 
-	for (i = 0; i < vi->max_queue_pairs; i++)
+	for (i = 0; i < vi->max_queue_pairs; i++) {
+		napi_hash_del(&vi->rq[i].napi);
 		netif_napi_del(&vi->rq[i].napi);
+	}
 
 	kfree(vi->rq);
 	kfree(vi->sq);
@@ -1936,11 +1938,8 @@ static int virtnet_freeze(struct virtio_
 	cancel_delayed_work_sync(&vi->refill);
 
 	if (netif_running(vi->dev)) {
-		for (i = 0; i < vi->max_queue_pairs; i++) {
+		for (i = 0; i < vi->max_queue_pairs; i++)
 			napi_disable(&vi->rq[i].napi);
-			napi_hash_del(&vi->rq[i].napi);
-			netif_napi_del(&vi->rq[i].napi);
-		}
 	}
 
 	remove_vq_common(vi);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 013/123] inet_diag: fix possible overflow in inet_diag_dump_one_icsk()
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 012/123] virtio-net: correctly delete napi hash Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 014/123] caif: fix MSG_OOB test in caif_seqpkt_recvmsg() Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit c8e2c80d7ec00d020320f905822bf49c5ad85250 ]

inet_diag_dump_one_icsk() allocates too small skb.

Add inet_sk_attr_size() helper right before inet_sk_diag_fill()
so that it can be updated if/when new attributes are added.

iproute2/ss currently does not use this dump_one() interface,
this might explain nobody noticed this problem yet.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/inet_diag.c |   18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_hand
 	mutex_unlock(&inet_diag_table_mutex);
 }
 
+static size_t inet_sk_attr_size(void)
+{
+	return	  nla_total_size(sizeof(struct tcp_info))
+		+ nla_total_size(1) /* INET_DIAG_SHUTDOWN */
+		+ nla_total_size(1) /* INET_DIAG_TOS */
+		+ nla_total_size(1) /* INET_DIAG_TCLASS */
+		+ nla_total_size(sizeof(struct inet_diag_meminfo))
+		+ nla_total_size(sizeof(struct inet_diag_msg))
+		+ nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
+		+ nla_total_size(TCP_CA_NAME_MAX)
+		+ nla_total_size(sizeof(struct tcpvegas_info))
+		+ 64;
+}
+
 int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
 			      struct sk_buff *skb, struct inet_diag_req_v2 *req,
 			      struct user_namespace *user_ns,		      	
@@ -324,9 +338,7 @@ int inet_diag_dump_one_icsk(struct inet_
 	if (err)
 		goto out;
 
-	rep = nlmsg_new(sizeof(struct inet_diag_msg) +
-			sizeof(struct inet_diag_meminfo) +
-			sizeof(struct tcp_info) + 64, GFP_KERNEL);
+	rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL);
 	if (!rep) {
 		err = -ENOMEM;
 		goto out;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 014/123] caif: fix MSG_OOB test in caif_seqpkt_recvmsg()
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 013/123] inet_diag: fix possible overflow in inet_diag_dump_one_icsk() Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 015/123] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

[ Upstream commit 3eeff778e00c956875c70b145c52638c313dfb23 ]

It should be checking flags, not msg->msg_flags.  It's ->sendmsg()
instances that need to look for that in ->msg_flags, ->recvmsg() ones
(including the other ->recvmsg() instance in that file, as well as
unix_dgram_recvmsg() this one claims to be imitating) check in flags.
Braino had been introduced in commit dcda13 ("caif: Bugfix - use MSG_TRUNC
in receive") back in 2010, so it goes quite a while back.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/caif/caif_socket.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -281,7 +281,7 @@ static int caif_seqpkt_recvmsg(struct ki
 	int copylen;
 
 	ret = -EOPNOTSUPP;
-	if (m->msg_flags&MSG_OOB)
+	if (flags & MSG_OOB)
 		goto read_error;
 
 	skb = skb_recv_datagram(sk, flags, 0 , &ret);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 015/123] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg()
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 014/123] caif: fix MSG_OOB test in caif_seqpkt_recvmsg() Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 016/123] net/mlx4_en: Fix off-by-one in ethtool statistics display Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

[ Upstream commit 7d985ed1dca5c90535d67ce92ef6ca520302340a ]

[I would really like an ACK on that one from dhowells; it appears to be
quite straightforward, but...]

MSG_PEEK isn't passed to ->recvmsg() via msg->msg_flags; as the matter of
fact, neither the kernel users of rxrpc, nor the syscalls ever set that bit
in there.  It gets passed via flags; in fact, another such check in the same
function is done correctly - as flags & MSG_PEEK.

It had been that way (effectively disabled) for 8 years, though, so the patch
needs beating up - that case had never been tested.  If it is correct, it's
-stable fodder.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/ar-recvmsg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/rxrpc/ar-recvmsg.c
+++ b/net/rxrpc/ar-recvmsg.c
@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, st
 		if (!skb) {
 			/* nothing remains on the queue */
 			if (copied &&
-			    (msg->msg_flags & MSG_PEEK || timeo == 0))
+			    (flags & MSG_PEEK || timeo == 0))
 				goto out;
 
 			/* wait for a message to turn up */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 016/123] net/mlx4_en: Fix off-by-one in ethtool statistics display
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 015/123] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 017/123] Revert "net: cx82310_eth: use common match macro" Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eran Ben Elisha, Hadar Hen Zion,
	Or Gerlitz, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eran Ben Elisha <eranbe@mellanox.com>

[ Upstream commit a16f3565703cfc3094938fb3c979cbb90f6d9eb4 ]

NUM_PORT_STATS was 9 instead of 10, which caused off-by-one bug when
displaying the statistics starting from tx_chksum_offload in ethtool.

Fixes: f8c6455bb04b ('net/mlx4_en: Extend checksum offloading by CHECKSUM COMPLETE')
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/mlx4_en.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
@@ -451,7 +451,7 @@ struct mlx4_en_port_stats {
 	unsigned long rx_chksum_none;
 	unsigned long rx_chksum_complete;
 	unsigned long tx_chksum_offload;
-#define NUM_PORT_STATS		9
+#define NUM_PORT_STATS		10
 };
 
 struct mlx4_en_perf_stats {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 017/123] Revert "net: cx82310_eth: use common match macro"
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 016/123] net/mlx4_en: Fix off-by-one in ethtool statistics display Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 018/123] ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Zary, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Zary <linux@rainbow-software.org>

[ Upstream commit 8d006e0105978619fb472e150c88b0d49337fe2b ]

This reverts commit 11ad714b98f6d9ca0067568442afe3e70eb94845 because
it breaks cx82310_eth.

The custom USB_DEVICE_CLASS macro matches
bDeviceClass, bDeviceSubClass and bDeviceProtocol
but the common USB_DEVICE_AND_INTERFACE_INFO matches
bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol instead, which are
not specified.

Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/cx82310_eth.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/net/usb/cx82310_eth.c
+++ b/drivers/net/usb/cx82310_eth.c
@@ -300,9 +300,18 @@ static const struct driver_info	cx82310_
 	.tx_fixup	= cx82310_tx_fixup,
 };
 
+#define USB_DEVICE_CLASS(vend, prod, cl, sc, pr) \
+	.match_flags = USB_DEVICE_ID_MATCH_DEVICE | \
+		       USB_DEVICE_ID_MATCH_DEV_INFO, \
+	.idVendor = (vend), \
+	.idProduct = (prod), \
+	.bDeviceClass = (cl), \
+	.bDeviceSubClass = (sc), \
+	.bDeviceProtocol = (pr)
+
 static const struct usb_device_id products[] = {
 	{
-		USB_DEVICE_AND_INTERFACE_INFO(0x0572, 0xcb01, 0xff, 0, 0),
+		USB_DEVICE_CLASS(0x0572, 0xcb01, 0xff, 0, 0),
 		.driver_info = (unsigned long) &cx82310_info
 	},
 	{ },



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 018/123] ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 017/123] Revert "net: cx82310_eth: use common match macro" Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 019/123] ipv6: fix backtracking for throw routes Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladislav Yasevich, Matt Grant,
	Sabrina Dubroca, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 8e199dfd82ee097b522b00344af6448715d8ee0c ]

Matt Grant reported frequent crashes in ipv6_select_ident when
udp6_ufo_fragment is called from openvswitch on a skb that doesn't
have a dst_entry set.

ipv6_proxy_select_ident generates the frag_id without using the dst
associated with the skb.  This approach was suggested by Vladislav
Yasevich.

Fixes: 0508c07f5e0c ("ipv6: Select fragment id during UFO segmentation if not set.")
Cc: Vladislav Yasevich <vyasevic@redhat.com>
Reported-by: Matt Grant <matt@mattgrant.net.nz>
Tested-by: Matt Grant <matt@mattgrant.net.nz>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Vladislav Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/udp_offload.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -112,11 +112,9 @@ static struct sk_buff *udp6_ufo_fragment
 		fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
 		fptr->nexthdr = nexthdr;
 		fptr->reserved = 0;
-		if (skb_shinfo(skb)->ip6_frag_id)
-			fptr->identification = skb_shinfo(skb)->ip6_frag_id;
-		else
-			ipv6_select_ident(fptr,
-					  (struct rt6_info *)skb_dst(skb));
+		if (!skb_shinfo(skb)->ip6_frag_id)
+			ipv6_proxy_select_ident(skb);
+		fptr->identification = skb_shinfo(skb)->ip6_frag_id;
 
 		/* Fragment the skb. ipv6 header and the remaining fields of the
 		 * fragment header are updated in ipv6_gso_segment()



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 019/123] ipv6: fix backtracking for throw routes
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 018/123] ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 020/123] tcp: fix tcp fin memory accounting Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Barth, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Barth <cyrus@openwrt.org>

[ Upstream commit 73ba57bfae4a1914f6a6dac71e3168dd900e00af ]

for throw routes to trigger evaluation of other policy rules
EAGAIN needs to be propagated up to fib_rules_lookup
similar to how its done for IPv4

A simple testcase for verification is:

ip -6 rule add lookup 33333 priority 33333
ip -6 route add throw 2001:db8::1
ip -6 route add 2001:db8::1 via fe80::1 dev wlan0 table 33333
ip route get 2001:db8::1

Signed-off-by: Steven Barth <cyrus@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/fib6_rules.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -104,6 +104,7 @@ static int fib6_rule_action(struct fib_r
 				goto again;
 			flp6->saddr = saddr;
 		}
+		err = rt->dst.error;
 		goto out;
 	}
 again:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 020/123] tcp: fix tcp fin memory accounting
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 019/123] ipv6: fix backtracking for throw routes Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 021/123] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Hunt <johunt@akamai.com>

[ Upstream commit d22e1537181188e5dc8cbc51451832625035bdc2 ]

tcp_send_fin() does not account for the memory it allocates properly, so
sk_forward_alloc can be negative in cases where we've sent a FIN:

ss example output (ss -amn | grep -B1 f4294):
tcp    FIN-WAIT-1 0      1            192.168.0.1:45520         192.0.2.1:8080
	skmem:(r0,rb87380,t0,tb87380,f4294966016,w1280,o0,bl0)
Acked-by: Eric Dumazet <edumazet@google.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_output.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2775,15 +2775,11 @@ void tcp_send_fin(struct sock *sk)
 	} else {
 		/* Socket is locked, keep trying until memory is available. */
 		for (;;) {
-			skb = alloc_skb_fclone(MAX_TCP_HEADER,
-					       sk->sk_allocation);
+			skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
 			if (skb)
 				break;
 			yield();
 		}
-
-		/* Reserve space for headers and prepare control bits. */
-		skb_reserve(skb, MAX_TCP_HEADER);
 		/* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */
 		tcp_init_nondata_skb(skb, tp->write_seq,
 				     TCPHDR_ACK | TCPHDR_FIN);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 021/123] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 020/123] tcp: fix tcp fin memory accounting Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 022/123] net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David S. Miller, Dan Carpenter,
	Catalin Marinas

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

[ Upstream commit 91edd096e224941131f896b86838b1e59553696a ]

Commit db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an
error) introduced the clamping of msg_namelen when the unsigned value
was larger than sizeof(struct sockaddr_storage). This caused a
msg_namelen of -1 to be valid. The native code was subsequently fixed by
commit dbb490b96584 (net: socket: error on a negative msg_namelen).

In addition, the native code sets msg_namelen to 0 when msg_name is
NULL. This was done in commit (6a2a2b3ae075 net:socket: set msg_namelen
to 0 if msg_name is passed as NULL in msghdr struct from userland) and
subsequently updated by 08adb7dabd48 (fold verify_iovec() into
copy_msghdr_from_user()).

This patch brings the get_compat_msghdr() in line with
copy_msghdr_from_user().

Fixes: db31c55a6fb2 (net: clamp ->msg_namelen instead of returning an error)
Cc: David S. Miller <davem@davemloft.net>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/compat.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/compat.c
+++ b/net/compat.c
@@ -49,6 +49,13 @@ ssize_t get_compat_msghdr(struct msghdr
 	    __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
 	    __get_user(kmsg->msg_flags, &umsg->msg_flags))
 		return -EFAULT;
+
+	if (!uaddr)
+		kmsg->msg_namelen = 0;
+
+	if (kmsg->msg_namelen < 0)
+		return -EINVAL;
+
 	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
 		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
 	kmsg->msg_control = compat_ptr(tmp3);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 022/123] net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 021/123] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 023/123] arm64: Honor __GFP_ZERO in dma allocations Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 4de930efc23b92ddf88ce91c405ee645fe6e27ea upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/socket.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -1765,6 +1765,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __
 
 	if (len > INT_MAX)
 		len = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_READ, buff, len)))
+		return -EFAULT;
 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
 	if (!sock)
 		goto out;
@@ -1823,6 +1825,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
 
 	if (size > INT_MAX)
 		size = INT_MAX;
+	if (unlikely(!access_ok(VERIFY_WRITE, ubuf, size)))
+		return -EFAULT;
 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
 	if (!sock)
 		goto out;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 023/123] arm64: Honor __GFP_ZERO in dma allocations
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 022/123] net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 024/123] arm64: Invalidate the TLB corresponding to intermediate page table levels Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Will Deacon, Suzuki K. Poulose,
	Catalin Marinas

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Suzuki K. Poulose" <suzuki.poulose@arm.com>

commit 7132813c384515c9dede1ae20e56f3895feb7f1e upstream.

Current implementation doesn't zero out the pages allocated.
Honor the __GFP_ZERO flag and zero out if set.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/mm/dma-mapping.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/arm64/mm/dma-mapping.c
+++ b/arch/arm64/mm/dma-mapping.c
@@ -51,7 +51,7 @@ static int __init early_coherent_pool(ch
 }
 early_param("coherent_pool", early_coherent_pool);
 
-static void *__alloc_from_pool(size_t size, struct page **ret_page)
+static void *__alloc_from_pool(size_t size, struct page **ret_page, gfp_t flags)
 {
 	unsigned long val;
 	void *ptr = NULL;
@@ -67,6 +67,8 @@ static void *__alloc_from_pool(size_t si
 
 		*ret_page = phys_to_page(phys);
 		ptr = (void *)val;
+		if (flags & __GFP_ZERO)
+			memset(ptr, 0, size);
 	}
 
 	return ptr;
@@ -101,6 +103,7 @@ static void *__dma_alloc_coherent(struct
 		flags |= GFP_DMA;
 	if (IS_ENABLED(CONFIG_DMA_CMA) && (flags & __GFP_WAIT)) {
 		struct page *page;
+		void *addr;
 
 		size = PAGE_ALIGN(size);
 		page = dma_alloc_from_contiguous(dev, size >> PAGE_SHIFT,
@@ -109,7 +112,10 @@ static void *__dma_alloc_coherent(struct
 			return NULL;
 
 		*dma_handle = phys_to_dma(dev, page_to_phys(page));
-		return page_address(page);
+		addr = page_address(page);
+		if (flags & __GFP_ZERO)
+			memset(addr, 0, size);
+		return addr;
 	} else {
 		return swiotlb_alloc_coherent(dev, size, dma_handle, flags);
 	}
@@ -145,7 +151,7 @@ static void *__dma_alloc_noncoherent(str
 
 	if (!(flags & __GFP_WAIT)) {
 		struct page *page = NULL;
-		void *addr = __alloc_from_pool(size, &page);
+		void *addr = __alloc_from_pool(size, &page, flags);
 
 		if (addr)
 			*dma_handle = phys_to_dma(dev, page_to_phys(page));



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 024/123] arm64: Invalidate the TLB corresponding to intermediate page table levels
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 023/123] arm64: Honor __GFP_ZERO in dma allocations Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 026/123] drm/radeon: do a posting read in evergreen_set_irq Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Masters, Steve Capper, Catalin Marinas

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

commit 285994a62c80f1d72c6924282bcb59608098d5ec upstream.

The ARM architecture allows the caching of intermediate page table
levels and page table freeing requires a sequence like:

	pmd_clear()
	TLB invalidation
	pte page freeing

With commit 5e5f6dc10546 (arm64: mm: enable HAVE_RCU_TABLE_FREE logic),
the page table freeing batching was moved from tlb_remove_page() to
tlb_remove_table(). The former takes care of TLB invalidation as this is
also shared with pte clearing and page cache page freeing. The latter,
however, does not invalidate the TLBs for intermediate page table levels
as it probably relies on the architecture code to do it if required.
When the mm->mm_users < 2, tlb_remove_table() does not do any batching
and page table pages are freed before tlb_finish_mmu() which performs
the actual TLB invalidation.

This patch introduces __tlb_flush_pgtable() for arm64 and calls it from
the {pte,pmd,pud}_free_tlb() directly without relying on deferred page
table freeing.

Fixes: 5e5f6dc10546 arm64: mm: enable HAVE_RCU_TABLE_FREE logic
Reported-by: Jon Masters <jcm@redhat.com>
Tested-by: Jon Masters <jcm@redhat.com>
Tested-by: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/tlb.h      |    3 +++
 arch/arm64/include/asm/tlbflush.h |   13 +++++++++++++
 2 files changed, 16 insertions(+)

--- a/arch/arm64/include/asm/tlb.h
+++ b/arch/arm64/include/asm/tlb.h
@@ -48,6 +48,7 @@ static inline void tlb_flush(struct mmu_
 static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t pte,
 				  unsigned long addr)
 {
+	__flush_tlb_pgtable(tlb->mm, addr);
 	pgtable_page_dtor(pte);
 	tlb_remove_entry(tlb, pte);
 }
@@ -56,6 +57,7 @@ static inline void __pte_free_tlb(struct
 static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmdp,
 				  unsigned long addr)
 {
+	__flush_tlb_pgtable(tlb->mm, addr);
 	tlb_remove_entry(tlb, virt_to_page(pmdp));
 }
 #endif
@@ -64,6 +66,7 @@ static inline void __pmd_free_tlb(struct
 static inline void __pud_free_tlb(struct mmu_gather *tlb, pud_t *pudp,
 				  unsigned long addr)
 {
+	__flush_tlb_pgtable(tlb->mm, addr);
 	tlb_remove_entry(tlb, virt_to_page(pudp));
 }
 #endif
--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -149,6 +149,19 @@ static inline void flush_tlb_kernel_rang
 }
 
 /*
+ * Used to invalidate the TLB (walk caches) corresponding to intermediate page
+ * table levels (pgd/pud/pmd).
+ */
+static inline void __flush_tlb_pgtable(struct mm_struct *mm,
+				       unsigned long uaddr)
+{
+	unsigned long addr = uaddr >> 12 | ((unsigned long)ASID(mm) << 48);
+
+	dsb(ishst);
+	asm("tlbi	vae1is, %0" : : "r" (addr));
+	dsb(ish);
+}
+/*
  * On AArch64, the cache coherency is handled via the set_pte_at() function.
  */
 static inline void update_mmu_cache(struct vm_area_struct *vma,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 026/123] drm/radeon: do a posting read in evergreen_set_irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 024/123] arm64: Invalidate the TLB corresponding to intermediate page table levels Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 027/123] drm/radeon: do a posting read in r100_set_irq Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit c320bb5f6dc0cb88a811cbaf839303e0a3916a92 upstream.

To make sure the writes go through the pci bridge.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=90741

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/evergreen.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -4589,6 +4589,9 @@ int evergreen_irq_set(struct radeon_devi
 	WREG32(AFMT_AUDIO_PACKET_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET, afmt5);
 	WREG32(AFMT_AUDIO_PACKET_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET, afmt6);
 
+	/* posting read */
+	RREG32(SRBM_STATUS);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 027/123] drm/radeon: do a posting read in r100_set_irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 026/123] drm/radeon: do a posting read in evergreen_set_irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 028/123] drm/radeon: do a posting read in r600_set_irq Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit f957063fee6392bb9365370db6db74dc0b2dce0a upstream.

To make sure the writes go through the pci bridge.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=90741

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/r100.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -728,6 +728,10 @@ int r100_irq_set(struct radeon_device *r
 		tmp |= RADEON_FP2_DETECT_MASK;
 	}
 	WREG32(RADEON_GEN_INT_CNTL, tmp);
+
+	/* read back to post the write */
+	RREG32(RADEON_GEN_INT_CNTL);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 028/123] drm/radeon: do a posting read in r600_set_irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 027/123] drm/radeon: do a posting read in r100_set_irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 029/123] drm/radeon: do a posting read in cik_set_irq Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 9d1393f23d5656cdd5f368efd60694d4aeed81d3 upstream.

To make sure the writes go through the pci bridge.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=90741

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/r600.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -3783,6 +3783,9 @@ int r600_irq_set(struct radeon_device *r
 		WREG32(RV770_CG_THERMAL_INT, thermal_int);
 	}
 
+	/* posting read */
+	RREG32(R_000E50_SRBM_STATUS);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 029/123] drm/radeon: do a posting read in cik_set_irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 028/123] drm/radeon: do a posting read in r600_set_irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 030/123] drm/radeon: do a posting read in si_set_irq Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit cffefd9bb31cd35ab745d3b49005d10616d25bdc upstream.

To make sure the writes go through the pci bridge.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=90741

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/cik.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -7526,6 +7526,9 @@ int cik_irq_set(struct radeon_device *rd
 	WREG32(DC_HPD5_INT_CONTROL, hpd5);
 	WREG32(DC_HPD6_INT_CONTROL, hpd6);
 
+	/* posting read */
+	RREG32(SRBM_STATUS);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 030/123] drm/radeon: do a posting read in si_set_irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 029/123] drm/radeon: do a posting read in cik_set_irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 031/123] drm/radeon: do a posting read in rs600_set_irq Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 0586915ec10d0ae60de5cd3381ad25a704760402 upstream.

To make sure the writes go through the pci bridge.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=90741

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/si.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -6198,6 +6198,9 @@ int si_irq_set(struct radeon_device *rde
 
 	WREG32(CG_THERMAL_INT, thermal_int);
 
+	/* posting read */
+	RREG32(SRBM_STATUS);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 031/123] drm/radeon: do a posting read in rs600_set_irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 030/123] drm/radeon: do a posting read in si_set_irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 032/123] drm/radeon: fix interlaced modes on DCE8 Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 54acf107e4e66d1f4a697e08a7f60dba9fcf07c3 upstream.

To make sure the writes go through the pci bridge.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=90741

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/rs600.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/radeon/rs600.c
+++ b/drivers/gpu/drm/radeon/rs600.c
@@ -693,6 +693,10 @@ int rs600_irq_set(struct radeon_device *
 	WREG32(R_007D18_DC_HOT_PLUG_DETECT2_INT_CONTROL, hpd2);
 	if (ASIC_IS_DCE2(rdev))
 		WREG32(R_007408_HDMI0_AUDIO_PACKET_CONTROL, hdmi0);
+
+	/* posting read */
+	RREG32(R_000040_GEN_INT_CNTL);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 032/123] drm/radeon: fix interlaced modes on DCE8
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 031/123] drm/radeon: do a posting read in rs600_set_irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 035/123] drm/radeon: Changing number of compute pipe lines Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 77ae5f4b48a0445426c9c1ef7c0f28b717e35d55 upstream.

Need to double the viewport height.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/atombios_crtc.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/radeon/atombios_crtc.c
+++ b/drivers/gpu/drm/radeon/atombios_crtc.c
@@ -1405,6 +1405,9 @@ static int dce4_crtc_do_set_base(struct
 	       (x << 16) | y);
 	viewport_w = crtc->mode.hdisplay;
 	viewport_h = (crtc->mode.vdisplay + 1) & ~1;
+	if ((rdev->family >= CHIP_BONAIRE) &&
+	    (crtc->mode.flags & DRM_MODE_FLAG_INTERLACE))
+		viewport_h *= 2;
 	WREG32(EVERGREEN_VIEWPORT_SIZE + radeon_crtc->crtc_offset,
 	       (viewport_w << 16) | viewport_h);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 035/123] drm/radeon: Changing number of compute pipe lines
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 032/123] drm/radeon: fix interlaced modes on DCE8 Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 037/123] LZ4 : fix the data abort issue Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Goz, Oded Gabbay

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Goz <ben.goz@amd.com>

commit e405ca3a1bf166f741506c07c2a277b5d48af8f7 upstream.

The current CP firmware can handle Usermode Queues only on MEC1.
To reflect this firmware change, this commit reduces number of compute pipelines
to 4 - 1, from 8 - 1 (the first pipeline is allocated for kgd).

Signed-off-by: Ben Goz <ben.goz@amd.com>
Signed-off-by: Oded Gabbay <oded.gabbay@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_kfd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/radeon_kfd.c
+++ b/drivers/gpu/drm/radeon/radeon_kfd.c
@@ -152,7 +152,7 @@ void radeon_kfd_device_init(struct radeo
 			.compute_vmid_bitmap = 0xFF00,
 
 			.first_compute_pipe = 1,
-			.compute_pipe_count = 8 - 1,
+			.compute_pipe_count = 4 - 1,
 		};
 
 		radeon_doorbell_get_kfd_info(rdev,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 037/123] LZ4 : fix the data abort issue
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 035/123] drm/radeon: Changing number of compute pipe lines Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 038/123] fuse: set stolen page uptodate Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, JeHyeon Yeon, David Sterba

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: JeHyeon Yeon <tom.yeon@windriver.com>

commit d5e7cafd69da24e6d6cc988fab6ea313a2577efc upstream.

If the part of the compression data are corrupted, or the compression
data is totally fake, the memory access over the limit is possible.

This is the log from my system usning lz4 decompression.
   [6502]data abort, halting
   [6503]r0  0x00000000 r1  0x00000000 r2  0xdcea0ffc r3  0xdcea0ffc
   [6509]r4  0xb9ab0bfd r5  0xdcea0ffc r6  0xdcea0ff8 r7  0xdce80000
   [6515]r8  0x00000000 r9  0x00000000 r10 0x00000000 r11 0xb9a98000
   [6522]r12 0xdcea1000 usp 0x00000000 ulr 0x00000000 pc  0x820149bc
   [6528]spsr 0x400001f3
and the memory addresses of some variables at the moment are
    ref:0xdcea0ffc, op:0xdcea0ffc, oend:0xdcea1000

As you can see, COPYLENGH is 8bytes, so @ref and @op can access the momory
over @oend.

Signed-off-by: JeHyeon Yeon <tom.yeon@windriver.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/lz4/lz4_decompress.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -139,6 +139,9 @@ static int lz4_uncompress(const char *so
 			/* Error: request to write beyond destination buffer */
 			if (cpy > oend)
 				goto _output_error;
+			if ((ref + COPYLENGTH) > oend ||
+					(op + COPYLENGTH) > oend)
+				goto _output_error;
 			LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH));
 			while (op < cpy)
 				*op++ = *ref++;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 038/123] fuse: set stolen page uptodate
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 037/123] LZ4 : fix the data abort issue Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 039/123] fuse: notify: dont move pages Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@suse.cz>

commit aa991b3b267e24f578bac7b09cc57579b660304b upstream.

Regular pipe buffers' ->steal method (generic_pipe_buf_steal()) doesn't set
PG_uptodate.

Don't warn on this condition, just set the uptodate flag.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -890,8 +890,8 @@ static int fuse_try_move_page(struct fus
 
 	newpage = buf->page;
 
-	if (WARN_ON(!PageUptodate(newpage)))
-		return -EIO;
+	if (!PageUptodate(newpage))
+		SetPageUptodate(newpage);
 
 	ClearPageMappedToDisk(newpage);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 039/123] fuse: notify: dont move pages
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 038/123] fuse: set stolen page uptodate Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 040/123] serial: core: Fix iotype userspace breakage Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Miklos Szeredi

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@suse.cz>

commit 0d2783626a53d4c922f82d51fa675cb5d13f0d36 upstream.

fuse_try_move_page() is not prepared for replacing pages that have already
been read.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1797,6 +1797,9 @@ copy_finish:
 static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
 		       unsigned int size, struct fuse_copy_state *cs)
 {
+	/* Don't try to move pages (yet) */
+	cs->move_pages = 0;
+
 	switch (code) {
 	case FUSE_NOTIFY_POLL:
 		return fuse_notify_poll(fc, size, cs);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 040/123] serial: core: Fix iotype userspace breakage
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 039/123] fuse: notify: dont move pages Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 041/123] serial: 8250_dw: Fix deadlock in LCR workaround Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kevin Cernekee, Peter Hurley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 2bb785169e9709d41220e5c18b0270883a82f85c upstream.

commit 3ffb1a8193bea ("serial: core: Add big-endian iotype")
re-numbered userspace-dependent values; ioctl(TIOCSSERIAL) can
assign the port iotype (which is expected to match the selected
i/o accessors), so iotype values must not be changed.

Cc: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Reviewed-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/serial_core.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/include/linux/serial_core.h
+++ b/include/linux/serial_core.h
@@ -146,9 +146,9 @@ struct uart_port {
 #define UPIO_HUB6		(1)			/* Hub6 ISA card */
 #define UPIO_MEM		(2)			/* 8b MMIO access */
 #define UPIO_MEM32		(3)			/* 32b little endian */
-#define UPIO_MEM32BE		(4)			/* 32b big endian */
-#define UPIO_AU			(5)			/* Au1x00 and RT288x type IO */
-#define UPIO_TSI		(6)			/* Tsi108/109 type IO */
+#define UPIO_AU			(4)			/* Au1x00 and RT288x type IO */
+#define UPIO_TSI		(5)			/* Tsi108/109 type IO */
+#define UPIO_MEM32BE		(6)			/* 32b big endian */
 
 	unsigned int		read_status_mask;	/* driver specific */
 	unsigned int		ignore_status_mask;	/* driver specific */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 041/123] serial: 8250_dw: Fix deadlock in LCR workaround
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 040/123] serial: core: Fix iotype userspace breakage Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 042/123] console: Fix console name size mismatch Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tim Kryger, Zhang Zhen, Peter Hurley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 7fd6f640f2dd17dac6ddd6702c378cb0bb9cfa11 upstream.

