linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 3.16 000/254] 3.16.55-rc1 review
@ 2018-02-28 15:20 Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 138/254] iw_cxgb4: Only validate the MSN for successful completions Ben Hutchings
                   ` (254 more replies)
  0 siblings, 255 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.55 release.
There are 254 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Mar 02 18:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Aaron Ma (2):
      Input: elantech - add new icbody type 15
         [10d900303f1c3a821eb0bef4e7b7ece16768fba4]
      Input: trackpoint - force 3 buttons if 0 button is reported
         [f5d07b9e98022d50720e38aa936fc11c67868ece]

Adam Wallis (2):
      dmaengine: dmatest: move callback wait queue to thread context
         [6f6a23a213be51728502b88741ba6a10cda2441d]
      dmaengine: dmatest: warn user when dma test times out
         [a9df21e34b422f79d9a9fa5c3eff8c2a53491be6]

Alan Stern (3):
      USB: Gadget core: fix inconsistency in the interface tousb_add_gadget_udc_release()
         [afd7fd81f22bf90474216515dbd6088f9bd70343]
      USB: UDC core: fix double-free in usb_add_gadget_udc_release
         [7ae2c3c280db183ca9ada2675c34ec2f7378abfa]
      usb: udc: core: add device_del() call to error pathway
         [c93e64e91248becd0edb8f01723dff9da890e2ab]

Alexey Kodanev (1):
      dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
         [dd5684ecae3bd8e44b644f50e2c12c7e57fdfef5]

Andrew Bresticker (1):
      mac80211_hwsim: fix compiler warning on MIPS
         [5d26b50813ea6206a7bbab2e645e68044f101ac5]

Andrew Honig (1):
      KVM: x86: Add memory barrier on vmcs field lookup
         [75f139aaf896d6fdeec2e468ddfa4b2fe469bf40]

Anshuman Khandual (1):
      mm/mprotect: add a cond_resched() inside change_pmd_range()
         [4991c09c7c812dba13ea9be79a68b4565bb1fa4e]

Arnd Bergmann (1):
      mmc: s3mci: mark debug_regs[] as static
         [2bd7b4aacdb6efa5ccd4749c365c171b884791d2]

Bart Van Assche (1):
      IB/srpt: Disable RDMA access by the initiator
         [bec40c26041de61162f7be9d2ce548c756ce0f65]

Ben Hutchings (3):
      ASoC: wm_adsp: Fix validation of firmware and coeff lengths
         [50dd2ea8ef67a1617e0c0658bcbec4b9fb03b936]
      nfsd: auth: Fix gid sorting when rootsquash enabled
         [1995266727fa8143897e89b55f5d3c79aa828420]
      of: fdt: Fix return with value in void function
         [not upstream; fixes incorrect backport]

Benjamin Herrenschmidt (1):
      powerpc: Don't preempt_disable() in show_cpuinfo()
         [349524bc0da698ec77f2057cf4a4948eb6349265]

Benjamin Poirier (2):
      e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
         [4110e02eb45ea447ec6f5459c9934de0a273fb91]
      e1000e: Separate signaling for link check/link up
         [19110cfbb34d4af0cdfe14cd243f3b09dc95b013]

Bin Liu (1):
      usb: musb: da8xx: fix babble condition handling
         [bd3486ded7a0c313a6575343e6c2b21d14476645]

Chandan Rajendra (1):
      ext4: fix crash when a directory's i_size is too small
         [9d5afec6b8bd46d6ed821aa1579634437f58ef1f]

Christian Holl (1):
      USB: serial: cp210x: add new device ID ELV ALC 8xxx
         [d14ac576d10f865970bb1324d337e5e24d79aaf4]

Christoph Hellwig (1):
      scsi: dma-mapping: always provide dma_get_cache_alignment
         [860dd4424f344400b491b212ee4acb3a358ba9d9]

Christoph Paasch (1):
      tcp md5sig: Use skb's saddr when replying to an incoming segment
         [30791ac41927ebd3e75486f9504b6d2280463bf0]

Christophe JAILLET (1):
      mdio-sun4i: Fix a memory leak
         [56c0290202ab94a2f2780c449395d4ae8495fab4]

Christophe Leroy (1):
      net: fs_enet: do not call phy_stop() in interrupts
         [f8b39039cbf2a15f2b8c9f081e1cbd5dee00aaf5]

Colin Ian King (2):
      usb: gadget: don't dereference g until after it has been null checked
         [b2fc059fa549fe6881d4c1f8d698b0f50bcd16ec]
      usb: host: fix incorrect updating of offset
         [1d5a31582ef046d3b233f0da1a68ae26519b2f0a]

Cong Wang (1):
      8021q: fix a memory leak for VLAN 0 device
         [78bbb15f2239bc8e663aa20bbe1987c91a0b75f6]

Daniel Mentz (2):
      media: v4l2-compat-ioctl32.c: refactor  compat ioctl32 logic
         [a1dfb4c48cc1e64eeb7800a27c66a6f7e88d075a]
      media: v4l2-compat-ioctl32: Copy  v4l2_window->global_alpha
         [025a26fa14f8fd55d50ab284a30c016a5be953d0]

Daniel Thompson (2):
      kdb: Fix handling of kallsyms_symbol_next() return value
         [c07d35338081d107e57cf37572d8cc931a8e32e2]
      usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
         [da99706689481717998d1d48edd389f339eea979]

Daniele Palmas (1):
      USB: serial: option: add support for Telit ME910 PID 0x1101
         [08933099e6404f588f81c2050bfec7313e06eeaf]

Dave Martin (2):
      arm64: fpsimd: Prevent registers leaking from dead tasks
         [071b6d4a5d343046f253a5a8835d477d93992002]
      mips/ptrace: Preserve previous registers for short regset write
         [d614fd58a2834cfe4efa472c33c8f3ce2338b09b]

David Howells (1):
      fscache: Fix the default for fscache_maybe_release_page()
         [98801506552593c9b8ac11021b0cdad12cab4f6b]

David Kozub (1):
      USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
         [62354454625741f0569c2cbe45b2d192f8fd258e]

David Woodhouse (1):
      x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
         [b9e705ef7cfaf22db0daab91ad3cd33b0fa32eb9]

Dennis Yang (1):
      dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
         [490ae017f54e55bde382d45ea24bddfb6d1a0aaf]

Denys Vlasenko (1):
      include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header
         [3876488444e71238e287459c39d7692b6f718c3e]

Diego Elio Pettenò (1):
      USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
         [4307413256ac1e09b8f53e8715af3df9e49beec3]

Dmitry Fleytman Dmitry Fleytman (1):
      usb: Add device quirk for Logitech HD Pro Webcam C925e
         [7f038d256c723dd390d2fca942919573995f4cfd]

Dominik Brodowski (1):
      nl80211: take RCU read lock when calling ieee80211_bss_get_ie()
         [7a94b8c2eee7083ddccd0515830f8c81a8e44b1a]

Erez Shitrit (1):
      IB/ipoib: Fix race condition in neigh creation
         [16ba3defb8bd01a9464ba4820a487f5b196b455b]

Eric Biggers (8):
      509: fix printing uninitialized stack memory when OID is empty
         [8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1]
      ASN.1: check for error from ASN1_OP_END__ACT actions
         [81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955]
      ASN.1: fix out-of-bounds read when parsing indefinite length item
         [e0058f3a874ebb48b25be7ff79bc3b4e59929f90]
      X.509: fix buffer overflow detection in sprint_oid()
         [47e0a208fb9d91e3f3c86309e752b13a36470ae8]
      X.509: reject invalid BIT STRING for subjectPublicKey
         [0f30cbea005bd3077bd98cd29277d7fc2699c1da]
      af_key: fix buffer overread in parse_exthdrs()
         [4e765b4972af7b07adcb1feb16e7a525ce1f6b28]
      af_key: fix buffer overread in verify_address_len()
         [06b335cb51af018d5feeff5dd4fd53847ddb675a]
      crypto: algapi - fix NULL dereference in crypto_remove_spawns()
         [9a00674213a3f00394f4e3221b88f2d21fc05789]

Eric Dumazet (1):
      net/packet: fix a race in packet_bind() and packet_notifier()
         [15fe076edea787807a7cdc168df832544b58eba6]

Eryu Guan (1):
      ext4: fix fdatasync(2) after fallocate(2) operation
         [c894aa97577e47d3066b27b32499ecf899bfa8b0]

Eugenia Emantayev (1):
      net/mlx5: Fix misspelling in the error message and comment
         [777ec2b2a3f2760505db395de1a9fa4115d74548]

Felix Fietkau (1):
      net: igmp: fix source address check for IGMPv3 reports
         [ad23b750933ea7bf962678972a286c78a8fa36aa]

Florian Fainelli (1):
      net: phy: Add phy_interface_is_rgmii helper
         [e463d88c36d42211aa72ed76d32fb8bf37820ef1]

Greg Kroah-Hartman (2):
      ACPI: sbshc: remove raw pointer from printk() message
         [43cdd1b716b26f6af16da4e145b6578f98798bf6]
      efi: Move some sysfs files to be read-only by root
         [af97a77bc01ce49a466f9d4c0125479e2e2230b6]

Guennadi Liakhovetski (1):
      [media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back
         [6ed9b28504326f8cf542e6b68245b2f7ce009216]

Guillaume Nault (1):
      pppoe: take ->needed_headroom of lower device into account on xmit
         [02612bb05e51df8489db5e94d0cf8d1c81f87b0c]

H. Nikolaus Schaller (1):
      Input: twl6040-vibra - fix DT node memory management
         [c52c545ead97fcc2f4f8ea38f1ae3c23211e09a8]

Hans Verkuil (13):
      [media] v4l2-compat-ioctl32: fix sparse warnings
         [8ae632b11775254c5e555ee8c42b7d19baeb1473]
      adv7604: use correct drive strength defines
         [not upstream; fixes incorrect backport]
      media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32
         [037e0865c2ecbaa4558feba239ece08d7e457ec0]
      media: v4l2-compat-ioctl32.c: add missing  VIDIOC_PREPARE_BUF
         [3ee6d040719ae09110e5cdf24d5386abe5d1b776]
      media: v4l2-compat-ioctl32.c: avoid  sizeof(type)
         [333b1e9f96ce05f7498b581509bb30cde03018bf]
      media: v4l2-compat-ioctl32.c: copy  m.userptr in put_v4l2_plane32
         [8ed5a59dcb47a6f76034ee760b36e089f3e82529]
      media: v4l2-compat-ioctl32.c: copy clip  list in put_v4l2_window32
         [a751be5b142ef6bcbbb96d9899516f4d9c8d0ef4]
      media: v4l2-compat-ioctl32.c: don't copy  back the result for certain errors
         [d83a8243aaefe62ace433e4384a4f077bed86acb]
      media: v4l2-compat-ioctl32.c: drop pr_info  for unknown buffer type
         [169f24ca68bf0f247d111aef07af00dd3a02ae88]
      media: v4l2-compat-ioctl32.c: fix  ctrl_is_pointer
         [b8c601e8af2d08f733d74defa8465303391bb930]
      media: v4l2-compat-ioctl32.c: fix the  indentation
         [b7b957d429f601d6d1942122b339474f31191d75]
      media: v4l2-compat-ioctl32.c: move  'helper' functions to __get/put_v4l2_format32
         [486c521510c44a04cd756a9267e7d1e271c8a4ba]
      media: v4l2-ioctl.c: don't copy back the  result for -ENOTTY
         [181a4a2d5a0a7b43cab08a70710d727e7764ccdd]

Hans de Goede (1):
      uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
         [7fee72d5e8f1e7b8d8212e28291b1a0243ecf2f1]

Heiko Carstens (1):
      s390: always save and restore all registers on context switch
         [fbbd7f1a51965b50dd12924841da0d478f3da71b]

Heiner Kallweit (1):
      eeprom: at24: check at24_read/write arguments
         [d9bcd462daf34aebb8de9ad7f76de0198bb5a0f0]

Helge Deller (1):
      parisc: Hide Diva-built-in serial aux and graphics card
         [bcf3f1752a622f1372d3252d0fea8855d89812e7]

Herbert Xu (5):
      ipv4: Avoid reading user iov twice after raw_probe_proto_opt
         [c008ba5bdc9fa830e1a349b20b0be5a137bdef7a]
      ipv4: Use standard iovec primitive in raw_probe_proto_opt
         [32b5913a931fd753faf3d4e1124b2bc2edb364da]
      xfrm: Reinject transport-mode packets through tasklet
         [acf568ee859f098279eadf551612f103afdacb4e]
      xfrm: Return error on unknown encap_type in init_state
         [bcfd09f7837f5240c30fd2f52ee7293516641faa]
      xfrm: Use __skb_queue_tail in xfrm_trans_queue
         [d16b46e4fd8bc6063624605f25b8c0835bb1fbe3]

Huacai Chen (2):
      scsi: libsas: align sata_device's rps_resp on a cacheline
         [c2e8fbf908afd81ad502b567a6639598f92c9b9d]
      scsi: use dma_get_cache_alignment() as minimum DMA alignment
         [90addc6b3c9cda0146fbd62a08e234c2b224a80c]

Hui Wang (1):
      ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines
         [322f74ede933b3e2cb78768b6a6fdbfbf478a0c1]

Håkon Bugge (1):
      rds: Fix NULL pointer dereference in __rds_rdma_map
         [f3069c6d33f6ae63a1668737bc78aaaa51bff7ca]

Icenowy Zheng (1):
      uas: ignore UAS for Norelsys NS1068(X) chips
         [928afc85270753657b5543e052cc270c279a3fe9]

Iyappan Subramanian (1):
      phy: Add helper function to check phy interface mode
         [32d0f7830d9be5b1652a718e050d808b4908155f]

Jaejoong Kim (2):
      ALSA: usb-audio: Add check return value for usb_string()
         [89b89d121ffcf8d9546633b98ded9d18b8f75891]
      ALSA: usb-audio: Fix out-of-bound error
         [251552a2b0d454badc8f486e6d79100970c744b0]

James Hogan (3):
      MIPS: CPS: Fix r1 .set mt assembler warning
         [17278a91e04f858155d54bee5528ba4fbcec6f87]
      MIPS: Clear [MSA]FPE CSR.Cause after notify_die()
         [64bedffe496820dbb6b53302d80dd0f04db33d8e]
      MIPS: lose_fpu(): Disable FPU when MSA enabled
         [acaf6a97d623af123314c2f8ce4cf7254f6b2fc1]

Jan Engelhardt (1):
      crypto: n2 - cure use after free
         [203f45003a3d03eea8fa28d74cfc74c354416fdb]

Jann Horn (1):
      netfilter: xt_bpf: add overflow checks
         [6ab405114b0b229151ef06f4e31c7834dd09d0c0]

Jeff Mahoney (1):
      btrfs: fix missing error return in btrfs_drop_snapshot
         [e19182c0fff451e3744c1107d98f072e7ca377a0]

Jens Axboe (1):
      blktrace: fix trace mutex deadlock
         [2967acbb257a6a9bf912f4778b727e00972eac9b]

Jeremy Compostella (1):
      i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
         [89c6efa61f5709327ecfa24bff18e57a4e80c7fa]

Jerome Brunet (1):
      net: stmmac: enable EEE in MII, GMII or RGMII only
         [879626e3a52630316d817cbda7cec9a5446d1d82]

Jia Zhang (2):
      x86/microcode/intel: Extend BDW late-loading further with LLC size check
         [7e702d17ed138cf4ae7c00e8c00681ed464587c7]
      x86/microcode/intel: Extend BDW late-loading with a revision check
         [b94b7373317164402ff7728d10f7023127a02b60]

Jimmy Assarsson (3):
      can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
         [e84f44eb5523401faeb9cc1c97895b68e3cfb78d]
      can: kvaser_usb: free buf in error paths
         [435019b48033138581a6171093b181fc6b4d3d30]
      can: kvaser_usb: ratelimit errors if incomplete messages are received
         [8bd13bd522ff7dfa0eb371921aeb417155f7a3be]

Jing Xia (1):
      tracing: Fix crash when it fails to alloc ring buffer
         [24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5]

Joe Perches (1):
      stddef.h: move offsetofend inside #ifndef/#endif guard, neaten
         [8c7fbe5795a016259445a61e072eb0118aaf6a61]

Joe Thornber (1):
      dm btree: fix serious bug in btree_split_beneath()
         [bc68d0a43560e950850fc69b58f0f8254b28f6d6]

Johan Hovold (6):
      ASoC: twl4030: fix child-node lookup
         [15f8c5f2415bfac73f33a14bcd83422bcbfb5298]
      Input: 88pm860x-ts - fix child-node lookup
         [906bf7daa0618d0ef39f4872ca42218c29a3631f]
      Input: twl4030-vibra - fix sibling-node lookup
         [5b189201993ab03001a398de731045bfea90c689]
      Input: twl6040-vibra - fix child-node lookup
         [dcaf12a8b0bbdbfcfa2be8dff2c4948d9844b4ad]
      mfd: twl4030-audio: Fix sibling-node lookup
         [0a423772de2f3d7b00899987884f62f63ae00dcb]
      mfd: twl6040: Fix child-node lookup
         [85e9b13cbb130a3209f21bd7933933399c389ffe]

Johannes Berg (4):
      cfg80211: check dev_set_name() return value
         [59b179b48ce2a6076448a44531242ac2b3f6cef2]
      cfg80211: fix station info handling bugs
         [5762d7d3eda25c03cc2d9d45227be3f5ab6bec9e]
      mac80211_hwsim: validate number of different channels
         [51a1aaa631c90223888d8beac4d649dc11d2ca55]
      nl80211: fix nl80211_send_iface() error paths
         [4564b187c16327045d87596e8980c65ba7b84c50]

Johannes Thumshirn (1):
      dm mpath: simplify failure path of dm_multipath_init()
         [ff658e9c1aae9a84dd06d46f847dc0cd2bf0dd11]

Jon Hunter (1):
      mfd: cros ec: spi: Don't send first message too soon
         [15d8374874ded0bec37ef27f8301a6d54032c0e5]

Josef Bacik (1):
      btrfs: clear space cache inode generation always
         [8e138e0d92c6c9d3d481674fb14e3439b495be37]

Juan Zea (1):
      usbip: fix usbip bind writing random string after command in match_busid
         [544c4605acc5ae4afe7dd5914147947db182f2fb]

Kai-Heng Feng (1):
      usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
         [e43a12f1793ae1fe006e26fe9327a8840a92233c]

Kevin Cernekee (1):
      net: igmp: Use correct source address on IGMPv3 reports
         [a46182b00290839fa3fa159d54fd3237bd8669f0]

Kristina Martsenko (1):
      arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
         [26aa7b3b1c0fb3f1a6176a0c1847204ef4355693]

Lan Tianyu (1):
      KVM/x86: Check input paging mode when cs.l is set
         [f29810335965ac1f7bcb501ee2af5f039f792416]

Laurent Caumont (1):
      media: dvb: i2c transfers over usb cannot be done from stack
         [6d33377f2abbf9f0e561b116dd468d1c3ff36a6a]

Li Jinyue (1):
      futex: Prevent overflow by strengthen input validation
         [fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a]

Linus Torvalds (2):
      kbuild: add '-fno-stack-check' to kernel build options
         [3ce120b16cc548472f80cf8644f90eda958cf1b6]
      n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
         [966031f340185eddd05affcf72b740549f056348]

Liran Alon (3):
      KVM: x86: Don't re-execute instruction when not passing CR2 value
         [9b8ae63798cb97e785a667ff27e43fa6220cb734]
      KVM: x86: Exit to user-mode on #UD intercept when emulator requires
         [61cb57c9ed631c95b54f8e9090c89d18b3695b3c]
      KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
         [1f4dcb3b213235e642088709a1c54964d23365e9]

Lixin Wang (1):
      i2c: core: decrease reference count of device node in i2c_unregister_device
         [e0638fa400eaccf9fa8060f67140264c4e276552]

Maciej S. Szmigiero (2):
      ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
         [695b78b548d8a26288f041e907ff17758df9e1d5]
      ASoC: fsl_ssi: add AC'97 ops setting check and cleanup
         [04143d614f3af84a3f39e79a24a7ca740bd39efd]

Maciej W. Rozycki (13):
      MIPS: Always clear FCSR cause bits after emulation
         [443c44032a54f9acf027a8e688380fddc809bc19]
      MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
         [c8c5a3a24d395b14447a9a89d61586a913840a3b]
      MIPS: Factor out NT_PRFPREG regset access helpers
         [a03fe72572c12e98f4173f8a535f32468e48b6ec]
      MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
         [5a1aca4469fdccd5b74ba0b4e490173b2b447895]
      MIPS: Fix a preemption issue with thread's FPU defaults
         [03dce595270f22d59a6f37e9170287c1afd94bc2]
      MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
         [be07a6a1188372b6d19a3307ec33211fc9c9439d]
      MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
         [dc24d0edf33c3e15099688b6bbdf7bdc24bf6e91]
      MIPS: Respect the FCSR exception mask for `si_code'
         [ed2d72c1eb3643b7c109bdf387563d9b9a30c279]
      MIPS: Respect the ISA level in FCSR handling
         [9b26616c8d9dae53fbac7f7cb2c6dd1308102976]
      MIPS: Set `si_code' for SIGFPE signals sent from emulation too
         [304acb717e5b67cf56f05bc5b21123758e1f7ea0]
      MIPS: math-emu: Define IEEE 754-2008 feature control bits
         [f1f3b7ebac08161761c352fd070cfa07b7b94c54]
      MIPS: ptrace: Fix FP context restoration FCSR regression
         [4249548454f7ba4581aeee26bd83f42b48a14d15]
      MIPS: ptrace: Prevent writes to read-only FCSR bits
         [abf378be49f38c4d3e23581d3df3fa9f1b1b11d2]

Marc Kleine-Budde (2):
      can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
         [8cb68751c115d176ec851ca56ecfbb411568c9e8]
      can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
         [d4689846881d160a4d12a514e991a740bcb5d65a]

Marc Zyngier (3):
      KVM: arm/arm64: Fix HYP unmapping going off limits
         [7839c672e58bf62da8f2f0197fefb442c02ba1dd]
      arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
         [acfb3b883f6d6a4b5d27ad7fdded11f6a09ae6dd]
      arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
         [5553b142be11e794ebc0805950b2e8313f93d718]

Marek Belisko (1):
      Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning
         [e661d0a04462dd98667f8947141bd8defab5b34a]

Martin Kelly (4):
      can: ems_usb: cancel urb on -EPIPE and -EPROTO
         [bd352e1adfe0d02d3ea7c8e3fb19183dc317e679]
      can: esd_usb2: cancel urb on -EPIPE and -EPROTO
         [7a31ced3de06e9878e4f9c3abe8f87d9344d8144]
      can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
         [6aa8d5945502baf4687d80de59b7ac865e9e666b]
      can: usb_8dev: cancel urb on -EPIPE and -EPROTO
         [12147edc434c9e4c7c2f5fee2e5519b2e5ac34ce]

Masakazu Mokuno (1):
      USB: core: Add type-specific length check of BOS descriptors
         [81cf4a45360f70528f1f64ba018d61cb5767249a]

Mathias Nyman (2):
      xhci: Don't add a virt_dev to the devs array before it's fully allocated
         [5d9b70f7d52eb14bb37861c663bae44de9521c35]
      xhci: Don't show incorrect WARN message about events for empty rings
         [e4ec40ec4b260efcca15089de4285a0a3411259b]

Matt Wilson (1):
      serial: 8250_pci: Add Amazon PCI serial device ID
         [3bfd1300abfe3adb18e84a89d97a0e82a22124bb]

Max Schulze (1):
      USB: serial: ftdi_sio: add id for Airbus DS P8GR
         [c6a36ad383559a60a249aa6016cebf3cb8b6c485]

Mike Looijmans (1):
      usb: hub: Cycle HUB power when initialization fails
         [973593a960ddac0f14f0d8877d2d0abe0afda795]

Ming Lei (1):
      blk-mq: fix race between timeout and freeing request
         [0048b4837affd153897ed1222283492070027aa9]

Mohamed Ghannam (1):
      net: ipv4: fix for a race condition in raw_sendmsg
         [8f659a03a0ba9289b9aeb9b4470e6fb263d6f483]

Monty_pavel@Sina.Com (1):
      dm: fix various targets to dm_register_target after module __init resources created
         [7e6358d244e4706fe612a77b9c36519a33600ac0]

Moshe Shemesh (2):
      net/mlx5: Cleanup IRQs in case of unload failure
         [d6b2785cd55ee72e9608762650b3ef299f801b1b]
      net/mlx5: Stay in polling mode when command EQ destroy fails
         [a2fba188fd5eadd6061bef4f2f2577a43231ebf3]

Nicolai Stange (1):
      net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
         [20b50d79974ea3192e8c3ab7faf4e536e5f14d8f]

Nikolay Aleksandrov (1):
      net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
         [84aeb437ab98a2bce3d4b2111c79723aedfceb33]

Nikolay Borisov (1):
      btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
         [c8bcbfbd239ed60a6562964b58034ac8a25f4c31]

Nogah Frankel (2):
      net_sched: red: Avoid devision by zero
         [5c472203421ab4f928aa1ae9e1dbcfdd80324148]
      net_sched: red: Avoid illegal values
         [8afa10cbe281b10371fee5a87ab266e48d71a7f9]

Oleg Nesterov (1):
      kernel/acct.c: fix the acct->needcheck check in check_free_space()
         [4d9570158b6260f449e317a5f9ed030c2504a615]

Oliver Neukum (2):
      USB: usbfs: Filter flags passed in from user space
         [446f666da9f019ce2ffd03800995487e79a91462]
      usb: add RESET_RESUME for ELSA MicroLink 56K
         [b9096d9f15c142574ebebe8fbb137012bb9d99c2]

Oliver Stäbler (1):
      can: ti_hecc: Fix napi poll return value for repoll
         [f6c23b174c3c96616514827407769cbcfc8005cf]

Omar Sandoval (1):
      Btrfs: disable FUA if mounted with nobarrier
         [1b9e619c5bc8235cfba3dc4ced2fb0e3554a05d4]

Oscar Campos (1):
      Input: trackpoint - assume 3 buttons when buttons detection fails
         [293b915fd9bebf33cdc906516fb28d54649a25ac]

Paul Burton (2):
      MIPS: clear MSACSR cause bits when handling MSA FP exception
         [091be550a70a086c3b4420c6155e733dc410f190]
      MIPS: prevent FP context set via ptrace being discarded
         [ac9ad83bc318635ed7496e9dff30beaa522eaec7]

Paul Meyer (1):
      hv: kvp: Avoid reading past allocated blocks from KVP file
         [297d6b6e56c2977fc504c61bbeeaa21296923f89]

Pete Zaitcev (1):
      USB: fix usbmon BUG trigger
         [46eb14a6e1585d99c1b9f58d0e7389082a5f466b]

Petri Gynther (1):
      net: bcmgenet: fix bcmgenet_open()
         [fac25940c5e0d6f31d56bb2a704fadad6d5e382a]

Rafael J. Wysocki (2):
      PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
         [5839ee7389e893a31e4e3c9cf17b50d14103c902]
      x86/PCI: Make broadcom_postcore_init() check acpi_disabled
         [ddec3bdee05b06f1dda20ded003c3e10e4184cab]

Ralf Baechle (1):
      MIPS: MSA: bugfix - disable MSA correctly for new threads/processes.
         [9cc719ab3f4f639d629ac8ff09e9b998bc006f68]

Ravi Bangoria (1):
      powerpc/perf: Dereference BHRB entries safely
         [f41d84dddc66b164ac16acf3f584c276146f1c48]

Ricardo Ribalda (1):
      vb2: V4L2_BUF_FLAG_DONE is set after DQBUF
         [3171cc2b4eb9831ab4df1d80d0410a945b8bc84e]

Richard Fitzgerald (1):
      ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
         [1cab2a84f470e15ecc8e5143bfe9398c6e888032]

Robb Glasser (1):
      ALSA: pcm: prevent UAF in snd_pcm_info
         [362bca57f5d78220f8b5907b875961af9436e229]

Robert Lippert (1):
      hwmon: (pmbus) Use 64bit math for DIRECT format values
         [bd467e4eababe4c04272c1e646f066db02734c79]

Robin Murphy (1):
      iommu/vt-d: Fix scatterlist offset handling
         [29a90b70893817e2f2bb3cea40a29f5308e21b21]

Rui Hua (1):
      bcache: recover data from backing when data is clean
         [e393aa2446150536929140739f09c6ecbcbea7f0]

SZ Lin (1):
      USB: serial: option: adding support for YUGA CLM920-NC5
         [3920bb713038810f25770e7545b79f204685c8f2]

Sebastian Sjoholm (1):
      USB: serial: option: add Quectel BG96 id
         [c654b21ede93845863597de9ad774fd30db5f2ab]

Sergei Shtylyov (5):
      SolutionEngine771x: add Ether TSU resource
         [f9a531d6731d74f1e24298d9641c2dc1fef2631b]
      SolutionEngine771x: fix Ether platform data
         [195e2addbce09e5afbc766efc1e6567c9ce840d3]
      sh_eth: fix SH7757 GEther initialization
         [5133550296d43236439494aa955bfb765a89f615]
      sh_eth: fix TSU resource handling
         [dfe8266b8dd10e12a731c985b725fcf7f0e537f0]
      sh_eth: fix TXALCR1 offsets
         [50f3d740d376f664f6accc7e86c9afd8f1c7e1e4]

Shuah Khan (4):
      usbip: prevent leaking socket pointer address in messages
         [90120d15f4c397272aaf41077960a157fc4212bf]
      usbip: remove kernel addresses from usb device and urb debug msgs
         [e1346fd87c71a1f61de1fe476ec8df1425ac931c]
      usbip: stub: stop printing kernel pointer addresses in messages
         [248a22044366f588d46754c54dfe29ffe4f8b4df]
      usbip: vhci: stop printing kernel pointer addresses in messages
         [8272d099d05f7ab2776cf56a2ab9f9443be18907]

Stefan Agner (1):
      usb: misc: usb3503: make sure reset is low for at least 100us
         [b8626f1dc29d3eee444bfaa92146ec7b291ef41c]

Steve Wise (1):
      iw_cxgb4: Only validate the MSN for successful completions
         [f55688c45442bc863f40ad678c638785b26cdce6]

Steven Rostedt (2):
      ring-buffer: Mask out the info bits when returning buffer page length
         [45d8b80c2ac5d21cd1e2954431fb676bc2b1e099]
      tracing: Fix possible double free on failure of allocating trace buffer
         [4397f04575c44e1440ec2e49b6302785c95fd2f8]

Sven Eckelmann (1):
      batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
         [5ba7dcfe77037b67016263ea597a8b431692ecab]

Takashi Iwai (15):
      ACPI: APEI / ERST: Fix missing error handling in erst_reader()
         [bb82e0b4a7e96494f0c1004ce50cec3d7b5fb3d1]
      ALSA: aloop: Fix inconsistent format due to incomplete rule
         [b088b53e20c7d09b5ab84c5688e609f478e5c417]
      ALSA: aloop: Fix racy hw constraints adjustment
         [898dfe4687f460ba337a01c11549f87269a13fa2]
      ALSA: aloop: Release cable upon open error path
         [9685347aa0a5c2869058ca6ab79fd8e93084a67f]
      ALSA: hda - Apply the existing quirk to iMac 14,1
         [031f335cda879450095873003abb03ae8ed3b74a]
      ALSA: pcm: Abort properly at pending signal in OSS read/write loops
         [29159a4ed7044c52e3e2cf1a9fb55cec4745c60b]
      ALSA: pcm: Add missing error checks in OSS emulation plugin builder
         [6708913750344a900f2e73bfe4a4d6dbbce4fe8d]
      ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
         [900498a34a3ac9c611e9b425094c8106bdd7dc1c]
      ALSA: pcm: Remove incorrect snd_BUG_ON() usages
         [fe08f34d066f4404934a509b6806db1a4f700c86]
      ALSA: pcm: Remove yet superfluous WARN_ON()
         [23b19b7b50fe1867da8d431eea9cd3e4b6328c2c]
      ALSA: rawmidi: Avoid racy info ioctl via ctl device
         [c1cfd9025cc394fd137a01159d74335c5ac978ce]
      ALSA: seq: Fix regression by incorrect ioctl_mutex usages
         [not upstream; fixes incorrect backport]
      ALSA: seq: Remove spurious WARN_ON() at timer check
         [43a3542870328601be02fcc9d27b09db467336ef]
      ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
         [5a15f289ee87eaf33f13f08a4909ec99d837ec5f]
      lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string
         [afdb05e9d61905220f09268535235288e6ba3a16]

Tetsuo Handa (1):
      quota: Check for register_shrinker() failure.
         [88bc0ede8d35edc969350852894dc864a2dc1859]

Thiago Rafael Becker (1):
      kernel: make groups_sort calling a responsibility group_info allocators
         [bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758]

Thomas Gleixner (4):
      hrtimer: Reset hrtimer cpu base proper on CPU hotplug
         [d5421ea43d30701e03cadc56a38854c36a8b4433]
      nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
         [5d62c183f9e9df1deeea0906d099a94e8a43047a]
      posix-timer: Properly check sigevent->sigev_notify
         [cef31d9af908243421258f1df35a4a644604efbe]
      x86/mce: Make machine check speculation protected
         [6f41c34d69eb005e7848716bbcafc979b35037d5]

Thomas Petazzoni (1):
      ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
         [56aeb07c914a616ab84357d34f8414a69b140cdf]

Tianyu Lan (1):
      KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
         [37b95951c58fdf08dc10afa9d02066ed9f176fb5]

Tiffany Lin (1):
      [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32
         [baf43c6eace43868e490f18560287fa3481b2159]

Tobias Jordan (2):
      dmaengine: jz4740: disable/unprepare clk if probe fails
         [eb9436966fdc84cebdf222952a99898ab46d9bb0]
      net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
         [589bf32f09852041fbd3b7ce1a9e703f95c230ba]

Tonghao Zhang (1):
      sctp: Replace use of sockets_allocated with specified macro.
         [8cb38a602478e9f806571f6920b0a3298aabf042]

Ville Syrjälä (2):
      drm/i915: Don't try indexed reads to alternate slave addresses
         [c4deb62d7821672265b87952bcd1c808f3bf3e8f]
      drm/i915: Prevent zero length "index" write
         [bb9e0d4bca50f429152e74a459160b41f3d60fb2]

Wanpeng Li (1):
      KVM: X86: Fix load RFLAGS w/o the fixed bit
         [d73235d17ba63b53dc0e1051dbc10a1f1be91b71]

Weiping Zhang (1):
      virtio: release virtio index when fail to device_register
         [e60ea67bb60459b95a50a156296041a13e0e380e]

William Breathitt Gray (1):
      isa: Prevent NULL dereference in isa_bus driver callbacks
         [5a244727f428a06634f22bb890e78024ab0c89f3]

Wolfgang Grandegger (1):
      can: gs_usb: fix return value of the "set_bittiming" callback
         [d5b42e6607661b198d8b26a0c30969605b1bf5c7]

Xin Long (4):
      sctp: do not allow the v4 socket to bind a v4mapped v6 address
         [c5006b8aa74599ce19104b31d322d2ea9ff887cc]
      sctp: force the params with right types for sctp csum apis
         [af2697a0273f7665429c47d71ab26f2412af924e]
      sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
         [a0ff660058b88d12625a783ce9e5c1371c87951f]
      sctp: use the right sk after waking up from wait_buf sleep
         [cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff]

Yelena Krivosheev (1):
      net: mvneta: clear interface link status on port disable
         [4423c18e466afdfb02a36ee8b9f901d144b3c607]

Yu Chen (1):
      usb: xhci: fix panic in xhci_free_virt_devices_depth_first
         [80e457699a8dbdd70f2d26911e46f538645c55fc]

Zhao Qiang (1):
      net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
         [c505873eaece2b4aefd07d339dc7e1400e0235ac]

 Makefile                                           |    7 +-
 arch/arm/boot/dts/kirkwood-openblocks_a7.dts       |   10 +-
 arch/arm/include/asm/kvm_arm.h                     |    3 +-
 arch/arm/kvm/mmu.c                                 |   10 +-
 arch/arm64/include/asm/kvm_arm.h                   |    3 +-
 arch/arm64/kernel/process.c                        |    9 +
 arch/arm64/kvm/handle_exit.c                       |    4 +-
 arch/mips/include/asm/cpu-info.h                   |    2 +
 arch/mips/include/asm/elf.h                        |    7 +
 arch/mips/include/asm/fpu.h                        |    6 +-
 arch/mips/include/asm/fpu_emulator.h               |   18 +-
 arch/mips/include/asm/kdebug.h                     |    3 +-
 arch/mips/include/asm/mipsregs.h                   |   14 +-
 arch/mips/include/asm/switch_to.h                  |   21 +-
 arch/mips/kernel/cps-vec.S                         |    2 +
 arch/mips/kernel/cpu-probe.c                       |   55 +-
 arch/mips/kernel/genex.S                           |   15 +-
 arch/mips/kernel/ptrace.c                          |  197 +++-
 arch/mips/kernel/r2300_switch.S                    |    7 +-
 arch/mips/kernel/r4k_switch.S                      |    7 +-
 arch/mips/kernel/traps.c                           |  153 ++-
 arch/mips/kernel/unaligned.c                       |    4 +-
 arch/mips/math-emu/cp1emu.c                        |    8 +-
 arch/mips/math-emu/ieee754.h                       |   12 +-
 arch/powerpc/kernel/setup-common.c                 |   11 -
 arch/powerpc/perf/core-book3s.c                    |    8 +-
 arch/s390/include/asm/switch_to.h                  |   24 +-
 arch/s390/kernel/compat_linux.c                    |    1 +
 arch/sh/boards/mach-se/770x/setup.c                |   24 +-
 arch/sh/include/mach-se/mach/se.h                  |    1 +
 arch/x86/include/asm/alternative.h                 |    4 +-
 arch/x86/include/asm/kvm_host.h                    |    3 +-
 arch/x86/include/asm/traps.h                       |    1 +
 arch/x86/kernel/cpu/mcheck/mce.c                   |    6 +
 arch/x86/kernel/cpu/microcode/intel.c              |   29 +-
 arch/x86/kernel/entry_64.S                         |    2 +-
 arch/x86/kvm/svm.c                                 |    2 +
 arch/x86/kvm/vmx.c                                 |   16 +-
 arch/x86/kvm/x86.c                                 |   30 +-
 arch/x86/pci/broadcom_bus.c                        |    2 +-
 block/blk-flush.c                                  |    6 +
 block/blk-mq-tag.h                                 |   12 +
 block/blk-mq.c                                     |   16 +-
 crypto/algapi.c                                    |   12 +
 crypto/asymmetric_keys/x509_cert_parser.c          |    2 +
 drivers/acpi/apei/erst.c                           |    2 +-
 drivers/acpi/sbshc.c                               |    4 +-
 drivers/base/isa.c                                 |   10 +-
 drivers/crypto/n2_core.c                           |    3 +
 drivers/dma/dma-jz4740.c                           |    4 +-
 drivers/dma/dmatest.c                              |   54 +-
 drivers/firmware/efi/efi.c                         |    3 +-
 drivers/firmware/efi/runtime-map.c                 |   10 +-
 drivers/gpu/drm/i915/intel_i2c.c                   |    4 +-
 drivers/hwmon/pmbus/pmbus_core.c                   |   21 +-
 drivers/i2c/i2c-core.c                             |   17 +-
 drivers/infiniband/hw/cxgb4/cq.c                   |    6 +-
 drivers/infiniband/ulp/ipoib/ipoib_main.c          |   25 +-
 drivers/infiniband/ulp/ipoib/ipoib_multicast.c     |    5 +-
 drivers/infiniband/ulp/srpt/ib_srpt.c              |    3 +-
 drivers/input/misc/twl4030-vibra.c                 |    7 +-
 drivers/input/misc/twl6040-vibra.c                 |    2 +-
 drivers/input/mouse/elantech.c                     |    2 +-
 drivers/input/mouse/trackpoint.c                   |    7 +-
 drivers/input/touchscreen/88pm860x-ts.c            |   16 +-
 drivers/iommu/intel-iommu.c                        |    8 +-
 drivers/md/bcache/request.c                        |   13 +-
 drivers/md/dm-cache-target.c                       |   12 +-
 drivers/md/dm-mpath.c                              |   34 +-
 drivers/md/dm-snap.c                               |   48 +-
 drivers/md/dm-thin-metadata.c                      |    6 +-
 drivers/md/dm-thin.c                               |   22 +-
 drivers/md/persistent-data/dm-btree.c              |   19 +-
 drivers/media/i2c/adv7604.c                        |    6 +-
 drivers/media/usb/dvb-usb/dibusb-common.c          |   16 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      | 1025 ++++++++++++--------
 drivers/media/v4l2-core/v4l2-ioctl.c               |    5 +-
 drivers/media/v4l2-core/videobuf2-core.c           |    5 +
 drivers/mfd/cros_ec_spi.c                          |    4 +
 drivers/mfd/twl4030-audio.c                        |    9 +-
 drivers/mfd/twl6040.c                              |   12 +-
 drivers/misc/eeprom/at24.c                         |    6 +
 drivers/mmc/host/s3cmci.c                          |    6 +-
 drivers/net/can/ti_hecc.c                          |    3 +
 drivers/net/can/usb/ems_usb.c                      |    2 +
 drivers/net/can/usb/esd_usb2.c                     |    2 +
 drivers/net/can/usb/gs_usb.c                       |    2 +-
 drivers/net/can/usb/kvaser_usb.c                   |   13 +-
 drivers/net/can/usb/usb_8dev.c                     |    2 +
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |    2 +-
 .../net/ethernet/freescale/fs_enet/fs_enet-main.c  |   16 +-
 drivers/net/ethernet/freescale/fs_enet/fs_enet.h   |    1 +
 drivers/net/ethernet/intel/e1000e/ich8lan.c        |   11 +-
 drivers/net/ethernet/intel/e1000e/mac.c            |   11 +-
 drivers/net/ethernet/intel/e1000e/netdev.c         |    2 +-
 drivers/net/ethernet/marvell/mvmdio.c              |    3 +-
 drivers/net/ethernet/marvell/mvneta.c              |    4 +
 drivers/net/ethernet/mellanox/mlx5/core/eq.c       |   17 +-
 drivers/net/ethernet/renesas/sh_eth.c              |   33 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |    6 +
 drivers/net/phy/marvell.c                          |    2 +-
 drivers/net/phy/mdio-sun4i.c                       |    6 +-
 drivers/net/ppp/pppoe.c                            |   11 +-
 drivers/net/wireless/mac80211_hwsim.c              |   14 +-
 drivers/of/fdt.c                                   |    2 +-
 drivers/parisc/lba_pci.c                           |   33 +
 drivers/pci/pci-driver.c                           |    7 +-
 drivers/scsi/scsi_lib.c                            |   10 +-
 drivers/staging/usbip/stub_dev.c                   |    3 +-
 drivers/staging/usbip/stub_main.c                  |    5 +-
 drivers/staging/usbip/stub_rx.c                    |    7 +-
 drivers/staging/usbip/stub_tx.c                    |    4 +-
 drivers/staging/usbip/usbip_common.c               |   31 +-
 drivers/staging/usbip/userspace/src/utils.c        |    9 +-
 drivers/staging/usbip/vhci_hcd.c                   |   12 +-
 drivers/staging/usbip/vhci_rx.c                    |   23 +-
 drivers/staging/usbip/vhci_tx.c                    |    3 +-
 drivers/tty/n_tty.c                                |    4 +-
 drivers/tty/serial/8250/8250_pci.c                 |    3 +
 drivers/usb/core/config.c                          |   16 +-
 drivers/usb/core/devio.c                           |   14 +-
 drivers/usb/core/hub.c                             |    9 +
 drivers/usb/core/quirks.c                          |    9 +-
 drivers/usb/gadget/composite.c                     |    7 +-
 drivers/usb/gadget/udc-core.c                      |   32 +-
 drivers/usb/host/ehci-dbg.c                        |    2 +-
 drivers/usb/host/xhci-mem.c                        |   24 +-
 drivers/usb/host/xhci-pci.c                        |    3 +
 drivers/usb/host/xhci-ring.c                       |   12 +-
 drivers/usb/misc/usb3503.c                         |    2 +
 drivers/usb/mon/mon_bin.c                          |    8 +-
 drivers/usb/musb/da8xx.c                           |   10 +-
 drivers/usb/serial/cp210x.c                        |    2 +
 drivers/usb/serial/ftdi_sio.c                      |    1 +
 drivers/usb/serial/ftdi_sio_ids.h                  |    6 +
 drivers/usb/serial/option.c                        |   20 +
 drivers/usb/storage/uas-detect.h                   |    4 +
 drivers/usb/storage/unusual_devs.h                 |    7 +
 drivers/usb/storage/unusual_uas.h                  |   14 +
 drivers/virtio/virtio.c                            |    2 +
 fs/btrfs/disk-io.c                                 |    9 +-
 fs/btrfs/extent-tree.c                             |   15 +-
 fs/btrfs/ioctl.c                                   |    2 +-
 fs/ext4/extents.c                                  |    1 +
 fs/ext4/namei.c                                    |    4 +
 fs/nfsd/auth.c                                     |    3 +
 fs/quota/dquot.c                                   |    3 +-
 include/asm-generic/dma-mapping-broken.h           |    3 -
 include/linux/blkdev.h                             |    6 +
 include/linux/cred.h                               |    1 +
 include/linux/dma-mapping.h                        |    2 -
 include/linux/fscache.h                            |    2 +-
 include/linux/mlx5/driver.h                        |    2 +-
 include/linux/phy.h                                |   21 +
 include/linux/sh_eth.h                             |    1 -
 include/linux/stddef.h                             |   15 +-
 include/linux/sysfs.h                              |    6 +
 include/linux/vfio.h                               |   13 -
 include/net/cfg80211.h                             |    2 +
 include/net/red.h                                  |   13 +-
 include/net/sctp/checksum.h                        |   13 +-
 include/net/xfrm.h                                 |    1 +
 include/scsi/libsas.h                              |    2 +-
 include/uapi/linux/usb/ch9.h                       |    2 +
 kernel/acct.c                                      |    2 +-
 kernel/debug/kdb/kdb_io.c                          |    2 +-
 kernel/futex.c                                     |    3 +
 kernel/groups.c                                    |    5 +-
 kernel/hrtimer.c                                   |    2 +
 kernel/posix-timers.c                              |   37 +-
 kernel/time/tick-sched.c                           |   19 +-
 kernel/trace/blktrace.c                            |    4 +-
 kernel/trace/ring_buffer.c                         |    6 +-
 kernel/trace/trace.c                               |    3 +
 kernel/uid16.c                                     |    1 +
 lib/asn1_decoder.c                                 |   45 +-
 lib/oid_registry.c                                 |   16 +-
 mm/mprotect.c                                      |    6 +-
 net/8021q/vlan.c                                   |    7 +-
 net/batman-adv/bat_iv_ogm.c                        |    4 +-
 net/bridge/br_netlink.c                            |    7 +-
 net/can/af_can.c                                   |   22 +-
 net/dccp/ccids/ccid2.c                             |    3 +
 net/ipv4/esp4.c                                    |    1 +
 net/ipv4/igmp.c                                    |   20 +-
 net/ipv4/raw.c                                     |  121 ++-
 net/ipv4/tcp_ipv4.c                                |    2 +-
 net/ipv4/xfrm4_input.c                             |   11 +-
 net/ipv6/esp6.c                                    |    3 +-
 net/ipv6/tcp_ipv6.c                                |    2 +-
 net/ipv6/xfrm6_input.c                             |    9 +-
 net/key/af_key.c                                   |    8 +
 net/netfilter/xt_bpf.c                             |    6 +-
 net/packet/af_packet.c                             |    5 +
 net/rds/rdma.c                                     |    2 +-
 net/sched/sch_choke.c                              |    3 +
 net/sched/sch_gred.c                               |    3 +
 net/sched/sch_red.c                                |    2 +
 net/sched/sch_sfq.c                                |    3 +
 net/sctp/socket.c                                  |   31 +-
 net/sunrpc/auth_gss/gss_rpc_xdr.c                  |    1 +
 net/sunrpc/auth_gss/svcauth_gss.c                  |    1 +
 net/sunrpc/svcauth_unix.c                          |    2 +
 net/wireless/core.c                                |    7 +-
 net/wireless/core.h                                |    2 -
 net/wireless/nl80211.c                             |   15 +-
 net/wireless/wext-compat.c                         |    3 +-
 net/xfrm/xfrm_input.c                              |   56 ++
 sound/core/oss/pcm_oss.c                           |   41 +-
 sound/core/oss/pcm_plugin.c                        |   14 +-
 sound/core/pcm.c                                   |    2 +
 sound/core/pcm_lib.c                               |    5 +-
 sound/core/rawmidi.c                               |   15 +-
 sound/core/seq/seq_clientmgr.c                     |   15 +-
 sound/core/seq/seq_timer.c                         |    2 +-
 sound/drivers/aloop.c                              |   98 +-
 sound/pci/hda/patch_cirrus.c                       |    1 +
 sound/pci/hda/patch_conexant.c                     |   29 +
 sound/soc/codecs/twl4030.c                         |    4 +-
 sound/soc/codecs/wm_adsp.c                         |   29 +-
 sound/soc/fsl/fsl_ssi.c                            |   17 +-
 sound/usb/mixer.c                                  |   26 +-
 tools/hv/hv_kvp_daemon.c                           |   70 +-
 223 files changed, 2532 insertions(+), 1264 deletions(-)

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 161/254] USB: serial: cp210x: add new device ID ELV ALC 8xxx Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 17:47   ` Adam Wallis
  2018-02-28 15:20 ` [PATCH 3.16 251/254] media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors Ben Hutchings
                   ` (126 subsequent siblings)
  254 siblings, 1 reply; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sinan Kaya, Vinod Koul, Shunyong Yang, Adam Wallis

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adam Wallis <awallis@codeaurora.org>

commit 6f6a23a213be51728502b88741ba6a10cda2441d upstream.

Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
introduced a bug (that is in fact documented by the patch commit text)
that leaves behind a dangling pointer. Since the done_wait structure is
allocated on the stack, future invocations to the DMATEST can produce
undesirable results (e.g., corrupted spinlocks).

Commit a9df21e34b42 ("dmaengine: dmatest: warn user when dma test times
out") attempted to WARN the user that the stack was likely corrupted but
did not fix the actual issue.

This patch fixes the issue by pushing the wait queue and callback
structs into the the thread structure. If a failure occurs due to time,
dmaengine_terminate_all will force the callback to safely call
wake_up_all() without possibility of using a freed pointer.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=197605
Fixes: adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
Reviewed-by: Sinan Kaya <okaya@codeaurora.org>
Suggested-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
Signed-off-by: Adam Wallis <awallis@codeaurora.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/dmatest.c | 55 +++++++++++++++++++++++++++++----------------------
 1 file changed, 31 insertions(+), 24 deletions(-)

--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -148,6 +148,12 @@ MODULE_PARM_DESC(run, "Run the test (def
 #define PATTERN_OVERWRITE	0x20
 #define PATTERN_COUNT_MASK	0x1f
 
+/* poor man's completion - we want to use wait_event_freezable() on it */
+struct dmatest_done {
+	bool			done;
+	wait_queue_head_t	*wait;
+};
+
 struct dmatest_thread {
 	struct list_head	node;
 	struct dmatest_info	*info;
@@ -156,6 +162,8 @@ struct dmatest_thread {
 	u8			**srcs;
 	u8			**dsts;
 	enum dma_transaction_type type;
+	wait_queue_head_t done_wait;
+	struct dmatest_done test_done;
 	bool			done;
 };
 
@@ -316,18 +324,25 @@ static unsigned int dmatest_verify(u8 **
 	return error_count;
 }
 
-/* poor man's completion - we want to use wait_event_freezable() on it */
-struct dmatest_done {
-	bool			done;
-	wait_queue_head_t	*wait;
-};
 
 static void dmatest_callback(void *arg)
 {
 	struct dmatest_done *done = arg;
-
-	done->done = true;
-	wake_up_all(done->wait);
+	struct dmatest_thread *thread =
+		container_of(arg, struct dmatest_thread, done_wait);
+	if (!thread->done) {
+		done->done = true;
+		wake_up_all(done->wait);
+	} else {
+		/*
+		 * If thread->done, it means that this callback occurred
+		 * after the parent thread has cleaned up. This can
+		 * happen in the case that driver doesn't implement
+		 * the terminate_all() functionality and a dma operation
+		 * did not occur within the timeout period
+		 */
+		WARN(1, "dmatest: Kernel memory may be corrupted!!\n");
+	}
 }
 
 static unsigned int min_odd(unsigned int x, unsigned int y)
@@ -398,9 +413,8 @@ static unsigned long long dmatest_KBs(s6
  */
 static int dmatest_func(void *data)
 {
-	DECLARE_WAIT_QUEUE_HEAD_ONSTACK(done_wait);
 	struct dmatest_thread	*thread = data;
-	struct dmatest_done	done = { .wait = &done_wait };
+	struct dmatest_done	*done = &thread->test_done;
 	struct dmatest_info	*info;
 	struct dmatest_params	*params;
 	struct dma_chan		*chan;
@@ -604,9 +618,9 @@ static int dmatest_func(void *data)
 			continue;
 		}
 
-		done.done = false;
+		done->done = false;
 		tx->callback = dmatest_callback;
-		tx->callback_param = &done;
+		tx->callback_param = done;
 		cookie = tx->tx_submit(tx);
 
 		if (dma_submit_error(cookie)) {
@@ -619,21 +633,12 @@ static int dmatest_func(void *data)
 		}
 		dma_async_issue_pending(chan);
 
-		wait_event_freezable_timeout(done_wait, done.done,
+		wait_event_freezable_timeout(thread->done_wait, done->done,
 					     msecs_to_jiffies(params->timeout));
 
 		status = dma_async_is_tx_complete(chan, cookie, NULL, NULL);
 
-		if (!done.done) {
-			/*
-			 * We're leaving the timed out dma operation with
-			 * dangling pointer to done_wait.  To make this
-			 * correct, we'll need to allocate wait_done for
-			 * each test iteration and perform "who's gonna
-			 * free it this time?" dancing.  For now, just
-			 * leave it dangling.
-			 */
-			WARN(1, "dmatest: Kernel stack may be corrupted!!\n");
+		if (!done->done) {
 			dmaengine_unmap_put(um);
 			result("test timed out", total_tests, src_off, dst_off,
 			       len, 0);
@@ -707,7 +712,7 @@ err_thread_type:
 		dmatest_KBs(runtime, total_len), ret);
 
 	/* terminate all transfers on specified channels */
-	if (ret)
+	if (ret || failed_tests)
 		dmaengine_terminate_all(chan);
 
 	thread->done = true;
@@ -765,6 +770,8 @@ static int dmatest_add_threads(struct dm
 		thread->info = info;
 		thread->chan = dtc->chan;
 		thread->type = type;
+		thread->test_done.wait = &thread->done_wait;
+		init_waitqueue_head(&thread->done_wait);
 		smp_wmb();
 		thread->task = kthread_create(dmatest_func, thread, "%s-%s%u",
 				dma_chan_name(chan), op, i);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 031/254] net/packet: fix a race in packet_bind() and packet_notifier()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (179 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 172/254] xfrm: Use __skb_queue_tail in xfrm_trans_queue Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 233/254] mac80211_hwsim: fix compiler warning on MIPS Ben Hutchings
                   ` (73 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot, David S. Miller, Francesco Ruggeri, Eric Dumazet

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 15fe076edea787807a7cdc168df832544b58eba6 upstream.

syzbot reported crashes [1] and provided a C repro easing bug hunting.

When/if packet_do_bind() calls __unregister_prot_hook() and releases
po->bind_lock, another thread can run packet_notifier() and process an
NETDEV_UP event.

This calls register_prot_hook() and hooks again the socket right before
first thread is able to grab again po->bind_lock.

Fixes this issue by temporarily setting po->num to 0, as suggested by
David Miller.

[1]
dev_remove_pack: ffff8801bf16fa80 not found
------------[ cut here ]------------
kernel BUG at net/core/dev.c:7945!  ( BUG_ON(!list_empty(&dev->ptype_all)); )
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
device syz0 entered promiscuous mode
CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cc57a500 task.stack: ffff8801cc588000
RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945
RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293
RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2
RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810
device syz0 entered promiscuous mode
RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8
R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0
FS:  0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106
 tun_detach drivers/net/tun.c:670 [inline]
 tun_chr_close+0x49/0x60 drivers/net/tun.c:2845
 __fput+0x333/0x7f0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ae0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 SYSC_exit_group kernel/exit.c:979 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:977
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x44ad19

Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Francesco Ruggeri <fruggeri@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2732,6 +2732,10 @@ static int packet_do_bind(struct sock *s
 	if (need_rehook) {
 		if (po->running) {
 			rcu_read_unlock();
+			/* prevents packet_notifier() from calling
+			 * register_prot_hook()
+			 */
+			po->num = 0;
 			__unregister_prot_hook(sk, true);
 			rcu_read_lock();
 			dev_curr = po->prot_hook.dev;
@@ -2740,6 +2744,7 @@ static int packet_do_bind(struct sock *s
 								 dev->ifindex);
 		}
 
+		BUG_ON(po->running);
 		po->num = proto;
 		po->prot_hook.type = proto;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 238/254] media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 006/254] iommu/vt-d: Fix scatterlist offset handling Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 209/254] sctp: use the right sk after waking up from wait_buf sleep Ben Hutchings
                   ` (136 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Hans Verkuil, Mauro Carvalho Chehab

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hverkuil@xs4all.nl>

commit 037e0865c2ecbaa4558feba239ece08d7e457ec0 upstream.

The v4l2_input32 struct wasn't updated when this field was added.
It didn't cause a failure in the compat code, but it is better to
keep it in sync with v4l2_input to avoid confusion.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -576,7 +576,8 @@ struct v4l2_input32 {
 	__u32        tuner;             /*  Associated tuner */
 	compat_u64   std;
 	__u32	     status;
-	__u32	     reserved[4];
+	__u32	     capabilities;
+	__u32	     reserved[3];
 };
 
 /* The 64-bit v4l2_input struct has extra padding at the end of the struct.

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 247/254] media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 169/254] kernel/acct.c: fix the acct->needcheck check in check_free_space() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 016/254] blktrace: fix trace mutex deadlock Ben Hutchings
                   ` (140 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit b8c601e8af2d08f733d74defa8465303391bb930 upstream.

ctrl_is_pointer just hardcoded two known string controls, but that
caused problems when using e.g. custom controls that use a pointer
for the payload.

Reimplement this function: it now finds the v4l2_ctrl (if the driver
uses the control framework) or it calls vidioc_query_ext_ctrl (if the
driver implements that directly).

In both cases it can now check if the control is a pointer control
or not.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Rebased on top of some earlier fixes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -18,6 +18,8 @@
 #include <linux/videodev2.h>
 #include <linux/v4l2-subdev.h>
 #include <media/v4l2-dev.h>
+#include <media/v4l2-fh.h>
+#include <media/v4l2-ctrls.h>
 #include <media/v4l2-ioctl.h>
 
 static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
@@ -571,24 +573,32 @@ struct v4l2_ext_control32 {
 	};
 } __attribute__ ((packed));
 
-/* The following function really belong in v4l2-common, but that causes
-   a circular dependency between modules. We need to think about this, but
-   for now this will do. */
-
-/* Return non-zero if this control is a pointer type. Currently only
-   type STRING is a pointer type. */
-static inline int ctrl_is_pointer(u32 id)
-{
-	switch (id) {
-	case V4L2_CID_RDS_TX_PS_NAME:
-	case V4L2_CID_RDS_TX_RADIO_TEXT:
-		return 1;
-	default:
-		return 0;
+/* Return true if this control is a pointer type. */
+static inline bool ctrl_is_pointer(struct file *file, u32 id)
+{
+	struct video_device *vdev = video_devdata(file);
+	struct v4l2_fh *fh = NULL;
+	struct v4l2_ctrl_handler *hdl = NULL;
+
+	if (test_bit(V4L2_FL_USES_V4L2_FH, &vdev->flags))
+		fh = file->private_data;
+
+	if (fh && fh->ctrl_handler)
+		hdl = fh->ctrl_handler;
+	else if (vdev->ctrl_handler)
+		hdl = vdev->ctrl_handler;
+
+	if (hdl) {
+		struct v4l2_ctrl *ctrl = v4l2_ctrl_find(hdl, id);
+
+		return ctrl && ctrl->type == V4L2_CTRL_TYPE_STRING;
 	}
+	return false;
 }
 
-static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
+static int get_v4l2_ext_controls32(struct file *file,
+				   struct v4l2_ext_controls *kp,
+				   struct v4l2_ext_controls32 __user *up)
 {
 	struct v4l2_ext_control32 __user *ucontrols;
 	struct v4l2_ext_control __user *kcontrols;
@@ -620,7 +630,7 @@ static int get_v4l2_ext_controls32(struc
 			return -EFAULT;
 		if (get_user(id, &kcontrols->id))
 			return -EFAULT;
-		if (ctrl_is_pointer(id)) {
+		if (ctrl_is_pointer(file, id)) {
 			void __user *s;
 
 			if (get_user(p, &ucontrols->string))
@@ -635,7 +645,9 @@ static int get_v4l2_ext_controls32(struc
 	return 0;
 }
 
-static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
+static int put_v4l2_ext_controls32(struct file *file,
+				   struct v4l2_ext_controls *kp,
+				   struct v4l2_ext_controls32 __user *up)
 {
 	struct v4l2_ext_control32 __user *ucontrols;
 	struct v4l2_ext_control __user *kcontrols =
@@ -667,7 +679,7 @@ static int put_v4l2_ext_controls32(struc
 		/* Do not modify the pointer when copying a pointer control.
 		   The contents of the pointer was changed, not the pointer
 		   itself. */
-		if (ctrl_is_pointer(id))
+		if (ctrl_is_pointer(file, id))
 			size -= sizeof(ucontrols->value64);
 		if (copy_in_user(ucontrols, kcontrols, size))
 			return -EFAULT;
@@ -881,7 +893,7 @@ static long do_video_ioctl(struct file *
 	case VIDIOC_G_EXT_CTRLS:
 	case VIDIOC_S_EXT_CTRLS:
 	case VIDIOC_TRY_EXT_CTRLS:
-		err = get_v4l2_ext_controls32(&karg.v2ecs, up);
+		err = get_v4l2_ext_controls32(file, &karg.v2ecs, up);
 		compatible_arg = 0;
 		break;
 	case VIDIOC_DQEVENT:
@@ -908,7 +920,7 @@ static long do_video_ioctl(struct file *
 	case VIDIOC_G_EXT_CTRLS:
 	case VIDIOC_S_EXT_CTRLS:
 	case VIDIOC_TRY_EXT_CTRLS:
-		if (put_v4l2_ext_controls32(&karg.v2ecs, up))
+		if (put_v4l2_ext_controls32(file, &karg.v2ecs, up))
 			err = -EFAULT;
 		break;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 177/254] ALSA: aloop: Fix racy hw constraints adjustment
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 062/254] kdb: Fix handling of kallsyms_symbol_next() return value Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 129/254] usbip: prevent leaking socket pointer address in messages Ben Hutchings
                   ` (154 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 898dfe4687f460ba337a01c11549f87269a13fa2 upstream.

The aloop driver tries to update the hw constraints of the connected
target on the cable of the opened PCM substream.  This is done by
adding the extra hw constraints rules referring to the substream
runtime->hw fields, while the other substream may update the runtime
hw of another side on the fly.

This is, however, racy and may result in the inconsistent values when
both PCM streams perform the prepare concurrently.  One of the reason
is that it overwrites the other's runtime->hw field; which is not only
racy but also broken when it's called before the open of another side
finishes.  And, since the reference to runtime->hw isn't protected,
the concurrent write may give the partial value update and become
inconsistent.

This patch is an attempt to fix and clean up:
- The prepare doesn't change the runtime->hw of other side any longer,
  but only update the cable->hw that is referred commonly.
- The extra rules refer to the loopback_pcm object instead of the
  runtime->hw.  The actual hw is deduced from cable->hw.
- The extra rules take the cable_lock to protect against the race.

Fixes: b1c73fc8e697 ("ALSA: snd-aloop: Fix hw_params restrictions and checking")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/drivers/aloop.c | 51 +++++++++++++++++++++------------------------------
 1 file changed, 21 insertions(+), 30 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -307,19 +307,6 @@ static int loopback_trigger(struct snd_p
 	return 0;
 }
 
-static void params_change_substream(struct loopback_pcm *dpcm,
-				    struct snd_pcm_runtime *runtime)
-{
-	struct snd_pcm_runtime *dst_runtime;
-
-	if (dpcm == NULL || dpcm->substream == NULL)
-		return;
-	dst_runtime = dpcm->substream->runtime;
-	if (dst_runtime == NULL)
-		return;
-	dst_runtime->hw = dpcm->cable->hw;
-}
-
 static void params_change(struct snd_pcm_substream *substream)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
@@ -331,10 +318,6 @@ static void params_change(struct snd_pcm
 	cable->hw.rate_max = runtime->rate;
 	cable->hw.channels_min = runtime->channels;
 	cable->hw.channels_max = runtime->channels;
-	params_change_substream(cable->streams[SNDRV_PCM_STREAM_PLAYBACK],
-				runtime);
-	params_change_substream(cable->streams[SNDRV_PCM_STREAM_CAPTURE],
-				runtime);
 }
 
 static int loopback_prepare(struct snd_pcm_substream *substream)
@@ -622,24 +605,29 @@ static unsigned int get_cable_index(stru
 static int rule_format(struct snd_pcm_hw_params *params,
 		       struct snd_pcm_hw_rule *rule)
 {
-
-	struct snd_pcm_hardware *hw = rule->private;
+	struct loopback_pcm *dpcm = rule->private;
+	struct loopback_cable *cable = dpcm->cable;
 	struct snd_mask m;
 
 	snd_mask_none(&m);
-	m.bits[0] = (u_int32_t)hw->formats;
-	m.bits[1] = (u_int32_t)(hw->formats >> 32);
+	mutex_lock(&dpcm->loopback->cable_lock);
+	m.bits[0] = (u_int32_t)cable->hw.formats;
+	m.bits[1] = (u_int32_t)(cable->hw.formats >> 32);
+	mutex_unlock(&dpcm->loopback->cable_lock);
 	return snd_mask_refine(hw_param_mask(params, rule->var), &m);
 }
 
 static int rule_rate(struct snd_pcm_hw_params *params,
 		     struct snd_pcm_hw_rule *rule)
 {
-	struct snd_pcm_hardware *hw = rule->private;
+	struct loopback_pcm *dpcm = rule->private;
+	struct loopback_cable *cable = dpcm->cable;
 	struct snd_interval t;
 
-        t.min = hw->rate_min;
-        t.max = hw->rate_max;
+	mutex_lock(&dpcm->loopback->cable_lock);
+	t.min = cable->hw.rate_min;
+	t.max = cable->hw.rate_max;
+	mutex_unlock(&dpcm->loopback->cable_lock);
         t.openmin = t.openmax = 0;
         t.integer = 0;
 	return snd_interval_refine(hw_param_interval(params, rule->var), &t);
@@ -648,11 +636,14 @@ static int rule_rate(struct snd_pcm_hw_p
 static int rule_channels(struct snd_pcm_hw_params *params,
 			 struct snd_pcm_hw_rule *rule)
 {
-	struct snd_pcm_hardware *hw = rule->private;
+	struct loopback_pcm *dpcm = rule->private;
+	struct loopback_cable *cable = dpcm->cable;
 	struct snd_interval t;
 
-        t.min = hw->channels_min;
-        t.max = hw->channels_max;
+	mutex_lock(&dpcm->loopback->cable_lock);
+	t.min = cable->hw.channels_min;
+	t.max = cable->hw.channels_max;
+	mutex_unlock(&dpcm->loopback->cable_lock);
         t.openmin = t.openmax = 0;
         t.integer = 0;
 	return snd_interval_refine(hw_param_interval(params, rule->var), &t);
@@ -718,19 +709,19 @@ static int loopback_open(struct snd_pcm_
 	/* are cached -> they do not reflect the actual state */
 	err = snd_pcm_hw_rule_add(runtime, 0,
 				  SNDRV_PCM_HW_PARAM_FORMAT,
-				  rule_format, &runtime->hw,
+				  rule_format, dpcm,
 				  SNDRV_PCM_HW_PARAM_FORMAT, -1);
 	if (err < 0)
 		goto unlock;
 	err = snd_pcm_hw_rule_add(runtime, 0,
 				  SNDRV_PCM_HW_PARAM_RATE,
-				  rule_rate, &runtime->hw,
+				  rule_rate, dpcm,
 				  SNDRV_PCM_HW_PARAM_RATE, -1);
 	if (err < 0)
 		goto unlock;
 	err = snd_pcm_hw_rule_add(runtime, 0,
 				  SNDRV_PCM_HW_PARAM_CHANNELS,
-				  rule_channels, &runtime->hw,
+				  rule_channels, dpcm,
 				  SNDRV_PCM_HW_PARAM_CHANNELS, -1);
 	if (err < 0)
 		goto unlock;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 173/254] ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 061/254] efi: Move some sysfs files to be read-only by root Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 145/254] tracing: Fix crash when it fails to alloc ring buffer Ben Hutchings
                   ` (198 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Gregory CLEMENT, Thomas Petazzoni, Andrew Lunn

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

commit 56aeb07c914a616ab84357d34f8414a69b140cdf upstream.

MPP7 is currently muxed as "gpio", but this function doesn't exist for
MPP7, only "gpo" is available. This causes the following error:

kirkwood-pinctrl f1010000.pin-controller: unsupported function gpio on pin mpp7
pinctrl core: failed to register map default (6): invalid type given
kirkwood-pinctrl f1010000.pin-controller: error claiming hogs: -22
kirkwood-pinctrl f1010000.pin-controller: could not claim hogs: -22
kirkwood-pinctrl f1010000.pin-controller: unable to register pinctrl driver
kirkwood-pinctrl: probe of f1010000.pin-controller failed with error -22

So the pinctrl driver is not probed, all device drivers (including the
UART driver) do a -EPROBE_DEFER, and therefore the system doesn't
really boot (well, it boots, but with no UART, and no devices that
require pin-muxing).

Back when the Device Tree file for this board was introduced, the
definition was already wrong. The pinctrl driver also always described
as "gpo" this function for MPP7. However, between Linux 4.10 and 4.11,
a hog pin failing to be muxed was turned from a simple warning to a
hard error that caused the entire pinctrl driver probe to bail
out. This is probably the result of commit 6118714275f0a ("pinctrl:
core: Fix pinctrl_register_and_init() with pinctrl_enable()").

This commit fixes the Device Tree to use the proper "gpo" function for
MPP7, which fixes the boot of OpenBlocks A7, which was broken since
Linux 4.11.

Fixes: f24b56cbcd9d ("ARM: kirkwood: add support for OpenBlocks A7 platform")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/kirkwood-openblocks_a7.dts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
+++ b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
@@ -53,7 +53,8 @@
 		};
 
 		pinctrl: pin-controller@10000 {
-			pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header>;
+			pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header
+				     &pmx_gpio_header_gpo>;
 			pinctrl-names = "default";
 
 			pmx_uart0: pmx-uart0 {
@@ -85,11 +86,16 @@
 			 * ground.
 			 */
 			pmx_gpio_header: pmx-gpio-header {
-				marvell,pins = "mpp17", "mpp7", "mpp29", "mpp28",
+				marvell,pins = "mpp17", "mpp29", "mpp28",
 					       "mpp35", "mpp34", "mpp40";
 				marvell,function = "gpio";
 			};
 
+			pmx_gpio_header_gpo: pxm-gpio-header-gpo {
+				marvell,pins = "mpp7";
+				marvell,function = "gpo";
+			};
+
 			pmx_gpio_init: pmx-init {
 				marvell,pins = "mpp38";
 				marvell,function = "gpio";

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 211/254] sctp: do not allow the v4 socket to bind a v4mapped v6 address
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 119/254] KVM: arm/arm64: Fix HYP unmapping going off limits Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 227/254] pppoe: take ->needed_headroom of lower device into account on xmit Ben Hutchings
                   ` (176 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+7b7b518b1228d2743963, Marcelo Ricardo Leitner,
	David S. Miller, Neil Horman, Xin Long

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit c5006b8aa74599ce19104b31d322d2ea9ff887cc upstream.

The check in sctp_sockaddr_af is not robust enough to forbid binding a
v4mapped v6 addr on a v4 socket.

The worse thing is that v4 socket's bind_verify would not convert this
v4mapped v6 addr to a v4 addr. syzbot even reported a crash as the v4
socket bound a v6 addr.

This patch is to fix it by doing the common sa.sa_family check first,
then AF_INET check for v4mapped v6 addrs.

Fixes: 7dab83de50c7 ("sctp: Support ipv6only AF_INET6 sockets.")
Reported-by: syzbot+7b7b518b1228d2743963@syzkaller.appspotmail.com
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -303,16 +303,14 @@ static struct sctp_af *sctp_sockaddr_af(
 	if (len < sizeof (struct sockaddr))
 		return NULL;
 
+	if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+		return NULL;
+
 	/* V4 mapped address are really of AF_INET family */
 	if (addr->sa.sa_family == AF_INET6 &&
-	    ipv6_addr_v4mapped(&addr->v6.sin6_addr)) {
-		if (!opt->pf->af_supported(AF_INET, opt))
-			return NULL;
-	} else {
-		/* Does this PF support this AF? */
-		if (!opt->pf->af_supported(addr->sa.sa_family, opt))
-			return NULL;
-	}
+	    ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+	    !opt->pf->af_supported(AF_INET, opt))
+		return NULL;
 
 	/* If we get this far, af is valid. */
 	af = sctp_get_af_specific(addr->sa.sa_family);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 041/254] can: kvaser_usb: free buf in error paths
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (175 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 112/254] KVM: X86: Fix load RFLAGS w/o the fixed bit Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 012/254] Input: elantech - add new icbody type 15 Ben Hutchings
                   ` (77 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jimmy Assarsson, Marc Kleine-Budde

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 435019b48033138581a6171093b181fc6b4d3d30 upstream.

The allocated buffer was not freed if usb_submit_urb() failed.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/kvaser_usb.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -608,6 +608,7 @@ static int kvaser_usb_simple_msg_async(s
 	if (err) {
 		netdev_err(netdev, "Error transmitting URB\n");
 		usb_unanchor_urb(urb);
+		kfree(buf);
 		usb_free_urb(urb);
 		return err;
 	}
@@ -1406,6 +1407,7 @@ static netdev_tx_t kvaser_usb_start_xmit
 		spin_unlock_irqrestore(&priv->tx_contexts_lock, flags);
 
 		usb_unanchor_urb(urb);
+		kfree(buf);
 
 		stats->tx_dropped++;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 150/254] af_key: fix buffer overread in verify_address_len()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 080/254] ASoC: wm_adsp: Fix validation of firmware and coeff lengths Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 163/254] ALSA: pcm: Add missing error checks in OSS emulation plugin builder Ben Hutchings
                   ` (36 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Biggers, Steffen Klassert, Alexander Potapenko

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 06b335cb51af018d5feeff5dd4fd53847ddb675a upstream.

If a message sent to a PF_KEY socket ended with one of the extensions
that takes a 'struct sadb_address' but there were not enough bytes
remaining in the message for the ->sa_family member of the 'struct
sockaddr' which is supposed to follow, then verify_address_len() read
past the end of the message, into uninitialized memory.  Fix it by
returning -EINVAL in this case.

This bug was found using syzkaller with KMSAN.

Reproducer:

	#include <linux/pfkeyv2.h>
	#include <sys/socket.h>
	#include <unistd.h>

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		char buf[24] = { 0 };
		struct sadb_msg *msg = (void *)buf;
		struct sadb_address *addr = (void *)(msg + 1);

		msg->sadb_msg_version = PF_KEY_V2;
		msg->sadb_msg_type = SADB_DELETE;
		msg->sadb_msg_len = 3;
		addr->sadb_address_len = 1;
		addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;

		write(sock, buf, 24);
	}

Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/key/af_key.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -397,6 +397,11 @@ static int verify_address_len(const void
 #endif
 	int len;
 
+	if (sp->sadb_address_len <
+	    DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
+			 sizeof(uint64_t)))
+		return -EINVAL;
+
 	switch (addr->sa_family) {
 	case AF_INET:
 		len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 214/254] dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 181/254] ALSA: pcm: Abort properly at pending signal in OSS read/write loops Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 076/254] 509: fix printing uninitialized stack memory when OID is empty Ben Hutchings
                   ` (159 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mike Snitzer, Joe Thornber, Dennis Yang

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dennis Yang <dennisyang@qnap.com>

commit 490ae017f54e55bde382d45ea24bddfb6d1a0aaf upstream.

For btree removal, there is a corner case that a single thread
could takes 6 locks which is more than THIN_MAX_CONCURRENT_LOCKS(5)
and leads to deadlock.

A btree removal might eventually call
rebalance_children()->rebalance3() to rebalance entries of three
neighbor child nodes when shadow_spine has already acquired two
write locks. In rebalance3(), it tries to shadow and acquire the
write locks of all three child nodes. However, shadowing a child
node requires acquiring a read lock of the original child node and
a write lock of the new block. Although the read lock will be
released after block shadowing, shadowing the third child node
in rebalance3() could still take the sixth lock.
(2 write locks for shadow_spine +
 2 write locks for the first two child nodes's shadow +
 1 write lock for the last child node's shadow +
 1 read lock for the last child node)

Signed-off-by: Dennis Yang <dennisyang@qnap.com>
Acked-by: Joe Thornber <thornber@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-thin-metadata.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -81,10 +81,14 @@
 #define SECTOR_TO_BLOCK_SHIFT 3
 
 /*
+ * For btree insert:
  *  3 for btree insert +
  *  2 for btree lookup used within space map
+ * For btree remove:
+ *  2 for shadow spine +
+ *  4 for rebalance 3 child node
  */
-#define THIN_MAX_CONCURRENT_LOCKS 5
+#define THIN_MAX_CONCURRENT_LOCKS 6
 
 /* This should be plenty */
 #define SPACE_MAP_ROOT_SIZE 128

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 216/254] i2c: core: decrease reference count of device node in i2c_unregister_device
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (223 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 193/254] USB: UDC core: fix double-free in usb_add_gadget_udc_release Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 056/254] net_sched: red: Avoid devision by zero Ben Hutchings
                   ` (29 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wolfram Sang, Lixin Wang

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lixin Wang <alan.1.wang@nokia-sbell.com>

commit e0638fa400eaccf9fa8060f67140264c4e276552 upstream.

Reference count of device node was increased in of_i2c_register_device,
but without decreasing it in i2c_unregister_device. Then the added
device node will never be released. Fix this by adding the of_node_put.

Signed-off-by: Lixin Wang <alan.1.wang@nokia-sbell.com>
Tested-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/i2c-core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -740,6 +740,10 @@ EXPORT_SYMBOL_GPL(i2c_new_device);
  */
 void i2c_unregister_device(struct i2c_client *client)
 {
+	if (client->dev.of_node) {
+		of_node_put(client->dev.of_node);
+	}
+
 	device_unregister(&client->dev);
 }
 EXPORT_SYMBOL_GPL(i2c_unregister_device);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 229/254] dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 042/254] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 004/254] KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure Ben Hutchings
                   ` (230 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexey Kodanev, David S. Miller, Eric Dumazet

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <alexey.kodanev@oracle.com>

commit dd5684ecae3bd8e44b644f50e2c12c7e57fdfef5 upstream.

ccid2_hc_tx_rto_expire() timer callback always restarts the timer
again and can run indefinitely (unless it is stopped outside), and after
commit 120e9dabaf55 ("dccp: defer ccid_hc_tx_delete() at dismantle time"),
which moved ccid_hc_tx_delete() (also includes sk_stop_timer()) from
dccp_destroy_sock() to sk_destruct(), this started to happen quite often.
The timer prevents releasing the socket, as a result, sk_destruct() won't
be called.

Found with LTP/dccp_ipsec tests running on the bonding device,
which later couldn't be unloaded after the tests were completed:

  unregister_netdevice: waiting for bond0 to become free. Usage count = 148

Fixes: 2a91aa396739 ("[DCCP] CCID2: Initial CCID2 (TCP-Like) implementation")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ccids/ccid2.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -140,6 +140,9 @@ static void ccid2_hc_tx_rto_expire(unsig
 
 	ccid2_pr_debug("RTO_EXPIRE\n");
 
+	if (sk->sk_state == DCCP_CLOSED)
+		goto out;
+
 	/* back-off timer */
 	hc->tx_rto <<= 1;
 	if (hc->tx_rto > DCCP_RTO_MAX)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 134/254] net/mlx5: Cleanup IRQs in case of unload failure
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 199/254] powerpc: Don't preempt_disable() in show_cpuinfo() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 059/254] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Ben Hutchings
                   ` (241 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Moshe Shemesh, Saeed Mahameed

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Moshe Shemesh <moshe@mellanox.com>

commit d6b2785cd55ee72e9608762650b3ef299f801b1b upstream.

When mlx5_stop_eqs fails to destroy any of the eqs it returns with an error.
In such failure flow the function will return without
releasing all EQs irqs and then pci_free_irq_vectors will fail.
Fix by only warn on destroy EQ failure and continue to release other
EQs and their irqs.

It fixes the following kernel trace:
kernel: kernel BUG at drivers/pci/msi.c:352!
...
...
kernel: Call Trace:
kernel: pci_disable_msix+0xd3/0x100
kernel: pci_free_irq_vectors+0xe/0x20
kernel: mlx5_load_one.isra.17+0x9f5/0xec0 [mlx5_core]

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
[bwh: Backported to 3.16: there's no pfault_eq]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
@@ -485,23 +485,28 @@ err1:
 	return err;
 }
 
-int mlx5_stop_eqs(struct mlx5_core_dev *dev)
+void mlx5_stop_eqs(struct mlx5_core_dev *dev)
 {
 	struct mlx5_eq_table *table = &dev->priv.eq_table;
 	int err;
 
 	err = mlx5_destroy_unmap_eq(dev, &table->pages_eq);
 	if (err)
-		return err;
+		mlx5_core_err(dev, "failed to destroy pages eq, err(%d)\n",
+			      err);
 
-	mlx5_destroy_unmap_eq(dev, &table->async_eq);
+	err = mlx5_destroy_unmap_eq(dev, &table->async_eq);
+	if (err)
+		mlx5_core_err(dev, "failed to destroy async eq, err(%d)\n",
+			      err);
 	mlx5_cmd_use_polling(dev);
 
 	err = mlx5_destroy_unmap_eq(dev, &table->cmd_eq);
-	if (err)
+	if (err) {
+		mlx5_core_err(dev, "failed to destroy command eq, err(%d)\n",
+			      err);
 		mlx5_cmd_use_events(dev);
-
-	return err;
+	}
 }
 
 int mlx5_core_eq_query(struct mlx5_core_dev *dev, struct mlx5_eq *eq,
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -759,7 +759,7 @@ int mlx5_create_map_eq(struct mlx5_core_
 		       int nent, u64 mask, const char *name, struct mlx5_uar *uar);
 int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq);
 int mlx5_start_eqs(struct mlx5_core_dev *dev);
-int mlx5_stop_eqs(struct mlx5_core_dev *dev);
+void mlx5_stop_eqs(struct mlx5_core_dev *dev);
 int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
 int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 016/254] blktrace: fix trace mutex deadlock
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 247/254] media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 179/254] x86/microcode/intel: Extend BDW late-loading with a revision check Ben Hutchings
                   ` (139 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jens Axboe

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit 2967acbb257a6a9bf912f4778b727e00972eac9b upstream.

A previous commit changed the locking around registration/cleanup,
but direct callers of blk_trace_remove() were missed. This means
that if we hit the error path in setup, we will deadlock on
attempting to re-acquire the queue trace mutex.

Fixes: 1f2cac107c59 ("blktrace: fix unlocked access to init/start-stop/teardown")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/blktrace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -562,7 +562,7 @@ static int __blk_trace_setup(struct requ
 		return ret;
 
 	if (copy_to_user(arg, &buts, sizeof(buts))) {
-		blk_trace_remove(q);
+		__blk_trace_remove(q);
 		return -EFAULT;
 	}
 	return 0;
@@ -608,7 +608,7 @@ static int compat_blk_trace_setup(struct
 		return ret;
 
 	if (copy_to_user(arg, &buts.name, ARRAY_SIZE(buts.name))) {
-		blk_trace_remove(q);
+		__blk_trace_remove(q);
 		return -EFAULT;
 	}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 030/254] sctp: force the params with right types for sctp csum apis
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 158/254] e1000e: Fix e1000_check_for_copper_link_ich8lan return value Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 106/254] mips/ptrace: Preserve previous registers for short regset write Ben Hutchings
                   ` (185 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Xin Long, David S. Miller, Marcelo Ricardo Leitner

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit af2697a0273f7665429c47d71ab26f2412af924e upstream.

Now sctp_csum_xxx doesn't really match the param types of these common
csum apis. As sctp_csum_xxx is defined in sctp/checksum.h, many sparse
errors occur when make C=2 not only with M=net/sctp but also with other
modules that include this header file.

This patch is to force them fit in csum apis with the right types.

Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sctp/checksum.h | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/include/net/sctp/checksum.h
+++ b/include/net/sctp/checksum.h
@@ -48,31 +48,32 @@ static inline __wsum sctp_csum_update(co
 	/* This uses the crypto implementation of crc32c, which is either
 	 * implemented w/ hardware support or resolves to __crc32c_le().
 	 */
-	return crc32c(sum, buff, len);
+	return (__force __wsum)crc32c((__force __u32)sum, buff, len);
 }
 
 static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2,
 				       int offset, int len)
 {
-	return __crc32c_le_combine(csum, csum2, len);
+	return (__force __wsum)__crc32c_le_combine((__force __u32)csum,
+						   (__force __u32)csum2, len);
 }
 
 static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
 					unsigned int offset)
 {
 	struct sctphdr *sh = sctp_hdr(skb);
-        __le32 ret, old = sh->checksum;
 	const struct skb_checksum_ops ops = {
 		.update  = sctp_csum_update,
 		.combine = sctp_csum_combine,
 	};
+	__le32 old = sh->checksum;
+	__wsum new;
 
 	sh->checksum = 0;
-	ret = cpu_to_le32(~__skb_checksum(skb, offset, skb->len - offset,
-					  ~(__u32)0, &ops));
+	new = ~__skb_checksum(skb, offset, skb->len - offset, ~(__wsum)0, &ops);
 	sh->checksum = old;
 
-	return ret;
+	return cpu_to_le32((__force __u32)new);
 }
 
 #endif /* __sctp_checksum_h__ */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 139/254] crypto: n2 - cure use after free
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 123/254] net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 100/254] MIPS: Respect the ISA level in FCSR handling Ben Hutchings
                   ` (189 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Jan Engelhardt, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Engelhardt <jengelh@inai.de>

commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.

queue_cache_init is first called for the Control Word Queue
(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
kmem_cache will be allocated. If the subsequent n2_register_algs call
fails, the kmem_cache will be released in queue_cache_destroy, but
queue_cache_init[0] is not set back to NULL.

So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
queue_cache_init will not allocate a kmem_cache again, but leave it
as its bogus value, causing a BUG() to trigger when queue_cache[0] is
eventually passed to kmem_cache_zalloc:

	n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
	n2_crypto: Registered NCS HVAPI version 2.0
	called queue_cache_init
	n2_crypto: md5 alg registration failed
	n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
	called queue_cache_destroy
	n2cp: probe of f028687c failed with error -22
	n2_crypto: Found NCP at /virtual-devices@100/ncp@6
	n2_crypto: Registered NCS HVAPI version 2.0
	called queue_cache_init
	kernel BUG at mm/slab.c:2993!
	Call Trace:
	 [0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
                  (inlined) kmem_cache_zalloc
                  (inlined) new_queue
                  (inlined) spu_queue_setup
                  (inlined) handle_exec_unit
	 [0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
	 [0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
	 [000000000084b174] platform_drv_probe+0x34/0xc0

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/n2_core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/crypto/n2_core.c
+++ b/drivers/crypto/n2_core.c
@@ -1644,6 +1644,7 @@ static int queue_cache_init(void)
 					  CWQ_ENTRY_SIZE, 0, NULL);
 	if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
 		kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
+		queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
 		return -ENOMEM;
 	}
 	return 0;
@@ -1653,6 +1654,8 @@ static void queue_cache_destroy(void)
 {
 	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
 	kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
+	queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
+	queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
 }
 
 static int spu_queue_register(struct spu_queue *p, unsigned long q_type)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 144/254] ring-buffer: Mask out the info bits when returning buffer page length
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 099/254] MIPS: math-emu: Define IEEE 754-2008 feature control bits Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 025/254] usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub Ben Hutchings
                   ` (123 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware)

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 45d8b80c2ac5d21cd1e2954431fb676bc2b1e099 upstream.

Two info bits were added to the "commit" part of the ring buffer data page
when returned to be consumed. This was to inform the user space readers that
events have been missed, and that the count may be stored at the end of the
page.

What wasn't handled, was the splice code that actually called a function to
return the length of the data in order to zero out the rest of the page
before sending it up to user space. These data bits were returned with the
length making the value negative, and that negative value was not checked.
It was compared to PAGE_SIZE, and only used if the size was less than
PAGE_SIZE. Luckily PAGE_SIZE is unsigned long which made the compare an
unsigned compare, meaning the negative size value did not end up causing a
large portion of memory to be randomly zeroed out.

Fixes: 66a8cb95ed040 ("ring-buffer: Add place holder recording of dropped events")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/ring_buffer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -336,6 +336,8 @@ EXPORT_SYMBOL_GPL(ring_buffer_event_data
 /* Missed count stored at end */
 #define RB_MISSED_STORED	(1 << 30)
 
+#define RB_MISSED_FLAGS		(RB_MISSED_EVENTS|RB_MISSED_STORED)
+
 struct buffer_data_page {
 	u64		 time_stamp;	/* page time stamp */
 	local_t		 commit;	/* write committed index */
@@ -387,7 +389,9 @@ static void rb_init_page(struct buffer_d
  */
 size_t ring_buffer_page_len(void *page)
 {
-	return local_read(&((struct buffer_data_page *)page)->commit)
+	struct buffer_data_page *bpage = page;
+
+	return (local_read(&bpage->commit) & ~RB_MISSED_FLAGS)
 		+ BUF_PAGE_HDR_SIZE;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 155/254] ALSA: pcm: Remove incorrect snd_BUG_ON() usages
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 015/254] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 142/254] usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 Ben Hutchings
                   ` (95 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot+6f11c7e2a1b91d466432, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit fe08f34d066f4404934a509b6806db1a4f700c86 upstream.

syzkaller triggered kernel warnings through PCM OSS emulation at
closing a stream:
  WARNING: CPU: 0 PID: 3502 at sound/core/pcm_lib.c:1635
  snd_pcm_hw_param_first+0x289/0x690 sound/core/pcm_lib.c:1635
  Call Trace:
  ....
   snd_pcm_hw_param_near.constprop.27+0x78d/0x9a0 sound/core/oss/pcm_oss.c:457
   snd_pcm_oss_change_params+0x17d3/0x3720 sound/core/oss/pcm_oss.c:969
   snd_pcm_oss_make_ready+0xaa/0x130 sound/core/oss/pcm_oss.c:1128
   snd_pcm_oss_sync+0x257/0x830 sound/core/oss/pcm_oss.c:1638
   snd_pcm_oss_release+0x20b/0x280 sound/core/oss/pcm_oss.c:2431
   __fput+0x327/0x7e0 fs/file_table.c:210
   ....

This happens while it tries to open and set up the aloop device
concurrently.  The warning above (invoked from snd_BUG_ON() macro) is
to detect the unexpected logical error where snd_pcm_hw_refine() call
shouldn't fail.  The theory is true for the case where the hw_params
config rules are static.  But for an aloop device, the hw_params rule
condition does vary dynamically depending on the connected target;
when another device is opened and changes the parameters, the device
connected in another side is also affected, and it caused the error
from snd_pcm_hw_refine().

That is, the simplest "solution" for this is to remove the incorrect
assumption of static rules, and treat such an error as a normal error
path.  As there are a couple of other places using snd_BUG_ON()
incorrectly, this patch removes these spurious snd_BUG_ON() calls.

Reported-by: syzbot+6f11c7e2a1b91d466432@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/oss/pcm_oss.c | 1 -
 sound/core/pcm_lib.c     | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -465,7 +465,6 @@ static int snd_pcm_hw_param_near(struct
 		v = snd_pcm_hw_param_last(pcm, params, var, dir);
 	else
 		v = snd_pcm_hw_param_first(pcm, params, var, dir);
-	snd_BUG_ON(v < 0);
 	return v;
 }
 
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1631,7 +1631,7 @@ int snd_pcm_hw_param_first(struct snd_pc
 		return changed;
 	if (params->rmask) {
 		int err = snd_pcm_hw_refine(pcm, params);
-		if (snd_BUG_ON(err < 0))
+		if (err < 0)
 			return err;
 	}
 	return snd_pcm_hw_param_value(params, var, dir);
@@ -1678,7 +1678,7 @@ int snd_pcm_hw_param_last(struct snd_pcm
 		return changed;
 	if (params->rmask) {
 		int err = snd_pcm_hw_refine(pcm, params);
-		if (snd_BUG_ON(err < 0))
+		if (err < 0)
 			return err;
 	}
 	return snd_pcm_hw_param_value(params, var, dir);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 166/254] phy: Add helper function to check phy interface mode
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (191 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 029/254] hv: kvp: Avoid reading past allocated blocks from KVP file Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 051/254] netfilter: xt_bpf: add overflow checks Ben Hutchings
                   ` (61 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Andrew Lunn, Florian Fainelli,
	Iyappan Subramanian

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Iyappan Subramanian <isubramanian@apm.com>

commit 32d0f7830d9be5b1652a718e050d808b4908155f upstream.

Added helper function that checks phy_mode is RGMII (all variants)
'bool phy_interface_mode_is_rgmii(phy_interface_t mode)'

Changed the following function, to use the above.
'bool phy_interface_is_rgmii(struct phy_device *phydev)'

Signed-off-by: Iyappan Subramanian <isubramanian@apm.com>
Suggested-by: Florian Fainelli <f.fainelli@gmail.com>
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/phy.h | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -630,14 +630,24 @@ static inline bool phy_is_internal(struc
 }
 
 /**
+ * phy_interface_mode_is_rgmii - Convenience function for testing if a
+ * PHY interface mode is RGMII (all variants)
+ * @mode: the phy_interface_t enum
+ */
+static inline bool phy_interface_mode_is_rgmii(phy_interface_t mode)
+{
+	return mode >= PHY_INTERFACE_MODE_RGMII &&
+		mode <= PHY_INTERFACE_MODE_RGMII_TXID;
+};
+
+/**
  * phy_interface_is_rgmii - Convenience function for testing if a PHY interface
  * is RGMII (all variants)
  * @phydev: the phy_device struct
  */
 static inline bool phy_interface_is_rgmii(struct phy_device *phydev)
 {
-	return phydev->interface >= PHY_INTERFACE_MODE_RGMII &&
-		phydev->interface <= PHY_INTERFACE_MODE_RGMII_TXID;
+	return phy_interface_mode_is_rgmii(phydev->interface);
 }
 
 /**

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 141/254] USB: serial: ftdi_sio: add id for Airbus DS P8GR
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 078/254] USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning Ben Hutchings
                   ` (102 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Max Schulze

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Schulze <max.schulze@posteo.de>

commit c6a36ad383559a60a249aa6016cebf3cb8b6c485 upstream.

Add AIRBUS_DS_P8GR device IDs to ftdi_sio driver.

Signed-off-by: Max Schulze <max.schulze@posteo.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ftdi_sio.c     | 1 +
 drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
 2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1030,6 +1030,7 @@ static const struct usb_device_id id_tab
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
 	{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
+	{ USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -914,6 +914,12 @@
 #define ICPDAS_I7563U_PID		0x0105
 
 /*
+ * Airbus Defence and Space
+ */
+#define AIRBUS_DS_VID			0x1e8e  /* Vendor ID */
+#define AIRBUS_DS_P8GR			0x6001  /* Tetra P8GR */
+
+/*
  * RT Systems programming cables for various ham radios
  */
 #define RTSYSTEMS_VID		0x2100	/* Vendor ID */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 223/254] net: igmp: Use correct source address on IGMPv3 reports
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 034/254] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 186/254] Input: twl4030-vibra - fix sibling-node lookup Ben Hutchings
                   ` (90 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andrew Lunn, Kevin Cernekee, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Cernekee <cernekee@chromium.org>

commit a46182b00290839fa3fa159d54fd3237bd8669f0 upstream.

Closing a multicast socket after the final IPv4 address is deleted
from an interface can generate a membership report that uses the
source IP from a different interface.  The following test script, run
from an isolated netns, reproduces the issue:

    #!/bin/bash

    ip link add dummy0 type dummy
    ip link add dummy1 type dummy
    ip link set dummy0 up
    ip link set dummy1 up
    ip addr add 10.1.1.1/24 dev dummy0
    ip addr add 192.168.99.99/24 dev dummy1

    tcpdump -U -i dummy0 &
    socat EXEC:"sleep 2" \
        UDP4-DATAGRAM:239.101.1.68:8889,ip-add-membership=239.0.1.68:10.1.1.1 &

    sleep 1
    ip addr del 10.1.1.1/24 dev dummy0
    sleep 5
    kill %tcpdump

RFC 3376 specifies that the report must be sent with a valid IP source
address from the destination subnet, or from address 0.0.0.0.  Add an
extra check to make sure this is the case.

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -89,6 +89,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/times.h>
 #include <linux/pkt_sched.h>
+#include <linux/byteorder/generic.h>
 
 #include <net/net_namespace.h>
 #include <net/arp.h>
@@ -323,6 +324,23 @@ igmp_scount(struct ip_mc_list *pmc, int
 	return scount;
 }
 
+/* source address selection per RFC 3376 section 4.2.13 */
+static __be32 igmpv3_get_srcaddr(struct net_device *dev,
+				 const struct flowi4 *fl4)
+{
+	struct in_device *in_dev = __in_dev_get_rcu(dev);
+
+	if (!in_dev)
+		return htonl(INADDR_ANY);
+
+	for_ifa(in_dev) {
+		if (inet_ifa_match(fl4->saddr, ifa))
+			return fl4->saddr;
+	} endfor_ifa(in_dev);
+
+	return htonl(INADDR_ANY);
+}
+
 static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
 {
 	struct sk_buff *skb;
@@ -370,7 +388,7 @@ static struct sk_buff *igmpv3_newpack(st
 	pip->frag_off = htons(IP_DF);
 	pip->ttl      = 1;
 	pip->daddr    = fl4.daddr;
-	pip->saddr    = fl4.saddr;
+	pip->saddr    = igmpv3_get_srcaddr(dev, &fl4);
 	pip->protocol = IPPROTO_IGMP;
 	pip->tot_len  = 0;	/* filled in later */
 	ip_select_ident(skb, NULL);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 224/254] net: igmp: fix source address check for IGMPv3 reports
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (199 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 017/254] hwmon: (pmbus) Use 64bit math for DIRECT format values Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 245/254] media: v4l2-compat-ioctl32.c: avoid sizeof(type) Ben Hutchings
                   ` (53 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Kevin Cernekee, Sebastian Gottschall,
	Felix Fietkau

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <nbd@nbd.name>

commit ad23b750933ea7bf962678972a286c78a8fa36aa upstream.

Commit "net: igmp: Use correct source address on IGMPv3 reports"
introduced a check to validate the source address of locally generated
IGMPv3 packets.
Instead of checking the local interface address directly, it uses
inet_ifa_match(fl4->saddr, ifa), which checks if the address is on the
local subnet (or equal to the point-to-point address if used).

This breaks for point-to-point interfaces, so check against
ifa->ifa_local directly.

Cc: Kevin Cernekee <cernekee@chromium.org>
Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Reported-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -334,7 +334,7 @@ static __be32 igmpv3_get_srcaddr(struct
 		return htonl(INADDR_ANY);
 
 	for_ifa(in_dev) {
-		if (inet_ifa_match(fl4->saddr, ifa))
+		if (fl4->saddr == ifa->ifa_local)
 			return fl4->saddr;
 	} endfor_ifa(in_dev);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 070/254] can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 095/254] MIPS: lose_fpu(): Disable FPU when MSA enabled Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 039/254] ALSA: seq: Remove spurious WARN_ON() at timer check Ben Hutchings
                   ` (143 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin Kelly, Marc Kleine-Budde

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 12147edc434c9e4c7c2f5fee2e5519b2e5ac34ce upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/usb_8dev.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -527,6 +527,8 @@ static void usb_8dev_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 126/254] USB: serial: option: adding support for YUGA CLM920-NC5
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (210 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 217/254] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 122/254] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well Ben Hutchings
                   ` (42 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Johan Hovold, SZ Lin (林上智), Taiyi Wu

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: SZ Lin (林上智)
 <sz.lin@moxa.com>

commit 3920bb713038810f25770e7545b79f204685c8f2 upstream.

This patch adds support for YUGA CLM920-NC5 PID 0x9625 USB modem to option
driver.

Interface layout:
0: QCDM/DIAG
1: ADB
2: MODEM
3: AT
4: RMNET

Signed-off-by: Taiyi Wu <taiyity.wu@moxa.com>
Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -237,6 +237,8 @@ static void option_instat_callback(struc
 /* These Quectel products use Qualcomm's vendor ID */
 #define QUECTEL_PRODUCT_UC20			0x9003
 #define QUECTEL_PRODUCT_UC15			0x9090
+/* These Yuga products use Qualcomm's vendor ID */
+#define YUGA_PRODUCT_CLM920_NC5			0x9625
 
 #define QUECTEL_VENDOR_ID			0x2c7c
 /* These Quectel products use Quectel's vendor ID */
@@ -698,6 +700,10 @@ static const struct option_blacklist_inf
 	.reserved = BIT(4) | BIT(5),
 };
 
+static const struct option_blacklist_info yuga_clm920_nc5_blacklist = {
+	.reserved = BIT(1) | BIT(4),
+};
+
 static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
@@ -1206,6 +1212,9 @@ static const struct usb_device_id option
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	/* Yuga products use Qualcomm vendor ID */
+	{ USB_DEVICE(QUALCOMM_VENDOR_ID, YUGA_PRODUCT_CLM920_NC5),
+	  .driver_info = (kernel_ulong_t)&yuga_clm920_nc5_blacklist },
 	/* Quectel products using Quectel vendor ID */
 	{ USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 124/254] ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 171/254] crypto: algapi - fix NULL dereference in crypto_remove_spawns() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 024/254] usb: hub: Cycle HUB power when initialization fails Ben Hutchings
                   ` (179 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 5a15f289ee87eaf33f13f08a4909ec99d837ec5f upstream.

The commit 89b89d121ffc ("ALSA: usb-audio: Add check return value for
usb_string()") added the check of the return value from
snd_usb_copy_string_desc(), which is correct per se, but it introduced
a regression.  In the original code, either the "Clock Source",
"Playback Source" or "Capture Source" suffix is added after the
terminal string, while the commit changed it to add the suffix only
when get_term_name() is failing.  It ended up with an incorrect ctl
name like "PCM" instead of "PCM Capture Source".

Also, even the original code has a similar bug: when the ctl name is
generated from snd_usb_copy_string_desc() for the given iSelector, it
also doesn't put the suffix.

This patch addresses these issues: the suffix is added always when no
static mapping is found.  Also the patch tries to put more comments
and cleans up the if/else block for better readability in order to
avoid the same pitfall again.

Fixes: 89b89d121ffc ("ALSA: usb-audio: Add check return value for usb_string()")
Reported-and-tested-by: Mauro Santos <registo.mailling@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2095,20 +2095,25 @@ static int parse_audio_selector_unit(str
 	kctl->private_value = (unsigned long)namelist;
 	kctl->private_free = usb_mixer_selector_elem_free;
 
-	nameid = uac_selector_unit_iSelector(desc);
+	/* check the static mapping table at first */
 	len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
-	if (len)
-		;
-	else if (nameid)
-		len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
-					 sizeof(kctl->id.name));
-	else
-		len = get_term_name(state, &state->oterm,
-				    kctl->id.name, sizeof(kctl->id.name), 0);
-
 	if (!len) {
-		strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+		/* no mapping ? */
+		/* if iSelector is given, use it */
+		nameid = uac_selector_unit_iSelector(desc);
+		if (nameid)
+			len = snd_usb_copy_string_desc(state, nameid,
+						       kctl->id.name,
+						       sizeof(kctl->id.name));
+		/* ... or pick up the terminal name at next */
+		if (!len)
+			len = get_term_name(state, &state->oterm,
+				    kctl->id.name, sizeof(kctl->id.name), 0);
+		/* ... or use the fixed string "USB" as the last resort */
+		if (!len)
+			strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
 
+		/* and add the proper suffix */
 		if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
 			append_ctl_name(kctl, " Clock Source");
 		else if ((state->oterm.type & 0xff00) == 0x0100)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 122/254] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (211 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 126/254] USB: serial: option: adding support for YUGA CLM920-NC5 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 137/254] n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) Ben Hutchings
                   ` (41 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Zhao Qiang

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zhao Qiang <qiang.zhao@nxp.com>

commit c505873eaece2b4aefd07d339dc7e1400e0235ac upstream.

88E1145 also need this autoneg errata.

Fixes: f2899788353c ("net: phy: marvell: Limit errata to 88m1101")
Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/phy/marvell.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/phy/marvell.c
+++ b/drivers/net/phy/marvell.c
@@ -988,7 +988,7 @@ static struct phy_driver marvell_drivers
 		.features = PHY_GBIT_FEATURES,
 		.flags = PHY_HAS_INTERRUPT,
 		.config_init = &m88e1145_config_init,
-		.config_aneg = &marvell_config_aneg,
+		.config_aneg = &m88e1101_config_aneg,
 		.read_status = &genphy_read_status,
 		.ack_interrupt = &marvell_ack_interrupt,
 		.config_intr = &marvell_config_intr,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 050/254] ALSA: usb-audio: Add check return value for usb_string()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (242 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 055/254] s390: always save and restore all registers on context switch Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 027/254] serial: 8250_pci: Add Amazon PCI serial device ID Ben Hutchings
                   ` (10 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jaejoong Kim, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.

snd_usb_copy_string_desc() returns zero if usb_string() fails.
In case of failure, we need to check the snd_usb_copy_string_desc()'s
return value and add an exception case

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2100,13 +2100,14 @@ static int parse_audio_selector_unit(str
 	if (len)
 		;
 	else if (nameid)
-		snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+		len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
 					 sizeof(kctl->id.name));
-	else {
+	else
 		len = get_term_name(state, &state->oterm,
 				    kctl->id.name, sizeof(kctl->id.name), 0);
-		if (!len)
-			strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
+	if (!len) {
+		strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
 
 		if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
 			append_ctl_name(kctl, " Clock Source");

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 009/254] scsi: use dma_get_cache_alignment() as minimum DMA alignment
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (244 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 027/254] serial: 8250_pci: Add Amazon PCI serial device ID Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 228/254] x86/microcode/intel: Extend BDW late-loading further with LLC size check Ben Hutchings
                   ` (8 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Huacai Chen, Christoph Hellwig

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.

In non-coherent DMA mode, kernel uses cache flushing operations to
maintain I/O coherency, so scsi's block queue should be aligned to the
value returned by dma_get_cache_alignment().  Otherwise, If a DMA buffer
and a kernel structure share a same cache line, and if the kernel
structure has dirty data, cache_invalidate (no writeback) will cause
data corruption.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
[hch: rebased and updated the comment and changelog]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_lib.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1671,11 +1671,13 @@ struct request_queue *__scsi_alloc_queue
 		q->limits.cluster = 0;
 
 	/*
-	 * set a reasonable default alignment on word boundaries: the
-	 * host and device may alter it using
-	 * blk_queue_update_dma_alignment() later.
+	 * Set a reasonable default alignment:  The larger of 32-byte (dword),
+	 * which is a common minimum for HBAs, and the minimum DMA alignment,
+	 * which is set by the platform.
+	 *
+	 * Devices that require a bigger alignment can increase it later.
 	 */
-	blk_queue_dma_alignment(q, 0x03);
+	blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
 
 	return q;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 213/254] KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 254/254] rds: Fix NULL pointer dereference in __rds_rdma_map Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 175/254] ALSA: aloop: Release cable upon open error path Ben Hutchings
                   ` (86 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tianyu Lan, Radim Krčmář,
	Paolo Bonzini, Jeremi Piotrowski, Tianyu Lan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tianyu Lan <lantianyu1986@gmail.com>

commit 37b95951c58fdf08dc10afa9d02066ed9f176fb5 upstream.

kvm_valid_sregs() should use X86_CR0_PG and X86_CR4_PAE to check bit
status rather than X86_CR0_PG_BIT and X86_CR4_PAE_BIT. This patch is
to fix it.

Fixes: f29810335965a(KVM/x86: Check input paging mode when cs.l is set)
Reported-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6581,13 +6581,13 @@ EXPORT_SYMBOL_GPL(kvm_task_switch);
 
 int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
 {
-	if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG_BIT)) {
+	if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG)) {
 		/*
 		 * When EFER.LME and CR0.PG are set, the processor is in
 		 * 64-bit mode (though maybe in a 32-bit code segment).
 		 * CR4.PAE and EFER.LMA must be set.
 		 */
-		if (!(sregs->cr4 & X86_CR4_PAE_BIT)
+		if (!(sregs->cr4 & X86_CR4_PAE)
 		    || !(sregs->efer & EFER_LMA))
 			return -EINVAL;
 	} else {

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 185/254] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 200/254] 8021q: fix a memory leak for VLAN 0 device Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 215/254] dm btree: fix serious bug in btree_split_beneath() Ben Hutchings
                   ` (221 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marek Belisko, Dmitry Torokhov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Belisko <marek@goldelico.com>

commit e661d0a04462dd98667f8947141bd8defab5b34a upstream.

Fix following:
[    8.862274] ERROR: Bad of_node_put() on /ocp/i2c@48070000/twl@48/audio
[    8.869293] CPU: 0 PID: 1003 Comm: modprobe Not tainted 4.2.0-rc2-letux+ #1175
[    8.876922] Hardware name: Generic OMAP36xx (Flattened Device Tree)
[    8.883514] [<c00159e0>] (unwind_backtrace) from [<c0012488>] (show_stack+0x10/0x14)
[    8.891693] [<c0012488>] (show_stack) from [<c05cb810>] (dump_stack+0x78/0x94)
[    8.899322] [<c05cb810>] (dump_stack) from [<c02cfd5c>] (kobject_release+0x68/0x7c)
[    8.907409] [<c02cfd5c>] (kobject_release) from [<bf0040c4>] (twl4030_vibra_probe+0x74/0x188 [twl4030_vibra])
[    8.917877] [<bf0040c4>] (twl4030_vibra_probe [twl4030_vibra]) from [<c03816ac>] (platform_drv_probe+0x48/0x90)
[    8.928497] [<c03816ac>] (platform_drv_probe) from [<c037feb4>] (really_probe+0xd4/0x238)
[    8.937103] [<c037feb4>] (really_probe) from [<c0380160>] (driver_probe_device+0x30/0x48)
[    8.945678] [<c0380160>] (driver_probe_device) from [<c03801e0>] (__driver_attach+0x68/0x8c)
[    8.954589] [<c03801e0>] (__driver_attach) from [<c037ea60>] (bus_for_each_dev+0x50/0x84)
[    8.963226] [<c037ea60>] (bus_for_each_dev) from [<c037f828>] (bus_add_driver+0xcc/0x1e4)
[    8.971832] [<c037f828>] (bus_add_driver) from [<c0380b60>] (driver_register+0x9c/0xe0)
[    8.980255] [<c0380b60>] (driver_register) from [<c00097e0>] (do_one_initcall+0x100/0x1b8)
[    8.988983] [<c00097e0>] (do_one_initcall) from [<c00b8008>] (do_init_module+0x58/0x1c0)
[    8.997497] [<c00b8008>] (do_init_module) from [<c00b8cac>] (SyS_init_module+0x54/0x64)
[    9.005950] [<c00b8cac>] (SyS_init_module) from [<c000ed20>] (ret_fast_syscall+0x0/0x54)
[    9.015838] input: twl4030:vibrator as /devices/platform/68000000.ocp/48070000.i2c/i2c-0/0-0048/48070000.i2c:twl@48:audio/input/input2

node passed to of_find_node_by_name is put inside that function and new node
is returned if found. Free returned node not already freed node.

Signed-off-by: Marek Belisko <marek@goldelico.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/twl4030-vibra.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/input/misc/twl4030-vibra.c
+++ b/drivers/input/misc/twl4030-vibra.c
@@ -185,7 +185,8 @@ static bool twl4030_vibra_check_coexist(
 	if (pdata && pdata->coexist)
 		return true;
 
-	if (of_find_node_by_name(node, "codec")) {
+	node = of_find_node_by_name(node, "codec");
+	if (node) {
 		of_node_put(node);
 		return true;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 020/254] usb: gadget: don't dereference g until after it has been null checked
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 025/254] usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 148/254] include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header Ben Hutchings
                   ` (121 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Colin Ian King

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit b2fc059fa549fe6881d4c1f8d698b0f50bcd16ec upstream.

Avoid dereferencing pointer g until after g has been sanity null checked;
move the assignment of cdev much later when it is required into a more
local scope.

Detected by CoverityScan, CID#1222135 ("Dereference before null check")

Fixes: b785ea7ce662 ("usb: gadget: composite: fix ep->maxburst initialization")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/composite.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -103,7 +103,6 @@ int config_ep_by_speed(struct usb_gadget
 			struct usb_function *f,
 			struct usb_ep *_ep)
 {
-	struct usb_composite_dev	*cdev = get_gadget_data(g);
 	struct usb_endpoint_descriptor *chosen_desc = NULL;
 	struct usb_descriptor_header **speed_desc = NULL;
 
@@ -175,8 +174,12 @@ ep_found:
 			_ep->maxburst = comp_desc->bMaxBurst + 1;
 			break;
 		default:
-			if (comp_desc->bMaxBurst != 0)
+			if (comp_desc->bMaxBurst != 0) {
+				struct usb_composite_dev *cdev;
+
+				cdev = get_gadget_data(g);
 				ERROR(cdev, "ep0 bMaxBurst must be 0\n");
+			}
 			_ep->maxburst = 1;
 			break;
 		}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 143/254] sctp: Replace use of sockets_allocated with specified macro.
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 235/254] [media] v4l2-compat-ioctl32: fix sparse warnings Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 151/254] af_key: fix buffer overread in parse_exthdrs() Ben Hutchings
                   ` (194 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Glauber Costa, Tonghao Zhang, Tonghao Zhang, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tonghao Zhang <xiangxia.m.yue@gmail.com>

commit 8cb38a602478e9f806571f6920b0a3298aabf042 upstream.

The patch(180d8cd942ce) replaces all uses of struct sock fields'
memory_pressure, memory_allocated, sockets_allocated, and sysctl_mem
to accessor macros. But the sockets_allocated field of sctp sock is
not replaced at all. Then replace it now for unifying the code.

Fixes: 180d8cd942ce ("foundations of per-cgroup memory pressure controlling.")
Cc: Glauber Costa <glommer@parallels.com>
Signed-off-by: Tonghao Zhang <zhangtonghao@didichuxing.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4021,7 +4021,7 @@ static int sctp_init_sock(struct sock *s
 	SCTP_DBG_OBJCNT_INC(sock);
 
 	local_bh_disable();
-	percpu_counter_inc(&sctp_sockets_allocated);
+	sk_sockets_allocated_inc(sk);
 	sock_prot_inuse_add(net, sk->sk_prot, 1);
 
 	/* Nothing can fail after this block, otherwise
@@ -4065,7 +4065,7 @@ static void sctp_destroy_sock(struct soc
 	}
 	sctp_endpoint_free(sp->ep);
 	local_bh_disable();
-	percpu_counter_dec(&sctp_sockets_allocated);
+	sk_sockets_allocated_dec(sk);
 	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
 	local_bh_enable();
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 179/254] x86/microcode/intel: Extend BDW late-loading with a revision check
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 016/254] blktrace: fix trace mutex deadlock Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 006/254] iommu/vt-d: Fix scatterlist offset handling Ben Hutchings
                   ` (138 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tony Luck, Jia Zhang, Thomas Gleixner, Borislav Petkov, x86-ml

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia Zhang <qianyue.zj@alibaba-inc.com>

commit b94b7373317164402ff7728d10f7023127a02b60 upstream.

Instead of blacklisting all model 79 CPUs when attempting a late
microcode loading, limit that only to CPUs with microcode revisions <
0x0b000021 because only on those late loading may cause a system hang.

For such processors either:

a) a BIOS update which might contain a newer microcode revision

or

b) the early microcode loading method

should be considered.

Processors with revisions 0x0b000021 or higher will not experience such
hangs.

For more details, see erratum BDF90 in document #334165 (Intel Xeon
Processor E7-8800/4800 v4 Product Family Specification Update) from
September 2017.

[ bp: Heavily massage commit message and pr_* statements. ]

Fixes: 723f2828a98c ("x86/microcode/intel: Disable late loading on model 79")
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Tony Luck <tony.luck@intel.com>
Cc: x86-ml <x86@kernel.org>
Link: http://lkml.kernel.org/r/1514772287-92959-1-git-send-email-qianyue.zj@alibaba-inc.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/microcode/intel.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -271,8 +271,17 @@ static bool is_blacklisted(unsigned int
 {
 	struct cpuinfo_x86 *c = &cpu_data(cpu);
 
-	if (c->x86 == 6 && c->x86_model == 0x4F) {
-		pr_err_once("late loading on model 79 is disabled.\n");
+	/*
+	 * Late loading on model 79 with microcode revision less than 0x0b000021
+	 * may result in a system hang. This behavior is documented in item
+	 * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
+	 */
+	if (c->x86 == 6 &&
+	    c->x86_model == 0x4F &&
+	    c->x86_mask == 0x01 &&
+	    c->microcode < 0x0b000021) {
+		pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
+		pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
 		return true;
 	}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 088/254] net: ipv4: fix for a race condition in raw_sendmsg
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 246/254] media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 036/254] mfd: cros ec: spi: Don't send first message too soon Ben Hutchings
                   ` (168 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mohamed Ghannam, David S. Miller, Eric Dumazet

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mohamed Ghannam <simo.ghannam@gmail.com>

commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 upstream.

inet->hdrincl is racy, and could lead to uninitialized stack pointer
usage, so its value should be read only once.

Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/raw.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -490,11 +490,16 @@ static int raw_sendmsg(struct kiocb *ioc
 	int err;
 	struct ip_options_data opt_copy;
 	struct raw_frag_vec rfv;
+	int hdrincl;
 
 	err = -EMSGSIZE;
 	if (len > 0xFFFF)
 		goto out;
 
+	/* hdrincl should be READ_ONCE(inet->hdrincl)
+	 * but READ_ONCE() doesn't work with bit fields
+	 */
+	hdrincl = inet->hdrincl;
 	/*
 	 *	Check the flags.
 	 */
@@ -569,7 +574,7 @@ static int raw_sendmsg(struct kiocb *ioc
 		/* Linux does not mangle headers on raw sockets,
 		 * so that IP options + IP_HDRINCL is non-sense.
 		 */
-		if (inet->hdrincl)
+		if (hdrincl)
 			goto done;
 		if (ipc.opt->opt.srr) {
 			if (!daddr)
@@ -591,12 +596,12 @@ static int raw_sendmsg(struct kiocb *ioc
 
 	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
 			   RT_SCOPE_UNIVERSE,
-			   inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+			   hdrincl ? IPPROTO_RAW : sk->sk_protocol,
 			   inet_sk_flowi_flags(sk) |
-			    (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+			    (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
 			   daddr, saddr, 0, 0);
 
-	if (!inet->hdrincl) {
+	if (!hdrincl) {
 		rfv.iov = msg->msg_iov;
 		rfv.hlen = 0;
 
@@ -621,7 +626,7 @@ static int raw_sendmsg(struct kiocb *ioc
 		goto do_confirm;
 back_from_confirm:
 
-	if (inet->hdrincl)
+	if (hdrincl)
 		err = raw_send_hdrinc(sk, &fl4, msg->msg_iov, len,
 				      &rt, msg->msg_flags);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 105/254] MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (205 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 060/254] arm64: fpsimd: Prevent registers leaking from dead tasks Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 092/254] MIPS: clear MSACSR cause bits when handling MSA FP exception Ben Hutchings
                   ` (47 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Ralf Baechle, Maciej W. Rozycki, linux-mips,
	James Hogan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit 5a1aca4469fdccd5b74ba0b4e490173b2b447895 upstream.

Sanitize FCSR Cause bit handling, following a trail of past attempts:

* commit 4249548454f7 ("MIPS: ptrace: Fix FP context restoration FCSR
regression"),

* commit 443c44032a54 ("MIPS: Always clear FCSR cause bits after
emulation"),

* commit 64bedffe4968 ("MIPS: Clear [MSA]FPE CSR.Cause after
notify_die()"),

* commit b1442d39fac2 ("MIPS: Prevent user from setting FCSR cause
bits"),

* commit b54d2901517d ("Properly handle branch delay slots in connection
with signals.").

Specifically do not mask these bits out in ptrace(2) processing and send
a SIGFPE signal instead whenever a matching pair of an FCSR Cause and
Enable bit is seen as execution of an affected context is about to
resume.  Only then clear Cause bits, and even then do not clear any bits
that are set but masked with the respective Enable bits.  Adjust Cause
bit clearing throughout code likewise, except within the FPU emulator
proper where they are set according to IEEE 754 exceptions raised as the
operation emulated executed.  Do so so that any IEEE 754 exceptions
subject to their default handling are recorded like with operations
executed by FPU hardware.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14460/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16:
 - Drop changes in mips-r2-to-r6-emul and simulate_fp()
 - Add #include <asm/fpu.h> in <asm/switch_to.h>
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/include/asm/fpu_emulator.h
+++ b/arch/mips/include/asm/fpu_emulator.h
@@ -65,6 +65,8 @@ extern int do_dsemulret(struct pt_regs *
 extern int fpu_emulator_cop1Handler(struct pt_regs *xcp,
 				    struct mips_fpu_struct *ctx, int has_fpu,
 				    void *__user *fault_addr);
+void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr,
+		     struct task_struct *tsk);
 int process_fpemu_return(int sig, void __user *fault_addr,
 			 unsigned long fcr31);
 int mm_isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
@@ -91,4 +93,15 @@ static inline void fpu_emulator_init_fpu
 		set_fpr64(&t->thread.fpu.fpr[i], 0, SIGNALLING_NAN);
 }
 
+/*
+ * Mask the FCSR Cause bits according to the Enable bits, observing
+ * that Unimplemented is always enabled.
+ */
+static inline unsigned long mask_fcr31_x(unsigned long fcr31)
+{
+	return fcr31 & (FPU_CSR_UNI_X |
+			((fcr31 & FPU_CSR_ALL_E) <<
+			 (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E))));
+}
+
 #endif /* _ASM_FPU_EMULATOR_H */
--- a/arch/mips/include/asm/switch_to.h
+++ b/arch/mips/include/asm/switch_to.h
@@ -17,6 +17,7 @@
 #include <asm/dsp.h>
 #include <asm/cop2.h>
 #include <asm/msa.h>
+#include <asm/fpu.h>
 
 struct task_struct;
 
@@ -80,11 +81,29 @@ do {									\
 		ll_bit = 0;						\
 } while (0)
 
+/*
+ * Check FCSR for any unmasked exceptions pending set with `ptrace',
+ * clear them and send a signal.
+ */
+#define __sanitize_fcr31(next)						\
+do {									\
+	unsigned long fcr31 = mask_fcr31_x(next->thread.fpu.fcr31);	\
+	void __user *pc;						\
+									\
+	if (unlikely(fcr31)) {						\
+		pc = (void __user *)task_pt_regs(next)->cp0_epc;	\
+		next->thread.fpu.fcr31 &= ~fcr31;			\
+		force_fcr31_sig(fcr31, pc, next);			\
+	}								\
+} while (0)
+
 #define switch_to(prev, next, last)					\
 do {									\
 	u32 __c0_stat;							\
 	s32 __fpsave = FP_SAVE_NONE;					\
 	__mips_mt_fpaff_switch_to(prev);				\
+	if (tsk_used_math(next))					\
+		__sanitize_fcr31(next);					\
 	if (cpu_has_dsp)						\
 		__save_dsp(prev);					\
 	if (cop2_present && (KSTK_STATUS(prev) & ST0_CU2)) {		\
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -79,16 +79,15 @@ void ptrace_disable(struct task_struct *
 }
 
 /*
- * Poke at FCSR according to its mask.  Don't set the cause bits as
- * this is currently not handled correctly in FP context restoration
- * and will cause an oops if a corresponding enable bit is set.
+ * Poke at FCSR according to its mask.  Set the Cause bits even
+ * if a corresponding Enable bit is set.  This will be noticed at
+ * the time the thread is switched to and SIGFPE thrown accordingly.
  */
 static void ptrace_setfcr31(struct task_struct *child, u32 value)
 {
 	u32 fcr31;
 	u32 mask;
 
-	value &= ~FPU_CSR_ALL_X;
 	fcr31 = child->thread.fpu.fcr31;
 	mask = boot_cpu_data.fpu_msk31;
 	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -707,6 +707,32 @@ asmlinkage void do_ov(struct pt_regs *re
 	exception_exit(prev_state);
 }
 
+/*
+ * Send SIGFPE according to FCSR Cause bits, which must have already
+ * been masked against Enable bits.  This is impotant as Inexact can
+ * happen together with Overflow or Underflow, and `ptrace' can set
+ * any bits.
+ */
+void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr,
+		     struct task_struct *tsk)
+{
+	struct siginfo si = { .si_addr = fault_addr, .si_signo = SIGFPE };
+
+	if (fcr31 & FPU_CSR_INV_X)
+		si.si_code = FPE_FLTINV;
+	else if (fcr31 & FPU_CSR_DIV_X)
+		si.si_code = FPE_FLTDIV;
+	else if (fcr31 & FPU_CSR_OVF_X)
+		si.si_code = FPE_FLTOVF;
+	else if (fcr31 & FPU_CSR_UDF_X)
+		si.si_code = FPE_FLTUND;
+	else if (fcr31 & FPU_CSR_INE_X)
+		si.si_code = FPE_FLTRES;
+	else
+		si.si_code = __SI_FAULT;
+	force_sig_info(SIGFPE, &si, tsk);
+}
+
 int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31)
 {
 	struct siginfo si = { 0 };
@@ -716,27 +742,7 @@ int process_fpemu_return(int sig, void _
 		return 0;
 
 	case SIGFPE:
-		si.si_addr = fault_addr;
-		si.si_signo = sig;
-		/*
-		 * Inexact can happen together with Overflow or Underflow.
-		 * Respect the mask to deliver the correct exception.
-		 */
-		fcr31 &= (fcr31 & FPU_CSR_ALL_E) <<
-			 (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E));
-		if (fcr31 & FPU_CSR_INV_X)
-			si.si_code = FPE_FLTINV;
-		else if (fcr31 & FPU_CSR_DIV_X)
-			si.si_code = FPE_FLTDIV;
-		else if (fcr31 & FPU_CSR_OVF_X)
-			si.si_code = FPE_FLTOVF;
-		else if (fcr31 & FPU_CSR_UDF_X)
-			si.si_code = FPE_FLTUND;
-		else if (fcr31 & FPU_CSR_INE_X)
-			si.si_code = FPE_FLTRES;
-		else
-			si.si_code = __SI_FAULT;
-		force_sig_info(sig, &si, current);
+		force_fcr31_sig(fcr31, fault_addr, current);
 		return 1;
 
 	case SIGBUS:
@@ -779,7 +785,7 @@ asmlinkage void do_fpe(struct pt_regs *r
 		goto out;
 
 	/* Clear FCSR.Cause before enabling interrupts */
-	write_32bit_cp1_register(CP1_STATUS, fcr31 & ~FPU_CSR_ALL_X);
+	write_32bit_cp1_register(CP1_STATUS, fcr31 & ~mask_fcr31_x(fcr31));
 	local_irq_enable();
 
 	die_if_kernel("FP exception in kernel code", regs);
@@ -801,13 +807,13 @@ asmlinkage void do_fpe(struct pt_regs *r
 		/* Run the emulator */
 		sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 1,
 					       &fault_addr);
-		fcr31 = current->thread.fpu.fcr31;
 
 		/*
-		 * We can't allow the emulated instruction to leave any of
-		 * the cause bits set in $fcr31.
+		 * We can't allow the emulated instruction to leave any
+		 * enabled Cause bits set in $fcr31.
 		 */
-		current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+		fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
+		current->thread.fpu.fcr31 &= ~fcr31;
 
 		/* Restore the hardware register state */
 		own_fpu(1);	/* Using the FPU again.	 */
@@ -1302,13 +1308,13 @@ asmlinkage void do_cpu(struct pt_regs *r
 
 		sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 0,
 					       &fault_addr);
-		fcr31 = current->thread.fpu.fcr31;
 
 		/*
 		 * We can't allow the emulated instruction to leave
-		 * any of the cause bits set in $fcr31.
+		 * any enabled Cause bits set in $fcr31.
 		 */
-		current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+		fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
+		current->thread.fpu.fcr31 &= ~fcr31;
 
 		/* Send a signal if required.  */
 		if (!process_fpemu_return(sig, fault_addr, fcr31) && !err)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 123/254] net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 221/254] cfg80211: fix station info handling bugs Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 139/254] crypto: n2 - cure use after free Ben Hutchings
                   ` (190 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nikolay Aleksandrov, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 84aeb437ab98a2bce3d4b2111c79723aedfceb33 upstream.

The early call to br_stp_change_bridge_id in bridge's newlink can cause
a memory leak if an error occurs during the newlink because the fdb
entries are not cleaned up if a different lladdr was specified, also
another minor issue is that it generates fdb notifications with
ifindex = 0. Another unrelated memory leak is the bridge sysfs entries
which get added on NETDEV_REGISTER event, but are not cleaned up in the
newlink error path. To remove this special case the call to
br_stp_change_bridge_id is done after netdev register and we cleanup the
bridge on changelink error via br_dev_delete to plug all leaks.

This patch makes netlink bridge destruction on newlink error the same as
dellink and ioctl del which is necessary since at that point we have a
fully initialized bridge device.

To reproduce the issue:
$ ip l add br0 address 00:11:22:33:44:55 type bridge group_fwd_mask 1
RTNETLINK answers: Invalid argument

$ rmmod bridge
[ 1822.142525] =============================================================================
[ 1822.143640] BUG bridge_fdb_cache (Tainted: G           O    ): Objects remaining in bridge_fdb_cache on __kmem_cache_shutdown()
[ 1822.144821] -----------------------------------------------------------------------------

[ 1822.145990] Disabling lock debugging due to kernel taint
[ 1822.146732] INFO: Slab 0x0000000092a844b2 objects=32 used=2 fp=0x00000000fef011b0 flags=0x1ffff8000000100
[ 1822.147700] CPU: 2 PID: 13584 Comm: rmmod Tainted: G    B      O     4.15.0-rc2+ #87
[ 1822.148578] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1822.150008] Call Trace:
[ 1822.150510]  dump_stack+0x78/0xa9
[ 1822.151156]  slab_err+0xb1/0xd3
[ 1822.151834]  ? __kmalloc+0x1bb/0x1ce
[ 1822.152546]  __kmem_cache_shutdown+0x151/0x28b
[ 1822.153395]  shutdown_cache+0x13/0x144
[ 1822.154126]  kmem_cache_destroy+0x1c0/0x1fb
[ 1822.154669]  SyS_delete_module+0x194/0x244
[ 1822.155199]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 1822.155773]  entry_SYSCALL_64_fastpath+0x23/0x9a
[ 1822.156343] RIP: 0033:0x7f929bd38b17
[ 1822.156859] RSP: 002b:00007ffd160e9a98 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
[ 1822.157728] RAX: ffffffffffffffda RBX: 00005578316ba090 RCX: 00007f929bd38b17
[ 1822.158422] RDX: 00007f929bd9ec60 RSI: 0000000000000800 RDI: 00005578316ba0f0
[ 1822.159114] RBP: 0000000000000003 R08: 00007f929bff5f20 R09: 00007ffd160e8a11
[ 1822.159808] R10: 00007ffd160e9860 R11: 0000000000000202 R12: 00007ffd160e8a80
[ 1822.160513] R13: 0000000000000000 R14: 0000000000000000 R15: 00005578316ba090
[ 1822.161278] INFO: Object 0x000000007645de29 @offset=0
[ 1822.161666] INFO: Object 0x00000000d5df2ab5 @offset=128

Fixes: 30313a3d5794 ("bridge: Handle IFLA_ADDRESS correctly when creating bridge device")
Fixes: 5b8d5429daa0 ("bridge: netlink: register netdevice before executing changelink")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: register_netdevice() was the last thing done in
 br_dev_newlink(), so no extra cleanup is needed]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -452,6 +452,11 @@ static int br_dev_newlink(struct net *sr
 			  struct nlattr *tb[], struct nlattr *data[])
 {
 	struct net_bridge *br = netdev_priv(dev);
+	int err;
+
+	err = register_netdevice(dev);
+	if (err)
+		return err;
 
 	if (tb[IFLA_ADDRESS]) {
 		spin_lock_bh(&br->lock);
@@ -459,7 +464,7 @@ static int br_dev_newlink(struct net *sr
 		spin_unlock_bh(&br->lock);
 	}
 
-	return register_netdevice(dev);
+	return 0;
 }
 
 static size_t br_get_link_af_size(const struct net_device *dev)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 154/254] fscache: Fix the default for fscache_maybe_release_page()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 156/254] IB/ipoib: Fix race condition in neigh creation Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 011/254] bcache: recover data from backing when data is clean Ben Hutchings
                   ` (112 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marc Dionne, Al Viro, David Howells, Jeff Layton

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 98801506552593c9b8ac11021b0cdad12cab4f6b upstream.

Fix the default for fscache_maybe_release_page() for when the cookie isn't
valid or the page isn't cached.  It mustn't return false as that indicates
the page cannot yet be freed.

The problem with the default is that if, say, there's no cache, but a
network filesystem's pages are using up almost all the available memory, a
system can OOM because the filesystem ->releasepage() op will not allow
them to be released as fscache_maybe_release_page() incorrectly prevents
it.

This can be tested by writing a sequence of 512MiB files to an AFS mount.
It does not affect NFS or CIFS because both of those wrap the call in a
check of PG_fscache and it shouldn't bother Ceph as that only has
PG_private set whilst writeback is in progress.  This might be an issue for
9P, however.

Note that the pages aren't entirely stuck.  Removing a file or unmounting
will clear things because that uses ->invalidatepage() instead.

Fixes: 201a15428bd5 ("FS-Cache: Handle pages pending storage that get evicted under OOM conditions")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/fscache.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/fscache.h
+++ b/include/linux/fscache.h
@@ -764,7 +764,7 @@ bool fscache_maybe_release_page(struct f
 {
 	if (fscache_cookie_valid(cookie) && PageFsCache(page))
 		return __fscache_maybe_release_page(cookie, page, gfp);
-	return false;
+	return true;
 }
 
 /**

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 230/254] hrtimer: Reset hrtimer cpu base proper on CPU hotplug
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (193 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 051/254] netfilter: xt_bpf: add overflow checks Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 001/254] ALSA: seq: Fix regression by incorrect ioctl_mutex usages Ben Hutchings
                   ` (59 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Sebastian Sewior, Paul E. McKenney,
	Peter Zijlstra, Anna-Maria Gleixner

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit d5421ea43d30701e03cadc56a38854c36a8b4433 upstream.

The hrtimer interrupt code contains a hang detection and mitigation
mechanism, which prevents that a long delayed hrtimer interrupt causes a
continous retriggering of interrupts which prevent the system from making
progress. If a hang is detected then the timer hardware is programmed with
a certain delay into the future and a flag is set in the hrtimer cpu base
which prevents newly enqueued timers from reprogramming the timer hardware
prior to the chosen delay. The subsequent hrtimer interrupt after the delay
clears the flag and resumes normal operation.

If such a hang happens in the last hrtimer interrupt before a CPU is
unplugged then the hang_detected flag is set and stays that way when the
CPU is plugged in again. At that point the timer hardware is not armed and
it cannot be armed because the hang_detected flag is still active, so
nothing clears that flag. As a consequence the CPU does not receive hrtimer
interrupts and no timers expire on that CPU which results in RCU stalls and
other malfunctions.

Clear the flag along with some other less critical members of the hrtimer
cpu base to ensure starting from a clean state when a CPU is plugged in.

Thanks to Paul, Sebastian and Anna-Maria for their help to get down to the
root cause of that hard to reproduce heisenbug. Once understood it's
trivial and certainly justifies a brown paperbag.

Fixes: 41d2e4949377 ("hrtimer: Tune hrtimer_interrupt hang logic")
Reported-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Sewior <bigeasy@linutronix.de>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801261447590.2067@nanos
[bwh: Backported to 3.16:
 - There's no next_timer field to reset
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/hrtimer.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -659,6 +659,7 @@ static int hrtimer_reprogram(struct hrti
 static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
 {
 	base->expires_next.tv64 = KTIME_MAX;
+	base->hang_detected = 0;
 	base->hres_active = 0;
 }
 
@@ -1680,6 +1681,7 @@ static void init_hrtimers_cpu(int cpu)
 		timerqueue_init_head(&cpu_base->clock_base[i].active);
 	}
 
+	cpu_base->active_bases = 0;
 	hrtimer_init_hres(cpu_base);
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 032/254] eeprom: at24: check at24_read/write arguments
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 253/254] ACPI: sbshc: remove raw pointer from printk() message Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 098/254] MIPS: Set `si_code' for SIGFPE signals sent from emulation too Ben Hutchings
                   ` (247 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Heiner Kallweit, Bartosz Golaszewski

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Heiner Kallweit <hkallweit1@gmail.com>

commit d9bcd462daf34aebb8de9ad7f76de0198bb5a0f0 upstream.

So far we completely rely on the caller to provide valid arguments.
To be on the safe side perform an own sanity check.

Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/eeprom/at24.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/misc/eeprom/at24.c
+++ b/drivers/misc/eeprom/at24.c
@@ -274,6 +274,9 @@ static ssize_t at24_read(struct at24_dat
 	if (unlikely(!count))
 		return count;
 
+	if (off + count > at24->chip.byte_len)
+		return -EINVAL;
+
 	/*
 	 * Read data from chip, protecting against concurrent updates
 	 * from this host, but not from other I2C masters.
@@ -396,6 +399,9 @@ static ssize_t at24_write(struct at24_da
 	if (unlikely(!count))
 		return count;
 
+	if (off + count > at24->chip.byte_len)
+		return -EINVAL;
+
 	/*
 	 * Write data to chip, protecting against concurrent updates
 	 * from this host, but not from other I2C masters.

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 202/254] KVM: x86: Add memory barrier on vmcs field lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (168 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 175/254] ALSA: aloop: Release cable upon open error path Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 023/254] USB: core: Add type-specific length check of BOS descriptors Ben Hutchings
                   ` (84 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jim Mattson, Andrew Honig, Paolo Bonzini

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Honig <ahonig@google.com>

commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.

This adds a memory barrier when performing a lookup into
the vmcs_field_to_offset_table.  This is related to
CVE-2017-5753.

Signed-off-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -698,8 +698,18 @@ static const int max_vmcs_field = ARRAY_
 
 static inline short vmcs_field_to_offset(unsigned long field)
 {
-	if (field >= max_vmcs_field || vmcs_field_to_offset_table[field] == 0)
+	if (field >= max_vmcs_field)
 		return -1;
+
+	/*
+	 * FIXME: Mitigation for CVE-2017-5753.  To be replaced with a
+	 * generic mechanism.
+	 */
+	asm("lfence");
+
+	if (vmcs_field_to_offset_table[field] == 0)
+		return -1;
+
 	return vmcs_field_to_offset_table[field];
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 044/254] can: ti_hecc: Fix napi poll return value for repoll
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 054/254] dm: fix various targets to dm_register_target after module __init resources created Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 026/254] uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices Ben Hutchings
                   ` (235 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Oliver Stäbler, Marc Kleine-Budde

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Stäbler <oliver.staebler@bytesatwork.ch>

commit f6c23b174c3c96616514827407769cbcfc8005cf upstream.

After commit d75b1ade567f ("net: less interrupt masking in NAPI") napi
repoll is done only when work_done == budget.
So we need to return budget if there are still packets to receive.

Signed-off-by: Oliver Stäbler <oliver.staebler@bytesatwork.ch>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/ti_hecc.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -652,6 +652,9 @@ static int ti_hecc_rx_poll(struct napi_s
 		mbx_mask = hecc_read(priv, HECC_CANMIM);
 		mbx_mask |= HECC_TX_MBOX_MASK;
 		hecc_write(priv, HECC_CANMIM, mbx_mask);
+	} else {
+		/* repoll is done only if whole budget is used */
+		num_pkts = quota;
 	}
 
 	return num_pkts;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 199/254] powerpc: Don't preempt_disable() in show_cpuinfo()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 018/254] drm/i915: Don't try indexed reads to alternate slave addresses Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 134/254] net/mlx5: Cleanup IRQs in case of unload failure Ben Hutchings
                   ` (242 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Benjamin Herrenschmidt, Michael Ellerman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Herrenschmidt <benh@kernel.crashing.org>

commit 349524bc0da698ec77f2057cf4a4948eb6349265 upstream.

This causes warnings from cpufreq mutex code. This is also rather
unnecessary and ineffective. If we really want to prevent concurrent
unplug, we could take the unplug read lock but I don't see this being
critical.

Fixes: cd77b5ce208c ("powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo")
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/setup-common.c | 11 -----------
 1 file changed, 11 deletions(-)

--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -216,14 +216,6 @@ static int show_cpuinfo(struct seq_file
 	unsigned short maj;
 	unsigned short min;
 
-	/* We only show online cpus: disable preempt (overzealous, I
-	 * knew) to prevent cpu going down. */
-	preempt_disable();
-	if (!cpu_online(cpu_id)) {
-		preempt_enable();
-		return 0;
-	}
-
 #ifdef CONFIG_SMP
 	pvr = per_cpu(cpu_pvr, cpu_id);
 #else
@@ -328,9 +320,6 @@ static int show_cpuinfo(struct seq_file
 #ifdef CONFIG_SMP
 	seq_printf(m, "\n");
 #endif
-
-	preempt_enable();
-
 	/* If this is the last cpu, print the summary */
 	if (cpumask_next(cpu_id, cpu_online_mask) >= nr_cpu_ids)
 		show_cpuinfo_summary(m);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 250/254] media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 003/254] KVM: x86: Exit to user-mode on #UD intercept when emulator requires Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 048/254] ext4: fix fdatasync(2) after fallocate(2) operation Ben Hutchings
                   ` (2 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Sakari Ailus, Mauro Carvalho Chehab

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 169f24ca68bf0f247d111aef07af00dd3a02ae88 upstream.

There is nothing wrong with using an unknown buffer type. So
stop spamming the kernel log whenever this happens. The kernel
will just return -EINVAL to signal this.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -170,8 +170,6 @@ static int __get_v4l2_format32(struct v4
 		return copy_from_user(&kp->fmt.sliced, &up->fmt.sliced,
 				      sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
 	default:
-		printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
-		       kp->type);
 		return -EINVAL;
 	}
 }
@@ -217,8 +215,6 @@ static int __put_v4l2_format32(struct v4
 		return copy_to_user(&up->fmt.sliced, &kp->fmt.sliced,
 				    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
 	default:
-		printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
-		       kp->type);
 		return -EINVAL;
 	}
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 186/254] Input: twl4030-vibra - fix sibling-node lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 223/254] net: igmp: Use correct source address on IGMPv3 reports Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 206/254] mac80211_hwsim: validate number of different channels Ben Hutchings
                   ` (89 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Johan Hovold

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5b189201993ab03001a398de731045bfea90c689 upstream.

A helper purported to look up a child node based on its name was using
the wrong of-helper and ended up prematurely freeing the parent of-node
while searching the whole device tree depth-first starting at the parent
node.

Fixes: 64b9e4d803b1 ("input: twl4030-vibra: Support for DT booted kernel")
Fixes: e661d0a04462 ("Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/twl4030-vibra.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/input/misc/twl4030-vibra.c
+++ b/drivers/input/misc/twl4030-vibra.c
@@ -180,12 +180,14 @@ static SIMPLE_DEV_PM_OPS(twl4030_vibra_p
 			 twl4030_vibra_suspend, twl4030_vibra_resume);
 
 static bool twl4030_vibra_check_coexist(struct twl4030_vibra_data *pdata,
-			      struct device_node *node)
+			      struct device_node *parent)
 {
+	struct device_node *node;
+
 	if (pdata && pdata->coexist)
 		return true;
 
-	node = of_find_node_by_name(node, "codec");
+	node = of_get_child_by_name(parent, "codec");
 	if (node) {
 		of_node_put(node);
 		return true;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 112/254] KVM: X86: Fix load RFLAGS w/o the fixed bit
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (174 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 225/254] Input: trackpoint - assume 3 buttons when buttons detection fails Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 041/254] can: kvaser_usb: free buf in error paths Ben Hutchings
                   ` (78 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Radim Krčmář,
	David Hildenbrand, Wanpeng Li, Paolo Bonzini, Quan Xu,
	Jim Mattson

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpeng.li@hotmail.com>

commit d73235d17ba63b53dc0e1051dbc10a1f1be91b71 upstream.

 *** Guest State ***
 CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
 CR4: actual=0x0000000000002050, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
 CR3 = 0x00000000fffbc000
 RSP = 0x0000000000000000  RIP = 0x0000000000000000
 RFLAGS=0x00000000         DR7 = 0x0000000000000400
        ^^^^^^^^^^

The failed vmentry is triggered by the following testcase when ept=Y:

    #include <unistd.h>
    #include <sys/syscall.h>
    #include <string.h>
    #include <stdint.h>
    #include <linux/kvm.h>
    #include <fcntl.h>
    #include <sys/ioctl.h>

    long r[5];
    int main()
    {
    	r[2] = open("/dev/kvm", O_RDONLY);
    	r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
    	r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
    	struct kvm_regs regs = {
    		.rflags = 0,
    	};
    	ioctl(r[4], KVM_SET_REGS, &regs);
    	ioctl(r[4], KVM_RUN, 0);
    }

X86 RFLAGS bit 1 is fixed set, userspace can simply clearing bit 1
of RFLAGS with KVM_SET_REGS ioctl which results in vmentry fails.
This patch fixes it by oring X86_EFLAGS_FIXED during ioctl.

Suggested-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Quan Xu <quan.xu0@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Jim Mattson <jmattson@google.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6471,7 +6471,7 @@ int kvm_arch_vcpu_ioctl_set_regs(struct
 #endif
 
 	kvm_rip_write(vcpu, regs->rip);
-	kvm_set_rflags(vcpu, regs->rflags);
+	kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED);
 
 	vcpu->arch.exception.pending = false;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 060/254] arm64: fpsimd: Prevent registers leaking from dead tasks
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 203/254] usb: misc: usb3503: make sure reset is low for at least 100us Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 105/254] MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue Ben Hutchings
                   ` (48 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Ard Biesheuvel, Dave Martin

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.

Currently, loading of a task's fpsimd state into the CPU registers
is skipped if that task's state is already present in the registers
of that CPU.

However, the code relies on the struct fpsimd_state * (and by
extension struct task_struct *) to unambiguously identify a task.

There is a particular case in which this doesn't work reliably:
when a task exits, its task_struct may be recycled to describe a
new task.

Consider the following scenario:

 1) Task P loads its fpsimd state onto cpu C.
        per_cpu(fpsimd_last_state, C) := P;
        P->thread.fpsimd_state.cpu := C;

 2) Task X is scheduled onto C and loads its fpsimd state on C.
        per_cpu(fpsimd_last_state, C) := X;
        X->thread.fpsimd_state.cpu := C;

 3) X exits, causing X's task_struct to be freed.

 4) P forks a new child T, which obtains X's recycled task_struct.
	T == X.
	T->thread.fpsimd_state.cpu == C (inherited from P).

 5) T is scheduled on C.
	T's fpsimd state is not loaded, because
	per_cpu(fpsimd_last_state, C) == T (== X) &&
	T->thread.fpsimd_state.cpu == C.

        (This is the check performed by fpsimd_thread_switch().)

So, T gets X's registers because the last registers loaded onto C
were those of X, in (2).

This patch fixes the problem by ensuring that the sched-in check
fails in (5): fpsimd_flush_task_state(T) is called when T is
forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
This relies on the fact that T is not schedulable until after
copy_thread() completes.

Once T's fpsimd state has been loaded on some CPU C there may still
be other cpus D for which per_cpu(fpsimd_last_state, D) ==
&X->thread.fpsimd_state.  But D is necessarily != C in this case,
and the check in (5) must fail.

An alternative fix would be to do refcounting on task_struct.  This
would result in each CPU holding a reference to the last task whose
fpsimd state was loaded there.  It's not clear whether this is
preferable, and it involves higher overhead than the fix proposed
in this patch.  It would also move all the task_struct freeing
work into the context switch critical section, or otherwise some
deferred cleanup mechanism would need to be introduced, neither of
which seems obviously justified.

Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[will: word-smithed the comment so it makes more sense]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/process.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -269,6 +269,15 @@ int copy_thread(unsigned long clone_flag
 
 	memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
 
+	/*
+	 * In case p was allocated the same task_struct pointer as some
+	 * other recently-exited task, make sure p is disassociated from
+	 * any cpu that may have run that now-exited task recently.
+	 * Otherwise we could erroneously skip reloading the FPSIMD
+	 * registers for p.
+	 */
+	fpsimd_flush_task_state(p);
+
 	if (likely(!(p->flags & PF_KTHREAD))) {
 		*childregs = *current_pt_regs();
 		childregs->regs[0] = 0;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 149/254] stddef.h: move offsetofend inside #ifndef/#endif guard, neaten
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 037/254] mfd: twl4030-audio: Fix sibling-node lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 114/254] kernel: make groups_sort calling a responsibility group_info allocators Ben Hutchings
                   ` (23 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denys Vlasenko, Joe Perches, Linus Torvalds

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Perches <joe@perches.com>

commit 8c7fbe5795a016259445a61e072eb0118aaf6a61 upstream.

Commit 3876488444e7 ("include/stddef.h: Move offsetofend() from vfio.h
to a generic kernel header") added offsetofend outside the normal
include #ifndef/#endif guard.  Move it inside.

Miscellanea:

o remove unnecessary blank line
o standardize offsetof macros whitespace style

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/stddef.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/include/linux/stddef.h
+++ b/include/linux/stddef.h
@@ -3,7 +3,6 @@
 
 #include <uapi/linux/stddef.h>
 
-
 #undef NULL
 #define NULL ((void *)0)
 
@@ -14,10 +13,9 @@ enum {
 
 #undef offsetof
 #ifdef __compiler_offsetof
-#define offsetof(TYPE,MEMBER) __compiler_offsetof(TYPE,MEMBER)
+#define offsetof(TYPE, MEMBER)	__compiler_offsetof(TYPE, MEMBER)
 #else
-#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
-#endif
+#define offsetof(TYPE, MEMBER)	((size_t)&((TYPE *)0)->MEMBER)
 #endif
 
 /**
@@ -28,3 +26,5 @@ enum {
  */
 #define offsetofend(TYPE, MEMBER) \
 	(offsetof(TYPE, MEMBER)	+ sizeof(((TYPE *)0)->MEMBER))
+
+#endif

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 118/254] parisc: Hide Diva-built-in serial aux and graphics card
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 010/254] scsi: libsas: align sata_device's rps_resp on a cacheline Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 095/254] MIPS: lose_fpu(): Disable FPU when MSA enabled Ben Hutchings
                   ` (145 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Helge Deller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit bcf3f1752a622f1372d3252d0fea8855d89812e7 upstream.

Diva GSP card has built-in serial AUX port and ATI graphic card which simply
don't work and which both don't have external connectors.  User Guides even
mention that those devices shouldn't be used.
So, prevent that Linux drivers try to enable those devices.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/parisc/lba_pci.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

--- a/drivers/parisc/lba_pci.c
+++ b/drivers/parisc/lba_pci.c
@@ -1652,3 +1652,36 @@ void lba_set_iregs(struct parisc_device
 	iounmap(base_addr);
 }
 
+
+/*
+ * The design of the Diva management card in rp34x0 machines (rp3410, rp3440)
+ * seems rushed, so that many built-in components simply don't work.
+ * The following quirks disable the serial AUX port and the built-in ATI RV100
+ * Radeon 7000 graphics card which both don't have any external connectors and
+ * thus are useless, and even worse, e.g. the AUX port occupies ttyS0 and as
+ * such makes those machines the only PARISC machines on which we can't use
+ * ttyS0 as boot console.
+ */
+static void quirk_diva_ati_card(struct pci_dev *dev)
+{
+	if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
+	    dev->subsystem_device != 0x1292)
+		return;
+
+	dev_info(&dev->dev, "Hiding Diva built-in ATI card");
+	dev->device = 0;
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RADEON_QY,
+	quirk_diva_ati_card);
+
+static void quirk_diva_aux_disable(struct pci_dev *dev)
+{
+	if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
+	    dev->subsystem_device != 0x1291)
+		return;
+
+	dev_info(&dev->dev, "Hiding Diva built-in AUX serial device");
+	dev->device = 0;
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_DIVA_AUX,
+	quirk_diva_aux_disable);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 254/254] rds: Fix NULL pointer dereference in __rds_rdma_map
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 206/254] mac80211_hwsim: validate number of different channels Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 213/254] KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs() Ben Hutchings
                   ` (87 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Santosh Shilimkar, syzbot, David S. Miller,
	Håkon Bugge, Håkon Bugge

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Håkon Bugge <Haakon.Bugge@oracle.com>

commit f3069c6d33f6ae63a1668737bc78aaaa51bff7ca upstream.

This is a fix for syzkaller719569, where memory registration was
attempted without any underlying transport being loaded.

Analysis of the case reveals that it is the setsockopt() RDS_GET_MR
(2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable.

Here is an example stack trace when the bug is hit:

BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
IP: __rds_rdma_map+0x36/0x440 [rds]
PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4
dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp
coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul
ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd
iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd
shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core
auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2
mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect
sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm
crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror
dm_region_hash dm_log dm_mod
CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2
Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017
task: ffff882f9190db00 task.stack: ffffc9002b994000
RIP: 0010:__rds_rdma_map+0x36/0x440 [rds]
RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580
RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002
R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580
R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc
FS:  00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0
Call Trace:
 rds_get_mr+0x56/0x80 [rds]
 rds_setsockopt+0x172/0x340 [rds]
 ? __fget_light+0x25/0x60
 ? __fdget+0x13/0x20
 SyS_setsockopt+0x80/0xe0
 do_syscall_64+0x67/0x1b0
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7fbff9b117f9
RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9
RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b
RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860
R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000
R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021

Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48
89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48>
83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08

The fix is to check the existence of an underlying transport in
__rds_rdma_map().

Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/rds/rdma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -184,7 +184,7 @@ static int __rds_rdma_map(struct rds_soc
 	long i;
 	int ret;
 
-	if (rs->rs_bound_addr == 0) {
+	if (rs->rs_bound_addr == 0 || !rs->rs_transport) {
 		ret = -ENOTCONN; /* XXX not a great errno */
 		goto out;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 098/254] MIPS: Set `si_code' for SIGFPE signals sent from emulation too
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 032/254] eeprom: at24: check at24_read/write arguments Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 195/254] net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() Ben Hutchings
                   ` (246 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, Maciej W. Rozycki, linux-mips

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit 304acb717e5b67cf56f05bc5b21123758e1f7ea0 upstream.

Rework `process_fpemu_return' and move IEEE 754 exception interpretation
there, from `do_fpe'.  Record the cause bits set in FCSR before they are
cleared and pass them through to `process_fpemu_return' so as to set
`si_code' correctly too for SIGFPE signals sent from emulation rather
than those issued by hardware with the FPE processor exception only.

For simplicity `mipsr2_decoder' assumes `*fcr31' has been preinitialised
and only sets it to anything if an FPU instruction has been emulated,
which in turn is the only case SIGFPE can be issued for here.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9705/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16:
 - Drop changes in mips-r2-to-r6-emul and simulate_fp()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/include/asm/fpu_emulator.h
+++ b/arch/mips/include/asm/fpu_emulator.h
@@ -65,7 +65,8 @@ extern int do_dsemulret(struct pt_regs *
 extern int fpu_emulator_cop1Handler(struct pt_regs *xcp,
 				    struct mips_fpu_struct *ctx, int has_fpu,
 				    void *__user *fault_addr);
-int process_fpemu_return(int sig, void __user *fault_addr);
+int process_fpemu_return(int sig, void __user *fault_addr,
+			 unsigned long fcr31);
 int mm_isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
 		     unsigned long *contpc);
 
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -707,29 +707,60 @@ asmlinkage void do_ov(struct pt_regs *re
 	exception_exit(prev_state);
 }
 
-int process_fpemu_return(int sig, void __user *fault_addr)
+int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31)
 {
-	if (sig == SIGSEGV || sig == SIGBUS) {
-		struct siginfo si = {0};
+	struct siginfo si = { 0 };
+
+	switch (sig) {
+	case 0:
+		return 0;
+
+	case SIGFPE:
 		si.si_addr = fault_addr;
 		si.si_signo = sig;
-		if (sig == SIGSEGV) {
-			down_read(&current->mm->mmap_sem);
-			if (find_vma(current->mm, (unsigned long)fault_addr))
-				si.si_code = SEGV_ACCERR;
-			else
-				si.si_code = SEGV_MAPERR;
-			up_read(&current->mm->mmap_sem);
-		} else {
-			si.si_code = BUS_ADRERR;
-		}
+		/*
+		 * Inexact can happen together with Overflow or Underflow.
+		 * Respect the mask to deliver the correct exception.
+		 */
+		fcr31 &= (fcr31 & FPU_CSR_ALL_E) <<
+			 (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E));
+		if (fcr31 & FPU_CSR_INV_X)
+			si.si_code = FPE_FLTINV;
+		else if (fcr31 & FPU_CSR_DIV_X)
+			si.si_code = FPE_FLTDIV;
+		else if (fcr31 & FPU_CSR_OVF_X)
+			si.si_code = FPE_FLTOVF;
+		else if (fcr31 & FPU_CSR_UDF_X)
+			si.si_code = FPE_FLTUND;
+		else if (fcr31 & FPU_CSR_INE_X)
+			si.si_code = FPE_FLTRES;
+		else
+			si.si_code = __SI_FAULT;
+		force_sig_info(sig, &si, current);
+		return 1;
+
+	case SIGBUS:
+		si.si_addr = fault_addr;
+		si.si_signo = sig;
+		si.si_code = BUS_ADRERR;
+		force_sig_info(sig, &si, current);
+		return 1;
+
+	case SIGSEGV:
+		si.si_addr = fault_addr;
+		si.si_signo = sig;
+		down_read(&current->mm->mmap_sem);
+		if (find_vma(current->mm, (unsigned long)fault_addr))
+			si.si_code = SEGV_ACCERR;
+		else
+			si.si_code = SEGV_MAPERR;
+		up_read(&current->mm->mmap_sem);
 		force_sig_info(sig, &si, current);
 		return 1;
-	} else if (sig) {
+
+	default:
 		force_sig(sig, current);
 		return 1;
-	} else {
-		return 0;
 	}
 }
 
@@ -739,7 +770,8 @@ int process_fpemu_return(int sig, void _
 asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31)
 {
 	enum ctx_state prev_state;
-	siginfo_t info = {0};
+	void __user *fault_addr;
+	int sig;
 
 	prev_state = exception_enter();
 	if (notify_die(DIE_FP, "FP exception", regs, 0, regs_to_trapnr(regs),
@@ -753,9 +785,6 @@ asmlinkage void do_fpe(struct pt_regs *r
 	die_if_kernel("FP exception in kernel code", regs);
 
 	if (fcr31 & FPU_CSR_UNI_X) {
-		int sig;
-		void __user *fault_addr = NULL;
-
 		/*
 		 * Unimplemented operation exception.  If we've got the full
 		 * software emulator on-board, let's use it...
@@ -772,6 +801,7 @@ asmlinkage void do_fpe(struct pt_regs *r
 		/* Run the emulator */
 		sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 1,
 					       &fault_addr);
+		fcr31 = current->thread.fpu.fcr31;
 
 		/*
 		 * We can't allow the emulated instruction to leave any of
@@ -781,35 +811,13 @@ asmlinkage void do_fpe(struct pt_regs *r
 
 		/* Restore the hardware register state */
 		own_fpu(1);	/* Using the FPU again.	 */
-
-		/* If something went wrong, signal */
-		process_fpemu_return(sig, fault_addr);
-
-		goto out;
+	} else {
+		sig = SIGFPE;
+		fault_addr = (void __user *) regs->cp0_epc;
 	}
 
-	/*
-	 * Inexact can happen together with Overflow or Underflow.
-	 * Respect the mask to deliver the correct exception.
-	 */
-	fcr31 &= (fcr31 & FPU_CSR_ALL_E) <<
-		 (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E));
-	if (fcr31 & FPU_CSR_INV_X)
-		info.si_code = FPE_FLTINV;
-	else if (fcr31 & FPU_CSR_DIV_X)
-		info.si_code = FPE_FLTDIV;
-	else if (fcr31 & FPU_CSR_OVF_X)
-		info.si_code = FPE_FLTOVF;
-	else if (fcr31 & FPU_CSR_UDF_X)
-		info.si_code = FPE_FLTUND;
-	else if (fcr31 & FPU_CSR_INE_X)
-		info.si_code = FPE_FLTRES;
-	else
-		info.si_code = __SI_FAULT;
-	info.si_signo = SIGFPE;
-	info.si_errno = 0;
-	info.si_addr = (void __user *) regs->cp0_epc;
-	force_sig_info(SIGFPE, &info, current);
+	/* Send a signal if required.  */
+	process_fpemu_return(sig, fault_addr, fcr31);
 
 out:
 	exception_exit(prev_state);
@@ -1210,10 +1218,13 @@ asmlinkage void do_cpu(struct pt_regs *r
 	enum ctx_state prev_state;
 	unsigned int __user *epc;
 	unsigned long old_epc, old31;
+	void __user *fault_addr;
 	unsigned int opcode;
+	unsigned long fcr31;
 	unsigned int cpid;
 	int status, err;
 	unsigned long __maybe_unused flags;
+	int sig;
 
 	prev_state = exception_enter();
 	cpid = (regs->cp0_cause >> CAUSEB_CE) & 3;
@@ -1286,22 +1297,22 @@ asmlinkage void do_cpu(struct pt_regs *r
 	case 1:
 		err = enable_restore_fp_context(0);
 
-		if (!raw_cpu_has_fpu || err) {
-			int sig;
-			void __user *fault_addr = NULL;
-			sig = fpu_emulator_cop1Handler(regs,
-						       &current->thread.fpu,
-						       0, &fault_addr);
-
-			/*
-			 * We can't allow the emulated instruction to leave
-			 * any of the cause bits set in $fcr31.
-			 */
-			current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+		if (raw_cpu_has_fpu && !err)
+			break;
 
-			if (!process_fpemu_return(sig, fault_addr) && !err)
-				mt_ase_fp_affinity();
-		}
+		sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 0,
+					       &fault_addr);
+		fcr31 = current->thread.fpu.fcr31;
+
+		/*
+		 * We can't allow the emulated instruction to leave
+		 * any of the cause bits set in $fcr31.
+		 */
+		current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+
+		/* Send a signal if required.  */
+		if (!process_fpemu_return(sig, fault_addr, fcr31) && !err)
+			mt_ase_fp_affinity();
 
 		goto out;
 
--- a/arch/mips/kernel/unaligned.c
+++ b/arch/mips/kernel/unaligned.c
@@ -697,7 +697,7 @@ static void emulate_load_store_insn(stru
 		own_fpu(1);	/* Restore FPU state. */
 
 		/* Signal if something went wrong. */
-		process_fpemu_return(res, fault_addr);
+		process_fpemu_return(res, fault_addr, 0);
 
 		if (res == 0)
 			break;
@@ -1129,7 +1129,7 @@ fpu_emul:
 		own_fpu(1);	/* restore FPU state */
 
 		/* If something went wrong, signal */
-		process_fpemu_return(res, fault_addr);
+		process_fpemu_return(res, fault_addr, 0);
 
 		if (res == 0)
 			goto success;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 171/254] crypto: algapi - fix NULL dereference in crypto_remove_spawns()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 207/254] cfg80211: check dev_set_name() return value Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 124/254] ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU Ben Hutchings
                   ` (180 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot, Herbert Xu, Eric Biggers

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 9a00674213a3f00394f4e3221b88f2d21fc05789 upstream.

syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
via a program that repeatedly and concurrently requests AEADs
"authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
through AF_ALG, where the hashes are requested as "untested"
(CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
causes the template to be instantiated for every request).

Although AF_ALG users really shouldn't be able to request an "untested"
algorithm, the NULL pointer dereference is actually caused by a
longstanding race condition where crypto_remove_spawns() can encounter
an instance which has had spawn(s) "grabbed" but hasn't yet been
registered, resulting in ->cra_users still being NULL.

We probably should properly initialize ->cra_users earlier, but that
would require updating many templates individually.  For now just fix
the bug in a simple way that can easily be backported: make
crypto_remove_spawns() treat a NULL ->cra_users list as empty.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/algapi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -147,6 +147,18 @@ void crypto_remove_spawns(struct crypto_
 
 			spawn->alg = NULL;
 			spawns = &inst->alg.cra_users;
+
+			/*
+			 * We may encounter an unregistered instance here, since
+			 * an instance's spawns are set up prior to the instance
+			 * being registered.  An unregistered instance will have
+			 * NULL ->cra_users.next, since ->cra_users isn't
+			 * properly initialized until registration.  But an
+			 * unregistered instance cannot have any users, so treat
+			 * it the same as ->cra_users being empty.
+			 */
+			if (spawns->next == NULL)
+				break;
 		}
 	} while ((spawns = crypto_more_spawns(alg, &stack, &top,
 					      &secondary_spawns)));

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 048/254] ext4: fix fdatasync(2) after fallocate(2) operation
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 250/254] media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 087/254] ipv4: Avoid reading user iov twice after raw_probe_proto_opt Ben Hutchings
  2018-02-28 16:57 ` [PATCH 3.16 000/254] 3.16.55-rc1 review Guenter Roeck
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Eryu Guan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eryu Guan <eguan@redhat.com>

commit c894aa97577e47d3066b27b32499ecf899bfa8b0 upstream.

Currently, fallocate(2) with KEEP_SIZE followed by a fdatasync(2)
then crash, we'll see wrong allocated block number (stat -c %b), the
blocks allocated beyond EOF are all lost. fstests generic/468
exposes this bug.

Commit 67a7d5f561f4 ("ext4: fix fdatasync(2) after extent
manipulation operations") fixed all the other extent manipulation
operation paths such as hole punch, zero range, collapse range etc.,
but forgot the fallocate case.

So similarly, fix it by recording the correct journal tid in ext4
inode in fallocate(2) path, so that ext4_sync_file() will wait for
the right tid to be committed on fdatasync(2).

This addresses the test failure in xfstests test generic/468.

Signed-off-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/extents.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4726,6 +4726,7 @@ retry:
 						    EXT4_INODE_EOFBLOCKS);
 		}
 		ext4_mark_inode_dirty(handle, inode);
+		ext4_update_inode_fsync_trans(handle, inode, 1);
 		ret2 = ext4_journal_stop(handle);
 		if (ret2)
 			break;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 054/254] dm: fix various targets to dm_register_target after module __init resources created
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 005/254] KVM: x86: Don't re-execute instruction when not passing CR2 value Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 044/254] can: ti_hecc: Fix napi poll return value for repoll Ben Hutchings
                   ` (236 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mike Snitzer, monty_pavel

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "monty_pavel@sina.com" <monty_pavel@sina.com>

commit 7e6358d244e4706fe612a77b9c36519a33600ac0 upstream.

A NULL pointer is seen if two concurrent "vgchange -ay -K <vg name>"
processes race to load the dm-thin-pool module:

 PID: 25992 TASK: ffff883cd7d23500 CPU: 4 COMMAND: "vgchange"
  #0 [ffff883cd743d600] machine_kexec at ffffffff81038fa9
  0000001 [ffff883cd743d660] crash_kexec at ffffffff810c5992
  0000002 [ffff883cd743d730] oops_end at ffffffff81515c90
  0000003 [ffff883cd743d760] no_context at ffffffff81049f1b
  0000004 [ffff883cd743d7b0] __bad_area_nosemaphore at ffffffff8104a1a5
  0000005 [ffff883cd743d800] bad_area at ffffffff8104a2ce
  0000006 [ffff883cd743d830] __do_page_fault at ffffffff8104aa6f
  0000007 [ffff883cd743d950] do_page_fault at ffffffff81517bae
  0000008 [ffff883cd743d980] page_fault at ffffffff81514f95
     [exception RIP: kmem_cache_alloc+108]
     RIP: ffffffff8116ef3c RSP: ffff883cd743da38 RFLAGS: 00010046
     RAX: 0000000000000004 RBX: ffffffff81121b90 RCX: ffff881bf1e78cc0
     RDX: 0000000000000000 RSI: 00000000000000d0 RDI: 0000000000000000
     RBP: ffff883cd743da68 R8: ffff881bf1a4eb00 R9: 0000000080042000
     R10: 0000000000002000 R11: 0000000000000000 R12: 00000000000000d0
     R13: 0000000000000000 R14: 00000000000000d0 R15: 0000000000000246
     ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
  0000009 [ffff883cd743da70] mempool_alloc_slab at ffffffff81121ba5
 0000010 [ffff883cd743da80] mempool_create_node at ffffffff81122083
 0000011 [ffff883cd743dad0] mempool_create at ffffffff811220f4
 0000012 [ffff883cd743dae0] pool_ctr at ffffffffa08de049 [dm_thin_pool]
 0000013 [ffff883cd743dbd0] dm_table_add_target at ffffffffa0005f2f [dm_mod]
 0000014 [ffff883cd743dc30] table_load at ffffffffa0008ba9 [dm_mod]
 0000015 [ffff883cd743dc90] ctl_ioctl at ffffffffa0009dc4 [dm_mod]

The race results in a NULL pointer because:

Process A (vgchange -ay -K):
 	a. send DM_LIST_VERSIONS_CMD ioctl;
 	b. pool_target not registered;
 	c. modprobe dm_thin_pool and wait until end.

