* [PATCH 3.2 000/152] 3.2.84-rc1 review
@ 2016-11-14 0:14 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 011/152] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
` (153 more replies)
0 siblings, 154 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm
This is the start of the stable review cycle for the 3.2.84 release.
There are 152 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat Nov 19 00:00:00 UTC 2016.
Anything received after that time might be too late.
A combined patch relative to 3.2.83 will be posted as an additional
response to this. A shortlog and diffstat can be found below.
Ben.
-------------
Al Viro (23):
alpha: fix copy_from_user()
[2561d309dfd1555e781484af757ed0115035ddb3]
asm-generic: make copy_from_user() zero the destination properly
[2545e5da080b4839dd859e3b09343a884f6ab0e3]
asm-generic: make get_user() clear the destination on errors
[9ad18b75c2f6e4a78ce204e79f37781f8815c0fa]
avr32: fix copy_from_user()
[8630c32275bac2de6ffb8aea9d9b11663e7ad28e]
blackfin: fix copy_from_user()
[8f035983dd826d7e04f67b28acf8e2f08c347e41]
cris: buggered copy_from_user/copy_to_user/clear_user
[eb47e0293baaa3044022059f1fa9ff474bfe35cb]
frv: fix clear_user()
[3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90]
hexagon: fix strncpy_from_user() error return
[f35c1e0671728d1c9abc405d05ef548b5fcb2fc4]
ia64: copy_from_user() should zero the destination on access_ok() failure
[a5e541f796f17228793694d64b507f5f57db4cd7]
m32r: fix __get_user()
[c90a3bc5061d57e7931a9b7ad14784e1a0ed497d]
microblaze: fix __get_user()
[e98b9e37ae04562d52c96f46b3cf4c2e80222dc1]
microblaze: fix copy_from_user()
[d0cf385160c12abd109746cad1f13e3b3e8b50b8]
mn10300: copy_from_user() should zero on access_ok() failure...
[ae7cc577ec2a4a6151c9e928fd1f595d953ecef1]
mn10300: failing __get_user() and get_user() should zero
[43403eabf558d2800b429cd886e996fd555aa542]
openrisc: fix copy_from_user()
[acb2505d0119033a80c85ac8d02dccae41271667]
parisc: fix copy_from_user()
[aace880feea38875fbc919761b77e5732a3659ef]
ppc32: fix copy_from_user()
[224264657b8b228f949b42346e09ed8c90136a8e]
s390: get_user() should zero on failure
[fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7]
score: fix __get_user/get_user
[c2f18fa4cbb3ad92e033a24efa27583978ce9600]
score: fix copy_from_user() and friends
[b615e3c74621e06cd97f86373ca90d43d6d998aa]
sh64: failing __get_user() should zero
[c6852389228df9fb3067f94f3b651de2a7921b36]
sh: fix copy_from_user()
[6e050503a150b2126620c1a1e9b3a368fcd51eac]
sparc32: fix copy_from_user()
[917400cecb4b52b5cde5417348322bb9c8272fa6]
Alan Stern (4):
USB: avoid left shift by -1
[53e5f36fbd2453ad69a3369a1db62dc06c30a4aa]
USB: change bInterval default to 10 ms
[08c5cd37480f59ea39682f4585d92269be6b1424]
USB: fix typo in wMaxPacketSize validation
[6c73358c83ce870c0cf32413e5cadb3b9a39c606]
USB: validate wMaxPacketValue entries in endpoint descriptors
[aed9d65ac3278d4febd8665bd7db59ef53e825fe]
Aleksandr Makarov (2):
USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
[40d9c32525cba79130612650b1abc47c0c0f19a8]
USB: serial: option: add WeTelecom WM-D200
[6695593e4a7659db49ac6eca98c164f7b5589f72]
Alex Deucher (1):
drm/radeon: fix firmware info version checks
[3edc38a0facef45ee22af8afdce3737f421f36ab]
Alex Vesker (1):
IB/ipoib: Don't allow MC joins during light MC flush
[344bacca8cd811809fc33a249f2738ab757d327f]
Alexey Khoroshilov (2):
USB: serial: mos7720: fix non-atomic allocation in write path
[5a5a1d614287a647b36dff3f40c2b0ceabbc83ec]
USB: serial: mos7840: fix non-atomic allocation in write path
[3b7c7e52efda0d4640060de747768360ba70a7c0]
Amadeusz Sławiński (1):
Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
[23bc6ab0a0912146fd674a0becc758c3162baabc]
Andrey Pronin (1):
tpm: read burstcount from TPM_STS in one 32-bit transaction
[9754d45e997000ad4021bc4606cc266bb38d876f]
Ard Biesheuvel (1):
crypto: cryptd - initialize child shash_desc on import
[0bd2223594a4dcddc1e34b15774a3a4776f7749e]
Ashish Samant (1):
ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
[d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960]
Balbir Singh (1):
sched/core: Fix a race between try_to_wake_up() and a woken up task
[135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf]
Benjamin Coddington (1):
nfs: don't create zero-length requests
[149a4fddd0a72d526abbeac0c8deaab03559836a]
Bharata B Rao (1):
powerpc/numa: Fix multiple bugs in memory_hotplug_max()
[45b64ee64970dee9392229302efe1d1567e8d304]
Cameron Gutman (1):
Input: xpad - validate USB endpoint count during probe
[caca925fca4fb30c67be88cacbe908eec6721e43]
Christian König (1):
drm/radeon: fix radeon_move_blit on 32bit systems
[13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455]
Chuck Lever (2):
NFS: Don't drop CB requests with invalid principals
[a4e187d83d88eeaba6252aac0a2ffe5eaa73a818]
svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
[0533b13072f4bf35738290d2cf9e299c7bc6c42a]
Dan Carpenter (7):
MIPS: RM7000: Double locking bug in rm7k_tc_disable()
[58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225]
avr32: off by one in at32_init_pio()
[55f1cf83d5cf885c75267269729805852039c834]
ext3: NULL dereference in ext3_evict_inode()
[bcdd0c1600903e9222abfcde28947406020ccb5d]
hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
[8a545f185145e3c09348cd74326268ecfc6715a3]
mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
[79ad07d45743721010e766e65dc004ad249bd429]
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
[7bc2b55a5c030685b399bb65b6baa9ccc3d1f167]
usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
[f4693b08cc901912a87369c46537b94ed4084ea0]
Daniel Vetter (1):
drm: Reject page_flip for !DRIVER_MODESET
[6f00975c619064a18c23fd3aced325ae165a73b9]
Daniele Palmas (1):
USB: serial: option: add support for Telit LE910 PID 0x1206
[3c0415fa08548e3bc63ef741762664497ab187ed]
Dave Carroll (1):
aacraid: Check size values after double-fetch from user
[fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3]
Dave Weinstein (1):
arm: oabi compat: add missing access checks
[7de249964f5578e67b99699c5f0b405738d820a2]
David Howells (3):
KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
[20f06ed9f61a185c6dabd662c310bed6189470df]
KEYS: Fix short sprintf buffer in /proc/keys show function
[03dab869b7b239c4e013ec82aea22e181e441cfc]
x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace
[f7d665627e103e82d34306c7d3f6f46f387c0d8b]
Dmitry Torokhov (3):
Input: i8042 - break load dependency between atkbd/psmouse and i8042
[4097461897df91041382ff6fcd2bfa7ee6b2448c]
Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
[47af45d684b5f3ae000ad448db02ce4f13f73273]
tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
[510cccb5b0c8868a2b302a0ab524da7912da648b]
Dmitry Tunin (1):
Bluetooth: Add support of 13d3:3490 AR3012 device
[12d868964f7352e8b18e755488f7265a93431de1]
Erez Shitrit (2):
IB/core: Fix use after free in send_leave function
[68c6bcdd8bd00394c234b915ab9b97c74104130c]
IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
[546481c2816ea3c061ee9d5658eb48070f69212e]
Eric Dumazet (1):
tcp: fix use after free in tcp_xmit_retransmit_queue()
[bb1fceca22492109be12640d49f5ea5a544c6bb4]
Florian Fainelli (2):
brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
[f823a2aa8f4674c095a5413b9e3ba12d82df06f2]
net: ethoc: Fix early error paths
[386512d18b268c6182903239f9f3390f03ce4c7b]
Gavin Li (1):
cdc-acm: fix wrong pipe type on rx interrupt xfers
[add125054b8727103631dce116361668436ef6a7]
Guenter Roeck (2):
avr32: fix 'undefined reference to `___copy_from_user'
[65c0044ca8d7c7bbccae37f0ff2972f0210e9f41]
openrisc: fix the fix of copy_from_user()
[8e4b72054f554967827e18be1de0e8122e6efc04]
Hector Palacios (1):
mtd: nand: fix bug writing 1 byte less than page size
[144f4c98399e2c0ca60eb414c15a2c68125c18b8]
Helge Deller (1):
parisc: Fix order of EREFUSED define in errno.h
[3eb53b20d7bd1374598cfb1feaa081fcac0e76cd]
Herbert Xu (3):
crypto: gcm - Filter out async ghash if necessary
[b30bdfa86431afbafe15284a3ad5ac19b49b88e3]
crypto: scatterwalk - Fix test in scatterwalk_done
[5f070e81bee35f1b7bd1477bb223a873ff657803]
crypto: skcipher - Fix blkcipher walk OOM crash
[acdb04d0b36769b3e05990c488dc74d8b7ac8060]
Ilan Tayari (1):
xfrm: Fix memory leak of aead algorithm name
[b588479358ce26f32138e0f0a7ab0678f8e3e601]
Iosif Harutyunov (1):
ubi: Fix race condition between ubi device creation and udev
[714fb87e8bc05ff78255afc0dca981e8c5242785]
Jaganath Kanakkassery (1):
Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
[951b6a0717db97ce420547222647bcc40bf1eacd]
James Hogan (1):
s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
[68c5cf5a6091c2c3fabccfd42ca844d730ec24c6]
Jan Beulich (2):
xenbus: don't BUG() on user mode induced condition
[0beef634b86a1350c31da5fcc2992f0d7c8a622b]
xenbus: don't look up transaction IDs for ordinary writes
[9a035a40f7f3f6708b79224b86c5777a3334f7ea]
Jan Kara (3):
fs: Avoid premature clearing of capabilities
[030b533c4fd4d2ec3402363323de4bb2983c9cee]
fs: Give dentry to inode_change_ok() instead of inode
[31051c85b5e2aaaf6315f74c72a732673632a905]
posix_acl: Clear SGID bit when setting file permissions
[073931017b49d9458aa351605b43a7e34598caef]
Jeff Mahoney (1):
btrfs: ensure that file descriptor used with subvol ioctls is a dir
[325c50e3cebb9208009083e841550f98a863bfa0]
Jia He (1):
mm/hugetlb: avoid soft lockup in set_max_huge_pages()
[649920c6ab93429b94bc7c1aa7c0e8395351be32]
Jim Lin (1):
usb: xhci: Fix panic if disconnect
[88716a93766b8f095cdef37a8e8f2c93aa233b21]
Jim Mattson (1):
KVM: nVMX: Fix memory corruption when using VMCS shadowing
[2f1fe81123f59271bddda673b60116bde9660385]
Jiri Slaby (1):
pps: do not crash when failed to register
[368301f2fe4b07e5fb71dba3cc566bc59eb6705f]
Joseph Qi (1):
ocfs2/dlm: fix race between convert and migration
[e6f0c6e6170fec175fe676495f29029aecdf486c]
Karl Beldan (1):
mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
[f6d7c1b5598b6407c3f1da795dd54acf99c1990c]
Konstantin Neumoin (1):
balloon: check the number of available pages in leak balloon
[37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711]
Krzysztof Kozlowski (1):
serial: samsung: Fix possible out of bounds access on non-DT platform
[926b7b5122c96e1f18cd20e85a286c7ec8d18c97]
Lauro Costa (1):
Bluetooth: Add USB ID 13D3:3487 to ath3k
[72f9f8b58bc743e6b6abdc68f60db98486c3ffcf]
Linus Walleij (2):
iio: accel: kxsd9: Fix raw read return
[7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8]
iio: accel: kxsd9: Fix scaling bug
[307fe9dd11ae44d4f8881ee449a7cbac36e1f5de]
Liping Zhang (1):
netfilter: nfnetlink_queue: reject verdict request from different portid
[00a3101f561816e58de054a470484996f78eb5eb]
Liu Bo (1):
Btrfs: skip adding an acl attribute if we don't have to
[755ac67f83e515af55adbfe55134eb7d90839cdb]
Lubomir Rintel (1):
USB: serial: option: add D-Link DWM-156/A3
[cf1b18030de29e4e5b0a57695ae5db4a89da0ff7]
Lukas Wunner (3):
x86/quirks: Add early quirk to reset Apple AirPort card
[abb2bafd295fe962bbadc329dbfb2146457283ac]
x86/quirks: Apply nvidia_bugs quirk only on root bus
[447d29d1d3aed839e74c2401ef63387780ac51ed]
x86/quirks: Reintroduce scanning of secondary buses
[850c321027c2e31d0afc71588974719a4b565550]
Lyude (1):
drm/radeon: Poll for both connect/disconnect on analog connectors
[14ff8d48f2235295dfb3117693008e367b49cdb5]
Mario Kleiner (1):
drm/edid: Add 6 bpc quirk for display AEO model 0.
[e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd]
Mathias Krause (1):
xfrm_user: propagate sec ctx allocation errors
[2f30ea5090cbc57ea573cdc66421264b3de3fb0a]
Mathias Nyman (1):
xhci: don't dereference a xhci member after removing xhci
[f1f6d9a8b540df22b87a5bf6bc104edaade81f47]
Michael Walle (1):
hwmon: (adt7411) set bit 3 in CFG1 register
[b53893aae441a034bf4dbbad42fe218561d7d81f]
Mike Snitzer (1):
dm flakey: error READ bios during the down_interval
[99f3c90d0d85708e7401a81ce3314e50bf7f2819]
Nikolay Aleksandrov (1):
ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
[2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8]
Paolo Bonzini (1):
KVM: nVMX: fix lifetime issues for vmcs02
[4fa7734c62cdd8c07edd54fa5a5e91482273071a]
Paul Moore (1):
netlabel: add address family checks to netlbl_{sock,req}_delattr()
[0e0e36774081534783aa8eeb9f6fbddf98d3c061]
Phil Turnbull (1):
ceph: Correctly return NXIO errors from ceph_llseek
[955818cd5b6c4b58ea574ace4573e7afa4c19c1e]
Phil.Turnbull@Oracle.Com (2):
irda: Free skb on irda_accept error path.
[8ab86c00e349cef9fb14719093a7f198bcc72629]
l2tp: Correctly return -EBADF from pppol2tp_getname.
[4ac36a4adaf80013a60013d6f829f5863d5d0e05]
Robert Deliën (1):
USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices
[6977495c06f7f47636a076ee5a0ca571279d9697]
Russell King (1):
ARM: sa1111: fix pcmcia suspend/resume
[06dfe5cc0cc684e735cb0232fdb756d30780b05d]
Sebastian Andrzej Siewior (1):
x86/mm: Disable preemption during CR3 read+write
[5cf0791da5c162ebc14b01eb01631cfa7ed4fa6e]
Sebastian Reichel (1):
ARM: OMAP3: hwmod data: Add sysc information for DSI
[b46211d6dcfb81a8af66b8684a42d629183670d4]
Sergei Miroshnichenko (1):
can: dev: fix deadlock reported after bus-off
[9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8]
Sheng-Hui J. Chu (1):
USB: serial: ftdi_sio: add device ID for WICED USB UART dev board
[ae34d12cc1e212ffcd92e069030e54dae69c832f]
Soheil Hassas Yeganeh (1):
tcp: consider recv buf for the initial window scale
[f626300a3e776ccc9671b0dd94698fb3aa315966]
Stefan Haberland (1):
s390/dasd: fix hanging device after clear subchannel
[9ba333dc55cbb9523553df973adb3024d223e905]
Stefan Richter (1):
firewire: net: guard against rx buffer overflows
[667121ace9dbafb368618dbabcf07901c962ddac]
Steven Rostedt (2):
tracing: Move mutex to protect against resetting of seq data
[1245800c0f96eb6ebb368593e251d66c01e61022]
x86/paravirt: Do not trace _paravirt_ident_*() functions
[15301a570754c7af60335d094dd2d1808b0641a5]
Takashi Iwai (4):
ALSA: ctl: Stop notification after disconnection
[f388cdcdd160687c6650833f286b9c89c50960ff]
ALSA: rawmidi: Fix possible deadlock with virmidi registration
[816f318b2364262a51024096da7ca3b84e78e3b5]
ALSA: timer: Code cleanup
[c3b1681375dc6e71d89a3ae00cc3ce9e775a8917]
ALSA: timer: Fix zero-division by continue of uninitialized instance
[9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b]
Theodore Ts'o (2):
ext4: validate s_reserved_gdt_blocks on mount
[5b9554dc5bf008ae7f68a52e3d7e76c0920938a2]
ext4: validate that metadata blocks do not overlap superblock
[829fa70dddadf9dd041d62b82cd7cea63943899d]
Trond Myklebust (1):
NFSv4.1: Fix the CREATE_SESSION slot number accounting
[b519d408ea32040b1c7e10b155a3ee9a36660947]
Vegard Nossum (10):
ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
[11749e086b2766cccf6217a527ef5c5604ba069c]
ALSA: timer: fix NULL pointer dereference on memory allocation failure
[8ddc05638ee42b18ba4fe99b5fb647fa3ad20456]
ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
[6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33]
block: fix use-after-free in seq file
[77da160530dd1dc94f6ae15a981f24e5f0021e84]
ext4: check for extents that wrap around
[f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6]
ext4: don't call ext4_should_journal_data() on the journal inode
[6a7fd522a7c94cdef0a3b08acf8e6702056e635c]
ext4: fix reference counting bug on block allocation error
[554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e]
ext4: short-cut orphan cleanup on error
[c65d5c6c81a1f27dec5f627f67840726fcd146de]
fs/seq_file: fix out-of-bounds read
[088bf2ff5d12e2e32ee52a4024fec26e582f44d3]
net/irda: fix NULL pointer dereference on memory allocation failure
[d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d]
Vincent Stehlé (1):
ubifs: Fix assertion in layout_in_gaps()
[c0082e985fdf77b02fc9e0dac3b58504dcf11b7a]
Vladis Dronov (1):
[media] usbvision: revert commit 588afcc1
[d5468d7afaa9c9e961e150f0455a14a9f4872a98]
WANG Cong (1):
ppp: defer netns reference release for ppp channel
[205e1e255c479f3fd77446415706463b282f94e4]
Wanpeng Li (2):
sched/cputime: Fix prev steal time accouting during CPU hotplug
[3d89e5478bf550a50c99e93adf659369798263b0]
x86/apic: Do not init irq remapping if ioapic is disabled
[2e63ad4bd5dd583871e6602f9d398b9322d358d9]
Yadi.hu (1):
i2c-eg20t: fix race between i2c init and interrupt enable
[371a015344b6e270e7e3632107d9554ec6d27a6b]
Yinghai Lu (1):
megaraid_sas: Fix probing cards without io port
[e7f851684efb3377e9c93aca7fae6e76212e5680]
Yoshihiro Shimoda (2):
usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
[4fdef698383db07d829da567e0e405fc41ff3a89]
usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
[15e4292a2d21e9997fdb2b8c014cc461b3f268f0]
Zhong Jiang (1):
mm,ksm: fix endless looping in allocating memory when ksm enable
[5b398e416e880159fe55eefd93c6588fa072cd66]
Documentation/filesystems/porting | 4 +-
Makefile | 4 +-
arch/alpha/include/asm/uaccess.h | 19 ++---
arch/arm/common/sa1111.c | 22 +++--
arch/arm/kernel/sys_oabi-compat.c | 8 +-
arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 +++
arch/avr32/include/asm/uaccess.h | 11 ++-
arch/avr32/kernel/avr32_ksyms.c | 2 +-
arch/avr32/lib/copy_user.S | 8 +-
arch/avr32/mach-at32ap/pio.c | 2 +-
arch/blackfin/include/asm/uaccess.h | 9 +-
arch/cris/include/asm/uaccess.h | 71 +++++++---------
arch/frv/include/asm/uaccess.h | 12 ++-
arch/hexagon/include/asm/uaccess.h | 3 +-
arch/ia64/include/asm/uaccess.h | 20 ++---
arch/m32r/include/asm/uaccess.h | 2 +-
arch/microblaze/include/asm/uaccess.h | 11 ++-
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/scall64-o32.S | 2 +-
arch/mips/mm/sc-rm7k.c | 2 +-
arch/mn10300/include/asm/uaccess.h | 1 +
arch/mn10300/lib/usercopy.c | 5 +-
arch/openrisc/include/asm/uaccess.h | 35 +++-----
arch/parisc/include/asm/errno.h | 4 +-
arch/parisc/include/asm/uaccess.h | 7 +-
arch/powerpc/include/asm/uaccess.h | 21 +----
arch/powerpc/mm/numa.c | 18 +++-
arch/s390/include/asm/auxvec.h | 2 +
arch/s390/include/asm/elf.h | 1 +
arch/s390/include/asm/uaccess.h | 8 +-
arch/score/include/asm/uaccess.h | 46 +++++-----
arch/sh/include/asm/uaccess.h | 5 +-
arch/sh/include/asm/uaccess_64.h | 1 +
arch/sparc/include/asm/uaccess_32.h | 4 +-
arch/x86/ia32/ia32entry.S | 2 +-
arch/x86/include/asm/tlbflush.h | 7 ++
arch/x86/kernel/apic/apic.c | 3 +
arch/x86/kernel/early-quirks.c | 106 +++++++++++++++++++++---
arch/x86/kernel/paravirt.c | 4 +-
arch/x86/kvm/vmx.c | 62 ++++++++++----
block/genhd.c | 1 +
crypto/blkcipher.c | 3 +-
crypto/cryptd.c | 9 +-
crypto/gcm.c | 4 +-
crypto/scatterwalk.c | 3 +-
drivers/bcma/bcma_private.h | 2 -
drivers/bluetooth/ath3k.c | 4 +
drivers/bluetooth/btusb.c | 2 +
drivers/char/tpm/tpm_tis.c | 9 +-
drivers/firewire/net.c | 46 +++++++---
drivers/gpu/drm/drm_crtc.c | 3 +
drivers/gpu/drm/drm_edid.c | 8 ++
drivers/gpu/drm/radeon/radeon_atombios.c | 4 +-
drivers/gpu/drm/radeon/radeon_connectors.c | 15 ++--
drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
drivers/hwmon/adt7411.c | 5 +-
drivers/i2c/busses/i2c-eg20t.c | 18 ++--
drivers/infiniband/core/multicast.c | 13 +--
drivers/infiniband/ulp/ipoib/ipoib.h | 1 +
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 ++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
drivers/input/joystick/xpad.c | 3 +
drivers/input/serio/i8042.c | 17 +---
drivers/input/serio/libps2.c | 10 +--
drivers/md/dm-flakey.c | 23 +++--
drivers/media/video/usbvision/usbvision-video.c | 7 --
drivers/mtd/maps/pmcmsp-flash.c | 6 +-
drivers/mtd/nand/davinci_nand.c | 3 +
drivers/mtd/nand/nand_base.c | 2 +-
drivers/mtd/ubi/build.c | 5 +-
drivers/net/can/dev.c | 27 +++---
drivers/net/ethernet/ethoc.c | 10 +--
drivers/net/ppp/ppp_generic.c | 5 +-
drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +-
drivers/pps/clients/pps_parport.c | 2 +-
drivers/s390/block/dasd.c | 10 ++-
drivers/scsi/aacraid/commctrl.c | 13 ++-
drivers/scsi/arcmsr/arcmsr_hba.c | 8 +-
drivers/scsi/megaraid/megaraid_sas_base.c | 6 +-
drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
drivers/staging/iio/accel/kxsd9.c | 2 +
drivers/staging/pohmelfs/Kconfig | 1 +
drivers/tty/serial/samsung.c | 4 +-
drivers/tty/vt/keyboard.c | 30 ++-----
drivers/usb/class/cdc-acm.c | 5 +-
drivers/usb/class/cdc-acm.h | 1 -
drivers/usb/core/config.c | 93 +++++++++++++++++----
drivers/usb/core/devio.c | 16 ++--
drivers/usb/gadget/fsl_qe_udc.c | 7 +-
drivers/usb/host/xhci-hub.c | 3 +
drivers/usb/host/xhci-pci.c | 3 +-
drivers/usb/renesas_usbhs/fifo.c | 18 +++-
drivers/usb/renesas_usbhs/mod_gadget.c | 9 +-
drivers/usb/serial/ftdi_sio.c | 3 +
drivers/usb/serial/ftdi_sio_ids.h | 12 +++
drivers/usb/serial/mos7720.c | 2 +-
drivers/usb/serial/mos7840.c | 4 +-
drivers/usb/serial/option.c | 13 +++
drivers/virtio/virtio_balloon.c | 2 +
drivers/xen/xenfs/xenbus.c | 14 ++--
fs/9p/acl.c | 40 ++++-----
fs/9p/vfs_inode.c | 2 +-
fs/9p/vfs_inode_dotl.c | 2 +-
fs/adfs/inode.c | 2 +-
fs/affs/inode.c | 2 +-
fs/attr.c | 35 +++++---
fs/btrfs/acl.c | 4 +-
fs/btrfs/inode.c | 2 +-
fs/btrfs/ioctl.c | 12 +++
fs/ceph/file.c | 13 ++-
fs/ceph/inode.c | 2 +-
fs/cifs/inode.c | 4 +-
fs/ecryptfs/inode.c | 2 +-
fs/exofs/inode.c | 2 +-
fs/ext2/acl.c | 12 +--
fs/ext2/inode.c | 2 +-
fs/ext3/acl.c | 12 +--
fs/ext3/inode.c | 6 +-
fs/ext4/acl.c | 12 +--
fs/ext4/extents.c | 8 +-
fs/ext4/inode.c | 8 +-
fs/ext4/mballoc.c | 17 +---
fs/ext4/super.c | 35 +++++++-
fs/fat/file.c | 2 +-
fs/fuse/dir.c | 2 +-
fs/generic_acl.c | 15 ++--
fs/gfs2/acl.c | 16 ++--
fs/gfs2/inode.c | 2 +-
fs/hfs/inode.c | 2 +-
fs/hfsplus/inode.c | 2 +-
fs/hostfs/hostfs_kern.c | 9 +-
fs/hpfs/inode.c | 2 +-
fs/hugetlbfs/inode.c | 2 +-
fs/jffs2/acl.c | 9 +-
fs/jffs2/fs.c | 2 +-
fs/jfs/file.c | 2 +-
fs/jfs/xattr.c | 6 +-
fs/libfs.c | 2 +-
fs/logfs/file.c | 2 +-
fs/minix/file.c | 2 +-
fs/ncpfs/inode.c | 2 +-
fs/nfs/callback_xdr.c | 6 +-
fs/nfs/nfs4proc.c | 15 +++-
fs/nfs/write.c | 5 +-
fs/nfsd/vfs.c | 12 +--
fs/nilfs2/inode.c | 2 +-
fs/ntfs/inode.c | 2 +-
fs/ocfs2/acl.c | 9 +-
fs/ocfs2/dlm/dlmconvert.c | 12 +--
fs/ocfs2/dlmfs/dlmfs.c | 2 +-
fs/ocfs2/file.c | 36 +++++---
fs/omfs/file.c | 2 +-
fs/posix_acl.c | 30 +++++++
fs/proc/base.c | 2 +-
fs/proc/generic.c | 2 +-
fs/proc/proc_sysctl.c | 2 +-
fs/ramfs/file-nommu.c | 2 +-
fs/reiserfs/inode.c | 2 +-
fs/reiserfs/xattr_acl.c | 8 +-
fs/seq_file.c | 4 +-
fs/sysfs/inode.c | 2 +-
fs/sysv/file.c | 2 +-
fs/ubifs/file.c | 2 +-
fs/ubifs/tnc_commit.c | 2 +-
fs/udf/file.c | 2 +-
fs/ufs/truncate.c | 2 +-
fs/utimes.c | 4 +-
fs/xfs/xfs_acl.c | 26 +++---
fs/xfs/xfs_file.c | 6 +-
fs/xfs/xfs_ioctl.c | 3 +-
fs/xfs/xfs_iops.c | 26 ++++--
fs/xfs/xfs_vnodeops.c | 5 +-
fs/xfs/xfs_vnodeops.h | 7 +-
include/asm-generic/uaccess.h | 20 +++--
include/linux/bcma/bcma.h | 1 +
include/linux/bcma/bcma_regs.h | 1 +
include/linux/can/dev.h | 3 +-
include/linux/fs.h | 2 +-
include/linux/i8042.h | 6 --
include/linux/mroute.h | 2 +-
include/linux/mroute6.h | 2 +-
include/linux/posix_acl.h | 1 +
include/linux/serio.h | 24 ++++--
include/net/tcp.h | 2 +
kernel/sched.c | 36 ++++----
kernel/trace/trace.c | 15 ++--
mm/hugetlb.c | 4 +
mm/ksm.c | 3 +-
mm/shmem.c | 2 +-
net/bluetooth/l2cap_sock.c | 2 +-
net/bluetooth/rfcomm/sock.c | 19 +++--
net/ipv4/ipmr.c | 3 +-
net/ipv4/route.c | 3 +-
net/ipv4/tcp_output.c | 3 +-
net/ipv6/ip6mr.c | 5 +-
net/ipv6/route.c | 4 +-
net/irda/af_irda.c | 12 +--
net/l2tp/l2tp_ppp.c | 7 +-
net/netfilter/nfnetlink_queue.c | 3 -
net/netlabel/netlabel_kapi.c | 12 ++-
net/sunrpc/svc.c | 7 +-
net/xfrm/xfrm_state.c | 1 +
net/xfrm/xfrm_user.c | 9 +-
security/keys/proc.c | 2 +-
sound/core/control.c | 2 +
sound/core/rawmidi.c | 4 +-
sound/core/timer.c | 72 ++++++++++------
virt/kvm/kvm_main.c | 2 +
209 files changed, 1278 insertions(+), 731 deletions(-)
--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 111/152] mn10300: failing __get_user() and get_user() should zero
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (41 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 048/152] tcp: consider recv buf for the initial window scale Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 052/152] balloon: check the number of available pages in leak balloon Ben Hutchings
` (110 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mn10300/include/asm/uaccess.h | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -181,6 +181,7 @@ struct __large_struct { unsigned long bu
"2:\n" \
" .section .fixup,\"ax\"\n" \
"3:\n\t" \
+ " mov 0,%1\n" \
" mov %3,%0\n" \
" jmp 2b\n" \
" .previous\n" \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 033/152] mtd: nand: fix bug writing 1 byte less than page size
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (89 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 050/152] ext4: validate that metadata blocks do not overlap superblock Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 030/152] crypto: scatterwalk - Fix test in scatterwalk_done Ben Hutchings
` (62 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Brian Norris, Boris Brezillon, Hector Palacios
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hector Palacios <hector.palacios@digi.com>
commit 144f4c98399e2c0ca60eb414c15a2c68125c18b8 upstream.
nand_do_write_ops() determines if it is writing a partial page with the
formula:
part_pagewr = (column || writelen < (mtd->writesize - 1))
When 'writelen' is exactly 1 byte less than the NAND page size the formula
equates to zero, so the code doesn't process it as a partial write,
although it should.
As a consequence the function remains in the while(1) loop with 'writelen'
becoming 0xffffffff and iterating endlessly.
The bug may not be easy to reproduce in Linux since user space tools
usually force the padding or round-up the write size to a page-size
multiple.
This was discovered in U-Boot where the issue can be reproduced by
writing any size that is 1 byte less than a page-size multiple.
For example, on a NAND with 2K page (0x800):
=> nand erase.part <partition>
=> nand write $loadaddr <partition> 7ff
[Editor's note: the bug was added in commit 29072b96078f, but moved
around in commit 66507c7bc8895 ("mtd: nand: Add support to use nand_base
poi databuf as bounce buffer")]
Fixes: 29072b96078f ("[MTD] NAND: add subpage write support")
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
[bwh: Backported to 3.2: adjusted context as noted above]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/nand/nand_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -2229,7 +2229,7 @@ static int nand_do_write_ops(struct mtd_
uint8_t *wbuf = buf;
/* Partial page write? */
- if (unlikely(column || writelen < (mtd->writesize - 1))) {
+ if (unlikely(column || writelen < mtd->writesize)) {
cached = 0;
bytes = min_t(int, bytes - column, (int) writelen);
chip->pagebuf = -1;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 146/152] fs: Avoid premature clearing of capabilities
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (86 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 039/152] ARM: OMAP3: hwmod data: Add sysc information for DSI Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 007/152] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Ben Hutchings
` (65 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Christoph Hellwig, Jan Kara
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 030b533c4fd4d2ec3402363323de4bb2983c9cee upstream.
Currently, notify_change() clears capabilities or IMA attributes by
calling security_inode_killpriv() before calling into ->setattr. Thus it
happens before any other permission checks in inode_change_ok() and user
is thus allowed to trigger clearing of capabilities or IMA attributes
for any file he can look up e.g. by calling chown for that file. This is
unexpected and can lead to user DoSing a system.
Fix the problem by calling security_inode_killpriv() at the end of
inode_change_ok() instead of from notify_change(). At that moment we are
sure user has permissions to do the requested change.
References: CVE-2015-1350
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/attr.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -46,7 +46,7 @@ int setattr_prepare(struct dentry *dentr
/* If force is set do it anyway. */
if (ia_valid & ATTR_FORCE)
- return 0;
+ goto kill_priv;
/* Make sure a caller can chown. */
if ((ia_valid & ATTR_UID) &&
@@ -77,6 +77,16 @@ int setattr_prepare(struct dentry *dentr
return -EPERM;
}
+kill_priv:
+ /* User has permission for the change */
+ if (ia_valid & ATTR_KILL_PRIV) {
+ int error;
+
+ error = security_inode_killpriv(dentry);
+ if (error)
+ return error;
+ }
+
return 0;
}
EXPORT_SYMBOL(setattr_prepare);
@@ -199,13 +209,11 @@ int notify_change(struct dentry * dentry
if (!(ia_valid & ATTR_MTIME_SET))
attr->ia_mtime = now;
if (ia_valid & ATTR_KILL_PRIV) {
- attr->ia_valid &= ~ATTR_KILL_PRIV;
- ia_valid &= ~ATTR_KILL_PRIV;
error = security_inode_need_killpriv(dentry);
- if (error > 0)
- error = security_inode_killpriv(dentry);
- if (error)
+ if (error < 0)
return error;
+ if (error == 0)
+ ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
}
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 017/152] x86/quirks: Add early quirk to reset Apple AirPort card
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (134 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 031/152] tpm: read burstcount from TPM_STS in one 32-bit transaction Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 062/152] netfilter: nfnetlink_queue: reject verdict request from different portid Ben Hutchings
` (17 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Denys Vlasenko, linux-wireless, H. Peter Anvin,
Andy Lutomirski, Thomas Gleixner, Matt Fleming, Peter Zijlstra,
Konstantin Simanov, Borislav Petkov, linux-pci, Brian Gerst,
Michael Buesch, Andrew Worsley, Lukas Wunner,
Rafał Miłecki, Chris Bainbridge, b43-dev,
Bryan Paradis, Linus Torvalds, Josh Poimboeuf, Chris Milsted,
Matthew Garrett, Bjorn Helgaas, Yinghai Lu, Ingo Molnar
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit abb2bafd295fe962bbadc329dbfb2146457283ac upstream.
The EFI firmware on Macs contains a full-fledged network stack for
downloading OS X images from osrecovery.apple.com. Unfortunately
on Macs introduced 2011 and 2012, EFI brings up the Broadcom 4331
wireless card on every boot and leaves it enabled even after
ExitBootServices has been called. The card continues to assert its IRQ
line, causing spurious interrupts if the IRQ is shared. It also corrupts
memory by DMAing received packets, allowing for remote code execution
over the air. This only stops when a driver is loaded for the wireless
card, which may be never if the driver is not installed or blacklisted.
The issue seems to be constrained to the Broadcom 4331. Chris Milsted
has verified that the newer Broadcom 4360 built into the MacBookPro11,3
(2013/2014) does not exhibit this behaviour. The chances that Apple will
ever supply a firmware fix for the older machines appear to be zero.
The solution is to reset the card on boot by writing to a reset bit in
its mmio space. This must be done as an early quirk and not as a plain
vanilla PCI quirk to successfully combat memory corruption by DMAed
packets: Matthew Garrett found out in 2012 that the packets are written
to EfiBootServicesData memory (http://mjg59.dreamwidth.org/11235.html).
This type of memory is made available to the page allocator by
efi_free_boot_services(). Plain vanilla PCI quirks run much later, in
subsys initcall level. In-between a time window would be open for memory
corruption. Random crashes occurring in this time window and attributed
to DMAed packets have indeed been observed in the wild by Chris
Bainbridge.
When Matthew Garrett analyzed the memory corruption issue in 2012, he
sought to fix it with a grub quirk which transitions the card to D3hot:
http://git.savannah.gnu.org/cgit/grub.git/commit/?id=9d34bb85da56
This approach does not help users with other bootloaders and while it
may prevent DMAed packets, it does not cure the spurious interrupts
emanating from the card. Unfortunately the card's mmio space is
inaccessible in D3hot, so to reset it, we have to undo the effect of
Matthew's grub patch and transition the card back to D0.
Note that the quirk takes a few shortcuts to reduce the amount of code:
The size of BAR 0 and the location of the PM capability is identical
on all affected machines and therefore hardcoded. Only the address of
BAR 0 differs between models. Also, it is assumed that the BCMA core
currently mapped is the 802.11 core. The EFI driver seems to always take
care of this.
Michael Büsch, Bjorn Helgaas and Matt Fleming contributed feedback
towards finding the best solution to this problem.
The following should be a comprehensive list of affected models:
iMac13,1 2012 21.5" [Root Port 00:1c.3 = 8086:1e16]
iMac13,2 2012 27" [Root Port 00:1c.3 = 8086:1e16]
Macmini5,1 2011 i5 2.3 GHz [Root Port 00:1c.1 = 8086:1c12]
Macmini5,2 2011 i5 2.5 GHz [Root Port 00:1c.1 = 8086:1c12]
Macmini5,3 2011 i7 2.0 GHz [Root Port 00:1c.1 = 8086:1c12]
Macmini6,1 2012 i5 2.5 GHz [Root Port 00:1c.1 = 8086:1e12]
Macmini6,2 2012 i7 2.3 GHz [Root Port 00:1c.1 = 8086:1e12]
MacBookPro8,1 2011 13" [Root Port 00:1c.1 = 8086:1c12]
MacBookPro8,2 2011 15" [Root Port 00:1c.1 = 8086:1c12]
MacBookPro8,3 2011 17" [Root Port 00:1c.1 = 8086:1c12]
MacBookPro9,1 2012 15" [Root Port 00:1c.1 = 8086:1e12]
MacBookPro9,2 2012 13" [Root Port 00:1c.1 = 8086:1e12]
MacBookPro10,1 2012 15" [Root Port 00:1c.1 = 8086:1e12]
MacBookPro10,2 2012 13" [Root Port 00:1c.1 = 8086:1e12]
For posterity, spurious interrupts caused by the Broadcom 4331 wireless
card resulted in splats like this (stacktrace omitted):
irq 17: nobody cared (try booting with the "irqpoll" option)
handlers:
[<ffffffff81374370>] pcie_isr
[<ffffffffc0704550>] sdhci_irq [sdhci] threaded [<ffffffffc07013c0>] sdhci_thread_irq [sdhci]
[<ffffffffc0a0b960>] azx_interrupt [snd_hda_codec]
Disabling IRQ #17
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=79301
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=111781
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=728916
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=895951#c16
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1009819
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1098621
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1149632#c5
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1279130
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1332732
Tested-by: Konstantin Simanov <k.simanov@stlk.ru> # [MacBookPro8,1]
Tested-by: Lukas Wunner <lukas@wunner.de> # [MacBookPro9,1]
Tested-by: Bryan Paradis <bryan.paradis@gmail.com> # [MacBookPro9,2]
Tested-by: Andrew Worsley <amworsley@gmail.com> # [MacBookPro10,1]
Tested-by: Chris Bainbridge <chris.bainbridge@gmail.com> # [MacBookPro10,2]
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Rafał Miłecki <zajec5@gmail.com>
Acked-by: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Chris Milsted <cmilsted@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Michael Buesch <m@bues.ch>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: b43-dev@lists.infradead.org
Cc: linux-pci@vger.kernel.org
Cc: linux-wireless@vger.kernel.org
Link: http://lkml.kernel.org/r/48d0972ac82a53d460e5fce77a07b2560db95203.1465690253.git.lukas@wunner.de
[ Did minor readability edits. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.2:
- early_ioremap() is declared in <asm/io.h> not <asm/early_ioremap.h>
- Add definition of BCMA_RESET_ST
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/early-quirks.c | 64 ++++++++++++++++++++++++++++++++++++++++++
drivers/bcma/bcma_private.h | 2 --
include/linux/bcma/bcma.h | 1 +
3 files changed, 65 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -11,13 +11,20 @@
#include <linux/pci.h>
#include <linux/acpi.h>
+#include <linux/delay.h>
+#include <linux/dmi.h>
#include <linux/pci_ids.h>
+#include <linux/bcma/bcma.h>
+#include <linux/bcma/bcma_regs.h>
#include <asm/pci-direct.h>
#include <asm/dma.h>
#include <asm/io_apic.h>
#include <asm/apic.h>
#include <asm/iommu.h>
#include <asm/gart.h>
+#include <asm/io.h>
+
+#define dev_err(msg) pr_err("pci 0000:%02x:%02x.%d: %s", bus, slot, func, msg)
static void __init fix_hypertransport_config(int num, int slot, int func)
{
@@ -199,6 +206,62 @@ static void __init ati_bugs_contd(int nu
}
#endif
+#define BCM4331_MMIO_SIZE 16384
+#define BCM4331_PM_CAP 0x40
+#define bcma_aread32(reg) ioread32(mmio + 1 * BCMA_CORE_SIZE + reg)
+#define bcma_awrite32(reg, val) iowrite32(val, mmio + 1 * BCMA_CORE_SIZE + reg)
+
+static void __init apple_airport_reset(int bus, int slot, int func)
+{
+ void __iomem *mmio;
+ u16 pmcsr;
+ u64 addr;
+ int i;
+
+ if (!dmi_match(DMI_SYS_VENDOR, "Apple Inc."))
+ return;
+
+ /* Card may have been put into PCI_D3hot by grub quirk */
+ pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+
+ if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+ pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ write_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL, pmcsr);
+ mdelay(10);
+
+ pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+ if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+ dev_err("Cannot power up Apple AirPort card\n");
+ return;
+ }
+ }
+
+ addr = read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_0);
+ addr |= (u64)read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_1) << 32;
+ addr &= PCI_BASE_ADDRESS_MEM_MASK;
+
+ mmio = early_ioremap(addr, BCM4331_MMIO_SIZE);
+ if (!mmio) {
+ dev_err("Cannot iomap Apple AirPort card\n");
+ return;
+ }
+
+ pr_info("Resetting Apple AirPort card (left enabled by EFI)\n");
+
+ for (i = 0; bcma_aread32(BCMA_RESET_ST) && i < 30; i++)
+ udelay(10);
+
+ bcma_awrite32(BCMA_RESET_CTL, BCMA_RESET_CTL_RESET);
+ bcma_aread32(BCMA_RESET_CTL);
+ udelay(1);
+
+ bcma_awrite32(BCMA_RESET_CTL, 0);
+ bcma_aread32(BCMA_RESET_CTL);
+ udelay(10);
+
+ early_iounmap(mmio, BCM4331_MMIO_SIZE);
+}
+
#define QFLAG_APPLY_ONCE 0x1
#define QFLAG_APPLIED 0x2
#define QFLAG_DONE (QFLAG_APPLY_ONCE|QFLAG_APPLIED)
@@ -222,6 +285,8 @@ static struct chipset early_qrk[] __init
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs },
{ PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_SBX00_SMBUS,
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs_contd },
+ { PCI_VENDOR_ID_BROADCOM, 0x4331,
+ PCI_CLASS_NETWORK_OTHER, PCI_ANY_ID, 0, apple_airport_reset},
{}
};
--- a/drivers/bcma/bcma_private.h
+++ b/drivers/bcma/bcma_private.h
@@ -8,8 +8,6 @@
#include <linux/bcma/bcma.h>
#include <linux/delay.h>
-#define BCMA_CORE_SIZE 0x1000
-
struct bcma_bus;
/* main.c */
--- a/include/linux/bcma/bcma.h
+++ b/include/linux/bcma/bcma.h
@@ -124,6 +124,7 @@ struct bcma_host_ops {
#define BCMA_CORE_DEFAULT 0xFFF
#define BCMA_MAX_NR_CORES 16
+#define BCMA_CORE_SIZE 0x1000
struct bcma_device {
struct bcma_bus *bus;
--- a/include/linux/bcma/bcma_regs.h
+++ b/include/linux/bcma/bcma_regs.h
@@ -35,6 +35,7 @@
#define BCMA_IOST_BIST_DONE 0x8000
#define BCMA_RESET_CTL 0x0800
#define BCMA_RESET_CTL_RESET 0x0001
+#define BCMA_RESET_ST 0x0804
/* BCMA PCI config space registers. */
#define BCMA_PCI_PMCSR 0x44
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 102/152] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (105 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 135/152] i2c-eg20t: fix race between i2c init and interrupt enable Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 140/152] mm,ksm: fix endless looping in allocating memory when ksm enable Ben Hutchings
` (46 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Karl Beldan, Boris Brezillon, Brian Norris
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Karl Beldan <kbeldan@baylibre.com>
commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c upstream.
This fixes subpage writes when using 4-bit HW ECC.
There has been numerous reports about ECC errors with devices using this
driver for a while. Also the 4-bit ECC has been reported as broken with
subpages in [1] and with 16 bits NANDs in the driver and in mach* board
files both in mainline and in the vendor BSPs.
What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to
try reinitializing the ECC engine:
- R/W on whole pages properly generates/checks RS code
- try writing the 1st subpage only of a blank page, the subpage is well
written and the RS code properly generated, re-reading the same page
the HW detects some ECC error, reading the same page again no ECC
error is detected
Note that the ECC engine is already reinitialized in the 1-bit case.
Tested on my LCDK with UBI+UBIFS using subpages.
This could potentially get rid of the issue workarounded in [1].
[1] 28c015a9daab ("mtd: davinci-nand: disable subpage write for keystone-nand")
Fixes: 6a4123e581b3 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage")
Signed-off-by: Karl Beldan <kbeldan@baylibre.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/nand/davinci_nand.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/mtd/nand/davinci_nand.c
+++ b/drivers/mtd/nand/davinci_nand.c
@@ -239,6 +239,9 @@ static void nand_davinci_hwctl_4bit(stru
unsigned long flags;
u32 val;
+ /* Reset ECC hardware */
+ davinci_nand_readl(info, NAND_4BIT_ECC1_OFFSET);
+
spin_lock_irqsave(&davinci_nand_lock, flags);
/* Start 4-bit ECC calculation for read/write */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 142/152] KEYS: Fix short sprintf buffer in /proc/keys show function
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (38 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 113/152] openrisc: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 022/152] net: ethoc: Fix early error paths Ben Hutchings
` (113 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Howells, Ondrej Kozina, James Morris
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.
This fixes CVE-2016-7042.
Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.
The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:
(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943
That's 14 chars plus NUL, not 11 chars plus NUL.
Expand the buffer to 16 chars.
I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.
The panic incurred looks something like:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
[<ffffffff813d941f>] dump_stack+0x63/0x84
[<ffffffff811b2cb6>] panic+0xde/0x22a
[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
[<ffffffff81350410>] ? key_validate+0x50/0x50
[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
[<ffffffff8126b31c>] seq_read+0x2cc/0x390
[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
[<ffffffff81244fc7>] __vfs_read+0x37/0x150
[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
[<ffffffff81246156>] vfs_read+0x96/0x130
[<ffffffff81247635>] SyS_read+0x55/0xc0
[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/keys/proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -188,7 +188,7 @@ static int proc_keys_show(struct seq_fil
struct timespec now;
unsigned long timo;
key_ref_t key_ref, skey_ref;
- char xbuf[12];
+ char xbuf[16];
int rc;
key_ref = make_key_ref(key, 0);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 147/152] Btrfs: skip adding an acl attribute if we don't have to
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (8 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 080/152] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 145/152] fs: Give dentry to inode_change_ok() instead of inode Ben Hutchings
` (143 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Chris Mason, Liu Bo
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo <bo.li.liu@oracle.com>
commit 755ac67f83e515af55adbfe55134eb7d90839cdb upstream.
If the acl can be exactly represented in the traditional file
mode permission bits, we don't set another acl attribute.
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/acl.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -121,6 +121,8 @@ static int btrfs_set_acl(struct btrfs_tr
ret = posix_acl_equiv_mode(acl, &inode->i_mode);
if (ret < 0)
return ret;
+ if (ret == 0)
+ acl = NULL;
}
ret = 0;
break;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (48 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 107/152] cris: buggered copy_from_user/copy_to_user/clear_user Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 21:09 ` Stefan Richter
2016-11-14 0:14 ` [PATCH 3.2 038/152] pps: do not crash when failed to register Ben Hutchings
` (103 subsequent siblings)
153 siblings, 1 reply; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eyal Itkin, Stefan Richter
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Richter <stefanr@s5r6.in-berlin.de>
commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.
The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams. A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.
So, drop any packets carrying a fragment with offset + length larger
than datagram_size.
In addition, ensure that
- GASP header, unfragmented encapsulation header, or fragment
encapsulation header actually exists before we access it,
- the encapsulated datagram or fragment is of nonzero size.
Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -677,6 +677,9 @@ static int fwnet_incoming_packet(struct
int retval;
u16 ether_type;
+ if (len <= RFC2374_UNFRAG_HDR_SIZE)
+ return 0;
+
hdr.w0 = be32_to_cpu(buf[0]);
lf = fwnet_get_hdr_lf(&hdr);
if (lf == RFC2374_HDR_UNFRAG) {
@@ -702,7 +705,12 @@ static int fwnet_incoming_packet(struct
return fwnet_finish_incoming_packet(net, skb, source_node_id,
is_broadcast, ether_type);
}
+
/* A datagram fragment has been received, now the fun begins. */
+
+ if (len <= RFC2374_FRAG_HDR_SIZE)
+ return 0;
+
hdr.w1 = ntohl(buf[1]);
buf += 2;
len -= RFC2374_FRAG_HDR_SIZE;
@@ -716,6 +724,9 @@ static int fwnet_incoming_packet(struct
datagram_label = fwnet_get_hdr_dgl(&hdr);
dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */
+ if (fg_off + len > dg_size)
+ return 0;
+
spin_lock_irqsave(&dev->lock, flags);
peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);
@@ -822,6 +833,22 @@ static void fwnet_receive_packet(struct
fw_send_response(card, r, rcode);
}
+static int gasp_source_id(__be32 *p)
+{
+ return be32_to_cpu(p[0]) >> 16;
+}
+
+static u32 gasp_specifier_id(__be32 *p)
+{
+ return (be32_to_cpu(p[0]) & 0xffff) << 8 |
+ (be32_to_cpu(p[1]) & 0xff000000) >> 24;
+}
+
+static u32 gasp_version(__be32 *p)
+{
+ return be32_to_cpu(p[1]) & 0xffffff;
+}
+
static void fwnet_receive_broadcast(struct fw_iso_context *context,
u32 cycle, size_t header_length, void *header, void *data)
{
@@ -832,9 +859,6 @@ static void fwnet_receive_broadcast(stru
__be32 *buf_ptr;
int retval;
u32 length;
- u16 source_node_id;
- u32 specifier_id;
- u32 ver;
unsigned long offset;
unsigned long flags;
@@ -852,17 +876,13 @@ static void fwnet_receive_broadcast(stru
spin_unlock_irqrestore(&dev->lock, flags);
- specifier_id = (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8
- | (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;
- ver = be32_to_cpu(buf_ptr[1]) & 0xffffff;
- source_node_id = be32_to_cpu(buf_ptr[0]) >> 16;
-
- if (specifier_id == IANA_SPECIFIER_ID && ver == RFC2734_SW_VERSION) {
- buf_ptr += 2;
- length -= IEEE1394_GASP_HDR_SIZE;
- fwnet_incoming_packet(dev, buf_ptr, length, source_node_id,
+ if (length > IEEE1394_GASP_HDR_SIZE &&
+ gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&
+ gasp_version(buf_ptr) == RFC2734_SW_VERSION)
+ fwnet_incoming_packet(dev, buf_ptr + 2,
+ length - IEEE1394_GASP_HDR_SIZE,
+ gasp_source_id(buf_ptr),
context->card->generation, true);
- }
packet.payload_length = dev->rcv_buffer_size;
packet.interrupt = 1;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 141/152] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (140 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 061/152] aacraid: Check size values after double-fetch from user Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 087/152] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Ben Hutchings
` (11 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jaganath Kanakkassery, Marcel Holtmann
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jaganath Kanakkassery <jaganath.k@samsung.com>
commit 951b6a0717db97ce420547222647bcc40bf1eacd upstream.
addr can be NULL and it should not be dereferenced before NULL checking.
Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
[bwh: Backported to 3.2:
- There's no 'chan' variable
- Keep using batostr() to log addresses
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/rfcomm/sock.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -349,15 +349,19 @@ static int rfcomm_sock_create(struct net
static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
{
- struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
+ struct sockaddr_rc sa;
struct sock *sk = sock->sk;
- int err = 0;
-
- BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
+ int len, err = 0;
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
+ memset(&sa, 0, sizeof(sa));
+ len = min_t(unsigned int, sizeof(sa), addr_len);
+ memcpy(&sa, addr, len);
+
+ BT_DBG("sk %p %s", sk, batostr(&sa.rc_bdaddr));
+
lock_sock(sk);
if (sk->sk_state != BT_OPEN) {
@@ -372,12 +376,13 @@ static int rfcomm_sock_bind(struct socke
write_lock_bh(&rfcomm_sk_list.lock);
- if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
+ if (sa.rc_channel &&
+ __rfcomm_get_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
err = -EADDRINUSE;
} else {
/* Save source address */
- bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
- rfcomm_pi(sk)->channel = sa->rc_channel;
+ bacpy(&bt_sk(sk)->src, &sa.rc_bdaddr);
+ rfcomm_pi(sk)->channel = sa.rc_channel;
sk->sk_state = BT_BOUND;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 139/152] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (116 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 103/152] NFSv4.1: Fix the CREATE_SESSION slot number accounting Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 116/152] s390: get_user() should zero on failure Ben Hutchings
` (35 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Nikolay Aleksandrov
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
commit 2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8 upstream.
Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid
instead of the previous dst_pid which was copied from in_skb's portid.
Since the skb is new the portid is 0 at that point so the packets are sent
to the kernel and we get scheduling while atomic or a deadlock (depending
on where it happens) by trying to acquire rtnl two times.
Also since this is RTM_GETROUTE, it can be triggered by a normal user.
Here's the sleeping while atomic trace:
[ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
[ 7858.212881] 2 locks held by swapper/0/0:
[ 7858.213013] #0: (((&mrt->ipmr_expire_timer))){+.-...}, at: [<ffffffff810fbbf5>] call_timer_fn+0x5/0x350
[ 7858.213422] #1: (mfc_unres_lock){+.....}, at: [<ffffffff8161e005>] ipmr_expire_process+0x25/0x130
[ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179
[ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 7858.214108] 0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000
[ 7858.214412] ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e
[ 7858.214716] 000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f
[ 7858.215251] Call Trace:
[ 7858.215412] <IRQ> [<ffffffff813a7804>] dump_stack+0x85/0xc1
[ 7858.215662] [<ffffffff810a4a72>] ___might_sleep+0x192/0x250
[ 7858.215868] [<ffffffff810a4b9f>] __might_sleep+0x6f/0x100
[ 7858.216072] [<ffffffff8165bea3>] mutex_lock_nested+0x33/0x4d0
[ 7858.216279] [<ffffffff815a7a5f>] ? netlink_lookup+0x25f/0x460
[ 7858.216487] [<ffffffff8157474b>] rtnetlink_rcv+0x1b/0x40
[ 7858.216687] [<ffffffff815a9a0c>] netlink_unicast+0x19c/0x260
[ 7858.216900] [<ffffffff81573c70>] rtnl_unicast+0x20/0x30
[ 7858.217128] [<ffffffff8161cd39>] ipmr_destroy_unres+0xa9/0xf0
[ 7858.217351] [<ffffffff8161e06f>] ipmr_expire_process+0x8f/0x130
[ 7858.217581] [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.217785] [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.217990] [<ffffffff810fbc95>] call_timer_fn+0xa5/0x350
[ 7858.218192] [<ffffffff810fbbf5>] ? call_timer_fn+0x5/0x350
[ 7858.218415] [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
[ 7858.218656] [<ffffffff810fde10>] run_timer_softirq+0x260/0x640
[ 7858.218865] [<ffffffff8166379b>] ? __do_softirq+0xbb/0x54f
[ 7858.219068] [<ffffffff816637c8>] __do_softirq+0xe8/0x54f
[ 7858.219269] [<ffffffff8107a948>] irq_exit+0xb8/0xc0
[ 7858.219463] [<ffffffff81663452>] smp_apic_timer_interrupt+0x42/0x50
[ 7858.219678] [<ffffffff816625bc>] apic_timer_interrupt+0x8c/0xa0
[ 7858.219897] <EOI> [<ffffffff81055f16>] ? native_safe_halt+0x6/0x10
[ 7858.220165] [<ffffffff810d64dd>] ? trace_hardirqs_on+0xd/0x10
[ 7858.220373] [<ffffffff810298e3>] default_idle+0x23/0x190
[ 7858.220574] [<ffffffff8102a20f>] arch_cpu_idle+0xf/0x20
[ 7858.220790] [<ffffffff810c9f8c>] default_idle_call+0x4c/0x60
[ 7858.221016] [<ffffffff810ca33b>] cpu_startup_entry+0x39b/0x4d0
[ 7858.221257] [<ffffffff8164f995>] rest_init+0x135/0x140
[ 7858.221469] [<ffffffff81f83014>] start_kernel+0x50e/0x51b
[ 7858.221670] [<ffffffff81f82120>] ? early_idt_handler_array+0x120/0x120
[ 7858.221894] [<ffffffff81f8243f>] x86_64_start_reservations+0x2a/0x2c
[ 7858.222113] [<ffffffff81f8257c>] x86_64_start_kernel+0x13b/0x14a
Fixes: 2942e9005056 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2:
- Use 'pid' instead of 'portid' where necessary
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/mroute.h | 2 +-
include/linux/mroute6.h | 2 +-
net/ipv4/ipmr.c | 3 ++-
net/ipv4/route.c | 3 ++-
net/ipv6/ip6mr.c | 5 +++--
net/ipv6/route.c | 4 +++-
6 files changed, 12 insertions(+), 7 deletions(-)
--- a/include/linux/mroute.h
+++ b/include/linux/mroute.h
@@ -245,7 +245,7 @@ struct mfc_cache {
struct rtmsg;
extern int ipmr_get_route(struct net *net, struct sk_buff *skb,
__be32 saddr, __be32 daddr,
- struct rtmsg *rtm, int nowait);
+ struct rtmsg *rtm, int nowait, u32 portid);
#endif
#endif
--- a/include/linux/mroute6.h
+++ b/include/linux/mroute6.h
@@ -228,7 +228,7 @@ struct mfc6_cache {
#ifdef __KERNEL__
struct rtmsg;
extern int ip6mr_get_route(struct net *net, struct sk_buff *skb,
- struct rtmsg *rtm, int nowait);
+ struct rtmsg *rtm, int nowait, u32 portid);
#ifdef CONFIG_IPV6_MROUTE
extern struct sock *mroute6_socket(struct net *net, struct sk_buff *skb);
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -2058,7 +2058,7 @@ rtattr_failure:
int ipmr_get_route(struct net *net, struct sk_buff *skb,
__be32 saddr, __be32 daddr,
- struct rtmsg *rtm, int nowait)
+ struct rtmsg *rtm, int nowait, u32 portid)
{
struct mfc_cache *cache;
struct mr_table *mrt;
@@ -2098,6 +2098,7 @@ int ipmr_get_route(struct net *net, stru
return -ENOMEM;
}
+ NETLINK_CB(skb2).pid = portid;
skb_push(skb2, sizeof(struct iphdr));
skb_reset_network_header(skb2);
iph = ip_hdr(skb2);
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3077,7 +3077,8 @@ static int rt_fill_info(struct net *net,
IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
int err = ipmr_get_route(net, skb,
rt->rt_src, rt->rt_dst,
- r, nowait);
+ r, nowait, pid);
+
if (err <= 0) {
if (!nowait) {
if (err == 0)
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -2137,8 +2137,8 @@ rtattr_failure:
return -EMSGSIZE;
}
-int ip6mr_get_route(struct net *net,
- struct sk_buff *skb, struct rtmsg *rtm, int nowait)
+int ip6mr_get_route(struct net *net, struct sk_buff *skb, struct rtmsg *rtm,
+ int nowait, u32 portid)
{
int err;
struct mr6_table *mrt;
@@ -2176,6 +2176,7 @@ int ip6mr_get_route(struct net *net,
return -ENOMEM;
}
+ NETLINK_CB(skb2).pid = portid;
skb_reset_transport_header(skb2);
skb_put(skb2, sizeof(struct ipv6hdr));
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2416,7 +2416,9 @@ static int rt6_fill_node(struct net *net
if (iif) {
#ifdef CONFIG_IPV6_MROUTE
if (ipv6_addr_is_multicast(&rt->rt6i_dst.addr)) {
- int err = ip6mr_get_route(net, skb, rtm, nowait);
+ int err = ip6mr_get_route(net, skb, rtm, nowait,
+ pid);
+
if (err <= 0) {
if (!nowait) {
if (err == 0)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 149/152] [media] usbvision: revert commit 588afcc1
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (107 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 140/152] mm,ksm: fix endless looping in allocating memory when ksm enable Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 074/152] drm/radeon: fix radeon_move_blit on 32bit systems Ben Hutchings
` (44 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Vladis Dronov, Luis Henriques, Hans Verkuil, Mauro Carvalho Chehab
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vladis Dronov <vdronov@redhat.com>
commit d5468d7afaa9c9e961e150f0455a14a9f4872a98 upstream.
Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces
array")' should be reverted, because:
* "!dev->actconfig->interface[ifnum]" won't catch a case where the value
is not NULL but some garbage. This way the system may crash later with
GPF.
* "(ifnum >= USB_MAXINTERFACES)" does not cover all the error
conditions. "ifnum" should be compared to "dev->actconfig->
desc.bNumInterfaces", i.e. compared to the number of "struct
usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES.
* There is a "struct usb_device" leak in this error path, as there is
usb_get_dev(), but no usb_put_dev() on this path.
* There is a bug of the same type several lines below with number of
endpoints. The code is accessing hard-coded second endpoint
("interface->endpoint[1].desc") which may not exist. It would be great
to handle this in the same patch too.
* All the concerns above are resolved by already-accepted commit fa52bd50
("[media] usbvision: fix crash on detecting device with invalid
configuration")
* Mailing list message:
http://www.spinics.net/lists/linux-media/msg94832.html
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Luis Henriques <luis.henriques@canonical.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/video/usbvision/usbvision-video.c | 7 -------
1 file changed, 7 deletions(-)
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
@@ -1502,13 +1502,6 @@ static int __devinit usbvision_probe(str
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
- /*
- * this is a security check.
- * an exploit using an incorrect bInterfaceNumber is known
- */
- if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
- return -ENODEV;
-
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
else if (ifnum < dev->actconfig->desc.bNumInterfaces)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 132/152] xfrm: Fix memory leak of aead algorithm name
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (123 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 099/152] xfrm_user: propagate sec ctx allocation errors Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 117/152] score: fix __get_user/get_user Ben Hutchings
` (28 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Rami Rosen, Ilan Tayari, Steffen Klassert
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ilan Tayari <ilant@mellanox.com>
commit b588479358ce26f32138e0f0a7ab0678f8e3e601 upstream.
commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
introduced aead. The function attach_aead kmemdup()s the algorithm
name during xfrm_state_construct().
However this memory is never freed.
Implementation has since been slightly modified in
commit ee5c23176fcc ("xfrm: Clone states properly on migration")
without resolving this leak.
This patch adds a kfree() call for the aead algorithm name.
Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
Signed-off-by: Ilan Tayari <ilant@mellanox.com>
Acked-by: Rami Rosen <roszenrami@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -351,6 +351,7 @@ static void xfrm_state_gc_destroy(struct
{
tasklet_hrtimer_cancel(&x->mtimer);
del_timer_sync(&x->rtimer);
+ kfree(x->aead);
kfree(x->aalg);
kfree(x->ealg);
kfree(x->calg);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 145/152] fs: Give dentry to inode_change_ok() instead of inode
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (9 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 147/152] Btrfs: skip adding an acl attribute if we don't have to Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 136/152] btrfs: ensure that file descriptor used with subvol ioctls is a dir Ben Hutchings
` (142 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara, Christoph Hellwig
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.
inode_change_ok() will be resposible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better relect that it does also some
modifications in addition to checks.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.2:
- Drop changes to f2fs, lustre, orangefs, overlayfs
- Adjust filenames, context
- In nfsd, pass dentry to nfsd_sanitize_attrs()
- In xfs, pass dentry to xfs_change_file_space(), xfs_set_mode(),
xfs_setattr_nonsize(), and xfs_setattr_size()
- Update ext3 as well
- Mark pohmelfs as BROKEN; it's long dead upstream]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/Documentation/filesystems/porting
+++ b/Documentation/filesystems/porting
@@ -288,8 +288,8 @@ implementing on-disk size changes. Star
and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
be in order of zeroing blocks using block_truncate_page or similar helpers,
size update and on finally on-disk truncation which should not fail.
-inode_change_ok now includes the size checks for ATTR_SIZE and must be called
-in the beginning of ->setattr unconditionally.
+setattr_prepare (which used to be inode_change_ok) now includes the size checks
+for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
[mandatory]
--- a/drivers/staging/pohmelfs/Kconfig
+++ b/drivers/staging/pohmelfs/Kconfig
@@ -1,5 +1,6 @@
config POHMELFS
tristate "POHMELFS filesystem support"
+ depends on BROKEN
depends on NET
select CONNECTOR
select CRYPTO
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -1068,7 +1068,7 @@ static int v9fs_vfs_setattr(struct dentr
struct p9_wstat wstat;
P9_DPRINTK(P9_DEBUG_VFS, "\n");
- retval = inode_change_ok(dentry->d_inode, iattr);
+ retval = setattr_prepare(dentry, iattr);
if (retval)
return retval;
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -538,7 +538,7 @@ int v9fs_vfs_setattr_dotl(struct dentry
P9_DPRINTK(P9_DEBUG_VFS, "\n");
- retval = inode_change_ok(dentry->d_inode, iattr);
+ retval = setattr_prepare(dentry, iattr);
if (retval)
return retval;
--- a/fs/adfs/inode.c
+++ b/fs/adfs/inode.c
@@ -298,7 +298,7 @@ adfs_notify_change(struct dentry *dentry
unsigned int ia_valid = attr->ia_valid;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
/*
* we can't change the UID or GID of any file -
--- a/fs/affs/inode.c
+++ b/fs/affs/inode.c
@@ -222,7 +222,7 @@ affs_notify_change(struct dentry *dentry
pr_debug("AFFS: notify_change(%lu,0x%x)\n",inode->i_ino,attr->ia_valid);
- error = inode_change_ok(inode,attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out;
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -16,19 +16,22 @@
#include <linux/evm.h>
/**
- * inode_change_ok - check if attribute changes to an inode are allowed
- * @inode: inode to check
+ * setattr_prepare - check if attribute changes to a dentry are allowed
+ * @dentry: dentry to check
* @attr: attributes to change
*
* Check if we are allowed to change the attributes contained in @attr
- * in the given inode. This includes the normal unix access permission
- * checks, as well as checks for rlimits and others.
+ * in the given dentry. This includes the normal unix access permission
+ * checks, as well as checks for rlimits and others. The function also clears
+ * SGID bit from mode if user is not allowed to set it. Also file capabilities
+ * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
*
* Should be called as the first thing in ->setattr implementations,
* possibly after taking additional locks.
*/
-int inode_change_ok(const struct inode *inode, struct iattr *attr)
+int setattr_prepare(struct dentry *dentry, struct iattr *attr)
{
+ struct inode *inode = dentry->d_inode;
unsigned int ia_valid = attr->ia_valid;
/*
@@ -76,7 +79,7 @@ int inode_change_ok(const struct inode *
return 0;
}
-EXPORT_SYMBOL(inode_change_ok);
+EXPORT_SYMBOL(setattr_prepare);
/**
* inode_newsize_ok - may this inode be truncated to a given size
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3533,7 +3533,7 @@ static int btrfs_setattr(struct dentry *
if (btrfs_root_readonly(root))
return -EROFS;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1541,7 +1541,7 @@ int ceph_setattr(struct dentry *dentry,
__ceph_do_pending_vmtruncate(inode);
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err != 0)
return err;
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1948,7 +1948,7 @@ cifs_setattr_unix(struct dentry *direntr
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
attrs->ia_valid |= ATTR_FORCE;
- rc = inode_change_ok(inode, attrs);
+ rc = setattr_prepare(direntry, attrs);
if (rc < 0)
goto out;
@@ -2089,7 +2089,7 @@ cifs_setattr_nounix(struct dentry *diren
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
attrs->ia_valid |= ATTR_FORCE;
- rc = inode_change_ok(inode, attrs);
+ rc = setattr_prepare(direntry, attrs);
if (rc < 0) {
FreeXid(xid);
return rc;
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -1026,7 +1026,7 @@ static int ecryptfs_setattr(struct dentr
}
mutex_unlock(&crypt_stat->cs_mutex);
- rc = inode_change_ok(inode, ia);
+ rc = setattr_prepare(dentry, ia);
if (rc)
goto out;
if (ia->ia_valid & ATTR_SIZE) {
--- a/fs/exofs/inode.c
+++ b/fs/exofs/inode.c
@@ -1018,7 +1018,7 @@ int exofs_setattr(struct dentry *dentry,
if (unlikely(error))
return error;
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (unlikely(error))
return error;
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1530,7 +1530,7 @@ int ext2_setattr(struct dentry *dentry,
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -3271,7 +3271,7 @@ int ext3_setattr(struct dentry *dentry,
int error, rc = 0;
const unsigned int ia_valid = attr->ia_valid;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4291,7 +4291,7 @@ int ext4_setattr(struct dentry *dentry,
int orphan = 0;
const unsigned int ia_valid = attr->ia_valid;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -382,7 +382,7 @@ int fat_setattr(struct dentry *dentry, s
attr->ia_valid &= ~TIMES_SET_FLAGS;
}
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
attr->ia_valid = ia_valid;
if (error) {
if (sbi->options.quiet)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1298,7 +1298,7 @@ static int fuse_do_setattr(struct dentry
if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
attr->ia_valid |= ATTR_FORCE;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(entry, attr);
if (err)
return err;
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -1646,7 +1646,7 @@ static int gfs2_setattr(struct dentry *d
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
goto out;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out;
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -588,7 +588,7 @@ int hfs_inode_setattr(struct dentry *den
struct hfs_sb_info *hsb = HFS_SB(inode->i_sb);
int error;
- error = inode_change_ok(inode, attr); /* basic permission checks */
+ error = setattr_prepare(dentry, attr); /* basic permission checks */
if (error)
return error;
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -292,7 +292,7 @@ static int hfsplus_setattr(struct dentry
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -792,7 +792,7 @@ int hostfs_setattr(struct dentry *dentry
int fd = HOSTFS_I(inode)->fd;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
--- a/fs/hpfs/inode.c
+++ b/fs/hpfs/inode.c
@@ -268,7 +268,7 @@ int hpfs_setattr(struct dentry *dentry,
if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
goto out_unlock;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out_unlock;
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -422,7 +422,7 @@ static int hugetlbfs_setattr(struct dent
BUG_ON(!inode);
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -186,7 +186,7 @@ int jffs2_setattr(struct dentry *dentry,
{
int rc;
- rc = inode_change_ok(dentry->d_inode, iattr);
+ rc = setattr_prepare(dentry, iattr);
if (rc)
return rc;
--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -102,7 +102,7 @@ int jfs_setattr(struct dentry *dentry, s
struct inode *inode = dentry->d_inode;
int rc;
- rc = inode_change_ok(inode, iattr);
+ rc = setattr_prepare(dentry, iattr);
if (rc)
return rc;
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -364,7 +364,7 @@ int simple_setattr(struct dentry *dentry
WARN_ON_ONCE(inode->i_op->truncate);
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;
--- a/fs/logfs/file.c
+++ b/fs/logfs/file.c
@@ -241,7 +241,7 @@ static int logfs_setattr(struct dentry *
struct inode *inode = dentry->d_inode;
int err = 0;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
--- a/fs/minix/file.c
+++ b/fs/minix/file.c
@@ -28,7 +28,7 @@ static int minix_setattr(struct dentry *
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/ncpfs/inode.c
+++ b/fs/ncpfs/inode.c
@@ -880,7 +880,7 @@ int ncp_notify_change(struct dentry *den
/* ageing the dentry to force validation */
ncp_age_dentry(server, dentry);
- result = inode_change_ok(inode, attr);
+ result = setattr_prepare(dentry, attr);
if (result < 0)
goto out;
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -301,17 +301,19 @@ commit_metadata(struct svc_fh *fhp)
* NFS semantics and what Linux expects.
*/
static void
-nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
+nfsd_sanitize_attrs(struct dentry *dentry, struct iattr *iap)
{
+ struct inode *inode = dentry->d_inode;
+
/*
* NFSv2 does not differentiate between "set-[ac]time-to-now"
* which only requires access, and "set-[ac]time-to-X" which
* requires ownership.
* So if it looks like it might be "set both to the same time which
- * is close to now", and if inode_change_ok fails, then we
+ * is close to now", and if setattr_prepare fails, then we
* convert to "set to now" instead of "set to explicit time"
*
- * We only call inode_change_ok as the last test as technically
+ * We only call setattr_prepare as the last test as technically
* it is not an interface that we should be using.
*/
#define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
@@ -329,7 +331,7 @@ nfsd_sanitize_attrs(struct inode *inode,
if (delta < 0)
delta = -delta;
if (delta < MAX_TOUCH_TIME_ERROR &&
- inode_change_ok(inode, iap) != 0) {
+ setattr_prepare(dentry, iap) != 0) {
/*
* Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
* This will cause notify_change to set these times
@@ -437,7 +439,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
if (!iap->ia_valid)
goto out;
- nfsd_sanitize_attrs(inode, iap);
+ nfsd_sanitize_attrs(dentry, iap);
/*
* The size case is special, it changes the file in addition to the
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -792,7 +792,7 @@ int nilfs_setattr(struct dentry *dentry,
struct super_block *sb = inode->i_sb;
int err;
- err = inode_change_ok(inode, iattr);
+ err = setattr_prepare(dentry, iattr);
if (err)
return err;
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -2890,7 +2890,7 @@ int ntfs_setattr(struct dentry *dentry,
int err;
unsigned int ia_valid = attr->ia_valid;
- err = inode_change_ok(vi, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
goto out;
/* We do not support NTFS ACLs yet. */
--- a/fs/ocfs2/dlmfs/dlmfs.c
+++ b/fs/ocfs2/dlmfs/dlmfs.c
@@ -212,7 +212,7 @@ static int dlmfs_file_setattr(struct den
struct inode *inode = dentry->d_inode;
attr->ia_valid &= ~ATTR_SIZE;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1127,7 +1127,7 @@ int ocfs2_setattr(struct dentry *dentry,
if (!(attr->ia_valid & OCFS2_VALID_ATTRS))
return 0;
- status = inode_change_ok(inode, attr);
+ status = setattr_prepare(dentry, attr);
if (status)
return status;
--- a/fs/omfs/file.c
+++ b/fs/omfs/file.c
@@ -345,7 +345,7 @@ static int omfs_setattr(struct dentry *d
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -558,7 +558,7 @@ int proc_setattr(struct dentry *dentry,
if (attr->ia_valid & ATTR_MODE)
return -EPERM;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -257,7 +257,7 @@ static int proc_notify_change(struct den
struct proc_dir_entry *de = PDE(inode);
int error;
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -387,7 +387,7 @@ static int proc_sys_setattr(struct dentr
if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
return -EPERM;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/ramfs/file-nommu.c
+++ b/fs/ramfs/file-nommu.c
@@ -164,7 +164,7 @@ static int ramfs_nommu_setattr(struct de
int ret = 0;
/* POSIX UID/GID verification for setting inode attributes */
- ret = inode_change_ok(inode, ia);
+ ret = setattr_prepare(dentry, ia);
if (ret)
return ret;
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -3107,7 +3107,7 @@ int reiserfs_setattr(struct dentry *dent
int depth;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/sysfs/inode.c
+++ b/fs/sysfs/inode.c
@@ -114,7 +114,7 @@ int sysfs_setattr(struct dentry *dentry,
return -EINVAL;
mutex_lock(&sysfs_mutex);
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
goto out;
--- a/fs/sysv/file.c
+++ b/fs/sysv/file.c
@@ -35,7 +35,7 @@ static int sysv_setattr(struct dentry *d
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -1260,7 +1260,7 @@ int ubifs_setattr(struct dentry *dentry,
dbg_gen("ino %lu, mode %#x, ia_valid %#x",
inode->i_ino, inode->i_mode, attr->ia_valid);
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -251,7 +251,7 @@ static int udf_setattr(struct dentry *de
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/ufs/truncate.c
+++ b/fs/ufs/truncate.c
@@ -496,7 +496,7 @@ int ufs_setattr(struct dentry *dentry, s
unsigned int ia_valid = attr->ia_valid;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -80,7 +80,7 @@ static int utimes_common(struct path *pa
newattrs.ia_valid |= ATTR_MTIME_SET;
}
/*
- * Tell inode_change_ok(), that this is an explicit time
+ * Tell setattr_prepare(), that this is an explicit time
* update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
* were used.
*/
@@ -89,7 +89,7 @@ static int utimes_common(struct path *pa
/*
* If times is NULL (or both times are UTIME_NOW),
* then we need to check permissions, because
- * inode_change_ok() won't do it.
+ * setattr_prepare() won't do it.
*/
error = -EACCES;
if (IS_IMMUTABLE(inode))
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -223,7 +223,7 @@ xfs_set_acl(struct inode *inode, int typ
}
static int
-xfs_set_mode(struct inode *inode, umode_t mode)
+xfs_set_mode(struct dentry *dentry, struct inode *inode, umode_t mode)
{
int error = 0;
@@ -234,7 +234,8 @@ xfs_set_mode(struct inode *inode, umode_
iattr.ia_mode = mode;
iattr.ia_ctime = current_fs_time(inode->i_sb);
- error = -xfs_setattr_nonsize(XFS_I(inode), &iattr, XFS_ATTR_NOACL);
+ error = -xfs_setattr_nonsize(dentry, XFS_I(inode), &iattr,
+ XFS_ATTR_NOACL);
}
return error;
@@ -290,7 +291,7 @@ xfs_inherit_acl(struct inode *inode, str
if (error > 0)
inherit = 1;
- error = xfs_set_mode(inode, mode);
+ error = xfs_set_mode(NULL, inode, mode);
if (error)
goto out;
@@ -394,7 +395,7 @@ xfs_xattr_acl_set(struct dentry *dentry,
return error;
}
- error = xfs_set_mode(inode, mode);
+ error = xfs_set_mode(dentry, inode, mode);
if (error)
goto out_release;
}
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -1026,7 +1026,8 @@ xfs_file_fallocate(
if (file->f_flags & O_DSYNC)
attr_flags |= XFS_ATTR_SYNC;
- error = -xfs_change_file_space(ip, cmd, &bf, 0, attr_flags);
+ error = -xfs_change_file_space(file->f_dentry, cmd, &bf, 0,
+ attr_flags);
if (error)
goto out_unlock;
@@ -1036,7 +1037,8 @@ xfs_file_fallocate(
iattr.ia_valid = ATTR_SIZE;
iattr.ia_size = new_size;
- error = -xfs_setattr_size(ip, &iattr, XFS_ATTR_NOLOCK);
+ error = -xfs_setattr_size(file->f_dentry, &iattr,
+ XFS_ATTR_NOLOCK);
}
out_unlock:
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -632,7 +632,8 @@ xfs_ioc_space(
if (ioflags & IO_INVIS)
attr_flags |= XFS_ATTR_DMI;
- error = xfs_change_file_space(ip, cmd, bf, filp->f_pos, attr_flags);
+ error = xfs_change_file_space(filp->f_dentry, cmd, bf, filp->f_pos,
+ attr_flags);
return -error;
}
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -531,6 +531,7 @@ xfs_setattr_mode(
int
xfs_setattr_nonsize(
+ struct dentry *dentry,
struct xfs_inode *ip,
struct iattr *iattr,
int flags)
@@ -553,9 +554,15 @@ xfs_setattr_nonsize(
if (XFS_FORCED_SHUTDOWN(mp))
return XFS_ERROR(EIO);
- error = -inode_change_ok(inode, iattr);
- if (error)
- return XFS_ERROR(error);
+ /*
+ * dentry can be NULL only when we're called from xfs_inherit_acl(),
+ * in which case no permission checks are needed
+ */
+ if (dentry) {
+ error = -setattr_prepare(dentry, iattr);
+ if (error)
+ return XFS_ERROR(error);
+ }
ASSERT((mask & ATTR_SIZE) == 0);
@@ -755,12 +762,13 @@ out_dqrele:
*/
int
xfs_setattr_size(
- struct xfs_inode *ip,
+ struct dentry *dentry,
struct iattr *iattr,
int flags)
{
+ struct inode *inode = dentry->d_inode;
+ struct xfs_inode *ip = XFS_I(inode);
struct xfs_mount *mp = ip->i_mount;
- struct inode *inode = VFS_I(ip);
int mask = iattr->ia_valid;
struct xfs_trans *tp;
int error;
@@ -776,7 +784,7 @@ xfs_setattr_size(
if (XFS_FORCED_SHUTDOWN(mp))
return XFS_ERROR(EIO);
- error = -inode_change_ok(inode, iattr);
+ error = -setattr_prepare(dentry, iattr);
if (error)
return XFS_ERROR(error);
@@ -802,7 +810,7 @@ xfs_setattr_size(
*/
xfs_iunlock(ip, lock_flags);
iattr->ia_valid &= ~ATTR_SIZE;
- return xfs_setattr_nonsize(ip, iattr, 0);
+ return xfs_setattr_nonsize(dentry, ip, iattr, 0);
}
/*
@@ -950,8 +958,8 @@ xfs_vn_setattr(
struct iattr *iattr)
{
if (iattr->ia_valid & ATTR_SIZE)
- return -xfs_setattr_size(XFS_I(dentry->d_inode), iattr, 0);
- return -xfs_setattr_nonsize(XFS_I(dentry->d_inode), iattr, 0);
+ return -xfs_setattr_size(dentry, iattr, 0);
+ return -xfs_setattr_nonsize(dentry, XFS_I(dentry->d_inode), iattr, 0);
}
#define XFS_FIEMAP_FLAGS (FIEMAP_FLAG_SYNC|FIEMAP_FLAG_XATTR)
--- a/fs/xfs/xfs_vnodeops.c
+++ b/fs/xfs/xfs_vnodeops.c
@@ -2234,12 +2234,13 @@ xfs_free_file_space(
*/
int
xfs_change_file_space(
- xfs_inode_t *ip,
+ struct dentry *dentry,
int cmd,
xfs_flock64_t *bf,
xfs_off_t offset,
int attr_flags)
{
+ xfs_inode_t *ip = XFS_I(dentry->d_inode);
xfs_mount_t *mp = ip->i_mount;
int clrprealloc;
int error;
@@ -2329,7 +2330,7 @@ xfs_change_file_space(
iattr.ia_valid = ATTR_SIZE;
iattr.ia_size = startoffset;
- error = xfs_setattr_size(ip, &iattr, attr_flags);
+ error = xfs_setattr_size(dentry, &iattr, attr_flags);
if (error)
return error;
--- a/fs/xfs/xfs_vnodeops.h
+++ b/fs/xfs/xfs_vnodeops.h
@@ -13,8 +13,9 @@ struct xfs_inode;
struct xfs_iomap;
-int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap, int flags);
-int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap, int flags);
+int xfs_setattr_nonsize(struct dentry *dentry, struct xfs_inode *ip,
+ struct iattr *vap, int flags);
+int xfs_setattr_size(struct dentry *dentry, struct iattr *vap, int flags);
#define XFS_ATTR_DMI 0x01 /* invocation from a DMI function */
#define XFS_ATTR_NONBLOCK 0x02 /* return EAGAIN if operation would block */
#define XFS_ATTR_NOLOCK 0x04 /* Don't grab any conflicting locks */
@@ -37,7 +38,7 @@ int xfs_readdir(struct xfs_inode *dp, vo
int xfs_symlink(struct xfs_inode *dp, struct xfs_name *link_name,
const char *target_path, mode_t mode, struct xfs_inode **ipp);
int xfs_set_dmattrs(struct xfs_inode *ip, u_int evmask, u_int16_t state);
-int xfs_change_file_space(struct xfs_inode *ip, int cmd,
+int xfs_change_file_space(struct dentry *dentry, int cmd,
xfs_flock64_t *bf, xfs_off_t offset, int attr_flags);
int xfs_rename(struct xfs_inode *src_dp, struct xfs_name *src_name,
struct xfs_inode *src_ip, struct xfs_inode *target_dp,
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2615,7 +2615,7 @@ extern int buffer_migrate_page(struct ad
#define buffer_migrate_page NULL
#endif
-extern int inode_change_ok(const struct inode *, struct iattr *);
+extern int setattr_prepare(struct dentry *, struct iattr *);
extern int inode_newsize_ok(const struct inode *, loff_t offset);
extern void setattr_copy(struct inode *inode, const struct iattr *attr);
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -562,7 +562,7 @@ static int shmem_setattr(struct dentry *
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 137/152] can: dev: fix deadlock reported after bus-off
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (113 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 015/152] x86/quirks: Apply nvidia_bugs quirk only on root bus Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 071/152] usb: xhci: Fix panic if disconnect Ben Hutchings
` (38 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Sergei Miroshnichenko
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Miroshnichenko <sergeimir@emcraft.com>
commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 upstream.
A timer was used to restart after the bus-off state, leading to a
relatively large can_restart() executed in an interrupt context,
which in turn sets up pinctrl. When this happens during system boot,
there is a high probability of grabbing the pinctrl_list_mutex,
which is locked already by the probe() of other device, making the
kernel suspect a deadlock condition [1].
To resolve this issue, the restart_timer is replaced by a delayed
work.
[1] https://github.com/victronenergy/venus/issues/24
Signed-off-by: Sergei Miroshnichenko <sergeimir@emcraft.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/dev.c | 27 +++++++++++++++++----------
include/linux/can/dev.h | 3 ++-
2 files changed, 19 insertions(+), 11 deletions(-)
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <linux/netdevice.h>
#include <linux/if_arp.h>
+#include <linux/workqueue.h>
#include <linux/can.h>
#include <linux/can/dev.h>
#include <linux/can/netlink.h>
@@ -361,9 +362,8 @@ EXPORT_SYMBOL_GPL(can_free_echo_skb);
/*
* CAN device restart for bus-off recovery
*/
-void can_restart(unsigned long data)
+void can_restart(struct net_device *dev)
{
- struct net_device *dev = (struct net_device *)data;
struct can_priv *priv = netdev_priv(dev);
struct net_device_stats *stats = &dev->stats;
struct sk_buff *skb;
@@ -403,6 +403,14 @@ restart:
dev_err(dev->dev.parent, "Error %d during restart", err);
}
+static void can_restart_work(struct work_struct *work)
+{
+ struct delayed_work *dwork = to_delayed_work(work);
+ struct can_priv *priv = container_of(dwork, struct can_priv, restart_work);
+
+ can_restart(priv->dev);
+}
+
int can_restart_now(struct net_device *dev)
{
struct can_priv *priv = netdev_priv(dev);
@@ -416,8 +424,8 @@ int can_restart_now(struct net_device *d
if (priv->state != CAN_STATE_BUS_OFF)
return -EBUSY;
- /* Runs as soon as possible in the timer context */
- mod_timer(&priv->restart_timer, jiffies);
+ cancel_delayed_work_sync(&priv->restart_work);
+ can_restart(dev);
return 0;
}
@@ -439,8 +447,8 @@ void can_bus_off(struct net_device *dev)
priv->can_stats.bus_off++;
if (priv->restart_ms)
- mod_timer(&priv->restart_timer,
- jiffies + (priv->restart_ms * HZ) / 1000);
+ schedule_delayed_work(&priv->restart_work,
+ msecs_to_jiffies(priv->restart_ms));
}
EXPORT_SYMBOL_GPL(can_bus_off);
@@ -515,6 +523,7 @@ struct net_device *alloc_candev(int size
return NULL;
priv = netdev_priv(dev);
+ priv->dev = dev;
if (echo_skb_max) {
priv->echo_skb_max = echo_skb_max;
@@ -524,7 +533,7 @@ struct net_device *alloc_candev(int size
priv->state = CAN_STATE_STOPPED;
- init_timer(&priv->restart_timer);
+ INIT_DELAYED_WORK(&priv->restart_work, can_restart_work);
return dev;
}
@@ -558,8 +567,6 @@ int open_candev(struct net_device *dev)
if (!netif_carrier_ok(dev))
netif_carrier_on(dev);
- setup_timer(&priv->restart_timer, can_restart, (unsigned long)dev);
-
return 0;
}
EXPORT_SYMBOL_GPL(open_candev);
@@ -574,7 +581,7 @@ void close_candev(struct net_device *dev
{
struct can_priv *priv = netdev_priv(dev);
- del_timer_sync(&priv->restart_timer);
+ cancel_delayed_work_sync(&priv->restart_work);
can_flush_echo_skb(dev);
}
EXPORT_SYMBOL_GPL(close_candev);
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -30,6 +30,7 @@ enum can_mode {
* CAN common private data
*/
struct can_priv {
+ struct net_device *dev;
struct can_device_stats can_stats;
struct can_bittiming bittiming;
@@ -41,7 +42,7 @@ struct can_priv {
u32 ctrlmode_supported;
int restart_ms;
- struct timer_list restart_timer;
+ struct delayed_work restart_work;
int (*do_set_bittiming)(struct net_device *dev);
int (*do_set_mode)(struct net_device *dev, enum can_mode mode);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 136/152] btrfs: ensure that file descriptor used with subvol ioctls is a dir
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (10 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 145/152] fs: Give dentry to inode_change_ok() instead of inode Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 106/152] asm-generic: make get_user() clear the destination on errors Ben Hutchings
` (141 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jeff Mahoney, Chris Mason
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Mahoney <jeffm@suse.com>
commit 325c50e3cebb9208009083e841550f98a863bfa0 upstream.
If the subvol/snapshot create/destroy ioctls are passed a regular file
with execute permissions set, we'll eventually Oops while trying to do
inode->i_op->lookup via lookup_one_len.
This patch ensures that the file descriptor refers to a directory.
Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules)
Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl)
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
[bwh: Backported to 3.2:
- Open-code file_inode()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/ioctl.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1302,6 +1302,9 @@ static noinline int btrfs_ioctl_snap_cre
int namelen;
int ret = 0;
+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
if (root->fs_info->sb->s_flags & MS_RDONLY)
return -EROFS;
@@ -1350,6 +1353,9 @@ static noinline int btrfs_ioctl_snap_cre
struct btrfs_ioctl_vol_args *vol_args;
int ret;
+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
@@ -1372,6 +1378,9 @@ static noinline int btrfs_ioctl_snap_cre
u64 *ptr = NULL;
bool readonly = false;
+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
@@ -1848,6 +1857,9 @@ static noinline int btrfs_ioctl_snap_des
int ret;
int err = 0;
+ if (!S_ISDIR(dir->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 135/152] i2c-eg20t: fix race between i2c init and interrupt enable
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (104 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 094/152] sched/core: Fix a race between try_to_wake_up() and a woken up task Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 102/152] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl Ben Hutchings
` (47 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Wolfram Sang, Yadi.hu
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Yadi.hu" <yadi.hu@windriver.com>
commit 371a015344b6e270e7e3632107d9554ec6d27a6b upstream.
the eg20t driver call request_irq() function before the pch_base_address,
base address of i2c controller's register, is assigned an effective value.
there is one possible scenario that an interrupt which isn't inside eg20t
arrives immediately after request_irq() is executed when i2c controller
shares an interrupt number with others. since the interrupt handler
pch_i2c_handler() has already active as shared action, it will be called
and read its own register to determine if this interrupt is from itself.
At that moment, since base address of i2c registers is not remapped
in kernel space yet,so the INT handler will access an illegal address
and then a error occurs.
Signed-off-by: Yadi.hu <yadi.hu@windriver.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/drivers/i2c/busses/i2c-eg20t.c
+++ b/drivers/i2c/busses/i2c-eg20t.c
@@ -893,13 +893,6 @@ static int __devinit pch_i2c_probe(struc
/* Set the number of I2C channel instance */
adap_info->ch_num = id->driver_data;
- ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
- KBUILD_MODNAME, adap_info);
- if (ret) {
- pch_pci_err(pdev, "request_irq FAILED\n");
- goto err_request_irq;
- }
-
for (i = 0; i < adap_info->ch_num; i++) {
pch_adap = &adap_info->pch_data[i].pch_adapter;
adap_info->pch_i2c_suspended = false;
@@ -916,6 +909,17 @@ static int __devinit pch_i2c_probe(struc
adap_info->pch_data[i].pch_base_address = base_addr + 0x100 * i;
pch_adap->dev.parent = &pdev->dev;
+ }
+
+ ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+ KBUILD_MODNAME, adap_info);
+ if (ret) {
+ pch_pci_err(pdev, "request_irq FAILED\n");
+ goto err_request_irq;
+ }
+
+ for (i = 0; i < adap_info->ch_num; i++) {
+ pch_adap = &adap_info->pch_data[i].pch_adapter;
pch_i2c_init(&adap_info->pch_data[i]);
ret = i2c_add_adapter(pch_adap);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 014/152] ppp: defer netns reference release for ppp channel
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (138 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 056/152] block: fix use-after-free in seq file Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 061/152] aacraid: Check size values after double-fetch from user Ben Hutchings
` (13 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Matt Bennett, Guillaume Nault, Cyrill Gorcunov,
David S. Miller, linux-ppp, Paul Mackerras, WANG Cong
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: WANG Cong <xiyou.wangcong@gmail.com>
commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.
Matt reported that we have a NULL pointer dereference
in ppp_pernet() from ppp_connect_channel(),
i.e. pch->chan_net is NULL.
This is due to that a parallel ppp_unregister_channel()
could happen while we are in ppp_connect_channel(), during
which pch->chan_net set to NULL. Since we need a reference
to net per channel, it makes sense to sync the refcnt
with the life time of the channel, therefore we should
release this reference when we destroy it.
Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/ppp/ppp_generic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2275,8 +2275,6 @@ ppp_unregister_channel(struct ppp_channe
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
- put_net(pch->chan_net);
- pch->chan_net = NULL;
pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);
@@ -2883,6 +2881,9 @@ ppp_disconnect_channel(struct channel *p
*/
static void ppp_destroy_channel(struct channel *pch)
{
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;
+
atomic_dec(&channel_count);
if (!pch->file.dead) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 105/152] crypto: skcipher - Fix blkcipher walk OOM crash
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (81 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 044/152] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 013/152] ALSA: ctl: Stop notification after disconnection Ben Hutchings
` (70 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, xiakaixu, Ard Biesheuvel, Herbert Xu
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 upstream.
When we need to allocate a temporary blkcipher_walk_next and it
fails, the code is supposed to take the slow path of processing
the data block by block. However, due to an unrelated change
we instead end up dereferencing the NULL pointer.
This patch fixes it by moving the unrelated bsize setting out
of the way so that we enter the slow path as inteded.
Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
Reported-by: xiakaixu <xiakaixu@huawei.com>
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[bwh: Backported to 3.2: s/walk_blocksize/blocksize/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/blkcipher.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -238,6 +238,8 @@ static int blkcipher_walk_next(struct bl
return blkcipher_walk_done(desc, walk, -EINVAL);
}
+ bsize = min(walk->blocksize, n);
+
walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
BLKCIPHER_WALK_DIFF);
if (!scatterwalk_aligned(&walk->in, alignmask) ||
@@ -250,7 +252,6 @@ static int blkcipher_walk_next(struct bl
}
}
- bsize = min(walk->blocksize, n);
n = scatterwalk_clamp(&walk->in, n);
n = scatterwalk_clamp(&walk->out, n);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 127/152] USB: change bInterval default to 10 ms
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (31 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 001/152] netlabel: add address family checks to netlbl_{sock,req}_delattr() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 090/152] x86/paravirt: Do not trace _paravirt_ident_*() functions Ben Hutchings
` (120 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Wade Berrier, Greg Kroah-Hartman
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.
Some full-speed mceusb infrared transceivers contain invalid endpoint
descriptors for their interrupt endpoints, with bInterval set to 0.
In the past they have worked out okay with the mceusb driver, because
the driver sets the bInterval field in the descriptor to 1,
overwriting whatever value may have been there before. However, this
approach was never sanctioned by the USB core, and in fact it does not
work with xHCI controllers, because they use the bInterval value that
was present when the configuration was installed.
Currently usbcore uses 32 ms as the default interval if the value in
the endpoint descriptor is invalid. It turns out that these IR
transceivers don't work properly unless the interval is set to 10 ms
or below. To work around this mceusb problem, this patch changes the
endpoint-descriptor parsing routine, making the default interval value
be 10 ms rather than 32 ms.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Wade Berrier <wberrier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/config.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -213,8 +213,10 @@ static int usb_parse_endpoint(struct dev
memcpy(&endpoint->desc, d, n);
INIT_LIST_HEAD(&endpoint->urb_list);
- /* Fix up bInterval values outside the legal range. Use 32 ms if no
- * proper value can be guessed. */
+ /*
+ * Fix up bInterval values outside the legal range.
+ * Use 10 or 8 ms if no proper value can be guessed.
+ */
i = 0; /* i = min, j = max, n = default */
j = 255;
if (usb_endpoint_xfer_int(d)) {
@@ -222,13 +224,15 @@ static int usb_parse_endpoint(struct dev
switch (to_usb_device(ddev)->speed) {
case USB_SPEED_SUPER:
case USB_SPEED_HIGH:
- /* Many device manufacturers are using full-speed
+ /*
+ * Many device manufacturers are using full-speed
* bInterval values in high-speed interrupt endpoint
- * descriptors. Try to fix those and fall back to a
- * 32 ms default value otherwise. */
+ * descriptors. Try to fix those and fall back to an
+ * 8-ms default value otherwise.
+ */
n = fls(d->bInterval*8);
if (n == 0)
- n = 9; /* 32 ms = 2^(9-1) uframes */
+ n = 7; /* 8 ms = 2^(7-1) uframes */
j = 16;
/*
@@ -243,10 +247,12 @@ static int usb_parse_endpoint(struct dev
}
break;
default: /* USB_SPEED_FULL or _LOW */
- /* For low-speed, 10 ms is the official minimum.
+ /*
+ * For low-speed, 10 ms is the official minimum.
* But some "overclocked" devices might want faster
- * polling so we'll allow it. */
- n = 32;
+ * polling so we'll allow it.
+ */
+ n = 10;
break;
}
} else if (usb_endpoint_xfer_isoc(d)) {
@@ -254,10 +260,10 @@ static int usb_parse_endpoint(struct dev
j = 16;
switch (to_usb_device(ddev)->speed) {
case USB_SPEED_HIGH:
- n = 9; /* 32 ms = 2^(9-1) uframes */
+ n = 7; /* 8 ms = 2^(7-1) uframes */
break;
default: /* USB_SPEED_FULL */
- n = 6; /* 32 ms = 2^(6-1) frames */
+ n = 4; /* 8 ms = 2^(4-1) frames */
break;
}
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 128/152] IB/ipoib: Don't allow MC joins during light MC flush
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (36 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 123/152] m32r: fix __get_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 113/152] openrisc: fix copy_from_user() Ben Hutchings
` (115 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Doug Ledford, Alex Vesker
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Vesker <valex@mellanox.com>
commit 344bacca8cd811809fc33a249f2738ab757d327f upstream.
This fix solves a race between light flush and on the fly joins.
Light flush doesn't set the device to down and unset IPOIB_OPER_UP
flag, this means that if while flushing we have a MC join in progress
and the QP was attached to BC MGID we can have a mismatches when
re-attaching a QP to the BC MGID.
The light flush would set the broadcast group to NULL causing an on
the fly join to rejoin and reattach to the BC MCG as well as adding
the BC MGID to the multicast list. The flush process would later on
remove the BC MGID and detach it from the QP. On the next flush
the BC MGID is present in the multicast list but not found when trying
to detach it because of the previous double attach and single detach.
[18332.714265] ------------[ cut here ]------------
[18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
...
[18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
[18332.779411] 0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
[18332.784960] 0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
[18332.790547] ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
[18332.796199] Call Trace:
[18332.798015] [<ffffffff813fed47>] dump_stack+0x63/0x8c
[18332.801831] [<ffffffff8109add1>] __warn+0xd1/0xf0
[18332.805403] [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
[18332.809706] [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
[18332.814384] [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
[18332.820031] [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
[18332.825220] [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
[18332.830290] [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
[18332.834911] [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
[18332.839741] [<ffffffff81772bd1>] rollback_registered+0x31/0x40
[18332.844091] [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
[18332.848880] [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
[18332.853848] [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
[18332.858474] [<ffffffff81520c08>] dev_attr_store+0x18/0x30
[18332.862510] [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
[18332.866349] [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
[18332.870471] [<ffffffff81207198>] __vfs_write+0x28/0xe0
[18332.874152] [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
[18332.878274] [<ffffffff81208062>] vfs_write+0xa2/0x1a0
[18332.881896] [<ffffffff812093a6>] SyS_write+0x46/0xa0
[18332.885632] [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
[18332.889709] [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
[18332.894727] ---[ end trace 09ebbe31f831ef17 ]---
Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -973,8 +973,17 @@ static void __ipoib_ib_dev_flush(struct
}
if (level == IPOIB_FLUSH_LIGHT) {
+ int oper_up;
ipoib_mark_paths_invalid(dev);
+ /* Set IPoIB operation as down to prevent races between:
+ * the flush flow which leaves MCG and on the fly joins
+ * which can happen during that time. mcast restart task
+ * should deal with join requests we missed.
+ */
+ oper_up = test_and_clear_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
ipoib_mcast_dev_flush(dev);
+ if (oper_up)
+ set_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
}
if (level >= IPOIB_FLUSH_NORMAL)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 117/152] score: fix __get_user/get_user
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (124 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 132/152] xfrm: Fix memory leak of aead algorithm name Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 042/152] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Ben Hutchings
` (27 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.
* should zero on any failure
* __get_user() should use __copy_from_user(), not copy_from_user()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/score/include/asm/uaccess.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -158,7 +158,7 @@ do { \
__get_user_asm(val, "lw", ptr); \
break; \
case 8: \
- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
+ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
__gu_err = 0; \
else \
__gu_err = -EFAULT; \
@@ -183,6 +183,8 @@ do { \
\
if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
__get_user_common((x), size, __gu_ptr); \
+ else \
+ (x) = 0; \
\
__gu_err; \
})
@@ -196,6 +198,7 @@ do { \
"2:\n" \
".section .fixup,\"ax\"\n" \
"3:li %0, %4\n" \
+ "li %1, 0\n" \
"j 2b\n" \
".previous\n" \
".section __ex_table,\"a\"\n" \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 121/152] sparc32: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (131 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 097/152] ALSA: timer: Fix zero-division by continue of uninitialized instance Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 005/152] serial: samsung: Fix possible out of bounds access on non-DT platform Ben Hutchings
` (20 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, David S. Miller
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/include/asm/uaccess_32.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -264,8 +264,10 @@ static inline unsigned long copy_from_us
{
if (n && __access_ok((unsigned long) from, n))
return __copy_user((__force void __user *) to, from, n);
- else
+ else {
+ memset(to, 0, n);
return n;
+ }
}
static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 002/152] powerpc/numa: Fix multiple bugs in memory_hotplug_max()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (44 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 041/152] l2tp: Correctly return -EBADF from pppol2tp_getname Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 091/152] IB/core: Fix use after free in send_leave function Ben Hutchings
` (107 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Bharata B Rao, David Gibson
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bharata B Rao <bharata@linux.vnet.ibm.com>
commit 45b64ee64970dee9392229302efe1d1567e8d304 upstream.
memory_hotplug_max() uses hot_add_drconf_memory_max() to get maxmimum
addressable memory by referring to ibm,dyanamic-memory property. There
are three problems with the current approach:
1 hot_add_drconf_memory_max() assumes that ibm,dynamic-memory includes
all the LMBs of the guest, but that is not true for PowerKVM which
populates only DR LMBs (LMBs that can be hotplugged/removed) in that
property.
2 hot_add_drconf_memory_max() multiplies lmb-size with lmb-count to arrive
at the max possible address. Since ibm,dynamic-memory doesn't include
RMA LMBs, the address thus obtained will be less than the actual max
address. For example, if max possible memory size is 32G, with lmb-size
of 256MB there can be 127 LMBs in ibm,dynamic-memory (1 LMB for RMA
which won't be present here). hot_add_drconf_memory_max() would then
return the max addressable memory as 127 * 256MB = 31.75GB, the max
address should have been 32G which is what ibm,lrdr-capacity shows.
3 In PowerKVM, there can be a gap between the end of boot time RAM and
beginning of hotplug RAM area. So just multiplying lmb-count with
lmb-size will not provide the correct max possible address for PowerKVM.
This patch fixes 1 by using ibm,lrdr-capacity property to return the max
addressable memory whenever the property is present. Then it fixes 2 & 3
by fetching the address of the last LMB in ibm,dynamic-memory property.
Fixes: cd34206e949b ("powerpc: Add memory_hotplug_max()")
Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/mm/numa.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1275,17 +1275,33 @@ int hot_add_scn_to_nid(unsigned long scn
static u64 hot_add_drconf_memory_max(void)
{
struct device_node *memory = NULL;
+ struct device_node *dn = NULL;
unsigned int drconf_cell_cnt = 0;
u64 lmb_size = 0;
const u32 *dm = 0;
+ const __be64 *lrdr = NULL;
+ struct of_drconf_cell drmem;
+
+ dn = of_find_node_by_path("/rtas");
+ if (dn) {
+ lrdr = of_get_property(dn, "ibm,lrdr-capacity", NULL);
+ of_node_put(dn);
+ if (lrdr)
+ return be64_to_cpup(lrdr);
+ }
memory = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory");
if (memory) {
drconf_cell_cnt = of_get_drconf_memory(memory, &dm);
lmb_size = of_get_lmb_size(memory);
+
+ /* Advance to the last cell, each cell has 6 32 bit integers */
+ dm += (drconf_cell_cnt - 1) * 6;
+ read_drconf_cell(&drmem, &dm);
of_node_put(memory);
+ return drmem.base_addr + lmb_size;
}
- return lmb_size * drconf_cell_cnt;
+ return 0;
}
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 068/152] USB: serial: mos7720: fix non-atomic allocation in write path
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (129 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 133/152] ocfs2/dlm: fix race between convert and migration Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 097/152] ALSA: timer: Fix zero-division by continue of uninitialized instance Ben Hutchings
` (22 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Alexey Khoroshilov
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Khoroshilov <khoroshilov@ispras.ru>
commit 5a5a1d614287a647b36dff3f40c2b0ceabbc83ec upstream.
There is an allocation with GFP_KERNEL flag in mos7720_write(),
while it may be called from interrupt context.
Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
allocation in write path")
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/mos7720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1320,7 +1320,7 @@ static int mos7720_write(struct tty_stru
if (urb->transfer_buffer == NULL) {
urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
- GFP_KERNEL);
+ GFP_ATOMIC);
if (urb->transfer_buffer == NULL) {
dev_err(&port->dev, "%s no more kernel memory...\n",
__func__);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 104/152] ARM: sa1111: fix pcmcia suspend/resume
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (70 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 072/152] xhci: don't dereference a xhci member after removing xhci Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 138/152] tracing: Move mutex to protect against resetting of seq data Ben Hutchings
` (81 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Russell King
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@armlinux.org.uk>
commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d upstream.
SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for
the PCMCIA socket class. PCMCIA used to handle suspend/resume via the
socket hosting device, which happened at normal device suspend/resume
time.
However, the referenced commit changed this: much of the resume now
happens much earlier, in the noirq resume handler of dev_pm_ops.
However, on SA1111, the PCMCIA device is not accessible as the SA1111
has not been resumed at _noirq time. It's slightly worse than that,
because the SA1111 has already been put to sleep at _noirq time, so
suspend doesn't work properly.
Fix this by converting the core SA1111 code to use dev_pm_ops as well,
and performing its own suspend/resume at noirq time.
This fixes these errors in the kernel log:
pcmcia_socket pcmcia_socket0: time out after reset
pcmcia_socket pcmcia_socket1: time out after reset
and the resulting lack of PCMCIA cards after a S2RAM cycle.
Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/common/sa1111.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
--- a/arch/arm/common/sa1111.c
+++ b/arch/arm/common/sa1111.c
@@ -878,9 +878,9 @@ struct sa1111_save_data {
#ifdef CONFIG_PM
-static int sa1111_suspend(struct platform_device *dev, pm_message_t state)
+static int sa1111_suspend_noirq(struct device *dev)
{
- struct sa1111 *sachip = platform_get_drvdata(dev);
+ struct sa1111 *sachip = dev_get_drvdata(dev);
struct sa1111_save_data *save;
unsigned long flags;
unsigned int val;
@@ -938,9 +938,9 @@ static int sa1111_suspend(struct platfor
* restored by their respective drivers, and must be called
* via LDM after this function.
*/
-static int sa1111_resume(struct platform_device *dev)
+static int sa1111_resume_noirq(struct device *dev)
{
- struct sa1111 *sachip = platform_get_drvdata(dev);
+ struct sa1111 *sachip = dev_get_drvdata(dev);
struct sa1111_save_data *save;
unsigned long flags, id;
void __iomem *base;
@@ -956,7 +956,7 @@ static int sa1111_resume(struct platform
id = sa1111_readl(sachip->base + SA1111_SKID);
if ((id & SKID_ID_MASK) != SKID_SA1111_ID) {
__sa1111_remove(sachip);
- platform_set_drvdata(dev, NULL);
+ dev_set_drvdata(dev, NULL);
kfree(save);
return 0;
}
@@ -1002,8 +1002,8 @@ static int sa1111_resume(struct platform
}
#else
-#define sa1111_suspend NULL
-#define sa1111_resume NULL
+#define sa1111_suspend_noirq NULL
+#define sa1111_resume_noirq NULL
#endif
static int __devinit sa1111_probe(struct platform_device *pdev)
@@ -1037,6 +1037,11 @@ static int sa1111_remove(struct platform
return 0;
}
+static struct dev_pm_ops sa1111_pm_ops = {
+ .suspend_noirq = sa1111_suspend_noirq,
+ .resume_noirq = sa1111_resume_noirq,
+};
+
/*
* Not sure if this should be on the system bus or not yet.
* We really want some way to register a system device at
@@ -1049,10 +1054,9 @@ static int sa1111_remove(struct platform
static struct platform_driver sa1111_device_driver = {
.probe = sa1111_probe,
.remove = sa1111_remove,
- .suspend = sa1111_suspend,
- .resume = sa1111_resume,
.driver = {
.name = "sa1111",
+ .pm = &sa1111_pm_ops,
},
};
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 073/152] tcp: fix use after free in tcp_xmit_retransmit_queue()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (64 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 049/152] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 064/152] s390/dasd: fix hanging device after clear subchannel Ben Hutchings
` (87 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Cong Wang, Yuchung Cheng, Neal Cardwell,
Ilpo Järvinen, Marco Grassi, Eric Dumazet, David S. Miller
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit bb1fceca22492109be12640d49f5ea5a544c6bb4 upstream.
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/net/tcp.h | 2 ++
1 file changed, 2 insertions(+)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1293,6 +1293,8 @@ static inline void tcp_check_send_head(s
{
if (sk->sk_send_head == skb_unlinked)
sk->sk_send_head = NULL;
+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
+ tcp_sk(sk)->highest_sack = NULL;
}
static inline void tcp_init_send_head(struct sock *sk)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 148/152] posix_acl: Clear SGID bit when setting file permissions
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (19 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 098/152] ALSA: rawmidi: Fix possible deadlock with virmidi registration Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 010/152] ext4: don't call ext4_should_journal_data() on the journal inode Ben Hutchings
` (132 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jeff Layton, Jan Kara, Christoph Hellwig, Andreas Gruenbacher
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 073931017b49d9458aa351605b43a7e34598caef upstream.
When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2). Fix that.
References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[bwh: Backported to 3.2:
- Drop changes to ceph, f2fs, hfsplus, orangefs
- Use capable() instead of capable_wrt_inode_uidgid()
- Update ext3 and generic_acl.c as well
- In gfs2, jfs, and xfs, take care to avoid leaking the allocated ACL if
posix_acl_update_mode() determines it's not needed
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -319,32 +319,26 @@ static int v9fs_xattr_set_acl(struct den
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- retval = posix_acl_equiv_mode(acl, &mode);
- if (retval < 0)
+ struct iattr iattr;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+ if (retval)
goto err_out;
- else {
- struct iattr iattr;
- if (retval == 0) {
- /*
- * ACL can be represented
- * by the mode bits. So don't
- * update ACL.
- */
- acl = NULL;
- value = NULL;
- size = 0;
- }
- /* Updte the mode bits */
- iattr.ia_mode = ((mode & S_IALLUGO) |
- (inode->i_mode & ~S_IALLUGO));
- iattr.ia_valid = ATTR_MODE;
- /* FIXME should we update ctime ?
- * What is the following setxattr update the
- * mode ?
+ if (!acl) {
+ /*
+ * ACL can be represented
+ * by the mode bits. So don't
+ * update ACL.
*/
- v9fs_vfs_setattr_dotl(dentry, &iattr);
+ value = NULL;
+ size = 0;
}
+ iattr.ia_valid = ATTR_MODE;
+ /* FIXME should we update ctime ?
+ * What is the following setxattr update the
+ * mode ?
+ */
+ v9fs_vfs_setattr_dotl(dentry, &iattr);
}
break;
case ACL_TYPE_DEFAULT:
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_tr
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- ret = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (ret < 0)
+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (ret)
return ret;
- if (ret == 0)
- acl = NULL;
}
ret = 0;
break;
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -194,15 +194,11 @@ ext2_set_acl(struct inode *inode, int ty
case ACL_TYPE_ACCESS:
name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = CURRENT_TIME_SEC;
- mark_inode_dirty(inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = CURRENT_TIME_SEC;
+ mark_inode_dirty(inode);
}
break;
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -199,15 +199,11 @@ ext3_set_acl(handle_t *handle, struct in
case ACL_TYPE_ACCESS:
name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = CURRENT_TIME_SEC;
- ext3_mark_inode_dirty(handle, inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = CURRENT_TIME_SEC;
+ ext3_mark_inode_dirty(handle, inode);
}
break;
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -198,15 +198,11 @@ ext4_set_acl(handle_t *handle, struct in
case ACL_TYPE_ACCESS:
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = ext4_current_time(inode);
- ext4_mark_inode_dirty(handle, inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
}
break;
--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -86,16 +86,17 @@ generic_acl_set(struct dentry *dentry, c
if (error)
goto failed;
switch (type) {
- case ACL_TYPE_ACCESS:
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ case ACL_TYPE_ACCESS: {
+ struct posix_acl *saved_acl = acl;
+
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
goto failed;
inode->i_ctime = CURRENT_TIME;
- if (error == 0) {
- posix_acl_release(acl);
- acl = NULL;
- }
break;
+ }
case ACL_TYPE_DEFAULT:
if (!S_ISDIR(inode->i_mode)) {
error = -EINVAL;
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -277,16 +277,14 @@ static int gfs2_xattr_system_set(struct
goto out_release;
if (type == ACL_TYPE_ACCESS) {
- umode_t mode = inode->i_mode;
- error = posix_acl_equiv_mode(acl, &mode);
+ struct posix_acl *saved_acl = acl;
+ umode_t mode;
- if (error <= 0) {
- posix_acl_release(acl);
- acl = NULL;
-
- if (error < 0)
- return error;
- }
+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error || acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
+ return error;
error = gfs2_set_mode(inode, mode);
if (error)
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -227,9 +227,10 @@ static int jffs2_set_acl(struct inode *i
case ACL_TYPE_ACCESS:
xprefix = JFFS2_XPREFIX_ACL_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- rc = posix_acl_equiv_mode(acl, &mode);
- if (rc < 0)
+ umode_t mode;
+
+ rc = posix_acl_update_mode(inode, &mode, &acl);
+ if (rc)
return rc;
if (inode->i_mode != mode) {
struct iattr attr;
@@ -241,8 +242,6 @@ static int jffs2_set_acl(struct inode *i
if (rc < 0)
return rc;
}
- if (rc == 0)
- acl = NULL;
}
break;
case ACL_TYPE_DEFAULT:
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -693,9 +693,11 @@ static int can_set_system_xattr(struct i
return rc;
}
if (acl) {
- rc = posix_acl_equiv_mode(acl, &inode->i_mode);
+ struct posix_acl *dummy = acl;
+
+ rc = posix_acl_update_mode(inode, &inode->i_mode, &dummy);
posix_acl_release(acl);
- if (rc < 0) {
+ if (rc) {
printk(KERN_ERR
"posix_acl_equiv_mode returned %d\n",
rc);
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -247,14 +247,11 @@ static int ocfs2_set_acl(handle_t *handl
case ACL_TYPE_ACCESS:
name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- ret = posix_acl_equiv_mode(acl, &mode);
- if (ret < 0)
+ umode_t mode;
+ ret = posix_acl_update_mode(inode, &mode, &acl);
+ if (ret)
return ret;
else {
- if (ret == 0)
- acl = NULL;
-
ret = ocfs2_acl_set_mode(inode, di_bh,
handle, mode);
if (ret)
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -341,6 +341,36 @@ static int posix_acl_create_masq(struct
return not_equiv;
}
+/**
+ * posix_acl_update_mode - update mode in set_acl
+ *
+ * Update the file mode when setting an ACL: compute the new file permission
+ * bits based on the ACL. In addition, if the ACL is equivalent to the new
+ * file mode, set *acl to NULL to indicate that no ACL should be set.
+ *
+ * As with chmod, clear the setgit bit if the caller is not in the owning group
+ * or capable of CAP_FSETID (see inode_change_ok).
+ *
+ * Called from set_acl inode operations.
+ */
+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
+ struct posix_acl **acl)
+{
+ umode_t mode = inode->i_mode;
+ int error;
+
+ error = posix_acl_equiv_mode(*acl, &mode);
+ if (error < 0)
+ return error;
+ if (error == 0)
+ *acl = NULL;
+ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+ mode &= ~S_ISGID;
+ *mode_p = mode;
+ return 0;
+}
+EXPORT_SYMBOL(posix_acl_update_mode);
+
/*
* Modify the ACL for the chmod syscall.
*/
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -272,13 +272,9 @@ reiserfs_set_acl(struct reiserfs_transac
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- if (error == 0)
- acl = NULL;
- }
}
break;
case ACL_TYPE_DEFAULT:
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -384,17 +384,14 @@ xfs_xattr_acl_set(struct dentry *dentry,
goto out_release;
if (type == ACL_TYPE_ACCESS) {
- umode_t mode = inode->i_mode;
- error = posix_acl_equiv_mode(acl, &mode);
-
- if (error <= 0) {
- posix_acl_release(acl);
- acl = NULL;
-
- if (error < 0)
- return error;
- }
+ struct posix_acl *saved_acl = acl;
+ umode_t mode;
+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error || acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
+ return error;
error = xfs_set_mode(dentry, inode, mode);
if (error)
goto out_release;
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -83,6 +83,7 @@ extern struct posix_acl *posix_acl_from_
extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
extern struct posix_acl *get_posix_acl(struct inode *, int);
extern int set_posix_acl(struct inode *, int, struct posix_acl *);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 022/152] net: ethoc: Fix early error paths
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (39 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 142/152] KEYS: Fix short sprintf buffer in /proc/keys show function Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 048/152] tcp: consider recv buf for the initial window scale Ben Hutchings
` (112 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <f.fainelli@gmail.com>
commit 386512d18b268c6182903239f9f3390f03ce4c7b upstream.
In case any operation fails before we can successfully go the point
where we would register a MDIO bus, we would be going to an error label
which involves unregistering then freeing this yet to be created MDIO
bus. Update all error paths to go to label free which is the only one
valid until either the clock is enabled, or the MDIO bus is allocated
and registered. This fixes kernel oops observed while trying to
dereference the MDIO bus structure which is not yet allocated.
Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/ethernet/ethoc.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/ethoc.c
+++ b/drivers/net/ethernet/ethoc.c
@@ -976,7 +976,7 @@ static int __devinit ethoc_probe(struct
if (!priv->iobase) {
dev_err(&pdev->dev, "cannot remap I/O memory space\n");
ret = -ENXIO;
- goto error;
+ goto free;
}
if (netdev->mem_end) {
@@ -985,7 +985,7 @@ static int __devinit ethoc_probe(struct
if (!priv->membase) {
dev_err(&pdev->dev, "cannot remap memory space\n");
ret = -ENXIO;
- goto error;
+ goto free;
}
} else {
/* Allocate buffer memory */
@@ -996,7 +996,7 @@ static int __devinit ethoc_probe(struct
dev_err(&pdev->dev, "cannot allocate %dB buffer\n",
buffer_size);
ret = -ENOMEM;
- goto error;
+ goto free;
}
netdev->mem_end = netdev->mem_start + buffer_size;
priv->dma_alloc = buffer_size;
@@ -1007,7 +1007,7 @@ static int __devinit ethoc_probe(struct
128, (netdev->mem_end - netdev->mem_start + 1) / ETHOC_BUFSIZ);
if (num_bd < 4) {
ret = -ENODEV;
- goto error;
+ goto free;
}
/* num_tx must be a power of two */
priv->num_tx = rounddown_pow_of_two(num_bd >> 1);
@@ -1019,7 +1019,7 @@ static int __devinit ethoc_probe(struct
priv->vma = devm_kzalloc(&pdev->dev, num_bd*sizeof(void*), GFP_KERNEL);
if (!priv->vma) {
ret = -ENOMEM;
- goto error;
+ goto free;
}
/* Allow the platform setup code to pass in a MAC address. */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 026/152] ext4: short-cut orphan cleanup on error
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (143 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 054/152] mm/hugetlb: avoid soft lockup in set_max_huge_pages() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 047/152] ubi: Fix race condition between ubi device creation and udev Ben Hutchings
` (8 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara, Vegard Nossum, Theodore Ts'o
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit c65d5c6c81a1f27dec5f627f67840726fcd146de upstream.
If we encounter a filesystem error during orphan cleanup, we should stop.
Otherwise, we may end up in an infinite loop where the same inode is
processed again and again.
EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
Aborting journal on device loop0-8.
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!
[...]
EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!
[...]
EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!
[...]
See-also: c9eb13a9105 ("ext4: fix hang when processing corrupted orphaned inode list")
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/super.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2246,6 +2246,16 @@ static void ext4_orphan_cleanup(struct s
while (es->s_last_orphan) {
struct inode *inode;
+ /*
+ * We may have encountered an error during cleanup; if
+ * so, skip the rest.
+ */
+ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
+ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
+ es->s_last_orphan = 0;
+ break;
+ }
+
inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
if (IS_ERR(inode)) {
es->s_last_orphan = 0;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 028/152] USB: serial: option: add support for Telit LE910 PID 0x1206
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (67 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 036/152] MIPS: RM7000: Double locking bug in rm7k_tc_disable() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 003/152] sched/cputime: Fix prev steal time accouting during CPU hotplug Ben Hutchings
` (84 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Daniele Palmas, Johan Hovold
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Daniele Palmas <dnlplm@gmail.com>
commit 3c0415fa08548e3bc63ef741762664497ab187ed upstream.
This patch adds support for 0x1206 PID of Telit LE910.