Trying to write console output from within the serial console driver
while the port->lock is held causes recursive deadlock:

  CPU 0
spin_lock_irqsave(&port->lock)
printk()
  console_unlock()
    call_console_drivers()
      serial8250_console_write()
        spin_lock_irqsave(&port->lock)
** DEADLOCK **

The 8250_dw i/o accessors try to write a console error message if the
LCR workaround was unsuccessful. When the port->lock is already held
(eg., when called from serial8250_set_termios()), this deadlocks.

Make the error message a FIXME until a general solution is devised.

Cc: Tim Kryger <tim.kryger@gmail.com>
Reported-by: Zhang Zhen <zhenzhang.zhang@huawei.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_dw.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/tty/serial/8250/8250_dw.c
+++ b/drivers/tty/serial/8250/8250_dw.c
@@ -111,7 +111,10 @@ static void dw8250_serial_out(struct uar
 			dw8250_force_idle(p);
 			writeb(value, p->membase + (UART_LCR << p->regshift));
 		}
-		dev_err(p->dev, "Couldn't set LCR to %d\n", value);
+		/*
+		 * FIXME: this deadlocks if port->lock is already held
+		 * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
+		 */
 	}
 }
 
@@ -155,7 +158,10 @@ static void dw8250_serial_outq(struct ua
 			__raw_writeq(value & 0xff,
 				     p->membase + (UART_LCR << p->regshift));
 		}
-		dev_err(p->dev, "Couldn't set LCR to %d\n", value);
+		/*
+		 * FIXME: this deadlocks if port->lock is already held
+		 * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
+		 */
 	}
 }
 #endif /* CONFIG_64BIT */
@@ -179,7 +185,10 @@ static void dw8250_serial_out32(struct u
 			dw8250_force_idle(p);
 			writel(value, p->membase + (UART_LCR << p->regshift));
 		}
-		dev_err(p->dev, "Couldn't set LCR to %d\n", value);
+		/*
+		 * FIXME: this deadlocks if port->lock is already held
+		 * dev_err(p->dev, "Couldn't set LCR to %d\n", value);
+		 */
 	}
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 042/123] console: Fix console name size mismatch
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 041/123] serial: 8250_dw: Fix deadlock in LCR workaround Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 043/123] virtio_console: init work unconditionally Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Hurley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 30a22c215a0007603ffc08021f2e8b64018517dd upstream.

commit 6ae9200f2cab7 ("enlarge console.name") increased the storage
for the console name to 16 bytes, but not the corresponding
struct console_cmdline::name storage. Console names longer than
8 bytes cause read beyond end-of-string and failure to match
console; I'm not sure if there are other unexpected consequences.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/printk/console_cmdline.h |    2 +-
 kernel/printk/printk.c          |    1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/printk/console_cmdline.h
+++ b/kernel/printk/console_cmdline.h
@@ -3,7 +3,7 @@
 
 struct console_cmdline
 {
-	char	name[8];			/* Name of the driver	    */
+	char	name[16];			/* Name of the driver	    */
 	int	index;				/* Minor dev. to use	    */
 	char	*options;			/* Options for the driver   */
 #ifdef CONFIG_A11Y_BRAILLE_CONSOLE
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -2464,6 +2464,7 @@ void register_console(struct console *ne
 	for (i = 0, c = console_cmdline;
 	     i < MAX_CMDLINECONSOLES && c->name[0];
 	     i++, c++) {
+		BUILD_BUG_ON(sizeof(c->name) != sizeof(newcon->name));
 		if (strcmp(c->name, newcon->name) != 0)
 			continue;
 		if (newcon->index >= 0 &&



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 043/123] virtio_console: init work unconditionally
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 042/123] console: Fix console name size mismatch Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 044/123] virtio_console: avoid config access from irq Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael S. Tsirkin, Amit Shah, Rusty Russell

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Michael S. Tsirkin" <mst@redhat.com>

commit 4f6e24ed9de8634d6471ef86b382cba6d4e57ca8 upstream.

when multiport is off, we don't initialize config work,
but we then cancel uninitialized control_work on freeze.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/virtio_console.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -2031,12 +2031,13 @@ static int virtcons_probe(struct virtio_
 
 	virtio_device_ready(portdev->vdev);
 
+	INIT_WORK(&portdev->control_work, &control_work_handler);
+
 	if (multiport) {
 		unsigned int nr_added_bufs;
 
 		spin_lock_init(&portdev->c_ivq_lock);
 		spin_lock_init(&portdev->c_ovq_lock);
-		INIT_WORK(&portdev->control_work, &control_work_handler);
 
 		nr_added_bufs = fill_queue(portdev->c_ivq,
 					   &portdev->c_ivq_lock);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 044/123] virtio_console: avoid config access from irq
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 043/123] virtio_console: init work unconditionally Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 045/123] Change email address for 8250_pci Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael S. Tsirkin, Amit Shah, Rusty Russell

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Michael S. Tsirkin" <mst@redhat.com>

commit eeb8a7e8bb123e84daeef84f5a2eab99ad2839a2 upstream.

when multiport is off, virtio console invokes config access from irq
context, config access is blocking on s390.
Fix this up by scheduling work from config irq - similar to what we do
for multiport configs.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/virtio_console.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -142,6 +142,7 @@ struct ports_device {
 	 * notification
 	 */
 	struct work_struct control_work;
+	struct work_struct config_work;
 
 	struct list_head ports;
 
@@ -1837,10 +1838,21 @@ static void config_intr(struct virtio_de
 
 	portdev = vdev->priv;
 
+	if (!use_multiport(portdev))
+		schedule_work(&portdev->config_work);
+}
+
+static void config_work_handler(struct work_struct *work)
+{
+	struct ports_device *portdev;
+
+	portdev = container_of(work, struct ports_device, control_work);
 	if (!use_multiport(portdev)) {
+		struct virtio_device *vdev;
 		struct port *port;
 		u16 rows, cols;
 
+		vdev = portdev->vdev;
 		virtio_cread(vdev, struct virtio_console_config, cols, &cols);
 		virtio_cread(vdev, struct virtio_console_config, rows, &rows);
 
@@ -2031,6 +2043,7 @@ static int virtcons_probe(struct virtio_
 
 	virtio_device_ready(portdev->vdev);
 
+	INIT_WORK(&portdev->config_work, &config_work_handler);
 	INIT_WORK(&portdev->control_work, &control_work_handler);
 
 	if (multiport) {
@@ -2105,6 +2118,8 @@ static void virtcons_remove(struct virti
 	/* Finish up work that's lined up */
 	if (use_multiport(portdev))
 		cancel_work_sync(&portdev->control_work);
+	else
+		cancel_work_sync(&portdev->config_work);
 
 	list_for_each_entry_safe(port, port2, &portdev->ports, list)
 		unplug_port(port);
@@ -2156,6 +2171,7 @@ static int virtcons_freeze(struct virtio
 
 	virtqueue_disable_cb(portdev->c_ivq);
 	cancel_work_sync(&portdev->control_work);
+	cancel_work_sync(&portdev->config_work);
 	/*
 	 * Once more: if control_work_handler() was running, it would
 	 * enable the cb as the last step.



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 045/123] Change email address for 8250_pci
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 044/123] virtio_console: avoid config access from irq Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 046/123] ftrace: Clear REGS_EN and TRAMP_EN flags on disabling record via sysctl Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit f2e0ea861117bda073d1d7ffbd3120c07c0d5d34 upstream.

I'm still receiving reports to my email address, so let's point this
at the linux-serial mailing list instead.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_pci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -69,7 +69,7 @@ static void moan_device(const char *str,
 	       "Please send the output of lspci -vv, this\n"
 	       "message (0x%04x,0x%04x,0x%04x,0x%04x), the\n"
 	       "manufacturer and name of serial board or\n"
-	       "modem board to rmk+serial@arm.linux.org.uk.\n",
+	       "modem board to <linux-serial@vger.kernel.org>.\n",
 	       pci_name(dev), str, dev->vendor, dev->device,
 	       dev->subsystem_vendor, dev->subsystem_device);
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 046/123] ftrace: Clear REGS_EN and TRAMP_EN flags on disabling record via sysctl
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 045/123] Change email address for 8250_pci Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 047/123] ftrace: Fix en(dis)able graph caller when en(dis)abling " Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pratyush Anand, Steven Rostedt

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit b24d443b8f17d9776f5fc1f6c780a0a21eb02913 upstream.

When /proc/sys/kernel/ftrace_enabled is set to zero, all function
tracing is disabled. But the records that represent the functions
still hold information about the ftrace_ops that are hooked to them.

ftrace_ops may request "REGS" (have a full set of pt_regs passed to
the callback), or "TRAMP" (the ops has its own trampoline to use).
When the record is updated to represent the state of the ops hooked
to it, it sets "REGS_EN" and/or "TRAMP_EN" to state that the callback
points to the correct trampoline (REGS has its own trampoline).

When ftrace_enabled is set to zero, all ftrace locations are a nop,
so they do not point to any trampoline. But the _EN flags are still
set. This can cause the accounting to go wrong when ftrace_enabled
is cleared and an ops that has a trampoline is registered or unregistered.

For example, the following will cause ftrace to crash:

 # echo function_graph > /sys/kernel/debug/tracing/current_tracer
 # echo 0 > /proc/sys/kernel/ftrace_enabled
 # echo nop > /sys/kernel/debug/tracing/current_tracer
 # echo 1 > /proc/sys/kernel/ftrace_enabled
 # echo function_graph > /sys/kernel/debug/tracing/current_tracer

As function_graph uses a trampoline, when ftrace_enabled is set to zero
the updates to the record are not done. When enabling function_graph
again, the record will still have the TRAMP_EN flag set, and it will
look for an op that has a trampoline other than the function_graph
ops, and fail to find one.

Reported-by: Pratyush Anand <panand@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/ftrace.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -2041,8 +2041,12 @@ static int ftrace_check_record(struct dy
 		if (!ftrace_rec_count(rec))
 			rec->flags = 0;
 		else
-			/* Just disable the record (keep REGS state) */
-			rec->flags &= ~FTRACE_FL_ENABLED;
+			/*
+			 * Just disable the record, but keep the ops TRAMP
+			 * and REGS states. The _EN flags must be disabled though.
+			 */
+			rec->flags &= ~(FTRACE_FL_ENABLED | FTRACE_FL_TRAMP_EN |
+					FTRACE_FL_REGS_EN);
 	}
 
 	return FTRACE_UPDATE_MAKE_NOP;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 047/123] ftrace: Fix en(dis)able graph caller when en(dis)abling record via sysctl
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 046/123] ftrace: Clear REGS_EN and TRAMP_EN flags on disabling record via sysctl Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 048/123] ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pratyush Anand, Steven Rostedt

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pratyush Anand <panand@redhat.com>

commit 1619dc3f8f555ee1cdd3c75db3885d5715442b12 upstream.

When ftrace is enabled globally through the proc interface, we must check if
ftrace_graph_active is set. If it is set, then we should also pass the
FTRACE_START_FUNC_RET command to ftrace_run_update_code(). Similarly, when
ftrace is disabled globally through the proc interface, we must check if
ftrace_graph_active is set. If it is set, then we should also pass the
FTRACE_STOP_FUNC_RET command to ftrace_run_update_code().

Consider the following situation.

 # echo 0 > /proc/sys/kernel/ftrace_enabled

After this ftrace_enabled = 0.

 # echo function_graph > /sys/kernel/debug/tracing/current_tracer

Since ftrace_enabled = 0, ftrace_enable_ftrace_graph_caller() is never
called.

 # echo 1 > /proc/sys/kernel/ftrace_enabled

Now ftrace_enabled will be set to true, but still
ftrace_enable_ftrace_graph_caller() will not be called, which is not
desired.

Further if we execute the following after this:
  # echo nop > /sys/kernel/debug/tracing/current_tracer

Now since ftrace_enabled is set it will call
ftrace_disable_ftrace_graph_caller(), which causes a kernel warning on
the ARM platform.

On the ARM platform, when ftrace_enable_ftrace_graph_caller() is called,
it checks whether the old instruction is a nop or not. If it's not a nop,
then it returns an error. If it is a nop then it replaces instruction at
that address with a branch to ftrace_graph_caller.
ftrace_disable_ftrace_graph_caller() behaves just the opposite. Therefore,
if generic ftrace code ever calls either ftrace_enable_ftrace_graph_caller()
or ftrace_disable_ftrace_graph_caller() consecutively two times in a row,
then it will return an error, which will cause the generic ftrace code to
raise a warning.

Note, x86 does not have an issue with this because the architecture
specific code for ftrace_enable_ftrace_graph_caller() and
ftrace_disable_ftrace_graph_caller() does not check the previous state,
and calling either of these functions twice in a row has no ill effect.

Link: http://lkml.kernel.org/r/e4fbe64cdac0dd0e86a3bf914b0f83c0b419f146.1425666454.git.panand@redhat.com

Signed-off-by: Pratyush Anand <panand@redhat.com>
[
  removed extra if (ftrace_start_up) and defined ftrace_graph_active as 0
  if CONFIG_FUNCTION_GRAPH_TRACER is not set.
]
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/ftrace.c |   28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1059,6 +1059,12 @@ static __init void ftrace_profile_debugf
 
 static struct pid * const ftrace_swapper_pid = &init_struct_pid;
 
+#ifdef CONFIG_FUNCTION_GRAPH_TRACER
+static int ftrace_graph_active;
+#else
+# define ftrace_graph_active 0
+#endif
+
 #ifdef CONFIG_DYNAMIC_FTRACE
 
 static struct ftrace_ops *removed_ops;
@@ -2692,24 +2698,36 @@ static int ftrace_shutdown(struct ftrace
 
 static void ftrace_startup_sysctl(void)
 {
+	int command;
+
 	if (unlikely(ftrace_disabled))
 		return;
 
 	/* Force update next time */
 	saved_ftrace_func = NULL;
 	/* ftrace_start_up is true if we want ftrace running */
-	if (ftrace_start_up)
-		ftrace_run_update_code(FTRACE_UPDATE_CALLS);
+	if (ftrace_start_up) {
+		command = FTRACE_UPDATE_CALLS;
+		if (ftrace_graph_active)
+			command |= FTRACE_START_FUNC_RET;
+		ftrace_run_update_code(command);
+	}
 }
 
 static void ftrace_shutdown_sysctl(void)
 {
+	int command;
+
 	if (unlikely(ftrace_disabled))
 		return;
 
 	/* ftrace_start_up is true if ftrace is running */
-	if (ftrace_start_up)
-		ftrace_run_update_code(FTRACE_DISABLE_CALLS);
+	if (ftrace_start_up) {
+		command = FTRACE_DISABLE_CALLS;
+		if (ftrace_graph_active)
+			command |= FTRACE_STOP_FUNC_RET;
+		ftrace_run_update_code(command);
+	}
 }
 
 static cycle_t		ftrace_update_time;
@@ -5594,8 +5612,6 @@ static struct ftrace_ops graph_ops = {
 	ASSIGN_OPS_HASH(graph_ops, &global_ops.local_hash)
 };
 
-static int ftrace_graph_active;
-
 int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
 {
 	return 0;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 048/123] ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 047/123] ftrace: Fix en(dis)able graph caller when en(dis)abling " Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 049/123] can: add missing initialisations in CAN related skbuffs Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 524a38682573b2e15ab6317ccfe50280441514be upstream.

Some archs (specifically PowerPC), are sensitive with the ordering of
the enabling of the calls to function tracing and setting of the
function to use to be traced.

That is, update_ftrace_function() sets what function the ftrace_caller
trampoline should call. Some archs require this to be set before
calling ftrace_run_update_code().

Another bug was discovered, that ftrace_startup_sysctl() called
ftrace_run_update_code() directly. If the function the ftrace_caller
trampoline changes, then it will not be updated. Instead a call
to ftrace_startup_enable() should be called because it tests to see
if the callback changed since the code was disabled, and will
tell the arch to update appropriately. Most archs do not need this
notification, but PowerPC does.

The problem could be seen by the following commands:

 # echo 0 > /proc/sys/kernel/ftrace_enabled
 # echo function > /sys/kernel/debug/tracing/current_tracer
 # echo 1 > /proc/sys/kernel/ftrace_enabled
 # cat /sys/kernel/debug/tracing/trace

The trace will show that function tracing was not active.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/ftrace.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -2710,7 +2710,7 @@ static void ftrace_startup_sysctl(void)
 		command = FTRACE_UPDATE_CALLS;
 		if (ftrace_graph_active)
 			command |= FTRACE_START_FUNC_RET;
-		ftrace_run_update_code(command);
+		ftrace_startup_enable(command);
 	}
 }
 
@@ -5580,12 +5580,12 @@ ftrace_enable_sysctl(struct ctl_table *t
 
 	if (ftrace_enabled) {
 
-		ftrace_startup_sysctl();
-
 		/* we are starting ftrace again */
 		if (ftrace_ops_list != &ftrace_list_end)
 			update_ftrace_function();
 
+		ftrace_startup_sysctl();
+
 	} else {
 		/* stopping ftrace calls (just send to ftrace_stub) */
 		ftrace_trace_function = ftrace_stub;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 049/123] can: add missing initialisations in CAN related skbuffs
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 048/123] ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:45 ` [PATCH 3.19 050/123] can: kvaser_usb: Read all messages in a bulk-in URB buffer Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Austin Schuh, Daniel Steer,
	Oliver Hartkopp, Marc Kleine-Budde

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit 969439016d2cf61fef53a973d7e6d2061c3793b1 upstream.

When accessing CAN network interfaces with AF_PACKET sockets e.g. by dhclient
this can lead to a skb_under_panic due to missing skb initialisations.

Add the missing initialisations at the CAN skbuff creation times on driver
level (rx path) and in the network layer (tx path).

Reported-by: Austin Schuh <austin@peloton-tech.com>
Reported-by: Daniel Steer <daniel.steer@mclaren.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/dev.c |    8 ++++++++
 net/can/af_can.c      |    3 +++
 2 files changed, 11 insertions(+)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -578,6 +578,10 @@ struct sk_buff *alloc_can_skb(struct net
 	skb->pkt_type = PACKET_BROADCAST;
 	skb->ip_summed = CHECKSUM_UNNECESSARY;
 
+	skb_reset_mac_header(skb);
+	skb_reset_network_header(skb);
+	skb_reset_transport_header(skb);
+
 	can_skb_reserve(skb);
 	can_skb_prv(skb)->ifindex = dev->ifindex;
 
@@ -602,6 +606,10 @@ struct sk_buff *alloc_canfd_skb(struct n
 	skb->pkt_type = PACKET_BROADCAST;
 	skb->ip_summed = CHECKSUM_UNNECESSARY;
 
+	skb_reset_mac_header(skb);
+	skb_reset_network_header(skb);
+	skb_reset_transport_header(skb);
+
 	can_skb_reserve(skb);
 	can_skb_prv(skb)->ifindex = dev->ifindex;
 
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -259,6 +259,9 @@ int can_send(struct sk_buff *skb, int lo
 		goto inval_skb;
 	}
 
+	skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+	skb_reset_mac_header(skb);
 	skb_reset_network_header(skb);
 	skb_reset_transport_header(skb);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 050/123] can: kvaser_usb: Read all messages in a bulk-in URB buffer
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 049/123] can: add missing initialisations in CAN related skbuffs Greg Kroah-Hartman
@ 2015-03-24 15:45 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 051/123] workqueue: fix hang involving racing cancel[_delayed]_work_sync()s for PREEMPT_NONE Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ahmed S. Darwish, Marc Kleine-Budde

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Ahmed S. Darwish" <ahmed.darwish@valeo.com>

commit 2fec5104f9c61de4cf2205aa355101e19a81f490 upstream.

The Kvaser firmware can only read and write messages that are
not crossing the USB endpoint's wMaxPacketSize boundary. While
receiving commands from the CAN device, if the next command in
the same URB buffer crossed that max packet size boundary, the
firmware puts a zero-length placeholder command in its place
then moves the real command to the next boundary mark.

The driver did not recognize such behavior, leading to missing
a good number of rx events during a heavy rx load session.

Moreover, a tx URB context only gets freed upon receiving its
respective tx ACK event. Over time, the free tx URB contexts
pool gets depleted due to the missing ACK events. Consequently,
the netif transmission queue gets __permanently__ stopped; no
frames could be sent again except after restarting the CAN
newtwork interface.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |   28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -12,6 +12,7 @@
  * Copyright (C) 2012 Olivier Sobrie <olivier@sobrie.be>
  */
 
+#include <linux/kernel.h>
 #include <linux/completion.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
@@ -403,8 +404,15 @@ static int kvaser_usb_wait_msg(const str
 		while (pos <= actual_len - MSG_HEADER_LEN) {
 			tmp = buf + pos;
 
-			if (!tmp->len)
-				break;
+			/* Handle messages crossing the USB endpoint max packet
+			 * size boundary. Check kvaser_usb_read_bulk_callback()
+			 * for further details.
+			 */
+			if (tmp->len == 0) {
+				pos = round_up(pos,
+					       dev->bulk_in->wMaxPacketSize);
+				continue;
+			}
 
 			if (pos + tmp->len > actual_len) {
 				dev_err(dev->udev->dev.parent,
@@ -980,8 +988,19 @@ static void kvaser_usb_read_bulk_callbac
 	while (pos <= urb->actual_length - MSG_HEADER_LEN) {
 		msg = urb->transfer_buffer + pos;
 
-		if (!msg->len)
-			break;
+		/* The Kvaser firmware can only read and write messages that
+		 * does not cross the USB's endpoint wMaxPacketSize boundary.
+		 * If a follow-up command crosses such boundary, firmware puts
+		 * a placeholder zero-length command in its place then aligns
+		 * the real command to the next max packet size.
+		 *
+		 * Handle such cases or we're going to miss a significant
+		 * number of events in case of a heavy rx load on the bus.
+		 */
+		if (msg->len == 0) {
+			pos = round_up(pos, dev->bulk_in->wMaxPacketSize);
+			continue;
+		}
 
 		if (pos + msg->len > urb->actual_length) {
 			dev_err(dev->udev->dev.parent, "Format error\n");
@@ -989,7 +1008,6 @@ static void kvaser_usb_read_bulk_callbac
 		}
 
 		kvaser_usb_handle_message(dev, msg);
-
 		pos += msg->len;
 	}
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 051/123] workqueue: fix hang involving racing cancel[_delayed]_work_sync()s for PREEMPT_NONE
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2015-03-24 15:45 ` [PATCH 3.19 050/123] can: kvaser_usb: Read all messages in a bulk-in URB buffer Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 052/123] seq_buf: Fix seq_buf_vprintf() truncation Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Rabin Vincent,
	Tomeu Vizoso, Jesper Nilsson

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 8603e1b30027f943cc9c1eef2b291d42c3347af1 upstream.

cancel[_delayed]_work_sync() are implemented using
__cancel_work_timer() which grabs the PENDING bit using
try_to_grab_pending() and then flushes the work item with PENDING set
to prevent the on-going execution of the work item from requeueing
itself.

try_to_grab_pending() can always grab PENDING bit without blocking
except when someone else is doing the above flushing during
cancelation.  In that case, try_to_grab_pending() returns -ENOENT.  In
this case, __cancel_work_timer() currently invokes flush_work().  The
assumption is that the completion of the work item is what the other
canceling task would be waiting for too and thus waiting for the same
condition and retrying should allow forward progress without excessive
busy looping

Unfortunately, this doesn't work if preemption is disabled or the
latter task has real time priority.  Let's say task A just got woken
up from flush_work() by the completion of the target work item.  If,
before task A starts executing, task B gets scheduled and invokes
__cancel_work_timer() on the same work item, its try_to_grab_pending()
will return -ENOENT as the work item is still being canceled by task A
and flush_work() will also immediately return false as the work item
is no longer executing.  This puts task B in a busy loop possibly
preventing task A from executing and clearing the canceling state on
the work item leading to a hang.

task A			task B			worker

						executing work
__cancel_work_timer()
  try_to_grab_pending()
  set work CANCELING
  flush_work()
    block for work completion
						completion, wakes up A
			__cancel_work_timer()
			while (forever) {
			  try_to_grab_pending()
			    -ENOENT as work is being canceled
			  flush_work()
			    false as work is no longer executing
			}

This patch removes the possible hang by updating __cancel_work_timer()
to explicitly wait for clearing of CANCELING rather than invoking
flush_work() after try_to_grab_pending() fails with -ENOENT.

Link: http://lkml.kernel.org/g/20150206171156.GA8942@axis.com

v3: bit_waitqueue() can't be used for work items defined in vmalloc
    area.  Switched to custom wake function which matches the target
    work item and exclusive wait and wakeup.

v2: v1 used wake_up() on bit_waitqueue() which leads to NULL deref if
    the target bit waitqueue has wait_bit_queue's on it.  Use
    DEFINE_WAIT_BIT() and __wake_up_bit() instead.  Reported by Tomeu
    Vizoso.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Rabin Vincent <rabin.vincent@axis.com>
Cc: Tomeu Vizoso <tomeu.vizoso@gmail.com>
Tested-by: Jesper Nilsson <jesper.nilsson@axis.com>
Tested-by: Rabin Vincent <rabin.vincent@axis.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/workqueue.h |    3 +-
 kernel/workqueue.c        |   56 ++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 5 deletions(-)

--- a/include/linux/workqueue.h
+++ b/include/linux/workqueue.h
@@ -70,7 +70,8 @@ enum {
 	/* data contains off-queue information when !WORK_STRUCT_PWQ */
 	WORK_OFFQ_FLAG_BASE	= WORK_STRUCT_COLOR_SHIFT,
 
-	WORK_OFFQ_CANCELING	= (1 << WORK_OFFQ_FLAG_BASE),
+	__WORK_OFFQ_CANCELING	= WORK_OFFQ_FLAG_BASE,
+	WORK_OFFQ_CANCELING	= (1 << __WORK_OFFQ_CANCELING),
 
 	/*
 	 * When a work item is off queue, its high bits point to the last
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -2728,19 +2728,57 @@ bool flush_work(struct work_struct *work
 }
 EXPORT_SYMBOL_GPL(flush_work);
 
+struct cwt_wait {
+	wait_queue_t		wait;
+	struct work_struct	*work;
+};
+
+static int cwt_wakefn(wait_queue_t *wait, unsigned mode, int sync, void *key)
+{
+	struct cwt_wait *cwait = container_of(wait, struct cwt_wait, wait);
+
+	if (cwait->work != key)
+		return 0;
+	return autoremove_wake_function(wait, mode, sync, key);
+}
+
 static bool __cancel_work_timer(struct work_struct *work, bool is_dwork)
 {
+	static DECLARE_WAIT_QUEUE_HEAD(cancel_waitq);
 	unsigned long flags;
 	int ret;
 
 	do {
 		ret = try_to_grab_pending(work, is_dwork, &flags);
 		/*
-		 * If someone else is canceling, wait for the same event it
-		 * would be waiting for before retrying.
+		 * If someone else is already canceling, wait for it to
+		 * finish.  flush_work() doesn't work for PREEMPT_NONE
+		 * because we may get scheduled between @work's completion
+		 * and the other canceling task resuming and clearing
+		 * CANCELING - flush_work() will return false immediately
+		 * as @work is no longer busy, try_to_grab_pending() will
+		 * return -ENOENT as @work is still being canceled and the
+		 * other canceling task won't be able to clear CANCELING as
+		 * we're hogging the CPU.
+		 *
+		 * Let's wait for completion using a waitqueue.  As this
+		 * may lead to the thundering herd problem, use a custom
+		 * wake function which matches @work along with exclusive
+		 * wait and wakeup.
 		 */
-		if (unlikely(ret == -ENOENT))
-			flush_work(work);
+		if (unlikely(ret == -ENOENT)) {
+			struct cwt_wait cwait;
+
+			init_wait(&cwait.wait);
+			cwait.wait.func = cwt_wakefn;
+			cwait.work = work;
+
+			prepare_to_wait_exclusive(&cancel_waitq, &cwait.wait,
+						  TASK_UNINTERRUPTIBLE);
+			if (work_is_canceling(work))
+				schedule();
+			finish_wait(&cancel_waitq, &cwait.wait);
+		}
 	} while (unlikely(ret < 0));
 
 	/* tell other tasks trying to grab @work to back off */
@@ -2749,6 +2787,16 @@ static bool __cancel_work_timer(struct w
 
 	flush_work(work);
 	clear_work_data(work);
+
+	/*
+	 * Paired with prepare_to_wait() above so that either
+	 * waitqueue_active() is visible here or !work_is_canceling() is
+	 * visible there.
+	 */
+	smp_mb();
+	if (waitqueue_active(&cancel_waitq))
+		__wake_up(&cancel_waitq, TASK_NORMAL, 1, work);
+
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 052/123] seq_buf: Fix seq_buf_vprintf() truncation
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 051/123] workqueue: fix hang involving racing cancel[_delayed]_work_sync()s for PREEMPT_NONE Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 053/123] seq_buf: Fix seq_buf_bprintf() truncation Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 4a8fe4e1811c96ad0ad9f4083f2fe4fb43b2988d upstream.

In seq_buf_vprintf(), vsnprintf() is used to copy the format into the
buffer remaining in the seq_buf structure. The return of vsnprintf()
is the amount of characters written to the buffer excluding the '\0',
unless the line was truncated!

If the line copied does not fit, it is truncated, and a '\0' is added
to the end of the buffer. But in this case, '\0' is included in the length
of the line written. To know if the buffer had overflowed, the return
length will be the same as the length of the buffer passed in.

The check in seq_buf_vprintf() only checked if the length returned from
vsnprintf() would fit in the buffer, as the seq_buf_vprintf() is only
to be an all or nothing command. It either writes all the string into
the seq_buf, or none of it. If the string is truncated, the pointers
inside the seq_buf must be reset to what they were when the function was
called. This is not the case. On overflow, it copies only part of the string.

The fix is to change the overflow check to see if the length returned from
vsnprintf() is less than the length remaining in the seq_buf buffer, and not
if it is less than or equal to as it currently does. Then seq_buf_vprintf()
will know if the write from vsnpritnf() was truncated or not.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/seq_buf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -61,7 +61,7 @@ int seq_buf_vprintf(struct seq_buf *s, c
 
 	if (s->len < s->size) {
 		len = vsnprintf(s->buffer + s->len, s->size - s->len, fmt, args);
-		if (seq_buf_can_fit(s, len)) {
+		if (s->len + len < s->size) {
 			s->len += len;
 			return 0;
 		}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 053/123] seq_buf: Fix seq_buf_bprintf() truncation
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 052/123] seq_buf: Fix seq_buf_vprintf() truncation Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 054/123] cpuset: initialize effective masks when clone_children is enabled Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Perches, Steven Rostedt

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 4d4eb4d4fbd9403682e2b75117b6b895531d8e01 upstream.

In seq_buf_bprintf(), bstr_printf() is used to copy the format into the
buffer remaining in the seq_buf structure. The return of bstr_printf()
is the amount of characters written to the buffer excluding the '\0',
unless the line was truncated!