Process B (vgchange -ay -K):
 	a. send DM_LIST_VERSIONS_CMD ioctl;
 	b. pool_target registered;
 	c. table_load->dm_table_add_target->pool_ctr;
 	d. _new_mapping_cache is NULL and panic.
Note:
 	1. process A and process B are two concurrent processes.
 	2. pool_target can be detected by process B but
 	_new_mapping_cache initialization has not ended.

To fix dm-thin-pool, and other targets (cache, multipath, and snapshot)
with the same problem, simply dm_register_target() after all resources
created during module init (as labelled with __init) are finished.

Signed-off-by: monty <monty_pavel@sina.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-cache-target.c | 12 +++++------
 drivers/md/dm-mpath.c        | 18 ++++++++---------
 drivers/md/dm-snap.c         | 48 ++++++++++++++++++++++----------------------
 drivers/md/dm-thin.c         | 22 +++++++++-----------
 4 files changed, 49 insertions(+), 51 deletions(-)

--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -3108,18 +3108,18 @@ static int __init dm_cache_init(void)
 {
 	int r;
 
-	r = dm_register_target(&cache_target);
-	if (r) {
-		DMERR("cache target registration failed: %d", r);
-		return r;
-	}
-
 	migration_cache = KMEM_CACHE(dm_cache_migration, 0);
 	if (!migration_cache) {
 		dm_unregister_target(&cache_target);
 		return -ENOMEM;
 	}
 
+	r = dm_register_target(&cache_target);
+	if (r) {
+		DMERR("cache target registration failed: %d", r);
+		return r;
+	}
+
 	return 0;
 }
 
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1688,13 +1688,6 @@ static int __init dm_multipath_init(void
 	if (!_mpio_cache)
 		return -ENOMEM;
 
-	r = dm_register_target(&multipath_target);
-	if (r < 0) {
-		DMERR("register failed %d", r);
-		r = -EINVAL;
-		goto bad_register_target;
-	}
-
 	kmultipathd = alloc_workqueue("kmpathd", WQ_MEM_RECLAIM, 0);
 	if (!kmultipathd) {
 		DMERR("failed to create workqueue kmpathd");
@@ -1716,17 +1709,24 @@ static int __init dm_multipath_init(void
 		goto bad_alloc_kmpath_handlerd;
 	}
 
+	r = dm_register_target(&multipath_target);
+	if (r < 0) {
+		DMERR("register failed %d", r);
+		r = -EINVAL;
+		goto bad_register_target;
+	}
+
 	DMINFO("version %u.%u.%u loaded",
 	       multipath_target.version[0], multipath_target.version[1],
 	       multipath_target.version[2]);
 
 	return 0;
 
+bad_register_target:
+	destroy_workqueue(kmpath_handlerd);
 bad_alloc_kmpath_handlerd:
 	destroy_workqueue(kmultipathd);
 bad_alloc_kmultipathd:
-	dm_unregister_target(&multipath_target);
-bad_register_target:
 	kmem_cache_destroy(_mpio_cache);
 
 	return r;
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -2404,24 +2404,6 @@ static int __init dm_snapshot_init(void)
 		return r;
 	}
 
-	r = dm_register_target(&snapshot_target);
-	if (r < 0) {
-		DMERR("snapshot target register failed %d", r);
-		goto bad_register_snapshot_target;
-	}
-
-	r = dm_register_target(&origin_target);
-	if (r < 0) {
-		DMERR("Origin target register failed %d", r);
-		goto bad_register_origin_target;
-	}
-
-	r = dm_register_target(&merge_target);
-	if (r < 0) {
-		DMERR("Merge target register failed %d", r);
-		goto bad_register_merge_target;
-	}
-
 	r = init_origin_hash();
 	if (r) {
 		DMERR("init_origin_hash failed.");
@@ -2442,19 +2424,37 @@ static int __init dm_snapshot_init(void)
 		goto bad_pending_cache;
 	}
 
+	r = dm_register_target(&snapshot_target);
+	if (r < 0) {
+		DMERR("snapshot target register failed %d", r);
+		goto bad_register_snapshot_target;
+	}
+
+	r = dm_register_target(&origin_target);
+	if (r < 0) {
+		DMERR("Origin target register failed %d", r);
+		goto bad_register_origin_target;
+	}
+
+	r = dm_register_target(&merge_target);
+	if (r < 0) {
+		DMERR("Merge target register failed %d", r);
+		goto bad_register_merge_target;
+	}
+
 	return 0;
 
-bad_pending_cache:
-	kmem_cache_destroy(exception_cache);
-bad_exception_cache:
-	exit_origin_hash();
-bad_origin_hash:
-	dm_unregister_target(&merge_target);
 bad_register_merge_target:
 	dm_unregister_target(&origin_target);
 bad_register_origin_target:
 	dm_unregister_target(&snapshot_target);
 bad_register_snapshot_target:
+	kmem_cache_destroy(pending_cache);
+bad_pending_cache:
+	kmem_cache_destroy(exception_cache);
+bad_exception_cache:
+	exit_origin_hash();
+bad_origin_hash:
 	dm_exception_store_exit();
 
 	return r;
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -3521,30 +3521,28 @@ static struct target_type thin_target =
 
 static int __init dm_thin_init(void)
 {
-	int r;
+	int r = -ENOMEM;
 
 	pool_table_init();
 
+	_new_mapping_cache = KMEM_CACHE(dm_thin_new_mapping, 0);
+	if (!_new_mapping_cache)
+		return r;
+
 	r = dm_register_target(&thin_target);
 	if (r)
-		return r;
+		goto bad_new_mapping_cache;
 
 	r = dm_register_target(&pool_target);
 	if (r)
-		goto bad_pool_target;
-
-	r = -ENOMEM;
-
-	_new_mapping_cache = KMEM_CACHE(dm_thin_new_mapping, 0);
-	if (!_new_mapping_cache)
-		goto bad_new_mapping_cache;
+		goto bad_thin_target;
 
 	return 0;
 
-bad_new_mapping_cache:
-	dm_unregister_target(&pool_target);
-bad_pool_target:
+bad_thin_target:
 	dm_unregister_target(&thin_target);
+bad_new_mapping_cache:
+	kmem_cache_destroy(_new_mapping_cache);
 
 	return r;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 136/254] net: mvneta: clear interface link status on port disable
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 049/254] ALSA: usb-audio: Fix out-of-bound error Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 110/254] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Ben Hutchings
                   ` (173 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Gregory CLEMENT, Dmitri Epshtein, David S. Miller,
	Yelena Krivosheev

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yelena Krivosheev <yelena@marvell.com>

commit 4423c18e466afdfb02a36ee8b9f901d144b3c607 upstream.

When port connect to PHY in polling mode (with poll interval 1 sec),
port and phy link status must be synchronize in order don't loss link
change event.

[gregory.clement@free-electrons.com: add fixes tag]
Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
Signed-off-by: Yelena Krivosheev <yelena@marvell.com>
Tested-by: Dmitri Epshtein <dima@marvell.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/marvell/mvneta.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -851,6 +851,10 @@ static void mvneta_port_disable(struct m
 	val &= ~MVNETA_GMAC0_PORT_ENABLE;
 	mvreg_write(pp, MVNETA_GMAC_CTRL_0, val);
 
+	pp->link = 0;
+	pp->duplex = -1;
+	pp->speed = 0;
+
 	udelay(200);
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 198/254] ALSA: hda - Apply the existing quirk to iMac 14,1
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 232/254] net: bcmgenet: fix bcmgenet_open() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 035/254] quota: Check for register_shrinker() failure Ben Hutchings
                   ` (225 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Freaky, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 031f335cda879450095873003abb03ae8ed3b74a upstream.

iMac 14,1 requires the same quirk as iMac 12,2, using GPIO 2 and 3 for
headphone and speaker output amps.  Add the codec SSID quirk entry
(106b:0600) accordingly.

BugLink: http://lkml.kernel.org/r/CAEw6Zyteav09VGHRfD5QwsfuWv5a43r0tFBNbfcHXoNrxVz7ew@mail.gmail.com
Reported-by: Freaky <freaky2000@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_cirrus.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -396,6 +396,7 @@ static const struct snd_pci_quirk cs420x
 	/*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/
 
 	/* codec SSID */
+	SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
 	SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
 	SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
 	SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 194/254] uas: ignore UAS for Norelsys NS1068(X) chips
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 111/254] powerpc/perf: Dereference BHRB entries safely Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 021/254] USB: usbfs: Filter flags passed in from user space Ben Hutchings
                   ` (116 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Icenowy Zheng, Greg Kroah-Hartman, Hans de Goede

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Icenowy Zheng <icenowy@aosc.io>

commit 928afc85270753657b5543e052cc270c279a3fe9 upstream.

The UAS mode of Norelsys NS1068(X) is reported to fail to work on
several platforms with the following error message:

xhci-hcd xhci-hcd.0.auto: ERROR Transfer event for unknown stream ring slot 1 ep 8
xhci-hcd xhci-hcd.0.auto: @00000000bf04a400 00000000 00000000 1b000000 01098001

And when trying to mount a partition on the disk the disk will
disconnect from the USB controller, then after re-connecting the device
will be offlined and not working at all.

Falling back to USB mass storage can solve this problem, so ignore UAS
function of this chip.

Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/unusual_uas.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -145,6 +145,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_NO_ATA_1X),
 
+/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */
+UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
+		"Norelsys",
+		"NS1068X",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_IGNORE_UAS),
+
 /* Reported-by: Takeo Nakayama <javhera@gmx.com> */
 UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
 		"JMicron",

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 080/254] ASoC: wm_adsp: Fix validation of firmware and coeff lengths
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (215 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 140/254] ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 150/254] af_key: fix buffer overread in verify_address_len() Ben Hutchings
                   ` (37 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Hutchings, Charles Keepax, Mark Brown

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 50dd2ea8ef67a1617e0c0658bcbec4b9fb03b936 upstream.

The checks for whether another region/block header could be present
are subtracting the size from the current offset.  Obviously we should
instead subtract the offset from the size.

The checks for whether the region/block data fit in the file are
adding the data size to the current offset and header size, without
checking for integer overflow.  Rearrange these so that overflow is
impossible.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/codecs/wm_adsp.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/codecs/wm_adsp.c
+++ b/sound/soc/codecs/wm_adsp.c
@@ -622,7 +622,7 @@ static int wm_adsp_load(struct wm_adsp *
 		 le64_to_cpu(footer->timestamp));
 
 	while (pos < firmware->size &&
-	       pos - firmware->size > sizeof(*region)) {
+	       sizeof(*region) < firmware->size - pos) {
 		region = (void *)&(firmware->data[pos]);
 		region_name = "Unknown";
 		reg = 0;
@@ -677,8 +677,8 @@ static int wm_adsp_load(struct wm_adsp *
 			 regions, le32_to_cpu(region->len), offset,
 			 region_name);
 
-		if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
-		    firmware->size) {
+		if (le32_to_cpu(region->len) >
+		    firmware->size - pos - sizeof(*region)) {
 			adsp_err(dsp,
 				 "%s.%d: %s region len %d bytes exceeds file length %zu\n",
 				 file, regions, region_name,
@@ -1248,7 +1248,7 @@ static int wm_adsp_load_coeff(struct wm_
 
 	blocks = 0;
 	while (pos < firmware->size &&
-	       pos - firmware->size > sizeof(*blk)) {
+	       sizeof(*blk) < firmware->size - pos) {
 		blk = (void*)(&firmware->data[pos]);
 
 		type = le16_to_cpu(blk->type);
@@ -1328,8 +1328,8 @@ static int wm_adsp_load_coeff(struct wm_
 		}
 
 		if (reg) {
-			if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
-			    firmware->size) {
+			if (le32_to_cpu(blk->len) >
+			    firmware->size - pos - sizeof(*blk)) {
 				adsp_err(dsp,
 					 "%s.%d: %s region len %d bytes exceeds file length %zu\n",
 					 file, blocks, region_name,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 142/254] usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 155/254] ALSA: pcm: Remove incorrect snd_BUG_ON() usages Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 057/254] net_sched: red: Avoid illegal values Ben Hutchings
                   ` (94 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ard Biesheuvel, Greg Kroah-Hartman, Mathias Nyman, Daniel Thompson

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Thompson <daniel.thompson@linaro.org>

commit da99706689481717998d1d48edd389f339eea979 upstream.

When plugging in a USB webcam I see the following message:
xhci_hcd 0000:04:00.0: WARN Successful completion on short TX: needs
XHCI_TRUST_TX_LENGTH quirk?
handle_tx_event: 913 callbacks suppressed

All is quiet again with this patch (and I've done a fair but of soak
testing with the camera since).

Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-pci.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -183,6 +183,9 @@ static void xhci_pci_quirks(struct devic
 		xhci->quirks |= XHCI_BROKEN_STREAMS;
 	}
 	if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
+			pdev->device == 0x0014)
+		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+	if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
 			pdev->device == 0x0015)
 		xhci->quirks |= XHCI_RESET_ON_RESUME;
 	if (pdev->vendor == PCI_VENDOR_ID_VIA)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 028/254] isa: Prevent NULL dereference in isa_bus driver callbacks
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 101/254] MIPS: Fix a preemption issue with thread's FPU defaults Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 093/254] MIPS: Clear [MSA]FPE CSR.Cause after notify_die() Ben Hutchings
                   ` (216 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, William Breathitt Gray, Linus Torvalds, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: William Breathitt Gray <vilhelm.gray@gmail.com>

commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.

The isa_driver structure for an isa_bus device is stored in the device
platform_data member of the respective device structure. This
platform_data member may be reset to NULL if isa_driver match callback
for the device fails, indicating a device unsupported by the ISA driver.

This patch fixes a possible NULL pointer dereference if one of the
isa_driver callbacks to attempted for an unsupported device. This error
should not occur in practice since ISA devices are typically manually
configured and loaded by the users, but we may as well prevent this
error from popping up for the 0day testers.

Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/isa.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/base/isa.c
+++ b/drivers/base/isa.c
@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->probe)
+	if (isa_driver && isa_driver->probe)
 		return isa_driver->probe(dev, to_isa_dev(dev)->id);
 
 	return 0;
@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->remove)
+	if (isa_driver && isa_driver->remove)
 		return isa_driver->remove(dev, to_isa_dev(dev)->id);
 
 	return 0;
@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->shutdown)
+	if (isa_driver && isa_driver->shutdown)
 		isa_driver->shutdown(dev, to_isa_dev(dev)->id);
 }
 
@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->suspend)
+	if (isa_driver && isa_driver->suspend)
 		return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
 
 	return 0;
@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->resume)
+	if (isa_driver && isa_driver->resume)
 		return isa_driver->resume(dev, to_isa_dev(dev)->id);
 
 	return 0;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 253/254] ACPI: sbshc: remove raw pointer from printk() message
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 008/254] scsi: dma-mapping: always provide dma_get_cache_alignment Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 032/254] eeprom: at24: check at24_read/write arguments Ben Hutchings
                   ` (248 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wang Qize, Greg Kroah-Hartman, Rafael J. Wysocki

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43cdd1b716b26f6af16da4e145b6578f98798bf6 upstream.

There's no need to be printing a raw kernel pointer to the kernel log at
every boot.  So just remove it, and change the whole message to use the
correct dev_info() call at the same time.

Reported-by: Wang Qize <wang_qize@venustech.com.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/sbshc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/acpi/sbshc.c
+++ b/drivers/acpi/sbshc.c
@@ -287,8 +287,8 @@ static int acpi_smbus_hc_add(struct acpi
 	device->driver_data = hc;
 
 	acpi_ec_add_query_handler(hc->ec, hc->query_bit, NULL, smbus_alarm, hc);
-	printk(KERN_INFO PREFIX "SBS HC: EC = 0x%p, offset = 0x%0x, query_bit = 0x%0x\n",
-		hc->ec, hc->offset, hc->query_bit);
+	dev_info(&device->dev, "SBS HC: offset = 0x%0x, query_bit = 0x%0x\n",
+		 hc->offset, hc->query_bit);
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 181/254] ALSA: pcm: Abort properly at pending signal in OSS read/write loops
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 063/254] btrfs: fix missing error return in btrfs_drop_snapshot Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 214/254] dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 Ben Hutchings
                   ` (160 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, syzbot+993cb4cfcbbff3947c21

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 29159a4ed7044c52e3e2cf1a9fb55cec4745c60b upstream.

The loops for read and write in PCM OSS emulation have no proper check
of pending signals, and they keep processing even after user tries to
break.  This results in a very long delay, often seen as RCU stall
when a huge unprocessed bytes remain queued.  The bug could be easily
triggered by syzkaller.

As a simple workaround, this patch adds the proper check of pending
signals and aborts the loop appropriately.

Reported-by: syzbot+993cb4cfcbbff3947c21@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/oss/pcm_oss.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1417,6 +1417,10 @@ static ssize_t snd_pcm_oss_write1(struct
 			    tmp != runtime->oss.period_bytes)
 				break;
 		}
+		if (signal_pending(current)) {
+			tmp = -ERESTARTSYS;
+			goto err;
+		}
 	}
 	mutex_unlock(&runtime->oss.params_lock);
 	return xfer;
@@ -1502,6 +1506,10 @@ static ssize_t snd_pcm_oss_read1(struct
 			bytes -= tmp;
 			xfer += tmp;
 		}
+		if (signal_pending(current)) {
+			tmp = -ERESTARTSYS;
+			goto err;
+		}
 	}
 	mutex_unlock(&runtime->oss.params_lock);
 	return xfer;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 151/254] af_key: fix buffer overread in parse_exthdrs()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 143/254] sctp: Replace use of sockets_allocated with specified macro Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 072/254] ASN.1: check for error from ASN1_OP_END__ACT actions Ben Hutchings
                   ` (193 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, Steffen Klassert

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 upstream.

If a message sent to a PF_KEY socket ended with an incomplete extension
header (fewer than 4 bytes remaining), then parse_exthdrs() read past
the end of the message, into uninitialized memory.  Fix it by returning
-EINVAL in this case.

Reproducer:

	#include <linux/pfkeyv2.h>
	#include <sys/socket.h>
	#include <unistd.h>

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		char buf[17] = { 0 };
		struct sadb_msg *msg = (void *)buf;

		msg->sadb_msg_version = PF_KEY_V2;
		msg->sadb_msg_type = SADB_DELETE;
		msg->sadb_msg_len = 2;

		write(sock, buf, 17);
	}

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/key/af_key.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -513,6 +513,9 @@ static int parse_exthdrs(struct sk_buff
 		uint16_t ext_type;
 		int ext_len;
 
+		if (len < sizeof(*ehdr))
+			return -EINVAL;
+
 		ext_len  = ehdr->sadb_ext_len;
 		ext_len *= sizeof(uint64_t);
 		ext_type = ehdr->sadb_ext_type;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 187/254] Input: twl6040-vibra - fix DT node memory management
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 103/254] MIPS: ptrace: Prevent writes to read-only FCSR bits Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 167/254] net: stmmac: enable EEE in MII, GMII or RGMII only Ben Hutchings
                   ` (69 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, H. Nikolaus Schaller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "H. Nikolaus Schaller" <hns@goldelico.com>

commit c52c545ead97fcc2f4f8ea38f1ae3c23211e09a8 upstream.

commit e7ec014a47e4 ("Input: twl6040-vibra - update for device tree support")

made the separate vibra DT node to a subnode of the twl6040.

It now calls of_find_node_by_name() to locate the "vibra" subnode.
This function has a side effect to call of_node_put on() for the twl6040
parent node passed in as a parameter. This causes trouble later on.

Solution: we must call of_node_get() before of_find_node_by_name()

Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/twl6040-vibra.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/misc/twl6040-vibra.c
+++ b/drivers/input/misc/twl6040-vibra.c
@@ -264,6 +264,7 @@ static int twl6040_vibra_probe(struct pl
 	int vddvibr_uV = 0;
 	int error;
 
+	of_node_get(twl6040_core_dev->of_node);
 	twl6040_core_node = of_find_node_by_name(twl6040_core_dev->of_node,
 						 "vibra");
 	if (!twl6040_core_node) {

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 203/254] usb: misc: usb3503: make sure reset is low for at least 100us
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (203 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 182/254] ALSA: pcm: Allow aborting mutex lock at OSS read/write loops Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 060/254] arm64: fpsimd: Prevent registers leaking from dead tasks Ben Hutchings
                   ` (49 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stefan Agner, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit b8626f1dc29d3eee444bfaa92146ec7b291ef41c upstream.

When using a GPIO which is high by default, and initialize the
driver in USB Hub mode, initialization fails with:
  [  111.757794] usb3503 0-0008: SP_ILOCK failed (-5)

The reason seems to be that the chip is not properly reset.
Probe does initialize reset low, however some lines later the
code already set it back high, which is not long enouth.

Make sure reset is asserted for at least 100us by inserting a
delay after initializing the reset pin during probe.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/usb3503.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/misc/usb3503.c
+++ b/drivers/usb/misc/usb3503.c
@@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503
 	if (gpio_is_valid(hub->gpio_reset)) {
 		err = devm_gpio_request_one(dev, hub->gpio_reset,
 				GPIOF_OUT_INIT_LOW, "usb3503 reset");
+		/* Datasheet defines a hardware reset to be at least 100us */
+		usleep_range(100, 10000);
 		if (err) {
 			dev_err(dev,
 				"unable to request GPIO %d as reset pin (%d)\n",

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 141/254] USB: serial: ftdi_sio: add id for Airbus DS P8GR Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-03-01 13:44   ` James Hogan
  2018-02-28 15:20 ` [PATCH 3.16 033/254] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Ben Hutchings
                   ` (101 subsequent siblings)
  254 siblings, 1 reply; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Hogan, Paul Burton, linux-mips, James Hogan, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <jhogan@kernel.org>

commit 17278a91e04f858155d54bee5528ba4fbcec6f87 upstream.

MIPS CPS has a build warning on kernels configured for MIPS32R1 or
MIPS64R1, due to the use of .set mt without a prior .set mips{32,64}r2:

arch/mips/kernel/cps-vec.S Assembler messages:
arch/mips/kernel/cps-vec.S:238: Warning: the `mt' extension requires MIPS32 revision 2 or greater

Add .set MIPS_ISA_LEVEL_RAW before .set mt to silence the warning.

Fixes: 245a7868d2f2 ("MIPS: smp-cps: rework core/VPE initialisation")
Signed-off-by: James Hogan <jhogan@kernel.org>
Cc: Paul Burton <paul.burton@mips.com>
Cc: James Hogan <james.hogan@mips.com>
Cc: James Hogan <jhogan@kernel.org>
Cc: Paul Burton <paul.burton@mips.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/17699/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/cps-vec.S | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/mips/kernel/cps-vec.S
+++ b/arch/mips/kernel/cps-vec.S
@@ -229,6 +229,7 @@ LEAF(mips_cps_core_init)
 	has_mt	t0, 3f
 
 	.set	push
+	.set	MIPS_ISA_LEVEL_RAW
 	.set	mt
 
 	/* Only allow 1 TC per VPE to execute... */
@@ -347,6 +348,7 @@ LEAF(mips_cps_boot_vpes)
 	 nop
 
 	.set	push
+	.set	MIPS_ISA_LEVEL_RAW
 	.set	mt
 
 1:	/* Enter VPE configuration state */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 159/254] IB/srpt: Disable RDMA access by the initiator
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 234/254] blk-mq: fix race between timeout and freeing request Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 218/254] net: fs_enet: do not call phy_stop() in interrupts Ben Hutchings
                   ` (129 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bart Van Assche, Jason Gunthorpe

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit bec40c26041de61162f7be9d2ce548c756ce0f65 upstream.

With the SRP protocol all RDMA operations are initiated by the target.
Since no RDMA operations are initiated by the initiator, do not grant
the initiator permission to submit RDMA reads or writes to the target.

Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -958,8 +958,7 @@ static int srpt_init_ch_qp(struct srpt_r
 		return -ENOMEM;
 
 	attr->qp_state = IB_QPS_INIT;
-	attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ |
-	    IB_ACCESS_REMOTE_WRITE;
+	attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;
 	attr->port_num = ch->sport->port;
 	attr->pkey_index = 0;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 010/254] scsi: libsas: align sata_device's rps_resp on a cacheline
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 184/254] sh_eth: fix TXALCR1 offsets Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 118/254] parisc: Hide Diva-built-in serial aux and graphics card Ben Hutchings
                   ` (146 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, Martin K. Petersen, Huacai Chen

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit c2e8fbf908afd81ad502b567a6639598f92c9b9d upstream.

The rps_resp buffer in ata_device is a DMA target, but it isn't
explicitly cacheline aligned. Due to this, adjacent fields can be
overwritten with stale data from memory on non-coherent architectures.
As a result, the kernel is sometimes unable to communicate with an SATA
device behind a SAS expander.

Fix this by ensuring that the rps_resp buffer is cacheline aligned.

This issue is similar to that fixed by Commit 84bda12af31f93 ("libata:
align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align
ata_device's id on a cacheline").

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/scsi/libsas.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/scsi/libsas.h
+++ b/include/scsi/libsas.h
@@ -170,11 +170,11 @@ enum ata_command_set {
 
 struct sata_device {
         enum   ata_command_set command_set;
-        struct smp_resp        rps_resp; /* report_phy_sata_resp */
         u8     port_no;        /* port number, if this is a PM (Port) */
 
 	struct ata_port *ap;
 	struct ata_host ata_host;
+	struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */
 	u8     fis[ATA_RESP_FIS_SIZE];
 };
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 087/254] ipv4: Avoid reading user iov twice after raw_probe_proto_opt
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 048/254] ext4: fix fdatasync(2) after fallocate(2) operation Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 16:57 ` [PATCH 3.16 000/254] 3.16.55-rc1 review Guenter Roeck
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit c008ba5bdc9fa830e1a349b20b0be5a137bdef7a upstream.

Ever since raw_probe_proto_opt was added it had the problem of
causing the user iov to be read twice, once during the probe for
the protocol header and once again in ip_append_data.

This is a potential security problem since it means that whatever
we're probing may be invalid.  This patch plugs the hole by
firstly advancing the iov so we don't read the same spot again,
and secondly saving what we read the first time around for use
by ip_append_data.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/raw.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 54 insertions(+), 8 deletions(-)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -78,6 +78,16 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/compat.h>
+#include <linux/uio.h>
+
+struct raw_frag_vec {
+	struct iovec *iov;
+	union {
+		struct icmphdr icmph;
+		char c[1];
+	} hdr;
+	int hlen;
+};
 
 static struct raw_hashinfo raw_v4_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(raw_v4_hashinfo.lock),
@@ -415,25 +425,57 @@ error:
 	return err;
 }
 
-static int raw_probe_proto_opt(struct flowi4 *fl4, struct msghdr *msg)
+static int raw_probe_proto_opt(struct raw_frag_vec *rfv, struct flowi4 *fl4)
 {
-	struct icmphdr icmph;
 	int err;
 
 	if (fl4->flowi4_proto != IPPROTO_ICMP)
 		return 0;
 
 	/* We only need the first two bytes. */
-	err = memcpy_fromiovecend((void *)&icmph, msg->msg_iov, 0, 2);
+	rfv->hlen = 2;
+
+	err = memcpy_fromiovec(rfv->hdr.c, rfv->iov, rfv->hlen);
 	if (err)
 		return err;
 
-	fl4->fl4_icmp_type = icmph.type;
-	fl4->fl4_icmp_code = icmph.code;
+	fl4->fl4_icmp_type = rfv->hdr.icmph.type;
+	fl4->fl4_icmp_code = rfv->hdr.icmph.code;
 
 	return 0;
 }
 
+static int raw_getfrag(void *from, char *to, int offset, int len, int odd,
+		       struct sk_buff *skb)
+{
+	struct raw_frag_vec *rfv = from;
+
+	if (offset < rfv->hlen) {
+		int copy = min(rfv->hlen - offset, len);
+
+		if (skb->ip_summed == CHECKSUM_PARTIAL)
+			memcpy(to, rfv->hdr.c + offset, copy);
+		else
+			skb->csum = csum_block_add(
+				skb->csum,
+				csum_partial_copy_nocheck(rfv->hdr.c + offset,
+							  to, copy, 0),
+				odd);
+
+		odd = 0;
+		offset += copy;
+		to += copy;
+		len -= copy;
+
+		if (!len)
+			return 0;
+	}
+
+	offset -= rfv->hlen;
+
+	return ip_generic_getfrag(rfv->iov, to, offset, len, odd, skb);
+}
+
 static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 		       size_t len)
 {
@@ -447,6 +489,7 @@ static int raw_sendmsg(struct kiocb *ioc
 	u8  tos;
 	int err;
 	struct ip_options_data opt_copy;
+	struct raw_frag_vec rfv;
 
 	err = -EMSGSIZE;
 	if (len > 0xFFFF)
@@ -554,7 +597,10 @@ static int raw_sendmsg(struct kiocb *ioc
 			   daddr, saddr, 0, 0);
 
 	if (!inet->hdrincl) {
-		err = raw_probe_proto_opt(&fl4, msg);
+		rfv.iov = msg->msg_iov;
+		rfv.hlen = 0;
+
+		err = raw_probe_proto_opt(&rfv, &fl4);
 		if (err)
 			goto done;
 	}
@@ -583,8 +629,8 @@ back_from_confirm:
 		if (!ipc.addr)
 			ipc.addr = fl4.daddr;
 		lock_sock(sk);
-		err = ip_append_data(sk, &fl4, ip_generic_getfrag,
-				     msg->msg_iov, len, 0,
+		err = ip_append_data(sk, &fl4, raw_getfrag,
+				     &rfv, len, 0,
 				     &ipc, &rt, msg->msg_flags);
 		if (err)
 			ip_flush_pending_frames(sk);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 094/254] MIPS: prevent FP context set via ptrace being discarded
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 191/254] usb: udc: core: add device_del() call to error pathway Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 246/254] media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 Ben Hutchings
                   ` (170 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Paul Burton, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@imgtec.com>

commit ac9ad83bc318635ed7496e9dff30beaa522eaec7 upstream.

If a ptracee has not used the FPU and the ptracer sets its FP context
using PTRACE_POKEUSR, PTRACE_SETFPREGS or PTRACE_SETREGSET then that
context will be discarded upon either the ptracee using the FPU or a
further write to the context via ptrace. Prevent this loss by recording
that the task has "used" math once its FP context has been written to.
The context initialisation code that was present for the PTRACE_POKEUSR
case is reused for the other 2 cases to provide consistent behaviour
for the different ptrace requests.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9166/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -47,6 +47,26 @@
 #define CREATE_TRACE_POINTS
 #include <trace/events/syscalls.h>
 
+static void init_fp_ctx(struct task_struct *target)
+{
+	/* If FP has been used then the target already has context */
+	if (tsk_used_math(target))
+		return;
+
+	/* Begin with data registers set to all 1s... */
+	memset(&target->thread.fpu.fpr, ~0, sizeof(target->thread.fpu.fpr));
+
+	/* ...and FCSR zeroed */
+	target->thread.fpu.fcr31 = 0;
+
+	/*
+	 * Record that the target has "used" math, such that the context
+	 * just initialised, and any modifications made by the caller,
+	 * aren't discarded.
+	 */
+	set_stopped_child_used_math(target);
+}
+
 /*
  * Called by kernel/ptrace.c when detaching..
  *
@@ -143,6 +163,7 @@ int ptrace_setfpregs(struct task_struct
 	if (!access_ok(VERIFY_READ, data, 33 * 8))
 		return -EIO;
 
+	init_fp_ctx(child);
 	fregs = get_fpu_regs(child);
 
 	for (i = 0; i < 32; i++) {
@@ -440,6 +461,8 @@ static int fpr_set(struct task_struct *t
 
 	/* XXX fcr31  */
 
+	init_fp_ctx(target);
+
 	if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
 		return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 					  &target->thread.fpu,
@@ -678,12 +701,7 @@ long arch_ptrace(struct task_struct *chi
 		case FPR_BASE ... FPR_BASE + 31: {
 			union fpureg *fregs = get_fpu_regs(child);
 
-			if (!tsk_used_math(child)) {
-				/* FP not yet used  */
-				memset(&child->thread.fpu, ~0,
-				       sizeof(child->thread.fpu));
-				child->thread.fpu.fcr31 = 0;
-			}
+			init_fp_ctx(child);
 #ifdef CONFIG_32BIT
 			if (test_thread_flag(TIF_32BIT_FPREGS)) {
 				/*

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 218/254] net: fs_enet: do not call phy_stop() in interrupts
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 159/254] IB/srpt: Disable RDMA access by the initiator Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 161/254] USB: serial: cp210x: add new device ID ELV ALC 8xxx Ben Hutchings
                   ` (128 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Christophe Leroy

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit f8b39039cbf2a15f2b8c9f081e1cbd5dee00aaf5 upstream.

In case of TX timeout, fs_timeout() calls phy_stop(), which
triggers the following BUG_ON() as we are in interrupt.

[92708.199889] kernel BUG at drivers/net/phy/mdio_bus.c:482!
[92708.204985] Oops: Exception in kernel mode, sig: 5 [#1]
[92708.210119] PREEMPT
[92708.212107] CMPC885
[92708.214216] CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G        W       4.9.61 #39
[92708.223227] task: c60f0a40 task.stack: c6104000
[92708.227697] NIP: c02a84bc LR: c02a947c CTR: c02a93d8
[92708.232614] REGS: c6105c70 TRAP: 0700   Tainted: G        W        (4.9.61)
[92708.241193] MSR: 00021032 <ME,IR,DR,RI>[92708.244818]   CR: 24000822  XER: 20000000
[92708.248767]
GPR00: c02a947c c6105d20 c60f0a40 c62b4c00 00000005 0000001f c069aad8 0001a688
GPR08: 00000007 00000100 c02a93d8 00000000 000005fc 00000000 c6213240 c06338e4
GPR16: 00000001 c06330d4 c0633094 00000000 c0680000 c6104000 c6104000 00000000
GPR24: 00000200 00000000 ffffffff 00000004 00000078 00009032 00000000 c62b4c00
NIP [c02a84bc] mdiobus_read+0x20/0x74
[92708.281517] LR [c02a947c] kszphy_config_intr+0xa4/0xc4
[92708.286547] Call Trace:
[92708.288980] [c6105d20] [c6104000] 0xc6104000 (unreliable)
[92708.294339] [c6105d40] [c02a947c] kszphy_config_intr+0xa4/0xc4
[92708.300098] [c6105d50] [c02a5330] phy_stop+0x60/0x9c
[92708.305007] [c6105d60] [c02c84d0] fs_timeout+0xdc/0x110
[92708.310197] [c6105d80] [c035cd48] dev_watchdog+0x268/0x2a0
[92708.315593] [c6105db0] [c0060288] call_timer_fn+0x34/0x17c
[92708.321014] [c6105dd0] [c00605f0] run_timer_softirq+0x21c/0x2e4
[92708.326887] [c6105e50] [c001e19c] __do_softirq+0xf4/0x2f4
[92708.332207] [c6105eb0] [c001e3c8] run_ksoftirqd+0x2c/0x40
[92708.337560] [c6105ec0] [c003b420] smpboot_thread_fn+0x1f0/0x258
[92708.343405] [c6105ef0] [c003745c] kthread+0xbc/0xd0
[92708.348217] [c6105f40] [c000c400] ret_from_kernel_thread+0x5c/0x64
[92708.354275] Instruction dump:
[92708.357207] 7c0803a6 bbc10018 38210020 4e800020 7c0802a6 9421ffe0 54290024 bfc10018
[92708.364865] 90010024 7c7f1b78 81290008 552902ee <0f090000> 3bc3002c 7fc3f378 90810008
[92708.372711] ---[ end trace 42b05441616fafd7 ]---

This patch moves fs_timeout() actions into an async worker.

Fixes: commit 48257c4f168e5 ("Add fs_enet ethernet network driver, for several embedded platforms")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c | 16 +++++++++++++---
 drivers/net/ethernet/freescale/fs_enet/fs_enet.h      |  1 +
 2 files changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
+++ b/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
@@ -696,9 +696,11 @@ static int fs_enet_start_xmit(struct sk_
 	return NETDEV_TX_OK;
 }
 
-static void fs_timeout(struct net_device *dev)
+static void fs_timeout_work(struct work_struct *work)
 {
-	struct fs_enet_private *fep = netdev_priv(dev);
+	struct fs_enet_private *fep = container_of(work, struct fs_enet_private,
+						   timeout_work);
+	struct net_device *dev = fep->ndev;
 	unsigned long flags;
 	int wake = 0;
 
@@ -710,7 +712,6 @@ static void fs_timeout(struct net_device
 		phy_stop(fep->phydev);
 		(*fep->ops->stop)(dev);
 		(*fep->ops->restart)(dev);
-		phy_start(fep->phydev);
 	}
 
 	phy_start(fep->phydev);
@@ -721,6 +722,13 @@ static void fs_timeout(struct net_device
 		netif_wake_queue(dev);
 }
 
+static void fs_timeout(struct net_device *dev)
+{
+	struct fs_enet_private *fep = netdev_priv(dev);
+
+	schedule_work(&fep->timeout_work);
+}
+
 /*-----------------------------------------------------------------------------
  *  generic link-change handler - should be sufficient for most cases
  *-----------------------------------------------------------------------------*/
@@ -847,6 +855,7 @@ static int fs_enet_close(struct net_devi
 	netif_carrier_off(dev);
 	if (fep->fpi->use_napi)
 		napi_disable(&fep->napi);
+	cancel_work_sync(&fep->timeout_work);
 	phy_stop(fep->phydev);
 
 	spin_lock_irqsave(&fep->lock, flags);
@@ -1102,6 +1111,7 @@ static int fs_enet_probe(struct platform
 
 	ndev->netdev_ops = &fs_enet_netdev_ops;
 	ndev->watchdog_timeo = 2 * HZ;
+	INIT_WORK(&fep->timeout_work, fs_timeout_work);
 	if (fpi->use_napi)
 		netif_napi_add(ndev, &fep->napi, fs_enet_rx_napi,
 		               fpi->napi_weight);
--- a/drivers/net/ethernet/freescale/fs_enet/fs_enet.h
+++ b/drivers/net/ethernet/freescale/fs_enet/fs_enet.h
@@ -124,6 +124,7 @@ struct fs_enet_private {
 	spinlock_t lock;	/* during all ops except TX pckt processing */
 	spinlock_t tx_lock;	/* during fs_start_xmit and fs_tx         */
 	struct fs_platform_info *fpi;
+	struct work_struct timeout_work;
 	const struct fs_ops *ops;
 	int rx_ring, tx_ring;
 	dma_addr_t ring_mem_addr;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 090/254] tcp md5sig: Use skb's saddr when replying to an incoming segment
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 026/254] uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 089/254] ext4: fix crash when a directory's i_size is too small Ben Hutchings
                   ` (233 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoph Paasch, David S. Miller, Eric Dumazet

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Paasch <cpaasch@apple.com>

commit 30791ac41927ebd3e75486f9504b6d2280463bf0 upstream.

The MD5-key that belongs to a connection is identified by the peer's
IP-address. When we are in tcp_v4(6)_reqsk_send_ack(), we are replying
to an incoming segment from tcp_check_req() that failed the seq-number
checks.

Thus, to find the correct key, we need to use the skb's saddr and not
the daddr.

This bug seems to have been there since quite a while, but probably got
unnoticed because the consequences are not catastrophic. We will call
tcp_v4_reqsk_send_ack only to send a challenge-ACK back to the peer,
thus the connection doesn't really fail.

Fixes: 9501f9722922 ("tcp md5sig: Let the caller pass appropriate key for tcp_v{4,6}_do_calc_md5_hash().")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_ipv4.c | 2 +-
 net/ipv6/tcp_ipv6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -809,7 +809,7 @@ static void tcp_v4_reqsk_send_ack(struct
 			tcp_time_stamp,
 			req->ts_recent,
 			0,
-			tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr,
+			tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr,
 					  AF_INET),
 			inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
 			ip_hdr(skb)->tos);
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -941,7 +941,7 @@ static void tcp_v6_reqsk_send_ack(struct
 			tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
 			tcp_rsk(req)->rcv_nxt,
 			req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
-			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
+			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr),
 			0, 0);
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 025/254] usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (130 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 144/254] ring-buffer: Mask out the info bits when returning buffer page length Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 020/254] usb: gadget: don't dereference g until after it has been null checked Ben Hutchings
                   ` (122 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kai-Heng Feng, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit e43a12f1793ae1fe006e26fe9327a8840a92233c upstream.

KY-688 USB 3.1 Type-C Hub internally uses a Genesys Logic hub to connect
to Realtek r8153.

Similar to commit ("7496cfe5431f2 usb: quirks: Add no-lpm quirk for Moshi
USB to Ethernet Adapter"), no-lpm can make r8153 ethernet work.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -148,6 +148,9 @@ static const struct usb_device_id usb_qu
 	/* appletouch */
 	{ USB_DEVICE(0x05ac, 0x021a), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */
+	{ USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */
 	{ USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM },
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 058/254] ALSA: pcm: prevent UAF in snd_pcm_info
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 212/254] KVM/x86: Check input paging mode when cs.l is set Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 029/254] hv: kvp: Avoid reading past allocated blocks from KVP file Ben Hutchings
                   ` (63 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nick Desaulniers, Takashi Iwai, Robb Glasser

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Robb Glasser <rglasser@google.com>

commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.

When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Note: this fixes CVE-2017-0861

Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/pcm.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct
 				err = -ENXIO;
 				goto _error;
 			}
+			mutex_lock(&pcm->open_mutex);
 			err = snd_pcm_info_user(substream, info);
+			mutex_unlock(&pcm->open_mutex);
 		_error:
 			mutex_unlock(&register_mutex);
 			return err;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 137/254] n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (212 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 122/254] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 131/254] usb: add RESET_RESUME for ELSA MicroLink 56K Ben Hutchings
                   ` (40 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Jiri Slaby, syzkaller, Greg Kroah-Hartman,
	Tetsuo Handa

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 966031f340185eddd05affcf72b740549f056348 upstream.

We added support for EXTPROC back in 2010 in commit 26df6d13406d ("tty:
Add EXTPROC support for LINEMODE") and the intent was to allow it to
override some (all?) ICANON behavior.  Quoting from that original commit
message:

         There is a new bit in the termios local flag word, EXTPROC.
         When this bit is set, several aspects of the terminal driver
         are disabled.  Input line editing, character echo, and mapping
         of signals are all disabled.  This allows the telnetd to turn
         off these functions when in linemode, but still keep track of
         what state the user wants the terminal to be in.

but the problem turns out that "several aspects of the terminal driver
are disabled" is a bit ambiguous, and you can really confuse the n_tty
layer by setting EXTPROC and then causing some of the ICANON invariants
to no longer be maintained.

This fixes at least one such case (TIOCINQ) becoming unhappy because of
the confusion over whether ICANON really means ICANON when EXTPROC is set.

This basically makes TIOCINQ match the case of read: if EXTPROC is set,
we ignore ICANON.  Also, make sure to reset the ICANON state ie EXTPROC
changes, not just if ICANON changes.

Fixes: 26df6d13406d ("tty: Add EXTPROC support for LINEMODE")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Cc: Jiri Slaby <jslaby@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_tty.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1809,7 +1809,7 @@ static void n_tty_set_termios(struct tty
 {
 	struct n_tty_data *ldata = tty->disc_data;
 
-	if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
+	if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) {
 		bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
 		ldata->line_start = ldata->read_tail;
 		if (!L_ICANON(tty) || !read_cnt(ldata)) {
@@ -2520,7 +2520,7 @@ static int n_tty_ioctl(struct tty_struct
 		return put_user(tty_chars_in_buffer(tty), (int __user *) arg);
 	case TIOCINQ:
 		down_write(&tty->termios_rwsem);
-		if (L_ICANON(tty))
+		if (L_ICANON(tty) && !L_EXTPROC(tty))
 			retval = inq_canon(ldata);
 		else
 			retval = read_cnt(ldata);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 062/254] kdb: Fix handling of kallsyms_symbol_next() return value
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 068/254] can: esd_usb2: cancel urb on -EPIPE and -EPROTO Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 177/254] ALSA: aloop: Fix racy hw constraints adjustment Ben Hutchings
                   ` (155 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Jason Wessel, Daniel Thompson

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Thompson <daniel.thompson@linaro.org>

commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.

kallsyms_symbol_next() returns a boolean (true on success). Currently
kdb_read() tests the return value with an inequality that
unconditionally evaluates to true.

This is fixed in the obvious way and, since the conditional branch is
supposed to be unreachable, we also add a WARN_ON().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/debug/kdb/kdb_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/debug/kdb/kdb_io.c
+++ b/kernel/debug/kdb/kdb_io.c
@@ -349,7 +349,7 @@ poll_again:
 			}
 			kdb_printf("\n");
 			for (i = 0; i < count; i++) {
-				if (kallsyms_symbol_next(p_tmp, i) < 0)
+				if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
 					break;
 				kdb_printf("%s ", p_tmp);
 				*(p_tmp + len) = '\0';

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 130/254] usbip: fix usbip bind writing random string after command in match_busid
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 076/254] 509: fix printing uninitialized stack memory when OID is empty Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 068/254] can: esd_usb2: cancel urb on -EPIPE and -EPROTO Ben Hutchings
                   ` (157 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Greg Kroah-Hartman, Juan Zea

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juan Zea <juan.zea@qindel.com>

commit 544c4605acc5ae4afe7dd5914147947db182f2fb upstream.

usbip bind writes commands followed by random string when writing to
match_busid attribute in sysfs, caused by using full variable size
instead of string length.

Signed-off-by: Juan Zea <juan.zea@qindel.com>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/usbip/userspace/src/utils.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/staging/usbip/userspace/src/utils.c
+++ b/drivers/staging/usbip/userspace/src/utils.c
@@ -30,6 +30,7 @@ int modify_match_busid(char *busid, int
 	char command[SYSFS_BUS_ID_SIZE + 4];
 	char match_busid_attr_path[SYSFS_PATH_MAX];
 	int rc;
+	int cmd_size;
 
 	snprintf(match_busid_attr_path, sizeof(match_busid_attr_path),
 		 "%s/%s/%s/%s/%s/%s", SYSFS_MNT_PATH, SYSFS_BUS_NAME,
@@ -37,12 +38,14 @@ int modify_match_busid(char *busid, int
 		 attr_name);
 
 	if (add)
-		snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", busid);
+		cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s",
+				    busid);
 	else
-		snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", busid);
+		cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s",
+				    busid);
 
 	rc = write_sysfs_attribute(match_busid_attr_path, command,
-				   sizeof(command));
+				   cmd_size);
 	if (rc < 0) {
 		dbg("failed to write match_busid: %s", strerror(errno));
 		return -1;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 180/254] xfrm: Return error on unknown encap_type in init_state
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 176/254] ALSA: aloop: Fix inconsistent format due to incomplete rule Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 064/254] Btrfs: disable FUA if mounted with nobarrier Ben Hutchings
                   ` (150 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, Herbert Xu

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit bcfd09f7837f5240c30fd2f52ee7293516641faa upstream.

Currently esp will happily create an xfrm state with an unknown
encap type for IPv4, without setting the necessary state parameters.
This patch fixes it by returning -EINVAL.

There is a similar problem in IPv6 where if the mode is unknown
we will skip initialisation while returning zero.  However, this
is harmless as the mode has already been checked further up the
stack.  This patch removes this anomaly by aligning the IPv6
behaviour with IPv4 and treating unknown modes (which cannot
actually happen) as transport mode.

Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/esp4.c | 1 +
 net/ipv6/esp6.c | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -657,6 +657,7 @@ static int esp_init_state(struct xfrm_st
 
 		switch (encap->encap_type) {
 		default:
+			err = -EINVAL;
 			goto error;
 		case UDP_ENCAP_ESPINUDP:
 			x->props.header_len += sizeof(struct udphdr);
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -600,13 +600,12 @@ static int esp6_init_state(struct xfrm_s
 			x->props.header_len += IPV4_BEET_PHMAXLEN +
 				               (sizeof(struct ipv6hdr) - sizeof(struct iphdr));
 		break;
+	default:
 	case XFRM_MODE_TRANSPORT:
 		break;
 	case XFRM_MODE_TUNNEL:
 		x->props.header_len += sizeof(struct ipv6hdr);
 		break;
-	default:
-		goto error;
 	}
 
 	align = ALIGN(crypto_aead_blocksize(aead), 4);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 191/254] usb: udc: core: add device_del() call to error pathway
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 110/254] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 094/254] MIPS: prevent FP context set via ptrace being discarded Ben Hutchings
                   ` (171 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Felipe Balbi, Peter Chen

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit c93e64e91248becd0edb8f01723dff9da890e2ab upstream.

This patch fixes a bug in the error pathway of
usb_add_gadget_udc_release() in udc-core.c.  If the udc registration
fails, the gadget registration is not fully undone; there's a
put_device(&gadget->dev) call but no device_del().

Acked-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/udc-core.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/gadget/udc-core.c
+++ b/drivers/usb/gadget/udc-core.c
@@ -252,6 +252,7 @@ err4:
 
 err3:
 	put_device(&udc->dev);
+	device_del(&gadget->dev);
 
 err2:
 	put_device(&gadget->dev);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 165/254] net: phy: Add phy_interface_is_rgmii helper
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 035/254] quota: Check for register_shrinker() failure Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 200/254] 8021q: fix a memory leak for VLAN 0 device Ben Hutchings
                   ` (223 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit e463d88c36d42211aa72ed76d32fb8bf37820ef1 upstream.

RGMII interfaces come in 4 different flavors that the PHY library needs
to care about: regular RGMII (no delays), RGMII with either RX or TX
delay, and both. In order to avoid errors of checking only for one type
of RGMII interface and miss the 3 others, introduce a convenience
function which tests for all values.

Suggested-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/phy.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -630,6 +630,17 @@ static inline bool phy_is_internal(struc
 }
 
 /**
+ * phy_interface_is_rgmii - Convenience function for testing if a PHY interface
+ * is RGMII (all variants)
+ * @phydev: the phy_device struct
+ */
+static inline bool phy_interface_is_rgmii(struct phy_device *phydev)
+{
+	return phydev->interface >= PHY_INTERFACE_MODE_RGMII &&
+		phydev->interface <= PHY_INTERFACE_MODE_RGMII_TXID;
+}
+
+/**
  * phy_write_mmd - Convenience function for writing a register
  * on an MMD on a given PHY.
  * @phydev: The phy_device struct

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 175/254] ALSA: aloop: Release cable upon open error path
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (167 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 213/254] KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 202/254] KVM: x86: Add memory barrier on vmcs field lookup Ben Hutchings
                   ` (85 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 9685347aa0a5c2869058ca6ab79fd8e93084a67f upstream.

The aloop runtime object and its assignment in the cable are left even
when opening a substream fails.  This doesn't mean any memory leak,
but it still keeps the invalid pointer that may be referred by the
another side of the cable spontaneously, which is a potential Oops
cause.

Clean up the cable assignment and the empty cable upon the error path
properly.

Fixes: 597603d615d2 ("ALSA: introduce the snd-aloop module for the PCM loopback")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/drivers/aloop.c | 38 +++++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 13 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -659,12 +659,31 @@ static int rule_channels(struct snd_pcm_
 	return snd_interval_refine(hw_param_interval(params, rule->var), &t);
 }
 
+static void free_cable(struct snd_pcm_substream *substream)
+{
+	struct loopback *loopback = substream->private_data;
+	int dev = get_cable_index(substream);
+	struct loopback_cable *cable;
+
+	cable = loopback->cables[substream->number][dev];
+	if (!cable)
+		return;
+	if (cable->streams[!substream->stream]) {
+		/* other stream is still alive */
+		cable->streams[substream->stream] = NULL;
+	} else {
+		/* free the cable */
+		loopback->cables[substream->number][dev] = NULL;
+		kfree(cable);
+	}
+}
+
 static int loopback_open(struct snd_pcm_substream *substream)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
 	struct loopback *loopback = substream->private_data;
 	struct loopback_pcm *dpcm;
-	struct loopback_cable *cable;
+	struct loopback_cable *cable = NULL;
 	int err = 0;
 	int dev = get_cable_index(substream);
 
@@ -683,7 +702,6 @@ static int loopback_open(struct snd_pcm_
 	if (!cable) {
 		cable = kzalloc(sizeof(*cable), GFP_KERNEL);
 		if (!cable) {
-			kfree(dpcm);
 			err = -ENOMEM;
 			goto unlock;
 		}
@@ -725,6 +743,10 @@ static int loopback_open(struct snd_pcm_
 	else
 		runtime->hw = cable->hw;
  unlock:
+	if (err < 0) {
+		free_cable(substream);
+		kfree(dpcm);
+	}
 	mutex_unlock(&loopback->cable_lock);
 	return err;
 }
@@ -733,20 +755,10 @@ static int loopback_close(struct snd_pcm
 {
 	struct loopback *loopback = substream->private_data;
 	struct loopback_pcm *dpcm = substream->runtime->private_data;
-	struct loopback_cable *cable;
-	int dev = get_cable_index(substream);
 
 	loopback_timer_stop(dpcm);
 	mutex_lock(&loopback->cable_lock);
-	cable = loopback->cables[substream->number][dev];
-	if (cable->streams[!substream->stream]) {
-		/* other stream is still alive */
-		cable->streams[substream->stream] = NULL;
-	} else {
-		/* free the cable */
-		loopback->cables[substream->number][dev] = NULL;
-		kfree(cable);
-	}
+	free_cable(substream);
 	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 172/254] xfrm: Use __skb_queue_tail in xfrm_trans_queue
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 107/254] MIPS: Factor out NT_PRFPREG regset access helpers Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 031/254] net/packet: fix a race in packet_bind() and packet_notifier() Ben Hutchings
                   ` (74 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, Herbert Xu

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit d16b46e4fd8bc6063624605f25b8c0835bb1fbe3 upstream.

We do not need locking in xfrm_trans_queue because it is designed
to use per-CPU buffers.  However, the original code incorrectly
used skb_queue_tail which takes the lock.  This patch switches
it to __skb_queue_tail instead.

Reported-and-tested-by: Artem Savkov <asavkov@redhat.com>
Fixes: acf568ee859f ("xfrm: Reinject transport-mode packets...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -414,7 +414,7 @@ int xfrm_trans_queue(struct sk_buff *skb
 		return -ENOBUFS;
 
 	XFRM_TRANS_SKB_CB(skb)->finish = finish;
-	skb_queue_tail(&trans->queue, skb);
+	__skb_queue_tail(&trans->queue, skb);
 	tasklet_schedule(&trans->tasklet);
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 182/254] ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (202 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 117/254] posix-timer: Properly check sigevent->sigev_notify Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 203/254] usb: misc: usb3503: make sure reset is low for at least 100us Ben Hutchings
                   ` (50 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 900498a34a3ac9c611e9b425094c8106bdd7dc1c upstream.

PCM OSS read/write loops keep taking the mutex lock for the whole
read/write, and this might take very long when the exceptionally high
amount of data is given.  Also, since it invokes with mutex_lock(),
the concurrent read/write becomes unbreakable.

This patch tries to address these issues by replacing mutex_lock()
with mutex_lock_interruptible(), and also splits / re-takes the lock
at each read/write period chunk, so that it can switch the context
more finely if requested.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/oss/pcm_oss.c | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1370,8 +1370,11 @@ static ssize_t snd_pcm_oss_write1(struct
 
 	if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
 		return tmp;
-	mutex_lock(&runtime->oss.params_lock);
 	while (bytes > 0) {
+		if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+			tmp = -ERESTARTSYS;
+			break;
+		}
 		if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
 			tmp = bytes;
 			if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes)
@@ -1415,18 +1418,18 @@ static ssize_t snd_pcm_oss_write1(struct
 			xfer += tmp;
 			if ((substream->f_flags & O_NONBLOCK) != 0 &&
 			    tmp != runtime->oss.period_bytes)
-				break;
+				tmp = -EAGAIN;
 		}
+ err:
+		mutex_unlock(&runtime->oss.params_lock);
+		if (tmp < 0)
+			break;
 		if (signal_pending(current)) {
 			tmp = -ERESTARTSYS;
-			goto err;
+			break;
 		}
+		tmp = 0;
 	}
-	mutex_unlock(&runtime->oss.params_lock);
-	return xfer;
-
- err:
-	mutex_unlock(&runtime->oss.params_lock);
 	return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
 }
 
@@ -1474,8 +1477,11 @@ static ssize_t snd_pcm_oss_read1(struct
 
 	if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
 		return tmp;
-	mutex_lock(&runtime->oss.params_lock);
 	while (bytes > 0) {
+		if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+			tmp = -ERESTARTSYS;
+			break;
+		}
 		if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
 			if (runtime->oss.buffer_used == 0) {
 				tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1);
@@ -1506,16 +1512,16 @@ static ssize_t snd_pcm_oss_read1(struct
 			bytes -= tmp;
 			xfer += tmp;
 		}
+ err:
+		mutex_unlock(&runtime->oss.params_lock);
+		if (tmp < 0)
+			break;
 		if (signal_pending(current)) {
 			tmp = -ERESTARTSYS;
-			goto err;
+			break;
 		}
+		tmp = 0;
 	}
-	mutex_unlock(&runtime->oss.params_lock);
-	return xfer;
-
- err:
-	mutex_unlock(&runtime->oss.params_lock);
 	return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 100/254] MIPS: Respect the ISA level in FCSR handling
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 139/254] crypto: n2 - cure use after free Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 153/254] USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Ben Hutchings
                   ` (188 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Maciej W. Rozycki, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit 9b26616c8d9dae53fbac7f7cb2c6dd1308102976 upstream.

Define the central place the default FCSR value is set from, initialised
in `cpu_probe'.  Determine the FCSR mask applied to values written to
the register with CTC1 in the full emulation mode and via ptrace(2),
according to the ISA level of processor hardware or the writability of
bits 31:18 if actual FPU hardware is used.

Software may rely on FCSR bits whose functions our emulator does not
implement, so it should not allow them to be set or software may get
confused.  For ptrace(2) it's just sanity.

[ralf@linux-mips.org: Fixed double inclusion of <asm/current.h>.]

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9711/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16:
 - In cop1Emulate(), keep converting the rounding mode
 - Drop change in loongson_cu2_call()
 - Add definitions of FPU_CSR_{FS,CONDX} in <asm/mipsregs.h>
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/include/asm/cpu-info.h
+++ b/arch/mips/include/asm/cpu-info.h
@@ -49,6 +49,8 @@ struct cpuinfo_mips {
 	unsigned int		udelay_val;
 	unsigned int		processor_id;
 	unsigned int		fpu_id;
+	unsigned int		fpu_csr31;
+	unsigned int		fpu_msk31;
 	unsigned int		msa_id;
 	unsigned int		cputype;
 	int			isa_level;
--- a/arch/mips/include/asm/elf.h
+++ b/arch/mips/include/asm/elf.h
@@ -9,6 +9,9 @@
 #define _ASM_ELF_H
 
 
+#include <asm/cpu-info.h>
+#include <asm/current.h>
+
 /* ELF header e_flags defines. */
 /* MIPS architecture level. */
 #define EF_MIPS_ARCH_1		0x00000000	/* -mips1 code.	 */
@@ -273,6 +276,8 @@ do {									\
 		set_personality(PER_LINUX);				\
 									\
 	current->thread.abi = &mips_abi;				\
+									\
+	current->thread.fpu.fcr31 = current_cpu_data.fpu_csr31;		\
 } while (0)
 
 #endif /* CONFIG_32BIT */
@@ -332,6 +337,8 @@ do {									\
 	else								\
 		current->thread.abi = &mips_abi;			\
 									\
+	current->thread.fpu.fcr31 = current_cpu_data.fpu_csr31;		\
+									\
 	p = personality(current->personality);				\
 	if (p != PER_LINUX32 && p != PER_LINUX)				\
 		set_personality(PER_LINUX);				\
--- a/arch/mips/include/asm/fpu.h
+++ b/arch/mips/include/asm/fpu.h
@@ -30,7 +30,7 @@
 struct sigcontext;
 struct sigcontext32;
 
-extern void _init_fpu(void);
+extern void _init_fpu(unsigned int);
 extern void _save_fp(struct task_struct *);
 extern void _restore_fp(struct task_struct *);
 
@@ -163,6 +163,7 @@ static inline void lose_fpu(int save)
 
 static inline int init_fpu(void)
 {
+	unsigned int fcr31 = current->thread.fpu.fcr31;
 	int ret = 0;
 
 	preempt_disable();
@@ -170,7 +171,7 @@ static inline int init_fpu(void)
 	if (cpu_has_fpu) {
 		ret = __own_fpu();
 		if (!ret)
-			_init_fpu();
+			_init_fpu(fcr31);
 	} else
 		fpu_emulator_init_fpu();
 
--- a/arch/mips/include/asm/fpu_emulator.h
+++ b/arch/mips/include/asm/fpu_emulator.h
@@ -87,8 +87,6 @@ static inline void fpu_emulator_init_fpu
 	struct task_struct *t = current;
 	int i;
 
-	t->thread.fpu.fcr31 = 0;
-
 	for (i = 0; i < 32; i++)
 		set_fpr64(&t->thread.fpu.fpr[i], 0, SIGNALLING_NAN);
 }
--- a/arch/mips/kernel/cpu-probe.c
+++ b/arch/mips/kernel/cpu-probe.c
@@ -30,11 +30,44 @@
 #include <asm/spram.h>
 #include <asm/uaccess.h>
 
+/*
+ * Determine the FCSR mask for FPU hardware.
+ */
+static inline void cpu_set_fpu_fcsr_mask(struct cpuinfo_mips *c)
+{
+	unsigned long sr, mask, fcsr, fcsr0, fcsr1;
+
+	mask = FPU_CSR_ALL_X | FPU_CSR_ALL_E | FPU_CSR_ALL_S | FPU_CSR_RM;
+
+	sr = read_c0_status();
+	__enable_fpu(FPU_AS_IS);
+
+	fcsr = read_32bit_cp1_register(CP1_STATUS);
+
+	fcsr0 = fcsr & mask;
+	write_32bit_cp1_register(CP1_STATUS, fcsr0);
+	fcsr0 = read_32bit_cp1_register(CP1_STATUS);
+
+	fcsr1 = fcsr | ~mask;
+	write_32bit_cp1_register(CP1_STATUS, fcsr1);
+	fcsr1 = read_32bit_cp1_register(CP1_STATUS);
+
+	write_32bit_cp1_register(CP1_STATUS, fcsr);
+
+	write_c0_status(sr);
+
+	c->fpu_msk31 = ~(fcsr0 ^ fcsr1) & ~mask;
+}
+
+/* Determined FPU emulator mask to use for the boot CPU with "nofpu".  */
+static unsigned int mips_nofpu_msk31;
+
 static int mips_fpu_disabled;
 
 static int __init fpu_disable(char *s)
 {
-	cpu_data[0].options &= ~MIPS_CPU_FPU;
+	boot_cpu_data.options &= ~MIPS_CPU_FPU;
+	boot_cpu_data.fpu_msk31 = mips_nofpu_msk31;
 	mips_fpu_disabled = 1;
 
 	return 1;
@@ -470,6 +503,7 @@ static inline void cpu_probe_legacy(stru
 	case PRID_IMP_R2000:
 		c->cputype = CPU_R2000;
 		__cpu_name[cpu] = "R2000";
+		c->fpu_msk31 |= FPU_CSR_CONDX | FPU_CSR_FS;
 		c->options = MIPS_CPU_TLB | MIPS_CPU_3K_CACHE |
 			     MIPS_CPU_NOFPUEX;
 		if (__cpu_has_fpu())
@@ -489,6 +523,7 @@ static inline void cpu_probe_legacy(stru
 			c->cputype = CPU_R3000;
 			__cpu_name[cpu] = "R3000";
 		}
+		c->fpu_msk31 |= FPU_CSR_CONDX | FPU_CSR_FS;
 		c->options = MIPS_CPU_TLB | MIPS_CPU_3K_CACHE |
 			     MIPS_CPU_NOFPUEX;
 		if (__cpu_has_fpu())
@@ -537,6 +572,7 @@ static inline void cpu_probe_legacy(stru
 		}
 
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS | MIPS_CPU_FPU | MIPS_CPU_32FPR |
 			     MIPS_CPU_WATCH | MIPS_CPU_VCE |
 			     MIPS_CPU_LLSC;
@@ -544,6 +580,7 @@ static inline void cpu_probe_legacy(stru
 		break;
 	case PRID_IMP_VR41XX:
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS;
 		c->tlbsize = 32;
 		switch (c->processor_id & 0xf0) {
@@ -585,6 +622,7 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_R4300;
 		__cpu_name[cpu] = "R4300";
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS | MIPS_CPU_FPU | MIPS_CPU_32FPR |
 			     MIPS_CPU_LLSC;
 		c->tlbsize = 32;
@@ -593,6 +631,7 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_R4600;
 		__cpu_name[cpu] = "R4600";
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS | MIPS_CPU_FPU | MIPS_CPU_32FPR |
 			     MIPS_CPU_LLSC;
 		c->tlbsize = 48;
@@ -608,11 +647,13 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_R4650;
 		__cpu_name[cpu] = "R4650";
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS | MIPS_CPU_FPU | MIPS_CPU_LLSC;
 		c->tlbsize = 48;
 		break;
 	#endif
 	case PRID_IMP_TX39:
+		c->fpu_msk31 |= FPU_CSR_CONDX | FPU_CSR_FS;
 		c->options = MIPS_CPU_TLB | MIPS_CPU_TX39_CACHE;
 
 		if ((c->processor_id & 0xf0) == (PRID_REV_TX3927 & 0xf0)) {
@@ -638,6 +679,7 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_R4700;
 		__cpu_name[cpu] = "R4700";
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS | MIPS_CPU_FPU | MIPS_CPU_32FPR |
 			     MIPS_CPU_LLSC;
 		c->tlbsize = 48;
@@ -646,6 +688,7 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_TX49XX;
 		__cpu_name[cpu] = "R49XX";
 		set_isa(c, MIPS_CPU_ISA_III);
+		c->fpu_msk31 |= FPU_CSR_CONDX;
 		c->options = R4K_OPTS | MIPS_CPU_LLSC;
 		if (!(c->processor_id & 0x08))
 			c->options |= MIPS_CPU_FPU | MIPS_CPU_32FPR;
@@ -687,6 +730,7 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_R6000;
 		__cpu_name[cpu] = "R6000";
 		set_isa(c, MIPS_CPU_ISA_II);
+		c->fpu_msk31 |= FPU_CSR_CONDX | FPU_CSR_FS;
 		c->options = MIPS_CPU_TLB | MIPS_CPU_FPU |
 			     MIPS_CPU_LLSC;
 		c->tlbsize = 32;
@@ -695,6 +739,7 @@ static inline void cpu_probe_legacy(stru
 		c->cputype = CPU_R6000A;
 		__cpu_name[cpu] = "R6000A";
 		set_isa(c, MIPS_CPU_ISA_II);
+		c->fpu_msk31 |= FPU_CSR_CONDX | FPU_CSR_FS;
 		c->options = MIPS_CPU_TLB | MIPS_CPU_FPU |
 			     MIPS_CPU_LLSC;
 		c->tlbsize = 32;
@@ -760,11 +805,13 @@ static inline void cpu_probe_legacy(stru
 			c->cputype = CPU_LOONGSON2;
 			__cpu_name[cpu] = "ICT Loongson-2";
 			set_elf_platform(cpu, "loongson2e");
+			c->fpu_msk31 |= FPU_CSR_CONDX;
 			break;
 		case PRID_REV_LOONGSON2F:
 			c->cputype = CPU_LOONGSON2;
 			__cpu_name[cpu] = "ICT Loongson-2";
 			set_elf_platform(cpu, "loongson2f");
+			c->fpu_msk31 |= FPU_CSR_CONDX;
 			break;
 		case PRID_REV_LOONGSON3A:
 			c->cputype = CPU_LOONGSON3;
@@ -1168,6 +1215,9 @@ void cpu_probe(void)
 	c->fpu_id	= FPIR_IMP_NONE;
 	c->cputype	= CPU_UNKNOWN;
 
+	c->fpu_csr31	= FPU_CSR_RN;
+	c->fpu_msk31	= FPU_CSR_RSVD | FPU_CSR_ABS2008 | FPU_CSR_NAN2008;
+
 	c->processor_id = read_c0_prid();
 	switch (c->processor_id & PRID_COMP_MASK) {
 	case PRID_COMP_LEGACY:
@@ -1220,12 +1270,15 @@ void cpu_probe(void)
 
 	if (c->options & MIPS_CPU_FPU) {
 		c->fpu_id = cpu_get_fpu_id();
+		mips_nofpu_msk31 = c->fpu_msk31;
 
 		if (c->isa_level & (MIPS_CPU_ISA_M32R1 | MIPS_CPU_ISA_M32R2 |
 				    MIPS_CPU_ISA_M64R1 | MIPS_CPU_ISA_M64R2)) {
 			if (c->fpu_id & MIPS_FPIR_3D)
 				c->ases |= MIPS_ASE_MIPS3D;
 		}
+
+		cpu_set_fpu_fcsr_mask(c);
 	}
 
 	if (cpu_has_mips_r2) {
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -33,6 +33,7 @@
 
 #include <asm/byteorder.h>
 #include <asm/cpu.h>
+#include <asm/cpu-info.h>
 #include <asm/dsp.h>
 #include <asm/fpu.h>
 #include <asm/mipsregs.h>
@@ -158,6 +159,9 @@ int ptrace_setfpregs(struct task_struct
 {
 	union fpureg *fregs;
 	u64 fpr_val;
+	u32 fcr31;
+	u32 value;
+	u32 mask;
 	int i;
 
 	if (!access_ok(VERIFY_READ, data, 33 * 8))
@@ -171,8 +175,10 @@ int ptrace_setfpregs(struct task_struct
 		set_fpr64(&fregs[i], 0, fpr_val);
 	}
 
-	__get_user(child->thread.fpu.fcr31, data + 64);
-	child->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+	__get_user(value, data + 64);
+	fcr31 = child->thread.fpu.fcr31;
+	mask = current_cpu_data.fpu_msk31;
+	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
 
 	/* FIR may not be written.  */
 
--- a/arch/mips/kernel/r2300_switch.S
+++ b/arch/mips/kernel/r2300_switch.S
@@ -115,11 +115,9 @@ LEAF(_restore_fp)
  * the property that no matter whether considered as single or as double
  * precision represents signaling NANS.
  *
- * We initialize fcr31 to rounding to nearest, no exceptions.
+ * The value to initialize fcr31 to comes in $a0.
  */
 
-#define FPU_DEFAULT  0x00000000
-
 	.set push
 	SET_HARDFLOAT
 
@@ -129,8 +127,7 @@ LEAF(_init_fpu)
 	or	t0, t1
 	mtc0	t0, CP0_STATUS
 
-	li	t1, FPU_DEFAULT
-	ctc1	t1, fcr31
+	ctc1	a0, fcr31
 
 	li	t0, -1
 
--- a/arch/mips/kernel/r4k_switch.S
+++ b/arch/mips/kernel/r4k_switch.S
@@ -163,11 +163,9 @@ LEAF(_init_msa_upper)
  * the property that no matter whether considered as single or as double
  * precision represents signaling NANS.
  *
- * We initialize fcr31 to rounding to nearest, no exceptions.
+ * The value to initialize fcr31 to comes in $a0.
  */
 
-#define FPU_DEFAULT  0x00000000
-
 	.set push
 	SET_HARDFLOAT
 
@@ -178,8 +176,7 @@ LEAF(_init_fpu)
 	mtc0	t0, CP0_STATUS
 	enable_fpu_hazard
 
-	li	t1, FPU_DEFAULT
-	ctc1	t1, fcr31
+	ctc1	a0, fcr31
 
 	li	t1, -1				# SNaN
 
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -924,17 +924,19 @@ emul:
 			/* we only have one writable control reg
 			 */
 			if (MIPSInst_RD(ir) == FPCREG_CSR) {
+				u32 mask;
+
 				pr_debug("%p gpr[%d]->csr=%08x\n",
 					 (void *) (xcp->cp0_epc),
 					 MIPSInst_RT(ir), value);
 
 				/*
-				 * Don't write unsupported bits,
+				 * Preserve read-only bits,
 				 * and convert to ieee library modes
 				 */
-				ctx->fcr31 = (value &
-					      ~(FPU_CSR_RSVD | FPU_CSR_ABS2008 |
-						FPU_CSR_NAN2008 | FPU_CSR_RM)) |
+				mask = current_cpu_data.fpu_msk31;
+				ctx->fcr31 = (value & ~(mask | FPU_CSR_RM)) |
+					     (ctx->fcr31 & mask) |
 					     modeindex(value);
 			}
 			if ((ctx->fcr31 >> 5) & ctx->fcr31 & FPU_CSR_ALL_E) {
--- a/arch/mips/include/asm/mipsregs.h
+++ b/arch/mips/include/asm/mipsregs.h
@@ -123,6 +123,11 @@
 /*
  * Status Register Values
  */
+#define FPU_CSR_FS_S	24		/* flush denormalised results to 0 */
+#define FPU_CSR_FS	(_ULCAST_(1) << FPU_CSR_FS_S)
+
+#define FPU_CSR_CONDX_S	25					/* $fcc[7:1] */
+#define FPU_CSR_CONDX	(_ULCAST_(127) << FPU_CSR_CONDX_S)
 
 #define FPU_CSR_FLUSH	0x01000000	/* flush denormalised results to 0 */
 #define FPU_CSR_COND	0x00800000	/* $fcc0 */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 153/254] USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 100/254] MIPS: Respect the ISA level in FCSR handling Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 158/254] e1000e: Fix e1000_check_for_copper_link_ich8lan return value Ben Hutchings
                   ` (187 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Diego Elio Pettenò, Johan Hovold

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Diego Elio Pettenò <flameeyes@flameeyes.eu>

commit 4307413256ac1e09b8f53e8715af3df9e49beec3 upstream.

Add IDs for the OneTouch Verio IQ that comes with an embedded
USB-to-serial converter.

Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -120,6 +120,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
 	{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
 	{ USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
+	{ USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
 	{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
 	{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
 	{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 152/254] kbuild: add '-fno-stack-check' to kernel build options
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (160 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 057/254] net_sched: red: Avoid illegal values Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 034/254] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one Ben Hutchings
                   ` (92 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Jiri Kosina, Dave Hansen, Andy Lutomirski

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 3ce120b16cc548472f80cf8644f90eda958cf1b6 upstream.

It appears that hardened gentoo enables "-fstack-check" by default for
gcc.

That doesn't work _at_all_ for the kernel, because the kernel stack
doesn't act like a user stack at all: it's much smaller, and it doesn't
auto-expand on use.  So the extra "probe one page below the stack" code
generated by -fstack-check just breaks the kernel in horrible ways,
causing infinite double faults etc.

[ I have to say, that the particular code gcc generates looks very
  stupid even for user space where it works, but that's a separate
  issue.  ]

Reported-and-tested-by: Alexander Tsoy <alexander@tsoy.me>
Reported-and-tested-by: Toralf Förster <toralf.foerster@gmx.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)

--- a/Makefile
+++ b/Makefile
@@ -736,6 +736,9 @@ KBUILD_CFLAGS += $(call cc-disable-warni
 # disable invalid "can't wrap" optimizations for signed / pointers
 KBUILD_CFLAGS	+= $(call cc-option,-fno-strict-overflow)
 
+# Make sure -fstack-check isn't enabled (like gentoo apparently did)
+KBUILD_CFLAGS  += $(call cc-option,-fno-stack-check,)
+
 # conserve stack if available
 KBUILD_CFLAGS   += $(call cc-option,-fconserve-stack)
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 217/254] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 116/254] USB: serial: option: add support for Telit ME910 PID 0x1101 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 126/254] USB: serial: option: adding support for YUGA CLM920-NC5 Ben Hutchings
                   ` (43 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wolfram Sang, Jeremy Compostella

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Compostella <jeremy.compostella@intel.com>

commit 89c6efa61f5709327ecfa24bff18e57a4e80c7fa upstream.

On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
data out of the msgbuf1 array boundary.

It is possible from a user application to run into that issue by
calling the I2C_SMBUS ioctl with data.block[0] greater than
I2C_SMBUS_BLOCK_MAX + 1.

This patch makes the code compliant with
Documentation/i2c/dev-interface by raising an error when the requested
size is larger than 32 bytes.

Call Trace:
 [<ffffffff8139f695>] dump_stack+0x67/0x92
 [<ffffffff811802a4>] panic+0xc5/0x1eb
 [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
 [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
 [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
 [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
 [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
 [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
 [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
 [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a

Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/i2c/i2c-core.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/i2c/i2c-core.c
+++ b/drivers/i2c/i2c-core.c
@@ -2481,16 +2481,17 @@ static s32 i2c_smbus_xfer_emulated(struc
 				   the underlying bus driver */
 		break;
 	case I2C_SMBUS_I2C_BLOCK_DATA:
+		if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+			dev_err(&adapter->dev, "Invalid block %s size %d\n",
+				read_write == I2C_SMBUS_READ ? "read" : "write",
+				data->block[0]);
+			return -EINVAL;
+		}
+
 		if (read_write == I2C_SMBUS_READ) {
 			msg[1].len = data->block[0];
 		} else {
 			msg[0].len = data->block[0] + 1;
-			if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
-				dev_err(&adapter->dev,
-					"Invalid block write size %d\n",
-					data->block[0]);
-				return -EINVAL;
-			}
 			for (i = 1; i <= data->block[0]; i++)
 				msgbuf0[i] = data->block[i];
 		}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 002/254] ASoC: twl4030: fix child-node lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 036/254] mfd: cros ec: spi: Don't send first message too soon Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 243/254] media: v4l2-compat-ioctl32.c: fix the indentation Ben Hutchings
                   ` (166 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Mark Brown

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 15f8c5f2415bfac73f33a14bcd83422bcbfb5298 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent codec node was also prematurely freed,
while the child node was leaked.

Fixes: 2d6d649a2e0f ("ASoC: twl4030: Support for DT booted kernel")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/codecs/twl4030.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/soc/codecs/twl4030.c
+++ b/sound/soc/codecs/twl4030.c
@@ -232,7 +232,7 @@ static struct twl4030_codec_data *twl403
 	struct twl4030_codec_data *pdata = dev_get_platdata(codec->dev);
 	struct device_node *twl4030_codec_node = NULL;
 
-	twl4030_codec_node = of_find_node_by_name(codec->dev->parent->of_node,
+	twl4030_codec_node = of_get_child_by_name(codec->dev->parent->of_node,
 						  "codec");
 
 	if (!pdata && twl4030_codec_node) {
@@ -241,9 +241,11 @@ static struct twl4030_codec_data *twl403
 				     GFP_KERNEL);
 		if (!pdata) {
 			dev_err(codec->dev, "Can not allocate memory\n");
+			of_node_put(twl4030_codec_node);
 			return NULL;
 		}
 		twl4030_setup_pdata_of(pdata, twl4030_codec_node);
+		of_node_put(twl4030_codec_node);
 	}
 
 	return pdata;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 235/254] [media] v4l2-compat-ioctl32: fix sparse warnings
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 022/254] usb: host: fix incorrect updating of offset Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 143/254] sctp: Replace use of sockets_allocated with specified macro Ben Hutchings
                   ` (195 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans Verkuil, Mauro Carvalho Chehab

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 8ae632b11775254c5e555ee8c42b7d19baeb1473 upstream.

A lot of these warnings are caused by the fact that we don't generally use
__user in videodev2.h. Normally the video_usercopy function will copy anything
pointed to by pointers into kernel space, so having __user in the struct will only
cause lots of warnings in the drivers. But the flip side of that is that you
need to add __force casts here.

drivers/media/v4l2-core/v4l2-compat-ioctl32.c:337:26: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:337:30: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:338:31: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:338:49: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:343:21: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:346:21: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:349:35: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:349:46: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:352:35: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:352:54: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:363:26: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:363:32: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:364:31: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:364:51: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:371:35: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:371:56: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:376:35: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:376:48: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:430:30: warning: incorrect type in assignment (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:433:48: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:433:56: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:501:24: warning: incorrect type in assignment (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:507:48: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:507:56: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:565:18: warning: incorrect type in assignment (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:670:22: warning: incorrect type in assignment (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:680:29: warning: incorrect type in assignment (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:692:55: warning: incorrect type in initializer (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:773:18: warning: incorrect type in assignment (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:786:30: warning: incorrect type in argument 1 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:786:44: warning: incorrect type in argument 2 (different address spaces)
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:674:37: warning: dereference of noderef expression
drivers/media/v4l2-core/v4l2-compat-ioctl32.c:718:37: warning: dereference of noderef expression

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 30 +++++++++++++++++----------
 1 file changed, 19 insertions(+), 11 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -328,7 +328,7 @@ struct v4l2_buffer32 {
 	__u32			reserved;
 };
 
-static int get_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
+static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
 				enum v4l2_memory memory)
 {
 	void __user *up_pln;
@@ -357,7 +357,7 @@ static int get_v4l2_plane32(struct v4l2_
 	return 0;
 }
 
-static int put_v4l2_plane32(struct v4l2_plane *up, struct v4l2_plane32 *up32,
+static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
 				enum v4l2_memory memory)
 {
 	if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
@@ -425,7 +425,7 @@ static int get_v4l2_buffer32(struct v4l2
 		 * by passing a very big num_planes value */
 		uplane = compat_alloc_user_space(num_planes *
 						sizeof(struct v4l2_plane));
-		kp->m.planes = uplane;
+		kp->m.planes = (__force struct v4l2_plane *)uplane;
 
 		while (--num_planes >= 0) {
 			ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
@@ -495,7 +495,7 @@ static int put_v4l2_buffer32(struct v4l2
 		if (num_planes == 0)
 			return 0;
 
-		uplane = kp->m.planes;
+		uplane = (__force struct v4l2_plane __user *)kp->m.planes;
 		if (get_user(p, &up->m.planes))
 			return -EFAULT;
 		uplane32 = compat_ptr(p);
@@ -547,7 +547,7 @@ static int get_v4l2_framebuffer32(struct
 		get_user(kp->capability, &up->capability) ||
 		get_user(kp->flags, &up->flags))
 			return -EFAULT;
-	kp->base = compat_ptr(tmp);
+	kp->base = (__force void *)compat_ptr(tmp);
 	get_v4l2_pix_format(&kp->fmt, &up->fmt);
 	return 0;
 }
@@ -653,11 +653,15 @@ static int get_v4l2_ext_controls32(struc
 			n * sizeof(struct v4l2_ext_control32)))
 		return -EFAULT;
 	kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
-	kp->controls = kcontrols;
+	kp->controls = (__force struct v4l2_ext_control *)kcontrols;
 	while (--n >= 0) {
+		u32 id;
+
 		if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols)))
 			return -EFAULT;
-		if (ctrl_is_pointer(kcontrols->id)) {
+		if (get_user(id, &kcontrols->id))
+			return -EFAULT;
+		if (ctrl_is_pointer(id)) {
 			void __user *s;
 
 			if (get_user(p, &ucontrols->string))
@@ -675,7 +679,8 @@ static int get_v4l2_ext_controls32(struc
 static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
 {
 	struct v4l2_ext_control32 __user *ucontrols;
-	struct v4l2_ext_control __user *kcontrols = kp->controls;
+	struct v4l2_ext_control __user *kcontrols =
+		(__force struct v4l2_ext_control __user *)kp->controls;
 	int n = kp->count;
 	compat_caddr_t p;
 
@@ -697,11 +702,14 @@ static int put_v4l2_ext_controls32(struc
 
 	while (--n >= 0) {
 		unsigned size = sizeof(*ucontrols);
+		u32 id;
 
+		if (get_user(id, &kcontrols->id))
+			return -EFAULT;
 		/* Do not modify the pointer when copying a pointer control.
 		   The contents of the pointer was changed, not the pointer
 		   itself. */
-		if (ctrl_is_pointer(kcontrols->id))
+		if (ctrl_is_pointer(id))
 			size -= sizeof(ucontrols->value64);
 		if (copy_in_user(ucontrols, kcontrols, size))
 			return -EFAULT;
@@ -758,7 +766,7 @@ static int get_v4l2_edid32(struct v4l2_e
 		get_user(tmp, &up->edid) ||
 		copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
 			return -EFAULT;
-	kp->edid = compat_ptr(tmp);
+	kp->edid = (__force u8 *)compat_ptr(tmp);
 	return 0;
 }
 
@@ -771,7 +779,7 @@ static int put_v4l2_edid32(struct v4l2_e
 		put_user(kp->start_block, &up->start_block) ||
 		put_user(kp->blocks, &up->blocks) ||
 		put_user(tmp, &up->edid) ||
-		copy_to_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
+		copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
 			return -EFAULT;
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 183/254] mdio-sun4i: Fix a memory leak
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 138/254] iw_cxgb4: Only validate the MSN for successful completions Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 046/254] xhci: Don't show incorrect WARN message about events for empty rings Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 007/254] btrfs: clear space cache inode generation always Ben Hutchings
                   ` (251 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Christophe JAILLET

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 56c0290202ab94a2f2780c449395d4ae8495fab4 upstream.

If the probing of the regulator is deferred, the memory allocated by
'mdiobus_alloc_size()' will be leaking.
It should be freed before the next call to 'sun4i_mdio_probe()' which will
reallocate it.

Fixes: 4bdcb1dd9feb ("net: Add MDIO bus driver for the Allwinner EMAC")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/phy/mdio-sun4i.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/phy/mdio-sun4i.c
+++ b/drivers/net/phy/mdio-sun4i.c
@@ -128,8 +128,10 @@ static int sun4i_mdio_probe(struct platf
 
 	data->regulator = devm_regulator_get(&pdev->dev, "phy");
 	if (IS_ERR(data->regulator)) {
-		if (PTR_ERR(data->regulator) == -EPROBE_DEFER)
-			return -EPROBE_DEFER;
+		if (PTR_ERR(data->regulator) == -EPROBE_DEFER) {
+			ret = -EPROBE_DEFER;
+			goto err_out_free_mdiobus;
+		}
 
 		dev_info(&pdev->dev, "no regulator found\n");
 		data->regulator = NULL;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 074/254] X.509: reject invalid BIT STRING for subjectPublicKey
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 190/254] USB: fix usbmon BUG trigger Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 019/254] drm/i915: Prevent zero length "index" write Ben Hutchings
                   ` (33 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells, James Morris

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.