Since the interfaces positions are the same than the ones for
0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/option.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -273,6 +273,7 @@ static void option_instat_callback(struc
#define TELIT_PRODUCT_LE922_USBCFG3 0x1043
#define TELIT_PRODUCT_LE920 0x1200
#define TELIT_PRODUCT_LE910 0x1201
+#define TELIT_PRODUCT_LE910_USBCFG4 0x1206
/* ZTE PRODUCTS */
#define ZTE_VENDOR_ID 0x19d2
@@ -1193,6 +1194,8 @@ static const struct usb_device_id option
.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 106/152] asm-generic: make get_user() clear the destination on errors
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (11 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 136/152] btrfs: ensure that file descriptor used with subvol ioctls is a dir Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 012/152] drm/radeon: Poll for both connect/disconnect on analog connectors Ben Hutchings
` (140 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.
both for access_ok() failures and for faults halfway through
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/asm-generic/uaccess.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -221,13 +221,17 @@ extern int __put_user_bad(void) __attrib
might_sleep(); \
access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
__get_user(x, ptr) : \
- -EFAULT; \
+ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
})
static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
{
- size = __copy_from_user(x, ptr, size);
- return size ? -EFAULT : size;
+ size_t n = __copy_from_user(x, ptr, size);
+ if (unlikely(n)) {
+ memset(x + (size - n), 0, n);
+ return -EFAULT;
+ }
+ return 0;
}
extern int __get_user_bad(void) __attribute__((noreturn));
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 049/152] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (63 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 057/152] USB: serial: option: add D-Link DWM-156/A3 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 073/152] tcp: fix use after free in tcp_xmit_retransmit_queue() Ben Hutchings
` (88 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Heiko Carstens, linux-s390, James Hogan, Martin Schwidefsky
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 68c5cf5a6091c2c3fabccfd42ca844d730ec24c6 upstream.
AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
for s390 at all even though ARCH_DLINFO can contain one NEW_AUX_ENT when
VDSO is enabled.
This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
AT_BASE_PLATFORM which s390 doesn't use, but lets define it now and add
the comment above ARCH_DLINFO as found in several other architectures to
remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
date.
Fixes: b020632e40c3 ("[S390] introduce vdso on s390")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux-s390@vger.kernel.org
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/include/asm/elf.h | 1 +
arch/s390/include/asm/auxvec.h | 2 ++
2 files changed, 3 insertions(+)
--- a/arch/s390/include/asm/elf.h
+++ b/arch/s390/include/asm/elf.h
@@ -199,6 +199,7 @@ do { \
#define STACK_RND_MASK 0x7ffUL
+/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
#define ARCH_DLINFO \
do { \
if (vdso_enabled) \
--- a/arch/s390/include/asm/auxvec.h
+++ b/arch/s390/include/asm/auxvec.h
@@ -3,4 +3,6 @@
#define AT_SYSINFO_EHDR 33
+#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
+
#endif
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 113/152] openrisc: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (37 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 128/152] IB/ipoib: Don't allow MC joins during light MC flush Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 142/152] KEYS: Fix short sprintf buffer in /proc/keys show function Ben Hutchings
` (114 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.
... that should zero on faults. Also remove the <censored> helpful
logics wrt range truncation copied from ppc32. Where it had ever
been needed only in case of copy_from_user() *and* had not been merged
into the mainline until a month after the need had disappeared.
A decade before openrisc went into mainline, I might add...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/openrisc/include/asm/uaccess.h | 35 +++++++++++------------------------
1 file changed, 11 insertions(+), 24 deletions(-)
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -274,28 +274,20 @@ __copy_tofrom_user(void *to, const void
static inline unsigned long
copy_from_user(void *to, const void *from, unsigned long n)
{
- unsigned long over;
+ unsigned long res = n;
- if (access_ok(VERIFY_READ, from, n))
- return __copy_tofrom_user(to, from, n);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + n - TASK_SIZE;
- return __copy_tofrom_user(to, from, n - over) + over;
- }
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ n = __copy_tofrom_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
static inline unsigned long
copy_to_user(void *to, const void *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_WRITE, to, n))
- return __copy_tofrom_user(to, from, n);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + n - TASK_SIZE;
- return __copy_tofrom_user(to, from, n - over) + over;
- }
+ if (likely(access_ok(VERIFY_WRITE, to, n)))
+ n = __copy_tofrom_user(to, from, n);
return n;
}
@@ -304,13 +296,8 @@ extern unsigned long __clear_user(void *
static inline __must_check unsigned long
clear_user(void *addr, unsigned long size)
{
-
- if (access_ok(VERIFY_WRITE, addr, size))
- return __clear_user(addr, size);
- if ((unsigned long)addr < TASK_SIZE) {
- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
- return __clear_user(addr, size - over) + over;
- }
+ if (likely(access_ok(VERIFY_WRITE, addr, size)))
+ size = __clear_user(addr, size);
return size;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 122/152] blackfin: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (15 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 125/152] microblaze: fix __get_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 020/152] Bluetooth: Add USB ID 13D3:3487 to ath3k Ben Hutchings
` (136 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/blackfin/include/asm/uaccess.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -194,11 +194,12 @@ static inline int bad_user_access_length
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long n)
{
- if (access_ok(VERIFY_READ, from, n))
+ if (likely(access_ok(VERIFY_READ, from, n))) {
memcpy(to, (const void __force *)from, n);
- else
- return n;
- return 0;
+ return 0;
+ }
+ memset(to, 0, n);
+ return n;
}
static inline unsigned long __must_check
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 143/152] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (84 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 070/152] cdc-acm: fix wrong pipe type on rx interrupt xfers Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 039/152] ARM: OMAP3: hwmod data: Add sysc information for DSI Ben Hutchings
` (67 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dan Carpenter, Marco Grassi, Tomas Henzl, Martin K. Petersen
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream.
We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.2:
- Adjust context
- Use literal 1032 insetad of ARCMSR_API_DATA_BUFLEN]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -1803,7 +1803,8 @@ static int arcmsr_iop_message_xfer(struc
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
- int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
+ uint32_t user_len;
+ int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
uint8_t *pQbuffer, *ptmpuserbuffer;
ver_addr = kmalloc(1032, GFP_ATOMIC);
@@ -1820,6 +1821,11 @@ static int arcmsr_iop_message_xfer(struc
}
ptmpuserbuffer = ver_addr;
user_len = pcmdmessagefld->cmdmessage.Length;
+ if (user_len > 1032) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ kfree(ver_addr);
+ goto message_out;
+ }
memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);
wqbuf_lastindex = acb->wqbuf_lastindex;
wqbuf_firstindex = acb->wqbuf_firstindex;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 024/152] KVM: nVMX: Fix memory corruption when using VMCS shadowing
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (99 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 043/152] ceph: Correctly return NXIO errors from ceph_llseek Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 093/152] iio: accel: kxsd9: Fix scaling bug Ben Hutchings
` (52 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Paolo Bonzini, Jim Mattson
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 2f1fe81123f59271bddda673b60116bde9660385 upstream.
When freeing the nested resources of a vcpu, there is an assumption that
the vcpu's vmcs01 is the current VMCS on the CPU that executes
nested_release_vmcs12(). If this assumption is violated, the vcpu's
vmcs01 may be made active on multiple CPUs at the same time, in
violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
not VMCLEARed on every CPU on which it is active, it can linger in a
CPU's VMCS cache after it has been freed and potentially
repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
miss can result in memory corruption.
It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
the vcpu in question was last loaded on a different CPU, it must be
migrated to the current CPU before calling vmx_load_vmcs01().
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.2: vcpu_load() returns void]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6328,14 +6328,27 @@ static void vmx_load_vmcs01(struct kvm_v
put_cpu();
}
+/*
+ * Ensure that the current vmcs of the logical processor is the
+ * vmcs01 of the vcpu before calling free_nested().
+ */
+static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ vcpu_load(vcpu);
+ vmx_load_vmcs01(vcpu);
+ free_nested(vmx);
+ vcpu_put(vcpu);
+}
+
static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
free_vpid(vmx);
leave_guest_mode(vcpu);
- vmx_load_vmcs01(vcpu);
- free_nested(vmx);
+ vmx_free_vcpu_nested(vcpu);
free_loaded_vmcs(vmx->loaded_vmcs);
kfree(vmx->guest_msrs);
kvm_vcpu_uninit(vcpu);
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -156,6 +156,7 @@ void vcpu_load(struct kvm_vcpu *vcpu)
kvm_arch_vcpu_load(vcpu, cpu);
put_cpu();
}
+EXPORT_SYMBOL_GPL(vcpu_load);
void vcpu_put(struct kvm_vcpu *vcpu)
{
@@ -165,6 +166,7 @@ void vcpu_put(struct kvm_vcpu *vcpu)
preempt_enable();
mutex_unlock(&vcpu->mutex);
}
+EXPORT_SYMBOL_GPL(vcpu_put);
static void ack_flush(void *_completed)
{
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 067/152] megaraid_sas: Fix probing cards without io port
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (23 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 006/152] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 130/152] avr32: fix 'undefined reference to `___copy_from_user' Ben Hutchings
` (128 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Yinghai Lu, Martin K. Petersen, Kashyap Desai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yinghai Lu <yinghai@kernel.org>
commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.
Found one megaraid_sas HBA probe fails,
[ 187.235190] scsi host2: Avago SAS based MegaRAID driver
[ 191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io 0x0000-0x00ff]
[ 191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!
and the card has resource like,
[ 125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
[ 125.104446] pci 0000:89:00.0: reg 0x10: [io 0x0000-0x00ff]
[ 125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
[ 125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
[ 125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]
that does not io port resource allocated from BIOS, and kernel can not
assign one as io port shortage.
The driver is only looking for MEM, and should not fail.
It turns out megasas_init_fw() etc are using bar index as mask. index 1
is used as mask 1, so that pci_request_selected_regions() is trying to
request BAR0 instead of BAR1.
Fix all related reference.
Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Kashyap Desai <kashyap.desai@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 6 +++---
drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3508,7 +3508,7 @@ static int megasas_init_fw(struct megasa
/* Find first memory bar */
bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
- if (pci_request_selected_regions(instance->pdev, instance->bar,
+ if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
"megasas: LSI")) {
printk(KERN_DEBUG "megasas: IO memory region busy!\n");
return -EBUSY;
@@ -3661,7 +3661,7 @@ fail_ready_state:
iounmap(instance->reg_set);
fail_ioremap:
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
return -EINVAL;
}
@@ -3682,7 +3682,7 @@ static void megasas_release_mfi(struct m
iounmap(instance->reg_set);
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
}
/**
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2026,7 +2026,7 @@ megasas_release_fusion(struct megasas_in
iounmap(instance->reg_set);
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
}
/**
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 152/152] ext3: NULL dereference in ext3_evict_inode()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (28 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 051/152] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 078/152] iio: accel: kxsd9: Fix raw read return Ben Hutchings
` (123 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Amir Goldstein, Jan Kara
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit bcdd0c1600903e9222abfcde28947406020ccb5d upstream.
This is an fsfuzzer bug. ->s_journal is set at the end of
ext3_load_journal() but we try to use it in the error handling from
ext3_get_journal() while it's still NULL.
[ 337.039041] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
[ 337.040380] IP: [<ffffffff816e6539>] _raw_spin_lock+0x9/0x30
[ 337.041687] PGD 0
[ 337.043118] Oops: 0002 [#1] SMP
[ 337.044483] CPU 3
[ 337.044495] Modules linked in: ecb md4 cifs fuse kvm_intel kvm brcmsmac brcmutil crc8 cordic r8169 [last unloaded: scsi_wait_scan]
[ 337.047633]
[ 337.049259] Pid: 8308, comm: mount Not tainted 3.2.0-rc2-next-20111121+ #24 SAMSUNG ELECTRONICS CO., LTD. RV411/RV511/E3511/S3511 /RV411/RV511/E3511/S3511
[ 337.051064] RIP: 0010:[<ffffffff816e6539>] [<ffffffff816e6539>] _raw_spin_lock+0x9/0x30
[ 337.052879] RSP: 0018:ffff8800b1d11ae8 EFLAGS: 00010282
[ 337.054668] RAX: 0000000000000100 RBX: 0000000000000000 RCX: ffff8800b77c2000
[ 337.056400] RDX: ffff8800a97b5c00 RSI: 0000000000000000 RDI: 0000000000000024
[ 337.058099] RBP: ffff8800b1d11ae8 R08: 6000000000000000 R09: e018000000000000
[ 337.059841] R10: ff67366cc2607c03 R11: 00000000110688e6 R12: 0000000000000000
[ 337.061607] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8800a78f06e8
[ 337.063385] FS: 00007f9d95652800(0000) GS:ffff8800b7180000(0000) knlGS:0000000000000000
[ 337.065110] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 337.066801] CR2: 0000000000000024 CR3: 00000000aef2c000 CR4: 00000000000006e0
[ 337.068581] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 337.070321] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 337.072105] Process mount (pid: 8308, threadinfo ffff8800b1d10000, task ffff8800b1d02be0)
[ 337.073800] Stack:
[ 337.075487] ffff8800b1d11b08 ffffffff811f48cf ffff88007ac9b158 0000000000000000
[ 337.077255] ffff8800b1d11b38 ffffffff8119405d ffff88007ac9b158 ffff88007ac9b250
[ 337.078851] ffffffff8181bda0 ffffffff8181bda0 ffff8800b1d11b68 ffffffff81131e31
[ 337.080284] Call Trace:
[ 337.081706] [<ffffffff811f48cf>] log_start_commit+0x1f/0x40
[ 337.083107] [<ffffffff8119405d>] ext3_evict_inode+0x1fd/0x2a0
[ 337.084490] [<ffffffff81131e31>] evict+0xa1/0x1a0
[ 337.085857] [<ffffffff81132031>] iput+0x101/0x210
[ 337.087220] [<ffffffff811339d1>] iget_failed+0x21/0x30
[ 337.088581] [<ffffffff811905fc>] ext3_iget+0x15c/0x450
[ 337.089936] [<ffffffff8118b0c1>] ? ext3_rsv_window_add+0x81/0x100
[ 337.091284] [<ffffffff816df9a4>] ext3_get_journal+0x15/0xde
[ 337.092641] [<ffffffff811a2e9b>] ext3_fill_super+0xf2b/0x1c30
[ 337.093991] [<ffffffff810ddf7d>] ? register_shrinker+0x4d/0x60
[ 337.095332] [<ffffffff8111c112>] mount_bdev+0x1a2/0x1e0
[ 337.096680] [<ffffffff811a1f70>] ? ext3_setup_super+0x210/0x210
[ 337.098026] [<ffffffff8119a770>] ext3_mount+0x10/0x20
[ 337.099362] [<ffffffff8111cbee>] mount_fs+0x3e/0x1b0
[ 337.100759] [<ffffffff810eda1b>] ? __alloc_percpu+0xb/0x10
[ 337.102330] [<ffffffff81135385>] vfs_kern_mount+0x65/0xc0
[ 337.103889] [<ffffffff8113611f>] do_kern_mount+0x4f/0x100
[ 337.105442] [<ffffffff811378fc>] do_mount+0x19c/0x890
[ 337.106989] [<ffffffff810e8456>] ? memdup_user+0x46/0x90
[ 337.108572] [<ffffffff810e84f3>] ? strndup_user+0x53/0x70
[ 337.110114] [<ffffffff811383fb>] sys_mount+0x8b/0xe0
[ 337.111617] [<ffffffff816ed93b>] system_call_fastpath+0x16/0x1b
[ 337.113133] Code: 38 c2 74 0f 66 0f 1f 44 00 00 f3 90 0f b6 03 38 c2 75 f7 48 83 c4 08 5b 5d c3 0f 1f 84 00 00 00 00 00 55 b8 00 01 00 00 48 89 e5 <f0> 66 0f c1 07 0f b6 d4 38 c2 74 0c 0f 1f 00 f3 90 0f b6 07 38
[ 337.116588] RIP [<ffffffff816e6539>] _raw_spin_lock+0x9/0x30
[ 337.118260] RSP <ffff8800b1d11ae8>
[ 337.119998] CR2: 0000000000000024
[ 337.188701] ---[ end trace c36d790becac1615 ]---
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext3/inode.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -223,8 +223,12 @@ void ext3_evict_inode (struct inode *ino
*
* Note that directories do not have this problem because they don't
* use page cache.
+ *
+ * The s_journal check handles the case when ext3_get_journal() fails
+ * and puts the journal inode.
*/
if (inode->i_nlink && ext3_should_journal_data(inode) &&
+ EXT3_SB(inode->i_sb)->s_journal &&
(S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
tid_t commit_tid = atomic_read(&ei->i_datasync_tid);
journal_t *journal = EXT3_SB(inode->i_sb)->s_journal;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 087/152] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (141 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 141/152] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 054/152] mm/hugetlb: avoid soft lockup in set_max_huge_pages() Ben Hutchings
` (10 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, Takashi Iwai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 upstream.
I got this:
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
task: ffff8801120a9580 task.stack: ffff8801120b0000
RIP: 0010:[<ffffffff82c8bd9a>] [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
RSP: 0018:ffff88011aa87da8 EFLAGS: 00010006
RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
FS: 00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
Stack:
0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
Call Trace:
<IRQ>
[<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
[<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
[<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
[<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
[<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
[<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
[<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
[<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
[<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
<EOI>
[<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
[<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
[<ffffffff82c87015>] snd_timer_continue+0x45/0x80
[<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
[<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
[<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
[<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
[<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
[<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
[<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
[<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
[<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
[<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
[<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
[<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
RIP [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
RSP <ffff88011aa87da8>
---[ end trace 6aa380f756a21074 ]---
The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
completely new/unused timer -- it will have ->sticks == 0, which causes a
divide by 0 in snd_hrtimer_callback().
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -822,6 +822,7 @@ int snd_timer_new(struct snd_card *card,
timer->tmr_subdevice = tid->subdevice;
if (id)
strlcpy(timer->id, id, sizeof(timer->id));
+ timer->sticks = 1;
INIT_LIST_HEAD(&timer->device_list);
INIT_LIST_HEAD(&timer->open_list_head);
INIT_LIST_HEAD(&timer->active_list_head);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 031/152] tpm: read burstcount from TPM_STS in one 32-bit transaction
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (133 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 005/152] serial: samsung: Fix possible out of bounds access on non-DT platform Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 017/152] x86/quirks: Add early quirk to reset Apple AirPort card Ben Hutchings
` (18 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jarkko Sakkinen, Andrey Pronin
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Pronin <apronin@chromium.org>
commit 9754d45e997000ad4021bc4606cc266bb38d876f upstream.
Some chips incorrectly support partial reads from TPM_STS register
at non-zero offsets. Read the entire 32-bits register instead of
making two 8-bit reads to support such devices and reduce the number
of bus transactions when obtaining the burstcount from TPM_STS.
Fixes: 27084efee0c3 ("tpm: driver for next generation TPM chips")
Signed-off-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
[bwh: Backported to 3.2:
- Use raw ioread32() instead of tpm_tis_read32()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -176,16 +176,15 @@ static int get_burstcount(struct tpm_chi
{
unsigned long stop;
int burstcnt;
+ u32 value;
/* wait for burstcount */
/* which timeout value, spec has 2 answers (c & d) */
stop = jiffies + chip->vendor.timeout_d;
do {
- burstcnt = ioread8(chip->vendor.iobase +
- TPM_STS(chip->vendor.locality) + 1);
- burstcnt += ioread8(chip->vendor.iobase +
- TPM_STS(chip->vendor.locality) +
- 2) << 8;
+ value = ioread32(chip->vendor.iobase +
+ TPM_STS(chip->vendor.locality));
+ burstcnt = (value >> 8) & 0xFFFF;
if (burstcnt)
return burstcnt;
msleep(TPM_TIMEOUT);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 094/152] sched/core: Fix a race between try_to_wake_up() and a woken up task
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (103 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 009/152] ext4: check for extents that wrap around Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 135/152] i2c-eg20t: fix race between i2c init and interrupt enable Ben Hutchings
` (48 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ingo Molnar, Nicholas Piggin, Oleg Nesterov,
Linus Torvalds, Balbir Singh, Benjamin Herrenschmidt,
Peter Zijlstra (Intel),
Thomas Gleixner, Nicholas Piggin, Alexey Kardashevskiy
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Balbir Singh <bsingharora@gmail.com>
commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream.
The origin of the issue I've seen is related to
a missing memory barrier between check for task->state and
the check for task->on_rq.
The task being woken up is already awake from a schedule()
and is doing the following:
do {
schedule()
set_current_state(TASK_(UN)INTERRUPTIBLE);
} while (!cond);
The waker, actually gets stuck doing the following in
try_to_wake_up():
while (p->on_cpu)
cpu_relax();
Analysis:
The instance I've seen involves the following race:
CPU1 CPU2
while () {
if (cond)
break;
do {
schedule();
set_current_state(TASK_UN..)
} while (!cond);
wakeup_routine()
spin_lock_irqsave(wait_lock)
raw_spin_lock_irqsave(wait_lock) wake_up_process()
} try_to_wake_up()
set_current_state(TASK_RUNNING); ..
list_del(&waiter.list);
CPU2 wakes up CPU1, but before it can get the wait_lock and set
current state to TASK_RUNNING the following occurs:
CPU3
wakeup_routine()
raw_spin_lock_irqsave(wait_lock)
if (!list_empty)
wake_up_process()
try_to_wake_up()
raw_spin_lock_irqsave(p->pi_lock)
..
if (p->on_rq && ttwu_wakeup())
..
while (p->on_cpu)
cpu_relax()
..
CPU3 tries to wake up the task on CPU1 again since it finds
it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
after CPU2, CPU3 got it.
CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
the task is spinning on the wait_lock. Interestingly since p->on_rq
is checked under pi_lock, I've noticed that try_to_wake_up() finds
p->on_rq to be 0. This was the most confusing bit of the analysis,
but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
check is not reliable without this fix IMHO. The race is visible
(based on the analysis) only when ttwu_queue() does a remote wakeup
via ttwu_queue_remote. In which case the p->on_rq change is not
done uder the pi_lock.
The result is that after a while the entire system locks up on
the raw_spin_irqlock_save(wait_lock) and the holder spins infintely
Reproduction of the issue:
The issue can be reproduced after a long run on my system with 80
threads and having to tweak available memory to very low and running
memory stress-ng mmapfork test. It usually takes a long time to
reproduce. I am trying to work on a test case that can reproduce
the issue faster, but thats work in progress. I am still testing the
changes on my still in a loop and the tests seem OK thus far.
Big thanks to Benjamin and Nick for helping debug this as well.
Ben helped catch the missing barrier, Nick caught every missing
bit in my theory.
Signed-off-by: Balbir Singh <bsingharora@gmail.com>
[ Updated comment to clarify matching barriers. Many
architectures do not have a full barrier in switch_to()
so that cannot be relied upon. ]
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -2833,6 +2833,28 @@ try_to_wake_up(struct task_struct *p, un
success = 1; /* we're going to change ->state */
cpu = task_cpu(p);
+ /*
+ * Ensure we load p->on_rq _after_ p->state, otherwise it would
+ * be possible to, falsely, observe p->on_rq == 0 and get stuck
+ * in smp_cond_load_acquire() below.
+ *
+ * sched_ttwu_pending() try_to_wake_up()
+ * [S] p->on_rq = 1; [L] P->state
+ * UNLOCK rq->lock -----.
+ * \
+ * +--- RMB
+ * schedule() /
+ * LOCK rq->lock -----'
+ * UNLOCK rq->lock
+ *
+ * [task p]
+ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq
+ *
+ * Pairs with the UNLOCK+LOCK on rq->lock from the
+ * last wakeup of our task and the schedule that got our task
+ * current.
+ */
+ smp_rmb();
if (p->on_rq && ttwu_remote(p, wake_flags))
goto stat;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 098/152] ALSA: rawmidi: Fix possible deadlock with virmidi registration
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (18 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 059/152] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 148/152] posix_acl: Clear SGID bit when setting file permissions Ben Hutchings
` (133 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Vyukov, Takashi Iwai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 816f318b2364262a51024096da7ca3b84e78e3b5 upstream.
When a seq-virmidi driver is initialized, it registers a rawmidi
instance with its callback to create an associated seq kernel client.
Currently it's done throughly in rawmidi's register_mutex context.
Recently it was found that this may lead to a deadlock another rawmidi
device that is being attached with the sequencer is accessed, as both
open with the same register_mutex. This was actually triggered by
syzkaller, as Dmitry Vyukov reported:
======================================================
[ INFO: possible circular locking dependency detected ]
4.8.0-rc1+ #11 Not tainted
-------------------------------------------------------
syz-executor/7154 is trying to acquire lock:
(register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
but task is already holding lock:
(&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&grp->list_mutex){++++.+}:
[<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
[<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
[< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
[<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
[<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
[<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
[<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
[< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
[<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
[<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
[<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
[< inline >] __snd_device_register sound/core/device.c:162
[<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
[<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
[<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
[<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
......
-> #0 (register_mutex#5){+.+.+.}:
[< inline >] check_prev_add kernel/locking/lockdep.c:1829
[< inline >] check_prevs_add kernel/locking/lockdep.c:1939
[< inline >] validate_chain kernel/locking/lockdep.c:2266
[<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
[<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
[< inline >] __mutex_lock_common kernel/locking/mutex.c:521
[<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
[<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
[<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
[< inline >] subscribe_port sound/core/seq/seq_ports.c:427
[<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
[<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
[<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
[<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
[<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
[<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
[<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
[<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
[<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
[<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
......
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&grp->list_mutex);
lock(register_mutex#5);
lock(&grp->list_mutex);
lock(register_mutex#5);
*** DEADLOCK ***
======================================================
The fix is to simply move the registration parts in
snd_rawmidi_dev_register() to the outside of the register_mutex lock.
The lock is needed only to manage the linked list, and it's not
necessarily to cover the whole initialization process.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/rawmidi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1609,11 +1609,13 @@ static int snd_rawmidi_dev_register(stru
return -EBUSY;
}
list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+ mutex_unlock(®ister_mutex);
sprintf(name, "midiC%iD%i", rmidi->card->number, rmidi->device);
if ((err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
rmidi->card, rmidi->device,
&snd_rawmidi_f_ops, rmidi, name)) < 0) {
snd_printk(KERN_ERR "unable to register rawmidi device %i:%i\n", rmidi->card->number, rmidi->device);
+ mutex_lock(®ister_mutex);
list_del(&rmidi->list);
mutex_unlock(®ister_mutex);
return err;
@@ -1621,6 +1623,7 @@ static int snd_rawmidi_dev_register(stru
if (rmidi->ops && rmidi->ops->dev_register &&
(err = rmidi->ops->dev_register(rmidi)) < 0) {
snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
+ mutex_lock(®ister_mutex);
list_del(&rmidi->list);
mutex_unlock(®ister_mutex);
return err;
@@ -1649,7 +1652,6 @@ static int snd_rawmidi_dev_register(stru
}
}
#endif /* CONFIG_SND_OSSEMUL */
- mutex_unlock(®ister_mutex);
sprintf(name, "midi%d", rmidi->device);
entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
if (entry) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 099/152] xfrm_user: propagate sec ctx allocation errors
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (122 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 021/152] Bluetooth: Add support of 13d3:3490 AR3012 device Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 132/152] xfrm: Fix memory leak of aead algorithm name Ben Hutchings
` (29 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mathias Krause, Thomas Graf, Steffen Klassert
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit 2f30ea5090cbc57ea573cdc66421264b3de3fb0a upstream.
When we fail to attach the security context in xfrm_state_construct()
we'll return 0 as error value which, in turn, will wrongly claim success
to userland when, in fact, we won't be adding / updating the XFRM state.
This is a regression introduced by commit fd21150a0fe1 ("[XFRM] netlink:
Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()").
Fix it by propagating the error returned by security_xfrm_state_alloc()
in this case.
Fixes: fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl()...")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/xfrm/xfrm_user.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -558,9 +558,12 @@ static struct xfrm_state *xfrm_state_con
if (err)
goto error;
- if (attrs[XFRMA_SEC_CTX] &&
- security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
- goto error;
+ if (attrs[XFRMA_SEC_CTX]) {
+ err = security_xfrm_state_alloc(x,
+ nla_data(attrs[XFRMA_SEC_CTX]));
+ if (err)
+ goto error;
+ }
if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
attrs[XFRMA_REPLAY_ESN_VAL])))
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 093/152] iio: accel: kxsd9: Fix scaling bug
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (100 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 024/152] KVM: nVMX: Fix memory corruption when using VMCS shadowing Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 092/152] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow Ben Hutchings
` (51 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Linus Walleij
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.
All the scaling of the KXSD9 involves multiplication with a
fraction number < 1.
However the scaling value returned from IIO_INFO_SCALE was
unpredictable as only the micros of the value was assigned, and
not the integer part, resulting in scaling like this:
$cat in_accel_scale
-1057462640.011978
Fix this by assigning zero to the integer part.
Tested-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/iio/accel/kxsd9.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/staging/iio/accel/kxsd9.c
+++ b/drivers/staging/iio/accel/kxsd9.c
@@ -169,6 +169,7 @@ static int kxsd9_read_raw(struct iio_dev
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
if (ret < 0)
goto error_ret;
+ *val = 0;
*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
ret = IIO_VAL_INT_PLUS_MICRO;
break;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 091/152] IB/core: Fix use after free in send_leave function
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (45 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 002/152] powerpc/numa: Fix multiple bugs in memory_hotplug_max() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 095/152] crypto: cryptd - initialize child shash_desc on import Ben Hutchings
` (106 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Erez Shitrit, Leon Romanovsky
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Erez Shitrit <erezsh@mellanox.com>
commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream.
The function send_leave sets the member: group->query_id
(group->query_id = ret) after calling the sa_query, but leave_handler
can be executed before the setting and it might delete the group object,
and will get a memory corruption.
Additionally, this patch gets rid of group->query_id variable which is
not used.
Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/multicast.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -106,7 +106,6 @@ struct mcast_group {
atomic_t refcount;
enum mcast_group_state state;
struct ib_sa_query *query;
- int query_id;
u16 pkey_index;
u8 leave_state;
int retries;
@@ -339,11 +338,7 @@ static int send_join(struct mcast_group
member->multicast.comp_mask,
3000, GFP_KERNEL, join_handler, group,
&group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static int send_leave(struct mcast_group *group, u8 leave_state)
@@ -363,11 +358,7 @@ static int send_leave(struct mcast_group
IB_SA_MCMEMBER_REC_JOIN_STATE,
3000, GFP_KERNEL, leave_handler,
group, &group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static void join_group(struct mcast_group *group, struct mcast_member *member,
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 082/152] USB: avoid left shift by -1
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (3 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 037/152] nfs: don't create zero-length requests Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 069/152] USB: serial: mos7840: fix non-atomic allocation in write path Ben Hutchings
` (148 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Alan Stern, Vittorio Zecca, Bjørn Mork
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa upstream.
UBSAN complains about a left shift by -1 in proc_do_submiturb(). This
can occur when an URB is submitted for a bulk or control endpoint on
a high-speed device, since the code doesn't bother to check the
endpoint type; normally only interrupt or isochronous endpoints have
a nonzero bInterval value.
Aside from the fact that the operation is illegal, it shouldn't matter
because the result isn't used. Still, in theory it could cause a
hardware exception or other problem, so we should work around it.
This patch avoids doing the left shift unless the shift amount is >= 0.
The same piece of code has another problem. When checking the device
speed (the exponential encoding for interrupt endpoints is used only
by high-speed or faster devices), we need to look for speed >=
USB_SPEED_SUPER as well as speed == USB_SPEED HIGH. The patch adds
this check.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Vittorio Zecca <zeccav@gmail.com>
Tested-by: Vittorio Zecca <zeccav@gmail.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/devio.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1281,11 +1281,17 @@ static int proc_do_submiturb(struct dev_
as->urb->setup_packet = (unsigned char *)dr;
as->urb->start_frame = uurb->start_frame;
as->urb->number_of_packets = uurb->number_of_packets;
- if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
- ps->dev->speed == USB_SPEED_HIGH)
- as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
- else
- as->urb->interval = ep->desc.bInterval;
+
+ if (ep->desc.bInterval) {
+ if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
+ ps->dev->speed == USB_SPEED_HIGH ||
+ ps->dev->speed >= USB_SPEED_SUPER)
+ as->urb->interval = 1 <<
+ min(15, ep->desc.bInterval - 1);
+ else
+ as->urb->interval = ep->desc.bInterval;
+ }
+
as->urb->context = as;
as->urb->complete = async_completed;
for (totlen = u = 0; u < uurb->number_of_packets; u++) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 076/152] parisc: Fix order of EREFUSED define in errno.h
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (6 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 045/152] drm/radeon: fix firmware info version checks Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 080/152] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() Ben Hutchings
` (145 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Helge Deller
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream.
When building gccgo in userspace, errno.h gets parsed and the go include file
sysinfo.go is generated.
Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
is defined later on in errno.h, this leads to go complaining that EREFUSED
isn't defined yet.
Fix this trivial problem by moving the define of EREFUSED down after
ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
Signed-off-by: Helge Deller <deller@gmx.de>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/parisc/include/asm/errno.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/parisc/include/asm/errno.h
+++ b/arch/parisc/include/asm/errno.h
@@ -97,10 +97,10 @@
#define ENOTCONN 235 /* Transport endpoint is not connected */
#define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */
#define ETOOMANYREFS 237 /* Too many references: cannot splice */
-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
#define ETIMEDOUT 238 /* Connection timed out */
#define ECONNREFUSED 239 /* Connection refused */
-#define EREMOTERELEASE 240 /* Remote peer released connection */
+#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+#define EREMOTERELEASE 240 /* Remote peer released connection */
#define EHOSTDOWN 241 /* Host is down */
#define EHOSTUNREACH 242 /* No route to host */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 095/152] crypto: cryptd - initialize child shash_desc on import
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (46 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 091/152] IB/core: Fix use after free in send_leave function Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 107/152] cris: buggered copy_from_user/copy_to_user/clear_user Ben Hutchings
` (105 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Ard Biesheuvel
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.
When calling .import() on a cryptd ahash_request, the structure members
that describe the child transform in the shash_desc need to be initialized
like they are when calling .init()
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/cryptd.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct aha
static int cryptd_hash_import(struct ahash_request *req, const void *in)
{
- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
+ struct shash_desc *desc = cryptd_shash_desc(req);
- return crypto_shash_import(&rctx->desc, in);
+ desc->tfm = ctx->child;
+ desc->flags = req->base.flags;
+
+ return crypto_shash_import(desc, in);
}
static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 126/152] avr32: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (26 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 058/152] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 051/152] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Ben Hutchings
` (125 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.
really ugly, but apparently avr32 compilers turns access_ok() into
something so bad that they want it in assembler. Left that way,
zeroing added in inline wrapper.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
arch/avr32/kernel/avr32_ksyms.c | 2 +-
arch/avr32/lib/copy_user.S | 4 ++--
3 files changed, 13 insertions(+), 4 deletions(-)
--- a/arch/avr32/include/asm/uaccess.h
+++ b/arch/avr32/include/asm/uaccess.h
@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void
extern __kernel_size_t copy_to_user(void __user *to, const void *from,
__kernel_size_t n);
-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
+extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
__kernel_size_t n);
static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
{
return __copy_user(to, (const void __force *)from, n);
}
+static inline __kernel_size_t copy_from_user(void *to,
+ const void __user *from,
+ __kernel_size_t n)
+{
+ size_t res = ___copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
+}
#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user
--- a/arch/avr32/kernel/avr32_ksyms.c
+++ b/arch/avr32/kernel/avr32_ksyms.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
/*
* Userspace access stuff.
*/
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(___copy_from_user);
EXPORT_SYMBOL(copy_to_user);
EXPORT_SYMBOL(__copy_user);
EXPORT_SYMBOL(strncpy_from_user);
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -25,11 +25,11 @@
.align 1
.global copy_from_user
.type copy_from_user, @function
-copy_from_user:
+___copy_from_user:
branch_if_kernel r8, __copy_user
ret_if_privileged r8, r11, r10, r10
rjmp __copy_user
- .size copy_from_user, . - copy_from_user
+ .size ___copy_from_user, . - ___copy_from_user
.global copy_to_user
.type copy_to_user, @function
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 047/152] ubi: Fix race condition between ubi device creation and udev
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (144 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 026/152] ext4: short-cut orphan cleanup on error Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 079/152] drm: Reject page_flip for !DRIVER_MODESET Ben Hutchings
` (7 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Iosif Harutyunov, Iosif Harutyunov, Richard Weinberger
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Iosif Harutyunov <iharutyunov@SonicWALL.com>
commit 714fb87e8bc05ff78255afc0dca981e8c5242785 upstream.
Install the UBI device object before we arm sysfs.
Otherwise udev tries to read sysfs attributes before UBI is ready and
udev rules will not match.
Signed-off-by: Iosif Harutyunov <iharutyunov@sonicwall.com>
[rw: massaged commit message]
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/ubi/build.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -974,6 +974,9 @@ int ubi_attach_mtd_dev(struct mtd_info *
goto out_detach;
}
+ /* Make device "available" before it becomes accessible via sysfs */
+ ubi_devices[ubi_num] = ubi;
+
err = uif_init(ubi, &ref);
if (err)
goto out_detach;
@@ -1017,7 +1020,6 @@ int ubi_attach_mtd_dev(struct mtd_info *
wake_up_process(ubi->bgt_thread);
spin_unlock(&ubi->wl_lock);
- ubi_devices[ubi_num] = ubi;
ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL);
return ubi_num;
@@ -1028,6 +1030,7 @@ out_uif:
ubi_assert(ref);
uif_close(ubi);
out_detach:
+ ubi_devices[ubi_num] = NULL;
ubi_wl_close(ubi);
free_internal_volumes(ubi);
vfree(ubi->vtbl);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 092/152] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (101 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 093/152] iio: accel: kxsd9: Fix scaling bug Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 009/152] ext4: check for extents that wrap around Ben Hutchings
` (50 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Doug Ledford, Erez Shitrit
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Erez Shitrit <erezsh@mellanox.com>
commit 546481c2816ea3c061ee9d5658eb48070f69212e upstream.
When a new CM connection is being requested, ipoib driver copies data
from the path pointer in the CM/tx object, the path object might be
invalid at the point and memory corruption will happened later when now
the CM driver will try using that data.
The next scenario demonstrates it:
neigh_add_path --> ipoib_cm_create_tx -->
queue_work (pointer to path is in the cm/tx struct)
#while the work is still in the queue,
#the port goes down and causes the ipoib_flush_paths:
ipoib_flush_paths --> path_free --> kfree(path)
#at this point the work scheduled starts.
ipoib_cm_tx_start --> copy from the (invalid)path pointer:
(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
-> memory corruption.
To fix that the driver now starts the CM/tx connection only if that
specific path exists in the general paths database.
This check is protected with the relevant locks, and uses the gid from
the neigh member in the CM/tx object which is valid according to the ref
count that was taken by the CM/tx.
Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.2: s/neigh->daddr/neigh->neighbour->ha/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/ulp/ipoib/ipoib.h | 1 +
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++++++++++++++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
3 files changed, 18 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -434,6 +434,7 @@ void ipoib_send(struct net_device *dev,
struct ipoib_ah *address, u32 qpn);
void ipoib_reap_ah(struct work_struct *work);
+struct ipoib_path *__path_find(struct net_device *dev, void *gid);
void ipoib_mark_paths_invalid(struct net_device *dev);
void ipoib_flush_paths(struct net_device *dev);
struct ipoib_dev_priv *ipoib_intf_alloc(const char *format);
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1288,6 +1288,8 @@ void ipoib_cm_destroy_tx(struct ipoib_cm
}
}
+#define QPN_AND_OPTIONS_OFFSET 4
+
static void ipoib_cm_tx_start(struct work_struct *work)
{
struct ipoib_dev_priv *priv = container_of(work, struct ipoib_dev_priv,
@@ -1296,6 +1298,7 @@ static void ipoib_cm_tx_start(struct wor
struct ipoib_neigh *neigh;
struct ipoib_cm_tx *p;
unsigned long flags;
+ struct ipoib_path *path;
int ret;
struct ib_sa_path_rec pathrec;
@@ -1308,7 +1311,19 @@ static void ipoib_cm_tx_start(struct wor
p = list_entry(priv->cm.start_list.next, typeof(*p), list);
list_del_init(&p->list);
neigh = p->neigh;
+
qpn = IPOIB_QPN(neigh->neighbour->ha);
+ /*
+ * As long as the search is with these 2 locks,
+ * path existence indicates its validity.
+ */
+ path = __path_find(dev, neigh->neighbour->ha + QPN_AND_OPTIONS_OFFSET);
+ if (!path) {
+ pr_info("%s ignore not valid path %pI6\n",
+ __func__,
+ neigh->neighbour->ha + QPN_AND_OPTIONS_OFFSET);
+ goto free_neigh;
+ }
memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);
spin_unlock_irqrestore(&priv->lock, flags);
@@ -1320,6 +1335,7 @@ static void ipoib_cm_tx_start(struct wor
spin_lock_irqsave(&priv->lock, flags);
if (ret) {
+free_neigh:
neigh = p->neigh;
if (neigh) {
neigh->cm = NULL;
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -208,7 +208,7 @@ static int ipoib_change_mtu(struct net_d
return 0;
}
-static struct ipoib_path *__path_find(struct net_device *dev, void *gid)
+struct ipoib_path *__path_find(struct net_device *dev, void *gid)
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
struct rb_node *n = priv->path_tree.rb_node;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 109/152] hexagon: fix strncpy_from_user() error return
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (73 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 120/152] sh: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 129/152] irda: Free skb on irda_accept error path Ben Hutchings
` (78 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Richard Kuo
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.
It's -EFAULT, not -1 (and contrary to the comment in there,
__strnlen_user() can return 0 - on faults).
Acked-by: Richard Kuo <rkuo@codeaurora.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/hexagon/include/asm/uaccess.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_
{
long res = __strnlen_user(src, n);
- /* return from strnlen can't be zero -- that would be rubbish. */
+ if (unlikely(!res))
+ return -EFAULT;
if (res > n) {
copy_from_user(dst, src, n);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 046/152] avr32: off by one in at32_init_pio()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (52 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 150/152] xenbus: don't BUG() on user mode induced condition Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 008/152] Input: xpad - validate USB endpoint count during probe Ben Hutchings
` (99 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Carpenter
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 55f1cf83d5cf885c75267269729805852039c834 upstream.
The pio_dev[] array has MAX_NR_PIO_DEVICES elements so the > should be
>=.
Fixes: 5f97f7f9400d ('[PATCH] avr32 architecture')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/avr32/mach-at32ap/pio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/avr32/mach-at32ap/pio.c
+++ b/arch/avr32/mach-at32ap/pio.c
@@ -435,7 +435,7 @@ void __init at32_init_pio(struct platfor
struct resource *regs;
struct pio_device *pio;
- if (pdev->id > MAX_NR_PIO_DEVICES) {
+ if (pdev->id >= MAX_NR_PIO_DEVICES) {
dev_err(&pdev->dev, "only %d PIO devices supported\n",
MAX_NR_PIO_DEVICES);
return;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 039/152] ARM: OMAP3: hwmod data: Add sysc information for DSI
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (85 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 143/152] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 146/152] fs: Avoid premature clearing of capabilities Ben Hutchings
` (66 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tony Lindgren, Sebastian Reichel
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sre@kernel.org>
commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.
Add missing sysconfig/sysstatus information
to OMAP3 hwmod. The information has been
checked against OMAP34xx and OMAP36xx TRM.
Without this change DSI block is not reset
during boot, which is required for working
Nokia N950 display.
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -1470,8 +1470,20 @@ static struct omap_hwmod omap3xxx_dss_di
* display serial interface controller
*/
+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+ .rev_offs = 0x0000,
+ .sysc_offs = 0x0010,
+ .syss_offs = 0x0014,
+ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type1,
+};
+
static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
.name = "dsi",
+ .sysc = &omap3xxx_dsi_sysc,
};
static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 040/152] net/irda: fix NULL pointer dereference on memory allocation failure
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (79 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 075/152] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 044/152] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Ben Hutchings
` (72 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, David S. Miller
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d upstream.
I ran into this:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
RIP: 0010:[<ffffffff82bbf066>] [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
RSP: 0018:ffff880111747bb8 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
FS: 00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
Stack:
0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
Call Trace:
[<ffffffff82bca542>] irda_connect+0x562/0x1190
[<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
[<ffffffff825b4489>] SyS_connect+0x9/0x10
[<ffffffff8100334c>] do_syscall_64+0x19c/0x410
[<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
RIP [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
RSP <ffff880111747bb8>
---[ end trace 4cda2588bc055b30 ]---
The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/irda/af_irda.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1040,8 +1040,11 @@ static int irda_connect(struct socket *s
}
/* Check if we have opened a local TSAP */
- if (!self->tsap)
- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (!self->tsap) {
+ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (err)
+ goto out;
+ }
/* Move to connecting socket, start sending Connect Requests */
sock->state = SS_CONNECTING;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 038/152] pps: do not crash when failed to register
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (49 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 029/152] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Ben Hutchings
` (102 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Rodolfo Giometti, Linus Torvalds, Jiri Slaby
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby <jslaby@suse.cz>
commit 368301f2fe4b07e5fb71dba3cc566bc59eb6705f upstream.
With this command sequence:
modprobe plip
modprobe pps_parport
rmmod pps_parport
the partport_pps modules causes this crash:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: parport_detach+0x1d/0x60 [pps_parport]
Oops: 0000 [#1] SMP
...
Call Trace:
parport_unregister_driver+0x65/0xc0 [parport]
SyS_delete_module+0x187/0x210
The sequence that builds up to this is:
1) plip is loaded and takes the parport device for exclusive use:
plip0: Parallel port at 0x378, using IRQ 7.
2) pps_parport then fails to grab the device:
pps_parport: parallel port PPS client
parport0: cannot grant exclusive access for device pps_parport
pps_parport: couldn't register with parport0
3) rmmod of pps_parport is then killed because it tries to access
pardev->name, but pardev (taken from port->cad) is NULL.
So add a check for NULL in the test there too.
Link: http://lkml.kernel.org/r/20160714115245.12651-1-jslaby@suse.cz
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pps/clients/pps_parport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -194,7 +194,7 @@ static void parport_detach(struct parpor
struct pps_client_pp *device;
/* FIXME: oooh, this is ugly! */
- if (strcmp(pardev->name, KBUILD_MODNAME))
+ if (!pardev || strcmp(pardev->name, KBUILD_MODNAME))
/* not our port */
return;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 034/152] hwmon: (adt7411) set bit 3 in CFG1 register
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (76 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 019/152] NFS: Don't drop CB requests with invalid principals Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 115/152] ppc32: fix copy_from_user() Ben Hutchings
` (75 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Guenter Roeck, Michael Walle
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Walle <michael@walle.cc>
commit b53893aae441a034bf4dbbad42fe218561d7d81f upstream.
According to the datasheet you should only write 1 to this bit. If it is
not set, at least AIN3 will return bad values on newer silicon revisions.
Fixes: d84ca5b345c2 ("hwmon: Add driver for ADT7411 voltage and temperature sensor")
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/hwmon/adt7411.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/hwmon/adt7411.c
+++ b/drivers/hwmon/adt7411.c
@@ -31,6 +31,7 @@
#define ADT7411_REG_CFG1 0x18
#define ADT7411_CFG1_START_MONITOR (1 << 0)
+#define ADT7411_CFG1_RESERVED_BIT3 (1 << 3)
#define ADT7411_REG_CFG2 0x19
#define ADT7411_CFG2_DISABLE_AVG (1 << 5)
@@ -291,8 +292,10 @@ static int __devinit adt7411_probe(struc
mutex_init(&data->device_lock);
mutex_init(&data->update_lock);
+ /* According to the datasheet, we must only write 1 to bit 3 */
ret = adt7411_modify_bit(client, ADT7411_REG_CFG1,
- ADT7411_CFG1_START_MONITOR, 1);
+ ADT7411_CFG1_RESERVED_BIT3
+ | ADT7411_CFG1_START_MONITOR, 1);
if (ret < 0)
goto exit_free;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 032/152] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (110 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 151/152] xenbus: don't look up transaction IDs for ordinary writes Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 110/152] ia64: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
` (41 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Florian Fainelli, Kalle Valo, coverity, Arend van Spriel
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <f.fainelli@gmail.com>
commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.
wlc_phy_txpower_get_current() does a logical OR of power->flags, which
presumes that power.flags was initiliazed earlier by the caller,
unfortunately, this is not the case, so make sure we zero out the struct
tx_power before calling into wlc_phy_txpower_get_current().
Reported-by: coverity (CID 146011)
Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/brcm80211/brcmsmac/stf.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/stf.c
@@ -86,7 +86,7 @@ void
brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
u16 chanspec)
{
- struct tx_power power;
+ struct tx_power power = { };
u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;
/* Clear previous settings */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 083/152] ubifs: Fix assertion in layout_in_gaps()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (150 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 053/152] dm flakey: error READ bios during the down_interval Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 4:05 ` [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
2016-11-14 5:47 ` Guenter Roeck
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Artem Bityutskiy, Richard Weinberger, Vincent Stehlé
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Stehlé <vincent.stehle@intel.com>
commit c0082e985fdf77b02fc9e0dac3b58504dcf11b7a upstream.
An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
below the maximum bound. When computing this maximum bound the idx_lebs
count is multiplied by sizeof(int), while C pointers arithmetic does take
into account the size of the pointed elements implicitly already. Remove
the multiplication to fix the assertion.
Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Signed-off-by: Vincent Stehlé <vincent.stehle@intel.com>
Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ubifs/tnc_commit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ubifs/tnc_commit.c
+++ b/fs/ubifs/tnc_commit.c
@@ -373,7 +373,7 @@ static int layout_in_gaps(struct ubifs_i
p = c->gap_lebs;
do {
- ubifs_assert(p < c->gap_lebs + sizeof(int) * c->lst.idx_lebs);
+ ubifs_assert(p < c->gap_lebs + c->lst.idx_lebs);
written = layout_leb_in_gaps(c, p);
if (written < 0) {
err = written;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 011/152] ext4: validate s_reserved_gdt_blocks on mount
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 066/152] arm: oabi compat: add missing access checks Ben Hutchings
` (152 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Vegard Nossum
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 5b9554dc5bf008ae7f68a52e3d7e76c0920938a2 upstream.
If s_reserved_gdt_blocks is extremely large, it's possible for
ext4_init_block_bitmap(), which is called when ext4 sets up an
uninitialized block bitmap, to corrupt random kernel memory. Add the
same checks which e2fsck has --- it must never be larger than
blocksize / sizeof(__u32) --- and then add a backup check in
ext4_init_block_bitmap() in case the superblock gets modified after
the file system is mounted.
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.2:
- Drop the second check in ext4_init_block_bitmap() since it can't return
an error code
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3429,6 +3429,13 @@ static int ext4_fill_super(struct super_
goto failed_mount;
}
+ if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
+ ext4_msg(sb, KERN_ERR,
+ "Number of reserved GDT blocks insanely large: %d",
+ le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks));
+ goto failed_mount;
+ }
+
if (sb->s_blocksize != blocksize) {
/* Validate the filesystem blocksize */
if (!sb_set_blocksize(sb, blocksize)) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 001/152] netlabel: add address family checks to netlbl_{sock,req}_delattr()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (30 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 078/152] iio: accel: kxsd9: Fix raw read return Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 127/152] USB: change bInterval default to 10 ms Ben Hutchings
` (121 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Maninder Singh, Paul Moore
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
commit 0e0e36774081534783aa8eeb9f6fbddf98d3c061 upstream.
It seems risky to always rely on the caller to ensure the socket's
address family is correct before passing it to the NetLabel kAPI,
especially since we see at least one LSM which didn't. Add address
family checks to the *_delattr() functions to help prevent future
problems.
Reported-by: Maninder Singh <maninder1.s@samsung.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netlabel/netlabel_kapi.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -710,7 +710,11 @@ socket_setattr_return:
*/
void netlbl_sock_delattr(struct sock *sk)
{
- cipso_v4_sock_delattr(sk);
+ switch (sk->sk_family) {
+ case AF_INET:
+ cipso_v4_sock_delattr(sk);
+ break;
+ }
}
/**
@@ -889,7 +893,11 @@ req_setattr_return:
*/
void netlbl_req_delattr(struct request_sock *req)
{
- cipso_v4_req_delattr(req);
+ switch (req->rsk_ops->family) {
+ case AF_INET:
+ cipso_v4_req_delattr(req);
+ break;
+ }
}
/**
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 096/152] ALSA: timer: Code cleanup
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (57 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 065/152] x86/mm: Disable preemption during CR3 read+write Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 119/152] sh64: failing __get_user() should zero Ben Hutchings
` (94 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 upstream.
This is a minor code cleanup without any functional changes:
- Kill keep_flag argument from _snd_timer_stop(), as all callers pass
only it false.
- Remove redundant NULL check in _snd_timer_stop().
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: adjust to apply after previously backported
"ALSA: timer: Fix race between stop and interrupt"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer.c | 28 +++++++++++-----------------
1 file changed, 11 insertions(+), 17 deletions(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -310,8 +310,7 @@ int snd_timer_open(struct snd_timer_inst
return 0;
}
-static int _snd_timer_stop(struct snd_timer_instance *timeri,
- int keep_flag, int event);
+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
/*
* close a timer instance
@@ -353,7 +352,7 @@ int snd_timer_close(struct snd_timer_ins
spin_unlock_irq(&timer->lock);
mutex_lock(®ister_mutex);
list_del(&timeri->open_list);
- if (timer && list_empty(&timer->open_list_head) &&
+ if (list_empty(&timer->open_list_head) &&
timer->hw.close)
timer->hw.close(timer);
/* remove slave links */
@@ -505,8 +504,7 @@ int snd_timer_start(struct snd_timer_ins
return result;
}
-static int _snd_timer_stop(struct snd_timer_instance * timeri,
- int keep_flag, int event)
+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
{
struct snd_timer *timer;
unsigned long flags;
@@ -515,21 +513,19 @@ static int _snd_timer_stop(struct snd_ti
return -ENXIO;
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
- spin_unlock_irqrestore(&slave_active_lock, flags);
- return -EBUSY;
- }
- if (timeri->timer)
- spin_lock(&timeri->timer->lock);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
- list_del_init(&timeri->ack_list);
- list_del_init(&timeri->active_list);
- if (timeri->timer)
- spin_unlock(&timeri->timer->lock);
+ spin_lock_irqsave(&slave_active_lock, flags);
+ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
spin_unlock_irqrestore(&slave_active_lock, flags);
+ return -EBUSY;
}
+ if (timeri->timer)
+ spin_lock(&timeri->timer->lock);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
+ if (timeri->timer)
+ spin_unlock(&timeri->timer->lock);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
goto __end;
}
timer = timeri->timer;
@@ -555,9 +551,7 @@ static int _snd_timer_stop(struct snd_ti
}
}
}
- if (!keep_flag)
- timeri->flags &=
- ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+ timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
spin_unlock_irqrestore(&timer->lock, flags);
__end:
if (event != SNDRV_TIMER_EVENT_RESOLUTION)
@@ -576,7 +570,7 @@ int snd_timer_stop(struct snd_timer_inst
unsigned long flags;
int err;
- err = _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_STOP);
+ err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
if (err < 0)
return err;
timer = timeri->timer;
@@ -625,7 +619,7 @@ int snd_timer_continue(struct snd_timer_
*/
int snd_timer_pause(struct snd_timer_instance * timeri)
{
- return _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_PAUSE);
+ return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
}
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 115/152] ppc32: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (77 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 034/152] hwmon: (adt7411) set bit 3 in CFG1 register Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 075/152] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports Ben Hutchings
` (74 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.
should clear on access_ok() failures. Also remove the useless
range truncation logics.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: no calls to check_object_size()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -332,30 +332,17 @@ extern unsigned long __copy_tofrom_user(
static inline unsigned long copy_from_user(void *to,
const void __user *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_READ, from, n))
+ if (likely(access_ok(VERIFY_READ, from, n)))
return __copy_tofrom_user((__force void __user *)to, from, n);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + n - TASK_SIZE;
- return __copy_tofrom_user((__force void __user *)to, from,
- n - over) + over;
- }
+ memset(to, 0, n);
return n;
}
static inline unsigned long copy_to_user(void __user *to,
const void *from, unsigned long n)
{
- unsigned long over;
-
if (access_ok(VERIFY_WRITE, to, n))
return __copy_tofrom_user(to, (__force void __user *)from, n);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + n - TASK_SIZE;
- return __copy_tofrom_user(to, (__force void __user *)from,
- n - over) + over;
- }
return n;
}
@@ -446,10 +433,6 @@ static inline unsigned long clear_user(v
might_sleep();
if (likely(access_ok(VERIFY_WRITE, addr, size)))
return __clear_user(addr, size);
- if ((unsigned long)addr < TASK_SIZE) {
- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
- return __clear_user(addr, size - over) + over;
- }
return size;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 005/152] serial: samsung: Fix possible out of bounds access on non-DT platform
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (132 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 121/152] sparc32: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 031/152] tpm: read burstcount from TPM_STS in one 32-bit transaction Ben Hutchings
` (19 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Bartlomiej Zolnierkiewicz, Greg Kroah-Hartman, Krzysztof Kozlowski
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
commit 926b7b5122c96e1f18cd20e85a286c7ec8d18c97 upstream.
On non-DeviceTree platforms, the index of serial device is a static
variable incremented on each probe. It is incremented even if deferred
probe happens when getting the clock in s3c24xx_serial_init_port().
This index is used for referencing elements of statically allocated
s3c24xx_serial_ports array. In case of re-probe, the index will point
outside of this array leading to memory corruption.
Increment the index only on successful probe.
Reported-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/serial/samsung.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1237,8 +1237,6 @@ int s3c24xx_serial_probe(struct platform
dbg("s3c24xx_serial_probe(%p, %p) %d\n", dev, info, probe_index);
ourport = &s3c24xx_serial_ports[probe_index];
- probe_index++;
-
dbg("%s: initialising port %p...\n", __func__, ourport);
ret = s3c24xx_serial_init_port(ourport, info, dev);
@@ -1275,6 +1273,8 @@ int __devexit s3c24xx_serial_remove(stru
uart_remove_one_port(&s3c24xx_uart_drv, port);
}
+ probe_index++;
+
return 0;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 004/152] crypto: gcm - Filter out async ghash if necessary
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (60 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 086/152] fs/seq_file: fix out-of-bounds read Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 077/152] USB: serial: option: add WeTelecom WM-D200 Ben Hutchings
` (91 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Herbert Xu
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 upstream.
As it is if you ask for a sync gcm you may actually end up with
an async one because it does not filter out async implementations
of ghash.
This patch fixes this by adding the necessary filter when looking
for ghash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/gcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -711,7 +711,9 @@ static struct crypto_instance *crypto_gc
ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
CRYPTO_ALG_TYPE_HASH,
- CRYPTO_ALG_TYPE_AHASH_MASK);
+ CRYPTO_ALG_TYPE_AHASH_MASK |
+ crypto_requires_sync(algt->type,
+ algt->mask));
err = PTR_ERR(ghash_alg);
if (IS_ERR(ghash_alg))
return ERR_PTR(err);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 119/152] sh64: failing __get_user() should zero
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (58 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 096/152] ALSA: timer: Code cleanup Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 086/152] fs/seq_file: fix out-of-bounds read Ben Hutchings
` (93 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.
It could be done in exception-handling bits in __get_user_b() et.al.,
but the surgery involved would take more knowledge of sh64 details
than I have or _want_ to have.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/include/asm/uaccess_64.h | 1 +
1 file changed, 1 insertion(+)
--- a/arch/sh/include/asm/uaccess_64.h
+++ b/arch/sh/include/asm/uaccess_64.h
@@ -24,6 +24,7 @@
#define __get_user_size(x,ptr,size,retval) \
do { \
retval = 0; \
+ x = 0; \
switch (size) { \
case 1: \
retval = __get_user_asm_b((void *)&x, \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 025/152] ext4: fix reference counting bug on block allocation error
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (148 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 118/152] score: fix copy_from_user() and friends Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 053/152] dm flakey: error READ bios during the down_interval Ben Hutchings
` (3 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Aneesh Kumar K.V, Vegard Nossum, Theodore Ts'o
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e upstream.
If we hit this error when mounted with errors=continue or
errors=remount-ro:
EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:2940: comm ext4.exe: Allocating blocks 5090-6081 which overlap fs metadata
then ext4_mb_new_blocks() will call ext4_mb_release_context() and try to
continue. However, ext4_mb_release_context() is the wrong thing to call
here since we are still actually using the allocation context.
Instead, just error out. We could retry the allocation, but there is a
possibility of getting stuck in an infinite loop instead, so this seems
safer.
[ Fixed up so we don't return EAGAIN to userspace. --tytso ]
Fixes: 8556e8f3b6 ("ext4: Don't allow new groups to be added during block allocation")
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
[bwh: Backported to 3.2:
- Use EIO instead of EFSCORRUPTED
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/mballoc.c | 17 +++--------------
1 file changed, 3 insertions(+), 14 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2824,7 +2824,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
"fs metadata\n", block, block+len);
/* File system mounted not to panic on error
- * Fix the bitmap and repeat the block allocation
+ * Fix the bitmap and return EIO
* We leak some of the blocks here.
*/
ext4_lock_group(sb, ac->ac_b_ex.fe_group);
@@ -2833,7 +2833,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
if (!err)
- err = -EAGAIN;
+ err = -EIO;
goto out_err;
}
@@ -4401,18 +4401,7 @@ repeat:
}
if (likely(ac->ac_status == AC_STATUS_FOUND)) {
*errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
- if (*errp == -EAGAIN) {
- /*
- * drop the reference that we took
- * in ext4_mb_use_best_found
- */
- ext4_mb_release_context(ac);
- ac->ac_b_ex.fe_group = 0;
- ac->ac_b_ex.fe_start = 0;
- ac->ac_b_ex.fe_len = 0;
- ac->ac_status = AC_STATUS_CONTINUE;
- goto repeat;
- } else if (*errp)
+ if (*errp)
errout:
ext4_discard_allocated_blocks(ac);
else {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 063/152] USB: validate wMaxPacketValue entries in endpoint descriptors
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (126 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 042/152] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 023/152] KVM: nVMX: fix lifetime issues for vmcs02 Ben Hutchings
` (25 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman, roswest
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit aed9d65ac3278d4febd8665bd7db59ef53e825fe upstream.
Erroneous or malicious endpoint descriptors may have non-zero bits in
reserved positions, or out-of-bounds values. This patch helps prevent
these from causing problems by bounds-checking the wMaxPacketValue
entries in endpoint descriptors and capping the values at the maximum
allowed.
