linux-kernel.vger.kernel.org archive mirror
* [PATCH 3.16 000/346] 3.16.39-rc1 review
From: Ben Hutchings @ 2016-11-14  0:14 UTC
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.39 release.
There are 346 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Nov 10 00:00:00 UTC 2016.
Anything received after that time might be too late.

A combined patch relative to 3.16.38 will be posted as an additional
response to this.  A shortlog and diffstat can be found below.

Ben.

-------------

Adrien Vergé (1):
      USB: quirks: Fix another ELAN touchscreen
         [df36c5bede207f734e4750beb2b14fb892050280]

Al Viro (27):
      alpha: fix copy_from_user()
         [2561d309dfd1555e781484af757ed0115035ddb3]
      asm-generic: make copy_from_user() zero the destination properly
         [2545e5da080b4839dd859e3b09343a884f6ab0e3]
      asm-generic: make get_user() clear the destination on errors
         [9ad18b75c2f6e4a78ce204e79f37781f8815c0fa]
      avr32: fix copy_from_user()
         [8630c32275bac2de6ffb8aea9d9b11663e7ad28e]
      blackfin: fix copy_from_user()
         [8f035983dd826d7e04f67b28acf8e2f08c347e41]
      cris: buggered copy_from_user/copy_to_user/clear_user
         [eb47e0293baaa3044022059f1fa9ff474bfe35cb]
      fix fault_in_multipages_...() on architectures with no-op access_ok()
         [e23d4159b109167126e5bcd7f3775c95de7fee47]
      fix minor infoleak in get_user_ex()
         [1c109fabbd51863475cd12ac206bdd249aee35af]
      frv: fix clear_user()
         [3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90]
      hexagon: fix strncpy_from_user() error return
         [f35c1e0671728d1c9abc405d05ef548b5fcb2fc4]
      ia64: copy_from_user() should zero the destination on access_ok() failure
         [a5e541f796f17228793694d64b507f5f57db4cd7]
      m32r: fix __get_user()
         [c90a3bc5061d57e7931a9b7ad14784e1a0ed497d]
      metag: copy_from_user() should zero the destination on access_ok() failure
         [8ae95ed4ae5fc7c3391ed668b2014c9e2079533b]
      microblaze: fix __get_user()
         [e98b9e37ae04562d52c96f46b3cf4c2e80222dc1]
      microblaze: fix copy_from_user()
         [d0cf385160c12abd109746cad1f13e3b3e8b50b8]
      mips: copy_from_user() must zero the destination on access_ok() failure
         [e69d700535ac43a18032b3c399c69bf4639e89a2]
      mn10300: copy_from_user() should zero on access_ok() failure...
         [ae7cc577ec2a4a6151c9e928fd1f595d953ecef1]
      mn10300: failing __get_user() and get_user() should zero
         [43403eabf558d2800b429cd886e996fd555aa542]
      openrisc: fix copy_from_user()
         [acb2505d0119033a80c85ac8d02dccae41271667]
      parisc: fix copy_from_user()
         [aace880feea38875fbc919761b77e5732a3659ef]
      ppc32: fix copy_from_user()
         [224264657b8b228f949b42346e09ed8c90136a8e]
      s390: get_user() should zero on failure
         [fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7]
      score: fix __get_user/get_user
         [c2f18fa4cbb3ad92e033a24efa27583978ce9600]
      score: fix copy_from_user() and friends
         [b615e3c74621e06cd97f86373ca90d43d6d998aa]
      sh64: failing __get_user() should zero
         [c6852389228df9fb3067f94f3b651de2a7921b36]
      sh: fix copy_from_user()
         [6e050503a150b2126620c1a1e9b3a368fcd51eac]
      sparc32: fix copy_from_user()
         [917400cecb4b52b5cde5417348322bb9c8272fa6]

Alan Stern (4):
      USB: avoid left shift by -1
         [53e5f36fbd2453ad69a3369a1db62dc06c30a4aa]
      USB: change bInterval default to 10 ms
         [08c5cd37480f59ea39682f4585d92269be6b1424]
      USB: fix typo in wMaxPacketSize validation
         [6c73358c83ce870c0cf32413e5cadb3b9a39c606]
      USB: validate wMaxPacketValue entries in endpoint descriptors
         [aed9d65ac3278d4febd8665bd7db59ef53e825fe]

Aleksandr Makarov (2):
      USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
         [40d9c32525cba79130612650b1abc47c0c0f19a8]
      USB: serial: option: add WeTelecom WM-D200
         [6695593e4a7659db49ac6eca98c164f7b5589f72]

Alex Deucher (4):
      drm/radeon/si/dpm: add workaround for for Jet parts
         [670bb4fd21c966d0d2a59ad4a99bb4889f9a2987]
      drm/radeon: add a delay after ATPX dGPU power off
         [d814b24fb74cb9797d70cb8053961447c5879a5c]
      drm/radeon: fix firmware info version checks
         [3edc38a0facef45ee22af8afdce3737f421f36ab]
      drm/radeon: support backlight control for UNIPHY3
         [d3200be6c423afa1c34f7e39e9f6d04dd5b0af9d]

Alex Hung (1):
      hp-wmi: Fix wifi cannot be hard-unblocked
         [fc8a601e1175ae351f662506030f9939cb7fdbfe]

Alex Vesker (2):
      IB/ipoib: Don't allow MC joins during light MC flush
         [344bacca8cd811809fc33a249f2738ab757d327f]
      IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
         [e5ac40cd66c2f3cd11bc5edc658f012661b16347]

Alex Williamson (1):
      vfio/pci: Fix NULL pointer oops in error interrupt setup handling
         [c8952a707556e04374d7b2fdb3a079d63ddf6f2f]

Alexandre Belloni (1):
      tty/serial: atmel: fix RS485 half duplex with DMA
         [0058f0871efe7b01c6f2b3046c68196ab73e96da]

Alexey Dobriyan (1):
      posix_cpu_timer: Exit early when process has been reaped
         [2c13ce8f6b2f6fd9ba2f9261b1939fc0f62d1307]

Alexey Khoroshilov (3):
      USB: serial: mos7720: fix non-atomic allocation in write path
         [5a5a1d614287a647b36dff3f40c2b0ceabbc83ec]
      USB: serial: mos7840: fix non-atomic allocation in write path
         [3b7c7e52efda0d4640060de747768360ba70a7c0]
      i2c: efm32: fix a failure path in efm32_i2c_probe()
         [7dd91d52a813f99a95d20f539b777e9e6198b931]

Alexey Klimov (1):
      USB: serial: fix memleak in driver-registration error path
         [647024a7df36014bbc4479d92d88e6b77c0afcf6]

Alexey Kuznetsov (1):
      fuse: fsync() did not return IO errors
         [ac7f052b9e1534c8248f814b6f0068ad8d4a06d2]

Alison Schofield (1):
      iio: proximity: as3935: set up buffer timestamps for non-zero values
         [f8adf645db03345af2d9a8b6095b02327ea50885]

Amadeusz Sławiński (1):
      Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
         [23bc6ab0a0912146fd674a0becc758c3162baabc]

Anders Darander (1):
      iio: adc: at91: unbreak channel adc channel 3
         [c2ab447454d498e709d9011c0f2d2945ee321f9b]

Andrey Pronin (1):
      tpm: read burstcount from TPM_STS in one 32-bit transaction
         [9754d45e997000ad4021bc4606cc266bb38d876f]

Andrey Ryabinin (1):
      radix-tree: fix radix_tree_iter_retry() for tagged iterators.
         [3cb9185c67304b2a7ea9be73e7d13df6fb2793a1]

Andy Shevchenko (1):
      gpio: intel-mid: Remove potentially harmful code
         [3dbd3212f81b2b410a34a922055e2da792864829]

Ard Biesheuvel (2):
      crypto: arm64/aes-ctr - fix NULL dereference in tail processing
         [2db34e78f126c6001d79d3b66ab1abb482dc7caa]
      crypto: cryptd - initialize child shash_desc on import
         [0bd2223594a4dcddc1e34b15774a3a4776f7749e]

Arend Van Spriel (1):
      brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
         [ded89912156b1a47d940a0c954c43afbabd0c42c]

Artemy Kovalyov (1):
      IB/mlx5: Fix MODIFY_QP command input structure
         [e3353c268b06236d6c40fa1714c114f21f44451c]

Ashish Samant (1):
      ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
         [d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960]

Balbir Singh (1):
      sched/core: Fix a race between try_to_wake_up() and a woken up task
         [135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf]

Ben Hutchings (2):
      Documentation/module-signing.txt: Note need for version info if reusing a key
         [b8612e517c3c9809e1200b72c474dbfd969e5a83]
      module: Invalidate signatures on force-loaded modules
         [bca014caaa6130e57f69b5bf527967aa8ee70fdd]

Benjamin Coddington (1):
      nfs: don't create zero-length requests
         [149a4fddd0a72d526abbeac0c8deaab03559836a]

Cameron Gutman (1):
      Input: xpad - validate USB endpoint count during probe
         [caca925fca4fb30c67be88cacbe908eec6721e43]

Chen-Yu Tsai (1):
      clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function
         [b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e]

Chris Blake (1):
      PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset
         [9ac0108c2bac3f1d0255f64fb89fc27e71131b24]

Chris Mason (1):
      Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
         [cbd60aa7cd17d81a434234268c55192862147439]

Christian König (1):
      drm/radeon: fix radeon_move_blit on 32bit systems
         [13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455]

Chuck Lever (2):
      NFS: Don't drop CB requests with invalid principals
         [a4e187d83d88eeaba6252aac0a2ffe5eaa73a818]
      svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
         [0533b13072f4bf35738290d2cf9e299c7bc6c42a]

Dan Carpenter (12):
      MIPS: RM7000: Double locking bug in rm7k_tc_disable()
         [58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225]
      [media] em28xx-i2c: rt_mutex_trylock() returns zero on failure
         [e44c153b30c9a0580fc2b5a93f3c6d593def2278]
      avr32: off by one in at32_init_pio()
         [55f1cf83d5cf885c75267269729805852039c834]
      crypto: nx - off by one bug in nx_of_update_msc()
         [e514cc0a492a3f39ef71b31590a7ef67537ee04b]
      hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
         [8a545f185145e3c09348cd74326268ecfc6715a3]
      mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
         [79ad07d45743721010e766e65dc004ad249bd429]
      qxl: check for kmap failures
         [f4cceb2affcd1285d4ce498089e8a79f4cd2fa66]
      scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
         [7bc2b55a5c030685b399bb65b6baa9ccc3d1f167]
      sparc: serial: sunhv: fix a double lock bug
         [344e3c7734d5090b148c19ac6539b8947fed6767]
      tools/vm/slabinfo: fix an unintentional printf
         [2d6a4d64812bb12dda53704943b61a7496d02098]
      usb: gadget: fsl_qe_udc: off by one in setup_received_handle()
         [7442e6db5bdd0dce4615205508301f9b22e502d6]
      usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
         [f4693b08cc901912a87369c46537b94ed4084ea0]

Dan Williams (1):
      block: fix bdi vs gendisk lifetime mismatch
         [df08c32ce3be5be138c1dbfcba203314a3a7cd6f]

Daniel Borkmann (1):
      bpf, mips: fix off-by-one in ctx offset allocation
         [b4e76f7e6d3200462c6354a6ad4ae167459e61f8]

Daniel Mentz (1):
      ARC: Call trace_hardirqs_on() before enabling irqs
         [18b43e89d295cc65151c505c643c98fb2c320e59]

Daniel Vetter (1):
      drm: Reject page_flip for !DRIVER_MODESET
         [6f00975c619064a18c23fd3aced325ae165a73b9]

Daniele Palmas (3):
      USB: serial: option: add support for Telit LE910 PID 0x1206
         [3c0415fa08548e3bc63ef741762664497ab187ed]
      USB: serial: option: add support for Telit LE920A4
         [01d7956b58e644ea0d2e8d9340c5727a8fc39d70]
      USB: serial: simple: add support for another Infineon flashloader
         [f190fd92458da3e869b4e2c6289e2c617490ae53]

Dave Carroll (1):
      aacraid: Check size values after double-fetch from user
         [fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3]

Dave Weinstein (1):
      arm: oabi compat: add missing access checks
         [7de249964f5578e67b99699c5f0b405738d820a2]

David Daney (1):
      MIPS: Fix page table corruption on THP permission changes.
         [acd168c0bf2ce709f056a6b1bf21634b1207d7a5]

David Hildenbrand (1):
      s390/mm: fix gmap tlb flush issues
         [f045402984404ddc11016358411e445192919047]

David Howells (3):
      KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
         [20f06ed9f61a185c6dabd662c310bed6189470df]
      KEYS: Fix short sprintf buffer in /proc/keys show function
         [03dab869b7b239c4e013ec82aea22e181e441cfc]
      x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace
         [f7d665627e103e82d34306c7d3f6f46f387c0d8b]

Dmitri Epshtein (1):
      net: mvneta: set real interrupt per packet for tx_done
         [06708f81528725148473c0869d6af5f809c6824b]

Dmitry Torokhov (3):
      Input: i8042 - break load dependency between atkbd/psmouse and i8042
         [4097461897df91041382ff6fcd2bfa7ee6b2448c]
      Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
         [47af45d684b5f3ae000ad448db02ce4f13f73273]
      tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
         [510cccb5b0c8868a2b302a0ab524da7912da648b]

Dmitry Tunin (1):
      Bluetooth: Add support of 13d3:3490 AR3012 device
         [12d868964f7352e8b18e755488f7265a93431de1]

Emanuel Czirai (1):
      x86/AMD: Apply erratum 665 on machines without a BIOS fix
         [d1992996753132e2dafe955cccb2fb0714d3cfc4]

Erez Shitrit (2):
      IB/core: Fix use after free in send_leave function
         [68c6bcdd8bd00394c234b915ab9b97c74104130c]
      IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
         [546481c2816ea3c061ee9d5658eb48070f69212e]

Eric Biggers (1):
      dm crypt: fix free of bad values after tfm allocation failure
         [5d0be84ec0cacfc7a6d6ea548afdd07d481324cd]

Eric Dumazet (3):
      qdisc: fix a module refcount leak in qdisc_create_dflt()
         [166ee5b87866de07a3e56c1b757f2b5cabba72a5]
      tcp: fix a compile error in DBGUNDO()
         [019b1c9fe32a2a32c1153e31375f87ec3e591273]
      tcp: fix use after free in tcp_xmit_retransmit_queue()
         [bb1fceca22492109be12640d49f5ea5a544c6bb4]

Eric Wheeler (1):
      bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
         [d9dc1702b297ec4a6bb9c0326a70641b322ba886]

Fabian Frederick (1):
      sysv, ipc: fix security-layer leaking
         [9b24fef9f0410fb5364245d6cc2bd044cc064007]

Fabio Estevam (1):
      can: flexcan: fix resume function
         [4de349e786a3a2d51bd02d56f3de151bbc3c3df9]

Felipe Balbi (2):
      usb: dwc3: gadget: increment request->actual once
         [c7de573471832dff7d31f0c13b0f143d6f017799]
      usb: gadget: udc: core: don't starve DMA resources
         [23fd537c9508fb6e3b93ddf23982f51afc087781]

Felix Fietkau (1):
      mac80211: fix purging multicast PS buffer queue
         [6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5]

Feng Li (1):
      iscsi-target: Fix panic when adding second TCP connection to iSCSI session
         [8abc718de6e9e52d8a6bfdb735060554aeae25e4]

Florian Fainelli (4):
      brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
         [3bdae810721b33061d2e541bd78a70f86ca42af3]
      brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
         [5c5fa1f464ac954982df1d96b9f9a5103d21aedd]
      brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
         [f823a2aa8f4674c095a5413b9e3ba12d82df06f2]
      net: ethoc: Fix early error paths
         [386512d18b268c6182903239f9f3390f03ce4c7b]

Florian Westphal (2):
      netfilter: x_tables: speed up jump target validation
         [f4dc77713f8016d2e8a3295e1c9c53a21f296def]
      netfilter: x_tables: validate targets of jumps
         [36472341017529e2b12573093cc0f68719300997]

Forrest Liu (1):
      Btrfs: add missing blk_finish_plug in btrfs_sync_log()
         [3da5ab56482f322a9736c484db8773899c5c731b]

Gavin Li (1):
      cdc-acm: fix wrong pipe type on rx interrupt xfers
         [add125054b8727103631dce116361668436ef6a7]

Gregor Boirie (1):
      iio:core: fix IIO_VAL_FRACTIONAL sign handling
         [171c0091837c81ed5c949fec6966bb5afff2d1cf]

Gregory CLEMENT (1):
      ARM: 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is coherent
         [f12708965069410691e47d1d216ec7ad1516bfd2]

Guenter Roeck (2):
      avr32: fix 'undefined reference to `___copy_from_user'
         [65c0044ca8d7c7bbccae37f0ff2972f0210e9f41]
      openrisc: fix the fix of copy_from_user()
         [8e4b72054f554967827e18be1de0e8122e6efc04]

Haishuang Yan (1):
      ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path.
         [252f3f5a1189a7f6c309d8e4ff1c4c1888a27f13]

Hector Palacios (1):
      mtd: nand: fix bug writing 1 byte less than page size
         [144f4c98399e2c0ca60eb414c15a2c68125c18b8]

Helge Deller (1):
      parisc: Fix order of EREFUSED define in errno.h
         [3eb53b20d7bd1374598cfb1feaa081fcac0e76cd]

Herbert Xu (4):
      crypto: gcm - Filter out async ghash if necessary
         [b30bdfa86431afbafe15284a3ad5ac19b49b88e3]
      crypto: scatterwalk - Fix test in scatterwalk_done
         [5f070e81bee35f1b7bd1477bb223a873ff657803]
      crypto: skcipher - Fix blkcipher walk OOM crash
         [acdb04d0b36769b3e05990c488dc74d8b7ac8060]
      macvlan: Fix potential use-after free for broadcasts
         [260916dfb48c374f7840f3b86e69afd3afdb6e96]

Hock Leong Kweh (1):
      iio: fix pressure data output unit in hid-sensor-attributes
         [36afb176d3c9580651d7f410ed7f000ec48b5137]

Ian Abbott (3):
      staging: comedi: daqboard2000: bug fix board type matching code
         [80e162ee9b31d77d851b10f8c5299132be1e120f]
      staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility
         [f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a]
      staging: comedi: ni_mio_common: fix wrong  insn_write handler
         [5ca05345c56cb979e1a25ab6146437002f95cac8]

Ilan Tayari (1):
      xfrm: Fix memory leak of aead algorithm name
         [b588479358ce26f32138e0f0a7ab0678f8e3e601]

Ilya Dryomov (1):
      libceph: apply new_state before new_up_client on incrementals
         [930c532869774ebf8af9efe9484c597f896a7d46]

Iosif Harutyunov (1):
      ubi: Fix race condition between ubi device creation and udev
         [714fb87e8bc05ff78255afc0dca981e8c5242785]

Jack Morgenstein (2):
      IB/mlx4: Fix code indentation in QP1 MAD flow
         [baa0be7026e2f7d1d40bfd45909044169e9e3c68]
      IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
         [8ec07bf8a8b57d6c58927a16a0a22c0115cf2855]

Jaganath Kanakkassery (1):
      Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
         [951b6a0717db97ce420547222647bcc40bf1eacd]

James Hogan (11):
      KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
         [91e4f1b6073dd680d86cdb7e42d7cccca9db39d8]
      MIPS: KVM: Add missing gfn range check
         [8985d50382359e5bf118fdbefc859d0dbf6cebc7]
      MIPS: KVM: Check for pfn noslot case
         [ba913e4f72fc9cfd03dad968dfb110eb49211d80]
      MIPS: KVM: Fix gfn range check in kseg0 tlb faults
         [0741f52d1b980dbeb290afe67d88fc2928edd8ab]
      MIPS: KVM: Fix mapped fault broken commpage handling
         [c604cffa93478f8888bec62b23d6073dad03d43a]
      MIPS: KVM: Propagate kseg0/mapped tlb fault errors
         [9b731bcfdec4c159ad2e4312e25d69221709b96a]
      MIPS: c-r4k: Fix protected_writeback_scache_line for EVA
         [0758b116b4080d9a2a2a715bec6eee2cbd828215]
      arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
         [3146bc64d12377a74dbda12b96ea32da3774ae07]
      metag: Fix __cmpxchg_u32 asm constraint for CMP
         [6154c187b97ee7513046bb4eb317a89f738f13ef]
      s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
         [68c5cf5a6091c2c3fabccfd42ca844d730ec24c6]
      tile: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
         [cdf8b4633075f2171d440d2e37c9c2609019a81a]

Jan Beulich (2):
      xenbus: don't BUG() on user mode induced condition
         [0beef634b86a1350c31da5fcc2992f0d7c8a622b]
      xenbus: don't look up transaction IDs for ordinary writes
         [9a035a40f7f3f6708b79224b86c5777a3334f7ea]

Jan Kara (6):
      ext4: fix deadlock during page writeback
         [646caa9c8e196880b41cd3e3d33a2ebc752bdb85]
      fanotify: fix list corruption in fanotify_get_response()
         [96d41019e3ac55f6f0115b0ce97e4f24a3d636d2]
      fs: Avoid premature clearing of capabilities
         [030b533c4fd4d2ec3402363323de4bb2983c9cee]
      fs: Give dentry to inode_change_ok() instead of inode
         [31051c85b5e2aaaf6315f74c72a732673632a905]
      fsnotify: add a way to stop queueing events on group shutdown
         [12703dbfeb15402260e7554d32a34ac40c233990]
      posix_acl: Clear SGID bit when setting file permissions
         [073931017b49d9458aa351605b43a7e34598caef]

Javier Martinez Canillas (2):
      s5p-mfc: Add release callback for memory region devs
         [6311f1261f59ce5e51fbe5cc3b5e7737197316ac]
      s5p-mfc: Set device name for reserved memory region devs
         [29debab0a94035a390801d1f177d171d014b7765]

Jeff Mahoney (1):
      btrfs: ensure that file descriptor used with subvol ioctls is a dir
         [325c50e3cebb9208009083e841550f98a863bfa0]

Jeffrey Hugo (1):
      efi/libstub: Allocate headspace in efi_get_memory_map()
         [dadb57abc37499f565b23933dbf49b435c3ba8af]

Jia He (1):
      mm/hugetlb: avoid soft lockup in set_max_huge_pages()
         [649920c6ab93429b94bc7c1aa7c0e8395351be32]

Jim Lin (1):
      usb: xhci: Fix panic if disconnect
         [88716a93766b8f095cdef37a8e8f2c93aa233b21]

Jim Mattson (1):
      KVM: nVMX: Fix memory corruption when using VMCS shadowing
         [2f1fe81123f59271bddda673b60116bde9660385]

Jimi Damon (1):
      serial: 8250: added acces i/o products quad and octal serial cards
         [c8d192428f52f244130b84650ad616df09f2b1e1]

Jiri Slaby (1):
      pps: do not crash when failed to register
         [368301f2fe4b07e5fb71dba3cc566bc59eb6705f]

Johannes Berg (2):
      ipv6: suppress sparse warnings in IP6_ECN_set_ce()
         [c15c0ab12fd62f2b19181d05c62d24bc9fa55a42]
      nl80211: validate number of probe response CSA counters
         [ad5987b47e96a0fb6d13fea250e936aed000093c]

Johannes Weiner (1):
      mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page()
         [22f2ac51b6d643666f4db093f13144f773ff3f3a]

John Stultz (1):
      timekeeping: Cap array access in timekeeping_debug
         [a4f8f6667f099036c88f231dcad4cf233652c824]

Joseph Qi (1):
      ocfs2/dlm: fix race between convert and migration
         [e6f0c6e6170fec175fe676495f29029aecdf486c]

Joseph Salisbury (1):
      usb: quirks: Add no-lpm quirk for Elan
         [25b1f9acc452209ae0fcc8c1332be852b5c52f53]

Karl Beldan (1):
      mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
         [f6d7c1b5598b6407c3f1da795dd54acf99c1990c]

Keerthy (2):
      ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
         [b00ccf5b684992829610d162e78a7836933a1b19]
      rtc: ds1307: Fix relying on reset value for weekday
         [e29385fab0bf94017fac130ee32f5bb2daf74417]

Kent Overstreet (1):
      bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
         [acc9cf8c66c66b2cbbdb4a375537edee72be64df]

Konrad Leszczynski (1):
      usb: dwc3: fix for the isoc transfer EP_BUSY flag
         [9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b]

Konstantin Neumoin (1):
      balloon: check the number of available pages in leak balloon
         [37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711]

Krzysztof Kozlowski (2):
      serial: samsung: Fix ERR pointer dereference on deferred probe
         [e51e4d8a185de90424b03f30181b35f29c46a25a]
      serial: samsung: Fix possible out of bounds access on non-DT platform
         [926b7b5122c96e1f18cd20e85a286c7ec8d18c97]

Lance Richardson (1):
      ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
         [db32e4e49ce2b0e5fcc17803d011a401c0a637f6]

Laura Abbott (1):
      ftrace/recordmcount: Work around for addition of metag magic but not relocations
         [b2e1c26f0b62531636509fbcb6dab65617ed8331]

Lauro Costa (1):
      Bluetooth: Add USB ID 13D3:3487 to ath3k
         [72f9f8b58bc743e6b6abdc68f60db98486c3ffcf]

Linus Walleij (3):
      gpio: Fix OF build problem on UM
         [2527ecc9195e9c66252af24c4689e8a67cd4ccb9]
      iio: accel: kxsd9: Fix raw read return
         [7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8]
      iio: accel: kxsd9: Fix scaling bug
         [307fe9dd11ae44d4f8881ee449a7cbac36e1f5de]

Liping Zhang (2):
      netfilter: nf_ct_expect: remove the redundant slash when policy name is empty
         [b173a28f62cf929324a8a6adcc45adadce311d16]
      netfilter: nfnetlink_queue: reject verdict request from different portid
         [00a3101f561816e58de054a470484996f78eb5eb]

Lu Baolu (1):
      usb: misc: usbtest: add fix for driver hang
         [539587511835ea12d8daa444cbed766cf2bc3612]

Lubomir Rintel (1):
      USB: serial: option: add D-Link DWM-156/A3
         [cf1b18030de29e4e5b0a57695ae5db4a89da0ff7]

Lukas Wunner (6):
      drm/nouveau: Don't leak runtime pm ref on driver unload
         [c1b16b45607976c76a3c41b8a319172b8b83f996]
      drm/radeon: Don't leak runtime pm ref on driver load
         [b875194679b0f88ffdb2e2d68435572296628551]
      drm/radeon: Don't leak runtime pm ref on driver unload
         [19de659cb7216eb1c04889bd1a248593f296e19f]
      x86/quirks: Add early quirk to reset Apple AirPort card
         [abb2bafd295fe962bbadc329dbfb2146457283ac]
      x86/quirks: Apply nvidia_bugs quirk only on root bus
         [447d29d1d3aed839e74c2401ef63387780ac51ed]
      x86/quirks: Reintroduce scanning of secondary buses
         [850c321027c2e31d0afc71588974719a4b565550]

Lyude (1):
      drm/radeon: Poll for both connect/disconnect on analog connectors
         [14ff8d48f2235295dfb3117693008e367b49cdb5]

Mahesh Salgaonkar (2):
      powerpc/book3s: Fix MCE console messages for unrecoverable MCE.
         [c74dd88e77d3ecbc9e55c78796d82c9aa21cabad]
      powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers.
         [bc14c49195e49b3231c01e4c44e3e5456c940b94]

Mario Kleiner (2):
      drm/edid: Add 6 bpc quirk for display AEO model 0.
         [e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd]
      drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"
         [196f954e250943df414efd3d632254c29be38e59]

Masahiro Yamada (1):
      Input: tegra-kbc - fix inverted reset logic
         [fae16989be77b09bab86c79233e4b511ea769cea]

Mathias Krause (1):
      xfrm_user: propagate sec ctx allocation errors
         [2f30ea5090cbc57ea573cdc66421264b3de3fb0a]

Mathias Nyman (2):
      xhci: always handle "Command Ring Stopped" events
         [33be126510974e2eb9679f1ca9bca4f67ee4c4c7]
      xhci: don't dereference a xhci member after removing xhci
         [f1f6d9a8b540df22b87a5bf6bc104edaade81f47]

Matt Fleming (1):
      perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2
         [080fe0b790ad438fc1b61621dac37c1964ce7f35]

Matt Redfearn (1):
      MIPS: paravirt: Fix undefined reference to smp_bootstrap
         [951c39cd3bc0aedf67fbd8fb4b9380287e6205d1]

Mauricio Faria de Oliveira (1):
      powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)
         [2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0]

Mauro Carvalho Chehab (1):
      [media] ngene: properly handle __user ptr
         [04da2daee383391954b34e7d0fe0281d75447d61]

Maxim Patlasov (1):
      fuse: fuse_flush must check mapping->flags for errors
         [9ebce595f63a407c5cec98f98f9da8459b73740a]

Michael Ellerman (1):
      powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
         [66443efa83dc73775100b7442962ce2cb0d4472e]

Michael Neuling (1):
      powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint()
         [6bcb80143e792becfd2b9cc6a339ce523e4e2219]

Michael Walle (1):
      hwmon: (adt7411) set bit 3 in CFG1 register
         [b53893aae441a034bf4dbbad42fe218561d7d81f]

Michal Hocko (1):
      kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
         [735f2770a770156100f534646158cb58cb8b2939]

Mike Christie (1):
      target: Fix max_unmap_lba_count calc overflow
         [ea263c7fada4af8ec7fe5fcfd6e7d7705a89351b]

Mike Snitzer (1):
      dm flakey: error READ bios during the down_interval
         [99f3c90d0d85708e7401a81ce3314e50bf7f2819]

Mikulas Patocka (1):
      drm/nouveau/fbcon: fix font width not divisible by 8
         [28668f43b8e421634e1623f72a879812288dd06b]

Mukesh Ojha (1):
      powerpc/powernv : Drop reference added by kset_find_obj()
         [a9cbf0b2195b695cbeeeecaa4e2770948c212e9a]

Neal Cardwell (1):
      tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data
         [28b346cbc0715ae45b2814d857f1d8a7e6817ed8]

Nicholas Bellinger (2):
      target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP
         [5e2c956b8aa24d4f33ff7afef92d409eed164746]
      target: Fix race between iscsi-target connection shutdown + ABORT_TASK
         [064cdd2d91c2805d788876082f31cc63506f22c3]

Nicolai Stange (1):
      lib/mpi: mpi_read_raw_data(): fix nbits calculation
         [eef0df6a59537032ab6b708f30b28d9530f8760e]

Nicolas Dichtel (1):
      ipv6: add missing netconf notif when 'all' is updated
         [d26c638c16cb54f6fb1507e27df93ede692db572]

Nicolas Iooss (1):
      printk: fix parsing of "brl=" option
         [ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3]

Nikolay Aleksandrov (1):
      ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
         [2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8]

Nishanth Menon (1):
      hwrng: omap - Fix assumption that runtime_get_sync will always succeed
         [61dc0a446e5d08f2de8a24b45f69a1e302bb1b1b]

Olga Kornievskaia (1):
      SUNRPC: allow for upcalls for same uid but different gss service
         [9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3]

Paolo Bonzini (2):
      KVM: nVMX: fix lifetime issues for vmcs02
         [4fa7734c62cdd8c07edd54fa5a5e91482273071a]
      compiler-gcc: disable -ftracer for __noclone functions
         [95272c29378ee7dc15f43fa2758cb28a5913a06d]

Paul Blakey (1):
      net/mlx5: Added missing check of msg length in verifying its signature
         [2c0f8ce1b584a4d7b8ff53140d21dfed99834940]

Paul Burton (1):
      MIPS: Malta: Fix IOCU disable switch read for MIPS64
         [305723ab439e14debc1d339aa04e835d488b8253]

Paul Moore (1):
      netlabel: add address family checks to netlbl_{sock,req}_delattr()
         [0e0e36774081534783aa8eeb9f6fbddf98d3c061]

Pavel Shilovsky (1):
      CIFS: Fix a possible invalid memory access in smb2_query_symlink()
         [7893242e2465aea6f2cbc2639da8fa5ce96e8cc2]

Peter Rosin (1):
      i2c: mux: pca954x: retry updating the mux selection on failure
         [463e8f845cbf1c01e4cc8aeef1703212991d8e1e]

Peter Ujfalusi (1):
      ASoC: omap-mcpdm: Fix irq resource handling
         [a8719670687c46ed2e904c0d05fa4cd7e4950cd1]

Peter Wu (4):
      ALSA: hda - fix use-after-free after module unload
         [ab58d8cc870ef3f0771c197700441936898d1f1d]
      drm/nouveau/acpi: check for function 0x1B before using it
         [cba97805cb69d5b1a1d3bb108872c73b5bf0e205]
      drm/nouveau/acpi: ensure matching ACPI handle and supported functions
         [df42194a9ac2678bf086c2c5372e125e742b0ee7]
      drm/nouveau/acpi: return supported DSM functions
         [a12e78dd3e727094e449ee4e3b752ea9b6f8db01]

Phil Turnbull (1):
      ceph: Correctly return NXIO errors from ceph_llseek
         [955818cd5b6c4b58ea574ace4573e7afa4c19c1e]

Phil.Turnbull@Oracle.Com (2):
      irda: Free skb on irda_accept error path.
         [8ab86c00e349cef9fb14719093a7f198bcc72629]
      l2tp: Correctly return -EBADF from pppol2tp_getname.
         [4ac36a4adaf80013a60013d6f829f5863d5d0e05]

Rabin Vincent (1):
      cifs: fix crash due to race in hmac(md5) handling
         [bd975d1eead2558b76e1079e861eacf1f678b73b]

Radim Krčmář (1):
      KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
         [dccbfcf52cebb8963246eba5b177b77f26b34da0]

Richard Weinberger (2):
      ubi: Be more paranoid while seaching for the most recent Fastmap
         [74f2c6e9a47cf4e508198c8594626cc82906a13d]
      ubi: Make volume resize power cut aware
         [4946784bd3924b1374f05eebff2fd68660bae866]

Rob Clark (3):
      drm/msm: fix use of copy_from_user() while holding spinlock
         [89f82cbb0d5c0ab768c8d02914188aa2211cd2e3]
      drm/msm: protect against faults from copy_from_user() in submit ioctl
         [d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035]
      drm/msm: use mutex_lock_interruptible for submit ioctl
         [b5b4c264df4d270819676b290cef9a11d04c35f0]

Robert Deliën (1):
      USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices
         [6977495c06f7f47636a076ee5a0ca571279d9697]

Roderick Colenbrander (1):
      HID: uhid: fix timeout when probe races with IO
         [67f8ecc550b5bda03335f845dc869b8501d25fd0]

Roger Quadros (1):
      ARM: 8617/1: dma: fix dma_max_pfn()
         [d248220f0465b818887baa9829e691fe662b2c5e]

Russell King (3):
      ARM: sa1100: clear reset status prior to reboot
         [da60626e7d02a4f385cae80e450afc8b07035368]
      ARM: sa1111: fix pcmcia suspend/resume
         [06dfe5cc0cc684e735cb0232fdb756d30780b05d]
      crypto: caam - fix non-hmac hashes
         [a0118c8b2be9297aed8e915c60b4013326b256d4]

Sabrina Dubroca (1):
      l2tp: fix use-after-free during module unload
         [2f86953e7436c9b9a4690909c5e2db24799e173b]

Sachin Prabhu (1):
      cifs: Check for existing directory when opening file with O_CREAT
         [8d9535b6efd86e6c07da59f97e68f44efb7fe080]

Sara Sharon (1):
      iwlwifi: pcie: fix access to scratch buffer
         [d5d0689aefc59c6a5352ca25d7e6d47d03f543ce]

Sebastian Andrzej Siewior (1):
      x86/mm: Disable preemption during CR3 read+write
         [5cf0791da5c162ebc14b01eb01631cfa7ed4fa6e]

Sebastian Reichel (1):
      ARM: OMAP3: hwmod data: Add sysc information for DSI
         [b46211d6dcfb81a8af66b8684a42d629183670d4]

Sergei Miroshnichenko (1):
      can: dev: fix deadlock reported after bus-off
         [9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8]

Sheng-Hui J. Chu (1):
      USB: serial: ftdi_sio: add device ID for WICED USB UART dev board
         [ae34d12cc1e212ffcd92e069030e54dae69c832f]

Shrirang Bagul (1):
      ALSA: hda - On-board speaker fixup on ACER Veriton
         [9b51fe3efe4c270005e34f55a97e5a84ad68e581]

Simon Baatz (1):
      ARM: kirkwood: ib62x0: fix size of u-boot environment partition
         [a778937888867aac17a33887d1c429120790fbc2]

Simon Wunderlich (1):
      batman-adv: lock crc access in bridge loop avoidance
         [5a1dd8a4773d4c24e925cc6154826d555a85c370]

Soeren Moch (1):
      [media] media: dvb_ringbuffer: Add memory barriers
         [ca6e6126db5494f18c6c6615060d4d803b528bff]

Soheil Hassas Yeganeh (2):
      tcp: consider recv buf for the initial window scale
         [f626300a3e776ccc9671b0dd94698fb3aa315966]
      tun: fix transmit timestamp support
         [7b996243fab46092fb3a29c773c54be8152366e4]

Srinivas Ramana (1):
      ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
         [117e5e9c4cfcb7628f08de074fbfefec1bb678b7]

Stefan Haberland (1):
      s390/dasd: fix hanging device after clear subchannel
         [9ba333dc55cbb9523553df973adb3024d223e905]

Stefan Richter (1):
      firewire: net: guard against rx buffer overflows
         [667121ace9dbafb368618dbabcf07901c962ddac]

Stephan Mueller (1):
      random: add interrupt callback to VMBus IRQ handler
         [4b44f2d18a330565227a7348844493c59366171e]

Steven Rostedt (2):
      tracing: Move mutex to protect against resetting of seq data
         [1245800c0f96eb6ebb368593e251d66c01e61022]
      x86/paravirt: Do not trace _paravirt_ident_*() functions
         [15301a570754c7af60335d094dd2d1808b0641a5]

Sudeep Holla (1):
      i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended
         [331dcf421c34d227784d07943eb01e4023a42b0a]

Suzuki K Poulose (1):
      kvm-arm: Unmap shadow pagetables properly
         [293f293637b55db4f9f522a5a72514e98a541076]

Suzuki K. Poulose (1):
      arm64: perf: reject groups spanning multiple HW PMUs
         [8fff105e13041e49b82f92eef034f363a6b1c071]

Sven Eckelmann (10):
      ath9k: Fix programming of minCCA power threshold
         [aaab50fcea78ae3414c3afc25aae8d0603df34d0]
      batman-adv: Add missing refcnt for last_candidate
         [936523441bb64cdc9a5b263e8fd2782e70313a57]
      batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
         [10c78f5854d361ded4736c1831948e0a5f67b932]
      batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
         [60154a1e0495ffb8343a95cefe1e874634572fa8]
      batman-adv: Fix kerneldoc member names in for main structs
         [006a199d5d1d4e1666b0d8b4f51b5a978ddc6aab]
      batman-adv: Fix non-atomic bla_claim::backbone_gw access
         [3db0decf1185357d6ab2256d0dede1ca9efda03d]
      batman-adv: Fix orig_node_vlan leak on orig_node_release
         [33fbb1f3db87ce53da925b3e034b4dd446d483f8]
      batman-adv: Fix reference leak in batadv_find_router
         [15c2ed753cd9e3e746472deab8151337a5b6da56]
      batman-adv: Fix speedy join in gateway client mode
         [d1fe176ca51fa3cb35f70c1d876d9a090e9befce]
      batman-adv: Free last_bonding_candidate on release of orig_node
         [cbef1e102003edb236c6b2319ab269ccef963731]

Sven Van Asbroeck (1):
      power: supply: max17042_battery: fix model download bug.
         [5381cfb6f0422da24cfa9da35b0433c0415830e0]

Takashi Iwai (5):
      ALSA: ctl: Stop notification after disconnection
         [f388cdcdd160687c6650833f286b9c89c50960ff]
      ALSA: hda: Fix krealloc() with __GFP_ZERO usage
         [33baefe5e72f17a6df378e48196cd8cada11deec]
      ALSA: pcm: Free chmap at PCM free callback, too
         [a8ff48cb70835f48de5703052760312019afea55]
      ALSA: rawmidi: Fix possible deadlock with virmidi registration
         [816f318b2364262a51024096da7ca3b84e78e3b5]
      ALSA: timer: Fix zero-division by continue of uninitialized instance
         [9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b]

Takashi Sakamoto (1):
      ALSA: fireworks: accessing to user space outside spinlock
         [6b1ca4bcadf9ef077cc5f03c6822ba276ed14902]

Taras Kondratiuk (1):
      mmc: block: fix packed command header endianness
         [f68381a70bb2b26c31b13fdaf67c778f92fd32b4]

Tejun Heo (1):
      kernfs: don't depend on d_find_any_alias() when generating notifications
         [df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1]

Theodore Ts'o (3):
      ext4: validate s_reserved_gdt_blocks on mount
         [5b9554dc5bf008ae7f68a52e3d7e76c0920938a2]
      ext4: validate that metadata blocks do not overlap superblock
         [829fa70dddadf9dd041d62b82cd7cea63943899d]
      random: print a warning for the first ten uninitialized random users
         [9b4d008787f864f17d008c9c15bbe8a0f7e2fc24]

Thomas Garnier (1):
      PM / hibernate: Restore processor state before using per-CPU variables
         [62822e2ec4ad091ba31f823f577ef80db52e3c2c]

Thomas Petazzoni (1):
      ARM: mvebu: fix HW I/O coherency related deadlocks
         [c5379ba8fccd99d5f99632c789f0393d84a57805]

Trond Myklebust (2):
      NFSv4.1: Fix the CREATE_SESSION slot number accounting
         [b519d408ea32040b1c7e10b155a3ee9a36660947]
      NFSv4.x: Fix a refcount leak in nfs_callback_up_net
         [98b0f80c2396224bbbed81792b526e6c72ba9efa]

Tyrel Datwyler (1):
      scsi: fix upper bounds check of sense key in scsi_sense_key_string()
         [a87eeb900dbb9f8202f96604d56e47e67c936b9d]

Vegard Nossum (11):
      ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
         [11749e086b2766cccf6217a527ef5c5604ba069c]
      ALSA: timer: fix NULL pointer dereference on memory allocation failure
         [8ddc05638ee42b18ba4fe99b5fb647fa3ad20456]
      ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
         [6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33]
      block: fix use-after-free in seq file
         [77da160530dd1dc94f6ae15a981f24e5f0021e84]
      ext4: check for extents that wrap around
         [f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6]
      ext4: don't call ext4_should_journal_data() on the journal inode
         [6a7fd522a7c94cdef0a3b08acf8e6702056e635c]
      ext4: fix reference counting bug on block allocation error
         [554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e]
      ext4: short-cut orphan cleanup on error
         [c65d5c6c81a1f27dec5f627f67840726fcd146de]
      fs/seq_file: fix out-of-bounds read
         [088bf2ff5d12e2e32ee52a4024fec26e582f44d3]
      net/irda: fix NULL pointer dereference on memory allocation failure
         [d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d]
      xfrm: fix crash in XFRM_MSG_GETSA netlink handler
         [1ba5bf993c6a3142e18e68ea6452b347f9cb5635]

Vignesh R (2):
      gpio: pca953x: Fix NBANK calculation for PCA9536
         [a246b8198f776a16d1d3a3bbfc2d437bad766b29]
      iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
         [90c43ec6997a892448f1f86180a515f59cafd8a3]

Vincent Stehlé (1):
      ubifs: Fix assertion in layout_in_gaps()
         [c0082e985fdf77b02fc9e0dac3b58504dcf11b7a]

Vineet Gupta (2):
      ARC: uaccess: get_user to zero out dest in cause of fault
         [05d9d0b96e53c52a113fd783c0c97c830c8dc7af]
      ARC: use ASL assembler mnemonic
         [a6416f57ce57fb390b6ee30b12c01c29032a26af]

Vlad Tsyrklevich (1):
      vfio/pci: Fix integer overflows, bitmask check
         [05692d7005a364add85c6e25a6c4447ce08f913a]

Vladis Dronov (1):
      [media] usbvision: revert commit 588afcc1
         [d5468d7afaa9c9e961e150f0455a14a9f4872a98]

WANG Cong (1):
      ppp: defer netns reference release for ppp channel
         [205e1e255c479f3fd77446415706463b282f94e4]

Wanpeng Li (2):
      sched/cputime: Fix prev steal time accouting during CPU hotplug
         [3d89e5478bf550a50c99e93adf659369798263b0]
      x86/apic: Do not init irq remapping if ioapic is disabled
         [2e63ad4bd5dd583871e6602f9d398b9322d358d9]

Wei Fang (1):
      fuse: fix wrong assignment of ->flags in fuse_send_init()
         [9446385f05c9af25fed53dbed3cc75763730be52]

Wei Yongjun (1):
      ipv6: addrconf: fix dev refcont leak when DAD failed
         [751eb6b6042a596b0080967c1a529a9fe98dac1d]

Will Deacon (2):
      arm64: debug: unmask PSTATE.D earlier
         [2ce39ad15182604beb6c8fa8bed5e46b59fd1082]
      arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
         [872c63fbf9e153146b07f0cece4da0d70b283eeb]

Xiaolong Ye (1):
      PM / devfreq: Fix incorrect type issue.
         [5f25f066f75a67835abb5e400471a27abd09395b]

Yadi.hu (1):
      i2c-eg20t: fix race between i2c init and interrupt enable
         [371a015344b6e270e7e3632107d9554ec6d27a6b]

Yinghai Lu (1):
      megaraid_sas: Fix probing cards without io port
         [e7f851684efb3377e9c93aca7fae6e76212e5680]

Yoshihiro Shimoda (4):
      usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
         [4fdef698383db07d829da567e0e405fc41ff3a89]
      usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
         [519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15]
      usb: renesas_usbhs: fix the sequence in xfer_work()
         [9b53d9af7aac09cf249d72bfbf15f08e47c4f7fe]
      usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
         [15e4292a2d21e9997fdb2b8c014cc461b3f268f0]

Zefan Li (1):
      cpuset: make sure new tasks conform to the current config of the cpuset
         [06f4e94898918bcad00cdd4d349313a439d6911e]

Zheng Yan (1):
      libceph: set 'exists' flag for newly up osd
         [6dd74e44dc1df85f125982a8d6591bc4a76c9f5d]

Zhong Jiang (1):
      mm,ksm: fix endless looping in allocating memory when ksm enable
         [5b398e416e880159fe55eefd93c6588fa072cd66]

 Documentation/filesystems/porting                  |   4 +-
 Documentation/module-signing.txt                   |   6 +
 Makefile                                           |   4 +-
 arch/alpha/include/asm/uaccess.h                   |  19 ++-
 arch/arc/include/asm/irqflags.h                    |   2 +-
 arch/arc/include/asm/uaccess.h                     |  11 +-
 arch/arc/mm/tlbex.S                                |   6 +-
 arch/arm/boot/compressed/head.S                    |   2 +-
 arch/arm/boot/dts/kirkwood-ib62x0.dts              |   2 +-
 arch/arm/common/sa1111.c                           |  22 +--
 arch/arm/include/asm/dma-mapping.h                 |   2 +-
 arch/arm/kernel/sys_oabi-compat.c                  |   8 +-
 arch/arm/kvm/arm.c                                 |   2 -
 arch/arm/kvm/mmu.c                                 |   1 +
 arch/arm/mach-mvebu/coherency.c                    |  22 ++-
 .../mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c |   1 +
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c         |  12 ++
 arch/arm/mach-omap2/prcm43xx.h                     |   1 +
 arch/arm/mach-sa1100/generic.c                     |   3 +
 arch/arm/mm/dma-mapping.c                          |  59 +++++---
 arch/arm64/crypto/aes-glue.c                       |   2 +-
 arch/arm64/include/asm/elf.h                       |   1 +
 arch/arm64/include/asm/spinlock.h                  |  10 ++
 arch/arm64/include/uapi/asm/auxvec.h               |   2 +
 arch/arm64/kernel/debug-monitors.c                 |   1 -
 arch/arm64/kernel/perf_event.c                     |  21 ++-
 arch/arm64/kernel/smp.c                            |   1 -
 arch/arm64/mm/proc.S                               |   2 +
 arch/avr32/include/asm/uaccess.h                   |  11 +-
 arch/avr32/kernel/avr32_ksyms.c                    |   2 +-
 arch/avr32/lib/copy_user.S                         |   8 +-
 arch/avr32/mach-at32ap/pio.c                       |   2 +-
 arch/blackfin/include/asm/uaccess.h                |   9 +-
 arch/cris/include/asm/uaccess.h                    |  71 +++++-----
 arch/frv/include/asm/uaccess.h                     |  12 +-
 arch/hexagon/include/asm/uaccess.h                 |   3 +-
 arch/ia64/include/asm/uaccess.h                    |  20 ++-
 arch/m32r/include/asm/uaccess.h                    |   2 +-
 arch/metag/include/asm/cmpxchg_lnkget.h            |   2 +-
 arch/metag/include/asm/uaccess.h                   |   3 +-
 arch/microblaze/include/asm/uaccess.h              |  11 +-
 .../include/asm/mach-paravirt/kernel-entry-init.h  |   2 +
 arch/mips/include/asm/pgtable.h                    |   6 +-
 arch/mips/include/asm/r4kcache.h                   |   4 +
 arch/mips/include/asm/uaccess.h                    |   3 +
 arch/mips/kernel/scall64-n32.S                     |   2 +-
 arch/mips/kernel/scall64-o32.S                     |   2 +-
 arch/mips/kvm/kvm_mips.c                           |   2 +-
 arch/mips/kvm/kvm_mips_emul.c                      |  98 ++++++++++---
 arch/mips/kvm/kvm_tlb.c                            |  64 ++++++---
 arch/mips/mm/sc-rm7k.c                             |   2 +-
 arch/mips/mti-malta/malta-setup.c                  |   8 +-
 arch/mips/net/bpf_jit.c                            |   2 +-
 arch/mn10300/include/asm/uaccess.h                 |   1 +
 arch/mn10300/lib/usercopy.c                        |   4 +-
 arch/openrisc/include/asm/uaccess.h                |  35 ++---
 arch/parisc/include/asm/uaccess.h                  |   7 +-
 arch/parisc/include/uapi/asm/errno.h               |   4 +-
 arch/powerpc/include/asm/pci-bridge.h              |   1 +
 arch/powerpc/include/asm/uaccess.h                 |  21 +--
 arch/powerpc/kernel/exceptions-64s.S               |  39 ++----
 arch/powerpc/kernel/mce.c                          |   3 +-
 arch/powerpc/kernel/pci-common.c                   |  36 +++++
 arch/powerpc/kernel/prom_init.c                    |   9 +-
 arch/powerpc/kernel/tm.S                           |   3 +-
 arch/powerpc/platforms/powernv/opal-dump.c         |   7 +-
 arch/powerpc/platforms/powernv/opal-elog.c         |   7 +-
 arch/powerpc/platforms/powernv/opal.c              |   1 +
 arch/powerpc/platforms/pseries/pci.c               |   4 +
 arch/powerpc/platforms/pseries/pci_dlpar.c         |   7 +-
 arch/s390/include/asm/elf.h                        |   1 +
 arch/s390/include/asm/tlbflush.h                   |   3 +-
 arch/s390/include/asm/uaccess.h                    |   8 +-
 arch/s390/include/uapi/asm/auxvec.h                |   2 +
 arch/s390/mm/pgtable.c                             |   4 +-
 arch/score/include/asm/uaccess.h                   |  46 +++---
 arch/sh/include/asm/uaccess.h                      |   5 +-
 arch/sh/include/asm/uaccess_64.h                   |   1 +
 arch/sparc/include/asm/uaccess_32.h                |   4 +-
 arch/tile/include/asm/elf.h                        |   1 +
 arch/tile/include/uapi/asm/auxvec.h                |   2 +
 arch/x86/boot/compressed/eboot.c                   |  20 ++-
 arch/x86/include/asm/tlbflush.h                    |   7 +
 arch/x86/include/asm/uaccess.h                     |   6 +-
 arch/x86/kernel/apic/apic.c                        |   3 +
 arch/x86/kernel/cpu/amd.c                          |  14 ++
 arch/x86/kernel/cpu/perf_event_amd.c               |   4 +-
 arch/x86/kernel/early-quirks.c                     | 105 ++++++++++++--
 arch/x86/kernel/paravirt.c                         |   4 +-
 arch/x86/kvm/vmx.c                                 |  77 +++++++---
 arch/x86/syscalls/syscall_32.tbl                   |   2 +-
 block/genhd.c                                      |   3 +-
 crypto/blkcipher.c                                 |   3 +-
 crypto/cryptd.c                                    |   9 +-
 crypto/gcm.c                                       |   4 +-
 crypto/scatterwalk.c                               |   3 +-
 drivers/bcma/bcma_private.h                        |   2 -
 drivers/bluetooth/ath3k.c                          |   4 +
 drivers/bluetooth/btusb.c                          |   2 +
 drivers/char/hw_random/omap-rng.c                  |  16 ++-
 drivers/char/random.c                              |  13 +-
 drivers/char/tpm/tpm_tis.c                         |   9 +-
 drivers/clocksource/sun4i_timer.c                  |   9 +-
 drivers/crypto/caam/caamhash.c                     |   1 +
 drivers/crypto/nx/nx.c                             |   2 +-
 drivers/devfreq/devfreq.c                          |   2 +-
 drivers/firewire/net.c                             |  51 ++++---
 drivers/firmware/efi/efi-stub-helper.c             |  96 +++++++++----
 drivers/firmware/efi/fdt.c                         |  13 +-
 drivers/gpio/Kconfig                               |   1 +
 drivers/gpio/gpio-intel-mid.c                      |  19 ---
 drivers/gpio/gpio-pca953x.c                        |   2 +-
 drivers/gpu/drm/drm_crtc.c                         |   3 +
 drivers/gpu/drm/drm_edid.c                         |   8 ++
 drivers/gpu/drm/i915/intel_display.c               |  20 +--
 drivers/gpu/drm/msm/msm_drv.h                      |   6 +
 drivers/gpu/drm/msm/msm_gem.c                      |   9 ++
 drivers/gpu/drm/msm/msm_gem_submit.c               |  37 ++++-
 drivers/gpu/drm/nouveau/nouveau_acpi.c             |  76 +++++-----
 drivers/gpu/drm/nouveau/nouveau_drm.c              |   5 +-
 drivers/gpu/drm/nouveau/nv04_fbcon.c               |   4 +-
 drivers/gpu/drm/nouveau/nv50_fbcon.c               |   2 +-
 drivers/gpu/drm/nouveau/nvc0_fbcon.c               |   2 +-
 drivers/gpu/drm/qxl/qxl_draw.c                     |   2 +
 drivers/gpu/drm/radeon/atombios_encoders.c         |   1 +
 drivers/gpu/drm/radeon/radeon_atombios.c           |   4 +-
 drivers/gpu/drm/radeon/radeon_atpx_handler.c       |   5 +
 drivers/gpu/drm/radeon/radeon_connectors.c         |  15 +-
 drivers/gpu/drm/radeon/radeon_device.c             |   4 +
 drivers/gpu/drm/radeon/radeon_kms.c                |   4 +-
 drivers/gpu/drm/radeon/radeon_ttm.c                |   4 +-
 drivers/gpu/drm/radeon/si_dpm.c                    |   6 +
 drivers/hid/uhid.c                                 |  33 +++--
 drivers/hv/vmbus_drv.c                             |   3 +
 drivers/hwmon/adt7411.c                            |   5 +-
 drivers/i2c/busses/i2c-efm32.c                     |   2 +-
 drivers/i2c/busses/i2c-eg20t.c                     |  18 ++-
 drivers/i2c/busses/i2c-qup.c                       |   3 +-
 drivers/i2c/muxes/i2c-mux-pca954x.c                |   2 +-
 drivers/iio/accel/kxsd9.c                          |   2 +
 drivers/iio/adc/at91_adc.c                         |   4 +-
 drivers/iio/adc/ti_am335x_adc.c                    |  14 +-
 .../iio/common/hid-sensors/hid-sensor-attributes.c |   4 +-
 drivers/iio/industrialio-core.c                    |   5 +-
 drivers/iio/proximity/as3935.c                     |   2 +-
 drivers/infiniband/core/multicast.c                |  13 +-
 drivers/infiniband/hw/mlx4/mad.c                   |  23 +++
 drivers/infiniband/hw/mlx4/mcg.c                   |  14 +-
 drivers/infiniband/hw/mlx4/mlx4_ib.h               |   2 +-
 drivers/infiniband/hw/mlx4/qp.c                    |  37 ++---
 drivers/infiniband/ulp/ipoib/ipoib.h               |   1 +
 drivers/infiniband/ulp/ipoib/ipoib_cm.c            |  16 +++
 drivers/infiniband/ulp/ipoib/ipoib_ib.c            |   9 ++
 drivers/infiniband/ulp/ipoib/ipoib_main.c          |   2 +-
 drivers/input/joystick/xpad.c                      |   3 +
 drivers/input/keyboard/tegra-kbc.c                 |   2 +-
 drivers/input/serio/i8042.c                        |  17 +--
 drivers/input/serio/libps2.c                       |  10 +-
 drivers/md/bcache/super.c                          |  11 +-
 drivers/md/dm-crypt.c                              |   2 +-
 drivers/md/dm-flakey.c                             |  23 +--
 drivers/media/dvb-core/dvb_ringbuffer.c            |  96 +++++++++++--
 drivers/media/dvb-core/dvb_ringbuffer.h            |   2 +
 drivers/media/pci/ngene/ngene-dvb.c                |   2 +-
 drivers/media/platform/s5p-mfc/s5p_mfc.c           |  11 ++
 drivers/media/usb/em28xx/em28xx-i2c.c              |   5 +-
 drivers/media/usb/usbvision/usbvision-video.c      |   7 -
 drivers/mmc/card/block.c                           |  12 +-
 drivers/mtd/maps/pmcmsp-flash.c                    |   6 +-
 drivers/mtd/nand/davinci_nand.c                    |   3 +
 drivers/mtd/nand/nand_base.c                       |   2 +-
 drivers/mtd/ubi/attach.c                           |  27 +++-
 drivers/mtd/ubi/build.c                            |   5 +-
 drivers/mtd/ubi/ubi.h                              |   3 +
 drivers/mtd/ubi/vmt.c                              |  25 +++-
 drivers/net/can/dev.c                              |  27 ++--
 drivers/net/can/flexcan.c                          |  13 +-
 drivers/net/ethernet/ethoc.c                       |  10 +-
 drivers/net/ethernet/marvell/mvneta.c              |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |  85 +++++++----
 drivers/net/macvlan.c                              |  10 +-
 drivers/net/ppp/ppp_generic.c                      |   5 +-
 drivers/net/tun.c                                  |   5 +-
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c     |   2 +-
 drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c   |   4 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c  |   2 +-
 drivers/net/wireless/brcm80211/brcmsmac/dma.c      |   4 +-
 drivers/net/wireless/brcm80211/brcmsmac/stf.c      |   2 +-
 drivers/net/wireless/iwlwifi/pcie/tx.c             |   4 +-
 drivers/pci/quirks.c                               |  10 +-
 drivers/platform/x86/hp-wmi.c                      |   7 +-
 drivers/power/max17042_battery.c                   |  15 +-
 drivers/pps/clients/pps_parport.c                  |   2 +-
 drivers/rtc/rtc-ds1307.c                           |  28 +++-
 drivers/s390/block/dasd.c                          |  10 +-
 drivers/scsi/aacraid/commctrl.c                    |  13 +-
 drivers/scsi/arcmsr/arcmsr_hba.c                   |   8 +-
 drivers/scsi/constants.c                           |   5 +-
 drivers/scsi/megaraid/megaraid_sas_base.c          |   6 +-
 drivers/scsi/megaraid/megaraid_sas_fusion.c        |   2 +-
 drivers/staging/comedi/drivers/daqboard2000.c      |   2 +-
 drivers/staging/comedi/drivers/ni_mio_common.c     |  12 +-
 drivers/staging/lustre/lustre/llite/llite_lib.c    |   2 +-
 drivers/target/iscsi/iscsi_target.c                |  22 ++-
 drivers/target/iscsi/iscsi_target_login.c          |   5 +-
 drivers/target/target_core_device.c                |   8 +-
 drivers/target/target_core_file.c                  |   3 +-
 drivers/target/target_core_iblock.c                |   3 +-
 drivers/target/target_core_transport.c             |   9 +-
 drivers/tty/serial/8250/8250_pci.c                 | 139 ++++++++++++++++++
 drivers/tty/serial/atmel_serial.c                  |  14 +-
 drivers/tty/serial/samsung.c                       |  16 ++-
 drivers/tty/serial/sunhv.c                         |   6 -
 drivers/tty/vt/keyboard.c                          |  30 ++--
 drivers/usb/class/cdc-acm.c                        |   5 +-
 drivers/usb/class/cdc-acm.h                        |   1 -
 drivers/usb/core/config.c                          |  93 ++++++++++--
 drivers/usb/core/devio.c                           |  16 ++-
 drivers/usb/core/quirks.c                          |   6 +
 drivers/usb/dwc3/gadget.c                          |  23 +--
 drivers/usb/gadget/fsl_qe_udc.c                    |   9 +-
 drivers/usb/gadget/udc-core.c                      |   2 +-
 drivers/usb/host/xhci-hub.c                        |   3 +
 drivers/usb/host/xhci-pci.c                        |   3 +-
 drivers/usb/host/xhci-ring.c                       |  13 +-
 drivers/usb/misc/usbtest.c                         |   7 +-
 drivers/usb/renesas_usbhs/fifo.c                   |  22 ++-
 drivers/usb/renesas_usbhs/mod.c                    |  11 +-
 drivers/usb/renesas_usbhs/mod_gadget.c             |   9 +-
 drivers/usb/serial/ftdi_sio.c                      |   3 +
 drivers/usb/serial/ftdi_sio_ids.h                  |  12 ++
 drivers/usb/serial/mos7720.c                       |   2 +-
 drivers/usb/serial/mos7840.c                       |   4 +-
 drivers/usb/serial/option.c                        |  34 +++++
 drivers/usb/serial/usb-serial-simple.c             |   3 +-
 drivers/usb/serial/usb-serial.c                    |   4 +-
 drivers/vfio/pci/vfio_pci.c                        |  33 +++--
 drivers/vfio/pci/vfio_pci_intrs.c                  |  69 +++++----
 drivers/virtio/virtio_balloon.c                    |   2 +
 drivers/xen/xenbus/xenbus_dev_frontend.c           |  14 +-
 fs/9p/acl.c                                        |  40 +++---
 fs/9p/vfs_inode.c                                  |   2 +-
 fs/9p/vfs_inode_dotl.c                             |   2 +-
 fs/adfs/inode.c                                    |   2 +-
 fs/affs/inode.c                                    |   2 +-
 fs/attr.c                                          |  35 +++--
 fs/btrfs/acl.c                                     |   6 +-
 fs/btrfs/inode.c                                   |   2 +-
 fs/btrfs/ioctl.c                                   |  12 ++
 fs/btrfs/tree-log.c                                |   2 +
 fs/ceph/acl.c                                      |   6 +-
 fs/ceph/file.c                                     |  12 +-
 fs/ceph/inode.c                                    |   2 +-
 fs/cifs/cifsencrypt.c                              |  16 ++-
 fs/cifs/dir.c                                      |  24 +++-
 fs/cifs/inode.c                                    |   4 +-
 fs/cifs/smb2ops.c                                  |  30 +++-
 fs/ecryptfs/inode.c                                |   2 +-
 fs/exofs/inode.c                                   |   2 +-
 fs/ext2/acl.c                                      |  12 +-
 fs/ext2/inode.c                                    |   2 +-
 fs/ext3/acl.c                                      |  12 +-
 fs/ext3/inode.c                                    |   2 +-
 fs/ext4/acl.c                                      |  12 +-
 fs/ext4/balloc.c                                   |   3 +
 fs/ext4/extents.c                                  |   8 +-
 fs/ext4/inode.c                                    |  37 ++++-
 fs/ext4/mballoc.c                                  |  17 +--
 fs/ext4/super.c                                    |  35 ++++-
 fs/f2fs/acl.c                                      |   6 +-
 fs/f2fs/file.c                                     |   2 +-
 fs/fat/file.c                                      |   2 +-
 fs/fuse/dir.c                                      |   9 +-
 fs/fuse/file.c                                     |  24 ++++
 fs/fuse/fuse_i.h                                   |   2 +-
 fs/fuse/inode.c                                    |   2 +-
 fs/gfs2/acl.c                                      |  12 +-
 fs/gfs2/inode.c                                    |   2 +-
 fs/hfs/inode.c                                     |   2 +-
 fs/hfsplus/inode.c                                 |   2 +-
 fs/hfsplus/posix_acl.c                             |   4 +-
 fs/hostfs/hostfs_kern.c                            |   9 +-
 fs/hpfs/inode.c                                    |   2 +-
 fs/hugetlbfs/inode.c                               |   2 +-
 fs/jffs2/acl.c                                     |   9 +-
 fs/jffs2/fs.c                                      |   2 +-
 fs/jfs/acl.c                                       |   6 +-
 fs/jfs/file.c                                      |   2 +-
 fs/kernfs/file.c                                   |  28 +++-
 fs/kernfs/inode.c                                  |   2 +-
 fs/libfs.c                                         |   2 +-
 fs/logfs/file.c                                    |   2 +-
 fs/minix/file.c                                    |   2 +-
 fs/ncpfs/inode.c                                   |   2 +-
 fs/nfs/callback.c                                  |   1 +
 fs/nfs/callback_xdr.c                              |   6 +-
 fs/nfs/nfs4proc.c                                  |  13 +-
 fs/nfs/write.c                                     |   5 +-
 fs/nfsd/vfs.c                                      |  12 +-
 fs/nilfs2/inode.c                                  |   2 +-
 fs/notify/fanotify/fanotify.c                      |  13 +-
 fs/notify/fanotify/fanotify_user.c                 |  36 +++--
 fs/notify/group.c                                  |  19 +++
 fs/notify/notification.c                           |  23 +--
 fs/ntfs/inode.c                                    |   2 +-
 fs/ocfs2/acl.c                                     |   9 +-
 fs/ocfs2/dlm/dlmconvert.c                          |  12 +-
 fs/ocfs2/dlmfs/dlmfs.c                             |   2 +-
 fs/ocfs2/file.c                                    |  36 +++--
 fs/omfs/file.c                                     |   2 +-
 fs/posix_acl.c                                     |  31 ++++
 fs/proc/base.c                                     |   2 +-
 fs/proc/generic.c                                  |   2 +-
 fs/proc/proc_sysctl.c                              |   2 +-
 fs/ramfs/file-nommu.c                              |   2 +-
 fs/reiserfs/inode.c                                |   2 +-
 fs/reiserfs/xattr_acl.c                            |   8 +-
 fs/seq_file.c                                      |   4 +-
 fs/sysv/file.c                                     |   2 +-
 fs/ubifs/file.c                                    |   2 +-
 fs/ubifs/tnc_commit.c                              |   2 +-
 fs/udf/file.c                                      |   2 +-
 fs/ufs/truncate.c                                  |   2 +-
 fs/utimes.c                                        |   4 +-
 fs/xfs/xfs_acl.c                                   |  16 +--
 fs/xfs/xfs_file.c                                  |   2 +-
 fs/xfs/xfs_ioctl.c                                 |   2 +-
 fs/xfs/xfs_iops.c                                  |  16 ++-
 fs/xfs/xfs_iops.h                                  |   6 +-
 include/asm-generic/uaccess.h                      |  20 ++-
 include/linux/backing-dev.h                        |   2 +
 include/linux/bcma/bcma.h                          |   1 +
 include/linux/can/dev.h                            |   3 +-
 include/linux/compiler-gcc.h                       |   2 +-
 include/linux/efi.h                                |   9 ++
 include/linux/fs.h                                 |   2 +-
 include/linux/fsnotify_backend.h                   |   6 +-
 include/linux/i8042.h                              |   6 -
 include/linux/mlx5/qp.h                            |   4 +-
 include/linux/mroute.h                             |   2 +-
 include/linux/mroute6.h                            |   2 +-
 include/linux/netfilter/x_tables.h                 |   4 +
 include/linux/pagemap.h                            |  38 ++---
 include/linux/posix_acl.h                          |   1 +
 include/linux/radix-tree.h                         |   1 +
 include/linux/serio.h                              |  24 +++-
 include/linux/swap.h                               |   2 +
 include/net/inet_ecn.h                             |   3 +-
 include/net/tcp.h                                  |   2 +
 include/target/target_core_backend.h               |   2 +-
 ipc/msg.c                                          |   2 +-
 ipc/sem.c                                          |  12 +-
 kernel/cpuset.c                                    |  15 ++
 kernel/fork.c                                      |  10 +-
 kernel/module.c                                    |  13 +-
 kernel/posix-cpu-timers.c                          |   1 +
 kernel/power/hibernate.c                           |   4 +-
 kernel/printk/braille.c                            |   4 +-
 kernel/sched/core.c                                |  23 ++-
 kernel/sched/sched.h                               |  13 --
 kernel/time/timekeeping_debug.c                    |   9 +-
 kernel/trace/trace.c                               |  15 +-
 lib/mpi/mpicoder.c                                 |   2 +-
 mm/backing-dev.c                                   |  19 +++
 mm/filemap.c                                       |  86 ++++++------
 mm/hugetlb.c                                       |   4 +
 mm/ksm.c                                           |   3 +-
 mm/shmem.c                                         |   2 +-
 mm/workingset.c                                    |  10 +-
 net/batman-adv/bridge_loop_avoidance.c             | 137 +++++++++++++++---
 net/batman-adv/distributed-arp-table.c             |  10 +-
 net/batman-adv/originator.c                        |  15 ++
 net/batman-adv/routing.c                           |  80 +++++++++--
 net/batman-adv/send.c                              |   4 +-
 net/batman-adv/types.h                             |  20 ++-
 net/bluetooth/l2cap_sock.c                         |   2 +-
 net/bluetooth/rfcomm/sock.c                        |  20 +--
 net/ceph/osdmap.c                                  | 156 +++++++++++++++------
 net/ipv4/ipmr.c                                    |   3 +-
 net/ipv4/netfilter/arp_tables.c                    |  36 +++--
 net/ipv4/netfilter/ip_tables.c                     |  33 ++++-
 net/ipv4/route.c                                   |   3 +-
 net/ipv4/tcp_fastopen.c                            |   1 +
 net/ipv4/tcp_input.c                               |   3 +-
 net/ipv4/tcp_output.c                              |   3 +-
 net/ipv6/addrconf.c                                |   9 ++
 net/ipv6/ip6_gre.c                                 |   2 +-
 net/ipv6/ip6mr.c                                   |   5 +-
 net/ipv6/netfilter/ip6_tables.c                    |  33 ++++-
 net/ipv6/route.c                                   |   4 +-
 net/irda/af_irda.c                                 |  12 +-
 net/l2tp/l2tp_core.c                               |   3 +
 net/l2tp/l2tp_ppp.c                                |   7 +-
 net/mac80211/cfg.c                                 |   2 +-
 net/mac80211/tx.c                                  |   6 +-
 net/netfilter/nf_conntrack_expect.c                |   2 +-
 net/netfilter/nfnetlink_queue_core.c               |   6 +-
 net/netfilter/x_tables.c                           |  50 +++++++
 net/netlabel/netlabel_kapi.c                       |  12 +-
 net/sched/sch_generic.c                            |   9 +-
 net/sunrpc/auth_gss/auth_gss.c                     |   8 +-
 net/sunrpc/svc.c                                   |   7 +-
 net/wireless/nl80211.c                             |   2 +-
 net/xfrm/xfrm_state.c                              |   1 +
 net/xfrm/xfrm_user.c                               |  15 +-
 scripts/recordmcount.c                             |   9 +-
 security/keys/proc.c                               |   2 +-
 sound/core/control.c                               |   2 +
 sound/core/pcm.c                                   |  14 +-
 sound/core/rawmidi.c                               |   4 +-
 sound/core/timer.c                                 |  34 ++++-
 sound/firewire/fireworks/fireworks.h               |   1 -
 sound/firewire/fireworks/fireworks_hwdep.c         |  71 +++++++---
 sound/firewire/fireworks/fireworks_proc.c          |   4 +-
 sound/firewire/fireworks/fireworks_transaction.c   |   5 +-
 sound/pci/hda/hda_codec.c                          |   4 +-
 sound/pci/hda/hda_intel.c                          |   4 +-
 sound/pci/hda/patch_realtek.c                      |   9 ++
 sound/soc/omap/omap-mcpdm.c                        |   5 +-
 tools/vm/slabinfo.c                                |   3 +-
 virt/kvm/kvm_main.c                                |   2 +
 421 files changed, 3505 insertions(+), 1568 deletions(-)

-- 
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 013/346] ARM: mvebu: fix HW I/O coherency related deadlocks
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Gregory CLEMENT, Terry Stockert, Thomas Petazzoni, Romain Perier

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

commit c5379ba8fccd99d5f99632c789f0393d84a57805 upstream.

Until now, our understanding for HW I/O coherency to work on the
Cortex-A9 based Marvell SoC was that only the PCIe regions should be
mapped strongly-ordered. However, we were still encountering some
deadlocks, especially when testing the CESA crypto engine. After
checking with the HW designers, it was concluded that all the MMIO
registers should be mapped as strongly ordered for the HW I/O coherency
mechanism to work properly.

This fixes some easy to reproduce deadlocks with the CESA crypto engine
driver (dmcrypt on a sufficiently large disk partition).

Tested-by: Terry Stockert <stockert@inkblotadmirer.me>
Tested-by: Romain Perier <romain.perier@free-electrons.com>
Cc: Terry Stockert <stockert@inkblotadmirer.me>
Cc: Romain Perier <romain.perier@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-mvebu/coherency.c | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

--- a/arch/arm/mach-mvebu/coherency.c
+++ b/arch/arm/mach-mvebu/coherency.c
@@ -315,22 +315,16 @@ static void __init armada_370_coherency_
 }
 
 /*
- * This ioremap hook is used on Armada 375/38x to ensure that PCIe
- * memory areas are mapped as MT_UNCACHED instead of MT_DEVICE. This
- * is needed as a workaround for a deadlock issue between the PCIe
- * interface and the cache controller.
+ * This ioremap hook is used on Armada 375/38x to ensure that all MMIO
+ * areas are mapped as MT_UNCACHED instead of MT_DEVICE. This is
+ * needed for the HW I/O coherency mechanism to work properly without
+ * deadlock.
  */
 static void __iomem *
-armada_pcie_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
-			      unsigned int mtype, void *caller)
+armada_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
+			 unsigned int mtype, void *caller)
 {
-	struct resource pcie_mem;
-
-	mvebu_mbus_get_pcie_mem_aperture(&pcie_mem);
-
-	if (pcie_mem.start <= phys_addr && (phys_addr + size) <= pcie_mem.end)
-		mtype = MT_UNCACHED;
-
+	mtype = MT_UNCACHED;
 	return __arm_ioremap_caller(phys_addr, size, mtype, caller);
 }
 
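Review bot: In armada_wa_ioremap_caller() the new 'mtype = MT_UNCACHED;' discards whatever memory type the caller requested, so the mtype parameter is now dead and every mapping made through this hook becomes strongly ordered regardless of what was asked for. The rewritten comment says "all MMIO areas", which matches, but it should also say that the requested type is ignored on purpose. Please confirm that no Armada 375/38x user relies on a different mapping type. Passing MT_UNCACHED directly in the __arm_ioremap_caller() call would make the override harder to miss than reassigning the parameter.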
@@ -339,7 +333,7 @@ static void __init armada_375_380_cohere
 	struct device_node *cache_dn;
 
 	coherency_cpu_base = of_iomap(np, 0);
-	arch_ioremap_caller = armada_pcie_wa_ioremap_caller;
+	arch_ioremap_caller = armada_wa_ioremap_caller;
 
 	/*
 	 * We should switch the PL310 to I/O coherency mode only if


* [PATCH 3.16 021/346] tty/serial: atmel: fix RS485 half duplex with DMA
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicolas Ferre, Alexandre Belloni, Greg Kroah-Hartman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Belloni <alexandre.belloni@free-electrons.com>

commit 0058f0871efe7b01c6f2b3046c68196ab73e96da upstream.

When using DMA, half duplex doesn't work properly because rx is not stopped
before starting tx. Ensure we call atmel_stop_rx() in the DMA case.

Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Adjust context
 - Keep using UART_GET_PTSR()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/atmel_serial.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -434,19 +434,21 @@ static void atmel_start_tx(struct uart_p
 {
 	struct atmel_uart_port *atmel_port = to_atmel_uart_port(port);
 
-	if (atmel_use_pdc_tx(port)) {
-		if (UART_GET_PTSR(port) & ATMEL_PDC_TXTEN)
-			/* The transmitter is already running.  Yes, we
-			   really need this.*/
-			return;
+	if (atmel_use_pdc_tx(port) && (UART_GET_PTSR(port)
+				       & ATMEL_PDC_TXTEN))
+		/* The transmitter is already running.  Yes, we
+		   really need this.*/
+		return;
 
+	if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port))
 		if ((atmel_port->rs485.flags & SER_RS485_ENABLED) &&
 		    !(atmel_port->rs485.flags & SER_RS485_RX_DURING_TX))
 			atmel_stop_rx(port);
 
+	if (atmel_use_pdc_tx(port))
 		/* re-enable PDC transmit */
 		UART_PUT_PTCR(port, ATMEL_PDC_TXTEN);
-	}
+
 	/* Enable interrupts */
 	UART_PUT_IER(port, atmel_port->tx_done_mask);
 }
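Review bot: The rewritten atmel_start_tx() nests an unbraced multi-line 'if' inside the new unbraced 'if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port))', and leaves a comment between 'if (atmel_use_pdc_tx(port))' and its single statement; both bodies should get braces so a later edit cannot detach them from their condition. The early return for an already running transmitter still applies only to the PDC case, so with DMA atmel_stop_rx() now runs on every atmel_start_tx() call while RS485 is enabled without SER_RS485_RX_DURING_TX; please confirm that repeated calls are harmless. atmel_use_pdc_tx(port) is also evaluated three times and could be cached in a local.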


* [PATCH 3.16 001/346] lib/mpi: mpi_read_raw_data(): fix nbits calculation
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Nicolai Stange

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolai Stange <nicstange@gmail.com>

commit eef0df6a59537032ab6b708f30b28d9530f8760e upstream.

The number of bits, nbits, is calculated in mpi_read_raw_data() as follows:

  nbits = nbytes * 8;

Afterwards, the number of leading zero bits of the first byte get
subtracted:

  nbits -= count_leading_zeros(buffer[0]);

However, count_leading_zeros() takes an unsigned long and thus,
the u8 gets promoted to an unsigned long.

Thus, the above doesn't subtract the number of leading zeros in the most
significant nonzero input byte from nbits, but the number of leading
zeros of the most significant nonzero input byte promoted to unsigned long,
i.e. BITS_PER_LONG - 8 too many.

Fix this by subtracting

  count_leading_zeros(...) - (BITS_PER_LONG - 8)

from nbits only.

Fixes: e1045992949 ("MPILIB: Provide a function to read raw data into an
                     MPI")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/mpi/mpicoder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -48,7 +48,7 @@ MPI mpi_read_raw_data(const void *xbuffe
 		return NULL;
 	}
 	if (nbytes > 0)
-		nbits -= count_leading_zeros(buffer[0]);
+		nbits -= count_leading_zeros(buffer[0]) - (BITS_PER_LONG - 8);
 	else
 		nbits = 0;
 
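Review bot: The corrected line 'nbits -= count_leading_zeros(buffer[0]) - (BITS_PER_LONG - 8);' still passes buffer[0] with no visible check that it is nonzero, while the commit message reasons about the most significant nonzero input byte. If a caller can supply a leading zero byte, the result depends on what count_leading_zeros(0) returns on the architecture, so either strip leading zero bytes before this point or document the expected behaviour. A one-line comment saying that the subtraction compensates for the u8 being promoted to unsigned long would keep the constant 8 from looking arbitrary.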

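The promotion error described in the commit message above, as an added user-space example (not code from the patch or from the kernel tree). clz_long() is an assumed stand-in for count_leading_zeros() built on the GCC/Clang builtin __builtin_clzl, nbits is held in a signed long so the pre-fix error is visible as a number, and the sample buffers are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(sizeof(unsigned long) * CHAR_BIT))

/* Constructed sample inputs: raw big-endian integers, most significant byte first. */
static const uint8_t sample_one[1] = { 0x01 };       /* value 1, bit length 1 */
static const uint8_t sample_modulus[256] = { 0xC3 }; /* top bit set, bit length 2048 */

/*
 * Assumed stand-in for count_leading_zeros(): it takes an unsigned long, so
 * a u8 argument is widened before the zeros are counted. Returning
 * BITS_PER_LONG for 0 is an assumption of this example.
 */
static int clz_long(unsigned long x)
{
	return x ? __builtin_clzl(x) : BITS_PER_LONG;
}

/* Calculation as it stood before the patch. */
static long nbits_before_fix(const uint8_t *buffer, size_t nbytes)
{
	long nbits = (long)nbytes * 8;

	if (nbytes > 0)
		nbits -= clz_long(buffer[0]);
	else
		nbits = 0;
	return nbits;
}

/* Calculation with the correction from the patch applied. */
static long nbits_after_fix(const uint8_t *buffer, size_t nbytes)
{
	long nbits = (long)nbytes * 8;

	if (nbytes > 0)
		nbits -= clz_long(buffer[0]) - (BITS_PER_LONG - 8);
	else
		nbits = 0;
	return nbits;
}

/* Independent reference: walk the first byte bit by bit, no widening involved. */
static long nbits_reference(const uint8_t *buffer, size_t nbytes)
{
	long nbits = (long)nbytes * 8;

	if (nbytes == 0)
		return 0;
	for (uint8_t mask = 0x80; mask && !(buffer[0] & mask); mask >>= 1)
		nbits--;
	return nbits;
}

/* Returns 1 if the fixed formula agrees with the reference for every first byte. */
static int fix_matches_reference(void)
{
	uint8_t buf[4] = { 0 };

	for (size_t nbytes = 1; nbytes <= sizeof(buf); nbytes++) {
		for (int first = 0; first < 256; first++) {
			buf[0] = (uint8_t)first;
			if (nbits_after_fix(buf, nbytes) != nbits_reference(buf, nbytes))
				return 0;
		}
	}
	return 1;
}

int main(void)
{
	printf("BITS_PER_LONG = %d\n", BITS_PER_LONG);
	printf("1-byte value 0x01:  before %ld, after %ld\n",
	       nbits_before_fix(sample_one, sizeof(sample_one)),
	       nbits_after_fix(sample_one, sizeof(sample_one)));
	printf("256-byte, top 0xC3: before %ld, after %ld\n",
	       nbits_before_fix(sample_modulus, sizeof(sample_modulus)),
	       nbits_after_fix(sample_modulus, sizeof(sample_modulus)));
	return fix_matches_reference() ? 0 : 1;
}
```

The pre-fix result is always BITS_PER_LONG - 8 bits too small, which for a short input is a negative number here and would wrap if nbits were unsigned.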

* [PATCH 3.16 030/346] ath9k: Fix programming of minCCA power threshold
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Sujith Manoharan, Simon Wunderlich, Kalle Valo

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit aaab50fcea78ae3414c3afc25aae8d0603df34d0 upstream.

The function ar9003_hw_apply_minccapwr_thresh takes as second parameter not
a pointer to the channel but a boolean value describing whether the channel
is 2.4GHz or not. This broke (according to the origin commit) the ETSI
regulatory compliance on 5GHz channels.

Fixes: 3533bf6b15a0 ("ath9k: Fix regulatory compliance")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Cc: Simon Wunderlich <sw@simonwunderlich.de>
Cc: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -4169,7 +4169,7 @@ static void ath9k_hw_ar9300_set_board_va
 	if (!AR_SREV_9330(ah) && !AR_SREV_9340(ah) && !AR_SREV_9531(ah))
 		ar9003_hw_internal_regulator_apply(ah);
 	ar9003_hw_apply_tuning_caps(ah);
-	ar9003_hw_apply_minccapwr_thresh(ah, chan);
+	ar9003_hw_apply_minccapwr_thresh(ah, is2ghz);
 	ar9003_hw_txend_to_xpa_off_apply(ah, is2ghz);
 	ar9003_hw_thermometer_apply(ah);
 	ar9003_hw_thermo_cal_apply(ah);
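Review bot: The removed call 'ar9003_hw_apply_minccapwr_thresh(ah, chan)' passed a pointer where the commit message says a boolean is expected, and a non-NULL pointer reads as true, so this class of mistake is easy to repeat at the neighbouring *_apply() calls in this function. Please check the other callers of ar9003_hw_apply_minccapwr_thresh() for the same argument, and make sure the prototype names the parameter is2ghz with type bool so the intent is visible at the call site.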


* [PATCH 3.16 008/346] PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chris Blake, Bjorn Helgaas

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Blake <chrisrblake93@gmail.com>

commit 9ac0108c2bac3f1d0255f64fb89fc27e71131b24 upstream.

Similar to the AR93xx series, the AR94xx and the Qualcomm QCA988x also have
the same quirk for the Bus Reset.

Fixes: c3e59ee4e766 ("PCI: Mark Atheros AR93xx to avoid bus reset")
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/quirks.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3074,13 +3074,15 @@ static void quirk_no_bus_reset(struct pc
 }
 
 /*
- * Atheros AR93xx chips do not behave after a bus reset.  The device will
- * throw a Link Down error on AER-capable systems and regardless of AER,
- * config space of the device is never accessible again and typically
- * causes the system to hang or reset when access is attempted.
+ * Some Atheros AR9xxx and QCA988x chips do not behave after a bus reset.
+ * The device will throw a Link Down error on AER-capable systems and
+ * regardless of AER, config space of the device is never accessible again
+ * and typically causes the system to hang or reset when access is attempted.
  * http://www.spinics.net/lists/linux-pci/msg34797.html
  */
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
 
 static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f,
 			  struct pci_fixup *end)
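Review bot: The two added DECLARE_PCI_FIXUP_HEADER lines use the bare device IDs 0x0032 and 0x003c, and the reworded comment speaks only of "Some Atheros AR9xxx and QCA988x chips", so a reader cannot tell which ID belongs to which part. The subject names AR9485 and QCA9882; a trailing comment on each line giving the chip for its ID, including the existing 0x0030 entry, would make later additions to this list easier to audit.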


* [PATCH 3.16 112/346] l2tp: Correctly return -EBADF from pppol2tp_getname.
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, phil.turnbull, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "phil.turnbull@oracle.com" <phil.turnbull@oracle.com>

commit 4ac36a4adaf80013a60013d6f829f5863d5d0e05 upstream.

If 'tunnel' is NULL we should return -EBADF but the 'end_put_sess' path
unconditionally sets 'error' back to zero. Rework the error path so it
more closely matches pppol2tp_sendmsg.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -883,10 +883,8 @@ static int pppol2tp_getname(struct socke
 
 	pls = l2tp_session_priv(session);
 	tunnel = l2tp_sock_to_tunnel(pls->tunnel_sock);
-	if (tunnel == NULL) {
-		error = -EBADF;
+	if (tunnel == NULL)
 		goto end_put_sess;
-	}
 
 	inet = inet_sk(tunnel->sock);
 	if ((tunnel->version == 2) && (tunnel->sock->sk_family == AF_INET)) {
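Review bot: With 'error = -EBADF;' removed from the 'tunnel == NULL' branch, the value returned on this path depends on error already holding -EBADF from an assignment that is outside the visible lines. Please confirm that nothing between that assignment and this check changes error, and consider keeping the explicit assignment next to the check; it costs one line and stops the return code from depending on distant code now that end_put_sess no longer resets it.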
@@ -964,12 +962,11 @@ static int pppol2tp_getname(struct socke
 	}
 
 	*usockaddr_len = len;
+	error = 0;
 
 	sock_put(pls->tunnel_sock);
 end_put_sess:
 	sock_put(sk);
-	error = 0;
-
 end:
 	return error;
 }


* [PATCH 3.16 115/346] Input: i8042 - break load dependency between atkbd/psmouse and i8042
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Mark Laws

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream.

As explained in 1407814240-4275-1-git-send-email-decui@microsoft.com we
have a hard load dependency between i8042 and atkbd which prevents
keyboard from working on Gen2 Hyper-V VMs.

> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio
> driver like atkbd.c.  atkbd.c depends on libps2.c because it invokes
> ps2_command().  libps2.c depends on i8042.c because it invokes
> i8042_check_port_owner().  As a result, hyperv_keyboard actually
> depends on i8042.c.
>
> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a
> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m
> rather than =y, atkbd.ko can't load because i8042.ko can't load (due to
> no i8042 device emulated) and finally hyperv_keyboard can't work and
> the user can't input: https://bugs.archlinux.org/task/39820
> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y)

To break the dependency we move away from using i8042_check_port_owner()
and instead allow the serio port owner to specify a mutex that clients
should use to serialize the PS/2 command stream.

Reported-by: Mark Laws <mdl@60hz.org>
Tested-by: Mark Laws <mdl@60hz.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042.c  | 16 +---------------
 drivers/input/serio/libps2.c | 10 ++++------
 include/linux/i8042.h        |  6 ------
 include/linux/serio.h        | 24 +++++++++++++++++++-----
 4 files changed, 24 insertions(+), 32 deletions(-)

--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1230,6 +1230,7 @@ static int __init i8042_create_kbd_port(
 	serio->start		= i8042_start;
 	serio->stop		= i8042_stop;
 	serio->close		= i8042_port_close;
+	serio->ps2_cmd_mutex	= &i8042_mutex;
 	serio->port_data	= port;
 	serio->dev.parent	= &i8042_platform_device->dev;
 	strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name));
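Review bot: 'serio->ps2_cmd_mutex = &i8042_mutex;' is added only in i8042_create_kbd_port(), and the diffstat shows it as the single insertion in i8042.c, whereas the removed i8042_check_port_owner() matched every entry in i8042_ports[]. Any other i8042 port created without this assignment falls back to its per-device cmd_mutex in ps2_begin_command() and loses the controller-wide serialization it had before. Please set ps2_cmd_mutex in the other port creation paths as well.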
@@ -1321,21 +1322,6 @@ static void i8042_unregister_ports(void)
 	}
 }
 
-/*
- * Checks whether port belongs to i8042 controller.
- */
-bool i8042_check_port_owner(const struct serio *port)
-{
-	int i;
-
-	for (i = 0; i < I8042_NUM_PORTS; i++)
-		if (i8042_ports[i].serio == port)
-			return true;
-
-	return false;
-}
-EXPORT_SYMBOL(i8042_check_port_owner);
-
 static void i8042_free_irqs(void)
 {
 	if (i8042_aux_irq_registered)
--- a/drivers/input/serio/libps2.c
+++ b/drivers/input/serio/libps2.c
@@ -56,19 +56,17 @@ EXPORT_SYMBOL(ps2_sendbyte);
 
 void ps2_begin_command(struct ps2dev *ps2dev)
 {
-	mutex_lock(&ps2dev->cmd_mutex);
+	struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
 
-	if (i8042_check_port_owner(ps2dev->serio))
-		i8042_lock_chip();
+	mutex_lock(m);
 }
 EXPORT_SYMBOL(ps2_begin_command);
 
 void ps2_end_command(struct ps2dev *ps2dev)
 {
-	if (i8042_check_port_owner(ps2dev->serio))
-		i8042_unlock_chip();
+	struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
 
-	mutex_unlock(&ps2dev->cmd_mutex);
+	mutex_unlock(m);
 }
 EXPORT_SYMBOL(ps2_end_command);
 
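Review bot: ps2_begin_command() and ps2_end_command() each evaluate 'ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex' on their own, so the unlock hits the right mutex only if ps2_cmd_mutex never changes between the two calls. A small static helper returning the mutex, with a comment that the pointer must be set before the port is registered and never changed afterwards, would state that rule once. Note also that a port supplying ps2_cmd_mutex no longer takes ps2dev->cmd_mutex at all, where the old code took both locks, so anything that locks cmd_mutex directly would no longer exclude a command in progress.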
--- a/include/linux/i8042.h
+++ b/include/linux/i8042.h
@@ -62,7 +62,6 @@ struct serio;
 void i8042_lock_chip(void);
 void i8042_unlock_chip(void);
 int i8042_command(unsigned char *param, int command);
-bool i8042_check_port_owner(const struct serio *);
 int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
 					struct serio *serio));
 int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str,
@@ -83,11 +82,6 @@ static inline int i8042_command(unsigned
 	return -ENODEV;
 }
 
-static inline bool i8042_check_port_owner(const struct serio *serio)
-{
-	return false;
-}
-
 static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
 					struct serio *serio))
 {
--- a/include/linux/serio.h
+++ b/include/linux/serio.h
@@ -29,7 +29,8 @@ struct serio {
 
 	struct serio_device_id id;
 
-	spinlock_t lock;		/* protects critical sections from port's interrupt handler */
+	/* Protects critical sections from port's interrupt handler */
+	spinlock_t lock;
 
 	int (*write)(struct serio *, unsigned char);
 	int (*open)(struct serio *);
@@ -38,16 +39,29 @@ struct serio {
 	void (*stop)(struct serio *);
 
 	struct serio *parent;
-	struct list_head child_node;	/* Entry in parent->children list */
+	/* Entry in parent->children list */
+	struct list_head child_node;
 	struct list_head children;
-	unsigned int depth;		/* level of nesting in serio hierarchy */
+	/* Level of nesting in serio hierarchy */
+	unsigned int depth;
 
-	struct serio_driver *drv;	/* accessed from interrupt, must be protected by serio->lock and serio->sem */
-	struct mutex drv_mutex;		/* protects serio->drv so attributes can pin driver */
+	/*
+	 * serio->drv is accessed from interrupt handlers; when modifying
+	 * caller should acquire serio->drv_mutex and serio->lock.
+	 */
+	struct serio_driver *drv;
+	/* Protects serio->drv so attributes can pin current driver */
+	struct mutex drv_mutex;
 
 	struct device dev;
 
 	struct list_head node;
+
+	/*
+	 * For use by PS/2 layer when several ports share hardware and
+	 * may get indigestion when exposed to concurrent access (i8042).
+	 */
+	struct mutex *ps2_cmd_mutex;
 };
 #define to_serio_port(d)	container_of(d, struct serio, dev)
 


* [PATCH 3.16 316/346] can: dev: fix deadlock reported after bus-off
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Sergei Miroshnichenko

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Miroshnichenko <sergeimir@emcraft.com>

commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 upstream.

A timer was used to restart after the bus-off state, leading to a
relatively large can_restart() executed in an interrupt context,
which in turn sets up pinctrl. When this happens during system boot,
there is a high probability of grabbing the pinctrl_list_mutex,
which is locked already by the probe() of other device, making the
kernel suspect a deadlock condition [1].

To resolve this issue, the restart_timer is replaced by a delayed
work.

[1] https://github.com/victronenergy/venus/issues/24

Signed-off-by: Sergei Miroshnichenko <sergeimir@emcraft.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c   | 27 +++++++++++++++++----------
 include/linux/can/dev.h |  3 ++-
 2 files changed, 19 insertions(+), 11 deletions(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -21,6 +21,7 @@
 #include <linux/slab.h>
 #include <linux/netdevice.h>
 #include <linux/if_arp.h>
+#include <linux/workqueue.h>
 #include <linux/can.h>
 #include <linux/can/dev.h>
 #include <linux/can/skb.h>
@@ -392,9 +393,8 @@ EXPORT_SYMBOL_GPL(can_free_echo_skb);
 /*
  * CAN device restart for bus-off recovery
  */
-static void can_restart(unsigned long data)
+static void can_restart(struct net_device *dev)
 {
-	struct net_device *dev = (struct net_device *)data;
 	struct can_priv *priv = netdev_priv(dev);
 	struct net_device_stats *stats = &dev->stats;
 	struct sk_buff *skb;
@@ -434,6 +434,14 @@ restart:
 		netdev_err(dev, "Error %d during restart", err);
 }
 
+static void can_restart_work(struct work_struct *work)
+{
+	struct delayed_work *dwork = to_delayed_work(work);
+	struct can_priv *priv = container_of(dwork, struct can_priv, restart_work);
+
+	can_restart(priv->dev);
+}
+
 int can_restart_now(struct net_device *dev)
 {
 	struct can_priv *priv = netdev_priv(dev);
@@ -447,8 +455,8 @@ int can_restart_now(struct net_device *d
 	if (priv->state != CAN_STATE_BUS_OFF)
 		return -EBUSY;
 
-	/* Runs as soon as possible in the timer context */
-	mod_timer(&priv->restart_timer, jiffies);
+	cancel_delayed_work_sync(&priv->restart_work);
+	can_restart(dev);
 
 	return 0;
 }
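Review bot: can_restart_now() now calls cancel_delayed_work_sync() and then runs can_restart() directly, where the removed 'mod_timer(&priv->restart_timer, jiffies);' only armed a timer and returned. cancel_delayed_work_sync() can sleep and can_restart() now executes in the caller's context, so every caller of can_restart_now() must be in process context and must not hold a lock that can_restart() or the work item takes. A comment on the function stating that requirement would help driver authors.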
@@ -470,8 +478,8 @@ void can_bus_off(struct net_device *dev)
 	priv->can_stats.bus_off++;
 
 	if (priv->restart_ms)
-		mod_timer(&priv->restart_timer,
-			  jiffies + (priv->restart_ms * HZ) / 1000);
+		schedule_delayed_work(&priv->restart_work,
+				      msecs_to_jiffies(priv->restart_ms));
 }
 EXPORT_SYMBOL_GPL(can_bus_off);
 
@@ -578,6 +586,7 @@ struct net_device *alloc_candev(int size
 		return NULL;
 
 	priv = netdev_priv(dev);
+	priv->dev = dev;
 
 	if (echo_skb_max) {
 		priv->echo_skb_max = echo_skb_max;
@@ -587,7 +596,7 @@ struct net_device *alloc_candev(int size
 
 	priv->state = CAN_STATE_STOPPED;
 
-	init_timer(&priv->restart_timer);
+	INIT_DELAYED_WORK(&priv->restart_work, can_restart_work);
 
 	return dev;
 }
@@ -662,8 +671,6 @@ int open_candev(struct net_device *dev)
 	if (!netif_carrier_ok(dev))
 		netif_carrier_on(dev);
 
-	setup_timer(&priv->restart_timer, can_restart, (unsigned long)dev);
-
 	return 0;
 }
 EXPORT_SYMBOL_GPL(open_candev);
@@ -678,7 +685,7 @@ void close_candev(struct net_device *dev
 {
 	struct can_priv *priv = netdev_priv(dev);
 
-	del_timer_sync(&priv->restart_timer);
+	cancel_delayed_work_sync(&priv->restart_work);
 	can_flush_echo_skb(dev);
 }
 EXPORT_SYMBOL_GPL(close_candev);
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -31,6 +31,7 @@ enum can_mode {
  * CAN common private data
  */
 struct can_priv {
+	struct net_device *dev;
 	struct can_device_stats can_stats;
 
 	struct can_bittiming bittiming, data_bittiming;
@@ -43,7 +44,7 @@ struct can_priv {
 	u32 ctrlmode_supported;
 
 	int restart_ms;
-	struct timer_list restart_timer;
+	struct delayed_work restart_work;
 
 	int (*do_set_bittiming)(struct net_device *dev);
 	int (*do_set_data_bittiming)(struct net_device *dev);


* [PATCH 3.16 182/346] USB: serial: mos7720: fix non-atomic allocation in write path
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 011/346] random: add interrupt callback to VMBus IRQ handler Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 104/346] gpio: intel-mid: Remove potentially harmful code Ben Hutchings
                   ` (62 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Alexey Khoroshilov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <khoroshilov@ispras.ru>

commit 5a5a1d614287a647b36dff3f40c2b0ceabbc83ec upstream.

There is an allocation with GFP_KERNEL flag in mos7720_write(),
while it may be called from interrupt context.

Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
allocation in write path")

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7720.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1239,7 +1239,7 @@ static int mos7720_write(struct tty_stru
 
 	if (urb->transfer_buffer == NULL) {
 		urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
-					       GFP_KERNEL);
+					       GFP_ATOMIC);
 		if (!urb->transfer_buffer)
 			goto exit;
 	}
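Review bot: with GFP_ATOMIC the kmalloc() of URB_TRANSFER_BUFFER_SIZE in mos7720_write() is more likely to fail than the GFP_KERNEL call it replaces, and the only handling visible here is "goto exit". Confirm that the exit path reports the failure in a way the caller retries, and consider allocating the transfer buffer once from a process-context path so the write path does not allocate at all.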


* [PATCH 3.16 181/346] ipv6: suppress sparse warnings in IP6_ECN_set_ce()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (285 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 095/346] target: Fix max_unmap_lba_count calc overflow Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 042/346] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
                   ` (59 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg, Eric Dumazet, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit c15c0ab12fd62f2b19181d05c62d24bc9fa55a42 upstream.

Pass the correct type __wsum to csum_sub() and csum_add(). This doesn't
really change anything since __wsum really *is* __be32, but removes the
address space warnings from sparse.

Cc: Eric Dumazet <edumazet@google.com>
Fixes: 34ae6a1aa054 ("ipv6: update skb->csum when CE mark is propagated")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/inet_ecn.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/include/net/inet_ecn.h
+++ b/include/net/inet_ecn.h
@@ -128,7 +128,8 @@ static inline int IP6_ECN_set_ce(struct
 	to = from | htonl(INET_ECN_CE << 20);
 	*(__be32 *)iph = to;
 	if (skb->ip_summed == CHECKSUM_COMPLETE)
-		skb->csum = csum_add(csum_sub(skb->csum, from), to);
+		skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from),
+				     (__force __wsum)to);
 	return 1;
 }
 
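Review bot: the two (__force __wsum) casts on "from" and "to" in the csum_add()/csum_sub() call silence sparse but leave no trace in the code of why the cast is safe. A one-line comment saying that the __be32 word is used directly as a checksum operand, as the commit message explains, would stop a later cleanup from removing the casts.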


* [PATCH 3.16 179/346] power: supply: max17042_battery: fix model download bug.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 173/346] usb: gadget: fsl_qe_udc: off by one in setup_received_handle() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 335/346] vfio/pci: Fix integer overflows, bitmask check Ben Hutchings
                   ` (166 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dan Carpenter, Sebastian Reichel, Sven Van Asbroeck,
	Krzysztof Kozlowski, Sven Van Asbroeck

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Van Asbroeck <thesven73@gmail.com>

commit 5381cfb6f0422da24cfa9da35b0433c0415830e0 upstream.

The device's model download function returns the model data as
an array of u32s, which is later compared to the reference
model data. However, since the latter is an array of u16s,
the comparison does not happen correctly, and model verification
fails. This in turn breaks the POR initialization sequence.

Fixes: 39e7213edc4f3 ("max17042_battery: Support regmap to access device's registers")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sven Van Asbroeck <TheSven73@googlemail.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/power/max17042_battery.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/power/max17042_battery.c
+++ b/drivers/power/max17042_battery.c
@@ -295,13 +295,16 @@ static inline void max17042_write_model_
 }
 
 static inline void max17042_read_model_data(struct max17042_chip *chip,
-					u8 addr, u32 *data, int size)
+					u8 addr, u16 *data, int size)
 {
 	struct regmap *map = chip->regmap;
 	int i;
+	u32 tmp;
 
-	for (i = 0; i < size; i++)
-		regmap_read(map, addr + i, &data[i]);
+	for (i = 0; i < size; i++) {
+		regmap_read(map, addr + i, &tmp);
+		data[i] = (u16)tmp;
+	}
 }
 
 static inline int max17042_model_data_compare(struct max17042_chip *chip,
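Review bot: in max17042_read_model_data() the return value of regmap_read(map, addr + i, &tmp) is still ignored and "tmp" is declared without an initializer, so a failed read stores whatever "tmp" last held into data[i] and the later model comparison runs on stale data. Suggest checking the return value and propagating the error (which means the function can no longer be void), or at minimum initializing "tmp".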
@@ -324,7 +327,7 @@ static int max17042_init_model(struct ma
 {
 	int ret;
 	int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
-	u32 *temp_data;
+	u16 *temp_data;
 
 	temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);
 	if (!temp_data)
@@ -339,7 +342,7 @@ static int max17042_init_model(struct ma
 	ret = max17042_model_data_compare(
 		chip,
 		chip->pdata->config_data->cell_char_tbl,
-		(u16 *)temp_data,
+		temp_data,
 		table_size);
 
 	max10742_lock_model(chip);
@@ -352,7 +355,7 @@ static int max17042_verify_model_lock(st
 {
 	int i;
 	int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl);
-	u32 *temp_data;
+	u16 *temp_data;
 	int ret = 0;
 
 	temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL);


* [PATCH 3.16 201/346] USB: serial: option: add WeTelecom WM-D200
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 320/346] ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 051/346] ppp: defer netns reference release for ppp channel Ben Hutchings
                   ` (328 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Aleksandr Makarov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>

commit 6695593e4a7659db49ac6eca98c164f7b5589f72 upstream.

Add support for WeTelecom WM-D200.

T:  Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  4 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=22de ProdID=6801 Rev=00.00
S:  Manufacturer=WeTelecom Incorporated
S:  Product=WeTelecom Mobile Products
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -527,6 +527,10 @@ static void option_instat_callback(struc
 #define VIATELECOM_VENDOR_ID			0x15eb
 #define VIATELECOM_PRODUCT_CDS7			0x0001
 
+/* WeTelecom products */
+#define WETELECOM_VENDOR_ID			0x22de
+#define WETELECOM_PRODUCT_WMD200		0x6801
+
 /* some devices interfaces need special handling due to a number of reasons */
 enum option_blacklist_reason {
 		OPTION_BLACKLIST_NONE = 0,
@@ -2002,6 +2006,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },                /* OLICARD300 - MT6225 */
 	{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
 	{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
 	{ } /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, option_ids);
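Review bot: the new option_ids entry runs well past 80 columns and, unlike the OLICARD300 line above it, carries no trailing comment. Suggest wrapping it and noting that the 0xff/0xff/0xff match is what leaves interface 3 (Cls=08 in the descriptor dump in the commit message) to usb-storage.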


* [PATCH 3.16 184/346] cdc-acm: fix wrong pipe type on rx interrupt xfers
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 264/346] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 156/346] vfio/pci: Fix NULL pointer oops in error interrupt setup handling Ben Hutchings
                   ` (238 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Gavin Li, Oliver Neukum, Greg Kroah-Hartman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gavin Li <git@thegavinli.com>

commit add125054b8727103631dce116361668436ef6a7 upstream.

This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb().

Signed-off-by: Gavin Li <git@thegavinli.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 5 ++---
 drivers/usb/class/cdc-acm.h | 1 -
 2 files changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1336,7 +1336,6 @@ made_compressed_probe:
 	spin_lock_init(&acm->write_lock);
 	spin_lock_init(&acm->read_lock);
 	mutex_init(&acm->mutex);
-	acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
 	acm->is_int_ep = usb_endpoint_xfer_int(epread);
 	if (acm->is_int_ep)
 		acm->bInterval = epread->bInterval;
@@ -1386,14 +1385,14 @@ made_compressed_probe:
 		urb->transfer_dma = rb->dma;
 		if (acm->is_int_ep) {
 			usb_fill_int_urb(urb, acm->dev,
-					 acm->rx_endpoint,
+					 usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
 					 rb->base,
 					 acm->readsize,
 					 acm_read_bulk_callback, rb,
 					 acm->bInterval);
 		} else {
 			usb_fill_bulk_urb(urb, acm->dev,
-					  acm->rx_endpoint,
+					  usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
 					  rb->base,
 					  acm->readsize,
 					  acm_read_bulk_callback, rb);
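Review bot: both fill calls pass acm->dev as the device but now build the pipe from usb_dev, as in "usb_rcvintpipe(usb_dev, epread->bEndpointAddress)". If the two are the same pointer at this point, use one of them consistently so that the URB's device and pipe visibly agree. The new argument lines also run past 80 columns.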
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -95,7 +95,6 @@ struct acm {
 	struct urb *read_urbs[ACM_NR];
 	struct acm_rb read_buffers[ACM_NR];
 	int rx_buflimit;
-	int rx_endpoint;
 	spinlock_t read_lock;
 	int write_used;					/* number of non-empty write buffers */
 	int transmitting;


* [PATCH 3.16 177/346] MIPS: KVM: Fix gfn range check in kseg0 tlb faults
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 286/346] score: fix __get_user/get_user Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 329/346] arm64: perf: reject groups spanning multiple HW PMUs Ben Hutchings
                   ` (249 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paolo Bonzini, kvm, Radim Krčmář,
	Ralf Baechle, James Hogan, linux-mips

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 0741f52d1b980dbeb290afe67d88fc2928edd8ab upstream.

Two consecutive gfns are loaded into host TLB, so ensure the range check
isn't off by one if guest_pmap_npages is odd.

Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kvm/kvm_tlb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -278,7 +278,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsi
 	}
 
 	gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT);
-	if (gfn >= kvm->arch.guest_pmap_npages) {
+	if ((gfn | 1) >= kvm->arch.guest_pmap_npages) {
 		kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__,
 			gfn, badvaddr);
 		kvm_mips_dump_host_tlbs();
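Review bot: "(gfn | 1) >= kvm->arch.guest_pmap_npages" is only understandable if the reader knows that the even/odd pair containing gfn is loaded, which nothing in the code at this point says. Add a short comment to that effect, and consider printing the pair rather than just gfn in the kvm_err() message, since the index that failed the check may be gfn + 1.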


* [PATCH 3.16 191/346] KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (220 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 214/346] ubifs: Fix assertion in layout_in_gaps() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 252/346] iio:core: fix IIO_VAL_FRACTIONAL sign handling Ben Hutchings
                   ` (124 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jim Mattson, Radim Krčmář, Wanpeng Li

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Radim Krčmář <rkrcmar@redhat.com>

commit dccbfcf52cebb8963246eba5b177b77f26b34da0 upstream.

If vmcs12 does not intercept APIC_BASE writes, then KVM will handle the
write with vmcs02 as the current VMCS.
This will incorrectly apply modifications intended for vmcs01 to vmcs02
and L2 can use it to gain access to L0's x2APIC registers by disabling
virtualized x2APIC while using msr bitmap that assumes enabled.

Postpone execution of vmx_set_virtual_x2apic_mode until vmcs01 is the
current VMCS.  An alternative solution would temporarily make vmcs01 the
current VMCS, but it requires more care.

Fixes: 8d14695f9542 ("x86, apicv: add virtual x2apic support")
Reported-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/vmx.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -372,6 +372,7 @@ struct nested_vmx {
 	struct list_head vmcs02_pool;
 	int vmcs02_num;
 	u64 vmcs01_tsc_offset;
+	bool change_vmcs01_virtual_x2apic_mode;
 	/* L2 must run next, and mustn't decide to exit to L1. */
 	bool nested_run_pending;
 	/*
@@ -7084,6 +7085,12 @@ static void vmx_set_virtual_x2apic_mode(
 {
 	u32 sec_exec_control;
 
+	/* Postpone execution until vmcs01 is the current VMCS. */
+	if (is_guest_mode(vcpu)) {
+		to_vmx(vcpu)->nested.change_vmcs01_virtual_x2apic_mode = true;
+		return;
+	}
+
 	/*
 	 * There is not point to enable virtualize x2apic without enable
 	 * apicv
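Review bot: the update deferred in the is_guest_mode(vcpu) branch is replayed only from nested_vmx_vmexit(), so any path that makes vmcs01 current again without going through that function would leave change_vmcs01_virtual_x2apic_mode set and the change unapplied. Confirm there is no such path, or clear and replay the flag there too. The early return also drops the caller's second argument and relies on vcpu->arch.apic_base being current at replay time, which deserves a word in the comment.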
@@ -8784,6 +8791,12 @@ static void nested_vmx_vmexit(struct kvm
 	/* Update TSC_OFFSET if TSC was changed while L2 ran */
 	vmcs_write64(TSC_OFFSET, vmx->nested.vmcs01_tsc_offset);
 
+	if (vmx->nested.change_vmcs01_virtual_x2apic_mode) {
+		vmx->nested.change_vmcs01_virtual_x2apic_mode = false;
+		vmx_set_virtual_x2apic_mode(vcpu,
+				vcpu->arch.apic_base & X2APIC_ENABLE);
+	}
+
 	/* This is needed for same reason as it was needed in prepare_vmcs02 */
 	vmx->host_rsp = 0;
 


* [PATCH 3.16 124/346] fuse: fsync() did not return IO errors
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 030/346] ath9k: Fix programming of minCCA power threshold Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 063/346] Bluetooth: Add support of 13d3:3490 AR3012 device Ben Hutchings
                   ` (232 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alexey Kuznetsov, Maxim Patlasov, Alexey Kuznetsov, Miklos Szeredi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kuznetsov <kuznet@parallels.com>

commit ac7f052b9e1534c8248f814b6f0068ad8d4a06d2 upstream.

Due to the implementation of fuse writeback, filemap_write_and_wait_range()
does not catch errors. We have to do this directly after fuse_sync_writes().

Signed-off-by: Alexey Kuznetsov <kuznet@virtuozzo.com>
Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 4d99ff8f12eb ("fuse: Turn writeback cache on")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/file.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -499,6 +499,21 @@ int fuse_fsync_common(struct file *file,
 		goto out;
 
 	fuse_sync_writes(inode);
+
+	/*
+	 * Due to implementation of fuse writeback
+	 * filemap_write_and_wait_range() does not catch errors.
+	 * We have to do this directly after fuse_sync_writes()
+	 */
+	if (test_bit(AS_ENOSPC, &file->f_mapping->flags) &&
+	    test_and_clear_bit(AS_ENOSPC, &file->f_mapping->flags))
+		err = -ENOSPC;
+	if (test_bit(AS_EIO, &file->f_mapping->flags) &&
+	    test_and_clear_bit(AS_EIO, &file->f_mapping->flags))
+		err = -EIO;
+	if (err)
+		goto out;
+
 	err = sync_inode_metadata(inode, 1);
 	if (err)
 		goto out;
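Review bot: when both AS_ENOSPC and AS_EIO are set, the second "if" overwrites err = -ENOSPC with -EIO, and both bits are cleared either way. If that precedence is intended, the comment should say so. The added comment would also read better as "Due to the implementation of fuse writeback, filemap_write_and_wait_range() does not catch errors."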


* [PATCH 3.16 134/346] tcp: consider recv buf for the initial window scale
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 175/346] MIPS: KVM: Fix mapped fault broken commpage handling Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 318/346] tcp: fix a compile error in DBGUNDO() Ben Hutchings
                   ` (322 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Soheil Hassas Yeganeh, Neal Cardwell

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Soheil Hassas Yeganeh <soheil@google.com>

commit f626300a3e776ccc9671b0dd94698fb3aa315966 upstream.

tcp_select_initial_window() intends to advertise a window
scaling for the maximum possible window size. To do so,
it considers the maximum of net.ipv4.tcp_rmem[2] and
net.core.rmem_max as the only possible upper-bounds.
However, users with CAP_NET_ADMIN can use SO_RCVBUFFORCE
to set the socket's receive buffer size to values
larger than net.ipv4.tcp_rmem[2] and net.core.rmem_max.
Thus, SO_RCVBUFFORCE is effectively ignored by
tcp_select_initial_window().

To fix this, consider the maximum of net.ipv4.tcp_rmem[2],
net.core.rmem_max and socket's initial buffer space.

Fixes: b0573dea1fb3 ("[NET]: Introduce SO_{SND,RCV}BUFFORCE socket options")
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Suggested-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_output.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -245,7 +245,8 @@ void tcp_select_initial_window(int __spa
 		/* Set window scaling on max possible window
 		 * See RFC1323 for an explanation of the limit to 14
 		 */
-		space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+		space = max_t(u32, space, sysctl_tcp_rmem[2]);
+		space = max_t(u32, space, sysctl_rmem_max);
 		space = min_t(u32, space, *window_clamp);
 		while (space > 65535 && (*rcv_wscale) < 14) {
 			space >>= 1;
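Review bot: the comment above the changed lines still says only "Set window scaling on max possible window", while "space" on entry to max_t(u32, space, sysctl_tcp_rmem[2]) is now the socket's own initial buffer space. Extend the comment to name all three inputs and to note that the min_t(u32, space, *window_clamp) that follows still caps the result, so the reason for the extra max_t() is visible without reading the commit message.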


* [PATCH 3.16 146/346] metag: Fix __cmpxchg_u32 asm constraint for CMP
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 288/346] sh64: failing __get_user() should zero Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 141/346] dm flakey: error READ bios during the down_interval Ben Hutchings
                   ` (207 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-metag, James Hogan

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 6154c187b97ee7513046bb4eb317a89f738f13ef upstream.

The LNKGET based atomic sequence in __cmpxchg_u32 has slightly incorrect
constraints for the return value which under certain circumstances can
allow an address unit register to be used as the first operand of a CMP
instruction. This isn't a valid instruction however as the encodings
only allow a data unit to be specified. This would result in an
assembler error like the following:

  Error: failed to assemble instruction: "CMP A0.2,D0Ar6"

Fix by changing the constraint from "=&da" (assigned, early clobbered,
data or address unit register) to "=&d" (data unit register only).

The constraint for the second operand, "bd" (an op2 register where op1
is a data unit register and the instruction supports O2R) is already
correct assuming the first operand is a data unit register.

Other cases of CMP in inline asm have had their constraints checked, and
appear to all be fine.

Fixes: 6006c0d8ce94 ("metag: Atomics, locks and bitops")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/metag/include/asm/cmpxchg_lnkget.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/metag/include/asm/cmpxchg_lnkget.h
+++ b/arch/metag/include/asm/cmpxchg_lnkget.h
@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u3
 		      "	DCACHE	[%2], %0\n"
 #endif
 		      "2:\n"
-		      : "=&d" (temp), "=&da" (retval)
+		      : "=&d" (temp), "=&d" (retval)
 		      : "da" (m), "bd" (old), "da" (new)
 		      : "cc"
 		      );
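Review bot: nothing next to "=&d" (retval) records why the address-unit alternative was dropped, and the "da" constraints on the neighbouring operands invite someone to restore it. A one-line comment that retval is the first operand of CMP and must be a data unit register would guard against that.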


* [PATCH 3.16 126/346] fuse: fix wrong assignment of ->flags in fuse_send_init()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (298 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 211/346] USB: fix typo in wMaxPacketSize validation Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 310/346] fanotify: fix list corruption in fanotify_get_response() Ben Hutchings
                   ` (46 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Miklos Szeredi, Wei Fang

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Fang <fangwei1@huawei.com>

commit 9446385f05c9af25fed53dbed3cc75763730be52 upstream.

FUSE_HAS_IOCTL_DIR should be assigned to ->flags; it may be a typo.

Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 69fe05c90ed5 ("fuse: add missing INIT flags")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -933,7 +933,7 @@ static void fuse_send_init(struct fuse_c
 	arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
 		FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
 		FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
-		FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
+		FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
 		FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO |
 		FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT;
 	req->in.h.opcode = FUSE_INIT;
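Review bot: FUSE_IOCTL_DIR and FUSE_HAS_IOCTL_DIR differ by one word and are evidently both valid identifiers, since the old line compiled. The commit message says only that it may be a typo; for a stable backport it should state which bit was being set in arg->flags before the change and whether a server could have observed the difference.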


* [PATCH 3.16 266/346] USB: serial: simple: add support for another Infineon flashloader
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (321 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 168/346] usb: dwc3: gadget: increment request->actual once Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 220/346] qdisc: fix a module refcount leak in qdisc_create_dflt() Ben Hutchings
                   ` (23 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniele Palmas, Johan Hovold

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <dnlplm@gmail.com>

commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.

This patch adds support for Infineon flashloader 0x8087/0x0801.

The flashloader is used in Telit LE940B modem family with Telit
flashing application.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/usb-serial-simple.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -48,7 +48,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
 /* Infineon Flashloader driver */
 #define FLASHLOADER_IDS()		\
 	{ USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
-	{ USB_DEVICE(0x8087, 0x0716) }
+	{ USB_DEVICE(0x8087, 0x0716) }, \
+	{ USB_DEVICE(0x8087, 0x0801) }
 DEVICE(flashloader, FLASHLOADER_IDS);
 
 /* Google Serial USB SubClass */
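Review bot: { USB_DEVICE(0x8087, 0x0801) } binds every interface of the device, whereas the first FLASHLOADER_IDS entry is restricted by interface class. If the 0x0801 flashloader exposes anything besides the serial interface, a USB_DEVICE_INTERFACE_CLASS match would be safer; the commit message gives no descriptor dump to check against.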


* [PATCH 3.16 264/346] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 171/346] arm: oabi compat: add missing access checks Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 184/346] cdc-acm: fix wrong pipe type on rx interrupt xfers Ben Hutchings
                   ` (239 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Karl Beldan, Brian Norris

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Karl Beldan <kbeldan@baylibre.com>

commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c upstream.

This fixes subpage writes when using 4-bit HW ECC.

There have been numerous reports about ECC errors with devices using this
driver for a while.  Also the 4-bit ECC has been reported as broken with
subpages in [1] and with 16 bits NANDs in the driver and in mach* board
files both in mainline and in the vendor BSPs.

What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to
try reinitializing the ECC engine:
- R/W on whole pages properly generates/checks RS code
- try writing the 1st subpage only of a blank page, the subpage is well
  written and the RS code properly generated, re-reading the same page
  the HW detects some ECC error, reading the same page again no ECC
  error is detected

Note that the ECC engine is already reinitialized in the 1-bit case.

Tested on my LCDK with UBI+UBIFS using subpages.
This could potentially get rid of the issue worked around in [1].

[1] 28c015a9daab ("mtd: davinci-nand: disable subpage write for keystone-nand")

Fixes: 6a4123e581b3 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage")
Signed-off-by: Karl Beldan <kbeldan@baylibre.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/davinci_nand.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/mtd/nand/davinci_nand.c
+++ b/drivers/mtd/nand/davinci_nand.c
@@ -241,6 +241,9 @@ static void nand_davinci_hwctl_4bit(stru
 	unsigned long flags;
 	u32 val;
 
+	/* Reset ECC hardware */
+	davinci_nand_readl(info, NAND_4BIT_ECC1_OFFSET);
+
 	spin_lock_irqsave(&davinci_nand_lock, flags);
 
 	/* Start 4-bit ECC calculation for read/write */
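Review bot: the added davinci_nand_readl(info, NAND_4BIT_ECC1_OFFSET) discards its result and sits before spin_lock_irqsave(&davinci_nand_lock, flags). The comment "Reset ECC hardware" should say that the read itself is what resets the engine, and it is worth stating why this access does not need to be under davinci_nand_lock like the code that follows.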


* [PATCH 3.16 276/346] ia64: copy_from_user() should zero the destination on access_ok() failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 021/346] tty/serial: atmel: fix RS485 half duplex with DMA Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 157/346] drm/edid: Add 6 bpc quirk for display AEO model 0 Ben Hutchings
                   ` (299 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: no calls to check_object_size()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void _
 	__cu_len;									\
 })
 
-#define copy_from_user(to, from, n)							\
-({											\
-	void *__cu_to = (to);								\
-	const void __user *__cu_from = (from);						\
-	long __cu_len = (n);								\
-											\
-	__chk_user_ptr(__cu_from);							\
-	if (__access_ok(__cu_from, __cu_len, get_fs()))					\
-		__cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);	\
-	__cu_len;									\
-})
+static inline unsigned long
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+	if (likely(__access_ok(from, n, get_fs())))
+		n = __copy_user((__force void __user *) to, from, n);
+	else
+		memset(to, 0, n);
+	return n;
+}
 
 #define __copy_in_user(to, from, size)	__copy_user((to), (from), (size))
 
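
Review bot: the else branch with memset(to, 0, n) in the new
copy_from_user() only covers an __access_ok() failure; when
__copy_user() faults part-way and returns a non-zero remainder, nothing
in this function clears the uncopied tail of "to". If __copy_user()
already zero-pads on a fault, say so in a comment here; if it does not,
a caller that ignores the return value still sees stale destination
contents. The commit message has no body, so one sentence on why the
destination must be zeroed would help whoever reviews the backport.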

* [PATCH 3.16 144/346] ALSA: hda: Fix krealloc() with __GFP_ZERO usage
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Joe Perches

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 33baefe5e72f17a6df378e48196cd8cada11deec upstream.

krealloc() doesn't always work properly with __GFP_ZERO flag as
expected.  For clearing the reallocated area, we need to clear
explicitly instead.

Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_codec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -5793,13 +5793,15 @@ void *snd_array_new(struct snd_array *ar
 		return NULL;
 	if (array->used >= array->alloced) {
 		int num = array->alloced + array->alloc_align;
+		int oldsize = array->alloced * array->elem_size;
 		int size = (num + 1) * array->elem_size;
 		void *nlist;
 		if (snd_BUG_ON(num >= 4096))
 			return NULL;
-		nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO);
+		nlist = krealloc(array->list, size, GFP_KERNEL);
 		if (!nlist)
 			return NULL;
+		memset(nlist + oldsize, 0, size - oldsize);
 		array->list = nlist;
 		array->alloced = num;
 	}
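
Review bot: memset(nlist + oldsize, 0, size - oldsize) in
snd_array_new() starts at array->alloced * array->elem_size, but by the
"size" formula the previous buffer was (array->alloced + 1) *
array->elem_size bytes, so the spare trailing element of the old buffer
is cleared again. That is harmless only while that slot never holds
live data; a short comment saying so would make the intent clear. Both
products are plain int: num is capped at 4096 by snd_BUG_ON(), but
nothing in the hunk bounds elem_size.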

* [PATCH 3.16 215/346] tun: fix transmit timestamp support
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Soheil Hassas Yeganeh, David S. Miller, Francis Yan

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Soheil Hassas Yeganeh <soheil@google.com>

commit 7b996243fab46092fb3a29c773c54be8152366e4 upstream.

Instead of using sock_tx_timestamp, use skb_tx_timestamp to record
software transmit timestamp of a packet.

sock_tx_timestamp resets and overrides the tx_flags of the skb.
The function is intended to be called from within the protocol
layer when creating the skb, not from a device driver. This is
inconsistent with other drivers and will cause issues for TCP.

In TCP, we intend to sample the timestamps for the last byte
for each sendmsg/sendpage. For that reason, tcp_sendmsg calls
tcp_tx_timestamp only with the last skb that it generates.
For example, if a 128KB message is split into two 64KB packets
we want to sample the SND timestamp of the last packet. The current
code in the tun driver, however, will result in sampling the SND
timestamp for both packets.

Also, when the last packet is split into smaller packets for
retransmission (see tcp_fragment), the tun driver will record
timestamps for all of the retransmitted packets and not only the
last packet.

Fixes: eda297729171 (tun: Support software transmit time stamping.)
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Francis Yan <francisyyan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: call to sock_tx_timestamp() was different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/tun.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -794,10 +794,7 @@ static netdev_tx_t tun_net_xmit(struct s
 	if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
 		goto drop;
 
-	if (skb->sk) {
-		sock_tx_timestamp(skb->sk, &skb_shinfo(skb)->tx_flags);
-		sw_tx_timestamp(skb);
-	}
+	skb_tx_timestamp(skb);
 
 	/* Orphan the skb - required as we might hang on to it
 	 * for indefinite time.
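
Review bot: skb_tx_timestamp(skb) in tun_net_xmit() is now called
unconditionally, where the removed code was guarded by "if (skb->sk)";
please confirm the helper tolerates an skb without a socket in the 3.16
tree, since the backport note says the original call differed. A
one-line comment that the timestamp has to be taken before the
orphaning step just below would also protect the ordering from later
reshuffles.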

* [PATCH 3.16 278/346] ARC: uaccess: get_user to zero out dest in cause of fault
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Al Viro, Vineet Gupta, Al Viro, linux-snps-arc,
	Vineet Gupta, Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <Vineet.Gupta1@synopsys.com>

commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.

Al reported potential issue with ARC get_user() as it wasn't clearing
out destination pointer in case of fault due to bad address etc.

Verified using following

| {
|  	u32 bogus1 = 0xdeadbeef;
|	u64 bogus2 = 0xdead;
|	int rc1, rc2;
|
|  	pr_info("Orig values %x %llx\n", bogus1, bogus2);
|	rc1 = get_user(bogus1, (u32 __user *)0x40000000);
|	rc2 = get_user(bogus2, (u64 __user *)0x50000000);
|	pr_info("access %d %d, new values %x %llx\n",
|		rc1, rc2, bogus1, bogus2);
| }

| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
| Orig values deadbeef dead
| access -14 -14, new values 0 0

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-snps-arc@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/include/asm/uaccess.h | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/arc/include/asm/uaccess.h
+++ b/arch/arc/include/asm/uaccess.h
@@ -83,7 +83,10 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\
@@ -101,7 +104,11 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
+	"	mov %R1, 0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\

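Review bot: the comments added at fixup label 3: use "#" while the
neighbouring line in the same asm string uses ";" ("2: ;nop"); pick one
comment character so the template does not depend on the assembler
accepting both. In this 64-bit variant the destination is cleared with
two moves (%1 and %R1); the test in the commit message covers u32 and
u64 only, so it would be worth exercising the narrower get_user() sizes
that go through the first template as well.
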
* [PATCH 3.16 173/346] usb: gadget: fsl_qe_udc: off by one in setup_received_handle()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Dan Carpenter, Peter Chen

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 7442e6db5bdd0dce4615205508301f9b22e502d6 upstream.

The udc->eps[] array has USB_MAX_ENDPOINTS elements so > should be >=.

Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver')
Acked-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/fsl_qe_udc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/fsl_qe_udc.c
+++ b/drivers/usb/gadget/fsl_qe_udc.c
@@ -2057,7 +2057,7 @@ static void setup_received_handle(struct
 			struct qe_ep *ep;
 
 			if (wValue != 0 || wLength != 0
-				|| pipe > USB_MAX_ENDPOINTS)
+				|| pipe >= USB_MAX_ENDPOINTS)
 				break;
 			ep = &udc->eps[pipe];
 
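
Review bot: "pipe >= USB_MAX_ENDPOINTS" bounds the index into
udc->eps[pipe] from above, but the hunk does not show the type of pipe;
if it is signed, a negative value taken from the setup packet would
still pass this check in setup_received_handle(). Please confirm pipe
is unsigned, or add a lower-bound test next to the corrected
comparison.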

* [PATCH 3.16 275/346] hexagon: fix strncpy_from_user() error return
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Richard Kuo

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.

It's -EFAULT, not -1 (and contrary to the comment in there,
__strnlen_user() can return 0 - on faults).

Acked-by: Richard Kuo <rkuo@codeaurora.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/hexagon/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_
 {
 	long res = __strnlen_user(src, n);
 
-	/* return from strnlen can't be zero -- that would be rubbish. */
+	if (unlikely(!res))
+		return -EFAULT;
 
 	if (res > n) {
 		copy_from_user(dst, src, n);
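
Review bot: the new "!res" check covers a fault inside
__strnlen_user(), but copy_from_user(dst, src, n) in the "res > n"
branch just below still discards its return value, so a fault during
the copy itself is not turned into -EFAULT. Consider checking that
return value in the same change, since the length was computed in a
separate pass over user memory.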

* [PATCH 3.16 319/346] ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path.
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Haishuang Yan, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>

commit 252f3f5a1189a7f6c309d8e4ff1c4c1888a27f13 upstream.

In gre6 xmit path, we are sending a GRE packet, so set fl6 proto
to IPPROTO_GRE properly.

Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_gre.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -939,6 +939,7 @@ static void ip6gre_tnl_link_config(struc
 	fl6->daddr = p->raddr;
 	fl6->flowi6_oif = p->link;
 	fl6->flowlabel = 0;
+	fl6->flowi6_proto = IPPROTO_GRE;
 
 	if (!(p->flags&IP6_TNL_F_USE_ORIG_TCLASS))
 		fl6->flowlabel |= IPV6_TCLASS_MASK & p->flowinfo;
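
Review bot: the commit message talks about the xmit path, but the
assignment "fl6->flowi6_proto = IPPROTO_GRE" lands in
ip6gre_tnl_link_config(), which fills in the tunnel's cached flow. The
changelog should say that the transmit path picks the value up from
this cached fl6, so a reader looking for the change in the xmit
functions knows where to find it.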

* [PATCH 3.16 140/346] ftrace/recordmcount: Work around for addition of metag magic but not relocations
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ross Burton, Steven Rostedt, Laura Abbott, James Hogan

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laura Abbott <labbott@redhat.com>

commit b2e1c26f0b62531636509fbcb6dab65617ed8331 upstream.

glibc recently did a sync up (94e73c95d9b5 "elf.h: Sync with the gabi
webpage") that added a #define for EM_METAG but did not add relocations.

This triggers build errors:

scripts/recordmcount.c: In function 'do_file':
scripts/recordmcount.c:466:28: error: 'R_METAG_ADDR32' undeclared (first use in this function)
  case EM_METAG:  reltype = R_METAG_ADDR32;
                            ^~~~~~~~~~~~~~
scripts/recordmcount.c:466:28: note: each undeclared identifier is reported only once for each function it appears in
scripts/recordmcount.c:468:20: error: 'R_METAG_NONE' undeclared (first use in this function)
     rel_type_nop = R_METAG_NONE;
                    ^~~~~~~~~~~~

Work around this change with some more #ifdefery for the relocations.

Fedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1354034

Link: http://lkml.kernel.org/r/1468005530-14757-1-git-send-email-labbott@redhat.com

Cc: James Hogan <james.hogan@imgtec.com>
Fixes: 00512bdd4573 ("metag: ftrace support")
Reported-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/recordmcount.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/scripts/recordmcount.c
+++ b/scripts/recordmcount.c
@@ -33,10 +33,17 @@
 #include <string.h>
 #include <unistd.h>
 
+/*
+ * glibc synced up and added the metag number but didn't add the relocations.
+ * Work around this in a crude manner for now.
+ */
 #ifndef EM_METAG
-/* Remove this when these make it to the standard system elf.h. */
 #define EM_METAG      174
+#endif
+#ifndef R_METAG_ADDR32
 #define R_METAG_ADDR32                   2
+#endif
+#ifndef R_METAG_NONE
 #define R_METAG_NONE                     3
 #endif
 
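
Review bot: the replacement comment drops the removal condition that
the deleted line carried ("Remove this when these make it to the
standard system elf.h") and says only "for now". Keep a statement of
when the three fallback defines can go away, and note that the
hard-coded values 174, 2 and 3 have to match whatever the system elf.h
eventually provides, since each #ifndef silently defers to the header
once it defines the name.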

* [PATCH 3.16 208/346] drm: Reject page_flip for !DRIVER_MODESET
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Vetter, Chris Wilson, Alexander Potapenko,
	Daniel Vetter, Dave Airlie

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Vetter <daniel.vetter@ffwll.ch>

commit 6f00975c619064a18c23fd3aced325ae165a73b9 upstream.

Somehow this one slipped through, which means drivers without modeset
support can be oopsed (since those also don't call
drm_mode_config_init, which means the crtc lookup will chase an
uninitialized idr).

Reported-by: Alexander Potapenko <glider@google.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_crtc.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4236,6 +4236,9 @@ int drm_mode_page_flip_ioctl(struct drm_
 	unsigned long flags;
 	int ret = -EINVAL;
 
+	if (!drm_core_check_feature(dev, DRIVER_MODESET))
+		return -EINVAL;
+
 	if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
 	    page_flip->reserved != 0)
 		return -EINVAL;
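
Review bot: guarding each handler by hand is what let
drm_mode_page_flip_ioctl() slip through, as the changelog admits; the
drm_core_check_feature(dev, DRIVER_MODESET) test added here fixes this
one entry point only. Consider a follow-up that audits the remaining
mode ioctls in drm_crtc.c for the same guard, or enforces it at
dispatch, so a missing check cannot reach an uninitialized idr again.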

* [PATCH 3.16 172/346] megaraid_sas: Fix probing cards without io port
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yinghai Lu, Martin K. Petersen, Kashyap Desai

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yinghai Lu <yinghai@kernel.org>

commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.

Found one megaraid_sas HBA probe fails,

[  187.235190] scsi host2: Avago SAS based MegaRAID driver
[  191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io  0x0000-0x00ff]
[  191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!

and the card has resource like,
[  125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
[  125.104446] pci 0000:89:00.0: reg 0x10: [io  0x0000-0x00ff]
[  125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
[  125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
[  125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]

that does not have an io port resource allocated from BIOS, and the kernel
can not assign one due to io port shortage.

The driver is only looking for MEM, and should not fail.

It turns out megasas_init_fw() etc are using bar index as mask.  index 1
is used as mask 1, so that pci_request_selected_regions() is trying to
request BAR0 instead of BAR1.

Fix all related reference.

Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Kashyap Desai <kashyap.desai@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/megaraid/megaraid_sas_base.c   | 6 +++---
 drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3996,7 +3996,7 @@ static int megasas_init_fw(struct megasa
 	/* Find first memory bar */
 	bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
 	instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
-	if (pci_request_selected_regions(instance->pdev, instance->bar,
+	if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
 					 "megasas: LSI")) {
 		printk(KERN_DEBUG "megasas: IO memory region busy!\n");
 		return -EBUSY;
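
Review bot: "1<<instance->bar" in megasas_init_fw() is a valid mask
only if find_first_bit() actually found a memory BAR. The call two
lines up passes sizeof(unsigned long), a byte count, where
find_first_bit() expects a size in bits, and on no match it returns
that size, which would then be shifted into a mask for a BAR that does
not exist. Pass the number of BARs as the bit count and fail the probe
when nothing is found before building the mask.
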
@@ -4261,7 +4261,7 @@ fail_ready_state:
 	iounmap(instance->reg_set);
 
       fail_ioremap:
-	pci_release_selected_regions(instance->pdev, instance->bar);
+	pci_release_selected_regions(instance->pdev, 1<<instance->bar);
 
 	return -EINVAL;
 }
@@ -4282,7 +4282,7 @@ static void megasas_release_mfi(struct m
 
 	iounmap(instance->reg_set);
 
-	pci_release_selected_regions(instance->pdev, instance->bar);
+	pci_release_selected_regions(instance->pdev, 1<<instance->bar);
 }
 
 /**
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2190,7 +2190,7 @@ megasas_release_fusion(struct megasas_in
 
 	iounmap(instance->reg_set);
 
-	pci_release_selected_regions(instance->pdev, instance->bar);
+	pci_release_selected_regions(instance->pdev, 1<<instance->bar);
 }
 
 /**
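
Review bot: "1<<instance->bar" is now open-coded at the request site
and at three release sites across two files, including this one in
megasas_release_fusion(). A request/release pair that disagrees on the
mask is exactly the bug being fixed, so store the mask once in the
instance, or wrap it in a small helper, and use that everywhere.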

* [PATCH 3.16 169/346] x86/mm: Disable preemption during CR3 read+write
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Borislav Petkov, Josh Poimboeuf, Sebastian Andrzej Siewior,
	linux-mm, Thomas Gleixner, Ingo Molnar, Mel Gorman,
	Andy Lutomirski, Peter Zijlstra, Denys Vlasenko, Brian Gerst,
	Rik van Riel, Peter Zijlstra (Intel),
	Borislav Petkov, Linus Torvalds, H. Peter Anvin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

commit 5cf0791da5c162ebc14b01eb01631cfa7ed4fa6e upstream.

There's a subtle preemption race on UP kernels:

Usually current->mm (and therefore mm->pgd) stays the same during the
lifetime of a task so it does not matter if a task gets preempted during
the read and write of the CR3.

But then, there is this scenario on x86-UP:

TaskA is in do_exit() and exit_mm() sets current->mm = NULL followed by:

 -> mmput()
 -> exit_mmap()
 -> tlb_finish_mmu()
 -> tlb_flush_mmu()
 -> tlb_flush_mmu_tlbonly()
 -> tlb_flush()
 -> flush_tlb_mm_range()
 -> __flush_tlb_up()
 -> __flush_tlb()
 ->  __native_flush_tlb()

At this point current->mm is NULL but current->active_mm still points to
the "old" mm.

Let's preempt taskA _after_ native_read_cr3() by taskB. TaskB has its
own mm so CR3 has changed.

Now preempt back to taskA. TaskA has no ->mm set so it borrows taskB's
mm and so CR3 remains unchanged. Once taskA gets active it continues
where it was interrupted and that means it writes its old CR3 value
back. Everything is fine because userland won't need its memory
anymore.

Now the fun part:

Let's preempt taskA one more time and get back to taskB. This
time switch_mm() won't do a thing because oldmm (->active_mm)
is the same as mm (as per context_switch()). So we remain
with a bad CR3 / PGD and return to userland.

The next thing that happens is handle_mm_fault() with an address for
the execution of its code in userland. handle_mm_fault() realizes that
it has a PTE with proper rights so it returns doing nothing. But the
CPU looks at the wrong PGD and insists that something is wrong and
faults again. And again. And one more time…

This pagefault circle continues until the scheduler gets tired of it and
puts another task on the CPU. It gets a little difficult if the task is a
RT task with a high priority. The system will either freeze or it gets
fixed by the software watchdog thread which usually runs at RT-max prio.
But waiting for the watchdog will increase the latency of the RT task
which is no good.

Fix this by disabling preemption across the critical code section.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/1470404259-26290-1-git-send-email-bigeasy@linutronix.de
[ Prettified the changelog. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/tlbflush.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -17,7 +17,14 @@
 
 static inline void __native_flush_tlb(void)
 {
+	/*
+	 * If current->mm == NULL then we borrow a mm which may change during a
+	 * task switch and therefore we must not be preempted while we write CR3
+	 * back:
+	 */
+	preempt_disable();
 	native_write_cr3(native_read_cr3());
+	preempt_enable();
 }
 
 static inline void __native_flush_tlb_global_irq_disabled(void)
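
Review bot: the comment added in __native_flush_tlb() says we must not
be preempted "while we write CR3 back", but the window being closed is
between native_read_cr3() and native_write_cr3(): the value read can be
stale by the time it is written. Reword the comment to name the
read/write pair, so nobody later narrows the preempt_disable() section
to the write alone.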

* [PATCH 3.16 314/346] i2c: mux: pca954x: retry updating the mux selection on failure
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Peter Rosin, Wolfram Sang

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Rosin <peda@axentia.se>

commit 463e8f845cbf1c01e4cc8aeef1703212991d8e1e upstream.

The cached value of the last selected channel prevents retries on the
next call, even on failure to update the selected channel. Fix that.

Signed-off-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/muxes/i2c-mux-pca954x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
+++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
@@ -161,7 +161,7 @@ static int pca954x_select_chan(struct i2
 	/* Only select the channel if its different from the last channel */
 	if (data->last_chan != regval) {
 		ret = pca954x_reg_write(adap, client, regval);
-		data->last_chan = regval;
+		data->last_chan = ret ? 0 : regval;
 	}
 
 	return ret;
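
Review bot: "data->last_chan = ret ? 0 : regval" uses 0 as the "unknown"
marker after a failed write in pca954x_select_chan(). If 0 is also a
legitimate regval, a following request for 0 is skipped by the
"data->last_chan != regval" test even though the hardware state is
unknown. Either document that regval is never 0 on this path or use a
sentinel that cannot collide with a real register value.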

* [PATCH 3.16 197/346] drm/radeon: fix radeon_move_blit on 32bit systems
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Deucher, Christian König

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christian König <christian.koenig@amd.com>

commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 upstream.

This bug seems to be present for a very long time.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_ttm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -232,8 +232,8 @@ static int radeon_move_blit(struct ttm_b
 
 	rdev = radeon_get_rdev(bo->bdev);
 	ridx = radeon_copy_ring_index(rdev);
-	old_start = old_mem->start << PAGE_SHIFT;
-	new_start = new_mem->start << PAGE_SHIFT;
+	old_start = (u64)old_mem->start << PAGE_SHIFT;
+	new_start = (u64)new_mem->start << PAGE_SHIFT;
 
 	switch (old_mem->mem_type) {
 	case TTM_PL_VRAM:
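
Review bot: the commit message does not say what the bug is. From the
two changed lines in radeon_move_blit(), the (u64) casts make the shift
by PAGE_SHIFT happen in 64 bits rather than in the width of ->start, so
on 32-bit builds a large page number no longer wraps before it is
stored in old_start/new_start. Please put that in the changelog so the
backport can be judged without reading the surrounding function.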

* [PATCH 3.16 198/346] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bruno Wolff III, Dmitry Torokhov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 47af45d684b5f3ae000ad448db02ce4f13f73273 upstream.

The commit 4097461897df ("Input: i8042 - break load dependency ...")
correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do
the same for AUX port(s), which results in communication on KBD and AUX
ports to clash with each other.

Fixes: 4097461897df ("Input: i8042 - break load dependency ...")
Reported-by: Bruno Wolff III <bruno@wolff.to>
Tested-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1258,6 +1258,7 @@ static int __init i8042_create_aux_port(
 	serio->write		= i8042_aux_write;
 	serio->start		= i8042_start;
 	serio->stop		= i8042_stop;
+	serio->ps2_cmd_mutex	= &i8042_mutex;
 	serio->port_data	= port;
 	serio->dev.parent	= &i8042_platform_device->dev;
 	if (idx < 0) {
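
Review bot: "serio->ps2_cmd_mutex = &i8042_mutex" in
i8042_create_aux_port() repeats an assignment that, per the changelog,
the KBD port setup already has and the AUX setup missed. Filling in the
fields common to both port types in one shared helper would keep the
two creation paths from drifting apart again.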

* [PATCH 3.16 229/346] drm/msm: protect against faults from copy_from_user() in submit ioctl
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Clark

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rob Clark <robdclark@gmail.com>

commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Signed-off-by: Rob Clark <robdclark@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/msm/msm_drv.h        | 6 ++++++
 drivers/gpu/drm/msm/msm_gem.c        | 9 +++++++++
 drivers/gpu/drm/msm/msm_gem_submit.c | 3 +++
 3 files changed, 18 insertions(+)

--- a/drivers/gpu/drm/msm/msm_drv.h
+++ b/drivers/gpu/drm/msm/msm_drv.h
@@ -124,6 +124,12 @@ struct msm_drm_private {
 		 */
 		struct drm_mm mm;
 	} vram;
+
+	/* task holding struct_mutex.. currently only used in submit path
+	 * to detect and reject faults from copy_from_user() for submit
+	 * ioctl.
+	 */
+	struct task_struct *struct_mutex_task;
 };
 
 struct msm_format {
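
Review bot: the comment on `struct_mutex_task` describes the purpose of the field but not its locking rule. The other hunks set and clear it around the locked region of msm_ioctl_gem_submit() and read it without a lock in msm_gem_fault(); say that here, and say that the field is NULL whenever no submit is in progress, so nobody later treats it as a general "owner of struct_mutex" indicator.
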
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -188,11 +188,20 @@ int msm_gem_fault(struct vm_area_struct
 {
 	struct drm_gem_object *obj = vma->vm_private_data;
 	struct drm_device *dev = obj->dev;
+	struct msm_drm_private *priv = dev->dev_private;
 	struct page **pages;
 	unsigned long pfn;
 	pgoff_t pgoff;
 	int ret;
 
+	/* This should only happen if userspace tries to pass a mmap'd
+	 * but unfaulted gem bo vaddr into submit ioctl, triggering
+	 * a page fault while struct_mutex is already held.  This is
+	 * not a valid use-case so just bail.
+	 */
+	if (priv->struct_mutex_task == current)
+		return VM_FAULT_SIGBUS;
+
 	/* Make sure we don't parallel update on a fault, nor move or remove
 	 * something from beneath our feet
 	 */
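
Review bot: `if (priv->struct_mutex_task == current)` in msm_gem_fault() runs ahead of the "Make sure we don't parallel update on a fault" section, so the field is read unlocked. The comparison is still safe because a task can only ever match a pointer it stored itself, but that reasoning belongs in the comment (READ_ONCE() would also document the intent). The guard covers the submit ioctl only; any other path that copies from user memory while holding struct_mutex would still reach the code below with the mutex held.
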
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -360,6 +360,8 @@ int msm_ioctl_gem_submit(struct drm_devi
 	if (ret)
 		return ret;
 
+	priv->struct_mutex_task = current;
+
 	submit = submit_create(dev, gpu, args->nr_bos);
 	if (!submit) {
 		ret = -ENOMEM;
@@ -442,6 +444,7 @@ out:
 	if (submit)
 		submit_cleanup(submit, !!ret);
 out_unlock:
+	priv->struct_mutex_task = NULL;
 	mutex_unlock(&dev->struct_mutex);
 	return ret;
 }
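
Review bot: `priv->struct_mutex_task = NULL;` under out_unlock and the matching store at the top of msm_ioctl_gem_submit() are an open-coded pair, so any exit added later that unlocks without passing through out_unlock leaves a stale task pointer, and msm_gem_fault() would then return VM_FAULT_SIGBUS to that task on an unrelated fault. Folding set and clear into small lock/unlock helpers would keep them together. The commit message should also state what error userspace gets back from the ioctl once the fault is rejected.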

* [PATCH 3.16 151/346] USB: serial: option: add D-Link DWM-156/A3
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Lubomir Rintel

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <lkundrak@v3.sk>

commit cf1b18030de29e4e5b0a57695ae5db4a89da0ff7 upstream.

The device has four interfaces; the three serial ports ought to be
handled by this driver:

00 Diagnostic interface serial port
01 NMEA device serial port
02 Mass storage (sd card)
03 Modem serial port

The other product ids listed in the Windows driver are present already.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1977,6 +1977,7 @@ static const struct usb_device_id option
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },                /* OLICARD300 - MT6225 */
 	{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
 	{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
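
Review bot: the new 0x07d1/0x7e11 entry relies on the 0xff, 0xff, 0xff interface match to leave interface 02 (mass storage, per the commit message) to another driver, assuming that interface reports the mass-storage class, but nothing in the table records this. Extending the trailing comment to mention the storage interface would stop a later cleanup from turning the line into a plain USB_DEVICE() match that binds all four interfaces.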

* [PATCH 3.16 309/346] fsnotify: add a way to stop queueing events on group shutdown
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Linus Torvalds, Miklos Szeredi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 12703dbfeb15402260e7554d32a34ac40c233990 upstream.

Implement a function that can be called when a group is being shut down
to stop queueing new events to the group.  Fanotify will use this.

Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/notify/group.c                | 19 +++++++++++++++++++
 fs/notify/notification.c         |  8 +++++++-
 include/linux/fsnotify_backend.h |  3 +++
 3 files changed, 29 insertions(+), 1 deletion(-)

--- a/fs/notify/group.c
+++ b/fs/notify/group.c
@@ -40,6 +40,17 @@ void fsnotify_final_destroy_group(struct
 }
 
 /*
+ * Stop queueing new events for this group. Once this function returns
+ * fsnotify_add_event() will not add any new events to the group's queue.
+ */
+void fsnotify_group_stop_queueing(struct fsnotify_group *group)
+{
+	mutex_lock(&group->notification_mutex);
+	group->shutdown = true;
+	mutex_unlock(&group->notification_mutex);
+}
+
+/*
  * Trying to get rid of a group. Remove all marks, flush all events and release
  * the group reference.
  * Note that another thread calling fsnotify_clear_marks_by_group() may still
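
Review bot: the comment above fsnotify_group_stop_queueing() names fsnotify_add_event(), but the function that tests `group->shutdown` in this backport is fsnotify_add_notify_event() in fs/notify/notification.c. Please adjust the comment to the 3.16 name. It would also help to state that the flag is one-way, since nothing in this patch clears it again.
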
@@ -47,6 +58,14 @@ void fsnotify_final_destroy_group(struct
  */
 void fsnotify_destroy_group(struct fsnotify_group *group)
 {
+	/*
+	 * Stop queueing new events. The code below is careful enough to not
+	 * require this but fanotify needs to stop queuing events even before
+	 * fsnotify_destroy_group() is called and this makes the other callers
+	 * of fsnotify_destroy_group() to see the same behavior.
+	 */
+	fsnotify_group_stop_queueing(group);
+
 	/* clear all inode marks for this group */
 	fsnotify_clear_marks_by_group(group);
 
--- a/fs/notify/notification.c
+++ b/fs/notify/notification.c
@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnot
  * Add an event to the group notification queue.  The group can later pull this
  * event off the queue to deal with.  The function returns 0 if the event was
  * added to the queue, 1 if the event was merged with some other queued event,
- * 2 if the queue of events has overflown.
+ * 2 if the event was not queued - either the queue of events has overflown
+ * or the group is shutting down.
  */
 int fsnotify_add_notify_event(struct fsnotify_group *group,
 			      struct fsnotify_event *event,
@@ -96,6 +97,11 @@ int fsnotify_add_notify_event(struct fsn
 
 	mutex_lock(&group->notification_mutex);
 
+	if (group->shutdown) {
+		mutex_unlock(&group->notification_mutex);
+		return 2;
+	}
+
 	if (group->q_len >= group->max_events) {
 		ret = 2;
 		/* Queue overflow event only if it isn't already queued */
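
Review bot: the new `if (group->shutdown)` branch returns the same value 2 as the queue-overflow branch directly below it, so a caller cannot tell "dropped because the group is going away" from "dropped because the queue is full". If every caller treats 2 simply as "not queued" that is fine, but please confirm it against the callers in 3.16. The branch also adds a second mutex_unlock() to the function; setting `ret = 2` and jumping to a single unlock-and-return would keep the locking in one place.
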
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -150,6 +150,7 @@ struct fsnotify_group {
 	#define FS_PRIO_1	1 /* fanotify content based access control */
 	#define FS_PRIO_2	2 /* fanotify pre-content access */
 	unsigned int priority;
+	bool shutdown;		/* group is being shut down, don't queue more events */
 
 	/* stores all fastpath marks assoc with this group so they can be cleaned on unregister */
 	struct mutex mark_mutex;	/* protect marks_list */
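
Review bot: the comment on `bool shutdown` gives the purpose of the field but not which lock protects it. The other hunks read and write it only under `notification_mutex`, and the `mark_mutex` line just below shows this header's habit of naming what each lock protects, so add "protected by notification_mutex" to the comment.
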
@@ -314,6 +315,8 @@ extern struct fsnotify_group *fsnotify_a
 extern void fsnotify_get_group(struct fsnotify_group *group);
 /* drop reference on a group from fsnotify_alloc_group */
 extern void fsnotify_put_group(struct fsnotify_group *group);
+/* group destruction begins, stop queuing new events */
+extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
 /* destroy group */
 extern void fsnotify_destroy_group(struct fsnotify_group *group);
 /* fasync handler function */

* [PATCH 3.16 170/346] ARC: Call trace_hardirqs_on() before enabling irqs
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel Mentz, Vineet Gupta

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Mentz <danielmentz@google.com>

commit 18b43e89d295cc65151c505c643c98fb2c320e59 upstream.

trace_hardirqs_on_caller() in lockdep.c expects to be called before, not
after interrupts are actually enabled.

The following comment in kernel/locking/lockdep.c substantiates this
claim:

"
/*
 * We're enabling irqs and according to our state above irqs weren't
 * already enabled, yet we find the hardware thinks they are in fact
 * enabled.. someone messed up their IRQ state tracing.
 */
"

An example can be found in include/linux/irqflags.h:

	do { trace_hardirqs_on(); raw_local_irq_enable(); } while (0)

Without this change, we hit the following DEBUG_LOCKS_WARN_ON.

[    7.760000] ------------[ cut here ]------------
[    7.760000] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:2711 resume_user_mode_begin+0x48/0xf0
[    7.770000] DEBUG_LOCKS_WARN_ON(!irqs_disabled())
[    7.780000] Modules linked in:
[    7.780000] CPU: 0 PID: 1 Comm: init Not tainted 4.7.0-00003-gc668bb9-dirty #366
[    7.790000]
[    7.790000] Stack Trace:
[    7.790000]   arc_unwind_core.constprop.1+0xa4/0x118
[    7.800000]   warn_slowpath_fmt+0x72/0x158
[    7.800000]   resume_user_mode_begin+0x48/0xf0
[    7.810000] ---[ end trace 6f6a7a8fae20d2f0 ]---

Signed-off-by: Daniel Mentz <danielmentz@google.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/include/asm/irqflags.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/include/asm/irqflags.h
+++ b/arch/arc/include/asm/irqflags.h
@@ -179,10 +179,10 @@ static inline void arch_unmask_irq(unsig
 .endm
 
 .macro IRQ_ENABLE  scratch
+	TRACE_ASM_IRQ_ENABLE
 	lr	\scratch, [status32]
 	or	\scratch, \scratch, (STATUS_E1_MASK | STATUS_E2_MASK)
 	flag	\scratch
-	TRACE_ASM_IRQ_ENABLE
 .endm
 
 #endif	/* __ASSEMBLY__ */
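
Review bot: nothing inside IRQ_ENABLE records that TRACE_ASM_IRQ_ENABLE has to stay ahead of the `flag \scratch` that actually enables interrupts, so the ordering this patch establishes is easy to undo in a later cleanup. A short comment in the macro pointing at the lockdep expectation quoted in the commit message would prevent that. Please also check that the disable-side macro has the mirror ordering, with the trace call after interrupts are off.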

* [PATCH 3.16 290/346] sparc32: fix copy_from_user()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.

Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sparc/include/asm/uaccess_32.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -265,8 +265,10 @@ static inline unsigned long copy_from_us
 {
 	if (n && __access_ok((unsigned long) from, n))
 		return __copy_user((__force void __user *) to, from, n);
-	else
+	else {
+		memset(to, 0, n);
 		return n;
+	}
 }
 
 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
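
Review bot: the added `memset(to, 0, n);` covers only the else branch, where `n` is zero or __access_ok() fails; when __copy_user() itself returns a non-zero remainder, this hunk does nothing for the uncopied tail of `to`, so the caller's buffer can still hold stale kernel data unless __copy_user() zeroes it. Please confirm which it is. The commit message is empty apart from the tags and should at least say why the destination has to be cleared on failure.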

* [PATCH 3.16 125/346] fuse: fuse_flush must check mapping->flags for errors
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Maxim Patlasov, Miklos Szeredi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maxim Patlasov <mpatlasov@virtuozzo.com>

commit 9ebce595f63a407c5cec98f98f9da8459b73740a upstream.

fuse_flush() calls write_inode_now() that triggers writeback, but actual
writeback will happen later, on fuse_sync_writes(). If an error happens,
fuse_writepage_end() will set error bit in mapping->flags. So, we have to
check mapping->flags after fuse_sync_writes().

Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 4d99ff8f12eb ("fuse: Turn writeback cache on")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/file.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -454,6 +454,15 @@ static int fuse_flush(struct file *file,
 	fuse_sync_writes(inode);
 	mutex_unlock(&inode->i_mutex);
 
+	if (test_bit(AS_ENOSPC, &file->f_mapping->flags) &&
+	    test_and_clear_bit(AS_ENOSPC, &file->f_mapping->flags))
+		err = -ENOSPC;
+	if (test_bit(AS_EIO, &file->f_mapping->flags) &&
+	    test_and_clear_bit(AS_EIO, &file->f_mapping->flags))
+		err = -EIO;
+	if (err)
+		return err;
+
 	req = fuse_get_req_nofail_nopages(fc, file);
 	memset(&inarg, 0, sizeof(inarg));
 	inarg.fh = ff->fh;
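
Review bot: the new `if (err) return err;` leaves fuse_flush() before `req = fuse_get_req_nofail_nopages(fc, file);`, so on a writeback error the FLUSH request is never sent to the userspace server. If that is intended, a comment should say so; if the server is expected to see every flush, record the error and continue. Two smaller points: when both AS_ENOSPC and AS_EIO are set the second test overwrites -ENOSPC with -EIO, and `err` may already be non-zero from code above the hunk, which the new return would also act on.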

* [PATCH 3.16 321/346] tracing: Move mutex to protect against resetting of seq data
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Steven Rostedt (Red Hat)

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 1245800c0f96eb6ebb368593e251d66c01e61022 upstream.

The iter->seq can be reset outside the protection of the mutex. So can
reading of user data. Move the mutex up to the beginning of the function.

Fixes: d7350c3f45694 ("tracing/core: make the read callbacks reentrants")
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4435,13 +4435,6 @@ tracing_read_pipe(struct file *filp, cha
 	struct trace_array *tr = iter->tr;
 	ssize_t sret;
 
-	/* return any leftover data */
-	sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
-	if (sret != -EBUSY)
-		return sret;
-
-	trace_seq_init(&iter->seq);
-
 	/* copy the tracer to avoid using a global lock all around */
 	mutex_lock(&trace_types_lock);
 	if (unlikely(iter->trace->name != tr->current_trace->name))
@@ -4454,6 +4447,14 @@ tracing_read_pipe(struct file *filp, cha
 	 * is protected.
 	 */
 	mutex_lock(&iter->mutex);
+
+	/* return any leftover data */
+	sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+	if (sret != -EBUSY)
+		goto out;
+
+	trace_seq_init(&iter->seq);
+
 	if (iter->trace->read) {
 		sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
 		if (sret)
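
Review bot: the moved "return any leftover data" block now exits with `goto out;` where the original used `return sret;`, so this hunk is only correct if the `out` label drops iter->mutex, and that label is outside the visible context. Please confirm it for the 3.16 version of tracing_read_pipe(). The commit message says the mutex is moved up, while the diff moves the leftover read and trace_seq_init() down below `mutex_lock(&iter->mutex)`; the effect is the same for iter->seq, but trace_seq_to_user(), a copy to user memory, now runs with iter->mutex held, which deserves a sentence in the message.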

* [PATCH 3.16 145/346] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream.

We can't pass error pointers to kfree() or it causes an oops.

Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/hostfs/hostfs_kern.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -942,10 +942,11 @@ static int hostfs_fill_sb_common(struct
 
 	if (S_ISLNK(root_inode->i_mode)) {
 		char *name = follow_link(host_root_path);
-		if (IS_ERR(name))
+		if (IS_ERR(name)) {
 			err = PTR_ERR(name);
-		else
-			err = read_name(root_inode, name);
+			goto out_put;
+		}
+		err = read_name(root_inode, name);
 		kfree(name);
 		if (err)
 			goto out_put;

* [PATCH 3.16 138/346] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Howells, Borislav Petkov, Josh Poimboeuf,
	Ingo Molnar, Thomas Gleixner, Andy Lutomirski, Peter Zijlstra,
	Brian Gerst, Stephan Mueller, linux-security-module,
	Denys Vlasenko, keyrings, H. Peter Anvin, Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit f7d665627e103e82d34306c7d3f6f46f387c0d8b upstream.

x86_64 needs to use compat_sys_keyctl for 32-bit userspace rather than
calling sys_keyctl(). The latter will work in a lot of cases, thereby
hiding the issue.

Reported-by: Stephan Mueller <smueller@chronox.de>
Tested-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Link: http://lkml.kernel.org/r/146961615805.14395.5581949237156769439.stgit@warthog.procyon.org.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/syscalls/syscall_32.tbl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -294,7 +294,7 @@
 # 285 sys_setaltroot
 286	i386	add_key			sys_add_key
 287	i386	request_key		sys_request_key
-288	i386	keyctl			sys_keyctl
+288	i386	keyctl			sys_keyctl			compat_sys_keyctl
 289	i386	ioprio_set		sys_ioprio_set
 290	i386	ioprio_get		sys_ioprio_get
 291	i386	inotify_init		sys_inotify_init
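
Review bot: only row 288 gains a compat entry point; rows 286 (add_key) and 287 (request_key) directly above keep a single sys_* column. The commit message explains why keyctl needs compat_sys_keyctl but not why its two siblings can stay as they are, and a sentence on that would close the obvious follow-up question. Since the message notes that sys_keyctl "will work in a lot of cases", it would also help to name one keyctl operation that does not, so the fix can be tested.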

* [PATCH 3.16 128/346] ubi: Make volume resize power cut aware
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, Boris Brezillon

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 4946784bd3924b1374f05eebff2fd68660bae866 upstream.

When the volume resize operation shrinks a volume,
LEBs will be unmapped. Since unmapping will not erase these
LEBs immediately we have to wait for that operation to finish.
Otherwise in case of a power cut right after writing the new
volume table the UBI attach process can find more LEBs than the
volume table knows. This will render the UBI image unattachable.

Fix this issue by waiting for erase to complete and writing the new
volume table afterward.

Reported-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/ubi/vmt.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -534,13 +534,6 @@ int ubi_resize_volume(struct ubi_volume_
 		spin_unlock(&ubi->volumes_lock);
 	}
 
-	/* Change volume table record */
-	vtbl_rec = ubi->vtbl[vol_id];
-	vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
-	err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
-	if (err)
-		goto out_acc;
-
 	if (pebs < 0) {
 		for (i = 0; i < -pebs; i++) {
 			err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i);
@@ -558,6 +551,24 @@ int ubi_resize_volume(struct ubi_volume_
 		spin_unlock(&ubi->volumes_lock);
 	}
 
+	/*
+	 * When we shrink a volume we have to flush all pending (erase) work.
+	 * Otherwise it can happen that upon next attach UBI finds a LEB with
+	 * lnum > highest_lnum and refuses to attach.
+	 */
+	if (pebs < 0) {
+		err = ubi_wl_flush(ubi, vol_id, UBI_ALL);
+		if (err)
+			goto out_acc;
+	}
+
+	/* Change volume table record */
+	vtbl_rec = ubi->vtbl[vol_id];
+	vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
+	err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
+	if (err)
+		goto out_acc;
+
 	vol->reserved_pebs = reserved_pebs;
 	if (vol->vol_type == UBI_DYNAMIC_VOLUME) {
 		vol->used_ebs = reserved_pebs;
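
Review bot: with the volume table update moved below the unmap loop, a failure of ubi_wl_flush() or ubi_change_vtbl_record() on the shrink path now reaches `goto out_acc` after the LEBs have been unmapped and after the accounting block that ends at `spin_unlock(&ubi->volumes_lock);`. Please check that out_acc unwinds correctly from that later point. Leaving the on-flash table at the old size is the safe direction for attach, since the table then claims more LEBs than exist rather than fewer, and the new comment should say that explicitly.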

* [PATCH 3.16 315/346] btrfs: ensure that file descriptor used with subvol ioctls is a dir
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jeff Mahoney, Chris Mason

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit 325c50e3cebb9208009083e841550f98a863bfa0 upstream.

If the subvol/snapshot create/destroy ioctls are passed a regular file
with execute permissions set, we'll eventually Oops while trying to do
inode->i_op->lookup via lookup_one_len.

This patch ensures that the file descriptor refers to a directory.

Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules)
Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl)
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/ioctl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1649,6 +1649,9 @@ static noinline int btrfs_ioctl_snap_cre
 	int namelen;
 	int ret = 0;
 
+	if (!S_ISDIR(file_inode(file)->i_mode))
+		return -ENOTDIR;
+
 	ret = mnt_want_write_file(file);
 	if (ret)
 		goto out;
@@ -1706,6 +1709,9 @@ static noinline int btrfs_ioctl_snap_cre
 	struct btrfs_ioctl_vol_args *vol_args;
 	int ret;
 
+	if (!S_ISDIR(file_inode(file)->i_mode))
+		return -ENOTDIR;
+
 	vol_args = memdup_user(arg, sizeof(*vol_args));
 	if (IS_ERR(vol_args))
 		return PTR_ERR(vol_args);
@@ -1729,6 +1735,9 @@ static noinline int btrfs_ioctl_snap_cre
 	bool readonly = false;
 	struct btrfs_qgroup_inherit *inherit = NULL;
 
+	if (!S_ISDIR(file_inode(file)->i_mode))
+		return -ENOTDIR;
+
 	vol_args = memdup_user(arg, sizeof(*vol_args));
 	if (IS_ERR(vol_args))
 		return PTR_ERR(vol_args);
@@ -2355,6 +2364,9 @@ static noinline int btrfs_ioctl_snap_des
 	int ret;
 	int err = 0;
 
+	if (!S_ISDIR(dir->i_mode))
+		return -ENOTDIR;
+
 	vol_args = memdup_user(arg, sizeof(*vol_args));
 	if (IS_ERR(vol_args))
 		return PTR_ERR(vol_args);
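
Review bot: the same S_ISDIR() guard is now open-coded four times, three times as `file_inode(file)->i_mode` and in this hunk as `dir->i_mode`. A small helper would keep the four sites in sync and make it harder to add another subvol ioctl without the check. Returning -ENOTDIR directly is fine at each site because the check sits ahead of mnt_want_write_file() and memdup_user(), so nothing has been acquired yet; a comment noting that the fd comes straight from userspace and may be any file type would explain why the check is needed.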

* [PATCH 3.16 200/346] parisc: Fix order of EREFUSED define in errno.h
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Helge Deller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream.

When building gccgo in userspace, errno.h gets parsed and the go include file
sysinfo.go is generated.

Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
is defined later on in errno.h, this leads to go complaining that EREFUSED
isn't defined yet.

Fix this trivial problem by moving the define of EREFUSED down after
ECONNREFUSED in errno.h (and clean up the indenting while touching this line).

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/parisc/include/uapi/asm/errno.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/parisc/include/uapi/asm/errno.h
+++ b/arch/parisc/include/uapi/asm/errno.h
@@ -97,10 +97,10 @@
 #define	ENOTCONN	235	/* Transport endpoint is not connected */
 #define	ESHUTDOWN	236	/* Cannot send after transport endpoint shutdown */
 #define	ETOOMANYREFS	237	/* Too many references: cannot splice */
-#define EREFUSED	ECONNREFUSED	/* for HP's NFS apparently */
 #define	ETIMEDOUT	238	/* Connection timed out */
 #define	ECONNREFUSED	239	/* Connection refused */
-#define EREMOTERELEASE	240	/* Remote peer released connection */
+#define	EREFUSED	ECONNREFUSED	/* for HP's NFS apparently */
+#define	EREMOTERELEASE	240	/* Remote peer released connection */
 #define	EHOSTDOWN	241	/* Host is down */
 #define	EHOSTUNREACH	242	/* No route to host */
 

* [PATCH 3.16 127/346] ubi: Fix race condition between ubi device creation and udev
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Richard Weinberger, Iosif Harutyunov, Iosif Harutyunov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Iosif Harutyunov <iharutyunov@SonicWALL.com>

commit 714fb87e8bc05ff78255afc0dca981e8c5242785 upstream.

Install the UBI device object before we arm sysfs.
Otherwise udev tries to read sysfs attributes before UBI is ready and
udev rules will not match.

Signed-off-by: Iosif Harutyunov <iharutyunov@sonicwall.com>
[rw: massaged commit message]
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/ubi/build.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -999,6 +999,9 @@ int ubi_attach_mtd_dev(struct mtd_info *
 			goto out_detach;
 	}
 
+	/* Make device "available" before it becomes accessible via sysfs */
+	ubi_devices[ubi_num] = ubi;
+
 	err = uif_init(ubi, &ref);
 	if (err)
 		goto out_detach;
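
Review bot: the comment above ubi_devices[ubi_num] = ubi should say what makes the early publish safe. The slot is now filled before uif_init(), while the background thread is only woken in the next hunk, so anything that reads ubi_devices[] in that window sees a device that is not fully started. Name the lock held here, or explain why a lookup at this point is harmless, since the ordering is the whole point of the fix.
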
@@ -1043,7 +1046,6 @@ int ubi_attach_mtd_dev(struct mtd_info *
 	wake_up_process(ubi->bgt_thread);
 	spin_unlock(&ubi->wl_lock);
 
-	ubi_devices[ubi_num] = ubi;
 	ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL);
 	return ubi_num;
 
@@ -1054,6 +1056,7 @@ out_uif:
 	ubi_assert(ref);
 	uif_close(ubi);
 out_detach:
+	ubi_devices[ubi_num] = NULL;
 	ubi_wl_close(ubi);
 	ubi_free_internal_volumes(ubi);
 	vfree(ubi->vtbl);
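
Review bot: the ubi_devices[ubi_num] = NULL added under out_detach also runs for the goto out_detach that sits above the new assignment in the first hunk, where this call has not stored anything in the slot yet. That is harmless only if the slot is guaranteed to be empty on entry; a one-line comment saying so, or clearing the slot only on paths taken after the store, would make the error path easier to audit.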

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 284/346] ppc32: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 243/346] IB/core: Fix use after free in send_leave function Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 303/346] irda: Free skb on irda_accept error path Ben Hutchings
                   ` (97 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.

should clear on access_ok() failures.  Also remove the useless
range truncation logics.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: no calls to check_object_size()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -323,30 +323,17 @@ extern unsigned long __copy_tofrom_user(
 static inline unsigned long copy_from_user(void *to,
 		const void __user *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n)))
 		return __copy_tofrom_user((__force void __user *)to, from, n);
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + n - TASK_SIZE;
-		return __copy_tofrom_user((__force void __user *)to, from,
-				n - over) + over;
-	}
+	memset(to, 0, n);
 	return n;
 }
 
 static inline unsigned long copy_to_user(void __user *to,
 		const void *from, unsigned long n)
 {
-	unsigned long over;
-
 	if (access_ok(VERIFY_WRITE, to, n))
 		return __copy_tofrom_user(to, (__force void __user *)from, n);
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + n - TASK_SIZE;
-		return __copy_tofrom_user(to, (__force void __user *)from,
-				n - over) + over;
-	}
 	return n;
 }
 
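
Review bot: in copy_from_user() the memset(to, 0, n) covers only the access_ok() failure. When access_ok() passes, the result of __copy_tofrom_user() is returned unchanged, so whether the uncopied tail of the destination is zeroed after a mid-copy fault depends on that routine, which this hunk does not show. The commit message should state which case is handled where, because an unzeroed tail is exactly what callers that ignore the return value end up exposing. Minor: copy_to_user() keeps a bare access_ok() while copy_from_user() gains likely().
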
@@ -437,10 +424,6 @@ static inline unsigned long clear_user(v
 	might_fault();
 	if (likely(access_ok(VERIFY_WRITE, addr, size)))
 		return __clear_user(addr, size);
-	if ((unsigned long)addr < TASK_SIZE) {
-		unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-		return __clear_user(addr, size - over) + over;
-	}
 	return size;
 }
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 157/346] drm/edid: Add 6 bpc quirk for display AEO model 0.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 276/346] ia64: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 014/346] usb: dwc3: fix for the isoc transfer EP_BUSY flag Ben Hutchings
                   ` (298 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Airlie, Mario Kleiner, Jani Nikula, Daniel Vetter,
	Ville Syrjälä

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <mario.kleiner.de@gmail.com>

commit e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd upstream.

Bugzilla https://bugzilla.kernel.org/show_bug.cgi?id=105331
reports that the "AEO model 0" display is driven with 8 bpc
without dithering by default, which looks bad because that
panel is apparently a 6 bpc DP panel with faulty EDID.

A fix for this was made by commit 013dd9e03872
("drm/i915/dp: fall back to 18 bpp when sink capability is unknown").

That commit triggers new regressions in precision for DP->DVI and
DP->VGA displays. A patch is out to revert that commit, but it will
revert video output for the AEO model 0 panel to 8 bpc without
dithering.

The EDID 1.3 of that panel, as decoded from the xrandr output
attached to that bugzilla bug report, is somewhat faulty, and beyond
other problems also sets the "DFP 1.x compliant TMDS" bit, which
according to DFP spec means to drive the panel with 8 bpc and
no dithering in absence of other colorimetry information.

Try to make the original bug reporter happy despite the
faulty EDID by adding a quirk to mark that panel as 6 bpc,
so 6 bpc output with dithering creates a nice picture.

Tested by injecting the edid from the fdo bug into a DP connector
via drm_kms_helper.edid_firmware and verifying the 6 bpc + dithering
is selected.

This patch should be backported to stable.

Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_edid.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -72,6 +72,8 @@
 #define EDID_QUIRK_FORCE_8BPC			(1 << 8)
 /* Force 12bpc */
 #define EDID_QUIRK_FORCE_12BPC			(1 << 9)
+/* Force 6bpc */
+#define EDID_QUIRK_FORCE_6BPC			(1 << 10)
 
 struct detailed_mode_closure {
 	struct drm_connector *connector;
@@ -98,6 +100,9 @@ static struct edid_quirk {
 	/* Unknown Acer */
 	{ "ACR", 2423, EDID_QUIRK_FIRST_DETAILED_PREFERRED },
 
+	/* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+	{ "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
 	/* Belinea 10 15 55 */
 	{ "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
 	{ "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
@@ -3667,6 +3672,9 @@ int drm_add_edid_modes(struct drm_connec
 
 	drm_add_display_info(edid, &connector->display_info, connector);
 
+	if (quirks & EDID_QUIRK_FORCE_6BPC)
+		connector->display_info.bpc = 6;
+
 	if (quirks & EDID_QUIRK_FORCE_8BPC)
 		connector->display_info.bpc = 8;
 
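
Review bot: the EDID_QUIRK_FORCE_6BPC test in drm_add_edid_modes() sits ahead of the EDID_QUIRK_FORCE_8BPC test, so a quirk entry that ever carries both bits silently ends up at 8 bpc. Either document next to the defines that the force-bpc bits are mutually exclusive, or chain the tests with else if so the precedence is explicit.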

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 142/346] mm/hugetlb: avoid soft lockup in set_max_huge_pages()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (202 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 169/346] x86/mm: Disable preemption during CR3 read+write Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 019/346] drm/radeon: Don't leak runtime pm ref on driver unload Ben Hutchings
                   ` (142 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michal Hocko, Dave Hansen, Linus Torvalds, Naoya Horiguchi,
	Paul Gortmaker, Mike Kravetz, Kirill A. Shutemov, Jia He

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia He <hejianet@gmail.com>

commit 649920c6ab93429b94bc7c1aa7c0e8395351be32 upstream.

In powerpc servers with large memory(32TB), we watched several soft
lockups for hugepage under stress tests.

The call traces are as follows:
1.
get_page_from_freelist+0x2d8/0xd50
__alloc_pages_nodemask+0x180/0xc20
alloc_fresh_huge_page+0xb0/0x190
set_max_huge_pages+0x164/0x3b0

2.
prep_new_huge_page+0x5c/0x100
alloc_fresh_huge_page+0xc8/0x190
set_max_huge_pages+0x164/0x3b0

This patch fixes such soft lockups.  It is safe to call cond_resched()
there because it is out of spin_lock/unlock section.

Link: http://lkml.kernel.org/r/1469674442-14848-1-git-send-email-hejianet@gmail.com
Signed-off-by: Jia He <hejianet@gmail.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1655,6 +1655,10 @@ static unsigned long set_max_huge_pages(
 		 * and reducing the surplus.
 		 */
 		spin_unlock(&hugetlb_lock);
+
+		/* yield cpu to avoid soft lockup */
+		cond_resched();
+
 		if (hstate_is_gigantic(h))
 			ret = alloc_fresh_gigantic_page(h, nodes_allowed);
 		else
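
Review bot: the comment on cond_resched() should record the constraint as well as the motive. "yield cpu to avoid soft lockup" says why the call exists, but not that it is only legal here because hugetlb_lock was dropped by the spin_unlock() two lines above; a later reordering that moves the call above the unlock would reschedule with the spinlock held.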

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 162/346] netfilter: nfnetlink_queue: reject verdict request from different portid
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 324/346] mm,ksm: fix endless looping in allocating memory when ksm enable Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 217/346] x86/apic: Do not init irq remapping if ioapic is disabled Ben Hutchings
                   ` (309 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Pablo Neira Ayuso, Liping Zhang, Florian Westphal

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liping Zhang <liping.zhang@spreadtrum.com>

commit 00a3101f561816e58de054a470484996f78eb5eb upstream.

Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict
request when the portid is not same with the initial portid(maybe
from another process).

Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nfnetlink_queue_core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -985,10 +985,8 @@ nfqnl_recv_verdict(struct sock *ctnl, st
 	struct net *net = sock_net(ctnl);
 	struct nfnl_queue_net *q = nfnl_queue_pernet(net);
 
-	queue = instance_lookup(q, queue_num);
-	if (!queue)
-		queue = verdict_instance_lookup(q, queue_num,
-						NETLINK_CB(skb).portid);
+	queue = verdict_instance_lookup(q, queue_num,
+					NETLINK_CB(skb).portid);
 	if (IS_ERR(queue))
 		return PTR_ERR(queue);
 
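
Review bot: the commit message should spell out the behaviour change in nfqnl_recv_verdict(). In the removed lines the portid comparison in verdict_instance_lookup() ran only when instance_lookup() had returned nothing, so for an existing queue a verdict from any netlink socket was accepted; after the change every verdict is checked against the portid and the IS_ERR(queue) test becomes the single failure path. Stating that, and what a second process now gets back, lets stable users judge whether a multi-process consumer is affected.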

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 147/346] block: fix use-after-free in seq file
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 234/346] dm crypt: fix free of bad values after tfm allocation failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 223/346] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Ben Hutchings
                   ` (194 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, Jens Axboe, Tejun Heo

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/genhd.c | 1 +
 1 file changed, 1 insertion(+)

--- a/block/genhd.c
+++ b/block/genhd.c
@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_fi
 	if (iter) {
 		class_dev_iter_exit(iter);
 		kfree(iter);
+		seqf->private = NULL;
 	}
 }
 
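
Review bot: seqf->private = NULL inside the if (iter) block of disk_seqf_stop() closes the stale-pointer path, but it leaves the invariant in stop() while the failure happens in start(). Consider also clearing seqf->private where the kmalloc() in disk_seqf_start() fails, the alternative the commit message mentions, so that each function on its own leaves the pointer either valid or NULL.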

^ permalink raw reply	[flat|nested] 352+ messages in thread
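
The start/stop sequence from the commit message above, replayed in a userspace model. This is an added example, not part of the patch or of the kernel: the pool allocator, the `fix_mode` enum and all `model_*` names are hypothetical stand-ins for kmalloc()/kfree() and the disk_seqf_* callbacks, so that the stale pointer can be detected without touching freed memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: a two-slot pool replaces kmalloc()/kfree(), and the
 * slot state tells us whether a pointer still refers to a live iterator. */
enum slot_state { SLOT_FREE, SLOT_LIVE };
struct iter_model { enum slot_state state; };
struct seqf_model { struct iter_model *private; };

enum fix_mode {
    FIX_NONE,         /* behaviour before the patch */
    FIX_STOP_CLEARS,  /* the patch: stop() resets private to NULL */
    FIX_START_CLEARS  /* the alternative named in the commit message */
};

static struct iter_model pool[2];
static int fail_next_alloc;   /* constructed fault injection */

static struct iter_model *model_alloc(void)
{
    size_t i;

    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    for (i = 0; i < 2; i++) {
        if (pool[i].state == SLOT_FREE) {
            pool[i].state = SLOT_LIVE;
            return &pool[i];
        }
    }
    return NULL;
}

/* Models .seq_start(): on allocation failure private is left untouched
 * unless the alternative fix is selected. */
static void model_start(struct seqf_model *s, enum fix_mode mode)
{
    struct iter_model *it = model_alloc();

    if (!it) {
        if (mode == FIX_START_CLEARS)
            s->private = NULL;
        return;               /* stop() is still called after this */
    }
    s->private = it;
}

/* Models .seq_stop(). Returns 1 when it would have passed an already
 * freed iterator to the teardown and free calls, 0 otherwise. */
static int model_stop(struct seqf_model *s, enum fix_mode mode)
{
    struct iter_model *it = s->private;

    if (!it)
        return 0;
    if (it->state == SLOT_FREE)
        return 1;             /* stale pointer from an earlier read */
    it->state = SLOT_FREE;    /* stands in for kfree(iter) */
    if (mode == FIX_STOP_CLEARS)
        s->private = NULL;
    return 0;
}

/* open(); pread() ok; pread() with failing allocation; pread() ok. */
int stale_accesses(enum fix_mode mode)
{
    struct seqf_model s = { NULL };
    int stale = 0;

    pool[0].state = pool[1].state = SLOT_FREE;
    fail_next_alloc = 0;

    model_start(&s, mode);
    stale += model_stop(&s, mode);

    fail_next_alloc = 1;      /* second read: start() cannot allocate */
    model_start(&s, mode);
    stale += model_stop(&s, mode);

    model_start(&s, mode);    /* third read: allocation works again */
    stale += model_stop(&s, mode);
    return stale;
}

int main(void)
{
    printf("unpatched:          %d stale access(es)\n", stale_accesses(FIX_NONE));
    printf("stop() clears:      %d stale access(es)\n", stale_accesses(FIX_STOP_CLEARS));
    printf("start() clears:     %d stale access(es)\n", stale_accesses(FIX_START_CLEARS));
    return 0;
}
```
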

* [PATCH 3.16 216/346] timekeeping: Cap array access in timekeeping_debug
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 121/346] MIPS: c-r4k: Fix protected_writeback_scache_line for EVA Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 326/346] MIPS: Malta: Fix IOCU disable switch read for MIPS64 Ben Hutchings
                   ` (333 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, John Stultz, Thomas Gleixner, Chen Yu, Janek Kozicki,
	linux-pm, Zhang Rui, Xunlei Pang, Rafael J. Wysocki,
	Peter Zijlstra

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Stultz <john.stultz@linaro.org>

commit a4f8f6667f099036c88f231dcad4cf233652c824 upstream.

It was reported that hibernation could fail on the 2nd attempt, where the
system hangs at hibernate() -> syscore_resume() -> i8237A_resume() ->
claim_dma_lock(), because the lock has already been taken.

However there is actually no other process would like to grab this lock on
that problematic platform.

Further investigation showed that the problem is triggered by setting
/sys/power/pm_trace to 1 before the 1st hibernation.

Since once pm_trace is enabled, the rtc becomes unmeaningful after suspend,
and meanwhile some BIOSes would like to adjust the 'invalid' RTC (e.g, smaller
than 1970) to the release date of that motherboard during POST stage, thus
after resumed, it may seem that the system had a significant long sleep time
which is a completely meaningless value.

Then in timekeeping_resume -> tk_debug_account_sleep_time, if the bit31 of the
sleep time happened to be set to 1, fls() returns 32 and we add 1 to
sleep_time_bin[32], which causes an out of bounds array access and therefore
memory being overwritten.

As depicted by System.map:
0xffffffff81c9d080 b sleep_time_bin
0xffffffff81c9d100 B dma_spin_lock
the dma_spin_lock.val is set to 1, which caused this problem.

This patch adds a sanity check in tk_debug_account_sleep_time()
to ensure we don't index past the sleep_time_bin array.

[jstultz: Problem diagnosed and original patch by Chen Yu, I've solved the
 issue slightly differently, but borrowed his excellent explanation of the
 issue here.]

Fixes: 5c83545f24ab "power: Add option to log time spent in suspend"
Reported-by: Janek Kozicki <cosurgi@gmail.com>
Reported-by: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Cc: linux-pm@vger.kernel.org
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Xunlei Pang <xpang@redhat.com>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Zhang Rui <rui.zhang@intel.com>
Link: http://lkml.kernel.org/r/1471993702-29148-3-git-send-email-john.stultz@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time/timekeeping_debug.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/kernel/time/timekeeping_debug.c
+++ b/kernel/time/timekeeping_debug.c
@@ -23,7 +23,9 @@
 
 #include "timekeeping_internal.h"
 
-static unsigned int sleep_time_bin[32] = {0};
+#define NUM_BINS 32
+
+static unsigned int sleep_time_bin[NUM_BINS] = {0};
 
 static int tk_debug_show_sleep_time(struct seq_file *s, void *data)
 {
@@ -69,6 +71,9 @@ late_initcall(tk_debug_sleep_time_init);
 
 void tk_debug_account_sleep_time(struct timespec *t)
 {
-	sleep_time_bin[fls(t->tv_sec)]++;
+	/* Cap bin index so we don't overflow the array */
+	int bin = min(fls(t->tv_sec), NUM_BINS-1);
+
+	sleep_time_bin[bin]++;
 }
 
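
Review bot: capping with min(fls(t->tv_sec), NUM_BINS-1) stops the overflow but folds every out-of-range sleep time into the last bin, including the bogus RTC-derived values the commit message describes, so the top bucket of the histogram no longer means what its label says. A WARN_ONCE(), or skipping the sample when the index exceeds NUM_BINS - 1, would keep the bad input visible instead of absorbing it. Style: kernel convention puts spaces around the minus in NUM_BINS-1.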

^ permalink raw reply	[flat|nested] 352+ messages in thread
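
The index arithmetic from the commit message above, worked through in userspace. This is an added example, not kernel code: `fls_model()`, the flat `words` array and the other function names are hypothetical, the two addresses are the ones quoted from System.map, and the model assumes 4-byte bins and that the sleep time is truncated to 32 bits before the bit scan.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_BINS 32

/* Addresses quoted from the System.map excerpt in the commit message. */
#define ADDR_SLEEP_TIME_BIN 0xffffffff81c9d080ULL
#define ADDR_DMA_SPIN_LOCK  0xffffffff81c9d100ULL

/* Userspace stand-in for fls(): 1-based position of the highest set bit,
 * 0 for an input of 0. */
int fls_model(uint32_t x)
{
    int pos = 0;

    while (x) {
        pos++;
        x >>= 1;
    }
    return pos;
}

/* Which element of an array of 4-byte bins starting at sleep_time_bin
 * lands on the first word of dma_spin_lock. */
int index_of_neighbour(void)
{
    return (int)((ADDR_DMA_SPIN_LOCK - ADDR_SLEEP_TIME_BIN) / sizeof(uint32_t));
}

/* Accounts one sleep interval. 'words' is a constructed memory image:
 * words[0..31] are the histogram bins, words[32] stands in for the word
 * that follows the array (dma_spin_lock.val in the report).
 * Assumption: the seconds value is truncated to 32 bits before the scan. */
int account_sleep(uint32_t *words, int64_t tv_sec, int capped)
{
    int bin = fls_model((uint32_t)tv_sec);

    if (capped && bin > NUM_BINS - 1)
        bin = NUM_BINS - 1;   /* the bound the patch introduces */
    words[bin]++;
    return bin;
}

/* Value of the neighbouring word after accounting a single interval. */
uint32_t neighbour_after(int64_t tv_sec, int capped)
{
    uint32_t words[NUM_BINS + 1];

    memset(words, 0, sizeof(words));
    account_sleep(words, tv_sec, capped);
    return words[NUM_BINS];
}

int main(void)
{
    int64_t bogus = 0x80000000LL;   /* constructed sleep time with bit 31 set */

    printf("element that aliases the neighbour: %d\n", index_of_neighbour());
    printf("fls of bogus sleep time:            %d\n", fls_model((uint32_t)bogus));
    printf("neighbour word, uncapped:           %u\n", (unsigned)neighbour_after(bogus, 0));
    printf("neighbour word, capped:             %u\n", (unsigned)neighbour_after(bogus, 1));
    return 0;
}
```
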

* [PATCH 3.16 194/346] tcp: fix use after free in tcp_xmit_retransmit_queue()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (152 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 223/346] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 008/346] PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset Ben Hutchings
                   ` (192 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Cong Wang, Eric Dumazet, Neal Cardwell,
	Marco Grassi, Ilpo Järvinen, Yuchung Cheng

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit bb1fceca22492109be12640d49f5ea5a544c6bb4 upstream.

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/tcp.h | 2 ++
 1 file changed, 2 insertions(+)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1413,6 +1413,8 @@ static inline void tcp_check_send_head(s
 {
 	if (sk->sk_send_head == skb_unlinked)
 		sk->sk_send_head = NULL;
+	if (tcp_sk(sk)->highest_sack == skb_unlinked)
+		tcp_sk(sk)->highest_sack = NULL;
 }
 
 static inline void tcp_init_send_head(struct sock *sk)
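
Review bot: tcp_check_send_head() now clears tp->highest_sack as well as sk->sk_send_head, so its name no longer describes what it does; a short comment above the two tests should say that the function drops every cached pointer to skb_unlinked. The change also makes NULL a reachable value for highest_sack after an unlink, and the commit message should name the readers that were checked to tolerate it.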

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 227/346] drm/msm: use mutex_lock_interruptible for submit ioctl
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 238/346] ipv6: add missing netconf notif when 'all' is updated Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 170/346] ARC: Call trace_hardirqs_on() before enabling irqs Ben Hutchings
                   ` (337 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Clark

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rob Clark <robdclark@gmail.com>

commit b5b4c264df4d270819676b290cef9a11d04c35f0 upstream.

Be kinder to things that do lots of signal handling (ie. Xorg)

Signed-off-by: Rob Clark <robdclark@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -339,12 +339,14 @@ int msm_ioctl_gem_submit(struct drm_devi
 	if (args->nr_cmds > MAX_CMDS)
 		return -EINVAL;
 
-	mutex_lock(&dev->struct_mutex);
+	ret = mutex_lock_interruptible(&dev->struct_mutex);
+	if (ret)
+		return ret;
 
 	submit = submit_create(dev, gpu, args->nr_bos);
 	if (!submit) {
 		ret = -ENOMEM;
-		goto out;
+		goto out_unlock;
 	}
 
 	ret = submit_lookup_objects(submit, args, file);
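
Review bot: the early return ret after mutex_lock_interruptible() changes what userspace sees from msm_ioctl_gem_submit(): a signal now makes the ioctl fail instead of blocking on struct_mutex, and the commit message should say that callers are expected to retry. The goto out_unlock on submit_create() failure is fine, but it makes the if (submit) test under out: in the next hunk worth re-checking, since the one path in this hunk that reached it with submit == NULL is gone.
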
@@ -422,6 +424,7 @@ int msm_ioctl_gem_submit(struct drm_devi
 out:
 	if (submit)
 		submit_cleanup(submit, !!ret);
+out_unlock:
 	mutex_unlock(&dev->struct_mutex);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 286/346] score: fix __get_user/get_user
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 065/346] cifs: Check for existing directory when opening file with O_CREAT Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 177/346] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Ben Hutchings
                   ` (250 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.

* should zero on any failure
* __get_user() should use __copy_from_user(), not copy_from_user()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/score/include/asm/uaccess.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -158,7 +158,7 @@ do {									\
 		__get_user_asm(val, "lw", ptr);				\
 		 break;							\
 	case 8: 							\
-		if ((copy_from_user((void *)&val, ptr, 8)) == 0)	\
+		if (__copy_from_user((void *)&val, ptr, 8) == 0)	\
 			__gu_err = 0;					\
 		else							\
 			__gu_err = -EFAULT;				\
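
Review bot: in the case 8 branch a failing __copy_from_user() sets __gu_err = -EFAULT, but nothing in this hunk clears val, so the "should zero on any failure" rule from the commit message holds for 8-byte reads only if __copy_from_user() zeroes the destination itself. Either add an explicit val = 0 in the else arm or note that dependency in the changelog.
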
@@ -183,6 +183,8 @@ do {									\
 									\
 	if (likely(access_ok(VERIFY_READ, __gu_ptr, size)))		\
 		__get_user_common((x), size, __gu_ptr);			\
+	else								\
+		(x) = 0;						\
 									\
 	__gu_err;							\
 })
@@ -196,6 +198,7 @@ do {									\
 		"2:\n"							\
 		".section .fixup,\"ax\"\n"				\
 		"3:li	%0, %4\n"					\
+		"li	%1, 0\n"					\
 		"j	2b\n"						\
 		".previous\n"						\
 		".section __ex_table,\"a\"\n"				\

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 165/346] USB: validate wMaxPacketValue entries in endpoint descriptors
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (304 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 128/346] ubi: Make volume resize power cut aware Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 261/346] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Ben Hutchings
                   ` (40 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, roswest, Greg Kroah-Hartman, Alan Stern

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit aed9d65ac3278d4febd8665bd7db59ef53e825fe upstream.

Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values.  This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.

This issue was first discovered and tests were conducted by Jake Lamberson
<jake.lamberson1@gmail.com>, an intern working for Rosie Hall.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: roswest <roswest@cisco.com>
Tested-by: roswest <roswest@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: drop the USB_SPEED_SUPER_PLUS case]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c | 66 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 63 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -142,6 +142,31 @@ static void usb_parse_ss_endpoint_compan
 	}
 }
 
+static const unsigned short low_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 8,
+	[USB_ENDPOINT_XFER_ISOC] = 0,
+	[USB_ENDPOINT_XFER_BULK] = 0,
+	[USB_ENDPOINT_XFER_INT] = 8,
+};
+static const unsigned short full_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 64,
+	[USB_ENDPOINT_XFER_ISOC] = 1023,
+	[USB_ENDPOINT_XFER_BULK] = 64,
+	[USB_ENDPOINT_XFER_INT] = 64,
+};
+static const unsigned short high_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 64,
+	[USB_ENDPOINT_XFER_ISOC] = 1024,
+	[USB_ENDPOINT_XFER_BULK] = 512,
+	[USB_ENDPOINT_XFER_INT] = 1023,
+};
+static const unsigned short super_speed_maxpacket_maxes[4] = {
+	[USB_ENDPOINT_XFER_CONTROL] = 512,
+	[USB_ENDPOINT_XFER_ISOC] = 1024,
+	[USB_ENDPOINT_XFER_BULK] = 1024,
+	[USB_ENDPOINT_XFER_INT] = 1024,
+};
+
 static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
     int asnum, struct usb_host_interface *ifp, int num_ep,
     unsigned char *buffer, int size)
@@ -150,6 +175,8 @@ static int usb_parse_endpoint(struct dev
 	struct usb_endpoint_descriptor *d;
 	struct usb_host_endpoint *endpoint;
 	int n, i, j, retval;
+	unsigned int maxp;
+	const unsigned short *maxpacket_maxes;
 
 	d = (struct usb_endpoint_descriptor *) buffer;
 	buffer += d->bLength;
@@ -256,6 +283,41 @@ static int usb_parse_endpoint(struct dev
 			endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
 	}
 
+	/* Validate the wMaxPacketSize field */
+	maxp = usb_endpoint_maxp(&endpoint->desc);
+
+	/* Find the highest legal maxpacket size for this endpoint */
+	i = 0;		/* additional transactions per microframe */
+	switch (to_usb_device(ddev)->speed) {
+	case USB_SPEED_LOW:
+		maxpacket_maxes = low_speed_maxpacket_maxes;
+		break;
+	case USB_SPEED_FULL:
+		maxpacket_maxes = full_speed_maxpacket_maxes;
+		break;
+	case USB_SPEED_HIGH:
+		/* Bits 12..11 are allowed only for HS periodic endpoints */
+		if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+			i = maxp & (BIT(12) | BIT(11));
+			maxp &= ~i;
+		}
+		/* fallthrough */
+	default:
+		maxpacket_maxes = high_speed_maxpacket_maxes;
+		break;
+	case USB_SPEED_SUPER:
+		maxpacket_maxes = super_speed_maxpacket_maxes;
+		break;
+	}
+	j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)];
+
+	if (maxp > j) {
+		dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n",
+		    cfgno, inum, asnum, d->bEndpointAddress, maxp, j);
+		maxp = j;
+		endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp);
+	}
+
 	/*
 	 * Some buggy high speed devices have bulk endpoints using
 	 * maxpacket sizes other than 512.  High speed HCDs may not
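
Review bot: the validation block reuses the loop counters i and j as the bits 12..11 mask and the per-type limit, which makes endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp) hard to read; dedicated names would cost two declarations. Smaller points in the same block: default: sits in the middle of the switch ahead of case USB_SPEED_SUPER, which works but reads as if SuperSpeed fell into it; the dev_warn() prints the unsigned maxp with %d; and the low-speed table caps isochronous and bulk endpoints at 0, which deserves a comment saying that is intentional.
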
@@ -263,9 +325,6 @@ static int usb_parse_endpoint(struct dev
 	 */
 	if (to_usb_device(ddev)->speed == USB_SPEED_HIGH
 			&& usb_endpoint_xfer_bulk(d)) {
-		unsigned maxp;
-
-		maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff;
 		if (maxp != 512)
 			dev_warn(ddev, "config %d interface %d altsetting %d "
 				"bulk endpoint 0x%X has invalid maxpacket %d\n",

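Review bot: with the local maxp and its & 0x07ff mask removed, the maxp != 512 test depends on the validation block added in the previous hunk having run first. That block already caps a high-speed bulk endpoint at 512 and warns, so this second warning can now only fire for values below 512, and an oversized endpoint is reported through the generic "invalid maxpacket" message instead. A comment here noting the dependency would keep the two checks from being reordered later.
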
^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 057/346] x86/quirks: Add early quirk to reset Apple AirPort card
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 205/346] iio: accel: kxsd9: Fix raw read return Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 075/346] ext4: short-cut orphan cleanup on error Ben Hutchings
                   ` (271 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denys Vlasenko, Peter Zijlstra, Brian Gerst,
	Michael Buesch, Lukas Wunner, Chris Milsted, Yinghai Lu,
	Linus Torvalds, H. Peter Anvin, Matthew Garrett,
	Rafał Miłecki, Thomas Gleixner, linux-pci, Ingo Molnar,
	linux-wireless, Borislav Petkov, Josh Poimboeuf, b43-dev,
	Matt Fleming, Konstantin Simanov, Andy Lutomirski,
	Andrew Worsley, Bryan Paradis, Chris Bainbridge, Bjorn Helgaas

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit abb2bafd295fe962bbadc329dbfb2146457283ac upstream.

The EFI firmware on Macs contains a full-fledged network stack for
downloading OS X images from osrecovery.apple.com. Unfortunately
on Macs introduced in 2011 and 2012, EFI brings up the Broadcom 4331
wireless card on every boot and leaves it enabled even after
ExitBootServices has been called. The card continues to assert its IRQ
line, causing spurious interrupts if the IRQ is shared. It also corrupts
memory by DMAing received packets, allowing for remote code execution
over the air. This only stops when a driver is loaded for the wireless
card, which may be never if the driver is not installed or blacklisted.

The issue seems to be constrained to the Broadcom 4331. Chris Milsted
has verified that the newer Broadcom 4360 built into the MacBookPro11,3
(2013/2014) does not exhibit this behaviour. The chances that Apple will
ever supply a firmware fix for the older machines appear to be zero.

The solution is to reset the card on boot by writing to a reset bit in
its mmio space. This must be done as an early quirk and not as a plain
vanilla PCI quirk to successfully combat memory corruption by DMAed
packets: Matthew Garrett found out in 2012 that the packets are written
to EfiBootServicesData memory (http://mjg59.dreamwidth.org/11235.html).
This type of memory is made available to the page allocator by
efi_free_boot_services(). Plain vanilla PCI quirks run much later, in
subsys initcall level. In-between a time window would be open for memory
corruption. Random crashes occurring in this time window and attributed
to DMAed packets have indeed been observed in the wild by Chris
Bainbridge.

When Matthew Garrett analyzed the memory corruption issue in 2012, he
sought to fix it with a grub quirk which transitions the card to D3hot:
http://git.savannah.gnu.org/cgit/grub.git/commit/?id=9d34bb85da56

This approach does not help users with other bootloaders and while it
may prevent DMAed packets, it does not cure the spurious interrupts
emanating from the card. Unfortunately the card's mmio space is
inaccessible in D3hot, so to reset it, we have to undo the effect of
Matthew's grub patch and transition the card back to D0.

Note that the quirk takes a few shortcuts to reduce the amount of code:
The size of BAR 0 and the location of the PM capability is identical
on all affected machines and therefore hardcoded. Only the address of
BAR 0 differs between models. Also, it is assumed that the BCMA core
currently mapped is the 802.11 core. The EFI driver seems to always take
care of this.

Michael Büsch, Bjorn Helgaas and Matt Fleming contributed feedback
towards finding the best solution to this problem.

The following should be a comprehensive list of affected models:
    iMac13,1        2012  21.5"       [Root Port 00:1c.3 = 8086:1e16]
    iMac13,2        2012  27"         [Root Port 00:1c.3 = 8086:1e16]
    Macmini5,1      2011  i5 2.3 GHz  [Root Port 00:1c.1 = 8086:1c12]
    Macmini5,2      2011  i5 2.5 GHz  [Root Port 00:1c.1 = 8086:1c12]
    Macmini5,3      2011  i7 2.0 GHz  [Root Port 00:1c.1 = 8086:1c12]
    Macmini6,1      2012  i5 2.5 GHz  [Root Port 00:1c.1 = 8086:1e12]
    Macmini6,2      2012  i7 2.3 GHz  [Root Port 00:1c.1 = 8086:1e12]
    MacBookPro8,1   2011  13"         [Root Port 00:1c.1 = 8086:1c12]
    MacBookPro8,2   2011  15"         [Root Port 00:1c.1 = 8086:1c12]
    MacBookPro8,3   2011  17"         [Root Port 00:1c.1 = 8086:1c12]
    MacBookPro9,1   2012  15"         [Root Port 00:1c.1 = 8086:1e12]
    MacBookPro9,2   2012  13"         [Root Port 00:1c.1 = 8086:1e12]
    MacBookPro10,1  2012  15"         [Root Port 00:1c.1 = 8086:1e12]
    MacBookPro10,2  2012  13"         [Root Port 00:1c.1 = 8086:1e12]

For posterity, spurious interrupts caused by the Broadcom 4331 wireless
card resulted in splats like this (stacktrace omitted):

    irq 17: nobody cared (try booting with the "irqpoll" option)
    handlers:
    [<ffffffff81374370>] pcie_isr
    [<ffffffffc0704550>] sdhci_irq [sdhci] threaded [<ffffffffc07013c0>] sdhci_thread_irq [sdhci]
    [<ffffffffc0a0b960>] azx_interrupt [snd_hda_codec]
    Disabling IRQ #17

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79301
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111781
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=728916
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=895951#c16
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1009819
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1098621
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1149632#c5
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1279130
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1332732
Tested-by: Konstantin Simanov <k.simanov@stlk.ru>        # [MacBookPro8,1]
Tested-by: Lukas Wunner <lukas@wunner.de>                # [MacBookPro9,1]
Tested-by: Bryan Paradis <bryan.paradis@gmail.com>       # [MacBookPro9,2]
Tested-by: Andrew Worsley <amworsley@gmail.com>          # [MacBookPro10,1]
Tested-by: Chris Bainbridge <chris.bainbridge@gmail.com> # [MacBookPro10,2]
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Rafał Miłecki <zajec5@gmail.com>
Acked-by: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Chris Milsted <cmilsted@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Michael Buesch <m@bues.ch>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: b43-dev@lists.infradead.org
Cc: linux-pci@vger.kernel.org
Cc: linux-wireless@vger.kernel.org
Link: http://lkml.kernel.org/r/48d0972ac82a53d460e5fce77a07b2560db95203.1465690253.git.lukas@wunner.de
[ Did minor readability edits. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/early-quirks.c | 64 ++++++++++++++++++++++++++++++++++++++++++
 drivers/bcma/bcma_private.h    |  2 --
 include/linux/bcma/bcma.h      |  1 +
 3 files changed, 65 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -11,7 +11,11 @@
 
 #include <linux/pci.h>
 #include <linux/acpi.h>
+#include <linux/delay.h>
+#include <linux/dmi.h>
 #include <linux/pci_ids.h>
+#include <linux/bcma/bcma.h>
+#include <linux/bcma/bcma_regs.h>
 #include <drm/i915_drm.h>
 #include <asm/pci-direct.h>
 #include <asm/dma.h>
@@ -21,6 +25,9 @@
 #include <asm/iommu.h>
 #include <asm/gart.h>
 #include <asm/irq_remapping.h>
+#include <asm/early_ioremap.h>
+
+#define dev_err(msg)  pr_err("pci 0000:%02x:%02x.%d: %s", bus, slot, func, msg)
 
 static void __init fix_hypertransport_config(int num, int slot, int func)
 {
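
Review bot: the new `dev_err(msg)` macro reuses the name of the kernel's standard device logging helper with a different signature, and it silently depends on locals named `bus`, `slot` and `func` being in scope at every call site. A file-specific name that takes the three values as arguments would avoid a clash if a header included here ever provides the real `dev_err`, and would make the call sites self-explanatory.
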
@@ -572,6 +579,61 @@ static void __init force_disable_hpet(in
 #endif
 }
 
+#define BCM4331_MMIO_SIZE	16384
+#define BCM4331_PM_CAP		0x40
+#define bcma_aread32(reg)	ioread32(mmio + 1 * BCMA_CORE_SIZE + reg)
+#define bcma_awrite32(reg, val)	iowrite32(val, mmio + 1 * BCMA_CORE_SIZE + reg)
+
+static void __init apple_airport_reset(int bus, int slot, int func)
+{
+	void __iomem *mmio;
+	u16 pmcsr;
+	u64 addr;
+	int i;
+
+	if (!dmi_match(DMI_SYS_VENDOR, "Apple Inc."))
+		return;
+
+	/* Card may have been put into PCI_D3hot by grub quirk */
+	pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+
+	if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+		pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+		write_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL, pmcsr);
+		mdelay(10);
+
+		pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+		if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+			dev_err("Cannot power up Apple AirPort card\n");
+			return;
+		}
+	}
+
+	addr  =      read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_0);
+	addr |= (u64)read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_1) << 32;
+	addr &= PCI_BASE_ADDRESS_MEM_MASK;
+
+	mmio = early_ioremap(addr, BCM4331_MMIO_SIZE);
+	if (!mmio) {
+		dev_err("Cannot iomap Apple AirPort card\n");
+		return;
+	}
+
+	pr_info("Resetting Apple AirPort card (left enabled by EFI)\n");
+
+	for (i = 0; bcma_aread32(BCMA_RESET_ST) && i < 30; i++)
+		udelay(10);
+
+	bcma_awrite32(BCMA_RESET_CTL, BCMA_RESET_CTL_RESET);
+	bcma_aread32(BCMA_RESET_CTL);
+	udelay(1);
+
+	bcma_awrite32(BCMA_RESET_CTL, 0);
+	bcma_aread32(BCMA_RESET_CTL);
+	udelay(10);
+
+	early_iounmap(mmio, BCM4331_MMIO_SIZE);
+}
 
 #define QFLAG_APPLY_ONCE 	0x1
 #define QFLAG_APPLIED		0x2
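
Review bot: `apple_airport_reset()` reads `PCI_BASE_ADDRESS_1` as the upper half of the address without checking that BAR 0 is a 64-bit memory BAR, and passes `addr` to `early_ioremap()` without checking that it is non-zero. The commit message documents the hardcoded BAR size and PM capability offset but not this assumption, so either test the BAR type bits before combining the two registers or state in a comment that all affected machines use a 64-bit BAR. The `BCMA_RESET_ST` poll also gives up after 30 iterations with no message and the reset is written regardless; a `dev_err()` on timeout would make a failed reset visible in the boot log. The `bcma_aread32` and `bcma_awrite32` macros should parenthesise `reg`.
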
@@ -610,6 +672,8 @@ static struct chipset early_qrk[] __init
 	 */
 	{ PCI_VENDOR_ID_INTEL, 0x0f00,
 		PCI_CLASS_BRIDGE_HOST, PCI_ANY_ID, 0, force_disable_hpet},
+	{ PCI_VENDOR_ID_BROADCOM, 0x4331,
+	  PCI_CLASS_NETWORK_OTHER, PCI_ANY_ID, 0, apple_airport_reset},
 	{}
 };
 
--- a/drivers/bcma/bcma_private.h
+++ b/drivers/bcma/bcma_private.h
@@ -8,8 +8,6 @@
 #include <linux/bcma/bcma.h>
 #include <linux/delay.h>
 
-#define BCMA_CORE_SIZE		0x1000
-
 #define bcma_err(bus, fmt, ...) \
 	pr_err("bus%d: " fmt, (bus)->num, ##__VA_ARGS__)
 #define bcma_warn(bus, fmt, ...) \
--- a/include/linux/bcma/bcma.h
+++ b/include/linux/bcma/bcma.h
@@ -153,6 +153,7 @@ struct bcma_host_ops {
 #define BCMA_CORE_DEFAULT		0xFFF
 
 #define BCMA_MAX_NR_CORES		16
+#define BCMA_CORE_SIZE			0x1000
 
 /* Chip IDs of PCIe devices */
 #define BCMA_CHIP_ID_BCM4313	0x4313

* [PATCH 3.16 174/346] usb: misc: usbtest: add fix for driver hang
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (103 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 049/346] ALSA: pcm: Free chmap at PCM free callback, too Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 171/346] arm: oabi compat: add missing access checks Ben Hutchings
                   ` (241 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman, Lu Baolu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lu Baolu <baolu.lu@linux.intel.com>

commit 539587511835ea12d8daa444cbed766cf2bc3612 upstream.

In sg_timeout(), req->status is set to "-ETIMEDOUT" before calling
into usb_sg_cancel(). usb_sg_cancel() will do nothing and return
directly if req->status has been set to a non-zero value. This will
cause a driver hang whenever a transfer timeout is triggered.

This patch fixes this issue. It could be backported to stable kernel
with version later than v3.15.

Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/usbtest.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -488,7 +488,6 @@ static void sg_timeout(unsigned long _re
 {
 	struct usb_sg_request	*req = (struct usb_sg_request *) _req;
 
-	req->status = -ETIMEDOUT;
 	usb_sg_cancel(req);
 }
 
@@ -519,8 +518,10 @@ static int perform_sglist(
 		mod_timer(&sg_timer, jiffies +
 				msecs_to_jiffies(SIMPLE_IO_TIMEOUT));
 		usb_sg_wait(req);
-		del_timer_sync(&sg_timer);
-		retval = req->status;
+		if (!del_timer_sync(&sg_timer))
+			retval = -ETIMEDOUT;
+		else
+			retval = req->status;
 
 		/* FIXME check resulting data pattern */
 
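
Review bot: in `perform_sglist()`, `if (!del_timer_sync(&sg_timer)) retval = -ETIMEDOUT;` treats any timer that has already fired as a timeout, so a request that completed on its own just as the timer expired has its real `req->status` replaced by `-ETIMEDOUT`. That is probably acceptable for a test driver, but a comment stating that a zero return from `del_timer_sync()` means `sg_timeout()` has already run would make the inference explicit.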

* [PATCH 3.16 247/346] iio: fix pressure data output unit in hid-sensor-attributes
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 023/346] serial: samsung: Fix possible out of bounds access on non-DT platform Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 006/346] netlabel: add address family checks to netlbl_{sock,req}_delattr() Ben Hutchings
                   ` (229 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Srinivas Pandruvada, Kweh, Hock Leong, Jonathan Cameron

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Kweh, Hock Leong" <hock.leong.kweh@intel.com>

commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.

According to IIO ABI definition, IIO_PRESSURE data output unit is
kilopascal:
http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio

This patch fixes the output unit of the HID pressure sensor IIO driver from
pascal to kilopascal to follow the IIO ABI definition.

Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
@@ -56,8 +56,8 @@ struct {
 	{HID_USAGE_SENSOR_ALS, 0, 1, 0},
 	{HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
 
-	{HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0},
-	{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
+	{HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
+	{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
 };
 
 static int pow_10(unsigned power)
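
Review bot: the new PASCAL row `{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000}` gives the pascal to kilopascal factor of 0.001 only if the last column is expressed in millionths, and nothing in the hunk says what unit that column uses. A comment on the table naming the integer and fractional columns and their units would let a reader verify both this row and the default row, whose scale drops from 100000 to 100 by the same factor of 1000.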

* [PATCH 3.16 218/346] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (171 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 290/346] sparc32: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 160/346] powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers Ben Hutchings
                   ` (173 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aleksandr Makarov, Johan Hovold

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>

commit 40d9c32525cba79130612650b1abc47c0c0f19a8 upstream.

These product IDs are listed in the Windows driver.
0x6803 corresponds to WeTelecom WM-D300.
0x6802 name is unknown.

Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -530,6 +530,8 @@ static void option_instat_callback(struc
 /* WeTelecom products */
 #define WETELECOM_VENDOR_ID			0x22de
 #define WETELECOM_PRODUCT_WMD200		0x6801
+#define WETELECOM_PRODUCT_6802			0x6802
+#define WETELECOM_PRODUCT_WMD300		0x6803
 
 /* some devices interfaces need special handling due to a number of reasons */
 enum option_blacklist_reason {
@@ -2007,6 +2009,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
 	{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
 	{ } /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, option_ids);
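
Review bot: the `WETELECOM_PRODUCT_6802` entry is matched with the same `0xff, 0xff, 0xff` interface triple as the WM-D200 and WM-D300, but the commit message says the product behind 0x6802 is unknown and that both IDs were taken from the Windows driver. A comment next to the define recording that source would help anyone who later has to blacklist an interface on that device.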

* [PATCH 3.16 164/346] crypto: caam - fix non-hmac hashes
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (167 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 228/346] drm/msm: fix use of copy_from_user() while holding spinlock Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 133/346] drm/nouveau/acpi: check for function 0x1B before using it Ben Hutchings
                   ` (177 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Russell King

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit a0118c8b2be9297aed8e915c60b4013326b256d4 upstream.

Since 6de62f15b581 ("crypto: algif_hash - Require setkey before
accept(2)"), the AF_ALG interface requires userspace to provide a key
to any algorithm that has a setkey method.  However, the non-HMAC
algorithms are not keyed, so setting a key is unnecessary.

Fix this by removing the setkey method from the non-keyed hash
algorithms.

Fixes: 6de62f15b581 ("crypto: algif_hash - Require setkey before accept(2)")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/caam/caamhash.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -1778,6 +1778,7 @@ caam_hash_alloc(struct caam_hash_templat
 			 template->name);
 		snprintf(alg->cra_driver_name, CRYPTO_MAX_ALG_NAME, "%s",
 			 template->driver_name);
+		t_alg->ahash_alg.setkey = NULL;
 	}
 	alg->cra_module = THIS_MODULE;
 	alg->cra_init = caam_hash_cra_init;
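
Review bot: `t_alg->ahash_alg.setkey = NULL;` is added without a comment, and from the hunk alone nothing says that this branch is the one for unkeyed hashes. One line explaining that AF_ALG demands a key for any algorithm with a setkey method, as the commit message does, would stop the assignment from later being removed as redundant.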

* [PATCH 3.16 110/346] tile: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (257 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 053/346] [media] ngene: properly handle __user ptr Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 250/346] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Ben Hutchings
                   ` (87 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Hogan, Chris Metcalf

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit cdf8b4633075f2171d440d2e37c9c2609019a81a upstream.

AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
for tile at all even though ARCH_DLINFO will contain one NEW_AUX_ENT for
the VDSO address.

This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
AT_BASE_PLATFORM which tile doesn't use, but let's define it now and add
the comment above ARCH_DLINFO as found in several other architectures to
remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
date.

Fixes: 4a556f4f56da ("tile: implement gettimeofday() via vDSO")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Chris Metcalf <cmetcalf@mellanox.com>
Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/tile/include/asm/elf.h         | 1 +
 arch/tile/include/uapi/asm/auxvec.h | 2 ++
 2 files changed, 3 insertions(+)

--- a/arch/tile/include/asm/elf.h
+++ b/arch/tile/include/asm/elf.h
@@ -131,6 +131,7 @@ extern int dump_task_regs(struct task_st
 struct linux_binprm;
 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
 				       int executable_stack);
+/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
 #define ARCH_DLINFO \
 do { \
 	NEW_AUX_ENT(AT_SYSINFO_EHDR, VDSO_BASE); \
--- a/arch/tile/include/uapi/asm/auxvec.h
+++ b/arch/tile/include/uapi/asm/auxvec.h
@@ -18,4 +18,6 @@
 /* The vDSO location. */
 #define AT_SYSINFO_EHDR         33
 
+#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
+
 #endif /* _ASM_TILE_AUXVEC_H */

* [PATCH 3.16 158/346] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 013/346] ARM: mvebu: fix HW I/O coherency related deadlocks Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 137/346] ALSA: hda - On-board speaker fixup on ACER Veriton Ben Hutchings
                   ` (224 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jani Nikula, Daniel Vetter, Mario Kleiner, Dave Airlie,
	Ville Syrjälä

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <mario.kleiner.de@gmail.com>

commit 196f954e250943df414efd3d632254c29be38e59 upstream.

This reverts commit 013dd9e03872
("drm/i915/dp: fall back to 18 bpp when sink capability is unknown")

This commit introduced a regression into stable kernels,
as it reduces output color depth to 6 bpc for any video
sink connected to a Displayport connector if that sink
doesn't report a specific color depth via EDID, or if
our EDID parser doesn't actually recognize the proper
bpc from EDID.

Affected are active DisplayPort->VGA converters and
active DisplayPort->DVI converters. Both should be
able to handle 8 bpc, but are degraded to 6 bpc with
this patch.

The reverted commit was meant to fix
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105331

A followup patch implements a fix for that specific bug,
which is caused by a faulty EDID of the affected DP panel
by adding a new EDID quirk for that panel.

DP 18 bpp fallback handling and other improvements to
DP sink bpc detection will be handled for future
kernels in a separate series of patches.

Please backport to stable.

Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Acked-by: Jani Nikula <jani.nikula@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_display.c | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)

--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -9475,21 +9475,11 @@ connected_sink_compute_bpp(struct intel_
 		pipe_config->pipe_bpp = connector->base.display_info.bpc*3;
 	}
 
-	/* Clamp bpp to default limit on screens without EDID 1.4 */
-	if (connector->base.display_info.bpc == 0) {
-		int type = connector->base.connector_type;
-		int clamp_bpp = 24;
-
-		/* Fall back to 18 bpp when DP sink capability is unknown. */
-		if (type == DRM_MODE_CONNECTOR_DisplayPort ||
-		    type == DRM_MODE_CONNECTOR_eDP)
-			clamp_bpp = 18;
-
-		if (bpp > clamp_bpp) {
-			DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of %d\n",
-				      bpp, clamp_bpp);
-			pipe_config->pipe_bpp = clamp_bpp;
-		}
+	/* Clamp bpp to 8 on screens without EDID 1.4 */
+	if (connector->base.display_info.bpc == 0 && bpp > 24) {
+		DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of 24\n",
+			      bpp);
+		pipe_config->pipe_bpp = 24;
 	}
 }
 
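
Review bot: the restored comment reads `/* Clamp bpp to 8 on screens without EDID 1.4 */`, but the code clamps `pipe_bpp` to 24 and the debug message says "default limit of 24". The 8 is bits per component (the line above computes `bpc*3`), so the comment should say 8 bpc or 24 bpp.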

* [PATCH 3.16 143/346] sysv, ipc: fix security-layer leaking
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 047/346] drm/radeon: Poll for both connect/disconnect on analog connectors Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 101/346] bpf, mips: fix off-by-one in ctx offset allocation Ben Hutchings
                   ` (259 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Fabian Frederick, Davidlohr Bueso, Manfred Spraul

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabian Frederick <fabf@skynet.be>

commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.

Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
to receive rcu freeing function but used generic ipc_rcu_free() instead
of msg_rcu_free() which does security cleaning.

Running LTP msgsnd06 with kmemleak gives the following:

  cat /sys/kernel/debug/kmemleak

  unreferenced object 0xffff88003c0a11f8 (size 8):
    comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
    hex dump (first 8 bytes):
      1b 00 00 00 01 00 00 00                          ........
    backtrace:
      kmemleak_alloc+0x23/0x40
      kmem_cache_alloc_trace+0xe1/0x180
      selinux_msg_queue_alloc_security+0x3f/0xd0
      security_msg_queue_alloc+0x2e/0x40
      newque+0x4e/0x150
      ipcget+0x159/0x1b0
      SyS_msgget+0x39/0x40
      entry_SYSCALL_64_fastpath+0x13/0x8f

Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
only use ipc_rcu_free in case of security allocation failure in newary()

Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 ipc/msg.c |  2 +-
 ipc/sem.c | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -678,7 +678,7 @@ long do_msgsnd(int msqid, long mtype, vo
 		rcu_read_lock();
 		ipc_lock_object(&msq->q_perm);
 
-		ipc_rcu_putref(msq, ipc_rcu_free);
+		ipc_rcu_putref(msq, msg_rcu_free);
 		/* raced with RMID? */
 		if (!ipc_valid_object(&msq->q_perm)) {
 			err = -EIDRM;
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -442,7 +442,7 @@ static inline struct sem_array *sem_obta
 static inline void sem_lock_and_putref(struct sem_array *sma)
 {
 	sem_lock(sma, NULL, -1);
-	ipc_rcu_putref(sma, ipc_rcu_free);
+	ipc_rcu_putref(sma, sem_rcu_free);
 }
 
 static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
@@ -1385,7 +1385,7 @@ static int semctl_main(struct ipc_namesp
 			rcu_read_unlock();
 			sem_io = ipc_alloc(sizeof(ushort)*nsems);
 			if (sem_io == NULL) {
-				ipc_rcu_putref(sma, ipc_rcu_free);
+				ipc_rcu_putref(sma, sem_rcu_free);
 				return -ENOMEM;
 			}
 
@@ -1419,20 +1419,20 @@ static int semctl_main(struct ipc_namesp
 		if (nsems > SEMMSL_FAST) {
 			sem_io = ipc_alloc(sizeof(ushort)*nsems);
 			if (sem_io == NULL) {
-				ipc_rcu_putref(sma, ipc_rcu_free);
+				ipc_rcu_putref(sma, sem_rcu_free);
 				return -ENOMEM;
 			}
 		}
 
 		if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
-			ipc_rcu_putref(sma, ipc_rcu_free);
+			ipc_rcu_putref(sma, sem_rcu_free);
 			err = -EFAULT;
 			goto out_free;
 		}
 
 		for (i = 0; i < nsems; i++) {
 			if (sem_io[i] > SEMVMX) {
-				ipc_rcu_putref(sma, ipc_rcu_free);
+				ipc_rcu_putref(sma, sem_rcu_free);
 				err = -ERANGE;
 				goto out_free;
 			}
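
Review bot: the release callback is spelled out at every `ipc_rcu_putref(sma, ...)` call site in this file, so each site has to pick the right one independently. A small helper that always passes `sem_rcu_free`, in the way `sem_lock_and_putref()` already wraps the call, would leave a single place to get right. The commit message also mentions keeping `ipc_rcu_free` for the security allocation failure in `newary()`; none of the hunks shown touches that function, so a sentence confirming it needs no change would help.
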
@@ -1722,7 +1722,7 @@ static struct sem_undo *find_alloc_undo(
 	/* step 2: allocate new undo structure */
 	new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
 	if (!new) {
-		ipc_rcu_putref(sma, ipc_rcu_free);
+		ipc_rcu_putref(sma, sem_rcu_free);
 		return ERR_PTR(-ENOMEM);
 	}
 

* [PATCH 3.16 233/346] NFSv4.x: Fix a refcount leak in nfs_callback_up_net
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 086/346] i2c: efm32: fix a failure path in efm32_i2c_probe() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 150/346] SUNRPC: allow for upcalls for same uid but different gss service Ben Hutchings
                   ` (183 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Trond Myklebust

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream.

On error, the callers expect us to return without bumping
nn->cb_users[].

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/callback.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -301,6 +301,7 @@ static int nfs_callback_up_net(int minor
 err_socks:
 	svc_rpcb_cleanup(serv, net);
 err_bind:
+	nn->cb_users[minorversion]--;
 	dprintk("NFS: Couldn't create callback socket: err = %d; "
 			"net = %p\n", ret, net);
 	return ret;
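
Review bot: the new `nn->cb_users[minorversion]--;` sits under `err_bind:`, so it runs for both the `err_socks` and `err_bind` paths, yet the matching increment is not visible in the hunk. If any jump to these labels can happen before the counter has been bumped, the decrement would underflow; a comment naming where the increment happens, or incrementing only on the success path, would make the pairing checkable.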

* [PATCH 3.16 243/346] IB/core: Fix use after free in send_leave function
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 100/346] MIPS: RM7000: Double locking bug in rm7k_tc_disable() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 284/346] ppc32: fix copy_from_user() Ben Hutchings
                   ` (98 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Erez Shitrit, Leon Romanovsky, Doug Ledford

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <erezsh@mellanox.com>

commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream.

The function send_leave sets the member: group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before the setting and it might delete the group object,
resulting in memory corruption.

Additionally, this patch gets rid of group->query_id variable which is
not used.

Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/multicast.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -106,7 +106,6 @@ struct mcast_group {
 	atomic_t		refcount;
 	enum mcast_group_state	state;
 	struct ib_sa_query	*query;
-	int			query_id;
 	u16			pkey_index;
 	u8			leave_state;
 	int			retries;
@@ -339,11 +338,7 @@ static int send_join(struct mcast_group
 				       member->multicast.comp_mask,
 				       3000, GFP_KERNEL, join_handler, group,
 				       &group->query);
-	if (ret >= 0) {
-		group->query_id = ret;
-		ret = 0;
-	}
-	return ret;
+	return (ret > 0) ? 0 : ret;
 }
 
 static int send_leave(struct mcast_group *group, u8 leave_state)
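Review bot: `return (ret > 0) ? 0 : ret;` in send_join is harder to read than it needs to be; `return ret < 0 ? ret : 0;` states the intent (negative is an error, anything else is success) directly and behaves the same. The commit message describes the race only for send_leave, so a sentence saying that send_join changes solely because group->query_id is removed from the struct would help a reader of the log.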
@@ -363,11 +358,7 @@ static int send_leave(struct mcast_group
 				       IB_SA_MCMEMBER_REC_JOIN_STATE,
 				       3000, GFP_KERNEL, leave_handler,
 				       group, &group->query);
-	if (ret >= 0) {
-		group->query_id = ret;
-		ret = 0;
-	}
-	return ret;
+	return (ret > 0) ? 0 : ret;
 }
 
 static void join_group(struct mcast_group *group, struct mcast_member *member,
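Review bot: in send_leave the store to group->query_id after the query call is gone, but the call still receives `&group->query` as an output pointer and `group` as the handler context. If leave_handler can run and delete the group before the call returns, as the commit message describes, any write through &group->query made after the request has been posted would land in the same freed object; that is not visible in this hunk and should be confirmed in the SA query code.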


* [PATCH 3.16 307/346] can: flexcan: fix resume function
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 070/346] ARM: 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is coherent Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 025/346] hp-wmi: Fix wifi cannot be hard-unblocked Ben Hutchings
                   ` (254 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Fabio Estevam, Marc Kleine-Budde

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Estevam <fabio.estevam@nxp.com>

commit 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 upstream.

On an imx6ul-pico board the following error is seen during system suspend:

dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110
PM: Device 2090000.flexcan failed to resume: error -110

The reason for this suspend error is because when the CAN interface is not
active the clocks are disabled and then flexcan_chip_enable() will
always fail due to a timeout error.

In order to fix this issue, only call flexcan_chip_enable/disable()
when the CAN interface is active.

Based on a patch from Dong Aisheng in the NXP kernel.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/flexcan.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -1248,11 +1248,10 @@ static int __maybe_unused flexcan_suspen
 	struct flexcan_priv *priv = netdev_priv(dev);
 	int err;
 
-	err = flexcan_chip_disable(priv);
-	if (err)
-		return err;
-
 	if (netif_running(dev)) {
+		err = flexcan_chip_disable(priv);
+		if (err)
+			return err;
 		netif_stop_queue(dev);
 		netif_device_detach(dev);
 	}
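Review bot: in flexcan_suspend `err` is now assigned only inside the `if (netif_running(dev))` block, so any use of it after the block would read an uninitialised value; the rest of the function is not visible here, so either initialise it (`int err = 0;`) or declare it inside the branch. Separately, the commit message says the error is seen during suspend while the quoted log lines report a resume failure.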
@@ -1265,13 +1264,17 @@ static int __maybe_unused flexcan_resume
 {
 	struct net_device *dev = dev_get_drvdata(device);
 	struct flexcan_priv *priv = netdev_priv(dev);
+	int err;
 
 	priv->can.state = CAN_STATE_ERROR_ACTIVE;
 	if (netif_running(dev)) {
 		netif_device_attach(dev);
 		netif_start_queue(dev);
+		err = flexcan_chip_enable(priv);
+		if (err)
+			return err;
 	}
-	return flexcan_chip_enable(priv);
+	return 0;
 }
 
 static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
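Review bot: in flexcan_resume the new error return comes after netif_device_attach() and netif_start_queue(), so when flexcan_chip_enable() fails the function reports an error with the device attached and its queue running on a controller that is not enabled. Calling flexcan_chip_enable() first, and attaching and starting the queue only on success, would avoid that. priv->can.state is also set to CAN_STATE_ERROR_ACTIVE before the outcome is known.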


* [PATCH 3.16 282/346] openrisc: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 046/346] drm/radeon: add a delay after ATPX dGPU power off Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 130/346] drm/nouveau/fbcon: fix font width not divisible by 8 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 102/346] libceph: set 'exists' flag for newly up osd Ben Hutchings
                   ` (343 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.

... that should zero on faults.  Also remove the <censored> helpful
logics wrt range truncation copied from ppc32.  Where it had ever
been needed only in case of copy_from_user() *and* had not been merged
into the mainline until a month after the need had disappeared.
A decade before openrisc went into mainline, I might add...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/openrisc/include/asm/uaccess.h | 35 +++++++++++------------------------
 1 file changed, 11 insertions(+), 24 deletions(-)

--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long n)
 {
-	unsigned long over;
+	unsigned long res = n;
 
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_tofrom_user(to, from, n);
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + n - TASK_SIZE;
-		return __copy_tofrom_user(to, from, n - over) + over;
-	}
-	return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		n = __copy_tofrom_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __copy_tofrom_user(to, from, n);
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + n - TASK_SIZE;
-		return __copy_tofrom_user(to, from, n - over) + over;
-	}
+	if (likely(access_ok(VERIFY_WRITE, to, n)))
+		n = __copy_tofrom_user(to, from, n);
 	return n;
 }
 
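Review bot: in the new copy_from_user() the result of __copy_tofrom_user() is stored in `n`, not `res`, so `res` keeps the requested length for the whole function. Two consequences follow from the lines shown: the function always returns the full length, which tells the caller that nothing was copied even when the copy succeeded, and `memset(to + (n - res), 0, res)` runs for every non-zero request with an offset of (uncopied minus requested), which is at or below `to`. On a fully successful copy n is 0 and the memset zeroes the `res` bytes immediately below the destination buffer. The assignment should read `res = __copy_tofrom_user(to, from, n);` so that `n - res` is the number of bytes copied and only the uncopied tail is cleared. copy_to_user() in the same hunk assigns to `n` and returns `n`, which is consistent.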
@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *
 static inline __must_check unsigned long
 clear_user(void *addr, unsigned long size)
 {
-
-	if (access_ok(VERIFY_WRITE, addr, size))
-		return __clear_user(addr, size);
-	if ((unsigned long)addr < TASK_SIZE) {
-		unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-		return __clear_user(addr, size - over) + over;
-	}
+	if (likely(access_ok(VERIFY_WRITE, addr, size)))
+		size = __clear_user(addr, size);
 	return size;
 }
 


* [PATCH 3.16 238/346] ipv6: add missing netconf notif when 'all' is updated
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 189/346] usb: xhci: Fix panic if disconnect Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 227/346] drm/msm: use mutex_lock_interruptible for submit ioctl Ben Hutchings
                   ` (338 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nicolas Dichtel, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

commit d26c638c16cb54f6fb1507e27df93ede692db572 upstream.

The 'default' value was not advertised.

Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/addrconf.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -723,7 +723,14 @@ static int addrconf_fixup_forwarding(str
 	}
 
 	if (p == &net->ipv6.devconf_all->forwarding) {
+		int old_dflt = net->ipv6.devconf_dflt->forwarding;
+
 		net->ipv6.devconf_dflt->forwarding = newf;
+		if ((!newf) ^ (!old_dflt))
+			inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING,
+						     NETCONFA_IFINDEX_DEFAULT,
+						     net->ipv6.devconf_dflt);
+
 		addrconf_forward_change(net, newf);
 		if ((!newf) ^ (!old))
 			inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING,
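Review bot: the new test `(!newf) ^ (!old_dflt)` fires only on a zero/non-zero transition of the default entry, the same rule the existing `(!newf) ^ (!old)` check applies to 'all', so a write to 'all' that moves devconf_dflt->forwarding between two non-zero values is still not advertised. If that is intended, say so in the commit message, which is currently one line and does not mention that writing 'all' also overwrites the default value.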


* [PATCH 3.16 160/346] powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (172 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 218/346] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 092/346] mtd: nand: fix bug writing 1 byte less than page size Ben Hutchings
                   ` (172 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Mackerras, Mahesh Salgaonkar, Shreyas B. Prabhu,
	Michael Ellerman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>

commit bc14c49195e49b3231c01e4c44e3e5456c940b94 upstream.

The current implementation of MCE early handling modifies CR0/1 registers
without saving its old values. Fix this by moving early check for
powersaving mode to machine_check_handle_early().

The power architecture 2.06 or later allows the possibility of getting
machine check while in nap/sleep/winkle. The last bit of HSPRG0 is set
to 1, if thread is woken up from winkle. Hence, clear the last bit of
HSPRG0 (r13) before MCE handler starts using it as paca pointer.

Also, the current code always puts the thread into nap state irrespective
of whatever idle state it woke up from. Fix that by looking at
paca->thread_idle_state and put the thread back into same state where it
came from.

Fixes: 1c51089f777b ("powerpc/book3s: Return from interrupt if coming from evil context.")
Reported-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Reviewed-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: drop inapplicable changes to idle entry]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/exceptions-64s.S | 69 +++++++++++++++++++++---------------
 1 file changed, 40 insertions(+), 29 deletions(-)

--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -153,29 +153,14 @@ machine_check_pSeries_1:
 	 */
 	HMT_MEDIUM_PPR_DISCARD
 	SET_SCRATCH0(r13)		/* save r13 */
-#ifdef CONFIG_PPC_P7_NAP
-BEGIN_FTR_SECTION
-	/* Running native on arch 2.06 or later, check if we are
-	 * waking up from nap. We only handle no state loss and
-	 * supervisor state loss. We do -not- handle hypervisor
-	 * state loss at this time.
-	 */
-	mfspr	r13,SPRN_SRR1
-	rlwinm.	r13,r13,47-31,30,31
-	OPT_GET_SPR(r13, SPRN_CFAR, CPU_FTR_CFAR)
-	beq	9f
-
-	mfspr	r13,SPRN_SRR1
-	rlwinm.	r13,r13,47-31,30,31
-	/* waking up from powersave (nap) state */
-	cmpwi	cr1,r13,2
-	/* Total loss of HV state is fatal. let's just stay stuck here */
-	OPT_GET_SPR(r13, SPRN_CFAR, CPU_FTR_CFAR)
-	bgt	cr1,.
-9:
-	OPT_SET_SPR(r13, SPRN_CFAR, CPU_FTR_CFAR)
-END_FTR_SECTION_IFSET(CPU_FTR_HVMODE | CPU_FTR_ARCH_206)
-#endif /* CONFIG_PPC_P7_NAP */
+	/*
+	 * Running native on arch 2.06 or later, we may wakeup from winkle
+	 * inside machine check. If yes, then last bit of HSPGR0 would be set
+	 * to 1. Hence clear it unconditionally.
+	 */
+	GET_PACA(r13)
+	clrrdi	r13,r13,1
+	SET_PACA(r13)
 	EXCEPTION_PROLOG_0(PACA_EXMC)
 BEGIN_FTR_SECTION
 	b	machine_check_pSeries_early
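Review bot: the new comment spells the register HSPGR0 while the commit message calls it HSPRG0; please fix the comment. The GET_PACA/clrrdi/SET_PACA sequence now runs on every machine check, not only under CONFIG_PPC_P7_NAP and the CPU_FTR_HVMODE | CPU_FTR_ARCH_206 feature section that guarded the removed block, so the comment should also state why clearing the low bit is harmless when the thread was not woken from winkle.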
@@ -1418,17 +1403,17 @@ machine_check_handle_early:
 	 * Check if thread was in power saving mode. We come here when any
 	 * of the following is true:
 	 * a. thread wasn't in power saving mode
-	 * b. thread was in power saving mode with no state loss or
-	 *    supervisor state loss
+	 * b. thread was in power saving mode with no state loss,
+	 *    supervisor state loss or hypervisor state loss.
 	 *
-	 * Go back to nap again if (b) is true.
+	 * Go back to nap/sleep/winkle mode again if (b) is true.
 	 */
 	rlwinm.	r11,r12,47-31,30,31	/* Was it in power saving mode? */
 	beq	4f			/* No, it wasn;t */
 	/* Thread was in power saving mode. Go back to nap again. */
 	cmpwi	r11,2
-	bne	3f
-	/* Supervisor state loss */
+	blt	3f
+	/* Supervisor/Hypervisor state loss */
 	li	r0,1
 	stb	r0,PACA_NAPSTATELOST(r13)
 3:	bl	machine_check_queue_event
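Review bot: with `bne 3f` changed to `blt 3f`, PACA_NAPSTATELOST is now set for both supervisor and hypervisor state loss, but the line comment above `cmpwi r11,2` still says "Go back to nap again" while the block comment was updated to nap/sleep/winkle. The commit message also promises to return the thread to the state recorded in paca->thread_idle_state; nothing in the visible hunks does that, and the backport note says the idle entry changes were dropped, so the message should say which part of the description does not apply to 3.16.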


* [PATCH 3.16 210/346] Input: tegra-kbc - fix inverted reset logic
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 115/346] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 221/346] ARM: kirkwood: ib62x0: fix size of u-boot environment partition Ben Hutchings
                   ` (212 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Laxman Dewangan, Dmitry Torokhov, Thierry Reding, Masahiro Yamada

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>

commit fae16989be77b09bab86c79233e4b511ea769cea upstream.

Commit fe6b0dfaba68 ("Input: tegra-kbc - use reset framework")
accidentally converted _deassert to _assert, so there is no code
to wake up this hardware.

Fixes: fe6b0dfaba68 ("Input: tegra-kbc - use reset framework")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Acked-by: Laxman Dewangan <ldewangan@nvidia.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/keyboard/tegra-kbc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/keyboard/tegra-kbc.c
+++ b/drivers/input/keyboard/tegra-kbc.c
@@ -376,7 +376,7 @@ static int tegra_kbc_start(struct tegra_
 	/* Reset the KBC controller to clear all previous status.*/
 	reset_control_assert(kbc->rst);
 	udelay(100);
-	reset_control_assert(kbc->rst);
+	reset_control_deassert(kbc->rst);
 	udelay(100);
 
 	tegra_kbc_config_pins(kbc);
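Review bot: the return values of reset_control_assert() and reset_control_deassert() are both ignored in tegra_kbc_start(). Checking the deassert result and failing the start on error would make a controller that is left in reset visible to the caller. The comment above the sequence could also say that the second call releases the reset, since the two lines differ by only two characters.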


* [PATCH 3.16 131/346] drm/nouveau/acpi: ensure matching ACPI handle and supported functions
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (142 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 236/346] ALSA: fireworks: accessing to user space outside spinlock Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 260/346] kvm-arm: Unmap shadow pagetables properly Ben Hutchings
                   ` (202 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Ben Skeggs, Peter Wu, Dave

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Wu <peter@lekensteyn.nl>

commit df42194a9ac2678bf086c2c5372e125e742b0ee7 upstream.

Ensure that the returned set of supported DSM functions (MUX, Optimus)
match the ACPI handle that is set in nouveau_dsm_pci_probe.

As there are no machines with a MUX function on just one PCI device and
an Optimus on another, there should not be a functional impact. This
change however makes this implicit assumption more obvious.

Convert int to bool and rename has_dsm to has_mux while at it. Let the
caller set nouveau_dsm_priv.dhandle as needed.

 v2: pass dhandle to the caller.

Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Acked-by: Dave Airlie <airlied@redhat.com
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_acpi.c | 58 +++++++++++++++-------------------
 1 file changed, 26 insertions(+), 32 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
+++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
@@ -58,9 +58,6 @@ bool nouveau_is_v1_dsm(void) {
 	return nouveau_dsm_priv.dsm_detected;
 }
 
-#define NOUVEAU_DSM_HAS_MUX 0x1
-#define NOUVEAU_DSM_HAS_OPT 0x2
-
 #ifdef CONFIG_VGA_SWITCHEROO
 static const char nouveau_dsm_muid[] = {
 	0xA0, 0xA0, 0x95, 0x9D, 0x60, 0x00, 0x48, 0x4D,
@@ -213,27 +210,34 @@ static struct vga_switcheroo_handler nou
 	.get_client_id = nouveau_dsm_get_client_id,
 };
 
-static int nouveau_dsm_pci_probe(struct pci_dev *pdev)
+static void nouveau_dsm_pci_probe(struct pci_dev *pdev, acpi_handle *dhandle_out,
+				  bool *has_mux, bool *has_opt)
 {
 	acpi_handle dhandle;
-	int retval = 0;
+	bool supports_mux;
+	bool supports_opt;
 
 	dhandle = ACPI_HANDLE(&pdev->dev);
 	if (!dhandle)
-		return false;
+		return;
 
 	if (!acpi_has_method(dhandle, "_DSM")) {
 		nouveau_dsm_priv.other_handle = dhandle;
-		return false;
+		return;
 	}
-	if (acpi_check_dsm(dhandle, nouveau_dsm_muid, 0x00000102,
-			   1 << NOUVEAU_DSM_POWER))
-		retval |= NOUVEAU_DSM_HAS_MUX;
+	supports_mux = acpi_check_dsm(dhandle, nouveau_dsm_muid, 0x00000102,
+				      1 << NOUVEAU_DSM_POWER);
+	supports_opt = nouveau_check_optimus_dsm(dhandle);
+
+	/* Does not look like a Nvidia device. */
+	if (!supports_mux && !supports_opt)
+		return;
 
-	if (nouveau_check_optimus_dsm(dhandle))
-		retval |= NOUVEAU_DSM_HAS_OPT;
+	*dhandle_out = dhandle;
+	*has_mux = supports_mux;
+	*has_opt = supports_opt;
 
-	if (retval & NOUVEAU_DSM_HAS_OPT) {
+	if (supports_opt) {
 		uint32_t result;
 		nouveau_optimus_dsm(dhandle, NOUVEAU_DSM_OPTIMUS_CAPS, 0,
 				    &result);
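Review bot: nouveau_dsm_pci_probe() now reports its results only through dhandle_out, has_mux and has_opt, and leaves all three untouched on the early returns, so it depends on the caller having initialised them; a short comment above the function stating that contract is missing. nouveau_dsm_priv.other_handle is still written directly inside the function while dhandle is handed back to the caller, so the function now has two different ways of reporting a handle.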
@@ -242,10 +246,6 @@ static int nouveau_dsm_pci_probe(struct
 			 (result & OPTIMUS_DYNAMIC_PWR_CAP) ? "dynamic power, " : "",
 			 (result & OPTIMUS_HDA_CODEC_MASK) ? "hda bios codec supported" : "");
 	}
-	if (retval)
-		nouveau_dsm_priv.dhandle = dhandle;
-
-	return retval;
 }
 
 static bool nouveau_dsm_detect(void)
@@ -253,11 +253,11 @@ static bool nouveau_dsm_detect(void)
 	char acpi_method_name[255] = { 0 };
 	struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
 	struct pci_dev *pdev = NULL;
-	int has_dsm = 0;
-	int has_optimus = 0;
+	acpi_handle dhandle = NULL;
+	bool has_mux = false;
+	bool has_optimus = false;
 	int vga_count = 0;
 	bool guid_valid;
-	int retval;
 	bool ret = false;
 
 	/* lookup the MXM GUID */
@@ -270,32 +270,26 @@ static bool nouveau_dsm_detect(void)
 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
 		vga_count++;
 
-		retval = nouveau_dsm_pci_probe(pdev);
-		if (retval & NOUVEAU_DSM_HAS_MUX)
-			has_dsm |= 1;
-		if (retval & NOUVEAU_DSM_HAS_OPT)
-			has_optimus = 1;
+		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
 	}
 
 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_3D << 8, pdev)) != NULL) {
 		vga_count++;
 
-		retval = nouveau_dsm_pci_probe(pdev);
-		if (retval & NOUVEAU_DSM_HAS_MUX)
-			has_dsm |= 1;
-		if (retval & NOUVEAU_DSM_HAS_OPT)
-			has_optimus = 1;
+		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
 	}
 
 	/* find the optimus DSM or the old v1 DSM */
-	if (has_optimus == 1) {
+	if (has_optimus) {
+		nouveau_dsm_priv.dhandle = dhandle;
 		acpi_get_name(nouveau_dsm_priv.dhandle, ACPI_FULL_PATHNAME,
 			&buffer);
 		printk(KERN_INFO "VGA switcheroo: detected Optimus DSM method %s handle\n",
 			acpi_method_name);
 		nouveau_dsm_priv.optimus_detected = true;
 		ret = true;
-	} else if (vga_count == 2 && has_dsm && guid_valid) {
+	} else if (vga_count == 2 && has_mux && guid_valid) {
+		nouveau_dsm_priv.dhandle = dhandle;
 		acpi_get_name(nouveau_dsm_priv.dhandle, ACPI_FULL_PATHNAME,
 			&buffer);
 		printk(KERN_INFO "VGA switcheroo: detected DSM switching method %s handle\n",
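Review bot: the old loops accumulated has_dsm and has_optimus across devices, whereas both loops now pass the same three variables to every call, so the values that reach the `if (has_optimus)` / `else if (vga_count == 2 && has_mux && guid_valid)` decision are those of the last device that reported either function. That is what keeps the handle and the flags matched, but it also means that a MUX seen on an earlier device is forgotten if a later device reports Optimus only. The commit message argues that no such machines exist; a comment at the loops saying that the last match wins would record that assumption in the code.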


* [PATCH 3.16 136/346] ext4: validate that metadata blocks do not overlap superblock
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (211 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 202/346] staging: comedi: daqboard2000: bug fix board type matching code Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 071/346] KVM: nVMX: fix lifetime issues for vmcs02 Ben Hutchings
                   ` (133 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream.

A number of fuzzing failures seem to be caused by allocation bitmaps
or other metadata blocks being pointed at the superblock.

This can cause kernel BUG or WARNings once the superblock is
overwritten, so validate the group descriptor blocks to make sure this
doesn't happen.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2077,6 +2077,7 @@ void ext4_group_desc_csum_set(struct sup
 
 /* Called at mount-time, super-block is locked */
 static int ext4_check_descriptors(struct super_block *sb,
+				  ext4_fsblk_t sb_block,
 				  ext4_group_t *first_not_zeroed)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
@@ -2107,6 +2108,11 @@ static int ext4_check_descriptors(struct
 			grp = i;
 
 		block_bitmap = ext4_block_bitmap(sb, gdp);
+		if (block_bitmap == sb_block) {
+			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+				 "Block bitmap for group %u overlaps "
+				 "superblock", i);
+		}
 		if (block_bitmap < first_block || block_bitmap > last_block) {
 			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
 			       "Block bitmap for group %u not in group "
@@ -2114,6 +2120,11 @@ static int ext4_check_descriptors(struct
 			return 0;
 		}
 		inode_bitmap = ext4_inode_bitmap(sb, gdp);
+		if (inode_bitmap == sb_block) {
+			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+				 "Inode bitmap for group %u overlaps "
+				 "superblock", i);
+		}
 		if (inode_bitmap < first_block || inode_bitmap > last_block) {
 			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
 			       "Inode bitmap for group %u not in group "
@@ -2121,6 +2132,11 @@ static int ext4_check_descriptors(struct
 			return 0;
 		}
 		inode_table = ext4_inode_table(sb, gdp);
+		if (inode_table == sb_block) {
+			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+				 "Inode table for group %u overlaps "
+				 "superblock", i);
+		}
 		if (inode_table < first_block ||
 		    inode_table + sbi->s_itb_per_group - 1 > last_block) {
 			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
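Review bot: `inode_table == sb_block` tests only the first block of the inode table, while the range check directly below uses `inode_table + sbi->s_itb_per_group - 1` as the table's last block. A table that starts below sb_block and extends over it is not caught. The comparison should cover the whole span, for example `sb_block >= inode_table && sb_block <= inode_table + sbi->s_itb_per_group - 1`.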
@@ -3902,7 +3918,7 @@ static int ext4_fill_super(struct super_
 			goto failed_mount2;
 		}
 	}
-	if (!ext4_check_descriptors(sb, &first_not_zeroed)) {
+	if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
 		ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
 		goto failed_mount2;
 	}
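Review bot: the `!ext4_check_descriptors(...)` test here fails the mount only when the function returns 0, but the three overlap branches added in the earlier hunks call ext4_msg() and then fall through; unlike the range checks that follow each of them, they have no `return 0;`. A descriptor whose block bitmap, inode bitmap or inode table points at the superblock is therefore logged and still accepted as long as it lies inside its group. If the intent is to refuse such a filesystem, as "validate" in the commit message suggests, each new branch needs its own `return 0;`.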


* [PATCH 3.16 217/346] x86/apic: Do not init irq remapping if ioapic is disabled
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 162/346] netfilter: nfnetlink_queue: reject verdict request from different portid Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 331/346] KEYS: Fix short sprintf buffer in /proc/keys show function Ben Hutchings
                   ` (308 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wanpeng Li, Peter Zijlstra, Joerg Roedel, Thomas Gleixner

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpeng.li@hotmail.com>

commit 2e63ad4bd5dd583871e6602f9d398b9322d358d9 upstream.

native_smp_prepare_cpus
  -> default_setup_apic_routing
    -> enable_IR_x2apic
      -> irq_remapping_prepare
        -> intel_prepare_irq_remapping
          -> intel_setup_irq_remapping

So IR table is setup even if "noapic" boot parameter is added. As a result we
crash later when the interrupt affinity is set due to a half initialized
remapping infrastructure.

Prevent remap initialization when IOAPIC is disabled.

Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Joerg Roedel <joro@8bytes.org>
Link: http://lkml.kernel.org/r/1471954039-3942-1-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/apic/apic.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1615,6 +1615,9 @@ void __init enable_IR_x2apic(void)
 	int ret, x2apic_enabled = 0;
 	int hardware_init_ret;
 
+	if (skip_ioapic_setup)
+		return;
+
 	/* Make sure irq_remap_ops are initialized */
 	setup_irq_remapping_ops();
 
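Review bot: the early `return` on skip_ioapic_setup is placed before setup_irq_remapping_ops(), so with "noapic" the remapping ops are never initialised in this function; please confirm that nothing later expects them to be set. The check also carries no comment. One line explaining that a half initialised remapping setup crashes when interrupt affinity is set, which is the reason given in the commit message, would keep it from being moved or removed later.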


* [PATCH 3.16 285/346] s390: get_user() should zero on failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 081/346] crypto: scatterwalk - Fix test in scatterwalk_done Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 322/346] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Ben Hutchings
                   ` (187 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/uaccess.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -213,28 +213,28 @@ int __put_user_bad(void) __attribute__((
 	__chk_user_ptr(ptr);					\
 	switch (sizeof(*(ptr))) {				\
 	case 1: {						\
-		unsigned char __x;				\
+		unsigned char __x = 0;				\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 2: {						\
-		unsigned short __x;				\
+		unsigned short __x = 0;				\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 4: {						\
-		unsigned int __x;				\
+		unsigned int __x = 0;				\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 8: {						\
-		unsigned long long __x;				\
+		unsigned long long __x = 0;			\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
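Review bot: the commit message has no body, so the reason for the four `__x = 0` initialisers exists only in the subject line. Please state that on a fault __get_user_fn() may leave __x unwritten and that the following `(x) = *(__force __typeof__(*(ptr)) *) &__x;` then hands uninitialised stack contents to the caller. The initialiser guarantees zero only if __get_user_fn() writes nothing on failure; a partial write would still reach (x), and the message should say whether that can happen.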


* [PATCH 3.16 325/346] ARM: 8617/1: dma: fix dma_max_pfn()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (235 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 122/346] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 209/346] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() Ben Hutchings
                   ` (109 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Olof Johansson, Roger Quadros,
	Grygorii Strashko, Russell King, Linus Walleij, Catalin Marinas,
	Santosh Shilimkar, Greg Kroah-Hartman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roger Quadros <rogerq@ti.com>

commit d248220f0465b818887baa9829e691fe662b2c5e upstream.

Since commit 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation"),
dma_to_pfn() already returns the PFN with the physical memory start offset
so we don't need to add it again.

This fixes USB mass storage lock-up problem on systems that can't do DMA
over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM
can only do DMA over the first 2GB. [K2E-EVM].

What happens there is that without this patch SCSI layer sets a wrong
bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass
storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit
is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2
is 0x87fffffff. This results in non DMA'ble pages being given to the
USB controller and hence the lock-up.

NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0.
This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000
and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be
0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because
USB devices are not correctly inheriting the dma_pfn_offset from the
USB host controller. This will be fixed by a separate patch.

Fixes: 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation")
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Olof Johansson <olof@lixom.net>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/dma-mapping.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/include/asm/dma-mapping.h
+++ b/arch/arm/include/asm/dma-mapping.h
@@ -117,7 +117,7 @@ static inline dma_addr_t virt_to_dma(str
 /* The ARM override for dma_max_pfn() */
 static inline unsigned long dma_max_pfn(struct device *dev)
 {
-	return PHYS_PFN_OFFSET + dma_to_pfn(dev, *dev->dma_mask);
+	return dma_to_pfn(dev, *dev->dma_mask);
 }
 #define dma_max_pfn(dev) dma_max_pfn(dev)
 
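Review bot: the comment above dma_max_pfn() still reads only "The ARM override for dma_max_pfn()", so nothing tells the next reader that dma_to_pfn() already includes the physical memory start offset. Extending that comment to say so would keep PHYS_PFN_OFFSET from being added back. The function also dereferences dev->dma_mask unconditionally; that is unchanged here, but callers that can pass a device without a mask are worth a look while this line is being touched.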


* [PATCH 3.16 155/346] USB: serial: fix memleak in driver-registration error path
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Alexey Klimov, Alan Stern

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Klimov <klimov.linux@gmail.com>

commit 647024a7df36014bbc4479d92d88e6b77c0afcf6 upstream.

udriver struct allocated by kzalloc() will not be freed
if usb_register() and next calls fail. This patch fixes this
by adding one more step with kfree(udriver) in error path.

Signed-off-by: Alexey Klimov <klimov.linux@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/usb-serial.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -1416,7 +1416,7 @@ int usb_serial_register_drivers(struct u
 
 	rc = usb_register(udriver);
 	if (rc)
-		return rc;
+		goto failed_usb_register;
 
 	for (sd = serial_drivers; *sd; ++sd) {
 		(*sd)->usb_driver = udriver;
@@ -1434,6 +1434,8 @@ int usb_serial_register_drivers(struct u
 	while (sd-- > serial_drivers)
 		usb_serial_deregister(*sd);
 	usb_deregister(udriver);
+failed_usb_register:
+	kfree(udriver);
 	return rc;
 }
 EXPORT_SYMBOL_GPL(usb_serial_register_drivers);
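
Review bot: in the unwind path, kfree(udriver) now runs after the loop in the first hunk has stored udriver in (*sd)->usb_driver, so every serial driver touched by that loop is left holding a pointer to freed memory once this function returns an error. Clearing (*sd)->usb_driver in the deregistration loop, or just before the kfree(), would keep a later caller from following it. The fall-through from usb_deregister(udriver) into failed_usb_register is correct for both failure cases.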


* [PATCH 3.16 300/346] IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Vesker, Leon Romanovsky, Doug Ledford

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit e5ac40cd66c2f3cd11bc5edc658f012661b16347 upstream.

Because of an incorrect bit-masking done on the join state bits, when
handling a join request we failed to detect a difference between the
group join state and the request join state when joining as send only
full member (0x8). This caused the MC join request not to be sent.
This issue is relevant only when SRIOV is enabled and SM supports
send only full member.

This fix separates scope bits and join states bits a nibble each.

Fixes: b9c5d6a64358 ('IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV')
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/mcg.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/infiniband/hw/mlx4/mcg.c
+++ b/drivers/infiniband/hw/mlx4/mcg.c
@@ -485,7 +485,7 @@ static u8 get_leave_state(struct mcast_g
 		if (!group->members[i])
 			leave_state |= (1 << i);
 
-	return leave_state & (group->rec.scope_join_state & 7);
+	return leave_state & (group->rec.scope_join_state & 0xf);
 }
 
 static int join_group(struct mcast_group *group, int slave, u8 join_mask)
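
Review bot: in get_leave_state(), widening the mask to 0xf only has an effect if leave_state can carry bit 3, and leave_state is built from (1 << i) over group->members[i]. The loop bound is outside this hunk; if it still stops after three states, the send only full member bit (0x8) is never reported as a leave state and members[] has no slot for it. Please confirm the loop and the members[] array were meant to stay as they are.
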
@@ -560,8 +560,8 @@ static void mlx4_ib_mcg_timeout_handler(
 		} else
 			mcg_warn_group(group, "DRIVER BUG\n");
 	} else if (group->state == MCAST_LEAVE_SENT) {
-		if (group->rec.scope_join_state & 7)
-			group->rec.scope_join_state &= 0xf8;
+		if (group->rec.scope_join_state & 0xf)
+			group->rec.scope_join_state &= 0xf0;
 		group->state = MCAST_IDLE;
 		mutex_unlock(&group->lock);
 		if (release_group(group, 1))
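
Review bot: in the MCAST_LEAVE_SENT branch the test on (scope_join_state & 0xf) before "&= 0xf0" is redundant, since the mask can be applied unconditionally with the same result. The patch also spells the join-state nibble as a bare 0xf in six places and its complement as 0xf0 here; named masks for the scope and join-state nibbles would make the split the commit message describes visible in the code and guard against a repeat of the 7 versus 0xf mismatch.
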
@@ -601,7 +601,7 @@ static int handle_leave_req(struct mcast
 static int handle_join_req(struct mcast_group *group, u8 join_mask,
 			   struct mcast_req *req)
 {
-	u8 group_join_state = group->rec.scope_join_state & 7;
+	u8 group_join_state = group->rec.scope_join_state & 0xf;
 	int ref = 0;
 	u16 status;
 	struct ib_sa_mcmember_data *sa_data = (struct ib_sa_mcmember_data *)req->sa_mad.data;
@@ -686,8 +686,8 @@ static void mlx4_ib_mcg_work_handler(str
 			u8 cur_join_state;
 
 			resp_join_state = ((struct ib_sa_mcmember_data *)
-						group->response_sa_mad.data)->scope_join_state & 7;
-			cur_join_state = group->rec.scope_join_state & 7;
+						group->response_sa_mad.data)->scope_join_state & 0xf;
+			cur_join_state = group->rec.scope_join_state & 0xf;
 
 			if (method == IB_MGMT_METHOD_GET_RESP) {
 				/* successfull join */
@@ -706,7 +706,7 @@ process_requests:
 		req = list_first_entry(&group->pending_list, struct mcast_req,
 				       group_list);
 		sa_data = (struct ib_sa_mcmember_data *)req->sa_mad.data;
-		req_join_state = sa_data->scope_join_state & 0x7;
+		req_join_state = sa_data->scope_join_state & 0xf;
 
 		/* For a leave request, we will immediately answer the VF, and
 		 * update our internal counters. The actual leave will be sent


* [PATCH 3.16 163/346] powerpc/book3s: Fix MCE console messages for unrecoverable MCE.
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mahesh Salgaonkar, Michael Ellerman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>

commit c74dd88e77d3ecbc9e55c78796d82c9aa21cabad upstream.

When machine check occurs with MSR(RI=0), it means MC interrupt is
unrecoverable and kernel goes down to panic path. But the console
message still shows it as recovered. This patch fixes the MCE console
messages.

Fixes: 36df96f8acaf ("powerpc/book3s: Decode and save machine check event.")
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/mce.c             | 3 ++-
 arch/powerpc/platforms/powernv/opal.c | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/mce.c
+++ b/arch/powerpc/kernel/mce.c
@@ -92,7 +92,8 @@ void save_mce_event(struct pt_regs *regs
 	mce->in_use = 1;
 
 	mce->initiator = MCE_INITIATOR_CPU;
-	if (handled)
+	/* Mark it recovered if we have handled it and MSR(RI=1). */
+	if (handled && (regs->msr & MSR_RI))
 		mce->disposition = MCE_DISPOSITION_RECOVERED;
 	else
 		mce->disposition = MCE_DISPOSITION_NOT_RECOVERED;
--- a/arch/powerpc/platforms/powernv/opal.c
+++ b/arch/powerpc/platforms/powernv/opal.c
@@ -459,6 +459,7 @@ static int opal_recover_mce(struct pt_re
 
 	if (!(regs->msr & MSR_RI)) {
 		/* If MSR_RI isn't set, we cannot recover */
+		pr_err("Machine check interrupt unrecoverable: MSR(RI=0)\n");
 		recovered = 0;
 	} else if (evt->disposition == MCE_DISPOSITION_RECOVERED) {
 		/* Platform corrected itself */
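
Review bot: the MSR_RI test in opal_recover_mce() now encodes the same rule as the condition added to save_mce_event() in the first hunk, where a handled event with MSR_RI clear is stored as MCE_DISPOSITION_NOT_RECOVERED. Two copies of one condition in mce.c and opal.c can drift apart; a one-line comment at each site pointing at the other, or a small helper, would help. The new pr_err() text carries no CPU or address, so it is worth checking that the event print accompanying it identifies which machine check it refers to.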


* [PATCH 3.16 240/346] kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, William Preston, Andreas Schwab, Linus Torvalds,
	Michal Hocko, Oleg Nesterov, Roland McGrath

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit 735f2770a770156100f534646158cb58cb8b2939 upstream.

Commit fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal
exit") has caused a subtle regression in nscd which uses
CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the
shared databases, so that the clients are notified when nscd is
restarted.  Now, when nscd uses a non-persistent database, clients that
have it mapped keep thinking the database is being updated by nscd, when
in fact nscd has created a new (anonymous) one (for non-persistent
databases it uses an unlinked file as backend).

The original proposal for the CLONE_CHILD_CLEARTID change claimed
(https://lkml.org/lkml/2006/10/25/233):

: The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls
: on behalf of pthread_create() library calls.  This feature is used to
: request that the kernel clear the thread-id in user space (at an address
: provided in the syscall) when the thread disassociates itself from the
: address space, which is done in mm_release().
:
: Unfortunately, when a multi-threaded process incurs a core dump (such as
: from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of
: the other threads, which then proceed to clear their user-space tids
: before synchronizing in exit_mm() with the start of core dumping.  This
: misrepresents the state of process's address space at the time of the
: SIGSEGV and makes it more difficult for someone to debug NPTL and glibc
: problems (misleading him/her to conclude that the threads had gone away
: before the fault).
:
: The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a
: core dump has been initiated.

The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269)
seems to have a larger scope than the original patch asked for.  It
seems that limiting the scope of the check to core dumping should work
for the SIGSEGV issue described above.

[Changelog partly based on Andreas' description]
Fixes: fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit")
Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.org
Signed-off-by: Michal Hocko <mhocko@suse.com>
Tested-by: William Preston <wpreston@suse.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Andreas Schwab <schwab@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/fork.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -777,14 +777,12 @@ void mm_release(struct task_struct *tsk,
 	deactivate_mm(tsk, mm);
 
 	/*
-	 * If we're exiting normally, clear a user-space tid field if
-	 * requested.  We leave this alone when dying by signal, to leave
-	 * the value intact in a core dump, and to save the unnecessary
-	 * trouble, say, a killed vfork parent shouldn't touch this mm.
-	 * Userland only wants this done for a sys_exit.
+	 * Signal userspace if we're not exiting with a core dump
+	 * because we want to leave the value intact for debugging
+	 * purposes.
 	 */
 	if (tsk->clear_child_tid) {
-		if (!(tsk->flags & PF_SIGNALED) &&
+		if (!(tsk->signal->flags & SIGNAL_GROUP_COREDUMP) &&
 		    atomic_read(&mm->mm_users) > 1) {
 			/*
 			 * We don't check the error code - if userspace has
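
Review bot: the rewritten comment in mm_release() drops the old rationale about a killed vfork parent not touching this mm without saying why it no longer applies. With the test changed from PF_SIGNALED to SIGNAL_GROUP_COREDUMP, a task killed by a signal that does not dump core now does clear the tid, which is the nscd behaviour the commit message wants; the comment should state that explicitly and say whether the mm_users > 1 check is what now covers the vfork case. The new condition also dereferences tsk->signal, so a word on why that pointer is still valid at this point in exit would help.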


* [PATCH 3.16 196/346] MIPS: KVM: Check for pfn noslot case
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Radim Krčmář,
	Greg Kroah-Hartman, Paolo Bonzini, kvm, James Hogan, linux-mips,
	Ralf Baechle

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 upstream.

When mapping a page into the guest we error check using is_error_pfn(),
however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
error HVA for the page. This can only happen on MIPS right now due to
unusual memslot management (e.g. being moved / removed / resized), or
with an Enhanced Virtual Memory (EVA) configuration where the default
KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
in a later patch). This case will be treated as a pfn of zero, mapping
the first page of physical memory into the guest.

It would appear the MIPS KVM port wasn't updated prior to being merged
(in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as
a error pfn") into account (merged v3.8), which converted a bunch of
is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
is_error_noslot_pfn() instead to catch this case properly.

Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[james.hogan@imgtec.com: Backport to v4.7.y]
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kvm/kvm_tlb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -155,7 +155,7 @@ static int kvm_mips_map_page(struct kvm
         srcu_idx = srcu_read_lock(&kvm->srcu);
 	pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
 
-	if (kvm_mips_is_error_pfn(pfn)) {
+	if (is_error_noslot_pfn(pfn)) {
 		kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
 		err = -EFAULT;
 		goto out;
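
Review bot: only this call site in kvm_mips_map_page() moves from kvm_mips_is_error_pfn() to is_error_noslot_pfn(). If the MIPS wrapper has other callers in the 3.16 tree they keep the KVM_PFN_NOSLOT gap the commit message describes, so please grep for it in the backport. The kvm_err() text is also identical for an error pfn and a noslot pfn; distinguishing the two would make the memslot case easier to diagnose.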


* [PATCH 3.16 221/346] ARM: kirkwood: ib62x0: fix size of u-boot environment partition
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Simon Baatz, Sebastian Hesselbarth, Jason Cooper,
	Gregory Clement, Andrew Lunn, Luka Perkov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Baatz <gmbnomis@gmail.com>

commit a778937888867aac17a33887d1c429120790fbc2 upstream.

Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
partition") split the "u-boot" partition into "u-boot" and "u-boot
environment".  However, instead of the size of the environment, an offset
was given, resulting in overlapping partitions.

Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Gregory Clement <gregory.clement@free-electrons.com>
Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Cc: Luka Perkov <luka@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
+++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
@@ -113,7 +113,7 @@
 
 	partition@e0000 {
 		label = "u-boot environment";
-		reg = <0xe0000 0x100000>;
+		reg = <0xe0000 0x20000>;
 	};
 
 	partition@100000 {
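
Review bot: the reg property of "u-boot environment" had an offset written where a length belongs, so please check the other partition nodes in this file for the same mistake, since only this one is visible in the hunk. The new value is consistent with its neighbour: 0xe0000 + 0x20000 = 0x100000, which is where partition@100000 begins.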


* [PATCH 3.16 149/346] mac80211: fix purging multicast PS buffer queue
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg, Felix Fietkau

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <nbd@nbd.name>

commit 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 upstream.

The code currently assumes that buffered multicast PS frames don't have
a pending ACK frame for tx status reporting.
However, hostapd sends a broadcast deauth frame on teardown for which tx
status is requested. This can lead to the "Have pending ack frames"
warning on module reload.
Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/cfg.c | 2 +-
 net/mac80211/tx.c  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1186,7 +1186,7 @@ static int ieee80211_stop_ap(struct wiph
 
 	/* free all potentially still buffered bcast frames */
 	local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
-	skb_queue_purge(&sdata->u.ap.ps.bc_buf);
+	ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf);
 
 	mutex_lock(&local->mtx);
 	ieee80211_vif_copy_chanctx_to_vlans(sdata, true);
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -351,7 +351,7 @@ static void purge_old_ps_buffers(struct
 		skb = skb_dequeue(&ps->bc_buf);
 		if (skb) {
 			purged++;
-			dev_kfree_skb(skb);
+			ieee80211_free_txskb(&local->hw, skb);
 		}
 		total += skb_queue_len(&ps->bc_buf);
 	}
@@ -434,7 +434,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i
 	if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
 		ps_dbg(tx->sdata,
 		       "BC TX buffer full - dropping the oldest frame\n");
-		dev_kfree_skb(skb_dequeue(&ps->bc_buf));
+		ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf));
 	} else
 		tx->local->total_ps_buffered++;
 
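
Review bot: in ieee80211_tx_h_multicast_ps_buf(), the result of skb_dequeue() is passed straight to ieee80211_free_txskb(). dev_kfree_skb() accepts a NULL skb; whether ieee80211_free_txskb() does is not shown here, and the purge_old_ps_buffers() hunk above keeps its "if (skb)" guard around the same call. The skb_queue_len() check makes an empty queue unlikely, but the check and the dequeue are separate steps, so either take the skb into a local and test it or state why the queue cannot drain in between.
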
@@ -2989,7 +2989,7 @@ ieee80211_get_buffered_bc(struct ieee802
 			sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
 		if (!ieee80211_tx_prepare(sdata, &tx, skb))
 			break;
-		dev_kfree_skb_any(skb);
+		ieee80211_free_txskb(hw, skb);
 	}
 
 	info = IEEE80211_SKB_CB(skb);
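
Review bot: ieee80211_get_buffered_bc() previously used dev_kfree_skb_any(), the variant that is safe with interrupts disabled or in hard-irq context. The replacement ieee80211_free_txskb() has to be safe in every context this function is called from, and the commit message does not say that was checked; please confirm it for callers that run in interrupt context.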


* [PATCH 3.16 212/346] ASoC: omap-mcpdm: Fix irq resource handling
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Russell King, Mark Brown, Peter Ujfalusi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Ujfalusi <peter.ujfalusi@ti.com>

commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 upstream.

Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function")

Managed irq request will not do any good in ASoC probe level as it is
not going to free up the irq when the driver is unbound from the sound
card.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reported-by: Russell King <linux@armlinux.org.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/omap/omap-mcpdm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/sound/soc/omap/omap-mcpdm.c
+++ b/sound/soc/omap/omap-mcpdm.c
@@ -390,8 +390,8 @@ static int omap_mcpdm_probe(struct snd_s
 	pm_runtime_get_sync(mcpdm->dev);
 	omap_mcpdm_write(mcpdm, MCPDM_REG_CTRL, 0x00);
 
-	ret = devm_request_irq(mcpdm->dev, mcpdm->irq, omap_mcpdm_irq_handler,
-				0, "McPDM", (void *)mcpdm);
+	ret = request_irq(mcpdm->irq, omap_mcpdm_irq_handler, 0, "McPDM",
+			  (void *)mcpdm);
 
 	pm_runtime_put_sync(mcpdm->dev);
 
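
Review bot: with devm_request_irq() replaced by request_irq() in omap_mcpdm_probe(), nothing releases the interrupt automatically any more, so every error return after this call has to call free_irq() itself. The rest of probe is outside the hunk; please check that a failed request_irq() is the only failure exit after this point. The (void *) casts on mcpdm are unnecessary, both in this call and in the free_irq() added to omap_mcpdm_remove().
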
@@ -416,6 +416,7 @@ static int omap_mcpdm_remove(struct snd_
 {
 	struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
 
+	free_irq(mcpdm->irq, (void *)mcpdm);
 	pm_runtime_disable(mcpdm->dev);
 
 	return 0;


* [PATCH 3.16 135/346] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin Schwidefsky, linux-s390, James Hogan, Heiko Carstens

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 68c5cf5a6091c2c3fabccfd42ca844d730ec24c6 upstream.

AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
for s390 at all even though ARCH_DLINFO can contain one NEW_AUX_ENT when
VDSO is enabled.

This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
AT_BASE_PLATFORM which s390 doesn't use, but let's define it now and add
the comment above ARCH_DLINFO as found in several other architectures to
remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
date.

Fixes: b020632e40c3 ("[S390] introduce vdso on s390")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/elf.h         | 1 +
 arch/s390/include/uapi/asm/auxvec.h | 2 ++
 2 files changed, 3 insertions(+)

--- a/arch/s390/include/asm/elf.h
+++ b/arch/s390/include/asm/elf.h
@@ -210,6 +210,7 @@ do {								\
 
 #define STACK_RND_MASK	0x7ffUL
 
+/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
 #define ARCH_DLINFO							    \
 do {									    \
 	if (vdso_enabled)						    \
--- a/arch/s390/include/uapi/asm/auxvec.h
+++ b/arch/s390/include/uapi/asm/auxvec.h
@@ -3,4 +3,6 @@
 
 #define AT_SYSINFO_EHDR		33
 
+#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
+
 #endif
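
Review bot: the new "#define AT_VECTOR_SIZE_ARCH 1" separates name and value with a single space, while AT_SYSINFO_EHDR two lines above uses tabs; please align it the same way. The comment "entries in ARCH_DLINFO" and the reminder added above ARCH_DLINFO in elf.h point at each other, which is the right cross-reference, but the count is only correct while the entry under vdso_enabled stays the single NEW_AUX_ENT, so naming AT_SYSINFO_EHDR in the comment would make the dependency explicit.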


* [PATCH 3.16 214/346] ubifs: Fix assertion in layout_in_gaps()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Vincent Stehlé, Artem Bityutskiy, Richard Weinberger

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Stehlé <vincent.stehle@intel.com>

commit c0082e985fdf77b02fc9e0dac3b58504dcf11b7a upstream.

An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
below the maximum bound. When computing this maximum bound the idx_lebs
count is multiplied by sizeof(int), while C pointer arithmetic does take
into account the size of the pointed elements implicitly already. Remove
the multiplication to fix the assertion.

Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Signed-off-by: Vincent Stehlé <vincent.stehle@intel.com>
Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ubifs/tnc_commit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ubifs/tnc_commit.c
+++ b/fs/ubifs/tnc_commit.c
@@ -370,7 +370,7 @@ static int layout_in_gaps(struct ubifs_i
 
 	p = c->gap_lebs;
 	do {
-		ubifs_assert(p < c->gap_lebs + sizeof(int) * c->lst.idx_lebs);
+		ubifs_assert(p < c->gap_lebs + c->lst.idx_lebs);
 		written = layout_leb_in_gaps(c, p);
 		if (written < 0) {
 			err = written;
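
Review bot: in layout_in_gaps(), the corrected bound c->gap_lebs + c->lst.idx_lebs is right for an int pointer, but the assertion is the only check on p visible in this loop before layout_leb_in_gaps(c, p) uses it. With the old bound sizeof(int) times too far out, an overrun of gap_lebs would have gone unreported; please confirm that the loop condition, which is outside the hunk, bounds p independently of the assertion. The commit message also does not say whether the array holds idx_lebs or idx_lebs + 1 elements, which decides whether "<" is the right comparison.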


* [PATCH 3.16 328/346] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Robin Murphy, Russell King, Srinivas Ramana

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Ramana <sramana@codeaurora.org>

commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 upstream.

If the bootloader uses the long descriptor format and jumps to
kernel decompressor code, TTBCR may not be in a right state.
Before enabling the MMU, it is required to clear the TTBCR.PD0
field to use TTBR0 for translation table walks.

The commit dbece45894d3a ("ARM: 7501/1: decompressor:
reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but
doesn't consider all the bits for the size of TTBCR.N.

Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to
indicate the use of TTBR0 and the correct base address width.

Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores")
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/compressed/head.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/compressed/head.S
+++ b/arch/arm/boot/compressed/head.S
@@ -726,7 +726,7 @@ __armv7_mmu_cache_on:
 		orrne	r0, r0, #1		@ MMU enabled
 		movne	r1, #0xfffffffd		@ domain 0 = client
 		bic     r6, r6, #1 << 31        @ 32-bit translation system
-		bic     r6, r6, #3 << 0         @ use only ttbr0
+		bic     r6, r6, #(7 << 0) | (1 << 4)	@ use only ttbr0
 		mcrne	p15, 0, r3, c2, c0, 0	@ load page table pointer
 		mcrne	p15, 0, r1, c3, c0, 0	@ load domain access control
 		mcrne   p15, 0, r6, c2, c0, 2   @ load ttb control
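
Review bot: the trailing comment on the changed bic is still just "use only ttbr0", which does not tell the reader which TTBCR fields are being cleared. Going by the commit message, (7 << 0) is the three-bit TTBCR.N field and (1 << 4) is TTBCR.PD0; naming them in the comment would keep the next edit from repeating the two-bit mask this patch corrects.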


* [PATCH 3.16 292/346] m32r: fix __get_user()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/m32r/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_reg
 #define __get_user_nocheck(x,ptr,size)					\
 ({									\
 	long __gu_err = 0;						\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	might_fault();							\
 	__get_user_size(__gu_val,(ptr),(size),__gu_err);		\
 	(x) = (__typeof__(*(ptr)))__gu_val;				\
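
Review bot: the commit message has no body, so the reason for initialising __gu_val in __get_user_nocheck() has to be inferred from the macro. (x) is assigned from __gu_val whatever __gu_err ends up as, so if __get_user_size() leaves __gu_val untouched on a fault, the old code handed an uninitialised value to the caller. Please add a sentence to that effect to the changelog.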


* [PATCH 3.16 051/346] ppp: defer netns reference release for ppp channel
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matt Bennett, Cyrill Gorcunov, Paul Mackerras,
	David S. Miller, Guillaume Nault, linux-ppp, WANG Cong

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.

Matt reported that we have a NULL pointer dereference
in ppp_pernet() from ppp_connect_channel(),
i.e. pch->chan_net is NULL.

This is because a parallel ppp_unregister_channel()
could happen while we are in ppp_connect_channel(), during
which pch->chan_net is set to NULL. Since we need a reference
to net per channel, it makes sense to sync the refcnt
with the lifetime of the channel, therefore we should
release this reference when we destroy it.

Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ppp/ppp_generic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2338,8 +2338,6 @@ ppp_unregister_channel(struct ppp_channe
 	spin_lock_bh(&pn->all_channels_lock);
 	list_del(&pch->list);
 	spin_unlock_bh(&pn->all_channels_lock);
-	put_net(pch->chan_net);
-	pch->chan_net = NULL;
 
 	pch->file.dead = 1;
 	wake_up_interruptible(&pch->file.rwait);
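
Review bot: with `put_net()` and the NULL store removed from `ppp_unregister_channel()`, `pch->chan_net` stays set after the channel has been unlinked from the list and marked dead. A short comment at this spot saying that the netns reference is now held until `ppp_destroy_channel()` would stop a later cleanup from reintroducing the early release.
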
@@ -2955,6 +2953,9 @@ ppp_disconnect_channel(struct channel *p
  */
 static void ppp_destroy_channel(struct channel *pch)
 {
+	put_net(pch->chan_net);
+	pch->chan_net = NULL;
+
 	atomic_dec(&channel_count);
 
 	if (!pch->file.dead) {
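
Review bot: `put_net(pch->chan_net)` at the top of `ppp_destroy_channel()` is unconditional, so every path that reaches the destructor must already hold the reference. If a channel can be destroyed without `chan_net` ever having been set, this passes NULL to `put_net()`; either state in the comment above the function that registration always precedes destruction, or guard the call.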

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 153/346] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 075/346] ext4: short-cut orphan cleanup on error Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 139/346] balloon: check the number of available pages in leak balloon Ben Hutchings
                   ` (269 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Sheng-Hui J. Chu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Sheng-Hui J. Chu" <s.jeffrey.chu@gmail.com>

commit ae34d12cc1e212ffcd92e069030e54dae69c832f upstream.

BCM20706V2_EVAL is a WICED dev board designed with FT2232H USB 2.0
UART/FIFO IC.

To support the BCM920706V2_EVAL dev board for WICED development on Linux,
add the VID(0a5c) and PID(6422) to the ftdi_sio driver to allow loading
ftdi_sio for this board.

Signed-off-by: Sheng-Hui J. Chu <s.jeffrey.chu@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ftdi_sio.c     | 1 +
 drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
 2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1023,6 +1023,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
 	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
 	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+	{ USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -679,6 +679,12 @@
 #define INTREPID_NEOVI_PID	0x0701
 
 /*
+ * WICED USB UART
+ */
+#define WICED_VID		0x0A5C
+#define WICED_USB20706V2_PID	0x6422
+
+/*
  * Definitions for ID TECH (www.idt-net.com) devices
  */
 #define IDTECH_VID		0x0ACD	/* ID TECH Vendor ID */
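
Review bot: the new comment block in ftdi_sio_ids.h says only "WICED USB UART", while the commit message names the board as both BCM20706V2_EVAL and BCM920706V2_EVAL and the macro is `WICED_USB20706V2_PID`. Settle on one spelling and put the board name in the comment so the 0x0A5C/0x6422 pair can be traced back to the hardware; the ID TECH block just below, with its vendor URL and per-define comment, is the style to follow.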

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 279/346] mips: copy_from_user() must zero the destination on access_ok() failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 200/346] parisc: Fix order of EREFUSED define in errno.h Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 024/346] hwrng: omap - Fix assumption that runtime_get_sync will always succeed Ben Hutchings
                   ` (155 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/uaccess.h | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -14,6 +14,7 @@
 #include <linux/kernel.h>
 #include <linux/errno.h>
 #include <linux/thread_info.h>
+#include <linux/string.h>
 #include <asm/asm-eva.h>
 
 /*
@@ -1139,6 +1140,8 @@ extern size_t __copy_in_user_eva(void *_
 			__cu_len = __invoke_copy_from_user(__cu_to,	\
 							   __cu_from,	\
 							   __cu_len);   \
+		} else {						\
+			memset(__cu_to, 0, __cu_len);			\
 		}							\
 	}								\
 	__cu_len;							\
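
Review bot: the added `else` branch zeroes the destination only when `access_ok()` rejects the range; nothing in this hunk shows what happens to the tail of `__cu_to` when `__invoke_copy_from_user()` faults part-way and returns a non-zero `__cu_len`. The commit message is empty, so please state there whether the partial-copy case is already zeroed inside the copy helper, and whether the other copy-from-user macro variants in this header need the same `memset()`.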

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 171/346] arm: oabi compat: add missing access checks
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 174/346] usb: misc: usbtest: add fix for driver hang Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 264/346] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl Ben Hutchings
                   ` (240 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kees Cook, Nicolas Pitre, Chiachih Wu, Linus Torvalds,
	Dave Weinstein

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Weinstein <olorin@google.com>

commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.

Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
This fixes CVE-2016-3857, a local privilege escalation under
CONFIG_OABI_COMPAT.

Reported-by: Chiachih Wu <wuchiachih@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Dave Weinstein <olorin@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int
 	mm_segment_t fs;
 	long ret, err, i;
 
-	if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+	if (maxevents <= 0 ||
+			maxevents > (INT_MAX/sizeof(*kbuf)) ||
+			maxevents > (INT_MAX/sizeof(*events)))
 		return -EINVAL;
+	if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+		return -EFAULT;
 	kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
 	if (!kbuf)
 		return -ENOMEM;
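
Review bot: the bound on `maxevents` is now tested against both `sizeof(*kbuf)` and `sizeof(*events)`, but nothing says why two limits are needed. A one-line comment that `kbuf` and `events` point to different structure types, so both the `kmalloc()` size and the `access_ok()` size have to stay within `INT_MAX`, would keep someone from collapsing the test back to a single term.
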
@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int
 
 	if (nsops < 1 || nsops > SEMOPM)
 		return -EINVAL;
+	if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+		return -EFAULT;
 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
 	if (!sops)
 		return -ENOMEM;
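
Review bot: the `access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)` check relies on the `nsops > SEMOPM` test just above it to keep the multiplication from overflowing; that ordering dependency deserves a comment, because swapping the two checks would make the size computation unsafe. The commit message should also name which user accesses in these two functions were previously unchecked, since neither hunk shows them.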

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 324/346] mm,ksm: fix endless looping in allocating memory when ksm enable
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 263/346] asm-generic: make copy_from_user() zero the destination properly Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 162/346] netfilter: nfnetlink_queue: reject verdict request from different portid Ben Hutchings
                   ` (310 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michal Hocko, zhong jiang, Hugh Dickins, Linus Torvalds,
	Michal Hocko

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: zhong jiang <zhongjiang@huawei.com>

commit 5b398e416e880159fe55eefd93c6588fa072cd66 upstream.

I hit the following hung task when running an OOM LTP test case with a 4.1
kernel.

Call trace:
[<ffffffc000086a88>] __switch_to+0x74/0x8c
[<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
[<ffffffc000a1c09c>] schedule+0x3c/0x94
[<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
[<ffffffc000a1e32c>] down_write+0x64/0x80
[<ffffffc00021f794>] __ksm_exit+0x90/0x19c
[<ffffffc0000be650>] mmput+0x118/0x11c
[<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
[<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
[<ffffffc0000d0f34>] get_signal+0x444/0x5e0
[<ffffffc000089fcc>] do_signal+0x1d8/0x450
[<ffffffc00008a35c>] do_notify_resume+0x70/0x78

The oom victim cannot terminate because it needs to take mmap_sem for
write while the lock is held by ksmd for read, which loops in the page
allocator:

ksm_do_scan
	scan_get_next_rmap_item
		down_read
		get_next_rmap_item
			alloc_rmap_item   #ksmd will loop permanently.

There is no way forward because the oom victim cannot release any memory
in a 4.1 based kernel.  Since 4.6 we have the oom reaper which would solve
this problem because it would release the memory asynchronously.
Nevertheless we can relax alloc_rmap_item requirements and use
__GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
would just retry later after the lock got dropped.

Such a patch would also be easy to backport to older stable kernels which
do not have oom_reaper.

While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
by the allocation failure.

Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Suggested-by: Hugh Dickins <hughd@google.com>
Suggested-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/ksm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -283,7 +283,8 @@ static inline struct rmap_item *alloc_rm
 {
 	struct rmap_item *rmap_item;
 
-	rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL);
+	rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL |
+						__GFP_NORETRY | __GFP_NOWARN);
 	if (rmap_item)
 		ksm_rmap_items++;
 	return rmap_item;
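
Review bot: the commit message says GFP_NOWARN, but the flag added in `alloc_rmap_item()` is `__GFP_NOWARN`; the message should match the code. The reason for `__GFP_NORETRY` (ksmd holds mmap_sem for read while allocating, and a failed allocation is simply retried on a later scan) lives only in the commit message, so a comment above the `kmem_cache_zalloc()` call would keep the flags from being dropped as unnecessary later.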

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 156/346] vfio/pci: Fix NULL pointer oops in error interrupt setup handling
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 184/346] cdc-acm: fix wrong pipe type on rx interrupt xfers Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 206/346] powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) Ben Hutchings
                   ` (237 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Williamson, Chris Thompson, Eric Auger

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit c8952a707556e04374d7b2fdb3a079d63ddf6f2f upstream.

There are multiple cases in vfio_pci_set_ctx_trigger_single() where
we assume we can safely read from our data pointer without actually
checking whether the user has passed any data via the count field.
VFIO_IRQ_SET_DATA_NONE in particular is entirely broken since we
attempt to pull an int32_t file descriptor out before even checking
the data type.  The other data types assume the data pointer contains
one element of their type as well.

In part this is good news because we were previously restricted from
doing much sanitization of parameters because it was missed in the
past and we didn't want to break existing users.  Clearly DATA_NONE
is completely broken, so it must not have any users and we can fix
it up completely.  For DATA_BOOL and DATA_EVENTFD, we'll just
protect ourselves, returning error when count is zero since we
previously would have oopsed.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Chris Thompson <the_cartographer@hotmail.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
[bwh: Backported to 3.16:
 - Drop changes to vfio_pci_set_req_trigger()
 - Apply remaining changes in vfio_pci_set_err_trigger()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vfio/pci/vfio_pci_intrs.c | 85 ++++++++++++++++++++++-----------------
 1 file changed, 49 insertions(+), 36 deletions(-)

--- a/drivers/vfio/pci/vfio_pci_intrs.c
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
@@ -752,41 +752,58 @@ static int vfio_pci_set_err_trigger(stru
 				    unsigned index, unsigned start,
 				    unsigned count, uint32_t flags, void *data)
 {
-	int32_t fd = *(int32_t *)data;
-
-	if ((index != VFIO_PCI_ERR_IRQ_INDEX) ||
-	    !(flags & VFIO_IRQ_SET_DATA_TYPE_MASK))
+	if (index != VFIO_PCI_ERR_IRQ_INDEX || start != 0 || count > 1)
 		return -EINVAL;
 
 	/* DATA_NONE/DATA_BOOL enables loopback testing */
 	if (flags & VFIO_IRQ_SET_DATA_NONE) {
-		if (vdev->err_trigger)
-			eventfd_signal(vdev->err_trigger, 1);
-		return 0;
+		if (vdev->err_trigger) {
+			if (count) {
+				eventfd_signal(vdev->err_trigger, 1);
+			} else {
+				eventfd_ctx_put(vdev->err_trigger);
+				vdev->err_trigger = NULL;
+			}
+			return 0;
+		}
 	} else if (flags & VFIO_IRQ_SET_DATA_BOOL) {
-		uint8_t trigger = *(uint8_t *)data;
+		uint8_t trigger;
+
+		if (!count)
+			return -EINVAL;
+
+		trigger = *(uint8_t *)data;
 		if (trigger && vdev->err_trigger)
 			eventfd_signal(vdev->err_trigger, 1);
-		return 0;
-	}
 
-	/* Handle SET_DATA_EVENTFD */
-	if (fd == -1) {
-		if (vdev->err_trigger)
-			eventfd_ctx_put(vdev->err_trigger);
-		vdev->err_trigger = NULL;
 		return 0;
-	} else if (fd >= 0) {
-		struct eventfd_ctx *efdctx;
-		efdctx = eventfd_ctx_fdget(fd);
-		if (IS_ERR(efdctx))
-			return PTR_ERR(efdctx);
-		if (vdev->err_trigger)
-			eventfd_ctx_put(vdev->err_trigger);
-		vdev->err_trigger = efdctx;
+	} else if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
+		int32_t fd;
+
+		if (!count)
+			return -EINVAL;
+
+		fd = *(int32_t *)data;
+		if (fd == -1) {
+			if (vdev->err_trigger)
+				eventfd_ctx_put(vdev->err_trigger);
+			vdev->err_trigger = NULL;
+		} else if (fd >= 0) {
+			struct eventfd_ctx *efdctx;
+
+			efdctx = eventfd_ctx_fdget(fd);
+			if (IS_ERR(efdctx))
+				return PTR_ERR(efdctx);
+
+			if (vdev->err_trigger)
+				eventfd_ctx_put(vdev->err_trigger);
+
+			vdev->err_trigger = efdctx;
+		}
 		return 0;
-	} else
-		return -EINVAL;
+	}
+
+	return -EINVAL;
 }
 int vfio_pci_set_irqs_ioctl(struct vfio_pci_device *vdev, uint32_t flags,
 			    unsigned index, unsigned start, unsigned count,
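
Review bot: in the new `VFIO_IRQ_SET_DATA_EVENTFD` branch, an `fd` below -1 matches neither `fd == -1` nor `fd >= 0` and falls through to `return 0`, where the removed code ended in `else return -EINVAL`; add an `else return -EINVAL;` so an invalid descriptor is still rejected. Separately, `return 0` in the `VFIO_IRQ_SET_DATA_NONE` branch moved inside `if (vdev->err_trigger)`, so DATA_NONE with no trigger registered now returns -EINVAL instead of 0, and the comment "DATA_NONE/DATA_BOOL enables loopback testing" does not cover the new `count == 0` path that releases the eventfd. Both behaviour changes belong in the commit message.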

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 265/346] NFSv4.1: Fix the CREATE_SESSION slot number accounting
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 051/346] ppp: defer netns reference release for ppp channel Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 232/346] ALSA: timer: fix NULL pointer dereference on memory allocation failure Ben Hutchings
                   ` (326 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Trond Myklebust

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream.

Ensure that we conform to the algorithm described in RFC5661, section
18.36.4 for when to bump the sequence id. In essence we do it for all
cases except when the RPC call timed out, or in case of the server returning
NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[bwh: Backported to 3.16:
 - Add the 'out' label
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -7063,13 +7063,22 @@ static int _nfs4_proc_create_session(str
 	status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
 	trace_nfs4_create_session(clp, status);
 
+	switch (status) {
+	case -NFS4ERR_STALE_CLIENTID:
+	case -NFS4ERR_DELAY:
+	case -ETIMEDOUT:
+	case -EACCES:
+	case -EAGAIN:
+		goto out;
+	};
+
+	clp->cl_seqid++;
 	if (!status) {
 		/* Verify the session's negotiated channel_attrs values */
 		status = nfs4_verify_channel_attrs(&args, session);
-		/* Increment the clientid slot sequence id */
-		clp->cl_seqid++;
 	}
 
+out:
 	return status;
 }
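
Review bot: the `switch (status)` skips the `cl_seqid` increment for `-EACCES` and `-EAGAIN` as well, but the commit message lists only the RPC timeout, NFS4ERR_DELAY and NFS4ERR_STALE_CLIENTID as exceptions. Explain in the message or in a comment above the switch why those two codes also mean the sequence id must not be bumped. The closing `};` of the switch carries a stray semicolon.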
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 236/346] ALSA: fireworks: accessing to user space outside spinlock
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (141 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 138/346] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 131/346] drm/nouveau/acpi: ensure matching ACPI handle and supported functions Ben Hutchings
                   ` (203 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Takashi Iwai, Takashi Sakamoto, Vaishali Thakkar

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 upstream.

In the hwdep interface of the fireworks driver, user space is accessed in a
critical section with local interrupts disabled. Depending on the architecture,
accessing user space can cause a page fault exception. The local
processor then stores the machine status and handles the synchronous event. A
handler corresponding to the event can call the task scheduler to wait for
pages to be prepared. On a single-core processor, having local interrupts
disabled is worse because it doesn't handle the usual interrupts
from hardware.

This commit fixes this bug by performing the access outside the spinlock. This
commit also gives up counting the number of queued response messages to
simplify ring-buffer management.

Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
Fixes: 555e8a8f7f14('ALSA: fireworks: Add command/response functionality into hwdep interface')
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/firewire/fireworks/fireworks.h             |  1 -
 sound/firewire/fireworks/fireworks_hwdep.c       | 71 +++++++++++++++++-------
 sound/firewire/fireworks/fireworks_proc.c        |  4 +-
 sound/firewire/fireworks/fireworks_transaction.c |  5 +-
 4 files changed, 56 insertions(+), 25 deletions(-)

--- a/sound/firewire/fireworks/fireworks.h
+++ b/sound/firewire/fireworks/fireworks.h
@@ -106,7 +106,6 @@ struct snd_efw {
 	u8 *resp_buf;
 	u8 *pull_ptr;
 	u8 *push_ptr;
-	unsigned int resp_queues;
 };
 
 int snd_efw_transaction_cmd(struct fw_unit *unit,
--- a/sound/firewire/fireworks/fireworks_hwdep.c
+++ b/sound/firewire/fireworks/fireworks_hwdep.c
@@ -25,6 +25,7 @@ hwdep_read_resp_buf(struct snd_efw *efw,
 {
 	unsigned int length, till_end, type;
 	struct snd_efw_transaction *t;
+	u8 *pull_ptr;
 	long count = 0;
 
 	if (remained < sizeof(type) + sizeof(struct snd_efw_transaction))
@@ -38,8 +39,17 @@ hwdep_read_resp_buf(struct snd_efw *efw,
 	buf += sizeof(type);
 
 	/* write into buffer as many responses as possible */
-	while (efw->resp_queues > 0) {
-		t = (struct snd_efw_transaction *)(efw->pull_ptr);
+	spin_lock_irq(&efw->lock);
+
+	/*
+	 * When another task reaches here during this task's access to user
+	 * space, it picks up current position in buffer and can read the same
+	 * series of responses.
+	 */
+	pull_ptr = efw->pull_ptr;
+
+	while (efw->push_ptr != pull_ptr) {
+		t = (struct snd_efw_transaction *)(pull_ptr);
 		length = be32_to_cpu(t->length) * sizeof(__be32);
 
 		/* confirm enough space for this response */
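
Review bot: taking a private copy of `efw->pull_ptr` means two tasks inside `hwdep_read_resp_buf()` at once both start from the same position and, as the new comment admits, receive the same responses. Before this change the whole loop ran under `efw->lock`, so this is a user-visible change for multi-threaded readers and belongs in the commit message. If duplicate delivery is not acceptable, serialise readers with a sleeping lock (a mutex) around the copy instead.
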
@@ -49,26 +59,39 @@ hwdep_read_resp_buf(struct snd_efw *efw,
 		/* copy from ring buffer to user buffer */
 		while (length > 0) {
 			till_end = snd_efw_resp_buf_size -
-				(unsigned int)(efw->pull_ptr - efw->resp_buf);
+				(unsigned int)(pull_ptr - efw->resp_buf);
 			till_end = min_t(unsigned int, length, till_end);
 
-			if (copy_to_user(buf, efw->pull_ptr, till_end))
+			spin_unlock_irq(&efw->lock);
+
+			if (copy_to_user(buf, pull_ptr, till_end))
 				return -EFAULT;
 
-			efw->pull_ptr += till_end;
-			if (efw->pull_ptr >= efw->resp_buf +
-					     snd_efw_resp_buf_size)
-				efw->pull_ptr -= snd_efw_resp_buf_size;
+			spin_lock_irq(&efw->lock);
+
+			pull_ptr += till_end;
+			if (pull_ptr >= efw->resp_buf + snd_efw_resp_buf_size)
+				pull_ptr -= snd_efw_resp_buf_size;
 
 			length -= till_end;
 			buf += till_end;
 			count += till_end;
 			remained -= till_end;
 		}
-
-		efw->resp_queues--;
 	}
 
+	/*
+	 * All of tasks can read from the buffer nearly simultaneously, but the
+	 * last position for each task is different depending on the length of
+	 * given buffer. Here, for simplicity, a position of buffer is set by
+	 * the latest task. It's better for a listening application to allow one
+	 * thread to read from the buffer. Unless, each task can read different
+	 * sequence of responses depending on variation of buffer length.
+	 */
+	efw->pull_ptr = pull_ptr;
+
+	spin_unlock_irq(&efw->lock);
+
 	return count;
 }
 
@@ -76,14 +99,17 @@ static long
 hwdep_read_locked(struct snd_efw *efw, char __user *buf, long count,
 		  loff_t *offset)
 {
-	union snd_firewire_event event;
+	union snd_firewire_event event = {
+		.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
+	};
 
-	memset(&event, 0, sizeof(event));
+	spin_lock_irq(&efw->lock);
 
-	event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
 	event.lock_status.status = (efw->dev_lock_count > 0);
 	efw->dev_lock_changed = false;
 
+	spin_unlock_irq(&efw->lock);
+
 	count = min_t(long, count, sizeof(event.lock_status));
 
 	if (copy_to_user(buf, &event, count))
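
Review bot: replacing `memset(&event, 0, sizeof(event))` with a designated initialiser for `.lock_status.type` only guarantees that the `lock_status` member is initialised, not the rest of the union. That is safe here because the copy is capped at `sizeof(event.lock_status)`, but say so in a comment next to the `min_t()` line, so that a later change copying `sizeof(event)` does not start leaking kernel stack bytes to user space.
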
@@ -98,10 +124,15 @@ hwdep_read(struct snd_hwdep *hwdep, char
 {
 	struct snd_efw *efw = hwdep->private_data;
 	DEFINE_WAIT(wait);
+	bool dev_lock_changed;
+	bool queued;
 
 	spin_lock_irq(&efw->lock);
 
-	while ((!efw->dev_lock_changed) && (efw->resp_queues == 0)) {
+	dev_lock_changed = efw->dev_lock_changed;
+	queued = efw->push_ptr != efw->pull_ptr;
+
+	while (!dev_lock_changed && !queued) {
 		prepare_to_wait(&efw->hwdep_wait, &wait, TASK_INTERRUPTIBLE);
 		spin_unlock_irq(&efw->lock);
 		schedule();
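
Review bot: `dev_lock_changed` and `queued` are snapshots taken under `efw->lock`, but the lock is released before `hwdep_read_locked()` or `hwdep_read_resp_buf()` runs, so the state they describe may already have changed (another reader may have drained the ring). Please confirm that both helpers behave sensibly on stale state, in particular that `hwdep_read_resp_buf()` called with `push_ptr == pull_ptr` does not hand user space a type header followed by no response.
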
@@ -109,15 +140,17 @@ hwdep_read(struct snd_hwdep *hwdep, char
 		if (signal_pending(current))
 			return -ERESTARTSYS;
 		spin_lock_irq(&efw->lock);
+		dev_lock_changed = efw->dev_lock_changed;
+		queued = efw->push_ptr != efw->pull_ptr;
 	}
 
-	if (efw->dev_lock_changed)
+	spin_unlock_irq(&efw->lock);
+
+	if (dev_lock_changed)
 		count = hwdep_read_locked(efw, buf, count, offset);
-	else if (efw->resp_queues > 0)
+	else if (queued)
 		count = hwdep_read_resp_buf(efw, buf, count, offset);
 
-	spin_unlock_irq(&efw->lock);
-
 	return count;
 }
 
@@ -160,7 +193,7 @@ hwdep_poll(struct snd_hwdep *hwdep, stru
 	poll_wait(file, &efw->hwdep_wait, wait);
 
 	spin_lock_irq(&efw->lock);
-	if (efw->dev_lock_changed || (efw->resp_queues > 0))
+	if (efw->dev_lock_changed || efw->pull_ptr != efw->push_ptr)
 		events = POLLIN | POLLRDNORM;
 	else
 		events = 0;
--- a/sound/firewire/fireworks/fireworks_proc.c
+++ b/sound/firewire/fireworks/fireworks_proc.c
@@ -188,8 +188,8 @@ proc_read_queues_state(struct snd_info_e
 	else
 		consumed = (unsigned int)(efw->push_ptr - efw->pull_ptr);
 
-	snd_iprintf(buffer, "%d %d/%d\n",
-		    efw->resp_queues, consumed, snd_efw_resp_buf_size);
+	snd_iprintf(buffer, "%d/%d\n",
+		    consumed, snd_efw_resp_buf_size);
 }
 
 static void
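
Review bot: dropping the first field from the `snd_iprintf()` format changes the line that `proc_read_queues_state()` emits from three numbers to two, which breaks anything that parses the old layout; mention the format change in the commit message. `consumed` is assigned from an `(unsigned int)` cast in the context lines, so `%u` is the matching conversion for it.
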
--- a/sound/firewire/fireworks/fireworks_transaction.c
+++ b/sound/firewire/fireworks/fireworks_transaction.c
@@ -121,11 +121,11 @@ copy_resp_to_buf(struct snd_efw *efw, vo
 	size_t capacity, till_end;
 	struct snd_efw_transaction *t;
 
-	spin_lock_irq(&efw->lock);
-
 	t = (struct snd_efw_transaction *)data;
 	length = min_t(size_t, be32_to_cpu(t->length) * sizeof(u32), length);
 
+	spin_lock_irq(&efw->lock);
+
 	if (efw->push_ptr < efw->pull_ptr)
 		capacity = (unsigned int)(efw->pull_ptr - efw->push_ptr);
 	else
@@ -155,7 +155,6 @@ copy_resp_to_buf(struct snd_efw *efw, vo
 	}
 
 	/* for hwdep */
-	efw->resp_queues++;
 	wake_up(&efw->hwdep_wait);
 
 	*rcode = RCODE_COMPLETE;

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 132/346] drm/nouveau/acpi: return supported DSM functions
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 321/346] tracing: Move mutex to protect against resetting of seq data Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 253/346] Btrfs: add missing blk_finish_plug in btrfs_sync_log() Ben Hutchings
                   ` (146 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Peter Wu, Dave, Ben Skeggs

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Wu <peter@lekensteyn.nl>

commit a12e78dd3e727094e449ee4e3b752ea9b6f8db01 upstream.

Return the set of supported functions to the caller. No functional
changes.

Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Acked-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_acpi.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
+++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
@@ -108,7 +108,7 @@ static int nouveau_optimus_dsm(acpi_hand
  * requirements on the fourth parameter, so a private implementation
  * instead of using acpi_check_dsm().
  */
-static int nouveau_check_optimus_dsm(acpi_handle handle)
+static int nouveau_dsm_get_optimus_functions(acpi_handle handle)
 {
 	int result;
 
@@ -123,7 +123,9 @@ static int nouveau_check_optimus_dsm(acp
 	 * ACPI Spec v4 9.14.1: if bit 0 is zero, no function is supported.
 	 * If the n-th bit is enabled, function n is supported
 	 */
-	return result & 1 && result & (1 << NOUVEAU_DSM_OPTIMUS_CAPS);
+	if (result & 1 && result & (1 << NOUVEAU_DSM_OPTIMUS_CAPS))
+		return result;
+	return 0;
 }
 
 static int nouveau_dsm(acpi_handle handle, int func, int arg)
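
Review bot: `nouveau_dsm_get_optimus_functions()` now returns the raw function bitmask, or 0 when bit 0 or the `NOUVEAU_DSM_OPTIMUS_CAPS` bit is missing, but the comment block above it, as far as this patch shows, does not say what is returned. Add the return contract to that comment, and consider parenthesising the test as `(result & 1) && (result & (1 << NOUVEAU_DSM_OPTIMUS_CAPS))` so the precedence is obvious at a glance.
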
@@ -215,7 +217,7 @@ static void nouveau_dsm_pci_probe(struct
 {
 	acpi_handle dhandle;
 	bool supports_mux;
-	bool supports_opt;
+	int optimus_funcs;
 
 	dhandle = ACPI_HANDLE(&pdev->dev);
 	if (!dhandle)
@@ -227,17 +229,17 @@ static void nouveau_dsm_pci_probe(struct
 	}
 	supports_mux = acpi_check_dsm(dhandle, nouveau_dsm_muid, 0x00000102,
 				      1 << NOUVEAU_DSM_POWER);
-	supports_opt = nouveau_check_optimus_dsm(dhandle);
+	optimus_funcs = nouveau_dsm_get_optimus_functions(dhandle);
 
 	/* Does not look like a Nvidia device. */
-	if (!supports_mux && !supports_opt)
+	if (!supports_mux && !optimus_funcs)
 		return;
 
 	*dhandle_out = dhandle;
 	*has_mux = supports_mux;
-	*has_opt = supports_opt;
+	*has_opt = !!optimus_funcs;
 
-	if (supports_opt) {
+	if (optimus_funcs) {
 		uint32_t result;
 		nouveau_optimus_dsm(dhandle, NOUVEAU_DSM_OPTIMUS_CAPS, 0,
 				    &result);

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 129/346] ubi: Be more paranoid while seaching for the most recent Fastmap
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (333 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 291/346] blackfin: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 340/346] [media] usbvision: revert commit 588afcc1 Ben Hutchings
                   ` (11 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 74f2c6e9a47cf4e508198c8594626cc82906a13d upstream.

Since PEB erasure is asynchronous it can happen that there is
more than one Fastmap on the MTD. This is fine because the attach logic
will pick the Fastmap data structure with the highest sequence number.

On a not so well configured MTD stack spurious ECC errors are common.
Causes can be different, bad hardware, wrong operating modes, etc...
If the most current Fastmap renders bad due to ECC errors UBI might
pick an older Fastmap to attach from.
While this can only happen on an anyway broken setup it will show
completely different symptoms and makes finding the root cause much
more difficult.
So, be debug friendly and fall back to scanning mode if we're facing
an ECC error while scanning for Fastmap.

Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16:
 - In scan_fast(), use 'ai' instead of 'scan_ai'
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mtd/ubi/attach.c
+++ b/drivers/mtd/ubi/attach.c
@@ -807,6 +807,7 @@ out_unlock:
  * @pnum: the physical eraseblock number
  * @vid: The volume ID of the found volume will be stored in this pointer
  * @sqnum: The sqnum of the found volume will be stored in this pointer
+ * @fast: true if we're scanning for a Fastmap
  *
  * This function reads UBI headers of PEB @pnum, checks them, and adds
  * information about this PEB to the corresponding list or RB-tree in the
@@ -814,7 +815,7 @@ out_unlock:
  * successfully handled and a negative error code in case of failure.
  */
 static int scan_peb(struct ubi_device *ubi, struct ubi_attach_info *ai,
-		    int pnum, int *vid, unsigned long long *sqnum)
+		    int pnum, int *vid, unsigned long long *sqnum, bool fast)
 {
 	long long uninitialized_var(ec);
 	int err, bitflips = 0, vol_id = -1, ec_err = 0;
@@ -931,6 +932,20 @@ static int scan_peb(struct ubi_device *u
 			 */
 			ai->maybe_bad_peb_count += 1;
 	case UBI_IO_BAD_HDR:
+			/*
+			 * If we're facing a bad VID header we have to drop *all*
+			 * Fastmap data structures we find. The most recent Fastmap
+			 * could be bad and therefore there is a chance that we attach
+			 * from an old one. On a fine MTD stack a PEB must not render
+			 * bad all of a sudden, but the reality is different.
+			 * So, let's be paranoid and help finding the root cause by
+			 * falling back to scanning mode instead of attaching with a
+			 * bad EBA table and cause data corruption which is hard to
+			 * analyze.
+			 */
+			if (fast)
+				ai->force_full_scan = 1;
+
 		if (ec_err)
 			/*
 			 * Both headers are corrupted. There is a possibility
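
Review bot: the new `if (fast) ai->force_full_scan = 1;` under `case UBI_IO_BAD_HDR:` sets the flag silently, so when scan_fast() later gives up on Fastmap nothing in the log says which PEB triggered the fallback. Since the stated goal is easier root-cause analysis, consider emitting a message that names `pnum` at this point. The added block is also indented one tab deeper than the `if (ec_err)` that follows it at the same nesting level.
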
@@ -1243,7 +1258,7 @@ static int scan_all(struct ubi_device *u
 		cond_resched();
 
 		dbg_gen("process PEB %d", pnum);
-		err = scan_peb(ubi, ai, pnum, NULL, NULL);
+		err = scan_peb(ubi, ai, pnum, NULL, NULL, false);
 		if (err < 0)
 			goto out_vidh;
 	}
@@ -1330,7 +1345,7 @@ static int scan_fast(struct ubi_device *
 		cond_resched();
 
 		dbg_gen("process PEB %d", pnum);
-		err = scan_peb(ubi, ai, pnum, &vol_id, &sqnum);
+		err = scan_peb(ubi, ai, pnum, &vol_id, &sqnum, true);
 		if (err < 0)
 			goto out_vidh;
 
@@ -1346,7 +1361,11 @@ static int scan_fast(struct ubi_device *
 	if (fm_anchor < 0)
 		return UBI_NO_FASTMAP;
 
-	return ubi_scan_fastmap(ubi, ai, fm_anchor);
+	if (ai->force_full_scan)
+		return UBI_NO_FASTMAP;
+	else
+		return ubi_scan_fastmap(ubi, ai, fm_anchor);
+
 
 out_vidh:
 	ubi_free_vid_hdr(ubi, vidh);
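
Review bot: in scan_fast() the `else` after `return UBI_NO_FASTMAP;` is redundant and the hunk leaves two blank lines before `out_vidh:`; a plain `return ubi_scan_fastmap(ubi, ai, fm_anchor);` after the `if` reads better. Returning UBI_NO_FASTMAP for a forced fallback also makes it indistinguishable, for the caller, from the `fm_anchor < 0` case just above, which is fine only if the caller never needs to tell the two apart.
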
--- a/drivers/mtd/ubi/ubi.h
+++ b/drivers/mtd/ubi/ubi.h
@@ -670,6 +670,8 @@ struct ubi_ainf_volume {
  * @vols_found: number of volumes found
  * @highest_vol_id: highest volume ID
  * @is_empty: flag indicating whether the MTD device is empty or not
+ * @force_full_scan: flag indicating whether we need to do a full scan and drop
+		     all existing Fastmap data structures
  * @min_ec: lowest erase counter value
  * @max_ec: highest erase counter value
  * @max_sqnum: highest sequence number value
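
Review bot: the continuation line of the new `@force_full_scan` kerneldoc entry lacks the leading ` *` that every other line of this comment block carries; prefix it so the block stays well-formed for kernel-doc.
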
@@ -696,6 +698,7 @@ struct ubi_attach_info {
 	int vols_found;
 	int highest_vol_id;
 	int is_empty;
+	int force_full_scan;
 	int min_ec;
 	int max_ec;
 	unsigned long long max_sqnum;

* [PATCH 3.16 133/346] drm/nouveau/acpi: check for function 0x1B before using it
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dave, Peter Wu, Ben Skeggs, Hans de Goede

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Wu <peter@lekensteyn.nl>

commit cba97805cb69d5b1a1d3bb108872c73b5bf0e205 upstream.

Do not unconditionally invoke function 0x1B without checking for its
availability, it leads to an infinite loop on some firmware.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104791
Fixes: 5addcf0a5f0fad ("nouveau: add runtime PM support (v0.9)")
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Acked-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_acpi.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
+++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
@@ -45,6 +45,7 @@
 static struct nouveau_dsm_priv {
 	bool dsm_detected;
 	bool optimus_detected;
+	bool optimus_flags_detected;
 	acpi_handle dhandle;
 	acpi_handle other_handle;
 	acpi_handle rom_handle;
@@ -213,7 +214,8 @@ static struct vga_switcheroo_handler nou
 };
 
 static void nouveau_dsm_pci_probe(struct pci_dev *pdev, acpi_handle *dhandle_out,
-				  bool *has_mux, bool *has_opt)
+				  bool *has_mux, bool *has_opt,
+				  bool *has_opt_flags)
 {
 	acpi_handle dhandle;
 	bool supports_mux;
@@ -238,6 +240,7 @@ static void nouveau_dsm_pci_probe(struct
 	*dhandle_out = dhandle;
 	*has_mux = supports_mux;
 	*has_opt = !!optimus_funcs;
+	*has_opt_flags = optimus_funcs & (1 << NOUVEAU_DSM_OPTIMUS_FLAGS);
 
 	if (optimus_funcs) {
 		uint32_t result;
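
Review bot: `*has_opt_flags = optimus_funcs & (1 << NOUVEAU_DSM_OPTIMUS_FLAGS);` relies on the implicit conversion to bool, while the line directly above it uses `!!optimus_funcs`. Writing `!!(optimus_funcs & (1 << NOUVEAU_DSM_OPTIMUS_FLAGS))` keeps the two consistent and stays correct if the out-parameter type ever changes.
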
@@ -258,6 +261,7 @@ static bool nouveau_dsm_detect(void)
 	acpi_handle dhandle = NULL;
 	bool has_mux = false;
 	bool has_optimus = false;
+	bool has_optimus_flags = false;
 	int vga_count = 0;
 	bool guid_valid;
 	bool ret = false;
@@ -272,13 +276,15 @@ static bool nouveau_dsm_detect(void)
 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
 		vga_count++;
 
-		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
+		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus,
+				      &has_optimus_flags);
 	}
 
 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_3D << 8, pdev)) != NULL) {
 		vga_count++;
 
-		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
+		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus,
+				      &has_optimus_flags);
 	}
 
 	/* find the optimus DSM or the old v1 DSM */
@@ -289,6 +295,7 @@ static bool nouveau_dsm_detect(void)
 		printk(KERN_INFO "VGA switcheroo: detected Optimus DSM method %s handle\n",
 			acpi_method_name);
 		nouveau_dsm_priv.optimus_detected = true;
+		nouveau_dsm_priv.optimus_flags_detected = has_optimus_flags;
 		ret = true;
 	} else if (vga_count == 2 && has_mux && guid_valid) {
 		nouveau_dsm_priv.dhandle = dhandle;
@@ -332,8 +339,9 @@ void nouveau_switcheroo_optimus_dsm(void
 	if (!nouveau_dsm_priv.optimus_detected)
 		return;
 
-	nouveau_optimus_dsm(nouveau_dsm_priv.dhandle, NOUVEAU_DSM_OPTIMUS_FLAGS,
-			    0x3, &result);
+	if (nouveau_dsm_priv.optimus_flags_detected)
+		nouveau_optimus_dsm(nouveau_dsm_priv.dhandle, NOUVEAU_DSM_OPTIMUS_FLAGS,
+				    0x3, &result);
 
 	nouveau_optimus_dsm(nouveau_dsm_priv.dhandle, NOUVEAU_DSM_OPTIMUS_CAPS,
 		NOUVEAU_DSM_OPTIMUS_SET_POWERDOWN, &result);
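
Review bot: the new `if (nouveau_dsm_priv.optimus_flags_detected)` guard in nouveau_switcheroo_optimus_dsm() has no comment saying why the call is conditional. A line noting that some firmware loops forever when NOUVEAU_DSM_OPTIMUS_FLAGS is invoked without being advertised would keep the check from being dropped in a later cleanup.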

* [PATCH 3.16 320/346] ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Shmulik Ladkani, Lance Richardson, Jiri Benc, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lance Richardson <lrichard@redhat.com>

commit db32e4e49ce2b0e5fcc17803d011a401c0a637f6 upstream.

Similar to commit 3be07244b733 ("ip6_gre: fix flowi6_proto value in
xmit path"), set flowi6_proto to IPPROTO_GRE for output route lookup.

Up until now, ip6gre_xmit_other() has set flowi6_proto to a bogus value.
This affected output route lookup for packets sent on an ip6gretap device
in cases where routing was dependent on the value of flowi6_proto.

Since the correct proto is already set in the tunnel flowi6 template via
commit 252f3f5a1189 ("ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit
path."), simply delete the line setting the incorrect flowi6_proto value.

Suggested-by: Jiri Benc <jbenc@redhat.com>
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6_gre.c | 1 -
 1 file changed, 1 deletion(-)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -881,7 +881,6 @@ static int ip6gre_xmit_other(struct sk_b
 		encap_limit = t->parms.encap_limit;
 
 	memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
-	fl6.flowi6_proto = skb->protocol;
 
 	err = ip6gre_xmit2(skb, dev, 0, &fl6, encap_limit, &mtu);
 

* [PATCH 3.16 137/346] ALSA: hda - On-board speaker fixup on ACER Veriton
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shrirang Bagul, Takashi Iwai

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shrirang Bagul <shrirang.bagul@canonical.com>

commit 9b51fe3efe4c270005e34f55a97e5a84ad68e581 upstream.

On Acer Veriton machines, codec with subsystem-id 0x1b0a01b8 the port at
0x15 is configured by default as an Internal Speaker (0x90170120).
However, no physical speaker is installed on-board. This patch adds a quirk
which disables the physical connection on this pin.

BugLink: https://bugs.launchpad.net/bugs/1607647

Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5837,6 +5837,7 @@ enum {
 	ALC668_FIXUP_DELL_XPS13,
 	ALC662_FIXUP_ASUS_Nx50,
 	ALC668_FIXUP_ASUS_Nx51,
+	ALC662_FIXUP_ACER_VERITON,
 };
 
 static const struct hda_fixup alc662_fixups[] = {
@@ -6078,6 +6079,13 @@ static const struct hda_fixup alc662_fix
 		.chained = true,
 		.chain_id = ALC662_FIXUP_BASS_CHMAP,
 	},
+	[ALC662_FIXUP_ACER_VERITON] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x15, 0x50170120 }, /* no internal speaker */
+			{ }
+		}
+	},
 };
 
 static const struct snd_pci_quirk alc662_fixup_tbl[] = {
@@ -6113,6 +6121,7 @@ static const struct snd_pci_quirk alc662
 	SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
 	SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
 	SND_PCI_QUIRK(0x19da, 0xa130, "Zotac Z68", ALC662_FIXUP_ZOTAC_Z68),
+	SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON),
 	SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T),
 
 #if 0

* [PATCH 3.16 225/346] printk: fix parsing of "brl=" option
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joe Perches, Linus Torvalds, Nicolas Iooss

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>

commit ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3 upstream.

Commit bbeddf52adc1 ("printk: move braille console support into separate
braille.[ch] files") moved the parsing of braille-related options into
_braille_console_setup(), changing the type of variable str from char*
to char**.  In this commit, memcmp(str, "brl,", 4) was correctly updated
to memcmp(*str, "brl,", 4) but not memcmp(str, "brl=", 4).

Update the code to make "brl=" option work again and replace memcmp()
with strncmp() to make the compiler able to detect such an issue.

Fixes: bbeddf52adc1 ("printk: move braille console support into separate braille.[ch] files")
Link: http://lkml.kernel.org/r/20160823165700.28952-1-nicolas.iooss_linux@m4x.org
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/printk/braille.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/printk/braille.c
+++ b/kernel/printk/braille.c
@@ -9,10 +9,10 @@
 
 char *_braille_console_setup(char **str, char **brl_options)
 {
-	if (!memcmp(*str, "brl,", 4)) {
+	if (!strncmp(*str, "brl,", 4)) {
 		*brl_options = "";
 		*str += 4;
-	} else if (!memcmp(str, "brl=", 4)) {
+	} else if (!strncmp(*str, "brl=", 4)) {
 		*brl_options = *str + 4;
 		*str = strchr(*brl_options, ',');
 		if (!*str)

* [PATCH 3.16 239/346] tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Neal Cardwell, Eric Dumazet,
	Yuchung Cheng, Soheil Hassas Yeganeh

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Neal Cardwell <ncardwell@google.com>

commit 28b346cbc0715ae45b2814d857f1d8a7e6817ed8 upstream.

Yuchung noticed that on the first TFO server data packet sent after
the (TFO) handshake, the server echoed the TCP timestamp value in the
SYN/data instead of the timestamp value in the final ACK of the
handshake. This problem did not happen on regular opens.

The tcp_replace_ts_recent() logic that decides whether to remember an
incoming TS value needs tp->rcv_wup to hold the latest receive
sequence number that we have ACKed (latest tp->rcv_nxt we have
ACKed). This commit fixes this issue by ensuring that a TFO server
properly updates tp->rcv_wup to match tp->rcv_nxt at the time it sends
a SYN/ACK for the SYN/data.

Reported-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_fastopen.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -213,6 +213,7 @@ static bool tcp_fastopen_create_child(st
 		}
 	}
 	tcp_rsk(req)->rcv_nxt = tp->rcv_nxt = end_seq;
+	tp->rcv_wup = tp->rcv_nxt;
 	sk->sk_data_ready(sk);
 	bh_unlock_sock(child);
 	sock_put(child);
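
Review bot: `tp->rcv_wup = tp->rcv_nxt;` is added without a comment, and the reason for it (tcp_replace_ts_recent() needs rcv_wup to hold the latest rcv_nxt that has been ACKed) lives only in the commit message. A one-line comment above the assignment would make the dependency visible to anyone reordering tcp_fastopen_create_child() later.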

* [PATCH 3.16 204/346] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Vignesh R

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh R <vigneshr@ti.com>

commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream.

It is possible that two or more ADC channels can be simultaneously
requested for raw samples, in which case there can be a race in access to
FIFO data resulting in loss of samples.
If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
ADC is still acquired to sample one of the channels, the second process
might be put into uninterruptible sleep state. Fix these issues, by
protecting FIFO access and channel configurations with a mutex. Since
tiadc_read_raw() might take anywhere between few microseconds to few
milliseconds to finish execution (depending on averaging and delay
values supplied via DT), it's better to use a mutex instead of a spinlock.

Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/ti_am335x_adc.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/iio/adc/ti_am335x_adc.c
+++ b/drivers/iio/adc/ti_am335x_adc.c
@@ -32,6 +32,7 @@
 
 struct tiadc_device {
 	struct ti_tscadc_dev *mfd_tscadc;
+	struct mutex fifo1_lock; /* to protect fifo access */
 	int channels;
 	u8 channel_line[8];
 	u8 channel_step[8];
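
Review bot: `struct mutex fifo1_lock` is added to struct tiadc_device, but none of the hunks adds `#include <linux/mutex.h>`. If this file only gets the definition indirectly through another header, include it explicitly so the driver does not break when that header changes.
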
@@ -341,6 +342,7 @@ static int tiadc_read_raw(struct iio_dev
 		int *val, int *val2, long mask)
 {
 	struct tiadc_device *adc_dev = iio_priv(indio_dev);
+	int ret = IIO_VAL_INT;
 	int i, map_val;
 	unsigned int fifo1count, read, stepid;
 	bool found = false;
@@ -354,6 +356,7 @@ static int tiadc_read_raw(struct iio_dev
 	if (!step_en)
 		return -EINVAL;
 
+	mutex_lock(&adc_dev->fifo1_lock);
 	fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT);
 	while (fifo1count--)
 		tiadc_readl(adc_dev, REG_FIFO1);
@@ -370,7 +373,8 @@ static int tiadc_read_raw(struct iio_dev
 
 		if (time_after(jiffies, timeout)) {
 			am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
-			return -EAGAIN;
+			ret = -EAGAIN;
+			goto err_unlock;
 		}
 	}
 	map_val = adc_dev->channel_step[chan->scan_index];
@@ -396,8 +400,11 @@ static int tiadc_read_raw(struct iio_dev
 	am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
 
 	if (found == false)
-		return -EBUSY;
-	return IIO_VAL_INT;
+		ret =  -EBUSY;
+
+err_unlock:
+	mutex_unlock(&adc_dev->fifo1_lock);
+	return ret;
 }
 
 static const struct iio_info tiadc_info = {
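
Review bot: the `err_unlock:` label in tiadc_read_raw() is also reached on the success path, where `ret` is still IIO_VAL_INT, so the name is misleading; `out_unlock` would describe it better. `ret =  -EBUSY;` also has a doubled space after the `=`.
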
@@ -444,6 +451,7 @@ static int tiadc_probe(struct platform_d
 
 	tiadc_step_config(indio_dev);
 	tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD);
+	mutex_init(&adc_dev->fifo1_lock);
 
 	err = tiadc_channel_init(indio_dev, adc_dev->channels);
 	if (err < 0)

* [PATCH 3.16 305/346] openrisc: fix the fix of copy_from_user()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guenter Roeck, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 8e4b72054f554967827e18be1de0e8122e6efc04 upstream.

Since commit acb2505d0119 ("openrisc: fix copy_from_user()"),
copy_from_user() returns the number of bytes requested, not the
number of bytes not copied.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: acb2505d0119 ("openrisc: fix copy_from_user()")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/openrisc/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -276,7 +276,7 @@ copy_from_user(void *to, const void *fro
 	unsigned long res = n;
 
 	if (likely(access_ok(VERIFY_READ, from, n)))
-		n = __copy_tofrom_user(to, from, n);
+		res = __copy_tofrom_user(to, from, n);
 	if (unlikely(res))
 		memset(to + (n - res), 0, res);
 	return res;
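
Review bot: with `res` initialised to `n` and assigned only when access_ok() succeeds, the failed-check path zeroes all `n` bytes at `to` and returns `n`, which is the intended contract, but nothing in copy_from_user() says so. A short comment stating that the return value is the number of bytes not copied, and that the uncopied tail of the destination is cleared, would make a repeat of the `n =` slip easier to spot in review.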

* [PATCH 3.16 203/346] staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ian Abbott, Spencer Olson, Greg Kroah-Hartman, H Hartley Sweeten

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a upstream.

Commit ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the
cmd->start_arg validation and use") introduced a backwards compatibility
issue in the use of asynchronous commands on the AO subdevice when
`start_src` is `TRIG_EXT`.  Valid values for `start_src` are `TRIG_INT`
(for internal, software trigger), and `TRIG_EXT` (for external trigger).
When set to `TRIG_EXT`.  In both cases, the driver relies on an
internal, software trigger to set things up (allowing the user
application to write sufficient samples to the data buffer before the
trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
The software trigger is handled by `ni_ao_inttrig()`.

Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
was required to be 0, and `ni_ao_inttrig()` checked that the software
trigger number was also 0.  After the above change, when `start_src` was
`TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
checked that the software trigger number matched this `start_arg` value.
The backwards compatibility issue is that the internal trigger number
now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
previously had to be 0.

Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
allowing software trigger number 0 when `start_src` is something other
than `TRIG_INT`.

Thanks to Spencer Olson for reporting the issue.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reported-by: Spencer Olson <olsonse@umich.edu>
Fixes: ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use")
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/ni_mio_common.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -2959,7 +2959,15 @@ static int ni_ao_inttrig(struct comedi_d
 	int i;
 	static const int timeout = 1000;
 
-	if (trig_num != cmd->start_arg)
+	/*
+	 * Require trig_num == cmd->start_arg when cmd->start_src == TRIG_INT.
+	 * For backwards compatibility, also allow trig_num == 0 when
+	 * cmd->start_src != TRIG_INT (i.e. when cmd->start_src == TRIG_EXT);
+	 * in that case, the internal trigger is being used as a pre-trigger
+	 * before the external trigger.
+	 */
+	if (!(trig_num == cmd->start_arg ||
+	      (trig_num == 0 && cmd->start_src != TRIG_INT)))
 		return -EINVAL;
 
 	/* Null trig at beginning prevent ao start trigger from executing more than

* [PATCH 3.16 168/346] usb: dwc3: gadget: increment request->actual once
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Brian E Rogers

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit c7de573471832dff7d31f0c13b0f143d6f017799 upstream.

When using SG lists, we would end up setting
request->actual to:

	num_mapped_sgs * (request->length - count)

Let's fix that up by incrementing request->actual
only once.

Reported-by: Brian E Rogers <brian.e.rogers@intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/gadget.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1943,14 +1943,6 @@ static int __dwc3_cleanup_done_trbs(stru
 			s_pkt = 1;
 	}
 
-	/*
-	 * We assume here we will always receive the entire data block
-	 * which we should receive. Meaning, if we program RX to
-	 * receive 4K but we receive only 2K, we assume that's all we
-	 * should receive and we simply bounce the request back to the
-	 * gadget driver for further processing.
-	 */
-	req->request.actual += req->request.length - count;
 	if (s_pkt)
 		return 1;
 	if ((event->status & DEPEVT_STATUS_LST) &&
@@ -1970,6 +1962,7 @@ static int dwc3_cleanup_done_reqs(struct
 	struct dwc3_trb		*trb;
 	unsigned int		slot;
 	unsigned int		i;
+	int			count = 0;
 	int			ret;
 
 	do {
@@ -1986,6 +1979,8 @@ static int dwc3_cleanup_done_reqs(struct
 				slot++;
 			slot %= DWC3_TRB_NUM;
 			trb = &dep->trb_pool[slot];
+			count += trb->size & DWC3_TRB_SIZE_MASK;
+
 
 			ret = __dwc3_cleanup_done_trbs(dwc, dep, req, trb,
 					event, status);
@@ -1993,6 +1988,14 @@ static int dwc3_cleanup_done_reqs(struct
 				break;
 		}while (++i < req->request.num_mapped_sgs);
 
+		/*
+		 * We assume here we will always receive the entire data block
+		 * which we should receive. Meaning, if we program RX to
+		 * receive 4K but we receive only 2K, we assume that's all we
+		 * should receive and we simply bounce the request back to the
+		 * gadget driver for further processing.
+		 */
+		req->request.actual += req->request.length - count;
 		dwc3_gadget_giveback(dep, req, status);
 
 		if (ret)
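
Review bot: `count` is declared once at function scope (`int count = 0;` before the outer `do {`) and is only ever added to inside the per-TRB loop, so `req->request.actual += req->request.length - count;` is correct for a second request handled in the same call only if `count` is reset for each request, and these hunks show no such reset. Set `count = 0` at the top of each outer iteration, or declare it inside that loop, so one request's residue cannot be subtracted from the next.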

* [PATCH 3.16 332/346] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marco Grassi, Dan Carpenter, Tomas Henzl, Martin K. Petersen

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream.

We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.

Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16:
 - Adjust context
 - Use literal 1032 instead of ARCMSR_API_DATA_BUFLEN]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -1802,7 +1802,8 @@ static int arcmsr_iop_message_xfer(struc
 
 	case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
 		unsigned char *ver_addr;
-		int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
+		uint32_t user_len;
+		int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
 		uint8_t *pQbuffer, *ptmpuserbuffer;
 
 		ver_addr = kmalloc(1032, GFP_ATOMIC);
@@ -1819,6 +1820,11 @@ static int arcmsr_iop_message_xfer(struc
 		}
 		ptmpuserbuffer = ver_addr;
 		user_len = pcmdmessagefld->cmdmessage.Length;
+		if (user_len > 1032) {
+			retvalue = ARCMSR_MESSAGE_FAIL;
+			kfree(ver_addr);
+			goto message_out;
+		}
 		memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);
 		wqbuf_lastindex = acb->wqbuf_lastindex;
 		wqbuf_firstindex = acb->wqbuf_firstindex;
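
Review bot: the bound in `if (user_len > 1032)` duplicates the literal in `kmalloc(1032, GFP_ATOMIC)` from the previous hunk, so the check and the allocation can drift apart; a single named constant used for both would tie them together in this backport. The one-sided comparison is sufficient only because `user_len` is now `uint32_t`, which is worth saying in a comment next to the declaration.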

* [PATCH 3.16 148/346] block: fix bdi vs gendisk lifetime mismatch
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Williams, Jens Axboe, Yi Zhang

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit df08c32ce3be5be138c1dbfcba203314a3a7cd6f upstream.

The name for a bdi of a gendisk is derived from the gendisk's devt.
However, since the gendisk is destroyed before the bdi it leaves a
window where a new gendisk could dynamically reuse the same devt while a
bdi with the same name is still live.  Arrange for the bdi to hold a
reference against its "owner" disk device while it is registered.
Otherwise we can hit sysfs duplicate name collisions like the following:

 WARNING: CPU: 10 PID: 2078 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x64/0x80
 sysfs: cannot create duplicate filename '/devices/virtual/bdi/259:1'

 Hardware name: HP ProLiant DL580 Gen8, BIOS P79 05/06/2015
  0000000000000286 0000000002c04ad5 ffff88006f24f970 ffffffff8134caec
  ffff88006f24f9c0 0000000000000000 ffff88006f24f9b0 ffffffff8108c351
  0000001f0000000c ffff88105d236000 ffff88105d1031e0 ffff8800357427f8
 Call Trace:
  [<ffffffff8134caec>] dump_stack+0x63/0x87
  [<ffffffff8108c351>] __warn+0xd1/0xf0
  [<ffffffff8108c3cf>] warn_slowpath_fmt+0x5f/0x80
  [<ffffffff812a0d34>] sysfs_warn_dup+0x64/0x80
  [<ffffffff812a0e1e>] sysfs_create_dir_ns+0x7e/0x90
  [<ffffffff8134faaa>] kobject_add_internal+0xaa/0x320
  [<ffffffff81358d4e>] ? vsnprintf+0x34e/0x4d0
  [<ffffffff8134ff55>] kobject_add+0x75/0xd0
  [<ffffffff816e66b2>] ? mutex_lock+0x12/0x2f
  [<ffffffff8148b0a5>] device_add+0x125/0x610
  [<ffffffff8148b788>] device_create_groups_vargs+0xd8/0x100
  [<ffffffff8148b7cc>] device_create_vargs+0x1c/0x20
  [<ffffffff811b775c>] bdi_register+0x8c/0x180
  [<ffffffff811b7877>] bdi_register_dev+0x27/0x30
  [<ffffffff813317f5>] add_disk+0x175/0x4a0

Reported-by: Yi Zhang <yizhan@redhat.com>
Tested-by: Yi Zhang <yizhan@redhat.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Fixed up missing 0 return in bdi_register_owner().

Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -611,7 +611,7 @@ void add_disk(struct gendisk *disk)
 
 	/* Register BDI before referencing it from bdev */
 	bdi = &disk->queue->backing_dev_info;
-	bdi_register_dev(bdi, disk_devt(disk));
+	bdi_register_owner(bdi, disk_to_dev(disk));
 
 	blk_register_region(disk_devt(disk), disk->minors, NULL,
 			    exact_match, exact_lock, disk);
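Review bot: the return value of bdi_register_owner() is discarded in
add_disk(), just as it was for bdi_register_dev(). The new helper returns
rc from bdi_register() and only takes the owner reference on success, so a
failed registration passes silently here and the code goes on to
blk_register_region(). A WARN_ON, or a comment saying why the error can be
ignored, would help.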
--- a/include/linux/backing-dev.h
+++ b/include/linux/backing-dev.h
@@ -100,6 +100,7 @@ struct backing_dev_info {
 	struct list_head work_list;
 
 	struct device *dev;
+	struct device *owner;
 
 	struct timer_list laptop_mode_wb_timer;
 
@@ -116,6 +117,7 @@ __printf(3, 4)
 int bdi_register(struct backing_dev_info *bdi, struct device *parent,
 		const char *fmt, ...);
 int bdi_register_dev(struct backing_dev_info *bdi, dev_t dev);
+int bdi_register_owner(struct backing_dev_info *bdi, struct device *owner);
 void bdi_unregister(struct backing_dev_info *bdi);
 int __must_check bdi_setup_and_register(struct backing_dev_info *, char *, unsigned int);
 void bdi_start_writeback(struct backing_dev_info *bdi, long nr_pages,
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -350,6 +350,20 @@ int bdi_register_dev(struct backing_dev_
 }
 EXPORT_SYMBOL(bdi_register_dev);
 
+int bdi_register_owner(struct backing_dev_info *bdi, struct device *owner)
+{
+	int rc;
+
+	rc = bdi_register(bdi, NULL, "%u:%u", MAJOR(owner->devt),
+			MINOR(owner->devt));
+	if (rc)
+		return rc;
+	bdi->owner = owner;
+	get_device(owner);
+	return 0;
+}
+EXPORT_SYMBOL(bdi_register_owner);
+
 /*
  * Remove bdi from the global list and shutdown any threads we have running
  */
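Review bot: in bdi_register_owner() the reference is taken with
get_device(owner) only after bdi_register() has returned, and owner->devt
is read before that. Taking the reference first and dropping it on the
error path would make the lifetime rule obvious without relying on the
caller. The exported function also has no comment saying that
bdi_unregister() is what drops the reference, which is the contract a new
caller needs to know.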
@@ -418,6 +432,11 @@ void bdi_unregister(struct backing_dev_i
 
 		device_unregister(dev);
 	}
+
+	if (bdi->owner) {
+		put_device(bdi->owner);
+		bdi->owner = NULL;
+	}
 }
 EXPORT_SYMBOL(bdi_unregister);
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 150/346] SUNRPC: allow for upcalls for same uid but different gss service
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 233/346] NFSv4.x: Fix a refcount leak in nfs_callback_up_net Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 268/346] crypto: skcipher - Fix blkcipher walk OOM crash Ben Hutchings
                   ` (182 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Olga Kornievskaia, Trond Myklebust

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Olga Kornievskaia <kolga@netapp.com>

commit 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 upstream.

It's possible to have simultaneous upcalls for the same UIDs but
different GSS service. In that case, we need to allow for the
upcall to gssd to proceed so that not the same context is used
by two different GSS services. Some servers lock the use of context
to the GSS service.

Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/auth_gss/auth_gss.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -326,12 +326,14 @@ gss_release_msg(struct gss_upcall_msg *g
 }
 
 static struct gss_upcall_msg *
-__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid)
+__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth)
 {
 	struct gss_upcall_msg *pos;
 	list_for_each_entry(pos, &pipe->in_downcall, list) {
 		if (!uid_eq(pos->uid, uid))
 			continue;
+		if (auth && pos->auth->service != auth->service)
+			continue;
 		atomic_inc(&pos->count);
 		dprintk("RPC:       %s found msg %p\n", __func__, pos);
 		return pos;
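Review bot: the new auth parameter of __gss_find_upcall() has an
undocumented special case: NULL means any service matches. A one-line
comment above the function stating that would save readers from inferring
it from the "auth &&" test, and it matters because one of the two callers
in this patch passes NULL.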
@@ -351,7 +353,7 @@ gss_add_msg(struct gss_upcall_msg *gss_m
 	struct gss_upcall_msg *old;
 
 	spin_lock(&pipe->lock);
-	old = __gss_find_upcall(pipe, gss_msg->uid);
+	old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
 	if (old == NULL) {
 		atomic_inc(&gss_msg->count);
 		list_add(&gss_msg->list, &pipe->in_downcall);
@@ -700,7 +702,7 @@ gss_pipe_downcall(struct file *filp, con
 	err = -ENOENT;
 	/* Find a matching upcall */
 	spin_lock(&pipe->lock);
-	gss_msg = __gss_find_upcall(pipe, uid);
+	gss_msg = __gss_find_upcall(pipe, uid, NULL);
 	if (gss_msg == NULL) {
 		spin_unlock(&pipe->lock);
 		goto err_put_ctx;
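Review bot: gss_pipe_downcall() passes NULL for auth, so this lookup still
returns the first in_downcall entry with a matching uid whatever its
service. With this patch gss_add_msg() can queue two messages for the same
uid with different services, so the downcall may be matched to the message
for the other service. If the downcall data cannot identify the service, a
comment explaining why first-match is acceptable here is needed; otherwise
the service should be part of this lookup too.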

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 166/346] cpuset: make sure new tasks conform to the current config of the cpuset
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 280/346] mn10300: failing __get_user() and get_user() should zero Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 067/346] s390/mm: fix gmap tlb flush issues Ben Hutchings
                   ` (305 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Zefan Li, Tejun Heo

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zefan Li <lizefan@huawei.com>

commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream.

A new task inherits cpus_allowed and mems_allowed masks from its parent,
but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems
before this new task is inserted into the cgroup's task list, the new task
won't be updated accordingly.

Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/cpuset.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -1963,6 +1963,20 @@ static void cpuset_css_free(struct cgrou
 	kfree(cs);
 }
 
+/*
+ * Make sure the new task conform to the current state of its parent,
+ * which could have been changed by cpuset just after it inherits the
+ * state from the parent and before it sits on the cgroup's task list.
+ */
+void cpuset_fork(struct task_struct *task)
+{
+	if (task_css_is_root(task, cpuset_cgrp_id))
+		return;
+
+	set_cpus_allowed_ptr(task, &current->cpus_allowed);
+	task->mems_allowed = current->mems_allowed;
+}
+
 struct cgroup_subsys cpuset_cgrp_subsys = {
 	.css_alloc = cpuset_css_alloc,
 	.css_online = cpuset_css_online,
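Review bot: cpuset_fork() is defined without static although the only use
visible in this patch is the .fork initializer in the same file. Unless a
prototype exists elsewhere, make it static to match the neighbouring
callback cpuset_css_free(). The return value of set_cpus_allowed_ptr() is
also ignored; if failure is harmless here, the comment block should say so.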
@@ -1971,6 +1985,7 @@ struct cgroup_subsys cpuset_cgrp_subsys
 	.can_attach = cpuset_can_attach,
 	.cancel_attach = cpuset_cancel_attach,
 	.attach = cpuset_attach,
+	.fork		= cpuset_fork,
 	.base_cftypes = files,
 	.early_init = 1,
 };

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 219/346] usb: gadget: udc: core: don't starve DMA resources
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 212/346] ASoC: omap-mcpdm: Fix irq resource handling Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 041/346] batman-adv: Free last_bonding_candidate on release of orig_node Ben Hutchings
                   ` (79 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit 23fd537c9508fb6e3b93ddf23982f51afc087781 upstream.

Always unmap all SG entries as required by DMA API

Fixes: a698908d3b3b ("usb: gadget: add generic map/unmap request utilities")
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/udc-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/udc-core.c
+++ b/drivers/usb/gadget/udc-core.c
@@ -91,7 +91,7 @@ void usb_gadget_unmap_request(struct usb
 		return;
 
 	if (req->num_mapped_sgs) {
-		dma_unmap_sg(&gadget->dev, req->sg, req->num_mapped_sgs,
+		dma_unmap_sg(&gadget->dev, req->sg, req->num_sgs,
 				is_in ? DMA_TO_DEVICE : DMA_FROM_DEVICE);
 
 		req->num_mapped_sgs = 0;
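Review bot: after this change the count passed to dma_unmap_sg() is
req->num_sgs while the guard is still "if (req->num_mapped_sgs)", and
nothing in the code says why the two differ. A short comment that the DMA
API expects the unmap call to use the number of entries originally passed
to the map call, not the count it returned, would stop someone from
changing this back.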

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 161/346] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 135/346] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 047/346] drm/radeon: Poll for both connect/disconnect on analog connectors Ben Hutchings
                   ` (261 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Liping Zhang

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liping Zhang <liping.zhang@spreadtrum.com>

commit b173a28f62cf929324a8a6adcc45adadce311d16 upstream.

The 'name' field in struct nf_conntrack_expect_policy{} is not a
pointer, so check it is NULL or not will always return true. Even if the
name is empty, slash will always be displayed like follows:
  # cat /proc/net/nf_conntrack_expect
  297 l3proto = 2 proto=6 src=1.1.1.1 dst=2.2.2.2 sport=1 dport=1025 ftp/
                                                                        ^

Fixes: 3a8fc53a45c4 ("netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nf_conntrack_expect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -556,7 +556,7 @@ static int exp_seq_show(struct seq_file
 	helper = rcu_dereference(nfct_help(expect->master)->helper);
 	if (helper) {
 		seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
-		if (helper->expect_policy[expect->class].name)
+		if (helper->expect_policy[expect->class].name[0])
 			seq_printf(s, "/%s",
 				   helper->expect_policy[expect->class].name);
 	}

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 333/346] firewire: net: guard against rx buffer overflows
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 061/346] NFS: Don't drop CB requests with invalid principals Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 022/346] serial: samsung: Fix ERR pointer dereference on deferred probe Ben Hutchings
                   ` (136 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eyal Itkin, Stefan Richter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Richter <stefanr@s5r6.in-berlin.de>

commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/firewire/net.c | 51 ++++++++++++++++++++++++++++++++++----------------
 1 file changed, 35 insertions(+), 16 deletions(-)

--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -591,6 +591,9 @@ static int fwnet_incoming_packet(struct
 	int retval;
 	u16 ether_type;
 
+	if (len <= RFC2374_UNFRAG_HDR_SIZE)
+		return 0;
+
 	hdr.w0 = be32_to_cpu(buf[0]);
 	lf = fwnet_get_hdr_lf(&hdr);
 	if (lf == RFC2374_HDR_UNFRAG) {
@@ -615,7 +618,12 @@ static int fwnet_incoming_packet(struct
 		return fwnet_finish_incoming_packet(net, skb, source_node_id,
 						    is_broadcast, ether_type);
 	}
+
 	/* A datagram fragment has been received, now the fun begins. */
+
+	if (len <= RFC2374_FRAG_HDR_SIZE)
+		return 0;
+
 	hdr.w1 = ntohl(buf[1]);
 	buf += 2;
 	len -= RFC2374_FRAG_HDR_SIZE;
@@ -629,6 +637,9 @@ static int fwnet_incoming_packet(struct
 	datagram_label = fwnet_get_hdr_dgl(&hdr);
 	dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */
 
+	if (fg_off + len > dg_size)
+		return 0;
+
 	spin_lock_irqsave(&dev->lock, flags);
 
 	peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);
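Review bot: the new check "if (fg_off + len > dg_size)" relies on dg_size
being the exact datagram length, but the line just above it still carries
the open question "/* ??? + 1 */" on fwnet_get_hdr_dg_size(). If the
header field encodes size minus one, this comparison rejects a valid final
fragment; that errs on the safe side for the memcpy but would break
reassembly. Please settle the off-by-one and remove the question-mark
comment in the same change. The silent "return 0" also leaves no trace of
dropped fragments, so a rate-limited debug message or a counter would help
when diagnosing malformed traffic.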
@@ -735,6 +746,22 @@ static void fwnet_receive_packet(struct
 	fw_send_response(card, r, rcode);
 }
 
+static int gasp_source_id(__be32 *p)
+{
+	return be32_to_cpu(p[0]) >> 16;
+}
+
+static u32 gasp_specifier_id(__be32 *p)
+{
+	return (be32_to_cpu(p[0]) & 0xffff) << 8 |
+	       (be32_to_cpu(p[1]) & 0xff000000) >> 24;
+}
+
+static u32 gasp_version(__be32 *p)
+{
+	return be32_to_cpu(p[1]) & 0xffffff;
+}
+
 static void fwnet_receive_broadcast(struct fw_iso_context *context,
 		u32 cycle, size_t header_length, void *header, void *data)
 {
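Review bot: gasp_source_id() returns int while the variable it replaces
later in this patch was "u16 source_node_id", and the other two helpers
return u32; a u16 return type would keep the width explicit. All three
helpers only read through p, so the parameter can be "const __be32 *p".
They also index p[0] and p[1] unconditionally, so a comment that callers
must verify the GASP header length first would document the precondition.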
@@ -744,9 +771,6 @@ static void fwnet_receive_broadcast(stru
 	__be32 *buf_ptr;
 	int retval;
 	u32 length;
-	u16 source_node_id;
-	u32 specifier_id;
-	u32 ver;
 	unsigned long offset;
 	unsigned long flags;
 
@@ -763,22 +787,17 @@ static void fwnet_receive_broadcast(stru
 
 	spin_unlock_irqrestore(&dev->lock, flags);
 
-	specifier_id =    (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8
-			| (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;
-	ver = be32_to_cpu(buf_ptr[1]) & 0xffffff;
-	source_node_id = be32_to_cpu(buf_ptr[0]) >> 16;
-
-	if (specifier_id == IANA_SPECIFIER_ID &&
-	    (ver == RFC2734_SW_VERSION
+	if (length > IEEE1394_GASP_HDR_SIZE &&
+	    gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&
+	    (gasp_version(buf_ptr) == RFC2734_SW_VERSION
 #if IS_ENABLED(CONFIG_IPV6)
-	     || ver == RFC3146_SW_VERSION
+	     || gasp_version(buf_ptr) == RFC3146_SW_VERSION
 #endif
-	    )) {
-		buf_ptr += 2;
-		length -= IEEE1394_GASP_HDR_SIZE;
-		fwnet_incoming_packet(dev, buf_ptr, length, source_node_id,
+	    ))
+		fwnet_incoming_packet(dev, buf_ptr + 2,
+				      length - IEEE1394_GASP_HDR_SIZE,
+				      gasp_source_id(buf_ptr),
 				      context->card->generation, true);
-	}
 
 	packet.payload_length = dev->rcv_buffer_size;
 	packet.interrupt = 1;

^ permalink raw reply	[flat|nested] 352+ messages in thread
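
The three checks listed in the commit message above, as an added stand-alone C example (not code from firewire-net). The two-field fragment header, the buffer size and all function names are constructed for illustration and are not the RFC 2734 layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_HDR_SIZE 4u   /* constructed header: 2-byte size, 2-byte offset */
#define DGRAM_MAX     32u  /* capacity of the reassembly buffer */
#define PAYLOAD_MAX   64u  /* largest payload the demo helper builds */

enum { FRAG_OK = 0, FRAG_DROP = -1, FRAG_OVERRUN = -2 };

struct reasm {
	uint8_t data[DGRAM_MAX];
	uint8_t canary[8];     /* sits right behind the buffer to expose overruns */
};

static uint16_t rd_be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Validate one received fragment, then copy its payload into place. */
static int frag_store(struct reasm *r, const uint8_t *pkt, size_t len)
{
	uint16_t dg_size, fg_off;

	/* 1. The header must exist, with at least one payload byte behind it. */
	if (len <= FRAG_HDR_SIZE)
		return FRAG_DROP;

	dg_size = rd_be16(pkt);
	fg_off = rd_be16(pkt + 2);
	pkt += FRAG_HDR_SIZE;
	len -= FRAG_HDR_SIZE;

	/* 2. The announced datagram must fit the buffer we own. */
	if (dg_size == 0 || dg_size > DGRAM_MAX)
		return FRAG_DROP;

	/* 3. offset + length must stay inside the datagram. Written as a
	 *    subtraction so the comparison cannot wrap around. */
	if (fg_off >= dg_size || len > (size_t)(dg_size - fg_off))
		return FRAG_DROP;

	memcpy(r->data + fg_off, pkt, len);
	return FRAG_OK;
}

/* Build a constructed fragment, store it, and verify the canary afterwards. */
static int try_fragment(uint16_t dg_size, uint16_t fg_off, size_t payload_len)
{
	struct reasm r;
	uint8_t pkt[FRAG_HDR_SIZE + PAYLOAD_MAX] = {0};
	size_t i;
	int rc;

	if (payload_len > PAYLOAD_MAX)
		return FRAG_DROP;
	memset(r.data, 0, sizeof(r.data));
	memset(r.canary, 0xAA, sizeof(r.canary));
	pkt[0] = (uint8_t)(dg_size >> 8);
	pkt[1] = (uint8_t)(dg_size & 0xff);
	pkt[2] = (uint8_t)(fg_off >> 8);
	pkt[3] = (uint8_t)(fg_off & 0xff);
	memset(pkt + FRAG_HDR_SIZE, 0x41, payload_len);

	rc = frag_store(&r, pkt, FRAG_HDR_SIZE + payload_len);
	for (i = 0; i < sizeof(r.canary); i++)
		if (r.canary[i] != 0xAA)
			return FRAG_OVERRUN;
	return rc;
}

int main(void)
{
	printf("in range      : %d\n", try_fragment(32, 16, 16));
	printf("runs past end : %d\n", try_fragment(32, 24, 16));
	printf("huge offset   : %d\n", try_fragment(32, 0xfff0, 16));
	printf("empty payload : %d\n", try_fragment(32, 0, 0));
	return 0;
}
```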

* [PATCH 3.16 317/346] i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (288 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 116/346] ceph: Correctly return NXIO errors from ceph_llseek Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 055/346] x86/quirks: Apply nvidia_bugs quirk only on root bus Ben Hutchings
                   ` (56 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wolfram Sang, Sudeep Holla, Sudeep Holla, Andy Gross

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sudeep Holla <Sudeep.Holla@arm.com>

commit 331dcf421c34d227784d07943eb01e4023a42b0a upstream.

If the i2c device is already runtime suspended, if qup_i2c_suspend is
executed during suspend-to-idle or suspend-to-ram it will result in the
following splat:

WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90
Modules linked in:

CPU: 3 PID: 1593 Comm: bash Tainted: G        W       4.8.0-rc3 #14
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
PC is at clk_core_unprepare+0x80/0x90
LR is at clk_unprepare+0x28/0x40
pc : [<ffff0000086eecf0>] lr : [<ffff0000086f0c58>] pstate: 60000145
Call trace:
 clk_core_unprepare+0x80/0x90
 qup_i2c_disable_clocks+0x2c/0x68
 qup_i2c_suspend+0x10/0x20
 platform_pm_suspend+0x24/0x68
 ...

This patch fixes the issue by executing qup_i2c_pm_suspend_runtime
conditionally in qup_i2c_suspend.

Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Reviewed-by: Andy Gross <andy.gross@linaro.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/busses/i2c-qup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-qup.c
+++ b/drivers/i2c/busses/i2c-qup.c
@@ -724,7 +724,8 @@ static int qup_i2c_pm_resume_runtime(str
 #ifdef CONFIG_PM_SLEEP
 static int qup_i2c_suspend(struct device *device)
 {
-	qup_i2c_pm_suspend_runtime(device);
+	if (!pm_runtime_suspended(device))
+		return qup_i2c_pm_suspend_runtime(device);
 	return 0;
 }
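Review bot: besides skipping the call when pm_runtime_suspended(device) is
true, qup_i2c_suspend() now returns the result of
qup_i2c_pm_suspend_runtime() where it used to discard it and return 0. The
commit message does not mention that change; please state that it is
intended, since an error from the helper is now propagated to the caller.
The matching resume handler is outside this hunk and needs to cope with
the case where suspend did nothing.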
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 295/346] avr32: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 221/346] ARM: kirkwood: ib62x0: fix size of u-boot environment partition Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 099/346] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Ben Hutchings
                   ` (210 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.

really ugly, but apparently avr32 compilers turn access_ok() into
something so bad that they want it in assembler.  Left that way,
zeroing added in inline wrapper.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
 arch/avr32/kernel/avr32_ksyms.c  |  2 +-
 arch/avr32/lib/copy_user.S       |  4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)

--- a/arch/avr32/include/asm/uaccess.h
+++ b/arch/avr32/include/asm/uaccess.h
@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void
 
 extern __kernel_size_t copy_to_user(void __user *to, const void *from,
 				    __kernel_size_t n);
-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
+extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
 				      __kernel_size_t n);
 
 static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
 {
 	return __copy_user(to, (const void __force *)from, n);
 }
+static inline __kernel_size_t copy_from_user(void *to,
+					       const void __user *from,
+					       __kernel_size_t n)
+{
+	size_t res = ___copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
+}
 
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
--- a/arch/avr32/kernel/avr32_ksyms.c
+++ b/arch/avr32/kernel/avr32_ksyms.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
 /*
  * Userspace access stuff.
  */
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(___copy_from_user);
 EXPORT_SYMBOL(copy_to_user);
 EXPORT_SYMBOL(__copy_user);
 EXPORT_SYMBOL(strncpy_from_user);
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -25,11 +25,11 @@
 	.align	1
 	.global	copy_from_user
 	.type	copy_from_user, @function
-copy_from_user:
+___copy_from_user:
 	branch_if_kernel r8, __copy_user
 	ret_if_privileged r8, r11, r10, r10
 	rjmp	__copy_user
-	.size	copy_from_user, . - copy_from_user
+	.size	___copy_from_user, . - ___copy_from_user
 
 	.global	copy_to_user
 	.type	copy_to_user, @function
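Review bot: the label and the .size directive are renamed to
___copy_from_user, but the ".global copy_from_user" and ".type
copy_from_user, @function" lines above them are left as unchanged context.
As written, ___copy_from_user is never declared global, while the header
now declares it extern and avr32_ksyms.c exports it, so the C side will
not resolve it at link time. Both directives need the same rename.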

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 297/346] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 183/346] USB: serial: mos7840: fix non-atomic allocation in write path Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 090/346] brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill Ben Hutchings
                   ` (162 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	Matt Fleming, Peter Zijlstra, Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Fleming <matt@codeblueprint.co.uk>

commit 080fe0b790ad438fc1b61621dac37c1964ce7f35 upstream.

While the Intel PMU monitors the LLC when perf enables the
HW_CACHE_REFERENCES and HW_CACHE_MISSES events, these events monitor
L1 instruction cache fetches (0x0080) and instruction cache misses
(0x0081) on the AMD PMU.

This is extremely confusing when monitoring the same workload across
Intel and AMD machines, since parameters like,

  $ perf stat -e cache-references,cache-misses

measure completely different things.

Instead, make the AMD PMU measure instruction/data cache and TLB fill
requests to the L2 and instruction/data cache and TLB misses in the L2
when HW_CACHE_REFERENCES and HW_CACHE_MISSES are enabled,
respectively. That way the events measure unified caches on both
platforms.

Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1472044328-21302-1-git-send-email-matt@codeblueprint.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
 - Drop KVM PMU changes
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/perf_event_amd.c
+++ b/arch/x86/kernel/cpu/perf_event_amd.c
@@ -119,8 +119,8 @@ static const u64 amd_perfmon_event_map[]
 {
   [PERF_COUNT_HW_CPU_CYCLES]			= 0x0076,
   [PERF_COUNT_HW_INSTRUCTIONS]			= 0x00c0,
-  [PERF_COUNT_HW_CACHE_REFERENCES]		= 0x0080,
-  [PERF_COUNT_HW_CACHE_MISSES]			= 0x0081,
+  [PERF_COUNT_HW_CACHE_REFERENCES]		= 0x077d,
+  [PERF_COUNT_HW_CACHE_MISSES]			= 0x077e,
   [PERF_COUNT_HW_BRANCH_INSTRUCTIONS]		= 0x00c2,
   [PERF_COUNT_HW_BRANCH_MISSES]			= 0x00c3,
   [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND]	= 0x00d0, /* "Decoder empty" event */
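Review bot: the two replacement codes 0x077d and 0x077e are bare numbers,
while the table already annotates another entry with a "Decoder empty"
comment. Add comments naming the events (per the commit message, fill
requests to the L2 and misses in the L2, covering instruction/data cache
and TLB) so the mapping can be checked against the processor documentation
without reading the changelog.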

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 159/346] aacraid: Check size values after double-fetch from user
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 060/346] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 122/346] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
                   ` (111 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Dave Carroll, Johannes Thumshirn, Pengfei Wang

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Carroll <david.carroll@microsemi.com>

commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.

In aacraid's ioctl_send_fib() we do two fetches from userspace, one to
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of-bounds access in aac_fib_send(). We
also check the sender size to insure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev
 	struct fib *fibptr;
 	struct hw_fib * hw_fib = (struct hw_fib *)0;
 	dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
-	unsigned size;
+	unsigned int size, osize;
 	int retval;
 
 	if (dev->in_reset) {
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev
 	 *	will not overrun the buffer when we copy the memory. Return
 	 *	an error if we would.
 	 */
-	size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+	osize = size = le16_to_cpu(kfib->header.Size) +
+		sizeof(struct aac_fibhdr);
 	if (size < le16_to_cpu(kfib->header.SenderSize))
 		size = le16_to_cpu(kfib->header.SenderSize);
 	if (size > dev->max_fib_size) {
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev
 		goto cleanup;
 	}
 
+	/* Sanity check the second copy */
+	if ((osize != le16_to_cpu(kfib->header.Size) +
+		sizeof(struct aac_fibhdr))
+		|| (size < le16_to_cpu(kfib->header.SenderSize))) {
+		retval = -EINVAL;
+		goto cleanup;
+	}
+
 	if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
 		aac_adapter_interrupt(dev);
 		/*
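Review bot: the re-validation after the second copy is hard to read as
formatted: the continuation lines of the condition are indented to the
same depth as the body, and "||" starts a line. Computing the re-read size
into a local and comparing it with osize on one line, then testing
SenderSize separately, would make the two conditions obvious. The comment
"Sanity check the second copy" should also say why: user space can change
the header between the two fetches.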

^ permalink raw reply	[flat|nested] 352+ messages in thread
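
The double fetch described in the commit message above, as an added user-space C model (not the aacraid code). User memory, the racing writer, the reduced header and the result codes are constructed stand-ins, and header fields are kept in host byte order instead of going through le16_to_cpu().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIB_SIZE 64u                      /* stand-in for dev->max_fib_size */

enum { FIB_TOO_BIG = -1, FIB_CHANGED = -2 };  /* hypothetical result codes */

struct fib_hdr {                              /* reduced header: size fields only */
	uint16_t size;                        /* payload bytes after the header */
	uint16_t sender_size;                 /* total size claimed by the sender */
};

/* Models user memory; racer plays a second thread editing it mid-call. */
struct user_mem {
	uint8_t bytes[MAX_FIB_SIZE];
	void (*racer)(struct user_mem *);
};

/* Stand-in for copy_from_user(); the racer runs once, after the first fetch. */
static void fetch(void *dst, struct user_mem *u, size_t n)
{
	memcpy(dst, u->bytes, n);
	if (u->racer) {
		void (*r)(struct user_mem *) = u->racer;
		u->racer = NULL;
		r(u);
	}
}

/* recheck = 0 models the code before the fix, recheck = 1 the code after it. */
static int send_fib(struct user_mem *u, uint8_t *kfib, int recheck)
{
	struct fib_hdr h;
	size_t size, osize;

	fetch(&h, u, sizeof(h));              /* fetch 1: header only */
	osize = size = h.size + sizeof(struct fib_hdr);
	if (size < h.sender_size)
		size = h.sender_size;
	if (size > MAX_FIB_SIZE)
		return FIB_TOO_BIG;

	fetch(kfib, u, size);                 /* fetch 2: header and payload */
	memcpy(&h, kfib, sizeof(h));          /* header as it now sits in kfib */

	/* The fix: the second copy must still describe what was validated. */
	if (recheck &&
	    (osize != h.size + sizeof(struct fib_hdr) || size < h.sender_size))
		return FIB_CHANGED;

	/* Later processing trusts kfib's header; return the length it would use. */
	return (int)(h.size + sizeof(struct fib_hdr));
}

/* Racing writer: enlarges the size field after it has been validated. */
static void grow_size(struct user_mem *u)
{
	struct fib_hdr h;

	memcpy(&h, u->bytes, sizeof(h));
	h.size = 0xffff;
	memcpy(u->bytes, &h, sizeof(h));
}

/* Run one constructed request: 8 payload bytes, sender_size 0. */
static int run(int raced, int recheck)
{
	struct user_mem u;
	uint8_t kfib[MAX_FIB_SIZE];
	struct fib_hdr h = { 8, 0 };

	memset(&u, 0, sizeof(u));
	u.racer = raced ? grow_size : NULL;
	memcpy(u.bytes, &h, sizeof(h));
	return send_fib(&u, kfib, recheck);
}

int main(void)
{
	printf("no race, recheck : %d\n", run(0, 1));
	printf("race, no recheck : %d\n", run(1, 0));
	printf("race, recheck    : %d\n", run(1, 1));
	return 0;
}
```

Without the recheck the raced run reports a length far above MAX_FIB_SIZE even though the first fetch passed validation, which is the mismatch the added check rejects.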

* [PATCH 3.16 141/346] dm flakey: error READ bios during the down_interval
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (138 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 146/346] metag: Fix __cmpxchg_u32 asm constraint for CMP Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 098/346] iscsi-target: Fix panic when adding second TCP connection to iSCSI session Ben Hutchings
                   ` (206 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Akira Hayakawa, Mike Snitzer

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit 99f3c90d0d85708e7401a81ce3314e50bf7f2819 upstream.

When the corrupt_bio_byte feature was introduced it caused READ bios to
no longer be errored with -EIO during the down_interval.  This had to do
with the complexity of needing to submit READs if the corrupt_bio_byte
feature was used.

Fix it so READ bios are properly errored with -EIO; doing so early in
flakey_map() as long as there isn't a match for the corrupt_bio_byte
feature.

Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
Reported-by: Akira Hayakawa <ruby.wktk@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-flakey.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -287,10 +287,16 @@ static int flakey_map(struct dm_target *
 		pb->bio_submitted = true;
 
 		/*
-		 * Map reads as normal.
+		 * Map reads as normal only if corrupt_bio_byte set.
 		 */
-		if (bio_data_dir(bio) == READ)
-			goto map_bio;
+		if (bio_data_dir(bio) == READ) {
+			/* If flags were specified, only corrupt those that match. */
+			if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+			    all_corrupt_bio_flags_match(bio, fc))
+				goto map_bio;
+			else
+				return -EIO;
+		}
 
 		/*
 		 * Drop writes?
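Review bot: in flakey_map() the new READ branch returns -EIO before the
"Drop writes?" check below it is reached, so any READ that does not match
the corrupt_bio_byte settings fails during the down interval regardless of
the other features. The commit message only discusses corrupt_bio_byte;
please confirm that a target configured just to drop writes is meant to
fail reads as well, and say so in the comment. Style: the "else" after
"goto map_bio" is unnecessary.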
@@ -328,12 +334,13 @@ static int flakey_end_io(struct dm_targe
 
 	/*
 	 * Corrupt successful READs while in down state.
-	 * If flags were specified, only corrupt those that match.
 	 */
-	if (fc->corrupt_bio_byte && !error && pb->bio_submitted &&
-	    (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
-	    all_corrupt_bio_flags_match(bio, fc))
-		corrupt_bio_data(bio, fc);
+	if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+		if (fc->corrupt_bio_byte)
+			corrupt_bio_data(bio, fc);
+		else
+			return -EIO;
+	}
 
 	return error;
 }
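Review bot: flakey_end_io() no longer tests fc->corrupt_bio_rw or
all_corrupt_bio_flags_match(), so it now depends on flakey_map() having
let through only matching READs with bio_submitted set. That coupling
deserves a comment where the removed line "If flags were specified, only
corrupt those that match" used to be. Given the filter added in
flakey_map(), the "else return -EIO" branch looks unreachable for READs
submitted in the down interval; if there is a path that reaches it, name
it in the comment.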

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 139/346] balloon: check the number of available pages in leak balloon
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 153/346] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 105/346] nfs: don't create zero-length requests Ben Hutchings
                   ` (268 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Konstantin Neumoin, Denis V. Lunev, Michael S. Tsirkin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Neumoin <kneumoin@virtuozzo.com>

commit 37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711 upstream.

The balloon has a special mechanism that is subscribed to the oom
notification which leads to deflation for a fixed number of pages.
The number is always fixed even when the balloon is fully deflated.
But leak_balloon did not expect that the pages to deflate would be more
than taken, and raised a "BUG" in balloon_page_dequeue when the page list
was empty.

So, the simplest solution would be to check that the number of released
pages is less than or equal to the number of taken pages.

Signed-off-by: Konstantin Neumoin <kneumoin@virtuozzo.com>
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/virtio/virtio_balloon.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -177,6 +177,8 @@ static void leak_balloon(struct virtio_b
 	num = min(num, ARRAY_SIZE(vb->pfns));
 
 	mutex_lock(&vb->balloon_lock);
+	/* We can't release more pages than taken */
+	num = min(num, (size_t)vb->num_pages);
 	for (vb->num_pfns = 0; vb->num_pfns < num;
 	     vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
 		page = balloon_page_dequeue(vb_dev_info);
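Review bot: The clamp `num = min(num, (size_t)vb->num_pages)` is correctly taken under balloon_lock, but leak_balloon() returns void (see the hunk header), so a caller asking for more pages than the balloon holds cannot tell that fewer were released. The OOM-notifier path described in the changelog requests a fixed number; check that it does not account that fixed number as freed. The loop advances in steps of VIRTIO_BALLOON_PAGES_PER_PAGE, so the new comment should also state that num and vb->num_pages are counted in the same unit.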

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 192/346] bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 067/346] s390/mm: fix gmap tlb flush issues Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 226/346] fs/seq_file: fix out-of-bounds read Ben Hutchings
                   ` (303 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Wheeler, Eric Wheeler, Kent Overstreet

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Wheeler <git@linux.ewheeler.net>

commit d9dc1702b297ec4a6bb9c0326a70641b322ba886 upstream.

register_cache() is supposed to return an error string on error so that
register_bcache() will blkdev_put and clean up other user counters,
but it does not set 'char *err' when cache_alloc() fails (eg, due to
memory pressure) and thus register_bcache() performs no cleanup.

register_bcache() <----------\  <- no jump to err_close, no blkdev_put()
   |                         |
   +->register_cache()       |  <- fails to set char *err
         |                   |
         +->cache_alloc() ---/  <- returns error

This patch sets `char *err` for this failure case so that register_cache()
will cause register_bcache() to correctly jump to err_close and do
cleanup.  This was tested under OOM conditions that triggered the bug.

Signed-off-by: Eric Wheeler <bcache@linux.ewheeler.net>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/super.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1854,7 +1854,7 @@ static int register_cache(struct cache_s
 				  struct block_device *bdev, struct cache *ca)
 {
 	char name[BDEVNAME_SIZE];
-	const char *err = NULL;
+	const char *err = NULL; /* must be set for any error case */
 	int ret = 0;
 
 	memcpy(&ca->sb, sb, sizeof(struct cache_sb));
@@ -1871,8 +1871,13 @@ static int register_cache(struct cache_s
 		ca->discard = CACHE_DISCARD(&ca->sb);
 
 	ret = cache_alloc(sb, ca);
-	if (ret != 0)
+	if (ret != 0) {
+		if (ret == -ENOMEM)
+			err = "cache_alloc(): -ENOMEM";
+		else
+			err = "cache_alloc(): unknown error";
 		goto err;
+	}
 
 	if (kobject_add(&ca->kobj, &part_to_dev(bdev->bd_part)->kobj, "bcache")) {
 		err = "error calling kobject_add";
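Review bot: In the new `if (ret != 0)` block, the "cache_alloc(): unknown error" string discards the value of ret, which is the one thing an operator would need from the log; report ret alongside the string. The fix also leaves register_bcache() deciding whether to clean up from whether `err` is non-NULL, an invariant enforced only by the comment added in the first hunk ("must be set for any error case"). Having the caller act on the return code would make a future error path that forgets `err` fail safe instead of skipping blkdev_put() again.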

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 330/346] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (130 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 305/346] openrisc: fix the fix of copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 115/346] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Ben Hutchings
                   ` (214 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marcel Holtmann, Jaganath Kanakkassery

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jaganath Kanakkassery <jaganath.k@samsung.com>

commit 951b6a0717db97ce420547222647bcc40bf1eacd upstream.

addr can be NULL and it should not be dereferenced before NULL checking.

Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bluetooth/rfcomm/sock.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -334,16 +334,19 @@ static int rfcomm_sock_create(struct net
 
 static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
 {
-	struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
+	struct sockaddr_rc sa;
 	struct sock *sk = sock->sk;
-	int chan = sa->rc_channel;
-	int err = 0;
-
-	BT_DBG("sk %p %pMR", sk, &sa->rc_bdaddr);
+	int len, err = 0;
 
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
+	memset(&sa, 0, sizeof(sa));
+	len = min_t(unsigned int, sizeof(sa), addr_len);
+	memcpy(&sa, addr, len);
+
+	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
+
 	lock_sock(sk);
 
 	if (sk->sk_state != BT_OPEN) {
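Review bot: The retained check `addr->sa_family != AF_BLUETOOTH` still reads sa_family without first confirming that addr_len covers that field, and `len` is a signed int assigned from `min_t(unsigned int, sizeof(sa), addr_len)`, so a negative addr_len would compare as a large unsigned value and select sizeof(sa). Add an explicit lower bound on addr_len before touching addr, and make len unsigned. Because of the memset(), a short address is also accepted silently with rc_channel 0 and a zero rc_bdaddr; if that is intended, a comment should say so.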
@@ -358,12 +361,13 @@ static int rfcomm_sock_bind(struct socke
 
 	write_lock(&rfcomm_sk_list.lock);
 
-	if (chan && __rfcomm_get_listen_sock_by_addr(chan, &sa->rc_bdaddr)) {
+	if (sa.rc_channel &&
+	    __rfcomm_get_listen_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
 		err = -EADDRINUSE;
 	} else {
 		/* Save source address */
-		bacpy(&rfcomm_pi(sk)->src, &sa->rc_bdaddr);
-		rfcomm_pi(sk)->channel = chan;
+		bacpy(&rfcomm_pi(sk)->src, &sa.rc_bdaddr);
+		rfcomm_pi(sk)->channel = sa.rc_channel;
 		sk->sk_state = BT_BOUND;
 	}
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 195/346] gpio: Fix OF build problem on UM
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (291 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 248/346] iio: accel: kxsd9: Fix scaling bug Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 274/346] frv: fix clear_user() Ben Hutchings
                   ` (53 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Walleij, Geert Uytterhoeven, kbuild test robot

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 upstream.

The UserMode (UM) Linux build was failing in gpiolib-of as it requires
ioremap()/iounmap() to exist, which is absent from UM. The non-existence
of IO memory is negatively defined as CONFIG_NO_IOMEM which means we
need to depend on HAS_IOMEM.

Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpio/Kconfig | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpio/Kconfig
+++ b/drivers/gpio/Kconfig
@@ -50,6 +50,7 @@ config GPIO_DEVRES
 config OF_GPIO
 	def_bool y
 	depends on OF
+	depends on HAS_IOMEM
 
 config GPIO_ACPI
 	def_bool y
--- a/arch/mips/kvm/kvm_mips.c
+++ b/arch/mips/kvm/kvm_mips.c
@@ -1211,7 +1211,7 @@ int __init kvm_mips_init(void)
 	 */
 	kvm_mips_gfn_to_pfn = gfn_to_pfn;
 	kvm_mips_release_pfn_clean = kvm_release_pfn_clean;
-	kvm_mips_is_error_pfn = is_error_pfn;
+	kvm_mips_is_error_pfn = is_error_noslot_pfn;
 
 	pr_info("KVM/MIPS Initialized\n");
 	return 0;
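Review bot: This arch/mips/kvm/kvm_mips.c hunk does not belong to the change described: the diffstat lists only drivers/gpio/Kconfig with one insertion, and the changelog is about OF_GPIO depending on HAS_IOMEM. Replacing `is_error_pfn` with `is_error_noslot_pfn` looks like part of "[PATCH 3.16 196/346] MIPS: KVM: Check for pfn noslot case", which is listed separately in this series. Drop it from this patch so it is reviewed and applied once, under its own changelog.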

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 152/346] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 004/346] s5p-mfc: Set device name for reserved memory region devs Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 205/346] iio: accel: kxsd9: Fix raw read return Ben Hutchings
                   ` (273 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Robert Deliën

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Deliën <robert@delien.nl>

commit 6977495c06f7f47636a076ee5a0ca571279d9697 upstream.

Ivium Technologies uses the FTDI VID with custom PIDs for their line of
electrochemical interfaces and the PalmSens they developed for PalmSens
BV.

Signed-off-by: Robert Delien <robert@delien.nl>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ftdi_sio.c     | 2 ++
 drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
 2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -661,6 +661,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(FTDI_VID, FTDI_ELV_TFD128_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_ELV_FM3RX_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_ELV_WS777_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_PALMSENS_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_IVIUM_XSTAT_PID) },
 	{ USB_DEVICE(FTDI_VID, LINX_SDMUSBQSS_PID) },
 	{ USB_DEVICE(FTDI_VID, LINX_MASTERDEVEL2_PID) },
 	{ USB_DEVICE(FTDI_VID, LINX_FUTURE_0_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -406,6 +406,12 @@
 #define FTDI_4N_GALAXY_DE_3_PID	0xF3C2
 
 /*
+ * Ivium Technologies product IDs
+ */
+#define FTDI_PALMSENS_PID	0xf440
+#define FTDI_IVIUM_XSTAT_PID	0xf441
+
+/*
  * Linx Technologies product ids
  */
 #define LINX_SDMUSBQSS_PID	0xF448	/* Linx SDM-USB-QS-S */
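Review bot: The two new defines use lowercase hex (0xf440, 0xf441) while the neighbouring entries in this hunk use uppercase (0xF3C2, 0xF448), and unlike the Linx entry below they carry no trailing comment naming the device. Match the surrounding style and add a short description per PID.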

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 167/346] s390/dasd: fix hanging device after clear subchannel
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (328 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 033/346] ext4: don't call ext4_should_journal_data() on the journal inode Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 149/346] mac80211: fix purging multicast PS buffer queue Ben Hutchings
                   ` (16 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin Schwidefsky, Stefan Haberland, Sebastian Ott

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Haberland <sth@linux.vnet.ibm.com>

commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream.

When a device is in a status where CIO has killed all I/O by itself the
interrupt for a clear request may not contain an irb to determine the
clear function. Instead it contains an error pointer -EIO.
This was ignored by the DASD int_handler leading to a hanging device
waiting for a clear interrupt.

Handle -EIO error pointer correctly for requests that are clear pending and
treat the clear as successful.

Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/block/dasd.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -1613,9 +1613,18 @@ void dasd_int_handler(struct ccw_device
 	unsigned long long now;
 	int expires;
 
+	cqr = (struct dasd_ccw_req *) intparm;
 	if (IS_ERR(irb)) {
 		switch (PTR_ERR(irb)) {
 		case -EIO:
+			if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) {
+				device = (struct dasd_device *) cqr->startdev;
+				cqr->status = DASD_CQR_CLEARED;
+				dasd_device_clear_timer(device);
+				wake_up(&dasd_flush_wq);
+				dasd_schedule_device_bh(device);
+				return;
+			}
 			break;
 		case -ETIMEDOUT:
 			DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: "
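Review bot: The new -EIO branch dereferences `cqr->status` and `cqr->startdev` on a pointer cast straight from intparm, ahead of the `!cqr || ...` checks that the second hunk shows running only later in the handler. Only the NULL case is guarded here; if any other check normally vouches for the request before it is used, it needs to run before this early return too. A one-line comment in the case explaining why a missing irb is treated as a completed clear would also save the next reader a trip to the changelog.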
@@ -1631,7 +1640,6 @@ void dasd_int_handler(struct ccw_device
 	}
 
 	now = get_tod_clock();
-	cqr = (struct dasd_ccw_req *) intparm;
 	/* check for conditions that should be handled immediately */
 	if (!cqr ||
 	    !(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) &&

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 207/346] powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (244 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 048/346] ALSA: ctl: Stop notification after disconnection Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 100/346] MIPS: RM7000: Double locking bug in rm7k_tc_disable() Ben Hutchings
                   ` (100 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Benjamin Herrenschmidt, Michael Ellerman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 66443efa83dc73775100b7442962ce2cb0d4472e upstream.

When booting from an OpenFirmware which supports it, we use the
"ibm,client-architecture-support" firmware call to communicate
our capabilities to firmware.

The format of the structure we pass to firmware is specified in
PAPR (Power Architecture Platform Requirements), or the public version
LoPAPR (Linux on Power Architecture Platform Reference).

Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte
field at bytes 17-20 for the "Platform Facilities Enable". This is
followed by a 1 byte field at byte 21 for "Sub-Processor Representation
Level".

Comparing to the code, there we have the Platform Facilities
options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its
full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is
incorrectly placed at byte 18.

Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes
to hopefully make it clearer in future.

As far as I'm aware nothing actually consumes this value at this time,
so the effect of this bug is nil in practice.

It does mean we've been incorrectly setting bit 15 of the "Platform
Facilities Enable" option for the past ~3 1/2 years, so we should avoid
allocating that bit to anything else in future.

Fixes: df77c7992029 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[bwh: Backported to 3.16:
 - Adjust context
 - Length calculations don't use VECTOR_LENGTH()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/prom_init.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/arch/powerpc/kernel/prom_init.c
+++ b/arch/powerpc/kernel/prom_init.c
@@ -685,7 +685,7 @@ unsigned char ibm_architecture_vec[] = {
 	OV4_MIN_ENT_CAP,		/* minimum VP entitled capacity */
 
 	/* option vector 5: PAPR/OF options */
-	19 - 2,				/* length */
+	22 - 2,				/* length */
 	0,				/* don't ignore, don't halt */
 	OV5_FEAT(OV5_LPAR) | OV5_FEAT(OV5_SPLPAR) | OV5_FEAT(OV5_LARGE_PAGES) |
 	OV5_FEAT(OV5_DRCONF_MEMORY) | OV5_FEAT(OV5_DONATE_DEDICATE_CPU) |
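Review bot: The `22 - 2` length is a hand-counted literal that has to stay in step with the entries of option vector 5. The second hunk adds three bytes and 19 becomes 22, so it is consistent today, but nothing enforces it. Since this backport does not use VECTOR_LENGTH() (per the backport note), a comment beside the length stating that the vector ends at byte 21 would make the next edit less error-prone.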
@@ -716,8 +716,11 @@ unsigned char ibm_architecture_vec[] = {
 	0,
 	0,
 	OV5_FEAT(OV5_PFO_HW_RNG) | OV5_FEAT(OV5_PFO_HW_ENCR) |
-	OV5_FEAT(OV5_PFO_HW_842),
-	OV5_FEAT(OV5_SUB_PROCESSORS),
+	OV5_FEAT(OV5_PFO_HW_842),				/* Byte 17 */
+	0,							/* Byte 18 */
+	0,							/* Byte 19 */
+	0,							/* Byte 20 */
+	OV5_FEAT(OV5_SUB_PROCESSORS),				/* Byte 21 */
 	/* option vector 6: IBM PAPR hints */
 	4 - 2,				/* length */
 	0,
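Review bot: The changelog warns that bit 15 of "Platform Facilities Enable" has been set by mistake for about three and a half years and should not be allocated to anything else, but that constraint is recorded only in the commit message. Put it in a comment next to the new `0, /* Byte 18 */` entry so it survives in the source.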

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 120/346] drm/radeon: fix firmware info version checks
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (215 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 091/346] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 270/346] MIPS: paravirt: Fix undefined reference to smp_bootstrap Ben Hutchings
                   ` (129 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Deucher

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 3edc38a0facef45ee22af8afdce3737f421f36ab upstream.

Some of the checks didn't handle frev 2 tables properly.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -1128,7 +1128,7 @@ bool radeon_atom_get_clock_info(struct d
 		    le16_to_cpu(firmware_info->info.usReferenceClock);
 		p1pll->reference_div = 0;
 
-		if (crev < 2)
+		if ((frev < 2) && (crev < 2))
 			p1pll->pll_out_min =
 				le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
 		else
@@ -1137,7 +1137,7 @@ bool radeon_atom_get_clock_info(struct d
 		p1pll->pll_out_max =
 		    le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
 
-		if (crev >= 4) {
+		if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
 			p1pll->lcd_pll_out_min =
 				le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
 			if (p1pll->lcd_pll_out_min == 0)
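Review bot: `((frev < 2) && (crev >= 4)) || (frev >= 2)` is equivalent to `(frev >= 2) || (crev >= 4)`, which is easier to read. With this change every frev >= 2 table is read through `info_14` regardless of crev, so a comment naming which table revisions are known to carry usLcdMinPixelClockPLL_Output would document why that is safe.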

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 108/346] pps: do not crash when failed to register
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (186 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 222/346] batman-adv: Add missing refcnt for last_candidate Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 241/346] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Ben Hutchings
                   ` (158 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rodolfo Giometti, Jiri Slaby, Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 368301f2fe4b07e5fb71dba3cc566bc59eb6705f upstream.

With this command sequence:

  modprobe plip
  modprobe pps_parport
  rmmod pps_parport

the partport_pps module causes this crash:

  BUG: unable to handle kernel NULL pointer dereference at (null)
  IP: parport_detach+0x1d/0x60 [pps_parport]
  Oops: 0000 [#1] SMP
  ...
  Call Trace:
    parport_unregister_driver+0x65/0xc0 [parport]
    SyS_delete_module+0x187/0x210

The sequence that builds up to this is:

 1) plip is loaded and takes the parport device for exclusive use:

    plip0: Parallel port at 0x378, using IRQ 7.

 2) pps_parport then fails to grab the device:

    pps_parport: parallel port PPS client
    parport0: cannot grant exclusive access for device pps_parport
    pps_parport: couldn't register with parport0

 3) rmmod of pps_parport is then killed because it tries to access
    pardev->name, but pardev (taken from port->cad) is NULL.

So add a check for NULL in the test there too.

Link: http://lkml.kernel.org/r/20160714115245.12651-1-jslaby@suse.cz
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pps/clients/pps_parport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -195,7 +195,7 @@ static void parport_detach(struct parpor
 	struct pps_client_pp *device;
 
 	/* FIXME: oooh, this is ugly! */
-	if (strcmp(pardev->name, KBUILD_MODNAME))
+	if (!pardev || strcmp(pardev->name, KBUILD_MODNAME))
 		/* not our port */
 		return;
 
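Review bot: The added `!pardev` test makes the detach path safe, but the `/* not our port */` comment now also covers the case from the changelog where this driver's own registration failed and port->cad was never set to its device. Say that in the comment. Since the FIXME above already flags the name comparison as ugly, consider tracking the attached port in the driver's own state instead of inferring ownership from pardev->name.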

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 114/346] Documentation/module-signing.txt: Note need for version info if reusing a key
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (269 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 273/346] cris: buggered copy_from_user/copy_to_user/clear_user Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 034/346] batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag Ben Hutchings
                   ` (75 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rusty Russell

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit b8612e517c3c9809e1200b72c474dbfd969e5a83 upstream.

Signing a module should only make it trusted by the specific kernel it
was built for, not anything else.  If a module signing key is used for
multiple ABI-incompatible kernels, the modules need to include enough
version information to distinguish them.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---
 Documentation/module-signing.txt | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -239,3 +239,9 @@ Since the private key is used to sign mo
 the private key to sign modules and compromise the operating system.  The
 private key must be either destroyed or moved to a secure location and not kept
 in the root node of the kernel source tree.
+
+If you use the same private key to sign modules for multiple kernel
+configurations, you must ensure that the module version information is
+sufficient to prevent loading a module into a different kernel.  Either
+set CONFIG_MODVERSIONS=y or ensure that each configuration has a different
+kernel release string by changing EXTRAVERSION or CONFIG_LOCALVERSION.
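Review bot: The new paragraph says what to configure but not why: the changelog's reasoning, that signing a module should only make it trusted by the specific kernel it was built for, is missing from the text itself. Add that sentence, and state explicitly that the signature check alone does not stop a module built for one configuration from loading into another kernel that trusts the same key.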

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 123/346] avr32: off by one in at32_init_pio()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 334/346] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 196/346] MIPS: KVM: Check for pfn noslot case Ben Hutchings
                   ` (221 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 55f1cf83d5cf885c75267269729805852039c834 upstream.

The pio_dev[] array has MAX_NR_PIO_DEVICES elements so the > should be
>=.

Fixes: 5f97f7f9400d ('[PATCH] avr32 architecture')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/avr32/mach-at32ap/pio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/avr32/mach-at32ap/pio.c
+++ b/arch/avr32/mach-at32ap/pio.c
@@ -435,7 +435,7 @@ void __init at32_init_pio(struct platfor
 	struct resource *regs;
 	struct pio_device *pio;
 
-	if (pdev->id > MAX_NR_PIO_DEVICES) {
+	if (pdev->id >= MAX_NR_PIO_DEVICES) {
 		dev_err(&pdev->dev, "only %d PIO devices supported\n",
 			MAX_NR_PIO_DEVICES);
 		return;
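Review bot: The corrected test `pdev->id >= MAX_NR_PIO_DEVICES` closes the upper bound, but `id` in struct platform_device is a signed int, so a negative id still passes this check and would index before the start of pio_dev[]. Add `pdev->id < 0 ||` to the condition and adjust the error message, which only mentions the device count.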

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 183/346] USB: serial: mos7840: fix non-atomic allocation in write path
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 074/346] ext4: fix reference counting bug on block allocation error Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 297/346] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 Ben Hutchings
                   ` (163 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexey Khoroshilov, Johan Hovold

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <khoroshilov@ispras.ru>

commit 3b7c7e52efda0d4640060de747768360ba70a7c0 upstream.

There is an allocation with GFP_KERNEL flag in mos7840_write(),
while it may be called from interrupt context.

Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
allocation in write path")

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1372,8 +1372,8 @@ static int mos7840_write(struct tty_stru
 	}
 
 	if (urb->transfer_buffer == NULL) {
-		urb->transfer_buffer =
-		    kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL);
+		urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+					       GFP_ATOMIC);
 		if (!urb->transfer_buffer)
 			goto exit;
 	}
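Review bot: Switching to GFP_ATOMIC is right for a write path that can run in interrupt context, but it also makes the `goto exit` failure branch more likely to be taken, and this hunk does not show what mos7840_write() returns in that case. Confirm the caller sees an error or a zero byte count it can retry on, or allocate the transfer buffer once at open time so the write path does not allocate at all.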

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 056/346] x86/quirks: Reintroduce scanning of secondary buses
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (296 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 020/346] drm/radeon: Don't leak runtime pm ref on driver load Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 211/346] USB: fix typo in wMaxPacketSize validation Ben Hutchings
                   ` (48 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, H. Peter Anvin, Linus Torvalds, Bjorn Helgaas,
	Andy Lutomirski, Lukas Wunner, linux-pci, Ingo Molnar,
	Brian Gerst, Peter Zijlstra, Denys Vlasenko, Thomas Gleixner,
	Yinghai Lu, Josh Poimboeuf, Borislav Petkov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 850c321027c2e31d0afc71588974719a4b565550 upstream.

We used to scan secondary buses until the following commit that
was applied in 2009:

  8659c406ade3 ("x86: only scan the root bus in early PCI quirks")

which commit constrained early quirks to the root bus only. Its
motivation was to prevent application of the nvidia_bugs quirk
on secondary buses.

We're about to add a quirk to reset the Broadcom 4331 wireless card on
2011/2012 Macs, which is located on a secondary bus behind a PCIe root
port. To facilitate that, reintroduce scanning of secondary buses.

The commit message of 8659c406ade3 notes that scanning only the root bus
"saves quite some unnecessary scanning work". The algorithm used prior
to 8659c406ade3 was particularly time consuming because it scanned
buses 0 to 31 brute force. To avoid lengthening boot time, employ a
recursive strategy which only scans buses that are actually reachable
from the root bus.

Yinghai Lu pointed out that the secondary bus number read from a
bridge's config space may be invalid, in particular a value of 0 would
cause an infinite loop. The PCI core goes beyond that and recurses to a
child bus only if its bus number is greater than the parent bus number
(see pci_scan_bridge()). Since the root bus is numbered 0, this implies
that secondary buses may not be 0. Do the same on early scanning.

If this algorithm is found to significantly impact boot time or cause
infinite loops on broken hardware, it would be possible to limit its
recursion depth: The Broadcom 4331 quirk applies at depth 1, all others
at depth 0, so the bus need not be scanned deeper than that for now. An
alternative approach would be to revert to scanning only the root bus,
and apply the Broadcom 4331 quirk to the root ports 8086:1c12, 8086:1e12
and 8086:1e16. Apple always positioned the card behind either of these
three ports. The quirk would then check presence of the card in slot 0
below the root port and do its deed.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: linux-pci@vger.kernel.org
Link: http://lkml.kernel.org/r/f0daa70dac1a9b2483abdb31887173eb6ab77bdf.1465690253.git.lukas@wunner.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/early-quirks.c | 34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -585,12 +585,6 @@ struct chipset {
 	void (*f)(int num, int slot, int func);
 };
 
-/*
- * Only works for devices on the root bus. If you add any devices
- * not on bus 0 readd another loop level in early_quirks(). But
- * be careful because at least the Nvidia quirk here relies on
- * only matching on bus 0.
- */
 static struct chipset early_qrk[] __initdata = {
 	{ PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
 	  PCI_CLASS_BRIDGE_PCI, PCI_ANY_ID, QFLAG_APPLY_ONCE, nvidia_bugs },
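Review bot: This hunk deletes the warning that "at least the Nvidia quirk here relies on only matching on bus 0", yet the nvidia_bugs entry just below still matches PCI_ANY_ID bridges and nothing in this patch restricts it to the root bus. With secondary buses scanned again, either add a bus-number check inside nvidia_bugs or confirm that a companion patch in this series does so before this one is applied.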
@@ -619,6 +613,8 @@ static struct chipset early_qrk[] __init
 	{}
 };
 
+static void __init early_pci_scan_bus(int bus);
+
 /**
  * check_dev_quirk - apply early quirks to a given PCI device
  * @num: bus number
@@ -627,7 +623,7 @@ static struct chipset early_qrk[] __init
  *
  * Check the vendor & device ID against the early quirks table.
  *
- * If the device is single function, let early_quirks() know so we don't
+ * If the device is single function, let early_pci_scan_bus() know so we don't
  * poke at this device again.
  */
 static int __init check_dev_quirk(int num, int slot, int func)
@@ -636,6 +632,7 @@ static int __init check_dev_quirk(int nu
 	u16 vendor;
 	u16 device;
 	u8 type;
+	u8 sec;
 	int i;
 
 	class = read_pci_config_16(num, slot, func, PCI_CLASS_DEVICE);
@@ -663,25 +660,36 @@ static int __init check_dev_quirk(int nu
 
 	type = read_pci_config_byte(num, slot, func,
 				    PCI_HEADER_TYPE);
+
+	if ((type & 0x7f) == PCI_HEADER_TYPE_BRIDGE) {
+		sec = read_pci_config_byte(num, slot, func, PCI_SECONDARY_BUS);
+		if (sec > num)
+			early_pci_scan_bus(sec);
+	}
+
 	if (!(type & 0x80))
 		return -1;
 
 	return 0;
 }
 
-void __init early_quirks(void)
+static void __init early_pci_scan_bus(int bus)
 {
 	int slot, func;
 
-	if (!early_pci_allowed())
-		return;
-
 	/* Poor man's PCI discovery */
-	/* Only scan the root bus */
 	for (slot = 0; slot < 32; slot++)
 		for (func = 0; func < 8; func++) {
 			/* Only probe function 0 on single fn devices */
-			if (check_dev_quirk(0, slot, func))
+			if (check_dev_quirk(bus, slot, func))
 				break;
 		}
 }
+
+void __init early_quirks(void)
+{
+	if (!early_pci_allowed())
+		return;
+
+	early_pci_scan_bus(0);
+}
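Review bot: The recursion added in check_dev_quirk() is bounded only by the "if (sec > num)" test, and nothing in the code says so. Please add a comment on early_pci_scan_bus() explaining that descent is limited because the secondary bus number must be strictly greater than the current bus, so a bridge whose secondary bus reads as 0 or points back up the hierarchy is skipped. The subordinate bus number is never consulted, so two bridges reporting the same secondary bus would get that bus scanned twice and any quirk without QFLAG_APPLY_ONCE applied twice; that deserves either a guard or a documented limitation.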


* [PATCH 3.16 190/346] xhci: don't dereference a xhci member after removing xhci
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 230/346] powerpc/powernv : Drop reference added by kset_find_obj() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 319/346] ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path Ben Hutchings
                   ` (277 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit f1f6d9a8b540df22b87a5bf6bc104edaade81f47 upstream.

Remove the hcd after checking for the xhci last quirks, not before.

This caused a hang on an Alpine Ridge xhci based machine which removes
the whole xhci controller when unplugging the last usb device.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-pci.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -293,12 +293,13 @@ static void xhci_pci_remove(struct pci_d
 		usb_remove_hcd(xhci->shared_hcd);
 		usb_put_hcd(xhci->shared_hcd);
 	}
-	usb_hcd_pci_remove(dev);
 
 	/* Workaround for spurious wakeups at shutdown with HSW */
 	if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
 		pci_set_power_state(dev, PCI_D3hot);
 
+	usb_hcd_pci_remove(dev);
+
 	kfree(xhci);
 }
 
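Review bot: With usb_hcd_pci_remove(dev) moved below the XHCI_SPURIOUS_WAKEUP block, hosts with that quirk now have pci_set_power_state(dev, PCI_D3hot) called before the hcd is removed, so the teardown runs against a device already in D3hot. If the goal is only to avoid reading xhci->quirks after removal, consider saving the quirk test in a local before usb_hcd_pci_remove(dev) and calling pci_set_power_state() afterwards, which keeps the original ordering. The commit message should also name the access that faulted, since kfree(xhci) follows the removal in both the old and the new version.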


* [PATCH 3.16 187/346] scsi: fix upper bounds check of sense key in scsi_sense_key_string()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (276 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 208/346] drm: Reject page_flip for !DRIVER_MODESET Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 213/346] USB: avoid left shift by -1 Ben Hutchings
                   ` (68 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Tyrel Datwyler, Bart Van Assche

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>

commit a87eeb900dbb9f8202f96604d56e47e67c936b9d upstream.

Commit 655ee63cf371 ("scsi constants: command, sense key + additional
sense string") added a "Completed" sense string with key 0xF to
snstext[], but failed to update the upper bounds check of the sense key
in scsi_sense_key_string().

Fixes: 655ee63cf371 ("[SCSI] scsi constants: command, sense key + additional sense strings")
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/constants.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/constants.c
+++ b/drivers/scsi/constants.c
@@ -1335,9 +1335,10 @@ static const char * const snstext[] = {
 
 /* Get sense key string or NULL if not available */
 const char *
-scsi_sense_key_string(unsigned char key) {
+scsi_sense_key_string(unsigned char key)
+{
 #ifdef CONFIG_SCSI_CONSTANTS
-	if (key <= 0xE)
+	if (key < ARRAY_SIZE(snstext))
 		return snstext[key];
 #endif
 	return NULL;
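Review bot: The switch to "key < ARRAY_SIZE(snstext)" is the right shape, but the commit message leaves the impact implicit: the old "key <= 0xE" test was too strict rather than too loose, so the visible effect was a NULL return for key 0xF, not a read past the end of snstext[]. Saying that explicitly helps anyone triaging this stable update. The brace move on scsi_sense_key_string() is an unrelated style change and would be easier to review on its own.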


* [PATCH 3.16 185/346] iio: proximity: as3935: set up buffer timestamps for non-zero values
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 106/346] radix-tree: fix radix_tree_iter_retry() for tagged iterators Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 029/346] Input: xpad - validate USB endpoint count during probe Ben Hutchings
                   ` (282 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alison Schofield, Jonathan Cameron, Daniel Baluta

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alison Schofield <amsfield22@gmail.com>

commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream.

Use the iio_pollfunc_store_time parameter during triggered buffer
set-up to get valid timestamps.

Signed-off-by: Alison Schofield <amsfield22@gmail.com>
Cc: Daniel Baluta <daniel.baluta@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/proximity/as3935.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -389,7 +389,7 @@ static int as3935_probe(struct spi_devic
 		return ret;
 	}
 
-	ret = iio_triggered_buffer_setup(indio_dev, NULL,
+	ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
 		&as3935_trigger_handler, NULL);
 
 	if (ret) {
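Review bot: Passing iio_pollfunc_store_time as the top half only yields valid timestamps if as3935_trigger_handler pushes the stored value (pf->timestamp) instead of something else, and the handler is not visible in this hunk. Please confirm that it does, and say in the commit message what value was being reported before this change so the user-visible effect is clear.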


* [PATCH 3.16 188/346] xhci: always handle "Command Ring Stopped" events
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 072/346] KVM: nVMX: Fix memory corruption when using VMCS shadowing Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 044/346] MIPS: Fix page table corruption on THP permission changes Ben Hutchings
                   ` (116 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 33be126510974e2eb9679f1ca9bca4f67ee4c4c7 upstream.

Fix "Command completion event does not match command" errors by always
handling the command ring stopped events.

The command ring stopped event is generated as a result of aborting
or stopping the command ring with a register write. It is not caused
by a command in the command queue, and thus won't have a matching command
in the command list.

Solve it by handling the command ring stopped event before checking for a
matching command.

In most command time out cases we abort the command ring, and get
a command ring stopped event. The event's command pointer will point at
the current command ring dequeue, which in most cases matches the timed
out command in the command list, and no error messages are seen.

If we instead get a command aborted event before the command ring stopped
event, the abort event will increase the command ring dequeue pointer, and
the following command ring stopped event's command pointer will point at the
next, not yet queued command. This case triggered the error message.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1351,12 +1351,6 @@ static void handle_cmd_completion(struct
 
 	cmd = list_entry(xhci->cmd_list.next, struct xhci_command, cmd_list);
 
-	if (cmd->command_trb != xhci->cmd_ring->dequeue) {
-		xhci_err(xhci,
-			 "Command completion event does not match command\n");
-		return;
-	}
-
 	del_timer(&xhci->cmd_timer);
 
 	trace_xhci_cmd_completion(cmd_trb, (struct xhci_generic_trb *) event);
@@ -1368,6 +1362,13 @@ static void handle_cmd_completion(struct
 		xhci_handle_stopped_cmd_ring(xhci, cmd);
 		return;
 	}
+
+	if (cmd->command_trb != xhci->cmd_ring->dequeue) {
+		xhci_err(xhci,
+			 "Command completion event does not match command\n");
+		return;
+	}
+
 	/*
 	 * Host aborted the command ring, check if the current command was
 	 * supposed to be aborted, otherwise continue normally.
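Review bot: The relocated mismatch check now sits after del_timer(&xhci->cmd_timer) from the previous hunk, so the "Command completion event does not match command" path returns with the command timer already deleted and nothing visible here re-arms it. Before this change that path returned with the timer still pending. Either move del_timer() below the relocated check or re-arm the timer before the early return, so that a mismatched event does not leave the queued command without a timeout.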


* [PATCH 3.16 121/346] MIPS: c-r4k: Fix protected_writeback_scache_line for EVA
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 281/346] mn10300: copy_from_user() should zero on access_ok() failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 216/346] timekeeping: Cap array access in timekeeping_debug Ben Hutchings
                   ` (334 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, James Hogan, linux-mips, Leonid Yegoshin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 0758b116b4080d9a2a2a715bec6eee2cbd828215 upstream.

The protected_writeback_scache_line() function is used by
local_r4k_flush_cache_sigtramp() to flush an FPU delay slot emulation
trampoline on the userland stack from the caches so it is visible to
subsequent instruction fetches.

Commit de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing
functions") updated some protected_ cache flush functions to use EVA
CACHEE instructions via protected_cachee_op(), and commit 83fd43449baa
("MIPS: r4kcache: Add EVA case for protected_writeback_dcache_line") did
the same thing for protected_writeback_dcache_line(), but
protected_writeback_scache_line() never got updated. Let's fix that now
to flush the right user address from the secondary cache rather than
some arbitrary kernel unmapped address.

This issue was spotted through code inspection, and it seems unlikely to
be possible to hit this in practice. It theoretically affects EVA kernels
on EVA capable cores with an L2 cache, where the icache fetches straight
from RAM (cpu_icache_snoops_remote_store == 0), running a hard float
userland with FPU disabled (nofpu). That both Malta and Boston platforms
override cpu_icache_snoops_remote_store to 1 suggests that all MIPS
cores fetch instructions into icache straight from L2 rather than RAM.

Fixes: de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13800/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/r4kcache.h | 4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/mips/include/asm/r4kcache.h
+++ b/arch/mips/include/asm/r4kcache.h
@@ -263,7 +263,11 @@ static inline void protected_writeback_d
 
 static inline void protected_writeback_scache_line(unsigned long addr)
 {
+#ifdef CONFIG_EVA
+	protected_cachee_op(Hit_Writeback_Inv_SD, addr);
+#else
 	protected_cache_op(Hit_Writeback_Inv_SD, addr);
+#endif
 }
 
 /*


* [PATCH 3.16 111/346] net/irda: fix NULL pointer dereference on memory allocation failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 025/346] hp-wmi: Fix wifi cannot be hard-unblocked Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 065/346] cifs: Check for existing directory when opening file with O_CREAT Ben Hutchings
                   ` (252 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d upstream.

I ran into this:

    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
    RIP: 0010:[<ffffffff82bbf066>]  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
    RSP: 0018:ffff880111747bb8  EFLAGS: 00010286
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
    RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
    RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
    R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
    FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
    Stack:
     0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
     ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
     ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
    Call Trace:
     [<ffffffff82bca542>] irda_connect+0x562/0x1190
     [<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
     [<ffffffff825b4489>] SyS_connect+0x9/0x10
     [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
     [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
    RIP  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
     RSP <ffff880111747bb8>
    ---[ end trace 4cda2588bc055b30 ]---

The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/irda/af_irda.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1037,8 +1037,11 @@ static int irda_connect(struct socket *s
 	}
 
 	/* Check if we have opened a local TSAP */
-	if (!self->tsap)
-		irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+	if (!self->tsap) {
+		err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+		if (err)
+			goto out;
+	}
 
 	/* Move to connecting socket, start sending Connect Requests */
 	sock->state = SS_CONNECTING;
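Review bot: The new "if (err) goto out;" depends on irda_open_tsap() returning non-zero in every case where it leaves self->tsap NULL. Since the crash in the commit message is a dereference of self->tsap, testing the pointer itself after the call is the sturdier check, for example also bailing out when !self->tsap even if err is 0. Please also confirm that the out label undoes whatever irda_connect() set up before this point, which this hunk does not show.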


* [PATCH 3.16 122/346] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (234 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 159/346] aacraid: Check size values after double-fetch from user Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 325/346] ARM: 8617/1: dma: fix dma_max_pfn() Ben Hutchings
                   ` (110 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Catalin Marinas, linux-arm-kernel, James Hogan, Will Deacon

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 3146bc64d12377a74dbda12b96ea32da3774ae07 upstream.

AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
for arm64 at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
for the VDSO address.

This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
AT_BASE_PLATFORM which arm64 doesn't use, but let's define it now and add
the comment above ARCH_DLINFO as found in several other architectures to
remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
date.

Fixes: f668cd1673aa ("arm64: ELF definitions")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/elf.h         | 1 +
 arch/arm64/include/uapi/asm/auxvec.h | 2 ++
 2 files changed, 3 insertions(+)

--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -137,6 +137,7 @@ extern unsigned long randomize_et_dyn(un
 
 #define SET_PERSONALITY(ex)		clear_thread_flag(TIF_32BIT);
 
+/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
 #define ARCH_DLINFO							\
 do {									\
 	NEW_AUX_ENT(AT_SYSINFO_EHDR,					\
--- a/arch/arm64/include/uapi/asm/auxvec.h
+++ b/arch/arm64/include/uapi/asm/auxvec.h
@@ -19,4 +19,6 @@
 /* vDSO location */
 #define AT_SYSINFO_EHDR	33
 
+#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
+
 #endif


* [PATCH 3.16 113/346] module: Invalidate signatures on force-loaded modules
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (262 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 283/346] parisc: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 229/346] drm/msm: protect against faults from copy_from_user() in submit ioctl Ben Hutchings
                   ` (82 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rusty Russell

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit bca014caaa6130e57f69b5bf527967aa8ee70fdd upstream.

Signing a module should only make it trusted by the specific kernel it
was built for, not anything else.  Loading a signed module meant for a
kernel with a different ABI could have interesting effects.
Therefore, treat all signatures as invalid when a module is
force-loaded.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---
 kernel/module.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2435,13 +2435,18 @@ static inline void kmemleak_load_module(
 #endif
 
 #ifdef CONFIG_MODULE_SIG
-static int module_sig_check(struct load_info *info)
+static int module_sig_check(struct load_info *info, int flags)
 {
 	int err = -ENOKEY;
 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
 	const void *mod = info->hdr;
 
-	if (info->len > markerlen &&
+	/*
+	 * Require flags == 0, as a module with version information
+	 * removed is no longer the module that was signed
+	 */
+	if (flags == 0 &&
+	    info->len > markerlen &&
 	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
 		/* We truncate the module to discard the signature */
 		info->len -= markerlen;
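Review bot: The "flags == 0" test in module_sig_check() discards the signature for any non-zero flag, while the comment above it only mentions removed version information. That fail-closed behaviour is a sound default for a trust decision, but the comment should say it is deliberate so a later change does not narrow it to specific bits by accident. Note also that when the test fails the truncation below (info->len -= markerlen) is skipped, so the signature trailer stays attached to the image that is processed afterwards; a sentence about that in the comment or commit message would help.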
@@ -2463,7 +2468,7 @@ static int module_sig_check(struct load_
 	return err;
 }
 #else /* !CONFIG_MODULE_SIG */
-static int module_sig_check(struct load_info *info)
+static int module_sig_check(struct load_info *info, int flags)
 {
 	return 0;
 }
@@ -3200,7 +3205,7 @@ static int load_module(struct load_info
 	long err;
 	char *after_dashes;
 
-	err = module_sig_check(info);
+	err = module_sig_check(info, flags);
 	if (err)
 		goto free_copy;
 


* [PATCH 3.16 094/346] target: Fix race between iscsi-target connection shutdown + ABORT_TASK
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 260/346] kvm-arm: Unmap shadow pagetables properly Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 172/346] megaraid_sas: Fix probing cards without io port Ben Hutchings
                   ` (200 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nicholas Bellinger, Himanshu Madhani, Mike Christie,
	Hannes Reinecke, Christoph Hellwig, Quinn Tran

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 064cdd2d91c2805d788876082f31cc63506f22c3 upstream.

This patch fixes a race in iscsit_release_commands_from_conn() ->
iscsit_free_cmd() -> transport_generic_free_cmd() + wait_for_tasks=1,
where CMD_T_FABRIC_STOP could end up being set after the final
kref_put() is called from core_tmr_abort_task() context.

This results in transport_generic_free_cmd() blocking indefinitely
on se_cmd->cmd_wait_comp, because the target_release_cmd_kref()
check for CMD_T_FABRIC_STOP returns false.

To address this bug, make iscsit_release_commands_from_conn()
do list_splice and set CMD_T_FABRIC_STOP early while holding
iscsi_conn->cmd_lock.  Also make iscsit_aborted_task() only
remove iscsi_cmd_t if CMD_T_FABRIC_STOP has not already been
set.

Finally in target_release_cmd_kref(), only honor fabric_stop
if CMD_T_ABORTED has been set.

Cc: Mike Christie <mchristi@redhat.com>
Cc: Quinn Tran <quinn.tran@qlogic.com>
Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Tested-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/iscsi/iscsi_target.c    | 22 ++++++++++++++++------
 drivers/target/target_core_transport.c |  3 ++-
 2 files changed, 18 insertions(+), 7 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -505,7 +505,8 @@ static void iscsit_aborted_task(struct i
 	bool scsi_cmd = (cmd->iscsi_opcode == ISCSI_OP_SCSI_CMD);
 
 	spin_lock_bh(&conn->cmd_lock);
-	if (!list_empty(&cmd->i_conn_node))
+	if (!list_empty(&cmd->i_conn_node) &&
+	    !(cmd->se_cmd.transport_state & CMD_T_FABRIC_STOP))
 		list_del_init(&cmd->i_conn_node);
 	spin_unlock_bh(&conn->cmd_lock);
 
@@ -4174,6 +4175,7 @@ transport_err:
 
 static void iscsit_release_commands_from_conn(struct iscsi_conn *conn)
 {
+	LIST_HEAD(tmp_list);
 	struct iscsi_cmd *cmd = NULL, *cmd_tmp = NULL;
 	struct iscsi_session *sess = conn->sess;
 	/*
@@ -4182,18 +4184,26 @@ static void iscsit_release_commands_from
 	 * has been reset -> returned sleeping pre-handler state.
 	 */
 	spin_lock_bh(&conn->cmd_lock);
-	list_for_each_entry_safe(cmd, cmd_tmp, &conn->conn_cmd_list, i_conn_node) {
+	list_splice_init(&conn->conn_cmd_list, &tmp_list);
 
+	list_for_each_entry(cmd, &tmp_list, i_conn_node) {
+		struct se_cmd *se_cmd = &cmd->se_cmd;
+
+		if (se_cmd->se_tfo != NULL) {
+			spin_lock(&se_cmd->t_state_lock);
+			se_cmd->transport_state |= CMD_T_FABRIC_STOP;
+			spin_unlock(&se_cmd->t_state_lock);
+		}
+	}
+	spin_unlock_bh(&conn->cmd_lock);
+
+	list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) {
 		list_del_init(&cmd->i_conn_node);
-		spin_unlock_bh(&conn->cmd_lock);
 
 		iscsit_increment_maxcmdsn(cmd, sess);
-
 		iscsit_free_cmd(cmd, true);
 
-		spin_lock_bh(&conn->cmd_lock);
 	}
-	spin_unlock_bh(&conn->cmd_lock);
 }
 
 static void iscsit_stop_timers_for_cmds(
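Review bot: The second loop in iscsit_release_commands_from_conn() walks tmp_list and calls list_del_init(&cmd->i_conn_node) after conn->cmd_lock has been dropped, while iscsit_aborted_task() can still unlink an entry under that lock whenever CMD_T_FABRIC_STOP is not set. The flag is only set when "se_cmd->se_tfo != NULL", so a command that skips that branch stays removable by the abort path while this loop iterates over it without the lock. Please either mark those commands as well or add a comment explaining why they can never reach iscsit_aborted_task().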
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2457,7 +2457,8 @@ static void target_release_cmd_kref(stru
 
 
 	spin_lock(&se_cmd->t_state_lock);
-	fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP);
+	fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP) &&
+		      (se_cmd->transport_state & CMD_T_ABORTED);
 	spin_unlock(&se_cmd->t_state_lock);
 
 	if (se_cmd->cmd_wait_set || fabric_stop) {
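Review bot: fabric_stop now requires both CMD_T_FABRIC_STOP and CMD_T_ABORTED, but the code carries no comment saying why, and the reason appears only as the last sentence of the commit message. A short comment above the assignment in target_release_cmd_kref() would keep someone from simplifying the condition back to the single flag and reintroducing the hang on cmd_wait_comp.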


* [PATCH 3.16 186/346] iio: adc: at91: unbreak channel adc channel 3
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 262/346] alpha: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 070/346] ARM: 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is coherent Ben Hutchings
                   ` (256 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Anders Darander, Alexandre Belloni, Jonathan Cameron

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anders Darander <anders@chargestorm.se>

commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream.

The driver always assumes that an input device has been created when
reading channel 3. This causes a kernel panic when dereferencing
st->ts_input.

The change was introduced in
commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens
without TSMR"). Earlier versions only entered that part of the if-else
statement if only the following flags are set:

AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY

Signed-off-by: Anders Darander <anders@chargestorm.se>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/at91_adc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt
 		st->ts_bufferedmeasure = false;
 		input_report_key(st->ts_input, BTN_TOUCH, 0);
 		input_sync(st->ts_input);
-	} else if (status & AT91_ADC_EOC(3)) {
-		/* Conversion finished */
+	} else if (status & AT91_ADC_EOC(3) && st->ts_input) {
+		/* Conversion finished and we've a touchscreen */
 		if (st->ts_bufferedmeasure) {
 			/*
 			 * Last measurement is always discarded, since it can
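Review bot: When channel 3 completes on a board without a touchscreen, the "else if (status & AT91_ADC_EOC(3) && st->ts_input)" branch is now skipped, and this hunk does not show which branch then consumes that conversion. Please confirm that the end-of-conversion for channel 3 is still handled for ordinary ADC reads, and say so in the commit message. The precedence in the new condition is correct, but parenthesising the mask test would make that obvious to the next reader.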


* [PATCH 3.16 189/346] usb: xhci: Fix panic if disconnect
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 277/346] metag: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 238/346] ipv6: add missing netconf notif when 'all' is updated Ben Hutchings
                   ` (339 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jim Lin, Greg Kroah-Hartman, Mathias Nyman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Lin <jilin@nvidia.com>

commit 88716a93766b8f095cdef37a8e8f2c93aa233b21 upstream.

After a device is disconnected, xhci_stop_device() will be invoked
in xhci_bus_suspend().
Also the "disconnect" IRQ will have ISR to invoke
xhci_free_virt_device() in this sequence.
xhci_irq -> xhci_handle_event -> handle_cmd_completion ->
xhci_handle_cmd_disable_slot -> xhci_free_virt_device

If xhci->devs[slot_id] has been assigned to NULL in
xhci_free_virt_device(), then virt_dev->eps[i].ring in
xhci_stop_device() may point to an invalid address to cause kernel
panic.

virt_dev = xhci->devs[slot_id];
:
if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue)

[] Unable to handle kernel paging request at virtual address 00001a68
[] pgd=ffffffc001430000
[] [00001a68] *pgd=000000013c807003, *pud=000000013c807003,
*pmd=000000013c808003, *pte=0000000000000000
[] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G     U
[] Workqueue: pm pm_runtime_work
[] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti:
ffffffc0bc0ec000
[] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4

This issue is found when running with realtek ethernet device
(0bda:8153).

Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -276,6 +276,9 @@ static int xhci_stop_device(struct xhci_
 
 	ret = 0;
 	virt_dev = xhci->devs[slot_id];
+	if (!virt_dev)
+		return -ENODEV;
+
 	cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO);
 	if (!cmd) {
 		xhci_dbg(xhci, "Couldn't allocate command structure.\n");
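Review bot: The "if (!virt_dev)" test is made on a pointer read from xhci->devs[slot_id] with no lock visible in this hunk, while the commit message says xhci_free_virt_device() runs from the interrupt path. If the slot is freed after this check but before virt_dev->eps[i].ring is read further down, the same fault can still occur, so the check narrows the window rather than closing it. Consider doing the lookup and the check under the lock that serialises against xhci_free_virt_device(), or document why the window cannot be hit once this test has passed.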


* [PATCH 3.16 308/346] ocfs2/dlm: fix race between convert and migration
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 256/346] crypto: cryptd - initialize child shash_desc on import Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 234/346] dm crypt: fix free of bad values after tfm allocation failure Ben Hutchings
                   ` (196 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joel Becker, Jun Piao, Joseph Qi, Mark Fasheh, Junxiao Bi,
	Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Qi <joseph.qi@huawei.com>

commit e6f0c6e6170fec175fe676495f29029aecdf486c upstream.

Commit ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
checks if lockres master has changed to identify whether new master has
finished recovery or not.  This will introduce a race that right after
old master does umount (means master will change), a new convert
request comes.

In this case, it will reset lockres state to DLM_RECOVERING and then
retry convert, and then fail with lockres->l_action being set to
OCFS2_AST_INVALID, which will cause inconsistent lock level between
ocfs2 and dlm, and then finally BUG.

Since dlm recovery will clear lock->convert_pending in
dlm_move_lockres_to_recovery_list, we can use it to correctly identify
the race case between convert and recovery.  So fix it.

Fixes: ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.com
Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Signed-off-by: Jun Piao <piaojun@huawei.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ocfs2/dlm/dlmconvert.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -262,7 +262,6 @@ enum dlm_status dlmconvert_remote(struct
 				  struct dlm_lock *lock, int flags, int type)
 {
 	enum dlm_status status;
-	u8 old_owner = res->owner;
 
 	mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
 	     lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -329,7 +328,6 @@ enum dlm_status dlmconvert_remote(struct
 
 	spin_lock(&res->spinlock);
 	res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
-	lock->convert_pending = 0;
 	/* if it failed, move it back to granted queue.
 	 * if master returns DLM_NORMAL and then down before sending ast,
 	 * it may have already been moved to granted queue, reset to
@@ -338,12 +336,14 @@ enum dlm_status dlmconvert_remote(struct
 		if (status != DLM_NOTQUEUED)
 			dlm_error(status);
 		dlm_revert_pending_convert(res, lock);
-	} else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
-			(old_owner != res->owner)) {
-		mlog(0, "res %.*s is in recovering or has been recovered.\n",
-				res->lockname.len, res->lockname.name);
+	} else if (!lock->convert_pending) {
+		mlog(0, "%s: res %.*s, owner died and lock has been moved back "
+				"to granted list, retry convert.\n",
+				dlm->name, res->lockname.len, res->lockname.name);
 		status = DLM_RECOVERING;
 	}
+
+	lock->convert_pending = 0;
 bail:
 	spin_unlock(&res->spinlock);
 
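Review bot: "lock->convert_pending = 0;" now sits directly above the
bail: label, so a path that jumps to bail skips the reset but still
reaches spin_unlock(). That is correct only while no goto bail can be
taken after convert_pending has been set; a short comment above the
assignment saying so would stop a later early exit from leaving the flag
stale, now that "!lock->convert_pending" is what decides DLM_RECOVERING.
Separately, the mlog() format string is split across two source lines
("moved back " "to granted list"), which makes the message hard to grep
for; keep it on one line.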


* [PATCH 3.16 178/346] MIPS: KVM: Propagate kseg0/mapped tlb fault errors
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 029/346] Input: xpad - validate USB endpoint count during probe Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 037/346] batman-adv: Fix kerneldoc member names in for main structs Ben Hutchings
                   ` (280 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, linux-mips, James Hogan,
	Radim Krčmář,
	kvm, Paolo Bonzini

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 9b731bcfdec4c159ad2e4312e25d69221709b96a upstream.

Propagate errors from kvm_mips_handle_kseg0_tlb_fault() and
kvm_mips_handle_mapped_seg_tlb_fault(), usually triggering an internal
error since they normally indicate the guest accessed bad physical
memory or the commpage in an unexpected way.

Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/kvm/kvm_mips_emul.c
+++ b/arch/mips/kvm/kvm_mips_emul.c
@@ -1481,9 +1481,13 @@ kvm_mips_emulate_cache(uint32_t inst, ui
 
 	preempt_disable();
 	if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) {
-
-		if (kvm_mips_host_tlb_lookup(vcpu, va) < 0) {
-			kvm_mips_handle_kseg0_tlb_fault(va, vcpu);
+		if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 &&
+		    kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) {
+			kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n",
+				__func__, va, vcpu, read_c0_entryhi());
+			er = EMULATE_FAIL;
+			preempt_enable();
+			goto done;
 		}
 	} else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) ||
 		   KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) {
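
Review bot: the kvm_err() text in the KSEG0 branch says "handling mapped
kseg0 tlb fault", but the call that failed is
kvm_mips_handle_kseg0_tlb_fault() and the mapped-segment case is the
next branch; "mapped" looks carried over from the other message and will
mislead whoever reads the host log. Suggest "handling kseg0 tlb fault
failed for %lx", which also matches the "failed for" wording used in
kvm_get_inst().
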
@@ -1516,11 +1520,19 @@ kvm_mips_emulate_cache(uint32_t inst, ui
 								run, vcpu);
 				preempt_enable();
 				goto dont_update_pc;
-			} else {
-				/* We fault an entry from the guest tlb to the shadow host TLB */
-				kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
-								     NULL,
-								     NULL);
+			}
+			/*
+			 * We fault an entry from the guest tlb to the
+			 * shadow host TLB
+			 */
+			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
+								 NULL, NULL)) {
+				kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
+					__func__, va, index, vcpu,
+					read_c0_entryhi());
+				er = EMULATE_FAIL;
+				preempt_enable();
+				goto done;
 			}
 		}
 	} else {
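
Review bot: this failure path repeats the same three lines as the KSEG0
branch above ("er = EMULATE_FAIL; preempt_enable(); goto done;"), so the
function now has several exits that each have to remember
preempt_enable() after the preempt_disable() at the top of the block. A
single error label that sets er and re-enables preemption before falling
into done would keep the preempt count balanced if another exit is
added. Dropping the "else" is fine since the branch before it ends in
"goto dont_update_pc".
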
@@ -2335,8 +2347,13 @@ kvm_mips_handle_tlbmiss(unsigned long ca
 			    ("Injecting hi: %#lx, lo0: %#lx, lo1: %#lx into shadow host TLB\n",
 			     tlb->tlb_hi, tlb->tlb_lo0, tlb->tlb_lo1);
 			/* OK we have a Guest TLB entry, now inject it into the shadow host TLB */
-			kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL,
-							     NULL);
+			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
+								 NULL, NULL)) {
+				kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
+					__func__, va, index, vcpu,
+					read_c0_entryhi());
+				er = EMULATE_FAIL;
+			}
 		}
 	}
 
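Review bot: unlike the two sites in kvm_mips_emulate_cache(), the
failure branch added to kvm_mips_handle_tlbmiss() only sets
"er = EMULATE_FAIL" and falls through the closing braces instead of
leaving the function. That works only if nothing between here and the
return assigns er again; please confirm, or return directly as the other
sites do. The message also omits "failed", so it reads like a trace line
rather than an error.
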
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -801,10 +801,16 @@ uint32_t kvm_get_inst(uint32_t *opc, str
 				local_irq_restore(flags);
 				return KVM_INVALID_INST;
 			}
-			kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
-							     &vcpu->arch.
-							     guest_tlb[index],
-							     NULL, NULL);
+			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
+						&vcpu->arch.guest_tlb[index],
+						NULL, NULL)) {
+				kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n",
+					__func__, opc, index, vcpu,
+					read_c0_entryhi());
+				kvm_mips_dump_guest_tlbs(vcpu);
+				local_irq_restore(flags);
+				return KVM_INVALID_INST;
+			}
 			inst = *(opc);
 		}
 		local_irq_restore(flags);
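
Review bot: in kvm_get_inst() the new error path calls kvm_err() and
kvm_mips_dump_guest_tlbs() before local_irq_restore(flags), so the whole
guest TLB dump is printed with interrupts disabled. If the dump does not
need the IRQ-off section, restore flags first and then log; if it does,
say why in a comment. Returning KVM_INVALID_INST matches the error
return just above in the context lines.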


* [PATCH 3.16 180/346] PM / hibernate: Restore processor state before using per-CPU variables
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (192 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 119/346] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 255/346] ipv6: addrconf: fix dev refcont leak when DAD failed Ben Hutchings
                   ` (152 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jiri Kosina, Jiri Kosina, Pavel Machek, Rafael J. Wysocki,
	Thomas Garnier, Rafael J. Wysocki

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Garnier <thgarnie@google.com>

commit 62822e2ec4ad091ba31f823f577ef80db52e3c2c upstream.

Restore the processor state before calling any other functions to
ensure per-CPU variables can be used with KASLR memory randomization.

Tracing functions use per-CPU variables (GS based on x86) and one was
called just before restoring the processor state fully. It resulted
in a double fault when both the tracing & the exception handler
functions tried to use a per-CPU variable.

Fixes: bb3632c6101b (PM / sleep: trace events for suspend/resume)
Reported-and-tested-by: Borislav Petkov <bp@suse.de>
Reported-by: Jiri Kosina <jikos@kernel.org>
Tested-by: Rafael J. Wysocki <rafael@kernel.org>
Tested-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/power/hibernate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -301,12 +301,12 @@ static int create_image(int platform_mod
 	save_processor_state();
 	trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, true);
 	error = swsusp_arch_suspend();
+	/* Restore control flow magically appears here */
+	restore_processor_state();
 	trace_suspend_resume(TPS("machine_suspend"), PM_EVENT_HIBERNATE, false);
 	if (error)
 		printk(KERN_ERR "PM: Error %d creating hibernation image\n",
 			error);
-	/* Restore control flow magically appears here */
-	restore_processor_state();
 	if (!in_suspend)
 		events_check_enabled = false;
 
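Review bot: the moved comment ("Restore control flow magically appears
here") does not say why restore_processor_state() has to be the first
call after swsusp_arch_suspend(), so a later cleanup could move the
trace_suspend_resume() call back above it. Suggest extending the comment
with the reason from the commit message: tracing uses per-CPU variables,
which cannot be used until the processor state is restored. The error
printk now also runs after the restore as a side effect, which is fine.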


* [PATCH 3.16 248/346] iio: accel: kxsd9: Fix scaling bug
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (290 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 055/346] x86/quirks: Apply nvidia_bugs quirk only on root bus Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 195/346] gpio: Fix OF build problem on UM Ben Hutchings
                   ` (54 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Jonathan Cameron

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.

All the scaling of the KXSD9 involves multiplication with a
fraction number < 1.

However the scaling value returned from IIO_INFO_SCALE was
unpredictable as only the micros of the value was assigned, and
not the integer part, resulting in scaling like this:

$cat in_accel_scale
-1057462640.011978

Fix this by assigning zero to the integer part.

Tested-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/accel/kxsd9.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
 		if (ret < 0)
 			goto error_ret;
+		*val = 0;
 		*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
 		ret = IIO_VAL_INT_PLUS_MICRO;
 		break;
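
Review bot: "*val = 0;" covers the one branch visible here, but the rule
it enforces is general: any branch of kxsd9_read_raw() that returns
IIO_VAL_INT_PLUS_MICRO must write both *val and *val2, otherwise the
integer part shown to userspace is unpredictable, as the in_accel_scale
example in the commit message shows. Please check the other branches for
the same pattern, and consider a one-line comment here that the scale is
always below 1, so the integer part is 0.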


* [PATCH 3.16 246/346] l2tp: fix use-after-free during module unload
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 107/346] tools/vm/slabinfo: fix an unintentional printf Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 002/346] HID: uhid: fix timeout when probe races with IO Ben Hutchings
                   ` (289 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sabrina Dubroca, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

commit 2f86953e7436c9b9a4690909c5e2db24799e173b upstream.

Tunnel deletion is delayed by both a workqueue (l2tp_tunnel_delete -> wq
 -> l2tp_tunnel_del_work) and RCU (sk_destruct -> RCU ->
l2tp_tunnel_destruct).

By the time l2tp_tunnel_destruct() runs to destroy the tunnel and finish
destroying the socket, the private data reserved via the net_generic
mechanism has already been freed, but l2tp_tunnel_destruct() actually
uses this data.

Make sure tunnel deletion for the netns has completed before returning
from l2tp_exit_net() by first flushing the tunnel removal workqueue, and
then waiting for RCU callbacks to complete.

Fixes: 167eb17e0b17 ("l2tp: create tunnel sockets in the right namespace")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1892,6 +1892,9 @@ static __net_exit void l2tp_exit_net(str
 		(void)l2tp_tunnel_delete(tunnel);
 	}
 	rcu_read_unlock_bh();
+
+	flush_workqueue(l2tp_wq);
+	rcu_barrier();
 }
 
 static struct pernet_operations l2tp_net_ops = {
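
Review bot: the order of the two added calls matters and is not
documented in the code: flush_workqueue(l2tp_wq) has to finish first
because, per the commit message, the queued work is what leads to the
RCU callback, and only then can rcu_barrier() wait for
l2tp_tunnel_destruct(). A two-line comment above them would keep someone
from swapping or dropping one. Also, l2tp_wq is referenced here as a
single global queue, so every netns exit now waits for tunnel deletions
queued from all namespaces plus a full rcu_barrier(); that cost is
acceptable for a use-after-free fix but worth stating in the commit
message.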


* [PATCH 3.16 259/346] xfrm_user: propagate sec ctx allocation errors
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 318/346] tcp: fix a compile error in DBGUNDO() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 296/346] fix minor infoleak in get_user_ex() Ben Hutchings
                   ` (320 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mathias Krause, Steffen Klassert, Thomas Graf

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

commit 2f30ea5090cbc57ea573cdc66421264b3de3fb0a upstream.

When we fail to attach the security context in xfrm_state_construct()
we'll return 0 as error value which, in turn, will wrongly claim success
to userland when, in fact, we won't be adding / updating the XFRM state.

This is a regression introduced by commit fd21150a0fe1 ("[XFRM] netlink:
Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()").

Fix it by propagating the error returned by security_xfrm_state_alloc()
in this case.

Fixes: fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl()...")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -559,9 +559,12 @@ static struct xfrm_state *xfrm_state_con
 	if (err)
 		goto error;
 
-	if (attrs[XFRMA_SEC_CTX] &&
-	    security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
-		goto error;
+	if (attrs[XFRMA_SEC_CTX]) {
+		err = security_xfrm_state_alloc(x,
+						nla_data(attrs[XFRMA_SEC_CTX]));
+		if (err)
+			goto error;
+	}
 
 	if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
 					       attrs[XFRMA_REPLAY_ESN_VAL])))
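
Review bot: the bug class fixed here is "goto error with err still 0",
and only the XFRMA_SEC_CTX site is changed. The context line
"if (err) goto error;" just above shows err is known to be zero on entry
to this block, which is why the old condition reported success. Please
audit the remaining goto error sites in xfrm_state_construct() outside
this hunk for a jump that is not preceded by an assignment to err, and
say in the commit message that this was done.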


* [PATCH 3.16 119/346] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (191 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 024/346] hwrng: omap - Fix assumption that runtime_get_sync will always succeed Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 180/346] PM / hibernate: Restore processor state before using per-CPU variables Ben Hutchings
                   ` (153 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Howells, linux-mips, Ralf Baechle, Stephan Mueller,
	linux-security-module, keyrings

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.

MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
calling sys_keyctl.  The latter will work in a lot of cases, thereby hiding
the issue.

Reported-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: keyrings@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13832/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/scall64-n32.S | 2 +-
 arch/mips/kernel/scall64-o32.S | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -353,7 +353,7 @@ EXPORT(sysn32_call_table)
 	PTR	sys_ni_syscall			/* available, was setaltroot */
 	PTR	sys_add_key
 	PTR	sys_request_key
-	PTR	sys_keyctl			/* 6245 */
+	PTR	compat_sys_keyctl		/* 6245 */
 	PTR	sys_set_thread_area
 	PTR	sys_inotify_init
 	PTR	sys_inotify_add_watch
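
Review bot: only the keyctl slot changes in sysn32_call_table, while the
adjacent sys_add_key and sys_request_key entries stay on the native
handlers. The commit message should say why those two are safe for
32-bit callers and keyctl is not, since it already notes that the native
call "will work in a lot of cases, thereby hiding the issue", which is
exactly how a missed neighbour would go unnoticed.
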
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -491,7 +491,7 @@ EXPORT(sys32_call_table)
 	PTR	sys_ni_syscall			/* available, was setaltroot */
 	PTR	sys_add_key			/* 4280 */
 	PTR	sys_request_key
-	PTR	sys_keyctl
+	PTR	compat_sys_keyctl
 	PTR	sys_set_thread_area
 	PTR	sys_inotify_init
 	PTR	sys_inotify_add_watch		/* 4285 */
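
Review bot: the diffstat shows only the two syscall tables changing, so
the patch relies on compat_sys_keyctl already being built and linked for
MIPS64 in the 3.16 tree in every configuration where sys32_call_table
is. Please build-test with CONFIG_KEYS both enabled and disabled, since
a missing symbol here is a link failure rather than a runtime error.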


* [PATCH 3.16 254/346] Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (301 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 079/346] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 332/346] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Ben Hutchings
                   ` (43 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chris Mason

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Mason <clm@fb.com>

commit cbd60aa7cd17d81a434234268c55192862147439 upstream.

We use a btrfs_log_ctx structure to pass information into the
tree log commit, and get error values out.  It gets added to a per
log-transaction list which we walk when things go bad.

Commit d1433debe added an optimization to skip waiting for the log
commit, but didn't take root_log_ctx out of the list.  This
patch makes sure we remove things before exiting.

Signed-off-by: Chris Mason <clm@fb.com>
Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/tree-log.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2601,6 +2601,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
 
 	if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
 		blk_finish_plug(&plug);
+		list_del_init(&root_log_ctx.list);
 		mutex_unlock(&log_root_tree->log_mutex);
 		ret = root_log_ctx.log_ret;
 		goto out;
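
Review bot: root_log_ctx is accessed with "." here and, per the subject
line, has to be off the ctx list before btrfs_sync_log() returns, so any
other exit taken after the ctx is queued needs the same list_del_init();
please check the remaining "goto out" paths in this function. The new
call is placed before mutex_unlock(&log_root_tree->log_mutex), which
looks right, but the commit message should name the lock that protects
the list so the placement can be reviewed.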


* [PATCH 3.16 175/346] MIPS: KVM: Fix mapped fault broken commpage handling
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 001/346] lib/mpi: mpi_read_raw_data(): fix nbits calculation Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 134/346] tcp: consider recv buf for the initial window scale Ben Hutchings
                   ` (323 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, James Hogan, linux-mips, kvm, Paolo Bonzini,
	Radim Krčmář

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit c604cffa93478f8888bec62b23d6073dad03d43a upstream.

kvm_mips_handle_mapped_seg_tlb_fault() appears to map the guest page at
virtual address 0 to PFN 0 if the guest has created its own mapping
there. The intention is unclear, but it may have been an attempt to
protect the zero page from being mapped to anything but the comm page in
code paths you wouldn't expect from genuine commpage accesses (guest
kernel mode cache instructions on that address, hitting trapping
instructions when executing from that address with a coincidental TLB
eviction during the KVM handling, and guest user mode accesses to that
address).

Fix this to check for mappings exactly at KVM_GUEST_COMMPAGE_ADDR (it
may not be at address 0 since commit 42aa12e74e91 ("MIPS: KVM: Move
commpage so 0x0 is unmapped")), and set the corresponding EntryLo to be
interpreted as 0 (invalid).

Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -361,21 +361,32 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
 	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
 	struct kvm *kvm = vcpu->kvm;
 	pfn_t pfn0, pfn1;
+	long tlb_lo[2];
 
 
-	if ((tlb->tlb_hi & VPN2_MASK) == 0) {
-		pfn0 = 0;
-		pfn1 = 0;
-	} else {
-		if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT) < 0)
-			return -1;
-
-		if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT) < 0)
-			return -1;
-
-		pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT];
-		pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT];
-	}
+	tlb_lo[0] = tlb->tlb_lo0;
+	tlb_lo[1] = tlb->tlb_lo1;
+
+	/*
+	 * The commpage address must not be mapped to anything else if the guest
+	 * TLB contains entries nearby, or commpage accesses will break.
+	 */
+	if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
+			VPN2_MASK & (PAGE_MASK << 1)))
+		tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
+
+	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
+				   >> PAGE_SHIFT) < 0)
+		return -1;
+
+	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
+				   >> PAGE_SHIFT) < 0)
+		return -1;
+
+	pfn0 = kvm->arch.guest_pmap[
+		mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
+	pfn1 = kvm->arch.guest_pmap[
+		mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
 
 	if (hpa0)
 		*hpa0 = pfn0 << PAGE_SHIFT;
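
Review bot: "long tlb_lo[2];" is signed, while the EntryLo values it
copies are later combined into the unsigned long entrylo0/entrylo1
declared in the context lines above and shifted to form an index into
guest_pmap[]. Use unsigned long so that no shift or comparison on these
values depends on sign. The commpage test
"!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) & VPN2_MASK & (PAGE_MASK << 1))"
is also dense enough to deserve a small helper or a comment on what each
mask removes.
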
@@ -387,9 +398,9 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
 	entryhi = (tlb->tlb_hi & VPN2_MASK) | (KVM_GUEST_KERNEL_MODE(vcpu) ?
 			kvm_mips_get_kernel_asid(vcpu) : kvm_mips_get_user_asid(vcpu));
 	entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) |
-			(tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 & MIPS3_PG_V);
+		(tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V);
 	entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) |
-			(tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 & MIPS3_PG_V);
+		(tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V);
 
 	kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
 		  tlb->tlb_lo0, tlb->tlb_lo1);
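
Review bot: entrylo0/entrylo1 are now built from tlb_lo[0]/tlb_lo[1],
but the kvm_debug() in the trailing context still prints tlb->tlb_lo0
and tlb->tlb_lo1. When the commpage entry has been forced to 0, the
debug line will show the guest's original EntryLo rather than what is
written to the shadow host TLB; print tlb_lo[] (or both) so the log
matches the installed mapping.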


* [PATCH 3.16 176/346] MIPS: KVM: Add missing gfn range check
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 006/346] netlabel: add address family checks to netlbl_{sock,req}_delattr() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 328/346] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 Ben Hutchings
                   ` (227 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, linux-mips, James Hogan, kvm, Paolo Bonzini,
	Radim Krčmář

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.

kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
based on the guest TLB EntryLo values, however it is not range checked
to ensure it lies within the guest_pmap. If the physical memory the
guest refers to is out of range then dump the guest TLB and emit an
internal error.

Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kvm/kvm_tlb.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -361,6 +361,7 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
 	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
 	struct kvm *kvm = vcpu->kvm;
 	pfn_t pfn0, pfn1;
+	gfn_t gfn0, gfn1;
 	long tlb_lo[2];
 
 
@@ -375,18 +376,24 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
 			VPN2_MASK & (PAGE_MASK << 1)))
 		tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
 
-	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
-				   >> PAGE_SHIFT) < 0)
+	gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
+	gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
+	if (gfn0 >= kvm->arch.guest_pmap_npages ||
+	    gfn1 >= kvm->arch.guest_pmap_npages) {
+		kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
+			__func__, gfn0, gfn1, tlb->tlb_hi);
+		kvm_mips_dump_guest_tlbs(vcpu);
 		return -1;
+	}
 
-	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
-				   >> PAGE_SHIFT) < 0)
+	if (kvm_mips_map_page(kvm, gfn0) < 0)
 		return -1;
 
-	pfn0 = kvm->arch.guest_pmap[
-		mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
-	pfn1 = kvm->arch.guest_pmap[
-		mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
+	if (kvm_mips_map_page(kvm, gfn1) < 0)
+		return -1;
+
+	pfn0 = kvm->arch.guest_pmap[gfn0];
+	pfn1 = kvm->arch.guest_pmap[gfn1];
 
 	if (hpa0)
 		*hpa0 = pfn0 << PAGE_SHIFT;
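
Review bot: the new out-of-range path is driven by guest-controlled
EntryLo values, and each hit emits a kvm_err() line plus a full
kvm_mips_dump_guest_tlbs(). Whether the guest can repeat it depends on
how the internal error is handled afterwards, so a ratelimited print
would be the safer default for the host log. The check itself is in the
right place, before both kvm_mips_map_page() calls and before
guest_pmap[] is indexed; since "%#llx" is used for gfn0/gfn1, confirm
gfn_t is unsigned long long on this architecture or add a cast.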


* [PATCH 3.16 250/346] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 110/346] tile: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 007/346] [media] em28xx-i2c: rt_mutex_trylock() returns zero on failure Ben Hutchings
                   ` (86 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Yoshihiro Shimoda

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream.

With the previous driver, it is possible to stop the transfer wrongly.
For example:
 1) An interrupt happens, but not BRDY interruption.
 2) Read INTSTS0. And then state->intsts0 is not set to BRDY.
 3) BRDY is set to 1 here.
 4) Read BRDYSTS.
 5) Clear the BRDYSTS. And then, the BRDY is cleared wrongly.

Remarks:
 - The INTSTS0.BRDY is read only.
  - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
  - If BRDYSTS is 0, the BRDY is set to 0.

So, this patch adds a condition to avoid such a situation. (And about
NRDYSTS, this is not used for now. But, to avoid any side effects,
this patch doesn't touch it.)

Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/mod.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/usb/renesas_usbhs/mod.c
+++ b/drivers/usb/renesas_usbhs/mod.c
@@ -272,9 +272,16 @@ static irqreturn_t usbhs_interrupt(int i
 	usbhs_write(priv, INTSTS0, ~irq_state.intsts0 & INTSTS0_MAGIC);
 	usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
 
-	usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+	/*
+	 * The driver should not clear the xxxSTS after the line of
+	 * "call irq callback functions" because each "if" statement is
+	 * possible to call the callback function for avoiding any side effects.
+	 */
+	if (irq_state.intsts0 & BRDY)
+		usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
 	usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
-	usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+	if (irq_state.intsts0 & BEMP)
+		usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
 
 	/*
 	 * call irq callback functions
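
Review bot: the added comment does not state the actual reason for the
two new conditions. The commit message has it: INTSTS0.BRDY is read-only
and follows BRDYSTS, so writing BRDYSTS when irq_state.intsts0 did not
have BRDY set can clear a BRDY that was raised after INTSTS0 was read.
Please put that in the comment in place of the current wording, and
mention that NRDYSTS is deliberately still written unconditionally, as
the last paragraph of the commit message says.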


* [PATCH 3.16 249/346] sched/core: Fix a race between try_to_wake_up() and a woken up task
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (330 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 149/346] mac80211: fix purging multicast PS buffer queue Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 032/346] ext4: fix deadlock during page writeback Ben Hutchings
                   ` (14 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Ingo Molnar, Nicholas Piggin,
	Benjamin Herrenschmidt, Nicholas Piggin, Alexey Kardashevskiy,
	Peter Zijlstra (Intel),
	Oleg Nesterov, Linus Torvalds, Balbir Singh

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Balbir Singh <bsingharora@gmail.com>

commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream.

The origin of the issue I've seen is related to
a missing memory barrier between check for task->state and
the check for task->on_rq.

The task being woken up is already awake from a schedule()
and is doing the following:

	do {
		schedule()
		set_current_state(TASK_(UN)INTERRUPTIBLE);
	} while (!cond);

The waker, actually gets stuck doing the following in
try_to_wake_up():

	while (p->on_cpu)
		cpu_relax();

Analysis:

The instance I've seen involves the following race:

 CPU1					CPU2

 while () {
   if (cond)
     break;
   do {
     schedule();
     set_current_state(TASK_UN..)
   } while (!cond);
					wakeup_routine()
					  spin_lock_irqsave(wait_lock)
   raw_spin_lock_irqsave(wait_lock)	  wake_up_process()
 }					  try_to_wake_up()
 set_current_state(TASK_RUNNING);	  ..
 list_del(&waiter.list);

CPU2 wakes up CPU1, but before it can get the wait_lock and set
current state to TASK_RUNNING the following occurs:

 CPU3
 wakeup_routine()
 raw_spin_lock_irqsave(wait_lock)
 if (!list_empty)
   wake_up_process()
   try_to_wake_up()
   raw_spin_lock_irqsave(p->pi_lock)
   ..
   if (p->on_rq && ttwu_wakeup())
   ..
   while (p->on_cpu)
     cpu_relax()
   ..

CPU3 tries to wake up the task on CPU1 again since it finds
it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
after CPU2, CPU3 got it.

CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
the task is spinning on the wait_lock. Interestingly since p->on_rq
is checked under pi_lock, I've noticed that try_to_wake_up() finds
p->on_rq to be 0. This was the most confusing bit of the analysis,
but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
check is not reliable without this fix IMHO. The race is visible
(based on the analysis) only when ttwu_queue() does a remote wakeup
via ttwu_queue_remote. In which case the p->on_rq change is not
done under the pi_lock.

The result is that after a while the entire system locks up on
the raw_spin_irqlock_save(wait_lock) and the holder spins infinitely

Reproduction of the issue:

The issue can be reproduced after a long run on my system with 80
threads and having to tweak available memory to very low and running
memory stress-ng mmapfork test. It usually takes a long time to
reproduce. I am trying to work on a test case that can reproduce
the issue faster, but that's work in progress. I am still testing the
changes on my still in a loop and the tests seem OK thus far.

Big thanks to Benjamin and Nick for helping debug this as well.
Ben helped catch the missing barrier, Nick caught every missing
bit in my theory.

Signed-off-by: Balbir Singh <bsingharora@gmail.com>
[ Updated comment to clarify matching barriers. Many
  architectures do not have a full barrier in switch_to()
  so that cannot be relied upon. ]
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/core.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1696,6 +1696,28 @@ try_to_wake_up(struct task_struct *p, un
 	success = 1; /* we're going to change ->state */
 	cpu = task_cpu(p);
 
+	/*
+	 * Ensure we load p->on_rq _after_ p->state, otherwise it would
+	 * be possible to, falsely, observe p->on_rq == 0 and get stuck
+	 * in smp_cond_load_acquire() below.
+	 *
+	 * sched_ttwu_pending()                 try_to_wake_up()
+	 *   [S] p->on_rq = 1;                  [L] P->state
+	 *       UNLOCK rq->lock  -----.
+	 *                              \
+	 *				 +---   RMB
+	 * schedule()                   /
+	 *       LOCK rq->lock    -----'
+	 *       UNLOCK rq->lock
+	 *
+	 * [task p]
+	 *   [S] p->state = UNINTERRUPTIBLE     [L] p->on_rq
+	 *
+	 * Pairs with the UNLOCK+LOCK on rq->lock from the
+	 * last wakeup of our task and the schedule that got our task
+	 * current.
+	 */
+	smp_rmb();
 	if (p->on_rq && ttwu_remote(p, wake_flags))
 		goto stat;
 
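Review bot: the new comment says the waker can get stuck "in smp_cond_load_acquire() below", but the commit message describes the spin as "while (p->on_cpu) cpu_relax();". If this tree still has the open-coded loop, the comment should name that loop so a reader of kernel/sched/core.c can find the wait it refers to. The diagram also writes P->state with a capital P where p->state is meant.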

* [PATCH 3.16 193/346] bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kent Overstreet, Eric Wheeler

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kent Overstreet <kent.overstreet@gmail.com>

commit acc9cf8c66c66b2cbbdb4a375537edee72be64df upstream.

This patch fixes a cachedev registration-time allocation deadlock.
This can deadlock on boot if your initrd auto-registers bcache devices:

Allocator thread:
[  720.727614] INFO: task bcache_allocato:3833 blocked for more than 120 seconds.
[  720.732361]  [<ffffffff816eeac7>] schedule+0x37/0x90
[  720.732963]  [<ffffffffa05192b8>] bch_bucket_alloc+0x188/0x360 [bcache]
[  720.733538]  [<ffffffff810e6950>] ? prepare_to_wait_event+0xf0/0xf0
[  720.734137]  [<ffffffffa05302bd>] bch_prio_write+0x19d/0x340 [bcache]
[  720.734715]  [<ffffffffa05190bf>] bch_allocator_thread+0x3ff/0x470 [bcache]
[  720.735311]  [<ffffffff816ee41c>] ? __schedule+0x2dc/0x950
[  720.735884]  [<ffffffffa0518cc0>] ? invalidate_buckets+0x980/0x980 [bcache]

Registration thread:
[  720.710403] INFO: task bash:3531 blocked for more than 120 seconds.
[  720.715226]  [<ffffffff816eeac7>] schedule+0x37/0x90
[  720.715805]  [<ffffffffa05235cd>] __bch_btree_map_nodes+0x12d/0x150 [bcache]
[  720.716409]  [<ffffffffa0522d30>] ? bch_btree_insert_check_key+0x1c0/0x1c0 [bcache]
[  720.717008]  [<ffffffffa05236e4>] bch_btree_insert+0xf4/0x170 [bcache]
[  720.717586]  [<ffffffff810e6950>] ? prepare_to_wait_event+0xf0/0xf0
[  720.718191]  [<ffffffffa0527d9a>] bch_journal_replay+0x14a/0x290 [bcache]
[  720.718766]  [<ffffffff810cc90d>] ? ttwu_do_activate.constprop.94+0x5d/0x70
[  720.719369]  [<ffffffff810cf684>] ? try_to_wake_up+0x1d4/0x350
[  720.719968]  [<ffffffffa05317d0>] run_cache_set+0x580/0x8e0 [bcache]
[  720.720553]  [<ffffffffa053302e>] register_bcache+0xe2e/0x13b0 [bcache]
[  720.721153]  [<ffffffff81354cef>] kobj_attr_store+0xf/0x20
[  720.721730]  [<ffffffff812a2dad>] sysfs_kf_write+0x3d/0x50
[  720.722327]  [<ffffffff812a225a>] kernfs_fop_write+0x12a/0x180
[  720.722904]  [<ffffffff81225177>] __vfs_write+0x37/0x110
[  720.723503]  [<ffffffff81228048>] ? __sb_start_write+0x58/0x110
[  720.724100]  [<ffffffff812cedb3>] ? security_file_permission+0x23/0xa0
[  720.724675]  [<ffffffff812258a9>] vfs_write+0xa9/0x1b0
[  720.725275]  [<ffffffff8102479c>] ? do_audit_syscall_entry+0x6c/0x70
[  720.725849]  [<ffffffff81226755>] SyS_write+0x55/0xd0
[  720.726451]  [<ffffffff8106a390>] ? do_page_fault+0x30/0x80
[  720.727045]  [<ffffffff816f2cae>] system_call_fastpath+0x12/0x71

The fifo code in upstream bcache can't use the last element in the buffer,
which was the cause of the bug: if you asked for a power of two size,
it'd give you a fifo that could hold one less than what you asked for
rather than allocating a buffer twice as big.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1829,7 +1829,7 @@ static int cache_alloc(struct cache_sb *
 	free = roundup_pow_of_two(ca->sb.nbuckets) >> 10;
 
 	if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) ||
-	    !init_fifo(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
+	    !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
 	    !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) ||
 	    !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) ||
 	    !init_fifo(&ca->free_inc,	free << 2, GFP_KERNEL) ||
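Review bot: only RESERVE_PRIO is switched to init_fifo_exact(), with no comment at the call site saying why it differs from its neighbours. RESERVE_BTREE on the line above still asks init_fifo() for 8, a power of two, which by the commit message's description yields a fifo holding one less than requested; either confirm that is enough there or give it the same treatment. A one-line comment that prio_buckets(ca) entries must fit exactly would keep the call from being changed back to init_fifo() later.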

* [PATCH 3.16 255/346] ipv6: addrconf: fix dev refcont leak when DAD failed
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wei Yongjun, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Yongjun <weiyongjun1@huawei.com>

commit 751eb6b6042a596b0080967c1a529a9fe98dac1d upstream.

In general, when DAD detected IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work, the call tree should be like this:

ndisc_recv_ns
  -> addrconf_dad_failure        <- missing ifp put
     -> addrconf_mod_dad_work
       -> schedule addrconf_dad_work()
         -> addrconf_dad_stop()  <- missing ifp hold before call it

addrconf_dad_failure() called with ifp refcount holding but not put.
addrconf_dad_work() call addrconf_dad_stop() without extra holding
refcount. This will not cause any issue normally.

But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause ifp refcount leak and netdevice cannot be unregistered,
dmesg shows the following messages:

IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1

Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/addrconf.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1686,6 +1686,7 @@ void addrconf_dad_failure(struct inet6_i
 	spin_unlock_bh(&ifp->state_lock);
 
 	addrconf_mod_dad_work(ifp, 0);
+	in6_ifa_put(ifp);
 }
 
 /* Join to solicited addr multicast group.
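Review bot: in6_ifa_put() is added only on the fall-through path after addrconf_mod_dad_work(ifp, 0); any earlier return in addrconf_dad_failure() above this hunk has to drop the caller's reference as well, or the leak just moves. Please also add a short comment stating that the function now consumes the reference its caller took, since that is not visible from the signature.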
@@ -3262,6 +3263,7 @@ static void addrconf_dad_work(struct wor
 		addrconf_dad_begin(ifp);
 		goto out;
 	} else if (action == DAD_ABORT) {
+		in6_ifa_hold(ifp);
 		addrconf_dad_stop(ifp, 1);
 		goto out;
 	}
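Review bot: the in6_ifa_hold() before addrconf_dad_stop(ifp, 1) has no visible matching put in the DAD_ABORT branch, so the balance depends on addrconf_dad_stop() dropping a reference internally. A comment on this branch naming where that reference is released would make the pairing checkable from this function; without it the hold reads like a leak.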

* [PATCH 3.16 252/346] iio:core: fix IIO_VAL_FRACTIONAL sign handling
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Gregor Boirie, Jonathan Cameron, Lars-Peter Clausen

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gregor Boirie <gregor.boirie@parrot.com>

commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream.

7985e7c100 ("iio: Introduce a new fractional value type") introduced a
new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers
expressed by a numerator and denominator combination.

Formatting of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This
fails handling negative values properly since parameters are reevaluated
as unsigned values.
Fix this by using div_s64_rem() instead. Computed integer part will carry
properly signed value. Formatted fractional part will always be positive.

Fixes: 7985e7c100 ("iio: Introduce a new fractional value type")
Signed-off-by: Gregor Boirie <gregor.boirie@parrot.com>
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/industrialio-core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -404,9 +404,8 @@ ssize_t iio_format_value(char *buf, unsi
 			return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
 	case IIO_VAL_FRACTIONAL:
 		tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
-		vals[1] = do_div(tmp, 1000000000LL);
-		vals[0] = tmp;
-		return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
+		vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]);
+		return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]));
 	case IIO_VAL_FRACTIONAL_LOG2:
 		tmp = (s64)vals[0] * 1000000000LL >> vals[1];
 		vals[1] = do_div(tmp, 1000000000LL);
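Review bot: a negative value whose integer part is zero still loses its sign in the IIO_VAL_FRACTIONAL case. For vals = {-1, 2}, div_s64_rem() returns 0 with a remainder of -500000000, and "%d.%09u" with abs(vals[1]) prints 0.500000000. The case needs an explicit branch for tmp < 0 with a zero quotient that emits "-0." before the fraction. The IIO_VAL_FRACTIONAL_LOG2 case directly below still passes a signed tmp to do_div() and looks open to the same unsigned reinterpretation the commit message describes.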

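The sign handling described in the commit message above, as an added userspace example (not code from the patch or the kernel tree). emu_do_div() and emu_div_s64_rem() are stand-ins written here for the kernel helpers, the sample fractions are constructed, and format_signed() is a hypothetical variant that covers negative values whose integer part is zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NANO 1000000000LL

/* Scratch buffers for the demo output (one per formatter). */
static char scratch[3][32];

/* Userspace stand-in for the kernel's do_div(): the dividend is treated as an
 * unsigned 64-bit value, divided in place, and the remainder is returned. */
static uint32_t emu_do_div(uint64_t *n, uint32_t base)
{
	uint32_t rem = (uint32_t)(*n % base);

	*n /= base;
	return rem;
}

/* Userspace stand-in for div_s64_rem(): signed division that truncates toward
 * zero; the remainder takes the sign of the dividend. */
static int64_t emu_div_s64_rem(int64_t dividend, int32_t divisor, int32_t *rem)
{
	*rem = (int32_t)(dividend % divisor);
	return dividend / divisor;
}

/* Formatting as it was before the patch: the signed tmp goes through do_div().
 * The trailing newline of the kernel format string is left out here. */
static const char *format_before(int num, int den, char *buf, size_t len)
{
	int64_t tmp = (int64_t)num * NANO / den;
	uint64_t utmp = (uint64_t)tmp;		/* reinterpreted as unsigned */
	uint32_t frac = emu_do_div(&utmp, 1000000000U);
	int whole = (int)(uint32_t)utmp;	/* "vals[0] = tmp" keeps 32 bits */

	snprintf(buf, len, "%d.%09u", whole, (unsigned)frac);
	return buf;
}

/* Formatting as in the patch: div_s64_rem(), fraction printed via abs(). */
static const char *format_patched(int num, int den, char *buf, size_t len)
{
	int32_t frac;
	int64_t tmp = (int64_t)num * NANO / den;
	int whole = (int)emu_div_s64_rem(tmp, 1000000000, &frac);

	snprintf(buf, len, "%d.%09u", whole, (unsigned)abs(frac));
	return buf;
}

/* Hypothetical variant (an assumption of this example, not part of the patch):
 * emit the sign explicitly when the value is negative but the integer part is
 * zero, because "%d" cannot print a negative zero. */
static const char *format_signed(int num, int den, char *buf, size_t len)
{
	int32_t frac;
	int64_t tmp = (int64_t)num * NANO / den;
	int whole = (int)emu_div_s64_rem(tmp, 1000000000, &frac);

	if (tmp < 0 && whole == 0)
		snprintf(buf, len, "-0.%09u", (unsigned)abs(frac));
	else
		snprintf(buf, len, "%d.%09u", whole, (unsigned)abs(frac));
	return buf;
}

int main(void)
{
	/* Constructed sample fractions: numerator, denominator. */
	static const int samples[][2] = { {3, 2}, {-3, 2}, {-1, 2}, {1, -4} };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int n = samples[i][0], d = samples[i][1];

		printf("%3d/%-3d before=%s patched=%s signed=%s\n", n, d,
		       format_before(n, d, scratch[0], sizeof(scratch[0])),
		       format_patched(n, d, scratch[1], sizeof(scratch[1])),
		       format_signed(n, d, scratch[2], sizeof(scratch[2])));
	}
	return 0;
}
```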
* [PATCH 3.16 260/346] kvm-arm: Unmap shadow pagetables properly
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Morse, Christoffer Dall, Marc Zyngier,
	Suzuki K Poulose, Catalin Marinas, Itaru Kitayama

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 293f293637b55db4f9f522a5a72514e98a541076 upstream.

On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
the userspace buffer gets unmapped. However, when the Hypervisor
process exits without explicit unmap of the guest buffers, the only
notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
) which does nothing on arm. Later this causes us to access pages that
were already released [via exit_mmap() -> unmap_vmas()] when we actually
get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
which unmaps any free'd pages from the linear map.

 [  757.644120] Unable to handle kernel paging request at virtual address
  ffff800661e00000
 [  757.652046] pgd = ffff20000b1a2000
 [  757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
  *pmd=00000047fcc7c003, *pte=00e8004661e00712
 [  757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
 [  757.672041] Modules linked in:
 [  757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G      D
 4.8.0-rc1 #3
 [  757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
  BIOS 3.06.15 Aug 19 2016
 [  757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
 [  757.698840] PC is at __flush_dcache_area+0x1c/0x40
 [  757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
 [  757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
 ...
 [  758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
 [  758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
 [  758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
 [  758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
 [  758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
 [  758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
 [  758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
 [  758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
 [  758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
 [  758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
 [  758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
 [  758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
 [  758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
 [  758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
 [  758.432608] [<ffff200008083624>] work_pending+0x10/0x14
 [  758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)

This patch fixes the issue by moving the kvm_free_stage2_pgd() to
kvm_arch_flush_shadow_all().

Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
Reported-by: James Morse <james.morse@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kvm/arm.c | 2 --
 arch/arm/kvm/mmu.c | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -164,8 +164,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm
 {
 	int i;
 
-	kvm_free_stage2_pgd(kvm);
-
 	for (i = 0; i < KVM_MAX_VCPUS; ++i) {
 		if (kvm->vcpus[i]) {
 			kvm_arch_vcpu_free(kvm->vcpus[i]);
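Review bot: with kvm_free_stage2_pgd() removed from kvm_arch_destroy_vm(), freeing the stage2 pgd relies entirely on kvm_arch_flush_shadow_all() having run first. If a VM can reach destroy without the mmu_notifier release callback firing, for example when creation fails part-way, the pgd is never freed. Please confirm every destroy path is preceded by the release callback, or keep a call here that is a no-op once the pgd is gone.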
--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -1257,6 +1257,7 @@ void kvm_arch_memslots_updated(struct kv
 
 void kvm_arch_flush_shadow_all(struct kvm *kvm)
 {
+	kvm_free_stage2_pgd(kvm);
 }
 
 void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
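Review bot: kvm_arch_flush_shadow_all() goes from an empty body to freeing the stage2 pgd with no comment. A line explaining that this callback is the last point at which the userspace mappings are still valid, which is the reason given in the commit message, belongs above the new call so that nobody moves it back to the destroy path.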

* [PATCH 3.16 253/346] Btrfs: add missing blk_finish_plug in btrfs_sync_log()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chris Mason, David Sterba, Forrest Liu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Forrest Liu <forrestl@synology.com>

commit 3da5ab56482f322a9736c484db8773899c5c731b upstream.

Add missing blk_finish_plug in btrfs_sync_log()

Signed-off-by: Forrest Liu <forrestl@synology.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/tree-log.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2600,6 +2600,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
 	}
 
 	if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
+		blk_finish_plug(&plug);
 		mutex_unlock(&log_root_tree->log_mutex);
 		ret = root_log_ctx.log_ret;
 		goto out;
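Review bot: the fix repeats blk_finish_plug(&plug) by hand on one "goto out" exit, which is how the call came to be missed in the first place. Consider a label ahead of "out" that finishes the plug, so the next early exit added inside the plugged region cannot skip it. The commit message only restates the subject; it should say what an unfinished plug causes on this path.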

* [PATCH 3.16 257/346] ALSA: timer: Fix zero-division by continue of uninitialized instance
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dmitry Vyukov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b upstream.

When a user timer instance is continued without the explicit start
beforehand, the system gets eventually zero-division error like:

  divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
  CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   task: ffff88003c9b2280 task.stack: ffff880027280000
   RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
   RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
  Call Trace:
   <IRQ>
   [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
   [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
   [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
   [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
   [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
   [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
   <EOI>
   .....

Although a similar issue was spotted and a fix patch was merged in
commit [6b760bb2c63a: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
iceberg.

In this patch, we fix the issue a bit more drastically.  Basically the
continue of an uninitialized timer is supposed to be a fresh start, so
we do it for user timers.  For the direct snd_timer_continue() call,
there is no way to pass the initial tick value, so we kick out for the
uninitialized case.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16:
 - Adjust context
 - In _snd_timer_stop(), check the value of 'event' instead of 'stop']
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -35,6 +35,9 @@
 #include <sound/initval.h>
 #include <linux/kmod.h>
 
+/* internal flags */
+#define SNDRV_TIMER_IFLG_PAUSED		0x00010000
+
 #if IS_ENABLED(CONFIG_SND_HRTIMER)
 #define DEFAULT_TIMER_LIMIT 4
 #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
@@ -569,6 +572,10 @@ static int _snd_timer_stop(struct snd_ti
 		}
 	}
 	timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+	if (event == SNDRV_TIMER_EVENT_STOP)
+		timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
+	else
+		timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
 	spin_unlock_irqrestore(&timer->lock, flags);
       __end:
 	if (event != SNDRV_TIMER_EVENT_RESOLUTION)
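Review bot: the else branch sets SNDRV_TIMER_IFLG_PAUSED for every event other than SNDRV_TIMER_EVENT_STOP, yet the test after the unlock shows that _snd_timer_stop() distinguishes further event values such as SNDRV_TIMER_EVENT_RESOLUTION. Testing for the pause event explicitly would keep an unrelated event from marking the instance as paused, and would make the intent readable without the backport note.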
@@ -611,6 +618,10 @@ int snd_timer_continue(struct snd_timer_
 
 	if (timeri == NULL)
 		return result;
+	/* timer can continue only after pause */
+	if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+		return -EINVAL;
+
 	if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
 		return snd_timer_start_slave(timeri);
 	timer = timeri->timer;
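Review bot: the PAUSED check sits ahead of the SNDRV_TIMER_IFLG_SLAVE branch, so a slave instance that was never paused now gets -EINVAL instead of reaching snd_timer_start_slave(). If that is intended the comment should say so. It is also a behaviour change for in-kernel callers of snd_timer_continue(), which should be audited for handling the new error.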
@@ -1844,6 +1855,9 @@ static int snd_timer_user_continue(struc
 	tu = file->private_data;
 	if (!tu->timeri)
 		return -EBADFD;
+	/* start timer instead of continue if it's not used before */
+	if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+		return snd_timer_user_start(file);
 	tu->timeri->lost = 0;
 	return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
 }
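Review bot: tu->timeri->flags is tested here without timer->lock, while _snd_timer_stop() updates the PAUSED bit under that spinlock. A concurrent stop or pause on the same instance can change the flag between this test and the call that follows. Either take the lock for the test or add a comment stating why the ioctl path is already serialized.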

* [PATCH 3.16 256/346] crypto: cryptd - initialize child shash_desc on import
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ard Biesheuvel, Herbert Xu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.

When calling .import() on a cryptd ahash_request, the structure members
that describe the child transform in the shash_desc need to be initialized
like they are when calling .init()

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/cryptd.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct aha
 
 static int cryptd_hash_import(struct ahash_request *req, const void *in)
 {
-	struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+	struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
+	struct shash_desc *desc = cryptd_shash_desc(req);
 
-	return crypto_shash_import(&rctx->desc, in);
+	desc->tfm = ctx->child;
+	desc->flags = req->base.flags;
+
+	return crypto_shash_import(desc, in);
 }
 
 static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
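Review bot: the two assignments to desc->tfm and desc->flags in cryptd_hash_import() duplicate what the commit message says .init() already does. Pulling them into a small helper used by both paths would keep .init() and .import() from drifting apart again. A comment above crypto_shash_import(desc, in) noting that import does not set these members would explain why the setup is needed.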

* [PATCH 3.16 302/346] IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jack Morgenstein, Doug Ledford, Leon Romanovsky

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 8ec07bf8a8b57d6c58927a16a0a22c0115cf2855 upstream.

When sending QP1 MAD packets which use a GRH, the source GID
(which consists of the 64-bit subnet prefix, and the 64 bit port GUID)
must be included in the packet GRH.

For SR-IOV, a GID cache is used, since the source GID needs to be the
slave's source GID, and not the Hypervisor's GID. This cache also
included a subnet_prefix. Unfortunately, the subnet_prefix field in
the cache was never initialized (to the default subnet prefix 0xfe80::0).
As a result, this field remained all zeroes.  Therefore, when SR-IOV
was active, all QP1 packets which included a GRH had a source GID
subnet prefix of all-zeroes.

However, the subnet-prefix should initially be 0xfe80::0 (the default
subnet prefix). In addition, if OpenSM modifies a port's subnet prefix,
the new subnet prefix must be used in the GRH when sending QP1 packets.
To fix this we now initialize the subnet prefix in the SR-IOV GID cache
to the default subnet prefix. We update the cached value if/when OpenSM
modifies the port's subnet prefix. We take this cached value when sending
QP1 packets when SR-IOV is active.

Note that the value is stored as an atomic64. This eliminates any need
for locking when the subnet prefix is being updated.

Note also that we depend on the FW generating the "port management change"
event for tracking subnet-prefix changes performed by OpenSM. If running
early FW (before 2.9.4630), subnet prefix changes will not be tracked (but
the default subnet prefix still will be stored in the cache; therefore
users who do not modify the subnet prefix will not have a problem).
If there is a need for such tracking also for early FW, we will add that
capability in a subsequent patch.

Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/mad.c     | 23 +++++++++++++++++++++++
 drivers/infiniband/hw/mlx4/mlx4_ib.h |  2 +-
 drivers/infiniband/hw/mlx4/qp.c      |  5 +++--
 3 files changed, 27 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1062,6 +1062,27 @@ void handle_port_mgmt_change_event(struc
 
 		/* Generate GUID changed event */
 		if (changed_attr & MLX4_EQ_PORT_INFO_GID_PFX_CHANGE_MASK) {
+			if (mlx4_is_master(dev->dev)) {
+				union ib_gid gid;
+				int err = 0;
+
+				if (!eqe->event.port_mgmt_change.params.port_info.gid_prefix)
+					err = __mlx4_ib_query_gid(&dev->ib_dev, port, 0, &gid, 1);
+				else
+					gid.global.subnet_prefix =
+						eqe->event.port_mgmt_change.params.port_info.gid_prefix;
+				if (err) {
+					pr_warn("Could not change QP1 subnet prefix for port %d: query_gid error (%d)\n",
+						port, err);
+				} else {
+					pr_debug("Changing QP1 subnet prefix for port %d. old=0x%llx. new=0x%llx\n",
+						 port,
+						 (u64)atomic64_read(&dev->sriov.demux[port - 1].subnet_prefix),
+						 be64_to_cpu(gid.global.subnet_prefix));
+					atomic64_set(&dev->sriov.demux[port - 1].subnet_prefix,
+						     be64_to_cpu(gid.global.subnet_prefix));
+				}
+			}
 			mlx4_ib_dispatch_event(dev, port, IB_EVENT_GID_CHANGE);
 			/*if master, notify all slaves*/
 			if (mlx4_is_master(dev->dev))
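Review bot: a zero gid_prefix in the event is silently treated as "not supplied" and triggers __mlx4_ib_query_gid(), with no comment explaining that convention. Please document it at the "if", and consider hoisting eqe->event.port_mgmt_change.params.port_info.gid_prefix and dev->sriov.demux[port - 1] into locals: the block repeats both long expressions and is deeply nested.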
@@ -2134,6 +2155,8 @@ int mlx4_ib_init_sriov(struct mlx4_ib_de
 		if (err)
 			goto demux_err;
 		dev->sriov.demux[i].guid_cache[0] = gid.global.interface_id;
+		atomic64_set(&dev->sriov.demux[i].subnet_prefix,
+			     be64_to_cpu(gid.global.subnet_prefix));
 		err = alloc_pv_object(dev, mlx4_master_func_num(dev->dev), i + 1,
 				      &dev->sriov.sqps[i]);
 		if (err)
--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
+++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
@@ -417,7 +417,7 @@ struct mlx4_ib_demux_ctx {
 	struct workqueue_struct *wq;
 	struct workqueue_struct *ud_wq;
 	spinlock_t ud_lock;
-	__be64 subnet_prefix;
+	atomic64_t subnet_prefix;
 	__be64 guid_cache[128];
 	struct mlx4_ib_dev *dev;
 	/* the following lock protects both mcg_table and mcg_mgid0_list */
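Review bot: subnet_prefix changes from __be64 to atomic64_t and, per the be64_to_cpu() conversions in mad.c, now holds a host-endian value, while guid_cache[] on the next line stays __be64. The struct needs a comment saying subnet_prefix is stored in CPU byte order, otherwise the next user will copy it into a GID without cpu_to_be64().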
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -2158,8 +2158,9 @@ static int build_mlx_header(struct mlx4_
 				 * we must use our own cache
 				 */
 				sqp->ud_header.grh.source_gid.global.subnet_prefix =
-					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
-							       subnet_prefix;
+					cpu_to_be64(atomic64_read(&(to_mdev(ib_dev)->sriov.
+								    demux[sqp->qp.port - 1].
+								    subnet_prefix)));
 				sqp->ud_header.grh.source_gid.global.interface_id =
 					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
 						       guid_cache[ah->av.ib.gid_index];


* [PATCH 3.16 335/346] vfio/pci: Fix integer overflows, bitmask check
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Williamson, Vlad Tsyrklevich

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

commit 05692d7005a364add85c6e25a6c4447ce08f913a upstream.

The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
user-supplied integers, potentially allowing memory corruption. This
patch adds appropriate integer overflow checks, checks the range bounds
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only a single element
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
vfio_pci_set_irqs_ioctl().

Furthermore, a kzalloc is changed to a kcalloc because the use of a
kzalloc with an integer multiplication allowed an integer overflow
condition to be reached without this patch. kcalloc checks for overflow
and should prevent a similar occurrence.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vfio/pci/vfio_pci.c       | 33 +++++++++++++++++++++------------
 drivers/vfio/pci/vfio_pci_intrs.c |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -460,8 +460,9 @@ static long vfio_pci_ioctl(void *device_
 
 	} else if (cmd == VFIO_DEVICE_SET_IRQS) {
 		struct vfio_irq_set hdr;
+		size_t size;
 		u8 *data = NULL;
-		int ret = 0;
+		int max, ret = 0;
 
 		minsz = offsetofend(struct vfio_irq_set, count);
 
@@ -469,23 +470,31 @@ static long vfio_pci_ioctl(void *device_
 			return -EFAULT;
 
 		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
+		    hdr.count >= (U32_MAX - hdr.start) ||
 		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
 				  VFIO_IRQ_SET_ACTION_TYPE_MASK))
 			return -EINVAL;
 
-		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
-			size_t size;
-			int max = vfio_pci_get_irq_count(vdev, hdr.index);
-
-			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
-				size = sizeof(uint8_t);
-			else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
-				size = sizeof(int32_t);
-			else
-				return -EINVAL;
+		max = vfio_pci_get_irq_count(vdev, hdr.index);
+		if (hdr.start >= max || hdr.start + hdr.count > max)
+			return -EINVAL;
+
+		switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
+		case VFIO_IRQ_SET_DATA_NONE:
+			size = 0;
+			break;
+		case VFIO_IRQ_SET_DATA_BOOL:
+			size = sizeof(uint8_t);
+			break;
+		case VFIO_IRQ_SET_DATA_EVENTFD:
+			size = sizeof(int32_t);
+			break;
+		default:
+			return -EINVAL;
+		}
 
-			if (hdr.argsz - minsz < hdr.count * size ||
-			    hdr.start >= max || hdr.start + hdr.count > max)
+		if (size) {
+			if (hdr.argsz - minsz < hdr.count * size)
 				return -EINVAL;
 
 			data = memdup_user((void __user *)(arg + minsz),
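Review bot: the remaining hdr.count * size test inside "if (size)" has no overflow check of its own and is safe only because the new "hdr.start + hdr.count > max" test above it has already bounded hdr.count by max; a short comment saying so would stop a later reorder from reintroducing the wrap. Two smaller points: max is declared int but is compared against hdr.start and hdr.start + hdr.count, which the U32_MAX test treats as unsigned 32-bit, so if vfio_pci_get_irq_count() can ever return a negative value it should be rejected explicitly before the comparison; and "hdr.count >= (U32_MAX - hdr.start)" also rejects the one non-wrapping value hdr.count == U32_MAX - hdr.start, where ">" would be exact.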
--- a/drivers/vfio/pci/vfio_pci_intrs.c
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
@@ -465,7 +465,7 @@ static int vfio_msi_enable(struct vfio_p
 	if (!is_irq_none(vdev))
 		return -EINVAL;
 
-	vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
+	vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
 	if (!vdev->ctx)
 		return -ENOMEM;
 
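Review bot: with kcalloc() an overflowing nvec * sizeof(struct vfio_pci_irq_ctx) now fails the allocation and is reported through the existing "return -ENOMEM", which reads as memory pressure rather than a bad argument. If nvec can reach this point without a range check, testing it before the allocation and returning -EINVAL would give callers a clearer error.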

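The checks described in the vfio/pci commit message above, modeled in userspace C as an added example (it is not code from the patch or the kernel tree). The struct, the flag macros, the function names and the sample headers are hypothetical stand-ins constructed for illustration; validate_before mirrors the removed lines and validate_after the added ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the VFIO_IRQ_SET_* flag bits (constructed). */
#define DATA_NONE        (1u << 0)
#define DATA_BOOL        (1u << 1)
#define DATA_EVENTFD     (1u << 2)
#define DATA_TYPE_MASK   (DATA_NONE | DATA_BOOL | DATA_EVENTFD)
#define ACTION_TYPE_MASK (7u << 3)

/* Hypothetical model of the user-supplied header; every field is untrusted. */
struct irq_set_hdr {
	uint32_t argsz;
	uint32_t flags;
	uint32_t start;
	uint32_t count;
};

/* Overflow-checked multiply: the property kcalloc(n, size) adds over
 * kzalloc(n * size). Returns true if a * b does not fit in size_t. */
bool mul_overflows(size_t a, size_t b, size_t *out)
{
	if (b != 0 && a > SIZE_MAX / b)
		return true;
	*out = a * b;
	return false;
}

/* Model of the checks removed by the patch: DATA_NONE skips the range test. */
int validate_before(const struct irq_set_hdr *h, uint32_t minsz, uint32_t max)
{
	if (h->argsz < minsz || (h->flags & ~(DATA_TYPE_MASK | ACTION_TYPE_MASK)))
		return -1;
	if (!(h->flags & DATA_NONE)) {
		size_t size;

		if (h->flags & DATA_BOOL)
			size = sizeof(uint8_t);
		else if (h->flags & DATA_EVENTFD)
			size = sizeof(int32_t);
		else
			return -1;
		if (h->argsz - minsz < h->count * size ||
		    h->start >= max || h->start + h->count > max)
			return -1;
	}
	return 0;
}

/* Model of the checks after the patch. Returns 0 and the payload length,
 * or -1 if the header must be rejected. */
int validate_after(const struct irq_set_hdr *h, uint32_t minsz, uint32_t max,
		   size_t *payload_len)
{
	size_t size, need;

	if (h->argsz < minsz || (h->flags & ~(DATA_TYPE_MASK | ACTION_TYPE_MASK)))
		return -1;
	/* start + count must not wrap before it is compared with max
	 * (same conservative >= form as the hunk). */
	if (h->count >= UINT32_MAX - h->start)
		return -1;
	/* The range test now runs for every data type, DATA_NONE included. */
	if (h->start >= max || h->start + h->count > max)
		return -1;
	/* Exactly one data-type bit: zero bits or two bits hit default. */
	switch (h->flags & DATA_TYPE_MASK) {
	case DATA_NONE:    size = 0;               break;
	case DATA_BOOL:    size = sizeof(uint8_t); break;
	case DATA_EVENTFD: size = sizeof(int32_t); break;
	default:           return -1;
	}
	if (mul_overflows(h->count, size, &need) || h->argsz - minsz < need)
		return -1;
	*payload_len = need;
	return 0;
}

int main(void)
{
	const uint32_t minsz = 20, max = 4;	/* constructed values */
	const struct irq_set_hdr cases[] = {	/* constructed headers */
		{ minsz + 8, DATA_EVENTFD | (1u << 5), 0, 2 },          /* well formed */
		{ minsz,     DATA_NONE | (1u << 5),    0, UINT32_MAX }, /* count out of range */
		{ minsz,     DATA_NONE | DATA_BOOL,    0, 1 },          /* two type bits */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		size_t len = 0;
		int before = validate_before(&cases[i], minsz, max);
		int after = validate_after(&cases[i], minsz, max, &len);

		printf("case %zu: before=%d after=%d payload=%zu\n", i, before, after, len);
	}
	return 0;
}
```

The three sample headers work as regression inputs: the first must pass both models, the other two pass only the pre-patch model.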

* [PATCH 3.16 154/346] USB: serial: option: add support for Telit LE920A4
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Daniele Palmas

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <dnlplm@gmail.com>

commit 01d7956b58e644ea0d2e8d9340c5727a8fc39d70 upstream.

This patch adds a set of compositions for Telit LE920A4.

Compositions in short are:

0x1207: tty + tty
0x1208: tty + adb + tty + tty
0x1211: tty + adb + ecm
0x1212: tty + adb
0x1213: ecm + tty
0x1214: tty + adb + ecm + tty

telit_le922_blacklist_usbcfg3 is reused for compositions 0x1211
and 0x1214 due to the same interface positions.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -277,6 +277,12 @@ static void option_instat_callback(struc
 #define TELIT_PRODUCT_LE920			0x1200
 #define TELIT_PRODUCT_LE910			0x1201
 #define TELIT_PRODUCT_LE910_USBCFG4		0x1206
+#define TELIT_PRODUCT_LE920A4_1207		0x1207
+#define TELIT_PRODUCT_LE920A4_1208		0x1208
+#define TELIT_PRODUCT_LE920A4_1211		0x1211
+#define TELIT_PRODUCT_LE920A4_1212		0x1212
+#define TELIT_PRODUCT_LE920A4_1213		0x1213
+#define TELIT_PRODUCT_LE920A4_1214		0x1214
 
 /* ZTE PRODUCTS */
 #define ZTE_VENDOR_ID				0x19d2
@@ -643,6 +649,11 @@ static const struct option_blacklist_inf
 	.reserved = BIT(8) | BIT(10) | BIT(11),
 };
 
+static const struct option_blacklist_info telit_le920a4_blacklist_1 = {
+	.sendsetup = BIT(0),
+	.reserved = BIT(1),
+};
+
 static const struct option_blacklist_info telit_le922_blacklist_usbcfg0 = {
 	.sendsetup = BIT(2),
 	.reserved = BIT(0) | BIT(1) | BIT(3),
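Review bot: telit_le920a4_blacklist_1 carries no hint of which compositions it serves; going by the commit message and the table entries it is used for the layouts with adb on interface 1 (0x1208 and 0x1212), so a name or comment saying that would be clearer than the _1 suffix. For 0x1208 (tty + adb + tty + tty) it is also worth confirming that ".sendsetup = BIT(0)" alone is intended, since interfaces 2 and 3 are listed as ttys as well.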
@@ -1222,6 +1233,16 @@ static const struct usb_device_id option
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
 		.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1207) },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1208),
+		.driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1211),
+		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1212),
+		.driver_info = (kernel_ulong_t)&telit_le920a4_blacklist_1 },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214),
+		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff),
 		.driver_info = (kernel_ulong_t)&net_intf1_blacklist },
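Review bot: the TELIT_PRODUCT_LE920A4_1213 entry is the only new one matched with USB_DEVICE_INTERFACE_CLASS(..., 0xff) instead of USB_DEVICE() plus a blacklist, and nothing in the table says why. A trailing comment noting that this composition is ecm + tty, so only the vendor-class interface should bind, would save the next reader a trip to the commit log.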


* [PATCH 3.16 261/346] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Will Deacon, Alan Stern, Catalin Marinas, Peter Zijlstra

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.

smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
to a full barrier, such that prior stores are ordered with respect to
loads and stores occurring inside the critical section.

Unfortunately, the core code defines the barrier as smp_wmb(), which
is insufficient to provide the required ordering guarantees when used in
conjunction with our load-acquire-based spinlock implementation.

This patch overrides the arm64 definition of smp_mb__before_spinlock()
to map to a full smp_mb().

Cc: Peter Zijlstra <peterz@infradead.org>
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/spinlock.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/arm64/include/asm/spinlock.h
+++ b/arch/arm64/include/asm/spinlock.h
@@ -231,4 +231,14 @@ static inline int arch_read_trylock(arch
 #define arch_read_relax(lock)	cpu_relax()
 #define arch_write_relax(lock)	cpu_relax()
 
+/*
+ * Accesses appearing in program order before a spin_lock() operation
+ * can be reordered with accesses inside the critical section, by virtue
+ * of arch_spin_lock being constructed using acquire semantics.
+ *
+ * In cases where this is problematic (e.g. try_to_wake_up), an
+ * smp_mb__before_spinlock() can restore the required ordering.
+ */
+#define smp_mb__before_spinlock()	smp_mb()
+
 #endif /* __ASM_SPINLOCK_H */


* [PATCH 3.16 304/346] avr32: fix 'undefined reference to `___copy_from_user'
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Guenter Roeck, Al Viro, Hans-Christian Noren Egtvedt,
	Havard Skinnemoen

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 upstream.

avr32 builds fail with:

arch/avr32/kernel/built-in.o: In function `arch_ptrace':
(.text+0x650): undefined reference to `___copy_from_user'
arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
reference to `___copy_from_user'
kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
(.text+0x5dd8): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `ptrace_has_cap':
ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
`___copy_from_user' follow

Fixes: 8630c32275ba ("avr32: fix copy_from_user()")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Havard Skinnemoen <hskinnemoen@gmail.com>
Acked-by: Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/avr32/lib/copy_user.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -23,8 +23,8 @@
 	 */
 	.text
 	.align	1
-	.global	copy_from_user
-	.type	copy_from_user, @function
+	.global	___copy_from_user
+	.type	___copy_from_user, @function
 ___copy_from_user:
 	branch_if_kernel r8, __copy_user
 	ret_if_privileged r8, r11, r10, r10


* [PATCH 3.16 245/346] x86/AMD: Apply erratum 665 on machines without a BIOS fix
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Emanuel Czirai, Borislav Petkov, Yaowu Xu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Emanuel Czirai <icanrealizeum@gmail.com>

commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream.

AMD F12h machines have an erratum which can cause DIV/IDIV to behave
unpredictably. The workaround is to set MSRC001_1029[31] but sometimes
there is no BIOS update containing that workaround so let's do it
ourselves unconditionally. It is simple enough.

[ Borislav: Wrote commit message. ]

Signed-off-by: Emanuel Czirai <icanrealizeum@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Yaowu Xu <yaowu@google.com>
Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16:
 - Add an if-statement to init_amd() in place of the switch
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -522,6 +522,17 @@ static const int amd_erratum_383[];
 static const int amd_erratum_400[];
 static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum);
 
+#define MSR_AMD64_DE_CFG	0xC0011029
+
+static void init_amd_ln(struct cpuinfo_x86 *c)
+{
+	/*
+	 * Apply erratum 665 fix unconditionally so machines without a BIOS
+	 * fix work.
+	 */
+	msr_set_bit(MSR_AMD64_DE_CFG, 31);
+}
+
 static void init_amd(struct cpuinfo_x86 *c)
 {
 	u32 dummy;
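Review bot: init_amd_ln() never uses its c argument and passes a bare bit number in "msr_set_bit(MSR_AMD64_DE_CFG, 31)"; a named constant for bit 31 next to the MSR_AMD64_DE_CFG define would document what the erratum 665 workaround flips, and the unused parameter deserves either a use or a note that it is kept for symmetry with the other init_amd_*() helpers.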
@@ -614,6 +625,9 @@ static void init_amd(struct cpuinfo_x86
 		}
 	}
 
+	if (c->x86 == 0x12)
+		init_amd_ln(c);
+
 	/* re-enable TopologyExtensions if switched off by BIOS */
 	if ((c->x86 == 0x15) &&
 	    (c->x86_model >= 0x10) && (c->x86_model <= 0x1f) &&


* [PATCH 3.16 251/346] efi/libstub: Allocate headspace in efi_get_memory_map()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leif Lindholm, Jeffrey Hugo, Ard Biesheuvel, Matt Fleming,
	Mark Rutland, Ingo Molnar

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jhugo@codeaurora.org>

commit dadb57abc37499f565b23933dbf49b435c3ba8af upstream.

efi_get_memory_map() allocates a buffer to store the memory map that it
retrieves.  This buffer may need to be reused by the client after
ExitBootServices() is called, at which point allocations are no longer
permitted.  To support this use case, provide the allocated buffer size back
to the client, and allocate some additional headroom to account for any
reasonable growth in the map that is likely to happen between the call to
efi_get_memory_map() and the client reusing the buffer.

Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
[bwh: Backported to 3.16:
 - Adjust filenames, context
 - In allocate_new_fdt_and_exit_boot(), only fill memory_map
 - Drop changes to efi_random_alloc()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -1266,7 +1266,7 @@ static efi_status_t exit_boot(struct boo
 			      void *handle, bool is64)
 {
 	struct efi_info *efi = &boot_params->efi_info;
-	unsigned long map_sz, key, desc_size;
+	unsigned long map_sz, key, desc_size, buff_size;
 	efi_memory_desc_t *mem_map;
 	struct setup_data *e820ext;
 	const char *signature;
@@ -1277,14 +1277,20 @@ static efi_status_t exit_boot(struct boo
 	bool called_exit = false;
 	u8 nr_entries;
 	int i;
+	struct efi_boot_memmap map;
 
-	nr_desc = 0;
-	e820ext = NULL;
-	e820ext_size = 0;
+	nr_desc =	0;
+	e820ext =	NULL;
+	e820ext_size =	0;
+	map.map =	&mem_map;
+	map.map_size =	&map_sz;
+	map.desc_size =	&desc_size;
+	map.desc_ver =	&desc_version;
+	map.key_ptr =	&key;
+	map.buff_size =	&buff_size;
 
 get_map:
-	status = efi_get_memory_map(sys_table, &mem_map, &map_sz, &desc_size,
-				    &desc_version, &key);
+	status = efi_get_memory_map(sys_table, &map);
 
 	if (status != EFI_SUCCESS)
 		return status;
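Review bot: the rewrite of the three existing assignments (nr_desc, e820ext, e820ext_size) changes only the whitespace after "=" and adds churn to a stable backport; leaving those lines alone and adding only the six map.* assignments would keep the hunk to the functional change.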
--- a/drivers/firmware/efi/efi-stub-helper.c
+++ b/drivers/firmware/efi/efi-stub-helper.c
@@ -15,6 +15,8 @@
 #define EFI_ERROR	(~0UL)
 
 
+#define EFI_MMAP_NR_SLACK_SLOTS	8
+
 struct file_info {
 	efi_file_handle_t *handle;
 	u64 size;
@@ -41,49 +43,62 @@ static void efi_printk(efi_system_table_
 #define pr_efi_err(sys_table, msg) efi_printk(sys_table, "EFI stub: ERROR: "msg)
 
 
+static inline bool mmap_has_headroom(unsigned long buff_size,
+				     unsigned long map_size,
+				     unsigned long desc_size)
+{
+	unsigned long slack = buff_size - map_size;
+
+	return slack / desc_size >= EFI_MMAP_NR_SLACK_SLOTS;
+}
+
 static efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg,
-				       efi_memory_desc_t **map,
-				       unsigned long *map_size,
-				       unsigned long *desc_size,
-				       u32 *desc_ver,
-				       unsigned long *key_ptr)
+				       struct efi_boot_memmap *map)
 {
 	efi_memory_desc_t *m = NULL;
 	efi_status_t status;
 	unsigned long key;
 	u32 desc_version;
 
-	*map_size = sizeof(*m) * 32;
+	*map->desc_size =	sizeof(*m);
+	*map->map_size =	*map->desc_size * 32;
+	*map->buff_size =	*map->map_size;
 again:
-	/*
-	 * Add an additional efi_memory_desc_t because we're doing an
-	 * allocation which may be in a new descriptor region.
-	 */
-	*map_size += sizeof(*m);
 	status = efi_call_early(allocate_pool, EFI_LOADER_DATA,
-				*map_size, (void **)&m);
+				*map->map_size, (void **)&m);
 	if (status != EFI_SUCCESS)
 		goto fail;
 
-	*desc_size = 0;
+	*map->desc_size = 0;
 	key = 0;
-	status = efi_call_early(get_memory_map, map_size, m,
-				&key, desc_size, &desc_version);
-	if (status == EFI_BUFFER_TOO_SMALL) {
+	status = efi_call_early(get_memory_map, map->map_size, m,
+				&key, map->desc_size, &desc_version);
+	if (status == EFI_BUFFER_TOO_SMALL ||
+	    !mmap_has_headroom(*map->buff_size, *map->map_size,
+			       *map->desc_size)) {
 		efi_call_early(free_pool, m);
+		/*
+		 * Make sure there is some entries of headroom so that the
+		 * buffer can be reused for a new map after allocations are
+		 * no longer permitted.  Its unlikely that the map will grow to
+		 * exceed this headroom once we are ready to trigger
+		 * ExitBootServices()
+		 */
+		*map->map_size += *map->desc_size * EFI_MMAP_NR_SLACK_SLOTS;
+		*map->buff_size = *map->map_size;
 		goto again;
 	}
 
 	if (status != EFI_SUCCESS)
 		efi_call_early(free_pool, m);
 
-	if (key_ptr && status == EFI_SUCCESS)
-		*key_ptr = key;
-	if (desc_ver && status == EFI_SUCCESS)
-		*desc_ver = desc_version;
+	if (map->key_ptr && status == EFI_SUCCESS)
+		*map->key_ptr = key;
+	if (map->desc_ver && status == EFI_SUCCESS)
+		*map->desc_ver = desc_version;
 
 fail:
-	*map = m;
+	*map->map = m;
 	return status;
 }
 
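Review bot: in efi_get_memory_map() the new "!mmap_has_headroom(...)" test is evaluated for every status other than EFI_BUFFER_TOO_SMALL, including hard failures. *map->desc_size was reset to 0 just before the call, so if get_memory_map fails without writing it, "slack / desc_size" divides by zero, and otherwise the code frees the buffer and retries on an error that a larger buffer cannot fix. Testing the headroom only when status == EFI_SUCCESS would avoid both. mmap_has_headroom() also assumes buff_size >= map_size; the unsigned subtraction wraps if a caller ever breaks that, which is worth a comment.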
@@ -91,13 +106,20 @@ fail:
 static unsigned long __init get_dram_base(efi_system_table_t *sys_table_arg)
 {
 	efi_status_t status;
-	unsigned long map_size;
+	unsigned long map_size, buff_size;
 	unsigned long membase  = EFI_ERROR;
 	struct efi_memory_map map;
 	efi_memory_desc_t *md;
+	struct efi_boot_memmap boot_map;
 
-	status = efi_get_memory_map(sys_table_arg, (efi_memory_desc_t **)&map.map,
-				    &map_size, &map.desc_size, NULL, NULL);
+	boot_map.map =		(efi_memory_desc_t **)&map.map;
+	boot_map.map_size =	&map_size;
+	boot_map.desc_size =	&map.desc_size;
+	boot_map.desc_ver =	NULL;
+	boot_map.key_ptr =	NULL;
+	boot_map.buff_size =	&buff_size;
+
+	status = efi_get_memory_map(sys_table_arg, &boot_map);
 	if (status != EFI_SUCCESS)
 		return membase;
 
@@ -120,15 +142,22 @@ static efi_status_t efi_high_alloc(efi_s
 			       unsigned long size, unsigned long align,
 			       unsigned long *addr, unsigned long max)
 {
-	unsigned long map_size, desc_size;
+	unsigned long map_size, desc_size, buff_size;
 	efi_memory_desc_t *map;
 	efi_status_t status;
 	unsigned long nr_pages;
 	u64 max_addr = 0;
 	int i;
+	struct efi_boot_memmap boot_map;
+
+	boot_map.map =		&map;
+	boot_map.map_size =	&map_size;
+	boot_map.desc_size =	&desc_size;
+	boot_map.desc_ver =	NULL;
+	boot_map.key_ptr =	NULL;
+	boot_map.buff_size =	&buff_size;
 
-	status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
-				    NULL, NULL);
+	status = efi_get_memory_map(sys_table_arg, &boot_map);
 	if (status != EFI_SUCCESS)
 		goto fail;
 
@@ -206,14 +235,21 @@ static efi_status_t efi_low_alloc(efi_sy
 			      unsigned long size, unsigned long align,
 			      unsigned long *addr)
 {
-	unsigned long map_size, desc_size;
+	unsigned long map_size, desc_size, buff_size;
 	efi_memory_desc_t *map;
 	efi_status_t status;
 	unsigned long nr_pages;
 	int i;
+	struct efi_boot_memmap boot_map;
+
+	boot_map.map =		&map;
+	boot_map.map_size =	&map_size;
+	boot_map.desc_size =	&desc_size;
+	boot_map.desc_ver =	NULL;
+	boot_map.key_ptr =	NULL;
+	boot_map.buff_size =	&buff_size;
 
-	status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
-				    NULL, NULL);
+	status = efi_get_memory_map(sys_table_arg, &boot_map);
 	if (status != EFI_SUCCESS)
 		goto fail;
 
--- a/drivers/firmware/efi/fdt.c
+++ b/drivers/firmware/efi/fdt.c
@@ -178,12 +178,20 @@ efi_status_t allocate_new_fdt_and_exit_b
 					    unsigned long fdt_addr,
 					    unsigned long fdt_size)
 {
-	unsigned long map_size, desc_size;
+	unsigned long map_size, desc_size, buff_size;
 	u32 desc_ver;
 	unsigned long mmap_key;
 	efi_memory_desc_t *memory_map;
 	unsigned long new_fdt_size;
 	efi_status_t status;
+	struct efi_boot_memmap map;
+
+	map.map =	&memory_map;
+	map.map_size =	&map_size;
+	map.desc_size =	&desc_size;
+	map.desc_ver =	&desc_ver;
+	map.key_ptr =	&mmap_key;
+	map.buff_size =	&buff_size;
 
 	/*
 	 * Estimate size of new FDT, and allocate memory for it. We
@@ -204,8 +212,7 @@ efi_status_t allocate_new_fdt_and_exit_b
 		 * we can get the memory map key  needed for
 		 * exit_boot_services().
 		 */
-		status = efi_get_memory_map(sys_table, &memory_map, &map_size,
-					    &desc_size, &desc_ver, &mmap_key);
+		status = efi_get_memory_map(sys_table, &map);
 		if (status != EFI_SUCCESS)
 			goto fail_free_new_fdt;
 
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -117,6 +117,15 @@ typedef struct {
 	u32 imagesize;
 } efi_capsule_header_t;
 
+struct efi_boot_memmap {
+	efi_memory_desc_t	**map;
+	unsigned long		*map_size;
+	unsigned long		*desc_size;
+	u32			*desc_ver;
+	unsigned long		*key_ptr;
+	unsigned long		*buff_size;
+};
+
 /*
  * Allocation types for calls to boottime->allocate_pages.
  */
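Review bot: struct efi_boot_memmap has no comment saying which members are optional. The callers in this patch pass NULL for desc_ver and key_ptr, and efi_get_memory_map() checks only those two, while map, map_size, desc_size and buff_size are dereferenced unconditionally. A short comment block above the struct stating that contract would help the next caller.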


* [PATCH 3.16 301/346] IB/mlx4: Fix code indentation in QP1 MAD flow
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Doug Ledford, Jack Morgenstein

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit baa0be7026e2f7d1d40bfd45909044169e9e3c68 upstream.

The indentation in the QP1 GRH flow in procedure build_mlx_header is
really confusing. Fix it, in preparation for a commit which touches
this code.

Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/qp.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -2149,24 +2149,26 @@ static int build_mlx_header(struct mlx4_
 		sqp->ud_header.grh.flow_label    =
 			ah->av.ib.sl_tclass_flowlabel & cpu_to_be32(0xfffff);
 		sqp->ud_header.grh.hop_limit     = ah->av.ib.hop_limit;
-		if (is_eth)
+		if (is_eth) {
 			memcpy(sqp->ud_header.grh.source_gid.raw, sgid.raw, 16);
-		else {
-		if (mlx4_is_mfunc(to_mdev(ib_dev)->dev)) {
-			/* When multi-function is enabled, the ib_core gid
-			 * indexes don't necessarily match the hw ones, so
-			 * we must use our own cache */
-			sqp->ud_header.grh.source_gid.global.subnet_prefix =
-				to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
-						       subnet_prefix;
-			sqp->ud_header.grh.source_gid.global.interface_id =
-				to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
-					       guid_cache[ah->av.ib.gid_index];
-		} else
-			ib_get_cached_gid(ib_dev,
-					  be32_to_cpu(ah->av.ib.port_pd) >> 24,
-					  ah->av.ib.gid_index,
-					  &sqp->ud_header.grh.source_gid);
+		} else {
+			if (mlx4_is_mfunc(to_mdev(ib_dev)->dev)) {
+				/* When multi-function is enabled, the ib_core gid
+				 * indexes don't necessarily match the hw ones, so
+				 * we must use our own cache
+				 */
+				sqp->ud_header.grh.source_gid.global.subnet_prefix =
+					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
+							       subnet_prefix;
+				sqp->ud_header.grh.source_gid.global.interface_id =
+					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
+						       guid_cache[ah->av.ib.gid_index];
+			} else {
+				ib_get_cached_gid(ib_dev,
+						  be32_to_cpu(ah->av.ib.port_pd) >> 24,
+						  ah->av.ib.gid_index,
+						  &sqp->ud_header.grh.source_gid);
+			}
 		}
 		memcpy(sqp->ud_header.grh.destination_gid.raw,
 		       ah->av.ib.dgid, 16);
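Review bot: the new "} else {" branch contains nothing but the inner if/else, so it could be written as "} else if (mlx4_is_mfunc(to_mdev(ib_dev)->dev)) {" and drop one nesting level; that would also give the two split to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1] expressions room to fit without breaking after the dot.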


* [PATCH 3.16 262/346] alpha: fix copy_from_user()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.

it should clear the destination even when access_ok() fails.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
 	return __cu_len;
 }
 
-extern inline long
-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
-{
-	if (__access_ok((unsigned long)validate, len, get_fs()))
-		len = __copy_tofrom_user_nocheck(to, from, len);
-	return len;
-}
-
 #define __copy_to_user(to,from,n)					\
 ({									\
 	__chk_user_ptr(to);						\
@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
-
 extern inline long
 copy_to_user(void __user *to, const void *from, long n)
 {
-	return __copy_tofrom_user((__force void *)to, from, n, to);
+	if (likely(__access_ok((unsigned long)to, n, get_fs())))
+		n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
+	return n;
 }
 
 extern inline long
 copy_from_user(void *to, const void __user *from, long n)
 {
-	return __copy_tofrom_user(to, (__force void *)from, n, from);
+	if (likely(__access_ok((unsigned long)from, n, get_fs())))
+		n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
+	else
+		memset(to, 0, n);
+	return n;
 }
 
 extern void __do_clear_user(void);
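Review bot: in copy_from_user() the new else branch calls "memset(to, 0, n)" with the same long n that has just failed __access_ok(); if the check failed because n is negative, the memset converts it to a very large size_t and writes far past the destination. Zeroing is right for the bad-pointer case, but the branch needs either a sanity check on n first or a comment naming the caller guarantee that n never exceeds the destination buffer.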


* [PATCH 3.16 310/346] fanotify: fix list corruption in fanotify_get_response()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Linus Torvalds, Miklos Szeredi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 upstream.

fanotify_get_response() calls fsnotify_remove_event() when it finds that
group is being released from fanotify_release() (bypass_perm is set).

However the event it removes need not be only in the group's notification
queue but it can have already moved to access_list (userspace read the
event before closing the fanotify instance fd) which is protected by a
different lock.  Thus when fsnotify_remove_event() races with
fanotify_release() operating on access_list, the list can get corrupted.

Fix the problem by moving all the logic removing permission events from
the lists to one place - fanotify_release().

Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reported-by: Miklos Szeredi <mszeredi@redhat.com>
Tested-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - s/fsnotify_remove_first_event/fsnotify_remove_notify_event/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/notify/fanotify/fanotify.c      | 13 +------------
 fs/notify/fanotify/fanotify_user.c | 36 ++++++++++++++++++++++++------------
 fs/notify/notification.c           | 15 ---------------
 include/linux/fsnotify_backend.h   |  3 ---
 4 files changed, 25 insertions(+), 42 deletions(-)

--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -67,18 +67,7 @@ static int fanotify_get_response(struct
 
 	pr_debug("%s: group=%p event=%p\n", __func__, group, event);
 
-	wait_event(group->fanotify_data.access_waitq, event->response ||
-				atomic_read(&group->fanotify_data.bypass_perm));
-
-	if (!event->response) {	/* bypass_perm set */
-		/*
-		 * Event was canceled because group is being destroyed. Remove
-		 * it from group's event list because we are responsible for
-		 * freeing the permission event.
-		 */
-		fsnotify_remove_event(group, &event->fae.fse);
-		return 0;
-	}
+	wait_event(group->fanotify_data.access_waitq, event->response);
 
 	/* userspace responded, convert to something usable */
 	switch (event->response) {
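Review bot: The wait_event() on event->response is now the only way out of this uninterruptible sleep, so every permission event must be given a response by fanotify_release(); an event queued after release has drained both lists would block its task forever. That guarantee rests on fsnotify_group_stop_queueing() in fanotify_user.c, so a short comment above the wait naming that dependency would help anyone backporting or reordering these patches.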
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -358,16 +358,20 @@ static int fanotify_release(struct inode
 
 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
 	struct fanotify_perm_event_info *event, *next;
+	struct fsnotify_event *fsn_event;
 
 	/*
-	 * There may be still new events arriving in the notification queue
-	 * but since userspace cannot use fanotify fd anymore, no event can
-	 * enter or leave access_list by now.
+	 * Stop new events from arriving in the notification queue. since
+	 * userspace cannot use fanotify fd anymore, no event can enter or
+	 * leave access_list by now either.
 	 */
-	spin_lock(&group->fanotify_data.access_lock);
-
-	atomic_inc(&group->fanotify_data.bypass_perm);
+	fsnotify_group_stop_queueing(group);
 
+	/*
+	 * Process all permission events on access_list and notification queue
+	 * and simulate reply from userspace.
+	 */
+	spin_lock(&group->fanotify_data.access_lock);
 	list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
 				 fae.fse.list) {
 		pr_debug("%s: found group=%p event=%p\n", __func__, group,
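Review bot: fsnotify_group_stop_queueing() is called here but is neither defined nor declared anywhere in this patch (the diffstat shows only deletions in notification.c and fsnotify_backend.h), so this backport depends on a prerequisite commit sitting ahead of it in the 3.16 queue; please confirm the ordering. Minor: the new comment reads "queue. since", with a lower-case sentence start.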
@@ -379,12 +383,21 @@ static int fanotify_release(struct inode
 	spin_unlock(&group->fanotify_data.access_lock);
 
 	/*
-	 * Since bypass_perm is set, newly queued events will not wait for
-	 * access response. Wake up the already sleeping ones now.
-	 * synchronize_srcu() in fsnotify_destroy_group() will wait for all
-	 * processes sleeping in fanotify_handle_event() waiting for access
-	 * response and thus also for all permission events to be freed.
+	 * Destroy all non-permission events. For permission events just
+	 * dequeue them and set the response. They will be freed once the
+	 * response is consumed and fanotify_get_response() returns.
 	 */
+	mutex_lock(&group->notification_mutex);
+	while (!fsnotify_notify_queue_is_empty(group)) {
+		fsn_event = fsnotify_remove_notify_event(group);
+		if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
+			fsnotify_destroy_event(group, fsn_event);
+		else
+			FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
+	}
+	mutex_unlock(&group->notification_mutex);
+
+	/* Response for all permission events it set, wakeup waiters */
 	wake_up(&group->fanotify_data.access_waitq);
 #endif
 
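Review bot: Every permission event still pending at release is answered with FAN_ALLOW in the new while loop, so closing the fanotify fd fails open for accesses that were waiting on a decision; the comment above the loop should say so explicitly, since that is the security-relevant behaviour of this path. The store to FANOTIFY_PE(fsn_event)->response is made under notification_mutex while the waiter reads event->response without it, so ordering relies on the wake_up()/wait_event() pairing, which is also worth a word. The last comment reads "it set" where "is set" is meant.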
@@ -742,7 +755,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
 	spin_lock_init(&group->fanotify_data.access_lock);
 	init_waitqueue_head(&group->fanotify_data.access_waitq);
 	INIT_LIST_HEAD(&group->fanotify_data.access_list);
-	atomic_set(&group->fanotify_data.bypass_perm, 0);
 #endif
 	switch (flags & FAN_ALL_CLASS_BITS) {
 	case FAN_CLASS_NOTIF:
--- a/fs/notify/notification.c
+++ b/fs/notify/notification.c
@@ -132,21 +132,6 @@ queue:
 }
 
 /*
- * Remove @event from group's notification queue. It is the responsibility of
- * the caller to destroy the event.
- */
-void fsnotify_remove_event(struct fsnotify_group *group,
-			   struct fsnotify_event *event)
-{
-	mutex_lock(&group->notification_mutex);
-	if (!list_empty(&event->list)) {
-		list_del_init(&event->list);
-		group->q_len--;
-	}
-	mutex_unlock(&group->notification_mutex);
-}
-
-/*
  * Remove and return the first event from the notification list.  It is the
  * responsibility of the caller to destroy the obtained event
  */
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -182,7 +182,6 @@ struct fsnotify_group {
 			spinlock_t access_lock;
 			struct list_head access_list;
 			wait_queue_head_t access_waitq;
-			atomic_t bypass_perm;
 #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
 			int f_flags;
 			unsigned int max_marks;
@@ -329,8 +328,6 @@ extern int fsnotify_add_notify_event(str
 				     struct fsnotify_event *event,
 				     int (*merge)(struct list_head *,
 						  struct fsnotify_event *));
-/* Remove passed event from groups notification queue */
-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
 /* true if the group notification queue is empty */
 extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
 /* return, but do not dequeue the first event on the notification queue */


* [PATCH 3.16 327/346] mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 085/346] crypto: nx - off by one bug in nx_of_update_msc() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14 15:42   ` Johannes Weiner
  2016-11-14  0:14 ` [PATCH 3.16 135/346] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
                   ` (263 subsequent siblings)
  346 siblings, 1 reply; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio SJ Musumeci, Johannes Weiner, Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Weiner <hannes@cmpxchg.org>

commit 22f2ac51b6d643666f4db093f13144f773ff3f3a upstream.

Antonio reports the following crash when using fuse under memory pressure:

  kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346!
  invalid opcode: 0000 [#1] SMP
  Modules linked in: all of them
  CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu
  Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013
  task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000
  RIP: shadow_lru_isolate+0x181/0x190
  Call Trace:
    __list_lru_walk_one.isra.3+0x8f/0x130
    list_lru_walk_one+0x23/0x30
    scan_shadow_nodes+0x34/0x50
    shrink_slab.part.40+0x1ed/0x3d0
    shrink_zone+0x2ca/0x2e0
    kswapd+0x51e/0x990
    kthread+0xd8/0xf0
    ret_from_fork+0x3f/0x70

which corresponds to the following sanity check in the shadow node
tracking:

  BUG_ON(node->count & RADIX_TREE_COUNT_MASK);

The workingset code tracks radix tree nodes that exclusively contain
shadow entries of evicted pages in them, and this (somewhat obscure)
line checks whether there are real pages left that would interfere with
reclaim of the radix tree node under memory pressure.

While discussing ways how fuse might sneak pages into the radix tree
past the workingset code, Miklos pointed to replace_page_cache_page(),
and indeed there is a problem there: it properly accounts for the old
page being removed - __delete_from_page_cache() does that - but then
does a raw radix_tree_insert(), not accounting for the replacement
page.  Eventually the page count bits in node->count underflow while
leaving the node incorrectly linked to the shadow node LRU.

To address this, make sure replace_page_cache_page() uses the tracked
page insertion code, page_cache_tree_insert().  This fixes the page
accounting and makes sure page-containing nodes are properly unlinked
from the shadow node LRU again.

Also, make the sanity checks a bit less obscure by using the helpers for
checking the number of pages and shadows in a radix tree node.

Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.org
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Implementation of page_cache_tree_insert() is different
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -274,6 +274,7 @@ static inline void workingset_node_pages
 
 static inline void workingset_node_pages_dec(struct radix_tree_node *node)
 {
+	VM_BUG_ON(!workingset_node_pages(node));
 	node->count--;
 }
 
@@ -289,6 +290,7 @@ static inline void workingset_node_shado
 
 static inline void workingset_node_shadows_dec(struct radix_tree_node *node)
 {
+	VM_BUG_ON(!workingset_node_shadows(node));
 	node->count -= 1U << RADIX_TREE_COUNT_SHIFT;
 }
 
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -108,6 +108,48 @@
  *   ->tasklist_lock            (memory_failure, collect_procs_ao)
  */
 
+static int page_cache_tree_insert(struct address_space *mapping,
+				  struct page *page, void **shadowp)
+{
+	struct radix_tree_node *node;
+	void **slot;
+	int error;
+
+	error = __radix_tree_create(&mapping->page_tree, page->index,
+				    &node, &slot);
+	if (error)
+		return error;
+	if (*slot) {
+		void *p;
+
+		p = radix_tree_deref_slot_protected(slot, &mapping->tree_lock);
+		if (!radix_tree_exceptional_entry(p))
+			return -EEXIST;
+		if (shadowp)
+			*shadowp = p;
+		mapping->nrshadows--;
+		if (node)
+			workingset_node_shadows_dec(node);
+	}
+	radix_tree_replace_slot(slot, page);
+	mapping->nrpages++;
+	if (node) {
+		workingset_node_pages_inc(node);
+		/*
+		 * Don't track node that contains actual pages.
+		 *
+		 * Avoid acquiring the list_lru lock if already
+		 * untracked.  The list_empty() test is safe as
+		 * node->private_list is protected by
+		 * mapping->tree_lock.
+		 */
+		if (!list_empty(&node->private_list))
+			list_lru_del(&workingset_shadow_nodes,
+				     &node->private_list);
+	}
+	return 0;
+}
+
 static void page_cache_tree_delete(struct address_space *mapping,
 				   struct page *page, void *shadow)
 {
@@ -494,7 +536,7 @@ int replace_page_cache_page(struct page
 
 		spin_lock_irq(&mapping->tree_lock);
 		__delete_from_page_cache(old, NULL);
-		error = radix_tree_insert(&mapping->page_tree, offset, new);
+		error = page_cache_tree_insert(mapping, new, NULL);
 		BUG_ON(error);
 		mapping->nrpages++;
 		__inc_zone_page_state(new, NR_FILE_PAGES);
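Review bot: mapping->nrpages is now incremented twice for the replacement page. page_cache_tree_insert(), as added earlier in this file, already does mapping->nrpages++ after radix_tree_replace_slot(), and the unchanged mapping->nrpages++ following BUG_ON(error) in this hunk is still present. Drop the increment in replace_page_cache_page(), otherwise the mapping's page count drifts upward by one on every replacement.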
@@ -513,48 +555,6 @@ int replace_page_cache_page(struct page
 }
 EXPORT_SYMBOL_GPL(replace_page_cache_page);
 
-static int page_cache_tree_insert(struct address_space *mapping,
-				  struct page *page, void **shadowp)
-{
-	struct radix_tree_node *node;
-	void **slot;
-	int error;
-
-	error = __radix_tree_create(&mapping->page_tree, page->index,
-				    &node, &slot);
-	if (error)
-		return error;
-	if (*slot) {
-		void *p;
-
-		p = radix_tree_deref_slot_protected(slot, &mapping->tree_lock);
-		if (!radix_tree_exceptional_entry(p))
-			return -EEXIST;
-		if (shadowp)
-			*shadowp = p;
-		mapping->nrshadows--;
-		if (node)
-			workingset_node_shadows_dec(node);
-	}
-	radix_tree_replace_slot(slot, page);
-	mapping->nrpages++;
-	if (node) {
-		workingset_node_pages_inc(node);
-		/*
-		 * Don't track node that contains actual pages.
-		 *
-		 * Avoid acquiring the list_lru lock if already
-		 * untracked.  The list_empty() test is safe as
-		 * node->private_list is protected by
-		 * mapping->tree_lock.
-		 */
-		if (!list_empty(&node->private_list))
-			list_lru_del(&workingset_shadow_nodes,
-				     &node->private_list);
-	}
-	return 0;
-}
-
 static int __add_to_page_cache_locked(struct page *page,
 				      struct address_space *mapping,
 				      pgoff_t offset, gfp_t gfp_mask,
--- a/mm/workingset.c
+++ b/mm/workingset.c
@@ -340,21 +340,19 @@ static enum lru_status shadow_lru_isolat
 	 * no pages, so we expect to be able to remove them all and
 	 * delete and free the empty node afterwards.
 	 */
-
-	BUG_ON(!node->count);
-	BUG_ON(node->count & RADIX_TREE_COUNT_MASK);
+	BUG_ON(!workingset_node_shadows(node));
+	BUG_ON(workingset_node_pages(node));
 
 	for (i = 0; i < RADIX_TREE_MAP_SIZE; i++) {
 		if (node->slots[i]) {
 			BUG_ON(!radix_tree_exceptional_entry(node->slots[i]));
 			node->slots[i] = NULL;
-			BUG_ON(node->count < (1U << RADIX_TREE_COUNT_SHIFT));
-			node->count -= 1U << RADIX_TREE_COUNT_SHIFT;
+			workingset_node_shadows_dec(node);
 			BUG_ON(!mapping->nrshadows);
 			mapping->nrshadows--;
 		}
 	}
-	BUG_ON(node->count);
+	BUG_ON(workingset_node_shadows(node));
 	inc_zone_state(page_zone(virt_to_page(node)), WORKINGSET_NODERECLAIM);
 	if (!__radix_tree_delete_node(&mapping->page_tree, node))
 		BUG();
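Review bot: The unconditional BUG_ON(node->count < (1U << RADIX_TREE_COUNT_SHIFT)) inside the loop is replaced by workingset_node_shadows_dec(), whose only underflow check is the VM_BUG_ON() added in swap.h, so on kernels built without CONFIG_DEBUG_VM the per-slot underflow check disappears. The final BUG_ON(workingset_node_shadows(node)) also tests only the shadow bits where BUG_ON(node->count) tested the whole word. If that weakening is intended, say so in the changelog; otherwise keep a BUG_ON in the loop.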


* [PATCH 3.16 244/346] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (159 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 322/346] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 086/346] i2c: efm32: fix a failure path in efm32_i2c_probe() Ben Hutchings
                   ` (185 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Erez Shitrit, Leon Romanovsky, Doug Ledford

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <erezsh@mellanox.com>

commit 546481c2816ea3c061ee9d5658eb48070f69212e upstream.

When a new CM connection is being requested, ipoib driver copies data
from the path pointer in the CM/tx object, the path object might be
invalid at that point and memory corruption will happen later when
the CM driver tries to use that data.

The next scenario demonstrates it:
	neigh_add_path --> ipoib_cm_create_tx -->
	queue_work (pointer to path is in the cm/tx struct)
	#while the work is still in the queue,
	#the port goes down and causes the ipoib_flush_paths:
	ipoib_flush_paths --> path_free --> kfree(path)
	#at this point the work scheduled starts.
	ipoib_cm_tx_start --> copy from the (invalid)path pointer:
	(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
	 -> memory corruption.

To fix that the driver now starts the CM/tx connection only if that
specific path exists in the general paths database.
This check is protected with the relevant locks, and uses the gid from
the neigh member in the CM/tx object which is valid according to the ref
count that was taken by the CM/tx.

Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib.h      |  1 +
 drivers/infiniband/ulp/ipoib/ipoib_cm.c   | 16 ++++++++++++++++
 drivers/infiniband/ulp/ipoib/ipoib_main.c |  2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -463,6 +463,7 @@ void ipoib_send(struct net_device *dev,
 		struct ipoib_ah *address, u32 qpn);
 void ipoib_reap_ah(struct work_struct *work);
 
+struct ipoib_path *__path_find(struct net_device *dev, void *gid);
 void ipoib_mark_paths_invalid(struct net_device *dev);
 void ipoib_flush_paths(struct net_device *dev);
 struct ipoib_dev_priv *ipoib_intf_alloc(const char *format);
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1303,6 +1303,8 @@ void ipoib_cm_destroy_tx(struct ipoib_cm
 	}
 }
 
+#define QPN_AND_OPTIONS_OFFSET	4
+
 static void ipoib_cm_tx_start(struct work_struct *work)
 {
 	struct ipoib_dev_priv *priv = container_of(work, struct ipoib_dev_priv,
@@ -1311,6 +1313,7 @@ static void ipoib_cm_tx_start(struct wor
 	struct ipoib_neigh *neigh;
 	struct ipoib_cm_tx *p;
 	unsigned long flags;
+	struct ipoib_path *path;
 	int ret;
 
 	struct ib_sa_path_rec pathrec;
@@ -1323,7 +1326,19 @@ static void ipoib_cm_tx_start(struct wor
 		p = list_entry(priv->cm.start_list.next, typeof(*p), list);
 		list_del_init(&p->list);
 		neigh = p->neigh;
+
 		qpn = IPOIB_QPN(neigh->daddr);
+		/*
+		 * As long as the search is with these 2 locks,
+		 * path existence indicates its validity.
+		 */
+		path = __path_find(dev, neigh->daddr + QPN_AND_OPTIONS_OFFSET);
+		if (!path) {
+			pr_info("%s ignore not valid path %pI6\n",
+				__func__,
+				neigh->daddr + QPN_AND_OPTIONS_OFFSET);
+			goto free_neigh;
+		}
 		memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);
 
 		spin_unlock_irqrestore(&priv->lock, flags);
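Review bot: The result of __path_find() is used only as an existence test, and the memcpy() right after it still reads p->path->pathrec. If the original path was freed and a new path for the same GID was inserted before this work item ran, the lookup succeeds while p->path still points at freed memory. Copying from path->pathrec, the object just found under the lock, would close that window.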
@@ -1335,6 +1350,7 @@ static void ipoib_cm_tx_start(struct wor
 		spin_lock_irqsave(&priv->lock, flags);
 
 		if (ret) {
+free_neigh:
 			neigh = p->neigh;
 			if (neigh) {
 				neigh->cm = NULL;
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -253,7 +253,7 @@ int ipoib_set_mode(struct net_device *de
 	return -EINVAL;
 }
 
-static struct ipoib_path *__path_find(struct net_device *dev, void *gid)
+struct ipoib_path *__path_find(struct net_device *dev, void *gid)
 {
 	struct ipoib_dev_priv *priv = netdev_priv(dev);
 	struct rb_node *n = priv->path_tree.rb_node;
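Review bot: __path_find() loses its static qualifier here and gains a prototype in ipoib.h, but neither place documents that the caller must hold the lock protecting priv->path_tree. Add the locking requirement as a comment next to the declaration, since the function is now callable from ipoib_cm.c.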


* [PATCH 3.16 258/346] ALSA: rawmidi: Fix possible deadlock with virmidi registration
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (254 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 112/346] l2tp: Correctly return -EBADF from pppol2tp_getname Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 278/346] ARC: uaccess: get_user to zero out dest in cause of fault Ben Hutchings
                   ` (90 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dmitry Vyukov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 816f318b2364262a51024096da7ca3b84e78e3b5 upstream.

When a seq-virmidi driver is initialized, it registers a rawmidi
instance with its callback to create an associated seq kernel client.
Currently it's done thoroughly in rawmidi's register_mutex context.
Recently it was found that this may lead to a deadlock when another rawmidi
device that is being attached with the sequencer is accessed, as both
open with the same register_mutex.  This was actually triggered by
syzkaller, as Dmitry Vyukov reported:

======================================================
 [ INFO: possible circular locking dependency detected ]
 4.8.0-rc1+ #11 Not tainted
 -------------------------------------------------------
 syz-executor/7154 is trying to acquire lock:
  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

 but task is already holding lock:
  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (&grp->list_mutex){++++.+}:
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
    [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
    [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
    [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
    [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
    [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
    [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
    [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
    [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
    [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
    [<     inline     >] __snd_device_register sound/core/device.c:162
    [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
    [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
    [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
    [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
    ......

 -> #0 (register_mutex#5){+.+.+.}:
    [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
    [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
    [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
    [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
    [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
    [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
    [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
    [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
    [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
    [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
    [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
    [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
    [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
    [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
    [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
    [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
    [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
    [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
    ......

 other info that might help us debug this:

 Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&grp->list_mutex);
                                lock(register_mutex#5);
                                lock(&grp->list_mutex);
   lock(register_mutex#5);

 *** DEADLOCK ***
======================================================

The fix is to simply move the registration parts in
snd_rawmidi_dev_register() to the outside of the register_mutex lock.
The lock is needed only to manage the linked list, and it's not
necessary to cover the whole initialization process.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/rawmidi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1637,12 +1637,14 @@ static int snd_rawmidi_dev_register(stru
 		return -EBUSY;
 	}
 	list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+	mutex_unlock(&register_mutex);
 	sprintf(name, "midiC%iD%i", rmidi->card->number, rmidi->device);
 	if ((err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
 				       rmidi->card, rmidi->device,
 				       &snd_rawmidi_f_ops, rmidi, name)) < 0) {
 		rmidi_err(rmidi, "unable to register rawmidi device %i:%i\n",
 			  rmidi->card->number, rmidi->device);
+		mutex_lock(&register_mutex);
 		list_del(&rmidi->list);
 		mutex_unlock(&register_mutex);
 		return err;
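Review bot: mutex_unlock(&register_mutex) now comes directly after list_add_tail(), so the device is on snd_rawmidi_devices before snd_register_device() has completed, and the error path later takes it off again with list_del(). Anything that walks that list under register_mutex can now observe a half-registered rmidi. Please confirm that lookups tolerate that, or add the entry to the list only once registration has succeeded.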
@@ -1650,6 +1652,7 @@ static int snd_rawmidi_dev_register(stru
 	if (rmidi->ops && rmidi->ops->dev_register &&
 	    (err = rmidi->ops->dev_register(rmidi)) < 0) {
 		snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
+		mutex_lock(&register_mutex);
 		list_del(&rmidi->list);
 		mutex_unlock(&register_mutex);
 		return err;
@@ -1682,7 +1685,6 @@ static int snd_rawmidi_dev_register(stru
 		}
 	}
 #endif /* CONFIG_SND_OSSEMUL */
-	mutex_unlock(&register_mutex);
 	sprintf(name, "midi%d", rmidi->device);
 	entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
 	if (entry) {


* [PATCH 3.16 329/346] arm64: perf: reject groups spanning multiple HW PMUs
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 177/346] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 035/346] batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag Ben Hutchings
                   ` (248 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mark Rutland, Will Deacon, Suzuki K. Poulose,
	Peter Ziljstra (Intel)

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Suzuki K. Poulose" <suzuki.poulose@arm.com>

commit 8fff105e13041e49b82f92eef034f363a6b1c071 upstream.

The perf core implicitly rejects events spanning multiple HW PMUs, as in
these cases the event->ctx will differ. However this validation is
performed after pmu::event_init() is called in perf_init_event(), and
thus pmu::event_init() may be called with a group leader from a
different HW PMU.

The ARM64 PMU driver does not take this fact into account, and when
validating groups assumes that it can call to_arm_pmu(event->pmu) for
any HW event. When the event in question is from another HW PMU this is
wrong, and results in dereferencing garbage.

This patch updates the ARM64 PMU driver to first test for and reject
events from other PMUs, moving the to_arm_pmu and related logic after
this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with
a CCI PMU present:

Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
PC is at 0x0
LR is at validate_event+0x90/0xa8
pc : [<0000000000000000>] lr : [<ffffffc000090228>] pstate: 00000145
sp : ffffffc07b0a3ba0

[<          (null)>]           (null)
[<ffffffc0000907d8>] armpmu_event_init+0x174/0x3cc
[<ffffffc00015d870>] perf_try_init_event+0x34/0x70
[<ffffffc000164094>] perf_init_event+0xe0/0x10c
[<ffffffc000164348>] perf_event_alloc+0x288/0x358
[<ffffffc000164c5c>] SyS_perf_event_open+0x464/0x98c
Code: bad PC value

Also cleans up the code to use the arm_pmu only when we know
that we are dealing with an arm pmu event.

Cc: Will Deacon <will.deacon@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Peter Ziljstra (Intel) <peterz@infradead.org>
Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/perf_event.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

--- a/arch/arm64/kernel/perf_event.c
+++ b/arch/arm64/kernel/perf_event.c
@@ -316,22 +316,31 @@ out:
 }
 
 static int
-validate_event(struct pmu_hw_events *hw_events,
-	       struct perf_event *event)
+validate_event(struct pmu *pmu, struct pmu_hw_events *hw_events,
+				struct perf_event *event)
 {
-	struct arm_pmu *armpmu = to_arm_pmu(event->pmu);
+	struct arm_pmu *armpmu;
 	struct hw_perf_event fake_event = event->hw;
 	struct pmu *leader_pmu = event->group_leader->pmu;
 
 	if (is_software_event(event))
 		return 1;
 
+	/*
+	 * Reject groups spanning multiple HW PMUs (e.g. CPU + CCI). The
+	 * core perf code won't check that the pmu->ctx == leader->ctx
+	 * until after pmu->event_init(event).
+	 */
+	if (event->pmu != pmu)
+		return 0;
+
 	if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
 		return 1;
 
 	if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec)
 		return 1;
 
+	armpmu = to_arm_pmu(event->pmu);
 	return armpmu->get_event_idx(hw_events, &fake_event) >= 0;
 }
 
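Review bot: validate_event() now packs three meanings into its return value: 1 for "ignore this event", 0 for "reject the group" at the new event->pmu != pmu test, and the get_event_idx() result at the end. A short comment above the function stating that 0 means reject would make the new early return easier to audit. After that test event->pmu equals pmu, so to_arm_pmu(pmu) would state the intent more directly than to_arm_pmu(event->pmu).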
@@ -349,15 +358,15 @@ validate_group(struct perf_event *event)
 	memset(fake_used_mask, 0, sizeof(fake_used_mask));
 	fake_pmu.used_mask = fake_used_mask;
 
-	if (!validate_event(&fake_pmu, leader))
+	if (!validate_event(event->pmu, &fake_pmu, leader))
 		return -EINVAL;
 
 	list_for_each_entry(sibling, &leader->sibling_list, group_entry) {
-		if (!validate_event(&fake_pmu, sibling))
+		if (!validate_event(event->pmu, &fake_pmu, sibling))
 			return -EINVAL;
 	}
 
-	if (!validate_event(&fake_pmu, event))
+	if (!validate_event(event->pmu, &fake_pmu, event))
 		return -EINVAL;
 
 	return 0;


* [PATCH 3.16 323/346] drm/radeon/si/dpm: add workaround for for Jet parts
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (222 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 252/346] iio:core: fix IIO_VAL_FRACTIONAL sign handling Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 077/346] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Ben Hutchings
                   ` (122 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sonny Jiang, Alex Deucher

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 670bb4fd21c966d0d2a59ad4a99bb4889f9a2987 upstream.

Add clock quirks for Jet parts.

Reviewed-by: Sonny Jiang <sonny.jiang@amd.com>
Tested-by: Sonny Jiang <sonny.jiang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -3022,6 +3022,12 @@ static void si_apply_state_adjust_rules(
 	if (rdev->pdev->device == 0x6811 &&
 	    rdev->pdev->revision == 0x81)
 		max_mclk = 120000;
+	/* limit sclk/mclk on Jet parts for stability */
+	if (rdev->pdev->device == 0x6665 &&
+	    rdev->pdev->revision == 0xc3) {
+		max_sclk = 75000;
+		max_mclk = 80000;
+	}
 
 	/* XXX validate the min clocks required for display */
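
Review bot: the new Jet quirk in si_apply_state_adjust_rules() identifies the part only by the raw pair device 0x6665 / revision 0xc3 and caps the clocks with the bare constants 75000 and 80000, while the commit message says no more than "Add clock quirks for Jet parts". Please state the unit of max_sclk and max_mclk in the comment and say where the limits come from, so that the next quirk added to this list can be checked against something.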
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 322/346] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 285/346] s390: get_user() should zero on failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 244/346] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow Ben Hutchings
                   ` (186 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nikolay Aleksandrov, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8 upstream.

Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid
instead of the previous dst_pid which was copied from in_skb's portid.
Since the skb is new the portid is 0 at that point so the packets are sent
to the kernel and we get scheduling while atomic or a deadlock (depending
on where it happens) by trying to acquire rtnl two times.
Also since this is RTM_GETROUTE, it can be triggered by a normal user.

Here's the sleeping while atomic trace:
[ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
[ 7858.212881] 2 locks held by swapper/0/0:
[ 7858.213013]  #0:  (((&mrt->ipmr_expire_timer))){+.-...}, at: [<ffffffff810fbbf5>] call_timer_fn+0x5/0x350
[ 7858.213422]  #1:  (mfc_unres_lock){+.....}, at: [<ffffffff8161e005>] ipmr_expire_process+0x25/0x130
[ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179
[ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 7858.214108]  0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000
[ 7858.214412]  ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e
[ 7858.214716]  000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f
[ 7858.215251] Call Trace:
[ 7858.215412]  <IRQ>  [<ffffffff813a7804>] dump_stack+0x85/0xc1
[ 7858.215662]  [<ffffffff810a4a72>] ___might_sleep+0x192/0x250
[ 7858.215868]  [<ffffffff810a4b9f>] __might_sleep+0x6f/0x100
[ 7858.216072]  [<ffffffff8165bea3>] mutex_lock_nested+0x33/0x4d0
[ 7858.216279]  [<ffffffff815a7a5f>] ? netlink_lookup+0x25f/0x460
[ 7858.216487]  [<ffffffff8157474b>] rtnetlink_rcv+0x1b/0x40
[ 7858.216687]  [<ffffffff815a9a0c>] netlink_unicast+0x19c/0x260
[ 7858.216900]  [<ffffffff81573c70>] rtnl_unicast+0x20/0x30
[ 7858.217128]  [<ffffffff8161cd39>] ipmr_destroy_unres+0xa9/0xf0
[ 7858.217351]  [<ffffffff8161e06f>] ipmr_expire_process+0x8f/0x130
[ 7858.217581]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.217785]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.217990]  [<ffffffff810fbc95>] call_timer_fn+0xa5/0x350
[ 7858.218192]  [<ffffffff810fbbf5>] ? call_timer_fn+0x5/0x350
[ 7858.218415]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.218656]  [<ffffffff810fde10>] run_timer_softirq+0x260/0x640
[ 7858.218865]  [<ffffffff8166379b>] ? __do_softirq+0xbb/0x54f
[ 7858.219068]  [<ffffffff816637c8>] __do_softirq+0xe8/0x54f
[ 7858.219269]  [<ffffffff8107a948>] irq_exit+0xb8/0xc0
[ 7858.219463]  [<ffffffff81663452>] smp_apic_timer_interrupt+0x42/0x50
[ 7858.219678]  [<ffffffff816625bc>] apic_timer_interrupt+0x8c/0xa0
[ 7858.219897]  <EOI>  [<ffffffff81055f16>] ? native_safe_halt+0x6/0x10
[ 7858.220165]  [<ffffffff810d64dd>] ? trace_hardirqs_on+0xd/0x10
[ 7858.220373]  [<ffffffff810298e3>] default_idle+0x23/0x190
[ 7858.220574]  [<ffffffff8102a20f>] arch_cpu_idle+0xf/0x20
[ 7858.220790]  [<ffffffff810c9f8c>] default_idle_call+0x4c/0x60
[ 7858.221016]  [<ffffffff810ca33b>] cpu_startup_entry+0x39b/0x4d0
[ 7858.221257]  [<ffffffff8164f995>] rest_init+0x135/0x140
[ 7858.221469]  [<ffffffff81f83014>] start_kernel+0x50e/0x51b
[ 7858.221670]  [<ffffffff81f82120>] ? early_idt_handler_array+0x120/0x120
[ 7858.221894]  [<ffffffff81f8243f>] x86_64_start_reservations+0x2a/0x2c
[ 7858.222113]  [<ffffffff81f8257c>] x86_64_start_kernel+0x13b/0x14a

Fixes: 2942e9005056 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/mroute.h  | 2 +-
 include/linux/mroute6.h | 2 +-
 net/ipv4/ipmr.c         | 3 ++-
 net/ipv4/route.c        | 3 ++-
 net/ipv6/ip6mr.c        | 5 +++--
 net/ipv6/route.c        | 4 +++-
 6 files changed, 12 insertions(+), 7 deletions(-)

--- a/include/linux/mroute.h
+++ b/include/linux/mroute.h
@@ -103,5 +103,5 @@ struct mfc_cache {
 struct rtmsg;
 extern int ipmr_get_route(struct net *net, struct sk_buff *skb,
 			  __be32 saddr, __be32 daddr,
-			  struct rtmsg *rtm, int nowait);
+			  struct rtmsg *rtm, int nowait, u32 portid);
 #endif
--- a/include/linux/mroute6.h
+++ b/include/linux/mroute6.h
@@ -115,7 +115,7 @@ struct mfc6_cache {
 
 struct rtmsg;
 extern int ip6mr_get_route(struct net *net, struct sk_buff *skb,
-			   struct rtmsg *rtm, int nowait);
+			   struct rtmsg *rtm, int nowait, u32 portid);
 
 #ifdef CONFIG_IPV6_MROUTE
 extern struct sock *mroute6_socket(struct net *net, struct sk_buff *skb);
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -2188,7 +2188,7 @@ static int __ipmr_fill_mroute(struct mr_
 
 int ipmr_get_route(struct net *net, struct sk_buff *skb,
 		   __be32 saddr, __be32 daddr,
-		   struct rtmsg *rtm, int nowait)
+		   struct rtmsg *rtm, int nowait, u32 portid)
 {
 	struct mfc_cache *cache;
 	struct mr_table *mrt;
@@ -2233,6 +2233,7 @@ int ipmr_get_route(struct net *net, stru
 			return -ENOMEM;
 		}
 
+		NETLINK_CB(skb2).portid = portid;
 		skb_push(skb2, sizeof(struct iphdr));
 		skb_reset_network_header(skb2);
 		iph = ip_hdr(skb2);
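
Review bot: NETLINK_CB(skb2).portid = portid; in ipmr_get_route() is the whole fix, yet it carries no comment. The commit message explains that a freshly allocated skb has portid 0, so the later rtnl_unicast() reply is delivered to the kernel and ends up taking rtnl again; a short comment to that effect above the assignment would keep the line from being dropped as redundant in a later cleanup. The same applies to the matching line in ip6mr_get_route().
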
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2413,7 +2413,8 @@ static int rt_fill_info(struct net *net,
 		    IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
 			int err = ipmr_get_route(net, skb,
 						 fl4->saddr, fl4->daddr,
-						 r, nowait);
+						 r, nowait, portid);
+
 			if (err <= 0) {
 				if (!nowait) {
 					if (err == 0)
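
Review bot: portid in the ipmr_get_route() call is not declared anywhere in the visible context of rt_fill_info(), and this is a backport with adjusted context, so it is worth confirming that the 3.16 version of the function has the requester's port ID in scope under that name at this point. The blank line added after the declaration of err is an unrelated whitespace change.
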
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -2272,8 +2272,8 @@ static int __ip6mr_fill_mroute(struct mr
 	return 1;
 }
 
-int ip6mr_get_route(struct net *net,
-		    struct sk_buff *skb, struct rtmsg *rtm, int nowait)
+int ip6mr_get_route(struct net *net, struct sk_buff *skb, struct rtmsg *rtm,
+		    int nowait, u32 portid)
 {
 	int err;
 	struct mr6_table *mrt;
@@ -2318,6 +2318,7 @@ int ip6mr_get_route(struct net *net,
 			return -ENOMEM;
 		}
 
+		NETLINK_CB(skb2).portid = portid;
 		skb_reset_transport_header(skb2);
 
 		skb_put(skb2, sizeof(struct ipv6hdr));
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2618,7 +2618,9 @@ static int rt6_fill_node(struct net *net
 	if (iif) {
 #ifdef CONFIG_IPV6_MROUTE
 		if (ipv6_addr_is_multicast(&rt->rt6i_dst.addr)) {
-			int err = ip6mr_get_route(net, skb, rtm, nowait);
+			int err = ip6mr_get_route(net, skb, rtm, nowait,
+						  portid);
+
 			if (err <= 0) {
 				if (!nowait) {
 					if (err == 0)

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 331/346] KEYS: Fix short sprintf buffer in /proc/keys show function
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 217/346] x86/apic: Do not init irq remapping if ioapic is disabled Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 280/346] mn10300: failing __get_user() and get_user() should zero Ben Hutchings
                   ` (307 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Howells, Ondrej Kozina, James Morris

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

	(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
	$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/keys/proc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -187,7 +187,7 @@ static int proc_keys_show(struct seq_fil
 	struct timespec now;
 	unsigned long timo;
 	key_ref_t key_ref, skey_ref;
-	char xbuf[12];
+	char xbuf[16];
 	int rc;
 
 	struct keyring_search_context ctx = {
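
Review bot: char xbuf[16] in proc_keys_show() is still a hand-counted size. The commit message derives it from the widest value a 64-bit timo can produce, but nothing in the code ties the array to that calculation, and the write that overflowed is described as a plain sprintf. Formatting with a bounded call that takes sizeof(xbuf) would turn any future miscount into truncation instead of stack corruption, and a comment next to the declaration should record how 16 was arrived at.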

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 334/346] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 137/346] ALSA: hda - On-board speaker fixup on ACER Veriton Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 123/346] avr32: off by one in at32_init_pio() Ben Hutchings
                   ` (222 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arend Van Spriel, Pieter-Paul Giesberts, Daxing Guo,
	Hante Meuleman, Kalle Valo, Franky Lin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream.

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.

Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -3822,7 +3822,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
 				(u8 *)&settings->beacon.head[ie_offset],
 				settings->beacon.head_len - ie_offset,
 				WLAN_EID_SSID);
-		if (!ssid_ie)
+		if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
 			return -EINVAL;
 
 		memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
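
Review bot: the new bound in brcmf_cfg80211_start_ap() compares ssid_ie->len with IEEE80211_MAX_SSID_LEN, while the memcpy() two lines below writes into ssid_le.SSID, so the check is only correct as long as that array is at least IEEE80211_MAX_SSID_LEN bytes. Comparing against sizeof(ssid_le.SSID) would tie the check to the destination directly. Any other place in this function that copies from an IE found in user-supplied beacon data deserves the same look.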

^ permalink raw reply	[flat|nested] 352+ messages in thread
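
The length check from the brcmfmac patch above, as an added user-space example that is not part of the original message or the driver's code. find_ie(), copy_ssid(), struct ssid_out and the demo_* inputs are hypothetical names and constructed data; only the element layout (id byte, length byte, data) and the 32-byte SSID limit are taken from 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_SSID     0	/* element ID of the SSID IE (WLAN_EID_SSID) */
#define MAX_SSID_LEN 32	/* same value as IEEE80211_MAX_SSID_LEN */

/* Fixed-size destination, standing in for the driver's ssid_le (assumption). */
struct ssid_out {
	uint32_t len;
	uint8_t ssid[MAX_SSID_LEN];
};

/*
 * Walk a buffer of id/len/data elements and return a pointer to the id byte
 * of the first element with the wanted id, or NULL. An element whose declared
 * length runs past the end of the buffer ends the search.
 */
static const uint8_t *find_ie(const uint8_t *buf, size_t buflen, uint8_t id)
{
	size_t off = 0;

	while (buflen - off >= 2) {
		size_t len = buf[off + 1];

		if (len > buflen - off - 2)
			return NULL;		/* truncated element */
		if (buf[off] == id)
			return buf + off;
		off += 2 + len;
	}
	return NULL;
}

/*
 * Copy the SSID out of caller-supplied IE data. Returns 0 on success and -1
 * (standing in for -EINVAL) when the IE is missing or longer than the
 * destination field. The bound is taken from the destination itself.
 */
static int copy_ssid(const uint8_t *ies, size_t ies_len, struct ssid_out *out)
{
	const uint8_t *ie = find_ie(ies, ies_len, EID_SSID);

	if (!ie || ie[1] > sizeof(out->ssid))
		return -1;
	memset(out, 0, sizeof(*out));
	memcpy(out->ssid, ie + 2, ie[1]);
	out->len = ie[1];
	return 0;
}

/* Constructed sample: a 2-byte element with id 1, then the SSID "test". */
int demo_valid_ssid(void)
{
	static const uint8_t ies[] = { 1, 2, 0x82, 0x84, 0, 4, 't', 'e', 's', 't' };
	struct ssid_out out;

	if (copy_ssid(ies, sizeof(ies), &out) != 0)
		return -1;
	return (out.len == 4 && memcmp(out.ssid, "test", 4) == 0) ? 0 : -2;
}

/* Constructed sample: SSID IE declaring 33 bytes, one more than the field holds. */
int demo_oversized_ssid(void)
{
	uint8_t ies[2 + 33];
	struct ssid_out out;

	memset(ies, 'A', sizeof(ies));
	ies[0] = EID_SSID;
	ies[1] = 33;
	return copy_ssid(ies, sizeof(ies), &out);
}

/* Constructed sample: SSID IE declaring 10 bytes with only 3 present. */
int demo_truncated_ssid(void)
{
	static const uint8_t ies[] = { 0, 10, 'a', 'b', 'c' };
	struct ssid_out out;

	return copy_ssid(ies, sizeof(ies), &out);
}

int main(void)
{
	printf("valid=%d oversized=%d truncated=%d\n", demo_valid_ssid(),
	       demo_oversized_ssid(), demo_truncated_ssid());
	return 0;
}
```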

* [PATCH 3.16 318/346] tcp: fix a compile error in DBGUNDO()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 134/346] tcp: consider recv buf for the initial window scale Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 259/346] xfrm_user: propagate sec ctx allocation errors Ben Hutchings
                   ` (321 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 019b1c9fe32a2a32c1153e31375f87ec3e591273 upstream.

If DBGUNDO() is enabled (FASTRETRANS_DEBUG > 1), a compile
error will happen, since inet6_sk(sk)->daddr became sk->sk_v6_daddr

Fixes: efe4208f47f9 ("ipv6: make lookups simpler and faster")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_input.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2316,10 +2316,9 @@ static void DBGUNDO(struct sock *sk, con
 	}
 #if IS_ENABLED(CONFIG_IPV6)
 	else if (sk->sk_family == AF_INET6) {
-		struct ipv6_pinfo *np = inet6_sk(sk);
 		pr_debug("Undo %s %pI6/%u c%u l%u ss%u/%u p%u\n",
 			 msg,
-			 &np->daddr, ntohs(inet->inet_dport),
+			 &sk->sk_v6_daddr, ntohs(inet->inet_dport),
 			 tp->snd_cwnd, tcp_left_out(tp),
 			 tp->snd_ssthresh, tp->prior_ssthresh,
 			 tp->packets_out);
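
Review bot: the AF_INET6 branch of DBGUNDO() went stale because, per the commit message, it is only built when FASTRETRANS_DEBUG > 1, and this change leaves that as it is. With np gone the branch compiles again, but the next field rename can break it the same way without anyone noticing; consider keeping the pr_debug() arguments visible to the compiler in normal builds.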

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 298/346] USB: change bInterval default to 10 ms
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 087/346] tpm: read burstcount from TPM_STS in one 32-bit transaction Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 039/346] batman-adv: Fix non-atomic bla_claim::backbone_gw access Ben Hutchings
                   ` (317 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman, Wade Berrier

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.

Some full-speed mceusb infrared transceivers contain invalid endpoint
descriptors for their interrupt endpoints, with bInterval set to 0.
In the past they have worked out okay with the mceusb driver, because
the driver sets the bInterval field in the descriptor to 1,
overwriting whatever value may have been there before.  However, this
approach was never sanctioned by the USB core, and in fact it does not
work with xHCI controllers, because they use the bInterval value that
was present when the configuration was installed.

Currently usbcore uses 32 ms as the default interval if the value in
the endpoint descriptor is invalid.  It turns out that these IR
transceivers don't work properly unless the interval is set to 10 ms
or below.  To work around this mceusb problem, this patch changes the
endpoint-descriptor parsing routine, making the default interval value
be 10 ms rather than 32 ms.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Wade Berrier <wberrier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -211,8 +211,10 @@ static int usb_parse_endpoint(struct dev
 	memcpy(&endpoint->desc, d, n);
 	INIT_LIST_HEAD(&endpoint->urb_list);
 
-	/* Fix up bInterval values outside the legal range. Use 32 ms if no
-	 * proper value can be guessed. */
+	/*
+	 * Fix up bInterval values outside the legal range.
+	 * Use 10 or 8 ms if no proper value can be guessed.
+	 */
 	i = 0;		/* i = min, j = max, n = default */
 	j = 255;
 	if (usb_endpoint_xfer_int(d)) {
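
Review bot: the rewritten comment above i = 0 in usb_parse_endpoint() says "Use 10 or 8 ms" without saying which default applies to which case, while the subject and commit message mention only 10 ms. Spell out in the comment which endpoint types and speeds get 8 ms and which get 10 ms. The comment-style reflow (opening /* on its own line) is also mixed into a functional change here and in the next two hunks, which makes a stable backport harder to read.
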
@@ -220,13 +222,15 @@ static int usb_parse_endpoint(struct dev
 		switch (to_usb_device(ddev)->speed) {
 		case USB_SPEED_SUPER:
 		case USB_SPEED_HIGH:
-			/* Many device manufacturers are using full-speed
+			/*
+			 * Many device manufacturers are using full-speed
 			 * bInterval values in high-speed interrupt endpoint
-			 * descriptors. Try to fix those and fall back to a
-			 * 32 ms default value otherwise. */
+			 * descriptors. Try to fix those and fall back to an
+			 * 8-ms default value otherwise.
+			 */
 			n = fls(d->bInterval*8);
 			if (n == 0)
-				n = 9;	/* 32 ms = 2^(9-1) uframes */
+				n = 7;	/* 8 ms = 2^(7-1) uframes */
 			j = 16;
 
 			/*
@@ -241,10 +245,12 @@ static int usb_parse_endpoint(struct dev
 			}
 			break;
 		default:		/* USB_SPEED_FULL or _LOW */
-			/* For low-speed, 10 ms is the official minimum.
+			/*
+			 * For low-speed, 10 ms is the official minimum.
 			 * But some "overclocked" devices might want faster
-			 * polling so we'll allow it. */
-			n = 32;
+			 * polling so we'll allow it.
+			 */
+			n = 10;
 			break;
 		}
 	} else if (usb_endpoint_xfer_isoc(d)) {
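
Review bot: n = 10; in the default (full/low-speed) case has no trailing comment, unlike the other defaults in this function, and here n is a count of frames rather than the exponent used in the high-speed case above. A trailing comment such as /* 10 ms = 10 frames */ would make the unit explicit.
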
@@ -252,10 +258,10 @@ static int usb_parse_endpoint(struct dev
 		j = 16;
 		switch (to_usb_device(ddev)->speed) {
 		case USB_SPEED_HIGH:
-			n = 9;		/* 32 ms = 2^(9-1) uframes */
+			n = 7;		/* 8 ms = 2^(7-1) uframes */
 			break;
 		default:		/* USB_SPEED_FULL */
-			n = 6;		/* 32 ms = 2^(6-1) frames */
+			n = 4;		/* 8 ms = 2^(4-1) frames */
 			break;
 		}
 	}
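
Review bot: the commit message motivates the new default only with interrupt endpoints on mceusb transceivers, yet the isochronous defaults in the usb_endpoint_xfer_isoc() branch also drop from 32 ms to 8 ms (n = 7 and n = 4). Either say in the message why isochronous endpoints change too, or leave those two values alone.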

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 293/346] microblaze: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (239 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 313/346] i2c-eg20t: fix race between i2c init and interrupt enable Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 215/346] tun: fix transmit timestamp support Ben Hutchings
                   ` (105 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/microblaze/include/asm/uaccess.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -371,10 +371,13 @@ extern long __user_bad(void);
 static inline long copy_from_user(void *to,
 		const void __user *from, unsigned long n)
 {
+	unsigned long res = n;
 	might_fault();
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_from_user(to, from, n);
-	return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 #define __copy_to_user(to, from, n)	\
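
Review bot: the commit message has no body and the new memset(to + (n - res), 0, res) in copy_from_user() has no comment, so nothing records that the uncopied tail is zeroed so that a failed or partial copy never leaves uninitialised bytes in the destination. Please add that as a comment. Two smaller points in the same lines: res is unsigned long while the function returns long, and a blank line is missing after the declaration of res.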

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 306/346] xfrm: Fix memory leak of aead algorithm name
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 002/346] HID: uhid: fix timeout when probe races with IO Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 193/346] bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two Ben Hutchings
                   ` (287 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, Ilan Tayari, Rami Rosen

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ilan Tayari <ilant@mellanox.com>

commit b588479358ce26f32138e0f0a7ab0678f8e3e601 upstream.

commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
introduced aead. The function attach_aead kmemdup()s the algorithm
name during xfrm_state_construct().
However this memory is never freed.
Implementation has since been slightly modified in
commit ee5c23176fcc ("xfrm: Clone states properly on migration")
without resolving this leak.
This patch adds a kfree() call for the aead algorithm name.

Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
Signed-off-by: Ilan Tayari <ilant@mellanox.com>
Acked-by: Rami Rosen <roszenrami@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_state.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -339,6 +339,7 @@ static void xfrm_state_gc_destroy(struct
 {
 	tasklet_hrtimer_cancel(&x->mtimer);
 	del_timer_sync(&x->rtimer);
+	kfree(x->aead);
 	kfree(x->aalg);
 	kfree(x->ealg);
 	kfree(x->calg);

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 296/346] fix minor infoleak in get_user_ex()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 259/346] xfrm_user: propagate sec ctx allocation errors Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
       [not found]   ` <CA+55aFyrySgb5rGq=0aON5tPu5_UR5CNn8T0FUqonMqSJUTXrQ@mail.gmail.com>
  2016-11-14  0:14 ` [PATCH 3.16 087/346] tpm: read burstcount from TPM_STS in one 32-bit transaction Ben Hutchings
                   ` (319 subsequent siblings)
  346 siblings, 1 reply; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Linus Torvalds, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.

get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
(at most we are leaking uninitialized 64bit value off the kernel stack,
and in a fairly constrained situation, at that), but the fix is trivial,
so...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ This sat in different branch from the uaccess fixes since mid-August ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/uaccess.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -391,7 +391,11 @@ do {									\
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
 	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
 		     "2:\n"						\
-		     _ASM_EXTABLE_EX(1b, 2b)				\
+		     ".section .fixup,\"ax\"\n"				\
+                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
+		     "  jmp 2b\n"					\
+		     ".previous\n"					\
+		     _ASM_EXTABLE_EX(1b, 3b)				\
 		     : ltype(x) : "m" (__m(addr)))
 
 #define __put_user_nocheck(x, ptr, size)			\
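
Review bot: the added line beginning "3:xor"itype in __get_user_asm_ex() is indented with spaces while every neighbouring line of the macro uses tabs; please match the surrounding indentation. A short comment on the .fixup block saying that label 3 zeroes the destination register before rejoining at label 2 would also help, since the zeroing is the entire point of the change.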

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 273/346] cris: buggered copy_from_user/copy_to_user/clear_user
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (268 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 275/346] hexagon: fix strncpy_from_user() error return Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 114/346] Documentation/module-signing.txt: Note need for version info if reusing a key Ben Hutchings
                   ` (76 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Jesper Nilsson

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.

* copy_from_user() on access_ok() failure ought to zero the destination
* none of those primitives should skip the access_ok() check in case of
small constant size.

Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 39 deletions(-)

--- a/arch/cris/include/asm/uaccess.h
+++ b/arch/cris/include/asm/uaccess.h
@@ -176,30 +176,6 @@ extern unsigned long __copy_user(void __
 extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
 extern unsigned long __do_clear_user(void __user *to, unsigned long n);
 
-static inline unsigned long
-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
-{
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __copy_user(to,from,n);
-	return n;
-}
-
-static inline unsigned long
-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
-{
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_user_zeroing(to,from,n);
-	return n;
-}
-
-static inline unsigned long
-__generic_clear_user(void __user *to, unsigned long n)
-{
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __do_clear_user(to,n);
-	return n;
-}
-
 static inline long
 __strncpy_from_user(char *dst, const char __user *src, long count)
 {
@@ -262,7 +238,7 @@ __constant_copy_from_user(void *to, cons
 	else if (n == 24)
 		__asm_copy_from_user_24(to, from, ret);
 	else
-		ret = __generic_copy_from_user(to, from, n);
+		ret = __copy_user_zeroing(to, from, n);
 
 	return ret;
 }
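
Review bot: the fallback in __constant_copy_from_user() now calls __copy_user_zeroing() directly, so this helper no longer performs any access_ok() check of its own and is safe only when reached through the new copy_from_user() wrapper. The same holds for the matching changes in __constant_copy_to_user() and __constant_clear_user(). A comment on each helper stating that the caller must already have done access_ok() would keep a later direct caller from skipping the check.
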
@@ -312,7 +288,7 @@ __constant_copy_to_user(void __user *to,
 	else if (n == 24)
 		__asm_copy_to_user_24(to, from, ret);
 	else
-		ret = __generic_copy_to_user(to, from, n);
+		ret = __copy_user(to, from, n);
 
 	return ret;
 }
@@ -344,26 +320,43 @@ __constant_clear_user(void __user *to, u
 	else if (n == 24)
 		__asm_clear_24(to, ret);
 	else
-		ret = __generic_clear_user(to, n);
+		ret = __do_clear_user(to, n);
 
 	return ret;
 }
 
 
-#define clear_user(to, n)			\
-(__builtin_constant_p(n) ?			\
- __constant_clear_user(to, n) :			\
- __generic_clear_user(to, n))
-
-#define copy_from_user(to, from, n)		\
-(__builtin_constant_p(n) ?			\
- __constant_copy_from_user(to, from, n) :	\
- __generic_copy_from_user(to, from, n))
-
-#define copy_to_user(to, from, n)		\
-(__builtin_constant_p(n) ?			\
- __constant_copy_to_user(to, from, n) :		\
- __generic_copy_to_user(to, from, n))
+static inline size_t clear_user(void __user *to, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+		return n;
+	if (__builtin_constant_p(n))
+		return __constant_clear_user(to, n);
+	else
+		return __do_clear_user(to, n);
+}
+
+static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_READ, from, n))) {
+		memset(to, 0, n);
+		return n;
+	}
+	if (__builtin_constant_p(n))
+		return __constant_copy_from_user(to, from, n);
+	else
+		return __copy_user_zeroing(to, from, n);
+}
+
+static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+		return n;
+	if (__builtin_constant_p(n))
+		return __constant_copy_to_user(to, from, n);
+	else
+		return __copy_user(to, from, n);
+}
 
 /* We let the __ versions of copy_from/to_user inline, because they're often
  * used in fast paths and have only a small space overhead.
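
Review bot: __builtin_constant_p(n) in the new clear_user(), copy_from_user() and copy_to_user() is now evaluated on a function parameter instead of a macro argument, so the constant-size fast path is taken only where the compiler inlines the wrapper and propagates the constant; otherwise the call goes through the generic routine. That is still correct, but worth a comment, or a forced-inline annotation if the fast path matters. The return type also changes to size_t while the underlying helpers return unsigned long, and the else after each return is redundant.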

^ permalink raw reply	[flat|nested] 352+ messages in thread
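
The zero-on-failure rule that the microblaze and cris copy_from_user() patches above enforce, as an added user-space model that is not code from the original messages or from the kernel. Offsets into user_mem stand in for user pointers; USER_LIMIT, USER_MAPPED, the STALE marker and all function names other than the two copy_from_user variants are assumptions made for the model, and the "old" variant follows the lines removed by the microblaze patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_LIMIT  64		/* offsets below this pass the range check */
#define USER_MAPPED 40		/* reads at or beyond this offset fault */
#define STALE       0xAA	/* marks old contents of the kernel-side buffer */
#define KBUF_LEN    16

static unsigned char user_mem[USER_LIMIT];	/* simulated user memory */

/* Range check only: says nothing about whether the pages are mapped. */
static int access_ok(size_t from, size_t n)
{
	return from <= USER_LIMIT && n <= USER_LIMIT - from;
}

/* Copies up to the first faulting byte; returns the number of bytes NOT copied. */
static size_t raw_copy_from_user(void *to, size_t from, size_t n)
{
	size_t ok = 0;

	if (from < USER_MAPPED)
		ok = (USER_MAPPED - from < n) ? USER_MAPPED - from : n;
	memcpy(to, user_mem + from, ok);
	return n - ok;
}

/* Shape of the removed lines: the destination keeps its old bytes on failure. */
static size_t copy_from_user_old(void *to, size_t from, size_t n)
{
	if (access_ok(from, n))
		return raw_copy_from_user(to, from, n);
	return n;
}

/* Shape of the added lines: whatever was not copied is zeroed. */
static size_t copy_from_user_new(void *to, size_t from, size_t n)
{
	size_t res = n;

	if (access_ok(from, n))
		res = raw_copy_from_user(to, from, n);
	if (res)
		memset((unsigned char *)to + (n - res), 0, res);
	return res;
}

typedef size_t (*copy_fn)(void *to, size_t from, size_t n);

/*
 * Fill a kernel-side buffer with STALE, attempt a KBUF_LEN-byte copy from the
 * given user offset, and count how many STALE bytes a caller could still see.
 */
static size_t stale_after(copy_fn copy, size_t from, size_t *uncopied)
{
	unsigned char kbuf[KBUF_LEN];
	size_t i, stale = 0;

	memset(user_mem, 'u', sizeof(user_mem));	/* constructed user data */
	memset(kbuf, STALE, sizeof(kbuf));
	*uncopied = copy(kbuf, from, sizeof(kbuf));
	for (i = 0; i < sizeof(kbuf); i++)
		stale += (kbuf[i] == STALE);
	return stale;
}

size_t stale_old(size_t from)
{
	size_t r;

	return stale_after(copy_from_user_old, from, &r);
}

size_t stale_new(size_t from)
{
	size_t r;

	return stale_after(copy_from_user_new, from, &r);
}

size_t uncopied_new(size_t from)
{
	size_t r;

	stale_after(copy_from_user_new, from, &r);
	return r;
}

int main(void)
{
	/* offset 32: range check passes, fault after 8 bytes; offset 60: range check fails */
	printf("old: partial=%zu rejected=%zu\n", stale_old(32), stale_old(60));
	printf("new: partial=%zu rejected=%zu\n", stale_new(32), stale_new(60));
	return 0;
}
```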

* [PATCH 3.16 109/346] ARM: OMAP3: hwmod data: Add sysc information for DSI
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 245/346] x86/AMD: Apply erratum 665 on machines without a BIOS fix Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 305/346] openrisc: fix the fix of copy_from_user() Ben Hutchings
                   ` (216 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tony Lindgren, Sebastian Reichel

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <sre@kernel.org>

commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.

Add missing sysconfig/sysstatus information
to OMAP3 hwmod. The information has been
checked against OMAP34xx and OMAP36xx TRM.

Without this change DSI block is not reset
during boot, which is required for working
Nokia N950 display.

Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -724,8 +724,20 @@ static struct omap_hwmod omap3xxx_dss_di
  * display serial interface controller
  */
 
+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+	.rev_offs	= 0x0000,
+	.sysc_offs	= 0x0010,
+	.syss_offs	= 0x0014,
+	.sysc_flags	= (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+			   SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+			   SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+	.idlemodes	= (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+	.sysc_fields	= &omap_hwmod_sysc_type1,
+};
+
 static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
 	.name = "dsi",
+	.sysc	= &omap3xxx_dsi_sysc,
 };
 
 static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
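Review bot: in the `omap3xxx_dsi_hwmod_class` initializer the new `.sysc` member is tab-aligned while the existing `.name = "dsi"` line uses a single space, so the two members of one struct follow different layouts; match the existing line. The offsets 0x0010 and 0x0014 in `omap3xxx_dsi_sysc` would also benefit from a short comment naming the registers they refer to, since the commit message says they were checked against the TRM but the code does not record which ones. Because the sysc data is attached to the class rather than to a single hwmod, it applies to every hwmod that uses the "dsi" class, which is worth stating in the commit message.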


* [PATCH 3.16 303/346] irda: Free skb on irda_accept error path.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 284/346] ppc32: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 073/346] drm/radeon: support backlight control for UNIPHY3 Ben Hutchings
                   ` (96 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, phil.turnbull

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "phil.turnbull@oracle.com" <phil.turnbull@oracle.com>

commit 8ab86c00e349cef9fb14719093a7f198bcc72629 upstream.

skb is not freed if newsk is NULL. Rework the error path so free_skb is
unconditionally called on function exit.

Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/irda/af_irda.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -843,7 +843,7 @@ static int irda_accept(struct socket *so
 	struct sock *sk = sock->sk;
 	struct irda_sock *new, *self = irda_sk(sk);
 	struct sock *newsk;
-	struct sk_buff *skb;
+	struct sk_buff *skb = NULL;
 	int err;
 
 	IRDA_DEBUG(2, "%s()\n", __func__);
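Review bot: the `skb = NULL` initializer at the top of irda_accept() is load-bearing and deserves a comment. The last hunk frees skb unconditionally at `out:`, so every `goto out` taken before skb is assigned now depends on this NULL and on kfree_skb() accepting a NULL pointer. Without a note, a later cleanup that drops the seemingly redundant initializer turns the early error paths into a free of an uninitialized pointer.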
@@ -913,7 +913,6 @@ static int irda_accept(struct socket *so
 	err = -EPERM; /* value does not seem to make sense. -arnd */
 	if (!new->tsap) {
 		IRDA_DEBUG(0, "%s(), dup failed!\n", __func__);
-		kfree_skb(skb);
 		goto out;
 	}
 
@@ -932,7 +931,6 @@ static int irda_accept(struct socket *so
 	/* Clean up the original one to keep it in listen state */
 	irttp_listen(self->tsap);
 
-	kfree_skb(skb);
 	sk->sk_ack_backlog--;
 
 	newsock->state = SS_CONNECTED;
@@ -940,6 +938,7 @@ static int irda_accept(struct socket *so
 	irda_connect_response(new);
 	err = 0;
 out:
+	kfree_skb(skb);
 	release_sock(sk);
 	return err;
 }
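Review bot: at the `out:` label, kfree_skb(skb) now runs on the success path as well as on every error path, and it runs after irda_connect_response(new) rather than before it as in the removed lines. Please confirm that no path reaching `out:` has already freed skb or handed it to another owner, since a single unconditional free turns any such path into a double free. A one-line comment at the label saying that skb is either NULL or still owned by this function would make the invariant explicit.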


* [PATCH 3.16 062/346] Bluetooth: Add USB ID 13D3:3487 to ath3k
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 064/346] qxl: check for kmap failures Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 204/346] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access Ben Hutchings
                   ` (119 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marcel Holtmann, Lauro Costa

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lauro Costa <lauro@polilinux.com.br>

commit 72f9f8b58bc743e6b6abdc68f60db98486c3ffcf upstream.

Add hw id to ath3k usb device list and btusb blacklist

T:  Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#=  4 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=13d3 ProdID=3487 Rev=00.02
C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Requires these firmwares:
ar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu
Firmwares are available in linux-firmware.

Device found in a laptop ASUS model N552VW. It's an Atheros AR9462 chip.

Signed-off-by: Lauro Costa <lauro@polilinux.com.br>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bluetooth/ath3k.c | 2 ++
 drivers/bluetooth/btusb.c | 1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -122,6 +122,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3432) },
 	{ USB_DEVICE(0x13d3, 0x3472) },
 	{ USB_DEVICE(0x13d3, 0x3474) },
+	{ USB_DEVICE(0x13d3, 0x3487) },
 
 	/* Atheros AR5BBU12 with sflash firmware */
 	{ USB_DEVICE(0x0489, 0xE02C) },
@@ -188,6 +189,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU22 with sflash firmware */
 	{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -216,6 +216,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU12 with sflash firmware */
 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
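Review bot: the btusb.c blacklist entry for `USB_DEVICE(0x13d3, 0x3487)` has to stay in step with the two entries added by hand in ath3k.c, and nothing in the code ties the three together, so a later edit that touches only one table will go unnoticed. The device listing in the commit message shows both interfaces with Driver=btusb; it would help to say whether that capture was taken before or after the change, since it is the only evidence of the binding given.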


* [PATCH 3.16 288/346] sh64: failing __get_user() should zero
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 099/346] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 146/346] metag: Fix __cmpxchg_u32 asm constraint for CMP Ben Hutchings
                   ` (208 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.

It could be done in exception-handling bits in __get_user_b() et.al.,
but the surgery involved would take more knowledge of sh64 details
than I have or _want_ to have.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sh/include/asm/uaccess_64.h | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/sh/include/asm/uaccess_64.h
+++ b/arch/sh/include/asm/uaccess_64.h
@@ -24,6 +24,7 @@
 #define __get_user_size(x,ptr,size,retval)			\
 do {								\
 	retval = 0;						\
+	x = 0;							\
 	switch (size) {						\
 	case 1:							\
 		retval = __get_user_asm_b((void *)&x,		\
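Review bot: the added `x = 0;` in __get_user_size() uses the macro argument without parentheses and runs on every call, including the success path where the `case` arms are expected to overwrite it. Writing `(x) = 0;` keeps the macro safe for callers that pass a non-trivial lvalue expression, and a one-line comment saying the destination is pre-cleared so that a failing access leaves zero in it would record why the store is there.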


* [PATCH 3.16 277/346] metag: copy_from_user() should zero the destination on access_ok() failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 093/346] target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 189/346] usb: xhci: Fix panic if disconnect Ben Hutchings
                   ` (340 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Hogan, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream.

Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/metag/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -199,8 +199,9 @@ extern unsigned long __must_check __copy
 static inline unsigned long
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n)))
 		return __copy_user_zeroing(to, from, n);
+	memset(to, 0, n);
 	return n;
 }
 
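Review bot: on the access_ok() failure branch of copy_from_user(), `memset(to, 0, n)` clears the whole destination but nothing in the function says why. A short comment that callers may go on to read the buffer after a failed copy would stop the memset from being removed later as dead work. The `likely()` added around the access_ok() test is a separate change and should be mentioned in the commit message, which currently has no body.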


* [PATCH 3.16 313/346] i2c-eg20t: fix race between i2c init and interrupt enable
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 083/346] netfilter: x_tables: validate targets of jumps Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 293/346] microblaze: fix copy_from_user() Ben Hutchings
                   ` (106 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wolfram Sang, Yadi.hu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Yadi.hu" <yadi.hu@windriver.com>

commit 371a015344b6e270e7e3632107d9554ec6d27a6b upstream.

The eg20t driver calls the request_irq() function before pch_base_address,
the base address of the i2c controller's registers, is assigned an
effective value.

There is one possible scenario in which an interrupt that isn't from eg20t
arrives immediately after request_irq() is executed, when the i2c
controller shares an interrupt number with others. Since the interrupt
handler pch_i2c_handler() is already active as a shared action, it will be
called and read its own register to determine if this interrupt is from
itself.

At that moment, since the base address of the i2c registers is not remapped
in kernel space yet, the INT handler will access an illegal address
and then an error occurs.

Signed-off-by: Yadi.hu <yadi.hu@windriver.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/i2c/busses/i2c-eg20t.c
+++ b/drivers/i2c/busses/i2c-eg20t.c
@@ -777,13 +777,6 @@ static int pch_i2c_probe(struct pci_dev
 	/* Set the number of I2C channel instance */
 	adap_info->ch_num = id->driver_data;
 
-	ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
-		  KBUILD_MODNAME, adap_info);
-	if (ret) {
-		pch_pci_err(pdev, "request_irq FAILED\n");
-		goto err_request_irq;
-	}
-
 	for (i = 0; i < adap_info->ch_num; i++) {
 		pch_adap = &adap_info->pch_data[i].pch_adapter;
 		adap_info->pch_i2c_suspended = false;
@@ -800,6 +793,17 @@ static int pch_i2c_probe(struct pci_dev
 		adap_info->pch_data[i].pch_base_address = base_addr + 0x100 * i;
 
 		pch_adap->dev.parent = &pdev->dev;
+	}
+
+	ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+		  KBUILD_MODNAME, adap_info);
+	if (ret) {
+		pch_pci_err(pdev, "request_irq FAILED\n");
+		goto err_request_irq;
+	}
+
+	for (i = 0; i < adap_info->ch_num; i++) {
+		pch_adap = &adap_info->pch_data[i].pch_adapter;
 
 		pch_i2c_init(&adap_info->pch_data[i]);
 
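Review bot: in pch_i2c_probe() the request_irq() call now sits between the loop that assigns pch_base_address and the loop that calls pch_i2c_init(), so with IRQF_SHARED the handler can still run against a channel whose base address is valid but whose controller has not been initialized. Please confirm pch_i2c_handler() is safe in that state, or add a comment above request_irq() explaining why the order is base address, then IRQ, then init. The failure path changes as well: `goto err_request_irq` is now taken after the first loop has run, so the unwind at that label should be checked against what the first loop sets up.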


* [PATCH 3.16 274/346] frv: fix clear_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (292 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 195/346] gpio: Fix OF build problem on UM Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 078/346] USB: serial: option: add support for Telit LE910 PID 0x1206 Ben Hutchings
                   ` (52 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.

It should check access_ok().  Otherwise a bunch of places turn into
trivially exploitable rootholes.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/frv/include/asm/uaccess.h | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do {							\
 extern long __memset_user(void *dst, unsigned long count);
 extern long __memcpy_user(void *dst, const void *src, unsigned long count);
 
-#define clear_user(dst,count)			__memset_user(____force(dst), (count))
+#define __clear_user(dst,count)			__memset_user(____force(dst), (count))
 #define __copy_from_user_inatomic(to, from, n)	__memcpy_user((to), ____force(from), (n))
 #define __copy_to_user_inatomic(to, from, n)	__memcpy_user(____force(to), (from), (n))
 
 #else
 
-#define clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
 #define __copy_from_user_inatomic(to, from, n)	(memcpy((to), ____force(from), (n)), 0)
 #define __copy_to_user_inatomic(to, from, n)	(memcpy(____force(to), (from), (n)), 0)
 
 #endif
 
-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+	if (likely(__access_ok(to, n)))
+		n = __clear_user(to, n);
+	return n;
+}
 
 static inline unsigned long __must_check
 __copy_to_user(void __user *to, const void *from, unsigned long n)
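Review bot: the new clear_user() inline calls `__access_ok(to, n)` directly, while the commit message says it should check access_ok(); if the two differ on frv, use the form the other user-copy wrappers in this header use, or say why the double-underscore form is right here. The same wrapper now fronts both the `__memset_user()` variant and the plain `memset()` variant after `#else`, and that second variant writes through the pointer and always returns 0, so it is worth confirming that `__access_ok()` rejects kernel addresses in that configuration too.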


* [PATCH 3.16 071/346] KVM: nVMX: fix lifetime issues for vmcs02
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (212 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 136/346] ext4: validate that metadata blocks do not overlap superblock Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 088/346] arm64: debug: unmask PSTATE.D earlier Ben Hutchings
                   ` (132 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wanpeng Li, Paolo Bonzini

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 4fa7734c62cdd8c07edd54fa5a5e91482273071a upstream.

free_nested needs the loaded_vmcs to be valid if it is a vmcs02, in
order to detach it from the shadow vmcs.  However, this is not
available anymore after commit 26a865f4aa8e (KVM: VMX: fix use after
free of vmx->loaded_vmcs, 2014-01-03).

Revert that patch, and fix its problem by forcing a vmcs01 as the
active VMCS before freeing all the nested VMX state.

Reported-by: Wanpeng Li <wanpeng.li@linux.intel.com>
Tested-by: Wanpeng Li <wanpeng.li@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/vmx.c | 49 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 16 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5777,22 +5777,27 @@ static void nested_free_vmcs02(struct vc
 
 /*
  * Free all VMCSs saved for this vcpu, except the one pointed by
- * vmx->loaded_vmcs. These include the VMCSs in vmcs02_pool (except the one
- * currently used, if running L2), and vmcs01 when running L2.
+ * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
+ * must be &vmx->vmcs01.
  */
 static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
 {
 	struct vmcs02_list *item, *n;
+
+	WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
 	list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
-		if (vmx->loaded_vmcs != &item->vmcs02)
-			free_loaded_vmcs(&item->vmcs02);
+		/*
+		 * Something will leak if the above WARN triggers.  Better than
+		 * a use-after-free.
+		 */
+		if (vmx->loaded_vmcs == &item->vmcs02)
+			continue;
+
+		free_loaded_vmcs(&item->vmcs02);
 		list_del(&item->list);
 		kfree(item);
+		vmx->nested.vmcs02_num--;
 	}
-	vmx->nested.vmcs02_num = 0;
-
-	if (vmx->loaded_vmcs != &vmx->vmcs01)
-		free_loaded_vmcs(&vmx->vmcs01);
 }
 
 /*
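Review bot: in nested_free_all_saved_vmcss(), when the new WARN_ON fires the loop takes the `continue` and leaves the loaded vmcs02 item on vmcs02_pool with vmcs02_num non-zero, whereas the removed code always unlinked every item and ended with `vmcs02_num = 0`. The comment accepts the leak, but callers that assume the pool is empty afterwards should be checked. WARN_ON_ONCE would also avoid repeated splats if this path can be reached more than once.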
@@ -7557,13 +7562,31 @@ static void __noclone vmx_vcpu_run(struc
 	vmx_complete_interrupts(vmx);
 }
 
+static void vmx_load_vmcs01(struct kvm_vcpu *vcpu)
+{
+	struct vcpu_vmx *vmx = to_vmx(vcpu);
+	int cpu;
+
+	if (vmx->loaded_vmcs == &vmx->vmcs01)
+		return;
+
+	cpu = get_cpu();
+	vmx->loaded_vmcs = &vmx->vmcs01;
+	vmx_vcpu_put(vcpu);
+	vmx_vcpu_load(vcpu, cpu);
+	vcpu->cpu = cpu;
+	put_cpu();
+}
+
 static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_vmx *vmx = to_vmx(vcpu);
 
 	free_vpid(vmx);
-	free_loaded_vmcs(vmx->loaded_vmcs);
+	leave_guest_mode(vcpu);
+	vmx_load_vmcs01(vcpu);
 	free_nested(vmx);
+	free_loaded_vmcs(vmx->loaded_vmcs);
 	kfree(vmx->guest_msrs);
 	kvm_vcpu_uninit(vcpu);
 	kmem_cache_free(kvm_vcpu_cache, vmx);
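Review bot: vmx_free_vcpu() now calls vmx_load_vmcs01(), which does vmx_vcpu_put() and vmx_vcpu_load() under get_cpu(), but nothing in the visible lines establishes that the vcpu being freed is currently loaded on this CPU. If vmx_free_vcpu() can run without a preceding vcpu load, the put/load pair operates on state that was never loaded here; either document the precondition above vmx_load_vmcs01() or load the vcpu around the nested teardown. The new order, free_nested() before free_loaded_vmcs(), is the point of the fix and merits a one-line comment so it is not reordered again.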
@@ -8707,7 +8730,6 @@ static void nested_vmx_vmexit(struct kvm
 			      unsigned long exit_qualification)
 {
 	struct vcpu_vmx *vmx = to_vmx(vcpu);
-	int cpu;
 	struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
 
 	/* trying to cancel vmlaunch/vmresume is a bug */
@@ -8732,12 +8754,7 @@ static void nested_vmx_vmexit(struct kvm
 				       vmcs12->vm_exit_intr_error_code,
 				       KVM_ISA_VMX);
 
-	cpu = get_cpu();
-	vmx->loaded_vmcs = &vmx->vmcs01;
-	vmx_vcpu_put(vcpu);
-	vmx_vcpu_load(vcpu, cpu);
-	vcpu->cpu = cpu;
-	put_cpu();
+	vmx_load_vmcs01(vcpu);
 
 	vm_entry_controls_init(vmx, vmcs_read32(VM_ENTRY_CONTROLS));
 	vm_exit_controls_init(vmx, vmcs_read32(VM_EXIT_CONTROLS));


* [PATCH 3.16 312/346] fix fault_in_multipages_...() on architectures with no-op access_ok()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (195 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 140/346] ftrace/recordmcount: Work around for addition of metag magic but not relocations Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 003/346] macvlan: Fix potential use-after free for broadcasts Ben Hutchings
                   ` (149 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Jan Stancek, Linus Torvalds, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit e23d4159b109167126e5bcd7f3775c95de7fee47 upstream.

Switching iov_iter fault-in to multipages variants has exposed an old
bug in underlying fault_in_multipages_...(); they break if the range
passed to them wraps around.  Normally access_ok() done by callers will
prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
such a range and they should not point to any valid objects).

However, on architectures where userland and kernel live in different
MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
with a wraparound can reach fault_in_multipages_...().

Since any wraparound means EFAULT there, the fix is trivial - turn
those

    while (uaddr <= end)
	    ...
into

    if (unlikely(uaddr > end))
	    return -EFAULT;
    do
	    ...
    while (uaddr <= end);

Reported-by: Jan Stancek <jstancek@redhat.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/pagemap.h | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -599,56 +599,56 @@ static inline int fault_in_pages_readabl
  */
 static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
 {
-	int ret = 0;
 	char __user *end = uaddr + size - 1;
 
 	if (unlikely(size == 0))
-		return ret;
+		return 0;
 
+	if (unlikely(uaddr > end))
+		return -EFAULT;
 	/*
 	 * Writing zeroes into userspace here is OK, because we know that if
 	 * the zero gets there, we'll be overwriting it.
 	 */
-	while (uaddr <= end) {
-		ret = __put_user(0, uaddr);
-		if (ret != 0)
-			return ret;
+	do {
+		if (unlikely(__put_user(0, uaddr) != 0))
+			return -EFAULT;
 		uaddr += PAGE_SIZE;
-	}
+	} while (uaddr <= end);
 
 	/* Check whether the range spilled into the next page. */
 	if (((unsigned long)uaddr & PAGE_MASK) ==
 			((unsigned long)end & PAGE_MASK))
-		ret = __put_user(0, end);
+		return __put_user(0, end);
 
-	return ret;
+	return 0;
 }
 
 static inline int fault_in_multipages_readable(const char __user *uaddr,
 					       int size)
 {
 	volatile char c;
-	int ret = 0;
 	const char __user *end = uaddr + size - 1;
 
 	if (unlikely(size == 0))
-		return ret;
+		return 0;
+
+	if (unlikely(uaddr > end))
+		return -EFAULT;
 
-	while (uaddr <= end) {
-		ret = __get_user(c, uaddr);
-		if (ret != 0)
-			return ret;
+	do {
+		if (unlikely(__get_user(c, uaddr) != 0))
+			return -EFAULT;
 		uaddr += PAGE_SIZE;
-	}
+	} while (uaddr <= end);
 
 	/* Check whether the range spilled into the next page. */
 	if (((unsigned long)uaddr & PAGE_MASK) ==
 			((unsigned long)end & PAGE_MASK)) {
-		ret = __get_user(c, end);
-		(void)c;
+		return __get_user(c, end);
 	}
 
-	return ret;
+	return 0;
 }
 
 int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
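Review bot: the new `uaddr > end` test in both helpers catches a range that already wraps at entry, but the loop step `uaddr += PAGE_SIZE` can itself wrap if `end` can lie in the last page of the address space, after which `uaddr <= end` is true again and the loop carries on from a low address. Consider ending the loop on the page that contains `end` rather than on a pointer comparison made after the increment, or state why that last page cannot occur. Separately, the loop bodies now return a hard-coded -EFAULT while the tail still returns the raw result of __put_user() or __get_user(), and `size` is an `int` used in `uaddr + size - 1` with only a zero check; a negative size now lands in the -EFAULT branch, which deserves a comment.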


* [PATCH 3.16 280/346] mn10300: failing __get_user() and get_user() should zero
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 331/346] KEYS: Fix short sprintf buffer in /proc/keys show function Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 166/346] cpuset: make sure new tasks conform to the current config of the cpuset Ben Hutchings
                   ` (306 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mn10300/include/asm/uaccess.h | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -181,6 +181,7 @@ struct __large_struct { unsigned long bu
 		"2:\n"						\
 		"	.section	.fixup,\"ax\"\n"	\
 		"3:\n\t"					\
+		"	mov		0,%1\n"			\
 		"	mov		%3,%0\n"		\
 		"	jmp		2b\n"			\
 		"	.previous\n"				\
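Review bot: the added `mov 0,%1` in the .fixup section zeroes whatever operand %1 is, but the operand list is outside the hunk, so a reader cannot tell from the patch that %1 is the loaded value rather than the error code or the address. A comment on that line, or a sentence in the commit body (currently empty), should name the operand. The subject also covers get_user(), yet the only change is in the fault fixup; please say how the access_ok() failure path of get_user() ends up with a zeroed destination.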


* [PATCH 3.16 294/346] microblaze: fix __get_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 027/346] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 228/346] drm/msm: fix use of copy_from_user() while holding spinlock Ben Hutchings
                   ` (179 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/microblaze/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -226,7 +226,7 @@ extern long __user_bad(void);
 
 #define __get_user(x, ptr)						\
 ({									\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	/*unsigned long __gu_ptr = (unsigned long)(ptr);*/		\
 	long __gu_err;							\
 	switch (sizeof(*(ptr))) {					\
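Review bot: initializing `__gu_val` to 0 in __get_user() only yields a zeroed result on failure if the faulting access leaves `__gu_val` untouched, and the code that performs the load is outside the hunk. The commit has no body, so please state that assumption there or in a comment next to the initializer. The commented-out `__gu_ptr` declaration on the following line is dead code that could be dropped while the macro is being touched.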


* [PATCH 3.16 269/346] crypto: arm64/aes-ctr - fix NULL dereference in tail processing
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 226/346] fs/seq_file: fix out-of-bounds read Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 021/346] tty/serial: atmel: fix RS485 half duplex with DMA Ben Hutchings
                   ` (301 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ard Biesheuvel, xiakaixu, Herbert Xu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 2db34e78f126c6001d79d3b66ab1abb482dc7caa upstream.

The AES-CTR glue code avoids calling into the blkcipher API for the
tail portion of the walk, by comparing the remainder of walk.nbytes
modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight
into the tail processing block if they are equal. This tail processing
block checks whether nbytes != 0, and does nothing otherwise.

However, in case of an allocation failure in the blkcipher layer, we
may enter this code with walk.nbytes == 0, while nbytes > 0. In this
case, we should not dereference the source and destination pointers,
since they may be NULL. So instead of checking for nbytes != 0, check
for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in
non-error conditions.

Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
Reported-by: xiakaixu <xiakaixu@huawei.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/aes-glue.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/crypto/aes-glue.c
+++ b/arch/arm64/crypto/aes-glue.c
@@ -205,7 +205,7 @@ static int ctr_encrypt(struct blkcipher_
 		err = blkcipher_walk_done(desc, &walk,
 					  walk.nbytes % AES_BLOCK_SIZE);
 	}
-	if (nbytes) {
+	if (walk.nbytes % AES_BLOCK_SIZE) {
 		u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
 		u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
 		u8 __aligned(8) tail[AES_BLOCK_SIZE];
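Review bot: in ctr_encrypt() the tail block is now gated on `walk.nbytes % AES_BLOCK_SIZE` instead of `nbytes`, and the reason is only in the commit message; the code carries no hint that walk.nbytes can be 0 while nbytes is not. Add a comment above the `if` saying that the walk's source and destination pointers may be NULL after a failed walk, so the condition has to be derived from `walk`. Please also check that the `err` set by blkcipher_walk_done() in that case is what the function returns.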


* [PATCH 3.16 299/346] IB/ipoib: Don't allow MC joins during light MC flush
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (260 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 007/346] [media] em28xx-i2c: rt_mutex_trylock() returns zero on failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 283/346] parisc: fix copy_from_user() Ben Hutchings
                   ` (84 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Alex Vesker, Doug Ledford

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit 344bacca8cd811809fc33a249f2738ab757d327f upstream.

This fix solves a race between light flush and on the fly joins.
Light flush doesn't set the device to down and unset IPOIB_OPER_UP
flag, this means that if while flushing we have a MC join in progress
and the QP was attached to BC MGID we can have a mismatch when
re-attaching a QP to the BC MGID.

The light flush would set the broadcast group to NULL causing an on
the fly join to rejoin and reattach to the BC MCG as well as adding
the BC MGID to the multicast list. The flush process would later on
remove the BC MGID and detach it from the QP. On the next flush
the BC MGID is present in the multicast list but not found when trying
to detach it because of the previous double attach and single detach.

[18332.714265] ------------[ cut here ]------------
[18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
...
[18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
[18332.779411]  0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
[18332.784960]  0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
[18332.790547]  ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
[18332.796199] Call Trace:
[18332.798015]  [<ffffffff813fed47>] dump_stack+0x63/0x8c
[18332.801831]  [<ffffffff8109add1>] __warn+0xd1/0xf0
[18332.805403]  [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
[18332.809706]  [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
[18332.814384]  [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
[18332.820031]  [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
[18332.825220]  [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
[18332.830290]  [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
[18332.834911]  [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
[18332.839741]  [<ffffffff81772bd1>] rollback_registered+0x31/0x40
[18332.844091]  [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
[18332.848880]  [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
[18332.853848]  [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
[18332.858474]  [<ffffffff81520c08>] dev_attr_store+0x18/0x30
[18332.862510]  [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
[18332.866349]  [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
[18332.870471]  [<ffffffff81207198>] __vfs_write+0x28/0xe0
[18332.874152]  [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
[18332.878274]  [<ffffffff81208062>] vfs_write+0xa2/0x1a0
[18332.881896]  [<ffffffff812093a6>] SyS_write+0x46/0xa0
[18332.885632]  [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
[18332.889709]  [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
[18332.894727] ---[ end trace 09ebbe31f831ef17 ]---

Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -1030,8 +1030,17 @@ static void __ipoib_ib_dev_flush(struct
 	}
 
 	if (level == IPOIB_FLUSH_LIGHT) {
+		int oper_up;
 		ipoib_mark_paths_invalid(dev);
+		/* Set IPoIB operation as down to prevent races between:
+		 * the flush flow which leaves MCG and on the fly joins
+		 * which can happen during that time. mcast restart task
+		 * should deal with join requests we missed.
+		 */
+		oper_up = test_and_clear_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
 		ipoib_mcast_dev_flush(dev);
+		if (oper_up)
+			set_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
 	}
 
 	if (level >= IPOIB_FLUSH_NORMAL)
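
Review bot: In the IPOIB_FLUSH_LIGHT branch, the test_and_clear_bit()/set_bit() pair around ipoib_mcast_dev_flush() is not atomic as a whole: if another path clears IPOIB_FLAG_OPER_UP while the flush runs, the trailing `if (oper_up) set_bit(...)` turns it back on. The comment should name the lock or ordering that rules this out, or the restore should be skipped when the flag changed in between. Style: a blank line is expected after the `int oper_up;` declaration.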


* [PATCH 3.16 272/346] asm-generic: make get_user() clear the destination on errors
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (318 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 301/346] IB/mlx4: Fix code indentation in QP1 MAD flow Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 239/346] tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data Ben Hutchings
                   ` (26 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.

both for access_ok() failures and for faults halfway through

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/asm-generic/uaccess.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -228,14 +228,18 @@ extern int __put_user_bad(void) __attrib
 	might_fault();						\
 	access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?		\
 		__get_user(x, ptr) :				\
-		-EFAULT;					\
+		((x) = (__typeof__(*(ptr)))0,-EFAULT);		\
 })
 
 #ifndef __get_user_fn
 static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
 {
-	size = __copy_from_user(x, ptr, size);
-	return size ? -EFAULT : size;
+	size_t n = __copy_from_user(x, ptr, size);
+	if (unlikely(n)) {
+		memset(x + (size - n), 0, n);
+		return -EFAULT;
+	}
+	return 0;
 }
 
 #define __get_user_fn(sz, u, k)	__get_user_fn(sz, u, k)
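
Review bot: In __get_user_fn(), `memset(x + (size - n), 0, n)` assumes that the n bytes __copy_from_user() reports as not copied are always the trailing bytes of the destination, and it does arithmetic on a `void *`. A short comment stating that contract would help, since the commit message is only a sentence fragment continuing the subject line. In the get_user() macro, `0,-EFAULT` wants a space after the comma.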


* [PATCH 3.16 291/346] blackfin: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (332 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 032/346] ext4: fix deadlock during page writeback Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 129/346] ubi: Be more paranoid while seaching for the most recent Fastmap Ben Hutchings
                   ` (12 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/blackfin/include/asm/uaccess.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -177,11 +177,12 @@ static inline int bad_user_access_length
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n))) {
 		memcpy(to, (const void __force *)from, n);
-	else
-		return n;
-	return 0;
+		return 0;
+	}
+	memset(to, 0, n);
+	return n;
 }
 
 static inline unsigned long __must_check
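
Review bot: On the access_ok() failure path, `memset(to, 0, n)` now writes n bytes to the kernel buffer where the old code wrote nothing, so copy_from_user() depends on every caller passing a destination that really is n bytes long even when the user pointer is rejected. That is the intended contract, but the commit has no body and the code has no comment; a one-line comment above the memset() saying why the destination is cleared would keep it from being dropped in a later cleanup.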


* [PATCH 3.16 270/346] MIPS: paravirt: Fix undefined reference to smp_bootstrap
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 120/346] drm/radeon: fix firmware info version checks Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 311/346] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Ben Hutchings
                   ` (128 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Redfearn, Ralf Baechle, linux-mips

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Redfearn <matt.redfearn@imgtec.com>

commit 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 upstream.

If the paravirt machine is compiled without CONFIG_SMP, the following
linker error occurs

arch/mips/kernel/head.o: In function `kernel_entry':
(.ref.text+0x10): undefined reference to `smp_bootstrap'

due to the kernel entry macro always including SMP startup code.
Wrap this code in CONFIG_SMP to fix the error.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14212/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/mach-paravirt/kernel-entry-init.h | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
@@ -11,11 +11,13 @@
 #define CP0_EBASE $15, 1
 
 	.macro  kernel_entry_setup
+#ifdef CONFIG_SMP
 	mfc0	t0, CP0_EBASE
 	andi	t0, t0, 0x3ff		# CPUNum
 	beqz	t0, 1f
 	# CPUs other than zero goto smp_bootstrap
 	j	smp_bootstrap
+#endif /* CONFIG_SMP */
 
 1:
 	.endm
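
Review bot: With CONFIG_SMP unset, kernel_entry_setup expands to nothing but the local label `1:`, which no instruction references because `beqz t0, 1f` sits inside the new #ifdef. Moving the `#endif` below the `1:` label keeps the branch and its target together and leaves the macro empty on uniprocessor builds.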


* [PATCH 3.16 232/346] ALSA: timer: fix NULL pointer dereference on memory allocation failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 265/346] NFSv4.1: Fix the CREATE_SESSION slot number accounting Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 001/346] lib/mpi: mpi_read_raw_data(): fix nbits calculation Ben Hutchings
                   ` (325 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Vegard Nossum

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream.

I hit this with syzkaller:

    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
    task: ffff88011278d600 task.stack: ffff8801120c0000
    RIP: 0010:[<ffffffff82c8ba07>]  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
    RSP: 0018:ffff8801120c7a60  EFLAGS: 00010006
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
    RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
    RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
    R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
    R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
    FS:  00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
    Stack:
     ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
     ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
     ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
    Call Trace:
     [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
     [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
     [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
     [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
     [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
     [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
     [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
     [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
     [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
     [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
     [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
     [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
     [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
     [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
     [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
     [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
     [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
    RIP  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
     RSP <ffff8801120c7a60>
    ---[ end trace 5955b08db7f2b029 ]---

This can happen if snd_hrtimer_open() fails to allocate memory and
returns an error, which is currently not checked by snd_timer_open():

    ioctl(SNDRV_TIMER_IOCTL_SELECT)
     - snd_timer_user_tselect()
	- snd_timer_close()
	   - snd_hrtimer_close()
	      - (struct snd_timer *) t->private_data = NULL
        - snd_timer_open()
           - snd_hrtimer_open()
              - kzalloc() fails; t->private_data is still NULL

    ioctl(SNDRV_TIMER_IOCTL_START)
     - snd_timer_user_start()
	- snd_timer_start()
	   - snd_timer_start1()
	      - snd_hrtimer_start()
		- t->private_data == NULL // boom

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -296,8 +296,21 @@ int snd_timer_open(struct snd_timer_inst
 		get_device(&timer->card->card_dev);
 	timeri->slave_class = tid->dev_sclass;
 	timeri->slave_id = slave_id;
-	if (list_empty(&timer->open_list_head) && timer->hw.open)
-		timer->hw.open(timer);
+
+	if (list_empty(&timer->open_list_head) && timer->hw.open) {
+		int err = timer->hw.open(timer);
+		if (err) {
+			kfree(timeri->owner);
+			kfree(timeri);
+
+			if (timer->card)
+				put_device(&timer->card->card_dev);
+			module_put(timer->module);
+			mutex_unlock(&register_mutex);
+			return err;
+		}
+	}
+
 	list_add_tail(&timeri->open_list, &timer->open_list_head);
 	snd_timer_check_master(timeri);
 	mutex_unlock(&register_mutex);
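
Review bot: The failure branch after timer->hw.open() open-codes the whole unwind (two kfree() calls, put_device(), module_put(), mutex_unlock()), and each step has to mirror an acquisition made earlier in snd_timer_open() that this hunk does not show, apart from get_device(). A single error label at the end of the function would be less likely to drift out of sync with those acquisitions. Style: a blank line is expected after `int err = timer->hw.open(timer);`.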


* [PATCH 3.16 230/346] powerpc/powernv : Drop reference added by kset_find_obj()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 037/346] batman-adv: Fix kerneldoc member names in for main structs Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 190/346] xhci: don't dereference a xhci member after removing xhci Ben Hutchings
                   ` (278 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mukesh Ojha, Vasant Hegde, Benjamin Herrenschmidt

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>

commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream.

In a situation where the Linux kernel gets notified about a duplicate error
log from OPAL, it has been observed that the kernel fails to remove sysfs
entries (/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is
because we currently search the error log/dump kobject in the kset list via
the 'kset_find_obj()' routine, which eventually increments the reference
count by one once it finds the kobject.

So, unless we decrement the reference count by one after it found the kobject,
we would not be able to release the kobject properly later.

This patch adds the 'kobject_put()' which was missing earlier.

Signed-off-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/powernv/opal-dump.c | 7 ++++++-
 arch/powerpc/platforms/powernv/opal-elog.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powernv/opal-dump.c
+++ b/arch/powerpc/platforms/powernv/opal-dump.c
@@ -365,6 +365,7 @@ static int process_dump(void)
 	uint32_t dump_id, dump_size, dump_type;
 	struct dump_obj *dump;
 	char name[22];
+	struct kobject *kobj;
 
 	rc = dump_read_info(&dump_id, &dump_size, &dump_type);
 	if (rc != OPAL_SUCCESS)
@@ -376,8 +377,12 @@ static int process_dump(void)
 	 * that gracefully and not create two conflicting
 	 * entries.
 	 */
-	if (kset_find_obj(dump_kset, name))
+	kobj = kset_find_obj(dump_kset, name);
+	if (kobj) {
+		/* Drop reference added by kset_find_obj() */
+		kobject_put(kobj);
 		return 0;
+	}
 
 	dump = create_dump_obj(dump_id, dump_size, dump_type);
 	if (!dump)
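
Review bot: In process_dump(), dropping the reference before `return 0` is right for a pure existence test, but the lookup and the later create_dump_obj() remain two separate steps; nothing in this hunk shows what prevents a second notification for the same dump id from passing the kset_find_obj() check before the first one has registered its kobject. The comment should state what serialises the callers.
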
--- a/arch/powerpc/platforms/powernv/opal-elog.c
+++ b/arch/powerpc/platforms/powernv/opal-elog.c
@@ -246,6 +246,7 @@ static void elog_work_fn(struct work_str
 	uint64_t elog_type;
 	int rc;
 	char name[2+16+1];
+	struct kobject *kobj;
 
 	rc = opal_get_elog_size(&id, &size, &type);
 	if (rc != OPAL_SUCCESS) {
@@ -268,8 +269,12 @@ static void elog_work_fn(struct work_str
 	 * that gracefully and not create two conflicting
 	 * entries.
 	 */
-	if (kset_find_obj(elog_kset, name))
+	kobj = kset_find_obj(elog_kset, name);
+	if (kobj) {
+		/* Drop reference added by kset_find_obj() */
+		kobject_put(kobj);
 		return;
+	}
 
 	create_elog_obj(log_id, elog_size, elog_type);
 }
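
Review bot: The find/put/return sequence in elog_work_fn() duplicates the one added to process_dump() in opal-dump.c. A small helper that takes the kset and the name, calls kset_find_obj() and kobject_put() internally and returns a bool would remove the duplication and make it harder to forget the put at the next call site.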


* [PATCH 3.16 263/346] asm-generic: make copy_from_user() zero the destination properly
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 271/346] nl80211: validate number of probe response CSA counters Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 324/346] mm,ksm: fix endless looping in allocating memory when ksm enable Ben Hutchings
                   ` (311 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.

... in all cases, including the failing access_ok()

Note that some architectures using asm-generic/uaccess.h have
__copy_from_user() not zeroing the tail on failure halfway
through.  This variant works either way.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/asm-generic/uaccess.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -255,11 +255,13 @@ extern int __get_user_bad(void) __attrib
 static inline long copy_from_user(void *to,
 		const void __user * from, unsigned long n)
 {
+	unsigned long res = n;
 	might_fault();
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_from_user(to, from, n);
-	else
-		return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline long copy_to_user(void __user *to,
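
Review bot: copy_from_user() is declared to return `long` but now returns `unsigned long res`, and `res` is initialised to n so that a failing access_ok() falls through to the memset(). Both deserve a comment, because the zeroing of the whole buffer on the access_ok() failure path is only implied by that initialiser. A blank line after the declaration of `res` would match kernel style.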


* [PATCH 3.16 237/346] serial: 8250: added acces i/o products quad and octal serial cards
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 014/346] usb: dwc3: fix for the isoc transfer EP_BUSY flag Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 018/346] drm/nouveau: Don't leak runtime pm ref on driver unload Ben Hutchings
                   ` (296 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Jimi Damon

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jimi Damon <jdamon@accesio.com>

commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream.

Added device ids for acces i/o products quad and octal serial cards
that make use of existing Pericom PI7C9X7954 and PI7C9X7958
configurations.

Signed-off-by: Jimi Damon <jdamon@accesio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/8250/8250_pci.c | 139 +++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1821,6 +1821,43 @@ pci_wch_ch353_setup(struct serial_privat
 #define PCI_DEVICE_ID_PERICOM_PI7C9X7954	0x7954
 #define PCI_DEVICE_ID_PERICOM_PI7C9X7958	0x7958
 
+#define PCI_VENDOR_ID_ACCESIO			0x494f
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB	0x1051
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S	0x1053
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB	0x105C
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S	0x105E
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB	0x1091
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2	0x1093
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB	0x1099
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4	0x109B
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB	0x10D1
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM	0x10D3
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB	0x10DA
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM	0x10DC
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1	0x1108
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2	0x1110
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2	0x1111
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4	0x1118
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4	0x1119
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S	0x1152
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S	0x115A
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2	0x1190
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2	0x1191
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4	0x1198
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4	0x1199
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM	0x11D0
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4	0x105A
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4	0x105B
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8	0x106A
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8	0x106B
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4	0x1098
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8	0x10A9
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM	0x10D9
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM	0x10E9
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM	0x11D8
+
+
+
 /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
 #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584	0x1584
 #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588	0x1588
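
Review bot: The new PCI_DEVICE_ID_ACCESIO_* block ends with three consecutive blank lines before the "Unknown vendors/cards" comment; one is enough. The IDs are also not in numeric order (0x105A through 0x11D8 follow 0x11D0); if the split mirrors the PI7C9X7954/PI7C9X7958 grouping used in the table, a comment above each group would make that clear.
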
@@ -4890,6 +4927,108 @@ static struct pci_device_id serial_pci_t
 		0,
 		0, pbn_pericom_PI7C9X7958 },
 	/*
+	 * ACCES I/O Products quad
+	 */
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	/*
 	 * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke)
 	 */
 	{	PCI_VENDOR_ID_TOPIC, PCI_DEVICE_ID_TOPIC_TP560,
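
Review bot: The comment heading the new serial_pci_tbl entries says "ACCES I/O Products quad", but the last nine entries use pbn_pericom_PI7C9X7958 and the commit message describes quad and octal cards, so the comment should cover both. Separately, several IDs whose names carry a 1 or 2 (for example MPCIE_ICM485_1, PCIE_COM_2SDB) are bound to pbn_pericom_PI7C9X7954, and IDs ending in _4 (COM422_4, COM485_4, COM232_4, COM_4SM, ICM_4SM) are bound to pbn_pericom_PI7C9X7958; if that number is the port count, please confirm these board configurations do not register more ports than the card has.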


* [PATCH 3.16 287/346] score: fix copy_from_user() and friends
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (324 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 148/346] block: fix bdi vs gendisk lifetime mismatch Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 054/346] [media] media: dvb_ringbuffer: Add memory barriers Ben Hutchings
                   ` (20 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/score/include/asm/uaccess.h | 41 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -296,35 +296,34 @@ extern int __copy_tofrom_user(void *to,
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
+	unsigned long res = len;
 
-	if (access_ok(VERIFY_READ, from, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_READ, from, len)))
+		res = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
-	return len;
+	if (unlikely(res))
+		memset(to + (len - res), 0, res);
+
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_WRITE, to, len)))
+		len = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
 	return len;
 }
 
-#define __copy_from_user(to, from, len)	\
-		__copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+	unsigned long left = __copy_tofrom_user(to, from, len);
+	if (unlikely(left))
+		memset(to + (len - left), 0, left);
+	return left;
+}
 
 #define __copy_to_user(to, from, len)		\
 		__copy_tofrom_user((to), (from), (len))
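
Review bot: copy_from_user() and copy_to_user() no longer perform the partial copy for a range that starts below TASK_SIZE and runs past it; after this change such a call copies nothing and returns len (with the destination zeroed in the copy_from_user() case). That is a behaviour change beyond adding the memset(), and the commit has no body, so it should be called out in the message. `memset(to + (len - res), 0, res)` also relies on `void *` arithmetic.
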
@@ -338,17 +337,17 @@ __copy_to_user_inatomic(void *to, const
 static inline unsigned long
 __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
 {
-	return __copy_from_user(to, from, len);
+	return __copy_tofrom_user(to, from, len);
 }
 
-#define __copy_in_user(to, from, len)	__copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len)	__copy_tofrom_user(to, from, len)
 
 static inline unsigned long
 copy_in_user(void *to, const void *from, unsigned long len)
 {
 	if (access_ok(VERIFY_READ, from, len) &&
 		      access_ok(VERFITY_WRITE, to, len))
-		return copy_from_user(to, from, len);
+		return __copy_tofrom_user(to, from, len);
 }
 
 /*
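
Review bot: copy_in_user() still has two defects in the context lines this hunk leaves alone: the second check spells the constant `VERFITY_WRITE`, and there is no return statement for the case where either access_ok() fails, so a function declared to return unsigned long falls off its end. Since the hunk already rewrites the return inside that `if`, it should add `return len;` after it and correct the constant.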


* [PATCH 3.16 226/346] fs/seq_file: fix out-of-bounds read
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 192/346] bcache: register_bcache(): call blkdev_put() when cache_alloc() fails Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 269/346] crypto: arm64/aes-ctr - fix NULL dereference in tail processing Ben Hutchings
                   ` (302 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Jones, Vegard Nossum, Al Viro, Linus Torvalds

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream.

seq_read() is a nasty piece of work, not to mention buggy.

It has (I think) an old bug which allows unprivileged userspace to read
beyond the end of m->buf.

I was getting these:

    BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
    Read of size 2713 by task trinity-c2/1329
    CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
    Call Trace:
      kasan_object_err+0x1c/0x80
      kasan_report_error+0x2cb/0x7e0
      kasan_report+0x4e/0x80
      check_memory_region+0x13e/0x1a0
      kasan_check_read+0x11/0x20
      seq_read+0xcd2/0x1480
      proc_reg_read+0x10b/0x260
      do_loop_readv_writev.part.5+0x140/0x2c0
      do_readv_writev+0x589/0x860
      vfs_readv+0x7b/0xd0
      do_readv+0xd8/0x2c0
      SyS_readv+0xb/0x10
      do_syscall_64+0x1b3/0x4b0
      entry_SYSCALL64_slow_path+0x25/0x25
    Object at ffff880116889100, in cache kmalloc-4096 size: 4096
    Allocated:
    PID = 1329
      save_stack_trace+0x26/0x80
      save_stack+0x46/0xd0
      kasan_kmalloc+0xad/0xe0
      __kmalloc+0x1aa/0x4a0
      seq_buf_alloc+0x35/0x40
      seq_read+0x7d8/0x1480
      proc_reg_read+0x10b/0x260
      do_loop_readv_writev.part.5+0x140/0x2c0
      do_readv_writev+0x589/0x860
      vfs_readv+0x7b/0xd0
      do_readv+0xd8/0x2c0
      SyS_readv+0xb/0x10
      do_syscall_64+0x1b3/0x4b0
      return_from_SYSCALL_64+0x0/0x6a
    Freed:
    PID = 0
    (stack is not available)
    Memory state around the buggy address:
     ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
		       ^
     ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    Disabling lock debugging due to kernel taint

This seems to be the same thing that Dave Jones was seeing here:

  https://lkml.org/lkml/2016/8/12/334

There are multiple issues here:

  1) If we enter the function with a non-empty buffer, there is an attempt
     to flush it. But it was not clearing m->from after doing so, which
     means that if we try to do this flush twice in a row without any call
     to traverse() in between, we are going to be reading from the wrong
     place -- the splat above, fixed by this patch.

  2) If there's a short write to userspace because of page faults, the
     buffer may already contain multiple lines (i.e. pos has advanced by
     more than 1), but we don't save the progress that was made so the
     next call will output what we've already returned previously. Since
     that is a much less serious issue (and I have a headache after
     staring at seq_read() for the past 8 hours), I'll leave that for now.

Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/seq_file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -219,8 +219,10 @@ ssize_t seq_read(struct file *file, char
 		size -= n;
 		buf += n;
 		copied += n;
-		if (!m->count)
+		if (!m->count) {
+			m->from = 0;
 			m->index++;
+		}
 		if (!size)
 			goto Done;
 	}
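
Review bot: the new `m->from = 0;` inside the `if (!m->count)` block has
no comment saying why the offset must be reset once the buffer drains.
The commit message describes exactly this invariant being violated (a
second flush reading from a stale offset), so a one-line comment above
the assignment would keep a later cleanup from dropping it. The
short-write case listed as issue 2 in the commit message is not touched
by this hunk and still needs its own fix.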


* [PATCH 3.16 311/346] ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (217 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 270/346] MIPS: paravirt: Fix undefined reference to smp_bootstrap Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 235/346] kernfs: don't depend on d_find_any_alias() when generating notifications Ben Hutchings
                   ` (127 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joseph Qi, Mark Fasheh, Joel Becker, Srinivas Eeda,
	Ashish Samant, Junxiao Bi, Linus Torvalds, Saar Maoz, Eric Ren

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ashish Samant <ashish.samant@oracle.com>

commit d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960 upstream.

If we punch a hole on a reflink such that following conditions are met:

1. start offset is on a cluster boundary
2. end offset is not on a cluster boundary
3. (end offset is somewhere in another extent) or
   (hole range > MAX_CONTIG_BYTES(1MB)),

we don't COW the first cluster starting at the start offset.  But in this
case, we were wrongly passing this cluster to
ocfs2_zero_range_for_truncate() to zero out.  This will modify the
cluster in place and zero it in the source too.

Fix this by skipping this cluster in such a scenario.

To reproduce:

1. Create a random file of say 10 MB
     xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
2. Reflink it
     reflink -f 10MBfile reflnktest
3. Punch a hole starting at a cluster boundary with a range greater than
1MB. You can also use a range that will put the end offset in another
extent.
     fallocate -p -o 0 -l 1048615 reflnktest
4. sync
5. Check the first cluster in the source file. (It will be zeroed out).
    dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C

Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.com
Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
Reported-by: Saar Maoz <saar.maoz@oracle.com>
Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <joseph.qi@huawei.com>
Cc: Eric Ren <zren@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ocfs2/file.c | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1516,7 +1516,8 @@ static int ocfs2_zero_partial_clusters(s
 				       u64 start, u64 len)
 {
 	int ret = 0;
-	u64 tmpend, end = start + len;
+	u64 tmpend = 0;
+	u64 end = start + len;
 	struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
 	unsigned int csize = osb->s_clustersize;
 	handle_t *handle;
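
Review bot: the `tmpend = 0` initialiser at the declaration is
load-bearing, not cosmetic. Once the first zeroing call becomes
conditional, the later `if (tmpend < end)` test reads this value when
that call is skipped. Add a short comment at the declaration saying so,
otherwise the initialiser looks like a candidate for removal.
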
@@ -1548,18 +1549,31 @@ static int ocfs2_zero_partial_clusters(s
 	}
 
 	/*
-	 * We want to get the byte offset of the end of the 1st cluster.
+	 * If start is on a cluster boundary and end is somewhere in another
+	 * cluster, we have not COWed the cluster starting at start, unless
+	 * end is also within the same cluster. So, in this case, we skip this
+	 * first call to ocfs2_zero_range_for_truncate() truncate and move on
+	 * to the next one.
 	 */
-	tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
-	if (tmpend > end)
-		tmpend = end;
-
-	trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
-						 (unsigned long long)tmpend);
-
-	ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
-	if (ret)
-		mlog_errno(ret);
+	if ((start & (csize - 1)) != 0) {
+		/*
+		 * We want to get the byte offset of the end of the 1st
+		 * cluster.
+		 */
+		tmpend = (u64)osb->s_clustersize +
+			(start & ~(osb->s_clustersize - 1));
+		if (tmpend > end)
+			tmpend = end;
+
+		trace_ocfs2_zero_partial_clusters_range1(
+			(unsigned long long)start,
+			(unsigned long long)tmpend);
+
+		ret = ocfs2_zero_range_for_truncate(inode, handle, start,
+						    tmpend);
+		if (ret)
+			mlog_errno(ret);
+	}
 
 	if (tmpend < end) {
 		/*
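
Review bot: the added block tests `start & (csize - 1)` but then
computes `tmpend` from `osb->s_clustersize`; use `csize` in both places
so the condition and the arithmetic cannot drift apart. The new comment
also reads "ocfs2_zero_range_for_truncate() truncate", with a stray
repeated word.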


* [PATCH 3.16 213/346] USB: avoid left shift by -1
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (277 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 187/346] scsi: fix upper bounds check of sense key in scsi_sense_key_string() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 304/346] avr32: fix 'undefined reference to `___copy_from_user' Ben Hutchings
                   ` (67 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Stern, Greg Kroah-Hartman, Vittorio Zecca, Bjørn Mork

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa upstream.

UBSAN complains about a left shift by -1 in proc_do_submiturb().  This
can occur when an URB is submitted for a bulk or control endpoint on
a high-speed device, since the code doesn't bother to check the
endpoint type; normally only interrupt or isochronous endpoints have
a nonzero bInterval value.

Aside from the fact that the operation is illegal, it shouldn't matter
because the result isn't used.  Still, in theory it could cause a
hardware exception or other problem, so we should work around it.
This patch avoids doing the left shift unless the shift amount is >= 0.

The same piece of code has another problem.  When checking the device
speed (the exponential encoding for interrupt endpoints is used only
by high-speed or faster devices), we need to look for speed >=
USB_SPEED_SUPER as well as speed == USB_SPEED_HIGH.  The patch adds
this check.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Vittorio Zecca <zeccav@gmail.com>
Tested-by: Vittorio Zecca <zeccav@gmail.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/devio.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1527,11 +1527,17 @@ static int proc_do_submiturb(struct usb_
 	as->urb->start_frame = uurb->start_frame;
 	as->urb->number_of_packets = number_of_packets;
 	as->urb->stream_id = stream_id;
-	if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
-			ps->dev->speed == USB_SPEED_HIGH)
-		as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
-	else
-		as->urb->interval = ep->desc.bInterval;
+
+	if (ep->desc.bInterval) {
+		if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
+				ps->dev->speed == USB_SPEED_HIGH ||
+				ps->dev->speed >= USB_SPEED_SUPER)
+			as->urb->interval = 1 <<
+					min(15, ep->desc.bInterval - 1);
+		else
+			as->urb->interval = ep->desc.bInterval;
+	}
+
 	as->urb->context = as;
 	as->urb->complete = async_completed;
 	for (totlen = u = 0; u < number_of_packets; u++) {
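
Review bot: the new outer `if (ep->desc.bInterval)` has no `else`, so
when bInterval is 0 `as->urb->interval` is never assigned here and keeps
whatever value the URB was allocated with, which this hunk does not
show. Either assign it explicitly (`as->urb->interval = 0;`) or add a
comment stating that the URB is zeroed at allocation, so the result for
bulk and control endpoints is defined by the code a reader can see.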


* [PATCH 3.16 267/346] ARM: sa1111: fix pcmcia suspend/resume
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 316/346] can: dev: fix deadlock reported after bus-off Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 300/346] IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV Ben Hutchings
                   ` (71 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Russell King

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d upstream.

SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for
the PCMCIA socket class.  PCMCIA used to handle suspend/resume via the
socket hosting device, which happened at normal device suspend/resume
time.

However, the referenced commit changed this: much of the resume now
happens much earlier, in the noirq resume handler of dev_pm_ops.

However, on SA1111, the PCMCIA device is not accessible as the SA1111
has not been resumed at _noirq time.  It's slightly worse than that,
because the SA1111 has already been put to sleep at _noirq time, so
suspend doesn't work properly.

Fix this by converting the core SA1111 code to use dev_pm_ops as well,
and performing its own suspend/resume at noirq time.

This fixes these errors in the kernel log:

pcmcia_socket pcmcia_socket0: time out after reset
pcmcia_socket pcmcia_socket1: time out after reset

and the resulting lack of PCMCIA cards after a S2RAM cycle.

Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/common/sa1111.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

--- a/arch/arm/common/sa1111.c
+++ b/arch/arm/common/sa1111.c
@@ -872,9 +872,9 @@ struct sa1111_save_data {
 
 #ifdef CONFIG_PM
 
-static int sa1111_suspend(struct platform_device *dev, pm_message_t state)
+static int sa1111_suspend_noirq(struct device *dev)
 {
-	struct sa1111 *sachip = platform_get_drvdata(dev);
+	struct sa1111 *sachip = dev_get_drvdata(dev);
 	struct sa1111_save_data *save;
 	unsigned long flags;
 	unsigned int val;
@@ -937,9 +937,9 @@ static int sa1111_suspend(struct platfor
  *	restored by their respective drivers, and must be called
  *	via LDM after this function.
  */
-static int sa1111_resume(struct platform_device *dev)
+static int sa1111_resume_noirq(struct device *dev)
 {
-	struct sa1111 *sachip = platform_get_drvdata(dev);
+	struct sa1111 *sachip = dev_get_drvdata(dev);
 	struct sa1111_save_data *save;
 	unsigned long flags, id;
 	void __iomem *base;
@@ -955,7 +955,7 @@ static int sa1111_resume(struct platform
 	id = sa1111_readl(sachip->base + SA1111_SKID);
 	if ((id & SKID_ID_MASK) != SKID_SA1111_ID) {
 		__sa1111_remove(sachip);
-		platform_set_drvdata(dev, NULL);
+		dev_set_drvdata(dev, NULL);
 		kfree(save);
 		return 0;
 	}
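
Review bot: the ID-mismatch path here still calls
`__sa1111_remove(sachip)` and `kfree(save)`, but with this patch the
function runs as the `.resume_noirq` callback. Please confirm that
tearing the chip down in the noirq phase is safe (nothing that sleeps or
relies on its interrupt handlers running), or defer the removal to a
later resume phase.
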
@@ -1006,8 +1006,8 @@ static int sa1111_resume(struct platform
 }
 
 #else
-#define sa1111_suspend NULL
-#define sa1111_resume  NULL
+#define sa1111_suspend_noirq NULL
+#define sa1111_resume_noirq  NULL
 #endif
 
 static int sa1111_probe(struct platform_device *pdev)
@@ -1041,6 +1041,11 @@ static int sa1111_remove(struct platform
 	return 0;
 }
 
+static struct dev_pm_ops sa1111_pm_ops = {
+	.suspend_noirq = sa1111_suspend_noirq,
+	.resume_noirq = sa1111_resume_noirq,
+};
+
 /*
  *	Not sure if this should be on the system bus or not yet.
  *	We really want some way to register a system device at
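
Review bot: nothing in this patch writes to `sa1111_pm_ops` after its
initialiser, so declare it `static const struct dev_pm_ops`. That keeps
the callback table in read-only data instead of leaving function
pointers in writable memory.
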
@@ -1053,11 +1058,10 @@ static int sa1111_remove(struct platform
 static struct platform_driver sa1111_device_driver = {
 	.probe		= sa1111_probe,
 	.remove		= sa1111_remove,
-	.suspend	= sa1111_suspend,
-	.resume		= sa1111_resume,
 	.driver		= {
 		.name	= "sa1111",
 		.owner	= THIS_MODULE,
+		.pm	= &sa1111_pm_ops,
 	},
 };
 


* [PATCH 3.16 231/346] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 017/346] IB/mlx5: Fix MODIFY_QP command input structure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 030/346] ath9k: Fix programming of minCCA power threshold Ben Hutchings
                   ` (234 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, Takashi Iwai

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 upstream.

I got this:

    divide error: 0000 [#1] PREEMPT SMP KASAN
    CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
    task: ffff8801120a9580 task.stack: ffff8801120b0000
    RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
    RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
    RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
    RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
    R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
    R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
    FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
    Stack:
     0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
     ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
     00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
    Call Trace:
     <IRQ>
     [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
     [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
     [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
     [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
     [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
     [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
     [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
     [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
     [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
     <EOI>
     [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
     [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
     [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
     [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
     [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
     [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
     [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
     [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
     [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
     [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
     [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
     [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
     [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
     [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
     [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
     [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
     [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
     [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
    RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
     RSP <ffff88011aa87da8>
    ---[ end trace 6aa380f756a21074 ]---

The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
completely new/unused timer -- it will have ->sticks == 0, which causes a
divide by 0 in snd_hrtimer_callback().

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -839,6 +839,7 @@ int snd_timer_new(struct snd_card *card,
 	timer->tmr_subdevice = tid->subdevice;
 	if (id)
 		strlcpy(timer->id, id, sizeof(timer->id));
+	timer->sticks = 1;
 	INIT_LIST_HEAD(&timer->device_list);
 	INIT_LIST_HEAD(&timer->open_list_head);
 	INIT_LIST_HEAD(&timer->active_list_head);
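
Review bot: `timer->sticks = 1;` is added in snd_timer_new() without a
comment, and the value looks arbitrary unless the reader already knows
it ends up as a divisor in snd_hrtimer_callback(). Add a short comment
saying the default guards against SNDRV_TIMER_IOCTL_CONTINUE on a timer
that was never started. It is also worth checking whether any other path
can leave `sticks` at 0, since this only covers the initial state.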


* [PATCH 3.16 271/346] nl80211: validate number of probe response CSA counters
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 050/346] net: mvneta: set real interrupt per packet for tx_done Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 263/346] asm-generic: make copy_from_user() zero the destination properly Ben Hutchings
                   ` (312 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit ad5987b47e96a0fb6d13fea250e936aed000093c upstream.

Due to an apparent copy/paste bug, the number of counters for the
beacon configuration were checked twice, instead of checking the
number of probe response counters. Fix this to check the number of
probe response counters before parsing those.

Fixes: 9a774c78e211 ("cfg80211: Support multiple CSA counters")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5980,7 +5980,7 @@ static int nl80211_channel_switch(struct
 
 		params.n_counter_offsets_presp = len / sizeof(u16);
 		if (rdev->wiphy.max_num_csa_counters &&
-		    (params.n_counter_offsets_beacon >
+		    (params.n_counter_offsets_presp >
 		     rdev->wiphy.max_num_csa_counters))
 			return -EINVAL;
 
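Review bot: the bound on `params.n_counter_offsets_presp` is applied
only when `rdev->wiphy.max_num_csa_counters` is non-zero, so a driver
that leaves that field at 0 accepts any count derived from the
attribute length. If 0 is meant as "no limit", say so in a comment next
to the check; otherwise reject the request when the limit is unset.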


* [PATCH 3.16 234/346] dm crypt: fix free of bad values after tfm allocation failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 308/346] ocfs2/dlm: fix race between convert and migration Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 147/346] block: fix use-after-free in seq file Ben Hutchings
                   ` (195 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, Mike Snitzer

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd upstream.

If crypt_alloc_tfms() had to allocate multiple tfms and it failed before
the last allocation, then it would call crypt_free_tfms() and could free
pointers from uninitialized memory -- due to the crypt_free_tfms() check
for non-zero cc->tfms[i].  Fix by allocating zeroed memory.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-crypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1400,7 +1400,7 @@ static int crypt_alloc_tfms(struct crypt
 	unsigned i;
 	int err;
 
-	cc->tfms = kmalloc(cc->tfms_count * sizeof(struct crypto_ablkcipher *),
+	cc->tfms = kzalloc(cc->tfms_count * sizeof(struct crypto_ablkcipher *),
 			   GFP_KERNEL);
 	if (!cc->tfms)
 		return -ENOMEM;
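
Review bot: the size passed to kzalloc() is still the open-coded product
`cc->tfms_count * sizeof(struct crypto_ablkcipher *)`. Using
`kcalloc(cc->tfms_count, sizeof(struct crypto_ablkcipher *), GFP_KERNEL)`
zeroes the array just the same and adds the multiplication-overflow
check.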


* [PATCH 3.16 268/346] crypto: skcipher - Fix blkcipher walk OOM crash
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 150/346] SUNRPC: allow for upcalls for same uid but different gss service Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 027/346] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Ben Hutchings
                   ` (181 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel, xiakaixu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 upstream.

When we need to allocate a temporary blkcipher_walk_next and it
fails, the code is supposed to take the slow path of processing
the data block by block.  However, due to an unrelated change
we instead end up dereferencing the NULL pointer.

This patch fixes it by moving the unrelated bsize setting out
of the way so that we enter the slow path as intended.

Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
Reported-by: xiakaixu <xiakaixu@huawei.com>
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/blkcipher.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -233,6 +233,8 @@ static int blkcipher_walk_next(struct bl
 		return blkcipher_walk_done(desc, walk, -EINVAL);
 	}
 
+	bsize = min(walk->walk_blocksize, n);
+
 	walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
 			 BLKCIPHER_WALK_DIFF);
 	if (!scatterwalk_aligned(&walk->in, walk->alignmask) ||
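
Review bot: the relocated `bsize = min(walk->walk_blocksize, n);` now
carries an ordering requirement that the code does not state. Per the
commit message it has to be set before the fallback to the slow path,
so add a comment at the new location; otherwise a later cleanup can move
it back down next to the scatterwalk_clamp() calls and reintroduce the
crash.
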
@@ -245,7 +247,6 @@ static int blkcipher_walk_next(struct bl
 		}
 	}
 
-	bsize = min(walk->walk_blocksize, n);
 	n = scatterwalk_clamp(&walk->in, n);
 	n = scatterwalk_clamp(&walk->out, n);
 


* [PATCH 3.16 281/346] mn10300: copy_from_user() should zero on access_ok() failure...
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 170/346] ARC: Call trace_hardirqs_on() before enabling irqs Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 121/346] MIPS: c-r4k: Fix protected_writeback_scache_line for EVA Ben Hutchings
                   ` (335 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mn10300/lib/usercopy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,7 @@
  * as published by the Free Software Foundation; either version
  * 2 of the Licence, or (at your option) any later version.
  */
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 
 unsigned long
 __generic_copy_to_user(void *to, const void *from, unsigned long n)
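
Review bot: the switch from `<asm/uaccess.h>` to `<linux/uaccess.h>` is
not mentioned in the commit message. If it is there to get a
declaration for the memset() added in the next hunk, include
`<linux/string.h>` directly rather than relying on an indirect include.
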
@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const
 {
 	if (access_ok(VERIFY_READ, from, n))
 		__copy_user_zeroing(to, from, n);
+	else
+		memset(to, 0, n);
 	return n;
 }
 
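Review bot: the new `else memset(to, 0, n);` branch is not explained
anywhere, since the commit message has no body beyond the subject line.
State in the message or in a comment that callers may go on to use the
destination buffer after a failed copy, so it must not keep stale
kernel memory.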


* [PATCH 3.16 228/346] drm/msm: fix use of copy_from_user() while holding spinlock
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 294/346] microblaze: fix __get_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 164/346] crypto: caam - fix non-hmac hashes Ben Hutchings
                   ` (178 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Clark, Vaishali Thakkar

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rob Clark <robdclark@gmail.com>

commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 upstream.

Use instead __copy_from_user_inatomic() and fallback to slow-path where
we drop and re-acquire the lock in case of fault.

Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -55,6 +55,14 @@ static struct msm_gem_submit *submit_cre
 	return submit;
 }
 
+static inline unsigned long __must_check
+copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
+{
+	if (access_ok(VERIFY_READ, from, n))
+		return __copy_from_user_inatomic(to, from, n);
+	return -EFAULT;
+}
+
 static int submit_lookup_objects(struct msm_gem_submit *submit,
 		struct drm_msm_gem_submit *args, struct drm_file *file)
 {
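
Review bot: `copy_from_user_inatomic()` is declared to return
`unsigned long` but returns `-EFAULT` when access_ok() fails, which
converts to a very large positive value. The caller in this patch only
tests for non-zero, so it works, but returning `n` (bytes not copied)
would match what `__copy_from_user_inatomic()` returns on the other
branch and avoid a misleading errno in an unsigned type.
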
@@ -62,6 +70,7 @@ static int submit_lookup_objects(struct
 	int ret = 0;
 
 	spin_lock(&file->table_lock);
+	pagefault_disable();
 
 	for (i = 0; i < args->nr_bos; i++) {
 		struct drm_msm_gem_submit_bo submit_bo;
@@ -70,10 +79,15 @@ static int submit_lookup_objects(struct
 		void __user *userptr =
 			to_user_ptr(args->bos + (i * sizeof(submit_bo)));
 
-		ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
-		if (ret) {
-			ret = -EFAULT;
-			goto out_unlock;
+		ret = copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo));
+		if (unlikely(ret)) {
+			pagefault_enable();
+			spin_unlock(&file->table_lock);
+			ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
+			if (ret)
+				goto out;
+			spin_lock(&file->table_lock);
+			pagefault_disable();
 		}
 
 		if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
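
Review bot: on the slow path, `ret = copy_from_user(...)` followed by
`if (ret) goto out;` leaves `ret` holding the positive count of
uncopied bytes. The removed lines set `ret = -EFAULT` at this point and
the new ones do not, so set `ret = -EFAULT` before the `goto out` to
keep submit_lookup_objects() returning a negative errno. Also note that
`file->table_lock` is now dropped and retaken in the middle of the loop,
so earlier iterations are no longer covered by the same critical
section; a comment saying why that is acceptable would help.
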
@@ -113,9 +127,12 @@ static int submit_lookup_objects(struct
 	}
 
 out_unlock:
-	submit->nr_bos = i;
+	pagefault_enable();
 	spin_unlock(&file->table_lock);
 
+out:
+	submit->nr_bos = i;
+
 	return ret;
 }
 


* [PATCH 3.16 202/346] staging: comedi: daqboard2000: bug fix board type matching code
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (210 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 022/346] serial: samsung: Fix ERR pointer dereference on deferred probe Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 136/346] ext4: validate that metadata blocks do not overlap superblock Ben Hutchings
                   ` (134 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Ian Abbott

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 80e162ee9b31d77d851b10f8c5299132be1e120f upstream.

`daqboard2000_find_boardinfo()` is supposed to check if the
DaqBoard/2000 series model is supported, based on the PCI subvendor and
subdevice ID.  The current code is wrong as it is comparing the PCI
device's subdevice ID to an expected, fixed value for the subvendor ID.
It should be comparing the PCI device's subvendor ID to this fixed
value.  Correct it.

Fixes: 7e8401b23e7f ("staging: comedi: daqboard2000: add back
subsystem_device check")
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/daqboard2000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/daqboard2000.c
+++ b/drivers/staging/comedi/drivers/daqboard2000.c
@@ -684,7 +684,7 @@ static const void *daqboard2000_find_boa
 	const struct daq200_boardtype *board;
 	int i;
 
-	if (pcidev->subsystem_device != PCI_VENDOR_ID_IOTECH)
+	if (pcidev->subsystem_vendor != PCI_VENDOR_ID_IOTECH)
 		return NULL;
 
 	for (i = 0; i < ARRAY_SIZE(boardtypes); i++) {


* [PATCH 3.16 242/346] x86/paravirt: Do not trace _paravirt_ident_*() functions
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 028/346] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 050/346] net: mvneta: set real interrupt per packet for tx_done Ben Hutchings
                   ` (314 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steven Rostedt, Linus Torvalds, Łukasz Daniluk

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt <rostedt@goodmis.org>

commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.

Łukasz Daniluk reported that on a RHEL kernel his machine would lock up
after enabling function tracer. I asked him to bisect the functions within
available_filter_functions, which he did and it came down to three:

  _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()

It was found that this is only an issue when noreplace-paravirt is added
to the kernel command line.

This means that those functions are most likely called within critical
sections of the function tracer, and must not be traced.

In newer kernels _paravirt_nop() is defined within gcc asm(), and is no
longer an issue.  But both _paravirt_ident_{32,64}() cause the
following splat when they are traced:

 mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
 mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
 mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
 mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
 NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
 Modules linked in: e1000e
 CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
 task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
 RIP: 0010:[<ffffffff81134148>]  [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
 RSP: 0018:ffff8800d4aefb90  EFLAGS: 00000246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
 RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
 RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
 R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
 R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
 FS:  00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
 Call Trace:
   _raw_spin_lock+0x27/0x30
   handle_pte_fault+0x13db/0x16b0
   handle_mm_fault+0x312/0x670
   __do_page_fault+0x1b1/0x4e0
   do_page_fault+0x22/0x30
   page_fault+0x28/0x30
   __vfs_read+0x28/0xe0
   vfs_read+0x86/0x130
   SyS_read+0x46/0xa0
   entry_SYSCALL_64_fastpath+0x1e/0xa8
 Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b

Reported-by: Łukasz Daniluk <lukasz.daniluk@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/paravirt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -55,12 +55,12 @@ asm (".pushsection .entry.text, \"ax\"\n
      ".popsection");
 
 /* identity function, which can be inlined */
-u32 _paravirt_ident_32(u32 x)
+u32 notrace _paravirt_ident_32(u32 x)
 {
 	return x;
 }
 
-u64 _paravirt_ident_64(u64 x)
+u64 notrace _paravirt_ident_64(u64 x)
 {
 	return x;
 }
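
Review bot: The comment above _paravirt_ident_32() still reads only "identity function, which can be inlined" and gives no reason for the new notrace on both functions. The commit message attributes the lockup to these functions being called inside critical sections of the function tracer when noreplace-paravirt is on the command line; a one-line comment saying so next to the annotation would keep a later cleanup from dropping it.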

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 211/346] USB: fix typo in wMaxPacketSize validation
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (297 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 056/346] x86/quirks: Reintroduce scanning of secondary buses Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 126/346] fuse: fix wrong assignment of ->flags in fuse_send_init() Ben Hutchings
                   ` (47 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 6c73358c83ce870c0cf32413e5cadb3b9a39c606 upstream.

The maximum value allowed for wMaxPacketSize of a high-speed interrupt
endpoint is 1024 bytes, not 1023.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -158,7 +158,7 @@ static const unsigned short high_speed_m
 	[USB_ENDPOINT_XFER_CONTROL] = 64,
 	[USB_ENDPOINT_XFER_ISOC] = 1024,
 	[USB_ENDPOINT_XFER_BULK] = 512,
-	[USB_ENDPOINT_XFER_INT] = 1023,
+	[USB_ENDPOINT_XFER_INT] = 1024,
 };
 static const unsigned short super_speed_maxpacket_maxes[4] = {
 	[USB_ENDPOINT_XFER_CONTROL] = 512,
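
Review bot: The [USB_ENDPOINT_XFER_INT] entry in the high-speed table was off by one because nothing near the table says whether its values are inclusive limits. A short comment above the table stating that each entry is the largest wMaxPacketSize accepted for that transfer type would make the 1024 here (the same value as the ISOC entry) self-explanatory.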

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 209/346] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (236 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 325/346] ARM: 8617/1: dma: fix dma_max_pfn() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 083/346] netfilter: x_tables: validate targets of jumps Ben Hutchings
                   ` (108 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Peter Chen, Felipe Balbi, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f4693b08cc901912a87369c46537b94ed4084ea0 upstream.

We can't assign -EINVAL to a u16.

Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver')
Acked-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/fsl_qe_udc.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/drivers/usb/gadget/fsl_qe_udc.c
+++ b/drivers/usb/gadget/fsl_qe_udc.c
@@ -1881,11 +1881,8 @@ static int qe_get_frame(struct usb_gadge
 
 	tmp = in_be16(&udc->usb_param->frame_n);
 	if (tmp & 0x8000)
-		tmp = tmp & 0x07ff;
-	else
-		tmp = -EINVAL;
-
-	return (int)tmp;
+		return tmp & 0x07ff;
+	return -EINVAL;
 }
 
 static int fsl_qe_start(struct usb_gadget *gadget,
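
Review bot: In qe_get_frame() the masks 0x8000 and 0x07ff remain bare literals, so the code does not say that the first gates whether a frame number is returned at all and the second selects the frame-number field of frame_n. Named constants for both would document that. The control flow itself is now right: tmp never has to carry a negative errno, which is what the commit message objects to.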

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 283/346] parisc: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (261 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 299/346] IB/ipoib: Don't allow MC joins during light MC flush Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 113/346] module: Invalidate signatures on force-loaded modules Ben Hutchings
                   ` (83 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit aace880feea38875fbc919761b77e5732a3659ef upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -9,6 +9,8 @@
 #include <asm/errno.h>
 #include <asm-generic/uaccess-unaligned.h>
 
+#include <linux/string.h>
+
 #define VERIFY_READ 0
 #define VERIFY_WRITE 1
 
@@ -248,13 +250,14 @@ static inline unsigned long __must_check
                                           unsigned long n)
 {
         int sz = __compiletime_object_size(to);
-        int ret = -EFAULT;
+        unsigned long ret = n;
 
         if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
                 ret = __copy_from_user(to, from, n);
         else
                 copy_from_user_overflow();
-
+	if (unlikely(ret))
+		memset(to + (n - ret), 0, ret);
         return ret;
 }
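
Review bot: In the else branch ret keeps its initial value n, so the new memset(to + (n - ret), 0, ret) writes n bytes starting at to, yet that branch is taken exactly when sz is known and smaller than n, i.e. when the destination object cannot hold n bytes. Whether this is reachable at run time depends on how copy_from_user_overflow() is declared, which the hunk does not show; either skip the zeroing on that path or add a comment explaining why it is safe. Separately, the two added lines are tab-indented while the surrounding context in this hunk uses spaces, and the commit message has no body describing the behaviour change (return value is now the number of uncopied bytes, destination tail zeroed).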
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 199/346] net/mlx5: Added missing check of msg length in verifying its signature
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 068/346] USB: quirks: Fix another ELAN touchscreen Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 154/346] USB: serial: option: add support for Telit LE920A4 Ben Hutchings
                   ` (93 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Saeed Mahameed, Paul Blakey

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Blakey <paulb@mellanox.com>

commit 2c0f8ce1b584a4d7b8ff53140d21dfed99834940 upstream.

Set and verify signature calculates the signature for each of the
mailbox nodes, even for those that are unused (from cache). Added
a missing length check to set and verify only those which are used.

While here, also moved the setting of msg's nodes token to where we
already go over them. This saves a pass because checksum is disabled,
and the only useful thing remaining that set signature does is setting
the token.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Paul Blakey <paulb@mellanox.com>

Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 85 +++++++++++++++++----------
 1 file changed, 54 insertions(+), 31 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -159,13 +159,14 @@ static struct mlx5_cmd_layout *get_inst(
 	return cmd->cmd_buf + (idx << cmd->log_stride);
 }
 
-static u8 xor8_buf(void *buf, int len)
+static u8 xor8_buf(void *buf, size_t offset, int len)
 {
 	u8 *ptr = buf;
 	u8 sum = 0;
 	int i;
+	int end = len + offset;
 
-	for (i = 0; i < len; i++)
+	for (i = offset; i < end; i++)
 		sum ^= ptr[i];
 
 	return sum;
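
Review bot: xor8_buf() now mixes a size_t offset with an int len, and "int end = len + offset;" narrows the sum back to int before it bounds "for (i = offset; i < end; i++)". Every caller visible in this patch passes small sizeof- or offsetof-derived values, so nothing overflows as written, but declaring len, end and i as size_t would remove the implicit signed/unsigned conversions from a function whose whole job is to walk a buffer by index.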
@@ -173,41 +174,49 @@ static u8 xor8_buf(void *buf, int len)
 
 static int verify_block_sig(struct mlx5_cmd_prot_block *block)
 {
-	if (xor8_buf(block->rsvd0, sizeof(*block) - sizeof(block->data) - 1) != 0xff)
+	size_t rsvd0_off = offsetof(struct mlx5_cmd_prot_block, rsvd0);
+	int xor_len = sizeof(*block) - sizeof(block->data) - 1;
+
+	if (xor8_buf(block, rsvd0_off, xor_len) != 0xff)
 		return -EINVAL;
 
-	if (xor8_buf(block, sizeof(*block)) != 0xff)
+	if (xor8_buf(block, 0, sizeof(*block)) != 0xff)
 		return -EINVAL;
 
 	return 0;
 }
 
-static void calc_block_sig(struct mlx5_cmd_prot_block *block, u8 token,
-			   int csum)
+static void calc_block_sig(struct mlx5_cmd_prot_block *block)
 {
-	block->token = token;
-	if (csum) {
-		block->ctrl_sig = ~xor8_buf(block->rsvd0, sizeof(*block) -
-					    sizeof(block->data) - 2);
-		block->sig = ~xor8_buf(block, sizeof(*block) - 1);
-	}
+	int ctrl_xor_len = sizeof(*block) - sizeof(block->data) - 2;
+	size_t rsvd0_off = offsetof(struct mlx5_cmd_prot_block, rsvd0);
+
+	block->ctrl_sig = ~xor8_buf(block, rsvd0_off, ctrl_xor_len);
+	block->sig = ~xor8_buf(block, 0, sizeof(*block) - 1);
 }
 
-static void calc_chain_sig(struct mlx5_cmd_msg *msg, u8 token, int csum)
+static void calc_chain_sig(struct mlx5_cmd_msg *msg)
 {
 	struct mlx5_cmd_mailbox *next = msg->next;
+	int size = msg->len;
+	int blen = size - min_t(int, sizeof(msg->first.data), size);
+	int n = (blen + MLX5_CMD_DATA_BLOCK_SIZE - 1)
+		/ MLX5_CMD_DATA_BLOCK_SIZE;
+	int i = 0;
 
-	while (next) {
-		calc_block_sig(next->buf, token, csum);
+	for (i = 0; i < n && next; i++)  {
+		calc_block_sig(next->buf);
 		next = next->next;
 	}
 }
 
 static void set_signature(struct mlx5_cmd_work_ent *ent, int csum)
 {
-	ent->lay->sig = ~xor8_buf(ent->lay, sizeof(*ent->lay));
-	calc_chain_sig(ent->in, ent->token, csum);
-	calc_chain_sig(ent->out, ent->token, csum);
+	ent->lay->sig = ~xor8_buf(ent->lay, 0,  sizeof(*ent->lay));
+	if (csum) {
+		calc_chain_sig(ent->in);
+		calc_chain_sig(ent->out);
+	}
 }
 
 static void poll_timeout(struct mlx5_cmd_work_ent *ent)
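
Review bot: In calc_chain_sig() the loop condition "i < n && next" ends quietly when the mailbox chain is shorter than the n derived from msg->len, so a mismatch between the recorded length and the chain leaves blocks unsigned with no diagnostic. A WARN_ON(i < n) after the loop, or a comment on why that cannot happen, would help. Smaller points in the same hunk: "int i = 0;" is immediately re-initialised by the for statement, and there are stray double spaces in "i++)  {" and in "xor8_buf(ent->lay, 0,  sizeof(*ent->lay))".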
@@ -238,12 +247,17 @@ static int verify_signature(struct mlx5_
 	struct mlx5_cmd_mailbox *next = ent->out->next;
 	int err;
 	u8 sig;
+	int size = ent->out->len;
+	int blen = size - min_t(int, sizeof(ent->out->first.data), size);
+	int n = (blen + MLX5_CMD_DATA_BLOCK_SIZE - 1)
+		/ MLX5_CMD_DATA_BLOCK_SIZE;
+	int i = 0;
 
-	sig = xor8_buf(ent->lay, sizeof(*ent->lay));
+	sig = xor8_buf(ent->lay, 0, sizeof(*ent->lay));
 	if (sig != 0xff)
 		return -EINVAL;
 
-	while (next) {
+	for (i = 0; i < n && next; i++) {
 		err = verify_block_sig(next->buf);
 		if (err)
 			return err;
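
Review bot: The size/blen/n computation added to verify_signature() is a copy of the one added to calc_chain_sig() in the previous hunk, differing only in which message it reads (ent->out here, msg there). Since the fix depends on both sides agreeing on how many blocks are in use, a small helper that takes a struct mlx5_cmd_msg * and returns the block count would keep the two from drifting apart.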
@@ -555,7 +569,6 @@ static void cmd_work_handler(struct work
 		ent->idx = cmd->max_reg_cmds;
 	}
 
-	ent->token = alloc_token(cmd);
 	cmd->ent_arr[ent->idx] = ent;
 	lay = get_inst(cmd, ent->idx);
 	ent->lay = lay;
@@ -654,7 +667,8 @@ static int wait_func(struct mlx5_core_de
 static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
 			   struct mlx5_cmd_msg *out, void *uout, int uout_size,
 			   mlx5_cmd_cbk_t callback,
-			   void *context, int page_queue, u8 *status)
+			   void *context, int page_queue, u8 *status,
+			   u8 token)
 {
 	struct mlx5_cmd *cmd = &dev->cmd;
 	struct mlx5_cmd_work_ent *ent;
@@ -672,6 +686,8 @@ static int mlx5_cmd_invoke(struct mlx5_c
 	if (IS_ERR(ent))
 		return PTR_ERR(ent);
 
+	ent->token = token;
+
 	if (!callback)
 		init_completion(&ent->done);
 
@@ -746,7 +762,8 @@ static const struct file_operations fops
 	.write	= dbg_write,
 };
 
-static int mlx5_copy_to_msg(struct mlx5_cmd_msg *to, void *from, int size)
+static int mlx5_copy_to_msg(struct mlx5_cmd_msg *to, void *from, int size,
+			    u8 token)
 {
 	struct mlx5_cmd_prot_block *block;
 	struct mlx5_cmd_mailbox *next;
@@ -772,6 +789,7 @@ static int mlx5_copy_to_msg(struct mlx5_
 		memcpy(block->data, from, copy);
 		from += copy;
 		size -= copy;
+		block->token = token;
 		next = next->next;
 	}
 
@@ -841,7 +859,8 @@ static void free_cmd_box(struct mlx5_cor
 }
 
 static struct mlx5_cmd_msg *mlx5_alloc_cmd_msg(struct mlx5_core_dev *dev,
-					       gfp_t flags, int size)
+					       gfp_t flags, int size,
+					       u8 token)
 {
 	struct mlx5_cmd_mailbox *tmp, *head = NULL;
 	struct mlx5_cmd_prot_block *block;
@@ -870,6 +889,7 @@ static struct mlx5_cmd_msg *mlx5_alloc_c
 		tmp->next = head;
 		block->next = cpu_to_be64(tmp->next ? tmp->next->dma : 0);
 		block->block_num = cpu_to_be32(n - i - 1);
+		block->token = token;
 		head = tmp;
 	}
 	msg->next = head;
@@ -1239,7 +1259,7 @@ static struct mlx5_cmd_msg *alloc_msg(st
 	}
 
 	if (IS_ERR(msg))
-		msg = mlx5_alloc_cmd_msg(dev, gfp, in_size);
+		msg = mlx5_alloc_cmd_msg(dev, gfp, in_size, 0);
 
 	return msg;
 }
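
Review bot: The bare 0 passed as the new token argument in alloc_msg(), and again in both create_msg_cache() loops, is not explained. It appears to rely on mlx5_copy_to_msg() writing the real token into each block it fills, which leaves blocks beyond the copied length at token 0. A comment stating that this is intended, in line with the "only those which are used" wording of the commit message, would save the next reader from tracing it.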
@@ -1258,6 +1278,7 @@ static int cmd_exec(struct mlx5_core_dev
 	gfp_t gfp;
 	int err;
 	u8 status = 0;
+	u8 token;
 
 	pages_queue = is_manage_pages(in);
 	gfp = callback ? GFP_ATOMIC : GFP_KERNEL;
@@ -1268,20 +1289,22 @@ static int cmd_exec(struct mlx5_core_dev
 		return err;
 	}
 
-	err = mlx5_copy_to_msg(inb, in, in_size);
+	token = alloc_token(&dev->cmd);
+
+	err = mlx5_copy_to_msg(inb, in, in_size, token);
 	if (err) {
 		mlx5_core_warn(dev, "err %d\n", err);
 		goto out_in;
 	}
 
-	outb = mlx5_alloc_cmd_msg(dev, gfp, out_size);
+	outb = mlx5_alloc_cmd_msg(dev, gfp, out_size, token);
 	if (IS_ERR(outb)) {
 		err = PTR_ERR(outb);
 		goto out_in;
 	}
 
 	err = mlx5_cmd_invoke(dev, inb, outb, out, out_size, callback, context,
-			      pages_queue, &status);
+			      pages_queue, &status, token);
 	if (err)
 		goto out_out;
 
@@ -1348,7 +1371,7 @@ static int create_msg_cache(struct mlx5_
 	INIT_LIST_HEAD(&cmd->cache.med.head);
 
 	for (i = 0; i < NUM_LONG_LISTS; i++) {
-		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, LONG_LIST_SIZE);
+		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, LONG_LIST_SIZE, 0);
 		if (IS_ERR(msg)) {
 			err = PTR_ERR(msg);
 			goto ex_err;
@@ -1358,7 +1381,7 @@ static int create_msg_cache(struct mlx5_
 	}
 
 	for (i = 0; i < NUM_MED_LISTS; i++) {
-		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, MED_LIST_SIZE);
+		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, MED_LIST_SIZE, 0);
 		if (IS_ERR(msg)) {
 			err = PTR_ERR(msg);
 			goto ex_err;

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 205/346] iio: accel: kxsd9: Fix raw read return
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 152/346] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 057/346] x86/quirks: Add early quirk to reset Apple AirPort card Ben Hutchings
                   ` (272 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Jonathan Cameron

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.

Any readings from the raw interface of the KXSD9 driver will
return an empty string, because it does not return
IIO_VAL_INT but rather some random value from the accelerometer
to the caller.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/accel/kxsd9.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev
 		if (ret < 0)
 			goto error_ret;
 		*val = ret;
+		ret = IIO_VAL_INT;
 		break;
 	case IIO_CHAN_INFO_SCALE:
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
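
Review bot: In kxsd9_read_raw() the variable ret still does double duty as the sample read from the device ("*val = ret;") and as the function's return code ("ret = IIO_VAL_INT;"), which is the pattern that produced this bug. Reading into a separate local and reserving ret for the status would make a missing IIO_VAL_INT assignment in other cases easier to spot.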

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 235/346] kernfs: don't depend on d_find_any_alias() when generating notifications
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 311/346] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 214/346] ubifs: Fix assertion in layout_in_gaps() Ben Hutchings
                   ` (126 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, John McCutchan, Robert Love, Tejun Heo,
	Evgeny Vereshchagin, Eric Paris

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream.

kernfs_notify_workfn() sends out file modified events for the
scheduled kernfs_nodes.  Because the modifications aren't from
userland, it doesn't have the matching file struct at hand and can't
use fsnotify_modify().  Instead, it looked up the inode and then used
d_find_any_alias() to find the dentry and used fsnotify_parent() and
fsnotify() directly to generate notifications.

The assumption was that the relevant dentries would have been pinned
if there are listeners, which isn't true as inotify doesn't pin
dentries at all and watching the parent doesn't pin the child dentries
even for dnotify.  This led to, for example, inotify watchers not
getting notifications if the system is under memory pressure and the
matching dentries got reclaimed.  It can also be triggered through
/proc/sys/vm/drop_caches or a remount attempt which involves shrinking
dcache.

fsnotify_parent() only uses the dentry to access the parent inode,
which kernfs can do easily.  Update kernfs_notify_workfn() so that it
uses fsnotify() directly for both the parent and target inodes without
going through d_find_any_alias().  While at it, supply the target file
name to fsnotify() from kernfs_node->name.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too")
Cc: John McCutchan <john@johnmccutchan.com>
Cc: Robert Love <rlove@rlove.org>
Cc: Eric Paris <eparis@parisplace.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/kernfs/file.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -828,21 +828,35 @@ repeat:
 	mutex_lock(&kernfs_mutex);
 
 	list_for_each_entry(info, &kernfs_root(kn)->supers, node) {
+		struct kernfs_node *parent;
 		struct inode *inode;
-		struct dentry *dentry;
 
+		/*
+		 * We want fsnotify_modify() on @kn but as the
+		 * modifications aren't originating from userland don't
+		 * have the matching @file available.  Look up the inodes
+		 * and generate the events manually.
+		 */
 		inode = ilookup(info->sb, kn->ino);
 		if (!inode)
 			continue;
 
-		dentry = d_find_any_alias(inode);
-		if (dentry) {
-			fsnotify_parent(NULL, dentry, FS_MODIFY);
-			fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
-				 NULL, 0);
-			dput(dentry);
+		parent = kernfs_get_parent(kn);
+		if (parent) {
+			struct inode *p_inode;
+
+			p_inode = ilookup(info->sb, parent->ino);
+			if (p_inode) {
+				fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD,
+					 inode, FSNOTIFY_EVENT_INODE, kn->name, 0);
+				iput(p_inode);
+			}
+
+			kernfs_put(parent);
 		}
 
+		fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
+			 kn->name, 0);
 		iput(inode);
 	}
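
Review bot: When ilookup(info->sb, parent->ino) returns NULL the parent event is skipped without comment, and the same holds for the "if (!inode) continue;" on the target. The new block comment explains why the events are generated by hand but not why a missing in-core inode means there is nobody to notify; one sentence on that would complete it. The comment's wording also needs a subject: "as the modifications aren't originating from userland don't have the matching @file available" should read "... from userland, we don't have ...".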
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 224/346] ARM: sa1100: clear reset status prior to reboot
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 172/346] megaraid_sas: Fix probing cards without io port Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 256/346] crypto: cryptd - initialize child shash_desc on import Ben Hutchings
                   ` (198 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Russell King

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit da60626e7d02a4f385cae80e450afc8b07035368 upstream.

Clear the current reset status prior to rebooting the platform.  This
adds the bit missing from 04fef228fb00 ("[ARM] pxa: introduce
reset_status and clear_reset_status for driver's usage").

Fixes: 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-sa1100/generic.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/mach-sa1100/generic.c
+++ b/arch/arm/mach-sa1100/generic.c
@@ -31,6 +31,7 @@
 
 #include <mach/hardware.h>
 #include <mach/irqs.h>
+#include <mach/reset.h>
 
 #include "generic.h"
 
@@ -91,6 +92,8 @@ static void sa1100_power_off(void)
 
 void sa11x0_restart(enum reboot_mode mode, const char *cmd)
 {
+	clear_reset_status(RESET_STATUS_ALL);
+
 	if (mode == REBOOT_SOFT) {
 		/* Jump into ROM at address 0 */
 		soft_restart(0);
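
Review bot: clear_reset_status(RESET_STATUS_ALL) at the top of sa11x0_restart() carries no comment, and the commit message says only that the call was missing. One line on why stale reset status has to be cleared before either restart path runs would make the intent clear to someone reading generic.c without the history.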

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 206/346] powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 156/346] vfio/pci: Fix NULL pointer oops in error interrupt setup handling Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 017/346] IB/mlx5: Fix MODIFY_QP command input structure Ben Hutchings
                   ` (236 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Herrenschmidt, Andrew Donnellan,
	Mauricio Faria de Oliveira, Gavin Shan

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>

commit 2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 upstream.

This patch leverages 'struct pci_host_bridge' from the PCI subsystem
in order to free the pci_controller only after the last reference to
its devices is dropped (avoiding an oops in pcibios_release_device()
if the last reference is dropped after pcibios_free_controller()).

The patch relies on pci_host_bridge.release_fn() (and .release_data),
which is called automatically by the PCI subsystem when the root bus
is released (i.e., the last reference is dropped).  Those fields are
set via pci_set_host_bridge_release() (e.g. in the platform-specific
implementation of pcibios_root_bridge_prepare()).

It introduces the 'pcibios_free_controller_deferred()' .release_fn()
and it expects .release_data to hold a pointer to the pci_controller.

The function implicitly calls 'pcibios_free_controller()', so a user
must *NOT* explicitly call it if using the new _deferred() callback.

The functionality is enabled for pseries (although it isn't platform
specific, and may be used by cxl).

Details on not-so-elegant design choices:

 - Use 'pci_host_bridge.release_data' field as pointer to associated
   'struct pci_controller' so *not* to 'pci_bus_to_host(bridge->bus)'
   in pcibios_free_controller_deferred().

   That's because pci_remove_root_bus() sets 'host_bridge->bus = NULL'
   (so, if the last reference is released after pci_remove_root_bus()
   runs, which eventually reaches pcibios_free_controller_deferred(),
   that would hit a null pointer dereference).

   The cxl/vphb.c code calls pci_remove_root_bus(), and the cxl folks
   are interested in this fix.

Test-case #1 (hold references)

  # ls -ld /sys/block/sd* | grep -m1 0021:01:00.0
  <...> /sys/block/sdaa -> ../devices/pci0021:01/0021:01:00.0/<...>

  # ls -ld /sys/block/sd* | grep -m1 0021:01:00.1
  <...> /sys/block/sdab -> ../devices/pci0021:01/0021:01:00.1/<...>

  # cat >/dev/sdaa & pid1=$!
  # cat >/dev/sdab & pid2=$!

  # drmgr -w 5 -d 1 -c phb -s 'PHB 33' -r
  Validating PHB DLPAR capability...yes.
  [  594.306719] pci_hp_remove_devices: PCI: Removing devices on bus 0021:01
  [  594.306738] pci_hp_remove_devices:    Removing 0021:01:00.0...
  ...
  [  598.236381] pci_hp_remove_devices:    Removing 0021:01:00.1...
  ...
  [  611.972077] pci_bus 0021:01: busn_res: [bus 01-ff] is released
  [  611.972140] rpadlpar_io: slot PHB 33 removed

  # kill -9 $pid1
  # kill -9 $pid2
  [  632.918088] pcibios_free_controller_deferred: domain 33, dynamic 1

Test-case #2 (don't hold references)

  # drmgr -w 5 -d 1 -c phb -s 'PHB 33' -r
  Validating PHB DLPAR capability...yes.
  [  916.357363] pci_hp_remove_devices: PCI: Removing devices on bus 0021:01
  [  916.357386] pci_hp_remove_devices:    Removing 0021:01:00.0...
  ...
  [  920.566527] pci_hp_remove_devices:    Removing 0021:01:00.1...
  ...
  [  933.955873] pci_bus 0021:01: busn_res: [bus 01-ff] is released
  [  933.955977] pcibios_free_controller_deferred: domain 33, dynamic 1
  [  933.955999] rpadlpar_io: slot PHB 33 removed

Suggested-By: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> # cxl
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/pci-bridge.h      |  1 +
 arch/powerpc/kernel/pci-common.c           | 36 ++++++++++++++++++++++++++++++
 arch/powerpc/platforms/pseries/pci.c       |  4 ++++
 arch/powerpc/platforms/pseries/pci_dlpar.c |  7 ++++--
 4 files changed, 46 insertions(+), 2 deletions(-)

--- a/arch/powerpc/include/asm/pci-bridge.h
+++ b/arch/powerpc/include/asm/pci-bridge.h
@@ -246,6 +246,7 @@ extern void pci_process_bridge_OF_ranges
 /* Allocate & free a PCI host bridge structure */
 extern struct pci_controller *pcibios_alloc_controller(struct device_node *dev);
 extern void pcibios_free_controller(struct pci_controller *phb);
+extern void pcibios_free_controller_deferred(struct pci_host_bridge *bridge);
 
 #ifdef CONFIG_PCI
 extern int pcibios_vaddr_is_ioport(void __iomem *address);
--- a/arch/powerpc/kernel/pci-common.c
+++ b/arch/powerpc/kernel/pci-common.c
@@ -102,6 +102,42 @@ void pcibios_free_controller(struct pci_
 }
 
 /*
+ * This function is used to call pcibios_free_controller()
+ * in a deferred manner: a callback from the PCI subsystem.
+ *
+ * _*DO NOT*_ call pcibios_free_controller() explicitly if
+ * this is used (or it may access an invalid *phb pointer).
+ *
+ * The callback occurs when all references to the root bus
+ * are dropped (e.g., child buses/devices and their users).
+ *
+ * It's called as .release_fn() of 'struct pci_host_bridge'
+ * which is associated with the 'struct pci_controller.bus'
+ * (root bus) - it expects .release_data to hold a pointer
+ * to 'struct pci_controller'.
+ *
+ * In order to use it, register .release_fn()/release_data
+ * like this:
+ *
+ * pci_set_host_bridge_release(bridge,
+ *                             pcibios_free_controller_deferred
+ *                             (void *) phb);
+ *
+ * e.g. in the pcibios_root_bridge_prepare() callback from
+ * pci_create_root_bus().
+ */
+void pcibios_free_controller_deferred(struct pci_host_bridge *bridge)
+{
+	struct pci_controller *phb = (struct pci_controller *)
+					 bridge->release_data;
+
+	pr_debug("domain %d, dynamic %d\n", phb->global_number, phb->is_dynamic);
+
+	pcibios_free_controller(phb);
+}
+EXPORT_SYMBOL_GPL(pcibios_free_controller_deferred);
+
+/*
  * The function is used to return the minimal alignment
  * for memory or I/O windows of the associated P2P bridge.
  * By default, 4KiB alignment for I/O windows and 1MiB for
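
Review bot: The usage example in the new block comment is missing a comma after pcibios_free_controller_deferred, so the documented call "pci_set_host_bridge_release(bridge, pcibios_free_controller_deferred (void *) phb);" would not compile if copied; the real call in pseries_root_bridge_prepare() has it. In the function itself, the cast on "bridge->release_data" is unnecessary since a void pointer converts implicitly.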
--- a/arch/powerpc/platforms/pseries/pci.c
+++ b/arch/powerpc/platforms/pseries/pci.c
@@ -118,6 +118,10 @@ int pseries_root_bridge_prepare(struct p
 
 	bus = bridge->bus;
 
+	/* Rely on the pcibios_free_controller_deferred() callback. */
+	pci_set_host_bridge_release(bridge, pcibios_free_controller_deferred,
+					(void *) pci_bus_to_host(bus));
+
 	dn = pcibios_get_phb_of_node(bus);
 	if (!dn)
 		return 0;
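
Review bot: pseries_root_bridge_prepare() stores the result of pci_bus_to_host(bus) as release_data without checking it, and pcibios_free_controller_deferred() then dereferences that pointer unconditionally in its pr_debug() before freeing it. Either check for NULL before registering the callback or state in the comment why the controller pointer is always valid at this point. The "(void *)" cast on the argument can also go.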
--- a/arch/powerpc/platforms/pseries/pci_dlpar.c
+++ b/arch/powerpc/platforms/pseries/pci_dlpar.c
@@ -135,8 +135,11 @@ int remove_phb_dynamic(struct pci_contro
 		release_resource(res);
 	}
 
-	/* Free pci_controller data structure */
-	pcibios_free_controller(phb);
+	/*
+	 * The pci_controller data structure is freed by
+	 * the pcibios_free_controller_deferred() callback;
+	 * see pseries_root_bridge_prepare().
+	 */
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 222/346] batman-adv: Add missing refcnt for last_candidate
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 197/346] drm/radeon: fix radeon_move_blit on 32bit systems Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 108/346] pps: do not crash when failed to register Ben Hutchings
                   ` (159 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Simon Wunderlich, Marek Lindner, Sven Eckelmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 936523441bb64cdc9a5b263e8fd2782e70313a57 upstream.

batadv_find_router dereferences last_bonding_candidate from
orig_node without making sure that it has a valid reference. This reference
has to be retrieved by increasing the reference counter while holding
neigh_list_lock. The lock is required to avoid that
batadv_last_bonding_replace removes the current last_bonding_candidate,
reduces the reference counter and maybe destroys the object in this
process.

Fixes: f3b3d9018975 ("batman-adv: add bonding again")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - s/kref_get/atomic_inc/
 - s/_put/_free_ref/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/routing.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -425,6 +425,29 @@ static int batadv_check_unicast_packet(s
 }
 
 /**
+ * batadv_last_bonding_get - Get last_bonding_candidate of orig_node
+ * @orig_node: originator node whose last bonding candidate should be retrieved
+ *
+ * Return: last bonding candidate of router or NULL if not found
+ *
+ * The object is returned with refcounter increased by 1.
+ */
+static struct batadv_orig_ifinfo *
+batadv_last_bonding_get(struct batadv_orig_node *orig_node)
+{
+	struct batadv_orig_ifinfo *last_bonding_candidate;
+
+	spin_lock_bh(&orig_node->neigh_list_lock);
+	last_bonding_candidate = orig_node->last_bonding_candidate;
+
+	if (last_bonding_candidate)
+		atomic_inc(&last_bonding_candidate->refcount);
+	spin_unlock_bh(&orig_node->neigh_list_lock);
+
+	return last_bonding_candidate;
+}
+
+/**
  * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node
  * @orig_node: originator node whose bonding candidates should be replaced
  * @new_candidate: new bonding candidate or NULL
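
Review bot: batadv_last_bonding_get() takes the reference with a plain atomic_inc(), which is safe only if the refcount cannot already be zero when the pointer is read under neigh_list_lock. That holds as long as orig_node keeps its own reference for the stored pointer and batadv_last_bonding_replace() swaps it under the same lock, as the commit message says; a one-line comment stating that invariant above the atomic_inc() would stop a later change from quietly breaking it.
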
@@ -492,7 +515,7 @@ batadv_find_router(struct batadv_priv *b
 	 * router - obviously there are no other candidates.
 	 */
 	rcu_read_lock();
-	last_candidate = orig_node->last_bonding_candidate;
+	last_candidate = batadv_last_bonding_get(orig_node);
 	if (last_candidate)
 		last_cand_router = rcu_dereference(last_candidate->router);
 
@@ -584,6 +607,9 @@ next:
 		batadv_orig_ifinfo_free_ref(next_candidate);
 	}
 
+	if (last_candidate)
+		batadv_orig_ifinfo_free_ref(last_candidate);
+
 	return router;
 }
 
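
Review bot: the single batadv_orig_ifinfo_free_ref(last_candidate) before `return router;` balances the new get only if no path between the batadv_last_bonding_get() call and this point returns early. The hunks do not show the code in between, so please confirm that every exit goes through here.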

* [PATCH 3.16 220/346] qdisc: fix a module refcount leak in qdisc_create_dflt()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (322 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 266/346] USB: serial: simple: add support for another Infineon flashloader Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 148/346] block: fix bdi vs gendisk lifetime mismatch Ben Hutchings
                   ` (22 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, John Fastabend, Eric Dumazet, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 166ee5b87866de07a3e56c1b757f2b5cabba72a5 upstream.

Should qdisc_alloc() fail, we must release the module refcount
we got right before.

Fixes: 6da7c8fcbcbd ("qdisc: allow setting default queuing discipline")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_generic.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -590,18 +590,19 @@ struct Qdisc *qdisc_create_dflt(struct n
 	struct Qdisc *sch;
 
 	if (!try_module_get(ops->owner))
-		goto errout;
+		return NULL;
 
 	sch = qdisc_alloc(dev_queue, ops);
-	if (IS_ERR(sch))
-		goto errout;
+	if (IS_ERR(sch)) {
+		module_put(ops->owner);
+		return NULL;
+	}
 	sch->parent = parentid;
 
 	if (!ops->init || ops->init(sch, NULL) == 0)
 		return sch;
 
 	qdisc_destroy(sch);
-errout:
 	return NULL;
 }
 EXPORT_SYMBOL(qdisc_create_dflt);
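
Review bot: module_put(ops->owner) is added only on the qdisc_alloc() failure branch, while the ops->init() failure path still returns NULL after qdisc_destroy(sch) with no visible module_put(). If qdisc_destroy() is what drops the module reference there, a short comment saying so would make the pairing with try_module_get() checkable from this function alone.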

* [PATCH 3.16 130/346] drm/nouveau/fbcon: fix font width not divisible by 8
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 046/346] drm/radeon: add a delay after ATPX dGPU power off Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 282/346] openrisc: fix copy_from_user() Ben Hutchings
                   ` (344 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Skeggs, Mikulas Patocka

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 28668f43b8e421634e1623f72a879812288dd06b upstream.

The patch f045f459d925 ("drm/nouveau/fbcon: fix out-of-bounds memory accesses")
tries to fix some out of memory accesses. Unfortunately, the patch breaks the
display when using fonts with width that is not divisible by 8.

The monochrome bitmap for each character is stored in memory by lines from top
to bottom. Each line is padded to a full byte.

For example, for 22x11 font, each line is padded to 16 bits, so each
character is consuming 44 bytes total, that is 11 32-bit words. The patch
f045f459d925 changed the logic to "dsize = ALIGN(image->width *
image->height, 32) >> 5", that is just 8 words - this is incorrect and it
causes display corruption.

This patch adds the necessary padding of lines to 8 bytes.

This patch should be backported to stable kernels where f045f459d925 was
backported.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: f045f459d925 ("drm/nouveau/fbcon: fix out-of-bounds memory accesses")
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nv04_fbcon.c | 4 ++--
 drivers/gpu/drm/nouveau/nv50_fbcon.c | 2 +-
 drivers/gpu/drm/nouveau/nvc0_fbcon.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
@@ -109,11 +109,11 @@ nv04_fbcon_imageblit(struct fb_info *inf
 			 ((image->dx + image->width) & 0xffff));
 	OUT_RING(chan, bg);
 	OUT_RING(chan, fg);
-	OUT_RING(chan, (image->height << 16) | image->width);
+	OUT_RING(chan, (image->height << 16) | ALIGN(image->width, 8));
 	OUT_RING(chan, (image->height << 16) | image->width);
 	OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff));
 
-	dsize = ALIGN(image->width * image->height, 32) >> 5;
+	dsize = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
 	while (dsize) {
 		int iter_len = dsize > 128 ? 128 : dsize;
 
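
Review bot: after this change the two consecutive `OUT_RING(chan, (image->height << 16) | ...)` lines differ only in ALIGN(image->width, 8) versus image->width, with nothing saying which is the padded source width and which the drawn width. A comment on each would stop someone from "fixing" the apparent inconsistency. The nested `ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5` is also repeated in nv50_fbcon.c and nvc0_fbcon.c and could live in one shared helper.
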
--- a/drivers/gpu/drm/nouveau/nv50_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c
@@ -125,7 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *inf
 	OUT_RING(chan, 0);
 	OUT_RING(chan, image->dy);
 
-	dwords = ALIGN(image->width * image->height, 32) >> 5;
+	dwords = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
 	while (dwords) {
 		int push = dwords > 2047 ? 2047 : dwords;
 
--- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c
@@ -125,7 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf
 	OUT_RING  (chan, 0);
 	OUT_RING  (chan, image->dy);
 
-	dwords = ALIGN(image->width * image->height, 32) >> 5;
+	dwords = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
 	while (dwords) {
 		int push = dwords > 2047 ? 2047 : dwords;
 

* [PATCH 3.16 289/346] sh: fix copy_from_user()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 019/346] drm/radeon: Don't leak runtime pm ref on driver unload Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 026/346] usb: renesas_usbhs: fix the sequence in xfer_work() Ben Hutchings
                   ` (140 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sh/include/asm/uaccess.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __us
 	__kernel_size_t __copy_size = (__kernel_size_t) n;
 
 	if (__copy_size && __access_ok(__copy_from, __copy_size))
-		return __copy_user(to, from, __copy_size);
+		__copy_size = __copy_user(to, from, __copy_size);
+
+	if (unlikely(__copy_size))
+		memset(to + (n - __copy_size), 0, __copy_size);
 
 	return __copy_size;
 }
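
Review bot: the new memset() carries no comment and the commit message has no body, so the reason for zeroing from `to + (n - __copy_size)` is not recorded anywhere near the code. A one-line comment that the uncopied tail is cleared so callers that ignore the return value never read stale kernel memory would help; it could also note that a failed __access_ok() leaves __copy_size equal to n, so the whole buffer is zeroed. `to + ...` is arithmetic on a `void *`, which relies on the GNU C extension.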

* [PATCH 3.16 241/346] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (187 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 108/346] pps: do not crash when failed to register Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 200/346] parisc: Fix order of EREFUSED define in errno.h Ben Hutchings
                   ` (157 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Vegard Nossum

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 11749e086b2766cccf6217a527ef5c5604ba069c upstream.

I got this with syzkaller:

    ==================================================================
    BUG: KASAN: null-ptr-deref on address 0000000000000020
    Read of size 32 by task syz-executor/22519
    CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2
    014
     0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
     ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
     ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
    Call Trace:
     [<ffffffff81f9f141>] dump_stack+0x83/0xb2
     [<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
     [<ffffffff8161ff74>] kasan_report+0x34/0x40
     [<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
     [<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
     [<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
     [<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
     [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
     [<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
     [<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
     [<ffffffff8127c278>] ? do_group_exit+0x108/0x330
     [<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
     [<ffffffff81674dfe>] __vfs_read+0x10e/0x550
     [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
     [<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
     [<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
     [<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
     [<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
     [<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
     [<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
     [<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
     [<ffffffff81675355>] vfs_read+0x115/0x330
     [<ffffffff81676371>] SyS_read+0xd1/0x1a0
     [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
     [<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
     [<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
     [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
     [<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
     [<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
    ==================================================================

There are a couple of problems that I can see:

 - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
   tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
   would get a NULL pointer dereference like the above splat

 - the same ioctl() can free tu->queue/tu->tqueue which means read()
   could potentially see (and dereference) the freed pointer

We can fix both by taking the ioctl_lock mutex when dereferencing
->queue/->tqueue, since that's always held over all the ioctl() code.

Just looking at the code I find it likely that there are more problems
here such as tu->qhead pointing outside the buffer if the size is
changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1985,6 +1985,7 @@ static ssize_t snd_timer_user_read(struc
 		tu->qused--;
 		spin_unlock_irq(&tu->qlock);
 
+		mutex_lock(&tu->ioctl_lock);
 		if (tu->tread) {
 			if (copy_to_user(buffer, &tu->tqueue[qhead],
 					 sizeof(struct snd_timer_tread)))
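
Review bot: qhead is taken and tu->qused decremented under qlock, but ioctl_lock is acquired only after spin_unlock_irq(), so an ioctl that reallocates or frees the queue in that window leaves `&tu->tqueue[qhead]` indexing a buffer the index was not computed for. The lock also adds no NULL check, so if the ioctl can leave tu->tqueue or tu->queue NULL after a failed allocation, as the commit message describes, the dereference is still reachable once the mutex is held. Re-validating the pointer and the index after mutex_lock() would close both.
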
@@ -1994,6 +1995,7 @@ static ssize_t snd_timer_user_read(struc
 					 sizeof(struct snd_timer_read)))
 				err = -EFAULT;
 		}
+		mutex_unlock(&tu->ioctl_lock);
 
 		spin_lock_irq(&tu->qlock);
 		if (err < 0)

* [PATCH 3.16 223/346] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 147/346] block: fix use-after-free in seq file Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 194/346] tcp: fix use after free in tcp_xmit_retransmit_queue() Ben Hutchings
                   ` (193 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chen-Yu Tsai, Maxime Ripard, Daniel Lezcano

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e upstream.

The bootloader (U-boot) sometimes uses this timer for various delays.
It uses it as an ongoing counter, and does comparisons on the current
counter value. The timer counter is never stopped.

In some cases when the user interacts with the bootloader, or lets
it idle for some time before loading Linux, the timer may expire,
and an interrupt will be pending. This results in an unexpected
interrupt when the timer interrupt is enabled by the kernel, at
which point the event_handler isn't set yet. This results in a NULL
pointer dereference exception, panic, and no way to reboot.

Clear any pending interrupts after we stop the timer in the probe
function to avoid this.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clocksource/sun4i_timer.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/clocksource/sun4i_timer.c
+++ b/drivers/clocksource/sun4i_timer.c
@@ -120,12 +120,16 @@ static struct clock_event_device sun4i_c
 	.set_next_event = sun4i_clkevt_next_event,
 };
 
+static void sun4i_timer_clear_interrupt(void)
+{
+	writel(TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_ST_REG);
+}
 
 static irqreturn_t sun4i_timer_interrupt(int irq, void *dev_id)
 {
 	struct clock_event_device *evt = (struct clock_event_device *)dev_id;
 
-	writel(0x1, timer_base + TIMER_IRQ_ST_REG);
+	sun4i_timer_clear_interrupt();
 	evt->event_handler(evt);
 
 	return IRQ_HANDLED;
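
Review bot: sun4i_timer_clear_interrupt() writes TIMER_IRQ_EN(0), an enable-bit macro, to the status register TIMER_IRQ_ST_REG; it replaces the old literal 0x1 correctly only because bit 0 stands for timer 0 in both registers. A dedicated status-bit macro, or a comment noting the shared bit layout, would make that intent explicit.
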
@@ -182,6 +186,9 @@ static void __init sun4i_timer_init(stru
 	/* Make sure timer is stopped before playing with interrupts */
 	sun4i_clkevt_time_stop(0);
 
+	/* clear timer0 interrupt */
+	sun4i_timer_clear_interrupt();
+
 	sun4i_clockevent.cpumask = cpu_possible_mask;
 	sun4i_clockevent.irq = irq;
 
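
Review bot: the comment `/* clear timer0 interrupt */` restates the call and omits the reason. It should say that an interrupt may already be pending from the bootloader's use of the timer and has to be cleared before the timer interrupt is enabled, because event_handler is not set at that point.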

* [PATCH 3.16 326/346] MIPS: Malta: Fix IOCU disable switch read for MIPS64
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 216/346] timekeeping: Cap array access in timekeeping_debug Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 084/346] netfilter: x_tables: speed up jump target validation Ben Hutchings
                   ` (332 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Masahiro Yamada, Matt Redfearn, Ralf Baechle,
	Kees Cook, linux-mips

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 305723ab439e14debc1d339aa04e835d488b8253 upstream.

Malta boards used with CPU emulators feature a switch to disable use of
an IOCU. Software has to check this switch & ignore any present IOCU if
the switch is closed. The read used to do this was unsafe for 64 bit
kernels, as it simply cast the address 0xbf403000 to a pointer &
dereferenced it. Whilst in a 32 bit kernel this would access kseg1, in a
64 bit kernel this attempts to access xuseg & results in an address
error exception.

Fix by accessing a correctly formed ckseg1 address generated using the
CKSEG1ADDR macro.

Whilst modifying this code, define the name of the register and the bit
we care about within it, which indicates whether PCI DMA is routed to
the IOCU or straight to DRAM. The code previously checked that bit 0 was
also set, but the least significant 7 bits of the CONFIG_GEN0 register
contain the value of the MReqInfo signal provided to the IOCU OCP bus,
so singling out bit 0 makes little sense & that part of the check is
dropped.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Fixes: b6d92b4a6bdb ("MIPS: Add option to disable software I/O coherency.")
Cc: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14187/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/mti-malta/malta-setup.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/mips/mti-malta/malta-setup.c
+++ b/arch/mips/mti-malta/malta-setup.c
@@ -36,6 +36,9 @@
 #include <linux/console.h>
 #endif
 
+#define ROCIT_CONFIG_GEN0		0x1f403000
+#define  ROCIT_CONFIG_GEN0_PCI_IOCU	BIT(7)
+
 extern void malta_be_init(void);
 extern int malta_be_handler(struct pt_regs *regs, int is_fixup);
 
@@ -104,6 +107,8 @@ static void __init fd_activate(void)
 static int __init plat_enable_iocoherency(void)
 {
 	int supported = 0;
+	u32 cfg;
+
 	if (mips_revision_sconid == MIPS_REVISION_SCON_BONITO) {
 		if (BONITO_PCICACHECTRL & BONITO_PCICACHECTRL_CPUCOH_PRES) {
 			BONITO_PCICACHECTRL |= BONITO_PCICACHECTRL_CPUCOH_EN;
@@ -126,7 +131,8 @@ static int __init plat_enable_iocoherenc
 	} else if (mips_cm_numiocu() != 0) {
 		/* Nothing special needs to be done to enable coherency */
 		pr_info("CMP IOCU detected\n");
-		if ((*(unsigned int *)0xbf403000 & 0x81) != 0x81) {
+		cfg = __raw_readl((u32 *)CKSEG1ADDR(ROCIT_CONFIG_GEN0));
+		if (!(cfg & ROCIT_CONFIG_GEN0_PCI_IOCU)) {
 			pr_crit("IOCU OPERATION DISABLED BY SWITCH - DEFAULTING TO SW IO COHERENCY\n");
 			return 0;
 		}
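
Review bot: `(u32 *)CKSEG1ADDR(ROCIT_CONFIG_GEN0)` hands a plain pointer to __raw_readl(), which takes a `void __iomem *`, so sparse will flag the address space; cast to `(void __iomem *)` instead. The "DISABLED BY SWITCH" decision now rests on bit 7 alone, which the commit message justifies, so a short comment beside ROCIT_CONFIG_GEN0_PCI_IOCU on what the bit means would keep that reasoning with the code.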

* [PATCH 3.16 116/346] ceph: Correctly return NXIO errors from ceph_llseek
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (287 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 042/346] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 317/346] i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended Ben Hutchings
                   ` (57 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yan, Zheng, Phil Turnbull

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Phil Turnbull <phil.turnbull@oracle.com>

commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.

ceph_llseek does not correctly return NXIO errors because the 'out' path
always returns 'offset'.

Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Yan, Zheng <zyan@redhat.com>
[bwh: Backported to 3.16; adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/file.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -985,16 +985,14 @@ out_unlocked:
 static loff_t ceph_llseek(struct file *file, loff_t offset, int whence)
 {
 	struct inode *inode = file->f_mapping->host;
-	int ret;
+	loff_t ret;
 
 	mutex_lock(&inode->i_mutex);
 
 	if (whence == SEEK_END || whence == SEEK_DATA || whence == SEEK_HOLE) {
 		ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE);
-		if (ret < 0) {
-			offset = ret;
+		if (ret < 0)
 			goto out;
-		}
 	}
 
 	switch (whence) {
@@ -1009,7 +1007,7 @@ static loff_t ceph_llseek(struct file *f
 		 * write() or lseek() might have altered it
 		 */
 		if (offset == 0) {
-			offset = file->f_pos;
+			ret = file->f_pos;
 			goto out;
 		}
 		offset += file->f_pos;
@@ -1029,11 +1027,11 @@ static loff_t ceph_llseek(struct file *f
 		break;
 	}
 
-	offset = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
+	ret = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
 
 out:
 	mutex_unlock(&inode->i_mutex);
-	return offset;
+	return ret;
 }
 
 static inline void ceph_zero_partial_page(
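
Review bot: with `return ret;` at `out:`, every `goto out` inside the switch must have stored its result or error in ret rather than offset. The hunks show that conversion for the `offset == 0` shortcut only; please confirm that the SEEK_DATA and SEEK_HOLE branches, which are outside the visible context, assign ret before jumping.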

* [PATCH 3.16 117/346] CIFS: Fix a possible invalid memory access in smb2_query_symlink()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 125/346] fuse: fuse_flush must check mapping->flags for errors Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 049/346] ALSA: pcm: Free chmap at PCM free callback, too Ben Hutchings
                   ` (243 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Dan Carpenter, Pavel Shilovsky

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilovsky@samba.org>

commit 7893242e2465aea6f2cbc2639da8fa5ce96e8cc2 upstream.

During following a symbolic link we received err_buf from SMB2_open().
While the validity of SMB2 error response is checked previously
in smb2_check_message() a symbolic link payload is not checked at all.
Fix it by adding such checks.

Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2ops.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -858,6 +858,9 @@ smb2_new_lease_key(struct cifs_fid *fid)
 	get_random_bytes(fid->lease_key, SMB2_LEASE_KEY_SIZE);
 }
 
+#define SMB2_SYMLINK_STRUCT_SIZE \
+	(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
+
 static int
 smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
 		   const char *full_path, char **target_path,
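
Review bot: the `- 1` in SMB2_SYMLINK_STRUCT_SIZE is unexplained. If it compensates for a one-byte ErrorData placeholder at the end of struct smb2_err_rsp, say so in a comment above the macro, because the length checks that use it are only correct while that assumption holds.
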
@@ -870,7 +873,10 @@ smb2_query_symlink(const unsigned int xi
 	struct cifs_fid fid;
 	struct smb2_err_rsp *err_buf = NULL;
 	struct smb2_symlink_err_rsp *symlink;
-	unsigned int sub_len, sub_offset;
+	unsigned int sub_len;
+	unsigned int sub_offset;
+	unsigned int print_len;
+	unsigned int print_offset;
 
 	cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
 
@@ -891,11 +897,33 @@ smb2_query_symlink(const unsigned int xi
 		kfree(utf16_path);
 		return -ENOENT;
 	}
+
+	if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct smb2_symlink_err_rsp) ||
+	    get_rfc1002_length(err_buf) + 4 < SMB2_SYMLINK_STRUCT_SIZE) {
+		kfree(utf16_path);
+		return -ENOENT;
+	}
+
 	/* open must fail on symlink - reset rc */
 	rc = 0;
 	symlink = (struct smb2_symlink_err_rsp *)err_buf->ErrorData;
 	sub_len = le16_to_cpu(symlink->SubstituteNameLength);
 	sub_offset = le16_to_cpu(symlink->SubstituteNameOffset);
+	print_len = le16_to_cpu(symlink->PrintNameLength);
+	print_offset = le16_to_cpu(symlink->PrintNameOffset);
+
+	if (get_rfc1002_length(err_buf) + 4 <
+			SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) {
+		kfree(utf16_path);
+		return -ENOENT;
+	}
+
+	if (get_rfc1002_length(err_buf) + 4 <
+			SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) {
+		kfree(utf16_path);
+		return -ENOENT;
+	}
+
 	*target_path = cifs_strndup_from_utf16(
 				(char *)symlink->PathBuffer + sub_offset,
 				sub_len, true, cifs_sb->local_nls);
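
Review bot: each of the three new rejection paths frees utf16_path but not err_buf, which the checks themselves dereference; if this function owns the buffer returned by SMB2_open(), these exits leak it. The three identical `kfree(utf16_path); return -ENOENT;` blocks would also read better as a single `goto` label. The bounds checks add sub_offset and print_offset to SMB2_SYMLINK_STRUCT_SIZE, so a comment stating that both offsets are relative to PathBuffer would make the arithmetic reviewable.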

* [PATCH 3.16 118/346] sparc: serial: sunhv: fix a double lock bug
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (314 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 127/346] ubi: Fix race condition between ubi device creation and udev Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 040/346] batman-adv: Fix reference leak in batadv_find_router Ben Hutchings
                   ` (30 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 344e3c7734d5090b148c19ac6539b8947fed6767 upstream.

We accidentally take the "port->lock" twice in a row.  This old code
was supposed to be deleted.

Fixes: e58e241c1788 ('sparc: serial: Clean up the locking for -rt')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/sunhv.c | 6 ------
 1 file changed, 6 deletions(-)

--- a/drivers/tty/serial/sunhv.c
+++ b/drivers/tty/serial/sunhv.c
@@ -492,12 +492,6 @@ static void sunhv_console_write_bychar(s
 		locked = spin_trylock_irqsave(&port->lock, flags);
 	else
 		spin_lock_irqsave(&port->lock, flags);
-	if (port->sysrq) {
-		locked = 0;
-	} else if (oops_in_progress) {
-		locked = spin_trylock(&port->lock);
-	} else
-		spin_lock(&port->lock);
 
 	for (i = 0; i < n; i++) {
 		if (*s == '\n')

* [PATCH 3.16 034/346] batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (270 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 114/346] Documentation/module-signing.txt: Note need for version info if reusing a key Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 155/346] USB: serial: fix memleak in driver-registration error path Ben Hutchings
                   ` (74 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Simon Wunderlich, Marek Lindner, Sven Eckelmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 10c78f5854d361ded4736c1831948e0a5f67b932 upstream.

vlan_insert_tag can return NULL on errors. The bridge loop avoidance code
therefore has to check the return value of vlan_insert_tag for NULL before
it can safely operate on this pointer.

Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/bridge_loop_avoidance.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -338,9 +338,12 @@ static void batadv_bla_send_claim(struct
 		break;
 	}
 
-	if (vid & BATADV_VLAN_HAS_TAG)
+	if (vid & BATADV_VLAN_HAS_TAG) {
 		skb = vlan_insert_tag(skb, htons(ETH_P_8021Q),
 				      vid & VLAN_VID_MASK);
+		if (!skb)
+			goto out;
+	}
 
 	skb_reset_mac_header(skb);
 	skb->protocol = eth_type_trans(skb, soft_iface);
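
Review bot: `goto out` is taken with skb set to NULL, so the new branch is correct only if the `out:` path never touches skb and vlan_insert_tag() has already released the original buffer on failure. The label is outside the visible context; please confirm both, and consider a comment on the branch saying the skb is gone at that point.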

* [PATCH 3.16 020/346] drm/radeon: Don't leak runtime pm ref on driver load
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (295 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 082/346] mmc: block: fix packed command header endianness Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 056/346] x86/quirks: Reintroduce scanning of secondary buses Ben Hutchings
                   ` (49 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Vetter, Lukas Wunner, Dave Airlie, Alex Deucher

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit b875194679b0f88ffdb2e2d68435572296628551 upstream.

radeon_device_init() returns an error if either of the two calls to
radeon_init() fails. One level up in the call stack,
radeon_driver_load_kms() will then skip runtime pm initialization and
call radeon_driver_unload_kms(), which acquires a runtime pm ref that
is leaked.

Balance by releasing a runtime pm ref in the error path of
radeon_device_init().

Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)")
Cc: Dave Airlie <airlied@redhat.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/fa5bb977c1fe00474acedae5b03232dbf0b49410.1465392124.git.lukas@wunner.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_device.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -30,6 +30,7 @@
 #include <drm/drmP.h>
 #include <drm/drm_crtc_helper.h>
 #include <drm/radeon_drm.h>
+#include <linux/pm_runtime.h>
 #include <linux/vgaarb.h>
 #include <linux/vga_switcheroo.h>
 #include <linux/efi.h>
@@ -1465,6 +1466,9 @@ int radeon_device_init(struct radeon_dev
 	return 0;
 
 failed:
+	/* balance pm_runtime_get_sync() in radeon_driver_unload_kms() */
+	if (radeon_is_px(ddev))
+		pm_runtime_put_noidle(ddev->dev);
 	if (runtime)
 		vga_switcheroo_fini_domain_pm_ops(rdev->dev);
 	return r;
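
Review bot: The put added under `failed:` is guarded by radeon_is_px(ddev), so it balances the pm_runtime_get_sync() in radeon_driver_unload_kms() only if that get is taken under the same condition. That is what 019/346 ("drm/radeon: Don't leak runtime pm ref on driver unload") changes in this series; without it the get is unconditional and a failed load on a non-PX machine is still unbalanced. The dependency is worth recording so the two patches are never picked separately.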

* [PATCH 3.16 035/346] batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marek Lindner, Simon Wunderlich, Sven Eckelmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 60154a1e0495ffb8343a95cefe1e874634572fa8 upstream.

vlan_insert_tag can return NULL on errors. The distributed arp table code
therefore has to check the return value of vlan_insert_tag for NULL before
it can safely operate on this pointer.

Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/distributed-arp-table.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -959,9 +959,12 @@ bool batadv_dat_snoop_outgoing_arp_reque
 		if (!skb_new)
 			goto out;
 
-		if (vid & BATADV_VLAN_HAS_TAG)
+		if (vid & BATADV_VLAN_HAS_TAG) {
 			skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
 						  vid & VLAN_VID_MASK);
+			if (!skb_new)
+				goto out;
+		}
 
 		skb_reset_mac_header(skb_new);
 		skb_new->protocol = eth_type_trans(skb_new,
@@ -1039,9 +1042,12 @@ bool batadv_dat_snoop_incoming_arp_reque
 	 */
 	skb_reset_mac_header(skb_new);
 
-	if (vid & BATADV_VLAN_HAS_TAG)
+	if (vid & BATADV_VLAN_HAS_TAG) {
 		skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
 					  vid & VLAN_VID_MASK);
+		if (!skb_new)
+			goto out;
+	}
 
 	/* To preserve backwards compatibility, the node has choose the outgoing
 	 * format based on the incoming request packet type. The assumption is
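
Review bot: In the second hunk the added `goto out` leaves this bool function with whatever its result variable held before the tag insertion, and neither that value nor the `out` label is visible here. Please confirm that the caller does not go on to treat the ARP request as handled when skb_new could not be tagged, and that `out` does not touch skb_new.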

* [PATCH 3.16 046/346] drm/radeon: add a delay after ATPX dGPU power off
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hawking Zhang, Alex Deucher, Christian König

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit d814b24fb74cb9797d70cb8053961447c5879a5c upstream.

ATPX dGPU power control requires a 200ms delay between
power off and on.  This should fix dGPU failures on
resume from power off.

Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_atpx_handler.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
+++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
@@ -10,6 +10,7 @@
 #include <linux/slab.h>
 #include <linux/acpi.h>
 #include <linux/pci.h>
+#include <linux/delay.h>
 
 #include "radeon_acpi.h"
 
@@ -256,6 +257,10 @@ static int radeon_atpx_set_discrete_stat
 		if (!info)
 			return -EIO;
 		kfree(info);
+
+		/* 200ms delay is required after off */
+		if (state == 0)
+			msleep(200);
 	}
 	return 0;
 }
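
Review bot: `msleep(200)` under `state == 0` hard-codes both the delay and the meaning of state; a named constant for the 200 ms ATPX requirement would read better than the bare number plus comment. The sleep is also paid on every successful power off, whether or not a power on follows shortly. The changelog only requires a gap between off and on, so recording the power-off time and waiting out the remainder at power on would avoid the fixed cost.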

* [PATCH 3.16 003/346] macvlan: Fix potential use-after free for broadcasts
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Herbert Xu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 260916dfb48c374f7840f3b86e69afd3afdb6e96 upstream.

When we postpone a broadcast packet we save the source port in
the skb if it is local.  However, the source port can disappear
before we get a chance to process the packet.

This patch fixes this by holding a ref count on the netdev.

It also delays the skb->cb modification until after we allocate
the new skb as you should not modify shared skbs.

Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/macvlan.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -234,11 +234,14 @@ static void macvlan_process_broadcast(st
 
 		rcu_read_unlock();
 
+		if (src)
+			dev_put(src->dev);
 		kfree_skb(skb);
 	}
 }
 
 static void macvlan_broadcast_enqueue(struct macvlan_port *port,
+				      const struct macvlan_dev *src,
 				      struct sk_buff *skb)
 {
 	struct sk_buff *nskb;
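
Review bot: The dev_put() added in macvlan_process_broadcast() is the only place in this diff that drops the reference taken at enqueue time. Any other path that empties port->bc_queue (for example a purge when the port is torn down) would free queued skbs without the matching dev_put(src->dev). None is touched here, so please check whether such a path exists.
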
@@ -248,8 +251,12 @@ static void macvlan_broadcast_enqueue(st
 	if (!nskb)
 		goto err;
 
+	MACVLAN_SKB_CB(nskb)->src = src;
+
 	spin_lock(&port->bc_queue.lock);
 	if (skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN) {
+		if (src)
+			dev_hold(src->dev);
 		__skb_queue_tail(&port->bc_queue, nskb);
 		err = 0;
 	}
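
Review bot: MACVLAN_SKB_CB(nskb)->src is set before the queue-length check, but dev_hold(src->dev) is taken only inside the `skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN` branch. That is correct only as long as the drop path frees nskb without looking at its cb. A short comment next to the dev_hold() saying the reference belongs to the queued skb would make the pairing explicit.
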
@@ -296,8 +303,7 @@ static rx_handler_result_t macvlan_handl
 			goto out;
 		}
 
-		MACVLAN_SKB_CB(skb)->src = src;
-		macvlan_broadcast_enqueue(port, skb);
+		macvlan_broadcast_enqueue(port, src, skb);
 
 		return RX_HANDLER_PASS;
 	}

* [PATCH 3.16 048/346] ALSA: ctl: Stop notification after disconnection
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit f388cdcdd160687c6650833f286b9c89c50960ff upstream.

snd_ctl_remove() has a notification for the removal event.  It's
superfluous when done during the device got disconnected.  Although
the notification itself is mostly harmless, it may potentially be
harmful, and should be suppressed.  Actually some components PCM may
free ctl elements during the disconnect or free callbacks, thus it's
no theoretical issue.

This patch adds the check of card->shutdown flag for avoiding
unnecessary notifications after (or during) the disconnect.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/control.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *car
 	
 	if (snd_BUG_ON(!card || !id))
 		return;
+	if (card->shutdown)
+		return;
 	read_lock(&card->ctl_files_rwlock);
 #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
 	card->mixer_oss_change_count++;
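
Review bot: `if (card->shutdown) return;` is tested before read_lock(&card->ctl_files_rwlock), so a disconnect that sets the flag right after the test still lets one notification through. The changelog calls the notification mostly harmless, so a best-effort check may be all that is intended; if so, a one-line comment saying the check is deliberately unlocked would stop someone from "fixing" it later.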

* [PATCH 3.16 018/346] drm/nouveau: Don't leak runtime pm ref on driver unload
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Karol Herbst, Dave Airlie, Lukas Wunner, Daniel Vetter,
	Ben Skeggs, Peter Wu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit c1b16b45607976c76a3c41b8a319172b8b83f996 upstream.

nouveau_drm_load() calls pm_runtime_put() if nouveau_runtime_pm != 0,
but nouveau_drm_unload() calls pm_runtime_get_sync() unconditionally.
We therefore leak a runtime pm ref whenever nouveau is loaded with
runpm=0 and then unloaded. The GPU will subsequently never runtime
suspend even if nouveau is loaded again with runpm=1.

Fix by taking the runtime pm ref under the same condition that it was
released on driver load.

Fixes: 5addcf0a5f0f ("nouveau: add runtime PM support (v0.9)")
Cc: Dave Airlie <airlied@redhat.com>
Cc: Ben Skeggs <bskeggs@redhat.com>
Reported-by: Karol Herbst <karolherbst@gmail.com>
Tested-by: Karol Herbst <karolherbst@gmail.com>
Tested-by: Peter Wu <peter@lekensteyn.nl>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1544b82007037601fbc510b1a50edc56c529e75f.1465392124.git.lukas@wunner.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_drm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -472,7 +472,10 @@ nouveau_drm_unload(struct drm_device *de
 {
 	struct nouveau_drm *drm = nouveau_drm(dev);
 
-	pm_runtime_get_sync(dev->dev);
+	if (nouveau_runtime_pm != 0) {
+		pm_runtime_get_sync(dev->dev);
+	}
+
 	nouveau_fbcon_fini(dev);
 	nouveau_accel_fini(drm);
 	nouveau_hwmon_fini(dev);
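
Review bot: The braces around the single pm_runtime_get_sync() call are not kernel style; `if (nouveau_runtime_pm != 0)` followed by the bare statement is enough. The get also now relies on nouveau_runtime_pm having the same value at unload as it had when nouveau_drm_load() did the put, and a comment naming that pairing would help.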

* [PATCH 3.16 019/346] drm/radeon: Don't leak runtime pm ref on driver unload
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alex Deucher, Dave Airlie, Lukas Wunner, Daniel Vetter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 19de659cb7216eb1c04889bd1a248593f296e19f upstream.

radeon_driver_load_kms() calls pm_runtime_put_autosuspend() if
radeon_is_px(dev), but radeon_driver_unload_kms() calls
pm_runtime_get_sync() unconditionally. We therefore leak a runtime pm
ref whenever radeon is unloaded on a non-PX machine or if runpm=0. The
GPU will subsequently never runtime suspend after loading radeon again.

Fix by taking the runtime pm ref under the same condition that it was
released on driver load.

Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)")
Cc: Dave Airlie <airlied@redhat.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/aaf71106c042126817aeca8b8e54ed468ab61ef7.1465392124.git.lukas@wunner.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_kms.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -61,7 +61,9 @@ int radeon_driver_unload_kms(struct drm_
 	if (rdev->rmmio == NULL)
 		goto done_free;
 
-	pm_runtime_get_sync(dev->dev);
+	if (radeon_is_px(dev)) {
+		pm_runtime_get_sync(dev->dev);
+	}
 
 	radeon_acpi_fini(rdev);
 	
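
Review bot: Nothing at the new `if (radeon_is_px(dev))` says which put it pairs with. 020/346 adds `/* balance pm_runtime_get_sync() in radeon_driver_unload_kms() */` on the other side; a matching comment here pointing at the pm_runtime_put_autosuspend() in radeon_driver_load_kms() would keep the two conditions from drifting apart. The braces around the single statement can also go.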

* [PATCH 3.16 036/346] batman-adv: Fix orig_node_vlan leak on orig_node_release
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Simon Wunderlich, Marek Lindner

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 33fbb1f3db87ce53da925b3e034b4dd446d483f8 upstream.

batadv_orig_node_new uses batadv_orig_node_vlan_new to allocate a new
batadv_orig_node_vlan and add it to batadv_orig_node::vlan_list. References
to this list have also to be cleaned when the batadv_orig_node is removed.

Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - vlan_list is a list not an hlist
 - s/_put/_free_ref/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/originator.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -529,6 +529,7 @@ static void batadv_orig_node_release(str
 	struct hlist_node *node_tmp;
 	struct batadv_neigh_node *neigh_node;
 	struct batadv_orig_ifinfo *orig_ifinfo;
+	struct batadv_orig_node_vlan *vlan, *vlan_tmp;
 
 	spin_lock_bh(&orig_node->neigh_list_lock);
 
@@ -546,6 +547,13 @@ static void batadv_orig_node_release(str
 	}
 	spin_unlock_bh(&orig_node->neigh_list_lock);
 
+	spin_lock_bh(&orig_node->vlan_list_lock);
+	list_for_each_entry_safe(vlan, vlan_tmp, &orig_node->vlan_list, list) {
+		list_del_rcu(&vlan->list);
+		batadv_orig_node_vlan_free_ref(vlan);
+	}
+	spin_unlock_bh(&orig_node->vlan_list_lock);
+
 	/* Free nc_nodes */
 	batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL);
 
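
Review bot: Entries are unlinked with list_del_rcu() and then passed straight to batadv_orig_node_vlan_free_ref(). If that drops the last reference, the free has to be deferred past an RCU grace period, since a reader may still be walking orig_node->vlan_list. The free_ref implementation is not in this diff, so please confirm it does that in 3.16.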

* [PATCH 3.16 042/346] ext4: validate s_reserved_gdt_blocks on mount
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Vegard Nossum

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 5b9554dc5bf008ae7f68a52e3d7e76c0920938a2 upstream.

If s_reserved_gdt_blocks is extremely large, it's possible for
ext4_init_block_bitmap(), which is called when ext4 sets up an
uninitialized block bitmap, to corrupt random kernel memory.  Add the
same checks which e2fsck has --- it must never be larger than
blocksize / sizeof(__u32) --- and then add a backup check in
ext4_init_block_bitmap() in case the superblock gets modified after
the file system is mounted.

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16:
 - Use EIO instead of EFSCORRUPTED
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/balloc.c | 3 +++
 fs/ext4/super.c  | 7 +++++++
 2 files changed, 10 insertions(+)

--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -209,6 +209,9 @@ static int ext4_init_block_bitmap(struct
 	memset(bh->b_data, 0, sb->s_blocksize);
 
 	bit_max = ext4_num_base_meta_clusters(sb, block_group);
+	if ((bit_max >> 3) >= bh->b_size)
+		return -EIO;
+
 	for (bit = 0; bit < bit_max; bit++)
 		ext4_set_bit(bit, bh->b_data);
 
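
Review bot: The new `return -EIO` in ext4_init_block_bitmap() fails silently. `(bit_max >> 3) >= bh->b_size` should only be true on a corrupted or modified superblock, so an error message naming block_group would tell the admin why the bitmap could not be initialised. The check also sits after the memset() of bh->b_data, which is harmless but means the buffer is zeroed even on the error return.
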
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3644,6 +3644,13 @@ static int ext4_fill_super(struct super_
 		goto failed_mount;
 	}
 
+	if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
+		ext4_msg(sb, KERN_ERR,
+			 "Number of reserved GDT blocks insanely large: %d",
+			 le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks));
+		goto failed_mount;
+	}
+
 	if (sb->s_blocksize != blocksize) {
 		/* Validate the filesystem blocksize */
 		if (!sb_set_blocksize(sb, blocksize)) {
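
Review bot: The limit is written as `blocksize / 4` while the changelog states it as blocksize / sizeof(__u32). Using sizeof(__u32) in the code would show where the 4 comes from. The field is also converted with le16_to_cpu() twice; a local variable would tidy both the test and the message.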

* [PATCH 3.16 027/346] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 4fdef698383db07d829da567e0e405fc41ff3a89 upstream.

This patch fixes an issue that the xfer_work() is possible to cause
NULL pointer dereference if the usb cable is disconnected while data
transfer is running.

In such case, a gadget driver may call usb_ep_disable() before
xfer_work() is actually called. In this case, the usbhs_pkt_pop()
will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
in xfer_work() will return NULL.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/fifo.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -780,27 +780,34 @@ static void xfer_work(struct work_struct
 {
 	struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
 	struct usbhs_pipe *pipe = pkt->pipe;
-	struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
+	struct usbhs_fifo *fifo;
 	struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
 	struct dma_async_tx_descriptor *desc;
-	struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
+	struct dma_chan *chan;
 	struct device *dev = usbhs_priv_to_dev(priv);
 	enum dma_transfer_direction dir;
+	unsigned long flags;
 
+	usbhs_lock(priv, flags);
+	fifo = usbhs_pipe_to_fifo(pipe);
+	if (!fifo)
+		goto xfer_work_end;
+
+	chan = usbhsf_dma_chan_get(fifo, pkt);
 	dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
 
 	desc = dmaengine_prep_slave_single(chan, pkt->dma + pkt->actual,
 					pkt->trans, dir,
 					DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
 	if (!desc)
-		return;
+		goto xfer_work_end;
 
 	desc->callback		= usbhsf_dma_complete;
 	desc->callback_param	= pipe;
 
 	if (dmaengine_submit(desc) < 0) {
 		dev_err(dev, "Failed to submit dma descriptor\n");
-		return;
+		goto xfer_work_end;
 	}
 
 	dev_dbg(dev, "  %s %d (%d/ %d)\n",
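
Review bot: usbhs_lock() is now held from the usbhs_pipe_to_fifo() lookup through dmaengine_prep_slave_single(), dmaengine_submit() and the dev_err(). Please confirm that none of these can sleep with the lock held, and that usbhsf_dma_complete() cannot be invoked synchronously and try to take the same lock. The NULL check also covers fifo only; chan from usbhsf_dma_chan_get() is passed to dmaengine_prep_slave_single() unchecked.
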
@@ -810,6 +817,9 @@ static void xfer_work(struct work_struct
 	usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
 	dma_async_issue_pending(chan);
 	usbhs_pipe_enable(pipe);
+
+xfer_work_end:
+	usbhs_unlock(priv, flags);
 }
 
 /*

* [PATCH 3.16 028/346] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 upstream.

This patch fixes an issue that the CFIFOSEL register value is possible
to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer
using CFIFO may not work correctly.

For example:
 # modprobe g_multi file=usb-storage.bin
 # ifconfig usb0 192.168.1.1 up
 (During the USB host is sending file to the mass storage)
 # ifconfig usb0 down

In this case, since the u_ether.c may call usb_ep_enable() in
eth_stop(), if the renesas_usbhs driver is also using CFIFO for
mass storage, the mass storage may not work correctly.

So, this patch adds usbhs_lock() and usbhs_unlock() calling in
usbhsg_ep_enable() to protect CFIFOSEL register. This is because:
 - CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
 - The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()

Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/mod_gadget.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -558,6 +558,9 @@ static int usbhsg_ep_enable(struct usb_e
 	struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
 	struct usbhs_pipe *pipe;
 	int ret = -EIO;
+	unsigned long flags;
+
+	usbhs_lock(priv, flags);
 
 	/*
 	 * if it already have pipe,
@@ -566,7 +569,8 @@ static int usbhsg_ep_enable(struct usb_e
 	if (uep->pipe) {
 		usbhs_pipe_clear(uep->pipe);
 		usbhs_pipe_sequence_data0(uep->pipe);
-		return 0;
+		ret = 0;
+		goto usbhsg_ep_enable_end;
 	}
 
 	pipe = usbhs_pipe_malloc(priv,
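
Review bot: With usbhs_lock() taken at the top of usbhsg_ep_enable(), usbhs_pipe_malloc() now runs under the lock. The flags argument suggests an IRQ-saving spinlock, so please confirm that nothing in the pipe allocation path sleeps.
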
@@ -594,6 +598,9 @@ static int usbhsg_ep_enable(struct usb_e
 		ret = 0;
 	}
 
+usbhsg_ep_enable_end:
+	usbhs_unlock(priv, flags);
+
 	return ret;
 }
 

* [PATCH 3.16 025/346] hp-wmi: Fix wifi cannot be hard-unblocked
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Hung, Darren Hart, Evgenii Shatokhin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Hung <alex.hung@canonical.com>

commit fc8a601e1175ae351f662506030f9939cb7fdbfe upstream.

Several users reported wifi cannot be unblocked as discussed in [1].
This patch removes the use of the 2009 flag by BIOS but uses the actual
WMI function calls - it will be skipped if WMI reports unsupported.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131

Signed-off-by: Alex Hung <alex.hung@canonical.com>
Tested-by: Evgenii Shatokhin <eugene.shatokhin@yandex.ru>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/platform/x86/hp-wmi.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/platform/x86/hp-wmi.c
+++ b/drivers/platform/x86/hp-wmi.c
@@ -723,6 +723,11 @@ static int __init hp_wmi_rfkill_setup(st
 	if (err)
 		return err;
 
+	err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
+				   sizeof(wireless), 0);
+	if (err)
+		return err;
+
 	if (wireless & 0x1) {
 		wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
 					   RFKILL_TYPE_WLAN,
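
Review bot: The added hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless, ...) call has no comment, and neither the bare `1` nor the reason for this query is clear from the code. On error the function returns before any rfkill device is allocated, and the second hunk then falls back to hp_wmi_rfkill2_setup(); a comment saying that this query is what now selects between the two paths would help.
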
@@ -910,7 +915,7 @@ static int __init hp_wmi_bios_setup(stru
 	gps_rfkill = NULL;
 	rfkill2_count = 0;
 
-	if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
+	if (hp_wmi_rfkill_setup(device))
 		hp_wmi_rfkill2_setup(device);
 
 	err = device_create_file(&device->dev, &dev_attr_display);
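
Review bot: This removes the call to hp_wmi_bios_2009_later() from hp_wmi_bios_setup(). If that was its only caller, the function should be deleted in the same patch, otherwise the build gains an unused-function warning.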

* [PATCH 3.16 032/346] ext4: fix deadlock during page writeback
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 upstream.

Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a
deadlock in ext4_writepages() which was previously much harder to hit.
After this commit xfstest generic/130 reproduces the deadlock on small
filesystems.

The problem happens when ext4_do_update_inode() sets LARGE_FILE feature
and marks current inode handle as synchronous. That subsequently results
in ext4_journal_stop() called from ext4_writepages() to block waiting for
transaction commit while still holding page locks, reference to io_end,
and some prepared bio in mpd structure each of which can possibly block
transaction commit from completing and thus results in deadlock.

Fix the problem by releasing page locks, io_end reference, and
submitting prepared bio before calling ext4_journal_stop().

[ Changed to defer the call to ext4_journal_stop() only if the handle
  is synchronous.  --tytso ]

Reported-and-tested-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2610,13 +2610,36 @@ retry:
 				done = true;
 			}
 		}
-		ext4_journal_stop(handle);
+		/*
+		 * Caution: If the handle is synchronous,
+		 * ext4_journal_stop() can wait for transaction commit
+		 * to finish which may depend on writeback of pages to
+		 * complete or on page lock to be released.  In that
+		 * case, we have to wait until after after we have
+		 * submitted all the IO, released page locks we hold,
+		 * and dropped io_end reference (for extent conversion
+		 * to be able to complete) before stopping the handle.
+		 */
+		if (!ext4_handle_valid(handle) || handle->h_sync == 0) {
+			ext4_journal_stop(handle);
+			handle = NULL;
+		}
 		/* Submit prepared bio */
 		ext4_io_submit(&mpd.io_submit);
 		/* Unlock pages we didn't use */
 		mpage_release_unused_pages(&mpd, give_up_on_write);
-		/* Drop our io_end reference we got from init */
-		ext4_put_io_end(mpd.io_submit.io_end);
+		/*
+		 * Drop our io_end reference we got from init. We have
+		 * to be careful and use deferred io_end finishing if
+		 * we are still holding the transaction as we can
+		 * release the last reference to io_end which may end
+		 * up doing unwritten extent conversion.
+		 */
+		if (handle) {
+			ext4_put_io_end_defer(mpd.io_submit.io_end);
+			ext4_journal_stop(handle);
+		} else
+			ext4_put_io_end(mpd.io_submit.io_end);
 
 		if (ret == -ENOSPC && sbi->s_journal) {
 			/*
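
Review bot: Two style points in the added block: the first comment reads "wait until after after we have", and the final `} else` leaves the else branch unbraced while the `if (handle)` branch is braced, which kernel style wants braced on both sides. On the logic, once the handle is kept open the order of ext4_put_io_end_defer() followed by ext4_journal_stop() matters; the second comment explains the defer but not why the stop has to come after it.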

* [PATCH 3.16 005/346] s5p-mfc: Add release callback for memory region devs
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sylwester Nawrocki, Marek Szyprowski, Javier Martinez Canillas

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Javier Martinez Canillas <javier@osg.samsung.com>

commit 6311f1261f59ce5e51fbe5cc3b5e7737197316ac upstream.

When s5p_mfc_remove() calls put_device() for the reserved memory region
devs, the driver core warns that the dev doesn't have a release callback:

WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.

Also, the declared DMA memory using dma_declare_coherent_memory() isn't
released, so add a dev .release that calls dma_release_declared_memory().

Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/s5p-mfc/s5p_mfc.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -1003,6 +1003,11 @@ static int match_child(struct device *de
 	return !strcmp(dev_name(dev), (char *)data);
 }
 
+static void s5p_mfc_memdev_release(struct device *dev)
+{
+	dma_release_declared_memory(dev);
+}
+
 static void *mfc_get_drv_data(struct platform_device *pdev);
 
 static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
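
Review bot: s5p_mfc_memdev_release() only calls dma_release_declared_memory(dev) and does not free the struct device itself, and nothing in this hunk says who owns that allocation. A release callback runs when the last reference is dropped, so add a comment stating where the memory for mem_dev_l and mem_dev_r is freed and why it is safe not to free it here.
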
@@ -1017,6 +1022,7 @@ static int s5p_mfc_alloc_memdevs(struct
 	}
 
 	dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
+	dev->mem_dev_l->release = s5p_mfc_memdev_release;
 	device_initialize(dev->mem_dev_l);
 	of_property_read_u32_array(dev->plat_dev->dev.of_node,
 			"samsung,mfc-l", mem_info, 2);
@@ -1036,6 +1042,7 @@ static int s5p_mfc_alloc_memdevs(struct
 	}
 
 	dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
+	dev->mem_dev_r->release = s5p_mfc_memdev_release;
 	device_initialize(dev->mem_dev_r);
 	of_property_read_u32_array(dev->plat_dev->dev.of_node,
 			"samsung,mfc-r", mem_info, 2);


* [PATCH 3.16 004/346] s5p-mfc: Set device name for reserved memory region devs
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 096/346] cifs: fix crash due to race in hmac(md5) handling Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 152/346] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices Ben Hutchings
                   ` (274 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sylwester Nawrocki, Marek Szyprowski, Javier Martinez Canillas

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Javier Martinez Canillas <javier@osg.samsung.com>

commit 29debab0a94035a390801d1f177d171d014b7765 upstream.

The devices don't have a name set, which makes dev_name() return NULL and
makes it harder to identify the devices that are causing issues, for example:

WARNING: CPU: 2 PID: 616 at drivers/base/core.c:251 device_release+0x8c/0x90
Device '(null)' does not have a release() function, it is broken and must be fixed.

And after setting the device name:

WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
Device 's5p-mfc-l' does not have a release() function, it is broken and must be fixed.

Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -1015,6 +1015,8 @@ static int s5p_mfc_alloc_memdevs(struct
 		mfc_err("Not enough memory\n");
 		return -ENOMEM;
 	}
+
+	dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
 	device_initialize(dev->mem_dev_l);
 	of_property_read_u32_array(dev->plat_dev->dev.of_node,
 			"samsung,mfc-l", mem_info, 2);
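
Review bot: the return value of `dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");` is ignored, and the same applies to the mem_dev_r call in the next hunk. dev_set_name() allocates the name and returns an error on failure, in which case the device is still left unnamed and the '(null)' warning quoted in the commit message can come back. Check the result and return it, next to the existing -ENOMEM path.
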
@@ -1032,6 +1034,8 @@ static int s5p_mfc_alloc_memdevs(struct
 		mfc_err("Not enough memory\n");
 		return -ENOMEM;
 	}
+
+	dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
 	device_initialize(dev->mem_dev_r);
 	of_property_read_u32_array(dev->plat_dev->dev.of_node,
 			"samsung,mfc-r", mem_info, 2);


* [PATCH 3.16 011/346] random: add interrupt callback to VMBus IRQ handler
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (281 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 103/346] libceph: apply new_state before new_up_client on incrementals Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 182/346] USB: serial: mos7720: fix non-atomic allocation in write path Ben Hutchings
                   ` (63 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Stephan Mueller, Theodore Ts'o, Stephan Mueller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@chronox.de>

commit 4b44f2d18a330565227a7348844493c59366171e upstream.

The Hyper-V Linux Integration Services use the VMBus implementation for
communication with the Hypervisor. VMBus registers its own interrupt
handler that completely bypasses the common Linux interrupt handling.
This implies that the interrupt entropy collector is not triggered.

This patch adds the interrupt entropy collection callback into the VMBus
interrupt handler function.

Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/random.c  | 1 +
 drivers/hv/vmbus_drv.c | 3 +++
 2 files changed, 4 insertions(+)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -956,6 +956,7 @@ static void _xfer_secondary_pool(struct
 	mix_pool_bytes(r, tmp, bytes, NULL);
 	credit_entropy_bits(r, bytes*8);
 }
+EXPORT_SYMBOL_GPL(add_interrupt_randomness);
 
 /*
  * Used as a workqueue function so that when the input pool is getting
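
Review bot: `EXPORT_SYMBOL_GPL(add_interrupt_randomness);` lands after the closing brace of the function whose body ends with `credit_entropy_bits(r, bytes*8);` (the hunk header names `_xfer_secondary_pool`), not after add_interrupt_randomness() itself. The export still takes effect, but the convention is to place it directly below the function it exports. This looks like a context mismatch from the backport, so move the line to follow the definition of add_interrupt_randomness().
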
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -33,6 +33,7 @@
 #include <linux/hyperv.h>
 #include <linux/kernel_stat.h>
 #include <linux/cpu.h>
+#include <linux/random.h>
 #include <asm/hyperv.h>
 #include <asm/hypervisor.h>
 #include <asm/mshyperv.h>
@@ -795,6 +796,8 @@ int __vmbus_driver_register(struct hv_dr
 EXPORT_SYMBOL_GPL(__vmbus_driver_register);
 
 /**
+
+	add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0);
  * vmbus_driver_unregister() - Unregister a vmbus's driver
  * @drv: Pointer to driver structure you want to un-register
  *
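
Review bot: the added `add_interrupt_randomness(HYPERVISOR_CALLBACK_VECTOR, 0);` sits between `/**` and ` * vmbus_driver_unregister() - Unregister a vmbus's driver`, so it is inside the kernel-doc comment and is never compiled. As applied here, the VMBus interrupt handler still does not feed the entropy collector, which is the one thing the commit message says the patch does. The call needs to go into the body of the VMBus interrupt handler function; the hunk offset should be rechecked against the 3.16 tree.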


* [PATCH 3.16 007/346] [media] em28xx-i2c: rt_mutex_trylock() returns zero on failure
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (259 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 250/346] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 299/346] IB/ipoib: Don't allow MC joins during light MC flush Ben Hutchings
                   ` (85 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e44c153b30c9a0580fc2b5a93f3c6d593def2278 upstream.

The code is checking for negative returns but it should be checking for
zero.

Fixes: aab3125c43d8 ('[media] em28xx: add support for registering multiple i2c buses')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/em28xx/em28xx-i2c.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-i2c.c
+++ b/drivers/media/usb/em28xx/em28xx-i2c.c
@@ -501,9 +501,8 @@ static int em28xx_i2c_xfer(struct i2c_ad
 	int addr, rc, i;
 	u8 reg;
 
-	rc = rt_mutex_trylock(&dev->i2c_bus_lock);
-	if (rc < 0)
-		return rc;
+	if (!rt_mutex_trylock(&dev->i2c_bus_lock))
+		return -EAGAIN;
 
 	/* Switch I2C bus if needed */
 	if (bus != dev->cur_i2c_bus &&


* [PATCH 3.16 084/346] netfilter: x_tables: speed up jump target validation
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 326/346] MIPS: Malta: Fix IOCU disable switch read for MIPS64 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 005/346] s5p-mfc: Add release callback for memory region devs Ben Hutchings
                   ` (331 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jeff Wu, Sasha Levin, Florian Westphal, Pablo Neira Ayuso

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit f4dc77713f8016d2e8a3295e1c9c53a21f296def upstream.

The dummy ruleset I used to test the original validation change was broken,
most rules were unreachable and were not tested by mark_source_chains().

In some cases rulesets that used to load in a few seconds now require
several minutes.

sample ruleset that shows the behaviour:

echo "*filter"
for i in $(seq 0 100000);do
        printf ":chain_%06x - [0:0]\n" $i
done
for i in $(seq 0 100000);do
   printf -- "-A INPUT -j chain_%06x\n" $i
   printf -- "-A INPUT -j chain_%06x\n" $i
   printf -- "-A INPUT -j chain_%06x\n" $i
done
echo COMMIT

[ pipe result into iptables-restore ]

This ruleset will be about 74mbyte in size, with ~500k searches
through all 500k[1] rule entries. iptables-restore will take forever
(gave up after 10 minutes)

Instead of always searching the entire blob for a match, fill an
array with the start offsets of every single ipt_entry struct,
then do a binary search to check if the jump target is present or not.

After this change ruleset restore times get again close to what one
gets when reverting 36472341017529e (~3 seconds on my workstation).

[1] every user-defined rule gets an implicit RETURN, so we get
300k jumps + 100k userchains + 100k returns -> 500k rule entries

Fixes: 36472341017529e ("netfilter: x_tables: validate targets of jumps")
Reported-by: Jeff Wu <wujiafu@gmail.com>
Tested-by: Jeff Wu <wujiafu@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[carnil: backport to 3.16, adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netfilter/x_tables.h |  4 +++
 net/ipv4/netfilter/arp_tables.c    | 48 ++++++++++++++++++------------------
 net/ipv4/netfilter/ip_tables.c     | 45 ++++++++++++++++++----------------
 net/ipv6/netfilter/ip6_tables.c    | 45 ++++++++++++++++++----------------
 net/netfilter/x_tables.c           | 50 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 127 insertions(+), 65 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -243,6 +243,10 @@ int xt_check_entry_offsets(const void *b
 			   unsigned int target_offset,
 			   unsigned int next_offset);
 
+unsigned int *xt_alloc_entry_offsets(unsigned int size);
+bool xt_find_jump_offset(const unsigned int *offsets,
+			 unsigned int target, unsigned int size);
+
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
 		   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -363,24 +363,12 @@ static inline bool unconditional(const s
 	       memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
 }
 
-static bool find_jump_target(const struct xt_table_info *t,
-			     const void *entry0,
-			     const struct arpt_entry *target)
-{
-	struct arpt_entry *iter;
-
-	xt_entry_foreach(iter, entry0, t->size) {
-		 if (iter == target)
-			return true;
-	}
-	return false;
-}
-
 /* Figures out from what hook each rule can be called: returns 0 if
  * there are loops.  Puts hook bitmask in comefrom.
  */
 static int mark_source_chains(const struct xt_table_info *newinfo,
-			      unsigned int valid_hooks, void *entry0)
+			      unsigned int valid_hooks, void *entry0,
+			      unsigned int *offsets)
 {
 	unsigned int hook;
 
@@ -469,10 +457,11 @@ static int mark_source_chains(const stru
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					if (!xt_find_jump_offset(offsets, newpos,
+								 newinfo->number))
+						return 0;
 					e = (struct arpt_entry *)
 						(entry0 + newpos);
-					if (!find_jump_target(newinfo, entry0, e))
-						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
@@ -632,6 +621,7 @@ static int translate_table(struct xt_tab
                            const struct arpt_replace *repl)
 {
 	struct arpt_entry *iter;
+	unsigned int *offsets;
 	unsigned int i;
 	int ret = 0;
 
@@ -645,8 +635,10 @@ static int translate_table(struct xt_tab
 	}
 
 	duprintf("translate_table: size %u\n", newinfo->size);
+	offsets = xt_alloc_entry_offsets(newinfo->number);
+	if (!offsets)
+		return -ENOMEM;
 	i = 0;
-
 	/* Walk through entries, checking offsets. */
 	xt_entry_foreach(iter, entry0, newinfo->size) {
 		ret = check_entry_size_and_hooks(iter, newinfo, entry0,
@@ -655,7 +647,9 @@ static int translate_table(struct xt_tab
 						 repl->underflow,
 						 repl->valid_hooks);
 		if (ret != 0)
-			break;
+			goto out_free;
+		if (i < repl->num_entries)
+			offsets[i] = (void *)iter - entry0;
 		++i;
 		if (strcmp(arpt_get_target(iter)->u.user.name,
 		    XT_ERROR_TARGET) == 0)
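
Review bot: the store `offsets[i] = (void *)iter - entry0;` is bounded by `i < repl->num_entries`, while the array was sized with `xt_alloc_entry_offsets(newinfo->number)` in the previous hunk, and the lookup later passes `newinfo->number` as the element count. Nothing visible in the patch ties the two counts together. Use the same expression for the allocation, the guard and the search, or add a comment at the allocation stating that newinfo->number equals repl->num_entries at this point. The same pattern is repeated in ip_tables.c and ip6_tables.c.
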
@@ -663,12 +657,13 @@ static int translate_table(struct xt_tab
 	}
 	duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
 	if (ret != 0)
-		return ret;
+		goto out_free;
 
+	ret = -EINVAL;
 	if (i != repl->num_entries) {
 		duprintf("translate_table: %u not %u entries\n",
 			 i, repl->num_entries);
-		return -EINVAL;
+		goto out_free;
 	}
 
 	/* Check hooks all assigned */
@@ -679,17 +674,20 @@ static int translate_table(struct xt_tab
 		if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
 			duprintf("Invalid hook entry %u %u\n",
 				 i, repl->hook_entry[i]);
-			return -EINVAL;
+			goto out_free;
 		}
 		if (newinfo->underflow[i] == 0xFFFFFFFF) {
 			duprintf("Invalid underflow %u %u\n",
 				 i, repl->underflow[i]);
-			return -EINVAL;
+			goto out_free;
 		}
 	}
 
-	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
-		return -ELOOP;
+	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
+		ret = -ELOOP;
+		goto out_free;
+	}
+	kvfree(offsets);
 
 	/* Finally, each sanity check must pass */
 	i = 0;
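
Review bot: the two `goto out_free;` lines that replace `return -EINVAL;` in the hook_entry and underflow checks depend on `ret = -EINVAL;` having been assigned before the `i != repl->num_entries` test in the previous hunk. That coupling is easy to break when code is added in between. Either set `ret = -EINVAL;` at each of these sites or add a comment at the assignment saying it covers every check down to mark_source_chains(). Note also that ret is still -EINVAL after `kvfree(offsets);` on the success path, so the code that follows must assign it before the final `return ret;`.
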
@@ -716,6 +714,9 @@ static int translate_table(struct xt_tab
 	}
 
 	return ret;
+ out_free:
+	kvfree(offsets);
+	return ret;
 }
 
 static void get_counters(const struct xt_table_info *t,
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -439,24 +439,12 @@ ipt_do_table(struct sk_buff *skb,
 #endif
 }
 
-static bool find_jump_target(const struct xt_table_info *t,
-			     const void *entry0,
-			     const struct ipt_entry *target)
-{
-	struct ipt_entry *iter;
-
-	xt_entry_foreach(iter, entry0, t->size) {
-		 if (iter == target)
-			return true;
-	}
-	return false;
-}
-
 /* Figures out from what hook each rule can be called: returns 0 if
    there are loops.  Puts hook bitmask in comefrom. */
 static int
 mark_source_chains(const struct xt_table_info *newinfo,
-		   unsigned int valid_hooks, void *entry0)
+		   unsigned int valid_hooks, void *entry0,
+		   unsigned int *offsets)
 {
 	unsigned int hook;
 
@@ -549,10 +537,11 @@ mark_source_chains(const struct xt_table
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					if (!xt_find_jump_offset(offsets, newpos,
+								 newinfo->number))
+						return 0;
 					e = (struct ipt_entry *)
 						(entry0 + newpos);
-					if (!find_jump_target(newinfo, entry0, e))
-						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
@@ -799,6 +788,7 @@ translate_table(struct net *net, struct
                 const struct ipt_replace *repl)
 {
 	struct ipt_entry *iter;
+	unsigned int *offsets;
 	unsigned int i;
 	int ret = 0;
 
@@ -812,6 +802,9 @@ translate_table(struct net *net, struct
 	}
 
 	duprintf("translate_table: size %u\n", newinfo->size);
+	offsets = xt_alloc_entry_offsets(newinfo->number);
+	if (!offsets)
+		return -ENOMEM;
 	i = 0;
 	/* Walk through entries, checking offsets. */
 	xt_entry_foreach(iter, entry0, newinfo->size) {
@@ -821,17 +814,20 @@ translate_table(struct net *net, struct
 						 repl->underflow,
 						 repl->valid_hooks);
 		if (ret != 0)
-			return ret;
+			goto out_free;
+		if (i < repl->num_entries)
+			offsets[i] = (void *)iter - entry0;
 		++i;
 		if (strcmp(ipt_get_target(iter)->u.user.name,
 		    XT_ERROR_TARGET) == 0)
 			++newinfo->stacksize;
 	}
 
+	ret = -EINVAL;
 	if (i != repl->num_entries) {
 		duprintf("translate_table: %u not %u entries\n",
 			 i, repl->num_entries);
-		return -EINVAL;
+		goto out_free;
 	}
 
 	/* Check hooks all assigned */
@@ -842,17 +838,20 @@ translate_table(struct net *net, struct
 		if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
 			duprintf("Invalid hook entry %u %u\n",
 				 i, repl->hook_entry[i]);
-			return -EINVAL;
+			goto out_free;
 		}
 		if (newinfo->underflow[i] == 0xFFFFFFFF) {
 			duprintf("Invalid underflow %u %u\n",
 				 i, repl->underflow[i]);
-			return -EINVAL;
+			goto out_free;
 		}
 	}
 
-	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
-		return -ELOOP;
+	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
+		ret = -ELOOP;
+		goto out_free;
+	}
+	kvfree(offsets);
 
 	/* Finally, each sanity check must pass */
 	i = 0;
@@ -879,6 +878,9 @@ translate_table(struct net *net, struct
 	}
 
 	return ret;
+ out_free:
+	kvfree(offsets);
+	return ret;
 }
 
 static void
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -449,24 +449,12 @@ ip6t_do_table(struct sk_buff *skb,
 #endif
 }
 
-static bool find_jump_target(const struct xt_table_info *t,
-			     const void *entry0,
-			     const struct ip6t_entry *target)
-{
-	struct ip6t_entry *iter;
-
-	xt_entry_foreach(iter, entry0, t->size) {
-		 if (iter == target)
-			return true;
-	}
-	return false;
-}
-
 /* Figures out from what hook each rule can be called: returns 0 if
    there are loops.  Puts hook bitmask in comefrom. */
 static int
 mark_source_chains(const struct xt_table_info *newinfo,
-		   unsigned int valid_hooks, void *entry0)
+		   unsigned int valid_hooks, void *entry0,
+		   unsigned int *offsets)
 {
 	unsigned int hook;
 
@@ -559,10 +547,11 @@ mark_source_chains(const struct xt_table
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					if (!xt_find_jump_offset(offsets, newpos,
+								 newinfo->number))
+						return 0;
 					e = (struct ip6t_entry *)
 						(entry0 + newpos);
-					if (!find_jump_target(newinfo, entry0, e))
-						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
@@ -809,6 +798,7 @@ translate_table(struct net *net, struct
                 const struct ip6t_replace *repl)
 {
 	struct ip6t_entry *iter;
+	unsigned int *offsets;
 	unsigned int i;
 	int ret = 0;
 
@@ -822,6 +812,9 @@ translate_table(struct net *net, struct
 	}
 
 	duprintf("translate_table: size %u\n", newinfo->size);
+	offsets = xt_alloc_entry_offsets(newinfo->number);
+	if (!offsets)
+		return -ENOMEM;
 	i = 0;
 	/* Walk through entries, checking offsets. */
 	xt_entry_foreach(iter, entry0, newinfo->size) {
@@ -831,17 +824,20 @@ translate_table(struct net *net, struct
 						 repl->underflow,
 						 repl->valid_hooks);
 		if (ret != 0)
-			return ret;
+			goto out_free;
+		if (i < repl->num_entries)
+			offsets[i] = (void *)iter - entry0;
 		++i;
 		if (strcmp(ip6t_get_target(iter)->u.user.name,
 		    XT_ERROR_TARGET) == 0)
 			++newinfo->stacksize;
 	}
 
+	ret = -EINVAL;
 	if (i != repl->num_entries) {
 		duprintf("translate_table: %u not %u entries\n",
 			 i, repl->num_entries);
-		return -EINVAL;
+		goto out_free;
 	}
 
 	/* Check hooks all assigned */
@@ -852,17 +848,20 @@ translate_table(struct net *net, struct
 		if (newinfo->hook_entry[i] == 0xFFFFFFFF) {
 			duprintf("Invalid hook entry %u %u\n",
 				 i, repl->hook_entry[i]);
-			return -EINVAL;
+			goto out_free;
 		}
 		if (newinfo->underflow[i] == 0xFFFFFFFF) {
 			duprintf("Invalid underflow %u %u\n",
 				 i, repl->underflow[i]);
-			return -EINVAL;
+			goto out_free;
 		}
 	}
 
-	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
-		return -ELOOP;
+	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {
+		ret = -ELOOP;
+		goto out_free;
+	}
+	kvfree(offsets);
 
 	/* Finally, each sanity check must pass */
 	i = 0;
@@ -889,6 +888,9 @@ translate_table(struct net *net, struct
 	}
 
 	return ret;
+ out_free:
+	kvfree(offsets);
+	return ret;
 }
 
 static void
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -721,6 +721,56 @@ int xt_check_entry_offsets(const void *b
 }
 EXPORT_SYMBOL(xt_check_entry_offsets);
 
+/**
+ * xt_alloc_entry_offsets - allocate array to store rule head offsets
+ *
+ * @size: number of entries
+ *
+ * Return: NULL or kmalloc'd or vmalloc'd array
+ */
+unsigned int *xt_alloc_entry_offsets(unsigned int size)
+{
+	unsigned int *off;
+
+	off = kcalloc(size, sizeof(unsigned int), GFP_KERNEL | __GFP_NOWARN);
+
+	if (off)
+		return off;
+
+	if (size < (SIZE_MAX / sizeof(unsigned int)))
+		off = vmalloc(size * sizeof(unsigned int));
+
+	return off;
+}
+EXPORT_SYMBOL(xt_alloc_entry_offsets);
+
+/**
+ * xt_find_jump_offset - check if target is a valid jump offset
+ *
+ * @offsets: array containing all valid rule start offsets of a rule blob
+ * @target: the jump target to search for
+ * @size: entries in @offset
+ */
+bool xt_find_jump_offset(const unsigned int *offsets,
+			 unsigned int target, unsigned int size)
+{
+	int m, low = 0, hi = size;
+
+	while (hi > low) {
+		m = (low + hi) / 2u;
+
+		if (offsets[m] > target)
+			hi = m;
+		else if (offsets[m] < target)
+			low = m + 1;
+		else
+			return true;
+	}
+
+	return false;
+}
+EXPORT_SYMBOL(xt_find_jump_offset);
+
 int xt_check_target(struct xt_tgchk_param *par,
 		    unsigned int size, u_int8_t proto, bool inv_proto)
 {
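
Review bot: in xt_find_jump_offset(), `int m, low = 0, hi = size;` stores an unsigned count in signed ints and then indexes `offsets[m]` with them. Declare all three as unsigned int to match the `size` and `target` parameters. The search is only correct if @offsets is sorted in ascending order, which holds because the callers fill it while walking the blob front to back, but the kernel-doc should state that precondition. The doc line `@size: entries in @offset` should read `@offsets`. In xt_alloc_entry_offsets() the kcalloc() path returns zeroed memory while the vmalloc() fallback does not; using a zeroing allocation in both paths keeps the two consistent.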


* [PATCH 3.16 022/346] serial: samsung: Fix ERR pointer dereference on deferred probe
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 333/346] firewire: net: guard against rx buffer overflows Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 202/346] staging: comedi: daqboard2000: bug fix board type matching code Ben Hutchings
                   ` (135 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Krzysztof Kozlowski, Greg Kroah-Hartman,
	Javier Martinez Canillas, Kevin Hilman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit e51e4d8a185de90424b03f30181b35f29c46a25a upstream.

When the clk_get() of "uart" clock returns EPROBE_DEFER, the next re-probe
finishes with success but uses invalid (ERR_PTR) values.  This leads to
dereferencing of ERR_PTR stored under ourport->clk:

	12c30000.serial: Controller clock not found
	(...)
	12c30000.serial: ttySAC3 at MMIO 0x12c30000 (irq = 61, base_baud = 0) is a S3C6400/10
	Unable to handle kernel paging request at virtual address fffffdfb

	(clk_prepare) from [<c039f7d0>] (s3c24xx_serial_pm+0x20/0x128)
	(s3c24xx_serial_pm) from [<c0395414>] (uart_change_pm+0x38/0x40)
	(uart_change_pm) from [<c039689c>] (uart_add_one_port+0x31c/0x44c)
	(uart_add_one_port) from [<c03a035c>] (s3c24xx_serial_probe+0x2a8/0x418)
	(s3c24xx_serial_probe) from [<c03ee110>] (platform_drv_probe+0x50/0xb0)
	(platform_drv_probe) from [<c03ecb44>] (driver_probe_device+0x1f4/0x2b0)
	(driver_probe_device) from [<c03eb0c0>] (bus_for_each_drv+0x44/0x8c)
	(bus_for_each_drv) from [<c03ec8c8>] (__device_attach+0x9c/0x100)
	(__device_attach) from [<c03ebf54>] (bus_probe_device+0x84/0x8c)
	(bus_probe_device) from [<c03ec388>] (deferred_probe_work_func+0x60/0x8c)
	(deferred_probe_work_func) from [<c012fee4>] (process_one_work+0x120/0x328)
	(process_one_work) from [<c0130150>] (worker_thread+0x2c/0x4ac)
	(worker_thread) from [<c0135320>] (kthread+0xd8/0xf4)
	(kthread) from [<c0107978>] (ret_from_fork+0x14/0x3c)

The first unsuccessful clk_get() causes s3c24xx_serial_init_port() to
exit with failure but the s3c24xx_uart_port is left half-configured
(e.g. port->mapbase is set, clk contains ERR_PTR).  On next re-probe,
the function s3c24xx_serial_init_port() will exit early with success
because of configured port->mapbase and driver will use old values,
including the ERR_PTR as clock.

Fix this by cleaning the port->mapbase on error path so each re-probe
will initialize all of the port settings.

Fixes: 60e93575476f ("serial: samsung: enable clock before clearing pending interrupts during init")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
Tested-by: Javier Martinez Canillas <javier@osg.samsung.com>
Tested-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: driver doesn't set up DMA here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1163,7 +1163,7 @@ static int s3c24xx_serial_init_port(stru
 		return -ENODEV;
 
 	if (port->mapbase != 0)
-		return 0;
+		return -EINVAL;
 
 	/* setup info for port */
 	port->dev	= &platdev->dev;
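
Review bot: `if (port->mapbase != 0)` now returns -EINVAL where it used to return 0, so calling s3c24xx_serial_init_port() for a port that is already set up turns from a silent success into a failure. Add a one-line comment here saying that a non-zero mapbase means the port is already initialised and re-initialisation is refused, since the error path added at the end of this patch relies on clearing mapbase to let a re-probe through.
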
@@ -1213,14 +1213,15 @@ static int s3c24xx_serial_init_port(stru
 	if (IS_ERR(ourport->clk)) {
 		pr_err("%s: Controller clock not found\n",
 				dev_name(&platdev->dev));
-		return PTR_ERR(ourport->clk);
+		ret = PTR_ERR(ourport->clk);
+		goto err;
 	}
 
 	ret = clk_prepare_enable(ourport->clk);
 	if (ret) {
 		pr_err("uart: clock failed to prepare+enable: %d\n", ret);
 		clk_put(ourport->clk);
-		return ret;
+		goto err;
 	}
 
 	/* Keep all interrupts masked and cleared */
@@ -1236,7 +1237,12 @@ static int s3c24xx_serial_init_port(stru
 
 	/* reset the fifos (and setup the uart) */
 	s3c24xx_serial_resetport(port, cfg);
+
 	return 0;
+
+err:
+	port->mapbase = 0;
+	return ret;
 }
 
 #ifdef CONFIG_SAMSUNG_CLOCK
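
Review bot: the new `err:` path resets only `port->mapbase`, so `ourport->clk` keeps whatever the failing branch left in it: the ERR_PTR from the IS_ERR() branch, or a clock that has already been passed to `clk_put(ourport->clk);` in the clk_prepare_enable() branch. The re-probe overwrites it, but any code that looks at ourport->clk between the failed probe and the retry still sees a stale value. Consider resetting ourport->clk in the error path as well, or document that nothing may use it until init has succeeded.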


* [PATCH 3.16 026/346] usb: renesas_usbhs: fix the sequence in xfer_work()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (205 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 289/346] sh: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 015/346] crypto: gcm - Filter out async ghash if necessary Ben Hutchings
                   ` (139 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 9b53d9af7aac09cf249d72bfbf15f08e47c4f7fe upstream.

This patch fixes the setup sequence in xfer_work(). Otherwise,
sometimes a usb transaction will get stuck.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/fifo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -806,10 +806,10 @@ static void xfer_work(struct work_struct
 	dev_dbg(dev, "  %s %d (%d/ %d)\n",
 		fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
 
-	usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
-	usbhs_pipe_enable(pipe);
 	usbhsf_dma_start(pipe, fifo);
+	usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
 	dma_async_issue_pending(chan);
+	usbhs_pipe_enable(pipe);
 }
 
 /*
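
Review bot: the reordering in xfer_work() moves `usbhs_pipe_enable(pipe);` to after `dma_async_issue_pending(chan);` and `usbhs_pipe_set_trans_count_if_bulk()` to after `usbhsf_dma_start()`, but neither the code nor the commit message says why this order is required. The four calls look independent, so a later cleanup could easily put them back. Add a short comment above them stating the constraint, for example that the pipe must only be enabled once the DMA transfer has been issued.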


* [PATCH 3.16 016/346] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (312 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 076/346] powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 127/346] ubi: Fix race condition between ubi device creation and udev Ben Hutchings
                   ` (32 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tony Lindgren, Keerthy

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit b00ccf5b684992829610d162e78a7836933a1b19 upstream.

pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of
am43xx. Fix the RSTST register offset value.

This can lead to setting of wrong power state values for PER domain.

Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update")
Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c | 1 +
 arch/arm/mach-omap2/prcm43xx.h                          | 1 +
 2 files changed, 2 insertions(+)

--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
@@ -1460,6 +1460,7 @@ static void omap_hwmod_am43xx_rst(void)
 {
 	RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET);
 	RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET);
+	RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET);
 	RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET);
 }
 
--- a/arch/arm/mach-omap2/prcm43xx.h
+++ b/arch/arm/mach-omap2/prcm43xx.h
@@ -32,6 +32,7 @@
 
 /* RM RSTST offsets */
 #define AM43XX_RM_GFX_RSTST_OFFSET			0x0014
+#define AM43XX_RM_PER_RSTST_OFFSET			0x0014
 #define AM43XX_RM_WKUP_RSTST_OFFSET			0x0014
 
 /* CM instances */


* [PATCH 3.16 023/346] serial: samsung: Fix possible out of bounds access on non-DT platform
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Krzysztof Kozlowski, Greg Kroah-Hartman, Bartlomiej Zolnierkiewicz

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit 926b7b5122c96e1f18cd20e85a286c7ec8d18c97 upstream.

On non-DeviceTree platforms, the index of serial device is a static
variable incremented on each probe.  It is incremented even if deferred
probe happens when getting the clock in s3c24xx_serial_init_port().

This index is used for referencing elements of statically allocated
s3c24xx_serial_ports array.  In case of re-probe, the index will point
outside of this array leading to memory corruption.

Increment the index only on successful probe.

Reported-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/samsung.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1307,8 +1307,6 @@ static int s3c24xx_serial_probe(struct p
 		ourport->info->fifosize :
 		ourport->drv_data->fifosize[probe_index];
 
-	probe_index++;
-
 	dbg("%s: initialising port %p...\n", __func__, ourport);
 
 	ret = s3c24xx_serial_init_port(ourport, pdev);
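Review bot: probe_index is still used as an array index with no range check, for example in ourport->drv_data->fifosize[probe_index] at the top of this hunk. Deferring the increment to the success path removes the overrun caused by deferred probes, but the counter remains a static that only ever grows, so a check against the size of s3c24xx_serial_ports before the first use, returning an error when it is exceeded, would make the probe robust regardless of how many times it is entered.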
@@ -1344,6 +1342,8 @@ static int s3c24xx_serial_probe(struct p
 	if (ret < 0)
 		dev_err(&pdev->dev, "failed to add cpufreq notifier\n");
 
+	probe_index++;
+
 	return 0;
 
  probe_err:


* [PATCH 3.16 014/346] usb: dwc3: fix for the isoc transfer EP_BUSY flag
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rafal Redzimski, Konrad Leszczynski, Felipe Balbi

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Leszczynski <konrad.leszczynski@intel.com>

commit 9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b upstream.

commit f3af36511e60 ("usb: dwc3: gadget: always
enable IOC on bulk/interrupt transfers") ended up
regressing Isochronous endpoints by clearing
DWC3_EP_BUSY flag too early, which resulted in
choppy audio playback over USB.

Fix that by partially reverting original commit and
making sure that we check for isochronous endpoints.

Fixes: f3af36511e60 ("usb: dwc3: gadget: always enable IOC
		on bulk/interrupt transfers")
Signed-off-by: Konrad Leszczynski <konrad.leszczynski@intel.com>
Signed-off-by: Rafal Redzimski <rafal.f.redzimski@intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/gadget.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2016,6 +2016,10 @@ static int dwc3_cleanup_done_reqs(struct
 		return 1;
 	}
 
+	if (usb_endpoint_xfer_isoc(dep->endpoint.desc))
+		if ((event->status & DEPEVT_STATUS_IOC) &&
+				(trb->ctrl & DWC3_TRB_CTRL_IOC))
+			return 0;
 	return 1;
 }
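Review bot: The added outer if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) has a multi-line nested if as its body and no braces, which is easy to misread next to the unconditional return 1 that follows. Either brace the outer statement or fold the three tests into a single condition joined with &&. A short comment saying that returning 0 here is what keeps the endpoint busy for isochronous transfers would also tie the code to the regression described in the commit message.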
 


* [PATCH 3.16 038/346] batman-adv: lock crc access in bridge loop avoidance
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio Quartulli, Simon Wunderlich, Marek Lindner, Alfons Name

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Wunderlich <sw@simonwunderlich.de>

commit 5a1dd8a4773d4c24e925cc6154826d555a85c370 upstream.

We have found some networks in which nodes were constantly requesting
other nodes' BLA claim tables to synchronize, just to ask for that again
once completed. The reason was that the crc checksums of the asked nodes
were out of sync due to missing locking and multiple writes to the same
crc checksum when adding/removing entries. Therefore the asked nodes
constantly reported the wrong crc, which caused repeating requests.

To avoid multiple functions changing a backbone gateway's crc entry at
the same time, lock it using a spinlock.

Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Tested-by: Alfons Name <AlfonsName@web.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/bridge_loop_avoidance.c | 35 +++++++++++++++++++++++++++++-----
 net/batman-adv/types.h                 |  2 ++
 2 files changed, 32 insertions(+), 5 deletions(-)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -242,7 +242,9 @@ batadv_bla_del_backbone_claims(struct ba
 	}
 
 	/* all claims gone, intialize CRC */
+	spin_lock_bh(&backbone_gw->crc_lock);
 	backbone_gw->crc = BATADV_BLA_CRC_INIT;
+	spin_unlock_bh(&backbone_gw->crc_lock);
 }
 
 /**
@@ -392,6 +394,7 @@ batadv_bla_get_backbone_gw(struct batadv
 	entry->lasttime = jiffies;
 	entry->crc = BATADV_BLA_CRC_INIT;
 	entry->bat_priv = bat_priv;
+	spin_lock_init(&entry->crc_lock);
 	atomic_set(&entry->request_sent, 0);
 	atomic_set(&entry->wait_periods, 0);
 	ether_addr_copy(entry->orig, orig);
@@ -540,7 +543,9 @@ static void batadv_bla_send_announce(str
 	__be16 crc;
 
 	memcpy(mac, batadv_announce_mac, 4);
+	spin_lock_bh(&backbone_gw->crc_lock);
 	crc = htons(backbone_gw->crc);
+	spin_unlock_bh(&backbone_gw->crc_lock);
 	memcpy(&mac[4], &crc, 2);
 
 	batadv_bla_send_claim(bat_priv, mac, backbone_gw->vid,
@@ -601,14 +606,18 @@ static void batadv_bla_add_claim(struct
 			   "bla_add_claim(): changing ownership for %pM, vid %d\n",
 			   mac, BATADV_PRINT_VID(vid));
 
+		spin_lock_bh(&claim->backbone_gw->crc_lock);
 		claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+		spin_unlock_bh(&claim->backbone_gw->crc_lock);
 		batadv_backbone_gw_free_ref(claim->backbone_gw);
 	}
 	/* set (new) backbone gw */
 	atomic_inc(&backbone_gw->refcount);
 	claim->backbone_gw = backbone_gw;
 
+	spin_lock_bh(&backbone_gw->crc_lock);
 	backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+	spin_unlock_bh(&backbone_gw->crc_lock);
 	backbone_gw->lasttime = jiffies;
 
 claim_free_ref:
@@ -636,7 +645,9 @@ static void batadv_bla_del_claim(struct
 			   batadv_choose_claim, claim);
 	batadv_claim_free_ref(claim); /* reference from the hash is gone */
 
+	spin_lock_bh(&claim->backbone_gw->crc_lock);
 	claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+	spin_unlock_bh(&claim->backbone_gw->crc_lock);
 
 	/* don't need the reference from hash_find() anymore */
 	batadv_claim_free_ref(claim);
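Review bot: In batadv_bla_del_claim() the pointer claim->backbone_gw is read three separate times, once for spin_lock_bh(), once for the XOR and once for spin_unlock_bh(). batadv_bla_add_claim() reassigns claim->backbone_gw when ownership changes (see the "set (new) backbone gw" lines in the previous hunk), so if that can run between these reads the lock that is released may not be the lock that was taken, and the XOR may land on a different gateway. Reading the pointer once into a local variable and using that local for all three statements would close the window; the same pattern appears in the claim-table print loop.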
@@ -648,7 +659,7 @@ static int batadv_handle_announce(struct
 				  unsigned short vid)
 {
 	struct batadv_bla_backbone_gw *backbone_gw;
-	uint16_t crc;
+	uint16_t backbone_crc, crc;
 
 	if (memcmp(an_addr, batadv_announce_mac, 4) != 0)
 		return 0;
@@ -668,12 +679,16 @@ static int batadv_handle_announce(struct
 		   "handle_announce(): ANNOUNCE vid %d (sent by %pM)... CRC = %#.4x\n",
 		   BATADV_PRINT_VID(vid), backbone_gw->orig, crc);
 
-	if (backbone_gw->crc != crc) {
+	spin_lock_bh(&backbone_gw->crc_lock);
+	backbone_crc = backbone_gw->crc;
+	spin_unlock_bh(&backbone_gw->crc_lock);
+
+	if (backbone_crc != crc) {
 		batadv_dbg(BATADV_DBG_BLA, backbone_gw->bat_priv,
 			   "handle_announce(): CRC FAILED for %pM/%d (my = %#.4x, sent = %#.4x)\n",
 			   backbone_gw->orig,
 			   BATADV_PRINT_VID(backbone_gw->vid),
-			   backbone_gw->crc, crc);
+			   backbone_crc, crc);
 
 		batadv_bla_send_request(backbone_gw);
 	} else {
@@ -1635,6 +1650,7 @@ int batadv_bla_claim_table_seq_print_tex
 	struct batadv_bla_claim *claim;
 	struct batadv_hard_iface *primary_if;
 	struct hlist_head *head;
+	u16 backbone_crc;
 	uint32_t i;
 	bool is_own;
 	uint8_t *primary_addr;
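Review bot: The new local is declared as u16 backbone_crc while the field it copies is uint16_t crc, the neighbouring locals here are uint32_t and uint8_t, and the equivalent local added to batadv_handle_announce() in this same patch is uint16_t. Use uint16_t here, and in batadv_bla_backbone_table_seq_print_text(), so the file stays consistent.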
@@ -1657,11 +1673,15 @@ int batadv_bla_claim_table_seq_print_tex
 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
 			is_own = batadv_compare_eth(claim->backbone_gw->orig,
 						    primary_addr);
+
+			spin_lock_bh(&claim->backbone_gw->crc_lock);
+			backbone_crc = claim->backbone_gw->crc;
+			spin_unlock_bh(&claim->backbone_gw->crc_lock);
 			seq_printf(seq, " * %pM on %5d by %pM [%c] (%#.4x)\n",
 				   claim->addr, BATADV_PRINT_VID(claim->vid),
 				   claim->backbone_gw->orig,
 				   (is_own ? 'x' : ' '),
-				   claim->backbone_gw->crc);
+				   backbone_crc);
 		}
 		rcu_read_unlock();
 	}
@@ -1680,6 +1700,7 @@ int batadv_bla_backbone_table_seq_print_
 	struct batadv_hard_iface *primary_if;
 	struct hlist_head *head;
 	int secs, msecs;
+	u16 backbone_crc;
 	uint32_t i;
 	bool is_own;
 	uint8_t *primary_addr;
@@ -1710,10 +1731,14 @@ int batadv_bla_backbone_table_seq_print_
 			if (is_own)
 				continue;
 
+			spin_lock_bh(&backbone_gw->crc_lock);
+			backbone_crc = backbone_gw->crc;
+			spin_unlock_bh(&backbone_gw->crc_lock);
+
 			seq_printf(seq, " * %pM on %5d %4i.%03is (%#.4x)\n",
 				   backbone_gw->orig,
 				   BATADV_PRINT_VID(backbone_gw->vid), secs,
-				   msecs, backbone_gw->crc);
+				   msecs, backbone_crc);
 		}
 		rcu_read_unlock();
 	}
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -871,6 +871,7 @@ struct batadv_socket_packet {
  *  backbone gateway - no bcast traffic is formwared until the situation was
  *  resolved
  * @crc: crc16 checksum over all claims
+ * @crc_lock: lock protecting crc
  * @refcount: number of contexts the object is used
  * @rcu: struct used for freeing in an RCU-safe manner
  */
@@ -884,6 +885,7 @@ struct batadv_bla_backbone_gw {
 	atomic_t wait_periods;
 	atomic_t request_sent;
 	uint16_t crc;
+	spinlock_t crc_lock; /* protects crc */
 	atomic_t refcount;
 	struct rcu_head rcu;
 };


* [PATCH 3.16 031/346] ext4: check for extents that wrap around
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eryu Guan, Phil Turnbull, Vegard Nossum, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.

An extent with lblock = 4294967295 and len = 1 will pass the
ext4_valid_extent() test:

	ext4_lblk_t last = lblock + len - 1;

	if (len == 0 || lblock > last)
		return 0;

since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().

We can simplify it by removing the - 1 altogether and changing the test
to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
lblock and it fails, and if len > 0 then lblock + len > lblock in order
to pass (i.e. it doesn't overflow).

Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
Cc: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/extents.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -359,9 +359,13 @@ static int ext4_valid_extent(struct inod
 	ext4_fsblk_t block = ext4_ext_pblock(ext);
 	int len = ext4_ext_get_actual_len(ext);
 	ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
-	ext4_lblk_t last = lblock + len - 1;
 
-	if (len == 0 || lblock > last)
+	/*
+	 * We allow neither:
+	 *  - zero length
+	 *  - overflow/wrap-around
+	 */
+	if (lblock + len <= lblock)
 		return 0;
 	return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
 }
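Review bot: The new comment in ext4_valid_extent() lists "overflow/wrap-around" but does not say that the test lblock + len <= lblock is evaluated on the first block past the extent, so an extent whose last block is the highest representable logical block is rejected as well (the commit message's lblock = 4294967295, len = 1 is exactly that case). Say so in the comment, since it is the property that keeps ext4_es_end() away from its BUG_ON. It is also worth noting there that len is an int added to an unsigned ext4_lblk_t, so the check depends on len never being negative.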


* [PATCH 3.16 006/346] netlabel: add address family checks to netlbl_{sock,req}_delattr()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paul Moore, Maninder Singh

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Moore <paul@paul-moore.com>

commit 0e0e36774081534783aa8eeb9f6fbddf98d3c061 upstream.

It seems risky to always rely on the caller to ensure the socket's
address family is correct before passing it to the NetLabel kAPI,
especially since we see at least one LSM which didn't. Add address
family checks to the *_delattr() functions to help prevent future
problems.

Reported-by: Maninder Singh <maninder1.s@samsung.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlabel/netlabel_kapi.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -699,7 +699,11 @@ socket_setattr_return:
  */
 void netlbl_sock_delattr(struct sock *sk)
 {
-	cipso_v4_sock_delattr(sk);
+	switch (sk->sk_family) {
+	case AF_INET:
+		cipso_v4_sock_delattr(sk);
+		break;
+	}
 }
 
 /**
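Review bot: The switch added to netlbl_sock_delattr() has one case and no default, so a socket of any other family is now silently ignored, and because the function returns void the caller cannot tell that nothing was removed. That is the intended hardening, but the kernel-doc comment above the function should state that only AF_INET sockets are handled and other families are a no-op. The same applies to netlbl_req_delattr() in the next hunk.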
@@ -862,7 +866,11 @@ req_setattr_return:
 */
 void netlbl_req_delattr(struct request_sock *req)
 {
-	cipso_v4_req_delattr(req);
+	switch (req->rsk_ops->family) {
+	case AF_INET:
+		cipso_v4_req_delattr(req);
+		break;
+	}
 }
 
 /**


* [PATCH 3.16 098/346] iscsi-target: Fix panic when adding second TCP connection to iSCSI session
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Feng Li, Sumit Rai, Nicholas Bellinger

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Feng Li <lifeng1519@gmail.com>

commit 8abc718de6e9e52d8a6bfdb735060554aeae25e4 upstream.

In the MC/S scenario, conn->sess has been set to NULL in
iscsi_login_non_zero_tsih_s1 when the second connection comes here,
and then the kernel panics.

The conn->sess will be assigned in iscsi_login_non_zero_tsih_s2. So
we should check whether it's NULL before calling.

Signed-off-by: Feng Li <lifeng1519@gmail.com>
Tested-by: Sumit Rai <sumit.rai@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/iscsi/iscsi_target_login.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -1418,8 +1418,9 @@ static int __iscsi_target_login_thread(s
 	}
 	login->zero_tsih = zero_tsih;
 
-	conn->sess->se_sess->sup_prot_ops =
-		conn->conn_transport->iscsit_get_sup_prot_ops(conn);
+	if (conn->sess)
+		conn->sess->se_sess->sup_prot_ops =
+			conn->conn_transport->iscsit_get_sup_prot_ops(conn);
 
 	tpg = conn->tpg;
 	if (!tpg) {
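Review bot: The new if (conn->sess) guard in __iscsi_target_login_thread() skips the sup_prot_ops assignment without any comment explaining when conn->sess is legitimately NULL at this point. The commit message has the reason (the non-zero TSIH path assigns the session later, in iscsi_login_non_zero_tsih_s2), and a one-line comment carrying that would stop the check from being removed as dead code. Note also that conn->sess->se_sess is still dereferenced unchecked once conn->sess is non-NULL.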


* [PATCH 3.16 086/346] i2c: efm32: fix a failure path in efm32_i2c_probe()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Uwe Kleine-König, Wolfram Sang, Alexey Khoroshilov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <khoroshilov@ispras.ru>

commit 7dd91d52a813f99a95d20f539b777e9e6198b931 upstream.

There is exactly one failure path in efm32_i2c_probe()
where clk_disable_unprepare() is missed.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Fixes: 1b5b23718b84 ("i2c: efm32: new bus driver")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/busses/i2c-efm32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-efm32.c
+++ b/drivers/i2c/busses/i2c-efm32.c
@@ -427,7 +427,7 @@ static int efm32_i2c_probe(struct platfo
 	ret = request_irq(ddata->irq, efm32_i2c_irq, 0, DRIVER_NAME, ddata);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "failed to request irq (%d)\n", ret);
-		return ret;
+		goto err_disable_clk;
 	}
 
 	ret = i2c_add_adapter(&ddata->adapter);


* [PATCH 3.16 060/346] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chuck Lever, Steve Wise, Anna Schumaker

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream.

If an RPC program does not set vs_dispatch and pc_func() returns
rpc_drop_reply, the server sends a reply anyway containing a single
word containing the value RPC_DROP_REPLY (in network byte-order, of
course). This is a nonsense RPC message.

Fixes: 9e701c610923 ("svcrpc: simpler request dropping")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1189,7 +1189,7 @@ svc_process_common(struct svc_rqst *rqst
 		*statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
 
 		/* Encode reply */
-		if (rqstp->rq_dropme) {
+		if (*statp == rpc_drop_reply || rqstp->rq_dropme) {
 			if (procp->pc_release)
 				procp->pc_release(rqstp, NULL, rqstp->rq_resp);
 			goto dropit;


* [PATCH 3.16 061/346] NFS: Don't drop CB requests with invalid principals
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chuck Lever, Anna Schumaker, Steve Wise

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream.

Before commit 778be232a207 ("NFS do not find client in NFSv4
pg_authenticate"), the Linux callback server replied with
RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
request. Let's restore that behavior so the server has a chance to
do something useful about it, and provide a warning that helps
admins correct the problem.

Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/callback_xdr.c | 6 +++++-
 net/sunrpc/svc.c      | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -915,7 +915,7 @@ static __be32 nfs4_callback_compound(str
 	if (hdr_arg.minorversion == 0) {
 		cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident);
 		if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
-			return rpc_drop_reply;
+			goto out_invalidcred;
 	}
 
 	cps.minorversion = hdr_arg.minorversion;
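Review bot: The goto out_invalidcred in nfs4_callback_compound() is taken in two different states: when cps.clp is NULL, and when cps.clp is valid but check_gss_callback_principal() rejects it. The label added in the next hunk returns rpc_autherr_badcred without calling nfs_put_client(cps.clp), while the success path does call it just before return rpc_success. If nfs4_find_client_ident() returns a referenced client, as that put suggests, the bad-principal case leaks the reference on every rejected callback. Splitting the condition and dropping the reference before the goto in the second case would fix it.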
@@ -943,6 +943,10 @@ static __be32 nfs4_callback_compound(str
 	nfs_put_client(cps.clp);
 	dprintk("%s: done, status = %u\n", __func__, ntohl(status));
 	return rpc_success;
+
+out_invalidcred:
+	pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
+	return rpc_autherr_badcred;
 }
 
 /*
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1194,6 +1194,11 @@ svc_process_common(struct svc_rqst *rqst
 				procp->pc_release(rqstp, NULL, rqstp->rq_resp);
 			goto dropit;
 		}
+		if (*statp == rpc_autherr_badcred) {
+			if (procp->pc_release)
+				procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+			goto err_bad_auth;
+		}
 		if (*statp == rpc_success &&
 		    (xdr = procp->pc_encode) &&
 		    !xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {
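Review bot: The new rpc_autherr_badcred branch in svc_process_common() repeats the pc_release call from the drop branch directly above it, differing only in the goto target. That duplication is easy to let drift; consider releasing once and then selecting dropit or err_bad_auth. Since this makes rpc_autherr_badcred a special pc_func() return value for every RPC program that goes through this path, a comment saying so belongs here as well.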


* [PATCH 3.16 053/346] [media] ngene: properly handle __user ptr
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, kbuild test robot, Mauro Carvalho Chehab

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <m.chehab@samsung.com>

commit 04da2daee383391954b34e7d0fe0281d75447d61 upstream.

Sparse is complaining about ngene's bad usage of a __user ptr:

>> drivers/media/pci/ngene/ngene-dvb.c:62:48: sparse: incorrect type in argument 2 (different address spaces)
   drivers/media/pci/ngene/ngene-dvb.c:62:48:    expected unsigned char const [usertype] *buf
   drivers/media/pci/ngene/ngene-dvb.c:62:48:    got char const [noderef] <asn:1>*buf

As this is intercepting a .write() file ops, we can't just memcpy. We need to use
copy_from_user.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/dvb-core/dvb_ringbuffer.c | 26 ++++++++++++++++++++++++++
 drivers/media/dvb-core/dvb_ringbuffer.h |  2 ++
 drivers/media/pci/ngene/ngene-dvb.c     |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)

--- a/drivers/media/dvb-core/dvb_ringbuffer.c
+++ b/drivers/media/dvb-core/dvb_ringbuffer.c
@@ -166,6 +166,31 @@ ssize_t dvb_ringbuffer_write(struct dvb_
 	return len;
 }
 
+ssize_t dvb_ringbuffer_write_user(struct dvb_ringbuffer *rbuf,
+				  const u8 __user *buf, size_t len)
+{
+	int status;
+	size_t todo = len;
+	size_t split;
+
+	split = (rbuf->pwrite + len > rbuf->size) ? rbuf->size - rbuf->pwrite : 0;
+
+	if (split > 0) {
+		status = copy_from_user(rbuf->data+rbuf->pwrite, buf, split);
+		if (status)
+			return len - todo;
+		buf += split;
+		todo -= split;
+		rbuf->pwrite = 0;
+	}
+	status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo);
+	if (status)
+		return len - todo;
+	rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
+
+	return len;
+}
+
 ssize_t dvb_ringbuffer_pkt_write(struct dvb_ringbuffer *rbuf, u8* buf, size_t len)
 {
 	int status;
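Review bot: In dvb_ringbuffer_write_user() a failed copy_from_user() is reported by returning len - todo, which is 0 when the first copy faults and is indistinguishable from "nothing to write"; returning -EFAULT would give callers an unambiguous error. status is also declared int although copy_from_user() returns an unsigned long count of bytes not copied. Finally, the function trusts the caller that len fits in the free space of the ring, which deserves a line in the header comment since the source pointer is now user-controlled.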
@@ -297,3 +322,4 @@ EXPORT_SYMBOL(dvb_ringbuffer_flush_spinl
 EXPORT_SYMBOL(dvb_ringbuffer_read_user);
 EXPORT_SYMBOL(dvb_ringbuffer_read);
 EXPORT_SYMBOL(dvb_ringbuffer_write);
+EXPORT_SYMBOL(dvb_ringbuffer_write_user);
--- a/drivers/media/dvb-core/dvb_ringbuffer.h
+++ b/drivers/media/dvb-core/dvb_ringbuffer.h
@@ -133,6 +133,8 @@ extern void dvb_ringbuffer_read(struct d
 */
 extern ssize_t dvb_ringbuffer_write(struct dvb_ringbuffer *rbuf, const u8 *buf,
 				    size_t len);
+extern ssize_t dvb_ringbuffer_write_user(struct dvb_ringbuffer *rbuf,
+				         const u8 __user *buf, size_t len);
 
 
 /**
--- a/drivers/media/pci/ngene/ngene-dvb.c
+++ b/drivers/media/pci/ngene/ngene-dvb.c
@@ -59,7 +59,7 @@ static ssize_t ts_write(struct file *fil
 				     (&dev->tsout_rbuf) >= count) < 0)
 		return 0;
 
-	dvb_ringbuffer_write(&dev->tsout_rbuf, buf, count);
+	dvb_ringbuffer_write_user(&dev->tsout_rbuf, buf, count);
 
 	return count;
 }
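Review bot: ts_write() still ignores the return value and ends with return count, so when dvb_ringbuffer_write_user() stops early because copy_from_user() faulted, the write is reported to user space as fully successful. Capture the return value and propagate a short count or -EFAULT instead of returning count unconditionally.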


* [PATCH 3.16 096/346] cifs: fix crash due to race in hmac(md5) handling
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rabin Vincent, Sachin Prabhu, Steve French

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rabin Vincent <rabinv@axis.com>

commit bd975d1eead2558b76e1079e861eacf1f678b73b upstream.

The secmech hmac(md5) structures are present in the TCP_Server_Info
struct and can be shared among multiple CIFS sessions.  However, the
server mutex is not currently held when these structures are allocated
and used, which can lead to kernel crashes, as in the scenario below:

mount.cifs(8) #1				mount.cifs(8) #2

Is secmech.sdeschmaccmd5 allocated?
// false

						Is secmech.sdeschmaccmd5 allocated?
						// false

secmech.hmacmd = crypto_alloc_shash..
secmech.sdeschmaccmd5 = kzalloc..
sdeschmaccmd5->shash.tfm = &secmec.hmacmd;

						secmech.sdeschmaccmd5 = kzalloc
						// sdeschmaccmd5->shash.tfm
						// not yet assigned

crypto_shash_update()
 deref NULL sdeschmaccmd5->shash.tfm

 Unable to handle kernel paging request at virtual address 00000030
 epc   : 8027ba34 crypto_shash_update+0x38/0x158
 ra    : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
 Call Trace:
  crypto_shash_update+0x38/0x158
  setup_ntlmv2_rsp+0x4bc/0xa84
  build_ntlmssp_auth_blob+0xbc/0x34c
  sess_auth_rawntlmssp_authenticate+0xac/0x248
  CIFS_SessSetup+0xf0/0x178
  cifs_setup_session+0x4c/0x84
  cifs_get_smb_ses+0x2c8/0x314
  cifs_mount+0x38c/0x76c
  cifs_do_mount+0x98/0x440
  mount_fs+0x20/0xc0
  vfs_kern_mount+0x58/0x138
  do_mount+0x1e8/0xccc
  SyS_mount+0x88/0xd4
  syscall_common+0x30/0x54

Fix this by locking the srv_mutex around the code which uses these
hmac(md5) structures.  All the other secmech algos already have similar
locking.

Fixes: 95dc8dd14e2e84cc ("Limit allocation of crypto mechanisms to dialect which requires")
Signed-off-by: Rabin Vincent <rabinv@axis.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsencrypt.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -727,24 +727,26 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
 
 	memcpy(ses->auth_key.response + baselen, tiblob, tilen);
 
+	mutex_lock(&ses->server->srv_mutex);
+
 	rc = crypto_hmacmd5_alloc(ses->server);
 	if (rc) {
 		cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
-		goto setup_ntlmv2_rsp_ret;
+		goto unlock;
 	}
 
 	/* calculate ntlmv2_hash */
 	rc = calc_ntlmv2_hash(ses, ntlmv2_hash, nls_cp);
 	if (rc) {
 		cifs_dbg(VFS, "could not get v2 hash rc %d\n", rc);
-		goto setup_ntlmv2_rsp_ret;
+		goto unlock;
 	}
 
 	/* calculate first part of the client response (CR1) */
 	rc = CalcNTLMv2_response(ses, ntlmv2_hash);
 	if (rc) {
 		cifs_dbg(VFS, "Could not calculate CR1 rc: %d\n", rc);
-		goto setup_ntlmv2_rsp_ret;
+		goto unlock;
 	}
 
 	/* now calculate the session key for NTLMv2 */
@@ -753,13 +755,13 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
 	if (rc) {
 		cifs_dbg(VFS, "%s: Could not set NTLMV2 Hash as a key\n",
 			 __func__);
-		goto setup_ntlmv2_rsp_ret;
+		goto unlock;
 	}
 
 	rc = crypto_shash_init(&ses->server->secmech.sdeschmacmd5->shash);
 	if (rc) {
 		cifs_dbg(VFS, "%s: Could not init hmacmd5\n", __func__);
-		goto setup_ntlmv2_rsp_ret;
+		goto unlock;
 	}
 
 	rc = crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash,
@@ -767,7 +769,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
 		CIFS_HMAC_MD5_HASH_SIZE);
 	if (rc) {
 		cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
-		goto setup_ntlmv2_rsp_ret;
+		goto unlock;
 	}
 
 	rc = crypto_shash_final(&ses->server->secmech.sdeschmacmd5->shash,
@@ -775,6 +777,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
 	if (rc)
 		cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);
 
+unlock:
+	mutex_unlock(&ses->server->srv_mutex);
 setup_ntlmv2_rsp_ret:
 	kfree(tiblob);
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 093/346] target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 102/346] libceph: set 'exists' flag for newly up osd Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 277/346] metag: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
                   ` (341 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mike Christie, Christoph Hellwig, Hannes Reinecke,
	Himanshu Madhani, Quinn Tran, Nicholas Bellinger

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 5e2c956b8aa24d4f33ff7afef92d409eed164746 upstream.

During transport_generic_free_cmd() with a concurrent TMR
ABORT_TASK and shutdown CMD_T_FABRIC_STOP bit set, the
caller will be blocked on se_cmd->cmd_wait_stop completion
until the final kref_put() -> target_release_cmd_kref()
has been invoked to call complete().

However, when ABORT_TASK is completed with FUNCTION_COMPLETE
in core_tmr_abort_task(), the aborted se_cmd will have already
been removed from se_sess->sess_cmd_list via list_del_init().

This results in target_release_cmd_kref() hitting the
legacy list_empty() == true check, invoking ->release_cmd()
but skipping complete() to wake up se_cmd->cmd_wait_stop
blocked earlier in transport_generic_free_cmd() code.

To address this bug, it's safe to go ahead and drop the
original list_empty() check so that fabric_stop invokes
the complete() as expected, since list_del_init() can
safely be used on an empty list.

Cc: Mike Christie <mchristi@redhat.com>
Cc: Quinn Tran <quinn.tran@qlogic.com>
Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Tested-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/target_core_transport.c | 6 ------
 1 file changed, 6 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2455,12 +2455,6 @@ static void target_release_cmd_kref(stru
 	struct se_session *se_sess = se_cmd->se_sess;
 	bool fabric_stop;
 
-	if (list_empty(&se_cmd->se_cmd_list)) {
-		spin_unlock(&se_sess->sess_cmd_lock);
-		target_free_cmd_mem(se_cmd);
-		se_cmd->se_tfo->release_cmd(se_cmd);
-		return;
-	}
 
 	spin_lock(&se_cmd->t_state_lock);
 	fabric_stop = (se_cmd->transport_state & CMD_T_FABRIC_STOP);
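
Review bot: with the list_empty() early return removed, nothing at this point tells the reader that target_release_cmd_kref() is now expected to run for a command that was already unlinked from the session list. A short comment saying so, and that list_del_init() on an already-removed entry is harmless, would keep the check from being reintroduced. The deleted branch also dropped se_sess->sess_cmd_lock before returning, so the remaining path has to release that lock on every exit. Minor: the removal leaves two consecutive blank lines before spin_lock(&se_cmd->t_state_lock).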

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 095/346] target: Fix max_unmap_lba_count calc overflow
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (284 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 104/346] gpio: intel-mid: Remove potentially harmful code Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 181/346] ipv6: suppress sparse warnings in IP6_ECN_set_ce() Ben Hutchings
                   ` (60 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bart Van Assche, Mike Christie, Nicholas Bellinger

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Christie <mchristi@redhat.com>

commit ea263c7fada4af8ec7fe5fcfd6e7d7705a89351b upstream.

max_discard_sectors is only 32 bits, and some non-SCSI backend
devices will set this to the max 0xffffffff, so we can end up
overflowing during the max_unmap_lba_count calculation.

This fixes a regression caused by my patch:

commit 8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3
Author: Mike Christie <mchristi@redhat.com>
Date:   Mon Jan 18 14:09:27 2016 -0600

    target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors

which can result in extra discards being sent due to the overflow
causing max_unmap_lba_count to be smaller than what the backing
device can actually support.

Signed-off-by: Mike Christie <mchristi@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/target_core_device.c  | 8 +++++---
 drivers/target/target_core_file.c    | 3 +--
 drivers/target/target_core_iblock.c  | 3 +--
 include/target/target_core_backend.h | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/target/target_core_device.c
+++ b/drivers/target/target_core_device.c
@@ -1583,13 +1583,15 @@ struct se_device *target_alloc_device(st
  * in ATA and we need to set TPE=1
  */
 bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib,
-				       struct request_queue *q, int block_size)
+				       struct request_queue *q)
 {
+	int block_size = queue_logical_block_size(q);
+
 	if (!blk_queue_discard(q))
 		return false;
 
-	attrib->max_unmap_lba_count = (q->limits.max_discard_sectors << 9) /
-								block_size;
+	attrib->max_unmap_lba_count =
+		q->limits.max_discard_sectors >> (ilog2(block_size) - 9);
 	/*
 	 * Currently hardcoded to 1 in Linux/SCSI code..
 	 */
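
Review bot: the new shift count in ">> (ilog2(block_size) - 9)" is only defined when block_size is a power of two of at least 512. A smaller value makes the count negative, and a size that is not a power of two is silently rounded down by ilog2(). block_size now comes from queue_logical_block_size(q) and is held in an int, so either state that invariant in a comment next to the shift or check it before shifting.
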
--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -165,8 +165,7 @@ static int fd_configure_device(struct se
 			dev_size, div_u64(dev_size, fd_dev->fd_block_size),
 			fd_dev->fd_block_size);
 
-		if (target_configure_unmap_from_queue(&dev->dev_attrib, q,
-						      fd_dev->fd_block_size))
+		if (target_configure_unmap_from_queue(&dev->dev_attrib, q))
 			pr_debug("IFILE: BLOCK Discard support available,"
 				 " disabled by default\n");
 		/*
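
Review bot: dropping the fd_dev->fd_block_size argument changes which block size FILEIO uses for the conversion. The count is now scaled by the backing queue's logical block size, while the context lines just above still report the device size in fd_block_size units. If the two can differ, max_unmap_lba_count ends up in the wrong unit for the exported device; please confirm they always match, or say in the commit message why the difference does not matter.
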
--- a/drivers/target/target_core_iblock.c
+++ b/drivers/target/target_core_iblock.c
@@ -126,8 +126,7 @@ static int iblock_configure_device(struc
 	dev->dev_attrib.hw_max_sectors = queue_max_hw_sectors(q);
 	dev->dev_attrib.hw_queue_depth = q->nr_requests;
 
-	if (target_configure_unmap_from_queue(&dev->dev_attrib, q,
-					      dev->dev_attrib.hw_block_size))
+	if (target_configure_unmap_from_queue(&dev->dev_attrib, q))
 		pr_debug("IBLOCK: BLOCK Discard support available,"
 			 " disabled by default\n");
 
--- a/include/target/target_core_backend.h
+++ b/include/target/target_core_backend.h
@@ -97,6 +97,6 @@ sense_reason_t	transport_generic_map_mem
 void	array_free(void *array, int n);
 sector_t target_to_linux_sector(struct se_device *dev, sector_t lb);
 bool target_configure_unmap_from_queue(struct se_dev_attrib *attrib,
-				       struct request_queue *q, int block_size);
+				       struct request_queue *q);
 
 #endif /* TARGET_CORE_BACKEND_H */

^ permalink raw reply	[flat|nested] 352+ messages in thread
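
The wrap-around described in the commit message above, as an added example that is not part of the patch or of the kernel source. The function names are hypothetical, and ilog2_u32() is a user-space stand-in for the kernel's ilog2().

```c
#include <stdint.h>
#include <stdio.h>

/* Integer log2 of a non-zero value (stand-in for the kernel's ilog2()). */
static unsigned int ilog2_u32(uint32_t v)
{
	unsigned int n = 0;

	while (v >>= 1)
		n++;
	return n;
}

/* Pre-patch arithmetic: the left shift is done in 32 bits and wraps. */
static uint32_t unmap_lba_count_old(uint32_t max_discard_sectors,
				    uint32_t block_size)
{
	return (uint32_t)(max_discard_sectors << 9) / block_size;
}

/* Patched arithmetic: shift right by log2(block_size / 512) instead. */
static uint32_t unmap_lba_count_new(uint32_t max_discard_sectors,
				    uint32_t block_size)
{
	return max_discard_sectors >> (ilog2_u32(block_size) - 9);
}

/* Reference value computed in 64 bits, where the shift cannot wrap. */
static uint64_t unmap_lba_count_ref(uint32_t max_discard_sectors,
				    uint32_t block_size)
{
	return ((uint64_t)max_discard_sectors << 9) / block_size;
}

/* The shift form is only valid for power-of-two sizes of at least 512. */
static int block_size_ok(uint32_t block_size)
{
	return block_size >= 512 && (block_size & (block_size - 1)) == 0;
}

int main(void)
{
	/* Constructed inputs: the 0xffffffff maximum named in the message. */
	static const uint32_t sizes[] = { 512, 4096 };
	unsigned int i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		uint32_t bs = sizes[i];

		if (!block_size_ok(bs))
			continue;
		printf("block_size=%u old=%#x new=%#x ref=%#llx\n",
		       (unsigned int)bs,
		       (unsigned int)unmap_lba_count_old(0xffffffffu, bs),
		       (unsigned int)unmap_lba_count_new(0xffffffffu, bs),
		       (unsigned long long)unmap_lba_count_ref(0xffffffffu, bs));
	}
	return 0;
}
```

For small sector counts the two forms agree; they diverge only once the 32-bit shift loses its top nine bits.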

* [PATCH 3.16 070/346] ARM: 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is coherent
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 186/346] iio: adc: at91: unbreak channel adc channel 3 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 307/346] can: flexcan: fix resume function Ben Hutchings
                   ` (255 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Gregory CLEMENT, Nadav Haklai, Russell King

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gregory CLEMENT <gregory.clement@free-electrons.com>

commit f12708965069410691e47d1d216ec7ad1516bfd2 upstream.

When a L2 cache controller is used in a system that provides hardware
coherency, the entire outer cache operations are useless, and can be
skipped.  Moreover, on some systems, it is harmful as it causes
deadlocks between the Marvell coherency mechanism, the Marvell PCIe
controller and the Cortex-A9.

In the current kernel implementation, the outer cache flush range
operation is triggered by the dma_alloc function.
This operation can take place during runtime and in some
circumstances may lead to the PCIe/PL310 deadlock on Armada 375/38x
SoCs.

This patch extends the __dma_clear_buffer() function to receive a
boolean argument related to the coherency of the system. The same
thing is done for the calling functions.

Reported-by: Nadav Haklai <nadavh@marvell.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[bwh: Backported to 3.16:
 - Drop changes to struct arm_dm_alloc_args, cma_allocator_alloc()
 - Pass the new parameter to __alloc_from_contiguous() from __dma_alloc()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mm/dma-mapping.c | 62 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 42 insertions(+), 20 deletions(-)

--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -39,6 +39,9 @@
 
 #include "mm.h"
 
+#define NORMAL	    0
+#define COHERENT    1
+
 /*
  * The DMA API is built upon the notion of "buffer ownership".  A buffer
  * is either exclusively owned by the CPU (and therefore may be accessed
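
Review bot: NORMAL and COHERENT are very generic names for file-scope macros, and the parameter they feed is declared int although the commit message calls it a boolean. An enum, or macros with a file-specific prefix, would avoid clashes with names pulled in through other headers and would make the call sites self-describing.
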
@@ -219,7 +222,7 @@ static u64 get_coherent_dma_mask(struct
 	return mask;
 }
 
-static void __dma_clear_buffer(struct page *page, size_t size)
+static void __dma_clear_buffer(struct page *page, size_t size, int coherent_flag)
 {
 	/*
 	 * Ensure that the allocated pages are zeroed, and that any data
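
Review bot: the block comment opening __dma_clear_buffer() still reads "Ensure that the allocated pages are zeroed, and that any data ..." without mentioning the new coherent_flag parameter. Since the flush calls further down are now skipped for COHERENT, the comment should say that the pages are always zeroed but that the cache maintenance is only done for non-coherent allocations.
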
@@ -231,17 +234,21 @@ static void __dma_clear_buffer(struct pa
 		while (size > 0) {
 			void *ptr = kmap_atomic(page);
 			memset(ptr, 0, PAGE_SIZE);
-			dmac_flush_range(ptr, ptr + PAGE_SIZE);
+			if (coherent_flag != COHERENT)
+				dmac_flush_range(ptr, ptr + PAGE_SIZE);
 			kunmap_atomic(ptr);
 			page++;
 			size -= PAGE_SIZE;
 		}
-		outer_flush_range(base, end);
+		if (coherent_flag != COHERENT)
+			outer_flush_range(base, end);
 	} else {
 		void *ptr = page_address(page);
 		memset(ptr, 0, size);
-		dmac_flush_range(ptr, ptr + size);
-		outer_flush_range(__pa(ptr), __pa(ptr) + size);
+		if (coherent_flag != COHERENT) {
+			dmac_flush_range(ptr, ptr + size);
+			outer_flush_range(__pa(ptr), __pa(ptr) + size);
+		}
 	}
 }
 
@@ -249,7 +256,8 @@ static void __dma_clear_buffer(struct pa
  * Allocate a DMA buffer for 'dev' of size 'size' using the
  * specified gfp mask.  Note that 'size' must be page aligned.
  */
-static struct page *__dma_alloc_buffer(struct device *dev, size_t size, gfp_t gfp)
+static struct page *__dma_alloc_buffer(struct device *dev, size_t size,
+				       gfp_t gfp, int coherent_flag)
 {
 	unsigned long order = get_order(size);
 	struct page *page, *p, *e;
@@ -265,7 +273,7 @@ static struct page *__dma_alloc_buffer(s
 	for (p = page + (size >> PAGE_SHIFT), e = page + (1 << order); p < e; p++)
 		__free_page(p);
 
-	__dma_clear_buffer(page, size);
+	__dma_clear_buffer(page, size, coherent_flag);
 
 	return page;
 }
@@ -287,7 +295,7 @@ static void __dma_free_buffer(struct pag
 
 static void *__alloc_from_contiguous(struct device *dev, size_t size,
 				     pgprot_t prot, struct page **ret_page,
-				     const void *caller);
+				     const void *caller, int coherent_flag);
 
 static void *__alloc_remap_buffer(struct device *dev, size_t size, gfp_t gfp,
 				 pgprot_t prot, struct page **ret_page,
@@ -389,10 +397,13 @@ static int __init atomic_pool_init(void)
 	pages = kzalloc(nr_pages * sizeof(struct page *), GFP_KERNEL);
 	if (!pages)
 		goto no_pages;
-
+	/*
+	 * The atomic pool is only used for non-coherent allocations
+	 * so we must pass NORMAL for coherent_flag.
+	 */
 	if (dev_get_cma_area(NULL))
 		ptr = __alloc_from_contiguous(NULL, pool->size, prot, &page,
-					      atomic_pool_init);
+					      atomic_pool_init, NORMAL);
 	else
 		ptr = __alloc_remap_buffer(NULL, pool->size, gfp, prot, &page,
 					   atomic_pool_init);
@@ -505,7 +516,11 @@ static void *__alloc_remap_buffer(struct
 {
 	struct page *page;
 	void *ptr;
-	page = __dma_alloc_buffer(dev, size, gfp);
+	/*
+	 * __alloc_remap_buffer is only called when the device is
+	 * non-coherent
+	 */
+	page = __dma_alloc_buffer(dev, size, gfp, NORMAL);
 	if (!page)
 		return NULL;
 
@@ -597,7 +612,7 @@ static int __free_from_pool(void *start,
 
 static void *__alloc_from_contiguous(struct device *dev, size_t size,
 				     pgprot_t prot, struct page **ret_page,
-				     const void *caller)
+				     const void *caller, int coherent_flag)
 {
 	unsigned long order = get_order(size);
 	size_t count = size >> PAGE_SHIFT;
@@ -608,7 +623,7 @@ static void *__alloc_from_contiguous(str
 	if (!page)
 		return NULL;
 
-	__dma_clear_buffer(page, size);
+	__dma_clear_buffer(page, size, coherent_flag);
 
 	if (PageHighMem(page)) {
 		ptr = __dma_alloc_remap(page, size, GFP_KERNEL, prot, caller);
@@ -651,7 +666,7 @@ static inline pgprot_t __get_dma_pgprot(
 #define __get_dma_pgprot(attrs, prot)	__pgprot(0)
 #define __alloc_remap_buffer(dev, size, gfp, prot, ret, c)	NULL
 #define __alloc_from_pool(size, ret_page)			NULL
-#define __alloc_from_contiguous(dev, size, prot, ret, c)	NULL
+#define __alloc_from_contiguous(dev, size, prot, ret, c, coherent_flag)	NULL
 #define __free_from_pool(cpu_addr, size)			0
 #define __free_from_contiguous(dev, page, cpu_addr, size)	do { } while (0)
 #define __dma_free_remap(cpu_addr, size)			do { } while (0)
@@ -662,7 +677,8 @@ static void *__alloc_simple_buffer(struc
 				   struct page **ret_page)
 {
 	struct page *page;
-	page = __dma_alloc_buffer(dev, size, gfp);
+	/* __alloc_simple_buffer is only called when the device is coherent */
+	page = __dma_alloc_buffer(dev, size, gfp, COHERENT);
 	if (!page)
 		return NULL;
 
@@ -713,7 +729,8 @@ static void *__dma_alloc(struct device *
 	else if (!dev_get_cma_area(dev))
 		addr = __alloc_remap_buffer(dev, size, gfp, prot, &page, caller);
 	else
-		addr = __alloc_from_contiguous(dev, size, prot, &page, caller);
+		addr = __alloc_from_contiguous(dev, size, prot, &page, caller,
+					       NORMAL);
 
 	if (addr)
 		*handle = pfn_to_dma(dev, page_to_pfn(page));
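
Review bot: this __alloc_from_contiguous() call passes NORMAL unconditionally and, unlike the atomic_pool_init(), __alloc_remap_buffer() and __alloc_simple_buffer() call sites changed in this patch, has no comment explaining why. If this else branch can only be reached for non-coherent devices, say so in a comment here; if a coherent device can reach it, NORMAL keeps the outer cache flush that the patch is meant to avoid.
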
@@ -1172,7 +1189,8 @@ static inline void __free_iova(struct dm
 }
 
 static struct page **__iommu_alloc_buffer(struct device *dev, size_t size,
-					  gfp_t gfp, struct dma_attrs *attrs)
+					  gfp_t gfp, struct dma_attrs *attrs,
+					  int coherent_flag)
 {
 	struct page **pages;
 	int count = size >> PAGE_SHIFT;
@@ -1195,7 +1213,7 @@ static struct page **__iommu_alloc_buffe
 		if (!page)
 			goto error;
 
-		__dma_clear_buffer(page, size);
+		__dma_clear_buffer(page, size, coherent_flag);
 
 		for (i = 0; i < count; i++)
 			pages[i] = page + i;
@@ -1224,7 +1242,7 @@ static struct page **__iommu_alloc_buffe
 				pages[i + j] = pages[i] + j;
 		}
 
-		__dma_clear_buffer(pages[i], PAGE_SIZE << order);
+		__dma_clear_buffer(pages[i], PAGE_SIZE << order, coherent_flag);
 		i += 1 << order;
 		count -= 1 << order;
 	}
@@ -1427,7 +1445,8 @@ static void *arm_iommu_alloc_attrs(struc
 	 */
 	gfp &= ~(__GFP_COMP);
 
-	pages = __iommu_alloc_buffer(dev, size, gfp, attrs);
+	/* For now always consider we are in a non-coherent case */
+	pages = __iommu_alloc_buffer(dev, size, gfp, attrs, NORMAL);
 	if (!pages)
 		return NULL;
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 055/346] x86/quirks: Apply nvidia_bugs quirk only on root bus
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 317/346] i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 248/346] iio: accel: kxsd9: Fix scaling bug Ben Hutchings
                   ` (55 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Yinghai Lu, Borislav Petkov, Josh Poimboeuf, Lukas Wunner,
	Thomas Gleixner, Denys Vlasenko, Ingo Molnar, Peter Zijlstra,
	Brian Gerst, Andy Lutomirski, Bjorn Helgaas, Linus Torvalds,
	H. Peter Anvin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 447d29d1d3aed839e74c2401ef63387780ac51ed upstream.

Since the following commit:

  8659c406ade3 ("x86: only scan the root bus in early PCI quirks")

... early quirks are only applied to devices on the root bus.

The motivation was to prevent application of the nvidia_bugs quirk on
secondary buses.

We're about to reintroduce scanning of secondary buses for a quirk to
reset the Broadcom 4331 wireless card on 2011/2012 Macs. To prevent
regressions, open code the requirement to apply nvidia_bugs only on the
root bus.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/4d5477c1d76b2f0387a780f2142bbcdd9fee869b.1465690253.git.lukas@wunner.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/early-quirks.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -76,6 +76,13 @@ static void __init nvidia_bugs(int num,
 #ifdef CONFIG_ACPI
 #ifdef CONFIG_X86_IO_APIC
 	/*
+	 * Only applies to Nvidia root ports (bus 0) and not to
+	 * Nvidia graphics cards with PCI ports on secondary buses.
+	 */
+	if (num)
+		return;
+
+	/*
 	 * All timer overrides on Nvidia are
 	 * wrong unless HPET is enabled.
 	 * Unfortunately that's not true on many Asus boards.

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 012/346] sched/cputime: Fix prev steal time accouting during CPU hotplug
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (326 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 054/346] [media] media: dvb_ringbuffer: Add memory barriers Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 033/346] ext4: don't call ext4_should_journal_data() on the journal inode Ben Hutchings
                   ` (18 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, Rik van Riel, Peter Zijlstra (Intel),
	Thomas Gleixner, Wanpeng Li, Frederic Weisbecker,
	Radim Krčmář,
	Linus Torvalds, Mike Galbraith, Paolo Bonzini

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpeng.li@hotmail.com>

commit 3d89e5478bf550a50c99e93adf659369798263b0 upstream.

Commit:

  e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")

... set rq->prev_* to 0 after a CPU hotplug comes back, in order to
fix the case where (after CPU hotplug) steal time is smaller than
rq->prev_steal_time.

However, this should never happen. Steal time was only smaller because of the
KVM-specific bug fixed by the previous patch.  Worse, the previous patch
triggers a bug on CPU hot-unplug/plug operation: because
rq->prev_steal_time is cleared, all of the CPU's past steal time will be
accounted again on hot-plug.

Since the root cause has been fixed, we can just revert commit e9532e69b8d1.

Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 'commit e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")'
Link: http://lkml.kernel.org/r/1465813966-3116-3-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/core.c  |  1 -
 kernel/sched/sched.h | 13 -------------
 2 files changed, 14 deletions(-)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5147,7 +5147,6 @@ migration_call(struct notifier_block *nf
 
 	case CPU_UP_PREPARE:
 		rq->calc_load_update = calc_load_update;
-		account_reset_rq(rq);
 		break;
 
 	case CPU_ONLINE:
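
Review bot: removing account_reset_rq(rq) from CPU_UP_PREPARE is only correct if the KVM-specific steal time fix that the commit message calls "the previous patch" is also present in this tree. The message does not identify that fix by commit id, so for a stable backport it is worth naming it explicitly and confirming that it is queued ahead of this revert.
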
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1563,16 +1563,3 @@ static inline u64 irq_time_read(int cpu)
 }
 #endif /* CONFIG_64BIT */
 #endif /* CONFIG_IRQ_TIME_ACCOUNTING */
-
-static inline void account_reset_rq(struct rq *rq)
-{
-#ifdef CONFIG_IRQ_TIME_ACCOUNTING
-	rq->prev_irq_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT
-	rq->prev_steal_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
-	rq->prev_steal_time_rq = 0;
-#endif
-}

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 037/346] batman-adv: Fix kerneldoc member names in for main structs
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 178/346] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 230/346] powerpc/powernv : Drop reference added by kset_find_obj() Ben Hutchings
                   ` (279 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marek Lindner, Antonio Quartulli, Sven Eckelmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 006a199d5d1d4e1666b0d8b4f51b5a978ddc6aab upstream.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/types.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -202,12 +202,12 @@ struct batadv_orig_bat_iv {
  * @primary_addr: hosts primary interface address
  * @ifinfo_list: list for routers per outgoing interface
  * @last_bonding_candidate: pointer to last ifinfo of last used router
- * @batadv_dat_addr_t:  address of the orig node in the distributed hash
+ * @dat_addr: address of the orig node in the distributed hash
  * @last_seen: time when last packet from this node was received
  * @bcast_seqno_reset: time when the broadcast seqno window was reset
  * @mcast_handler_lock: synchronizes mcast-capability and -flag changes
  * @mcast_flags: multicast flags announced by the orig node
- * @mcast_want_all_unsnoop_node: a list node for the
+ * @mcast_want_all_unsnoopables_node: a list node for the
  *  mcast.want_all_unsnoopables list
  * @mcast_want_all_ipv4_node: a list node for the mcast.want_all_ipv4 list
  * @mcast_want_all_ipv6_node: a list node for the mcast.want_all_ipv6 list
@@ -390,7 +390,7 @@ struct batadv_neigh_ifinfo {
 
 /**
  * struct batadv_bcast_duplist_entry - structure for LAN broadcast suppression
- * @orig[ETH_ALEN]: mac address of orig node orginating the broadcast
+ * @orig: mac address of orig node orginating the broadcast
  * @crc: crc32 checksum of broadcast payload
  * @entrytime: time when the broadcast packet was received
  */
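
Review bot: the corrected "@orig:" line still contains the misspelling "orginating". Since the line is being rewritten anyway, fix it to "originating" in the same change.
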
@@ -538,7 +538,7 @@ struct batadv_priv_tt {
 
 /**
  * struct batadv_priv_bla - per mesh interface bridge loope avoidance data
- * @num_requests; number of bla requests in flight
+ * @num_requests: number of bla requests in flight
  * @claim_hash: hash table containing mesh nodes this host has claimed
  * @backbone_hash: hash table containing all detected backbone gateways
  * @bcast_duplist: recently received broadcast packets array (for broadcast
@@ -760,7 +760,7 @@ struct batadv_softif_vlan {
  * @dat: distributed arp table data
  * @mcast: multicast data
  * @network_coding: bool indicating whether network coding is enabled
- * @batadv_priv_nc: network coding data
+ * @nc: network coding data
  */
 struct batadv_priv {
 	atomic_t mesh_state;
@@ -892,7 +892,7 @@ struct batadv_bla_backbone_gw {
  * struct batadv_bla_claim - claimed non-mesh client structure
  * @addr: mac address of claimed non-mesh client
  * @vid: vlan id this client was detected on
- * @batadv_bla_backbone_gw: pointer to backbone gw claiming this client
+ * @backbone_gw: pointer to backbone gw claiming this client
  * @lasttime: last time we heard of claim (locals only)
  * @hash_entry: hlist node for batadv_priv_bla::claim_hash
  * @refcount: number of contexts the object is used

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 097/346] hwmon: (adt7411) set bit 3 in CFG1 register
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 163/346] powerpc/book3s: Fix MCE console messages for unrecoverable MCE Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 081/346] crypto: scatterwalk - Fix test in scatterwalk_done Ben Hutchings
                   ` (189 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Walle, Guenter Roeck

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Walle <michael@walle.cc>

commit b53893aae441a034bf4dbbad42fe218561d7d81f upstream.

According to the datasheet you should only write 1 to this bit. If it is
not set, at least AIN3 will return bad values on newer silicon revisions.

Fixes: d84ca5b345c2 ("hwmon: Add driver for ADT7411 voltage and temperature sensor")
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/adt7411.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/hwmon/adt7411.c
+++ b/drivers/hwmon/adt7411.c
@@ -30,6 +30,7 @@
 
 #define ADT7411_REG_CFG1			0x18
 #define ADT7411_CFG1_START_MONITOR		(1 << 0)
+#define ADT7411_CFG1_RESERVED_BIT3		(1 << 3)
 
 #define ADT7411_REG_CFG2			0x19
 #define ADT7411_CFG2_DISABLE_AVG		(1 << 5)
@@ -292,8 +293,10 @@ static int adt7411_probe(struct i2c_clie
 	mutex_init(&data->device_lock);
 	mutex_init(&data->update_lock);
 
+	/* According to the datasheet, we must only write 1 to bit 3 */
 	ret = adt7411_modify_bit(client, ADT7411_REG_CFG1,
-				 ADT7411_CFG1_START_MONITOR, 1);
+				 ADT7411_CFG1_RESERVED_BIT3
+				 | ADT7411_CFG1_START_MONITOR, 1);
 	if (ret < 0)
 		return ret;
 
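
Review bot: adt7411_modify_bit() is now called with two bits ORed together (ADT7411_CFG1_RESERVED_BIT3 | ADT7411_CFG1_START_MONITOR), while its name suggests a single-bit helper. Please confirm that it treats the argument as a mask and sets both bits. The added comment says bit 3 must only ever be written as 1, but this hunk only sets it once at probe time, so any other writer of ADT7411_REG_CFG1 also has to preserve it.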

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 092/346] mtd: nand: fix bug writing 1 byte less than page size
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (173 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 160/346] powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 309/346] fsnotify: add a way to stop queueing events on group shutdown Ben Hutchings
                   ` (171 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Brian Norris, Hector Palacios

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hector Palacios <hector.palacios@digi.com>

commit 144f4c98399e2c0ca60eb414c15a2c68125c18b8 upstream.

nand_do_write_ops() determines if it is writing a partial page with the
formula:
	part_pagewr = (column || writelen < (mtd->writesize - 1))

When 'writelen' is exactly 1 byte less than the NAND page size the formula
equates to zero, so the code doesn't process it as a partial write,
although it should.
As a consequence the function remains in the while(1) loop with 'writelen'
becoming 0xffffffff and iterating endlessly.

The bug may not be easy to reproduce in Linux since user space tools
usually force the padding or round-up the write size to a page-size
multiple.
This was discovered in U-Boot where the issue can be reproduced by
writing any size that is 1 byte less than a page-size multiple.
For example, on a NAND with 2K page (0x800):
	=> nand erase.part <partition>
	=> nand write $loadaddr <partition> 7ff

[Editor's note: the bug was added in commit 29072b96078f, but moved
around in commit 66507c7bc8895 ("mtd: nand: Add support to use nand_base
poi databuf as bounce buffer")]

Fixes: 29072b96078f ("[MTD] NAND: add subpage write support")
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/nand_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -2389,7 +2389,7 @@ static int nand_do_write_ops(struct mtd_
 		int cached = writelen > bytes && page != blockmask;
 		uint8_t *wbuf = buf;
 		int use_bufpoi;
-		int part_pagewr = (column || writelen < (mtd->writesize - 1));
+		int part_pagewr = (column || writelen < mtd->writesize);
 
 		if (part_pagewr)
 			use_bufpoi = 1;
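
Review bot: the corrected test "writelen < mtd->writesize" is right, but nothing on the part_pagewr line records the rule it encodes, and the off-by-one it replaces dates back to the commit named in the Fixes tag. A short comment stating that any write shorter than a full page must take the use_bufpoi path would make a future regression easier to spot in review.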

^ permalink raw reply	[flat|nested] 352+ messages in thread
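
The off-by-one described in the commit message above, as an added example that is not part of the patch or of nand_base.c. The loop is a simplified model written for this example: it keeps only the length bookkeeping, and it assumes that a partial write is clamped to the remaining length while a full write always consumes one page. The function name and the pass budget are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the write loop's length accounting.
 * fixed == 0 uses the pre-patch test, fixed != 0 the patched one.
 * Returns the number of passes, or -1 if the loop runs past the
 * number of passes any correct write of this length could need.
 */
static int nand_write_loop_model(uint32_t writelen, uint32_t column,
				 uint32_t writesize, int fixed)
{
	uint32_t budget = writelen / writesize + 2;
	uint32_t passes = 0;

	if (writelen == 0)
		return 0;

	while (1) {
		uint32_t bytes = writesize;
		int part_pagewr = fixed ?
			(column || writelen < writesize) :
			(column || writelen < (writesize - 1));

		if (part_pagewr) {
			/* Partial page: never take more than what is left. */
			uint32_t room = writesize - column;

			bytes = room < writelen ? room : writelen;
		}

		if (++passes > budget)
			return -1;	/* runaway loop detected */

		/* Unsigned subtraction wraps when bytes > writelen. */
		writelen -= bytes;
		if (!writelen)
			break;
		column = 0;
	}
	return (int)passes;
}

int main(void)
{
	/* Constructed lengths around a 2K (0x800) page, as in the message. */
	static const uint32_t lens[] = { 0x7fe, 0x7ff, 0x800, 0xfff };
	unsigned int i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("len=%#x old=%d fixed=%d\n", (unsigned int)lens[i],
		       nand_write_loop_model(lens[i], 0, 0x800, 0),
		       nand_write_loop_model(lens[i], 0, 0x800, 1));
	return 0;
}
```

With the pre-patch test, a length of 0x7ff is treated as a full page, 0x800 bytes are subtracted from it and the remaining length wraps to 0xffffffff, which is the endless loop the message reports.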

* [PATCH 3.16 076/346] powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (311 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 203/346] staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 016/346] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss Ben Hutchings
                   ` (33 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Neuling, Michael Ellerman, Cyril Bur

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit 6bcb80143e792becfd2b9cc6a339ce523e4e2219 upstream.

At the start of __tm_recheckpoint() we save the kernel stack pointer
(r1) in SPRG SCRATCH0 (SPRG2) so that we can restore it after the
trecheckpoint.

Unfortunately, the same SPRG is used in the SLB miss handler.  If an
SLB miss is taken between the save and restore of r1 to the SPRG, the
SPRG is changed and hence r1 is also corrupted.  We can end up with
the following crash when we start using r1 again after the restore
from the SPRG:

  Oops: Bad kernel stack pointer, sig: 6 [#1]
  SMP NR_CPUS=2048 NUMA pSeries
  CPU: 658 PID: 143777 Comm: htm_demo Tainted: G            EL   X 4.4.13-0-default #1
  task: c0000b56993a7810 ti: c00000000cfec000 task.ti: c0000b56993bc000
  NIP: c00000000004f188 LR: 00000000100040b8 CTR: 0000000010002570
  REGS: c00000000cfefd40 TRAP: 0300   Tainted: G            EL   X  (4.4.13-0-default)
  MSR: 8000000300001033 <SF,ME,IR,DR,RI,LE>  CR: 02000424  XER: 20000000
  CFAR: c000000000008468 DAR: 00003ffd84e66880 DSISR: 40000000 SOFTE: 0
  PACATMSCRATCH: 00003ffbc865e680
  GPR00: fffffffcfabc4268 00003ffd84e667a0 00000000100d8c38 000000030544bb80
  GPR04: 0000000000000002 00000000100cf200 0000000000000449 00000000100cf100
  GPR08: 000000000000c350 0000000000002569 0000000000002569 00000000100d6c30
  GPR12: 00000000100d6c28 c00000000e6a6b00 00003ffd84660000 0000000000000000
  GPR16: 0000000000000003 0000000000000449 0000000010002570 0000010009684f20
  GPR20: 0000000000800000 00003ffd84e5f110 00003ffd84e5f7a0 00000000100d0f40
  GPR24: 0000000000000000 0000000000000000 0000000000000000 00003ffff0673f50
  GPR28: 00003ffd84e5e960 00000000003d0f00 00003ffd84e667a0 00003ffd84e5e680
  NIP [c00000000004f188] restore_gprs+0x110/0x17c
  LR [00000000100040b8] 0x100040b8
  Call Trace:
  Instruction dump:
  f8a1fff0 e8e700a8 38a00000 7ca10164 e8a1fff8 e821fff0 7c0007dd 7c421378
  7db142a6 7c3242a6 38800002 7c810164 <e9c100e0> e9e100e8 ea0100f0 ea2100f8

We hit this on large memory machines (> 2TB) but it can also be hit on
smaller machines when 1TB segments are disabled.

To hit this, you also need to be virtualised to ensure SLBs are
periodically removed by the hypervisor.

This patch moves the saving of r1 to the SPRG to the region where we
are guaranteed not to take any further SLB misses.

Fixes: 98ae22e15b43 ("powerpc: Add helper functions for transactional memory context switching")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Acked-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/tm.S | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/powerpc/kernel/tm.S
+++ b/arch/powerpc/kernel/tm.S
@@ -338,8 +338,6 @@ _GLOBAL(__tm_recheckpoint)
 	 */
 	subi	r7, r7, STACK_FRAME_OVERHEAD
 
-	SET_SCRATCH0(r1)
-
 	mfmsr	r6
 	/* R4 = original MSR to indicate whether thread used FP/Vector etc. */
 
@@ -468,6 +466,7 @@ restore_gprs:
 	 * until we turn MSR RI back on.
 	 */
 
+	SET_SCRATCH0(r1)
 	ld	r5, -8(r1)
 	ld	r1, -16(r1)
 
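
Review bot: the added `SET_SCRATCH0(r1)` in `restore_gprs` has no comment explaining why the save must happen here rather than at function entry. The existing comment above it only speaks about MSR RI; the reason given in the changelog (the SLB miss handler uses the same SPRG, and no further SLB miss can be taken from this point) should be added to that comment so a later cleanup does not hoist the save back up.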

* [PATCH 3.16 091/346] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (214 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 088/346] arm64: debug: unmask PSTATE.D earlier Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 120/346] drm/radeon: fix firmware info version checks Ben Hutchings
                   ` (130 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kalle Valo, coverity, Florian Fainelli, Arend van Spriel

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.

wlc_phy_txpower_get_current() does a logical OR of power->flags, which
presumes that power.flags was initialized earlier by the caller,
unfortunately, this is not the case, so make sure we zero out the struct
tx_power before calling into wlc_phy_txpower_get_current().

Reported-by: coverity (CID 146011)
Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmsmac/stf.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/stf.c
@@ -87,7 +87,7 @@ void
 brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
 			    u16 chanspec)
 {
-	struct tx_power power;
+	struct tx_power power = { };
 	u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;
 
 	/* Clear previous settings */
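
Review bot: zeroing `power` at its declaration fixes this caller only. Per the changelog, wlc_phy_txpower_get_current() ORs into `power->flags` and so depends on every caller pre-initialising the struct; the other callers should be checked for the same pattern, or the callee changed to assign `flags` rather than OR into it, so that the contract does not rest on each call site.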

* [PATCH 3.16 102/346] libceph: set 'exists' flag for newly up osd
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 282/346] openrisc: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 093/346] target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP Ben Hutchings
                   ` (342 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ilya Dryomov, Sage Weil, Yan, Zheng

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Yan, Zheng" <zyan@redhat.com>

commit 6dd74e44dc1df85f125982a8d6591bc4a76c9f5d upstream.

Signed-off-by: Yan, Zheng <zyan@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ceph/osdmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1275,7 +1275,7 @@ struct ceph_osdmap *osdmap_apply_increme
 		ceph_decode_addr(&addr);
 		pr_info("osd%d up\n", osd);
 		BUG_ON(osd >= map->max_osd);
-		map->osd_state[osd] |= CEPH_OSD_UP;
+		map->osd_state[osd] |= CEPH_OSD_UP | CEPH_OSD_EXISTS;
 		map->osd_addr[osd] = addr;
 	}
 
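
Review bot: the changelog has no body, so nothing records why the `map->osd_state[osd] |= ...` line must set `CEPH_OSD_EXISTS` together with `CEPH_OSD_UP`, or what goes wrong without it. For a stable backport, a sentence on the observable symptom would let reviewers judge the risk. Separately, the context line `BUG_ON(osd >= map->max_osd)` acts on a value taken from the map being decoded; returning an error there would be safer than halting the kernel.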

* [PATCH 3.16 100/346] MIPS: RM7000: Double locking bug in rm7k_tc_disable()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (245 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 207/346] powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 243/346] IB/core: Fix use after free in send_leave function Ben Hutchings
                   ` (99 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kernel-janitors, Ralf Baechle, linux-mips, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 upstream.

We obviously intended to enable IRQs again at the end.

Fixes: 745aef5df1e2 ('MIPS: RM7000: Add support for tertiary cache')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13815/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/mm/sc-rm7k.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/mm/sc-rm7k.c
+++ b/arch/mips/mm/sc-rm7k.c
@@ -161,7 +161,7 @@ static void rm7k_tc_disable(void)
 	local_irq_save(flags);
 	blast_rm7k_tcache();
 	clear_c0_config(RM7K_CONF_TE);
-	local_irq_save(flags);
+	local_irq_restore(flags);
 }
 
 static void rm7k_sc_disable(void)
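
Review bot: the subject calls this a double locking bug, but the changed line in rm7k_tc_disable() is a second `local_irq_save(flags)` where the restore belongs, which overwrites `flags` and leaves interrupts disabled when the function returns. Stating that effect in the changelog would make the severity clearer to someone triaging the stable queue.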

* [PATCH 3.16 107/346] tools/vm/slabinfo: fix an unintentional printf
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 031/346] ext4: check for extents that wrap around Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 246/346] l2tp: fix use-after-free during module unload Ben Hutchings
                   ` (290 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Laura Abbott, Sergey Senozhatsky,
	Christoph Lameter, Dan Carpenter, Colin Ian King

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 2d6a4d64812bb12dda53704943b61a7496d02098 upstream.

The curly braces are missing here so we print stuff unintentionally.

Fixes: 9da4714a2d44 ('slub: slabinfo update for cmpxchg handling')
Link: http://lkml.kernel.org/r/20160715211243.GE19522@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/vm/slabinfo.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/vm/slabinfo.c
+++ b/tools/vm/slabinfo.c
@@ -493,10 +493,11 @@ static void slab_stats(struct slabinfo *
 			s->alloc_node_mismatch, (s->alloc_node_mismatch * 100) / total);
 	}
 
-	if (s->cmpxchg_double_fail || s->cmpxchg_double_cpu_fail)
+	if (s->cmpxchg_double_fail || s->cmpxchg_double_cpu_fail) {
 		printf("\nCmpxchg_double Looping\n------------------------\n");
 		printf("Locked Cmpxchg Double redos   %lu\nUnlocked Cmpxchg Double redos %lu\n",
 			s->cmpxchg_double_fail, s->cmpxchg_double_cpu_fail);
+	}
 }
 
 static void report(struct slabinfo *s)

* [PATCH 3.16 106/346] radix-tree: fix radix_tree_iter_retry() for tagged iterators.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 045/346] batman-adv: Fix speedy join in gateway client mode Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 185/346] iio: proximity: as3935: set up buffer timestamps for non-zero values Ben Hutchings
                   ` (283 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ross Zwisler, Dmitry Vyukov, Andrey Ryabinin,
	Matthew Wilcox, Hugh Dickins, Linus Torvalds,
	Konstantin Khlebnikov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

commit 3cb9185c67304b2a7ea9be73e7d13df6fb2793a1 upstream.

radix_tree_iter_retry() resets slot to NULL, but it doesn't reset tags.
Then a NULL slot and non-zero iter.tags are passed to radix_tree_next_slot(),
leading to a crash:

  RIP: radix_tree_next_slot include/linux/radix-tree.h:473
    find_get_pages_tag+0x334/0x930 mm/filemap.c:1452
  ....
  Call Trace:
    pagevec_lookup_tag+0x3a/0x80 mm/swap.c:960
    mpage_prepare_extent_to_map+0x321/0xa90 fs/ext4/inode.c:2516
    ext4_writepages+0x10be/0x2b20 fs/ext4/inode.c:2736
    do_writepages+0x97/0x100 mm/page-writeback.c:2364
    __filemap_fdatawrite_range+0x248/0x2e0 mm/filemap.c:300
    filemap_write_and_wait_range+0x121/0x1b0 mm/filemap.c:490
    ext4_sync_file+0x34d/0xdb0 fs/ext4/fsync.c:115
    vfs_fsync_range+0x10a/0x250 fs/sync.c:195
    vfs_fsync fs/sync.c:209
    do_fsync+0x42/0x70 fs/sync.c:219
    SYSC_fdatasync fs/sync.c:232
    SyS_fdatasync+0x19/0x20 fs/sync.c:230
    entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207

We must reset iterator's tags to bail out from radix_tree_next_slot()
and go to the slow-path in radix_tree_next_chunk().

Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
Link: http://lkml.kernel.org/r/1468495196-10604-1-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Matthew Wilcox <willy@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/radix-tree.h | 1 +
 1 file changed, 1 insertion(+)

--- a/include/linux/radix-tree.h
+++ b/include/linux/radix-tree.h
@@ -382,6 +382,7 @@ static inline __must_check
 void **radix_tree_iter_retry(struct radix_tree_iter *iter)
 {
 	iter->next_index = iter->index;
+	iter->tags = 0;
 	return NULL;
 }
 
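
Review bot: the added `iter->tags = 0;` in radix_tree_iter_retry() is uncommented, and its purpose is not obvious from the function alone. A short comment saying that a stale non-zero `tags` combined with the NULL return leads to the crash in radix_tree_next_slot() shown in the changelog, and that zeroing it forces the radix_tree_next_chunk() slow path, would keep the two resets together in future edits.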

* [PATCH 3.16 059/346] ALSA: hda - fix use-after-free after module unload
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 035/346] batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 151/346] USB: serial: option: add D-Link DWM-156/A3 Ben Hutchings
                   ` (246 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Peter Wu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Wu <peter@lekensteyn.nl>

commit ab58d8cc870ef3f0771c197700441936898d1f1d upstream.

register_vga_switcheroo() sets the PM ops from the hda structure which
is freed later in azx_free. Make sure that these ops are cleared.

Caught by KASAN, initially noticed due to a general protection fault.

Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)")
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_intel.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -950,8 +950,10 @@ static int azx_free(struct azx *chip)
 	if (use_vga_switcheroo(chip)) {
 		if (chip->disabled && chip->bus)
 			snd_hda_unlock_devices(chip->bus);
-		if (chip->vga_switcheroo_registered)
+		if (chip->vga_switcheroo_registered) {
 			vga_switcheroo_unregister_client(chip->pci);
+			vga_switcheroo_fini_domain_pm_ops(chip->card->dev);
+		}
 	}
 
 	if (chip->initialized) {
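
Review bot: the added call dereferences `chip->card->dev` without a check, while the neighbouring lines in this block test `chip->bus` before using it. Please confirm that `chip->card` is always valid whenever `chip->vga_switcheroo_registered` is set on this azx_free() path, or guard the call.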

* [PATCH 3.16 090/346] brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 297/346] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 197/346] drm/radeon: fix radeon_move_blit on 32bit systems Ben Hutchings
                   ` (161 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arend van Spriel, Florian Fainelli, Kalle Valo, coverity

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.

In case dma_mapping_error() returns an error in dma_rxfill, we would be
leaking a packet that we allocated with brcmu_pkt_buf_get_skb().

Reported-by: coverity (CID 1081819)
Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmsmac/dma.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
@@ -1079,8 +1079,10 @@ bool dma_rxfill(struct dma_pub *pub)
 
 		pa = dma_map_single(di->dmadev, p->data, di->rxbufsize,
 				    DMA_FROM_DEVICE);
-		if (dma_mapping_error(di->dmadev, pa))
+		if (dma_mapping_error(di->dmadev, pa)) {
+			brcmu_pkt_buf_free_skb(p);
 			return false;
+		}
 
 		/* save the free packet pointer */
 		di->rxp[rxout] = p;

* [PATCH 3.16 099/346] tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 295/346] avr32: fix copy_from_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 288/346] sh64: failing __get_user() should zero Ben Hutchings
                   ` (209 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Guenter Roeck, Sasha Levin

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.

The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefore in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do

	sym = U(key_maps[0][k]);

with large 'k'.

To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.

Also while at it let's switch to for_each_set_bit() instead of open-coding
it.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/keyboard.c | 30 +++++++++---------------------
 1 file changed, 9 insertions(+), 21 deletions(-)

--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -365,34 +365,22 @@ static void to_utf8(struct vc_data *vc,
 
 static void do_compute_shiftstate(void)
 {
-	unsigned int i, j, k, sym, val;
+	unsigned int k, sym, val;
 
 	shift_state = 0;
 	memset(shift_down, 0, sizeof(shift_down));
 
-	for (i = 0; i < ARRAY_SIZE(key_down); i++) {
-
-		if (!key_down[i])
+	for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) {
+		sym = U(key_maps[0][k]);
+		if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
 			continue;
 
-		k = i * BITS_PER_LONG;
-
-		for (j = 0; j < BITS_PER_LONG; j++, k++) {
-
-			if (!test_bit(k, key_down))
-				continue;
-
-			sym = U(key_maps[0][k]);
-			if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
-				continue;
-
-			val = KVAL(sym);
-			if (val == KVAL(K_CAPSSHIFT))
-				val = KVAL(K_SHIFT);
+		val = KVAL(sym);
+		if (val == KVAL(K_CAPSSHIFT))
+			val = KVAL(K_SHIFT);
 
-			shift_down[val]++;
-			shift_state |= (1 << val);
-		}
+		shift_down[val]++;
+		shift_state |= BIT(val);
 	}
 }
 
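
Review bot: the out-of-bounds fix is only the `min(NR_KEYS, KEY_CNT)` iteration limit, yet the same hunk also rewrites the loop with for_each_set_bit() and changes `1 << val` to `BIT(val)`, which makes the stable backport harder to audit. Splitting the cleanup into its own patch would help. It is also worth a comment or a check that `val`, which still indexes `shift_down[]` and serves as a shift count, stays within range, since no bound on it is visible here.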

* [PATCH 3.16 103/346] libceph: apply new_state before new_up_client on incrementals
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (280 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 292/346] m32r: fix __get_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 011/346] random: add interrupt callback to VMBus IRQ handler Ben Hutchings
                   ` (64 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Josh Durgin, Ilya Dryomov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 930c532869774ebf8af9efe9484c597f896a7d46 upstream.

Currently, osd_weight and osd_state fields are updated in the encoding
order.  This is wrong, because an incremental map may look like e.g.

    new_up_client: { osd=6, addr=... } # set osd_state and addr
    new_state: { osd=6, xorstate=EXISTS } # clear osd_state

Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
on with the new_state update, we flip EXISTS and leave osd6 in a weird
"!EXISTS but UP" state.  A non-existent OSD is considered down by the
mapping code

    for (i = 0; i < pg->pg_temp.len; i++) {
            if (ceph_osd_is_down(osdmap, pg->pg_temp.osds[i])) {
                    if (ceph_can_shift_osds(pi))
                            continue;

                    temp->osds[temp->size++] = CRUSH_ITEM_NONE;

and so requests get directed to the second OSD in the set instead of
the first, resulting in OSD-side errors like:

[WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680

and hung rbds on the client:

[  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
[  493.566805] rbd: rbd0:   result -6 xferred 400000
[  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688

The fix is to decouple application from the decoding and:
- apply new_weight first
- apply new_state before new_up_client
- twiddle osd_state flags if marking in
- clear out some of the state if osd is destroyed

Fixes: http://tracker.ceph.com/issues/14901

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Josh Durgin <jdurgin@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ceph/osdmap.c | 156 +++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 113 insertions(+), 43 deletions(-)

--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1167,6 +1167,115 @@ struct ceph_osdmap *ceph_osdmap_decode(v
 }
 
 /*
+ * Encoding order is (new_up_client, new_state, new_weight).  Need to
+ * apply in the (new_weight, new_state, new_up_client) order, because
+ * an incremental map may look like e.g.
+ *
+ *     new_up_client: { osd=6, addr=... } # set osd_state and addr
+ *     new_state: { osd=6, xorstate=EXISTS } # clear osd_state
+ */
+static int decode_new_up_state_weight(void **p, void *end,
+				      struct ceph_osdmap *map)
+{
+	void *new_up_client;
+	void *new_state;
+	void *new_weight_end;
+	u32 len;
+
+	new_up_client = *p;
+	ceph_decode_32_safe(p, end, len, e_inval);
+	len *= sizeof(u32) + sizeof(struct ceph_entity_addr);
+	ceph_decode_need(p, end, len, e_inval);
+	*p += len;
+
+	new_state = *p;
+	ceph_decode_32_safe(p, end, len, e_inval);
+	len *= sizeof(u32) + sizeof(u8);
+	ceph_decode_need(p, end, len, e_inval);
+	*p += len;
+
+	/* new_weight */
+	ceph_decode_32_safe(p, end, len, e_inval);
+	while (len--) {
+		s32 osd;
+		u32 w;
+
+		ceph_decode_need(p, end, 2*sizeof(u32), e_inval);
+		osd = ceph_decode_32(p);
+		w = ceph_decode_32(p);
+		BUG_ON(osd >= map->max_osd);
+		pr_info("osd%d weight 0x%x %s\n", osd, w,
+		     w == CEPH_OSD_IN ? "(in)" :
+		     (w == CEPH_OSD_OUT ? "(out)" : ""));
+		map->osd_weight[osd] = w;
+
+		/*
+		 * If we are marking in, set the EXISTS, and clear the
+		 * AUTOOUT and NEW bits.
+		 */
+		if (w) {
+			map->osd_state[osd] |= CEPH_OSD_EXISTS;
+			map->osd_state[osd] &= ~(CEPH_OSD_AUTOOUT |
+						 CEPH_OSD_NEW);
+		}
+	}
+	new_weight_end = *p;
+
+	/* new_state (up/down) */
+	*p = new_state;
+	len = ceph_decode_32(p);
+	while (len--) {
+		s32 osd;
+		u8 xorstate;
+		int ret;
+
+		osd = ceph_decode_32(p);
+		xorstate = ceph_decode_8(p);
+		if (xorstate == 0)
+			xorstate = CEPH_OSD_UP;
+		BUG_ON(osd >= map->max_osd);
+		if ((map->osd_state[osd] & CEPH_OSD_UP) &&
+		    (xorstate & CEPH_OSD_UP))
+			pr_info("osd%d down\n", osd);
+		if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
+		    (xorstate & CEPH_OSD_EXISTS)) {
+			pr_info("osd%d does not exist\n", osd);
+			map->osd_weight[osd] = CEPH_OSD_IN;
+			ret = set_primary_affinity(map, osd,
+						   CEPH_OSD_DEFAULT_PRIMARY_AFFINITY);
+			if (ret)
+				return ret;
+			memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr));
+			map->osd_state[osd] = 0;
+		} else {
+			map->osd_state[osd] ^= xorstate;
+		}
+	}
+
+	/* new_up_client */
+	*p = new_up_client;
+	len = ceph_decode_32(p);
+	while (len--) {
+		s32 osd;
+		struct ceph_entity_addr addr;
+
+		osd = ceph_decode_32(p);
+		ceph_decode_copy(p, &addr, sizeof(addr));
+		ceph_decode_addr(&addr);
+		BUG_ON(osd >= map->max_osd);
+		pr_info("osd%d up\n", osd);
+		map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP;
+		map->osd_addr[osd] = addr;
+	}
+
+	*p = new_weight_end;
+	return 0;
+
+e_inval:
+	return -EINVAL;
+}
+
+/*
  * decode and apply an incremental map update.
  */
 struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
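
Review bot: in decode_new_up_state_weight() the two `len *= sizeof(...)` computations are done in a `u32` and can wrap for a large count read from the message, so the `ceph_decode_need()` that follows may validate a smaller range than the second pass walks. The later `new_state` and `new_up_client` loops re-read the count and use the unchecked `ceph_decode_32()`, `ceph_decode_8()` and `ceph_decode_copy()`, relying entirely on that first check. Bounding the count before multiplying, or computing the size in a wider type, would close the gap. `osd` is also declared `s32` here where the removed code used `u32`; whether `BUG_ON(osd >= map->max_osd)` catches a negative value depends on the type of `max_osd`, which these lines do not show.
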
@@ -1265,49 +1374,10 @@ struct ceph_osdmap *osdmap_apply_increme
 			__remove_pg_pool(&map->pg_pools, pi);
 	}
 
-	/* new_up */
-	ceph_decode_32_safe(p, end, len, e_inval);
-	while (len--) {
-		u32 osd;
-		struct ceph_entity_addr addr;
-		ceph_decode_32_safe(p, end, osd, e_inval);
-		ceph_decode_copy_safe(p, end, &addr, sizeof(addr), e_inval);
-		ceph_decode_addr(&addr);
-		pr_info("osd%d up\n", osd);
-		BUG_ON(osd >= map->max_osd);
-		map->osd_state[osd] |= CEPH_OSD_UP | CEPH_OSD_EXISTS;
-		map->osd_addr[osd] = addr;
-	}
-
-	/* new_state */
-	ceph_decode_32_safe(p, end, len, e_inval);
-	while (len--) {
-		u32 osd;
-		u8 xorstate;
-		ceph_decode_32_safe(p, end, osd, e_inval);
-		xorstate = **(u8 **)p;
-		(*p)++;  /* clean flag */
-		if (xorstate == 0)
-			xorstate = CEPH_OSD_UP;
-		if (xorstate & CEPH_OSD_UP)
-			pr_info("osd%d down\n", osd);
-		if (osd < map->max_osd)
-			map->osd_state[osd] ^= xorstate;
-	}
-
-	/* new_weight */
-	ceph_decode_32_safe(p, end, len, e_inval);
-	while (len--) {
-		u32 osd, off;
-		ceph_decode_need(p, end, sizeof(u32)*2, e_inval);
-		osd = ceph_decode_32(p);
-		off = ceph_decode_32(p);
-		pr_info("osd%d weight 0x%x %s\n", osd, off,
-		     off == CEPH_OSD_IN ? "(in)" :
-		     (off == CEPH_OSD_OUT ? "(out)" : ""));
-		if (osd < map->max_osd)
-			map->osd_weight[osd] = off;
-	}
+	/* new_up_client, new_state, new_weight */
+	err = decode_new_up_state_weight(p, end, map);
+	if (err)
+		goto bad;
 
 	/* new_pg_temp */
 	err = decode_new_pg_temp(p, end, map);
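
Review bot: the removed `new_state` and `new_weight` loops skipped an out-of-range id with `if (osd < map->max_osd)`, whereas the replacement helper uses `BUG_ON(osd >= map->max_osd)` in all three loops, turning an input that used to be tolerated into a kernel halt. If that change is intended it should be mentioned in the changelog; otherwise return `-EINVAL` from the helper so it takes the `goto bad` path added here.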

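The ordering problem described in the libceph message above, as an added user-space example that is not part of the patch or of the kernel source: it applies the osd6 incremental from the changelog once in encoding order and once in the fixed order. The flag bit values, `MAX_OSD`, the struct and function names, and the choice to return an error for an out-of-range id are assumptions of the example; addresses and weights are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit values are assumptions for this example; only the flag names come from the patch. */
#define OSD_EXISTS 0x01u
#define OSD_UP     0x02u
#define MAX_OSD    8u

/* One entry of each incremental section (addresses and weights left out). */
struct up_entry    { uint32_t osd; };
struct state_entry { uint32_t osd; uint8_t xorstate; };

struct incremental {
	const struct up_entry    *new_up_client;
	size_t                    n_up;
	const struct state_entry *new_state;
	size_t                    n_state;
};

/* "A non-existent OSD is considered down by the mapping code." */
static int osd_is_down(uint8_t state)
{
	return !(state & OSD_EXISTS) || !(state & OSD_UP);
}

/* new_up_client: mark the OSD as existing and up. */
static int apply_new_up_client(uint8_t *osd_state, const struct incremental *inc)
{
	for (size_t i = 0; i < inc->n_up; i++) {
		uint32_t osd = inc->new_up_client[i].osd;

		if (osd >= MAX_OSD)
			return -1;	/* example choice: reject, never index out of range */
		osd_state[osd] |= OSD_EXISTS | OSD_UP;
	}
	return 0;
}

/*
 * new_state: XOR the given bits into the state; xorstate 0 means "flip UP".
 * With destroy_aware set, flipping EXISTS on an existing OSD clears the
 * whole state, as the helper added by the patch does.
 */
static int apply_new_state(uint8_t *osd_state, const struct incremental *inc,
			   int destroy_aware)
{
	for (size_t i = 0; i < inc->n_state; i++) {
		uint32_t osd = inc->new_state[i].osd;
		uint8_t xorstate = inc->new_state[i].xorstate;

		if (xorstate == 0)
			xorstate = OSD_UP;
		if (osd >= MAX_OSD)
			return -1;
		if (destroy_aware && (osd_state[osd] & OSD_EXISTS) &&
		    (xorstate & OSD_EXISTS))
			osd_state[osd] = 0;
		else
			osd_state[osd] ^= xorstate;
	}
	return 0;
}

/* Pre-fix behaviour: sections applied in the order they are encoded. */
static int apply_encoding_order(uint8_t *osd_state, const struct incremental *inc)
{
	if (apply_new_up_client(osd_state, inc))
		return -1;
	return apply_new_state(osd_state, inc, 0);
}

/* Fixed behaviour: new_state is applied before new_up_client. */
static int apply_fixed_order(uint8_t *osd_state, const struct incremental *inc)
{
	if (apply_new_state(osd_state, inc, 1))
		return -1;
	return apply_new_up_client(osd_state, inc);
}

/* Constructed sample: the osd6 incremental from the commit message. */
static const struct up_entry    sample_up[]    = { { 6 } };
static const struct state_entry sample_state[] = { { 6, OSD_EXISTS } };
static const struct incremental sample_inc = { sample_up, 1, sample_state, 1 };

/* Start with osd6 = EXISTS (down), apply the sample, return osd6's state. */
static uint8_t run_sample(int fixed)
{
	uint8_t osd_state[MAX_OSD] = { 0 };
	int ret;

	osd_state[6] = OSD_EXISTS;
	ret = fixed ? apply_fixed_order(osd_state, &sample_inc)
		    : apply_encoding_order(osd_state, &sample_inc);
	return ret ? 0xff : osd_state[6];
}

int main(void)
{
	printf("encoding order: state=0x%x down=%d\n",
	       run_sample(0), osd_is_down(run_sample(0)));
	printf("fixed order:    state=0x%x down=%d\n",
	       run_sample(1), osd_is_down(run_sample(1)));
	return 0;
}
```
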
* [PATCH 3.16 105/346] nfs: don't create zero-length requests
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 139/346] balloon: check the number of available pages in leak balloon Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 240/346] kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd Ben Hutchings
                   ` (267 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Weston Andros Adamson, Benjamin Coddington,
	Trond Myklebust, Alexey Dobriyan

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Coddington <bcodding@redhat.com>

commit 149a4fddd0a72d526abbeac0c8deaab03559836a upstream.

NFS doesn't expect requests with wb_bytes set to zero and may make
unexpected decisions about how to handle that request at the page IO layer.
Skip request creation if we won't have any wb_bytes in the request.

Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Reviewed-by: Weston Andros Adamson <dros@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/write.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -1222,6 +1222,9 @@ int nfs_updatepage(struct file *file, st
 	dprintk("NFS:       nfs_updatepage(%pD2 %d@%lld)\n",
 		file, count, (long long)(page_file_offset(page) + offset));
 
+	if (!count)
+		goto out;
+
 	if (nfs_can_extend_write(file, page, inode)) {
 		count = max(count + offset, nfs_page_length(page));
 		offset = 0;
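
Review bot: the new `goto out` for `count == 0` reaches the `dprintk()` and `return status` at the `out:` label without passing any assignment to `status` shown in these hunks. Please confirm that `status` is initialised at its declaration (to 0, if a zero-length update is meant to succeed), since that line is outside the visible context.
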
@@ -1232,7 +1235,7 @@ int nfs_updatepage(struct file *file, st
 		nfs_set_pageerror(page);
 	else
 		__set_page_dirty_nobuffers(page);
-
+out:
 	dprintk("NFS:       nfs_updatepage returns %d (isize %lld)\n",
 			status, (long long)i_size_read(inode));
 	return status;

* [PATCH 3.16 044/346] MIPS: Fix page table corruption on THP permission changes.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 188/346] xhci: always handle "Command Ring Stopped" events Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 302/346] IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV Ben Hutchings
                   ` (115 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-mips, Aaro Koskinen, Ralf Baechle, David Daney

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Daney <david.daney@cavium.com>

commit acd168c0bf2ce709f056a6b1bf21634b1207d7a5 upstream.

When the core THP code is modifying the permissions of a huge page it
calls pmd_modify(), which unfortunately was clearing the _PAGE_HUGE bit
of the page table entry.  The result can be kernel messages like:

mm/memory.c:397: bad pmd 000000040080004d.
mm/memory.c:397: bad pmd 00000003ff00004d.
mm/memory.c:397: bad pmd 000000040100004d.

or:

------------[ cut here ]------------
WARNING: at mm/mmap.c:3200 exit_mmap+0x150/0x158()
Modules linked in: ipv6 at24 octeon3_ethernet octeon_srio_nexus m25p80
CPU: 12 PID: 1295 Comm: pmderr Not tainted 3.10.87-rt80-Cavium-Octeon #4
Call Trace:
[<ffffffff80865c4c>] show_stack+0x6c/0xf8
[<ffffffff80885780>] warn_slowpath_common+0x78/0xa8
[<ffffffff809207a0>] exit_mmap+0x150/0x158
[<ffffffff80882d44>] mmput+0x5c/0x110
[<ffffffff8088b450>] do_exit+0x230/0xa68
[<ffffffff8088be34>] do_group_exit+0x54/0x1d0
[<ffffffff8088bfc0>] __wake_up_parent+0x0/0x18

---[ end trace c7b38293191c57dc ]---
BUG: Bad rss-counter state mm:80000003fa168000 idx:1 val:1536

Fix by not clearing _PAGE_HUGE bit.

Signed-off-by: David Daney <david.daney@cavium.com>
Tested-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13687/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16:
 - Adjust context
 - _PAGE_HUGE might not be defined]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -572,7 +572,11 @@ static inline struct page *pmd_page(pmd_
 
 static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot)
 {
-	pmd_val(pmd) = (pmd_val(pmd) & _PAGE_CHG_MASK) | pgprot_val(newprot);
+	pmd_val(pmd) = (pmd_val(pmd) & (_PAGE_CHG_MASK
+#ifdef _PAGE_HUGE
+					| _PAGE_HUGE
+#endif
+				)) | pgprot_val(newprot);
 	return pmd;
 }
 
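Review bot: the `#ifdef _PAGE_HUGE` spliced into the middle of the mask expression in pmd_modify() is hard to read and easy to break the next time the line is touched. Consider defining the set of preserved bits once, near the other mask definitions in the header, with the `_PAGE_HUGE` term compiled in only when it is defined, and using that name here so the assignment stays a single expression. A short comment saying that the huge bit must survive a permission change would record why it is kept.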


* [PATCH 3.16 088/346] arm64: debug: unmask PSTATE.D earlier
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marc Zyngier, Catalin Marinas, Mark Rutland, Will Deacon

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 upstream.

Clearing PSTATE.D is one of the requirements for generating a debug
exception. The arm64 booting protocol requires that PSTATE.D is set,
since many of the debug registers (for example, the hw_breakpoint
registers) are UNKNOWN out of reset and could potentially generate
spurious, fatal debug exceptions in early boot code if PSTATE.D was
clear. Once the debug registers have been safely initialised, PSTATE.D
is cleared, however this is currently broken for two reasons:

(1) The boot CPU clears PSTATE.D in a postcore_initcall and secondary
    CPUs clear PSTATE.D in secondary_start_kernel. Since the initcall
    runs after SMP (and the scheduler) have been initialised, there is
    no guarantee that it is actually running on the boot CPU. In this
    case, the boot CPU is left with PSTATE.D set and is not capable of
    generating debug exceptions.

(2) In a preemptible kernel, we may explicitly schedule on the IRQ
    return path to EL1. If an IRQ occurs with PSTATE.D set in the idle
    thread, then we may schedule the kthread_init thread, run the
    postcore_initcall to clear PSTATE.D and then context switch back
    to the idle thread before returning from the IRQ. The exception
    return path will then restore PSTATE.D from the stack, and set it
    again.

This patch fixes the problem by moving the clearing of PSTATE.D earlier
to proc.S. This has the desirable effect of clearing it in one place for
all CPUs, long before we have to worry about the scheduler or any
exception handling. We ensure that the previous reset of MDSCR_EL1 has
completed before unmasking the exception, so that any spurious
exceptions resulting from UNKNOWN debug registers are not generated.

Without this patch applied, the kprobes selftests have been seen to fail
under KVM, where we end up attempting to step the OOL instruction buffer
with PSTATE.D set and therefore fail to complete the step.

Acked-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/debug-monitors.c | 1 -
 arch/arm64/kernel/smp.c            | 1 -
 arch/arm64/mm/proc.S               | 2 ++
 3 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -159,7 +159,6 @@ static int debug_monitors_init(void)
 	/* Clear the OS lock. */
 	on_each_cpu(clear_os_lock, NULL, 1);
 	isb();
-	local_dbg_enable();
 
 	/* Register hotplug handler. */
 	__register_cpu_notifier(&os_lock_nb);
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -174,7 +174,6 @@ asmlinkage void secondary_start_kernel(v
 	set_cpu_online(cpu, true);
 	complete(&cpu_running);
 
-	local_dbg_enable();
 	local_irq_enable();
 	local_async_enable();
 
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -189,6 +189,8 @@ ENTRY(__cpu_setup)
 	msr	cpacr_el1, x0			// Enable FP/ASIMD
 	mov	x0, #1 << 12			// Reset mdscr_el1 and disable
 	msr	mdscr_el1, x0			// access to the DCC from EL0
+	isb					// Unmask debug exceptions now,
+	enable_dbg				// since this is per-cpu
 	reset_pmuserenr_el0 x0			// Disable PMU access from EL0
 	/*
 	 * Memory region attributes for LPAE:
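
Review bot: the comment on the added `isb` / `enable_dbg` pair in __cpu_setup says only "since this is per-cpu" and does not say what the barrier is for. The ordering is the whole point of the change: the `msr mdscr_el1, x0` reset has to complete before debug exceptions are unmasked. Please state that in the comment so the `isb` is not later dropped or moved as redundant.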


* [PATCH 3.16 080/346] xfrm: fix crash in XFRM_MSG_GETSA netlink handler
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steffen Klassert, Vegard Nossum, Nicolas Dichtel

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 1ba5bf993c6a3142e18e68ea6452b347f9cb5635 upstream.

If we hit any of the error conditions inside xfrm_dump_sa(), then
xfrm_state_walk_init() never gets called. However, we still call
xfrm_state_walk_done() from xfrm_dump_sa_done(), which will crash
because the state walk was never initialized properly.

We can fix this by setting cb->args[0] only after we've processed the
first element and checking this before calling xfrm_state_walk_done().

Fixes: d3623099d3 ("ipsec: add support of limited SA dump")
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -869,7 +869,8 @@ static int xfrm_dump_sa_done(struct netl
 	struct sock *sk = cb->skb->sk;
 	struct net *net = sock_net(sk);
 
-	xfrm_state_walk_done(walk, net);
+	if (cb->args[0])
+		xfrm_state_walk_done(walk, net);
 	return 0;
 }
 
@@ -894,8 +895,6 @@ static int xfrm_dump_sa(struct sk_buff *
 		u8 proto = 0;
 		int err;
 
-		cb->args[0] = 1;
-
 		err = nlmsg_parse(cb->nlh, 0, attrs, XFRMA_MAX,
 				  xfrma_policy);
 		if (err < 0)
@@ -914,6 +913,7 @@ static int xfrm_dump_sa(struct sk_buff *
 			proto = nla_get_u8(attrs[XFRMA_PROTO]);
 
 		xfrm_state_walk_init(walk, proto, filter);
+		cb->args[0] = 1;
 	}
 
 	(void) xfrm_state_walk(net, walk, dump_one_state, &info);
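
Review bot: `cb->args[0] = 1` after xfrm_state_walk_init() now carries a specific meaning, "the walk has been initialised", and xfrm_dump_sa_done() depends on it, but neither site says so. Add a one-line comment here and at the `if (cb->args[0])` check so that a later change does not move the assignment back above the nlmsg_parse() error return. Any new early return added between the parse and the init call needs the same care.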


* [PATCH 3.16 101/346] bpf, mips: fix off-by-one in ctx offset allocation
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alexei Starovoitov, Daniel Borkmann, linux-mips,
	Ralf Baechle, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

commit b4e76f7e6d3200462c6354a6ad4ae167459e61f8 upstream.

Dan Carpenter reported [1] a static checker warning that ctx->offsets[]
may be accessed off by one from build_body(), since it's allocated with
fp->len * sizeof(*ctx.offsets) as length. The cBPF arm and ppc code
doesn't have this issue as claimed, so only mips seems to be affected and
should like most other JITs allocate with fp->len + 1. A small number of
JITs (x86, sparc, arm64) handle this differently, where they only require
fp->len array elements.

  [1] http://www.spinics.net/lists/mips/msg64193.html

Fixes: c6610de353da ("MIPS: net: Add BPF JIT")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: ast@kernel.org
Cc: linux-mips@linux-mips.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13814/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/net/bpf_jit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/net/bpf_jit.c
+++ b/arch/mips/net/bpf_jit.c
@@ -1365,7 +1365,7 @@ void bpf_jit_compile(struct sk_filter *f
 
 	memset(&ctx, 0, sizeof(ctx));
 
-	ctx.offsets = kcalloc(fp->len, sizeof(*ctx.offsets), GFP_KERNEL);
+	ctx.offsets = kcalloc(fp->len + 1, sizeof(*ctx.offsets), GFP_KERNEL);
 	if (ctx.offsets == NULL)
 		return;
 
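Review bot: the `fp->len + 1` in the kcalloc() call has no comment, and the changelog notes that some other JITs size this array as `fp->len`, so the extra element can look like a mistake to the next reader. Add a comment at the allocation stating that build_body() may index `ctx->offsets[]` one element past the last instruction, which is the reason for the additional slot.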


* [PATCH 3.16 079/346] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Amadeusz Sławiński, Marcel Holtmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amadeusz Sławiński
 <amadeusz.slawinski@tieto.com>

commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.

When we retrieve imtu value from userspace we should use 16 bit pointer
cast instead of 32 as it's defined that way in headers. Fixes setsockopt
calls on big-endian platforms.

Signed-off-by: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bluetooth/l2cap_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -921,7 +921,7 @@ static int l2cap_sock_setsockopt(struct
 			break;
 		}
 
-		if (get_user(opt, (u32 __user *) optval)) {
+		if (get_user(opt, (u16 __user *) optval)) {
 			err = -EFAULT;
 			break;
 		}
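
Review bot: the read at `get_user(opt, (u16 __user *) optval)` now fetches two bytes, but nothing visible in this hunk checks that the caller's option length is at least sizeof(u16) before the access. If that check is not made earlier in this case of the switch, add one. It would also help to tie the cast to the type of the field being set rather than repeat a bare `u16`, so the two cannot drift apart again.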


* [PATCH 3.16 087/346] tpm: read burstcount from TPM_STS in one 32-bit transaction
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andrey Pronin, Jarkko Sakkinen

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Pronin <apronin@chromium.org>

commit 9754d45e997000ad4021bc4606cc266bb38d876f upstream.

Some chips incorrectly support partial reads from TPM_STS register
at non-zero offsets. Read the entire 32-bits register instead of
making two 8-bit reads to support such devices and reduce the number
of bus transactions when obtaining the burstcount from TPM_STS.

Fixes: 27084efee0c3 ("tpm: driver for next generation TPM chips")
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
[bwh: Backported to 3.16:
 - Use raw ioread32() instead of tpm_tis_read32()
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -197,16 +197,15 @@ static int get_burstcount(struct tpm_chi
 {
 	unsigned long stop;
 	int burstcnt;
+	u32 value;
 
 	/* wait for burstcount */
 	/* which timeout value, spec has 2 answers (c & d) */
 	stop = jiffies + chip->vendor.timeout_d;
 	do {
-		burstcnt = ioread8(chip->vendor.iobase +
-				   TPM_STS(chip->vendor.locality) + 1);
-		burstcnt += ioread8(chip->vendor.iobase +
-				    TPM_STS(chip->vendor.locality) +
-				    2) << 8;
+		value = ioread32(chip->vendor.iobase +
+				 TPM_STS(chip->vendor.locality));
+		burstcnt = (value >> 8) & 0xFFFF;
 		if (burstcnt)
 			return burstcnt;
 		msleep(TPM_TIMEOUT);
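
Review bot: `(value >> 8) & 0xFFFF` in get_burstcount() uses a bare shift and mask for the burstcount field. The removed code read it from byte offsets 1 and 2 of TPM_STS, that is, bits 8 to 23 of the 32-bit register; a named shift and mask, or a comment stating that layout, would make the equivalence checkable at a glance. `burstcnt` is still declared `int` while `value` is `u32`, which is harmless for a 16-bit field but worth keeping in mind if the mask ever changes.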


* [PATCH 3.16 082/346] mmc: block: fix packed command header endianness
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Taras Kondratiuk

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Taras Kondratiuk <takondra@cisco.com>

commit f68381a70bb2b26c31b13fdaf67c778f92fd32b4 upstream.

The code that fills packed command header assumes that CPU runs in
little-endian mode. Hence the header is malformed in big-endian mode
and causes MMC data transfer errors:

[  563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc40
[  563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1

Convert header data to LE.

Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
Fixes: ce39f9d17c14 ("mmc: support packed write command for eMMC4.5 devices")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/card/block.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -1659,8 +1659,8 @@ static void mmc_blk_packed_hdr_wrq_prep(
 
 	packed_cmd_hdr = packed->cmd_hdr;
 	memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr));
-	packed_cmd_hdr[0] = (packed->nr_entries << 16) |
-		(PACKED_CMD_WR << 8) | PACKED_CMD_VER;
+	packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) |
+		(PACKED_CMD_WR << 8) | PACKED_CMD_VER);
 	hdr_blocks = mmc_large_sector(card) ? 8 : 1;
 
 	/*
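
Review bot: `packed_cmd_hdr[0]` now stores a value produced by cpu_to_le32(), but the declarations of `packed_cmd_hdr` and `packed->cmd_hdr` are not part of this patch. If those are still plain `u32`, sparse cannot flag a future store that forgets the conversion; declaring them `__le32` would make the endianness requirement part of the type.
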
@@ -1674,14 +1674,14 @@ static void mmc_blk_packed_hdr_wrq_prep(
 			((brq->data.blocks * brq->data.blksz) >=
 			 card->ext_csd.data_tag_unit_size);
 		/* Argument of CMD23 */
-		packed_cmd_hdr[(i * 2)] =
+		packed_cmd_hdr[(i * 2)] = cpu_to_le32(
 			(do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) |
 			(do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) |
-			blk_rq_sectors(prq);
+			blk_rq_sectors(prq));
 		/* Argument of CMD18 or CMD25 */
-		packed_cmd_hdr[((i * 2)) + 1] =
+		packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32(
 			mmc_card_blockaddr(card) ?
-			blk_rq_pos(prq) : blk_rq_pos(prq) << 9;
+			blk_rq_pos(prq) : blk_rq_pos(prq) << 9);
 		packed->blocks += blk_rq_sectors(prq);
 		i++;
 	}
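
Review bot: wrapping the multi-line CMD23 and CMD18/CMD25 argument expressions in `cpu_to_le32(` leaves each closing parenthesis three lines away from its opener, after a ternary in the second case. Computing each argument into a local variable and converting on the store would read more clearly. The conversion also makes it explicit that `blk_rq_pos(prq) << 9` is stored as a 32-bit value; a comment on the expected range for cards that are not block-addressed would help.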


* [PATCH 3.16 104/346] gpio: intel-mid: Remove potentially harmful code
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mika Westerberg, Linus Walleij, Andy Shevchenko

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 3dbd3212f81b2b410a34a922055e2da792864829 upstream.

The commit d56d6b3d7d69 ("gpio: langwell: add Intel Merrifield support")
doesn't look at all as a proper support for Intel Merrifield and I dare to say
that it distorts the behaviour of the hardware.

The register map is different on Intel Merrifield, i.e. only 6 out of 8
registers have the same purpose but none of them has the same location in the
address space. The current case is potentially harmful to existing hardware since
it's poking registers on wrong offsets and may set some pin to be GPIO output
when connected hardware doesn't expect such.

Besides the above GPIO and pinctrl on Intel Merrifield have been located in
different IP blocks. The functionality has been extended as well, i.e. added
support of level interrupts, special registers for wake capable sources and
thus, in my opinion, requires a completely separate driver.

If someone is wondering, the existing gpio-intel-mid.c would be converted to actual
pinctrl (which by the fact it is now), though I wouldn't be a volunteer to do
that.

Fixes: d56d6b3d7d69 ("gpio: langwell: add Intel Merrifield support")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpio/gpio-intel-mid.c | 19 -------------------
 1 file changed, 19 deletions(-)

--- a/drivers/gpio/gpio-intel-mid.c
+++ b/drivers/gpio/gpio-intel-mid.c
@@ -17,7 +17,6 @@
  * Moorestown platform Langwell chip.
  * Medfield platform Penwell chip.
  * Clovertrail platform Cloverview chip.
- * Merrifield platform Tangier chip.
  */
 
 #include <linux/module.h>
@@ -66,10 +65,6 @@ enum GPIO_REG {
 /* intel_mid gpio driver data */
 struct intel_mid_gpio_ddata {
 	u16 ngpio;		/* number of gpio pins */
-	u32 gplr_offset;	/* offset of first GPLR register from base */
-	u32 flis_base;		/* base address of FLIS registers */
-	u32 flis_len;		/* length of FLIS registers */
-	u32 (*get_flis_offset)(int gpio);
 	u32 chip_irq_type;	/* chip interrupt type */
 };
 
@@ -284,15 +279,6 @@ static const struct intel_mid_gpio_ddata
 	.chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE,
 };
 
-static const struct intel_mid_gpio_ddata gpio_tangier = {
-	.ngpio = 192,
-	.gplr_offset = 4,
-	.flis_base = 0xff0c0000,
-	.flis_len = 0x8000,
-	.get_flis_offset = NULL,
-	.chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE,
-};
-
 static const struct pci_device_id intel_gpio_ids[] = {
 	{
 		/* Lincroft */
@@ -319,11 +305,6 @@ static const struct pci_device_id intel_
 		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x08f7),
 		.driver_data = (kernel_ulong_t)&gpio_cloverview_core,
 	},
-	{
-		/* Tangier */
-		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1199),
-		.driver_data = (kernel_ulong_t)&gpio_tangier,
-	},
 	{ 0 }
 };
 MODULE_DEVICE_TABLE(pci, intel_gpio_ids);
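
Review bot: removing the `PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1199)` entry means this driver no longer binds to the Tangier device at all, which is a user-visible change for a stable backport. The changelog explains why the old code was wrong but not what Merrifield users get after the patch; a sentence saying that GPIO on that platform is unsupported by this driver until a separate one exists would help people triaging regressions. Also confirm that nothing else in the file still reads the removed `gplr_offset`, `flis_base`, `flis_len` or `get_flis_offset` fields, since only their definitions and the `gpio_tangier` initialiser are removed here.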


* [PATCH 3.16 081/346] crypto: scatterwalk - Fix test in scatterwalk_done
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 5f070e81bee35f1b7bd1477bb223a873ff657803 upstream.

When there is more data to be processed, the current test in
scatterwalk_done may prevent us from calling pagedone even when
we should.

In particular, if we're on an SG entry spanning multiple pages
where the last page is not a full page, we will incorrectly skip
calling pagedone on the second last page.

This patch fixes this by adding a separate test for whether we've
reached the end of a page.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/scatterwalk.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct
 
 void scatterwalk_done(struct scatter_walk *walk, int out, int more)
 {
-	if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
+	if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
+	    !(walk->offset & (PAGE_SIZE - 1)))
 		scatterwalk_pagedone(walk, out, more);
 }
 EXPORT_SYMBOL_GPL(scatterwalk_done);
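
Review bot: the new condition in scatterwalk_done() combines three separate cases (`!more`, end of the SG entry, end of a page) with no comment. A short comment naming each clause would make the partial-last-page case from the changelog visible in the code. The last clause could use offset_in_page(walk->offset) instead of the open-coded `& (PAGE_SIZE - 1)`.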


* [PATCH 3.16 085/346] crypto: nx - off by one bug in nx_of_update_msc()
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e514cc0a492a3f39ef71b31590a7ef67537ee04b upstream.

The props->ap[] array is defined like this:

	struct alg_props ap[NX_MAX_FC][NX_MAX_MODE][3];

So we can see that if msc->fc and msc->mode are == to NX_MAX_FC or
NX_MAX_MODE then we're off by one.

Fixes: ae0222b7289d ('powerpc/crypto: nx driver code supporting nx encryption')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/nx/nx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/nx/nx.c
+++ b/drivers/crypto/nx/nx.c
@@ -330,7 +330,7 @@ static void nx_of_update_msc(struct devi
 		     ((bytes_so_far + sizeof(struct msc_triplet)) <= lenp) &&
 		     i < msc->triplets;
 		     i++) {
-			if (msc->fc > NX_MAX_FC || msc->mode > NX_MAX_MODE) {
+			if (msc->fc >= NX_MAX_FC || msc->mode >= NX_MAX_MODE) {
 				dev_err(dev, "unknown function code/mode "
 					"combo: %d/%d (ignored)\n", msc->fc,
 					msc->mode);
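
Review bot: the corrected test `msc->fc >= NX_MAX_FC || msc->mode >= NX_MAX_MODE` still repeats the array dimensions by name, so it can go stale again if the declaration of `props->ap[]` changes. Checking against ARRAY_SIZE() of the corresponding dimensions would tie the bound to the array itself. The array's third dimension is 3 per the changelog; the index used for it is outside this hunk and should get the same scrutiny.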


* [PATCH 3.16 050/346] net: mvneta: set real interrupt per packet for tx_done
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Willy Tarreau, Dmitri Epshtein, David S. Miller, Marcin Wojtas

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitri Epshtein <dima@marvell.com>

commit 06708f81528725148473c0869d6af5f809c6824b upstream.

Commit aebea2ba0f74 ("net: mvneta: fix Tx interrupt delay") intended to
set coalescing threshold to a value guaranteeing interrupt generation
per each sent packet, so that buffers can be released with no delay.

In fact setting threshold to '1' was wrong, because it causes interrupt
every two packets. According to the documentation a reason behind it is
following - interrupt occurs once sent buffers counter reaches a value,
which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This
behavior was confirmed during tests. Also when testing the SoC working
as a NAS device, better performance was observed with int-per-packet,
as it strongly depends on the fact that all transmitted packets are
released immediately.

This commit enables NETA controller work in interrupt per sent packet mode
by setting coalescing threshold to 0.

Signed-off-by: Dmitri Epshtein <dima@marvell.com>
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Fixes aebea2ba0f74 ("net: mvneta: fix Tx interrupt delay")
Acked-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/marvell/mvneta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -216,7 +216,7 @@
 /* Various constants */
 
 /* Coalescing */
-#define MVNETA_TXDONE_COAL_PKTS		1
+#define MVNETA_TXDONE_COAL_PKTS		0	/* interrupt per packet */
 #define MVNETA_RX_COAL_PKTS		32
 #define MVNETA_RX_COAL_USEC		100
 
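Review bot: the new comment on `MVNETA_TXDONE_COAL_PKTS` says "interrupt per packet" but not why the value is 0 rather than 1, which is exactly what the earlier commit got wrong. Expand it to say that the interrupt fires once the sent-buffer count is higher than the threshold, so 0 gives one interrupt per packet and 1 gives one every two packets.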


* [PATCH 3.16 089/346] brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arend van Spriel, Florian Fainelli, Kalle Valo, coverity

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream.

In case brcmf_sdiod_recv_chain() cannot complete a successful call to
brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we
should, fix this.

Reported-by: coverity (CID 1164856)
Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
@@ -708,8 +708,10 @@ int brcmf_sdiod_recv_chain(struct brcmf_
 			return -ENOMEM;
 		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
 					 glom_skb);
-		if (err)
+		if (err) {
+			brcmu_pkt_buf_free_skb(glom_skb);
 			goto done;
+		}
 
 		skb_queue_walk(pktq, skb) {
 			memcpy(skb->data, glom_skb->data, skb->len);
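
Review bot: the added `brcmu_pkt_buf_free_skb(glom_skb)` fixes the leak on the `if (err)` path only, by freeing just before `goto done`. If `glom_skb` were initialised to NULL and released once at the `done:` label behind a NULL check, every current and future exit from this branch would be covered without open-coding the free at each one. Whether the label can take that cleanup depends on code outside this hunk, so check the other paths that jump there.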


* [PATCH 3.16 083/346] netfilter: x_tables: validate targets of jumps
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Florian Westphal, Pablo Neira Ayuso

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 36472341017529e2b12573093cc0f68719300997 upstream.

When we see a jump also check that the offset gets us to beginning of
a rule (an ipt_entry).

The extra overhead is negligible, even with absurd cases.

300k custom rules, 300k jumps to 'next' user chain:
[ plus one jump from INPUT to first userchain ]:

Before:
real    0m24.874s
user    0m7.532s
sys     0m16.076s

After:
real    0m27.464s
user    0m7.436s
sys     0m18.840s

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++
 net/ipv4/netfilter/ip_tables.c  | 16 ++++++++++++++++
 net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++++
 3 files changed, 48 insertions(+)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -363,6 +363,19 @@ static inline bool unconditional(const s
 	       memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
 }
 
+static bool find_jump_target(const struct xt_table_info *t,
+			     const void *entry0,
+			     const struct arpt_entry *target)
+{
+	struct arpt_entry *iter;
+
+	xt_entry_foreach(iter, entry0, t->size) {
+		 if (iter == target)
+			return true;
+	}
+	return false;
+}
+
 /* Figures out from what hook each rule can be called: returns 0 if
  * there are loops.  Puts hook bitmask in comefrom.
  */
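
Review bot: the `if (iter == target)` line in find_jump_target() is indented with a tab followed by a stray space, which checkpatch will flag; drop the space. It would also help to say in a comment above the helper that the walk is linear in `t->size` and runs once per jump, since that is where the extra sys time quoted in the changelog comes from.
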
@@ -456,6 +469,10 @@ static int mark_source_chains(const stru
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					e = (struct arpt_entry *)
+						(entry0 + newpos);
+					if (!find_jump_target(newinfo, entry0, e))
+						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
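
Review bot: the new `return 0` for a bad jump target is indistinguishable from the loop case, and the header comment of mark_source_chains() still says only "returns 0 if there are loops". Update that comment to cover jumps that do not land on an entry boundary, and consider a duprintf() before the return so a rejected ruleset can be told apart from a looping one. A short comment that `e` is only compared by find_jump_target(), not dereferenced, until the check has passed would also make the safety of `entry0 + newpos` obvious to the next reader.
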
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -439,6 +439,19 @@ ipt_do_table(struct sk_buff *skb,
 #endif
 }
 
+static bool find_jump_target(const struct xt_table_info *t,
+			     const void *entry0,
+			     const struct ipt_entry *target)
+{
+	struct ipt_entry *iter;
+
+	xt_entry_foreach(iter, entry0, t->size) {
+		 if (iter == target)
+			return true;
+	}
+	return false;
+}
+
 /* Figures out from what hook each rule can be called: returns 0 if
    there are loops.  Puts hook bitmask in comefrom. */
 static int
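
Review bot: this find_jump_target() is a copy of the one added to arp_tables.c, differing only in the entry type, and it carries the same tab-plus-space indent on the `if (iter == target)` line. With the ip6_tables.c copy that makes three bodies to keep in sync; either note the siblings in a comment above each, or factor the walk into a shared helper so a later fix cannot be applied to only one of them.
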
@@ -536,6 +549,10 @@ mark_source_chains(const struct xt_table
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					e = (struct ipt_entry *)
+						(entry0 + newpos);
+					if (!find_jump_target(newinfo, entry0, e))
+						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -449,6 +449,19 @@ ip6t_do_table(struct sk_buff *skb,
 #endif
 }
 
+static bool find_jump_target(const struct xt_table_info *t,
+			     const void *entry0,
+			     const struct ip6t_entry *target)
+{
+	struct ip6t_entry *iter;
+
+	xt_entry_foreach(iter, entry0, t->size) {
+		 if (iter == target)
+			return true;
+	}
+	return false;
+}
+
 /* Figures out from what hook each rule can be called: returns 0 if
    there are loops.  Puts hook bitmask in comefrom. */
 static int
@@ -546,6 +559,10 @@ mark_source_chains(const struct xt_table
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					e = (struct ip6t_entry *)
+						(entry0 + newpos);
+					if (!find_jump_target(newinfo, entry0, e))
+						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 041/346] batman-adv: Free last_bonding_candidate on release of orig_node
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (266 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 219/346] usb: gadget: udc: core: don't starve DMA resources Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 275/346] hexagon: fix strncpy_from_user() error return Ben Hutchings
                   ` (78 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Marek Lindner, Simon Wunderlich

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit cbef1e102003edb236c6b2319ab269ccef963731 upstream.

The orig_ifinfo reference counter for last_bonding_candidate in
batadv_orig_node has to be reduced when an originator node is released.
Otherwise the orig_ifinfo is leaked and the reference counter of the netdevice
is not reduced correctly.

Fixes: f3b3d9018975 ("batman-adv: add bonding again")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - s/_put/_free_ref/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/originator.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -530,6 +530,7 @@ static void batadv_orig_node_release(str
 	struct batadv_neigh_node *neigh_node;
 	struct batadv_orig_ifinfo *orig_ifinfo;
 	struct batadv_orig_node_vlan *vlan, *vlan_tmp;
+	struct batadv_orig_ifinfo *last_candidate;
 
 	spin_lock_bh(&orig_node->neigh_list_lock);
 
@@ -545,8 +546,14 @@ static void batadv_orig_node_release(str
 		hlist_del_rcu(&orig_ifinfo->list);
 		batadv_orig_ifinfo_free_ref(orig_ifinfo);
 	}
+
+	last_candidate = orig_node->last_bonding_candidate;
+	orig_node->last_bonding_candidate = NULL;
 	spin_unlock_bh(&orig_node->neigh_list_lock);
 
+	if (last_candidate)
+		batadv_orig_ifinfo_free_ref(last_candidate);
+
 	spin_lock_bh(&orig_node->vlan_list_lock);
 	list_for_each_entry_safe(vlan, vlan_tmp, &orig_node->vlan_list, list) {
 		list_del_rcu(&vlan->list);
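
Review bot: the loop just above calls batadv_orig_ifinfo_free_ref() while `neigh_list_lock` is still held, but `last_candidate` is only released after `spin_unlock_bh()`, and nothing in the code says why the two cases differ. Add a one-line comment at `orig_node->last_bonding_candidate = NULL;` stating that the pointer is detached under the lock and the reference is dropped afterwards, so the two steps are not folded back together later.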

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 063/346] Bluetooth: Add support of 13d3:3490 AR3012 device
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 124/346] fuse: fsync() did not return IO errors Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 023/346] serial: samsung: Fix possible out of bounds access on non-DT platform Ben Hutchings
                   ` (231 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Tunin, Marcel Holtmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipouspilot@gmail.com>

commit 12d868964f7352e8b18e755488f7265a93431de1 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3490 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1600623

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bluetooth/ath3k.c | 2 ++
 drivers/bluetooth/btusb.c | 1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -123,6 +123,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3472) },
 	{ USB_DEVICE(0x13d3, 0x3474) },
 	{ USB_DEVICE(0x13d3, 0x3487) },
+	{ USB_DEVICE(0x13d3, 0x3490) },
 
 	/* Atheros AR5BBU12 with sflash firmware */
 	{ USB_DEVICE(0x0489, 0xE02C) },
@@ -190,6 +191,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU22 with sflash firmware */
 	{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -217,6 +217,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU12 with sflash firmware */
 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 074/346] ext4: fix reference counting bug on block allocation error
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (180 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 335/346] vfio/pci: Fix integer overflows, bitmask check Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 183/346] USB: serial: mos7840: fix non-atomic allocation in write path Ben Hutchings
                   ` (164 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Aneesh Kumar K.V, Vegard Nossum, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e upstream.

If we hit this error when mounted with errors=continue or
errors=remount-ro:

    EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:2940: comm ext4.exe: Allocating blocks 5090-6081 which overlap fs metadata

then ext4_mb_new_blocks() will call ext4_mb_release_context() and try to
continue. However, ext4_mb_release_context() is the wrong thing to call
here since we are still actually using the allocation context.

Instead, just error out. We could retry the allocation, but there is a
possibility of getting stuck in an infinite loop instead, so this seems
safer.

[ Fixed up so we don't return EAGAIN to userspace. --tytso ]

Fixes: 8556e8f3b6 ("ext4: Don't allow new groups to be added during block allocation")
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
[bwh: Backported to 3.16: use EIO instead of EFSCORRUPTED]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/mballoc.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2911,7 +2911,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
 		ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
 			   "fs metadata", block, block+len);
 		/* File system mounted not to panic on error
-		 * Fix the bitmap and repeat the block allocation
+		 * Fix the bitmap and return EFSCORRUPTED
 		 * We leak some of the blocks here.
 		 */
 		ext4_lock_group(sb, ac->ac_b_ex.fe_group);
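
Review bot: the updated comment says "Fix the bitmap and return EFSCORRUPTED", but this backport sets `err = -EIO` in the next hunk, as the "[bwh: Backported to 3.16: use EIO instead of EFSCORRUPTED]" line states. Change the comment to say EIO so it matches what 3.16 actually returns.
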
@@ -2920,7 +2920,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
 		ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
 		err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
 		if (!err)
-			err = -EAGAIN;
+			err = -EIO;
 		goto out_err;
 	}
 
@@ -4489,18 +4489,7 @@ repeat:
 	}
 	if (likely(ac->ac_status == AC_STATUS_FOUND)) {
 		*errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
-		if (*errp == -EAGAIN) {
-			/*
-			 * drop the reference that we took
-			 * in ext4_mb_use_best_found
-			 */
-			ext4_mb_release_context(ac);
-			ac->ac_b_ex.fe_group = 0;
-			ac->ac_b_ex.fe_start = 0;
-			ac->ac_b_ex.fe_len = 0;
-			ac->ac_status = AC_STATUS_CONTINUE;
-			goto repeat;
-		} else if (*errp) {
+		if (*errp) {
 			ext4_discard_allocated_blocks(ac);
 			goto errout;
 		} else {
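
Review bot: with the `-EAGAIN` branch removed, check whether any other `goto repeat` is left in this function; if this was the only user, the `repeat:` label shown in the hunk header is now dead and should go in the same patch. A comment at `if (*errp) {` noting that an overlap with fs metadata is deliberately not retried would record the reasoning from the changelog where the next reader will look for it.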

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 075/346] ext4: short-cut orphan cleanup on error
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 057/346] x86/quirks: Add early quirk to reset Apple AirPort card Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 153/346] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board Ben Hutchings
                   ` (270 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Vegard Nossum, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit c65d5c6c81a1f27dec5f627f67840726fcd146de upstream.

If we encounter a filesystem error during orphan cleanup, we should stop.
Otherwise, we may end up in an infinite loop where the same inode is
processed again and again.

    EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
    EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
    Aborting journal on device loop0-8.
    EXT4-fs (loop0): Remounting filesystem read-only
    EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
    EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
    EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
    EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
    EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!
    [...]
    EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!
    [...]
    EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!
    [...]

See-also: c9eb13a9105 ("ext4: fix hang when processing corrupted orphaned inode list")
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2228,6 +2228,16 @@ static void ext4_orphan_cleanup(struct s
 	while (es->s_last_orphan) {
 		struct inode *inode;
 
+		/*
+		 * We may have encountered an error during cleanup; if
+		 * so, skip the rest.
+		 */
+		if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
+			jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
+			es->s_last_orphan = 0;
+			break;
+		}
+
 		inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
 		if (IS_ERR(inode)) {
 			es->s_last_orphan = 0;
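
Review bot: the skip message at the new `EXT4_ERROR_FS` check is emitted with `jbd_debug(1, ...)`, so on a normal build nothing in the log tells the administrator that the remaining orphans were dropped. Since `es->s_last_orphan = 0;` discards the rest of the list, a message at a level that reaches the kernel log by default would be more appropriate here.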

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 073/346] drm/radeon: support backlight control for UNIPHY3
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 303/346] irda: Free skb on irda_accept error path Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 068/346] USB: quirks: Fix another ELAN touchscreen Ben Hutchings
                   ` (95 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Deucher

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit d3200be6c423afa1c34f7e39e9f6d04dd5b0af9d upstream.

Same interface as other UNIPHY blocks

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/atombios_encoders.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -119,6 +119,7 @@ atombios_set_backlight_level(struct rade
 		case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA:
 		case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1:
 		case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2:
+		case ENCODER_OBJECT_ID_INTERNAL_UNIPHY3:
 			if (dig->backlight_level == 0)
 				atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_LCD_BLOFF, 0, 0);
 			else {

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 064/346] qxl: check for kmap failures
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (224 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 077/346] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 062/346] Bluetooth: Add USB ID 13D3:3487 to ath3k Ben Hutchings
                   ` (120 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Daniel Vetter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f4cceb2affcd1285d4ce498089e8a79f4cd2fa66 upstream.

If kmap fails, it leads to memory corruption.

Fixes: f64122c1f6ad ('drm: add new QXL driver. (v1.4)')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20160711084633.GA31411@mwanda
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/qxl/qxl_draw.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/qxl/qxl_draw.c
+++ b/drivers/gpu/drm/qxl/qxl_draw.c
@@ -136,6 +136,8 @@ static int qxl_palette_create_1bit(struc
 				 * correctly globaly, since that would require
 				 * tracking all of our palettes. */
 	ret = qxl_bo_kmap(palette_bo, (void **)&pal);
+	if (ret)
+		return ret;
 	pal->num_ents = 2;
 	pal->unique = unique++;
 	if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) {
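
Review bot: the new `if (ret) return ret;` after qxl_bo_kmap() leaves the function directly, while `palette_bo` has already been set up by this point. Please confirm that nothing acquired earlier in qxl_palette_create_1bit() for `palette_bo` needs to be released on this path; if it does, the early return should go through the same cleanup as the other exits.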

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 033/346] ext4: don't call ext4_should_journal_data() on the journal inode
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (327 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 012/346] sched/cputime: Fix prev steal time accouting during CPU hotplug Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 167/346] s390/dasd: fix hanging device after clear subchannel Ben Hutchings
                   ` (17 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Vegard Nossum, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c upstream.

If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
to call ext4_should_journal_data() before superblock options and flags
are fully set up.  In that case, the iput() on the journal inode can
end up causing a BUG().

Work around this problem by reordering the tests so we only call
ext4_should_journal_data() after we know it's not the journal inode.

Fixes: 2d859db3e4 ("ext4: fix data corruption in inodes with journalled data")
Fixes: 2b405bfa84 ("ext4: fix data=journal fast mount/umount hang")
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -207,9 +207,9 @@ void ext4_evict_inode(struct inode *inod
 		 * Note that directories do not have this problem because they
 		 * don't use page cache.
 		 */
-		if (ext4_should_journal_data(inode) &&
-		    (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
-		    inode->i_ino != EXT4_JOURNAL_INO) {
+		if (inode->i_ino != EXT4_JOURNAL_INO &&
+		    ext4_should_journal_data(inode) &&
+		    (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
 			journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
 			tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
 
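
Review bot: the fix depends entirely on `&&` short-circuiting, with `inode->i_ino != EXT4_JOURNAL_INO` evaluated before ext4_should_journal_data(inode), but the comment above the condition does not say so. Add a sentence there that the journal inode test must stay first, otherwise a later tidy-up that reorders the three tests will quietly bring the BUG() back.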

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 078/346] USB: serial: option: add support for Telit LE910 PID 0x1206
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 274/346] frv: fix clear_user() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 082/346] mmc: block: fix packed command header endianness Ben Hutchings
                   ` (51 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniele Palmas, Johan Hovold

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <dnlplm@gmail.com>

commit 3c0415fa08548e3bc63ef741762664497ab187ed upstream.

This patch adds support for 0x1206 PID of Telit LE910.

Since the interface positions are the same as the ones for
0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -276,6 +276,7 @@ static void option_instat_callback(struc
 #define TELIT_PRODUCT_LE922_USBCFG5		0x1045
 #define TELIT_PRODUCT_LE920			0x1200
 #define TELIT_PRODUCT_LE910			0x1201
+#define TELIT_PRODUCT_LE910_USBCFG4		0x1206
 
 /* ZTE PRODUCTS */
 #define ZTE_VENDOR_ID				0x19d2
@@ -1217,6 +1218,8 @@ static const struct usb_device_id option
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
 		.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
 		.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
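
Review bot: the new `TELIT_PRODUCT_LE910_USBCFG4` entry points at `telit_le922_blacklist_usbcfg3`, and the reason for pairing an LE910 PID with an LE922 blacklist exists only in the changelog. Put a short comment on the table entry saying the interface layout matches the LE922 0x1043 configuration, so the name mismatch is not mistaken for a copy and paste error.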

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 077/346] mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (223 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 323/346] drm/radeon/si/dpm: add workaround for for Jet parts Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 064/346] qxl: check for kmap failures Ben Hutchings
                   ` (121 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Brian Norris, Dan Carpenter

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 79ad07d45743721010e766e65dc004ad249bd429 upstream.

There is a cut and paste issue here.  The bug is that we are allocating
more memory than necessary for msp_maps.  We should be allocating enough
space for a map_info struct (144 bytes) but we instead allocate enough
for an mtd_info struct (1840 bytes).  It's a small waste.

The other part of this is not harmful but when we allocated msp_flash
then we allocated enough space for a map_info pointer instead of an
mtd_info pointer.  But since pointers are the same size it works out
fine.

Anyway, I decided to clean up all three allocations a bit to make them
a bit more consistent and clear.

Fixes: 68aa0fa87f6d ('[MTD] PMC MSP71xx flash/rootfs mappings')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/maps/pmcmsp-flash.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/maps/pmcmsp-flash.c
+++ b/drivers/mtd/maps/pmcmsp-flash.c
@@ -75,15 +75,15 @@ static int __init init_msp_flash(void)
 
 	printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt);
 
-	msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL);
+	msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL);
 	if (!msp_flash)
 		return -ENOMEM;
 
-	msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL);
+	msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL);
 	if (!msp_parts)
 		goto free_msp_flash;
 
-	msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL);
+	msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL);
 	if (!msp_maps)
 		goto free_msp_parts;
 
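
Review bot: the first two allocations change from `kmalloc(fcnt * sizeof(...))` to `kcalloc(fcnt, sizeof(*ptr))`, which is more than the cleanup the changelog describes: `msp_flash` and `msp_parts` are now zero-initialised and the size multiplication is overflow-checked. That is a welcome change, but it is a behaviour change and should be mentioned in the commit message alongside the `sizeof(struct mtd_info)` fix for `msp_maps`.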

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 029/346] Input: xpad - validate USB endpoint count during probe
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 185/346] iio: proximity: as3935: set up buffer timestamps for non-zero values Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 178/346] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Ben Hutchings
                   ` (281 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Cameron Gutman, Dmitry Torokhov

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cameron Gutman <aicommander@gmail.com>

commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.

This prevents a malicious USB device from causing an oops.

Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/joystick/xpad.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -883,6 +883,9 @@ static int xpad_probe(struct usb_interfa
 	struct usb_endpoint_descriptor *ep_irq_in;
 	int i, error;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+		return -ENODEV;
+
 	for (i = 0; xpad_device[i].idVendor; i++) {
 		if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
 		    (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
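
Review bot: the literal `2` in `bNumEndpoints != 2` is unexplained, and the test runs before the device table lookup, so it applies to every controller the driver matches. Add a comment saying which endpoints xpad_probe() goes on to use, and state whether `!= 2` is intended rather than `< 2`: as written, an otherwise valid interface that exposes more than two endpoints is also refused with -ENODEV.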

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 069/346] usb: quirks: Add no-lpm quirk for Elan
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 253/346] Btrfs: add missing blk_finish_plug in btrfs_sync_log() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 169/346] x86/mm: Disable preemption during CR3 read+write Ben Hutchings
                   ` (144 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joseph Salisbury, Greg Kroah-Hartman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Salisbury <joseph.salisbury@canonical.com>

commit 25b1f9acc452209ae0fcc8c1332be852b5c52f53 upstream.

BugLink: http://bugs.launchpad.net/bugs/1498667

As reported in BugLink, this device has an issue with Linux Power
Management so adding a quirk.  This quirk was recommended by Alan Stern:

http://lkml.iu.edu/hypermail/linux/kernel/1606.2/05590.html

Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -125,6 +125,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x04f3, 0x016f), .driver_info =
 			USB_QUIRK_DEVICE_QUALIFIER },
 
+	{ USB_DEVICE(0x04f3, 0x0381), .driver_info =
+			USB_QUIRK_NO_LPM },
+
 	{ USB_DEVICE(0x04f3, 0x21b8), .driver_info =
 			USB_QUIRK_DEVICE_QUALIFIER },
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 065/346] cifs: Check for existing directory when opening file with O_CREAT
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 111/346] net/irda: fix NULL pointer dereference on memory allocation failure Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 286/346] score: fix __get_user/get_user Ben Hutchings
                   ` (251 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Xiaoli Feng, Steve French, Sachin Prabhu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sachin Prabhu <sprabhu@redhat.com>

commit 8d9535b6efd86e6c07da59f97e68f44efb7fe080 upstream.

When opening a file with O_CREAT flag, check to see if the file opened
is an existing directory.

This prevents the directory from being opened which subsequently causes
a crash when the close function for directories cifs_closedir() is called
which frees up the file->private_data memory while the file is still
listed on the open file list for the tcon.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reported-by: Xiaoli Feng <xifeng@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/dir.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -229,6 +229,13 @@ cifs_do_create(struct inode *inode, stru
 				goto cifs_create_get_file_info;
 			}
 
+			if (S_ISDIR(newinode->i_mode)) {
+				CIFSSMBClose(xid, tcon, fid->netfid);
+				iput(newinode);
+				rc = -EISDIR;
+				goto out;
+			}
+
 			if (!S_ISREG(newinode->i_mode)) {
 				/*
 				 * The server may allow us to open things like
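
Review bot: this S_ISDIR branch closes the handle with a direct `CIFSSMBClose(xid, tcon, fid->netfid)` and jumps to `out`, while the other new S_ISDIR check in this patch goes through `out_err`, which uses `server->ops->close(xid, tcon, fid)` and does the iput(). Unless there is a reason the first path cannot use the ops table, set `rc = -EISDIR` and `goto out_err` here as well, so there is a single close-and-put sequence to maintain.
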
@@ -399,10 +406,14 @@ cifs_create_set_dentry:
 	if (rc != 0) {
 		cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n",
 			 rc);
-		if (server->ops->close)
-			server->ops->close(xid, tcon, fid);
-		goto out;
+		goto out_err;
 	}
+
+	if (S_ISDIR(newinode->i_mode)) {
+		rc = -EISDIR;
+		goto out_err;
+	}
+
 	d_drop(direntry);
 	d_add(direntry, newinode);
 
@@ -410,6 +421,13 @@ out:
 	kfree(buf);
 	kfree(full_path);
 	return rc;
+
+out_err:
+	if (server->ops->close)
+		server->ops->close(xid, tcon, fid);
+	if (newinode)
+		iput(newinode);
+	goto out;
 }
 
 int
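
Review bot: the `if (newinode)` guard before `iput(newinode)` in `out_err` is redundant, because iput() already ignores a NULL inode; call it unconditionally. Placing `out_err:` after `return rc;` and jumping backwards with `goto out` also reads awkwardly; putting the error block above `out:` and letting it fall through would avoid the backward jump.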

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 067/346] s390/mm: fix gmap tlb flush issues
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 166/346] cpuset: make sure new tasks conform to the current config of the cpuset Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 192/346] bcache: register_bcache(): call blkdev_put() when cache_alloc() fails Ben Hutchings
                   ` (304 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin Schwidefsky, Sascha Silbe, David Hildenbrand

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit f045402984404ddc11016358411e445192919047 upstream.

__tlb_flush_asce() should never be used if multiple asce belong to a mm.

As this function changes mm logic determining if local or global tlb
flushes will be needed, we might end up flushing only the gmap asce on all
CPUs and a follow up mm asce flushes will only flush on the local CPU,
although that asce ran on multiple CPUs.

The missing tlb flushes will provoke strange faults in user space and even
low address protections in user space, crashing the kernel.

Fixes: 1b948d6caec4 ("s390/mm,tlb: optimize TLB flushing for zEC12")
Reported-by: Sascha Silbe <silbe@linux.vnet.ibm.com>
Acked-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/tlbflush.h | 3 ++-
 arch/s390/mm/pgtable.c           | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/arch/s390/include/asm/tlbflush.h
+++ b/arch/s390/include/asm/tlbflush.h
@@ -88,7 +88,8 @@ static inline void __tlb_flush_full(stru
 }
 
 /*
- * Flush TLB entries for a specific ASCE on all CPUs.
+ * Flush TLB entries for a specific ASCE on all CPUs. Should never be used
+ * when more than one asce (e.g. gmap) ran on this mm.
  */
 static inline void __tlb_flush_asce(struct mm_struct *mm, unsigned long asce)
 {
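Review bot: The expanded comment on __tlb_flush_asce() states a usage
rule ("Should never be used when more than one asce (e.g. gmap) ran on
this mm") that nothing in the function enforces. Since the callers fixed
in this patch show the rule is easy to break, the comment should also
name the function to use instead (__tlb_flush_idte(), as the pgtable.c
hunks do), and spell ASCE the same way in both sentences.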
--- a/arch/s390/mm/pgtable.c
+++ b/arch/s390/mm/pgtable.c
@@ -202,7 +202,7 @@ static int gmap_unlink_segment(struct gm
 static void gmap_flush_tlb(struct gmap *gmap)
 {
 	if (MACHINE_HAS_IDTE)
-		__tlb_flush_asce(gmap->mm, (unsigned long) gmap->table |
+		__tlb_flush_idte((unsigned long) gmap->table |
 				 _ASCE_TYPE_REGION1);
 	else
 		__tlb_flush_global();
@@ -221,7 +221,7 @@ void gmap_free(struct gmap *gmap)
 
 	/* Flush tlb. */
 	if (MACHINE_HAS_IDTE)
-		__tlb_flush_asce(gmap->mm, (unsigned long) gmap->table |
+		__tlb_flush_idte((unsigned long) gmap->table |
 				 _ASCE_TYPE_REGION1);
 	else
 		__tlb_flush_global();
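Review bot: In gmap_free() the block under "/* Flush tlb. */" is now
line for line the same as the body of gmap_flush_tlb() in the previous
hunk. Calling gmap_flush_tlb(gmap) here would leave one place to change
the next time the flush primitive changes, which is the change this
patch had to make twice.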

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 058/346] posix_cpu_timer: Exit early when process has been reaped
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 133/346] drm/nouveau/acpi: check for function 0x1B before using it Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 290/346] sparc32: fix copy_from_user() Ben Hutchings
                   ` (175 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Gleixner, Alexey Dobriyan

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Dobriyan <adobriyan@gmail.com>

commit 2c13ce8f6b2f6fd9ba2f9261b1939fc0f62d1307 upstream.

Variable "now" seems to be genuinely used uninitialized
if branch

	if (CPUCLOCK_PERTHREAD(timer->it_clock)) {

is not taken and branch

	if (unlikely(sighand == NULL)) {

is taken. In this case the process has been reaped and the timer is marked as
disarmed anyway. So none of the postprocessing of the sample is
required. Return right away.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Link: http://lkml.kernel.org/r/20160707223911.GA26483@p183.telecom.by
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/posix-cpu-timers.c | 1 +
 1 file changed, 1 insertion(+)

--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
@@ -798,6 +798,7 @@ static void posix_cpu_timer_get(struct k
 			timer->it.cpu.expires = 0;
 			sample_to_timespec(timer->it_clock, timer->it.cpu.expires,
 					   &itp->it_value);
+			return;
 		} else {
 			cpu_timer_sample_group(timer->it_clock, p, &now);
 			unlock_task_sighand(p, &flags);
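Review bot: The added "return;" in the first branch is what keeps the
code after this if/else from reading "now" uninitialized, but nothing at
the site says so. A one-line comment above the return (process reaped,
timer already disarmed, no sample to post-process) would stop a later
cleanup from removing it as a redundant early exit.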

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 002/346] HID: uhid: fix timeout when probe races with IO
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 246/346] l2tp: fix use-after-free during module unload Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 306/346] xfrm: Fix memory leak of aead algorithm name Ben Hutchings
                   ` (288 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jiri Kosina, Roderick Colenbrander

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roderick Colenbrander <roderick.colenbrander@sony.com>

commit 67f8ecc550b5bda03335f845dc869b8501d25fd0 upstream.

Many devices use userspace bluetooth stacks like BlueZ or Bluedroid in combination
with uhid. If any of these stacks is used with a HID device for which the driver
performs a HID request as part of .probe (or technically another HID operation),
this results in a deadlock situation. The deadlock results in a 5 second timeout
for I/O operations in HID drivers, so isn't fatal, but none of the I/O operations
have a chance of succeeding.

The root cause for the problem is that uhid only allows for one request to be
processed at a time per uhid instance and locks out other operations. This means
that if a user space is creating a new HID device through 'UHID_CREATE', which
ultimately triggers '.probe' through the HID layer. Then any HID request e.g. a
read for calibration data would trigger a HID operation on uhid again, but it
won't go out to userspace, because it is still stuck in UHID_CREATE.
In addition bluetooth stacks are typically single threaded, so they wouldn't be
able to handle any requests while waiting on uhid.

Luckily the UHID spec is somewhat flexible and allows for fixing the issue,
without breaking user space. The idea which the patch implements as discussed
with David Herrmann is to decouple adding of a hid device (which triggers .probe)
from UHID_CREATE. The work will kick off roughly once UHID_CREATE completed (or
else will wait a tiny bit of time in .probe for a lock). A HID driver has to call
HID to call 'hid_hw_start()' as part of .probe once it is ready for I/O, which
triggers UHID_START to user space. Any HID operations should function now within
.probe and won't deadlock because userspace is stuck on UHID_CREATE.

We verified this patch on Bluedroid with Android 6.0 and on desktop Linux with
BlueZ stacks. Prior to the patch they had the deadlock issue.

[jkosina@suse.cz: reword subject]
Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/uhid.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -49,10 +49,26 @@ struct uhid_device {
 	atomic_t report_done;
 	atomic_t report_id;
 	struct uhid_event report_buf;
+	struct work_struct worker;
 };
 
 static struct miscdevice uhid_misc;
 
+static void uhid_device_add_worker(struct work_struct *work)
+{
+	struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
+	int ret;
+
+	ret = hid_add_device(uhid->hid);
+	if (ret) {
+		hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
+
+		hid_destroy_device(uhid->hid);
+		uhid->hid = NULL;
+		uhid->running = false;
+	}
+}
+
 static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
 {
 	__u8 newhead;
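Review bot: uhid_device_add_worker() clears uhid->hid and uhid->running
on failure without taking any lock, and it runs from the workqueue,
outside the devlock that the comment added in uhid_dev_create2() says is
held by uhid_char_write. Please state, in a comment on the worker, what
serialises these two writes against the other users of uhid->running and
uhid->hid.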
@@ -471,18 +487,14 @@ static int uhid_dev_create2(struct uhid_
 	uhid->hid = hid;
 	uhid->running = true;
 
-	ret = hid_add_device(hid);
-	if (ret) {
-		hid_err(hid, "Cannot register HID device\n");
-		goto err_hid;
-	}
+	/* Adding of a HID device is done through a worker, to allow HID drivers
+	 * which use feature requests during .probe to work, without they would
+	 * be blocked on devlock, which is held by uhid_char_write.
+	 */
+	schedule_work(&uhid->worker);
 
 	return 0;
 
-err_hid:
-	hid_destroy_device(hid);
-	uhid->hid = NULL;
-	uhid->running = false;
 err_free:
 	kfree(uhid->rd_data);
 	return ret;
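Review bot: With hid_add_device() moved into the worker,
uhid_dev_create2() returns 0 before registration has been attempted, so
a registration failure is now reported only through hid_err() in the
worker and never reaches the writer of UHID_CREATE. The commit message
should say how user space is expected to notice that case. The new
comment also reads awkwardly at "without they would be blocked on
devlock"; "which would otherwise block on devlock" is clearer.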
@@ -499,6 +511,8 @@ static int uhid_dev_destroy(struct uhid_
 	atomic_set(&uhid->report_done, 1);
 	wake_up_interruptible(&uhid->report_wait);
 
+	cancel_work_sync(&uhid->worker);
+
 	hid_destroy_device(uhid->hid);
 	kfree(uhid->rd_data);
 
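Review bot: After cancel_work_sync() returns, hid_destroy_device(uhid->hid)
still runs unconditionally, but the worker's failure path has already
called hid_destroy_device() and set uhid->hid to NULL. Unless a check
outside this hunk rules that state out, please confirm the call
tolerates it, or skip the destroy when uhid->hid is NULL.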
@@ -567,6 +581,7 @@ static int uhid_char_open(struct inode *
 	init_waitqueue_head(&uhid->report_wait);
 	uhid->running = false;
 	atomic_set(&uhid->report_done, 1);
+	INIT_WORK(&uhid->worker, uhid_device_add_worker);
 
 	file->private_data = uhid;
 	nonseekable_open(inode, file);

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 068/346] USB: quirks: Fix another ELAN touchscreen
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 073/346] drm/radeon: support backlight control for UNIPHY3 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 199/346] net/mlx5: Added missing check of msg length in verifying its signature Ben Hutchings
                   ` (94 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Adrien Vergé, Greg Kroah-Hartman

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adrien Vergé <adrienverge@gmail.com>

commit df36c5bede207f734e4750beb2b14fb892050280 upstream.

Like other buggy models that had their fixes [1], the touchscreen with
id 04f3:21b8 from ELAN Microelectronics needs the device-qualifier
quirk. Otherwise, it fails to respond, blocks the boot for a random
amount of time and pollutes dmesg with:

[ 2887.373196] usb 1-5: new full-speed USB device number 41 using xhci_hcd
[ 2889.502000] usb 1-5: unable to read config index 0 descriptor/start: -71
[ 2889.502005] usb 1-5: can't read configurations, error -71
[ 2889.654571] usb 1-5: new full-speed USB device number 42 using xhci_hcd
[ 2891.783438] usb 1-5: unable to read config index 0 descriptor/start: -71
[ 2891.783443] usb 1-5: can't read configurations, error -71

[1]: See commits c68929f, 876af5d, d749947, a32c99e and dc703ec.

Tested-by: Adrien Vergé <adrienverge@gmail.com>
Signed-off-by: Adrien Vergé <adrienverge@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -125,6 +125,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x04f3, 0x016f), .driver_info =
 			USB_QUIRK_DEVICE_QUALIFIER },
 
+	{ USB_DEVICE(0x04f3, 0x21b8), .driver_info =
+			USB_QUIRK_DEVICE_QUALIFIER },
+
 	/* Roland SC-8820 */
 	{ USB_DEVICE(0x0582, 0x0007), .driver_info = USB_QUIRK_RESET_RESUME },
 
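Review bot: The new 0x04f3:0x21b8 entry has no comment naming the
device, while the entry that follows it is labelled
("/* Roland SC-8820 */"). A short comment identifying it as an ELAN
touchscreen, as the commit message does, would keep the table searchable
by device name.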

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 072/346] KVM: nVMX: Fix memory corruption when using VMCS shadowing
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 204/346] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 188/346] xhci: always handle "Command Ring Stopped" events Ben Hutchings
                   ` (117 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jim Mattson, Paolo Bonzini

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Mattson <jmattson@google.com>

commit 2f1fe81123f59271bddda673b60116bde9660385 upstream.

When freeing the nested resources of a vcpu, there is an assumption that
the vcpu's vmcs01 is the current VMCS on the CPU that executes
nested_release_vmcs12(). If this assumption is violated, the vcpu's
vmcs01 may be made active on multiple CPUs at the same time, in
violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
not VMCLEARed on every CPU on which it is active, it can linger in a
CPU's VMCS cache after it has been freed and potentially
repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
miss can result in memory corruption.

It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
the vcpu in question was last loaded on a different CPU, it must be
migrated to the current CPU before calling vmx_load_vmcs01().

Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/vmx.c  | 19 +++++++++++++++++--
 virt/kvm/kvm_main.c |  2 ++
 2 files changed, 19 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7578,14 +7578,29 @@ static void vmx_load_vmcs01(struct kvm_v
 	put_cpu();
 }
 
+/*
+ * Ensure that the current vmcs of the logical processor is the
+ * vmcs01 of the vcpu before calling free_nested().
+ */
+static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
+{
+       struct vcpu_vmx *vmx = to_vmx(vcpu);
+       int r;
+
+       r = vcpu_load(vcpu);
+       BUG_ON(r);
+       vmx_load_vmcs01(vcpu);
+       free_nested(vmx);
+       vcpu_put(vcpu);
+}
+
 static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_vmx *vmx = to_vmx(vcpu);
 
 	free_vpid(vmx);
 	leave_guest_mode(vcpu);
-	vmx_load_vmcs01(vcpu);
-	free_nested(vmx);
+	vmx_free_vcpu_nested(vcpu);
 	free_loaded_vmcs(vmx->loaded_vmcs);
 	kfree(vmx->guest_msrs);
 	kvm_vcpu_uninit(vcpu);
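Review bot: vmx_free_vcpu_nested() treats a failing vcpu_load() as fatal
with BUG_ON(r), which turns any error return on the vcpu free path into
a host crash. Please document why vcpu_load() cannot fail at this point,
or handle the error. The body of the new function is also indented with
spaces where the surrounding code in this hunk uses tabs.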
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -137,6 +137,7 @@ int vcpu_load(struct kvm_vcpu *vcpu)
 	put_cpu();
 	return 0;
 }
+EXPORT_SYMBOL_GPL(vcpu_load);
 
 void vcpu_put(struct kvm_vcpu *vcpu)
 {
@@ -146,6 +147,7 @@ void vcpu_put(struct kvm_vcpu *vcpu)
 	preempt_enable();
 	mutex_unlock(&vcpu->mutex);
 }
+EXPORT_SYMBOL_GPL(vcpu_put);
 
 static void ack_flush(void *_completed)
 {

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 039/346] batman-adv: Fix non-atomic bla_claim::backbone_gw access
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 298/346] USB: change bInterval default to 10 ms Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 028/346] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Ben Hutchings
                   ` (316 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Simon Wunderlich, Marek Lindner

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 3db0decf1185357d6ab2256d0dede1ca9efda03d upstream.

The pointer batadv_bla_claim::backbone_gw can be changed at any time.
Therefore, access to it must be protected to ensure that two functions
accessing the same backbone_gw are actually accessing the same. This is
especially important when the crc_lock is used or when the backbone_gw of a
claim is exchanged.

Not doing so leads to invalid memory access and/or reference leaks.

Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Fixes: 5a1dd8a4773d ("batman-adv: lock crc access in bridge loop avoidance")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - s/kref_get/atomic_inc/
 - s/_put/_free_ref/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/bridge_loop_avoidance.c | 111 ++++++++++++++++++++++++++-------
 net/batman-adv/types.h                 |   2 +
 2 files changed, 90 insertions(+), 23 deletions(-)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -115,7 +115,18 @@ batadv_backbone_gw_free_ref(struct batad
 /* finally deinitialize the claim */
 static void batadv_claim_release(struct batadv_bla_claim *claim)
 {
-	batadv_backbone_gw_free_ref(claim->backbone_gw);
+	struct batadv_bla_backbone_gw *old_backbone_gw;
+	spin_lock_bh(&claim->backbone_lock);
+	old_backbone_gw = claim->backbone_gw;
+	claim->backbone_gw = NULL;
+	spin_unlock_bh(&claim->backbone_lock);
+
+	spin_lock_bh(&old_backbone_gw->crc_lock);
+	old_backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+	spin_unlock_bh(&old_backbone_gw->crc_lock);
+
+	batadv_backbone_gw_free_ref(old_backbone_gw);
+
 	kfree_rcu(claim, rcu);
 }
 
@@ -563,8 +574,10 @@ static void batadv_bla_add_claim(struct
 				 const uint8_t *mac, const unsigned short vid,
 				 struct batadv_bla_backbone_gw *backbone_gw)
 {
+	struct batadv_bla_backbone_gw *old_backbone_gw;
 	struct batadv_bla_claim *claim;
 	struct batadv_bla_claim search_claim;
+	bool remove_crc = false;
 	int hash_added;
 
 	ether_addr_copy(search_claim.addr, mac);
@@ -578,8 +591,10 @@ static void batadv_bla_add_claim(struct
 			return;
 
 		ether_addr_copy(claim->addr, mac);
+		spin_lock_init(&claim->backbone_lock);
 		claim->vid = vid;
 		claim->lasttime = jiffies;
+		atomic_inc(&backbone_gw->refcount);
 		claim->backbone_gw = backbone_gw;
 
 		atomic_set(&claim->refcount, 2);
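Review bot: The atomic_inc(&backbone_gw->refcount) added in this
new-claim branch looks like a double count next to the atomic_inc() that
follows under backbone_lock in the next hunk. It balances only because
that hunk then drops old_backbone_gw unconditionally, and for a new
claim old_backbone_gw is the same object. A comment here saying that
this reference is the one later released as old_backbone_gw would make
the accounting checkable at a glance.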
@@ -606,15 +621,26 @@ static void batadv_bla_add_claim(struct
 			   "bla_add_claim(): changing ownership for %pM, vid %d\n",
 			   mac, BATADV_PRINT_VID(vid));
 
-		spin_lock_bh(&claim->backbone_gw->crc_lock);
-		claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
-		spin_unlock_bh(&claim->backbone_gw->crc_lock);
-		batadv_backbone_gw_free_ref(claim->backbone_gw);
+		remove_crc = true;
 	}
-	/* set (new) backbone gw */
+
+	/* replace backbone_gw atomically and adjust reference counters */
+	spin_lock_bh(&claim->backbone_lock);
+	old_backbone_gw = claim->backbone_gw;
 	atomic_inc(&backbone_gw->refcount);
 	claim->backbone_gw = backbone_gw;
+	spin_unlock_bh(&claim->backbone_lock);
+
+	if (remove_crc) {
+		/* remove claim address from old backbone_gw */
+		spin_lock_bh(&old_backbone_gw->crc_lock);
+		old_backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+		spin_unlock_bh(&old_backbone_gw->crc_lock);
+	}
 
+	batadv_backbone_gw_free_ref(old_backbone_gw);
+
+	/* add claim address to new backbone_gw */
 	spin_lock_bh(&backbone_gw->crc_lock);
 	backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
 	spin_unlock_bh(&backbone_gw->crc_lock);
@@ -624,6 +650,26 @@ claim_free_ref:
 	batadv_claim_free_ref(claim);
 }
 
+/**
+ * batadv_bla_claim_get_backbone_gw - Get valid reference for backbone_gw of
+ *  claim
+ * @claim: claim whose backbone_gw should be returned
+ *
+ * Return: valid reference to claim::backbone_gw
+ */
+static struct batadv_bla_backbone_gw *
+batadv_bla_claim_get_backbone_gw(struct batadv_bla_claim *claim)
+{
+	struct batadv_bla_backbone_gw *backbone_gw;
+
+	spin_lock_bh(&claim->backbone_lock);
+	backbone_gw = claim->backbone_gw;
+	atomic_inc(&backbone_gw->refcount);
+	spin_unlock_bh(&claim->backbone_lock);
+
+	return backbone_gw;
+}
+
 /* Delete a claim from the claim hash which has the
  * given mac address and vid.
  */
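Review bot: batadv_bla_claim_get_backbone_gw() dereferences
claim->backbone_gw without a NULL check, yet batadv_claim_release() in
this same patch sets that pointer to NULL under backbone_lock before
kfree_rcu(). The callers that walk the hash with
hlist_for_each_entry_rcu() take no reference on the claim in the code
shown here, so please explain what prevents them from reaching a claim
that is already being released, or return NULL from this helper and have
the callers handle it.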
@@ -645,10 +691,6 @@ static void batadv_bla_del_claim(struct
 			   batadv_choose_claim, claim);
 	batadv_claim_free_ref(claim); /* reference from the hash is gone */
 
-	spin_lock_bh(&claim->backbone_gw->crc_lock);
-	claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
-	spin_unlock_bh(&claim->backbone_gw->crc_lock);
-
 	/* don't need the reference from hash_find() anymore */
 	batadv_claim_free_ref(claim);
 }
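Review bot: Dropping the crc update from batadv_bla_del_claim() and
doing it in batadv_claim_release() moves the point at which the backbone
gateway's crc stops covering the claim from hash removal to the drop of
the last claim reference. Any context still holding a claim reference
now delays that update, so the commit message or a comment in
batadv_claim_release() should state that this change in timing is
intended.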
@@ -1059,6 +1101,7 @@ static void batadv_bla_purge_claims(stru
 				    struct batadv_hard_iface *primary_if,
 				    int now)
 {
+	struct batadv_bla_backbone_gw *backbone_gw;
 	struct batadv_bla_claim *claim;
 	struct hlist_head *head;
 	struct batadv_hashtable *hash;
@@ -1073,14 +1116,17 @@ static void batadv_bla_purge_claims(stru
 
 		rcu_read_lock();
 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
+			backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
 			if (now)
 				goto purge_now;
-			if (!batadv_compare_eth(claim->backbone_gw->orig,
+
+			if (!batadv_compare_eth(backbone_gw->orig,
 						primary_if->net_dev->dev_addr))
-				continue;
+				goto skip;
+
 			if (!batadv_has_timed_out(claim->lasttime,
 						  BATADV_BLA_CLAIM_TIMEOUT))
-				continue;
+				goto skip;
 
 			batadv_dbg(BATADV_DBG_BLA, bat_priv,
 				   "bla_purge_claims(): %pM, vid %d, time out\n",
@@ -1088,8 +1134,10 @@ static void batadv_bla_purge_claims(stru
 
 purge_now:
 			batadv_handle_unclaim(bat_priv, primary_if,
-					      claim->backbone_gw->orig,
+					      backbone_gw->orig,
 					      claim->addr, claim->vid);
+skip:
+			batadv_backbone_gw_free_ref(backbone_gw);
 		}
 		rcu_read_unlock();
 	}
@@ -1476,9 +1524,11 @@ void batadv_bla_free(struct batadv_priv
 int batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
 		  unsigned short vid, bool is_bcast)
 {
+	struct batadv_bla_backbone_gw *backbone_gw;
 	struct ethhdr *ethhdr;
 	struct batadv_bla_claim search_claim, *claim = NULL;
 	struct batadv_hard_iface *primary_if;
+	bool own_claim;
 	int ret;
 
 	ethhdr = eth_hdr(skb);
@@ -1511,8 +1561,12 @@ int batadv_bla_rx(struct batadv_priv *ba
 	}
 
 	/* if it is our own claim ... */
-	if (batadv_compare_eth(claim->backbone_gw->orig,
-			       primary_if->net_dev->dev_addr)) {
+	backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+	own_claim = batadv_compare_eth(backbone_gw->orig,
+				       primary_if->net_dev->dev_addr);
+	batadv_backbone_gw_free_ref(backbone_gw);
+
+	if (own_claim) {
 		/* ... allow it in any case */
 		claim->lasttime = jiffies;
 		goto allow;
@@ -1575,7 +1629,9 @@ int batadv_bla_tx(struct batadv_priv *ba
 {
 	struct ethhdr *ethhdr;
 	struct batadv_bla_claim search_claim, *claim = NULL;
+	struct batadv_bla_backbone_gw *backbone_gw;
 	struct batadv_hard_iface *primary_if;
+	bool client_roamed;
 	int ret = 0;
 
 	primary_if = batadv_primary_if_get_selected(bat_priv);
@@ -1605,8 +1661,12 @@ int batadv_bla_tx(struct batadv_priv *ba
 		goto allow;
 
 	/* check if we are responsible. */
-	if (batadv_compare_eth(claim->backbone_gw->orig,
-			       primary_if->net_dev->dev_addr)) {
+	backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+	client_roamed = batadv_compare_eth(backbone_gw->orig,
+					   primary_if->net_dev->dev_addr);
+	batadv_backbone_gw_free_ref(backbone_gw);
+
+	if (client_roamed) {
 		/* if yes, the client has roamed and we have
 		 * to unclaim it.
 		 */
@@ -1647,6 +1707,7 @@ int batadv_bla_claim_table_seq_print_tex
 	struct net_device *net_dev = (struct net_device *)seq->private;
 	struct batadv_priv *bat_priv = netdev_priv(net_dev);
 	struct batadv_hashtable *hash = bat_priv->bla.claim_hash;
+	struct batadv_bla_backbone_gw *backbone_gw;
 	struct batadv_bla_claim *claim;
 	struct batadv_hard_iface *primary_if;
 	struct hlist_head *head;
@@ -1671,17 +1732,21 @@ int batadv_bla_claim_table_seq_print_tex
 
 		rcu_read_lock();
 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
-			is_own = batadv_compare_eth(claim->backbone_gw->orig,
+			backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+
+			is_own = batadv_compare_eth(backbone_gw->orig,
 						    primary_addr);
 
-			spin_lock_bh(&claim->backbone_gw->crc_lock);
-			backbone_crc = claim->backbone_gw->crc;
-			spin_unlock_bh(&claim->backbone_gw->crc_lock);
+			spin_lock_bh(&backbone_gw->crc_lock);
+			backbone_crc = backbone_gw->crc;
+			spin_unlock_bh(&backbone_gw->crc_lock);
 			seq_printf(seq, " * %pM on %5d by %pM [%c] (%#.4x)\n",
 				   claim->addr, BATADV_PRINT_VID(claim->vid),
-				   claim->backbone_gw->orig,
+				   backbone_gw->orig,
 				   (is_own ? 'x' : ' '),
 				   backbone_crc);
+
+			batadv_backbone_gw_free_ref(backbone_gw);
 		}
 		rcu_read_unlock();
 	}
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -895,6 +895,7 @@ struct batadv_bla_backbone_gw {
  * @addr: mac address of claimed non-mesh client
  * @vid: vlan id this client was detected on
  * @backbone_gw: pointer to backbone gw claiming this client
+ * @backbone_lock: lock protecting backbone_gw pointer
  * @lasttime: last time we heard of claim (locals only)
  * @hash_entry: hlist node for batadv_priv_bla::claim_hash
  * @refcount: number of contexts the object is used
@@ -904,6 +905,7 @@ struct batadv_bla_claim {
 	uint8_t addr[ETH_ALEN];
 	unsigned short vid;
 	struct batadv_bla_backbone_gw *backbone_gw;
+	spinlock_t backbone_lock; /* protects backbone_gw */
 	unsigned long lasttime;
 	struct hlist_node hash_entry;
 	struct rcu_head rcu;

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 047/346] drm/radeon: Poll for both connect/disconnect on analog connectors
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 161/346] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 143/346] sysv, ipc: fix security-layer leaking Ben Hutchings
                   ` (260 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lyude, Alex Deucher

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude <cpaul@redhat.com>

commit 14ff8d48f2235295dfb3117693008e367b49cdb5 upstream.

DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
disconnections. Because of this, we end up losing hotplug polling for
analog connectors once they get connected.

Easy way to reproduce:
 - Grab a machine with a radeon GPU and a VGA port
 - Plug a monitor into the VGA port, wait for it to update the connector
   from disconnected to connected
 - Disconnect the monitor on VGA, a hotplug event is never sent for the
   removal of the connector.

Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
idea since doing VGA polling can sometimes result in having to mess with
the DAC voltages to figure out whether or not there's actually something
there since VGA doesn't have HPD. Doing this would have the potential of
showing visible artifacts on the screen every time we ran a poll while a
VGA display was connected. Luckily, radeon_vga_detect() only resorts to
this sort of polling if the poll is forced, and DRM's polling helper
doesn't force its polls.

Additionally, this removes some assignments to connector->polled that
weren't actually doing anything.

Signed-off-by: Lyude <cpaul@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_connectors.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -1835,7 +1835,6 @@ radeon_add_atom_connector(struct drm_dev
 						      1);
 			/* no HPD on analog connectors */
 			radeon_connector->hpd.hpd = RADEON_HPD_NONE;
-			connector->polled = DRM_CONNECTOR_POLL_CONNECT;
 			connector->interlace_allowed = true;
 			connector->doublescan_allowed = true;
 			break;
@@ -2060,8 +2059,10 @@ radeon_add_atom_connector(struct drm_dev
 	}
 
 	if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
-		if (i2c_bus->valid)
-			connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+		if (i2c_bus->valid) {
+			connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+			                    DRM_CONNECTOR_POLL_DISCONNECT;
+		}
 	} else
 		connector->polled = DRM_CONNECTOR_POLL_HPD;
 
@@ -2137,7 +2138,6 @@ radeon_add_legacy_connector(struct drm_d
 					      1);
 		/* no HPD on analog connectors */
 		radeon_connector->hpd.hpd = RADEON_HPD_NONE;
-		connector->polled = DRM_CONNECTOR_POLL_CONNECT;
 		connector->interlace_allowed = true;
 		connector->doublescan_allowed = true;
 		break;
@@ -2222,10 +2222,13 @@ radeon_add_legacy_connector(struct drm_d
 	}
 
 	if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
-		if (i2c_bus->valid)
-			connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+		if (i2c_bus->valid) {
+			connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+			                    DRM_CONNECTOR_POLL_DISCONNECT;
+		}
 	} else
 		connector->polled = DRM_CONNECTOR_POLL_HPD;
+
 	connector->display_info.subpixel_order = subpixel_order;
 	drm_sysfs_connector_add(connector);
 }
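Review bot: In the RADEON_HPD_NONE branch, connector->polled is assigned
only when i2c_bus->valid is true, and the earlier per-connector-type
assignments ("connector->polled = DRM_CONNECTOR_POLL_CONNECT;") are
removed by this patch, so an analog connector without a valid i2c bus
now keeps whatever value polled had before instead of POLL_CONNECT. If
no polling is the intended result for that case, say so in a comment
next to the i2c_bus->valid test.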

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 049/346] ALSA: pcm: Free chmap at PCM free callback, too
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 117/346] CIFS: Fix a possible invalid memory access in smb2_query_symlink() Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 174/346] usb: misc: usbtest: add fix for driver hang Ben Hutchings
                   ` (242 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Laxminath Kasam, Takashi Iwai

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit a8ff48cb70835f48de5703052760312019afea55 upstream.

The chmap ctls assigned to PCM streams are freed in the PCM disconnect
callback.  However, since the disconnect callback isn't called when
the card gets freed before registering, the chmap ctls may still be
left assigned.  They are eventually freed together with other ctls,
but it may cause an Oops at pcm_chmap_ctl_private_free(), as the
function refers to the assigned PCM stream, while the PCM objects have
been already freed beforehand.

The fix is to free the chmap ctls also at PCM free callback, not only
at PCM disconnect.

Reported-by: Laxminath Kasam <b_lkasam@codeaurora.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/pcm.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -806,6 +806,14 @@ int snd_pcm_new_internal(struct snd_card
 }
 EXPORT_SYMBOL(snd_pcm_new_internal);
 
+static void free_chmap(struct snd_pcm_str *pstr)
+{
+	if (pstr->chmap_kctl) {
+		snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl);
+		pstr->chmap_kctl = NULL;
+	}
+}
+
 static void snd_pcm_free_stream(struct snd_pcm_str * pstr)
 {
 	struct snd_pcm_substream *substream, *substream_next;
@@ -828,6 +836,7 @@ static void snd_pcm_free_stream(struct s
 		kfree(setup);
 	}
 #endif
+	free_chmap(pstr);
 }
 
 static int snd_pcm_free(struct snd_pcm *pcm)
@@ -1142,10 +1151,7 @@ static int snd_pcm_dev_disconnect(struct
 			break;
 		}
 		snd_unregister_device(devtype, pcm->card, pcm->device);
-		if (pcm->streams[cidx].chmap_kctl) {
-			snd_ctl_remove(pcm->card, pcm->streams[cidx].chmap_kctl);
-			pcm->streams[cidx].chmap_kctl = NULL;
-		}
+		free_chmap(&pcm->streams[cidx]);
 	}
 	mutex_unlock(&pcm->open_mutex);
  unlock:

* [PATCH 3.16 066/346] net: ethoc: Fix early error paths
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 386512d18b268c6182903239f9f3390f03ce4c7b upstream.

In case any operation fails before we can successfully go to the point
where we would register an MDIO bus, we would be going to an error label
which involves unregistering then freeing this yet to be created MDIO
bus. Update all error paths to go to label free which is the only one
valid until either the clock is enabled, or the MDIO bus is allocated
and registered. This fixes kernel oops observed while trying to
dereference the MDIO bus structure which is not yet allocated.

Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ethoc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/ethoc.c
+++ b/drivers/net/ethernet/ethoc.c
@@ -1080,7 +1080,7 @@ static int ethoc_probe(struct platform_d
 	if (!priv->iobase) {
 		dev_err(&pdev->dev, "cannot remap I/O memory space\n");
 		ret = -ENXIO;
-		goto error;
+		goto free;
 	}
 
 	if (netdev->mem_end) {
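Review bot: the label names carry the whole fix here, and neither `error` nor `free` says what it undoes. The commit message explains that `error` unregisters and frees the MDIO bus and that only `free` is valid before the bus exists; naming the labels after the resource they release would keep the next early failure path from picking the wrong one.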
@@ -1089,7 +1089,7 @@ static int ethoc_probe(struct platform_d
 		if (!priv->membase) {
 			dev_err(&pdev->dev, "cannot remap memory space\n");
 			ret = -ENXIO;
-			goto error;
+			goto free;
 		}
 	} else {
 		/* Allocate buffer memory */
@@ -1100,7 +1100,7 @@ static int ethoc_probe(struct platform_d
 			dev_err(&pdev->dev, "cannot allocate %dB buffer\n",
 				buffer_size);
 			ret = -ENOMEM;
-			goto error;
+			goto free;
 		}
 		netdev->mem_end = netdev->mem_start + buffer_size;
 		priv->dma_alloc = buffer_size;
@@ -1111,7 +1111,7 @@ static int ethoc_probe(struct platform_d
 		128, (netdev->mem_end - netdev->mem_start + 1) / ETHOC_BUFSIZ);
 	if (num_bd < 4) {
 		ret = -ENODEV;
-		goto error;
+		goto free;
 	}
 	priv->num_bd = num_bd;
 	/* num_tx must be a power of two */
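Review bot: the `num_bd < 4` branch returns -ENODEV without a dev_err(), unlike the remap and buffer failures earlier in this patch, so a probe that fails here leaves nothing in the log. This branch can also be reached after the buffer recorded in `priv->dma_alloc` was allocated, so confirm that the `free` label, or a managed allocation, releases it.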
@@ -1124,7 +1124,7 @@ static int ethoc_probe(struct platform_d
 	priv->vma = devm_kzalloc(&pdev->dev, num_bd*sizeof(void *), GFP_KERNEL);
 	if (!priv->vma) {
 		ret = -ENOMEM;
-		goto error;
+		goto free;
 	}
 
 	/* Allow the platform setup code to pass in a MAC address. */

* [PATCH 3.16 043/346] iwlwifi: pcie: fix access to scratch buffer
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sara Sharon, Luca Coelho

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sara Sharon <sara.sharon@intel.com>

commit d5d0689aefc59c6a5352ca25d7e6d47d03f543ce upstream.

This fixes a pretty ancient bug that hasn't manifested itself
until now.
The scratchbuf for command queue is allocated only for 32 slots
but is accessed with the queue write pointer - which can be
up to 256.
Since the scratch buf size was 16 and there are up to 256 TFDs
we never passed a page boundary when accessing the scratch buffer,
but when attempting to increase the size of the scratch buffer a
panic was quick to follow when trying to access the address resulted
in a page boundary.

Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Fixes: 38c0f334b359 ("iwlwifi: use coherent DMA memory for command header")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/iwlwifi/pcie/tx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
@@ -1364,9 +1364,9 @@ static int iwl_pcie_enqueue_hcmd(struct
 
 	/* start the TFD with the scratchbuf */
 	scratch_size = min_t(int, copy_size, IWL_HCMD_SCRATCHBUF_SIZE);
-	memcpy(&txq->scratchbufs[q->write_ptr], &out_cmd->hdr, scratch_size);
+	memcpy(&txq->scratchbufs[idx], &out_cmd->hdr, scratch_size);
 	iwl_pcie_txq_build_tfd(trans, txq,
-			       iwl_pcie_get_scratchbuf_dma(txq, q->write_ptr),
+			       iwl_pcie_get_scratchbuf_dma(txq, idx),
 			       scratch_size, true);
 
 	/* map first command fragment, if any remains */
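Review bot: `idx` is neither defined nor bounded in this hunk, so the reader cannot tell from the change that it stays inside the scratchbufs allocation. The commit message says the array has 32 slots while `q->write_ptr` can reach 256; a short comment at the memcpy() stating how `idx` is derived from the write pointer, or a WARN_ON against the slot count, would document the invariant that was violated. The CPU copy and the DMA address must always use the same index, as they do here.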

* [PATCH 3.16 017/346] IB/mlx5: Fix MODIFY_QP command input structure
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Artemy Kovalyov, Doug Ledford, Leon Romanovsky

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Artemy Kovalyov <artemyko@mellanox.com>

commit e3353c268b06236d6c40fa1714c114f21f44451c upstream.

Make MODIFY_QP command input structure compliant to specification

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/mlx5/qp.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/mlx5/qp.h
+++ b/include/linux/mlx5/qp.h
@@ -442,9 +442,9 @@ struct mlx5_destroy_qp_mbox_out {
 struct mlx5_modify_qp_mbox_in {
 	struct mlx5_inbox_hdr	hdr;
 	__be32			qpn;
-	u8			rsvd1[4];
-	__be32			optparam;
 	u8			rsvd0[4];
+	__be32			optparam;
+	u8			rsvd1[4];
 	struct mlx5_qp_context	ctx;
 	u8			rsvd2[16];
 };
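Review bot: as far as this hunk shows, the byte layout is the same before and after: four reserved bytes, `optparam`, four reserved bytes, with only the names `rsvd0` and `rsvd1` swapping places. If no offset changes, the commit message should say so, or name the specification field this corrects, since a rename alone does not alter what the device receives.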

* [PATCH 3.16 010/346] random: print a warning for the first ten uninitialized random users
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 9b4d008787f864f17d008c9c15bbe8a0f7e2fc24 upstream.

Since systemd is consistently using /dev/urandom before it is
initialized, we can't see the other potentially dangerous users of
/dev/urandom immediately after boot.  So print the first ten such
complaints instead.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/random.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1379,12 +1379,16 @@ random_read(struct file *file, char __us
 static ssize_t
 urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
 {
+	static int maxwarn = 10;
 	int ret;
 
-	if (unlikely(nonblocking_pool.initialized == 0))
-		printk_once(KERN_NOTICE "random: %s urandom read "
-			    "with %d bits of entropy available\n",
-			    current->comm, nonblocking_pool.entropy_total);
+	if (unlikely(nonblocking_pool.initialized == 0) &&
+	    maxwarn > 0) {
+		maxwarn--;
+		printk(KERN_NOTICE "random: %s: uninitialized urandom read "
+		       "(%zd bytes read, %d bits of entropy available)\n",
+		       current->comm, nbytes, nonblocking_pool.entropy_total);
+	}
 
 	nbytes = min_t(size_t, nbytes, INT_MAX >> (ENTROPY_SHIFT + 3));
 	ret = extract_entropy_user(&nonblocking_pool, buf, nbytes);
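Review bot: `nbytes` is a size_t but the new printk() formats it with `%zd`; use `%zu`. The message also says "bytes read" while it prints the requested length before the `min_t()` clamp on the following line, so it can overstate what was returned. `maxwarn` is a plain static int tested and decremented with no lock or atomic, so concurrent early readers can print a few more than ten lines; harmless, but worth a comment.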

* [PATCH 3.16 045/346] batman-adv: Fix speedy join in gateway client mode
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marek Lindner, Simon Wunderlich, Sven Eckelmann, Antonio Quartulli

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit d1fe176ca51fa3cb35f70c1d876d9a090e9befce upstream.

Speedy join only works when the received packet is either broadcast or a
4addr unicast packet. Thus packets converted from broadcast to unicast via
the gateway handling code have to be converted to 4addr packets to allow
the receiving gateway server to add the sender address as temporary entry
to the translation table.

Not doing it will make the batman-adv gateway server drop the DHCP response
in many situations because it doesn't yet have the TT entry for the
destination of the DHCP response.

Fixes: 371351731e9c ("batman-adv: change interface_rx to get orig node")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/send.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -363,8 +363,8 @@ int batadv_send_skb_via_gw(struct batadv
 	struct batadv_orig_node *orig_node;
 
 	orig_node = batadv_gw_get_selected_orig(bat_priv);
-	return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST, 0,
-				       orig_node, vid);
+	return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST_4ADDR,
+				       BATADV_P_DATA, orig_node, vid);
 }
 
 void batadv_schedule_bat_ogm(struct batadv_hard_iface *hard_iface)
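Review bot: the switch to `BATADV_UNICAST_4ADDR` with `BATADV_P_DATA` has no comment in the code, and the reason lives only in the commit message (the gateway server needs a 4addr packet to add the sender as a temporary TT entry). A one-line comment above the call would stop a later cleanup from reverting it to plain unicast. `orig_node` is also passed on unchecked here, so confirm batadv_send_skb_unicast() copes with no gateway being selected.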

* [PATCH 3.16 015/346] crypto: gcm - Filter out async ghash if necessary
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 upstream.

As it is if you ask for a sync gcm you may actually end up with
an async one because it does not filter out async implementations
of ghash.

This patch fixes this by adding the necessary filter when looking
for ghash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/gcm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gc
 
 	ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
 				    CRYPTO_ALG_TYPE_HASH,
-				    CRYPTO_ALG_TYPE_AHASH_MASK);
+				    CRYPTO_ALG_TYPE_AHASH_MASK |
+				    crypto_requires_sync(algt->type,
+							 algt->mask));
 	if (IS_ERR(ghash_alg))
 		return ERR_CAST(ghash_alg);
 
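Review bot: `algt` is used in the new mask but is not declared or checked in this hunk, so confirm it has already been fetched and passed an IS_ERR() test earlier in the function. The sync requirement should hold for every underlying algorithm this template looks up, not only ghash; if there is another lookup in this function, the commit message should state that it already carries the same filter.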

* [PATCH 3.16 009/346] gpio: pca953x: Fix NBANK calculation for PCA9536
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vignesh R, Linus Walleij

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh R <vigneshr@ti.com>

commit a246b8198f776a16d1d3a3bbfc2d437bad766b29 upstream.

NBANK() macro assumes that ngpios is a multiple of 8(BANK_SZ) and
hence results in 0 banks for PCA9536 which has just 4 gpios. This is
wrong as PCA9536 has 1 bank with 4 gpios. This results in uninitialized
PCA953X_INVERT register. Fix this by using DIV_ROUND_UP macro in
NBANK().

Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpio/gpio-pca953x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpio/gpio-pca953x.c
+++ b/drivers/gpio/gpio-pca953x.c
@@ -76,7 +76,7 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id);
 #define MAX_BANK 5
 #define BANK_SZ 8
 
-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ)
+#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ)
 
 struct pca953x_chip {
 	unsigned gpio_start;
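Review bot: the macro argument is not parenthesized in the new definition: `chip->gpio_chip.ngpio` should be `(chip)->gpio_chip.ngpio` so that NBANK() stays correct if it is ever passed an expression. With the count now rounded up, also confirm that no supported part can yield more than `MAX_BANK` banks.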

* [PATCH 3.16 054/346] [media] media: dvb_ringbuffer: Add memory barriers
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Soeren Moch, Mauro Carvalho Chehab

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Soeren Moch <smoch@web.de>

commit ca6e6126db5494f18c6c6615060d4d803b528bff upstream.

Implement memory barriers according to Documentation/circular-buffers.txt:
- use smp_store_release() to update ringbuffer read/write pointers
- use smp_load_acquire() to load write pointer on reader side
- use ACCESS_ONCE() to load read pointer on writer side

This fixes data stream corruptions observed e.g. on an ARM Cortex-A9
quad core system with different types (PCI, USB) of DVB tuners.

Signed-off-by: Soeren Moch <smoch@web.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/dvb-core/dvb_ringbuffer.c | 74 +++++++++++++++++++++++++++------
 1 file changed, 61 insertions(+), 13 deletions(-)

--- a/drivers/media/dvb-core/dvb_ringbuffer.c
+++ b/drivers/media/dvb-core/dvb_ringbuffer.c
@@ -55,7 +55,13 @@ void dvb_ringbuffer_init(struct dvb_ring
 
 int dvb_ringbuffer_empty(struct dvb_ringbuffer *rbuf)
 {
-	return (rbuf->pread==rbuf->pwrite);
+	/* smp_load_acquire() to load write pointer on reader side
+	 * this pairs with smp_store_release() in dvb_ringbuffer_write(),
+	 * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
+	 *
+	 * for memory barriers also see Documentation/circular-buffers.txt
+	 */
+	return (rbuf->pread == smp_load_acquire(&rbuf->pwrite));
 }
 
 
@@ -64,7 +70,12 @@ ssize_t dvb_ringbuffer_free(struct dvb_r
 {
 	ssize_t free;
 
-	free = rbuf->pread - rbuf->pwrite;
+	/* ACCESS_ONCE() to load read pointer on writer side
+	 * this pairs with smp_store_release() in dvb_ringbuffer_read(),
+	 * dvb_ringbuffer_read_user(), dvb_ringbuffer_flush(),
+	 * or dvb_ringbuffer_reset()
+	 */
+	free = ACCESS_ONCE(rbuf->pread) - rbuf->pwrite;
 	if (free <= 0)
 		free += rbuf->size;
 	return free-1;
@@ -76,7 +87,11 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
 {
 	ssize_t avail;
 
-	avail = rbuf->pwrite - rbuf->pread;
+	/* smp_load_acquire() to load write pointer on reader side
+	 * this pairs with smp_store_release() in dvb_ringbuffer_write(),
+	 * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
+	 */
+	avail = smp_load_acquire(&rbuf->pwrite) - rbuf->pread;
 	if (avail < 0)
 		avail += rbuf->size;
 	return avail;
@@ -86,14 +101,25 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
 
 void dvb_ringbuffer_flush(struct dvb_ringbuffer *rbuf)
 {
-	rbuf->pread = rbuf->pwrite;
+	/* dvb_ringbuffer_flush() counts as read operation
+	 * smp_load_acquire() to load write pointer
+	 * smp_store_release() to update read pointer, this ensures that the
+	 * correct pointer is visible for subsequent dvb_ringbuffer_free()
+	 * calls on other cpu cores
+	 */
+	smp_store_release(&rbuf->pread, smp_load_acquire(&rbuf->pwrite));
 	rbuf->error = 0;
 }
 EXPORT_SYMBOL(dvb_ringbuffer_flush);
 
 void dvb_ringbuffer_reset(struct dvb_ringbuffer *rbuf)
 {
-	rbuf->pread = rbuf->pwrite = 0;
+	/* dvb_ringbuffer_reset() counts as read and write operation
+	 * smp_store_release() to update read pointer
+	 */
+	smp_store_release(&rbuf->pread, 0);
+	/* smp_store_release() to update write pointer */
+	smp_store_release(&rbuf->pwrite, 0);
 	rbuf->error = 0;
 }
 
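Review bot: dvb_ringbuffer_reset() now publishes `pread` and `pwrite` with two separate release stores, so another CPU can observe `pread == 0` together with the old `pwrite` in between and compute a bogus avail or free value. The comment should state that callers must exclude concurrent readers and writers, or name the lock that provides that. In both functions `rbuf->error = 0` is written after the release store, so it is not ordered by it.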
@@ -119,12 +145,17 @@ ssize_t dvb_ringbuffer_read_user(struct
 			return -EFAULT;
 		buf += split;
 		todo -= split;
-		rbuf->pread = 0;
+		/* smp_store_release() for read pointer update to ensure
+		 * that buf is not overwritten until read is complete,
+		 * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
+		 */
+		smp_store_release(&rbuf->pread, 0);
 	}
 	if (copy_to_user(buf, rbuf->data+rbuf->pread, todo))
 		return -EFAULT;
 
-	rbuf->pread = (rbuf->pread + todo) % rbuf->size;
+	/* smp_store_release() to update read pointer, see above */
+	smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
 
 	return len;
 }
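Review bot: in the wrap-around branch `pread` is released as 0 before the second copy_to_user(), so if that copy returns -EFAULT the first chunk has already been handed back to the writer even though the caller sees an error. That matches the old behaviour, but the new comment ("not overwritten until read is complete") reads as if the whole read were protected; reword it to say the release covers only the chunk just copied.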
@@ -139,11 +170,16 @@ void dvb_ringbuffer_read(struct dvb_ring
 		memcpy(buf, rbuf->data+rbuf->pread, split);
 		buf += split;
 		todo -= split;
-		rbuf->pread = 0;
+		/* smp_store_release() for read pointer update to ensure
+		 * that buf is not overwritten until read is complete,
+		 * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
+		 */
+		smp_store_release(&rbuf->pread, 0);
 	}
 	memcpy(buf, rbuf->data+rbuf->pread, todo);
 
-	rbuf->pread = (rbuf->pread + todo) % rbuf->size;
+	/* smp_store_release() to update read pointer, see above */
+	smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
 }
 
 
@@ -158,10 +194,16 @@ ssize_t dvb_ringbuffer_write(struct dvb_
 		memcpy(rbuf->data+rbuf->pwrite, buf, split);
 		buf += split;
 		todo -= split;
-		rbuf->pwrite = 0;
+		/* smp_store_release() for write pointer update to ensure that
+		 * written data is visible on other cpu cores before the pointer
+		 * update, this pairs with smp_load_acquire() in
+		 * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
+		 */
+		smp_store_release(&rbuf->pwrite, 0);
 	}
 	memcpy(rbuf->data+rbuf->pwrite, buf, todo);
-	rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
+	/* smp_store_release() for write pointer update, see above */
+	smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
 
 	return len;
 }
@@ -181,12 +223,18 @@ ssize_t dvb_ringbuffer_write_user(struct
 			return len - todo;
 		buf += split;
 		todo -= split;
-		rbuf->pwrite = 0;
+		/* smp_store_release() for write pointer update to ensure that
+		 * written data is visible on other cpu cores before the pointer
+		 * update, this pairs with smp_load_acquire() in
+		 * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
+		 */
+		smp_store_release(&rbuf->pwrite, 0);
 	}
 	status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo);
 	if (status)
 		return len - todo;
-	rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
+	/* smp_store_release() for write pointer update, see above */
+	smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
 
 	return len;
 }

* [PATCH 3.16 024/346] hwrng: omap - Fix assumption that runtime_get_sync will always succeed
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nishanth Menon, Herbert Xu, Paul Walmsley

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nishanth Menon <nm@ti.com>

commit 61dc0a446e5d08f2de8a24b45f69a1e302bb1b1b upstream.

pm_runtime_get_sync does return an error value that must be checked for
error conditions, else, due to various reasons, the device may not be
enabled and the system will crash due to lack of clock to the hardware
module.

Before:
12.562784] [00000000] *pgd=fe193835
12.562792] Internal error: : 1406 [#1] SMP ARM
[...]
12.562864] CPU: 1 PID: 241 Comm: modprobe Not tainted 4.7.0-rc4-next-20160624 #2
12.562867] Hardware name: Generic DRA74X (Flattened Device Tree)
12.562872] task: ed51f140 ti: ed44c000 task.ti: ed44c000
12.562886] PC is at omap4_rng_init+0x20/0x84 [omap_rng]
12.562899] LR is at set_current_rng+0xc0/0x154 [rng_core]
[...]

After the proper checks:
[   94.366705] omap_rng 48090000.rng: _od_fail_runtime_resume: FIXME:
missing hwmod/omap_dev info
[   94.375767] omap_rng 48090000.rng: Failed to runtime_get device -19
[   94.382351] omap_rng 48090000.rng: initialization failed.

Fixes: 665d92fa85b5 ("hwrng: OMAP: convert to use runtime PM")
Cc: Paul Walmsley <paul@pwsan.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/hw_random/omap-rng.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/drivers/char/hw_random/omap-rng.c
+++ b/drivers/char/hw_random/omap-rng.c
@@ -384,7 +384,12 @@ static int omap_rng_probe(struct platfor
 	}
 
 	pm_runtime_enable(&pdev->dev);
-	pm_runtime_get_sync(&pdev->dev);
+	ret = pm_runtime_get_sync(&pdev->dev);
+	if (ret) {
+		dev_err(&pdev->dev, "Failed to runtime_get device: %d\n", ret);
+		pm_runtime_put_noidle(&pdev->dev);
+		goto err_ioremap;
+	}
 
 	ret = (dev->of_node) ? of_get_omap_rng_device_details(priv, pdev) :
 				get_omap_rng_device_details(priv);
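Review bot: `if (ret)` treats every non-zero return as a failure, but pm_runtime_get_sync() returns 1 when the device was already active; the test should be `if (ret < 0)`. Also confirm that the `err_ioremap` path undoes the pm_runtime_enable() made just above, since the new branch only drops the usage count with pm_runtime_put_noidle().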
@@ -437,8 +442,15 @@ static int omap_rng_suspend(struct devic
 static int omap_rng_resume(struct device *dev)
 {
 	struct omap_rng_dev *priv = dev_get_drvdata(dev);
+	int ret;
+
+	ret = pm_runtime_get_sync(dev);
+	if (ret) {
+		dev_err(dev, "Failed to runtime_get device: %d\n", ret);
+		pm_runtime_put_noidle(dev);
+		return ret;
+	}
 
-	pm_runtime_get_sync(dev);
 	priv->pdata->init(priv);
 
 	return 0;
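Review bot: the resume path has the same `if (ret)` test, and here a return of 1 from pm_runtime_get_sync() would be passed up as the result of omap_rng_resume() and skip `priv->pdata->init(priv)`. Use `if (ret < 0)`.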

* [PATCH 3.16 052/346] rtc: ds1307: Fix relying on reset value for weekday
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Keerthy, Alexandre Belloni

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit e29385fab0bf94017fac130ee32f5bb2daf74417 upstream.

The reset value of weekday is 0x1. This is wrong since
the reset values of the day/month/year make up to Jan 1 2001.
When computed weekday comes out to be Monday. On a scale
of 1-7(Sunday - Saturday) it should be 0x2. So we should not
be relying on the reset value.

Hence compute the wday using the current date/month/year values.
Check if reset wday is any different from the computed wday,
If different then set the wday which we computed using
date/month/year values.

Document Referred:
http://ww1.microchip.com/downloads/en/DeviceDoc/20002266F.pdf

Fixes: 1d1945d261a2af "drivers/rtc/rtc-ds1307.c: add alarm support for mcp7941x chips"
Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
[bwh: Backported to 3.16:
 - No 64-time rtc_time functions available
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-ds1307.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -611,6 +611,8 @@ static const struct rtc_class_ops ds13xx
  * Alarm support for mcp7941x devices.
  */
 
+#define MCP794XX_REG_WEEKDAY		0x3
+#define MCP794XX_REG_WEEKDAY_WDAY_MASK	0x7
 #define MCP7941X_REG_CONTROL		0x07
 #	define MCP7941X_BIT_ALM0_EN	0x10
 #	define MCP7941X_BIT_ALM1_EN	0x20
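Review bot: the two new macros use an `MCP794XX_` prefix while the existing definitions directly below use `MCP7941X_`. Pick one prefix for the backport so a grep for the chip family finds all of its registers.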
@@ -840,12 +842,15 @@ static int ds1307_probe(struct i2c_clien
 {
 	struct ds1307		*ds1307;
 	int			err = -ENODEV;
-	int			tmp;
+	int			tmp, wday;
 	const struct chip_desc	*chip = &chips[id->driver_data];
 	struct i2c_adapter	*adapter = to_i2c_adapter(client->dev.parent);
 	bool			want_irq = false;
 	unsigned char		*buf;
 	struct ds1307_platform_data *pdata = dev_get_platdata(&client->dev);
+	struct rtc_time		tm;
+	unsigned long		timestamp;
+
 	static const int	bbsqi_bitpos[] = {
 		[ds_1337] = 0,
 		[ds_1339] = DS1339_BIT_BBSQI,
@@ -1115,6 +1120,27 @@ read_rtc:
 		return PTR_ERR(ds1307->rtc);
 	}
 
+	/*
+	 * Some IPs have weekday reset value = 0x1 which might not correct
+	 * hence compute the wday using the current date/month/year values
+	 */
+	ds1307_get_time(&client->dev, &tm);
+	wday = tm.tm_wday;
+	rtc_tm_to_time(&tm, &timestamp);
+	rtc_time_to_tm(timestamp, &tm);
+
+	/*
+	 * Check if reset wday is different from the computed wday
+	 * If different then set the wday which we computed using
+	 * timestamp
+	 */
+	if (wday != tm.tm_wday) {
+		wday = i2c_smbus_read_byte_data(client, MCP794XX_REG_WEEKDAY);
+		wday = wday & ~MCP794XX_REG_WEEKDAY_WDAY_MASK;
+		wday = wday | (tm.tm_wday + 1);
+		i2c_smbus_write_byte_data(client, MCP794XX_REG_WEEKDAY, wday);
+	}
+
 	if (want_irq) {
 		err = request_irq(client->irq, ds1307_irq, IRQF_SHARED,
 			  ds1307->rtc->name, client);
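Review bot: none of the I2C calls in the new block are checked. i2c_smbus_read_byte_data() returns a negative errno on failure, and that value would be masked, ORed with the weekday and written back to the register; ds1307_get_time() can fail too, leaving `tm` unset. Check each return and skip the write on error. The block also runs for every chip handled by ds1307_probe() although the comment and the register macro are MCP794xx-specific, so gate it on the chip type or explain why it is safe for all of them.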

* [PATCH 3.16 040/346] batman-adv: Fix reference leak in batadv_find_router
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Simon Wunderlich, Marek Lindner, Sven Eckelmann

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 15c2ed753cd9e3e746472deab8151337a5b6da56 upstream.

The replacement of last_bonding_candidate in batadv_orig_node has to be an
atomic operation. Otherwise it is possible that the reference counter of a
batadv_orig_ifinfo is reduced which was no longer the
last_bonding_candidate when the new candidate is added. This can either
lead to an invalid memory access or to reference leaks which make it
impossible to an interface which was added to batman-adv.

Fixes: f3b3d9018975 ("batman-adv: add bonding again")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - s/kref_get/atomic_inc/
 - s/_put/_free_ref/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/routing.c | 52 ++++++++++++++++++++++++++++++++++++------------
 net/batman-adv/types.h   |  4 +++-
 2 files changed, 42 insertions(+), 14 deletions(-)

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -425,6 +425,29 @@ static int batadv_check_unicast_packet(s
 }
 
 /**
+ * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node
+ * @orig_node: originator node whose bonding candidates should be replaced
+ * @new_candidate: new bonding candidate or NULL
+ */
+static void
+batadv_last_bonding_replace(struct batadv_orig_node *orig_node,
+			    struct batadv_orig_ifinfo *new_candidate)
+{
+	struct batadv_orig_ifinfo *old_candidate;
+
+	spin_lock_bh(&orig_node->neigh_list_lock);
+	old_candidate = orig_node->last_bonding_candidate;
+
+	if (new_candidate)
+		atomic_inc(&new_candidate->refcount);
+	orig_node->last_bonding_candidate = new_candidate;
+	spin_unlock_bh(&orig_node->neigh_list_lock);
+
+	if (old_candidate)
+		batadv_orig_ifinfo_free_ref(old_candidate);
+}
+
+/**
  * batadv_find_router - find a suitable router for this originator
  * @bat_priv: the bat priv with all the soft interface information
  * @orig_node: the destination node
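Review bot: the kernel-doc for batadv_last_bonding_replace() does not say what the function does to reference counts or what the caller must hold. It takes its own reference on new_candidate with a plain atomic_inc() under neigh_list_lock and drops the old candidate's reference after unlocking, so it is only safe when the caller already holds a reference to new_candidate for the duration of the call. Suggest stating that in the comment block, together with the fact that the function takes neigh_list_lock itself and so must not be called with it held.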
@@ -529,10 +552,6 @@ next:
 	}
 	rcu_read_unlock();
 
-	/* last_bonding_candidate is reset below, remove the old reference. */
-	if (orig_node->last_bonding_candidate)
-		batadv_orig_ifinfo_free_ref(orig_node->last_bonding_candidate);
-
 	/* After finding candidates, handle the three cases:
 	 * 1) there is a next candidate, use that
 	 * 2) there is no next candidate, use the first of the list
@@ -541,21 +560,28 @@ next:
 	if (next_candidate) {
 		batadv_neigh_node_free_ref(router);
 
-		/* remove references to first candidate, we don't need it. */
-		if (first_candidate) {
-			batadv_neigh_node_free_ref(first_candidate_router);
-			batadv_orig_ifinfo_free_ref(first_candidate);
-		}
+		atomic_inc(&next_candidate_router->refcount);
 		router = next_candidate_router;
-		orig_node->last_bonding_candidate = next_candidate;
+		batadv_last_bonding_replace(orig_node, next_candidate);
 	} else if (first_candidate) {
 		batadv_neigh_node_free_ref(router);
 
-		/* refcounting has already been done in the loop above. */
+		atomic_inc(&first_candidate_router->refcount);
 		router = first_candidate_router;
-		orig_node->last_bonding_candidate = first_candidate;
+		batadv_last_bonding_replace(orig_node, first_candidate);
 	} else {
-		orig_node->last_bonding_candidate = NULL;
+		batadv_last_bonding_replace(orig_node, NULL);
+	}
+
+	/* cleanup of candidates */
+	if (first_candidate) {
+		batadv_neigh_node_free_ref(first_candidate_router);
+		batadv_orig_ifinfo_free_ref(first_candidate);
+	}
+
+	if (next_candidate) {
+		batadv_neigh_node_free_ref(next_candidate_router);
+		batadv_orig_ifinfo_free_ref(next_candidate);
 	}
 
 	return router;
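Review bot: in the three-way branch the returned router is now kept alive only by the atomic_inc() on next_candidate_router or first_candidate_router, because the new "cleanup of candidates" block drops both candidates' references unconditionally. The removed comment "refcounting has already been done in the loop above" documented the old scheme; a one-line comment saying the extra reference is the one handed to the caller would make the new scheme as easy to audit. The place where batadv_find_router() reads orig_node->last_bonding_candidate is not shown in these hunks; worth confirming that read happens under neigh_list_lock or with its own reference, otherwise the replacement here is atomic but the reader is not.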
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -272,7 +272,9 @@ struct batadv_orig_node {
 	DECLARE_BITMAP(bcast_bits, BATADV_TQ_LOCAL_WINDOW_SIZE);
 	uint32_t last_bcast_seqno;
 	struct hlist_head neigh_list;
-	/* neigh_list_lock protects: neigh_list and router */
+	/* neigh_list_lock protects: neigh_list, ifinfo_list,
+	 * last_bonding_candidate and router
+	 */
 	spinlock_t neigh_list_lock;
 	struct hlist_node hash_entry;
 	struct batadv_priv *bat_priv;


* [PATCH 3.16 340/346] [media] usbvision: revert commit 588afcc1
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (334 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 129/346] ubi: Be more paranoid while seaching for the most recent Fastmap Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 341/346] staging: comedi: ni_mio_common: fix wrong insn_write handler Ben Hutchings
                   ` (10 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Mauro Carvalho Chehab, Vladis Dronov, Luis Henriques

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <vdronov@redhat.com>

commit d5468d7afaa9c9e961e150f0455a14a9f4872a98 upstream.

Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces
array") should be reverted, because:

* "!dev->actconfig->interface[ifnum]" won't catch a case where the value
is not NULL but some garbage. This way the system may crash later with
GPF.

* "(ifnum >= USB_MAXINTERFACES)" does not cover all the error
conditions. "ifnum" should be compared to "dev->actconfig->
desc.bNumInterfaces", i.e. compared to the number of "struct
usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES.

* There is a "struct usb_device" leak in this error path, as there is
usb_get_dev(), but no usb_put_dev() on this path.

* There is a bug of the same type several lines below with number of
endpoints. The code is accessing hard-coded second endpoint
("interface->endpoint[1].desc") which may not exist. It would be great
to handle this in the same patch too.

* All the concerns above are resolved by already-accepted commit fa52bd50
("[media] usbvision: fix crash on detecting device with invalid
configuration")

* Mailing list message:
http://www.spinics.net/lists/linux-media/msg94832.html

Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/usbvision/usbvision-video.c | 7 -------
 1 file changed, 7 deletions(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1537,13 +1537,6 @@ static int usbvision_probe(struct usb_in
 	printk(KERN_INFO "%s: %s found\n", __func__,
 				usbvision_device_data[model].model_string);
 
-	/*
-	 * this is a security check.
-	 * an exploit using an incorrect bInterfaceNumber is known
-	 */
-	if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
-		return -ENODEV;
-
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
 	else if (ifnum < dev->actconfig->desc.bNumInterfaces)
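Review bot: with the check removed, the first branch dereferences dev->actconfig->interface[usbvision_device_data[model].interface] with no bound check visible in this hunk, and only the else-if branch compares ifnum against desc.bNumInterfaces. The commit message relies on fa52bd50 to cover these cases, so for this stable queue the revert is only safe if fa52bd50 is already in 3.16.y or is queued ahead of this patch; suggest saying so in a backport note.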


* [PATCH 3.16 346/346] KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (340 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 338/346] posix_acl: Clear SGID bit when setting file permissions Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 339/346] ARC: use ASL assembler mnemonic Ben Hutchings
                   ` (4 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Hogan, linux-mips, Ralf Baechle, Paolo Bonzini, kvm,
	Radim Krčmář

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 91e4f1b6073dd680d86cdb7e42d7cccca9db39d8 upstream.

When a guest TLB entry is replaced by TLBWI or TLBWR, we only invalidate
TLB entries on the local CPU. This doesn't work correctly on an SMP host
when the guest is migrated to a different physical CPU, as it could pick
up stale TLB mappings from the last time the vCPU ran on that physical
CPU.

Therefore invalidate both user and kernel host ASIDs on other CPUs,
which will cause new ASIDs to be generated when it next runs on those
CPUs.

We're careful only to do this if the TLB entry was already valid, and
only for the kernel ASID where the virtual address it mapped is outside
of the guest user address range.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
[james.hogan@imgtec.com: Backport to 3.10..3.16]
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kvm/kvm_mips_emul.c | 61 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 53 insertions(+), 8 deletions(-)

--- a/arch/mips/kvm/kvm_mips_emul.c
+++ b/arch/mips/kvm/kvm_mips_emul.c
@@ -817,6 +817,47 @@ enum emulation_result kvm_mips_emul_tlbr
 	return er;
 }
 
+/**
+ * kvm_mips_invalidate_guest_tlb() - Indicates a change in guest MMU map.
+ * @vcpu:	VCPU with changed mappings.
+ * @tlb:	TLB entry being removed.
+ *
+ * This is called to indicate a single change in guest MMU mappings, so that we
+ * can arrange TLB flushes on this and other CPUs.
+ */
+static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu *vcpu,
+					  struct kvm_mips_tlb *tlb)
+{
+	int cpu, i;
+	bool user;
+
+	/* No need to flush for entries which are already invalid */
+	if (!((tlb->tlb_lo0 | tlb->tlb_lo1) & MIPS3_PG_V))
+		return;
+	/* User address space doesn't need flushing for KSeg2/3 changes */
+	user = tlb->tlb_hi < KVM_GUEST_KSEG0;
+
+	preempt_disable();
+
+	/*
+	 * Probe the shadow host TLB for the entry being overwritten, if one
+	 * matches, invalidate it
+	 */
+	kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
+
+	/* Invalidate the whole ASID on other CPUs */
+	cpu = smp_processor_id();
+	for_each_possible_cpu(i) {
+		if (i == cpu)
+			continue;
+		if (user)
+			vcpu->arch.guest_user_asid[i] = 0;
+		vcpu->arch.guest_kernel_asid[i] = 0;
+	}
+
+	preempt_enable();
+}
+
 /* Write Guest TLB Entry @ Index */
 enum emulation_result kvm_mips_emul_tlbwi(struct kvm_vcpu *vcpu)
 {
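Review bot: in kvm_mips_invalidate_guest_tlb() the loop zeroes guest_user_asid[i] and guest_kernel_asid[i] for every other possible CPU with only preempt_disable() held, and nothing in the comment block says why that is sufficient. Suggest a sentence in the kernel-doc stating the assumption being relied on (for example, that no other CPU is reading this vCPU's ASID entries while it runs here). The comment "User address space doesn't need flushing for KSeg2/3 changes" also sits above a test against KVM_GUEST_KSEG0; naming the same boundary in the comment and the code would read more clearly.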
@@ -838,10 +879,8 @@ enum emulation_result kvm_mips_emul_tlbw
 	}
 
 	tlb = &vcpu->arch.guest_tlb[index];
-#if 1
-	/* Probe the shadow host TLB for the entry being overwritten, if one matches, invalidate it */
-	kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
-#endif
+
+	kvm_mips_invalidate_guest_tlb(vcpu, tlb);
 
 	tlb->tlb_mask = kvm_read_c0_guest_pagemask(cop0);
 	tlb->tlb_hi = kvm_read_c0_guest_entryhi(cop0);
@@ -880,10 +919,7 @@ enum emulation_result kvm_mips_emul_tlbw
 
 	tlb = &vcpu->arch.guest_tlb[index];
 
-#if 1
-	/* Probe the shadow host TLB for the entry being overwritten, if one matches, invalidate it */
-	kvm_mips_host_tlb_inv(vcpu, tlb->tlb_hi);
-#endif
+	kvm_mips_invalidate_guest_tlb(vcpu, tlb);
 
 	tlb->tlb_mask = kvm_read_c0_guest_pagemask(cop0);
 	tlb->tlb_hi = kvm_read_c0_guest_entryhi(cop0);
@@ -926,6 +962,7 @@ kvm_mips_emulate_CP0(uint32_t inst, uint
 	int32_t rt, rd, copz, sel, co_bit, op;
 	uint32_t pc = vcpu->arch.pc;
 	unsigned long curr_pc;
+	int cpu, i;
 
 	/*
 	 * Update PC and hold onto current PC in case there is
@@ -1037,8 +1074,16 @@ kvm_mips_emulate_CP0(uint32_t inst, uint
 					     ASID_MASK,
 					     vcpu->arch.gprs[rt] & ASID_MASK);
 
+					preempt_disable();
 					/* Blow away the shadow host TLBs */
 					kvm_mips_flush_host_tlb(1);
+					cpu = smp_processor_id();
+					for_each_possible_cpu(i)
+						if (i != cpu) {
+							vcpu->arch.guest_user_asid[i] = 0;
+							vcpu->arch.guest_kernel_asid[i] = 0;
+						}
+					preempt_enable();
 				}
 				kvm_write_c0_guest_entryhi(cop0,
 							   vcpu->arch.gprs[rt]);
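Review bot: the for_each_possible_cpu() loop added here repeats the loop in kvm_mips_invalidate_guest_tlb() with the user/kernel distinction removed. Suggest moving the "drop ASIDs on other CPUs" loop into a small helper used by both sites so the two cannot diverge. The loop body is also a multi-line if block hanging off for_each_possible_cpu() without braces; kernel style would put braces around it.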


* [PATCH 3.16 342/346] xenbus: don't BUG() on user mode induced condition
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (336 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 341/346] staging: comedi: ni_mio_common: fix wrong insn_write handler Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 337/346] fs: Avoid premature clearing of capabilities Ben Hutchings
                   ` (8 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jan Beulich, Jan Beulich, David Vrabel, Ed Swierk

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b upstream.

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Ed Swierk <eswierk@skyportsystems.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
+	} else {
+		list_for_each_entry(trans, &u->transactions, list)
+			if (trans->handle.id == u->u.msg.tx_id)
+				break;
+		if (&trans->list == &u->transactions)
+			return -ESRCH;
 	}
 
 	reply = xenbus_dev_request_and_reply(&u->u.msg);
 	if (IS_ERR(reply)) {
-		kfree(trans);
+		if (msg_type == XS_TRANSACTION_START)
+			kfree(trans);
 		rc = PTR_ERR(reply);
 		goto out;
 	}
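Review bot: the new else branch runs for every message type other than XS_TRANSACTION_START, so any request whose tx_id is not in u->transactions now fails with -ESRCH, not only XS_TRANSACTION_END. Patch 343/346 in this series narrows the branch to XS_TRANSACTION_END for that reason, so the two should not be applied separately. The new path also uses a bare "return -ESRCH" where the neighbouring error paths set rc and "goto out"; if the out label does any cleanup, this path should follow the same pattern.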
@@ -330,12 +337,7 @@ static int xenbus_write_transaction(unsi
 
 		list_add(&trans->list, &u->transactions);
 	} else if (msg_type == XS_TRANSACTION_END) {
-		list_for_each_entry(trans, &u->transactions, list)
-			if (trans->handle.id == u->u.msg.tx_id)
-				break;
-		BUG_ON(&trans->list == &u->transactions);
 		list_del(&trans->list);
-
 		kfree(trans);
 	}
 


* [PATCH 3.16 337/346] fs: Avoid premature clearing of capabilities
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (337 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 342/346] xenbus: don't BUG() on user mode induced condition Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 336/346] fs: Give dentry to inode_change_ok() instead of inode Ben Hutchings
                   ` (7 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christoph Hellwig, Jan Kara

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 030b533c4fd4d2ec3402363323de4bb2983c9cee upstream.

Currently, notify_change() clears capabilities or IMA attributes by
calling security_inode_killpriv() before calling into ->setattr. Thus it
happens before any other permission checks in inode_change_ok() and user
is thus allowed to trigger clearing of capabilities or IMA attributes
for any file he can look up e.g. by calling chown for that file. This is
unexpected and can lead to user DoSing a system.

Fix the problem by calling security_inode_killpriv() at the end of
inode_change_ok() instead of from notify_change(). At that moment we are
sure user has permissions to do the requested change.

References: CVE-2015-1350
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/attr.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/fs/attr.c
+++ b/fs/attr.c
@@ -47,7 +47,7 @@ int setattr_prepare(struct dentry *dentr
 
 	/* If force is set do it anyway. */
 	if (ia_valid & ATTR_FORCE)
-		return 0;
+		goto kill_priv;
 
 	/* Make sure a caller can chown. */
 	if ((ia_valid & ATTR_UID) &&
@@ -80,6 +80,16 @@ int setattr_prepare(struct dentry *dentr
 			return -EPERM;
 	}
 
+kill_priv:
+	/* User has permission for the change */
+	if (ia_valid & ATTR_KILL_PRIV) {
+		int error;
+
+		error = security_inode_killpriv(dentry);
+		if (error)
+			return error;
+	}
+
 	return 0;
 }
 EXPORT_SYMBOL(setattr_prepare);
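Review bot: the comment "User has permission for the change" at the kill_priv label is not accurate for the ATTR_FORCE case, which now jumps here without passing through the permission checks above it. Suggest rewording it, for example "Change is permitted or forced", so the label's two entry paths are both described.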
@@ -220,13 +230,11 @@ int notify_change(struct dentry * dentry
 	if (!(ia_valid & ATTR_MTIME_SET))
 		attr->ia_mtime = now;
 	if (ia_valid & ATTR_KILL_PRIV) {
-		attr->ia_valid &= ~ATTR_KILL_PRIV;
-		ia_valid &= ~ATTR_KILL_PRIV;
 		error = security_inode_need_killpriv(dentry);
-		if (error > 0)
-			error = security_inode_killpriv(dentry);
-		if (error)
+		if (error < 0)
 			return error;
+		if (error == 0)
+			ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
 	}
 
 	/*
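Review bot: after this hunk notify_change() only calls security_inode_need_killpriv() and leaves the actual security_inode_killpriv() call to setattr_prepare(), so a filesystem whose ->setattr does not call setattr_prepare() would no longer have capabilities or IMA attributes cleared. Worth confirming that every ->setattr in this tree goes through it. The chained assignment "ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;" would also be easier to read as two statements.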


* [PATCH 3.16 341/346] staging: comedi: ni_mio_common: fix wrong insn_write handler
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (335 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 340/346] [media] usbvision: revert commit 588afcc1 Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 342/346] xenbus: don't BUG() on user mode induced condition Ben Hutchings
                   ` (9 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ian Abbott, Éric Piel

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream.

For counter subdevices, the `s->insn_write` handler is being set to the
wrong function, `ni_tio_insn_read()`.  It should be
`ni_tio_insn_write()`.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reported-by: Éric Piel <piel@delmic.com>
Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a
  proper comedi (*insn_write)")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/ni_mio_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -4415,7 +4415,7 @@ static int ni_E_init(struct comedi_devic
 		else
 			s->maxdata = 0xffffff;
 		s->insn_read = ni_tio_insn_read;
-		s->insn_write = ni_tio_insn_read;
+		s->insn_write = ni_tio_insn_write;
 		s->insn_config = ni_tio_insn_config;
 #ifdef PCIDMA
 		s->subdev_flags |= SDF_CMD_READ /* | SDF_CMD_WRITE */;


* [PATCH 3.16 345/346] PM / devfreq: Fix incorrect type issue.
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (344 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 343/346] xenbus: don't look up transaction IDs for ordinary writes Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  5:49 ` [PATCH 3.16 000/346] 3.16.39-rc1 review Guenter Roeck
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Xiaolong Ye, MyungJoo Ham, Kevin Liu

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xiaolong Ye <yexl@marvell.com>

commit 5f25f066f75a67835abb5e400471a27abd09395b upstream.

time_in_state in struct devfreq is defined as unsigned long, so
devm_kzalloc should use sizeof(unsigned long) as argument instead
of sizeof(unsigned int), otherwise it will cause unexpected results
on 64-bit systems.

Signed-off-by: Xiaolong Ye <yexl@marvell.com>
Signed-off-by: Kevin Liu <kliu5@marvell.com>
Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/devfreq/devfreq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -483,7 +483,7 @@ struct devfreq *devfreq_add_device(struc
 						devfreq->profile->max_state *
 						devfreq->profile->max_state,
 						GFP_KERNEL);
-	devfreq->time_in_state = devm_kzalloc(dev, sizeof(unsigned int) *
+	devfreq->time_in_state = devm_kzalloc(dev, sizeof(unsigned long) *
 						devfreq->profile->max_state,
 						GFP_KERNEL);
 	devfreq->last_stat_updated = jiffies;
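Review bot: hard-coding "sizeof(unsigned long)" fixes the size but keeps the pattern that caused the bug; "sizeof(*devfreq->time_in_state)" would follow the field's type if it changes again. In the lines shown there is also no NULL check between the devm_kzalloc() call and the assignment to last_stat_updated, so an allocation failure is not handled at this point.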


* [PATCH 3.16 339/346] ARC: use ASL assembler mnemonic
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (341 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 346/346] KVM: MIPS: Drop other CPU ASIDs on guest MMU changes Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 344/346] compiler-gcc: disable -ftracer for __noclone functions Ben Hutchings
                   ` (3 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vineet Gupta

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit a6416f57ce57fb390b6ee30b12c01c29032a26af upstream.

ARCompact and ARCv2 only have ASL, while binutils used to support LSL as
an alias mnemonic.

Newer binutils (upstream) don't want to do that so replace it.

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/mm/tlbex.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arc/mm/tlbex.S
+++ b/arch/arc/mm/tlbex.S
@@ -89,7 +89,7 @@ ex_saved_reg1:
 #ifdef CONFIG_SMP
 	sr  r0, [ARC_REG_SCRATCH_DATA0]	; freeup r0 to code with
 	GET_CPU_ID  r0			; get to per cpu scratch mem,
-	lsl r0, r0, L1_CACHE_SHIFT	; cache line wide per cpu
+	asl r0, r0, L1_CACHE_SHIFT	; cache line wide per cpu
 	add r0, @ex_saved_reg1, r0
 #else
 	st    r0, [@ex_saved_reg1]
@@ -108,7 +108,7 @@ ex_saved_reg1:
 .macro TLBMISS_RESTORE_REGS
 #ifdef CONFIG_SMP
 	GET_CPU_ID  r0			; get to per cpu scratch mem
-	lsl r0, r0, L1_CACHE_SHIFT	; each is cache line wide
+	asl r0, r0, L1_CACHE_SHIFT	; each is cache line wide
 	add r0, @ex_saved_reg1, r0
 	ld_s  r3, [r0,12]
 	ld_s  r2, [r0, 8]
@@ -220,7 +220,7 @@ ex_saved_reg1:
 
 .macro CONV_PTE_TO_TLB
 	and    r3, r0, PTE_BITS_RWX	;       r w x
-	lsl    r2, r3, 3		; r w x 0 0 0
+	asl    r2, r3, 3		; r w x 0 0 0
 	and.f  0,  r0, _PAGE_GLOBAL
 	or.z   r2, r2, r3		; r w x r w x
 


* [PATCH 3.16 343/346] xenbus: don't look up transaction IDs for ordinary writes
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (343 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 344/346] compiler-gcc: disable -ftracer for __noclone functions Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 345/346] PM / devfreq: Fix incorrect type issue Ben Hutchings
  2016-11-14  5:49 ` [PATCH 3.16 000/346] 3.16.39-rc1 review Guenter Roeck
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ed Swierk, David Vrabel, Jan Beulich, Richard Schütz,
	Jan Beulich

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea upstream.

This should really only be done for XS_TRANSACTION_END messages, or
else at least some of the xenstore-* tools don't work anymore.

Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition")
Reported-by: Richard Schütz <rschuetz@uni-koblenz.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Richard Schütz <rschuetz@uni-koblenz.de>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Ed Swierk <eswierk@skyportsystems.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
-	} else {
+	} else if (msg_type == XS_TRANSACTION_END) {
 		list_for_each_entry(trans, &u->transactions, list)
 			if (trans->handle.id == u->u.msg.tx_id)
 				break;


* [PATCH 3.16 338/346] posix_acl: Clear SGID bit when setting file permissions
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (339 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 336/346] fs: Give dentry to inode_change_ok() instead of inode Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 346/346] KVM: MIPS: Drop other CPU ASIDs on guest MMU changes Ben Hutchings
                   ` (5 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jeff Layton, Jan Kara, Christoph Hellwig, Andreas Gruenbacher

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows bypassing the check in chmod(2).  Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[bwh: Backported to 3.16:
 - Drop changes to orangefs
 - Adjust context
 - Update ext3 as well]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct den
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			retval = posix_acl_equiv_mode(acl, &mode);
-			if (retval < 0)
+			struct iattr iattr;
+
+			retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+			if (retval)
 				goto err_out;
-			else {
-				struct iattr iattr;
-				if (retval == 0) {
-					/*
-					 * ACL can be represented
-					 * by the mode bits. So don't
-					 * update ACL.
-					 */
-					acl = NULL;
-					value = NULL;
-					size = 0;
-				}
-				/* Updte the mode bits */
-				iattr.ia_mode = ((mode & S_IALLUGO) |
-						 (inode->i_mode & ~S_IALLUGO));
-				iattr.ia_valid = ATTR_MODE;
-				/* FIXME should we update ctime ?
-				 * What is the following setxattr update the
-				 * mode ?
+			if (!acl) {
+				/*
+				 * ACL can be represented
+				 * by the mode bits. So don't
+				 * update ACL.
 				 */
-				v9fs_vfs_setattr_dotl(dentry, &iattr);
+				value = NULL;
+				size = 0;
 			}
+			iattr.ia_valid = ATTR_MODE;
+			/* FIXME should we update ctime ?
+			 * What is the following setxattr update the
+			 * mode ?
+			 */
+			v9fs_vfs_setattr_dotl(dentry, &iattr);
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -83,11 +83,9 @@ static int __btrfs_set_acl(struct btrfs_
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			ret = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (ret < 0)
+			ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (ret)
 				return ret;
-			if (ret == 0)
-				acl = NULL;
 		}
 		ret = 0;
 		break;
--- a/fs/ceph/acl.c
+++ b/fs/ceph/acl.c
@@ -108,11 +108,9 @@ int ceph_set_acl(struct inode *inode, st
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			ret = posix_acl_equiv_mode(acl, &new_mode);
-			if (ret < 0)
+			ret = posix_acl_update_mode(inode, &new_mode, &acl);
+			if (ret)
 				goto out;
-			if (ret == 0)
-				acl = NULL;
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -193,15 +193,11 @@ ext2_set_acl(struct inode *inode, struct
 		case ACL_TYPE_ACCESS:
 			name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
-				if (error < 0)
+				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+				if (error)
 					return error;
-				else {
-					inode->i_ctime = CURRENT_TIME_SEC;
-					mark_inode_dirty(inode);
-					if (error == 0)
-						acl = NULL;
-				}
+				inode->i_ctime = CURRENT_TIME_SEC;
+				mark_inode_dirty(inode);
 			}
 			break;
 
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -195,15 +195,11 @@ __ext3_set_acl(handle_t *handle, struct
 		case ACL_TYPE_ACCESS:
 			name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
-				if (error < 0)
+				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+				if (error)
 					return error;
-				else {
-					inode->i_ctime = CURRENT_TIME_SEC;
-					ext3_mark_inode_dirty(handle, inode);
-					if (error == 0)
-						acl = NULL;
-				}
+				inode->i_ctime = CURRENT_TIME_SEC;
+				ext3_mark_inode_dirty(handle, inode);
 			}
 			break;
 
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -201,15 +201,11 @@ __ext4_set_acl(handle_t *handle, struct
 	case ACL_TYPE_ACCESS:
 		name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
-			else {
-				inode->i_ctime = ext4_current_time(inode);
-				ext4_mark_inode_dirty(handle, inode);
-				if (error == 0)
-					acl = NULL;
-			}
+			inode->i_ctime = ext4_current_time(inode);
+			ext4_mark_inode_dirty(handle, inode);
 		}
 		break;
 
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -213,12 +213,10 @@ static int __f2fs_set_acl(struct inode *
 	case ACL_TYPE_ACCESS:
 		name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
 			set_acl_inode(fi, inode->i_mode);
-			if (error == 0)
-				acl = NULL;
 		}
 		break;
 
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -79,17 +79,11 @@ int gfs2_set_acl(struct inode *inode, st
 	if (type == ACL_TYPE_ACCESS) {
 		umode_t mode = inode->i_mode;
 
-		error = posix_acl_equiv_mode(acl, &mode);
-		if (error < 0)
+		error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+		if (error)
 			return error;
-
-		if (error == 0)
-			acl = NULL;
-
-		if (mode != inode->i_mode) {
-			inode->i_mode = mode;
+		if (mode != inode->i_mode)
 			mark_inode_dirty(inode);
-		}
 	}
 
 	if (acl) {
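Review bot: the local "mode" now holds the old inode->i_mode, because posix_acl_update_mode() writes the new value straight into inode->i_mode and the "mode != inode->i_mode" test compares old against new. Renaming it (for example old_mode) would make that clear. Unlike most of the other callers in this patch, the call here is not wrapped in "if (acl)", and posix_acl_update_mode() passes *acl on to posix_acl_equiv_mode(); the old code had the same shape, but a comment on whether acl can be NULL at this point would help.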
--- a/fs/hfsplus/posix_acl.c
+++ b/fs/hfsplus/posix_acl.c
@@ -68,8 +68,8 @@ int hfsplus_set_posix_acl(struct inode *
 	case ACL_TYPE_ACCESS:
 		xattr_name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			err = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (err < 0)
+			err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (err)
 				return err;
 		}
 		err = 0;
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -236,9 +236,10 @@ int jffs2_set_acl(struct inode *inode, s
 	case ACL_TYPE_ACCESS:
 		xprefix = JFFS2_XPREFIX_ACL_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			rc = posix_acl_equiv_mode(acl, &mode);
-			if (rc < 0)
+			umode_t mode;
+
+			rc = posix_acl_update_mode(inode, &mode, &acl);
+			if (rc)
 				return rc;
 			if (inode->i_mode != mode) {
 				struct iattr attr;
@@ -250,8 +251,6 @@ int jffs2_set_acl(struct inode *inode, s
 				if (rc < 0)
 					return rc;
 			}
-			if (rc == 0)
-				acl = NULL;
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
--- a/fs/jfs/acl.c
+++ b/fs/jfs/acl.c
@@ -84,13 +84,11 @@ static int __jfs_set_acl(tid_t tid, stru
 	case ACL_TYPE_ACCESS:
 		ea_name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			rc = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (rc < 0)
+			rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (rc)
 				return rc;
 			inode->i_ctime = CURRENT_TIME;
 			mark_inode_dirty(inode);
-			if (rc == 0)
-				acl = NULL;
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -241,14 +241,11 @@ int ocfs2_set_acl(handle_t *handle,
 	case ACL_TYPE_ACCESS:
 		name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			ret = posix_acl_equiv_mode(acl, &mode);
-			if (ret < 0)
+			umode_t mode;
+			ret = posix_acl_update_mode(inode, &mode, &acl);
+			if (ret)
 				return ret;
 			else {
-				if (ret == 0)
-					acl = NULL;
-
 				ret = ocfs2_acl_set_mode(inode, di_bh,
 							 handle, mode);
 				if (ret)
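Review bot: in the added lines the declaration "umode_t mode;" runs straight into the call with no blank line, and the "else {" that follows "return ret;" no longer has a reason to exist now that the "ret == 0" case inside it is gone. Add the blank line (as the jffs2 and xfs hunks do) and drop the else so the ocfs2_acl_set_mode() call sits at the outer indentation.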
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -594,6 +594,37 @@ no_acl:
 }
 EXPORT_SYMBOL_GPL(posix_acl_create);
 
+/**
+ * posix_acl_update_mode  -  update mode in set_acl
+ *
+ * Update the file mode when setting an ACL: compute the new file permission
+ * bits based on the ACL.  In addition, if the ACL is equivalent to the new
+ * file mode, set *acl to NULL to indicate that no ACL should be set.
+ *
+ * As with chmod, clear the setgit bit if the caller is not in the owning group
+ * or capable of CAP_FSETID (see inode_change_ok).
+ *
+ * Called from set_acl inode operations.
+ */
+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
+			  struct posix_acl **acl)
+{
+	umode_t mode = inode->i_mode;
+	int error;
+
+	error = posix_acl_equiv_mode(*acl, &mode);
+	if (error < 0)
+		return error;
+	if (error == 0)
+		*acl = NULL;
+	if (!in_group_p(inode->i_gid) &&
+	    !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+		mode &= ~S_ISGID;
+	*mode_p = mode;
+	return 0;
+}
+EXPORT_SYMBOL(posix_acl_update_mode);
+
 /*
  * Fix up the uids and gids in posix acl extended attributes in place.
  */
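Review bot: the kerneldoc for posix_acl_update_mode() misspells setgid as "setgit" and has no @inode, @mode_p or @acl lines, so the in/out contract of the two pointer arguments is only implied by the prose. It should also state that *acl must be non-NULL on entry, since the helper passes *acl to posix_acl_equiv_mode() without checking it; the hfsplus, jffs2, jfs, ocfs2 and reiserfs callers visibly guard with "if (acl)", while the xfs hunk shows no such guard in its context. The new symbol is exported with EXPORT_SYMBOL although posix_acl_create() just above uses EXPORT_SYMBOL_GPL; if that is deliberate it deserves a word.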
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -246,13 +246,9 @@ __reiserfs_set_acl(struct reiserfs_trans
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
-			else {
-				if (error == 0)
-					acl = NULL;
-			}
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -287,16 +287,11 @@ xfs_set_acl(struct inode *inode, struct
 		return error;
 
 	if (type == ACL_TYPE_ACCESS) {
-		umode_t mode = inode->i_mode;
-		error = posix_acl_equiv_mode(acl, &mode);
-
-		if (error <= 0) {
-			acl = NULL;
-
-			if (error < 0)
-				return error;
-		}
+		umode_t mode;
 
+		error = posix_acl_update_mode(inode, &mode, &acl);
+		if (error)
+			return error;
 		error = xfs_set_mode(inode, mode);
 		if (error)
 			return error;
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -95,6 +95,7 @@ extern int set_posix_acl(struct inode *,
 extern int posix_acl_chmod(struct inode *, umode_t);
 extern int posix_acl_create(struct inode *, umode_t *, struct posix_acl **,
 		struct posix_acl **);
+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
 
 extern int simple_set_acl(struct inode *, struct posix_acl *, int);
 extern int simple_acl_create(struct inode *, struct inode *);

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 336/346] fs: Give dentry to inode_change_ok() instead of inode
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (338 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 337/346] fs: Avoid premature clearing of capabilities Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 338/346] posix_acl: Clear SGID bit when setting file permissions Ben Hutchings
                   ` (6 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Christoph Hellwig

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In fuse, pass dentry to fuse_do_setattr()
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/Documentation/filesystems/porting
+++ b/Documentation/filesystems/porting
@@ -287,8 +287,8 @@ implementing on-disk size changes.  Star
 and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
 be in order of zeroing blocks using block_truncate_page or similar helpers,
 size update and on finally on-disk truncation which should not fail.
-inode_change_ok now includes the size checks for ATTR_SIZE and must be called
-in the beginning of ->setattr unconditionally.
+setattr_prepare (which used to be inode_change_ok) now includes the size checks
+for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
 
 [mandatory]
 
--- a/drivers/staging/lustre/lustre/llite/llite_lib.c
+++ b/drivers/staging/lustre/lustre/llite/llite_lib.c
@@ -1386,7 +1386,7 @@ int ll_setattr_raw(struct dentry *dentry
 		attr->ia_valid |= ATTR_MTIME | ATTR_CTIME;
 	}
 
-	/* POSIX: check before ATTR_*TIME_SET set (from inode_change_ok) */
+	/* POSIX: check before ATTR_*TIME_SET set (from setattr_prepare) */
 	if (attr->ia_valid & TIMES_SET_FLAGS) {
 		if ((!uid_eq(current_fsuid(), inode->i_uid)) &&
 		    !capable(CFS_CAP_FOWNER))
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -1094,7 +1094,7 @@ static int v9fs_vfs_setattr(struct dentr
 	struct p9_wstat wstat;
 
 	p9_debug(P9_DEBUG_VFS, "\n");
-	retval = inode_change_ok(dentry->d_inode, iattr);
+	retval = setattr_prepare(dentry, iattr);
 	if (retval)
 		return retval;
 
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -560,7 +560,7 @@ int v9fs_vfs_setattr_dotl(struct dentry
 
 	p9_debug(P9_DEBUG_VFS, "\n");
 
-	retval = inode_change_ok(inode, iattr);
+	retval = setattr_prepare(dentry, iattr);
 	if (retval)
 		return retval;
 
--- a/fs/adfs/inode.c
+++ b/fs/adfs/inode.c
@@ -303,7 +303,7 @@ adfs_notify_change(struct dentry *dentry
 	unsigned int ia_valid = attr->ia_valid;
 	int error;
 	
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 
 	/*
 	 * we can't change the UID or GID of any file -
--- a/fs/affs/inode.c
+++ b/fs/affs/inode.c
@@ -222,7 +222,7 @@ affs_notify_change(struct dentry *dentry
 
 	pr_debug("notify_change(%lu,0x%x)\n", inode->i_ino, attr->ia_valid);
 
-	error = inode_change_ok(inode,attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		goto out;
 
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -17,19 +17,22 @@
 #include <linux/ima.h>
 
 /**
- * inode_change_ok - check if attribute changes to an inode are allowed
- * @inode:	inode to check
+ * setattr_prepare - check if attribute changes to a dentry are allowed
+ * @dentry:	dentry to check
  * @attr:	attributes to change
  *
  * Check if we are allowed to change the attributes contained in @attr
- * in the given inode.  This includes the normal unix access permission
- * checks, as well as checks for rlimits and others.
+ * in the given dentry.  This includes the normal unix access permission
+ * checks, as well as checks for rlimits and others. The function also clears
+ * SGID bit from mode if user is not allowed to set it. Also file capabilities
+ * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
  *
  * Should be called as the first thing in ->setattr implementations,
  * possibly after taking additional locks.
  */
-int inode_change_ok(const struct inode *inode, struct iattr *attr)
+int setattr_prepare(struct dentry *dentry, struct iattr *attr)
 {
+	struct inode *inode = d_inode(dentry);
 	unsigned int ia_valid = attr->ia_valid;
 
 	/*
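Review bot: the new kerneldoc sentence about clearing file capabilities and IMA extended attributes when ATTR_KILL_PRIV is set describes behaviour that none of the fs/attr.c hunks in this patch add; they change only the signature, the inode lookup and the export. The commit message says the function "will be" responsible for this, so the sentence belongs in the patch that adds the clearing, or should be worded as forthcoming. Separately, this hunk uses d_inode(dentry) while the fuse, nfsd and xfs lines added by the same backport use dentry->d_inode; pick one form and confirm the helper is available in 3.16.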
@@ -79,7 +82,7 @@ int inode_change_ok(const struct inode *
 
 	return 0;
 }
-EXPORT_SYMBOL(inode_change_ok);
+EXPORT_SYMBOL(setattr_prepare);
 
 /**
  * inode_newsize_ok - may this inode be truncated to a given size
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4690,7 +4690,7 @@ static int btrfs_setattr(struct dentry *
 	if (btrfs_root_readonly(root))
 		return -EROFS;
 
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		return err;
 
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1708,7 +1708,7 @@ int ceph_setattr(struct dentry *dentry,
 	if (ceph_snap(inode) != CEPH_NOSNAP)
 		return -EROFS;
 
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err != 0)
 		return err;
 
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -2074,7 +2074,7 @@ cifs_setattr_unix(struct dentry *direntr
 	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
 		attrs->ia_valid |= ATTR_FORCE;
 
-	rc = inode_change_ok(inode, attrs);
+	rc = setattr_prepare(direntry, attrs);
 	if (rc < 0)
 		goto out;
 
@@ -2215,7 +2215,7 @@ cifs_setattr_nounix(struct dentry *diren
 	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
 		attrs->ia_valid |= ATTR_FORCE;
 
-	rc = inode_change_ok(inode, attrs);
+	rc = setattr_prepare(direntry, attrs);
 	if (rc < 0) {
 		free_xid(xid);
 		return rc;
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -952,7 +952,7 @@ static int ecryptfs_setattr(struct dentr
 	}
 	mutex_unlock(&crypt_stat->cs_mutex);
 
-	rc = inode_change_ok(inode, ia);
+	rc = setattr_prepare(dentry, ia);
 	if (rc)
 		goto out;
 	if (ia->ia_valid & ATTR_SIZE) {
--- a/fs/exofs/inode.c
+++ b/fs/exofs/inode.c
@@ -1039,7 +1039,7 @@ int exofs_setattr(struct dentry *dentry,
 	if (unlikely(error))
 		return error;
 
-	error = inode_change_ok(inode, iattr);
+	error = setattr_prepare(dentry, iattr);
 	if (unlikely(error))
 		return error;
 
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1547,7 +1547,7 @@ int ext2_setattr(struct dentry *dentry,
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, iattr);
+	error = setattr_prepare(dentry, iattr);
 	if (error)
 		return error;
 
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -3244,7 +3244,7 @@ int ext3_setattr(struct dentry *dentry,
 	int error, rc = 0;
 	const unsigned int ia_valid = attr->ia_valid;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4672,7 +4672,7 @@ int ext4_setattr(struct dentry *dentry,
 	int orphan = 0;
 	const unsigned int ia_valid = attr->ia_valid;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -500,7 +500,7 @@ int f2fs_setattr(struct dentry *dentry,
 	struct f2fs_inode_info *fi = F2FS_I(inode);
 	int err;
 
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		return err;
 
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -394,7 +394,7 @@ int fat_setattr(struct dentry *dentry, s
 			attr->ia_valid &= ~TIMES_SET_FLAGS;
 	}
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	attr->ia_valid = ia_valid;
 	if (error) {
 		if (sbi->options.quiet)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1704,9 +1704,10 @@ int fuse_flush_times(struct inode *inode
  * vmtruncate() doesn't allow for this case, so do the rlimit checking
  * and the actual truncation by hand.
  */
-int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 		    struct file *file)
 {
+	struct inode *inode = dentry->d_inode;
 	struct fuse_conn *fc = get_fuse_conn(inode);
 	struct fuse_inode *fi = get_fuse_inode(inode);
 	struct fuse_req *req;
@@ -1721,7 +1722,7 @@ int fuse_do_setattr(struct inode *inode,
 	if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
 		attr->ia_valid |= ATTR_FORCE;
 
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		return err;
 
@@ -1826,9 +1827,9 @@ static int fuse_setattr(struct dentry *e
 		return -EACCES;
 
 	if (attr->ia_valid & ATTR_FILE)
-		return fuse_do_setattr(inode, attr, attr->ia_file);
+		return fuse_do_setattr(entry, attr, attr->ia_file);
 	else
-		return fuse_do_setattr(inode, attr, NULL);
+		return fuse_do_setattr(entry, attr, NULL);
 }
 
 static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -894,7 +894,7 @@ bool fuse_write_update_size(struct inode
 int fuse_flush_times(struct inode *inode, struct fuse_file *ff);
 int fuse_write_inode(struct inode *inode, struct writeback_control *wbc);
 
-int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 		    struct file *file);
 
 #endif /* _FS_FUSE_I_H */
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -1774,7 +1774,7 @@ static int gfs2_setattr(struct dentry *d
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		goto out;
 
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -604,7 +604,7 @@ int hfs_inode_setattr(struct dentry *den
 	struct hfs_sb_info *hsb = HFS_SB(inode->i_sb);
 	int error;
 
-	error = inode_change_ok(inode, attr); /* basic permission checks */
+	error = setattr_prepare(dentry, attr); /* basic permission checks */
 	if (error)
 		return error;
 
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -247,7 +247,7 @@ static int hfsplus_setattr(struct dentry
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -792,7 +792,7 @@ static int hostfs_setattr(struct dentry
 
 	int fd = HOSTFS_I(inode)->fd;
 
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		return err;
 
--- a/fs/hpfs/inode.c
+++ b/fs/hpfs/inode.c
@@ -272,7 +272,7 @@ int hpfs_setattr(struct dentry *dentry,
 	if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
 		goto out_unlock;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		goto out_unlock;
 
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -429,7 +429,7 @@ static int hugetlbfs_setattr(struct dent
 
 	BUG_ON(!inode);
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -193,7 +193,7 @@ int jffs2_setattr(struct dentry *dentry,
 	struct inode *inode = dentry->d_inode;
 	int rc;
 
-	rc = inode_change_ok(inode, iattr);
+	rc = setattr_prepare(dentry, iattr);
 	if (rc)
 		return rc;
 
--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -103,7 +103,7 @@ int jfs_setattr(struct dentry *dentry, s
 	struct inode *inode = dentry->d_inode;
 	int rc;
 
-	rc = inode_change_ok(inode, iattr);
+	rc = setattr_prepare(dentry, iattr);
 	if (rc)
 		return rc;
 
--- a/fs/kernfs/inode.c
+++ b/fs/kernfs/inode.c
@@ -131,7 +131,7 @@ int kernfs_iop_setattr(struct dentry *de
 		return -EINVAL;
 
 	mutex_lock(&kernfs_mutex);
-	error = inode_change_ok(inode, iattr);
+	error = setattr_prepare(dentry, iattr);
 	if (error)
 		goto out;
 
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -371,7 +371,7 @@ int simple_setattr(struct dentry *dentry
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, iattr);
+	error = setattr_prepare(dentry, iattr);
 	if (error)
 		return error;
 
--- a/fs/logfs/file.c
+++ b/fs/logfs/file.c
@@ -244,7 +244,7 @@ static int logfs_setattr(struct dentry *
 	struct inode *inode = dentry->d_inode;
 	int err = 0;
 
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		return err;
 
--- a/fs/minix/file.c
+++ b/fs/minix/file.c
@@ -28,7 +28,7 @@ static int minix_setattr(struct dentry *
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/ncpfs/inode.c
+++ b/fs/ncpfs/inode.c
@@ -885,7 +885,7 @@ int ncp_notify_change(struct dentry *den
 	/* ageing the dentry to force validation */
 	ncp_age_dentry(server, dentry);
 
-	result = inode_change_ok(inode, attr);
+	result = setattr_prepare(dentry, attr);
 	if (result < 0)
 		goto out;
 
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -300,17 +300,19 @@ commit_metadata(struct svc_fh *fhp)
  * NFS semantics and what Linux expects.
  */
 static void
-nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
+nfsd_sanitize_attrs(struct dentry *dentry, struct iattr *iap)
 {
+	struct inode *inode = dentry->d_inode;
+
 	/*
 	 * NFSv2 does not differentiate between "set-[ac]time-to-now"
 	 * which only requires access, and "set-[ac]time-to-X" which
 	 * requires ownership.
 	 * So if it looks like it might be "set both to the same time which
-	 * is close to now", and if inode_change_ok fails, then we
+	 * is close to now", and if setattr_prepare fails, then we
 	 * convert to "set to now" instead of "set to explicit time"
 	 *
-	 * We only call inode_change_ok as the last test as technically
+	 * We only call setattr_prepare as the last test as technically
 	 * it is not an interface that we should be using.
 	 */
 #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
@@ -328,7 +330,7 @@ nfsd_sanitize_attrs(struct inode *inode,
 		if (delta < 0)
 			delta = -delta;
 		if (delta < MAX_TOUCH_TIME_ERROR &&
-		    inode_change_ok(inode, iap) != 0) {
+		    setattr_prepare(dentry, iap) != 0) {
 			/*
 			 * Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
 			 * This will cause notify_change to set these times
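Review bot: setattr_prepare() is called here purely as a permission probe inside the "delta < MAX_TOUCH_TIME_ERROR &&" condition, yet the kerneldoc updated in the fs/attr.c hunk says the function may change the mode and clear capabilities and IMA extended attributes. The comment in the previous hunk already admits this is "not an interface that we should be using"; it should now also say why calling a function with side effects is safe at this point, or the probe should use a check that has none.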
@@ -435,7 +437,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
 	if (!iap->ia_valid)
 		goto out;
 
-	nfsd_sanitize_attrs(inode, iap);
+	nfsd_sanitize_attrs(dentry, iap);
 
 	/*
 	 * The size case is special, it changes the file in addition to the
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -839,7 +839,7 @@ int nilfs_setattr(struct dentry *dentry,
 	struct super_block *sb = inode->i_sb;
 	int err;
 
-	err = inode_change_ok(inode, iattr);
+	err = setattr_prepare(dentry, iattr);
 	if (err)
 		return err;
 
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -2891,7 +2891,7 @@ int ntfs_setattr(struct dentry *dentry,
 	int err;
 	unsigned int ia_valid = attr->ia_valid;
 
-	err = inode_change_ok(vi, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		goto out;
 	/* We do not support NTFS ACLs yet. */
--- a/fs/ocfs2/dlmfs/dlmfs.c
+++ b/fs/ocfs2/dlmfs/dlmfs.c
@@ -211,7 +211,7 @@ static int dlmfs_file_setattr(struct den
 	struct inode *inode = dentry->d_inode;
 
 	attr->ia_valid &= ~ATTR_SIZE;
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1144,7 +1144,7 @@ int ocfs2_setattr(struct dentry *dentry,
 	if (!(attr->ia_valid & OCFS2_VALID_ATTRS))
 		return 0;
 
-	status = inode_change_ok(inode, attr);
+	status = setattr_prepare(dentry, attr);
 	if (status)
 		return status;
 
--- a/fs/omfs/file.c
+++ b/fs/omfs/file.c
@@ -351,7 +351,7 @@ static int omfs_setattr(struct dentry *d
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -536,7 +536,7 @@ int proc_setattr(struct dentry *dentry,
 	if (attr->ia_valid & ATTR_MODE)
 		return -EPERM;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -41,7 +41,7 @@ static int proc_notify_change(struct den
 	struct proc_dir_entry *de = PDE(inode);
 	int error;
 
-	error = inode_change_ok(inode, iattr);
+	error = setattr_prepare(dentry, iattr);
 	if (error)
 		return error;
 
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -753,7 +753,7 @@ static int proc_sys_setattr(struct dentr
 	if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
 		return -EPERM;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/ramfs/file-nommu.c
+++ b/fs/ramfs/file-nommu.c
@@ -163,7 +163,7 @@ static int ramfs_nommu_setattr(struct de
 	int ret = 0;
 
 	/* POSIX UID/GID verification for setting inode attributes */
-	ret = inode_change_ok(inode, ia);
+	ret = setattr_prepare(dentry, ia);
 	if (ret)
 		return ret;
 
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -3312,7 +3312,7 @@ int reiserfs_setattr(struct dentry *dent
 	unsigned int ia_valid;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/sysv/file.c
+++ b/fs/sysv/file.c
@@ -35,7 +35,7 @@ static int sysv_setattr(struct dentry *d
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -1262,7 +1262,7 @@ int ubifs_setattr(struct dentry *dentry,
 
 	dbg_gen("ino %lu, mode %#x, ia_valid %#x",
 		inode->i_ino, inode->i_mode, attr->ia_valid);
-	err = inode_change_ok(inode, attr);
+	err = setattr_prepare(dentry, attr);
 	if (err)
 		return err;
 
--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -269,7 +269,7 @@ static int udf_setattr(struct dentry *de
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/ufs/truncate.c
+++ b/fs/ufs/truncate.c
@@ -496,7 +496,7 @@ int ufs_setattr(struct dentry *dentry, s
 	unsigned int ia_valid = attr->ia_valid;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -81,7 +81,7 @@ static int utimes_common(struct path *pa
 			newattrs.ia_valid |= ATTR_MTIME_SET;
 		}
 		/*
-		 * Tell inode_change_ok(), that this is an explicit time
+		 * Tell setattr_prepare(), that this is an explicit time
 		 * update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
 		 * were used.
 		 */
@@ -90,7 +90,7 @@ static int utimes_common(struct path *pa
 		/*
 		 * If times is NULL (or both times are UTIME_NOW),
 		 * then we need to check permissions, because
-		 * inode_change_ok() won't do it.
+		 * setattr_prepare() won't do it.
 		 */
 		error = -EACCES;
                 if (IS_IMMUTABLE(inode))
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -244,7 +244,8 @@ xfs_set_mode(struct inode *inode, umode_
 		iattr.ia_mode = mode;
 		iattr.ia_ctime = current_fs_time(inode->i_sb);
 
-		error = -xfs_setattr_nonsize(XFS_I(inode), &iattr, XFS_ATTR_NOACL);
+		error = -xfs_setattr_nonsize(NULL, XFS_I(inode), &iattr,
+					     XFS_ATTR_NOACL);
 	}
 
 	return error;
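Review bot: the call now passes NULL as the dentry, and the xfs_iops.c hunk shows xfs_setattr_nonsize() handing its dentry argument to setattr_prepare(), which begins with d_inode(dentry). That is safe only if XFS_ATTR_NOACL always skips the block containing the setattr_prepare() call, and the guarding condition is outside the visible context. Add a comment at this call site, or an assertion in xfs_setattr_nonsize(), that ties the NULL dentry to that flag so a later caller cannot pass NULL without it.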
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -862,7 +862,7 @@ xfs_file_fallocate(
 
 		iattr.ia_valid = ATTR_SIZE;
 		iattr.ia_size = new_size;
-		error = xfs_setattr_size(ip, &iattr);
+		error = xfs_setattr_size(file->f_dentry, &iattr);
 	}
 
 out_unlock:
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -717,7 +717,7 @@ xfs_ioc_space(
 		iattr.ia_valid = ATTR_SIZE;
 		iattr.ia_size = bf->l_start;
 
-		error = xfs_setattr_size(ip, &iattr);
+		error = xfs_setattr_size(filp->f_dentry, &iattr);
 		if (!error)
 			clrprealloc = true;
 		break;
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -527,6 +527,7 @@ xfs_setattr_time(
 
 int
 xfs_setattr_nonsize(
+	struct dentry		*dentry,
 	struct xfs_inode	*ip,
 	struct iattr		*iattr,
 	int			flags)
@@ -551,7 +552,7 @@ xfs_setattr_nonsize(
 		if (XFS_FORCED_SHUTDOWN(mp))
 			return XFS_ERROR(EIO);
 
-		error = -inode_change_ok(inode, iattr);
+		error = -setattr_prepare(dentry, iattr);
 		if (error)
 			return XFS_ERROR(error);
 	}
@@ -734,11 +735,12 @@ out_dqrele:
  */
 int
 xfs_setattr_size(
-	struct xfs_inode	*ip,
+	struct dentry		*dentry,
 	struct iattr		*iattr)
 {
+	struct inode		*inode = dentry->d_inode;
+	struct xfs_inode	*ip = XFS_I(inode);
 	struct xfs_mount	*mp = ip->i_mount;
-	struct inode		*inode = VFS_I(ip);
 	xfs_off_t		oldsize, newsize;
 	struct xfs_trans	*tp;
 	int			error;
@@ -754,7 +756,7 @@ xfs_setattr_size(
 	if (XFS_FORCED_SHUTDOWN(mp))
 		return XFS_ERROR(EIO);
 
-	error = -inode_change_ok(inode, iattr);
+	error = -setattr_prepare(dentry, iattr);
 	if (error)
 		return XFS_ERROR(error);
 
@@ -778,7 +780,7 @@ xfs_setattr_size(
 		 * Use the regular setattr path to update the timestamps.
 		 */
 		iattr->ia_valid &= ~ATTR_SIZE;
-		return xfs_setattr_nonsize(ip, iattr, 0);
+		return xfs_setattr_nonsize(dentry, ip, iattr, 0);
 	}
 
 	/*
@@ -939,10 +941,10 @@ xfs_vn_setattr(
 
 	if (iattr->ia_valid & ATTR_SIZE) {
 		xfs_ilock(ip, XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL);
-		error = xfs_setattr_size(ip, iattr);
+		error = xfs_setattr_size(dentry, iattr);
 		xfs_iunlock(ip, XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL);
 	} else {
-		error = xfs_setattr_nonsize(ip, iattr, 0);
+		error = xfs_setattr_nonsize(dentry, ip, iattr, 0);
 	}
 
 	return -error;
--- a/fs/xfs/xfs_iops.h
+++ b/fs/xfs/xfs_iops.h
@@ -32,8 +32,8 @@ extern void xfs_setup_inode(struct xfs_i
  */
 #define XFS_ATTR_NOACL		0x01	/* Don't call posix_acl_chmod */
 
-extern int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap,
-			       int flags);
-extern int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap);
+extern int xfs_setattr_nonsize(struct dentry *dentry, struct xfs_inode *ip,
+			       struct iattr *vap, int flags);
+extern int xfs_setattr_size(struct dentry *dentry, struct iattr *vap);
 
 #endif /* __XFS_IOPS_H__ */
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2627,7 +2627,7 @@ extern int buffer_migrate_page(struct ad
 #define buffer_migrate_page NULL
 #endif
 
-extern int inode_change_ok(const struct inode *, struct iattr *);
+extern int setattr_prepare(struct dentry *, struct iattr *);
 extern int inode_newsize_ok(const struct inode *, loff_t offset);
 extern void setattr_copy(struct inode *inode, const struct iattr *attr);
 
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -540,7 +540,7 @@ static int shmem_setattr(struct dentry *
 	struct inode *inode = dentry->d_inode;
 	int error;
 
-	error = inode_change_ok(inode, attr);
+	error = setattr_prepare(dentry, attr);
 	if (error)
 		return error;
 

^ permalink raw reply	[flat|nested] 352+ messages in thread

* [PATCH 3.16 344/346] compiler-gcc: disable -ftracer for __noclone functions
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (342 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 339/346] ARC: use ASL assembler mnemonic Ben Hutchings
@ 2016-11-14  0:14 ` Ben Hutchings
  2016-11-14  0:14 ` [PATCH 3.16 343/346] xenbus: don't look up transaction IDs for ordinary writes Ben Hutchings
                   ` (2 subsequent siblings)
  346 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  0:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linda Walsh, Philip Müller, Paolo Bonzini, kvm, Michal Marek

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 95272c29378ee7dc15f43fa2758cb28a5913a06d upstream.

-ftracer can duplicate asm blocks causing compilation to fail in
noclone functions.  For example, KVM declares a global variable
in an asm like

    asm("2: ... \n
         .pushsection data \n
         .global vmx_return \n
         vmx_return: .long 2b");

and -ftracer causes a double declaration.

Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: kvm@vger.kernel.org
Reported-by: Linda Walsh <lkml@tlinx.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Philip Müller <philm@manjaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/compiler-gcc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -177,7 +177,7 @@
 #define unreachable() __builtin_unreachable()
 
 /* Mark a function definition as prohibited from being cloned. */
-#define __noclone	__attribute__((__noclone__))
+#define __noclone	__attribute__((__noclone__, __optimize__("no-tracer")))
 
 #endif /* GCC_VERSION >= 40500 */
 
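Review bot: the comment above the macro still reads "prohibited from being cloned", but after this change __noclone also switches off -ftracer for every function that carries it, not only the KVM function named in the commit message. Update the comment to say so and why (asm blocks that define global labels must not be duplicated), so that a later cleanup does not strip the optimize attribute as unrelated to cloning.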

^ permalink raw reply	[flat|nested] 352+ messages in thread

* Re: [PATCH 3.16 296/346] fix minor infoleak in get_user_ex()
       [not found]   ` <CA+55aFyrySgb5rGq=0aON5tPu5_UR5CNn8T0FUqonMqSJUTXrQ@mail.gmail.com>
@ 2016-11-14  2:27     ` Ben Hutchings
  0 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14  2:27 UTC (permalink / raw)
  To: Linus Torvalds, Alexander Levin
  Cc: stable, Linux Kernel Mailing List, akpm, Al Viro


On Sun, 2016-11-13 at 18:14 -0800, Linus Torvalds wrote:
> No, this is no good.
> 
> I had a slightly different version of this that is OK for older
> kernels.

And I thought I'd dropped this after you mentioned the problem at
Kernel Summit.  Thanks for checking.

Sasha, this still needs to be reverted in 3.18 and 4.1 stable branches.

Ben.

>      Linus
> 
> On Nov 13, 2016 6:04 PM, "Ben Hutchings" <ben@decadent.org.uk> wrote:
> 
> > 3.16.39-rc1 review patch.  If anyone has any objections, please let me
> > know.
> > 
> > ------------------
> > 
> > From: Al Viro <viro@ZenIV.linux.org.uk>
> > 
> > commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.
> > 
> > get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
> > (at most we are leaking uninitialized 64bit value off the kernel stack,
> > and in a fairly constrained situation, at that), but the fix is trivial,
> > so...
> > 
> > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> > [ This sat in different branch from the uaccess fixes since mid-August ]
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> >  arch/x86/include/asm/uaccess.h | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > --- a/arch/x86/include/asm/uaccess.h
> > +++ b/arch/x86/include/asm/uaccess.h
> > @@ -391,7 +391,11 @@ do {
> >                      \
> >  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)
> >       \
> >         asm volatile("1:        mov"itype" %1,%"rtype"0\n"              \
> >                      "2:\n"                                             \
> > -                    _ASM_EXTABLE_EX(1b, 2b)                            \
> > +                    ".section .fixup,\"ax\"\n"                         \
> > +                     "3:xor"itype" %"rtype"0,%"rtype"0\n"              \
> > +                    "  jmp 2b\n"                                       \
> > +                    ".previous\n"                                      \
> > +                    _ASM_EXTABLE_EX(1b, 3b)                            \
> >                      : ltype(x) : "m" (__m(addr)))
> > 
> >  #define __put_user_nocheck(x, ptr, size)                       \
> > 
> > 
-- 
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.



^ permalink raw reply	[flat|nested] 352+ messages in thread

* Re: [PATCH 3.16 000/346] 3.16.39-rc1 review
  2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
                   ` (345 preceding siblings ...)
  2016-11-14  0:14 ` [PATCH 3.16 345/346] PM / devfreq: Fix incorrect type issue Ben Hutchings
@ 2016-11-14  5:49 ` Guenter Roeck
  2016-11-14 17:10   ` Ben Hutchings
  346 siblings, 1 reply; 352+ messages in thread
From: Guenter Roeck @ 2016-11-14  5:49 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm

On 11/13/2016 04:14 PM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.39 release.
> There are 346 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Nov 10 00:00:00 UTC 2016.
> Anything received after that time might be too late.
>

Build results:
	total: 140 pass: 140 fail: 0
Qemu test results:
	total: 99 pass: 99 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter


* Re: [PATCH 3.16 327/346] mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page()
  2016-11-14  0:14 ` [PATCH 3.16 327/346] mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() Ben Hutchings
@ 2016-11-14 15:42   ` Johannes Weiner
  2016-11-20  1:13     ` Ben Hutchings
  0 siblings, 1 reply; 352+ messages in thread
From: Johannes Weiner @ 2016-11-14 15:42 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Antonio SJ Musumeci, Linus Torvalds

On Mon, Nov 14, 2016 at 12:14:20AM +0000, Ben Hutchings wrote:
> 3.16.39-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Johannes Weiner <hannes@cmpxchg.org>
> 
> commit 22f2ac51b6d643666f4db093f13144f773ff3f3a upstream.
> 
> Antonio reports the following crash when using fuse under memory pressure:
> 
>   kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346!
>   invalid opcode: 0000 [#1] SMP
>   Modules linked in: all of them
>   CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu
>   Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013
>   task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000
>   RIP: shadow_lru_isolate+0x181/0x190
>   Call Trace:
>     __list_lru_walk_one.isra.3+0x8f/0x130
>     list_lru_walk_one+0x23/0x30
>     scan_shadow_nodes+0x34/0x50
>     shrink_slab.part.40+0x1ed/0x3d0
>     shrink_zone+0x2ca/0x2e0
>     kswapd+0x51e/0x990
>     kthread+0xd8/0xf0
>     ret_from_fork+0x3f/0x70
> 
> which corresponds to the following sanity check in the shadow node
> tracking:
> 
>   BUG_ON(node->count & RADIX_TREE_COUNT_MASK);
> 
> The workingset code tracks radix tree nodes that exclusively contain
> shadow entries of evicted pages in them, and this (somewhat obscure)
> line checks whether there are real pages left that would interfere with
> reclaim of the radix tree node under memory pressure.
> 
> While discussing ways how fuse might sneak pages into the radix tree
> past the workingset code, Miklos pointed to replace_page_cache_page(),
> and indeed there is a problem there: it properly accounts for the old
> page being removed - __delete_from_page_cache() does that - but then
> does a raw radix_tree_insert(), not accounting for the replacement
> page.  Eventually the page count bits in node->count underflow while
> leaving the node incorrectly linked to the shadow node LRU.
> 
> To address this, make sure replace_page_cache_page() uses the tracked
> page insertion code, page_cache_tree_insert().  This fixes the page
> accounting and makes sure page-containing nodes are properly unlinked
> from the shadow node LRU again.
> 
> Also, make the sanity checks a bit less obscure by using the helpers for
> checking the number of pages and shadows in a radix tree node.
> 
> Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
> Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.org
> Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
> Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
> Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> [bwh: Backported to 3.16:
>  - Implementation of page_cache_tree_insert() is different
>  - Adjust context]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

The added sanity checks in this patch can crash kernels built with
CONFIG_DEBUG_VM. While I doubt many people run 3.16 with that enabled,
please also consider taking the following two changes. The first one
changes the new VM_BUG_ONs to mere warnings, and the second patch
addresses the underlying issue that triggered them in the first place.

21f54ddae449 Using BUG_ON() as an assert() is _never_ acceptable
d3798ae8c6f3 mm: filemap: don't plant shadow entries without radix tree node

Attaching the latter below, since it's drastically different than the
upstream change, but a lot simpler because it predates the DAX stuff.

Thanks

---

From 06313bb20559e6da67dcc7fe6c66e928f713d061 Mon Sep 17 00:00:00 2001
From: Johannes Weiner <hannes@cmpxchg.org>
Date: Tue, 4 Oct 2016 22:02:08 +0200
Subject: [PATCH] mm: filemap: don't plant shadow entries without radix tree
 node

commit d3798ae8c6f3767c726403c2ca6ecc317752c9dd upstream.

When the underflow checks were added to workingset_node_shadow_dec(),
they triggered immediately:

  kernel BUG at ./include/linux/swap.h:276!
  invalid opcode: 0000 [#1] SMP
  Modules linked in: isofs usb_storage fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_reject_ipv6
   soundcore wmi acpi_als pinctrl_sunrisepoint kfifo_buf tpm_tis industrialio acpi_pad pinctrl_intel tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc dm_crypt
  CPU: 0 PID: 20929 Comm: blkid Not tainted 4.8.0-rc8-00087-gbe67d60ba944 #1
  Hardware name: System manufacturer System Product Name/Z170-K, BIOS 1803 05/06/2016
  task: ffff8faa93ecd940 task.stack: ffff8faa7f478000
  RIP: page_cache_tree_insert+0xf1/0x100
  Call Trace:
    __add_to_page_cache_locked+0x12e/0x270
    add_to_page_cache_lru+0x4e/0xe0
    mpage_readpages+0x112/0x1d0
    blkdev_readpages+0x1d/0x20
    __do_page_cache_readahead+0x1ad/0x290
    force_page_cache_readahead+0xaa/0x100
    page_cache_sync_readahead+0x3f/0x50
    generic_file_read_iter+0x5af/0x740
    blkdev_read_iter+0x35/0x40
    __vfs_read+0xe1/0x130
    vfs_read+0x96/0x130
    SyS_read+0x55/0xc0
    entry_SYSCALL_64_fastpath+0x13/0x8f
  Code: 03 00 48 8b 5d d8 65 48 33 1c 25 28 00 00 00 44 89 e8 75 19 48 83 c4 18 5b 41 5c 41 5d 41 5e 5d c3 0f 0b 41 bd ef ff ff ff eb d7 <0f> 0b e8 88 68 ef ff 0f 1f 84 00
  RIP  page_cache_tree_insert+0xf1/0x100

This is a long-standing bug in the way shadow entries are accounted in
the radix tree nodes. The shrinker needs to know when radix tree nodes
contain only shadow entries, no pages, so node->count is split in half
to count shadows in the upper bits and pages in the lower bits.

Unfortunately, the radix tree implementation doesn't know of this and
assumes all entries are in node->count. When there is a shadow entry
directly in root->rnode and the tree is later extended, the radix tree
implementation will copy that entry into the new node and bump its
node->count, i.e. increases the page count bits. Once the shadow gets
removed and we subtract from the upper counter, node->count underflows
and triggers the warning. Afterwards, without node->count reaching 0
again, the radix tree node is leaked.

Limit shadow entries to when we have actual radix tree nodes and can
count them properly. That means we lose the ability to detect refaults
from files that had only the first page faulted in at eviction time.

Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 mm/filemap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/filemap.c b/mm/filemap.c
index 900edfaf6df5..eb228111ae6e 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -121,6 +121,13 @@ static void page_cache_tree_delete(struct address_space *mapping,
 
 	__radix_tree_lookup(&mapping->page_tree, page->index, &node, &slot);
 
+	/*
+	 * We need a node to properly account shadow
+	 * entries. Don't plant any without. XXX
+	 */
+	if (!node)
+		shadow = NULL;
+
 	if (shadow) {
 		mapping->nrshadows++;
 		/*
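Review bot: the comment above `if (!node)` ends in an unexplained `XXX`, which tells a later reader that something is unfinished without saying what. The changelog already names the trade-off (refaults can no longer be detected for files that had only the first page faulted in at eviction time), so that sentence belongs in the comment in place of the marker. It would also help to say there that `node` is NULL when the entry sits directly in the root, since `shadow = NULL` depends on `__radix_tree_lookup()` reporting that case this way.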
-- 
2.10.1
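
A user-space model of the accounting bug described in the commit message above, added here as an illustration; it is not part of the original message or of the kernel source. The struct, the function names and the MODEL_COUNT_SHIFT value are assumptions. It replays the sequence from the changelog (shadow entry in the root, tree growth, refault) with and without the `if (!node) shadow = NULL` guard.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model values (assumed): the low 7 bits of count hold the number of pages,
 * the bits above them the number of shadow entries. */
#define MODEL_COUNT_SHIFT 7u
#define MODEL_COUNT_MASK  ((1u << MODEL_COUNT_SHIFT) - 1u)

enum slot_kind { SLOT_EMPTY, SLOT_PAGE, SLOT_SHADOW };

struct model_tree {
    enum slot_kind slot[2]; /* entries at index 0 and index 1 */
    bool has_node;          /* false: the single entry lives in the root pointer */
    unsigned int count;     /* stands in for node->count once a node exists */
    bool underflow;         /* set where the shadow-decrement check would fire */
};

struct model_result {
    bool underflow;
    unsigned int final_count;
    bool node_freed;
};

static unsigned int node_shadows(const struct model_tree *t)
{
    return t->count >> MODEL_COUNT_SHIFT;
}

/* Generic tree growth: the root entry moves into a new node and is counted
 * once in count, i.e. in the page bits, whatever kind of entry it is. */
static void tree_extend(struct model_tree *t)
{
    t->has_node = true;
    t->count = (t->slot[0] != SLOT_EMPTY) ? 1u : 0u;
}

/* Insert a page at idx, replacing a shadow entry if one is there. */
static void insert_page(struct model_tree *t, int idx)
{
    if (idx > 0 && !t->has_node)
        tree_extend(t);
    if (t->slot[idx] == SLOT_SHADOW && t->has_node) {
        if (node_shadows(t) == 0)
            t->underflow = true;              /* no shadow was ever counted */
        t->count -= 1u << MODEL_COUNT_SHIFT;  /* shadows-- in the upper bits */
    }
    t->slot[idx] = SLOT_PAGE;
    if (t->has_node)
        t->count++;                           /* pages++ in the lower bits */
}

/* Evict the page at idx, leaving a shadow entry behind when allowed. */
static void evict_page(struct model_tree *t, int idx, bool plant_without_node)
{
    bool shadow = true;

    if (!t->has_node && !plant_without_node)
        shadow = false;                       /* the patch: if (!node) shadow = NULL */
    t->slot[idx] = shadow ? SLOT_SHADOW : SLOT_EMPTY;
    if (t->has_node) {
        t->count--;                           /* pages-- */
        if (shadow)
            t->count += 1u << MODEL_COUNT_SHIFT;
    }
}

/* Remove a page without leaving a shadow entry. */
static void remove_page(struct model_tree *t, int idx)
{
    t->slot[idx] = SLOT_EMPTY;
    if (t->has_node)
        t->count--;
}

struct model_result run_scenario(bool plant_without_node)
{
    struct model_tree t = { { SLOT_EMPTY, SLOT_EMPTY }, false, 0u, false };
    struct model_result r;

    insert_page(&t, 0);                     /* only page: stored in the root */
    evict_page(&t, 0, plant_without_node);  /* shadow planted in the root, or not */
    insert_page(&t, 1);                     /* tree grows, root entry moves into a node */
    insert_page(&t, 0);                     /* refault of index 0 */
    remove_page(&t, 0);
    remove_page(&t, 1);

    r.underflow = t.underflow;
    r.final_count = t.count;
    r.node_freed = (t.count == 0);          /* a node is only released at count 0 */
    return r;
}

int main(void)
{
    struct model_result before = run_scenario(true);
    struct model_result after = run_scenario(false);

    printf("before fix: underflow=%d count=%#x freed=%d\n",
           before.underflow, before.final_count, before.node_freed);
    printf("after fix:  underflow=%d count=%#x freed=%d\n",
           after.underflow, after.final_count, after.node_freed);
    return 0;
}
```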


* Re: [PATCH 3.16 000/346] 3.16.39-rc1 review
  2016-11-14  5:49 ` [PATCH 3.16 000/346] 3.16.39-rc1 review Guenter Roeck
@ 2016-11-14 17:10   ` Ben Hutchings
  0 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-14 17:10 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm


On Sun, 2016-11-13 at 21:49 -0800, Guenter Roeck wrote:
> On 11/13/2016 04:14 PM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.39
> > release.
> > There are 346 patches in this series, which will be posted as
> > responses
> > to this one.  If anyone has any issues with these being applied,
> > please
> > let me know.
> > 
> > Responses should be made by Sat Nov 10 00:00:00 UTC 2016.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 140 pass: 140 fail: 0
> Qemu test results:
> 	total: 99 pass: 99 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for checking.

Ben.

-- 
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.



* Re: [PATCH 3.16 327/346] mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page()
  2016-11-14 15:42   ` Johannes Weiner
@ 2016-11-20  1:13     ` Ben Hutchings
  0 siblings, 0 replies; 352+ messages in thread
From: Ben Hutchings @ 2016-11-20  1:13 UTC (permalink / raw)
  To: Johannes Weiner
  Cc: linux-kernel, stable, akpm, Antonio SJ Musumeci, Linus Torvalds


On Mon, 2016-11-14 at 10:42 -0500, Johannes Weiner wrote:
> On Mon, Nov 14, 2016 at 12:14:20AM +0000, Ben Hutchings wrote:
> > 3.16.39-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Johannes Weiner <hannes@cmpxchg.org>
> > 
> > commit 22f2ac51b6d643666f4db093f13144f773ff3f3a upstream.
[...]
> The added sanity checks in this patch can crash kernels built with
> CONFIG_DEBUG_VM. While I doubt many people run 3.16 with that enabled,
> please also consider taking the following two changes. The first one
> changes the new VM_BUG_ONs to mere warnings, and the second patch
> addresses the underlying issue that triggered them in the first place.
> 
> 21f54ddae449 Using BUG_ON() as an assert() is _never_ acceptable
> d3798ae8c6f3 mm: filemap: don't plant shadow entries without radix tree node
> 
> Attaching the latter below, since it's drastically different than the
> upstream change, but a lot simpler because it predates the DAX stuff.
[...]

Thanks, I've added these two.

Ben.

-- 
Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing
anyway.



Thread overview: 352+ messages
2016-11-14  0:14 [PATCH 3.16 000/346] 3.16.39-rc1 review Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 046/346] drm/radeon: add a delay after ATPX dGPU power off Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 130/346] drm/nouveau/fbcon: fix font width not divisible by 8 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 282/346] openrisc: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 102/346] libceph: set 'exists' flag for newly up osd Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 093/346] target: Fix missing complete during ABORT_TASK + CMD_T_FABRIC_STOP Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 277/346] metag: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 189/346] usb: xhci: Fix panic if disconnect Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 238/346] ipv6: add missing netconf notif when 'all' is updated Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 227/346] drm/msm: use mutex_lock_interruptible for submit ioctl Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 170/346] ARC: Call trace_hardirqs_on() before enabling irqs Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 281/346] mn10300: copy_from_user() should zero on access_ok() failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 121/346] MIPS: c-r4k: Fix protected_writeback_scache_line for EVA Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 216/346] timekeeping: Cap array access in timekeeping_debug Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 326/346] MIPS: Malta: Fix IOCU disable switch read for MIPS64 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 084/346] netfilter: x_tables: speed up jump target validation Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 005/346] s5p-mfc: Add release callback for memory region devs Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 320/346] ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 201/346] USB: serial: option: add WeTelecom WM-D200 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 051/346] ppp: defer netns reference release for ppp channel Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 265/346] NFSv4.1: Fix the CREATE_SESSION slot number accounting Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 232/346] ALSA: timer: fix NULL pointer dereference on memory allocation failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 001/346] lib/mpi: mpi_read_raw_data(): fix nbits calculation Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 175/346] MIPS: KVM: Fix mapped fault broken commpage handling Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 134/346] tcp: consider recv buf for the initial window scale Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 318/346] tcp: fix a compile error in DBGUNDO() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 259/346] xfrm_user: propagate sec ctx allocation errors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 296/346] fix minor infoleak in get_user_ex() Ben Hutchings
     [not found]   ` <CA+55aFyrySgb5rGq=0aON5tPu5_UR5CNn8T0FUqonMqSJUTXrQ@mail.gmail.com>
2016-11-14  2:27     ` Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 087/346] tpm: read burstcount from TPM_STS in one 32-bit transaction Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 298/346] USB: change bInterval default to 10 ms Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 039/346] batman-adv: Fix non-atomic bla_claim::backbone_gw access Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 028/346] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 242/346] x86/paravirt: Do not trace _paravirt_ident_*() functions Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 050/346] net: mvneta: set real interrupt per packet for tx_done Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 271/346] nl80211: validate number of probe response CSA counters Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 263/346] asm-generic: make copy_from_user() zero the destination properly Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 324/346] mm,ksm: fix endless looping in allocating memory when ksm enable Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 162/346] netfilter: nfnetlink_queue: reject verdict request from different portid Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 217/346] x86/apic: Do not init irq remapping if ioapic is disabled Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 331/346] KEYS: Fix short sprintf buffer in /proc/keys show function Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 280/346] mn10300: failing __get_user() and get_user() should zero Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 166/346] cpuset: make sure new tasks conform to the current config of the cpuset Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 067/346] s390/mm: fix gmap tlb flush issues Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 192/346] bcache: register_bcache(): call blkdev_put() when cache_alloc() fails Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 226/346] fs/seq_file: fix out-of-bounds read Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 269/346] crypto: arm64/aes-ctr - fix NULL dereference in tail processing Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 021/346] tty/serial: atmel: fix RS485 half duplex with DMA Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 276/346] ia64: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 157/346] drm/edid: Add 6 bpc quirk for display AEO model 0 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 014/346] usb: dwc3: fix for the isoc transfer EP_BUSY flag Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 237/346] serial: 8250: added acces i/o products quad and octal serial cards Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 018/346] drm/nouveau: Don't leak runtime pm ref on driver unload Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 198/346] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 010/346] random: print a warning for the first ten uninitialized random users Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 009/346] gpio: pca953x: Fix NBANK calculation for PCA9536 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 031/346] ext4: check for extents that wrap around Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 107/346] tools/vm/slabinfo: fix an unintentional printf Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 246/346] l2tp: fix use-after-free during module unload Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 002/346] HID: uhid: fix timeout when probe races with IO Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 306/346] xfrm: Fix memory leak of aead algorithm name Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 193/346] bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 036/346] batman-adv: Fix orig_node_vlan leak on orig_node_release Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 045/346] batman-adv: Fix speedy join in gateway client mode Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 106/346] radix-tree: fix radix_tree_iter_retry() for tagged iterators Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 185/346] iio: proximity: as3935: set up buffer timestamps for non-zero values Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 029/346] Input: xpad - validate USB endpoint count during probe Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 178/346] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 037/346] batman-adv: Fix kerneldoc member names in for main structs Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 230/346] powerpc/powernv : Drop reference added by kset_find_obj() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 190/346] xhci: don't dereference a xhci member after removing xhci Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 319/346] ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 096/346] cifs: fix crash due to race in hmac(md5) handling Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 004/346] s5p-mfc: Set device name for reserved memory region devs Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 152/346] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 205/346] iio: accel: kxsd9: Fix raw read return Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 057/346] x86/quirks: Add early quirk to reset Apple AirPort card Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 075/346] ext4: short-cut orphan cleanup on error Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 153/346] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 139/346] balloon: check the number of available pages in leak balloon Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 105/346] nfs: don't create zero-length requests Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 240/346] kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 080/346] xfrm: fix crash in XFRM_MSG_GETSA netlink handler Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 085/346] crypto: nx - off by one bug in nx_of_update_msc() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 327/346] mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() Ben Hutchings
2016-11-14 15:42   ` Johannes Weiner
2016-11-20  1:13     ` Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 135/346] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 161/346] netfilter: nf_ct_expect: remove the redundant slash when policy name is empty Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 047/346] drm/radeon: Poll for both connect/disconnect on analog connectors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 143/346] sysv, ipc: fix security-layer leaking Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 101/346] bpf, mips: fix off-by-one in ctx offset allocation Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 262/346] alpha: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 186/346] iio: adc: at91: unbreak channel adc channel 3 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 070/346] ARM: 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is coherent Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 307/346] can: flexcan: fix resume function Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 025/346] hp-wmi: Fix wifi cannot be hard-unblocked Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 111/346] net/irda: fix NULL pointer dereference on memory allocation failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 065/346] cifs: Check for existing directory when opening file with O_CREAT Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 286/346] score: fix __get_user/get_user Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 177/346] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 329/346] arm64: perf: reject groups spanning multiple HW PMUs Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 035/346] batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 059/346] ALSA: hda - fix use-after-free after module unload Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 151/346] USB: serial: option: add D-Link DWM-156/A3 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 125/346] fuse: fuse_flush must check mapping->flags for errors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 117/346] CIFS: Fix a possible invalid memory access in smb2_query_symlink() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 049/346] ALSA: pcm: Free chmap at PCM free callback, too Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 174/346] usb: misc: usbtest: add fix for driver hang Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 171/346] arm: oabi compat: add missing access checks Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 264/346] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 184/346] cdc-acm: fix wrong pipe type on rx interrupt xfers Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 156/346] vfio/pci: Fix NULL pointer oops in error interrupt setup handling Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 206/346] powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 017/346] IB/mlx5: Fix MODIFY_QP command input structure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 231/346] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 030/346] ath9k: Fix programming of minCCA power threshold Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 124/346] fuse: fsync() did not return IO errors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 063/346] Bluetooth: Add support of 13d3:3490 AR3012 device Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 023/346] serial: samsung: Fix possible out of bounds access on non-DT platform Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 247/346] iio: fix pressure data output unit in hid-sensor-attributes Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 006/346] netlabel: add address family checks to netlbl_{sock,req}_delattr() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 176/346] MIPS: KVM: Add missing gfn range check Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 328/346] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 013/346] ARM: mvebu: fix HW I/O coherency related deadlocks Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 158/346] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown" Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 137/346] ALSA: hda - On-board speaker fixup on ACER Veriton Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 334/346] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 123/346] avr32: off by one in at32_init_pio() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 196/346] MIPS: KVM: Check for pfn noslot case Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 144/346] ALSA: hda: Fix krealloc() with __GFP_ZERO usage Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 314/346] i2c: mux: pca954x: retry updating the mux selection on failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 245/346] x86/AMD: Apply erratum 665 on machines without a BIOS fix Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 109/346] ARM: OMAP3: hwmod data: Add sysc information for DSI Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 305/346] openrisc: fix the fix of copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 330/346] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 115/346] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 210/346] Input: tegra-kbc - fix inverted reset logic Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 221/346] ARM: kirkwood: ib62x0: fix size of u-boot environment partition Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 295/346] avr32: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 099/346] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 288/346] sh64: failing __get_user() should zero Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 146/346] metag: Fix __cmpxchg_u32 asm constraint for CMP Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 141/346] dm flakey: error READ bios during the down_interval Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 098/346] iscsi-target: Fix panic when adding second TCP connection to iSCSI session Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 138/346] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 236/346] ALSA: fireworks: accessing to user space outside spinlock Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 131/346] drm/nouveau/acpi: ensure matching ACPI handle and supported functions Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 260/346] kvm-arm: Unmap shadow pagetables properly Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 094/346] target: Fix race between iscsi-target connection shutdown + ABORT_TASK Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 172/346] megaraid_sas: Fix probing cards without io port Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 224/346] ARM: sa1100: clear reset status prior to reboot Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 256/346] crypto: cryptd - initialize child shash_desc on import Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 308/346] ocfs2/dlm: fix race between convert and migration Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 234/346] dm crypt: fix free of bad values after tfm allocation failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 147/346] block: fix use-after-free in seq file Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 223/346] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 194/346] tcp: fix use after free in tcp_xmit_retransmit_queue() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 008/346] PCI: Mark Atheros AR9485 and QCA9882 to avoid bus reset Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 163/346] powerpc/book3s: Fix MCE console messages for unrecoverable MCE Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 097/346] hwmon: (adt7411) set bit 3 in CFG1 register Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 081/346] crypto: scatterwalk - Fix test in scatterwalk_done Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 285/346] s390: get_user() should zero on failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 322/346] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 244/346] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 086/346] i2c: efm32: fix a failure path in efm32_i2c_probe() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 233/346] NFSv4.x: Fix a refcount leak in nfs_callback_up_net Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 150/346] SUNRPC: allow for upcalls for same uid but different gss service Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 268/346] crypto: skcipher - Fix blkcipher walk OOM crash Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 027/346] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 294/346] microblaze: fix __get_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 228/346] drm/msm: fix use of copy_from_user() while holding spinlock Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 164/346] crypto: caam - fix non-hmac hashes Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 133/346] drm/nouveau/acpi: check for function 0x1B before using it Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 058/346] posix_cpu_timer: Exit early when process has been reaped Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 290/346] sparc32: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 218/346] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 160/346] powerpc/powernv: Fix MCE handler to avoid trashing CR0/CR1 registers Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 092/346] mtd: nand: fix bug writing 1 byte less than page size Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 309/346] fsnotify: add a way to stop queueing events on group shutdown Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 066/346] net: ethoc: Fix early error paths Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 038/346] batman-adv: lock crc access in bridge loop avoidance Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 173/346] usb: gadget: fsl_qe_udc: off by one in setup_received_handle() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 179/346] power: supply: max17042_battery: fix model download bug Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 335/346] vfio/pci: Fix integer overflows, bitmask check Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 074/346] ext4: fix reference counting bug on block allocation error Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 183/346] USB: serial: mos7840: fix non-atomic allocation in write path Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 297/346] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 090/346] brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 197/346] drm/radeon: fix radeon_move_blit on 32bit systems Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 222/346] batman-adv: Add missing refcnt for last_candidate Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 108/346] pps: do not crash when failed to register Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 241/346] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 200/346] parisc: Fix order of EREFUSED define in errno.h Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 279/346] mips: copy_from_user() must zero the destination on access_ok() failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 024/346] hwrng: omap - Fix assumption that runtime_get_sync will always succeed Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 119/346] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 180/346] PM / hibernate: Restore processor state before using per-CPU variables Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 255/346] ipv6: addrconf: fix dev refcont leak when DAD failed Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 140/346] ftrace/recordmcount: Work around for addition of metag magic but not relocations Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 312/346] fix fault_in_multipages_...() on architectures with no-op access_ok() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 003/346] macvlan: Fix potential use-after free for broadcasts Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 321/346] tracing: Move mutex to protect against resetting of seq data Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 132/346] drm/nouveau/acpi: return supported DSM functions Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 253/346] Btrfs: add missing blk_finish_plug in btrfs_sync_log() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 069/346] usb: quirks: Add no-lpm quirk for Elan Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 169/346] x86/mm: Disable preemption during CR3 read+write Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 142/346] mm/hugetlb: avoid soft lockup in set_max_huge_pages() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 019/346] drm/radeon: Don't leak runtime pm ref on driver unload Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 289/346] sh: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 026/346] usb: renesas_usbhs: fix the sequence in xfer_work() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 015/346] crypto: gcm - Filter out async ghash if necessary Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 061/346] NFS: Don't drop CB requests with invalid principals Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 333/346] firewire: net: guard against rx buffer overflows Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 022/346] serial: samsung: Fix ERR pointer dereference on deferred probe Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 202/346] staging: comedi: daqboard2000: bug fix board type matching code Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 136/346] ext4: validate that metadata blocks do not overlap superblock Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 071/346] KVM: nVMX: fix lifetime issues for vmcs02 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 088/346] arm64: debug: unmask PSTATE.D earlier Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 091/346] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 120/346] drm/radeon: fix firmware info version checks Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 270/346] MIPS: paravirt: Fix undefined reference to smp_bootstrap Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 311/346] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 235/346] kernfs: don't depend on d_find_any_alias() when generating notifications Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 214/346] ubifs: Fix assertion in layout_in_gaps() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 191/346] KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 252/346] iio:core: fix IIO_VAL_FRACTIONAL sign handling Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 323/346] drm/radeon/si/dpm: add workaround for for Jet parts Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 077/346] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 064/346] qxl: check for kmap failures Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 062/346] Bluetooth: Add USB ID 13D3:3487 to ath3k Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 204/346] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 072/346] KVM: nVMX: Fix memory corruption when using VMCS shadowing Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 188/346] xhci: always handle "Command Ring Stopped" events Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 044/346] MIPS: Fix page table corruption on THP permission changes Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 302/346] IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 052/346] rtc: ds1307: Fix relying on reset value for weekday Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 060/346] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 159/346] aacraid: Check size values after double-fetch from user Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 122/346] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 325/346] ARM: 8617/1: dma: fix dma_max_pfn() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 209/346] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 083/346] netfilter: x_tables: validate targets of jumps Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 313/346] i2c-eg20t: fix race between i2c init and interrupt enable Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 293/346] microblaze: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 215/346] tun: fix transmit timestamp support Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 043/346] iwlwifi: pcie: fix access to scratch buffer Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 257/346] ALSA: timer: Fix zero-division by continue of uninitialized instance Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 048/346] ALSA: ctl: Stop notification after disconnection Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 207/346] powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 100/346] MIPS: RM7000: Double locking bug in rm7k_tc_disable() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 243/346] IB/core: Fix use after free in send_leave function Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 284/346] ppc32: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 303/346] irda: Free skb on irda_accept error path Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 073/346] drm/radeon: support backlight control for UNIPHY3 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 068/346] USB: quirks: Fix another ELAN touchscreen Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 199/346] net/mlx5: Added missing check of msg length in verifying its signature Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 154/346] USB: serial: option: add support for Telit LE920A4 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 112/346] l2tp: Correctly return -EBADF from pppol2tp_getname Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 258/346] ALSA: rawmidi: Fix possible deadlock with virmidi registration Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 278/346] ARC: uaccess: get_user to zero out dest in cause of fault Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 053/346] [media] ngene: properly handle __user ptr Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 110/346] tile: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 250/346] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 007/346] [media] em28xx-i2c: rt_mutex_trylock() returns zero on failure Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 299/346] IB/ipoib: Don't allow MC joins during light MC flush Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 283/346] parisc: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 113/346] module: Invalidate signatures on force-loaded modules Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 229/346] drm/msm: protect against faults from copy_from_user() in submit ioctl Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 212/346] ASoC: omap-mcpdm: Fix irq resource handling Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 219/346] usb: gadget: udc: core: don't starve DMA resources Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 041/346] batman-adv: Free last_bonding_candidate on release of orig_node Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 275/346] hexagon: fix strncpy_from_user() error return Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 273/346] cris: buggered copy_from_user/copy_to_user/clear_user Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 114/346] Documentation/module-signing.txt: Note need for version info if reusing a key Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 034/346] batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 155/346] USB: serial: fix memleak in driver-registration error path Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 316/346] can: dev: fix deadlock reported after bus-off Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 267/346] ARM: sa1111: fix pcmcia suspend/resume Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 300/346] IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 208/346] drm: Reject page_flip for !DRIVER_MODESET Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 187/346] scsi: fix upper bounds check of sense key in scsi_sense_key_string() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 213/346] USB: avoid left shift by -1 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 304/346] avr32: fix 'undefined reference to `___copy_from_user' Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 292/346] m32r: fix __get_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 103/346] libceph: apply new_state before new_up_client on incrementals Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 011/346] random: add interrupt callback to VMBus IRQ handler Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 182/346] USB: serial: mos7720: fix non-atomic allocation in write path Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 104/346] gpio: intel-mid: Remove potentially harmful code Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 095/346] target: Fix max_unmap_lba_count calc overflow Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 181/346] ipv6: suppress sparse warnings in IP6_ECN_set_ce() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 042/346] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 116/346] ceph: Correctly return NXIO errors from ceph_llseek Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 317/346] i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 055/346] x86/quirks: Apply nvidia_bugs quirk only on root bus Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 248/346] iio: accel: kxsd9: Fix scaling bug Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 195/346] gpio: Fix OF build problem on UM Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 274/346] frv: fix clear_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 078/346] USB: serial: option: add support for Telit LE910 PID 0x1206 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 082/346] mmc: block: fix packed command header endianness Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 020/346] drm/radeon: Don't leak runtime pm ref on driver load Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 056/346] x86/quirks: Reintroduce scanning of secondary buses Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 211/346] USB: fix typo in wMaxPacketSize validation Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 126/346] fuse: fix wrong assignment of ->flags in fuse_send_init() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 310/346] fanotify: fix list corruption in fanotify_get_response() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 079/346] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 254/346] Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 332/346] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 128/346] ubi: Make volume resize power cut aware Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 165/346] USB: validate wMaxPacketValue entries in endpoint descriptors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 261/346] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 225/346] printk: fix parsing of "brl=" option Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 089/346] brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 315/346] btrfs: ensure that file descriptor used with subvol ioctls is a dir Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 145/346] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 203/346] staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 076/346] powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 016/346] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 127/346] ubi: Fix race condition between ubi device creation and udev Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 118/346] sparc: serial: sunhv: fix a double lock bug Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 040/346] batman-adv: Fix reference leak in batadv_find_router Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 251/346] efi/libstub: Allocate headspace in efi_get_memory_map() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 301/346] IB/mlx4: Fix code indentation in QP1 MAD flow Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 272/346] asm-generic: make get_user() clear the destination on errors Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 239/346] tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 168/346] usb: dwc3: gadget: increment request->actual once Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 266/346] USB: serial: simple: add support for another Infineon flashloader Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 220/346] qdisc: fix a module refcount leak in qdisc_create_dflt() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 148/346] block: fix bdi vs gendisk lifetime mismatch Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 287/346] score: fix copy_from_user() and friends Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 054/346] [media] media: dvb_ringbuffer: Add memory barriers Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 012/346] sched/cputime: Fix prev steal time accouting during CPU hotplug Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 033/346] ext4: don't call ext4_should_journal_data() on the journal inode Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 167/346] s390/dasd: fix hanging device after clear subchannel Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 149/346] mac80211: fix purging multicast PS buffer queue Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 249/346] sched/core: Fix a race between try_to_wake_up() and a woken up task Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 032/346] ext4: fix deadlock during page writeback Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 291/346] blackfin: fix copy_from_user() Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 129/346] ubi: Be more paranoid while seaching for the most recent Fastmap Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 340/346] [media] usbvision: revert commit 588afcc1 Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 341/346] staging: comedi: ni_mio_common: fix wrong insn_write handler Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 342/346] xenbus: don't BUG() on user mode induced condition Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 337/346] fs: Avoid premature clearing of capabilities Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 336/346] fs: Give dentry to inode_change_ok() instead of inode Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 338/346] posix_acl: Clear SGID bit when setting file permissions Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 346/346] KVM: MIPS: Drop other CPU ASIDs on guest MMU changes Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 339/346] ARC: use ASL assembler mnemonic Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 344/346] compiler-gcc: disable -ftracer for __noclone functions Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 343/346] xenbus: don't look up transaction IDs for ordinary writes Ben Hutchings
2016-11-14  0:14 ` [PATCH 3.16 345/346] PM / devfreq: Fix incorrect type issue Ben Hutchings
2016-11-14  5:49 ` [PATCH 3.16 000/346] 3.16.39-rc1 review Guenter Roeck
2016-11-14 17:10   ` Ben Hutchings