Adding a specially crafted X.509 certificate whose subjectPublicKey
ASN.1 value is zero-length caused x509_extract_key_data() to set the
public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
size, triggering the WARN_ON_ONCE() in kmalloc_slab().

This appears to be harmless, but it still must be fixed since WARNs are
never supposed to be user-triggerable.

Fix it by updating x509_cert_parse() to validate that the value has a
BIT STRING metadata byte, and that the byte is 0 which indicates that
the number of bits in the bitstring is a multiple of 8.

It would be nice to handle the metadata byte in asn1_ber_decoder()
instead.  But that would be tricky because in the general case a BIT
STRING could be implicitly tagged, and/or could legitimately have a
length that is not a whole number of bytes.

Here was the WARN (cleaned up slightly):

    WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
    Modules linked in:
    CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    task: ffff880033014180 task.stack: ffff8800305c8000
    Call Trace:
     __do_kmalloc mm/slab.c:3706 [inline]
     __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
     kmemdup+0x17/0x40 mm/util.c:118
     kmemdup include/linux/string.h:414 [inline]
     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -348,6 +348,8 @@ int x509_extract_key_data(void *context,
 	ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
 
 	/* Discard the BIT STRING metadata */
+	if (vlen < 1 || *(const u8 *)value != 0)
+		return -EBADMSG;
 	ctx->key = value + 1;
 	ctx->key_size = vlen - 1;
 	return 0;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 245/254] media: v4l2-compat-ioctl32.c: avoid sizeof(type)
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 224/254] net: igmp: fix source address check for IGMPv3 reports Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 117/254] posix-timer: Properly check sigevent->sigev_notify Ben Hutchings
                   ` (52 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Mauro Carvalho Chehab, Sakari Ailus

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 333b1e9f96ce05f7498b581509bb30cde03018bf upstream.

Instead of doing sizeof(struct foo) use sizeof(*up). There even were
cases where 4 * sizeof(__u32) was used instead of sizeof(kp->reserved),
which is very dangerous when the size of the reserved array changes.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Rebased on top of some earlier fixes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -47,7 +47,7 @@ struct v4l2_window32 {
 
 static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
 {
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
 	    get_user(kp->field, &up->field) ||
 	    get_user(kp->chromakey, &up->chromakey) ||
@@ -64,7 +64,7 @@ static int get_v4l2_window32(struct v4l2
 		if (get_user(p, &up->clips))
 			return -EFAULT;
 		uclips = compat_ptr(p);
-		kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip));
+		kclips = compat_alloc_user_space(n * sizeof(*kclips));
 		kp->clips = kclips;
 		while (--n >= 0) {
 			if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
@@ -152,14 +152,14 @@ static int __get_v4l2_format32(struct v4
 
 static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
 {
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)))
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
 		return -EFAULT;
 	return __get_v4l2_format32(kp, up);
 }
 
 static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
 {
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
 		return -EFAULT;
 	return __get_v4l2_format32(&kp->format, &up->format);
@@ -199,14 +199,14 @@ static int __put_v4l2_format32(struct v4
 
 static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
 {
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)))
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)))
 		return -EFAULT;
 	return __put_v4l2_format32(kp, up);
 }
 
 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
 {
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
 	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
@@ -225,7 +225,7 @@ struct v4l2_standard32 {
 static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
 {
 	/* other fields are not set by the user, nor used by the driver */
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    get_user(kp->index, &up->index))
 		return -EFAULT;
 	return 0;
@@ -233,13 +233,13 @@ static int get_v4l2_standard32(struct v4
 
 static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
 {
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    put_user(kp->index, &up->index) ||
 	    put_user(kp->id, &up->id) ||
-	    copy_to_user(up->name, kp->name, 24) ||
+	    copy_to_user(up->name, kp->name, sizeof(up->name)) ||
 	    copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
 	    put_user(kp->framelines, &up->framelines) ||
-	    copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32)))
+	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
 	return 0;
 }
@@ -287,7 +287,7 @@ static int get_v4l2_plane32(struct v4l2_
 
 	if (copy_in_user(up, up32, 2 * sizeof(__u32)) ||
 	    copy_in_user(&up->data_offset, &up32->data_offset,
-			 sizeof(__u32)))
+			 sizeof(up->data_offset)))
 		return -EFAULT;
 
 	if (memory == V4L2_MEMORY_USERPTR) {
@@ -297,11 +297,11 @@ static int get_v4l2_plane32(struct v4l2_
 		if (put_user((unsigned long)up_pln, &up->m.userptr))
 			return -EFAULT;
 	} else if (memory == V4L2_MEMORY_DMABUF) {
-		if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(int)))
+		if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd)))
 			return -EFAULT;
 	} else {
 		if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
-				 sizeof(__u32)))
+				 sizeof(up32->m.mem_offset)))
 			return -EFAULT;
 	}
 
@@ -313,19 +313,19 @@ static int put_v4l2_plane32(struct v4l2_
 {
 	if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
 	    copy_in_user(&up32->data_offset, &up->data_offset,
-			 sizeof(__u32)))
+			 sizeof(up->data_offset)))
 		return -EFAULT;
 
 	/* For MMAP, driver might've set up the offset, so copy it back.
 	 * USERPTR stays the same (was userspace-provided), so no copying. */
 	if (memory == V4L2_MEMORY_MMAP)
 		if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset,
-				 sizeof(__u32)))
+				 sizeof(up->m.mem_offset)))
 			return -EFAULT;
 	/* For DMABUF, driver might've set up the fd, so copy it back. */
 	if (memory == V4L2_MEMORY_DMABUF)
 		if (copy_in_user(&up32->m.fd, &up->m.fd,
-				 sizeof(int)))
+				 sizeof(up->m.fd)))
 			return -EFAULT;
 
 	return 0;
@@ -339,7 +339,7 @@ static int get_v4l2_buffer32(struct v4l2
 	int num_planes;
 	int ret;
 
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    get_user(kp->index, &up->index) ||
 	    get_user(kp->type, &up->type) ||
 	    get_user(kp->flags, &up->flags) ||
@@ -351,8 +351,7 @@ static int get_v4l2_buffer32(struct v4l2
 		if (get_user(kp->bytesused, &up->bytesused) ||
 		    get_user(kp->field, &up->field) ||
 		    get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-		    get_user(kp->timestamp.tv_usec,
-			     &up->timestamp.tv_usec))
+		    get_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec))
 			return -EFAULT;
 
 	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
@@ -369,13 +368,13 @@ static int get_v4l2_buffer32(struct v4l2
 
 		uplane32 = compat_ptr(p);
 		if (!access_ok(VERIFY_READ, uplane32,
-			       num_planes * sizeof(struct v4l2_plane32)))
+			       num_planes * sizeof(*uplane32)))
 			return -EFAULT;
 
 		/* We don't really care if userspace decides to kill itself
 		 * by passing a very big num_planes value */
 		uplane = compat_alloc_user_space(num_planes *
-						 sizeof(struct v4l2_plane));
+						 sizeof(*uplane));
 		kp->m.planes = (__force struct v4l2_plane *)uplane;
 
 		while (--num_planes >= 0) {
@@ -423,7 +422,7 @@ static int put_v4l2_buffer32(struct v4l2
 	int num_planes;
 	int ret;
 
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    put_user(kp->index, &up->index) ||
 	    put_user(kp->type, &up->type) ||
 	    put_user(kp->flags, &up->flags) ||
@@ -434,7 +433,7 @@ static int put_v4l2_buffer32(struct v4l2
 	    put_user(kp->field, &up->field) ||
 	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
 	    put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
-	    copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
+	    copy_to_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
 	    put_user(kp->sequence, &up->sequence) ||
 	    put_user(kp->reserved2, &up->reserved2) ||
 	    put_user(kp->reserved, &up->reserved) ||
@@ -493,7 +492,7 @@ static int get_v4l2_framebuffer32(struct
 {
 	u32 tmp;
 
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    get_user(tmp, &up->base) ||
 	    get_user(kp->capability, &up->capability) ||
 	    get_user(kp->flags, &up->flags) ||
@@ -507,7 +506,7 @@ static int put_v4l2_framebuffer32(struct
 {
 	u32 tmp = (u32)((unsigned long)kp->base);
 
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    put_user(tmp, &up->base) ||
 	    put_user(kp->capability, &up->capability) ||
 	    put_user(kp->flags, &up->flags) ||
@@ -532,14 +531,14 @@ struct v4l2_input32 {
    Otherwise it is identical to the 32-bit version. */
 static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
 {
-	if (copy_from_user(kp, up, sizeof(struct v4l2_input32)))
+	if (copy_from_user(kp, up, sizeof(*up)))
 		return -EFAULT;
 	return 0;
 }
 
 static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
 {
-	if (copy_to_user(up, kp, sizeof(struct v4l2_input32)))
+	if (copy_to_user(up, kp, sizeof(*up)))
 		return -EFAULT;
 	return 0;
 }
@@ -587,7 +586,7 @@ static int get_v4l2_ext_controls32(struc
 	int n;
 	compat_caddr_t p;
 
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_ext_controls32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    get_user(kp->ctrl_class, &up->ctrl_class) ||
 	    get_user(kp->count, &up->count) ||
 	    get_user(kp->error_idx, &up->error_idx) ||
@@ -601,10 +600,9 @@ static int get_v4l2_ext_controls32(struc
 	if (get_user(p, &up->controls))
 		return -EFAULT;
 	ucontrols = compat_ptr(p);
-	if (!access_ok(VERIFY_READ, ucontrols,
-		       n * sizeof(struct v4l2_ext_control32)))
+	if (!access_ok(VERIFY_READ, ucontrols, n * sizeof(*ucontrols)))
 		return -EFAULT;
-	kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
+	kcontrols = compat_alloc_user_space(n * sizeof(*kcontrols));
 	kp->controls = (__force struct v4l2_ext_control *)kcontrols;
 	while (--n >= 0) {
 		u32 id;
@@ -636,7 +634,7 @@ static int put_v4l2_ext_controls32(struc
 	int n = kp->count;
 	compat_caddr_t p;
 
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_ext_controls32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    put_user(kp->ctrl_class, &up->ctrl_class) ||
 	    put_user(kp->count, &up->count) ||
 	    put_user(kp->error_idx, &up->error_idx) ||
@@ -648,8 +646,7 @@ static int put_v4l2_ext_controls32(struc
 	if (get_user(p, &up->controls))
 		return -EFAULT;
 	ucontrols = compat_ptr(p);
-	if (!access_ok(VERIFY_WRITE, ucontrols,
-		       n * sizeof(struct v4l2_ext_control32)))
+	if (!access_ok(VERIFY_WRITE, ucontrols, n * sizeof(*ucontrols)))
 		return -EFAULT;
 
 	while (--n >= 0) {
@@ -686,7 +683,7 @@ struct v4l2_event32 {
 
 static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up)
 {
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_event32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    put_user(kp->type, &up->type) ||
 	    copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
 	    put_user(kp->pending, &up->pending) ||
@@ -694,7 +691,7 @@ static int put_v4l2_event32(struct v4l2_
 	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
 	    put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
 	    put_user(kp->id, &up->id) ||
-	    copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
+	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
 	return 0;
 }
@@ -711,7 +708,7 @@ static int get_v4l2_edid32(struct v4l2_e
 {
 	u32 tmp;
 
-	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_edid32)) ||
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    get_user(kp->pad, &up->pad) ||
 	    get_user(kp->start_block, &up->start_block) ||
 	    get_user(kp->blocks, &up->blocks) ||
@@ -726,7 +723,7 @@ static int put_v4l2_edid32(struct v4l2_e
 {
 	u32 tmp = (u32)((unsigned long)kp->edid);
 
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_edid32)) ||
+	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
 	    put_user(kp->pad, &up->pad) ||
 	    put_user(kp->start_block, &up->start_block) ||
 	    put_user(kp->blocks, &up->blocks) ||

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 228/254] x86/microcode/intel: Extend BDW late-loading further with LLC size check
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (245 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 009/254] scsi: use dma_get_cache_alignment() as minimum DMA alignment Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 065/254] btrfs: Fix possible off-by-one in btrfs_search_path_in_tree Ben Hutchings
                   ` (7 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jia Zhang, Borislav Petkov, Tony Luck, Thomas Gleixner

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia Zhang <zhang.jia@linux.alibaba.com>

commit 7e702d17ed138cf4ae7c00e8c00681ed464587c7 upstream.

Commit b94b73733171 ("x86/microcode/intel: Extend BDW late-loading with a
revision check") reduced the impact of erratum BDF90 for Broadwell model
79.

The impact can be reduced further by checking the size of the last level
cache portion per core.

Tony: "The erratum says the problem only occurs on the large-cache SKUs.
So we only need to avoid the update if we are on a big cache SKU that is
also running old microcode."

For more details, see erratum BDF90 in document #334165 (Intel Xeon
Processor E7-8800/4800 v4 Product Family Specification Update) from
September 2017.

Fixes: b94b73733171 ("x86/microcode/intel: Extend BDW late-loading with a revision check")
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Tony Luck <tony.luck@intel.com>
Link: https://lkml.kernel.org/r/1516321542-31161-1-git-send-email-zhang.jia@linux.alibaba.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/microcode/intel.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -87,6 +87,9 @@ MODULE_DESCRIPTION("Microcode Update Dri
 MODULE_AUTHOR("Tigran Aivazian <tigran@aivazian.fsnet.co.uk>");
 MODULE_LICENSE("GPL");
 
+/* last level cache size per core */
+static int llc_size_per_core;
+
 static int collect_cpu_info(int cpu_num, struct cpu_signature *csig)
 {
 	struct cpuinfo_x86 *c = &cpu_data(cpu_num);
@@ -273,12 +276,14 @@ static bool is_blacklisted(unsigned int
 
 	/*
 	 * Late loading on model 79 with microcode revision less than 0x0b000021
-	 * may result in a system hang. This behavior is documented in item
-	 * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
+	 * and LLC size per core bigger than 2.5MB may result in a system hang.
+	 * This behavior is documented in item BDF90, #334165 (Intel Xeon
+	 * Processor E7-8800/4800 v4 Product Family).
 	 */
 	if (c->x86 == 6 &&
 	    c->x86_model == 0x4F &&
 	    c->x86_mask == 0x01 &&
+	    llc_size_per_core > 2621440 &&
 	    c->microcode < 0x0b000021) {
 		pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
 		pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
@@ -345,6 +350,15 @@ static struct microcode_ops microcode_in
 	.microcode_fini_cpu               = microcode_fini_cpu,
 };
 
+static int __init calc_llc_size_per_core(struct cpuinfo_x86 *c)
+{
+	u64 llc_size = c->x86_cache_size * 1024;
+
+	do_div(llc_size, c->x86_max_cores);
+
+	return (int)llc_size;
+}
+
 struct microcode_ops * __init init_intel_microcode(void)
 {
 	struct cpuinfo_x86 *c = &cpu_data(0);
@@ -355,6 +369,8 @@ struct microcode_ops * __init init_intel
 		return NULL;
 	}
 
+	llc_size_per_core = calc_llc_size_per_core(c);
+
 	return &microcode_intel_ops;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 184/254] sh_eth: fix TXALCR1 offsets
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 239/254] adv7604: use correct drive strength defines Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 010/254] scsi: libsas: align sata_device's rps_resp on a cacheline Ben Hutchings
                   ` (147 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sergei Shtylyov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 50f3d740d376f664f6accc7e86c9afd8f1c7e1e4 upstream.

The  TXALCR1 offsets are incorrect in the register offset tables, most
probably due to copy&paste error.  Luckily, the driver never uses this
register. :-)

Fixes: 4a55530f38e4 ("net: sh_eth: modify the definitions of register")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -142,7 +142,7 @@ static const u16 sh_eth_offset_gigabit[S
 	[FWNLCR0]	= 0x0090,
 	[FWALCR0]	= 0x0094,
 	[TXNLCR1]	= 0x00a0,
-	[TXALCR1]	= 0x00a0,
+	[TXALCR1]	= 0x00a4,
 	[RXNLCR1]	= 0x00a8,
 	[RXALCR1]	= 0x00ac,
 	[FWNLCR1]	= 0x00b0,
@@ -384,7 +384,7 @@ static const u16 sh_eth_offset_fast_sh3_
 	[FWNLCR0]	= 0x0090,
 	[FWALCR0]	= 0x0094,
 	[TXNLCR1]	= 0x00a0,
-	[TXALCR1]	= 0x00a0,
+	[TXALCR1]	= 0x00a4,
 	[RXNLCR1]	= 0x00a8,
 	[RXALCR1]	= 0x00ac,
 	[FWNLCR1]	= 0x00b0,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 197/254] SolutionEngine771x: add Ether TSU resource
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 220/254] can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 078/254] USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID Ben Hutchings
                   ` (104 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sergei Shtylyov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit f9a531d6731d74f1e24298d9641c2dc1fef2631b upstream.

After the  Ether platform data is fixed, the driver probe() method would
still fail since the 'struct sh_eth_cpu_data' corresponding  to SH771x
indicates the presence of TSU but the memory resource for it is absent.
Add the missing TSU resource  to both Ether devices and fix the harmless
off-by-one error in the main memory resources, while at it...

Fixes: 4986b996882d ("net: sh_eth: remove the SH_TSU_ADDR")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sh/boards/mach-se/770x/setup.c | 14 ++++++++++++--
 arch/sh/include/mach-se/mach/se.h   |  1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/arch/sh/boards/mach-se/770x/setup.c
+++ b/arch/sh/boards/mach-se/770x/setup.c
@@ -123,10 +123,15 @@ static struct sh_eth_plat_data sh_eth_pl
 static struct resource sh_eth0_resources[] = {
 	[0] = {
 		.start = SH_ETH0_BASE,
-		.end = SH_ETH0_BASE + 0x1B8,
+		.end = SH_ETH0_BASE + 0x1B8 - 1,
 		.flags = IORESOURCE_MEM,
 	},
 	[1] = {
+		.start = SH_TSU_BASE,
+		.end = SH_TSU_BASE + 0x200 - 1,
+		.flags = IORESOURCE_MEM,
+	},
+	[2] = {
 		.start = SH_ETH0_IRQ,
 		.end = SH_ETH0_IRQ,
 		.flags = IORESOURCE_IRQ,
@@ -146,10 +151,15 @@ static struct platform_device sh_eth0_de
 static struct resource sh_eth1_resources[] = {
 	[0] = {
 		.start = SH_ETH1_BASE,
-		.end = SH_ETH1_BASE + 0x1B8,
+		.end = SH_ETH1_BASE + 0x1B8 - 1,
 		.flags = IORESOURCE_MEM,
 	},
 	[1] = {
+		.start = SH_TSU_BASE,
+		.end = SH_TSU_BASE + 0x200 - 1,
+		.flags = IORESOURCE_MEM,
+	},
+	[2] = {
 		.start = SH_ETH1_IRQ,
 		.end = SH_ETH1_IRQ,
 		.flags = IORESOURCE_IRQ,
--- a/arch/sh/include/mach-se/mach/se.h
+++ b/arch/sh/include/mach-se/mach/se.h
@@ -99,6 +99,7 @@
 /* Base address */
 #define SH_ETH0_BASE 0xA7000000
 #define SH_ETH1_BASE 0xA7000400
+#define SH_TSU_BASE  0xA7000800
 /* PHY ID */
 #if defined(CONFIG_CPU_SUBTYPE_SH7710)
 # define PHY_ID 0x00

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 133/254] net/mlx5: Fix misspelling in the error message and comment
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (133 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 148/254] include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 067/254] can: ems_usb: cancel urb on -EPIPE and -EPROTO Ben Hutchings
                   ` (119 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Saeed Mahameed, Eugenia Emantayev

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eugenia Emantayev <eugenia@mellanox.com>

commit 777ec2b2a3f2760505db395de1a9fa4115d74548 upstream.

Fix misspelling in word syndrome.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
[bwh: Backported to 3.16: drop change in health.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
@@ -261,7 +261,7 @@ static int mlx5_eq_int(struct mlx5_core_
 			break;
 		case MLX5_EVENT_TYPE_CQ_ERROR:
 			cqn = be32_to_cpu(eqe->data.cq_err.cqn) & 0xffffff;
-			mlx5_core_warn(dev, "CQ error on CQN 0x%x, syndrom 0x%x\n",
+			mlx5_core_warn(dev, "CQ error on CQN 0x%x, syndrome 0x%x\n",
 				       cqn, eqe->data.cq_err.syndrome);
 			mlx5_cq_event(dev, cqn, eqe->type);
 			break;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 092/254] MIPS: clear MSACSR cause bits when handling MSA FP exception
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (206 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 105/254] MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 127/254] usbip: vhci: stop printing kernel pointer addresses in messages Ben Hutchings
                   ` (46 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Ralf Baechle, Paul Burton

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 091be550a70a086c3b4420c6155e733dc410f190 upstream.

Much like for traditional scalar FP exceptions, the cause bits in the
MSACSR register need to be cleared following an MSA FP exception.
Without doing so the exception will simply be raised again whenever
the kernel restores MSACSR from a tasks saved context, leading to
undesirable spurious exceptions. Clear the cause bits from the
handle_msa_fpe function, mirroring the way handle_fpe clears the
cause bits in FCSR.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9164/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/genex.S | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/mips/kernel/genex.S
+++ b/arch/mips/kernel/genex.S
@@ -368,6 +368,15 @@ NESTED(nmi_handler, PT_SIZE, sp)
 	STI
 	.endm
 
+	.macro	__build_clear_msa_fpe
+	_cfcmsa	a1, MSA_CSR
+	li	a2, ~(0x3f << 12)
+	and	a1, a1, a2
+	_ctcmsa	MSA_CSR, a1
+	TRACE_IRQS_ON
+	STI
+	.endm
+
 	.macro	__build_clear_ade
 	MFC0	t0, CP0_BADVADDR
 	PTR_S	t0, PT_BVADDR(sp)
@@ -426,7 +435,7 @@ NESTED(nmi_handler, PT_SIZE, sp)
 	BUILD_HANDLER cpu cpu sti silent		/* #11 */
 	BUILD_HANDLER ov ov sti silent			/* #12 */
 	BUILD_HANDLER tr tr sti silent			/* #13 */
-	BUILD_HANDLER msa_fpe msa_fpe sti silent	/* #14 */
+	BUILD_HANDLER msa_fpe msa_fpe msa_fpe silent	/* #14 */
 	BUILD_HANDLER fpe fpe fpe silent		/* #15 */
 	BUILD_HANDLER ftlb ftlb none silent		/* #16 */
 	BUILD_HANDLER msa msa sti silent		/* #21 */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 045/254] virtio: release virtio index when fail to device_register
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 240/254] media: v4l2-ioctl.c: don't copy back the result for -ENOTTY Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 109/254] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Ben Hutchings
                   ` (203 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, weiping zhang, weiping zhang, Michael S. Tsirkin, Cornelia Huck

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: weiping zhang <zwp10758@gmail.com>

commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.

index can be reused by other virtio device.

Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/virtio/virtio.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio.c
+++ b/drivers/virtio/virtio.c
@@ -223,6 +223,8 @@ int register_virtio_device(struct virtio
 	/* device_register() causes the bus infrastructure to look for a
 	 * matching driver. */
 	err = device_register(&dev->dev);
+	if (err)
+		ida_simple_remove(&virtio_index_ida, dev->index);
 out:
 	if (err)
 		add_status(dev, VIRTIO_CONFIG_S_FAILED);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 227/254] pppoe: take ->needed_headroom of lower device into account on xmit
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 211/254] sctp: do not allow the v4 socket to bind a v4mapped v6 address Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 049/254] ALSA: usb-audio: Fix out-of-bound error Ben Hutchings
                   ` (175 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Guillaume Nault, David S. Miller,
	syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d, Xin Long

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 02612bb05e51df8489db5e94d0cf8d1c81f87b0c upstream.

In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom
was probably fine before the introduction of ->needed_headroom in
commit f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom").

But now, virtual devices typically advertise the size of their overhead
in dev->needed_headroom, so we must also take it into account in
skb_reserve().
Allocation size of skb is also updated to take dev->needed_tailroom
into account and replace the arbitrary 32 bytes with the real size of
a PPPoE header.

This issue was discovered by syzbot, who connected a pppoe socket to a
gre device which had dev->header_ops->create == ipgre_header and
dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any
headroom, and dev_hard_header() crashed when ipgre_header() tried to
prepend its header to skb->data.

skbuff: skb_under_panic: text:000000001d390b3a len:31 put:24
head:00000000d8ed776f data:000000008150e823 tail:0x7 end:0xc0 dev:gre0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3670 Comm: syzkaller801466 Not tainted
4.15.0-rc7-next-20180115+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:skb_panic+0x162/0x1f0 net/core/skbuff.c:100
RSP: 0018:ffff8801d9bd7840 EFLAGS: 00010282
RAX: 0000000000000083 RBX: ffff8801d4f083c0 RCX: 0000000000000000
RDX: 0000000000000083 RSI: 1ffff1003b37ae92 RDI: ffffed003b37aefc
RBP: ffff8801d9bd78a8 R08: 1ffff1003b37ae8a R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff86200de0
R13: ffffffff84a981ad R14: 0000000000000018 R15: ffff8801d2d34180
FS:  00000000019c4880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208bc000 CR3: 00000001d9111001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  skb_under_panic net/core/skbuff.c:114 [inline]
  skb_push+0xce/0xf0 net/core/skbuff.c:1714
  ipgre_header+0x6d/0x4e0 net/ipv4/ip_gre.c:879
  dev_hard_header include/linux/netdevice.h:2723 [inline]
  pppoe_sendmsg+0x58e/0x8b0 drivers/net/ppp/pppoe.c:890
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  sock_write_iter+0x31a/0x5d0 net/socket.c:909
  call_write_iter include/linux/fs.h:1775 [inline]
  do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
  do_iter_write+0x154/0x540 fs/read_write.c:932
  vfs_writev+0x18a/0x340 fs/read_write.c:977
  do_writev+0xfc/0x2a0 fs/read_write.c:1012
  SYSC_writev fs/read_write.c:1085 [inline]
  SyS_writev+0x27/0x30 fs/read_write.c:1082
  entry_SYSCALL_64_fastpath+0x29/0xa0

Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like
interfaces, but reserving space for ->needed_headroom is a more
fundamental issue that needs to be addressed first.

Same problem exists for __pppoe_xmit(), which also needs to take
dev->needed_headroom into account in skb_cow_head().

Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
Reported-by: syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c14d@syzkaller.appspotmail.com
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ppp/pppoe.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -832,6 +832,7 @@ static int pppoe_sendmsg(struct kiocb *i
 	struct pppoe_hdr *ph;
 	struct net_device *dev;
 	char *start;
+	int hlen;
 
 	lock_sock(sk);
 	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -850,16 +851,16 @@ static int pppoe_sendmsg(struct kiocb *i
 	if (total_len > (dev->mtu + dev->hard_header_len))
 		goto end;
 
-
-	skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
-			   0, GFP_KERNEL);
+	hlen = LL_RESERVED_SPACE(dev);
+	skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
+			   dev->needed_tailroom, 0, GFP_KERNEL);
 	if (!skb) {
 		error = -ENOMEM;
 		goto end;
 	}
 
 	/* Reserve space for headers. */
-	skb_reserve(skb, dev->hard_header_len);
+	skb_reserve(skb, hlen);
 	skb_reset_network_header(skb);
 
 	skb->dev = dev;
@@ -920,7 +921,7 @@ static int __pppoe_xmit(struct sock *sk,
 	/* Copy the data if there is no space for the header or if it's
 	 * read-only.
 	 */
-	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+	if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
 		goto abort;
 
 	__skb_push(skb, sizeof(*ph));

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 095/254] MIPS: lose_fpu(): Disable FPU when MSA enabled
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 118/254] parisc: Hide Diva-built-in serial aux and graphics card Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 070/254] can: usb_8dev: cancel urb on -EPIPE and -EPROTO Ben Hutchings
                   ` (144 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, Paul Burton, linux-mips, James Hogan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit acaf6a97d623af123314c2f8ce4cf7254f6b2fc1 upstream.

The lose_fpu() function only disables the FPU in CP0_Status.CU1 if the
FPU is in use and MSA isn't enabled.

This isn't necessarily a problem because KSTK_STATUS(current), the
version of CP0_Status stored on the kernel stack on entry from user
mode, does always get updated and gets restored when returning to user
mode, but I don't think it was intended, and it is inconsistent with the
case of only the FPU being in use. Sometimes leaving the FPU enabled may
also mask kernel bugs where FPU operations are executed when the FPU
might not be enabled.

So lets disable the FPU in the MSA case too.

Fixes: 33c771ba5c5d ("MIPS: save/disable MSA in lose_fpu")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9323/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/fpu.h | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/mips/include/asm/fpu.h
+++ b/arch/mips/include/asm/fpu.h
@@ -150,6 +150,7 @@ static inline void lose_fpu(int save)
 		}
 		disable_msa();
 		clear_thread_flag(TIF_USEDMSA);
+		__disable_fpu();
 	} else if (is_fpu_owner()) {
 		if (save)
 			_save_fp(current);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 066/254] net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (171 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 147/254] nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 237/254] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Ben Hutchings
                   ` (81 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andrew Lunn, David S. Miller, Tobias Jordan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Jordan <Tobias.Jordan@elektrobit.com>

commit 589bf32f09852041fbd3b7ce1a9e703f95c230ba upstream.

add appropriate calls to clk_disable_unprepare() by jumping to out_mdio
in case orion_mdio_probe() returns -EPROBE_DEFER.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 3d604da1e954 ("net: mvmdio: get and enable optional clock")
Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/marvell/mvmdio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/mvmdio.c
+++ b/drivers/net/ethernet/marvell/mvmdio.c
@@ -241,7 +241,8 @@ static int orion_mdio_probe(struct platf
 			dev->regs + MVMDIO_ERR_INT_MASK);
 
 	} else if (dev->err_interrupt == -EPROBE_DEFER) {
-		return -EPROBE_DEFER;
+		ret = -EPROBE_DEFER;
+		goto out_mdio;
 	}
 
 	mutex_init(&dev->lock);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 234/254] blk-mq: fix race between timeout and freeing request
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 146/254] tracing: Fix possible double free on failure of allocating trace buffer Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 159/254] IB/srpt: Disable RDMA access by the initiator Ben Hutchings
                   ` (130 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jens Axboe, Ming Lei

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <ming.lei@canonical.com>

commit 0048b4837affd153897ed1222283492070027aa9 upstream.

Inside timeout handler, blk_mq_tag_to_rq() is called
to retrieve the request from one tag. This way is obviously
wrong because the request can be freed any time and some
fiedds of the request can't be trusted, then kernel oops
might be triggered[1].

Currently wrt. blk_mq_tag_to_rq(), the only special case is
that the flush request can share same tag with the request
cloned from, and the two requests can't be active at the same
time, so this patch fixes the above issue by updating tags->rqs[tag]
with the active request(either flush rq or the request cloned
from) of the tag.

Also blk_mq_tag_to_rq() gets much simplified with this patch.

Given blk_mq_tag_to_rq() is mainly for drivers and the caller must
make sure the request can't be freed, so in bt_for_each() this
helper is replaced with tags->rqs[tag].

[1] kernel oops log
[  439.696220] BUG: unable to handle kernel NULL pointer dereference at 0000000000000158^M
[  439.697162] IP: [<ffffffff812d89ba>] blk_mq_tag_to_rq+0x21/0x6e^M
[  439.700653] PGD 7ef765067 PUD 7ef764067 PMD 0 ^M
[  439.700653] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
[  439.700653] Dumping ftrace buffer:^M
[  439.700653]    (ftrace buffer empty)^M
[  439.700653] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
[  439.700653] CPU: 6 PID: 2779 Comm: stress-ng-sigfd Not tainted 4.2.0-rc5-next-20150805+ #265^M
[  439.730500] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
[  439.730500] task: ffff880605308000 ti: ffff88060530c000 task.ti: ffff88060530c000^M
[  439.730500] RIP: 0010:[<ffffffff812d89ba>]  [<ffffffff812d89ba>] blk_mq_tag_to_rq+0x21/0x6e^M
[  439.730500] RSP: 0018:ffff880819203da0  EFLAGS: 00010283^M
[  439.730500] RAX: ffff880811b0e000 RBX: ffff8800bb465f00 RCX: 0000000000000002^M
[  439.730500] RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000^M
[  439.730500] RBP: ffff880819203db0 R08: 0000000000000002 R09: 0000000000000000^M
[  439.730500] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000202^M
[  439.730500] R13: ffff880814104800 R14: 0000000000000002 R15: ffff880811a2ea00^M
[  439.730500] FS:  00007f165b3f5740(0000) GS:ffff880819200000(0000) knlGS:0000000000000000^M
[  439.730500] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b^M
[  439.730500] CR2: 0000000000000158 CR3: 00000007ef766000 CR4: 00000000000006e0^M
[  439.730500] Stack:^M
[  439.730500]  0000000000000008 ffff8808114eed90 ffff880819203e00 ffffffff812dc104^M
[  439.755663]  ffff880819203e40 ffffffff812d9f5e 0000020000000000 ffff8808114eed80^M
[  439.755663] Call Trace:^M
[  439.755663]  <IRQ> ^M
[  439.755663]  [<ffffffff812dc104>] bt_for_each+0x6e/0xc8^M
[  439.755663]  [<ffffffff812d9f5e>] ? blk_mq_rq_timed_out+0x6a/0x6a^M
[  439.755663]  [<ffffffff812d9f5e>] ? blk_mq_rq_timed_out+0x6a/0x6a^M
[  439.755663]  [<ffffffff812dc1b3>] blk_mq_tag_busy_iter+0x55/0x5e^M
[  439.755663]  [<ffffffff812d88b4>] ? blk_mq_bio_to_request+0x38/0x38^M
[  439.755663]  [<ffffffff812d8911>] blk_mq_rq_timer+0x5d/0xd4^M
[  439.755663]  [<ffffffff810a3e10>] call_timer_fn+0xf7/0x284^M
[  439.755663]  [<ffffffff810a3d1e>] ? call_timer_fn+0x5/0x284^M
[  439.755663]  [<ffffffff812d88b4>] ? blk_mq_bio_to_request+0x38/0x38^M
[  439.755663]  [<ffffffff810a46d6>] run_timer_softirq+0x1ce/0x1f8^M
[  439.755663]  [<ffffffff8104c367>] __do_softirq+0x181/0x3a4^M
[  439.755663]  [<ffffffff8104c76e>] irq_exit+0x40/0x94^M
[  439.755663]  [<ffffffff81031482>] smp_apic_timer_interrupt+0x33/0x3e^M
[  439.755663]  [<ffffffff815559a4>] apic_timer_interrupt+0x84/0x90^M
[  439.755663]  <EOI> ^M
[  439.755663]  [<ffffffff81554350>] ? _raw_spin_unlock_irq+0x32/0x4a^M
[  439.755663]  [<ffffffff8106a98b>] finish_task_switch+0xe0/0x163^M
[  439.755663]  [<ffffffff8106a94d>] ? finish_task_switch+0xa2/0x163^M
[  439.755663]  [<ffffffff81550066>] __schedule+0x469/0x6cd^M
[  439.755663]  [<ffffffff8155039b>] schedule+0x82/0x9a^M
[  439.789267]  [<ffffffff8119b28b>] signalfd_read+0x186/0x49a^M
[  439.790911]  [<ffffffff8106d86a>] ? wake_up_q+0x47/0x47^M
[  439.790911]  [<ffffffff811618c2>] __vfs_read+0x28/0x9f^M
[  439.790911]  [<ffffffff8117a289>] ? __fget_light+0x4d/0x74^M
[  439.790911]  [<ffffffff811620a7>] vfs_read+0x7a/0xc6^M
[  439.790911]  [<ffffffff8116292b>] SyS_read+0x49/0x7f^M
[  439.790911]  [<ffffffff81554c17>] entry_SYSCALL_64_fastpath+0x12/0x6f^M
[  439.790911] Code: 48 89 e5 e8 a9 b8 e7 ff 5d c3 0f 1f 44 00 00 55 89
f2 48 89 e5 41 54 41 89 f4 53 48 8b 47 60 48 8b 1c d0 48 8b 7b 30 48 8b
53 38 <48> 8b 87 58 01 00 00 48 85 c0 75 09 48 8b 97 88 0c 00 00 eb 10
^M
[  439.790911] RIP  [<ffffffff812d89ba>] blk_mq_tag_to_rq+0x21/0x6e^M
[  439.790911]  RSP <ffff880819203da0>^M
[  439.790911] CR2: 0000000000000158^M
[  439.790911] ---[ end trace d40af58949325661 ]---^M

Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
[bwh: Backported to 3.16:
 - Flush state is in struct request_queue, not struct blk_flush_queue
 - Flush request cloning is done in blk_mq_clone_flush_request() rather
   than blk_kick_flush()
 - Drop changes in bt{,_tags}_for_each()
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-flush.c  | 15 ++++++++++++++-
 block/blk-mq-tag.c |  4 ++--
 block/blk-mq-tag.h | 12 ++++++++++++
 block/blk-mq.c     | 16 +---------------
 block/blk.h        |  6 ++++++
 5 files changed, 35 insertions(+), 18 deletions(-)

--- a/block/blk-flush.c
+++ b/block/blk-flush.c
@@ -73,6 +73,7 @@
 
 #include "blk.h"
 #include "blk-mq.h"
+#include "blk-mq-tag.h"
 
 /* FLUSH/FUA sequences */
 enum {
@@ -224,7 +225,12 @@ static void flush_end_io(struct request
 	unsigned long flags = 0;
 
 	if (q->mq_ops) {
+		struct blk_mq_hw_ctx *hctx;
+
+		/* release the tag's ownership to the req cloned from */
 		spin_lock_irqsave(&q->mq_flush_lock, flags);
+		hctx = q->mq_ops->map_queue(q, q->flush_rq->mq_ctx->cpu);
+		blk_mq_tag_set_rq(hctx, q->flush_rq->tag, q->orig_rq);
 		q->flush_rq->tag = -1;
 	}
 
--- a/block/blk-mq-tag.h
+++ b/block/blk-mq-tag.h
@@ -85,4 +85,16 @@ static inline void blk_mq_tag_idle(struc
 	__blk_mq_tag_idle(hctx);
 }
 
+/*
+ * This helper should only be used for flush request to share tag
+ * with the request cloned from, and both the two requests can't be
+ * in flight at the same time. The caller has to make sure the tag
+ * can't be freed.
+ */
+static inline void blk_mq_tag_set_rq(struct blk_mq_hw_ctx *hctx,
+		unsigned int tag, struct request *rq)
+{
+	hctx->tags->rqs[tag] = rq;
+}
+
 #endif
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -310,6 +310,9 @@ void blk_mq_clone_flush_request(struct r
 	flush_rq->tag = orig_rq->tag;
 	memcpy(blk_mq_rq_to_pdu(flush_rq), blk_mq_rq_to_pdu(orig_rq),
 		hctx->cmd_size);
+	orig_rq->q->orig_rq = orig_rq;
+
+	blk_mq_tag_set_rq(hctx, orig_rq->tag, flush_rq);
 }
 
 inline void __blk_mq_end_io(struct request *rq, int error)
@@ -520,20 +523,9 @@ void blk_mq_kick_requeue_list(struct req
 }
 EXPORT_SYMBOL(blk_mq_kick_requeue_list);
 
-static inline bool is_flush_request(struct request *rq, unsigned int tag)
-{
-	return ((rq->cmd_flags & REQ_FLUSH_SEQ) &&
-			rq->q->flush_rq->tag == tag);
-}
-
 struct request *blk_mq_tag_to_rq(struct blk_mq_tags *tags, unsigned int tag)
 {
-	struct request *rq = tags->rqs[tag];
-
-	if (!is_flush_request(rq, tag))
-		return rq;
-
-	return rq->q->flush_rq;
+	return tags->rqs[tag];
 }
 EXPORT_SYMBOL(blk_mq_tag_to_rq);
 
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -462,6 +462,12 @@ struct request_queue {
 	struct list_head	flush_queue[2];
 	struct list_head	flush_data_in_flight;
 	struct request		*flush_rq;
+
+	/*
+	 * flush_rq shares tag with this rq, both can't be active
+	 * at the same time
+	 */
+	struct request		*orig_rq;
 	spinlock_t		mq_flush_lock;
 
 	struct list_head	requeue_list;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 248/254] media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 164/254] usbip: remove kernel addresses from usb device and urb debug msgs Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 170/254] mm/mprotect: add a cond_resched() inside change_pmd_range() Ben Hutchings
                   ` (208 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Hans Verkuil, Daniel Mentz

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Mentz <danielmentz@google.com>

commit 025a26fa14f8fd55d50ab284a30c016a5be953d0 upstream.

Commit b2787845fb91 ("V4L/DVB (5289): Add support for video output
overlays.") added the field global_alpha to struct v4l2_window but did
not update the compat layer accordingly. This change adds global_alpha
to struct v4l2_window32 and copies the value for global_alpha back and
forth.

Signed-off-by: Daniel Mentz <danielmentz@google.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -45,6 +45,7 @@ struct v4l2_window32 {
 	compat_caddr_t		clips; /* actually struct v4l2_clip32 * */
 	__u32			clipcount;
 	compat_caddr_t		bitmap;
+	__u8                    global_alpha;
 };
 
 static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
@@ -53,7 +54,8 @@ static int get_v4l2_window32(struct v4l2
 	    copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
 	    get_user(kp->field, &up->field) ||
 	    get_user(kp->chromakey, &up->chromakey) ||
-	    get_user(kp->clipcount, &up->clipcount))
+	    get_user(kp->clipcount, &up->clipcount) ||
+	    get_user(kp->global_alpha, &up->global_alpha))
 		return -EFAULT;
 	if (kp->clipcount > 2048)
 		return -EINVAL;
@@ -86,7 +88,8 @@ static int put_v4l2_window32(struct v4l2
 	if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
 	    put_user(kp->field, &up->field) ||
 	    put_user(kp->chromakey, &up->chromakey) ||
-	    put_user(kp->clipcount, &up->clipcount))
+	    put_user(kp->clipcount, &up->clipcount) ||
+	    put_user(kp->global_alpha, &up->global_alpha))
 		return -EFAULT;
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 221/254] cfg80211: fix station info handling bugs
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 072/254] ASN.1: check for error from ASN1_OP_END__ACT actions Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 123/254] net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks Ben Hutchings
                   ` (191 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Johannes Berg

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 5762d7d3eda25c03cc2d9d45227be3f5ab6bec9e upstream.

Fix two places where the structure isn't initialized to zero,
and thus can't be filled properly by the driver.

Fixes: 4a4b8169501b ("cfg80211: Accept multiple RSSI thresholds for CQM")
Fixes: 9930380f0bd8 ("cfg80211: implement IWRATE")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: drop change in cfg80211_cqm_rssi_update()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -1273,8 +1273,7 @@ static int cfg80211_wext_giwrate(struct
 {
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
-	/* we are under RTNL - globally locked - so can use a static struct */
-	static struct station_info sinfo;
+	struct station_info sinfo = {};
 	u8 addr[ETH_ALEN];
 	int err;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 029/254] hv: kvp: Avoid reading past allocated blocks from KVP file
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 058/254] ALSA: pcm: prevent UAF in snd_pcm_info Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 166/254] phy: Add helper function to check phy interface mode Ben Hutchings
                   ` (62 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Long Li, K. Y. Srinivasan, Paul Meyer, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Meyer <Paul.Meyer@microsoft.com>

commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.

While reading in more than one block (50) of KVP records, the allocation
goes per block, but the reads used the total number of allocated records
(without resetting the pointer/stream). This causes the records buffer to
overrun when the refresh reads more than one block over the previous
capacity (e.g. reading more than 100 KVP records whereas the in-memory
database was empty before).

Fix this by reading the correct number of KVP records from file each time.

Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
Signed-off-by: Long Li <longli@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/hv/hv_kvp_daemon.c | 70 ++++++++++--------------------------------------
 1 file changed, 14 insertions(+), 56 deletions(-)

--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -196,11 +196,14 @@ static void kvp_update_mem_state(int poo
 	for (;;) {
 		readp = &record[records_read];
 		records_read += fread(readp, sizeof(struct kvp_record),
-					ENTRIES_PER_BLOCK * num_blocks,
-					filep);
+				ENTRIES_PER_BLOCK * num_blocks - records_read,
+				filep);
 
 		if (ferror(filep)) {
-			syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
+			syslog(LOG_ERR,
+				"Failed to read file, pool: %d; error: %d %s",
+				 pool, errno, strerror(errno));
+			kvp_release_lock(pool);
 			exit(EXIT_FAILURE);
 		}
 
@@ -213,6 +216,7 @@ static void kvp_update_mem_state(int poo
 
 			if (record == NULL) {
 				syslog(LOG_ERR, "malloc failed");
+				kvp_release_lock(pool);
 				exit(EXIT_FAILURE);
 			}
 			continue;
@@ -227,15 +231,11 @@ static void kvp_update_mem_state(int poo
 	fclose(filep);
 	kvp_release_lock(pool);
 }
+
 static int kvp_file_init(void)
 {
 	int  fd;
-	FILE *filep;
-	size_t records_read;
 	char *fname;
-	struct kvp_record *record;
-	struct kvp_record *readp;
-	int num_blocks;
 	int i;
 	int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
 
@@ -249,61 +249,19 @@ static int kvp_file_init(void)
 
 	for (i = 0; i < KVP_POOL_COUNT; i++) {
 		fname = kvp_file_info[i].fname;
-		records_read = 0;
-		num_blocks = 1;
 		sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
 		fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
 
 		if (fd == -1)
 			return 1;
 
-
-		filep = fopen(fname, "re");
-		if (!filep) {
-			close(fd);
-			return 1;
-		}
-
-		record = malloc(alloc_unit * num_blocks);
-		if (record == NULL) {
-			fclose(filep);
-			close(fd);
-			return 1;
-		}
-		for (;;) {
-			readp = &record[records_read];
-			records_read += fread(readp, sizeof(struct kvp_record),
-					ENTRIES_PER_BLOCK,
-					filep);
-
-			if (ferror(filep)) {
-				syslog(LOG_ERR, "Failed to read file, pool: %d",
-				       i);
-				exit(EXIT_FAILURE);
-			}
-
-			if (!feof(filep)) {
-				/*
-				 * We have more data to read.
-				 */
-				num_blocks++;
-				record = realloc(record, alloc_unit *
-						num_blocks);
-				if (record == NULL) {
-					fclose(filep);
-					close(fd);
-					return 1;
-				}
-				continue;
-			}
-			break;
-		}
 		kvp_file_info[i].fd = fd;
-		kvp_file_info[i].num_blocks = num_blocks;
-		kvp_file_info[i].records = record;
-		kvp_file_info[i].num_records = records_read;
-		fclose(filep);
-
+		kvp_file_info[i].num_blocks = 1;
+		kvp_file_info[i].records = malloc(alloc_unit);
+		if (kvp_file_info[i].records == NULL)
+			return 1;
+		kvp_file_info[i].num_records = 0;
+		kvp_update_mem_state(i);
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 168/254] sh_eth: fix TSU resource handling
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 243/254] media: v4l2-compat-ioctl32.c: fix the indentation Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 085/254] nl80211: fix nl80211_send_iface() error paths Ben Hutchings
                   ` (164 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Sergei Shtylyov, Nobuhiro Iwamatsu

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit dfe8266b8dd10e12a731c985b725fcf7f0e537f0 upstream.

When switching  the driver to the managed device API,  I managed to break
the  case of a  dual Ether devices sharing a single TSU: the 2nd Ether port
wouldn't probe. Iwamatsu-san has tried to fix this but his patch was buggy
and he then dropped the ball...

The solution is to  limit calling devm_request_mem_region() to the first
of  the two  ports  sharing the same TSU, so devm_ioremap_resource() can't
be used anymore for the TSU resource...

Fixes: d5e07e69218f ("sh_eth: use managed device API")
Reported-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -2873,10 +2873,29 @@ static int sh_eth_drv_probe(struct platf
 	/* ioremap the TSU registers */
 	if (mdp->cd->tsu) {
 		struct resource *rtsu;
+
 		rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1);
-		mdp->tsu_addr = devm_ioremap_resource(&pdev->dev, rtsu);
-		if (IS_ERR(mdp->tsu_addr)) {
-			ret = PTR_ERR(mdp->tsu_addr);
+		if (!rtsu) {
+			dev_err(&pdev->dev, "no TSU resource\n");
+			ret = -ENODEV;
+			goto out_release;
+		}
+		/* We can only request the  TSU region  for the first port
+		 * of the two  sharing this TSU for the probe to succeed...
+		 */
+		if (devno % 2 == 0 &&
+		    !devm_request_mem_region(&pdev->dev, rtsu->start,
+					     resource_size(rtsu),
+					     dev_name(&pdev->dev))) {
+			dev_err(&pdev->dev, "can't request TSU resource.\n");
+			ret = -EBUSY;
+			goto out_release;
+		}
+		mdp->tsu_addr = devm_ioremap(&pdev->dev, rtsu->start,
+					     resource_size(rtsu));
+		if (!mdp->tsu_addr) {
+			dev_err(&pdev->dev, "TSU region ioremap() failed.\n");
+			ret = -ENOMEM;
 			goto out_release;
 		}
 		mdp->port = devno % 2;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 243/254] media: v4l2-compat-ioctl32.c: fix the indentation
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 002/254] ASoC: twl4030: fix child-node lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 168/254] sh_eth: fix TSU resource handling Ben Hutchings
                   ` (165 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit b7b957d429f601d6d1942122b339474f31191d75 upstream.

The indentation of this source is all over the place. Fix this.
This patch only changes whitespace.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Rebased on top of some earlier fixes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -48,11 +48,11 @@ struct v4l2_window32 {
 static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
 {
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) ||
-		copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
-		get_user(kp->field, &up->field) ||
-		get_user(kp->chromakey, &up->chromakey) ||
-		get_user(kp->clipcount, &up->clipcount))
-			return -EFAULT;
+	    copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
+	    get_user(kp->field, &up->field) ||
+	    get_user(kp->chromakey, &up->chromakey) ||
+	    get_user(kp->clipcount, &up->clipcount))
+		return -EFAULT;
 	if (kp->clipcount > 2048)
 		return -EINVAL;
 	if (kp->clipcount) {
@@ -82,10 +82,10 @@ static int get_v4l2_window32(struct v4l2
 static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
 {
 	if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
-		put_user(kp->field, &up->field) ||
-		put_user(kp->chromakey, &up->chromakey) ||
-		put_user(kp->clipcount, &up->clipcount))
-			return -EFAULT;
+	    put_user(kp->field, &up->field) ||
+	    put_user(kp->chromakey, &up->chromakey) ||
+	    put_user(kp->clipcount, &up->clipcount))
+		return -EFAULT;
 	return 0;
 }
 
@@ -97,7 +97,7 @@ static inline int get_v4l2_pix_format(st
 }
 
 static inline int get_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
-				struct v4l2_pix_format_mplane __user *up)
+					     struct v4l2_pix_format_mplane __user *up)
 {
 	if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format_mplane)))
 		return -EFAULT;
@@ -112,7 +112,7 @@ static inline int put_v4l2_pix_format(st
 }
 
 static inline int put_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
-				struct v4l2_pix_format_mplane __user *up)
+					     struct v4l2_pix_format_mplane __user *up)
 {
 	if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format_mplane)))
 		return -EFAULT;
@@ -200,7 +200,7 @@ static int __get_v4l2_format32(struct v4
 		return get_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
 	default:
 		printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
-								kp->type);
+		       kp->type);
 		return -EINVAL;
 	}
 }
@@ -244,7 +244,7 @@ static int __put_v4l2_format32(struct v4
 		return put_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
 	default:
 		printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
-								kp->type);
+		       kp->type);
 		return -EINVAL;
 	}
 }
@@ -278,7 +278,7 @@ static int get_v4l2_standard32(struct v4
 {
 	/* other fields are not set by the user, nor used by the driver */
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) ||
-		get_user(kp->index, &up->index))
+	    get_user(kp->index, &up->index))
 		return -EFAULT;
 	return 0;
 }
@@ -286,13 +286,13 @@ static int get_v4l2_standard32(struct v4
 static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
-		put_user(kp->index, &up->index) ||
-		put_user(kp->id, &up->id) ||
-		copy_to_user(up->name, kp->name, 24) ||
-		copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
-		put_user(kp->framelines, &up->framelines) ||
-		copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32)))
-			return -EFAULT;
+	    put_user(kp->index, &up->index) ||
+	    put_user(kp->id, &up->id) ||
+	    copy_to_user(up->name, kp->name, 24) ||
+	    copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
+	    put_user(kp->framelines, &up->framelines) ||
+	    copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32)))
+		return -EFAULT;
 	return 0;
 }
 
@@ -332,14 +332,14 @@ struct v4l2_buffer32 {
 };
 
 static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
-				enum v4l2_memory memory)
+			    enum v4l2_memory memory)
 {
 	void __user *up_pln;
 	compat_long_t p;
 
 	if (copy_in_user(up, up32, 2 * sizeof(__u32)) ||
-		copy_in_user(&up->data_offset, &up32->data_offset,
-				sizeof(__u32)))
+	    copy_in_user(&up->data_offset, &up32->data_offset,
+			 sizeof(__u32)))
 		return -EFAULT;
 
 	if (memory == V4L2_MEMORY_USERPTR) {
@@ -353,7 +353,7 @@ static int get_v4l2_plane32(struct v4l2_
 			return -EFAULT;
 	} else {
 		if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
-					sizeof(__u32)))
+				 sizeof(__u32)))
 			return -EFAULT;
 	}
 
@@ -361,23 +361,23 @@ static int get_v4l2_plane32(struct v4l2_
 }
 
 static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
-				enum v4l2_memory memory)
+			    enum v4l2_memory memory)
 {
 	if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
-		copy_in_user(&up32->data_offset, &up->data_offset,
-				sizeof(__u32)))
+	    copy_in_user(&up32->data_offset, &up->data_offset,
+			 sizeof(__u32)))
 		return -EFAULT;
 
 	/* For MMAP, driver might've set up the offset, so copy it back.
 	 * USERPTR stays the same (was userspace-provided), so no copying. */
 	if (memory == V4L2_MEMORY_MMAP)
 		if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset,
-					sizeof(__u32)))
+				 sizeof(__u32)))
 			return -EFAULT;
 	/* For DMABUF, driver might've set up the fd, so copy it back. */
 	if (memory == V4L2_MEMORY_DMABUF)
 		if (copy_in_user(&up32->m.fd, &up->m.fd,
-					sizeof(int)))
+				 sizeof(int)))
 			return -EFAULT;
 
 	return 0;
@@ -392,19 +392,19 @@ static int get_v4l2_buffer32(struct v4l2
 	int ret;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) ||
-		get_user(kp->index, &up->index) ||
-		get_user(kp->type, &up->type) ||
-		get_user(kp->flags, &up->flags) ||
-		get_user(kp->memory, &up->memory) ||
-		get_user(kp->length, &up->length))
-			return -EFAULT;
+	    get_user(kp->index, &up->index) ||
+	    get_user(kp->type, &up->type) ||
+	    get_user(kp->flags, &up->flags) ||
+	    get_user(kp->memory, &up->memory) ||
+	    get_user(kp->length, &up->length))
+		return -EFAULT;
 
 	if (V4L2_TYPE_IS_OUTPUT(kp->type))
 		if (get_user(kp->bytesused, &up->bytesused) ||
-			get_user(kp->field, &up->field) ||
-			get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-			get_user(kp->timestamp.tv_usec,
-					&up->timestamp.tv_usec))
+		    get_user(kp->field, &up->field) ||
+		    get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+		    get_user(kp->timestamp.tv_usec,
+			     &up->timestamp.tv_usec))
 			return -EFAULT;
 
 	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
@@ -421,13 +421,13 @@ static int get_v4l2_buffer32(struct v4l2
 
 		uplane32 = compat_ptr(p);
 		if (!access_ok(VERIFY_READ, uplane32,
-				num_planes * sizeof(struct v4l2_plane32)))
+			       num_planes * sizeof(struct v4l2_plane32)))
 			return -EFAULT;
 
 		/* We don't really care if userspace decides to kill itself
 		 * by passing a very big num_planes value */
 		uplane = compat_alloc_user_space(num_planes *
-						sizeof(struct v4l2_plane));
+						 sizeof(struct v4l2_plane));
 		kp->m.planes = (__force struct v4l2_plane *)uplane;
 
 		while (--num_planes >= 0) {
@@ -445,12 +445,12 @@ static int get_v4l2_buffer32(struct v4l2
 			break;
 		case V4L2_MEMORY_USERPTR:
 			{
-			compat_long_t tmp;
+				compat_long_t tmp;
 
-			if (get_user(tmp, &up->m.userptr))
-				return -EFAULT;
+				if (get_user(tmp, &up->m.userptr))
+					return -EFAULT;
 
-			kp->m.userptr = (unsigned long)compat_ptr(tmp);
+				kp->m.userptr = (unsigned long)compat_ptr(tmp);
 			}
 			break;
 		case V4L2_MEMORY_OVERLAY:
@@ -476,22 +476,22 @@ static int put_v4l2_buffer32(struct v4l2
 	int ret;
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) ||
-		put_user(kp->index, &up->index) ||
-		put_user(kp->type, &up->type) ||
-		put_user(kp->flags, &up->flags) ||
-		put_user(kp->memory, &up->memory))
-			return -EFAULT;
+	    put_user(kp->index, &up->index) ||
+	    put_user(kp->type, &up->type) ||
+	    put_user(kp->flags, &up->flags) ||
+	    put_user(kp->memory, &up->memory))
+		return -EFAULT;
 
 	if (put_user(kp->bytesused, &up->bytesused) ||
-		put_user(kp->field, &up->field) ||
-		put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-		put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
-		copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
-		put_user(kp->sequence, &up->sequence) ||
-		put_user(kp->reserved2, &up->reserved2) ||
-		put_user(kp->reserved, &up->reserved) ||
-		put_user(kp->length, &up->length))
-			return -EFAULT;
+	    put_user(kp->field, &up->field) ||
+	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+	    put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
+	    copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
+	    put_user(kp->sequence, &up->sequence) ||
+	    put_user(kp->reserved2, &up->reserved2) ||
+	    put_user(kp->reserved, &up->reserved) ||
+	    put_user(kp->length, &up->length))
+		return -EFAULT;
 
 	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
 		num_planes = kp->length;
@@ -546,10 +546,10 @@ static int get_v4l2_framebuffer32(struct
 	u32 tmp;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) ||
-		get_user(tmp, &up->base) ||
-		get_user(kp->capability, &up->capability) ||
-		get_user(kp->flags, &up->flags))
-			return -EFAULT;
+	    get_user(tmp, &up->base) ||
+	    get_user(kp->capability, &up->capability) ||
+	    get_user(kp->flags, &up->flags))
+		return -EFAULT;
 	kp->base = (__force void *)compat_ptr(tmp);
 	get_v4l2_pix_format(&kp->fmt, &up->fmt);
 	return 0;
@@ -560,10 +560,10 @@ static int put_v4l2_framebuffer32(struct
 	u32 tmp = (u32)((unsigned long)kp->base);
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) ||
-		put_user(tmp, &up->base) ||
-		put_user(kp->capability, &up->capability) ||
-		put_user(kp->flags, &up->flags))
-			return -EFAULT;
+	    put_user(tmp, &up->base) ||
+	    put_user(kp->capability, &up->capability) ||
+	    put_user(kp->flags, &up->flags))
+		return -EFAULT;
 	put_v4l2_pix_format(&kp->fmt, &up->fmt);
 	return 0;
 }
@@ -597,11 +597,11 @@ static inline int put_v4l2_input32(struc
 }
 
 struct v4l2_ext_controls32 {
-       __u32 ctrl_class;
-       __u32 count;
-       __u32 error_idx;
-       __u32 reserved[2];
-       compat_caddr_t controls; /* actually struct v4l2_ext_control32 * */
+	__u32 ctrl_class;
+	__u32 count;
+	__u32 error_idx;
+	__u32 reserved[2];
+	compat_caddr_t controls; /* actually struct v4l2_ext_control32 * */
 };
 
 struct v4l2_ext_control32 {
@@ -640,11 +640,11 @@ static int get_v4l2_ext_controls32(struc
 	compat_caddr_t p;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_ext_controls32)) ||
-		get_user(kp->ctrl_class, &up->ctrl_class) ||
-		get_user(kp->count, &up->count) ||
-		get_user(kp->error_idx, &up->error_idx) ||
-		copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
-			return -EFAULT;
+	    get_user(kp->ctrl_class, &up->ctrl_class) ||
+	    get_user(kp->count, &up->count) ||
+	    get_user(kp->error_idx, &up->error_idx) ||
+	    copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
+		return -EFAULT;
 	n = kp->count;
 	if (n == 0) {
 		kp->controls = NULL;
@@ -654,7 +654,7 @@ static int get_v4l2_ext_controls32(struc
 		return -EFAULT;
 	ucontrols = compat_ptr(p);
 	if (!access_ok(VERIFY_READ, ucontrols,
-			n * sizeof(struct v4l2_ext_control32)))
+		       n * sizeof(struct v4l2_ext_control32)))
 		return -EFAULT;
 	kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
 	kp->controls = (__force struct v4l2_ext_control *)kcontrols;
@@ -689,11 +689,11 @@ static int put_v4l2_ext_controls32(struc
 	compat_caddr_t p;
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_ext_controls32)) ||
-		put_user(kp->ctrl_class, &up->ctrl_class) ||
-		put_user(kp->count, &up->count) ||
-		put_user(kp->error_idx, &up->error_idx) ||
-		copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
-			return -EFAULT;
+	    put_user(kp->ctrl_class, &up->ctrl_class) ||
+	    put_user(kp->count, &up->count) ||
+	    put_user(kp->error_idx, &up->error_idx) ||
+	    copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+		return -EFAULT;
 	if (!kp->count)
 		return 0;
 
@@ -701,7 +701,7 @@ static int put_v4l2_ext_controls32(struc
 		return -EFAULT;
 	ucontrols = compat_ptr(p);
 	if (!access_ok(VERIFY_WRITE, ucontrols,
-			n * sizeof(struct v4l2_ext_control32)))
+		       n * sizeof(struct v4l2_ext_control32)))
 		return -EFAULT;
 
 	while (--n >= 0) {
@@ -739,15 +739,15 @@ struct v4l2_event32 {
 static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_event32)) ||
-		put_user(kp->type, &up->type) ||
-		copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
-		put_user(kp->pending, &up->pending) ||
-		put_user(kp->sequence, &up->sequence) ||
-		put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-		put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
-		put_user(kp->id, &up->id) ||
-		copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
-			return -EFAULT;
+	    put_user(kp->type, &up->type) ||
+	    copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
+	    put_user(kp->pending, &up->pending) ||
+	    put_user(kp->sequence, &up->sequence) ||
+	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
+	    put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
+	    put_user(kp->id, &up->id) ||
+	    copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
+		return -EFAULT;
 	return 0;
 }
 
@@ -764,12 +764,12 @@ static int get_v4l2_edid32(struct v4l2_e
 	u32 tmp;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_edid32)) ||
-		get_user(kp->pad, &up->pad) ||
-		get_user(kp->start_block, &up->start_block) ||
-		get_user(kp->blocks, &up->blocks) ||
-		get_user(tmp, &up->edid) ||
-		copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
-			return -EFAULT;
+	    get_user(kp->pad, &up->pad) ||
+	    get_user(kp->start_block, &up->start_block) ||
+	    get_user(kp->blocks, &up->blocks) ||
+	    get_user(tmp, &up->edid) ||
+	    copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
+		return -EFAULT;
 	kp->edid = (__force u8 *)compat_ptr(tmp);
 	return 0;
 }
@@ -779,12 +779,12 @@ static int put_v4l2_edid32(struct v4l2_e
 	u32 tmp = (u32)((unsigned long)kp->edid);
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_edid32)) ||
-		put_user(kp->pad, &up->pad) ||
-		put_user(kp->start_block, &up->start_block) ||
-		put_user(kp->blocks, &up->blocks) ||
-		put_user(tmp, &up->edid) ||
-		copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
-			return -EFAULT;
+	    put_user(kp->pad, &up->pad) ||
+	    put_user(kp->start_block, &up->start_block) ||
+	    put_user(kp->blocks, &up->blocks) ||
+	    put_user(tmp, &up->edid) ||
+	    copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+		return -EFAULT;
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 052/254] batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 222/254] x86/mce: Make machine check speculation protected Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 207/254] cfg80211: check dev_set_name() return value Ben Hutchings
                   ` (182 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, Simon Wunderlich

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 5ba7dcfe77037b67016263ea597a8b431692ecab upstream.

The originator node object orig_neigh_node is used to when accessing the
bcast_own(_sum) and real_packet_count information. The access to them has
to be protected with the spinlock in orig_neigh_node.

But the function uses the lock in orig_node instead. This is incorrect
because they could be two different originator node objects.

Fixes: 0ede9f41b217 ("batman-adv: protect bit operations to count OGMs with spinlock")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/bat_iv_ogm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1174,7 +1174,7 @@ static int batadv_iv_ogm_calc_tq(struct
 	orig_node->last_seen = jiffies;
 
 	/* find packet count of corresponding one hop neighbor */
-	spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock);
+	spin_lock_bh(&orig_neigh_node->bat_iv.ogm_cnt_lock);
 	if_num = if_incoming->if_num;
 	orig_eq_count = orig_neigh_node->bat_iv.bcast_own_sum[if_num];
 	neigh_ifinfo = batadv_neigh_ifinfo_new(neigh_node, if_outgoing);
@@ -1184,7 +1184,7 @@ static int batadv_iv_ogm_calc_tq(struct
 	} else {
 		neigh_rq_count = 0;
 	}
-	spin_unlock_bh(&orig_node->bat_iv.ogm_cnt_lock);
+	spin_unlock_bh(&orig_neigh_node->bat_iv.ogm_cnt_lock);
 
 	/* pay attention to not get a value bigger than 100 % */
 	if (orig_eq_count > neigh_rq_count)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 051/254] netfilter: xt_bpf: add overflow checks
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (192 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 166/254] phy: Add helper function to check phy interface mode Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 230/254] hrtimer: Reset hrtimer cpu base proper on CPU hotplug Ben Hutchings
                   ` (60 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Jann Horn

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 6ab405114b0b229151ef06f4e31c7834dd09d0c0 upstream.

Check whether inputs from userspace are too long (explicit length field too
big or string not null-terminated) to avoid out-of-bounds reads.

As far as I can tell, this can at worst lead to very limited kernel heap
memory disclosure or oopses.

This bug can be triggered by an unprivileged user even if the xt_bpf module
is not loaded: iptables is available in network namespaces, and the xt_bpf
module can be autoloaded.

Triggering the bug with a classic BPF filter with fake length 0x1000 causes
the following KASAN report:

==================================================================
BUG: KASAN: slab-out-of-bounds in bpf_prog_create+0x84/0xf0
Read of size 32768 at addr ffff8801eff2c494 by task test/4627

CPU: 0 PID: 4627 Comm: test Not tainted 4.15.0-rc1+ #1
[...]
Call Trace:
 dump_stack+0x5c/0x85
 print_address_description+0x6a/0x260
 kasan_report+0x254/0x370
 ? bpf_prog_create+0x84/0xf0
 memcpy+0x1f/0x50
 bpf_prog_create+0x84/0xf0
 bpf_mt_check+0x90/0xd6 [xt_bpf]
[...]
Allocated by task 4627:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc_node+0x47/0x60
 xt_alloc_table_info+0x41/0x70 [x_tables]
[...]
The buggy address belongs to the object at ffff8801eff2c3c0
                which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 212 bytes inside of
                2048-byte region [ffff8801eff2c3c0, ffff8801eff2cbc0)
[...]
==================================================================

Fixes: e6f30c731718 ("netfilter: x_tables: add xt_bpf match")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16:
 - Add len variable in bpf_mt_check()
 - Drop change in __bpf_mt_check_path()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -24,8 +24,12 @@ static int bpf_mt_check(const struct xt_
 {
 	struct xt_bpf_info *info = par->matchinfo;
 	struct sock_fprog_kern program;
+	u16 len = info->bpf_program_num_elem;
 
-	program.len = info->bpf_program_num_elem;
+	if (len > XT_BPF_MAX_NUM_INSTR)
+		return -EINVAL;
+
+	program.len = len;
 	program.filter = info->bpf_program;
 
 	if (sk_unattached_filter_create(&info->filter, &program)) {

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 102/254] MIPS: ptrace: Fix FP context restoration FCSR regression
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 004/254] KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 231/254] of: fdt: Fix return with value in void function Ben Hutchings
                   ` (228 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, linux-mips, Maciej W. Rozycki

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit 4249548454f7ba4581aeee26bd83f42b48a14d15 upstream.

Fix a floating-point context restoration regression introduced with
commit 9b26616c8d9d ("MIPS: Respect the ISA level in FCSR handling")
that causes a Floating Point exception and consequently a kernel oops
with hard float configurations when one or more FCSR Enable and their
corresponding Cause bits are set both at a time via a ptrace(2) call.

To do so reinstate Cause bit masking originally introduced with commit
b1442d39fac2 ("MIPS: Prevent user from setting FCSR cause bits") to
address this exact problem and then inadvertently removed from the
PTRACE_SETFPREGS request with the commit referred above.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13238/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -176,6 +176,7 @@ int ptrace_setfpregs(struct task_struct
 	}
 
 	__get_user(value, data + 64);
+	value &= ~FPU_CSR_ALL_X;
 	fcr31 = child->thread.fpu.fcr31;
 	mask = boot_cpu_data.fpu_msk31;
 	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 240/254] media: v4l2-ioctl.c: don't copy back the result for -ENOTTY
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 113/254] ALSA: rawmidi: Avoid racy info ioctl via ctl device Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 045/254] virtio: release virtio index when fail to device_register Ben Hutchings
                   ` (204 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Mauro Carvalho Chehab, Sakari Ailus

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 181a4a2d5a0a7b43cab08a70710d727e7764ccdd upstream.

If the ioctl returned -ENOTTY, then don't bother copying
back the result as there is no point.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 16bffd851bf9..e2f71def945a 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -2402,8 +2402,11 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
 
 	/* Handles IOCTL */
 	err = func(file, cmd, parg);
-	if (err == -ENOIOCTLCMD)
+	if (err == -ENOTTY || err == -ENOIOCTLCMD) {
 		err = -ENOTTY;
+		goto out;
+	}
+
 	if (err == 0) {
 		if (cmd == VIDIOC_DQBUF)
 			trace_v4l2_dqbuf(video_devdata(file)->minor, parg);

^ permalink raw reply related	[flat|nested] 261+ messages in thread

* [PATCH 3.16 222/254] x86/mce: Make machine check speculation protected
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 106/254] mips/ptrace: Preserve previous registers for short regset write Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 052/254] batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq Ben Hutchings
                   ` (183 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, David Woodhouse, Borislav Petkov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 6f41c34d69eb005e7848716bbcafc979b35037d5 upstream.

The machine check idtentry uses an indirect branch directly from the low
level code. This evades the speculation protection.

Replace it by a direct call into C code and issue the indirect call there
so the compiler can apply the proper speculation protection.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by:Borislav Petkov <bp@alien8.de>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Niced-by: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801181626290.1847@nanos
[bwh: Backported to 3.16
 - #include <asm/traps.h> in mce.c
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/traps.h
+++ b/arch/x86/include/asm/traps.h
@@ -91,6 +91,7 @@ dotraplinkage void do_simd_coprocessor_e
 #ifdef CONFIG_X86_32
 dotraplinkage void do_iret_error(struct pt_regs *, long);
 #endif
+dotraplinkage void do_mce(struct pt_regs *, long);
 
 static inline int get_si_code(unsigned long condition)
 {
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -46,6 +46,7 @@
 #include <asm/tlbflush.h>
 #include <asm/mce.h>
 #include <asm/msr.h>
+#include <asm/traps.h>
 
 #include "mce-internal.h"
 
@@ -1693,6 +1694,11 @@ static void unexpected_machine_check(str
 void (*machine_check_vector)(struct pt_regs *, long error_code) =
 						unexpected_machine_check;
 
+dotraplinkage void do_mce(struct pt_regs *regs, long error_code)
+{
+	machine_check_vector(regs, error_code);
+}
+
 /*
  * Called for each booted CPU to set up machine checks.
  * Must be called with preempt off:
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1320,7 +1320,7 @@ trace_idtentry page_fault do_page_fault
 idtentry async_page_fault do_async_page_fault has_error_code=1
 #endif
 #ifdef CONFIG_X86_MCE
-idtentry machine_check has_error_code=0 paranoid=1 do_sym=*machine_check_vector(%rip)
+idtentry machine_check		do_mce			has_error_code=0	paranoid=1
 #endif
 
 	/*

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 101/254] MIPS: Fix a preemption issue with thread's FPU defaults
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 086/254] ipv4: Use standard iovec primitive in raw_probe_proto_opt Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 028/254] isa: Prevent NULL dereference in isa_bus driver callbacks Ben Hutchings
                   ` (217 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, Ezequiel Garcia, Markos Chandras,
	Paul Martin, Maciej W. Rozycki, linux-mips, James Hogan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit 03dce595270f22d59a6f37e9170287c1afd94bc2 upstream.

Fix "BUG: using smp_processor_id() in preemptible" reported in accesses
to thread's FPU defaults: the value to initialise FSCR to at program
startup, the FCSR r/w mask and the contents of FIR in full FPU
emulation, removing a regression introduced with 9b26616c [MIPS: Respect
the ISA level in FCSR handling] and f6843626 [MIPS: math-emu: Set FIR
feature flags for full emulation].

Use `boot_cpu_data' to obtain the data from, following the approach that
`cpu_has_*' macros take and avoiding the call to `smp_processor_id' made
in the reference to `current_cpu_data'.  The contents of FSCR have to be
consistent across processors in an SMP system, the settings there must
not change as a thread is migrated across processors.  And the contents
of FIR are guaranteed to be consistent in FPU emulation, by definition.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Tested-by: Ezequiel Garcia <ezequiel.garcia@imgtec.com>
Tested-by: Paul Martin <paul.martin@codethink.co.uk>
Cc: Markos Chandras <Markos.Chandras@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10030/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16:
 - Drop change in cop1_cfc()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/include/asm/elf.h
+++ b/arch/mips/include/asm/elf.h
@@ -277,7 +277,7 @@ do {									\
 									\
 	current->thread.abi = &mips_abi;				\
 									\
-	current->thread.fpu.fcr31 = current_cpu_data.fpu_csr31;		\
+	current->thread.fpu.fcr31 = boot_cpu_data.fpu_csr31;		\
 } while (0)
 
 #endif /* CONFIG_32BIT */
@@ -337,7 +337,7 @@ do {									\
 	else								\
 		current->thread.abi = &mips_abi;			\
 									\
-	current->thread.fpu.fcr31 = current_cpu_data.fpu_csr31;		\
+	current->thread.fpu.fcr31 = boot_cpu_data.fpu_csr31;		\
 									\
 	p = personality(current->personality);				\
 	if (p != PER_LINUX32 && p != PER_LINUX)				\
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -177,7 +177,7 @@ int ptrace_setfpregs(struct task_struct
 
 	__get_user(value, data + 64);
 	fcr31 = child->thread.fpu.fcr31;
-	mask = current_cpu_data.fpu_msk31;
+	mask = boot_cpu_data.fpu_msk31;
 	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
 
 	/* FIR may not be written.  */
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -934,7 +934,7 @@ emul:
 				 * Preserve read-only bits,
 				 * and convert to ieee library modes
 				 */
-				mask = current_cpu_data.fpu_msk31;
+				mask = boot_cpu_data.fpu_msk31;
 				ctx->fcr31 = (value & ~(mask | FPU_CSR_RM)) |
 					     (ctx->fcr31 & mask) |
 					     modeindex(value);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 232/254] net: bcmgenet: fix bcmgenet_open()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 231/254] of: fdt: Fix return with value in void function Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 198/254] ALSA: hda - Apply the existing quirk to iMac 14,1 Ben Hutchings
                   ` (226 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Petri Gynther, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Petri Gynther <pgynther@google.com>

commit fac25940c5e0d6f31d56bb2a704fadad6d5e382a upstream.

If bcmgenet_init_dma() fails, it cleans up after itself. Rx and Tx
DMAs are off, and NAPI instances haven't been netif_napi_add()'ed.
Therefore, we need to skip calling bcmgenet_fini_dma() on the error
handling path. bcmgenet_resume() already does this correctly.

Signed-off-by: Petri Gynther <pgynther@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -2058,7 +2058,7 @@ static int bcmgenet_open(struct net_devi
 	ret = bcmgenet_init_dma(priv);
 	if (ret) {
 		netdev_err(dev, "failed to initialize DMA\n");
-		goto err_fini_dma;
+		goto err_clk_disable;
 	}
 
 	/* Always enable ring 16 - descriptor ring */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 188/254] Input: twl6040-vibra - fix child-node lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 209/254] sctp: use the right sk after waking up from wait_buf sleep Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 174/254] x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm Ben Hutchings
                   ` (134 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Torokhov, Johan Hovold, Peter Ujfalusi,
	H. Nikolaus Schaller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit dcaf12a8b0bbdbfcfa2be8dff2c4948d9844b4ad upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at parent rather than just matching on
its children.

Later sanity checks on node properties (which would likely be missing)
should prevent this from causing much trouble however, especially as the
original premature free of the parent node has already been fixed
separately (but that "fix" was apparently never backported to stable).

Fixes: e7ec014a47e4 ("Input: twl6040-vibra - update for device tree support")
Fixes: c52c545ead97 ("Input: twl6040-vibra - fix DT node memory management")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Tested-by: H. Nikolaus Schaller <hns@goldelico.com> (on Pyra OMAP5 hardware)
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/twl6040-vibra.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/input/misc/twl6040-vibra.c
+++ b/drivers/input/misc/twl6040-vibra.c
@@ -264,8 +264,7 @@ static int twl6040_vibra_probe(struct pl
 	int vddvibr_uV = 0;
 	int error;
 
-	of_node_get(twl6040_core_dev->of_node);
-	twl6040_core_node = of_find_node_by_name(twl6040_core_dev->of_node,
+	twl6040_core_node = of_get_child_by_name(twl6040_core_dev->of_node,
 						 "vibra");
 	if (!twl6040_core_node) {
 		dev_err(&pdev->dev, "parent of node is missing?\n");

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 244/254] media: v4l2-compat-ioctl32.c: move  'helper' functions to __get/put_v4l2_format32
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (145 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 013/254] USB: serial: option: add Quectel BG96 id Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 038/254] mfd: twl6040: Fix child-node lookup Ben Hutchings
                   ` (107 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 486c521510c44a04cd756a9267e7d1e271c8a4ba upstream.

These helper functions do not really help. Move the code to the
__get/put_v4l2_format32 functions.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Rebased on top of some earlier fixes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -89,64 +89,6 @@ static int put_v4l2_window32(struct v4l2
 	return 0;
 }
 
-static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
-{
-	if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int get_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
-					     struct v4l2_pix_format_mplane __user *up)
-{
-	if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format_mplane)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
-{
-	if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int put_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
-					     struct v4l2_pix_format_mplane __user *up)
-{
-	if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format_mplane)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
-{
-	if (copy_from_user(kp, up, sizeof(struct v4l2_vbi_format)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
-{
-	if (copy_to_user(up, kp, sizeof(struct v4l2_vbi_format)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int get_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up)
-{
-	if (copy_from_user(kp, up, sizeof(struct v4l2_sliced_vbi_format)))
-		return -EFAULT;
-	return 0;
-}
-
-static inline int put_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up)
-{
-	if (copy_to_user(up, kp, sizeof(struct v4l2_sliced_vbi_format)))
-		return -EFAULT;
-	return 0;
-}
-
 struct v4l2_format32 {
 	__u32	type;	/* enum v4l2_buf_type */
 	union {
@@ -184,20 +126,23 @@ static int __get_v4l2_format32(struct v4
 	switch (kp->type) {
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
-		return get_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix);
+		return copy_from_user(&kp->fmt.pix, &up->fmt.pix,
+				      sizeof(kp->fmt.pix)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
-		return get_v4l2_pix_format_mplane(&kp->fmt.pix_mp,
-						  &up->fmt.pix_mp);
+		return copy_from_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
+				      sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
 		return get_v4l2_window32(&kp->fmt.win, &up->fmt.win);
 	case V4L2_BUF_TYPE_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_VBI_OUTPUT:
-		return get_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi);
+		return copy_from_user(&kp->fmt.vbi, &up->fmt.vbi,
+				      sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
-		return get_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
+		return copy_from_user(&kp->fmt.sliced, &up->fmt.sliced,
+				      sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
 	default:
 		printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
 		       kp->type);
@@ -228,20 +173,23 @@ static int __put_v4l2_format32(struct v4
 	switch (kp->type) {
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
-		return put_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix);
+		return copy_to_user(&up->fmt.pix, &kp->fmt.pix,
+				    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
-		return put_v4l2_pix_format_mplane(&kp->fmt.pix_mp,
-						  &up->fmt.pix_mp);
+		return copy_to_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
+				    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
 		return put_v4l2_window32(&kp->fmt.win, &up->fmt.win);
 	case V4L2_BUF_TYPE_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_VBI_OUTPUT:
-		return put_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi);
+		return copy_to_user(&up->fmt.vbi, &kp->fmt.vbi,
+				    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
-		return put_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
+		return copy_to_user(&up->fmt.sliced, &kp->fmt.sliced,
+				    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
 	default:
 		printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
 		       kp->type);
@@ -548,10 +496,10 @@ static int get_v4l2_framebuffer32(struct
 	if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) ||
 	    get_user(tmp, &up->base) ||
 	    get_user(kp->capability, &up->capability) ||
-	    get_user(kp->flags, &up->flags))
+	    get_user(kp->flags, &up->flags) ||
+	    copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
 		return -EFAULT;
 	kp->base = (__force void *)compat_ptr(tmp);
-	get_v4l2_pix_format(&kp->fmt, &up->fmt);
 	return 0;
 }
 
@@ -562,9 +510,9 @@ static int put_v4l2_framebuffer32(struct
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) ||
 	    put_user(tmp, &up->base) ||
 	    put_user(kp->capability, &up->capability) ||
-	    put_user(kp->flags, &up->flags))
+	    put_user(kp->flags, &up->flags) ||
+	    copy_to_user(&up->fmt, &kp->fmt, sizeof(up->fmt)))
 		return -EFAULT;
-	put_v4l2_pix_format(&kp->fmt, &up->fmt);
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 113/254] ALSA: rawmidi: Avoid racy info ioctl via ctl device
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 077/254] usb: musb: da8xx: fix babble condition handling Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 240/254] media: v4l2-ioctl.c: don't copy back the result for -ENOTTY Ben Hutchings
                   ` (205 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit c1cfd9025cc394fd137a01159d74335c5ac978ce upstream.

The rawmidi also allows to obtaining the information via ioctl of ctl
API.  It means that user can issue an ioctl to the rawmidi device even
when it's being removed as long as the control device is present.
Although the code has some protection via the global register_mutex,
its range is limited to the search of the corresponding rawmidi
object, and the mutex is already unlocked at accessing the rawmidi
object.  This may lead to a use-after-free.

For avoiding it, this patch widens the application of register_mutex
to the whole snd_rawmidi_info_select() function.  We have another
mutex per rawmidi object, but this operation isn't very hot path, so
it shouldn't matter from the performance POV.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/rawmidi.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -589,15 +589,14 @@ static int snd_rawmidi_info_user(struct
 	return 0;
 }
 
-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+static int __snd_rawmidi_info_select(struct snd_card *card,
+				     struct snd_rawmidi_info *info)
 {
 	struct snd_rawmidi *rmidi;
 	struct snd_rawmidi_str *pstr;
 	struct snd_rawmidi_substream *substream;
 
-	mutex_lock(&register_mutex);
 	rmidi = snd_rawmidi_search(card, info->device);
-	mutex_unlock(&register_mutex);
 	if (!rmidi)
 		return -ENXIO;
 	if (info->stream < 0 || info->stream > 1)
@@ -613,6 +612,16 @@ int snd_rawmidi_info_select(struct snd_c
 	}
 	return -ENXIO;
 }
+
+int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+{
+	int ret;
+
+	mutex_lock(&register_mutex);
+	ret = __snd_rawmidi_info_select(card, info);
+	mutex_unlock(&register_mutex);
+	return ret;
+}
 EXPORT_SYMBOL(snd_rawmidi_info_select);
 
 static int snd_rawmidi_info_select_user(struct snd_card *card,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 117/254] posix-timer: Properly check sigevent->sigev_notify
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (201 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 245/254] media: v4l2-compat-ioctl32.c: avoid sizeof(type) Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 182/254] ALSA: pcm: Allow aborting mutex lock at OSS read/write loops Ben Hutchings
                   ` (51 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, John Stultz, Eric Biggers, Alexey Dobriyan,
	Thomas Gleixner, Dmitry Vyukov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit cef31d9af908243421258f1df35a4a644604efbe upstream.

timer_create() specifies via sigevent->sigev_notify the signal delivery for
the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
and (SIGEV_SIGNAL | SIGEV_THREAD_ID).