If the line copied does not fit, it is truncated, and a '\0' is added
to the end of the buffer. But in this case, '\0' is included in the length
of the line written. To know if the buffer had overflowed, the return
length will be the same or greater than the length of the buffer passed in.

The check in seq_buf_bprintf() only checked if the length returned from
bstr_printf() would fit in the buffer, as the seq_buf_bprintf() is only
to be an all or nothing command. It either writes all the string into
the seq_buf, or none of it. If the string is truncated, the pointers
inside the seq_buf must be reset to what they were when the function was
called. This is not the case. On overflow, it copies only part of the string.

The fix is to change the overflow check to see if the length returned from
bstr_printf() is less than the length remaining in the seq_buf buffer, and not
if it is less than or equal to as it currently does. Then seq_buf_bprintf()
will know if the write from bstr_printf() was truncated or not.

Link: http://lkml.kernel.org/r/1425500481.2712.27.camel@perches.com

Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/seq_buf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -154,7 +154,7 @@ int seq_buf_bprintf(struct seq_buf *s, c
 
 	if (s->len < s->size) {
 		ret = bstr_printf(s->buffer + s->len, len, fmt, binary);
-		if (seq_buf_can_fit(s, ret)) {
+		if (s->len + ret < s->size) {
 			s->len += ret;
 			return 0;
 		}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 054/123] cpuset: initialize effective masks when clone_children is enabled
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 053/123] seq_buf: Fix seq_buf_bprintf() truncation Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 055/123] cpuset: fix a warning when clearing configured masks in old hierarchy Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Brauner, Serge Hallyn,
	Zefan Li, Tejun Heo, Serge Hallyn

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zefan Li <lizefan@huawei.com>

commit 790317e1b266c776765a4bdcedefea706ff0fada upstream.

If clone_children is enabled, effective masks won't be initialized
due to the bug:

  # mount -t cgroup -o cpuset xxx /mnt
  # echo 1 > cgroup.clone_children
  # mkdir /mnt/tmp
  # cat /mnt/tmp/
  # cat cpuset.effective_cpus

  # cat cpuset.cpus
  0-15

And then this cpuset won't constrain the tasks in it.

Either the bug or the fix has no effect on unified hierarchy, as
there's no clone_chidren flag there any more.

Reported-by: Christian Brauner <christianvanbrauner@gmail.com>
Reported-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Tested-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpuset.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1992,7 +1992,9 @@ static int cpuset_css_online(struct cgro
 
 	spin_lock_irq(&callback_lock);
 	cs->mems_allowed = parent->mems_allowed;
+	cs->effective_mems = parent->mems_allowed;
 	cpumask_copy(cs->cpus_allowed, parent->cpus_allowed);
+	cpumask_copy(cs->effective_cpus, parent->cpus_allowed);
 	spin_unlock_irq(&callback_lock);
 out_unlock:
 	mutex_unlock(&cpuset_mutex);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 055/123] cpuset: fix a warning when clearing configured masks in old hierarchy
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 054/123] cpuset: initialize effective masks when clone_children is enabled Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 056/123] cpuset: Fix cpuset sched_relax_domain_level Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zefan Li, Tejun Heo, Serge Hallyn

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zefan Li <lizefan@huawei.com>

commit 79063bffc81f82689bd90e16da1b49408f3bf095 upstream.

When we clear cpuset.cpus, cpuset.effective_cpus won't be cleared:

  # mount -t cgroup -o cpuset xxx /mnt
  # mkdir /mnt/tmp
  # echo 0 > /mnt/tmp/cpuset.cpus
  # echo > /mnt/tmp/cpuset.cpus
  # cat cpuset.cpus

  # cat cpuset.effective_cpus
  0-15

And a kernel warning in update_cpumasks_hier() is triggered:

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 4028 at kernel/cpuset.c:894 update_cpumasks_hier+0x471/0x650()

Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Tested-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpuset.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -873,7 +873,7 @@ static void update_cpumasks_hier(struct
 		 * If it becomes empty, inherit the effective mask of the
 		 * parent, which is guaranteed to have some CPUs.
 		 */
-		if (cpumask_empty(new_cpus))
+		if (cgroup_on_dfl(cp->css.cgroup) && cpumask_empty(new_cpus))
 			cpumask_copy(new_cpus, parent->effective_cpus);
 
 		/* Skip the whole subtree if the cpumask remains the same. */
@@ -1129,7 +1129,7 @@ static void update_nodemasks_hier(struct
 		 * If it becomes empty, inherit the effective mask of the
 		 * parent, which is guaranteed to have some MEMs.
 		 */
-		if (nodes_empty(*new_mems))
+		if (cgroup_on_dfl(cp->css.cgroup) && nodes_empty(*new_mems))
 			*new_mems = parent->effective_mems;
 
 		/* Skip the whole subtree if the nodemask remains the same. */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 056/123] cpuset: Fix cpuset sched_relax_domain_level
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 055/123] cpuset: fix a warning when clearing configured masks in old hierarchy Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 057/123] tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Low, Zefan Li, Tejun Heo, Serge Hallyn

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Low <jason.low2@hp.com>

commit 283cb41f426b723a0255702b761b0fc5d1b53a81 upstream.

The cpuset.sched_relax_domain_level can control how far we do
immediate load balancing on a system. However, it was found on recent
kernels that echo'ing a value into cpuset.sched_relax_domain_level
did not reduce any immediate load balancing.

The reason this occurred was because the update_domain_attr_tree() traversal
did not update for the "top_cpuset". This resulted in nothing being changed
when modifying the sched_relax_domain_level parameter.

This patch is able to address that problem by having update_domain_attr_tree()
allow updates for the root in the cpuset traversal.

Fixes: fc560a26acce ("cpuset: replace cpuset->stack_list with cpuset_for_each_descendant_pre()")
Signed-off-by: Jason Low <jason.low2@hp.com>
Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Tested-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpuset.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -548,9 +548,6 @@ static void update_domain_attr_tree(stru
 
 	rcu_read_lock();
 	cpuset_for_each_descendant_pre(cp, pos_css, root_cs) {
-		if (cp == root_cs)
-			continue;
-
 		/* skip the whole subtree if @cp doesn't have any CPU */
 		if (cpumask_empty(cp->cpus_allowed)) {
 			pos_css = css_rightmost_descendant(pos_css);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 057/123] tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 056/123] cpuset: Fix cpuset sched_relax_domain_level Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 058/123] tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joy Latten, Ashley Lai, Peter Huewe

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "jmlatten@linux.vnet.ibm.com" <jmlatten@linux.vnet.ibm.com>

commit 62dfd912ab3b5405b6fe72d0135c37e9648071f1 upstream.

Problem: When IMA and VTPM are both enabled in kernel config,
kernel hangs during bootup on LE OS.

Why?: IMA calls tpm_pcr_read() which results in tpm_ibmvtpm_send
and tpm_ibmtpm_recv getting called. A trace showed that
tpm_ibmtpm_recv was hanging.

Resolution: tpm_ibmtpm_recv was hanging because tpm_ibmvtpm_send
was sending CRQ message that probably did not make much sense
to phype because of Endianness. The fix below sends correctly
converted CRQ for LE. This was not caught before because it
seems IMA is not enabled by default in kernel config and
IMA exercises this particular code path in vtpm.

Tested with IMA and VTPM enabled in kernel config and VTPM
enabled on both a BE OS and a LE OS ppc64 lpar. This exercised
CRQ and TPM command code paths in vtpm.
Patch is against Peter's tpmdd tree on github which included
Vicky's previous vtpm le patches.

Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
Reviewed-by: Ashley Lai <ashley@ahsleylai.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_ibmvtpm.c |   10 +++++-----
 drivers/char/tpm/tpm_ibmvtpm.h |    6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/char/tpm/tpm_ibmvtpm.c
+++ b/drivers/char/tpm/tpm_ibmvtpm.c
@@ -124,7 +124,7 @@ static int tpm_ibmvtpm_send(struct tpm_c
 {
 	struct ibmvtpm_dev *ibmvtpm;
 	struct ibmvtpm_crq crq;
-	u64 *word = (u64 *) &crq;
+	__be64 *word = (__be64 *)&crq;
 	int rc;
 
 	ibmvtpm = (struct ibmvtpm_dev *)TPM_VPRIV(chip);
@@ -145,11 +145,11 @@ static int tpm_ibmvtpm_send(struct tpm_c
 	memcpy((void *)ibmvtpm->rtce_buf, (void *)buf, count);
 	crq.valid = (u8)IBMVTPM_VALID_CMD;
 	crq.msg = (u8)VTPM_TPM_COMMAND;
-	crq.len = (u16)count;
-	crq.data = ibmvtpm->rtce_dma_handle;
+	crq.len = cpu_to_be16(count);
+	crq.data = cpu_to_be32(ibmvtpm->rtce_dma_handle);
 
-	rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]),
-			      cpu_to_be64(word[1]));
+	rc = ibmvtpm_send_crq(ibmvtpm->vdev, be64_to_cpu(word[0]),
+			      be64_to_cpu(word[1]));
 	if (rc != H_SUCCESS) {
 		dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc);
 		rc = 0;
--- a/drivers/char/tpm/tpm_ibmvtpm.h
+++ b/drivers/char/tpm/tpm_ibmvtpm.h
@@ -22,9 +22,9 @@
 struct ibmvtpm_crq {
 	u8 valid;
 	u8 msg;
-	u16 len;
-	u32 data;
-	u64 reserved;
+	__be16 len;
+	__be32 data;
+	__be64 reserved;
 } __attribute__((packed, aligned(8)));
 
 struct ibmvtpm_crq_queue {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 058/123] tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 057/123] tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 059/123] s390/pci: fix possible information leak in mmio syscall Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Christophe Ricard,
	Peter Huewe

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Ricard <christophe.ricard@gmail.com>

commit c4eadfafb91d5501095c55ffadaa1168743f39d3 upstream.

Add a return value check when reading data from the FIFO register.

Reviewed-by: Jason Gunthorpe <jason.gunthorpe@obsidianresearch.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_i2c_stm_st33.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/char/tpm/tpm_i2c_stm_st33.c
+++ b/drivers/char/tpm/tpm_i2c_stm_st33.c
@@ -397,7 +397,7 @@ static int wait_for_stat(struct tpm_chip
  */
 static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
 {
-	int size = 0, burstcnt, len;
+	int size = 0, burstcnt, len, ret;
 	struct i2c_client *client;
 
 	client = (struct i2c_client *)TPM_VPRIV(chip);
@@ -406,13 +406,15 @@ static int recv_data(struct tpm_chip *ch
 	       wait_for_stat(chip,
 			     TPM_STS_DATA_AVAIL | TPM_STS_VALID,
 			     chip->vendor.timeout_c,
-			     &chip->vendor.read_queue)
-	       == 0) {
+			     &chip->vendor.read_queue) == 0) {
 		burstcnt = get_burstcount(chip);
 		if (burstcnt < 0)
 			return burstcnt;
 		len = min_t(int, burstcnt, count - size);
-		I2C_READ_DATA(client, TPM_DATA_FIFO, buf + size, len);
+		ret = I2C_READ_DATA(client, TPM_DATA_FIFO, buf + size, len);
+		if (ret < 0)
+			return ret;
+
 		size += len;
 	}
 	return size;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 059/123] s390/pci: fix possible information leak in mmio syscall
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 058/123] tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 060/123] spi: atmel: Fix interrupt setup for PDC transfers Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Ott, Martin Schwidefsky

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Ott <sebott@linux.vnet.ibm.com>

commit f0483044c1c96089256cda4cf182eea1ead77fe4 upstream.

Make sure that even in error situations we do not use copy_to_user
on uninitialized kernel memory.

Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/pci/pci_mmio.c |   17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

--- a/arch/s390/pci/pci_mmio.c
+++ b/arch/s390/pci/pci_mmio.c
@@ -64,8 +64,7 @@ SYSCALL_DEFINE3(s390_pci_mmio_write, uns
 	if (copy_from_user(buf, user_buffer, length))
 		goto out;
 
-	memcpy_toio(io_addr, buf, length);
-	ret = 0;
+	ret = zpci_memcpy_toio(io_addr, buf, length);
 out:
 	if (buf != local_buf)
 		kfree(buf);
@@ -98,16 +97,16 @@ SYSCALL_DEFINE3(s390_pci_mmio_read, unsi
 		goto out;
 	io_addr = (void *)((pfn << PAGE_SHIFT) | (mmio_addr & ~PAGE_MASK));
 
-	ret = -EFAULT;
-	if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE)
+	if ((unsigned long) io_addr < ZPCI_IOMAP_ADDR_BASE) {
+		ret = -EFAULT;
 		goto out;
-
-	memcpy_fromio(buf, io_addr, length);
-
-	if (copy_to_user(user_buffer, buf, length))
+	}
+	ret = zpci_memcpy_fromio(buf, io_addr, length);
+	if (ret)
 		goto out;
+	if (copy_to_user(user_buffer, buf, length))
+		ret = -EFAULT;
 
-	ret = 0;
 out:
 	if (buf != local_buf)
 		kfree(buf);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 060/123] spi: atmel: Fix interrupt setup for PDC transfers
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 059/123] s390/pci: fix possible information leak in mmio syscall Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 061/123] spi: dw-mid: avoid potential NULL dereference Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Torsten Fleischer, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Torsten Fleischer <torfl6749@gmail.com>

commit 76e1d14b316d6f501ebc001e7a5d86b24ce5b615 upstream.

Additionally to the current DMA transfer the PDC allows to set up a next DMA
transfer. This is useful for larger SPI transfers.

The driver currently waits for ENDRX as end of the transfer. But ENDRX is set
when the current DMA transfer is done (RCR = 0), i.e. it doesn't include the
next DMA transfer.
Thus a subsequent SPI transfer could be started although there is currently a
transfer in progress. This can cause invalid accesses to the SPI slave devices
and to SPI transfer errors.

This issue has been observed on a hardware with a M25P128 SPI NOR flash.

So instead of ENDRX we should wait for RXBUFF. This flag is set if there is
no more DMA transfer in progress (RCR = RNCR = 0).

Signed-off-by: Torsten Fleischer <torfl6749@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-atmel.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -764,17 +764,17 @@ static void atmel_spi_pdc_next_xfer(stru
 			(unsigned long long)xfer->rx_dma);
 	}
 
-	/* REVISIT: We're waiting for ENDRX before we start the next
+	/* REVISIT: We're waiting for RXBUFF before we start the next
 	 * transfer because we need to handle some difficult timing
-	 * issues otherwise. If we wait for ENDTX in one transfer and
-	 * then starts waiting for ENDRX in the next, it's difficult
-	 * to tell the difference between the ENDRX interrupt we're
-	 * actually waiting for and the ENDRX interrupt of the
+	 * issues otherwise. If we wait for TXBUFE in one transfer and
+	 * then starts waiting for RXBUFF in the next, it's difficult
+	 * to tell the difference between the RXBUFF interrupt we're
+	 * actually waiting for and the RXBUFF interrupt of the
 	 * previous transfer.
 	 *
 	 * It should be doable, though. Just not now...
 	 */
-	spi_writel(as, IER, SPI_BIT(ENDRX) | SPI_BIT(OVRES));
+	spi_writel(as, IER, SPI_BIT(RXBUFF) | SPI_BIT(OVRES));
 	spi_writel(as, PTCR, SPI_BIT(TXTEN) | SPI_BIT(RXTEN));
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 061/123] spi: dw-mid: avoid potential NULL dereference
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 060/123] spi: atmel: Fix interrupt setup for PDC transfers Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 062/123] spi: pl022: Fix race in giveback() leading to driver lock-up Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit c9dafb27c84412fe4b17c3b94cc4ffeef5df1833 upstream.

When DMA descriptor allocation fails we should not try to assign any fields in
the bad descriptor. The patch adds the necessary checks for that.

Fixes: 7063c0d942a1 (spi/dw_spi: add DMA support)
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-dw-mid.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/spi/spi-dw-mid.c
+++ b/drivers/spi/spi-dw-mid.c
@@ -139,6 +139,9 @@ static struct dma_async_tx_descriptor *d
 				1,
 				DMA_MEM_TO_DEV,
 				DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+	if (!txdesc)
+		return NULL;
+
 	txdesc->callback = dw_spi_dma_tx_done;
 	txdesc->callback_param = dws;
 
@@ -184,6 +187,9 @@ static struct dma_async_tx_descriptor *d
 				1,
 				DMA_DEV_TO_MEM,
 				DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+	if (!rxdesc)
+		return NULL;
+
 	rxdesc->callback = dw_spi_dma_rx_done;
 	rxdesc->callback_param = dws;
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 062/123] spi: pl022: Fix race in giveback() leading to driver lock-up
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 061/123] spi: dw-mid: avoid potential NULL dereference Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 064/123] ALSA: control: Add sanity checks for user ctl id name string Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Sverdlin, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander.sverdlin@nokia.com>

commit cd6fa8d2ca53cac3226fdcffcf763be390abae32 upstream.

Commit fd316941c ("spi/pl022: disable port when unused") introduced a race,
which leads to possible driver lock up (easily reproducible on SMP).

The problem happens in giveback() function where the completion of the transfer
is signalled to SPI subsystem and then the HW SPI controller is disabled. Another
transfer might be setup in between, which brings driver in locked-up state.

Exact event sequence on SMP:

core0                                   core1

                                        => pump_transfers()
                                        /* message->state == STATE_DONE */
                                          => giveback()
                                            => spi_finalize_current_message()

=> pl022_unprepare_transfer_hardware()
=> pl022_transfer_one_message
  => flush()
  => do_interrupt_dma_transfer()
    => set_up_next_transfer()
    /* Enable SSP, turn on interrupts */
    writew((readw(SSP_CR1(pl022->virtbase)) |
           SSP_CR1_MASK_SSE), SSP_CR1(pl022->virtbase));

...

=> pl022_interrupt_handler()
  => readwriter()

                                        /* disable the SPI/SSP operation */
                                        => writew((readw(SSP_CR1(pl022->virtbase)) &
                                                  (~SSP_CR1_MASK_SSE)), SSP_CR1(pl022->virtbase));

Lockup! SPI controller is disabled and the data will never be received. Whole
SPI subsystem is waiting for transfer ACK and blocked.

So, only signal transfer completion after disabling the controller.

Fixes: fd316941c (spi/pl022: disable port when unused)
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-pl022.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/spi/spi-pl022.c
+++ b/drivers/spi/spi-pl022.c
@@ -534,12 +534,12 @@ static void giveback(struct pl022 *pl022
 	pl022->cur_msg = NULL;
 	pl022->cur_transfer = NULL;
 	pl022->cur_chip = NULL;
-	spi_finalize_current_message(pl022->master);
 
 	/* disable the SPI/SSP operation */
 	writew((readw(SSP_CR1(pl022->virtbase)) &
 		(~SSP_CR1_MASK_SSE)), SSP_CR1(pl022->virtbase));
 
+	spi_finalize_current_message(pl022->master);
 }
 
 /**



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 064/123] ALSA: control: Add sanity checks for user ctl id name string
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 062/123] spi: pl022: Fix race in giveback() leading to driver lock-up Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 065/123] ALSA: hda - Fix built-in mic on Compaq Presario CQ60 Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit be3bb8236db2d0fcd705062ae2e2a9d75131222f upstream.

There was no check about the id string of user control elements, so we
accepted even a control element with an empty string, which is
obviously bogus.  This patch adds more sanity checks of id strings.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/control.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1168,6 +1168,10 @@ static int snd_ctl_elem_add(struct snd_c
 
 	if (info->count < 1)
 		return -EINVAL;
+	if (!*info->id.name)
+		return -EINVAL;
+	if (strnlen(info->id.name, sizeof(info->id.name)) >= sizeof(info->id.name))
+		return -EINVAL;
 	access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE :
 		(info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE|
 				 SNDRV_CTL_ELEM_ACCESS_INACTIVE|



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 065/123] ALSA: hda - Fix built-in mic on Compaq Presario CQ60
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 064/123] ALSA: control: Add sanity checks for user ctl id name string Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 066/123] ALSA: hda - Dont access stereo amps for mono channel widgets Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit ddb6ca75b5671b8fbf1909bc588c449ee74b34f9 upstream.

Compaq Presario CQ60 laptop with CX20561 gives a wrong pin for the
built-in mic NID 0x17 instead of NID 0x1d, and it results in the
non-working mic.  This patch just remaps the pin correctly via fixup.

Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=920604
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_conexant.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -223,6 +223,7 @@ enum {
 	CXT_PINCFG_LENOVO_TP410,
 	CXT_PINCFG_LEMOTE_A1004,
 	CXT_PINCFG_LEMOTE_A1205,
+	CXT_PINCFG_COMPAQ_CQ60,
 	CXT_FIXUP_STEREO_DMIC,
 	CXT_FIXUP_INC_MIC_BOOST,
 	CXT_FIXUP_HEADPHONE_MIC_PIN,
@@ -660,6 +661,15 @@ static const struct hda_fixup cxt_fixups
 		.type = HDA_FIXUP_PINS,
 		.v.pins = cxt_pincfg_lemote,
 	},
+	[CXT_PINCFG_COMPAQ_CQ60] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			/* 0x17 was falsely set up as a mic, it should 0x1d */
+			{ 0x17, 0x400001f0 },
+			{ 0x1d, 0x97a70120 },
+			{ }
+		}
+	},
 	[CXT_FIXUP_STEREO_DMIC] = {
 		.type = HDA_FIXUP_FUNC,
 		.v.func = cxt_fixup_stereo_dmic,
@@ -769,6 +779,7 @@ static const struct hda_model_fixup cxt5
 };
 
 static const struct snd_pci_quirk cxt5051_fixups[] = {
+	SND_PCI_QUIRK(0x103c, 0x360b, "Compaq CQ60", CXT_PINCFG_COMPAQ_CQ60),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo X200", CXT_PINCFG_LENOVO_X200),
 	{}
 };



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 066/123] ALSA: hda - Dont access stereo amps for mono channel widgets
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 065/123] ALSA: hda - Fix built-in mic on Compaq Presario CQ60 Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 067/123] ALSA: hda - Set single_adc_amp flag for CS420x codecs Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit ef403edb75580a3ec5d155f5de82155f0419c621 upstream.

The current HDA generic parser initializes / modifies the amp values
always in stereo, but this seems causing the problem on ALC3229 codec
that has a few mono channel widgets: namely, these mono widgets react
to actions for both channels equally.

In the driver code, we do care the mono channel and create a control
only for the left channel (as defined in HD-audio spec) for such a
node.  When the control is updated, only the left channel value is
changed.  However, in the resume, the right channel value is also
restored from the initial value we took as stereo, and this overwrites
the left channel value.  This ends up being the silent output as the
right channel has been never touched and remains muted.

This patch covers the places where unconditional stereo amp accesses
are done and converts to the conditional accesses.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=94581
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_generic.c |   30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -692,7 +692,23 @@ static void init_amp(struct hda_codec *c
 {
 	unsigned int caps = query_amp_caps(codec, nid, dir);
 	int val = get_amp_val_to_activate(codec, nid, dir, caps, false);
-	snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val);
+
+	if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
+		snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val);
+	else
+		snd_hda_codec_amp_init(codec, nid, 0, dir, idx, 0xff, val);
+}
+
+/* update the amp, doing in stereo or mono depending on NID */
+static int update_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx,
+		      unsigned int mask, unsigned int val)
+{
+	if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
+		return snd_hda_codec_amp_stereo(codec, nid, dir, idx,
+						mask, val);
+	else
+		return snd_hda_codec_amp_update(codec, nid, 0, dir, idx,
+						mask, val);
 }
 
 /* calculate amp value mask we can modify;
@@ -732,7 +748,7 @@ static void activate_amp(struct hda_code
 		return;
 
 	val &= mask;
-	snd_hda_codec_amp_stereo(codec, nid, dir, idx, mask, val);
+	update_amp(codec, nid, dir, idx, mask, val);
 }
 
 static void activate_amp_out(struct hda_codec *codec, struct nid_path *path,
@@ -4424,13 +4440,11 @@ static void mute_all_mixer_nid(struct hd
 	has_amp = nid_has_mute(codec, mix, HDA_INPUT);
 	for (i = 0; i < nums; i++) {
 		if (has_amp)
-			snd_hda_codec_amp_stereo(codec, mix,
-						 HDA_INPUT, i,
-						 0xff, HDA_AMP_MUTE);
+			update_amp(codec, mix, HDA_INPUT, i,
+				   0xff, HDA_AMP_MUTE);
 		else if (nid_has_volume(codec, conn[i], HDA_OUTPUT))
-			snd_hda_codec_amp_stereo(codec, conn[i],
-						 HDA_OUTPUT, 0,
-						 0xff, HDA_AMP_MUTE);
+			update_amp(codec, conn[i], HDA_OUTPUT, 0,
+				   0xff, HDA_AMP_MUTE);
 	}
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 067/123] ALSA: hda - Set single_adc_amp flag for CS420x codecs
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 066/123] ALSA: hda - Dont access stereo amps for mono channel widgets Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 068/123] ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit bad994f5b4ab57eec8d56c180edca00505c3eeb2 upstream.

CS420x codecs seem to deal only the single amps of ADC nodes even
though the nodes receive multiple inputs.  This leads to the
inconsistent amp value after S3/S4 resume, for example.

The fix is just to set codec->single_adc_amp flag.  Then the driver
handles these ADC amps as if single connections.

Reported-and-tested-by: Vasil Zlatanov <vasil.zlatanov@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_cirrus.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -584,6 +584,7 @@ static int patch_cs420x(struct hda_codec
 		return -ENOMEM;
 
 	spec->gen.automute_hook = cs_automute;
+	codec->single_adc_amp = 1;
 
 	snd_hda_pick_fixup(codec, cs420x_models, cs420x_fixup_tbl,
 			   cs420x_fixups);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 068/123] ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 067/123] ALSA: hda - Set single_adc_amp flag for CS420x codecs Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 069/123] ALSA: hda - Fix regression of HD-audio controller fallback modes Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 2ddee91abe9cc34ddb6294ee14702b46ae07d460 upstream.

MacBook Air 5,2 has the same problem as MacBook Pro 8,1 where the
built-in mic records only the right channel.  Apply the same
workaround as MBP8,1 to spread the mono channel via a Cirrus codec
vendor-specific COEF setup.

Reported-and-tested-by: Vasil Zlatanov <vasil.zlatanov@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_cirrus.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -393,6 +393,7 @@ static const struct snd_pci_quirk cs420x
 	SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
 	SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
 	SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
+	SND_PCI_QUIRK(0x106b, 0x5600, "MacBookAir 5,2", CS420X_MBP81),
 	SND_PCI_QUIRK(0x106b, 0x5b00, "MacBookAir 4,2", CS420X_MBA42),
 	SND_PCI_QUIRK_VENDOR(0x106b, "Apple", CS420X_APPLE),
 	{} /* terminator */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 069/123] ALSA: hda - Fix regression of HD-audio controller fallback modes
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 068/123] ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 070/123] ALSA: hda - Treat stereo-to-mono mix properly Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit a1f3f1ca66bd12c339b17a0c2ef93a093f90a277 upstream.

The commit [63e51fd708f5: ALSA: hda - Don't take unresponsive D3
transition too serious] introduced a conditional fallback behavior to
the HD-audio controller depending on the flag set.  However, it
introduced a silly bug, too, that the flag was evaluated in a reverse
way.  This resulted in a regression of HD-audio controller driver
where it can't go to the fallback mode at communication errors.

Unfortunately (or fortunately?) this didn't come up until recently
because the affected code path is an error handling that happens only
on an unstable hardware chip.  Most of recent chips work stably, thus
they didn't hit this problem.  Now, we've got a regression report with
a VIA chip, and this seems indeed requiring the fallback to the
polling mode, and finally the bug was revealed.

The fix is a oneliner to remove the wrong logical NOT in the check.
(Lesson learned - be careful about double negation.)

The bug should be backported to stable, but the patch won't be
applicable to 3.13 or earlier because of the code splits.  The stable
fix patches for earlier kernels will be posted later manually.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=94021
Fixes: 63e51fd708f5 ('ALSA: hda - Don't take unresponsive D3 transition too serious')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_controller.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -1160,7 +1160,7 @@ static unsigned int azx_rirb_get_respons
 		}
 	}
 
-	if (!bus->no_response_fallback)
+	if (bus->no_response_fallback)
 		return -1;
 
 	if (!chip->polling_mode && chip->poll_count < 2) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 070/123] ALSA: hda - Treat stereo-to-mono mix properly
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 069/123] ALSA: hda - Fix regression of HD-audio controller fallback modes Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 071/123] mtd: nand: pxa3xx: Fix PIO FIFO draining Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Raymond Yau, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit cc261738add93947d138d2fabad9f4dbed4e5c00 upstream.

The commit [ef403edb7558: ALSA: hda - Don't access stereo amps for
mono channel widgets] fixed the handling of mono widgets in general,
but it still misses an exceptional case: namely, a mono mixer widget
taking a single stereo input.  In this case, it has stereo volumes
although it's a mono widget, and thus we have to take care of both
left and right input channels, as stated in HD-audio spec ("7.1.3
Widget Interconnection Rules").

This patch covers this missing piece by adding proper checks of stereo
amps in both the generic parser and the proc output codes.