This issue was first discovered and tests were conducted by Jake Lamberson
<jake.lamberson1@gmail.com>, an intern working for Rosie Hall.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: roswest <roswest@cisco.com>
Tested-by: roswest <roswest@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: drop the USB_SPEED_SUPER_PLUS case]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -144,6 +144,31 @@ static void usb_parse_ss_endpoint_compan
}
}
+static const unsigned short low_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 8,
+ [USB_ENDPOINT_XFER_ISOC] = 0,
+ [USB_ENDPOINT_XFER_BULK] = 0,
+ [USB_ENDPOINT_XFER_INT] = 8,
+};
+static const unsigned short full_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1023,
+ [USB_ENDPOINT_XFER_BULK] = 64,
+ [USB_ENDPOINT_XFER_INT] = 64,
+};
+static const unsigned short high_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 512,
+ [USB_ENDPOINT_XFER_INT] = 1023,
+};
+static const unsigned short super_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 512,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 1024,
+ [USB_ENDPOINT_XFER_INT] = 1024,
+};
+
static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
int asnum, struct usb_host_interface *ifp, int num_ep,
unsigned char *buffer, int size)
@@ -152,6 +177,8 @@ static int usb_parse_endpoint(struct dev
struct usb_endpoint_descriptor *d;
struct usb_host_endpoint *endpoint;
int n, i, j, retval;
+ unsigned int maxp;
+ const unsigned short *maxpacket_maxes;
d = (struct usb_endpoint_descriptor *) buffer;
buffer += d->bLength;
@@ -258,6 +285,41 @@ static int usb_parse_endpoint(struct dev
endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
}
+ /* Validate the wMaxPacketSize field */
+ maxp = usb_endpoint_maxp(&endpoint->desc);
+
+ /* Find the highest legal maxpacket size for this endpoint */
+ i = 0; /* additional transactions per microframe */
+ switch (to_usb_device(ddev)->speed) {
+ case USB_SPEED_LOW:
+ maxpacket_maxes = low_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_FULL:
+ maxpacket_maxes = full_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_HIGH:
+ /* Bits 12..11 are allowed only for HS periodic endpoints */
+ if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+ i = maxp & (BIT(12) | BIT(11));
+ maxp &= ~i;
+ }
+ /* fallthrough */
+ default:
+ maxpacket_maxes = high_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_SUPER:
+ maxpacket_maxes = super_speed_maxpacket_maxes;
+ break;
+ }
+ j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)];
+
+ if (maxp > j) {
+ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n",
+ cfgno, inum, asnum, d->bEndpointAddress, maxp, j);
+ maxp = j;
+ endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp);
+ }
+
/*
* Some buggy high speed devices have bulk endpoints using
* maxpacket sizes other than 512. High speed HCDs may not
@@ -265,9 +327,6 @@ static int usb_parse_endpoint(struct dev
*/
if (to_usb_device(ddev)->speed == USB_SPEED_HIGH
&& usb_endpoint_xfer_bulk(d)) {
- unsigned maxp;
-
- maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff;
if (maxp != 512)
dev_warn(ddev, "config %d interface %d altsetting %d "
"bulk endpoint 0x%X has invalid maxpacket %d\n",
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 100/152] alpha: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (33 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 090/152] x86/paravirt: Do not trace _paravirt_ident_*() functions Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 114/152] parisc: " Ben Hutchings
` (118 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.
it should clear the destination even when access_ok() fails.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
return __cu_len;
}
-extern inline long
-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
-{
- if (__access_ok((unsigned long)validate, len, get_fs()))
- len = __copy_tofrom_user_nocheck(to, from, len);
- return len;
-}
-
#define __copy_to_user(to,from,n) \
({ \
__chk_user_ptr(to); \
@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user
-
extern inline long
copy_to_user(void __user *to, const void *from, long n)
{
- return __copy_tofrom_user((__force void *)to, from, n, to);
+ if (likely(__access_ok((unsigned long)to, n, get_fs())))
+ n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
+ return n;
}
extern inline long
copy_from_user(void *to, const void __user *from, long n)
{
- return __copy_tofrom_user(to, (__force void *)from, n, from);
+ if (likely(__access_ok((unsigned long)from, n, get_fs())))
+ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
+ else
+ memset(to, 0, n);
+ return n;
}
extern void __do_clear_user(void);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 062/152] netfilter: nfnetlink_queue: reject verdict request from different portid
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (135 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 017/152] x86/quirks: Add early quirk to reset Apple AirPort card Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 035/152] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Ben Hutchings
` (16 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pablo Neira Ayuso, Florian Westphal, Liping Zhang
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liping Zhang <liping.zhang@spreadtrum.com>
commit 00a3101f561816e58de054a470484996f78eb5eb upstream.
Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict
request when the portid is not same with the initial portid(maybe
from another process).
Fixes: 97d32cf9440d ("netfilter: nfnetlink_queue: batch verdict support")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nfnetlink_queue.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -716,9 +716,6 @@ nfqnl_recv_verdict(struct sock *ctnl, st
unsigned int verdict;
struct nf_queue_entry *entry;
- queue = instance_lookup(queue_num);
- if (!queue)
-
queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).pid);
if (IS_ERR(queue))
return PTR_ERR(queue);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 071/152] usb: xhci: Fix panic if disconnect
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (114 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 137/152] can: dev: fix deadlock reported after bus-off Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 103/152] NFSv4.1: Fix the CREATE_SESSION slot number accounting Ben Hutchings
` (37 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jim Lin, Mathias Nyman, Greg Kroah-Hartman
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Lin <jilin@nvidia.com>
commit 88716a93766b8f095cdef37a8e8f2c93aa233b21 upstream.
After a device is disconnected, xhci_stop_device() will be invoked
in xhci_bus_suspend().
Also the "disconnect" IRQ will have ISR to invoke
xhci_free_virt_device() in this sequence.
xhci_irq -> xhci_handle_event -> handle_cmd_completion ->
xhci_handle_cmd_disable_slot -> xhci_free_virt_device
If xhci->devs[slot_id] has been assigned to NULL in
xhci_free_virt_device(), then virt_dev->eps[i].ring in
xhci_stop_device() may point to an invlid address to cause kernel
panic.
virt_dev = xhci->devs[slot_id];
:
if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue)
[] Unable to handle kernel paging request at virtual address 00001a68
[] pgd=ffffffc001430000
[] [00001a68] *pgd=000000013c807003, *pud=000000013c807003,
*pmd=000000013c808003, *pte=0000000000000000
[] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G U
[] Workqueue: pm pm_runtime_work
[] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti:
ffffffc0bc0ec000
[] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4
This issue is found when running with realtek ethernet device
(0bda:8153).
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/host/xhci-hub.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -278,6 +278,9 @@ static int xhci_stop_device(struct xhci_
ret = 0;
virt_dev = xhci->devs[slot_id];
+ if (!virt_dev)
+ return -ENODEV;
+
cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO);
if (!cmd) {
xhci_dbg(xhci, "Couldn't allocate command structure.\n");
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 140/152] mm,ksm: fix endless looping in allocating memory when ksm enable
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (106 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 102/152] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 149/152] [media] usbvision: revert commit 588afcc1 Ben Hutchings
` (45 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Michal Hocko, Hugh Dickins, zhong jiang,
Michal Hocko
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: zhong jiang <zhongjiang@huawei.com>
commit 5b398e416e880159fe55eefd93c6588fa072cd66 upstream.
I hit the following hung task when runing a OOM LTP test case with 4.1
kernel.
Call trace:
[<ffffffc000086a88>] __switch_to+0x74/0x8c
[<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
[<ffffffc000a1c09c>] schedule+0x3c/0x94
[<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
[<ffffffc000a1e32c>] down_write+0x64/0x80
[<ffffffc00021f794>] __ksm_exit+0x90/0x19c
[<ffffffc0000be650>] mmput+0x118/0x11c
[<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
[<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
[<ffffffc0000d0f34>] get_signal+0x444/0x5e0
[<ffffffc000089fcc>] do_signal+0x1d8/0x450
[<ffffffc00008a35c>] do_notify_resume+0x70/0x78
The oom victim cannot terminate because it needs to take mmap_sem for
write while the lock is held by ksmd for read which loops in the page
allocator
ksm_do_scan
scan_get_next_rmap_item
down_read
get_next_rmap_item
alloc_rmap_item #ksmd will loop permanently.
There is no way forward because the oom victim cannot release any memory
in 4.1 based kernel. Since 4.6 we have the oom reaper which would solve
this problem because it would release the memory asynchronously.
Nevertheless we can relax alloc_rmap_item requirements and use
__GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
would just retry later after the lock got dropped.
Such a patch would be also easy to backport to older stable kernels which
do not have oom_reaper.
While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
by the allocation failure.
Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Suggested-by: Hugh Dickins <hughd@google.com>
Suggested-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/ksm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -238,7 +238,8 @@ static inline struct rmap_item *alloc_rm
{
struct rmap_item *rmap_item;
- rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL);
+ rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL |
+ __GFP_NORETRY | __GFP_NOWARN);
if (rmap_item)
ksm_rmap_items++;
return rmap_item;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 110/152] ia64: copy_from_user() should zero the destination on access_ok() failure
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (111 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 032/152] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 015/152] x86/quirks: Apply nvidia_bugs quirk only on root bus Ben Hutchings
` (40 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: no calls to check_object_size()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void _
__cu_len; \
})
-#define copy_from_user(to, from, n) \
-({ \
- void *__cu_to = (to); \
- const void __user *__cu_from = (from); \
- long __cu_len = (n); \
- \
- __chk_user_ptr(__cu_from); \
- if (__access_ok(__cu_from, __cu_len, get_fs())) \
- __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
- __cu_len; \
-})
+static inline unsigned long
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+ if (likely(__access_ok(from, n, get_fs())))
+ n = __copy_user((__force void __user *) to, from, n);
+ else
+ memset(to, 0, n);
+ return n;
+}
#define __copy_in_user(to, from, size) __copy_user((to), (from), (size))
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 085/152] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (54 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 008/152] Input: xpad - validate USB endpoint count during probe Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 088/152] ALSA: timer: fix NULL pointer dereference on memory allocation failure Ben Hutchings
` (97 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Aleksandr Makarov
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
commit 40d9c32525cba79130612650b1abc47c0c0f19a8 upstream.
These product IDs are listed in Windows driver.
0x6803 corresponds to WeTelecom WM-D300.
0x6802 name is unknown.
Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/option.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -515,6 +515,8 @@ static void option_instat_callback(struc
/* WeTelecom products */
#define WETELECOM_VENDOR_ID 0x22de
#define WETELECOM_PRODUCT_WMD200 0x6801
+#define WETELECOM_PRODUCT_6802 0x6802
+#define WETELECOM_PRODUCT_WMD300 0x6803
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
@@ -1953,6 +1955,8 @@ static const struct usb_device_id option
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 055/152] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (92 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 060/152] drm/edid: Add 6 bpc quirk for display AEO model 0 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 134/152] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Ben Hutchings
` (59 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Richard Weinberger
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream.
We can't pass error pointers to kfree() or it causes an oops.
Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/hostfs/hostfs_kern.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -955,10 +955,11 @@ static int hostfs_fill_sb_common(struct
if (S_ISLNK(root_inode->i_mode)) {
char *name = follow_link(host_root_path);
- if (IS_ERR(name))
+ if (IS_ERR(name)) {
err = PTR_ERR(name);
- else
- err = read_name(root_inode, name);
+ goto out_put;
+ }
+ err = read_name(root_inode, name);
kfree(name);
if (err)
goto out_put;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 059/152] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (17 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 020/152] Bluetooth: Add USB ID 13D3:3487 to ath3k Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 098/152] ALSA: rawmidi: Fix possible deadlock with virmidi registration Ben Hutchings
` (134 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Sheng-Hui J. Chu
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Sheng-Hui J. Chu" <s.jeffrey.chu@gmail.com>
commit ae34d12cc1e212ffcd92e069030e54dae69c832f upstream.
BCM20706V2_EVAL is a WICED dev board designed with FT2232H USB 2.0
UART/FIFO IC.
To support BCM920706V2_EVAL dev board for WICED development on Linux.
Add the VID(0a5c) and PID(6422) to ftdi_sio driver to allow loading
ftdi_sio for this board.
Signed-off-by: Sheng-Hui J. Chu <s.jeffrey.chu@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 7 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1032,6 +1032,7 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
{ }, /* Optional parameter entry */
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -673,6 +673,12 @@
#define INTREPID_NEOVI_PID 0x0701
/*
+ * WICED USB UART
+ */
+#define WICED_VID 0x0A5C
+#define WICED_USB20706V2_PID 0x6422
+
+/*
* Definitions for ID TECH (www.idt-net.com) devices
*/
#define IDTECH_VID 0x0ACD /* ID TECH Vendor ID */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 075/152] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (78 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 115/152] ppc32: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 040/152] net/irda: fix NULL pointer dereference on memory allocation failure Ben Hutchings
` (73 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Bruno Wolff III
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 47af45d684b5f3ae000ad448db02ce4f13f73273 upstream.
The commit 4097461897df ("Input: i8042 - break load dependency ...")
correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do
the same for AUX port(s), which results in communication on KBD and AUX
ports to clash with each other.
Fixes: 4097461897df ("Input: i8042 - break load dependency ...")
Reported-by: Bruno Wolff III <bruno@wolff.to>
Tested-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/serio/i8042.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1249,6 +1249,7 @@ static int __init i8042_create_aux_port(
serio->write = i8042_aux_write;
serio->start = i8042_start;
serio->stop = i8042_stop;
+ serio->ps2_cmd_mutex = &i8042_mutex;
serio->port_data = port;
serio->dev.parent = &i8042_platform_device->dev;
if (idx < 0) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 120/152] sh: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (72 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 138/152] tracing: Move mutex to protect against resetting of seq data Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 109/152] hexagon: fix strncpy_from_user() error return Ben Hutchings
` (79 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/include/asm/uaccess.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -175,7 +175,10 @@ copy_from_user(void *to, const void __us
__kernel_size_t __copy_size = (__kernel_size_t) n;
if (__copy_size && __access_ok(__copy_from, __copy_size))
- return __copy_user(to, from, __copy_size);
+ __copy_size = __copy_user(to, from, __copy_size);
+
+ if (unlikely(__copy_size))
+ memset(to + (n - __copy_size), 0, __copy_size);
return __copy_size;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 061/152] aacraid: Check size values after double-fetch from user
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (139 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 014/152] ppp: defer netns reference release for ppp channel Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 141/152] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback Ben Hutchings
` (12 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Johannes Thumshirn, Dave Carroll, Martin K. Petersen, Pengfei Wang
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dave Carroll <david.carroll@microsemi.com>
commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
get the fib header's size and one for the fib itself. Later we use the
size field from the second fetch to further process the fib. If for some
reason the size from the second fetch is different than from the first
fix, we may encounter an out-of- bounds access in aac_fib_send(). We
also check the sender size to insure it is not out of bounds. This was
reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
assigned CVE-2016-6480.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev
struct fib *fibptr;
struct hw_fib * hw_fib = (struct hw_fib *)0;
dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
- unsigned size;
+ unsigned int size, osize;
int retval;
if (dev->in_reset) {
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev
* will not overrun the buffer when we copy the memory. Return
* an error if we would.
*/
- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+ osize = size = le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr);
if (size < le16_to_cpu(kfib->header.SenderSize))
size = le16_to_cpu(kfib->header.SenderSize);
if (size > dev->max_fib_size) {
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev
goto cleanup;
}
+ /* Sanity check the second copy */
+ if ((osize != le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr))
+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
+ retval = -EINVAL;
+ goto cleanup;
+ }
+
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
aac_adapter_interrupt(dev);
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 116/152] s390: get_user() should zero on failure
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (117 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 139/152] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 101/152] asm-generic: make copy_from_user() zero the destination properly Ben Hutchings
` (34 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/include/asm/uaccess.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -147,28 +147,28 @@ extern int __put_user_bad(void) __attrib
__chk_user_ptr(ptr); \
switch (sizeof(*(ptr))) { \
case 1: { \
- unsigned char __x; \
+ unsigned char __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 2: { \
- unsigned short __x; \
+ unsigned short __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 4: { \
- unsigned int __x; \
+ unsigned int __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 8: { \
- unsigned long long __x; \
+ unsigned long long __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 056/152] block: fix use-after-free in seq file
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (137 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 035/152] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 014/152] ppp: defer netns reference release for ppp channel Ben Hutchings
` (14 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Vegard Nossum, Jens Axboe
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
block/genhd.c | 1 +
1 file changed, 1 insertion(+)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_fi
if (iter) {
class_dev_iter_exit(iter);
kfree(iter);
+ seqf->private = NULL;
}
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 123/152] m32r: fix __get_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (35 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 114/152] parisc: " Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 128/152] IB/ipoib: Don't allow MC joins during light MC flush Ben Hutchings
` (116 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/m32r/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_reg
#define __get_user_nocheck(x,ptr,size) \
({ \
long __gu_err = 0; \
- unsigned long __gu_val; \
+ unsigned long __gu_val = 0; \
might_sleep(); \
__get_user_size(__gu_val,(ptr),(size),__gu_err); \
(x) = (__typeof__(*(ptr)))__gu_val; \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 074/152] drm/radeon: fix radeon_move_blit on 32bit systems
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (108 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 149/152] [media] usbvision: revert commit 588afcc1 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 151/152] xenbus: don't look up transaction IDs for ordinary writes Ben Hutchings
` (43 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Christian König, Alex Deucher
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 upstream.
This bug seems to be present for a very long time.
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_ttm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -248,8 +248,8 @@ static int radeon_move_blit(struct ttm_b
if (unlikely(r)) {
return r;
}
- old_start = old_mem->start << PAGE_SHIFT;
- new_start = new_mem->start << PAGE_SHIFT;
+ old_start = (u64)old_mem->start << PAGE_SHIFT;
+ new_start = (u64)new_mem->start << PAGE_SHIFT;
switch (old_mem->mem_type) {
case TTM_PL_VRAM:
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 060/152] drm/edid: Add 6 bpc quirk for display AEO model 0.
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (91 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 030/152] crypto: scatterwalk - Fix test in scatterwalk_done Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 055/152] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() Ben Hutchings
` (60 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mario Kleiner, Ville Syrjälä,
Daniel Vetter, Jani Nikula, Dave Airlie
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mario Kleiner <mario.kleiner.de@gmail.com>
commit e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd upstream.
Bugzilla https://bugzilla.kernel.org/show_bug.cgi?id=105331
reports that the "AEO model 0" display is driven with 8 bpc
without dithering by default, which looks bad because that
panel is apparently a 6 bpc DP panel with faulty EDID.
A fix for this was made by commit 013dd9e03872
("drm/i915/dp: fall back to 18 bpp when sink capability is unknown").
That commit triggers new regressions in precision for DP->DVI and
DP->VGA displays. A patch is out to revert that commit, but it will
revert video output for the AEO model 0 panel to 8 bpc without
dithering.
The EDID 1.3 of that panel, as decoded from the xrandr output
attached to that bugzilla bug report, is somewhat faulty, and beyond
other problems also sets the "DFP 1.x compliant TMDS" bit, which
according to DFP spec means to drive the panel with 8 bpc and
no dithering in absence of other colorimetry information.
Try to make the original bug reporter happy despite the
faulty EDID by adding a quirk to mark that panel as 6 bpc,
so 6 bpc output with dithering creates a nice picture.
Tested by injecting the edid from the fdo bug into a DP connector
via drm_kms_helper.edid_firmware and verifying the 6 bpc + dithering
is selected.
This patch should be backported to stable.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_edid.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -68,6 +68,8 @@
#define EDID_QUIRK_DETAILED_SYNC_PP (1 << 6)
/* Force reduced-blanking timings for detailed modes */
#define EDID_QUIRK_FORCE_REDUCED_BLANKING (1 << 7)
+/* Force 6bpc */
+#define EDID_QUIRK_FORCE_6BPC (1 << 10)
struct detailed_mode_closure {
struct drm_connector *connector;
@@ -94,6 +96,9 @@ static struct edid_quirk {
/* Unknown Acer */
{ "ACR", 2423, EDID_QUIRK_FIRST_DETAILED_PREFERRED },
+ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
/* Belinea 10 15 55 */
{ "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
{ "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
@@ -1752,6 +1757,9 @@ int drm_add_edid_modes(struct drm_connec
drm_add_display_info(edid, &connector->display_info);
+ if (quirks & EDID_QUIRK_FORCE_6BPC)
+ connector->display_info.bpc = 6;
+
return num_modes;
}
EXPORT_SYMBOL(drm_add_edid_modes);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 023/152] KVM: nVMX: fix lifetime issues for vmcs02
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (127 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 063/152] USB: validate wMaxPacketValue entries in endpoint descriptors Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 133/152] ocfs2/dlm: fix race between convert and migration Ben Hutchings
` (24 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Paolo Bonzini, Wanpeng Li
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 4fa7734c62cdd8c07edd54fa5a5e91482273071a upstream.
free_nested needs the loaded_vmcs to be valid if it is a vmcs02, in
order to detach it from the shadow vmcs. However, this is not
available anymore after commit 26a865f4aa8e (KVM: VMX: fix use after
free of vmx->loaded_vmcs, 2014-01-03).
Revert that patch, and fix its problem by forcing a vmcs01 as the
active VMCS before freeing all the nested VMX state.
Reported-by: Wanpeng Li <wanpeng.li@linux.intel.com>
Tested-by: Wanpeng Li <wanpeng.li@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/vmx.c | 49 +++++++++++++++++++++++++++++++++----------------
1 file changed, 33 insertions(+), 16 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4999,22 +4999,27 @@ static void nested_free_vmcs02(struct vc
/*
* Free all VMCSs saved for this vcpu, except the one pointed by
- * vmx->loaded_vmcs. These include the VMCSs in vmcs02_pool (except the one
- * currently used, if running L2), and vmcs01 when running L2.
+ * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
+ * must be &vmx->vmcs01.
*/
static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
{
struct vmcs02_list *item, *n;
+
+ WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
- if (vmx->loaded_vmcs != &item->vmcs02)
- free_loaded_vmcs(&item->vmcs02);
+ /*
+ * Something will leak if the above WARN triggers. Better than
+ * a use-after-free.
+ */
+ if (vmx->loaded_vmcs == &item->vmcs02)
+ continue;
+
+ free_loaded_vmcs(&item->vmcs02);
list_del(&item->list);
kfree(item);
+ vmx->nested.vmcs02_num--;
}
- vmx->nested.vmcs02_num = 0;
-
- if (vmx->loaded_vmcs != &vmx->vmcs01)
- free_loaded_vmcs(&vmx->vmcs01);
}
/*
@@ -6307,13 +6312,31 @@ static void __noclone vmx_vcpu_run(struc
#undef R
#undef Q
+static void vmx_load_vmcs01(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ int cpu;
+
+ if (vmx->loaded_vmcs == &vmx->vmcs01)
+ return;
+
+ cpu = get_cpu();
+ vmx->loaded_vmcs = &vmx->vmcs01;
+ vmx_vcpu_put(vcpu);
+ vmx_vcpu_load(vcpu, cpu);
+ vcpu->cpu = cpu;
+ put_cpu();
+}
+
static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
free_vpid(vmx);
- free_loaded_vmcs(vmx->loaded_vmcs);
+ leave_guest_mode(vcpu);
+ vmx_load_vmcs01(vcpu);
free_nested(vmx);
+ free_loaded_vmcs(vmx->loaded_vmcs);
kfree(vmx->guest_msrs);
kvm_vcpu_uninit(vcpu);
kmem_cache_free(kvm_vcpu_cache, vmx);
@@ -7059,18 +7082,12 @@ void load_vmcs12_host_state(struct kvm_v
static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
- int cpu;
struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
leave_guest_mode(vcpu);
prepare_vmcs12(vcpu, vmcs12);
- cpu = get_cpu();
- vmx->loaded_vmcs = &vmx->vmcs01;
- vmx_vcpu_put(vcpu);
- vmx_vcpu_load(vcpu, cpu);
- vcpu->cpu = cpu;
- put_cpu();
+ vmx_load_vmcs01(vcpu);
/* if no vmcs02 cache requested, remove the one we used */
if (VMCS02_POOL_SIZE == 0)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 114/152] parisc: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (34 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 100/152] alpha: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 123/152] m32r: fix __get_user() Ben Hutchings
` (117 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit aace880feea38875fbc919761b77e5732a3659ef upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -10,6 +10,8 @@
#include <asm/errno.h>
#include <asm-generic/uaccess-unaligned.h>
+#include <linux/string.h>
+
#define VERIFY_READ 0
#define VERIFY_WRITE 1
@@ -255,13 +257,14 @@ static inline unsigned long __must_check
unsigned long n)
{
int sz = __compiletime_object_size(to);
- int ret = -EFAULT;
+ unsigned long ret = n;
if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
ret = __copy_from_user(to, from, n);
else
copy_from_user_overflow();
-
+ if (unlikely(ret))
+ memset(to + (n - ret), 0, ret);
return ret;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 151/152] xenbus: don't look up transaction IDs for ordinary writes
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (109 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 074/152] drm/radeon: fix radeon_move_blit on 32bit systems Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 032/152] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() Ben Hutchings
` (42 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Vrabel, Jan Beulich, Jan Beulich,
Richard Schütz, Ed Swierk
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <JBeulich@suse.com>
commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea upstream.
This should really only be done for XS_TRANSACTION_END messages, or
else at least some of the xenstore-* tools don't work anymore.
Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition")
Reported-by: Richard Schütz <rschuetz@uni-koblenz.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Richard Schütz <rschuetz@uni-koblenz.de>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Ed Swierk <eswierk@skyportsystems.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/xen/xenfs/xenbus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/xen/xenfs/xenbus.c
+++ b/drivers/xen/xenfs/xenbus.c
@@ -310,7 +310,7 @@ static int xenbus_write_transaction(unsi
rc = -ENOMEM;
goto out;
}
- } else {
+ } else if (msg_type == XS_TRANSACTION_END) {
list_for_each_entry(trans, &u->transactions, list)
if (trans->handle.id == u->u.msg.tx_id)
break;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 150/152] xenbus: don't BUG() on user mode induced condition
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (51 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 029/152] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 046/152] avr32: off by one in at32_init_pio() Ben Hutchings
` (100 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Vrabel, Ed Swierk, Jan Beulich, Jan Beulich
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <JBeulich@suse.com>
commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b upstream.
Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Ed Swierk <eswierk@skyportsystems.com>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/xen/xenfs/xenbus.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/drivers/xen/xenfs/xenbus.c
+++ b/drivers/xen/xenfs/xenbus.c
@@ -310,11 +310,18 @@ static int xenbus_write_transaction(unsi
rc = -ENOMEM;
goto out;
}
+ } else {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
+ if (&trans->list == &u->transactions)
+ return -ESRCH;
}
reply = xenbus_dev_request_and_reply(&u->u.msg);
if (IS_ERR(reply)) {
- kfree(trans);
+ if (msg_type == XS_TRANSACTION_START)
+ kfree(trans);
rc = PTR_ERR(reply);
goto out;
}
@@ -324,12 +331,7 @@ static int xenbus_write_transaction(unsi
list_add(&trans->list, &u->transactions);
} else if (msg_type == XS_TRANSACTION_END) {
- list_for_each_entry(trans, &u->transactions, list)
- if (trans->handle.id == u->u.msg.tx_id)
- break;
- BUG_ON(&trans->list == &u->transactions);
list_del(&trans->list);
-
kfree(trans);
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 133/152] ocfs2/dlm: fix race between convert and migration
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (128 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 023/152] KVM: nVMX: fix lifetime issues for vmcs02 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 068/152] USB: serial: mos7720: fix non-atomic allocation in write path Ben Hutchings
` (23 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jun Piao, Linus Torvalds, Joel Becker, Mark Fasheh,
Joseph Qi, Junxiao Bi
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Qi <joseph.qi@huawei.com>
commit e6f0c6e6170fec175fe676495f29029aecdf486c upstream.
Commit ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
checks if lockres master has changed to identify whether new master has
finished recovery or not. This will introduce a race that right after
old master does umount ( means master will change), a new convert
request comes.
In this case, it will reset lockres state to DLM_RECOVERING and then
retry convert, and then fail with lockres->l_action being set to
OCFS2_AST_INVALID, which will cause inconsistent lock level between
ocfs2 and dlm, and then finally BUG.
Since dlm recovery will clear lock->convert_pending in
dlm_move_lockres_to_recovery_list, we can use it to correctly identify
the race case between convert and recovery. So fix it.
Fixes: ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery")
Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.com
Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Signed-off-by: Jun Piao <piaojun@huawei.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ocfs2/dlm/dlmconvert.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -265,7 +265,6 @@ enum dlm_status dlmconvert_remote(struct
struct dlm_lock *lock, int flags, int type)
{
enum dlm_status status;
- u8 old_owner = res->owner;
mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -332,7 +331,6 @@ enum dlm_status dlmconvert_remote(struct
spin_lock(&res->spinlock);
res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
- lock->convert_pending = 0;
/* if it failed, move it back to granted queue.
* if master returns DLM_NORMAL and then down before sending ast,
* it may have already been moved to granted queue, reset to
@@ -341,12 +339,14 @@ enum dlm_status dlmconvert_remote(struct
if (status != DLM_NOTQUEUED)
dlm_error(status);
dlm_revert_pending_convert(res, lock);
- } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
- (old_owner != res->owner)) {
- mlog(0, "res %.*s is in recovering or has been recovered.\n",
- res->lockname.len, res->lockname.name);
+ } else if (!lock->convert_pending) {
+ mlog(0, "%s: res %.*s, owner died and lock has been moved back "
+ "to granted list, retry convert.\n",
+ dlm->name, res->lockname.len, res->lockname.name);
status = DLM_RECOVERING;
}
+
+ lock->convert_pending = 0;
bail:
spin_unlock(&res->spinlock);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 058/152] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (25 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 130/152] avr32: fix 'undefined reference to `___copy_from_user' Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 126/152] avr32: fix copy_from_user() Ben Hutchings
` (126 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Robert Deliën, Johan Hovold
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Robert Deliën <robert@delien.nl>
commit 6977495c06f7f47636a076ee5a0ca571279d9697 upstream.
Ivium Technologies uses the FTDI VID with custom PIDs for their line of
electrochemical interfaces and the PalmSens they developed for PalmSens
BV.
Signed-off-by: Robert Delien <robert@delien.nl>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 8 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -672,6 +672,8 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(FTDI_VID, FTDI_ELV_TFD128_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_ELV_FM3RX_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_ELV_WS777_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_PALMSENS_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_IVIUM_XSTAT_PID) },
{ USB_DEVICE(FTDI_VID, LINX_SDMUSBQSS_PID) },
{ USB_DEVICE(FTDI_VID, LINX_MASTERDEVEL2_PID) },
{ USB_DEVICE(FTDI_VID, LINX_FUTURE_0_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -406,6 +406,12 @@
#define FTDI_4N_GALAXY_DE_3_PID 0xF3C2
/*
+ * Ivium Technologies product IDs
+ */
+#define FTDI_PALMSENS_PID 0xf440
+#define FTDI_IVIUM_XSTAT_PID 0xf441
+
+/*
* Linx Technologies product ids
*/
#define LINX_SDMUSBQSS_PID 0xF448 /* Linx SDM-USB-QS-S */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 079/152] drm: Reject page_flip for !DRIVER_MODESET
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (145 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 047/152] ubi: Fix race condition between ubi device creation and udev Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 084/152] x86/apic: Do not init irq remapping if ioapic is disabled Ben Hutchings
` (6 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Chris Wilson, Alexander Potapenko, Daniel Vetter,
Dave Airlie, Daniel Vetter
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Vetter <daniel.vetter@ffwll.ch>
commit 6f00975c619064a18c23fd3aced325ae165a73b9 upstream.
Somehow this one slipped through, which means drivers without modeset
support can be oopsed (since those also don't call
drm_mode_config_init, which means the crtc lookup will chase an
uninitalized idr).
Reported-by: Alexander Potapenko <glider@google.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_crtc.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -2675,6 +2675,9 @@ int drm_mode_page_flip_ioctl(struct drm_
unsigned long flags;
int ret = -EINVAL;
+ if (!drm_core_check_feature(dev, DRIVER_MODESET))
+ return -EINVAL;
+
if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
page_flip->reserved != 0)
return -EINVAL;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 080/152] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (7 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 076/152] parisc: Fix order of EREFUSED define in errno.h Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 147/152] Btrfs: skip adding an acl attribute if we don't have to Ben Hutchings
` (144 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Peter Chen, Felipe Balbi
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit f4693b08cc901912a87369c46537b94ed4084ea0 upstream.
We can't assign -EINVAL to a u16.
Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver')
Acked-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/fsl_qe_udc.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/usb/gadget/fsl_qe_udc.c
+++ b/drivers/usb/gadget/fsl_qe_udc.c
@@ -1883,11 +1883,8 @@ static int qe_get_frame(struct usb_gadge
tmp = in_be16(&udc_controller->usb_param->frame_n);
if (tmp & 0x8000)
- tmp = tmp & 0x07ff;
- else
- tmp = -EINVAL;
-
- return (int)tmp;
+ return tmp & 0x07ff;
+ return -EINVAL;
}
/* Tries to wake up the host connected to this gadget
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 069/152] USB: serial: mos7840: fix non-atomic allocation in write path
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (4 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 082/152] USB: avoid left shift by -1 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 045/152] drm/radeon: fix firmware info version checks Ben Hutchings
` (147 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alexey Khoroshilov, Johan Hovold
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Khoroshilov <khoroshilov@ispras.ru>
commit 3b7c7e52efda0d4640060de747768360ba70a7c0 upstream.
There is an allocation with GFP_KERNEL flag in mos7840_write(),
while it may be called from interrupt context.
Follow-up for commit 191252837626 ("USB: kobil_sct: fix non-atomic
allocation in write path")
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/mos7840.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1524,8 +1524,8 @@ static int mos7840_write(struct tty_stru
}
if (urb->transfer_buffer == NULL) {
- urb->transfer_buffer =
- kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL);
+ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+ GFP_ATOMIC);
if (urb->transfer_buffer == NULL) {
dev_err(&port->dev, "%s no more kernel memory...\n",
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 072/152] xhci: don't dereference a xhci member after removing xhci
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (69 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 003/152] sched/cputime: Fix prev steal time accouting during CPU hotplug Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 104/152] ARM: sa1111: fix pcmcia suspend/resume Ben Hutchings
` (82 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit f1f6d9a8b540df22b87a5bf6bc104edaade81f47 upstream.
Remove the hcd after checking for the xhci last quirks, not before.
This caused a hang on a Alpine Ridge xhci based maching which remove
the whole xhci controller when unplugging the last usb device
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/host/xhci-pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -252,12 +252,13 @@ static void xhci_pci_remove(struct pci_d
usb_remove_hcd(xhci->shared_hcd);
usb_put_hcd(xhci->shared_hcd);
}
- usb_hcd_pci_remove(dev);
/* Workaround for spurious wakeups at shutdown with HSW */
if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
pci_set_power_state(dev, PCI_D3hot);
+ usb_hcd_pci_remove(dev);
+
kfree(xhci);
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 052/152] balloon: check the number of available pages in leak balloon
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (42 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 111/152] mn10300: failing __get_user() and get_user() should zero Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 041/152] l2tp: Correctly return -EBADF from pppol2tp_getname Ben Hutchings
` (109 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Konstantin Neumoin, Michael S. Tsirkin, Denis V. Lunev
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Neumoin <kneumoin@virtuozzo.com>
commit 37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711 upstream.
The balloon has a special mechanism that is subscribed to the oom
notification which leads to deflation for a fixed number of pages.
The number is always fixed even when the balloon is fully deflated.
But leak_balloon did not expect that the pages to deflate will be more
than taken, and raise a "BUG" in balloon_page_dequeue when page list
will be empty.
So, the simplest solution would be to check that the number of releases
pages is less or equal to the number taken pages.
Signed-off-by: Konstantin Neumoin <kneumoin@virtuozzo.com>
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/virtio/virtio_balloon.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -142,6 +142,8 @@ static void leak_balloon(struct virtio_b
/* We can only do one array worth at a time. */
num = min(num, ARRAY_SIZE(vb->pfns));
+ /* We can't release more pages than taken */
+ num = min(num, (size_t)vb->num_pages);
for (vb->num_pfns = 0; vb->num_pfns < num; vb->num_pfns++) {
page = list_first_entry(&vb->pages, struct page, lru);
list_del(&page->lru);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 027/152] mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (13 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 012/152] drm/radeon: Poll for both connect/disconnect on analog connectors Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 125/152] microblaze: fix __get_user() Ben Hutchings
` (138 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Brian Norris, Dan Carpenter
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 79ad07d45743721010e766e65dc004ad249bd429 upstream.
There is a cut and paste issue here. The bug is that we are allocating
more memory than necessary for msp_maps. We should be allocating enough
space for a map_info struct (144 bytes) but we instead allocate enough
for an mtd_info struct (1840 bytes). It's a small waste.
The other part of this is not harmful but when we allocated msp_flash
then we allocated enough space fro a map_info pointer instead of an
mtd_info pointer. But since pointers are the same size it works out
fine.
Anyway, I decided to clean up all three allocations a bit to make them
a bit more consistent and clear.
Fixes: 68aa0fa87f6d ('[MTD] PMC MSP71xx flash/rootfs mappings')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/maps/pmcmsp-flash.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/mtd/maps/pmcmsp-flash.c
+++ b/drivers/mtd/maps/pmcmsp-flash.c
@@ -75,15 +75,15 @@ static int __init init_msp_flash(void)
printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt);
- msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL);
+ msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL);
if (!msp_flash)
return -ENOMEM;
- msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL);
+ msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL);
if (!msp_parts)
goto free_msp_flash;
- msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL);
+ msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL);
if (!msp_maps)
goto free_msp_parts;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 134/152] ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (93 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 055/152] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 016/152] x86/quirks: Reintroduce scanning of secondary buses Ben Hutchings
` (58 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Saar Maoz, Junxiao Bi, Ashish Samant, Eric Ren, Joseph Qi,
Mark Fasheh, Linus Torvalds, Joel Becker, Srinivas Eeda
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ashish Samant <ashish.samant@oracle.com>
commit d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960 upstream.
If we punch a hole on a reflink such that following conditions are met:
1. start offset is on a cluster boundary
2. end offset is not on a cluster boundary
3. (end offset is somewhere in another extent) or
(hole range > MAX_CONTIG_BYTES(1MB)),
we dont COW the first cluster starting at the start offset. But in this
case, we were wrongly passing this cluster to
ocfs2_zero_range_for_truncate() to zero out. This will modify the
cluster in place and zero it in the source too.
Fix this by skipping this cluster in such a scenario.
To reproduce:
1. Create a random file of say 10 MB
xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile
2. Reflink it
reflink -f 10MBfile reflnktest
3. Punch a hole at starting at cluster boundary with range greater that
1MB. You can also use a range that will put the end offset in another
extent.
fallocate -p -o 0 -l 1048615 reflnktest
4. sync
5. Check the first cluster in the source file. (It will be zeroed out).
dd if=10MBfile iflag=direct bs=<cluster size> count=1 | hexdump -C
Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.com
Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
Reported-by: Saar Maoz <saar.maoz@oracle.com>
Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <joseph.qi@huawei.com>
Cc: Eric Ren <zren@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ocfs2/file.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1518,7 +1518,8 @@ static int ocfs2_zero_partial_clusters(s
u64 start, u64 len)
{
int ret = 0;
- u64 tmpend, end = start + len;
+ u64 tmpend = 0;
+ u64 end = start + len;
struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
unsigned int csize = osb->s_clustersize;
handle_t *handle;
@@ -1550,18 +1551,31 @@ static int ocfs2_zero_partial_clusters(s
}
/*
- * We want to get the byte offset of the end of the 1st cluster.
+ * If start is on a cluster boundary and end is somewhere in another
+ * cluster, we have not COWed the cluster starting at start, unless
+ * end is also within the same cluster. So, in this case, we skip this
+ * first call to ocfs2_zero_range_for_truncate() truncate and move on
+ * to the next one.
*/
- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
- if (tmpend > end)
- tmpend = end;
-
- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
- (unsigned long long)tmpend);
-
- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
- if (ret)
- mlog_errno(ret);
+ if ((start & (csize - 1)) != 0) {
+ /*
+ * We want to get the byte offset of the end of the 1st
+ * cluster.
+ */
+ tmpend = (u64)osb->s_clustersize +
+ (start & ~(osb->s_clustersize - 1));
+ if (tmpend > end)
+ tmpend = end;
+
+ trace_ocfs2_zero_partial_clusters_range1(
+ (unsigned long long)start,
+ (unsigned long long)tmpend);
+
+ ret = ocfs2_zero_range_for_truncate(inode, handle, start,
+ tmpend);
+ if (ret)
+ mlog_errno(ret);
+ }
if (tmpend < end) {
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 129/152] irda: Free skb on irda_accept error path.
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (74 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 109/152] hexagon: fix strncpy_from_user() error return Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 019/152] NFS: Don't drop CB requests with invalid principals Ben Hutchings
` (77 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, phil.turnbull
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "phil.turnbull@oracle.com" <phil.turnbull@oracle.com>
commit 8ab86c00e349cef9fb14719093a7f198bcc72629 upstream.
skb is not freed if newsk is NULL. Rework the error path so free_skb is
unconditionally called on function exit.
Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/irda/af_irda.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -846,7 +846,7 @@ static int irda_accept(struct socket *so
struct sock *sk = sock->sk;
struct irda_sock *new, *self = irda_sk(sk);
struct sock *newsk;
- struct sk_buff *skb;
+ struct sk_buff *skb = NULL;
int err;
IRDA_DEBUG(2, "%s()\n", __func__);
@@ -916,7 +916,6 @@ static int irda_accept(struct socket *so
err = -EPERM; /* value does not seem to make sense. -arnd */
if (!new->tsap) {
IRDA_DEBUG(0, "%s(), dup failed!\n", __func__);
- kfree_skb(skb);
goto out;
}
@@ -935,7 +934,6 @@ static int irda_accept(struct socket *so
/* Clean up the original one to keep it in listen state */
irttp_listen(self->tsap);
- kfree_skb(skb);
sk->sk_ack_backlog--;
newsock->state = SS_CONNECTED;
@@ -943,6 +941,7 @@ static int irda_accept(struct socket *so
irda_connect_response(new);
err = 0;
out:
+ kfree_skb(skb);
release_sock(sk);
return err;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 130/152] avr32: fix 'undefined reference to `___copy_from_user'
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (24 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 067/152] megaraid_sas: Fix probing cards without io port Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 058/152] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices Ben Hutchings
` (127 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Havard Skinnemoen, Guenter Roeck, Al Viro,
Hans-Christian Noren Egtvedt
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 upstream.
avr32 builds fail with:
arch/avr32/kernel/built-in.o: In function `arch_ptrace':
(.text+0x650): undefined reference to `___copy_from_user'
arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
reference to `___copy_from_user'
kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
(.text+0x5dd8): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
kernel/built-in.o: In function `ptrace_has_cap':
ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
`___copy_from_user' follow
Fixes: 8630c32275ba ("avr32: fix copy_from_user()")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Havard Skinnemoen <hskinnemoen@gmail.com>
Acked-by: Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/avr32/lib/copy_user.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -23,8 +23,8 @@
*/
.text
.align 1
- .global copy_from_user
- .type copy_from_user, @function
+ .global ___copy_from_user
+ .type ___copy_from_user, @function
___copy_from_user:
branch_if_kernel r8, __copy_user
ret_if_privileged r8, r11, r10, r10
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 065/152] x86/mm: Disable preemption during CR3 read+write
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (56 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 088/152] ALSA: timer: fix NULL pointer dereference on memory allocation failure Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 096/152] ALSA: timer: Code cleanup Ben Hutchings
` (95 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Zijlstra (Intel),
Mel Gorman, Thomas Gleixner, H. Peter Anvin, Andy Lutomirski,
Rik van Riel, Denys Vlasenko, Sebastian Andrzej Siewior,
Ingo Molnar, Josh Poimboeuf, Linus Torvalds, linux-mm,
Borislav Petkov, Brian Gerst, Peter Zijlstra, Borislav Petkov
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit 5cf0791da5c162ebc14b01eb01631cfa7ed4fa6e upstream.
There's a subtle preemption race on UP kernels:
Usually current->mm (and therefore mm->pgd) stays the same during the
lifetime of a task so it does not matter if a task gets preempted during
the read and write of the CR3.
But then, there is this scenario on x86-UP:
TaskA is in do_exit() and exit_mm() sets current->mm = NULL followed by:
-> mmput()
-> exit_mmap()
-> tlb_finish_mmu()
-> tlb_flush_mmu()
-> tlb_flush_mmu_tlbonly()
-> tlb_flush()
-> flush_tlb_mm_range()
-> __flush_tlb_up()
-> __flush_tlb()
-> __native_flush_tlb()
At this point current->mm is NULL but current->active_mm still points to
the "old" mm.
Let's preempt taskA _after_ native_read_cr3() by taskB. TaskB has its
own mm so CR3 has changed.
Now preempt back to taskA. TaskA has no ->mm set so it borrows taskB's
mm and so CR3 remains unchanged. Once taskA gets active it continues
where it was interrupted and that means it writes its old CR3 value
back. Everything is fine because userland won't need its memory
anymore.
Now the fun part:
Let's preempt taskA one more time and get back to taskB. This
time switch_mm() won't do a thing because oldmm (->active_mm)
is the same as mm (as per context_switch()). So we remain
with a bad CR3 / PGD and return to userland.
The next thing that happens is handle_mm_fault() with an address for
the execution of its code in userland. handle_mm_fault() realizes that
it has a PTE with proper rights so it returns doing nothing. But the
CPU looks at the wrong PGD and insists that something is wrong and
faults again. And again. And one more time…
This pagefault circle continues until the scheduler gets tired of it and
puts another task on the CPU. It gets little difficult if the task is a
RT task with a high priority. The system will either freeze or it gets
fixed by the software watchdog thread which usually runs at RT-max prio.
But waiting for the watchdog will increase the latency of the RT task
which is no good.
Fix this by disabling preemption across the critical code section.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/1470404259-26290-1-git-send-email-bigeasy@linutronix.de
[ Prettified the changelog. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/tlbflush.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -17,7 +17,14 @@
static inline void __native_flush_tlb(void)
{
+ /*
+ * If current->mm == NULL then we borrow a mm which may change during a
+ * task switch and therefore we must not be preempted while we write CR3
+ * back:
+ */
+ preempt_disable();
native_write_cr3(native_read_cr3());
+ preempt_enable();
}
static inline void __native_flush_tlb_global(void)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 081/152] USB: fix typo in wMaxPacketSize validation
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (120 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 108/152] frv: fix clear_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 021/152] Bluetooth: Add support of 13d3:3490 AR3012 device Ben Hutchings
` (31 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alan Stern, Greg Kroah-Hartman
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 6c73358c83ce870c0cf32413e5cadb3b9a39c606 upstream.
The maximum value allowed for wMaxPacketSize of a high-speed interrupt
endpoint is 1024 bytes, not 1023.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -160,7 +160,7 @@ static const unsigned short high_speed_m
[USB_ENDPOINT_XFER_CONTROL] = 64,
[USB_ENDPOINT_XFER_ISOC] = 1024,
[USB_ENDPOINT_XFER_BULK] = 512,
- [USB_ENDPOINT_XFER_INT] = 1023,
+ [USB_ENDPOINT_XFER_INT] = 1024,
};
static const unsigned short super_speed_maxpacket_maxes[4] = {
[USB_ENDPOINT_XFER_CONTROL] = 512,
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 086/152] fs/seq_file: fix out-of-bounds read
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (59 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 119/152] sh64: failing __get_user() should zero Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 004/152] crypto: gcm - Filter out async ghash if necessary Ben Hutchings
` (92 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Al Viro, Dave Jones, Vegard Nossum, Linus Torvalds
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream.
seq_read() is a nasty piece of work, not to mention buggy.
It has (I think) an old bug which allows unprivileged userspace to read
beyond the end of m->buf.
I was getting these:
BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
Read of size 2713 by task trinity-c2/1329
CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
kasan_object_err+0x1c/0x80
kasan_report_error+0x2cb/0x7e0
kasan_report+0x4e/0x80
check_memory_region+0x13e/0x1a0
kasan_check_read+0x11/0x20
seq_read+0xcd2/0x1480
proc_reg_read+0x10b/0x260
do_loop_readv_writev.part.5+0x140/0x2c0
do_readv_writev+0x589/0x860
vfs_readv+0x7b/0xd0
do_readv+0xd8/0x2c0
SyS_readv+0xb/0x10
do_syscall_64+0x1b3/0x4b0
entry_SYSCALL64_slow_path+0x25/0x25
Object at ffff880116889100, in cache kmalloc-4096 size: 4096
Allocated:
PID = 1329
save_stack_trace+0x26/0x80
save_stack+0x46/0xd0
kasan_kmalloc+0xad/0xe0
__kmalloc+0x1aa/0x4a0
seq_buf_alloc+0x35/0x40
seq_read+0x7d8/0x1480
proc_reg_read+0x10b/0x260
do_loop_readv_writev.part.5+0x140/0x2c0
do_readv_writev+0x589/0x860
vfs_readv+0x7b/0xd0
do_readv+0xd8/0x2c0
SyS_readv+0xb/0x10
do_syscall_64+0x1b3/0x4b0
return_from_SYSCALL_64+0x0/0x6a
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
This seems to be the same thing that Dave Jones was seeing here:
https://lkml.org/lkml/2016/8/12/334
There are multiple issues here:
1) If we enter the function with a non-empty buffer, there is an attempt
to flush it. But it was not clearing m->from after doing so, which
means that if we try to do this flush twice in a row without any call
to traverse() in between, we are going to be reading from the wrong
place -- the splat above, fixed by this patch.
2) If there's a short write to userspace because of page faults, the
buffer may already contain multiple lines (i.e. pos has advanced by
more than 1), but we don't save the progress that was made so the
next call will output what we've already returned previously. Since
that is a much less serious issue (and I have a headache after
staring at seq_read() for the past 8 hours), I'll leave that for now.
Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/seq_file.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -184,8 +184,10 @@ ssize_t seq_read(struct file *file, char
size -= n;
buf += n;
copied += n;
- if (!m->count)
+ if (!m->count) {
+ m->from = 0;
m->index++;
+ }
if (!size)
goto Done;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 054/152] mm/hugetlb: avoid soft lockup in set_max_huge_pages()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (142 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 087/152] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 026/152] ext4: short-cut orphan cleanup on error Ben Hutchings
` (9 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Kirill A. Shutemov, Michal Hocko, Paul Gortmaker,
Naoya Horiguchi, Mike Kravetz, Linus Torvalds, Jia He,
Dave Hansen
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jia He <hejianet@gmail.com>
commit 649920c6ab93429b94bc7c1aa7c0e8395351be32 upstream.
In powerpc servers with large memory(32TB), we watched several soft
lockups for hugepage under stress tests.
The call traces are as follows:
1.
get_page_from_freelist+0x2d8/0xd50
__alloc_pages_nodemask+0x180/0xc20
alloc_fresh_huge_page+0xb0/0x190
set_max_huge_pages+0x164/0x3b0
2.
prep_new_huge_page+0x5c/0x100
alloc_fresh_huge_page+0xc8/0x190
set_max_huge_pages+0x164/0x3b0
This patch fixes such soft lockups. It is safe to call cond_resched()
there because it is out of spin_lock/unlock section.
Link: http://lkml.kernel.org/r/1469674442-14848-1-git-send-email-hejianet@gmail.com
Signed-off-by: Jia He <hejianet@gmail.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/hugetlb.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1417,6 +1417,10 @@ static unsigned long set_max_huge_pages(
* and reducing the surplus.
*/
spin_unlock(&hugetlb_lock);
+
+ /* yield cpu to avoid soft lockup */
+ cond_resched();
+
ret = alloc_fresh_huge_page(h, nodes_allowed);
spin_lock(&hugetlb_lock);
if (!ret)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 064/152] s390/dasd: fix hanging device after clear subchannel
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (65 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 073/152] tcp: fix use after free in tcp_xmit_retransmit_queue() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 036/152] MIPS: RM7000: Double locking bug in rm7k_tc_disable() Ben Hutchings
` (86 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Martin Schwidefsky, Sebastian Ott, Stefan Haberland
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.vnet.ibm.com>
commit 9ba333dc55cbb9523553df973adb3024d223e905 upstream.
When a device is in a status where CIO has killed all I/O by itself the
interrupt for a clear request may not contain an irb to determine the
clear function. Instead it contains an error pointer -EIO.
This was ignored by the DASD int_handler leading to a hanging device
waiting for a clear interrupt.
Handle -EIO error pointer correctly for requests that are clear pending and
treat the clear as successful.
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Reviewed-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/block/dasd.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -1593,9 +1593,18 @@ void dasd_int_handler(struct ccw_device
unsigned long long now;
int expires;
+ cqr = (struct dasd_ccw_req *) intparm;
if (IS_ERR(irb)) {
switch (PTR_ERR(irb)) {
case -EIO:
+ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) {
+ device = (struct dasd_device *) cqr->startdev;
+ cqr->status = DASD_CQR_CLEARED;
+ dasd_device_clear_timer(device);
+ wake_up(&dasd_flush_wq);
+ dasd_schedule_device_bh(device);
+ return;
+ }
break;
case -ETIMEDOUT:
DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: "
@@ -1611,7 +1620,6 @@ void dasd_int_handler(struct ccw_device
}
now = get_clock();
- cqr = (struct dasd_ccw_req *) intparm;
/* check for conditions that should be handled immediately */
if (!cqr ||
!(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) &&
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 103/152] NFSv4.1: Fix the CREATE_SESSION slot number accounting
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (115 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 071/152] usb: xhci: Fix panic if disconnect Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 139/152] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Ben Hutchings
` (36 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Trond Myklebust
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@primarydata.com>
commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream.
Ensure that we conform to the algorithm described in RFC5661, section
18.36.4 for when to bump the sequence id. In essence we do it for all
cases except when the RPC call timed out, or in case of the server returning
NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[bwh: Backported to 3.2:
- Add the 'out' label
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5360,14 +5360,21 @@ static int _nfs4_proc_create_session(str
status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
+ switch (status) {
+ case -NFS4ERR_STALE_CLIENTID:
+ case -NFS4ERR_DELAY:
+ case -ETIMEDOUT:
+ case -EACCES:
+ case -EAGAIN:
+ goto out;
+ };
+
+ clp->cl_seqid++;
if (!status)
/* Verify the session's negotiated channel_attrs values */
status = nfs4_verify_channel_attrs(&args, session);
- if (!status) {
- /* Increment the clientid slot sequence id */
- clp->cl_seqid++;
- }
+out:
return status;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 138/152] tracing: Move mutex to protect against resetting of seq data
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (71 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 104/152] ARM: sa1111: fix pcmcia suspend/resume Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 120/152] sh: fix copy_from_user() Ben Hutchings
` (80 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Steven Rostedt (Red Hat)
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
commit 1245800c0f96eb6ebb368593e251d66c01e61022 upstream.
The iter->seq can be reset outside the protection of the mutex. So can
reading of user data. Move the mutex up to the beginning of the function.
Fixes: d7350c3f45694 ("tracing/core: make the read callbacks reentrants")
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/trace/trace.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3331,13 +3331,6 @@ tracing_read_pipe(struct file *filp, cha
static struct tracer *old_tracer;
ssize_t sret;
- /* return any leftover data */
- sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
- if (sret != -EBUSY)
- return sret;
-
- trace_seq_init(&iter->seq);
-
/* copy the tracer to avoid using a global lock all around */
mutex_lock(&trace_types_lock);
if (unlikely(old_tracer != current_trace && current_trace)) {
@@ -3352,6 +3345,14 @@ tracing_read_pipe(struct file *filp, cha
* is protected.
*/
mutex_lock(&iter->mutex);
+
+ /* return any leftover data */
+ sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+ if (sret != -EBUSY)
+ goto out;
+
+ trace_seq_init(&iter->seq);
+
if (iter->trace->read) {
sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
if (sret)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 050/152] ext4: validate that metadata blocks do not overlap superblock
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (88 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 007/152] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 033/152] mtd: nand: fix bug writing 1 byte less than page size Ben Hutchings
` (63 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream.
A number of fuzzing failures seem to be caused by allocation bitmaps
or other metadata blocks being pointed at the superblock.
This can cause kernel BUG or WARNings once the superblock is
overwritten, so validate the group descriptor blocks to make sure this
doesn't happen.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/super.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2097,6 +2097,7 @@ int ext4_group_desc_csum_verify(struct e
/* Called at mount-time, super-block is locked */
static int ext4_check_descriptors(struct super_block *sb,
+ ext4_fsblk_t sb_block,
ext4_group_t *first_not_zeroed)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
@@ -2127,6 +2128,11 @@ static int ext4_check_descriptors(struct
grp = i;
block_bitmap = ext4_block_bitmap(sb, gdp);
+ if (block_bitmap == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Block bitmap for group %u overlaps "
+ "superblock", i);
+ }
if (block_bitmap < first_block || block_bitmap > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
"Block bitmap for group %u not in group "
@@ -2134,6 +2140,11 @@ static int ext4_check_descriptors(struct
return 0;
}
inode_bitmap = ext4_inode_bitmap(sb, gdp);
+ if (inode_bitmap == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode bitmap for group %u overlaps "
+ "superblock", i);
+ }
if (inode_bitmap < first_block || inode_bitmap > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
"Inode bitmap for group %u not in group "
@@ -2141,6 +2152,11 @@ static int ext4_check_descriptors(struct
return 0;
}
inode_table = ext4_inode_table(sb, gdp);
+ if (inode_table == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode table for group %u overlaps "
+ "superblock", i);
+ }
if (inode_table < first_block ||
inode_table + sbi->s_itb_per_group - 1 > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
@@ -3674,7 +3690,7 @@ static int ext4_fill_super(struct super_
goto failed_mount2;
}
}
- if (!ext4_check_descriptors(sb, &first_not_zeroed)) {
+ if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
goto failed_mount2;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 057/152] USB: serial: option: add D-Link DWM-156/A3
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (62 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 077/152] USB: serial: option: add WeTelecom WM-D200 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 049/152] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
` (89 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Lubomir Rintel
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lubomir Rintel <lkundrak@v3.sk>
commit cf1b18030de29e4e5b0a57695ae5db4a89da0ff7 upstream.
The device has four interfaces; the three serial ports ought to be
handled by this driver:
00 Diagnostic interface serial port
01 NMEA device serial port
02 Mass storage (sd card)
03 Modem serial port
The other product ids listed in the Windows driver are present already.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1945,6 +1945,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
{ } /* Terminating entry */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 125/152] microblaze: fix __get_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (14 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 027/152] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 122/152] blackfin: fix copy_from_user() Ben Hutchings
` (137 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/microblaze/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -218,7 +218,7 @@ extern long __user_bad(void);
#define __get_user(x, ptr) \
({ \
- unsigned long __gu_val; \
+ unsigned long __gu_val = 0; \
/*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
long __gu_err; \
switch (sizeof(*(ptr))) { \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 070/152] cdc-acm: fix wrong pipe type on rx interrupt xfers
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (83 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 013/152] ALSA: ctl: Stop notification after disconnection Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 143/152] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Ben Hutchings
` (68 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Gavin Li, Oliver Neukum, Greg Kroah-Hartman
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gavin Li <git@thegavinli.com>
commit add125054b8727103631dce116361668436ef6a7 upstream.
This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb().
Signed-off-by: Gavin Li <git@thegavinli.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/class/cdc-acm.c | 5 ++---
drivers/usb/class/cdc-acm.h | 1 -
2 files changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1156,7 +1156,6 @@ made_compressed_probe:
spin_lock_init(&acm->write_lock);
spin_lock_init(&acm->read_lock);
mutex_init(&acm->mutex);
- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
acm->is_int_ep = usb_endpoint_xfer_int(epread);
if (acm->is_int_ep)
acm->bInterval = epread->bInterval;
@@ -1205,14 +1204,14 @@ made_compressed_probe:
urb->transfer_dma = rb->dma;
if (acm->is_int_ep) {
usb_fill_int_urb(urb, acm->dev,
- acm->rx_endpoint,
+ usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
rb->base,
acm->readsize,
acm_read_bulk_callback, rb,
acm->bInterval);
} else {
usb_fill_bulk_urb(urb, acm->dev,
- acm->rx_endpoint,
+ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
rb->base,
acm->readsize,
acm_read_bulk_callback, rb);
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -95,7 +95,6 @@ struct acm {
struct urb *read_urbs[ACM_NR];
struct acm_rb read_buffers[ACM_NR];
int rx_buflimit;
- int rx_endpoint;
spinlock_t read_lock;
int write_used; /* number of non-empty write buffers */
int transmitting;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 066/152] arm: oabi compat: add missing access checks
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 011/152] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 131/152] openrisc: fix the fix of copy_from_user() Ben Hutchings
` (151 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dave Weinstein, Nicolas Pitre, Kees Cook, Chiachih Wu,
Linus Torvalds
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dave Weinstein <olorin@google.com>
commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
This fixes CVE-2016-3857, a local privilege escalation under
CONFIG_OABI_COMPAT.
Reported-by: Chiachih Wu <wuchiachih@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Dave Weinstein <olorin@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int
mm_segment_t fs;
long ret, err, i;
- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+ if (maxevents <= 0 ||
+ maxevents > (INT_MAX/sizeof(*kbuf)) ||
+ maxevents > (INT_MAX/sizeof(*events)))
return -EINVAL;
+ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+ return -EFAULT;
kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
if (!kbuf)
return -ENOMEM;
@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int
if (nsops < 1 || nsops > SEMOPM)
return -EINVAL;
+ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+ return -EFAULT;
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
if (!sops)
return -ENOMEM;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 084/152] x86/apic: Do not init irq remapping if ioapic is disabled
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (146 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 079/152] drm: Reject page_flip for !DRIVER_MODESET Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 118/152] score: fix copy_from_user() and friends Ben Hutchings
` (5 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Thomas Gleixner, Peter Zijlstra, Wanpeng Li, Joerg Roedel
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit 2e63ad4bd5dd583871e6602f9d398b9322d358d9 upstream.
native_smp_prepare_cpus
-> default_setup_apic_routing
-> enable_IR_x2apic
-> irq_remapping_prepare
-> intel_prepare_irq_remapping
-> intel_setup_irq_remapping
So IR table is setup even if "noapic" boot parameter is added. As a result we
crash later when the interrupt affinity is set due to a half initialized
remapping infrastructure.
Prevent remap initialization when IOAPIC is disabled.