The sanity check in good_sigevent() is only checking the valid combination
for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
not set it accepts any random value.

This has no real effects on the posix timer and signal delivery code, but
it affects show_timer() which handles the output of /proc/$PID/timers. That
function uses a string array to pretty print sigev_notify. The access to
that array has no bound checks, so random sigev_notify cause access beyond
the array bounds.

Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
masking from various code pathes as SIGEV_NONE can never be set in
combination with SIGEV_THREAD_ID.

Reported-by: Eric Biggers <ebiggers3@gmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <john.stultz@linaro.org>
[bwh: Backported to 3.16:
 - Add sig_none variable in common_timer_get(), added earlier upstream
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/posix-timers.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -498,17 +498,22 @@ static struct pid *good_sigevent(sigeven
 {
 	struct task_struct *rtn = current->group_leader;
 
-	if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
-		(!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
-		 !same_thread_group(rtn, current) ||
-		 (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
+	switch (event->sigev_notify) {
+	case SIGEV_SIGNAL | SIGEV_THREAD_ID:
+		rtn = find_task_by_vpid(event->sigev_notify_thread_id);
+		if (!rtn || !same_thread_group(rtn, current))
+			return NULL;
+		/* FALLTHRU */
+	case SIGEV_SIGNAL:
+	case SIGEV_THREAD:
+		if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
+			return NULL;
+		/* FALLTHRU */
+	case SIGEV_NONE:
+		return task_pid(rtn);
+	default:
 		return NULL;
-
-	if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
-	    ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
-		return NULL;
-
-	return task_pid(rtn);
+	}
 }
 
 void posix_timers_register_clock(const clockid_t clock_id,
@@ -728,16 +733,17 @@ common_timer_get(struct k_itimer *timr,
 {
 	ktime_t now, remaining, iv;
 	struct hrtimer *timer = &timr->it.real.timer;
+	bool sig_none;
 
 	memset(cur_setting, 0, sizeof(struct itimerspec));
 
+	sig_none = timr->it_sigev_notify == SIGEV_NONE;
 	iv = timr->it.real.interval;
 
 	/* interval timer ? */
 	if (iv.tv64)
 		cur_setting->it_interval = ktime_to_timespec(iv);
-	else if (!hrtimer_active(timer) &&
-		 (timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
+	else if (!hrtimer_active(timer) && !sig_none)
 		return;
 
 	now = timer->base->get_time();
@@ -747,8 +753,7 @@ common_timer_get(struct k_itimer *timr,
 	 * timer move the expiry time forward by intervals, so
 	 * expiry is > now.
 	 */
-	if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING ||
-	    (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE))
+	if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING || sig_none))
 		timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv);
 
 	remaining = ktime_sub(hrtimer_get_expires(timer), now);
@@ -758,7 +763,7 @@ common_timer_get(struct k_itimer *timr,
 		 * A single shot SIGEV_NONE timer must return 0, when
 		 * it is expired !
 		 */
-		if ((timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
+		if (!sig_none)
 			cur_setting->it_value.tv_nsec = 1;
 	} else
 		cur_setting->it_value = ktime_to_timespec(remaining);
@@ -856,7 +861,7 @@ common_timer_set(struct k_itimer *timr,
 	timr->it.real.interval = timespec_to_ktime(new_setting->it_interval);
 
 	/* SIGEV_NONE timers are not queued ! See common_timer_get */
-	if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
+	if (timr->it_sigev_notify == SIGEV_NONE) {
 		/* Setup correct expiry time for relative timers */
 		if (mode == HRTIMER_MODE_REL) {
 			hrtimer_add_expires(timer, timer->base->get_time());

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 097/254] MIPS: Always clear FCSR cause bits after emulation
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 093/254] MIPS: Clear [MSA]FPE CSR.Cause after notify_die() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 096/254] MIPS: Respect the FCSR exception mask for `si_code' Ben Hutchings
                   ` (214 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Maciej W. Rozycki, linux-mips, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit 443c44032a54f9acf027a8e688380fddc809bc19 upstream.

Clear any FCSR cause bits recorded in the saved FPU context after
emulation in all cases rather than in `do_fpe' only, so that any
unmasked IEEE 754 exception left from emulation does not cause a fatal
kernel-mode FPE hardware exception with the CTC1 instruction used by the
kernel to subsequently restore FCSR hardware from the saved FPU context.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9704/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16: drop changes in mips-r2-to-r6-emul and simulate_fp()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -775,7 +775,7 @@ asmlinkage void do_fpe(struct pt_regs *r
 
 		/*
 		 * We can't allow the emulated instruction to leave any of
-		 * the cause bit set in $fcr31.
+		 * the cause bits set in $fcr31.
 		 */
 		current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
 
@@ -1292,6 +1292,13 @@ asmlinkage void do_cpu(struct pt_regs *r
 			sig = fpu_emulator_cop1Handler(regs,
 						       &current->thread.fpu,
 						       0, &fault_addr);
+
+			/*
+			 * We can't allow the emulated instruction to leave
+			 * any of the cause bits set in $fcr31.
+			 */
+			current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+
 			if (!process_fpemu_return(sig, fault_addr) && !err)
 				mt_ase_fp_affinity();
 		}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 205/254] nl80211: take RCU read lock when calling ieee80211_bss_get_ie()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 109/254] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 201/254] ALSA: pcm: Remove yet superfluous WARN_ON() Ben Hutchings
                   ` (201 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dominik Brodowski, Johannes Berg

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dominik Brodowski <linux@dominikbrodowski.net>

commit 7a94b8c2eee7083ddccd0515830f8c81a8e44b1a upstream.

As ieee80211_bss_get_ie() derefences an RCU to return ssid_ie, both
the call to this function and any operation on this variable need
protection by the RCU read lock.

Fixes: 44905265bc15 ("nl80211: don't expose wdev->ssid for most interfaces")
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/nl80211.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2354,12 +2354,13 @@ static int nl80211_send_iface(struct sk_
 		const u8 *ssid_ie;
 		if (!wdev->current_bss)
 			break;
+		rcu_read_lock();
 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
 					       WLAN_EID_SSID);
-		if (!ssid_ie)
-			break;
-		if (nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
-			goto nla_put_failure_locked;
+		if (ssid_ie &&
+		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
+			goto nla_put_failure_rcu_locked;
+		rcu_read_unlock();
 		break;
 		}
 	default:
@@ -2370,6 +2371,8 @@ static int nl80211_send_iface(struct sk_
 
 	return genlmsg_end(msg, hdr);
 
+ nla_put_failure_rcu_locked:
+	rcu_read_unlock();
  nla_put_failure_locked:
 	wdev_unlock(wdev);
  nla_put_failure:

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 096/254] MIPS: Respect the FCSR exception mask for `si_code'
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 097/254] MIPS: Always clear FCSR cause bits after emulation Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 210/254] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Ben Hutchings
                   ` (213 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Maciej W. Rozycki, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit ed2d72c1eb3643b7c109bdf387563d9b9a30c279 upstream.

Respect the FCSR exception mask when interpreting the IEEE 754 exception
condition to report with SIGFPE in `si_code', so as not to use one that
has been masked where a different one set in parallel caused the FPE
hardware exception to trigger.  As per the IEEE Std 754 the Inexact
exception can happen together with Overflow or Underflow.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9703/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/traps.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -12,6 +12,7 @@
  * Copyright (C) 2000, 2001, 2012 MIPS Technologies, Inc.  All rights reserved.
  * Copyright (C) 2014, Imagination Technologies Ltd.
  */
+#include <linux/bitops.h>
 #include <linux/bug.h>
 #include <linux/compiler.h>
 #include <linux/context_tracking.h>
@@ -785,7 +786,15 @@ asmlinkage void do_fpe(struct pt_regs *r
 		process_fpemu_return(sig, fault_addr);
 
 		goto out;
-	} else if (fcr31 & FPU_CSR_INV_X)
+	}
+
+	/*
+	 * Inexact can happen together with Overflow or Underflow.
+	 * Respect the mask to deliver the correct exception.
+	 */
+	fcr31 &= (fcr31 & FPU_CSR_ALL_E) <<
+		 (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E));
+	if (fcr31 & FPU_CSR_INV_X)
 		info.si_code = FPE_FLTINV;
 	else if (fcr31 & FPU_CSR_DIV_X)
 		info.si_code = FPE_FLTDIV;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 093/254] MIPS: Clear [MSA]FPE CSR.Cause after notify_die()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 028/254] isa: Prevent NULL dereference in isa_bus driver callbacks Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 097/254] MIPS: Always clear FCSR cause bits after emulation Ben Hutchings
                   ` (215 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paolo Bonzini, Ralf Baechle, Paul Burton, kvm, James Hogan,
	Gleb Natapov, linux-mips

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 64bedffe496820dbb6b53302d80dd0f04db33d8e upstream.

When handling floating point exceptions (FPEs) and MSA FPEs the Cause
bits of the appropriate control and status register (FCSR for FPEs and
MSACSR for MSA FPEs) are read and cleared before enabling interrupts,
presumably so that it doesn't have to go through the pain of restoring
those bits if the process is pre-empted, since writing those bits would
cause another immediate exception while still in the kernel.

The bits aren't normally ever restored again, since userland never
expects to see them set.

However for virtualisation it is necessary for the kernel to be able to
restore these Cause bits, as the guest may have been interrupted in an
FP exception handler but before it could read the Cause bits. This can
be done by registering a die notifier, to get notified of the exception
when such a value is restored, and if the PC was at the instruction
which is used to restore the guest state, the handler can step over it
and continue execution. The Cause bits can then remain set without
causing further exceptions.

For this to work safely a few changes are made:
- __build_clear_fpe and __build_clear_msa_fpe no longer clear the Cause
  bits, and now return from exception level with interrupts disabled
  instead of enabled.
- do_fpe() now clears the Cause bits and enables interrupts after
  notify_die() is called, so that the notifier can chose to return from
  exception without this happening.
- do_msa_fpe() acts similarly, but now actually makes use of the second
  argument (msacsr) and calls notify_die() with the new DIE_MSAFP,
  allowing die notifiers to be informed of MSA FPEs too.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Acked-by: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/kdebug.h |  3 ++-
 arch/mips/kernel/genex.S       | 14 ++++----------
 arch/mips/kernel/traps.c       | 16 +++++++++++++++-
 3 files changed, 21 insertions(+), 12 deletions(-)

--- a/arch/mips/include/asm/kdebug.h
+++ b/arch/mips/include/asm/kdebug.h
@@ -10,7 +10,8 @@ enum die_val {
 	DIE_RI,
 	DIE_PAGE_FAULT,
 	DIE_BREAK,
-	DIE_SSTEPBP
+	DIE_SSTEPBP,
+	DIE_MSAFP
 };
 
 #endif /* _ASM_MIPS_KDEBUG_H */
--- a/arch/mips/kernel/genex.S
+++ b/arch/mips/kernel/genex.S
@@ -360,21 +360,15 @@ NESTED(nmi_handler, PT_SIZE, sp)
 	.set	mips1
 	SET_HARDFLOAT
 	cfc1	a1, fcr31
-	li	a2, ~(0x3f << 12)
-	and	a2, a1
-	ctc1	a2, fcr31
 	.set	pop
-	TRACE_IRQS_ON
-	STI
+	CLI
+	TRACE_IRQS_OFF
 	.endm
 
 	.macro	__build_clear_msa_fpe
 	_cfcmsa	a1, MSA_CSR
-	li	a2, ~(0x3f << 12)
-	and	a1, a1, a2
-	_ctcmsa	MSA_CSR, a1
-	TRACE_IRQS_ON
-	STI
+	CLI
+	TRACE_IRQS_OFF
 	.endm
 
 	.macro	__build_clear_ade
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -744,6 +744,11 @@ asmlinkage void do_fpe(struct pt_regs *r
 	if (notify_die(DIE_FP, "FP exception", regs, 0, regs_to_trapnr(regs),
 		       SIGFPE) == NOTIFY_STOP)
 		goto out;
+
+	/* Clear FCSR.Cause before enabling interrupts */
+	write_32bit_cp1_register(CP1_STATUS, fcr31 & ~FPU_CSR_ALL_X);
+	local_irq_enable();
+
 	die_if_kernel("FP exception in kernel code", regs);
 
 	if (fcr31 & FPU_CSR_UNI_X) {
@@ -1295,13 +1300,22 @@ out:
 	exception_exit(prev_state);
 }
 
-asmlinkage void do_msa_fpe(struct pt_regs *regs)
+asmlinkage void do_msa_fpe(struct pt_regs *regs, unsigned int msacsr)
 {
 	enum ctx_state prev_state;
 
 	prev_state = exception_enter();
+	if (notify_die(DIE_MSAFP, "MSA FP exception", regs, 0,
+		       regs_to_trapnr(regs), SIGFPE) == NOTIFY_STOP)
+		goto out;
+
+	/* Clear MSACSR.Cause before enabling interrupts */
+	write_msa_csr(msacsr & ~MSA_CSR_CAUSEF);
+	local_irq_enable();
+
 	die_if_kernel("do_msa_fpe invoked from kernel context!", regs);
 	force_sig(SIGFPE, current);
+out:
 	exception_exit(prev_state);
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 027/254] serial: 8250_pci: Add Amazon PCI serial device ID
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (243 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 050/254] ALSA: usb-audio: Add check return value for usb_string() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 009/254] scsi: use dma_get_cache_alignment() as minimum DMA alignment Ben Hutchings
                   ` (9 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Wilson, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Wilson <msw@amazon.com>

commit 3bfd1300abfe3adb18e84a89d97a0e82a22124bb upstream.

This device will be used in future Amazon EC2 instances as the primary
serial port (i.e., data sent to this port will be available via the
GetConsoleOuput [1] EC2 API).

[1] http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetConsoleOutput.html

Signed-off-by: Matt Wilson <msw@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/8250/8250_pci.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -5542,6 +5542,9 @@ static struct pci_device_id serial_pci_t
 	{ PCI_DEVICE(0x1601, 0x0800), .driver_data = pbn_b0_4_1250000 },
 	{ PCI_DEVICE(0x1601, 0xa801), .driver_data = pbn_b0_4_1250000 },
 
+	/* Amazon PCI serial device */
+	{ PCI_DEVICE(0x1d0f, 0x8250), .driver_data = pbn_b0_1_115200 },
+
 	/*
 	 * These entries match devices with class COMMUNICATION_SERIAL,
 	 * COMMUNICATION_MODEM or COMMUNICATION_MULTISERIAL

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 018/254] drm/i915: Don't try indexed reads to alternate slave addresses
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 071/254] ASN.1: fix out-of-bounds read when parsing indefinite length item Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 199/254] powerpc: Don't preempt_disable() in show_cpuinfo() Ben Hutchings
                   ` (243 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ville Syrjälä,
	Joonas Lahtinen, Daniel Vetter, Chris Wilson, Daniel Kurtz,
	Sean Paul

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit ae5c631e605a452a5a0e73205a92810c01ed954b upstream.

We can only specify the one slave address to indexed reads/writes.
Make sure the messages we check are destined to the same slave
address before deciding to do an indexed transfer.

Cc: Daniel Kurtz <djkurtz@chromium.org>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Sean Paul <seanpaul@chromium.org>
Fixes: 56f9eac05489 ("drm/i915/intel_i2c: use INDEX cycles for i2c read transactions")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171123194157.25367-2-ville.syrjala@linux.intel.com
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit c4deb62d7821672265b87952bcd1c808f3bf3e8f)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_i2c.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/i915/intel_i2c.c
+++ b/drivers/gpu/drm/i915/intel_i2c.c
@@ -448,6 +448,7 @@ static bool
 gmbus_is_index_read(struct i2c_msg *msgs, int i, int num)
 {
 	return (i + 1 < num &&
+		msgs[i].addr == msgs[i + 1].addr &&
 		!(msgs[i].flags & I2C_M_RD) && msgs[i].len <= 2 &&
 		(msgs[i + 1].flags & I2C_M_RD));
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 145/254] tracing: Fix crash when it fails to alloc ring buffer
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 173/254] ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 022/254] usb: host: fix incorrect updating of offset Ben Hutchings
                   ` (197 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Chunyan Zhang, Jing Xia, Steven Rostedt (VMware)

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jing Xia <jing.xia@spreadtrum.com>

commit 24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5 upstream.

Double free of the ring buffer happens when it fails to alloc new
ring buffer instance for max_buffer if TRACER_MAX_TRACE is configured.
The root cause is that the pointer is not set to NULL after the buffer
is freed in allocate_trace_buffers(), and the freeing of the ring
buffer is invoked again later if the pointer is not equal to Null,
as:

instance_mkdir()
    |-allocate_trace_buffers()
        |-allocate_trace_buffer(tr, &tr->trace_buffer...)
	|-allocate_trace_buffer(tr, &tr->max_buffer...)

          // allocate fail(-ENOMEM),first free
          // and the buffer pointer is not set to null
        |-ring_buffer_free(tr->trace_buffer.buffer)

       // out_free_tr
    |-free_trace_buffers()
        |-free_trace_buffer(&tr->trace_buffer);

	      //if trace_buffer is not null, free again
	    |-ring_buffer_free(buf->buffer)
                |-rb_free_cpu_buffer(buffer->buffers[cpu])
                    // ring_buffer_per_cpu is null, and
                    // crash in ring_buffer_per_cpu->pages

Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com

Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
Signed-off-by: Jing Xia <jing.xia@spreadtrum.com>
Signed-off-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6243,7 +6243,9 @@ static int allocate_trace_buffers(struct
 				    allocate_snapshot ? size : 1);
 	if (WARN_ON(ret)) {
 		ring_buffer_free(tr->trace_buffer.buffer);
+		tr->trace_buffer.buffer = NULL;
 		free_percpu(tr->trace_buffer.data);
+		tr->trace_buffer.data = NULL;
 		return -ENOMEM;
 	}
 	tr->allocated_snapshot = allocate_snapshot;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 162/254] can: gs_usb: fix return value of the "set_bittiming" callback
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 104/254] MIPS: MSA: bugfix - disable MSA correctly for new threads/processes Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 164/254] usbip: remove kernel addresses from usb device and urb debug msgs Ben Hutchings
                   ` (210 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wolfgang Grandegger, Marc Kleine-Budde

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfgang Grandegger <wg@grandegger.com>

commit d5b42e6607661b198d8b26a0c30969605b1bf5c7 upstream.

The "set_bittiming" callback treats a positive return value as error!
For that reason "can_changelink()" will quit silently after setting
the bittiming values without processing ctrlmode, restart-ms, etc.

Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/gs_usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -430,7 +430,7 @@ static int gs_usb_set_bittiming(struct n
 		dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)",
 			rc);
 
-	return rc;
+	return (rc > 0) ? 0 : rc;
 }
 
 static void gs_usb_xmit_callback(struct urb *urb)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 084/254] dmaengine: jz4740: disable/unprepare clk if probe fails
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 108/254] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 047/254] usb: xhci: fix panic in xhci_free_virt_devices_depth_first Ben Hutchings
                   ` (14 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vinod Koul, Tobias Jordan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Jordan <Tobias.Jordan@elektrobit.com>

commit eb9436966fdc84cebdf222952a99898ab46d9bb0 upstream.

in error path of jz4740_dma_probe(), call clk_disable_unprepare() to clean
up.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 25ce6c35fea0 MIPS: jz4740: Remove custom DMA API
Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/dma-jz4740.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/dma/dma-jz4740.c
+++ b/drivers/dma/dma-jz4740.c
@@ -574,7 +574,7 @@ static int jz4740_dma_probe(struct platf
 
 	ret = dma_async_device_register(dd);
 	if (ret)
-		return ret;
+		goto err_clk;
 
 	irq = platform_get_irq(pdev, 0);
 	ret = request_irq(irq, jz4740_dma_irq, 0, dev_name(&pdev->dev), dmadev);
@@ -587,6 +587,8 @@ static int jz4740_dma_probe(struct platf
 
 err_unregister:
 	dma_async_device_unregister(dd);
+err_clk:
+	clk_disable_unprepare(dmadev->clk);
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 252/254] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 085/254] nl80211: fix nl80211_send_iface() error paths Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 063/254] btrfs: fix missing error return in btrfs_drop_snapshot Ben Hutchings
                   ` (162 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Daniel Mentz, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Mentz <danielmentz@google.com>

commit a1dfb4c48cc1e64eeb7800a27c66a6f7e88d075a upstream.

The 32-bit compat v4l2 ioctl handling is implemented based on its 64-bit
equivalent. It converts 32-bit data structures into its 64-bit
equivalents and needs to provide the data to the 64-bit ioctl in user
space memory which is commonly allocated using
compat_alloc_user_space().

However, due to how that function is implemented, it can only be called
a single time for every syscall invocation.

Supposedly to avoid this limitation, the existing code uses a mix of
memory from the kernel stack and memory allocated through
compat_alloc_user_space().

Under normal circumstances, this would not work, because the 64-bit
ioctl expects all pointers to point to user space memory. As a
workaround, set_fs(KERNEL_DS) is called to temporarily disable this
extra safety check and allow kernel pointers. However, this might
introduce a security vulnerability: The result of the 32-bit to 64-bit
conversion is writeable by user space because the output buffer has been
allocated via compat_alloc_user_space(). A malicious user space process
could then manipulate pointers inside this output buffer, and due to the
previous set_fs(KERNEL_DS) call, functions like get_user() or put_user()
no longer prevent kernel memory access.

The new approach is to pre-calculate the total amount of user space
memory that is needed, allocate it using compat_alloc_user_space() and
then divide up the allocated memory to accommodate all data structures
that need to be converted.

An alternative approach would have been to retain the union type karg
that they allocated on the kernel stack in do_video_ioctl(), copy all
data from user space into karg and then back to user space. However, we
decided against this approach because it does not align with other
compat syscall implementations. Instead, we tried to replicate the
get_user/put_user pairs as found in other places in the kernel:

    if (get_user(clipcount, &up->clipcount) ||
        put_user(clipcount, &kp->clipcount)) return -EFAULT;

Notes from hans.verkuil@cisco.com:

This patch was taken from:
    https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/97b733953c06e4f0398ade18850f0817778255f7

Clearly nobody could be bothered to upstream this patch or at minimum
tell us :-( We only heard about this a week ago.

This patch was rebased and cleaned up. Compared to the original I
also swapped the order of the convert_in_user arguments so that they
matched copy_in_user. It was hard to review otherwise. I also replaced
the ALLOC_USER_SPACE/ALLOC_AND_GET by a normal function.

Fixes: 6b5a9492ca ("v4l: introduce string control support.")

Signed-off-by: Daniel Mentz <danielmentz@google.com>
Co-developed-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Rebased on top of some earlier fixes]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -22,6 +22,14 @@
 #include <media/v4l2-ctrls.h>
 #include <media/v4l2-ioctl.h>
 
+/* Use the same argument order as copy_in_user */
+#define assign_in_user(to, from)					\
+({									\
+	typeof(*from) __assign_tmp;					\
+									\
+	get_user(__assign_tmp, from) || put_user(__assign_tmp, to);	\
+})
+
 static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
 	long ret = -ENOIOCTLCMD;
@@ -35,12 +43,12 @@ static long native_ioctl(struct file *fi
 
 struct v4l2_clip32 {
 	struct v4l2_rect        c;
-	compat_caddr_t 		next;
+	compat_caddr_t		next;
 };
 
 struct v4l2_window32 {
 	struct v4l2_rect        w;
-	__u32		  	field;	/* enum v4l2_field */
+	__u32			field;	/* enum v4l2_field */
 	__u32			chromakey;
 	compat_caddr_t		clips; /* actually struct v4l2_clip32 * */
 	__u32			clipcount;
@@ -48,37 +56,41 @@ struct v4l2_window32 {
 	__u8                    global_alpha;
 };
 
-static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
+static int get_v4l2_window32(struct v4l2_window __user *kp,
+			     struct v4l2_window32 __user *up,
+			     void __user *aux_buf, u32 aux_space)
 {
 	struct v4l2_clip32 __user *uclips;
 	struct v4l2_clip __user *kclips;
 	compat_caddr_t p;
-	u32 n;
+	u32 clipcount;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-	    copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
-	    get_user(kp->field, &up->field) ||
-	    get_user(kp->chromakey, &up->chromakey) ||
-	    get_user(kp->clipcount, &up->clipcount) ||
-	    get_user(kp->global_alpha, &up->global_alpha))
+	    copy_in_user(&kp->w, &up->w, sizeof(up->w)) ||
+	    assign_in_user(&kp->field, &up->field) ||
+	    assign_in_user(&kp->chromakey, &up->chromakey) ||
+	    assign_in_user(&kp->global_alpha, &up->global_alpha) ||
+	    get_user(clipcount, &up->clipcount) ||
+	    put_user(clipcount, &kp->clipcount))
 		return -EFAULT;
-	if (kp->clipcount > 2048)
+	if (clipcount > 2048)
 		return -EINVAL;
-	if (!kp->clipcount) {
-		kp->clips = NULL;
-		return 0;
-	}
+	if (!clipcount)
+		return put_user(NULL, &kp->clips);
 
-	n = kp->clipcount;
 	if (get_user(p, &up->clips))
 		return -EFAULT;
 	uclips = compat_ptr(p);
-	kclips = compat_alloc_user_space(n * sizeof(*kclips));
-	kp->clips = kclips;
-	while (n--) {
+	if (aux_space < clipcount * sizeof(*kclips))
+		return -EFAULT;
+	kclips = aux_buf;
+	if (put_user(kclips, &kp->clips))
+		return -EFAULT;
+
+	while (clipcount--) {
 		if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
 			return -EFAULT;
-		if (put_user(n ? kclips + 1 : NULL, &kclips->next))
+		if (put_user(clipcount ? kclips + 1 : NULL, &kclips->next))
 			return -EFAULT;
 		uclips++;
 		kclips++;
@@ -86,27 +98,28 @@ static int get_v4l2_window32(struct v4l2
 	return 0;
 }
 
-static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
+static int put_v4l2_window32(struct v4l2_window __user *kp,
+			     struct v4l2_window32 __user *up)
 {
 	struct v4l2_clip __user *kclips = kp->clips;
 	struct v4l2_clip32 __user *uclips;
-	u32 n = kp->clipcount;
 	compat_caddr_t p;
+	u32 clipcount;
 
-	if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
-	    put_user(kp->field, &up->field) ||
-	    put_user(kp->chromakey, &up->chromakey) ||
-	    put_user(kp->clipcount, &up->clipcount) ||
-	    put_user(kp->global_alpha, &up->global_alpha))
+	if (copy_in_user(&up->w, &kp->w, sizeof(kp->w)) ||
+	    assign_in_user(&up->field, &kp->field) ||
+	    assign_in_user(&up->chromakey, &kp->chromakey) ||
+	    assign_in_user(&up->global_alpha, &kp->global_alpha) ||
+	    get_user(clipcount, &kp->clipcount) ||
+	    put_user(clipcount, &up->clipcount))
 		return -EFAULT;
-
-	if (!kp->clipcount)
+	if (!clipcount)
 		return 0;
 
 	if (get_user(p, &up->clips))
 		return -EFAULT;
 	uclips = compat_ptr(p);
-	while (n--) {
+	while (clipcount--) {
 		if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c)))
 			return -EFAULT;
 		uclips++;
@@ -144,93 +157,150 @@ struct v4l2_create_buffers32 {
 	__u32			reserved[8];
 };
 
-static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int __bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size)
+{
+	u32 type;
+
+	if (get_user(type, &up->type))
+		return -EFAULT;
+
+	switch (type) {
+	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
+	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: {
+		u32 clipcount;
+
+		if (get_user(clipcount, &up->fmt.win.clipcount))
+			return -EFAULT;
+		if (clipcount > 2048)
+			return -EINVAL;
+		*size = clipcount * sizeof(struct v4l2_clip);
+		return 0;
+	}
+	default:
+		*size = 0;
+		return 0;
+	}
+}
+
+static int bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size)
 {
-	if (get_user(kp->type, &up->type))
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
 		return -EFAULT;
+	return __bufsize_v4l2_format(up, size);
+}
 
-	switch (kp->type) {
+static int __get_v4l2_format32(struct v4l2_format __user *kp,
+			       struct v4l2_format32 __user *up,
+			       void __user *aux_buf, u32 aux_space)
+{
+	u32 type;
+
+	if (get_user(type, &up->type) || put_user(type, &kp->type))
+		return -EFAULT;
+
+	switch (type) {
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
-		return copy_from_user(&kp->fmt.pix, &up->fmt.pix,
-				      sizeof(kp->fmt.pix)) ? -EFAULT : 0;
+		return copy_in_user(&kp->fmt.pix, &up->fmt.pix,
+				    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
-		return copy_from_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
-				      sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
+		return copy_in_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
+				    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
-		return get_v4l2_window32(&kp->fmt.win, &up->fmt.win);
+		return get_v4l2_window32(&kp->fmt.win, &up->fmt.win,
+					 aux_buf, aux_space);
 	case V4L2_BUF_TYPE_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_VBI_OUTPUT:
-		return copy_from_user(&kp->fmt.vbi, &up->fmt.vbi,
-				      sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
+		return copy_in_user(&kp->fmt.vbi, &up->fmt.vbi,
+				    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
-		return copy_from_user(&kp->fmt.sliced, &up->fmt.sliced,
-				      sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
+		return copy_in_user(&kp->fmt.sliced, &up->fmt.sliced,
+				    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
 	default:
 		return -EINVAL;
 	}
 }
 
-static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int get_v4l2_format32(struct v4l2_format __user *kp,
+			     struct v4l2_format32 __user *up,
+			     void __user *aux_buf, u32 aux_space)
+{
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
+		return -EFAULT;
+	return __get_v4l2_format32(kp, up, aux_buf, aux_space);
+}
+
+static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *up,
+			       u32 *size)
 {
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
 		return -EFAULT;
-	return __get_v4l2_format32(kp, up);
+	return __bufsize_v4l2_format(&up->format, size);
 }
 
-static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
+static int get_v4l2_create32(struct v4l2_create_buffers __user *kp,
+			     struct v4l2_create_buffers32 __user *up,
+			     void __user *aux_buf, u32 aux_space)
 {
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-	    copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
+	    copy_in_user(kp, up,
+			 offsetof(struct v4l2_create_buffers32, format)))
 		return -EFAULT;
-	return __get_v4l2_format32(&kp->format, &up->format);
+	return __get_v4l2_format32(&kp->format, &up->format,
+				   aux_buf, aux_space);
 }
 
-static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int __put_v4l2_format32(struct v4l2_format __user *kp,
+			       struct v4l2_format32 __user *up)
 {
-	if (put_user(kp->type, &up->type))
+	u32 type;
+
+	if (get_user(type, &kp->type))
 		return -EFAULT;
 
-	switch (kp->type) {
+	switch (type) {
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
-		return copy_to_user(&up->fmt.pix, &kp->fmt.pix,
+		return copy_in_user(&up->fmt.pix, &kp->fmt.pix,
 				    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
-		return copy_to_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
+		return copy_in_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
 				    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
 		return put_v4l2_window32(&kp->fmt.win, &up->fmt.win);
 	case V4L2_BUF_TYPE_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_VBI_OUTPUT:
-		return copy_to_user(&up->fmt.vbi, &kp->fmt.vbi,
+		return copy_in_user(&up->fmt.vbi, &kp->fmt.vbi,
 				    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
 	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
 	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
-		return copy_to_user(&up->fmt.sliced, &kp->fmt.sliced,
+		return copy_in_user(&up->fmt.sliced, &kp->fmt.sliced,
 				    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
 	default:
 		return -EINVAL;
 	}
 }
 
-static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
+static int put_v4l2_format32(struct v4l2_format __user *kp,
+			     struct v4l2_format32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)))
 		return -EFAULT;
 	return __put_v4l2_format32(kp, up);
 }
 
-static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
+static int put_v4l2_create32(struct v4l2_create_buffers __user *kp,
+			     struct v4l2_create_buffers32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
-	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
+	    copy_in_user(up, kp,
+			 offsetof(struct v4l2_create_buffers32, format)) ||
+	    copy_in_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
 	return __put_v4l2_format32(&kp->format, &up->format);
 }
@@ -244,24 +314,27 @@ struct v4l2_standard32 {
 	__u32		     reserved[4];
 };
 
-static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
+static int get_v4l2_standard32(struct v4l2_standard __user *kp,
+			       struct v4l2_standard32 __user *up)
 {
 	/* other fields are not set by the user, nor used by the driver */
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-	    get_user(kp->index, &up->index))
+	    assign_in_user(&kp->index, &up->index))
 		return -EFAULT;
 	return 0;
 }
 
-static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
+static int put_v4l2_standard32(struct v4l2_standard __user *kp,
+			       struct v4l2_standard32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    put_user(kp->index, &up->index) ||
-	    put_user(kp->id, &up->id) ||
-	    copy_to_user(up->name, kp->name, sizeof(up->name)) ||
-	    copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
-	    put_user(kp->framelines, &up->framelines) ||
-	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
+	    assign_in_user(&up->index, &kp->index) ||
+	    assign_in_user(&up->id, &kp->id) ||
+	    copy_in_user(up->name, kp->name, sizeof(up->name)) ||
+	    copy_in_user(&up->frameperiod, &kp->frameperiod,
+			 sizeof(up->frameperiod)) ||
+	    assign_in_user(&up->framelines, &kp->framelines) ||
+	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
 		return -EFAULT;
 	return 0;
 }
@@ -301,11 +374,11 @@ struct v4l2_buffer32 {
 	__u32			reserved;
 };
 
-static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
+static int get_v4l2_plane32(struct v4l2_plane __user *up,
+			    struct v4l2_plane32 __user *up32,
 			    enum v4l2_memory memory)
 {
-	void __user *up_pln;
-	compat_long_t p;
+	compat_ulong_t p;
 
 	if (copy_in_user(up, up32, 2 * sizeof(__u32)) ||
 	    copy_in_user(&up->data_offset, &up32->data_offset,
@@ -320,10 +393,8 @@ static int get_v4l2_plane32(struct v4l2_
 			return -EFAULT;
 		break;
 	case V4L2_MEMORY_USERPTR:
-		if (get_user(p, &up32->m.userptr))
-			return -EFAULT;
-		up_pln = compat_ptr(p);
-		if (put_user((unsigned long)up_pln, &up->m.userptr))
+		if (get_user(p, &up32->m.userptr) ||
+		    put_user((unsigned long)compat_ptr(p), &up->m.userptr))
 			return -EFAULT;
 		break;
 	case V4L2_MEMORY_DMABUF:
@@ -335,7 +406,8 @@ static int get_v4l2_plane32(struct v4l2_
 	return 0;
 }
 
-static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
+static int put_v4l2_plane32(struct v4l2_plane __user *up,
+			    struct v4l2_plane32 __user *up32,
 			    enum v4l2_memory memory)
 {
 	unsigned long p;
@@ -359,8 +431,7 @@ static int put_v4l2_plane32(struct v4l2_
 			return -EFAULT;
 		break;
 	case V4L2_MEMORY_DMABUF:
-		if (copy_in_user(&up32->m.fd, &up->m.fd,
-				 sizeof(up->m.fd)))
+		if (copy_in_user(&up32->m.fd, &up->m.fd, sizeof(up->m.fd)))
 			return -EFAULT;
 		break;
 	}
@@ -368,37 +439,75 @@ static int put_v4l2_plane32(struct v4l2_
 	return 0;
 }
 
-static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
+static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *up, u32 *size)
 {
+	u32 type;
+	u32 length;
+
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+	    get_user(type, &up->type) ||
+	    get_user(length, &up->length))
+		return -EFAULT;
+
+	if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
+		if (length > VIDEO_MAX_PLANES)
+			return -EINVAL;
+
+		/*
+		 * We don't really care if userspace decides to kill itself
+		 * by passing a very big length value
+		 */
+		*size = length * sizeof(struct v4l2_plane);
+	} else {
+		*size = 0;
+	}
+	return 0;
+}
+
+static int get_v4l2_buffer32(struct v4l2_buffer __user *kp,
+			     struct v4l2_buffer32 __user *up,
+			     void __user *aux_buf, u32 aux_space)
+{
+	u32 type;
+	u32 length;
+	enum v4l2_memory memory;
 	struct v4l2_plane32 __user *uplane32;
 	struct v4l2_plane __user *uplane;
 	compat_caddr_t p;
-	int num_planes;
 	int ret;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-	    get_user(kp->index, &up->index) ||
-	    get_user(kp->type, &up->type) ||
-	    get_user(kp->flags, &up->flags) ||
-	    get_user(kp->memory, &up->memory) ||
-	    get_user(kp->length, &up->length))
-		return -EFAULT;
-
-	if (V4L2_TYPE_IS_OUTPUT(kp->type))
-		if (get_user(kp->bytesused, &up->bytesused) ||
-		    get_user(kp->field, &up->field) ||
-		    get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-		    get_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec))
+	    assign_in_user(&kp->index, &up->index) ||
+	    get_user(type, &up->type) ||
+	    put_user(type, &kp->type) ||
+	    assign_in_user(&kp->flags, &up->flags) ||
+	    get_user(memory, &up->memory) ||
+	    put_user(memory, &kp->memory) ||
+	    get_user(length, &up->length) ||
+	    put_user(length, &kp->length))
+		return -EFAULT;
+
+	if (V4L2_TYPE_IS_OUTPUT(type))
+		if (assign_in_user(&kp->bytesused, &up->bytesused) ||
+		    assign_in_user(&kp->field, &up->field) ||
+		    assign_in_user(&kp->timestamp.tv_sec,
+				   &up->timestamp.tv_sec) ||
+		    assign_in_user(&kp->timestamp.tv_usec,
+				   &up->timestamp.tv_usec))
 			return -EFAULT;
 
-	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
-		num_planes = kp->length;
+	if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
+		u32 num_planes = length;
+
 		if (num_planes == 0) {
-			kp->m.planes = NULL;
-			/* num_planes == 0 is legal, e.g. when userspace doesn't
-			 * need planes array on DQBUF*/
-			return 0;
+			/*
+			 * num_planes == 0 is legal, e.g. when userspace doesn't
+			 * need planes array on DQBUF
+			 */
+			return put_user(NULL, &kp->m.planes);
 		}
+		if (num_planes > VIDEO_MAX_PLANES)
+			return -EINVAL;
 
 		if (get_user(p, &up->m.planes))
 			return -EFAULT;
@@ -408,38 +517,43 @@ static int get_v4l2_buffer32(struct v4l2
 			       num_planes * sizeof(*uplane32)))
 			return -EFAULT;
 
-		/* We don't really care if userspace decides to kill itself
-		 * by passing a very big num_planes value */
-		uplane = compat_alloc_user_space(num_planes *
-						 sizeof(*uplane));
-		kp->m.planes = (__force struct v4l2_plane *)uplane;
+		/*
+		 * We don't really care if userspace decides to kill itself
+		 * by passing a very big num_planes value
+		 */
+		if (aux_space < num_planes * sizeof(*uplane))
+			return -EFAULT;
+
+		uplane = aux_buf;
+		if (put_user((__force struct v4l2_plane *)uplane,
+			     &kp->m.planes))
+			return -EFAULT;
 
-		while (--num_planes >= 0) {
-			ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
+		while (num_planes--) {
+			ret = get_v4l2_plane32(uplane, uplane32, memory);
 			if (ret)
 				return ret;
-			++uplane;
-			++uplane32;
+			uplane++;
+			uplane32++;
 		}
 	} else {
-		switch (kp->memory) {
+		switch (memory) {
 		case V4L2_MEMORY_MMAP:
 		case V4L2_MEMORY_OVERLAY:
-			if (get_user(kp->m.offset, &up->m.offset))
+			if (assign_in_user(&kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
-		case V4L2_MEMORY_USERPTR:
-			{
-				compat_long_t tmp;
+		case V4L2_MEMORY_USERPTR: {
+			compat_ulong_t userptr;
 
-				if (get_user(tmp, &up->m.userptr))
-					return -EFAULT;
-
-				kp->m.userptr = (unsigned long)compat_ptr(tmp);
-			}
+			if (get_user(userptr, &up->m.userptr) ||
+			    put_user((unsigned long)compat_ptr(userptr),
+				     &kp->m.userptr))
+				return -EFAULT;
 			break;
+		}
 		case V4L2_MEMORY_DMABUF:
-			if (get_user(kp->m.fd, &up->m.fd))
+			if (assign_in_user(&kp->m.fd, &up->m.fd))
 				return -EFAULT;
 			break;
 		}
@@ -448,62 +562,70 @@ static int get_v4l2_buffer32(struct v4l2
 	return 0;
 }
 
-static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
+static int put_v4l2_buffer32(struct v4l2_buffer __user *kp,
+			     struct v4l2_buffer32 __user *up)
 {
+	u32 type;
+	u32 length;
+	enum v4l2_memory memory;
 	struct v4l2_plane32 __user *uplane32;
 	struct v4l2_plane __user *uplane;
 	compat_caddr_t p;
-	int num_planes;
 	int ret;
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    put_user(kp->index, &up->index) ||
-	    put_user(kp->type, &up->type) ||
-	    put_user(kp->flags, &up->flags) ||
-	    put_user(kp->memory, &up->memory))
-		return -EFAULT;
-
-	if (put_user(kp->bytesused, &up->bytesused) ||
-	    put_user(kp->field, &up->field) ||
-	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-	    put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
-	    copy_to_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
-	    put_user(kp->sequence, &up->sequence) ||
-	    put_user(kp->reserved2, &up->reserved2) ||
-	    put_user(kp->reserved, &up->reserved) ||
-	    put_user(kp->length, &up->length))
+	    assign_in_user(&up->index, &kp->index) ||
+	    get_user(type, &kp->type) ||
+	    put_user(type, &up->type) ||
+	    assign_in_user(&up->flags, &kp->flags) ||
+	    get_user(memory, &kp->memory) ||
+	    put_user(memory, &up->memory))
+		return -EFAULT;
+
+	if (assign_in_user(&up->bytesused, &kp->bytesused) ||
+	    assign_in_user(&up->field, &kp->field) ||
+	    assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
+	    assign_in_user(&up->timestamp.tv_usec, &kp->timestamp.tv_usec) ||
+	    copy_in_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
+	    assign_in_user(&up->sequence, &kp->sequence) ||
+	    assign_in_user(&up->reserved2, &kp->reserved2) ||
+	    assign_in_user(&up->reserved, &kp->reserved) ||
+	    get_user(length, &kp->length) ||
+	    put_user(length, &up->length))
 		return -EFAULT;
 
-	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
-		num_planes = kp->length;
+	if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
+		u32 num_planes = length;
+
 		if (num_planes == 0)
 			return 0;
 
-		uplane = (__force struct v4l2_plane __user *)kp->m.planes;
+		if (get_user(uplane, ((__force struct v4l2_plane __user **)&kp->m.planes)))
+			return -EFAULT;
 		if (get_user(p, &up->m.planes))
 			return -EFAULT;
 		uplane32 = compat_ptr(p);
 
-		while (--num_planes >= 0) {
-			ret = put_v4l2_plane32(uplane, uplane32, kp->memory);
+		while (num_planes--) {
+			ret = put_v4l2_plane32(uplane, uplane32, memory);
 			if (ret)
 				return ret;
 			++uplane;
 			++uplane32;
 		}
 	} else {
-		switch (kp->memory) {
+		switch (memory) {
 		case V4L2_MEMORY_MMAP:
 		case V4L2_MEMORY_OVERLAY:
-			if (put_user(kp->m.offset, &up->m.offset))
+			if (assign_in_user(&up->m.offset, &kp->m.offset))
 				return -EFAULT;
 			break;
 		case V4L2_MEMORY_USERPTR:
-			if (put_user(kp->m.userptr, &up->m.userptr))
+			if (assign_in_user(&up->m.userptr, &kp->m.userptr))
 				return -EFAULT;
 			break;
 		case V4L2_MEMORY_DMABUF:
-			if (put_user(kp->m.fd, &up->m.fd))
+			if (assign_in_user(&up->m.fd, &kp->m.fd))
 				return -EFAULT;
 			break;
 		}
@@ -515,33 +637,45 @@ static int put_v4l2_buffer32(struct v4l2
 struct v4l2_framebuffer32 {
 	__u32			capability;
 	__u32			flags;
-	compat_caddr_t 		base;
-	struct v4l2_pix_format	fmt;
+	compat_caddr_t		base;
+	struct {
+		__u32		width;
+		__u32		height;
+		__u32		pixelformat;
+		__u32		field;
+		__u32		bytesperline;
+		__u32		sizeimage;
+		__u32		colorspace;
+		__u32		priv;
+	} fmt;
 };
 
-static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
+static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
+				  struct v4l2_framebuffer32 __user *up)
 {
-	u32 tmp;
+	compat_caddr_t tmp;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    get_user(tmp, &up->base) ||
-	    get_user(kp->capability, &up->capability) ||
-	    get_user(kp->flags, &up->flags) ||
-	    copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
+	    put_user((__force void *)compat_ptr(tmp), &kp->base) ||
+	    assign_in_user(&kp->capability, &up->capability) ||
+	    assign_in_user(&kp->flags, &up->flags) ||
+	    copy_in_user(&kp->fmt, &up->fmt, sizeof(kp->fmt)))
 		return -EFAULT;
-	kp->base = (__force void *)compat_ptr(tmp);
 	return 0;
 }
 
-static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
+static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
+				  struct v4l2_framebuffer32 __user *up)
 {
-	u32 tmp = (u32)((unsigned long)kp->base);
+	void *base;
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    put_user(tmp, &up->base) ||
-	    put_user(kp->capability, &up->capability) ||
-	    put_user(kp->flags, &up->flags) ||
-	    copy_to_user(&up->fmt, &kp->fmt, sizeof(up->fmt)))
+	    get_user(base, &kp->base) ||
+	    put_user(ptr_to_compat(base), &up->base) ||
+	    assign_in_user(&up->capability, &kp->capability) ||
+	    assign_in_user(&up->flags, &kp->flags) ||
+	    copy_in_user(&up->fmt, &kp->fmt, sizeof(kp->fmt)))
 		return -EFAULT;
 	return 0;
 }
@@ -558,18 +692,22 @@ struct v4l2_input32 {
 	__u32	     reserved[3];
 };
 
-/* The 64-bit v4l2_input struct has extra padding at the end of the struct.
-   Otherwise it is identical to the 32-bit version. */
-static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
+/*
+ * The 64-bit v4l2_input struct has extra padding at the end of the struct.
+ * Otherwise it is identical to the 32-bit version.
+ */
+static inline int get_v4l2_input32(struct v4l2_input __user *kp,
+				   struct v4l2_input32 __user *up)
 {
-	if (copy_from_user(kp, up, sizeof(*up)))
+	if (copy_in_user(kp, up, sizeof(*up)))
 		return -EFAULT;
 	return 0;
 }
 
-static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
+static inline int put_v4l2_input32(struct v4l2_input __user *kp,
+				   struct v4l2_input32 __user *up)
 {
-	if (copy_to_user(up, kp, sizeof(*up)))
+	if (copy_in_user(up, kp, sizeof(*up)))
 		return -EFAULT;
 	return 0;
 }
@@ -616,40 +754,64 @@ static inline bool ctrl_is_pointer(struc
 	return false;
 }
 
+static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *up,
+				     u32 *size)
+{
+	u32 count;
+
+	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+	    get_user(count, &up->count))
+		return -EFAULT;
+	if (count > V4L2_CID_MAX_CTRLS)
+		return -EINVAL;
+	*size = count * sizeof(struct v4l2_ext_control);
+	return 0;
+}
+
 static int get_v4l2_ext_controls32(struct file *file,
-				   struct v4l2_ext_controls *kp,
-				   struct v4l2_ext_controls32 __user *up)
+				   struct v4l2_ext_controls __user *kp,
+				   struct v4l2_ext_controls32 __user *up,
+				   void __user *aux_buf, u32 aux_space)
 {
 	struct v4l2_ext_control32 __user *ucontrols;
 	struct v4l2_ext_control __user *kcontrols;
-	int n;
+	u32 count;
+	u32 n;
 	compat_caddr_t p;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-	    get_user(kp->ctrl_class, &up->ctrl_class) ||
-	    get_user(kp->count, &up->count) ||
-	    get_user(kp->error_idx, &up->error_idx) ||
-	    copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
-		return -EFAULT;
-	n = kp->count;
-	if (n == 0) {
-		kp->controls = NULL;
-		return 0;
-	}
+	    assign_in_user(&kp->ctrl_class, &up->ctrl_class) ||
+	    get_user(count, &up->count) ||
+	    put_user(count, &kp->count) ||
+	    assign_in_user(&kp->error_idx, &up->error_idx) ||
+	    copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
+		return -EFAULT;
+
+	if (count == 0)
+		return put_user(NULL, &kp->controls);
+	if (count > V4L2_CID_MAX_CTRLS)
+		return -EINVAL;
 	if (get_user(p, &up->controls))
 		return -EFAULT;
 	ucontrols = compat_ptr(p);
-	if (!access_ok(VERIFY_READ, ucontrols, n * sizeof(*ucontrols)))
+	if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
+		return -EFAULT;
+	if (aux_space < count * sizeof(*kcontrols))
 		return -EFAULT;
-	kcontrols = compat_alloc_user_space(n * sizeof(*kcontrols));
-	kp->controls = (__force struct v4l2_ext_control *)kcontrols;
-	while (--n >= 0) {
+	kcontrols = aux_buf;
+	if (put_user((__force struct v4l2_ext_control *)kcontrols,
+		     &kp->controls))
+		return -EFAULT;
+
+	for (n = 0; n < count; n++) {
 		u32 id;
 
 		if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols)))
 			return -EFAULT;
+
 		if (get_user(id, &kcontrols->id))
 			return -EFAULT;
+
 		if (ctrl_is_pointer(file, id)) {
 			void __user *s;
 
@@ -666,43 +828,54 @@ static int get_v4l2_ext_controls32(struc
 }
 
 static int put_v4l2_ext_controls32(struct file *file,
-				   struct v4l2_ext_controls *kp,
+				   struct v4l2_ext_controls __user *kp,
 				   struct v4l2_ext_controls32 __user *up)
 {
 	struct v4l2_ext_control32 __user *ucontrols;
-	struct v4l2_ext_control __user *kcontrols =
-		(__force struct v4l2_ext_control __user *)kp->controls;
-	int n = kp->count;
+	struct v4l2_ext_control __user *kcontrols;
+	u32 count;
+	u32 n;
 	compat_caddr_t p;
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    put_user(kp->ctrl_class, &up->ctrl_class) ||
-	    put_user(kp->count, &up->count) ||
-	    put_user(kp->error_idx, &up->error_idx) ||
-	    copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+	    assign_in_user(&up->ctrl_class, &kp->ctrl_class) ||
+	    get_user(count, &kp->count) ||
+	    put_user(count, &up->count) ||
+	    assign_in_user(&up->error_idx, &kp->error_idx) ||
+	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)) ||
+	    get_user(kcontrols, &kp->controls))
 		return -EFAULT;
-	if (!kp->count)
-		return 0;
 
+	if (!count)
+		return 0;
 	if (get_user(p, &up->controls))
 		return -EFAULT;
 	ucontrols = compat_ptr(p);
-	if (!access_ok(VERIFY_WRITE, ucontrols, n * sizeof(*ucontrols)))
+	if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
 		return -EFAULT;
 
-	while (--n >= 0) {
-		unsigned size = sizeof(*ucontrols);
+	for (n = 0; n < count; n++) {
+		unsigned int size = sizeof(*ucontrols);
 		u32 id;
 
-		if (get_user(id, &kcontrols->id))
+		if (get_user(id, &kcontrols->id) ||
+		    put_user(id, &ucontrols->id) ||
+		    assign_in_user(&ucontrols->size, &kcontrols->size) ||
+		    copy_in_user(&ucontrols->reserved2, &kcontrols->reserved2,
+				 sizeof(ucontrols->reserved2)))
 			return -EFAULT;
-		/* Do not modify the pointer when copying a pointer control.
-		   The contents of the pointer was changed, not the pointer
-		   itself. */
+
+		/*
+		 * Do not modify the pointer when copying a pointer control.
+		 * The contents of the pointer was changed, not the pointer
+		 * itself.
+		 */
 		if (ctrl_is_pointer(file, id))
 			size -= sizeof(ucontrols->value64);
+
 		if (copy_in_user(ucontrols, kcontrols, size))
 			return -EFAULT;
+
 		ucontrols++;
 		kcontrols++;
 	}
@@ -722,17 +895,18 @@ struct v4l2_event32 {
 	__u32				reserved[8];
 };
 
-static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up)
+static int put_v4l2_event32(struct v4l2_event __user *kp,
+			    struct v4l2_event32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    put_user(kp->type, &up->type) ||
-	    copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
-	    put_user(kp->pending, &up->pending) ||
-	    put_user(kp->sequence, &up->sequence) ||
-	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
-	    put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
-	    put_user(kp->id, &up->id) ||
-	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
+	    assign_in_user(&up->type, &kp->type) ||
+	    copy_in_user(&up->u, &kp->u, sizeof(kp->u)) ||
+	    assign_in_user(&up->pending, &kp->pending) ||
+	    assign_in_user(&up->sequence, &kp->sequence) ||
+	    assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
+	    assign_in_user(&up->timestamp.tv_nsec, &kp->timestamp.tv_nsec) ||
+	    assign_in_user(&up->id, &kp->id) ||
+	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
 		return -EFAULT;
 	return 0;
 }
@@ -745,31 +919,34 @@ struct v4l2_edid32 {
 	compat_caddr_t edid;
 };
 
-static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
+static int get_v4l2_edid32(struct v4l2_edid __user *kp,
+			   struct v4l2_edid32 __user *up)
 {
-	u32 tmp;
+	compat_uptr_t tmp;
 
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
-	    get_user(kp->pad, &up->pad) ||
-	    get_user(kp->start_block, &up->start_block) ||
-	    get_user(kp->blocks, &up->blocks) ||
+	    assign_in_user(&kp->pad, &up->pad) ||
+	    assign_in_user(&kp->start_block, &up->start_block) ||
+	    assign_in_user(&kp->blocks, &up->blocks) ||
 	    get_user(tmp, &up->edid) ||
-	    copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
+	    put_user(compat_ptr(tmp), &kp->edid) ||
+	    copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
-	kp->edid = (__force u8 *)compat_ptr(tmp);
 	return 0;
 }
 
-static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
+static int put_v4l2_edid32(struct v4l2_edid __user *kp,
+			   struct v4l2_edid32 __user *up)
 {
-	u32 tmp = (u32)((unsigned long)kp->edid);
+	void *edid;
 
 	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
-	    put_user(kp->pad, &up->pad) ||
-	    put_user(kp->start_block, &up->start_block) ||
-	    put_user(kp->blocks, &up->blocks) ||
-	    put_user(tmp, &up->edid) ||
-	    copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
+	    assign_in_user(&up->pad, &kp->pad) ||
+	    assign_in_user(&up->start_block, &kp->start_block) ||
+	    assign_in_user(&up->blocks, &kp->blocks) ||
+	    get_user(edid, &kp->edid) ||
+	    put_user(ptr_to_compat(edid), &up->edid) ||
+	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
 		return -EFAULT;
 	return 0;
 }
@@ -786,7 +963,7 @@ static int put_v4l2_edid32(struct v4l2_e
 #define VIDIOC_ENUMINPUT32	_IOWR('V', 26, struct v4l2_input32)
 #define VIDIOC_G_EDID32		_IOWR('V', 40, struct v4l2_edid32)
 #define VIDIOC_S_EDID32		_IOWR('V', 41, struct v4l2_edid32)
-#define VIDIOC_TRY_FMT32      	_IOWR('V', 64, struct v4l2_format32)
+#define VIDIOC_TRY_FMT32	_IOWR('V', 64, struct v4l2_format32)
 #define VIDIOC_G_EXT_CTRLS32    _IOWR('V', 71, struct v4l2_ext_controls32)
 #define VIDIOC_S_EXT_CTRLS32    _IOWR('V', 72, struct v4l2_ext_controls32)
 #define VIDIOC_TRY_EXT_CTRLS32  _IOWR('V', 73, struct v4l2_ext_controls32)
@@ -802,22 +979,23 @@ static int put_v4l2_edid32(struct v4l2_e
 #define VIDIOC_G_OUTPUT32	_IOR ('V', 46, s32)
 #define VIDIOC_S_OUTPUT32	_IOWR('V', 47, s32)
 
+static int alloc_userspace(unsigned int size, u32 aux_space,
+			   void __user **up_native)
+{
+	*up_native = compat_alloc_user_space(size + aux_space);
+	if (!*up_native)
+		return -ENOMEM;
+	if (clear_user(*up_native, size))
+		return -EFAULT;
+	return 0;
+}
+
 static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
-	union {
-		struct v4l2_format v2f;
-		struct v4l2_buffer v2b;
-		struct v4l2_framebuffer v2fb;
-		struct v4l2_input v2i;
-		struct v4l2_standard v2s;
-		struct v4l2_ext_controls v2ecs;
-		struct v4l2_event v2ev;
-		struct v4l2_create_buffers v2crt;
-		struct v4l2_edid v2edid;
-		unsigned long vx;
-		int vi;
-	} karg;
 	void __user *up = compat_ptr(arg);
+	void __user *up_native = NULL;
+	void __user *aux_buf;
+	u32 aux_space;
 	int compatible_arg = 1;
 	long err = 0;
 
@@ -856,30 +1034,52 @@ static long do_video_ioctl(struct file *
 	case VIDIOC_STREAMOFF:
 	case VIDIOC_S_INPUT:
 	case VIDIOC_S_OUTPUT:
-		err = get_user(karg.vi, (s32 __user *)up);
+		err = alloc_userspace(sizeof(unsigned int), 0, &up_native);
+		if (!err && assign_in_user((unsigned int __user *)up_native,
+					   (compat_uint_t __user *)up))
+			err = -EFAULT;
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_G_INPUT:
 	case VIDIOC_G_OUTPUT:
+		err = alloc_userspace(sizeof(unsigned int), 0, &up_native);
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_G_EDID:
 	case VIDIOC_S_EDID:
-		err = get_v4l2_edid32(&karg.v2edid, up);
+		err = alloc_userspace(sizeof(struct v4l2_edid), 0, &up_native);
+		if (!err)
+			err = get_v4l2_edid32(up_native, up);
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_G_FMT:
 	case VIDIOC_S_FMT:
 	case VIDIOC_TRY_FMT:
-		err = get_v4l2_format32(&karg.v2f, up);
+		err = bufsize_v4l2_format(up, &aux_space);
+		if (!err)
+			err = alloc_userspace(sizeof(struct v4l2_format),
+					      aux_space, &up_native);
+		if (!err) {
+			aux_buf = up_native + sizeof(struct v4l2_format);
+			err = get_v4l2_format32(up_native, up,
+						aux_buf, aux_space);
+		}
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_CREATE_BUFS:
-		err = get_v4l2_create32(&karg.v2crt, up);
+		err = bufsize_v4l2_create(up, &aux_space);
+		if (!err)
+			err = alloc_userspace(sizeof(struct v4l2_create_buffers),
+					      aux_space, &up_native);
+		if (!err) {
+			aux_buf = up_native + sizeof(struct v4l2_create_buffers);
+			err = get_v4l2_create32(up_native, up,
+						aux_buf, aux_space);
+		}
 		compatible_arg = 0;
 		break;
 
@@ -887,36 +1087,63 @@ static long do_video_ioctl(struct file *
 	case VIDIOC_QUERYBUF:
 	case VIDIOC_QBUF:
 	case VIDIOC_DQBUF:
-		err = get_v4l2_buffer32(&karg.v2b, up);
+		err = bufsize_v4l2_buffer(up, &aux_space);
+		if (!err)
+			err = alloc_userspace(sizeof(struct v4l2_buffer),
+					      aux_space, &up_native);
+		if (!err) {
+			aux_buf = up_native + sizeof(struct v4l2_buffer);
+			err = get_v4l2_buffer32(up_native, up,
+						aux_buf, aux_space);
+		}
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_S_FBUF:
-		err = get_v4l2_framebuffer32(&karg.v2fb, up);
+		err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+				      &up_native);
+		if (!err)
+			err = get_v4l2_framebuffer32(up_native, up);
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_G_FBUF:
+		err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+				      &up_native);
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_ENUMSTD:
-		err = get_v4l2_standard32(&karg.v2s, up);
+		err = alloc_userspace(sizeof(struct v4l2_standard), 0,
+				      &up_native);
+		if (!err)
+			err = get_v4l2_standard32(up_native, up);
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_ENUMINPUT:
-		err = get_v4l2_input32(&karg.v2i, up);
+		err = alloc_userspace(sizeof(struct v4l2_input), 0, &up_native);
+		if (!err)
+			err = get_v4l2_input32(up_native, up);
 		compatible_arg = 0;
 		break;
 
 	case VIDIOC_G_EXT_CTRLS:
 	case VIDIOC_S_EXT_CTRLS:
 	case VIDIOC_TRY_EXT_CTRLS:
-		err = get_v4l2_ext_controls32(file, &karg.v2ecs, up);
+		err = bufsize_v4l2_ext_controls(up, &aux_space);
+		if (!err)
+			err = alloc_userspace(sizeof(struct v4l2_ext_controls),
+					      aux_space, &up_native);
+		if (!err) {
+			aux_buf = up_native + sizeof(struct v4l2_ext_controls);
+			err = get_v4l2_ext_controls32(file, up_native, up,
+						      aux_buf, aux_space);
+		}
 		compatible_arg = 0;
 		break;
 	case VIDIOC_DQEVENT:
+		err = alloc_userspace(sizeof(struct v4l2_event), 0, &up_native);
 		compatible_arg = 0;
 		break;
 	}
@@ -925,25 +1152,26 @@ static long do_video_ioctl(struct file *
 
 	if (compatible_arg)
 		err = native_ioctl(file, cmd, (unsigned long)up);
-	else {
-		mm_segment_t old_fs = get_fs();
-
-		set_fs(KERNEL_DS);
-		err = native_ioctl(file, cmd, (unsigned long)&karg);
-		set_fs(old_fs);
-	}
+	else
+		err = native_ioctl(file, cmd, (unsigned long)up_native);
 
 	if (err == -ENOTTY)
 		return err;
 
-	/* Special case: even after an error we need to put the
-	   results back for these ioctls since the error_idx will
-	   contain information on which control failed. */
+	/*
+	 * Special case: even after an error we need to put the
+	 * results back for these ioctls since the error_idx will
+	 * contain information on which control failed.
+	 */
 	switch (cmd) {
 	case VIDIOC_G_EXT_CTRLS:
 	case VIDIOC_S_EXT_CTRLS:
 	case VIDIOC_TRY_EXT_CTRLS:
-		if (put_v4l2_ext_controls32(file, &karg.v2ecs, up))
+		if (put_v4l2_ext_controls32(file, up_native, up))
+			err = -EFAULT;
+		break;
+	case VIDIOC_S_EDID:
+		if (put_v4l2_edid32(up_native, up))
 			err = -EFAULT;
 		break;
 	}
@@ -955,45 +1183,46 @@ static long do_video_ioctl(struct file *
 	case VIDIOC_S_OUTPUT:
 	case VIDIOC_G_INPUT:
 	case VIDIOC_G_OUTPUT:
-		err = put_user(((s32)karg.vi), (s32 __user *)up);
+		if (assign_in_user((compat_uint_t __user *)up,
+				   ((unsigned int __user *)up_native)))
+			err = -EFAULT;
 		break;
 
 	case VIDIOC_G_FBUF:
-		err = put_v4l2_framebuffer32(&karg.v2fb, up);
+		err = put_v4l2_framebuffer32(up_native, up);
 		break;
 
 	case VIDIOC_DQEVENT:
-		err = put_v4l2_event32(&karg.v2ev, up);
+		err = put_v4l2_event32(up_native, up);
 		break;
 
 	case VIDIOC_G_EDID:
-	case VIDIOC_S_EDID:
-		err = put_v4l2_edid32(&karg.v2edid, up);
+		err = put_v4l2_edid32(up_native, up);
 		break;
 
 	case VIDIOC_G_FMT:
 	case VIDIOC_S_FMT:
 	case VIDIOC_TRY_FMT:
-		err = put_v4l2_format32(&karg.v2f, up);
+		err = put_v4l2_format32(up_native, up);
 		break;
 
 	case VIDIOC_CREATE_BUFS:
-		err = put_v4l2_create32(&karg.v2crt, up);
+		err = put_v4l2_create32(up_native, up);
 		break;
 
 	case VIDIOC_PREPARE_BUF:
 	case VIDIOC_QUERYBUF:
 	case VIDIOC_QBUF:
 	case VIDIOC_DQBUF:
-		err = put_v4l2_buffer32(&karg.v2b, up);
+		err = put_v4l2_buffer32(up_native, up);
 		break;
 
 	case VIDIOC_ENUMSTD:
-		err = put_v4l2_standard32(&karg.v2s, up);
+		err = put_v4l2_standard32(up_native, up);
 		break;
 
 	case VIDIOC_ENUMINPUT:
-		err = put_v4l2_input32(&karg.v2i, up);
+		err = put_v4l2_input32(up_native, up);
 		break;
 	}
 	return err;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 219/254] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (197 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 135/254] net/mlx5: Stay in polling mode when command EQ destroy fails Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 017/254] hwmon: (pmbus) Use 64bit math for DIRECT format values Ben Hutchings
                   ` (55 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, Oliver Hartkopp, Marc Kleine-Budde,
	syzbot+4386709c0c1284dca827

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 8cb68751c115d176ec851ca56ecfbb411568c9e8 upstream.

If an invalid CAN frame is received, from a driver or from a tun
interface, a Kernel warning is generated.

This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
kernel, bootet with panic_on_warn, does not panic. A printk seems to be
more appropriate here.

Reported-by: syzbot+4386709c0c1284dca827@syzkaller.appspotmail.com
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16:
 - Keep using the 'drop' label, as it has another user
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -719,13 +719,12 @@ static int can_rcv(struct sk_buff *skb,
 	if (unlikely(!net_eq(dev_net(dev), &init_net)))
 		goto drop;
 
-	if (WARN_ONCE(dev->type != ARPHRD_CAN ||
-		      skb->len != CAN_MTU ||
-		      cfd->len > CAN_MAX_DLEN,
-		      "PF_CAN: dropped non conform CAN skbuf: "
-		      "dev type %d, len %d, datalen %d\n",
-		      dev->type, skb->len, cfd->len))
+	if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU ||
+		     cfd->len > CAN_MAX_DLEN)) {
+		pr_warn_once("PF_CAN: dropped non conform CAN skbuf: dev type %d, len %d, datalen %d\n",
+			     dev->type, skb->len, cfd->len);
 		goto drop;
+	}
 
 	can_receive(skb, dev);
 	return NET_RX_SUCCESS;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 085/254] nl80211: fix nl80211_send_iface() error paths
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 168/254] sh_eth: fix TSU resource handling Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 252/254] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic Ben Hutchings
                   ` (163 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 4564b187c16327045d87596e8980c65ba7b84c50 upstream.

Evidently I introduced a locking bug in my change here,
the nla_put_failure sometimes needs to unlock. Fix it.

Fixes: 44905265bc15 ("nl80211: don't expose wdev->ssid for most interfaces")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/nl80211.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2346,7 +2346,7 @@ static int nl80211_send_iface(struct sk_
 	case NL80211_IFTYPE_AP:
 		if (wdev->ssid_len &&
 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
-			goto nla_put_failure;
+			goto nla_put_failure_locked;
 		break;
 	case NL80211_IFTYPE_STATION:
 	case NL80211_IFTYPE_P2P_CLIENT:
@@ -2359,7 +2359,7 @@ static int nl80211_send_iface(struct sk_
 		if (!ssid_ie)
 			break;
 		if (nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
-			goto nla_put_failure;
+			goto nla_put_failure_locked;
 		break;
 		}
 	default:
@@ -2370,6 +2370,8 @@ static int nl80211_send_iface(struct sk_
 
 	return genlmsg_end(msg, hdr);
 
+ nla_put_failure_locked:
+	wdev_unlock(wdev);
  nla_put_failure:
 	genlmsg_cancel(msg, hdr);
 	return -EMSGSIZE;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 251/254] media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 099/254] MIPS: math-emu: Define IEEE 754-2008 feature control bits Ben Hutchings
                   ` (125 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Mauro Carvalho Chehab, Sakari Ailus

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit d83a8243aaefe62ace433e4384a4f077bed86acb upstream.

Some ioctls need to copy back the result even if the ioctl returned
an error. However, don't do this for the error code -ENOTTY.
It makes no sense in that cases.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -933,6 +933,9 @@ static long do_video_ioctl(struct file *
 		set_fs(old_fs);
 	}
 
+	if (err == -ENOTTY)
+		return err;
+
 	/* Special case: even after an error we need to put the
 	   results back for these ioctls since the error_idx will
 	   contain information on which control failed. */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 196/254] SolutionEngine771x: fix Ether platform data
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (240 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 047/254] usb: xhci: fix panic in xhci_free_virt_devices_depth_first Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 055/254] s390: always save and restore all registers on context switch Ben Hutchings
                   ` (12 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sergei Shtylyov, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 195e2addbce09e5afbc766efc1e6567c9ce840d3 upstream.

The 'sh_eth' driver's probe() method would fail  on the SolutionEngine7710
board and crash on SolutionEngine7712 board  as the platform code is
hopelessly behind the driver's platform data --  it passes the PHY address
instead of 'struct sh_eth_plat_data *'; pass the latter to the driver in
order to fix the bug...

Fixes: 71557a37adb5 ("[netdrvr] sh_eth: Add SH7619 support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sh/boards/mach-se/770x/setup.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/arch/sh/boards/mach-se/770x/setup.c
+++ b/arch/sh/boards/mach-se/770x/setup.c
@@ -8,6 +8,7 @@
  */
 #include <linux/init.h>
 #include <linux/platform_device.h>
+#include <linux/sh_eth.h>
 #include <mach-se/mach/se.h>
 #include <mach-se/mach/mrshpc.h>
 #include <asm/machvec.h>
@@ -114,6 +115,11 @@ static struct platform_device heartbeat_
 #if defined(CONFIG_CPU_SUBTYPE_SH7710) ||\
 	defined(CONFIG_CPU_SUBTYPE_SH7712)
 /* SH771X Ethernet driver */
+static struct sh_eth_plat_data sh_eth_plat = {
+	.phy = PHY_ID,
+	.phy_interface = PHY_INTERFACE_MODE_MII,
+};
+
 static struct resource sh_eth0_resources[] = {
 	[0] = {
 		.start = SH_ETH0_BASE,
@@ -131,7 +137,7 @@ static struct platform_device sh_eth0_de
 	.name = "sh771x-ether",
 	.id = 0,
 	.dev = {
-		.platform_data = PHY_ID,
+		.platform_data = &sh_eth_plat,
 	},
 	.num_resources = ARRAY_SIZE(sh_eth0_resources),
 	.resource = sh_eth0_resources,
@@ -154,7 +160,7 @@ static struct platform_device sh_eth1_de
 	.name = "sh771x-ether",
 	.id = 1,
 	.dev = {
-		.platform_data = PHY_ID,
+		.platform_data = &sh_eth_plat,
 	},
 	.num_resources = ARRAY_SIZE(sh_eth1_resources),
 	.resource = sh_eth1_resources,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 059/254] x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 134/254] net/mlx5: Cleanup IRQs in case of unload failure Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 120/254] PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() Ben Hutchings
                   ` (240 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Hansen, Thomas Gleixner, Bjorn Helgaas,
	Rafael J. Wysocki, Ingo Molnar, Linux PCI

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.

acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
is set, but the host bridge information from the ACPI tables is not going
to be used in that case and the Broadcom host bridge initialization should
not be skipped then, So make broadcom_postcore_init() check acpi_disabled
too to avoid this issue.

Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Linux PCI <linux-pci@vger.kernel.org>
Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/pci/broadcom_bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/pci/broadcom_bus.c
+++ b/arch/x86/pci/broadcom_bus.c
@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
 	 * We should get host bridge information from ACPI unless the BIOS
 	 * doesn't support it.
 	 */
-	if (acpi_os_get_root_pointer())
+	if (!acpi_disabled && acpi_os_get_root_pointer())
 		return 0;
 #endif
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 158/254] e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 153/254] USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 030/254] sctp: force the params with right types for sctp csum apis Ben Hutchings
                   ` (186 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jeff Kirsher, Christian Hesse, Aaron Brown, Gabriel C,
	Benjamin Poirier

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Poirier <bpoirier@suse.com>

commit 4110e02eb45ea447ec6f5459c9934de0a273fb91 upstream.

e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
are the two functions that may be assigned to mac.ops.check_for_link when
phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
Separate signaling for link check/link up") changed the meaning of the
return value of check_for_link for copper media but only adjusted the first
function. This patch adjusts the second function likewise.

Reported-by: Christian Hesse <list@eworm.de>
Reported-by: Gabriel C <nix.or.die@gmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Tested-by: Christian Hesse <list@eworm.de>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -1300,6 +1300,9 @@ out:
  *  Checks to see of the link status of the hardware has changed.  If a
  *  change in link status has been detected, then we read the PHY registers
  *  to get the current speed/duplex if link exists.
+ *
+ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
+ *  up).
  **/
 static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
 {
@@ -1314,7 +1317,7 @@ static s32 e1000_check_for_copper_link_i
 	 * Change or Rx Sequence Error interrupt.
 	 */
 	if (!mac->get_link_status)
-		return 0;
+		return 1;
 
 	/* First we want to see if the MII Status Register reports
 	 * link.  If so, then we want to get the current speed/duplex
@@ -1453,10 +1456,12 @@ static s32 e1000_check_for_copper_link_i
 	 * different link partner.
 	 */
 	ret_val = e1000e_config_fc_after_link_up(hw);
-	if (ret_val)
+	if (ret_val) {
 		e_dbg("Error configuring flow control\n");
+		return ret_val;
+	}
 
-	return ret_val;
+	return 1;
 }
 
 static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 212/254] KVM/x86: Check input paging mode when cs.l is set
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (188 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 079/254] ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 058/254] ALSA: pcm: prevent UAF in snd_pcm_info Ben Hutchings
                   ` (64 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, Jim Mattson, Paolo Bonzini,
	Radim Krčmář,
	Lan Tianyu

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lan Tianyu <tianyu.lan@intel.com>

commit f29810335965ac1f7bcb501ee2af5f039f792416 upstream.

Reported by syzkaller:
    WARNING: CPU: 0 PID: 27962 at arch/x86/kvm/emulate.c:5631 x86_emulate_insn+0x557/0x15f0 [kvm]
    Modules linked in: kvm_intel kvm [last unloaded: kvm]
    CPU: 0 PID: 27962 Comm: syz-executor Tainted: G    B   W        4.15.0-rc2-next-20171208+ #32
    Hardware name: Intel Corporation S1200SP/S1200SP, BIOS S1200SP.86B.01.03.0006.040720161253 04/07/2016
    RIP: 0010:x86_emulate_insn+0x557/0x15f0 [kvm]
    RSP: 0018:ffff8807234476d0 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffff88072d0237a0 RCX: ffffffffa0065c4d
    RDX: 1ffff100e5a046f9 RSI: 0000000000000003 RDI: ffff88072d0237c8
    RBP: ffff880723447728 R08: ffff88072d020000 R09: ffffffffa008d240
    R10: 0000000000000002 R11: ffffed00e7d87db3 R12: ffff88072d0237c8
    R13: ffff88072d023870 R14: ffff88072d0238c2 R15: ffffffffa008d080
    FS:  00007f8a68666700(0000) GS:ffff880802200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000002009506c CR3: 000000071fec4005 CR4: 00000000003626f0
    Call Trace:
     x86_emulate_instruction+0x3bc/0xb70 [kvm]
     ? reexecute_instruction.part.162+0x130/0x130 [kvm]
     vmx_handle_exit+0x46d/0x14f0 [kvm_intel]
     ? trace_event_raw_event_kvm_entry+0xe7/0x150 [kvm]
     ? handle_vmfunc+0x2f0/0x2f0 [kvm_intel]
     ? wait_lapic_expire+0x25/0x270 [kvm]
     vcpu_enter_guest+0x720/0x1ef0 [kvm]
     ...

When CS.L is set, vcpu should run in the 64 bit paging mode.
Current kvm set_sregs function doesn't have such check when
userspace inputs sreg values. This will lead unexpected behavior.
This patch is to add checks for CS.L, EFER.LME, EFER.LMA and
CR4.PAE when get SREG inputs from userspace in order to avoid
unexpected behavior.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Jim Mattson <jmattson@google.com>
Signed-off-by: Tianyu Lan <tianyu.lan@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6579,6 +6579,29 @@ int kvm_task_switch(struct kvm_vcpu *vcp
 }
 EXPORT_SYMBOL_GPL(kvm_task_switch);
 
+int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
+{
+	if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG_BIT)) {
+		/*
+		 * When EFER.LME and CR0.PG are set, the processor is in
+		 * 64-bit mode (though maybe in a 32-bit code segment).
+		 * CR4.PAE and EFER.LMA must be set.
+		 */
+		if (!(sregs->cr4 & X86_CR4_PAE_BIT)
+		    || !(sregs->efer & EFER_LMA))
+			return -EINVAL;
+	} else {
+		/*
+		 * Not in 64-bit mode: EFER.LMA is clear and the code
+		 * segment cannot be 64-bit.
+		 */
+		if (sregs->efer & EFER_LMA || sregs->cs.l)
+			return -EINVAL;
+	}
+
+	return 0;
+}
+
 int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
 				  struct kvm_sregs *sregs)
 {
@@ -6590,6 +6613,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
 	if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE))
 		return -EINVAL;
 
+	if (kvm_valid_sregs(vcpu, sregs))
+		return -EINVAL;
+
 	dt.size = sregs->idt.limit;
 	dt.address = sregs->idt.base;
 	kvm_x86_ops->set_idt(vcpu, &dt);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 005/254] KVM: x86: Don't re-execute instruction when not passing CR2 value
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 249/254] media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 054/254] dm: fix various targets to dm_register_target after module __init resources created Ben Hutchings
                   ` (237 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Nikita Leshenko, Konrad Rzeszutek Wilk, Liran Alon,
	Wanpeng Li, Radim Krčmář

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liran Alon <liran.alon@oracle.com>

commit 9b8ae63798cb97e785a667ff27e43fa6220cb734 upstream.

In case of instruction-decode failure or emulation failure,
x86_emulate_instruction() will call reexecute_instruction() which will
attempt to use the cr2 value passed to x86_emulate_instruction().
However, when x86_emulate_instruction() is called from
emulate_instruction(), cr2 is not passed (passed as 0) and therefore
it doesn't make sense to execute reexecute_instruction() logic at all.

Fixes: 51d8b66199e9 ("KVM: cleanup emulate_instruction")

Signed-off-by: Liran Alon <liran.alon@oracle.com>
Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/kvm_host.h | 3 ++-
 arch/x86/kvm/vmx.c              | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -847,7 +847,8 @@ int x86_emulate_instruction(struct kvm_v
 static inline int emulate_instruction(struct kvm_vcpu *vcpu,
 			int emulation_type)
 {
-	return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
+	return x86_emulate_instruction(vcpu, 0,
+			emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
 }
 
 void kvm_enable_efer_bits(u64);
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5659,7 +5659,7 @@ static int handle_invalid_guest_state(st
 		if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
 			return 1;
 
-		err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
+		err = emulate_instruction(vcpu, 0);
 
 		if (err == EMULATE_USER_EXIT) {
 			++vcpu->stat.mmio_exits;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 067/254] can: ems_usb: cancel urb on -EPIPE and -EPROTO
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 133/254] net/mlx5: Fix misspelling in the error message and comment Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 111/254] powerpc/perf: Dereference BHRB entries safely Ben Hutchings
                   ` (118 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin Kelly, Marc Kleine-Budde

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/ems_usb.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -290,6 +290,8 @@ static void ems_usb_read_interrupt_callb
 
 	case -ECONNRESET: /* unlink */
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 178/254] sh_eth: fix SH7757 GEther initialization
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 065/254] btrfs: Fix possible off-by-one in btrfs_search_path_in_tree Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 081/254] xhci: Don't add a virt_dev to the devs array before it's fully allocated Ben Hutchings
                   ` (5 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sergei Shtylyov, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 5133550296d43236439494aa955bfb765a89f615 upstream.

Renesas  SH7757 has 2 Fast and 2 Gigabit Ether controllers, while the
'sh_eth' driver can only reset and initialize TSU of the first controller
pair. Shimoda-san tried to solve that adding the 'needs_init' member to the
'struct sh_eth_plat_data', however the platform code still never sets this
flag. I think  that we can infer this information from the 'devno' variable
(set  to 'platform_device::id') and reset/init the Ether controller pair
only for an even 'devno'; therefore 'sh_eth_plat_data::needs_init' can be
removed...

Fixes: 150647fb2c31 ("net: sh_eth: change the condition of initialization")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
 include/linux/sh_eth.h                | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -2902,8 +2902,8 @@ static int sh_eth_drv_probe(struct platf
 		ndev->features = NETIF_F_HW_VLAN_CTAG_FILTER;
 	}
 
-	/* initialize first or needed device */
-	if (!devno || pd->needs_init) {
+	/* Need to init only the first port of the two sharing a TSU */
+	if (devno % 2 == 0) {
 		if (mdp->cd->chip_reset)
 			mdp->cd->chip_reset(ndev);
 
--- a/include/linux/sh_eth.h
+++ b/include/linux/sh_eth.h
@@ -16,7 +16,6 @@ struct sh_eth_plat_data {
 	unsigned char mac_addr[ETH_ALEN];
 	unsigned no_ether_link:1;
 	unsigned ether_link_active_low:1;
-	unsigned needs_init:1;
 };
 
 #endif

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 225/254] Input: trackpoint - assume 3 buttons when buttons detection fails
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (173 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 237/254] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 112/254] KVM: X86: Fix load RFLAGS w/o the fixed bit Ben Hutchings
                   ` (79 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Oscar Campos, Peter Hutterer

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oscar Campos <oscar.campos@member.fsf.org>

commit 293b915fd9bebf33cdc906516fb28d54649a25ac upstream.

Trackpoint buttons detection fails on ThinkPad 570 and 470 series,
this makes the middle button of the trackpoint to not being recogized.
As I don't believe there is any trackpoint with less than 3 buttons this
patch just assumes three buttons when the extended button information
read fails.

Signed-off-by: Oscar Campos <oscar.campos@member.fsf.org>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/trackpoint.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/input/mouse/trackpoint.c
+++ b/drivers/input/mouse/trackpoint.c
@@ -377,8 +377,8 @@ int trackpoint_detect(struct psmouse *ps
 		return 0;
 
 	if (trackpoint_read(&psmouse->ps2dev, TP_EXT_BTN, &button_info)) {
-		psmouse_warn(psmouse, "failed to get extended button data\n");
-		button_info = 0;
+		psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
+		button_info = 0x33;
 	}
 
 	psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 019/254] drm/i915: Prevent zero length "index" write
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (220 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 074/254] X.509: reject invalid BIT STRING for subjectPublicKey Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 128/254] usbip: stub: stop printing kernel pointer addresses in messages Ben Hutchings
                   ` (32 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Chris Wilson, Daniel Vetter, Daniel Kurtz, Sean Paul,
	Ville Syrjälä,
	Joonas Lahtinen

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 56350fb8978bbf4aafe08f21234e161dd128b417 upstream.

The hardware always writes one or two bytes in the index portion of
an indexed transfer. Make sure the message we send as the index
doesn't have a zero length.

Cc: Daniel Kurtz <djkurtz@chromium.org>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Sean Paul <seanpaul@chromium.org>
Fixes: 56f9eac05489 ("drm/i915/intel_i2c: use INDEX cycles for i2c read transactions")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171123194157.25367-3-ville.syrjala@linux.intel.com
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit bb9e0d4bca50f429152e74a459160b41f3d60fb2)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_i2c.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/intel_i2c.c
+++ b/drivers/gpu/drm/i915/intel_i2c.c
@@ -449,7 +449,8 @@ gmbus_is_index_read(struct i2c_msg *msgs
 {
 	return (i + 1 < num &&
 		msgs[i].addr == msgs[i + 1].addr &&
-		!(msgs[i].flags & I2C_M_RD) && msgs[i].len <= 2 &&
+		!(msgs[i].flags & I2C_M_RD) &&
+		(msgs[i].len == 1 || msgs[i].len == 2) &&
 		(msgs[i + 1].flags & I2C_M_RD));
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 103/254] MIPS: ptrace: Prevent writes to read-only FCSR bits
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 160/254] mmc: s3mci: mark debug_regs[] as static Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 187/254] Input: twl6040-vibra - fix DT node memory management Ben Hutchings
                   ` (70 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, linux-mips, Maciej W. Rozycki, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@imgtec.com>

commit abf378be49f38c4d3e23581d3df3fa9f1b1b11d2 upstream.

Correct the cases missed with commit 9b26616c8d9d ("MIPS: Respect the
ISA level in FCSR handling") and prevent writes to read-only FCSR bits
there.

This in particular applies to FP context initialisation where any IEEE
754-2008 bits preset by `mips_set_personality_nan' are cleared before
the relevant ptrace(2) call takes effect and the PTRACE_POKEUSR request
addressing FPC_CSR where no masking of read-only FCSR bits is done.

Remove the FCSR clearing from FP context initialisation then and unify
PTRACE_POKEUSR/FPC_CSR and PTRACE_SETFPREGS handling, by factoring out
code from `ptrace_setfpregs' and calling it from both places.