Reported-by: Raymond Yau <superquad.vortex2@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_generic.c |   21 +++++++++++++++++++--
 sound/pci/hda/hda_proc.c    |   38 ++++++++++++++++++++++++++++++--------
 2 files changed, 49 insertions(+), 10 deletions(-)

--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -687,13 +687,30 @@ static int get_amp_val_to_activate(struc
 	return val;
 }
 
+/* is this a stereo widget or a stereo-to-mono mix? */
+static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid, int dir)
+{
+	unsigned int wcaps = get_wcaps(codec, nid);
+	hda_nid_t conn;
+
+	if (wcaps & AC_WCAP_STEREO)
+		return true;
+	if (dir != HDA_INPUT || get_wcaps_type(wcaps) != AC_WID_AUD_MIX)
+		return false;
+	if (snd_hda_get_num_conns(codec, nid) != 1)
+		return false;
+	if (snd_hda_get_connections(codec, nid, &conn, 1) < 0)
+		return false;
+	return !!(get_wcaps(codec, conn) & AC_WCAP_STEREO);
+}
+
 /* initialize the amp value (only at the first time) */
 static void init_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx)
 {
 	unsigned int caps = query_amp_caps(codec, nid, dir);
 	int val = get_amp_val_to_activate(codec, nid, dir, caps, false);
 
-	if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
+	if (is_stereo_amps(codec, nid, dir))
 		snd_hda_codec_amp_init_stereo(codec, nid, dir, idx, 0xff, val);
 	else
 		snd_hda_codec_amp_init(codec, nid, 0, dir, idx, 0xff, val);
@@ -703,7 +720,7 @@ static void init_amp(struct hda_codec *c
 static int update_amp(struct hda_codec *codec, hda_nid_t nid, int dir, int idx,
 		      unsigned int mask, unsigned int val)
 {
-	if (get_wcaps(codec, nid) & AC_WCAP_STEREO)
+	if (is_stereo_amps(codec, nid, dir))
 		return snd_hda_codec_amp_stereo(codec, nid, dir, idx,
 						mask, val);
 	else
--- a/sound/pci/hda/hda_proc.c
+++ b/sound/pci/hda/hda_proc.c
@@ -134,13 +134,38 @@ static void print_amp_caps(struct snd_in
 		    (caps & AC_AMPCAP_MUTE) >> AC_AMPCAP_MUTE_SHIFT);
 }
 
+/* is this a stereo widget or a stereo-to-mono mix? */
+static bool is_stereo_amps(struct hda_codec *codec, hda_nid_t nid,
+			   int dir, unsigned int wcaps, int indices)
+{
+	hda_nid_t conn;
+
+	if (wcaps & AC_WCAP_STEREO)
+		return true;
+	/* check for a stereo-to-mono mix; it must be:
+	 * only a single connection, only for input, and only a mixer widget
+	 */
+	if (indices != 1 || dir != HDA_INPUT ||
+	    get_wcaps_type(wcaps) != AC_WID_AUD_MIX)
+		return false;
+
+	if (snd_hda_get_raw_connections(codec, nid, &conn, 1) < 0)
+		return false;
+	/* the connection source is a stereo? */
+	wcaps = snd_hda_param_read(codec, conn, AC_PAR_AUDIO_WIDGET_CAP);
+	return !!(wcaps & AC_WCAP_STEREO);
+}
+
 static void print_amp_vals(struct snd_info_buffer *buffer,
 			   struct hda_codec *codec, hda_nid_t nid,
-			   int dir, int stereo, int indices)
+			   int dir, unsigned int wcaps, int indices)
 {
 	unsigned int val;
+	bool stereo;
 	int i;
 
+	stereo = is_stereo_amps(codec, nid, dir, wcaps, indices);
+
 	dir = dir == HDA_OUTPUT ? AC_AMP_GET_OUTPUT : AC_AMP_GET_INPUT;
 	for (i = 0; i < indices; i++) {
 		snd_iprintf(buffer, " [");
@@ -757,12 +782,10 @@ static void print_codec_info(struct snd_
 			    (codec->single_adc_amp &&
 			     wid_type == AC_WID_AUD_IN))
 				print_amp_vals(buffer, codec, nid, HDA_INPUT,
-					       wid_caps & AC_WCAP_STEREO,
-					       1);
+					       wid_caps, 1);
 			else
 				print_amp_vals(buffer, codec, nid, HDA_INPUT,
-					       wid_caps & AC_WCAP_STEREO,
-					       conn_len);
+					       wid_caps, conn_len);
 		}
 		if (wid_caps & AC_WCAP_OUT_AMP) {
 			snd_iprintf(buffer, "  Amp-Out caps: ");
@@ -771,11 +794,10 @@ static void print_codec_info(struct snd_
 			if (wid_type == AC_WID_PIN &&
 			    codec->pin_amp_workaround)
 				print_amp_vals(buffer, codec, nid, HDA_OUTPUT,
-					       wid_caps & AC_WCAP_STEREO,
-					       conn_len);
+					       wid_caps, conn_len);
 			else
 				print_amp_vals(buffer, codec, nid, HDA_OUTPUT,
-					       wid_caps & AC_WCAP_STEREO, 1);
+					       wid_caps, 1);
 		}
 
 		switch (wid_type) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 071/123] mtd: nand: pxa3xx: Fix PIO FIFO draining
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 070/123] ALSA: hda - Treat stereo-to-mono mix properly Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 072/123] bnx2x: Force fundamental reset for EEH recovery Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Boris Brezillon,
	Ezequiel Garcia, Brian Norris

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Ripard <maxime.ripard@free-electrons.com>

commit 8dad0386b97c4bd6edd56752ca7f2e735fe5beb4 upstream.

The NDDB register holds the data that are needed by the read and write
commands.

However, during a read PIO access, the datasheet specifies that after each 32
bytes read in that register, when BCH is enabled, we have to make sure that the
RDDREQ bit is set in the NDSR register.

This fixes an issue that was seen on the Armada 385, and presumably other mvebu
SoCs, when a read on a newly erased page would end up in the driver reporting a
timeout from the NAND.

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Acked-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/pxa3xx_nand.c |   48 +++++++++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 6 deletions(-)

--- a/drivers/mtd/nand/pxa3xx_nand.c
+++ b/drivers/mtd/nand/pxa3xx_nand.c
@@ -480,6 +480,42 @@ static void disable_int(struct pxa3xx_na
 	nand_writel(info, NDCR, ndcr | int_mask);
 }
 
+static void drain_fifo(struct pxa3xx_nand_info *info, void *data, int len)
+{
+	if (info->ecc_bch) {
+		int timeout;
+
+		/*
+		 * According to the datasheet, when reading from NDDB
+		 * with BCH enabled, after each 32 bytes reads, we
+		 * have to make sure that the NDSR.RDDREQ bit is set.
+		 *
+		 * Drain the FIFO 8 32 bits reads at a time, and skip
+		 * the polling on the last read.
+		 */
+		while (len > 8) {
+			__raw_readsl(info->mmio_base + NDDB, data, 8);
+
+			for (timeout = 0;
+			     !(nand_readl(info, NDSR) & NDSR_RDDREQ);
+			     timeout++) {
+				if (timeout >= 5) {
+					dev_err(&info->pdev->dev,
+						"Timeout on RDDREQ while draining the FIFO\n");
+					return;
+				}
+
+				mdelay(1);
+			}
+
+			data += 32;
+			len -= 8;
+		}
+	}
+
+	__raw_readsl(info->mmio_base + NDDB, data, len);
+}
+
 static void handle_data_pio(struct pxa3xx_nand_info *info)
 {
 	unsigned int do_bytes = min(info->data_size, info->chunk_size);
@@ -496,14 +532,14 @@ static void handle_data_pio(struct pxa3x
 				      DIV_ROUND_UP(info->oob_size, 4));
 		break;
 	case STATE_PIO_READING:
-		__raw_readsl(info->mmio_base + NDDB,
-			     info->data_buff + info->data_buff_pos,
-			     DIV_ROUND_UP(do_bytes, 4));
+		drain_fifo(info,
+			   info->data_buff + info->data_buff_pos,
+			   DIV_ROUND_UP(do_bytes, 4));
 
 		if (info->oob_size > 0)
-			__raw_readsl(info->mmio_base + NDDB,
-				     info->oob_buff + info->oob_buff_pos,
-				     DIV_ROUND_UP(info->oob_size, 4));
+			drain_fifo(info,
+				   info->oob_buff + info->oob_buff_pos,
+				   DIV_ROUND_UP(info->oob_size, 4));
 		break;
 	default:
 		dev_err(&info->pdev->dev, "%s: invalid state %d\n", __func__,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 072/123] bnx2x: Force fundamental reset for EEH recovery
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 071/123] mtd: nand: pxa3xx: Fix PIO FIFO draining Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 073/123] net: fec: fix rcv is not last issue when do suspend/resume test Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Brian King, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brian King <brking@linux.vnet.ibm.com>

commit da293700568ed3d96fcf062ac15d7d7c41377f11 upstream.

EEH recovery for bnx2x based adapters is not reliable on all Power
systems using the default hot reset, which can result in an
unrecoverable EEH error. Forcing the use of fundamental reset
during EEH recovery fixes this.

Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -12722,6 +12722,9 @@ static int bnx2x_init_dev(struct bnx2x *
 	pci_write_config_dword(bp->pdev, PCICFG_GRC_ADDRESS,
 			       PCICFG_VENDOR_ID_OFFSET);
 
+	/* Set PCIe reset type to fundamental for EEH recovery */
+	pdev->needs_freset = 1;
+
 	/* AER (Advanced Error reporting) configuration */
 	rc = pci_enable_pcie_error_reporting(pdev);
 	if (!rc)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 073/123] net: fec: fix rcv is not last issue when do suspend/resume test
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 072/123] bnx2x: Force fundamental reset for EEH recovery Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 074/123] regulator: rk808: Set the enable time for LDOs Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Chen, Fugang Duan, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fugang Duan <b38611@freescale.com>

commit 61615cd27e2fdcf698261ba77c7d93f7a7739c65 upstream.

When do suspend/resume stress test, some log shows "rcv is not +last".
The issue is that enet suspend will disable phy clock, phy link down,
after resume back, enet MAC redo initial and ready to tx/rx packet,
but phy still is not ready which is doing auto-negotiation. When phy
link is not up, don't schdule napi soft irq.

[Peter]
It has fixed kernel panic after long time suspend/resume test
with nfs rootfs.

[ 8864.429458] fec 2188000.ethernet eth0: rcv is not +last
[ 8864.434799] fec 2188000.ethernet eth0: rcv is not +last
[ 8864.440088] fec 2188000.ethernet eth0: rcv is not +last
[ 8864.445424] fec 2188000.ethernet eth0: rcv is not +last
[ 8864.450782] fec 2188000.ethernet eth0: rcv is not +last
[ 8864.456111] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 8864.464225] pgd = 80004000
[ 8864.466997] [00000000] *pgd=00000000
[ 8864.470627] Internal error: Oops: 17 [#1] SMP ARM
[ 8864.475353] Modules linked in: evbug
[ 8864.479006] CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 4.0.0-rc1-00044-g7a2a1d2 #234
[ 8864.486854] Hardware name: Freescale i.MX6 SoloX (Device Tree)
[ 8864.492709] task: be069380 ti: be07a000 task.ti: be07a000
[ 8864.498137] PC is at memcpy+0x80/0x330
[ 8864.501919] LR is at gro_pull_from_frag0+0x34/0xa8
[ 8864.506735] pc : [<802bb080>]    lr : [<8057c204>]    psr: 00000113
[ 8864.506735] sp : be07bbd4  ip : 00000010  fp : be07bc0c
[ 8864.518235] r10: 0000000e  r9 : 00000000  r8 : 809c7754
[ 8864.523479] r7 : 809c7754  r6 : bb43c040  r5 : bd280cc0  r4 : 00000012
[ 8864.530025] r3 : 00000804  r2 : fffffff2  r1 : 00000000  r0 : bb43b83c
[ 8864.536575] Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[ 8864.543904] Control: 10c5387d  Table: bd14c04a  DAC: 00000015
[ 8864.549669] Process ksoftirqd/0 (pid: 3, stack limit = 0xbe07a210)
[ 8864.555869] Stack: (0xbe07bbd4 to 0xbe07c000)
[ 8864.560250] bbc0:                                              bd280cc0 bb43c040 809c7754
[ 8864.568455] bbe0: 809c7754 bb43b83c 00000012 8057c204 00000000 bd280cc0 bd8a0718 00000003
[ 8864.576658] bc00: be07bc5c be07bc10 8057ebf0 8057c1dc 00000000 00000000 8057ecc4 bef59760
[ 8864.584863] bc20: 00000002 bd8a0000 be07bc64 809c7754 00000000 bd8a0718 bd280cc0 bd8a0000
[ 8864.593066] bc40: 00000000 0000001c 00000000 bd8a0000 be07bc74 be07bc60 8057f148 8057eb90
[ 8864.601268] bc60: bf0810a0 00000000 be07bcf4 be07bc78 8044e7b4 8057f12c 00000000 8007df6c
[ 8864.609470] bc80: bd8a0718 00000040 00000000 bd280a80 00000002 00000019 bd8a0600 bd8a1214
[ 8864.617672] bca0: bd8a0690 bf0810a0 00000000 00000000 bd8a1000 00000000 00000027 bd280cc0
[ 8864.625874] bcc0: 80062708 800625cc 000943db bd8a0718 00000001 000d1166 00000040 be7c1ec0
[ 8864.634077] bce0: 0000012c be07bd00 be07bd3c be07bcf8 8057fc98 8044e3ac 809c2ec0 3ddff000
[ 8864.642280] bd00: be07bd00 be07bd00 be07bd08 be07bd08 00000000 00000020 809c608c 00000003
[ 8864.650481] bd20: 809c6080 40000001 809c6088 00200100 be07bd84 be07bd40 8002e690 8057fac8
[ 8864.658684] bd40: be07bd64 be07bd50 00000001 04208040 000d1165 0000000a be07bd84 809c0d7c
[ 8864.666885] bd60: 00000000 809c6af8 00000000 00000001 be008000 00000000 be07bd9c be07bd88
[ 8864.675087] bd80: 8002eb64 8002e564 00000125 809c0d7c be07bdc4 be07bda0 8006f100 8002eaac
[ 8864.683291] bda0: c080e10c be07bde8 809c6c6c c080e100 00000002 00000000 be07bde4 be07bdc8
[ 8864.691492] bdc0: 800087a0 8006f098 806f2934 20000013 ffffffff be07be1c be07be44 be07bde8
[ 8864.699695] bde0: 800133a4 80008784 00000001 00000001 00000000 00000000 be7c1680 00000000
[ 8864.707896] be00: be0cfe00 bd93eb40 00000002 00000000 00000000 be07be44 be07be00 be07be30
[ 8864.716098] be20: 8006278c 806f2934 20000013 ffffffff be069380 be7c1680 be07be7c be07be48
[ 8864.724300] be40: 80049cfc 806f2910 00000001 00000000 80049cb4 00000000 be07be7c be7c1680
[ 8864.732502] be60: be3289c0 be069380 bd23b600 be0cfe00 be07bebc be07be80 806ed614 80049c68
[ 8864.740706] be80: be07a000 0000020a 809c608c 00000003 00000001 8002e858 be07a000 be035740
[ 8864.748907] bea0: 00000000 00000001 809d4598 00000000 be07bed4 be07bec0 806edd0c 806ed440
[ 8864.757110] bec0: be07a000 be07a000 be07bee4 be07bed8 806edd68 806edcf0 be07bef4 be07bee8
[ 8864.765311] bee0: 8002e860 806edd34 be07bf24 be07bef8 800494b0 8002e828 be069380 00000000
[ 8864.773512] bf00: be035780 be035740 8004938c 00000000 00000000 00000000 be07bfac be07bf28
[ 8864.781715] bf20: 80045928 80049398 be07bf44 00000001 00000000 be035740 00000000 00030003
[ 8864.789917] bf40: dead4ead ffffffff ffffffff 80a2716c 80b59b00 00000000 8088c954 be07bf5c
[ 8864.798120] bf60: be07bf5c 00000000 00000000 dead4ead ffffffff ffffffff 80a2716c 00000000
[ 8864.806320] bf80: 00000000 8088c954 be07bf88 be07bf88 be035780 8004584c 00000000 00000000
[ 8864.814523] bfa0: 00000000 be07bfb0 8000ed10 80045858 00000000 00000000 00000000 00000000
[ 8864.822723] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 8864.830925] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 5ffbb5f7 f9fcf5e7
[ 8864.839115] Backtrace:
[ 8864.841631] [<8057c1d0>] (gro_pull_from_frag0) from [<8057ebf0>] (dev_gro_receive+0x6c/0x3f8)
[ 8864.850173]  r6:00000003 r5:bd8a0718 r4:bd280cc0 r3:00000000
[ 8864.855958] [<8057eb84>] (dev_gro_receive) from [<8057f148>] (napi_gro_receive+0x28/0xac)
[ 8864.864152]  r10:bd8a0000 r9:00000000 r8:0000001c r7:00000000 r6:bd8a0000 r5:bd280cc0
[ 8864.872115]  r4:bd8a0718
[ 8864.874713] [<8057f120>] (napi_gro_receive) from [<8044e7b4>] (fec_enet_rx_napi+0x414/0xc74)
[ 8864.883167]  r5:00000000 r4:bf0810a0
[ 8864.886823] [<8044e3a0>] (fec_enet_rx_napi) from [<8057fc98>] (net_rx_action+0x1dc/0x2ec)
[ 8864.895016]  r10:be07bd00 r9:0000012c r8:be7c1ec0 r7:00000040 r6:000d1166 r5:00000001
[ 8864.902982]  r4:bd8a0718
[ 8864.905570] [<8057fabc>] (net_rx_action) from [<8002e690>] (__do_softirq+0x138/0x2c4)
[ 8864.913417]  r10:00200100 r9:809c6088 r8:40000001 r7:809c6080 r6:00000003 r5:809c608c
[ 8864.921382]  r4:00000020
[ 8864.923966] [<8002e558>] (__do_softirq) from [<8002eb64>] (irq_exit+0xc4/0x138)
[ 8864.931289]  r10:00000000 r9:be008000 r8:00000001 r7:00000000 r6:809c6af8 r5:00000000
[ 8864.939252]  r4:809c0d7c
[ 8864.941841] [<8002eaa0>] (irq_exit) from [<8006f100>] (__handle_domain_irq+0x74/0xe8)
[ 8864.949688]  r4:809c0d7c r3:00000125
[ 8864.953342] [<8006f08c>] (__handle_domain_irq) from [<800087a0>] (gic_handle_irq+0x28/0x68)
[ 8864.961707]  r9:00000000 r8:00000002 r7:c080e100 r6:809c6c6c r5:be07bde8 r4:c080e10c
[ 8864.969597] [<80008778>] (gic_handle_irq) from [<800133a4>] (__irq_svc+0x44/0x5c)
[ 8864.977097] Exception stack(0xbe07bde8 to 0xbe07be30)
[ 8864.982173] bde0:                   00000001 00000001 00000000 00000000 be7c1680 00000000
[ 8864.990377] be00: be0cfe00 bd93eb40 00000002 00000000 00000000 be07be44 be07be00 be07be30
[ 8864.998573] be20: 8006278c 806f2934 20000013 ffffffff
[ 8865.003638]  r7:be07be1c r6:ffffffff r5:20000013 r4:806f2934
[ 8865.009447] [<806f2904>] (_raw_spin_unlock_irq) from [<80049cfc>] (finish_task_switch+0xa0/0x160)
[ 8865.018334]  r4:be7c1680 r3:be069380
[ 8865.021993] [<80049c5c>] (finish_task_switch) from [<806ed614>] (__schedule+0x1e0/0x5dc)
[ 8865.030098]  r8:be0cfe00 r7:bd23b600 r6:be069380 r5:be3289c0 r4:be7c1680
[ 8865.036942] [<806ed434>] (__schedule) from [<806edd0c>] (preempt_schedule_common+0x28/0x44)
[ 8865.045307]  r9:00000000 r8:809d4598 r7:00000001 r6:00000000 r5:be035740 r4:be07a000
[ 8865.053197] [<806edce4>] (preempt_schedule_common) from [<806edd68>] (_cond_resched+0x40/0x48)
[ 8865.061822]  r4:be07a000 r3:be07a000
[ 8865.065472] [<806edd28>] (_cond_resched) from [<8002e860>] (run_ksoftirqd+0x44/0x64)
[ 8865.073252] [<8002e81c>] (run_ksoftirqd) from [<800494b0>] (smpboot_thread_fn+0x124/0x190)
[ 8865.081550] [<8004938c>] (smpboot_thread_fn) from [<80045928>] (kthread+0xdc/0xf8)
[ 8865.089133]  r10:00000000 r9:00000000 r8:00000000 r7:8004938c r6:be035740 r5:be035780
[ 8865.097097]  r4:00000000 r3:be069380
[ 8865.100752] [<8004584c>] (kthread) from [<8000ed10>] (ret_from_fork+0x14/0x24)
[ 8865.107990]  r7:00000000 r6:00000000 r5:8004584c r4:be035780
[ 8865.113767] Code: e320f000 e4913004 e4914004 e4915004 (e4916004)
[ 8865.120006] ---[ end trace b0a4c6bd499288ca ]---
[ 8865.124697] Kernel panic - not syncing: Fatal exception in interrupt
[ 8865.131084] ---[ end Kernel panic - not syncing: Fatal exception in interrupt

Tested-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Fugang Duan <B38611@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/freescale/fec_main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1565,7 +1565,7 @@ fec_enet_interrupt(int irq, void *dev_id
 	writel(int_events, fep->hwp + FEC_IEVENT);
 	fec_enet_collect_events(fep, int_events);
 
-	if (fep->work_tx || fep->work_rx) {
+	if ((fep->work_tx || fep->work_rx) && fep->link) {
 		ret = IRQ_HANDLED;
 
 		if (napi_schedule_prep(&fep->napi)) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 074/123] regulator: rk808: Set the enable time for LDOs
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 073/123] net: fec: fix rcv is not last issue when do suspend/resume test Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 075/123] regulator: Only enable disabled regulators on resume Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Doug Anderson, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Anderson <dianders@chromium.org>

commit 28249b0c2fa361cdac450a6f40242ed45408a24f upstream.

The LDOs are documented in the rk808 datasheet to have a soft start
time of 400us.  Add that to the driver.  If this time takes longer on
a certain board the device tree should be able to override with
"regulator-enable-ramp-delay".

This fixes some dw_mmc probing problems (together with other patches
posted to the mmc maiing lists) on rk3288.

Signed-off-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/regulator/rk808-regulator.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/regulator/rk808-regulator.c
+++ b/drivers/regulator/rk808-regulator.c
@@ -235,6 +235,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(0),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG2",
@@ -249,6 +250,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(1),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG3",
@@ -263,6 +265,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_BUCK4_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(2),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG4",
@@ -277,6 +280,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(3),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG5",
@@ -291,6 +295,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(4),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG6",
@@ -305,6 +310,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(5),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG7",
@@ -319,6 +325,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(6),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "LDO_REG8",
@@ -333,6 +340,7 @@ static const struct regulator_desc rk808
 		.vsel_mask = RK808_LDO_VSEL_MASK,
 		.enable_reg = RK808_LDO_EN_REG,
 		.enable_mask = BIT(7),
+		.enable_time = 400,
 		.owner = THIS_MODULE,
 	}, {
 		.name = "SWITCH_REG1",



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 075/123] regulator: Only enable disabled regulators on resume
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 074/123] regulator: rk808: Set the enable time for LDOs Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 076/123] regulator: core: Fix enable GPIO reference counting Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Javier Martinez Canillas, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>

commit 0548bf4f5ad6fc3bd93c4940fa48078b34609682 upstream.

The _regulator_do_enable() call ought to be a no-op when called on an
already-enabled regulator.  However, as an optimization
_regulator_enable() doesn't call _regulator_do_enable() on an already
enabled regulator.  That means we never test the case of calling
_regulator_do_enable() during normal usage and there may be hidden
bugs or warnings.  We have seen warnings issued by the tps65090 driver
and bugs when using the GPIO enable pin.

Let's match the same optimization that _regulator_enable() in
regulator_suspend_finish().  That may speed up suspend/resume and also
avoids exposing hidden bugs.

[Use much clearer commit message from Doug Anderson]

Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/regulator/core.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -3856,9 +3856,11 @@ int regulator_suspend_finish(void)
 	list_for_each_entry(rdev, &regulator_list, list) {
 		mutex_lock(&rdev->mutex);
 		if (rdev->use_count > 0  || rdev->constraints->always_on) {
-			error = _regulator_do_enable(rdev);
-			if (error)
-				ret = error;
+			if (!_regulator_is_enabled(rdev)) {
+				error = _regulator_do_enable(rdev);
+				if (error)
+					ret = error;
+			}
 		} else {
 			if (!have_full_constraints())
 				goto unlock;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 076/123] regulator: core: Fix enable GPIO reference counting
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 075/123] regulator: Only enable disabled regulators on resume Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 077/123] nilfs2: fix deadlock of segment constructor during recovery Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Doug Anderson, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Anderson <dianders@chromium.org>

commit 29d62ec5f87fbeec8413e2215ddad12e7f972e4c upstream.

Normally _regulator_do_enable() isn't called on an already-enabled
rdev.  That's because the main caller, _regulator_enable() always
calls _regulator_is_enabled() and only calls _regulator_do_enable() if
the rdev was not already enabled.

However, there is one caller of _regulator_do_enable() that doesn't
check: regulator_suspend_finish().  While we might want to make
regulator_suspend_finish() behave more like _regulator_enable(), it's
probably also a good idea to make _regulator_do_enable() robust if it
is called on an already enabled rdev.

At the moment, _regulator_do_enable() is _not_ robust for already
enabled rdevs if we're using an ena_pin.  Each time
_regulator_do_enable() is called for an rdev using an ena_pin the
reference count of the ena_pin is incremented even if the rdev was
already enabled.  This is not as intended because the ena_pin is for
something else: for keeping track of how many active rdevs there are
sharing the same ena_pin.

Here's how the reference counting works here:

* Each time _regulator_enable() is called we increment
  rdev->use_count, so _regulator_enable() calls need to be balanced
  with _regulator_disable() calls.

* There is no explicit reference counting in _regulator_do_enable()
  which is normally just a warapper around rdev->desc->ops->enable()
  with code for supporting delays.  It's not expected that the
  "ops->enable()" call do reference counting.

* Since regulator_ena_gpio_ctrl() does have reference counting
  (handling the sharing of the pin amongst multiple rdevs), we
  shouldn't call it if the current rdev is already enabled.

Note that as part of this we cleanup (remove) the initting of
ena_gpio_state in regulator_register().  In _regulator_do_enable(),
_regulator_do_disable() and _regulator_is_enabled() is is clear that
ena_gpio_state should be the state of whether this particular rdev has
requested the GPIO be enabled.  regulator_register() was initting it
as the actual state of the pin.

Fixes: 967cfb18c0e3 ("regulator: core: manage enable GPIO list")
Signed-off-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/regulator/core.c |   26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1843,10 +1843,12 @@ static int _regulator_do_enable(struct r
 	}
 
 	if (rdev->ena_pin) {
-		ret = regulator_ena_gpio_ctrl(rdev, true);
-		if (ret < 0)
-			return ret;
-		rdev->ena_gpio_state = 1;
+		if (!rdev->ena_gpio_state) {
+			ret = regulator_ena_gpio_ctrl(rdev, true);
+			if (ret < 0)
+				return ret;
+			rdev->ena_gpio_state = 1;
+		}
 	} else if (rdev->desc->ops->enable) {
 		ret = rdev->desc->ops->enable(rdev);
 		if (ret < 0)
@@ -1943,10 +1945,12 @@ static int _regulator_do_disable(struct
 	trace_regulator_disable(rdev_get_name(rdev));
 
 	if (rdev->ena_pin) {
-		ret = regulator_ena_gpio_ctrl(rdev, false);
-		if (ret < 0)
-			return ret;
-		rdev->ena_gpio_state = 0;
+		if (rdev->ena_gpio_state) {
+			ret = regulator_ena_gpio_ctrl(rdev, false);
+			if (ret < 0)
+				return ret;
+			rdev->ena_gpio_state = 0;
+		}
 
 	} else if (rdev->desc->ops->disable) {
 		ret = rdev->desc->ops->disable(rdev);
@@ -3678,12 +3682,6 @@ regulator_register(const struct regulato
 				 config->ena_gpio, ret);
 			goto wash;
 		}
-
-		if (config->ena_gpio_flags & GPIOF_OUT_INIT_HIGH)
-			rdev->ena_gpio_state = 1;
-
-		if (config->ena_gpio_invert)
-			rdev->ena_gpio_state = !rdev->ena_gpio_state;
 	}
 
 	/* set regulator constraints */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 077/123] nilfs2: fix deadlock of segment constructor during recovery
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 076/123] regulator: core: Fix enable GPIO reference counting Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 078/123] mm: cma: fix CMA aligned offset calculation Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryusuke Konishi, Yuxuan Shui,
	Al Viro, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

commit 283ee1482f349d6c0c09dfb725db5880afc56813 upstream.

According to a report from Yuxuan Shui, nilfs2 in kernel 3.19 got stuck
during recovery at mount time.  The code path that caused the deadlock was
as follows:

  nilfs_fill_super()
    load_nilfs()
      nilfs_salvage_orphan_logs()
        * Do roll-forwarding, attach segment constructor for recovery,
          and kick it.

        nilfs_segctor_thread()
          nilfs_segctor_thread_construct()
           * A lock is held with nilfs_transaction_lock()
             nilfs_segctor_do_construct()
               nilfs_segctor_drop_written_files()
                 iput()
                   iput_final()
                     write_inode_now()
                       writeback_single_inode()
                         __writeback_single_inode()
                           do_writepages()
                             nilfs_writepage()
                               nilfs_construct_dsync_segment()
                                 nilfs_transaction_lock() --> deadlock

This can happen if commit 7ef3ff2fea8b ("nilfs2: fix deadlock of segment
constructor over I_SYNC flag") is applied and roll-forward recovery was
performed at mount time.  The roll-forward recovery can happen if datasync
write is done and the file system crashes immediately after that.  For
instance, we can reproduce the issue with the following steps:

 < nilfs2 is mounted on /nilfs (device: /dev/sdb1) >
 # dd if=/dev/zero of=/nilfs/test bs=4k count=1 && sync
 # dd if=/dev/zero of=/nilfs/test conv=notrunc oflag=dsync bs=4k
 count=1 && reboot -nfh
 < the system will immediately reboot >
 # mount -t nilfs2 /dev/sdb1 /nilfs

The deadlock occurs because iput() can run segment constructor through
writeback_single_inode() if MS_ACTIVE flag is not set on sb->s_flags.  The
above commit changed segment constructor so that it calls iput()
asynchronously for inodes with i_nlink == 0, but that change was
imperfect.

This fixes the another deadlock by deferring iput() in segment constructor
even for the case that mount is not finished, that is, for the case that
MS_ACTIVE flag is not set.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Reported-by: Yuxuan Shui <yshuiv7@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nilfs2/segment.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -1907,6 +1907,7 @@ static void nilfs_segctor_drop_written_f
 					     struct the_nilfs *nilfs)
 {
 	struct nilfs_inode_info *ii, *n;
+	int during_mount = !(sci->sc_super->s_flags & MS_ACTIVE);
 	int defer_iput = false;
 
 	spin_lock(&nilfs->ns_inode_lock);
@@ -1919,10 +1920,10 @@ static void nilfs_segctor_drop_written_f
 		brelse(ii->i_bh);
 		ii->i_bh = NULL;
 		list_del_init(&ii->i_dirty);
-		if (!ii->vfs_inode.i_nlink) {
+		if (!ii->vfs_inode.i_nlink || during_mount) {
 			/*
-			 * Defer calling iput() to avoid a deadlock
-			 * over I_SYNC flag for inodes with i_nlink == 0
+			 * Defer calling iput() to avoid deadlocks if
+			 * i_nlink == 0 or mount is not yet finished.
 			 */
 			list_add_tail(&ii->i_dirty, &sci->sc_iput_queue);
 			defer_iput = true;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 078/123] mm: cma: fix CMA aligned offset calculation
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 077/123] nilfs2: fix deadlock of segment constructor during recovery Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 080/123] drm/vmwgfx: Reorder device takedown somewhat Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Danesh Petigara, Gregory Fong,
	Michal Nazarewicz, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Danesh Petigara <dpetigara@broadcom.com>

commit 850fc430f47aad52092deaaeb32b99f97f0e6aca upstream.

The CMA aligned offset calculation is incorrect for non-zero order_per_bit
values.