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Joerg Roedel <joro@8bytes.org>
Link: http://lkml.kernel.org/r/1471954039-3942-1-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/apic/apic.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1481,6 +1481,9 @@ void __init enable_IR_x2apic(void)
int ret, x2apic_enabled = 0;
int dmar_table_init_ret;
+ if (skip_ioapic_setup)
+ return;
+
dmar_table_init_ret = dmar_table_init();
if (dmar_table_init_ret && !x2apic_supported())
return;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 118/152] score: fix copy_from_user() and friends
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (147 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 084/152] x86/apic: Do not init irq remapping if ioapic is disabled Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 025/152] ext4: fix reference counting bug on block allocation error Ben Hutchings
` (4 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/score/include/asm/uaccess.h | 41 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 21 deletions(-)
--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -296,35 +296,34 @@ extern int __copy_tofrom_user(void *to,
static inline unsigned long
copy_from_user(void *to, const void *from, unsigned long len)
{
- unsigned long over;
+ unsigned long res = len;
- if (access_ok(VERIFY_READ, from, len))
- return __copy_tofrom_user(to, from, len);
+ if (likely(access_ok(VERIFY_READ, from, len)))
+ res = __copy_tofrom_user(to, from, len);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + len - TASK_SIZE;
- return __copy_tofrom_user(to, from, len - over) + over;
- }
- return len;
+ if (unlikely(res))
+ memset(to + (len - res), 0, res);
+
+ return res;
}
static inline unsigned long
copy_to_user(void *to, const void *from, unsigned long len)
{
- unsigned long over;
-
- if (access_ok(VERIFY_WRITE, to, len))
- return __copy_tofrom_user(to, from, len);
+ if (likely(access_ok(VERIFY_WRITE, to, len)))
+ len = __copy_tofrom_user(to, from, len);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + len - TASK_SIZE;
- return __copy_tofrom_user(to, from, len - over) + over;
- }
return len;
}
-#define __copy_from_user(to, from, len) \
- __copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+ unsigned long left = __copy_tofrom_user(to, from, len);
+ if (unlikely(left))
+ memset(to + (len - left), 0, left);
+ return left;
+}
#define __copy_to_user(to, from, len) \
__copy_tofrom_user((to), (from), (len))
@@ -338,17 +337,17 @@ __copy_to_user_inatomic(void *to, const
static inline unsigned long
__copy_from_user_inatomic(void *to, const void *from, unsigned long len)
{
- return __copy_from_user(to, from, len);
+ return __copy_tofrom_user(to, from, len);
}
-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
static inline unsigned long
copy_in_user(void *to, const void *from, unsigned long len)
{
if (access_ok(VERIFY_READ, from, len) &&
access_ok(VERFITY_WRITE, to, len))
- return copy_from_user(to, from, len);
+ return __copy_tofrom_user(to, from, len);
}
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 124/152] microblaze: fix copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (96 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 018/152] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 112/152] mn10300: copy_from_user() should zero on access_ok() failure Ben Hutchings
` (55 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/microblaze/include/asm/uaccess.h | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -364,10 +364,13 @@ extern long __user_bad(void);
static inline long copy_from_user(void *to,
const void __user *from, unsigned long n)
{
+ unsigned long res = n;
might_sleep();
- if (access_ok(VERIFY_READ, from, n))
- return __copy_from_user(to, from, n);
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
#define __copy_to_user(to, from, n) \
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 051/152] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (27 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 126/152] avr32: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 152/152] ext3: NULL dereference in ext3_evict_inode() Ben Hutchings
` (124 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Zijlstra, David Howells, Thomas Gleixner,
Stephan Mueller, Andy Lutomirski, H. Peter Anvin, Denys Vlasenko,
Ingo Molnar, linux-security-module, Josh Poimboeuf,
Linus Torvalds, keyrings, Borislav Petkov, Brian Gerst
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit f7d665627e103e82d34306c7d3f6f46f387c0d8b upstream.
x86_64 needs to use compat_sys_keyctl for 32-bit userspace rather than
calling sys_keyctl(). The latter will work in a lot of cases, thereby
hiding the issue.
Reported-by: Stephan Mueller <smueller@chronox.de>
Tested-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Link: http://lkml.kernel.org/r/146961615805.14395.5581949237156769439.stgit@warthog.procyon.org.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.2: compat system call table is in ia32entry.S]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -791,7 +791,7 @@ ia32_sys_call_table:
.quad quiet_ni_syscall /* 285: sys_altroot */
.quad sys_add_key
.quad sys_request_key
- .quad sys_keyctl
+ .quad compat_sys_keyctl
.quad sys_ioprio_set
.quad sys_ioprio_get /* 290 */
.quad sys_inotify_init
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 010/152] ext4: don't call ext4_should_journal_data() on the journal inode
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (20 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 148/152] posix_acl: Clear SGID bit when setting file permissions Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 089/152] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Ben Hutchings
` (131 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Vegard Nossum, Jan Kara
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c upstream.
If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
to call ext4_should_journal_data() before superblock options and flags
are fully set up. In that case, the iput() on the journal inode can
end up causing a BUG().
Work around this problem by reordering the tests so we only call
ext4_should_journal_data() after we know it's not the journal inode.
Fixes: 2d859db3e4 ("ext4: fix data corruption in inodes with journalled data")
Fixes: 2b405bfa84 ("ext4: fix data=journal fast mount/umount hang")
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -142,9 +142,9 @@ void ext4_evict_inode(struct inode *inod
* Note that directories do not have this problem because they
* don't use page cache.
*/
- if (ext4_should_journal_data(inode) &&
- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
- inode->i_ino != EXT4_JOURNAL_INO) {
+ if (inode->i_ino != EXT4_JOURNAL_INO &&
+ ext4_should_journal_data(inode) &&
+ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 020/152] Bluetooth: Add USB ID 13D3:3487 to ath3k
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (16 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 122/152] blackfin: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 059/152] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board Ben Hutchings
` (135 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marcel Holtmann, Lauro Costa
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lauro Costa <lauro@polilinux.com.br>
commit 72f9f8b58bc743e6b6abdc68f60db98486c3ffcf upstream.
Add hw id to ath3k usb device list and btusb blacklist
T: Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3487 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
Requires these firmwares:
ar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu
Firmwares are available in linux-firmware.
Device found in a laptop ASUS model N552VW. It's an Atheros AR9462 chip.
Signed-off-by: Lauro Costa <lauro@polilinux.com.br>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -118,6 +118,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x13d3, 0x3432) },
{ USB_DEVICE(0x13d3, 0x3472) },
{ USB_DEVICE(0x13d3, 0x3474) },
+ { USB_DEVICE(0x13d3, 0x3487) },
/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE02C) },
@@ -182,6 +183,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
/* Atheros AR5BBU22 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -203,6 +203,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 009/152] ext4: check for extents that wrap around
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (102 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 092/152] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 15:29 ` Vegard Nossum
2016-11-14 0:14 ` [PATCH 3.2 094/152] sched/core: Fix a race between try_to_wake_up() and a woken up task Ben Hutchings
` (49 subsequent siblings)
153 siblings, 1 reply; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Phil Turnbull, Eryu Guan, Vegard Nossum, Theodore Ts'o
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.
An extent with lblock = 4294967295 and len = 1 will pass the
ext4_valid_extent() test:
ext4_lblk_t last = lblock + len - 1;
if (len == 0 || lblock > last)
return 0;
since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
We can simplify it by removing the - 1 altogether and changing the test
to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
lblock and it fails, and if len > 0 then lblock + len > lblock in order
to pass (i.e. it doesn't overflow).
Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
Cc: Eryu Guan <guaneryu@gmail.com>
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/extents.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -319,9 +319,13 @@ static int ext4_valid_extent(struct inod
ext4_fsblk_t block = ext4_ext_pblock(ext);
int len = ext4_ext_get_actual_len(ext);
ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
- ext4_lblk_t last = lblock + len - 1;
- if (len == 0 || lblock > last)
+ /*
+ * We allow neither:
+ * - zero length
+ * - overflow/wrap-around
+ */
+ if (lblock + len <= lblock)
return 0;
return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 131/152] openrisc: fix the fix of copy_from_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 011/152] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 066/152] arm: oabi compat: add missing access checks Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 037/152] nfs: don't create zero-length requests Ben Hutchings
` (150 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Guenter Roeck
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit 8e4b72054f554967827e18be1de0e8122e6efc04 upstream.
Since commit acb2505d0119 ("openrisc: fix copy_from_user()"),
copy_from_user() returns the number of bytes requested, not the
number of bytes not copied.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: acb2505d0119 ("openrisc: fix copy_from_user()")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/openrisc/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -277,7 +277,7 @@ copy_from_user(void *to, const void *fro
unsigned long res = n;
if (likely(access_ok(VERIFY_READ, from, n)))
- n = __copy_tofrom_user(to, from, n);
+ res = __copy_tofrom_user(to, from, n);
if (unlikely(res))
memset(to + (n - res), 0, res);
return res;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 101/152] asm-generic: make copy_from_user() zero the destination properly
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (118 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 116/152] s390: get_user() should zero on failure Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 108/152] frv: fix clear_user() Ben Hutchings
` (33 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.
... in all cases, including the failing access_ok()
Note that some architectures using asm-generic/uaccess.h have
__copy_from_user() not zeroing the tail on failure halfway
through. This variant works either way.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/asm-generic/uaccess.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -243,11 +243,13 @@ extern int __get_user_bad(void) __attrib
static inline long copy_from_user(void *to,
const void __user * from, unsigned long n)
{
+ unsigned long res = n;
might_sleep();
- if (access_ok(VERIFY_READ, from, n))
- return __copy_from_user(to, from, n);
- else
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
static inline long copy_to_user(void __user *to,
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 112/152] mn10300: copy_from_user() should zero on access_ok() failure...
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (97 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 124/152] microblaze: fix copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 043/152] ceph: Correctly return NXIO errors from ceph_llseek Ben Hutchings
` (54 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: include <linux/string.h> to get declaration of memset()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mn10300/lib/usercopy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,8 @@
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
-#include <asm/uaccess.h>
+#include <linux/string.h>
+#include <linux/uaccess.h>
unsigned long
__generic_copy_to_user(void *to, const void *from, unsigned long n)
@@ -24,6 +25,8 @@ __generic_copy_from_user(void *to, const
{
if (access_ok(VERIFY_READ, from, n))
__copy_user_zeroing(to, from, n);
+ else
+ memset(to, 0, n);
return n;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 097/152] ALSA: timer: Fix zero-division by continue of uninitialized instance
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (130 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 068/152] USB: serial: mos7720: fix non-atomic allocation in write path Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 121/152] sparc32: fix copy_from_user() Ben Hutchings
` (21 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dmitry Vyukov
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b upstream.
When a user timer instance is continued without the explicit start
beforehand, the system gets eventually zero-division error like:
divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003c9b2280 task.stack: ffff880027280000
RIP: 0010:[<ffffffff858e1a6c>] [< inline >] ktime_divns include/linux/ktime.h:195
RIP: 0010:[<ffffffff858e1a6c>] [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
Call Trace:
<IRQ>
[< inline >] __run_hrtimer kernel/time/hrtimer.c:1238
[<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
[<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
[<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
[<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
[<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
<EOI>
.....
Although a similar issue was spotted and a fix patch was merged in
commit [6b760bb2c63a: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
iceberg.
In this patch, we fix the issue a bit more drastically. Basically the
continue of an uninitialized timer is supposed to be a fresh start, so
we do it for user timers. For the direct snd_timer_continue() call,
there is no way to pass the initial tick value, so we kick out for the
uninitialized case.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2:
- Adjust context
- In _snd_timer_stop(), check the value of 'event' instead of 'stop']
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -34,6 +34,9 @@
#include <sound/initval.h>
#include <linux/kmod.h>
+/* internal flags */
+#define SNDRV_TIMER_IFLG_PAUSED 0x00010000
+
#if defined(CONFIG_SND_HRTIMER) || defined(CONFIG_SND_HRTIMER_MODULE)
#define DEFAULT_TIMER_LIMIT 4
#elif defined(CONFIG_SND_RTCTIMER) || defined(CONFIG_SND_RTCTIMER_MODULE)
@@ -552,6 +555,10 @@ static int _snd_timer_stop(struct snd_ti
}
}
timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+ if (event == SNDRV_TIMER_EVENT_STOP)
+ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
+ else
+ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
spin_unlock_irqrestore(&timer->lock, flags);
__end:
if (event != SNDRV_TIMER_EVENT_RESOLUTION)
@@ -594,6 +601,10 @@ int snd_timer_continue(struct snd_timer_
if (timeri == NULL)
return result;
+ /* timer can continue only after pause */
+ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+ return -EINVAL;
+
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
return snd_timer_start_slave(timeri);
timer = timeri->timer;
@@ -1798,6 +1809,9 @@ static int snd_timer_user_continue(struc
tu = file->private_data;
if (!tu->timeri)
return -EBADFD;
+ /* start timer instead of continue if it's not used before */
+ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+ return snd_timer_user_start(file);
tu->timeri->lost = 0;
return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 088/152] ALSA: timer: fix NULL pointer dereference on memory allocation failure
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (55 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 085/152] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 065/152] x86/mm: Disable preemption during CR3 read+write Ben Hutchings
` (96 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, Takashi Iwai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream.
I hit this with syzkaller:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
task: ffff88011278d600 task.stack: ffff8801120c0000
RIP: 0010:[<ffffffff82c8ba07>] [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
RSP: 0018:ffff8801120c7a60 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
FS: 00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
Stack:
ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
Call Trace:
[<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
[<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
[<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
[<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
[<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
[<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
[<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
[<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
[<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
[<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
[<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
[<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
[<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
[<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
RIP [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
RSP <ffff8801120c7a60>
---[ end trace 5955b08db7f2b029 ]---
This can happen if snd_hrtimer_open() fails to allocate memory and
returns an error, which is currently not checked by snd_timer_open():
ioctl(SNDRV_TIMER_IOCTL_SELECT)
- snd_timer_user_tselect()
- snd_timer_close()
- snd_hrtimer_close()
- (struct snd_timer *) t->private_data = NULL
- snd_timer_open()
- snd_hrtimer_open()
- kzalloc() fails; t->private_data is still NULL
ioctl(SNDRV_TIMER_IOCTL_START)
- snd_timer_user_start()
- snd_timer_start()
- snd_timer_start1()
- snd_hrtimer_start()
- t->private_data == NULL // boom
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.2: don't put_device() since snd_timer_instance_new()
doesn't take a device reference]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -290,8 +290,19 @@ int snd_timer_open(struct snd_timer_inst
}
timeri->slave_class = tid->dev_sclass;
timeri->slave_id = slave_id;
- if (list_empty(&timer->open_list_head) && timer->hw.open)
- timer->hw.open(timer);
+
+ if (list_empty(&timer->open_list_head) && timer->hw.open) {
+ int err = timer->hw.open(timer);
+ if (err) {
+ kfree(timeri->owner);
+ kfree(timeri);
+
+ module_put(timer->module);
+ mutex_unlock(®ister_mutex);
+ return err;
+ }
+ }
+
list_add_tail(&timeri->open_list, &timer->open_list_head);
snd_timer_check_master(timeri);
mutex_unlock(®ister_mutex);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 037/152] nfs: don't create zero-length requests
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (2 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 131/152] openrisc: fix the fix of copy_from_user() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 082/152] USB: avoid left shift by -1 Ben Hutchings
` (149 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alexey Dobriyan, Benjamin Coddington, Trond Myklebust,
Weston Andros Adamson
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Coddington <bcodding@redhat.com>
commit 149a4fddd0a72d526abbeac0c8deaab03559836a upstream.
NFS doesn't expect requests with wb_bytes set to zero and may make
unexpected decisions about how to handle that request at the page IO layer.
Skip request creation if we won't have any wb_bytes in the request.
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Reviewed-by: Weston Andros Adamson <dros@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/nfs/write.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -747,6 +747,9 @@ int nfs_updatepage(struct file *file, st
file->f_path.dentry->d_name.name, count,
(long long)(page_offset(page) + offset));
+ if (!count)
+ goto out;
+
/* If we're not using byte range locks, and we know the page
* is up to date, it may be more efficient to extend the write
* to cover the entire page in order to avoid fragmentation
@@ -764,7 +767,7 @@ int nfs_updatepage(struct file *file, st
nfs_set_pageerror(page);
else
__set_page_dirty_nobuffers(page);
-
+out:
dprintk("NFS: nfs_updatepage returns %d (isize %lld)\n",
status, (long long)i_size_read(inode));
return status;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 107/152] cris: buggered copy_from_user/copy_to_user/clear_user
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (47 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 095/152] crypto: cryptd - initialize child shash_desc on import Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows Ben Hutchings
` (104 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jesper Nilsson, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.
* copy_from_user() on access_ok() failure ought to zero the destination
* none of those primitives should skip the access_ok() check in case of
small constant size.
Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++----------------------
1 file changed, 32 insertions(+), 39 deletions(-)
--- a/arch/cris/include/asm/uaccess.h
+++ b/arch/cris/include/asm/uaccess.h
@@ -176,30 +176,6 @@ extern unsigned long __copy_user(void __
extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
extern unsigned long __do_clear_user(void __user *to, unsigned long n);
-static inline unsigned long
-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
-{
- if (access_ok(VERIFY_WRITE, to, n))
- return __copy_user(to,from,n);
- return n;
-}
-
-static inline unsigned long
-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
-{
- if (access_ok(VERIFY_READ, from, n))
- return __copy_user_zeroing(to,from,n);
- return n;
-}
-
-static inline unsigned long
-__generic_clear_user(void __user *to, unsigned long n)
-{
- if (access_ok(VERIFY_WRITE, to, n))
- return __do_clear_user(to,n);
- return n;
-}
-
static inline long
__strncpy_from_user(char *dst, const char __user *src, long count)
{
@@ -262,7 +238,7 @@ __constant_copy_from_user(void *to, cons
else if (n == 24)
__asm_copy_from_user_24(to, from, ret);
else
- ret = __generic_copy_from_user(to, from, n);
+ ret = __copy_user_zeroing(to, from, n);
return ret;
}
@@ -312,7 +288,7 @@ __constant_copy_to_user(void __user *to,
else if (n == 24)
__asm_copy_to_user_24(to, from, ret);
else
- ret = __generic_copy_to_user(to, from, n);
+ ret = __copy_user(to, from, n);
return ret;
}
@@ -344,26 +320,43 @@ __constant_clear_user(void __user *to, u
else if (n == 24)
__asm_clear_24(to, ret);
else
- ret = __generic_clear_user(to, n);
+ ret = __do_clear_user(to, n);
return ret;
}
-#define clear_user(to, n) \
-(__builtin_constant_p(n) ? \
- __constant_clear_user(to, n) : \
- __generic_clear_user(to, n))
-
-#define copy_from_user(to, from, n) \
-(__builtin_constant_p(n) ? \
- __constant_copy_from_user(to, from, n) : \
- __generic_copy_from_user(to, from, n))
-
-#define copy_to_user(to, from, n) \
-(__builtin_constant_p(n) ? \
- __constant_copy_to_user(to, from, n) : \
- __generic_copy_to_user(to, from, n))
+static inline size_t clear_user(void __user *to, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+ return n;
+ if (__builtin_constant_p(n))
+ return __constant_clear_user(to, n);
+ else
+ return __do_clear_user(to, n);
+}
+
+static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_READ, from, n))) {
+ memset(to, 0, n);
+ return n;
+ }
+ if (__builtin_constant_p(n))
+ return __constant_copy_from_user(to, from, n);
+ else
+ return __copy_user_zeroing(to, from, n);
+}
+
+static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+ return n;
+ if (__builtin_constant_p(n))
+ return __constant_copy_to_user(to, from, n);
+ else
+ return __copy_user(to, from, n);
+}
/* We let the __ versions of copy_from/to_user inline, because they're often
* used in fast paths and have only a small space overhead.
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 090/152] x86/paravirt: Do not trace _paravirt_ident_*() functions
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (32 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 127/152] USB: change bInterval default to 10 ms Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 100/152] alpha: fix copy_from_user() Ben Hutchings
` (119 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Łukasz Daniluk, Steven Rostedt, Linus Torvalds
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit 15301a570754c7af60335d094dd2d1808b0641a5 upstream.
Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up
after enabling function tracer. I asked him to bisect the functions within
available_filter_functions, which he did and it came down to three:
_paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()
It was found that this is only an issue when noreplace-paravirt is added
to the kernel command line.
This means that those functions are most likely called within critical
sections of the funtion tracer, and must not be traced.
In newer kenels _paravirt_nop() is defined within gcc asm(), and is no
longer an issue. But both _paravirt_ident_{32,64}() causes the
following splat when they are traced:
mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
Modules linked in: e1000e
CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
RIP: 0010:[<ffffffff81134148>] [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
Call Trace:
_raw_spin_lock+0x27/0x30
handle_pte_fault+0x13db/0x16b0
handle_mm_fault+0x312/0x670
__do_page_fault+0x1b1/0x4e0
do_page_fault+0x22/0x30
page_fault+0x28/0x30
__vfs_read+0x28/0xe0
vfs_read+0x86/0x130
SyS_read+0x46/0xa0
entry_SYSCALL_64_fastpath+0x1e/0xa8
Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b
Reported-by: Łukasz Daniluk <lukasz.daniluk@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/paravirt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -52,12 +52,12 @@ asm (".pushsection .entry.text, \"ax\"\n
".popsection");
/* identity function, which can be inlined */
-u32 _paravirt_ident_32(u32 x)
+u32 notrace _paravirt_ident_32(u32 x)
{
return x;
}
-u64 _paravirt_ident_64(u64 x)
+u64 notrace _paravirt_ident_64(u64 x)
{
return x;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 108/152] frv: fix clear_user()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (119 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 101/152] asm-generic: make copy_from_user() zero the destination properly Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 081/152] USB: fix typo in wMaxPacketSize validation Ben Hutchings
` (32 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.
It should check access_ok(). Otherwise a bunch of places turn into
trivially exploitable rootholes.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/frv/include/asm/uaccess.h | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do { \
extern long __memset_user(void *dst, unsigned long count);
extern long __memcpy_user(void *dst, const void *src, unsigned long count);
-#define clear_user(dst,count) __memset_user(____force(dst), (count))
+#define __clear_user(dst,count) __memset_user(____force(dst), (count))
#define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
#define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))
#else
-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
#define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
#define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)
#endif
-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+ if (likely(__access_ok(to, n)))
+ n = __clear_user(to, n);
+ return n;
+}
static inline unsigned long __must_check
__copy_to_user(void __user *to, const void *from, unsigned long n)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 078/152] iio: accel: kxsd9: Fix raw read return
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (29 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 152/152] ext3: NULL dereference in ext3_evict_inode() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 001/152] netlabel: add address family checks to netlbl_{sock,req}_delattr() Ben Hutchings
` (122 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Jonathan Cameron
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linus.walleij@linaro.org>
commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.
Any readings from the raw interface of the KXSD9 driver will
return an empty string, because it does not return
IIO_VAL_INT but rather some random value from the accelerometer
to the caller.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/iio/accel/kxsd9.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/staging/iio/accel/kxsd9.c
+++ b/drivers/staging/iio/accel/kxsd9.c
@@ -163,6 +163,7 @@ static int kxsd9_read_raw(struct iio_dev
if (ret < 0)
goto error_ret;
*val = ret;
+ ret = IIO_VAL_INT;
break;
case (1 << IIO_CHAN_INFO_SCALE_SHARED):
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 043/152] ceph: Correctly return NXIO errors from ceph_llseek
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (98 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 112/152] mn10300: copy_from_user() should zero on access_ok() failure Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 024/152] KVM: nVMX: Fix memory corruption when using VMCS shadowing Ben Hutchings
` (53 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Phil Turnbull, Yan, Zheng
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Phil Turnbull <phil.turnbull@oracle.com>
commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.
ceph_llseek does not correctly return NXIO errors because the 'out' path
always returns 'offset'.
Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Yan, Zheng <zyan@redhat.com>
[bwh: Backported to 3.2:
- We don't use vfs_setpos(); instead set ret = -EINVAL or ret = offset
directly
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ceph/file.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -793,17 +793,15 @@ out:
static loff_t ceph_llseek(struct file *file, loff_t offset, int origin)
{
struct inode *inode = file->f_mapping->host;
- int ret;
+ loff_t ret;
mutex_lock(&inode->i_mutex);
__ceph_do_pending_vmtruncate(inode);
if (origin == SEEK_END || origin == SEEK_DATA || origin == SEEK_HOLE) {
ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE);
- if (ret < 0) {
- offset = ret;
+ if (ret < 0)
goto out;
- }
}
switch (origin) {
@@ -818,7 +816,7 @@ static loff_t ceph_llseek(struct file *f
* write() or lseek() might have altered it
*/
if (offset == 0) {
- offset = file->f_pos;
+ ret = file->f_pos;
goto out;
}
offset += file->f_pos;
@@ -839,7 +837,7 @@ static loff_t ceph_llseek(struct file *f
}
if (offset < 0 || offset > inode->i_sb->s_maxbytes) {
- offset = -EINVAL;
+ ret = -EINVAL;
goto out;
}
@@ -848,10 +846,11 @@ static loff_t ceph_llseek(struct file *f
file->f_pos = offset;
file->f_version = 0;
}
+ ret = offset;
out:
mutex_unlock(&inode->i_mutex);
- return offset;
+ return ret;
}
const struct file_operations ceph_file_fops = {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 041/152] l2tp: Correctly return -EBADF from pppol2tp_getname.
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (43 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 052/152] balloon: check the number of available pages in leak balloon Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 002/152] powerpc/numa: Fix multiple bugs in memory_hotplug_max() Ben Hutchings
` (108 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, phil.turnbull
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "phil.turnbull@oracle.com" <phil.turnbull@oracle.com>
commit 4ac36a4adaf80013a60013d6f829f5863d5d0e05 upstream.
If 'tunnel' is NULL we should return -EBADF but the 'end_put_sess' path
unconditionally sets 'error' back to zero. Rework the error path so it
more closely matches pppol2tp_sendmsg.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ppp.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -914,10 +914,8 @@ static int pppol2tp_getname(struct socke
pls = l2tp_session_priv(session);
tunnel = l2tp_sock_to_tunnel(pls->tunnel_sock);
- if (tunnel == NULL) {
- error = -EBADF;
+ if (tunnel == NULL)
goto end_put_sess;
- }
inet = inet_sk(tunnel->sock);
if (tunnel->version == 2) {
@@ -955,12 +953,11 @@ static int pppol2tp_getname(struct socke
}
*usockaddr_len = len;
+ error = 0;
sock_put(pls->tunnel_sock);
end_put_sess:
sock_put(sk);
- error = 0;
-
end:
return error;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 016/152] x86/quirks: Reintroduce scanning of secondary buses
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (94 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 134/152] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 018/152] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply Ben Hutchings
` (57 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Brian Gerst, Denys Vlasenko, linux-pci, Borislav Petkov,
Lukas Wunner, H. Peter Anvin, Andy Lutomirski, Thomas Gleixner,
Linus Torvalds, Josh Poimboeuf, Bjorn Helgaas, Yinghai Lu,
Ingo Molnar, Peter Zijlstra
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 850c321027c2e31d0afc71588974719a4b565550 upstream.
We used to scan secondary buses until the following commit that
was applied in 2009:
8659c406ade3 ("x86: only scan the root bus in early PCI quirks")
which commit constrained early quirks to the root bus only. Its
motivation was to prevent application of the nvidia_bugs quirk
on secondary buses.
We're about to add a quirk to reset the Broadcom 4331 wireless card on
2011/2012 Macs, which is located on a secondary bus behind a PCIe root
port. To facilitate that, reintroduce scanning of secondary buses.
The commit message of 8659c406ade3 notes that scanning only the root bus
"saves quite some unnecessary scanning work". The algorithm used prior
to 8659c406ade3 was particularly time consuming because it scanned
buses 0 to 31 brute force. To avoid lengthening boot time, employ a
recursive strategy which only scans buses that are actually reachable
from the root bus.
Yinghai Lu pointed out that the secondary bus number read from a
bridge's config space may be invalid, in particular a value of 0 would
cause an infinite loop. The PCI core goes beyond that and recurses to a
child bus only if its bus number is greater than the parent bus number
(see pci_scan_bridge()). Since the root bus is numbered 0, this implies
that secondary buses may not be 0. Do the same on early scanning.
If this algorithm is found to significantly impact boot time or cause
infinite loops on broken hardware, it would be possible to limit its
recursion depth: The Broadcom 4331 quirk applies at depth 1, all others
at depth 0, so the bus need not be scanned deeper than that for now. An
alternative approach would be to revert to scanning only the root bus,
and apply the Broadcom 4331 quirk to the root ports 8086:1c12, 8086:1e12
and 8086:1e16. Apple always positioned the card behind either of these
three ports. The quirk would then check presence of the card in slot 0
below the root port and do its deed.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: linux-pci@vger.kernel.org
Link: http://lkml.kernel.org/r/f0daa70dac1a9b2483abdb31887173eb6ab77bdf.1465690253.git.lukas@wunner.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/early-quirks.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -211,12 +211,6 @@ struct chipset {
void (*f)(int num, int slot, int func);
};
-/*
- * Only works for devices on the root bus. If you add any devices
- * not on bus 0 readd another loop level in early_quirks(). But
- * be careful because at least the Nvidia quirk here relies on
- * only matching on bus 0.
- */
static struct chipset early_qrk[] __initdata = {
{ PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
PCI_CLASS_BRIDGE_PCI, PCI_ANY_ID, QFLAG_APPLY_ONCE, nvidia_bugs },
@@ -231,6 +225,8 @@ static struct chipset early_qrk[] __init
{}
};
+static void __init early_pci_scan_bus(int bus);
+
/**
* check_dev_quirk - apply early quirks to a given PCI device
* @num: bus number
@@ -239,7 +235,7 @@ static struct chipset early_qrk[] __init
*
* Check the vendor & device ID against the early quirks table.
*
- * If the device is single function, let early_quirks() know so we don't
+ * If the device is single function, let early_pci_scan_bus() know so we don't
* poke at this device again.
*/
static int __init check_dev_quirk(int num, int slot, int func)
@@ -248,6 +244,7 @@ static int __init check_dev_quirk(int nu
u16 vendor;
u16 device;
u8 type;
+ u8 sec;
int i;
class = read_pci_config_16(num, slot, func, PCI_CLASS_DEVICE);
@@ -275,25 +272,36 @@ static int __init check_dev_quirk(int nu
type = read_pci_config_byte(num, slot, func,
PCI_HEADER_TYPE);
+
+ if ((type & 0x7f) == PCI_HEADER_TYPE_BRIDGE) {
+ sec = read_pci_config_byte(num, slot, func, PCI_SECONDARY_BUS);
+ if (sec > num)
+ early_pci_scan_bus(sec);
+ }
+
if (!(type & 0x80))
return -1;
return 0;
}
-void __init early_quirks(void)
+static void __init early_pci_scan_bus(int bus)
{
int slot, func;
- if (!early_pci_allowed())
- return;
-
/* Poor man's PCI discovery */
- /* Only scan the root bus */
for (slot = 0; slot < 32; slot++)
for (func = 0; func < 8; func++) {
/* Only probe function 0 on single fn devices */
- if (check_dev_quirk(0, slot, func))
+ if (check_dev_quirk(bus, slot, func))
break;
}
}
+
+void __init early_quirks(void)
+{
+ if (!early_pci_allowed())
+ return;
+
+ early_pci_scan_bus(0);
+}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 030/152] crypto: scatterwalk - Fix test in scatterwalk_done
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (90 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 033/152] mtd: nand: fix bug writing 1 byte less than page size Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 060/152] drm/edid: Add 6 bpc quirk for display AEO model 0 Ben Hutchings
` (61 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Herbert Xu
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 5f070e81bee35f1b7bd1477bb223a873ff657803 upstream.
When there is more data to be processed, the current test in
scatterwalk_done may prevent us from calling pagedone even when
we should.
In particular, if we're on an SG entry spanning multiple pages
where the last page is not a full page, we will incorrectly skip
calling pagedone on the second last page.
This patch fixes this by adding a separate test for whether we've
reached the end of a page.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
crypto/scatterwalk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct
void scatterwalk_done(struct scatter_walk *walk, int out, int more)
{
- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
+ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
+ !(walk->offset & (PAGE_SIZE - 1)))
scatterwalk_pagedone(walk, out, more);
}
EXPORT_SYMBOL_GPL(scatterwalk_done);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 053/152] dm flakey: error READ bios during the down_interval
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (149 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 025/152] ext4: fix reference counting bug on block allocation error Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 083/152] ubifs: Fix assertion in layout_in_gaps() Ben Hutchings
` (2 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mike Snitzer, Akira Hayakawa
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@redhat.com>
commit 99f3c90d0d85708e7401a81ce3314e50bf7f2819 upstream.
When the corrupt_bio_byte feature was introduced it caused READ bios to
no longer be errored with -EIO during the down_interval. This had to do
with the complexity of needing to submit READs if the corrupt_bio_byte
feature was used.
Fix it so READ bios are properly errored with -EIO; doing so early in
flakey_map() as long as there isn't a match for the corrupt_bio_byte
feature.
Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
Reported-by: Akira Hayakawa <ruby.wktk@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[bwh: Backported to 3.2: in flakey_end_io(), keep using
bio_submitted_while_down instead of pb->bio_submitted]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/md/dm-flakey.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -279,10 +279,16 @@ static int flakey_map(struct dm_target *
map_context->ll = 1;
/*
- * Map reads as normal.
+ * Map reads as normal only if corrupt_bio_byte set.
*/
- if (bio_data_dir(bio) == READ)
- goto map_bio;
+ if (bio_data_dir(bio) == READ) {
+ /* If flags were specified, only corrupt those that match. */
+ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+ all_corrupt_bio_flags_match(bio, fc))
+ goto map_bio;
+ else
+ return -EIO;
+ }
/*
* Drop writes?
@@ -321,12 +327,13 @@ static int flakey_end_io(struct dm_targe
/*
* Corrupt successful READs while in down state.
- * If flags were specified, only corrupt those that match.
*/
- if (fc->corrupt_bio_byte && !error && bio_submitted_while_down &&
- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
- all_corrupt_bio_flags_match(bio, fc))
- corrupt_bio_data(bio, fc);
+ if (!error && bio_submitted_while_down && (bio_data_dir(bio) == READ)) {
+ if (fc->corrupt_bio_byte)
+ corrupt_bio_data(bio, fc);
+ else
+ return -EIO;
+ }
return error;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 048/152] tcp: consider recv buf for the initial window scale
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (40 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 022/152] net: ethoc: Fix early error paths Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 111/152] mn10300: failing __get_user() and get_user() should zero Ben Hutchings
` (111 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Soheil Hassas Yeganeh, David S. Miller, Neal Cardwell
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Soheil Hassas Yeganeh <soheil@google.com>
commit f626300a3e776ccc9671b0dd94698fb3aa315966 upstream.
tcp_select_initial_window() intends to advertise a window
scaling for the maximum possible window size. To do so,
it considers the maximum of net.ipv4.tcp_rmem[2] and
net.core.rmem_max as the only possible upper-bounds.
However, users with CAP_NET_ADMIN can use SO_RCVBUFFORCE
to set the socket's receive buffer size to values
larger than net.ipv4.tcp_rmem[2] and net.core.rmem_max.
Thus, SO_RCVBUFFORCE is effectively ignored by
tcp_select_initial_window().
To fix this, consider the maximum of net.ipv4.tcp_rmem[2],
net.core.rmem_max and socket's initial buffer space.
Fixes: b0573dea1fb3 ("[NET]: Introduce SO_{SND,RCV}BUFFORCE socket options")
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Suggested-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/tcp_output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -220,7 +220,8 @@ void tcp_select_initial_window(int __spa
/* Set window scaling on max possible window
* See RFC1323 for an explanation of the limit to 14
*/
- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+ space = max_t(u32, space, sysctl_tcp_rmem[2]);
+ space = max_t(u32, space, sysctl_rmem_max);
space = min_t(u32, space, *window_clamp);
while (space > 65535 && (*rcv_wscale) < 14) {
space >>= 1;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 045/152] drm/radeon: fix firmware info version checks
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (5 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 069/152] USB: serial: mos7840: fix non-atomic allocation in write path Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 076/152] parisc: Fix order of EREFUSED define in errno.h Ben Hutchings
` (146 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alex Deucher
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 3edc38a0facef45ee22af8afdce3737f421f36ab upstream.
Some of the checks didn't handle frev 2 tables properly.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -1138,7 +1138,7 @@ bool radeon_atom_get_clock_info(struct d
le16_to_cpu(firmware_info->info.usReferenceClock);
p1pll->reference_div = 0;
- if (crev < 2)
+ if ((frev < 2) && (crev < 2))
p1pll->pll_out_min =
le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
else
@@ -1147,7 +1147,7 @@ bool radeon_atom_get_clock_info(struct d
p1pll->pll_out_max =
le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
- if (crev >= 4) {
+ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
p1pll->lcd_pll_out_min =
le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
if (p1pll->lcd_pll_out_min == 0)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 077/152] USB: serial: option: add WeTelecom WM-D200
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (61 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 004/152] crypto: gcm - Filter out async ghash if necessary Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 057/152] USB: serial: option: add D-Link DWM-156/A3 Ben Hutchings
` (90 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Aleksandr Makarov, Johan Hovold
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
commit 6695593e4a7659db49ac6eca98c164f7b5589f72 upstream.
Add support for WeTelecom WM-D200.
T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=22de ProdID=6801 Rev=00.00
S: Manufacturer=WeTelecom Incorporated
S: Product=WeTelecom Mobile Products
C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I: If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/option.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -512,6 +512,10 @@ static void option_instat_callback(struc
#define VIATELECOM_VENDOR_ID 0x15eb
#define VIATELECOM_PRODUCT_CDS7 0x0001
+/* WeTelecom products */
+#define WETELECOM_VENDOR_ID 0x22de
+#define WETELECOM_PRODUCT_WMD200 0x6801
+
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
OPTION_BLACKLIST_NONE = 0,
@@ -1948,6 +1952,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 089/152] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (21 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 010/152] ext4: don't call ext4_should_journal_data() on the journal inode Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 006/152] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Ben Hutchings
` (130 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Vegard Nossum, Takashi Iwai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 11749e086b2766cccf6217a527ef5c5604ba069c upstream.
I got this with syzkaller:
==================================================================
BUG: KASAN: null-ptr-deref on address 0000000000000020
Read of size 32 by task syz-executor/22519
CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2
014
0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
Call Trace:
[<ffffffff81f9f141>] dump_stack+0x83/0xb2
[<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
[<ffffffff8161ff74>] kasan_report+0x34/0x40
[<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
[<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
[<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
[<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
[<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
[<ffffffff8127c278>] ? do_group_exit+0x108/0x330
[<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
[<ffffffff81674dfe>] __vfs_read+0x10e/0x550
[<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
[<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
[<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
[<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
[<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
[<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
[<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
[<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
[<ffffffff81675355>] vfs_read+0x115/0x330
[<ffffffff81676371>] SyS_read+0xd1/0x1a0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
[<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
[<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
[<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
==================================================================
There are a couple of problems that I can see:
- ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
would get a NULL pointer dereference like the above splat
- the same ioctl() can free tu->queue/to->tqueue which means read()
could potentially see (and dereference) the freed pointer
We can fix both by taking the ioctl_lock mutex when dereferencing
->queue/->tqueue, since that's always held over all the ioctl() code.
Just looking at the code I find it likely that there are more problems
here such as tu->qhead pointing outside the buffer if the size is
changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/timer.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1941,6 +1941,7 @@ static ssize_t snd_timer_user_read(struc
tu->qused--;
spin_unlock_irq(&tu->qlock);
+ mutex_lock(&tu->ioctl_lock);
if (tu->tread) {
if (copy_to_user(buffer, &tu->tqueue[qhead],
sizeof(struct snd_timer_tread)))
@@ -1950,6 +1951,7 @@ static ssize_t snd_timer_user_read(struc
sizeof(struct snd_timer_read)))
err = -EFAULT;
}
+ mutex_unlock(&tu->ioctl_lock);
spin_lock_irq(&tu->qlock);
if (err < 0)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 042/152] Input: i8042 - break load dependency between atkbd/psmouse and i8042
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (125 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 117/152] score: fix __get_user/get_user Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 063/152] USB: validate wMaxPacketValue entries in endpoint descriptors Ben Hutchings
` (26 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Mark Laws
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream.
As explained in 1407814240-4275-1-git-send-email-decui@microsoft.com we
have a hard load dependency between i8042 and atkbd which prevents
keyboard from working on Gen2 Hyper-V VMs.
> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio
> driver like atkbd.c. atkbd.c depends on libps2.c because it invokes
> ps2_command(). libps2.c depends on i8042.c because it invokes
> i8042_check_port_owner(). As a result, hyperv_keyboard actually
> depends on i8042.c.
>
> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a
> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m
> rather than =y, atkbd.ko can't load because i8042.ko can't load(due to
> no i8042 device emulated) and finally hyperv_keyboard can't work and
> the user can't input: https://bugs.archlinux.org/task/39820
> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y)
To break the dependency we move away from using i8042_check_port_owner()
and instead allow serio port owner specify a mutex that clients should use
to serialize PS/2 command stream.
Reported-by: Mark Laws <mdl@60hz.org>
Tested-by: Mark Laws <mdl@60hz.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/serio/i8042.c | 16 +---------------
drivers/input/serio/libps2.c | 10 ++++------
include/linux/i8042.h | 6 ------
include/linux/serio.h | 24 +++++++++++++++++++-----
4 files changed, 24 insertions(+), 32 deletions(-)
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1223,6 +1223,7 @@ static int __init i8042_create_kbd_port(
serio->start = i8042_start;
serio->stop = i8042_stop;
serio->close = i8042_port_close;
+ serio->ps2_cmd_mutex = &i8042_mutex;
serio->port_data = port;
serio->dev.parent = &i8042_platform_device->dev;
strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name));
@@ -1310,21 +1311,6 @@ static void __devexit i8042_unregister_p
}
}
-/*
- * Checks whether port belongs to i8042 controller.
- */
-bool i8042_check_port_owner(const struct serio *port)
-{
- int i;
-
- for (i = 0; i < I8042_NUM_PORTS; i++)
- if (i8042_ports[i].serio == port)
- return true;
-
- return false;
-}
-EXPORT_SYMBOL(i8042_check_port_owner);
-
static void i8042_free_irqs(void)
{
if (i8042_aux_irq_registered)
--- a/drivers/input/serio/libps2.c
+++ b/drivers/input/serio/libps2.c
@@ -57,19 +57,17 @@ EXPORT_SYMBOL(ps2_sendbyte);
void ps2_begin_command(struct ps2dev *ps2dev)
{
- mutex_lock(&ps2dev->cmd_mutex);
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_lock_chip();
+ mutex_lock(m);
}
EXPORT_SYMBOL(ps2_begin_command);
void ps2_end_command(struct ps2dev *ps2dev)
{
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_unlock_chip();
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
- mutex_unlock(&ps2dev->cmd_mutex);
+ mutex_unlock(m);
}
EXPORT_SYMBOL(ps2_end_command);
--- a/include/linux/i8042.h
+++ b/include/linux/i8042.h
@@ -38,7 +38,6 @@ struct serio;
void i8042_lock_chip(void);
void i8042_unlock_chip(void);
int i8042_command(unsigned char *param, int command);
-bool i8042_check_port_owner(const struct serio *);
int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio));
int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str,
@@ -59,11 +58,6 @@ static inline int i8042_command(unsigned
return -ENODEV;
}
-static inline bool i8042_check_port_owner(const struct serio *serio)
-{
- return false;
-}
-
static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio))
{
--- a/include/linux/serio.h
+++ b/include/linux/serio.h
@@ -33,7 +33,8 @@ struct serio {
struct serio_device_id id;
- spinlock_t lock; /* protects critical sections from port's interrupt handler */
+ /* Protects critical sections from port's interrupt handler */
+ spinlock_t lock;
int (*write)(struct serio *, unsigned char);
int (*open)(struct serio *);
@@ -42,16 +43,29 @@ struct serio {
void (*stop)(struct serio *);
struct serio *parent;
- struct list_head child_node; /* Entry in parent->children list */
+ /* Entry in parent->children list */
+ struct list_head child_node;
struct list_head children;
- unsigned int depth; /* level of nesting in serio hierarchy */
+ /* Level of nesting in serio hierarchy */
+ unsigned int depth;
- struct serio_driver *drv; /* accessed from interrupt, must be protected by serio->lock and serio->sem */
- struct mutex drv_mutex; /* protects serio->drv so attributes can pin driver */
+ /*
+ * serio->drv is accessed from interrupt handlers; when modifying
+ * caller should acquire serio->drv_mutex and serio->lock.
+ */
+ struct serio_driver *drv;
+ /* Protects serio->drv so attributes can pin current driver */
+ struct mutex drv_mutex;
struct device dev;
struct list_head node;
+
+ /*
+ * For use by PS/2 layer when several ports share hardware and
+ * may get indigestion when exposed to concurrent access (i8042).
+ */
+ struct mutex *ps2_cmd_mutex;
};
#define to_serio_port(d) container_of(d, struct serio, dev)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 044/152] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (80 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 040/152] net/irda: fix NULL pointer dereference on memory allocation failure Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 105/152] crypto: skcipher - Fix blkcipher walk OOM crash Ben Hutchings
` (71 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, linux-security-module, keyrings, David Howells, linux-mips,
Ralf Baechle, Stephan Mueller
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.
MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
calling sys_keyctl. The latter will work in a lot of cases, thereby hiding
the issue.
Reported-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: keyrings@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13832/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/scall64-o32.S | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -366,7 +366,7 @@ EXPORT(sysn32_call_table)
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key
PTR sys_request_key
- PTR sys_keyctl /* 6245 */
+ PTR compat_sys_keyctl /* 6245 */
PTR sys_set_thread_area
PTR sys_inotify_init
PTR sys_inotify_add_watch
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -486,7 +486,7 @@ sys_call_table:
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key /* 4280 */
PTR sys_request_key
- PTR sys_keyctl
+ PTR compat_sys_keyctl
PTR sys_set_thread_area
PTR sys_inotify_init
PTR sys_inotify_add_watch /* 4285 */
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 036/152] MIPS: RM7000: Double locking bug in rm7k_tc_disable()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (66 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 064/152] s390/dasd: fix hanging device after clear subchannel Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 028/152] USB: serial: option: add support for Telit LE910 PID 0x1206 Ben Hutchings
` (85 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, kernel-janitors, linux-mips, Ralf Baechle, Dan Carpenter
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 upstream.
We obviously intended to enable IRQs again at the end.
Fixes: 745aef5df1e2 ('MIPS: RM7000: Add support for tertiary cache')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13815/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/mm/sc-rm7k.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/mm/sc-rm7k.c
+++ b/arch/mips/mm/sc-rm7k.c
@@ -162,7 +162,7 @@ static void rm7k_tc_disable(void)
local_irq_save(flags);
blast_rm7k_tcache();
clear_c0_config(RM7K_CONF_TE);
- local_irq_save(flags);
+ local_irq_restore(flags);
}
static void rm7k_sc_disable(void)
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 029/152] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (50 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 038/152] pps: do not crash when failed to register Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 150/152] xenbus: don't BUG() on user mode induced condition Ben Hutchings
` (101 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marcel Holtmann, Amadeusz Sławiński
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Amadeusz Sławiński
<amadeusz.slawinski@tieto.com>
commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
When we retrieve imtu value from userspace we should use 16 bit pointer
cast instead of 32 as it's defined that way in headers. Fixes setsockopt
calls on big-endian platforms.
Signed-off-by: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/l2cap_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -630,7 +630,7 @@ static int l2cap_sock_setsockopt(struct
break;
}
- if (get_user(opt, (u32 __user *) optval)) {
+ if (get_user(opt, (u16 __user *) optval)) {
err = -EFAULT;
break;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 018/152] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (95 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 016/152] x86/quirks: Reintroduce scanning of secondary buses Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 124/152] microblaze: fix copy_from_user() Ben Hutchings
` (56 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Anna Schumaker, Steve Wise, Chuck Lever
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream.
If an RPC program does not set vs_dispatch and pc_func() returns
rpc_drop_reply, the server sends a reply anyway containing a single
word containing the value RPC_DROP_REPLY (in network byte-order, of
course). This is a nonsense RPC message.
Fixes: 9e701c610923 ("svcrpc: simpler request dropping")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1167,7 +1167,7 @@ svc_process_common(struct svc_rqst *rqst
*statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
/* Encode reply */
- if (rqstp->rq_dropme) {
+ if (*statp == rpc_drop_reply || rqstp->rq_dropme) {
if (procp->pc_release)
procp->pc_release(rqstp, NULL, rqstp->rq_resp);
goto dropit;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 035/152] tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (136 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 062/152] netfilter: nfnetlink_queue: reject verdict request from different portid Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 056/152] block: fix use-after-free in seq file Ben Hutchings
` (15 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Sasha Levin, Dmitry Torokhov, Guenter Roeck
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.
The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefor in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do
sym = U(key_maps[0][k]);
with large 'k'.
To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.
Also while at it let's switch to for_each_set_bit() instead of open-coding
it.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/vt/keyboard.c | 30 +++++++++---------------------
1 file changed, 9 insertions(+), 21 deletions(-)
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -386,34 +386,22 @@ static void to_utf8(struct vc_data *vc,
*/
void compute_shiftstate(void)
{
- unsigned int i, j, k, sym, val;
+ unsigned int k, sym, val;
shift_state = 0;
memset(shift_down, 0, sizeof(shift_down));
- for (i = 0; i < ARRAY_SIZE(key_down); i++) {
-
- if (!key_down[i])
+ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) {
+ sym = U(key_maps[0][k]);
+ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
continue;
- k = i * BITS_PER_LONG;
-
- for (j = 0; j < BITS_PER_LONG; j++, k++) {
-
- if (!test_bit(k, key_down))
- continue;
-
- sym = U(key_maps[0][k]);
- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
- continue;
-
- val = KVAL(sym);
- if (val == KVAL(K_CAPSSHIFT))
- val = KVAL(K_SHIFT);
+ val = KVAL(sym);
+ if (val == KVAL(K_CAPSSHIFT))
+ val = KVAL(K_SHIFT);
- shift_down[val]++;
- shift_state |= (1 << val);
- }
+ shift_down[val]++;
+ shift_state |= BIT(val);
}
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 019/152] NFS: Don't drop CB requests with invalid principals
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (75 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 129/152] irda: Free skb on irda_accept error path Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 034/152] hwmon: (adt7411) set bit 3 in CFG1 register Ben Hutchings
` (76 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Anna Schumaker, Steve Wise, Chuck Lever
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream.
Before commit 778be232a207 ("NFS do not find client in NFSv4
pg_authenticate"), the Linux callback server replied with
RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB
request. Let's restore that behavior so the server has a chance to
do something useful about it, and provide a warning that helps
admins correct the problem.
Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/nfs/callback_xdr.c | 6 +++++-
net/sunrpc/svc.c | 5 +++++
2 files changed, 10 insertions(+), 1 deletion(-)
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -878,7 +878,7 @@ static __be32 nfs4_callback_compound(str
if (hdr_arg.minorversion == 0) {
cps.clp = nfs4_find_client_ident(hdr_arg.cb_ident);
if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
- return rpc_drop_reply;
+ goto out_invalidcred;
}
hdr_res.taglen = hdr_arg.taglen;
@@ -905,6 +905,10 @@ static __be32 nfs4_callback_compound(str
nfs_put_client(cps.clp);
dprintk("%s: done, status = %u\n", __func__, ntohl(status));
return rpc_success;
+
+out_invalidcred:
+ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
+ return rpc_autherr_badcred;
}
/*
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1172,6 +1172,11 @@ svc_process_common(struct svc_rqst *rqst
procp->pc_release(rqstp, NULL, rqstp->rq_resp);
goto dropit;
}
+ if (*statp == rpc_autherr_badcred) {
+ if (procp->pc_release)
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto err_bad_auth;
+ }
if (*statp == rpc_success &&
(xdr = procp->pc_encode) &&
!xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 015/152] x86/quirks: Apply nvidia_bugs quirk only on root bus
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (112 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 110/152] ia64: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 137/152] can: dev: fix deadlock reported after bus-off Ben Hutchings
` (39 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Zijlstra, Ingo Molnar, Yinghai Lu, Bjorn Helgaas,
Thomas Gleixner, Linus Torvalds, Josh Poimboeuf, Andy Lutomirski,
H. Peter Anvin, Lukas Wunner, Denys Vlasenko, Brian Gerst,
Borislav Petkov
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 447d29d1d3aed839e74c2401ef63387780ac51ed upstream.
Since the following commit:
8659c406ade3 ("x86: only scan the root bus in early PCI quirks")
... early quirks are only applied to devices on the root bus.
The motivation was to prevent application of the nvidia_bugs quirk on
secondary buses.
We're about to reintroduce scanning of secondary buses for a quirk to
reset the Broadcom 4331 wireless card on 2011/2012 Macs. To prevent
regressions, open code the requirement to apply nvidia_bugs only on the
root bus.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/4d5477c1d76b2f0387a780f2142bbcdd9fee869b.1465690253.git.lukas@wunner.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/early-quirks.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -73,6 +73,13 @@ static void __init nvidia_bugs(int num,
#ifdef CONFIG_ACPI
#ifdef CONFIG_X86_IO_APIC
/*
+ * Only applies to Nvidia root ports (bus 0) and not to
+ * Nvidia graphics cards with PCI ports on secondary buses.
+ */
+ if (num)
+ return;
+
+ /*
* All timer overrides on Nvidia are
* wrong unless HPET is enabled.
* Unfortunately that's not true on many Asus boards.
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 007/152] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (87 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 146/152] fs: Avoid premature clearing of capabilities Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 050/152] ext4: validate that metadata blocks do not overlap superblock Ben Hutchings
` (64 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 upstream.
This patch fixes an issue that the CFIFOSEL register value is possible
to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer
using CFIFO may not work correctly.
For example:
# modprobe g_multi file=usb-storage.bin
# ifconfig usb0 192.168.1.1 up
(During the USB host is sending file to the mass storage)
# ifconfig usb0 down
In this case, since the u_ether.c may call usb_ep_enable() in
eth_stop(), if the renesas_usbhs driver is also using CFIFO for
mass storage, the mass storage may not work correctly.
So, this patch adds usbhs_lock() and usbhs_unlock() calling in
usbhsg_ep_enable() to protect CFIFOSEL register. This is because:
- CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
- The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()
Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/renesas_usbhs/mod_gadget.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -472,6 +472,9 @@ static int usbhsg_ep_enable(struct usb_e
struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
struct usbhs_pipe *pipe;
int ret = -EIO;
+ unsigned long flags;
+
+ usbhs_lock(priv, flags);
/*
* if it already have pipe,
@@ -480,7 +483,8 @@ static int usbhsg_ep_enable(struct usb_e
if (uep->pipe) {
usbhs_pipe_clear(uep->pipe);
usbhs_pipe_sequence_data0(uep->pipe);
- return 0;
+ ret = 0;
+ goto usbhsg_ep_enable_end;
}
pipe = usbhs_pipe_malloc(priv,
@@ -508,6 +512,9 @@ static int usbhsg_ep_enable(struct usb_e
ret = 0;
}
+usbhsg_ep_enable_end:
+ usbhs_unlock(priv, flags);
+
return ret;
}
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 006/152] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (22 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 089/152] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 067/152] megaraid_sas: Fix probing cards without io port Ben Hutchings
` (129 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Yoshihiro Shimoda, Felipe Balbi
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
commit 4fdef698383db07d829da567e0e405fc41ff3a89 upstream.
This patch fixes an issue that the xfer_work() is possible to cause
NULL pointer dereference if the usb cable is disconnected while data
transfer is running.
In such case, a gadget driver may call usb_ep_disable()) before
xfer_work() is actually called. In this case, the usbhs_pkt_pop()
will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
in xfer_work() will return NULL.
Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/renesas_usbhs/fifo.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -760,15 +760,22 @@ static void usbhsf_dma_prepare_tasklet(u
{
struct usbhs_pkt *pkt = (struct usbhs_pkt *)data;
struct usbhs_pipe *pipe = pkt->pipe;
- struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
+ struct usbhs_fifo *fifo;
struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
struct scatterlist sg;
struct dma_async_tx_descriptor *desc;
- struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
+ struct dma_chan *chan;
struct device *dev = usbhs_priv_to_dev(priv);
enum dma_data_direction dir;
dma_cookie_t cookie;
+ unsigned long flags;
+ usbhs_lock(priv, flags);
+ fifo = usbhs_pipe_to_fifo(pipe);
+ if (!fifo)
+ goto xfer_work_end;
+
+ chan = usbhsf_dma_chan_get(fifo, pkt);
dir = usbhs_pipe_is_dir_in(pipe) ? DMA_FROM_DEVICE : DMA_TO_DEVICE;
sg_init_table(&sg, 1);
@@ -781,7 +788,7 @@ static void usbhsf_dma_prepare_tasklet(u
DMA_PREP_INTERRUPT |
DMA_CTRL_ACK);
if (!desc)
- return;
+ goto xfer_work_end;
desc->callback = usbhsf_dma_complete;
desc->callback_param = pipe;
@@ -789,7 +796,7 @@ static void usbhsf_dma_prepare_tasklet(u
cookie = desc->tx_submit(desc);
if (cookie < 0) {
dev_err(dev, "Failed to submit dma descriptor\n");
- return;
+ goto xfer_work_end;
}
dev_dbg(dev, " %s %d (%d/ %d)\n",
@@ -797,6 +804,9 @@ static void usbhsf_dma_prepare_tasklet(u
usbhsf_dma_start(pipe, fifo);
dma_async_issue_pending(chan);
+
+xfer_work_end:
+ usbhs_unlock(priv, flags);
}
/*
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 008/152] Input: xpad - validate USB endpoint count during probe
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (53 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 046/152] avr32: off by one in at32_init_pio() Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 085/152] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products Ben Hutchings
` (98 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Cameron Gutman
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Cameron Gutman <aicommander@gmail.com>
commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
This prevents a malicious USB device from causing an oops.
Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/joystick/xpad.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -825,6 +825,9 @@ static int xpad_probe(struct usb_interfa
struct usb_endpoint_descriptor *ep_irq_in;
int i, error;
+ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+ return -ENODEV;
+
for (i = 0; xpad_device[i].idVendor; i++) {
if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
(le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 013/152] ALSA: ctl: Stop notification after disconnection
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (82 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 105/152] crypto: skcipher - Fix blkcipher walk OOM crash Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 070/152] cdc-acm: fix wrong pipe type on rx interrupt xfers Ben Hutchings
` (69 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit f388cdcdd160687c6650833f286b9c89c50960ff upstream.
snd_ctl_remove() has a notification for the removal event. It's
superfluous when done during the device got disconnected. Although
the notification itself is mostly harmless, it may potentially be
harmful, and should be suppressed. Actually some components PCM may
free ctl elements during the disconnect or free callbacks, thus it's
no theoretical issue.
This patch adds the check of card->shutdown flag for avoiding
unnecessary notifications after (or during) the disconnect.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/control.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *car
if (snd_BUG_ON(!card || !id))
return;
+ if (card->shutdown)
+ return;
read_lock(&card->ctl_files_rwlock);
#if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE)
card->mixer_oss_change_count++;
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 012/152] drm/radeon: Poll for both connect/disconnect on analog connectors
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (12 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 106/152] asm-generic: make get_user() clear the destination on errors Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 027/152] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Ben Hutchings
` (139 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alex Deucher, Lyude
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lyude <cpaul@redhat.com>
commit 14ff8d48f2235295dfb3117693008e367b49cdb5 upstream.
DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
disconnections. Because of this, we end up losing hotplug polling for
analog connectors once they get connected.
Easy way to reproduce:
- Grab a machine with a radeon GPU and a VGA port
- Plug a monitor into the VGA port, wait for it to update the connector
from disconnected to connected
- Disconnect the monitor on VGA, a hotplug event is never sent for the
removal of the connector.
Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
idea since doing VGA polling can sometimes result in having to mess with
the DAC voltages to figure out whether or not there's actually something
there since VGA doesn't have HPD. Doing this would have the potential of
showing visible artifacts on the screen every time we ran a poll while a
VGA display was connected. Luckily, radeon_vga_detect() only resorts to
this sort of polling if the poll is forced, and DRM's polling helper
doesn't force it's polls.
Additionally, this removes some assignments to connector->polled that
weren't actually doing anything.
Signed-off-by: Lyude <cpaul@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_connectors.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -1589,7 +1589,6 @@ radeon_add_atom_connector(struct drm_dev
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1787,8 +1786,10 @@ radeon_add_atom_connector(struct drm_dev
}
if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
@@ -1860,7 +1861,6 @@ radeon_add_legacy_connector(struct drm_d
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1945,10 +1945,13 @@ radeon_add_legacy_connector(struct drm_d
}
if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
+
connector->display_info.subpixel_order = subpixel_order;
drm_sysfs_connector_add(connector);
if (connector_type == DRM_MODE_CONNECTOR_LVDS) {
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 021/152] Bluetooth: Add support of 13d3:3490 AR3012 device
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (121 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 081/152] USB: fix typo in wMaxPacketSize validation Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 099/152] xfrm_user: propagate sec ctx allocation errors Ben Hutchings
` (30 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Tunin, Marcel Holtmann
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Tunin <hanipouspilot@gmail.com>
commit 12d868964f7352e8b18e755488f7265a93431de1 upstream.
T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3490 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
BugLink: https://bugs.launchpad.net/bugs/1600623
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -119,6 +119,7 @@ static struct usb_device_id ath3k_table[
{ USB_DEVICE(0x13d3, 0x3472) },
{ USB_DEVICE(0x13d3, 0x3474) },
{ USB_DEVICE(0x13d3, 0x3487) },
+ { USB_DEVICE(0x13d3, 0x3490) },
/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE02C) },
@@ -184,6 +185,7 @@ static struct usb_device_id ath3k_blist_
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
/* Atheros AR5BBU22 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -204,6 +204,7 @@ static struct usb_device_id blacklist_ta
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
^ permalink raw reply [flat|nested] 159+ messages in thread
* [PATCH 3.2 003/152] sched/cputime: Fix prev steal time accouting during CPU hotplug
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (68 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 028/152] USB: serial: option: add support for Telit LE910 PID 0x1206 Ben Hutchings
@ 2016-11-14 0:14 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 072/152] xhci: don't dereference a xhci member after removing xhci Ben Hutchings
` (83 subsequent siblings)
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 0:14 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mike Galbraith, Rik van Riel, Frederic Weisbecker,
Thomas Gleixner, Linus Torvalds, Wanpeng Li,
Radim Krčmář,
Paolo Bonzini, Ingo Molnar, Peter Zijlstra (Intel)
3.2.84-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit 3d89e5478bf550a50c99e93adf659369798263b0 upstream.