This mostly matters to soft float configurations where the emulator can
be switched this way to a mode which should not be accessible and cannot
be set with the CTC1 instruction.  With hard float configurations any
effect is transient anyway as read-only bits will retain their values at
the time the FP context is restored.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13239/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16: There is no mips_set_personality_nan(), so make
 init_fp_ctx() copy the initial value of FCSR31]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -57,8 +57,7 @@ static void init_fp_ctx(struct task_stru
 	/* Begin with data registers set to all 1s... */
 	memset(&target->thread.fpu.fpr, ~0, sizeof(target->thread.fpu.fpr));
 
-	/* ...and FCSR zeroed */
-	target->thread.fpu.fcr31 = 0;
+	target->thread.fpu.fcr31 = boot_cpu_data.fpu_csr31;
 
 	/*
 	 * Record that the target has "used" math, such that the context
@@ -80,6 +79,22 @@ void ptrace_disable(struct task_struct *
 }
 
 /*
+ * Poke at FCSR according to its mask.  Don't set the cause bits as
+ * this is currently not handled correctly in FP context restoration
+ * and will cause an oops if a corresponding enable bit is set.
+ */
+static void ptrace_setfcr31(struct task_struct *child, u32 value)
+{
+	u32 fcr31;
+	u32 mask;
+
+	value &= ~FPU_CSR_ALL_X;
+	fcr31 = child->thread.fpu.fcr31;
+	mask = boot_cpu_data.fpu_msk31;
+	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
+}
+
+/*
  * Read a general register set.	 We always use the 64-bit format, even
  * for 32-bit kernels and for 32-bit processes on a 64-bit kernel.
  * Registers are sign extended to fill the available space.
@@ -159,9 +174,7 @@ int ptrace_setfpregs(struct task_struct
 {
 	union fpureg *fregs;
 	u64 fpr_val;
-	u32 fcr31;
 	u32 value;
-	u32 mask;
 	int i;
 
 	if (!access_ok(VERIFY_READ, data, 33 * 8))
@@ -176,10 +189,7 @@ int ptrace_setfpregs(struct task_struct
 	}
 
 	__get_user(value, data + 64);
-	value &= ~FPU_CSR_ALL_X;
-	fcr31 = child->thread.fpu.fcr31;
-	mask = boot_cpu_data.fpu_msk31;
-	child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
+	ptrace_setfcr31(child, value);
 
 	/* FIR may not be written.  */
 
@@ -739,7 +749,7 @@ long arch_ptrace(struct task_struct *chi
 			break;
 #endif
 		case FPC_CSR:
-			child->thread.fpu.fcr31 = data & ~FPU_CSR_ALL_X;
+			ptrace_setfcr31(child, data);
 			break;
 		case DSP_BASE ... DSP_BASE + 5: {
 			dspreg_t *dregs;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 004/254] KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 229/254] dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 102/254] MIPS: ptrace: Fix FP context restoration FCSR regression Ben Hutchings
                   ` (229 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Radim Krčmář,
	Konrad Rzeszutek Wilk, Liran Alon, Nikita Leshenko, Wanpeng Li

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liran Alon <liran.alon@oracle.com>

commit 1f4dcb3b213235e642088709a1c54964d23365e9 upstream.

On this case, handle_emulation_failure() fills kvm_run with
internal-error information which it expects to be delivered
to user-mode for further processing.
However, the code reports a wrong return-value which makes KVM to never
return to user-mode on this scenario.

Fixes: 6d77dbfc88e3 ("KVM: inject #UD if instruction emulation fails and exit to
userspace")

Signed-off-by: Liran Alon <liran.alon@oracle.com>
Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5009,7 +5009,7 @@ static int handle_emulation_failure(stru
 		vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
 		vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
 		vcpu->run->internal.ndata = 0;
-		r = EMULATE_FAIL;
+		r = EMULATE_USER_EXIT;
 	}
 	kvm_queue_exception(vcpu, UD_VECTOR);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 106/254] mips/ptrace: Preserve previous registers for short regset write
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 030/254] sctp: force the params with right types for sctp csum apis Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 222/254] x86/mce: Make machine check speculation protected Ben Hutchings
                   ` (184 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dave Martin, Linus Torvalds

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -484,7 +484,8 @@ static int fpr_set(struct task_struct *t
 					  &target->thread.fpu,
 					  0, sizeof(elf_fpregset_t));
 
-	for (i = 0; i < NUM_FPU_REGS; i++) {
+	BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+	for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
 		err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 					 &fpr_val, i * sizeof(elf_fpreg_t),
 					 (i + 1) * sizeof(elf_fpreg_t));

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 076/254] 509: fix printing uninitialized stack memory when OID is empty
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 214/254] dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 130/254] usbip: fix usbip bind writing random string after command in match_busid Ben Hutchings
                   ` (158 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, Eric Biggers, David Howells

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers3@gmail.com>

commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 upstream.

Callers of sprint_oid() do not check its return value before printing
the result.  In the case where the OID is zero-length, -EBADMSG was
being returned without anything being written to the buffer, resulting
in uninitialized stack memory being printed.  Fix this by writing
"(bad)" to the buffer in the cases where -EBADMSG is returned.

Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/oid_registry.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t
 	int count;
 
 	if (v >= end)
-		return -EBADMSG;
+		goto bad;
 
 	n = *v++;
 	ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
@@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t
 			num = n & 0x7f;
 			do {
 				if (v >= end)
-					return -EBADMSG;
+					goto bad;
 				n = *v++;
 				num <<= 7;
 				num |= n & 0x7f;
@@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t
 	}
 
 	return ret;
+
+bad:
+	snprintf(buffer, bufsize, "(bad)");
+	return -EBADMSG;
 }
 EXPORT_SYMBOL_GPL(sprint_oid);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 071/254] ASN.1: fix out-of-bounds read when parsing indefinite length item
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 195/254] net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 018/254] drm/i915: Don't try indexed reads to alternate slave addresses Ben Hutchings
                   ` (244 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Biggers, Alexander Potapenko, David Howells

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.

In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
to the action functions before their lengths had been computed, using
the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
reading data past the end of the input buffer, when given a specially
crafted message.

Fix it by rearranging the code so that the indefinite length is resolved
before the action is called.

This bug was originally found by fuzzing the X.509 parser in userspace
using libFuzzer from the LLVM project.

KASAN report (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195

    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xd1/0x175 lib/dump_stack.c:53
     print_address_description+0x78/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x23f/0x350 mm/kasan/report.c:409
     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
     memcpy ./include/linux/string.h:341 [inline]
     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 195:
     __do_kmalloc_node mm/slab.c:3675 [inline]
     __kmalloc_node+0x47/0x60 mm/slab.c:3682
     kvmalloc ./include/linux/mm.h:540 [inline]
     SYSC_add_key security/keys/keyctl.c:104 [inline]
     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: drop ASN1_OP_{COND_,}MATCH_ANY_{ACT_,}OR_SKIP cases]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/asn1_decoder.c | 47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -305,38 +305,43 @@ next_op:
 
 	/* Decide how to handle the operation */
 	switch (op) {
-	case ASN1_OP_MATCH_ANY_ACT:
-	case ASN1_OP_COND_MATCH_ANY_ACT:
-		ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
-		if (ret < 0)
-			return ret;
-		goto skip_data;
-
-	case ASN1_OP_MATCH_ACT:
-	case ASN1_OP_MATCH_ACT_OR_SKIP:
-	case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
-		ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
-		if (ret < 0)
-			return ret;
-		goto skip_data;
-
 	case ASN1_OP_MATCH:
 	case ASN1_OP_MATCH_OR_SKIP:
+	case ASN1_OP_MATCH_ACT:
+	case ASN1_OP_MATCH_ACT_OR_SKIP:
 	case ASN1_OP_MATCH_ANY:
+	case ASN1_OP_MATCH_ANY_ACT:
 	case ASN1_OP_COND_MATCH_OR_SKIP:
+	case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
 	case ASN1_OP_COND_MATCH_ANY:
-	skip_data:
+	case ASN1_OP_COND_MATCH_ANY_ACT:
+
 		if (!(flags & FLAG_CONS)) {
 			if (flags & FLAG_INDEFINITE_LENGTH) {
+				size_t tmp = dp;
+
 				ret = asn1_find_indefinite_length(
-					data, datalen, &dp, &len, &errmsg);
+					data, datalen, &tmp, &len, &errmsg);
 				if (ret < 0)
 					goto error;
-			} else {
-				dp += len;
 			}
 			pr_debug("- LEAF: %zu\n", len);
 		}
+
+		if (op & ASN1_OP_MATCH__ACT) {
+			unsigned char act;
+
+			if (op & ASN1_OP_MATCH__ANY)
+				act = machine[pc + 1];
+			else
+				act = machine[pc + 2];
+			ret = actions[act](context, hdr, tag, data + dp, len);
+			if (ret < 0)
+				return ret;
+		}
+
+		if (!(flags & FLAG_CONS))
+			dp += len;
 		pc += asn1_op_lengths[op];
 		goto next_op;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 146/254] tracing: Fix possible double free on failure of allocating trace buffer
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 082/254] dmaengine: dmatest: warn user when dma test times out Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 234/254] blk-mq: fix race between timeout and freeing request Ben Hutchings
                   ` (131 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steven Rostedt (VMware), Chunyan Zhang, Jing Xia

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 4397f04575c44e1440ec2e49b6302785c95fd2f8 upstream.

Jing Xia and Chunyan Zhang reported that on failing to allocate part of the
tracing buffer, memory is freed, but the pointers that point to them are not
initialized back to NULL, and later paths may try to free the freed memory
again. Jing and Chunyan fixed one of the locations that does this, but
missed a spot.

Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com

Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code")
Reported-by: Jing Xia <jing.xia@spreadtrum.com>
Reported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6220,6 +6220,7 @@ allocate_trace_buffer(struct trace_array
 	buf->data = alloc_percpu(struct trace_array_cpu);
 	if (!buf->data) {
 		ring_buffer_free(buf->buffer);
+		buf->buffer = NULL;
 		return -ENOMEM;
 	}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 082/254] dmaengine: dmatest: warn user when dma test times out
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 174/254] x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 146/254] tracing: Fix possible double free on failure of allocating trace buffer Ben Hutchings
                   ` (132 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Adam Wallis, Vinod Koul

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adam Wallis <awallis@codeaurora.org>

commit a9df21e34b422f79d9a9fa5c3eff8c2a53491be6 upstream.

Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
introduced a bug (that is in fact documented by the patch commit text)
that leaves behind a dangling pointer. Since the done_wait structure is
allocated on the stack, future invocations to the DMATEST can produce
undesirable results (e.g., corrupted spinlocks). Ideally, this would be
cleaned up in the thread handler, but at the very least, the kernel
is left in a very precarious scenario that can lead to some long debug
sessions when the crash comes later.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197605
Signed-off-by: Adam Wallis <awallis@codeaurora.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/dmatest.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -633,6 +633,7 @@ static int dmatest_func(void *data)
 			 * free it this time?" dancing.  For now, just
 			 * leave it dangling.
 			 */
+			WARN(1, "dmatest: Kernel stack may be corrupted!!\n");
 			dmaengine_unmap_put(um);
 			result("test timed out", total_tests, src_off, dst_off,
 			       len, 0);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 089/254] ext4: fix crash when a directory's i_size is too small
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 090/254] tcp md5sig: Use skb's saddr when replying to an incoming segment Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 042/254] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Ben Hutchings
                   ` (232 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chandan Rajendra, Abdul Haleem

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <chandan@linux.vnet.ibm.com>

commit 9d5afec6b8bd46d6ed821aa1579634437f58ef1f upstream.

On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
fsfuzzer) the following call trace is seen,

VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 6913 at /root/repos/linux/fs/buffer.c:1165 .__brelse.part.6+0x24/0x40
.__brelse.part.6+0x20/0x40 (unreliable)
.ext4_find_entry+0x384/0x4f0
.ext4_lookup+0x84/0x250
.lookup_slow+0xdc/0x230
.walk_component+0x268/0x400
.path_lookupat+0xec/0x2d0
.filename_lookup+0x9c/0x1d0
.vfs_statx+0x98/0x140
.SyS_newfstatat+0x48/0x80
system_call+0x58/0x6c

This happens because the directory that ext4_find_entry() looks up has
inode->i_size that is less than the block size of the filesystem. This
causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
reading any of the directory file's blocks. This renders the entries in
bh_use[] array to continue to have garbage data. buffer_uptodate() on
bh_use[0] can then return a zero value upon which brelse() function is
invoked.

This commit fixes the bug by returning -ENOENT when the directory file
has no associated blocks.

Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/namei.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1267,6 +1267,10 @@ static struct buffer_head * ext4_find_en
 			       "falling back\n"));
 	}
 	nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
+	if (!nblocks) {
+		ret = NULL;
+		goto cleanup_and_exit;
+	}
 	start = EXT4_I(dir)->i_dir_start_lookup;
 	if (start >= nblocks)
 		start = 0;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 204/254] futex: Prevent overflow by strengthen input validation
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 167/254] net: stmmac: enable EEE in MII, GMII or RGMII only Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 043/254] can: kvaser_usb: ratelimit errors if incomplete messages are received Ben Hutchings
                   ` (67 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Gleixner, peterz, Li Jinyue, dvhart

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Li Jinyue <lijinyue@huawei.com>

commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.

UBSAN reports signed integer overflow in kernel/futex.c:

 UBSAN: Undefined behaviour in kernel/futex.c:2041:18
 signed integer overflow:
 0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/futex.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1531,6 +1531,9 @@ static int futex_requeue(u32 __user *uad
 	struct futex_hash_bucket *hb1, *hb2;
 	struct futex_q *this, *next;
 
+	if (nr_wake < 0 || nr_requeue < 0)
+		return -EINVAL;
+
 	if (requeue_pi) {
 		/*
 		 * Requeue PI only works on two distinct uaddrs. This

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 160/254] mmc: s3mci: mark debug_regs[] as static
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 233/254] mac80211_hwsim: fix compiler warning on MIPS Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 103/254] MIPS: ptrace: Prevent writes to read-only FCSR bits Ben Hutchings
                   ` (71 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Ulf Hansson

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 2bd7b4aacdb6efa5ccd4749c365c171b884791d2 upstream.

The global array clashes with a newly added symbol of the same name:

drivers/staging/ccree/cc_debugfs.o:(.data+0x0): multiple definition of `debug_regs'
drivers/mmc/host/s3cmci.o:(.data+0x70): first defined here

We should fix both, this one addresses the s3cmci driver by removing
the symbol from the global namespace. While at it, this separates
the declaration from the type definition and makes the variable const.

Fixes: 9bdd203b4dc8 ("s3cmci: add debugfs support for examining driver and hardware state")
Fixes: b3ec9a6736f2 ("staging: ccree: staging: ccree: replace sysfs by debugfs interface")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/s3cmci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/s3cmci.c
+++ b/drivers/mmc/host/s3cmci.c
@@ -1537,7 +1537,9 @@ static const struct file_operations s3cm
 struct s3cmci_reg {
 	unsigned short	addr;
 	unsigned char	*name;
-} debug_regs[] = {
+};
+
+static const struct s3cmci_reg debug_regs[] = {
 	DBG_REG(CON),
 	DBG_REG(PRE),
 	DBG_REG(CMDARG),
@@ -1559,7 +1561,7 @@ struct s3cmci_reg {
 static int s3cmci_regs_show(struct seq_file *seq, void *v)
 {
 	struct s3cmci_host *host = seq->private;
-	struct s3cmci_reg *rptr = debug_regs;
+	const struct s3cmci_reg *rptr = debug_regs;
 
 	for (; rptr->name; rptr++)
 		seq_printf(seq, "SDI%s\t=0x%08x\n", rptr->name,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 190/254] USB: fix usbmon BUG trigger
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 163/254] ALSA: pcm: Add missing error checks in OSS emulation plugin builder Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 074/254] X.509: reject invalid BIT STRING for subjectPublicKey Ben Hutchings
                   ` (34 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, syzbot+f9831b881b3e849829fc, Pete Zaitcev

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pete Zaitcev <zaitcev@redhat.com>

commit 46eb14a6e1585d99c1b9f58d0e7389082a5f466b upstream.

Automated tests triggered this by opening usbmon and accessing the
mmap while simultaneously resizing the buffers. This bug was with
us since 2006, because typically applications only size the buffers
once and thus avoid racing. Reported by Kirill A. Shutemov.

Reported-by: <syzbot+f9831b881b3e849829fc@syzkaller.appspotmail.com>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/mon/mon_bin.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -1000,7 +1000,9 @@ static long mon_bin_ioctl(struct file *f
 		break;
 
 	case MON_IOCQ_RING_SIZE:
+		mutex_lock(&rp->fetch_lock);
 		ret = rp->b_size;
+		mutex_unlock(&rp->fetch_lock);
 		break;
 
 	case MON_IOCT_RING_SIZE:
@@ -1227,12 +1229,16 @@ static int mon_bin_vma_fault(struct vm_a
 	unsigned long offset, chunk_idx;
 	struct page *pageptr;
 
+	mutex_lock(&rp->fetch_lock);
 	offset = vmf->pgoff << PAGE_SHIFT;
-	if (offset >= rp->b_size)
+	if (offset >= rp->b_size) {
+		mutex_unlock(&rp->fetch_lock);
 		return VM_FAULT_SIGBUS;
+	}
 	chunk_idx = offset / CHUNK_SIZE;
 	pageptr = rp->b_vec[chunk_idx].pg;
 	get_page(pageptr);
+	mutex_unlock(&rp->fetch_lock);
 	vmf->page = pageptr;
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 201/254] ALSA: pcm: Remove yet superfluous WARN_ON()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 205/254] nl80211: take RCU read lock when calling ieee80211_bss_get_ie() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 061/254] efi: Move some sysfs files to be read-only by root Ben Hutchings
                   ` (200 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, syzbot+7e6ee55011deeebce15d

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c upstream.

muldiv32() contains a snd_BUG_ON() (which is morphed as WARN_ON() with
debug option) for checking the case of 0 / 0.  This would be helpful
if this happens only as a logical error; however, since the hw refine
is performed with any data set provided by user, the inconsistent
values that can trigger such a condition might be passed easily.
Actually, syzbot caught this by passing some zero'ed old hw_params
ioctl.

So, having snd_BUG_ON() there is simply superfluous and rather
harmful to give unnecessary confusions.  Let's get rid of it.

Reported-by: syzbot+7e6ee55011deeebce15d@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/pcm_lib.c | 1 -
 1 file changed, 1 deletion(-)

--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -644,7 +644,6 @@ static inline unsigned int muldiv32(unsi
 {
 	u_int64_t n = (u_int64_t) a * b;
 	if (c == 0) {
-		snd_BUG_ON(!n);
 		*r = 0;
 		return UINT_MAX;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 206/254] mac80211_hwsim: validate number of different channels
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 186/254] Input: twl4030-vibra - fix sibling-node lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 254/254] rds: Fix NULL pointer dereference in __rds_rdma_map Ben Hutchings
                   ` (88 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg, syzbot+8dd9051ff19940290931

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 51a1aaa631c90223888d8beac4d649dc11d2ca55 upstream.

When creating a new radio on the fly, hwsim allows this
to be done with an arbitrary number of channels, but
cfg80211 only supports a limited number of simultaneous
channels, leading to a warning.

Fix this by validating the number - this requires moving
the define for the maximum out to a visible header file.

Reported-by: syzbot+8dd9051ff19940290931@syzkaller.appspotmail.com
Fixes: b59ec8dd4394 ("mac80211_hwsim: fix number of channels in interface combinations")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16:
 - Test chans intead of param.channels
 - GENL_SET_ERR_MSG() is not available
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2439,6 +2439,9 @@ static int hwsim_create_radio_nl(struct
 	if (info->attrs[HWSIM_ATTR_CHANNELS])
 		chans = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]);
 
+	if (chans > CFG80211_MAX_NUM_DIFFERENT_CHANNELS)
+		return -EINVAL;
+
 	if (info->attrs[HWSIM_ATTR_USE_CHANCTX])
 		use_chanctx = true;
 	else
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -716,6 +716,8 @@ struct cfg80211_csa_settings {
 	u8 count;
 };
 
+#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10
+
 /**
  * enum station_parameters_apply_mask - station parameter values to apply
  * @STATION_PARAM_APPLY_UAPSD: apply new uAPSD parameters (uapsd_queues, max_sp)
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -456,8 +456,6 @@ void cfg80211_leave(struct cfg80211_regi
 void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,
 			      struct wireless_dev *wdev);
 
-#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10
-
 #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS
 #define CFG80211_DEV_WARN_ON(cond)	WARN_ON(cond)
 #else

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 107/254] MIPS: Factor out NT_PRFPREG regset access helpers
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 012/254] Input: elantech - add new icbody type 15 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 172/254] xfrm: Use __skb_queue_tail in xfrm_trans_queue Ben Hutchings
                   ` (75 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Martin, Paul Burton, Alex Smith, Ralf Baechle,
	Maciej W. Rozycki, James Hogan, linux-mips

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@mips.com>

commit a03fe72572c12e98f4173f8a535f32468e48b6ec upstream.

In preparation to fix a commit 72b22bbad1e7 ("MIPS: Don't assume 64-bit
FP registers for FP regset") FCSR access regression factor out
NT_PRFPREG regset access helpers for the non-MSA and the MSA variants
respectively, to avoid having to deal with excessive indentation in the
actual fix.

No functional change, however use `target->thread.fpu.fpr[0]' rather
than `target->thread.fpu.fpr[i]' for FGR holding type size determination
as there's no `i' variable to refer to anymore, and for the factored out
`i' variable declaration use `unsigned int' rather than `unsigned' as
its type, following the common style.

Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
Cc: James Hogan <james.hogan@mips.com>
Cc: Paul Burton <Paul.Burton@mips.com>
Cc: Alex Smith <alex@alex-smith.me.uk>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17925/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 108 +++++++++++++++++++++++++++++++++++-----------
 1 file changed, 83 insertions(+), 25 deletions(-)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -438,25 +438,36 @@ static int gpr64_set(struct task_struct
 
 #endif /* CONFIG_64BIT */
 
-static int fpr_get(struct task_struct *target,
-		   const struct user_regset *regset,
-		   unsigned int pos, unsigned int count,
-		   void *kbuf, void __user *ubuf)
+/*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
+ * !CONFIG_CPU_HAS_MSA variant.  FP context's general register slots
+ * correspond 1:1 to buffer slots.
+ */
+static int fpr_get_fpa(struct task_struct *target,
+		       unsigned int *pos, unsigned int *count,
+		       void **kbuf, void __user **ubuf)
 {
-	unsigned i;
-	int err;
-	u64 fpr_val;
-
-	/* XXX fcr31  */
+	return user_regset_copyout(pos, count, kbuf, ubuf,
+				   &target->thread.fpu,
+				   0, sizeof(elf_fpregset_t));
+}
 
-	if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
-		return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
-					   &target->thread.fpu,
-					   0, sizeof(elf_fpregset_t));
+/*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
+ * CONFIG_CPU_HAS_MSA variant.  Only lower 64 bits of FP context's
+ * general register slots are copied to buffer slots.
+ */
+static int fpr_get_msa(struct task_struct *target,
+		       unsigned int *pos, unsigned int *count,
+		       void **kbuf, void __user **ubuf)
+{
+	unsigned int i;
+	u64 fpr_val;
+	int err;
 
 	for (i = 0; i < NUM_FPU_REGS; i++) {
 		fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
-		err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+		err = user_regset_copyout(pos, count, kbuf, ubuf,
 					  &fpr_val, i * sizeof(elf_fpreg_t),
 					  (i + 1) * sizeof(elf_fpreg_t));
 		if (err)
@@ -466,27 +477,54 @@ static int fpr_get(struct task_struct *t
 	return 0;
 }
 
-static int fpr_set(struct task_struct *target,
+/* Copy the floating-point context to the supplied NT_PRFPREG buffer.  */
+static int fpr_get(struct task_struct *target,
 		   const struct user_regset *regset,
 		   unsigned int pos, unsigned int count,
-		   const void *kbuf, const void __user *ubuf)
+		   void *kbuf, void __user *ubuf)
 {
-	unsigned i;
 	int err;
-	u64 fpr_val;
 
 	/* XXX fcr31  */
 
-	init_fp_ctx(target);
+	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
+		err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
+	else
+		err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
+
+	return err;
+}
 
-	if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
-		return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-					  &target->thread.fpu,
-					  0, sizeof(elf_fpregset_t));
+/*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
+ * !CONFIG_CPU_HAS_MSA variant.   Buffer slots correspond 1:1 to FP
+ * context's general register slots.
+ */
+static int fpr_set_fpa(struct task_struct *target,
+		       unsigned int *pos, unsigned int *count,
+		       const void **kbuf, const void __user **ubuf)
+{
+	return user_regset_copyin(pos, count, kbuf, ubuf,
+				  &target->thread.fpu,
+				  0, sizeof(elf_fpregset_t));
+}
+
+/*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
+ * CONFIG_CPU_HAS_MSA variant.  Buffer slots are copied to lower 64
+ * bits only of FP context's general register slots.
+ */
+static int fpr_set_msa(struct task_struct *target,
+		       unsigned int *pos, unsigned int *count,
+		       const void **kbuf, const void __user **ubuf)
+{
+	unsigned int i;
+	u64 fpr_val;
+	int err;
 
 	BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
-	for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
-		err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+	for (i = 0; i < NUM_FPU_REGS && *count >= sizeof(elf_fpreg_t); i++) {
+		err = user_regset_copyin(pos, count, kbuf, ubuf,
 					 &fpr_val, i * sizeof(elf_fpreg_t),
 					 (i + 1) * sizeof(elf_fpreg_t));
 		if (err)
@@ -497,6 +535,26 @@ static int fpr_set(struct task_struct *t
 	return 0;
 }
 
+/* Copy the supplied NT_PRFPREG buffer to the floating-point context.  */
+static int fpr_set(struct task_struct *target,
+		   const struct user_regset *regset,
+		   unsigned int pos, unsigned int count,
+		   const void *kbuf, const void __user *ubuf)
+{
+	int err;
+
+	/* XXX fcr31  */
+
+	init_fp_ctx(target);
+
+	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
+		err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
+	else
+		err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
+
+	return err;
+}
+
 enum mips_regset {
 	REGSET_GPR,
 	REGSET_FPR,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 161/254] USB: serial: cp210x: add new device ID ELV ALC 8xxx
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 218/254] net: fs_enet: do not call phy_stop() in interrupts Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context Ben Hutchings
                   ` (127 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Christian Holl

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Holl <cyborgx1@gmail.com>

commit d14ac576d10f865970bb1324d337e5e24d79aaf4 upstream.

This adds the ELV ALC 8xxx Battery Charging device
to the list of USB IDs of drivers/usb/serial/cp210x.c

Signed-off-by: Christian Holl <cyborgx1@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -171,6 +171,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
 	{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
 	{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
+	{ USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
 	{ USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
 	{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
 	{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 046/254] xhci: Don't show incorrect WARN message about events for empty rings
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 138/254] iw_cxgb4: Only validate the MSN for successful completions Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 183/254] mdio-sun4i: Fix a memory leak Ben Hutchings
                   ` (252 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mathias Nyman, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit e4ec40ec4b260efcca15089de4285a0a3411259b upstream.

xHC can generate two events for a short transfer if the short TRB and
last TRB in the TD are not the same TRB.

The driver will handle the TD after the first short event, and remove
it from its internal list. Driver then incorrectly prints a warning
for the second event:

"WARN Event TRB for slot x ep y with no TDs queued"

Fix this by not printing a warning if we get a event on a empty list
if the previous event was a short event.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2442,12 +2442,16 @@ static int handle_tx_event(struct xhci_h
 		 */
 		if (list_empty(&ep_ring->td_list)) {
 			/*
-			 * A stopped endpoint may generate an extra completion
-			 * event if the device was suspended.  Don't print
-			 * warnings.
+			 * Don't print wanings if it's due to a stopped endpoint
+			 * generating an extra completion event if the device
+			 * was suspended. Or, a event for the last TRB of a
+			 * short TD we already got a short event for.
+			 * The short TD is already removed from the TD list.
 			 */
+
 			if (!(trb_comp_code == COMP_STOP ||
-						trb_comp_code == COMP_STOP_INVAL)) {
+			      trb_comp_code == COMP_STOP_INVAL ||
+			      ep_ring->last_td_was_short)) {
 				xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
 						TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
 						ep_index);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 015/254] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (156 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 040/254] media: dvb: i2c transfers over usb cannot be done from stack Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 155/254] ALSA: pcm: Remove incorrect snd_BUG_ON() usages Ben Hutchings
                   ` (96 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Maciej S. Szmigiero, Nicolin Chen, Mark Brown

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>

commit 695b78b548d8a26288f041e907ff17758df9e1d5 upstream.

AC'97 ops (register read / write) need SSI regmap and clock, so they have
to be set after them.

We also need to set these ops back to NULL if we fail the probe.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/fsl_ssi.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/sound/soc/fsl/fsl_ssi.c
+++ b/sound/soc/fsl/fsl_ssi.c
@@ -1273,12 +1273,6 @@ static int fsl_ssi_probe(struct platform
 				sizeof(fsl_ssi_ac97_dai));
 
 		fsl_ac97_data = ssi_private;
-
-		ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev);
-		if (ret) {
-			dev_err(&pdev->dev, "could not set AC'97 ops\n");
-			return ret;
-		}
 	} else {
 		/* Initialize this copy of the CPU DAI driver structure */
 		memcpy(&ssi_private->cpu_dai_drv, &fsl_ssi_dai_template,
@@ -1336,6 +1330,14 @@ static int fsl_ssi_probe(struct platform
 			goto error_irqmap;
 	}
 
+	if (fsl_ssi_is_ac97(ssi_private)) {
+		ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev);
+		if (ret) {
+			dev_err(&pdev->dev, "could not set AC'97 ops\n");
+			goto error_ac97_ops;
+		}
+	}
+
 	ret = snd_soc_register_component(&pdev->dev, &fsl_ssi_component,
 					 &ssi_private->cpu_dai_drv, 1);
 	if (ret) {
@@ -1400,6 +1402,10 @@ error_irq:
 	snd_soc_unregister_component(&pdev->dev);
 
 error_asoc_register:
+	if (fsl_ssi_is_ac97(ssi_private))
+		snd_soc_set_ac97_ops(NULL);
+
+error_ac97_ops:
 	if (ssi_private->soc->imx)
 		fsl_ssi_imx_clean(pdev, ssi_private);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 125/254] xfrm: Reinject transport-mode packets through tasklet
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 242/254] media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 014/254] ASoC: fsl_ssi: add AC'97 ops setting check and cleanup Ben Hutchings
                   ` (19 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Steffen Klassert

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit acf568ee859f098279eadf551612f103afdacb4e upstream.

This is an old bugbear of mine:

https://www.mail-archive.com/netdev@vger.kernel.org/msg03894.html

By crafting special packets, it is possible to cause recursion
in our kernel when processing transport-mode packets at levels
that are only limited by packet size.

The easiest one is with DNAT, but an even worse one is where
UDP encapsulation is used in which case you just have to insert
an UDP encapsulation header in between each level of recursion.

This patch avoids this problem by reinjecting tranport-mode packets
through a tasklet.

Fixes: b05e106698d9 ("[IPV4/6]: Netfilter IPsec input hooks")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[bwh: Backported to 3.16:
 - netfilter finish callbacks only receive an sk_buff pointer
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1496,6 +1496,7 @@ int xfrm_init_state(struct xfrm_state *x
 int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb);
 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
 int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
+int xfrm_trans_queue(struct sk_buff *skb, int (*finish)(struct sk_buff *));
 int xfrm_output_resume(struct sk_buff *skb, int err);
 int xfrm_output(struct sk_buff *skb);
 int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -22,6 +22,11 @@ int xfrm4_extract_input(struct xfrm_stat
 	return xfrm4_extract_header(skb);
 }
 
+static int xfrm4_rcv_encap_finish2(struct sk_buff *skb)
+{
+	return dst_input(skb);
+}
+
 static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
 {
 	if (skb_dst(skb) == NULL) {
@@ -31,7 +36,11 @@ static inline int xfrm4_rcv_encap_finish
 					 iph->tos, skb->dev))
 			goto drop;
 	}
-	return dst_input(skb);
+
+	if (xfrm_trans_queue(skb, xfrm4_rcv_encap_finish2))
+		goto drop;
+
+	return 0;
 drop:
 	kfree_skb(skb);
 	return NET_RX_DROP;
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -29,6 +29,13 @@ int xfrm6_rcv_spi(struct sk_buff *skb, i
 }
 EXPORT_SYMBOL(xfrm6_rcv_spi);
 
+static int xfrm6_transport_finish2(struct sk_buff *skb)
+{
+	if (xfrm_trans_queue(skb, ip6_rcv_finish))
+		__kfree_skb(skb);
+	return -1;
+}
+
 int xfrm6_transport_finish(struct sk_buff *skb, int async)
 {
 	skb_network_header(skb)[IP6CB(skb)->nhoff] =
@@ -43,7 +50,7 @@ int xfrm6_transport_finish(struct sk_buf
 	__skb_push(skb, skb->data - skb_network_header(skb));
 
 	NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
-		ip6_rcv_finish);
+		xfrm6_transport_finish2);
 	return -1;
 }
 
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -7,18 +7,34 @@
  *
  */
 
+#include <linux/bottom_half.h>
+#include <linux/interrupt.h>
 #include <linux/slab.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
+#include <linux/percpu.h>
 #include <net/dst.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
 
+struct xfrm_trans_tasklet {
+	struct tasklet_struct tasklet;
+	struct sk_buff_head queue;
+};
+
+struct xfrm_trans_cb {
+	int (*finish)(struct sk_buff *skb);
+};
+
+#define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0]))
+
 static struct kmem_cache *secpath_cachep __read_mostly;
 
 static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
 static struct xfrm_input_afinfo __rcu *xfrm_input_afinfo[NPROTO];
 
+static DEFINE_PER_CPU(struct xfrm_trans_tasklet, xfrm_trans_tasklet);
+
 int xfrm_input_register_afinfo(struct xfrm_input_afinfo *afinfo)
 {
 	int err = 0;
@@ -375,10 +391,50 @@ int xfrm_input_resume(struct sk_buff *sk
 }
 EXPORT_SYMBOL(xfrm_input_resume);
 
+static void xfrm_trans_reinject(unsigned long data)
+{
+	struct xfrm_trans_tasklet *trans = (void *)data;
+	struct sk_buff_head queue;
+	struct sk_buff *skb;
+
+	__skb_queue_head_init(&queue);
+	skb_queue_splice_init(&trans->queue, &queue);
+
+	while ((skb = __skb_dequeue(&queue)))
+		XFRM_TRANS_SKB_CB(skb)->finish(skb);
+}
+
+int xfrm_trans_queue(struct sk_buff *skb, int (*finish)(struct sk_buff *))
+{
+	struct xfrm_trans_tasklet *trans;
+
+	trans = this_cpu_ptr(&xfrm_trans_tasklet);
+
+	if (skb_queue_len(&trans->queue) >= netdev_max_backlog)
+		return -ENOBUFS;
+
+	XFRM_TRANS_SKB_CB(skb)->finish = finish;
+	skb_queue_tail(&trans->queue, skb);
+	tasklet_schedule(&trans->tasklet);
+	return 0;
+}
+EXPORT_SYMBOL(xfrm_trans_queue);
+
 void __init xfrm_input_init(void)
 {
+	int i;
+
 	secpath_cachep = kmem_cache_create("secpath_cache",
 					   sizeof(struct sec_path),
 					   0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
 					   NULL);
+
+	for_each_possible_cpu(i) {
+		struct xfrm_trans_tasklet *trans;
+
+		trans = &per_cpu(xfrm_trans_tasklet, i);
+		__skb_queue_head_init(&trans->queue);
+		tasklet_init(&trans->tasklet, xfrm_trans_reinject,
+			     (unsigned long)trans);
+	}
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 192/254] USB: Gadget core: fix inconsistency in the interface tousb_add_gadget_udc_release()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 215/254] dm btree: fix serious bug in btree_split_beneath() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 086/254] ipv4: Use standard iovec primitive in raw_probe_proto_opt Ben Hutchings
                   ` (219 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Alexey Khoroshilov, Felipe Balbi

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit afd7fd81f22bf90474216515dbd6088f9bd70343 upstream.

The usb_add_gadget_udc_release() routine in the USB gadget core will
sometimes but not always call the gadget's release function when an
error occurs.  More specifically, if the struct usb_udc allocation
fails then the release function is not called, and for other errors it
is.

As a result, users of this routine cannot know whether they need to
deallocate the memory containing the gadget structure following an
error.  This leads to unavoidable memory leaks or double frees.

This patch fixes the problem by splitting the existing
device_register() call into device_initialize() and device_add(), and
doing the udc allocation in between.  That way, even if the allocation
fails it is still possible to call device_del(), and so the release
function will be always called following an error.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/udc-core.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/usb/gadget/udc-core.c
+++ b/drivers/usb/gadget/udc-core.c
@@ -192,6 +192,7 @@ static void usb_udc_nop_release(struct d
  * @release: a gadget release function.
  *
  * Returns zero on success, negative errno otherwise.
+ * Calls the gadget release function in the latter case.
  */
 int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
 		void (*release)(struct device *dev))
@@ -199,10 +200,6 @@ int usb_add_gadget_udc_release(struct de
 	struct usb_udc		*udc;
 	int			ret = -ENOMEM;
 
-	udc = kzalloc(sizeof(*udc), GFP_KERNEL);
-	if (!udc)
-		goto err1;
-
 	dev_set_name(&gadget->dev, "gadget");
 	INIT_WORK(&gadget->work, usb_gadget_state_work);
 	gadget->dev.parent = parent;
@@ -218,7 +215,13 @@ int usb_add_gadget_udc_release(struct de
 	else
 		gadget->dev.release = usb_udc_nop_release;
 
-	ret = device_register(&gadget->dev);
+	device_initialize(&gadget->dev);
+
+	udc = kzalloc(sizeof(*udc), GFP_KERNEL);
+	if (!udc)
+		goto err1;
+
+	ret = device_add(&gadget->dev);
 	if (ret)
 		goto err2;
 
@@ -255,10 +258,10 @@ err3:
 	device_del(&gadget->dev);
 
 err2:
-	put_device(&gadget->dev);
 	kfree(udc);
 
 err1:
+	put_device(&gadget->dev);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(usb_add_gadget_udc_release);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 242/254] media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (232 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 226/254] Input: trackpoint - force 3 buttons if 0 button is reported Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 125/254] xfrm: Reinject transport-mode packets through tasklet Ben Hutchings
                   ` (20 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 3ee6d040719ae09110e5cdf24d5386abe5d1b776 upstream.

The result of the VIDIOC_PREPARE_BUF ioctl was never copied back
to userspace since it was missing in the switch.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -992,6 +992,7 @@ static long do_video_ioctl(struct file *
 		err = put_v4l2_create32(&karg.v2crt, up);
 		break;
 
+	case VIDIOC_PREPARE_BUF:
 	case VIDIOC_QUERYBUF:
 	case VIDIOC_QBUF:
 	case VIDIOC_DQBUF:

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 148/254] include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 020/254] usb: gadget: don't dereference g until after it has been null checked Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 133/254] net/mlx5: Fix misspelling in the error message and comment Ben Hutchings
                   ` (120 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denys Vlasenko, Kees Cook, Frederic Weisbecker,
	Will Drewry, H. Peter Anvin, Borislav Petkov, Linus Torvalds,
	Alexei Starovoitov, Andy Lutomirski, Ingo Molnar, Oleg Nesterov,
	Steven Rostedt

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Denys Vlasenko <dvlasenk@redhat.com>

commit 3876488444e71238e287459c39d7692b6f718c3e upstream.

Suggested by Andy.

Suggested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Will Drewry <wad@chromium.org>
Link: http://lkml.kernel.org/r/1425912738-559-1-git-send-email-dvlasenk@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/stddef.h |  9 +++++++++
 include/linux/vfio.h   | 13 -------------
 2 files changed, 9 insertions(+), 13 deletions(-)

--- a/include/linux/stddef.h
+++ b/include/linux/stddef.h
@@ -19,3 +19,12 @@ enum {
 #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
 #endif
 #endif
+
+/**
+ * offsetofend(TYPE, MEMBER)
+ *
+ * @TYPE: The type of the structure
+ * @MEMBER: The member within the structure to get the end offset of
+ */
+#define offsetofend(TYPE, MEMBER) \
+	(offsetof(TYPE, MEMBER)	+ sizeof(((TYPE *)0)->MEMBER))
--- a/include/linux/vfio.h
+++ b/include/linux/vfio.h
@@ -76,19 +76,6 @@ extern int vfio_register_iommu_driver(co
 extern void vfio_unregister_iommu_driver(
 				const struct vfio_iommu_driver_ops *ops);
 
-/**
- * offsetofend(TYPE, MEMBER)
- *
- * @TYPE: The type of the structure
- * @MEMBER: The member within the structure to get the end offset of
- *
- * Simple helper macro for dealing with variable sized structures passed
- * from user space.  This allows us to easily determine if the provided
- * structure is sized to include various fields.
- */
-#define offsetofend(TYPE, MEMBER) \
-	(offsetof(TYPE, MEMBER)	+ sizeof(((TYPE *)0)->MEMBER))
-
 /*
  * External user API
  */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 057/254] net_sched: red: Avoid illegal values
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (159 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 142/254] usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 152/254] kbuild: add '-fno-stack-check' to kernel build options Ben Hutchings
                   ` (93 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nogah Frankel, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nogah Frankel <nogahf@mellanox.com>

commit 8afa10cbe281b10371fee5a87ab266e48d71a7f9 upstream.

Check the qmin & qmax values doesn't overflow for the given Wlog value.
Check that qmin <= qmax.

Fixes: a783474591f2 ("[PKT_SCHED]: Generic RED layer")
Signed-off-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/red.h     | 11 +++++++++++
 net/sched/sch_choke.c |  3 +++
 net/sched/sch_gred.c  |  3 +++
 net/sched/sch_red.c   |  2 ++
 net/sched/sch_sfq.c   |  3 +++
 5 files changed, 22 insertions(+)

--- a/include/net/red.h
+++ b/include/net/red.h
@@ -167,6 +167,17 @@ static inline void red_set_vars(struct r
 	v->qcount	= -1;
 }
 
+static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog)
+{
+	if (fls(qth_min) + Wlog > 32)
+		return false;
+	if (fls(qth_max) + Wlog > 32)
+		return false;
+	if (qth_max < qth_min)
+		return false;
+	return true;
+}
+
 static inline void red_set_parms(struct red_parms *p,
 				 u32 qth_min, u32 qth_max, u8 Wlog, u8 Plog,
 				 u8 Scell_log, u8 *stab, u32 max_P)
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -419,6 +419,9 @@ static int choke_change(struct Qdisc *sc
 
 	ctl = nla_data(tb[TCA_CHOKE_PARMS]);
 
+	if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+		return -EINVAL;
+
 	if (ctl->limit > CHOKE_MAX_QUEUE)
 		return -EINVAL;
 
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -388,6 +388,9 @@ static inline int gred_change_vq(struct
 	struct gred_sched *table = qdisc_priv(sch);
 	struct gred_sched_data *q = table->tab[dp];
 
+	if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+		return -EINVAL;
+
 	if (!q) {
 		table->tab[dp] = q = *prealloc;
 		*prealloc = NULL;
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -199,6 +199,8 @@ static int red_change(struct Qdisc *sch,
 	max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0;
 
 	ctl = nla_data(tb[TCA_RED_PARMS]);
+	if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+		return -EINVAL;
 
 	if (ctl->limit > 0) {
 		child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit);
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -658,6 +658,9 @@ static int sfq_change(struct Qdisc *sch,
 	if (ctl->divisor &&
 	    (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
 		return -EINVAL;
+	if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+					ctl_v1->Wlog))
+		return -EINVAL;
 	if (ctl_v1 && ctl_v1->qth_min) {
 		p = kmalloc(sizeof(*p), GFP_KERNEL);
 		if (!p)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 233/254] mac80211_hwsim: fix compiler warning on MIPS
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (180 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 031/254] net/packet: fix a race in packet_bind() and packet_notifier() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 160/254] mmc: s3mci: mark debug_regs[] as static Ben Hutchings
                   ` (72 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, John W. Linville, Andrew Bresticker

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Bresticker <abrestic@chromium.org>

commit 5d26b50813ea6206a7bbab2e645e68044f101ac5 upstream.

The dividend in do_div() is expected to be an unsigned 64-bit integer,
which leads to the following warning when building for 32-bit MIPS:

  drivers/net/wireless/mac80211_hwsim.c: In function 'mac80211_hwsim_set_tsf':
  drivers/net/wireless/mac80211_hwsim.c:664:98: warning: comparison of distinct pointer types lacks a cast [enabled by default]
    data->bcn_delta = do_div(delta, bcn_int);

Since we care about the signedness of delta when adjusting tsf_offset
and bcm_delta, use the absolute value for the division and compare
the two timestamps to determine the sign.

Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mac80211_hwsim.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -685,11 +685,16 @@ static void mac80211_hwsim_set_tsf(struc
 	struct mac80211_hwsim_data *data = hw->priv;
 	u64 now = mac80211_hwsim_get_tsf(hw, vif);
 	u32 bcn_int = data->beacon_int;
-	s64 delta = tsf - now;
+	u64 delta = abs64(tsf - now);
 
-	data->tsf_offset += delta;
 	/* adjust after beaconing with new timestamp at old TBTT */
-	data->bcn_delta = do_div(delta, bcn_int);
+	if (tsf > now) {
+		data->tsf_offset += delta;
+		data->bcn_delta = do_div(delta, bcn_int);
+	} else {
+		data->tsf_offset -= delta;
+		data->bcn_delta = -do_div(delta, bcn_int);
+	}
 }
 
 static void mac80211_hwsim_monitor_rx(struct ieee80211_hw *hw,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 132/254] usb: Add device quirk for Logitech HD Pro Webcam C925e
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 189/254] Input: 88pm860x-ts - fix child-node lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 013/254] USB: serial: option: add Quectel BG96 id Ben Hutchings
                   ` (109 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Fleytman Dmitry Fleytman, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Fleytman Dmitry Fleytman <dmitry.fleytman@gmail.com>

commit 7f038d256c723dd390d2fca942919573995f4cfd upstream.

Commit e0429362ab15
("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
introduced quirk to workaround an issue with some Logitech webcams.

There is one more model that has the same issue - C925e, so applying
the same quirk as well.

See aforementioned commit message for detailed explanation of the problem.

Signed-off-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -57,10 +57,11 @@ static const struct usb_device_id usb_qu
 	/* Microsoft LifeCam-VX700 v2.0 */
 	{ USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
 
-	/* Logitech HD Pro Webcams C920, C920-C and C930e */
+	/* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */
 	{ USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
 	{ USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT },
 	{ USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT },
+	{ USB_DEVICE(0x046d, 0x085b), .driver_info = USB_QUIRK_DELAY_INIT },
 
 	/* Logitech ConferenceCam CC3000e */
 	{ USB_DEVICE(0x046d, 0x0847), .driver_info = USB_QUIRK_DELAY_INIT },

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 073/254] lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (153 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 033/254] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 115/254] nfsd: auth: Fix gid sorting when rootsquash enabled Ben Hutchings
                   ` (99 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, David Howells, Rusty Russell, Lee, Chun-Yi,
	Pawel Wieczorkiewicz, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit afdb05e9d61905220f09268535235288e6ba3a16 upstream.

The sprint_oid() utility function doesn't properly check the buffer size
that it causes that the warning in vsnprintf() be triggered.  For
example on v4.1 kernel:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 2357 at lib/vsprintf.c:1867 vsnprintf+0x5a7/0x5c0()
  ...

We can trigger this issue by injecting maliciously crafted x509 cert in
DER format.  Just using hex editor to change the length of OID to over
the length of the SEQUENCE container.  For example:

    0:d=0  hl=4 l= 980 cons: SEQUENCE
    4:d=1  hl=4 l= 700 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   9 prim:   INTEGER           :9B47FAF791E7D1E3
   24:d=2  hl=2 l=  13 cons:   SEQUENCE
   26:d=3  hl=2 l=   9 prim:    OBJECT            :sha256WithRSAEncryption
   37:d=3  hl=2 l=   0 prim:    NULL
   39:d=2  hl=2 l= 121 cons:   SEQUENCE
   41:d=3  hl=2 l=  22 cons:    SET
   43:d=4  hl=2 l=  20 cons:     SEQUENCE      <=== the SEQ length is 20
   45:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
	<=== the original length is 3, change the length of OID to over the length of SEQUENCE

Pawel Wieczorkiewicz reported this problem and Takashi Iwai provided
patch to fix it by checking the bufsize in sprint_oid().

Link: http://lkml.kernel.org/r/20170903021646.2080-1-jlee@suse.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Reported-by: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Pawel Wieczorkiewicz <pwieczorkiewicz@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/oid_registry.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -142,9 +142,9 @@ int sprint_oid(const void *data, size_t
 		}
 		ret += count = snprintf(buffer, bufsize, ".%lu", num);
 		buffer += count;
-		bufsize -= count;
-		if (bufsize == 0)
+		if (bufsize <= count)
 			return -ENOBUFS;
+		bufsize -= count;
 	}
 
 	return ret;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 001/254] ALSA: seq: Fix regression by incorrect ioctl_mutex usages
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (194 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 230/254] hrtimer: Reset hrtimer cpu base proper on CPU hotplug Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 157/254] e1000e: Separate signaling for link check/link up Ben Hutchings
                   ` (58 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

This is the revised backport of the upstream commit
b3defb791b26ea0683a93a4f49c77ec45ec96f10

We had another backport (e.g. 623e5c8ae32b in 4.4.115), but it applies
the new mutex also to the code paths that are invoked via faked
kernel-to-kernel ioctls.  As reported recently, this leads to a
deadlock at suspend (or other scenarios triggering the kernel
sequencer client).

This patch addresses the issue by taking the mutex only in the code
paths invoked by user-space, just like the original fix patch does.

Reported-and-tested-by: Andres Bertens <abertensu@yahoo.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_clientmgr.c |   15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -2201,7 +2201,6 @@ static int snd_seq_do_ioctl(struct snd_s
 			    void __user *arg)
 {
 	struct seq_ioctl_table *p;
-	int ret;
 
 	switch (cmd) {
 	case SNDRV_SEQ_IOCTL_PVERSION:
@@ -2215,12 +2214,8 @@ static int snd_seq_do_ioctl(struct snd_s
 	if (! arg)
 		return -EFAULT;
 	for (p = ioctl_tables; p->cmd; p++) {
-		if (p->cmd == cmd) {
-			mutex_lock(&client->ioctl_mutex);
-			ret = p->func(client, arg);
-			mutex_unlock(&client->ioctl_mutex);
-			return ret;
-		}
+		if (p->cmd == cmd)
+			return p->func(client, arg);
 	}
 	pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
 		   cmd, _IOC_TYPE(cmd), _IOC_NR(cmd));
@@ -2231,11 +2226,15 @@ static int snd_seq_do_ioctl(struct snd_s
 static long snd_seq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 {
 	struct snd_seq_client *client = file->private_data;
+	long ret;
 
 	if (snd_BUG_ON(!client))
 		return -ENXIO;
 		
-	return snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+	mutex_lock(&client->ioctl_mutex);
+	ret = snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+	mutex_unlock(&client->ioctl_mutex);
+	return ret;
 }
 
 #ifdef CONFIG_COMPAT

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 215/254] dm btree: fix serious bug in btree_split_beneath()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 185/254] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 192/254] USB: Gadget core: fix inconsistency in the interface tousb_add_gadget_udc_release() Ben Hutchings
                   ` (220 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Monty Pavel, Joe Thornber, Mike Snitzer

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Thornber <thornber@redhat.com>

commit bc68d0a43560e950850fc69b58f0f8254b28f6d6 upstream.

When inserting a new key/value pair into a btree we walk down the spine of
btree nodes performing the following 2 operations:

  i) space for a new entry
  ii) adjusting the first key entry if the new key is lower than any in the node.

If the _root_ node is full, the function btree_split_beneath() allocates 2 new
nodes, and redistibutes the root nodes entries between them.  The root node is
left with 2 entries corresponding to the 2 new nodes.

btree_split_beneath() then adjusts the spine to point to one of the two new
children.  This means the first key is never adjusted if the new key was lower,
ie. operation (ii) gets missed out.  This can result in the new key being
'lost' for a period; until another low valued key is inserted that will uncover
it.

This is a serious bug, and quite hard to make trigger in normal use.  A
reproducing test case ("thin create devices-in-reverse-order") is
available as part of the thin-provision-tools project:
  https://github.com/jthornber/thin-provisioning-tools/blob/master/functional-tests/device-mapper/dm-tests.scm#L593

Fix the issue by changing btree_split_beneath() so it no longer adjusts
the spine.  Instead it unlocks both the new nodes, and lets the main
loop in btree_insert_raw() relock the appropriate one and make any
neccessary adjustments.

Reported-by: Monty Pavel <monty_pavel@sina.com>
Signed-off-by: Joe Thornber <thornber@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/persistent-data/dm-btree.c | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

--- a/drivers/md/persistent-data/dm-btree.c
+++ b/drivers/md/persistent-data/dm-btree.c
@@ -588,23 +588,8 @@ static int btree_split_beneath(struct sh
 	pn->keys[1] = rn->keys[0];
 	memcpy_disk(value_ptr(pn, 1), &val, sizeof(__le64));
 
-	/*
-	 * rejig the spine.  This is ugly, since it knows too
-	 * much about the spine
-	 */
-	if (s->nodes[0] != new_parent) {
-		unlock_block(s->info, s->nodes[0]);
-		s->nodes[0] = new_parent;
-	}
-	if (key < le64_to_cpu(rn->keys[0])) {
-		unlock_block(s->info, right);
-		s->nodes[1] = left;
-	} else {
-		unlock_block(s->info, left);
-		s->nodes[1] = right;
-	}
-	s->count = 2;
-
+	unlock_block(s->info, left);
+	unlock_block(s->info, right);
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 056/254] net_sched: red: Avoid devision by zero
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (224 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 216/254] i2c: core: decrease reference count of device node in i2c_unregister_device Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 208/254] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Ben Hutchings
                   ` (28 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nogah Frankel, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nogah Frankel <nogahf@mellanox.com>

commit 5c472203421ab4f928aa1ae9e1dbcfdd80324148 upstream.

Do not allow delta value to be zero since it is used as a divisor.

Fixes: 8af2a218de38 ("sch_red: Adaptative RED AQM")
Signed-off-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/red.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/red.h
+++ b/include/net/red.h
@@ -178,7 +178,7 @@ static inline void red_set_parms(struct
 	p->qth_max	= qth_max << Wlog;
 	p->Wlog		= Wlog;
 	p->Plog		= Plog;
-	if (delta < 0)
+	if (delta <= 0)
 		delta = 1;
 	p->qth_delta	= delta;
 	if (!max_P) {

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 176/254] ALSA: aloop: Fix inconsistent format due to incomplete rule
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 121/254] ACPI: APEI / ERST: Fix missing error handling in erst_reader() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 180/254] xfrm: Return error on unknown encap_type in init_state Ben Hutchings
                   ` (151 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot+3902b5220e8ca27889ca, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b088b53e20c7d09b5ab84c5688e609f478e5c417 upstream.

The extra hw constraint rule for the formats the aloop driver
introduced has a slight flaw, where it doesn't return a positive value
when the mask got changed.  It came from the fact that it's basically
a copy&paste from snd_hw_constraint_mask64().  The original code is
supposed to be a single-shot and it modifies the mask bits only once
and never after, while what we need for aloop is the dynamic hw rule
that limits the mask bits.

This difference results in the inconsistent state, as the hw_refine
doesn't apply the dependencies fully.  The worse and surprisingly
result is that it causes a crash in OSS emulation when multiple
full-duplex reads/writes are performed concurrently (I leave why it
triggers Oops to readers as a homework).

For fixing this, replace a few open-codes with the standard
snd_mask_*() macros.

Reported-by: syzbot+3902b5220e8ca27889ca@syzkaller.appspotmail.com
Fixes: b1c73fc8e697 ("ALSA: snd-aloop: Fix hw_params restrictions and checking")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/drivers/aloop.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -39,6 +39,7 @@
 #include <sound/core.h>
 #include <sound/control.h>
 #include <sound/pcm.h>
+#include <sound/pcm_params.h>
 #include <sound/info.h>
 #include <sound/initval.h>
 
@@ -623,14 +624,12 @@ static int rule_format(struct snd_pcm_hw
 {
 
 	struct snd_pcm_hardware *hw = rule->private;
-	struct snd_mask *maskp = hw_param_mask(params, rule->var);
+	struct snd_mask m;
 
-	maskp->bits[0] &= (u_int32_t)hw->formats;
-	maskp->bits[1] &= (u_int32_t)(hw->formats >> 32);
-	memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */
-	if (! maskp->bits[0] && ! maskp->bits[1])
-		return -EINVAL;
-	return 0;
+	snd_mask_none(&m);
+	m.bits[0] = (u_int32_t)hw->formats;
+	m.bits[1] = (u_int32_t)(hw->formats >> 32);
+	return snd_mask_refine(hw_param_mask(params, rule->var), &m);
 }
 
 static int rule_rate(struct snd_pcm_hw_params *params,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 237/254] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (172 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 066/254] net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 225/254] Input: trackpoint - assume 3 buttons when buttons detection fails Ben Hutchings
                   ` (80 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tiffany Lin, Mauro Carvalho Chehab, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tiffany Lin <tiffany.lin@mediatek.com>

commit baf43c6eace43868e490f18560287fa3481b2159 upstream.

In v4l2-compliance utility, test VIDIOC_CREATE_BUFS will check whether reserved
filed of v4l2_create_buffers filled with zero
Reserved field is filled with zero in v4l_create_bufs.
This patch copy reserved field of v4l2_create_buffer from kernel space to user
space

Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -259,7 +259,8 @@ static int put_v4l2_format32(struct v4l2
 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
-	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)))
+	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
+	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
 		return -EFAULT;
 	return __put_v4l2_format32(&kp->format, &up->format);
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 207/254] cfg80211: check dev_set_name() return value
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 052/254] batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 171/254] crypto: algapi - fix NULL dereference in crypto_remove_spawns() Ben Hutchings
                   ` (181 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot+1ddfb3357e1d7bb5b5d3, Johannes Berg

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 59b179b48ce2a6076448a44531242ac2b3f6cef2 upstream.

syzbot reported a warning from rfkill_alloc(), and after a while
I think that the reason is that it was doing fault injection and
the dev_set_name() failed, leaving the name NULL, and we didn't
check the return value and got to rfkill_alloc() with a NULL name.
Since we really don't want a NULL name, we ought to check the
return value.

Fixes: fb28ad35906a ("net: struct device - replace bus_id with dev_name(), dev_set_name()")
Reported-by: syzbot+1ddfb3357e1d7bb5b5d3@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -315,6 +315,7 @@ struct wiphy *wiphy_new(const struct cfg
 
 	struct cfg80211_registered_device *rdev;
 	int alloc_size;
+	int rv;
 
 	WARN_ON(ops->add_key && (!ops->del_key || !ops->set_default_key));
 	WARN_ON(ops->auth && (!ops->assoc || !ops->deauth || !ops->disassoc));
@@ -346,7 +347,11 @@ struct wiphy *wiphy_new(const struct cfg
 	rdev->wiphy_idx--;
 
 	/* give it a proper name */
-	dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+	rv = dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+	if (rv < 0) {
+		kfree(rdev);
+		return NULL;
+	}
 
 	INIT_LIST_HEAD(&rdev->wdev_list);
 	INIT_LIST_HEAD(&rdev->beacon_registrations);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 200/254] 8021q: fix a memory leak for VLAN 0 device
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 165/254] net: phy: Add phy_interface_is_rgmii helper Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 185/254] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning Ben Hutchings
                   ` (222 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Cong Wang, Vlad Yasevich, Dmitry Vyukov, Ben Hutchings,
	David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

commit 78bbb15f2239bc8e663aa20bbe1987c91a0b75f6 upstream.

A vlan device with vid 0 is allow to creat by not able to be fully
cleaned up by unregister_vlan_dev() which checks for vlan_id!=0.

Also, VLAN 0 is probably not a valid number and it is kinda
"reserved" for HW accelerating devices, but it is probably too
late to reject it from creation even if makes sense. Instead,
just remove the check in unregister_vlan_dev().

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/8021q/vlan.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_devi
 		vlan_gvrp_uninit_applicant(real_dev);
 	}
 
-	/* Take it out of our own structures, but be sure to interlock with
-	 * HW accelerating devices or SW vlan input packet processing if
-	 * VLAN is not 0 (leave it there for 802.1p).
-	 */
-	if (vlan_id)
-		vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
+	vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
 
 	/* Get rid of the vlan's reference to real_dev */
 	dev_put(real_dev);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 241/254] vb2: V4L2_BUF_FLAG_DONE is set after DQBUF
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (138 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 021/254] USB: usbfs: Filter flags passed in from user space Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 156/254] IB/ipoib: Fix race condition in neigh creation Ben Hutchings
                   ` (114 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Hans Verkuil, Ricardo Ribalda,
	Dimitrios Katsaros

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ricardo Ribalda <ricardo.ribalda@gmail.com>

commit 3171cc2b4eb9831ab4df1d80d0410a945b8bc84e upstream.

According to the doc, V4L2_BUF_FLAG_DONE is cleared after DQBUF:

V4L2_BUF_FLAG_DONE 0x00000004  ... After calling the VIDIOC_QBUF or
VIDIOC_DQBUF it is always cleared ...

Unfortunately, it seems that videobuf2 keeps it set after DQBUF. This
can be tested with vivid and dev_debug:

[257604.338082] video1: VIDIOC_DQBUF: 71:33:25.00260479 index=3,
type=vid-cap, flags=0x00002004, field=none, sequence=163,
memory=userptr, bytesused=460800, offset/userptr=0x344b000,
length=460800

This patch forces FLAG_DONE to 0 after calling DQBUF.

Reported-by: Dimitrios Katsaros <patcherwork@gmail.com>
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/videobuf2-core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index e63a7904bf5b..ee8b697972bb 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -2069,6 +2069,11 @@ static int vb2_internal_dqbuf(struct vb2_queue *q, struct v4l2_buffer *b, bool n
 	dprintk(1, "dqbuf of buffer %d, with state %d\n",
 			vb->v4l2_buf.index, vb->state);
 
+	/*
+	 * After calling the VIDIOC_DQBUF V4L2_BUF_FLAG_DONE must be
+	 * cleared.
+	 */
+	b->flags &= ~V4L2_BUF_FLAG_DONE;
 	return 0;
 }
 

^ permalink raw reply related	[flat|nested] 261+ messages in thread

* [PATCH 3.16 209/254] sctp: use the right sk after waking up from wait_buf sleep
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 238/254] media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 188/254] Input: twl6040-vibra - fix child-node lookup Ben Hutchings
                   ` (135 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Xin Long, Neil Horman, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff upstream.

Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
sleeping on it") fixed the race between peeloff and wait sndbuf by
checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().

But it actually doesn't work, as even if waitqueue_active returns false
the waiting sndbuf thread may still not yet hold sk lock. After asoc is
peeled off, sk is not asoc->base.sk any more, then to hold the old sk
lock couldn't make assoc safe to access.

This patch is to fix this by changing to hold the new sk lock if sk is
not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
new sk.

With this fix, there is no more race between peeloff and waitbuf, the
check 'waitqueue_active' in sctp_do_peeloff can be removed.

Thanks Marcelo and Neil for making this clear.

v1->v2:
  fix it by changing to lock the new sock instead of adding a flag in asoc.

Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -82,8 +82,8 @@
 /* Forward declarations for internal helper functions. */
 static int sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
-				size_t msg_len);
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+				size_t msg_len, struct sock **orig_sk);
 static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
 static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
 static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1905,7 +1905,8 @@ static int sctp_sendmsg(struct kiocb *io
 
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 	if (!sctp_wspace(asoc)) {
-		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+		/* sk can be changed by peel off when waiting for buf. */
+		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
 		if (err)
 			goto out_free;
 	}
@@ -4335,12 +4336,6 @@ int sctp_do_peeloff(struct sock *sk, sct
 	if (!asoc)
 		return -EINVAL;
 
-	/* If there is a thread waiting on more sndbuf space for
-	 * sending on this asoc, it cannot be peeled.
-	 */
-	if (waitqueue_active(&asoc->wait))
-		return -EBUSY;
-
 	/* An association cannot be branched off from an already peeled-off
 	 * socket, nor is this supported for tcp style sockets.
 	 */
@@ -6737,7 +6732,7 @@ void sctp_sock_rfree(struct sk_buff *skb
 
 /* Helper function to wait for space in the sndbuf.  */
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-				size_t msg_len)
+				size_t msg_len, struct sock **orig_sk)
 {
 	struct sock *sk = asoc->base.sk;
 	int err = 0;
@@ -6770,11 +6765,17 @@ static int sctp_wait_for_sndbuf(struct s
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
+		if (sk != asoc->base.sk) {
+			release_sock(sk);
+			sk = asoc->base.sk;
+			lock_sock(sk);
+		}
 
 		*timeo_p = current_timeo;
 	}
 
 out:
+	*orig_sk = sk;
 	finish_wait(&asoc->wait, &wait);
 
 	/* Release the association's refcnt.  */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 108/254] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (237 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 069/254] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 084/254] dmaengine: jz4740: disable/unprepare clk if probe fails Ben Hutchings
                   ` (15 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Martin, Paul Burton, Ralf Baechle, Maciej W. Rozycki,
	Alex Smith, James Hogan, linux-mips

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@mips.com>

commit dc24d0edf33c3e15099688b6bbdf7bdc24bf6e91 upstream.

Complement commit d614fd58a283 ("mips/ptrace: Preserve previous
registers for short regset write") and ensure that no partial register
write attempt is made with PTRACE_SETREGSET, as we do not preinitialize
any temporaries used to hold incoming register data and consequently
random data could be written.

It is the responsibility of the caller, such as `ptrace_regset', to
arrange for writes to span whole registers only, so here we only assert
that it has indeed happened.

Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
Cc: James Hogan <james.hogan@mips.com>
Cc: Paul Burton <Paul.Burton@mips.com>
Cc: Alex Smith <alex@alex-smith.me.uk>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17926/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -535,7 +535,15 @@ static int fpr_set_msa(struct task_struc
 	return 0;
 }
 
-/* Copy the supplied NT_PRFPREG buffer to the floating-point context.  */
+/*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context.
+ *
+ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
+ * which is supposed to have been guaranteed by the kernel before
+ * calling us, e.g. in `ptrace_regset'.  We enforce that requirement,
+ * so that we can safely avoid preinitializing temporaries for
+ * partial register writes.
+ */
 static int fpr_set(struct task_struct *target,
 		   const struct user_regset *regset,
 		   unsigned int pos, unsigned int count,
@@ -543,6 +551,8 @@ static int fpr_set(struct task_struct *t
 {
 	int err;
 
+	BUG_ON(count % sizeof(elf_fpreg_t));
+
 	/* XXX fcr31  */
 
 	init_fp_ctx(target);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 119/254] KVM: arm/arm64: Fix HYP unmapping going off limits
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 024/254] usb: hub: Cycle HUB power when initialization fails Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 211/254] sctp: do not allow the v4 socket to bind a v4mapped v6 address Ben Hutchings
                   ` (177 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christoffer Dall, Andre Przywara, Marc Zyngier

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 7839c672e58bf62da8f2f0197fefb442c02ba1dd upstream.

When we unmap the HYP memory, we try to be clever and unmap one
PGD at a time. If we start with a non-PGD aligned address and try
to unmap a whole PGD, things go horribly wrong in unmap_hyp_range
(addr and end can never match, and it all goes really badly as we
keep incrementing pgd and parse random memory as page tables...).

The obvious fix is to let unmap_hyp_range do what it does best,
which is to iterate over a range.

The size of the linear mapping, which begins at PAGE_OFFSET, can be
easily calculated by subtracting PAGE_OFFSET form high_memory, because
high_memory is defined as the linear map address of the last byte of
DRAM, plus one.

The size of the vmalloc region is given trivially by VMALLOC_END -
VMALLOC_START.

Reported-by: Andre Przywara <andre.przywara@arm.com>
Tested-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kvm/mmu.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -345,17 +345,15 @@ void free_boot_hyp_pgd(void)
  */
 void free_hyp_pgds(void)
 {
-	unsigned long addr;
-
 	free_boot_hyp_pgd();
 
 	mutex_lock(&kvm_hyp_pgd_mutex);
 
 	if (hyp_pgd) {
-		for (addr = PAGE_OFFSET; virt_addr_valid(addr); addr += PGDIR_SIZE)
-			unmap_range(NULL, hyp_pgd, KERN_TO_HYP(addr), PGDIR_SIZE);
-		for (addr = VMALLOC_START; is_vmalloc_addr((void*)addr); addr += PGDIR_SIZE)
-			unmap_range(NULL, hyp_pgd, KERN_TO_HYP(addr), PGDIR_SIZE);
+		unmap_range(NULL, hyp_pgd, KERN_TO_HYP(PAGE_OFFSET),
+			    (uintptr_t)high_memory - PAGE_OFFSET);
+		unmap_range(NULL, hyp_pgd, KERN_TO_HYP(VMALLOC_START),
+			    VMALLOC_END - VMALLOC_START);
 
 		free_pages((unsigned long)hyp_pgd, pgd_order);
 		hyp_pgd = NULL;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 099/254] MIPS: math-emu: Define IEEE 754-2008 feature control bits
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 251/254] media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 144/254] ring-buffer: Mask out the info bits when returning buffer page length Ben Hutchings
                   ` (124 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Maciej W. Rozycki, linux-mips, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@linux-mips.org>

commit f1f3b7ebac08161761c352fd070cfa07b7b94c54 upstream.

Define IEEE 754-2008 feature control bits: FIR.HAS2008, FCSR.ABS2008 and
FCSR.NAN2008, and update the `_ieee754_csr' structure accordingly.

For completeness define FIR.UFRP too.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9709/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16: In cop1Emulate(), keep converting the rounding mode]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/include/asm/mipsregs.h
+++ b/arch/mips/include/asm/mipsregs.h
@@ -136,10 +136,13 @@
 #define FPU_CSR_COND7	0x80000000	/* $fcc7 */
 
 /*
- * Bits 18 - 20 of the FPU Status Register will be read as 0,
+ * Bits 22:20 of the FPU Status Register will be read as 0,
  * and should be written as zero.
  */
-#define FPU_CSR_RSVD	0x001c0000
+#define FPU_CSR_RSVD	(_ULCAST_(7) << 20)
+
+#define FPU_CSR_ABS2008	(_ULCAST_(1) << 19)
+#define FPU_CSR_NAN2008	(_ULCAST_(1) << 18)
 
 /*
  * X the exception cause indicator
@@ -687,6 +690,8 @@
 #define MIPS_FPIR_W		(_ULCAST_(1) << 20)
 #define MIPS_FPIR_L		(_ULCAST_(1) << 21)
 #define MIPS_FPIR_F64		(_ULCAST_(1) << 22)
+#define MIPS_FPIR_HAS2008	(_ULCAST_(1) << 23)
+#define MIPS_FPIR_UFRP		(_ULCAST_(1) << 28)
 
 /*
  * Bits in the MIPS32 Memory Segmentation registers.
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -929,10 +929,12 @@ emul:
 					 MIPSInst_RT(ir), value);
 
 				/*
-				 * Don't write reserved bits,
+				 * Don't write unsupported bits,
 				 * and convert to ieee library modes
 				 */
-				ctx->fcr31 = (value & ~(FPU_CSR_RSVD | FPU_CSR_RM)) |
+				ctx->fcr31 = (value &
+					      ~(FPU_CSR_RSVD | FPU_CSR_ABS2008 |
+						FPU_CSR_NAN2008 | FPU_CSR_RM)) |
 					     modeindex(value);
 			}
 			if ((ctx->fcr31 >> 5) & ctx->fcr31 & FPU_CSR_ALL_E) {
--- a/arch/mips/math-emu/ieee754.h
+++ b/arch/mips/math-emu/ieee754.h
@@ -195,15 +195,17 @@ static inline int ieee754dp_ge(union iee
  * The control status register
  */
 struct _ieee754_csr {
-	__BITFIELD_FIELD(unsigned pad0:7,
-	__BITFIELD_FIELD(unsigned nod:1,	/* set 1 for no denormalised numbers */
-	__BITFIELD_FIELD(unsigned c:1,		/* condition */
-	__BITFIELD_FIELD(unsigned pad1:5,
+	__BITFIELD_FIELD(unsigned fcc:7,	/* condition[7:1] */
+	__BITFIELD_FIELD(unsigned nod:1,	/* set 1 for no denormals */
+	__BITFIELD_FIELD(unsigned c:1,		/* condition[0] */
+	__BITFIELD_FIELD(unsigned pad0:3,
+	__BITFIELD_FIELD(unsigned abs2008:1,	/* IEEE 754-2008 ABS/NEG.fmt */
+	__BITFIELD_FIELD(unsigned nan2008:1,	/* IEEE 754-2008 NaN mode */
 	__BITFIELD_FIELD(unsigned cx:6,		/* exceptions this operation */
 	__BITFIELD_FIELD(unsigned mx:5,		/* exception enable  mask */
 	__BITFIELD_FIELD(unsigned sx:5,		/* exceptions total */
 	__BITFIELD_FIELD(unsigned rm:2,		/* current rounding mode */
-	;))))))))
+	;))))))))))
 };
 #define ieee754_csr (*(struct _ieee754_csr *)(&current->thread.fpu.fcr31))
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 170/254] mm/mprotect: add a cond_resched() inside change_pmd_range()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 248/254] media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 077/254] usb: musb: da8xx: fix babble condition handling Ben Hutchings
                   ` (207 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Nicholas Piggin, Anshuman Khandual, Michal Hocko

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anshuman Khandual <khandual@linux.vnet.ibm.com>

commit 4991c09c7c812dba13ea9be79a68b4565bb1fa4e upstream.

While testing on a large CPU system, detected the following RCU stall
many times over the span of the workload.  This problem is solved by
adding a cond_resched() in the change_pmd_range() function.

  INFO: rcu_sched detected stalls on CPUs/tasks:
   154-....: (670 ticks this GP) idle=022/140000000000000/0 softirq=2825/2825 fqs=612
   (detected by 955, t=6002 jiffies, g=4486, c=4485, q=90864)
  Sending NMI from CPU 955 to CPUs 154:
  NMI backtrace for cpu 154
  CPU: 154 PID: 147071 Comm: workload Not tainted 4.15.0-rc3+ #3
  NIP:  c0000000000b3f64 LR: c0000000000b33d4 CTR: 000000000000aa18
  REGS: 00000000a4b0fb44 TRAP: 0501   Not tainted  (4.15.0-rc3+)
  MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 22422082  XER: 00000000
  CFAR: 00000000006cf8f0 SOFTE: 1
  GPR00: 0010000000000000 c00003ef9b1cb8c0 c0000000010cc600 0000000000000000
  GPR04: 8e0000018c32b200 40017b3858fd6e00 8e0000018c32b208 40017b3858fd6e00
  GPR08: 8e0000018c32b210 40017b3858fd6e00 8e0000018c32b218 40017b3858fd6e00
  GPR12: ffffffffffffffff c00000000fb25100
  NIP [c0000000000b3f64] plpar_hcall9+0x44/0x7c
  LR [c0000000000b33d4] pSeries_lpar_flush_hash_range+0x384/0x420
  Call Trace:
    flush_hash_range+0x48/0x100
    __flush_tlb_pending+0x44/0xd0
    hpte_need_flush+0x408/0x470
    change_protection_range+0xaac/0xf10
    change_prot_numa+0x30/0xb0
    task_numa_work+0x2d0/0x3e0
    task_work_run+0x130/0x190
    do_notify_resume+0x118/0x120
    ret_from_except_lite+0x70/0x74
  Instruction dump:
  60000000 f8810028 7ca42b78 7cc53378 7ce63b78 7d074378 7d284b78 7d495378
  e9410060 e9610068 e9810070 44000022 <7d806378> e9810028 f88c0000 f8ac0008

Link: http://lkml.kernel.org/r/20171214140551.5794-1-khandual@linux.vnet.ibm.com
Signed-off-by: Anshuman Khandual <khandual@linux.vnet.ibm.com>
Suggested-by: Nicholas Piggin <npiggin@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/mprotect.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -152,7 +152,7 @@ static inline unsigned long change_pmd_r
 
 		next = pmd_addr_end(addr, end);
 		if (!pmd_trans_huge(*pmd) && pmd_none_or_clear_bad(pmd))
-			continue;
+			goto next;
 
 		/* invoke the mmu notifier if the pmd is populated */
 		if (!mni_start) {
@@ -174,7 +174,7 @@ static inline unsigned long change_pmd_r
 					}
 
 					/* huge pmd was handled */
-					continue;
+					goto next;
 				}
 			}
 			/* fall through, the trans huge pmd just split */
@@ -182,6 +182,8 @@ static inline unsigned long change_pmd_r
 		this_pages = change_pte_range(vma, pmd, addr, next, newprot,
 				 dirty_accountable, prot_numa);
 		pages += this_pages;
+next:
+		cond_resched();
 	} while (pmd++, addr = next, addr != end);
 
 	if (mni_start)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 164/254] usbip: remove kernel addresses from usb device and urb debug msgs
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 162/254] can: gs_usb: fix return value of the "set_bittiming" callback Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 248/254] media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha Ben Hutchings
                   ` (209 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit e1346fd87c71a1f61de1fe476ec8df1425ac931c upstream.

usbip_dump_usb_device() and usbip_dump_urb() print kernel addresses.
Remove kernel addresses from usb device and urb debug msgs and improve
the message content.

Instead of printing parent device and bus addresses, print parent device
and bus names.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/usbip/usbip_common.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

--- a/drivers/staging/usbip/usbip_common.c
+++ b/drivers/staging/usbip/usbip_common.c
@@ -103,7 +103,7 @@ static void usbip_dump_usb_device(struct
 	dev_dbg(dev, "       devnum(%d) devpath(%s) usb speed(%s)",
 		udev->devnum, udev->devpath, usb_speed_string(udev->speed));
 
-	pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
+	pr_debug("tt hub ttport %d\n", udev->ttport);
 
 	dev_dbg(dev, "                    ");
 	for (i = 0; i < 16; i++)
@@ -136,12 +136,8 @@ static void usbip_dump_usb_device(struct
 	}
 	pr_debug("\n");
 
-	dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
-
-	dev_dbg(dev,
-		"descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
-		&udev->descriptor, udev->config,
-		udev->actconfig, udev->rawdescriptors);
+	dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
+		udev->bus->bus_name);
 
 	dev_dbg(dev, "have_langid %d, string_langid %d\n",
 		udev->have_langid, udev->string_langid);
@@ -249,9 +245,6 @@ void usbip_dump_urb(struct urb *urb)
 
 	dev = &urb->dev->dev;
 
-	dev_dbg(dev, "   urb                   :%p\n", urb);
-	dev_dbg(dev, "   dev                   :%p\n", urb->dev);
-
 	usbip_dump_usb_device(urb->dev);
 
 	dev_dbg(dev, "   pipe                  :%08x ", urb->pipe);
@@ -260,11 +253,9 @@ void usbip_dump_urb(struct urb *urb)
 
 	dev_dbg(dev, "   status                :%d\n", urb->status);
 	dev_dbg(dev, "   transfer_flags        :%08X\n", urb->transfer_flags);
-	dev_dbg(dev, "   transfer_buffer       :%p\n", urb->transfer_buffer);
 	dev_dbg(dev, "   transfer_buffer_length:%d\n",
 						urb->transfer_buffer_length);
 	dev_dbg(dev, "   actual_length         :%d\n", urb->actual_length);
-	dev_dbg(dev, "   setup_packet          :%p\n", urb->setup_packet);
 
 	if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
 		usbip_dump_usb_ctrlrequest(
@@ -274,8 +265,6 @@ void usbip_dump_urb(struct urb *urb)
 	dev_dbg(dev, "   number_of_packets     :%d\n", urb->number_of_packets);
 	dev_dbg(dev, "   interval              :%d\n", urb->interval);
 	dev_dbg(dev, "   error_count           :%d\n", urb->error_count);
-	dev_dbg(dev, "   context               :%p\n", urb->context);
-	dev_dbg(dev, "   complete              :%p\n", urb->complete);
 }
 EXPORT_SYMBOL_GPL(usbip_dump_urb);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 138/254] iw_cxgb4: Only validate the MSN for successful completions
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 046/254] xhci: Don't show incorrect WARN message about events for empty rings Ben Hutchings
                   ` (253 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve Wise, Jason Gunthorpe

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Wise <swise@opengridcomputing.com>

commit f55688c45442bc863f40ad678c638785b26cdce6 upstream.

If the RECV CQE is in error, ignore the MSN check.  This was causing
recvs that were flushed into the sw cq to be completed with the wrong
status (BAD_MSN instead of FLUSHED).

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/cxgb4/cq.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/cxgb4/cq.c
+++ b/drivers/infiniband/hw/cxgb4/cq.c
@@ -574,10 +574,10 @@ static int poll_cq(struct t4_wq *wq, str
 			ret = -EAGAIN;
 			goto skip_cqe;
 		}
-		if (unlikely((CQE_WRID_MSN(hw_cqe) != (wq->rq.msn)))) {
+		if (unlikely(!CQE_STATUS(hw_cqe) &&
+			     CQE_WRID_MSN(hw_cqe) != wq->rq.msn)) {
 			t4_set_wq_in_error(wq);
-			hw_cqe->header |= htonl(V_CQE_STATUS(T4_ERR_MSN));
-			goto proc_cqe;
+			hw_cqe->header |= cpu_to_be32(V_CQE_STATUS(T4_ERR_MSN));
 		}
 		goto proc_cqe;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 239/254] adv7604: use correct drive strength defines
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 064/254] Btrfs: disable FUA if mounted with nobarrier Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 184/254] sh_eth: fix TXALCR1 offsets Ben Hutchings
                   ` (148 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

The prefix is ADV7604_, not ADV76XX.

Fixes: f31b62e14a ("adv7604: add hdmi driver strength adjustment")
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/adv7604.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
index af8a99716de5..9e0e592f50ab 100644
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -2735,9 +2735,9 @@ static int adv7604_parse_dt(struct adv7604_state *state)
 	state->pdata.alt_data_sat = 1;
 	state->pdata.op_format_mode_sel = ADV7604_OP_FORMAT_MODE0;
 	state->pdata.bus_order = ADV7604_BUS_ORDER_RGB;
-	state->pdata.dr_str_data = ADV76XX_DR_STR_MEDIUM_HIGH;
-	state->pdata.dr_str_clk = ADV76XX_DR_STR_MEDIUM_HIGH;
-	state->pdata.dr_str_sync = ADV76XX_DR_STR_MEDIUM_HIGH;
+	state->pdata.dr_str_data = ADV7604_DR_STR_MEDIUM_HIGH;
+	state->pdata.dr_str_clk = ADV7604_DR_STR_MEDIUM_HIGH;
+	state->pdata.dr_str_sync = ADV7604_DR_STR_MEDIUM_HIGH;
 
 	return 0;
 }

^ permalink raw reply related	[flat|nested] 261+ messages in thread

* [PATCH 3.16 086/254] ipv4: Use standard iovec primitive in raw_probe_proto_opt
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 192/254] USB: Gadget core: fix inconsistency in the interface tousb_add_gadget_udc_release() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 101/254] MIPS: Fix a preemption issue with thread's FPU defaults Ben Hutchings
                   ` (218 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, David S. Miller

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 32b5913a931fd753faf3d4e1124b2bc2edb364da upstream.

The function raw_probe_proto_opt tries to extract the first two
bytes from the user input in order to seed the IPsec lookup for
ICMP packets.  In doing so it's processing iovec by hand and
overcomplicating things.

This patch replaces the manual iovec processing with a call to
memcpy_fromiovecend.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/raw.c | 50 +++++++++++---------------------------------------
 1 file changed, 11 insertions(+), 39 deletions(-)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -417,48 +417,20 @@ error:
 
 static int raw_probe_proto_opt(struct flowi4 *fl4, struct msghdr *msg)
 {
-	struct iovec *iov;
-	u8 __user *type = NULL;
-	u8 __user *code = NULL;
-	int probed = 0;
-	unsigned int i;
+	struct icmphdr icmph;
+	int err;
 
-	if (!msg->msg_iov)
+	if (fl4->flowi4_proto != IPPROTO_ICMP)
 		return 0;
 
-	for (i = 0; i < msg->msg_iovlen; i++) {
-		iov = &msg->msg_iov[i];
-		if (!iov)
-			continue;
-
-		switch (fl4->flowi4_proto) {
-		case IPPROTO_ICMP:
-			/* check if one-byte field is readable or not. */
-			if (iov->iov_base && iov->iov_len < 1)
-				break;
-
-			if (!type) {
-				type = iov->iov_base;
-				/* check if code field is readable or not. */
-				if (iov->iov_len > 1)
-					code = type + 1;
-			} else if (!code)
-				code = iov->iov_base;
-
-			if (type && code) {
-				if (get_user(fl4->fl4_icmp_type, type) ||
-				    get_user(fl4->fl4_icmp_code, code))
-					return -EFAULT;
-				probed = 1;
-			}
-			break;
-		default:
-			probed = 1;
-			break;
-		}
-		if (probed)
-			break;
-	}
+	/* We only need the first two bytes. */
+	err = memcpy_fromiovecend((void *)&icmph, msg->msg_iov, 0, 2);
+	if (err)
+		return err;
+
+	fl4->fl4_icmp_type = icmph.type;
+	fl4->fl4_icmp_code = icmph.code;
+
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 104/254] MIPS: MSA: bugfix - disable MSA correctly for new threads/processes.
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 210/254] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 162/254] can: gs_usb: fix return value of the "set_bittiming" callback Ben Hutchings
                   ` (211 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ralf@linux-mips.org>

commit 9cc719ab3f4f639d629ac8ff09e9b998bc006f68 upstream.