For example, if cma->order_per_bit=1, cma->base_pfn= 0x2f800000 and
align_order=12, the function returns a value of 0x17c00 instead of 0x400.

This patch fixes the CMA aligned offset calculation.

The previous calculation was wrong and would return too-large values for
the offset, so that when cma_alloc looks for free pages in the bitmap with
the requested alignment > order_per_bit, it starts too far into the bitmap
and so CMA allocations will fail despite there actually being plenty of
free pages remaining.  It will also probably have the wrong alignment.
With this change, we will get the correct offset into the bitmap.

One affected user is powerpc KVM, which has kvm_cma->order_per_bit set to
KVM_CMA_CHUNK_ORDER - PAGE_SHIFT, or 18 - 12 = 6.

[gregory.0xf0@gmail.com: changelog additions]
Signed-off-by: Danesh Petigara <dpetigara@broadcom.com>
Reviewed-by: Gregory Fong <gregory.0xf0@gmail.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/cma.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/mm/cma.c
+++ b/mm/cma.c
@@ -64,15 +64,17 @@ static unsigned long cma_bitmap_aligned_
 	return (1UL << (align_order - cma->order_per_bit)) - 1;
 }
 
+/*
+ * Find a PFN aligned to the specified order and return an offset represented in
+ * order_per_bits.
+ */
 static unsigned long cma_bitmap_aligned_offset(struct cma *cma, int align_order)
 {
-	unsigned int alignment;
-
 	if (align_order <= cma->order_per_bit)
 		return 0;
-	alignment = 1UL << (align_order - cma->order_per_bit);
-	return ALIGN(cma->base_pfn, alignment) -
-		(cma->base_pfn >> cma->order_per_bit);
+
+	return (ALIGN(cma->base_pfn, (1UL << align_order))
+		- cma->base_pfn) >> cma->order_per_bit;
 }
 
 static unsigned long cma_bitmap_maxno(struct cma *cma)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 080/123] drm/vmwgfx: Reorder device takedown somewhat
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 078/123] mm: cma: fix CMA aligned offset calculation Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 081/123] drm/vmwgfx: Fix a couple of lock dependency violations Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Sinclair Yeh

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 3458390b9f0ba784481d23134798faee27b5f16f upstream.

To take down the MOB and GMR memory types, the driver may have to issue
fence objects and thus make sure that the fence manager is taken down
after those memory types.
Reorder device init accordingly.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c |   77 ++++++++++++++++++------------------
 1 file changed, 40 insertions(+), 37 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -725,32 +725,6 @@ static int vmw_driver_load(struct drm_de
 		goto out_err1;
 	}
 
-	ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM,
-			     (dev_priv->vram_size >> PAGE_SHIFT));
-	if (unlikely(ret != 0)) {
-		DRM_ERROR("Failed initializing memory manager for VRAM.\n");
-		goto out_err2;
-	}
-
-	dev_priv->has_gmr = true;
-	if (((dev_priv->capabilities & (SVGA_CAP_GMR | SVGA_CAP_GMR2)) == 0) ||
-	    refuse_dma || ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR,
-					 VMW_PL_GMR) != 0) {
-		DRM_INFO("No GMR memory available. "
-			 "Graphics memory resources are very limited.\n");
-		dev_priv->has_gmr = false;
-	}
-
-	if (dev_priv->capabilities & SVGA_CAP_GBOBJECTS) {
-		dev_priv->has_mob = true;
-		if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_MOB,
-				   VMW_PL_MOB) != 0) {
-			DRM_INFO("No MOB memory available. "
-				 "3D will be disabled.\n");
-			dev_priv->has_mob = false;
-		}
-	}
-
 	dev_priv->mmio_mtrr = arch_phys_wc_add(dev_priv->mmio_start,
 					       dev_priv->mmio_size);
 
@@ -813,6 +787,33 @@ static int vmw_driver_load(struct drm_de
 		goto out_no_fman;
 	}
 
+
+	ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM,
+			     (dev_priv->vram_size >> PAGE_SHIFT));
+	if (unlikely(ret != 0)) {
+		DRM_ERROR("Failed initializing memory manager for VRAM.\n");
+		goto out_no_vram;
+	}
+
+	dev_priv->has_gmr = true;
+	if (((dev_priv->capabilities & (SVGA_CAP_GMR | SVGA_CAP_GMR2)) == 0) ||
+	    refuse_dma || ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR,
+					 VMW_PL_GMR) != 0) {
+		DRM_INFO("No GMR memory available. "
+			 "Graphics memory resources are very limited.\n");
+		dev_priv->has_gmr = false;
+	}
+
+	if (dev_priv->capabilities & SVGA_CAP_GBOBJECTS) {
+		dev_priv->has_mob = true;
+		if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_MOB,
+				   VMW_PL_MOB) != 0) {
+			DRM_INFO("No MOB memory available. "
+				 "3D will be disabled.\n");
+			dev_priv->has_mob = false;
+		}
+	}
+
 	vmw_kms_save_vga(dev_priv);
 
 	/* Start kms and overlay systems, needs fifo. */
@@ -838,6 +839,12 @@ out_no_fifo:
 	vmw_kms_close(dev_priv);
 out_no_kms:
 	vmw_kms_restore_vga(dev_priv);
+	if (dev_priv->has_mob)
+		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB);
+	if (dev_priv->has_gmr)
+		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
+	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
+out_no_vram:
 	vmw_fence_manager_takedown(dev_priv->fman);
 out_no_fman:
 	if (dev_priv->capabilities & SVGA_CAP_IRQMASK)
@@ -853,12 +860,6 @@ out_err4:
 	iounmap(dev_priv->mmio_virt);
 out_err3:
 	arch_phys_wc_del(dev_priv->mmio_mtrr);
-	if (dev_priv->has_mob)
-		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB);
-	if (dev_priv->has_gmr)
-		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
-	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
-out_err2:
 	(void)ttm_bo_device_release(&dev_priv->bdev);
 out_err1:
 	vmw_ttm_global_release(dev_priv);
@@ -887,6 +888,13 @@ static int vmw_driver_unload(struct drm_
 	}
 	vmw_kms_close(dev_priv);
 	vmw_overlay_close(dev_priv);
+
+	if (dev_priv->has_mob)
+		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB);
+	if (dev_priv->has_gmr)
+		(void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
+	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
+
 	vmw_fence_manager_takedown(dev_priv->fman);
 	if (dev_priv->capabilities & SVGA_CAP_IRQMASK)
 		drm_irq_uninstall(dev_priv->dev);
@@ -898,11 +906,6 @@ static int vmw_driver_unload(struct drm_
 	ttm_object_device_release(&dev_priv->tdev);
 	iounmap(dev_priv->mmio_virt);
 	arch_phys_wc_del(dev_priv->mmio_mtrr);
-	if (dev_priv->has_mob)
-		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_MOB);
-	if (dev_priv->has_gmr)
-		(void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
-	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
 	(void)ttm_bo_device_release(&dev_priv->bdev);
 	vmw_ttm_global_release(dev_priv);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 081/123] drm/vmwgfx: Fix a couple of lock dependency violations
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 080/123] drm/vmwgfx: Reorder device takedown somewhat Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 083/123] drm/i915: add dev_to_i915 helper Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sinclair Yeh, Thomas Hellstrom

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 5151adb37a5918957f4c33a8d8e7629c0fb00563 upstream.

Experimental lockdep annotation added to the TTM lock has unveiled a
couple of lock dependency violations in the vmwgfx driver. In both
cases it turns out that the device_private::reservation_sem is not
needed so the offending code is moved out of that lock.

Acked-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    8 +++-----
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c     |   14 +++-----------
 2 files changed, 6 insertions(+), 16 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2780,13 +2780,11 @@ int vmw_execbuf_ioctl(struct drm_device
 				  NULL, arg->command_size, arg->throttle_us,
 				  (void __user *)(unsigned long)arg->fence_rep,
 				  NULL);
-
+	ttm_read_unlock(&dev_priv->reservation_sem);
 	if (unlikely(ret != 0))
-		goto out_unlock;
+		return ret;
 
 	vmw_kms_cursor_post_execbuf(dev_priv);
 
-out_unlock:
-	ttm_read_unlock(&dev_priv->reservation_sem);
-	return ret;
+	return 0;
 }
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2033,23 +2033,17 @@ int vmw_kms_update_layout_ioctl(struct d
 	int i;
 	struct drm_mode_config *mode_config = &dev->mode_config;
 
-	ret = ttm_read_lock(&dev_priv->reservation_sem, true);
-	if (unlikely(ret != 0))
-		return ret;
-
 	if (!arg->num_outputs) {
 		struct drm_vmw_rect def_rect = {0, 0, 800, 600};
 		vmw_du_update_layout(dev_priv, 1, &def_rect);
-		goto out_unlock;
+		return 0;
 	}
 
 	rects_size = arg->num_outputs * sizeof(struct drm_vmw_rect);
 	rects = kcalloc(arg->num_outputs, sizeof(struct drm_vmw_rect),
 			GFP_KERNEL);
-	if (unlikely(!rects)) {
-		ret = -ENOMEM;
-		goto out_unlock;
-	}
+	if (unlikely(!rects))
+		return -ENOMEM;
 
 	user_rects = (void __user *)(unsigned long)arg->rects;
 	ret = copy_from_user(rects, user_rects, rects_size);
@@ -2074,7 +2068,5 @@ int vmw_kms_update_layout_ioctl(struct d
 
 out_free:
 	kfree(rects);
-out_unlock:
-	ttm_read_unlock(&dev_priv->reservation_sem);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 083/123] drm/i915: add dev_to_i915 helper
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 081/123] drm/vmwgfx: Fix a couple of lock dependency violations Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 085/123] drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Imre Deak, Takashi Iwai, Daniel Vetter

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Imre Deak <imre.deak@intel.com>

commit 888d0d421663313739a8bf93459c6ba61fd4b121 upstream.

This will be needed by later patches, so factor it out.

No functional change.

v2:
- s/dev_to_i915_priv/dev_to_i915/ (Jani)
- don't use the helper in i915_pm_suspend (Chris)
- simplify the helper (Chris)
v3:
- remove redundant upcasting in the helper (Daniel)

Signed-off-by: Imre Deak <imre.deak@intel.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_drv.c |    9 +++------
 drivers/gpu/drm/i915/i915_drv.h |    5 +++++
 2 files changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/i915/i915_drv.c
+++ b/drivers/gpu/drm/i915/i915_drv.c
@@ -934,8 +934,7 @@ static int i915_pm_suspend(struct device
 
 static int i915_pm_suspend_late(struct device *dev)
 {
-	struct pci_dev *pdev = to_pci_dev(dev);
-	struct drm_device *drm_dev = pci_get_drvdata(pdev);
+	struct drm_device *drm_dev = dev_to_i915(dev)->dev;
 
 	/*
 	 * We have a suspedn ordering issue with the snd-hda driver also
@@ -954,8 +953,7 @@ static int i915_pm_suspend_late(struct d
 
 static int i915_pm_resume_early(struct device *dev)
 {
-	struct pci_dev *pdev = to_pci_dev(dev);
-	struct drm_device *drm_dev = pci_get_drvdata(pdev);
+	struct drm_device *drm_dev = dev_to_i915(dev)->dev;
 
 	if (drm_dev->switch_power_state == DRM_SWITCH_POWER_OFF)
 		return 0;
@@ -965,8 +963,7 @@ static int i915_pm_resume_early(struct d
 
 static int i915_pm_resume(struct device *dev)
 {
-	struct pci_dev *pdev = to_pci_dev(dev);
-	struct drm_device *drm_dev = pci_get_drvdata(pdev);
+	struct drm_device *drm_dev = dev_to_i915(dev)->dev;
 
 	if (drm_dev->switch_power_state == DRM_SWITCH_POWER_OFF)
 		return 0;
--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -1781,6 +1781,11 @@ static inline struct drm_i915_private *t
 	return dev->dev_private;
 }
 
+static inline struct drm_i915_private *dev_to_i915(struct device *dev)
+{
+	return to_i915(dev_get_drvdata(dev));
+}
+
 /* Iterate over initialised rings */
 #define for_each_ring(ring__, dev_priv__, i__) \
 	for ((i__) = 0; (i__) < I915_NUM_RINGS; (i__)++) \



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 085/123] drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 083/123] drm/i915: add dev_to_i915 helper Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 086/123] xen/events: avoid NULL pointer dereference in dom0 on large machines Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Javier Martinez Canillas,
	Marek Szyprowski, Chanwoo Choi, Doug Anderson, Olof Johansson,
	Kevin Hilman, Tyler Baker, Alessandro Zummo, Andrew Morton,
	Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>

commit 8792f7772f4f40ffc68bad5f28311205584b734d upstream.

Commit df9e26d093d3 ("rtc: s3c: add support for RTC of Exynos3250 SoC")
added an "rtc_src" DT property to specify the clock used as a source to
the S3C real-time clock.

Not all SoCs needs this so commit eaf3a659086e ("drivers/rtc/rtc-s3c.c:
fix initialization failure without rtc source clock") changed to check
the struct s3c_rtc_data .needs_src_clk to conditionally grab the clock.

But that commit didn't update the data for each IP version so the RTC
broke on the boards that needs a source clock. This is the case of at
least Exynos5250 and Exynos5440 which uses the s3c6410 RTC IP block.

This commit fixes the S3C rtc on the Exynos5250 Snow and Exynos5420
Peach Pit and Pi Chromebooks.

Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Chanwoo Choi <cw00.choi@samsung.com>
Cc: Doug Anderson <dianders@chromium.org>
Cc: Olof Johansson <olof@lixom.net>
Cc: Kevin Hilman <khilman@linaro.org>
Cc: Tyler Baker <tyler.baker@linaro.org>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rtc/rtc-s3c.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/rtc/rtc-s3c.c
+++ b/drivers/rtc/rtc-s3c.c
@@ -849,6 +849,7 @@ static struct s3c_rtc_data const s3c2443
 
 static struct s3c_rtc_data const s3c6410_rtc_data = {
 	.max_user_freq		= 32768,
+	.needs_src_clk		= true,
 	.irq_handler		= s3c6410_rtc_irq,
 	.set_freq		= s3c6410_rtc_setfreq,
 	.enable_tick		= s3c6410_rtc_enable_tick,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 086/123] xen/events: avoid NULL pointer dereference in dom0 on large machines
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 085/123] drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 087/123] x86/xen: correct bug in p2m list initialization Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, David Vrabel

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 85e40b0539b24518c8bdf63e2605c8522377d00f upstream.

Using the pvops kernel a NULL pointer dereference was detected on a
large machine (144 processors) when booting as dom0 in
evtchn_fifo_unmask() during assignment of a pirq.

The event channel in question was the first to need a new entry in
event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup()
is called with evtchn being 0 for a new pirq and the real event channel
number is assigned to the pirq only during __startup_pirq().

It is mandatory to call xen_evtchn_port_setup() after assigning the
event channel number to the pirq to make sure all memory needed for the
event channel is allocated.

Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/events/events_base.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -526,20 +526,26 @@ static unsigned int __startup_pirq(unsig
 	pirq_query_unmask(irq);
 
 	rc = set_evtchn_to_irq(evtchn, irq);
-	if (rc != 0) {
-		pr_err("irq%d: Failed to set port to irq mapping (%d)\n",
-		       irq, rc);
-		xen_evtchn_close(evtchn);
-		return 0;
-	}
+	if (rc)
+		goto err;
+
 	bind_evtchn_to_cpu(evtchn, 0);
 	info->evtchn = evtchn;
 
+	rc = xen_evtchn_port_setup(info);
+	if (rc)
+		goto err;
+
 out:
 	unmask_evtchn(evtchn);
 	eoi_pirq(irq_get_irq_data(irq));
 
 	return 0;
+
+err:
+	pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc);
+	xen_evtchn_close(evtchn);
+	return 0;
 }
 
 static unsigned int startup_pirq(struct irq_data *data)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 087/123] x86/xen: correct bug in p2m list initialization
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 086/123] xen/events: avoid NULL pointer dereference in dom0 on large machines Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 088/123] xen-pciback: limit guest control of command register Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Bader, Juergen Gross, David Vrabel

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit b8f05c8803fce899d79ca66f8d7f348cf15fb40e upstream.

Commit 054954eb051f35e74b75a566a96fe756015352c8 ("xen: switch to
linear virtual mapped sparse p2m list") introduced an error.

During initialization of the p2m list a p2m identity area mapped by
a complete identity pmd entry has to be split up into smaller chunks
sometimes, if a non-identity pfn is introduced in this area.

If this non-identity pfn is not at index 0 of a p2m page the new
p2m page needed is initialized with wrong identity entries, as the
identity pfns don't start with the value corresponding to index 0,
but with the initial non-identity pfn. This results in weird wrong
mappings.

Correct the wrong initialization by starting with the correct pfn.

Reported-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Tested-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/xen/p2m.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/xen/p2m.c
+++ b/arch/x86/xen/p2m.c
@@ -567,7 +567,7 @@ static bool alloc_p2m(unsigned long pfn)
 		if (p2m_pfn == PFN_DOWN(__pa(p2m_missing)))
 			p2m_init(p2m);
 		else
-			p2m_init_identity(p2m, pfn);
+			p2m_init_identity(p2m, pfn & ~(P2M_PER_PAGE - 1));
 
 		spin_lock_irqsave(&p2m_update_lock, flags);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 088/123] xen-pciback: limit guest control of command register
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 087/123] x86/xen: correct bug in p2m list initialization Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 089/123] of: fix handling of / in options for of_find_node_by_path() Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Beulich, Konrad Rzeszutek Wilk,
	David Vrabel

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit af6fc858a35b90e89ea7a7ee58e66628c55c776b upstream.

Otherwise the guest can abuse that control to cause e.g. PCIe
Unsupported Request responses by disabling memory and/or I/O decoding
and subsequently causing (CPU side) accesses to the respective address
ranges, which (depending on system configuration) may be fatal to the
host.

Note that to alter any of the bits collected together as
PCI_COMMAND_GUEST permissive mode is now required to be enabled
globally or on the specific device.

This is CVE-2015-2150 / XSA-120.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/xen-pciback/conf_space.c        |    2 
 drivers/xen/xen-pciback/conf_space.h        |    2 
 drivers/xen/xen-pciback/conf_space_header.c |   59 ++++++++++++++++++++++------
 3 files changed, 50 insertions(+), 13 deletions(-)

--- a/drivers/xen/xen-pciback/conf_space.c
+++ b/drivers/xen/xen-pciback/conf_space.c
@@ -16,7 +16,7 @@
 #include "conf_space.h"
 #include "conf_space_quirks.h"
 
-static bool permissive;
+bool permissive;
 module_param(permissive, bool, 0644);
 
 /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
--- a/drivers/xen/xen-pciback/conf_space.h
+++ b/drivers/xen/xen-pciback/conf_space.h
@@ -64,6 +64,8 @@ struct config_field_entry {
 	void *data;
 };
 
+extern bool permissive;
+
 #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
 
 /* Add fields to a device - the add_fields macro expects to get a pointer to
--- a/drivers/xen/xen-pciback/conf_space_header.c
+++ b/drivers/xen/xen-pciback/conf_space_header.c
@@ -11,6 +11,10 @@
 #include "pciback.h"
 #include "conf_space.h"
 
+struct pci_cmd_info {
+	u16 val;
+};
+
 struct pci_bar_info {
 	u32 val;
 	u32 len_val;
@@ -20,22 +24,36 @@ struct pci_bar_info {
 #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
 #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
 
-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
+/* Bits guests are allowed to control in permissive mode. */
+#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
+			   PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
+			   PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
+
+static void *command_init(struct pci_dev *dev, int offset)
 {
-	int i;
-	int ret;
+	struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
+	int err;
 
-	ret = xen_pcibk_read_config_word(dev, offset, value, data);
-	if (!pci_is_enabled(dev))
-		return ret;
-
-	for (i = 0; i < PCI_ROM_RESOURCE; i++) {
-		if (dev->resource[i].flags & IORESOURCE_IO)
-			*value |= PCI_COMMAND_IO;
-		if (dev->resource[i].flags & IORESOURCE_MEM)
-			*value |= PCI_COMMAND_MEMORY;
+	if (!cmd)
+		return ERR_PTR(-ENOMEM);
+
+	err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
+	if (err) {
+		kfree(cmd);
+		return ERR_PTR(err);
 	}
 
+	return cmd;
+}
+
+static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
+{
+	int ret = pci_read_config_word(dev, offset, value);
+	const struct pci_cmd_info *cmd = data;
+
+	*value &= PCI_COMMAND_GUEST;
+	*value |= cmd->val & ~PCI_COMMAND_GUEST;
+
 	return ret;
 }
 
@@ -43,6 +61,8 @@ static int command_write(struct pci_dev
 {
 	struct xen_pcibk_dev_data *dev_data;
 	int err;
+	u16 val;
+	struct pci_cmd_info *cmd = data;
 
 	dev_data = pci_get_drvdata(dev);
 	if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
@@ -83,6 +103,19 @@ static int command_write(struct pci_dev
 		}
 	}
 
+	cmd->val = value;
+
+	if (!permissive && (!dev_data || !dev_data->permissive))
+		return 0;
+
+	/* Only allow the guest to control certain bits. */
+	err = pci_read_config_word(dev, offset, &val);
+	if (err || val == value)
+		return err;
+
+	value &= PCI_COMMAND_GUEST;
+	value |= val & ~PCI_COMMAND_GUEST;
+
 	return pci_write_config_word(dev, offset, value);
 }
 
@@ -282,6 +315,8 @@ static const struct config_field header_
 	{
 	 .offset    = PCI_COMMAND,
 	 .size      = 2,
+	 .init      = command_init,
+	 .release   = bar_release,
 	 .u.w.read  = command_read,
 	 .u.w.write = command_write,
 	},



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 089/123] of: fix handling of / in options for of_find_node_by_path()
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 088/123] xen-pciback: limit guest control of command register Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 090/123] of: handle both / and : in path strings Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Hurley, Leif Lindholm, Rob Herring

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leif Lindholm <leif.lindholm@linaro.org>

commit 106937e8ccdcf0f4b95fbf0fe9abd42766cade33 upstream.

Ensure proper handling of paths with appended options (after ':'),
where those options may contain a '/'.

Fixes: 7914a7c5651a ("of: support passing console options with stdout-path")
Reported-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/base.c |   23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -714,16 +714,17 @@ static struct device_node *__of_find_nod
 						const char *path)
 {
 	struct device_node *child;
-	int len = strchrnul(path, '/') - path;
-	int term;
+	int len;
+	const char *end;
 
+	end = strchr(path, ':');
+	if (!end)
+		end = strchrnul(path, '/');
+
+	len = end - path;
 	if (!len)
 		return NULL;
 
-	term = strchrnul(path, ':') - path;
-	if (term < len)
-		len = term;
-
 	__for_each_child_of_node(parent, child) {
 		const char *name = strrchr(child->full_name, '/');
 		if (WARN(!name, "malformed device_node %s\n", child->full_name))
@@ -768,8 +769,12 @@ struct device_node *of_find_node_opts_by
 
 	/* The path could begin with an alias */
 	if (*path != '/') {
-		char *p = strchrnul(path, '/');
-		int len = separator ? separator - path : p - path;
+		int len;
+		const char *p = separator;
+
+		if (!p)
+			p = strchrnul(path, '/');
+		len = p - path;
 
 		/* of_aliases must not be NULL */
 		if (!of_aliases)
@@ -794,6 +799,8 @@ struct device_node *of_find_node_opts_by
 		path++; /* Increment past '/' delimiter */
 		np = __of_find_node_by_path(np, path);
 		path = strchrnul(path, '/');
+		if (separator && separator < path)
+			break;
 	}
 	raw_spin_unlock_irqrestore(&devtree_lock, flags);
 	return np;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 090/123] of: handle both / and : in path strings
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 089/123] of: fix handling of / in options for of_find_node_by_path() Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read() Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Norris, Leif Lindholm, Rob Herring

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Norris <computersforpeace@gmail.com>

commit 721a09e95c786346b4188863a1cfa3909c76f690 upstream.

Commit 106937e8ccdc ("of: fix handling of '/' in options for
of_find_node_by_path()") caused a regression in OF handling of
stdout-path. While it fixes some cases which have '/' after the ':', it
breaks cases where there is more than one '/' *before* the ':'.

For example, it breaks this boot string

  stdout-path = "/rdb/serial@f040ab00:115200";

So rather than doing sequentialized checks (first for '/', then for ':';
or vice versa), to get the correct behavior we need to check for the
first occurrence of either one of them.

It so happens that the handy strcspn() helper can do just that.

Fixes: 106937e8ccdc ("of: fix handling of '/' in options for of_find_node_by_path()")
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Acked-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/base.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -715,13 +715,8 @@ static struct device_node *__of_find_nod
 {
 	struct device_node *child;
 	int len;
-	const char *end;
 
-	end = strchr(path, ':');
-	if (!end)
-		end = strchrnul(path, '/');
-
-	len = end - path;
+	len = strcspn(path, "/:");
 	if (!len)
 		return NULL;
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 090/123] of: handle both / and : in path strings Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 17:30   ` Alexander Holler
  2015-03-24 15:46 ` [PATCH 3.19 092/123] libsas: Fix Kernel Crash in smp_execute_task Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  115 siblings, 1 reply; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.

AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
we are going to access it asynchronously, we'd better get ourselves
a copy - the one on kernel stack of aio_run_iocb() won't be there
anymore.  function/f_fs.c take care of doing that, legacy/inode.c
doesn't...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/legacy/inode.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -566,7 +566,6 @@ static ssize_t ep_copy_to_user(struct ki
 		if (total == 0)
 			break;
 	}
-
 	return len;
 }
 
@@ -585,6 +584,7 @@ static void ep_user_copy_worker(struct w
 	aio_complete(iocb, ret, ret);
 
 	kfree(priv->buf);
+	kfree(priv->iv);
 	kfree(priv);
 }
 
@@ -605,6 +605,7 @@ static void ep_aio_complete(struct usb_e
 	 */
 	if (priv->iv == NULL || unlikely(req->actual == 0)) {
 		kfree(req->buf);
+		kfree(priv->iv);
 		kfree(priv);
 		iocb->private = NULL;
 		/* aio_complete() reports bytes-transferred _and_ faults */
@@ -640,7 +641,7 @@ ep_aio_rwtail(
 	struct usb_request	*req;
 	ssize_t			value;
 
-	priv = kmalloc(sizeof *priv, GFP_KERNEL);
+	priv = kzalloc(sizeof *priv, GFP_KERNEL);
 	if (!priv) {
 		value = -ENOMEM;
 fail:
@@ -649,7 +650,14 @@ fail:
 	}
 	iocb->private = priv;
 	priv->iocb = iocb;
-	priv->iv = iv;
+	if (iv) {
+		priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
+				   GFP_KERNEL);
+		if (!priv->iv) {
+			kfree(priv);
+			goto fail;
+		}
+	}
 	priv->nr_segs = nr_segs;
 	INIT_WORK(&priv->work, ep_user_copy_worker);
 
@@ -689,6 +697,7 @@ fail:
 	mutex_unlock(&epdata->lock);
 
 	if (unlikely(value)) {
+		kfree(priv->iv);
 		kfree(priv);
 		put_ep(epdata);
 	} else



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 092/123] libsas: Fix Kernel Crash in smp_execute_task
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read() Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 093/123] PCI: Dont read past the end of sysfs "driver_override" buffer Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Praveen Murali, James Bottomley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Bottomley <JBottomley@Parallels.com>

commit 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 upstream.

This crash was reported:

[  366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
[  368.804046] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
[  368.804098] PGD 0
[  368.804114] Oops: 0002 [#1] SMP
[  368.804143] CPU 1
[  368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
[  368.804749]
[  368.804764] Pid: 392, comm: kworker/u:3 Tainted: P        W  O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
[  368.804802] RIP: 0010:[<ffffffff81358457>]  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
[  368.804827] RSP: 0018:ffff880117001cc0  EFLAGS: 00010246
[  368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
[  368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
[  368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
[  368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
[  368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
[  368.804916] FS:  0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
[  368.804931] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
[  368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
[  368.805009] Stack:
[  368.805017]  ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
[  368.805062]  000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
[  368.805100]  ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
[  368.805135] Call Trace:
[  368.805153]  [<ffffffff81056f7c>] ? up+0xb/0x33
[  368.805168]  [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
[  368.805194]  [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
[  368.805217]  [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
[  368.805240]  [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
[  368.805264]  [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
[  368.805280]  [<ffffffff81355a2a>] ? printk+0x43/0x48
[  368.805296]  [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
[  368.805318]  [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
[  368.805336]  [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
[  368.805351]  [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
[  368.805366]  [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
[  368.805382]  [<ffffffff81052c4e>] ? kthread+0x79/0x81
[  368.805399]  [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
[  368.805416]  [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
[  368.805431]  [<ffffffff8135fea0>] ? gs_change+0x13/0x13
[  368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
[  368.805851] RIP  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
[  368.805877]  RSP <ffff880117001cc0>
[  368.805886] CR2: 0000000000000000
[  368.805899] ---[ end trace b720682065d8f4cc ]---

It's directly caused by 89d3cf6 [SCSI] libsas: add mutex for SMP task
execution, but shows a deeper cause: expander functions expect to be able to
cast to and treat domain devices as expanders.  The correct fix is to only do
expander discover when we know we've got an expander device to avoid wrongly
casting a non-expander device.

Reported-by: Praveen Murali <pmurali@logicube.com>
Tested-by: Praveen Murali <pmurali@logicube.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/libsas/sas_discover.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/scsi/libsas/sas_discover.c
+++ b/drivers/scsi/libsas/sas_discover.c
@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct
 	struct sas_discovery_event *ev = to_sas_discovery_event(work);
 	struct asd_sas_port *port = ev->port;
 	struct sas_ha_struct *ha = port->ha;
+	struct domain_device *ddev = port->port_dev;
 
 	/* prevent revalidation from finding sata links in recovery */
 	mutex_lock(&ha->disco_mutex);
@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct
 	SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id,
 		    task_pid_nr(current));
 
-	if (port->port_dev)
-		res = sas_ex_revalidate_domain(port->port_dev);
+	if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE ||
+		     ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE))
+		res = sas_ex_revalidate_domain(ddev);
 
 	SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n",
 		    port->id, task_pid_nr(current), res);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 093/123] PCI: Dont read past the end of sysfs "driver_override" buffer
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 092/123] libsas: Fix Kernel Crash in smp_execute_task Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 094/123] irqchip: armada-370-xp: Fix chained per-cpu interrupts Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sasha Levin, Bjorn Helgaas,
	Alex Williamson, Konrad Rzeszutek Wilk, Alexander Graf

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sasha Levin <sasha.levin@oracle.com>

commit 4efe874aace57dba967624ce1c48322da2447b75 upstream.

When printing the driver_override parameter when it is 4095 and 4094 bytes
long, the printing code would access invalid memory because we need count+1
bytes for printing.

Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: Alexander Graf <agraf@suse.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci-sysfs.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -521,7 +521,8 @@ static ssize_t driver_override_store(str
 	struct pci_dev *pdev = to_pci_dev(dev);
 	char *driver_override, *old = pdev->driver_override, *cp;
 
-	if (count > PATH_MAX)
+	/* We need to keep extra room for a newline */
+	if (count >= (PAGE_SIZE - 1))
 		return -EINVAL;
 
 	driver_override = kstrndup(buf, count, GFP_KERNEL);
@@ -549,7 +550,7 @@ static ssize_t driver_override_show(stru
 {
 	struct pci_dev *pdev = to_pci_dev(dev);
 
-	return sprintf(buf, "%s\n", pdev->driver_override);
+	return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
 }
 static DEVICE_ATTR_RW(driver_override);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 094/123] irqchip: armada-370-xp: Fix chained per-cpu interrupts
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 093/123] PCI: Dont read past the end of sysfs "driver_override" buffer Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 095/123] pagemap: do not leak physical addresses to non-privileged userspace Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Gregory CLEMENT, Jason Cooper

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Ripard <maxime.ripard@free-electrons.com>

commit 5724be8464dceac047c1eaddaa3651cea0ec16ca upstream.

On the Cortex-A9-based Armada SoCs, the MPIC is not the primary interrupt
controller. Yet, it still has to handle some per-cpu interrupt.

To do so, it is chained with the GIC using a per-cpu interrupt. However, the
current code only call irq_set_chained_handler, which is called and enable that
interrupt only on the boot CPU, which means that the parent per-CPU interrupt
is never unmasked on the secondary CPUs, preventing the per-CPU interrupt to
actually work as expected.

This was not seen until now since the only MPIC PPI users were the Marvell
timers that were not working, but not used either since the system use the ARM
TWD by default, and the ethernet controllers, that are faking there interrupts
as SPI, and don't really expect to have interrupts on the secondary cores
anyway.

Add a CPU notifier that will enable the PPI on the secondary cores when they
are brought up.

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Link: https://lkml.kernel.org/r/1425378443-28822-1-git-send-email-maxime.ripard@free-electrons.com
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/irqchip/irq-armada-370-xp.c |   21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

--- a/drivers/irqchip/irq-armada-370-xp.c
+++ b/drivers/irqchip/irq-armada-370-xp.c
@@ -69,6 +69,7 @@ static void __iomem *per_cpu_int_base;
 static void __iomem *main_int_base;
 static struct irq_domain *armada_370_xp_mpic_domain;
 static u32 doorbell_mask_reg;
+static int parent_irq;
 #ifdef CONFIG_PCI_MSI
 static struct irq_domain *armada_370_xp_msi_domain;
 static DECLARE_BITMAP(msi_used, PCI_MSI_DOORBELL_NR);
@@ -356,6 +357,7 @@ static int armada_xp_mpic_secondary_init
 {
 	if (action == CPU_STARTING || action == CPU_STARTING_FROZEN)
 		armada_xp_mpic_smp_cpu_init();
+
 	return NOTIFY_OK;
 }
 
@@ -364,6 +366,20 @@ static struct notifier_block armada_370_
 	.priority = 100,
 };
 
+static int mpic_cascaded_secondary_init(struct notifier_block *nfb,
+					unsigned long action, void *hcpu)
+{
+	if (action == CPU_STARTING || action == CPU_STARTING_FROZEN)
+		enable_percpu_irq(parent_irq, IRQ_TYPE_NONE);
+
+	return NOTIFY_OK;
+}
+
+static struct notifier_block mpic_cascaded_cpu_notifier = {
+	.notifier_call = mpic_cascaded_secondary_init,
+	.priority = 100,
+};
+
 #endif /* CONFIG_SMP */
 
 static struct irq_domain_ops armada_370_xp_mpic_irq_ops = {
@@ -539,7 +555,7 @@ static int __init armada_370_xp_mpic_of_
 					     struct device_node *parent)
 {
 	struct resource main_int_res, per_cpu_int_res;
-	int parent_irq, nr_irqs, i;
+	int nr_irqs, i;
 	u32 control;
 
 	BUG_ON(of_address_to_resource(node, 0, &main_int_res));
@@ -587,6 +603,9 @@ static int __init armada_370_xp_mpic_of_
 		register_cpu_notifier(&armada_370_xp_mpic_cpu_notifier);
 #endif
 	} else {
+#ifdef CONFIG_SMP
+		register_cpu_notifier(&mpic_cascaded_cpu_notifier);
+#endif
 		irq_set_chained_handler(parent_irq,
 					armada_370_xp_mpic_handle_cascade_irq);
 	}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 095/123] pagemap: do not leak physical addresses to non-privileged userspace
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 094/123] irqchip: armada-370-xp: Fix chained per-cpu interrupts Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 096/123] crypto: arm/aes update NEON AES module to latest OpenSSL version Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov,
	Konstantin Khlebnikov, Andy Lutomirski, Pavel Emelyanov,
	Andrew Morton, Mark Seaborn, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>

commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream.

As pointed by recent post[1] on exploiting DRAM physical imperfection,
/proc/PID/pagemap exposes sensitive information which can be used to do
attacks.

This disallows anybody without CAP_SYS_ADMIN to read the pagemap.

[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

[ Eventually we might want to do anything more finegrained, but for now
  this is the simple model.   - Linus ]

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Seaborn <mseaborn@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/task_mmu.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1326,6 +1326,9 @@ out:
 
 static int pagemap_open(struct inode *inode, struct file *file)
 {
+	/* do not disclose physical addresses: attack vector */
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
 			"to stop being page-shift some time soon. See the "
 			"linux/Documentation/vm/pagemap.txt for details.\n");



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 096/123] crypto: arm/aes update NEON AES module to latest OpenSSL version
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 095/123] pagemap: do not leak physical addresses to non-privileged userspace Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 097/123] crypto: aesni - fix memory usage in GCM decryption Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Kotelba, Ard Biesheuvel,
	Milan Broz, Herbert Xu

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed upstream.

This updates the bit sliced AES module to the latest version in the
upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a
bug in the XTS decryption path, where data chunked in a certain way
could trigger the ciphertext stealing code, which is not supposed to
be active in the kernel build (The kernel implementation of XTS only
supports round multiples of the AES block size of 16 bytes, whereas
the conformant OpenSSL implementation of XTS supports inputs of
arbitrary size by applying ciphertext stealing). This is fixed in
the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK
around the offending instructions.

The upstream code also contains the change applied by Russell to
build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7,
but implemented slightly differently.

Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
Reported-by: Adrian Kotelba <adrian.kotelba@gmail.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/crypto/aesbs-core.S_shipped |   12 ++++++++----
 arch/arm/crypto/bsaes-armv7.pl       |   12 ++++++++----
 2 files changed, 16 insertions(+), 8 deletions(-)

--- a/arch/arm/crypto/aesbs-core.S_shipped
+++ b/arch/arm/crypto/aesbs-core.S_shipped
@@ -58,14 +58,18 @@
 # define VFP_ABI_FRAME	0
 # define BSAES_ASM_EXTENDED_KEY
 # define XTS_CHAIN_TWEAK
-# define __ARM_ARCH__	7
+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
 #endif
 
 #ifdef __thumb__
 # define adrl adr
 #endif
 
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
+.fpu	neon
+
 .text
 .syntax	unified 	@ ARMv7-capable assembler is expected to handle this
 #ifdef __thumb2__
@@ -74,8 +78,6 @@
 .code   32
 #endif
 
-.fpu	neon
-
 .type	_bsaes_decrypt8,%function
 .align	4
 _bsaes_decrypt8:
@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt:
 	vld1.8	{q8}, [r0]			@ initial tweak
 	adr	r2, .Lxts_magic
 
+#ifndef	XTS_CHAIN_TWEAK
 	tst	r9, #0xf			@ if not multiple of 16
 	it	ne				@ Thumb2 thing, sanity check in ARM
 	subne	r9, #0x10			@ subtract another 16 bytes
+#endif
 	subs	r9, #0x80
 
 	blo	.Lxts_dec_short
--- a/arch/arm/crypto/bsaes-armv7.pl
+++ b/arch/arm/crypto/bsaes-armv7.pl
@@ -701,14 +701,18 @@ $code.=<<___;
 # define VFP_ABI_FRAME	0
 # define BSAES_ASM_EXTENDED_KEY
 # define XTS_CHAIN_TWEAK
-# define __ARM_ARCH__	7
+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
 #endif
 
 #ifdef __thumb__
 # define adrl adr
 #endif
 
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
+.fpu	neon
+
 .text
 .syntax	unified 	@ ARMv7-capable assembler is expected to handle this
 #ifdef __thumb2__
@@ -717,8 +721,6 @@ $code.=<<___;
 .code   32
 #endif
 
-.fpu	neon
-
 .type	_bsaes_decrypt8,%function
 .align	4
 _bsaes_decrypt8:
@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt:
 	vld1.8	{@XMM[8]}, [r0]			@ initial tweak
 	adr	$magic, .Lxts_magic
 
+#ifndef	XTS_CHAIN_TWEAK
 	tst	$len, #0xf			@ if not multiple of 16
 	it	ne				@ Thumb2 thing, sanity check in ARM
 	subne	$len, #0x10			@ subtract another 16 bytes
+#endif
 	subs	$len, #0x80
 
 	blo	.Lxts_dec_short



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 097/123] crypto: aesni - fix memory usage in GCM decryption
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 096/123] crypto: arm/aes update NEON AES module to latest OpenSSL version Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 098/123] x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tadeusz Struk, Stephan Mueller, Herbert Xu

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@chronox.de>

commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream.

The kernel crypto API logic requires the caller to provide the
length of (ciphertext || authentication tag) as cryptlen for the
AEAD decryption operation. Thus, the cipher implementation must
calculate the size of the plaintext output itself and cannot simply use
cryptlen.

The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
in req->dst. As the destination buffer for decryption only needs to hold
the plaintext memory but cryptlen references the input buffer holding
(ciphertext || authentication tag), the assumption of the destination
buffer length in RFC4106 GCM operation leads to a too large size. This
patch simply uses the already calculated plaintext size.

In addition, this patch fixes the offset calculation of the AAD buffer
pointer: as mentioned before, cryptlen already includes the size of the
tag. Thus, the tag does not need to be added. With the addition, the AAD
will be written beyond the already allocated buffer.

Note, this fixes a kernel crash that can be triggered from user space
via AF_ALG(aead) -- simply use the libkcapi test application
from [1] and update it to use rfc4106-gcm-aes.

Using [1], the changes were tested using CAVS vectors to demonstrate
that the crypto operation still delivers the right results.

[1] http://www.chronox.de/libkcapi.html

CC: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/crypto/aesni-intel_glue.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -1133,7 +1133,7 @@ static int __driver_rfc4106_decrypt(stru
 		src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
 		if (!src)
 			return -ENOMEM;
-		assoc = (src + req->cryptlen + auth_tag_len);
+		assoc = (src + req->cryptlen);
 		scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
 		scatterwalk_map_and_copy(assoc, req->assoc, 0,
 			req->assoclen, 0);
@@ -1158,7 +1158,7 @@ static int __driver_rfc4106_decrypt(stru
 		scatterwalk_done(&src_sg_walk, 0, 0);
 		scatterwalk_done(&assoc_sg_walk, 0, 0);
 	} else {
-		scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
+		scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
 		kfree(src);
 	}
 	return retval;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 098/123] x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig()
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 097/123] crypto: aesni - fix memory usage in GCM decryption Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 099/123] x86/fpu: Drop_fpu() should not assume that tsk equals current Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Borislav Petkov,
	Andy Lutomirski, Borislav Petkov, Dave Hansen, Fenghua Yu,
	H. Peter Anvin, Linus Torvalds, Pekka Riikonen,
	Quentin Casasnovas, Rik van Riel, Suresh Siddha, Thomas Gleixner,
	Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit a7c80ebcac3068b1c3cb27d538d29558c30010c8 upstream.

math_state_restore() assumes it is called with irqs disabled,
but this is not true if the caller is __restore_xstate_sig().

This means that if ia32_fxstate == T and __copy_from_user()
fails, __restore_xstate_sig() returns with irqs disabled too.

This triggers:

  BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
   dump_stack
   ___might_sleep
   ? _raw_spin_unlock_irqrestore
   __might_sleep
   down_read
   ? _raw_spin_unlock_irqrestore
   print_vma_addr
   signal_fault
   sys32_rt_sigreturn

Change __restore_xstate_sig() to call set_used_math()
unconditionally. This avoids enabling and disabling interrupts
in math_state_restore(). If copy_from_user() fails, we can
simply do fpu_finit() by hand.

[ Note: this is only the first step. math_state_restore() should
        not check used_math(), it should set this flag. While
	init_fpu() should simply die. ]

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Pekka Riikonen <priikone@iki.fi>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Suresh Siddha <sbsiddha@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/xsave.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -378,7 +378,7 @@ int __restore_xstate_sig(void __user *bu
 		 * thread's fpu state, reconstruct fxstate from the fsave
 		 * header. Sanitize the copied state etc.
 		 */
-		struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave;
+		struct fpu *fpu = &tsk->thread.fpu;
 		struct user_i387_ia32_struct env;
 		int err = 0;
 
@@ -392,14 +392,15 @@ int __restore_xstate_sig(void __user *bu
 		 */
 		drop_fpu(tsk);
 
-		if (__copy_from_user(xsave, buf_fx, state_size) ||
+		if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
 		    __copy_from_user(&env, buf, sizeof(env))) {
+			fpu_finit(fpu);
 			err = -1;
 		} else {
 			sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only);
-			set_used_math();
 		}
 
+		set_used_math();
 		if (use_eager_fpu()) {
 			preempt_disable();
 			math_state_restore();



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 099/123] x86/fpu: Drop_fpu() should not assume that tsk equals current
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 098/123] x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 100/123] kvm: move advertising of KVM_CAP_IRQFD to common code Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Borislav Petkov,
	Rik van Riel, Andy Lutomirski, Borislav Petkov, Dave Hansen,
	Fenghua Yu, H. Peter Anvin, Linus Torvalds, Pekka Riikonen,
	Quentin Casasnovas, Suresh Siddha, Thomas Gleixner, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit f4c3686386393c120710dd34df2a74183ab805fd upstream.

drop_fpu() does clear_used_math() and usually this is correct
because tsk == current.

However switch_fpu_finish()->restore_fpu_checking() is called before
__switch_to() updates the "current_task" variable. If it fails,
we will wrongly clear the PF_USED_MATH flag of the previous task.

So use clear_stopped_child_used_math() instead.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Pekka Riikonen <priikone@iki.fi>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Suresh Siddha <sbsiddha@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/fpu-internal.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/fpu-internal.h
+++ b/arch/x86/include/asm/fpu-internal.h
@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_
 	preempt_disable();
 	tsk->thread.fpu_counter = 0;
 	__drop_fpu(tsk);
-	clear_used_math();
+	clear_stopped_child_used_math(tsk);
 	preempt_enable();
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 100/123] kvm: move advertising of KVM_CAP_IRQFD to common code
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 099/123] x86/fpu: Drop_fpu() should not assume that tsk equals current Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 101/123] x86/vdso: Fix the build on GCC5 Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini, Marcelo Tosatti

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit dc9be0fac70a2ad86e31a81372bb0bdfb6945353 upstream.

POWER supports irqfds but forgot to advertise them.  Some userspace does
not check for the capability, but others check it---thus they work on
x86 and s390 but not POWER.

To avoid that other architectures in the future make the same mistake, let
common code handle KVM_CAP_IRQFD the same way as KVM_CAP_IRQFD_RESAMPLE.

Reported-and-tested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Fixes: 297e21053a52f060944e9f0de4c64fad9bcd72fc
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/kvm-s390.c |    1 -
 arch/x86/kvm/x86.c       |    1 -
 virt/kvm/kvm_main.c      |    1 +
 3 files changed, 1 insertion(+), 2 deletions(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -159,7 +159,6 @@ int kvm_vm_ioctl_check_extension(struct
 	case KVM_CAP_ONE_REG:
 	case KVM_CAP_ENABLE_CAP:
 	case KVM_CAP_S390_CSS_SUPPORT:
-	case KVM_CAP_IRQFD:
 	case KVM_CAP_IOEVENTFD:
 	case KVM_CAP_DEVICE_CTRL:
 	case KVM_CAP_ENABLE_CAP_VM:
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2716,7 +2716,6 @@ int kvm_vm_ioctl_check_extension(struct
 	case KVM_CAP_USER_NMI:
 	case KVM_CAP_REINJECT_CONTROL:
 	case KVM_CAP_IRQ_INJECT_STATUS:
-	case KVM_CAP_IRQFD:
 	case KVM_CAP_IOEVENTFD:
 	case KVM_CAP_IOEVENTFD_NO_LENGTH:
 	case KVM_CAP_PIT2:
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2416,6 +2416,7 @@ static long kvm_vm_ioctl_check_extension
 	case KVM_CAP_SIGNAL_MSI:
 #endif
 #ifdef CONFIG_HAVE_KVM_IRQFD
+	case KVM_CAP_IRQFD:
 	case KVM_CAP_IRQFD_RESAMPLE:
 #endif
 	case KVM_CAP_CHECK_EXTENSION_VM:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 101/123] x86/vdso: Fix the build on GCC5
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 100/123] kvm: move advertising of KVM_CAP_IRQFD to common code Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 102/123] x86/asm/entry/32: Fix user_mode() misuses Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Biener, Jiri Slaby,
	Andy Lutomirski, Borislav Petkov, H. Peter Anvin, Linus Torvalds,
	Thomas Gleixner, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit e893286918d2cde3a94850d8f7101cd1039e0c62 upstream.

On gcc5 the kernel does not link:

  ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670.

Because prior GCC versions always emitted NOPs on ALIGN directives, but
gcc5 started omitting them.

.LSTARTFDEDLSI1 says:

        /* HACK: The dwarf2 unwind routines will subtract 1 from the
           return address to get an address in the middle of the
           presumed call instruction.  Since we didn't get here via
           a call, we need to include the nop before the real start
           to make up for it.  */
        .long .LSTART_sigreturn-1-.     /* PC-relative start address */

But commit 69d0627a7f6e ("x86 vDSO: reorder vdso32 code") from 2.6.25
replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before
__kernel_sigreturn.

Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses
vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN".

So fix this by adding to that point at least a single NOP and make the
function ALIGN possibly with more NOPs then.

Kudos for reporting and diagnosing should go to Richard.

Reported-by: Richard Biener <rguenther@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/vdso/vdso32/sigreturn.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/vdso/vdso32/sigreturn.S
+++ b/arch/x86/vdso/vdso32/sigreturn.S
@@ -17,6 +17,7 @@
 	.text
 	.globl __kernel_sigreturn
 	.type __kernel_sigreturn,@function
+	nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */
 	ALIGN
 __kernel_sigreturn:
 .LSTART_sigreturn:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 102/123] x86/asm/entry/32: Fix user_mode() misuses
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 101/123] x86/vdso: Fix the build on GCC5 Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 103/123] x86/apic/numachip: Fix sibling map with NumaChip Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Borislav Petkov,
	Dave Hansen, H. Peter Anvin, Linus Torvalds, Thomas Gleixner,
	Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@amacapital.net>

commit 394838c96013ba414a24ffe7a2a593a9154daadf upstream.

The one in do_debug() is probably harmless, but better safe than sorry.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/d67deaa9df5458363623001f252d1aee3215d014.1425948056.git.luto@amacapital.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/traps.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -300,7 +300,7 @@ dotraplinkage void do_bounds(struct pt_r
 		goto exit;
 	conditional_sti(regs);
 
-	if (!user_mode(regs))
+	if (!user_mode_vm(regs))
 		die("bounds", regs, error_code);
 
 	if (!cpu_feature_enabled(X86_FEATURE_MPX)) {
@@ -566,7 +566,7 @@ dotraplinkage void do_debug(struct pt_re
 	 * then it's very likely the result of an icebp/int01 trap.
 	 * User wants a sigtrap for that.
 	 */
-	if (!dr6 && user_mode(regs))
+	if (!dr6 && user_mode_vm(regs))
 		user_icebp = 1;
 
 	/* Catch kmemcheck conditions first of all! */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 103/123] x86/apic/numachip: Fix sibling map with NumaChip
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 102/123] x86/asm/entry/32: Fix user_mode() misuses Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 104/123] powerpc/smp: Wait until secondaries are active & online Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel J Blueman, Borislav Petkov,
	H. Peter Anvin, Steffen Persvold, Thomas Gleixner, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel J Blueman <daniel@numascale.com>

commit c8a470cab030bae8f9e6e5cfff72b047b7c627a7 upstream.

On NumaChip systems, the physical processor ID assignment wasn't
accounting for the number of nodes in AMD multi-module
processors, giving an incorrect sibling map:

  $ cd /sys/devices/system/cpu/cpu29/topology
  $ grep . *
  core_id:5
  core_siblings:00000000,ff000000
  core_siblings_list:24-31
  physical_package_id:3
  thread_siblings:00000000,30000000
  thread_siblings_list:28-29

This fixes it:

  $ cd /sys/devices/system/cpu/cpu29/topology
  $ grep . *
  core_id:5
  core_siblings:00000000,ffff0000
  core_siblings_list:16-31
  physical_package_id:1
  thread_siblings:00000000,30000000
  thread_siblings_list:28-29

Signed-off-by: Daniel J Blueman <daniel@numascale.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Steffen Persvold <sp@numascale.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1426135950-10110-1-git-send-email-daniel@numascale.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/apic/apic_numachip.c |   22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

--- a/arch/x86/kernel/apic/apic_numachip.c
+++ b/arch/x86/kernel/apic/apic_numachip.c
@@ -37,10 +37,12 @@ static const struct apic apic_numachip;
 static unsigned int get_apic_id(unsigned long x)
 {
 	unsigned long value;
-	unsigned int id;
+	unsigned int id = (x >> 24) & 0xff;
 
-	rdmsrl(MSR_FAM10H_NODE_ID, value);
-	id = ((x >> 24) & 0xffU) | ((value << 2) & 0xff00U);
+	if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
+		rdmsrl(MSR_FAM10H_NODE_ID, value);
+		id |= (value << 2) & 0xff00;
+	}
 
 	return id;
 }
@@ -155,10 +157,18 @@ static int __init numachip_probe(void)
 
 static void fixup_cpu_id(struct cpuinfo_x86 *c, int node)
 {
-	if (c->phys_proc_id != node) {
-		c->phys_proc_id = node;
-		per_cpu(cpu_llc_id, smp_processor_id()) = node;
+	u64 val;
+	u32 nodes = 1;
+
+	this_cpu_write(cpu_llc_id, node);
+
+	/* Account for nodes per socket in multi-core-module processors */
+	if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
+		rdmsrl(MSR_FAM10H_NODE_ID, val);
+		nodes = ((val >> 3) & 7) + 1;
 	}
+
+	c->phys_proc_id = node / nodes;
 }
 
 static int __init numachip_system_init(void)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 104/123] powerpc/smp: Wait until secondaries are active & online
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 103/123] x86/apic/numachip: Fix sibling map with NumaChip Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 105/123] powerpc/iommu: Remove IOMMU device references via bus notifier Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Anton Blanchard

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 875ebe940d77a41682c367ad799b4f39f128d3fa upstream.

Anton has a busy ppc64le KVM box where guests sometimes hit the infamous
"kernel BUG at kernel/smpboot.c:134!" issue during boot:

  BUG_ON(td->cpu != smp_processor_id());

Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops
output confirms it:

  CPU: 0
  Comm: watchdog/130

The problem is that we aren't ensuring the CPU active bit is set for the
secondary before allowing the master to continue on. The master unparks
the secondary CPU's kthreads and the scheduler looks for a CPU to run
on. It calls select_task_rq() and realises the suggested CPU is not in
the cpus_allowed mask. It then ends up in select_fallback_rq(), and
since the active bit isnt't set we choose some other CPU to run on.

This seems to have been introduced by 6acbfb96976f "sched: Fix hotplug
vs. set_cpus_allowed_ptr()", which changed from setting active before
online to setting active after online. However that was in turn fixing a
bug where other code assumed an active CPU was also online, so we can't
just revert that fix.

The simplest fix is just to spin waiting for both active & online to be
set. We already have a barrier prior to set_cpu_online() (which also
sets active), to ensure all other setup is completed before online &
active are set.

Fixes: 6acbfb96976f ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/smp.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/smp.c
+++ b/arch/powerpc/kernel/smp.c
@@ -555,8 +555,8 @@ int __cpu_up(unsigned int cpu, struct ta
 	if (smp_ops->give_timebase)
 		smp_ops->give_timebase();
 
-	/* Wait until cpu puts itself in the online map */
-	while (!cpu_online(cpu))
+	/* Wait until cpu puts itself in the online & active maps */
+	while (!cpu_online(cpu) || !cpu_active(cpu))
 		cpu_relax();
 
 	return 0;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 105/123] powerpc/iommu: Remove IOMMU device references via bus notifier
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 104/123] powerpc/smp: Wait until secondaries are active & online Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 106/123] ipvs: add missing ip_vs_pe_put in sync code Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nishanth Aravamudan, Michael Ellerman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>

commit 4ad04e5987115ece5fa8a0cf1dc72fcd4707e33e upstream.

After d905c5df9aef ("PPC: POWERNV: move iommu_add_device earlier"), the
refcnt on the kobject backing the IOMMU group for a PCI device is
elevated by each call to pci_dma_dev_setup_pSeriesLP() (via
set_iommu_table_base_and_group). When we go to dlpar a multi-function
PCI device out:

        iommu_reconfig_notifier ->
                iommu_free_table ->
                        iommu_group_put
                        BUG_ON(tbl->it_group)

We trip this BUG_ON, because there are still references on the table, so
it is not freed. Fix this by moving the powernv bus notifier to common
code and calling it for both powernv and pseries.

Fixes: d905c5df9aef ("PPC: POWERNV: move iommu_add_device earlier")
Signed-off-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Tested-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/iommu.h       |    6 ++++++
 arch/powerpc/kernel/iommu.c            |   26 ++++++++++++++++++++++++++
 arch/powerpc/platforms/powernv/pci.c   |   26 --------------------------
 arch/powerpc/platforms/pseries/iommu.c |    2 ++
 4 files changed, 34 insertions(+), 26 deletions(-)

--- a/arch/powerpc/include/asm/iommu.h
+++ b/arch/powerpc/include/asm/iommu.h
@@ -113,6 +113,7 @@ extern void iommu_register_group(struct
 				 int pci_domain_number, unsigned long pe_num);
 extern int iommu_add_device(struct device *dev);
 extern void iommu_del_device(struct device *dev);
+extern int __init tce_iommu_bus_notifier_init(void);
 #else
 static inline void iommu_register_group(struct iommu_table *tbl,
 					int pci_domain_number,
@@ -128,6 +129,11 @@ static inline int iommu_add_device(struc
 static inline void iommu_del_device(struct device *dev)
 {
 }
+
+static inline int __init tce_iommu_bus_notifier_init(void)
+{
+        return 0;
+}
 #endif /* !CONFIG_IOMMU_API */
 
 static inline void set_iommu_table_base_and_group(struct device *dev,
--- a/arch/powerpc/kernel/iommu.c
+++ b/arch/powerpc/kernel/iommu.c
@@ -1175,4 +1175,30 @@ void iommu_del_device(struct device *dev
 }
 EXPORT_SYMBOL_GPL(iommu_del_device);
 
+static int tce_iommu_bus_notifier(struct notifier_block *nb,
+                unsigned long action, void *data)
+{
+        struct device *dev = data;
+
+        switch (action) {
+        case BUS_NOTIFY_ADD_DEVICE:
+                return iommu_add_device(dev);
+        case BUS_NOTIFY_DEL_DEVICE:
+                if (dev->iommu_group)
+                        iommu_del_device(dev);
+                return 0;
+        default:
+                return 0;
+        }
+}
+
+static struct notifier_block tce_iommu_bus_nb = {
+        .notifier_call = tce_iommu_bus_notifier,
+};
+
+int __init tce_iommu_bus_notifier_init(void)
+{
+        bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb);
+        return 0;
+}
 #endif /* CONFIG_IOMMU_API */
--- a/arch/powerpc/platforms/powernv/pci.c
+++ b/arch/powerpc/platforms/powernv/pci.c
@@ -866,30 +866,4 @@ void __init pnv_pci_init(void)
 #endif
 }
 
-static int tce_iommu_bus_notifier(struct notifier_block *nb,
-		unsigned long action, void *data)
-{
-	struct device *dev = data;
-
-	switch (action) {
-	case BUS_NOTIFY_ADD_DEVICE:
-		return iommu_add_device(dev);
-	case BUS_NOTIFY_DEL_DEVICE:
-		if (dev->iommu_group)
-			iommu_del_device(dev);
-		return 0;
-	default:
-		return 0;
-	}
-}
-
-static struct notifier_block tce_iommu_bus_nb = {
-	.notifier_call = tce_iommu_bus_notifier,
-};
-
-static int __init tce_iommu_bus_notifier_init(void)
-{
-	bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb);
-	return 0;
-}
 machine_subsys_initcall_sync(powernv, tce_iommu_bus_notifier_init);
--- a/arch/powerpc/platforms/pseries/iommu.c
+++ b/arch/powerpc/platforms/pseries/iommu.c
@@ -1340,3 +1340,5 @@ static int __init disable_multitce(char
 }
 
 __setup("multitce=", disable_multitce);
+
+machine_subsys_initcall_sync(pseries, tce_iommu_bus_notifier_init);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 106/123] ipvs: add missing ip_vs_pe_put in sync code
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 105/123] powerpc/iommu: Remove IOMMU device references via bus notifier Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 107/123] ipvs: fix inability to remove a mixed-family RS Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Julian Anastasov, Simon Horman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Anastasov <ja@ssi.bg>

commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream.

ip_vs_conn_fill_param_sync() gets in param.pe a module
reference for persistence engine from __ip_vs_pe_getbyname()
but forgets to put it. Problem occurs in backup for
sync protocol v1 (2.6.39).

Also, pe_data usually comes in sync messages for
connection templates and ip_vs_conn_new() copies
the pointer only in this case. Make sure pe_data
is not leaked if it comes unexpectedly for normal
connections. Leak can happen only if bogus messages
are sent to backup server.

Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/ipvs/ip_vs_sync.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -896,6 +896,8 @@ static void ip_vs_proc_conn(struct net *
 			IP_VS_DBG(2, "BACKUP, add new conn. failed\n");
 			return;
 		}
+		if (!(flags & IP_VS_CONN_F_TEMPLATE))
+			kfree(param->pe_data);
 	}
 
 	if (opt)
@@ -1169,6 +1171,7 @@ static inline int ip_vs_proc_sync_conn(s
 				(opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
 				);
 #endif
+	ip_vs_pe_put(param.pe);
 	return 0;
 	/* Error exit */
 out:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 107/123] ipvs: fix inability to remove a mixed-family RS
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 106/123] ipvs: add missing ip_vs_pe_put in sync code Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 108/123] netfilter: nft_compat: fix module refcount underflow Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Andriyanov, Julian Anastasov,
	Simon Horman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Andriyanov <alan@al-an.info>

commit dd3733b3e798daf778a1ec08557f388f00fdc2f6 upstream.