Commit:
e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")
... set rq->prev_* to 0 after a CPU hotplug comes back, in order to
fix the case where (after CPU hotplug) steal time is smaller than
rq->prev_steal_time.
However, this should never happen. Steal time was only smaller because of the
KVM-specific bug fixed by the previous patch. Worse, the previous patch
triggers a bug on CPU hot-unplug/plug operation: because
rq->prev_steal_time is cleared, all of the CPU's past steal time will be
accounted again on hot-plug.
Since the root cause has been fixed, we can just revert commit e9532e69b8d1.
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 'commit e9532e69b8d1 ("sched/cputime: Fix steal time accounting vs. CPU hotplug")'
Link: http://lkml.kernel.org/r/1465813966-3116-3-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -2084,19 +2084,6 @@ EXPORT_SYMBOL_GPL(account_system_vtime);
#endif /* CONFIG_IRQ_TIME_ACCOUNTING */
-static inline void account_reset_rq(struct rq *rq)
-{
-#ifdef CONFIG_IRQ_TIME_ACCOUNTING
- rq->prev_irq_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT
- rq->prev_steal_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
- rq->prev_steal_time_rq = 0;
-#endif
-}
-
#ifdef CONFIG_PARAVIRT
static inline u64 steal_ticks(u64 steal)
{
@@ -6869,7 +6856,6 @@ migration_call(struct notifier_block *nf
case CPU_UP_PREPARE:
rq->calc_load_update = calc_load_update;
- account_reset_rq(rq);
break;
case CPU_ONLINE:
^ permalink raw reply [flat|nested] 159+ messages in thread
* Re: [PATCH 3.2 000/152] 3.2.84-rc1 review
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (151 preceding siblings ...)
2016-11-14 0:14 ` [PATCH 3.2 083/152] ubifs: Fix assertion in layout_in_gaps() Ben Hutchings
@ 2016-11-14 4:05 ` Ben Hutchings
2016-11-14 5:47 ` Guenter Roeck
153 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 4:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm
[-- Attachment #1.1: Type: text/plain, Size: 163 bytes --]
This is the combined diff for 3.2.84-rc1 relative to 3.2.83.
Ben.
--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.
[-- Attachment #1.2: linux-3.2.84-rc1.patch --]
[-- Type: text/x-patch, Size: 188500 bytes --]
diff --git a/Documentation/filesystems/porting b/Documentation/filesystems/porting
index b4a3d765ff9a..56a9c6eab33f 100644
--- a/Documentation/filesystems/porting
+++ b/Documentation/filesystems/porting
@@ -288,8 +288,8 @@ implementing on-disk size changes. Start with a copy of the old inode_setattr
and vmtruncate, and the reorder the vmtruncate + foofs_vmtruncate sequence to
be in order of zeroing blocks using block_truncate_page or similar helpers,
size update and on finally on-disk truncation which should not fail.
-inode_change_ok now includes the size checks for ATTR_SIZE and must be called
-in the beginning of ->setattr unconditionally.
+setattr_prepare (which used to be inode_change_ok) now includes the size checks
+for ATTR_SIZE and must be called in the beginning of ->setattr unconditionally.
[mandatory]
diff --git a/Makefile b/Makefile
index 716cdade034d..c8266a0f6a9d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
VERSION = 3
PATCHLEVEL = 2
-SUBLEVEL = 83
-EXTRAVERSION =
+SUBLEVEL = 84
+EXTRAVERSION = -rc1
NAME = Saber-toothed Squirrel
# *DOCUMENTATION*
diff --git a/arch/alpha/include/asm/uaccess.h b/arch/alpha/include/asm/uaccess.h
index b49ec2f8d6e3..3cd61320e024 100644
--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, const void *from, long len)
return __cu_len;
}
-extern inline long
-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
-{
- if (__access_ok((unsigned long)validate, len, get_fs()))
- len = __copy_tofrom_user_nocheck(to, from, len);
- return len;
-}
-
#define __copy_to_user(to,from,n) \
({ \
__chk_user_ptr(to); \
@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void *from, long len, const void __user *vali
#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user
-
extern inline long
copy_to_user(void __user *to, const void *from, long n)
{
- return __copy_tofrom_user((__force void *)to, from, n, to);
+ if (likely(__access_ok((unsigned long)to, n, get_fs())))
+ n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
+ return n;
}
extern inline long
copy_from_user(void *to, const void __user *from, long n)
{
- return __copy_tofrom_user(to, (__force void *)from, n, from);
+ if (likely(__access_ok((unsigned long)from, n, get_fs())))
+ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
+ else
+ memset(to, 0, n);
+ return n;
}
extern void __do_clear_user(void);
diff --git a/arch/arm/common/sa1111.c b/arch/arm/common/sa1111.c
index 61691cdbdcf2..cab1725a1017 100644
--- a/arch/arm/common/sa1111.c
+++ b/arch/arm/common/sa1111.c
@@ -878,9 +878,9 @@ struct sa1111_save_data {
#ifdef CONFIG_PM
-static int sa1111_suspend(struct platform_device *dev, pm_message_t state)
+static int sa1111_suspend_noirq(struct device *dev)
{
- struct sa1111 *sachip = platform_get_drvdata(dev);
+ struct sa1111 *sachip = dev_get_drvdata(dev);
struct sa1111_save_data *save;
unsigned long flags;
unsigned int val;
@@ -938,9 +938,9 @@ static int sa1111_suspend(struct platform_device *dev, pm_message_t state)
* restored by their respective drivers, and must be called
* via LDM after this function.
*/
-static int sa1111_resume(struct platform_device *dev)
+static int sa1111_resume_noirq(struct device *dev)
{
- struct sa1111 *sachip = platform_get_drvdata(dev);
+ struct sa1111 *sachip = dev_get_drvdata(dev);
struct sa1111_save_data *save;
unsigned long flags, id;
void __iomem *base;
@@ -956,7 +956,7 @@ static int sa1111_resume(struct platform_device *dev)
id = sa1111_readl(sachip->base + SA1111_SKID);
if ((id & SKID_ID_MASK) != SKID_SA1111_ID) {
__sa1111_remove(sachip);
- platform_set_drvdata(dev, NULL);
+ dev_set_drvdata(dev, NULL);
kfree(save);
return 0;
}
@@ -1002,8 +1002,8 @@ static int sa1111_resume(struct platform_device *dev)
}
#else
-#define sa1111_suspend NULL
-#define sa1111_resume NULL
+#define sa1111_suspend_noirq NULL
+#define sa1111_resume_noirq NULL
#endif
static int __devinit sa1111_probe(struct platform_device *pdev)
@@ -1037,6 +1037,11 @@ static int sa1111_remove(struct platform_device *pdev)
return 0;
}
+static struct dev_pm_ops sa1111_pm_ops = {
+ .suspend_noirq = sa1111_suspend_noirq,
+ .resume_noirq = sa1111_resume_noirq,
+};
+
/*
* Not sure if this should be on the system bus or not yet.
* We really want some way to register a system device at
@@ -1049,10 +1054,9 @@ static int sa1111_remove(struct platform_device *pdev)
static struct platform_driver sa1111_device_driver = {
.probe = sa1111_probe,
.remove = sa1111_remove,
- .suspend = sa1111_suspend,
- .resume = sa1111_resume,
.driver = {
.name = "sa1111",
+ .pm = &sa1111_pm_ops,
},
};
diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index af0aaebf4de6..32884a6006cf 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
mm_segment_t fs;
long ret, err, i;
- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+ if (maxevents <= 0 ||
+ maxevents > (INT_MAX/sizeof(*kbuf)) ||
+ maxevents > (INT_MAX/sizeof(*events)))
return -EINVAL;
+ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+ return -EFAULT;
kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
if (!kbuf)
return -ENOMEM;
@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
if (nsops < 1 || nsops > SEMOPM)
return -EINVAL;
+ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+ return -EFAULT;
sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
if (!sops)
return -ENOMEM;
diff --git a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
index eef43e2e163e..d8a185d7bdc1 100644
--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -1470,8 +1470,20 @@ static struct omap_hwmod omap3xxx_dss_dispc_hwmod = {
* display serial interface controller
*/
+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+ .rev_offs = 0x0000,
+ .sysc_offs = 0x0010,
+ .syss_offs = 0x0014,
+ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type1,
+};
+
static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
.name = "dsi",
+ .sysc = &omap3xxx_dsi_sysc,
};
static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
diff --git a/arch/avr32/include/asm/uaccess.h b/arch/avr32/include/asm/uaccess.h
index 245b2ee213c9..a0a9b8c31041 100644
--- a/arch/avr32/include/asm/uaccess.h
+++ b/arch/avr32/include/asm/uaccess.h
@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void *to, const void *from,
extern __kernel_size_t copy_to_user(void __user *to, const void *from,
__kernel_size_t n);
-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
+extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
__kernel_size_t n);
static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_from_user(void *to,
{
return __copy_user(to, (const void __force *)from, n);
}
+static inline __kernel_size_t copy_from_user(void *to,
+ const void __user *from,
+ __kernel_size_t n)
+{
+ size_t res = ___copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
+}
#define __copy_to_user_inatomic __copy_to_user
#define __copy_from_user_inatomic __copy_from_user
diff --git a/arch/avr32/kernel/avr32_ksyms.c b/arch/avr32/kernel/avr32_ksyms.c
index d93ead02daed..7c6cf14f0985 100644
--- a/arch/avr32/kernel/avr32_ksyms.c
+++ b/arch/avr32/kernel/avr32_ksyms.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
/*
* Userspace access stuff.
*/
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(___copy_from_user);
EXPORT_SYMBOL(copy_to_user);
EXPORT_SYMBOL(__copy_user);
EXPORT_SYMBOL(strncpy_from_user);
diff --git a/arch/avr32/lib/copy_user.S b/arch/avr32/lib/copy_user.S
index ea59c04b07de..075373471da1 100644
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -23,13 +23,13 @@
*/
.text
.align 1
- .global copy_from_user
- .type copy_from_user, @function
-copy_from_user:
+ .global ___copy_from_user
+ .type ___copy_from_user, @function
+___copy_from_user:
branch_if_kernel r8, __copy_user
ret_if_privileged r8, r11, r10, r10
rjmp __copy_user
- .size copy_from_user, . - copy_from_user
+ .size ___copy_from_user, . - ___copy_from_user
.global copy_to_user
.type copy_to_user, @function
diff --git a/arch/avr32/mach-at32ap/pio.c b/arch/avr32/mach-at32ap/pio.c
index 903c7d81d0d5..a8e208eaf2a4 100644
--- a/arch/avr32/mach-at32ap/pio.c
+++ b/arch/avr32/mach-at32ap/pio.c
@@ -435,7 +435,7 @@ void __init at32_init_pio(struct platform_device *pdev)
struct resource *regs;
struct pio_device *pio;
- if (pdev->id > MAX_NR_PIO_DEVICES) {
+ if (pdev->id >= MAX_NR_PIO_DEVICES) {
dev_err(&pdev->dev, "only %d PIO devices supported\n",
MAX_NR_PIO_DEVICES);
return;
diff --git a/arch/blackfin/include/asm/uaccess.h b/arch/blackfin/include/asm/uaccess.h
index 5cc111502822..8f9d497a20a3 100644
--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -194,11 +194,12 @@ static inline int bad_user_access_length(void)
static inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long n)
{
- if (access_ok(VERIFY_READ, from, n))
+ if (likely(access_ok(VERIFY_READ, from, n))) {
memcpy(to, (const void __force *)from, n);
- else
- return n;
- return 0;
+ return 0;
+ }
+ memset(to, 0, n);
+ return n;
}
static inline unsigned long __must_check
diff --git a/arch/cris/include/asm/uaccess.h b/arch/cris/include/asm/uaccess.h
index 914540801c5e..93bfa8acc38b 100644
--- a/arch/cris/include/asm/uaccess.h
+++ b/arch/cris/include/asm/uaccess.h
@@ -176,30 +176,6 @@ extern unsigned long __copy_user(void __user *to, const void *from, unsigned lon
extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
extern unsigned long __do_clear_user(void __user *to, unsigned long n);
-static inline unsigned long
-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
-{
- if (access_ok(VERIFY_WRITE, to, n))
- return __copy_user(to,from,n);
- return n;
-}
-
-static inline unsigned long
-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
-{
- if (access_ok(VERIFY_READ, from, n))
- return __copy_user_zeroing(to,from,n);
- return n;
-}
-
-static inline unsigned long
-__generic_clear_user(void __user *to, unsigned long n)
-{
- if (access_ok(VERIFY_WRITE, to, n))
- return __do_clear_user(to,n);
- return n;
-}
-
static inline long
__strncpy_from_user(char *dst, const char __user *src, long count)
{
@@ -262,7 +238,7 @@ __constant_copy_from_user(void *to, const void __user *from, unsigned long n)
else if (n == 24)
__asm_copy_from_user_24(to, from, ret);
else
- ret = __generic_copy_from_user(to, from, n);
+ ret = __copy_user_zeroing(to, from, n);
return ret;
}
@@ -312,7 +288,7 @@ __constant_copy_to_user(void __user *to, const void *from, unsigned long n)
else if (n == 24)
__asm_copy_to_user_24(to, from, ret);
else
- ret = __generic_copy_to_user(to, from, n);
+ ret = __copy_user(to, from, n);
return ret;
}
@@ -344,26 +320,43 @@ __constant_clear_user(void __user *to, unsigned long n)
else if (n == 24)
__asm_clear_24(to, ret);
else
- ret = __generic_clear_user(to, n);
+ ret = __do_clear_user(to, n);
return ret;
}
-#define clear_user(to, n) \
-(__builtin_constant_p(n) ? \
- __constant_clear_user(to, n) : \
- __generic_clear_user(to, n))
+static inline size_t clear_user(void __user *to, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+ return n;
+ if (__builtin_constant_p(n))
+ return __constant_clear_user(to, n);
+ else
+ return __do_clear_user(to, n);
+}
-#define copy_from_user(to, from, n) \
-(__builtin_constant_p(n) ? \
- __constant_copy_from_user(to, from, n) : \
- __generic_copy_from_user(to, from, n))
+static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_READ, from, n))) {
+ memset(to, 0, n);
+ return n;
+ }
+ if (__builtin_constant_p(n))
+ return __constant_copy_from_user(to, from, n);
+ else
+ return __copy_user_zeroing(to, from, n);
+}
-#define copy_to_user(to, from, n) \
-(__builtin_constant_p(n) ? \
- __constant_copy_to_user(to, from, n) : \
- __generic_copy_to_user(to, from, n))
+static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
+{
+ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+ return n;
+ if (__builtin_constant_p(n))
+ return __constant_copy_to_user(to, from, n);
+ else
+ return __copy_user(to, from, n);
+}
/* We let the __ versions of copy_from/to_user inline, because they're often
* used in fast paths and have only a small space overhead.
diff --git a/arch/frv/include/asm/uaccess.h b/arch/frv/include/asm/uaccess.h
index 0b67ec5b4414..3a74137eeef8 100644
--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do { \
extern long __memset_user(void *dst, unsigned long count);
extern long __memcpy_user(void *dst, const void *src, unsigned long count);
-#define clear_user(dst,count) __memset_user(____force(dst), (count))
+#define __clear_user(dst,count) __memset_user(____force(dst), (count))
#define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
#define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))
#else
-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
#define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
#define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)
#endif
-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+ if (likely(__access_ok(to, n)))
+ n = __clear_user(to, n);
+ return n;
+}
static inline unsigned long __must_check
__copy_to_user(void __user *to, const void *from, unsigned long n)
diff --git a/arch/hexagon/include/asm/uaccess.h b/arch/hexagon/include/asm/uaccess.h
index 7e706eadbf0a..c73897c5f7b3 100644
--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_user(char *dst, const char __user *src,
{
long res = __strnlen_user(src, n);
- /* return from strnlen can't be zero -- that would be rubbish. */
+ if (unlikely(!res))
+ return -EFAULT;
if (res > n) {
copy_from_user(dst, src, n);
diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
index 449c8c0fa2bd..810926c56e31 100644
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
__cu_len; \
})
-#define copy_from_user(to, from, n) \
-({ \
- void *__cu_to = (to); \
- const void __user *__cu_from = (from); \
- long __cu_len = (n); \
- \
- __chk_user_ptr(__cu_from); \
- if (__access_ok(__cu_from, __cu_len, get_fs())) \
- __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
- __cu_len; \
-})
+static inline unsigned long
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+ if (likely(__access_ok(from, n, get_fs())))
+ n = __copy_user((__force void __user *) to, from, n);
+ else
+ memset(to, 0, n);
+ return n;
+}
#define __copy_in_user(to, from, size) __copy_user((to), (from), (size))
diff --git a/arch/m32r/include/asm/uaccess.h b/arch/m32r/include/asm/uaccess.h
index 1c7047bea200..a26d28d59ae6 100644
--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_regs *regs);
#define __get_user_nocheck(x,ptr,size) \
({ \
long __gu_err = 0; \
- unsigned long __gu_val; \
+ unsigned long __gu_val = 0; \
might_sleep(); \
__get_user_size(__gu_val,(ptr),(size),__gu_err); \
(x) = (__typeof__(*(ptr)))__gu_val; \
diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
index 072b0077abf9..7a5b1ee22586 100644
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -218,7 +218,7 @@ extern long __user_bad(void);
#define __get_user(x, ptr) \
({ \
- unsigned long __gu_val; \
+ unsigned long __gu_val = 0; \
/*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
long __gu_err; \
switch (sizeof(*(ptr))) { \
@@ -364,10 +364,13 @@ extern long __user_bad(void);
static inline long copy_from_user(void *to,
const void __user *from, unsigned long n)
{
+ unsigned long res = n;
might_sleep();
- if (access_ok(VERIFY_READ, from, n))
- return __copy_from_user(to, from, n);
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
#define __copy_to_user(to, from, n) \
diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
index 5476ce4ca35e..cf6852086055 100644
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -366,7 +366,7 @@ EXPORT(sysn32_call_table)
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key
PTR sys_request_key
- PTR sys_keyctl /* 6245 */
+ PTR compat_sys_keyctl /* 6245 */
PTR sys_set_thread_area
PTR sys_inotify_init
PTR sys_inotify_add_watch
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6651759edde0..4eb5391007ee 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -486,7 +486,7 @@ sys_call_table:
PTR sys_ni_syscall /* available, was setaltroot */
PTR sys_add_key /* 4280 */
PTR sys_request_key
- PTR sys_keyctl
+ PTR compat_sys_keyctl
PTR sys_set_thread_area
PTR sys_inotify_init
PTR sys_inotify_add_watch /* 4285 */
diff --git a/arch/mips/mm/sc-rm7k.c b/arch/mips/mm/sc-rm7k.c
index 274af3be1442..a30eb5d7d50a 100644
--- a/arch/mips/mm/sc-rm7k.c
+++ b/arch/mips/mm/sc-rm7k.c
@@ -162,7 +162,7 @@ static void rm7k_tc_disable(void)
local_irq_save(flags);
blast_rm7k_tcache();
clear_c0_config(RM7K_CONF_TE);
- local_irq_save(flags);
+ local_irq_restore(flags);
}
static void rm7k_sc_disable(void)
diff --git a/arch/mn10300/include/asm/uaccess.h b/arch/mn10300/include/asm/uaccess.h
index 780560b330d9..570a25db8df2 100644
--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -181,6 +181,7 @@ struct __large_struct { unsigned long buf[100]; };
"2:\n" \
" .section .fixup,\"ax\"\n" \
"3:\n\t" \
+ " mov 0,%1\n" \
" mov %3,%0\n" \
" jmp 2b\n" \
" .previous\n" \
diff --git a/arch/mn10300/lib/usercopy.c b/arch/mn10300/lib/usercopy.c
index 7826e6c364e7..a29c5dc2ab5e 100644
--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,8 @@
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
-#include <asm/uaccess.h>
+#include <linux/string.h>
+#include <linux/uaccess.h>
unsigned long
__generic_copy_to_user(void *to, const void *from, unsigned long n)
@@ -24,6 +25,8 @@ __generic_copy_from_user(void *to, const void *from, unsigned long n)
{
if (access_ok(VERIFY_READ, from, n))
__copy_user_zeroing(to, from, n);
+ else
+ memset(to, 0, n);
return n;
}
diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
index c310e45b538e..1acfe52f6929 100644
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -274,28 +274,20 @@ __copy_tofrom_user(void *to, const void *from, unsigned long size);
static inline unsigned long
copy_from_user(void *to, const void *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_READ, from, n))
- return __copy_tofrom_user(to, from, n);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + n - TASK_SIZE;
- return __copy_tofrom_user(to, from, n - over) + over;
- }
- return n;
+ unsigned long res = n;
+
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_tofrom_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
static inline unsigned long
copy_to_user(void *to, const void *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_WRITE, to, n))
- return __copy_tofrom_user(to, from, n);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + n - TASK_SIZE;
- return __copy_tofrom_user(to, from, n - over) + over;
- }
+ if (likely(access_ok(VERIFY_WRITE, to, n)))
+ n = __copy_tofrom_user(to, from, n);
return n;
}
@@ -304,13 +296,8 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
static inline __must_check unsigned long
clear_user(void *addr, unsigned long size)
{
-
- if (access_ok(VERIFY_WRITE, addr, size))
- return __clear_user(addr, size);
- if ((unsigned long)addr < TASK_SIZE) {
- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
- return __clear_user(addr, size - over) + over;
- }
+ if (likely(access_ok(VERIFY_WRITE, addr, size)))
+ size = __clear_user(addr, size);
return size;
}
diff --git a/arch/parisc/include/asm/errno.h b/arch/parisc/include/asm/errno.h
index 135ad6047e51..290112edb9ca 100644
--- a/arch/parisc/include/asm/errno.h
+++ b/arch/parisc/include/asm/errno.h
@@ -97,10 +97,10 @@
#define ENOTCONN 235 /* Transport endpoint is not connected */
#define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */
#define ETOOMANYREFS 237 /* Too many references: cannot splice */
-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
#define ETIMEDOUT 238 /* Connection timed out */
#define ECONNREFUSED 239 /* Connection refused */
-#define EREMOTERELEASE 240 /* Remote peer released connection */
+#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+#define EREMOTERELEASE 240 /* Remote peer released connection */
#define EHOSTDOWN 241 /* Host is down */
#define EHOSTUNREACH 242 /* No route to host */
diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
index 337353de237b..a615403907a2 100644
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -10,6 +10,8 @@
#include <asm/errno.h>
#include <asm-generic/uaccess-unaligned.h>
+#include <linux/string.h>
+
#define VERIFY_READ 0
#define VERIFY_WRITE 1
@@ -255,13 +257,14 @@ static inline unsigned long __must_check copy_from_user(void *to,
unsigned long n)
{
int sz = __compiletime_object_size(to);
- int ret = -EFAULT;
+ unsigned long ret = n;
if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
ret = __copy_from_user(to, from, n);
else
copy_from_user_overflow();
-
+ if (unlikely(ret))
+ memset(to + (n - ret), 0, ret);
return ret;
}
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index bd0fb8495154..4d4a30ccc249 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -332,30 +332,17 @@ extern unsigned long __copy_tofrom_user(void __user *to,
static inline unsigned long copy_from_user(void *to,
const void __user *from, unsigned long n)
{
- unsigned long over;
-
- if (access_ok(VERIFY_READ, from, n))
+ if (likely(access_ok(VERIFY_READ, from, n)))
return __copy_tofrom_user((__force void __user *)to, from, n);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + n - TASK_SIZE;
- return __copy_tofrom_user((__force void __user *)to, from,
- n - over) + over;
- }
+ memset(to, 0, n);
return n;
}
static inline unsigned long copy_to_user(void __user *to,
const void *from, unsigned long n)
{
- unsigned long over;
-
if (access_ok(VERIFY_WRITE, to, n))
return __copy_tofrom_user(to, (__force void __user *)from, n);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + n - TASK_SIZE;
- return __copy_tofrom_user(to, (__force void __user *)from,
- n - over) + over;
- }
return n;
}
@@ -446,10 +433,6 @@ static inline unsigned long clear_user(void __user *addr, unsigned long size)
might_sleep();
if (likely(access_ok(VERIFY_WRITE, addr, size)))
return __clear_user(addr, size);
- if ((unsigned long)addr < TASK_SIZE) {
- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
- return __clear_user(addr, size - over) + over;
- }
return size;
}
diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
index f4b78a39b79b..9a5ec9aacbc1 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1275,17 +1275,33 @@ int hot_add_scn_to_nid(unsigned long scn_addr)
static u64 hot_add_drconf_memory_max(void)
{
struct device_node *memory = NULL;
+ struct device_node *dn = NULL;
unsigned int drconf_cell_cnt = 0;
u64 lmb_size = 0;
const u32 *dm = 0;
+ const __be64 *lrdr = NULL;
+ struct of_drconf_cell drmem;
+
+ dn = of_find_node_by_path("/rtas");
+ if (dn) {
+ lrdr = of_get_property(dn, "ibm,lrdr-capacity", NULL);
+ of_node_put(dn);
+ if (lrdr)
+ return be64_to_cpup(lrdr);
+ }
memory = of_find_node_by_path("/ibm,dynamic-reconfiguration-memory");
if (memory) {
drconf_cell_cnt = of_get_drconf_memory(memory, &dm);
lmb_size = of_get_lmb_size(memory);
+
+ /* Advance to the last cell, each cell has 6 32 bit integers */
+ dm += (drconf_cell_cnt - 1) * 6;
+ read_drconf_cell(&drmem, &dm);
of_node_put(memory);
+ return drmem.base_addr + lmb_size;
}
- return lmb_size * drconf_cell_cnt;
+ return 0;
}
/*
diff --git a/arch/s390/include/asm/auxvec.h b/arch/s390/include/asm/auxvec.h
index a1f153e89133..c53e08442255 100644
--- a/arch/s390/include/asm/auxvec.h
+++ b/arch/s390/include/asm/auxvec.h
@@ -3,4 +3,6 @@
#define AT_SYSINFO_EHDR 33
+#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
+
#endif
diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
index 547f1a6a35d4..c6e4c837c248 100644
--- a/arch/s390/include/asm/elf.h
+++ b/arch/s390/include/asm/elf.h
@@ -199,6 +199,7 @@ do { \
#define STACK_RND_MASK 0x7ffUL
+/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
#define ARCH_DLINFO \
do { \
if (vdso_enabled) \
diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
index 2b23885e81e9..7aee41b624ff 100644
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -147,28 +147,28 @@ extern int __put_user_bad(void) __attribute__((noreturn));
__chk_user_ptr(ptr); \
switch (sizeof(*(ptr))) { \
case 1: { \
- unsigned char __x; \
+ unsigned char __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 2: { \
- unsigned short __x; \
+ unsigned short __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 4: { \
- unsigned int __x; \
+ unsigned int __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break; \
}; \
case 8: { \
- unsigned long long __x; \
+ unsigned long long __x = 0; \
__gu_err = __get_user_fn(sizeof (*(ptr)), \
ptr, &__x); \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
diff --git a/arch/score/include/asm/uaccess.h b/arch/score/include/asm/uaccess.h
index ab66ddde777b..69326dfb894d 100644
--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -158,7 +158,7 @@ do { \
__get_user_asm(val, "lw", ptr); \
break; \
case 8: \
- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
+ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
__gu_err = 0; \
else \
__gu_err = -EFAULT; \
@@ -183,6 +183,8 @@ do { \
\
if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
__get_user_common((x), size, __gu_ptr); \
+ else \
+ (x) = 0; \
\
__gu_err; \
})
@@ -196,6 +198,7 @@ do { \
"2:\n" \
".section .fixup,\"ax\"\n" \
"3:li %0, %4\n" \
+ "li %1, 0\n" \
"j 2b\n" \
".previous\n" \
".section __ex_table,\"a\"\n" \
@@ -293,35 +296,34 @@ extern int __copy_tofrom_user(void *to, const void *from, unsigned long len);
static inline unsigned long
copy_from_user(void *to, const void *from, unsigned long len)
{
- unsigned long over;
+ unsigned long res = len;
- if (access_ok(VERIFY_READ, from, len))
- return __copy_tofrom_user(to, from, len);
+ if (likely(access_ok(VERIFY_READ, from, len)))
+ res = __copy_tofrom_user(to, from, len);
- if ((unsigned long)from < TASK_SIZE) {
- over = (unsigned long)from + len - TASK_SIZE;
- return __copy_tofrom_user(to, from, len - over) + over;
- }
- return len;
+ if (unlikely(res))
+ memset(to + (len - res), 0, res);
+
+ return res;
}
static inline unsigned long
copy_to_user(void *to, const void *from, unsigned long len)
{
- unsigned long over;
-
- if (access_ok(VERIFY_WRITE, to, len))
- return __copy_tofrom_user(to, from, len);
+ if (likely(access_ok(VERIFY_WRITE, to, len)))
+ len = __copy_tofrom_user(to, from, len);
- if ((unsigned long)to < TASK_SIZE) {
- over = (unsigned long)to + len - TASK_SIZE;
- return __copy_tofrom_user(to, from, len - over) + over;
- }
return len;
}
-#define __copy_from_user(to, from, len) \
- __copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+ unsigned long left = __copy_tofrom_user(to, from, len);
+ if (unlikely(left))
+ memset(to + (len - left), 0, left);
+ return left;
+}
#define __copy_to_user(to, from, len) \
__copy_tofrom_user((to), (from), (len))
@@ -335,17 +337,17 @@ __copy_to_user_inatomic(void *to, const void *from, unsigned long len)
static inline unsigned long
__copy_from_user_inatomic(void *to, const void *from, unsigned long len)
{
- return __copy_from_user(to, from, len);
+ return __copy_tofrom_user(to, from, len);
}
-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
static inline unsigned long
copy_in_user(void *to, const void *from, unsigned long len)
{
if (access_ok(VERIFY_READ, from, len) &&
access_ok(VERFITY_WRITE, to, len))
- return copy_from_user(to, from, len);
+ return __copy_tofrom_user(to, from, len);
}
/*
diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
index 075848f43b6a..0e7971185be5 100644
--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -175,7 +175,10 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
__kernel_size_t __copy_size = (__kernel_size_t) n;
if (__copy_size && __access_ok(__copy_from, __copy_size))
- return __copy_user(to, from, __copy_size);
+ __copy_size = __copy_user(to, from, __copy_size);
+
+ if (unlikely(__copy_size))
+ memset(to + (n - __copy_size), 0, __copy_size);
return __copy_size;
}
diff --git a/arch/sh/include/asm/uaccess_64.h b/arch/sh/include/asm/uaccess_64.h
index 56fd20b8cdcc..1a48a4ab8c69 100644
--- a/arch/sh/include/asm/uaccess_64.h
+++ b/arch/sh/include/asm/uaccess_64.h
@@ -24,6 +24,7 @@
#define __get_user_size(x,ptr,size,retval) \
do { \
retval = 0; \
+ x = 0; \
switch (size) { \
case 1: \
retval = __get_user_asm_b((void *)&x, \
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index 8303ac481034..43c2a0df4368 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -264,8 +264,10 @@ static inline unsigned long copy_from_user(void *to, const void __user *from, un
{
if (n && __access_ok((unsigned long) from, n))
return __copy_user((__force void __user *) to, from, n);
- else
+ else {
+ memset(to, 0, n);
return n;
+ }
}
static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 95b4eb3424a0..2b5527726ae1 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -791,7 +791,7 @@ ia32_sys_call_table:
.quad quiet_ni_syscall /* 285: sys_altroot */
.quad sys_add_key
.quad sys_request_key
- .quad sys_keyctl
+ .quad compat_sys_keyctl
.quad sys_ioprio_set
.quad sys_ioprio_get /* 290 */
.quad sys_inotify_init
diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
index 169be8938b96..a7973ddf2d1b 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -17,7 +17,14 @@
static inline void __native_flush_tlb(void)
{
+ /*
+ * If current->mm == NULL then we borrow a mm which may change during a
+ * task switch and therefore we must not be preempted while we write CR3
+ * back:
+ */
+ preempt_disable();
native_write_cr3(native_read_cr3());
+ preempt_enable();
}
static inline void __native_flush_tlb_global(void)
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index 838a3b40a4b0..8fcd92e9589b 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1481,6 +1481,9 @@ void __init enable_IR_x2apic(void)
int ret, x2apic_enabled = 0;
int dmar_table_init_ret;
+ if (skip_ioapic_setup)
+ return;
+
dmar_table_init_ret = dmar_table_init();
if (dmar_table_init_ret && !x2apic_supported())
return;
diff --git a/arch/x86/kernel/early-quirks.c b/arch/x86/kernel/early-quirks.c
index 3755ef494390..083a36eb2a06 100644
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -11,13 +11,20 @@
#include <linux/pci.h>
#include <linux/acpi.h>
+#include <linux/delay.h>
+#include <linux/dmi.h>
#include <linux/pci_ids.h>
+#include <linux/bcma/bcma.h>
+#include <linux/bcma/bcma_regs.h>
#include <asm/pci-direct.h>
#include <asm/dma.h>
#include <asm/io_apic.h>
#include <asm/apic.h>
#include <asm/iommu.h>
#include <asm/gart.h>
+#include <asm/io.h>
+
+#define dev_err(msg) pr_err("pci 0000:%02x:%02x.%d: %s", bus, slot, func, msg)
static void __init fix_hypertransport_config(int num, int slot, int func)
{
@@ -73,6 +80,13 @@ static void __init nvidia_bugs(int num, int slot, int func)
#ifdef CONFIG_ACPI
#ifdef CONFIG_X86_IO_APIC
/*
+ * Only applies to Nvidia root ports (bus 0) and not to
+ * Nvidia graphics cards with PCI ports on secondary buses.
+ */
+ if (num)
+ return;
+
+ /*
* All timer overrides on Nvidia are
* wrong unless HPET is enabled.
* Unfortunately that's not true on many Asus boards.
@@ -192,6 +206,62 @@ static void __init ati_bugs_contd(int num, int slot, int func)
}
#endif
+#define BCM4331_MMIO_SIZE 16384
+#define BCM4331_PM_CAP 0x40
+#define bcma_aread32(reg) ioread32(mmio + 1 * BCMA_CORE_SIZE + reg)
+#define bcma_awrite32(reg, val) iowrite32(val, mmio + 1 * BCMA_CORE_SIZE + reg)
+
+static void __init apple_airport_reset(int bus, int slot, int func)
+{
+ void __iomem *mmio;
+ u16 pmcsr;
+ u64 addr;
+ int i;
+
+ if (!dmi_match(DMI_SYS_VENDOR, "Apple Inc."))
+ return;
+
+ /* Card may have been put into PCI_D3hot by grub quirk */
+ pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+
+ if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+ pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ write_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL, pmcsr);
+ mdelay(10);
+
+ pmcsr = read_pci_config_16(bus, slot, func, BCM4331_PM_CAP + PCI_PM_CTRL);
+ if ((pmcsr & PCI_PM_CTRL_STATE_MASK) != PCI_D0) {
+ dev_err("Cannot power up Apple AirPort card\n");
+ return;
+ }
+ }
+
+ addr = read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_0);
+ addr |= (u64)read_pci_config(bus, slot, func, PCI_BASE_ADDRESS_1) << 32;
+ addr &= PCI_BASE_ADDRESS_MEM_MASK;
+
+ mmio = early_ioremap(addr, BCM4331_MMIO_SIZE);
+ if (!mmio) {
+ dev_err("Cannot iomap Apple AirPort card\n");
+ return;
+ }
+
+ pr_info("Resetting Apple AirPort card (left enabled by EFI)\n");
+
+ for (i = 0; bcma_aread32(BCMA_RESET_ST) && i < 30; i++)
+ udelay(10);
+
+ bcma_awrite32(BCMA_RESET_CTL, BCMA_RESET_CTL_RESET);
+ bcma_aread32(BCMA_RESET_CTL);
+ udelay(1);
+
+ bcma_awrite32(BCMA_RESET_CTL, 0);
+ bcma_aread32(BCMA_RESET_CTL);
+ udelay(10);
+
+ early_iounmap(mmio, BCM4331_MMIO_SIZE);
+}
+
#define QFLAG_APPLY_ONCE 0x1
#define QFLAG_APPLIED 0x2
#define QFLAG_DONE (QFLAG_APPLY_ONCE|QFLAG_APPLIED)
@@ -204,12 +274,6 @@ struct chipset {
void (*f)(int num, int slot, int func);
};
-/*
- * Only works for devices on the root bus. If you add any devices
- * not on bus 0 readd another loop level in early_quirks(). But
- * be careful because at least the Nvidia quirk here relies on
- * only matching on bus 0.
- */
static struct chipset early_qrk[] __initdata = {
{ PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID,
PCI_CLASS_BRIDGE_PCI, PCI_ANY_ID, QFLAG_APPLY_ONCE, nvidia_bugs },
@@ -221,9 +285,13 @@ static struct chipset early_qrk[] __initdata = {
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs },
{ PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_SBX00_SMBUS,
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs_contd },
+ { PCI_VENDOR_ID_BROADCOM, 0x4331,
+ PCI_CLASS_NETWORK_OTHER, PCI_ANY_ID, 0, apple_airport_reset},
{}
};
+static void __init early_pci_scan_bus(int bus);
+
/**
* check_dev_quirk - apply early quirks to a given PCI device
* @num: bus number
@@ -232,7 +300,7 @@ static struct chipset early_qrk[] __initdata = {
*
* Check the vendor & device ID against the early quirks table.
*
- * If the device is single function, let early_quirks() know so we don't
+ * If the device is single function, let early_pci_scan_bus() know so we don't
* poke at this device again.
*/
static int __init check_dev_quirk(int num, int slot, int func)
@@ -241,6 +309,7 @@ static int __init check_dev_quirk(int num, int slot, int func)
u16 vendor;
u16 device;
u8 type;
+ u8 sec;
int i;
class = read_pci_config_16(num, slot, func, PCI_CLASS_DEVICE);
@@ -268,25 +337,36 @@ static int __init check_dev_quirk(int num, int slot, int func)
type = read_pci_config_byte(num, slot, func,
PCI_HEADER_TYPE);
+
+ if ((type & 0x7f) == PCI_HEADER_TYPE_BRIDGE) {
+ sec = read_pci_config_byte(num, slot, func, PCI_SECONDARY_BUS);
+ if (sec > num)
+ early_pci_scan_bus(sec);
+ }
+
if (!(type & 0x80))
return -1;
return 0;
}
-void __init early_quirks(void)
+static void __init early_pci_scan_bus(int bus)
{
int slot, func;
- if (!early_pci_allowed())
- return;
-
/* Poor man's PCI discovery */
- /* Only scan the root bus */
for (slot = 0; slot < 32; slot++)
for (func = 0; func < 8; func++) {
/* Only probe function 0 on single fn devices */
- if (check_dev_quirk(0, slot, func))
+ if (check_dev_quirk(bus, slot, func))
break;
}
}
+
+void __init early_quirks(void)
+{
+ if (!early_pci_allowed())
+ return;
+
+ early_pci_scan_bus(0);
+}
diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
index af5b675c7f68..d21b32eeaa59 100644
--- a/arch/x86/kernel/paravirt.c
+++ b/arch/x86/kernel/paravirt.c
@@ -52,12 +52,12 @@ asm (".pushsection .entry.text, \"ax\"\n"
".popsection");
/* identity function, which can be inlined */
-u32 _paravirt_ident_32(u32 x)
+u32 notrace _paravirt_ident_32(u32 x)
{
return x;
}
-u64 _paravirt_ident_64(u64 x)
+u64 notrace _paravirt_ident_64(u64 x)
{
return x;
}
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index fb8c23d2fdf6..bd0ed47989e4 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4999,22 +4999,27 @@ static void nested_free_vmcs02(struct vcpu_vmx *vmx, gpa_t vmptr)
/*
* Free all VMCSs saved for this vcpu, except the one pointed by
- * vmx->loaded_vmcs. These include the VMCSs in vmcs02_pool (except the one
- * currently used, if running L2), and vmcs01 when running L2.
+ * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
+ * must be &vmx->vmcs01.
*/
static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
{
struct vmcs02_list *item, *n;
+
+ WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
- if (vmx->loaded_vmcs != &item->vmcs02)
- free_loaded_vmcs(&item->vmcs02);
+ /*
+ * Something will leak if the above WARN triggers. Better than
+ * a use-after-free.
+ */
+ if (vmx->loaded_vmcs == &item->vmcs02)
+ continue;
+
+ free_loaded_vmcs(&item->vmcs02);
list_del(&item->list);
kfree(item);
+ vmx->nested.vmcs02_num--;
}
- vmx->nested.vmcs02_num = 0;
-
- if (vmx->loaded_vmcs != &vmx->vmcs01)
- free_loaded_vmcs(&vmx->vmcs01);
}
/*
@@ -6307,13 +6312,44 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
#undef R
#undef Q
+static void vmx_load_vmcs01(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ int cpu;
+
+ if (vmx->loaded_vmcs == &vmx->vmcs01)
+ return;
+
+ cpu = get_cpu();
+ vmx->loaded_vmcs = &vmx->vmcs01;
+ vmx_vcpu_put(vcpu);
+ vmx_vcpu_load(vcpu, cpu);
+ vcpu->cpu = cpu;
+ put_cpu();
+}
+
+/*
+ * Ensure that the current vmcs of the logical processor is the
+ * vmcs01 of the vcpu before calling free_nested().
+ */
+static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ vcpu_load(vcpu);
+ vmx_load_vmcs01(vcpu);
+ free_nested(vmx);
+ vcpu_put(vcpu);
+}
+
static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
free_vpid(vmx);
+ leave_guest_mode(vcpu);
+ vmx_free_vcpu_nested(vcpu);
free_loaded_vmcs(vmx->loaded_vmcs);
- free_nested(vmx);
kfree(vmx->guest_msrs);
kvm_vcpu_uninit(vcpu);
kmem_cache_free(kvm_vcpu_cache, vmx);
@@ -7059,18 +7095,12 @@ void load_vmcs12_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
- int cpu;
struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
leave_guest_mode(vcpu);
prepare_vmcs12(vcpu, vmcs12);
- cpu = get_cpu();
- vmx->loaded_vmcs = &vmx->vmcs01;
- vmx_vcpu_put(vcpu);
- vmx_vcpu_load(vcpu, cpu);
- vcpu->cpu = cpu;
- put_cpu();
+ vmx_load_vmcs01(vcpu);
/* if no vmcs02 cache requested, remove the one we used */
if (VMCS02_POOL_SIZE == 0)
diff --git a/block/genhd.c b/block/genhd.c
index 424d1fa1c039..4c3f6db08626 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v)
if (iter) {
class_dev_iter_exit(iter);
kfree(iter);
+ seqf->private = NULL;
}
}
diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
index 7b69d7a902a9..a5284e0a523d 100644
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -238,6 +238,8 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
return blkcipher_walk_done(desc, walk, -EINVAL);
}
+ bsize = min(walk->blocksize, n);
+
walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
BLKCIPHER_WALK_DIFF);
if (!scatterwalk_aligned(&walk->in, alignmask) ||
@@ -250,7 +252,6 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
}
}
- bsize = min(walk->blocksize, n);
n = scatterwalk_clamp(&walk->in, n);
n = scatterwalk_clamp(&walk->out, n);
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 75c415d37086..d85fab975514 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct ahash_request *req, void *out)
static int cryptd_hash_import(struct ahash_request *req, const void *in)
{
- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
+ struct shash_desc *desc = cryptd_shash_desc(req);
+
+ desc->tfm = ctx->child;
+ desc->flags = req->base.flags;
- return crypto_shash_import(&rctx->desc, in);
+ return crypto_shash_import(desc, in);
}
static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
diff --git a/crypto/gcm.c b/crypto/gcm.c
index 943cbceca426..9e47c4dfa91c 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -711,7 +711,9 @@ static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb,
ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
CRYPTO_ALG_TYPE_HASH,
- CRYPTO_ALG_TYPE_AHASH_MASK);
+ CRYPTO_ALG_TYPE_AHASH_MASK |
+ crypto_requires_sync(algt->type,
+ algt->mask));
err = PTR_ERR(ghash_alg);
if (IS_ERR(ghash_alg))
return ERR_PTR(err);
diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
index 41e529af0773..8b5969987c0d 100644
--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk, int out,
void scatterwalk_done(struct scatter_walk *walk, int out, int more)
{
- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
+ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
+ !(walk->offset & (PAGE_SIZE - 1)))
scatterwalk_pagedone(walk, out, more);
}
EXPORT_SYMBOL_GPL(scatterwalk_done);
diff --git a/drivers/bcma/bcma_private.h b/drivers/bcma/bcma_private.h
index fda56bde36b8..3872e0d833be 100644
--- a/drivers/bcma/bcma_private.h
+++ b/drivers/bcma/bcma_private.h
@@ -8,8 +8,6 @@
#include <linux/bcma/bcma.h>
#include <linux/delay.h>
-#define BCMA_CORE_SIZE 0x1000
-
struct bcma_bus;
/* main.c */
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 0b87fb6cc365..5554a5b713a9 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -118,6 +118,8 @@ static struct usb_device_id ath3k_table[] = {
{ USB_DEVICE(0x13d3, 0x3432) },
{ USB_DEVICE(0x13d3, 0x3472) },
{ USB_DEVICE(0x13d3, 0x3474) },
+ { USB_DEVICE(0x13d3, 0x3487) },
+ { USB_DEVICE(0x13d3, 0x3490) },
/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE02C) },
@@ -182,6 +184,8 @@ static struct usb_device_id ath3k_blist_tbl[] = {
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
/* Atheros AR5BBU22 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 1cba113f27ce..59838695c46b 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -203,6 +203,8 @@ static struct usb_device_id blacklist_table[] = {
{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index f8e94fe197b9..0c4885dd43b8 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -176,16 +176,15 @@ static int get_burstcount(struct tpm_chip *chip)
{
unsigned long stop;
int burstcnt;
+ u32 value;
/* wait for burstcount */
/* which timeout value, spec has 2 answers (c & d) */
stop = jiffies + chip->vendor.timeout_d;
do {
- burstcnt = ioread8(chip->vendor.iobase +
- TPM_STS(chip->vendor.locality) + 1);
- burstcnt += ioread8(chip->vendor.iobase +
- TPM_STS(chip->vendor.locality) +
- 2) << 8;
+ value = ioread32(chip->vendor.iobase +
+ TPM_STS(chip->vendor.locality));
+ burstcnt = (value >> 8) & 0xFFFF;
if (burstcnt)
return burstcnt;
msleep(TPM_TIMEOUT);
diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
index 7c869b73a57e..418c4da54fdc 100644
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -677,6 +677,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,
int retval;
u16 ether_type;
+ if (len <= RFC2374_UNFRAG_HDR_SIZE)
+ return 0;
+
hdr.w0 = be32_to_cpu(buf[0]);
lf = fwnet_get_hdr_lf(&hdr);
if (lf == RFC2374_HDR_UNFRAG) {
@@ -702,7 +705,12 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,
return fwnet_finish_incoming_packet(net, skb, source_node_id,
is_broadcast, ether_type);
}
+
/* A datagram fragment has been received, now the fun begins. */
+
+ if (len <= RFC2374_FRAG_HDR_SIZE)
+ return 0;
+
hdr.w1 = ntohl(buf[1]);
buf += 2;
len -= RFC2374_FRAG_HDR_SIZE;
@@ -716,6 +724,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,
datagram_label = fwnet_get_hdr_dgl(&hdr);
dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */
+ if (fg_off + len > dg_size)
+ return 0;
+
spin_lock_irqsave(&dev->lock, flags);
peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);
@@ -822,6 +833,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,
fw_send_response(card, r, rcode);
}
+static int gasp_source_id(__be32 *p)
+{
+ return be32_to_cpu(p[0]) >> 16;
+}
+
+static u32 gasp_specifier_id(__be32 *p)
+{
+ return (be32_to_cpu(p[0]) & 0xffff) << 8 |
+ (be32_to_cpu(p[1]) & 0xff000000) >> 24;
+}
+
+static u32 gasp_version(__be32 *p)
+{
+ return be32_to_cpu(p[1]) & 0xffffff;
+}
+
static void fwnet_receive_broadcast(struct fw_iso_context *context,
u32 cycle, size_t header_length, void *header, void *data)
{
@@ -832,9 +859,6 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,
__be32 *buf_ptr;
int retval;
u32 length;
- u16 source_node_id;
- u32 specifier_id;
- u32 ver;
unsigned long offset;
unsigned long flags;
@@ -852,17 +876,13 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,
spin_unlock_irqrestore(&dev->lock, flags);
- specifier_id = (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8
- | (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;
- ver = be32_to_cpu(buf_ptr[1]) & 0xffffff;
- source_node_id = be32_to_cpu(buf_ptr[0]) >> 16;
-
- if (specifier_id == IANA_SPECIFIER_ID && ver == RFC2734_SW_VERSION) {
- buf_ptr += 2;
- length -= IEEE1394_GASP_HDR_SIZE;
- fwnet_incoming_packet(dev, buf_ptr, length, source_node_id,
+ if (length > IEEE1394_GASP_HDR_SIZE &&
+ gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&
+ gasp_version(buf_ptr) == RFC2734_SW_VERSION)
+ fwnet_incoming_packet(dev, buf_ptr + 2,
+ length - IEEE1394_GASP_HDR_SIZE,
+ gasp_source_id(buf_ptr),
context->card->generation, true);
- }
packet.payload_length = dev->rcv_buffer_size;
packet.interrupt = 1;
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 20110b4ad791..4ca454bf69a3 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -2675,6 +2675,9 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev,
unsigned long flags;
int ret = -EINVAL;
+ if (!drm_core_check_feature(dev, DRIVER_MODESET))
+ return -EINVAL;
+
if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
page_flip->reserved != 0)
return -EINVAL;
diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index 72f460e22b76..bcfcfbb32877 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -68,6 +68,8 @@
#define EDID_QUIRK_DETAILED_SYNC_PP (1 << 6)
/* Force reduced-blanking timings for detailed modes */
#define EDID_QUIRK_FORCE_REDUCED_BLANKING (1 << 7)
+/* Force 6bpc */
+#define EDID_QUIRK_FORCE_6BPC (1 << 10)
struct detailed_mode_closure {
struct drm_connector *connector;
@@ -94,6 +96,9 @@ static struct edid_quirk {
/* Unknown Acer */
{ "ACR", 2423, EDID_QUIRK_FIRST_DETAILED_PREFERRED },
+ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
/* Belinea 10 15 55 */
{ "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
{ "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
@@ -1752,6 +1757,9 @@ int drm_add_edid_modes(struct drm_connector *connector, struct edid *edid)
drm_add_display_info(edid, &connector->display_info);
+ if (quirks & EDID_QUIRK_FORCE_6BPC)
+ connector->display_info.bpc = 6;
+
return num_modes;
}
EXPORT_SYMBOL(drm_add_edid_modes);
diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index 473bd330032e..fde52a05d919 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -1138,7 +1138,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
le16_to_cpu(firmware_info->info.usReferenceClock);
p1pll->reference_div = 0;
- if (crev < 2)
+ if ((frev < 2) && (crev < 2))
p1pll->pll_out_min =
le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
else
@@ -1147,7 +1147,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
p1pll->pll_out_max =
le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
- if (crev >= 4) {
+ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
p1pll->lcd_pll_out_min =
le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
if (p1pll->lcd_pll_out_min == 0)
diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
index 6303fc8fcb8e..40633f3ad044 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -1589,7 +1589,6 @@ radeon_add_atom_connector(struct drm_device *dev,
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1787,8 +1786,10 @@ radeon_add_atom_connector(struct drm_device *dev,
}
if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
@@ -1860,7 +1861,6 @@ radeon_add_legacy_connector(struct drm_device *dev,
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1945,10 +1945,13 @@ radeon_add_legacy_connector(struct drm_device *dev,
}
if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
+
connector->display_info.subpixel_order = subpixel_order;
drm_sysfs_connector_add(connector);
if (connector_type == DRM_MODE_CONNECTOR_LVDS) {
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
index 0b5468bfaf54..a4327436221b 100644
--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -248,8 +248,8 @@ static int radeon_move_blit(struct ttm_buffer_object *bo,
if (unlikely(r)) {
return r;
}
- old_start = old_mem->start << PAGE_SHIFT;
- new_start = new_mem->start << PAGE_SHIFT;
+ old_start = (u64)old_mem->start << PAGE_SHIFT;
+ new_start = (u64)new_mem->start << PAGE_SHIFT;
switch (old_mem->mem_type) {
case TTM_PL_VRAM:
diff --git a/drivers/hwmon/adt7411.c b/drivers/hwmon/adt7411.c
index 5cc3e3784b42..aa09f269a7d6 100644
--- a/drivers/hwmon/adt7411.c
+++ b/drivers/hwmon/adt7411.c
@@ -31,6 +31,7 @@
#define ADT7411_REG_CFG1 0x18
#define ADT7411_CFG1_START_MONITOR (1 << 0)
+#define ADT7411_CFG1_RESERVED_BIT3 (1 << 3)
#define ADT7411_REG_CFG2 0x19
#define ADT7411_CFG2_DISABLE_AVG (1 << 5)
@@ -291,8 +292,10 @@ static int __devinit adt7411_probe(struct i2c_client *client,
mutex_init(&data->device_lock);
mutex_init(&data->update_lock);
+ /* According to the datasheet, we must only write 1 to bit 3 */
ret = adt7411_modify_bit(client, ADT7411_REG_CFG1,
- ADT7411_CFG1_START_MONITOR, 1);
+ ADT7411_CFG1_RESERVED_BIT3
+ | ADT7411_CFG1_START_MONITOR, 1);
if (ret < 0)
goto exit_free;
diff --git a/drivers/i2c/busses/i2c-eg20t.c b/drivers/i2c/busses/i2c-eg20t.c
index 2cda65bf2c0e..46f7bea0385c 100644
--- a/drivers/i2c/busses/i2c-eg20t.c
+++ b/drivers/i2c/busses/i2c-eg20t.c
@@ -893,13 +893,6 @@ static int __devinit pch_i2c_probe(struct pci_dev *pdev,
/* Set the number of I2C channel instance */
adap_info->ch_num = id->driver_data;
- ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
- KBUILD_MODNAME, adap_info);
- if (ret) {
- pch_pci_err(pdev, "request_irq FAILED\n");
- goto err_request_irq;
- }
-
for (i = 0; i < adap_info->ch_num; i++) {
pch_adap = &adap_info->pch_data[i].pch_adapter;
adap_info->pch_i2c_suspended = false;
@@ -916,6 +909,17 @@ static int __devinit pch_i2c_probe(struct pci_dev *pdev,
adap_info->pch_data[i].pch_base_address = base_addr + 0x100 * i;
pch_adap->dev.parent = &pdev->dev;
+ }
+
+ ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+ KBUILD_MODNAME, adap_info);
+ if (ret) {
+ pch_pci_err(pdev, "request_irq FAILED\n");
+ goto err_request_irq;
+ }
+
+ for (i = 0; i < adap_info->ch_num; i++) {
+ pch_adap = &adap_info->pch_data[i].pch_adapter;
pch_i2c_init(&adap_info->pch_data[i]);
ret = i2c_add_adapter(pch_adap);
diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
index d2360a8ef0b2..180d7f436ed5 100644
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -106,7 +106,6 @@ struct mcast_group {
atomic_t refcount;
enum mcast_group_state state;
struct ib_sa_query *query;
- int query_id;
u16 pkey_index;
u8 leave_state;
int retries;
@@ -339,11 +338,7 @@ static int send_join(struct mcast_group *group, struct mcast_member *member)
member->multicast.comp_mask,
3000, GFP_KERNEL, join_handler, group,
&group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static int send_leave(struct mcast_group *group, u8 leave_state)
@@ -363,11 +358,7 @@ static int send_leave(struct mcast_group *group, u8 leave_state)
IB_SA_MCMEMBER_REC_JOIN_STATE,
3000, GFP_KERNEL, leave_handler,
group, &group->query);
- if (ret >= 0) {
- group->query_id = ret;
- ret = 0;
- }
- return ret;
+ return (ret > 0) ? 0 : ret;
}
static void join_group(struct mcast_group *group, struct mcast_member *member,
diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
index 86df632ea612..19b70c0c56dd 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -434,6 +434,7 @@ void ipoib_send(struct net_device *dev, struct sk_buff *skb,
struct ipoib_ah *address, u32 qpn);
void ipoib_reap_ah(struct work_struct *work);
+struct ipoib_path *__path_find(struct net_device *dev, void *gid);
void ipoib_mark_paths_invalid(struct net_device *dev);
void ipoib_flush_paths(struct net_device *dev);
struct ipoib_dev_priv *ipoib_intf_alloc(const char *format);
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
index 376785364420..0bbe030d26a8 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1288,6 +1288,8 @@ void ipoib_cm_destroy_tx(struct ipoib_cm_tx *tx)
}
}
+#define QPN_AND_OPTIONS_OFFSET 4
+
static void ipoib_cm_tx_start(struct work_struct *work)
{
struct ipoib_dev_priv *priv = container_of(work, struct ipoib_dev_priv,
@@ -1296,6 +1298,7 @@ static void ipoib_cm_tx_start(struct work_struct *work)
struct ipoib_neigh *neigh;
struct ipoib_cm_tx *p;
unsigned long flags;
+ struct ipoib_path *path;
int ret;
struct ib_sa_path_rec pathrec;
@@ -1308,7 +1311,19 @@ static void ipoib_cm_tx_start(struct work_struct *work)
p = list_entry(priv->cm.start_list.next, typeof(*p), list);
list_del_init(&p->list);
neigh = p->neigh;
+
qpn = IPOIB_QPN(neigh->neighbour->ha);
+ /*
+ * As long as the search is with these 2 locks,
+ * path existence indicates its validity.
+ */
+ path = __path_find(dev, neigh->neighbour->ha + QPN_AND_OPTIONS_OFFSET);
+ if (!path) {
+ pr_info("%s ignore not valid path %pI6\n",
+ __func__,
+ neigh->neighbour->ha + QPN_AND_OPTIONS_OFFSET);
+ goto free_neigh;
+ }
memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);
spin_unlock_irqrestore(&priv->lock, flags);
@@ -1320,6 +1335,7 @@ static void ipoib_cm_tx_start(struct work_struct *work)
spin_lock_irqsave(&priv->lock, flags);
if (ret) {
+free_neigh:
neigh = p->neigh;
if (neigh) {
neigh->cm = NULL;
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
index 4115be54ba3b..1282cb31653d 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -973,8 +973,17 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv,
}
if (level == IPOIB_FLUSH_LIGHT) {
+ int oper_up;
ipoib_mark_paths_invalid(dev);
+ /* Set IPoIB operation as down to prevent races between:
+ * the flush flow which leaves MCG and on the fly joins
+ * which can happen during that time. mcast restart task
+ * should deal with join requests we missed.
+ */
+ oper_up = test_and_clear_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
ipoib_mcast_dev_flush(dev);
+ if (oper_up)
+ set_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
}
if (level >= IPOIB_FLUSH_NORMAL)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 1740b8217c4d..ae3b1d21e9eb 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -208,7 +208,7 @@ static int ipoib_change_mtu(struct net_device *dev, int new_mtu)
return 0;
}
-static struct ipoib_path *__path_find(struct net_device *dev, void *gid)
+struct ipoib_path *__path_find(struct net_device *dev, void *gid)
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
struct rb_node *n = priv->path_tree.rb_node;
diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 7f39abd566c2..37471e004a29 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -825,6 +825,9 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
struct usb_endpoint_descriptor *ep_irq_in;
int i, error;
+ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+ return -ENODEV;
+
for (i = 0; xpad_device[i].idVendor; i++) {
if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
(le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
index 178e75d6bb06..1284b9221179 100644
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1223,6 +1223,7 @@ static int __init i8042_create_kbd_port(void)
serio->start = i8042_start;
serio->stop = i8042_stop;
serio->close = i8042_port_close;
+ serio->ps2_cmd_mutex = &i8042_mutex;
serio->port_data = port;
serio->dev.parent = &i8042_platform_device->dev;
strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name));
@@ -1248,6 +1249,7 @@ static int __init i8042_create_aux_port(int idx)
serio->write = i8042_aux_write;
serio->start = i8042_start;
serio->stop = i8042_stop;
+ serio->ps2_cmd_mutex = &i8042_mutex;
serio->port_data = port;
serio->dev.parent = &i8042_platform_device->dev;
if (idx < 0) {
@@ -1310,21 +1312,6 @@ static void __devexit i8042_unregister_ports(void)
}
}
-/*
- * Checks whether port belongs to i8042 controller.
- */
-bool i8042_check_port_owner(const struct serio *port)
-{
- int i;
-
- for (i = 0; i < I8042_NUM_PORTS; i++)
- if (i8042_ports[i].serio == port)
- return true;
-
- return false;
-}
-EXPORT_SYMBOL(i8042_check_port_owner);
-
static void i8042_free_irqs(void)
{
if (i8042_aux_irq_registered)
diff --git a/drivers/input/serio/libps2.c b/drivers/input/serio/libps2.c
index 07a8363f3c5c..b5ec313cb9c9 100644
--- a/drivers/input/serio/libps2.c
+++ b/drivers/input/serio/libps2.c
@@ -57,19 +57,17 @@ EXPORT_SYMBOL(ps2_sendbyte);
void ps2_begin_command(struct ps2dev *ps2dev)
{
- mutex_lock(&ps2dev->cmd_mutex);
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_lock_chip();
+ mutex_lock(m);
}
EXPORT_SYMBOL(ps2_begin_command);
void ps2_end_command(struct ps2dev *ps2dev)
{
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_unlock_chip();
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
- mutex_unlock(&ps2dev->cmd_mutex);
+ mutex_unlock(m);
}
EXPORT_SYMBOL(ps2_end_command);
diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index 746b5e8bcacd..63226d1c67f3 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -279,10 +279,16 @@ static int flakey_map(struct dm_target *ti, struct bio *bio,
map_context->ll = 1;
/*
- * Map reads as normal.
+ * Map reads as normal only if corrupt_bio_byte set.
*/
- if (bio_data_dir(bio) == READ)
- goto map_bio;
+ if (bio_data_dir(bio) == READ) {
+ /* If flags were specified, only corrupt those that match. */
+ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+ all_corrupt_bio_flags_match(bio, fc))
+ goto map_bio;
+ else
+ return -EIO;
+ }
/*
* Drop writes?
@@ -321,12 +327,13 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio,
/*
* Corrupt successful READs while in down state.
- * If flags were specified, only corrupt those that match.