Due to the slightly odd way that new threads and processes start execution
when scheduled for the very first time they were bypassing the required
disable_msa call.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/switch_to.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/include/asm/switch_to.h
+++ b/arch/mips/include/asm/switch_to.h
@@ -101,7 +101,6 @@ do {									\
 	if (test_and_clear_tsk_thread_flag(prev, TIF_USEDMSA))		\
 		__fpsave = FP_SAVE_VECTOR;				\
 	(last) = resume(prev, next, task_thread_info(next), __fpsave);	\
-	disable_msa();							\
 } while (0)
 
 #define finish_arch_switch(prev)					\
@@ -119,6 +118,7 @@ do {									\
 	if (cpu_has_userlocal)						\
 		write_c0_userlocal(current_thread_info()->tp_value);	\
 	__restore_watch();						\
+	disable_msa();							\
 } while (0)
 
 #endif /* _ASM_SWITCH_TO_H */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 011/254] bcache: recover data from backing when data is clean
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (141 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 154/254] fscache: Fix the default for fscache_maybe_release_page() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 189/254] Input: 88pm860x-ts - fix child-node lookup Ben Hutchings
                   ` (111 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Lyle, Jens Axboe, Coly Li, Rui Hua

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rui Hua <huarui.dev@gmail.com>

commit e393aa2446150536929140739f09c6ecbcbea7f0 upstream.

When we send a read request and hit the clean data in cache device, there
is a situation called cache read race in bcache(see the commit in the tail
of cache_look_up(), the following explaination just copy from there):
The bucket we're reading from might be reused while our bio is in flight,
and we could then end up reading the wrong data. We guard against this
by checking (in bch_cache_read_endio()) if the pointer is stale again;
if so, we treat it as an error (s->iop.error = -EINTR) and reread from
the backing device (but we don't pass that error up anywhere)

It should be noted that cache read race happened under normal
circumstances, not the circumstance when SSD failed, it was counted
and shown in  /sys/fs/bcache/XXX/internal/cache_read_races.

Without this patch, when we use writeback mode, we will never reread from
the backing device when cache read race happened, until the whole cache
device is clean, because the condition
(s->recoverable && (dc && !atomic_read(&dc->has_dirty))) is false in
cached_dev_read_error(). In this situation, the s->iop.error(= -EINTR)
will be passed up, at last, user will receive -EINTR when it's bio end,
this is not suitable, and wield to up-application.

In this patch, we use s->read_dirty_data to judge whether the read
request hit dirty data in cache device, it is safe to reread data from
the backing device when the read request hit clean data. This can not
only handle cache read race, but also recover data when failed read
request from cache device.

[edited by mlyle to fix up whitespace, commit log title, comment
spelling]

Fixes: d59b23795933 ("bcache: only permit to recovery read error when cache device is clean")
Signed-off-by: Hua Rui <huarui.dev@gmail.com>
Reviewed-by: Michael Lyle <mlyle@lyle.org>
Reviewed-by: Coly Li <colyli@suse.de>
Signed-off-by: Michael Lyle <mlyle@lyle.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/request.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -698,16 +698,15 @@ static void cached_dev_read_error(struct
 {
 	struct search *s = container_of(cl, struct search, cl);
 	struct bio *bio = &s->bio.bio;
-	struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
 
 	/*
-	 * If cache device is dirty (dc->has_dirty is non-zero), then
-	 * recovery a failed read request from cached device may get a
-	 * stale data back. So read failure recovery is only permitted
-	 * when cache device is clean.
+	 * If read request hit dirty data (s->read_dirty_data is true),
+	 * then recovery a failed read request from cached device may
+	 * get a stale data back. So read failure recovery is only
+	 * permitted when read request hit clean data in cache device,
+	 * or when cache read race happened.
 	 */
-	if (s->recoverable &&
-	    (dc && !atomic_read(&dc->has_dirty))) {
+	if (s->recoverable && !s->read_dirty_data) {
 		/* Retry from the backing device: */
 		trace_bcache_read_retry(s->orig_bio);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 110/254] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 136/254] net: mvneta: clear interface link status on port disable Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 191/254] usb: udc: core: add device_del() call to error pathway Ben Hutchings
                   ` (172 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Dave Martin, James Hogan, Ralf Baechle,
	Maciej W. Rozycki, Alex Smith, linux-mips

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@mips.com>

commit c8c5a3a24d395b14447a9a89d61586a913840a3b upstream.

Complement commit c23b3d1a5311 ("MIPS: ptrace: Change GP regset to use
correct core dump register layout") and also reject outsized
PTRACE_SETREGSET requests to the NT_PRFPREG regset, like with the
NT_PRSTATUS regset.

Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Fixes: c23b3d1a5311 ("MIPS: ptrace: Change GP regset to use correct core dump register layout")
Cc: James Hogan <james.hogan@mips.com>
Cc: Paul Burton <Paul.Burton@mips.com>
Cc: Alex Smith <alex@alex-smith.me.uk>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17930/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -568,6 +568,9 @@ static int fpr_set(struct task_struct *t
 
 	BUG_ON(count % sizeof(elf_fpreg_t));
 
+	if (pos + count > sizeof(elf_fpregset_t))
+		return -EIO;
+
 	init_fp_ctx(target);
 
 	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 231/254] of: fdt: Fix return with value in void function
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 102/254] MIPS: ptrace: Fix FP context restoration FCSR regression Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 232/254] net: bcmgenet: fix bcmgenet_open() Ben Hutchings
                   ` (227 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Commit 49e67dd17649 "of: fdt: add missing allocation-failure check"
added a "return NULL" statement in __unflatten_device_tree().  When
applied to the 3.16-stable branch, this introduced a compiler warning
(not an error!) because the function returns void here.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -381,7 +381,7 @@ static void __unflatten_device_tree(void
 	/* Allocate memory for the expanded device tree */
 	mem = dt_alloc(size + 4, __alignof__(struct device_node));
 	if (!mem)
-		return NULL;
+		return;
 
 	memset(mem, 0, size);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 208/254] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 056/254] net_sched: red: Avoid devision by zero Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 075/254] X.509: fix buffer overflow detection in sprint_oid() Ben Hutchings
                   ` (27 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christoffer Dall, Marc Zyngier

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit acfb3b883f6d6a4b5d27ad7fdded11f6a09ae6dd upstream.

KVM doesn't follow the SMCCC when it comes to unimplemented calls,
and inject an UNDEF instead of returning an error. Since firmware
calls are now used for security mitigation, they are becoming more
common, and the undef is counter productive.

Instead, let's follow the SMCCC which states that -1 must be returned
to the caller when getting an unknown function number.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
[bwh: Backported to 3.16: use vcpu_reg()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kvm/handle_exit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -34,7 +34,7 @@ static int handle_hvc(struct kvm_vcpu *v
 
 	ret = kvm_psci_call(vcpu);
 	if (ret < 0) {
-		kvm_inject_undefined(vcpu);
+		*vcpu_reg(vcpu, 0) = ~0UL;
 		return 1;
 	}
 
@@ -43,7 +43,7 @@ static int handle_hvc(struct kvm_vcpu *v
 
 static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
 {
-	kvm_inject_undefined(vcpu);
+	*vcpu_reg(vcpu, 0) = ~0UL;
 	return 1;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 116/254] USB: serial: option: add support for Telit ME910 PID 0x1101
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 127/254] usbip: vhci: stop printing kernel pointer addresses in messages Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 217/254] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA Ben Hutchings
                   ` (44 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Daniele Palmas

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <dnlplm@gmail.com>

commit 08933099e6404f588f81c2050bfec7313e06eeaf upstream.

This patch adds support for PID 0x1101 of Telit ME910.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -286,6 +286,7 @@ static void option_instat_callback(struc
 #define TELIT_PRODUCT_LE922_USBCFG3		0x1043
 #define TELIT_PRODUCT_LE922_USBCFG5		0x1045
 #define TELIT_PRODUCT_ME910			0x1100
+#define TELIT_PRODUCT_ME910_DUAL_MODEM		0x1101
 #define TELIT_PRODUCT_LE920			0x1200
 #define TELIT_PRODUCT_LE910			0x1201
 #define TELIT_PRODUCT_LE910_USBCFG4		0x1206
@@ -658,6 +659,11 @@ static const struct option_blacklist_inf
 	.reserved = BIT(1) | BIT(3),
 };
 
+static const struct option_blacklist_info telit_me910_dual_modem_blacklist = {
+	.sendsetup = BIT(0),
+	.reserved = BIT(3),
+};
+
 static const struct option_blacklist_info telit_le910_blacklist = {
 	.sendsetup = BIT(0),
 	.reserved = BIT(1) | BIT(2),
@@ -1266,6 +1272,8 @@ static const struct usb_device_id option
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
 		.driver_info = (kernel_ulong_t)&telit_me910_blacklist },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
+		.driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
 		.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 249/254] media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 120/254] PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 005/254] KVM: x86: Don't re-execute instruction when not passing CR2 value Ben Hutchings
                   ` (238 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Hans Verkuil

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit a751be5b142ef6bcbbb96d9899516f4d9c8d0ef4 upstream.

put_v4l2_window32() didn't copy back the clip list to userspace.
Drivers can update the clip rectangles, so this should be done.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 59 ++++++++++++++++++---------
 1 file changed, 40 insertions(+), 19 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -50,6 +50,11 @@ struct v4l2_window32 {
 
 static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
 {
+	struct v4l2_clip32 __user *uclips;
+	struct v4l2_clip __user *kclips;
+	compat_caddr_t p;
+	u32 n;
+
 	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
 	    copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
 	    get_user(kp->field, &up->field) ||
@@ -59,38 +64,54 @@ static int get_v4l2_window32(struct v4l2
 		return -EFAULT;
 	if (kp->clipcount > 2048)
 		return -EINVAL;
-	if (kp->clipcount) {
-		struct v4l2_clip32 __user *uclips;
-		struct v4l2_clip __user *kclips;
-		int n = kp->clipcount;
-		compat_caddr_t p;
+	if (!kp->clipcount) {
+		kp->clips = NULL;
+		return 0;
+	}
 
-		if (get_user(p, &up->clips))
+	n = kp->clipcount;
+	if (get_user(p, &up->clips))
+		return -EFAULT;
+	uclips = compat_ptr(p);
+	kclips = compat_alloc_user_space(n * sizeof(*kclips));
+	kp->clips = kclips;
+	while (n--) {
+		if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
 			return -EFAULT;
-		uclips = compat_ptr(p);
-		kclips = compat_alloc_user_space(n * sizeof(*kclips));
-		kp->clips = kclips;
-		while (--n >= 0) {
-			if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
-				return -EFAULT;
-			if (put_user(n ? kclips + 1 : NULL, &kclips->next))
-				return -EFAULT;
-			uclips += 1;
-			kclips += 1;
-		}
-	} else
-		kp->clips = NULL;
+		if (put_user(n ? kclips + 1 : NULL, &kclips->next))
+			return -EFAULT;
+		uclips++;
+		kclips++;
+	}
 	return 0;
 }
 
 static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
 {
+	struct v4l2_clip __user *kclips = kp->clips;
+	struct v4l2_clip32 __user *uclips;
+	u32 n = kp->clipcount;
+	compat_caddr_t p;
+
 	if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
 	    put_user(kp->field, &up->field) ||
 	    put_user(kp->chromakey, &up->chromakey) ||
 	    put_user(kp->clipcount, &up->clipcount) ||
 	    put_user(kp->global_alpha, &up->global_alpha))
 		return -EFAULT;
+
+	if (!kp->clipcount)
+		return 0;
+
+	if (get_user(p, &up->clips))
+		return -EFAULT;
+	uclips = compat_ptr(p);
+	while (n--) {
+		if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c)))
+			return -EFAULT;
+		uclips++;
+		kclips++;
+	}
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 049/254] ALSA: usb-audio: Fix out-of-bound error
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 227/254] pppoe: take ->needed_headroom of lower device into account on xmit Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 136/254] net: mvneta: clear interface link status on port disable Ben Hutchings
                   ` (174 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Jaejoong Kim

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.

The snd_usb_copy_string_desc() retrieves the usb string corresponding to
the index number through the usb_string(). The problem is that the
usb_string() returns the length of the string (>= 0) when successful, but
it can also return a negative value about the error case or status of
usb_control_msg().

If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
This will result in '0' being inserted into buf[-22], and the following
KASAN out-of-bound error message will be output.

AudioControl Interface Descriptor:
  bLength                 8
  bDescriptorType        36
  bDescriptorSubtype     10 (CLOCK_SOURCE)
  bClockID                1
  bmAttributes         0x07 Internal programmable Clock (synced to SOF)
  bmControls           0x07
  Clock Frequency Control (read/write)
  Clock Validity Control (read-only)
  bAssocTerminal          0
  iClockSource            0

To fix it, check usb_string()'return value and bail out.

==================================================================
BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376

CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
Call Trace:
dump_stack+0x63/0x8d
print_address_description+0x70/0x290
? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
kasan_report+0x265/0x350
__asan_store1+0x4a/0x50
parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
? save_stack+0xb5/0xd0
? save_stack_trace+0x1b/0x20
? save_stack+0x46/0xd0
? kasan_kmalloc+0xad/0xe0
? kmem_cache_alloc_trace+0xff/0x230
? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
? usb_probe_interface+0x1f5/0x440
? driver_probe_device+0x3ed/0x660
? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
? save_stack_trace+0x1b/0x20
? init_object+0x69/0xa0
? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
? build_audio_procunit+0x890/0x890 [snd_usb_audio]
? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
? kmem_cache_alloc_trace+0xff/0x230
? usb_ifnum_to_if+0xbd/0xf0
snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
? __pm_runtime_idle+0x90/0x90
? kernfs_activate+0xa6/0xc0
? usb_match_one_id_intf+0xdc/0x130
? __pm_runtime_set_status+0x2d4/0x450
usb_probe_interface+0x1f5/0x440

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/mixer.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -199,6 +199,10 @@ static int snd_usb_copy_string_desc(stru
 				    int index, char *buf, int maxlen)
 {
 	int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
+
+	if (len < 0)
+		return 0;
+
 	buf[len] = 0;
 	return len;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 111/254] powerpc/perf: Dereference BHRB entries safely
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 067/254] can: ems_usb: cancel urb on -EPIPE and -EPROTO Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 194/254] uas: ignore UAS for Norelsys NS1068(X) chips Ben Hutchings
                   ` (117 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Ravi Bangoria, Naveen N. Rao

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>

commit f41d84dddc66b164ac16acf3f584c276146f1c48 upstream.

It's theoretically possible that branch instructions recorded in
BHRB (Branch History Rolling Buffer) entries have already been
unmapped before they are processed by the kernel. Hence, trying to
dereference such memory location will result in a crash. eg:

    Unable to handle kernel paging request for data at address 0xd000000019c41764
    Faulting instruction address: 0xc000000000084a14
    NIP [c000000000084a14] branch_target+0x4/0x70
    LR [c0000000000eb828] record_and_restart+0x568/0x5c0
    Call Trace:
    [c0000000000eb3b4] record_and_restart+0xf4/0x5c0 (unreliable)
    [c0000000000ec378] perf_event_interrupt+0x298/0x460
    [c000000000027964] performance_monitor_exception+0x54/0x70
    [c000000000009ba4] performance_monitor_common+0x114/0x120

Fix it by deferefencing the addresses safely.

Fixes: 691231846ceb ("powerpc/perf: Fix setting of "to" addresses for BHRB")
Suggested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
[mpe: Use probe_kernel_read() which is clearer, tweak change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/perf/core-book3s.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -391,8 +391,12 @@ static __u64 power_pmu_bhrb_to(u64 addr)
 	int ret;
 	__u64 target;
 
-	if (is_kernel_addr(addr))
-		return branch_target((unsigned int *)addr);
+	if (is_kernel_addr(addr)) {
+		if (probe_kernel_read(&instr, (void *)addr, sizeof(instr)))
+			return 0;
+
+		return branch_target(&instr);
+	}
 
 	/* Userspace: need copy instruction here then translate it */
 	pagefault_disable();

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 163/254] ALSA: pcm: Add missing error checks in OSS emulation plugin builder
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (217 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 150/254] af_key: fix buffer overread in verify_address_len() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 190/254] USB: fix usbmon BUG trigger Ben Hutchings
                   ` (35 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 6708913750344a900f2e73bfe4a4d6dbbce4fe8d upstream.

In the OSS emulation plugin builder where the frame size is parsed in
the plugin chain, some places miss the possible errors returned from
the plugin src_ or dst_frames callback.

This patch papers over such places.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/oss/pcm_plugin.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -591,18 +591,26 @@ snd_pcm_sframes_t snd_pcm_plug_write_tra
 	snd_pcm_sframes_t frames = size;
 
 	plugin = snd_pcm_plug_first(plug);
-	while (plugin && frames > 0) {
+	while (plugin) {
+		if (frames <= 0)
+			return frames;
 		if ((next = plugin->next) != NULL) {
 			snd_pcm_sframes_t frames1 = frames;
-			if (plugin->dst_frames)
+			if (plugin->dst_frames) {
 				frames1 = plugin->dst_frames(plugin, frames);
+				if (frames1 <= 0)
+					return frames1;
+			}
 			if ((err = next->client_channels(next, frames1, &dst_channels)) < 0) {
 				return err;
 			}
 			if (err != frames1) {
 				frames = err;
-				if (plugin->src_frames)
+				if (plugin->src_frames) {
 					frames = plugin->src_frames(plugin, frames1);
+					if (frames <= 0)
+						return frames;
+				}
 			}
 		} else
 			dst_channels = NULL;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 072/254] ASN.1: check for error from ASN1_OP_END__ACT actions
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 151/254] af_key: fix buffer overread in parse_exthdrs() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 221/254] cfg80211: fix station info handling bugs Ben Hutchings
                   ` (192 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Biggers, David Howells, James Morris

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.

asn1_ber_decoder() was ignoring errors from actions associated with the
opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
meant the pkcs7_note_signed_info() action (since that was the only user
of those opcodes).  Fix it by checking for the error, just like the
decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a
specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature
verification, by providing a PKCS#7 message that is misparsed such that
a signature's ->authattrs do not contain its ->msgdigest.  But it
doesn't seem practical in normal cases, due to restrictions on the
format of the ->authattrs.

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/asn1_decoder.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -427,6 +427,8 @@ next_op:
 			else
 				act = machine[pc + 1];
 			ret = actions[act](context, hdr, 0, data + tdp, len);
+			if (ret < 0)
+				return ret;
 		}
 		pc += asn1_op_lengths[op];
 		goto next_op;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 167/254] net: stmmac: enable EEE in MII, GMII or RGMII only
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 187/254] Input: twl6040-vibra - fix DT node memory management Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 204/254] futex: Prevent overflow by strengthen input validation Ben Hutchings
                   ` (68 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jerome Brunet, David S. Miller, Arnaud Patard

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jerome Brunet <jbrunet@baylibre.com>

commit 879626e3a52630316d817cbda7cec9a5446d1d82 upstream.

Note in the databook - Section 4.4 - EEE :
" The EEE feature is not supported when the MAC is configured to use the
TBI, RTBI, SMII, RMII or SGMII single PHY interface. Even if the MAC
supports multiple PHY interfaces, you should activate the EEE mode only
when the MAC is operating with GMII, MII, or RGMII interface."

Applying this restriction solves a stability issue observed on Amlogic
gxl platforms operating with RMII interface and the internal PHY.

Fixes: 83bf79b6bb64 ("stmmac: disable at run-time the EEE if not supported")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Tested-by: Arnaud Patard <arnaud.patard@rtp-net.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjst context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -275,8 +275,14 @@ static void stmmac_eee_ctrl_timer(unsign
  */
 bool stmmac_eee_init(struct stmmac_priv *priv)
 {
+	int interface = priv->plat->interface;
 	bool ret = false;
 
+	if ((interface != PHY_INTERFACE_MODE_MII) &&
+	    (interface != PHY_INTERFACE_MODE_GMII) &&
+	    !phy_interface_mode_is_rgmii(interface))
+		goto out;
+
 	/* Using PCS we cannot dial with the phy registers at this stage
 	 * so we do not support extra feature like EEE.
 	 */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 135/254] net/mlx5: Stay in polling mode when command EQ destroy fails
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (196 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 157/254] e1000e: Separate signaling for link check/link up Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 219/254] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once Ben Hutchings
                   ` (56 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Saeed Mahameed, Moshe Shemesh

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Moshe Shemesh <moshe@mellanox.com>

commit a2fba188fd5eadd6061bef4f2f2577a43231ebf3 upstream.

During unload, on mlx5_stop_eqs we move command interface from events
mode to polling mode, but if command interface EQ destroy fail we move
back to events mode.
That's wrong since even if we fail to destroy command interface EQ, we
do release its irq, so no interrupts will be received.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/eq.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
@@ -502,11 +502,9 @@ void mlx5_stop_eqs(struct mlx5_core_dev
 	mlx5_cmd_use_polling(dev);
 
 	err = mlx5_destroy_unmap_eq(dev, &table->cmd_eq);
-	if (err) {
+	if (err)
 		mlx5_core_err(dev, "failed to destroy command eq, err(%d)\n",
 			      err);
-		mlx5_cmd_use_events(dev);
-	}
 }
 
 int mlx5_core_eq_query(struct mlx5_core_dev *dev, struct mlx5_eq *eq,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 012/254] Input: elantech - add new icbody type 15
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (176 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 041/254] can: kvaser_usb: free buf in error paths Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 107/254] MIPS: Factor out NT_PRFPREG regset access helpers Ben Hutchings
                   ` (76 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Aaron Ma

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit 10d900303f1c3a821eb0bef4e7b7ece16768fba4 upstream.

The touchpad of Lenovo Thinkpad L480 reports it's version as 15.

Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/elantech.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1481,7 +1481,7 @@ static int elantech_set_properties(struc
 		case 5:
 			etd->hw_version = 3;
 			break;
-		case 6 ... 14:
+		case 6 ... 15:
 			etd->hw_version = 4;
 			break;
 		default:

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 174/254] x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 188/254] Input: twl6040-vibra - fix child-node lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 082/254] dmaengine: dmatest: warn user when dma test times out Ben Hutchings
                   ` (133 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, ak, Kees Cook, Dave Hansen, Peter Zijlstra, Jiri Kosina,
	Linus Torvalds, Greg Kroah-Hartman, David Woodhouse, Tim Chen,
	Thomas Gleixner, Rik van Riel, Andy Lutomirski, Paul Turner,
	gnomes

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw@amazon.co.uk>

commit b9e705ef7cfaf22db0daab91ad3cd33b0fa32eb9 upstream.

Where an ALTERNATIVE is used in the middle of an inline asm block, this
would otherwise lead to the following instruction being appended directly
to the trailing ".popsection", and a failed compile.

Fixes: 9cebed423c84 ("x86, alternative: Use .pushsection/.popsection")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: Rik van Riel <riel@redhat.com>
Cc: ak@linux.intel.com
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Paul Turner <pjt@google.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
Link: https://lkml.kernel.org/r/20180104143710.8961-8-dwmw@amazon.co.uk
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/alternative.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/alternative.h
+++ b/arch/x86/include/asm/alternative.h
@@ -124,7 +124,7 @@ static inline int alternatives_text_rese
 	".popsection\n"							\
 	".pushsection .altinstr_replacement, \"ax\"\n"			\
 	ALTINSTR_REPLACEMENT(newinstr, feature, 1)			\
-	".popsection"
+	".popsection\n"
 
 #define ALTERNATIVE_2(oldinstr, newinstr1, feature1, newinstr2, feature2)\
 	OLDINSTR_2(oldinstr, 1, 2)					\
@@ -135,7 +135,7 @@ static inline int alternatives_text_rese
 	".pushsection .altinstr_replacement, \"ax\"\n"			\
 	ALTINSTR_REPLACEMENT(newinstr1, feature1, 1)			\
 	ALTINSTR_REPLACEMENT(newinstr2, feature2, 2)			\
-	".popsection"
+	".popsection\n"
 
 /*
  * This must be included *after* the definition of ALTERNATIVE due to

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 156/254] IB/ipoib: Fix race condition in neigh creation
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (139 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 241/254] vb2: V4L2_BUF_FLAG_DONE is set after DQBUF Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 154/254] fscache: Fix the default for fscache_maybe_release_page() Ben Hutchings
                   ` (113 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Erez Shitrit, Jason Gunthorpe, Alex Vesker, Leon Romanovsky

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <erezsh@mellanox.com>

commit 16ba3defb8bd01a9464ba4820a487f5b196b455b upstream.

When using enhanced mode for IPoIB, two threads may execute xmit in
parallel to two different TX queues while the target is the same.
In this case, both of them will add the same neighbor to the path's
neigh link list and we might see the following message:

  list_add double add: new=ffff88024767a348, prev=ffff88024767a348...
  WARNING: lib/list_debug.c:31__list_add_valid+0x4e/0x70
  ipoib_start_xmit+0x477/0x680 [ib_ipoib]
  dev_hard_start_xmit+0xb9/0x3e0
  sch_direct_xmit+0xf9/0x250
  __qdisc_run+0x176/0x5d0
  __dev_queue_xmit+0x1f5/0xb10
  __dev_queue_xmit+0x55/0xb10

Analysis:
Two SKB are scheduled to be transmitted from two cores.
In ipoib_start_xmit, both gets NULL when calling ipoib_neigh_get.
Two calls to neigh_add_path are made. One thread takes the spin-lock
and calls ipoib_neigh_alloc which creates the neigh structure,
then (after the __path_find) the neigh is added to the path's neigh
link list. When the second thread enters the critical section it also
calls ipoib_neigh_alloc but in this case it gets the already allocated
ipoib_neigh structure, which is already linked to the path's neigh
link list and adds it again to the list. Which beside of triggering
the list, it creates a loop in the linked list. This loop leads to
endless loop inside path_rec_completion.

Solution:
Check list_empty(&neigh->list) before adding to the list.
Add a similar fix in "ipoib_multicast.c::ipoib_mcast_send"

Fixes: b63b70d87741 ('IPoIB: Use a private hash table for path lookup in xmit path')
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Reviewed-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_main.c      | 25 ++++++++++++++++++-------
 drivers/infiniband/ulp/ipoib/ipoib_multicast.c |  5 ++++-
 2 files changed, 22 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -615,8 +615,8 @@ static int path_rec_start(struct net_dev
 	return 0;
 }
 
-static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
-			   struct net_device *dev)
+static struct ipoib_neigh *neigh_add_path(struct sk_buff *skb, u8 *daddr,
+					  struct net_device *dev)
 {
 	struct ipoib_dev_priv *priv = netdev_priv(dev);
 	struct ipoib_path *path;
@@ -629,7 +629,15 @@ static void neigh_add_path(struct sk_buf
 		spin_unlock_irqrestore(&priv->lock, flags);
 		++dev->stats.tx_dropped;
 		dev_kfree_skb_any(skb);
-		return;
+		return NULL;
+	}
+
+	/* To avoid race condition, make sure that the
+	 * neigh will be added only once.
+	 */
+	if (unlikely(!list_empty(&neigh->list))) {
+		spin_unlock_irqrestore(&priv->lock, flags);
+		return neigh;
 	}
 
 	path = __path_find(dev, daddr + 4);
@@ -665,7 +673,7 @@ static void neigh_add_path(struct sk_buf
 			spin_unlock_irqrestore(&priv->lock, flags);
 			ipoib_send(dev, skb, path->ah, IPOIB_QPN(daddr));
 			ipoib_neigh_put(neigh);
-			return;
+			return NULL;
 		}
 	} else {
 		neigh->ah  = NULL;
@@ -678,7 +686,7 @@ static void neigh_add_path(struct sk_buf
 
 	spin_unlock_irqrestore(&priv->lock, flags);
 	ipoib_neigh_put(neigh);
-	return;
+	return NULL;
 
 err_path:
 	ipoib_neigh_free(neigh);
@@ -688,6 +696,8 @@ err_drop:
 
 	spin_unlock_irqrestore(&priv->lock, flags);
 	ipoib_neigh_put(neigh);
+
+	return NULL;
 }
 
 static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev,
@@ -784,8 +794,9 @@ static int ipoib_start_xmit(struct sk_bu
 	case htons(ETH_P_TIPC):
 		neigh = ipoib_neigh_get(dev, cb->hwaddr);
 		if (unlikely(!neigh)) {
-			neigh_add_path(skb, cb->hwaddr, dev);
-			return NETDEV_TX_OK;
+			neigh = neigh_add_path(skb, cb->hwaddr, dev);
+			if (likely(!neigh))
+				return NETDEV_TX_OK;
 		}
 		break;
 	case htons(ETH_P_ARP):
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -728,7 +728,10 @@ out:
 		spin_lock_irqsave(&priv->lock, flags);
 		if (!neigh) {
 			neigh = ipoib_neigh_alloc(daddr, dev);
-			if (neigh) {
+			/* Make sure that the neigh will be added only
+			 * once to mcast list.
+			 */
+			if (neigh && list_empty(&neigh->list)) {
 				kref_get(&mcast->ah->ref);
 				neigh->ah	= mcast->ah;
 				list_add_tail(&neigh->list, &mcast->neigh_list);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 226/254] Input: trackpoint - force 3 buttons if 0 button is reported
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (231 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 114/254] kernel: make groups_sort calling a responsibility group_info allocators Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 242/254] media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF Ben Hutchings
                   ` (21 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Aaron Ma

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit f5d07b9e98022d50720e38aa936fc11c67868ece upstream.

Lenovo introduced trackpoint compatible sticks with minimum PS/2 commands.
They supposed to reply with 0x02, 0x03, or 0x04 in response to the
"Read Extended ID" command, so we would know not to try certain extended
commands. Unfortunately even some trackpoints reporting the original IBM
version (0x01 firmware 0x0e) now respond with incorrect data to the "Get
Extended Buttons" command:

 thinkpad_acpi: ThinkPad BIOS R0DET87W (1.87 ), EC unknown
 thinkpad_acpi: Lenovo ThinkPad E470, model 20H1004SGE

 psmouse serio2: trackpoint: IBM TrackPoint firmware: 0x0e, buttons: 0/0

Since there are no trackpoints without buttons, let's assume the trackpoint
has 3 buttons when we get 0 response to the extended buttons query.

Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196253
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/trackpoint.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/input/mouse/trackpoint.c
+++ b/drivers/input/mouse/trackpoint.c
@@ -379,6 +379,9 @@ int trackpoint_detect(struct psmouse *ps
 	if (trackpoint_read(&psmouse->ps2dev, TP_EXT_BTN, &button_info)) {
 		psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
 		button_info = 0x33;
+	} else if (!button_info) {
+		psmouse_warn(psmouse, "got 0 in extended button data, assuming 3 buttons\n");
+		button_info = 0x33;
 	}
 
 	psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 081/254] xhci: Don't add a virt_dev to the devs array before it's fully allocated
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 178/254] sh_eth: fix SH7757 GEther initialization Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 003/254] KVM: x86: Exit to user-mode on #UD intercept when emulator requires Ben Hutchings
                   ` (4 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Mathias Nyman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 5d9b70f7d52eb14bb37861c663bae44de9521c35 upstream.

Avoid null pointer dereference if some function is walking through the
devs array accessing members of a new virt_dev that is mid allocation.

Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its
members are properly allocated.

issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port

"Quick analysis suggests that xhci_alloc_virt_device() is not mutex
protected. If so, there is a time frame where xhci->devs[slot_id] is set
but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL."

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: There is an extra failure path, so we may need to
 free dev->eps[0].ring] 
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1018,10 +1018,9 @@ int xhci_alloc_virt_device(struct xhci_h
 		return 0;
 	}
 
-	xhci->devs[slot_id] = kzalloc(sizeof(*xhci->devs[slot_id]), flags);
-	if (!xhci->devs[slot_id])
+	dev = kzalloc(sizeof(*dev), flags);
+	if (!dev)
 		return 0;
-	dev = xhci->devs[slot_id];
 
 	/* Allocate the (output) device context that will be used in the HC. */
 	dev->out_ctx = xhci_alloc_container_ctx(xhci, XHCI_CTX_TYPE_DEVICE, flags);
@@ -1069,9 +1068,19 @@ int xhci_alloc_virt_device(struct xhci_h
 		 &xhci->dcbaa->dev_context_ptrs[slot_id],
 		 le64_to_cpu(xhci->dcbaa->dev_context_ptrs[slot_id]));
 
+	xhci->devs[slot_id] = dev;
+
 	return 1;
 fail:
-	xhci_free_virt_device(xhci, slot_id);
+
+	if (dev->eps[0].ring)
+		xhci_ring_free(xhci, dev->eps[0].ring);
+	if (dev->in_ctx)
+		xhci_free_container_ctx(xhci, dev->in_ctx);
+	if (dev->out_ctx)
+		xhci_free_container_ctx(xhci, dev->out_ctx);
+	kfree(dev);
+
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 157/254] e1000e: Separate signaling for link check/link up
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (195 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 001/254] ALSA: seq: Fix regression by incorrect ioctl_mutex usages Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 135/254] net/mlx5: Stay in polling mode when command EQ destroy fails Ben Hutchings
                   ` (57 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Lennart Sorensen, Jeff Kirsher, Aaron Brown, Benjamin Poirier

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Poirier <bpoirier@suse.com>

commit 19110cfbb34d4af0cdfe14cd243f3b09dc95b013 upstream.

Lennart reported the following race condition:

\ e1000_watchdog_task
    \ e1000e_has_link
        \ hw->mac.ops.check_for_link() === e1000e_check_for_copper_link
            /* link is up */
            mac->get_link_status = false;

                            /* interrupt */
                            \ e1000_msix_other
                                hw->mac.get_link_status = true;

        link_active = !hw->mac.get_link_status
        /* link_active is false, wrongly */

This problem arises because the single flag get_link_status is used to
signal two different states: link status needs checking and link status is
down.

Avoid the problem by using the return value of .check_for_link to signal
the link status to e1000e_has_link().

Reported-by: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/e1000e/mac.c    | 11 ++++++++---
 drivers/net/ethernet/intel/e1000e/netdev.c |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/intel/e1000e/mac.c
+++ b/drivers/net/ethernet/intel/e1000e/mac.c
@@ -410,6 +410,9 @@ void e1000e_clear_hw_cntrs_base(struct e
  *  Checks to see of the link status of the hardware has changed.  If a
  *  change in link status has been detected, then we read the PHY registers
  *  to get the current speed/duplex if link exists.
+ *
+ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
+ *  up).
  **/
 s32 e1000e_check_for_copper_link(struct e1000_hw *hw)
 {
@@ -423,7 +426,7 @@ s32 e1000e_check_for_copper_link(struct
 	 * Change or Rx Sequence Error interrupt.
 	 */
 	if (!mac->get_link_status)
-		return 0;
+		return 1;
 
 	/* First we want to see if the MII Status Register reports
 	 * link.  If so, then we want to get the current speed/duplex
@@ -461,10 +464,12 @@ s32 e1000e_check_for_copper_link(struct
 	 * different link partner.
 	 */
 	ret_val = e1000e_config_fc_after_link_up(hw);
-	if (ret_val)
+	if (ret_val) {
 		e_dbg("Error configuring flow control\n");
+		return ret_val;
+	}
 
-	return ret_val;
+	return 1;
 }
 
 /**
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -4844,7 +4844,7 @@ static bool e1000e_has_link(struct e1000
 	case e1000_media_type_copper:
 		if (hw->mac.get_link_status) {
 			ret_val = hw->mac.ops.check_for_link(hw);
-			link_active = !hw->mac.get_link_status;
+			link_active = ret_val > 0;
 		} else {
 			link_active = true;
 		}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 068/254] can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 130/254] usbip: fix usbip bind writing random string after command in match_busid Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 062/254] kdb: Fix handling of kallsyms_symbol_next() return value Ben Hutchings
                   ` (156 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Martin Kelly

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/esd_usb2.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -395,6 +395,8 @@ static void esd_usb2_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 140/254] ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (214 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 131/254] usb: add RESET_RESUME for ELSA MicroLink 56K Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 080/254] ASoC: wm_adsp: Fix validation of firmware and coeff lengths Ben Hutchings
                   ` (38 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Hui Wang

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit 322f74ede933b3e2cb78768b6a6fdbfbf478a0c1 upstream.

There is a headset jack on the front panel, when we plug a headset
into it, the headset mic can't trigger unsol events, and
read_pin_sense() can't detect its presence too. So add this fixup
to fix this issue.

Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -2845,6 +2845,8 @@ enum {
 	CXT_FIXUP_MUTE_LED_EAPD,
 	CXT_FIXUP_HP_SPECTRE,
 	CXT_FIXUP_HP_GATE_MIC,
+	CXT_FIXUP_HEADSET_MIC,
+	CXT_FIXUP_HP_MIC_NO_PRESENCE,
 };
 
 /* for hda_fixup_thinkpad_acpi() */
@@ -2923,6 +2925,18 @@ static void cxt_fixup_headphone_mic(stru
 	}
 }
 
+static void cxt_fixup_headset_mic(struct hda_codec *codec,
+				    const struct hda_fixup *fix, int action)
+{
+	struct conexant_spec *spec = codec->spec;
+
+	switch (action) {
+	case HDA_FIXUP_ACT_PRE_PROBE:
+		spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
+		break;
+	}
+}
+
 /* OPLC XO 1.5 fixup */
 
 /* OLPC XO-1.5 supports DC input mode (e.g. for use with analog sensors)
@@ -3374,6 +3388,19 @@ static const struct hda_fixup cxt_fixups
 		.type = HDA_FIXUP_FUNC,
 		.v.func = cxt_fixup_hp_gate_mic_jack,
 	},
+	[CXT_FIXUP_HEADSET_MIC] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = cxt_fixup_headset_mic,
+	},
+	[CXT_FIXUP_HP_MIC_NO_PRESENCE] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			{ 0x1a, 0x02a1113c },
+			{ }
+		},
+		.chained = true,
+		.chain_id = CXT_FIXUP_HEADSET_MIC,
+	},
 };
 
 static const struct snd_pci_quirk cxt5045_fixups[] = {
@@ -3425,6 +3452,8 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
 	SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
 	SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+	SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 114/254] kernel: make groups_sort calling a responsibility group_info allocators
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (230 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 149/254] stddef.h: move offsetofend inside #ifndef/#endif guard, neaten Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 226/254] Input: trackpoint - force 3 buttons if 0 button is reported Ben Hutchings
                   ` (22 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, NeilBrown, Linus Torvalds, Martin Schwidefsky,
	Matthew Wilcox, Al Viro, Thiago Rafael Becker, J. Bruce Fields

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thiago Rafael Becker <thiago.becker@gmail.com>

commit bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758 upstream.

In testing, we found that nfsd threads may call set_groups in parallel
for the same entry cached in auth.unix.gid, racing in the call of
groups_sort, corrupting the groups for that entry and leading to
permission denials for the client.

This patch:
 - Make groups_sort globally visible.
 - Move the call to groups_sort to the modifiers of group_info
 - Remove the call to groups_sort from set_groups

Link: http://lkml.kernel.org/r/20171211151420.18655-1-thiago.becker@gmail.com
Signed-off-by: Thiago Rafael Becker <thiago.becker@gmail.com>
Reviewed-by: Matthew Wilcox <mawilcox@microsoft.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Acked-by: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/kernel/compat_linux.c   | 1 +
 fs/nfsd/auth.c                    | 3 +++
 include/linux/cred.h              | 1 +
 kernel/groups.c                   | 5 +++--
 kernel/uid16.c                    | 1 +
 net/sunrpc/auth_gss/gss_rpc_xdr.c | 1 +
 net/sunrpc/auth_gss/svcauth_gss.c | 1 +
 net/sunrpc/svcauth_unix.c         | 2 ++
 8 files changed, 13 insertions(+), 2 deletions(-)

--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16,
 		return retval;
 	}
 
+	groups_sort(group_info);
 	retval = set_current_groups(group_info);
 	put_group_info(group_info);
 
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -59,6 +59,9 @@ int nfsd_setuser(struct svc_rqst *rqstp,
 				GROUP_AT(gi, i) = exp->ex_anon_gid;
 			else
 				GROUP_AT(gi, i) = GROUP_AT(rqgi, i);
+
+			/* Each thread allocates its own gi, no race */
+			groups_sort(gi);
 		}
 	} else {
 		gi = get_group_info(rqgi);
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -69,6 +69,7 @@ extern int set_current_groups(struct gro
 extern void set_groups(struct cred *, struct group_info *);
 extern int groups_search(const struct group_info *, kgid_t);
 extern bool may_setgroups(void);
+extern void groups_sort(struct group_info *);
 
 /* access the groups "array" with this macro */
 #define GROUP_AT(gi, i) \
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -104,7 +104,7 @@ static int groups_from_user(struct group
 }
 
 /* a simple Shell sort */
-static void groups_sort(struct group_info *group_info)
+void groups_sort(struct group_info *group_info)
 {
 	int base, max, stride;
 	int gidsetsize = group_info->ngroups;
@@ -131,6 +131,7 @@ static void groups_sort(struct group_inf
 		stride /= 3;
 	}
 }
+EXPORT_SYMBOL(groups_sort);
 
 /* a simple bsearch */
 int groups_search(const struct group_info *group_info, kgid_t grp)
@@ -162,7 +163,6 @@ int groups_search(const struct group_inf
 void set_groups(struct cred *new, struct group_info *group_info)
 {
 	put_group_info(new->group_info);
-	groups_sort(group_info);
 	get_group_info(group_info);
 	new->group_info = group_info;
 }
@@ -246,6 +246,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsi
 		return retval;
 	}
 
+	groups_sort(group_info);
 	retval = set_current_groups(group_info);
 	put_group_info(group_info);
 
--- a/kernel/uid16.c
+++ b/kernel/uid16.c
@@ -190,6 +190,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidset
 		return retval;
 	}
 
+	groups_sort(group_info);
 	retval = set_current_groups(group_info);
 	put_group_info(group_info);
 
--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct x
 			goto out_free_groups;
 		GROUP_AT(creds->cr_group_info, i) = kgid;
 	}
+	groups_sort(creds->cr_group_info);
 
 	return 0;
 out_free_groups:
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -479,6 +479,7 @@ static int rsc_parse(struct cache_detail
 				goto out;
 			GROUP_AT(rsci.cred.cr_group_info, i) = kgid;
 		}
+		groups_sort(rsci.cred.cr_group_info);
 
 		/* mech name */
 		len = qword_get(&mesg, buf, mlen);
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_d
 		GROUP_AT(ug.gi, i) = kgid;
 	}
 
+	groups_sort(ug.gi);
 	ugp = unix_gid_lookup(cd, uid);
 	if (ugp) {
 		struct cache_head *ch;
@@ -827,6 +828,7 @@ svcauth_unix_accept(struct svc_rqst *rqs
 		kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
 		GROUP_AT(cred->cr_group_info, i) = kgid;
 	}
+	groups_sort(cred->cr_group_info);
 	if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
 		*authp = rpc_autherr_badverf;
 		return SVC_DENIED;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 147/254] nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (170 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 023/254] USB: core: Add type-specific length check of BOS descriptors Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 066/254] net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case Ben Hutchings
                   ` (82 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sebastian Siewior, Thomas Gleixner, Anna-Maria Gleixner,
	Frederic Weisbecker, Peter Zijlstra, Sebastian Siewior,
	Paul McKenney

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 5d62c183f9e9df1deeea0906d099a94e8a43047a upstream.

The conditions in irq_exit() to invoke tick_nohz_irq_exit() which
subsequently invokes tick_nohz_stop_sched_tick() are:

  if ((idle_cpu(cpu) && !need_resched()) || tick_nohz_full_cpu(cpu))

If need_resched() is not set, but a timer softirq is pending then this is
an indication that the softirq code punted and delegated the execution to
softirqd. need_resched() is not true because the current interrupted task
takes precedence over softirqd.

Invoking tick_nohz_irq_exit() in this case can cause an endless loop of
timer interrupts because the timer wheel contains an expired timer, but
softirqs are not yet executed. So it returns an immediate expiry request,
which causes the timer to fire immediately again. Lather, rinse and
repeat....

Prevent that by adding a check for a pending timer soft interrupt to the
conditions in tick_nohz_stop_sched_tick() which avoid calling
get_next_timer_interrupt(). That keeps the tick sched timer on the tick and
prevents a repetitive programming of an already expired timer.

Reported-by: Sebastian Siewior <bigeasy@linutronix.d>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: Sebastian Siewior <bigeasy@linutronix.de>
Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1712272156050.2431@nanos
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time/tick-sched.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -527,6 +527,11 @@ u64 get_cpu_iowait_time_us(int cpu, u64
 }
 EXPORT_SYMBOL_GPL(get_cpu_iowait_time_us);
 
+static inline bool local_timer_softirq_pending(void)
+{
+	return local_softirq_pending() & TIMER_SOFTIRQ;
+}
+
 static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
 					 ktime_t now, int cpu)
 {
@@ -545,8 +550,18 @@ static ktime_t tick_nohz_stop_sched_tick
 		last_jiffies = jiffies;
 	} while (read_seqretry(&jiffies_lock, seq));
 
-	if (rcu_needs_cpu(cpu, &rcu_delta_jiffies) ||
-	    arch_needs_cpu(cpu) || irq_work_needs_cpu()) {
+	/*
+	 * Keep the periodic tick, when RCU, architecture or irq_work
+	 * requests it.
+	 * Aside of that check whether the local timer softirq is
+	 * pending. If so its a bad idea to call get_next_timer_interrupt()
+	 * because there is an already expired timer, so it will request
+	 * immeditate expiry, which rearms the hardware timer with a
+	 * minimal delta which brings us back to this place
+	 * immediately. Lather, rinse and repeat...
+	 */
+	if (rcu_needs_cpu(cpu, &rcu_delta_jiffies) || arch_needs_cpu(cpu) ||
+	    irq_work_needs_cpu() || local_timer_softirq_pending()) {
 		next_jiffies = last_jiffies + 1;
 		delta_jiffies = 1;
 	} else {

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 017/254] hwmon: (pmbus) Use 64bit math for DIRECT format values
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 219/254] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 224/254] net: igmp: fix source address check for IGMPv3 reports Ben Hutchings
                   ` (54 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Robert Lippert, Robert Lippert, Guenter Roeck

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Lippert <roblip@gmail.com>

commit bd467e4eababe4c04272c1e646f066db02734c79 upstream.

Power values in the 100s of watt range can easily blow past
32bit math limits when processing everything in microwatts.

Use 64bit math instead to avoid these issues on common 32bit ARM
BMC platforms.

Fixes: 442aba78728e ("hwmon: PMBus device driver")
Signed-off-by: Robert Lippert <rlippert@google.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/pmbus/pmbus_core.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -20,6 +20,7 @@
  */
 
 #include <linux/kernel.h>
+#include <linux/math64.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/err.h>
@@ -443,8 +444,8 @@ static long pmbus_reg2data_linear(struct
 static long pmbus_reg2data_direct(struct pmbus_data *data,
 				  struct pmbus_sensor *sensor)
 {
-	long val = (s16) sensor->data;
-	long m, b, R;
+	s64 b, val = (s16)sensor->data;
+	s32 m, R;
 
 	m = data->info->m[sensor->class];
 	b = data->info->b[sensor->class];
@@ -472,11 +473,12 @@ static long pmbus_reg2data_direct(struct
 		R--;
 	}
 	while (R < 0) {
-		val = DIV_ROUND_CLOSEST(val, 10);
+		val = div_s64(val + 5LL, 10L);  /* round closest */
 		R++;
 	}
 
-	return (val - b) / m;
+	val = div_s64(val - b, m);
+	return clamp_val(val, LONG_MIN, LONG_MAX);
 }
 
 /*
@@ -588,7 +590,8 @@ static u16 pmbus_data2reg_linear(struct
 static u16 pmbus_data2reg_direct(struct pmbus_data *data,
 				 struct pmbus_sensor *sensor, long val)
 {
-	long m, b, R;
+	s64 b, val64 = val;
+	s32 m, R;
 
 	m = data->info->m[sensor->class];
 	b = data->info->b[sensor->class];
@@ -605,18 +608,18 @@ static u16 pmbus_data2reg_direct(struct
 		R -= 3;		/* Adjust R and b for data in milli-units */
 		b *= 1000;
 	}
-	val = val * m + b;
+	val64 = val64 * m + b;
 
 	while (R > 0) {
-		val *= 10;
+		val64 *= 10;
 		R--;
 	}
 	while (R < 0) {
-		val = DIV_ROUND_CLOSEST(val, 10);
+		val64 = div_s64(val64 + 5LL, 10L);  /* round closest */
 		R++;
 	}
 
-	return val;
+	return (u16)clamp_val(val64, S16_MIN, S16_MAX);
 }
 
 static u16 pmbus_data2reg_vid(struct pmbus_data *data,

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 169/254] kernel/acct.c: fix the acct->needcheck check in check_free_space()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 039/254] ALSA: seq: Remove spurious WARN_ON() at timer check Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 247/254] media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer Ben Hutchings
                   ` (141 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oleg Nesterov, TSUKADA Koutaro, Al Viro, Linus Torvalds

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit 4d9570158b6260f449e317a5f9ed030c2504a615 upstream.

As Tsukada explains, the time_is_before_jiffies(acct->needcheck) check
is very wrong, we need time_is_after_jiffies() to make sys_acct() work.

Ignoring the overflows, the code should "goto out" if needcheck >
jiffies, while currently it checks "needcheck < jiffies" and thus in the
likely case check_free_space() does nothing until jiffies overflow.

In particular this means that sys_acct() is simply broken, acct_on()
sets acct->needcheck = jiffies and expects that check_free_space()
should set acct->active = 1 after the free-space check, but this won't
happen if jiffies increments in between.

This was broken by commit 32dc73086015 ("get rid of timer in
kern/acct.c") in 2011, then another (correct) commit 795a2f22a8ea
("acct() should honour the limits from the very beginning") made the
problem more visible.

Link: http://lkml.kernel.org/r/20171213133940.GA6554@redhat.com
Fixes: 32dc73086015 ("get rid of timer in kern/acct.c")
Reported-by: TSUKADA Koutaro <tsukada@ascade.co.jp>
Suggested-by: TSUKADA Koutaro <tsukada@ascade.co.jp>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/acct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -107,7 +107,7 @@ static int check_free_space(struct bsd_a
 
 	spin_lock(&acct_lock);
 	res = acct->active;
-	if (!file || time_is_before_jiffies(acct->needcheck))
+	if (!file || time_is_after_jiffies(acct->needcheck))
 		goto out;
 	spin_unlock(&acct_lock);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 079/254] ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (187 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 043/254] can: kvaser_usb: ratelimit errors if incomplete messages are received Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 212/254] KVM/x86: Check input paging mode when cs.l is set Ben Hutchings
                   ` (65 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Fitzgerald, Mark Brown

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>

commit 1cab2a84f470e15ecc8e5143bfe9398c6e888032 upstream.

Protect against corrupt firmware files by ensuring that the length we
get for the data in a region actually lies within the available firmware
file data buffer.

Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/codecs/wm_adsp.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

--- a/sound/soc/codecs/wm_adsp.c
+++ b/sound/soc/codecs/wm_adsp.c
@@ -532,7 +532,7 @@ static int wm_adsp_load(struct wm_adsp *
 	const struct wmfw_region *region;
 	const struct wm_adsp_region *mem;
 	const char *region_name;
-	char *file, *text;
+	char *file, *text = NULL;
 	struct wm_adsp_buf *buf;
 	unsigned int reg;
 	int regions = 0;
@@ -677,10 +677,21 @@ static int wm_adsp_load(struct wm_adsp *
 			 regions, le32_to_cpu(region->len), offset,
 			 region_name);
 
+		if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
+		    firmware->size) {
+			adsp_err(dsp,
+				 "%s.%d: %s region len %d bytes exceeds file length %zu\n",
+				 file, regions, region_name,
+				 le32_to_cpu(region->len), firmware->size);
+			ret = -EINVAL;
+			goto out_fw;
+		}
+
 		if (text) {
 			memcpy(text, region->data, le32_to_cpu(region->len));
 			adsp_info(dsp, "%s: %s\n", file, text);
 			kfree(text);
+			text = NULL;
 		}
 
 		if (reg) {
@@ -737,6 +748,7 @@ out_fw:
 	regmap_async_complete(regmap);
 	wm_adsp_buf_free(&buf_list);
 	release_firmware(firmware);
+	kfree(text);
 out:
 	kfree(file);
 
@@ -1316,6 +1328,17 @@ static int wm_adsp_load_coeff(struct wm_
 		}
 
 		if (reg) {
+			if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
+			    firmware->size) {
+				adsp_err(dsp,
+					 "%s.%d: %s region len %d bytes exceeds file length %zu\n",
+					 file, blocks, region_name,
+					 le32_to_cpu(blk->len),
+					 firmware->size);
+				ret = -EINVAL;
+				goto out_fw;
+			}
+
 			buf = wm_adsp_buf_alloc(blk->data,
 						le32_to_cpu(blk->len),
 						&buf_list);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 047/254] usb: xhci: fix panic in xhci_free_virt_devices_depth_first
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (239 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 084/254] dmaengine: jz4740: disable/unprepare clk if probe fails Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 196/254] SolutionEngine771x: fix Ether platform data Ben Hutchings
                   ` (13 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Guenter Roeck, Guenter Roeck, Fan Ning, yangdi, Li Rui,
	Greg Kroah-Hartman, Yu Chen, Mathias Nyman, Guenter Roeck

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yu Chen <chenyu56@huawei.com>

commit 80e457699a8dbdd70f2d26911e46f538645c55fc upstream.

Check vdev->real_port 0 to avoid panic
[    9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108
[    9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570
[    9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8
[    9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0
[    9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8
[    9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70
[    9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108
[    9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40
[    9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120
[    9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210
[    9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0
[    9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488
[    9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8
[    9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490
[    9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0
[    9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100
[    9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50

The problem can occur if xhci_plat_remove() is called shortly after
xhci_plat_probe(). While xhci_free_virt_devices_depth_first been
called before the device has been setup and get real_port initialized.
The problem occurred on Hikey960 and was reproduced by Guenter Roeck
on Kevin with chromeos-4.4.

Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first")
Cc: Guenter Roeck <groeck@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Fan Ning <fanning4@hisilicon.com>
Signed-off-by: Li Rui <lirui39@hisilicon.com>
Signed-off-by: yangdi <yangdi10@hisilicon.com>
Signed-off-by: Yu Chen <chenyu56@huawei.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-mem.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -982,6 +982,12 @@ void xhci_free_virt_devices_depth_first(
 	if (!vdev)
 		return;
 
+	if (vdev->real_port == 0 ||
+			vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) {
+		xhci_dbg(xhci, "Bad vdev->real_port.\n");
+		goto out;
+	}
+
 	tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts);
 	list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
 		/* is this a hub device that added a tt_info to the tts list */
@@ -995,6 +1001,7 @@ void xhci_free_virt_devices_depth_first(
 			}
 		}
 	}
+out:
 	/* we are now at a leaf device */
 	xhci_free_virt_device(xhci, slot_id);
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 189/254] Input: 88pm860x-ts - fix child-node lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (142 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 011/254] bcache: recover data from backing when data is clean Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 132/254] usb: Add device quirk for Logitech HD Pro Webcam C925e Ben Hutchings
                   ` (110 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Dmitry Torokhov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 906bf7daa0618d0ef39f4872ca42218c29a3631f upstream.

Fix child node-lookup during probe, which ended up searching the whole
device tree depth-first starting at parent rather than just matching on
its children.

To make things worse, the parent node was prematurely freed, while the
child node was leaked.

Fixes: 2e57d56747e6 ("mfd: 88pm860x: Device tree support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/touchscreen/88pm860x-ts.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/input/touchscreen/88pm860x-ts.c
+++ b/drivers/input/touchscreen/88pm860x-ts.c
@@ -126,7 +126,7 @@ static int pm860x_touch_dt_init(struct p
 	int data, n, ret;
 	if (!np)
 		return -ENODEV;
-	np = of_find_node_by_name(np, "touch");
+	np = of_get_child_by_name(np, "touch");
 	if (!np) {
 		dev_err(&pdev->dev, "Can't find touch node\n");
 		return -EINVAL;
@@ -144,13 +144,13 @@ static int pm860x_touch_dt_init(struct p
 	if (data) {
 		ret = pm860x_reg_write(i2c, PM8607_GPADC_MISC1, data);
 		if (ret < 0)
-			return -EINVAL;
+			goto err_put_node;
 	}
 	/* set tsi prebias time */
 	if (!of_property_read_u32(np, "marvell,88pm860x-tsi-prebias", &data)) {
 		ret = pm860x_reg_write(i2c, PM8607_TSI_PREBIAS, data);
 		if (ret < 0)
-			return -EINVAL;
+			goto err_put_node;
 	}
 	/* set prebias & prechg time of pen detect */
 	data = 0;
@@ -161,10 +161,18 @@ static int pm860x_touch_dt_init(struct p
 	if (data) {
 		ret = pm860x_reg_write(i2c, PM8607_PD_PREBIAS, data);
 		if (ret < 0)
-			return -EINVAL;
+			goto err_put_node;
 	}
 	of_property_read_u32(np, "marvell,88pm860x-resistor-X", res_x);
+
+	of_node_put(np);
+
 	return 0;
+
+err_put_node:
+	of_node_put(np);
+
+	return -EINVAL;
 }
 #else
 #define pm860x_touch_dt_init(x, y, z)	(-1)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 115/254] nfsd: auth: Fix gid sorting when rootsquash enabled
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 073/254] lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 040/254] media: dvb: i2c transfers over usb cannot be done from stack Ben Hutchings
                   ` (98 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Ben Hutchings, J. Bruce Fields

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

commit 1995266727fa8143897e89b55f5d3c79aa828420 upstream.

Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility
group_info allocators") appears to break nfsd rootsquash in a pretty
major way.

It adds a call to groups_sort() inside the loop that copies/squashes
gids, which means the valid gids are sorted along with the following
garbage.  The net result is that the highest numbered valid gids are
replaced with any lower-valued garbage gids, possibly including 0.

We should sort only once, after filling in all the gids.

Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility ...")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Acked-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/auth.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -59,10 +59,10 @@ int nfsd_setuser(struct svc_rqst *rqstp,
 				GROUP_AT(gi, i) = exp->ex_anon_gid;
 			else
 				GROUP_AT(gi, i) = GROUP_AT(rqgi, i);
-
-			/* Each thread allocates its own gi, no race */
-			groups_sort(gi);
 		}
+
+		/* Each thread allocates its own gi, no race */
+		groups_sort(gi);
 	} else {
 		gi = get_group_info(rqgi);
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 024/254] usb: hub: Cycle HUB power when initialization fails
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 124/254] ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 119/254] KVM: arm/arm64: Fix HYP unmapping going off limits Ben Hutchings
                   ` (178 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, Mike Looijmans, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Looijmans <mike.looijmans@topic.nl>

commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream.

Sometimes the USB device gets confused about the state of the initialization and
the connection fails. In particular, the device thinks that it's already set up
and running while the host thinks the device still needs to be configured. To
work around this issue, power-cycle the hub's output to issue a sort of "reset"
to the device. This makes the device restart its state machine and then the
initialization succeeds.

This fixes problems where the kernel reports a list of errors like this:

usb 1-1.3: device not accepting address 19, error -71

The end result is a non-functioning device. After this patch, the sequence
becomes like this:

usb 1-1.3: new high-speed USB device number 18 using ci_hdrc
usb 1-1.3: device not accepting address 18, error -71
usb 1-1.3: new high-speed USB device number 19 using ci_hdrc
usb 1-1.3: device not accepting address 19, error -71
usb 1-1-port3: attempt power cycle
usb 1-1.3: new high-speed USB device number 21 using ci_hdrc
usb-storage 1-1.3:1.2: USB Mass Storage device detected

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4792,6 +4792,15 @@ loop:
 		usb_put_dev(udev);
 		if ((status == -ENOTCONN) || (status == -ENOTSUPP))
 			break;
+
+		/* When halfway through our retry count, power-cycle the port */
+		if (i == (SET_CONFIG_TRIES / 2) - 1) {
+			dev_info(&port_dev->dev, "attempt power cycle\n");
+			usb_hub_set_port_power(hdev, hub, port1, false);
+			msleep(2 * hub_power_on_good_delay(hub));
+			usb_hub_set_port_power(hdev, hub, port1, true);
+			msleep(hub_power_on_good_delay(hub));
+		}
 	}
 	if (hub->hdev->parent ||
 			!hcd->driver->port_handed_over ||

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 109/254] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 045/254] virtio: release virtio index when fail to device_register Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 205/254] nl80211: take RCU read lock when calling ieee80211_bss_get_ie() Ben Hutchings
                   ` (202 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Hogan, Ralf Baechle, Maciej W. Rozycki, Alex Smith,
	Paul Burton, Dave Martin, linux-mips

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki" <macro@mips.com>

commit be07a6a1188372b6d19a3307ec33211fc9c9439d upstream.

Fix a commit 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for
FP regset") public API regression, then activated by commit 1db1af84d6df
("MIPS: Basic MSA context switching support"), that caused the FCSR
register not to be read or written for CONFIG_CPU_HAS_MSA kernel
configurations (regardless of actual presence or absence of the MSA
feature in a given processor) with ptrace(2) PTRACE_GETREGSET and
PTRACE_SETREGSET requests nor recorded in core dumps.

This is because with !CONFIG_CPU_HAS_MSA configurations the whole of
`elf_fpregset_t' array is bulk-copied as it is, which includes the FCSR
in one half of the last, 33rd slot, whereas with CONFIG_CPU_HAS_MSA
configurations array elements are copied individually, and then only the
leading 32 FGR slots while the remaining slot is ignored.

Correct the code then such that only FGR slots are copied in the
respective !MSA and MSA helpers an then the FCSR slot is handled
separately in common code.  Use `ptrace_setfcr31' to update the FCSR
too, so that the read-only mask is respected.

Retrieving a correct value of FCSR is important in debugging not only
for the human to be able to get the right interpretation of the
situation, but for correct operation of GDB as well.  This is because
the condition code bits in FSCR are used by GDB to determine the
location to place a breakpoint at when single-stepping through an FPU
branch instruction.  If such a breakpoint is placed incorrectly (i.e.
with the condition reversed), then it will be missed, likely causing the
debuggee to run away from the control of GDB and consequently breaking
the process of investigation.

Fortunately GDB continues using the older PTRACE_GETFPREGS ptrace(2)
request which is unaffected, so the regression only really hits with
post-mortem debug sessions using a core dump file, in which case
execution, and consequently single-stepping through branches is not
possible.  Of course core files created by buggy kernels out there will
have the value of FCSR recorded clobbered, but such core files cannot be
corrected and the person using them simply will have to be aware that
the value of FCSR retrieved is not reliable.

Which also means we can likely get away without defining a replacement
API which would ensure a correct value of FSCR to be retrieved, or none
at all.

This is based on previous work by Alex Smith, extensively rewritten.

Signed-off-by: Alex Smith <alex@alex-smith.me.uk>
Signed-off-by: James Hogan <james.hogan@mips.com>
Signed-off-by: Maciej W. Rozycki <macro@mips.com>
Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
Cc: Paul Burton <Paul.Burton@mips.com>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17928/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 11 deletions(-)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -441,7 +441,7 @@ static int gpr64_set(struct task_struct
 /*
  * Copy the floating-point context to the supplied NT_PRFPREG buffer,
  * !CONFIG_CPU_HAS_MSA variant.  FP context's general register slots
- * correspond 1:1 to buffer slots.
+ * correspond 1:1 to buffer slots.  Only general registers are copied.
  */
 static int fpr_get_fpa(struct task_struct *target,
 		       unsigned int *pos, unsigned int *count,
@@ -449,13 +449,14 @@ static int fpr_get_fpa(struct task_struc
 {
 	return user_regset_copyout(pos, count, kbuf, ubuf,
 				   &target->thread.fpu,
-				   0, sizeof(elf_fpregset_t));
+				   0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
 }
 
 /*
  * Copy the floating-point context to the supplied NT_PRFPREG buffer,
  * CONFIG_CPU_HAS_MSA variant.  Only lower 64 bits of FP context's
- * general register slots are copied to buffer slots.
+ * general register slots are copied to buffer slots.  Only general
+ * registers are copied.
  */
 static int fpr_get_msa(struct task_struct *target,
 		       unsigned int *pos, unsigned int *count,
@@ -477,20 +478,29 @@ static int fpr_get_msa(struct task_struc
 	return 0;
 }
 
-/* Copy the floating-point context to the supplied NT_PRFPREG buffer.  */
+/*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer.
+ * Choose the appropriate helper for general registers, and then copy
+ * the FCSR register separately.
+ */
 static int fpr_get(struct task_struct *target,
 		   const struct user_regset *regset,
 		   unsigned int pos, unsigned int count,
 		   void *kbuf, void __user *ubuf)
 {
+	const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
 	int err;
 
-	/* XXX fcr31  */
-
 	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
 		err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
 	else
 		err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
+	if (err)
+		return err;
+
+	err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+				  &target->thread.fpu.fcr31,
+				  fcr31_pos, fcr31_pos + sizeof(u32));
 
 	return err;
 }
@@ -498,7 +508,7 @@ static int fpr_get(struct task_struct *t
 /*
  * Copy the supplied NT_PRFPREG buffer to the floating-point context,
  * !CONFIG_CPU_HAS_MSA variant.   Buffer slots correspond 1:1 to FP
- * context's general register slots.
+ * context's general register slots.  Only general registers are copied.
  */
 static int fpr_set_fpa(struct task_struct *target,
 		       unsigned int *pos, unsigned int *count,
@@ -506,13 +516,14 @@ static int fpr_set_fpa(struct task_struc
 {
 	return user_regset_copyin(pos, count, kbuf, ubuf,
 				  &target->thread.fpu,
-				  0, sizeof(elf_fpregset_t));
+				  0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
 }
 
 /*
  * Copy the supplied NT_PRFPREG buffer to the floating-point context,
  * CONFIG_CPU_HAS_MSA variant.  Buffer slots are copied to lower 64
- * bits only of FP context's general register slots.
+ * bits only of FP context's general register slots.  Only general
+ * registers are copied.
  */
 static int fpr_set_msa(struct task_struct *target,
 		       unsigned int *pos, unsigned int *count,
@@ -537,6 +548,8 @@ static int fpr_set_msa(struct task_struc
 
 /*
  * Copy the supplied NT_PRFPREG buffer to the floating-point context.
+ * Choose the appropriate helper for general registers, and then copy
+ * the FCSR register separately.
  *
  * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
  * which is supposed to have been guaranteed by the kernel before
@@ -549,18 +562,30 @@ static int fpr_set(struct task_struct *t
 		   unsigned int pos, unsigned int count,
 		   const void *kbuf, const void __user *ubuf)
 {
+	const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+	u32 fcr31;
 	int err;
 
 	BUG_ON(count % sizeof(elf_fpreg_t));
 
-	/* XXX fcr31  */
-
 	init_fp_ctx(target);
 
 	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
 		err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
 	else
 		err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
+	if (err)
+		return err;
+
+	if (count > 0) {
+		err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+					 &fcr31,
+					 fcr31_pos, fcr31_pos + sizeof(u32));
+		if (err)
+			return err;
+
+		ptrace_setfcr31(target, fcr31);
+	}
 
 	return err;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 069/254] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (236 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 236/254] [media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 108/254] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Ben Hutchings
                   ` (16 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Martin Kelly

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 6aa8d5945502baf4687d80de59b7ac865e9e666b upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/kvaser_usb.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -975,6 +975,8 @@ static void kvaser_usb_read_bulk_callbac
 	case 0:
 		break;
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 	default:

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 195/254] net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 098/254] MIPS: Set `si_code' for SIGFPE signals sent from emulation too Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 071/254] ASN.1: fix out-of-bounds read when parsing indefinite length item Ben Hutchings
                   ` (245 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Nicolai Stange, Stefano Brivio

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolai Stange <nstange@suse.de>

commit 20b50d79974ea3192e8c3ab7faf4e536e5f14d8f upstream.

Commit 8f659a03a0ba ("net: ipv4: fix for a race condition in
raw_sendmsg") fixed the issue of possibly inconsistent ->hdrincl handling
due to concurrent updates by reading this bit-field member into a local
variable and using the thus stabilized value in subsequent tests.

However, aforementioned commit also adds the (correct) comment that

  /* hdrincl should be READ_ONCE(inet->hdrincl)
   * but READ_ONCE() doesn't work with bit fields
   */

because as it stands, the compiler is free to shortcut or even eliminate
the local variable at its will.

Note that I have not seen anything like this happening in reality and thus,
the concern is a theoretical one.

However, in order to be on the safe side, emulate a READ_ONCE() on the
bit-field by doing it on the local 'hdrincl' variable itself:

	int hdrincl = inet->hdrincl;
	hdrincl = READ_ONCE(hdrincl);

This breaks the chain in the sense that the compiler is not allowed
to replace subsequent reads from hdrincl with reloads from inet->hdrincl.

Fixes: 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg")
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: use ACCESS_ONCE()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/raw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -497,9 +497,11 @@ static int raw_sendmsg(struct kiocb *ioc
 		goto out;
 
 	/* hdrincl should be READ_ONCE(inet->hdrincl)
-	 * but READ_ONCE() doesn't work with bit fields
+	 * but READ_ONCE() doesn't work with bit fields.
+	 * Doing this indirectly yields the same result.
 	 */
 	hdrincl = inet->hdrincl;
+	hdrincl = ACCESS_ONCE(hdrincl);
 	/*
 	 *	Check the flags.
 	 */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 246/254] media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 094/254] MIPS: prevent FP context set via ptrace being discarded Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 088/254] net: ipv4: fix for a race condition in raw_sendmsg Ben Hutchings
                   ` (169 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans Verkuil, Sakari Ailus, Mauro Carvalho Chehab

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 8ed5a59dcb47a6f76034ee760b36e089f3e82529 upstream.

The struct v4l2_plane32 should set m.userptr as well. The same
happens in v4l2_buffer32 and v4l2-compliance tests for this.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 47 ++++++++++++++++-----------
 1 file changed, 28 insertions(+), 19 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -290,19 +290,24 @@ static int get_v4l2_plane32(struct v4l2_
 			 sizeof(up->data_offset)))
 		return -EFAULT;
 
-	if (memory == V4L2_MEMORY_USERPTR) {
+	switch (memory) {
+	case V4L2_MEMORY_MMAP:
+	case V4L2_MEMORY_OVERLAY:
+		if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
+				 sizeof(up32->m.mem_offset)))
+			return -EFAULT;
+		break;
+	case V4L2_MEMORY_USERPTR:
 		if (get_user(p, &up32->m.userptr))
 			return -EFAULT;
 		up_pln = compat_ptr(p);
 		if (put_user((unsigned long)up_pln, &up->m.userptr))
 			return -EFAULT;
-	} else if (memory == V4L2_MEMORY_DMABUF) {
+		break;
+	case V4L2_MEMORY_DMABUF:
 		if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd)))
 			return -EFAULT;
-	} else {
-		if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
-				 sizeof(up32->m.mem_offset)))
-			return -EFAULT;
+		break;
 	}
 
 	return 0;
@@ -311,22 +316,32 @@ static int get_v4l2_plane32(struct v4l2_
 static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
 			    enum v4l2_memory memory)
 {
+	unsigned long p;
+
 	if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
 	    copy_in_user(&up32->data_offset, &up->data_offset,
 			 sizeof(up->data_offset)))
 		return -EFAULT;
 
-	/* For MMAP, driver might've set up the offset, so copy it back.
-	 * USERPTR stays the same (was userspace-provided), so no copying. */
-	if (memory == V4L2_MEMORY_MMAP)
+	switch (memory) {
+	case V4L2_MEMORY_MMAP:
+	case V4L2_MEMORY_OVERLAY:
 		if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset,
 				 sizeof(up->m.mem_offset)))
 			return -EFAULT;
-	/* For DMABUF, driver might've set up the fd, so copy it back. */
-	if (memory == V4L2_MEMORY_DMABUF)
+		break;
+	case V4L2_MEMORY_USERPTR:
+		if (get_user(p, &up->m.userptr) ||
+		    put_user((compat_ulong_t)ptr_to_compat((__force void *)p),
+			     &up32->m.userptr))
+			return -EFAULT;
+		break;
+	case V4L2_MEMORY_DMABUF:
 		if (copy_in_user(&up32->m.fd, &up->m.fd,
 				 sizeof(up->m.fd)))
 			return -EFAULT;
+		break;
+	}
 
 	return 0;
 }
@@ -387,6 +402,7 @@ static int get_v4l2_buffer32(struct v4l2
 	} else {
 		switch (kp->memory) {
 		case V4L2_MEMORY_MMAP:
+		case V4L2_MEMORY_OVERLAY:
 			if (get_user(kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
@@ -400,10 +416,6 @@ static int get_v4l2_buffer32(struct v4l2
 				kp->m.userptr = (unsigned long)compat_ptr(tmp);
 			}
 			break;
-		case V4L2_MEMORY_OVERLAY:
-			if (get_user(kp->m.offset, &up->m.offset))
-				return -EFAULT;
-			break;
 		case V4L2_MEMORY_DMABUF:
 			if (get_user(kp->m.fd, &up->m.fd))
 				return -EFAULT;
@@ -460,6 +472,7 @@ static int put_v4l2_buffer32(struct v4l2
 	} else {
 		switch (kp->memory) {
 		case V4L2_MEMORY_MMAP:
+		case V4L2_MEMORY_OVERLAY:
 			if (put_user(kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
@@ -467,10 +480,6 @@ static int put_v4l2_buffer32(struct v4l2
 			if (put_user(kp->m.userptr, &up->m.userptr))
 				return -EFAULT;
 			break;
-		case V4L2_MEMORY_OVERLAY:
-			if (put_user(kp->m.offset, &up->m.offset))
-				return -EFAULT;
-			break;
 		case V4L2_MEMORY_DMABUF:
 			if (put_user(kp->m.fd, &up->m.fd))
 				return -EFAULT;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 022/254] usb: host: fix incorrect updating of offset
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 145/254] tracing: Fix crash when it fails to alloc ring buffer Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 235/254] [media] v4l2-compat-ioctl32: fix sparse warnings Ben Hutchings
                   ` (196 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Colin Ian King, Alan Stern

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream.

The variable temp is incorrectly being updated, instead it should
be offset otherwise the loop just reads the same capability value
and loops forever.  Thanks to Alan Stern for pointing out the
correct fix to my original fix.  Fix also cleans up clang warning:

drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp'
is never read

Fixes: d49d43174400 ("USB: misc ehci updates")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/ehci-dbg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/ehci-dbg.c
+++ b/drivers/usb/host/ehci-dbg.c
@@ -850,7 +850,7 @@ static ssize_t fill_registers_buffer(str
 			default:		/* unknown */
 				break;
 			}
-			temp = (cap >> 8) & 0xff;
+			offset = (cap >> 8) & 0xff;
 		}
 	}
 #endif

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 236/254] [media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (235 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 014/254] ASoC: fsl_ssi: add AC'97 ops setting check and cleanup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 069/254] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Ben Hutchings
                   ` (17 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Laurent Pinchart, Guennadi Liakhovetski

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guennadi Liakhovetski <g.liakhovetski@gmx.de>

commit 6ed9b28504326f8cf542e6b68245b2f7ce009216 upstream.

Similar to an earlier patch, fixing reading user-space data for the
VIDIOC_CREATE_BUFS ioctl() in 32-bit compatibility mode, this patch fixes
writing back of the possibly modified struct to the user. However, unlike
the former bug, this one is much less harmful, because it only results in
the kernel failing to write the .type field back to the user, but in fact
this is likely unneeded, because the kernel will hardly want to change
that field. Therefore this bug is more of a theoretical nature.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -222,6 +222,9 @@ static int get_v4l2_create32(struct v4l2
 
 static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
 {
+	if (put_user(kp->type, &up->type))
+		return -EFAULT;
+
 	switch (kp->type) {
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
@@ -248,8 +251,7 @@ static int __put_v4l2_format32(struct v4
 
 static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
 {
-	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)) ||
-		put_user(kp->type, &up->type))
+	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)))
 		return -EFAULT;
 	return __put_v4l2_format32(kp, up);
 }
@@ -257,8 +259,8 @@ static int put_v4l2_format32(struct v4l2
 static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
 {
 	if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
-	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format.fmt)))
-			return -EFAULT;
+	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)))
+		return -EFAULT;
 	return __put_v4l2_format32(&kp->format, &up->format);
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 121/254] ACPI: APEI / ERST: Fix missing error handling in erst_reader()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 129/254] usbip: prevent leaking socket pointer address in messages Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 176/254] ALSA: aloop: Fix inconsistent format due to incomplete rule Ben Hutchings
                   ` (152 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jerry Tang, Rafael J. Wysocki, Takashi Iwai,
	Borislav Petkov, Kees Cook

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit bb82e0b4a7e96494f0c1004ce50cec3d7b5fb3d1 upstream.

The commit f6f828513290 ("pstore: pass allocated memory region back to
caller") changed the check of the return value from erst_read() in
erst_reader() in the following way:

        if (len == -ENOENT)
                goto skip;
-       else if (len < 0) {
-               rc = -1;
+       else if (len < sizeof(*rcd)) {
+               rc = -EIO;
                goto out;

This introduced another bug: since the comparison with sizeof() is
cast to unsigned, a negative len value doesn't hit any longer.
As a result, when an error is returned from erst_read(), the code
falls through, and it may eventually lead to some weird thing like
memory corruption.

This patch adds the negative error value check more explicitly for
addressing the issue.

Fixes: f6f828513290 (pstore: pass allocated memory region back to caller)
Tested-by: Jerry Tang <jtang@suse.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/apei/erst.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/apei/erst.c
+++ b/drivers/acpi/apei/erst.c
@@ -1023,7 +1023,7 @@ skip:
 	/* The record may be cleared by others, try read next record */
 	if (len == -ENOENT)
 		goto skip;
-	else if (len < sizeof(*rcd)) {
+	else if (len < 0 || len < sizeof(*rcd)) {
 		rc = -EIO;
 		goto out;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 193/254] USB: UDC core: fix double-free in usb_add_gadget_udc_release
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (222 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 128/254] usbip: stub: stop printing kernel pointer addresses in messages Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 216/254] i2c: core: decrease reference count of device node in i2c_unregister_device Ben Hutchings
                   ` (30 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Felipe Balbi, Peter Chen, Greg Kroah-Hartman, Fengguang Wu,
	Alan Stern

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 7ae2c3c280db183ca9ada2675c34ec2f7378abfa upstream.

The error-handling pathways in usb_add_gadget_udc_release() are messed
up.  Aside from the uninformative statement labels, they can deallocate
the udc structure after calling put_device(), which is a double-free.
This was observed by KASAN in automatic testing.

This patch cleans up the routine.  It preserves the requirement that
when any failure occurs, we call put_device(&gadget->dev).

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - The err5 path is not presnet
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/udc-core.c
+++ b/drivers/usb/gadget/udc-core.c
@@ -219,11 +219,7 @@ int usb_add_gadget_udc_release(struct de
 
 	udc = kzalloc(sizeof(*udc), GFP_KERNEL);
 	if (!udc)
-		goto err1;
-
-	ret = device_add(&gadget->dev);
-	if (ret)
-		goto err2;
+		goto err_put_gadget;
 
 	device_initialize(&udc->dev);
 	udc->dev.release = usb_udc_release;
@@ -232,7 +228,11 @@ int usb_add_gadget_udc_release(struct de
 	udc->dev.parent = parent;
 	ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
 	if (ret)
-		goto err3;
+		goto err_put_udc;
+
+	ret = device_add(&gadget->dev);
+	if (ret)
+		goto err_put_udc;
 
 	udc->gadget = gadget;
 
@@ -241,7 +241,7 @@ int usb_add_gadget_udc_release(struct de
 
 	ret = device_add(&udc->dev);
 	if (ret)
-		goto err4;
+		goto err_unlist_udc;
 
 	usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
 
@@ -249,18 +249,16 @@ int usb_add_gadget_udc_release(struct de
 
 	return 0;
 
-err4:
+ err_unlist_udc:
 	list_del(&udc->list);
 	mutex_unlock(&udc_lock);
 
-err3:
-	put_device(&udc->dev);
 	device_del(&gadget->dev);
 
-err2:
-	kfree(udc);
+ err_put_udc:
+	put_device(&udc->dev);
 
-err1:
+ err_put_gadget:
 	put_device(&gadget->dev);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 003/254] KVM: x86: Exit to user-mode on #UD intercept when emulator requires
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 081/254] xhci: Don't add a virt_dev to the devs array before it's fully allocated Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 250/254] media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type Ben Hutchings
                   ` (3 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paolo Bonzini, Wanpeng Li, Liran Alon,
	Konrad Rzeszutek Wilk, Nikita Leshenko,
	Radim Krčmář

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liran Alon <liran.alon@oracle.com>

commit 61cb57c9ed631c95b54f8e9090c89d18b3695b3c upstream.

Instruction emulation after trapping a #UD exception can result in an
MMIO access, for example when emulating a MOVBE on a processor that
doesn't support the instruction.  In this case, the #UD vmexit handler
must exit to user mode, but there wasn't any code to do so.  Add it for
both VMX and SVM.

Signed-off-by: Liran Alon <liran.alon@oracle.com>
Reviewed-by: Nikita Leshenko <nikita.leshchenko@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/svm.c | 2 ++
 arch/x86/kvm/vmx.c | 2 ++
 2 files changed, 4 insertions(+)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1776,6 +1776,8 @@ static int ud_interception(struct vcpu_s
 	int er;
 
 	er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD);
+	if (er == EMULATE_USER_EXIT)
+		return 0;
 	if (er != EMULATE_DONE)
 		kvm_queue_exception(&svm->vcpu, UD_VECTOR);
 	return 1;
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4853,6 +4853,8 @@ static int handle_exception(struct kvm_v
 
 	if (is_invalid_opcode(intr_info)) {
 		er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
+		if (er == EMULATE_USER_EXIT)
+			return 0;
 		if (er != EMULATE_DONE)
 			kvm_queue_exception(vcpu, UD_VECTOR);
 		return 1;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 120/254] PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 059/254] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 249/254] media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 Ben Hutchings
                   ` (239 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Bjorn Helgaas, Rafael J. Wysocki,
	Maarten Lankhorst

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit 5839ee7389e893a31e4e3c9cf17b50d14103c902 upstream.

It is incorrect to call pci_restore_state() for devices in low-power
states (D1-D3), as that involves the restoration of MSI setup which
requires MMIO to be operational and that is only the case in D0.

However, pci_pm_thaw_noirq() may do that if the driver's "freeze"
callbacks put the device into a low-power state, so fix it by making
it force devices into D0 via pci_set_power_state() instead of trying
to "update" their power state which is pointless.

Fixes: e60514bd4485 (PCI/PM: Restore the status of PCI devices across hibernation)
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Maarten Lankhorst <dev@mblankhorst.nl>
Tested-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Maarten Lankhorst <dev@mblankhorst.nl>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/pci-driver.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -921,7 +921,12 @@ static int pci_pm_thaw_noirq(struct devi
 	if (pci_has_legacy_pm_support(pci_dev))
 		return pci_legacy_resume_early(dev);
 
-	pci_update_current_state(pci_dev, PCI_D0);
+	/*
+	 * pci_restore_state() requires the device to be in D0 (because of MSI
+	 * restoration among other things), so force it into D0 in case the
+	 * driver's "freeze" callbacks put it into a low-power state directly.
+	 */
+	pci_set_power_state(pci_dev, PCI_D0);
 	pci_restore_state(pci_dev);
 
 	if (drv && drv->pm && drv->pm->thaw_noirq)

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 210/254] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 096/254] MIPS: Respect the FCSR exception mask for `si_code' Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 104/254] MIPS: MSA: bugfix - disable MSA correctly for new threads/processes Ben Hutchings
                   ` (212 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Neil Horman, syzbot+ac6ea7baa4432811eb50,
	Xin Long

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit a0ff660058b88d12625a783ce9e5c1371c87951f upstream.

After commit cea0cc80a677 ("sctp: use the right sk after waking up from
wait_buf sleep"), it may change to lock another sk if the asoc has been
peeled off in sctp_wait_for_sndbuf.

However, the asoc's new sk could be already closed elsewhere, as it's in
the sendmsg context of the old sk that can't avoid the new sk's closing.
If the sk's last one refcnt is held by this asoc, later on after putting
this asoc, the new sk will be freed, while under it's own lock.

This patch is to revert that commit, but fix the old issue by returning
error under the old sk's lock.