The current code prevents any operation with a mixed-family dest
unless IP_VS_CONN_F_TUNNEL flag is set. The problem is that it's impossible
for the client to follow this rule, because ip_vs_genl_parse_dest does
not even read the destination conn_flags when cmd = IPVS_CMD_DEL_DEST
(need_full_dest = 0).

Also, not every client can pass this flag when removing a dest. ipvsadm,
for example, does not support the "-i" command line option together with
the "-d" option.

This change disables any checks for mixed-family on IPVS_CMD_DEL_DEST command.

Signed-off-by: Alexey Andriyanov <alan@al-an.info>
Fixes: bc18d37f676f ("ipvs: Allow heterogeneous pools now that we support them")
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/ipvs/ip_vs_ctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3399,7 +3399,7 @@ static int ip_vs_genl_set_cmd(struct sk_
 		if (udest.af == 0)
 			udest.af = svc->af;
 
-		if (udest.af != svc->af) {
+		if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) {
 			/* The synchronization protocol is incompatible
 			 * with mixed family services
 			 */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 108/123] netfilter: nft_compat: fix module refcount underflow
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 107/123] ipvs: fix inability to remove a mixed-family RS Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 109/123] netfilter: xt_socket: fix a stack corruption bug Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arturo Borrero Gonzalez, Pablo Neira Ayuso

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 520aa7414bb590f39d0d1591b06018e60cbc7cf4 upstream.

Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------
Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba()
Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G        W      3.19.0-rc6+ #43
[...]
Feb 12 18:20:42 nfdev kernel: Call Trace:
Feb 12 18:20:42 nfdev kernel: [<ffffffff815fd911>] dump_stack+0x4c/0x65
Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e6f7>] warn_slowpath_common+0x9c/0xb6
Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] ? module_put+0x9b/0xba
Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e726>] warn_slowpath_null+0x15/0x17
Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] module_put+0x9b/0xba
Feb 12 18:20:42 nfdev kernel: [<ffffffff813ecf7c>] nft_match_destroy+0x45/0x4c
Feb 12 18:20:42 nfdev kernel: [<ffffffff813e683f>] nf_tables_rule_destroy+0x28/0x70

Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nft_compat.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -578,8 +578,12 @@ nft_match_select_ops(const struct nft_ct
 		struct xt_match *match = nft_match->ops.data;
 
 		if (strcmp(match->name, mt_name) == 0 &&
-		    match->revision == rev && match->family == family)
+		    match->revision == rev && match->family == family) {
+			if (!try_module_get(match->me))
+				return ERR_PTR(-ENOENT);
+
 			return &nft_match->ops;
+		}
 	}
 
 	match = xt_request_find_match(family, mt_name, rev);
@@ -648,8 +652,12 @@ nft_target_select_ops(const struct nft_c
 		struct xt_target *target = nft_target->ops.data;
 
 		if (strcmp(target->name, tg_name) == 0 &&
-		    target->revision == rev && target->family == family)
+		    target->revision == rev && target->family == family) {
+			if (!try_module_get(target->me))
+				return ERR_PTR(-ENOENT);
+
 			return &nft_target->ops;
+		}
 	}
 
 	target = xt_request_find_target(family, tg_name, rev);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 109/123] netfilter: xt_socket: fix a stack corruption bug
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 108/123] netfilter: nft_compat: fix module refcount underflow Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:46 ` [PATCH 3.19 110/123] netfilter: nf_tables: fix transaction race condition Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Pablo Neira Ayuso

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 78296c97ca1fd3b104f12e1f1fbc06c46635990b upstream.

As soon as extract_icmp6_fields() returns, its local storage (automatic
variables) is deallocated and can be overwritten.

Lets add an additional parameter to make sure storage is valid long
enough.

While we are at it, adds some const qualifiers.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/xt_socket.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -243,12 +243,13 @@ static int
 extract_icmp6_fields(const struct sk_buff *skb,
 		     unsigned int outside_hdrlen,
 		     int *protocol,
-		     struct in6_addr **raddr,
-		     struct in6_addr **laddr,
+		     const struct in6_addr **raddr,
+		     const struct in6_addr **laddr,
 		     __be16 *rport,
-		     __be16 *lport)
+		     __be16 *lport,
+		     struct ipv6hdr *ipv6_var)
 {
-	struct ipv6hdr *inside_iph, _inside_iph;
+	const struct ipv6hdr *inside_iph;
 	struct icmp6hdr *icmph, _icmph;
 	__be16 *ports, _ports[2];
 	u8 inside_nexthdr;
@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buf
 	if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK)
 		return 1;
 
-	inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph);
+	inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph),
+					sizeof(*ipv6_var), ipv6_var);
 	if (inside_iph == NULL)
 		return 1;
 	inside_nexthdr = inside_iph->nexthdr;
 
-	inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph),
+	inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) +
+					      sizeof(*ipv6_var),
 					 &inside_nexthdr, &inside_fragoff);
 	if (inside_hdrlen < 0)
 		return 1; /* hjm: Packet has no/incomplete transport layer headers. */
@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, c
 static bool
 socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
 {
-	struct ipv6hdr *iph = ipv6_hdr(skb);
+	struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb);
 	struct udphdr _hdr, *hp = NULL;
 	struct sock *sk = skb->sk;
-	struct in6_addr *daddr = NULL, *saddr = NULL;
+	const struct in6_addr *daddr = NULL, *saddr = NULL;
 	__be16 uninitialized_var(dport), uninitialized_var(sport);
 	int thoff = 0, uninitialized_var(tproto);
 	const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *s
 
 	} else if (tproto == IPPROTO_ICMPV6) {
 		if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
-					 &sport, &dport))
+					 &sport, &dport, &ipv6_var))
 			return false;
 	} else {
 		return false;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 110/123] netfilter: nf_tables: fix transaction race condition
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 109/123] netfilter: xt_socket: fix a stack corruption bug Greg Kroah-Hartman
@ 2015-03-24 15:46 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 111/123] netfilter: nf_tables: fix addition/deletion of elements from commit/abort Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:46 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Patrick McHardy, Pablo Neira Ayuso

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Patrick McHardy <kaber@trash.net>

commit 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf upstream.

A race condition exists in the rule transaction code for rules that
get added and removed within the same transaction.

The new rule starts out as inactive in the current and active in the
next generation and is inserted into the ruleset. When it is deleted,
it is additionally set to inactive in the next generation as well.

On commit the next generation is begun, then the actions are finalized.
For the new rule this would mean clearing out the inactive bit for
the previously current, now next generation.

However nft_rule_clear() clears out the bits for *both* generations,
activating the rule in the current generation, where it should be
deactivated due to being deleted. The rule will thus be active until
the deletion is finalized, removing the rule from the ruleset.

Similarly, when aborting a transaction for the same case, the undo
of insertion will remove it from the RCU protected rule list, the
deletion will clear out all bits. However until the next RCU
synchronization after all operations have been undone, the rule is
active on CPUs which can still see the rule on the list.

Generally, there may never be any modifications of the current
generations' inactive bit since this defeats the entire purpose of
atomicity. Change nft_rule_clear() to only touch the next generations
bit to fix this.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_tables_api.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -227,7 +227,7 @@ nft_rule_deactivate_next(struct net *net
 
 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
 {
-	rule->genmask = 0;
+	rule->genmask &= ~(1 << gencursor_next(net));
 }
 
 static int



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 111/123] netfilter: nf_tables: fix addition/deletion of elements from commit/abort
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2015-03-24 15:46 ` [PATCH 3.19 110/123] netfilter: nf_tables: fix transaction race condition Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 112/123] ARM: imx6sl-evk: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 02263db00b6cb98701332aa257c07ca549c2324b upstream.

We have several problems in this path:

1) There is a use-after-free when removing individual elements from
   the commit path.

2) We have to uninit() the data part of the element from the abort
   path to avoid a chain refcount leak.

3) We have to check for set->flags to see if there's a mapping, instead
   of the element flags.

4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip
   elements that are part of the interval that have no data part, so
   they don't need to be uninit().

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_tables_api.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3606,12 +3606,11 @@ static int nf_tables_commit(struct sk_bu
 						 &te->elem,
 						 NFT_MSG_DELSETELEM, 0);
 			te->set->ops->get(te->set, &te->elem);
-			te->set->ops->remove(te->set, &te->elem);
 			nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
-			if (te->elem.flags & NFT_SET_MAP) {
-				nft_data_uninit(&te->elem.data,
-						te->set->dtype);
-			}
+			if (te->set->flags & NFT_SET_MAP &&
+			    !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
+				nft_data_uninit(&te->elem.data, te->set->dtype);
+			te->set->ops->remove(te->set, &te->elem);
 			nft_trans_destroy(trans);
 			break;
 		}
@@ -3652,7 +3651,7 @@ static int nf_tables_abort(struct sk_buf
 {
 	struct net *net = sock_net(skb->sk);
 	struct nft_trans *trans, *next;
-	struct nft_set *set;
+	struct nft_trans_elem *te;
 
 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
 		switch (trans->msg_type) {
@@ -3713,9 +3712,13 @@ static int nf_tables_abort(struct sk_buf
 			break;
 		case NFT_MSG_NEWSETELEM:
 			nft_trans_elem_set(trans)->nelems--;
-			set = nft_trans_elem_set(trans);
-			set->ops->get(set, &nft_trans_elem(trans));
-			set->ops->remove(set, &nft_trans_elem(trans));
+			te = (struct nft_trans_elem *)trans->data;
+			te->set->ops->get(te->set, &te->elem);
+			nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
+			if (te->set->flags & NFT_SET_MAP &&
+			    !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
+				nft_data_uninit(&te->elem.data, te->set->dtype);
+			te->set->ops->remove(te->set, &te->elem);
 			nft_trans_destroy(trans);
 			break;
 		case NFT_MSG_DELSETELEM:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 112/123] ARM: imx6sl-evk: set swbst_reg as vbuss parent reg
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 111/123] netfilter: nf_tables: fix addition/deletion of elements from commit/abort Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 114/123] ARM: EXYNOS: Dont use LDREX and STREX after disabling cache coherency Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Shawn Guo

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@freescale.com>

commit 2de9dd0391a74e80922c1bc95a78cedf85bcdc9e upstream.

USB vbus 5V is from PMIC SWBST, so set swbst_reg as vbus's
parent reg, it fixed a bug that the voltage of vbus is incorrect
due to swbst_reg is disabled after boots up.

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6sl-evk.dts |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/boot/dts/imx6sl-evk.dts
+++ b/arch/arm/boot/dts/imx6sl-evk.dts
@@ -52,6 +52,7 @@
 			regulator-max-microvolt = <5000000>;
 			gpio = <&gpio4 0 0>;
 			enable-active-high;
+			vin-supply = <&swbst_reg>;
 		};
 
 		reg_usb_otg2_vbus: regulator@1 {
@@ -62,6 +63,7 @@
 			regulator-max-microvolt = <5000000>;
 			gpio = <&gpio4 2 0>;
 			enable-active-high;
+			vin-supply = <&swbst_reg>;
 		};
 
 		reg_aud3v: regulator@2 {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 114/123] ARM: EXYNOS: Dont use LDREX and STREX after disabling cache coherency
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 112/123] ARM: imx6sl-evk: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 115/123] ARM: imx6qdl-sabresd: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Boyd, Krzysztof Kozlowski,
	Kukjin Kim

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit ca489c58ef0b81cc9c9252fd92e6c9bb38d3c408 upstream.

During CPU shutdown the exynos_cpu_power_down() is called after
disabling cache coherency and it uses LDREX and STREX instructions (by
calling of_machine_is_compatible() -> kobject_get() -> kref_get()).

The LDREX and STREX should not be used after disabling the cache
coherency so just use soc_is_exynos().

Fixes: adc548d77c22 ("ARM: EXYNOS: Use MCPM call-backs to support S2R
on exynos5420")

Reported-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Kukjin Kim <kgene@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-exynos/platsmp.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/mach-exynos/platsmp.c
+++ b/arch/arm/mach-exynos/platsmp.c
@@ -126,8 +126,7 @@ static inline void platform_do_lowpower(
  */
 void exynos_cpu_power_down(int cpu)
 {
-	if (cpu == 0 && (of_machine_is_compatible("samsung,exynos5420") ||
-		of_machine_is_compatible("samsung,exynos5800"))) {
+	if (cpu == 0 && (soc_is_exynos5420() || soc_is_exynos5800())) {
 		/*
 		 * Bypass power down for CPU0 during suspend. Check for
 		 * the SYS_PWR_REG value to decide if we are suspending



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 115/123] ARM: imx6qdl-sabresd: set swbst_reg as vbuss parent reg
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 114/123] ARM: EXYNOS: Dont use LDREX and STREX after disabling cache coherency Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 116/123] ARM: at91: pm: fix at91rm9200 standby Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Shawn Guo

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@freescale.com>

commit 40f737791d4dab26bf23a6331609c604142228bd upstream.

USB vbus 5V is from PMIC SWBST, so set swbst_reg as vbus's
parent reg, it fixed a bug that the voltage of vbus is incorrect
due to swbst_reg is disabled after boots up.

Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6qdl-sabresd.dtsi |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/boot/dts/imx6qdl-sabresd.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-sabresd.dtsi
@@ -35,6 +35,7 @@
 			regulator-max-microvolt = <5000000>;
 			gpio = <&gpio3 22 0>;
 			enable-active-high;
+			vin-supply = <&swbst_reg>;
 		};
 
 		reg_usb_h1_vbus: regulator@1 {
@@ -45,6 +46,7 @@
 			regulator-max-microvolt = <5000000>;
 			gpio = <&gpio1 29 0>;
 			enable-active-high;
+			vin-supply = <&swbst_reg>;
 		};
 
 		reg_audio: regulator@2 {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 116/123] ARM: at91: pm: fix at91rm9200 standby
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 115/123] ARM: imx6qdl-sabresd: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 117/123] ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Nicolas Ferre

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Belloni <alexandre.belloni@free-electrons.com>

commit 84e871660bebfddb9a62ebd6f19d02536e782f0a upstream.

at91rm9200 standby and suspend to ram has been broken since
00482a4078f4. It is wrongly using AT91_BASE_SYS which is a physical address
and actually doesn't correspond to any register on at91rm9200.

Use the correct at91_ramc_base[0] instead.

Fixes: 00482a4078f4 (ARM: at91: implement the standby function for pm/cpuidle)

Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-at91/pm.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-at91/pm.h
+++ b/arch/arm/mach-at91/pm.h
@@ -44,7 +44,7 @@ static inline void at91rm9200_standby(vo
 		"    mcr    p15, 0, %0, c7, c0, 4\n\t"
 		"    str    %5, [%1, %2]"
 		:
-		: "r" (0), "r" (AT91_BASE_SYS), "r" (AT91RM9200_SDRAMC_LPR),
+		: "r" (0), "r" (at91_ramc_base[0]), "r" (AT91RM9200_SDRAMC_LPR),
 		  "r" (1), "r" (AT91RM9200_SDRAMC_SRR),
 		  "r" (lpr));
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 117/123] ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 116/123] ARM: at91: pm: fix at91rm9200 standby Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 118/123] ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ravikumar Kattekola, Tero Kristo,
	Tony Lindgren

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ravikumar Kattekola <rk@ti.com>

commit d2192ea09858a8535b056fcede1a41d824e0b3d8 upstream.

Fixes: ee6c750761 (ARM: dts: dra7 clock data)

On DRA7x, For DPLL_IVA, the ref clock(CLKINP) is connected to sys_clk1 and
the bypass input(CLKINPULOW) is connected to iva_dpll_hs_clk_div clock.
But the bypass input is not directly routed to bypass clkout instead
both CLKINP and CLKINPULOW are connected to bypass clkout via a mux.

This mux is controlled by the bit - CM_CLKSEL_DPLL_IVA[23]:DPLL_BYP_CLKSEL
and it's POR value is zero which selects the CLKINP as bypass clkout.
which means iva_dpll_hs_clk_div is not the bypass clock for dpll_iva_ck

Fix this by adding another mux clock as parent in bypass mode.

This design is common to most of the PLLs and the rest have only one bypass
clock. Below is a list of the DPLLs that need this fix:

DPLL_IVA, DPLL_DDR,
DPLL_DSP, DPLL_EVE,
DPLL_GMAC, DPLL_PER,
DPLL_USB and DPLL_CORE

Signed-off-by: Ravikumar Kattekola <rk@ti.com>
Acked-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/dra7xx-clocks.dtsi |   90 +++++++++++++++++++++++++++++++----
 1 file changed, 81 insertions(+), 9 deletions(-)

--- a/arch/arm/boot/dts/dra7xx-clocks.dtsi
+++ b/arch/arm/boot/dts/dra7xx-clocks.dtsi
@@ -243,10 +243,18 @@
 		ti,invert-autoidle-bit;
 	};
 
+	dpll_core_byp_mux: dpll_core_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		ti,bit-shift = <23>;
+		reg = <0x012c>;
+	};
+
 	dpll_core_ck: dpll_core_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-core-clock";
-		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		clocks = <&sys_clkin1>, <&dpll_core_byp_mux>;
 		reg = <0x0120>, <0x0124>, <0x012c>, <0x0128>;
 	};
 
@@ -309,10 +317,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_dsp_byp_mux: dpll_dsp_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>;
+		ti,bit-shift = <23>;
+		reg = <0x0240>;
+	};
+
 	dpll_dsp_ck: dpll_dsp_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&dsp_dpll_hs_clk_div>;
+		clocks = <&sys_clkin1>, <&dpll_dsp_byp_mux>;
 		reg = <0x0234>, <0x0238>, <0x0240>, <0x023c>;
 	};
 
@@ -335,10 +351,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_iva_byp_mux: dpll_iva_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>;
+		ti,bit-shift = <23>;
+		reg = <0x01ac>;
+	};
+
 	dpll_iva_ck: dpll_iva_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&iva_dpll_hs_clk_div>;
+		clocks = <&sys_clkin1>, <&dpll_iva_byp_mux>;
 		reg = <0x01a0>, <0x01a4>, <0x01ac>, <0x01a8>;
 	};
 
@@ -361,10 +385,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_gpu_byp_mux: dpll_gpu_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		ti,bit-shift = <23>;
+		reg = <0x02e4>;
+	};
+
 	dpll_gpu_ck: dpll_gpu_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		clocks = <&sys_clkin1>, <&dpll_gpu_byp_mux>;
 		reg = <0x02d8>, <0x02dc>, <0x02e4>, <0x02e0>;
 	};
 
@@ -398,10 +430,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_ddr_byp_mux: dpll_ddr_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		ti,bit-shift = <23>;
+		reg = <0x021c>;
+	};
+
 	dpll_ddr_ck: dpll_ddr_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		clocks = <&sys_clkin1>, <&dpll_ddr_byp_mux>;
 		reg = <0x0210>, <0x0214>, <0x021c>, <0x0218>;
 	};
 
@@ -416,10 +456,18 @@
 		ti,invert-autoidle-bit;
 	};
 
+	dpll_gmac_byp_mux: dpll_gmac_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		ti,bit-shift = <23>;
+		reg = <0x02b4>;
+	};
+
 	dpll_gmac_ck: dpll_gmac_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&dpll_abe_m3x2_ck>;
+		clocks = <&sys_clkin1>, <&dpll_gmac_byp_mux>;
 		reg = <0x02a8>, <0x02ac>, <0x02b4>, <0x02b0>;
 	};
 
@@ -482,10 +530,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_eve_byp_mux: dpll_eve_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>;
+		ti,bit-shift = <23>;
+		reg = <0x0290>;
+	};
+
 	dpll_eve_ck: dpll_eve_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&eve_dpll_hs_clk_div>;
+		clocks = <&sys_clkin1>, <&dpll_eve_byp_mux>;
 		reg = <0x0284>, <0x0288>, <0x0290>, <0x028c>;
 	};
 
@@ -1249,10 +1305,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_per_byp_mux: dpll_per_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>;
+		ti,bit-shift = <23>;
+		reg = <0x014c>;
+	};
+
 	dpll_per_ck: dpll_per_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-clock";
-		clocks = <&sys_clkin1>, <&per_dpll_hs_clk_div>;
+		clocks = <&sys_clkin1>, <&dpll_per_byp_mux>;
 		reg = <0x0140>, <0x0144>, <0x014c>, <0x0148>;
 	};
 
@@ -1275,10 +1339,18 @@
 		clock-div = <1>;
 	};
 
+	dpll_usb_byp_mux: dpll_usb_byp_mux {
+		#clock-cells = <0>;
+		compatible = "ti,mux-clock";
+		clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>;
+		ti,bit-shift = <23>;
+		reg = <0x018c>;
+	};
+
 	dpll_usb_ck: dpll_usb_ck {
 		#clock-cells = <0>;
 		compatible = "ti,omap4-dpll-j-type-clock";
-		clocks = <&sys_clkin1>, <&usb_dpll_hs_clk_div>;
+		clocks = <&sys_clkin1>, <&dpll_usb_byp_mux>;
 		reg = <0x0180>, <0x0184>, <0x018c>, <0x0188>;
 	};
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 118/123] ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 117/123] ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 119/123] ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vignesh R, Tero Kristo, Tony Lindgren

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh R <vigneshr@ti.com>

commit 6e22616eba7e25fac5aa6cb6563471afa1815ec2 upstream.

ehrpwm tbclk is wrongly modelled as deriving from dpll_per_m2_ck.
The TRM says tbclk is derived from SYSCLKOUT. SYSCLKOUT nothing but the
functional clock of pwmss (l4ls_gclk).
Fix this by changing source of ehrpwmx_tbclk to l4ls_gclk.

Fixes: 9e100ebafb91: ("Fix ehrpwm tbclk data")
Signed-off-by: Vignesh R <vigneshr@ti.com>
Acked-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am33xx-clocks.dtsi |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm/boot/dts/am33xx-clocks.dtsi
+++ b/arch/arm/boot/dts/am33xx-clocks.dtsi
@@ -99,7 +99,7 @@
 	ehrpwm0_tbclk: ehrpwm0_tbclk@44e10664 {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <0>;
 		reg = <0x0664>;
 	};
@@ -107,7 +107,7 @@
 	ehrpwm1_tbclk: ehrpwm1_tbclk@44e10664 {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <1>;
 		reg = <0x0664>;
 	};
@@ -115,7 +115,7 @@
 	ehrpwm2_tbclk: ehrpwm2_tbclk@44e10664 {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <2>;
 		reg = <0x0664>;
 	};



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 119/123] ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 118/123] ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 120/123] target: Fix reference leak in target_get_sess_cmd() error path Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vignesh R, Tero Kristo, Tony Lindgren

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh R <vigneshr@ti.com>

commit 7d53d25578486d65bd7cd242bc7816b40e55e62b upstream.

ehrpwm tbclk is wrongly modelled as deriving from dpll_per_m2_ck.
The TRM says tbclk is derived from SYSCLKOUT. SYSCLKOUT nothing but the
functional clock of pwmss (l4ls_gclk).
Fix this by changing source of ehrpwmx_tbclk to l4ls_gclk.

Fixes: 4da1c67719f61 ("add tbclk data for ehrpwm")
Signed-off-by: Vignesh R <vigneshr@ti.com>
Acked-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am43xx-clocks.dtsi |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/arm/boot/dts/am43xx-clocks.dtsi
+++ b/arch/arm/boot/dts/am43xx-clocks.dtsi
@@ -107,7 +107,7 @@
 	ehrpwm0_tbclk: ehrpwm0_tbclk {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <0>;
 		reg = <0x0664>;
 	};
@@ -115,7 +115,7 @@
 	ehrpwm1_tbclk: ehrpwm1_tbclk {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <1>;
 		reg = <0x0664>;
 	};
@@ -123,7 +123,7 @@
 	ehrpwm2_tbclk: ehrpwm2_tbclk {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <2>;
 		reg = <0x0664>;
 	};
@@ -131,7 +131,7 @@
 	ehrpwm3_tbclk: ehrpwm3_tbclk {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <4>;
 		reg = <0x0664>;
 	};
@@ -139,7 +139,7 @@
 	ehrpwm4_tbclk: ehrpwm4_tbclk {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <5>;
 		reg = <0x0664>;
 	};
@@ -147,7 +147,7 @@
 	ehrpwm5_tbclk: ehrpwm5_tbclk {
 		#clock-cells = <0>;
 		compatible = "ti,gate-clock";
-		clocks = <&dpll_per_m2_ck>;
+		clocks = <&l4ls_gclk>;
 		ti,bit-shift = <6>;
 		reg = <0x0664>;
 	};



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 120/123] target: Fix reference leak in target_get_sess_cmd() error path
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 119/123] ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 121/123] target: Fix virtual LUN=0 target_configure_device failure OOPs Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit 7544e597343e2166daba3f32e4708533aa53c233 upstream.

This patch fixes a se_cmd->cmd_kref leak buf when se_sess->sess_tearing_down
is true within target_get_sess_cmd() submission path code.

This se_cmd reference leak can occur during active session shutdown when
ack_kref=1 is passed by target_submit_cmd_[map_sgls,tmr]() callers.

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_transport.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2389,6 +2389,10 @@ int target_get_sess_cmd(struct se_sessio
 	list_add_tail(&se_cmd->se_cmd_list, &se_sess->sess_cmd_list);
 out:
 	spin_unlock_irqrestore(&se_sess->sess_cmd_lock, flags);
+
+	if (ret && ack_kref)
+		target_put_sess_cmd(se_sess, se_cmd);
+
 	return ret;
 }
 EXPORT_SYMBOL(target_get_sess_cmd);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 121/123] target: Fix virtual LUN=0 target_configure_device failure OOPs
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 120/123] target: Fix reference leak in target_get_sess_cmd() error path Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 122/123] iscsi-target: Avoid early conn_logout_comp for iser connections Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Claudio Fleiner, Christoph Hellwig,
	Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 5f7da044f8bc1cfb21c962edf34bd5699a76e7ae upstream.

This patch fixes a NULL pointer dereference triggered by a late
target_configure_device() -> alloc_workqueue() failure that results
in target_free_device() being called with DF_CONFIGURED already set,
which subsequently OOPses in destroy_workqueue() code.

Currently this only happens at modprobe target_core_mod time when
core_dev_setup_virtual_lun0() -> target_configure_device() fails,
and the explicit target_free_device() gets called.

To address this bug originally introduced by commit 0fd97ccf45, go
ahead and move DF_CONFIGURED to end of target_configure_device()
code to handle this special failure case.

Reported-by: Claudio Fleiner <cmf@daterainc.com>
Cc: Claudio Fleiner <cmf@daterainc.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_device.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -1534,8 +1534,6 @@ int target_configure_device(struct se_de
 	ret = dev->transport->configure_device(dev);
 	if (ret)
 		goto out;
-	dev->dev_flags |= DF_CONFIGURED;
-
 	/*
 	 * XXX: there is not much point to have two different values here..
 	 */
@@ -1597,6 +1595,8 @@ int target_configure_device(struct se_de
 	list_add_tail(&dev->g_dev_node, &g_device_list);
 	mutex_unlock(&g_device_mutex);
 
+	dev->dev_flags |= DF_CONFIGURED;
+
 	return 0;
 
 out_free_alua:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 122/123] iscsi-target: Avoid early conn_logout_comp for iser connections
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 121/123] target: Fix virtual LUN=0 target_configure_device failure OOPs Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-24 15:47 ` [PATCH 3.19 123/123] target/pscsi: Fix NULL pointer dereference in get_device_type Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sagi Grimberg, Slava Shwartsman,
	Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit f068fbc82e7696d67b1bb8189306865bedf368b6 upstream.

This patch fixes a iser specific logout bug where early complete()
of conn->conn_logout_comp in iscsit_close_connection() was causing
isert_wait4logout() to complete too soon, triggering a use after
free NULL pointer dereference of iscsi_conn memory.

The complete() was originally added for traditional iscsi-target
when a ISCSI_LOGOUT_OP failed in iscsi_target_rx_opcode(), but given
iser-target does not wait in logout failure, this special case needs
to be avoided.

Reported-by: Sagi Grimberg <sagig@mellanox.com>
Cc: Sagi Grimberg <sagig@mellanox.com>
Cc: Slava Shwartsman <valyushash@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/iscsi/iscsi_target.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4221,11 +4221,17 @@ int iscsit_close_connection(
 	pr_debug("Closing iSCSI connection CID %hu on SID:"
 		" %u\n", conn->cid, sess->sid);
 	/*
-	 * Always up conn_logout_comp just in case the RX Thread is sleeping
-	 * and the logout response never got sent because the connection
-	 * failed.
+	 * Always up conn_logout_comp for the traditional TCP case just in case
+	 * the RX Thread in iscsi_target_rx_opcode() is sleeping and the logout
+	 * response never got sent because the connection failed.
+	 *
+	 * However for iser-target, isert_wait4logout() is using conn_logout_comp
+	 * to signal logout response TX interrupt completion.  Go ahead and skip
+	 * this for iser since isert_rx_opcode() does not wait on logout failure,
+	 * and to avoid iscsi_conn pointer dereference in iser-target code.
 	 */
-	complete(&conn->conn_logout_comp);
+	if (conn->conn_transport->transport_type == ISCSI_TCP)
+		complete(&conn->conn_logout_comp);
 
 	iscsi_release_thread_set(conn);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 3.19 123/123] target/pscsi: Fix NULL pointer dereference in get_device_type
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 122/123] iscsi-target: Avoid early conn_logout_comp for iser connections Greg Kroah-Hartman
@ 2015-03-24 15:47 ` Greg Kroah-Hartman
  2015-03-25  2:36 ` [PATCH 3.19 000/123] 3.19.3-stable review Guenter Roeck
       [not found] ` <20150324154429.061840411@linuxfoundation.org>
  115 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 15:47 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Olaf Hering, Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 215a8fe4198f607f34ecdbc9969dae783d8b5a61 upstream.

This patch fixes a NULL pointer dereference OOPs with pSCSI backends
within target_core_stat.c code.  The bug is caused by a configfs attr
read if no pscsi_dev_virt->pdv_sd has been configured.

Reported-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_pscsi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/target/target_core_pscsi.c
+++ b/drivers/target/target_core_pscsi.c
@@ -1121,7 +1121,7 @@ static u32 pscsi_get_device_type(struct
 	struct pscsi_dev_virt *pdv = PSCSI_DEV(dev);
 	struct scsi_device *sd = pdv->pdv_sd;
 
-	return sd->type;
+	return (sd) ? sd->type : TYPE_NO_LUN;
 }
 
 static sector_t pscsi_get_blocks(struct se_device *dev)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-24 15:46 ` [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read() Greg Kroah-Hartman
@ 2015-03-24 17:30   ` Alexander Holler
  2015-03-24 17:58     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 130+ messages in thread
From: Alexander Holler @ 2015-03-24 17:30 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Al Viro

Am 24.03.2015 um 16:46 schrieb Greg Kroah-Hartman:
> 3.19-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Al Viro <viro@zeniv.linux.org.uk>
>
> commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.