*/
- if (fc->corrupt_bio_byte && !error && bio_submitted_while_down &&
- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
- all_corrupt_bio_flags_match(bio, fc))
- corrupt_bio_data(bio, fc);
+ if (!error && bio_submitted_while_down && (bio_data_dir(bio) == READ)) {
+ if (fc->corrupt_bio_byte)
+ corrupt_bio_data(bio, fc);
+ else
+ return -EIO;
+ }
return error;
}
diff --git a/drivers/media/video/usbvision/usbvision-video.c b/drivers/media/video/usbvision/usbvision-video.c
index 902140e8db3e..8f7408116362 100644
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
@@ -1502,13 +1502,6 @@ static int __devinit usbvision_probe(struct usb_interface *intf,
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
- /*
- * this is a security check.
- * an exploit using an incorrect bInterfaceNumber is known
- */
- if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
- return -ENODEV;
-
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
else if (ifnum < dev->actconfig->desc.bNumInterfaces)
diff --git a/drivers/mtd/maps/pmcmsp-flash.c b/drivers/mtd/maps/pmcmsp-flash.c
index 744ca5cacc9b..f9fa3fad728e 100644
--- a/drivers/mtd/maps/pmcmsp-flash.c
+++ b/drivers/mtd/maps/pmcmsp-flash.c
@@ -75,15 +75,15 @@ static int __init init_msp_flash(void)
printk(KERN_NOTICE "Found %d PMC flash devices\n", fcnt);
- msp_flash = kmalloc(fcnt * sizeof(struct map_info *), GFP_KERNEL);
+ msp_flash = kcalloc(fcnt, sizeof(*msp_flash), GFP_KERNEL);
if (!msp_flash)
return -ENOMEM;
- msp_parts = kmalloc(fcnt * sizeof(struct mtd_partition *), GFP_KERNEL);
+ msp_parts = kcalloc(fcnt, sizeof(*msp_parts), GFP_KERNEL);
if (!msp_parts)
goto free_msp_flash;
- msp_maps = kcalloc(fcnt, sizeof(struct mtd_info), GFP_KERNEL);
+ msp_maps = kcalloc(fcnt, sizeof(*msp_maps), GFP_KERNEL);
if (!msp_maps)
goto free_msp_parts;
diff --git a/drivers/mtd/nand/davinci_nand.c b/drivers/mtd/nand/davinci_nand.c
index c153e1f77f90..4aa25d73dfef 100644
--- a/drivers/mtd/nand/davinci_nand.c
+++ b/drivers/mtd/nand/davinci_nand.c
@@ -239,6 +239,9 @@ static void nand_davinci_hwctl_4bit(struct mtd_info *mtd, int mode)
unsigned long flags;
u32 val;
+ /* Reset ECC hardware */
+ davinci_nand_readl(info, NAND_4BIT_ECC1_OFFSET);
+
spin_lock_irqsave(&davinci_nand_lock, flags);
/* Start 4-bit ECC calculation for read/write */
diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index 46ed2962ad08..89b85838cf3f 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -2229,7 +2229,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
uint8_t *wbuf = buf;
/* Partial page write? */
- if (unlikely(column || writelen < (mtd->writesize - 1))) {
+ if (unlikely(column || writelen < mtd->writesize)) {
cached = 0;
bytes = min_t(int, bytes - column, (int) writelen);
chip->pagebuf = -1;
diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 1f9c3637755a..5c87c94d6eab 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -974,6 +974,9 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, int vid_hdr_offset)
goto out_detach;
}
+ /* Make device "available" before it becomes accessible via sysfs */
+ ubi_devices[ubi_num] = ubi;
+
err = uif_init(ubi, &ref);
if (err)
goto out_detach;
@@ -1017,7 +1020,6 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, int vid_hdr_offset)
wake_up_process(ubi->bgt_thread);
spin_unlock(&ubi->wl_lock);
- ubi_devices[ubi_num] = ubi;
ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL);
return ubi_num;
@@ -1028,6 +1030,7 @@ out_uif:
ubi_assert(ref);
uif_close(ubi);
out_detach:
+ ubi_devices[ubi_num] = NULL;
ubi_wl_close(ubi);
free_internal_volumes(ubi);
vfree(ubi->vtbl);
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 217b0a3893fc..a1f434e1b29f 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <linux/netdevice.h>
#include <linux/if_arp.h>
+#include <linux/workqueue.h>
#include <linux/can.h>
#include <linux/can/dev.h>
#include <linux/can/netlink.h>
@@ -361,9 +362,8 @@ EXPORT_SYMBOL_GPL(can_free_echo_skb);
/*
* CAN device restart for bus-off recovery
*/
-void can_restart(unsigned long data)
+void can_restart(struct net_device *dev)
{
- struct net_device *dev = (struct net_device *)data;
struct can_priv *priv = netdev_priv(dev);
struct net_device_stats *stats = &dev->stats;
struct sk_buff *skb;
@@ -403,6 +403,14 @@ restart:
dev_err(dev->dev.parent, "Error %d during restart", err);
}
+static void can_restart_work(struct work_struct *work)
+{
+ struct delayed_work *dwork = to_delayed_work(work);
+ struct can_priv *priv = container_of(dwork, struct can_priv, restart_work);
+
+ can_restart(priv->dev);
+}
+
int can_restart_now(struct net_device *dev)
{
struct can_priv *priv = netdev_priv(dev);
@@ -416,8 +424,8 @@ int can_restart_now(struct net_device *dev)
if (priv->state != CAN_STATE_BUS_OFF)
return -EBUSY;
- /* Runs as soon as possible in the timer context */
- mod_timer(&priv->restart_timer, jiffies);
+ cancel_delayed_work_sync(&priv->restart_work);
+ can_restart(dev);
return 0;
}
@@ -439,8 +447,8 @@ void can_bus_off(struct net_device *dev)
priv->can_stats.bus_off++;
if (priv->restart_ms)
- mod_timer(&priv->restart_timer,
- jiffies + (priv->restart_ms * HZ) / 1000);
+ schedule_delayed_work(&priv->restart_work,
+ msecs_to_jiffies(priv->restart_ms));
}
EXPORT_SYMBOL_GPL(can_bus_off);
@@ -515,6 +523,7 @@ struct net_device *alloc_candev(int sizeof_priv, unsigned int echo_skb_max)
return NULL;
priv = netdev_priv(dev);
+ priv->dev = dev;
if (echo_skb_max) {
priv->echo_skb_max = echo_skb_max;
@@ -524,7 +533,7 @@ struct net_device *alloc_candev(int sizeof_priv, unsigned int echo_skb_max)
priv->state = CAN_STATE_STOPPED;
- init_timer(&priv->restart_timer);
+ INIT_DELAYED_WORK(&priv->restart_work, can_restart_work);
return dev;
}
@@ -558,8 +567,6 @@ int open_candev(struct net_device *dev)
if (!netif_carrier_ok(dev))
netif_carrier_on(dev);
- setup_timer(&priv->restart_timer, can_restart, (unsigned long)dev);
-
return 0;
}
EXPORT_SYMBOL_GPL(open_candev);
@@ -574,7 +581,7 @@ void close_candev(struct net_device *dev)
{
struct can_priv *priv = netdev_priv(dev);
- del_timer_sync(&priv->restart_timer);
+ cancel_delayed_work_sync(&priv->restart_work);
can_flush_echo_skb(dev);
}
EXPORT_SYMBOL_GPL(close_candev);
diff --git a/drivers/net/ethernet/ethoc.c b/drivers/net/ethernet/ethoc.c
index 251b635fe75a..b3b22f487b41 100644
--- a/drivers/net/ethernet/ethoc.c
+++ b/drivers/net/ethernet/ethoc.c
@@ -976,7 +976,7 @@ static int __devinit ethoc_probe(struct platform_device *pdev)
if (!priv->iobase) {
dev_err(&pdev->dev, "cannot remap I/O memory space\n");
ret = -ENXIO;
- goto error;
+ goto free;
}
if (netdev->mem_end) {
@@ -985,7 +985,7 @@ static int __devinit ethoc_probe(struct platform_device *pdev)
if (!priv->membase) {
dev_err(&pdev->dev, "cannot remap memory space\n");
ret = -ENXIO;
- goto error;
+ goto free;
}
} else {
/* Allocate buffer memory */
@@ -996,7 +996,7 @@ static int __devinit ethoc_probe(struct platform_device *pdev)
dev_err(&pdev->dev, "cannot allocate %dB buffer\n",
buffer_size);
ret = -ENOMEM;
- goto error;
+ goto free;
}
netdev->mem_end = netdev->mem_start + buffer_size;
priv->dma_alloc = buffer_size;
@@ -1007,7 +1007,7 @@ static int __devinit ethoc_probe(struct platform_device *pdev)
128, (netdev->mem_end - netdev->mem_start + 1) / ETHOC_BUFSIZ);
if (num_bd < 4) {
ret = -ENODEV;
- goto error;
+ goto free;
}
/* num_tx must be a power of two */
priv->num_tx = rounddown_pow_of_two(num_bd >> 1);
@@ -1019,7 +1019,7 @@ static int __devinit ethoc_probe(struct platform_device *pdev)
priv->vma = devm_kzalloc(&pdev->dev, num_bd*sizeof(void*), GFP_KERNEL);
if (!priv->vma) {
ret = -ENOMEM;
- goto error;
+ goto free;
}
/* Allow the platform setup code to pass in a MAC address. */
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 9907ac78aed0..4810d2628b10 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2275,8 +2275,6 @@ ppp_unregister_channel(struct ppp_channel *chan)
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
- put_net(pch->chan_net);
- pch->chan_net = NULL;
pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);
@@ -2883,6 +2881,9 @@ ppp_disconnect_channel(struct channel *pch)
*/
static void ppp_destroy_channel(struct channel *pch)
{
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;
+
atomic_dec(&channel_count);
if (!pch->file.dead) {
diff --git a/drivers/net/wireless/brcm80211/brcmsmac/stf.c b/drivers/net/wireless/brcm80211/brcmsmac/stf.c
index d8f528eb180c..6fc47ff0c9f9 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/stf.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/stf.c
@@ -86,7 +86,7 @@ void
brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
u16 chanspec)
{
- struct tx_power power;
+ struct tx_power power = { };
u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;
/* Clear previous settings */
diff --git a/drivers/pps/clients/pps_parport.c b/drivers/pps/clients/pps_parport.c
index e1b4705ae3ec..7e9bcd4a187e 100644
--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -194,7 +194,7 @@ static void parport_detach(struct parport *port)
struct pps_client_pp *device;
/* FIXME: oooh, this is ugly! */
- if (strcmp(pardev->name, KBUILD_MODNAME))
+ if (!pardev || strcmp(pardev->name, KBUILD_MODNAME))
/* not our port */
return;
diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c
index 65894f05a801..a0630eb41ae1 100644
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -1593,9 +1593,18 @@ void dasd_int_handler(struct ccw_device *cdev, unsigned long intparm,
unsigned long long now;
int expires;
+ cqr = (struct dasd_ccw_req *) intparm;
if (IS_ERR(irb)) {
switch (PTR_ERR(irb)) {
case -EIO:
+ if (cqr && cqr->status == DASD_CQR_CLEAR_PENDING) {
+ device = (struct dasd_device *) cqr->startdev;
+ cqr->status = DASD_CQR_CLEARED;
+ dasd_device_clear_timer(device);
+ wake_up(&dasd_flush_wq);
+ dasd_schedule_device_bh(device);
+ return;
+ }
break;
case -ETIMEDOUT:
DBF_EVENT_DEVID(DBF_WARNING, cdev, "%s: "
@@ -1611,7 +1620,6 @@ void dasd_int_handler(struct ccw_device *cdev, unsigned long intparm,
}
now = get_clock();
- cqr = (struct dasd_ccw_req *) intparm;
/* check for conditions that should be handled immediately */
if (!cqr ||
!(scsw_dstat(&irb->scsw) == (DEV_STAT_CHN_END | DEV_STAT_DEV_END) &&
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index 1254431d3053..e68febdf1a40 100644
--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
struct fib *fibptr;
struct hw_fib * hw_fib = (struct hw_fib *)0;
dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
- unsigned size;
+ unsigned int size, osize;
int retval;
if (dev->in_reset) {
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
* will not overrun the buffer when we copy the memory. Return
* an error if we would.
*/
- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+ osize = size = le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr);
if (size < le16_to_cpu(kfib->header.SenderSize))
size = le16_to_cpu(kfib->header.SenderSize);
if (size > dev->max_fib_size) {
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
goto cleanup;
}
+ /* Sanity check the second copy */
+ if ((osize != le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr))
+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
+ retval = -EINVAL;
+ goto cleanup;
+ }
+
if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
aac_adapter_interrupt(dev);
/*
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c
index f980600f78a8..2dcbb970deba 100644
--- a/drivers/scsi/arcmsr/arcmsr_hba.c
+++ b/drivers/scsi/arcmsr/arcmsr_hba.c
@@ -1803,7 +1803,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
unsigned char *ver_addr;
- int32_t my_empty_len, user_len, wqbuf_firstindex, wqbuf_lastindex;
+ uint32_t user_len;
+ int32_t my_empty_len, wqbuf_firstindex, wqbuf_lastindex;
uint8_t *pQbuffer, *ptmpuserbuffer;
ver_addr = kmalloc(1032, GFP_ATOMIC);
@@ -1820,6 +1821,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
}
ptmpuserbuffer = ver_addr;
user_len = pcmdmessagefld->cmdmessage.Length;
+ if (user_len > 1032) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ kfree(ver_addr);
+ goto message_out;
+ }
memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len);
wqbuf_lastindex = acb->wqbuf_lastindex;
wqbuf_firstindex = acb->wqbuf_firstindex;
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index 3b1ba103de2b..10550f3c7b45 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3508,7 +3508,7 @@ static int megasas_init_fw(struct megasas_instance *instance)
/* Find first memory bar */
bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
- if (pci_request_selected_regions(instance->pdev, instance->bar,
+ if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
"megasas: LSI")) {
printk(KERN_DEBUG "megasas: IO memory region busy!\n");
return -EBUSY;
@@ -3661,7 +3661,7 @@ fail_ready_state:
iounmap(instance->reg_set);
fail_ioremap:
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
return -EINVAL;
}
@@ -3682,7 +3682,7 @@ static void megasas_release_mfi(struct megasas_instance *instance)
iounmap(instance->reg_set);
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
}
/**
diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
index 3e0f71c155a3..1951f4e73bb5 100644
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -2026,7 +2026,7 @@ megasas_release_fusion(struct megasas_instance *instance)
iounmap(instance->reg_set);
- pci_release_selected_regions(instance->pdev, instance->bar);
+ pci_release_selected_regions(instance->pdev, 1<<instance->bar);
}
/**
diff --git a/drivers/staging/iio/accel/kxsd9.c b/drivers/staging/iio/accel/kxsd9.c
index 5541ed38e090..3ec7e34e8ada 100644
--- a/drivers/staging/iio/accel/kxsd9.c
+++ b/drivers/staging/iio/accel/kxsd9.c
@@ -163,11 +163,13 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
if (ret < 0)
goto error_ret;
*val = ret;
+ ret = IIO_VAL_INT;
break;
case (1 << IIO_CHAN_INFO_SCALE_SHARED):
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
if (ret < 0)
goto error_ret;
+ *val = 0;
*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
ret = IIO_VAL_INT_PLUS_MICRO;
break;
diff --git a/drivers/staging/pohmelfs/Kconfig b/drivers/staging/pohmelfs/Kconfig
index 8d53b1a1e715..b88769c03ccb 100644
--- a/drivers/staging/pohmelfs/Kconfig
+++ b/drivers/staging/pohmelfs/Kconfig
@@ -1,5 +1,6 @@
config POHMELFS
tristate "POHMELFS filesystem support"
+ depends on BROKEN
depends on NET
select CONNECTOR
select CRYPTO
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index 626e75b60caa..808d171bd1af 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1237,8 +1237,6 @@ int s3c24xx_serial_probe(struct platform_device *dev,
dbg("s3c24xx_serial_probe(%p, %p) %d\n", dev, info, probe_index);
ourport = &s3c24xx_serial_ports[probe_index];
- probe_index++;
-
dbg("%s: initialising port %p...\n", __func__, ourport);
ret = s3c24xx_serial_init_port(ourport, info, dev);
@@ -1275,6 +1273,8 @@ int __devexit s3c24xx_serial_remove(struct platform_device *dev)
uart_remove_one_port(&s3c24xx_uart_drv, port);
}
+ probe_index++;
+
return 0;
}
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index a605549ee28f..89c07d69a54a 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -386,34 +386,22 @@ static void to_utf8(struct vc_data *vc, uint c)
*/
void compute_shiftstate(void)
{
- unsigned int i, j, k, sym, val;
+ unsigned int k, sym, val;
shift_state = 0;
memset(shift_down, 0, sizeof(shift_down));
- for (i = 0; i < ARRAY_SIZE(key_down); i++) {
-
- if (!key_down[i])
+ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) {
+ sym = U(key_maps[0][k]);
+ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
continue;
- k = i * BITS_PER_LONG;
-
- for (j = 0; j < BITS_PER_LONG; j++, k++) {
-
- if (!test_bit(k, key_down))
- continue;
+ val = KVAL(sym);
+ if (val == KVAL(K_CAPSSHIFT))
+ val = KVAL(K_SHIFT);
- sym = U(key_maps[0][k]);
- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
- continue;
-
- val = KVAL(sym);
- if (val == KVAL(K_CAPSSHIFT))
- val = KVAL(K_SHIFT);
-
- shift_down[val]++;
- shift_state |= (1 << val);
- }
+ shift_down[val]++;
+ shift_state |= BIT(val);
}
}
diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 3d96de0b278c..a1b384ecabba 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1156,7 +1156,6 @@ made_compressed_probe:
spin_lock_init(&acm->write_lock);
spin_lock_init(&acm->read_lock);
mutex_init(&acm->mutex);
- acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
acm->is_int_ep = usb_endpoint_xfer_int(epread);
if (acm->is_int_ep)
acm->bInterval = epread->bInterval;
@@ -1205,14 +1204,14 @@ made_compressed_probe:
urb->transfer_dma = rb->dma;
if (acm->is_int_ep) {
usb_fill_int_urb(urb, acm->dev,
- acm->rx_endpoint,
+ usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
rb->base,
acm->readsize,
acm_read_bulk_callback, rb,
acm->bInterval);
} else {
usb_fill_bulk_urb(urb, acm->dev,
- acm->rx_endpoint,
+ usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
rb->base,
acm->readsize,
acm_read_bulk_callback, rb);
diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
index dfd66bb5977a..32ef178b8f86 100644
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -95,7 +95,6 @@ struct acm {
struct urb *read_urbs[ACM_NR];
struct acm_rb read_buffers[ACM_NR];
int rx_buflimit;
- int rx_endpoint;
spinlock_t read_lock;
int write_used; /* number of non-empty write buffers */
int transmitting;
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index ffc69891318a..5a28a14ffa1b 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -144,6 +144,31 @@ static void usb_parse_ss_endpoint_companion(struct device *ddev, int cfgno,
}
}
+static const unsigned short low_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 8,
+ [USB_ENDPOINT_XFER_ISOC] = 0,
+ [USB_ENDPOINT_XFER_BULK] = 0,
+ [USB_ENDPOINT_XFER_INT] = 8,
+};
+static const unsigned short full_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1023,
+ [USB_ENDPOINT_XFER_BULK] = 64,
+ [USB_ENDPOINT_XFER_INT] = 64,
+};
+static const unsigned short high_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 64,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 512,
+ [USB_ENDPOINT_XFER_INT] = 1024,
+};
+static const unsigned short super_speed_maxpacket_maxes[4] = {
+ [USB_ENDPOINT_XFER_CONTROL] = 512,
+ [USB_ENDPOINT_XFER_ISOC] = 1024,
+ [USB_ENDPOINT_XFER_BULK] = 1024,
+ [USB_ENDPOINT_XFER_INT] = 1024,
+};
+
static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
int asnum, struct usb_host_interface *ifp, int num_ep,
unsigned char *buffer, int size)
@@ -152,6 +177,8 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
struct usb_endpoint_descriptor *d;
struct usb_host_endpoint *endpoint;
int n, i, j, retval;
+ unsigned int maxp;
+ const unsigned short *maxpacket_maxes;
d = (struct usb_endpoint_descriptor *) buffer;
buffer += d->bLength;
@@ -186,8 +213,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
memcpy(&endpoint->desc, d, n);
INIT_LIST_HEAD(&endpoint->urb_list);
- /* Fix up bInterval values outside the legal range. Use 32 ms if no
- * proper value can be guessed. */
+ /*
+ * Fix up bInterval values outside the legal range.
+ * Use 10 or 8 ms if no proper value can be guessed.
+ */
i = 0; /* i = min, j = max, n = default */
j = 255;
if (usb_endpoint_xfer_int(d)) {
@@ -195,13 +224,15 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
switch (to_usb_device(ddev)->speed) {
case USB_SPEED_SUPER:
case USB_SPEED_HIGH:
- /* Many device manufacturers are using full-speed
+ /*
+ * Many device manufacturers are using full-speed
* bInterval values in high-speed interrupt endpoint
- * descriptors. Try to fix those and fall back to a
- * 32 ms default value otherwise. */
+ * descriptors. Try to fix those and fall back to an
+ * 8-ms default value otherwise.
+ */
n = fls(d->bInterval*8);
if (n == 0)
- n = 9; /* 32 ms = 2^(9-1) uframes */
+ n = 7; /* 8 ms = 2^(7-1) uframes */
j = 16;
/*
@@ -216,10 +247,12 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
}
break;
default: /* USB_SPEED_FULL or _LOW */
- /* For low-speed, 10 ms is the official minimum.
+ /*
+ * For low-speed, 10 ms is the official minimum.
* But some "overclocked" devices might want faster
- * polling so we'll allow it. */
- n = 32;
+ * polling so we'll allow it.
+ */
+ n = 10;
break;
}
} else if (usb_endpoint_xfer_isoc(d)) {
@@ -227,10 +260,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
j = 16;
switch (to_usb_device(ddev)->speed) {
case USB_SPEED_HIGH:
- n = 9; /* 32 ms = 2^(9-1) uframes */
+ n = 7; /* 8 ms = 2^(7-1) uframes */
break;
default: /* USB_SPEED_FULL */
- n = 6; /* 32 ms = 2^(6-1) frames */
+ n = 4; /* 8 ms = 2^(4-1) frames */
break;
}
}
@@ -258,6 +291,41 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
}
+ /* Validate the wMaxPacketSize field */
+ maxp = usb_endpoint_maxp(&endpoint->desc);
+
+ /* Find the highest legal maxpacket size for this endpoint */
+ i = 0; /* additional transactions per microframe */
+ switch (to_usb_device(ddev)->speed) {
+ case USB_SPEED_LOW:
+ maxpacket_maxes = low_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_FULL:
+ maxpacket_maxes = full_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_HIGH:
+ /* Bits 12..11 are allowed only for HS periodic endpoints */
+ if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
+ i = maxp & (BIT(12) | BIT(11));
+ maxp &= ~i;
+ }
+ /* fallthrough */
+ default:
+ maxpacket_maxes = high_speed_maxpacket_maxes;
+ break;
+ case USB_SPEED_SUPER:
+ maxpacket_maxes = super_speed_maxpacket_maxes;
+ break;
+ }
+ j = maxpacket_maxes[usb_endpoint_type(&endpoint->desc)];
+
+ if (maxp > j) {
+ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid maxpacket %d, setting to %d\n",
+ cfgno, inum, asnum, d->bEndpointAddress, maxp, j);
+ maxp = j;
+ endpoint->desc.wMaxPacketSize = cpu_to_le16(i | maxp);
+ }
+
/*
* Some buggy high speed devices have bulk endpoints using
* maxpacket sizes other than 512. High speed HCDs may not
@@ -265,9 +333,6 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
*/
if (to_usb_device(ddev)->speed == USB_SPEED_HIGH
&& usb_endpoint_xfer_bulk(d)) {
- unsigned maxp;
-
- maxp = usb_endpoint_maxp(&endpoint->desc) & 0x07ff;
if (maxp != 512)
dev_warn(ddev, "config %d interface %d altsetting %d "
"bulk endpoint 0x%X has invalid maxpacket %d\n",
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index ed11901ab8ab..45d3007cf86e 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1281,11 +1281,17 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
as->urb->setup_packet = (unsigned char *)dr;
as->urb->start_frame = uurb->start_frame;
as->urb->number_of_packets = uurb->number_of_packets;
- if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
- ps->dev->speed == USB_SPEED_HIGH)
- as->urb->interval = 1 << min(15, ep->desc.bInterval - 1);
- else
- as->urb->interval = ep->desc.bInterval;
+
+ if (ep->desc.bInterval) {
+ if (uurb->type == USBDEVFS_URB_TYPE_ISO ||
+ ps->dev->speed == USB_SPEED_HIGH ||
+ ps->dev->speed >= USB_SPEED_SUPER)
+ as->urb->interval = 1 <<
+ min(15, ep->desc.bInterval - 1);
+ else
+ as->urb->interval = ep->desc.bInterval;
+ }
+
as->urb->context = as;
as->urb->complete = async_completed;
for (totlen = u = 0; u < uurb->number_of_packets; u++) {
diff --git a/drivers/usb/gadget/fsl_qe_udc.c b/drivers/usb/gadget/fsl_qe_udc.c
index e00cf92409ce..4e2b5a901ffe 100644
--- a/drivers/usb/gadget/fsl_qe_udc.c
+++ b/drivers/usb/gadget/fsl_qe_udc.c
@@ -1883,11 +1883,8 @@ static int qe_get_frame(struct usb_gadget *gadget)
tmp = in_be16(&udc_controller->usb_param->frame_n);
if (tmp & 0x8000)
- tmp = tmp & 0x07ff;
- else
- tmp = -EINVAL;
-
- return (int)tmp;
+ return tmp & 0x07ff;
+ return -EINVAL;
}
/* Tries to wake up the host connected to this gadget
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 860581308f87..13bb316e832b 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -278,6 +278,9 @@ static int xhci_stop_device(struct xhci_hcd *xhci, int slot_id, int suspend)
ret = 0;
virt_dev = xhci->devs[slot_id];
+ if (!virt_dev)
+ return -ENODEV;
+
cmd = xhci_alloc_command(xhci, false, true, GFP_NOIO);
if (!cmd) {
xhci_dbg(xhci, "Couldn't allocate command structure.\n");
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 50af559183eb..cc6aa66f4278 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -252,12 +252,13 @@ static void xhci_pci_remove(struct pci_dev *dev)
usb_remove_hcd(xhci->shared_hcd);
usb_put_hcd(xhci->shared_hcd);
}
- usb_hcd_pci_remove(dev);
/* Workaround for spurious wakeups at shutdown with HSW */
if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
pci_set_power_state(dev, PCI_D3hot);
+ usb_hcd_pci_remove(dev);
+
kfree(xhci);
}
diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
index 6fb551476cca..2eb39b39ea1b 100644
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -760,15 +760,22 @@ static void usbhsf_dma_prepare_tasklet(unsigned long data)
{
struct usbhs_pkt *pkt = (struct usbhs_pkt *)data;
struct usbhs_pipe *pipe = pkt->pipe;
- struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
+ struct usbhs_fifo *fifo;
struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
struct scatterlist sg;
struct dma_async_tx_descriptor *desc;
- struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
+ struct dma_chan *chan;
struct device *dev = usbhs_priv_to_dev(priv);
enum dma_data_direction dir;
dma_cookie_t cookie;
+ unsigned long flags;
+
+ usbhs_lock(priv, flags);
+ fifo = usbhs_pipe_to_fifo(pipe);
+ if (!fifo)
+ goto xfer_work_end;
+ chan = usbhsf_dma_chan_get(fifo, pkt);
dir = usbhs_pipe_is_dir_in(pipe) ? DMA_FROM_DEVICE : DMA_TO_DEVICE;
sg_init_table(&sg, 1);
@@ -781,7 +788,7 @@ static void usbhsf_dma_prepare_tasklet(unsigned long data)
DMA_PREP_INTERRUPT |
DMA_CTRL_ACK);
if (!desc)
- return;
+ goto xfer_work_end;
desc->callback = usbhsf_dma_complete;
desc->callback_param = pipe;
@@ -789,7 +796,7 @@ static void usbhsf_dma_prepare_tasklet(unsigned long data)
cookie = desc->tx_submit(desc);
if (cookie < 0) {
dev_err(dev, "Failed to submit dma descriptor\n");
- return;
+ goto xfer_work_end;
}
dev_dbg(dev, " %s %d (%d/ %d)\n",
@@ -797,6 +804,9 @@ static void usbhsf_dma_prepare_tasklet(unsigned long data)
usbhsf_dma_start(pipe, fifo);
dma_async_issue_pending(chan);
+
+xfer_work_end:
+ usbhs_unlock(priv, flags);
}
/*
diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
index 0b1fc0776b82..eb465621193b 100644
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -472,6 +472,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
struct usbhs_pipe *pipe;
int ret = -EIO;
+ unsigned long flags;
+
+ usbhs_lock(priv, flags);
/*
* if it already have pipe,
@@ -480,7 +483,8 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
if (uep->pipe) {
usbhs_pipe_clear(uep->pipe);
usbhs_pipe_sequence_data0(uep->pipe);
- return 0;
+ ret = 0;
+ goto usbhsg_ep_enable_end;
}
pipe = usbhs_pipe_malloc(priv,
@@ -508,6 +512,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
ret = 0;
}
+usbhsg_ep_enable_end:
+ usbhs_unlock(priv, flags);
+
return ret;
}
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index f0b752591f2e..93fe0077f108 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -672,6 +672,8 @@ static struct usb_device_id id_table_combined [] = {
{ USB_DEVICE(FTDI_VID, FTDI_ELV_TFD128_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_ELV_FM3RX_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_ELV_WS777_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_PALMSENS_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_IVIUM_XSTAT_PID) },
{ USB_DEVICE(FTDI_VID, LINX_SDMUSBQSS_PID) },
{ USB_DEVICE(FTDI_VID, LINX_MASTERDEVEL2_PID) },
{ USB_DEVICE(FTDI_VID, LINX_FUTURE_0_PID) },
@@ -1030,6 +1032,7 @@ static struct usb_device_id id_table_combined [] = {
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
{ }, /* Optional parameter entry */
{ } /* Terminating entry */
};
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index c2e80ebe34a9..559669786a20 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -406,6 +406,12 @@
#define FTDI_4N_GALAXY_DE_3_PID 0xF3C2
/*
+ * Ivium Technologies product IDs
+ */
+#define FTDI_PALMSENS_PID 0xf440
+#define FTDI_IVIUM_XSTAT_PID 0xf441
+
+/*
* Linx Technologies product ids
*/
#define LINX_SDMUSBQSS_PID 0xF448 /* Linx SDM-USB-QS-S */
@@ -667,6 +673,12 @@
#define INTREPID_NEOVI_PID 0x0701
/*
+ * WICED USB UART
+ */
+#define WICED_VID 0x0A5C
+#define WICED_USB20706V2_PID 0x6422
+
+/*
* Definitions for ID TECH (www.idt-net.com) devices
*/
#define IDTECH_VID 0x0ACD /* ID TECH Vendor ID */
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index 8e02ff2b7d7f..e3609b84b7a8 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1320,7 +1320,7 @@ static int mos7720_write(struct tty_struct *tty, struct usb_serial_port *port,
if (urb->transfer_buffer == NULL) {
urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
- GFP_KERNEL);
+ GFP_ATOMIC);
if (urb->transfer_buffer == NULL) {
dev_err(&port->dev, "%s no more kernel memory...\n",
__func__);
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 80fc40a0c99a..59fdb84d016f 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1524,8 +1524,8 @@ static int mos7840_write(struct tty_struct *tty, struct usb_serial_port *port,
}
if (urb->transfer_buffer == NULL) {
- urb->transfer_buffer =
- kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL);
+ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+ GFP_ATOMIC);
if (urb->transfer_buffer == NULL) {
dev_err(&port->dev, "%s no more kernel memory...\n",
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index d541b2540837..10e79b76e8d1 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -273,6 +273,7 @@ static void option_instat_callback(struct urb *urb);
#define TELIT_PRODUCT_LE922_USBCFG3 0x1043
#define TELIT_PRODUCT_LE920 0x1200
#define TELIT_PRODUCT_LE910 0x1201
+#define TELIT_PRODUCT_LE910_USBCFG4 0x1206
/* ZTE PRODUCTS */
#define ZTE_VENDOR_ID 0x19d2
@@ -511,6 +512,12 @@ static void option_instat_callback(struct urb *urb);
#define VIATELECOM_VENDOR_ID 0x15eb
#define VIATELECOM_PRODUCT_CDS7 0x0001
+/* WeTelecom products */
+#define WETELECOM_VENDOR_ID 0x22de
+#define WETELECOM_PRODUCT_WMD200 0x6801
+#define WETELECOM_PRODUCT_6802 0x6802
+#define WETELECOM_PRODUCT_WMD300 0x6803
+
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
OPTION_BLACKLIST_NONE = 0,
@@ -1193,6 +1200,8 @@ static const struct usb_device_id option_ids[] = {
.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
@@ -1942,8 +1951,12 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
{ USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index 28153fb2225d..2975c5089dac 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -142,6 +142,8 @@ static void leak_balloon(struct virtio_balloon *vb, size_t num)
/* We can only do one array worth at a time. */
num = min(num, ARRAY_SIZE(vb->pfns));
+ /* We can't release more pages than taken */
+ num = min(num, (size_t)vb->num_pages);
for (vb->num_pfns = 0; vb->num_pfns < num; vb->num_pfns++) {
page = list_first_entry(&vb->pages, struct page, lru);
list_del(&page->lru);
diff --git a/drivers/xen/xenfs/xenbus.c b/drivers/xen/xenfs/xenbus.c
index bbd000f88af7..98559b05aacd 100644
--- a/drivers/xen/xenfs/xenbus.c
+++ b/drivers/xen/xenfs/xenbus.c
@@ -310,11 +310,18 @@ static int xenbus_write_transaction(unsigned msg_type,
rc = -ENOMEM;
goto out;
}
+ } else if (msg_type == XS_TRANSACTION_END) {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
+ if (&trans->list == &u->transactions)
+ return -ESRCH;
}
reply = xenbus_dev_request_and_reply(&u->u.msg);
if (IS_ERR(reply)) {
- kfree(trans);
+ if (msg_type == XS_TRANSACTION_START)
+ kfree(trans);
rc = PTR_ERR(reply);
goto out;
}
@@ -324,12 +331,7 @@ static int xenbus_write_transaction(unsigned msg_type,
list_add(&trans->list, &u->transactions);
} else if (msg_type == XS_TRANSACTION_END) {
- list_for_each_entry(trans, &u->transactions, list)
- if (trans->handle.id == u->u.msg.tx_id)
- break;
- BUG_ON(&trans->list == &u->transactions);
list_del(&trans->list);
-
kfree(trans);
}
diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 9a1d42630751..a4188cfcc9f9 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -319,32 +319,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- retval = posix_acl_equiv_mode(acl, &mode);
- if (retval < 0)
+ struct iattr iattr;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+ if (retval)
goto err_out;
- else {
- struct iattr iattr;
- if (retval == 0) {
- /*
- * ACL can be represented
- * by the mode bits. So don't
- * update ACL.
- */
- acl = NULL;
- value = NULL;
- size = 0;
- }
- /* Updte the mode bits */
- iattr.ia_mode = ((mode & S_IALLUGO) |
- (inode->i_mode & ~S_IALLUGO));
- iattr.ia_valid = ATTR_MODE;
- /* FIXME should we update ctime ?
- * What is the following setxattr update the
- * mode ?
+ if (!acl) {
+ /*
+ * ACL can be represented
+ * by the mode bits. So don't
+ * update ACL.
*/
- v9fs_vfs_setattr_dotl(dentry, &iattr);
+ value = NULL;
+ size = 0;
}
+ iattr.ia_valid = ATTR_MODE;
+ /* FIXME should we update ctime ?
+ * What is the following setxattr update the
+ * mode ?
+ */
+ v9fs_vfs_setattr_dotl(dentry, &iattr);
}
break;
case ACL_TYPE_DEFAULT:
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index adedfd401a30..34defa195a80 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -1068,7 +1068,7 @@ static int v9fs_vfs_setattr(struct dentry *dentry, struct iattr *iattr)
struct p9_wstat wstat;
P9_DPRINTK(P9_DEBUG_VFS, "\n");
- retval = inode_change_ok(dentry->d_inode, iattr);
+ retval = setattr_prepare(dentry, iattr);
if (retval)
return retval;
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index dbbc83f6dc3b..781e56e328eb 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -538,7 +538,7 @@ int v9fs_vfs_setattr_dotl(struct dentry *dentry, struct iattr *iattr)
P9_DPRINTK(P9_DEBUG_VFS, "\n");
- retval = inode_change_ok(dentry->d_inode, iattr);
+ retval = setattr_prepare(dentry, iattr);
if (retval)
return retval;
diff --git a/fs/adfs/inode.c b/fs/adfs/inode.c
index 1dab6a174d6a..c5e42d8c06a1 100644
--- a/fs/adfs/inode.c
+++ b/fs/adfs/inode.c
@@ -298,7 +298,7 @@ adfs_notify_change(struct dentry *dentry, struct iattr *attr)
unsigned int ia_valid = attr->ia_valid;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
/*
* we can't change the UID or GID of any file -
diff --git a/fs/affs/inode.c b/fs/affs/inode.c
index 88a4b0b50058..abda0dc63ec3 100644
--- a/fs/affs/inode.c
+++ b/fs/affs/inode.c
@@ -222,7 +222,7 @@ affs_notify_change(struct dentry *dentry, struct iattr *attr)
pr_debug("AFFS: notify_change(%lu,0x%x)\n",inode->i_ino,attr->ia_valid);
- error = inode_change_ok(inode,attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out;
diff --git a/fs/attr.c b/fs/attr.c
index b8f55c40fb1d..a7f0c75734c2 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -16,19 +16,22 @@
#include <linux/evm.h>
/**
- * inode_change_ok - check if attribute changes to an inode are allowed
- * @inode: inode to check
+ * setattr_prepare - check if attribute changes to a dentry are allowed
+ * @dentry: dentry to check
* @attr: attributes to change
*
* Check if we are allowed to change the attributes contained in @attr
- * in the given inode. This includes the normal unix access permission
- * checks, as well as checks for rlimits and others.
+ * in the given dentry. This includes the normal unix access permission
+ * checks, as well as checks for rlimits and others. The function also clears
+ * SGID bit from mode if user is not allowed to set it. Also file capabilities
+ * and IMA extended attributes are cleared if ATTR_KILL_PRIV is set.
*
* Should be called as the first thing in ->setattr implementations,
* possibly after taking additional locks.
*/
-int inode_change_ok(const struct inode *inode, struct iattr *attr)
+int setattr_prepare(struct dentry *dentry, struct iattr *attr)
{
+ struct inode *inode = dentry->d_inode;
unsigned int ia_valid = attr->ia_valid;
/*
@@ -43,7 +46,7 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
/* If force is set do it anyway. */
if (ia_valid & ATTR_FORCE)
- return 0;
+ goto kill_priv;
/* Make sure a caller can chown. */
if ((ia_valid & ATTR_UID) &&
@@ -74,9 +77,19 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr)
return -EPERM;
}
+kill_priv:
+ /* User has permission for the change */
+ if (ia_valid & ATTR_KILL_PRIV) {
+ int error;
+
+ error = security_inode_killpriv(dentry);
+ if (error)
+ return error;
+ }
+
return 0;
}
-EXPORT_SYMBOL(inode_change_ok);
+EXPORT_SYMBOL(setattr_prepare);
/**
* inode_newsize_ok - may this inode be truncated to a given size
@@ -196,13 +209,11 @@ int notify_change(struct dentry * dentry, struct iattr * attr)
if (!(ia_valid & ATTR_MTIME_SET))
attr->ia_mtime = now;
if (ia_valid & ATTR_KILL_PRIV) {
- attr->ia_valid &= ~ATTR_KILL_PRIV;
- ia_valid &= ~ATTR_KILL_PRIV;
error = security_inode_need_killpriv(dentry);
- if (error > 0)
- error = security_inode_killpriv(dentry);
- if (error)
+ if (error < 0)
return error;
+ if (error == 0)
+ ia_valid = attr->ia_valid &= ~ATTR_KILL_PRIV;
}
/*
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 89b156d85d63..9f55b545ea44 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -118,8 +118,8 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans,
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- ret = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (ret < 0)
+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (ret)
return ret;
}
ret = 0;
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 9a7efbec8c63..d84977d16b02 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3533,7 +3533,7 @@ static int btrfs_setattr(struct dentry *dentry, struct iattr *attr)
if (btrfs_root_readonly(root))
return -EROFS;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index eb6a0e6f6ecd..360072f42afe 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1302,6 +1302,9 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file,
int namelen;
int ret = 0;
+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
if (root->fs_info->sb->s_flags & MS_RDONLY)
return -EROFS;
@@ -1350,6 +1353,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file,
struct btrfs_ioctl_vol_args *vol_args;
int ret;
+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
@@ -1372,6 +1378,9 @@ static noinline int btrfs_ioctl_snap_create_v2(struct file *file,
u64 *ptr = NULL;
bool readonly = false;
+ if (!S_ISDIR(file->f_dentry->d_inode->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
@@ -1848,6 +1857,9 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
int ret;
int err = 0;
+ if (!S_ISDIR(dir->i_mode))
+ return -ENOTDIR;
+
vol_args = memdup_user(arg, sizeof(*vol_args));
if (IS_ERR(vol_args))
return PTR_ERR(vol_args);
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index ed72428d9c75..3cdf137e9c5b 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -793,17 +793,15 @@ out:
static loff_t ceph_llseek(struct file *file, loff_t offset, int origin)
{
struct inode *inode = file->f_mapping->host;
- int ret;
+ loff_t ret;
mutex_lock(&inode->i_mutex);
__ceph_do_pending_vmtruncate(inode);
if (origin == SEEK_END || origin == SEEK_DATA || origin == SEEK_HOLE) {
ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE);
- if (ret < 0) {
- offset = ret;
+ if (ret < 0)
goto out;
- }
}
switch (origin) {
@@ -818,7 +816,7 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int origin)
* write() or lseek() might have altered it
*/
if (offset == 0) {
- offset = file->f_pos;
+ ret = file->f_pos;
goto out;
}
offset += file->f_pos;
@@ -839,7 +837,7 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int origin)
}
if (offset < 0 || offset > inode->i_sb->s_maxbytes) {
- offset = -EINVAL;
+ ret = -EINVAL;
goto out;
}
@@ -848,10 +846,11 @@ static loff_t ceph_llseek(struct file *file, loff_t offset, int origin)
file->f_pos = offset;
file->f_version = 0;
}
+ ret = offset;
out:
mutex_unlock(&inode->i_mutex);
- return offset;
+ return ret;
}
const struct file_operations ceph_file_fops = {
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 8e889b773d24..6a6c2e3f99ad 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1541,7 +1541,7 @@ int ceph_setattr(struct dentry *dentry, struct iattr *attr)
__ceph_do_pending_vmtruncate(inode);
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err != 0)
return err;
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index 1dc0af7f34c0..91f66c518a54 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -1948,7 +1948,7 @@ cifs_setattr_unix(struct dentry *direntry, struct iattr *attrs)
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
attrs->ia_valid |= ATTR_FORCE;
- rc = inode_change_ok(inode, attrs);
+ rc = setattr_prepare(direntry, attrs);
if (rc < 0)
goto out;
@@ -2089,7 +2089,7 @@ cifs_setattr_nounix(struct dentry *direntry, struct iattr *attrs)
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_PERM)
attrs->ia_valid |= ATTR_FORCE;
- rc = inode_change_ok(inode, attrs);
+ rc = setattr_prepare(direntry, attrs);
if (rc < 0) {
FreeXid(xid);
return rc;
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 782569be0bb4..03935798a45e 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -1026,7 +1026,7 @@ static int ecryptfs_setattr(struct dentry *dentry, struct iattr *ia)
}
mutex_unlock(&crypt_stat->cs_mutex);
- rc = inode_change_ok(inode, ia);
+ rc = setattr_prepare(dentry, ia);
if (rc)
goto out;
if (ia->ia_valid & ATTR_SIZE) {
diff --git a/fs/exofs/inode.c b/fs/exofs/inode.c
index f6dbf7768ce6..b43884261c48 100644
--- a/fs/exofs/inode.c
+++ b/fs/exofs/inode.c
@@ -1018,7 +1018,7 @@ int exofs_setattr(struct dentry *dentry, struct iattr *iattr)
if (unlikely(error))
return error;
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (unlikely(error))
return error;
diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
index 35d6a3cfd9ff..e38a9b61af3f 100644
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -194,15 +194,11 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
case ACL_TYPE_ACCESS:
name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = CURRENT_TIME_SEC;
- mark_inode_dirty(inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = CURRENT_TIME_SEC;
+ mark_inode_dirty(inode);
}
break;
diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
index 5a45b8fef4e6..0d0f1a63b691 100644
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1530,7 +1530,7 @@ int ext2_setattr(struct dentry *dentry, struct iattr *iattr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;
diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c
index 3091f62e55b6..880d3d64bb14 100644
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -199,15 +199,11 @@ ext3_set_acl(handle_t *handle, struct inode *inode, int type,
case ACL_TYPE_ACCESS:
name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = CURRENT_TIME_SEC;
- ext3_mark_inode_dirty(handle, inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = CURRENT_TIME_SEC;
+ ext3_mark_inode_dirty(handle, inode);
}
break;
diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c
index 71b263fbca32..ff33188d225e 100644
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -223,8 +223,12 @@ void ext3_evict_inode (struct inode *inode)
*
* Note that directories do not have this problem because they don't
* use page cache.
+ *
+ * The s_journal check handles the case when ext3_get_journal() fails
+ * and puts the journal inode.
*/
if (inode->i_nlink && ext3_should_journal_data(inode) &&
+ EXT3_SB(inode->i_sb)->s_journal &&
(S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
tid_t commit_tid = atomic_read(&ei->i_datasync_tid);
journal_t *journal = EXT3_SB(inode->i_sb)->s_journal;
@@ -3271,7 +3275,7 @@ int ext3_setattr(struct dentry *dentry, struct iattr *attr)
int error, rc = 0;
const unsigned int ia_valid = attr->ia_valid;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index 8535c45dfceb..5d419a496d96 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -198,15 +198,11 @@ ext4_set_acl(handle_t *handle, struct inode *inode, int type,
case ACL_TYPE_ACCESS:
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- inode->i_ctime = ext4_current_time(inode);
- ext4_mark_inode_dirty(handle, inode);
- if (error == 0)
- acl = NULL;
- }
+ inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
}
break;
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index e3d65abb41b3..bb40a70ed412 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -319,9 +319,13 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext)
ext4_fsblk_t block = ext4_ext_pblock(ext);
int len = ext4_ext_get_actual_len(ext);
ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
- ext4_lblk_t last = lblock + len - 1;
- if (len == 0 || lblock > last)
+ /*
+ * We allow neither:
+ * - zero length
+ * - overflow/wrap-around
+ */
+ if (lblock + len <= lblock)
return 0;
return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
}
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 010f050a87b3..ff2e369de040 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -142,9 +142,9 @@ void ext4_evict_inode(struct inode *inode)
* Note that directories do not have this problem because they
* don't use page cache.
*/
- if (ext4_should_journal_data(inode) &&
- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
- inode->i_ino != EXT4_JOURNAL_INO) {
+ if (inode->i_ino != EXT4_JOURNAL_INO &&
+ ext4_should_journal_data(inode) &&
+ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
@@ -4291,7 +4291,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
int orphan = 0;
const unsigned int ia_valid = attr->ia_valid;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 7c03826bde26..242fe11aea20 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2824,7 +2824,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
"fs metadata\n", block, block+len);
/* File system mounted not to panic on error
- * Fix the bitmap and repeat the block allocation
+ * Fix the bitmap and return EIO
* We leak some of the blocks here.
*/
ext4_lock_group(sb, ac->ac_b_ex.fe_group);
@@ -2833,7 +2833,7 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
if (!err)
- err = -EAGAIN;
+ err = -EIO;
goto out_err;
}
@@ -4401,18 +4401,7 @@ repeat:
}
if (likely(ac->ac_status == AC_STATUS_FOUND)) {
*errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
- if (*errp == -EAGAIN) {
- /*
- * drop the reference that we took
- * in ext4_mb_use_best_found
- */
- ext4_mb_release_context(ac);
- ac->ac_b_ex.fe_group = 0;
- ac->ac_b_ex.fe_start = 0;
- ac->ac_b_ex.fe_len = 0;
- ac->ac_status = AC_STATUS_CONTINUE;
- goto repeat;
- } else if (*errp)
+ if (*errp)
errout:
ext4_discard_allocated_blocks(ac);
else {
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 52b8ac740201..7266a2e5befc 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2097,6 +2097,7 @@ int ext4_group_desc_csum_verify(struct ext4_sb_info *sbi, __u32 block_group,
/* Called at mount-time, super-block is locked */
static int ext4_check_descriptors(struct super_block *sb,
+ ext4_fsblk_t sb_block,
ext4_group_t *first_not_zeroed)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
@@ -2127,6 +2128,11 @@ static int ext4_check_descriptors(struct super_block *sb,
grp = i;
block_bitmap = ext4_block_bitmap(sb, gdp);
+ if (block_bitmap == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Block bitmap for group %u overlaps "
+ "superblock", i);
+ }
if (block_bitmap < first_block || block_bitmap > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
"Block bitmap for group %u not in group "
@@ -2134,6 +2140,11 @@ static int ext4_check_descriptors(struct super_block *sb,
return 0;
}
inode_bitmap = ext4_inode_bitmap(sb, gdp);
+ if (inode_bitmap == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode bitmap for group %u overlaps "
+ "superblock", i);
+ }
if (inode_bitmap < first_block || inode_bitmap > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
"Inode bitmap for group %u not in group "
@@ -2141,6 +2152,11 @@ static int ext4_check_descriptors(struct super_block *sb,
return 0;
}
inode_table = ext4_inode_table(sb, gdp);
+ if (inode_table == sb_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode table for group %u overlaps "
+ "superblock", i);
+ }
if (inode_table < first_block ||
inode_table + sbi->s_itb_per_group - 1 > last_block) {
ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
@@ -2246,6 +2262,16 @@ static void ext4_orphan_cleanup(struct super_block *sb,
while (es->s_last_orphan) {
struct inode *inode;
+ /*
+ * We may have encountered an error during cleanup; if
+ * so, skip the rest.
+ */
+ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
+ jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
+ es->s_last_orphan = 0;
+ break;
+ }
+
inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
if (IS_ERR(inode)) {
es->s_last_orphan = 0;
@@ -3429,6 +3455,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
goto failed_mount;
}
+ if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
+ ext4_msg(sb, KERN_ERR,
+ "Number of reserved GDT blocks insanely large: %d",
+ le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks));
+ goto failed_mount;
+ }
+
if (sb->s_blocksize != blocksize) {
/* Validate the filesystem blocksize */
if (!sb_set_blocksize(sb, blocksize)) {
@@ -3657,7 +3690,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
goto failed_mount2;
}
}
- if (!ext4_check_descriptors(sb, &first_not_zeroed)) {
+ if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
goto failed_mount2;
}
diff --git a/fs/fat/file.c b/fs/fat/file.c
index c118acf16e43..ef4753ee220d 100644
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -382,7 +382,7 @@ int fat_setattr(struct dentry *dentry, struct iattr *attr)
attr->ia_valid &= ~TIMES_SET_FLAGS;
}
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
attr->ia_valid = ia_valid;
if (error) {
if (sbi->options.quiet)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index e13558ca4b09..15c1d2948f4a 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1298,7 +1298,7 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
attr->ia_valid |= ATTR_FORCE;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(entry, attr);
if (err)
return err;
diff --git a/fs/generic_acl.c b/fs/generic_acl.c
index d0dddaceac59..a3f3e70f9750 100644
--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -86,16 +86,17 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
if (error)
goto failed;
switch (type) {
- case ACL_TYPE_ACCESS:
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ case ACL_TYPE_ACCESS: {
+ struct posix_acl *saved_acl = acl;
+
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
goto failed;
inode->i_ctime = CURRENT_TIME;
- if (error == 0) {
- posix_acl_release(acl);
- acl = NULL;
- }
break;
+ }
case ACL_TYPE_DEFAULT:
if (!S_ISDIR(inode->i_mode)) {
error = -EINVAL;
diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c
index 65978d7885c8..75f6085da350 100644
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -277,16 +277,14 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
goto out_release;
if (type == ACL_TYPE_ACCESS) {
- umode_t mode = inode->i_mode;
- error = posix_acl_equiv_mode(acl, &mode);
+ struct posix_acl *saved_acl = acl;
+ umode_t mode;
- if (error <= 0) {
- posix_acl_release(acl);
- acl = NULL;
-
- if (error < 0)
- return error;
- }
+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error || acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
+ return error;
error = gfs2_set_mode(inode, mode);
if (error)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index cfd4959b218c..d4f83804b008 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -1646,7 +1646,7 @@ static int gfs2_setattr(struct dentry *dentry, struct iattr *attr)
if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
goto out;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out;
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index a1a9fdcd2a00..532d6cb2dca8 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -588,7 +588,7 @@ int hfs_inode_setattr(struct dentry *dentry, struct iattr * attr)
struct hfs_sb_info *hsb = HFS_SB(inode->i_sb);
int error;
- error = inode_change_ok(inode, attr); /* basic permission checks */
+ error = setattr_prepare(dentry, attr); /* basic permission checks */
if (error)
return error;
diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index 40e1413be4cf..63a252428370 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -292,7 +292,7 @@ static int hfsplus_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c
index 8db3979cdba6..3f3b1bd7d751 100644
--- a/fs/hostfs/hostfs_kern.c
+++ b/fs/hostfs/hostfs_kern.c
@@ -792,7 +792,7 @@ int hostfs_setattr(struct dentry *dentry, struct iattr *attr)
int fd = HOSTFS_I(inode)->fd;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
@@ -955,10 +955,11 @@ static int hostfs_fill_sb_common(struct super_block *sb, void *d, int silent)
if (S_ISLNK(root_inode->i_mode)) {
char *name = follow_link(host_root_path);
- if (IS_ERR(name))
+ if (IS_ERR(name)) {
err = PTR_ERR(name);
- else
- err = read_name(root_inode, name);
+ goto out_put;
+ }
+ err = read_name(root_inode, name);
kfree(name);
if (err)
goto out_put;
diff --git a/fs/hpfs/inode.c b/fs/hpfs/inode.c
index 3b2cec29972b..00fc9434501a 100644
--- a/fs/hpfs/inode.c
+++ b/fs/hpfs/inode.c
@@ -268,7 +268,7 @@ int hpfs_setattr(struct dentry *dentry, struct iattr *attr)
if ((attr->ia_valid & ATTR_SIZE) && attr->ia_size > inode->i_size)
goto out_unlock;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
goto out_unlock;
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index ebab116b0779..55573322d1bb 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -422,7 +422,7 @@ static int hugetlbfs_setattr(struct dentry *dentry, struct iattr *attr)
BUG_ON(!inode);
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
index 926d02068a14..d963e55f98fb 100644
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -227,9 +227,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
case ACL_TYPE_ACCESS:
xprefix = JFFS2_XPREFIX_ACL_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- rc = posix_acl_equiv_mode(acl, &mode);
- if (rc < 0)
+ umode_t mode;
+
+ rc = posix_acl_update_mode(inode, &mode, &acl);
+ if (rc)
return rc;
if (inode->i_mode != mode) {
struct iattr attr;
@@ -241,8 +242,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
if (rc < 0)
return rc;
}
- if (rc == 0)
- acl = NULL;
}
break;
case ACL_TYPE_DEFAULT:
diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index 4b8afe39a87f..73652b2093b4 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -186,7 +186,7 @@ int jffs2_setattr(struct dentry *dentry, struct iattr *iattr)
{
int rc;
- rc = inode_change_ok(dentry->d_inode, iattr);
+ rc = setattr_prepare(dentry, iattr);
if (rc)
return rc;
diff --git a/fs/jfs/file.c b/fs/jfs/file.c
index 844f9460cb11..5ab3a0c214b5 100644
--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -102,7 +102,7 @@ int jfs_setattr(struct dentry *dentry, struct iattr *iattr)
struct inode *inode = dentry->d_inode;
int rc;
- rc = inode_change_ok(inode, iattr);
+ rc = setattr_prepare(dentry, iattr);
if (rc)
return rc;
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index 26683e15b3ac..1078c9382429 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -693,9 +693,11 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
return rc;
}
if (acl) {
- rc = posix_acl_equiv_mode(acl, &inode->i_mode);
+ struct posix_acl *dummy = acl;
+
+ rc = posix_acl_update_mode(inode, &inode->i_mode, &dummy);
posix_acl_release(acl);
- if (rc < 0) {
+ if (rc) {
printk(KERN_ERR
"posix_acl_equiv_mode returned %d\n",
rc);
diff --git a/fs/libfs.c b/fs/libfs.c
index ce85edf8aca5..d2f43c9068d2 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -364,7 +364,7 @@ int simple_setattr(struct dentry *dentry, struct iattr *iattr)
WARN_ON_ONCE(inode->i_op->truncate);
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;
diff --git a/fs/logfs/file.c b/fs/logfs/file.c
index b548c87a86f1..562bbc62bec2 100644
--- a/fs/logfs/file.c
+++ b/fs/logfs/file.c
@@ -241,7 +241,7 @@ static int logfs_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int err = 0;
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
diff --git a/fs/minix/file.c b/fs/minix/file.c
index 4493ce695ab8..d23e13cbfb0c 100644
--- a/fs/minix/file.c
+++ b/fs/minix/file.c
@@ -28,7 +28,7 @@ static int minix_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ncpfs/inode.c b/fs/ncpfs/inode.c
index cbd1a61c110a..dce88e9399a4 100644
--- a/fs/ncpfs/inode.c
+++ b/fs/ncpfs/inode.c
@@ -880,7 +880,7 @@ int ncp_notify_change(struct dentry *dentry, struct iattr *attr)
/* ageing the dentry to force validation */
ncp_age_dentry(server, dentry);
- result = inode_change_ok(inode, attr);
+ result = setattr_prepare(dentry, attr);
if (result < 0)
goto out;
diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
index 6d22d356937b..9839726fe40c 100644
--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -878,7 +878,7 @@ static __be32 nfs4_callback_compound(struct svc_rqst *rqstp, void *argp, void *r
if (hdr_arg.minorversion == 0) {
cps.clp = nfs4_find_client_ident(hdr_arg.cb_ident);
if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp))
- return rpc_drop_reply;
+ goto out_invalidcred;
}
hdr_res.taglen = hdr_arg.taglen;
@@ -905,6 +905,10 @@ static __be32 nfs4_callback_compound(struct svc_rqst *rqstp, void *argp, void *r
nfs_put_client(cps.clp);
dprintk("%s: done, status = %u\n", __func__, ntohl(status));
return rpc_success;
+
+out_invalidcred:
+ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n");
+ return rpc_autherr_badcred;
}
/*
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 9fc799828ea7..0ba9bf7704d1 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5360,14 +5360,21 @@ static int _nfs4_proc_create_session(struct nfs_client *clp)
status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
+ switch (status) {
+ case -NFS4ERR_STALE_CLIENTID:
+ case -NFS4ERR_DELAY:
+ case -ETIMEDOUT:
+ case -EACCES:
+ case -EAGAIN:
+ goto out;
+ };
+
+ clp->cl_seqid++;
if (!status)
/* Verify the session's negotiated channel_attrs values */
status = nfs4_verify_channel_attrs(&args, session);
- if (!status) {
- /* Increment the clientid slot sequence id */
- clp->cl_seqid++;
- }
+out:
return status;
}
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 301391a0bffc..fccc545d1292 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -747,6 +747,9 @@ int nfs_updatepage(struct file *file, struct page *page,
file->f_path.dentry->d_name.name, count,
(long long)(page_offset(page) + offset));
+ if (!count)
+ goto out;
+
/* If we're not using byte range locks, and we know the page
* is up to date, it may be more efficient to extend the write
* to cover the entire page in order to avoid fragmentation
@@ -764,7 +767,7 @@ int nfs_updatepage(struct file *file, struct page *page,
nfs_set_pageerror(page);
else
__set_page_dirty_nobuffers(page);
-
+out:
dprintk("NFS: nfs_updatepage returns %d (isize %lld)\n",
status, (long long)i_size_read(inode));
return status;
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index e2e7914aff3b..855e3f80e4e1 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -301,17 +301,19 @@ commit_metadata(struct svc_fh *fhp)
* NFS semantics and what Linux expects.
*/
static void
-nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
+nfsd_sanitize_attrs(struct dentry *dentry, struct iattr *iap)
{
+ struct inode *inode = dentry->d_inode;
+
/*
* NFSv2 does not differentiate between "set-[ac]time-to-now"
* which only requires access, and "set-[ac]time-to-X" which
* requires ownership.
* So if it looks like it might be "set both to the same time which
- * is close to now", and if inode_change_ok fails, then we
+ * is close to now", and if setattr_prepare fails, then we
* convert to "set to now" instead of "set to explicit time"
*
- * We only call inode_change_ok as the last test as technically
+ * We only call setattr_prepare as the last test as technically
* it is not an interface that we should be using.
*/
#define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
@@ -329,7 +331,7 @@ nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
if (delta < 0)
delta = -delta;
if (delta < MAX_TOUCH_TIME_ERROR &&
- inode_change_ok(inode, iap) != 0) {
+ setattr_prepare(dentry, iap) != 0) {
/*
* Turn off ATTR_[AM]TIME_SET but leave ATTR_[AM]TIME.