Fixes: cea0cc80a677 ("sctp: use the right sk after waking up from wait_buf sleep")
Reported-by: syzbot+ac6ea7baa4432811eb50@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/socket.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -83,7 +83,7 @@
 static int sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-				size_t msg_len, struct sock **orig_sk);
+				size_t msg_len);
 static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
 static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
 static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1906,7 +1906,7 @@ static int sctp_sendmsg(struct kiocb *io
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 	if (!sctp_wspace(asoc)) {
 		/* sk can be changed by peel off when waiting for buf. */
-		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
 		if (err)
 			goto out_free;
 	}
@@ -6732,12 +6732,12 @@ void sctp_sock_rfree(struct sk_buff *skb
 
 /* Helper function to wait for space in the sndbuf.  */
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-				size_t msg_len, struct sock **orig_sk)
+				size_t msg_len)
 {
 	struct sock *sk = asoc->base.sk;
-	int err = 0;
 	long current_timeo = *timeo_p;
 	DEFINE_WAIT(wait);
+	int err = 0;
 
 	pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
 		 *timeo_p, msg_len);
@@ -6765,17 +6765,13 @@ static int sctp_wait_for_sndbuf(struct s
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
-		if (sk != asoc->base.sk) {
-			release_sock(sk);
-			sk = asoc->base.sk;
-			lock_sock(sk);
-		}
+		if (sk != asoc->base.sk)
+			goto do_error;
 
 		*timeo_p = current_timeo;
 	}
 
 out:
-	*orig_sk = sk;
 	finish_wait(&asoc->wait, &wait);
 
 	/* Release the association's refcnt.  */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 220/254] can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (147 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 038/254] mfd: twl6040: Fix child-node lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 197/254] SolutionEngine771x: add Ether TSU resource Ben Hutchings
                   ` (105 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marc Kleine-Budde, syzbot+e3b775f40babeff6e68b,
	Dmitry Vyukov, Oliver Hartkopp

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit d4689846881d160a4d12a514e991a740bcb5d65a upstream.

If an invalid CANFD frame is received, from a driver or from a tun
interface, a Kernel warning is generated.

This patch replaces the WARN_ONCE by a simple pr_warn_once, so that a
kernel, bootet with panic_on_warn, does not panic. A printk seems to be
more appropriate here.

Reported-by: syzbot+e3b775f40babeff6e68b@syzkaller.appspotmail.com
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16:
 - Keep using the 'drop' label, as it has another user
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -742,13 +742,12 @@ static int canfd_rcv(struct sk_buff *skb
 	if (unlikely(!net_eq(dev_net(dev), &init_net)))
 		goto drop;
 
-	if (WARN_ONCE(dev->type != ARPHRD_CAN ||
-		      skb->len != CANFD_MTU ||
-		      cfd->len > CANFD_MAX_DLEN,
-		      "PF_CAN: dropped non conform CAN FD skbuf: "
-		      "dev type %d, len %d, datalen %d\n",
-		      dev->type, skb->len, cfd->len))
+	if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU ||
+		     cfd->len > CANFD_MAX_DLEN)) {
+		pr_warn_once("PF_CAN: dropped non conform CAN FD skbuf: dev type %d, len %d, datalen %d\n",
+			     dev->type, skb->len, cfd->len);
 		goto drop;
+	}
 
 	can_receive(skb, dev);
 	return NET_RX_SUCCESS;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 042/254] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 089/254] ext4: fix crash when a directory's i_size is too small Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 229/254] dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state Ben Hutchings
                   ` (231 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jimmy Assarsson, Marc Kleine-Budde

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit e84f44eb5523401faeb9cc1c97895b68e3cfb78d upstream.

The conditon in the while-loop becomes true when actual_length is less than
2 (MSG_HEADER_LEN). In best case we end up with a former, already
dispatched msg, that got msg->len greater than actual_length. This will
result in a "Format error" error printout.

Problem seen when unplugging a Kvaser USB device connected to a vbox guest.

warning: comparison between signed and unsigned integer expressions
[-Wsign-compare]

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/kvaser_usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -983,7 +983,7 @@ static void kvaser_usb_read_bulk_callbac
 		goto resubmit_urb;
 	}
 
-	while (pos <= urb->actual_length - MSG_HEADER_LEN) {
+	while (pos <= (int)(urb->actual_length - MSG_HEADER_LEN)) {
 		msg = urb->transfer_buffer + pos;
 
 		/* The Kvaser firmware can only read and write messages that

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 013/254] USB: serial: option: add Quectel BG96 id
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 132/254] usb: Add device quirk for Logitech HD Pro Webcam C925e Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 244/254] media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 Ben Hutchings
                   ` (108 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Sebastian Sjoholm

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Sjoholm <ssjoholm@mac.com>

commit c654b21ede93845863597de9ad774fd30db5f2ab upstream.

Quectel BG96 is an Qualcomm MDM9206 based IoT modem, supporting both
CAT-M and NB-IoT. Tested hardware is BG96 mounted on Quectel
development board (EVB). The USB id is added to option.c to allow
DIAG,GPS,AT and modem communication with the BG96.

Signed-off-by: Sebastian Sjoholm <ssjoholm@mac.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -242,6 +242,7 @@ static void option_instat_callback(struc
 /* These Quectel products use Quectel's vendor ID */
 #define QUECTEL_PRODUCT_EC21			0x0121
 #define QUECTEL_PRODUCT_EC25			0x0125
+#define QUECTEL_PRODUCT_BG96			0x0296
 
 #define SIERRA_VENDOR_ID			0x1199
 
@@ -1204,6 +1205,8 @@ static const struct usb_device_id option
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	{ USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_BG96),
+	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 037/254] mfd: twl4030-audio: Fix sibling-node lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 053/254] dm mpath: simplify failure path of dm_multipath_init() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 149/254] stddef.h: move offsetofend inside #ifndef/#endif guard, neaten Ben Hutchings
                   ` (24 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Peter Ujfalusi, Lee Jones, Johan Hovold

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 0a423772de2f3d7b00899987884f62f63ae00dcb upstream.

A helper purported to look up a child node based on its name was using
the wrong of-helper and ended up prematurely freeing the parent of-node
while leaking any matching node.

To make things worse, any matching node would not even necessarily be a
child node as the whole device tree was searched depth-first starting at
the parent.

Fixes: 019a7e6b7b31 ("mfd: twl4030-audio: Add DT support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/twl4030-audio.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/mfd/twl4030-audio.c
+++ b/drivers/mfd/twl4030-audio.c
@@ -159,13 +159,18 @@ unsigned int twl4030_audio_get_mclk(void
 EXPORT_SYMBOL_GPL(twl4030_audio_get_mclk);
 
 static bool twl4030_audio_has_codec(struct twl4030_audio_data *pdata,
-			      struct device_node *node)
+			      struct device_node *parent)
 {
+	struct device_node *node;
+
 	if (pdata && pdata->codec)
 		return true;
 
-	if (of_find_node_by_name(node, "codec"))
+	node = of_get_child_by_name(parent, "codec");
+	if (node) {
+		of_node_put(node);
 		return true;
+	}
 
 	return false;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 035/254] quota: Check for register_shrinker() failure.
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 198/254] ALSA: hda - Apply the existing quirk to iMac 14,1 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 165/254] net: phy: Add phy_interface_is_rgmii helper Ben Hutchings
                   ` (224 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Jan Kara, Michal Hocko, Tetsuo Handa

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 88bc0ede8d35edc969350852894dc864a2dc1859 upstream.

register_shrinker() might return -ENOMEM error since Linux 3.12.
Call panic() as with other failure checks in this function if
register_shrinker() failed.

Fixes: 1d3d4437eae1 ("vmscan: per-node deferred work")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jan Kara <jack@suse.com>
Cc: Michal Hocko <mhocko@suse.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/quota/dquot.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -2747,7 +2747,8 @@ static int __init dquot_init(void)
 	printk("Dquot-cache hash table entries: %ld (order %ld, %ld bytes)\n",
 			nr_hash, order, (PAGE_SIZE << order));
 
-	register_shrinker(&dqcache_shrinker);
+	if (register_shrinker(&dqcache_shrinker))
+		panic("Cannot register dquot shrinker");
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 063/254] btrfs: fix missing error return in btrfs_drop_snapshot
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 252/254] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 181/254] ALSA: pcm: Abort properly at pending signal in OSS read/write loops Ben Hutchings
                   ` (161 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jeff Mahoney, David Sterba

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit e19182c0fff451e3744c1107d98f072e7ca377a0 upstream.

If btrfs_del_root fails in btrfs_drop_snapshot, we'll pick up the
error but then return 0 anyway due to mixing err and ret.

Fixes: 79787eaab4612 ("btrfs: replace many BUG_ONs with proper error handling")
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/extent-tree.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -8071,6 +8071,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
 	ret = btrfs_del_root(trans, tree_root, &root->root_key);
 	if (ret) {
 		btrfs_abort_transaction(trans, tree_root, ret);
+		err = ret;
 		goto out_end_trans;
 	}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 064/254] Btrfs: disable FUA if mounted with nobarrier
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (103 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 180/254] xfrm: Return error on unknown encap_type in init_state Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 239/254] adv7604: use correct drive strength defines Ben Hutchings
                   ` (149 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Omar Sandoval, Qu Wenruo, David Sterba

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit 1b9e619c5bc8235cfba3dc4ced2fb0e3554a05d4 upstream.

I was seeing disk flushes still happening when I mounted a Btrfs
filesystem with nobarrier for testing. This is because we use FUA to
write out the first super block, and on devices without FUA support, the
block layer translates FUA to a flush. Even on devices supporting true
FUA, using FUA when we asked for no barriers is surprising.

Fixes: 387125fc722a8ed ("Btrfs: fix barrier flushes")
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - I/O flag names are different, and are combined with the operation type
 - Use the do_barrier parameter instead of checking the NOBARRIER option again]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3140,6 +3140,7 @@ static int write_dev_supers(struct btrfs
 	int errors = 0;
 	u32 crc;
 	u64 bytenr;
+	int op_flags;
 
 	if (max_mirrors == 0)
 		max_mirrors = BTRFS_SUPER_MIRROR_MAX;
@@ -3204,10 +3205,10 @@ static int write_dev_supers(struct btrfs
 		 * we fua the first super.  The others we allow
 		 * to go down lazy.
 		 */
-		if (i == 0)
-			ret = btrfsic_submit_bh(WRITE_FUA, bh);
-		else
-			ret = btrfsic_submit_bh(WRITE_SYNC, bh);
+		op_flags = REQ_SYNC | REQ_NOIDLE;
+		if (i == 0 && do_barriers)
+			op_flags |= REQ_FUA;
+		ret = btrfsic_submit_bh(WRITE | op_flags, bh);
 		if (ret)
 			errors++;
 	}

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 053/254] dm mpath: simplify failure path of dm_multipath_init()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 075/254] X.509: fix buffer overflow detection in sprint_oid() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 037/254] mfd: twl4030-audio: Fix sibling-node lookup Ben Hutchings
                   ` (25 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Thumshirn, Mike Snitzer

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <morbidrsa@gmail.com>

commit ff658e9c1aae9a84dd06d46f847dc0cd2bf0dd11 upstream.

Currently the cleanup of all error cases are open-coded.  Introduce a
common exit path and labels.

Signed-off-by: Johannes Thumshirn <morbidrsa@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-mpath.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1691,16 +1691,15 @@ static int __init dm_multipath_init(void
 	r = dm_register_target(&multipath_target);
 	if (r < 0) {
 		DMERR("register failed %d", r);
-		kmem_cache_destroy(_mpio_cache);
-		return -EINVAL;
+		r = -EINVAL;
+		goto bad_register_target;
 	}
 
 	kmultipathd = alloc_workqueue("kmpathd", WQ_MEM_RECLAIM, 0);
 	if (!kmultipathd) {
 		DMERR("failed to create workqueue kmpathd");
-		dm_unregister_target(&multipath_target);
-		kmem_cache_destroy(_mpio_cache);
-		return -ENOMEM;
+		r = -ENOMEM;
+		goto bad_alloc_kmultipathd;
 	}
 
 	/*
@@ -1713,16 +1712,23 @@ static int __init dm_multipath_init(void
 						  WQ_MEM_RECLAIM);
 	if (!kmpath_handlerd) {
 		DMERR("failed to create workqueue kmpath_handlerd");
-		destroy_workqueue(kmultipathd);
-		dm_unregister_target(&multipath_target);
-		kmem_cache_destroy(_mpio_cache);
-		return -ENOMEM;
+		r = -ENOMEM;
+		goto bad_alloc_kmpath_handlerd;
 	}
 
 	DMINFO("version %u.%u.%u loaded",
 	       multipath_target.version[0], multipath_target.version[1],
 	       multipath_target.version[2]);
 
+	return 0;
+
+bad_alloc_kmpath_handlerd:
+	destroy_workqueue(kmultipathd);
+bad_alloc_kmultipathd:
+	dm_unregister_target(&multipath_target);
+bad_register_target:
+	kmem_cache_destroy(_mpio_cache);
+
 	return r;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 033/254] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (152 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 073/254] lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string Ben Hutchings
                   ` (100 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marc Zyngier, Suzuki K Poulose, Kristina Martsenko,
	Christoffer Dall

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kristina Martsenko <kristina.martsenko@arm.com>

commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.

VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
VTTBR address. It seems to currently be off by one, thereby only
allowing up to 47-bit addresses (instead of 48-bit) and also
insufficiently checking the alignment. This patch fixes it.

As an example, with 4k pages, before this patch we have:

  PHYS_MASK_SHIFT = 48
  VTTBR_X = 37 - 24 = 13
  VTTBR_BADDR_SHIFT = 13 - 1 = 12
  VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000

Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
address to be set, and only requires the address to be 12-bit (4k)
aligned, while it actually needs to be 13-bit (8k) aligned because we
concatenate two 4k tables.

With this patch, the mask becomes 0x0000ffffffffe000, which is what we
want.

Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/kvm_arm.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm64/include/asm/kvm_arm.h
+++ b/arch/arm64/include/asm/kvm_arm.h
@@ -164,8 +164,7 @@
 #define VTTBR_X		(37 - VTCR_EL2_T0SZ_40B)
 #endif
 
-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
-#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
+#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
 #define VTTBR_VMID_SHIFT  (UL(48))
 #define VTTBR_VMID_MASK	  (UL(0xFF) << VTTBR_VMID_SHIFT)
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 036/254] mfd: cros ec: spi: Don't send first message too soon
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 088/254] net: ipv4: fix for a race condition in raw_sendmsg Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 002/254] ASoC: twl4030: fix child-node lookup Ben Hutchings
                   ` (167 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Douglas Anderson, Jon Hunter, Lee Jones, Brian Norris,
	Benson Leung

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jon Hunter <jonathanh@nvidia.com>

commit 15d8374874ded0bec37ef27f8301a6d54032c0e5 upstream.

On the Tegra124 Nyan-Big chromebook the very first SPI message sent to
the EC is failing.

The Tegra SPI driver configures the SPI chip-selects to be active-high
by default (and always has for many years). The EC SPI requires an
active-low chip-select and so the Tegra chip-select is reconfigured to
be active-low when the EC SPI driver calls spi_setup(). The problem is
that if the first SPI message to the EC is sent too soon after
reconfiguring the SPI chip-select, it fails.

The EC SPI driver prevents back-to-back SPI messages being sent too
soon by keeping track of the time the last transfer was sent via the
variable 'last_transfer_ns'. To prevent the very first transfer being
sent too soon, initialise the 'last_transfer_ns' variable after calling
spi_setup() and before sending the first SPI message.

Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Acked-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
[bwh: Backported to 3.16: use ktime_get_ts() and timespec_to_ns()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mfd/cros_ec_spi.c
+++ b/drivers/mfd/cros_ec_spi.c
@@ -347,6 +347,7 @@ static int cros_ec_spi_probe(struct spi_
 	struct device *dev = &spi->dev;
 	struct cros_ec_device *ec_dev;
 	struct cros_ec_spi *ec_spi;
+	struct timespec ts;
 	int err;
 
 	spi->bits_per_word = 8;
@@ -379,6 +380,9 @@ static int cros_ec_spi_probe(struct spi_
 	ec_dev->din_size = EC_MSG_BYTES + EC_MSG_PREAMBLE_COUNT;
 	ec_dev->dout_size = EC_MSG_BYTES;
 
+	ktime_get_ts(&ts);
+	ec_spi->last_transfer_ns = timespec_to_ns(&ts);
+
 	err = cros_ec_register(ec_dev);
 	if (err) {
 		dev_err(dev, "cannot register EC\n");

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 039/254] ALSA: seq: Remove spurious WARN_ON() at timer check
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 070/254] can: usb_8dev: cancel urb on -EPIPE and -EPROTO Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 169/254] kernel/acct.c: fix the acct->needcheck check in check_free_space() Ben Hutchings
                   ` (142 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot, Takashi Iwai

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 43a3542870328601be02fcc9d27b09db467336ef upstream.

The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
WARN_ON() when a slave timer is deployed as its backend and a
corresponding master timer stops meanwhile.  The symptom was triggered
by syzkaller spontaneously.

Since the NULL timer is valid there, rip off snd_BUG_ON().

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
 	unsigned long freq;
 
 	t = tmr->timeri->timer;
-	if (snd_BUG_ON(!t))
+	if (!t)
 		return -EINVAL;
 
 	freq = tmr->preferred_resolution;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 043/254] can: kvaser_usb: ratelimit errors if incomplete messages are received
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (186 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 204/254] futex: Prevent overflow by strengthen input validation Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 079/254] ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data Ben Hutchings
                   ` (66 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Jimmy Assarsson

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 8bd13bd522ff7dfa0eb371921aeb417155f7a3be upstream.

Avoid flooding the kernel log with "Formate error", if incomplete message
are received.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/kvaser_usb.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -417,8 +417,8 @@ static int kvaser_usb_wait_msg(const str
 			}
 
 			if (pos + tmp->len > actual_len) {
-				dev_err(dev->udev->dev.parent,
-					"Format error\n");
+				dev_err_ratelimited(dev->udev->dev.parent,
+						    "Format error\n");
 				break;
 			}
 
@@ -1001,7 +1001,8 @@ static void kvaser_usb_read_bulk_callbac
 		}
 
 		if (pos + msg->len > urb->actual_length) {
-			dev_err(dev->udev->dev.parent, "Format error\n");
+			dev_err_ratelimited(dev->udev->dev.parent,
+					    "Format error\n");
 			break;
 		}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 040/254] media: dvb: i2c transfers over usb cannot be done from stack
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 115/254] nfsd: auth: Fix gid sorting when rootsquash enabled Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 015/254] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure Ben Hutchings
                   ` (97 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Laurent Caumont, Sean Young

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Caumont <lcaumont2@gmail.com>

commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.

Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/dvb-usb/dibusb-common.c
+++ b/drivers/media/usb/dvb-usb/dibusb-common.c
@@ -179,8 +179,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
 
 int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
 {
-	u8 wbuf[1] = { offs };
-	return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
+	u8 *buf;
+	int rc;
+
+	buf = kmalloc(2, GFP_KERNEL);
+	if (!buf)
+		return -ENOMEM;
+
+	buf[0] = offs;
+
+	rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
+	*val = buf[1];
+	kfree(buf);
+
+	return rc;
 }
 EXPORT_SYMBOL(dibusb_read_eeprom_byte);
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 055/254] s390: always save and restore all registers on context switch
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (241 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 196/254] SolutionEngine771x: fix Ether platform data Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 050/254] ALSA: usb-audio: Add check return value for usb_string() Ben Hutchings
                   ` (11 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin Schwidefsky, Heiko Carstens

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit fbbd7f1a51965b50dd12924841da0d478f3da71b upstream.

The switch_to() macro has an optimization to avoid saving and
restoring register contents that aren't needed for kernel threads.

There is however the possibility that a kernel thread execve's a user
space program. In such a case the execve'd process can partially see
the contents of the previous process, which shouldn't be allowed.

To avoid this, simply always save and restore register contents on
context switch.

Fixes: fdb6d070effba ("switch_to: dont restore/save access & fpu regs for kernel threads")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.16:
 - The save/restore functions are different here
 - FP restore is non-lazy, so drop the comment about it being lazy]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/s390/include/asm/switch_to.h
+++ b/arch/s390/include/asm/switch_to.h
@@ -117,21 +117,17 @@ static inline void restore_access_regs(u
 	asm volatile("lam 0,15,%0" : : "Q" (*(acrstype *)acrs));
 }
 
-#define switch_to(prev,next,last) do {					\
-	if (prev->mm) {							\
-		save_fp_ctl(&prev->thread.fp_regs.fpc);			\
-		save_fp_regs(prev->thread.fp_regs.fprs);		\
-		save_access_regs(&prev->thread.acrs[0]);		\
-		save_ri_cb(prev->thread.ri_cb);				\
-	}								\
+#define switch_to(prev, next, last) do {				\
+	save_fp_ctl(&prev->thread.fp_regs.fpc);				\
+	save_fp_regs(prev->thread.fp_regs.fprs);			\
+	save_access_regs(&prev->thread.acrs[0]);			\
+	save_ri_cb(prev->thread.ri_cb);					\
 	update_cr_regs(next);						\
-	if (next->mm) {							\
-		restore_fp_ctl(&next->thread.fp_regs.fpc);		\
-		restore_fp_regs(next->thread.fp_regs.fprs);		\
-		restore_access_regs(&next->thread.acrs[0]);		\
-		restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);	\
-	}								\
-	prev = __switch_to(prev,next);					\
+	restore_fp_ctl(&next->thread.fp_regs.fpc);			\
+	restore_fp_regs(next->thread.fp_regs.fprs);			\
+	restore_access_regs(&next->thread.acrs[0]);			\
+	restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);		\
+	prev = __switch_to(prev, next);					\
 } while (0)
 
 #endif /* __ASM_SWITCH_TO_H */

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 034/254] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 152/254] kbuild: add '-fno-stack-check' to kernel build options Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 223/254] net: igmp: Use correct source address on IGMPv3 reports Ben Hutchings
                   ` (91 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoffer Dall, Kristina Martsenko, Marc Zyngier

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream.

VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
VTTBR address. It seems to currently be off by one, thereby only
allowing up to 39-bit addresses (instead of 40-bit) and also
insufficiently checking the alignment. This patch fixes it.

This patch is the 32bit pendent of Kristina's arm64 fix, and
she deserves the actual kudos for pinpointing that one.

Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation")
Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/kvm_arm.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/include/asm/kvm_arm.h
+++ b/arch/arm/include/asm/kvm_arm.h
@@ -161,8 +161,7 @@
 #else
 #define VTTBR_X		(5 - KVM_T0SZ)
 #endif
-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
-#define VTTBR_BADDR_MASK  (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
+#define VTTBR_BADDR_MASK  (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X)
 #define VTTBR_VMID_SHIFT  (48LLU)
 #define VTTBR_VMID_MASK	  (0xffLLU << VTTBR_VMID_SHIFT)
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 014/254] ASoC: fsl_ssi: add AC'97 ops setting check and cleanup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (234 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 125/254] xfrm: Reinject transport-mode packets through tasklet Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 236/254] [media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back Ben Hutchings
                   ` (18 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Maciej S. Szmigiero, Mark Brown

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>

commit 04143d614f3af84a3f39e79a24a7ca740bd39efd upstream.

Check whether setting AC'97 ops succeeded and clean them
on removal so the fsl_ssi driver can be reloaded.

Signed-off-by: Maciej Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/fsl_ssi.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/sound/soc/fsl/fsl_ssi.c
+++ b/sound/soc/fsl/fsl_ssi.c
@@ -1274,7 +1274,11 @@ static int fsl_ssi_probe(struct platform
 
 		fsl_ac97_data = ssi_private;
 
-		snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev);
+		ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev);
+		if (ret) {
+			dev_err(&pdev->dev, "could not set AC'97 ops\n");
+			return ret;
+		}
 	} else {
 		/* Initialize this copy of the CPU DAI driver structure */
 		memcpy(&ssi_private->cpu_dai_drv, &fsl_ssi_dai_template,
@@ -1422,6 +1426,9 @@ static int fsl_ssi_remove(struct platfor
 	if (ssi_private->use_dma)
 		irq_dispose_mapping(ssi_private->irq);
 
+	if (fsl_ssi_is_ac97(ssi_private))
+		snd_soc_set_ac97_ops(NULL);
+
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 006/254] iommu/vt-d: Fix scatterlist offset handling
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 179/254] x86/microcode/intel: Extend BDW late-loading with a revision check Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 238/254] media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32 Ben Hutchings
                   ` (137 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Williamson, Harsh Jain, Robin Murphy

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Robin Murphy <robin.murphy@arm.com>

commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.

The intel-iommu DMA ops fail to correctly handle scatterlists where
sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
appropriately based on the page-aligned portion of the offset, but the
mapping is set up relative to sg->page, which means it fails to actually
cover the whole buffer (and in the worst case doesn't cover it at all):

    (sg->dma_address + sg->dma_len) ----+
    sg->dma_address ---------+          |
    iov_pfn------+           |          |
                 |           |          |
                 v           v          v
iova:   a        b        c        d        e        f
        |--------|--------|--------|--------|--------|
                          <...calculated....>
                 [_____mapped______]
pfn:    0        1        2        3        4        5
        |--------|--------|--------|--------|--------|
                 ^           ^          ^
                 |           |          |
    sg->page ----+           |          |
    sg->offset --------------+          |
    (sg->offset + sg->length) ----------+

As a result, the caller ends up overrunning the mapping into whatever
lies beyond, which usually goes badly:

[  429.645492] DMAR: DRHD: handling fault status reg 2
[  429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...

Whilst this is a fairly rare occurrence, it can happen from the result
of intermediate scatterlist processing such as scatterwalk_ffwd() in the
crypto layer. Whilst that particular site could be fixed up, it still
seems worthwhile to bring intel-iommu in line with other DMA API
implementations in handling this robustly.

To that end, fix the intel_map_sg() path to line up the mapping
correctly (in units of MM pages rather than VT-d pages to match the
aligned_nrpages() calculation) regardless of the offset, and use
sg_phys() consistently for clarity.

Reported-by: Harsh Jain <Harsh@chelsio.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Reviewed by: Ashok Raj <ashok.raj@intel.com>
Tested by: Jacob Pan <jacob.jun.pan@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/intel-iommu.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -2008,10 +2008,12 @@ static int __domain_mapping(struct dmar_
 		uint64_t tmp;
 
 		if (!sg_res) {
+			unsigned int pgoff = sg->offset & ~PAGE_MASK;
+
 			sg_res = aligned_nrpages(sg->offset, sg->length);
-			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
+			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
 			sg->dma_length = sg->length;
-			pteval = page_to_phys(sg_page(sg)) | prot;
+			pteval = (sg_phys(sg) - pgoff) | prot;
 			phys_pfn = pteval >> VTD_PAGE_SHIFT;
 		}
 
@@ -3345,7 +3347,7 @@ static int intel_nontranslate_map_sg(str
 
 	for_each_sg(sglist, sg, nelems, i) {
 		BUG_ON(!sg_page(sg));
-		sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
+		sg->dma_address = sg_phys(sg);
 		sg->dma_length = sg->length;
 	}
 	return nelems;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 007/254] btrfs: clear space cache inode generation always
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 183/254] mdio-sun4i: Fix a memory leak Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 008/254] scsi: dma-mapping: always provide dma_get_cache_alignment Ben Hutchings
                   ` (250 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Sterba, Josef Bacik

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jbacik@fb.com>

commit 8e138e0d92c6c9d3d481674fb14e3439b495be37 upstream.

We discovered a box that had double allocations, and suspected the space
cache may be to blame.  While auditing the write out path I noticed that
if we've already setup the space cache we will just carry on.  This
means that any error we hit after cache_save_setup before we go to
actually write the cache out we won't reset the inode generation, so
whatever was already written will be considered correct, except it'll be
stale.  Fix this by _always_ resetting the generation on the block group
inode, this way we only ever have valid or invalid cache.

With this patch I was no longer able to reproduce cache corruption with
dm-log-writes and my bpf error injection tool.

Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/extent-tree.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -3236,13 +3236,6 @@ again:
 		goto again;
 	}
 
-	/* We've already setup this transaction, go ahead and exit */
-	if (block_group->cache_generation == trans->transid &&
-	    i_size_read(inode)) {
-		dcs = BTRFS_DC_SETUP;
-		goto out_put;
-	}
-
 	/*
 	 * We want to set the generation to 0, that way if anything goes wrong
 	 * from here on out we know not to trust this cache when we load up next
@@ -3252,6 +3245,13 @@ again:
 	ret = btrfs_update_inode(trans, root, inode);
 	WARN_ON(ret);
 
+	/* We've already setup this transaction, go ahead and exit */
+	if (block_group->cache_generation == trans->transid &&
+	    i_size_read(inode)) {
+		dcs = BTRFS_DC_SETUP;
+		goto out_put;
+	}
+
 	if (i_size_read(inode) > 0) {
 		ret = btrfs_check_trunc_cache_free_space(root,
 					&root->fs_info->global_block_rsv);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 008/254] scsi: dma-mapping: always provide dma_get_cache_alignment
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 007/254] btrfs: clear space cache inode generation always Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 253/254] ACPI: sbshc: remove raw pointer from printk() message Ben Hutchings
                   ` (249 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christoph Hellwig, Martin K. Petersen

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <hch@lst.de>

commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.

Provide the dummy version of dma_get_cache_alignment that always returns
1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
use it without ifdefs.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: Also delete the conflicting declaration in
 <asm-generic/dma-mapping-broken.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -181,7 +181,6 @@ static inline void *dma_zalloc_coherent(
 	return ret;
 }
 
-#ifdef CONFIG_HAS_DMA
 static inline int dma_get_cache_alignment(void)
 {
 #ifdef ARCH_DMA_MINALIGN
@@ -189,7 +188,6 @@ static inline int dma_get_cache_alignmen
 #endif
 	return 1;
 }
-#endif
 
 /* flags for the coherent memory api */
 #define	DMA_MEMORY_MAP			0x01
--- a/include/asm-generic/dma-mapping-broken.h
+++ b/include/asm-generic/dma-mapping-broken.h
@@ -85,9 +85,6 @@ dma_supported(struct device *dev, u64 ma
 extern int
 dma_set_mask(struct device *dev, u64 mask);
 
-extern int
-dma_get_cache_alignment(void);
-
 extern void
 dma_cache_sync(struct device *dev, void *vaddr, size_t size,
 	       enum dma_data_direction direction);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 129/254] usbip: prevent leaking socket pointer address in messages
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 177/254] ALSA: aloop: Fix racy hw constraints adjustment Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 121/254] ACPI: APEI / ERST: Fix missing error handling in erst_reader() Ben Hutchings
                   ` (153 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit 90120d15f4c397272aaf41077960a157fc4212bf upstream.

usbip driver is leaking socket pointer address in messages. Remove
the messages that aren't useful and print sockfd in the ones that
are useful for debugging.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/staging/usbip/stub_dev.c
+++ b/drivers/staging/usbip/stub_dev.c
@@ -190,8 +190,7 @@ static void stub_shutdown_connection(str
 	 * step 1?
 	 */
 	if (ud->tcp_socket) {
-		dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n",
-			ud->tcp_socket);
+		dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd);
 		kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
 	}
 
--- a/drivers/staging/usbip/usbip_common.c
+++ b/drivers/staging/usbip/usbip_common.c
@@ -333,13 +333,10 @@ int usbip_recv(struct socket *sock, void
 	char *bp = buf;
 	int osize = size;
 
-	usbip_dbg_xmit("enter\n");
-
-	if (!sock || !buf || !size) {
-		pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf,
-		       size);
+	if (!sock || !buf || !size)
 		return -EINVAL;
-	}
+
+	usbip_dbg_xmit("enter\n");
 
 	do {
 		sock->sk->sk_allocation = GFP_NOIO;
@@ -352,11 +349,8 @@ int usbip_recv(struct socket *sock, void
 		msg.msg_flags      = MSG_NOSIGNAL;
 
 		result = kernel_recvmsg(sock, &msg, &iov, 1, size, MSG_WAITALL);
-		if (result <= 0) {
-			pr_debug("receive sock %p buf %p size %u ret %d total %d\n",
-				 sock, buf, size, result, total);
+		if (result <= 0)
 			goto err;
-		}
 
 		size -= result;
 		buf += result;
--- a/drivers/staging/usbip/vhci_hcd.c
+++ b/drivers/staging/usbip/vhci_hcd.c
@@ -767,7 +767,7 @@ static void vhci_shutdown_connection(str
 
 	/* need this? see stub_dev.c */
 	if (ud->tcp_socket) {
-		pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket);
+		pr_debug("shutdown tcp_socket %d\n", ud->sockfd);
 		kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
 	}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 021/254] USB: usbfs: Filter flags passed in from user space
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 194/254] uas: ignore UAS for Norelsys NS1068(X) chips Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 241/254] vb2: V4L2_BUF_FLAG_DONE is set after DQBUF Ben Hutchings
                   ` (115 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrey Konovalov, Greg Kroah-Hartman, Alan Stern, Oliver Neukum

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.

USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
Improve sanity checking.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/devio.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1295,14 +1295,18 @@ static int proc_do_submiturb(struct usb_
 	int number_of_packets = 0;
 	unsigned int stream_id = 0;
 	void *buf;
-
-	if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
-				USBDEVFS_URB_SHORT_NOT_OK |
+	unsigned long mask =	USBDEVFS_URB_SHORT_NOT_OK |
 				USBDEVFS_URB_BULK_CONTINUATION |
 				USBDEVFS_URB_NO_FSBR |
 				USBDEVFS_URB_ZERO_PACKET |
-				USBDEVFS_URB_NO_INTERRUPT))
-		return -EINVAL;
+				USBDEVFS_URB_NO_INTERRUPT;
+	/* USBDEVFS_URB_ISO_ASAP is a special case */
+	if (uurb->type == USBDEVFS_URB_TYPE_ISO)
+		mask |= USBDEVFS_URB_ISO_ASAP;
+
+	if (uurb->flags & ~mask)
+			return -EINVAL;
+
 	if (uurb->buffer_length > 0 && !uurb->buffer)
 		return -EINVAL;
 	if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL &&

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 128/254] usbip: stub: stop printing kernel pointer addresses in messages
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 019/254] drm/i915: Prevent zero length "index" write Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 193/254] USB: UDC core: fix double-free in usb_add_gadget_udc_release Ben Hutchings
                   ` (31 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Shuah Khan

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit 248a22044366f588d46754c54dfe29ffe4f8b4df upstream.

Remove and/or change debug, info. and error messages to not print
kernel pointer addresses.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Drop change in stub_complete()
 - Adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/usbip/stub_main.c | 5 +++--
 drivers/staging/usbip/stub_rx.c   | 7 ++-----
 drivers/staging/usbip/stub_tx.c   | 6 +++---
 3 files changed, 8 insertions(+), 10 deletions(-)

--- a/drivers/staging/usbip/stub_main.c
+++ b/drivers/staging/usbip/stub_main.c
@@ -256,11 +256,12 @@ void stub_device_cleanup_urbs(struct stu
 	struct stub_priv *priv;
 	struct urb *urb;
 
-	dev_dbg(&sdev->udev->dev, "free sdev %p\n", sdev);
+	dev_dbg(&sdev->udev->dev, "Stub device cleaning up urbs\n");
 
 	while ((priv = stub_priv_pop(sdev))) {
 		urb = priv->urb;
-		dev_dbg(&sdev->udev->dev, "free urb %p\n", urb);
+		dev_dbg(&sdev->udev->dev, "free urb seqnum %lu\n",
+			priv->seqnum);
 		usb_kill_urb(urb);
 
 		kmem_cache_free(stub_priv_cache, priv);
--- a/drivers/staging/usbip/stub_rx.c
+++ b/drivers/staging/usbip/stub_rx.c
@@ -225,9 +225,6 @@ static int stub_recv_cmd_unlink(struct s
 		if (priv->seqnum != pdu->u.cmd_unlink.seqnum)
 			continue;
 
-		dev_info(&priv->urb->dev->dev, "unlink urb %p\n",
-			 priv->urb);
-
 		/*
 		 * This matched urb is not completed yet (i.e., be in
 		 * flight in usb hcd hardware/driver). Now we are
@@ -266,8 +263,8 @@ static int stub_recv_cmd_unlink(struct s
 		ret = usb_unlink_urb(priv->urb);
 		if (ret != -EINPROGRESS)
 			dev_err(&priv->urb->dev->dev,
-				"failed to unlink a urb %p, ret %d\n",
-				priv->urb, ret);
+				"failed to unlink a urb # %lu, ret %d\n",
+				priv->seqnum, ret);
 
 		return 0;
 	}
--- a/drivers/staging/usbip/stub_tx.c
+++ b/drivers/staging/usbip/stub_tx.c
@@ -201,8 +201,8 @@ static int stub_send_ret_submit(struct s
 
 		/* 1. setup usbip_header */
 		setup_ret_submit_pdu(&pdu_header, urb);
-		usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
-				  pdu_header.base.seqnum, urb);
+		usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
+				  pdu_header.base.seqnum);
 		usbip_header_correct_endian(&pdu_header, 1);
 
 		iov[iovnum].iov_base = &pdu_header;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 075/254] X.509: fix buffer overflow detection in sprint_oid()
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 208/254] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 053/254] dm mpath: simplify failure path of dm_multipath_init() Ben Hutchings
                   ` (26 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Morris, Takashi Iwai, Eric Biggers, David Howells

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 47e0a208fb9d91e3f3c86309e752b13a36470ae8 upstream.

In sprint_oid(), if the input buffer were to be more than 1 byte too
small for the first snprintf(), 'bufsize' would underflow, causing a
buffer overflow when printing the remainder of the OID.

Fortunately this cannot actually happen currently, because no users pass
in a buffer that can be too small for the first snprintf().

Regardless, fix it by checking the snprintf() return value correctly.

For consistency also tweak the second snprintf() check to look the same.

Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/oid_registry.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/lib/oid_registry.c
+++ b/lib/oid_registry.c
@@ -120,10 +120,10 @@ int sprint_oid(const void *data, size_t
 
 	n = *v++;
 	ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
+	if (count >= bufsize)
+		return -ENOBUFS;
 	buffer += count;
 	bufsize -= count;
-	if (bufsize == 0)
-		return -ENOBUFS;
 
 	while (v < end) {
 		num = 0;
@@ -141,9 +141,9 @@ int sprint_oid(const void *data, size_t
 			} while (n & 0x80);
 		}
 		ret += count = snprintf(buffer, bufsize, ".%lu", num);
-		buffer += count;
-		if (bufsize <= count)
+		if (count >= bufsize)
 			return -ENOBUFS;
+		buffer += count;
 		bufsize -= count;
 	}
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 038/254] mfd: twl6040: Fix child-node lookup
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 244/254] media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 220/254] can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once Ben Hutchings
                   ` (106 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Peter Ujfalusi, Lee Jones

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 85e9b13cbb130a3209f21bd7933933399c389ffe upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent node was prematurely freed, while the
child node was leaked.

Note that the CONFIG_OF compile guard can be removed as
of_get_child_by_name() provides a !CONFIG_OF implementation which always
fails.

Fixes: 37e13cecaa14 ("mfd: Add support for Device Tree to twl6040")
Fixes: ca2cad6ae38e ("mfd: Fix twl6040 build failure")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/twl6040.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/mfd/twl6040.c
+++ b/drivers/mfd/twl6040.c
@@ -97,12 +97,16 @@ static struct reg_default twl6040_patch[
 };
 
 
-static bool twl6040_has_vibra(struct device_node *node)
+static bool twl6040_has_vibra(struct device_node *parent)
 {
-#ifdef CONFIG_OF
-	if (of_find_node_by_name(node, "vibra"))
+	struct device_node *node;
+
+	node = of_get_child_by_name(parent, "vibra");
+	if (node) {
+		of_node_put(node);
 		return true;
-#endif
+	}
+
 	return false;
 }
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 065/254] btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 228/254] x86/microcode/intel: Extend BDW late-loading further with LLC size check Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 178/254] sh_eth: fix SH7757 GEther initialization Ben Hutchings
                   ` (6 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Sterba, Nikolay Borisov

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <nborisov@suse.com>

commit c8bcbfbd239ed60a6562964b58034ac8a25f4c31 upstream.

The name char array passed to btrfs_search_path_in_tree is of size
BTRFS_INO_LOOKUP_PATH_MAX (4080). So the actual accessible char indexes
are in the range of [0, 4079]. Currently the code uses the define but this
represents an off-by-one.

Implications:

Size of btrfs_ioctl_ino_lookup_args is 4096, so the new byte will be
written to extra space, not some padding that could be provided by the
allocator.

btrfs-progs store the arguments on stack, but kernel does own copy of
the ioctl buffer and the off-by-one overwrite does not affect userspace,
but the ending 0 might be lost.

Kernel ioctl buffer is allocated dynamically so we're overwriting
somebody else's memory, and the ioctl is privileged if args.objectid is
not 256. Which is in most cases, but resolving a subvolume stored in
another directory will trigger that path.

Before this patch the buffer was one byte larger, but then the -1 was
not added.

Fixes: ac8e9819d71f907 ("Btrfs: add search and inode lookup ioctls")
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ added implications ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2253,7 +2253,7 @@ static noinline int btrfs_search_path_in
 	if (!path)
 		return -ENOMEM;
 
-	ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX];
+	ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX - 1];
 
 	key.objectid = tree_id;
 	key.type = BTRFS_ROOT_ITEM_KEY;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 023/254] USB: core: Add type-specific length check of BOS descriptors
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 202/254] KVM: x86: Add memory barrier on vmcs field lookup Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 147/254] nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick() Ben Hutchings
                   ` (83 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Masakazu Mokuno, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masakazu Mokuno <masakazu.mokuno@gmail.com>

commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream.

As most of BOS descriptors are longer in length than their header
'struct usb_dev_cap_header', comparing solely with it is not sufficient
to avoid out-of-bounds access to BOS descriptors.

This patch adds descriptor type specific length check in
usb_get_bos_descriptor() to fix the issue.

Signed-off-by: Masakazu Mokuno <masakazu.mokuno@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: drop handling of USB_PTM_CAP_TYPE and USB_SSP_CAP_TYPE]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -871,6 +871,13 @@ void usb_release_bos_descriptor(struct u
 	}
 }
 
+static const __u8 bos_desc_len[256] = {
+	[USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE,
+	[USB_CAP_TYPE_EXT]          = USB_DT_USB_EXT_CAP_SIZE,
+	[USB_SS_CAP_TYPE]           = USB_DT_USB_SS_CAP_SIZE,
+	[CONTAINER_ID_TYPE]         = USB_DT_USB_SS_CONTN_ID_SIZE,
+};
+
 /* Get BOS descriptor set */
 int usb_get_bos_descriptor(struct usb_device *dev)
 {
@@ -879,6 +886,7 @@ int usb_get_bos_descriptor(struct usb_de
 	struct usb_dev_cap_header *cap;
 	unsigned char *buffer;
 	int length, total_len, num, i;
+	__u8 cap_type;
 	int ret;
 
 	bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL);
@@ -931,7 +939,13 @@ int usb_get_bos_descriptor(struct usb_de
 			dev->bos->desc->bNumDeviceCaps = i;
 			break;
 		}
+		cap_type = cap->bDevCapabilityType;
 		length = cap->bLength;
+		if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) {
+			dev->bos->desc->bNumDeviceCaps = i;
+			break;
+		}
+
 		total_len -= length;
 
 		if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
@@ -939,7 +953,7 @@ int usb_get_bos_descriptor(struct usb_de
 			continue;
 		}
 
-		switch (cap->bDevCapabilityType) {
+		switch (cap_type) {
 		case USB_CAP_TYPE_WIRELESS_USB:
 			/* Wireless USB cap descriptor is handled by wusb */
 			break;
--- a/include/uapi/linux/usb/ch9.h
+++ b/include/uapi/linux/usb/ch9.h
@@ -819,6 +819,8 @@ struct usb_wireless_cap_descriptor {	/*
 	__u8  bReserved;
 } __attribute__((packed));
 
+#define USB_DT_USB_WIRELESS_CAP_SIZE	11
+
 /* USB 2.0 Extension descriptor */
 #define	USB_CAP_TYPE_EXT		2
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 127/254] usbip: vhci: stop printing kernel pointer addresses in messages
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 092/254] MIPS: clear MSACSR cause bits when handling MSA FP exception Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 116/254] USB: serial: option: add support for Telit ME910 PID 0x1101 Ben Hutchings
                   ` (45 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit 8272d099d05f7ab2776cf56a2ab9f9443be18907 upstream.

Remove and/or change debug, info. and error messages to not print
kernel pointer addresses.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/usbip/vhci_hcd.c | 10 ----------
 drivers/staging/usbip/vhci_rx.c  | 23 +++++++++++------------
 drivers/staging/usbip/vhci_tx.c  |  3 ++-
 3 files changed, 13 insertions(+), 23 deletions(-)

--- a/drivers/staging/usbip/vhci_hcd.c
+++ b/drivers/staging/usbip/vhci_hcd.c
@@ -466,9 +466,6 @@ static int vhci_urb_enqueue(struct usb_h
 	int ret = 0;
 	struct vhci_device *vdev;
 
-	usbip_dbg_vhci_hc("enter, usb_hcd %p urb %p mem_flags %d\n",
-			  hcd, urb, mem_flags);
-
 	/* patch to usb_sg_init() is in 2.5.60 */
 	BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length);
 
@@ -626,8 +623,6 @@ static int vhci_urb_dequeue(struct usb_h
 	struct vhci_priv *priv;
 	struct vhci_device *vdev;
 
-	pr_info("dequeue a urb %p\n", urb);
-
 	spin_lock(&the_controller->lock);
 
 	priv = urb->hcpriv;
@@ -655,7 +650,6 @@ static int vhci_urb_dequeue(struct usb_h
 		/* tcp connection is closed */
 		spin_lock(&vdev->priv_lock);
 
-		pr_info("device %p seems to be disconnected\n", vdev);
 		list_del(&priv->list);
 		kfree(priv);
 		urb->hcpriv = NULL;
@@ -667,8 +661,6 @@ static int vhci_urb_dequeue(struct usb_h
 		 * vhci_rx will receive RET_UNLINK and give back the URB.
 		 * Otherwise, we give back it here.
 		 */
-		pr_info("gives back urb %p\n", urb);
-
 		usb_hcd_unlink_urb_from_ep(hcd, urb);
 
 		spin_unlock(&the_controller->lock);
@@ -697,8 +689,6 @@ static int vhci_urb_dequeue(struct usb_h
 
 		unlink->unlink_seqnum = priv->seqnum;
 
-		pr_info("device %p seems to be still connected\n", vdev);
-
 		/* send cmd_unlink and try to cancel the pending URB in the
 		 * peer */
 		list_add_tail(&unlink->list, &vdev->unlink_tx);
--- a/drivers/staging/usbip/vhci_rx.c
+++ b/drivers/staging/usbip/vhci_rx.c
@@ -37,24 +37,23 @@ struct urb *pickup_urb_and_free_priv(str
 		urb = priv->urb;
 		status = urb->status;
 
-		usbip_dbg_vhci_rx("find urb %p vurb %p seqnum %u\n",
-				urb, priv, seqnum);
+		usbip_dbg_vhci_rx("find urb seqnum %u\n", seqnum);
 
 		switch (status) {
 		case -ENOENT:
 			/* fall through */
 		case -ECONNRESET:
-			dev_info(&urb->dev->dev,
-				 "urb %p was unlinked %ssynchronuously.\n", urb,
-				 status == -ENOENT ? "" : "a");
+			dev_dbg(&urb->dev->dev,
+				 "urb seq# %u was unlinked %ssynchronuously\n",
+				 seqnum, status == -ENOENT ? "" : "a");
 			break;
 		case -EINPROGRESS:
 			/* no info output */
 			break;
 		default:
-			dev_info(&urb->dev->dev,
-				 "urb %p may be in a error, status %d\n", urb,
-				 status);
+			dev_dbg(&urb->dev->dev,
+				 "urb seq# %u may be in a error, status %d\n",
+				 seqnum, status);
 		}
 
 		list_del(&priv->list);
@@ -78,8 +77,8 @@ static void vhci_recv_ret_submit(struct
 	spin_unlock(&vdev->priv_lock);
 
 	if (!urb) {
-		pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
-		pr_info("max seqnum %d\n",
+		pr_err("cannot find a urb of seqnum %u max seqnum %d\n",
+			pdu->base.seqnum,
 			atomic_read(&the_controller->seqnum));
 		usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
 		return;
@@ -102,7 +101,7 @@ static void vhci_recv_ret_submit(struct
 	if (usbip_dbg_flag_vhci_rx)
 		usbip_dump_urb(urb);
 
-	usbip_dbg_vhci_rx("now giveback urb %p\n", urb);
+	usbip_dbg_vhci_rx("now giveback urb %u\n", pdu->base.seqnum);
 
 	spin_lock(&the_controller->lock);
 	usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb);
@@ -167,7 +166,7 @@ static void vhci_recv_ret_unlink(struct
 		pr_info("the urb (seqnum %d) was already given back\n",
 			pdu->base.seqnum);
 	} else {
-		usbip_dbg_vhci_rx("now giveback urb %p\n", urb);
+		usbip_dbg_vhci_rx("now giveback urb %d\n", pdu->base.seqnum);
 
 		/* If unlink is successful, status is -ECONNRESET */
 		urb->status = pdu->u.ret_unlink.status;
--- a/drivers/staging/usbip/vhci_tx.c
+++ b/drivers/staging/usbip/vhci_tx.c
@@ -82,7 +82,8 @@ static int vhci_send_cmd_submit(struct v
 		memset(&msg, 0, sizeof(msg));
 		memset(&iov, 0, sizeof(iov));
 
-		usbip_dbg_vhci_tx("setup txdata urb %p\n", urb);
+		usbip_dbg_vhci_tx("setup txdata urb seqnum %lu\n",
+				  priv->seqnum);
 
 		/* 1. setup usbip_header */
 		setup_cmd_submit_pdu(&pdu_header, urb);

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 077/254] usb: musb: da8xx: fix babble condition handling
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 170/254] mm/mprotect: add a cond_resched() inside change_pmd_range() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 113/254] ALSA: rawmidi: Avoid racy info ioctl via ctl device Ben Hutchings
                   ` (206 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Bin Liu

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit bd3486ded7a0c313a6575343e6c2b21d14476645 upstream.

When babble condition happens, the musb controller might automatically
turns off VBUS. On DA8xx platform, the controller generates drvvbus
interrupt for turning off VBUS along with the babble interrupt.

In this case, we should handle the babble interrupt first and recover
from the babble condition.

This change ignores the drvvbus interrupt if babble interrupt is also
generated at the same time, so the babble recovery routine works
properly.

Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/musb/da8xx.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/usb/musb/da8xx.c
+++ b/drivers/usb/musb/da8xx.c
@@ -350,7 +350,15 @@ static irqreturn_t da8xx_musb_interrupt(
 			musb->xceiv->state = OTG_STATE_A_WAIT_VRISE;
 			portstate(musb->port1_status |= USB_PORT_STAT_POWER);
 			del_timer(&otg_workaround);
-		} else {
+		} else if (!(musb->int_usb & MUSB_INTR_BABBLE)) {
+			/*
+			 * When babble condition happens, drvvbus interrupt
+			 * is also generated. Ignore this drvvbus interrupt
+			 * and let babble interrupt handler recovers the
+			 * controller; otherwise, the host-mode flag is lost
+			 * due to the MUSB_DEV_MODE() call below and babble
+			 * recovery logic will not be called.
+			 */
 			musb->is_active = 0;
 			MUSB_DEV_MODE(musb);
 			otg->default_a = 0;

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 078/254] USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 197/254] SolutionEngine771x: add Ether TSU resource Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 141/254] USB: serial: ftdi_sio: add id for Airbus DS P8GR Ben Hutchings
                   ` (103 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alan Stern, David Kozub, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Kozub <zub@linux.fjfi.cvut.cz>

commit 62354454625741f0569c2cbe45b2d192f8fd258e upstream.

There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails
with the following error:

[sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[sda] tag#0 Sense Key : Illegal Request [current]
[sda] tag#0 Add. Sense: Invalid field in cdb

The issue occurs both with UAS (occasionally) and mass storage
(immediately after mounting a FS on a disk in the enclosure).

Enabling US_FL_BROKEN_FUA quirk solves this issue.

This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure
for both UAS and mass storage.

Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/unusual_devs.h | 7 +++++++
 drivers/usb/storage/unusual_uas.h  | 7 +++++++
 2 files changed, 14 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1981,6 +1981,13 @@ UNUSUAL_DEV(  0x152d, 0x0567, 0x0114, 0x
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_BROKEN_FUA ),
 
+/* Reported by David Kozub <zub@linux.fjfi.cvut.cz> */
+UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999,
+		"JMicron",
+		"JMS567",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_BROKEN_FUA),
+
 /* Reported by Alexandre Oliva <oliva@lsd.ic.unicamp.br>
  * JMicron responds to USN and several other SCSI ioctls with a
  * residue that causes subsequent I/O requests to fail.  */
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -131,6 +131,13 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES),
 
+/* Reported-by: David Kozub <zub@linux.fjfi.cvut.cz> */
+UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999,
+		"JMicron",
+		"JMS567",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_BROKEN_FUA),
+
 /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
 UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
 		"VIA",

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 131/254] usb: add RESET_RESUME for ELSA MicroLink 56K
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (213 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 137/254] n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 140/254] ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines Ben Hutchings
                   ` (39 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Oliver Neukum, Greg Kroah-Hartman

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit b9096d9f15c142574ebebe8fbb137012bb9d99c2 upstream.

This modem needs this quirk to operate. It produces timeouts when
resumed without reset.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -151,6 +151,9 @@ static const struct usb_device_id usb_qu
 	/* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */
 	{ USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* ELSA MicroLink 56K */
+	{ USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME },
+
 	/* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */
 	{ USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM },
 

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 061/254] efi: Move some sysfs files to be read-only by root
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 201/254] ALSA: pcm: Remove yet superfluous WARN_ON() Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 173/254] ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 Ben Hutchings
                   ` (199 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Ingo Molnar, Greg Kroah-Hartman,
	Ard Biesheuvel, Matt Fleming, Dave Young, Peter Zijlstra,
	linux-efi, Linus Torvalds, H. Peter Anvin

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.

Thanks to the scripts/leaking_addresses.pl script, it was found that
some EFI values should not be readable by non-root users.

So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
make this easier, and use it in other places at the same time.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: drop changes in esrt.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -72,8 +72,7 @@ static ssize_t systab_show(struct kobjec
 	return str - buf;
 }
 
-static struct kobj_attribute efi_attr_systab =
-			__ATTR(systab, 0400, systab_show, NULL);
+static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
 
 #define EFI_FIELD(var) efi.var
 
--- a/drivers/firmware/efi/runtime-map.c
+++ b/drivers/firmware/efi/runtime-map.c
@@ -67,11 +67,11 @@ static ssize_t map_attr_show(struct kobj
 	return map_attr->show(entry, buf);
 }
 
-static struct map_attribute map_type_attr = __ATTR_RO(type);
-static struct map_attribute map_phys_addr_attr   = __ATTR_RO(phys_addr);
-static struct map_attribute map_virt_addr_attr  = __ATTR_RO(virt_addr);
-static struct map_attribute map_num_pages_attr  = __ATTR_RO(num_pages);
-static struct map_attribute map_attribute_attr  = __ATTR_RO(attribute);
+static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
+static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
+static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
+static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
+static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
 
 /*
  * These are default attributes that are added for every memmap entry.
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -82,6 +82,12 @@ struct attribute_group {
 	.show	= _name##_show,						\
 }
 
+#define __ATTR_RO_MODE(_name, _mode) {					\
+	.attr	= { .name = __stringify(_name),				\
+		    .mode = VERIFY_OCTAL_PERMISSIONS(_mode) },		\
+	.show	= _name##_show,						\
+}
+
 #define __ATTR_WO(_name) {						\
 	.attr	= { .name = __stringify(_name), .mode = S_IWUSR },	\
 	.store	= _name##_store,					\

^ permalink raw reply	[flat|nested] 261+ messages in thread

* [PATCH 3.16 026/254] uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 044/254] can: ti_hecc: Fix napi poll return value for repoll Ben Hutchings
@ 2018-02-28 15:20 ` Ben Hutchings
  2018-02-28 15:20 ` [PATCH 3.16 090/254] tcp md5sig: Use skb's saddr when replying to an incoming segment Ben Hutchings
                   ` (234 subsequent siblings)
  254 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 15:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Hans de Goede

3.16.55-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 7fee72d5e8f1e7b8d8212e28291b1a0243ecf2f1 upstream.

We've been adding this as a quirk on a per device basis hoping that
newer disk enclosures would do better, but that has not happened,
so simply apply this quirk to all Seagate devices.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/uas-detect.h | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/storage/uas-detect.h
+++ b/drivers/usb/storage/uas-detect.h
@@ -111,6 +111,10 @@ static int uas_use_uas_driver(struct usb
 		}
 	}
 
+	/* All Seagate disk enclosures have broken ATA pass-through support */
+	if (le16_to_cpu(udev->descriptor.idVendor) == 0x0bc2)
+		flags |= US_FL_NO_ATA_1X;
+
 	usb_stor_adjust_quirks(udev, &flags);
 
 	if (flags & US_FL_IGNORE_UAS) {

^ permalink raw reply	[flat|nested] 261+ messages in thread

* Re: [PATCH 3.16 000/254] 3.16.55-rc1 review
  2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
                   ` (253 preceding siblings ...)
  2018-02-28 15:20 ` [PATCH 3.16 087/254] ipv4: Avoid reading user iov twice after raw_probe_proto_opt Ben Hutchings
@ 2018-02-28 16:57 ` Guenter Roeck
  2018-02-28 17:30   ` Ben Hutchings
  254 siblings, 1 reply; 261+ messages in thread
From: Guenter Roeck @ 2018-02-28 16:57 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, torvalds, akpm

On Wed, Feb 28, 2018 at 03:20:17PM +0000, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.55 release.
> There are 254 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Mar 02 18:00:00 UTC 2018.
> Anything received after that time might be too late.
> 

Build results:
	total: 136 pass: 136 fail: 0
Qemu test results:
	total: 108 pass: 108 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 261+ messages in thread

* Re: [PATCH 3.16 000/254] 3.16.55-rc1 review
  2018-02-28 16:57 ` [PATCH 3.16 000/254] 3.16.55-rc1 review Guenter Roeck
@ 2018-02-28 17:30   ` Ben Hutchings
  0 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-02-28 17:30 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: linux-kernel, stable, torvalds, akpm

[-- Attachment #1: Type: text/plain, Size: 818 bytes --]

On Wed, 2018-02-28 at 08:57 -0800, Guenter Roeck wrote:
> On Wed, Feb 28, 2018 at 03:20:17PM +0000, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.55 release.
> > There are 254 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Mar 02 18:00:00 UTC 2018.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 136 pass: 136 fail: 0
> Qemu test results:
> 	total: 108 pass: 108 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for testing both of these.

Ben.

-- 
Ben Hutchings
If the facts do not conform to your theory, they must be disposed of.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 261+ messages in thread

* Re: [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context
  2018-02-28 15:20 ` [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context Ben Hutchings
@ 2018-02-28 17:47   ` Adam Wallis
  2018-03-03 15:33     ` Ben Hutchings
  0 siblings, 1 reply; 261+ messages in thread
From: Adam Wallis @ 2018-02-28 17:47 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable
  Cc: akpm, Sinan Kaya, Vinod Koul, Shunyong Yang

Ben

On 2/28/2018 10:20 AM, Ben Hutchings wrote:
> 3.16.55-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Adam Wallis <awallis@codeaurora.org>
> 
> commit 6f6a23a213be51728502b88741ba6a10cda2441d upstream.
> 
> Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
> introduced a bug (that is in fact documented by the patch commit text)
> that leaves behind a dangling pointer. Since the done_wait structure is
> allocated on the stack, future invocations to the DMATEST can produce
> undesirable results (e.g., corrupted spinlocks).
> 
> Commit a9df21e34b42 ("dmaengine: dmatest: warn user when dma test times
> out") attempted to WARN the user that the stack was likely corrupted but
> did not fix the actual issue.
> 
> This patch fixes the issue by pushing the wait queue and callback
> structs into the the thread structure. If a failure occurs due to time,
> dmaengine_terminate_all will force the callback to safely call
> wake_up_all() without possibility of using a freed pointer.
> 
> Bug: https://bugzilla.kernel.org/show_bug.cgi?id=197605
> Fixes: adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
> Reviewed-by: Sinan Kaya <okaya@codeaurora.org>
> Suggested-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
> Signed-off-by: Adam Wallis <awallis@codeaurora.org>
> Signed-off-by: Vinod Koul <vinod.koul@intel.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[..]

Make sure you pick up the following bug fix on whatever branch you apply the
above patch to


>From 66b3bd2356e0a1531c71a3dcf96944621e25c17c Mon Sep 17 00:00:00 2001
From: Yang Shunyong <shunyong.yang@hxt-semitech.com>
Date: Mon, 29 Jan 2018 14:40:11 +0800
Subject: dmaengine: dmatest: fix container_of member in dmatest_callback

From: Yang Shunyong <shunyong.yang@hxt-semitech.com>

commit 66b3bd2356e0a1531c71a3dcf96944621e25c17c upstream.

The type of arg passed to dmatest_callback is struct dmatest_done.
It refers to test_done in struct dmatest_thread, not done_wait.

Fixes: 6f6a23a213be ("dmaengine: dmatest: move callback wait ...")
Signed-off-by: Yang Shunyong <shunyong.yang@hxt-semitech.com>
Acked-by: Adam Wallis <awallis@codeaurora.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>



-- 
Adam Wallis
Qualcomm Datacenter Technologies as an affiliate of Qualcomm Technologies, Inc.
Qualcomm Technologies, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.

^ permalink raw reply	[flat|nested] 261+ messages in thread

* Re: [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning
  2018-02-28 15:20 ` [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning Ben Hutchings
@ 2018-03-01 13:44   ` James Hogan
  2018-03-03 15:48     ` Ben Hutchings
  0 siblings, 1 reply; 261+ messages in thread
From: James Hogan @ 2018-03-01 13:44 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Paul Burton, linux-mips, Ralf Baechle

[-- Attachment #1: Type: text/plain, Size: 661 bytes --]

On Wed, Feb 28, 2018 at 03:20:18PM +0000, Ben Hutchings wrote:
> 3.16.55-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: James Hogan <jhogan@kernel.org>
> 
> commit 17278a91e04f858155d54bee5528ba4fbcec6f87 upstream.

You'll want this too:

8dbc1864b74f5dea5a3f7c30ca8fd358a675132f
MIPS: CPS: Fix MIPS_ISA_LEVEL_RAW fallout

Its only tagged for stable 4.15 since the one it fixes wasn't tagged for
stable.

If you're going to select patches for backporting based on Fixes tags,
maybe its worth looking for patches which are marked as fixing ones
you've backported too.

Cheers
James

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 261+ messages in thread

* Re: [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context
  2018-02-28 17:47   ` Adam Wallis
@ 2018-03-03 15:33     ` Ben Hutchings
  0 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-03-03 15:33 UTC (permalink / raw)
  To: Adam Wallis, linux-kernel, stable
  Cc: akpm, Sinan Kaya, Vinod Koul, Shunyong Yang

[-- Attachment #1: Type: text/plain, Size: 2857 bytes --]

On Wed, 2018-02-28 at 12:47 -0500, Adam Wallis wrote:
> Ben
> 
> On 2/28/2018 10:20 AM, Ben Hutchings wrote:
> > 3.16.55-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Adam Wallis <awallis@codeaurora.org>
> > 
> > commit 6f6a23a213be51728502b88741ba6a10cda2441d upstream.
> > 
> > Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
> > introduced a bug (that is in fact documented by the patch commit text)
> > that leaves behind a dangling pointer. Since the done_wait structure is
> > allocated on the stack, future invocations to the DMATEST can produce
> > undesirable results (e.g., corrupted spinlocks).
> > 
> > Commit a9df21e34b42 ("dmaengine: dmatest: warn user when dma test times
> > out") attempted to WARN the user that the stack was likely corrupted but
> > did not fix the actual issue.
> > 
> > This patch fixes the issue by pushing the wait queue and callback
> > structs into the the thread structure. If a failure occurs due to time,
> > dmaengine_terminate_all will force the callback to safely call
> > wake_up_all() without possibility of using a freed pointer.
> > 
> > Bug: https://bugzilla.kernel.org/show_bug.cgi?id=197605
> > Fixes: adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
> > Reviewed-by: Sinan Kaya <okaya@codeaurora.org>
> > Suggested-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
> > Signed-off-by: Adam Wallis <awallis@codeaurora.org>
> > Signed-off-by: Vinod Koul <vinod.koul@intel.com>
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> 
> [..]
> 
> Make sure you pick up the following bug fix on whatever branch you apply the
> above patch to
> 
> 
> From 66b3bd2356e0a1531c71a3dcf96944621e25c17c Mon Sep 17 00:00:00 2001
> From: Yang Shunyong <shunyong.yang@hxt-semitech.com>
> Date: Mon, 29 Jan 2018 14:40:11 +0800
> Subject: dmaengine: dmatest: fix container_of member in dmatest_callback
> 
> From: Yang Shunyong <shunyong.yang@hxt-semitech.com>
> 
> commit 66b3bd2356e0a1531c71a3dcf96944621e25c17c upstream.

Thanks, I've added this.

Ben.

> The type of arg passed to dmatest_callback is struct dmatest_done.
> It refers to test_done in struct dmatest_thread, not done_wait.
> 
> Fixes: 6f6a23a213be ("dmaengine: dmatest: move callback wait ...")
> Signed-off-by: Yang Shunyong <shunyong.yang@hxt-semitech.com>
> Acked-by: Adam Wallis <awallis@codeaurora.org>
> Signed-off-by: Vinod Koul <vinod.koul@intel.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> 
> 
-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought.
... I realized that a large part of my life from then on was going to
be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 261+ messages in thread

* Re: [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning
  2018-03-01 13:44   ` James Hogan
@ 2018-03-03 15:48     ` Ben Hutchings
  0 siblings, 0 replies; 261+ messages in thread
From: Ben Hutchings @ 2018-03-03 15:48 UTC (permalink / raw)
  To: James Hogan
  Cc: linux-kernel, stable, akpm, Paul Burton, linux-mips, Ralf Baechle


[-- Attachment #1.1: Type: text/plain, Size: 1104 bytes --]

On Thu, 2018-03-01 at 13:44 +0000, James Hogan wrote:
> On Wed, Feb 28, 2018 at 03:20:18PM +0000, Ben Hutchings wrote:
> > 3.16.55-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: James Hogan <jhogan@kernel.org>
> > 
> > commit 17278a91e04f858155d54bee5528ba4fbcec6f87 upstream.
> 
> You'll want this too:
> 
> 8dbc1864b74f5dea5a3f7c30ca8fd358a675132f
> MIPS: CPS: Fix MIPS_ISA_LEVEL_RAW fallout
> 
> Its only tagged for stable 4.15 since the one it fixes wasn't tagged for
> stable.
> 
> If you're going to select patches for backporting based on Fixes tags,
> maybe its worth looking for patches which are marked as fixing ones
> you've backported too.

I do that, but didn't look beyond v4.15 yet.  Here's the version of
that fix I've ended up with for 3.16.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. ... I realized that a large part of my life from then on was
going to be spent in finding mistakes in my own programs. - Maurice
Wilkes, 1949


[-- Attachment #1.2: mips-cps-fix-mips_isa_level_raw-fallout.patch --]
[-- Type: text/x-patch, Size: 1960 bytes --]

From: James Hogan <jhogan@kernel.org>
Date: Fri, 2 Feb 2018 14:36:40 +0000
Subject: MIPS: CPS: Fix MIPS_ISA_LEVEL_RAW fallout

commit 8dbc1864b74f5dea5a3f7c30ca8fd358a675132f upstream.

Commit 17278a91e04f ("MIPS: CPS: Fix r1 .set mt assembler warning")
added .set MIPS_ISA_LEVEL_RAW to silence warnings about .set mt on r1,
however this can result in a MOVE being encoded as a 64-bit DADDU
instruction on certain version of binutils (e.g. 2.22), and reserved
instruction exceptions at runtime on 32-bit hardware.

Reduce the sizes of the push/pop sections to include only instructions
that are part of the MT ASE or which won't convert to 64-bit
instructions after .set mips64r2/mips64r6.

Reported-by: Greg Ungerer <gerg@linux-m68k.org>
Fixes: 17278a91e04f ("MIPS: CPS: Fix r1 .set mt assembler warning")
Signed-off-by: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Burton <paul.burton@mips.com>
Cc: linux-mips@linux-mips.org
Tested-by: Greg Ungerer <gerg@linux-m68k.org>
Patchwork: https://patchwork.linux-mips.org/patch/18578/
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/mips/kernel/cps-vec.S
+++ b/arch/mips/kernel/cps-vec.S
@@ -347,12 +347,13 @@ LEAF(mips_cps_boot_vpes)
 	jr	ra
 	 nop
 
+1:	/* Enter VPE configuration state */
 	.set	push
 	.set	MIPS_ISA_LEVEL_RAW
 	.set	mt
-
-1:	/* Enter VPE configuration state */
 	dvpe
+	.set	pop
+
 	la	t1, 1f
 	jr.hb	t1
 	 nop
@@ -379,6 +380,10 @@ LEAF(mips_cps_boot_vpes)
 	mtc0	t0, CP0_VPECONTROL
 	ehb
 
+	.set	push
+	.set	MIPS_ISA_LEVEL_RAW
+	.set	mt
+
 	/* Skip the VPE if its TC is not halted */
 	mftc0	t0, CP0_TCHALT
 	beqz	t0, 2f
@@ -437,6 +442,8 @@ LEAF(mips_cps_boot_vpes)
 	ehb
 	evpe
 
+	.set	pop
+
 	/* Check whether this VPE is meant to be running */
 	li	t0, 1
 	sll	t0, t0, t9
@@ -451,7 +458,7 @@ LEAF(mips_cps_boot_vpes)
 1:	jr.hb	t0
 	 nop
 
-2:	.set	pop
+2:
 
 #endif /* CONFIG_MIPS_MT_SMP */
 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 261+ messages in thread

end of thread, other threads:[~2018-03-03 15:49 UTC | newest]

Thread overview: 261+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-28 15:20 [PATCH 3.16 000/254] 3.16.55-rc1 review Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 138/254] iw_cxgb4: Only validate the MSN for successful completions Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 046/254] xhci: Don't show incorrect WARN message about events for empty rings Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 183/254] mdio-sun4i: Fix a memory leak Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 007/254] btrfs: clear space cache inode generation always Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 008/254] scsi: dma-mapping: always provide dma_get_cache_alignment Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 253/254] ACPI: sbshc: remove raw pointer from printk() message Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 032/254] eeprom: at24: check at24_read/write arguments Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 098/254] MIPS: Set `si_code' for SIGFPE signals sent from emulation too Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 195/254] net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 071/254] ASN.1: fix out-of-bounds read when parsing indefinite length item Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 018/254] drm/i915: Don't try indexed reads to alternate slave addresses Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 199/254] powerpc: Don't preempt_disable() in show_cpuinfo() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 134/254] net/mlx5: Cleanup IRQs in case of unload failure Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 059/254] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 120/254] PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 249/254] media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 005/254] KVM: x86: Don't re-execute instruction when not passing CR2 value Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 054/254] dm: fix various targets to dm_register_target after module __init resources created Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 044/254] can: ti_hecc: Fix napi poll return value for repoll Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 026/254] uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 090/254] tcp md5sig: Use skb's saddr when replying to an incoming segment Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 089/254] ext4: fix crash when a directory's i_size is too small Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 042/254] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 229/254] dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 004/254] KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 102/254] MIPS: ptrace: Fix FP context restoration FCSR regression Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 231/254] of: fdt: Fix return with value in void function Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 232/254] net: bcmgenet: fix bcmgenet_open() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 198/254] ALSA: hda - Apply the existing quirk to iMac 14,1 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 035/254] quota: Check for register_shrinker() failure Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 165/254] net: phy: Add phy_interface_is_rgmii helper Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 200/254] 8021q: fix a memory leak for VLAN 0 device Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 185/254] Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 215/254] dm btree: fix serious bug in btree_split_beneath() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 192/254] USB: Gadget core: fix inconsistency in the interface tousb_add_gadget_udc_release() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 086/254] ipv4: Use standard iovec primitive in raw_probe_proto_opt Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 101/254] MIPS: Fix a preemption issue with thread's FPU defaults Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 028/254] isa: Prevent NULL dereference in isa_bus driver callbacks Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 093/254] MIPS: Clear [MSA]FPE CSR.Cause after notify_die() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 097/254] MIPS: Always clear FCSR cause bits after emulation Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 096/254] MIPS: Respect the FCSR exception mask for `si_code' Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 210/254] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 104/254] MIPS: MSA: bugfix - disable MSA correctly for new threads/processes Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 162/254] can: gs_usb: fix return value of the "set_bittiming" callback Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 164/254] usbip: remove kernel addresses from usb device and urb debug msgs Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 248/254] media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 170/254] mm/mprotect: add a cond_resched() inside change_pmd_range() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 077/254] usb: musb: da8xx: fix babble condition handling Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 113/254] ALSA: rawmidi: Avoid racy info ioctl via ctl device Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 240/254] media: v4l2-ioctl.c: don't copy back the result for -ENOTTY Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 045/254] virtio: release virtio index when fail to device_register Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 109/254] MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 205/254] nl80211: take RCU read lock when calling ieee80211_bss_get_ie() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 201/254] ALSA: pcm: Remove yet superfluous WARN_ON() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 061/254] efi: Move some sysfs files to be read-only by root Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 173/254] ARM: dts: kirkwood: fix pin-muxing of MPP7 on OpenBlocks A7 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 145/254] tracing: Fix crash when it fails to alloc ring buffer Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 022/254] usb: host: fix incorrect updating of offset Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 235/254] [media] v4l2-compat-ioctl32: fix sparse warnings Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 143/254] sctp: Replace use of sockets_allocated with specified macro Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 151/254] af_key: fix buffer overread in parse_exthdrs() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 072/254] ASN.1: check for error from ASN1_OP_END__ACT actions Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 221/254] cfg80211: fix station info handling bugs Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 123/254] net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 139/254] crypto: n2 - cure use after free Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 100/254] MIPS: Respect the ISA level in FCSR handling Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 153/254] USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 158/254] e1000e: Fix e1000_check_for_copper_link_ich8lan return value Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 030/254] sctp: force the params with right types for sctp csum apis Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 106/254] mips/ptrace: Preserve previous registers for short regset write Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 222/254] x86/mce: Make machine check speculation protected Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 052/254] batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 207/254] cfg80211: check dev_set_name() return value Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 171/254] crypto: algapi - fix NULL dereference in crypto_remove_spawns() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 124/254] ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 024/254] usb: hub: Cycle HUB power when initialization fails Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 119/254] KVM: arm/arm64: Fix HYP unmapping going off limits Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 211/254] sctp: do not allow the v4 socket to bind a v4mapped v6 address Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 227/254] pppoe: take ->needed_headroom of lower device into account on xmit Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 049/254] ALSA: usb-audio: Fix out-of-bound error Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 136/254] net: mvneta: clear interface link status on port disable Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 110/254] MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 191/254] usb: udc: core: add device_del() call to error pathway Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 094/254] MIPS: prevent FP context set via ptrace being discarded Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 246/254] media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 088/254] net: ipv4: fix for a race condition in raw_sendmsg Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 036/254] mfd: cros ec: spi: Don't send first message too soon Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 002/254] ASoC: twl4030: fix child-node lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 243/254] media: v4l2-compat-ioctl32.c: fix the indentation Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 168/254] sh_eth: fix TSU resource handling Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 085/254] nl80211: fix nl80211_send_iface() error paths Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 252/254] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 063/254] btrfs: fix missing error return in btrfs_drop_snapshot Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 181/254] ALSA: pcm: Abort properly at pending signal in OSS read/write loops Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 214/254] dm thin metadata: THIN_MAX_CONCURRENT_LOCKS should be 6 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 076/254] 509: fix printing uninitialized stack memory when OID is empty Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 130/254] usbip: fix usbip bind writing random string after command in match_busid Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 068/254] can: esd_usb2: cancel urb on -EPIPE and -EPROTO Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 062/254] kdb: Fix handling of kallsyms_symbol_next() return value Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 177/254] ALSA: aloop: Fix racy hw constraints adjustment Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 129/254] usbip: prevent leaking socket pointer address in messages Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 121/254] ACPI: APEI / ERST: Fix missing error handling in erst_reader() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 176/254] ALSA: aloop: Fix inconsistent format due to incomplete rule Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 180/254] xfrm: Return error on unknown encap_type in init_state Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 064/254] Btrfs: disable FUA if mounted with nobarrier Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 239/254] adv7604: use correct drive strength defines Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 184/254] sh_eth: fix TXALCR1 offsets Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 010/254] scsi: libsas: align sata_device's rps_resp on a cacheline Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 118/254] parisc: Hide Diva-built-in serial aux and graphics card Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 095/254] MIPS: lose_fpu(): Disable FPU when MSA enabled Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 070/254] can: usb_8dev: cancel urb on -EPIPE and -EPROTO Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 039/254] ALSA: seq: Remove spurious WARN_ON() at timer check Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 169/254] kernel/acct.c: fix the acct->needcheck check in check_free_space() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 247/254] media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 016/254] blktrace: fix trace mutex deadlock Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 179/254] x86/microcode/intel: Extend BDW late-loading with a revision check Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 006/254] iommu/vt-d: Fix scatterlist offset handling Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 238/254] media: v4l2-compat-ioctl32.c: add capabilities field to, v4l2_input32 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 209/254] sctp: use the right sk after waking up from wait_buf sleep Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 188/254] Input: twl6040-vibra - fix child-node lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 174/254] x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 082/254] dmaengine: dmatest: warn user when dma test times out Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 146/254] tracing: Fix possible double free on failure of allocating trace buffer Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 234/254] blk-mq: fix race between timeout and freeing request Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 159/254] IB/srpt: Disable RDMA access by the initiator Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 218/254] net: fs_enet: do not call phy_stop() in interrupts Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 161/254] USB: serial: cp210x: add new device ID ELV ALC 8xxx Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 083/254] dmaengine: dmatest: move callback wait queue to thread context Ben Hutchings
2018-02-28 17:47   ` Adam Wallis
2018-03-03 15:33     ` Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 251/254] media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 099/254] MIPS: math-emu: Define IEEE 754-2008 feature control bits Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 144/254] ring-buffer: Mask out the info bits when returning buffer page length Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 025/254] usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 020/254] usb: gadget: don't dereference g until after it has been null checked Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 148/254] include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 133/254] net/mlx5: Fix misspelling in the error message and comment Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 067/254] can: ems_usb: cancel urb on -EPIPE and -EPROTO Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 111/254] powerpc/perf: Dereference BHRB entries safely Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 194/254] uas: ignore UAS for Norelsys NS1068(X) chips Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 021/254] USB: usbfs: Filter flags passed in from user space Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 241/254] vb2: V4L2_BUF_FLAG_DONE is set after DQBUF Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 156/254] IB/ipoib: Fix race condition in neigh creation Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 154/254] fscache: Fix the default for fscache_maybe_release_page() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 011/254] bcache: recover data from backing when data is clean Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 189/254] Input: 88pm860x-ts - fix child-node lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 132/254] usb: Add device quirk for Logitech HD Pro Webcam C925e Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 013/254] USB: serial: option: add Quectel BG96 id Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 244/254] media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 038/254] mfd: twl6040: Fix child-node lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 220/254] can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 197/254] SolutionEngine771x: add Ether TSU resource Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 078/254] USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 141/254] USB: serial: ftdi_sio: add id for Airbus DS P8GR Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 091/254] MIPS: CPS: Fix r1 .set mt assembler warning Ben Hutchings
2018-03-01 13:44   ` James Hogan
2018-03-03 15:48     ` Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 033/254] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 073/254] lib/oid_registry.c: X.509: fix the buffer overflow in the utility function for OID string Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 115/254] nfsd: auth: Fix gid sorting when rootsquash enabled Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 040/254] media: dvb: i2c transfers over usb cannot be done from stack Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 015/254] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 155/254] ALSA: pcm: Remove incorrect snd_BUG_ON() usages Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 142/254] usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 057/254] net_sched: red: Avoid illegal values Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 152/254] kbuild: add '-fno-stack-check' to kernel build options Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 034/254] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 223/254] net: igmp: Use correct source address on IGMPv3 reports Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 186/254] Input: twl4030-vibra - fix sibling-node lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 206/254] mac80211_hwsim: validate number of different channels Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 254/254] rds: Fix NULL pointer dereference in __rds_rdma_map Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 213/254] KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 175/254] ALSA: aloop: Release cable upon open error path Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 202/254] KVM: x86: Add memory barrier on vmcs field lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 023/254] USB: core: Add type-specific length check of BOS descriptors Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 147/254] nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 066/254] net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 237/254] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 225/254] Input: trackpoint - assume 3 buttons when buttons detection fails Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 112/254] KVM: X86: Fix load RFLAGS w/o the fixed bit Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 041/254] can: kvaser_usb: free buf in error paths Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 012/254] Input: elantech - add new icbody type 15 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 107/254] MIPS: Factor out NT_PRFPREG regset access helpers Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 172/254] xfrm: Use __skb_queue_tail in xfrm_trans_queue Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 031/254] net/packet: fix a race in packet_bind() and packet_notifier() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 233/254] mac80211_hwsim: fix compiler warning on MIPS Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 160/254] mmc: s3mci: mark debug_regs[] as static Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 103/254] MIPS: ptrace: Prevent writes to read-only FCSR bits Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 187/254] Input: twl6040-vibra - fix DT node memory management Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 167/254] net: stmmac: enable EEE in MII, GMII or RGMII only Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 204/254] futex: Prevent overflow by strengthen input validation Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 043/254] can: kvaser_usb: ratelimit errors if incomplete messages are received Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 079/254] ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 212/254] KVM/x86: Check input paging mode when cs.l is set Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 058/254] ALSA: pcm: prevent UAF in snd_pcm_info Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 029/254] hv: kvp: Avoid reading past allocated blocks from KVP file Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 166/254] phy: Add helper function to check phy interface mode Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 051/254] netfilter: xt_bpf: add overflow checks Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 230/254] hrtimer: Reset hrtimer cpu base proper on CPU hotplug Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 001/254] ALSA: seq: Fix regression by incorrect ioctl_mutex usages Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 157/254] e1000e: Separate signaling for link check/link up Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 135/254] net/mlx5: Stay in polling mode when command EQ destroy fails Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 219/254] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 017/254] hwmon: (pmbus) Use 64bit math for DIRECT format values Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 224/254] net: igmp: fix source address check for IGMPv3 reports Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 245/254] media: v4l2-compat-ioctl32.c: avoid sizeof(type) Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 117/254] posix-timer: Properly check sigevent->sigev_notify Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 182/254] ALSA: pcm: Allow aborting mutex lock at OSS read/write loops Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 203/254] usb: misc: usb3503: make sure reset is low for at least 100us Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 060/254] arm64: fpsimd: Prevent registers leaking from dead tasks Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 105/254] MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 092/254] MIPS: clear MSACSR cause bits when handling MSA FP exception Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 127/254] usbip: vhci: stop printing kernel pointer addresses in messages Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 116/254] USB: serial: option: add support for Telit ME910 PID 0x1101 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 217/254] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 126/254] USB: serial: option: adding support for YUGA CLM920-NC5 Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 122/254] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 137/254] n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 131/254] usb: add RESET_RESUME for ELSA MicroLink 56K Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 140/254] ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 080/254] ASoC: wm_adsp: Fix validation of firmware and coeff lengths Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 150/254] af_key: fix buffer overread in verify_address_len() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 163/254] ALSA: pcm: Add missing error checks in OSS emulation plugin builder Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 190/254] USB: fix usbmon BUG trigger Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 074/254] X.509: reject invalid BIT STRING for subjectPublicKey Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 019/254] drm/i915: Prevent zero length "index" write Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 128/254] usbip: stub: stop printing kernel pointer addresses in messages Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 193/254] USB: UDC core: fix double-free in usb_add_gadget_udc_release Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 216/254] i2c: core: decrease reference count of device node in i2c_unregister_device Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 056/254] net_sched: red: Avoid devision by zero Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 208/254] arm64: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 075/254] X.509: fix buffer overflow detection in sprint_oid() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 053/254] dm mpath: simplify failure path of dm_multipath_init() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 037/254] mfd: twl4030-audio: Fix sibling-node lookup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 149/254] stddef.h: move offsetofend inside #ifndef/#endif guard, neaten Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 114/254] kernel: make groups_sort calling a responsibility group_info allocators Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 226/254] Input: trackpoint - force 3 buttons if 0 button is reported Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 242/254] media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 125/254] xfrm: Reinject transport-mode packets through tasklet Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 014/254] ASoC: fsl_ssi: add AC'97 ops setting check and cleanup Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 236/254] [media] V4L2: fix VIDIOC_CREATE_BUFS 32-bit compatibility mode data copy-back Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 069/254] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 108/254] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 084/254] dmaengine: jz4740: disable/unprepare clk if probe fails Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 047/254] usb: xhci: fix panic in xhci_free_virt_devices_depth_first Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 196/254] SolutionEngine771x: fix Ether platform data Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 055/254] s390: always save and restore all registers on context switch Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 050/254] ALSA: usb-audio: Add check return value for usb_string() Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 027/254] serial: 8250_pci: Add Amazon PCI serial device ID Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 009/254] scsi: use dma_get_cache_alignment() as minimum DMA alignment Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 228/254] x86/microcode/intel: Extend BDW late-loading further with LLC size check Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 065/254] btrfs: Fix possible off-by-one in btrfs_search_path_in_tree Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 178/254] sh_eth: fix SH7757 GEther initialization Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 081/254] xhci: Don't add a virt_dev to the devs array before it's fully allocated Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 003/254] KVM: x86: Exit to user-mode on #UD intercept when emulator requires Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 250/254] media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 048/254] ext4: fix fdatasync(2) after fallocate(2) operation Ben Hutchings
2018-02-28 15:20 ` [PATCH 3.16 087/254] ipv4: Avoid reading user iov twice after raw_probe_proto_opt Ben Hutchings
2018-02-28 16:57 ` [PATCH 3.16 000/254] 3.16.55-rc1 review Guenter Roeck
2018-02-28 17:30   ` Ben Hutchings

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).