Just what I've thought. Please see

https://lkml.org/lkml/2015/3/15/5

Regards,

Alexander Holler

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-24 17:30   ` Alexander Holler
@ 2015-03-24 17:58     ` Greg Kroah-Hartman
  2015-03-24 18:06       ` Alexander Holler
  0 siblings, 1 reply; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-24 17:58 UTC (permalink / raw)
  To: Alexander Holler; +Cc: linux-kernel, stable, Al Viro

On Tue, Mar 24, 2015 at 06:30:17PM +0100, Alexander Holler wrote:
> Am 24.03.2015 um 16:46 schrieb Greg Kroah-Hartman:
> >3.19-stable review patch.  If anyone has any objections, please let me know.
> >
> >------------------
> >
> >From: Al Viro <viro@zeniv.linux.org.uk>
> >
> >commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.
> 
> Just what I've thought. Please see
> 
> https://lkml.org/lkml/2015/3/15/5

I have no idea what you are asking me to do here, please be specific.

greg k-h

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-24 17:58     ` Greg Kroah-Hartman
@ 2015-03-24 18:06       ` Alexander Holler
  2015-03-25  8:33         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 130+ messages in thread
From: Alexander Holler @ 2015-03-24 18:06 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Al Viro

Am 24.03.2015 um 18:58 schrieb Greg Kroah-Hartman:
> On Tue, Mar 24, 2015 at 06:30:17PM +0100, Alexander Holler wrote:
>> Am 24.03.2015 um 16:46 schrieb Greg Kroah-Hartman:
>>> 3.19-stable review patch.  If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Al Viro <viro@zeniv.linux.org.uk>
>>>
>>> commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.
>>
>> Just what I've thought. Please see
>>
>> https://lkml.org/lkml/2015/3/15/5
>
> I have no idea what you are asking me to do here, please be specific.

In order to not become blamed for mangling some language, here's a 
machine generated output:

------
wandq linux # git co -b t v3.19.2
Switched to a new branch 't'
wandq linux # git am /tmp/\[PATCH\ 3.19\ 091_123\]\ gadgetfs\:\ 
use-after-free\ in\ -\>aio_read\(\).eml
Applying: gadgetfs: use-after-free in ->aio_read()
wandq linux # make drivers/usb/gadget/legacy/gadgetfs.ko
(...)
   CALL    scripts/checksyscalls.sh
   CC [M]  drivers/usb/gadget/legacy/inode.o
drivers/usb/gadget/legacy/inode.c: In function 'ep_aio_rwtail':
drivers/usb/gadget/legacy/inode.c:642:12: warning: 'value' may be used 
uninitialized in this function [-Wmaybe-uninitialized]
   ssize_t   value;
             ^
   LD [M]  drivers/usb/gadget/legacy/gadgetfs.o
(...)
------

Regards,

Alexander Holler

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 000/123] 3.19.3-stable review
  2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2015-03-24 15:47 ` [PATCH 3.19 123/123] target/pscsi: Fix NULL pointer dereference in get_device_type Greg Kroah-Hartman
@ 2015-03-25  2:36 ` Guenter Roeck
  2015-03-25  8:32   ` Greg Kroah-Hartman
       [not found] ` <20150324154429.061840411@linuxfoundation.org>
  115 siblings, 1 reply; 130+ messages in thread
From: Guenter Roeck @ 2015-03-25  2:36 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On 03/24/2015 08:45 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.19.3 release.
> There are 123 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu Mar 26 15:43:14 UTC 2015.
> Anything received after that time might be too late.
>

Build results:
	total: 121 pass: 121 fail: 0
Qemu test results:
	total: 30 pass: 30 fail: 0

Details are available at http://server.roeck-us.net:8010/builders.

Guenter



^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 113/123] b43: fix support for 5 GHz only BCM43228 model
       [not found] ` <20150324154429.061840411@linuxfoundation.org>
@ 2015-03-25  6:55   ` Kalle Valo
  2015-03-25  8:17     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 130+ messages in thread
From: Kalle Valo @ 2015-03-25  6:55 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, zajec5

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> 3.19-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Rafał Miłecki <zajec5@gmail.com>
>
> commit 0ff66cffde47de51c155ebdd2356403276c04cc4 upstream.
>
> It was incorrectly detected as 2 GHz device.
>
> Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

UTF-8 characters look to be broken?

-- 
Kalle Valo

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 113/123] b43: fix support for 5 GHz only BCM43228 model
  2015-03-25  6:55   ` [PATCH 3.19 113/123] b43: fix support for 5 GHz only BCM43228 model Kalle Valo
@ 2015-03-25  8:17     ` Greg Kroah-Hartman
  2015-03-25  8:33       ` Kalle Valo
  0 siblings, 1 reply; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-25  8:17 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-kernel, stable, zajec5

On Wed, Mar 25, 2015 at 08:55:38AM +0200, Kalle Valo wrote:
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> 
> > 3.19-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Rafał Miłecki <zajec5@gmail.com>
> >
> > commit 0ff66cffde47de51c155ebdd2356403276c04cc4 upstream.
> >
> > It was incorrectly detected as 2 GHz device.
> >
> > Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
> 
> UTF-8 characters look to be broken?

That's normal with the mismatch of git and quilt, sorry.

greg k-h

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 000/123] 3.19.3-stable review
  2015-03-25  2:36 ` [PATCH 3.19 000/123] 3.19.3-stable review Guenter Roeck
@ 2015-03-25  8:32   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-25  8:32 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On Tue, Mar 24, 2015 at 07:36:01PM -0700, Guenter Roeck wrote:
> On 03/24/2015 08:45 AM, Greg Kroah-Hartman wrote:
> >This is the start of the stable review cycle for the 3.19.3 release.
> >There are 123 patches in this series, all will be posted as a response
> >to this one.  If anyone has any issues with these being applied, please
> >let me know.
> >
> >Responses should be made by Thu Mar 26 15:43:14 UTC 2015.
> >Anything received after that time might be too late.
> >
> 
> Build results:
> 	total: 121 pass: 121 fail: 0
> Qemu test results:
> 	total: 30 pass: 30 fail: 0
> 
> Details are available at http://server.roeck-us.net:8010/builders.

Thanks for testing these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 113/123] b43: fix support for 5 GHz only BCM43228 model
  2015-03-25  8:17     ` Greg Kroah-Hartman
@ 2015-03-25  8:33       ` Kalle Valo
  0 siblings, 0 replies; 130+ messages in thread
From: Kalle Valo @ 2015-03-25  8:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, zajec5

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> On Wed, Mar 25, 2015 at 08:55:38AM +0200, Kalle Valo wrote:
>> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
>> 
>> > 3.19-stable review patch.  If anyone has any objections, please let me know.
>> >
>> > ------------------
>> >
>> > From: Rafał Miłecki <zajec5@gmail.com>
>> >
>> > commit 0ff66cffde47de51c155ebdd2356403276c04cc4 upstream.
>> >
>> > It was incorrectly detected as 2 GHz device.
>> >
>> > Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
>> 
>> UTF-8 characters look to be broken?
>
> That's normal with the mismatch of git and quilt, sorry.

Ok, no worries. I just wanted to make sure that you know.

-- 
Kalle Valo

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-24 18:06       ` Alexander Holler
@ 2015-03-25  8:33         ` Greg Kroah-Hartman
  2015-03-25  9:23           ` Alexander Holler
  0 siblings, 1 reply; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-25  8:33 UTC (permalink / raw)
  To: Alexander Holler; +Cc: linux-kernel, stable, Al Viro

On Tue, Mar 24, 2015 at 07:06:56PM +0100, Alexander Holler wrote:
> Am 24.03.2015 um 18:58 schrieb Greg Kroah-Hartman:
> >On Tue, Mar 24, 2015 at 06:30:17PM +0100, Alexander Holler wrote:
> >>Am 24.03.2015 um 16:46 schrieb Greg Kroah-Hartman:
> >>>3.19-stable review patch.  If anyone has any objections, please let me know.
> >>>
> >>>------------------
> >>>
> >>>From: Al Viro <viro@zeniv.linux.org.uk>
> >>>
> >>>commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.
> >>
> >>Just what I've thought. Please see
> >>
> >>https://lkml.org/lkml/2015/3/15/5
> >
> >I have no idea what you are asking me to do here, please be specific.
> 
> In order to not become blamed for mangling some language, here's a machine
> generated output:
> 
> ------
> wandq linux # git co -b t v3.19.2
> Switched to a new branch 't'
> wandq linux # git am /tmp/\[PATCH\ 3.19\ 091_123\]\ gadgetfs\:\
> use-after-free\ in\ -\>aio_read\(\).eml
> Applying: gadgetfs: use-after-free in ->aio_read()
> wandq linux # make drivers/usb/gadget/legacy/gadgetfs.ko
> (...)
>   CALL    scripts/checksyscalls.sh
>   CC [M]  drivers/usb/gadget/legacy/inode.o
> drivers/usb/gadget/legacy/inode.c: In function 'ep_aio_rwtail':
> drivers/usb/gadget/legacy/inode.c:642:12: warning: 'value' may be used
> uninitialized in this function [-Wmaybe-uninitialized]
>   ssize_t   value;
>             ^
>   LD [M]  drivers/usb/gadget/legacy/gadgetfs.o
> (...)
> ------

Is there a specific patch that is in Linus's tree that fixes this issue
that I should be applying to the stable tree?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-25  8:33         ` Greg Kroah-Hartman
@ 2015-03-25  9:23           ` Alexander Holler
  2015-03-25 10:15             ` Greg Kroah-Hartman
  0 siblings, 1 reply; 130+ messages in thread
From: Alexander Holler @ 2015-03-25  9:23 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Al Viro

Am 25.03.2015 um 09:33 schrieb Greg Kroah-Hartman:
> On Tue, Mar 24, 2015 at 07:06:56PM +0100, Alexander Holler wrote:
>> Am 24.03.2015 um 18:58 schrieb Greg Kroah-Hartman:
>>> On Tue, Mar 24, 2015 at 06:30:17PM +0100, Alexander Holler wrote:
>>>> Am 24.03.2015 um 16:46 schrieb Greg Kroah-Hartman:
>>>>> 3.19-stable review patch.  If anyone has any objections, please let me know.
>>>>>
>>>>> ------------------
>>>>>
>>>>> From: Al Viro <viro@zeniv.linux.org.uk>
>>>>>
>>>>> commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.
>>>>
>>>> Just what I've thought. Please see
>>>>
>>>> https://lkml.org/lkml/2015/3/15/5
>>>
>>> I have no idea what you are asking me to do here, please be specific.
>>
>> In order to not become blamed for mangling some language, here's a machine
>> generated output:
>>
>> ------
>> wandq linux # git co -b t v3.19.2
>> Switched to a new branch 't'
>> wandq linux # git am /tmp/\[PATCH\ 3.19\ 091_123\]\ gadgetfs\:\
>> use-after-free\ in\ -\>aio_read\(\).eml
>> Applying: gadgetfs: use-after-free in ->aio_read()
>> wandq linux # make drivers/usb/gadget/legacy/gadgetfs.ko
>> (...)
>>    CALL    scripts/checksyscalls.sh
>>    CC [M]  drivers/usb/gadget/legacy/inode.o
>> drivers/usb/gadget/legacy/inode.c: In function 'ep_aio_rwtail':
>> drivers/usb/gadget/legacy/inode.c:642:12: warning: 'value' may be used
>> uninitialized in this function [-Wmaybe-uninitialized]
>>    ssize_t   value;
>>              ^
>>    LD [M]  drivers/usb/gadget/legacy/gadgetfs.o
>> (...)
>> ------
>
> Is there a specific patch that is in Linus's tree that fixes this issue
> that I should be applying to the stable tree?

No specific one. The changes of this patch were discarded by other 
patches in Linus tree which fixed other problems of gadgetfs too.

Besides that the solution for this one specific patch is a one-liner, 
I'll give a short overview:

- gadgetfs is already unusable since 3.16 (even with this patch) because 
(p)read/(p)write doesn't work (fixed with 4.0)
- the problem this patch fixes is unlikely to be hit because glibc 
doesn't use the Linux aio-syscall, but pread/pwrite, which means someone 
has to use a special lib and not aio(7) to end up at the syscall the 
patch in question fixes.
- there aren't that many users of gadgetfs

No idea if you want to apply or backport the whole series found in Al 
Viros vfs.git/gadgetfs.

Regards,

Alexander Holler

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-25  9:23           ` Alexander Holler
@ 2015-03-25 10:15             ` Greg Kroah-Hartman
  2015-03-25 10:58               ` Alexander Holler
  0 siblings, 1 reply; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-25 10:15 UTC (permalink / raw)
  To: Alexander Holler; +Cc: linux-kernel, stable, Al Viro

On Wed, Mar 25, 2015 at 10:23:27AM +0100, Alexander Holler wrote:
> Am 25.03.2015 um 09:33 schrieb Greg Kroah-Hartman:
> >On Tue, Mar 24, 2015 at 07:06:56PM +0100, Alexander Holler wrote:
> >>Am 24.03.2015 um 18:58 schrieb Greg Kroah-Hartman:
> >>>On Tue, Mar 24, 2015 at 06:30:17PM +0100, Alexander Holler wrote:
> >>>>Am 24.03.2015 um 16:46 schrieb Greg Kroah-Hartman:
> >>>>>3.19-stable review patch.  If anyone has any objections, please let me know.
> >>>>>
> >>>>>------------------
> >>>>>
> >>>>>From: Al Viro <viro@zeniv.linux.org.uk>
> >>>>>
> >>>>>commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.
> >>>>
> >>>>Just what I've thought. Please see
> >>>>
> >>>>https://lkml.org/lkml/2015/3/15/5
> >>>
> >>>I have no idea what you are asking me to do here, please be specific.
> >>
> >>In order to not become blamed for mangling some language, here's a machine
> >>generated output:
> >>
> >>------
> >>wandq linux # git co -b t v3.19.2
> >>Switched to a new branch 't'
> >>wandq linux # git am /tmp/\[PATCH\ 3.19\ 091_123\]\ gadgetfs\:\
> >>use-after-free\ in\ -\>aio_read\(\).eml
> >>Applying: gadgetfs: use-after-free in ->aio_read()
> >>wandq linux # make drivers/usb/gadget/legacy/gadgetfs.ko
> >>(...)
> >>   CALL    scripts/checksyscalls.sh
> >>   CC [M]  drivers/usb/gadget/legacy/inode.o
> >>drivers/usb/gadget/legacy/inode.c: In function 'ep_aio_rwtail':
> >>drivers/usb/gadget/legacy/inode.c:642:12: warning: 'value' may be used
> >>uninitialized in this function [-Wmaybe-uninitialized]
> >>   ssize_t   value;
> >>             ^
> >>   LD [M]  drivers/usb/gadget/legacy/gadgetfs.o
> >>(...)
> >>------
> >
> >Is there a specific patch that is in Linus's tree that fixes this issue
> >that I should be applying to the stable tree?
> 
> No specific one. The changes of this patch were discarded by other patches
> in Linus tree which fixed other problems of gadgetfs too.
> 
> Besides that the solution for this one specific patch is a one-liner, I'll
> give a short overview:
> 
> - gadgetfs is already unusable since 3.16 (even with this patch) because
> (p)read/(p)write doesn't work (fixed with 4.0)
> - the problem this patch fixes is unlikely to be hit because glibc doesn't
> use the Linux aio-syscall, but pread/pwrite, which means someone has to use
> a special lib and not aio(7) to end up at the syscall the patch in question
> fixes.
> - there aren't that many users of gadgetfs
> 
> No idea if you want to apply or backport the whole series found in Al Viros
> vfs.git/gadgetfs.

As this has been broken since 3.16, and no one has taken the time to fix
it since then, it's not really an issue here, people can just use 4.0 if
they want it.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-25 10:15             ` Greg Kroah-Hartman
@ 2015-03-25 10:58               ` Alexander Holler
  2015-03-25 11:08                 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 130+ messages in thread
From: Alexander Holler @ 2015-03-25 10:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Al Viro

Am 25.03.2015 um 11:15 schrieb Greg Kroah-Hartman:
> On Wed, Mar 25, 2015 at 10:23:27AM +0100, Alexander Holler wrote:
>> Am 25.03.2015 um 09:33 schrieb Greg Kroah-Hartman:

>>> Is there a specific patch that is in Linus's tree that fixes this issue
>>> that I should be applying to the stable tree?
>>
>> No specific one. The changes of this patch were discarded by other patches
>> in Linus tree which fixed other problems of gadgetfs too.
>>
>> Besides that the solution for this one specific patch is a one-liner, I'll
>> give a short overview:
>>
>> - gadgetfs is already unusable since 3.16 (even with this patch) because
>> (p)read/(p)write doesn't work (fixed with 4.0)
>> - the problem this patch fixes is unlikely to be hit because glibc doesn't
>> use the Linux aio-syscall, but pread/pwrite, which means someone has to use
>> a special lib and not aio(7) to end up at the syscall the patch in question
>> fixes.
>> - there aren't that many users of gadgetfs
>>
>> No idea if you want to apply or backport the whole series found in Al Viros
>> vfs.git/gadgetfs.
>
> As this has been broken since 3.16, and no one has taken the time to fix
> it since then, it's not really an issue here, people can just use 4.0 if
> they want it.

Just a hint I think which should be kept in mind: Debian still uses 
something below 3.16, which very likely is the reason why nobody has hit 
(and examined) these bugs before.

Regards,

Alexander Holler

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-25 10:58               ` Alexander Holler
@ 2015-03-25 11:08                 ` Greg Kroah-Hartman
  2015-03-25 11:15                   ` Alexander Holler
  0 siblings, 1 reply; 130+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-25 11:08 UTC (permalink / raw)
  To: Alexander Holler; +Cc: linux-kernel, stable, Al Viro

On Wed, Mar 25, 2015 at 11:58:46AM +0100, Alexander Holler wrote:
> Am 25.03.2015 um 11:15 schrieb Greg Kroah-Hartman:
> >On Wed, Mar 25, 2015 at 10:23:27AM +0100, Alexander Holler wrote:
> >>Am 25.03.2015 um 09:33 schrieb Greg Kroah-Hartman:
> 
> >>>Is there a specific patch that is in Linus's tree that fixes this issue
> >>>that I should be applying to the stable tree?
> >>
> >>No specific one. The changes of this patch were discarded by other patches
> >>in Linus tree which fixed other problems of gadgetfs too.
> >>
> >>Besides that the solution for this one specific patch is a one-liner, I'll
> >>give a short overview:
> >>
> >>- gadgetfs is already unusable since 3.16 (even with this patch) because
> >>(p)read/(p)write doesn't work (fixed with 4.0)
> >>- the problem this patch fixes is unlikely to be hit because glibc doesn't
> >>use the Linux aio-syscall, but pread/pwrite, which means someone has to use
> >>a special lib and not aio(7) to end up at the syscall the patch in question
> >>fixes.
> >>- there aren't that many users of gadgetfs
> >>
> >>No idea if you want to apply or backport the whole series found in Al Viros
> >>vfs.git/gadgetfs.
> >
> >As this has been broken since 3.16, and no one has taken the time to fix
> >it since then, it's not really an issue here, people can just use 4.0 if
> >they want it.
> 
> Just a hint I think which should be kept in mind: Debian still uses
> something below 3.16, which very likely is the reason why nobody has hit
> (and examined) these bugs before.

Not all the world is Debian :)

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-25 11:08                 ` Greg Kroah-Hartman
@ 2015-03-25 11:15                   ` Alexander Holler
  2015-03-26 10:22                     ` Alexander Holler
  0 siblings, 1 reply; 130+ messages in thread
From: Alexander Holler @ 2015-03-25 11:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Al Viro

Am 25.03.2015 um 12:08 schrieb Greg Kroah-Hartman:
> On Wed, Mar 25, 2015 at 11:58:46AM +0100, Alexander Holler wrote:
>>> As this has been broken since 3.16, and no one has taken the time to fix
>>> it since then, it's not really an issue here, people can just use 4.0 if
>>> they want it.
>>
>> Just a hint I think which should be kept in mind: Debian still uses
>> something below 3.16, which very likely is the reason why nobody has hit
>> (and examined) these bugs before.
>
> Not all the world is Debian :)
>

Sure, but e.g. the already small group of users of gadgetfs seem to use 
debian based distributions. For reasons I can understand (e.g. they 
aren't hit by the (new) bugs in gadgetfs. ;)

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read()
  2015-03-25 11:15                   ` Alexander Holler
@ 2015-03-26 10:22                     ` Alexander Holler
  0 siblings, 0 replies; 130+ messages in thread
From: Alexander Holler @ 2015-03-26 10:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Al Viro

Am 25.03.2015 um 12:15 schrieb Alexander Holler:
> Am 25.03.2015 um 12:08 schrieb Greg Kroah-Hartman:
>> On Wed, Mar 25, 2015 at 11:58:46AM +0100, Alexander Holler wrote:
>>>> As this has been broken since 3.16, and no one has taken the time to
>>>> fix
>>>> it since then, it's not really an issue here, people can just use
>>>> 4.0 if
>>>> they want it.

Just a last comment: I've no idea if the bug might be exploitable. I 
haven't had a deeper look at what it fixes but in regard to memory 
problems I would prefer a careful solution. So even without fixing the 
problem of an undefined return code in case of an oom (and the imho more 
problematic ugly output of a (with gcc 4.9 colored) warning when 
compiling the kernel, it might be better to apply the patch.

Regards,

Alexander Holler

^ permalink raw reply	[flat|nested] 130+ messages in thread

end of thread, other threads:[~2015-03-26 10:22 UTC | newest]

Thread overview: 130+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-24 15:45 [PATCH 3.19 000/123] 3.19.3-stable review Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 001/123] sparc: semtimedop() unreachable due to comparison error Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 002/123] sparc: perf: Remove redundant perf_pmu_{en|dis}able calls Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 003/123] sparc: perf: Make counting mode actually work Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 004/123] sparc: Touch NMI watchdog when walking cpus and calling printk Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 005/123] sparc64: Fix several bugs in memmove() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 006/123] net_sched: fix struct tc_u_hnode layout in u32 Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 007/123] net: fec: fix receive VLAN CTAG HW acceleration issue Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 008/123] tcp: fix tcp_cong_avoid_ai() credit accumulation bug with decreases in w Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 009/123] tcp: restore 1.5x per RTT limit to CUBIC cwnd growth in congestion avoidance Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 010/123] net: sysctl_net_core: check SNDBUF and RCVBUF for min length Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 011/123] rds: avoid potential stack overflow Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 012/123] virtio-net: correctly delete napi hash Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 013/123] inet_diag: fix possible overflow in inet_diag_dump_one_icsk() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 014/123] caif: fix MSG_OOB test in caif_seqpkt_recvmsg() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 015/123] rxrpc: bogus MSG_PEEK test in rxrpc_recvmsg() Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 016/123] net/mlx4_en: Fix off-by-one in ethtool statistics display Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 017/123] Revert "net: cx82310_eth: use common match macro" Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 018/123] ipv6: call ipv6_proxy_select_ident instead of ipv6_select_ident in udp6_ufo_fragment Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 019/123] ipv6: fix backtracking for throw routes Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 020/123] tcp: fix tcp fin memory accounting Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 021/123] net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 022/123] net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 023/123] arm64: Honor __GFP_ZERO in dma allocations Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 024/123] arm64: Invalidate the TLB corresponding to intermediate page table levels Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 026/123] drm/radeon: do a posting read in evergreen_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 027/123] drm/radeon: do a posting read in r100_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 028/123] drm/radeon: do a posting read in r600_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 029/123] drm/radeon: do a posting read in cik_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 030/123] drm/radeon: do a posting read in si_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 031/123] drm/radeon: do a posting read in rs600_set_irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 032/123] drm/radeon: fix interlaced modes on DCE8 Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 035/123] drm/radeon: Changing number of compute pipe lines Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 037/123] LZ4 : fix the data abort issue Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 038/123] fuse: set stolen page uptodate Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 039/123] fuse: notify: dont move pages Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 040/123] serial: core: Fix iotype userspace breakage Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 041/123] serial: 8250_dw: Fix deadlock in LCR workaround Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 042/123] console: Fix console name size mismatch Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 043/123] virtio_console: init work unconditionally Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 044/123] virtio_console: avoid config access from irq Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 045/123] Change email address for 8250_pci Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 046/123] ftrace: Clear REGS_EN and TRAMP_EN flags on disabling record via sysctl Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 047/123] ftrace: Fix en(dis)able graph caller when en(dis)abling " Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 048/123] ftrace: Fix ftrace enable ordering of sysctl ftrace_enabled Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 049/123] can: add missing initialisations in CAN related skbuffs Greg Kroah-Hartman
2015-03-24 15:45 ` [PATCH 3.19 050/123] can: kvaser_usb: Read all messages in a bulk-in URB buffer Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 051/123] workqueue: fix hang involving racing cancel[_delayed]_work_sync()s for PREEMPT_NONE Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 052/123] seq_buf: Fix seq_buf_vprintf() truncation Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 053/123] seq_buf: Fix seq_buf_bprintf() truncation Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 054/123] cpuset: initialize effective masks when clone_children is enabled Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 055/123] cpuset: fix a warning when clearing configured masks in old hierarchy Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 056/123] cpuset: Fix cpuset sched_relax_domain_level Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 057/123] tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 058/123] tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 059/123] s390/pci: fix possible information leak in mmio syscall Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 060/123] spi: atmel: Fix interrupt setup for PDC transfers Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 061/123] spi: dw-mid: avoid potential NULL dereference Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 062/123] spi: pl022: Fix race in giveback() leading to driver lock-up Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 064/123] ALSA: control: Add sanity checks for user ctl id name string Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 065/123] ALSA: hda - Fix built-in mic on Compaq Presario CQ60 Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 066/123] ALSA: hda - Dont access stereo amps for mono channel widgets Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 067/123] ALSA: hda - Set single_adc_amp flag for CS420x codecs Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 068/123] ALSA: hda - Add workaround for MacBook Air 5,2 built-in mic Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 069/123] ALSA: hda - Fix regression of HD-audio controller fallback modes Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 070/123] ALSA: hda - Treat stereo-to-mono mix properly Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 071/123] mtd: nand: pxa3xx: Fix PIO FIFO draining Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 072/123] bnx2x: Force fundamental reset for EEH recovery Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 073/123] net: fec: fix rcv is not last issue when do suspend/resume test Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 074/123] regulator: rk808: Set the enable time for LDOs Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 075/123] regulator: Only enable disabled regulators on resume Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 076/123] regulator: core: Fix enable GPIO reference counting Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 077/123] nilfs2: fix deadlock of segment constructor during recovery Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 078/123] mm: cma: fix CMA aligned offset calculation Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 080/123] drm/vmwgfx: Reorder device takedown somewhat Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 081/123] drm/vmwgfx: Fix a couple of lock dependency violations Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 083/123] drm/i915: add dev_to_i915 helper Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 085/123] drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 086/123] xen/events: avoid NULL pointer dereference in dom0 on large machines Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 087/123] x86/xen: correct bug in p2m list initialization Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 088/123] xen-pciback: limit guest control of command register Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 089/123] of: fix handling of / in options for of_find_node_by_path() Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 090/123] of: handle both / and : in path strings Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 091/123] gadgetfs: use-after-free in ->aio_read() Greg Kroah-Hartman
2015-03-24 17:30   ` Alexander Holler
2015-03-24 17:58     ` Greg Kroah-Hartman
2015-03-24 18:06       ` Alexander Holler
2015-03-25  8:33         ` Greg Kroah-Hartman
2015-03-25  9:23           ` Alexander Holler
2015-03-25 10:15             ` Greg Kroah-Hartman
2015-03-25 10:58               ` Alexander Holler
2015-03-25 11:08                 ` Greg Kroah-Hartman
2015-03-25 11:15                   ` Alexander Holler
2015-03-26 10:22                     ` Alexander Holler
2015-03-24 15:46 ` [PATCH 3.19 092/123] libsas: Fix Kernel Crash in smp_execute_task Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 093/123] PCI: Dont read past the end of sysfs "driver_override" buffer Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 094/123] irqchip: armada-370-xp: Fix chained per-cpu interrupts Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 095/123] pagemap: do not leak physical addresses to non-privileged userspace Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 096/123] crypto: arm/aes update NEON AES module to latest OpenSSL version Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 097/123] crypto: aesni - fix memory usage in GCM decryption Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 098/123] x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 099/123] x86/fpu: Drop_fpu() should not assume that tsk equals current Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 100/123] kvm: move advertising of KVM_CAP_IRQFD to common code Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 101/123] x86/vdso: Fix the build on GCC5 Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 102/123] x86/asm/entry/32: Fix user_mode() misuses Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 103/123] x86/apic/numachip: Fix sibling map with NumaChip Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 104/123] powerpc/smp: Wait until secondaries are active & online Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 105/123] powerpc/iommu: Remove IOMMU device references via bus notifier Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 106/123] ipvs: add missing ip_vs_pe_put in sync code Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 107/123] ipvs: fix inability to remove a mixed-family RS Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 108/123] netfilter: nft_compat: fix module refcount underflow Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 109/123] netfilter: xt_socket: fix a stack corruption bug Greg Kroah-Hartman
2015-03-24 15:46 ` [PATCH 3.19 110/123] netfilter: nf_tables: fix transaction race condition Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 111/123] netfilter: nf_tables: fix addition/deletion of elements from commit/abort Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 112/123] ARM: imx6sl-evk: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 114/123] ARM: EXYNOS: Dont use LDREX and STREX after disabling cache coherency Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 115/123] ARM: imx6qdl-sabresd: set swbst_reg as vbuss parent reg Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 116/123] ARM: at91: pm: fix at91rm9200 standby Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 117/123] ARM: dts: DRA7x: Fix the bypass clock source for dpll_iva and others Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 118/123] ARM: dts: am33xx-clocks: Fix ehrpwm tbclk data on am33xx Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 119/123] ARM: dts: am43xx-clocks: Fix ehrpwm tbclk data on am43xx Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 120/123] target: Fix reference leak in target_get_sess_cmd() error path Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 121/123] target: Fix virtual LUN=0 target_configure_device failure OOPs Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 122/123] iscsi-target: Avoid early conn_logout_comp for iser connections Greg Kroah-Hartman
2015-03-24 15:47 ` [PATCH 3.19 123/123] target/pscsi: Fix NULL pointer dereference in get_device_type Greg Kroah-Hartman
2015-03-25  2:36 ` [PATCH 3.19 000/123] 3.19.3-stable review Guenter Roeck
2015-03-25  8:32   ` Greg Kroah-Hartman
     [not found] ` <20150324154429.061840411@linuxfoundation.org>
2015-03-25  6:55   ` [PATCH 3.19 113/123] b43: fix support for 5 GHz only BCM43228 model Kalle Valo
2015-03-25  8:17     ` Greg Kroah-Hartman
2015-03-25  8:33       ` Kalle Valo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).