* This will cause notify_change to set these times
@@ -437,7 +439,7 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
if (!iap->ia_valid)
goto out;
- nfsd_sanitize_attrs(inode, iap);
+ nfsd_sanitize_attrs(dentry, iap);
/*
* The size case is special, it changes the file in addition to the
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index b2d8a967d1d6..3a708189e7a9 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -792,7 +792,7 @@ int nilfs_setattr(struct dentry *dentry, struct iattr *iattr)
struct super_block *sb = inode->i_sb;
int err;
- err = inode_change_ok(inode, iattr);
+ err = setattr_prepare(dentry, iattr);
if (err)
return err;
diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
index 97e2dacbc867..c84f026c79ab 100644
--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -2890,7 +2890,7 @@ int ntfs_setattr(struct dentry *dentry, struct iattr *attr)
int err;
unsigned int ia_valid = attr->ia_valid;
- err = inode_change_ok(vi, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
goto out;
/* We do not support NTFS ACLs yet. */
diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
index a7219075b4de..7e6e1f826358 100644
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -247,14 +247,11 @@ static int ocfs2_set_acl(handle_t *handle,
case ACL_TYPE_ACCESS:
name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- umode_t mode = inode->i_mode;
- ret = posix_acl_equiv_mode(acl, &mode);
- if (ret < 0)
+ umode_t mode;
+ ret = posix_acl_update_mode(inode, &mode, &acl);
+ if (ret)
return ret;
else {
- if (ret == 0)
- acl = NULL;
-
ret = ocfs2_acl_set_mode(inode, di_bh,
handle, mode);
if (ret)
diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
index f65bdcf61526..6d97883e2652 100644
--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -265,7 +265,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
struct dlm_lock *lock, int flags, int type)
{
enum dlm_status status;
- u8 old_owner = res->owner;
mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -332,7 +331,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
spin_lock(&res->spinlock);
res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
- lock->convert_pending = 0;
/* if it failed, move it back to granted queue.
* if master returns DLM_NORMAL and then down before sending ast,
* it may have already been moved to granted queue, reset to
@@ -341,12 +339,14 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
if (status != DLM_NOTQUEUED)
dlm_error(status);
dlm_revert_pending_convert(res, lock);
- } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
- (old_owner != res->owner)) {
- mlog(0, "res %.*s is in recovering or has been recovered.\n",
- res->lockname.len, res->lockname.name);
+ } else if (!lock->convert_pending) {
+ mlog(0, "%s: res %.*s, owner died and lock has been moved back "
+ "to granted list, retry convert.\n",
+ dlm->name, res->lockname.len, res->lockname.name);
status = DLM_RECOVERING;
}
+
+ lock->convert_pending = 0;
bail:
spin_unlock(&res->spinlock);
diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c
index b42076797049..d0ab0bfd1efa 100644
--- a/fs/ocfs2/dlmfs/dlmfs.c
+++ b/fs/ocfs2/dlmfs/dlmfs.c
@@ -212,7 +212,7 @@ static int dlmfs_file_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
attr->ia_valid &= ~ATTR_SIZE;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index 6a7a3d9a56b8..a678e2287f52 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1127,7 +1127,7 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
if (!(attr->ia_valid & OCFS2_VALID_ATTRS))
return 0;
- status = inode_change_ok(inode, attr);
+ status = setattr_prepare(dentry, attr);
if (status)
return status;
@@ -1518,7 +1518,8 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
u64 start, u64 len)
{
int ret = 0;
- u64 tmpend, end = start + len;
+ u64 tmpend = 0;
+ u64 end = start + len;
struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
unsigned int csize = osb->s_clustersize;
handle_t *handle;
@@ -1550,18 +1551,31 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
}
/*
- * We want to get the byte offset of the end of the 1st cluster.
+ * If start is on a cluster boundary and end is somewhere in another
+ * cluster, we have not COWed the cluster starting at start, unless
+ * end is also within the same cluster. So, in this case, we skip this
+ * first call to ocfs2_zero_range_for_truncate() truncate and move on
+ * to the next one.
*/
- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
- if (tmpend > end)
- tmpend = end;
+ if ((start & (csize - 1)) != 0) {
+ /*
+ * We want to get the byte offset of the end of the 1st
+ * cluster.
+ */
+ tmpend = (u64)osb->s_clustersize +
+ (start & ~(osb->s_clustersize - 1));
+ if (tmpend > end)
+ tmpend = end;
- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
- (unsigned long long)tmpend);
+ trace_ocfs2_zero_partial_clusters_range1(
+ (unsigned long long)start,
+ (unsigned long long)tmpend);
- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
- if (ret)
- mlog_errno(ret);
+ ret = ocfs2_zero_range_for_truncate(inode, handle, start,
+ tmpend);
+ if (ret)
+ mlog_errno(ret);
+ }
if (tmpend < end) {
/*
diff --git a/fs/omfs/file.c b/fs/omfs/file.c
index 2c6d95257a4d..26972e74b9aa 100644
--- a/fs/omfs/file.c
+++ b/fs/omfs/file.c
@@ -345,7 +345,7 @@ static int omfs_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 6c70ab22a3e3..0ff20797e162 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -341,6 +341,36 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
return not_equiv;
}
+/**
+ * posix_acl_update_mode - update mode in set_acl
+ *
+ * Update the file mode when setting an ACL: compute the new file permission
+ * bits based on the ACL. In addition, if the ACL is equivalent to the new
+ * file mode, set *acl to NULL to indicate that no ACL should be set.
+ *
+ * As with chmod, clear the setgit bit if the caller is not in the owning group
+ * or capable of CAP_FSETID (see inode_change_ok).
+ *
+ * Called from set_acl inode operations.
+ */
+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
+ struct posix_acl **acl)
+{
+ umode_t mode = inode->i_mode;
+ int error;
+
+ error = posix_acl_equiv_mode(*acl, &mode);
+ if (error < 0)
+ return error;
+ if (error == 0)
+ *acl = NULL;
+ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+ mode &= ~S_ISGID;
+ *mode_p = mode;
+ return 0;
+}
+EXPORT_SYMBOL(posix_acl_update_mode);
+
/*
* Modify the ACL for the chmod syscall.
*/
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 402976ab746a..2c38a3e4fa51 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -558,7 +558,7 @@ int proc_setattr(struct dentry *dentry, struct iattr *attr)
if (attr->ia_valid & ATTR_MODE)
return -EPERM;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/proc/generic.c b/fs/proc/generic.c
index 10090d9c7ad5..d0d6bb6e62c8 100644
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -257,7 +257,7 @@ static int proc_notify_change(struct dentry *dentry, struct iattr *iattr)
struct proc_dir_entry *de = PDE(inode);
int error;
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
return error;
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 0be1aa46d9d1..ec205953fd58 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -387,7 +387,7 @@ static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
return -EPERM;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c
index d5378d028589..b79c545340a7 100644
--- a/fs/ramfs/file-nommu.c
+++ b/fs/ramfs/file-nommu.c
@@ -164,7 +164,7 @@ static int ramfs_nommu_setattr(struct dentry *dentry, struct iattr *ia)
int ret = 0;
/* POSIX UID/GID verification for setting inode attributes */
- ret = inode_change_ok(inode, ia);
+ ret = setattr_prepare(dentry, ia);
if (ret)
return ret;
diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
index fcb07e5a5159..ff10dda73bb5 100644
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -3107,7 +3107,7 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
int depth;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
index 6da0396e5052..1d4f4c74d2c3 100644
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -272,13 +272,9 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
if (acl) {
- error = posix_acl_equiv_mode(acl, &inode->i_mode);
- if (error < 0)
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
return error;
- else {
- if (error == 0)
- acl = NULL;
- }
}
break;
case ACL_TYPE_DEFAULT:
diff --git a/fs/seq_file.c b/fs/seq_file.c
index dba43c3ea3af..253a33b8c57a 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -184,8 +184,10 @@ ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
size -= n;
buf += n;
copied += n;
- if (!m->count)
+ if (!m->count) {
+ m->from = 0;
m->index++;
+ }
if (!size)
goto Done;
}
diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c
index 9db61a41c1ad..6f54e62f464e 100644
--- a/fs/sysfs/inode.c
+++ b/fs/sysfs/inode.c
@@ -114,7 +114,7 @@ int sysfs_setattr(struct dentry *dentry, struct iattr *iattr)
return -EINVAL;
mutex_lock(&sysfs_mutex);
- error = inode_change_ok(inode, iattr);
+ error = setattr_prepare(dentry, iattr);
if (error)
goto out;
diff --git a/fs/sysv/file.c b/fs/sysv/file.c
index 0a65939508e9..e48fe258479f 100644
--- a/fs/sysv/file.c
+++ b/fs/sysv/file.c
@@ -35,7 +35,7 @@ static int sysv_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
index 9df621795ed2..3cc9067b714e 100644
--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -1260,7 +1260,7 @@ int ubifs_setattr(struct dentry *dentry, struct iattr *attr)
dbg_gen("ino %lu, mode %#x, ia_valid %#x",
inode->i_ino, inode->i_mode, attr->ia_valid);
- err = inode_change_ok(inode, attr);
+ err = setattr_prepare(dentry, attr);
if (err)
return err;
diff --git a/fs/ubifs/tnc_commit.c b/fs/ubifs/tnc_commit.c
index 4c15f07a8bb2..ff108db16b75 100644
--- a/fs/ubifs/tnc_commit.c
+++ b/fs/ubifs/tnc_commit.c
@@ -373,7 +373,7 @@ static int layout_in_gaps(struct ubifs_info *c, int cnt)
p = c->gap_lebs;
do {
- ubifs_assert(p < c->gap_lebs + sizeof(int) * c->lst.idx_lebs);
+ ubifs_assert(p < c->gap_lebs + c->lst.idx_lebs);
written = layout_leb_in_gaps(c, p);
if (written < 0) {
err = written;
diff --git a/fs/udf/file.c b/fs/udf/file.c
index 874c9e3c0686..26f9b5206a78 100644
--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -251,7 +251,7 @@ static int udf_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/ufs/truncate.c b/fs/ufs/truncate.c
index f04f89fbd4d9..92cde998aead 100644
--- a/fs/ufs/truncate.c
+++ b/fs/ufs/truncate.c
@@ -496,7 +496,7 @@ int ufs_setattr(struct dentry *dentry, struct iattr *attr)
unsigned int ia_valid = attr->ia_valid;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/fs/utimes.c b/fs/utimes.c
index ba653f3dc1bc..cc428b21d789 100644
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -80,7 +80,7 @@ static int utimes_common(struct path *path, struct timespec *times)
newattrs.ia_valid |= ATTR_MTIME_SET;
}
/*
- * Tell inode_change_ok(), that this is an explicit time
+ * Tell setattr_prepare(), that this is an explicit time
* update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
* were used.
*/
@@ -89,7 +89,7 @@ static int utimes_common(struct path *path, struct timespec *times)
/*
* If times is NULL (or both times are UTIME_NOW),
* then we need to check permissions, because
- * inode_change_ok() won't do it.
+ * setattr_prepare() won't do it.
*/
error = -EACCES;
if (IS_IMMUTABLE(inode))
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index ac702a6eab9b..ebed5a825a58 100644
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -223,7 +223,7 @@ xfs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
}
static int
-xfs_set_mode(struct inode *inode, umode_t mode)
+xfs_set_mode(struct dentry *dentry, struct inode *inode, umode_t mode)
{
int error = 0;
@@ -234,7 +234,8 @@ xfs_set_mode(struct inode *inode, umode_t mode)
iattr.ia_mode = mode;
iattr.ia_ctime = current_fs_time(inode->i_sb);
- error = -xfs_setattr_nonsize(XFS_I(inode), &iattr, XFS_ATTR_NOACL);
+ error = -xfs_setattr_nonsize(dentry, XFS_I(inode), &iattr,
+ XFS_ATTR_NOACL);
}
return error;
@@ -290,7 +291,7 @@ xfs_inherit_acl(struct inode *inode, struct posix_acl *acl)
if (error > 0)
inherit = 1;
- error = xfs_set_mode(inode, mode);
+ error = xfs_set_mode(NULL, inode, mode);
if (error)
goto out;
@@ -383,18 +384,15 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
goto out_release;
if (type == ACL_TYPE_ACCESS) {
- umode_t mode = inode->i_mode;
- error = posix_acl_equiv_mode(acl, &mode);
+ struct posix_acl *saved_acl = acl;
+ umode_t mode;
- if (error <= 0) {
- posix_acl_release(acl);
- acl = NULL;
-
- if (error < 0)
- return error;
- }
-
- error = xfs_set_mode(inode, mode);
+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error || acl == NULL)
+ posix_acl_release(saved_acl);
+ if (error)
+ return error;
+ error = xfs_set_mode(dentry, inode, mode);
if (error)
goto out_release;
}
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 8ae937a18da3..ba1d4779ece6 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -1026,7 +1026,8 @@ xfs_file_fallocate(
if (file->f_flags & O_DSYNC)
attr_flags |= XFS_ATTR_SYNC;
- error = -xfs_change_file_space(ip, cmd, &bf, 0, attr_flags);
+ error = -xfs_change_file_space(file->f_dentry, cmd, &bf, 0,
+ attr_flags);
if (error)
goto out_unlock;
@@ -1036,7 +1037,8 @@ xfs_file_fallocate(
iattr.ia_valid = ATTR_SIZE;
iattr.ia_size = new_size;
- error = -xfs_setattr_size(ip, &iattr, XFS_ATTR_NOLOCK);
+ error = -xfs_setattr_size(file->f_dentry, &iattr,
+ XFS_ATTR_NOLOCK);
}
out_unlock:
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index eb519de68047..5a213c96d51f 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -632,7 +632,8 @@ xfs_ioc_space(
if (ioflags & IO_INVIS)
attr_flags |= XFS_ATTR_DMI;
- error = xfs_change_file_space(ip, cmd, bf, filp->f_pos, attr_flags);
+ error = xfs_change_file_space(filp->f_dentry, cmd, bf, filp->f_pos,
+ attr_flags);
return -error;
}
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 1c01f04f46d2..a20378e34122 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -531,6 +531,7 @@ xfs_setattr_mode(
int
xfs_setattr_nonsize(
+ struct dentry *dentry,
struct xfs_inode *ip,
struct iattr *iattr,
int flags)
@@ -553,9 +554,15 @@ xfs_setattr_nonsize(
if (XFS_FORCED_SHUTDOWN(mp))
return XFS_ERROR(EIO);
- error = -inode_change_ok(inode, iattr);
- if (error)
- return XFS_ERROR(error);
+ /*
+ * dentry can be NULL only when we're called from xfs_inherit_acl(),
+ * in which case no permission checks are needed
+ */
+ if (dentry) {
+ error = -setattr_prepare(dentry, iattr);
+ if (error)
+ return XFS_ERROR(error);
+ }
ASSERT((mask & ATTR_SIZE) == 0);
@@ -755,12 +762,13 @@ out_dqrele:
*/
int
xfs_setattr_size(
- struct xfs_inode *ip,
+ struct dentry *dentry,
struct iattr *iattr,
int flags)
{
+ struct inode *inode = dentry->d_inode;
+ struct xfs_inode *ip = XFS_I(inode);
struct xfs_mount *mp = ip->i_mount;
- struct inode *inode = VFS_I(ip);
int mask = iattr->ia_valid;
struct xfs_trans *tp;
int error;
@@ -776,7 +784,7 @@ xfs_setattr_size(
if (XFS_FORCED_SHUTDOWN(mp))
return XFS_ERROR(EIO);
- error = -inode_change_ok(inode, iattr);
+ error = -setattr_prepare(dentry, iattr);
if (error)
return XFS_ERROR(error);
@@ -802,7 +810,7 @@ xfs_setattr_size(
*/
xfs_iunlock(ip, lock_flags);
iattr->ia_valid &= ~ATTR_SIZE;
- return xfs_setattr_nonsize(ip, iattr, 0);
+ return xfs_setattr_nonsize(dentry, ip, iattr, 0);
}
/*
@@ -950,8 +958,8 @@ xfs_vn_setattr(
struct iattr *iattr)
{
if (iattr->ia_valid & ATTR_SIZE)
- return -xfs_setattr_size(XFS_I(dentry->d_inode), iattr, 0);
- return -xfs_setattr_nonsize(XFS_I(dentry->d_inode), iattr, 0);
+ return -xfs_setattr_size(dentry, iattr, 0);
+ return -xfs_setattr_nonsize(dentry, XFS_I(dentry->d_inode), iattr, 0);
}
#define XFS_FIEMAP_FLAGS (FIEMAP_FLAG_SYNC|FIEMAP_FLAG_XATTR)
diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
index ee98d0bf0f6a..feb9e7556829 100644
--- a/fs/xfs/xfs_vnodeops.c
+++ b/fs/xfs/xfs_vnodeops.c
@@ -2234,12 +2234,13 @@ xfs_free_file_space(
*/
int
xfs_change_file_space(
- xfs_inode_t *ip,
+ struct dentry *dentry,
int cmd,
xfs_flock64_t *bf,
xfs_off_t offset,
int attr_flags)
{
+ xfs_inode_t *ip = XFS_I(dentry->d_inode);
xfs_mount_t *mp = ip->i_mount;
int clrprealloc;
int error;
@@ -2329,7 +2330,7 @@ xfs_change_file_space(
iattr.ia_valid = ATTR_SIZE;
iattr.ia_size = startoffset;
- error = xfs_setattr_size(ip, &iattr, attr_flags);
+ error = xfs_setattr_size(dentry, &iattr, attr_flags);
if (error)
return error;
diff --git a/fs/xfs/xfs_vnodeops.h b/fs/xfs/xfs_vnodeops.h
index c0f7714b98d0..938c4267d44b 100644
--- a/fs/xfs/xfs_vnodeops.h
+++ b/fs/xfs/xfs_vnodeops.h
@@ -13,8 +13,9 @@ struct xfs_inode;
struct xfs_iomap;
-int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap, int flags);
-int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap, int flags);
+int xfs_setattr_nonsize(struct dentry *dentry, struct xfs_inode *ip,
+ struct iattr *vap, int flags);
+int xfs_setattr_size(struct dentry *dentry, struct iattr *vap, int flags);
#define XFS_ATTR_DMI 0x01 /* invocation from a DMI function */
#define XFS_ATTR_NONBLOCK 0x02 /* return EAGAIN if operation would block */
#define XFS_ATTR_NOLOCK 0x04 /* Don't grab any conflicting locks */
@@ -37,7 +38,7 @@ int xfs_readdir(struct xfs_inode *dp, void *dirent, size_t bufsize,
int xfs_symlink(struct xfs_inode *dp, struct xfs_name *link_name,
const char *target_path, mode_t mode, struct xfs_inode **ipp);
int xfs_set_dmattrs(struct xfs_inode *ip, u_int evmask, u_int16_t state);
-int xfs_change_file_space(struct xfs_inode *ip, int cmd,
+int xfs_change_file_space(struct dentry *dentry, int cmd,
xfs_flock64_t *bf, xfs_off_t offset, int attr_flags);
int xfs_rename(struct xfs_inode *src_dp, struct xfs_name *src_name,
struct xfs_inode *src_ip, struct xfs_inode *target_dp,
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index ac68c999b6c2..5ba2c4570bd3 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -221,13 +221,17 @@ extern int __put_user_bad(void) __attribute__((noreturn));
might_sleep(); \
access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
__get_user(x, ptr) : \
- -EFAULT; \
+ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
})
static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
{
- size = __copy_from_user(x, ptr, size);
- return size ? -EFAULT : size;
+ size_t n = __copy_from_user(x, ptr, size);
+ if (unlikely(n)) {
+ memset(x + (size - n), 0, n);
+ return -EFAULT;
+ }
+ return 0;
}
extern int __get_user_bad(void) __attribute__((noreturn));
@@ -243,11 +247,13 @@ extern int __get_user_bad(void) __attribute__((noreturn));
static inline long copy_from_user(void *to,
const void __user * from, unsigned long n)
{
+ unsigned long res = n;
might_sleep();
- if (access_ok(VERIFY_READ, from, n))
- return __copy_from_user(to, from, n);
- else
- return n;
+ if (likely(access_ok(VERIFY_READ, from, n)))
+ res = __copy_from_user(to, from, n);
+ if (unlikely(res))
+ memset(to + (n - res), 0, res);
+ return res;
}
static inline long copy_to_user(void __user *to,
diff --git a/include/linux/bcma/bcma.h b/include/linux/bcma/bcma.h
index 4d4b59de9467..7553789b9729 100644
--- a/include/linux/bcma/bcma.h
+++ b/include/linux/bcma/bcma.h
@@ -124,6 +124,7 @@ struct bcma_host_ops {
#define BCMA_CORE_DEFAULT 0xFFF
#define BCMA_MAX_NR_CORES 16
+#define BCMA_CORE_SIZE 0x1000
struct bcma_device {
struct bcma_bus *bus;
diff --git a/include/linux/bcma/bcma_regs.h b/include/linux/bcma/bcma_regs.h
index 9faae2ae02e8..b644d4392e43 100644
--- a/include/linux/bcma/bcma_regs.h
+++ b/include/linux/bcma/bcma_regs.h
@@ -35,6 +35,7 @@
#define BCMA_IOST_BIST_DONE 0x8000
#define BCMA_RESET_CTL 0x0800
#define BCMA_RESET_CTL_RESET 0x0001
+#define BCMA_RESET_ST 0x0804
/* BCMA PCI config space registers. */
#define BCMA_PCI_PMCSR 0x44
diff --git a/include/linux/can/dev.h b/include/linux/can/dev.h
index a0969fcb72b9..309d2aa3dfd8 100644
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -30,6 +30,7 @@ enum can_mode {
* CAN common private data
*/
struct can_priv {
+ struct net_device *dev;
struct can_device_stats can_stats;
struct can_bittiming bittiming;
@@ -41,7 +42,7 @@ struct can_priv {
u32 ctrlmode_supported;
int restart_ms;
- struct timer_list restart_timer;
+ struct delayed_work restart_work;
int (*do_set_bittiming)(struct net_device *dev);
int (*do_set_mode)(struct net_device *dev, enum can_mode mode);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index a509bee30c50..8c63ec58b015 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2615,7 +2615,7 @@ extern int buffer_migrate_page(struct address_space *,
#define buffer_migrate_page NULL
#endif
-extern int inode_change_ok(const struct inode *, struct iattr *);
+extern int setattr_prepare(struct dentry *, struct iattr *);
extern int inode_newsize_ok(const struct inode *, loff_t offset);
extern void setattr_copy(struct inode *inode, const struct iattr *attr);
diff --git a/include/linux/i8042.h b/include/linux/i8042.h
index a986ff588944..801c307f6fcc 100644
--- a/include/linux/i8042.h
+++ b/include/linux/i8042.h
@@ -38,7 +38,6 @@ struct serio;
void i8042_lock_chip(void);
void i8042_unlock_chip(void);
int i8042_command(unsigned char *param, int command);
-bool i8042_check_port_owner(const struct serio *);
int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio));
int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str,
@@ -59,11 +58,6 @@ static inline int i8042_command(unsigned char *param, int command)
return -ENODEV;
}
-static inline bool i8042_check_port_owner(const struct serio *serio)
-{
- return false;
-}
-
static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio))
{
diff --git a/include/linux/mroute.h b/include/linux/mroute.h
index 46caaf44339d..4e364bb6d1aa 100644
--- a/include/linux/mroute.h
+++ b/include/linux/mroute.h
@@ -245,7 +245,7 @@ struct mfc_cache {
struct rtmsg;
extern int ipmr_get_route(struct net *net, struct sk_buff *skb,
__be32 saddr, __be32 daddr,
- struct rtmsg *rtm, int nowait);
+ struct rtmsg *rtm, int nowait, u32 portid);
#endif
#endif
diff --git a/include/linux/mroute6.h b/include/linux/mroute6.h
index a3759cb0ac10..9b30150c973a 100644
--- a/include/linux/mroute6.h
+++ b/include/linux/mroute6.h
@@ -228,7 +228,7 @@ struct mfc6_cache {
#ifdef __KERNEL__
struct rtmsg;
extern int ip6mr_get_route(struct net *net, struct sk_buff *skb,
- struct rtmsg *rtm, int nowait);
+ struct rtmsg *rtm, int nowait, u32 portid);
#ifdef CONFIG_IPV6_MROUTE
extern struct sock *mroute6_socket(struct net *net, struct sk_buff *skb);
diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
index b7681102a4b9..da432868954f 100644
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -83,6 +83,7 @@ extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
extern struct posix_acl *get_posix_acl(struct inode *, int);
extern int set_posix_acl(struct inode *, int, struct posix_acl *);
diff --git a/include/linux/serio.h b/include/linux/serio.h
index ca82861b0e46..34b403a6d284 100644
--- a/include/linux/serio.h
+++ b/include/linux/serio.h
@@ -33,7 +33,8 @@ struct serio {
struct serio_device_id id;
- spinlock_t lock; /* protects critical sections from port's interrupt handler */
+ /* Protects critical sections from port's interrupt handler */
+ spinlock_t lock;
int (*write)(struct serio *, unsigned char);
int (*open)(struct serio *);
@@ -42,16 +43,29 @@ struct serio {
void (*stop)(struct serio *);
struct serio *parent;
- struct list_head child_node; /* Entry in parent->children list */
+ /* Entry in parent->children list */
+ struct list_head child_node;
struct list_head children;
- unsigned int depth; /* level of nesting in serio hierarchy */
+ /* Level of nesting in serio hierarchy */
+ unsigned int depth;
- struct serio_driver *drv; /* accessed from interrupt, must be protected by serio->lock and serio->sem */
- struct mutex drv_mutex; /* protects serio->drv so attributes can pin driver */
+ /*
+ * serio->drv is accessed from interrupt handlers; when modifying
+ * caller should acquire serio->drv_mutex and serio->lock.
+ */
+ struct serio_driver *drv;
+ /* Protects serio->drv so attributes can pin current driver */
+ struct mutex drv_mutex;
struct device dev;
struct list_head node;
+
+ /*
+ * For use by PS/2 layer when several ports share hardware and
+ * may get indigestion when exposed to concurrent access (i8042).
+ */
+ struct mutex *ps2_cmd_mutex;
};
#define to_serio_port(d) container_of(d, struct serio, dev)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index e90235fb1b18..0f4e1d419bfb 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1293,6 +1293,8 @@ static inline void tcp_check_send_head(struct sock *sk, struct sk_buff *skb_unli
{
if (sk->sk_send_head == skb_unlinked)
sk->sk_send_head = NULL;
+ if (tcp_sk(sk)->highest_sack == skb_unlinked)
+ tcp_sk(sk)->highest_sack = NULL;
}
static inline void tcp_init_send_head(struct sock *sk)
diff --git a/kernel/sched.c b/kernel/sched.c
index fb554299ca44..ffa3190df1ed 100644
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -2084,19 +2084,6 @@ EXPORT_SYMBOL_GPL(account_system_vtime);
#endif /* CONFIG_IRQ_TIME_ACCOUNTING */
-static inline void account_reset_rq(struct rq *rq)
-{
-#ifdef CONFIG_IRQ_TIME_ACCOUNTING
- rq->prev_irq_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT
- rq->prev_steal_time = 0;
-#endif
-#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
- rq->prev_steal_time_rq = 0;
-#endif
-}
-
#ifdef CONFIG_PARAVIRT
static inline u64 steal_ticks(u64 steal)
{
@@ -2846,6 +2833,28 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
success = 1; /* we're going to change ->state */
cpu = task_cpu(p);
+ /*
+ * Ensure we load p->on_rq _after_ p->state, otherwise it would
+ * be possible to, falsely, observe p->on_rq == 0 and get stuck
+ * in smp_cond_load_acquire() below.
+ *
+ * sched_ttwu_pending() try_to_wake_up()
+ * [S] p->on_rq = 1; [L] P->state
+ * UNLOCK rq->lock -----.
+ * \
+ * +--- RMB
+ * schedule() /
+ * LOCK rq->lock -----'
+ * UNLOCK rq->lock
+ *
+ * [task p]
+ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq
+ *
+ * Pairs with the UNLOCK+LOCK on rq->lock from the
+ * last wakeup of our task and the schedule that got our task
+ * current.
+ */
+ smp_rmb();
if (p->on_rq && ttwu_remote(p, wake_flags))
goto stat;
@@ -6869,7 +6878,6 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
case CPU_UP_PREPARE:
rq->calc_load_update = calc_load_update;
- account_reset_rq(rq);
break;
case CPU_ONLINE:
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index f4b93a207026..ca7396e4aff4 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3331,13 +3331,6 @@ tracing_read_pipe(struct file *filp, char __user *ubuf,
static struct tracer *old_tracer;
ssize_t sret;
- /* return any leftover data */
- sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
- if (sret != -EBUSY)
- return sret;
-
- trace_seq_init(&iter->seq);
-
/* copy the tracer to avoid using a global lock all around */
mutex_lock(&trace_types_lock);
if (unlikely(old_tracer != current_trace && current_trace)) {
@@ -3352,6 +3345,14 @@ tracing_read_pipe(struct file *filp, char __user *ubuf,
* is protected.
*/
mutex_lock(&iter->mutex);
+
+ /* return any leftover data */
+ sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+ if (sret != -EBUSY)
+ goto out;
+
+ trace_seq_init(&iter->seq);
+
if (iter->trace->read) {
sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
if (sret)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index c52095ce40b4..390f0ac4eed6 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1417,6 +1417,10 @@ static unsigned long set_max_huge_pages(struct hstate *h, unsigned long count,
* and reducing the surplus.
*/
spin_unlock(&hugetlb_lock);
+
+ /* yield cpu to avoid soft lockup */
+ cond_resched();
+
ret = alloc_fresh_huge_page(h, nodes_allowed);
spin_lock(&hugetlb_lock);
if (!ret)
diff --git a/mm/ksm.c b/mm/ksm.c
index 6741c9df5c80..168b980ac919 100644
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -238,7 +238,8 @@ static inline struct rmap_item *alloc_rmap_item(void)
{
struct rmap_item *rmap_item;
- rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL);
+ rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL |
+ __GFP_NORETRY | __GFP_NOWARN);
if (rmap_item)
ksm_rmap_items++;
return rmap_item;
diff --git a/mm/shmem.c b/mm/shmem.c
index 83efac6ddef0..0a9d8919ddfa 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -562,7 +562,7 @@ static int shmem_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = dentry->d_inode;
int error;
- error = inode_change_ok(inode, attr);
+ error = setattr_prepare(dentry, attr);
if (error)
return error;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 74e59cdd047b..6c89d61aaa6f 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -630,7 +630,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
break;
}
- if (get_user(opt, (u32 __user *) optval)) {
+ if (get_user(opt, (u16 __user *) optval)) {
err = -EFAULT;
break;
}
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 93a824179458..6c74264875c9 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -349,15 +349,19 @@ static int rfcomm_sock_create(struct net *net, struct socket *sock,
static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
{
- struct sockaddr_rc *sa = (struct sockaddr_rc *) addr;
+ struct sockaddr_rc sa;
struct sock *sk = sock->sk;
- int err = 0;
-
- BT_DBG("sk %p %s", sk, batostr(&sa->rc_bdaddr));
+ int len, err = 0;
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
+ memset(&sa, 0, sizeof(sa));
+ len = min_t(unsigned int, sizeof(sa), addr_len);
+ memcpy(&sa, addr, len);
+
+ BT_DBG("sk %p %s", sk, batostr(&sa.rc_bdaddr));
+
lock_sock(sk);
if (sk->sk_state != BT_OPEN) {
@@ -372,12 +376,13 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
write_lock_bh(&rfcomm_sk_list.lock);
- if (sa->rc_channel && __rfcomm_get_sock_by_addr(sa->rc_channel, &sa->rc_bdaddr)) {
+ if (sa.rc_channel &&
+ __rfcomm_get_sock_by_addr(sa.rc_channel, &sa.rc_bdaddr)) {
err = -EADDRINUSE;
} else {
/* Save source address */
- bacpy(&bt_sk(sk)->src, &sa->rc_bdaddr);
- rfcomm_pi(sk)->channel = sa->rc_channel;
+ bacpy(&bt_sk(sk)->src, &sa.rc_bdaddr);
+ rfcomm_pi(sk)->channel = sa.rc_channel;
sk->sk_state = BT_BOUND;
}
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 95b47ff4ce6f..6558a9182793 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -2058,7 +2058,7 @@ rtattr_failure:
int ipmr_get_route(struct net *net, struct sk_buff *skb,
__be32 saddr, __be32 daddr,
- struct rtmsg *rtm, int nowait)
+ struct rtmsg *rtm, int nowait, u32 portid)
{
struct mfc_cache *cache;
struct mr_table *mrt;
@@ -2098,6 +2098,7 @@ int ipmr_get_route(struct net *net, struct sk_buff *skb,
return -ENOMEM;
}
+ NETLINK_CB(skb2).pid = portid;
skb_push(skb2, sizeof(struct iphdr));
skb_reset_network_header(skb2);
iph = ip_hdr(skb2);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 8e79a9e04276..3026b65f9a84 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -3077,7 +3077,8 @@ static int rt_fill_info(struct net *net,
IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
int err = ipmr_get_route(net, skb,
rt->rt_src, rt->rt_dst,
- r, nowait);
+ r, nowait, pid);
+
if (err <= 0) {
if (!nowait) {
if (err == 0)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index e61481009801..918ecd724c1b 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -220,7 +220,8 @@ void tcp_select_initial_window(int __space, __u32 mss,
/* Set window scaling on max possible window
* See RFC1323 for an explanation of the limit to 14
*/
- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+ space = max_t(u32, space, sysctl_tcp_rmem[2]);
+ space = max_t(u32, space, sysctl_rmem_max);
space = min_t(u32, space, *window_clamp);
while (space > 65535 && (*rcv_wscale) < 14) {
space >>= 1;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 02b3c827dfe0..7a3923b3e828 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -2137,8 +2137,8 @@ rtattr_failure:
return -EMSGSIZE;
}
-int ip6mr_get_route(struct net *net,
- struct sk_buff *skb, struct rtmsg *rtm, int nowait)
+int ip6mr_get_route(struct net *net, struct sk_buff *skb, struct rtmsg *rtm,
+ int nowait, u32 portid)
{
int err;
struct mr6_table *mrt;
@@ -2176,6 +2176,7 @@ int ip6mr_get_route(struct net *net,
return -ENOMEM;
}
+ NETLINK_CB(skb2).pid = portid;
skb_reset_transport_header(skb2);
skb_put(skb2, sizeof(struct ipv6hdr));
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 3a8776d9b895..d4059fa59548 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2416,7 +2416,9 @@ static int rt6_fill_node(struct net *net,
if (iif) {
#ifdef CONFIG_IPV6_MROUTE
if (ipv6_addr_is_multicast(&rt->rt6i_dst.addr)) {
- int err = ip6mr_get_route(net, skb, rtm, nowait);
+ int err = ip6mr_get_route(net, skb, rtm, nowait,
+ pid);
+
if (err <= 0) {
if (!nowait) {
if (err == 0)
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 03c8ea9deaf6..078967fbb809 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -846,7 +846,7 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
struct sock *sk = sock->sk;
struct irda_sock *new, *self = irda_sk(sk);
struct sock *newsk;
- struct sk_buff *skb;
+ struct sk_buff *skb = NULL;
int err;
IRDA_DEBUG(2, "%s()\n", __func__);
@@ -916,7 +916,6 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
err = -EPERM; /* value does not seem to make sense. -arnd */
if (!new->tsap) {
IRDA_DEBUG(0, "%s(), dup failed!\n", __func__);
- kfree_skb(skb);
goto out;
}
@@ -935,7 +934,6 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
/* Clean up the original one to keep it in listen state */
irttp_listen(self->tsap);
- kfree_skb(skb);
sk->sk_ack_backlog--;
newsock->state = SS_CONNECTED;
@@ -943,6 +941,7 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
irda_connect_response(new);
err = 0;
out:
+ kfree_skb(skb);
release_sock(sk);
return err;
}
@@ -1040,8 +1039,11 @@ static int irda_connect(struct socket *sock, struct sockaddr *uaddr,
}
/* Check if we have opened a local TSAP */
- if (!self->tsap)
- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (!self->tsap) {
+ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (err)
+ goto out;
+ }
/* Move to connecting socket, start sending Connect Requests */
sock->state = SS_CONNECTING;
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 767bf4afefbd..0417743b09e5 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -914,10 +914,8 @@ static int pppol2tp_getname(struct socket *sock, struct sockaddr *uaddr,
pls = l2tp_session_priv(session);
tunnel = l2tp_sock_to_tunnel(pls->tunnel_sock);
- if (tunnel == NULL) {
- error = -EBADF;
+ if (tunnel == NULL)
goto end_put_sess;
- }
inet = inet_sk(tunnel->sock);
if (tunnel->version == 2) {
@@ -955,12 +953,11 @@ static int pppol2tp_getname(struct socket *sock, struct sockaddr *uaddr,
}
*usockaddr_len = len;
+ error = 0;
sock_put(pls->tunnel_sock);
end_put_sess:
sock_put(sk);
- error = 0;
-
end:
return error;
}
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index a80b0cb03f17..275906c9a342 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -716,9 +716,6 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
unsigned int verdict;
struct nf_queue_entry *entry;
- queue = instance_lookup(queue_num);
- if (!queue)
-
queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).pid);
if (IS_ERR(queue))
return PTR_ERR(queue);
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index bcecae0f00c6..290c7bb8865b 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -710,7 +710,11 @@ socket_setattr_return:
*/
void netlbl_sock_delattr(struct sock *sk)
{
- cipso_v4_sock_delattr(sk);
+ switch (sk->sk_family) {
+ case AF_INET:
+ cipso_v4_sock_delattr(sk);
+ break;
+ }
}
/**
@@ -889,7 +893,11 @@ req_setattr_return:
*/
void netlbl_req_delattr(struct request_sock *req)
{
- cipso_v4_req_delattr(req);
+ switch (req->rsk_ops->family) {
+ case AF_INET:
+ cipso_v4_req_delattr(req);
+ break;
+ }
}
/**
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index c80c16248a3c..efd443dbacf9 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1167,11 +1167,16 @@ svc_process_common(struct svc_rqst *rqstp, struct kvec *argv, struct kvec *resv)
*statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp);
/* Encode reply */
- if (rqstp->rq_dropme) {
+ if (*statp == rpc_drop_reply || rqstp->rq_dropme) {
if (procp->pc_release)
procp->pc_release(rqstp, NULL, rqstp->rq_resp);
goto dropit;
}
+ if (*statp == rpc_autherr_badcred) {
+ if (procp->pc_release)
+ procp->pc_release(rqstp, NULL, rqstp->rq_resp);
+ goto err_bad_auth;
+ }
if (*statp == rpc_success &&
(xdr = procp->pc_encode) &&
!xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) {
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9414b9c5b1e4..45f8d9256081 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -351,6 +351,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
{
tasklet_hrtimer_cancel(&x->mtimer);
del_timer_sync(&x->rtimer);
+ kfree(x->aead);
kfree(x->aalg);
kfree(x->ealg);
kfree(x->calg);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index ede01a8d9f4e..09542248f72b 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -558,9 +558,12 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
if (err)
goto error;
- if (attrs[XFRMA_SEC_CTX] &&
- security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
- goto error;
+ if (attrs[XFRMA_SEC_CTX]) {
+ err = security_xfrm_state_alloc(x,
+ nla_data(attrs[XFRMA_SEC_CTX]));
+ if (err)
+ goto error;
+ }
if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
attrs[XFRMA_REPLAY_ESN_VAL])))
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 49bbc97943ad..3f7b4102a350 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -188,7 +188,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
struct timespec now;
unsigned long timo;
key_ref_t key_ref, skey_ref;
- char xbuf[12];
+ char xbuf[16];
int rc;
key_ref = make_key_ref(key, 0);
diff --git a/sound/core/control.c b/sound/core/control.c
index 96c62e58d950..132856b16b8d 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *card, unsigned int mask,
if (snd_BUG_ON(!card || !id))
return;
+ if (card->shutdown)
+ return;
read_lock(&card->ctl_files_rwlock);
#if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE)
card->mixer_oss_change_count++;
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 14e7453969af..25f636536ec9 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1609,11 +1609,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
return -EBUSY;
}
list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+ mutex_unlock(®ister_mutex);
sprintf(name, "midiC%iD%i", rmidi->card->number, rmidi->device);
if ((err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
rmidi->card, rmidi->device,
&snd_rawmidi_f_ops, rmidi, name)) < 0) {
snd_printk(KERN_ERR "unable to register rawmidi device %i:%i\n", rmidi->card->number, rmidi->device);
+ mutex_lock(®ister_mutex);
list_del(&rmidi->list);
mutex_unlock(®ister_mutex);
return err;
@@ -1621,6 +1623,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
if (rmidi->ops && rmidi->ops->dev_register &&
(err = rmidi->ops->dev_register(rmidi)) < 0) {
snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
+ mutex_lock(®ister_mutex);
list_del(&rmidi->list);
mutex_unlock(®ister_mutex);
return err;
@@ -1649,7 +1652,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
}
}
#endif /* CONFIG_SND_OSSEMUL */
- mutex_unlock(®ister_mutex);
sprintf(name, "midi%d", rmidi->device);
entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
if (entry) {
diff --git a/sound/core/timer.c b/sound/core/timer.c
index bce3fe051fbf..5628b6548d18 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -34,6 +34,9 @@
#include <sound/initval.h>
#include <linux/kmod.h>
+/* internal flags */
+#define SNDRV_TIMER_IFLG_PAUSED 0x00010000
+
#if defined(CONFIG_SND_HRTIMER) || defined(CONFIG_SND_HRTIMER_MODULE)
#define DEFAULT_TIMER_LIMIT 4
#elif defined(CONFIG_SND_RTCTIMER) || defined(CONFIG_SND_RTCTIMER_MODULE)
@@ -290,8 +293,19 @@ int snd_timer_open(struct snd_timer_instance **ti,
}
timeri->slave_class = tid->dev_sclass;
timeri->slave_id = slave_id;
- if (list_empty(&timer->open_list_head) && timer->hw.open)
- timer->hw.open(timer);
+
+ if (list_empty(&timer->open_list_head) && timer->hw.open) {
+ int err = timer->hw.open(timer);
+ if (err) {
+ kfree(timeri->owner);
+ kfree(timeri);
+
+ module_put(timer->module);
+ mutex_unlock(®ister_mutex);
+ return err;
+ }
+ }
+
list_add_tail(&timeri->open_list, &timer->open_list_head);
snd_timer_check_master(timeri);
mutex_unlock(®ister_mutex);
@@ -299,8 +313,7 @@ int snd_timer_open(struct snd_timer_instance **ti,
return 0;
}
-static int _snd_timer_stop(struct snd_timer_instance *timeri,
- int keep_flag, int event);
+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
/*
* close a timer instance
@@ -342,7 +355,7 @@ int snd_timer_close(struct snd_timer_instance *timeri)
spin_unlock_irq(&timer->lock);
mutex_lock(®ister_mutex);
list_del(&timeri->open_list);
- if (timer && list_empty(&timer->open_list_head) &&
+ if (list_empty(&timer->open_list_head) &&
timer->hw.close)
timer->hw.close(timer);
/* remove slave links */
@@ -494,8 +507,7 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
return result;
}
-static int _snd_timer_stop(struct snd_timer_instance * timeri,
- int keep_flag, int event)
+static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
{
struct snd_timer *timer;
unsigned long flags;
@@ -504,21 +516,19 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
return -ENXIO;
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
- if (!keep_flag) {
- spin_lock_irqsave(&slave_active_lock, flags);
- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
- spin_unlock_irqrestore(&slave_active_lock, flags);
- return -EBUSY;
- }
- if (timeri->timer)
- spin_lock(&timeri->timer->lock);
- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
- list_del_init(&timeri->ack_list);
- list_del_init(&timeri->active_list);
- if (timeri->timer)
- spin_unlock(&timeri->timer->lock);
+ spin_lock_irqsave(&slave_active_lock, flags);
+ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
spin_unlock_irqrestore(&slave_active_lock, flags);
+ return -EBUSY;
}
+ if (timeri->timer)
+ spin_lock(&timeri->timer->lock);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+ list_del_init(&timeri->ack_list);
+ list_del_init(&timeri->active_list);
+ if (timeri->timer)
+ spin_unlock(&timeri->timer->lock);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
goto __end;
}
timer = timeri->timer;
@@ -544,9 +554,11 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
}
}
}
- if (!keep_flag)
- timeri->flags &=
- ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+ timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
+ if (event == SNDRV_TIMER_EVENT_STOP)
+ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
+ else
+ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
spin_unlock_irqrestore(&timer->lock, flags);
__end:
if (event != SNDRV_TIMER_EVENT_RESOLUTION)
@@ -565,7 +577,7 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
unsigned long flags;
int err;
- err = _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_STOP);
+ err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
if (err < 0)
return err;
timer = timeri->timer;
@@ -589,6 +601,10 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
if (timeri == NULL)
return result;
+ /* timer can continue only after pause */
+ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+ return -EINVAL;
+
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
return snd_timer_start_slave(timeri);
timer = timeri->timer;
@@ -614,7 +630,7 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
*/
int snd_timer_pause(struct snd_timer_instance * timeri)
{
- return _snd_timer_stop(timeri, 0, SNDRV_TIMER_EVENT_PAUSE);
+ return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
}
/*
@@ -822,6 +838,7 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
timer->tmr_subdevice = tid->subdevice;
if (id)
strlcpy(timer->id, id, sizeof(timer->id));
+ timer->sticks = 1;
INIT_LIST_HEAD(&timer->device_list);
INIT_LIST_HEAD(&timer->open_list_head);
INIT_LIST_HEAD(&timer->active_list_head);
@@ -1792,6 +1809,9 @@ static int snd_timer_user_continue(struct file *file)
tu = file->private_data;
if (!tu->timeri)
return -EBADFD;
+ /* start timer instead of continue if it's not used before */
+ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
+ return snd_timer_user_start(file);
tu->timeri->lost = 0;
return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
}
@@ -1929,6 +1949,7 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
tu->qused--;
spin_unlock_irq(&tu->qlock);
+ mutex_lock(&tu->ioctl_lock);
if (tu->tread) {
if (copy_to_user(buffer, &tu->tqueue[qhead],
sizeof(struct snd_timer_tread)))
@@ -1938,6 +1959,7 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
sizeof(struct snd_timer_read)))
err = -EFAULT;
}
+ mutex_unlock(&tu->ioctl_lock);
spin_lock_irq(&tu->qlock);
if (err < 0)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 8b0617a648d1..375e0539597c 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -156,6 +156,7 @@ void vcpu_load(struct kvm_vcpu *vcpu)
kvm_arch_vcpu_load(vcpu, cpu);
put_cpu();
}
+EXPORT_SYMBOL_GPL(vcpu_load);
void vcpu_put(struct kvm_vcpu *vcpu)
{
@@ -165,6 +166,7 @@ void vcpu_put(struct kvm_vcpu *vcpu)
preempt_enable();
mutex_unlock(&vcpu->mutex);
}
+EXPORT_SYMBOL_GPL(vcpu_put);
static void ack_flush(void *_completed)
{
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply related [flat|nested] 159+ messages in thread
* Re: [PATCH 3.2 000/152] 3.2.84-rc1 review
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
` (152 preceding siblings ...)
2016-11-14 4:05 ` [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
@ 2016-11-14 5:47 ` Guenter Roeck
2016-11-14 17:10 ` Ben Hutchings
153 siblings, 1 reply; 159+ messages in thread
From: Guenter Roeck @ 2016-11-14 5:47 UTC (permalink / raw)
To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm
On 11/13/2016 04:14 PM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.2.84 release.
> There are 152 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Nov 19 00:00:00 UTC 2016.
> Anything received after that time might be too late.
>
Build results:
total: 89 pass: 89 fail: 0
Qemu test results:
total: 61 pass: 61 fail: 0
Details are available at http://kerneltests.org/builders.
Guenter
^ permalink raw reply [flat|nested] 159+ messages in thread
* Re: [PATCH 3.2 009/152] ext4: check for extents that wrap around
2016-11-14 0:14 ` [PATCH 3.2 009/152] ext4: check for extents that wrap around Ben Hutchings
@ 2016-11-14 15:29 ` Vegard Nossum
2016-11-14 16:15 ` Ben Hutchings
0 siblings, 1 reply; 159+ messages in thread
From: Vegard Nossum @ 2016-11-14 15:29 UTC (permalink / raw)
To: Ben Hutchings, linux-kernel, stable, Greg Kroah-Hartman
Cc: akpm, Phil Turnbull, Eryu Guan, Theodore Ts'o
On 11/14/2016 01:14 AM, Ben Hutchings wrote:
> 3.2.84-rc1 review patch. If anyone has any objections, please let me know.
Just a general comment on stable review workflow, really:
It might be more useful to send the diff-of-diffs with the upstream
commit so I can easily see if you had any conflicts when cherry-picking
this and how they were resolved.
That's generally much more interesting than just the plain patch, where
I can't really tell if there were any changes at all (or conversely,
much more boring in case there were no changes, and thus easier to
review).
If you could push this commit to git before sending the review, you
could also include a command that I can use to quickly do the
diff-of-diffs myself without having to download and apply the patch (or
look for it), e.g. something like (using the 3.12 stable commit vs
upstream):
"""
diff -yw \
<(echo upstream; git log -p -W f70749c^..f70749c) \
<(echo 3.2; git log -p -W 33234c6^..33234c6)
"""
At least that would make it a lot easier for me (and I suspect other
casual stable contributors) to glance at a stable review email and tell
if the backport is correct or not. It should be pretty easy to script on
your end(s) for the benefit of everybody.
Just my 2 cents. Thanks,
Vegard
> ------------------
>
> From: Vegard Nossum <vegard.nossum@oracle.com>
>
> commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.
>
> An extent with lblock = 4294967295 and len = 1 will pass the
> ext4_valid_extent() test:
>
> ext4_lblk_t last = lblock + len - 1;
>
> if (len == 0 || lblock > last)
> return 0;
>
> since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
> the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
>
> We can simplify it by removing the - 1 altogether and changing the test
> to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
> lblock and it fails, and if len > 0 then lblock + len > lblock in order
> to pass (i.e. it doesn't overflow).
>
> Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
> Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
> Cc: Eryu Guan <guaneryu@gmail.com>
> Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> fs/ext4/extents.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -319,9 +319,13 @@ static int ext4_valid_extent(struct inod
> ext4_fsblk_t block = ext4_ext_pblock(ext);
> int len = ext4_ext_get_actual_len(ext);
> ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
> - ext4_lblk_t last = lblock + len - 1;
>
> - if (len == 0 || lblock > last)
> + /*
> + * We allow neither:
> + * - zero length
> + * - overflow/wrap-around
> + */
> + if (lblock + len <= lblock)
> return 0;
> return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
> }
>
^ permalink raw reply [flat|nested] 159+ messages in thread
* Re: [PATCH 3.2 009/152] ext4: check for extents that wrap around
2016-11-14 15:29 ` Vegard Nossum
@ 2016-11-14 16:15 ` Ben Hutchings
0 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 16:15 UTC (permalink / raw)
To: Vegard Nossum, linux-kernel, stable, Greg Kroah-Hartman
Cc: akpm, Phil Turnbull, Eryu Guan, Theodore Ts'o
[-- Attachment #1: Type: text/plain, Size: 1239 bytes --]
On Mon, 2016-11-14 at 16:29 +0100, Vegard Nossum wrote:
> On 11/14/2016 01:14 AM, Ben Hutchings wrote:
> > 3.2.84-rc1 review patch. If anyone has any objections, please let me know.
>
> Just a general comment on stable review workflow, really:
>
> It might be more useful to send the diff-of-diffs with the upstream
> commit so I can easily see if you had any conflicts when cherry-picking
> this and how they were resolved.
When there are conflicts, I explain how they were resolved before my
Signed-off-by: line. In this case there were none.
I'm not going to change to diff-of-diffs unless there is consensus for
this among stable maintainers and reviewers.
[...]
> If you could push this commit to git before sending the review, you
> could also include a command that I can use to quickly do the
> diff-of-diffs myself without having to download and apply the patch (or
> look for it), e.g. something like (using the 3.12 stable commit vs
> upstream):
[...]
You can find all the patches in a 3.2-rc or 3.16-rc review at
<https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-stable-queue.git/>.
Ben.
--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 159+ messages in thread
* Re: [PATCH 3.2 000/152] 3.2.84-rc1 review
2016-11-14 5:47 ` Guenter Roeck
@ 2016-11-14 17:10 ` Ben Hutchings
0 siblings, 0 replies; 159+ messages in thread
From: Ben Hutchings @ 2016-11-14 17:10 UTC (permalink / raw)
To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm
[-- Attachment #1: Type: text/plain, Size: 784 bytes --]
On Sun, 2016-11-13 at 21:47 -0800, Guenter Roeck wrote:
> On 11/13/2016 04:14 PM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.2.84 release.
> > There are 152 patches in this series, which will be posted as responses
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat Nov 19 00:00:00 UTC 2016.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 89 pass: 89 fail: 0
> Qemu test results:
> total: 61 pass: 61 fail: 0
>
> Details are available at http://kerneltests.org/builders.
Thanks for checking.
Ben.
--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 159+ messages in thread
* Re: [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows
2016-11-14 0:14 ` [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows Ben Hutchings
@ 2016-11-14 21:09 ` Stefan Richter
0 siblings, 0 replies; 159+ messages in thread
From: Stefan Richter @ 2016-11-14 21:09 UTC (permalink / raw)
To: Ben Hutchings; +Cc: linux-kernel, stable, akpm, Eyal Itkin
On Nov 14 Ben Hutchings wrote:
> 3.2.84-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Stefan Richter <stefanr@s5r6.in-berlin.de>
>
> commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.
[...]
> [bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Backport looks correct to me; thanks.
--
Stefan Richter
-======----- =-== -===-
http://arcgraph.de/sr/
^ permalink raw reply [flat|nested] 159+ messages in thread
end of thread, other threads:[~2016-11-14 21:09 UTC | newest]
Thread overview: 159+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-14 0:14 [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 011/152] ext4: validate s_reserved_gdt_blocks on mount Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 066/152] arm: oabi compat: add missing access checks Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 131/152] openrisc: fix the fix of copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 037/152] nfs: don't create zero-length requests Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 082/152] USB: avoid left shift by -1 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 069/152] USB: serial: mos7840: fix non-atomic allocation in write path Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 045/152] drm/radeon: fix firmware info version checks Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 076/152] parisc: Fix order of EREFUSED define in errno.h Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 080/152] usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 147/152] Btrfs: skip adding an acl attribute if we don't have to Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 145/152] fs: Give dentry to inode_change_ok() instead of inode Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 136/152] btrfs: ensure that file descriptor used with subvol ioctls is a dir Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 106/152] asm-generic: make get_user() clear the destination on errors Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 012/152] drm/radeon: Poll for both connect/disconnect on analog connectors Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 027/152] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 125/152] microblaze: fix __get_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 122/152] blackfin: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 020/152] Bluetooth: Add USB ID 13D3:3487 to ath3k Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 059/152] USB: serial: ftdi_sio: add device ID for WICED USB UART dev board Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 098/152] ALSA: rawmidi: Fix possible deadlock with virmidi registration Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 148/152] posix_acl: Clear SGID bit when setting file permissions Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 010/152] ext4: don't call ext4_should_journal_data() on the journal inode Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 089/152] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 006/152] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 067/152] megaraid_sas: Fix probing cards without io port Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 130/152] avr32: fix 'undefined reference to `___copy_from_user' Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 058/152] USB: serial: ftdi_sio: add PIDs for Ivium Technologies devices Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 126/152] avr32: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 051/152] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 152/152] ext3: NULL dereference in ext3_evict_inode() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 078/152] iio: accel: kxsd9: Fix raw read return Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 001/152] netlabel: add address family checks to netlbl_{sock,req}_delattr() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 127/152] USB: change bInterval default to 10 ms Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 090/152] x86/paravirt: Do not trace _paravirt_ident_*() functions Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 100/152] alpha: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 114/152] parisc: " Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 123/152] m32r: fix __get_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 128/152] IB/ipoib: Don't allow MC joins during light MC flush Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 113/152] openrisc: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 142/152] KEYS: Fix short sprintf buffer in /proc/keys show function Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 022/152] net: ethoc: Fix early error paths Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 048/152] tcp: consider recv buf for the initial window scale Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 111/152] mn10300: failing __get_user() and get_user() should zero Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 052/152] balloon: check the number of available pages in leak balloon Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 041/152] l2tp: Correctly return -EBADF from pppol2tp_getname Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 002/152] powerpc/numa: Fix multiple bugs in memory_hotplug_max() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 091/152] IB/core: Fix use after free in send_leave function Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 095/152] crypto: cryptd - initialize child shash_desc on import Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 107/152] cris: buggered copy_from_user/copy_to_user/clear_user Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 144/152] firewire: net: guard against rx buffer overflows Ben Hutchings
2016-11-14 21:09 ` Stefan Richter
2016-11-14 0:14 ` [PATCH 3.2 038/152] pps: do not crash when failed to register Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 029/152] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 150/152] xenbus: don't BUG() on user mode induced condition Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 046/152] avr32: off by one in at32_init_pio() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 008/152] Input: xpad - validate USB endpoint count during probe Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 085/152] USB: serial: option: add WeTelecom 0x6802 and 0x6803 products Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 088/152] ALSA: timer: fix NULL pointer dereference on memory allocation failure Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 065/152] x86/mm: Disable preemption during CR3 read+write Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 096/152] ALSA: timer: Code cleanup Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 119/152] sh64: failing __get_user() should zero Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 086/152] fs/seq_file: fix out-of-bounds read Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 004/152] crypto: gcm - Filter out async ghash if necessary Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 077/152] USB: serial: option: add WeTelecom WM-D200 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 057/152] USB: serial: option: add D-Link DWM-156/A3 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 049/152] s390: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 073/152] tcp: fix use after free in tcp_xmit_retransmit_queue() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 064/152] s390/dasd: fix hanging device after clear subchannel Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 036/152] MIPS: RM7000: Double locking bug in rm7k_tc_disable() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 028/152] USB: serial: option: add support for Telit LE910 PID 0x1206 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 003/152] sched/cputime: Fix prev steal time accouting during CPU hotplug Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 072/152] xhci: don't dereference a xhci member after removing xhci Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 104/152] ARM: sa1111: fix pcmcia suspend/resume Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 138/152] tracing: Move mutex to protect against resetting of seq data Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 120/152] sh: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 109/152] hexagon: fix strncpy_from_user() error return Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 129/152] irda: Free skb on irda_accept error path Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 019/152] NFS: Don't drop CB requests with invalid principals Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 034/152] hwmon: (adt7411) set bit 3 in CFG1 register Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 115/152] ppc32: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 075/152] Input: i8042 - set up shared ps2_cmd_mutex for AUX ports Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 040/152] net/irda: fix NULL pointer dereference on memory allocation failure Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 044/152] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 105/152] crypto: skcipher - Fix blkcipher walk OOM crash Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 013/152] ALSA: ctl: Stop notification after disconnection Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 070/152] cdc-acm: fix wrong pipe type on rx interrupt xfers Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 143/152] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 039/152] ARM: OMAP3: hwmod data: Add sysc information for DSI Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 146/152] fs: Avoid premature clearing of capabilities Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 007/152] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 050/152] ext4: validate that metadata blocks do not overlap superblock Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 033/152] mtd: nand: fix bug writing 1 byte less than page size Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 030/152] crypto: scatterwalk - Fix test in scatterwalk_done Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 060/152] drm/edid: Add 6 bpc quirk for display AEO model 0 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 055/152] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 134/152] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 016/152] x86/quirks: Reintroduce scanning of secondary buses Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 018/152] svc: Avoid garbage replies when pc_func() returns rpc_drop_reply Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 124/152] microblaze: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 112/152] mn10300: copy_from_user() should zero on access_ok() failure Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 043/152] ceph: Correctly return NXIO errors from ceph_llseek Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 024/152] KVM: nVMX: Fix memory corruption when using VMCS shadowing Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 093/152] iio: accel: kxsd9: Fix scaling bug Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 092/152] IB/ipoib: Fix memory corruption in ipoib cm mode connect flow Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 009/152] ext4: check for extents that wrap around Ben Hutchings
2016-11-14 15:29 ` Vegard Nossum
2016-11-14 16:15 ` Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 094/152] sched/core: Fix a race between try_to_wake_up() and a woken up task Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 135/152] i2c-eg20t: fix race between i2c init and interrupt enable Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 102/152] mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 140/152] mm,ksm: fix endless looping in allocating memory when ksm enable Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 149/152] [media] usbvision: revert commit 588afcc1 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 074/152] drm/radeon: fix radeon_move_blit on 32bit systems Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 151/152] xenbus: don't look up transaction IDs for ordinary writes Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 032/152] brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 110/152] ia64: copy_from_user() should zero the destination on access_ok() failure Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 015/152] x86/quirks: Apply nvidia_bugs quirk only on root bus Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 137/152] can: dev: fix deadlock reported after bus-off Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 071/152] usb: xhci: Fix panic if disconnect Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 103/152] NFSv4.1: Fix the CREATE_SESSION slot number accounting Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 139/152] ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 116/152] s390: get_user() should zero on failure Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 101/152] asm-generic: make copy_from_user() zero the destination properly Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 108/152] frv: fix clear_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 081/152] USB: fix typo in wMaxPacketSize validation Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 021/152] Bluetooth: Add support of 13d3:3490 AR3012 device Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 099/152] xfrm_user: propagate sec ctx allocation errors Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 132/152] xfrm: Fix memory leak of aead algorithm name Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 117/152] score: fix __get_user/get_user Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 042/152] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 063/152] USB: validate wMaxPacketValue entries in endpoint descriptors Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 023/152] KVM: nVMX: fix lifetime issues for vmcs02 Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 133/152] ocfs2/dlm: fix race between convert and migration Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 068/152] USB: serial: mos7720: fix non-atomic allocation in write path Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 097/152] ALSA: timer: Fix zero-division by continue of uninitialized instance Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 121/152] sparc32: fix copy_from_user() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 005/152] serial: samsung: Fix possible out of bounds access on non-DT platform Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 031/152] tpm: read burstcount from TPM_STS in one 32-bit transaction Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 017/152] x86/quirks: Add early quirk to reset Apple AirPort card Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 062/152] netfilter: nfnetlink_queue: reject verdict request from different portid Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 035/152] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 056/152] block: fix use-after-free in seq file Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 014/152] ppp: defer netns reference release for ppp channel Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 061/152] aacraid: Check size values after double-fetch from user Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 141/152] Bluetooth: Fix potential NULL dereference in RFCOMM bind callback Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 087/152] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 054/152] mm/hugetlb: avoid soft lockup in set_max_huge_pages() Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 026/152] ext4: short-cut orphan cleanup on error Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 047/152] ubi: Fix race condition between ubi device creation and udev Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 079/152] drm: Reject page_flip for !DRIVER_MODESET Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 084/152] x86/apic: Do not init irq remapping if ioapic is disabled Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 118/152] score: fix copy_from_user() and friends Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 025/152] ext4: fix reference counting bug on block allocation error Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 053/152] dm flakey: error READ bios during the down_interval Ben Hutchings
2016-11-14 0:14 ` [PATCH 3.2 083/152] ubifs: Fix assertion in layout_in_gaps() Ben Hutchings
2016-11-14 4:05 ` [PATCH 3.2 000/152] 3.2.84-rc1 review Ben Hutchings
2016-11-14 5:47 ` Guenter Roeck
2016-11-14 17:10 ` Ben Hutchings
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).