* [PATCH 3.16 000/366] 3.16.61-rc1 review
@ 2018-11-11 19:49 Ben Hutchings
From: Ben Hutchings @ 2018-11-11 19:49 UTC
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.61 release.
There are 366 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Nov 16 18:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

kt.liao@emc.com.tw (1):
      Input: elantech - fix V4 report decoding for module with middle key
         [e0ae2519ca004a628fa55aeef969c37edce522d3]

Aaron Ma (1):
      Input: elantech - enable middle button of touchpads on ThinkPad P52
         [24bb555e6e46d96e2a954aa0295029a81cc9bbaa]

Al Viro (6):
      fix __legitimize_mnt()/mntput() race
         [119e1ef80ecfe0d1deb6378d4ab41f5b71519de1]
      fix mntput/mntput race
         [9ea0a46ca2c318fcc449c1e6b62a7230a17888f1]
      make sure that __dentry_kill() always invalidates d_seq, unhashed or not
         [4c0d7cd5c8416b1ef41534d19163cb07ffaa03ab]
      root dentries need RCU-delayed freeing
         [90bad5e05bcdb0308cfa3d3a60f5c0b9c8e2efb3]
      unify dentry_iput() and dentry_unlink_inode()
         [550dce01dd606c88a837138aa448ccd367fb0cbb]
      use ->d_seq to get coherency between ->d_inode and ->d_flags
         [a528aca7f359f4b0b1d72ae406097e491a5ba9ea]

Alex Estrin (1):
      IB/isert: Fix for lib/dma_debug check_sync warning
         [763b69654bfb88ea3230d015e7d755ee8339f8ee]

Alex Vesker (2):
      net/mlx5: Fix command interface race in polling mode
         [d412c31dae053bf30a1bc15582a9990df297a660]
      net/mlx5: Fix incorrect raw command length parsing
         [603b7bcff824740500ddfa001d7a7168b0b38542]

Alexander Potapenko (1):
      vt: prevent leaking uninitialized data to userspace via /dev/vcs*
         [21eff69aaaa0e766ca0ce445b477698dc6a9f55a]

Alexander Sverdlin (2):
      ASoC: cirrus: i2s: Fix LRCLK configuration
         [2d534113be9a2aa532a1ae127a57e83558aed358]
      ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
         [5d302ed3cc80564fb835bed5fdba1e1250ecc9e5]

Alexey Brodkin (1):
      ARC: Fix CONFIG_SWAP
         [6e3761145a9ba3ce267c330b6bff51cf6a057b06]

Alexey Kodanev (1):
      dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
         [61ef4b07fcdc30535889990cf4229766502561cf]

Amir Goldstein (3):
      ext4: do not update s_last_mounted of a frozen fs
         [db6516a5e7ddb6dc72d167b920f2f272596ea22d]
      ext4: factor out helper ext4_sample_last_mounted()
         [833a950882d33a7dfc319d5e152fdf35028936eb]
      vfs: add the sb_start_intwrite_trylock() helper
         [0c8e3fe35db9b66ae0030849545030ec7c0fc45c]

Andre Przywara (1):
      arm64: add missing data types in smp_load_acquire/smp_store_release
         [878a84d5a8a18a4ab241d40cebb791d6aedf5605]

Andrea Arcangeli (1):
      ksm: add cond_resched() to the rmap_walks
         [ad12695f177c3403a64348b42718faf9727fe358]

Andrew F. Davis (1):
      rpmsg: Correct support for MODULE_DEVICE_TABLE()
         [5b7d127726de6eed4b900bc3bbb167837690818f]

Andrew Morton (1):
      arch/x86/kernel/cpu/common.c: fix unused symbol warning
         [e48510f45107613bf14060eeabd658c49a044242]

Andri Yngvason (1):
      can: dev: Consolidate and unify state change handling
         [bac78aabcfece0c493b2ad824c68fbdc20448cbc]

Andy Lutomirski (1):
      fs/proc: Stop trying to report thread stacks
         [b18cb64ead400c01bf1580eeba330ace51f8087d]

Aneesh Kumar K.V (1):
      powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
         [91d06971881f71d945910de128658038513d1b24]

Anil Gurumurthy (1):
      scsi: qla2xxx: Return error when TMF returns
         [b4146c4929ef61d5afca011474d59d0918a0cd82]

Anna-Maria Gleixner (1):
      nohz: Fix local_timer_softirq_pending()
         [80d20d35af1edd632a5e7a3b9c0ab7ceff92769e]

Anssi Hannula (6):
      can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK
         [32852c561bffd613d4ed7ec464b1e03e1b7b6c5c]
      can: xilinx_can: fix RX overflow interrupt not being enabled
         [83997997252f5d3fc7f04abc24a89600c2b504ab]
      can: xilinx_can: fix device dropping off bus on RX overrun
         [2574fe54515ed3487405de329e4e9f13d7098c10]
      can: xilinx_can: fix incorrect clear of non-processed interrupts
         [2f4f0f338cf453bfcdbcf089e177c16f35f023c8]
      can: xilinx_can: fix recovery from error states not being propagated
         [877e0b75947e2c7acf5624331bb17ceb093c98ae]
      can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
         [620050d9c2be15c47017ba95efe59e0832e99a56]

Anton Vasilyev (1):
      can: ems_usb: Fix memory leak on ems_usb_disconnect()
         [72c05f32f4a5055c9c8fe889bb6903ec959c0aad]

Arnaldo Carvalho de Melo (9):
      perf script: Use readdir() instead of deprecated readdir_r()
         [a5e8e825bd1704c488bf6a46936aaf3b9f203d6a]
      perf thread_map: Correctly size buffer used with dirent->dt_name
         [bdf23a9a190d7ecea092fd5c4aabb7d4bd0a9980]
      perf thread_map: Use readdir() instead of deprecated readdir_r()
         [3354cf71104de49326d19d2f9bdb1f66eea52ef4]
      perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/
         [cec07f53c398f22576df77052c4777dc13f14962]
      perf tools: Use readdir() instead of deprecated readdir_r()
         [bfc279f3d233150ff260e9e93012e14f86810648]
      perf top: Use __fallthrough
         [7b0214b702ad8e124e039a317beeebb3f020d125]
      perf trace: Do not process PERF_RECORD_LOST twice
         [3ed5ca2efff70e9f589087c2013789572901112d]
      perf trace: Fix up fd -> pathname resolution
         [cdcd1e6bd8a92f8353fc2f37003c6eae2d1e6903]
      tools include: Add a __fallthrough statement
         [b5bf1733d6a391c4e90ea8f8468d83023be74a2a]

Arnd Bergmann (3):
      [media] ir-core: fix gcc-7 warning on bool arithmetic
         [bd7e31bbade02bc1e92aa00d5cf2cee2da66838a]
      arm64: use linux/types.h in kvm.h
         [d19279154b3fff9adff96b54d1a77dfb8f01e3da]
      video/omap: add module license tags
         [1bde9f2cf142b726412fa5b0e3cb557ff46952b0]

Artem Savkov (1):
      tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
         [57ea2a34adf40f3a6e88409aafcf803b8945619a]

Bart Van Assche (1):
      scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
         [1214fd7b497400d200e3f4e64e2338b303a20949]

Ben Hutchings (10):
      Revert "mtd: nand: omap2: Fix subpage write"
         [not upstream; reverted change is good but has larger dependencies]
      bcmgenet: Delete unused variable
         [not upstream; fixes incorrect backport]
      fnic: Fix misleading indentation
         [86001f248e943b7b22c22b50151ffaee9447df2d]
      iio: iio-trig-periodic-rtc: Free trigger resource  correctly
         [not upstream; driver was removed]
      rtl8723be: Fix misleading indentation
         [5c99f04fec93068147a3e95b439b345f203ac5b9]
      staging: rtl8192ee: Fix misleading indentation
         [not upstream; driver was removed from staging]
      staging: vt6656: Fix misleading indentation
         [not upstream; functions have been removed]
      string: drop __must_check from strscpy()
         [08a77676f9c5fc69a681ccd2cd8140e65dcb26c7]
      x86/apic: Fix build failure with X86_IO_APIC disabled
         [not upstream; failing configuration is no longer possible]
      x86/cpufeatures: Hide AMD-specific speculation flags
         [e7c587da125291db39ddf1f49b18e5970adbac17]

Bin Liu (1):
      usb: core: handle hub C_PORT_OVER_CURRENT condition
         [249a32b7eeb3edb6897dd38f89651a62163ac4ed]

Bjorn Helgaas (1):
      PCI: shpchp: Fix AMD POGO identification
         [bed4e9cfab93a0f3d0144cb919820e6d5c40b8b1]

Bo Chen (1):
      ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
         [a3aa60d511746bd6c0d0366d4eb90a7998bcde8b]

Boris Brezillon (1):
      m68k: Implement ndelay() as an inline function to force type checking/casting
         [d8441ba80c55aad435e4b98fe0d7ad5d21e46bf9]

Boris Ostrovsky (1):
      xen: Remove unnecessary BUG_ON from __unbind_from_irq()
         [eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff]

Borislav Petkov (1):
      x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out()
         [1f74c8a64798e2c488f86efc97e308b85fb7d7aa]

Cannon Matthews (1):
      mm: hugetlb: yield when prepping struct pages
         [520495fe96d74e05db585fc748351e0504d8f40d]

Changbin Du (1):
      tracing: Fix missing return symbol in function_graph output
         [1fe4293f4b8de75824935f8d8e9a99c7fc6873da]

Chanho Park (1):
      perf tools: define _DEFAULT_SOURCE for glibc_2.20
         [512fe365373b9c95a70b4b6357503ee74d27214f]

Chas Williams (1):
      net/xen-netfront: only clean up queues if present
         [9a873c71e91cabf4c10fd9bbd8358c22deaf6c9e]

Chen-Yu Tsai (1):
      Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
         [384cf4285b34e08917e3e66603382f2b0c4f6e1b]

Christophe Jaillet (1):
      scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()'
         [51b910c3c70986a5a0a84eea11cb8e904e37ba8b]

Colin Ian King (2):
      libata: zpodd: make arrays cdb static, reduces object code size
         [795ef788145ed2fa023efdf11e8d5d7bedc21462]
      media: smiapp: fix timeout checking in smiapp_read_nvm
         [7a2148dfda8001c983f0effd9afd8a7fa58e99c4]

Cong Wang (1):
      vsock: split dwork to avoid reinitializations
         [455f05ecd2b219e9a216050796d30c830d9bc393]

Corey Minyard (1):
      ipmi:bt: Set the timeout before doing a capabilities check
         [fe50a7d0393a552e4539da2d31261a59d6415950]

Dan Carpenter (10):
      ALSA: msnd: add some missing curly braces
         [096a020a9ef5c947577d3b57199bfc9b7e686b49]
      PCI: ibmphp: Fix use-before-set in get_max_bus_speed()
         [4051f5ebb11c6ef4b0d3eac2fbbd187c070656c5]
      USB: serial: ch341: fix type promotion bug in ch341_control_in()
         [e33eab9ded328ccc14308afa51b5be7cbe78d30b]
      dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
         [c4c2b7644cc9a41f17a8cc8904efe3f66ae4c7ed]
      drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
         [7f073d011f93e92d4d225526b9ab6b8b0bbd6613]
      libata: zpodd: small read overflow in eject_tray()
         [18c9a99bce2a57dfd7e881658703b5d7469cc7b9]
      mfd: tps65911-comparator: Fix a build error
         [ac1886165cd1201c5793099b6fbad1876bf98dfe]
      mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready()
         [01eca2842874b9a85b7cd1e1b0e5b34a5d53a21f]
      qlogic: check kstrtoul() for errors
         [5fc853cc01c68f84984ecc2d5fd777ecad78240f]
      xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
         [313db3d6488bb03b61b99de9dbca061f1fd838e1]

Dan Williams (2):
      x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()
         [eab6870fee877258122a042bfd99ee7908c40280]
      x86/speculation: Fix up array_index_nospec_mask() asm constraint
         [be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470]

Daniel Axtens (1):
      powerpc: make feature-fixup tests fortify-safe
         [c69a48cdb301a18697bc8c9935baf4f32861cf9e]

Daniel Jordan (1):
      mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT
         [955c97f0859abef698e77f5697f5c4008303abb9]

Dave Martin (1):
      tty: pl011: Avoid spuriously stuck-off interrupts
         [4a7e625ce50412a7711efa0f2ef0b96ce3826759]

Dave Wysochanski (1):
      NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
         [d68894800ec5712d7ddf042356f11e36f87d7f78]

David Disseldorp (1):
      scsi: target: Fix truncated PR-in ReadKeys response
         [63ce3c384db26494615e3c8972bcd419ed71f4c4]

David Howells (1):
      VFS: Impose ordering on accesses of d_inode and d_flags
         [4bf46a272647d89e780126b52eda04737defd9f4]

David Rivshin (1):
      ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
         [76ed0b803a2ab793a1b27d1dfe0de7955282cd34]

David Vrabel (4):
      xen-netfront: fix locking in connect error path
         [db8c8ab61a28d7e3eb86d247b342a853263262c3]
      xen-netfront: properly destroy queues when removing device
         [ad0681185770716523c81b156c44b9804d7b8ed2]
      xen-netfront: release per-queue Tx and Rx resource when disconnecting
         [a5b5dc3ce4df4f05f4d81c7d3c56a7604b242093]
      xen-netfront: use different locks for Rx and Tx stats
         [900e183301b54f8ca17a86d9835e9569090d182a]

Davide Caratti (1):
      net/sched: act_simple: fix parsing of TCA_DEF_DATA
         [8d499533e0bc02d44283dbdab03142b599b8ba16]

Dewet Thibaut (1):
      x86/MCE: Remove min interval polling limitation
         [fbdb328c6bae0a7c78d75734a738b66b86dffc96]

Dmitry Safonov (4):
      iommu/vt-d: Ratelimit each dmar fault printing
         [6c50d79f66382d78918a768374839d6d1b606d3f]
      netlink: Do not subscribe to non-existent groups
         [7acf9d4237c46894e0fa0492dd96314a41742e84]
      netlink: Don't shift on 64 for ngroups
         [91874ecf32e41b5d86a4cb9d60e0bee50d828058]
      netlink: Don't shift with UB on nlk->ngroups
         [61f4b23769f0cc72ae62c9a81cf08f0397d40da8]

Dmitry Torokhov (1):
      Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
         [a4c2a13129f7c5bcf81704c06851601593303fd5]

Doug Berger (1):
      PM / wakeup: Only update last time for active wakeup sources
         [2ef7c01c0cdb170142058c6d8fe0697aee4e4d7d]

Doug Ledford (1):
      RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events
         [fa9391dbad4b868512ed22a7e41765f881a8a935]

Douglas Anderson (1):
      dm bufio: avoid sleeping while holding the dm_bufio lock
         [9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc]

Eric Biggers (4):
      KEYS: DNS: fix parsing multiple options
         [c604cb767049b78b3075497b80ebb8fd530ea2cc]
      ext4: correct endianness conversion in __xattr_check_inode()
         [199625098a18a5522b424dea9b122b254c022fc5]
      ext4: don't read out of bounds when checking for in-inode xattrs
         [290ab230016f187c3551d8380ea742889276d03a]
      reiserfs: fix buffer overflow with long warning messages
         [fe10e398e860955bac4d28ec031b701d358465e4]

Eric Dumazet (6):
      net/packet: refine check for priv area size
         [eb73190f4fbeedf762394e92d6a4ec9ace684c88]
      net: metrics: add proper netlink validation
         [5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53]
      netfilter: ipv6: nf_defrag: reduce struct net memory waste
         [9ce7bc036ae4cfe3393232c86e9e1fea2153c237]
      netfilter: nf_queue: augment nfqa_cfg_policy
         [ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc]
      rtnetlink: validate attributes in do_setlink()
         [644c7eebbfd59e72982d11ec6cc7d39af12450ae]
      xfrm_user: prevent leaking 2 bytes of kernel memory
         [45c180bc29babbedd6b8c01b975780ef44d9d09c]

Eric Engestrom (1):
      perf tools: Remove duplicate const qualifier
         [3b556bced46aa6b1873da7faa18eff235e896adc]

Eric W. Biederman (1):
      signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
         [7de712ccc096b81d23cc0a941cd9b8cb3956605d]

Evan Green (1):
      clk: qcom: Base rcg parent rate off plan frequency
         [c7d2a0eb6c028ba064bfe92d7667977418142c7c]

Fabian Frederick (1):
      can: constify of_device_id array
         [486e957033623656298a07c39a8bf2fd81db285b]

Florian Fainelli (1):
      net: ethernet: davinci_emac: Fix printing of base address
         [5a04e8f81a4f55ce1c2b7b525744a187c99ba302]

Florian Meier (1):
      gcov: add support for gcc version >= 6
         [d02038f972538b93011d78c068f44514fbde0a8c]

Florian Westphal (2):
      atl1c: reserve min skb headroom
         [6e56830776828d8ca9897fc4429eeab47c3bb432]
      xfrm: free skb if nlsk pointer is NULL
         [86126b77dcd551ce223e7293bb55854e3df05646]

Geert Uytterhoeven (1):
      time: Make sure jiffies_to_msecs() preserves non-zero time periods
         [abcbcb80cd09cd40f2089d912764e315459b71f7]

Geoff Levand (1):
      kexec: Fix make headers_check
         [9dc5c05f45ca8101025046cda7f8aca8835204f2]

Guillaume Nault (8):
      l2tp: clean up stale tunnel or session in pppol2tp_connect's error path
         [bda06be2158c7aa7e41b15500c4d3840369c19a6]
      l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
         [ecd012e45ab5fd76ed57546865897ce35920f56b]
      l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
         [f664e37dcc525768280cb94321424a09beb1c992]
      l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()
         [90904ff5f958a215cc3d26f957a46e80fa178470]
      l2tp: fix refcount leakage on PPPoL2TP sockets
         [3d609342cc04129ff7568e19316ce3d7451a27e8]
      l2tp: only accept PPP sessions in pppol2tp_connect()
         [7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658]
      l2tp: prevent pppol2tp_connect() from creating kernel sockets
         [3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd]
      l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
         [de9bada5d389903f4faf33980e6a95a2911c7e6d]

Gustavo A. R. Silva (2):
      HID: hiddev: fix potential Spectre v1
         [4f65245f2d178b9cba48350620d76faa4a098841]
      net: cxgb3_main: fix potential Spectre v1
         [676bcfece19f83621e905aa55b5ed2d45cc4f2d3]

Hangbin Liu (2):
      ipv6: mcast: fix unsolicited report interval after receiving querys
         [6c6da92808442908287fae8ebb0ca041a52469f4]
      multicast: do not restore deleted record source filter mode to new one
         [08d3ffcc0cfaba36f6b86fd568cc3bc773061fa6]

Hans de Goede (4):
      ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
         [fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70]
      ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
         [240630e61870e62e39a97225048f9945848fa5f5]
      libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
         [2cfce3a86b64b53f0a70e92a6a659c720c319b45]
      pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
         [1d375b58c12f08d8570b30b865def4734517f04f]

Herbert Xu (1):
      crypto: padlock-aes - Fix Nano workaround data corruption
         [46d8c4b28652d35dc6cfb5adf7f54e102fc04384]

Himanshu Madhani (1):
      scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
         [413c2f33489b134e3cc65d9c3ff7861e8fdfe899]

Houston Yaroschoff (1):
      usb: cdc_acm: Add quirk for Uniden UBC125 scanner
         [4a762569a2722b8a48066c7bacf0e1dc67d17fa1]

Huacai Chen (1):
      MIPS: io: Add barrier after register read in inX()
         [18f3e95b90b28318ef35910d21c39908de672331]

Huang Ying (1):
      mm: /proc/pid/pagemap: hide swap entries from unprivileged users
         [ab6ecf247a9321e3180e021a6a60164dee53ab2e]

Ingo Flaschberger (1):
      1wire: family module autoload fails because of upper/lower case mismatch.
         [065c09563c872e52813a17218c52cd642be1dca6]

Jack Morgenstein (1):
      net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
         [958c696f5a7274d9447a458ad7aa70719b29a50a]

Jan Kara (2):
      ext4: fix fencepost error in check for inode count overflow during resize
         [4f2f76f751433908364ccff82f437a57d0e6e9b7]
      udf: Detect incorrect directory size
         [fa65653e575fbd958bdf5fb9c4a71a324e39510d]

Jann Horn (3):
      ibmasm: don't write out of bounds in read handler
         [a0341fc1981a950c1e902ab901e98f60e0e243f3]
      netfilter: nf_log: don't hold nf_log_mutex during user access
         [ce00bf07cc95a57cd20b208e02b3c2604e532ae8]
      scsi: sg: mitigate read/write abuse
         [26b5b874aff5659a7e26e5b1997e3df2c41fa7fd]

Jason Wang (1):
      vhost_net: validate sock before trying to put its fd
         [b8f1f65882f07913157c44673af7ec0b308d03eb]

Jeff Layton (3):
      ceph: don't set req->r_locked_dir in ceph_d_revalidate
         [c3f4688a08fd86f1bf8e055724c84b7a40a09733]
      ceph: fix endianness of getattr mask in ceph_d_revalidate
         [1097680d759918ce4a8705381c0ab2ed7bd60cf1]
      nfsd: silence sparse warning about accessing credentials
         [ae4b884fc6316b3190be19448cea24b020c1cad6]

Jens Axboe (1):
      sbitmap: fix race in wait batch accounting
         [c854ab5773be1c1a0d3cef0c3a3261f2c48ab7f8]

Jeremy Cline (1):
      net: socket: fix potential spectre v1 gadget in socketcall
         [c8e8cd579bb4265651df8223730105341e61a2d1]

Jia He (1):
      mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
         [1105a2fc022f3c7482e32faf516e8bc44095f778]

Jiang Biao (1):
      virtio_balloon: fix another race between migration and ballooning
         [89da619bc18d79bca5304724c11d4ba3b67ce2c6]

Jiri Olsa (2):
      perf tools: Fix python extension build for gcc 8
         [b7a313d84e853049062011d78cb04b6decd12f5c]
      perf tools: Fix snprint warnings for gcc 8
         [77f18153c080855e1c3fb520ca31a4e61530121d]

Jiri Slaby (3):
      p54: memset(0) whole array
         [6f17581788206444cbbcdbc107498f85e9765e3d]
      tty: vt, get rid of weird source code flow
         [34902b7f2754e6d890feb0cee34187f1bc75c930]
      tty: vt, remove reduntant check
         [182846a00f489849c55d113954f0c4a8a286ca39]

Joakim Tjernlund (4):
      mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
         [f1ce87f6080b1dda7e7b1eda3da332add19d87b9]
      mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
         [0cd8116f172eed018907303dbff5c112690eeb91]
      mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
         [f93aa8c4de307069c270b2d81741961162bead6c]
      mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
         [5fdfc3dbad099281bf027a353d5786c09408a8e5]

Johan Hovold (7):
      USB: serial: cp210x: add CESINEL device ids
         [24160628a34af962ac99f2f58e547ac3c4cbd26f]
      USB: serial: keyspan_pda: fix modem-status error handling
         [01b3cdfca263a17554f7b249d20a247b2a751521]
      USB: serial: mos7840: fix status-register error handling
         [794744abfffef8b1f3c0c8a4896177d6d13d653d]
      backlight: as3711_bl: Fix Device Tree node leaks
         [d5318d302e7cf6583ec85a2a8bfbb3a3910ae372]
      backlight: as3711_bl: Fix Device Tree node lookup
         [4a9c8bb2aca5b5a2a15744333729745dd9903562]
      backlight: max8925_bl: Fix Device Tree node lookup
         [d1cc0ec3da23e44c23712579515494b374f111c9]
      backlight: tps65217_bl: Fix Device Tree node lookup
         [2b12dfa124dbadf391cb9a616aaa6b056823bf75]

John Syne (2):
      staging:iio:ade7854: Fix error handling on read/write
         [4297b23d927fa5265378f4a71372ecef3c33023a]
      staging:iio:ade7854: Fix the wrong number of bits to read
         [6cef2ab01636b6021044f349df466a97c408ec27]

Jon Derrick (1):
      ext4: check superblock mapped prior to committing
         [a17712c8e4be4fa5404d20e9cd3b2b21eae7bc56]

Joshua Frkuska (1):
      usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
         [6b37bd78d30c890e575a1bda22978d1d2a233362]

Juergen Gross (1):
      xen/netfront: don't cache skb_shinfo()
         [d472b3a6cf63cd31cae1ed61930f07e6cd6671b5]

Julia Lawall (1):
      bnx2x: use the right constant
         [dd612f18a49b63af8b3a5f572d999bdb197385bc]

Julian Wiedmann (1):
      s390/qeth: don't clobber buffer on async TX completion
         [ce28867fd20c23cd769e78b4d619c4755bf71a1c]

Kai-Heng Feng (1):
      media: cx231xx: Add support for AverMedia DVD EZMaker 7
         [29e61d6ef061b012d320327af7dbb3990e75be45]

Kamal Heib (1):
      RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
         [d63c46734c545ad0488761059004a65c46efdde3]

Karoly Pados (1):
      USB: serial: cp210x: add Silicon Labs IDs for Windows Update
         [2f839823382748664b643daa73f41ee0cc01ced6]

Keerthy (1):
      ARM: dts: da850: Fix interrups property for gpio
         [3eb1b955cd7ed1e621ace856710006c2a8a7f231]

Kees Cook (2):
      binfmt_elf: fix calculations for bss padding
         [0036d1f7eb95bcc52977f15507f00dd07018e7e2]
      mm: refuse wrapped vm_brk requests
         [ba093a6d9397da8eafcfbaa7d95bd34255da39a0]

Keith Busch (1):
      block: Fix transfer when chunk sectors exceeds max
         [15bfd21fbc5d35834b9ea383dc458a1f0c9e3434]

Kiran Kumar Modukuri (5):
      cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag
         [5ce83d4bb7d8e11e8c1c687d09f4b5ae67ef3ce3]
      cachefiles: Fix refcounting bug in backing-file read monitoring
         [934140ab028713a61de8bca58c05332416d037d1]
      cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
         [c2412ac45a8f8f1cd582723c1a139608694d410d]
      fscache: Allow cancelled operations to be enqueued
         [d0eb06afe712b7b103b6361f40a9a0c638524669]
      fscache: Fix reference overput in fscache_attach_object() error handling
         [f29507ce66701084c39aeb1b0ae71690cbff3554]

Konrad Rzeszutek Wilk (3):
      x86/bugs: Add AMD's SPEC_CTRL MSR usage
         [6ac2f49edb1ef5446089c7c660017732886d62d6]
      x86/bugs: Add AMD's variant of SSB_NO
         [24809860012e0130fbafe536709e08a22b3e959e]
      x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
         [108fab4b5c8f12064ef86e02cb0459992affb30f]

Konstantin Khlebnikov (1):
      pagemap: hide physical addresses from non-privileged users
         [1c90308e7a77af6742a97d1021cca923b23b7f0d]

Krzysztof Kozlowski (1):
      clk: si5351: Constify clock names and struct regmap_config
         [8234caed27f7bce141c9fb1f7e76c91a2a66d248]

Lars Persson (1):
      cifs: Fix use after free of a mid_q_entry
         [696e420bb2a6624478105651d5368d45b502b324]

Laura Abbott (2):
      staging: android: ion: Return an ERR_PTR in ion_map_kernel
         [0a2bc00341dcfcc793c0dbf4f8d43adf60458b05]
      staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
         [45ad559a29629cb1c64ee636563c69b71524f077]

Lee Jones (1):
      mfd: tps65911-comparator: Fix an off by one bug
         [1768391c3674b0c6bdc4947121f15fb0c2f47ec4]

Leon Romanovsky (4):
      RDMA/mlx4: Discard unknown SQP work requests
         [6b1ca7ece15e94251d1d0d919f813943e4a58059]
      RDMA/uverbs: Don't fail in creation of multiple flows
         [fe48aecb4df837540f13b5216f27ddb306aaf4b9]
      RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
         [4fae7f170416f970e5655f7e945ce69286b1c4ff]
      RDMA/uverbs: Protect from attempts to create flows on unsupported QP
         [940efcc8889f0d15567eb07fc9fd69b06e366aa5]

Liang Z Li (1):
      xen-netfront: Remove the meaningless code
         [905726c1c5a3ca620ba7d73c78eddfb91de5ce28]

Linus Lüssing (2):
      batman-adv: Avoid storing non-TT-sync flags on singular entries too
         [4a519b83da16927fb98fd32b0f598e639d1f1859]
      batman-adv: Fix multicast TT issues with bogus ROAM flags
         [a44ebeff6bbd6ef50db41b4195fca87b21aefd20]

Linus Torvalds (2):
      squashfs: be more careful about metadata corruption
         [01cfb7937a9af2abb1136c7e89fbf3fd92952956]
      squashfs: more metadata hardening
         [d512584780d3e6a7cacb2f482834849453d444a1]

Lorenzo Bianconi (1):
      ipv4: remove BUG_ON() from fib_compute_spec_dst
         [9fc12023d6f51551d6ca9ed7e02ecc19d79caf17]

Lorenzo Stoakes (1):
      gcov: add support for GCC 5.1
         [3e44c471a2dab210f7e9b1e5f7d4d54d52df59eb]

Lubomir Rintel (1):
      usb: cdc_acm: Add quirk for Castles VEGA3000
         [1445cbe476fc3dd09c0b380b206526a49403c071]

Lukas Czerner (1):
      ext4: update mtime in ext4_punch_hole even if no blocks are released
         [eee597ac931305eff3d3fd1d61d6aae553bc0984]

Lyude Paul (1):
      drm/nouveau: Remove bogus crtc check in pmops_runtime_idle
         [68fe23a626b67b56c912c496ea43ed537ea9708f]

Maciej S. Szmigiero (1):
      X.509: unpack RSA signatureValue field from BIT STRING
         [b65c32ec5a942ab3ada93a048089a938918aba7f]

Mahesh Salgaonkar (1):
      powerpc/fadump: Unregister fadump on kexec down path.
         [722cde76d68e8cc4f3de42e71c82fd40dea4f7b9]

Marcelo Ricardo Leitner (1):
      sctp: fix identification of new acks for SFR-CACC
         [51446780fc33e45cb790c05a7fa2c5bf7e8bc53b]

Mark Rutland (1):
      arm64: ensure extension of smp_store_release value
         [994870bead4ab19087a79492400a5478e2906196]

Markos Chandras (2):
      MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations
         [be5136988e25ae0dc8379fcb937efc63d87aba9e]
      MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA
         [2bd7bc254ab1f45269db6dd7957d63b713817408]

Markus Pargmann (1):
      batman-adv: debugfs, avoid compiling for !DEBUG_FS
         [9bb218828c8f4fa6587af93e248903c96ce469d0]

Martin Kaiser (1):
      mtd: rawnand: mxc: set spare area size register explicitly
         [3f77f244d8ec28e3a0a81240ffac7d626390060c]

Martin Liska (1):
      gcov: support GCC 7.1
         [05384213436ab690c46d9dfec706b80ef8d671ab]

Masami Hiramatsu (1):
      ring_buffer: tracing: Inherit the tracing setting to next ring buffer
         [73c8d8945505acdcbae137c2e00a1232e0be709f]

Matt Turner (2):
      tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
         [e0d34648b4d77ba715e13739d04e7b0692fe5eaa]
      x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
         [a00072a24a9f5b88cfc56f2dec6afe8ce3874e60]

Mauro Carvalho Chehab (5):
      [media] drxd_hard: fix bad alignments
         [cea130021448763b15f4b16af184bbab4be118fb]
      [media] drxk_hard: fix bad alignments
         [89fffac802c18caebdf4e91c0785b522c9f6399a]
      media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
         [76d81243a487c09619822ef8e7201a756e58a87d]
      media: omap3isp/isp: remove an unused static var
         [3f4836beb2ebeb0211d9911d878a267d687e0e6e]
      media: v4l2-compat-ioctl32: prevent go past max size
         [ea72fbf588ac9c017224dcdaa2019ff52ca56fee]

Max Gurtovoy (1):
      IB/isert: fix T10-pi check mask setting
         [0e12af84cdd3056460f928adc164f9e87f4b303b]

Maxim Moseychuk (1):
      usb: do not reset if a low-speed or full-speed device timed out
         [6e01827ed93947895680fbdad68c072a0f4e2450]

Michael Ellerman (2):
      powerpc/lib: Fix feature fixup test of external branch
         [32810d91325ec76b8ef4df463f8a0e9baf353322]
      powerpc/lib: Fix the feature fixup tests to actually work
         [cad0e39023b43d94d5e38dfd55c103e15bdd093d]

Michael Jeanson (1):
      powerpc/e500mc: Set assembler machine type to e500mc
         [69a8405999aa1c489de4b8d349468f0c2b83f093]

Michael Karcher (1):
      net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()).
         [9144c3795c2636351d553e4d0fc5297201182de2]

Michael Neuling (2):
      powerpc/ptrace: Fix enforcement of DAWR constraints
         [cd6ef7eebf171bfcba7dc2df719c2a4958775040]
      powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
         [4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3]

Michael Schmitz (1):
      m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
         [3f90f9ef2dda316d64e420d5d51ba369587ccc55]

Michal Hocko (2):
      mm, elf: handle vm_brk error
         [ecc2bc8ac03884266cf73f8a2a42b911465b2fbc]
      mm: do not bug_on on incorrect length in __mm_populate()
         [bb177a732c4369bb58a1fe1df8f552b6f0f7db5f]

Mika Westerberg (1):
      PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
         [13c65840feab8109194f9490c9870587173cb29d]

Mike Marciniszyn (1):
      IB/qib: Fix DMA api warning with debug kernel
         [0252f73334f9ef68868e4684200bea3565a4fcee]

Mike Snitzer (1):
      dm thin: handle running out of data space vs concurrent discard
         [a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3]

Miklos Szeredi (2):
      fuse: atomic_o_trunc should truncate pagecache
         [df0e91d488276086bc07da2e389986cae0048c37]
      fuse: fix control dir setup and teardown
         [6becdb601bae2a043d7fb9762c4d48699528ea6e]

Mikulas Patocka (3):
      branch-check: fix long->int truncation when profiling branches
         [2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe]
      dm bufio: drop the lock when doing GFP_NOIO allocation
         [41c73a49df31151f4ff868f28fe4f129f113fa2c]
      drm/udl: fix display corruption of the last line
         [99ec9e77511dea55d81729fc80b6c63a61bfa8e0]

Ming_qian (1):
      media: uvcvideo: Support realtek's UVC 1.5 device
         [f620d1d7afc7db57ab59f35000752840c91f67e7]

Nathan Chancellor (1):
      kconfig: Avoid format overflow warning from GCC 8.1
         [2ae89c7a82ea9d81a19b4fc2df23bef4b112f24e]

Nathan Sullivan (1):
      leds: do not overflow sysfs buffer in led_trigger_show
         [3b9b95363c45365d606ad4bbba16acca75fdf6d3]

NeilBrown (1):
      w1: support auto-load of w1_bq27000 module.
         [4b7e4f8289c1ca60accb6c1baf31984f69bc2771]

Nicholas Mc Guire (2):
      can: mpc5xxx_can: check of_iomap return before use
         [b5c1a23b17e563b656cc9bb76ce5323b997d90e8]
      drm: re-enable error handling
         [d530b5f1ca0bb66958a2b714bebe40a1248b9c15]

Nico Sneck (1):
      usb: quirks: add delay quirks for Corsair Strafe
         [bba57eddadda936c94b5dccf73787cb9e159d0a5]

OGAWA Hirofumi (1):
      fat: fix memory allocation failure handling of match_strdup()
         [35033ab988c396ad7bce3b6d24060c16a9066db8]

Olli Salonen (1):
      USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
         [367b160fe4717c14a2a978b6f9ffb75a7762d3ed]

Omar Sandoval (3):
      Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
         [0552210997badb6a60740a26ff9d976a416510f0]
      Btrfs: don't return ino to ino cache if inode item removal fails
         [c08db7d8d295a4f3a10faaca376de011afff7950]
      Btrfs: reserve space for O_TMPFILE orphan item deletion
         [399b0bbf5f680797d3599fa14f16706ffc470145]

Oscar Salvador (1):
      fs, elf: make sure to page align bss in load_elf_library
         [24962af7e1041b7e50c1bc71d8d10dc678c556b5]

Paul Bolle (1):
      eeepc-laptop: simplify parse_arg()
         [95369a73a957ad221f1d6b8f11a63a376f38c544]

Paul Burton (1):
      MIPS: Fix off-by-one in pci_resource_to_user()
         [38c0a74fe06da3be133cae3fb7bde6a9438e698b]

Paulo Alcantara (1):
      cifs: Fix infinite loop when using hard mount option
         [7ffbe65578b44fafdef577a360eb0583929f7c6e]

Paweł Chmiel (2):
      pinctrl: samsung: Correct EINTG banks order
         [5cf9a338db94cfd570aa2607bef1b30996f188e3]
      regulator: max8998: Fix platform data retrieval.
         [c1472737914fe5246a672fef6e85c9455de8473f]

Prabhakar Lad (1):
      media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS
         [d75cf0144f150272be806b69b4e62553ba07ea1b]

Pranay Kr. Srivastava (1):
      ext4: Fix WARN_ON_ONCE in ext4_commit_super()
         [4743f83990614af6adb09ea7aa3c37b78c4031ab]

Quinn Tran (1):
      scsi: qla2xxx: Fix ISP recovery on unload
         [b08abbd9f5996309f021684f9ca74da30dcca36a]

Rasmus Villemoes (1):
      net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics
         [e843bb199ba58ce5d1364d4c82fcf6975f08eec2]

Ronnie Sahlberg (1):
      cifs: store the leaseKey in the fid on SMB2_open
         [96164ab2d880c9539989bea68d4790f6fd619b1f]

Ross Lagerwall (4):
      xen-netfront: Fix mismatched rtnl_unlock
         [cb257783c2927b73614b20f915a91ff78aa6f3e8]
      xen-netfront: Fix race between device setup and open
         [f599c64fdf7d9c108e8717fb04bc41c680120da4]
      xen-netfront: Improve error handling during initialization
         [e2e004acc7cbe3c531e752a270a74e95cde3ea48]
      xen-netfront: Update features after registering netdev
         [45c8184c1bed1ca8a7f02918552063a00b909bf5]

Sabrina Dubroca (1):
      ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
         [848235edb5c93ed086700584c8ff64f6d7fc778d]

Sakari Ailus (1):
      media: v4l: event: Prevent freeing event subscriptions while accessed
         [ad608fbcf166fec809e402d548761768f602702c]

Scott Mayhew (1):
      nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
         [9c2ece6ef67e9d376f32823086169b489c422ed0]

Sean Young (1):
      media: rc: mce_kbd decoder: fix stuck keys
         [63039c29f7a4ce8a8bd165173840543c0098d7b0]

Sergey Senozhatsky (1):
      tools/lib/subcmd/pager.c: do not alias select() params
         [ad343a98e74e85aa91d844310e797f96fee6983b]

Shuah Khan (1):
      usbip: stub_rx: fix static checker warning on unnecessary checks
         [10c90120930628e8b959bf58d4a0aaef3ae5d945]

Siarhei Liakh (1):
      x86: Call fixup_exception() before notify_die() in math_error()
         [3ae6295ccb7cf6d344908209701badbbbb503e40]

Silvio Cesare (1):
      UBIFS: Fix potential integer overflow in allocation
         [353748a359f1821ee934afc579cf04572406b420]

Simon Wunderlich (1):
      batman-adv: unify flags access style in tt global add
         [ad7e2c466d8b0a7056cd248e1df6bb7296e014f7]

Snild Dolkow (1):
      kthread, tracing: Don't expose half-written comm when creating kthreads
         [3e536e222f2930534c252c1cc7ae799c725c5ff9]

Song Liu (1):
      perf/core: Fix group scheduling with mixed hw and sw events
         [a1150c202207cc8501bebc45b63c264f91959260]

Srinivas Kandagatla (2):
      ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
         [ff2faf1289c1f81b5b26b9451dd1c2006aac8db8]
      of: platform: stop accessing invalid dev in of_platform_device_destroy
         [522811e944ed9b36806faa019faec10f9d259cca]

Stefan Agner (1):
      mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
         [92748beac07c471d995fbec642b63572dc01b3dc]

Stefan M Schaeckeler (1):
      of: unittest: for strings, account for trailing \0 in property length field
         [3b9cf7905fe3ab35ab437b5072c883e609d3498d]

Stefan Potyra (1):
      w1: mxc_w1: Enable clock before calling clk_get_rate() on it
         [955bc61328dc0a297fb3baccd84e9d3aee501ed8]

Stefano Brivio (2):
      cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
         [729c0c9dd55204f0c9a823ac8a7bfa83d36c7e78]
      skbuff: Unconditionally copy pfmemalloc in __skb_clone()
         [e78bfb0751d4e312699106ba7efbed2bab1a53ca]

Steffen Maier (7):
      scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
         [512857a795cbbda5980efa4cdb3c0b6602330408]
      scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
         [8c3d20aada70042a39c6a6625be037c1472ca610]
      scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
         [6a76550841d412330bd86aed3238d1888ba70f0e]
      scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
         [96d9270499471545048ed8a6d7f425a49762283d]
      scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
         [d70aab55924b44f213fec2b900b095430b33eec6]
      scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
         [df30781699f53e4fd4c494c6f7dd16e3d5c21d30]
      scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
         [81979ae63e872ef650a7197f6ce6590059d37172]

Steven Rostedt (3):
      tracing: Fix double free of event_trigger_data
         [1863c387259b629e4ebfb255495f67cd06aa229b]
      tracing: Fix possible double free in event_enable_trigger_func()
         [15cc78644d0075e76d59476a4467e7143860f660]
      tracing: Quiet gcc warning about maybe unused link variable
         [2519c1bbe38d7acacc9aacba303ca6f97482ed53]

Sven Eckelmann (3):
      batman-adv: Fix debugfs path for renamed hardif
         [36dc621ceca1be3ec885aeade5fdafbbcc452a6d]
      batman-adv: Fix debugfs path for renamed softif
         [6da7be7d24b2921f8215473ba7552796dff05fe1]
      cfg80211: initialize sinfo in cfg80211_get_station
         [3c12d0486856b9eb89c2a9ac336713cba90813e3]

Tadeusz Struk (1):
      tpm: fix race condition in tpm_common_write()
         [3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df]

Takashi Iwai (5):
      ALSA: core: Assure control device to be registered at last
         [dc82e52492f684dcd5ed9e4773e72dbf2203d75e]
      ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation
         [f16041df4c360eccacfe90f96673b37829e4c959]
      ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
         [275ec0cb946cb75ac8977f662e608fce92f8b8a8]
      ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
         [b41f794f284966fd6ec634111e3b40d241389f96]
      xen-netfront: Use static attribute groups for sysfs entries
         [27b917e54bed7156c2b0249969ace34a5f585626]

Takashi Sakamoto (1):
      ALSA: hda/ca0132: fix build failure when a local macro is defined
         [8e142e9e628975b0dddd05cf1b095331dff6e2de]

Tetsuo Handa (4):
      driver core: Don't ignore class_dir_create_and_add() failure.
         [84d0c27d6233a9ba0578b20f5a09701eb66cee42]
      fuse: don't keep dead fuse_conn at fuse_fill_super().
         [543b8f8662fe6d21f19958b666ab0051af9db21a]
      n_tty: Access echo_* variables carefully.
         [ebec3f8f5271139df618ebdf8427e24ba102ba94]
      n_tty: Fix stall at n_tty_receive_char_special().
         [3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81]

Thadeu Lima de Souza Cascardo (1):
      fs/binfmt_misc.c: do not allow offset overflow
         [5cc41e099504b77014358b58567c5ea6293dd220]

Theodore Ts'o (7):
      ext4: add more mount time checks of the superblock
         [bfe0a5f47ada40d7984de67e59a7d3390b9b9ecc]
      ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
         [eb9b5f01c33adebc31cbc236c02695f605b0e417]
      ext4: check for allocation block validity with block group locked
         [8d5a803c6a6ce4ec258e31f76059ea5153ba46ef]
      ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
         [9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35]
      ext4: fix inline data updates with checksums enabled
         [362eca70b53389bddf3143fe20f53dcce2cfdf61]
      ext4: include the illegal physical block in the bad map ext4_error msg
         [bdbd6ce01a70f02e9373a584d0ae9538dcf0a121]
      random: mix rdrand with entropy sent in from userspace
         [81e69df38e2911b642ec121dec319fad2a4782f3]

Thomas Richter (2):
      perf: fix invalid bit in diagnostic entry
         [3c0a83b14ea71fef5ccc93a3bd2de5f892be3194]
      s390/cpum_sf: Add data entry sizes to sampling trailer entry
         [77715b7ddb446bd39a06f3376e85f4bb95b29bb8]

Tobias Jordan (1):
      spi: pxa2xx: check clk_prepare_enable() return value
         [62bbc864d1946c715063bd481bff3641fd1324e2]

Tokunori Ikegami (5):
      MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
         [2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175]
      mtd: cfi_cmdset_0002: Change definition naming to retry write operation
         [85a82e28b023de9b259a86824afbd6ba07bd6475]
      mtd: cfi_cmdset_0002: Change erase functions to check chip good only
         [79ca484b613041ca223f74b34608bb6f5221724b]
      mtd: cfi_cmdset_0002: Change erase functions to retry for error
         [45f75b8a919a4255f52df454f1ffdee0e42443b2]
      mtd: cfi_cmdset_0002: Change write buffer to check correct value
         [dfeae1073583dc35c33b32150e18b7048bbb37e6]

Tom Lendacky (1):
      x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
         [612bc3b3d4be749f73a513a17d9b3ee1330d3487]

Tomasz Kramkowski (2):
      HID: clamp input to logical range if no null state
         [c3883fe06488a483658ba5d849b70e49bee15e7c]
      HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter
         [9547837bdccb4af127528b36a73377150658b4ac]

Tommi Rantala (1):
      xfrm: fix missing dst_release() after policy blocking lbcast and multicast
         [8cc88773855f988d6a3bbf102bbd9dd9c828eb81]

Tushar Behera (1):
      usb: misc: usb3503: Update error code in print message
         [ec5734c41bee2ee7c938a8f34853d31cada7e67a]

Ulrik De Bie (1):
      Input: elantech - report the middle button of the touchpad
         [f386474e12a560e005ec7899e78f51f6bdc3cf41]

Valtteri Heikkilä (1):
      HID: reject input outside logical range only if null state is set
         [3f3752705dbd50b66b66ad7b4d54fe33d2f746ed]

Ville Syrjälä (1):
      x86/apm: Don't access __preempt_count with zeroed fs
         [6f6060a5c9cc76fdbc22748264e6aa3779ec2427]

Vineet Gupta (1):
      ARC: mm: allow mprotect to make stack mappings executable
         [93312b6da4df31e4102ce5420e6217135a16c7ea]

Vitaly Kuznetsov (1):
      xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
         [d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e]

Vladimir Zapolskiy (1):
      sh_eth: fix invalid context bug while changing link options by ethtool
         [5cb3f52a11e18628fc4bee76dd14b1f0b76349de]

Vlastimil Babka (1):
      mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
         [7810e6781e0fcbca78b91cf65053f895bf59e85f]

Wanpeng Li (1):
      KVM: x86: fix escape of guest dr6 to the host
         [efdab992813fb2ed825745625b83c05032e9cda2]

Willem de Bruijn (1):
      packet: refine ring v3 block size test to hold one frame
         [4576cd469d980317c4edd9173f8b694aa71ea3a3]

Xunlei Pang (1):
      sched/fair: Fix bandwidth timer clock drift condition
         [512ac999d2755d2b7109e996a76b6fb8b888631d]

Yoshihiro Shimoda (2):
      usb: gadget: function: printer: avoid spinlock recursion
         [9ada8c582088d32bd5c071c17213bc6edf37443a]
      usb: gadget: function: printer: avoid wrong list handling in printer_write()
         [4a014a7339f441b0851ce012f469c0fadac61c81]

YueHaibing (1):
      net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
         [64119e05f7b31e83e2555f6782e6cdc8f81c63f4]

Yuiko Oshino (1):
      smsc75xx: Add workaround for gigabit link up hardware errata.
         [d461e3da905332189aad546b2ad9adbe6071c7cc]

Zheng Yan (2):
      ceph: fix llistxattr on symlink
         [0abb43dcacb52145aa265f82c914375d59dfe2da]
      ceph: use lookup request to revalidate dentry
         [200fd27c8fa2ba8bb4529033967b69a7cbfa2c2e]

Zhong Jiang (1):
      sched/topology: Make local variables static
         [ace8031099f91480799b5929b4cccf2dcacc5136]

 Documentation/filesystems/proc.txt                 |  31 +-
 Makefile                                           |   4 +-
 arch/arc/include/asm/page.h                        |   2 +-
 arch/arc/include/asm/pgtable.h                     |   2 +-
 arch/arm/boot/dts/da850.dtsi                       |   6 +-
 arch/arm/include/asm/kgdb.h                        |   2 +-
 arch/arm64/include/asm/barrier.h                   |  20 ++
 arch/arm64/include/uapi/asm/kvm.h                  |   2 +-
 arch/m68k/include/asm/delay.h                      |  11 +-
 arch/m68k/mm/kmap.c                                |   3 +-
 arch/mips/bcm47xx/setup.c                          |   6 +
 arch/mips/include/asm/asmmacro.h                   |  11 +
 arch/mips/include/asm/compiler.h                   |   6 +
 arch/mips/include/asm/io.h                         |   2 +
 arch/mips/include/asm/mipsregs.h                   |   3 +
 arch/mips/include/asm/pci.h                        |   2 +-
 arch/powerpc/Makefile                              |   1 +
 arch/powerpc/kernel/entry_64.S                     |   1 +
 arch/powerpc/kernel/fadump.c                       |   3 +
 arch/powerpc/kernel/hw_breakpoint.c                |   4 +-
 arch/powerpc/kernel/ptrace.c                       |   1 +
 arch/powerpc/lib/feature-fixups-test.S             |   4 +-
 arch/powerpc/lib/feature-fixups.c                  | 180 +++++------
 arch/s390/include/asm/cpu_mf.h                     |   6 +-
 arch/x86/include/asm/apm.h                         |   6 -
 arch/x86/include/asm/barrier.h                     |   4 +-
 arch/x86/include/asm/cpufeature.h                  |   8 +-
 arch/x86/include/uapi/asm/msr-index.h              |   4 +-
 arch/x86/kernel/apic/apic.c                        |   3 +-
 arch/x86/kernel/apm_32.c                           |   5 +
 arch/x86/kernel/cpu/bugs.c                         |  17 +-
 arch/x86/kernel/cpu/common.c                       |  13 +-
 arch/x86/kernel/cpu/mcheck/mce.c                   |  21 +-
 arch/x86/kernel/traps.c                            |  14 +-
 arch/x86/kvm/cpuid.c                               |  10 +-
 arch/x86/kvm/cpuid.h                               |   2 +-
 arch/x86/kvm/svm.c                                 |   2 +-
 arch/x86/kvm/x86.c                                 |   6 +
 arch/xtensa/kernel/traps.c                         |   2 +-
 block/blk-mq-tag.c                                 |  42 ++-
 crypto/asymmetric_keys/x509_cert_parser.c          |   9 +
 drivers/acpi/acpi_lpss.c                           |   1 +
 drivers/ata/ahci.c                                 |  59 ++++
 drivers/ata/libata-core.c                          |   6 +-
 drivers/ata/libata-zpodd.c                         |   4 +-
 drivers/base/core.c                                |  14 +-
 drivers/base/power/wakeup.c                        |   1 -
 drivers/char/ipmi/ipmi_bt_sm.c                     |   3 +-
 drivers/char/random.c                              |  10 +-
 drivers/char/tpm/tpm-dev.c                         |  41 ++-
 drivers/clk/clk-si5351.c                           |  10 +-
 drivers/clk/qcom/clk-rcg2.c                        |   1 +
 drivers/crypto/padlock-aes.c                       |   8 +-
 drivers/dma/k3dma.c                                |   2 +-
 drivers/gpu/drm/drm_context.c                      |   2 +-
 drivers/gpu/drm/nouveau/nouveau_drm.c              |   7 -
 drivers/gpu/drm/nouveau/nouveau_gem.c              |   4 +-
 drivers/gpu/drm/udl/udl_fb.c                       |   5 +-
 drivers/gpu/drm/udl/udl_transfer.c                 |  11 +-
 drivers/hid/hid-ids.h                              |   3 +
 drivers/hid/hid-input.c                            |  20 +-
 drivers/hid/usbhid/hid-quirks.c                    |   1 +
 drivers/hid/usbhid/hiddev.c                        |  11 +
 drivers/infiniband/core/uverbs_cmd.c               |  27 +-
 drivers/infiniband/hw/mlx4/mad.c                   |   1 -
 drivers/infiniband/hw/mlx5/srq.c                   |  18 +-
 drivers/infiniband/hw/qib/qib.h                    |   3 +-
 drivers/infiniband/hw/qib/qib_file_ops.c           |  10 +-
 drivers/infiniband/hw/qib/qib_user_pages.c         |  20 +-
 drivers/infiniband/ulp/ipoib/ipoib.h               |   2 +-
 drivers/infiniband/ulp/ipoib/ipoib_main.c          |  33 +-
 drivers/infiniband/ulp/isert/ib_isert.c            |  27 +-
 drivers/input/mouse/elantech.c                     |  28 +-
 drivers/input/serio/i8042-x86ia64io.h              |  14 +
 drivers/iommu/dmar.c                               |   8 +-
 drivers/leds/led-triggers.c                        |  12 +-
 drivers/md/dm-bufio.c                              |  15 +-
 drivers/md/dm-thin.c                               |  11 +-
 drivers/media/dvb-core/dvb_frontend.c              |  23 +-
 drivers/media/dvb-frontends/drxd_hard.c            |   3 +-
 drivers/media/dvb-frontends/drxk_hard.c            |   3 +-
 drivers/media/i2c/smiapp/smiapp-core.c             |  11 +-
 drivers/media/platform/davinci/ccdc_hw_device.h    |  10 -
 drivers/media/platform/davinci/dm355_ccdc.c        |  92 +-----
 drivers/media/platform/davinci/dm644x_ccdc.c       | 151 +--------
 drivers/media/platform/davinci/vpfe_capture.c      |  75 -----
 drivers/media/platform/omap3isp/isp.c              |   7 -
 drivers/media/rc/imon.c                            |   2 +-
 drivers/media/rc/ir-mce_kbd-decoder.c              |   2 +
 drivers/media/usb/cx231xx/cx231xx-cards.c          |   3 +
 drivers/media/usb/uvc/uvc_video.c                  |  24 +-
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |   2 +-
 drivers/media/v4l2-core/v4l2-event.c               |  38 +--
 drivers/media/v4l2-core/v4l2-fh.c                  |   2 +
 drivers/mfd/tps65911-comparator.c                  |  17 +-
 drivers/misc/ibmasm/ibmasmfs.c                     |  27 +-
 drivers/mmc/host/sdhci-esdhc-imx.c                 |  18 +-
 drivers/mtd/chips/cfi_cmdset_0002.c                |  51 ++--
 drivers/mtd/nand/mxc_nand.c                        |   5 +-
 drivers/mtd/nand/omap2.c                           | 340 +++++++--------------
 drivers/net/can/cc770/cc770_platform.c             |   2 +-
 drivers/net/can/dev.c                              |  78 +++++
 drivers/net/can/grcan.c                            |   2 +-
 drivers/net/can/mscan/mpc5xxx_can.c                |   7 +-
 drivers/net/can/sja1000/sja1000_platform.c         |   2 +-
 drivers/net/can/usb/ems_usb.c                      |   1 +
 drivers/net/can/xilinx_can.c                       | 323 ++++++++++++++++----
 drivers/net/ethernet/8390/ax88796.c                |   1 -
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c    |   1 +
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c   |   2 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |   1 -
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c    |   2 +
 .../net/ethernet/mellanox/mlx4/resource_tracker.c  |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |   8 +-
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c  |   2 +
 drivers/net/ethernet/renesas/sh_eth.c              |  47 +--
 drivers/net/ethernet/ti/davinci_emac.c             |   4 +-
 drivers/net/usb/smsc75xx.c                         |  62 ++++
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c      |   2 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c  |   7 +-
 .../net/wireless/brcm80211/brcmfmac/wl_cfg80211.h  |   2 +-
 drivers/net/wireless/mwifiex/pcie.c                |   3 +-
 drivers/net/wireless/p54/fwio.c                    |   2 +-
 drivers/net/wireless/rtlwifi/rtl8723be/hw.c        |   2 +-
 drivers/net/xen-netfront.c                         | 295 +++++++-----------
 drivers/of/platform.c                              |   4 +-
 drivers/of/selftest.c                              |   8 +-
 drivers/pci/hotplug/ibmphp_core.c                  |   2 +-
 drivers/pci/hotplug/pciehp.h                       |   2 +-
 drivers/pci/hotplug/pciehp_core.c                  |   2 +-
 drivers/pci/hotplug/pciehp_hpc.c                   |  13 +-
 drivers/pci/hotplug/shpchp_ctrl.c                  |   8 +-
 drivers/pinctrl/pinctrl-exynos.c                   |   2 +-
 drivers/platform/x86/eeepc-laptop.c                |  36 +--
 drivers/pwm/pwm-lpss.c                             |  24 ++
 drivers/regulator/max8998.c                        |   3 +-
 drivers/s390/net/qeth_core.h                       |  11 +
 drivers/s390/net/qeth_core_main.c                  |  22 +-
 drivers/s390/scsi/zfcp_dbf.c                       |  39 +++
 drivers/s390/scsi/zfcp_erp.c                       | 123 ++++++--
 drivers/s390/scsi/zfcp_ext.h                       |   5 +
 drivers/s390/scsi/zfcp_scsi.c                      |  18 +-
 drivers/scsi/fnic/fnic_fcs.c                       |   3 +-
 drivers/scsi/qla2xxx/qla_init.c                    |  10 +-
 drivers/scsi/qla2xxx/qla_os.c                      |   5 +-
 drivers/scsi/qlogicpti.c                           |   6 +-
 drivers/scsi/sg.c                                  |  42 ++-
 drivers/scsi/sr.c                                  |  33 +-
 drivers/spi/spi-pxa2xx.c                           |  18 +-
 drivers/staging/android/ion/ion.c                  |   5 +-
 drivers/staging/android/ion/ion_heap.c             |   2 +-
 drivers/staging/iio/meter/ade7854-i2c.c            |  26 +-
 drivers/staging/iio/meter/ade7854.c                |  10 +-
 .../staging/iio/trigger/iio-trig-periodic-rtc.c    |   6 +-
 .../staging/rtl8192ee/btcoexist/halbtc8821a2ant.c  |   4 +-
 drivers/staging/rtl8192ee/rtl8192ee/hw.c           |  14 +-
 drivers/staging/usbip/stub_rx.c                    |  11 +-
 drivers/staging/vt6656/dpc.c                       |   4 +-
 drivers/staging/vt6656/main_usb.c                  |  23 +-
 drivers/target/target_core_pr.c                    |  22 +-
 drivers/tty/n_tty.c                                |  55 ++--
 drivers/tty/serial/amba-pl011.c                    |  15 +
 drivers/tty/vt/vt.c                                |  76 ++---
 drivers/usb/class/cdc-acm.c                        |   6 +
 drivers/usb/core/hub.c                             |  12 +-
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/gadget/f_uac2.c                        |   8 +-
 drivers/usb/gadget/printer.c                       |  13 +-
 drivers/usb/host/xhci-mem.c                        |   2 +-
 drivers/usb/misc/usb3503.c                         |   3 +-
 drivers/usb/serial/ch341.c                         |   2 +-
 drivers/usb/serial/cp210x.c                        |  15 +
 drivers/usb/serial/keyspan_pda.c                   |   4 +-
 drivers/usb/serial/mos7840.c                       |   3 +
 drivers/vhost/net.c                                |   3 +-
 drivers/video/backlight/as3711_bl.c                |  45 ++-
 drivers/video/backlight/max8925_bl.c               |   4 +-
 drivers/video/backlight/tps65217_bl.c              |   4 +-
 drivers/video/fbdev/omap/lcd_ams_delta.c           |   4 +
 drivers/video/fbdev/omap/lcd_h3.c                  |   4 +
 drivers/video/fbdev/omap/lcd_htcherald.c           |   4 +
 drivers/video/fbdev/omap/lcd_inn1510.c             |   4 +
 drivers/video/fbdev/omap/lcd_inn1610.c             |   4 +
 drivers/video/fbdev/omap/lcd_osk.c                 |   4 +
 drivers/video/fbdev/omap/lcd_palmte.c              |   4 +
 drivers/video/fbdev/omap/lcd_palmtt.c              |   4 +
 drivers/video/fbdev/omap/lcd_palmz71.c             |   4 +
 drivers/virtio/virtio_balloon.c                    |   2 +
 drivers/w1/masters/mxc_w1.c                        |  20 +-
 drivers/w1/slaves/w1_bq27000.c                     |   4 +-
 drivers/w1/w1.c                                    |   2 +-
 drivers/w1/w1_family.h                             |   1 +
 drivers/xen/events/events_base.c                   |   2 -
 fs/binfmt_elf.c                                    |  46 +--
 fs/binfmt_misc.c                                   |  12 +-
 fs/btrfs/inode.c                                   |  33 +-
 fs/cachefiles/bind.c                               |   3 +-
 fs/cachefiles/namei.c                              |   3 +-
 fs/cachefiles/rdwr.c                               |  17 +-
 fs/ceph/dir.c                                      |  39 +++
 fs/ceph/inode.c                                    |   1 +
 fs/ceph/super.h                                    |   9 +
 fs/ceph/xattr.c                                    |  10 +-
 fs/cifs/cifsglob.h                                 |   5 +-
 fs/cifs/cifsproto.h                                |   1 +
 fs/cifs/cifssmb.c                                  |  10 +-
 fs/cifs/connect.c                                  |   7 +-
 fs/cifs/smb1ops.c                                  |   1 +
 fs/cifs/smb2file.c                                 |  11 +-
 fs/cifs/smb2ops.c                                  |  13 +-
 fs/cifs/smb2pdu.c                                  |  33 +-
 fs/cifs/smb2pdu.h                                  |   6 +-
 fs/cifs/smb2transport.c                            |   1 +
 fs/cifs/transport.c                                |  18 +-
 fs/dcache.c                                        |  85 +++---
 fs/ext4/balloc.c                                   |   3 +
 fs/ext4/file.c                                     |  90 +++---
 fs/ext4/ialloc.c                                   |   5 +-
 fs/ext4/inline.c                                   |  18 +-
 fs/ext4/inode.c                                    |  70 +++--
 fs/ext4/resize.c                                   |   2 +-
 fs/ext4/super.c                                    |  75 +++--
 fs/ext4/xattr.c                                    |  31 +-
 fs/fat/inode.c                                     |  20 +-
 fs/fscache/cache.c                                 |   2 +-
 fs/fscache/cookie.c                                |   7 +-
 fs/fscache/object.c                                |   1 +
 fs/fscache/operation.c                             |   6 +-
 fs/fuse/control.c                                  |  13 +-
 fs/fuse/dir.c                                      |  13 +-
 fs/fuse/inode.c                                    |   1 +
 fs/namespace.c                                     |  27 +-
 fs/nfs/idmap.c                                     |   5 +-
 fs/nfsd/auth.c                                     |   2 +-
 fs/nfsd/nfs4xdr.c                                  |   5 +-
 fs/proc/task_mmu.c                                 |  74 ++---
 fs/proc/task_nommu.c                               |  32 +-
 fs/reiserfs/prints.c                               | 141 +++++----
 fs/squashfs/block.c                                |   2 +
 fs/squashfs/cache.c                                |   3 +
 fs/squashfs/file.c                                 |   8 +-
 fs/squashfs/fragment.c                             |   4 +-
 fs/squashfs/squashfs_fs.h                          |   6 +
 fs/ubifs/journal.c                                 |   5 +-
 fs/udf/directory.c                                 |   3 +
 include/linux/blkdev.h                             |   4 +-
 include/linux/can/dev.h                            |   3 +
 include/linux/compiler.h                           |   2 +-
 include/linux/cred.h                               |   9 +
 include/linux/dcache.h                             |  17 --
 include/linux/fs.h                                 |   5 +
 include/linux/libata.h                             |   1 +
 include/linux/mfd/as3711.h                         |   4 +-
 include/linux/mm.h                                 |   3 +-
 include/linux/perf_event.h                         |   8 +
 include/linux/ring_buffer.h                        |   1 +
 include/linux/string.h                             |   2 +-
 include/media/davinci/dm644x_ccdc.h                |  12 -
 include/media/davinci/vpfe_capture.h               |  10 -
 include/media/v4l2-fh.h                            |   1 +
 include/net/af_vsock.h                             |   4 +-
 include/net/net_namespace.h                        |   1 +
 include/net/netns/ipv6.h                           |   1 -
 include/sound/core.h                               |   2 +-
 include/uapi/linux/can/error.h                     |   1 +
 include/uapi/linux/kexec.h                         |   6 -
 include/uapi/linux/vt.h                            |   1 -
 kernel/events/core.c                               |  21 +-
 kernel/gcov/base.c                                 |  12 +
 kernel/gcov/gcc_4_7.c                              |   6 +-
 kernel/kthread.c                                   |   8 +-
 kernel/power/wakelock.c                            |   1 +
 kernel/sched/core.c                                |   2 +-
 kernel/sched/fair.c                                |  14 +-
 kernel/sched/sched.h                               |   2 +
 kernel/time.c                                      |   6 +-
 kernel/time/tick-sched.c                           |   2 +-
 kernel/trace/ring_buffer.c                         |  16 +
 kernel/trace/trace.c                               |   6 +
 kernel/trace/trace_events_trigger.c                |  18 +-
 kernel/trace/trace_functions_graph.c               |   7 +-
 kernel/trace/trace_kprobe.c                        |  15 +-
 mm/hugetlb.c                                       |   1 +
 mm/ksm.c                                           |  16 +-
 mm/mlock.c                                         |   2 -
 mm/mmap.c                                          |  13 +-
 mm/page_alloc.c                                    |   3 +-
 mm/rmap.c                                          |   4 +
 mm/swapfile.c                                      |   2 +-
 mm/util.c                                          |  34 +--
 net/batman-adv/Makefile                            |   2 +-
 net/batman-adv/debugfs.c                           |  48 ++-
 net/batman-adv/debugfs.h                           |  45 +++
 net/batman-adv/hard-interface.c                    |  37 ++-
 net/batman-adv/translation-table.c                 |   7 +-
 net/caif/caif_dev.c                                |   4 +-
 net/core/rtnetlink.c                               |   8 +-
 net/core/skbuff.c                                  |   1 +
 net/dccp/ccids/ccid2.c                             |   6 +-
 net/dns_resolver/dns_key.c                         |  28 +-
 net/ipv4/fib_frontend.c                            |   5 +-
 net/ipv4/fib_semantics.c                           |   2 +
 net/ipv4/igmp.c                                    |   3 +-
 net/ipv6/ip6mr.c                                   |   3 +-
 net/ipv6/mcast.c                                   |  12 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   6 +-
 net/l2tp/l2tp_netlink.c                            |   6 +
 net/l2tp/l2tp_ppp.c                                |  76 +++--
 net/netfilter/nf_log.c                             |   9 +-
 net/netfilter/nfnetlink_queue_core.c               |   3 +
 net/netlink/af_netlink.c                           |   5 +
 net/packet/af_packet.c                             |  10 +-
 net/sched/act_simple.c                             |  14 +-
 net/sctp/outqueue.c                                |  48 ++-
 net/socket.c                                       |   2 +
 net/vmw_vsock/af_vsock.c                           |  15 +-
 net/vmw_vsock/vmci_transport.c                     |   3 +-
 net/wireless/util.c                                |   2 +
 net/xfrm/xfrm_policy.c                             |   3 +
 net/xfrm/xfrm_user.c                               |  18 +-
 scripts/kconfig/confdata.c                         |   2 +-
 scripts/mod/devicetable-offsets.c                  |   3 +
 scripts/mod/file2alias.c                           |  11 +
 sound/core/device.c                                |   9 +
 sound/core/timer.c                                 |   2 +-
 sound/isa/msnd/msnd_pinnacle_mixer.c               |   3 +-
 sound/pci/hda/hda_controller.c                     |   4 +-
 sound/pci/hda/patch_ca0132.c                       |   8 +-
 sound/pci/hda/patch_conexant.c                     |   1 +
 sound/pci/hda/patch_realtek.c                      |   1 +
 sound/soc/cirrus/edb93xx.c                         |   2 +-
 sound/soc/cirrus/ep93xx-i2s.c                      |  26 +-
 sound/soc/cirrus/snappercl15.c                     |   2 +-
 sound/soc/soc-dapm.c                               |   2 +
 tools/arch/x86/include/asm/unistd_32.h             |   9 +
 tools/arch/x86/include/asm/unistd_64.h             |   9 +
 tools/include/linux/compiler.h                     |   9 +
 tools/perf/Makefile.perf                           |   2 -
 tools/perf/builtin-script.c                        |  82 +++--
 tools/perf/builtin-top.c                           |   2 +-
 tools/perf/builtin-trace.c                         |   5 +-
 tools/perf/config/Makefile                         |   1 +
 tools/perf/perf-sys.h                              |  18 --
 tools/perf/tests/attr.c                            |   4 +-
 tools/perf/tests/pmu.c                             |   2 +-
 tools/perf/util/cgroup.c                           |   2 +-
 tools/perf/util/event.c                            |  12 +-
 tools/perf/util/include/asm/unistd_32.h            |   1 -
 tools/perf/util/include/asm/unistd_64.h            |   1 -
 tools/perf/util/pager.c                            |   5 +-
 tools/perf/util/parse-events.c                     |  64 ++--
 tools/perf/util/pmu.c                              |   2 +-
 tools/perf/util/setup.py                           |   1 +
 tools/perf/util/thread.c                           |   2 +-
 tools/perf/util/thread_map.c                       |  10 +-
 tools/perf/util/util.h                             |   2 +
 tools/power/x86/turbostat/turbostat.c              |   4 +-
 357 files changed, 3362 insertions(+), 2348 deletions(-)

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.



* [PATCH 3.16 003/366] staging: vt6656: Fix misleading indentation
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Fix the compiler warnings:

drivers/staging/vt6656/dpc.c:712:5: warning: this 'if' clause does not guard...
drivers/staging/vt6656/main_usb.c:1101:7: warning: this 'if' clause does not guard...

by reducing indentation of the following statements in
RXbBulkInProcessData() and reformatting the kstrstr() function to
kernel coding style.

Both functions have been removed in a later version, so there is no
corresponding upstream commit.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/staging/vt6656/main_usb.c
+++ b/drivers/staging/vt6656/main_usb.c
@@ -1092,17 +1092,18 @@ out:
 
 /* find out the start position of str2 from str1 */
 static unsigned char *kstrstr(const unsigned char *str1,
-			      const unsigned char *str2) {
-  int str1_len = strlen(str1);
-  int str2_len = strlen(str2);
+			      const unsigned char *str2)
+{
+	int str1_len = strlen(str1);
+	int str2_len = strlen(str2);
 
-  while (str1_len >= str2_len) {
-       str1_len--;
-      if(memcmp(str1,str2,str2_len)==0)
-	return (unsigned char *) str1;
-        str1++;
-  }
-  return NULL;
+	while (str1_len >= str2_len) {
+		str1_len--;
+		if (memcmp(str1, str2, str2_len) == 0)
+			return (unsigned char *)str1;
+		str1++;
+	}
+	return NULL;
 }
 
 static int Config_FileGetParameter(unsigned char *string,
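Review bot: kstrstr() still declares `int str1_len = strlen(str1);` and `int str2_len = strlen(str2);` after the reformat, so a size_t result is narrowed to int and then handed back to memcmp() as a length. Since every line of the body is being rewritten anyway, both could become size_t. The return statement `return (unsigned char *)str1;` also drops the const qualifier of the parameter without a comment explaining that callers are expected to treat the result as read-only.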
--- a/drivers/staging/vt6656/dpc.c
+++ b/drivers/staging/vt6656/dpc.c
@@ -712,8 +712,8 @@ int RXbBulkInProcessData(struct vnt_priv
     if (FrameSize < 12)
         return false;
 
-	skb->data += cbHeaderOffset;
-	skb->tail += cbHeaderOffset;
+    skb->data += cbHeaderOffset;
+    skb->tail += cbHeaderOffset;
     skb_put(skb, FrameSize);
     skb->protocol=eth_type_trans(skb, skb->dev);
     skb->ip_summed=CHECKSUM_NONE;
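Review bot: the two added lines `skb->data += cbHeaderOffset;` and `skb->tail += cbHeaderOffset;` are indented with four spaces, which matches the surrounding context but not the tab indentation that the main_usb.c hunk adopts, and the commit message only mentions kernel coding style for kstrstr(). The message should say that dpc.c deliberately keeps the file's existing space indentation. Both statements were already unconditional after `if (FrameSize < 12)` / `return false;`, so behaviour is unchanged.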



* [PATCH 3.16 021/366] net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()).
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Schmitz, Geert Uytterhoeven, David S. Miller,
	Michael Karcher

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>

commit 9144c3795c2636351d553e4d0fc5297201182de2 upstream.

This complements the fix in 82533ad9a1c ("net: ethernet: ax88796:
don't call free_irq without request_irq first") that removed the
free_irq call in the error path of probe, to also not call free_irq
when remove is called to revert the effects of probe.

Fixes: 82533ad9a1c (net: ethernet: ax88796: don't call free_irq without request_irq first)
Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/8390/ax88796.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/ethernet/8390/ax88796.c
+++ b/drivers/net/ethernet/8390/ax88796.c
@@ -812,7 +812,6 @@ static int ax_remove(struct platform_dev
 	struct resource *mem;
 
 	unregister_netdev(dev);
-	free_irq(dev->irq, dev);
 
 	iounmap(ei_local->mem);
 	mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
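Review bot: ax_remove() is left with no statement that releases the IRQ and no comment saying where that happens. A short comment next to `unregister_netdev(dev);` stating that the IRQ is freed in ax_close(), as the subject line says, would keep a later cleanup from re-adding `free_irq(dev->irq, dev);` here.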



* [PATCH 3.16 100/366] fuse: fix control dir setup and teardown
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot, Miklos Szeredi

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.

syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
clear d_inode(dentry)->i_private field.

Fix by only adding the dentry to the array after being fully set up.

When tearing down the control directory, do d_invalidate() on it to get rid
of any mounts that might have been added.

[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
Reported-by: syzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/control.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr
 	if (!dentry)
 		return NULL;
 
-	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
 	inode = new_inode(fuse_control_sb);
-	if (!inode)
+	if (!inode) {
+		dput(dentry);
 		return NULL;
+	}
 
 	inode->i_ino = get_next_ino();
 	inode->i_mode = mode;
@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr
 	set_nlink(inode, nlink);
 	inode->i_private = fc;
 	d_add(dentry, inode);
+
+	fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+
 	return dentry;
 }
 
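Review bot: the relocated store `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` has no bound check visible in this hunk or the previous one. If the function does not already assert that fc->ctl_ndents is below the array size before this point, add the check next to the store. Placing the store after d_add() is the right order, since the array then only ever holds dentries that have an inode attached.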
@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co
 	for (i = fc->ctl_ndents - 1; i >= 0; i--) {
 		struct dentry *dentry = fc->ctl_dentry[i];
 		dentry->d_inode->i_private = NULL;
-		d_drop(dentry);
+		if (!i) {
+			/* Get rid of submounts: */
+			d_invalidate(dentry);
+		}
 		dput(dentry);
 	}
 	drop_nlink(fuse_control_sb->s_root->d_inode);
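Review bot: `if (!i)` relies on ctl_dentry[0] being the per-connection directory, which nothing in this loop states. The comment should say so, and should note that the other entries are no longer unhashed with d_drop() and are only released through `dput(dentry);`. The unconditional `dentry->d_inode->i_private = NULL;` is safe only because of the ordering change in fuse_ctl_add_dentry(), which also deserves a word here.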



* [PATCH 3.16 175/366] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Joakim Tjernlund

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.

The "sector is in requested range" test used to determine whether
sectors should be re-locked or not is done on a variable that is reset
every time we cross a chip boundary, which can lead to some blocks being
re-locked while the caller expects them to be unlocked.
Fix the check to make sure this cannot happen.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2340,7 +2340,7 @@ static int __maybe_unused cfi_ppb_unlock
 		 * sectors shall be unlocked, so lets keep their locking
 		 * status at "unlocked" (locked=0) for the final re-locking.
 		 */
-		if ((adr < ofs) || (adr >= (ofs + len))) {
+		if ((offset < ofs) || (offset >= (ofs + len))) {
 			sect[sectors].chip = &cfi->chips[chipnum];
 			sect[sectors].adr = adr;
 			sect[sectors].locked = do_ppb_xxlock(
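Review bot: the condition now tests `offset` while the record below it still stores `sect[sectors].adr = adr;`, and nothing in the hunk says why the two differ. A line in the existing comment block stating that `offset` is what gets compared against the requested range `ofs` to `ofs + len`, and that `adr` is the value reset at each chip boundary (per the commit message), would keep the two from being confused again.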



* [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, David Vrabel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Vrabel <david.vrabel@citrix.com>

commit a5b5dc3ce4df4f05f4d81c7d3c56a7604b242093 upstream.

Since netfront may reconnect to a backend with a different number of
queues, all per-queue Rx and Tx resources (skbs and grant references)
should be freed when disconnecting.

Without this fix, the Tx and Rx grant refs are not released and
netfront will exhaust them after only a few reconnections.  netfront
will fail to connect when no free grant references are available.

Since all Rx bufs are freed and reallocated instead of reused this
will add some additional delay to the reconnection but this is
expected to be small compared to the time taken by any backend hotplug
scripts etc.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 68 ++++----------------------------------
 1 file changed, 7 insertions(+), 61 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1194,22 +1194,6 @@ static void xennet_release_rx_bufs(struc
 	spin_unlock_bh(&queue->rx_lock);
 }
 
-static void xennet_uninit(struct net_device *dev)
-{
-	struct netfront_info *np = netdev_priv(dev);
-	unsigned int num_queues = dev->real_num_tx_queues;
-	struct netfront_queue *queue;
-	unsigned int i;
-
-	for (i = 0; i < num_queues; ++i) {
-		queue = &np->queues[i];
-		xennet_release_tx_bufs(queue);
-		xennet_release_rx_bufs(queue);
-		gnttab_free_grant_references(queue->gref_tx_head);
-		gnttab_free_grant_references(queue->gref_rx_head);
-	}
-}
-
 static netdev_features_t xennet_fix_features(struct net_device *dev,
 	netdev_features_t features)
 {
@@ -1311,7 +1295,6 @@ static void xennet_poll_controller(struc
 
 static const struct net_device_ops xennet_netdev_ops = {
 	.ndo_open            = xennet_open,
-	.ndo_uninit          = xennet_uninit,
 	.ndo_stop            = xennet_close,
 	.ndo_start_xmit      = xennet_start_xmit,
 	.ndo_change_mtu	     = xennet_change_mtu,
@@ -1454,6 +1437,11 @@ static void xennet_disconnect_backend(st
 		if (netif_running(info->netdev))
 			napi_synchronize(&queue->napi);
 
+		xennet_release_tx_bufs(queue);
+		xennet_release_rx_bufs(queue);
+		gnttab_free_grant_references(queue->gref_tx_head);
+		gnttab_free_grant_references(queue->gref_rx_head);
+
 		/* End access and free the pages */
 		xennet_end_access(queue->tx_ring_ref, queue->tx.sring);
 		xennet_end_access(queue->rx_ring_ref, queue->rx.sring);
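Review bot: `xennet_release_tx_bufs(queue);` is called here without queue->tx_lock, while the code this patch deletes from xennet_connect() wrapped the same call in `spin_lock_irq(&queue->tx_lock);` and `spin_unlock_irq(&queue->tx_lock);`. If the lock is unnecessary at this point because the queue is already quiesced, say so in a comment; otherwise take it around the call.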
@@ -2009,10 +1997,7 @@ static int xennet_connect(struct net_dev
 {
 	struct netfront_info *np = netdev_priv(dev);
 	unsigned int num_queues = 0;
-	int i, requeue_idx, err;
-	struct sk_buff *skb;
-	grant_ref_t ref;
-	struct xen_netif_rx_request *req;
+	int err;
 	unsigned int feature_rx_copy;
 	unsigned int j = 0;
 	struct netfront_queue *queue = NULL;
@@ -2039,47 +2024,8 @@ static int xennet_connect(struct net_dev
 	netdev_update_features(dev);
 	rtnl_unlock();
 
-	/* By now, the queue structures have been set up */
-	for (j = 0; j < num_queues; ++j) {
-		queue = &np->queues[j];
-
-		/* Step 1: Discard all pending TX packet fragments. */
-		spin_lock_irq(&queue->tx_lock);
-		xennet_release_tx_bufs(queue);
-		spin_unlock_irq(&queue->tx_lock);
-
-		/* Step 2: Rebuild the RX buffer freelist and the RX ring itself. */
-		spin_lock_bh(&queue->rx_lock);
-
-		for (requeue_idx = 0, i = 0; i < NET_RX_RING_SIZE; i++) {
-			skb_frag_t *frag;
-			const struct page *page;
-			if (!queue->rx_skbs[i])
-				continue;
-
-			skb = queue->rx_skbs[requeue_idx] = xennet_get_rx_skb(queue, i);
-			ref = queue->grant_rx_ref[requeue_idx] = xennet_get_rx_ref(queue, i);
-			req = RING_GET_REQUEST(&queue->rx, requeue_idx);
-
-			frag = &skb_shinfo(skb)->frags[0];
-			page = skb_frag_page(frag);
-			gnttab_grant_foreign_access_ref(
-				ref, queue->info->xbdev->otherend_id,
-				pfn_to_mfn(page_to_pfn(page)),
-				0);
-			req->gref = ref;
-			req->id   = requeue_idx;
-
-			requeue_idx++;
-		}
-
-		queue->rx.req_prod_pvt = requeue_idx;
-
-		spin_unlock_bh(&queue->rx_lock);
-	}
-
 	/*
-	 * Step 3: All public and private state should now be sane.  Get
+	 * All public and private state should now be sane.  Get
 	 * ready to start sending and receiving packets and give the driver
 	 * domain a kick because we've probably just requeued some
 	 * packets.
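Review bot: the retained comment still ends with "because we've probably just requeued some packets", but the loop that rebuilt the RX ring and requeued buffers is deleted in this same hunk. Dropping only the "Step 3:" prefix leaves the comment misleading; reword it so that it no longer refers to requeued packets.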



* [PATCH 3.16 320/366] make sure that __dentry_kill() always invalidates d_seq, unhashed or not
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Dae R. Jeong

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 4c0d7cd5c8416b1ef41534d19163cb07ffaa03ab upstream.

RCU pathwalk relies upon the assumption that anything that changes
->d_inode of a dentry will invalidate its ->d_seq.  That's almost
true - the one exception is that the final dput() of already unhashed
dentry does *not* touch ->d_seq at all.  Unhashing does, though,
so for anything we'd found by RCU dcache lookup we are fine.
Unfortunately, we can *start* with an unhashed dentry or jump into
it.

We could try and be careful in the (few) places where that could
happen.  Or we could just make the final dput() invalidate the damn
thing, unhashed or not.  The latter is much simpler and easier to
backport, so let's do it that way.

Reported-by: "Dae R. Jeong" <threeearcat@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -340,14 +340,11 @@ static void dentry_unlink_inode(struct d
 	__releases(dentry->d_inode->i_lock)
 {
 	struct inode *inode = dentry->d_inode;
-	bool hashed = !d_unhashed(dentry);
 
-	if (hashed)
-		raw_write_seqcount_begin(&dentry->d_seq);
+	raw_write_seqcount_begin(&dentry->d_seq);
 	__d_clear_type_and_inode(dentry);
 	hlist_del_init(&dentry->d_u.d_alias);
-	if (hashed)
-		raw_write_seqcount_end(&dentry->d_seq);
+	raw_write_seqcount_end(&dentry->d_seq);
 	spin_unlock(&dentry->d_lock);
 	spin_unlock(&inode->i_lock);
 	if (!inode->i_nlink)
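Review bot: the now unconditional `raw_write_seqcount_begin(&dentry->d_seq);` carries no comment, so the reason it must not be skipped for unhashed dentries lives only in the commit message. A one-line comment that RCU pathwalk can start from, or jump into, an unhashed dentry would protect the pair from being made conditional again.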



* [PATCH 3.16 308/366] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alan Stern, Bart Van Assche, Johannes Thumshirn,
	Martin K. Petersen, Maurizio Lombardi

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>

commit 1214fd7b497400d200e3f4e64e2338b303a20949 upstream.

Surround scsi_execute() calls with scsi_autopm_get_device() and
scsi_autopm_put_device(). Note: removing sr_mutex protection from the
scsi_cd_get() and scsi_cd_put() calls is safe because the purpose of
sr_mutex is to serialize cdrom_*() calls.

This patch avoids that complaints similar to the following appear in the
kernel log if runtime power management is enabled:

INFO: task systemd-udevd:650 blocked for more than 120 seconds.
     Not tainted 4.18.0-rc7-dbg+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
systemd-udevd   D28176   650    513 0x00000104
Call Trace:
__schedule+0x444/0xfe0
schedule+0x4e/0xe0
schedule_preempt_disabled+0x18/0x30
__mutex_lock+0x41c/0xc70
mutex_lock_nested+0x1b/0x20
__blkdev_get+0x106/0x970
blkdev_get+0x22c/0x5a0
blkdev_open+0xe9/0x100
do_dentry_open.isra.19+0x33e/0x570
vfs_open+0x7c/0xd0
path_openat+0x6e3/0x1120
do_filp_open+0x11c/0x1c0
do_sys_open+0x208/0x2d0
__x64_sys_openat+0x59/0x70
do_syscall_64+0x77/0x230
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Maurizio Lombardi <mlombard@redhat.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16:
 - Update one extra "goto out" in sr_block_ioctl() and delete the unused
   label
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -521,16 +521,25 @@ static int sr_init_command(struct scsi_c
 static int sr_block_open(struct block_device *bdev, fmode_t mode)
 {
 	struct scsi_cd *cd;
+	struct scsi_device *sdev;
 	int ret = -ENXIO;
 
-	mutex_lock(&sr_mutex);
 	cd = scsi_cd_get(bdev->bd_disk);
-	if (cd) {
-		ret = cdrom_open(&cd->cdi, bdev, mode);
-		if (ret)
-			scsi_cd_put(cd);
-	}
+	if (!cd)
+		goto out;
+
+	sdev = cd->device;
+	scsi_autopm_get_device(sdev);
+
+	mutex_lock(&sr_mutex);
+	ret = cdrom_open(&cd->cdi, bdev, mode);
 	mutex_unlock(&sr_mutex);
+
+	scsi_autopm_put_device(sdev);
+	if (ret)
+		scsi_cd_put(cd);
+
+out:
 	return ret;
 }
 
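Review bot: the result of `scsi_autopm_get_device(sdev);` in sr_block_open() is discarded, and `scsi_autopm_put_device(sdev);` is then called unconditionally. If the get can fail, the error should be returned before cdrom_open() is attempted and the put skipped; if failure cannot matter here, a comment should say why. The `out:` label has a single user and could be a plain `return ret;` at the `if (!cd)` test.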
@@ -553,6 +562,8 @@ static int sr_block_ioctl(struct block_d
 
 	mutex_lock(&sr_mutex);
 
+	scsi_autopm_get_device(sdev);
+
 	/*
 	 * Send SCSI addressing ioctls directly to mid level, send other
 	 * ioctls to cdrom/block level.
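Review bot: sr_block_ioctl() calls `scsi_autopm_get_device(sdev);` after `mutex_lock(&sr_mutex);`, whereas sr_block_open() in the previous hunk takes the runtime-PM reference before the mutex and drops it after mutex_unlock(). Since the commit message says sr_mutex exists only to serialize cdrom_*() calls, use the same order in both functions, with the PM reference held outside the mutex, or document why the ioctl path differs.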
@@ -561,12 +572,12 @@ static int sr_block_ioctl(struct block_d
 	case SCSI_IOCTL_GET_IDLUN:
 	case SCSI_IOCTL_GET_BUS_NUMBER:
 		ret = scsi_ioctl(sdev, cmd, argp);
-		goto out;
+		goto put;
 	}
 
 	ret = cdrom_ioctl(&cd->cdi, bdev, mode, cmd, arg);
 	if (ret != -ENOSYS)
-		goto out;
+		goto put;
 
 	/*
 	 * ENODEV means that we didn't recognise the ioctl, or that we
@@ -577,10 +588,12 @@ static int sr_block_ioctl(struct block_d
 	ret = scsi_nonblockable_ioctl(sdev, cmd, argp,
 					(mode & FMODE_NDELAY) != 0);
 	if (ret != -ENODEV)
-		goto out;
+		goto put;
 	ret = scsi_ioctl(sdev, cmd, argp);
 
-out:
+put:
+	scsi_autopm_put_device(sdev);
+
 	mutex_unlock(&sr_mutex);
 	return ret;
 }



* [PATCH 3.16 364/366] perf trace: Do not process PERF_RECORD_LOST twice
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adrian Hunter, Wang Nan, Namhyung Kim,
	Arnaldo Carvalho de Melo, David Ahern, Jiri Olsa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 3ed5ca2efff70e9f589087c2013789572901112d upstream.

We catch this record to provide a visual indication that events are
getting lost, then call the default method to allow extra logging shared
with the other tools to take place.

This extra logging was done twice because we were continuing to the
"default" clause where machine__process_event() will end up calling
machine__process_lost_event() again, fix it.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-wus2zlhw3qo24ye84ewu4aqw@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/builtin-trace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1359,6 +1359,7 @@ static int trace__process_event(struct t
 		color_fprintf(trace->output, PERF_COLOR_RED,
 			      "LOST %" PRIu64 " events!\n", event->lost.lost);
 		ret = machine__process_lost_event(machine, event, sample);
+		break;
 	default:
 		ret = machine__process_event(machine, event, sample);
 		break;



* [PATCH 3.16 334/366] HID: clamp input to logical range if no null state
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Tissoires, Tomasz Kramkowski, Jiri Kosina

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomasz Kramkowski <tk@the-tk.com>

commit c3883fe06488a483658ba5d849b70e49bee15e7c upstream.

This patch fixes an issue in drivers/hid/hid-input.c where values
outside of the logical range are not clamped when "null state" bit of
the input control is not set.

This was discussed on the lists [1] and this change stems from the fact
that due to the ambiguity of the HID specification it might be appropriate to
follow Microsoft's own interpretation of the specification. As noted in
Microsoft's documentation [2] in the section titled "Required HID usages
for digitizers" it is noted that values reported outside the logical
range "will be considered as invalid data and the value will be changed
to the nearest boundary value (logical min/max)."

This patch fixes an issue where the (1292:4745) Innomedia INNEX
GENESIS/ATARI reports out of range values for its X and Y axis of the
DPad which, due to the null state bit being unset, are forwarded to
userspace as is. Now these values will get clamped to the logical range
before being forwarded to userspace. This device was also used to test
this patch.

This patch expands on commit 3f3752705dbd ("HID: reject input outside
logical range only if null state is set").

[1]: http://lkml.kernel.org/r/20170307131036.GA853@gaia.local
[2]: https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp

Signed-off-by: Tomasz Kramkowski <tk@the-tk.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-input.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1087,19 +1087,26 @@ void hidinput_hid_event(struct hid_devic
 
 	/*
 	 * Ignore out-of-range values as per HID specification,
-	 * section 5.10 and 6.2.25.
+	 * section 5.10 and 6.2.25, when NULL state bit is present.
+	 * When it's not, clamp the value to match Microsoft's input
+	 * driver as mentioned in "Required HID usages for digitizers":
+	 * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp
 	 *
 	 * The logical_minimum < logical_maximum check is done so that we
 	 * don't unintentionally discard values sent by devices which
 	 * don't specify logical min and max.
 	 */
 	if ((field->flags & HID_MAIN_ITEM_VARIABLE) &&
-	    (field->flags & HID_MAIN_ITEM_NULL_STATE) &&
-	    (field->logical_minimum < field->logical_maximum) &&
-	    (value < field->logical_minimum ||
-	     value > field->logical_maximum)) {
-		dbg_hid("Ignoring out-of-range value %x\n", value);
-		return;
+	    (field->logical_minimum < field->logical_maximum)) {
+		if (field->flags & HID_MAIN_ITEM_NULL_STATE &&
+		    (value < field->logical_minimum ||
+		     value > field->logical_maximum)) {
+			dbg_hid("Ignoring out-of-range value %x\n", value);
+			return;
+		}
+		value = clamp(value,
+			      field->logical_minimum,
+			      field->logical_maximum);
 	}
 
 	/*
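
Review bot: the new clamp() at the end of the block rewrites out-of-range values silently. The null-state branch just above it logs "Ignoring out-of-range value", but nothing records that a report was altered. A dbg_hid() when the clamped value differs from the original would make misbehaving descriptors diagnosable. Minor: `field->flags & HID_MAIN_ITEM_NULL_STATE &&` drops the parentheses that the outer condition uses around its flag test.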



* [PATCH 3.16 325/366] ceph: use lookup request to revalidate dentry
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (281 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 294/366] ring_buffer: tracing: Inherit the tracing setting to next ring buffer Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Ben Hutchings
                   ` (83 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yan, Zheng, Bryan Henderson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Yan, Zheng" <zyan@redhat.com>

commit 200fd27c8fa2ba8bb4529033967b69a7cbfa2c2e upstream.

If dentry has no lease, ceph_d_revalidate() previously returned 0.
This causes VFS to invalidate the dentry and create a new dentry
for later lookup. Invalidating a dentry also detaches any underneath
mount points. So mount point inside cephfs can disappear mystically
(even the mount point is not modified by other hosts).

The fix is using lookup request to revalidate dentry without lease.
This can partly solve the mount points disappear issue (as long as
the mount point is not modified by other hosts)

Signed-off-by: Yan, Zheng <zyan@redhat.com>
Cc: Bryan Henderson <bryanh@giraffe-data.com>
[bwh: Backported to 3.16: Add the ceph_security_xattr_wanted() function]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/dir.c   | 34 ++++++++++++++++++++++++++++++++++
 fs/ceph/inode.c |  1 +
 2 files changed, 35 insertions(+)

--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1064,6 +1064,40 @@ static int ceph_d_revalidate(struct dent
 			valid = 1;
 	}
 
+	if (!valid) {
+		struct ceph_mds_client *mdsc =
+			ceph_sb_to_client(dir->i_sb)->mdsc;
+		struct ceph_mds_request *req;
+		int op, mask, err;
+
+		op = ceph_snap(dir) == CEPH_SNAPDIR ?
+			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_LOOKUP;
+		req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
+		if (!IS_ERR(req)) {
+			req->r_dentry = dget(dentry);
+			req->r_num_caps = 2;
+
+			mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
+			if (ceph_security_xattr_wanted(dir))
+				mask |= CEPH_CAP_XATTR_SHARED;
+			req->r_args.getattr.mask = mask;
+
+			req->r_locked_dir = dir;
+			err = ceph_mdsc_do_request(mdsc, NULL, req);
+			if (err == 0 || err == -ENOENT) {
+				if (dentry == req->r_dentry) {
+					valid = !d_unhashed(dentry);
+				} else {
+					d_invalidate(req->r_dentry);
+					err = -EAGAIN;
+				}
+			}
+			ceph_mdsc_put_request(req);
+			dout("d_revalidate %p lookup result=%d\n",
+			     dentry, err);
+		}
+	}
+
 	dout("d_revalidate %p %s\n", dentry, valid ? "valid" : "invalid");
 	if (valid) {
 		ceph_dentry_lru_touch(dentry);
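
Review bot: in the new `if (!valid)` block, a failure of ceph_mdsc_create_request() is dropped without a trace: the IS_ERR(req) case falls through with no dout() and the error code is never looked at, and the `err = -EAGAIN` set in the else branch is only printed, never returned. Either log the create failure or say in a comment that treating it as "invalid" is intended. Also, ceph_mdsc_do_request() waits on the MDS, so it is worth confirming (the hunk does not show it) that ceph_d_revalidate() has already bailed out of RCU-walk before reaching this point.
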
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -1251,6 +1251,7 @@ retry_lookup:
 			dout(" %p links to %p %llx.%llx, not %llx.%llx\n",
 			     dn, dn->d_inode, ceph_vinop(dn->d_inode),
 			     ceph_vinop(in));
+			d_invalidate(dn);
 			have_lease = false;
 		}
 
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -736,6 +736,15 @@ extern void __ceph_destroy_xattrs(struct
 extern void __init ceph_xattr_init(void);
 extern void ceph_xattr_exit(void);
 
+#ifdef CONFIG_SECURITY
+extern bool ceph_security_xattr_wanted(struct inode *in);
+#else
+static inline bool ceph_security_xattr_wanted(struct inode *in)
+{
+	return false;
+}
+#endif
+
 /* acl.c */
 extern const struct xattr_handler *ceph_xattr_handlers[];
 
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1128,3 +1128,10 @@ int ceph_removexattr(struct dentry *dent
 
 	return __ceph_removexattr(dentry, name);
 }
+
+#ifdef CONFIG_SECURITY
+bool ceph_security_xattr_wanted(struct inode *in)
+{
+	return in->i_security != NULL;
+}
+#endif
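
Review bot: ceph_security_xattr_wanted() has no comment explaining why a non-NULL `in->i_security` means the security xattr should be requested, and the caller in dir.c relies on that to add CEPH_CAP_XATTR_SHARED to the mask. A one-line comment above the function would do. The diffstat at the top also lists only dir.c and inode.c, while the patch touches super.h and xattr.c as well.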



* [PATCH 3.16 306/366] squashfs: more metadata hardening
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 235/366] USB: serial: keyspan_pda: fix modem-status error handling Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 051/366] rpmsg: Correct support for MODULE_DEVICE_TABLE() Ben Hutchings
                   ` (75 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Anatoly Trosinenko, Phillip Lougher, Linus Torvalds

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit d512584780d3e6a7cacb2f482834849453d444a1 upstream.

Anatoly reports another squashfs fuzzing issue, where the decompression
parameters themselves are in a compressed block.

This causes squashfs_read_data() to be called in order to read the
decompression options before the decompression stream having been set
up, making squashfs go sideways.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Acked-by: Phillip Lougher <phillip.lougher@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/squashfs/block.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/squashfs/block.c
+++ b/fs/squashfs/block.c
@@ -166,6 +166,8 @@ int squashfs_read_data(struct super_bloc
 	}
 
 	if (compressed) {
+		if (!msblk->stream)
+			goto read_failure;
 		length = squashfs_decompress(msblk, bh, b, offset, length,
 			output);
 		if (length < 0)
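
Review bot: the `!msblk->stream` check has no comment, and the condition it guards against (a compressed block being read before the decompression stream has been set up, per the commit message) is not obvious from the code alone; a short comment above the `if` would help. It also sits inside `if (compressed)`, after the preceding block has completed, so a bad image is only rejected late in squashfs_read_data(); if the compressed flag is known earlier, rejecting there would be cheaper.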



* [PATCH 3.16 289/366] cachefiles: Fix refcounting bug in backing-file read monitoring
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 253/366] fs, elf: make sure to page align bss in load_elf_library Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 159/366] x86/speculation: Fix up array_index_nospec_mask() asm constraint Ben Hutchings
                   ` (332 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Howells, Anthony DeRobertis, Lei Xue,
	Kiran Kumar Modukuri, Vegard Nossum, NeilBrown, Daniel Axtens

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit 934140ab028713a61de8bca58c05332416d037d1 upstream.

cachefiles_read_waiter() has the right to access a 'monitor' object by
virtue of being called under the waitqueue lock for one of the pages in its
purview.  However, it has no ref on that monitor object or on the
associated operation.

What it is allowed to do is to move the monitor object to the operation's
to_do list, but once it drops the work_lock, it's actually no longer
permitted to access that object.  However, it is trying to enqueue the
retrieval operation for processing - but it can only do this via a pointer
in the monitor object, something it shouldn't be doing.

If it doesn't enqueue the operation, the operation may not get processed.
If the order is flipped so that the enqueue is first, then it's possible
for the work processor to look at the to_do list before the monitor is
enqueued upon it.

Fix this by getting a ref on the operation so that we can trust that it
will still be there once we've added the monitor to the to_do list and
dropped the work_lock.  The op can then be enqueued after the lock is
dropped.

The bug can manifest in one of a couple of ways.  The first manifestation
looks like:

 FS-Cache:
 FS-Cache: Assertion failed
 FS-Cache: 6 == 5 is false
 ------------[ cut here ]------------
 kernel BUG at fs/fscache/operation.c:494!
 RIP: 0010:fscache_put_operation+0x1e3/0x1f0
 ...
 fscache_op_work_func+0x26/0x50
 process_one_work+0x131/0x290
 worker_thread+0x45/0x360
 kthread+0xf8/0x130
 ? create_worker+0x190/0x190
 ? kthread_cancel_work_sync+0x10/0x10
 ret_from_fork+0x1f/0x30

This is due to the operation being in the DEAD state (6) rather than
INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through
fscache_put_operation().

The bug can also manifest like the following:

 kernel BUG at fs/fscache/operation.c:69!
 ...
    [exception RIP: fscache_enqueue_operation+246]
 ...
 #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6
 #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48
 #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028

I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not
entirely clear which assertion failed.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Reported-by: Lei Xue <carmark.dlut@gmail.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Reported-by: Anthony DeRobertis <aderobertis@metrics.net>
Reported-by: NeilBrown <neilb@suse.com>
Reported-by: Daniel Axtens <dja@axtens.net>
Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cachefiles/rdwr.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/cachefiles/rdwr.c
+++ b/fs/cachefiles/rdwr.c
@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q
 	struct cachefiles_one_read *monitor =
 		container_of(wait, struct cachefiles_one_read, monitor);
 	struct cachefiles_object *object;
+	struct fscache_retrieval *op = monitor->op;
 	struct wait_bit_key *key = _key;
 	struct page *page = wait->private;
 
@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q
 	list_del(&wait->task_list);
 
 	/* move onto the action list and queue for FS-Cache thread pool */
-	ASSERT(monitor->op);
+	ASSERT(op);
 
-	object = container_of(monitor->op->op.object,
-			      struct cachefiles_object, fscache);
+	/* We need to temporarily bump the usage count as we don't own a ref
+	 * here otherwise cachefiles_read_copier() may free the op between the
+	 * monitor being enqueued on the op->to_do list and the op getting
+	 * enqueued on the work queue.
+	 */
+	fscache_get_retrieval(op);
 
+	object = container_of(op->op.object, struct cachefiles_object, fscache);
 	spin_lock(&object->work_lock);
-	list_add_tail(&monitor->op_link, &monitor->op->to_do);
+	list_add_tail(&monitor->op_link, &op->to_do);
 	spin_unlock(&object->work_lock);
 
-	fscache_enqueue_retrieval(monitor->op);
+	fscache_enqueue_retrieval(op);
+	fscache_put_retrieval(op);
 	return 0;
 }
 
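Review bot: fscache_put_retrieval(op) at the end of cachefiles_read_waiter() now drops a reference from inside the wake-up callback, which the commit message says runs under the waitqueue lock. If that put can ever be the last one, the release path has to be safe in that context, and the new comment should say why it is (or why it cannot be the last ref). Separately, `op` is loaded from monitor->op in the declarations, before fscache_get_retrieval() pins it, so the comment could state what keeps monitor->op stable up to that point.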



* [PATCH 3.16 270/366] scsi: qla2xxx: Fix ISP recovery on unload
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 019/366] media: v4l2-compat-ioctl32: prevent go past max size Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 097/366] mtd: cfi_cmdset_0002: Change definition naming to retry write operation Ben Hutchings
                   ` (240 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Himanshu Madhani, Quinn Tran, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Quinn Tran <quinn.tran@cavium.com>

commit b08abbd9f5996309f021684f9ca74da30dcca36a upstream.

During the unload process, the chip can encounter a problem where a FW dump would
be captured. For this case, the full reset sequence will be skipped to bring
the chip back to full operational state.

Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_os.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -4963,8 +4963,9 @@ qla2x00_do_dpc(void *data)
 			}
 		}
 
-		if (test_and_clear_bit(ISP_ABORT_NEEDED,
-						&base_vha->dpc_flags)) {
+		if (test_and_clear_bit
+		    (ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&
+		    !test_bit(UNLOADING, &base_vha->dpc_flags)) {
 
 			ql_dbg(ql_dbg_dpc, base_vha, 0x4007,
 			    "ISP abort scheduled.\n");

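Review bot: in the rewritten condition, test_and_clear_bit(ISP_ABORT_NEEDED, ...) is evaluated before the UNLOADING test, so during unload the ISP_ABORT_NEEDED flag is still cleared even though the abort is skipped. If that is intended, a comment should say so; if not, test UNLOADING first. The line break between `test_and_clear_bit` and its argument list is also unusual; breaking after the first argument, as the removed lines did, reads better.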


* [PATCH 3.16 304/366] netlink: Do not subscribe to non-existent groups
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 355/366] perf thread_map: Use readdir() instead of deprecated readdir_r() Ben Hutchings
                   ` (244 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Herbert Xu, Dmitry Safonov, David S. Miller, netdev,
	Steffen Klassert

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

commit 7acf9d4237c46894e0fa0492dd96314a41742e84 upstream.

Make ABI more strict about subscribing to group > ngroups.
Code doesn't check for that and it looks bogus.
(one can subscribe to non-existing group)
Still, it's possible to bind() to all possible groups with (-1)

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/af_netlink.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -927,6 +927,7 @@ static int netlink_bind(struct socket *s
 		if (err)
 			return err;
 	}
+	groups &= (1UL << nlk->ngroups) - 1;
 
 	if (nlk->portid)
 		if (nladdr->nl_pid != nlk->portid)
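
Review bot: `(1UL << nlk->ngroups) - 1` is undefined when nlk->ngroups is equal to or larger than the width of unsigned long, and nothing in this hunk bounds ngroups before the shift. Guard the shift (for example, leave `groups` unmasked when ngroups is at least BITS_PER_LONG) or build the mask another way. The mask is also applied silently, so a caller asking for a non-existent group gets success with fewer groups than requested; the commit message calls this a stricter ABI, which deserves a comment at the line.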



* [PATCH 3.16 279/366] can: mpc5xxx_can: check of_iomap return before use
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 201/366] nfsd: silence sparse warning about accessing credentials Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Ben Hutchings
                   ` (166 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Nicholas Mc Guire

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 upstream.

of_iomap() can return NULL so that return needs to be checked and NULL
treated as failure. While at it also take care of the missing
of_node_put() in the error path.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/mscan/mpc5xxx_can.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/can/mscan/mpc5xxx_can.c
+++ b/drivers/net/can/mscan/mpc5xxx_can.c
@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct
 		return 0;
 	}
 	cdm = of_iomap(np_cdm, 0);
+	if (!cdm) {
+		of_node_put(np_cdm);
+		dev_err(&ofdev->dev, "can't map clock node!\n");
+		return 0;
+	}
 
 	if (in_8(&cdm->ipb_clk_sel) & 0x1)
 		freq *= 2;
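
Review bot: the new `!cdm` path returns 0, the same value as the error return just above it, so the caller cannot distinguish a failed mapping from the earlier failure and has only the dev_err() text to go on. That is consistent with the existing code, but the function would benefit from a comment stating what a return of 0 means to callers.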



* [PATCH 3.16 271/366] scsi: qla2xxx: Return error when TMF returns
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (319 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 295/366] tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure Ben Hutchings
                   ` (45 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Himanshu Madhani, Anil Gurumurthy, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anil Gurumurthy <anil.gurumurthy@cavium.com>

commit b4146c4929ef61d5afca011474d59d0918a0cd82 upstream.

Propagate the task management completion status properly to avoid
unnecessary waits for commands to complete.

Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling")
Signed-off-by: Anil Gurumurthy <anil.gurumurthy@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_init.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -323,11 +323,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
 
 	wait_for_completion(&tm_iocb->u.tmf.comp);
 
-	rval = tm_iocb->u.tmf.comp_status == CS_COMPLETE ?
-	    QLA_SUCCESS : QLA_FUNCTION_FAILED;
+	rval = tm_iocb->u.tmf.data;
 
-	if ((rval != QLA_SUCCESS) || tm_iocb->u.tmf.data) {
-		ql_dbg(ql_dbg_taskm, vha, 0x8030,
+	if (rval != QLA_SUCCESS) {
+		ql_log(ql_log_warn, vha, 0x8030,
 		    "TM IOCB failed (%x).\n", rval);
 	}
 
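Review bot: `rval = tm_iocb->u.tmf.data` now returns whatever the completion path stored in tmf.data and compares it with QLA_SUCCESS, while tmf.comp_status is no longer consulted at all. Nothing in this hunk shows that tmf.data always holds a QLA_* code, so a comment at the assignment (or on the field) should state that contract. The message also moves from ql_dbg to ql_log at warn level under the same id 0x8030, which the commit message does not mention.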



* [PATCH 3.16 330/366] fs/proc: Stop trying to report thread stacks
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (261 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 333/366] HID: reject input outside logical range only if null state is set Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 126/366] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset Ben Hutchings
                   ` (103 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Borislav Petkov, Peter Zijlstra,
	Andy Lutomirski, Kees Cook, Ingo Molnar, Tycho Andersen,
	Brian Gerst, Johannes Weiner, Linux API, Thomas Gleixner,
	Jann Horn, Al Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit b18cb64ead400c01bf1580eeba330ace51f8087d upstream.

This reverts more of:

  b76437579d13 ("procfs: mark thread stack correctly in proc/<pid>/maps")

... which was partially reverted by:

  65376df58217 ("proc: revert /proc/<pid>/maps [stack:TID] annotation")

Originally, /proc/PID/task/TID/maps was the same as /proc/TID/maps.

In current kernels, /proc/PID/maps (or /proc/TID/maps even for
threads) shows "[stack]" for VMAs in the mm's stack address range.

In contrast, /proc/PID/task/TID/maps uses KSTK_ESP to guess the
target thread's stack's VMA.  This is racy, probably returns garbage
and, on arches with CONFIG_TASK_INFO_IN_THREAD=y, is also crash-prone:
KSTK_ESP is not safe to use on tasks that aren't known to be running
ordinary process-context kernel code.

This patch removes the difference and just shows "[stack]" for VMAs
in the mm's stack range.  This is IMO much more sensible -- the
actual "stack" address really is treated specially by the VM code,
and the current thread stack isn't even well-defined for programs
that frequently switch stacks on their own.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux API <linux-api@vger.kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tycho Andersen <tycho.andersen@canonical.com>
Link: http://lkml.kernel.org/r/3e678474ec14e0a0ec34c611016753eea2e1b8ba.1475257877.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: Squash in the earlier commits 58cb65487e92
 "proc/maps: make vm_is_stack() logic namespace-friendly" and 
 65376df58217 "proc: revert /proc/<pid>/maps [stack:TID] annotation",
 which would introduce build failures if applied separately.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -250,13 +250,28 @@ static int do_maps_open(struct inode *in
 	return ret;
 }
 
+/*
+ * Indicate if the VMA is a stack for the given task; for
+ * /proc/PID/maps that is the stack of the main task.
+ */
+static int is_stack(struct proc_maps_private *priv,
+		    struct vm_area_struct *vma)
+{
+	/*
+	 * We make no effort to guess what a given thread considers to be
+	 * its "stack".  It's not even well-defined for programs written
+	 * languages like Go.
+	 */
+	return vma->vm_start <= vma->vm_mm->start_stack &&
+		vma->vm_end >= vma->vm_mm->start_stack;
+}
+
 static void
 show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
 {
 	struct mm_struct *mm = vma->vm_mm;
 	struct file *file = vma->vm_file;
 	struct proc_maps_private *priv = m->private;
-	struct task_struct *task = priv->task;
 	vm_flags_t flags = vma->vm_flags;
 	unsigned long ino = 0;
 	unsigned long long pgoff = 0;
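
Review bot: is_stack() takes `priv` but never uses it; the body only reads vma->vm_mm->start_stack. Drop the parameter or note why it is kept. The inner comment is missing a word ("programs written languages like Go" should read "written in languages"), and the header comment's "for the given task" no longer matches a function that ignores the task.
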
@@ -304,8 +319,6 @@ show_map_vma(struct seq_file *m, struct
 
 	name = arch_vma_name(vma);
 	if (!name) {
-		pid_t tid;
-
 		if (!mm) {
 			name = "[vdso]";
 			goto done;
@@ -317,22 +330,8 @@ show_map_vma(struct seq_file *m, struct
 			goto done;
 		}
 
-		tid = vm_is_stack(task, vma, is_pid);
-
-		if (tid != 0) {
-			/*
-			 * Thread stack in /proc/PID/task/TID/maps or
-			 * the main process stack.
-			 */
-			if (!is_pid || (vma->vm_start <= mm->start_stack &&
-			    vma->vm_end >= mm->start_stack)) {
-				name = "[stack]";
-			} else {
-				/* Thread stack in /proc/PID/maps */
-				seq_pad(m, ' ');
-				seq_printf(m, "[stack:%d]", tid);
-			}
-		}
+		if (is_stack(priv, vma))
+			name = "[stack]";
 	}
 
 done:
@@ -1433,19 +1432,8 @@ static int show_numa_map(struct seq_file
 		seq_path(m, &file->f_path, "\n\t= ");
 	} else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
 		seq_puts(m, " heap");
-	} else {
-		pid_t tid = vm_is_stack(task, vma, is_pid);
-		if (tid != 0) {
-			/*
-			 * Thread stack in /proc/PID/task/TID/maps or
-			 * the main process stack.
-			 */
-			if (!is_pid || (vma->vm_start <= mm->start_stack &&
-			    vma->vm_end >= mm->start_stack))
-				seq_puts(m, " stack");
-			else
-				seq_printf(m, " stack:%d", tid);
-		}
+	} else if (is_stack(proc_priv, vma)) {
+		seq_puts(m, " stack");
 	}
 
 	if (is_vm_hugetlb_page(vma))
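
Review bot: the new branch calls is_stack(proc_priv, vma), but this hunk does not show a `proc_priv` in show_numa_map(), and the other call sites in this patch pass `priv`; please confirm the name is in scope in the 3.16 version of the function. With the vm_is_stack() call gone, any `task` local that existed only to feed it would be left unused.
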
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -123,6 +123,20 @@ unsigned long task_statm(struct mm_struc
 	return size;
 }
 
+static int is_stack(struct proc_maps_private *priv,
+		    struct vm_area_struct *vma)
+{
+	struct mm_struct *mm = vma->vm_mm;
+
+	/*
+	 * We make no effort to guess what a given thread considers to be
+	 * its "stack".  It's not even well-defined for programs written
+	 * languages like Go.
+	 */
+	return vma->vm_start <= mm->start_stack &&
+		vma->vm_end >= mm->start_stack;
+}
+
 /*
  * display a single VMA to a sequenced file
  */
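
Review bot: this is_stack() is a second copy of the helper added to fs/proc/task_mmu.c in the same patch, with the same unused `priv` parameter and the same comment (including the missing "in" in "written languages like Go"). A single shared definition would keep the two from drifting apart.
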
@@ -162,21 +176,9 @@ static int nommu_vma_show(struct seq_fil
 	if (file) {
 		seq_pad(m, ' ');
 		seq_path(m, &file->f_path, "");
-	} else if (mm) {
-		pid_t tid = vm_is_stack(priv->task, vma, is_pid);
-
-		if (tid != 0) {
-			seq_pad(m, ' ');
-			/*
-			 * Thread stack in /proc/PID/task/TID/maps or
-			 * the main process stack.
-			 */
-			if (!is_pid || (vma->vm_start <= mm->start_stack &&
-			    vma->vm_end >= mm->start_stack))
-				seq_printf(m, "[stack]");
-			else
-				seq_printf(m, "[stack:%d]", tid);
-		}
+	} else if (mm && is_stack(priv, vma)) {
+		seq_pad(m, ' ');
+		seq_printf(m, "[stack]");
 	}
 
 	seq_putc(m, '\n');
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1239,8 +1239,7 @@ int set_page_dirty_lock(struct page *pag
 int clear_page_dirty_for_io(struct page *page);
 int get_cmdline(struct task_struct *task, char *buffer, int buflen);
 
-extern pid_t
-vm_is_stack(struct task_struct *task, struct vm_area_struct *vma, int in_group);
+int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t);
 
 extern unsigned long move_page_tables(struct vm_area_struct *vma,
 		unsigned long old_addr, struct vm_area_struct *new_vma,
--- a/mm/util.c
+++ b/mm/util.c
@@ -255,43 +255,11 @@ void __vma_link_list(struct mm_struct *m
 }
 
 /* Check if the vma is being used as a stack by this task */
-static int vm_is_stack_for_task(struct task_struct *t,
-				struct vm_area_struct *vma)
+int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t)
 {
 	return (vma->vm_start <= KSTK_ESP(t) && vma->vm_end >= KSTK_ESP(t));
 }
 
-/*
- * Check if the vma is being used as a stack.
- * If is_group is non-zero, check in the entire thread group or else
- * just check in the current task. Returns the pid of the task that
- * the vma is stack for.
- */
-pid_t vm_is_stack(struct task_struct *task,
-		  struct vm_area_struct *vma, int in_group)
-{
-	pid_t ret = 0;
-
-	if (vm_is_stack_for_task(task, vma))
-		return task->pid;
-
-	if (in_group) {
-		struct task_struct *t;
-
-		rcu_read_lock();
-		for_each_thread(task, t) {
-			if (vm_is_stack_for_task(t, vma)) {
-				ret = t->pid;
-				goto done;
-			}
-		}
-done:
-		rcu_read_unlock();
-	}
-
-	return ret;
-}
-
 #if defined(CONFIG_MMU) && !defined(HAVE_ARCH_PICK_MMAP_LAYOUT)
 void arch_pick_mmap_layout(struct mm_struct *mm)
 {
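
Review bot: vma_is_stack_for_task() is made non-static and declared in include/linux/mm.h, yet its body still uses KSTK_ESP(t), which the commit message describes as unsafe for tasks not known to be running ordinary process-context kernel code, and this patch removes its only visible callers. The comment above it should carry that restriction, or the function should stay private if nothing in 3.16 needs it. The argument order is also swapped relative to the old vm_is_stack(task, vma, ...), which is easy to get wrong at a call site.
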
--- a/Documentation/filesystems/proc.txt
+++ b/Documentation/filesystems/proc.txt
@@ -335,7 +335,7 @@ address           perms offset  dev   in
 a7cb1000-a7cb2000 ---p 00000000 00:00 0
 a7cb2000-a7eb2000 rw-p 00000000 00:00 0
 a7eb2000-a7eb3000 ---p 00000000 00:00 0
-a7eb3000-a7ed5000 rw-p 00000000 00:00 0          [stack:1001]
+a7eb3000-a7ed5000 rw-p 00000000 00:00 0
 a7ed5000-a8008000 r-xp 00000000 03:00 4222       /lib/libc.so.6
 a8008000-a800a000 r--p 00133000 03:00 4222       /lib/libc.so.6
 a800a000-a800b000 rw-p 00135000 03:00 4222       /lib/libc.so.6
@@ -367,40 +367,11 @@ is not associated with a file:
 
  [heap]                   = the heap of the program
  [stack]                  = the stack of the main process
- [stack:1001]             = the stack of the thread with tid 1001
  [vdso]                   = the "virtual dynamic shared object",
                             the kernel system call handler
 
  or if empty, the mapping is anonymous.
 
-The /proc/PID/task/TID/maps is a view of the virtual memory from the viewpoint
-of the individual tasks of a process. In this file you will see a mapping marked
-as [stack] if that task sees it as a stack. This is a key difference from the
-content of /proc/PID/maps, where you will see all mappings that are being used
-as stack by all of those tasks. Hence, for the example above, the task-level
-map, i.e. /proc/PID/task/TID/maps for thread 1001 will look like this:
-
-08048000-08049000 r-xp 00000000 03:00 8312       /opt/test
-08049000-0804a000 rw-p 00001000 03:00 8312       /opt/test
-0804a000-0806b000 rw-p 00000000 00:00 0          [heap]
-a7cb1000-a7cb2000 ---p 00000000 00:00 0
-a7cb2000-a7eb2000 rw-p 00000000 00:00 0
-a7eb2000-a7eb3000 ---p 00000000 00:00 0
-a7eb3000-a7ed5000 rw-p 00000000 00:00 0          [stack]
-a7ed5000-a8008000 r-xp 00000000 03:00 4222       /lib/libc.so.6
-a8008000-a800a000 r--p 00133000 03:00 4222       /lib/libc.so.6
-a800a000-a800b000 rw-p 00135000 03:00 4222       /lib/libc.so.6
-a800b000-a800e000 rw-p 00000000 00:00 0
-a800e000-a8022000 r-xp 00000000 03:00 14462      /lib/libpthread.so.0
-a8022000-a8023000 r--p 00013000 03:00 14462      /lib/libpthread.so.0
-a8023000-a8024000 rw-p 00014000 03:00 14462      /lib/libpthread.so.0
-a8024000-a8027000 rw-p 00000000 00:00 0
-a8027000-a8043000 r-xp 00000000 03:00 8317       /lib/ld-linux.so.2
-a8043000-a8044000 r--p 0001b000 03:00 8317       /lib/ld-linux.so.2
-a8044000-a8045000 rw-p 0001c000 03:00 8317       /lib/ld-linux.so.2
-aff35000-aff4a000 rw-p 00000000 00:00 0
-ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
-
 The /proc/PID/smaps is an extension based on maps, showing the memory
 consumption for each of the process's mappings. For each of mappings there
 is a series of lines such as the following:
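
Review bot: with the paragraph and example for /proc/PID/task/TID/maps removed, the document no longer says what that file shows. One sentence stating that it now marks [stack] the same way as /proc/PID/maps would record the behaviour the commit message describes.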



* [PATCH 3.16 162/366] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (300 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 188/366] batman-adv: Fix debugfs path for renamed softif Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 231/366] cifs: Fix use after free of a mid_q_entry Ben Hutchings
                   ` (64 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joakim Tjernlund, Boris Brezillon

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.

cfi_ppb_unlock() tries to relock all sectors that were locked before
unlocking the whole chip.
This locking used the chip start address + the FULL offset from the
first flash chip, thereby forming an illegal address. Fix that by using
the chip offset (adr).

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2206,7 +2206,7 @@ static int cfi_atmel_unlock(struct mtd_i
 
 struct ppb_lock {
 	struct flchip *chip;
-	loff_t offset;
+	unsigned long adr;
 	int locked;
 };
 
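Review bot: the renamed field `adr` carries no comment saying it is an address relative to the chip rather than to the start of the device, which is exactly the distinction this fix turns on. A short comment on the struct member would keep the next change from reintroducing the full offset.
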
@@ -2342,7 +2342,7 @@ static int __maybe_unused cfi_ppb_unlock
 		 */
 		if ((adr < ofs) || (adr >= (ofs + len))) {
 			sect[sectors].chip = &cfi->chips[chipnum];
-			sect[sectors].offset = offset;
+			sect[sectors].adr = adr;
 			sect[sectors].locked = do_ppb_xxlock(
 				map, &cfi->chips[chipnum], adr, 0,
 				DO_XXLOCK_ONEBLOCK_GETLOCK);
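Review bot: the unchanged test `if ((adr < ofs) || (adr >= (ofs + len)))`
just above the new assignment compares `adr`, which this patch treats as
the chip-relative address, with `ofs` and `ofs + len`. If `ofs` is an
offset into the whole device, as the removed `offset` was, the comparison
mixes the two address spaces on every chip after the first and can select
the wrong sectors for re-locking. Worth confirming which space `ofs` is in
and, if needed, testing the device-wide offset here instead.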
@@ -2386,7 +2386,7 @@ static int __maybe_unused cfi_ppb_unlock
 	 */
 	for (i = 0; i < sectors; i++) {
 		if (sect[i].locked)
-			do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
+			do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
 				      DO_XXLOCK_ONEBLOCK_LOCK);
 	}
 



* [PATCH 3.16 220/366] x86/bugs: Add AMD's variant of SSB_NO
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Woodhouse, H. Peter Anvin, Tom Lendacky,
	Andy Lutomirski, Borislav Petkov, andrew.cooper3,
	Janakarajan Natarajan, Thomas Gleixner, kvm,
	Konrad Rzeszutek Wilk

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 24809860012e0130fbafe536709e08a22b3e959e upstream.

The AMD document outlining the SSBD handling
124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
mentions that the CPUID 8000_0008.EBX[26] will mean that the
speculative store bypass disable is no longer needed.

A copy of this document is available at:
    https://bugzilla.kernel.org/show_bug.cgi?id=199889

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Cc: kvm@vger.kernel.org
Cc: andrew.cooper3@citrix.com
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/20180601145921.9500-2-konrad.wilk@oracle.com
[bwh: Backported to 3.16:
 - The feature bit is in feature word 11
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/cpufeature.h | 1 +
 arch/x86/kernel/cpu/common.c      | 3 ++-
 arch/x86/kvm/cpuid.c              | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -257,6 +257,7 @@
 #define X86_FEATURE_AMD_IBRS		(11*32+14) /* "" Indirect Branch Restricted Speculation */
 #define X86_FEATURE_AMD_STIBP		(11*32+15) /* "" Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_VIRT_SSBD		(11*32+25) /* Virtualized Speculative Store Bypass Disable */
+#define X86_FEATURE_AMD_SSB_NO		(11*32+26) /* "" Speculative Store Bypass is fixed in hardware. */
 
 /*
  * BUG word(s)
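Review bot: the comment on X86_FEATURE_AMD_SSB_NO begins with `""`, which
keeps the flag out of /proc/cpuinfo, matching AMD_IBRS and AMD_STIBP above
but not VIRT_SSBD. If administrators are expected to see that the CPU
reports Speculative Store Bypass as fixed in hardware, consider giving it
a visible name; otherwise a sentence in the changelog on why it stays
hidden would help.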
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -865,7 +865,8 @@ static void __init cpu_set_bug_bits(stru
 		rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
 
 	if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
-	   !(ia32_cap & ARCH_CAP_SSB_NO))
+	   !(ia32_cap & ARCH_CAP_SSB_NO) &&
+	   !cpu_has(c, X86_FEATURE_AMD_SSB_NO))
 		setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
 
 	if (x86_match_cpu(cpu_no_speculation))
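Review bot: the new `!cpu_has(c, X86_FEATURE_AMD_SSB_NO)` term only works
if feature word 11 of `c` has already been filled from CPUID
8000_0008.EBX when cpu_set_bug_bits() runs. The backport note says the bit
lives in feature word 11 on 3.16, so please confirm that word is populated
before this point on this branch; otherwise X86_BUG_SPEC_STORE_BYPASS is
still forced on CPUs that report the bit.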
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -302,7 +302,7 @@ static inline int __do_cpuid_ent(struct
 
 	/* cpuid 0x80000008.ebx */
 	const u32 kvm_cpuid_8000_0008_ebx_x86_features =
-		F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD);
+		F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD) | F(AMD_SSB_NO);
 
 	/* cpuid 0xC0000001.edx */
 	const u32 kvm_supported_word5_x86_features =
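Review bot: adding F(AMD_SSB_NO) to kvm_cpuid_8000_0008_ebx_x86_features
makes the bit visible to guests, and a guest that sees it will treat SSB
as needing no mitigation. The changelog only describes the host-side
meaning of CPUID 8000_0008.EBX[26]; it should also state this
guest-visible effect.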



* [PATCH 3.16 222/366] x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, andrew.cooper3, H. Peter Anvin, David Woodhouse, Kees Cook,
	Konrad Rzeszutek Wilk, Borislav Petkov, KarimAllah Ahmed, kvm,
	Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 108fab4b5c8f12064ef86e02cb0459992affb30f upstream.

Both AMD and Intel can have SPEC_CTRL_MSR for SSBD.

However AMD also has two more other ways of doing it - which
are !SPEC_CTRL MSR ways.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: kvm@vger.kernel.org
Cc: KarimAllah Ahmed <karahmed@amazon.de>
Cc: andrew.cooper3@citrix.com
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/20180601145921.9500-4-konrad.wilk@oracle.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/bugs.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -573,17 +573,12 @@ static enum ssb_mitigation __init __ssb_
 		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
 		 * use a completely different MSR and bit dependent on family.
 		 */
-		switch (boot_cpu_data.x86_vendor) {
-		case X86_VENDOR_INTEL:
-		case X86_VENDOR_AMD:
-			if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
-				x86_amd_ssb_disable();
-				break;
-			}
+		if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+			x86_amd_ssb_disable();
+		else {
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
-			break;
 		}
 	}
 
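Review bot: with the vendor switch gone, the
`if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))` branch now calls
x86_amd_ssb_disable() for every vendor that lacks the SPEC_CTRL MSR, not
only Intel and AMD. Please confirm x86_amd_ssb_disable() does nothing on
CPUs without the AMD-specific controls, and say so in the comment above.
As a style point, the `if` branch has no braces while the `else` branch
does; kernel coding style asks for braces on both once one branch needs
them.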



* [PATCH 3.16 134/366] UBIFS: Fix potential integer overflow in allocation
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Silvio Cesare, Kees Cook

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Silvio Cesare <silvio.cesare@gmail.com>

commit 353748a359f1821ee934afc579cf04572406b420 upstream.

There is potential for the size and len fields in ubifs_data_node to be
too large causing either a negative value for the length fields or an
integer overflow leading to an incorrect memory allocation. Likewise,
when the len field is small, an integer underflow may occur.

Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
Signed-off-by: Kees Cook <keescook@chromium.org>
[bwh: Backported to 3.16: We have a different set of length variables in
 recomp_data_node()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ubifs/journal.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -1099,10 +1099,11 @@ out_free:
 static int recomp_data_node(struct ubifs_data_node *dn, int *new_len)
 {
 	void *buf;
-	int err, len, compr_type, out_len;
+	int err, compr_type;
+	u32 len, out_len;
 
 	out_len = le32_to_cpu(dn->size);
-	buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+	buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
 	if (!buf)
 		return -ENOMEM;
 
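Review bot: kmalloc_array() only catches the multiplication overflow;
`out_len = le32_to_cpu(dn->size)` is still taken from the node unchecked,
so a corrupt node can request any size up to the allocator's limit.
Consider rejecting an out-of-range `dn->size` before allocating. Also,
`len` and `out_len` are now u32 while the result is returned through
`int *new_len`, and the underflow for a small `len` that the changelog
mentions is not addressed by any line in this hunk; both deserve a check
or a sentence in the backport note.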



* [PATCH 3.16 201/366] nfsd: silence sparse warning about accessing credentials
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, J. Bruce Fields, Jeff Layton

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@primarydata.com>

commit ae4b884fc6316b3190be19448cea24b020c1cad6 upstream.

sparse says:

    fs/nfsd/auth.c:31:38: warning: incorrect type in argument 1 (different address spaces)
    fs/nfsd/auth.c:31:38:    expected struct cred const *cred
    fs/nfsd/auth.c:31:38:    got struct cred const [noderef] <asn:4>*real_cred

Add a new accessor for the ->real_cred and use that to fetch the
pointer. Accessing current->real_cred directly is actually quite safe
since we know that they can't go away so this is mostly a cosmetic fixup
to silence sparse.

Signed-off-by: Jeff Layton <jlayton@primarydata.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/auth.c       | 2 +-
 include/linux/cred.h | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -28,7 +28,7 @@ int nfsd_setuser(struct svc_rqst *rqstp,
 	validate_process_creds();
 
 	/* discard any old override before preparing the new set */
-	revert_creds(get_cred(current->real_cred));
+	revert_creds(get_cred(current_real_cred()));
 	new = prepare_creds();
 	if (!new)
 		return -ENOMEM;
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -261,6 +261,15 @@ static inline void put_cred(const struct
 	rcu_dereference_protected(current->cred, 1)
 
 /**
+ * current_real_cred - Access the current task's objective credentials
+ *
+ * Access the objective credentials of the current task.  RCU-safe,
+ * since nobody else can modify it.
+ */
+#define current_real_cred() \
+	rcu_dereference_protected(current->real_cred, 1)
+
+/**
  * __task_cred - Access a task's objective credentials
  * @task: The task to query
  *
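Review bot: the kernel-doc for current_real_cred() does not say that the
returned pointer carries no reference. The caller in fs/nfsd/auth.c wraps
it in get_cred(), and the comment should tell other users to do the same
if they keep the pointer. It would also help to spell out why the constant
`1` passed to rcu_dereference_protected() is acceptable here, since it
turns off the lockdep condition check.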



* [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs*
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+17a8efdf800000, Alexander Potapenko, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@google.com>

commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.

KMSAN reported an infoleak when reading from /dev/vcs*:

  BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
  Call Trace:
  ...
   kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
   copy_to_user ./include/linux/uaccess.h:184
   vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
   __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
   vfs_read+0x36c/0x6b0 fs/read_write.c:452
  ...
  Uninit was created at:
   kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
   kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
   kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
   __kmalloc+0x13a/0x350 mm/slub.c:3818
   kmalloc ./include/linux/slab.h:517
   vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
   con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
   tty_driver_install_tty drivers/tty/tty_io.c:1224
   tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
   tty_open_by_driver drivers/tty/tty_io.c:1959
   tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
   chrdev_open+0xc25/0xd90 fs/char_dev.c:417
   do_dentry_open+0xccc/0x1440 fs/open.c:794
   vfs_open+0x1b6/0x2f0 fs/open.c:908
  ...
  Bytes 0-79 of 240 are uninitialized

Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem

Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -782,7 +782,7 @@ int vc_allocate(unsigned int currcons)	/
 	if (!*vc->vc_uni_pagedir_loc)
 		con_set_default_unimap(vc);
 
-	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+	vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
 	if (!vc->vc_screenbuf)
 		goto err_free;
 
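Review bot: nothing at the kzalloc() call in vc_allocate() says why
zeroing is required. A short comment that vc_screenbuf can be read back
through /dev/vcs* before it has been fully written (the KMSAN report shows
bytes 0-79 of 240 uninitialized) would stop a later cleanup from switching
it back to kmalloc().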
@@ -869,7 +869,7 @@ static int vc_do_resize(struct tty_struc
 
 	if (new_screen_size > (4 << 20))
 		return -EINVAL;
-	newscreen = kmalloc(new_screen_size, GFP_USER);
+	newscreen = kzalloc(new_screen_size, GFP_USER);
 	if (!newscreen)
 		return -ENOMEM;
 
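Review bot: the changelog does not say which part of `newscreen` in
vc_do_resize() could reach userspace unwritten; the KMSAN trace it quotes
only covers the vc_allocate() path. Please add a sentence on the resize
case. The zeroing cost is bounded by the `new_screen_size > (4 << 20)`
check, so there is no performance objection.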



* [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, KarimAllah Ahmed, kvm, Radim Krčmář,
	Thomas Gleixner, Janakarajan Natarajan, Paolo Bonzini,
	Tom Lendacky, Joerg Roedel, Borislav Petkov, Kees Cook,
	Konrad Rzeszutek Wilk, David Woodhouse, H. Peter Anvin,
	andrew.cooper3, Andy Lutomirski

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 6ac2f49edb1ef5446089c7c660017732886d62d6 upstream.

The AMD document outlining the SSBD handling
124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
mentions that if CPUID 8000_0008.EBX[24] is set we should be using
the SPEC_CTRL MSR (0x48) over the VIRT SPEC_CTRL MSR (0xC001_011f)
for speculative store bypass disable.

This in effect means we should clear the X86_FEATURE_VIRT_SSBD
flag so that we would prefer the SPEC_CTRL MSR.

See the document titled:
   124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

A copy of this document is available at
   https://bugzilla.kernel.org/show_bug.cgi?id=199889

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Cc: kvm@vger.kernel.org
Cc: KarimAllah Ahmed <karahmed@amazon.de>
Cc: andrew.cooper3@citrix.com
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Kees Cook <keescook@chromium.org>
Link: https://lkml.kernel.org/r/20180601145921.9500-3-konrad.wilk@oracle.com
[bwh: Backported to 3.16:
 - The feature bit is in feature word 11
 - Update feature test in guest_cpuid_has_spec_ctrl() instead of
   svm_{get,set}_msr()
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -256,6 +256,7 @@
 #define X86_FEATURE_AMD_IBPB		(11*32+12) /* "" Indirect Branch Prediction Barrier */
 #define X86_FEATURE_AMD_IBRS		(11*32+14) /* "" Indirect Branch Restricted Speculation */
 #define X86_FEATURE_AMD_STIBP		(11*32+15) /* "" Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_AMD_SSBD		(11*32+24) /* "" Speculative Store Bypass Disable */
 #define X86_FEATURE_VIRT_SSBD		(11*32+25) /* Virtualized Speculative Store Bypass Disable */
 #define X86_FEATURE_AMD_SSB_NO		(11*32+26) /* "" Speculative Store Bypass is fixed in hardware. */
 
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -570,18 +570,20 @@ static enum ssb_mitigation __init __ssb_
 	if (mode == SPEC_STORE_BYPASS_DISABLE) {
 		setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
 		/*
-		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
-		 * a completely different MSR and bit dependent on family.
+		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
+		 * use a completely different MSR and bit dependent on family.
 		 */
 		switch (boot_cpu_data.x86_vendor) {
 		case X86_VENDOR_INTEL:
+		case X86_VENDOR_AMD:
+			if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
+				x86_amd_ssb_disable();
+				break;
+			}
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
 			break;
-		case X86_VENDOR_AMD:
-			x86_amd_ssb_disable();
-			break;
 		}
 	}
 
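Review bot: folding X86_VENDOR_AMD into the X86_VENDOR_INTEL case means an
Intel CPU without X86_FEATURE_MSR_SPEC_CTRL now calls
x86_amd_ssb_disable() and breaks, where it previously wrote
MSR_IA32_SPEC_CTRL unconditionally. If that is intended, the comment
should say so; if not, keep the
`!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)` test AMD-only.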
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -716,6 +716,12 @@ static void init_speculation_control(str
 		set_cpu_cap(c, X86_FEATURE_STIBP);
 		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
 	}
+
+	if (cpu_has(c, X86_FEATURE_AMD_SSBD)) {
+		set_cpu_cap(c, X86_FEATURE_SSBD);
+		set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+		clear_cpu_cap(c, X86_FEATURE_VIRT_SSBD);
+	}
 }
 
 void get_cpu_cap(struct cpuinfo_x86 *c)
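Review bot: the new block in init_speculation_control() clears
X86_FEATURE_VIRT_SSBD without a comment. The reason (prefer the SPEC_CTRL
MSR over the VIRT SPEC_CTRL MSR when CPUID 8000_0008.EBX[24] is set) is
only in the changelog; a one-line comment above
`clear_cpu_cap(c, X86_FEATURE_VIRT_SSBD);` would match the comment this
patch adds in arch/x86/kvm/cpuid.c.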
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -302,7 +302,8 @@ static inline int __do_cpuid_ent(struct
 
 	/* cpuid 0x80000008.ebx */
 	const u32 kvm_cpuid_8000_0008_ebx_x86_features =
-		F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD) | F(AMD_SSB_NO);
+		F(AMD_IBPB) | F(AMD_IBRS) | F(AMD_SSBD) | F(VIRT_SSBD) |
+		F(AMD_SSB_NO);
 
 	/* cpuid 0xC0000001.edx */
 	const u32 kvm_supported_word5_x86_features =
@@ -536,7 +537,12 @@ static inline int __do_cpuid_ent(struct
 			entry->ebx |= F(VIRT_SSBD);
 		entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
 		cpuid_mask(&entry->ebx, 11);
-		if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+		/*
+		 * The preference is to use SPEC CTRL MSR instead of the
+		 * VIRT_SPEC MSR.
+		 */
+		if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
+		    !boot_cpu_has(X86_FEATURE_AMD_SSBD))
 			entry->ebx |= F(VIRT_SSBD);
 		break;
 	}
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -120,7 +120,7 @@ static inline bool guest_cpuid_has_spec_
 	struct kvm_cpuid_entry2 *best;
 
 	best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0);
-	if (best && (best->ebx & bit(X86_FEATURE_AMD_IBRS)))
+	if (best && (best->ebx & (bit(X86_FEATURE_AMD_IBRS | bit(X86_FEATURE_AMD_SSBD)))))
 		return true;
 	best = kvm_find_cpuid_entry(vcpu, 7, 0);
 	return best && (best->edx & (bit(X86_FEATURE_SPEC_CTRL) | bit(X86_FEATURE_SPEC_CTRL_SSBD)));
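Review bot: the parentheses in the changed condition are misplaced.
`bit(X86_FEATURE_AMD_IBRS | bit(X86_FEATURE_AMD_SSBD))` applies bit() to
the OR of a feature number and a mask instead of OR-ing two masks, so the
test no longer checks the intended EBX bits. It should read
`(bit(X86_FEATURE_AMD_IBRS) | bit(X86_FEATURE_AMD_SSBD))`, in the same
form as the edx test two lines below.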
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3236,7 +3236,7 @@ static int svm_set_msr(struct kvm_vcpu *
 			return 1;
 
 		/* The STIBP bit doesn't fault even if it's not advertised */
-		if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP))
+		if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD))
 			return 1;
 
 		svm->spec_ctrl = data;
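Review bot: SPEC_CTRL_SSBD is now accepted in the written value without
regard to whether the guest's CPUID advertises AMD_SSBD. The existing
comment justifies this only for STIBP ("doesn't fault even if it's not
advertised"); either extend the comment to cover SSBD or reject the bit
when the guest was not given the feature.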



* [PATCH 3.16 216/366] ext4: Fix WARN_ON_ONCE in ext4_commit_super()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Pranay Kr. Srivastava

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Pranay Kr. Srivastava" <pranjas@gmail.com>

commit 4743f83990614af6adb09ea7aa3c37b78c4031ab upstream.

If there are racing calls to ext4_commit_super() it's possible for
another writeback of the superblock to result in the buffer being
marked with an error after we check if the buffer is marked as having
a write error and the buffer up-to-date flag is set again.  If that
happens mark_buffer_dirty() can end up throwing a WARN_ON_ONCE.

Fix this by moving this check to write before we call
write_buffer_dirty(), and keeping the buffer locked during this whole
sequence.

Signed-off-by: Pranay Kr. Srivastava <pranjas@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4653,20 +4653,6 @@ static int ext4_commit_super(struct supe
 
 	if (!sbh || block_device_ejected(sb))
 		return error;
-	if (buffer_write_io_error(sbh)) {
-		/*
-		 * Oh, dear.  A previous attempt to write the
-		 * superblock failed.  This could happen because the
-		 * USB device was yanked out.  Or it could happen to
-		 * be a transient write error and maybe the block will
-		 * be remapped.  Nothing we can do but to retry the
-		 * write and hope for the best.
-		 */
-		ext4_msg(sb, KERN_ERR, "previous I/O error to "
-		       "superblock detected");
-		clear_buffer_write_io_error(sbh);
-		set_buffer_uptodate(sbh);
-	}
 	/*
 	 * If the file system is mounted read-only, don't update the
 	 * superblock write time.  This avoids updating the superblock
@@ -4695,7 +4681,23 @@ static int ext4_commit_super(struct supe
 				&EXT4_SB(sb)->s_freeinodes_counter));
 	BUFFER_TRACE(sbh, "marking dirty");
 	ext4_superblock_csum_set(sb);
+	lock_buffer(sbh);
+	if (buffer_write_io_error(sbh)) {
+		/*
+		 * Oh, dear.  A previous attempt to write the
+		 * superblock failed.  This could happen because the
+		 * USB device was yanked out.  Or it could happen to
+		 * be a transient write error and maybe the block will
+		 * be remapped.  Nothing we can do but to retry the
+		 * write and hope for the best.
+		 */
+		ext4_msg(sb, KERN_ERR, "previous I/O error to "
+		       "superblock detected");
+		clear_buffer_write_io_error(sbh);
+		set_buffer_uptodate(sbh);
+	}
 	mark_buffer_dirty(sbh);
+	unlock_buffer(sbh);
 	if (sync) {
 		error = sync_dirty_buffer(sbh);
 		if (error)
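Review bot: the changelog says the check moves before
write_buffer_dirty(), but the hunk places it before mark_buffer_dirty();
the changelog should name the function actually called. In the code,
ext4_msg() now runs between lock_buffer(sbh) and unlock_buffer(sbh);
consider a comment at lock_buffer() stating that the lock is what keeps a
racing superblock writeback from setting the error flag again before
mark_buffer_dirty().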



* [PATCH 3.16 269/366] net: cxgb3_main: fix potential Spectre v1
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Gustavo A. R. Silva

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.

t.qset_idx can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
warn: potential spectre issue 'adapter->msix_info'

Fix this by sanitizing t.qset_idx before using it to index
adapter->msix_info

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -51,6 +51,7 @@
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <asm/uaccess.h>
+#include <linux/nospec.h>
 
 #include "common.h"
 #include "cxgb3_ioctl.h"
@@ -2256,6 +2257,7 @@ static int cxgb_extension_ioctl(struct n
 
 		if (t.qset_idx >= nqsets)
 			return -EINVAL;
+		t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
 
 		q = &adapter->params.sge.qset[q1 + t.qset_idx];
 		t.rspq_size = q->rspq_size;
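Review bot: the Smatch warning in the changelog is about
`adapter->msix_info`, but the use of the index visible in this hunk is
`adapter->params.sge.qset[q1 + t.qset_idx]`, where the array is indexed
with an added `q1`. array_index_nospec(t.qset_idx, nqsets) bounds only
t.qset_idx, so the changelog should state that `q1 + nqsets` stays within
qset[], and that the msix_info access it refers to uses the same sanitized
value.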



* [PATCH 3.16 275/366] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, YueHaibing, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 upstream.

Add a missing rcu_read_unlock in the error path

Fixes: c95567c80352 ("caif: added check for potential null return")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/caif/caif_dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff
 	caifd = caif_get(skb->dev);
 
 	WARN_ON(caifd == NULL);
-	if (caifd == NULL)
+	if (!caifd) {
+		rcu_read_unlock();
 		return;
+	}
 
 	caifd_hold(caifd);
 	rcu_read_unlock();
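Review bot: the NULL test is now written twice in different forms,
`WARN_ON(caifd == NULL);` followed by `if (!caifd) {`. Since WARN_ON()
returns its condition, these can be one statement,
`if (WARN_ON(!caifd)) {`, which keeps the warning and the
unlock-and-return path together.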



* [PATCH 3.16 264/366] usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joshua Frkuska, Felipe Balbi, Eugeniu Rosca

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joshua Frkuska <joshua_frkuska@mentor.com>

commit 6b37bd78d30c890e575a1bda22978d1d2a233362 upstream.

In u_audio_iso_complete, the runtime hw_ptr is updated before the
data is actually copied over to/from the buffer/dma area. When
ALSA uses this hw_ptr, the data may not actually be available to
be used. This causes trash/stale audio to play/record. This
patch updates the hw_ptr after the data has been copied to avoid
this.

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Joshua Frkuska <joshua_frkuska@mentor.com>
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16:
 - Don't use a local hw_ptr variable
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/gadget/f_uac2.c
+++ b/drivers/usb/gadget/f_uac2.c
@@ -229,12 +229,16 @@ agdev_iso_complete(struct usb_ep *ep, st
 	if (pending >= prm->period_size)
 		update_alsa = true;
 
-	prm->hw_ptr = (prm->hw_ptr + req->actual) % prm->dma_bytes;
-
 	spin_unlock_irqrestore(&prm->lock, flags);
 
 	/* Pack USB load in ALSA ring buffer */
 	memcpy(dst, src, req->actual);
+
+	spin_lock_irqsave(&prm->lock, flags);
+	/* update hw_ptr after data is copied to memory */
+	prm->hw_ptr = (prm->hw_ptr + req->actual) % prm->dma_bytes;
+	spin_unlock_irqrestore(&prm->lock, flags);
+
 exit:
 	if (usb_ep_queue(ep, req, GFP_ATOMIC))
 		dev_err(&uac2->pdev.dev, "%d Error!\n", __LINE__);
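Review bot: prm->lock is dropped before memcpy() and retaken for the
`prm->hw_ptr` update, so the read-modify-write uses whatever hw_ptr holds
at that time rather than the value in effect during the first critical
section. If anything else can change hw_ptr while the copy runs, the
pointer advances from the wrong base. The backport note says the local
hw_ptr variable was not used; please confirm no other writer exists on
3.16, or capture the value under the first lock. Note also that
`update_alsa` is still decided before the copy.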



* [PATCH 3.16 226/366] mm: hugetlb: yield when prepping struct pages
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Peter Feiner, Greg Thelen, Mike Kravetz,
	Andres Lagar-Cavilla, Cannon Matthews, Michal Hocko

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cannon Matthews <cannonmatthews@google.com>

commit 520495fe96d74e05db585fc748351e0504d8f40d upstream.

When booting with very large numbers of gigantic (i.e.  1G) pages, the
operations in the loop of gather_bootmem_prealloc, and specifically
prep_compound_gigantic_page, takes a very long time, and can cause a
softlockup if enough pages are requested at boot.

For example booting with 3844 1G pages requires prepping
(set_compound_head, init the count) over 1 billion 4K tail pages, which
takes considerable time.

Add a cond_resched() to the outer loop in gather_bootmem_prealloc() to
prevent this lockup.

Tested: Booted with softlockup_panic=1 hugepagesz=1G hugepages=3844 and
no softlockup is reported, and the hugepages are reported as
successfully set up.

Link: http://lkml.kernel.org/r/20180627214447.260804-1-cannonmatthews@google.com
Signed-off-by: Cannon Matthews <cannonmatthews@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Andres Lagar-Cavilla <andreslc@google.com>
Cc: Peter Feiner <pfeiner@google.com>
Cc: Greg Thelen <gthelen@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 1 +
 1 file changed, 1 insertion(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1546,6 +1546,7 @@ static void __init gather_bootmem_preall
 		 */
 		if (hstate_is_gigantic(h))
 			adjust_managed_page_count(page, 1 << h->order);
+		cond_resched();
 	}
 }
 
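Review bot: the cond_resched() added at the bottom of the loop body carries no comment, and nothing in the surrounding lines hints at why a boot-time loop needs to yield. A one-line comment saying that prepping a gigantic page touches every tail page and can trip the soft-lockup detector when thousands are requested would keep it from being removed later as a no-op. It also runs for every hstate, not only inside the hstate_is_gigantic() branch just above; that is harmless, but say so if it is deliberate.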


* [PATCH 3.16 225/366] tracing: Fix missing return symbol in function_graph output
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), Changbin Du

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Changbin Du <changbin.du@intel.com>

commit 1fe4293f4b8de75824935f8d8e9a99c7fc6873da upstream.

The function_graph tracer does not show the interrupt return marker for the
leaf entry. On leaf entries, we see an unbalanced interrupt marker (the
interrupt was entered, but never left).

Before:
 1)               |  SyS_write() {
 1)               |    __fdget_pos() {
 1)   0.061 us    |      __fget_light();
 1)   0.289 us    |    }
 1)               |    vfs_write() {
 1)   0.049 us    |      rw_verify_area();
 1) + 15.424 us   |      __vfs_write();
 1)   ==========> |
 1)   6.003 us    |      smp_apic_timer_interrupt();
 1)   0.055 us    |      __fsnotify_parent();
 1)   0.073 us    |      fsnotify();
 1) + 23.665 us   |    }
 1) + 24.501 us   |  }

After:
 0)               |  SyS_write() {
 0)               |    __fdget_pos() {
 0)   0.052 us    |      __fget_light();
 0)   0.328 us    |    }
 0)               |    vfs_write() {
 0)   0.057 us    |      rw_verify_area();
 0)               |      __vfs_write() {
 0)   ==========> |
 0)   8.548 us    |      smp_apic_timer_interrupt();
 0)   <========== |
 0) + 36.507 us   |      } /* __vfs_write */
 0)   0.049 us    |      __fsnotify_parent();
 0)   0.066 us    |      fsnotify();
 0) + 50.064 us   |    }
 0) + 50.952 us   |  }

Link: http://lkml.kernel.org/r/1517413729-20411-1-git-send-email-changbin.du@intel.com

Fixes: f8b755ac8e0cc ("tracing/function-graph-tracer: Output arrows signal on hardirq call/return")
Signed-off-by: Changbin Du <changbin.du@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: Propagate return of TRACE_TYPE_PARTIAL_LINE from
 print_graph_irq()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_functions_graph.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_functions_graph.c
+++ b/kernel/trace/trace_functions_graph.c
@@ -828,6 +828,7 @@ print_graph_entry_leaf(struct trace_iter
 	struct ftrace_graph_ret *graph_ret;
 	struct ftrace_graph_ent *call;
 	unsigned long long duration;
+	int cpu = iter->cpu;
 	int ret;
 	int i;
 
@@ -837,7 +838,6 @@ print_graph_entry_leaf(struct trace_iter
 
 	if (data) {
 		struct fgraph_cpu_data *cpu_data;
-		int cpu = iter->cpu;
 
 		cpu_data = per_cpu_ptr(data->cpu_data, cpu);
 
@@ -874,6 +874,11 @@ print_graph_entry_leaf(struct trace_iter
 	if (!ret)
 		return TRACE_TYPE_PARTIAL_LINE;
 
+	ret = print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET,
+			      cpu, iter->ent->pid, flags);
+	if (ret == TRACE_TYPE_PARTIAL_LINE)
+		return ret;
+
 	return TRACE_TYPE_HANDLED;
 }
 
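Review bot: the new check on print_graph_irq() tests ret == TRACE_TYPE_PARTIAL_LINE, while the check immediately above it uses if (!ret) for the same variable, so two return conventions now sit four lines apart. A short comment that print_graph_irq() returns a trace type rather than a boolean would stop someone "fixing" one to match the other. The call also passes flags, which none of the three hunks declare; please confirm it is already in scope in the 3.16 version of print_graph_entry_leaf().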


* [PATCH 3.16 219/366] x86/cpufeatures: Hide AMD-specific speculation flags
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Hide the AMD_{IBRS,IBPB,STIBP} flag from /proc/cpuinfo.  This was done
upstream as part of commit e7c587da1252 "x86/speculation: Use
synthetic bits for IBRS/IBPB/STIBP".  I already backported that commit
but accidentally dropped this part.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -253,9 +253,9 @@
 #define X86_FEATURE_SPEC_CTRL_SSBD	(10*32+31) /* "" Speculative Store Bypass Disable */
 
 /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 11 */
-#define X86_FEATURE_AMD_IBPB		(11*32+12) /* Indirect Branch Prediction Barrier */
-#define X86_FEATURE_AMD_IBRS		(11*32+14) /* Indirect Branch Restricted Speculation */
-#define X86_FEATURE_AMD_STIBP		(11*32+15) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_AMD_IBPB		(11*32+12) /* "" Indirect Branch Prediction Barrier */
+#define X86_FEATURE_AMD_IBRS		(11*32+14) /* "" Indirect Branch Restricted Speculation */
+#define X86_FEATURE_AMD_STIBP		(11*32+15) /* "" Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_VIRT_SSBD		(11*32+25) /* Virtualized Speculative Store Bypass Disable */
 
 /*
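Review bot: the three changed comments on X86_FEATURE_AMD_IBPB, X86_FEATURE_AMD_IBRS and X86_FEATURE_AMD_STIBP remove names that /proc/cpuinfo has been exposing, which is a user-visible change, and the commit message does not say which flag names a script should look for instead. Please name the replacements in the commit message. X86_FEATURE_VIRT_SSBD on the following line keeps a comment without the leading "", so confirm it is meant to stay visible.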


* [PATCH 3.16 223/366] x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tom Lendacky, Thomas Gleixner, Linus Torvalds,
	David Woodhouse, Borislav Petkov, Peter Zijlstra,
	Konrad Rzeszutek Wilk, Ingo Molnar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit 612bc3b3d4be749f73a513a17d9b3ee1330d3487 upstream.

On AMD, the presence of the MSR_SPEC_CTRL feature does not imply that the
SSBD mitigation support should use the SPEC_CTRL MSR. Other features could
have caused the MSR_SPEC_CTRL feature to be set, while a different SSBD
mitigation option is in place.

Update the SSBD support to check for the actual SSBD features that will
use the SPEC_CTRL MSR.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 6ac2f49edb1e ("x86/bugs: Add AMD's SPEC_CTRL MSR usage")
Link: http://lkml.kernel.org/r/20180702213602.29202.33151.stgit@tlendack-t1.amdoffice.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/bugs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -219,7 +219,8 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl,
 		guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
 
 		/* SSBD controlled in MSR_SPEC_CTRL */
-		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
+		if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
+		    static_cpu_has(X86_FEATURE_AMD_SSBD))
 			hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
 
 		if (hostval != guestval) {
@@ -573,9 +574,10 @@ static enum ssb_mitigation __init __ssb_
 		 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD may
 		 * use a completely different MSR and bit dependent on family.
 		 */
-		if (!static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+		if (!static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
+		    !static_cpu_has(X86_FEATURE_AMD_SSBD)) {
 			x86_amd_ssb_disable();
-		else {
+		} else {
 			x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
 			x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
 			wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
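Review bot: the pair X86_FEATURE_SPEC_CTRL_SSBD / X86_FEATURE_AMD_SSBD is now tested here in negated form and in x86_virt_spec_ctrl() in positive form, and the two must stay in step or the host value and the mitigation selection will disagree about which MSR carries SSBD. A small helper (one inline function returning whether SSBD lives in SPEC_CTRL) used at both sites would remove that risk. The comment above the condition still speaks only of Intel versus AMD; a word on X86_FEATURE_AMD_SSBD taking the SPEC_CTRL path would match the new logic.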


* [PATCH 3.16 278/366] can: constify of_device_id array
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Fabian Frederick, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabian Frederick <fabf@skynet.be>

commit 486e957033623656298a07c39a8bf2fd81db285b upstream.

of_device_id is always used as const.
(See driver.of_match_table and open firmware functions)

Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/cc770/cc770_platform.c     | 2 +-
 drivers/net/can/grcan.c                    | 2 +-
 drivers/net/can/mscan/mpc5xxx_can.c        | 2 +-
 drivers/net/can/sja1000/sja1000_platform.c | 2 +-
 drivers/net/can/xilinx_can.c               | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/can/cc770/cc770_platform.c
+++ b/drivers/net/can/cc770/cc770_platform.c
@@ -254,7 +254,7 @@ static int cc770_platform_remove(struct
 	return 0;
 }
 
-static struct of_device_id cc770_platform_table[] = {
+static const struct of_device_id cc770_platform_table[] = {
 	{.compatible = "bosch,cc770"}, /* CC770 from Bosch */
 	{.compatible = "intc,82527"},  /* AN82527 from Intel CP */
 	{},
--- a/drivers/net/can/grcan.c
+++ b/drivers/net/can/grcan.c
@@ -1725,7 +1725,7 @@ static int grcan_remove(struct platform_
 	return 0;
 }
 
-static struct of_device_id grcan_match[] = {
+static const struct of_device_id grcan_match[] = {
 	{.name = "GAISLER_GRCAN"},
 	{.name = "01_03d"},
 	{.name = "GAISLER_GRHCAN"},
--- a/drivers/net/can/mscan/mpc5xxx_can.c
+++ b/drivers/net/can/mscan/mpc5xxx_can.c
@@ -43,7 +43,7 @@ struct mpc5xxx_can_data {
 };
 
 #ifdef CONFIG_PPC_MPC52xx
-static struct of_device_id mpc52xx_cdm_ids[] = {
+static const struct of_device_id mpc52xx_cdm_ids[] = {
 	{ .compatible = "fsl,mpc5200-cdm", },
 	{}
 };
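Review bot: the mpc52xx_cdm_ids change sits under #ifdef CONFIG_PPC_MPC52xx, so a build without that option never compiles the line and would not catch a consumer of the table that still takes a non-const pointer. Please build this file once with CONFIG_PPC_MPC52xx enabled on 3.16 before the backport goes in.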
--- a/drivers/net/can/sja1000/sja1000_platform.c
+++ b/drivers/net/can/sja1000/sja1000_platform.c
@@ -242,7 +242,7 @@ static int sp_remove(struct platform_dev
 	return 0;
 }
 
-static struct of_device_id sp_of_table[] = {
+static const struct of_device_id sp_of_table[] = {
 	{.compatible = "nxp,sja1000"},
 	{},
 };
--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -1184,7 +1184,7 @@ static int xcan_remove(struct platform_d
 }
 
 /* Match table for OF platform binding */
-static struct of_device_id xcan_of_match[] = {
+static const struct of_device_id xcan_of_match[] = {
 	{ .compatible = "xlnx,zynq-can-1.0", },
 	{ .compatible = "xlnx,axi-can-1.00.a", },
 	{ /* end of list */ },


* [PATCH 3.16 259/366] drm/nouveau: Remove bogus crtc check in pmops_runtime_idle
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Skeggs, Lyude Paul, Daniel Vetter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude Paul <lyude@redhat.com>

commit 68fe23a626b67b56c912c496ea43ed537ea9708f upstream.

This both uses the legacy modesetting structures in a racy manner, and
additionally also doesn't even check the right variable (enabled != the
CRTC is actually turned on for atomic).

This fixes issues on my P50 regarding the dedicated GPU not entering
runtime suspend.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
[bwh: Backported to 3.16:
 - Preserve local variables that are still needed
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -927,7 +927,6 @@ static int nouveau_pmops_runtime_idle(st
 	struct pci_dev *pdev = to_pci_dev(dev);
 	struct drm_device *drm_dev = pci_get_drvdata(pdev);
 	struct nouveau_drm *drm = nouveau_drm(drm_dev);
-	struct drm_crtc *crtc;
 
 	if (nouveau_runtime_pm == 0) {
 		pm_runtime_forbid(dev);
@@ -950,12 +949,6 @@ static int nouveau_pmops_runtime_idle(st
 		}
 	}
 
-	list_for_each_entry(crtc, &drm->dev->mode_config.crtc_list, head) {
-		if (crtc->enabled) {
-			DRM_DEBUG_DRIVER("failing to power off - crtc active\n");
-			return -EBUSY;
-		}
-	}
 	pm_runtime_mark_last_busy(dev);
 	pm_runtime_autosuspend(dev);
 	/* we don't want the main rpm_idle to call suspend - we want to autosuspend */
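Review bot: with the crtc loop removed, nothing left in this hunk gates pm_runtime_autosuspend() on display activity, and the commit message explains why the old check was wrong but not what now keeps the GPU awake while a display is driven. Please state in the commit message (or in a comment above pm_runtime_mark_last_busy()) which mechanism holds the runtime PM reference in that case, and confirm that mechanism exists in 3.16 and not only upstream.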


* [PATCH 3.16 267/366] Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Menzel, Marcos Paulo de Souza, Vojtech Pavlik,
	Dmitry Torokhov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit a4c2a13129f7c5bcf81704c06851601593303fd5 upstream.

TUXEDO BU1406 does not implement active multiplexing mode properly,
and takes around 550 ms in i8042_set_mux_mode(). Given that the
device does not have an external AUX port, there is no downside in
disabling the MUX mode.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Suggested-by: Vojtech Pavlik <vojtech@suse.cz>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -513,6 +513,13 @@ static const struct dmi_system_id __init
 			DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"),
 		},
 	},
+	{
+		/* TUXEDO BU1406 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
+		},
+	},
 	{ }
 };
 
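Review bot: the DMI_SYS_VENDOR match in the new entry is the string "Notebook", which is generic enough that the entry effectively keys on DMI_PRODUCT_NAME "N24_25BU" alone. The comment says only "TUXEDO BU1406"; please extend it to note that the vendor field is a generic OEM string and that N24_25BU is the board name, so a later reader does not take the vendor match for a typo or tighten it incorrectly.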


* [PATCH 3.16 277/366] atl1c: reserve min skb headroom
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Eric Dumazet, Florian Westphal

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 6e56830776828d8ca9897fc4429eeab47c3bb432 upstream.

Got crash report with following backtrace:
BUG: unable to handle kernel paging request at ffff8801869daffe
RIP: 0010:[<ffffffff816429c4>]  [<ffffffff816429c4>] ip6_finish_output2+0x394/0x4c0
RSP: 0018:ffff880186c83a98  EFLAGS: 00010283
RAX: ffff8801869db00e ...
  [<ffffffff81644cdc>] ip6_finish_output+0x8c/0xf0
  [<ffffffff81644d97>] ip6_output+0x57/0x100
  [<ffffffff81643dc9>] ip6_forward+0x4b9/0x840
  [<ffffffff81645566>] ip6_rcv_finish+0x66/0xc0
  [<ffffffff81645db9>] ipv6_rcv+0x319/0x530
  [<ffffffff815892ac>] netif_receive_skb+0x1c/0x70
  [<ffffffffc0060bec>] atl1c_clean+0x1ec/0x310 [atl1c]
  ...

The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
atl1c driver provided skb with no headroom, so 14 bytes (ethernet
header) got pulled, but then 16 are copied.

Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().

Compile tested only; I lack hardware.

Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
@@ -1674,6 +1674,7 @@ static struct sk_buff *atl1c_alloc_skb(s
 	skb = build_skb(page_address(page) + adapter->rx_page_offset,
 			adapter->rx_frag_size);
 	if (likely(skb)) {
+		skb_reserve(skb, NET_SKB_PAD);
 		adapter->rx_page_offset += adapter->rx_frag_size;
 		if (adapter->rx_page_offset >= PAGE_SIZE)
 			adapter->rx_page = NULL;
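Review bot: skb_reserve(skb, NET_SKB_PAD) takes its bytes out of the adapter->rx_frag_size buffer handed to build_skb() two lines up, so the room left for received data shrinks by NET_SKB_PAD unless rx_frag_size already budgets for it; the hunk does not show that computation. Since the commit message says this was compile tested only, please confirm that rx_frag_size includes the pad and that the address given to the hardware is taken after the reserve, otherwise a full-size frame could run past the fragment.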


* [PATCH 3.16 272/366] crypto: padlock-aes - Fix Nano workaround data corruption
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jamie Heilman, Herbert Xu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 46d8c4b28652d35dc6cfb5adf7f54e102fc04384 upstream.

This was detected by the self-test thanks to Ard's chunking patch.

I finally got around to testing this out on my ancient Via box.  It
turns out that the workaround got the assembly wrong and we end up
doing count + initial cycles of the loop instead of just count.

This obviously causes corruption, either by overwriting the source
that is yet to be processed, or writing over the end of the buffer.

On CPUs that don't require the workaround only ECB is affected.
On Nano CPUs both ECB and CBC are affected.

This patch fixes it by doing the subtraction prior to the assembly.

Fixes: a76c1c23d0c3 ("crypto: padlock-aes - work around Nano CPU...")
Reported-by: Jamie Heilman <jamie@audible.transient.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/padlock-aes.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/crypto/padlock-aes.c
+++ b/drivers/crypto/padlock-aes.c
@@ -266,6 +266,8 @@ static inline void padlock_xcrypt_ecb(co
 		return;
 	}
 
+	count -= initial;
+
 	if (initial)
 		asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
 			      : "+S"(input), "+D"(output)
@@ -273,7 +275,7 @@ static inline void padlock_xcrypt_ecb(co
 
 	asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
 		      : "+S"(input), "+D"(output)
-		      : "d"(control_word), "b"(key), "c"(count - initial));
+		      : "d"(control_word), "b"(key), "c"(count));
 }
 
 static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
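Review bot: "c"(count) in the second asm statement is still listed as an input-only operand. If, as with other REP-prefixed instructions, rep xcryptecb consumes the count register, the compiler is being told the register is unchanged when it is not, which is the same class of mistake the commit message describes. Consider making the count an in/out operand ("+c" on a local copy) in both asm statements so the fix does not depend on where the subtraction happens to be placed.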
@@ -284,6 +286,8 @@ static inline u8 *padlock_xcrypt_cbc(con
 	if (count < cbc_fetch_blocks)
 		return cbc_crypt(input, output, key, iv, control_word, count);
 
+	count -= initial;
+
 	if (initial)
 		asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
 			      : "+S" (input), "+D" (output), "+a" (iv)
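Review bot: the new count -= initial in padlock_xcrypt_cbc() is unconditional and is only safe if initial never exceeds count once the count < cbc_fetch_blocks early return above has been passed. The hunk does not show how initial is derived, so please add a one-line comment stating that invariant next to the subtraction; an underflow here would turn into a very large block count for the rep instruction.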
@@ -291,7 +295,7 @@ static inline u8 *padlock_xcrypt_cbc(con
 
 	asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
 		      : "+S" (input), "+D" (output), "+a" (iv)
-		      : "d" (control_word), "b" (key), "c" (count-initial));
+		      : "d" (control_word), "b" (key), "c" (count));
 	return iv;
 }
 


* [PATCH 3.16 236/366] USB: serial: mos7840: fix status-register error handling
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 794744abfffef8b1f3c0c8a4896177d6d13d653d upstream.

Add missing transfer-length sanity check to the status-register
completion handler to avoid leaking bits of uninitialised slab data to
user space.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -471,6 +471,9 @@ static void mos7840_control_callback(str
 	}
 
 	dev_dbg(dev, "%s urb buffer size is %d\n", __func__, urb->actual_length);
+	if (urb->actual_length < 1)
+		goto out;
+
 	dev_dbg(dev, "%s mos7840_port->MsrLsr is %d port %d\n", __func__,
 		mos7840_port->MsrLsr, mos7840_port->port_num);
 	data = urb->transfer_buffer;
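Review bot: the new urb->actual_length < 1 check jumps to out without logging anything, so a device that returns an empty status transfer is dropped silently. The dev_dbg() directly above already prints the length, but it does not say the transfer was rejected; a dev_dbg() on the short-transfer path, plus a comment that the code below needs at least one byte from urb->transfer_buffer, would make both the condition and the reason for the check visible.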


* [PATCH 3.16 276/366] multicast: do not restore deleted record source filter mode to new one
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Hangbin Liu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 08d3ffcc0cfaba36f6b86fd568cc3bc773061fa6 upstream.

There are two scenarios in which we will restore deleted records. The first is
when a device goes down and up (or unmap/remap). In this scenario the new filter
mode is the same as the previous one, because we get it from in_dev->mc_list and
we do not touch it during device down and up.

The other scenario is when a new socket joins a group which was just deleted
and has not finished sending status reports. In this scenario, we should use the
current filter mode instead of restoring the old one. Here are 4 cases in total.

old_socket        new_socket       before_fix       after_fix
  IN(A)             IN(A)           ALLOW(A)         ALLOW(A)
  IN(A)             EX( )           TO_IN( )         TO_EX( )
  EX( )             IN(A)           TO_EX( )         ALLOW(A)
  EX( )             EX( )           TO_EX( )         TO_EX( )

Fixes: 24803f38a5c0b (igmp: do not remove igmp souce list info when set link down)
Fixes: 1666d49e1d416 (mld: do not remove mld souce list info when set link down)
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/igmp.c  | 3 +--
 net/ipv6/mcast.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1159,8 +1159,7 @@ static void igmpv3_del_delrec(struct in_
 	if (pmc) {
 		im->interface = pmc->interface;
 		im->crcount = in_dev->mr_qrv ?: IGMP_Unsolicited_Report_Count;
-		im->sfmode = pmc->sfmode;
-		if (pmc->sfmode == MCAST_INCLUDE) {
+		if (im->sfmode == MCAST_INCLUDE) {
 			im->tomb = pmc->tomb;
 			im->sources = pmc->sources;
 			for (psf = im->sources; psf; psf = psf->sf_next)
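Review bot: now that the branch tests im->sfmode instead of pmc->sfmode, there is a new combination in which pmc holds tomb and sources lists (old socket in INCLUDE mode) but im is in EXCLUDE mode, so the block that moves pmc->tomb and pmc->sources over to im is skipped. The visible lines do not show those lists being released on that path; please check that they are freed before pmc is dropped, otherwise the IN(A) to EX( ) row of the table in the commit message leaks the source list.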
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -806,8 +806,7 @@ static void mld_del_delrec(struct inet6_
 	if (pmc) {
 		im->idev = pmc->idev;
 		im->mca_crcount = idev->mc_qrv;
-		im->mca_sfmode = pmc->mca_sfmode;
-		if (pmc->mca_sfmode == MCAST_INCLUDE) {
+		if (im->mca_sfmode == MCAST_INCLUDE) {
 			im->mca_tomb = pmc->mca_tomb;
 			im->mca_sources = pmc->mca_sources;
 			for (psf = im->mca_sources; psf; psf = psf->sf_next)


* [PATCH 3.16 261/366] MIPS: Fix off-by-one in pci_resource_to_user()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Rui Wang, Ralf Baechle, James Hogan,
	Wolfgang Grandegger, linux-mips

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@mips.com>

commit 38c0a74fe06da3be133cae3fb7bde6a9438e698b upstream.

The MIPS implementation of pci_resource_to_user() introduced in v3.12 by
commit 4c2924b725fb ("MIPS: PCI: Use pci_resource_to_user to map pci
memory space properly") incorrectly sets *end to the address of the
byte after the resource, rather than the last byte of the resource.

This results in userland seeing resources as a byte larger than they
actually are, for example a 32 byte BAR will be reported by a tool such
as lspci as being 33 bytes in size:

    Region 2: I/O ports at 1000 [disabled] [size=33]

Correct this by subtracting one from the calculated end address,
reporting the correct address to userland.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reported-by: Rui Wang <rui.wang@windriver.com>
Fixes: 4c2924b725fb ("MIPS: PCI: Use pci_resource_to_user to map pci memory space properly")
Cc: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/19829/
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/pci.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/include/asm/pci.h
+++ b/arch/mips/include/asm/pci.h
@@ -87,7 +87,7 @@ static inline void pci_resource_to_user(
 	phys_t size = resource_size(rsrc);
 
 	*start = fixup_bigphys_addr(rsrc->start, size);
-	*end = rsrc->start + size;
+	*end = rsrc->start + size - 1;
 }
 
 /*
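Review bot: *end is still computed from the raw rsrc->start while *start goes through fixup_bigphys_addr() on the line above, so on a platform where the fixup changes the address the two values reported to userland come from different address spaces and end - start + 1 no longer equals size. Deriving the end from the fixed-up start (*end = *start + size - 1) would keep the pair consistent; if the asymmetry is intentional, a comment should say why.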


* [PATCH 3.16 233/366] cifs: store the leaseKey in the fid on SMB2_open
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Ronnie Sahlberg, Pavel Shilovsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit 96164ab2d880c9539989bea68d4790f6fd619b1f upstream.

In SMB2_open(), if we got a lease we need to store this in the fid structure
or else we will never be able to map a lease break back to which file/fid
it applies to.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h | 2 +-
 fs/cifs/smb2ops.c  | 7 +++++--
 fs/cifs/smb2pdu.c  | 8 +++++---
 3 files changed, 11 insertions(+), 6 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -383,7 +383,7 @@ struct smb_version_operations {
 	/* create lease context buffer for CREATE request */
 	char * (*create_lease_buf)(u8 *, u8);
 	/* parse lease context buffer and return oplock/epoch info */
-	__u8 (*parse_lease_buf)(void *, unsigned int *);
+	__u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey);
 	int (*clone_range)(const unsigned int, struct cifsFileInfo *src_file,
 			struct cifsFileInfo *target_file, u64 src_off, u64 len,
 			u64 dest_off);
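
Review bot: The new third parameter of parse_lease_buf is named lkey in this prototype but lease_key in both implementations in smb2ops.c, and nothing here says how large the buffer must be. Use one name throughout and extend the comment above the member to state that the argument may be NULL and must otherwise point to at least SMB2_LEASE_KEY_SIZE bytes, since smb3_parse_lease_buf() copies that many bytes into it.
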
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1118,7 +1118,7 @@ smb3_create_lease_buf(u8 *lease_key, u8
 }
 
 static __u8
-smb2_parse_lease_buf(void *buf, unsigned int *epoch)
+smb2_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key)
 {
 	struct create_lease *lc = (struct create_lease *)buf;
 
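
Review bot: smb2_parse_lease_buf() accepts the new lease_key argument but, going by the diffstat and the lines shown for this file, never writes to it; only smb3_parse_lease_buf() gains a memcpy. If that is intended, say so in a comment on this function. Otherwise a lease parsed through this path still does not hand its key back to the caller, which is the situation the commit message sets out to fix.
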
@@ -1129,13 +1129,16 @@ smb2_parse_lease_buf(void *buf, unsigned
 }
 
 static __u8
-smb3_parse_lease_buf(void *buf, unsigned int *epoch)
+smb3_parse_lease_buf(void *buf, unsigned int *epoch, char *lease_key)
 {
 	struct create_lease_v2 *lc = (struct create_lease_v2 *)buf;
 
 	*epoch = le16_to_cpu(lc->lcontext.Epoch);
 	if (lc->lcontext.LeaseFlags & SMB2_LEASE_FLAG_BREAK_IN_PROGRESS)
 		return SMB2_OPLOCK_LEVEL_NOCHANGE;
+	if (lease_key)
+		memcpy(lease_key, &lc->lcontext.LeaseKeyLow,
+		       SMB2_LEASE_KEY_SIZE);
 	return le32_to_cpu(lc->lcontext.LeaseState);
 }
 
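
Review bot: In smb3_parse_lease_buf() the memcpy sits after the SMB2_LEASE_FLAG_BREAK_IN_PROGRESS early return, so on that path the caller's lease_key is left untouched. Either move the copy above the flag check or document that the key is only valid when the function does not return SMB2_OPLOCK_LEVEL_NOCHANGE. The copy also starts at &lc->lcontext.LeaseKeyLow and spans SMB2_LEASE_KEY_SIZE bytes, which relies on the rest of the key following LeaseKeyLow directly in the structure; a short comment would make that assumption explicit.
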
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1054,7 +1054,7 @@ create_reconnect_durable_buf(struct cifs
 
 static __u8
 parse_lease_state(struct TCP_Server_Info *server, struct smb2_create_rsp *rsp,
-		  unsigned int *epoch)
+		  unsigned int *epoch, char *lease_key)
 {
 	char *data_offset;
 	struct create_context *cc;
@@ -1069,7 +1069,8 @@ parse_lease_state(struct TCP_Server_Info
 		name = le16_to_cpu(cc->NameOffset) + (char *)cc;
 		if (le16_to_cpu(cc->NameLength) == 4 &&
 		    strncmp(name, "RqLs", 4) == 0)
-			return server->ops->parse_lease_buf(cc, epoch);
+			return server->ops->parse_lease_buf(cc, epoch,
+							    lease_key);
 
 		next = le32_to_cpu(cc->Next);
 		if (!next)
@@ -1262,7 +1263,8 @@ SMB2_open(const unsigned int xid, struct
 	}
 
 	if (rsp->OplockLevel == SMB2_OPLOCK_LEVEL_LEASE)
-		*oplock = parse_lease_state(server, rsp, &oparms->fid->epoch);
+		*oplock = parse_lease_state(server, rsp, &oparms->fid->epoch,
+					    oparms->fid->lease_key);
 	else
 		*oplock = rsp->OplockLevel;
 creat_exit:
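
Review bot: In SMB2_open() only the SMB2_OPLOCK_LEVEL_LEASE branch passes oparms->fid->lease_key down, and parse_lease_state() only reaches parse_lease_buf() when it finds an "RqLs" context, so on every other path the field keeps whatever it held before the call. State in a comment whether the caller is expected to have initialised lease_key beforehand, or clear it here when no lease is returned.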


* [PATCH 3.16 273/366] usb: core: handle hub C_PORT_OVER_CURRENT condition
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (311 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 292/366] cachefiles: Wait rather than BUG'ing on "Unexpected object collision" Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 140/366] l2tp: prevent pppol2tp_connect() from creating kernel sockets Ben Hutchings
                   ` (53 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Alan Stern, Bin Liu, Alessandro Antenucci

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit 249a32b7eeb3edb6897dd38f89651a62163ac4ed upstream.

Based on USB2.0 Spec Section 11.12.5,

  "If a hub has per-port power switching and per-port current limiting,
  an over-current on one port may still cause the power on another port
  to fall below specific minimums. In this case, the affected port is
  placed in the Power-Off state and C_PORT_OVER_CURRENT is set for the
  port, but PORT_OVER_CURRENT is not set."

so let's check C_PORT_OVER_CURRENT too for over current condition.

Fixes: 08d1dec6f405 ("usb:hub set hub->change_bits when over-current happens")
Tested-by: Alessandro Antenucci <antenucci@korg.it>
Signed-off-by: Bin Liu <b-liu@ti.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1119,10 +1119,14 @@ static void hub_activate(struct usb_hub
 
 		if (!udev || udev->state == USB_STATE_NOTATTACHED) {
 			/* Tell khubd to disconnect the device or
-			 * check for a new connection
+			 * check for a new connection or over current condition.
+			 * Based on USB2.0 Spec Section 11.12.5,
+			 * C_PORT_OVER_CURRENT could be set while
+			 * PORT_OVER_CURRENT is not. So check for any of them.
 			 */
 			if (udev || (portstatus & USB_PORT_STAT_CONNECTION) ||
-			    (portstatus & USB_PORT_STAT_OVERCURRENT))
+			    (portstatus & USB_PORT_STAT_OVERCURRENT) ||
+			    (portchange & USB_PORT_STAT_C_OVERCURRENT))
 				set_bit(port1, hub->change_bits);
 
 		} else if (portstatus & USB_PORT_STAT_ENABLE) {
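
Review bot: The added test reads portchange while the neighbouring tests read portstatus, which is easy to misread as a typo; the expanded comment names the two bits but not the two variables. Mention in the comment that USB_PORT_STAT_C_OVERCURRENT lives in the change word, and confirm that the code woken by set_bit(port1, hub->change_bits) clears that change bit, otherwise the port will be flagged again on the next hub_activate().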


* [PATCH 3.16 235/366] USB: serial: keyspan_pda: fix modem-status error handling
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (288 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 026/366] usb: do not reset if a low-speed or full-speed device timed out Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 306/366] squashfs: more metadata hardening Ben Hutchings
                   ` (76 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 01b3cdfca263a17554f7b249d20a247b2a751521 upstream.

Fix broken modem-status error handling which could lead to bits of slab
data leaking to user space.

Fixes: 3b36a8fd6777 ("usb: fix uninitialized variable warning in keyspan_pda")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/keyspan_pda.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -373,8 +373,10 @@ static int keyspan_pda_get_modem_info(st
 			     3, /* get pins */
 			     USB_TYPE_VENDOR|USB_RECIP_INTERFACE|USB_DIR_IN,
 			     0, 0, data, 1, 2000);
-	if (rc >= 0)
+	if (rc == 1)
 		*value = *data;
+	else if (rc >= 0)
+		rc = -EIO;
 
 	kfree(data);
 	return rc;
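
Review bot: The check `rc == 1` hard-codes the transfer length that is also passed as a bare 1 in the control request a few lines up, so changing one silently breaks the other. Use a single named length (or sizeof(*data)) for both. Note also that the success path still returns 1 rather than 0, so callers must treat any non-negative value as success; a comment to that effect would help.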


* [PATCH 3.16 260/366] drm: re-enable error handling
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 109/366] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 101/366] fuse: don't keep dead fuse_conn at fuse_fill_super() Ben Hutchings
                   ` (335 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sean Paul, Nicholas Mc Guire

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit d530b5f1ca0bb66958a2b714bebe40a1248b9c15 upstream.

drm_legacy_ctxbitmap_next() returns idr_alloc() which can return
-ENOMEM, -EINVAL or -ENOSPC, none of which are -1, but the call sites
of drm_legacy_ctxbitmap_next() seem to be assuming that the error case
would be -1 (original return of drm_ctxbitmap_next() prior to 2.6.23
was actually -1). Thus reenable error handling by checking for < 0.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/1531571532-22733-1-git-send-email-hofrat@osadl.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_context.c
+++ b/drivers/gpu/drm/drm_context.c
@@ -316,7 +316,7 @@ int drm_addctx(struct drm_device *dev, v
 		ctx->handle = drm_ctxbitmap_next(dev);
 	}
 	DRM_DEBUG("%d\n", ctx->handle);
-	if (ctx->handle == -1) {
+	if (ctx->handle < 0) {
 		DRM_DEBUG("Not enough free contexts.\n");
 		/* Should this return -EBUSY instead? */
 		return -ENOMEM;
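
Review bot: The error branch still returns a fixed -ENOMEM and logs "Not enough free contexts." although, per the commit message, the allocator can also fail with -EINVAL or -ENOSPC; propagating the negative value would keep the real cause. Also check the declared type of ctx->handle, which this hunk does not show: if it is unsigned, `ctx->handle < 0` can never be true and the result should go through a signed temporary first.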


* [PATCH 3.16 268/366] Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 366/366] perf tools: Fix python extension build for gcc 8 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode Ben Hutchings
                   ` (314 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chen-Yu Tsai, Dmitry Torokhov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit 384cf4285b34e08917e3e66603382f2b0c4f6e1b upstream.

The Lenovo LaVie Z laptop requires i8042 to be reset in order to
consistently detect its Elantech touchpad. The nomux and kbdreset
quirks are not sufficient.

It's possible the other LaVie Z models from NEC require this as well.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -520,6 +520,13 @@ static const struct dmi_system_id __init
 			DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
 		},
 	},
+	{
+		/* Lenovo LaVie Z */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"),
+		},
+	},
 	{ }
 };
 
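
Review bot: DMI_MATCH() does substring comparison, so the DMI_PRODUCT_VERSION entry "Lenovo LaVie Z" also matches any longer version string that contains it. The commit message suggests other LaVie Z models may need the reset too, so if the broad match is intended, say so in the /* Lenovo LaVie Z */ comment; if not, use DMI_EXACT_MATCH().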


* [PATCH 3.16 274/366] fat: fix memory allocation failure handling of match_strdup()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 011/366] Revert "mtd: nand: omap2: Fix subpage write" Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 211/366] tty: vt, remove reduntant check Ben Hutchings
                   ` (357 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, OGAWA Hirofumi, Linus Torvalds, syzbot+90b8e10515ae88228a92

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.

In parse_options(), if match_strdup() failed, parse_options() leaves
opts->iocharset in an unexpected state (i.e.  still pointing to the freed
string).  And this can be the cause of a double free.

To fix this, always initialize opts->iocharset when freeing.

Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fat/inode.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/fs/fat/inode.c
+++ b/fs/fat/inode.c
@@ -610,13 +610,21 @@ static void fat_set_state(struct super_b
 	brelse(bh);
 }
 
+static void fat_reset_iocharset(struct fat_mount_options *opts)
+{
+	if (opts->iocharset != fat_default_iocharset) {
+		/* Note: opts->iocharset can be NULL here */
+		kfree(opts->iocharset);
+		opts->iocharset = fat_default_iocharset;
+	}
+}
+
 static void delayed_free(struct rcu_head *p)
 {
 	struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu);
 	unload_nls(sbi->nls_disk);
 	unload_nls(sbi->nls_io);
-	if (sbi->options.iocharset != fat_default_iocharset)
-		kfree(sbi->options.iocharset);
+	fat_reset_iocharset(&sbi->options);
 	kfree(sbi);
 }
 
@@ -1031,7 +1039,7 @@ static int parse_options(struct super_bl
 	opts->fs_fmask = opts->fs_dmask = current_umask();
 	opts->allow_utime = -1;
 	opts->codepage = fat_default_codepage;
-	opts->iocharset = fat_default_iocharset;
+	fat_reset_iocharset(opts);
 	if (is_vfat) {
 		opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95;
 		opts->rodir = 0;
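
Review bot: Replacing the plain assignment with fat_reset_iocharset(opts) at the top of parse_options() means the old value of opts->iocharset is now read, and possibly passed to kfree(), before this function has set it. That is only safe if every caller hands in a zeroed or previously parsed structure. The helper's "can be NULL here" comment hints at this, but the requirement deserves an explicit comment at this call site.
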
@@ -1181,8 +1189,7 @@ static int parse_options(struct super_bl
 
 		/* vfat specific */
 		case Opt_charset:
-			if (opts->iocharset != fat_default_iocharset)
-				kfree(opts->iocharset);
+			fat_reset_iocharset(opts);
 			iocharset = match_strdup(&args[0]);
 			if (!iocharset)
 				return -ENOMEM;
@@ -1763,8 +1770,7 @@ out_fail:
 		iput(fat_inode);
 	unload_nls(sbi->nls_io);
 	unload_nls(sbi->nls_disk);
-	if (sbi->options.iocharset != fat_default_iocharset)
-		kfree(sbi->options.iocharset);
+	fat_reset_iocharset(&sbi->options);
 	sb->s_fs_info = NULL;
 	kfree(sbi);
 	return error;


* [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (328 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 210/366] n_tty: Access echo_* variables carefully Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 084/366] IB/qib: Fix DMA api warning with debug kernel Ben Hutchings
                   ` (36 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Steffen Maier, Benjamin Block

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 6a76550841d412330bd86aed3238d1888ba70f0e upstream.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : .......
LUN            : 0x...
WWPN           : 0x...
D_ID           : 0x...
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x...
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -314,8 +314,11 @@ static int zfcp_erp_action_enqueue(int w
 		goto out;
 	}
 
-	if (!adapter->erp_thread)
-		return -EIO;
+	if (!adapter->erp_thread) {
+		need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
+		retval = -EIO;
+		goto out;
+	}
 
 	need = zfcp_erp_required_act(want, adapter, port, sdev);
 	if (!need)
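
Review bot: The new `!adapter->erp_thread` branch sets need and retval and jumps to out, but the only explanation is the trailing "marker for trace" comment. Spell out that ZFCP_ERP_ACTION_NONE ends up as the "ERP need" field of the REC trigger record when no ERP thread exists, and confirm that everything the out label touches is initialised on this early path.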


* [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (199 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 279/366] can: mpc5xxx_can: check of_iomap return before use Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 130/366] backlight: as3711_bl: Fix Device Tree node lookup Ben Hutchings
                   ` (165 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Michael Neuling

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.

In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
validating DAWR region end") we fixed setting the DAWR end point to
its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.

PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
zero (memset() in hw_breakpoint_init()). This worked with
arch_validate_hwbkpt_settings() before the above patch was applied but
is now broken if the breakpoint is 512byte aligned.

This sets the length of the breakpoint to 8 bytes when using
PTRACE_SET_DEBUGREG.

Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -1011,6 +1011,7 @@ int ptrace_set_debugreg(struct task_stru
 	/* Create a new breakpoint request if one doesn't exist already */
 	hw_breakpoint_init(&attr);
 	attr.bp_addr = hw_brk.address;
+	attr.bp_len = 8;
 	arch_bp_generic_fields(hw_brk.type,
 			       &attr.bp_type);
 
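
Review bot: `attr.bp_len = 8;` is a bare constant with no comment, and the reason for it (hw_breakpoint_init() leaves the length at zero, which the validation now rejects for a 512 byte aligned address) is only in the commit message. Add a one-line comment next to the assignment so the value is not mistaken for an arbitrary choice.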


* [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (274 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 190/366] batman-adv: unify flags access style in tt global add Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 032/366] iommu/vt-d: Ratelimit each dmar fault printing Ben Hutchings
                   ` (90 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rafael J. Wysocki, Doug Berger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Berger <opendmb@gmail.com>

commit 2ef7c01c0cdb170142058c6d8fe0697aee4e4d7d upstream.

When wakelock support was added, the wakeup_source_add() function
was updated to set the last_time value of the wakeup source. This
has the unintended side effect of producing confusing output from
pm_print_active_wakeup_sources() when a wakeup source is added
prior to a sleep that is blocked by a different wakeup source.

The function pm_print_active_wakeup_sources() will search for the
most recently active wakeup source when no active source is found.
If a wakeup source is added after a different wakeup source blocks
the system from going to sleep it may have a later last_time value
than the blocking source and be output as the last active wakeup
source even if it has never actually been active.

It looks to me like the change to wakeup_source_add() was made to
prevent the wakelock garbage collection from accidentally dropping
a wakelock during the narrow window between adding the wakelock to
the wakelock list in wakelock_lookup_add() and the activation of
the wakeup source in pm_wake_lock().

This commit changes the behavior so that only the last_time of the
wakeup source used by a wakelock is initialized prior to adding it
to the wakeup source list. This preserves the meaning of the
last_time value as the last time the wakeup source was active and
allows a wakeup source that has never been active to have a
last_time value of 0.

Fixes: b86ff9820fd5 (PM / Sleep: Add user space interface for manipulating wakeup sources, v3)
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/power/wakeup.c | 1 -
 kernel/power/wakelock.c     | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/power/wakeup.c
+++ b/drivers/base/power/wakeup.c
@@ -135,7 +135,6 @@ void wakeup_source_add(struct wakeup_sou
 	spin_lock_init(&ws->lock);
 	setup_timer(&ws->timer, pm_wakeup_timer_fn, (unsigned long)ws);
 	ws->active = false;
-	ws->last_time = ktime_get();
 
 	spin_lock_irqsave(&events_lock, flags);
 	list_add_rcu(&ws->entry, &wakeup_sources);
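
Review bot: With the ws->last_time assignment removed, wakeup_source_add() no longer initialises that field while it still initialises lock, timer and active. A caller that does not zero the structure will now publish an undefined last_time on the wakeup_sources list. Document in the function's comment that the caller owns last_time from now on and that a never-active source is expected to carry 0.
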
--- a/kernel/power/wakelock.c
+++ b/kernel/power/wakelock.c
@@ -175,6 +175,7 @@ static struct wakelock *wakelock_lookup_
 		return ERR_PTR(-ENOMEM);
 	}
 	wl->ws.name = wl->name;
+	wl->ws.last_time = ktime_get();
 	wakeup_source_add(&wl->ws);
 	rb_link_node(&wl->node, parent, node);
 	rb_insert_color(&wl->node, &wakelocks_tree);
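
Review bot: `wl->ws.last_time = ktime_get();` now sits before wakeup_source_add() with no comment, and the reason (keeping wakelock garbage collection from dropping the entry before pm_wake_lock() activates it) is only given in the commit message. Put that reason in a comment next to the assignment so it is not removed later as redundant.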


* [PATCH 3.16 075/366] of: unittest: for strings, account for trailing \\0 in property length field
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 115/366] kconfig: Avoid format overflow warning from GCC 8.1 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 135/366] ksm: add cond_resched() to the rmap_walks Ben Hutchings
                   ` (281 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rob Herring, Frank Rowand, Stefan M Schaeckeler

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan M Schaeckeler <sschaeck@cisco.com>

commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream.

For strings, account for trailing \0 in property length field:

This is consistent with how dtc builds string properties.

Function __of_prop_dup() would misbehave on such properties as it duplicates
properties based on the property length field creating new string values
without trailing \0s.

Signed-off-by: Stefan M Schaeckeler <sschaeck@cisco.com>
Reviewed-by: Frank Rowand <frank.rowand@sony.com>
Tested-by: Frank Rowand <frank.rowand@sony.com>
Signed-off-by: Rob Herring <robh@kernel.org>
[bwh: Backported to 3.16: s/unittest/selftest/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/selftest.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/of/selftest.c
+++ b/drivers/of/selftest.c
@@ -97,20 +97,20 @@ static void __init of_selftest_dynamic(v
 	/* Add a new property - should pass*/
 	prop->name = "new-property";
 	prop->value = "new-property-data";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
 
 	/* Try to add an existing property - should fail */
 	prop++;
 	prop->name = "new-property";
 	prop->value = "new-property-data-should-fail";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_add_property(np, prop) != 0,
 		 "Adding an existing property should have failed\n");
 
 	/* Try to modify an existing property - should pass */
 	prop->value = "modify-property-data-should-pass";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_update_property(np, prop) == 0,
 		 "Updating an existing property should have passed\n");
 
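
Review bot: The expression `strlen(prop->value) + 1` is now repeated for every property in of_selftest_dynamic() (three times in this hunk, once more in the next), and the reason for the + 1 is only in the commit message. A small helper, or a single comment stating that the length of a string property includes the terminating NUL, would keep future additions from reintroducing the shorter length.
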
@@ -118,7 +118,7 @@ static void __init of_selftest_dynamic(v
 	prop++;
 	prop->name = "modify-property";
 	prop->value = "modify-missing-property-data-should-pass";
-	prop->length = strlen(prop->value);
+	prop->length = strlen(prop->value) + 1;
 	selftest(of_update_property(np, prop) == 0,
 		 "Updating a missing property should have passed\n");
 


* [PATCH 3.16 215/366] ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (334 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 006/366] fnic: Fix misleading indentation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 069/366] powerpc/ptrace: Fix enforcement of DAWR constraints Ben Hutchings
                   ` (30 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Hans de Goede

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 240630e61870e62e39a97225048f9945848fa5f5 upstream.

There have been several reports of LPM related hard freezes about once
a day on multiple Lenovo 50 series models. Strangely enough these reports
were not disk model specific as LPM issues usually are and some users
with the exact same disk + laptop were seeing them while other users
were not seeing these issues.

It turns out that enabling LPM triggers a firmware bug somewhere, which
has been fixed in later BIOS versions.

This commit adds a new ahci_broken_lpm() function and a new ATA_FLAG_NO_LPM
for dealing with this.

The ahci_broken_lpm() function contains DMI match info for the 4 models
which are known to be affected by this and the DMI BIOS date field for
known good BIOS versions. If the BIOS date is older than the one in the
table LPM will be disabled and a warning will be printed.

Note the BIOS dates are for known good versions, some older versions may
work too, but we don't know for sure, the table is using dates from BIOS
versions for which users have confirmed that upgrading to that version
makes the problem go away.

Unfortunately I've been unable to get hold of the reporter who reported
that BIOS version 2.35 fixed the problems on the W541 for him. I've been
able to verify the DMI_SYS_VENDOR and DMI_PRODUCT_VERSION from an older
dmidecode, but I don't know the exact BIOS date as reported in the DMI.
Lenovo keeps a changelog with dates in their release notes, but the
dates there are the release dates not the build dates which are in DMI.
So I've chosen to set the date to which we compare to one day past the
release date of the 2.34 BIOS. I plan to fix this with a follow up
commit once I've the necessary info.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/ahci.c        | 59 +++++++++++++++++++++++++++++++++++++++
 drivers/ata/libata-core.c |  3 ++
 include/linux/libata.h    |  1 +
 3 files changed, 63 insertions(+)

--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -1225,6 +1225,59 @@ static bool ahci_broken_suspend(struct p
 	return strcmp(buf, dmi->driver_data) < 0;
 }
 
+static bool ahci_broken_lpm(struct pci_dev *pdev)
+{
+	static const struct dmi_system_id sysids[] = {
+		/* Various Lenovo 50 series have LPM issues with older BIOSen */
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X250"),
+			},
+			.driver_data = "20180406", /* 1.31 */
+		},
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L450"),
+			},
+			.driver_data = "20180420", /* 1.28 */
+		},
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T450s"),
+			},
+			.driver_data = "20180315", /* 1.33 */
+		},
+		{
+			.matches = {
+				DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+				DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W541"),
+			},
+			/*
+			 * Note date based on release notes, 2.35 has been
+			 * reported to be good, but I've been unable to get
+			 * a hold of the reporter to get the DMI BIOS date.
+			 * TODO: fix this.
+			 */
+			.driver_data = "20180310", /* 2.35 */
+		},
+		{ }	/* terminate list */
+	};
+	const struct dmi_system_id *dmi = dmi_first_match(sysids);
+	int year, month, date;
+	char buf[9];
+
+	if (!dmi)
+		return false;
+
+	dmi_get_date(DMI_BIOS_DATE, &year, &month, &date);
+	snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date);
+
+	return strcmp(buf, dmi->driver_data) < 0;
+}
+
 static bool ahci_broken_online(struct pci_dev *pdev)
 {
 #define ENCODE_BUSDEVFN(bus, slot, func)			\
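
Review bot: ahci_broken_lpm() ignores the return value of dmi_get_date(), so the outcome when the firmware reports no usable BIOS date depends on what that helper leaves in year, month and date. Check the return value and decide explicitly whether a missing date disables LPM or not. The date formatting and strcmp() tail is also identical to the end of ahci_broken_suspend() visible just above, so a shared helper would avoid another copy, and the pdev parameter is unused.
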
@@ -1608,6 +1661,12 @@ static int ahci_init_one(struct pci_dev
 			"quirky BIOS, skipping spindown on poweroff\n");
 	}
 
+	if (ahci_broken_lpm(pdev)) {
+		pi.flags |= ATA_FLAG_NO_LPM;
+		dev_warn(&pdev->dev,
+			 "BIOS update required for Link Power Management support\n");
+	}
+
 	if (ahci_broken_suspend(pdev)) {
 		hpriv->flags |= AHCI_HFLAG_NO_SUSPEND;
 		dev_warn(&pdev->dev,
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2227,6 +2227,9 @@ int ata_dev_configure(struct ata_device
 	    (id[ATA_ID_SATA_CAPABILITY] & 0xe) == 0x2)
 		dev->horkage |= ATA_HORKAGE_NOLPM;
 
+	if (ap->flags & ATA_FLAG_NO_LPM)
+		dev->horkage |= ATA_HORKAGE_NOLPM;
+
 	if (dev->horkage & ATA_HORKAGE_NOLPM) {
 		ata_dev_warn(dev, "LPM support broken, forcing max_power\n");
 		dev->link->ap->target_lpm_policy = ATA_LPM_MAX_POWER;
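
Review bot: When ATA_FLAG_NO_LPM is set, the device is tagged with ATA_HORKAGE_NOLPM and then falls into the existing branch that prints "LPM support broken, forcing max_power" for the device, although the cause here is the host firmware. Since ahci_init_one() already warns that a BIOS update is required, consider wording the per-device message so it does not blame the drive, or skipping it in the host-flag case.
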
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -210,6 +210,7 @@ enum {
 	ATA_FLAG_SLAVE_POSS	= (1 << 0), /* host supports slave dev */
 					    /* (doesn't imply presence) */
 	ATA_FLAG_SATA		= (1 << 1),
+	ATA_FLAG_NO_LPM		= (1 << 2), /* host not happy with LPM */
 	ATA_FLAG_NO_ATAPI	= (1 << 6), /* No ATAPI support */
 	ATA_FLAG_PIO_DMA	= (1 << 7), /* PIO cmds via DMA */
 	ATA_FLAG_PIO_LBA48	= (1 << 8), /* Host DMA engine is LBA28 only */


* [PATCH 3.16 196/366] staging: android: ion: Return an ERR_PTR in ion_map_kernel
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 053/366] sbitmap: fix race in wait batch accounting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 341/366] MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations Ben Hutchings
                   ` (175 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Laura Abbott, Greg Kroah-Hartman, syzbot+55b1d9f811650de944c6

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laura Abbott <labbott@redhat.com>

commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream.

The expected return value from ion_map_kernel is an ERR_PTR. The error
path for a vmalloc failure currently just returns NULL, triggering
a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.

Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ion/ion_heap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion_heap.c
+++ b/drivers/staging/android/ion/ion_heap.c
@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_hea
 	struct page **tmp = pages;
 
 	if (!pages)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	if (buffer->flags & ION_FLAG_CACHED)
 		pgprot = PAGE_KERNEL;
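Review bot: the `if (!pages)` path now returns `ERR_PTR(-ENOMEM)`, so any caller of ion_heap_map_kernel() that still tests the result against NULL will treat the error pointer as a valid mapping and dereference it. The commit message names only ion_buffer_kmap_get as expecting an ERR_PTR; any other caller in the 3.16 tree needs to be checked for IS_ERR() handling before this is applied. The subject also says ion_map_kernel while the function changed here is ion_heap_map_kernel.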



* [PATCH 3.16 206/366] ARM: dts: da850: Fix interrups property for gpio
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 257/366] usb: cdc_acm: Add quirk for Castles VEGA3000 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 018/366] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Ben Hutchings
                   ` (183 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Keerthy, Sekhar Nori

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit 3eb1b955cd7ed1e621ace856710006c2a8a7f231 upstream.

The intc #interrupt-cells is equal to 1. Currently gpio
node has 2 cells per IRQ which is wrong. Remove the additional
cell for each of the interrupts.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Fixes: 2e38b946dc54 ("ARM: davinci: da850: add GPIO DT node")
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/da850.dtsi | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/arch/arm/boot/dts/da850.dtsi
+++ b/arch/arm/boot/dts/da850.dtsi
@@ -261,11 +261,7 @@
 			compatible = "ti,dm6441-gpio";
 			gpio-controller;
 			reg = <0x226000 0x1000>;
-			interrupts = <42 IRQ_TYPE_EDGE_BOTH
-				43 IRQ_TYPE_EDGE_BOTH 44 IRQ_TYPE_EDGE_BOTH
-				45 IRQ_TYPE_EDGE_BOTH 46 IRQ_TYPE_EDGE_BOTH
-				47 IRQ_TYPE_EDGE_BOTH 48 IRQ_TYPE_EDGE_BOTH
-				49 IRQ_TYPE_EDGE_BOTH 50 IRQ_TYPE_EDGE_BOTH>;
+			interrupts = <42 43 44 45 46 47 48 49 50>;
 			ti,ngpio = <144>;
 			ti,davinci-gpio-unbanked = <0>;
 			status = "disabled";
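Review bot: the new `interrupts = <42 43 44 45 46 47 48 49 50>;` is only correct if this node's interrupt parent is the intc with #interrupt-cells = 1 that the commit message refers to, and the parent is not visible in the hunk. A board file that overrides interrupt-parent for this node would need the same check. With a one-cell parent the removed property would have been read as 18 one-cell specifiers, each IRQ_TYPE_EDGE_BOTH value being taken as an interrupt number.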



* [PATCH 3.16 128/366] video/omap: add module license tags
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (364 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 077/366] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Bartlomiej Zolnierkiewicz, Imre Deak

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 1bde9f2cf142b726412fa5b0e3cb557ff46952b0 upstream.

I got a bunch of warnings in a randconfig build:

WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_ams_delta.o
WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_inn1510.o
WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_palmte.o
WARNING: modpost: missing MODULE_LICENSE() in drivers/video/fbdev/omap/lcd_palmtt.o

These come from an earlier patch of mine that turned all display drivers
into separate modules. The fix is to add a MODULE_LICENSE tag. Since I'm
doing that, adding a description and author field also makes sense. I
went by the authors listed in the comment at the top of each file, but
removed Imre's Nokia email address that I assume is not valid any more,
since Imre is working at Intel these days.

Fixes: 81c44c2b2ce3 ("video/omap: fix modular build")
Cc: Imre Deak <imre.deak@intel.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[b.zolnierkie: minor fixups]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/omap/lcd_ams_delta.c | 4 ++++
 drivers/video/fbdev/omap/lcd_h3.c        | 4 ++++
 drivers/video/fbdev/omap/lcd_htcherald.c | 4 ++++
 drivers/video/fbdev/omap/lcd_inn1510.c   | 4 ++++
 drivers/video/fbdev/omap/lcd_inn1610.c   | 4 ++++
 drivers/video/fbdev/omap/lcd_osk.c       | 4 ++++
 drivers/video/fbdev/omap/lcd_palmte.c    | 4 ++++
 drivers/video/fbdev/omap/lcd_palmtt.c    | 4 ++++
 drivers/video/fbdev/omap/lcd_palmz71.c   | 4 ++++
 9 files changed, 36 insertions(+)

--- a/drivers/video/fbdev/omap/lcd_ams_delta.c
+++ b/drivers/video/fbdev/omap/lcd_ams_delta.c
@@ -223,3 +223,7 @@ static struct platform_driver ams_delta_
 };
 
 module_platform_driver(ams_delta_panel_driver);
+
+MODULE_AUTHOR("Jonathan McDowell <noodles@earth.li>");
+MODULE_DESCRIPTION("LCD panel support for the Amstrad E3 (Delta) videophone");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_h3.c
+++ b/drivers/video/fbdev/omap/lcd_h3.c
@@ -125,3 +125,7 @@ static struct platform_driver h3_panel_d
 };
 
 module_platform_driver(h3_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP H3 board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_htcherald.c
+++ b/drivers/video/fbdev/omap/lcd_htcherald.c
@@ -116,3 +116,7 @@ static struct platform_driver htcherald_
 };
 
 module_platform_driver(htcherald_panel_driver);
+
+MODULE_AUTHOR("Cory Maccarrone");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("LCD panel support for the HTC Herald");
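Review bot: style point on the tags added to lcd_htcherald.c: MODULE_LICENSE is placed before MODULE_DESCRIPTION here (and again in lcd_palmz71.c), while the other seven files in this patch use the order author, description, license. Reordering these two files would keep the series uniform.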
--- a/drivers/video/fbdev/omap/lcd_inn1510.c
+++ b/drivers/video/fbdev/omap/lcd_inn1510.c
@@ -111,3 +111,7 @@ static struct platform_driver innovator1
 };
 
 module_platform_driver(innovator1510_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP1510 Innovator board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_inn1610.c
+++ b/drivers/video/fbdev/omap/lcd_inn1610.c
@@ -132,3 +132,7 @@ static struct platform_driver innovator1
 };
 
 module_platform_driver(innovator1610_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP1610 Innovator board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_osk.c
+++ b/drivers/video/fbdev/omap/lcd_osk.c
@@ -131,3 +131,7 @@ static struct platform_driver osk_panel_
 };
 
 module_platform_driver(osk_panel_driver);
+
+MODULE_AUTHOR("Imre Deak");
+MODULE_DESCRIPTION("LCD panel support for the TI OMAP OSK board");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_palmte.c
+++ b/drivers/video/fbdev/omap/lcd_palmte.c
@@ -108,3 +108,7 @@ static struct platform_driver palmte_pan
 };
 
 module_platform_driver(palmte_panel_driver);
+
+MODULE_AUTHOR("Romain Goyet <r.goyet@gmail.com>, Laurent Gonzalez <palmte.linux@free.fr>");
+MODULE_DESCRIPTION("LCD panel support for the Palm Tungsten E");
+MODULE_LICENSE("GPL");
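Review bot: MODULE_AUTHOR in lcd_palmte.c packs two authors into one string, "Romain Goyet <r.goyet@gmail.com>, Laurent Gonzalez <palmte.linux@free.fr>", and lcd_palmz71.c does the same with three names. The comment above MODULE_AUTHOR in include/linux/module.h asks for one MODULE_AUTHOR() statement per author, which also keeps modinfo output at one author per line.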
--- a/drivers/video/fbdev/omap/lcd_palmtt.c
+++ b/drivers/video/fbdev/omap/lcd_palmtt.c
@@ -114,3 +114,7 @@ static struct platform_driver palmtt_pan
 };
 
 module_platform_driver(palmtt_panel_driver);
+
+MODULE_AUTHOR("Marek Vasut <marek.vasut@gmail.com>");
+MODULE_DESCRIPTION("LCD panel support for Palm Tungsten|T");
+MODULE_LICENSE("GPL");
--- a/drivers/video/fbdev/omap/lcd_palmz71.c
+++ b/drivers/video/fbdev/omap/lcd_palmz71.c
@@ -110,3 +110,7 @@ static struct platform_driver palmz71_pa
 };
 
 module_platform_driver(palmz71_panel_driver);
+
+MODULE_AUTHOR("Romain Goyet, Laurent Gonzalez, Marek Vasut");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("LCD panel support for the Palm Zire71");



* [PATCH 3.16 146/366] ext4: add more mount time checks of the superblock
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (240 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 088/366] ext4: fix fencepost error in check for inode count overflow during resize Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 177/366] Input: elantech - enable middle button of touchpads on ThinkPad P52 Ben Hutchings
                   ` (124 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit bfe0a5f47ada40d7984de67e59a7d3390b9b9ecc upstream.

The kernel's ext4 mount-time checks were more permissive than
e2fsprogs's libext2fs checks when opening a file system.  The
superblock is considered too insane for debugfs or e2fsck to operate
on it, the kernel has no business trying to mount it.

This will make file system fuzzing tools work harder, but the failure
cases that they find will be more useful and be easier to evaluate.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3725,6 +3725,13 @@ static int ext4_fill_super(struct super_
 			 le32_to_cpu(es->s_log_block_size));
 		goto failed_mount;
 	}
+	if (le32_to_cpu(es->s_log_cluster_size) >
+	    (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
+		ext4_msg(sb, KERN_ERR,
+			 "Invalid log cluster size: %u",
+			 le32_to_cpu(es->s_log_cluster_size));
+		goto failed_mount;
+	}
 
 	if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
 		ext4_msg(sb, KERN_ERR,
@@ -3853,13 +3860,6 @@ static int ext4_fill_super(struct super_
 				 "block size (%d)", clustersize, blocksize);
 			goto failed_mount;
 		}
-		if (le32_to_cpu(es->s_log_cluster_size) >
-		    (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
-			ext4_msg(sb, KERN_ERR,
-				 "Invalid log cluster size: %u",
-				 le32_to_cpu(es->s_log_cluster_size));
-			goto failed_mount;
-		}
 		sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) -
 			le32_to_cpu(es->s_log_block_size);
 		sbi->s_clusters_per_group =
@@ -3880,10 +3880,10 @@ static int ext4_fill_super(struct super_
 		}
 	} else {
 		if (clustersize != blocksize) {
-			ext4_warning(sb, "fragment/cluster size (%d) != "
-				     "block size (%d)", clustersize,
-				     blocksize);
-			clustersize = blocksize;
+			ext4_msg(sb, KERN_ERR,
+				 "fragment/cluster size (%d) != "
+				 "block size (%d)", clustersize, blocksize);
+			goto failed_mount;
 		}
 		if (sbi->s_blocks_per_group > blocksize * 8) {
 			ext4_msg(sb, KERN_ERR,
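Review bot: in the non-bigalloc branch, `clustersize != blocksize` changes from a warning that reset clustersize to blocksize into a hard `goto failed_mount`, so a filesystem that the previous 3.16 kernel mounted with a warning will now be refused. That is a user-visible behaviour change for a stable update and deserves a line in the backport notes. Unlike the inode-count check added later in this patch, this path does not set ret before jumping, so the errno returned depends on whatever ret holds at this point.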
@@ -3937,6 +3937,13 @@ static int ext4_fill_super(struct super_
 			 ext4_blocks_count(es));
 		goto failed_mount;
 	}
+	if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) &&
+	    (sbi->s_cluster_ratio == 1)) {
+		ext4_msg(sb, KERN_WARNING, "bad geometry: first data "
+			 "block is 0 with a 1k block and cluster size");
+		goto failed_mount;
+	}
+
 	blocks_count = (ext4_blocks_count(es) -
 			le32_to_cpu(es->s_first_data_block) +
 			EXT4_BLOCKS_PER_GROUP(sb) - 1);
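Review bot: the new geometry check logs at KERN_WARNING but then takes `goto failed_mount`, while the other fatal checks in this patch log at KERN_ERR; use KERN_ERR so the reason for the refused mount is reported at the same level as the rest. The raw comparisons `es->s_first_data_block == 0` and `es->s_log_block_size == 0` are safe without le32_to_cpu() only because the constant is zero; the usual le32_to_cpu() wrapper would stop someone copying the pattern with a non-zero value.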
@@ -3972,6 +3979,14 @@ static int ext4_fill_super(struct super_
 		ret = -ENOMEM;
 		goto failed_mount;
 	}
+	if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+	    le32_to_cpu(es->s_inodes_count)) {
+		ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+			 le32_to_cpu(es->s_inodes_count),
+			 ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+		ret = -EINVAL;
+		goto failed_mount;
+	}
 
 	if (ext4_proc_root)
 		sbi->s_proc = proc_mkdir(sb->s_id, ext4_proc_root);
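Review bot: in the inode-count check, `(u64)sbi->s_groups_count * sbi->s_inodes_per_group` is computed twice, once in the condition and once as the ext4_msg() argument; a local u64 would make it obvious that the comparison and the message use the same value. The check also assumes s_groups_count and s_inodes_per_group have already been validated by this point, which is above the visible context and worth confirming in the 3.16 tree.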



* [PATCH 3.16 143/366] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (297 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 099/366] mtd: cfi_cmdset_0002: Change erase functions to check chip good only Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 267/366] Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list Ben Hutchings
                   ` (67 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit de9bada5d389903f4faf33980e6a95a2911c7e6d upstream.

The /proc/net/pppol2tp handlers (pppol2tp_seq_*()) iterate over all
L2TPv2 tunnels, and rightfully expect that only PPP sessions can be
found there. However, l2tp_netlink accepts creating Ethernet sessions
regardless of the underlying tunnel version.

This confuses pppol2tp_seq_session_show(), which expects that
l2tp_session_priv() returns a pppol2tp_session structure. When the
session is an Ethernet pseudo-wire, a struct l2tp_eth_sess is returned
instead. This leads to invalid memory access when
pppol2tp_session_get_sock() later tries to dereference ps->sk.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_netlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -460,6 +460,12 @@ static int l2tp_nl_cmd_session_create(st
 		goto out_tunnel;
 	}
 
+	/* L2TPv2 only accepts PPP pseudo-wires */
+	if (tunnel->version == 2 && cfg.pw_type != L2TP_PWTYPE_PPP) {
+		ret = -EPROTONOSUPPORT;
+		goto out_tunnel;
+	}
+
 	if (tunnel->version > 2) {
 		if (info->attrs[L2TP_ATTR_OFFSET])
 			cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]);
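Review bot: the new test reads `cfg.pw_type`, so it is only effective if pw_type has already been filled from the netlink attributes before this point, which is above the visible context; please confirm for the 3.16 version of l2tp_nl_cmd_session_create(). The check also closes only the netlink creation path. pppol2tp_seq_session_show(), described in the commit message as expecting l2tp_session_priv() to return a pppol2tp_session, still has no type check of its own, so a defensive check on the reader side would be worth a follow-up.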



* [PATCH 3.16 131/366] backlight: max8925_bl: Fix Device Tree node lookup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (307 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 095/366] tpm: fix race condition in tpm_common_write() Ben Hutchings
                   ` (57 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Lee Jones, Daniel Thompson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed,
while the child backlight node was leaked.

Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/max8925_bl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/video/backlight/max8925_bl.c
+++ b/drivers/video/backlight/max8925_bl.c
@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(st
 	if (!pdata)
 		return;
 
-	np = of_find_node_by_name(nproot, "backlight");
+	np = of_get_child_by_name(nproot, "backlight");
 	if (!np) {
 		dev_err(&pdev->dev, "failed to find backlight node\n");
 		return;
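Review bot: `of_get_child_by_name(nproot, "backlight")` returns the child with a reference held, and the only of_node_put(np) this patch adds sits after the property read in the next hunk. The `if (!np)` return is fine, but any early return later added between the lookup and that put would leak the node; a short comment at the lookup noting where the reference is dropped would make the pairing explicit.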
@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(st
 	if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
 		pdata->dual_string = val;
 
+	of_node_put(np);
+
 	pdev->dev.platform_data = pdata;
 }
 



* [PATCH 3.16 239/366] sh_eth: fix invalid context bug while changing link options by ethtool
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (315 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 017/366] media: omap3isp/isp: remove an unused static var Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 181/366] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Ben Hutchings
                   ` (49 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Sergei Shtylyov, Vladimir Zapolskiy

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>

commit 5cb3f52a11e18628fc4bee76dd14b1f0b76349de upstream.

The change fixes sleep in atomic context bug, which is encountered
every time when link settings are changed by ethtool.

Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O
potentially sleeping") phy_start_aneg() function utilizes a mutex
to serialize changes to phy state, however that helper function is
called in atomic context under a grabbed spinlock, because
phy_start_aneg() is called by phy_ethtool_ksettings_set() and by
replaced phy_ethtool_sset() helpers from phylib.

Now duplex mode setting is enforced in sh_eth_adjust_link() only,
also now RX/TX is disabled when link is put down or modifications
to E-MAC registers ECMR and GECMR are expected for both cases of
checked and ignored link status pin state from E-MAC interrupt handler.

For reference the change is a partial rework of commit 1e1b812bbe10
("sh_eth: fix handling of no LINK signal").

Fixes: dc19e4e5e02f ("sh: sh_eth: Add support ethtool")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Keep using phy_ethtool_sset()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -1727,8 +1727,15 @@ static void sh_eth_adjust_link(struct ne
 {
 	struct sh_eth_private *mdp = netdev_priv(ndev);
 	struct phy_device *phydev = mdp->phydev;
+	unsigned long flags;
 	int new_state = 0;
 
+	spin_lock_irqsave(&mdp->lock, flags);
+
+	/* Disable TX and RX right over here, if E-MAC change is ignored */
+	if (mdp->cd->no_psr || mdp->no_ether_link)
+		sh_eth_rcv_snd_disable(ndev);
+
 	if (phydev->link) {
 		if (phydev->duplex != mdp->duplex) {
 			new_state = 1;
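Review bot: `sh_eth_rcv_snd_disable(ndev)` now runs at the top of every sh_eth_adjust_link() call when `mdp->cd->no_psr || mdp->no_ether_link`, before the code has established that link, speed or duplex actually changed, so RX/TX is stopped and restarted even on a call where new_state stays 0. If that is intended, the comment should say why the disable is unconditional; "right over here, if E-MAC change is ignored" does not. Since the section is now entered under `spin_lock_irqsave(&mdp->lock, flags)`, also confirm that nothing called inside it can sleep, as that is the class of bug this patch fixes.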
@@ -1749,18 +1756,21 @@ static void sh_eth_adjust_link(struct ne
 				     ECMR);
 			new_state = 1;
 			mdp->link = phydev->link;
-			if (mdp->cd->no_psr || mdp->no_ether_link)
-				sh_eth_rcv_snd_enable(ndev);
 		}
 	} else if (mdp->link) {
 		new_state = 1;
 		mdp->link = 0;
 		mdp->speed = 0;
 		mdp->duplex = -1;
-		if (mdp->cd->no_psr || mdp->no_ether_link)
-			sh_eth_rcv_snd_disable(ndev);
 	}
 
+	/* Enable TX and RX right over here, if E-MAC change is ignored */
+	if ((mdp->cd->no_psr || mdp->no_ether_link) && phydev->link)
+		sh_eth_rcv_snd_enable(ndev);
+
+	mmiowb();
+	spin_unlock_irqrestore(&mdp->lock, flags);
+
 	if (new_state && netif_msg_link(mdp))
 		phy_print_status(phydev);
 }
@@ -1843,35 +1853,8 @@ static int sh_eth_set_settings(struct ne
 			       struct ethtool_cmd *ecmd)
 {
 	struct sh_eth_private *mdp = netdev_priv(ndev);
-	unsigned long flags;
-	int ret;
-
-	spin_lock_irqsave(&mdp->lock, flags);
 
-	/* disable tx and rx */
-	sh_eth_rcv_snd_disable(ndev);
-
-	ret = phy_ethtool_sset(mdp->phydev, ecmd);
-	if (ret)
-		goto error_exit;
-
-	if (ecmd->duplex == DUPLEX_FULL)
-		mdp->duplex = 1;
-	else
-		mdp->duplex = 0;
-
-	if (mdp->cd->set_duplex)
-		mdp->cd->set_duplex(ndev);
-
-error_exit:
-	mdelay(1);
-
-	/* enable tx and rx */
-	sh_eth_rcv_snd_enable(ndev);
-
-	spin_unlock_irqrestore(&mdp->lock, flags);
-
-	return ret;
+	return phy_ethtool_sset(mdp->phydev, ecmd);
 }
 
 static int sh_eth_nway_reset(struct net_device *ndev)
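Review bot: sh_eth_set_settings() is reduced to `return phy_ethtool_sset(mdp->phydev, ecmd);` with no check that mdp->phydev is set, so the ethtool path relies on a PHY being attached whenever this op can be called; a guard returning an error when mdp->phydev is NULL would make that explicit. The removed code also updated mdp->duplex and called mdp->cd->set_duplex() directly; per the commit message that is now left to sh_eth_adjust_link(), so the MAC picks up a duplex change only once that callback runs.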



* [PATCH 3.16 061/366] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 211/366] tty: vt, remove reduntant check Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 120/366] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Ben Hutchings
                   ` (355 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Steffen Maier, Benjamin Block

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 81979ae63e872ef650a7197f6ce6590059d37172 upstream.

We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
our eh callback and an actual send/recv of an abort / TMF request.  In order
to see the temporal sequence including any abort / TMF send retries, add a
trace before the above two blocking functions.  This supports problem
determination with scsi_eh and parallel zfcp ERP.

No need to explicitly trace the beginning of our eh callback, since we
typically can send an abort / TMF and see its HBA response (in the worst
case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
almost the beginning of the callback.

No need to explicitly trace the wakeup after the above two blocking
functions because the next retry loop causes another trace in any case and
that is sufficient.

Example trace records formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : abrt_wt        abort, before zfcp_erp_wait()
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0x<scsi_id>
SCSI LUN       : 0x<scsi_lun>
SCSI LUN high  : 0x<scsi_lun_high>
SCSI result    : 0x<scsi_result_of_cmd_to_be_aborted>
SCSI retries   : 0x<retries_of_cmd_to_be_aborted>
SCSI allowed   : 0x<allowed_retries_of_cmd_to_be_aborted>
SCSI scribble  : 0x<req_id_of_cmd_to_be_aborted>
SCSI opcode    : <CDB_of_cmd_to_be_aborted>
FCP rsp inf cod: 0x..                                   none (invalid)
FCP rsp IU     : ...                                    none (invalid)

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : lr_wait        LUN reset, before zfcp_erp_wait()
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0x<scsi_id>
SCSI LUN       : 0x<scsi_lun>
SCSI LUN high  : 0x<scsi_lun_high>
SCSI result    : 0x...                                  unrelated
SCSI retries   : 0x..                                   unrelated
SCSI allowed   : 0x..                                   unrelated
SCSI scribble  : 0x...                                  unrelated
SCSI opcode    : ...                                    unrelated
FCP rsp inf cod: 0x..                                   none (invalid)
FCP rsp IU     : ...                                    none (invalid)

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_scsi.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -201,6 +201,7 @@ static int zfcp_scsi_eh_abort_handler(st
 		if (abrt_req)
 			break;
 
+		zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
 		zfcp_erp_wait(adapter);
 		ret = fc_block_scsi_eh(scpnt);
 		if (ret) {
@@ -297,6 +298,7 @@ static int zfcp_task_mgmt_function(struc
 		if (fsf_req)
 			break;
 
+		zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
 		zfcp_erp_wait(adapter);
 		ret = fc_block_scsi_eh(scpnt);
 		if (ret) {
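Review bot: the tag passed in `zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL)` is the literal "wait", while the commit message and its example record show "lr_wait" and "[lt]r_wait"; the prefix is presumably built inside zfcp_dbf_scsi_devreset() from tm_flags, which is not visible here. A one-line comment at the call site saying so would save a reader from searching the trace for "wait" alone. The abort hunk above passes the full tag "abrt_wt", so without that explanation the two call sites look inconsistent.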



* [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 268/366] Input: i8042 - add Lenovo LaVie Z to the i8042 reset list Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows Ben Hutchings
                   ` (313 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Saeed Mahameed, Alex Vesker

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit d412c31dae053bf30a1bc15582a9990df297a660 upstream.

The command interface can work in two modes: Events and Polling.
In the general case, each time we invoke a command, a work is
queued to handle it.

When working in events, the interrupt handler completes the
command execution. On the other hand, when working in polling
mode, the work itself completes it.

Due to a bug in the work handler, a command could have been
completed by the interrupt handler, while the work handler
hasn't finished yet, causing it to complete once again
if the command interface mode was changed from Events to
polling after the interrupt handler was called.

mlx5_unload_one()
        mlx5_stop_eqs()
                // Destroy the EQ before cmd EQ
                ...cmd_work_handler()
                        write_doorbell()
                        --> EVENT_TYPE_CMD
                                mlx5_cmd_comp_handler() // First free
                                        free_ent(cmd, ent->idx)
                                        complete(&ent->done)

        <-- mlx5_stop_eqs //cmd was complete
                // move to polling before destroying the last cmd EQ
                mlx5_cmd_use_polling()
                        cmd->mode = POLL;

                --> cmd_work_handler (continues)
                        if (cmd->mode == POLL)
                                mlx5_cmd_comp_handler() // Double free

The solution is to store the cmd->mode before writing the doorbell.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -560,6 +560,7 @@ static void cmd_work_handler(struct work
 	struct mlx5_cmd_layout *lay;
 	struct semaphore *sem;
 	int alloc_ret;
+	int cmd_mode;
 
 	sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
 	down(sem);
@@ -602,6 +603,7 @@ static void cmd_work_handler(struct work
 	set_signature(ent, !cmd->checksum_disabled);
 	dump_command(dev, ent, 1);
 	ktime_get_ts(&ent->ts1);
+	cmd_mode = cmd->mode;
 
 	if (ent->callback)
 		schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
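Review bot: `cmd_mode = cmd->mode;` is a plain load of a field that, per the race in the commit message, mlx5_cmd_use_polling() writes concurrently; wrap it in ACCESS_ONCE() so the compiler cannot re-read cmd->mode at the later `if (cmd_mode == CMD_MODE_POLLING)` and undo the fix. A comment at the snapshot saying that it must be taken before the doorbell write would also help, because the assignment sits several statements above iowrite32be() and looks freely movable.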
@@ -611,7 +613,7 @@ static void cmd_work_handler(struct work
 	iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell);
 	mlx5_core_dbg(dev, "write 0x%x to command doorbell\n", 1 << ent->idx);
 	mmiowb();
-	if (cmd->mode == CMD_MODE_POLLING) {
+	if (cmd_mode == CMD_MODE_POLLING) {
 		poll_timeout(ent);
 		/* make sure we read the descriptor after ownership is SW */
 		rmb();



* [PATCH 3.16 033/366] powerpc/fadump: Unregister fadump on kexec down path.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 300/366] net: socket: fix potential spectre v1 gadget in socketcall Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 219/366] x86/cpufeatures: Hide AMD-specific speculation flags Ben Hutchings
                   ` (71 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Mahesh Salgaonkar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>

commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.

Unregister fadump on kexec down path otherwise the fadump registration
in new kexec-ed kernel complains that fadump is already registered.
This makes new kernel to continue using fadump registered by previous
kernel which may lead to invalid vmcore generation. Hence this patch
fixes this issue by un-registering fadump in fadump_cleanup() which is
called during kexec path so that new kernel can register fadump with
new valid values.

Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/fadump.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1025,6 +1025,9 @@ void fadump_cleanup(void)
 		init_fadump_mem_struct(&fdm,
 			fdm_active->cpu_state_data.destination_address);
 		fadump_invalidate_dump(&fdm);
+	} else if (fw_dump.dump_registered) {
+		/* Un-register Firmware-assisted dump if it was registered. */
+		fadump_unregister_dump(&fdm);
 	}
 }
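Review bot: the new `else if (fw_dump.dump_registered)` branch passes `&fdm` to fadump_unregister_dump() as it stands, whereas the branch above re-initialises fdm with init_fadump_mem_struct() before using it; confirm that fdm still holds the values used at registration when fadump_cleanup() runs on the kexec path. If fadump_unregister_dump() can fail, its result is ignored here, which would leave the next kernel in the "already registered" state the commit message describes with nothing logged at this call site.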
 



* [PATCH 3.16 190/366] batman-adv: unify flags access style in tt global add
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 025/366] mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources Ben Hutchings
                   ` (91 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio Quartulli, Marek Lindner, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Wunderlich <sw@simonwunderlich.de>

commit ad7e2c466d8b0a7056cd248e1df6bb7296e014f7 upstream.

This should slightly improve readability

Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1435,7 +1435,7 @@ static bool batadv_tt_global_add(struct
 		 * TT_CLIENT_TEMP, therefore they have to be copied in the
 		 * client entry
 		 */
-		tt_global_entry->common.flags |= flags & (~BATADV_TT_SYNC_MASK);
+		common->flags |= flags & (~BATADV_TT_SYNC_MASK);
 
 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
 		 * one originator left in the list and we previously received a
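
Review bot: the replacement line writes through common->flags, but the assignment of common lies outside this hunk. Since the backport note says the context was adjusted, confirm that in the 3.16 tree common already points at &tt_global_entry->common on every path that reaches this line, for both a newly allocated entry and an existing one; otherwise the flags land somewhere other than where the removed line put them.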



* [PATCH 3.16 071/366] net: ethernet: davinci_emac: Fix printing of base address
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 138/366] l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 344/366] [media] ir-core: fix gcc-7 warning on bool arithmetic Ben Hutchings
                   ` (206 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 5a04e8f81a4f55ce1c2b7b525744a187c99ba302 upstream.

Use %pa which is the correct formatter to print a physical address,
instead of %p which is just a pointer.

Fixes: a6286ee630f6 ("net: Add TI DaVinci EMAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ti/davinci_emac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -2024,8 +2024,8 @@ static int davinci_emac_probe(struct pla
 
 	if (netif_msg_probe(priv)) {
 		dev_notice(&pdev->dev, "DaVinci EMAC Probe found device "
-			   "(regs: %p, irq: %d)\n",
-			   (void *)priv->emac_base_phys, ndev->irq);
+			   "(regs: %pa, irq: %d)\n",
+			   &priv->emac_base_phys, ndev->irq);
 	}
 	pm_runtime_put(&pdev->dev);
 
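Review bot: %pa dereferences its argument as a pointer to phys_addr_t (or a type of the same width such as resource_size_t), so the new &priv->emac_base_phys is only correct if the field is declared that way, and the declaration is not part of this hunk. The removed (void *) cast suggests an integer-typed field; please confirm its type in the 3.16 struct, since a narrower type would make %pa read past it where phys_addr_t is 64-bit.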



* [PATCH 3.16 111/366] net/packet: refine check for priv area size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (361 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 031/366] ALSA: hda/ca0132: fix build failure when a local macro is defined Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 016/366] staging:iio:ade7854: Fix the wrong number of bits to read Ben Hutchings
                   ` (3 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, syzbot, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 upstream.

syzbot was able to trick af_packet again [1]

Various commits tried to address the problem in the past,
but failed to take into account V3 header size.

[1]

tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106

CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
 prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
 __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
 packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
 tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
 xmit_one net/core/dev.c:3049 [inline]
 dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
 ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
 addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the page:
page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3898,7 +3898,7 @@ static int packet_set_ring(struct sock *
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
 		    req->tp_block_size <=
-			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+		    BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))
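
Review bot: the added condition line in packet_set_ring() runs well past 80 columns and carries a requirement the code does not explain. A short comment saying that a TPACKET_V3 block must hold the block header, the private area and at least one struct tpacket3_hdr would stop the "+ sizeof(struct tpacket3_hdr)" term from being dropped in a later cleanup. The (u64) cast on tp_sizeof_priv is what keeps the sum from wrapping, so the sizeof term should stay on the 64-bit side of the comparison, as it is here.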



* [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 139/366] l2tp: only accept PPP sessions in pppol2tp_connect() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line Ben Hutchings
                   ` (157 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dennis Yang, Mike Snitzer

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3 upstream.

Discards issued to a DM thin device can complete to userspace (via
fstrim) _before_ the metadata changes associated with the discards is
reflected in the thinp superblock (e.g. free blocks).  As such, if a
user constructs a test that loops repeatedly over these steps, block
allocation can fail due to discards not having completed yet:
1) fill thin device via filesystem file
2) remove file
3) fstrim

From initial report, here:
https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html

"The root cause of this issue is that dm-thin will first remove
mapping and increase corresponding blocks' reference count to prevent
them from being reused before DISCARD bios get processed by the
underlying layers. However, increasing blocks' reference count could
also increase the nr_allocated_this_transaction in struct sm_disk
which makes smd->old_ll.nr_allocated +
smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
In this case, alloc_data_block() will never commit metadata to reset
the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
always return an underflow value."

While there is room for improvement to the space-map accounting that
thinp is making use of: the reality is this test is inherently racy and
will result in the previous iteration's fstrim's discard(s) completing
vs concurrent block allocation, via dd, in the next iteration of the
loop.

No amount of space map accounting improvements will be able to allow
users to use a block before a discard of that block has completed.

So the best we can really do is allow DM thinp to gracefully handle such
aggressive use of all the pool's data by degrading the pool into
out-of-data-space (OODS) mode.  We _should_ get that behaviour already
(if space map accounting didn't falsely cause alloc_data_block() to
believe free space was available).. but short of that we handle the
current reality that dm_pool_alloc_data_block() can return -ENOSPC.

Reported-by: Dennis Yang <dennisyang@qnap.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-thin.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -938,6 +938,8 @@ static void schedule_zero(struct thin_c
 
 static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
 
+static void requeue_bios(struct pool *pool);
+
 static void check_for_space(struct pool *pool)
 {
 	int r;
@@ -950,8 +952,10 @@ static void check_for_space(struct pool
 	if (r)
 		return;
 
-	if (nr_free)
+	if (nr_free) {
 		set_pool_mode(pool, PM_WRITE);
+		requeue_bios(pool);
+	}
 }
 
 /*
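
Review bot: in check_for_space(), requeue_bios(pool) runs unconditionally after set_pool_mode(pool, PM_WRITE), and set_pool_mode() is declared void above, so the caller cannot tell whether the pool actually reached PM_WRITE before bios are requeued. Either check the resulting pool mode before requeueing, or add a comment explaining why requeueing is harmless when the mode switch did not take effect.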
@@ -1028,7 +1032,10 @@ static int alloc_data_block(struct thin_
 
 	r = dm_pool_alloc_data_block(pool->pmd, result);
 	if (r) {
-		metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
+		if (r == -ENOSPC)
+			set_pool_mode(pool, PM_OUT_OF_DATA_SPACE);
+		else
+			metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
 		return r;
 	}
 
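Review bot: the new -ENOSPC branch in alloc_data_block() switches the pool to PM_OUT_OF_DATA_SPACE without logging anything, while every other error still goes through metadata_operation_failed() with the failing function's name. The code needs a comment saying that -ENOSPC is expected here when discards from an earlier pass have not completed, as the commit message explains, so the special case is not mistaken for a swallowed error. The re-indented metadata_operation_failed() line also now exceeds 80 columns.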



* [PATCH 3.16 087/366] perf/core: Fix group scheduling with mixed hw and sw events
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 133/366] backlight: as3711_bl: Fix Device Tree node leaks Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 336/366] gcov: add support for GCC 5.1 Ben Hutchings
                   ` (277 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, Song Liu, Thomas Gleixner, Alexander Shishkin,
	kernel-team, Jiri Olsa, Arnaldo Carvalho de Melo, Linus Torvalds,
	Peter Zijlstra (Intel),
	Vince Weaver, Stephane Eranian

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Song Liu <songliubraving@fb.com>

commit a1150c202207cc8501bebc45b63c264f91959260 upstream.

When hw and sw events are mixed in the same group, they are all attached
to the hw perf_event_context. This sometimes requires moving group of
perf_event to a different context.

We found a bug in how the kernel handles this, for example if we do:

   perf stat -e '{faults,ref-cycles,faults}'  -I 1000

     1.005591180              1,297      faults
     1.005591180        457,476,576      ref-cycles
     1.005591180    <not supported>      faults

First, sw event "faults" is attached to the sw context, and becomes the
group leader. Then, hw event "ref-cycles" is attached, so both events
are moved to the hw context. Last, another sw "faults" tries to attach,
but it fails because of mismatch between the new target ctx (from sw
pmu) and the group_leader's ctx (hw context, same as ref-cycles).

The broken condition is:
   group_leader is sw event;
   group_leader is on hw context;
   add a sw event to the group.

Fix this scenario by checking group_leader's context (instead of just
event type). If group_leader is on hw context, use the ->pmu of this
context to look up context for the new event.

Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <kernel-team@fb.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: b04243ef7006 ("perf: Complete software pmu grouping")
Link: http://lkml.kernel.org/r/20180503194716.162815-1-songliubraving@fb.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/perf_event.h |  8 ++++++++
 kernel/events/core.c       | 21 +++++++++++----------
 2 files changed, 19 insertions(+), 10 deletions(-)

--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -640,6 +640,14 @@ static inline int is_software_event(stru
 	return event->pmu->task_ctx_nr == perf_sw_context;
 }
 
+/*
+ * Return 1 for event in sw context, 0 for event in hw context
+ */
+static inline int in_software_context(struct perf_event *event)
+{
+	return event->ctx->pmu->task_ctx_nr == perf_sw_context;
+}
+
 extern struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX];
 
 extern void ___perf_sw_event(u32, u64, struct pt_regs *, u64);
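
Review bot: in_software_context() dereferences event->ctx->pmu with no NULL check, so it is only safe for an event that is already attached to a context, and the comment above it should state that precondition. The core.c part of this patch applies it to group_leader, which fits, but the helper sits next to is_software_event() in a public header and nothing in its name or comment warns a later caller against passing an event whose ctx is not set yet.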
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7502,19 +7502,20 @@ SYSCALL_DEFINE5(perf_event_open,
 	 */
 	pmu = event->pmu;
 
-	if (group_leader &&
-	    (is_software_event(event) != is_software_event(group_leader))) {
-		if (is_software_event(event)) {
+	if (group_leader) {
+		if (is_software_event(event) &&
+		    !in_software_context(group_leader)) {
 			/*
-			 * If event and group_leader are not both a software
-			 * event, and event is, then group leader is not.
+			 * If the event is a sw event, but the group_leader
+			 * is on hw context.
 			 *
-			 * Allow the addition of software events to !software
-			 * groups, this is safe because software events never
-			 * fail to schedule.
+			 * Allow the addition of software events to hw
+			 * groups, this is safe because software events
+			 * never fail to schedule.
 			 */
-			pmu = group_leader->pmu;
-		} else if (is_software_event(group_leader) &&
+			pmu = group_leader->ctx->pmu;
+		} else if (!is_software_event(event) &&
+			   is_software_event(group_leader) &&
 			   (group_leader->group_flags & PERF_GROUP_SOFTWARE)) {
 			/*
 			 * In case the group is a pure software group, and we
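
Review bot: the new first branch reads group_leader->ctx->pmu, and the commit message itself says groups get moved between contexts, yet no lock or reference on the leader's context is visible in this hunk. Please confirm that group_leader->ctx cannot change between this read and the context lookup that uses pmu. The rewritten comment "If the event is a sw event, but the group_leader is on hw context." is also a sentence fragment and would read better folded into the paragraph below it.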



* [PATCH 3.16 041/366] powerpc: make feature-fixup tests fortify-safe
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (325 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 362/366] tools/lib/subcmd/pager.c: do not alias select() params Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 319/366] unify dentry_iput() and dentry_unlink_inode() Ben Hutchings
                   ` (39 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andrew Donnellan, Kees Cook, Daniel Axtens, Linus Torvalds,
	Michael Ellerman, Daniel Micay

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Axtens <dja@axtens.net>

commit c69a48cdb301a18697bc8c9935baf4f32861cf9e upstream.

Testing the fortified string functions[1] would cause a kernel panic on
boot in test_feature_fixups() due to a buffer overflow in memcmp.

This boils down to things like this:

  extern unsigned int ftr_fixup_test1;
  extern unsigned int ftr_fixup_test1_orig;

  check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);

We know that these are asm labels so it is safe to read up to 'size'
bytes at those addresses.

However, because we have passed the address of a single unsigned int to
memcmp, the compiler believes the underlying object is in fact a single
unsigned int.  So if size > sizeof(unsigned int), there will be a panic
at runtime.

We can fix this by changing the types: instead of calling the asm labels
unsigned ints, call them unsigned int[]s.  Therefore the size isn't
incorrectly determined at compile time and we get a regular unsafe
memcmp and no panic.

[1] http://openwall.com/lists/kernel-hardening/2017/05/09/2

Link: http://lkml.kernel.org/r/1497903987-21002-7-git-send-email-keescook@chromium.org
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/lib/feature-fixups.c | 180 +++++++++++++++---------------
 1 file changed, 90 insertions(+), 90 deletions(-)

--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -166,192 +166,192 @@ static long calc_offset(struct fixup_ent
 
 void test_basic_patching(void)
 {
-	extern unsigned int ftr_fixup_test1;
-	extern unsigned int end_ftr_fixup_test1;
-	extern unsigned int ftr_fixup_test1_orig;
-	extern unsigned int ftr_fixup_test1_expected;
-	int size = &end_ftr_fixup_test1 - &ftr_fixup_test1;
+	extern unsigned int ftr_fixup_test1[];
+	extern unsigned int end_ftr_fixup_test1[];
+	extern unsigned int ftr_fixup_test1_orig[];
+	extern unsigned int ftr_fixup_test1_expected[];
+	int size = end_ftr_fixup_test1 - ftr_fixup_test1;
 
 	fixup.value = fixup.mask = 8;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test1 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test1 + 2);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test1 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test1 + 2);
 	fixup.alt_start_off = fixup.alt_end_off = 0;
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_orig, size) == 0);
 
 	/* Check we don't patch if the value matches */
 	patch_feature_section(8, &fixup);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_orig, size) == 0);
 
 	/* Check we do patch if the value doesn't match */
 	patch_feature_section(0, &fixup);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_expected, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_expected, size) == 0);
 
 	/* Check we do patch if the mask doesn't match */
-	memcpy(&ftr_fixup_test1, &ftr_fixup_test1_orig, size);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_orig, size) == 0);
+	memcpy(ftr_fixup_test1, ftr_fixup_test1_orig, size);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_orig, size) == 0);
 	patch_feature_section(~8, &fixup);
-	check(memcmp(&ftr_fixup_test1, &ftr_fixup_test1_expected, size) == 0);
+	check(memcmp(ftr_fixup_test1, ftr_fixup_test1_expected, size) == 0);
 }
 
 static void test_alternative_patching(void)
 {
-	extern unsigned int ftr_fixup_test2;
-	extern unsigned int end_ftr_fixup_test2;
-	extern unsigned int ftr_fixup_test2_orig;
-	extern unsigned int ftr_fixup_test2_alt;
-	extern unsigned int ftr_fixup_test2_expected;
-	int size = &end_ftr_fixup_test2 - &ftr_fixup_test2;
+	extern unsigned int ftr_fixup_test2[];
+	extern unsigned int end_ftr_fixup_test2[];
+	extern unsigned int ftr_fixup_test2_orig[];
+	extern unsigned int ftr_fixup_test2_alt[];
+	extern unsigned int ftr_fixup_test2_expected[];
+	int size = end_ftr_fixup_test2 - ftr_fixup_test2;
 
 	fixup.value = fixup.mask = 0xF;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test2 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test2 + 2);
-	fixup.alt_start_off = calc_offset(&fixup, &ftr_fixup_test2_alt);
-	fixup.alt_end_off = calc_offset(&fixup, &ftr_fixup_test2_alt + 1);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test2 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test2 + 2);
+	fixup.alt_start_off = calc_offset(&fixup, ftr_fixup_test2_alt);
+	fixup.alt_end_off = calc_offset(&fixup, ftr_fixup_test2_alt + 1);
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_orig, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_orig, size) == 0);
 
 	/* Check we don't patch if the value matches */
 	patch_feature_section(0xF, &fixup);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_orig, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_orig, size) == 0);
 
 	/* Check we do patch if the value doesn't match */
 	patch_feature_section(0, &fixup);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_expected, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_expected, size) == 0);
 
 	/* Check we do patch if the mask doesn't match */
-	memcpy(&ftr_fixup_test2, &ftr_fixup_test2_orig, size);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_orig, size) == 0);
+	memcpy(ftr_fixup_test2, ftr_fixup_test2_orig, size);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_orig, size) == 0);
 	patch_feature_section(~0xF, &fixup);
-	check(memcmp(&ftr_fixup_test2, &ftr_fixup_test2_expected, size) == 0);
+	check(memcmp(ftr_fixup_test2, ftr_fixup_test2_expected, size) == 0);
 }
 
 static void test_alternative_case_too_big(void)
 {
-	extern unsigned int ftr_fixup_test3;
-	extern unsigned int end_ftr_fixup_test3;
-	extern unsigned int ftr_fixup_test3_orig;
-	extern unsigned int ftr_fixup_test3_alt;
-	int size = &end_ftr_fixup_test3 - &ftr_fixup_test3;
+	extern unsigned int ftr_fixup_test3[];
+	extern unsigned int end_ftr_fixup_test3[];
+	extern unsigned int ftr_fixup_test3_orig[];
+	extern unsigned int ftr_fixup_test3_alt[];
+	int size = end_ftr_fixup_test3 - ftr_fixup_test3;
 
 	fixup.value = fixup.mask = 0xC;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test3 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test3 + 2);
-	fixup.alt_start_off = calc_offset(&fixup, &ftr_fixup_test3_alt);
-	fixup.alt_end_off = calc_offset(&fixup, &ftr_fixup_test3_alt + 2);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test3 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test3 + 2);
+	fixup.alt_start_off = calc_offset(&fixup, ftr_fixup_test3_alt);
+	fixup.alt_end_off = calc_offset(&fixup, ftr_fixup_test3_alt + 2);
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 
 	/* Expect nothing to be patched, and the error returned to us */
 	check(patch_feature_section(0xF, &fixup) == 1);
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 	check(patch_feature_section(0, &fixup) == 1);
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 	check(patch_feature_section(~0xF, &fixup) == 1);
-	check(memcmp(&ftr_fixup_test3, &ftr_fixup_test3_orig, size) == 0);
+	check(memcmp(ftr_fixup_test3, ftr_fixup_test3_orig, size) == 0);
 }
 
 static void test_alternative_case_too_small(void)
 {
-	extern unsigned int ftr_fixup_test4;
-	extern unsigned int end_ftr_fixup_test4;
-	extern unsigned int ftr_fixup_test4_orig;
-	extern unsigned int ftr_fixup_test4_alt;
-	extern unsigned int ftr_fixup_test4_expected;
-	int size = &end_ftr_fixup_test4 - &ftr_fixup_test4;
+	extern unsigned int ftr_fixup_test4[];
+	extern unsigned int end_ftr_fixup_test4[];
+	extern unsigned int ftr_fixup_test4_orig[];
+	extern unsigned int ftr_fixup_test4_alt[];
+	extern unsigned int ftr_fixup_test4_expected[];
+	int size = end_ftr_fixup_test4 - ftr_fixup_test4;
 	unsigned long flag;
 
 	/* Check a high-bit flag */
 	flag = 1UL << ((sizeof(unsigned long) - 1) * 8);
 	fixup.value = fixup.mask = flag;
-	fixup.start_off = calc_offset(&fixup, &ftr_fixup_test4 + 1);
-	fixup.end_off = calc_offset(&fixup, &ftr_fixup_test4 + 5);
-	fixup.alt_start_off = calc_offset(&fixup, &ftr_fixup_test4_alt);
-	fixup.alt_end_off = calc_offset(&fixup, &ftr_fixup_test4_alt + 2);
+	fixup.start_off = calc_offset(&fixup, ftr_fixup_test4 + 1);
+	fixup.end_off = calc_offset(&fixup, ftr_fixup_test4 + 5);
+	fixup.alt_start_off = calc_offset(&fixup, ftr_fixup_test4_alt);
+	fixup.alt_end_off = calc_offset(&fixup, ftr_fixup_test4_alt + 2);
 
 	/* Sanity check */
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_orig, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_orig, size) == 0);
 
 	/* Check we don't patch if the value matches */
 	patch_feature_section(flag, &fixup);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_orig, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_orig, size) == 0);
 
 	/* Check we do patch if the value doesn't match */
 	patch_feature_section(0, &fixup);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_expected, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_expected, size) == 0);
 
 	/* Check we do patch if the mask doesn't match */
-	memcpy(&ftr_fixup_test4, &ftr_fixup_test4_orig, size);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_orig, size) == 0);
+	memcpy(ftr_fixup_test4, ftr_fixup_test4_orig, size);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_orig, size) == 0);
 	patch_feature_section(~flag, &fixup);
-	check(memcmp(&ftr_fixup_test4, &ftr_fixup_test4_expected, size) == 0);
+	check(memcmp(ftr_fixup_test4, ftr_fixup_test4_expected, size) == 0);
 }
 
 static void test_alternative_case_with_branch(void)
 {
-	extern unsigned int ftr_fixup_test5;
-	extern unsigned int end_ftr_fixup_test5;
-	extern unsigned int ftr_fixup_test5_expected;
-	int size = &end_ftr_fixup_test5 - &ftr_fixup_test5;
+	extern unsigned int ftr_fixup_test5[];
+	extern unsigned int end_ftr_fixup_test5[];
+	extern unsigned int ftr_fixup_test5_expected[];
+	int size = end_ftr_fixup_test5 - ftr_fixup_test5;
 
-	check(memcmp(&ftr_fixup_test5, &ftr_fixup_test5_expected, size) == 0);
+	check(memcmp(ftr_fixup_test5, ftr_fixup_test5_expected, size) == 0);
 }
 
 static void test_alternative_case_with_external_branch(void)
 {
-	extern unsigned int ftr_fixup_test6;
-	extern unsigned int end_ftr_fixup_test6;
-	extern unsigned int ftr_fixup_test6_expected;
-	int size = &end_ftr_fixup_test6 - &ftr_fixup_test6;
+	extern unsigned int ftr_fixup_test6[];
+	extern unsigned int end_ftr_fixup_test6[];
+	extern unsigned int ftr_fixup_test6_expected[];
+	int size = end_ftr_fixup_test6 - ftr_fixup_test6;
 
-	check(memcmp(&ftr_fixup_test6, &ftr_fixup_test6_expected, size) == 0);
+	check(memcmp(ftr_fixup_test6, ftr_fixup_test6_expected, size) == 0);
 }
 
 static void test_cpu_macros(void)
 {
-	extern u8 ftr_fixup_test_FTR_macros;
-	extern u8 ftr_fixup_test_FTR_macros_expected;
-	unsigned long size = &ftr_fixup_test_FTR_macros_expected -
-			     &ftr_fixup_test_FTR_macros;
+	extern u8 ftr_fixup_test_FTR_macros[];
+	extern u8 ftr_fixup_test_FTR_macros_expected[];
+	unsigned long size = ftr_fixup_test_FTR_macros_expected -
+			     ftr_fixup_test_FTR_macros;
 
 	/* The fixups have already been done for us during boot */
-	check(memcmp(&ftr_fixup_test_FTR_macros,
-		     &ftr_fixup_test_FTR_macros_expected, size) == 0);
+	check(memcmp(ftr_fixup_test_FTR_macros,
+		     ftr_fixup_test_FTR_macros_expected, size) == 0);
 }
 
 static void test_fw_macros(void)
 {
 #ifdef CONFIG_PPC64
-	extern u8 ftr_fixup_test_FW_FTR_macros;
-	extern u8 ftr_fixup_test_FW_FTR_macros_expected;
-	unsigned long size = &ftr_fixup_test_FW_FTR_macros_expected -
-			     &ftr_fixup_test_FW_FTR_macros;
+	extern u8 ftr_fixup_test_FW_FTR_macros[];
+	extern u8 ftr_fixup_test_FW_FTR_macros_expected[];
+	unsigned long size = ftr_fixup_test_FW_FTR_macros_expected -
+			     ftr_fixup_test_FW_FTR_macros;
 
 	/* The fixups have already been done for us during boot */
-	check(memcmp(&ftr_fixup_test_FW_FTR_macros,
-		     &ftr_fixup_test_FW_FTR_macros_expected, size) == 0);
+	check(memcmp(ftr_fixup_test_FW_FTR_macros,
+		     ftr_fixup_test_FW_FTR_macros_expected, size) == 0);
 #endif
 }
 
 static void test_lwsync_macros(void)
 {
-	extern u8 lwsync_fixup_test;
-	extern u8 end_lwsync_fixup_test;
-	extern u8 lwsync_fixup_test_expected_LWSYNC;
-	extern u8 lwsync_fixup_test_expected_SYNC;
-	unsigned long size = &end_lwsync_fixup_test -
-			     &lwsync_fixup_test;
+	extern u8 lwsync_fixup_test[];
+	extern u8 end_lwsync_fixup_test[];
+	extern u8 lwsync_fixup_test_expected_LWSYNC[];
+	extern u8 lwsync_fixup_test_expected_SYNC[];
+	unsigned long size = end_lwsync_fixup_test -
+			     lwsync_fixup_test;
 
 	/* The fixups have already been done for us during boot */
 	if (cur_cpu_spec->cpu_features & CPU_FTR_LWSYNC) {
-		check(memcmp(&lwsync_fixup_test,
-			     &lwsync_fixup_test_expected_LWSYNC, size) == 0);
+		check(memcmp(lwsync_fixup_test,
+			     lwsync_fixup_test_expected_LWSYNC, size) == 0);
 	} else {
-		check(memcmp(&lwsync_fixup_test,
-			     &lwsync_fixup_test_expected_SYNC, size) == 0);
+		check(memcmp(lwsync_fixup_test,
+			     lwsync_fixup_test_expected_SYNC, size) == 0);
 	}
 }
 
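Review bot: in the unsigned int tests (test1 through test6), size is still computed as end_ftr_fixup_testN - ftr_fixup_testN, which is a difference in unsigned int elements, and is then passed to memcmp() and memcpy() as a byte count, so only about a quarter of each region is compared or copied. The conversion to arrays leaves that behaviour exactly as it was, but every one of these lines is touched here, so this is the natural place to raise it. Multiplying by sizeof(unsigned int) would fix it, ideally as a separate upstream change rather than in this backport. The u8 tests are unaffected because their element size is one byte.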



* [PATCH 3.16 036/366] perf: fix invalid bit in diagnostic entry
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released Ben Hutchings
                   ` (255 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hendrik Brueckner, Thomas Richter, Martin Schwidefsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Richter <tmricht@linux.ibm.com>

commit 3c0a83b14ea71fef5ccc93a3bd2de5f892be3194 upstream.

The s390 CPU measurement facility sampling mode supports basic entries
and diagnostic entries. Each entry has a valid bit to indicate the
status of the entry as valid or invalid.

This bit is bit 31 in the diagnostic entry, but the bit mask definition
refers to bit 30.

Fix this by making the reserved field one bit larger.

Fixes: 7e75fc3ff4cf ("s390/cpum_sf: Add raw data sampling to support the diagnostic-sampling function")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/cpu_mf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/include/asm/cpu_mf.h
+++ b/arch/s390/include/asm/cpu_mf.h
@@ -118,7 +118,7 @@ struct hws_basic_entry {
 
 struct hws_diag_entry {
 	unsigned int def:16;	    /* 0-15  Data Entry Format		 */
-	unsigned int R:14;	    /* 16-19 and 20-30 reserved		 */
+	unsigned int R:15;	    /* 16-19 and 20-30 reserved		 */
 	unsigned int I:1;	    /* 31 entry valid or invalid	 */
 	u8	     data[];	    /* Machine-dependent sample data	 */
 } __packed;
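
Review bot: nothing in struct hws_diag_entry ties `I` to bit 31 except the sum of the widths before it (16 + 15), and sizeof is 4 with either `R:14` or `R:15`, so a size assertion would not have caught the original off-by-one. The comment on `R` still splits one contiguous field into "16-19 and 20-30"; writing it as "16-30" would let a reader check the width of 15 by eye.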



* [PATCH 3.16 052/366] driver core: Don't ignore class_dir_create_and_add() failure.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 096/366] mtd: cfi_cmdset_0002: Change write buffer to check correct value Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 183/366] time: Make sure jiffies_to_msecs() preserves non-zero time periods Ben Hutchings
                   ` (294 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tetsuo Handa, Greg Kroah-Hartman, syzbot

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 84d0c27d6233a9ba0578b20f5a09701eb66cee42 upstream.

syzbot is hitting WARN() at kernfs_add_one() [1].
This is because kernfs_create_link() is confused by previous device_add()
call which continued without setting dev->kobj.parent field when
get_device_parent() failed by memory allocation fault injection.
Fix this by propagating the error from class_dir_create_and_add() to
the callers of get_device_parent().

[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+df47f81c226b31d89fb1@syzkaller.appspotmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/core.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -709,7 +709,7 @@ class_dir_create_and_add(struct class *c
 
 	dir = kzalloc(sizeof(*dir), GFP_KERNEL);
 	if (!dir)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	dir->class = class;
 	kobject_init(&dir->kobj, &class_dir_ktype);
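
Review bot: the `return ERR_PTR(-ENOMEM)` in class_dir_create_and_add() changes the function's failure convention from NULL to an error pointer, and a caller that only tests for NULL will now treat the failure as a valid kobject. device_add() and device_move() gain IS_ERR() checks further down, but get_device_parent() sits between them and is not touched by this diff, so it is worth confirming that it passes the value through without dereferencing it and that no other caller exists in 3.16.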
@@ -719,7 +719,7 @@ class_dir_create_and_add(struct class *c
 	retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name);
 	if (retval < 0) {
 		kobject_put(&dir->kobj);
-		return NULL;
+		return ERR_PTR(retval);
 	}
 	return &dir->kobj;
 }
@@ -1000,6 +1000,10 @@ int device_add(struct device *dev)
 
 	parent = get_device(dev->parent);
 	kobj = get_device_parent(dev, parent);
+	if (IS_ERR(kobj)) {
+		error = PTR_ERR(kobj);
+		goto parent_error;
+	}
 	if (kobj)
 		dev->kobj.parent = kobj;
 
@@ -1097,6 +1101,7 @@ done:
 	kobject_del(&dev->kobj);
  Error:
 	cleanup_device_parent(dev);
+parent_error:
 	if (parent)
 		put_device(parent);
 name_error:
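
Review bot: `parent_error:` is placed below `cleanup_device_parent(dev)`, so the new failure path in device_add() only drops the parent reference. That is right when get_device_parent() failed before anything was created, but the ordering of these labels is easy to break later; a one-line comment at the label saying why cleanup is skipped would help.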
@@ -1867,6 +1872,11 @@ int device_move(struct device *dev, stru
 	device_pm_lock();
 	new_parent = get_device(new_parent);
 	new_parent_kobj = get_device_parent(dev, new_parent);
+	if (IS_ERR(new_parent_kobj)) {
+		error = PTR_ERR(new_parent_kobj);
+		put_device(new_parent);
+		goto out;
+	}
 
 	pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev),
 		 __func__, new_parent ? dev_name(new_parent) : "<NULL>");
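
Review bot: the new IS_ERR() branch in device_move() runs after `device_pm_lock()` has been taken and leaves via `goto out`; the `out` label is outside this hunk, so confirm that it calls device_pm_unlock() and does not drop `new_parent` a second time after the explicit `put_device(new_parent)` here.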



* [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 234/366] cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 107/366] x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
                   ` (135 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paweł Chmiel, Mark Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>

commit c1472737914fe5246a672fef6e85c9455de8473f upstream.

Since the max8998 MFD driver supports instantiation by DT, platform data
retrieval is handled in MFD probe and cell drivers should use
the pdata field of max8998_dev struct to obtain them.

Fixes: ee999fb3f17f ("mfd: max8998: Add support for Device Tree")
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/regulator/max8998.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/regulator/max8998.c
+++ b/drivers/regulator/max8998.c
@@ -309,8 +309,7 @@ static int max8998_set_voltage_buck_sel(
 					unsigned selector)
 {
 	struct max8998_data *max8998 = rdev_get_drvdata(rdev);
-	struct max8998_platform_data *pdata =
-		dev_get_platdata(max8998->iodev->dev);
+	struct max8998_platform_data *pdata = max8998->iodev->pdata;
 	struct i2c_client *i2c = max8998->iodev->i2c;
 	int buck = rdev_get_id(rdev);
 	int reg, shift = 0, mask, ret, j;
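
Review bot: `pdata` in max8998_set_voltage_buck_sel() is now taken straight from `max8998->iodev->pdata` and nothing in the visible context checks it for NULL before use. If the MFD probe can complete with `pdata` unset (for example a DT node that fails to parse), this function needs a guard or the probe needs to fail earlier.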



* [PATCH 3.16 037/366] s390/cpum_sf: Add data entry sizes to sampling trailer entry
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 178/366] Input: elantech - fix V4 report decoding for module with middle key Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 187/366] batman-adv: Fix debugfs path for renamed hardif Ben Hutchings
                   ` (360 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hendrik Brueckner, Thomas Richter, Martin Schwidefsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Richter <tmricht@linux.ibm.com>

commit 77715b7ddb446bd39a06f3376e85f4bb95b29bb8 upstream.

The CPU Measurement sampling facility creates a trailer entry for each
Sample-Data-Block of stored samples. The trailer entry contains the sizes
(in bytes) of the stored sampling types:
 - basic-sampling data entry size
 - diagnostic-sampling data entry size
Both sizes are 2 bytes long.

This patch changes the trailer entry definition to reflect this.

Fixes: fcc77f507333 ("s390/cpum_sf: Atomically reset trailer entry fields of sample-data-blocks")
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/cpu_mf.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/s390/include/asm/cpu_mf.h
+++ b/arch/s390/include/asm/cpu_mf.h
@@ -134,7 +134,9 @@ struct hws_trailer_entry {
 			unsigned int f:1;	/* 0 - Block Full Indicator   */
 			unsigned int a:1;	/* 1 - Alert request control  */
 			unsigned int t:1;	/* 2 - Timestamp format	      */
-			unsigned long long:61;	/* 3 - 63: Reserved	      */
+			unsigned int :29;	/* 3 - 31: Reserved	      */
+			unsigned int bsdes:16;	/* 32-47: size of basic SDE   */
+			unsigned int dsdes:16;	/* 48-63: size of diagnostic SDE */
 		};
 		unsigned long long flags;	/* 0 - 63: All indicators     */
 	};
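
Review bot: `unsigned long long flags` still overlays all 64 bits of the union, so after this change any store to `flags` also overwrites the new `bsdes` and `dsdes` fields. The comment "0 - 63: All indicators" no longer describes the word, and code that resets the trailer by writing `flags` should be checked to make sure it preserves bits 32-63 or is meant to clear them.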



* [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 308/366] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 20:17   ` Rafał Miłecki
  2018-11-11 19:49 ` [PATCH 3.16 280/366] can: dev: Consolidate and unify state change handling Ben Hutchings
                   ` (117 subsequent siblings)
  366 siblings, 1 reply; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paul Burton, Hauke Mehrtens, linux-mips,
	Rafał Miłecki, Chris Packham, James Hogan,
	Tokunori Ikegami

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream.

The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as
below.

  R10: PCIe Transactions Periodically Fail

    Description: The BCM5300X PCIe does not maintain transaction ordering.
                 This may cause PCIe transaction failure.
    Fix Comment: Add a dummy PCIe configuration read after a PCIe
                 configuration write to ensure PCIe configuration access
                 ordering. Set ES bit of CP0 configu7 register to enable
                 sync function so that the sync instruction is functional.
    Resolution:  hndpci.c: extpci_write_config()
                 hndmips.c: si_mips_init()
                 mipsinc.h CONF7_ES

This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX.
Also the dummy PCIe configuration read is already implemented in the
Linux BCMA driver.

Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y
too so that the sync instruction is externalised.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Paul Burton <paul.burton@mips.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Rafał Miłecki <zajec5@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/19461/
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/bcm47xx/setup.c        | 6 ++++++
 arch/mips/include/asm/mipsregs.h | 3 +++
 2 files changed, 9 insertions(+)

--- a/arch/mips/bcm47xx/setup.c
+++ b/arch/mips/bcm47xx/setup.c
@@ -253,6 +253,12 @@ static int __init bcm47xx_cpu_fixes(void
 		 */
 		if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
 			cpu_wait = NULL;
+
+		/*
+		 * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
+		 * Enable ExternalSync for sync instruction to take effect
+		 */
+		set_c0_config7(MIPS_CONF7_ES);
 		break;
 #endif
 	}
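
Review bot: `set_c0_config7(MIPS_CONF7_ES)` is added unconditionally in this case of bcm47xx_cpu_fixes(), while the chip-ID test just above it only governs `cpu_wait`. Config7 is an implementation-specific register, so the write should either be limited to the cores where bit 8 is ExternalSync or the comment should state that every chip reaching this case has such a core.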
--- a/arch/mips/include/asm/mipsregs.h
+++ b/arch/mips/include/asm/mipsregs.h
@@ -674,6 +674,8 @@
 #define MIPS_CONF7_WII		(_ULCAST_(1) << 31)
 
 #define MIPS_CONF7_RPS		(_ULCAST_(1) << 2)
+/* ExternalSync */
+#define MIPS_CONF7_ES		(_ULCAST_(1) << 8)
 
 #define MIPS_CONF7_IAR		(_ULCAST_(1) << 10)
 #define MIPS_CONF7_AR		(_ULCAST_(1) << 16)
@@ -1817,6 +1819,7 @@ __BUILD_SET_C0(status)
 __BUILD_SET_C0(cause)
 __BUILD_SET_C0(config)
 __BUILD_SET_C0(config5)
+__BUILD_SET_C0(config7)
 __BUILD_SET_C0(intcontrol)
 __BUILD_SET_C0(intctl)
 __BUILD_SET_C0(srsmap)
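
Review bot: `__BUILD_SET_C0(config7)` generates set/clear/change helpers in terms of read_c0_config7() and write_c0_config7(), and this diff does not add those accessors. For the 3.16 backport, confirm that both already exist in mipsregs.h, otherwise the new call in setup.c will not build.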



* [PATCH 3.16 091/366] Btrfs: reserve space for O_TMPFILE orphan item deletion
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 255/366] string: drop __must_check from strscpy() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 223/366] x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR Ben Hutchings
                   ` (227 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Sterba, Filipe Manana, Omar Sandoval

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit 399b0bbf5f680797d3599fa14f16706ffc470145 upstream.

btrfs_link() calls btrfs_orphan_del() if it's linking an O_TMPFILE but
it doesn't reserve space to do so. Even before the removal of the
orphan_block_rsv it wasn't using it.

Fixes: ef3b9af50bfa ("Btrfs: implement inode_operations callback tmpfile")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6142,8 +6142,9 @@ static int btrfs_link(struct dentry *old
 	 * 2 items for inode and inode ref
 	 * 2 items for dir items
 	 * 1 item for parent inode
+	 * 1 item for orphan item deletion if O_TMPFILE
 	 */
-	trans = btrfs_start_transaction(root, 5);
+	trans = btrfs_start_transaction(root, inode->i_nlink ? 5 : 6);
 	if (IS_ERR(trans)) {
 		err = PTR_ERR(trans);
 		goto fail;
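
Review bot: in `btrfs_start_transaction(root, inode->i_nlink ? 5 : 6)` the O_TMPFILE case is identified only by `i_nlink == 0`, while the added comment line talks about O_TMPFILE. Saying in the comment that a zero link count is what marks the tmpfile case, and checking that the later btrfs_orphan_del() call is guarded by the same condition, would keep the reservation and its use in step.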



* [PATCH 3.16 210/366] n_tty: Access echo_* variables carefully.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (327 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 319/366] unify dentry_iput() and dentry_unlink_inode() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Ben Hutchings
                   ` (37 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Hurley, Greg Kroah-Hartman, syzbot, Tetsuo Handa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit ebec3f8f5271139df618ebdf8427e24ba102ba94 upstream.

syzbot is reporting stalls at __process_echoes() [1]. This is because
since ldata->echo_commit < ldata->echo_tail becomes true for some reason,
the discard loop is serving as almost infinite loop. This patch tries to
avoid falling into ldata->echo_commit < ldata->echo_tail situation by
making access to echo_* variables more carefully.

Since reset_buffer_flags() is called without output_lock held, it should
not touch echo_* variables. And omit a call to reset_buffer_flags() from
n_tty_open() by using vzalloc().

Since add_echo_byte() is called without output_lock held, it needs memory
barrier between storing into echo_buf[] and incrementing echo_head counter.
echo_buf() needs corresponding memory barrier before reading echo_buf[].
Lack of handling the possibility of not-yet-stored multi-byte operation
might be the reason of falling into ldata->echo_commit < ldata->echo_tail
situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to
echo_buf(ldata, tail + 1), the WARN_ON() fires.

Also, explicitly masking with buffer for the former "while" loop, and
use ldata->echo_commit > tail for the latter "while" loop.

[1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf40

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+108696293d7a21ab688f@syzkaller.appspotmail.com>
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_tty.c | 42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -146,6 +146,7 @@ static inline unsigned char *read_buf_ad
 
 static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i)
 {
+	smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */
 	return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)];
 }
 
@@ -347,8 +348,6 @@ static inline void put_tty_queue(unsigne
 static void reset_buffer_flags(struct n_tty_data *ldata)
 {
 	ldata->read_head = ldata->canon_head = ldata->read_tail = 0;
-	ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0;
-	ldata->echo_mark = 0;
 	ldata->line_start = 0;
 
 	ldata->erasing = 0;
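
Review bot: with the two `echo_*` assignments removed from reset_buffer_flags(), the echo indices are only ever zeroed by the vzalloc() in n_tty_open(). Any other caller of reset_buffer_flags() that previously relied on pending echo data being discarded now leaves it queued; the function comment should say that echo state is deliberately left alone because output_lock is not held here.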
@@ -669,13 +668,20 @@ static size_t __process_echoes(struct tt
 	old_space = space = tty_write_room(tty);
 
 	tail = ldata->echo_tail;
-	while (ldata->echo_commit != tail) {
+	while (MASK(ldata->echo_commit) != MASK(tail)) {
 		c = echo_buf(ldata, tail);
 		if (c == ECHO_OP_START) {
 			unsigned char op;
 			int no_space_left = 0;
 
 			/*
+			 * Since add_echo_byte() is called without holding
+			 * output_lock, we might see only portion of multi-byte
+			 * operation.
+			 */
+			if (MASK(ldata->echo_commit) == MASK(tail + 1))
+				goto not_yet_stored;
+			/*
 			 * If the buffer byte is the start of a multi-byte
 			 * operation, get the next byte, which is either the
 			 * op code or a control character value.
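
Review bot: `MASK()` is used in the new loop condition and in the `goto not_yet_stored` test but is not defined anywhere in this diff, so the backport depends on an earlier patch in the series providing it; worth confirming the ordering in the queue. The early exit also jumps past the discard loop below, which means a partially stored operation at the tail postpones overrun protection until the next call.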
@@ -686,6 +692,8 @@ static size_t __process_echoes(struct tt
 				unsigned int num_chars, num_bs;
 
 			case ECHO_OP_ERASE_TAB:
+				if (MASK(ldata->echo_commit) == MASK(tail + 2))
+					goto not_yet_stored;
 				num_chars = echo_buf(ldata, tail + 2);
 
 				/*
@@ -780,7 +788,8 @@ static size_t __process_echoes(struct tt
 	/* If the echo buffer is nearly full (so that the possibility exists
 	 * of echo overrun before the next commit), then discard enough
 	 * data at the tail to prevent a subsequent overrun */
-	while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
+	while (ldata->echo_commit > tail &&
+	       ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
 		if (echo_buf(ldata, tail) == ECHO_OP_START) {
 			if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB)
 				tail += 3;
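
Review bot: the added `ldata->echo_commit > tail` guard compares two free-running counters (they are masked only inside echo_buf()), so it gives the wrong answer once `echo_commit` wraps past zero while `tail` has not. On 32-bit builds that is reachable on a long-lived tty. A signed comparison of the difference, or a bound such as `echo_commit - tail <= N_TTY_BUF_SIZE`, expresses "commit is ahead of tail" without depending on absolute values.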
@@ -790,6 +799,7 @@ static size_t __process_echoes(struct tt
 			tail++;
 	}
 
+ not_yet_stored:
 	ldata->echo_tail = tail;
 	return old_space - space;
 }
@@ -800,6 +810,7 @@ static void commit_echoes(struct tty_str
 	size_t nr, old, echoed;
 	size_t head;
 
+	mutex_lock(&ldata->output_lock);
 	head = ldata->echo_head;
 	ldata->echo_mark = head;
 	old = ldata->echo_commit - ldata->echo_tail;
@@ -808,10 +819,12 @@ static void commit_echoes(struct tty_str
 	 * is over the threshold (and try again each time another
 	 * block is accumulated) */
 	nr = head - ldata->echo_tail;
-	if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK))
+	if (nr < ECHO_COMMIT_WATERMARK ||
+	    (nr % ECHO_BLOCK > old % ECHO_BLOCK)) {
+		mutex_unlock(&ldata->output_lock);
 		return;
+	}
 
-	mutex_lock(&ldata->output_lock);
 	ldata->echo_commit = head;
 	echoed = __process_echoes(tty);
 	mutex_unlock(&ldata->output_lock);
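
Review bot: commit_echoes() now takes output_lock before reading `echo_head` and has to unlock on the early-return path as well as at the end. A single exit via a `goto unlock` label would be less fragile than the duplicated `mutex_unlock()` inside the watermark test.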
@@ -862,7 +875,9 @@ static void flush_echoes(struct tty_stru
 
 static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata)
 {
-	*echo_buf_addr(ldata, ldata->echo_head++) = c;
+	*echo_buf_addr(ldata, ldata->echo_head) = c;
+	smp_wmb(); /* Matches smp_rmb() in echo_buf(). */
+	ldata->echo_head++;
 }
 
 /**
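
Review bot: the `smp_wmb()` in add_echo_byte() orders the buffer store before `ldata->echo_head++`, but the increment itself is still a plain read-modify-write, so the scheme is only sound with a single producer. The comment should state that assumption, and the matching `smp_rmb()` comment in echo_buf() should name the index load it orders against, since the reader compares with `echo_commit` rather than `echo_head`.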
@@ -1928,31 +1943,22 @@ static int n_tty_open(struct tty_struct
 	struct n_tty_data *ldata;
 
 	/* Currently a malloc failure here can panic */
-	ldata = vmalloc(sizeof(*ldata));
+	ldata = vzalloc(sizeof(*ldata));
 	if (!ldata)
-		goto err;
+		return -ENOMEM;
 
 	ldata->overrun_time = jiffies;
 	mutex_init(&ldata->atomic_read_lock);
 	mutex_init(&ldata->output_lock);
 
 	tty->disc_data = ldata;
-	reset_buffer_flags(tty->disc_data);
-	ldata->column = 0;
-	ldata->canon_column = 0;
 	ldata->minimum_to_wake = 1;
-	ldata->num_overrun = 0;
-	ldata->no_room = 0;
-	ldata->lnext = 0;
 	tty->closing = 0;
 	/* indicate buffer work may resume */
 	clear_bit(TTY_LDISC_HALTED, &tty->flags);
 	n_tty_set_termios(tty, NULL);
 	tty_unthrottle(tty);
-
 	return 0;
-err:
-	return -ENOMEM;
 }
 
 static inline int input_available_p(struct tty_struct *tty, int poll)
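
Review bot: the comment "Currently a malloc failure here can panic" in n_tty_open() now sits directly above a path that returns -ENOMEM, so it should be updated or dropped in the same change. Removing the explicit zeroing is fine with vzalloc(), but the deleted blank line before `return 0` is unrelated churn in a stable backport.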



* [PATCH 3.16 161/366] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 303/366] virtio_balloon: fix another race between migration and ballooning Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Ben Hutchings
                   ` (187 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Brezillon, Joakim Tjernlund

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit f93aa8c4de307069c270b2d81741961162bead6c upstream.

do_ppb_xxlock() fails to add chip->start when querying for lock status
(and chip_ready test), which caused false status reports.
Fix that by adding adr += chip->start and adjust call sites
accordingly.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2224,8 +2224,9 @@ static int __maybe_unused do_ppb_xxlock(
 	unsigned long timeo;
 	int ret;
 
+	adr += chip->start;
 	mutex_lock(&chip->mutex);
-	ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
+	ret = get_chip(map, chip, adr, FL_LOCKING);
 	if (ret) {
 		mutex_unlock(&chip->mutex);
 		return ret;
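
Review bot: `adr += chip->start` at the top of do_ppb_xxlock() silently changes the meaning of the parameter from a chip-relative offset to an absolute address for the rest of the function. Every later use of `adr`, including the ones between the hunks shown here, has to be checked for a second `chip->start` addition; a separate local for the absolute address would make the two values impossible to mix up.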
@@ -2243,8 +2244,8 @@ static int __maybe_unused do_ppb_xxlock(
 
 	if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
 		chip->state = FL_LOCKING;
-		map_write(map, CMD(0xA0), chip->start + adr);
-		map_write(map, CMD(0x00), chip->start + adr);
+		map_write(map, CMD(0xA0), adr);
+		map_write(map, CMD(0x00), adr);
 	} else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
 		/*
 		 * Unlocking of one specific sector is not supported, so we
@@ -2282,7 +2283,7 @@ static int __maybe_unused do_ppb_xxlock(
 	map_write(map, CMD(0x00), chip->start);
 
 	chip->state = FL_READY;
-	put_chip(map, chip, adr + chip->start);
+	put_chip(map, chip, adr);
 	mutex_unlock(&chip->mutex);
 
 	return ret;



* [PATCH 3.16 238/366] usb: quirks: add delay quirks for Corsair Strafe
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (269 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 226/366] mm: hugetlb: yield when prepping struct pages Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 277/366] atl1c: reserve min skb headroom Ben Hutchings
                   ` (95 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Nico Sneck

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nico Sneck <snecknico@gmail.com>

commit bba57eddadda936c94b5dccf73787cb9e159d0a5 upstream.

Corsair Strafe appears to suffer from the same issues
as the Corsair Strafe RGB.
Apply the same quirks (control message delay and init delay)
that the RGB version has to 1b1c:1b15.

With these quirks in place the keyboard works correctly upon
booting the system, and no longer requires reattaching the device.

Signed-off-by: Nico Sneck <snecknico@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -228,6 +228,10 @@ static const struct usb_device_id usb_qu
 	/* Corsair K70 RGB */
 	{ USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
 
+	/* Corsair Strafe */
+	{ USB_DEVICE(0x1b1c, 0x1b15), .driver_info = USB_QUIRK_DELAY_INIT |
+	  USB_QUIRK_DELAY_CTRL_MSG },
+
 	/* Corsair Strafe RGB */
 	{ USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
 	  USB_QUIRK_DELAY_CTRL_MSG },



* [PATCH 3.16 204/366] net/mlx5: Fix incorrect raw command length parsing
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (303 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 320/366] make sure that __dentry_kill() always invalidates d_seq, unhashed or not Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting Ben Hutchings
                   ` (61 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Saeed Mahameed, Alex Vesker

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Vesker <valex@mellanox.com>

commit 603b7bcff824740500ddfa001d7a7168b0b38542 upstream.

The NULL character was not set correctly for the string containing
the command length, this caused failures reading the output of the
command due to a random length. The fix is to initialize the output
length string.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Alex Vesker <valex@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -1028,7 +1028,7 @@ static ssize_t outlen_write(struct file
 {
 	struct mlx5_core_dev *dev = filp->private_data;
 	struct mlx5_cmd_debug *dbg = &dev->cmd.dbg;
-	char outlen_str[8];
+	char outlen_str[8] = {0};
 	int outlen;
 	void *ptr;
 	int err;
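
Review bot: `char outlen_str[8] = {0}` guarantees a terminator only if the copy that follows writes fewer than 8 bytes; once the explicit `outlen_str[7] = 0` is removed in the next hunk, a full-length write leaves the string unterminated. The bound on `count` is outside the visible context, so confirm it rejects any `count >= sizeof(outlen_str)`.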
@@ -1043,8 +1043,6 @@ static ssize_t outlen_write(struct file
 	if (copy_from_user(outlen_str, buf, count))
 		return -EFAULT;
 
-	outlen_str[7] = 0;
-
 	err = sscanf(outlen_str, "%d", &outlen);
 	if (err < 0)
 		return err;
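
Review bot: the `if (err < 0)` test after `sscanf(outlen_str, "%d", &outlen)` does not catch a failed parse, because sscanf() reports the number of successful conversions and returns 0 for non-numeric input. In that case `outlen`, declared without an initialiser in the previous hunk, is used with an indeterminate value. Checking `err != 1` and returning -EINVAL, or switching to kstrtoint(), closes that path.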


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 114/366] branch-check: fix long->int truncation when profiling branches
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 225/366] tracing: Fix missing return symbol in function_graph output Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 110/366] IB/isert: fix T10-pi check mask setting Ben Hutchings
                   ` (216 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, Steven Rostedt (VMware), Mikulas Patocka

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.

The function __builtin_expect returns long type (see the gcc
documentation), and so do macros likely and unlikely. Unfortunately, when
CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
unlikely expand to __branch_check__ and __branch_check__ truncates the
long type to int. This unintended truncation may cause bugs in various
kernel code (we found a bug in dm-writecache because of it), so it's
better to fix __branch_check__ to return long.

Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com

Cc: Ingo Molnar <mingo@redhat.com>
Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/compiler.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -105,7 +105,7 @@ void ftrace_likely_update(struct ftrace_
 #define unlikely_notrace(x)	__builtin_expect(!!(x), 0)
 
 #define __branch_check__(x, expect) ({					\
-			int ______r;					\
+			long ______r;					\
 			static struct ftrace_branch_data		\
 				__attribute__((__aligned__(4)))		\
 				__attribute__((section("_ftrace_annotated_branch"))) \
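
Review bot: widening `______r` to long fixes the macro's result type, but the statements that assign it and hand it on to ftrace_likely_update() are outside this hunk. Check the type of the parameter that receives `______r` there, so the value is not narrowed again on the way into the profiling call.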



* [PATCH 3.16 198/366] RDMA/uverbs: Protect from attempts to create flows on unsupported QP
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 291/366] cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Ben Hutchings
                   ` (221 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Noa Osherovich, syzkaller, Jason Gunthorpe

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 940efcc8889f0d15567eb07fc9fd69b06e366aa5 upstream.

Flows can be created on UD and RAW_PACKET QP types. Attempts to provide
other QP types as an input cause various unpredictable failures.

The reason is that in order to support all various types (e.g. XRC), we
are supposed to use real_qp handle and not qp handle and expect the
driver/FW to fail such (XRC) flows. The simpler and safer variant is to
ban all QP types except UD and RAW_PACKET, instead of relying on
driver/FW.

Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs")
Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2740,6 +2740,11 @@ int ib_uverbs_ex_create_flow(struct ib_u
 		goto err_uobj;
 	}
 
+	if (qp->qp_type != IB_QPT_UD && qp->qp_type != IB_QPT_RAW_PACKET) {
+		err = -EINVAL;
+		goto err_put;
+	}
+
 	flow_attr = kmalloc(sizeof(*flow_attr) + cmd.flow_attr.size, GFP_KERNEL);
 	if (!flow_attr) {
 		err = -ENOMEM;
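
Review bot: The new qp->qp_type test ahead of the kmalloc() has no comment saying why only IB_QPT_UD and IB_QPT_RAW_PACKET are accepted; a one-line comment naming the real_qp/XRC concern from the commit message would keep a later change from widening the list without revisiting it. The test also exits through err_put while the failure path just above it uses err_uobj, and neither label is visible in this hunk, so with the context adjusted for the backport it is worth confirming that err_put in 3.16 releases the QP reference before the uobject cleanup runs.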



* [PATCH 3.16 218/366] sched/fair: Fix bandwidth timer clock drift condition
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 067/366] scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 245/366] ARC: mm: allow mprotect to make stack mappings executable Ben Hutchings
                   ` (344 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Xunlei Pang, Peter Zijlstra (Intel),
	Ben Segall, Ingo Molnar, Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xunlei Pang <xlpang@linux.alibaba.com>

commit 512ac999d2755d2b7109e996a76b6fb8b888631d upstream.

I noticed that cgroup task groups constantly get throttled even
if they have low CPU usage, this causes some jitters on the response
time to some of our business containers when enabling CPU quotas.

It's very simple to reproduce:

  mkdir /sys/fs/cgroup/cpu/test
  cd /sys/fs/cgroup/cpu/test
  echo 100000 > cpu.cfs_quota_us
  echo $$ > tasks

then repeat:

  cat cpu.stat | grep nr_throttled  # nr_throttled will increase steadily

After some analysis, we found that cfs_rq::runtime_remaining will
be cleared by expire_cfs_rq_runtime() due to two equal but stale
"cfs_{b|q}->runtime_expires" after period timer is re-armed.

The current condition to judge clock drift in expire_cfs_rq_runtime()
is wrong, the two runtime_expires are actually the same when clock
drift happens, so this condition can never hit. The original design was
correctly done by this commit:

  a9cf55b28610 ("sched: Expire invalid runtime")

... but was changed to be the current implementation due to its locking bug.

This patch introduces another way, it adds a new field in both structures
cfs_rq and cfs_bandwidth to record the expiration update sequence, and
uses them to figure out if clock drift happens (true if they are equal).

Signed-off-by: Xunlei Pang <xlpang@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ben Segall <bsegall@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 51f2176d74ac ("sched/fair: Fix unlocked reads of some cfs_b->quota/period")
Link: http://lkml.kernel.org/r/20180620101834.24455-1-xlpang@linux.alibaba.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
 - Drop changes to other member types in struct cfs_bandwidth
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/fair.c  | 14 ++++++++------
 kernel/sched/sched.h |  6 ++++--
 2 files changed, 12 insertions(+), 8 deletions(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3143,6 +3143,7 @@ void __refill_cfs_bandwidth_runtime(stru
 	now = sched_clock_cpu(smp_processor_id());
 	cfs_b->runtime = cfs_b->quota;
 	cfs_b->runtime_expires = now + ktime_to_ns(cfs_b->period);
+	cfs_b->expires_seq++;
 }
 
 static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg)
@@ -3165,6 +3166,7 @@ static int assign_cfs_rq_runtime(struct
 	struct task_group *tg = cfs_rq->tg;
 	struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg);
 	u64 amount = 0, min_amount, expires;
+	int expires_seq;
 
 	/* note: this is a positive sum as runtime_remaining <= 0 */
 	min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining;
@@ -3190,6 +3192,7 @@ static int assign_cfs_rq_runtime(struct
 			cfs_b->idle = 0;
 		}
 	}
+	expires_seq = cfs_b->expires_seq;
 	expires = cfs_b->runtime_expires;
 	raw_spin_unlock(&cfs_b->lock);
 
@@ -3199,8 +3202,10 @@ static int assign_cfs_rq_runtime(struct
 	 * spread between our sched_clock and the one on which runtime was
 	 * issued.
 	 */
-	if ((s64)(expires - cfs_rq->runtime_expires) > 0)
+	if (cfs_rq->expires_seq != expires_seq) {
+		cfs_rq->expires_seq = expires_seq;
 		cfs_rq->runtime_expires = expires;
+	}
 
 	return cfs_rq->runtime_remaining > 0;
 }
@@ -3226,12 +3231,9 @@ static void expire_cfs_rq_runtime(struct
 	 * has not truly expired.
 	 *
 	 * Fortunately we can check determine whether this the case by checking
-	 * whether the global deadline has advanced. It is valid to compare
-	 * cfs_b->runtime_expires without any locks since we only care about
-	 * exact equality, so a partial write will still work.
+	 * whether the global deadline(cfs_b->expires_seq) has advanced.
 	 */
-
-	if (cfs_rq->runtime_expires != cfs_b->runtime_expires) {
+	if (cfs_rq->expires_seq == cfs_b->expires_seq) {
 		/* extend local deadline, drift is bounded above by 2 ticks */
 		cfs_rq->runtime_expires += TICK_NSEC;
 	} else {
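
Review bot: The rewritten comment in expire_cfs_rq_runtime() drops the sentence that justified comparing against the cfs_b field "without any locks", yet the new test still reads cfs_b->expires_seq the same way. Keep a line stating that the unlocked read is acceptable because only equality with the cached cfs_rq->expires_seq matters, and add the missing space in "deadline(cfs_b->expires_seq)".
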
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -186,6 +186,7 @@ struct cfs_bandwidth {
 	u64 quota, runtime;
 	s64 hierarchal_quota;
 	u64 runtime_expires;
+	int expires_seq;
 
 	int idle, timer_active;
 	struct hrtimer period_timer, slack_timer;
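
Review bot: expires_seq is added to struct cfs_bandwidth as a plain int, but the fair.c hunks only ever increment it and compare it for equality, so it is a wrapping counter and unsigned int would say so. The same applies to the copy in struct cfs_rq and to the local in assign_cfs_rq_runtime(); a short comment on the field noting that it counts updates of runtime_expires would help too.
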
@@ -375,6 +376,7 @@ struct cfs_rq {
 
 #ifdef CONFIG_CFS_BANDWIDTH
 	int runtime_enabled;
+	int expires_seq;
 	u64 runtime_expires;
 	s64 runtime_remaining;
 



* [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 054/366] staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 065/366] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Ben Hutchings
                   ` (180 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Thierry Reding, Andy Shevchenko

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 1d375b58c12f08d8570b30b865def4734517f04f upstream.

On some devices the contents of the ctrl register get lost over a
suspend/resume and the PWM comes back up disabled after the resume.

This is seen on some Bay Trail devices with the PWM in ACPI enumerated
mode, so it shows up as a platform device instead of a PCI device.

If we still think it is enabled and then try to change the duty-cycle
after this, we end up with a "PWM_SW_UPDATE was not cleared" error and
the PWM is stuck in that state from then on.

This commit adds suspend and resume pm callbacks to the pwm-lpss-platform
code, which save/restore the ctrl register over a suspend/resume, fixing
this.

Note that:

1) There is no need to do this over a runtime suspend, since we
only runtime suspend when disabled and then we properly set the enable
bit and reprogram the timings when we re-enable the PWM.

2) This may be happening on more systems than we realize, but has been
covered up so far by a bug in the acpi-lpss.c code which was save/restoring
the regular device registers instead of the lpss private registers due to
lpss_device_desc.prv_offset not being set. This is fixed by a later patch
in this series.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
[bwh: Backported to 3.16:
 - pwm-lpss is a single module, so make the new functions static
 - Only one PWM per chip is supported; remove the npwm assertion and loops
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/pwm/pwm-lpss.c
+++ b/drivers/pwm/pwm-lpss.c
@@ -39,6 +39,7 @@ struct pwm_lpss_chip {
 	void __iomem *regs;
 	struct clk *clk;
 	unsigned long clk_rate;
+	u32 saved_ctrl;
 };
 
 struct pwm_lpss_boardinfo {
@@ -177,6 +178,24 @@ static int pwm_lpss_remove(struct pwm_lp
 	return pwmchip_remove(&lpwm->chip);
 }
 
+static int pwm_lpss_suspend(struct device *dev)
+{
+	struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
+
+	lpwm->saved_ctrl = readl(lpwm->regs + PWM);
+
+	return 0;
+}
+
+static int pwm_lpss_resume(struct device *dev)
+{
+	struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
+
+	writel(lpwm->saved_ctrl, lpwm->regs + PWM);
+
+	return 0;
+}
+
 static int pwm_lpss_probe_pci(struct pci_dev *pdev,
 			      const struct pci_device_id *id)
 {
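
Review bot: pwm_lpss_suspend() and pwm_lpss_resume() are defined unconditionally, but SIMPLE_DEV_PM_OPS only references its callbacks when CONFIG_PM_SLEEP is enabled, so a build without it leaves both static functions unused and warns. Wrap the two functions in #ifdef CONFIG_PM_SLEEP or mark them __maybe_unused.
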
@@ -241,6 +260,10 @@ static int pwm_lpss_remove_platform(stru
 	return pwm_lpss_remove(lpwm);
 }
 
+static SIMPLE_DEV_PM_OPS(pwm_lpss_platform_pm_ops,
+			 pwm_lpss_suspend,
+			 pwm_lpss_resume);
+
 static const struct acpi_device_id pwm_lpss_acpi_match[] = {
 	{ "80860F09", 0 },
 	{ },
@@ -251,6 +274,7 @@ static struct platform_driver pwm_lpss_d
 	.driver = {
 		.name = "pwm-lpss",
 		.acpi_match_table = pwm_lpss_acpi_match,
+		.pm = &pwm_lpss_platform_pm_ops,
 	},
 	.probe = pwm_lpss_probe_platform,
 	.remove = pwm_lpss_remove_platform,



* [PATCH 3.16 109/366] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 342/366] clk: si5351: Constify clock names and struct regmap_config Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 260/366] drm: re-enable error handling Ben Hutchings
                   ` (336 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Srinivas Kandagatla

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit ff2faf1289c1f81b5b26b9451dd1c2006aac8db8 upstream.

dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
paths pointer dangling in the list.

This leads to system crash when we try to unload and reload sound card.
I hit this bug during ADSP crash/reboot test case on Dragon board DB410c.

Without this patch, on SLAB Poisoning enabled build, kernel crashes with
"BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten"

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/soc-dapm.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -254,6 +254,8 @@ static int dapm_kcontrol_data_alloc(stru
 static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
 {
 	struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
+
+	list_del(&data->paths);
 	kfree(data->wlist);
 	kfree(data);
 }
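
Review bot: list_del(&data->paths) is added without a comment, and if data->paths is the list head, as the commit message's wording suggests, the call only unlinks the head: entries still queued on it stay linked to each other, and nothing in this hunk shows who releases them. A comment above the call stating that the path entries are owned and freed elsewhere would make the intent checkable.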



* [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 036/366] perf: fix invalid bit in diagnostic entry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 050/366] 1wire: family module autoload fails because of upper/lower case mismatch Ben Hutchings
                   ` (254 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joe Habermann, Lukas Czerner, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lczerner@redhat.com>

commit eee597ac931305eff3d3fd1d61d6aae553bc0984 upstream.

Currently in ext4_punch_hole we're going to skip the mtime update if
there are no actual blocks to release. However we've actually modified
the file by zeroing the partial block so the mtime should be updated.

Moreover the sync and datasync handling is skipped as well, which is
also wrong. Fix it.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Joe Habermann <joe.habermann@quantum.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3749,28 +3749,28 @@ int ext4_punch_hole(struct inode *inode,
 		EXT4_BLOCK_SIZE_BITS(sb);
 	stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
 
-	/* If there are no blocks to remove, return now */
-	if (first_block >= stop_block)
-		goto out_stop;
-
-	down_write(&EXT4_I(inode)->i_data_sem);
-	ext4_discard_preallocations(inode);
-
-	ret = ext4_es_remove_extent(inode, first_block,
-				    stop_block - first_block);
-	if (ret) {
-		up_write(&EXT4_I(inode)->i_data_sem);
-		goto out_stop;
-	}
+	/* If there are blocks to remove, do it */
+	if (stop_block > first_block) {
+
+		down_write(&EXT4_I(inode)->i_data_sem);
+		ext4_discard_preallocations(inode);
 
-	if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
-		ret = ext4_ext_remove_space(inode, first_block,
-					    stop_block - 1);
-	else
-		ret = ext4_ind_remove_space(handle, inode, first_block,
-					    stop_block);
+		ret = ext4_es_remove_extent(inode, first_block,
+					    stop_block - first_block);
+		if (ret) {
+			up_write(&EXT4_I(inode)->i_data_sem);
+			goto out_stop;
+		}
+
+		if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+			ret = ext4_ext_remove_space(inode, first_block,
+						    stop_block - 1);
+		else
+			ret = ext4_ind_remove_space(handle, inode, first_block,
+						    stop_block);
 
-	up_write(&EXT4_I(inode)->i_data_sem);
+		up_write(&EXT4_I(inode)->i_data_sem);
+	}
 	if (IS_SYNC(inode))
 		ext4_handle_sync(handle);
 
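Review bot: Inside the new if (stop_block > first_block) block, the result of ext4_ext_remove_space()/ext4_ind_remove_space() is still not checked before control falls through to the IS_SYNC handling, which after this change is also reached when no blocks were removed. A short comment saying whether a failure there should skip the sync handling would make the fall-through intentional. The blank line right after the opening brace should go as well.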



* [PATCH 3.16 186/366] batman-adv: debugfs, avoid compiling for !DEBUG_FS
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (168 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 261/366] MIPS: Fix off-by-one in pci_resource_to_user() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 244/366] ext4: fix inline data updates with checksums enabled Ben Hutchings
                   ` (196 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Markus Pargmann, Marek Lindner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Markus Pargmann <mpa@pengutronix.de>

commit 9bb218828c8f4fa6587af93e248903c96ce469d0 upstream.

Normally the debugfs framework will return error pointer with -ENODEV
for function calls when DEBUG_FS is not set.

batman does not notice this error code and continues trying to create
debugfs files and executes more code. We can avoid this code execution
by disabling compiling debugfs.c when DEBUG_FS is not set.

Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/Makefile  |  2 +-
 net/batman-adv/debugfs.c |  8 --------
 net/batman-adv/debugfs.h | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 9 deletions(-)

--- a/net/batman-adv/Makefile
+++ b/net/batman-adv/Makefile
@@ -20,7 +20,7 @@ obj-$(CONFIG_BATMAN_ADV) += batman-adv.o
 batman-adv-y += bat_iv_ogm.o
 batman-adv-y += bitarray.o
 batman-adv-$(CONFIG_BATMAN_ADV_BLA) += bridge_loop_avoidance.o
-batman-adv-y += debugfs.o
+batman-adv-$(CONFIG_DEBUG_FS) += debugfs.o
 batman-adv-$(CONFIG_BATMAN_ADV_DAT) += distributed-arp-table.o
 batman-adv-y += fragmentation.o
 batman-adv-y += gateway_client.o
--- a/net/batman-adv/debugfs.c
+++ b/net/batman-adv/debugfs.c
@@ -482,11 +482,7 @@ rem_attr:
 	debugfs_remove_recursive(hard_iface->debug_dir);
 	hard_iface->debug_dir = NULL;
 out:
-#ifdef CONFIG_DEBUG_FS
 	return -ENOMEM;
-#else
-	return 0;
-#endif /* CONFIG_DEBUG_FS */
 }
 
 /**
@@ -541,11 +537,7 @@ rem_attr:
 	debugfs_remove_recursive(bat_priv->debug_dir);
 	bat_priv->debug_dir = NULL;
 out:
-#ifdef CONFIG_DEBUG_FS
 	return -ENOMEM;
-#else
-	return 0;
-#endif /* CONFIG_DEBUG_FS */
 }
 
 void batadv_debugfs_del_meshif(struct net_device *dev)
--- a/net/batman-adv/debugfs.h
+++ b/net/batman-adv/debugfs.h
@@ -20,6 +20,8 @@
 
 #define BATADV_DEBUGFS_SUBDIR "batman_adv"
 
+#if IS_ENABLED(CONFIG_DEBUG_FS)
+
 void batadv_debugfs_init(void);
 void batadv_debugfs_destroy(void);
 int batadv_debugfs_add_meshif(struct net_device *dev);
@@ -27,4 +29,36 @@ void batadv_debugfs_del_meshif(struct ne
 int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
 void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface);
 
+#else
+
+static inline void batadv_debugfs_init(void)
+{
+}
+
+static inline void batadv_debugfs_destroy(void)
+{
+}
+
+static inline int batadv_debugfs_add_meshif(struct net_device *dev)
+{
+	return 0;
+}
+
+static inline void batadv_debugfs_del_meshif(struct net_device *dev)
+{
+}
+
+static inline
+int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface)
+{
+	return 0;
+}
+
+static inline
+void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface)
+{
+}
+
+#endif
+
 #endif /* _NET_BATMAN_ADV_DEBUGFS_H_ */
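
Review bot: The #endif that closes the new IS_ENABLED(CONFIG_DEBUG_FS) block is bare, while the include guard two lines below it is annotated; with a 30-line #else branch in between, writing it as #endif /* IS_ENABLED(CONFIG_DEBUG_FS) */ would keep the two apart. The add_meshif and add_hardif stubs returning 0 match the "#else return 0" branches removed from debugfs.c, so callers see the same result as before when DEBUG_FS is off.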



* [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (306 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 042/366] powerpc/lib: Fix the feature fixup tests to actually work Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 131/366] backlight: max8925_bl: Fix Device Tree node lookup Ben Hutchings
                   ` (58 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Morris, Maciej S. Szmigiero

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>

commit b65c32ec5a942ab3ada93a048089a938918aba7f upstream.

The signatureValue field of an X.509 certificate is encoded as a BIT STRING.
For RSA signatures this BIT STRING is of so-called primitive subtype, which
contains a u8 prefix indicating a count of unused bits in the encoding.

We have to strip this prefix from signature data, just as we already do for
key data in x509_extract_key_data() function.

This wasn't noticed earlier because this prefix byte is zero for RSA key
sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero
prefixes has no bearing on its value.

The signature length, however, was incorrect, which is a problem for RSA
implementations that need it to be exactly correct (like AMD CCP).

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 certificates")
Signed-off-by: James Morris <james.morris@microsoft.com>
[bwh: Backported to 3.16:
 - x509_certificate::sig is a structure, not a pointer
 - public_key_signature::pkey_algo is an enumeration type, not a string]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -205,6 +205,15 @@ int x509_note_signature(void *context, s
 		return -EINVAL;
 	}
 
+	if (ctx->cert->sig.pkey_algo == PKEY_ALGO_RSA) {
+		/* Discard the BIT STRING metadata */
+		if (vlen < 1 || *(const u8 *)value != 0)
+			return -EBADMSG;
+
+		value++;
+		vlen--;
+	}
+
 	ctx->cert->raw_sig = value;
 	ctx->cert->raw_sig_size = vlen;
 	return 0;
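
Review bot: The vlen < 1 test in the new PKEY_ALGO_RSA branch lets vlen == 1 through, so after value++ and vlen-- the certificate is recorded with raw_sig_size 0 and a raw_sig that points one past the field. Either reject vlen < 2 here or confirm that the verification path refuses an empty signature. The comment could also say that a non-zero unused-bits count is rejected, not merely discarded.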
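
The BIT STRING layout described in the commit message above, as an added stand-alone example that is not part of the patch or of the kernel source: it goes one step further than the kernel callback, which only receives the content octets, and parses the whole DER element (tag, length, unused-bits octet) before returning the raw signature. All function names, status codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes; names are hypothetical, chosen for this example. */
enum { BS_OK = 0, BS_TRUNCATED = -1, BS_BAD_TAG = -2, BS_BAD_LENGTH = -3,
       BS_BAD_UNUSED_BITS = -4, BS_EMPTY = -5 };

struct sig_view {
	const uint8_t *data;	/* first octet of the signature */
	size_t len;		/* exact number of signature octets */
};

/* Parse a DER tag+length header; report header and content sizes. */
static int der_header(const uint8_t *p, size_t n, uint8_t tag,
		      size_t *hlen, size_t *clen)
{
	size_t nbytes, i, len = 0;

	if (n < 2)
		return BS_TRUNCATED;
	if (p[0] != tag)
		return BS_BAD_TAG;
	if (p[1] < 0x80) {			/* short form */
		*hlen = 2;
		*clen = p[1];
	} else {				/* long form */
		nbytes = p[1] & 0x7f;
		if (nbytes == 0 || nbytes > sizeof(size_t))
			return BS_BAD_LENGTH;	/* indefinite or oversized */
		if (n - 2 < nbytes)
			return BS_TRUNCATED;
		for (i = 0; i < nbytes; i++)
			len = (len << 8) | p[2 + i];
		if (p[2] == 0 || len < 0x80)
			return BS_BAD_LENGTH;	/* DER wants the minimal form */
		*hlen = 2 + nbytes;
		*clen = len;
	}
	if (*clen > n - *hlen)
		return BS_TRUNCATED;		/* content runs past the input */
	return BS_OK;
}

/* Unwrap signatureValue: BIT STRING (tag 0x03) -> raw RSA signature. */
int rsa_sig_from_bit_string(const uint8_t *der, size_t n, struct sig_view *out)
{
	size_t hlen, clen;
	int st = der_header(der, n, 0x03, &hlen, &clen);

	if (st != BS_OK)
		return st;
	if (clen < 1)
		return BS_BAD_LENGTH;		/* unused-bits octet is mandatory */
	if (der[hlen] != 0)
		return BS_BAD_UNUSED_BITS;	/* RSA signature is whole octets */
	if (clen == 1)
		return BS_EMPTY;		/* prefix only, nothing to verify */
	out->data = der + hlen + 1;		/* skip the prefix octet */
	out->len = clen - 1;			/* length without the prefix */
	return BS_OK;
}

/* Signature length on success, negative status code otherwise. */
long unwrap_len(const uint8_t *der, size_t n)
{
	struct sig_view v;
	int st = rsa_sig_from_bit_string(der, n, &v);

	return st == BS_OK ? (long)v.len : (long)st;
}

/* Constructed inputs, not taken from any real certificate. */
static const uint8_t SAMPLE_OK[]     = { 0x03, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t SAMPLE_UNUSED[] = { 0x03, 0x05, 0x04, 0xde, 0xad, 0xbe, 0xf0 };
static const uint8_t SAMPLE_EMPTY[]  = { 0x03, 0x01, 0x00 };
static const uint8_t SAMPLE_SHORT[]  = { 0x03, 0x05, 0x00, 0xde };

/* Constructed 2048-bit case: 256 octets behind a long-form length. */
long unwrap_len_2048(void)
{
	uint8_t buf[5 + 256] = { 0x03, 0x82, 0x01, 0x01, 0x00 };

	memset(buf + 5, 0xa5, 256);
	return unwrap_len(buf, sizeof(buf));
}

int main(void)
{
	printf("ok=%ld unused=%ld empty=%ld short=%ld rsa2048=%ld\n",
	       unwrap_len(SAMPLE_OK, sizeof(SAMPLE_OK)),
	       unwrap_len(SAMPLE_UNUSED, sizeof(SAMPLE_UNUSED)),
	       unwrap_len(SAMPLE_EMPTY, sizeof(SAMPLE_EMPTY)),
	       unwrap_len(SAMPLE_SHORT, sizeof(SAMPLE_SHORT)),
	       unwrap_len_2048());
	return 0;
}
```

The 2048-bit sample shows the length mismatch the commit message refers to: the BIT STRING content is 257 octets, the signature handed to the RSA implementation must be 256.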



* [PATCH 3.16 211/366] tty: vt, remove reduntant check
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 274/366] fat: fix memory allocation failure handling of match_strdup() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 061/366] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Ben Hutchings
                   ` (356 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jiri Slaby, Fugang Duan, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 182846a00f489849c55d113954f0c4a8a286ca39 upstream.

MAX_NR_CONSOLES and MAX_NR_USER_CONSOLES are both 63 since they were
introduced in 1.1.54. And since vc_allocate does:

if (currcons >= MAX_NR_CONSOLES)
	return -ENXIO;

if (!vc_cons[currcons].d) {
	if (currcons >= MAX_NR_USER_CONSOLES && !capable(CAP_SYS_RESOURCE))
		return -EPERM;
}

the second check is pointless. Remove both the check and the macro
MAX_NR_USER_CONSOLES.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c     | 4 ----
 include/uapi/linux/vt.h | 1 -
 2 files changed, 5 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -760,10 +760,6 @@ int vc_allocate(unsigned int currcons)	/
 	    struct vc_data *vc;
 	    struct vt_notifier_param param;
 
-	    /* prevent users from taking too much memory */
-	    if (currcons >= MAX_NR_USER_CONSOLES && !capable(CAP_SYS_RESOURCE))
-	      return -EPERM;
-
 	    /* due to the granularity of kmalloc, we waste some memory here */
 	    /* the alloc is done in two steps, to optimize the common situation
 	       of a 25x80 console (structsize=216, screenbuf_size=4000) */
--- a/include/uapi/linux/vt.h
+++ b/include/uapi/linux/vt.h
@@ -8,7 +8,6 @@
  */
 #define MIN_NR_CONSOLES 1       /* must be at least 1 */
 #define MAX_NR_CONSOLES	63	/* serial lines start at 64 */
-#define MAX_NR_USER_CONSOLES 63	/* must be root to allocate above this */
 		/* Note: the ioctl VT_GETSTATE does not work for
 		   consoles 16 and higher (since it returns a short) */
 
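Review bot: MAX_NR_USER_CONSOLES is deleted from include/uapi/linux/vt.h, a header exported to user space, so any program that references the macro stops compiling against the updated headers. For a stable backport, consider keeping the #define with a comment that the kernel no longer uses it, and dropping only the check in vt.c.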



* [PATCH 3.16 132/366] backlight: tps65217_bl: Fix Device Tree node lookup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (347 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 237/366] xhci: xhci-mem: off by one in xhci_stream_id_to_ring() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 034/366] spi: pxa2xx: check clk_prepare_enable() return value Ben Hutchings
                   ` (17 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Daniel Thompson, Lee Jones

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

This would only cause trouble if the child node is missing while there
is an unrelated node named "backlight" elsewhere in the tree.

Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/tps65217_bl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/video/backlight/tps65217_bl.c
+++ b/drivers/video/backlight/tps65217_bl.c
@@ -190,11 +190,11 @@ static struct tps65217_bl_pdata *
 tps65217_bl_parse_dt(struct platform_device *pdev)
 {
 	struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
-	struct device_node *node = of_node_get(tps->dev->of_node);
+	struct device_node *node;
 	struct tps65217_bl_pdata *pdata, *err;
 	u32 val;
 
-	node = of_find_node_by_name(node, "backlight");
+	node = of_get_child_by_name(tps->dev->of_node, "backlight");
 	if (!node)
 		return ERR_PTR(-ENODEV);
 
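Review bot: of_get_child_by_name() returns the child node with a reference held, and the visible part of tps65217_bl_parse_dt() does not show an of_node_put(node) on the paths that follow the !node test. Please confirm that the rest of the function drops the reference on both the success and the error returns, or add the put.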



* [PATCH 3.16 214/366] s390/qeth: don't clobber buffer on async TX completion
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 243/366] ARC: Fix CONFIG_SWAP Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 248/366] skbuff: Unconditionally copy pfmemalloc in __skb_clone() Ben Hutchings
                   ` (262 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Julian Wiedmann

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.ibm.com>

commit ce28867fd20c23cd769e78b4d619c4755bf71a1c upstream.

If qeth_qdio_output_handler() detects that a transmit requires async
completion, it replaces the pending buffer's metadata object
(qeth_qdio_out_buffer) so that this queue buffer can be re-used while
the data is pending completion.

Later when the CQ indicates async completion of such a metadata object,
qeth_qdio_cq_handler() tries to free any data associated with this
object (since HW has now completed the transfer). By calling
qeth_clear_output_buffer(), it erroneously operates on the queue buffer
that _previously_ belonged to this transfer ... but which has been
potentially re-used several times by now.
This results in double-frees of the buffer's data, and failing
transmits as the buffer descriptor is scrubbed in mid-air.

The correct way of handling this situation is to
1. scrub the queue buffer when it is prepared for re-use, and
2. later obtain the data addresses from the async-completion notifier
   (ie. the AOB), instead of the queue buffer.

All this only affects qeth devices used for af_iucv HiperTransport.

Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_core.h      | 11 +++++++++++
 drivers/s390/net/qeth_core_main.c | 22 ++++++++++++++++------
 2 files changed, 27 insertions(+), 6 deletions(-)

--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -844,6 +844,17 @@ struct qeth_trap_id {
 /*some helper functions*/
 #define QETH_CARD_IFNAME(card) (((card)->dev)? (card)->dev->name : "")
 
+static inline void qeth_scrub_qdio_buffer(struct qdio_buffer *buf,
+					  unsigned int elements)
+{
+	unsigned int i;
+
+	for (i = 0; i < elements; i++)
+		memset(&buf->element[i], 0, sizeof(struct qdio_buffer_element));
+	buf->element[14].sflags = 0;
+	buf->element[15].sflags = 0;
+}
+
 static inline struct qeth_card *CARD_FROM_CDEV(struct ccw_device *cdev)
 {
 	struct qeth_card *card = dev_get_drvdata(&((struct ccwgroup_device *)
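
Review bot: qeth_scrub_qdio_buffer() hard-codes element[14] and element[15] after the memset loop with no comment. If elements can be 16 the two stores are redundant, and if it is smaller the reader needs to know why exactly these two entries carry sflags that must be cleared; name the indices or add a comment.
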
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -65,9 +65,6 @@ static void qeth_notify_skbs(struct qeth
 		struct qeth_qdio_out_buffer *buf,
 		enum iucv_tx_notify notification);
 static void qeth_release_skbs(struct qeth_qdio_out_buffer *buf);
-static void qeth_clear_output_buffer(struct qeth_qdio_out_q *queue,
-		struct qeth_qdio_out_buffer *buf,
-		enum qeth_qdio_buffer_states newbufstate);
 static int qeth_init_qdio_out_buf(struct qeth_qdio_out_q *, int);
 
 struct workqueue_struct *qeth_wq;
@@ -451,6 +448,7 @@ static inline void qeth_qdio_handle_aob(
 	struct qaob *aob;
 	struct qeth_qdio_out_buffer *buffer;
 	enum iucv_tx_notify notification;
+	unsigned int i;
 
 	aob = (struct qaob *) phys_to_virt(phys_aob_addr);
 	QETH_CARD_TEXT(card, 5, "haob");
@@ -475,10 +473,18 @@ static inline void qeth_qdio_handle_aob(
 	qeth_notify_skbs(buffer->q, buffer, notification);
 
 	buffer->aob = NULL;
-	qeth_clear_output_buffer(buffer->q, buffer,
-				 QETH_QDIO_BUF_HANDLED_DELAYED);
+	/* Free dangling allocations. The attached skbs are handled by
+	 * qeth_cleanup_handled_pending().
+	 */
+	for (i = 0;
+	     i < aob->sb_count && i < QETH_MAX_BUFFER_ELEMENTS(card);
+	     i++) {
+		if (aob->sba[i] && buffer->is_header[i])
+			kmem_cache_free(qeth_core_header_cache,
+					(void *) aob->sba[i]);
+	}
+	atomic_set(&buffer->state, QETH_QDIO_BUF_HANDLED_DELAYED);
 
-	/* from here on: do not touch buffer anymore */
 	qdio_release_aob(aob);
 }
 
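Review bot: The new loop in qeth_qdio_handle_aob() frees aob->sba[i] when buffer->is_header[i] is set but leaves the flag set, and it replaces the removed "do not touch buffer anymore" comment with an atomic_set() on buffer->state after the frees. If qeth_cleanup_handled_pending(), named in the new comment, also consults is_header[], the same header could be released again, so clear the flag inside the loop or say in the comment why that cannot happen.
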
@@ -3635,6 +3641,10 @@ void qeth_qdio_output_handler(struct ccw
 			QETH_CARD_TEXT(queue->card, 5, "aob");
 			QETH_CARD_TEXT_(queue->card, 5, "%lx",
 					virt_to_phys(buffer->aob));
+
+			/* prepare the queue slot for re-use: */
+			qeth_scrub_qdio_buffer(buffer->buffer,
+					       QETH_MAX_BUFFER_ELEMENTS(card));
 			if (qeth_init_qdio_out_buf(queue, bidx)) {
 				QETH_CARD_TEXT(card, 2, "outofbuf");
 				qeth_schedule_recovery(card);



* [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 059/366] media: smiapp: fix timeout checking in smiapp_read_nvm Ben Hutchings
                   ` (200 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 96d9270499471545048ed8a6d7f425a49762283d upstream.

get_device() and its internally used kobject_get() only return NULL if they
get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
adapter->port_list so the iteration variable port is always non-NULL.
Struct device is embedded in struct zfcp_port so &port->dev is always
non-NULL. This is the argument to get_device().  However, if we get an
fc_rport in terminate_rport_io() for which we cannot find a match within
zfcp_get_port_by_wwpn(), the latter can return NULL.  v2.6.30 commit
70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an
early return without adding a trace record for this case.  Even if we don't
need recovery in this case, for debugging we should still see that our
callback was invoked originally by scsi_transport_fc.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : sctrpin        SCSI terminate rport I/O, no zfcp port
LUN            : 0xffffffffffffffff                     none (invalid)
WWPN           : 0x<wwpn>               WWPN
D_ID           : 0x<n_port_id>          N_Port-ID
Adapter status : 0x...
Port status    : 0xffffffff             unknown (-1)
LUN status     : 0x00000000                             none (invalid)
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
ERP need       : 0xc0                   ZFCP_ERP_ACTION_NONE

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears")
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c  | 20 ++++++++++++++++++++
 drivers/s390/scsi/zfcp_ext.h  |  3 +++
 drivers/s390/scsi/zfcp_scsi.c |  5 +++++
 3 files changed, 28 insertions(+)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -282,6 +282,26 @@ static int zfcp_erp_action_enqueue(int w
 	return retval;
 }
 
+void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
+				      u64 port_name, u32 port_id)
+{
+	unsigned long flags;
+	static /* don't waste stack */ struct zfcp_port tmpport;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	/* Stand-in zfcp port with fields just good enough for
+	 * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
+	 * Under lock because tmpport is static.
+	 */
+	atomic_set(&tmpport.status, -1); /* unknown */
+	tmpport.wwpn = port_name;
+	tmpport.d_id = port_id;
+	zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
+			  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+			  ZFCP_ERP_ACTION_NONE);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
 				    int clear_mask, char *id)
 {
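Review bot: tmpport in zfcp_erp_port_forced_no_port_dbf() is one function-static object shared by the whole driver, but the lock taken around it is the per-adapter adapter->erp_lock. Two adapters reaching this path at the same time can therefore write tmpport.wwpn and tmpport.d_id concurrently and emit a mixed trace record. Either guard the stand-in with a lock that is global to the driver or keep one stand-in per adapter, and adjust the "Under lock because tmpport is static" comment to match. Since only status, wwpn and d_id are filled in, the comment should also state that zfcp_dbf_rec_trig() reads nothing else from the port.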
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -58,6 +58,9 @@ extern void zfcp_dbf_scsi_eh(char *tag,
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
 extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
+extern void zfcp_erp_port_forced_no_port_dbf(char *id,
+					     struct zfcp_adapter *adapter,
+					     u64 port_name, u32 port_id);
 extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
 extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -624,6 +624,11 @@ static void zfcp_scsi_terminate_rport_io
 	if (port) {
 		zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
 		put_device(&port->dev);
+	} else {
+		zfcp_erp_port_forced_no_port_dbf(
+			"sctrpin", adapter,
+			rport->port_name /* zfcp_scsi_rport_register */,
+			rport->port_id /* zfcp_scsi_rport_register */);
 	}
 }
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 119/366] rtnetlink: validate attributes in do_setlink() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 035/366] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Ben Hutchings
                   ` (339 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andreas Dilger, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit eb9b5f01c33adebc31cbc236c02695f605b0e417 upstream.

If ext4_find_inline_data_nolock() returns an error it needs to get
reflected up to ext4_iget().  In order to fix this,
ext4_iget_extra_inode() needs to return an error (and not return
void).

This is related to "ext4: do not allow external inodes for inline
data" (which fixes CVE-2018-11412) in that in the errors=continue
case, it would be useful for userspace to receive an error
indicating that the file system is corrupted.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4159,19 +4159,21 @@ static blkcnt_t ext4_inode_blocks(struct
 	}
 }
 
-static inline void ext4_iget_extra_inode(struct inode *inode,
+static inline int ext4_iget_extra_inode(struct inode *inode,
 					 struct ext4_inode *raw_inode,
 					 struct ext4_inode_info *ei)
 {
 	__le32 *magic = (void *)raw_inode +
 			EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
+
 	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
 	    EXT4_INODE_SIZE(inode->i_sb) &&
 	    *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
 		ext4_set_inode_state(inode, EXT4_STATE_XATTR);
-		ext4_find_inline_data_nolock(inode);
+		return ext4_find_inline_data_nolock(inode);
 	} else
 		EXT4_I(inode)->i_inline_off = 0;
+	return 0;
 }
 
 struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
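Review bot: in ext4_iget_extra_inode() the braced if branch now ends in a return, which leaves an unbraced else followed by a bare "return 0;". Dropping the else, or bracing both branches, would make the two exits easier to read. A one-line comment on the new int return (0, or the error from ext4_find_inline_data_nolock()) would document the contract that ext4_iget() now depends on.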
@@ -4331,7 +4333,9 @@ struct inode *ext4_iget(struct super_blo
 			ei->i_extra_isize = sizeof(struct ext4_inode) -
 					    EXT4_GOOD_OLD_INODE_SIZE;
 		} else {
-			ext4_iget_extra_inode(inode, raw_inode, ei);
+			ret = ext4_iget_extra_inode(inode, raw_inode, ei);
+			if (ret)
+				goto bad_inode;
 		}
 	}
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 130/366] backlight: as3711_bl: Fix Device Tree node lookup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 174/366] xen-netfront: Update features after registering netdev Ben Hutchings
                   ` (164 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lee Jones, Daniel Thompson, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream.

Fix child-node lookup during probe, which ended up searching the whole
device tree depth-first starting at the parent rather than just matching
on its children.

To make things worse, the parent mfd node was also prematurely freed.

Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/as3711_bl.c | 33 ++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 10 deletions(-)

--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -262,10 +262,10 @@ static int as3711_bl_register(struct pla
 static int as3711_backlight_parse_dt(struct device *dev)
 {
 	struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
-	struct device_node *bl =
-		of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
+	struct device_node *bl, *fb;
 	int ret;
 
+	bl = of_get_child_by_name(dev->parent->of_node, "backlight");
 	if (!bl) {
 		dev_dbg(dev, "backlight node not found\n");
 		return -ENODEV;
@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(str
 		if (pdata->su1_max_uA <= 0)
 			ret = -EINVAL;
 		if (ret < 0)
-			return ret;
+			goto err_put_bl;
 	}
 
 	fb = of_parse_phandle(bl, "su2-dev", 0);
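Review bot: the new err_put_bl exits release only bl, while the trailing context line "fb = of_parse_phandle(bl, "su2-dev", 0);" takes a second node reference that none of the hunks in this patch release. If fb is meant to stay referenced after parsing, say so in a comment; otherwise it needs its own of_node_put() on these paths.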
@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(str
 		if (pdata->su2_max_uA <= 0)
 			ret = -EINVAL;
 		if (ret < 0)
-			return ret;
+			goto err_put_bl;
 
 		if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
 			pdata->su2_feedback = AS3711_SU2_VOLTAGE;
@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(str
 			pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
 			count++;
 		}
-		if (count != 1)
-			return -EINVAL;
+		if (count != 1) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 
 		count = 0;
 		if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(str
 			pdata->su2_fbprot = AS3711_SU2_GPIO4;
 			count++;
 		}
-		if (count != 1)
-			return -EINVAL;
+		if (count != 1) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 
 		count = 0;
 		if (of_find_property(bl, "su2-auto-curr1", NULL)) {
@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(str
 		 * At least one su2-auto-curr* must be specified iff
 		 * AS3711_SU2_CURR_AUTO is used
 		 */
-		if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
-			return -EINVAL;
+		if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
+			ret = -EINVAL;
+			goto err_put_bl;
+		}
 	}
 
+	of_node_put(bl);
+
 	return 0;
+
+err_put_bl:
+	of_node_put(bl);
+
+	return ret;
 }
 
 static int as3711_backlight_probe(struct platform_device *pdev)
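Review bot: the success path and err_put_bl both end in of_node_put(bl) followed by a return, so one label can serve both if ret is set to 0 before falling through. A single exit also removes the chance that a later error path is added with a plain return and leaks bl again.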


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 127/366] fs/binfmt_misc.c: do not allow offset overflow
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 184/366] vhost_net: validate sock before trying to put its fd Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 012/366] media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS Ben Hutchings
                   ` (274 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Thadeu Lima de Souza Cascardo, Alexander Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.

When registering a new binfmt_misc handler, it is possible to overflow
the offset to get a negative value, which might crash the system, or
possibly leak kernel data.

Here is a crash log when 2500000000 was used as an offset:

  BUG: unable to handle kernel paging request at ffff989cfd6edca0
  IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
  PGD 1ef3e067 P4D 1ef3e067 PUD 0
  Oops: 0000 [#1] SMP NOPTI
  Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
  CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
  RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
  Call Trace:
    search_binary_handler+0x97/0x1d0
    do_execveat_common.isra.34+0x667/0x810
    SyS_execve+0x31/0x40
    do_syscall_64+0x73/0x130
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Use kstrtoint instead of simple_strtoul.  It will work as the code
already set the delimiter byte to '\0' and we only do it when the field
is not empty.

Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX.  Also tested
with examples documented at Documentation/admin-guide/binfmt-misc.rst
and other registrations from packages on Ubuntu.

Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Error label is "Einval"
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/binfmt_misc.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -319,8 +319,13 @@ static Node *create_entry(const char __u
 		char *s = strchr(p, del);
 		if (!s)
 			goto Einval;
-		*s++ = '\0';
-		e->offset = simple_strtoul(p, &p, 10);
+		*s = '\0';
+		if (p != s) {
+			int r = kstrtoint(p, 10, &e->offset);
+			if (r != 0 || e->offset < 0)
+				goto Einval;
+		}
+		p = s;
 		if (*p++)
 			goto Einval;
 		e->magic = p;
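Review bot: when the offset field is empty (p == s) nothing is stored to e->offset, so the value used later is whatever the entry held before this hunk, and the lines shown do not establish what that is. An explicit "e->offset = 0;" or a comment naming the initialisation would close that gap. kstrtoint() also requires e->offset to be declared int, which the "e->offset < 0" test relies on; worth confirming against the Node definition.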
@@ -341,7 +346,8 @@ static Node *create_entry(const char __u
 		if (e->mask &&
 		    string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
 			goto Einval;
-		if (e->size + e->offset > BINPRM_BUF_SIZE)
+		if (e->size > BINPRM_BUF_SIZE ||
+		    BINPRM_BUF_SIZE - e->size < e->offset)
 			goto Einval;
 	} else {
 		p = strchr(p, del);
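Review bot: the rewritten check "BINPRM_BUF_SIZE - e->size < e->offset" accepts any negative e->offset, so it is correct only because negative values were already rejected in the parsing hunk above. A comment here stating that precondition would keep the two checks from drifting apart.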


^ permalink raw reply	[flat|nested] 376+ messages in thread
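The parsing change described in the binfmt_misc message above, as an added userspace model (not kernel code and not part of the patch). The names register_old, register_new, strict_int, struct entry and MODEL_BUF_SIZE are hypothetical, and strtoul/strtol stand in for simple_strtoul/kstrtoint.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for BINPRM_BUF_SIZE; the value is chosen for this model. */
#define MODEL_BUF_SIZE 128

/* Hypothetical, reduced version of the handler entry. */
struct entry {
	int offset;	/* where the magic is expected in the file header */
	int size;	/* length of the magic */
};

/* Pre-patch shape: unsigned parse stored in an int, then a sum-based check. */
static int register_old(const char *field, int size, struct entry *e)
{
	e->size = size;
	/* Values above INT_MAX wrap to negative on the usual ABIs. */
	e->offset = (int)(unsigned int)strtoul(field, NULL, 10);
	/* Model a wrapping int addition without C undefined behaviour. */
	if ((int)((unsigned int)e->size + (unsigned int)e->offset) > MODEL_BUF_SIZE)
		return -EINVAL;
	return 0;
}

/* Userspace approximation of kstrtoint(): whole string, range-checked. */
static int strict_int(const char *s, int *out)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(s, &end, 10);
	if (end == s || *end != '\0')
		return -EINVAL;
	if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
		return -ERANGE;
	*out = (int)v;
	return 0;
}

/* Post-patch shape: strict parse, reject negatives, subtraction-based check. */
static int register_new(const char *field, int size, struct entry *e)
{
	e->size = size;
	e->offset = 0;		/* default when the field is empty */
	if (*field != '\0') {
		if (strict_int(field, &e->offset) != 0 || e->offset < 0)
			return -EINVAL;
	}
	/* Cannot overflow: size is bounded first and offset is non-negative. */
	if (e->size > MODEL_BUF_SIZE || MODEL_BUF_SIZE - e->size < e->offset)
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed inputs: the offset from the crash log, then boundary values. */
	const char *fields[] = { "2500000000", "2147483647", "", "124", "125" };
	struct entry e;
	size_t i;

	for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
		int o = register_old(fields[i], 4, &e);
		int old_off = e.offset;
		int n = register_new(fields[i], 4, &e);

		printf("%-12s old=%d (offset %d) new=%d\n",
		       fields[i], o, old_off, n);
	}
	return 0;
}
```

The old path accepts both 2500000000 (stored as a negative offset) and INT_MAX (the sum wraps), which are the two failure modes the two hunks close.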

* [PATCH 3.16 229/366] USB: serial: ch341: fix type promotion bug in ch341_control_in()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 166/366] xen-netfront: Use static attribute groups for sysfs entries Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 301/366] squashfs: be more careful about metadata corruption Ben Hutchings
                   ` (308 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e33eab9ded328ccc14308afa51b5be7cbe78d30b upstream.

The "r" variable is an int and "bufsize" is an unsigned int so the
comparison is type promoted to unsigned.  If usb_control_msg() returns a
negative that is treated as a high positive value and the error handling
doesn't work.

Fixes: 2d5a9c72d0c4 ("USB: serial: ch341: fix control-message error handling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ch341.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -131,7 +131,7 @@ static int ch341_control_in(struct usb_d
 	r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
 			    value, index, buf, bufsize, DEFAULT_TIMEOUT);
-	if (r < bufsize) {
+	if (r < (int)bufsize) {
 		if (r >= 0) {
 			dev_err(&dev->dev,
 				"short control message received (%d < %u)\n",
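Review bot: "r < (int)bufsize" fixes the promotion but moves the assumption into the cast: a bufsize above INT_MAX would turn negative and the short-read test would misfire again. Testing "r < 0" first and only then comparing the non-negative r against bufsize needs no cast; if the cast stays, a comment stating that callers never pass more than INT_MAX would document the limit.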


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 054/366] staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 018/366] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Ben Hutchings
                   ` (181 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzbot+cd8bcd40cb049efa2770, Laura Abbott, syzbot,
	Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laura Abbott <labbott@redhat.com>

commit 45ad559a29629cb1c64ee636563c69b71524f077 upstream.

Syzbot reported yet another warning with Ion:

WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
Kernel panic - not syncing: panic_on_warn set ...

This is catching that a buffer was freed with an existing kernel mapping
still present. This can easily be triggered from userspace by calling
DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
pr_warn_once to indicate the error without being disruptive.

Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ion/ion.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion.c
+++ b/drivers/staging/android/ion/ion.c
@@ -272,8 +272,11 @@ err2:
 
 void ion_buffer_destroy(struct ion_buffer *buffer)
 {
-	if (WARN_ON(buffer->kmap_cnt > 0))
+	if (buffer->kmap_cnt > 0) {
+		pr_warn_once("%s: buffer still mapped in the kernel\n",
+			     __func__);
 		buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
+	}
 	buffer->heap->ops->unmap_dma(buffer->heap, buffer);
 	buffer->heap->ops->free(buffer);
 	if (buffer->pages)
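Review bot: pr_warn_once() records only the first buffer destroyed with kmap_cnt > 0, and the message carries neither the count nor anything identifying the buffer, so later occurrences of this userspace-triggerable condition leave no trace. Including buffer->kmap_cnt in the message, or using a rate-limited warning, would keep it useful for debugging. unmap_kernel() is also called once whatever the count is; a comment saying that one call is sufficient would help.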


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 065/366] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 002/366] arm64: ensure extension of smp_store_release value Ben Hutchings
                   ` (179 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 8c3d20aada70042a39c6a6625be037c1472ca610 upstream.

That other commit introduced an inconsistency because it would trace on
ERP_FAILED for all callers of port forced reopen triggers (not just
terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
other ERP triggers such as adapter, port regular, LUN.

Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
had two early outs which re-used the one zfcp_dbf_rec_trig() call.  All ERP
trigger functions finally run through zfcp_erp_action_enqueue().  So move
the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
zfcp_erp_action_enqueue() and add another early out with new trace marker
for pseudo ERP need in this case. This removes all early returns from all
ERP trigger functions so we always end up at zfcp_dbf_rec_trig().

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : .......
LUN            : 0x...
WWPN           : 0x...
D_ID           : 0x...
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x...
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x0.                   ZFCP_ERP_ACTION_REOPEN_...
ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 79 +++++++++++++++++++++++-------------
 1 file changed, 51 insertions(+), 28 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -142,6 +142,49 @@ static void zfcp_erp_action_dismiss_adap
 	}
 }
 
+static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
+				  struct zfcp_port *port,
+				  struct scsi_device *sdev)
+{
+	int need = want;
+	struct zfcp_scsi_dev *zsdev;
+
+	switch (want) {
+	case ZFCP_ERP_ACTION_REOPEN_LUN:
+		zsdev = sdev_to_zfcp(sdev);
+		if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+			need = 0;
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
+		if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+			need = 0;
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_PORT:
+		if (atomic_read(&port->status) &
+		    ZFCP_STATUS_COMMON_ERP_FAILED) {
+			need = 0;
+			/* ensure propagation of failed status to new devices */
+			zfcp_erp_set_port_status(
+				port, ZFCP_STATUS_COMMON_ERP_FAILED);
+		}
+		break;
+	case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
+		if (atomic_read(&adapter->status) &
+		    ZFCP_STATUS_COMMON_ERP_FAILED) {
+			need = 0;
+			/* ensure propagation of failed status to new devices */
+			zfcp_erp_set_adapter_status(
+				adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
+		}
+		break;
+	default:
+		need = 0;
+		break;
+	}
+
+	return need;
+}
+
 static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
 				 struct zfcp_port *port,
 				 struct scsi_device *sdev)
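Review bot: the default case of zfcp_erp_handle_failed() returns need = 0, which zfcp_erp_action_enqueue() then records as ZFCP_ERP_ACTION_FAILED, so an unexpected want value is traced as if the object were in ERP_FAILED. Returning want unchanged in the default case, or tracing it with a distinct marker, would keep the record truthful. The helper also sets status in the REOPEN_PORT and REOPEN_ADAPTER cases and dereferences port or sdev depending on want; a short comment above it should state both.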
@@ -265,6 +308,12 @@ static int zfcp_erp_action_enqueue(int w
 	int retval = 1, need;
 	struct zfcp_erp_action *act;
 
+	need = zfcp_erp_handle_failed(want, adapter, port, sdev);
+	if (!need) {
+		need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
+		goto out;
+	}
+
 	if (!adapter->erp_thread)
 		return -EIO;
 
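Review bot: the early "goto out" leaves retval at its initial value 1, whereas the checks removed further down in _zfcp_erp_adapter_reopen() and _zfcp_erp_port_reopen() returned -EIO for the same ERP_FAILED condition. If any caller tests for a negative return this changes behaviour, and the commit message does not mention it. The new block also runs before the "!adapter->erp_thread" test, so the ordering deserves a comment explaining that the trace is wanted even without an ERP thread.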
@@ -313,12 +362,6 @@ static int _zfcp_erp_adapter_reopen(stru
 	zfcp_erp_adapter_block(adapter, clear_mask);
 	zfcp_scsi_schedule_rports_block(adapter);
 
-	/* ensure propagation of failed status to new devices */
-	if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		zfcp_erp_set_adapter_status(adapter,
-					    ZFCP_STATUS_COMMON_ERP_FAILED);
-		return -EIO;
-	}
 	return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
 				       adapter, NULL, NULL, id, 0);
 }
@@ -337,12 +380,8 @@ void zfcp_erp_adapter_reopen(struct zfcp
 	zfcp_scsi_schedule_rports_block(adapter);
 
 	write_lock_irqsave(&adapter->erp_lock, flags);
-	if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-		zfcp_erp_set_adapter_status(adapter,
-					    ZFCP_STATUS_COMMON_ERP_FAILED);
-	else
-		zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-					NULL, NULL, id, 0);
+	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
+				NULL, NULL, id, 0);
 	write_unlock_irqrestore(&adapter->erp_lock, flags);
 }
 
@@ -383,13 +422,6 @@ static void _zfcp_erp_port_forced_reopen
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
-				  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
-				  ZFCP_ERP_ACTION_FAILED);
-		return;
-	}
-
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
 				port->adapter, port, NULL, id, 0);
 }
@@ -415,12 +447,6 @@ static int _zfcp_erp_port_reopen(struct
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-		/* ensure propagation of failed status to new devices */
-		zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
-		return -EIO;
-	}
-
 	return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
 				       port->adapter, port, NULL, id, 0);
 }
@@ -460,9 +486,6 @@ static void _zfcp_erp_lun_reopen(struct
 
 	zfcp_erp_lun_block(sdev, clear);
 
-	if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-		return;
-
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
 				zfcp_sdev->port, sdev, id, act_status);
 }


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 046/366] ext4: do not update s_last_mounted of a frozen fs
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 123/366] bnx2x: use the right constant Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 331/366] leds: do not overflow sysfs buffer in led_trigger_show Ben Hutchings
                   ` (138 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Amir Goldstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit db6516a5e7ddb6dc72d167b920f2f272596ea22d upstream.

If fs is frozen after mount and before the first file open, the
update of s_last_mounted bypasses freeze protection and prints out
a WARNING splat:

$ mount /vdf
$ fsfreeze -f /vdf
$ cat /vdf/foo

[   31.578555] WARNING: CPU: 1 PID: 1415 at
fs/ext4/ext4_jbd2.c:53 ext4_journal_check_start+0x48/0x82

[   31.614016] Call Trace:
[   31.614997]  __ext4_journal_start_sb+0xe4/0x1a4
[   31.616771]  ? ext4_file_open+0xb6/0x189
[   31.618094]  ext4_file_open+0xb6/0x189

If fs is frozen, skip s_last_mounted update.

[backport hint: to apply to stable tree, need to apply also patches
 vfs: add the sb_start_intwrite_trylock() helper
 ext4: factor out helper ext4_sample_last_mounted()]

Fixes: bc0b0d6d69ee ("ext4: update the s_last_mounted field in the superblock")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/file.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -220,7 +220,7 @@ static int ext4_sample_last_mounted(stru
 	if (likely(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED))
 		return 0;
 
-	if (sb->s_flags & MS_RDONLY)
+	if (sb->s_flags & MS_RDONLY || !sb_start_intwrite_trylock(sb))
 		return 0;
 
 	sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
@@ -234,21 +234,25 @@ static int ext4_sample_last_mounted(stru
 	path.mnt = mnt;
 	path.dentry = mnt->mnt_root;
 	cp = d_path(&path, buf, sizeof(buf));
+	err = 0;
 	if (IS_ERR(cp))
-		return 0;
+		goto out;
 
 	handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
+	err = PTR_ERR(handle);
 	if (IS_ERR(handle))
-		return PTR_ERR(handle);
+		goto out;
 	BUFFER_TRACE(sbi->s_sbh, "get_write_access");
 	err = ext4_journal_get_write_access(handle, sbi->s_sbh);
 	if (err)
-		goto out;
+		goto out_journal;
 	strlcpy(sbi->s_es->s_last_mounted, cp,
 		sizeof(sbi->s_es->s_last_mounted));
 	ext4_handle_dirty_super(handle, sb);
-out:
+out_journal:
 	ext4_journal_stop(handle);
+out:
+	sb_end_intwrite(sb);
 	return err;
 }
 
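Review bot: "err = PTR_ERR(handle);" is assigned before the IS_ERR() test, so on the success path err briefly holds a pointer value truncated to int and is correct only because ext4_journal_get_write_access() overwrites it in the next statement. Moving the assignment inside the "if (IS_ERR(handle))" block, with braces, removes that dependency; the same applies to the "err = 0;" placed ahead of the IS_ERR(cp) test.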


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 147/366] USB: serial: cp210x: add Silicon Labs IDs for Windows Update
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 353/366] perf tools: define _DEFAULT_SOURCE for glibc_2.20 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 360/366] perf tools: Fix snprint warnings for gcc 8 Ben Hutchings
                   ` (267 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Karoly Pados

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Karoly Pados <pados@pados.hu>

commit 2f839823382748664b643daa73f41ee0cc01ced6 upstream.

Silicon Labs defines alternative VID/PID pairs for some chips that when
used will automatically install drivers for Windows users without manual
intervention. Unfortunately, these IDs are not recognized by the Linux
module, so using these IDs improves user experience on one platform but
degrades it on Linux. This patch addresses this problem.

Signed-off-by: Karoly Pados <pados@pados.hu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -139,8 +139,11 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
 	{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
 	{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
+	{ USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */
 	{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
 	{ USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
+	{ USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */
+	{ USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */
 	{ USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
 	{ USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
 	{ USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 039/366] clk: qcom: Base rcg parent rate off plan frequency
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 355/366] perf thread_map: Use readdir() instead of deprecated readdir_r() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 019/366] media: v4l2-compat-ioctl32: prevent go past max size Ben Hutchings
                   ` (242 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Evan Green, Stephen Boyd

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Evan Green <evgreen@chromium.org>

commit c7d2a0eb6c028ba064bfe92d7667977418142c7c upstream.

_freq_tbl_determine_rate uses the pre_div found in the clock plan
multiplied by the requested rate from the caller to determine the
best parent rate to set. If the requested rate is not exactly equal
to the rate that was found in the clock plan, then using the requested
rate in parent rate calculations is incorrect. For instance, if 150MHz
was requested, but 200MHz was the match found, and that plan had a
pre_div of 3, then the parent should be set to 600MHz, not 450MHz.

Signed-off-by: Evan Green <evgreen@chromium.org>
Fixes: bcd61c0f535a ("clk: qcom: Add support for root clock generators (RCGs)")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/qcom/clk-rcg2.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/qcom/clk-rcg2.c
+++ b/drivers/clk/qcom/clk-rcg2.c
@@ -199,6 +199,7 @@ static long _freq_tbl_determine_rate(str
 	clk_flags = __clk_get_flags(hw->clk);
 	*p = clk_get_parent_by_index(hw->clk, f->src);
 	if (clk_flags & CLK_SET_RATE_PARENT) {
+		rate = f->freq;
 		if (f->pre_div) {
 			rate /= 2;
 			rate *= f->pre_div + 1;
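
Review bot: At the added "rate = f->freq;", the caller's requested rate is discarded inside the CLK_SET_RATE_PARENT branch with no comment saying why; a one-line comment that the parent rate must be derived from the matched plan entry, not from the request, would keep a later cleanup from removing it. The context lines also run "rate /= 2" before "rate *= f->pre_div + 1", so an odd f->freq loses its low bit before the multiply; either confirm the frequency tables never carry odd values or multiply first.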



* [PATCH 3.16 138/366] l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 297/366] tracing: Quiet gcc warning about maybe unused link variable Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 071/366] net: ethernet: davinci_emac: Fix printing of base address Ben Hutchings
                   ` (207 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 90904ff5f958a215cc3d26f957a46e80fa178470 upstream.

Define cfg.pw_type so that the new session is created with its .pwtype
field properly set (L2TP_PWTYPE_PPP).

Not setting the pseudo-wire type had several annoying effects:

  * Invalid value returned in the L2TP_ATTR_PW_TYPE attribute when
    dumping sessions with the netlink API.

  * Impossibility to delete the session using the netlink API (because
    l2tp_nl_cmd_session_delete() gets the deletion callback function
    from an array indexed by the session's pseudo-wire type).

Also, there are several cases where we should check a session's
pseudo-wire type. For example, pppol2tp_connect() should refuse to
connect a session that is not PPPoL2TP, but that requires the session's
.pwtype field to be properly set.

Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -780,6 +780,7 @@ static int pppol2tp_connect(struct socke
 		/* Default MTU must allow space for UDP/L2TP/PPP headers */
 		cfg.mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
 		cfg.mru = cfg.mtu;
+		cfg.pw_type = L2TP_PWTYPE_PPP;
 
 		session = l2tp_session_create(sizeof(struct pppol2tp_session),
 					      tunnel, session_id,
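
Review bot: cfg.pw_type is assigned only on the path that goes on to call l2tp_session_create(), so this hunk changes nothing for a session that already exists when pppol2tp_connect() runs. The changelog says connect should refuse sessions that are not PPPoL2TP, and that refusal is not part of this change; say explicitly that it is left to a follow-up so a backporter does not assume this patch alone adds the check.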



* [PATCH 3.16 034/366] spi: pxa2xx: check clk_prepare_enable() return value
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (348 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 132/366] backlight: tps65217_bl: Fix Device Tree node lookup Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 317/366] VFS: Impose ordering on accesses of d_inode and d_flags Ben Hutchings
                   ` (16 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tobias Jordan, Mark Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tobias Jordan <Tobias.Jordan@elektrobit.com>

commit 62bbc864d1946c715063bd481bff3641fd1324e2 upstream.

clk_prepare_enable() can fail, so its return value should be checked and
acted upon.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 3343b7a6d2cd ("spi/pxa2xx: convert to the common clk framework")
Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-pxa2xx.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -1182,7 +1182,9 @@ static int pxa2xx_spi_probe(struct platf
 	}
 
 	/* Enable SOC clock */
-	clk_prepare_enable(ssp->clk);
+	status = clk_prepare_enable(ssp->clk);
+	if (status)
+		goto out_error_dma_irq_alloc;
 
 	drv_data->max_clk_rate = clk_get_rate(ssp->clk);
 
@@ -1221,6 +1223,8 @@ static int pxa2xx_spi_probe(struct platf
 
 out_error_clock_enabled:
 	clk_disable_unprepare(ssp->clk);
+
+out_error_dma_irq_alloc:
 	pxa2xx_spi_dma_release(drv_data);
 	free_irq(ssp->irq, drv_data);
 
@@ -1296,8 +1300,11 @@ static int pxa2xx_spi_resume(struct devi
 	pxa2xx_spi_dma_resume(drv_data);
 
 	/* Enable the SSP clock */
-	if (!pm_runtime_suspended(dev))
-		clk_prepare_enable(ssp->clk);
+	if (!pm_runtime_suspended(dev)) {
+		status = clk_prepare_enable(ssp->clk);
+		if (status)
+			return status;
+	}
 
 	/* Restore LPSS private register bits */
 	lpss_ssp_setup(drv_data);
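
Review bot: In pxa2xx_spi_resume() the new "return status" fires after pxa2xx_spi_dma_resume(drv_data) has already run, so a clk_prepare_enable() failure leaves DMA resumed with the SSP clock off and skips lpss_ssp_setup(), with nothing unwound and nothing logged. Add a dev_err() before returning, and either undo the DMA resume on this path or move the clock enable ahead of it.
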
@@ -1325,9 +1332,10 @@ static int pxa2xx_spi_runtime_suspend(st
 static int pxa2xx_spi_runtime_resume(struct device *dev)
 {
 	struct driver_data *drv_data = dev_get_drvdata(dev);
+	int status;
 
-	clk_prepare_enable(drv_data->ssp->clk);
-	return 0;
+	status = clk_prepare_enable(drv_data->ssp->clk);
+	return status;
 }
 #endif
 



* [PATCH 3.16 117/366] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 191/366] batman-adv: Fix multicast TT issues with bogus ROAM flags Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 335/366] usbip: stub_rx: fix static checker warning on unnecessary checks Ben Hutchings
                   ` (347 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sabrina Dubroca

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

commit 848235edb5c93ed086700584c8ff64f6d7fc778d upstream.

Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during
ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same
setsockopt will fail with -ENOENT, since we haven't actually created
that table.

A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr:
various fixes and cleanups").

Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6mr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1785,7 +1785,8 @@ int ip6_mroute_setsockopt(struct sock *s
 		ret = 0;
 		if (!ip6mr_new_table(net, v))
 			ret = -ENOMEM;
-		raw6_sk(sk)->ip6mr_table = v;
+		else
+			raw6_sk(sk)->ip6mr_table = v;
 		rtnl_unlock();
 		return ret;
 	}



* [PATCH 3.16 035/366] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 342/366] clk: si5351: Constify clock names and struct regmap_config Ben Hutchings
                   ` (338 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Scott Mayhew, J. Bruce Fields

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <smayhew@redhat.com>

commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.

nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
estimating the size of the readdir reply, but nfsd_encode_readdir
restricts it to INT_MAX when encoding the reply.  This can result in log
messages like "kernel: RPC request reserved 32896 but used 1049444".

Restrict rd_dircount similarly (no reason it should be larger than
svc_max_payload).

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/nfs4xdr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3343,7 +3343,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
 		nfserr = nfserr_resource;
 		goto err_no_verf;
 	}
-	maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
+	maxcount = svc_max_payload(resp->rqstp);
+	maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
 	/*
 	 * Note the rfc defines rd_maxcount as the size of the
 	 * READDIR4resok structure, which includes the verifier above
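
Review bot: The two added assignments use maxcount first as a scratch copy of svc_max_payload() and then as the clamped result, which makes the first line look like a finished value; a single "maxcount = min_t(u32, readdir->rd_maxcount, svc_max_payload(resp->rqstp));" or a separately named local for the payload limit is clearer. The subject and changelog also name nfsd_encode_readdir while the hunk is in nfsd4_encode_readdir().
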
@@ -3357,7 +3358,7 @@ nfsd4_encode_readdir(struct nfsd4_compou
 
 	/* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
 	if (!readdir->rd_dircount)
-		readdir->rd_dircount = INT_MAX;
+		readdir->rd_dircount = svc_max_payload(resp->rqstp);
 
 	readdir->xdr = xdr;
 	readdir->rd_maxcount = maxcount;
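
Review bot: Only the zero case of rd_dircount is replaced here; a non-zero client-supplied rd_dircount larger than svc_max_payload() passes through this hunk unchanged, although the changelog says rd_dircount should be restricted in the same way as rd_maxcount. If the intent is a clamp, apply min_t() to the non-zero value as well. svc_max_payload(resp->rqstp) is also evaluated a second time here; keeping it in one local would show that both limits come from the same bound.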



* [PATCH 3.16 044/366] ext4: factor out helper ext4_sample_last_mounted()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 222/366] x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 305/366] netlink: Don't shift with UB on nlk->ngroups Ben Hutchings
                   ` (160 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Amir Goldstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 833a950882d33a7dfc319d5e152fdf35028936eb upstream.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16:
 - Move up declaration of ret in ext4_file_open()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/file.c | 82 ++++++++++++++++++++++++++++----------------------
 1 file changed, 46 insertions(+), 36 deletions(-)

--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -208,52 +208,64 @@ static int ext4_file_mmap(struct file *f
 	return 0;
 }
 
-static int ext4_file_open(struct inode * inode, struct file * filp)
+static int ext4_sample_last_mounted(struct super_block *sb,
+				    struct vfsmount *mnt)
 {
-	struct super_block *sb = inode->i_sb;
-	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
-	struct vfsmount *mnt = filp->f_path.mnt;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct path path;
 	char buf[64], *cp;
+	handle_t *handle;
+	int err;
+
+	if (likely(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED))
+		return 0;
+
+	if (sb->s_flags & MS_RDONLY)
+		return 0;
+
+	sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
+	/*
+	 * Sample where the filesystem has been mounted and
+	 * store it in the superblock for sysadmin convenience
+	 * when trying to sort through large numbers of block
+	 * devices or filesystem images.
+	 */
+	memset(buf, 0, sizeof(buf));
+	path.mnt = mnt;
+	path.dentry = mnt->mnt_root;
+	cp = d_path(&path, buf, sizeof(buf));
+	if (IS_ERR(cp))
+		return 0;
+
+	handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
+	if (IS_ERR(handle))
+		return PTR_ERR(handle);
+	BUFFER_TRACE(sbi->s_sbh, "get_write_access");
+	err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+	if (err)
+		goto out;
+	strlcpy(sbi->s_es->s_last_mounted, cp,
+		sizeof(sbi->s_es->s_last_mounted));
+	ext4_handle_dirty_super(handle, sb);
+out:
+	ext4_journal_stop(handle);
+	return err;
+}
+
+static int ext4_file_open(struct inode * inode, struct file * filp)
+{
+	int ret;
+
+	ret = ext4_sample_last_mounted(inode->i_sb, filp->f_path.mnt);
+	if (ret)
+		return ret;
 
-	if (unlikely(!(sbi->s_mount_flags & EXT4_MF_MNTDIR_SAMPLED) &&
-		     !(sb->s_flags & MS_RDONLY))) {
-		sbi->s_mount_flags |= EXT4_MF_MNTDIR_SAMPLED;
-		/*
-		 * Sample where the filesystem has been mounted and
-		 * store it in the superblock for sysadmin convenience
-		 * when trying to sort through large numbers of block
-		 * devices or filesystem images.
-		 */
-		memset(buf, 0, sizeof(buf));
-		path.mnt = mnt;
-		path.dentry = mnt->mnt_root;
-		cp = d_path(&path, buf, sizeof(buf));
-		if (!IS_ERR(cp)) {
-			handle_t *handle;
-			int err;
-
-			handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
-			if (IS_ERR(handle))
-				return PTR_ERR(handle);
-			BUFFER_TRACE(sbi->s_sbh, "get_write_access");
-			err = ext4_journal_get_write_access(handle, sbi->s_sbh);
-			if (err) {
-				ext4_journal_stop(handle);
-				return err;
-			}
-			strlcpy(sbi->s_es->s_last_mounted, cp,
-				sizeof(sbi->s_es->s_last_mounted));
-			ext4_handle_dirty_super(handle, sb);
-			ext4_journal_stop(handle);
-		}
-	}
 	/*
 	 * Set up the jbd2_inode if we are opening the inode for
 	 * writing and the journal is present
 	 */
 	if (filp->f_mode & FMODE_WRITE) {
-		int ret = ext4_inode_attach_jinode(inode);
+		ret = ext4_inode_attach_jinode(inode);
 		if (ret < 0)
 			return ret;
 	}
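
Review bot: In ext4_sample_last_mounted(), EXT4_MF_MNTDIR_SAMPLED is set before d_path() and ext4_journal_start_sb() are attempted, so if either fails the mount point is never recorded for this mount, and in the journal-start and get_write_access cases the open that triggered the sampling fails with that error. The removed lines behaved the same way, so this is acceptable for a pure refactor, but the helper is the place to fix it: set the flag only after the superblock update succeeds, and consider not failing the open for what the comment calls a sysadmin convenience. The return values of ext4_handle_dirty_super() and ext4_journal_stop() are also dropped on the success path.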



* [PATCH 3.16 187/366] batman-adv: Fix debugfs path for renamed hardif
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 037/366] s390/cpum_sf: Add data entry sizes to sampling trailer entry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 011/366] Revert "mtd: nand: omap2: Fix subpage write" Ben Hutchings
                   ` (359 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, John Soros, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 36dc621ceca1be3ec885aeade5fdafbbcc452a6d upstream.

batman-adv is creating special debugfs directories in the init
net_namespace for each valid hard-interface (net_device). But it is
possible to rename a net_device to a completely different name than the
original one.

It can therefore happen that a user registers a new net_device which gets
the name "wlan0" assigned by default. batman-adv is also adding a new
directory under $debugfs/batman-adv/ with the name "wlan0".

The user then decides to rename this device to "wl_pri" and registers a
different device. The kernel may now decide to use the name "wlan0" again
for this new device. batman-adv will detect it as a valid net_device and
tries to create a directory with the name "wlan0" under
$debugfs/batman-adv/. But there already exists one with this name under
this path and thus this fails. batman-adv will detect a problem and
rollback the registering of this device.

batman-adv must therefore take care of renaming the debugfs directories
for hard-interfaces whenever it detects such a net_device rename.

Fixes: 5bc7c1eb44f2 ("batman-adv: add debugfs structure for information per interface")
Reported-by: John Soros <sorosj@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/debugfs.c        | 20 ++++++++++++++++++++
 net/batman-adv/debugfs.h        |  6 ++++++
 net/batman-adv/hard-interface.c |  3 +++
 3 files changed, 29 insertions(+)

--- a/net/batman-adv/debugfs.c
+++ b/net/batman-adv/debugfs.c
@@ -17,6 +17,7 @@
 
 #include "main.h"
 
+#include <linux/dcache.h>
 #include <linux/debugfs.h>
 
 #include "debugfs.h"
@@ -486,6 +487,25 @@ out:
 }
 
 /**
+ * batadv_debugfs_rename_hardif() - Fix debugfs path for renamed hardif
+ * @hard_iface: hard interface which was renamed
+ */
+void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface)
+{
+	const char *name = hard_iface->net_dev->name;
+	struct dentry *dir;
+	struct dentry *d;
+
+	dir = hard_iface->debug_dir;
+	if (!dir)
+		return;
+
+	d = debugfs_rename(dir->d_parent, dir, dir->d_parent, name);
+	if (!d)
+		pr_err("Can't rename debugfs dir to %s\n", name);
+}
+
+/**
  * batadv_debugfs_del_hardif - delete the base directory for a hard interface
  *  in debugfs.
  * @hard_iface: hard interface which is deleted.
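
Review bot: batadv_debugfs_rename_hardif() returns void and only prints pr_err() when debugfs_rename() fails, so on failure the directory keeps the old interface name and the collision described in the changelog can still occur once that name is reused. Return an error, or otherwise let the NETDEV_CHANGENAME handler know, and include the old directory name in the message so the log shows which entry is stale. The kernel-doc header uses the "name() -" form while the neighbouring batadv_debugfs_del_hardif comment uses "name -"; pick one.
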
--- a/net/batman-adv/debugfs.h
+++ b/net/batman-adv/debugfs.h
@@ -27,6 +27,7 @@ void batadv_debugfs_destroy(void);
 int batadv_debugfs_add_meshif(struct net_device *dev);
 void batadv_debugfs_del_meshif(struct net_device *dev);
 int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
+void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface);
 void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface);
 
 #else
@@ -55,6 +56,11 @@ int batadv_debugfs_add_hardif(struct bat
 }
 
 static inline
+void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface)
+{
+}
+
+static inline
 void batadv_debugfs_del_hardif(struct batadv_hard_iface *hard_iface)
 {
 }
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -695,6 +695,9 @@ static int batadv_hard_if_event(struct n
 		if (hard_iface == primary_if)
 			batadv_primary_if_update_addr(bat_priv, NULL);
 		break;
+	case NETDEV_CHANGENAME:
+		batadv_debugfs_rename_hardif(hard_iface);
+		break;
 	default:
 		break;
 	}



* [PATCH 3.16 119/366] rtnetlink: validate attributes in do_setlink()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 278/366] can: constify of_device_id array Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Ben Hutchings
                   ` (340 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Dmitry Vyukov, syzbot, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae upstream.

It seems that rtnl_group_changelink() can call do_setlink
while a prior call to validate_linkmsg(dev = NULL, ...) could
not validate IFLA_ADDRESS / IFLA_BROADCAST.

Make sure do_setlink() calls validate_linkmsg() instead
of letting its callers have this responsibility.

With help from Dmitry Vyukov, thanks a lot!

BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
 eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
 eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
 dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
 do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
 rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
 do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
 rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: e7ed828f10bd ("netlink: support setting devgroup parameters")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/rtnetlink.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1483,6 +1483,10 @@ static int do_setlink(const struct sk_bu
 	const struct net_device_ops *ops = dev->netdev_ops;
 	int err;
 
+	err = validate_linkmsg(dev, tb);
+	if (err < 0)
+		return err;
+
 	if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
 		struct net *net = rtnl_link_get_net(dev_net(dev), tb);
 		if (IS_ERR(net)) {
@@ -1747,10 +1751,6 @@ static int rtnl_setlink(struct sk_buff *
 		goto errout;
 	}
 
-	err = validate_linkmsg(dev, tb);
-	if (err < 0)
-		goto errout;
-
 	err = do_setlink(skb, dev, ifm, tb, ifname, 0);
 errout:
 	return err;
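
Review bot: Only the validate_linkmsg() call in rtnl_setlink() is removed here; any other caller of do_setlink() that still validates beforehand now runs the check twice, once with its own dev argument and once inside do_setlink(). That is harmless but worth auditing in the backport. The new early "return err" at the top of do_setlink() also deserves a short comment that validation lives there because, per the changelog, rtnl_group_changelink() reaches do_setlink() after a validate_linkmsg() call made with dev = NULL.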



* [PATCH 3.16 069/366] powerpc/ptrace: Fix enforcement of DAWR constraints
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (335 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 215/366] ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 347/366] arm64: use linux/types.h in kvm.h Ben Hutchings
                   ` (29 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Michael Neuling

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.

Back when we first introduced the DAWR, in commit 4ae7ebe9522a
("powerpc: Change hardware breakpoint to allow longer ranges"), we
screwed up the constraint making it a 1024 byte boundary rather than a
512. This makes the check overly permissive. Fortunately GDB is the
only real user and it always did the right thing, so we never
noticed.

This fixes the constraint to 512 bytes.

Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/hw_breakpoint.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/hw_breakpoint.c
+++ b/arch/powerpc/kernel/hw_breakpoint.c
@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct
 	if (cpu_has_feature(CPU_FTR_DAWR)) {
 		length_max = 512 ; /* 64 doublewords */
 		/* DAWR region can't cross 512 boundary */
-		if ((bp->attr.bp_addr >> 10) != 
-		    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
+		if ((bp->attr.bp_addr >> 9) !=
+		    ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
 			return -EINVAL;
 	}
 	if (info->len >
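
Review bot: The shift count 9 in the boundary test, the literal 512 in length_max and the 512 in the comment are three separate spellings of one hardware limit, which is how ">> 10" went unnoticed; derive the test from a single constant, for example by masking (start ^ last) with ~(length_max - 1), or add one named define used for both. The expression bp_addr + bp_len - 1 also wraps below bp_addr when bp_len is 0, so confirm that a zero length is rejected before this point.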


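The boundary check corrected by the DAWR patch above, as an added example that is not part of the posted patch or the kernel source: a user-space C model that runs the same comparison with shift 10 and shift 9 and counts the ranges the old value let through. The function names, the constant name and the rejection of zero-length ranges are assumptions of this model.

```c
/* Added example (not kernel code): user-space model of the DAWR range check. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DAWR_LENGTH_MAX 512u /* 64 doublewords, as in the hunk's comment */

/*
 * The comparison from the hunk with the shift left as a parameter:
 * 10 is the pre-fix value, 9 the fixed one. Returns 0 or -EINVAL.
 */
static int validate_with_shift(uint64_t addr, uint64_t len, unsigned int shift)
{
	/* Assumption of this model: empty and over-long ranges are rejected. */
	if (len == 0 || len > DAWR_LENGTH_MAX)
		return -EINVAL;
	if ((addr >> shift) != ((addr + len - 1) >> shift))
		return -EINVAL;
	return 0;
}

/*
 * Same test with the window derived from DAWR_LENGTH_MAX, so the length
 * limit and the boundary cannot drift apart.
 */
static int validate_with_mask(uint64_t addr, uint64_t len)
{
	uint64_t last;

	if (len == 0 || len > DAWR_LENGTH_MAX)
		return -EINVAL;
	last = addr + len - 1;
	/* Any differing bit above the low 9 means two different 512-byte windows. */
	if ((addr ^ last) & ~(uint64_t)(DAWR_LENGTH_MAX - 1))
		return -EINVAL;
	return 0;
}

/*
 * Sweeps every start offset and length inside one 1024-byte-aligned block
 * and counts ranges that shift 10 accepts although they straddle a
 * 512-byte boundary (that is, shift 9 rejects them).
 */
static unsigned long count_wrongly_accepted(uint64_t base)
{
	unsigned long n = 0;
	uint64_t off, len;

	for (off = 0; off < 1024; off++)
		for (len = 1; len <= DAWR_LENGTH_MAX; len++)
			if (validate_with_shift(base + off, len, 10) == 0 &&
			    validate_with_shift(base + off, len, 9) != 0)
				n++;
	return n;
}

/* Returns 1 when the mask form agrees with shift 9 on every swept range. */
static int mask_matches_fixed_shift(uint64_t base)
{
	uint64_t off, len;

	for (off = 0; off < 1024; off++)
		for (len = 1; len <= DAWR_LENGTH_MAX; len++)
			if (validate_with_mask(base + off, len) !=
			    validate_with_shift(base + off, len, 9))
				return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample: 16 bytes starting 8 bytes below a 512-byte boundary. */
	uint64_t addr = 0x11f8, len = 16;

	printf("shift 10: %d, shift 9: %d\n",
	       validate_with_shift(addr, len, 10),
	       validate_with_shift(addr, len, 9));
	printf("ranges accepted only by shift 10: %lu\n",
	       count_wrongly_accepted(0x1000));
	printf("mask form matches shift 9: %d\n",
	       mask_matches_fixed_shift(0x1000));
	return 0;
}
```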

* [PATCH 3.16 194/366] usb: cdc_acm: Add quirk for Uniden UBC125 scanner
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (339 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 312/366] packet: refine ring v3 block size test to hold one frame Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 343/366] net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics Ben Hutchings
                   ` (25 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oliver Neukum, Greg Kroah-Hartman, Houston Yaroschoff

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Houston Yaroschoff <hstn@4ever3.net>

commit 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 upstream.

Uniden UBC125 radio scanner has a USB interface which fails to work
with cdc_acm driver:
  usb 1-1.5: new full-speed USB device number 4 using xhci_hcd
  cdc_acm 1-1.5:1.0: Zero length descriptor references
  cdc_acm: probe of 1-1.5:1.0 failed with error -22

Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
  usb 1-4: new full-speed USB device number 15 using xhci_hcd
  usb 1-4: New USB device found, idVendor=1965, idProduct=0018
  usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
  usb 1-4: Product: UBC125XLT
  usb 1-4: Manufacturer: Uniden Corp.
  usb 1-4: SerialNumber: 0001
  cdc_acm 1-4:1.0: ttyACM0: USB ACM device

`lsusb -v` of the device:

  Bus 001 Device 015: ID 1965:0018 Uniden Corporation
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               2.00
    bDeviceClass            2 Communications
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0        64
    idVendor           0x1965 Uniden Corporation
    idProduct          0x0018
    bcdDevice            0.01
    iManufacturer           1 Uniden Corp.
    iProduct                2 UBC125XLT
    iSerial                 3 0001
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength           48
      bNumInterfaces          2
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0x80
        (Bus Powered)
      MaxPower              500mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           1
        bInterfaceClass         2 Communications
        bInterfaceSubClass      2 Abstract (modem)
        bInterfaceProtocol      0 None
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x87  EP 7 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0008  1x 8 bytes
          bInterval              10
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        1
        bAlternateSetting       0
        bNumEndpoints           2
        bInterfaceClass        10 CDC Data
        bInterfaceSubClass      0 Unused
        bInterfaceProtocol      0
        iInterface              0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x02  EP 2 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0040  1x 64 bytes
          bInterval               0
  Device Status:     0x0000
    (Bus Powered)

Signed-off-by: Houston Yaroschoff <hstn@4ever3.net>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1711,6 +1711,9 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
 	.driver_info = SINGLE_RX_URB,
 	},
+	{ USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
+	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+	},
 	{ USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
 	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
 	},


* [PATCH 3.16 145/366] ext4: include the illegal physical block in the bad map ext4_error msg
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit bdbd6ce01a70f02e9373a584d0ae9538dcf0a121 upstream.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -414,9 +414,9 @@ static int __check_block_validity(struct
 	if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
 				   map->m_len)) {
 		ext4_error_inode(inode, func, line, map->m_pblk,
-				 "lblock %lu mapped to illegal pblock "
+				 "lblock %lu mapped to illegal pblock %llu "
 				 "(length %d)", (unsigned long) map->m_lblk,
-				 map->m_len);
+				 map->m_pblk, map->m_len);
 		return -EIO;
 	}
 	return 0;
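Review bot: the new %llu argument map->m_pblk is passed without a cast, while map->m_lblk just before it gets an explicit (unsigned long) cast for %lu. Unless m_pblk is unsigned long long on every architecture, this varargs call is a format mismatch; an explicit (unsigned long long) cast would make it safe either way. The commit message also has no body: m_pblk is already the fourth argument to ext4_error_inode(), so one line saying why it is repeated in the format string would help stable reviewers.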


* [PATCH 3.16 188/366] batman-adv: Fix debugfs path for renamed softif
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 6da7be7d24b2921f8215473ba7552796dff05fe1 upstream.

batman-adv is creating special debugfs directories in the init
net_namespace for each created soft-interface (batadv net_device). But it
is possible to rename a net_device to a completely different name than the
original one.

It can therefore happen that a user registers a new batadv net_device with
the name "bat0". batman-adv is then also adding a new directory under
$debugfs/batman-adv/ with the name "wlan0".

The user then decides to rename this device to "bat1" and registers a
different batadv device with the name "bat0". batman-adv will then try to
create a directory with the name "bat0" under $debugfs/batman-adv/ again.
But there already exists one with this name under this path and thus this
fails. batman-adv will detect a problem and roll back the registering of
this device.

batman-adv must therefore take care of renaming the debugfs directories for
soft-interfaces whenever it detects such a net_device rename.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/debugfs.c        | 20 +++++++++++++++++++
 net/batman-adv/debugfs.h        |  5 +++++
 net/batman-adv/hard-interface.c | 34 +++++++++++++++++++++++++++------
 3 files changed, 53 insertions(+), 6 deletions(-)

--- a/net/batman-adv/debugfs.c
+++ b/net/batman-adv/debugfs.c
@@ -560,6 +560,26 @@ out:
 	return -ENOMEM;
 }
 
+/**
+ * batadv_debugfs_rename_meshif() - Fix debugfs path for renamed softif
+ * @dev: net_device which was renamed
+ */
+void batadv_debugfs_rename_meshif(struct net_device *dev)
+{
+	struct batadv_priv *bat_priv = netdev_priv(dev);
+	const char *name = dev->name;
+	struct dentry *dir;
+	struct dentry *d;
+
+	dir = bat_priv->debug_dir;
+	if (!dir)
+		return;
+
+	d = debugfs_rename(dir->d_parent, dir, dir->d_parent, name);
+	if (!d)
+		pr_err("Can't rename debugfs dir to %s\n", name);
+}
+
 void batadv_debugfs_del_meshif(struct net_device *dev)
 {
 	struct batadv_priv *bat_priv = netdev_priv(dev);
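Review bot: batadv_debugfs_rename_meshif() returns void and only calls pr_err() when debugfs_rename() returns NULL, so the caller cannot tell that the directory kept its old name. In that case the name collision described in the commit message can still happen on the next registration. Consider returning an int so the NETDEV_CHANGENAME handler can react, and include the old directory name in the message so the stale entry can be located.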
--- a/net/batman-adv/debugfs.h
+++ b/net/batman-adv/debugfs.h
@@ -25,6 +25,7 @@
 void batadv_debugfs_init(void);
 void batadv_debugfs_destroy(void);
 int batadv_debugfs_add_meshif(struct net_device *dev);
+void batadv_debugfs_rename_meshif(struct net_device *dev);
 void batadv_debugfs_del_meshif(struct net_device *dev);
 int batadv_debugfs_add_hardif(struct batadv_hard_iface *hard_iface);
 void batadv_debugfs_rename_hardif(struct batadv_hard_iface *hard_iface);
@@ -45,6 +46,10 @@ static inline int batadv_debugfs_add_mes
 	return 0;
 }
 
+static inline void batadv_debugfs_rename_meshif(struct net_device *dev)
+{
+}
+
 static inline void batadv_debugfs_del_meshif(struct net_device *dev)
 {
 }
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -640,6 +640,32 @@ void batadv_hardif_remove_interfaces(voi
 	rtnl_unlock();
 }
 
+/**
+ * batadv_hard_if_event_softif() - Handle events for soft interfaces
+ * @event: NETDEV_* event to handle
+ * @net_dev: net_device which generated an event
+ *
+ * Return: NOTIFY_* result
+ */
+static int batadv_hard_if_event_softif(unsigned long event,
+				       struct net_device *net_dev)
+{
+	struct batadv_priv *bat_priv;
+
+	switch (event) {
+	case NETDEV_REGISTER:
+		batadv_sysfs_add_meshif(net_dev);
+		bat_priv = netdev_priv(net_dev);
+		batadv_softif_create_vlan(bat_priv, BATADV_NO_FLAGS);
+		break;
+	case NETDEV_CHANGENAME:
+		batadv_debugfs_rename_meshif(net_dev);
+		break;
+	}
+
+	return NOTIFY_DONE;
+}
+
 static int batadv_hard_if_event(struct notifier_block *this,
 				unsigned long event, void *ptr)
 {
@@ -648,12 +674,8 @@ static int batadv_hard_if_event(struct n
 	struct batadv_hard_iface *primary_if = NULL;
 	struct batadv_priv *bat_priv;
 
-	if (batadv_softif_is_valid(net_dev) && event == NETDEV_REGISTER) {
-		batadv_sysfs_add_meshif(net_dev);
-		bat_priv = netdev_priv(net_dev);
-		batadv_softif_create_vlan(bat_priv, BATADV_NO_FLAGS);
-		return NOTIFY_DONE;
-	}
+	if (batadv_softif_is_valid(net_dev))
+		return batadv_hard_if_event_softif(event, net_dev);
 
 	hard_iface = batadv_hardif_get_by_netdev(net_dev);
 	if (!hard_iface && event == NETDEV_REGISTER)
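Review bot: the replacement at the top of batadv_hard_if_event() widens the early return. The removed code returned NOTIFY_DONE only when event == NETDEV_REGISTER on a valid soft interface; the new code returns for every event on a soft interface, so events other than REGISTER and CHANGENAME no longer reach batadv_hardif_get_by_netdev() below. If that is intended, the commit message should say so; otherwise return early only for the events batadv_hard_if_event_softif() actually handles.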


* [PATCH 3.16 110/366] IB/isert: fix T10-pi check mask setting
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Christoph Hellwig, Martin K. Petersen,
	Sagi Grimberg, Max Gurtovoy

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Gurtovoy <maxg@mellanox.com>

commit 0e12af84cdd3056460f928adc164f9e87f4b303b upstream.

A copy/paste bug (probably) caused setting of an app_tag check mask
in case where a ref_tag check was needed.

Fixes: 38a2d0d429f1 ("IB/isert: convert to the generic RDMA READ/WRITE API")
Fixes: 9e961ae73c2c ("IB/isert: Support T10-PI protected transactions")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2822,7 +2822,7 @@ static inline u8
 isert_set_prot_checks(u8 prot_checks)
 {
 	return (prot_checks & TARGET_DIF_CHECK_GUARD  ? 0xc0 : 0) |
-	       (prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x30 : 0) |
+	       (prot_checks & TARGET_DIF_CHECK_APPTAG ? 0x30 : 0) |
 	       (prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x0f : 0);
 }
 
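Review bot: the three masks in isert_set_prot_checks() (0xc0, 0x30, 0x0f) are still bare literals on near-identical lines, which is the pattern that let the wrong TARGET_DIF_CHECK_* flag go unnoticed on the 0x30 line. Named constants, or a short comment per line saying which tag each mask covers (guard, app tag, ref tag), would make a repeat of this copy/paste slip visible at review time.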


* [PATCH 3.16 217/366] ext4: check superblock mapped prior to committing
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Jon Derrick

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jon Derrick <jonathan.derrick@intel.com>

commit a17712c8e4be4fa5404d20e9cd3b2b21eae7bc56 upstream.

This patch attempts to close a hole leading to a BUG seen with hot
removals during writes [1].

A block device (NVME namespace in this test case) is formatted to EXT4
without partitions. It's mounted and write I/O is run to a file, then
the device is hot removed from the slot. The superblock attempts to be
written to the drive which is no longer present.

The typical chain of events leading to the BUG:
ext4_commit_super()
  __sync_dirty_buffer()
    submit_bh()
      submit_bh_wbc()
        BUG_ON(!buffer_mapped(bh));

This fix checks for the superblock's buffer head being mapped prior to
syncing.

[1] https://www.spinics.net/lists/linux-ext4/msg56527.html

Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4653,6 +4653,14 @@ static int ext4_commit_super(struct supe
 
 	if (!sbh || block_device_ejected(sb))
 		return error;
+
+	/*
+	 * The superblock bh should be mapped, but it might not be if the
+	 * device was hot-removed. Not much we can do but fail the I/O.
+	 */
+	if (!buffer_mapped(sbh))
+		return error;
+
 	/*
 	 * If the file system is mounted read-only, don't update the
 	 * superblock write time.  This avoids updating the superblock
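Review bot: the added !buffer_mapped(sbh) branch returns error, and its comment says the I/O is failed, but nothing in the visible lines sets error before this point. If error still holds its initial value here, the caller cannot distinguish a hot-removed device from a clean no-op. Consider returning an explicit errno such as -EIO, or state in the comment why the existing value is correct, since the !sbh || block_device_ejected(sb) branch above has the same shape.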


* [PATCH 3.16 118/366] net: metrics: add proper netlink validation
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, David Ahern, David S. Miller, syzbot

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53 upstream.

Before using nla_get_u32(), better make sure the attribute
is of the proper size.

Code recently was changed, but bug has been there from beginning
of git.

BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
 rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
 fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
 rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
 fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
 inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
 fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
 fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
 fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
 inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Metrics are parsed in fib_create_info()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -862,6 +862,8 @@ struct fib_info *fib_create_info(struct
 
 				if (type > RTAX_MAX)
 					goto err_inval;
+				if (nla_len(nla) != sizeof(u32))
+					goto err_inval;
 				val = nla_get_u32(nla);
 				if (type == RTAX_ADVMSS && val > 65535 - 40)
 					val = 65535 - 40;
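Review bot: the nla_len(nla) != sizeof(u32) check is added only to the IPv4 path in fib_create_info(), and the backport note does not say whether that is the only place 3.16 reads a metrics attribute with nla_get_u32(). Since the KMSAN report shows the uninitialised value coming from a user-supplied netlink message, the note should state that the other 3.16 metrics parsers were checked, or list them as follow-ups. The mail also goes from "---" straight to the diff with no diffstat, unlike the rest of the series.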


* [PATCH 3.16 142/366] cfg80211: initialize sinfo in cfg80211_get_station
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, b.a.t.m.a.n, Sven Eckelmann, Marcel Schmidt, Johannes Berg,
	Thomas Lauer

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 3c12d0486856b9eb89c2a9ac336713cba90813e3 upstream.

Most of the implementations behind cfg80211_get_station will not initialize
sinfo to zero before manipulating it. For example, the member "filled",
which indicates the filled in parts of this struct, is often only modified
by enabling certain bits in the bitfield while keeping the remaining bits
in their original state. A caller without a preinitialized sinfo.filled can
then no longer decide which parts of sinfo were filled in by
cfg80211_get_station (or actually the underlying implementations).

cfg80211_get_station must therefore take care that sinfo is initialized to
zero. Otherwise, the caller may try to read information which was not
filled in and which must therefore also be considered uninitialized. In
batadv_v_elp_get_throughput's case, an invalid "random" expected throughput
may be stored for this neighbor and thus the B.A.T.M.A.N V algorithm may
switch to non-optimal neighbors for certain destinations.

Fixes: 7406353d43c8 ("cfg80211: implement cfg80211_get_station cfg80211 API")
Reported-by: Thomas Lauer <holminateur@gmail.com>
Reported-by: Marcel Schmidt <ff.z-casparistrasse@mailbox.org>
Cc: b.a.t.m.a.n@lists.open-mesh.org
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/util.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1566,6 +1566,8 @@ int cfg80211_get_station(struct net_devi
 	if (!rdev->ops->get_station)
 		return -EOPNOTSUPP;
 
+	memset(sinfo, 0, sizeof(*sinfo));
+
 	return rdev_get_station(rdev, dev, mac_addr, sinfo);
 }
 EXPORT_SYMBOL(cfg80211_get_station);
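Review bot: the memset() is placed after the !rdev->ops->get_station check, so on the -EOPNOTSUPP return sinfo is still left untouched. A caller that inspects sinfo->filled without first checking the return value would read the same uninitialised data the commit message describes. Moving the memset() ahead of the early returns in cfg80211_get_station() would give callers a zeroed struct on every path.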


* [PATCH 3.16 209/366] n_tty: Fix stall at n_tty_receive_char_special().
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Hurley, Tetsuo Handa, syzbot, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream.

syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
because comparison is not working as expected since ldata->read_head can
change at any moment. Mitigate this by explicitly masking with buffer size
when checking condition for "while" loops.

[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size")
Cc: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_tty.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -127,6 +127,8 @@ struct n_tty_data {
 	struct mutex output_lock;
 };
 
+#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
+
 static inline size_t read_cnt(struct n_tty_data *ldata)
 {
 	return ldata->read_head - ldata->read_tail;
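Review bot: MASK() is a very generic name for a file-scope macro and its correctness depends on N_TTY_BUF_SIZE being a power of two, which the definition does not state. A name tied to the buffer (or a one-line comment above the #define giving that assumption) would make the macro safer to reuse and harder to collide with other headers.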
@@ -1032,14 +1034,15 @@ static void eraser(unsigned char c, stru
 	}
 
 	seen_alnums = 0;
-	while (ldata->read_head != ldata->canon_head) {
+	while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
 		head = ldata->read_head;
 
 		/* erase a single possibly multibyte character */
 		do {
 			head--;
 			c = read_buf(ldata, head);
-		} while (is_continuation(c, tty) && head != ldata->canon_head);
+		} while (is_continuation(c, tty) &&
+			 MASK(head) != MASK(ldata->canon_head));
 
 		/* do not partially erase */
 		if (is_continuation(c, tty))
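Review bot: in the outer loop of eraser(), ldata->read_head is read once in the new MASK() condition and then again in head = ldata->read_head on the next line. The commit message says read_head can change at any moment, so the two reads may disagree and the masked comparison only narrows the window. Taking one snapshot of read_head per iteration and using it for both the condition and head would make the loop bound consistent.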
@@ -1081,7 +1084,7 @@ static void eraser(unsigned char c, stru
 				 * This info is used to go back the correct
 				 * number of columns.
 				 */
-				while (tail != ldata->canon_head) {
+				while (MASK(tail) != MASK(ldata->canon_head)) {
 					tail--;
 					c = read_buf(ldata, tail);
 					if (c == '\t') {
@@ -1341,7 +1344,7 @@ n_tty_receive_char_special(struct tty_st
 			finish_erasing(ldata);
 			echo_char(c, tty);
 			echo_char_raw('\n', ldata);
-			while (tail != ldata->read_head) {
+			while (MASK(tail) != MASK(ldata->read_head)) {
 				echo_char(read_buf(ldata, tail), tty);
 				tail++;
 			}
@@ -2506,7 +2509,7 @@ static unsigned long inq_canon(struct n_
 	tail = ldata->read_tail;
 	nr = head - tail;
 	/* Skip EOF-chars.. */
-	while (head != tail) {
+	while (MASK(head) != MASK(tail)) {
 		if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
 		    read_buf(ldata, tail) == __DISABLED_CHAR)
 			nr--;
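Review bot: inside the loop in inq_canon(), test_bit() still uses the open-coded tail & (N_TTY_BUF_SIZE - 1) while the loop condition one line above now uses MASK(). Using MASK(tail) there as well would keep the wrap logic in one place.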


* [PATCH 3.16 265/366] x86/MCE: Remove min interval polling limitation
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dewet Thibaut, Tony Luck, Thomas Gleixner, linux-edac,
	Alexander Sverdlin, Borislav Petkov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dewet Thibaut <thibaut.dewet@nokia.com>

commit fbdb328c6bae0a7c78d75734a738b66b86dffc96 upstream.

commit b3b7c4795c ("x86/MCE: Serialize sysfs changes") introduced a min
interval limitation when setting the check interval for polled MCEs.
However, the logic is that 0 disables polling for corrected MCEs, see
Documentation/x86/x86_64/machinecheck. The limitation prevents disabling.

Remove this limitation and allow the value 0 to disable polling again.

Fixes: b3b7c4795c ("x86/MCE: Serialize sysfs changes")
Signed-off-by: Dewet Thibaut <thibaut.dewet@nokia.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
[ Massage commit message. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20180716084927.24869-1-alexander.sverdlin@nokia.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/mcheck/mce.c | 3 ---
 1 file changed, 3 deletions(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -2260,9 +2260,6 @@ static ssize_t store_int_with_restart(st
 	if (check_interval == old_check_interval)
 		return ret;
 
-	if (check_interval < 1)
-		check_interval = 1;
-
 	mutex_lock(&mce_sysfs_mutex);
 	mce_restart();
 	mutex_unlock(&mce_sysfs_mutex);
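Review bot: the removed check_interval < 1 clamp in store_int_with_restart() also caught negative values, not only 0. With it gone, a negative value written through sysfs reaches mce_restart() unchanged. The commit message only argues for allowing 0, so consider keeping a check that rejects check_interval < 0 (for example with -EINVAL) while letting 0 through.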


* [PATCH 3.16 105/366] RDMA/mlx4: Discard unknown SQP work requests
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Doug Ledford

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream.

There is no need to crash the machine if unknown work request was
received in SQP MAD.

Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/mad.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1748,7 +1748,6 @@ static void mlx4_ib_sqp_comp_worker(stru
 					       "buf:%lld\n", wc.wr_id);
 				break;
 			default:
-				BUG_ON(1);
 				break;
 			}
 		} else  {
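Review bot: with BUG_ON(1) removed, the default case in mlx4_ib_sqp_comp_worker() discards an unknown work request with no trace at all. A rate-limited warning or debug message that prints the unexpected opcode, in the style of the message in the case above, would keep the condition observable without crashing the machine.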


* [PATCH 3.16 189/366] batman-adv: Avoid storing non-TT-sync flags on singular entries too
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Linus Lüssing, Simon Wunderlich

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <linus.luessing@c0d3.blue>

commit 4a519b83da16927fb98fd32b0f598e639d1f1859 upstream.

Since commit 54e22f265e87 ("batman-adv: fix TT sync flag inconsistencies")
TT sync flags and TT non-sync'd flags are supposed to be stored
separately.

The previous patch missed to apply this separation on a TT entry with
only a single TT orig entry.

This is a minor fix because with only a single TT orig entry the DDoS
issue the former patch solves does not apply.

Fixes: 54e22f265e87 ("batman-adv: fix TT sync flag inconsistencies")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1378,7 +1378,8 @@ static bool batadv_tt_global_add(struct
 		ether_addr_copy(common->addr, tt_addr);
 		common->vid = vid;
 
-		common->flags = flags;
+		common->flags = flags & (~BATADV_TT_SYNC_MASK);
+
 		tt_global_entry->roam_at = 0;
 		/* node must store current time in case of roaming. This is
 		 * needed to purge this entry out on timeout (if nobody claims
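Review bot: on the changed assignment to common->flags, the parentheses around ~BATADV_TT_SYNC_MASK are redundant and can be dropped. More importantly, this hunk only strips the sync bits from common->flags; the place where those bits are stored for the single orig entry is not in the visible context, so the commit message should point to it to show the sync flags are not simply lost on this path.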


* [PATCH 3.16 208/366] dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Vinod Koul

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit c4c2b7644cc9a41f17a8cc8904efe3f66ae4c7ed upstream.

The d->chans[] array has d->dma_requests elements so the > should be
>= here.

Fixes: 8e6152bc660e ("dmaengine: Add hisilicon k3 DMA engine driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/k3dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/dma/k3dma.c
+++ b/drivers/dma/k3dma.c
@@ -652,7 +652,7 @@ static struct dma_chan *k3_of_dma_simple
 	struct k3_dma_dev *d = ofdma->of_dma_data;
 	unsigned int request = dma_spec->args[0];
 
-	if (request > d->dma_requests)
+	if (request >= d->dma_requests)
 		return NULL;
 
 	return dma_get_slave_channel(&(d->chans[request].vc.chan));
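
Review bot: `request` is read from `dma_spec->args[0]` and the visible lines do not test `dma_spec->args_count` first; if the caller does not guarantee at least one cell, add that check beside the bound. The `>=` comparison itself is the right bound for a d->chans[] array of d->dma_requests elements, as the commit message states.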



* [PATCH 3.16 077/366] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (363 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 016/366] staging:iio:ade7854: Fix the wrong number of bits to read Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 128/366] video/omap: add module license tags Ben Hutchings
  2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.

We aren't checking to see if the in-inode extended attribute is
corrupted before we try to expand the inode's extra isize fields.

This can lead to potential crashes caused by the BUG_ON() check in
ext4_xattr_shift_entries().

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: s/EFSCORRUPTED/EIO/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/xattr.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -243,6 +243,27 @@ ext4_xattr_check_block(struct inode *ino
 	return error;
 }
 
+static int
+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
+			 void *end, const char *function, unsigned int line)
+{
+	struct ext4_xattr_entry *entry = IFIRST(header);
+	int error = -EIO;
+
+	if (((void *) header >= end) ||
+	    (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
+		goto errout;
+	error = ext4_xattr_check_names(entry, end, entry);
+errout:
+	if (error)
+		__ext4_error_inode(inode, function, line, 0,
+				   "corrupted in-inode xattr");
+	return error;
+}
+
+#define xattr_check_inode(inode, header, end) \
+	__xattr_check_inode((inode), (header), (end), __func__, __LINE__)
+
 static inline int
 ext4_xattr_check_entry(struct ext4_xattr_entry *entry, size_t size)
 {
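
Review bot: in __xattr_check_inode() the test `(void *) header >= end` only rejects a header that starts at or past `end`; a header that starts just before `end` still has `h_magic` read beyond the inode, so compare the space remaining before `end` against `sizeof(*header)` instead. The magic comparison also applies `le32_to_cpu()` to the constant where `cpu_to_le32(EXT4_XATTR_MAGIC)` is meant; the result is the same on either endianness, but the annotation is wrong for sparse.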
@@ -368,7 +389,7 @@ ext4_xattr_ibody_get(struct inode *inode
 	header = IHDR(inode, raw_inode);
 	entry = IFIRST(header);
 	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
-	error = ext4_xattr_check_names(entry, end, entry);
+	error = xattr_check_inode(inode, header, end);
 	if (error)
 		goto cleanup;
 	error = xattr_find_entry(inode, &entry, end, name_index, name,
@@ -506,7 +527,7 @@ ext4_xattr_ibody_list(struct dentry *den
 	raw_inode = ext4_raw_inode(&iloc);
 	header = IHDR(inode, raw_inode);
 	end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
-	error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
+	error = xattr_check_inode(inode, header, end);
 	if (error)
 		goto cleanup;
 	error = ext4_xattr_list_entries(dentry, IFIRST(header),
@@ -1038,8 +1059,7 @@ int ext4_xattr_ibody_find(struct inode *
 	is->s.here = is->s.first;
 	is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
 	if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
-		error = ext4_xattr_check_names(IFIRST(header), is->s.end,
-					       IFIRST(header));
+		error = xattr_check_inode(inode, header, is->s.end);
 		if (error)
 			return error;
 		/* Find the named attribute. */
@@ -1319,6 +1339,10 @@ retry:
 	last = entry;
 	total_ino = sizeof(struct ext4_xattr_ibody_header);
 
+	error = xattr_check_inode(inode, header, end);
+	if (error)
+		goto cleanup;
+
 	free = ext4_xattr_free_space(last, &min_offs, base, &total_ino);
 	if (free >= new_extra_isize) {
 		entry = IFIRST(header);
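
Review bot: this call to xattr_check_inode() is not guarded by `ext4_test_inode_state(inode, EXT4_STATE_XATTR)` the way the call in ext4_xattr_ibody_find() is, and the new helper returns -EIO whenever `h_magic` is not EXT4_XATTR_MAGIC. Confirm that an inode with no in-inode xattrs cannot reach this point, or skip the check in that case, so that expanding such an inode is not reported as corruption.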



* [PATCH 3.16 050/366] 1wire: family module autoload fails because of upper/lower case mismatch.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 283/366] can: xilinx_can: fix recovery from error states not being propagated Ben Hutchings
                   ` (253 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Evgeniy Polyakov, Ingo Flaschberger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ingo Flaschberger <ingo.flaschberger@gmail.com>

commit 065c09563c872e52813a17218c52cd642be1dca6 upstream.

1wire family module autoload fails because of upper/lower
  case mismatch.

Signed-off-by: Ingo Flaschberger <ingo.flaschberger@gmail.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/w1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -727,7 +727,7 @@ int w1_attach_slave_device(struct w1_mas
 
 	/* slave modules need to be loaded in a context with unlocked mutex */
 	mutex_unlock(&dev->mutex);
-	request_module("w1-family-0x%02x", rn->family);
+	request_module("w1-family-0x%02X", rn->family);
 	mutex_lock(&dev->mutex);
 
 	spin_lock(&w1_flock);
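
Review bot: the format string in `request_module("w1-family-0x%02X", rn->family)` has to match the alias strings of the family modules character for character, and nothing next to the call says so. A short comment naming the alias format would keep the two from drifting apart again; the change only affects family codes that contain a hex digit a-f.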



* [PATCH 3.16 084/366] IB/qib: Fix DMA api warning with debug kernel
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (329 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 062/366] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Ben Hutchings
                   ` (35 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Doug Ledford, Don Dutile, Alex Estrin, Mike Marciniszyn,
	Dennis Dalessandro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.

The following error occurs in a debug build when running MPI PSM:

[  307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
check_unmap+0x4ee/0xa20
[  307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
[  307.517494] Modules linked in:
[  307.531584]  ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
[  307.846113]  pps_core dm_mirror dm_region_hash dm_log dm_mod
[  307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
tainted 3.10.0-862.el7.x86_64.debug #1
[  307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
[  307.944206] Call Trace:
[  307.956973]  [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
[  307.982201]  [<ffffffffbd2a2f58>] __warn+0xd8/0x100
[  308.005999]  [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
[  308.034260]  [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
[  308.060801]  [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
[  308.090689]  [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
[  308.120155]  [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
[  308.146656]  [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
[  308.180739]  [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
[  308.210733]  [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
[  308.244837]  [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
[  308.266025] qib_ib0.8006: multicast join failed for
ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
[  308.323421]  [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
[  308.347077]  [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
[  308.372533]  [<ffffffffbd47045a>] SyS_write+0x8a/0x100
[  308.396456]  [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21

The code calls a qib_map_page() which has never correctly tested for a
mapping error.

Fix by testing for pci_dma_mapping_error() in all cases and properly
handling the failure in the caller.

Additionally, streamline qib_map_page() arguments to satisfy just
the single caller.

Reviewed-by: Alex Estrin <alex.estrin@intel.com>
Tested-by: Don Dutile <ddutile@redhat.com>
Reviewed-by: Don Dutile <ddutile@redhat.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/qib/qib.h            |  3 +--
 drivers/infiniband/hw/qib/qib_file_ops.c   | 10 +++++++---
 drivers/infiniband/hw/qib/qib_user_pages.c | 20 ++++++++++++--------
 3 files changed, 20 insertions(+), 13 deletions(-)

--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1452,8 +1452,7 @@ u64 qib_sps_ints(void);
 /*
  * dma_addr wrappers - all 0's invalid for hw
  */
-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
-			  size_t, int);
+int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
 const char *qib_get_unit_name(int unit);
 
 /*
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -359,6 +359,8 @@ static int qib_tid_update(struct qib_ctx
 		goto done;
 	}
 	for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
+		dma_addr_t daddr;
+
 		for (; ntids--; tid++) {
 			if (tid == tidcnt)
 				tid = 0;
@@ -375,12 +377,14 @@ static int qib_tid_update(struct qib_ctx
 			ret = -ENOMEM;
 			break;
 		}
+		ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
+		if (ret)
+			break;
+
 		tidlist[i] = tid + tidoff;
 		/* we "know" system pages and TID pages are same size */
 		dd->pageshadow[ctxttid + tid] = pagep[i];
-		dd->physshadow[ctxttid + tid] =
-			qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
-				     PCI_DMA_FROMDEVICE);
+		dd->physshadow[ctxttid + tid] = daddr;
 		/*
 		 * don't need atomic or it's overhead
 		 */
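
Review bot: when qib_map_page() fails, the loop now leaves through `break` with `pagep[i]` not yet stored in `dd->pageshadow[]`. The cleanup that follows the loop is not part of this hunk, so check that it releases the entries of `pagep[]` that were never recorded as well as the TIDs that were already set up.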
--- a/drivers/infiniband/hw/qib/qib_user_pages.c
+++ b/drivers/infiniband/hw/qib/qib_user_pages.c
@@ -98,23 +98,27 @@ bail:
  *
  * I'm sure we won't be so lucky with other iommu's, so FIXME.
  */
-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
-			unsigned long offset, size_t size, int direction)
+int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
 {
 	dma_addr_t phys;
 
-	phys = pci_map_page(hwdev, page, offset, size, direction);
+	phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+	if (pci_dma_mapping_error(hwdev, phys))
+		return -ENOMEM;
 
-	if (phys == 0) {
-		pci_unmap_page(hwdev, phys, size, direction);
-		phys = pci_map_page(hwdev, page, offset, size, direction);
+	if (!phys) {
+		pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
+		phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
+				    PCI_DMA_FROMDEVICE);
+		if (pci_dma_mapping_error(hwdev, phys))
+			return -ENOMEM;
 		/*
 		 * FIXME: If we get 0 again, we should keep this page,
 		 * map another, then free the 0 page.
 		 */
 	}
-
-	return phys;
+	*daddr = phys;
+	return 0;
 }
 
 /**
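
Review bot: in the `if (!phys)` branch the second pci_map_page() result is checked for a mapping error but not for being 0 again, so qib_map_page() can still return success with `*daddr` set to 0, which the comment in qib.h calls invalid for the hardware. The FIXME already describes this case; returning an error there would be safer than handing 0 to the caller.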



* [PATCH 3.16 139/366] l2tp: only accept PPP sessions in pppol2tp_connect()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (206 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 305/366] netlink: Don't shift with UB on nlk->ngroups Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard Ben Hutchings
                   ` (158 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658 upstream.

l2tp_session_priv() returns a struct pppol2tp_session pointer only for
PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
structure, which is much smaller than struct pppol2tp_session. This
leads to invalid memory dereference when trying to lock ps->sk_lock.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -756,6 +756,12 @@ static int pppol2tp_connect(struct socke
 	session = l2tp_session_get(sock_net(sk), tunnel, session_id, false);
 	if (session) {
 		drop_refcnt = true;
+
+		if (session->pwtype != L2TP_PWTYPE_PPP) {
+			error = -EPROTOTYPE;
+			goto end;
+		}
+
 		ps = l2tp_session_priv(session);
 
 		/* Using a pre-existing session is fine as long as it hasn't
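
Review bot: the `pwtype` check has no comment explaining that l2tp_session_priv() only yields a struct pppol2tp_session for L2TP_PWTYPE_PPP sessions, which is the reason it must come before `ps = l2tp_session_priv(session)`. Add one line above the `if`. The placement after `drop_refcnt = true` looks deliberate, so that the `end` path can still release the reference taken by l2tp_session_get().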



* [PATCH 3.16 089/366] Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (277 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() Ben Hutchings
                   ` (87 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Omar Sandoval, David Sterba, Nikolay Borisov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit 0552210997badb6a60740a26ff9d976a416510f0 upstream.

btrfs_free_extent() can fail because of ENOMEM. There's no reason to
panic here, we can just abort the transaction.

Fixes: f4b9aa8d3b87 ("btrfs_truncate")
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Also pass root to btrfs_abort_transaction()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4313,7 +4313,10 @@ delete:
 						extent_num_bytes, 0,
 						btrfs_header_owner(leaf),
 						ino, extent_offset, 0);
-			BUG_ON(ret);
+			if (ret) {
+				btrfs_abort_transaction(trans, root, ret);
+				break;
+			}
 		}
 
 		if (found_type == BTRFS_INODE_ITEM_KEY)
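
Review bot: after `btrfs_abort_transaction(trans, root, ret)` the `break` leaves the loop with the error in `ret`, and the code after the loop is not part of this hunk. Check that nothing there assigns `ret` again before the function returns, otherwise the caller sees success for an aborted transaction.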



* [PATCH 3.16 090/366] Btrfs: don't return ino to ino cache if inode item removal fails
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (153 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 040/366] powerpc/lib: Fix feature fixup test of external branch Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 003/366] staging: vt6656: Fix misleading indentation Ben Hutchings
                   ` (211 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Josef Bacik, David Sterba, Omar Sandoval

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit c08db7d8d295a4f3a10faaca376de011afff7950 upstream.

In btrfs_evict_inode(), if btrfs_truncate_inode_items() fails, the inode
item will still be in the tree but we still return the ino to the ino
cache. That will blow up later when someone tries to allocate that ino,
so don't return it to the cache.

Fixes: 581bb050941b ("Btrfs: Cache free inode numbers in memory")
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Pass inode, not btrfs_inode, to btrfs_orphan_del()
 - Pass btrfs_root, not btrfs_fs_info, to btrfs_free_block_rsv()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4908,13 +4908,18 @@ void btrfs_evict_inode(struct inode *ino
 		trans->block_rsv = rsv;
 
 		ret = btrfs_truncate_inode_items(trans, root, inode, 0, 0);
-		if (ret != -ENOSPC)
+		if (ret) {
+			trans->block_rsv = &root->fs_info->trans_block_rsv;
+			btrfs_end_transaction(trans, root);
+			btrfs_btree_balance_dirty(root);
+			if (ret != -ENOSPC) {
+				btrfs_orphan_del(NULL, inode);
+				btrfs_free_block_rsv(root, rsv);
+				goto no_delete;
+			}
+		} else {
 			break;
-
-		trans->block_rsv = &root->fs_info->trans_block_rsv;
-		btrfs_end_transaction(trans, root);
-		trans = NULL;
-		btrfs_btree_balance_dirty(root);
+		}
 	}
 
 	btrfs_free_block_rsv(root, rsv);
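
Review bot: the removed `trans = NULL;` is not replaced, so after `btrfs_end_transaction(trans, root)` the pointer is stale both on the -ENOSPC retry and on the `goto no_delete` path. Keep the reset after ending the transaction unless every later use reassigns `trans` first.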
@@ -4923,12 +4928,8 @@ void btrfs_evict_inode(struct inode *ino
 	 * Errors here aren't a big deal, it just means we leave orphan items
 	 * in the tree.  They will be cleaned up on the next mount.
 	 */
-	if (ret == 0) {
-		trans->block_rsv = root->orphan_block_rsv;
-		btrfs_orphan_del(trans, inode);
-	} else {
-		btrfs_orphan_del(NULL, inode);
-	}
+	trans->block_rsv = root->orphan_block_rsv;
+	btrfs_orphan_del(trans, inode);
 
 	trans->block_rsv = &root->fs_info->trans_block_rsv;
 	if (!(root == root->fs_info->tree_root ||



* [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 325/366] ceph: use lookup request to revalidate dentry Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 193/366] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Ben Hutchings
                   ` (82 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Evgeniy Polyakov, Stefan Potyra, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Potyra <Stefan.Potyra@elektrobit.com>

commit 955bc61328dc0a297fb3baccd84e9d3aee501ed8 upstream.

According to the API, you may only call clk_get_rate() after actually
enabling it.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31")
Signed-off-by: Stefan Potyra <Stefan.Potyra@elektrobit.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/masters/mxc_w1.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/drivers/w1/masters/mxc_w1.c
+++ b/drivers/w1/masters/mxc_w1.c
@@ -111,6 +111,10 @@ static int mxc_w1_probe(struct platform_
 	if (IS_ERR(mdev->clk))
 		return PTR_ERR(mdev->clk);
 
+	err = clk_prepare_enable(mdev->clk);
+	if (err)
+		return err;
+
 	clkrate = clk_get_rate(mdev->clk);
 	if (clkrate < 10000000)
 		dev_warn(&pdev->dev,
@@ -124,12 +128,10 @@ static int mxc_w1_probe(struct platform_
 
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	mdev->regs = devm_ioremap_resource(&pdev->dev, res);
-	if (IS_ERR(mdev->regs))
-		return PTR_ERR(mdev->regs);
-
-	err = clk_prepare_enable(mdev->clk);
-	if (err)
-		return err;
+	if (IS_ERR(mdev->regs)) {
+		err = PTR_ERR(mdev->regs);
+		goto out_disable_clk;
+	}
 
 	writeb(clkdiv - 1, mdev->regs + MXC_W1_TIME_DIVIDER);
 
@@ -141,8 +143,12 @@ static int mxc_w1_probe(struct platform_
 
 	err = w1_add_master_device(&mdev->bus_master);
 	if (err)
-		clk_disable_unprepare(mdev->clk);
+		goto out_disable_clk;
+
+	return 0;
 
+out_disable_clk:
+	clk_disable_unprepare(mdev->clk);
 	return err;
 }
 



* [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Ben Hutchings
                   ` (201 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rafael J . Wysocki, Hans de Goede, Thierry Reding

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70 upstream.

The LPSS PWM device on Bay Trail and Cherry Trail devices has a set
of private registers at offset 0x800, the current lpss_device_desc for
them already sets the LPSS_SAVE_CTX flag to have these saved/restored
over device-suspend, but the current lpss_device_desc was not setting
the prv_offset field, leading to the regular device registers getting
saved/restored instead.

This is causing the PWM controller to no longer work, resulting in a black
screen, after a suspend/resume on systems where the firmware clears the
APB clock and reset bits at offset 0x804.

This commit fixes this by properly setting prv_offset to 0x800 for
the PWM devices.

Fixes: e1c748179754 ("ACPI / LPSS: Add Intel BayTrail ACPI mode PWM")
Fixes: 1bfbd8eb8a7f ("ACPI / LPSS: Add ACPI IDs for Intel Braswell")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Rafael J . Wysocki <rjw@rjwysocki.net>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
[bwh: Backported to 3.16:
 - Drop changes for Braswell
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -150,6 +150,7 @@ static struct lpss_shared_clock pwm_cloc
 
 static struct lpss_device_desc byt_pwm_dev_desc = {
 	.clk_required = true,
+	.prv_offset = 0x800,
 	.save_ctx = true,
 	.shared_clock = &pwm_clock,
 };



* [PATCH 3.16 123/366] bnx2x: use the right constant
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 316/366] fix __legitimize_mnt()/mntput() race Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 046/366] ext4: do not update s_last_mounted of a frozen fs Ben Hutchings
                   ` (139 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Julia Lawall

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julia Lawall <Julia.Lawall@lip6.fr>

commit dd612f18a49b63af8b3a5f572d999bdb197385bc upstream.

Nearby code that also tests port suggests that the P0 constant should be
used when port is zero.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression e,e1;
@@

* e ? e1 : e1
// </smpl>

Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -581,7 +581,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
 	 * slots for the highest priority.
 	 */
 	REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
-		   NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+		   NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
 	/* Mapping between the CREDIT_WEIGHT registers and actual client
 	 * numbers
 	 */



* [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (318 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 020/366] pinctrl: samsung: Correct EINTG banks order Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 271/366] scsi: qla2xxx: Return error when TMF returns Ben Hutchings
                   ` (46 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Suzuki K Poulose, Andrea Arcangeli, Linus Torvalds,
	Mike Rapoport, Arvind Yadav, Jia He, Claudio Imbrenda,
	Minchan Kim, Jia He

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia He <jia.he@hxt-semitech.com>

commit 1105a2fc022f3c7482e32faf516e8bc44095f778 upstream.

In our armv8a server (QDF2400), I noticed lots of WARN_ON caused by
PAGE_SIZE unaligned for rmap_item->address under memory pressure
tests (start 20 guests and run memhog in the host).

  WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8
  CPU: 4 PID: 4641 Comm: memhog Tainted: G        W 4.17.0-rc3+ #8
  Call trace:
   kvm_age_hva_handler+0xc0/0xc8
   handle_hva_to_gpa+0xa8/0xe0
   kvm_age_hva+0x4c/0xe8
   kvm_mmu_notifier_clear_flush_young+0x54/0x98
   __mmu_notifier_clear_flush_young+0x6c/0xa0
   page_referenced_one+0x154/0x1d8
   rmap_walk_ksm+0x12c/0x1d0
   rmap_walk+0x94/0xa0
   page_referenced+0x194/0x1b0
   shrink_page_list+0x674/0xc28
   shrink_inactive_list+0x26c/0x5b8
   shrink_node_memcg+0x35c/0x620
   shrink_node+0x100/0x430
   do_try_to_free_pages+0xe0/0x3a8
   try_to_free_pages+0xe4/0x230
   __alloc_pages_nodemask+0x564/0xdc0
   alloc_pages_vma+0x90/0x228
   do_anonymous_page+0xc8/0x4d0
   __handle_mm_fault+0x4a0/0x508
   handle_mm_fault+0xf8/0x1b0
   do_page_fault+0x218/0x4b8
   do_translation_fault+0x90/0xa0
   do_mem_abort+0x68/0xf0
   el0_da+0x24/0x28

In rmap_walk_ksm, the rmap_item->address might still have the
STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be
PAGE_SIZE aligned.  Thus it will cause exceptions in handle_hva_to_gpa
on arm64.

This patch fixes it by ignoring (not removing) the low bits of address
when doing rmap_walk_ksm.

IMO, it should be backported to stable tree.  The storm of WARN_ONs is
very easy for me to reproduce.  More than that, I watched a panic (not
reproducible) as follows:

  page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0
  flags: 0x1fffc00000000000()
  raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000
  raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000
  page dumped because: nonzero _refcount
  CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1
  Hardware name: <snip for confidential issues>
  Call trace:
    dump_backtrace+0x0/0x22c
    show_stack+0x24/0x2c
    dump_stack+0x8c/0xb0
    bad_page+0xf4/0x154
    free_pages_check_bad+0x90/0x9c
    free_pcppages_bulk+0x464/0x518
    free_hot_cold_page+0x22c/0x300
    __put_page+0x54/0x60
    unmap_stage2_range+0x170/0x2b4
    kvm_unmap_hva_handler+0x30/0x40
    handle_hva_to_gpa+0xb0/0xec
    kvm_unmap_hva_range+0x5c/0xd0

I even injected a fault on purpose in kvm_unmap_hva_range by setting
size=size-0x200, the call trace is similar as above.  So I thought the
panic is similarly caused by the root cause of WARN_ON.

Andrea said:

: It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would
: zap those bits and hide the misalignment caused by the low metadata
: bits being erroneously left set in the address, but the arm code
: notices when that's the last page in the memslot and the hva_end is
: getting aligned and the size is below one page.
:
: I think the problem triggers in the addr += PAGE_SIZE of
: unmap_stage2_ptes that never matches end because end is aligned but
: addr is not.
:
: 	} while (pte++, addr += PAGE_SIZE, addr != end);
:
: x86 again only works on hva_start/hva_end after converting it to
: gfn_start/end and that being in pfn units the bits are zapped before
: they risk to cause trouble.

Jia He said:

: I've tested by myself in arm64 server (QDF2400,46 cpus,96G mem) Without
: this patch, the WARN_ON is very easy for reproducing.  After this patch, I
: have run the same benchmark for a whole day without any WARN_ONs

Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.com
Signed-off-by: Jia He <jia.he@hxt-semitech.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Tested-by: Jia He <hejianet@gmail.com>
Cc: Suzuki K Poulose <Suzuki.Poulose@arm.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/ksm.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -181,6 +181,8 @@ struct rmap_item {
 #define SEQNR_MASK	0x0ff	/* low bits of unstable tree seqnr */
 #define UNSTABLE_FLAG	0x100	/* is a node of the unstable tree */
 #define STABLE_FLAG	0x200	/* is listed from the stable tree */
+#define KSM_FLAG_MASK	(SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG)
+				/* to mask all the flags */
 
 /* The stable and unstable tree heads */
 static struct rb_root one_stable_tree[1] = { RB_ROOT };
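Review bot: KSM_FLAG_MASK is assembled from the three flag macros directly above it, so ~KSM_FLAG_MASK clears only the low 10 bits (0x3ff), and it recovers the real address only as long as every flag stays in that range and below the page size. Add a comment saying that any new flag must be added to this mask, or mask with PAGE_MASK at the use site and drop the new macro. The trailing comment on its own continuation line is also easy to misread as belonging to the next definition; placing it above the #define would be clearer.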
@@ -1919,10 +1921,15 @@ again:
 		anon_vma_lock_read(anon_vma);
 		anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
 					       0, ULONG_MAX) {
+			unsigned long addr;
+
 			cond_resched();
 			vma = vmac->vma;
-			if (rmap_item->address < vma->vm_start ||
-			    rmap_item->address >= vma->vm_end)
+
+			/* Ignore the stable/unstable/sqnr flags */
+			addr = rmap_item->address & ~KSM_FLAG_MASK;
+
+			if (addr < vma->vm_start || addr >= vma->vm_end)
 				continue;
 			/*
 			 * Initially we examine only the vma which covers this
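Review bot: addr is recomputed on every pass of anon_vma_interval_tree_foreach() although rmap_item is not modified anywhere in the loop lines shown; computing it once before the loop would make it obvious that the value is per rmap_item, not per vma, and would keep the declaration out of the loop body. The new comment also says "sqnr" where the macro is SEQNR_MASK; "seqnr" would match.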
@@ -1936,8 +1943,7 @@ again:
 			if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 				continue;
 
-			ret = rwc->rmap_one(page, vma,
-					rmap_item->address, rwc->arg);
+			ret = rwc->rmap_one(page, vma, addr, rwc->arg);
 			if (ret != SWAP_AGAIN) {
 				anon_vma_unlock_read(anon_vma);
 				goto out;



* [PATCH 3.16 058/366] ALSA: core: Assure control device to be registered at last
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 056/366] mfd: tps65911-comparator: Fix an off by one bug Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 092/366] media: uvcvideo: Support realtek's UVC 1.5 device Ben Hutchings
                   ` (288 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tzung-Bi Shih, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit dc82e52492f684dcd5ed9e4773e72dbf2203d75e upstream.

The commit 289ca025ee1d ("ALSA: Use priority list for managing device
list") changed the way to register/disconnect/free devices via a
single priority list.  This helped to make behavior consistent, but it
also changed a slight behavior change: namely, the control device is
registered earlier than others, while it was supposed to be the very
last one.

I've put SNDRV_DEV_CONTROL in the current position as the release of
ctl elements often conflict with the private ctl elements some PCM or
other components may create, which often leads to a double-free.
But, the order of register and disconnect should be indeed fixed as
expected in the early days: the control device gets registered at
last, and disconnected at first.

This patch changes the priority list order to move SNDRV_DEV_CONTROL
as the last guy to assure the register / disconnect order.  Meanwhile,
for keeping the messy resource release order, manually treat the
control and lowlevel devices as last freed one.

Additional note:
The lowlevel device is the device where a card driver creates at
probe.  And, we still keep the release order control -> lowlevel, as
there might be a link from a control element back to a lowlevel object.

Fixes: 289ca025ee1d ("ALSA: Use priority list for managing device list")
Reported-by: Tzung-Bi Shih <tzungbi@google.com>
Tested-by: Tzung-Bi Shih <tzungbi@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/sound/core.h | 2 +-
 sound/core/device.c  | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/include/sound/core.h
+++ b/include/sound/core.h
@@ -51,7 +51,6 @@ struct completion;
  */
 enum snd_device_type {
 	SNDRV_DEV_LOWLEVEL,
-	SNDRV_DEV_CONTROL,
 	SNDRV_DEV_INFO,
 	SNDRV_DEV_BUS,
 	SNDRV_DEV_CODEC,
@@ -62,6 +61,7 @@ enum snd_device_type {
 	SNDRV_DEV_SEQUENCER,
 	SNDRV_DEV_HWDEP,
 	SNDRV_DEV_JACK,
+	SNDRV_DEV_CONTROL,	/* NOTE: this must be the last one */
 };
 
 enum snd_device_state {
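Review bot: the ordering requirement on SNDRV_DEV_CONTROL is carried only by the comment "this must be the last one", so a type appended after it later would silently change the register and disconnect order again. The comment should say why (control is registered last and disconnected first), and a check in the list code against a sentinel value (for example a hypothetical SNDRV_DEV_LAST alias) would turn the rule into something enforced rather than documented.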
--- a/sound/core/device.c
+++ b/sound/core/device.c
@@ -219,6 +219,15 @@ void snd_device_free_all(struct snd_card
 
 	if (snd_BUG_ON(!card))
 		return;
+	list_for_each_entry_safe_reverse(dev, next, &card->devices, list) {
+		/* exception: free ctl and lowlevel stuff later */
+		if (dev->type == SNDRV_DEV_CONTROL ||
+		    dev->type == SNDRV_DEV_LOWLEVEL)
+			continue;
+		__snd_device_free(dev);
+	}
+
+	/* free all */
 	list_for_each_entry_safe_reverse(dev, next, &card->devices, list)
 		__snd_device_free(dev);
 }
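Review bot: the "free all" comment on the second loop is misleading after this change, because once the first pass has run only the control and lowlevel devices should remain; something like "free remaining ctl and lowlevel, in that order" would document the intent. The second pass is correct only if __snd_device_free() unlinks each entry from card->devices (its body is not part of this hunk), otherwise the devices freed in the first pass would be freed twice. The control-before-lowlevel order also relies on the list being sorted by the enum order changed in include/sound/core.h, which is worth stating in the comment.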



* [PATCH 3.16 227/366] smsc75xx: Add workaround for gigabit link up hardware errata.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 097/366] mtd: cfi_cmdset_0002: Change definition naming to retry write operation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 163/366] xen-netfront: fix locking in connect error path Ben Hutchings
                   ` (238 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Yuiko Oshino

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yuiko Oshino <yuiko.oshino@microchip.com>

commit d461e3da905332189aad546b2ad9adbe6071c7cc upstream.

In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state.

Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices")
Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/usb/smsc75xx.c | 62 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

--- a/drivers/net/usb/smsc75xx.c
+++ b/drivers/net/usb/smsc75xx.c
@@ -81,6 +81,9 @@ static bool turbo_mode = true;
 module_param(turbo_mode, bool, 0644);
 MODULE_PARM_DESC(turbo_mode, "Enable multiple frames per Rx transaction");
 
+static int smsc75xx_link_ok_nopm(struct usbnet *dev);
+static int smsc75xx_phy_gig_workaround(struct usbnet *dev);
+
 static int __must_check __smsc75xx_read_reg(struct usbnet *dev, u32 index,
 					    u32 *data, int in_pm)
 {
@@ -840,6 +843,9 @@ static int smsc75xx_phy_initialize(struc
 		return -EIO;
 	}
 
+	/* phy workaround for gig link */
+	smsc75xx_phy_gig_workaround(dev);
+
 	smsc75xx_mdio_write(dev->net, dev->mii.phy_id, MII_ADVERTISE,
 		ADVERTISE_ALL | ADVERTISE_CSMA | ADVERTISE_PAUSE_CAP |
 		ADVERTISE_PAUSE_ASYM);
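Review bot: the return value of smsc75xx_phy_gig_workaround(dev) is discarded here, although the function returns -EIO on either timeout and passes register access errors back. If the link-up wait times out, the function returns before the PHY reset, so the PHY is left with the loopback setting written to MII_BMCR while initialization carries on. Either check the result and fail smsc75xx_phy_initialize(), or add a comment explaining why continuing after a failed workaround is safe.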
@@ -977,6 +983,62 @@ static int smsc75xx_wait_ready(struct us
 	return -EIO;
 }
 
+static int smsc75xx_phy_gig_workaround(struct usbnet *dev)
+{
+	struct mii_if_info *mii = &dev->mii;
+	int ret = 0, timeout = 0;
+	u32 buf, link_up = 0;
+
+	/* Set the phy in Gig loopback */
+	smsc75xx_mdio_write(dev->net, mii->phy_id, MII_BMCR, 0x4040);
+
+	/* Wait for the link up */
+	do {
+		link_up = smsc75xx_link_ok_nopm(dev);
+		usleep_range(10000, 20000);
+		timeout++;
+	} while ((!link_up) && (timeout < 1000));
+
+	if (timeout >= 1000) {
+		netdev_warn(dev->net, "Timeout waiting for PHY link up\n");
+		return -EIO;
+	}
+
+	/* phy reset */
+	ret = smsc75xx_read_reg(dev, PMT_CTL, &buf);
+	if (ret < 0) {
+		netdev_warn(dev->net, "Failed to read PMT_CTL: %d\n", ret);
+		return ret;
+	}
+
+	buf |= PMT_CTL_PHY_RST;
+
+	ret = smsc75xx_write_reg(dev, PMT_CTL, buf);
+	if (ret < 0) {
+		netdev_warn(dev->net, "Failed to write PMT_CTL: %d\n", ret);
+		return ret;
+	}
+
+	timeout = 0;
+	do {
+		usleep_range(10000, 20000);
+		ret = smsc75xx_read_reg(dev, PMT_CTL, &buf);
+		if (ret < 0) {
+			netdev_warn(dev->net, "Failed to read PMT_CTL: %d\n",
+				    ret);
+			return ret;
+		}
+		timeout++;
+	} while ((buf & PMT_CTL_PHY_RST) && (timeout < 100));
+
+	if (timeout >= 100) {
+		netdev_warn(dev->net, "timeout waiting for PHY Reset\n");
+		return -EIO;
+	}
+
+	return 0;
+}
+
 static int smsc75xx_reset(struct usbnet *dev)
 {
 	struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
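Review bot: link_up is declared u32 while smsc75xx_link_ok_nopm() is declared to return int, so if that helper can return a negative error the wait loop would treat it as "link up" and exit early. Make link_up an int and handle link_up < 0 explicitly. Smaller points: the first loop can sleep for 1000 iterations of usleep_range(10000, 20000), which is 10 to 20 seconds on the init path; both timeout checks report a timeout even when the condition became true on the final iteration, which testing the condition itself after the loop (!link_up, buf & PMT_CTL_PHY_RST) would avoid; and the literal 0x4040 would read better as BMCR_LOOPBACK | BMCR_SPEED1000.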



* [PATCH 3.16 137/366] mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 332/366] HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 073/366] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation Ben Hutchings
                   ` (363 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Daniel Jordan, Hugh Dickins, Huang, Ying

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit 955c97f0859abef698e77f5697f5c4008303abb9 upstream.

Commit 570a335b8e22 ("swap_info: swap count continuations") introduces
COUNT_CONTINUED but refers to it incorrectly as SWAP_HAS_CONT in a
comment in swap_count.  Fix it.

Link: http://lkml.kernel.org/r/20180612175919.30413-1-daniel.m.jordan@oracle.com
Fixes: 570a335b8e22 ("swap_info: swap count continuations")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/swapfile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -88,7 +88,7 @@ static atomic_t proc_poll_event = ATOMIC
 
 static inline unsigned char swap_count(unsigned char ent)
 {
-	return ent & ~SWAP_HAS_CACHE;	/* may include SWAP_HAS_CONT flag */
+	return ent & ~SWAP_HAS_CACHE;	/* may include COUNT_CONTINUED flag */
 }
 
 /* returns 1 if swap entry is freed */



* [PATCH 3.16 228/366] USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 360/366] perf tools: Fix snprint warnings for gcc 8 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 334/366] HID: clamp input to logical range if no null state Ben Hutchings
                   ` (265 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Olli Salonen, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Olli Salonen <olli.salonen@iki.fi>

commit 367b160fe4717c14a2a978b6f9ffb75a7762d3ed upstream.

There are two versions of the Qivicon Zigbee stick in circulation. This
adds the second USB ID to the cp210x driver.

Signed-off-by: Olli Salonen <olli.salonen@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -145,6 +145,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8977) },	/* CEL MeshWorks DevKit Device */
 	{ USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
 	{ USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
+	{ USB_DEVICE(0x10C4, 0x89FB) }, /* Qivicon ZigBee USB Radio Stick */
 	{ USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
 	{ USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
 	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
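Review bot: the new 0x89FB entry carries exactly the same comment as the existing 0x8B34 entry three lines below, so the table no longer shows that these are two versions of the stick, as the commit message says. Distinguish them in the comments (for example by hardware revision, if known) so that a later cleanup does not take one of them for a duplicate.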



* [PATCH 3.16 059/366] media: smiapp: fix timeout checking in smiapp_read_nvm
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 269/366] net: cxgb3_main: fix potential Spectre v1 Ben Hutchings
                   ` (199 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Sakari Ailus, Colin Ian King

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 7a2148dfda8001c983f0effd9afd8a7fa58e99c4 upstream.

The current code decrements the timeout counter i and at the end of
each loop i is incremented, so the check for timeout will always
be false and hence the timeout mechanism is just a dead code path.
Potentially, if the RD_READY bit is not set, we could end up in
an infinite loop.

Fix this so the timeout starts from 1000 and decrements to zero,
if at the end of the loop i is zero we have a timeout condition.

Detected by CoverityScan, CID#1324008 ("Logically dead code")

Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/smiapp/smiapp-core.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/media/i2c/smiapp/smiapp-core.c
+++ b/drivers/media/i2c/smiapp/smiapp-core.c
@@ -899,7 +899,7 @@ static int smiapp_read_nvm(struct smiapp
 		if (rval)
 			goto out;
 
-		for (i = 0; i < 1000; i++) {
+		for (i = 1000; i > 0; i--) {
 			rval = smiapp_read(
 				sensor,
 				SMIAPP_REG_U8_DATA_TRANSFER_IF_1_STATUS, &s);
@@ -910,11 +910,10 @@ static int smiapp_read_nvm(struct smiapp
 			if (s & SMIAPP_DATA_TRANSFER_IF_1_STATUS_RD_READY)
 				break;
 
-			if (--i == 0) {
-				rval = -ETIMEDOUT;
-				goto out;
-			}
-
+		}
+		if (!i) {
+			rval = -ETIMEDOUT;
+			goto out;
 		}
 
 		for (i = 0; i < SMIAPP_NVM_PAGE_SIZE; i++) {
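Review bot: a blank line is left between "break;" and the closing brace of the poll loop after this change; drop it while these lines are being touched. The "if (!i)" test is correct because a successful poll leaves the loop through break with i > 0, but a short comment on it (timed out waiting for RD_READY) would make that relationship explicit. The timeout is still counted in register reads rather than in time, so if the loop lines not shown in this hunk contain no delay, its duration depends on the I2C bus speed.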



* [PATCH 3.16 125/366] mm: /proc/pid/pagemap: hide swap entries from unprivileged users
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 055/366] mfd: tps65911-comparator: Fix a build error Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 288/366] fscache: Allow cancelled operations to be enqueued Ben Hutchings
                   ` (321 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Zi Yan, Daniel Colascione, Andrei Vagin,
	Naoya Horiguchi, Huang Ying, Jerome Glisse,
	Konstantin Khlebnikov, Michal Hocko, Kirill A. Shutemov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huang Ying <ying.huang@intel.com>

commit ab6ecf247a9321e3180e021a6a60164dee53ab2e upstream.

In commit ab676b7d6fbf ("pagemap: do not leak physical addresses to
non-privileged userspace"), the /proc/PID/pagemap is restricted to be
readable only by CAP_SYS_ADMIN to address some security issue.

In commit 1c90308e7a77 ("pagemap: hide physical addresses from
non-privileged users"), the restriction is relieved to make
/proc/PID/pagemap readable, but hide the physical addresses for
non-privileged users.

But the swap entries are readable for non-privileged users too.  This
has some security issues.  For example, for page under migrating, the
swap entry has physical address information.  So, in this patch, the
swap entries are hidden for non-privileged users too.

Link: http://lkml.kernel.org/r/20180508012745.7238-1-ying.huang@intel.com
Fixes: 1c90308e7a77 ("pagemap: hide physical addresses from non-privileged users")
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Andrei Vagin <avagin@openvz.org>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Daniel Colascione <dancol@google.com>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Only PTEs can be swap entries
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -938,8 +938,9 @@ static void pte_to_pagemap_entry(pagemap
 		if (pte_swp_soft_dirty(pte))
 			flags2 |= __PM_SOFT_DIRTY;
 		entry = pte_to_swp_entry(pte);
-		frame = swp_type(entry) |
-			(swp_offset(entry) << MAX_SWAPFILES_SHIFT);
+		if (pm->show_pfn)
+			frame = swp_type(entry) |
+				(swp_offset(entry) << MAX_SWAPFILES_SHIFT);
 		flags = PM_SWAP;
 		if (is_migration_entry(entry))
 			page = migration_entry_to_page(entry);
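Review bot: with the assignment now conditional on pm->show_pfn, frame keeps whatever value it had before this branch when the reader is unprivileged, and its declaration is not visible in this hunk. Confirm that frame is initialised to 0 where it is declared, otherwise an uninitialised stack value ends up in the pagemap entry, which would be a new leak in a patch meant to close one. A one-line comment above the if, saying that swap type and offset are hidden for the same reason as the PFN, would also help the next reader.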



* [PATCH 3.16 234/366] cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 331/366] leds: do not overflow sysfs buffer in led_trigger_show Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval Ben Hutchings
                   ` (136 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steve French, Stefano Brivio, Aurélien Aptel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit 729c0c9dd55204f0c9a823ac8a7bfa83d36c7e78 upstream.

smb{2,3}_create_lease_buf() store a lease key in the lease
context for later usage on a lease break.

In most paths, the key is currently sourced from data that
happens to be on the stack near local variables for oplock in
SMB2_open() callers, e.g. from open_shroot(), whereas
smb2_open_file() properly allocates space on its stack for it.

The address of those local variables holding the oplock is then
passed to create_lease_buf handlers via SMB2_open(), and 16
bytes near oplock are used. This causes a stack out-of-bounds
access as reported by KASAN on SMB2.1 and SMB3 mounts (first
out-of-bounds access is shown here):

[  111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
[  111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
[  111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  111.536838] Call Trace:
[  111.537528]  dump_stack+0xc2/0x16b
[  111.540890]  print_address_description+0x6a/0x270
[  111.542185]  kasan_report+0x258/0x380
[  111.544701]  smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.546134]  SMB2_open+0x1ef8/0x4b70 [cifs]
[  111.575883]  open_shroot+0x339/0x550 [cifs]
[  111.591969]  smb3_qfs_tcon+0x32c/0x1e60 [cifs]
[  111.617405]  cifs_mount+0x4f3/0x2fc0 [cifs]
[  111.674332]  cifs_smb3_do_mount+0x263/0xf10 [cifs]
[  111.677915]  mount_fs+0x55/0x2b0
[  111.679504]  vfs_kern_mount.part.22+0xaa/0x430
[  111.684511]  do_mount+0xc40/0x2660
[  111.698301]  ksys_mount+0x80/0xd0
[  111.701541]  do_syscall_64+0x14e/0x4b0
[  111.711807]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  111.713665] RIP: 0033:0x7f372385b5fa
[  111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
[  111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
[  111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
[  111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
[  111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
[  111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000

[  111.735448] The buggy address belongs to the page:
[  111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  111.739890] flags: 0x17ffffc0000000()
[  111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
[  111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  111.746679] page dumped because: kasan: bad access detected

[  111.750482] Memory state around the buggy address:
[  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
[  111.759801]                                               ^
[  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.766913] ==================================================================

Lease keys are however already generated and stored in fid data
on open and create paths: pass them down to the lease context
creation handlers and use them.

Suggested-by: Aurélien Aptel <aaptel@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Fixes: b8c32dbb0deb ("CIFS: Request SMB2.1 leases")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h |  2 +-
 fs/cifs/smb2file.c | 11 ++++-------
 fs/cifs/smb2ops.c  |  9 +++------
 fs/cifs/smb2pdu.c  |  7 ++++---
 fs/cifs/smb2pdu.h  |  6 ++----
 5 files changed, 14 insertions(+), 21 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -381,7 +381,7 @@ struct smb_version_operations {
 	void (*set_oplock_level)(struct cifsInodeInfo *, __u32, unsigned int,
 				 bool *);
 	/* create lease context buffer for CREATE request */
-	char * (*create_lease_buf)(u8 *, u8);
+	char * (*create_lease_buf)(u8 *lease_key, u8 oplock);
 	/* parse lease context buffer and return oplock/epoch info */
 	__u8 (*parse_lease_buf)(void *buf, unsigned int *epoch, char *lkey);
 	int (*clone_range)(const unsigned int, struct cifsFileInfo *src_file,
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -41,7 +41,7 @@ smb2_open_file(const unsigned int xid, s
 	int rc;
 	__le16 *smb2_path;
 	struct smb2_file_all_info *smb2_data = NULL;
-	__u8 smb2_oplock[17];
+	__u8 smb2_oplock;
 	struct cifs_fid *fid = oparms->fid;
 
 	smb2_path = cifs_convert_path_to_utf16(oparms->path, oparms->cifs_sb);
@@ -58,12 +58,9 @@ smb2_open_file(const unsigned int xid, s
 	}
 
 	oparms->desired_access |= FILE_READ_ATTRIBUTES;
-	*smb2_oplock = SMB2_OPLOCK_LEVEL_BATCH;
+	smb2_oplock = SMB2_OPLOCK_LEVEL_BATCH;
 
-	if (oparms->tcon->ses->server->capabilities & SMB2_GLOBAL_CAP_LEASING)
-		memcpy(smb2_oplock + 1, fid->lease_key, SMB2_LEASE_KEY_SIZE);
-
-	rc = SMB2_open(xid, oparms, smb2_path, smb2_oplock, smb2_data, NULL);
+	rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL);
 	if (rc)
 		goto out;
 
@@ -80,7 +77,7 @@ smb2_open_file(const unsigned int xid, s
 		move_smb2_info_to_cifs(buf, smb2_data);
 	}
 
-	*oplock = *smb2_oplock;
+	*oplock = smb2_oplock;
 out:
 	kfree(smb2_data);
 	kfree(smb2_path);
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1072,8 +1072,7 @@ smb2_create_lease_buf(u8 *lease_key, u8
 	if (!buf)
 		return NULL;
 
-	buf->lcontext.LeaseKeyLow = cpu_to_le64(*((u64 *)lease_key));
-	buf->lcontext.LeaseKeyHigh = cpu_to_le64(*((u64 *)(lease_key + 8)));
+	memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
 	buf->lcontext.LeaseState = map_oplock_to_lease(oplock);
 
 	buf->ccontext.DataOffset = cpu_to_le16(offsetof
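Review bot: replacing cpu_to_le64(*((u64 *)lease_key)) with memcpy() changes the bytes placed in the request on big-endian hosts, where the old code byte-swapped each half of the key, and the commit message does not mention this. Copying the key as an opaque 16-byte value is probably the intended behaviour and it also removes the two potentially unaligned u64 loads, but the change in wire content should be stated. The same applies to the identical change in smb3_create_lease_buf() in the next hunk.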
@@ -1099,8 +1098,7 @@ smb3_create_lease_buf(u8 *lease_key, u8
 	if (!buf)
 		return NULL;
 
-	buf->lcontext.LeaseKeyLow = cpu_to_le64(*((u64 *)lease_key));
-	buf->lcontext.LeaseKeyHigh = cpu_to_le64(*((u64 *)(lease_key + 8)));
+	memcpy(&buf->lcontext.LeaseKey, lease_key, SMB2_LEASE_KEY_SIZE);
 	buf->lcontext.LeaseState = map_oplock_to_lease(oplock);
 
 	buf->ccontext.DataOffset = cpu_to_le16(offsetof
@@ -1137,8 +1135,7 @@ smb3_parse_lease_buf(void *buf, unsigned
 	if (lc->lcontext.LeaseFlags & SMB2_LEASE_FLAG_BREAK_IN_PROGRESS)
 		return SMB2_OPLOCK_LEVEL_NOCHANGE;
 	if (lease_key)
-		memcpy(lease_key, &lc->lcontext.LeaseKeyLow,
-		       SMB2_LEASE_KEY_SIZE);
+		memcpy(lease_key, &lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
 	return le32_to_cpu(lc->lcontext.LeaseState);
 }
 
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1084,12 +1084,12 @@ parse_lease_state(struct TCP_Server_Info
 
 static int
 add_lease_context(struct TCP_Server_Info *server, struct kvec *iov,
-		  unsigned int *num_iovec, __u8 *oplock)
+		  unsigned int *num_iovec, u8 *lease_key, __u8 *oplock)
 {
 	struct smb2_create_req *req = iov[0].iov_base;
 	unsigned int num = *num_iovec;
 
-	iov[num].iov_base = server->ops->create_lease_buf(oplock+1, *oplock);
+	iov[num].iov_base = server->ops->create_lease_buf(lease_key, *oplock);
 	if (iov[num].iov_base == NULL)
 		return -ENOMEM;
 	iov[num].iov_len = server->vals->create_lease_size;
@@ -1212,7 +1212,8 @@ SMB2_open(const unsigned int xid, struct
 	    *oplock == SMB2_OPLOCK_LEVEL_NONE)
 		req->RequestedOplockLevel = *oplock;
 	else {
-		rc = add_lease_context(server, iov, &num_iovecs, oplock);
+		rc = add_lease_context(server, iov, &num_iovecs,
+				       oparms->fid->lease_key, oplock);
 		if (rc) {
 			cifs_small_buf_release(req);
 			kfree(copy_path);
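Review bot: oparms->fid is dereferenced unconditionally in this else branch, so every SMB2_open() caller that can reach it must now supply a fid whose lease_key has been populated. The commit message names open_shroot() as a path that did not pass a real key before; since this is a backport with adjusted context, the changelog should say which 3.16 callers were checked, or the branch should guard against a NULL oparms->fid before calling add_lease_context().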
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -510,16 +510,14 @@ struct create_context {
 #define SMB2_LEASE_KEY_SIZE 16
 
 struct lease_context {
-	__le64 LeaseKeyLow;
-	__le64 LeaseKeyHigh;
+	u8 LeaseKey[SMB2_LEASE_KEY_SIZE];
 	__le32 LeaseState;
 	__le32 LeaseFlags;
 	__le64 LeaseDuration;
 } __packed;
 
 struct lease_context_v2 {
-	__le64 LeaseKeyLow;
-	__le64 LeaseKeyHigh;
+	u8 LeaseKey[SMB2_LEASE_KEY_SIZE];
 	__le32 LeaseState;
 	__le32 LeaseFlags;
 	__le64 LeaseDuration;



* [PATCH 3.16 060/366] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (279 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 294/366] ring_buffer: tracing: Inherit the tracing setting to next ring buffer Ben Hutchings
                   ` (85 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen, Jens Remus

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit df30781699f53e4fd4c494c6f7dd16e3d5c21d30 upstream.

For problem determination we need to see whether and why we were successful
or not. This allows deduction of scsi_eh escalation.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : SCSI
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1
Tag            : schrh_r        SCSI host reset handler result
Request ID     : 0x0000000000000000                     none (invalid)
SCSI ID        : 0xffffffff                             none (invalid)
SCSI LUN       : 0xffffffff                             none (invalid)
SCSI LUN high  : 0xffffffff                             none (invalid)
SCSI result    : 0x00002002     field re-used for midlayer value: SUCCESS
                                or in other cases: 0x2009 == FAST_IO_FAIL
SCSI retries   : 0xff                                   none (invalid)
SCSI allowed   : 0xff                                   none (invalid)
SCSI scribble  : 0xffffffffffffffff                     none (invalid)
SCSI opcode    : ffffffff ffffffff ffffffff ffffffff    none (invalid)
FCP rsp inf cod: 0xff                                   none (invalid)
FCP rsp IU     : 00000000 00000000 00000000 00000000    none (invalid)
                 00000000 00000000

v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from
fc_block_scsi_eh to scsi eh") introduced the first return with something
other than the previously hardcoded single SUCCESS return path.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: Drop assignment to zfcp_dbf_scsi::scsi_lun_64_hi
 which doesn't exist here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -624,6 +624,45 @@ void zfcp_dbf_scsi(char *tag, int level,
 	spin_unlock_irqrestore(&dbf->scsi_lock, flags);
 }
 
+/**
+ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
+ * @tag: Identifier for event.
+ * @adapter: Pointer to zfcp adapter as context for this event.
+ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
+ * @ret: Return value of calling function.
+ *
+ * This SCSI trace variant does not depend on any of:
+ * scsi_cmnd, zfcp_fsf_req, scsi_device.
+ */
+void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+		      unsigned int scsi_id, int ret)
+{
+	struct zfcp_dbf *dbf = adapter->dbf;
+	struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
+	unsigned long flags;
+	static int const level = 1;
+
+	if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
+		return;
+
+	spin_lock_irqsave(&dbf->scsi_lock, flags);
+	memset(rec, 0, sizeof(*rec));
+
+	memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
+	rec->id = ZFCP_DBF_SCSI_CMND;
+	rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
+	rec->scsi_retries = ~0;
+	rec->scsi_allowed = ~0;
+	rec->fcp_rsp_info = ~0;
+	rec->scsi_id = scsi_id;
+	rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
+	rec->host_scribble = ~0;
+	memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
+
+	debug_event(dbf->scsi, level, rec, sizeof(*rec));
+	spin_unlock_irqrestore(&dbf->scsi_lock, flags);
+}
+
 static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
 {
 	struct debug_info *d;
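Review bot: memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN) in zfcp_dbf_scsi_eh() always copies ZFCP_DBF_TAG_LEN bytes, whatever the length of the caller's string, so a shorter tag would be read past its end. The kernel-doc for @tag should state the required length, or the copy should be bounded by the string length. Separately, the level check dereferences adapter->dbf->scsi although the local dbf already holds adapter->dbf; using dbf->scsi there would match the rest of the function.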
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -52,6 +52,8 @@ extern void zfcp_dbf_san_res(char *, str
 extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
 			  struct zfcp_fsf_req *);
+extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+			     unsigned int scsi_id, int ret);
 
 /* zfcp_erp.c */
 extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -343,15 +343,16 @@ static int zfcp_scsi_eh_host_reset_handl
 {
 	struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
 	struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
-	int ret;
+	int ret = SUCCESS, fc_ret;
 
 	zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
 	zfcp_erp_wait(adapter);
-	ret = fc_block_scsi_eh(scpnt);
-	if (ret)
-		return ret;
+	fc_ret = fc_block_scsi_eh(scpnt);
+	if (fc_ret)
+		ret = fc_ret;
 
-	return SUCCESS;
+	zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
+	return ret;
 }
 
 struct scsi_transport_template *zfcp_scsi_transport_template;
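Review bot: the scsi_id argument in zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret) is a bare ~0 with nothing to say that it means "no specific target". The kernel-doc describes scsi_id as the scope of a TMF and a host reset has none, so a short comment or a named constant would make the trace record easier to interpret. The restructuring keeps the old return values: ret stays SUCCESS unless fc_block_scsi_eh() returns non-zero.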


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 202/366] scsi: sg: mitigate read/write abuse
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Douglas Gilbert, Jann Horn, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd upstream.

As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit
to be called under KERNEL_DS"), sg improperly accesses userspace memory
outside the provided buffer, permitting kernel memory corruption via
splice().  But it doesn't just do it on ->write(), also on ->read().

As a band-aid, make sure that the ->read() and ->write() handlers can not
be called in weird contexts (kernel context or credentials different from
file opener), like for ib_safe_file_access().

If someone needs to use these interfaces from different security contexts,
a new interface should be written that goes through the ->ioctl() handler.

I've mostly copypasted ib_safe_file_access() over as sg_safe_file_access()
because I couldn't find a good common header - please tell me if you know a
better way.

[mkp: s/_safe_/_check_/]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: open-code uaccess_kernel()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/sg.c | 42 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 40 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -52,6 +52,7 @@ static int sg_version_num = 30534;	/* 2
 #include <linux/blktrace_api.h>
 #include <linux/mutex.h>
 #include <linux/ratelimit.h>
+#include <linux/cred.h> /* for sg_check_file_access() */
 
 #include "scsi.h"
 #include <scsi/scsi_dbg.h>
@@ -215,6 +216,33 @@ static void sg_put_dev(Sg_device *sdp);
 #define SZ_SG_IOVEC sizeof(sg_iovec_t)
 #define SZ_SG_REQ_INFO sizeof(sg_req_info_t)
 
+/*
+ * The SCSI interfaces that use read() and write() as an asynchronous variant of
+ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
+ * to trigger read() and write() calls from various contexts with elevated
+ * privileges. This can lead to kernel memory corruption (e.g. if these
+ * interfaces are called through splice()) and privilege escalation inside
+ * userspace (e.g. if a process with access to such a device passes a file
+ * descriptor to a SUID binary as stdin/stdout/stderr).
+ *
+ * This function provides protection for the legacy API by restricting the
+ * calling context.
+ */
+static int sg_check_file_access(struct file *filp, const char *caller)
+{
+	if (filp->f_cred != current_real_cred()) {
+		pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
+			caller, task_tgid_vnr(current), current->comm);
+		return -EPERM;
+	}
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
+		pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
+			caller, task_tgid_vnr(current), current->comm);
+		return -EACCES;
+	}
+	return 0;
+}
+
 static int sg_allow_access(struct file *filp, unsigned char *cmd)
 {
 	struct sg_fd *sfp = filp->private_data;
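Review bot: both rejection paths in sg_check_file_access() log with pr_err_once(), so only the first refused call of each kind reaches the log and every later one, from any process, is silent. If these messages are meant to help spot misuse, a rate-limited print (linux/ratelimit.h is already included in this file) would keep later events visible without flooding. The two paths also return different errors (-EPERM for the credential mismatch, -EACCES for KERNEL_DS); the comment block could say that this is intentional.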
@@ -382,6 +410,14 @@ sg_read(struct file *filp, char __user *
 	struct sg_header *old_hdr = NULL;
 	int retval = 0;
 
+	/*
+	 * This could cause a response to be stranded. Close the associated
+	 * file descriptor to free up any resources being held.
+	 */
+	retval = sg_check_file_access(filp, __func__);
+	if (retval)
+		return retval;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, printk("sg_read: %s, count=%d\n",
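Review bot: the comment added above the sg_check_file_access() call in sg_read() reads as an instruction but does not say who is expected to act on it ("Close the associated file descriptor to free up any resources being held."). Reword it to state that returning early here can leave a completed response unread, and that it is the caller who has to close the descriptor to release it.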
@@ -567,9 +603,11 @@ sg_write(struct file *filp, const char _
 	struct sg_header old_hdr;
 	sg_io_hdr_t *hp;
 	unsigned char cmnd[MAX_COMMAND_SIZE];
+	int retval;
 
-	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
-		return -EINVAL;
+	retval = sg_check_file_access(filp, __func__);
+	if (retval)
+		return retval;
 
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
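Review bot: replacing the open-coded KERNEL_DS test in sg_write() changes the error returned for that case from -EINVAL to -EACCES, and adds -EPERM for the credential mismatch. That is a userspace-visible change going into a stable branch and the commit message does not mention it; a line in the changelog would help anyone who matches on the old errno.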


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 135/366] ksm: add cond_resched() to the rmap_walks
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hugh Dickins, Andrea Arcangeli, Petr Holasek,
	Linus Torvalds, Davidlohr Bueso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Arcangeli <aarcange@redhat.com>

commit ad12695f177c3403a64348b42718faf9727fe358 upstream.

While at it add it to the file and anon walks too.

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Petr Holasek <pholasek@redhat.com>
Acked-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/ksm.c  | 2 ++
 mm/rmap.c | 4 ++++
 2 files changed, 6 insertions(+)

--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -1915,9 +1915,11 @@ again:
 		struct anon_vma_chain *vmac;
 		struct vm_area_struct *vma;
 
+		cond_resched();
 		anon_vma_lock_read(anon_vma);
 		anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
 					       0, ULONG_MAX) {
+			cond_resched();
 			vma = vmac->vma;
 			if (rmap_item->address < vma->vm_start ||
 			    rmap_item->address >= vma->vm_end)
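Review bot: the second cond_resched() sits inside anon_vma_interval_tree_foreach(), after anon_vma_lock_read(anon_vma) has been taken, so the task may now schedule while holding that lock. The changelog ("While at it add it to the file and anon walks too.") gives neither the reason for the change nor why rescheduling under the lock is safe; a sentence on both would make this easier to review for stable.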
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1486,6 +1486,8 @@ static int rmap_walk_anon(struct page *p
 		struct vm_area_struct *vma = avc->vma;
 		unsigned long address = vma_address(page, vma);
 
+		cond_resched();
+
 		if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 			continue;
 
@@ -1533,6 +1535,8 @@ static int rmap_walk_file(struct page *p
 	vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff) {
 		unsigned long address = vma_address(page, vma);
 
+		cond_resched();
+
 		if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
 			continue;
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bo Chen, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bo Chen <chenbo@pdx.edu>

commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.

When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is
created without setting its operators via 'snd_pcm_set_ops()'. Following
operations on the new pcm instance can trigger kernel null pointer dereferences
and cause kernel oops.

This bug was found with my work on building a gray-box fault-injection tool for
linux-kernel-module binaries. A kernel null pointer dereference was confirmed
from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in
file 'sound/core/pcm_native.c'.

This patch fixes the bug by calling 'snd_device_free()' in the error handling
path of 'kzalloc()', which removes the new pcm instance from the snd card before
returning with an error code.

Signed-off-by: Bo Chen <chenbo@pdx.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_controller.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -998,8 +998,10 @@ static int azx_attach_pcm_stream(struct
 		return err;
 	strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
 	apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
-	if (apcm == NULL)
+	if (apcm == NULL) {
+		snd_device_free(chip->card, pcm);
 		return -ENOMEM;
+	}
 	apcm->chip = chip;
 	apcm->pcm = pcm;
 	apcm->codec = codec;
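Review bot: the subject and changelog name snd_hda_attach_pcm_stream(), but this hunk changes azx_attach_pcm_stream() in sound/pci/hda/hda_controller.c, and there is no backport note explaining the difference. A [bwh: ...] line would confirm that this is the same allocation-failure path. The fix itself is confined to the kzalloc() failure branch: snd_device_free(chip->card, pcm) before return -ENOMEM.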


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 079/366] ext4: don't read out of bounds when checking for in-inode xattrs
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Biggers, Theodore Ts'o, Andreas Dilger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 290ab230016f187c3551d8380ea742889276d03a upstream.

With i_extra_isize equal to or close to the available space, it was
possible for us to read past the end of the inode when trying to detect
or validate in-inode xattrs.  Fix this by checking for the needed extra
space first.

This patch shouldn't have any noticeable effect on
non-corrupted/non-malicious filesystems.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 4 +++-
 fs/ext4/xattr.c | 5 ++---
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4165,7 +4165,9 @@ static inline void ext4_iget_extra_inode
 {
 	__le32 *magic = (void *)raw_inode +
 			EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
-	if (*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
+	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
+	    EXT4_INODE_SIZE(inode->i_sb) &&
+	    *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
 		ext4_set_inode_state(inode, EXT4_STATE_XATTR);
 		ext4_find_inline_data_nolock(inode);
 	} else
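Review bot: the new bound guards only the dereference; magic is still computed from raw_inode + EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize before the check, so for an oversized i_extra_isize the pointer already points past the inode. Nothing reads it in that case because the && short-circuits, but computing the pointer inside the guarded branch, or adding a comment that the order of the two conditions matters, would make that dependency explicit.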
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -247,13 +247,12 @@ static int
 __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
 			 void *end, const char *function, unsigned int line)
 {
-	struct ext4_xattr_entry *entry = IFIRST(header);
 	int error = -EIO;
 
-	if (((void *) header >= end) ||
+	if (end - (void *)header < sizeof(*header) + sizeof(u32) ||
 	    (header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)))
 		goto errout;
-	error = ext4_xattr_check_names(entry, end, entry);
+	error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
 errout:
 	if (error)
 		__ext4_error_inode(inode, function, line, 0,
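Review bot: in __xattr_check_inode() the new test end - (void *)header < sizeof(*header) + sizeof(u32) compares a signed pointer difference with an unsigned size, so the left side is converted to unsigned. If header were ever above end, the difference would become a very large value and the test would pass, where the removed (void *) header >= end would have rejected it. Either keep an explicit header > end rejection or note which caller guarantees header <= end.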


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 082/366] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Schmitz, Geert Uytterhoeven

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Schmitz <schmitzmic@gmail.com>

commit 3f90f9ef2dda316d64e420d5d51ba369587ccc55 upstream.

If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap
between mappings which is added to the vm_struct representing the
mapping.  __ioremap() uses the actual requested size (after alignment),
while __iounmap() is passed the size from the vm_struct.

On 020/030, early termination descriptors are used to set up mappings of
extent 'size', which are validated on unmapping. The unmapped gap of
size IO_SIZE defeats the sanity check of the pmd tables, causing
__iounmap() to loop forever on 030.

On 040/060, unmapping of page table entries does not check for a valid
mapping, so the unmapping loop always completes there.

Adjust size to be unmapped by the gap that had been added in the
vm_struct prior.

This fixes the hang in atari_platform_init() reported a long time ago,
and a similar one reported by Finn recently (addressed by removing
ioremap() use from the SWIM driver).

Tested on my Falcon in 030 mode - untested but should work the same on
040/060 (the extra page tables cleared there would never have been set
up anyway).

Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
[geert: Minor commit description improvements]
[geert: This was fixed in 2.4.23, but not in 2.5.x]
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/m68k/mm/kmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/m68k/mm/kmap.c
+++ b/arch/m68k/mm/kmap.c
@@ -88,7 +88,8 @@ static inline void free_io_area(void *ad
 	for (p = &iolist ; (tmp = *p) ; p = &tmp->next) {
 		if (tmp->addr == addr) {
 			*p = tmp->next;
-			__iounmap(tmp->addr, tmp->size);
+			/* remove gap added in get_io_area() */
+			__iounmap(tmp->addr, tmp->size - IO_SIZE);
 			kfree(tmp);
 			return;
 		}
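Review bot: __iounmap(tmp->addr, tmp->size - IO_SIZE) subtracts the gap unconditionally, while the changelog describes the gap as something get_io_area() leaves "If 020/030 support is enabled". The hunk does not show whether IO_SIZE is always included in tmp->size; if any configuration stores the size without the gap, the subtraction would unmap too little or wrap. The comment should say that the gap is always added, or the subtraction should mirror the condition used in get_io_area().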


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 088/366] ext4: fix fencepost error in check for inode count overflow during resize
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jaco Kroon, Andreas Dilger, Theodore Ts'o, Jan Kara

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 4f2f76f751433908364ccff82f437a57d0e6e9b7 upstream.

ext4_resize_fs() has an off-by-one bug when checking whether growing of
a filesystem will not overflow inode count. As a result it allows a
filesystem with 8192 inodes per group to grow to 64TB which overflows
inode count to 0 and makes filesystem unusable. Fix it.

Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b
Reported-by: Jaco Kroon <jaco@uls.co.za>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1906,7 +1906,7 @@ retry:
 		return 0;
 
 	n_group = ext4_get_group_number(sb, n_blocks_count - 1);
-	if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+	if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
 		ext4_warning(sb, "resize would cause inodes_count overflow");
 		return -EINVAL;
 	}
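Review bot: the one-character change from > to >= is easy to misread because n_group is the index of the last group (it comes from ext4_get_group_number(sb, n_blocks_count - 1)), so the number of groups is n_group + 1. A comment above the test saying so, or writing the check in terms of the group count, would stop the fencepost from being reintroduced. The 0xFFFFFFFFUL literal could likewise be tied to the 32-bit inode count it stands for.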


^ permalink raw reply	[flat|nested] 376+ messages in thread
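
The fencepost described in the commit message above, modelled in userspace C as an added example (not code from the patch or from ext4). The helper names are hypothetical; the two predicates mirror the removed and added lines of the hunk, and the sweep compares each against the real 32-bit overflow condition around the boundary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest value a 32-bit inode count can hold (the 0xFFFFFFFFUL in the hunk). */
#define INODES_COUNT_MAX 0xFFFFFFFFULL

/* True inode total when the last group has index n_group,
 * i.e. the filesystem has n_group + 1 groups. */
static uint64_t inode_total(uint32_t n_group, uint32_t ipg)
{
	return ((uint64_t)n_group + 1) * ipg;
}

/* What a 32-bit inode count field would end up holding (truncated). */
static uint32_t inode_total_stored(uint32_t n_group, uint32_t ipg)
{
	return (uint32_t)inode_total(n_group, ipg);
}

/* Check as it was before the patch: n_group > limit. */
static bool old_check_rejects(uint32_t n_group, uint32_t ipg)
{
	return n_group > (INODES_COUNT_MAX / ipg);
}

/* Check as it is after the patch: n_group >= limit. */
static bool new_check_rejects(uint32_t n_group, uint32_t ipg)
{
	return n_group >= (INODES_COUNT_MAX / ipg);
}

/* Sweep group indices within +/- window of the limit and count how often
 * a check disagrees with the real condition "total does not fit in 32 bits". */
static unsigned mismatches(bool (*rejects)(uint32_t, uint32_t),
			   uint32_t ipg, uint32_t window)
{
	uint64_t limit = INODES_COUNT_MAX / ipg;
	uint64_t lo = limit > window ? limit - window : 0;
	unsigned bad = 0;

	for (uint64_t g = lo; g <= limit + window; g++) {
		bool overflows = inode_total((uint32_t)g, ipg) > INODES_COUNT_MAX;

		if (rejects((uint32_t)g, ipg) != overflows)
			bad++;
	}
	return bad;
}

int main(void)
{
	/* Constructed sample values; 8192 is the case named in the commit
	 * message, the others are added here to show the general behaviour. */
	const uint32_t ipg_values[] = { 8192, 7680, 16384 };

	for (size_t i = 0; i < sizeof(ipg_values) / sizeof(ipg_values[0]); i++) {
		uint32_t ipg = ipg_values[i];
		uint32_t limit = (uint32_t)(INODES_COUNT_MAX / ipg);

		printf("ipg=%u limit=%u stored_at_limit=%u old_bad=%u new_bad=%u\n",
		       ipg, limit, inode_total_stored(limit, ipg),
		       mismatches(old_check_rejects, ipg, 4),
		       mismatches(new_check_rejects, ipg, 4));
	}
	return 0;
}
```

With 8192 inodes per group the limit is 524287; that index means 524288 groups and exactly 2^32 inodes, which the old check lets through and which is stored as 0.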

* [PATCH 3.16 081/366] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bjorn Helgaas, Andy Shevchenko, Mika Westerberg, Rafael J. Wysocki

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 13c65840feab8109194f9490c9870587173cb29d upstream.

After a suspend/resume cycle the Presence Detect or Data Link Layer Status
Changed bits might be set.  If we don't clear them those events will not
fire anymore and nothing happens for instance when a device is now
hot-unplugged.

Fix this by clearing those bits in a newly introduced function
pcie_reenable_notification().  This should be fine because immediately
after, we check if the adapter is still present by reading directly from
the status register.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/hotplug/pciehp.h      |  2 +-
 drivers/pci/hotplug/pciehp_core.c |  2 +-
 drivers/pci/hotplug/pciehp_hpc.c  | 13 ++++++++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/pci/hotplug/pciehp.h
+++ b/drivers/pci/hotplug/pciehp.h
@@ -143,7 +143,7 @@ struct controller *pcie_init(struct pcie
 int pcie_init_notification(struct controller *ctrl);
 int pciehp_enable_slot(struct slot *p_slot);
 int pciehp_disable_slot(struct slot *p_slot);
-void pcie_enable_notification(struct controller *ctrl);
+void pcie_reenable_notification(struct controller *ctrl);
 int pciehp_power_on_slot(struct slot *slot);
 void pciehp_power_off_slot(struct slot *slot);
 void pciehp_get_power_status(struct slot *slot, u8 *status);
--- a/drivers/pci/hotplug/pciehp_core.c
+++ b/drivers/pci/hotplug/pciehp_core.c
@@ -332,7 +332,7 @@ static int pciehp_resume(struct pcie_dev
 	ctrl = get_service_data(dev);
 
 	/* reinitialize the chipset's event detection logic */
-	pcie_enable_notification(ctrl);
+	pcie_reenable_notification(ctrl);
 
 	slot = ctrl->slot;
 
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -580,7 +580,7 @@ static irqreturn_t pcie_isr(int irq, voi
 	return IRQ_HANDLED;
 }
 
-void pcie_enable_notification(struct controller *ctrl)
+static void pcie_enable_notification(struct controller *ctrl)
 {
 	u16 cmd, mask;
 
@@ -618,6 +618,17 @@ void pcie_enable_notification(struct con
 	pcie_write_cmd(ctrl, cmd, mask);
 }
 
+void pcie_reenable_notification(struct controller *ctrl)
+{
+	/*
+	 * Clear both Presence and Data Link Layer Changed to make sure
+	 * those events still fire after we have re-enabled them.
+	 */
+	pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
+				   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
+	pcie_enable_notification(ctrl);
+}
+
 static void pcie_disable_notification(struct controller *ctrl)
 {
 	u16 mask;
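Review bot: the comment in pcie_reenable_notification() says the bits are cleared, but the code writes PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC to PCI_EXP_SLTSTA; it should say that these status bits are cleared by writing 1 to them, otherwise the call looks like it sets them. The return value of pcie_capability_write_word() is also ignored, so a failed write would leave the events pending with no trace.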


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 183/366] time: Make sure jiffies_to_msecs() preserves non-zero time periods
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Geert Uytterhoeven, linux-mips,
	Thomas Gleixner, Stephen Boyd, John Stultz, linux-alpha

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit abcbcb80cd09cd40f2089d912764e315459b71f7 upstream.

For the common cases where 1000 is a multiple of HZ, or HZ is a multiple of
1000, jiffies_to_msecs() never returns zero when passed a non-zero time
period.

However, if HZ > 1000 and not an integer multiple of 1000 (e.g. 1024 or
1200, as used on alpha and DECstation), jiffies_to_msecs() may return zero
for small non-zero time periods.  This may break code that relies on
receiving back a non-zero value.

jiffies_to_usecs() does not need such a fix: one jiffy can only be less
than one µs if HZ > 1000000, and such large values of HZ are already
rejected at build time, twice:

  - include/linux/jiffies.h does #error if HZ >= 12288,
  - kernel/time/time.c has BUILD_BUG_ON(HZ > USEC_PER_SEC).

Broken since forever.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Stephen Boyd <sboyd@kernel.org>
Cc: linux-alpha@vger.kernel.org
Cc: linux-mips@linux-mips.org
Link: https://lkml.kernel.org/r/20180622143357.7495-1-geert@linux-m68k.org
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/time.c
+++ b/kernel/time.c
@@ -28,6 +28,7 @@
  */
 
 #include <linux/export.h>
+#include <linux/kernel.h>
 #include <linux/timex.h>
 #include <linux/capability.h>
 #include <linux/timekeeper_internal.h>
@@ -253,9 +254,10 @@ unsigned int jiffies_to_msecs(const unsi
 	return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
 #else
 # if BITS_PER_LONG == 32
-	return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
+	return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
+	       HZ_TO_MSEC_SHR32;
 # else
-	return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
+	return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
 # endif
 #endif
 }
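Review bot: in the BITS_PER_LONG == 32 branch the rounding term is written as 1ULL << HZ_TO_MSEC_SHR32, which makes the addition 64-bit, but HZ_TO_MSEC_MUL32 * j is evaluated first and its width depends on how HZ_TO_MSEC_MUL32 is defined, which this hunk does not show. Please confirm the product is already 64-bit; if it were not, it would be truncated before the rounding term is added. In the 64-bit branch DIV_ROUND_UP() adds HZ_TO_MSEC_DEN - 1 to j * HZ_TO_MSEC_NUM, so the rounded form overflows slightly earlier than the old one for very large j.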


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 191/366] batman-adv: Fix multicast TT issues with bogus ROAM flags
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leonardo Mörlein, Simon Wunderlich, Linus Lüssing

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <linus.luessing@c0d3.blue>

commit a44ebeff6bbd6ef50db41b4195fca87b21aefd20 upstream.

When a (broken) node wrongly sends multicast TT entries with a ROAM
flag then this causes any receiving node to drop all entries for the
same multicast MAC address announced by other nodes, leading to
packet loss.

Fix this DoS vector by only storing TT sync flags. For multicast TT
non-sync'ing flag bits like ROAM are unused so far anyway.

Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
Reported-by: Leonardo Mörlein <me@irrelefant.net>
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1378,7 +1378,8 @@ static bool batadv_tt_global_add(struct
 		ether_addr_copy(common->addr, tt_addr);
 		common->vid = vid;
 
-		common->flags = flags & (~BATADV_TT_SYNC_MASK);
+		if (!is_multicast_ether_addr(common->addr))
+			common->flags = flags & (~BATADV_TT_SYNC_MASK);
 
 		tt_global_entry->roam_at = 0;
 		/* node must store current time in case of roaming. This is
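Review bot: in the new-entry path of batadv_tt_global_add(), common->flags is now assigned only when the address is not multicast, so for a multicast entry the field keeps whatever the allocation left there. The hunk does not show the allocation; please confirm the entry is zero-initialised, or add an else branch that sets common->flags to 0. The same is_multicast_ether_addr(common->addr) test is repeated in the next hunk, so a small helper would keep the two sites in step.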
@@ -1435,7 +1436,8 @@ static bool batadv_tt_global_add(struct
 		 * TT_CLIENT_TEMP, therefore they have to be copied in the
 		 * client entry
 		 */
-		common->flags |= flags & (~BATADV_TT_SYNC_MASK);
+		if (!is_multicast_ether_addr(common->addr))
+			common->flags |= flags & (~BATADV_TT_SYNC_MASK);
 
 		/* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
 		 * one originator left in the list and we previously received a


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 231/366] cifs: Fix use after free of a mid_q_entry
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ronnie Sahlberg, Paulo Alcantara, Lars Persson,
	Steve French, Lars Persson, Pavel Shilovsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lars Persson <lars.persson@axis.com>

commit 696e420bb2a6624478105651d5368d45b502b324 upstream.

With protocol version 2.0 mounts we have seen crashes with corrupt mid
entries. Either the server->pending_mid_q list becomes corrupt with a
cyclic reference in one element or a mid object fetched by the
demultiplexer thread becomes overwritten during use.

Code review identified a race between the demultiplexer thread and the
request issuing thread. The demultiplexer thread seems to be written
with the assumption that it is the sole user of the mid object until
it calls the mid callback which either wakes the issuer task or
deletes the mid.

This assumption is not true because the issuer task can be woken up
earlier by a signal. If the demultiplexer thread has proceeded as far
as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
thread will happily end up calling cifs_delete_mid while the
demultiplexer thread still is using the mid object.

Inserting a delay in the cifs demultiplexer thread widens the race
window and makes reproduction of the race very easy:

		if (server->large_buf)
			buf = server->bigbuf;

+		usleep_range(500, 4000);

		server->lstrp = jiffies;

To resolve this I think the proper solution involves putting a
reference count on the mid object. This patch makes sure that the
demultiplexer thread holds a reference until it has finished
processing the transaction.

Signed-off-by: Lars Persson <larper@axis.com>
Acked-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: Drop redundant assignment to mid_entry]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h      |  1 +
 fs/cifs/cifsproto.h     |  1 +
 fs/cifs/connect.c       |  8 +++++++-
 fs/cifs/smb1ops.c       |  1 +
 fs/cifs/smb2ops.c       |  1 +
 fs/cifs/smb2transport.c |  1 +
 fs/cifs/transport.c     | 18 +++++++++++++++++-
 7 files changed, 29 insertions(+), 2 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1232,6 +1232,7 @@ typedef void (mid_callback_t)(struct mid
 /* one of these for every pending CIFS request to the server */
 struct mid_q_entry {
 	struct list_head qhead;	/* mids waiting on reply from this server */
+	struct kref refcount;
 	struct TCP_Server_Info *server;	/* server corresponding to this mid */
 	__u64 mid;		/* multiplex id */
 	__u32 pid;		/* process id */
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -74,6 +74,7 @@ extern struct mid_q_entry *AllocMidQEntr
 					struct TCP_Server_Info *server);
 extern void DeleteMidQEntry(struct mid_q_entry *midEntry);
 extern void cifs_delete_mid(struct mid_q_entry *mid);
+extern void cifs_mid_q_entry_release(struct mid_q_entry *midEntry);
 extern void cifs_wake_up_task(struct mid_q_entry *mid);
 extern int cifs_call_async(struct TCP_Server_Info *server,
 			struct smb_rqst *rqst,
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -903,8 +903,11 @@ cifs_demultiplex_thread(void *p)
 		else
 			length = mid_entry->receive(server, mid_entry);
 
-		if (length < 0)
+		if (length < 0) {
+			if (mid_entry)
+				cifs_mid_q_entry_release(mid_entry);
 			continue;
+		}
 
 		if (server->large_buf)
 			buf = server->bigbuf;
@@ -920,6 +923,8 @@ cifs_demultiplex_thread(void *p)
 
 			if (!mid_entry->multiRsp || mid_entry->multiEnd)
 				mid_entry->callback(mid_entry);
+
+			cifs_mid_q_entry_release(mid_entry);
 		} else if (server->ops->is_oplock_break &&
 			   server->ops->is_oplock_break(buf, server)) {
 			cifs_dbg(FYI, "Received oplock break\n");
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -104,6 +104,7 @@ cifs_find_mid(struct TCP_Server_Info *se
 		if (compare_mid(mid->mid, buf) &&
 		    mid->mid_state == MID_REQUEST_SUBMITTED &&
 		    le16_to_cpu(mid->command) == buf->Command) {
+			kref_get(&mid->refcount);
 			spin_unlock(&GlobalMid_Lock);
 			return mid;
 		}
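Review bot: cifs_find_mid() now returns with an extra reference held (the kref_get() under GlobalMid_Lock), which changes its contract for every caller, and nothing documents that. The function's comment should say that the caller owns a reference and must drop it with cifs_mid_q_entry_release(); the same applies to smb2_find_mid().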
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -138,6 +138,7 @@ smb2_find_mid(struct TCP_Server_Info *se
 		if ((mid->mid == hdr->MessageId) &&
 		    (mid->mid_state == MID_REQUEST_SUBMITTED) &&
 		    (mid->command == hdr->Command)) {
+			kref_get(&mid->refcount);
 			spin_unlock(&GlobalMid_Lock);
 			return mid;
 		}
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -531,6 +531,7 @@ smb2_mid_entry_alloc(const struct smb2_h
 		return temp;
 	else {
 		memset(temp, 0, sizeof(struct mid_q_entry));
+		kref_init(&temp->refcount);
 		temp->mid = smb_buffer->MessageId;	/* always LE */
 		temp->pid = current->pid;
 		temp->command = smb_buffer->Command;	/* Always LE */
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -58,6 +58,7 @@ AllocMidQEntry(const struct smb_hdr *smb
 		return temp;
 	else {
 		memset(temp, 0, sizeof(struct mid_q_entry));
+		kref_init(&temp->refcount);
 		temp->mid = get_mid(smb_buffer);
 		temp->pid = current->pid;
 		temp->command = cpu_to_le16(smb_buffer->Command);
@@ -80,6 +81,21 @@ AllocMidQEntry(const struct smb_hdr *smb
 	return temp;
 }
 
+static void _cifs_mid_q_entry_release(struct kref *refcount)
+{
+	struct mid_q_entry *mid = container_of(refcount, struct mid_q_entry,
+					       refcount);
+
+	mempool_free(mid, cifs_mid_poolp);
+}
+
+void cifs_mid_q_entry_release(struct mid_q_entry *midEntry)
+{
+	spin_lock(&GlobalMid_Lock);
+	kref_put(&midEntry->refcount, _cifs_mid_q_entry_release);
+	spin_unlock(&GlobalMid_Lock);
+}
+
 void
 DeleteMidQEntry(struct mid_q_entry *midEntry)
 {
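Review bot: cifs_mid_q_entry_release() takes GlobalMid_Lock itself, so calling it from any context that already holds that spinlock will deadlock, and DeleteMidQEntry() inherits the same restriction through the final hunk. A short comment above the function stating that it must be called without GlobalMid_Lock held would make that explicit.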
@@ -108,7 +124,7 @@ DeleteMidQEntry(struct mid_q_entry *midE
 		}
 	}
 #endif
-	mempool_free(midEntry, cifs_mid_poolp);
+	cifs_mid_q_entry_release(midEntry);
 }
 
 void



* [PATCH 3.16 032/366] iommu/vt-d: Ratelimit each dmar fault printing
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (275 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() Ben Hutchings
                   ` (89 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joerg Roedel, Lu Baolu, Joerg Roedel, Dmitry Safonov,
	David Woodhouse, Ingo Molnar, iommu, Alex Williamson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

commit 6c50d79f66382d78918a768374839d6d1b606d3f upstream.

There is a ratelimit for printing, but it's incremented each time the
cpu receives dmar fault interrupt. While one interrupt may signal about
*many* faults.
So, measuring the impact it turns out that reading/clearing one fault
takes < 1 usec, and printing info about the fault takes ~170 msec.

Having in mind that maximum number of fault recording registers per
remapping hardware unit is 256.. IRQ handler may run for (170*256) msec.
And as fault-serving loop runs without a time limit, during servicing
new faults may occur..

Ratelimit each fault printing rather than each irq printing.

Fixes: commit c43fce4eebae ("iommu/vt-d: Ratelimit fault handler")

BUG: spinlock lockup suspected on CPU#0, CliShell/9903
 lock: 0xffffffff81a47440, .magic: dead4ead, .owner: kworker/u16:2/8915, .owner_cpu: 6
CPU: 0 PID: 9903 Comm: CliShell
Call Trace:$\n'
[..] dump_stack+0x65/0x83$\n'
[..] spin_dump+0x8f/0x94$\n'
[..] do_raw_spin_lock+0x123/0x170$\n'
[..] _raw_spin_lock_irqsave+0x32/0x3a$\n'
[..] uart_chars_in_buffer+0x20/0x4d$\n'
[..] tty_chars_in_buffer+0x18/0x1d$\n'
[..] n_tty_poll+0x1cb/0x1f2$\n'
[..] tty_poll+0x5e/0x76$\n'
[..] do_select+0x363/0x629$\n'
[..] compat_core_sys_select+0x19e/0x239$\n'
[..] compat_SyS_select+0x98/0xc0$\n'
[..] sysenter_dispatch+0x7/0x25$\n'
[..]
NMI backtrace for cpu 6
CPU: 6 PID: 8915 Comm: kworker/u16:2
Workqueue: dmar_fault dmar_fault_work
Call Trace:$\n'
[..] wait_for_xmitr+0x26/0x8f$\n'
[..] serial8250_console_putchar+0x1c/0x2c$\n'
[..] uart_console_write+0x40/0x4b$\n'
[..] serial8250_console_write+0xe6/0x13f$\n'
[..] call_console_drivers.constprop.13+0xce/0x103$\n'
[..] console_unlock+0x1f8/0x39b$\n'
[..] vprintk_emit+0x39e/0x3e6$\n'
[..] printk+0x4d/0x4f$\n'
[..] dmar_fault+0x1a8/0x1fc$\n'
[..] dmar_fault_work+0x15/0x17$\n'
[..] process_one_work+0x1e8/0x3a9$\n'
[..] worker_thread+0x25d/0x345$\n'
[..] kthread+0xea/0xf2$\n'
[..] ret_from_fork+0x58/0x90$\n'

Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Lu Baolu <baolu.lu@linux.intel.com>
Cc: iommu@lists.linux-foundation.org
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/dmar.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1483,17 +1483,13 @@ irqreturn_t dmar_fault(int irq, void *de
 	int reg, fault_index;
 	u32 fault_status;
 	unsigned long flag;
-	bool ratelimited;
 	static DEFINE_RATELIMIT_STATE(rs,
 				      DEFAULT_RATELIMIT_INTERVAL,
 				      DEFAULT_RATELIMIT_BURST);
 
-	/* Disable printing, simply clear the fault when ratelimited */
-	ratelimited = !__ratelimit(&rs);
-
 	raw_spin_lock_irqsave(&iommu->register_lock, flag);
 	fault_status = readl(iommu->reg + DMAR_FSTS_REG);
-	if (fault_status && !ratelimited)
+	if (fault_status && __ratelimit(&rs))
 		pr_err("DRHD: handling fault status reg %x\n", fault_status);
 
 	/* TBD: ignore advanced fault log currently */
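Review bot: the status-register message at `if (fault_status && __ratelimit(&rs))` draws from the same `rs` budget as the per-fault messages in the loop below, so in a fault storm it competes with them for the DEFAULT_RATELIMIT_BURST slots. If the per-fault records are the more useful output, consider giving this line its own ratelimit state.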
@@ -1503,6 +1499,8 @@ irqreturn_t dmar_fault(int irq, void *de
 	fault_index = dma_fsts_fault_record_index(fault_status);
 	reg = cap_fault_reg_offset(iommu->cap);
 	while (1) {
+		/* Disable printing, simply clear the fault when ratelimited */
+		bool ratelimited = !__ratelimit(&rs);
 		u8 fault_reason;
 		u16 source_id;
 		u64 guest_addr;
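Review bot: evaluating __ratelimit(&rs) per iteration bounds the printing cost, but the enclosing `while (1)` is still unbounded, and the commit message itself notes that new faults may occur while the loop is servicing old ones. That is outside what this change sets out to fix, but a comment here recording that the loop relies on faults being cleared faster than they arrive would document the remaining assumption.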



* [PATCH 3.16 031/366] ALSA: hda/ca0132: fix build failure when a local macro is defined
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (360 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 322/366] ALSA: msnd: add some missing curly braces Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 111/366] net/packet: refine check for priv area size Ben Hutchings
                   ` (4 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Takashi Sakamoto, Connor McAdams

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 8e142e9e628975b0dddd05cf1b095331dff6e2de upstream.

DECLARE_TLV_DB_SCALE (alias of SNDRV_CTL_TLVD_DECLARE_DB_SCALE) is used but
tlv.h is not included. This causes build failure when local macro is
defined by comment-out.

This commit fixes the bug. At the same time, the alias macro is replaced
with a destination macro added at a commit 46e860f76804 ("ALSA: rename
TLV-related macros so that they're friendly to user applications")

Reported-by: Connor McAdams <conmanx360@gmail.com>
Fixes: 44f0c9782cc6 ('ALSA: hda/ca0132: Add tuning controls')
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_ca0132.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -38,6 +38,10 @@
 /* Enable this to see controls for tuning purpose. */
 /*#define ENABLE_TUNING_CONTROLS*/
 
+#ifdef ENABLE_TUNING_CONTROLS
+#include <sound/tlv.h>
+#endif
+
 #define FLOAT_ZERO	0x00000000
 #define FLOAT_ONE	0x3f800000
 #define FLOAT_TWO	0x40000000
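Review bot: the `#include <sound/tlv.h>` is made conditional on ENABLE_TUNING_CONTROLS, which adds preprocessor branching for no visible benefit. An unconditional include alongside the file's other includes would be simpler and would not need revisiting if a TLV macro is later used outside the tuning code.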
@@ -3037,8 +3041,8 @@ static int equalizer_ctl_put(struct snd_
 	return 1;
 }
 
-static const DECLARE_TLV_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
-static const DECLARE_TLV_DB_SCALE(eq_db_scale, -2400, 100, 0);
+static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
+static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(eq_db_scale, -2400, 100, 0);
 
 static int add_tuning_control(struct hda_codec *codec,
 				hda_nid_t pnid, hda_nid_t nid,
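Review bot: for the 3.16 backport, the switch from DECLARE_TLV_DB_SCALE to SNDRV_CTL_TLVD_DECLARE_DB_SCALE depends on commit 46e860f76804, which the commit message names as the one that added the new macro. Please confirm that commit is present in linux-3.16.y; because ENABLE_TUNING_CONTROLS is commented out, a missing macro here would not show up in a normal build.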



* [PATCH 3.16 212/366] tty: vt, get rid of weird source code flow
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 259/366] drm/nouveau: Remove bogus crtc check in pmops_runtime_idle Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 352/366] perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ Ben Hutchings
                   ` (329 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Jiri Slaby

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 34902b7f2754e6d890feb0cee34187f1bc75c930 upstream.

Some code in vc_allocate is indented by 4 spaces. It is inside a
condition. Invert the condition and move the code to the first
indentation level (using \tab). And insert some empty lines to have
logical code blocks separated.

Then, instead of freeing in an 'if' false branch, use goto-error
label as fail path.

Maybe better to look at this patch with diff -w -b.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c | 70 +++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 31 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -752,46 +752,54 @@ static void visual_init(struct vc_data *
 
 int vc_allocate(unsigned int currcons)	/* return 0 on success */
 {
+	struct vt_notifier_param param;
+	struct vc_data *vc;
+
 	WARN_CONSOLE_UNLOCKED();
 
 	if (currcons >= MAX_NR_CONSOLES)
 		return -ENXIO;
-	if (!vc_cons[currcons].d) {
-	    struct vc_data *vc;
-	    struct vt_notifier_param param;
-
-	    /* due to the granularity of kmalloc, we waste some memory here */
-	    /* the alloc is done in two steps, to optimize the common situation
-	       of a 25x80 console (structsize=216, screenbuf_size=4000) */
-	    /* although the numbers above are not valid since long ago, the
-	       point is still up-to-date and the comment still has its value
-	       even if only as a historical artifact.  --mj, July 1998 */
-	    param.vc = vc = kzalloc(sizeof(struct vc_data), GFP_KERNEL);
-	    if (!vc)
+
+	if (vc_cons[currcons].d)
+		return 0;
+
+	/* due to the granularity of kmalloc, we waste some memory here */
+	/* the alloc is done in two steps, to optimize the common situation
+	   of a 25x80 console (structsize=216, screenbuf_size=4000) */
+	/* although the numbers above are not valid since long ago, the
+	   point is still up-to-date and the comment still has its value
+	   even if only as a historical artifact.  --mj, July 1998 */
+	param.vc = vc = kzalloc(sizeof(struct vc_data), GFP_KERNEL);
+	if (!vc)
 		return -ENOMEM;
-	    vc_cons[currcons].d = vc;
-	    tty_port_init(&vc->port);
-	    INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
-	    visual_init(vc, currcons, 1);
-	    if (!*vc->vc_uni_pagedir_loc)
+
+	vc_cons[currcons].d = vc;
+	tty_port_init(&vc->port);
+	INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
+
+	visual_init(vc, currcons, 1);
+
+	if (!*vc->vc_uni_pagedir_loc)
 		con_set_default_unimap(vc);
-	    vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
-	    if (!vc->vc_screenbuf) {
-		kfree(vc);
-		vc_cons[currcons].d = NULL;
-		return -ENOMEM;
-	    }
 
-	    /* If no drivers have overridden us and the user didn't pass a
-	       boot option, default to displaying the cursor */
-	    if (global_cursor_default == -1)
-		    global_cursor_default = 1;
-
-	    vc_init(vc, vc->vc_rows, vc->vc_cols, 1);
-	    vcs_make_sysfs(currcons);
-	    atomic_notifier_call_chain(&vt_notifier_list, VT_ALLOCATE, &param);
-	}
+	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+	if (!vc->vc_screenbuf)
+		goto err_free;
+
+	/* If no drivers have overridden us and the user didn't pass a
+	   boot option, default to displaying the cursor */
+	if (global_cursor_default == -1)
+		global_cursor_default = 1;
+
+	vc_init(vc, vc->vc_rows, vc->vc_cols, 1);
+	vcs_make_sysfs(currcons);
+	atomic_notifier_call_chain(&vt_notifier_list, VT_ALLOCATE, &param);
+
 	return 0;
+err_free:
+	kfree(vc);
+	vc_cons[currcons].d = NULL;
+	return -ENOMEM;
 }
 
 static inline int resize_screen(struct vc_data *vc, int width, int height,
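Review bot: in the new err_free path, kfree(vc) runs before vc_cons[currcons].d is reset to NULL, so the table briefly holds a dangling pointer; this matches the old code and is covered by the console lock that WARN_CONSOLE_UNLOCKED() checks, but swapping the two statements would cost nothing. The tty_port_init() and INIT_WORK() done before the screen-buffer allocation are also not undone on this path, again unchanged from before, which deserves a comment now that the label reads as the function's complete unwind.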



* [PATCH 3.16 144/366] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 145/366] ext4: include the illegal physical block in the bad map ext4_error msg Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 256/366] reiserfs: fix buffer overflow with long warning messages Ben Hutchings
                   ` (224 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit ecd012e45ab5fd76ed57546865897ce35920f56b upstream.

pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
'session' may be an Ethernet pseudo-wire.

However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
assumes l2tp_session_priv() points to a pppol2tp_session structure. For
an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
structure instead, making pppol2tp_session_ioctl() access invalid
memory.

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1231,7 +1231,7 @@ static int pppol2tp_tunnel_ioctl(struct
 				l2tp_session_get(sock_net(sk), tunnel,
 						 stats.session_id, true);
 
-			if (session) {
+			if (session && session->pwtype == L2TP_PWTYPE_PPP) {
 				err = pppol2tp_session_ioctl(session, cmd,
 							     arg);
 				if (session->deref)
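Review bot: with the pwtype test folded into `if (session && ...)`, a non-PPP session returned by l2tp_session_get() now skips the whole block, including the cleanup that begins at `if (session->deref)`, so the reference taken by the lookup is not released on that path. The thread index lists 309/366, "l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()", which looks like the follow-up for this; the two should be applied together.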



* [PATCH 3.16 149/366] netfilter: nf_queue: augment nfqa_cfg_policy
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (358 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 354/366] perf script: Use readdir() instead of deprecated readdir_r() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 322/366] ALSA: msnd: add some missing curly braces Ben Hutchings
                   ` (6 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, syzbot, Pablo Neira Ayuso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc upstream.

Three attributes are currently not verified, thus can trigger KMSAN
warnings such as :

BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
CPU: 1 PID: 4521 Comm: syz-executor120 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
 __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
 __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
 __fswab32 include/uapi/linux/swab.h:59 [inline]
 nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
 nfnetlink_rcv_msg+0xb2e/0xc80 net/netfilter/nfnetlink.c:212
 netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
 nfnetlink_rcv+0x2fe/0x680 net/netfilter/nfnetlink.c:513
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fd59
RSP: 002b:00007ffde0e30d28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401680
R13: 0000000000401710 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2753 [inline]
 __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:988 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
 netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: fdb694a01f1f ("netfilter: Add fail-open support")
Fixes: 829e17a1a602 ("[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nfnetlink_queue_core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1039,6 +1039,9 @@ nfqnl_recv_unsupp(struct sock *ctnl, str
 static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
 	[NFQA_CFG_CMD]		= { .len = sizeof(struct nfqnl_msg_config_cmd) },
 	[NFQA_CFG_PARAMS]	= { .len = sizeof(struct nfqnl_msg_config_params) },
+	[NFQA_CFG_QUEUE_MAXLEN]	= { .type = NLA_U32 },
+	[NFQA_CFG_MASK]		= { .type = NLA_U32 },
+	[NFQA_CFG_FLAGS]	= { .type = NLA_U32 },
 };
 
 static const struct nf_queue_handler nfqh = {
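Review bot: the three new entries use `.type = NLA_U32` while NFQA_CFG_CMD and NFQA_CFG_PARAMS above rely on `.len` alone, and nothing in the table explains the expectation. A one-line comment above nfqa_cfg_policy noting that every attribute read in nfqnl_recv_config() needs an entry here would help prevent the same unvalidated read that the KMSAN report shows when another NFQA_CFG_* attribute is added.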



* [PATCH 3.16 108/366] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 168/366] xen-netfront: Remove the meaningless code Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 254/366] mm: do not bug_on on incorrect length in __mm_populate() Ben Hutchings
                   ` (99 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Aneesh Kumar K.V

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>

commit 91d06971881f71d945910de128658038513d1b24 upstream.

Currently we do not have an isync, or any other context synchronizing
instruction prior to the slbie/slbmte in _switch() that updates the
SLB entry for the kernel stack.

However that is not correct as outlined in the ISA.

From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:

  "Changing the contents of ... the contents of SLB entries ... can
   have the side effect of altering the context in which data
   addresses and instruction addresses are interpreted, and in which
   instructions are executed and data accesses are performed.
   ...
   These side effects need not occur in program order, and therefore
   may require explicit synchronization by software.
   ...
   The synchronizing instruction before the context-altering
   instruction ensures that all instructions up to and including that
   synchronizing instruction are fetched and executed in the context
   that existed before the alteration."

And page 1136:

  "For data accesses, the context synchronizing instruction before the
   slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
   that all preceding instructions that access data storage have
   completed to a point at which they have reported all exceptions
   they will cause."

We're not aware of any bugs caused by this, but it should be fixed
regardless.

Add the missing isync when updating kernel stack SLB entry.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
[mpe: Flesh out change log with more ISA text & explanation]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/entry_64.S | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -525,6 +525,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG
 	 * actually hit this code path.
 	 */
 
+	isync
 	slbie	r6
 	slbie	r6		/* Workaround POWER5 < DD2.1 issue */
 	slbmte	r7,r0
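Review bot: the added `isync` carries no comment, while the second `slbie` just below documents its POWER5 workaround. A short comment saying that a context synchronizing instruction is required before slbie/slbmte, as the ISA text quoted in the commit message states, would keep it from being removed later as apparently redundant.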



* [PATCH 3.16 064/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 266/366] random: mix rdrand with entropy sent in from userspace Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 296/366] tracing: Fix possible double free in event_enable_trigger_func() Ben Hutchings
                   ` (148 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Steffen Maier, Benjamin Block

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit d70aab55924b44f213fec2b900b095430b33eec6 upstream.

For problem determination we always want to see when we were invoked on the
terminate_rport_io callback whether we perform something or not.

Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:

loose remote port

t   workqueue
[s] zfcp_q_<dev>       IRQ                 zfcperp<dev>

=== ================== =================== ============================

  0                    recv RSCN
                       q p.test_link_work
    block rport
     start fast_io_fail_tmo
    send ADISC ELS
  4                    recv ADISC fail
                       block zfcp_port
                                           port forced reopen
                                           send open port
 12                    recv open port fail
                                           q p.gid_pn_work
                                           zfcp_erp_wakeup
                                           (zfcp_erp_wait would return)
    GID_PN fail

Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
e.g. with the typical 5 sec setting.

    port.status |= ERP_FAILED

If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.

    workqueue
    fc_dl_<host>
    ==================
 27 fc_timeout_fail_rport_io
    fc_terminate_rport_io
    zfcp_scsi_terminate_rport_io
    zfcp_erp_port_forced_reopen
    _zfcp_erp_port_forced_reopen
     if (port.status & ERP_FAILED)
      return;

Therefore, write a trace before above early return.

Example trace record formatted with zfcpdbf from s390-tools:

Timestamp      : ...
Area           : REC
Subarea        : 00
Level          : 1
Exception      : -
CPU ID         : ..
Caller         : 0x...
Record ID      : 1                      ZFCP_DBF_REC_TRIG
Tag            : sctrpi1                SCSI terminate rport I/O
LUN            : 0xffffffffffffffff                     none (invalid)
WWPN           : 0x<wwpn>
D_ID           : 0x<n_port_id>
Adapter status : 0x...
Port status    : 0x...
LUN status     : 0x00000000                             none (invalid)
Ready count    : 0x...
Running count  : 0x...
ERP want       : 0x03                   ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
ERP need       : 0xe0                   ZFCP_ERP_ACTION_FAILED

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -41,9 +41,13 @@ enum zfcp_erp_steps {
  * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
  * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
  * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
- *			  either of the other enum values.
+ *			  either of the first four enum values.
  *			  Used to indicate that an ERP action could not be
  *			  set up despite a detected need for some recovery.
+ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
+ *			    either of the first four enum values.
+ *			    Used to indicate that ERP not needed because
+ *			    the object has ZFCP_STATUS_COMMON_ERP_FAILED.
  */
 enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
@@ -51,6 +55,7 @@ enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
 	ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
 	ZFCP_ERP_ACTION_NONE		   = 0xc0,
+	ZFCP_ERP_ACTION_FAILED		   = 0xe0,
 };
 
 enum zfcp_erp_act_state {
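Review bot: ZFCP_ERP_ACTION_FAILED = 0xe0 contains every bit of ZFCP_ERP_ACTION_NONE = 0xc0, so a consumer that tests the value with a mask such as `need & ZFCP_ERP_ACTION_NONE` cannot tell the two apart. Comparing for equality works, but the kernel-doc should say these are distinct eyecatcher values rather than independent bits.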
@@ -378,8 +383,12 @@ static void _zfcp_erp_port_forced_reopen
 	zfcp_erp_port_block(port, clear);
 	zfcp_scsi_schedule_rport_block(port);
 
-	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+	if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+		zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
+				  ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+				  ZFCP_ERP_ACTION_FAILED);
 		return;
+	}
 
 	zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
 				port->adapter, port, NULL, id, 0);
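Review bot: the kernel-doc added in the first hunk describes ZFCP_ERP_ACTION_FAILED as a flag to be or-combined with one of the first four enum values, but the call here passes it bare as the last argument of zfcp_dbf_rec_trig(), and the example record in the commit message shows `ERP need : 0xe0`. Either or-combine it with ZFCP_ERP_ACTION_REOPEN_PORT_FORCED or reword the comment to match the usage.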



* [PATCH 3.16 073/366] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 137/366] mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 178/366] Input: elantech - fix V4 report decoding for module with middle key Ben Hutchings
                   ` (362 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit f16041df4c360eccacfe90f96673b37829e4c959 upstream.

HP Z2 G4 requires the same workaround as other HP machines that have
no mic-pin detection.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -3454,6 +3454,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
 	SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),



* [PATCH 3.16 047/366] tty: pl011: Avoid spuriously stuck-off interrupts
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 251/366] binfmt_elf: fix calculations for bss padding Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 255/366] string: drop __must_check from strscpy() Ben Hutchings
                   ` (229 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Martin, Greg Kroah-Hartman, Wei Xu, Linus Walleij,
	Russell King, Peter Maydell

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 4a7e625ce50412a7711efa0f2ef0b96ce3826759 upstream.

Commit 9b96fbacda34 ("serial: PL011: clear pending interrupts")
clears the RX and receive timeout interrupts on pl011 startup, to
avoid a screaming-interrupt scenario that can occur when the
firmware or bootloader leaves these interrupts asserted.

This has been noted as an issue when running Linux on qemu [1].

Unfortunately, the above fix seems to lead to potential
misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously
on driver startup, if the RX FIFO is also already full to the
trigger level.

Clearing the RX FIFO interrupt does not change the FIFO fill level.
In this scenario, because the interrupt is now clear and because
the FIFO is already full to the trigger level, no new assertion of
the RX FIFO interrupt can occur unless the FIFO is drained back
below the trigger level.  This never occurs because the pl011
driver is waiting for an RX FIFO interrupt to tell it that there is
something to read, and does not read the FIFO at all until that
interrupt occurs.

Thus, simply clearing "spurious" interrupts on startup may be
misguided, since there is no way to be sure that the interrupts are
truly spurious, and things can go wrong if they are not.

This patch instead clears the interrupt condition by draining the
RX FIFO during UART startup, after clearing any potentially
spurious interrupt.  This should ensure that an interrupt will
definitely be asserted if the RX FIFO subsequently becomes
sufficiently full.

The drain is done at the point of enabling interrupts only.  This
means that it will occur any time the UART is newly opened through
the tty layer.  It will not apply to polled-mode use of the UART by
kgdboc: since that scenario cannot use interrupts by design, this
should not matter.  kgdboc will interact badly with "normal" use of
the UART in any case: this patch makes no attempt to paper over
such issues.

This patch does not attempt to address the case where the RX FIFO
fills faster than it can be drained: that is a pathological
hardware design problem that is beyond the scope of the driver to
work around.  As a failsafe, the number of poll iterations for
draining the FIFO is limited to twice the FIFO size.  This will
ensure that the kernel at least boots even if it is impossible to
drain the FIFO for some reason.

[1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo
before enabled the interruption
https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.html

Reported-by: Wei Xu <xuwei5@hisilicon.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>
Fixes: 9b96fbacda34 ("serial: PL011: clear pending interrupts")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Tested-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Open-code pl011_read()
 - s/REG_/UART01x_/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/amba-pl011.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -1531,6 +1531,7 @@ static int pl011_startup(struct uart_por
 	struct uart_amba_port *uap = (struct uart_amba_port *)port;
 	unsigned int cr, lcr_h, fbrd, ibrd;
 	int retval;
+	unsigned int i;
 
 	retval = pl011_hwinit(port);
 	if (retval)
@@ -1595,6 +1596,20 @@ static int pl011_startup(struct uart_por
 	/* Clear out any spuriously appearing RX interrupts */
 	 writew(UART011_RTIS | UART011_RXIS,
 		uap->port.membase + UART011_ICR);
+
+	/*
+	 * RXIS is asserted only when the RX FIFO transitions from below
+	 * to above the trigger threshold.  If the RX FIFO is already
+	 * full to the threshold this can't happen and RXIS will now be
+	 * stuck off.  Drain the RX FIFO explicitly to fix this:
+	 */
+	for (i = 0; i < uap->fifosize * 2; ++i) {
+		if (readw(uap->port.membase + UART01x_FR) & UART01x_FR_RXFE)
+			break;
+
+		readw(uap->port.membase + UART01x_DR);
+	}
+
 	uap->im = UART011_RTIM;
 	if (!pl011_dma_rx_running(uap))
 		uap->im |= UART011_RXIM;
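Review bot: the drain loop gives up silently once `i` reaches `uap->fifosize * 2`; if the RX FIFO is still not empty at that point, RXIS can remain stuck off and nothing in the log says so. The in-code comment explains why the drain is needed but not why the bound is twice the FIFO size (only the commit message does), so a sentence on the bound belongs there, and a one-time warning when the bound is hit would help whoever debugs a silent console later. The values read from UART01x_DR are discarded; it is worth stating in the comment that this is intended.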


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 193/366] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (283 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 348/366] MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA Ben Hutchings
                   ` (81 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b41f794f284966fd6ec634111e3b40d241389f96 upstream.

The kernel may spew a WARNING about UBSAN undefined behavior at
handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:

UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
signed integer overflow:
2147483647 + 1 cannot be represented in type 'int'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x122/0x1c8 lib/dump_stack.c:113
 ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
 handle_overflow+0x1c2/0x21f lib/ubsan.c:190
 __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
 snd_timer_user_next_device sound/core/timer.c:1524 [inline]
 __snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
 snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
 ....

It happens only when a value with INT_MAX is passed, as we're
incrementing it unconditionally.  So the fix is trivial, check the
value with INT_MAX.  Although the bug itself is fairly harmless, it's
better to fix it so that fuzzers won't hit this again later.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213
Reported-and-tested-by: Team OWL337 <icytxw@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1476,7 +1476,7 @@ static int snd_timer_user_next_device(st
 					} else {
 						if (id.subdevice < 0) {
 							id.subdevice = 0;
-						} else {
+						} else if (id.subdevice < INT_MAX) {
 							id.subdevice++;
 						}
 					}
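Review bot: with the new `else if (id.subdevice < INT_MAX)` a request carrying id.subdevice == INT_MAX now leaves the value unchanged instead of advancing it, so whatever consumes id.subdevice next sees the caller's value rather than the following one. A one-line comment saying the saturation is deliberate would make that clear; the code that uses the value afterwards is outside this hunk, so it is not visible here how it treats INT_MAX.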


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 068/366] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Ben Hutchings
                   ` (156 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mikulas Patocka, Dave Airlie

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 99ec9e77511dea55d81729fc80b6c63a61bfa8e0 upstream.

The displaylink hardware has such a peculiarity that it doesn't render a
command until next command is received. This produces occasional
corruption, such as when setting 22x11 font on the console, only the first
line of the cursor will be blinking if the cursor is located at some
specific columns.

When we end up with a repeating pixel, the driver has a bug that it leaves
one uninitialized byte after the command (and this byte is enough to flush
the command and render it - thus it fixes the screen corruption), however
when we end up with a non-repeating pixel, there is no byte appended and
this results in temporary screen corruption.

This patch fixes the screen corruption by always appending a byte 0xAF at
the end of URB. It also removes the uninitialized byte.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/udl/udl_fb.c       |  5 ++++-
 drivers/gpu/drm/udl/udl_transfer.c | 11 +++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -234,7 +234,10 @@ int udl_handle_damage(struct udl_framebu
 
 	if (cmd > (char *) urb->transfer_buffer) {
 		/* Send partial buffer remaining before exiting */
-		int len = cmd - (char *) urb->transfer_buffer;
+		int len;
+		if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length)
+			*cmd++ = 0xAF;
+		len = cmd - (char *) urb->transfer_buffer;
 		ret = udl_submit_urb(dev, urb, len);
 		bytes_sent += len;
 	} else
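Review bot: `*cmd++ = 0xAF;` is a bare magic number, and the byte is silently skipped when `cmd` already sits at the end of the transfer buffer, in which case the URB goes out without the flush byte the commit message relies on. A comment naming what 0xAF means to the device, plus a note on why the full-buffer case is acceptable (the udl_transfer.c change appears to reserve one byte with `cmd_buffer_end - 1`), would make this self-explanatory. The declaration `int len;` is also followed directly by a statement with no blank line in between.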
--- a/drivers/gpu/drm/udl/udl_transfer.c
+++ b/drivers/gpu/drm/udl/udl_transfer.c
@@ -149,11 +149,11 @@ static void udl_compress_hline16(
 		raw_pixels_count_byte = cmd++; /*  we'll know this later */
 		raw_pixel_start = pixel;
 
-		cmd_pixel_end = pixel + (min(MAX_CMD_PIXELS + 1,
-			min((int)(pixel_end - pixel) / bpp,
-			    (int)(cmd_buffer_end - cmd) / 2))) * bpp;
+		cmd_pixel_end = pixel + min3(MAX_CMD_PIXELS + 1UL,
+					(unsigned long)(pixel_end - pixel) / bpp,
+					(unsigned long)(cmd_buffer_end - 1 - cmd) / 2) * bpp;
 
-		prefetch_range((void *) pixel, (cmd_pixel_end - pixel) * bpp);
+		prefetch_range((void *) pixel, cmd_pixel_end - pixel);
 
 		while (pixel < cmd_pixel_end) {
 			const u8 *const start = pixel;
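Review bot: in the new `min3()` the third argument casts `cmd_buffer_end - 1 - cmd` to unsigned long, so if `cmd` can ever reach `cmd_buffer_end` here the negative difference becomes a very large value and no longer limits the span (the old `(int)` cast kept it negative). The loop guard is outside this hunk; please confirm it guarantees `cmd < cmd_buffer_end - 1` at this point, or clamp before the cast. The `prefetch_range()` change, which drops the extra `* bpp` on what is already a byte difference, is a separate correction and deserves a line in the commit message.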
@@ -193,6 +193,9 @@ static void udl_compress_hline16(
 		if (pixel > raw_pixel_start) {
 			/* finalize last RAW span */
 			*raw_pixels_count_byte = ((pixel-raw_pixel_start) / bpp) & 0xFF;
+		} else {
+			/* undo unused byte */
+			cmd--;
 		}
 
 		*cmd_pixels_count_byte = ((pixel - cmd_pixel_start) / bpp) & 0xFF;
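Review bot: `cmd--` in the new else branch is correct only while the reserved raw-count byte is the last byte written to the command buffer. The comment "undo unused byte" does not say which byte; naming `raw_pixels_count_byte` there would state the invariant and protect it from later edits to the loop above, which is outside this hunk.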


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 184/366] vhost_net: validate sock before trying to put its fd
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 336/366] gcov: add support for GCC 5.1 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 127/366] fs/binfmt_misc.c: do not allow offset overflow Ben Hutchings
                   ` (275 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dan Carpenter, Jason Wang

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Wang <jasowang@redhat.com>

commit b8f1f65882f07913157c44673af7ec0b308d03eb upstream.

Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when
we meet errors during ubuf allocation, the code does not check for
NULL before calling sockfd_put(), this will lead to NULL
dereferencing. Fix by checking the sock pointer before.

Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vhost/net.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -983,7 +983,8 @@ err_used:
 	if (ubufs)
 		vhost_net_ubuf_put_wait_and_free(ubufs);
 err_ubufs:
-	sockfd_put(sock);
+	if (sock)
+		sockfd_put(sock);
 err_vq:
 	mutex_unlock(&vq->mutex);
 err:
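Review bot: the new `if (sock)` guard at err_ubufs carries no comment saying when sock is legitimately NULL; per the commit message that is the case where -1 is passed as the fd, and a one-line comment at the label would stop a later cleanup from removing the check as redundant. The unchanged context guards the previous cleanup step with `if (ubufs)` in the same way, so the style is consistent.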


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 185/366] ipv6: mcast: fix unsolicited report interval after receiving querys
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 321/366] xen/netfront: don't cache skb_shinfo() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 339/366] KVM: x86: fix escape of guest dr6 to the host Ben Hutchings
                   ` (284 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Hangbin Liu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 6c6da92808442908287fae8ebb0ca041a52469f4 upstream.

After receiving MLD queries, we update idev->mc_maxdelay with max_delay
from the query header. This makes the later unsolicited reports have the same
interval as mc_maxdelay, which means we may send unsolicited reports with
a long interval time instead of the default configured interval time.

Also, as we will not call ipv6_mc_reset() after device up, this issue will
be there even after leaving the group and joining other groups.

Fixes: fc4eba58b4c14 ("ipv6: make unsolicited report intervals configurable for mld")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/mcast.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -2058,7 +2058,8 @@ void ipv6_mc_dad_complete(struct inet6_d
 		mld_send_initial_cr(idev);
 		idev->mc_dad_count--;
 		if (idev->mc_dad_count)
-			mld_dad_start_timer(idev, idev->mc_maxdelay);
+			mld_dad_start_timer(idev,
+					    unsolicited_report_interval(idev));
 	}
 }
 
@@ -2070,7 +2071,8 @@ static void mld_dad_timer_expire(unsigne
 	if (idev->mc_dad_count) {
 		idev->mc_dad_count--;
 		if (idev->mc_dad_count)
-			mld_dad_start_timer(idev, idev->mc_maxdelay);
+			mld_dad_start_timer(idev,
+					    unsolicited_report_interval(idev));
 	}
 	in6_dev_put(idev);
 }
@@ -2428,7 +2430,8 @@ static void mld_ifc_timer_expire(unsigne
 	if (idev->mc_ifc_count) {
 		idev->mc_ifc_count--;
 		if (idev->mc_ifc_count)
-			mld_ifc_start_timer(idev, idev->mc_maxdelay);
+			mld_ifc_start_timer(idev,
+					    unsolicited_report_interval(idev));
 	}
 	in6_dev_put(idev);
 }
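Review bot: the same substitution of `unsolicited_report_interval(idev)` for `idev->mc_maxdelay` is made here and in the two hunks above, but none of the three call sites gains a comment saying why the query-derived mc_maxdelay must not be used for these retransmit timers. A short comment at one of them, or a small helper wrapping the call, would keep the three sites from drifting apart again.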


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 068/366] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 337/366] gcov: add support for gcc version >= 6 Ben Hutchings
                   ` (155 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Rivshin, Rabin Vincent, David Rivshin,
	Daniel Thompson, Russell King

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Rivshin <DRivshin@allworx.com>

commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.

NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
is the number of total registers, while GDB_MAX_REGS is the number
of 'unsigned longs' it takes to serialize those registers. Since
FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
smaller than GDB_MAX_REGS.

This causes GDB 8.0 to give the following error on connect:
"Truncated register 19 in remote 'g' packet"

This also causes the register serialization/deserialization logic
to overflow gdb_regs[], overwriting whatever follows.

Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
Signed-off-by: David Rivshin <drivshin@allworx.com>
Acked-by: Rabin Vincent <rabin@rab.in>
Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/kgdb.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/include/asm/kgdb.h
+++ b/arch/arm/include/asm/kgdb.h
@@ -76,7 +76,7 @@ extern int kgdb_fault_expected;
 
 #define KGDB_MAX_NO_CPUS	1
 #define BUFMAX			400
-#define NUMREGBYTES		(DBG_MAX_REG_NUM << 2)
+#define NUMREGBYTES		(GDB_MAX_REGS << 2)
 #define NUMCRITREGBYTES		(32 << 2)
 
 #define _R0			0
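Review bot: `NUMREGBYTES` still hard-codes the element size as `<< 2`; since the commit message defines GDB_MAX_REGS as a count of unsigned longs, `(GDB_MAX_REGS * sizeof(unsigned long))` would state the intent directly and follow the element type of gdb_regs[]. NUMCRITREGBYTES on the next line uses the same shift, so this can reasonably be left for a follow-up to keep the backport minimal.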


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 152/366] mtd: rawnand: mxc: set spare area size register explicitly Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Ben Hutchings
                   ` (202 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Carlos Barcala Lara

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 24160628a34af962ac99f2f58e547ac3c4cbd26f upstream.

Add device ids for CESINEL products.

Reported-by: Carlos Barcala Lara <cabl@cesinel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -91,6 +91,9 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
 	{ USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
 	{ USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
+	{ USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */
+	{ USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */
+	{ USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */
 	{ USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */
 	{ USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */
 	{ USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */
@@ -108,6 +111,9 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
 	{ USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
 	{ USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
+	{ USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */
+	{ USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */
+	{ USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */
 	{ USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */
 	{ USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
 	{ USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
@@ -120,7 +126,9 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
 	{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
 	{ USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
+	{ USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */
 	{ USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
+	{ USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */
 	{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
 	{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
 	{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
@@ -130,10 +138,13 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8857) },	/* CEL EM357 ZigBee USB Stick */
 	{ USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
 	{ USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
+	{ USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */
+	{ USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */
 	{ USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
 	{ USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
 	{ USB_DEVICE(0x10C4, 0x8977) },	/* CEL MeshWorks DevKit Device */
 	{ USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
+	{ USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
 	{ USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
 	{ USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
 	{ USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
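Review bot: the entries added in this hunk for 0x88FB and 0x8938 are commented "MEDCAL STII" and "MEDCAL S II", which differ only by spacing; please confirm these are two distinct products and not one name written two ways, since the comment is the only documentation for each ID. The additions across all four hunks keep the table in ascending product-ID order.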


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 103/366] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 217/366] ext4: check superblock mapped prior to committing Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 311/366] root dentries need RCU-delayed freeing Ben Hutchings
                   ` (248 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Trond Myklebust, Stephen Johnston, Dave Wysochanski

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Wysochanski <dwysocha@redhat.com>

commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream.

In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
is a stack char array variable of length NFS_UINT_MAXLEN == 11.
If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
overflows into a negative value, for example:
crash> p (unsigned) (0x80000000)
$1 = 2147483648
crash> p (signed) (0x80000000)
$2 = -2147483648
The '-' sign is written to the buffer and this causes a 1 byte overflow
when the NULL byte is written, which corrupts kernel stack memory.  If
CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:

[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G        W      ------------ T 3.10.0-514.el7.x86_64 #1
[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
[11558053.644462]  ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
[11558053.646430]  ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
[11558053.648313]  ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
[11558053.650107] Call Trace:
[11558053.651347]  [<ffffffff81685eac>] dump_stack+0x19/0x1b
[11558053.653013]  [<ffffffff8167f2b3>] panic+0xe3/0x1f2
[11558053.666240]  [<ffffffff811dcb03>] ? kfree+0x103/0x140
[11558053.682589]  [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.689710]  [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
[11558053.691619]  [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
[11558053.693867]  [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
[11558053.695763]  [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
[11558053.702236]  [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
[11558053.704215]  [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
[11558053.709674]  [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b

Fix this by calling the internally defined nfs_map_numeric_to_string()
function which properly uses '%u' to convert this __u32.  For consistency,
also replace the one other place where snprintf is called.

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reported-by: Stephen Johnston <sjohnsto@redhat.com>
Fixes: cf4ab538f1516 ("NFSv4: Fix the string length returned by the idmapper")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/idmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -339,7 +339,7 @@ static ssize_t nfs_idmap_lookup_name(__u
 	int id_len;
 	ssize_t ret;
 
-	id_len = snprintf(id_str, sizeof(id_str), "%u", id);
+	id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
 	ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
 	if (ret < 0)
 		return -EINVAL;
@@ -636,7 +636,8 @@ static int nfs_idmap_read_and_verify_mes
 		if (strcmp(upcall->im_name, im->im_name) != 0)
 			break;
 		/* Note: here we store the NUL terminator too */
-		len = sprintf(id_str, "%d", im->im_id) + 1;
+		len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
+						    sizeof(id_str));
 		ret = nfs_idmap_instantiate(key, authkey, id_str, len);
 		break;
 	case IDMAP_CONV_IDTONAME:
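Review bot: `len = 1 + nfs_map_numeric_to_string(...)` passes `sizeof(id_str)` to the helper but does not check the returned length against that size before handing `len` to nfs_idmap_instantiate(). With a 32-bit id and the 11-byte buffer described in the commit message the "%u" output always fits (at most 10 digits plus the NUL), so this is safe as written; a comment or a BUILD_BUG_ON tying the buffer size to the id width would keep it safe if either one changes. The same applies to `id_len` in the first hunk.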


^ permalink raw reply	[flat|nested] 376+ messages in thread
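The one-byte overflow described in the NFSv4 idmap message above, measured in user space as an added example that is not part of the patch or the kernel source. The helper names are hypothetical, NFS_UINT_MAXLEN is the value quoted in the commit message, and the boundary ids are constructed.

```c
/* Added illustration (user space); helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS_UINT_MAXLEN 11	/* size of id_str, as quoted in the commit message */

/*
 * Bytes the old code stores for an id: the "%d" text plus the NUL.
 * snprintf(NULL, 0, ...) only measures, so nothing is overflowed here.
 * The cast mirrors what "%d" does with a __u32 >= 0x80000000 on the
 * two's-complement targets Linux runs on: the value wraps negative.
 */
static int bytes_written_signed(uint32_t id)
{
	return snprintf(NULL, 0, "%d", (int)id) + 1;
}

/* Same measurement for the "%u" conversion the fix switches to. */
static int bytes_written_unsigned(uint32_t id)
{
	return snprintf(NULL, 0, "%u", (unsigned int)id) + 1;
}

/* 1 if the old "%d" conversion would write past an NFS_UINT_MAXLEN buffer. */
static int overflows_id_str(uint32_t id)
{
	return bytes_written_signed(id) > NFS_UINT_MAXLEN;
}

/*
 * Bounded conversion: returns the string length (without the NUL), or -1
 * if the buffer is too small, instead of trusting the caller's sizing.
 */
static int id_to_string(uint32_t id, char *buf, size_t buflen)
{
	int n = snprintf(buf, buflen, "%u", (unsigned int)id);

	if (n < 0 || (size_t)n >= buflen)
		return -1;
	return n;
}

int main(void)
{
	/* Constructed boundary values, not taken from the bug report. */
	static const uint32_t ids[] = {
		0u, 0x7fffffffu, 0x80000000u,
		3294967296u, 3294967297u, 0xffffffffu,
	};
	char id_str[NFS_UINT_MAXLEN];
	size_t i;

	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		int n = id_to_string(ids[i], id_str, sizeof(id_str));

		printf("id=%-10u  %%d needs %2d bytes (%s)  %%u -> \"%s\" (%d chars)\n",
		       (unsigned int)ids[i], bytes_written_signed(ids[i]),
		       overflows_id_str(ids[i]) ? "overflow" : "fits",
		       n < 0 ? "?" : id_str, n);
	}
	return 0;
}
```

Only ids from 2147483648 through 3294967296 need 12 bytes under "%d"; larger ids wrap to negative numbers with fewer digits and fit again, which is why the bug shows up only for part of the high uid/gid range.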

* [PATCH 3.16 203/366] block: Fix transfer when chunk sectors exceeds max
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (259 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 329/366] dm bufio: drop the lock when doing GFP_NOIO allocation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 333/366] HID: reject input outside logical range only if null state is set Ben Hutchings
                   ` (105 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jens Axboe, Jitendra Bhivare, Martin K. Petersen, Keith Busch

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Keith Busch <keith.busch@intel.com>

commit 15bfd21fbc5d35834b9ea383dc458a1f0c9e3434 upstream.

A device may have boundary restrictions where the number of sectors
between boundaries exceeds its max transfer size. In this case, we need
to cap the max size to the smaller of the two limits.

Reported-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Tested-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Keith Busch <keith.busch@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/blkdev.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -929,8 +929,8 @@ static inline unsigned int blk_max_size_
 	if (!q->limits.chunk_sectors)
 		return q->limits.max_sectors;
 
-	return q->limits.chunk_sectors -
-			(offset & (q->limits.chunk_sectors - 1));
+	return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
+			(offset & (q->limits.chunk_sectors - 1))));
 }
 
 static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
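Review bot: the `(unsigned int)` cast inside `min()` is there only to satisfy its type check; `min_t(unsigned int, q->limits.max_sectors, ...)` is the usual kernel spelling and avoids the nested parentheses that now span two lines. The cast also narrows the chunk remainder; the types of `offset` and `chunk_sectors` are not visible in this hunk, so a short comment that the remainder is always below chunk_sectors would justify the narrowing.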


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 051/366] rpmsg: Correct support for MODULE_DEVICE_TABLE()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (290 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 306/366] squashfs: more metadata hardening Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 340/366] iio: iio-trig-periodic-rtc: Free trigger resource correctly Ben Hutchings
                   ` (74 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Andrew F. Davis, Suman Anna

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Andrew F. Davis" <afd@ti.com>

commit 5b7d127726de6eed4b900bc3bbb167837690818f upstream.

Due to a missing entry in file2alias.c, MODULE_DEVICE_TABLE() is not
generating the proper module aliases. Add the needed entry here.

Fixes: bcabbccabffe ("rpmsg: add virtio-based remote processor messaging bus")
Reported-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/mod/devicetable-offsets.c |  3 +++
 scripts/mod/file2alias.c          | 11 +++++++++++
 2 files changed, 14 insertions(+)

--- a/scripts/mod/devicetable-offsets.c
+++ b/scripts/mod/devicetable-offsets.c
@@ -136,6 +136,9 @@ int main(void)
 	DEVID(hv_vmbus_device_id);
 	DEVID_FIELD(hv_vmbus_device_id, guid);
 
+	DEVID(rpmsg_device_id);
+	DEVID_FIELD(rpmsg_device_id, name);
+
 	DEVID(i2c_device_id);
 	DEVID_FIELD(i2c_device_id, name);
 
--- a/scripts/mod/file2alias.c
+++ b/scripts/mod/file2alias.c
@@ -884,6 +884,17 @@ static int do_vmbus_entry(const char *fi
 }
 ADD_TO_DEVTABLE("vmbus", hv_vmbus_device_id, do_vmbus_entry);
 
+/* Looks like: rpmsg:S */
+static int do_rpmsg_entry(const char *filename, void *symval,
+			  char *alias)
+{
+	DEF_FIELD_ADDR(symval, rpmsg_device_id, name);
+	sprintf(alias, RPMSG_DEVICE_MODALIAS_FMT, *name);
+
+	return 1;
+}
+ADD_TO_DEVTABLE("rpmsg", rpmsg_device_id, do_rpmsg_entry);
+
 /* Looks like: i2c:S */
 static int do_i2c_entry(const char *filename, void *symval,
 			char *alias)
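Review bot: `sprintf(alias, RPMSG_DEVICE_MODALIAS_FMT, *name);` in do_rpmsg_entry() writes with no bound into `alias`, whose size is not visible in this hunk. This is a build-time host tool and `name` comes from a device-table field, so the input is constrained, but a bounded write, or a comment stating the maximum alias length this format can produce, would make the assumption checkable. The "Looks like: rpmsg:S" comment could also say what S stands for.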


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 152/366] mtd: rawnand: mxc: set spare area size register explicitly
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 142/366] cfg80211: initialize sinfo in cfg80211_get_station Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids Ben Hutchings
                   ` (203 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Boris Brezillon, Martin Kaiser, Sascha Hauer, Miquel Raynal

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kaiser <martin@kaiser.cx>

commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream.

The v21 version of the NAND flash controller contains a Spare Area Size
Register (SPAS) at offset 0x10. Its setting defaults to the maximum
spare area size of 218 bytes. The size that is set in this register is
used by the controller when it calculates the ECC bytes internally in
hardware.

Usually, this register is updated from settings in the IIM fuses when
the system is booting from NAND flash. For other boot media, however,
the SPAS register remains at the default setting, which may not work for
the particular flash chip on the board. The same goes for flash chips
whose configuration cannot be set in the IIM fuses (e.g. chips with 2k
sector size and 128 bytes spare area size can't be configured in the IIM
fuses on imx25 systems).

Set the SPAS register explicitly during the preset operation. Derive the
register value from mtd->oobsize that was detected during probe by
decoding the flash chip's ID bytes.

While at it, rename the define for the spare area register's offset to
NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is
different from the register on v21 controllers.

Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset")
Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/mxc_nand.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/mxc_nand.c
+++ b/drivers/mtd/nand/mxc_nand.c
@@ -49,7 +49,7 @@
 #define NFC_V1_V2_CONFIG		(host->regs + 0x0a)
 #define NFC_V1_V2_ECC_STATUS_RESULT	(host->regs + 0x0c)
 #define NFC_V1_V2_RSLTMAIN_AREA		(host->regs + 0x0e)
-#define NFC_V1_V2_RSLTSPARE_AREA	(host->regs + 0x10)
+#define NFC_V21_RSLTSPARE_AREA		(host->regs + 0x10)
 #define NFC_V1_V2_WRPROT		(host->regs + 0x12)
 #define NFC_V1_UNLOCKSTART_BLKADDR	(host->regs + 0x14)
 #define NFC_V1_UNLOCKEND_BLKADDR	(host->regs + 0x16)
@@ -958,6 +958,9 @@ static void preset_v2(struct mtd_info *m
 	writew(config1, NFC_V1_V2_CONFIG1);
 	/* preset operation */
 
+	/* spare area size in 16-bit half-words */
+	writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
+
 	/* Unlock the internal RAM Buffer */
 	writew(0x2, NFC_V1_V2_CONFIG);
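Review bot: The added writew() in preset_v2() takes its value from mtd->oobsize, which is only meaningful once the flash chip has been identified; if preset_v2() can also run before identification (for example on the first reset), this programs a spare area size of 0 into the register until preset is run again. Either skip the write while mtd->oobsize is 0 or extend the comment to say the value is only valid on the post-probe preset call. The write is also unconditional, so it is worth confirming that preset_v2() is only ever used for v21 controllers, given that the commit message says offset 0x10 is a different register on v1.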
 


* [PATCH 3.16 085/366] usb: gadget: function: printer: avoid spinlock recursion
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Yoshihiro Shimoda

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 9ada8c582088d32bd5c071c17213bc6edf37443a upstream.

If usb_gadget_giveback_request() is called in usb_ep_queue(),
this printer_write() can cause spinlock recursion. So,
this patch adds spin_unlock() before calling usb_ep_queue() to avoid it.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/printer.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/printer.c
+++ b/drivers/usb/gadget/printer.c
@@ -587,6 +587,7 @@ printer_write(struct file *fd, const cha
 	size_t			size;	/* Amount of data in a TX request. */
 	size_t			bytes_copied = 0;
 	struct usb_request	*req;
+	int			value;
 
 	DBG(dev, "printer_write trying to send %d bytes\n", (int)len);
 
@@ -666,7 +667,11 @@ printer_write(struct file *fd, const cha
 			return -EAGAIN;
 		}
 
-		if (usb_ep_queue(dev->in_ep, req, GFP_ATOMIC)) {
+		/* here, we unlock, and only unlock, to avoid deadlock. */
+		spin_unlock(&dev->lock);
+		value = usb_ep_queue(dev->in_ep, req, GFP_ATOMIC);
+		spin_lock(&dev->lock);
+		if (value) {
 			list_add(&req->list, &dev->tx_reqs);
 			spin_unlock_irqrestore(&dev->lock, flags);
 			mutex_unlock(&dev->lock_printer_io);
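Review bot: Dropping dev->lock around usb_ep_queue() opens a window in which the completion path named in the commit message (usb_gadget_giveback_request() called from inside usb_ep_queue()) can run and touch req before the lock is retaken, and nothing after spin_lock(&dev->lock) rechecks state before req is used again, for example by list_add(&req->list, &dev->tx_reqs) on failure. Any list insertion that marks the request as in flight should happen before the unlock so the completion handler sees a consistent list. The comment "we unlock, and only unlock" should also say that interrupts stay disabled across the call because the lock was taken with the irqsave variant, as the spin_unlock_irqrestore(&dev->lock, flags) on the error path shows.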


* [PATCH 3.16 072/366] m68k: Implement ndelay() as an inline function to force type checking/casting
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Geert Uytterhoeven, Miquel Raynal, Boris Brezillon

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <boris.brezillon@bootlin.com>

commit d8441ba80c55aad435e4b98fe0d7ad5d21e46bf9 upstream.

ndelay() is supposed to take an unsigned long, but if you define
ndelay() as a macro and the caller passes an unsigned long long instead
of an unsigned long, the unsigned long long to unsigned long cast is
not done and we end up with an "undefined reference to `__udivdi3'"
error at link time.

Fix that by making ndelay() an inline function and then defining a dummy
ndelay() macro that redirects to the ndelay() function (this is how most
archs implement ndelay()).

Fixes: c8ee038bd148 ("m68k: Implement ndelay() based on the existing udelay() logic")
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
[geert: Remove comment now it is no longer a macro]
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/m68k/include/asm/delay.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/m68k/include/asm/delay.h
+++ b/arch/m68k/include/asm/delay.h
@@ -48,8 +48,6 @@ extern void __bad_udelay(void);
  * The simpler m68k and ColdFire processors do not have a 32*32->64
  * multiply instruction. So we need to handle them a little differently.
  * We use a bit of shifting and a single 32*32->32 multiply to get close.
- * This is a macro so that the const version can factor out the first
- * multiply and shift.
  */
 #define	HZSCALE		(268435456 / (1000000 / HZ))
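Review bot: The sentence removed here belongs to the comment above the first HZSCALE define (hunk context __bad_udelay, line 48), but the macro that stops being a macro is ndelay(), which sits below the second HZSCALE define near line 114. Check that the "This is a macro ..." sentence is being dropped from the comment that documents ndelay() and not from the one near line 48.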
 
@@ -114,6 +112,13 @@ static inline void __udelay(unsigned lon
  */
 #define	HZSCALE		(268435456 / (1000000 / HZ))
 
-#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000))
+static inline void ndelay(unsigned long nsec)
+{
+	__delay(DIV_ROUND_UP(nsec *
+			     ((((HZSCALE) >> 11) *
+			       (loops_per_jiffy >> 11)) >> 6),
+			     1000));
+}
+#define ndelay(n) ndelay(n)
 
 #endif /* defined(_M68K_DELAY_H) */
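Review bot: ndelay() now takes unsigned long, so a caller passing unsigned long long is silently truncated at the call, and the product of nsec and the scaled loops_per_jiffy term is computed in unsigned long and can wrap for large nsec before DIV_ROUND_UP() runs. That trades the __udivdi3 link error for a silently short delay, so a comment stating the supported range, or a clamp on nsec, would help callers. The self-referential "#define ndelay(n) ndelay(n)" also deserves a one-line comment saying it exists so that generic code testing whether ndelay is defined picks up this version.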


* [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Gleixner, Borislav Petkov, Tony Luck

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 1f74c8a64798e2c488f86efc97e308b85fb7d7aa upstream.

mce_no_way_out() does a quick check during #MC to see whether some of
the MCEs logged would require the kernel to panic immediately. And it
passes a struct mce where MCi_STATUS gets written.

However, after having saved a valid status value, the next iteration
of the loop which goes over the MCA banks on the CPU, overwrites the
valid status value because we're using struct mce as storage instead of
a temporary variable.

Which leads to MCE records with an empty status value:

  mce: [Hardware Error]: CPU 0: Machine Check Exception: 6 Bank 0: 0000000000000000
  mce: [Hardware Error]: RIP 10:<ffffffffbd42fbd7> {trigger_mce+0x7/0x10}

In order to prevent the loss of the status register value, return
immediately when severity is a panic one so that we can panic
immediately with the first fatal MCE logged. This is also the intention
of this function and not to noodle over the banks while a fatal MCE is
already logged.

Tony: read the rest of the MCA bank to populate the struct mce fully.

Suggested-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20180622095428.626-8-bp@alien8.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/mcheck/mce.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -666,23 +666,25 @@ EXPORT_SYMBOL_GPL(machine_check_poll);
 static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
 			  struct pt_regs *regs)
 {
-	int i, ret = 0;
 	char *tmp;
+	int i;
 
 	for (i = 0; i < mca_cfg.banks; i++) {
 		m->status = mce_rdmsrl(MSR_IA32_MCx_STATUS(i));
-		if (m->status & MCI_STATUS_VAL) {
-			__set_bit(i, validp);
-			if (quirk_no_way_out)
-				quirk_no_way_out(i, m, regs);
-		}
+		if (!(m->status & MCI_STATUS_VAL))
+			continue;
+
+		__set_bit(i, validp);
+		if (quirk_no_way_out)
+			quirk_no_way_out(i, m, regs);
 
 		if (mce_severity(m, mca_cfg.tolerant, &tmp) >= MCE_PANIC_SEVERITY) {
+			mce_read_aux(m, i);
 			*msg = tmp;
-			ret = 1;
+			return 1;
 		}
 	}
-	return ret;
+	return 0;
 }
 
 /*
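Review bot: On the new early return, nothing in the loop records which bank produced the fatal status: m->status and the mce_read_aux(m, i) data come from bank i, but m->bank is not assigned here, so the record can be reported against whatever bank value the caller left in m. Consider setting m->bank = i before mce_read_aux(m, i). Returning at the first panic-severity bank also means __set_bit(i, validp) is never reached for later banks, so the caller must not rely on validp being complete when this returns 1.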


* [PATCH 3.16 112/366] of: platform: stop accessing invalid dev in of_platform_device_destroy
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rob Herring, Srinivas Kandagatla

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit 522811e944ed9b36806faa019faec10f9d259cca upstream.

Immediately after the platform_device_unregister() the device will be
cleaned up. Accessing the freed pointer immediately after that will
crash the system.

Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing
loading/unloading audio drivers in a loop on Qcom platforms.

Fix this by moving of_node_clear_flag() just before the unregister calls.

Below is the crash trace:

Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c03
Mem abort info:
  ESR = 0x96000021
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000021
  CM = 0, WnR = 0
[006b6b6b6b6b6c03] address between user and kernel address ranges
Internal error: Oops: 96000021 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 1784 Comm: sh Tainted: G        W         4.17.0-rc7-02230-ge3a63a7ef641-dirty #204
Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO)
pc : clear_bit+0x18/0x2c
lr : of_platform_device_destroy+0x64/0xb8
Process sh (pid: 1784, stack limit = 0x        (ptrval))
Call trace:
 clear_bit+0x18/0x2c
 q6afe_remove+0x20/0x38
 apr_device_remove+0x30/0x70
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 apr_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 apr_remove+0x18/0x20
 rpmsg_dev_remove+0x38/0x68
 device_release_driver_internal+0x170/0x208
 device_release_driver+0x14/0x20
 bus_remove_device+0xcc/0x150
 device_del+0x10c/0x310
 device_unregister+0x1c/0x70
 qcom_smd_remove_device+0xc/0x18
 device_for_each_child+0x50/0x80
 qcom_smd_unregister_edge+0x3c/0x70
 smd_subdev_remove+0x18/0x28
 rproc_stop+0x48/0xd8
 rproc_shutdown+0x60/0xe8
 state_store+0xbc/0xf8
 dev_attr_store+0x18/0x28
 sysfs_kf_write+0x3c/0x50
 kernfs_fop_write+0x118/0x1e0
 __vfs_write+0x18/0x110
 vfs_write+0xa4/0x1a8
 ksys_write+0x48/0xb0
 sys_write+0xc/0x18
 el0_svc_naked+0x30/0x34
Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
---[ end trace 32020935775616a2 ]---

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
[bwh: Backported to 3.16: There's no OF_POPULATED_BUS flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/platform.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -522,6 +522,8 @@ static int of_platform_device_destroy(st
 		return 0;
 	}
 
+	of_node_clear_flag(dev->of_node, OF_POPULATED);
+
 	if (dev->bus == &platform_bus_type)
 		platform_device_unregister(to_platform_device(dev));
 #ifdef CONFIG_ARM_AMBA
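Review bot: Moving of_node_clear_flag(dev->of_node, OF_POPULATED) ahead of the bus-type dispatch changes behaviour on the path that does not unregister anything: the next hunk's context shows a branch ending in "return 0;" before the old call site, so that path used to leave OF_POPULATED set and now clears it. If that branch is for devices this function does not destroy, clear the flag inside the platform and AMBA branches instead, immediately before each unregister call. A short comment saying that dev must not be touched after the unregister call would keep the ordering from being reverted later.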
@@ -533,8 +535,6 @@ static int of_platform_device_destroy(st
 		return 0;
 	}
 
-	of_node_clear_flag(dev->of_node, OF_POPULATED);
-
 	return 0;
 }
 


* [PATCH 3.16 200/366] netfilter: nf_log: don't hold nf_log_mutex during user access
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jann Horn, Pablo Neira Ayuso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit ce00bf07cc95a57cd20b208e02b3c2604e532ae8 upstream.

The old code would indefinitely block other users of nf_log_mutex if
a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
region. Fix it by moving proc_dostring() out of the locked region.

This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
sleeping function called from invalid context"), which changed this code
from using rcu_read_lock() to taking nf_log_mutex.

Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nf_log.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -273,15 +273,18 @@ static int nf_log_proc_dostring(struct c
 		rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
 		mutex_unlock(&nf_log_mutex);
 	} else {
+		struct ctl_table tmp = *table;
+
+		tmp.data = buf;
 		mutex_lock(&nf_log_mutex);
 		logger = rcu_dereference_protected(net->nf.nf_loggers[tindex],
 						   lockdep_is_held(&nf_log_mutex));
 		if (!logger)
-			table->data = "NONE";
+			strlcpy(buf, "NONE", sizeof(buf));
 		else
-			table->data = logger->name;
-		r = proc_dostring(table, write, buffer, lenp, ppos);
+			strlcpy(buf, logger->name, sizeof(buf));
 		mutex_unlock(&nf_log_mutex);
+		r = proc_dostring(&tmp, write, buffer, lenp, ppos);
 	}
 
 	return r;
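Review bot: tmp is a copy of *table with only data redirected to buf, so the length proc_dostring() enforces is still the maxlen inherited from the original table while the storage is now the local buf; nothing in the hunk ties the two together. Setting tmp.maxlen = sizeof(buf) next to "tmp.data = buf;" would make the bound explicit. sizeof(buf) in the two strlcpy() calls is also only correct if buf is an array in this scope; its declaration is outside the hunk, so that is worth confirming against the 3.16 context.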


* [PATCH 3.16 116/366] l2tp: fix refcount leakage on PPPoL2TP sockets
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 3d609342cc04129ff7568e19316ce3d7451a27e8 upstream.

Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
object destroy") tried to fix a race condition where a PPPoL2TP socket
would disappear while the L2TP session was still using it. However, it
missed the root issue which is that an L2TP session may accept to be
reconnected if its associated socket has entered the release process.

The tentative fix makes the session hold the socket it is connected to.
That saves the kernel from crashing, but introduces refcount leakage,
preventing the socket from completing the release process. Once stalled,
everything the socket depends on can't be released anymore, including
the L2TP session and the l2tp_ppp module.

The root issue is that, when releasing a connected PPPoL2TP socket, the
session's ->sk pointer (RCU-protected) is reset to NULL and we have to
wait for a grace period before destroying the socket. The socket drops
the session in its ->sk_destruct callback function, so the session
will exist until the last reference on the socket is dropped.
Therefore, there is a time frame where pppol2tp_connect() may accept
reconnecting a session, as it only checks ->sk to figure out if the
session is connected. This time frame is shortened by the fact that
pppol2tp_release() calls l2tp_session_delete(), making the session
unreachable before resetting ->sk. However, pppol2tp_connect() may
grab the session before it gets unhashed by l2tp_session_delete(), but
it may test ->sk after the latter got reset. The race is not so hard to
trigger and syzbot found a pretty reliable reproducer:
https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf

Before d02ba2a6110c, another race could let pppol2tp_release()
overwrite the ->__sk pointer of an L2TP session, thus tricking
pppol2tp_put_sk() into calling sock_put() on a socket that is different
than the one for which pppol2tp_release() was originally called. To get
there, we had to trigger the race described above, therefore having one
PPPoL2TP socket being released, while the session it is connected to is
reconnecting to a different PPPoL2TP socket. When releasing this new
socket fast enough, pppol2tp_release() overwrites the session's
->__sk pointer with the address of the new socket, before the first
pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
invoked by the original socket will sock_put() the new socket,
potentially dropping its last reference. When the second
pppol2tp_put_sk() finally runs, its socket has already been freed.

With d02ba2a6110c, the session takes a reference on both sockets.
Furthermore, the session's ->sk pointer is reset in the
pppol2tp_session_close() callback function rather than in
pppol2tp_release(). Therefore, ->__sk can't be overwritten and
pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
run pppol2tp_session_close() once, to protect the session against
concurrent deletion requests). Now pppol2tp_put_sk() will properly
sock_put() the original socket, but the new socket will remain, as
l2tp_session_delete() prevented the release process from completing.
Here, we don't depend on the ->__sk race to trigger the bug. Getting
into the pppol2tp_connect() race is enough to leak the reference, no
matter when the new socket is released.

So it all boils down to pppol2tp_connect() failing to realise that the
session has already been connected. This patch drops the unneeded extra
reference counting (mostly reverting d02ba2a6110c) and checks that
neither ->sk nor ->__sk is set before allowing a session to be
connected.

Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -449,16 +449,6 @@ static void pppol2tp_put_sk(struct rcu_h
  */
 static void pppol2tp_session_close(struct l2tp_session *session)
 {
-	struct pppol2tp_session *ps;
-
-	ps = l2tp_session_priv(session);
-	mutex_lock(&ps->sk_lock);
-	ps->__sk = rcu_dereference_protected(ps->sk,
-					     lockdep_is_held(&ps->sk_lock));
-	RCU_INIT_POINTER(ps->sk, NULL);
-	if (ps->__sk)
-		call_rcu(&ps->rcu, pppol2tp_put_sk);
-	mutex_unlock(&ps->sk_lock);
 }
 
 /* Really kill the session socket. (Called from sock_put() if
@@ -501,15 +491,24 @@ static int pppol2tp_release(struct socke
 	sock_orphan(sk);
 	sock->sk = NULL;
 
-	/* If the socket is associated with a session,
-	 * l2tp_session_delete will call pppol2tp_session_close which
-	 * will drop the session's ref on the socket.
-	 */
 	session = pppol2tp_sock_to_session(sk);
 	if (session) {
+		struct pppol2tp_session *ps;
+
 		l2tp_session_delete(session);
-		/* drop the ref obtained by pppol2tp_sock_to_session */
-		sock_put(sk);
+
+		ps = l2tp_session_priv(session);
+		mutex_lock(&ps->sk_lock);
+		ps->__sk = rcu_dereference_protected(ps->sk,
+						     lockdep_is_held(&ps->sk_lock));
+		RCU_INIT_POINTER(ps->sk, NULL);
+		mutex_unlock(&ps->sk_lock);
+		call_rcu(&ps->rcu, pppol2tp_put_sk);
+
+		/* Rely on the sock_put() call at the end of the function for
+		 * dropping the reference held by pppol2tp_sock_to_session().
+		 * The last reference will be dropped by pppol2tp_put_sk().
+		 */
 	}
 
 	release_sock(sk);
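Review bot: call_rcu(&ps->rcu, pppol2tp_put_sk) is now unconditional, whereas the code removed from pppol2tp_session_close() only scheduled it under "if (ps->__sk)". If ps->sk can already be NULL when pppol2tp_release() gets here, pppol2tp_put_sk() will run with ps->__sk == NULL; either keep the guard or add a comment explaining why a session returned by pppol2tp_sock_to_session(sk) always has ps->sk set.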
@@ -764,7 +763,8 @@ static int pppol2tp_connect(struct socke
 		 */
 		mutex_lock(&ps->sk_lock);
 		if (rcu_dereference_protected(ps->sk,
-					      lockdep_is_held(&ps->sk_lock))) {
+					      lockdep_is_held(&ps->sk_lock)) ||
+		    ps->__sk) {
 			mutex_unlock(&ps->sk_lock);
 			error = -EEXIST;
 			goto end;
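Review bot: The new "|| ps->__sk" test makes a session permanently unconnectable once pppol2tp_release() has stored the socket in ps->__sk, since none of the hunks in this patch reset that field. That matches the commit message, but the comment above this check should say so, because -EEXIST is now also returned for a session that has no socket in ps->sk.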
@@ -832,7 +832,6 @@ static int pppol2tp_connect(struct socke
 
 out_no_ppp:
 	/* This is how we get the session context from the socket. */
-	sock_hold(sk);
 	sk->sk_user_data = session;
 	rcu_assign_pointer(ps->sk, sk);
 	mutex_unlock(&ps->sk_lock);


* [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric Dumazet, Pablo Neira Ayuso

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 9ce7bc036ae4cfe3393232c86e9e1fea2153c237 upstream.

It is a waste of memory to use a full "struct netns_sysctl_ipv6"
while only one pointer is really used, considering netns_sysctl_ipv6
keeps growing.

Also, since "struct netns_frags" has cache line alignment,
it is better to move the frags_hdr pointer outside, otherwise
we spend a full cache line for this pointer.

This saves 192 bytes of memory per netns.

Fixes: c038a767cd69 ("ipv6: add a new namespace for nf_conntrack_reasm")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/net_namespace.h             | 1 +
 include/net/netns/ipv6.h                | 1 -
 net/ipv6/netfilter/nf_conntrack_reasm.c | 6 +++---
 3 files changed, 4 insertions(+), 4 deletions(-)

--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -112,6 +112,7 @@ struct net {
 #endif
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 	struct netns_nf_frag	nf_frag;
+	struct ctl_table_header *nf_frag_frags_hdr;
 #endif
 	struct sock		*nfnl;
 	struct sock		*nfnl_stash;
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -80,7 +80,6 @@ struct netns_ipv6 {
 
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 struct netns_nf_frag {
-	struct netns_sysctl_ipv6 sysctl;
 	struct netns_frags	frags;
 };
 #endif
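Review bot: Removing the sysctl member from struct netns_nf_frag breaks the build for any remaining net->nf_frag.sysctl user, and this patch only converts the three references in nf_conntrack_reasm.c. For a backport, grep the 3.16 tree for nf_frag.sysctl to confirm there are no other users before applying.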
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -109,7 +109,7 @@ static int nf_ct_frag6_sysctl_register(s
 	if (hdr == NULL)
 		goto err_reg;
 
-	net->nf_frag.sysctl.frags_hdr = hdr;
+	net->nf_frag_frags_hdr = hdr;
 	return 0;
 
 err_reg:
@@ -123,8 +123,8 @@ static void __net_exit nf_ct_frags6_sysc
 {
 	struct ctl_table *table;
 
-	table = net->nf_frag.sysctl.frags_hdr->ctl_table_arg;
-	unregister_net_sysctl_table(net->nf_frag.sysctl.frags_hdr);
+	table = net->nf_frag_frags_hdr->ctl_table_arg;
+	unregister_net_sysctl_table(net->nf_frag_frags_hdr);
 	if (!net_eq(net, &init_net))
 		kfree(table);
 }


* [PATCH 3.16 126/366] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Vlastimil Babka, Michal Hocko, Mel Gorman, Joonsoo Kim,
	David Rientjes, Linus Torvalds

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream.

In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for
allocations that can ignore memory policies.  The zonelist is obtained
from current CPU's node.  This is a problem for __GFP_THISNODE
allocations that want to allocate on a different node, e.g.  because the
allocating thread has been migrated to a different CPU.

This has been observed to break SLAB in our 4.4-based kernel, because
there it relies on __GFP_THISNODE working as intended.  If a slab page
is put on wrong node's list, then further list manipulations may corrupt
the list because page_to_nid() is used to determine which node's
list_lock should be locked and thus we may take a wrong lock and race.

Current SLAB implementation seems to be immune by luck thanks to commit
511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on
arbitrary node") but there may be others assuming that __GFP_THISNODE
works as promised.

We can fix it by simply removing the zonelist reset completely.  There
is actually no reason to reset it, because memory policies and cpusets
don't affect the zonelist choice in the first place.  This was different
when commit 183f6371aac2 ("mm: ignore mempolicies when using
ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their
own restricted zonelists.

We might consider this for 4.17 although I don't know if there's
anything currently broken.

SLAB is currently not affected, but in kernels older than 4.7 that don't
yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page
allocated on arbitrary node") it is.  That's at least 4.4 LTS.  Older
ones I'll have to check.

So stable backports should be more important, but will have to be
reviewed carefully, as the code went through many changes.  BTW I think
that also the ac->preferred_zoneref reset is currently useless if we
don't also reset ac->nodemask from a mempolicy to NULL first (which we
probably should for the OOM victims etc?), but I would leave that for a
separate patch.

Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK")
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: Resetting the zonelist may still be useful here,
 so keep doing it if __GFP_THISNODE is not used.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/page_alloc.c | 1 -
 1 file changed, 1 deletion(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2594,7 +2594,8 @@ rebalance:
 		 * the allocation is high priority and these type of
 		 * allocations are system rather than user orientated
 		 */
-		zonelist = node_zonelist(numa_node_id(), gfp_mask);
+		if (!(gfp_mask & __GFP_THISNODE))
+			zonelist = node_zonelist(numa_node_id(), gfp_mask);
 
 		page = __alloc_pages_high_priority(gfp_mask, order,
 				zonelist, high_zoneidx, nodemask,
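Review bot: The comment above the new conditional still describes an unconditional zonelist reset; it should say that __GFP_THISNODE allocations keep the caller's zonelist because the current CPU's node may not be the node that was requested. The diffstat above (1 deletion) also does not match this hunk, which adds two lines and removes one, so it appears not to have been regenerated for the backport.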


* [PATCH 3.16 120/366] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Eda Zhou, Ewan D. Milne, Himanshu Madhani

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@cavium.com>

commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.

This patch prevents driver from setting lower default speed of 1 GB/sec,
if the switch does not support Get Port Speed Capabilities (GPSC)
command. Setting this default speed results in much lower write
performance for large sequential WRITE.  This patch modifies driver to
check for gpsc_supported flags and prevents driver from issuing
MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
does not send this mailbox command, firmware assumes maximum supported
link speed and will operate at the max speed.

Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reported-by: Eda Zhou <ezhou@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Tested-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_init.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -3205,7 +3205,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vh
 		return;
 
 	if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
-	    fcport->fp_speed > ha->link_data_rate)
+	    fcport->fp_speed > ha->link_data_rate ||
+	    !ha->flags.gpsc_supported)
 		return;
 
 	rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,
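
Review bot: The added !ha->flags.gpsc_supported test shares one silent return with the two fp_speed checks, so nothing distinguishes a switch without GPSC from an unknown or too-high port speed. Consider a separate early return with a debug message, plus a comment that skipping qla2x00_set_idma_speed() in that case is deliberate.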



* [PATCH 3.16 106/366] tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (285 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 348/366] MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 290/366] fscache: Fix reference overput in fscache_attach_object() error handling Ben Hutchings
                   ` (79 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Turner, Len Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Turner <mattst88@gmail.com>

commit e0d34648b4d77ba715e13739d04e7b0692fe5eaa upstream.

According to the Intel Software Developers' Manual, Vol. 4, Order No.
335592, these macros have been reversed since they were added.

Fixes: 889facbee3e6 ("tools/power turbostat: v3.0: monitor Watts and Temperature")
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/power/x86/turbostat/turbostat.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/power/x86/turbostat/turbostat.c
+++ b/tools/power/x86/turbostat/turbostat.c
@@ -1088,8 +1088,8 @@ void print_verbose_header(void)
 print_nhm_turbo_ratio_limits:
 	get_msr(0, MSR_NHM_SNB_PKG_CST_CFG_CTL, &msr);
 
-#define SNB_C1_AUTO_UNDEMOTE              (1UL << 27)
-#define SNB_C3_AUTO_UNDEMOTE              (1UL << 28)
+#define SNB_C3_AUTO_UNDEMOTE              (1UL << 27)
+#define SNB_C1_AUTO_UNDEMOTE              (1UL << 28)
 
 	fprintf(stderr, "cpu0: MSR_NHM_SNB_PKG_CST_CFG_CTL: 0x%08llx", msr);
 
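Review bot: Neither define says which bit of MSR_NHM_SNB_PKG_CST_CFG_CTL it names, and the commit message says the pair has been reversed since it was added. A trailing comment on each line (bit 27 for C3, bit 28 for C1) with the manual reference from the commit message would make a future swap easy to catch. The defines also sit inside print_verbose_header(), after the get_msr() call; file scope would make them easier to find.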



* [PATCH 3.16 133/366] backlight: as3711_bl: Fix Device Tree node leaks
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 087/366] perf/core: Fix group scheduling with mixed hw and sw events Ben Hutchings
                   ` (278 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Daniel Thompson, Lee Jones, Johan Hovold

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d5318d302e7cf6583ec85a2a8bfbb3a3910ae372 upstream.

Two framebuffer device-node names were looked up during probe, but were
only used as flags to indicate the presence of two framebuffer devices.

Drop the unused framebuffer name along with a likewise unused device
pointer from the driver data, and update the platform data to pass in
booleans instead of the framebuffer strings. This allows us to drop the
node references acquired during probe, which would otherwise leak.

Note that there are no other in-kernel users of the modified
platform-data fields.

Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/backlight/as3711_bl.c | 12 ++++++------
 include/linux/mfd/as3711.h          |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/video/backlight/as3711_bl.c
+++ b/drivers/video/backlight/as3711_bl.c
@@ -28,8 +28,6 @@ enum as3711_bl_type {
 
 struct as3711_bl_data {
 	bool powered;
-	const char *fb_name;
-	struct device *fb_dev;
 	enum as3711_bl_type type;
 	int brightness;
 	struct backlight_device *bl;
@@ -273,7 +271,9 @@ static int as3711_backlight_parse_dt(str
 
 	fb = of_parse_phandle(bl, "su1-dev", 0);
 	if (fb) {
-		pdata->su1_fb = fb->full_name;
+		of_node_put(fb);
+
+		pdata->su1_fb = true;
 
 		ret = of_property_read_u32(bl, "su1-max-uA", &pdata->su1_max_uA);
 		if (pdata->su1_max_uA <= 0)
@@ -286,7 +286,9 @@ static int as3711_backlight_parse_dt(str
 	if (fb) {
 		int count = 0;
 
-		pdata->su2_fb = fb->full_name;
+		of_node_put(fb);
+
+		pdata->su2_fb = true;
 
 		ret = of_property_read_u32(bl, "su2-max-uA", &pdata->su2_max_uA);
 		if (pdata->su2_max_uA <= 0)
@@ -425,7 +427,6 @@ static int as3711_backlight_probe(struct
 
 	if (pdata->su1_fb) {
 		su = &supply->su1;
-		su->fb_name = pdata->su1_fb;
 		su->type = AS3711_BL_SU1;
 
 		max_brightness = min(pdata->su1_max_uA, 31);
@@ -436,7 +437,6 @@ static int as3711_backlight_probe(struct
 
 	if (pdata->su2_fb) {
 		su = &supply->su2;
-		su->fb_name = pdata->su2_fb;
 		su->type = AS3711_BL_SU2;
 
 		switch (pdata->su2_fbprot) {
--- a/include/linux/mfd/as3711.h
+++ b/include/linux/mfd/as3711.h
@@ -107,9 +107,9 @@ struct as3711_regulator_pdata {
 };
 
 struct as3711_bl_pdata {
-	const char *su1_fb;
+	bool su1_fb;
 	int su1_max_uA;
-	const char *su2_fb;
+	bool su2_fb;
 	int su2_max_uA;
 	enum as3711_su2_feedback su2_feedback;
 	enum as3711_su2_fbprot su2_fbprot;
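
Review bot: su1_fb and su2_fb change from const char * to bool with no comment on the new meaning. Board code that still assigns a framebuffer name string will keep compiling, because a pointer converts to bool, so a one-line comment on each field saying it is a presence flag would help. The commit message's note that there are no other in-kernel users does not cover out-of-tree platform data.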



* [PATCH 3.16 042/366] powerpc/lib: Fix the feature fixup tests to actually work
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (305 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING Ben Hutchings
                   ` (59 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit cad0e39023b43d94d5e38dfd55c103e15bdd093d upstream.

The code patching code has always been a bit confused about whether
it's best to use void *, unsigned int *, char *, etc. to point to
instructions. In fact in the feature fixups tests we use both unsigned
int[] and u8[] in different places.

Unfortunately the tests that use unsigned int[] calculate the size of
the code blocks using subtraction of those unsigned int pointers, and
then pass the result to memcmp(). This means we're only comparing 1/4
of the bytes we need to, because we need to multiply by
sizeof(unsigned int) to get the number of *bytes*.

The result is that the tests do all the patching and then only compare
some of the resulting code, so patching bugs that only affect that
last 3/4 of the code could slip through undetected. It turns out that
hasn't been happening, although one test had a bad expected case (see
previous commit).

Fix it for now by multiplying the size by 4 in the affected functions.

Fixes: 362e7701fd18 ("powerpc: Add self-tests of the feature fixup code")
Epic-brown-paper-bag-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/lib/feature-fixups.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -170,7 +170,7 @@ void test_basic_patching(void)
 	extern unsigned int end_ftr_fixup_test1[];
 	extern unsigned int ftr_fixup_test1_orig[];
 	extern unsigned int ftr_fixup_test1_expected[];
-	int size = end_ftr_fixup_test1 - ftr_fixup_test1;
+	int size = 4 * (end_ftr_fixup_test1 - ftr_fixup_test1);
 
 	fixup.value = fixup.mask = 8;
 	fixup.start_off = calc_offset(&fixup, ftr_fixup_test1 + 1);
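
Review bot: The literal 4 in the size calculation hard-codes sizeof(unsigned int), which the commit message itself names as the factor that was missing. Writing sizeof(*ftr_fixup_test1) * (end_ftr_fixup_test1 - ftr_fixup_test1), or a small helper shared by the six tests, would keep the byte count tied to the array type. The same applies to the matching line in each of the following hunks.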
@@ -202,7 +202,7 @@ static void test_alternative_patching(vo
 	extern unsigned int ftr_fixup_test2_orig[];
 	extern unsigned int ftr_fixup_test2_alt[];
 	extern unsigned int ftr_fixup_test2_expected[];
-	int size = end_ftr_fixup_test2 - ftr_fixup_test2;
+	int size = 4 * (end_ftr_fixup_test2 - ftr_fixup_test2);
 
 	fixup.value = fixup.mask = 0xF;
 	fixup.start_off = calc_offset(&fixup, ftr_fixup_test2 + 1);
@@ -234,7 +234,7 @@ static void test_alternative_case_too_bi
 	extern unsigned int end_ftr_fixup_test3[];
 	extern unsigned int ftr_fixup_test3_orig[];
 	extern unsigned int ftr_fixup_test3_alt[];
-	int size = end_ftr_fixup_test3 - ftr_fixup_test3;
+	int size = 4 * (end_ftr_fixup_test3 - ftr_fixup_test3);
 
 	fixup.value = fixup.mask = 0xC;
 	fixup.start_off = calc_offset(&fixup, ftr_fixup_test3 + 1);
@@ -261,7 +261,7 @@ static void test_alternative_case_too_sm
 	extern unsigned int ftr_fixup_test4_orig[];
 	extern unsigned int ftr_fixup_test4_alt[];
 	extern unsigned int ftr_fixup_test4_expected[];
-	int size = end_ftr_fixup_test4 - ftr_fixup_test4;
+	int size = 4 * (end_ftr_fixup_test4 - ftr_fixup_test4);
 	unsigned long flag;
 
 	/* Check a high-bit flag */
@@ -295,7 +295,7 @@ static void test_alternative_case_with_b
 	extern unsigned int ftr_fixup_test5[];
 	extern unsigned int end_ftr_fixup_test5[];
 	extern unsigned int ftr_fixup_test5_expected[];
-	int size = end_ftr_fixup_test5 - ftr_fixup_test5;
+	int size = 4 * (end_ftr_fixup_test5 - ftr_fixup_test5);
 
 	check(memcmp(ftr_fixup_test5, ftr_fixup_test5_expected, size) == 0);
 }
@@ -305,7 +305,7 @@ static void test_alternative_case_with_e
 	extern unsigned int ftr_fixup_test6[];
 	extern unsigned int end_ftr_fixup_test6[];
 	extern unsigned int ftr_fixup_test6_expected[];
-	int size = end_ftr_fixup_test6 - ftr_fixup_test6;
+	int size = 4 * (end_ftr_fixup_test6 - ftr_fixup_test6);
 
 	check(memcmp(ftr_fixup_test6, ftr_fixup_test6_expected, size) == 0);
 }
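
The size mistake described in the commit message above, as an added stand-alone example (not code from the patch or the kernel): a word count passed to memcmp() compares only the first quarter of the block. The sample arrays and all helper names are constructed for illustration, and the example assumes a 4-byte unsigned int.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample data: four 32-bit "instructions". Only the last word
 * differs, standing in for a patching bug in the tail of a code block.
 */
static const unsigned int sample_patched[4] = {
	0x60000000u, 0x60000000u, 0x60000000u, 0x7c0004acu
};
static const unsigned int sample_expected[4] = {
	0x60000000u, 0x60000000u, 0x60000000u, 0x60000000u
};

/* Pointer subtraction on unsigned int * yields a count of words. */
static size_t span_words(const unsigned int *start, const unsigned int *end)
{
	return (size_t)(end - start);
}

/* memcmp() needs the same span expressed in bytes. */
static size_t span_bytes(const unsigned int *start, const unsigned int *end)
{
	return span_words(start, end) * sizeof(*start);
}

/* Comparison as the old tests did it: word count used as a byte count. */
static int matches_using_word_count(const unsigned int *start,
				    const unsigned int *end,
				    const unsigned int *want)
{
	return memcmp(start, want, span_words(start, end)) == 0;
}

/* Comparison over the whole block. */
static int matches_using_byte_count(const unsigned int *start,
				    const unsigned int *end,
				    const unsigned int *want)
{
	return memcmp(start, want, span_bytes(start, end)) == 0;
}

/* Index of the first differing word, or -1 if the blocks are identical. */
static long first_mismatch(const unsigned int *start, const unsigned int *end,
			   const unsigned int *want)
{
	size_t i, n = span_words(start, end);

	for (i = 0; i < n; i++)
		if (start[i] != want[i])
			return (long)i;
	return -1;
}

int main(void)
{
	const unsigned int *s = sample_patched, *e = sample_patched + 4;

	printf("word-count compare says match: %d\n",
	       matches_using_word_count(s, e, sample_expected));
	printf("byte-count compare says match: %d\n",
	       matches_using_byte_count(s, e, sample_expected));
	printf("first differing word: %ld\n",
	       first_mismatch(s, e, sample_expected));
	return 0;
}
```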



* [PATCH 3.16 107/366] x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (230 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 327/366] ceph: fix endianness of getattr mask in ceph_d_revalidate Ben Hutchings
                   ` (134 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Turner, Len Brown, Ingo Molnar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Turner <mattst88@gmail.com>

commit a00072a24a9f5b88cfc56f2dec6afe8ce3874e60 upstream.

According to the Intel Software Developers' Manual, Vol. 4, Order No.
335592, these macros have been reversed since they were added in the
initial turbostat commit. The reversed definitions were presumably
copied from turbostat.c to this file.

Fixes: 9c63a650bb10 ("tools/power/x86/turbostat: share kernel MSR #defines")
Signed-off-by: Matt Turner <mattst88@gmail.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Len Brown <len.brown@intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/uapi/asm/msr-index.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -50,8 +50,8 @@
 #define NHM_C3_AUTO_DEMOTE		(1UL << 25)
 #define NHM_C1_AUTO_DEMOTE		(1UL << 26)
 #define ATM_LNC_C6_AUTO_DEMOTE		(1UL << 25)
-#define SNB_C1_AUTO_UNDEMOTE		(1UL << 27)
-#define SNB_C3_AUTO_UNDEMOTE		(1UL << 28)
+#define SNB_C3_AUTO_UNDEMOTE		(1UL << 27)
+#define SNB_C1_AUTO_UNDEMOTE		(1UL << 28)
 
 #define MSR_PLATFORM_INFO		0x000000ce
 #define MSR_MTRRcap			0x000000fe
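
Review bot: This header lives under include/uapi, so the swapped values reach anything built against it, while the commit message only discusses turbostat. It would help to say in the message whether other users of SNB_C1_AUTO_UNDEMOTE and SNB_C3_AUTO_UNDEMOTE were checked. The new order does match the NHM_C3/NHM_C1 lines above it (ascending bit number), which is worth keeping.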



* [PATCH 3.16 049/366] w1: support auto-load of w1_bq27000 module.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 311/366] root dentries need RCU-delayed freeing Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste Ben Hutchings
                   ` (246 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Evgeniy Polyakov, NeilBrown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.de>

commit 4b7e4f8289c1ca60accb6c1baf31984f69bc2771 upstream.

1/ change request_module call to zero-pad single digit
   family numbers.  This appears to be the intention of
   the code, but not what it actually does.

   This means that the alias created for W1_FAMILY_SMEM_01
   might actually be useful.

2/ Define a family name for the BQ27000 battery charge monitor.
   Unfortunately this is the same number as W1_FAMILY_SMEM_01
   so if both are compiled on a system, one module might need to
   be blacklisted.

3/ Add a MODULE_ALIAS for the bq27000.

Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/slaves/w1_bq27000.c | 4 ++--
 drivers/w1/w1.c                | 2 +-
 drivers/w1/w1_family.h         | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/w1/slaves/w1_bq27000.c
+++ b/drivers/w1/slaves/w1_bq27000.c
@@ -88,7 +88,7 @@ static struct w1_family_ops w1_bq27000_f
 };
 
 static struct w1_family w1_bq27000_family = {
-	.fid = 1,
+	.fid = W1_FAMILY_BQ27000,
 	.fops = &w1_bq27000_fops,
 };
 
@@ -111,7 +111,7 @@ module_exit(w1_bq27000_exit);
 
 module_param(F_ID, int, S_IRUSR);
 MODULE_PARM_DESC(F_ID, "1-wire slave FID for BQ device");
-
+MODULE_ALIAS("w1-family-" __stringify(W1_FAMILY_BQ27000));
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Texas Instruments Ltd");
 MODULE_DESCRIPTION("HDQ/1-wire slave driver bq27000 battery monitor chip");
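
Review bot: The alias string is built with __stringify(W1_FAMILY_BQ27000), so it matches the request_module() format "w1-family-0x%02x" only while the define is spelled as 0x followed by two lowercase hex digits. A comment at the MODULE_ALIAS line or at the define stating that constraint would prevent a silent auto-load miss if the constant is ever rewritten as 1 or 0x1. The hunk also drops the blank line that separated the module parameters from the MODULE_* metadata.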
--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -727,7 +727,7 @@ int w1_attach_slave_device(struct w1_mas
 
 	/* slave modules need to be loaded in a context with unlocked mutex */
 	mutex_unlock(&dev->mutex);
-	request_module("w1-family-0x%0x", rn->family);
+	request_module("w1-family-0x%02x", rn->family);
 	mutex_lock(&dev->mutex);
 
 	spin_lock(&w1_flock);
--- a/drivers/w1/w1_family.h
+++ b/drivers/w1/w1_family.h
@@ -27,6 +27,7 @@
 #include <linux/atomic.h>
 
 #define W1_FAMILY_DEFAULT	0
+#define W1_FAMILY_BQ27000	0x01
 #define W1_FAMILY_SMEM_01	0x01
 #define W1_FAMILY_SMEM_81	0x81
 #define W1_THERM_DS18S20 	0x10
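
Review bot: W1_FAMILY_BQ27000 and W1_FAMILY_SMEM_01 are both 0x01, and nothing at the defines says this is intentional. The commit message explains the clash and the possible need to blacklist one module; a short comment here would carry that warning to readers of the header.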



* [PATCH 3.16 074/366] RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 359/366] perf top: Use __fallthrough Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage Ben Hutchings
                   ` (257 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Evgenii Smirnov, Doug Ledford

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Ledford <dledford@redhat.com>

commit fa9391dbad4b868512ed22a7e41765f881a8a935 upstream.

We do a light flush on CLIENT_REREG and SM_CHANGE events.  This goes
through and marks paths invalid. But we weren't always checking for this
validity when we needed to, and so we could keep using a path marked
invalid.  What's more, once we establish a path with a valid ah, we put
a pointer to the ah in the neigh struct directly, so even if we mark the
path as invalid, as long as the neigh has a direct pointer to the ah, it
keeps using the old, outdated ah.

To fix this we do several things.

1) Put the valid flag in the ah instead of the path struct, so when we
put the ah pointer directly in the neigh struct, we can easily check the
validity of the ah on send events.
2) Check the neigh->ah and neigh->ah->valid elements in the needed
places, and if we have an ah, but it's invalid, then invoke a refresh of
the ah.
3) Fix the various places that check for path, but didn't check for
path->valid (now path->ah && path->ah->valid).

Reported-by: Evgenii Smirnov <evgenii.smirnov@profitbricks.com>
Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
 - s/phdr->hwaddr/cb->hdwaddr/
 - s/ipoib_priv/netdev_priv/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib.h      |  2 +-
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 33 ++++++++++++++++++-----
 2 files changed, 28 insertions(+), 7 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -384,6 +384,7 @@ struct ipoib_ah {
 	struct list_head   list;
 	struct kref	   ref;
 	unsigned	   last_send;
+	int  		   valid;
 };
 
 struct ipoib_path {
@@ -400,7 +401,6 @@ struct ipoib_path {
 
 	struct rb_node	      rb_node;
 	struct list_head      list;
-	int  		      valid;
 };
 
 struct ipoib_neigh {
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -426,7 +426,8 @@ void ipoib_mark_paths_invalid(struct net
 		ipoib_dbg(priv, "mark path LID 0x%04x GID %pI6 invalid\n",
 			be16_to_cpu(path->pathrec.dlid),
 			path->pathrec.dgid.raw);
-		path->valid =  0;
+		if (path->ah)
+			path->ah->valid = 0;
 	}
 
 	spin_unlock_irq(&priv->lock);
@@ -535,7 +536,7 @@ static void path_rec_completion(int stat
 			while ((skb = __skb_dequeue(&neigh->queue)))
 				__skb_queue_tail(&skqueue, skb);
 		}
-		path->valid = 1;
+		path->ah->valid = 1;
 	}
 
 	path->query = NULL;
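
Review bot: path->ah->valid = 1 dereferences path->ah without a NULL test, while the ipoib_mark_paths_invalid() hunk above guards the same pointer with if (path->ah). The enclosing condition is outside this hunk, so please confirm that this branch is only reached after path->ah has been assigned, or add the same guard.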
@@ -615,6 +616,24 @@ static int path_rec_start(struct net_dev
 	return 0;
 }
 
+static void neigh_refresh_path(struct ipoib_neigh *neigh, u8 *daddr,
+			       struct net_device *dev)
+{
+	struct ipoib_dev_priv *priv = netdev_priv(dev);
+	struct ipoib_path *path;
+	unsigned long flags;
+
+	spin_lock_irqsave(&priv->lock, flags);
+
+	path = __path_find(dev, daddr + 4);
+	if (!path)
+		goto out;
+	if (!path->query)
+		path_rec_start(dev, path);
+out:
+	spin_unlock_irqrestore(&priv->lock, flags);
+}
+
 static struct ipoib_neigh *neigh_add_path(struct sk_buff *skb, u8 *daddr,
 					  struct net_device *dev)
 {
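
Review bot: neigh_refresh_path() never uses its neigh argument, and it discards the return value of path_rec_start(), which the context above shows as static int. Either drop the unused parameter or document why it is kept, and consider logging a failed restart. The bare daddr + 4 offset would also read better with a comment or a named constant.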
@@ -651,7 +670,7 @@ static struct ipoib_neigh *neigh_add_pat
 
 	list_add_tail(&neigh->list, &path->neigh_list);
 
-	if (path->ah) {
+	if (path->ah && path->ah->valid) {
 		kref_get(&path->ah->ref);
 		neigh->ah = path->ah;
 
@@ -710,7 +729,7 @@ static void unicast_arp_send(struct sk_b
 	spin_lock_irqsave(&priv->lock, flags);
 
 	path = __path_find(dev, cb->hwaddr + 4);
-	if (!path || !path->valid) {
+	if (!path || !path->ah || !path->ah->valid) {
 		int new_path = 0;
 
 		if (!path) {
@@ -736,7 +755,7 @@ static void unicast_arp_send(struct sk_b
 		return;
 	}
 
-	if (path->ah) {
+	if (path->ah && path->ah->valid) {
 		ipoib_dbg(priv, "Send unicast ARP to %04x\n",
 			  be16_to_cpu(path->pathrec.dlid));
 
@@ -818,9 +837,11 @@ send_using_neigh:
 			ipoib_cm_send(dev, skb, ipoib_cm_get(neigh));
 			goto unref;
 		}
-	} else if (neigh->ah) {
+	} else if (neigh->ah && neigh->ah->valid) {
 		ipoib_send(dev, skb, neigh->ah, IPOIB_QPN(cb->hwaddr));
 		goto unref;
+	} else if (neigh->ah) {
+		neigh_refresh_path(neigh, cb->hwaddr, dev);
 	}
 
 	if (skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE) {



* [PATCH 3.16 053/366] sbitmap: fix race in wait batch accounting
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (188 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 351/366] usb: misc: usb3503: Update error code in print message Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 196/366] staging: android: ion: Return an ERR_PTR in ion_map_kernel Ben Hutchings
                   ` (176 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Omar Sandoval, Jens Axboe

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit c854ab5773be1c1a0d3cef0c3a3261f2c48ab7f8 upstream.

If we have multiple callers of sbq_wake_up(), we can end up in a
situation where the wait_cnt will continually go more and more
negative. Consider the case where our wake batch is 1, hence
wait_cnt will start out as 1.

wait_cnt == 1

CPU0				CPU1
atomic_dec_return(), cnt == 0
				atomic_dec_return(), cnt == -1
				cmpxchg(-1, 0) (succeeds)
				[wait_cnt now 0]
cmpxchg(0, 1) (fails)

This ends up with wait_cnt being 0, we'll wake up immediately
next time. Going through the same loop as above again, and
we'll have wait_cnt -1.

For the case where we have a larger wake batch, the only
difference is that the starting point will be higher. We'll
still end up with continually smaller batch wakeups, which
defeats the purpose of the rolling wakeups.

Always reset the wait_cnt to the batch value. Then it doesn't
matter who wins the race. But ensure that whoever does win
the race is the one that increments the ws index and wakes up
our batch count, loser gets to call __sbq_wake_up() again to
account his wakeups towards the next active wait state index.

Fixes: 6c0ca7ae292a ("sbitmap: fix wakeup hang after sbq resize")
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16:
 - Rename almost everything
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-mq-tag.c | 35 +++++++++++++++++++++++++----------
 1 file changed, 25 insertions(+), 10 deletions(-)

--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -336,42 +336,58 @@ static struct bt_wait_state *bt_wake_ptr
 	return NULL;
 }
 
-static void bt_clear_tag(struct blk_mq_bitmap_tags *bt, unsigned int tag)
+static bool __bt_wake_up(struct blk_mq_bitmap_tags *bt)
 {
-	const int index = TAG_TO_INDEX(bt, tag);
 	struct bt_wait_state *bs;
 	unsigned int wake_batch;
 	int wait_cnt;
 
-	clear_bit(TAG_TO_BIT(bt, tag), &bt->map[index].word);
-
 	/* Ensure that the wait list checks occur after clear_bit(). */
 	smp_mb();
 
 	bs = bt_wake_ptr(bt);
 	if (!bs)
-		return;
+		return false;
 
 	wait_cnt = atomic_dec_return(&bs->wait_cnt);
 	if (wait_cnt <= 0) {
+		int ret;
+
 		wake_batch = ACCESS_ONCE(bt->wake_cnt);
+
 		/*
 		 * Pairs with the memory barrier in bt_update_count() to
 		 * ensure that we see the batch size update before the wait
 		 * count is reset.
 		 */
 		smp_mb__before_atomic();
+
 		/*
-		 * If there are concurrent callers to bt_clear_tag(), the last
-		 * one to decrement the wait count below zero will bump it back
-		 * up. If there is a concurrent resize, the count reset will
-		 * either cause the cmpxchg to fail or overwrite after the
-		 * cmpxchg.
+		 * For concurrent callers of this, the one that failed the
+		 * atomic_cmpxhcg() race should call this function again
+		 * to wakeup a new batch on a different 'bs'.
 		 */
-		atomic_cmpxchg(&bs->wait_cnt, wait_cnt, wait_cnt + wake_batch);
-		bt_index_atomic_inc(&bt->wake_index);
-		wake_up(&bs->wait);
+		ret = atomic_cmpxchg(&bs->wait_cnt, wait_cnt, wake_batch);
+		if (ret == wait_cnt) {
+			bt_index_atomic_inc(&bt->wake_index);
+			wake_up(&bs->wait);
+			return false;
+		}
+
+		return true;
 	}
+
+	return false;
+}
+
+static void bt_clear_tag(struct blk_mq_bitmap_tags *bt, unsigned int tag)
+{
+	const int index = TAG_TO_INDEX(bt, tag);
+
+	clear_bit(TAG_TO_BIT(bt, tag), &bt->map[index].word);
+
+	while (__bt_wake_up(bt))
+		;
 }
 
 static void __blk_mq_put_tag(struct blk_mq_tags *tags, unsigned int tag)
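
Review bot: The comment "Ensure that the wait list checks occur after clear_bit()" stays in __bt_wake_up(), but clear_bit() now lives in bt_clear_tag(), and the smp_mb() it describes runs again on every retry of the while loop. Reword the comment to name the caller, and say in the new comment block what bounds the retry loop in bt_clear_tag(). The new comment also misspells atomic_cmpxchg() as atomic_cmpxhcg().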



* [PATCH 3.16 055/366] mfd: tps65911-comparator: Fix a build error
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 358/366] tools include: Add a __fallthrough statement Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 125/366] mm: /proc/pid/pagemap: hide swap entries from unprivileged users Ben Hutchings
                   ` (322 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Lee Jones

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit ac1886165cd1201c5793099b6fbad1876bf98dfe upstream.

In 2012, we changed the tps65910 API and fixed most drivers but forgot
to update this one.

Fixes: 3f7e82759c69 ("mfd: Commonize tps65910 regmap access through header")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/tps65911-comparator.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mfd/tps65911-comparator.c
+++ b/drivers/mfd/tps65911-comparator.c
@@ -78,7 +78,7 @@ static int comp_threshold_set(struct tps
 		return -EINVAL;
 
 	val = index << 1;
-	ret = tps65910->write(tps65910, tps_comp.reg, 1, &val);
+	ret = tps65910_reg_write(tps65910, tps_comp.reg, val);
 
 	return ret;
 }
@@ -86,13 +86,13 @@ static int comp_threshold_set(struct tps
 static int comp_threshold_get(struct tps65910 *tps65910, int id)
 {
 	struct comparator tps_comp = tps_comparators[id];
+	unsigned int val;
 	int ret;
-	u8 val;
 
 	if (id == COMP)
 		return 0;
 
-	ret = tps65910->read(tps65910, tps_comp.reg, 1, &val);
+	ret = tps65910_reg_read(tps65910, tps_comp.reg, &val);
 	if (ret < 0)
 		return ret;
 



* [PATCH 3.16 045/366] vfs: add the sb_start_intwrite_trylock() helper
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 163/366] xen-netfront: fix locking in connect error path Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 346/366] kexec: Fix make headers_check Ben Hutchings
                   ` (236 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o, Jan Kara, Amir Goldstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 0c8e3fe35db9b66ae0030849545030ec7c0fc45c upstream.

Needed by ext4 to test frozen fs before updating s_last_mounted.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/fs.h | 5 +++++
 1 file changed, 5 insertions(+)

--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1389,6 +1389,11 @@ static inline void sb_start_intwrite(str
 	__sb_start_write(sb, SB_FREEZE_FS, true);
 }
 
+static inline int sb_start_intwrite_trylock(struct super_block *sb)
+{
+	return __sb_start_write(sb, SB_FREEZE_FS, false);
+}
+
 
 extern bool inode_owner_or_capable(const struct inode *inode);
 
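Review bot: sb_start_intwrite_trylock() has no comment saying what a zero or nonzero return means, which is the first thing a caller of a trylock helper needs to know. Returning bool instead of int would make the success test explicit. The added blank line after the closing brace also leaves two consecutive empty lines before the extern declaration.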



* [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 220/366] x86/bugs: Add AMD's variant of SSB_NO Ben Hutchings
                   ` (312 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jason Gunthorpe, Leon Romanovsky, Ran Rozenstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit fe48aecb4df837540f13b5216f27ddb306aaf4b9 upstream.

The conversion from offsetof() calculations to sizeof()
wrongly behaved for missed exact size and in scenario with
more than one flow.

In such scenario we got "create flow failed, flow 10: 8 bytes
left from uverb cmd" error, which is wrong because the size of
kern_spec is exactly 8 bytes, and we were not supposed to fail.

Fixes: 4fae7f170416 ("RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow")
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2761,7 +2761,7 @@ int ib_uverbs_ex_create_flow(struct ib_u
 	kern_spec = kern_flow_attr->flow_specs;
 	ib_spec = flow_attr + 1;
 	for (i = 0; i < flow_attr->num_of_specs &&
-			cmd.flow_attr.size > sizeof(*kern_spec) &&
+			cmd.flow_attr.size >= sizeof(*kern_spec) &&
 			cmd.flow_attr.size >= kern_spec->size;
 	     i++) {
 		err = kern_spec_to_ib_spec(
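
Review bot: The boundary changed here (> to >= against sizeof(*kern_spec)) has no comment, and the Fixes tag shows the line was last touched for a slab-out-of-bounds fix, so it is easy to get wrong in either direction. A comment stating that a remaining size of exactly sizeof(*kern_spec) is valid, and that this test must stay ahead of the kern_spec->size comparison, would protect the ordering of the two size conditions.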



* [PATCH 3.16 067/366] scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()'
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 335/366] usbip: stub_rx: fix static checker warning on unnecessary checks Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 218/366] sched/fair: Fix bandwidth timer clock drift condition Ben Hutchings
                   ` (345 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christophe Jaillet, Martin K. Petersen, Dan Carpenter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>

commit 51b910c3c70986a5a0a84eea11cb8e904e37ba8b upstream.

The 'free_irq()' call is not at the right place in the error handling
path.  The changed order has been introduced in commit 3d4253d9afab
("[SCSI] qlogicpti: Convert to new SBUS device framework.")

Fixes: 3d4253d9afab ("[SCSI] qlogicpti: Convert to new SBUS device framework.")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qlogicpti.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/qlogicpti.c
+++ b/drivers/scsi/qlogicpti.c
@@ -1386,6 +1386,9 @@ fail_unmap_queues:
 			  qpti->req_cpu, qpti->req_dvma);
 #undef QSIZE
 
+fail_free_irq:
+	free_irq(qpti->irq, qpti);
+
 fail_unmap_regs:
 	of_iounmap(&op->resource[0], qpti->qregs,
 		   resource_size(&op->resource[0]));
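
Review bot: Moving `fail_free_irq:` ahead of `fail_unmap_regs:` changes two things at once: a jump to fail_unmap_regs no longer calls free_irq(), and a jump to fail_free_irq now falls through to the of_iounmap() calls instead of skipping them. The commit message only says the call was "not at the right place"; please state which effect was the bug (register mappings left behind, or free_irq() running for an IRQ that was never requested), because the goto sites in qpti_sbus_probe() are outside the diff and the new label order cannot be checked against them here.
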
@@ -1393,9 +1396,6 @@ fail_unmap_regs:
 		of_iounmap(&op->resource[0], qpti->sreg,
 			   sizeof(unsigned char));
 
-fail_free_irq:
-	free_irq(qpti->irq, qpti);
-
 fail_unlink:
 	scsi_host_put(host);
 



* [PATCH 3.16 113/366] PCI: shpchp: Fix AMD POGO identification
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bjorn Helgaas, Mika Westerberg, Rafael J. Wysocki

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit bed4e9cfab93a0f3d0144cb919820e6d5c40b8b1 upstream.

The fix for an AMD POGO erratum related to SHPC incorrectly identified the
device.  The workaround should be applied only for AMD POGO devices, but it
was instead applied to:

  - all AMD bridges, and
  - all devices from any vendor with device ID 0x7458

Fixes: 53044f357448 ("[PATCH] PCI Hotplug: shpchp: AMD POGO errata fix")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/hotplug/shpchp_ctrl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/pci/hotplug/shpchp_ctrl.c
+++ b/drivers/pci/hotplug/shpchp_ctrl.c
@@ -595,13 +595,13 @@ static int shpchp_enable_slot (struct sl
 	ctrl_dbg(ctrl, "%s: p_slot->pwr_save %x\n", __func__, p_slot->pwr_save);
 	p_slot->hpc_ops->get_latch_status(p_slot, &getstatus);
 
-	if(((p_slot->ctrl->pci_dev->vendor == PCI_VENDOR_ID_AMD) ||
-	    (p_slot->ctrl->pci_dev->device == PCI_DEVICE_ID_AMD_POGO_7458))
+	if ((p_slot->ctrl->pci_dev->vendor == PCI_VENDOR_ID_AMD &&
+	     p_slot->ctrl->pci_dev->device == PCI_DEVICE_ID_AMD_POGO_7458)
 	     && p_slot->ctrl->num_slots == 1) {
-		/* handle amd pogo errata; this must be done before enable  */
+		/* handle AMD POGO errata; this must be done before enable  */
 		amd_pogo_errata_save_misc_reg(p_slot);
 		retval = board_added(p_slot);
-		/* handle amd pogo errata; this must be done after enable  */
+		/* handle AMD POGO errata; this must be done after enable  */
 		amd_pogo_errata_restore_misc_reg(p_slot);
 	} else
 		retval = board_added(p_slot);
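
Review bot: The rewritten condition mixes operator placement: the new vendor line ends with `&&` while the untouched `&& p_slot->ctrl->num_slots == 1` line starts with it, and the inner parentheses around the vendor/device pair are redundant now that every term is joined by `&&`. Flatten it into three terms with trailing operators. The comment capitalisation changes ("amd pogo" to "AMD POGO") are unrelated to the fix and only widen a stable backport, and the trailing `else` stays unbraced although the `if` branch is braced, which kernel coding style asks to brace as well.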



* [PATCH 3.16 199/366] RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Noa Osherovich, Jason Gunthorpe, syzkaller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit 4fae7f170416f970e5655f7e945ce69286b1c4ff upstream.

The check of cmd.flow_attr.size should take into account the size of the
reserved field (2 bytes), otherwise a user can provide a size which will
cause a slab-out-of-bounds warning below.

==================================================================
BUG: KASAN: slab-out-of-bounds in ib_uverbs_ex_create_flow+0x1740/0x1d00
Read of size 2 at addr ffff880068dff1a6 by task syz-executor775/269

CPU: 0 PID: 269 Comm: syz-executor775 Not tainted 4.18.0-rc1+ #245
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0xef/0x17e
 print_address_description+0x83/0x3b0
 kasan_report+0x18d/0x4d0
 ib_uverbs_ex_create_flow+0x1740/0x1d00
 ib_uverbs_write+0x923/0x1010
 __vfs_write+0x10d/0x720
 vfs_write+0x1b0/0x550
 ksys_write+0xc6/0x1a0
 do_syscall_64+0xa7/0x590
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x433899
Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d
89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 91 fd ff c3 66
2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc2724db58 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000020006880 RCX: 0000000000433899
RDX: 00000000000000e0 RSI: 0000000020002480 RDI: 0000000000000003
RBP: 00000000006d7018 R08: 00000000004002f8 R09: 00000000004002f8
R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000

R13: 000000000040cd20 R14: 000000000040cdb0 R15: 0000000000000006

Allocated by task 269:
 kasan_kmalloc+0xa0/0xd0
 __kmalloc+0x1a9/0x510
 ib_uverbs_ex_create_flow+0x26c/0x1d00
 ib_uverbs_write+0x923/0x1010
 __vfs_write+0x10d/0x720
 vfs_write+0x1b0/0x550
 ksys_write+0xc6/0x1a0
 do_syscall_64+0xa7/0x590
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 __kasan_slab_free+0x12e/0x180
 kfree+0x159/0x630
 detach_buf+0x559/0x7a0
 virtqueue_get_buf_ctx+0x3cc/0xab0
 virtblk_done+0x1eb/0x3d0
 vring_interrupt+0x16d/0x2b0
 __handle_irq_event_percpu+0x10a/0x980
 handle_irq_event_percpu+0x77/0x190
 handle_irq_event+0xc6/0x1a0
 handle_edge_irq+0x211/0xd80
 handle_irq+0x3d/0x60
 do_IRQ+0x9b/0x220

The buggy address belongs to the object at ffff880068dff180
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 38 bytes inside of
 64-byte region [ffff880068dff180, ffff880068dff1c0)
The buggy address belongs to the page:
page:ffffea0001a37fc0 count:1 mapcount:0 mapping:ffff88006c401780
index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 ffffea0001a31100 0000001100000011 ffff88006c401780
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880068dff080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff880068dff100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
>ffff880068dff180: 00 00 00 00 07 fc fc fc fc fc fc fc fb fb fb fb
                               ^
 ffff880068dff200: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 fc fc
 ffff880068dff280: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================

Fixes: f88482743872 ("IB/core: clarify overflow/underflow checks on ib_create/destroy_flow")
Cc: syzkaller <syzkaller@googlegroups.com>
Reported-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/uverbs_cmd.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2674,8 +2674,8 @@ int ib_uverbs_ex_create_flow(struct ib_u
 	struct ib_uverbs_flow_attr	  *kern_flow_attr;
 	struct ib_flow_attr		  *flow_attr;
 	struct ib_qp			  *qp;
+	struct ib_uverbs_flow_spec_hdr	  *kern_spec;
 	int err = 0;
-	void *kern_spec;
 	void *ib_spec;
 	int i;
 
@@ -2717,8 +2717,8 @@ int ib_uverbs_ex_create_flow(struct ib_u
 		if (!kern_flow_attr)
 			return -ENOMEM;
 
-		memcpy(kern_flow_attr, &cmd.flow_attr, sizeof(*kern_flow_attr));
-		err = ib_copy_from_udata(kern_flow_attr + 1, ucore,
+		*kern_flow_attr = cmd.flow_attr;
+		err = ib_copy_from_udata(&kern_flow_attr->flow_specs, ucore,
 					 cmd.flow_attr.size);
 		if (err)
 			goto err_free_attr;
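
Review bot: The destination in `ib_copy_from_udata(&kern_flow_attr->flow_specs, ...)` is written with an address-of operator, while the next hunk uses the same member without it (`kern_spec = kern_flow_attr->flow_specs;`); pick one spelling so the two uses read as the same buffer. The copy length is still the user-supplied cmd.flow_attr.size and the allocation that has to cover it sits above the hunk, so the changelog should say the allocation size was checked against the new destination.
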
@@ -2758,19 +2758,21 @@ int ib_uverbs_ex_create_flow(struct ib_u
 	flow_attr->flags = kern_flow_attr->flags;
 	flow_attr->size = sizeof(*flow_attr);
 
-	kern_spec = kern_flow_attr + 1;
+	kern_spec = kern_flow_attr->flow_specs;
 	ib_spec = flow_attr + 1;
 	for (i = 0; i < flow_attr->num_of_specs &&
-	     cmd.flow_attr.size > offsetof(struct ib_uverbs_flow_spec, reserved) &&
-	     cmd.flow_attr.size >=
-	     ((struct ib_uverbs_flow_spec *)kern_spec)->size; i++) {
-		err = kern_spec_to_ib_spec(kern_spec, ib_spec);
+			cmd.flow_attr.size > sizeof(*kern_spec) &&
+			cmd.flow_attr.size >= kern_spec->size;
+	     i++) {
+		err = kern_spec_to_ib_spec(
+				(struct ib_uverbs_flow_spec *)kern_spec,
+				ib_spec);
 		if (err)
 			goto err_free;
 		flow_attr->size +=
 			((union ib_flow_spec *) ib_spec)->size;
-		cmd.flow_attr.size -= ((struct ib_uverbs_flow_spec *)kern_spec)->size;
-		kern_spec += ((struct ib_uverbs_flow_spec *) kern_spec)->size;
+		cmd.flow_attr.size -= kern_spec->size;
+		kern_spec = ((void *)kern_spec) + kern_spec->size;
 		ib_spec += ((union ib_flow_spec *) ib_spec)->size;
 	}
 	if (cmd.flow_attr.size || (i != flow_attr->num_of_specs)) {
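
Review bot: The first loop term, `cmd.flow_attr.size > sizeof(*kern_spec)`, is a strict comparison, so the loop stops when the bytes left equal the header size exactly and the `if (cmd.flow_attr.size || ...)` check after the loop then fires on the leftover. Commit fe48aecb4df8 in this same series changes it to `>=` and quotes the resulting "8 bytes left from uverb cmd" failure; the two need to be applied together. Separately, the advance `kern_spec = ((void *)kern_spec) + kern_spec->size;` uses a user-supplied size with no lower bound in this hunk, so a spec with size 0 is parsed again in place on each iteration until `i` reaches num_of_specs unless kern_spec_to_ib_spec() rejects it.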



* [PATCH 3.16 062/366] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Block, Steffen Maier, Martin K. Petersen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 512857a795cbbda5980efa4cdb3c0b6602330408 upstream.

If a SCSI device is deleted during scsi_eh host reset, we cannot get a
reference to the SCSI device anymore since scsi_device_get returns !=0 by
design. Assuming the recovery of adapter and port(s) was successful,
zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
half-gone SCSI device. Unfortunately, it causes the following confusing
trace record which states that zfcp will do a LUN recovery as "ERP need" is
ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".

Old example trace record formatted with zfcpdbf from s390-tools:

Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
LUN            : 0x<FCP_LUN>
WWPN           : 0x<WWPN>
D_ID           : 0x<N_Port-ID>
Adapter status : 0x5400050b
Port status    : 0x54000001
LUN status     : 0x40000000     ZFCP_STATUS_COMMON_RUNNING
                                but not ZFCP_STATUS_COMMON_UNBLOCKED as it
                                was closed on close part of adapter reopen
ERP want       : 0x01
ERP need       : 0x01           misleading

However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
actually happens.

We always do want the recovery trigger trace record even if no erp_action
could be enqueued as in this case. For other cases where we did not enqueue
an erp_action, 'need' has always been zero to indicate this. In order to
indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
need" as 'not needed' but still keep the information which erp_action type,
that zfcp_erp_required_act() had decided upon, is needed.  0xc_ is chosen to
be visibly different from 0x0_ in "ERP want".

New example trace record formatted with zfcpdbf from s390-tools:

Tag:           : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
LUN            : 0x<FCP_LUN>
WWPN           : 0x<WWPN>
D_ID           : 0x<N_Port-ID>
Adapter status : 0x5400050b
Port status    : 0x54000001
LUN status     : 0x40000000
ERP want       : 0x01
ERP need       : 0xc1           would need LUN ERP, but no action set up
                   ^

Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug
tracing for recovery actions.") we could detect this case because the
"erp_action" field in the trace was NULL. The rework removed erp_action as
argument and field from the trace.

This patch here is for tracing. A fix to allow LUN recovery in the case at
hand is a topic for a separate patch.

See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown
without acquiring reference") for a similar case and background info.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_erp.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -34,11 +34,23 @@ enum zfcp_erp_steps {
 	ZFCP_ERP_STEP_LUN_OPENING	= 0x2000,
 };
 
+/**
+ * enum zfcp_erp_act_type - Type of ERP action object.
+ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
+ *			  either of the other enum values.
+ *			  Used to indicate that an ERP action could not be
+ *			  set up despite a detected need for some recovery.
+ */
 enum zfcp_erp_act_type {
 	ZFCP_ERP_ACTION_REOPEN_LUN         = 1,
 	ZFCP_ERP_ACTION_REOPEN_PORT	   = 2,
 	ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
 	ZFCP_ERP_ACTION_REOPEN_ADAPTER     = 4,
+	ZFCP_ERP_ACTION_NONE		   = 0xc0,
 };
 
 enum zfcp_erp_act_state {
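
Review bot: `ZFCP_ERP_ACTION_NONE = 0xc0` is a bit flag placed in an enum whose other members are the ordinal values 1 to 4, so a variable carrying it can hold 0xc1 to 0xc4, which match no enumerator. The kernel-doc should say that explicitly and name which bits are the marker and which keep the action type, so trace readers and any future switch on this type know to mask. In the same comment, "either of the other enum values" should read "any of the other enum values", as there are four.
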
@@ -256,8 +268,10 @@ static int zfcp_erp_action_enqueue(int w
 		goto out;
 
 	act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
-	if (!act)
+	if (!act) {
+		need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
 		goto out;
+	}
 	atomic_set_mask(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
 	++adapter->erp_total_count;
 	list_add_tail(&act->list, &adapter->erp_ready_head);
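
Review bot: After `need |= ZFCP_ERP_ACTION_NONE;` control reaches `out:` with a value that no longer equals any ZFCP_ERP_ACTION_REOPEN_* constant, and the code at that label is outside the hunk. Confirm that nothing there other than the trace call reads `need` (comparisons, return value), or apply the marker to a separate local that is passed only to the trace.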



* [PATCH 3.16 232/366] cifs: Fix infinite loop when using hard mount option
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Aurelien Aptel, Paulo Alcantara, Paulo Alcantara, Steve French

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paulo Alcantara <paulo@paulo.ac>

commit 7ffbe65578b44fafdef577a360eb0583929f7c6e upstream.

For every request we send, whether it is SMB1 or SMB2+, we attempt to
reconnect tcon (cifs_reconnect_tcon or smb2_reconnect) before carrying
out the request.

So, while server->tcpStatus != CifsNeedReconnect, we wait for the
reconnection to succeed on wait_event_interruptible_timeout(). If it
returns, that means that either the condition was evaluated to true, or
timeout elapsed, or it was interrupted by a signal.

Since we're not handling the case where the process woke up due to a
received signal (-ERESTARTSYS), the next call to
wait_event_interruptible_timeout() will _always_ fail and we end up
looping forever inside either cifs_reconnect_tcon() or smb2_reconnect().

Here's an example of how to trigger that:

$ mount.cifs //foo/share /mnt/test -o
username=foo,password=foo,vers=1.0,hard

(break connection to server before executing below cmd)
$ stat -f /mnt/test & sleep 140
[1] 2511

$ ps -aux -q 2511
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2511  0.0  0.0  12892  1008 pts/0    S    12:24   0:00 stat -f
/mnt/test

$ kill -9 2511

(wait for a while; process is stuck in the kernel)
$ ps -aux -q 2511
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2511 83.2  0.0  12892  1008 pts/0    R    12:24  30:01 stat -f
/mnt/test

Using the 'hard' mount point means that cifs.ko will keep retrying
indefinitely; however, we must allow the process to be killed, otherwise
it would hang the system.

Signed-off-by: Paulo Alcantara <palcantara@suse.de>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifssmb.c | 10 ++++++++--
 fs/cifs/smb2pdu.c | 18 ++++++++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)

--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -150,8 +150,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tc
 	 * greater than cifs socket timeout which is 7 seconds
 	 */
 	while (server->tcpStatus == CifsNeedReconnect) {
-		wait_event_interruptible_timeout(server->response_q,
-			(server->tcpStatus != CifsNeedReconnect), 10 * HZ);
+		rc = wait_event_interruptible_timeout(server->response_q,
+						      (server->tcpStatus != CifsNeedReconnect),
+						      10 * HZ);
+		if (rc < 0) {
+			cifs_dbg(FYI, "%s: aborting reconnect due to a received"
+				 " signal by the process\n", __func__);
+			return -ERESTARTSYS;
+		}
 
 		/* are we still trying to reconnect? */
 		if (server->tcpStatus != CifsNeedReconnect)
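
Review bot: In the new error branch the debug string is split across two source lines ("... due to a received" / " signal by the process\n"), which defeats grepping for the message; keep it on one line even if that exceeds the column limit. Also, `rc` now holds the remaining-jiffies return value (zero or positive) whenever the wait was not interrupted, so every path after this loop has to assign `rc` before returning it; that code is outside the hunk, and the changelog should say it was checked.
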
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -158,7 +158,7 @@ out:
 static int
 smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
 {
-	int rc = 0;
+	int rc;
 	struct nls_table *nls_codepage;
 	struct cifs_ses *ses;
 	struct TCP_Server_Info *server;
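
Review bot: Dropping the initialiser in `int rc;` leaves `rc` indeterminate until its first assignment. The hunks below convert three `return rc;` statements to `return 0;`, but any other `return rc` or jump to an exit label in smb2_reconnect() that can be reached before an assignment is not visible in this diff; either keep `= 0` or note in the changelog that all such paths were audited.
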
@@ -169,10 +169,10 @@ smb2_reconnect(__le16 smb2_command, stru
 	 * for those three - in the calling routine.
 	 */
 	if (tcon == NULL)
-		return rc;
+		return 0;
 
 	if (smb2_command == SMB2_TREE_CONNECT)
-		return rc;
+		return 0;
 
 	if (tcon->tidStatus == CifsExiting) {
 		/*
@@ -215,8 +215,14 @@ smb2_reconnect(__le16 smb2_command, stru
 			return -EAGAIN;
 		}
 
-		wait_event_interruptible_timeout(server->response_q,
-			(server->tcpStatus != CifsNeedReconnect), 10 * HZ);
+		rc = wait_event_interruptible_timeout(server->response_q,
+						      (server->tcpStatus != CifsNeedReconnect),
+						      10 * HZ);
+		if (rc < 0) {
+			cifs_dbg(FYI, "%s: aborting reconnect due to a received"
+				 " signal by the process\n", __func__);
+			return -ERESTARTSYS;
+		}
 
 		/* are we still trying to reconnect? */
 		if (server->tcpStatus != CifsNeedReconnect)
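
Review bot: This wait-and-abort block is a line-for-line copy of the one added to cifs_reconnect_tcon() in cifssmb.c, including the split format string. A small shared helper that returns -ERESTARTSYS on a signal would keep the SMB1 and SMB2+ reconnect paths from drifting apart the next time one of them is touched.
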
@@ -234,7 +240,7 @@ smb2_reconnect(__le16 smb2_command, stru
 	}
 
 	if (!tcon->ses->need_reconnect && !tcon->need_reconnect)
-		return rc;
+		return 0;
 
 	nls_codepage = load_nls_default();
 



* [PATCH 3.16 262/366] x86/apm: Don't access __preempt_count with zeroed fs
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Ville Syrjälä,
	x86, H. Peter Anvin, David Woodhouse

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 upstream.

APM_DO_POP_SEGS does not restore fs/gs which were zeroed by
APM_DO_ZERO_SEGS. Trying to access __preempt_count with
zeroed fs doesn't really work.

Move the ibrs call outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS
invocations so that fs is actually restored before calling
preempt_enable().

Fixes the following sort of oopses:
[    0.313581] general protection fault: 0000 [#1] PREEMPT SMP
[    0.313803] Modules linked in:
[    0.314040] CPU: 0 PID: 268 Comm: kapmd Not tainted 4.16.0-rc1-triton-bisect-00090-gdd84441a7971 #19
[    0.316161] EIP: __apm_bios_call_simple+0xc8/0x170
[    0.316161] EFLAGS: 00210016 CPU: 0
[    0.316161] EAX: 00000102 EBX: 00000000 ECX: 00000102 EDX: 00000000
[    0.316161] ESI: 0000530e EDI: dea95f64 EBP: dea95f18 ESP: dea95ef0
[    0.316161]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
[    0.316161] CR0: 80050033 CR2: 00000000 CR3: 015d3000 CR4: 000006d0
[    0.316161] Call Trace:
[    0.316161]  ? cpumask_weight.constprop.15+0x20/0x20
[    0.316161]  on_cpu0+0x44/0x70
[    0.316161]  apm+0x54e/0x720
[    0.316161]  ? __switch_to_asm+0x26/0x40
[    0.316161]  ? __schedule+0x17d/0x590
[    0.316161]  kthread+0xc0/0xf0
[    0.316161]  ? proc_apm_show+0x150/0x150
[    0.316161]  ? kthread_create_worker_on_cpu+0x20/0x20
[    0.316161]  ret_from_fork+0x2e/0x38
[    0.316161] Code: da 8e c2 8e e2 8e ea 57 55 2e ff 1d e0 bb 5d b1 0f 92 c3 5d 5f 07 1f 89 47 0c 90 8d b4 26 00 00 00 00 90 8d b4 26 00 00 00 00 90 <64> ff 0d 84 16 5c b1 74 7f 8b 45 dc 8e e0 8b 45 d8 8e e8 8b 45
[    0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 SS:ESP: 0068:dea95ef0
[    0.316161] ---[ end trace 656253db2deaa12c ]---

Fixes: dd84441a7971 ("x86/speculation: Use IBRS if available before calling into firmware")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc:  David Woodhouse <dwmw@amazon.co.uk>
Cc:  "H. Peter Anvin" <hpa@zytor.com>
Cc:  x86@kernel.org
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Link: https://lkml.kernel.org/r/20180709133534.5963-1-ville.syrjala@linux.intel.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/apm.h | 6 ------
 arch/x86/kernel/apm_32.c   | 5 +++++
 2 files changed, 5 insertions(+), 6 deletions(-)

--- a/arch/x86/include/asm/apm.h
+++ b/arch/x86/include/asm/apm.h
@@ -6,8 +6,6 @@
 #ifndef _ASM_X86_MACH_DEFAULT_APM_H
 #define _ASM_X86_MACH_DEFAULT_APM_H
 
-#include <asm/nospec-branch.h>
-
 #ifdef APM_ZERO_SEGS
 #	define APM_DO_ZERO_SEGS \
 		"pushl %%ds\n\t" \
@@ -33,7 +31,6 @@ static inline void apm_bios_call_asm(u32
 	 * N.B. We do NOT need a cld after the BIOS call
 	 * because we always save and restore the flags.
 	 */
-	firmware_restrict_branch_speculation_start();
 	__asm__ __volatile__(APM_DO_ZERO_SEGS
 		"pushl %%edi\n\t"
 		"pushl %%ebp\n\t"
@@ -46,7 +43,6 @@ static inline void apm_bios_call_asm(u32
 		  "=S" (*esi)
 		: "a" (func), "b" (ebx_in), "c" (ecx_in)
 		: "memory", "cc");
-	firmware_restrict_branch_speculation_end();
 }
 
 static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
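
Review bot: With firmware_restrict_branch_speculation_start()/_end() removed from apm_bios_call_asm() here, and from apm_bios_call_simple_asm() in the hunks that follow, these inline helpers no longer apply the mitigation themselves; it now depends on every caller wrapping the call. Add a comment above both helpers stating that requirement, since the header also loses its <asm/nospec-branch.h> include and gives no other hint of it.
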
@@ -59,7 +55,6 @@ static inline u8 apm_bios_call_simple_as
 	 * N.B. We do NOT need a cld after the BIOS call
 	 * because we always save and restore the flags.
 	 */
-	firmware_restrict_branch_speculation_start();
 	__asm__ __volatile__(APM_DO_ZERO_SEGS
 		"pushl %%edi\n\t"
 		"pushl %%ebp\n\t"
@@ -72,7 +67,6 @@ static inline u8 apm_bios_call_simple_as
 		  "=S" (si)
 		: "a" (func), "b" (ebx_in), "c" (ecx_in)
 		: "memory", "cc");
-	firmware_restrict_branch_speculation_end();
 	return error;
 }
 
--- a/arch/x86/kernel/apm_32.c
+++ b/arch/x86/kernel/apm_32.c
@@ -239,6 +239,7 @@
 #include <asm/olpc.h>
 #include <asm/paravirt.h>
 #include <asm/reboot.h>
+#include <asm/nospec-branch.h>
 
 #if defined(CONFIG_APM_DISPLAY_BLANK) && defined(CONFIG_VT)
 extern int (*console_blank_hook)(int);
@@ -614,11 +615,13 @@ static long __apm_bios_call(void *_call)
 	gdt[0x40 / 8] = bad_bios_desc;
 
 	apm_irq_save(flags);
+	firmware_restrict_branch_speculation_start();
 	APM_DO_SAVE_SEGS;
 	apm_bios_call_asm(call->func, call->ebx, call->ecx,
 			  &call->eax, &call->ebx, &call->ecx, &call->edx,
 			  &call->esi);
 	APM_DO_RESTORE_SEGS;
+	firmware_restrict_branch_speculation_end();
 	apm_irq_restore(flags);
 	gdt[0x40 / 8] = save_desc_40;
 	put_cpu();
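
Review bot: The placement of firmware_restrict_branch_speculation_start() before APM_DO_SAVE_SEGS and of _end() after APM_DO_RESTORE_SEGS is what the fix depends on, yet the code carries no comment saying so. Add one line explaining that _end() must run only after fs has been restored (per the changelog, it leads to preempt_enable(), which accesses __preempt_count through fs), so a later cleanup does not move the calls back next to the BIOS call. The same applies to the identical sequence in __apm_bios_call_simple() in the next hunk.
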
@@ -690,10 +693,12 @@ static long __apm_bios_call_simple(void
 	gdt[0x40 / 8] = bad_bios_desc;
 
 	apm_irq_save(flags);
+	firmware_restrict_branch_speculation_start();
 	APM_DO_SAVE_SEGS;
 	error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx,
 					 &call->eax);
 	APM_DO_RESTORE_SEGS;
+	firmware_restrict_branch_speculation_end();
 	apm_irq_restore(flags);
 	gdt[0x40 / 8] = save_desc_40;
 	put_cpu();



* [PATCH 3.16 083/366] IB/isert: Fix for lib/dma_debug check_sync warning
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dennis Dalessandro, Mike Marciniszyn, Doug Ledford,
	Don Dutile, Alex Estrin

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Estrin <alex.estrin@intel.com>

commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream.

The following error message occurs on a target host in a debug build
during session login:

[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0
[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes]
......snip .....

[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1
[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015
[ 3524.555740] Call Trace:
[ 3524.559102]  [<ffffffffa5fe915b>] dump_stack+0x19/0x1b
[ 3524.565477]  [<ffffffffa58a2f58>] __warn+0xd8/0x100
[ 3524.571557]  [<ffffffffa58a2fdf>] warn_slowpath_fmt+0x5f/0x80
[ 3524.578610]  [<ffffffffa5bf5b8c>] check_sync+0x4ec/0x5b0
[ 3524.585177]  [<ffffffffa58efc3f>] ? set_cpus_allowed_ptr+0x5f/0x1c0
[ 3524.592812]  [<ffffffffa5bf5cd0>] debug_dma_sync_single_for_cpu+0x80/0x90
[ 3524.601029]  [<ffffffffa586add3>] ? x2apic_send_IPI_mask+0x13/0x20
[ 3524.608574]  [<ffffffffa585ee1b>] ? native_smp_send_reschedule+0x5b/0x80
[ 3524.616699]  [<ffffffffa58e9b76>] ? resched_curr+0xf6/0x140
[ 3524.623567]  [<ffffffffc0879af0>] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert]
[ 3524.633060]  [<ffffffffc087af95>] isert_put_login_tx+0x55/0x8b0 [ib_isert]
[ 3524.641383]  [<ffffffffa58ef114>] ? try_to_wake_up+0x1a4/0x430
[ 3524.648561]  [<ffffffffc098cfed>] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod]
[ 3524.658557]  [<ffffffffc098d827>] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod]
[ 3524.668084]  [<ffffffffa59f9bc9>] ? kstrdup+0x49/0x60
[ 3524.674420]  [<ffffffffc098e976>] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod]
[ 3524.684656]  [<ffffffffc098c2ee>] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod]
[ 3524.694901]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
[ 3524.705446]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
[ 3524.715976]  [<ffffffffc098ca78>] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod]
[ 3524.725739]  [<ffffffffa58d60ff>] kthread+0xef/0x100
[ 3524.732007]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
[ 3524.739540]  [<ffffffffa5fff1b7>] ret_from_fork_nospec_begin+0x21/0x21
[ 3524.747558]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]---
[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION.

The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it
with dma-mapped address.
login_tx_desc is a part of iser_conn structure and is used only once
during login negotiation, so the issue is fixed by eliminating
dma_sync call for this buffer using a special case routine.

Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Don Dutile <ddutile@redhat.com>
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
 - Parameters to isert_create_send_desc() are not redundant; forward them
   all to __isert_create_send_desc()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/isert/ib_isert.c | 26 ++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1033,14 +1033,10 @@ isert_post_send(struct isert_conn *isert
 }
 
 static void
-isert_create_send_desc(struct isert_conn *isert_conn,
-		       struct isert_cmd *isert_cmd,
-		       struct iser_tx_desc *tx_desc)
+__isert_create_send_desc(struct isert_conn *isert_conn,
+			 struct isert_cmd *isert_cmd,
+			 struct iser_tx_desc *tx_desc)
 {
-	struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
-
-	ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
-				   ISER_HEADERS_LEN, DMA_TO_DEVICE);
 
 	memset(&tx_desc->iser_header, 0, sizeof(struct iser_hdr));
 	tx_desc->iser_header.flags = ISER_VER;
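
Review bot: Removing the declaration and the sync call leaves __isert_create_send_desc() with an empty line directly after its opening brace; drop that blank line. A short comment above the function saying that it deliberately skips ib_dma_sync_single_for_cpu(), and when that is safe, would make the double-underscore variant self-explanatory.
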
@@ -1054,6 +1050,19 @@ isert_create_send_desc(struct isert_conn
 	}
 }
 
+static void
+isert_create_send_desc(struct isert_conn *isert_conn,
+		       struct isert_cmd *isert_cmd,
+		       struct iser_tx_desc *tx_desc)
+{
+	struct ib_device *ib_dev = isert_conn->conn_cm_id->device;
+
+	ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
+				   ISER_HEADERS_LEN, DMA_TO_DEVICE);
+
+	__isert_create_send_desc(isert_conn, isert_cmd, tx_desc);
+}
+
 static int
 isert_init_tx_hdrs(struct isert_conn *isert_conn,
 		   struct iser_tx_desc *tx_desc)
@@ -1150,7 +1159,7 @@ isert_put_login_tx(struct iscsi_conn *co
 	struct iser_tx_desc *tx_desc = &isert_conn->conn_login_tx_desc;
 	int ret;
 
-	isert_create_send_desc(isert_conn, NULL, tx_desc);
+	__isert_create_send_desc(isert_conn, NULL, tx_desc);
 
 	memcpy(&tx_desc->iscsi_header, &login->rsp[0],
 	       sizeof(struct iscsi_hdr));
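
Review bot: the call in isert_put_login_tx() switches to
__isert_create_send_desc() with no comment at the call site, so the reason
for skipping the sync (conn_login_tx_desc has no dma-mapped address at this
point, per the commit message) is only recoverable from the changelog. A
short comment above the call would keep a later cleanup from changing it
back to isert_create_send_desc().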



* [PATCH 3.16 086/366] usb: gadget: function: printer: avoid wrong list handling in printer_write()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 352/366] perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 129/366] net/sched: act_simple: fix parsing of TCA_DEF_DATA Ben Hutchings
                   ` (327 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Felipe Balbi, Yoshihiro Shimoda, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 4a014a7339f441b0851ce012f469c0fadac61c81 upstream.

When printer_write() calls usb_ep_queue(), a udc driver (e.g.
renesas_usbhs driver) may call usb_gadget_giveback_request() in
the udc .queue ops immediately. Then, printer_write() calls
list_add(&req->list, &dev->tx_reqs_active) wrongly. After that,
if we do unbind the printer driver, WARN_ON() happens in
printer_func_unbind() because the list entry is not removed.

So, this patch moves list_add(&req->list, &dev->tx_reqs_active)
calling before usb_ep_queue().

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/printer.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/printer.c
+++ b/drivers/usb/gadget/printer.c
@@ -667,19 +667,19 @@ printer_write(struct file *fd, const cha
 			return -EAGAIN;
 		}
 
+		list_add(&req->list, &dev->tx_reqs_active);
+
 		/* here, we unlock, and only unlock, to avoid deadlock. */
 		spin_unlock(&dev->lock);
 		value = usb_ep_queue(dev->in_ep, req, GFP_ATOMIC);
 		spin_lock(&dev->lock);
 		if (value) {
+			list_del(&req->list);
 			list_add(&req->list, &dev->tx_reqs);
 			spin_unlock_irqrestore(&dev->lock, flags);
 			mutex_unlock(&dev->lock_printer_io);
 			return -EAGAIN;
 		}
-
-		list_add(&req->list, &dev->tx_reqs_active);
-
 	}
 
 	spin_unlock_irqrestore(&dev->lock, flags);
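
Review bot: in the usb_ep_queue() failure branch, list_del(&req->list)
immediately followed by list_add(&req->list, &dev->tx_reqs) can be a single
list_move(&req->list, &dev->tx_reqs). The new list_add() ahead of
spin_unlock() also deserves a comment saying that the request has to be on
tx_reqs_active before usb_ep_queue() because the UDC may give it back from
inside that call; without it the ordering looks arbitrary and is easy to
undo.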



* [PATCH 3.16 076/366] ipmi:bt: Set the timeout before doing a capabilities check
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 169/366] net/xen-netfront: only clean up queues if present Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 217/366] ext4: check superblock mapped prior to committing Ben Hutchings
                   ` (250 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Corey Minyard, Nordmark Claes

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <cminyard@mvista.com>

commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.

There was one place where the timeout value for an operation was
not being set, if a capabilities request was done from idle.  Move
the timeout value setting to before where that change might be
requested.

IMHO the cause here is the invisible returns in the macros.  Maybe
that's a job for later, though.

Reported-by: Nordmark Claes <Claes.Nordmark@tieto.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/ipmi/ipmi_bt_sm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct
 		if (status & BT_H_BUSY)		/* clear a leftover H_BUSY */
 			BT_CONTROL(BT_H_BUSY);
 
+		bt->timeout = bt->BT_CAP_req2rsp;
+
 		/* Read BT capabilities if it hasn't been done yet */
 		if (!bt->BT_CAP_outreqs)
 			BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
 					SI_SM_CALL_WITHOUT_DELAY);
-		bt->timeout = bt->BT_CAP_req2rsp;
 		BT_SI_SM_RETURN(SI_SM_IDLE);
 
 	case BT_STATE_XACTION_START:
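
Review bot: the assignment bt->timeout = bt->BT_CAP_req2rsp now has to stay
above BT_STATE_CHANGE(), but nothing in the code says so, and the commit
message itself names the invisible return in the macro as the cause. Add a
comment on the assignment noting that BT_STATE_CHANGE() returns from
bt_event(), so the timeout must be set before it is invoked.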



* [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (278 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 089/366] Btrfs: don't BUG_ON() in btrfs_truncate_inode_items() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 060/366] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler Ben Hutchings
                   ` (86 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Ben Skeggs

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 upstream.

The bo array has req->nr_buffers elements so the > should be >= so we
don't read beyond the end of the array.

Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_gem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -613,7 +613,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n
 		struct nouveau_bo *nvbo;
 		uint32_t data;
 
-		if (unlikely(r->bo_index > req->nr_buffers)) {
+		if (unlikely(r->bo_index >= req->nr_buffers)) {
 			NV_ERROR(cli, "reloc bo index invalid\n");
 			ret = -EINVAL;
 			break;
@@ -623,7 +623,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n
 		if (b->presumed.valid)
 			continue;
 
-		if (unlikely(r->reloc_bo_index > req->nr_buffers)) {
+		if (unlikely(r->reloc_bo_index >= req->nr_buffers)) {
 			NV_ERROR(cli, "reloc container bo index invalid\n");
 			ret = -EINVAL;
 			break;
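
Review bot: the NV_ERROR() on the reloc_bo_index check reports only "reloc
container bo index invalid", without the rejected index or
req->nr_buffers, and the bo_index check in the previous hunk has the same
gap. Printing both values in the two messages would make a rejected
relocation diagnosable from the log, and would have made the off-by-one
visible the first time an index equal to nr_buffers was rejected or
accepted.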



* [PATCH 3.16 140/366] l2tp: prevent pppol2tp_connect() from creating kernel sockets
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (312 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 273/366] usb: core: handle hub C_PORT_OVER_CURRENT condition Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 124/366] pagemap: hide physical addresses from non-privileged users Ben Hutchings
                   ` (52 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd upstream.

If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
the relevant fields to zero, tricking l2tp_tunnel_create() into setting
up an unusable kernel socket.

We can't set 'tcfg' with the required fields because there's no way to
get them from the current connect() parameters. So let's restrict
kernel sockets creation to the netlink API, which is the original use
case.

Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -723,6 +723,15 @@ static int pppol2tp_connect(struct socke
 				.encap = L2TP_ENCAPTYPE_UDP,
 				.debug = 0,
 			};
+
+			/* Prevent l2tp_tunnel_register() from trying to set up
+			 * a kernel socket.
+			 */
+			if (fd < 0) {
+				error = -EBADF;
+				goto end;
+			}
+
 			error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel);
 			if (error < 0)
 				goto end;
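
Review bot: the new comment above the fd < 0 check names
l2tp_tunnel_register(), but the call it guards in this tree is
l2tp_tunnel_create(), and the commit message also describes
l2tp_tunnel_create() as the function that sets up the kernel socket. The
comment should name l2tp_tunnel_create() in the 3.16 backport so that a
reader searching for the function finds it.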



* [PATCH 3.16 040/366] powerpc/lib: Fix feature fixup test of external branch
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (152 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 113/366] PCI: shpchp: Fix AMD POGO identification Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 090/366] Btrfs: don't return ino to ino cache if inode item removal fails Ben Hutchings
                   ` (212 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 32810d91325ec76b8ef4df463f8a0e9baf353322 upstream.

The expected case for this test was wrong, the source of the alternate
code sequence is:

  FTR_SECTION_ELSE
  2:	or	2,2,2
  	PPC_LCMPI	r3,1
  	beq	3f
  	blt	2b
  	b	3f
  	b	1b
  ALT_FTR_SECTION_END(0, 1)
  3:	or	1,1,1
  	or	2,2,2
  4:	or	3,3,3

So when it's patched the '3' label should still be on the 'or 1,1,1',
and the 4 label is irrelevant and can be removed.

Fixes: 362e7701fd18 ("powerpc: Add self-tests of the feature fixup code")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/lib/feature-fixups-test.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/lib/feature-fixups-test.S
+++ b/arch/powerpc/lib/feature-fixups-test.S
@@ -167,9 +167,9 @@ globl(ftr_fixup_test6_expected)
 	blt	2b
 	b	3f
 	b	1b
-2:	or	1,1,1
+3:	or	1,1,1
 	or	2,2,2
-3:	or	3,3,3
+	or	3,3,3
 
 
 #if 0



* [PATCH 3.16 115/366] kconfig: Avoid format overflow warning from GCC 8.1
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 339/366] KVM: x86: fix escape of guest dr6 to the host Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 075/366] of: unittest: for strings, account for trailing \\0 in property length field Ben Hutchings
                   ` (282 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nathan Chancellor, Masahiro Yamada

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit 2ae89c7a82ea9d81a19b4fc2df23bef4b112f24e upstream.

In file included from scripts/kconfig/zconf.tab.c:2485:
scripts/kconfig/confdata.c: In function ‘conf_write’:
scripts/kconfig/confdata.c:773:22: warning: ‘%s’ directive writing likely 7 or more bytes into a region of size between 1 and 4097 [-Wformat-overflow=]
  sprintf(newname, "%s%s", dirname, basename);
                      ^~
scripts/kconfig/confdata.c:773:19: note: assuming directive output of 7 bytes
  sprintf(newname, "%s%s", dirname, basename);
                   ^~~~~~
scripts/kconfig/confdata.c:773:2: note: ‘sprintf’ output 1 or more bytes (assuming 4104) into a destination of size 4097
  sprintf(newname, "%s%s", dirname, basename);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
scripts/kconfig/confdata.c:776:23: warning: ‘.tmpconfig.’ directive writing 11 bytes into a region of size between 1 and 4097 [-Wformat-overflow=]
   sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid());
                       ^~~~~~~~~~~
scripts/kconfig/confdata.c:776:3: note: ‘sprintf’ output between 13 and 4119 bytes into a destination of size 4097
   sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid());
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Increase the size of tmpname and newname to make GCC happy.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/kconfig/confdata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -738,7 +738,7 @@ int conf_write(const char *name)
 	struct menu *menu;
 	const char *basename;
 	const char *str;
-	char dirname[PATH_MAX+1], tmpname[PATH_MAX+1], newname[PATH_MAX+1];
+	char dirname[PATH_MAX+1], tmpname[PATH_MAX+22], newname[PATH_MAX+8];
 	char *env;
 
 	dirname[0] = 0;
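
Review bot: the new sizes PATH_MAX+22 and PATH_MAX+8 on the tmpname and
newname declarations are unexplained constants, and the two sprintf() calls
quoted in the warning stay unbounded, so the buffers are only correct as
long as the format strings never change. Either derive the sizes in a
comment from the format strings (".tmpconfig." plus the pid digits, and the
basename length) or switch the calls to snprintf(tmpname, sizeof(tmpname),
...) and snprintf(newname, sizeof(newname), ...) so that the bound is
enforced rather than assumed.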



* [PATCH 3.16 056/366] mfd: tps65911-comparator: Fix an off by one bug
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 302/366] can: ems_usb: Fix memory leak on ems_usb_disconnect() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 058/366] ALSA: core: Assure control device to be registered at last Ben Hutchings
                   ` (289 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Lee Jones

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee.jones@linaro.org>

commit 1768391c3674b0c6bdc4947121f15fb0c2f47ec4 upstream.

The COMP1 and COMP2 elements are in 0 and 1 respectively so this code is
accessing the wrong elements and one space beyond the end of the array.

The "id" variable is never COMP (0) so that code can be removed.

Fixes: 6851ad3ab346 ("TPS65911: Comparator: Add comparator driver")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/tps65911-comparator.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

--- a/drivers/mfd/tps65911-comparator.c
+++ b/drivers/mfd/tps65911-comparator.c
@@ -22,9 +22,8 @@
 #include <linux/gpio.h>
 #include <linux/mfd/tps65910.h>
 
-#define COMP					0
-#define COMP1					1
-#define COMP2					2
+#define COMP1					0
+#define COMP2					1
 
 /* Comparator 1 voltage selection table in millivolts */
 static const u16 COMP_VSEL_TABLE[] = {
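
Review bot: COMP1 and COMP2 are renumbered to 0 and 1 because they are used
as array indices, but the defines carry no comment saying so, which is how
the original off-by-one went unnoticed. Add a comment that the values index
the comparator array, or turn them into an enum with a trailing count that
the array can be sized against.
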
@@ -63,9 +62,6 @@ static int comp_threshold_set(struct tps
 	int ret;
 	u8 index = 0, val;
 
-	if (id == COMP)
-		return 0;
-
 	while (curr_voltage < tps_comp.uV_max) {
 		curr_voltage = tps_comp.vsel_table[index];
 		if (curr_voltage >= voltage)
@@ -89,9 +85,6 @@ static int comp_threshold_get(struct tps
 	unsigned int val;
 	int ret;
 
-	if (id == COMP)
-		return 0;
-
 	ret = tps65910_reg_read(tps65910, tps_comp.reg, &val);
 	if (ret < 0)
 		return ret;



* [PATCH 3.16 192/366] xfrm: fix missing dst_release() after policy blocking lbcast and multicast
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (343 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 094/366] libata: zpodd: small read overflow in eject_tray() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 027/366] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user Ben Hutchings
                   ` (21 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steffen Klassert, Tommi Rantala

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tommi Rantala <tommi.t.rantala@nokia.com>

commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 upstream.

Fix missing dst_release() when local broadcast or multicast traffic is
xfrm policy blocked.

For IPv4 this results to dst leak: ip_route_output_flow() allocates
dst_entry via __ip_route_output_key() and passes it to
xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
propagated. The dst that was allocated is never released.

IPv4 local broadcast testcase:
 ping -b 192.168.1.255 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block

IPv4 multicast testcase:
 ping 224.0.0.1 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block

For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
 ip netns add TEST
 ip netns exec TEST ip link set lo up
 ip link add dummy0 type dummy
 ip link set dev dummy0 netns TEST
 ip netns exec TEST ip addr add fd00::1111 dev dummy0
 ip netns exec TEST ip link set dummy0 up
 ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
 sleep 1
 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
 wait
 ip netns del TEST

After netns deletion we see:
[  258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2

Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_policy.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2176,6 +2176,9 @@ struct dst_entry *xfrm_lookup_route(stru
 	if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
 		return make_blackhole(net, dst_orig->ops->family, dst_orig);
 
+	if (IS_ERR(dst))
+		dst_release(dst_orig);
+
 	return dst;
 }
 EXPORT_SYMBOL(xfrm_lookup_route);
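
Review bot: the added IS_ERR(dst) branch makes xfrm_lookup_route() release
dst_orig on every error return, while the -EREMOTE case just above hands
dst_orig to make_blackhole() instead, and neither rule is documented at the
function. A short comment stating that the function consumes dst_orig on
failure would tell callers not to release it again after an ERR_PTR
return.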



* [PATCH 3.16 195/366] xfrm: free skb if nlsk pointer is NULL
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 010/366] rtl8723be: Fix misleading indentation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 359/366] perf top: Use __fallthrough Ben Hutchings
                   ` (259 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Steffen Klassert

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 86126b77dcd551ce223e7293bb55854e3df05646 upstream.

nlmsg_multicast() always frees the skb, so in case we cannot call
it we must do that ourselves.

Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -959,10 +959,12 @@ static inline int xfrm_nlmsg_multicast(s
 {
 	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
 
-	if (nlsk)
-		return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
-	else
-		return -1;
+	if (!nlsk) {
+		kfree_skb(skb);
+		return -EPIPE;
+	}
+
+	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
 }
 
 static inline size_t xfrm_spdinfo_msgsize(void)
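
Review bot: the !nlsk branch changes the return value from -1 to -EPIPE in
addition to freeing the skb, and the commit message only mentions the
free. Say in the changelog that the error code changes, and add a comment
on xfrm_nlmsg_multicast() that it always consumes skb, so callers do not
free it on failure.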



* [PATCH 3.16 078/366] ext4: correct endianness conversion in __xattr_check_inode()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 286/366] can: xilinx_can: fix incorrect clear of non-processed interrupts Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 275/366] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb Ben Hutchings
                   ` (145 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Eric Biggers

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 199625098a18a5522b424dea9b122b254c022fc5 upstream.

It should be cpu_to_le32(), not le32_to_cpu().  No change in behavior.

Found with sparse, and this was the only endianness warning in fs/ext4/.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,7 +251,7 @@ __xattr_check_inode(struct inode *inode,
 	int error = -EIO;
 
 	if (((void *) header >= end) ||
-	    (header->h_magic != le32_to_cpu(EXT4_XATTR_MAGIC)))
+	    (header->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC)))
 		goto errout;
 	error = ext4_xattr_check_names(entry, end, entry);
 errout:



* [PATCH 3.16 129/366] net/sched: act_simple: fix parsing of TCA_DEF_DATA
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 086/366] usb: gadget: function: printer: avoid wrong list handling in printer_write() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 001/366] arm64: add missing data types in smp_load_acquire/smp_store_release Ben Hutchings
                   ` (326 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Davide Caratti, Simon Horman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>

commit 8d499533e0bc02d44283dbdab03142b599b8ba16 upstream.

use nla_strlcpy() to avoid copying data beyond the length of TCA_DEF_DATA
netlink attribute, in case it is less than SIMP_MAX_DATA and it does not
end with '\0' character.

v2: fix errors in the commit message, thanks Hangbin Liu

Fixes: fa1b1cff3d06 ("net_cls_act: Make act_simple use of netlink policy.")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -52,22 +52,22 @@ static void tcf_simp_release(struct tc_a
 	kfree(d->tcfd_defdata);
 }
 
-static int alloc_defdata(struct tcf_defact *d, char *defdata)
+static int alloc_defdata(struct tcf_defact *d, const struct nlattr *defdata)
 {
 	d->tcfd_defdata = kzalloc(SIMP_MAX_DATA, GFP_KERNEL);
 	if (unlikely(!d->tcfd_defdata))
 		return -ENOMEM;
-	strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
+	nla_strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
 	return 0;
 }
 
-static void reset_policy(struct tcf_defact *d, char *defdata,
+static void reset_policy(struct tcf_defact *d, const struct nlattr *defdata,
 			 struct tc_defact *p)
 {
 	spin_lock_bh(&d->tcf_lock);
 	d->tcf_action = p->action;
 	memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
-	strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
+	nla_strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
 	spin_unlock_bh(&d->tcf_lock);
 }
 
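
Review bot: the return value of nla_strlcpy() is ignored in both
alloc_defdata() and reset_policy(), so a TCA_DEF_DATA attribute longer than
SIMP_MAX_DATA - 1 bytes is truncated silently. If truncation is acceptable,
say so in a comment; otherwise compare the return value against
SIMP_MAX_DATA and reject the attribute in alloc_defdata() before the action
is installed.
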
@@ -83,7 +83,6 @@ static int tcf_simp_init(struct net *net
 	struct nlattr *tb[TCA_DEF_MAX + 1];
 	struct tc_defact *parm;
 	struct tcf_defact *d;
-	char *defdata;
 	int ret = 0, err;
 
 	if (nla == NULL)
@@ -100,7 +99,6 @@ static int tcf_simp_init(struct net *net
 		return -EINVAL;
 
 	parm = nla_data(tb[TCA_DEF_PARMS]);
-	defdata = nla_data(tb[TCA_DEF_DATA]);
 
 	if (!tcf_hash_check(parm->index, a, bind)) {
 		ret = tcf_hash_create(parm->index, est, a, sizeof(*d), bind);
@@ -108,7 +106,7 @@ static int tcf_simp_init(struct net *net
 			return ret;
 
 		d = to_defact(a);
-		ret = alloc_defdata(d, defdata);
+		ret = alloc_defdata(d, tb[TCA_DEF_DATA]);
 		if (ret < 0) {
 			tcf_hash_cleanup(a, est);
 			return ret;
@@ -124,7 +122,7 @@ static int tcf_simp_init(struct net *net
 		if (!ovr)
 			return -EEXIST;
 
-		reset_policy(d, defdata, parm);
+		reset_policy(d, tb[TCA_DEF_DATA], parm);
 	}
 
 	if (ret == ACT_P_CREATED)



* [PATCH 3.16 141/366] l2tp: clean up stale tunnel or session in pppol2tp_connect's error path
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 288/366] fscache: Allow cancelled operations to be enqueued Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 171/366] xen-netfront: avoid crashing on resume after a failure in talk_to_netback() Ben Hutchings
                   ` (319 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Guillaume Nault, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit bda06be2158c7aa7e41b15500c4d3840369c19a6 upstream.

pppol2tp_connect() may create a tunnel or a session. Remove them in
case of error.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -634,6 +634,8 @@ static int pppol2tp_connect(struct socke
 	u32 session_id, peer_session_id;
 	bool drop_refcnt = false;
 	bool drop_tunnel = false;
+	bool new_session = false;
+	bool new_tunnel = false;
 	int ver = 2;
 	int fd;
 
@@ -744,6 +746,7 @@ static int pppol2tp_connect(struct socke
 				goto end;
 			}
 			drop_tunnel = true;
+			new_tunnel = true;
 		}
 	} else {
 		/* Error if we can't find the tunnel */
@@ -817,6 +820,7 @@ static int pppol2tp_connect(struct socke
 			goto end;
 		}
 		drop_refcnt = true;
+		new_session = true;
 	}
 
 	/* Special case: if source & dest session_id == 0x0000, this
@@ -863,6 +867,12 @@ out_no_ppp:
 		  session->name);
 
 end:
+	if (error) {
+		if (new_session)
+			l2tp_session_delete(session);
+		if (new_tunnel)
+			l2tp_tunnel_delete(tunnel);
+	}
 	if (drop_refcnt)
 		l2tp_session_dec_refcount(session);
 	if (drop_tunnel)
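
Review bot: the cleanup added under the end: label calls
l2tp_session_delete() and l2tp_tunnel_delete() before the existing
l2tp_session_dec_refcount() and tunnel reference drop, and deletes the
session before the tunnel, but the block has no comment explaining that
this order is required. State in a comment that the deletes must run while
the references taken earlier in pppol2tp_connect() are still held, so the
block is not reordered later.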



* [PATCH 3.16 124/366] pagemap: hide physical addresses from non-privileged users
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (313 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 140/366] l2tp: prevent pppol2tp_connect() from creating kernel sockets Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 017/366] media: omap3isp/isp: remove an unused static var Ben Hutchings
                   ` (51 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mark Williamson, Linus Torvalds, Naoya Horiguchi,
	Konstantin Khlebnikov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.

This patch makes pagemap readable for normal users and hides physical
addresses from them.  For some use-cases PFN isn't required at all.

See http://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name

Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Mark Williamson <mwilliamson@undo-software.com>
Tested-by:  Mark Williamson <mwilliamson@undo-software.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Add the same check in the places where we look up a PFN
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/proc/task_mmu.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -862,6 +862,7 @@ struct pagemapread {
 	int pos, len;		/* units: PM_ENTRY_BYTES, not bytes */
 	pagemap_entry_t *buffer;
 	bool v2;
+	bool show_pfn;
 };
 
 #define PAGEMAP_WALK_SIZE	(PMD_SIZE)
@@ -921,12 +922,13 @@ static int pagemap_pte_hole(unsigned lon
 static void pte_to_pagemap_entry(pagemap_entry_t *pme, struct pagemapread *pm,
 		struct vm_area_struct *vma, unsigned long addr, pte_t pte)
 {
-	u64 frame, flags;
+	u64 frame = 0, flags;
 	struct page *page = NULL;
 	int flags2 = 0;
 
 	if (pte_present(pte)) {
-		frame = pte_pfn(pte);
+		if (pm->show_pfn)
+			frame = pte_pfn(pte);
 		flags = PM_PRESENT;
 		page = vm_normal_page(vma, addr, pte);
 		if (pte_soft_dirty(pte))
@@ -966,7 +968,7 @@ static void thp_pmd_to_pagemap_entry(pag
 	 * This if-check is just to prepare for future implementation.
 	 */
 	if (pmd_present(pmd))
-		*pme = make_pme(PM_PFRAME(pmd_pfn(pmd) + offset)
+		*pme = make_pme((pm->show_pfn ? PM_PFRAME(pmd_pfn(pmd) + offset) : 0)
 				| PM_STATUS2(pm->v2, pmd_flags2) | PM_PRESENT);
 	else
 		*pme = make_pme(PM_NOT_PRESENT(pm->v2) | PM_STATUS2(pm->v2, pmd_flags2));
@@ -1075,7 +1077,7 @@ static void huge_pte_to_pagemap_entry(pa
 					pte_t pte, int offset, int flags2)
 {
 	if (pte_present(pte))
-		*pme = make_pme(PM_PFRAME(pte_pfn(pte) + offset)	|
+		*pme = make_pme((pm->show_pfn ? PM_PFRAME(pte_pfn(pte) + offset) : 0) |
 				PM_STATUS2(pm->v2, flags2)		|
 				PM_PRESENT);
 	else
@@ -1167,6 +1169,10 @@ static ssize_t pagemap_read(struct file
 		goto out_task;
 
 	pm.v2 = soft_dirty_cleared;
+
+	/* do not disclose physical addresses: attack vector */
+	pm.show_pfn = file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN);
+
 	pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
 	pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
 	ret = -ENOMEM;
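Review bot: the comment above the `pm.show_pfn` assignment does not say whose privilege is tested. file_ns_capable() checks the credentials the file was opened with, not those of the task calling read(), so a descriptor opened by a privileged process and handed to an unprivileged one keeps returning PFNs. If that is intended, say so in the comment, for example "PFNs are shown only if the opener had CAP_SYS_ADMIN in init_user_ns".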
@@ -1241,9 +1247,6 @@ out:
 
 static int pagemap_open(struct inode *inode, struct file *file)
 {
-	/* do not disclose physical addresses: attack vector */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
 	pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
 			"to stop being page-shift some time soon. See the "
 			"linux/Documentation/vm/pagemap.txt for details.\n");
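Review bot: with the `capable(CAP_SYS_ADMIN)` gate removed from pagemap_open(), open no longer fails with -EPERM and the only remaining protection is the per-entry `pm->show_pfn` test. The hunks here cover the present-PTE, THP PMD and hugetlb paths; please state in the backport note that these are all the places in this file that build a frame from a PFN, since it currently only says the check was added "in the places where we look up a PFN".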



* [PATCH 3.16 263/366] KEYS: DNS: fix parsing multiple options
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, syzbot, Eric Biggers

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit c604cb767049b78b3075497b80ebb8fd530ea2cc upstream.

My recent fix for dns_resolver_preparse() printing very long strings was
incomplete, as shown by syzbot which still managed to hit the
WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key:

    precision 50001 too large
    WARNING: CPU: 7 PID: 864 at lib/vsprintf.c:2164 vsnprintf+0x48a/0x5a0

The bug this time isn't just a printing bug, but also a logical error
when multiple options ("#"-separated strings) are given in the key
payload.  Specifically, when separating an option string into name and
value, if there is no value then the name is incorrectly considered to
end at the end of the key payload, rather than the end of the current
option.  This bypasses validation of the option length, and also means
that specifying multiple options is broken -- which presumably has gone
unnoticed as there is currently only one valid option anyway.

A similar problem also applied to option values, as the kstrtoul() when
parsing the "dnserror" option will read past the end of the current
option and into the next option.

Fix these bugs by correctly computing the length of the option name and
by copying the option value, null-terminated, into a temporary buffer.

Reproducer for the WARN_ONCE() that syzbot hit:

    perl -e 'print "#A#", "\0" x 50000' | keyctl padd dns_resolver desc @s

Reproducer for "dnserror" option being parsed incorrectly (expected
behavior is to fail when seeing the unknown option "foo", actual
behavior was to read the dnserror value as "1#foo" and fail there):

    perl -e 'print "#dnserror=1#foo\0"' | keyctl padd dns_resolver desc @s

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dns_resolver/dns_key.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -89,35 +89,39 @@ dns_resolver_instantiate(struct key *key
 		opt++;
 		kdebug("options: '%s'", opt);
 		do {
+			int opt_len, opt_nlen;
 			const char *eq;
-			int opt_len, opt_nlen, opt_vlen, tmp;
+			char optval[128];
 
 			next_opt = memchr(opt, '#', end - opt) ?: end;
 			opt_len = next_opt - opt;
-			if (opt_len <= 0 || opt_len > 128) {
+			if (opt_len <= 0 || opt_len > sizeof(optval)) {
 				pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
 						    opt_len);
 				return -EINVAL;
 			}
 
-			eq = memchr(opt, '=', opt_len) ?: end;
-			opt_nlen = eq - opt;
-			eq++;
-			opt_vlen = next_opt - eq; /* will be -1 if no value */
-
-			tmp = opt_vlen >= 0 ? opt_vlen : 0;
-			kdebug("option '%*.*s' val '%*.*s'",
-			       opt_nlen, opt_nlen, opt, tmp, tmp, eq);
+			eq = memchr(opt, '=', opt_len);
+			if (eq) {
+				opt_nlen = eq - opt;
+				eq++;
+				memcpy(optval, eq, next_opt - eq);
+				optval[next_opt - eq] = '\0';
+			} else {
+				opt_nlen = opt_len;
+				optval[0] = '\0';
+			}
+
+			kdebug("option '%*.*s' val '%s'",
+			       opt_nlen, opt_nlen, opt, optval);
 
 			/* see if it's an error number representing a DNS error
 			 * that's to be recorded as the result in this key */
 			if (opt_nlen == sizeof(DNS_ERRORNO_OPTION) - 1 &&
 			    memcmp(opt, DNS_ERRORNO_OPTION, opt_nlen) == 0) {
 				kdebug("dns error number option");
-				if (opt_vlen <= 0)
-					goto bad_option_value;
 
-				ret = kstrtoul(eq, 10, &derrno);
+				ret = kstrtoul(optval, 10, &derrno);
 				if (ret < 0)
 					goto bad_option_value;
 
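Review bot: the `memcpy(optval, eq, next_opt - eq)` and the following `optval[next_opt - eq] = '\0'` are only in bounds because `eq` lies inside the current option and `opt_len` was capped at sizeof(optval) earlier in the loop, which limits the value to 127 bytes. That dependency deserves a one-line comment so that a later change to the length check does not turn this into a stack overflow. Also, `opt_len > sizeof(optval)` compares an int with a size_t, and with the `opt_vlen <= 0` test removed an empty "dnserror=" value is rejected only if kstrtoul() fails on an empty string, which is worth a comment too.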



* [PATCH 3.16 266/366] random: mix rdrand with entropy sent in from userspace
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream.

Fedora has integrated the jitter entropy daemon to work around slow
boot problems, especially on VMs that don't support virtio-rng:

    https://bugzilla.redhat.com/show_bug.cgi?id=1572944

It's understandable why they did this, but the Jitter entropy daemon
works fundamentally on the principle: "the CPU microarchitecture is
**so** complicated and we can't figure it out, so it *must* be
random".  Yes, it uses statistical tests to "prove" it is secure, but
AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
flying colors.

So if RDRAND is available, mix it into entropy submitted from
userspace.  It can't hurt, and if you believe the NSA has backdoored
RDRAND, then they probably have enough details about the Intel
microarchitecture that they can reverse engineer how the Jitter
entropy daemon affects the microarchitecture, and attack its output
stream.  And if RDRAND is in fact an honest DRNG, it will immeasurably
improve on what the Jitter entropy daemon might produce.

This also provides some protection against someone who is able to read
or set the entropy seed file.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/random.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1418,14 +1418,22 @@ static int
 write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
 {
 	size_t bytes;
-	__u32 buf[16];
+	__u32 t, buf[16];
 	const char __user *p = buffer;
 
 	while (count > 0) {
+		int b, i = 0;
+
 		bytes = min(count, sizeof(buf));
 		if (copy_from_user(&buf, p, bytes))
 			return -EFAULT;
 
+		for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
+			if (!arch_get_random_int(&t))
+				break;
+			buf[i] ^= t;
+		}
+
 		count -= bytes;
 		p += bytes;
 
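Review bot: when `bytes` is not a multiple of sizeof(__u32), the last pass of the new for loop XORs `t` into a `buf[i]` word that copy_from_user() only partly filled, and `buf` has no initialiser, so the remaining bytes of that word are uninitialised stack. That is harmless only as long as nothing past `bytes` is consumed afterwards; a short comment saying so would help. The `break` on arch_get_random_int() failure also leaves the rest of the chunk unmixed without any indication, which should be noted as intentional, and `b` is an int decremented by a size_t, so an explicit cast or a size_t counter would make the loop bound easier to check.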



* [PATCH 3.16 284/366] can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Anssi Hannula

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 620050d9c2be15c47017ba95efe59e0832e99a56 upstream.

The xilinx_can driver assumes that the TXOK interrupt only clears after
it has been acknowledged as many times as there have been successfully
sent frames.

However, the documentation does not mention such behavior, instead
saying just that the interrupt is cleared when the clear bit is set.

Similarly, testing seems to also suggest that it is immediately cleared
regardless of the amount of frames having been sent. Performing some
heavy TX load and then going back to idle has the tx_head drifting
further away from tx_tail over time, steadily reducing the amount of
frames the driver keeps in the TX FIFO (but not to zero, as the TXOK
interrupt always frees up space for 1 frame from the driver's
perspective, so frames continue to be sent) and delaying the local echo
frames.

The TX FIFO tracking is also otherwise buggy as it does not account for
TX FIFO being cleared after software resets, causing
  BUG!, TX FIFO full when queue awake!
messages to be output.

There does not seem to be any way to accurately track the state of the
TX FIFO for local echo support while using the full TX FIFO.

The Zynq version of the HW (but not the soft-AXI version) has watermark
programming support and with it an additional TX-FIFO-empty interrupt
bit.

Modify the driver to only put 1 frame into TX FIFO at a time on soft-AXI
and 2 frames at a time on Zynq. On Zynq the TXFEMP interrupt bit is used
to detect whether 1 or 2 frames have been sent at interrupt processing
time.

Tested with the integrated CAN on Zynq-7000 SoC. The 1-frame-FIFO mode
was also tested.

An alternative way to solve this would be to drop local echo support but
keep using the full TX FIFO.

v2: Add FIFO space check before TX queue wake with locking to
synchronize with queue stop. This avoids waking the queue when xmit()
had just filled it.

v3: Keep local echo support and reduce the amount of frames in FIFO
instead as suggested by Marc Kleine-Budde.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 139 +++++++++++++++++++++++++++++++----
 1 file changed, 123 insertions(+), 16 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -26,8 +26,10 @@
 #include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/of.h>
+#include <linux/of_device.h>
 #include <linux/platform_device.h>
 #include <linux/skbuff.h>
+#include <linux/spinlock.h>
 #include <linux/string.h>
 #include <linux/types.h>
 #include <linux/can/dev.h>
@@ -118,6 +120,7 @@ enum xcan_reg {
 /**
  * struct xcan_priv - This definition define CAN driver instance
  * @can:			CAN private data structure.
+ * @tx_lock:			Lock for synchronizing TX interrupt handling
  * @tx_head:			Tx CAN packets ready to send on the queue
  * @tx_tail:			Tx CAN packets successfully sended on the queue
  * @tx_max:			Maximum number packets the driver can send
@@ -132,6 +135,7 @@ enum xcan_reg {
  */
 struct xcan_priv {
 	struct can_priv can;
+	spinlock_t tx_lock;
 	unsigned int tx_head;
 	unsigned int tx_tail;
 	unsigned int tx_max;
@@ -159,6 +163,11 @@ static const struct can_bittiming_const
 	.brp_inc = 1,
 };
 
+#define XCAN_CAP_WATERMARK	0x0001
+struct xcan_devtype_data {
+	unsigned int caps;
+};
+
 /**
  * xcan_write_reg_le - Write a value to the device register little endian
  * @priv:	Driver private data structure
@@ -238,6 +247,10 @@ static int set_reset_mode(struct net_dev
 		usleep_range(500, 10000);
 	}
 
+	/* reset clears FIFOs */
+	priv->tx_head = 0;
+	priv->tx_tail = 0;
+
 	return 0;
 }
 
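Review bot: the new `priv->tx_head = 0; priv->tx_tail = 0;` in set_reset_mode() runs without taking `tx_lock`, while the rest of this patch makes xcan_start_xmit() and xcan_tx_interrupt() update and compare both counters under that lock. Either take the lock here or add a comment stating why xmit and the TX interrupt cannot run at this point.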
@@ -391,6 +404,7 @@ static int xcan_start_xmit(struct sk_buf
 	struct net_device_stats *stats = &ndev->stats;
 	struct can_frame *cf = (struct can_frame *)skb->data;
 	u32 id, dlc, data[2] = {0, 0};
+	unsigned long flags;
 
 	if (can_dropped_invalid_skb(ndev, skb))
 		return NETDEV_TX_OK;
@@ -438,6 +452,9 @@ static int xcan_start_xmit(struct sk_buf
 		data[1] = be32_to_cpup((__be32 *)(cf->data + 4));
 
 	can_put_echo_skb(skb, ndev, priv->tx_head % priv->tx_max);
+
+	spin_lock_irqsave(&priv->tx_lock, flags);
+
 	priv->tx_head++;
 
 	/* Write the Frame to Xilinx CAN TX FIFO */
@@ -453,10 +470,16 @@ static int xcan_start_xmit(struct sk_buf
 		stats->tx_bytes += cf->can_dlc;
 	}
 
+	/* Clear TX-FIFO-empty interrupt for xcan_tx_interrupt() */
+	if (priv->tx_max > 1)
+		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXFEMP_MASK);
+
 	/* Check if the TX buffer is full */
 	if ((priv->tx_head - priv->tx_tail) == priv->tx_max)
 		netif_stop_queue(ndev);
 
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+
 	return NETDEV_TX_OK;
 }
 
@@ -833,19 +856,71 @@ static void xcan_tx_interrupt(struct net
 {
 	struct xcan_priv *priv = netdev_priv(ndev);
 	struct net_device_stats *stats = &ndev->stats;
+	unsigned int frames_in_fifo;
+	int frames_sent = 1; /* TXOK => at least 1 frame was sent */
+	unsigned long flags;
+	int retries = 0;
+
+	/* Synchronize with xmit as we need to know the exact number
+	 * of frames in the FIFO to stay in sync due to the TXFEMP
+	 * handling.
+	 * This also prevents a race between netif_wake_queue() and
+	 * netif_stop_queue().
+	 */
+	spin_lock_irqsave(&priv->tx_lock, flags);
+
+	frames_in_fifo = priv->tx_head - priv->tx_tail;
+
+	if (WARN_ON_ONCE(frames_in_fifo == 0)) {
+		/* clear TXOK anyway to avoid getting back here */
+		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+		spin_unlock_irqrestore(&priv->tx_lock, flags);
+		return;
+	}
+
+	/* Check if 2 frames were sent (TXOK only means that at least 1
+	 * frame was sent).
+	 */
+	if (frames_in_fifo > 1) {
+		WARN_ON(frames_in_fifo > priv->tx_max);
+
+		/* Synchronize TXOK and isr so that after the loop:
+		 * (1) isr variable is up-to-date at least up to TXOK clear
+		 *     time. This avoids us clearing a TXOK of a second frame
+		 *     but not noticing that the FIFO is now empty and thus
+		 *     marking only a single frame as sent.
+		 * (2) No TXOK is left. Having one could mean leaving a
+		 *     stray TXOK as we might process the associated frame
+		 *     via TXFEMP handling as we read TXFEMP *after* TXOK
+		 *     clear to satisfy (1).
+		 */
+		while ((isr & XCAN_IXR_TXOK_MASK) && !WARN_ON(++retries == 100)) {
+			priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+			isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
+		}
 
-	while ((priv->tx_head - priv->tx_tail > 0) &&
-			(isr & XCAN_IXR_TXOK_MASK)) {
+		if (isr & XCAN_IXR_TXFEMP_MASK) {
+			/* nothing in FIFO anymore */
+			frames_sent = frames_in_fifo;
+		}
+	} else {
+		/* single frame in fifo, just clear TXOK */
 		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_TXOK_MASK);
+	}
+
+	while (frames_sent--) {
 		can_get_echo_skb(ndev, priv->tx_tail %
 					priv->tx_max);
 		priv->tx_tail++;
 		stats->tx_packets++;
-		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
+
+	netif_wake_queue(ndev);
+
+	spin_unlock_irqrestore(&priv->tx_lock, flags);
+
 	can_led_event(ndev, CAN_LED_EVENT_TX);
 	xcan_update_error_state_after_rxtx(ndev);
-	netif_wake_queue(ndev);
 }
 
 /**
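Review bot: in the `frames_in_fifo > 1` branch, `WARN_ON(frames_in_fifo > priv->tx_max)` reports the inconsistency but execution continues, and if TXFEMP is set `frames_sent = frames_in_fifo` then drives `while (frames_sent--)` for more than tx_max iterations, calling can_get_echo_skb() repeatedly on the same `tx_tail % tx_max` slots. Clamp frames_in_fifo to tx_max (or bail out) when the warning fires. `frames_sent` is also an int assigned from an unsigned int; making both unsigned avoids the mixed-sign loop counter.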
@@ -1121,6 +1196,18 @@ static int __maybe_unused xcan_resume(st
 
 static SIMPLE_DEV_PM_OPS(xcan_dev_pm_ops, xcan_suspend, xcan_resume);
 
+static const struct xcan_devtype_data xcan_zynq_data = {
+	.caps = XCAN_CAP_WATERMARK,
+};
+
+/* Match table for OF platform binding */
+static const struct of_device_id xcan_of_match[] = {
+	{ .compatible = "xlnx,zynq-can-1.0", .data = &xcan_zynq_data },
+	{ .compatible = "xlnx,axi-can-1.00.a", },
+	{ /* end of list */ },
+};
+MODULE_DEVICE_TABLE(of, xcan_of_match);
+
 /**
  * xcan_probe - Platform registration call
  * @pdev:	Handle to the platform device structure
@@ -1135,8 +1222,10 @@ static int xcan_probe(struct platform_de
 	struct resource *res; /* IO mem resources */
 	struct net_device *ndev;
 	struct xcan_priv *priv;
+	const struct of_device_id *of_id;
+	int caps = 0;
 	void __iomem *addr;
-	int ret, rx_max, tx_max;
+	int ret, rx_max, tx_max, tx_fifo_depth;
 
 	/* Get the virtual base address for the device */
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
@@ -1146,7 +1235,8 @@ static int xcan_probe(struct platform_de
 		goto err;
 	}
 
-	ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth", &tx_max);
+	ret = of_property_read_u32(pdev->dev.of_node, "tx-fifo-depth",
+				   &tx_fifo_depth);
 	if (ret < 0)
 		goto err;
 
@@ -1154,6 +1244,30 @@ static int xcan_probe(struct platform_de
 	if (ret < 0)
 		goto err;
 
+	of_id = of_match_device(xcan_of_match, &pdev->dev);
+	if (of_id) {
+		const struct xcan_devtype_data *devtype_data = of_id->data;
+
+		if (devtype_data)
+			caps = devtype_data->caps;
+	}
+
+	/* There is no way to directly figure out how many frames have been
+	 * sent when the TXOK interrupt is processed. If watermark programming
+	 * is supported, we can have 2 frames in the FIFO and use TXFEMP
+	 * to determine if 1 or 2 frames have been sent.
+	 * Theoretically we should be able to use TXFWMEMP to determine up
+	 * to 3 frames, but it seems that after putting a second frame in the
+	 * FIFO, with watermark at 2 frames, it can happen that TXFWMEMP (less
+	 * than 2 frames in FIFO) is set anyway with no TXOK (a frame was
+	 * sent), which is not a sensible state - possibly TXFWMEMP is not
+	 * completely synchronized with the rest of the bits?
+	 */
+	if (caps & XCAN_CAP_WATERMARK)
+		tx_max = min(tx_fifo_depth, 2);
+	else
+		tx_max = 1;
+
 	/* Create a CAN device instance */
 	ndev = alloc_candev(sizeof(struct xcan_priv), tx_max);
 	if (!ndev)
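Review bot: `tx_max = min(tx_fifo_depth, 2)` has no lower bound, so a device tree with tx-fifo-depth = 0 gives tx_max = 0 and the `priv->tx_head % priv->tx_max` in xcan_start_xmit() divides by zero; because `tx_fifo_depth` is an int filled through of_property_read_u32(), a very large property value also turns negative here. Reject values below 1 with -EINVAL before computing tx_max, and declare tx_fifo_depth as u32.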
@@ -1168,6 +1282,7 @@ static int xcan_probe(struct platform_de
 					CAN_CTRLMODE_BERR_REPORTING;
 	priv->reg_base = addr;
 	priv->tx_max = tx_max;
+	spin_lock_init(&priv->tx_lock);
 
 	/* Get IRQ for the device */
 	ndev->irq = platform_get_irq(pdev, 0);
@@ -1235,9 +1350,9 @@ static int xcan_probe(struct platform_de
 	devm_can_led_init(ndev);
 	clk_disable_unprepare(priv->bus_clk);
 	clk_disable_unprepare(priv->can_clk);
-	netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth:%d\n",
+	netdev_dbg(ndev, "reg_base=0x%p irq=%d clock=%d, tx fifo depth: actual %d, using %d\n",
 			priv->reg_base, ndev->irq, priv->can.clock.freq,
-			priv->tx_max);
+			tx_fifo_depth, priv->tx_max);
 
 	return 0;
 
@@ -1273,14 +1388,6 @@ static int xcan_remove(struct platform_d
 	return 0;
 }
 
-/* Match table for OF platform binding */
-static const struct of_device_id xcan_of_match[] = {
-	{ .compatible = "xlnx,zynq-can-1.0", },
-	{ .compatible = "xlnx,axi-can-1.00.a", },
-	{ /* end of list */ },
-};
-MODULE_DEVICE_TABLE(of, xcan_of_match);
-
 static struct platform_driver xcan_driver = {
 	.probe = xcan_probe,
 	.remove	= xcan_remove,



* [PATCH 3.16 285/366] can: xilinx_can: fix RX overflow interrupt not being enabled
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Michal Simek, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 83997997252f5d3fc7f04abc24a89600c2b504ab upstream.

RX overflow interrupt (RXOFLW) is disabled even though xcan_interrupt()
processes it. This means that an RX overflow interrupt will only be
processed when another interrupt gets asserted (e.g. for RX/TX).

Fix that by enabling the RXOFLW interrupt.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Cc: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -103,7 +103,7 @@ enum xcan_reg {
 #define XCAN_INTR_ALL		(XCAN_IXR_TXOK_MASK | XCAN_IXR_BSOFF_MASK |\
 				 XCAN_IXR_WKUP_MASK | XCAN_IXR_SLP_MASK | \
 				 XCAN_IXR_RXNEMP_MASK | XCAN_IXR_ERROR_MASK | \
-				 XCAN_IXR_ARBLST_MASK)
+				 XCAN_IXR_RXOFLW_MASK | XCAN_IXR_ARBLST_MASK)
 
 /* CAN register bit shift - XCAN_<REG>_<BIT>_SHIFT */
 #define XCAN_BTR_SJW_SHIFT		7  /* Synchronous jump width */



* [PATCH 3.16 280/366] can: dev: Consolidate and unify state change handling
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wolfgang Grandegger, Marc Kleine-Budde, Andri Yngvason

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andri Yngvason <andri.yngvason@marel.com>

commit bac78aabcfece0c493b2ad824c68fbdc20448cbc upstream.

The handling of can error states is different between platforms.
This is an attempt to correct that problem.

I've moved this handling into a generic function for changing the
error state. This ensures that error state changes are handled
the same way everywhere (where this function is used).

This new mechanism also adds reverse state transitioning in error
frames, i.e. the user will be notified through the socket interface
when the state goes down.

Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c          | 78 ++++++++++++++++++++++++++++++++++
 include/linux/can/dev.h        |  3 ++
 include/uapi/linux/can/error.h |  1 +
 3 files changed, 82 insertions(+)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -275,6 +275,84 @@ static int can_get_bittiming(struct net_
 	return err;
 }
 
+static void can_update_state_error_stats(struct net_device *dev,
+					 enum can_state new_state)
+{
+	struct can_priv *priv = netdev_priv(dev);
+
+	if (new_state <= priv->state)
+		return;
+
+	switch (new_state) {
+	case CAN_STATE_ERROR_WARNING:
+		priv->can_stats.error_warning++;
+		break;
+	case CAN_STATE_ERROR_PASSIVE:
+		priv->can_stats.error_passive++;
+		break;
+	case CAN_STATE_BUS_OFF:
+	default:
+		break;
+	};
+}
+
+static int can_tx_state_to_frame(struct net_device *dev, enum can_state state)
+{
+	switch (state) {
+	case CAN_STATE_ERROR_ACTIVE:
+		return CAN_ERR_CRTL_ACTIVE;
+	case CAN_STATE_ERROR_WARNING:
+		return CAN_ERR_CRTL_TX_WARNING;
+	case CAN_STATE_ERROR_PASSIVE:
+		return CAN_ERR_CRTL_TX_PASSIVE;
+	default:
+		return 0;
+	}
+}
+
+static int can_rx_state_to_frame(struct net_device *dev, enum can_state state)
+{
+	switch (state) {
+	case CAN_STATE_ERROR_ACTIVE:
+		return CAN_ERR_CRTL_ACTIVE;
+	case CAN_STATE_ERROR_WARNING:
+		return CAN_ERR_CRTL_RX_WARNING;
+	case CAN_STATE_ERROR_PASSIVE:
+		return CAN_ERR_CRTL_RX_PASSIVE;
+	default:
+		return 0;
+	}
+}
+
+void can_change_state(struct net_device *dev, struct can_frame *cf,
+		      enum can_state tx_state, enum can_state rx_state)
+{
+	struct can_priv *priv = netdev_priv(dev);
+	enum can_state new_state = max(tx_state, rx_state);
+
+	if (unlikely(new_state == priv->state)) {
+		netdev_warn(dev, "%s: oops, state did not change", __func__);
+		return;
+	}
+
+	netdev_dbg(dev, "New error state: %d\n", new_state);
+
+	can_update_state_error_stats(dev, new_state);
+	priv->state = new_state;
+
+	if (unlikely(new_state == CAN_STATE_BUS_OFF)) {
+		cf->can_id |= CAN_ERR_BUSOFF;
+		return;
+	}
+
+	cf->can_id |= CAN_ERR_CRTL;
+	cf->data[1] |= tx_state >= rx_state ?
+		       can_tx_state_to_frame(dev, tx_state) : 0;
+	cf->data[1] |= tx_state <= rx_state ?
+		       can_rx_state_to_frame(dev, rx_state) : 0;
+}
+EXPORT_SYMBOL_GPL(can_change_state);
+
 /*
  * Local echo of CAN messages
  *
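Review bot: can_change_state() dereferences `cf` unconditionally (`cf->can_id |= CAN_ERR_BUSOFF`, `cf->data[1] |= ...`), so a driver whose error-frame allocation failed cannot call it just to update priv->state. Either accept a NULL `cf` and skip the frame fields, or document the non-NULL requirement in a kernel-doc comment, which this exported function lacks. Smaller points: the netdev_warn() format string has no trailing "\n", and the switch in can_update_state_error_stats() ends with a stray `};`.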
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -122,6 +122,9 @@ void unregister_candev(struct net_device
 int can_restart_now(struct net_device *dev);
 void can_bus_off(struct net_device *dev);
 
+void can_change_state(struct net_device *dev, struct can_frame *cf,
+		      enum can_state tx_state, enum can_state rx_state);
+
 void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
 		      unsigned int idx);
 unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx);
--- a/include/uapi/linux/can/error.h
+++ b/include/uapi/linux/can/error.h
@@ -71,6 +71,7 @@
 #define CAN_ERR_CRTL_TX_PASSIVE  0x20 /* reached error passive status TX */
 				      /* (at least one error counter exceeds */
 				      /* the protocol-defined level of 127)  */
+#define CAN_ERR_CRTL_ACTIVE      0x40 /* recovered to error active state */
 
 /* error in CAN protocol (type) / data[2] */
 #define CAN_ERR_PROT_UNSPEC      0x00 /* unspecified */



* [PATCH 3.16 283/366] can: xilinx_can: fix recovery from error states not being propagated
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 877e0b75947e2c7acf5624331bb17ceb093c98ae upstream.

The xilinx_can driver contains no mechanism for propagating recovery
from CAN_STATE_ERROR_WARNING and CAN_STATE_ERROR_PASSIVE.

Add such a mechanism by factoring the handling of
XCAN_STATE_ERROR_PASSIVE and XCAN_STATE_ERROR_WARNING out of
xcan_err_interrupt and checking for recovery after RX and TX if the
interface is in one of those states.

Tested with the integrated CAN on Zynq-7000 SoC.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 155 ++++++++++++++++++++++++++++-------
 1 file changed, 127 insertions(+), 28 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -2,6 +2,7 @@
  *
  * Copyright (C) 2012 - 2014 Xilinx, Inc.
  * Copyright (C) 2009 PetaLogix. All rights reserved.
+ * Copyright (C) 2017 Sandvik Mining and Construction Oy
  *
  * Description:
  * This driver is developed for Axi CAN IP and for Zynq CANPS Controller.
@@ -528,6 +529,123 @@ static int xcan_rx(struct net_device *nd
 }
 
 /**
+ * xcan_current_error_state - Get current error state from HW
+ * @ndev:	Pointer to net_device structure
+ *
+ * Checks the current CAN error state from the HW. Note that this
+ * only checks for ERROR_PASSIVE and ERROR_WARNING.
+ *
+ * Return:
+ * ERROR_PASSIVE or ERROR_WARNING if either is active, ERROR_ACTIVE
+ * otherwise.
+ */
+static enum can_state xcan_current_error_state(struct net_device *ndev)
+{
+	struct xcan_priv *priv = netdev_priv(ndev);
+	u32 status = priv->read_reg(priv, XCAN_SR_OFFSET);
+
+	if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK)
+		return CAN_STATE_ERROR_PASSIVE;
+	else if (status & XCAN_SR_ERRWRN_MASK)
+		return CAN_STATE_ERROR_WARNING;
+	else
+		return CAN_STATE_ERROR_ACTIVE;
+}
+
+/**
+ * xcan_set_error_state - Set new CAN error state
+ * @ndev:	Pointer to net_device structure
+ * @new_state:	The new CAN state to be set
+ * @cf:		Error frame to be populated or NULL
+ *
+ * Set new CAN error state for the device, updating statistics and
+ * populating the error frame if given.
+ */
+static void xcan_set_error_state(struct net_device *ndev,
+				 enum can_state new_state,
+				 struct can_frame *cf)
+{
+	struct xcan_priv *priv = netdev_priv(ndev);
+	u32 ecr = priv->read_reg(priv, XCAN_ECR_OFFSET);
+	u32 txerr = ecr & XCAN_ECR_TEC_MASK;
+	u32 rxerr = (ecr & XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT;
+
+	priv->can.state = new_state;
+
+	if (cf) {
+		cf->can_id |= CAN_ERR_CRTL;
+		cf->data[6] = txerr;
+		cf->data[7] = rxerr;
+	}
+
+	switch (new_state) {
+	case CAN_STATE_ERROR_PASSIVE:
+		priv->can.can_stats.error_passive++;
+		if (cf)
+			cf->data[1] = (rxerr > 127) ?
+					CAN_ERR_CRTL_RX_PASSIVE :
+					CAN_ERR_CRTL_TX_PASSIVE;
+		break;
+	case CAN_STATE_ERROR_WARNING:
+		priv->can.can_stats.error_warning++;
+		if (cf)
+			cf->data[1] |= (txerr > rxerr) ?
+					CAN_ERR_CRTL_TX_WARNING :
+					CAN_ERR_CRTL_RX_WARNING;
+		break;
+	case CAN_STATE_ERROR_ACTIVE:
+		if (cf)
+			cf->data[1] |= CAN_ERR_CRTL_ACTIVE;
+		break;
+	default:
+		/* non-ERROR states are handled elsewhere */
+		WARN_ON(1);
+		break;
+	}
+}
+
+/**
+ * xcan_update_error_state_after_rxtx - Update CAN error state after RX/TX
+ * @ndev:	Pointer to net_device structure
+ *
+ * If the device is in a ERROR-WARNING or ERROR-PASSIVE state, check if
+ * the performed RX/TX has caused it to drop to a lesser state and set
+ * the interface state accordingly.
+ */
+static void xcan_update_error_state_after_rxtx(struct net_device *ndev)
+{
+	struct xcan_priv *priv = netdev_priv(ndev);
+	enum can_state old_state = priv->can.state;
+	enum can_state new_state;
+
+	/* changing error state due to successful frame RX/TX can only
+	 * occur from these states
+	 */
+	if (old_state != CAN_STATE_ERROR_WARNING &&
+	    old_state != CAN_STATE_ERROR_PASSIVE)
+		return;
+
+	new_state = xcan_current_error_state(ndev);
+
+	if (new_state != old_state) {
+		struct sk_buff *skb;
+		struct can_frame *cf;
+
+		skb = alloc_can_err_skb(ndev, &cf);
+
+		xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
+
+		if (skb) {
+			struct net_device_stats *stats = &ndev->stats;
+
+			stats->rx_packets++;
+			stats->rx_bytes += cf->can_dlc;
+			netif_rx(skb);
+		}
+	}
+}
+
+/**
  * xcan_err_interrupt - error frame Isr
  * @ndev:	net_device pointer
  * @isr:	interrupt status register value
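Review bot: in xcan_set_error_state() the CAN_STATE_ERROR_PASSIVE case assigns cf->data[1] with "=" while the ERROR_WARNING and ERROR_ACTIVE cases use "|=", so any controller flag a caller set in data[1] beforehand is silently dropped in the passive case only. Use "|=" in all three cases. The passive case also reports a single side, (rxerr > 127) ? RX_PASSIVE : TX_PASSIVE, even when both counters are above 127; setting each flag from its own counter would be more accurate. Since the default case is a WARN_ON(1), the kernel-doc should state that CAN_STATE_BUS_OFF and the other non-ERROR states must not be passed in.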
@@ -542,16 +660,12 @@ static void xcan_err_interrupt(struct ne
 	struct net_device_stats *stats = &ndev->stats;
 	struct can_frame *cf;
 	struct sk_buff *skb;
-	u32 err_status, status, txerr = 0, rxerr = 0;
+	u32 err_status;
 
 	skb = alloc_can_err_skb(ndev, &cf);
 
 	err_status = priv->read_reg(priv, XCAN_ESR_OFFSET);
 	priv->write_reg(priv, XCAN_ESR_OFFSET, err_status);
-	txerr = priv->read_reg(priv, XCAN_ECR_OFFSET) & XCAN_ECR_TEC_MASK;
-	rxerr = ((priv->read_reg(priv, XCAN_ECR_OFFSET) &
-			XCAN_ECR_REC_MASK) >> XCAN_ESR_REC_SHIFT);
-	status = priv->read_reg(priv, XCAN_SR_OFFSET);
 
 	if (isr & XCAN_IXR_BSOFF_MASK) {
 		priv->can.state = CAN_STATE_BUS_OFF;
@@ -561,28 +675,10 @@ static void xcan_err_interrupt(struct ne
 		can_bus_off(ndev);
 		if (skb)
 			cf->can_id |= CAN_ERR_BUSOFF;
-	} else if ((status & XCAN_SR_ESTAT_MASK) == XCAN_SR_ESTAT_MASK) {
-		priv->can.state = CAN_STATE_ERROR_PASSIVE;
-		priv->can.can_stats.error_passive++;
-		if (skb) {
-			cf->can_id |= CAN_ERR_CRTL;
-			cf->data[1] = (rxerr > 127) ?
-					CAN_ERR_CRTL_RX_PASSIVE :
-					CAN_ERR_CRTL_TX_PASSIVE;
-			cf->data[6] = txerr;
-			cf->data[7] = rxerr;
-		}
-	} else if (status & XCAN_SR_ERRWRN_MASK) {
-		priv->can.state = CAN_STATE_ERROR_WARNING;
-		priv->can.can_stats.error_warning++;
-		if (skb) {
-			cf->can_id |= CAN_ERR_CRTL;
-			cf->data[1] |= (txerr > rxerr) ?
-					CAN_ERR_CRTL_TX_WARNING :
-					CAN_ERR_CRTL_RX_WARNING;
-			cf->data[6] = txerr;
-			cf->data[7] = rxerr;
-		}
+	} else {
+		enum can_state new_state = xcan_current_error_state(ndev);
+
+		xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
 	}
 
 	/* Check for Arbitration lost interrupt */
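Review bot: the new else branch calls xcan_set_error_state() on every error interrupt that is not bus-off, without comparing new_state against priv->can.state. The removed code did nothing when neither ESTAT nor ERRWRN was set, whereas now an interrupt taken in ERROR_ACTIVE marks the frame with CAN_ERR_CRTL, CAN_ERR_CRTL_ACTIVE and the counter bytes, and error_warning / error_passive keep incrementing while the state is unchanged. xcan_update_error_state_after_rxtx() already guards with "if (new_state != old_state)"; applying the same check here would make the counters count transitions and keep unrelated error frames free of controller-state flags.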
@@ -714,8 +810,10 @@ static int xcan_rx_poll(struct napi_stru
 		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
 
-	if (work_done)
+	if (work_done) {
 		can_led_event(ndev, CAN_LED_EVENT_RX);
+		xcan_update_error_state_after_rxtx(ndev);
+	}
 
 	if (work_done < quota) {
 		napi_complete(napi);
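Review bot: xcan_update_error_state_after_rxtx() is reached from NAPI poll here and from xcan_tx_interrupt() in the next hunk, and both paths read priv->can.state and then write it through xcan_set_error_state() with nothing in these hunks serialising them against each other or against xcan_err_interrupt(). Two contexts that observe the same old_state can each emit an error frame and bump the statistics for one transition. Either take a lock around the read-compare-set sequence or add a comment explaining why the callers cannot overlap.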
@@ -746,6 +844,7 @@ static void xcan_tx_interrupt(struct net
 		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
 	can_led_event(ndev, CAN_LED_EVENT_TX);
+	xcan_update_error_state_after_rxtx(ndev);
 	netif_wake_queue(ndev);
 }
 



* [PATCH 3.16 282/366] can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Anssi Hannula

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 32852c561bffd613d4ed7ec464b1e03e1b7b6c5c upstream.

If the device gets into a state where RXNEMP (RX FIFO not empty)
interrupt is asserted without RXOK (new frame received successfully)
interrupt being asserted, xcan_rx_poll() will continue to try to clear
RXNEMP without actually reading frames from RX FIFO. If the RX FIFO is
not empty, the interrupt will not be cleared and napi_schedule() will
just be called again.

This situation can occur when:

(a) xcan_rx() returns without reading RX FIFO due to an error condition.
The code tries to clear both RXOK and RXNEMP but RXNEMP will not clear
due to a frame still being in the FIFO. The frame will never be read
from the FIFO as RXOK is no longer set.

(b) A frame is received between xcan_rx_poll() reading interrupt status
and clearing RXOK. RXOK will be cleared, but RXNEMP will again remain
set as the new message is still in the FIFO.

I'm able to trigger case (b) by flooding the bus with frames under load.

There does not seem to be any benefit in using both RXNEMP and RXOK in
the way the driver does, and the polling example in the reference manual
(UG585 v1.10 18.3.7 Read Messages from RxFIFO) also says that either
RXOK or RXNEMP can be used for detecting incoming messages.

Fix the issue and simplify the RX processing by only using RXNEMP
without RXOK.

Tested with the integrated CAN on Zynq-7000 SoC.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -100,7 +100,7 @@ enum xcan_reg {
 #define XCAN_INTR_ALL		(XCAN_IXR_TXOK_MASK | XCAN_IXR_BSOFF_MASK |\
 				 XCAN_IXR_WKUP_MASK | XCAN_IXR_SLP_MASK | \
 				 XCAN_IXR_RXNEMP_MASK | XCAN_IXR_ERROR_MASK | \
-				 XCAN_IXR_ARBLST_MASK | XCAN_IXR_RXOK_MASK)
+				 XCAN_IXR_ARBLST_MASK)
 
 /* CAN register bit shift - XCAN_<REG>_<BIT>_SHIFT */
 #define XCAN_BTR_SJW_SHIFT		7  /* Synchronous jump width */
@@ -709,15 +709,7 @@ static int xcan_rx_poll(struct napi_stru
 
 	isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	while ((isr & XCAN_IXR_RXNEMP_MASK) && (work_done < quota)) {
-		if (isr & XCAN_IXR_RXOK_MASK) {
-			priv->write_reg(priv, XCAN_ICR_OFFSET,
-				XCAN_IXR_RXOK_MASK);
-			work_done += xcan_rx(ndev);
-		} else {
-			priv->write_reg(priv, XCAN_ICR_OFFSET,
-				XCAN_IXR_RXNEMP_MASK);
-			break;
-		}
+		work_done += xcan_rx(ndev);
 		priv->write_reg(priv, XCAN_ICR_OFFSET, XCAN_IXR_RXNEMP_MASK);
 		isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
 	}
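Review bot: with the RXOK test removed, the while loop ends only when RXNEMP clears or work_done reaches quota, so an xcan_rx() call that returns 0 without taking a frame out of the FIFO (case (a) in the commit message) changes neither condition and the loop spins inside the poll. Break out of the loop when xcan_rx() returns 0, or make every error path in xcan_rx() consume the frame it could not deliver, and note the chosen behaviour in a comment above the loop.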
@@ -728,7 +720,7 @@ static int xcan_rx_poll(struct napi_stru
 	if (work_done < quota) {
 		napi_complete(napi);
 		ier = priv->read_reg(priv, XCAN_IER_OFFSET);
-		ier |= (XCAN_IXR_RXOK_MASK | XCAN_IXR_RXNEMP_MASK);
+		ier |= XCAN_IXR_RXNEMP_MASK;
 		priv->write_reg(priv, XCAN_IER_OFFSET, ier);
 	}
 	return work_done;
@@ -800,9 +792,9 @@ static irqreturn_t xcan_interrupt(int ir
 	}
 
 	/* Check for the type of receive interrupt and Processing it */
-	if (isr & (XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK)) {
+	if (isr & XCAN_IXR_RXNEMP_MASK) {
 		ier = priv->read_reg(priv, XCAN_IER_OFFSET);
-		ier &= ~(XCAN_IXR_RXNEMP_MASK | XCAN_IXR_RXOK_MASK);
+		ier &= ~XCAN_IXR_RXNEMP_MASK;
 		priv->write_reg(priv, XCAN_IER_OFFSET, ier);
 		napi_schedule(&priv->napi);
 	}



* [PATCH 3.16 287/366] net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Tariq Toukan, Jack Morgenstein

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 958c696f5a7274d9447a458ad7aa70719b29a50a upstream.

Function mlx4_RST2INIT_QP_wrapper saved the qp number passed in the qp
context, rather than the one passed in the input modifier.

However, the qp number in the qp context is not defined as a
required parameter by the FW. Therefore, drivers may choose to not
specify the qp number in the qp context for the reset-to-init transition.

Thus, we must save the qp number passed in the command input modifier --
which is always present. (This saved qp number is used as the input
modifier for command 2RST_QP when a slave's qp's are destroyed).

Fixes: c82e9aa0a8bc ("mlx4_core: resource tracking for HCA resources used by guests")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2673,7 +2673,7 @@ int mlx4_RST2INIT_QP_wrapper(struct mlx4
 	u32 srqn = qp_get_srqn(qpc) & 0xffffff;
 	int use_srq = (qp_get_srqn(qpc) >> 24) & 1;
 	struct res_srq *srq;
-	int local_qpn = be32_to_cpu(qpc->local_qpn) & 0xffffff;
+	int local_qpn = vhcr->in_modifier & 0xffffff;
 
 	err = qp_res_start_move_to(dev, slave, qpn, RES_QP_HW, &qp, 0);
 	if (err)
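Review bot: local_qpn is now taken from vhcr->in_modifier with a 0xffffff mask, while the ownership check two lines below passes the separate qpn variable to qp_res_start_move_to(). The commit message says the saved number is later used as the input modifier for 2RST_QP when the slave's QPs are destroyed, so the stored value must always be the QP the slave was validated for. If qpn is derived from the same in_modifier, reuse it here instead of masking a second time, or assert that local_qpn equals qpn, so the two cannot diverge if one mask is changed later.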



* [PATCH 3.16 286/366] can: xilinx_can: fix incorrect clear of non-processed interrupts
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Michal Simek, Anssi Hannula

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 2f4f0f338cf453bfcdbcf089e177c16f35f023c8 upstream.

xcan_interrupt() clears ERROR|RXOFLV|BSOFF|ARBLST interrupts if any of
them is asserted. This does not take into account that some of them
could have been asserted between interrupt status read and interrupt
clear, therefore clearing them without handling them.

Fix the code to only clear those interrupts that it knows are asserted
and therefore going to be processed in xcan_err_interrupt().

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Cc: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -939,6 +939,7 @@ static irqreturn_t xcan_interrupt(int ir
 	struct net_device *ndev = (struct net_device *)dev_id;
 	struct xcan_priv *priv = netdev_priv(ndev);
 	u32 isr, ier;
+	u32 isr_errors;
 
 	/* Get the interrupt status from Xilinx CAN */
 	isr = priv->read_reg(priv, XCAN_ISR_OFFSET);
@@ -957,11 +958,10 @@ static irqreturn_t xcan_interrupt(int ir
 		xcan_tx_interrupt(ndev, isr);
 
 	/* Check for the type of error interrupt and Processing it */
-	if (isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK |
-			XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK)) {
-		priv->write_reg(priv, XCAN_ICR_OFFSET, (XCAN_IXR_ERROR_MASK |
-				XCAN_IXR_RXOFLW_MASK | XCAN_IXR_BSOFF_MASK |
-				XCAN_IXR_ARBLST_MASK));
+	isr_errors = isr & (XCAN_IXR_ERROR_MASK | XCAN_IXR_RXOFLW_MASK |
+			    XCAN_IXR_BSOFF_MASK | XCAN_IXR_ARBLST_MASK);
+	if (isr_errors) {
+		priv->write_reg(priv, XCAN_ICR_OFFSET, isr_errors);
 		xcan_err_interrupt(ndev, isr);
 	}
 
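Review bot: the ICR write is now correct only because it clears exactly the bits sampled in isr, but nothing at the site says so. Add a short comment above the isr_errors assignment stating that interrupts asserted after the ISR read must stay pending, so a later cleanup does not fold the constant mask back into the write. xcan_err_interrupt() is still passed the full isr; passing isr_errors instead would make explicit that it handles only what was just cleared.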


^ permalink raw reply	[flat|nested] 376+ messages in thread
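The race described in the commit message above, as an added model that is not part of the patch or the driver: a handler that clears a fixed error mask loses an interrupt asserted between the status read and the clear, while a handler that clears only the bits it read leaves that interrupt pending for the next run. The bit positions, struct model_dev and all helper names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions for this model, not the driver's register layout. */
#define IXR_ARBLST  (1u << 0)
#define IXR_RXOFLW  (1u << 1)
#define IXR_ERROR   (1u << 2)
#define IXR_BSOFF   (1u << 3)
#define IXR_ERR_ALL (IXR_ARBLST | IXR_RXOFLW | IXR_ERROR | IXR_BSOFF)

struct model_dev {
	uint32_t isr;     /* pending interrupt bits (write-1-to-clear via ICR) */
	uint32_t late;    /* bits the hardware asserts right after the next ISR read */
	uint32_t handled; /* bits some handler invocation actually processed */
};

static uint32_t read_isr(struct model_dev *d)
{
	uint32_t seen = d->isr;

	d->isr |= d->late;   /* new event lands between the read and the clear */
	d->late = 0;
	return seen;
}

static void write_icr(struct model_dev *d, uint32_t bits)
{
	d->isr &= ~bits;
}

/* Before: clear the whole error mask if any error bit was seen. */
static void irq_clear_fixed_mask(struct model_dev *d)
{
	uint32_t isr = read_isr(d);

	if (isr & IXR_ERR_ALL) {
		write_icr(d, IXR_ERR_ALL);
		d->handled |= isr & IXR_ERR_ALL; /* only what was read gets processed */
	}
}

/* After: clear only the error bits that were read and will be processed. */
static void irq_clear_observed(struct model_dev *d)
{
	uint32_t isr = read_isr(d);
	uint32_t isr_errors = isr & IXR_ERR_ALL;

	if (isr_errors) {
		write_icr(d, isr_errors);
		d->handled |= isr_errors;
	}
}

/* Raise ERROR, let BSOFF assert during the first handler run, then keep
 * invoking the handler while an error bit is still pending. Returns the
 * bits that were raised but never processed. */
static uint32_t lost_bits(void (*handler)(struct model_dev *))
{
	struct model_dev d = { .isr = IXR_ERROR, .late = IXR_BSOFF, .handled = 0 };
	const uint32_t raised = IXR_ERROR | IXR_BSOFF;
	int runs = 0;

	do {
		handler(&d);
	} while ((d.isr & IXR_ERR_ALL) && ++runs < 8);

	return raised & ~d.handled;
}

int main(void)
{
	printf("fixed mask:    lost 0x%x\n", (unsigned)lost_bits(irq_clear_fixed_mask));
	printf("observed bits: lost 0x%x\n", (unsigned)lost_bits(irq_clear_observed));
	return 0;
}
```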

* [PATCH 3.16 281/366] can: xilinx_can: fix device dropping off bus on RX overrun
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anssi Hannula, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 2574fe54515ed3487405de329e4e9f13d7098c10 upstream.

The xilinx_can driver performs a software reset when an RX overrun is
detected. This causes the device to enter Configuration mode where no
messages are received or transmitted.

The documentation does not mention any need to perform a reset on an RX
overrun, and testing by inducing an RX overflow also indicated that the
device continues to work just fine without a reset.

Remove the software reset.

Tested with the integrated CAN on Zynq-7000 SoC.

Fixes: b1201e44f50b ("can: xilinx CAN controller support")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/xilinx_can.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/can/xilinx_can.c
+++ b/drivers/net/can/xilinx_can.c
@@ -598,7 +598,6 @@ static void xcan_err_interrupt(struct ne
 	if (isr & XCAN_IXR_RXOFLW_MASK) {
 		stats->rx_over_errors++;
 		stats->rx_errors++;
-		priv->write_reg(priv, XCAN_SRR_OFFSET, XCAN_SRR_RESET_MASK);
 		if (skb) {
 			cf->can_id |= CAN_ERR_CRTL;
 			cf->data[1] |= CAN_ERR_CRTL_RX_OVERFLOW;



* [PATCH 3.16 290/366] fscache: Fix reference overput in fscache_attach_object() error handling
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kiran Kumar Modukuri, David Howells

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit f29507ce66701084c39aeb1b0ae71690cbff3554 upstream.

When a cookie is allocated that causes fscache_object structs to be
allocated, those objects are initialised with the cookie pointer, but
aren't blessed with a ref on that cookie unless the attachment is
successfully completed in fscache_attach_object().

If attachment fails because the parent object was dying or there was a
collision, fscache_attach_object() returns without incrementing the cookie
counter - but upon failure of this function, the object is released which
then puts the cookie, whether or not a ref was taken on the cookie.

Fix this by taking a ref on the cookie when it is assigned in
fscache_object_init(), even when we're creating a root object.


Analysis from Kiran Kumar:

This bug has been seen in 4.4.0-124-generic #148-Ubuntu kernel

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1776277

fscache cookie ref count updated incorrectly during fscache object
allocation resulting in the following Oops.

kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/internal.h:321!
kernel BUG at /build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639!

[Cause]
Two threads are trying to operate on a cookie and two objects.

(1) One thread tries to unmount the filesystem and in the process goes over a
    huge list of objects marking them dead and deleting the objects.
    cookie->usage is also decremented in the following path:

      nfs_fscache_release_super_cookie
       -> __fscache_relinquish_cookie
        ->__fscache_cookie_put
        ->BUG_ON(atomic_read(&cookie->usage) <= 0);

(2) A second thread tries to look up an object for reading data in the following
    path:

    fscache_alloc_object
    1) cachefiles_alloc_object
        -> fscache_object_init
           -> assign cookie, but usage not bumped.
    2) fscache_attach_object -> fails in cant_attach_object because the
         cookie's backing object or cookie's->parent object are going away
    3) fscache_put_object
        -> cachefiles_put_object
          ->fscache_object_destroy
            ->fscache_cookie_put
               ->BUG_ON(atomic_read(&cookie->usage) <= 0);

[NOTE from dhowells] It's unclear as to the circumstances in which (2) can
take place, given that thread (1) is in nfs_kill_super(), however a
conflicting NFS mount with slightly different parameters that creates a
different superblock would do it.  A backtrace from Kiran seems to show
that this is a possibility:

    kernel BUG at/build/linux-Y09MKI/linux-4.4.0/fs/fscache/cookie.c:639!
    ...
    RIP: __fscache_cookie_put+0x3a/0x40 [fscache]
    Call Trace:
     __fscache_relinquish_cookie+0x87/0x120 [fscache]
     nfs_fscache_release_super_cookie+0x2d/0xb0 [nfs]
     nfs_kill_super+0x29/0x40 [nfs]
     deactivate_locked_super+0x48/0x80
     deactivate_super+0x5c/0x60
     cleanup_mnt+0x3f/0x90
     __cleanup_mnt+0x12/0x20
     task_work_run+0x86/0xb0
     exit_to_usermode_loop+0xc2/0xd0
     syscall_return_slowpath+0x4e/0x60
     int_ret_from_sys_call+0x25/0x9f

[Fix] Bump up the cookie usage in fscache_object_init, when it is first
being assigned a cookie atomically such that the cookie is added and bumped
up if its refcount is not zero.  Remove the assignment in
fscache_attach_object().

[Testcase]
I have run ~100 hours of NFS stress tests and not seen this bug recur.

[Regression Potential]
 - Limited to fscache/cachefiles.

Fixes: ccc4fc3d11e9 ("FS-Cache: Implement the cookie management part of the netfs API")
Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: Keep using atomic_inc() instead of
 fscache_cookie_get()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cachefiles/bind.c | 3 ++-
 fs/fscache/cache.c   | 2 +-
 fs/fscache/cookie.c  | 7 ++++---
 fs/fscache/object.c  | 1 +
 4 files changed, 8 insertions(+), 5 deletions(-)

--- a/fs/cachefiles/bind.c
+++ b/fs/cachefiles/bind.c
@@ -218,7 +218,8 @@ static int cachefiles_daemon_add_cache(s
 			   "%s",
 			   fsdef->dentry->d_sb->s_id);
 
-	fscache_object_init(&fsdef->fscache, NULL, &cache->cache);
+	fscache_object_init(&fsdef->fscache, &fscache_fsdef_index,
+			    &cache->cache);
 
 	ret = fscache_add_cache(&cache->cache, &fsdef->fscache, cache->tag);
 	if (ret < 0)
--- a/fs/fscache/cache.c
+++ b/fs/fscache/cache.c
@@ -220,6 +220,7 @@ int fscache_add_cache(struct fscache_cac
 {
 	struct fscache_cache_tag *tag;
 
+	ASSERTCMP(ifsdef->cookie, ==, &fscache_fsdef_index);
 	BUG_ON(!cache->ops);
 	BUG_ON(!ifsdef);
 
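Review bot: the new ASSERTCMP(ifsdef->cookie, ==, &fscache_fsdef_index) dereferences ifsdef two lines before BUG_ON(!ifsdef), so a NULL ifsdef now faults inside the assertion and the BUG_ON below it can never fire. Move the ASSERTCMP after the two BUG_ON() checks.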
@@ -248,7 +249,6 @@ int fscache_add_cache(struct fscache_cac
 	if (!cache->kobj)
 		goto error;
 
-	ifsdef->cookie = &fscache_fsdef_index;
 	ifsdef->cache = cache;
 	cache->fsdef = ifsdef;
 
--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
@@ -302,6 +302,7 @@ static int fscache_alloc_object(struct f
 		goto error;
 	}
 
+	ASSERTCMP(object->cookie, ==, cookie);
 	fscache_stat(&fscache_n_object_alloc);
 
 	object->debug_id = atomic_inc_return(&fscache_object_debug_id);
@@ -356,6 +357,8 @@ static int fscache_attach_object(struct
 
 	_enter("{%s},{OBJ%x}", cookie->def->name, object->debug_id);
 
+	ASSERTCMP(object->cookie, ==, cookie);
+
 	spin_lock(&cookie->lock);
 
 	/* there may be multiple initial creations of this object, but we only
@@ -395,9 +398,7 @@ static int fscache_attach_object(struct
 		spin_unlock(&cache->object_list_lock);
 	}
 
-	/* attach to the cookie */
-	object->cookie = cookie;
-	atomic_inc(&cookie->usage);
+	/* Attach to the cookie.  The object already has a ref on it. */
 	hlist_add_head(&object->cookie_link, &cookie->backing_objects);
 
 	fscache_objlist_add(object);
--- a/fs/fscache/object.c
+++ b/fs/fscache/object.c
@@ -313,6 +313,7 @@ void fscache_object_init(struct fscache_
 	object->store_limit_l = 0;
 	object->cache = cache;
 	object->cookie = cookie;
+	atomic_inc(&cookie->usage);
 	object->parent = NULL;
 #ifdef CONFIG_FSCACHE_OBJECT_LIST
 	RB_CLEAR_NODE(&object->objlist_link);
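Review bot: atomic_inc(&cookie->usage) runs unconditionally, so any caller that still passes a NULL cookie, as cachefiles_daemon_add_cache() did before this patch, now dereferences NULL in fscache_object_init(). The bind.c caller is converted in this patch; the remaining callers should be checked, or the function should assert a non-NULL cookie before the increment. The commit message also describes bumping the count only if the refcount is not zero, which a plain atomic_inc() does not check; if the backport deliberately drops that condition, the reason belongs in the backport note or in a comment here.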



* [PATCH 3.16 293/366] tracing: Fix double free of event_trigger_data
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Masami Hiramatsu, Steven Rostedt (VMware), stable

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 1863c387259b629e4ebfb255495f67cd06aa229b upstream.

Running the following:

 # cd /sys/kernel/debug/tracing
 # echo 500000 > buffer_size_kb
[ Or some other number that takes up most of memory ]
 # echo snapshot > events/sched/sched_switch/trigger

Triggers the following bug:

 ------------[ cut here ]------------
 kernel BUG at mm/slub.c:296!
 invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
 CPU: 6 PID: 6878 Comm: bash Not tainted 4.18.0-rc6-test+ #1066
 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
 RIP: 0010:kfree+0x16c/0x180
 Code: 05 41 0f b6 72 51 5b 5d 41 5c 4c 89 d7 e9 ac b3 f8 ff 48 89 d9 48 89 da 41 b8 01 00 00 00 5b 5d 41 5c 4c 89 d6 e9 f4 f3 ff ff <0f> 0b 0f 0b 48 8b 3d d9 d8 f9 00 e9 c1 fe ff ff 0f 1f 40 00 0f 1f
 RSP: 0018:ffffb654436d3d88 EFLAGS: 00010246
 RAX: ffff91a9d50f3d80 RBX: ffff91a9d50f3d80 RCX: ffff91a9d50f3d80
 RDX: 00000000000006a4 RSI: ffff91a9de5a60e0 RDI: ffff91a9d9803500
 RBP: ffffffff8d267c80 R08: 00000000000260e0 R09: ffffffff8c1a56be
 R10: fffff0d404543cc0 R11: 0000000000000389 R12: ffffffff8c1a56be
 R13: ffff91a9d9930e18 R14: ffff91a98c0c2890 R15: ffffffff8d267d00
 FS:  00007f363ea64700(0000) GS:ffff91a9de580000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000055c1cacc8e10 CR3: 00000000d9b46003 CR4: 00000000001606e0
 Call Trace:
  event_trigger_callback+0xee/0x1d0
  event_trigger_write+0xfc/0x1a0
  __vfs_write+0x33/0x190
  ? handle_mm_fault+0x115/0x230
  ? _cond_resched+0x16/0x40
  vfs_write+0xb0/0x190
  ksys_write+0x52/0xc0
  do_syscall_64+0x5a/0x160
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
 RIP: 0033:0x7f363e16ab50
 Code: 73 01 c3 48 8b 0d 38 83 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 79 db 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e e3 01 00 48 89 04 24
 RSP: 002b:00007fff9a4c6378 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f363e16ab50
 RDX: 0000000000000009 RSI: 000055c1cacc8e10 RDI: 0000000000000001
 RBP: 000055c1cacc8e10 R08: 00007f363e435740 R09: 00007f363ea64700
 R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000009
 R13: 0000000000000001 R14: 00007f363e4345e0 R15: 00007f363e4303c0
 Modules linked in: ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_seq snd_seq_device i915 snd_pcm snd_timer i2c_i801 snd soundcore i2c_algo_bit drm_kms_helper
86_pkg_temp_thermal video kvm_intel kvm irqbypass wmi e1000e
 ---[ end trace d301afa879ddfa25 ]---

The cause is because the register_snapshot_trigger() call failed to
allocate the snapshot buffer, and then called unregister_trigger()
which freed the data that was passed to it. Then on return to the
function that called register_snapshot_trigger(), as it sees it
failed to register, it frees the trigger_data again and causes
a double free.

By calling event_trigger_init() on the trigger_data (which only ups
the reference counter for it), and then event_trigger_free() afterward,
the trigger_data would not get freed by the registering trigger function
as it would only up and lower the ref count for it. If the register
trigger function fails, then the event_trigger_free() called after it
will free the trigger data normally.

Link: http://lkml.kernel.org/r/20180724191331.738eb819@gandalf.local.home

Cc: stable@vger.kerne.org
Fixes: 93e31ffbf417 ("tracing: Add 'snapshot' event trigger command")
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_events_trigger.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -663,6 +663,8 @@ event_trigger_callback(struct event_comm
 		goto out_free;
 
  out_reg:
+	/* Up the trigger_data count to make sure reg doesn't free it on failure */
+	event_trigger_init(trigger_ops, trigger_data);
 	ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
 	/*
 	 * The above returns on success the # of functions enabled,
@@ -670,11 +672,13 @@ event_trigger_callback(struct event_comm
 	 * Consider no functions a failure too.
 	 */
 	if (!ret) {
+		cmd_ops->unreg(glob, trigger_ops, trigger_data, file);
 		ret = -ENOENT;
-		goto out_free;
-	} else if (ret < 0)
-		goto out_free;
-	ret = 0;
+	} else if (ret > 0)
+		ret = 0;
+
+	/* Down the counter of trigger_data or free it if not used anymore */
+	event_trigger_free(trigger_ops, trigger_data);
  out:
 	return ret;
 
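Review bot: both failure branches used to "goto out_free" and now fall through to event_trigger_free() and out:, so anything out_free released besides trigger_data is skipped when reg() fails. Confirm that event_trigger_free() covers that cleanup and say so in the comment above it. The "!ret" branch also calls cmd_ops->unreg() after a reg() that enabled nothing; a comment should explain why a second unregister is safe when reg() has already unregistered on its own failure path, as the commit message describes for the snapshot trigger.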


^ permalink raw reply	[flat|nested] 376+ messages in thread
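The double free and its fix from the commit message above, as an added model that is not the kernel's code: the caller frees trigger_data after a reg() that already released it, and holding a reference across reg() turns the two releases into one. struct trig and every function name are assumptions, and releases are counted instead of passed to free() so the result can be checked safely.

```c
#include <stdio.h>

/* Constructed stand-in for event_trigger_data. Releases are counted rather
 * than passed to free(), so the double free can be observed safely. */
struct trig {
	int ref;
	int frees;
};

static void trig_release(struct trig *t) { t->frees++; } /* models kfree() */
static void trig_get(struct trig *t)     { t->ref++; }   /* models event_trigger_init() */

static void trig_put(struct trig *t)                     /* models event_trigger_free() */
{
	if (--t->ref == 0)
		trig_release(t);
}

/* reg() that registers the trigger, fails a later allocation and
 * unregisters again; the unregister drops the last reference it knows of.
 * Returns 0, meaning "no functions enabled". */
static int reg_fails(struct trig *t)
{
	trig_get(t);
	trig_put(t);
	return 0;
}

/* reg() that succeeds and keeps its reference for the registered trigger. */
static int reg_ok(struct trig *t)
{
	trig_get(t);
	return 1;
}

typedef int (*reg_fn)(struct trig *);

/* Before the fix: any failure goes to out_free, which frees trigger_data
 * without knowing that reg() already released it. */
static int callback_before(struct trig *t, reg_fn reg)
{
	if (reg(t) <= 0) {
		trig_release(t);
		return -1;
	}
	return 0;
}

/* After the fix: hold a reference across reg(), then drop it. The object
 * is released exactly once on failure and not at all on success. */
static int callback_after(struct trig *t, reg_fn reg)
{
	int ret;

	trig_get(t);
	ret = reg(t) > 0 ? 0 : -1;
	trig_put(t);
	return ret;
}

/* Run one callback variant against one reg() variant; return the number
 * of times the object was released. */
static int frees_with(int (*cb)(struct trig *, reg_fn), reg_fn reg)
{
	struct trig t = { 0, 0 };

	cb(&t, reg);
	return t.frees;
}

int main(void)
{
	printf("before fix, reg fails: %d frees\n", frees_with(callback_before, reg_fails));
	printf("after fix,  reg fails: %d frees\n", frees_with(callback_after, reg_fails));
	printf("before fix, reg ok:    %d frees\n", frees_with(callback_before, reg_ok));
	printf("after fix,  reg ok:    %d frees\n", frees_with(callback_after, reg_ok));
	return 0;
}
```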

* [PATCH 3.16 294/366] ring_buffer: tracing: Inherit the tracing setting to next ring buffer
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tom Zanussi, Shuah Khan, Masami Hiramatsu,
	Steven Rostedt (VMware),
	Hiraku Toyooka, Ingo Molnar

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 73c8d8945505acdcbae137c2e00a1232e0be709f upstream.

Maintain the tracing on/off setting of the ring_buffer when switching
to the trace buffer snapshot.

Taking a snapshot is done by swapping the backup ring buffer
(max_tr_buffer). But since the tracing on/off setting is defined
by the ring buffer, when swapping it, the tracing on/off setting
can also be changed. This causes a strange result like below:

  /sys/kernel/debug/tracing # cat tracing_on
  1
  /sys/kernel/debug/tracing # echo 0 > tracing_on
  /sys/kernel/debug/tracing # cat tracing_on
  0
  /sys/kernel/debug/tracing # echo 1 > snapshot
  /sys/kernel/debug/tracing # cat tracing_on
  1
  /sys/kernel/debug/tracing # echo 1 > snapshot
  /sys/kernel/debug/tracing # cat tracing_on
  0

We don't touch tracing_on, but snapshot changes the tracing_on
setting each time. This is an anomaly, because the user doesn't know
that each "ring_buffer" stores its own tracing-enable state and
the snapshot is done by swapping ring buffers.

Link: http://lkml.kernel.org/r/153149929558.11274.11730609978254724394.stgit@devbox

Cc: Ingo Molnar <mingo@redhat.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
Cc: Hiraku Toyooka <hiraku.toyooka@cybertrust.co.jp>
Fixes: debdd57f5145 ("tracing: Make a snapshot feature available from userspace")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
[ Updated commit log and comment in the code ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/ring_buffer.h |  1 +
 kernel/trace/ring_buffer.c  | 16 ++++++++++++++++
 kernel/trace/trace.c        |  6 ++++++
 3 files changed, 23 insertions(+)

--- a/include/linux/ring_buffer.h
+++ b/include/linux/ring_buffer.h
@@ -162,6 +162,7 @@ void ring_buffer_record_enable(struct ri
 void ring_buffer_record_off(struct ring_buffer *buffer);
 void ring_buffer_record_on(struct ring_buffer *buffer);
 int ring_buffer_record_is_on(struct ring_buffer *buffer);
+int ring_buffer_record_is_set_on(struct ring_buffer *buffer);
 void ring_buffer_record_disable_cpu(struct ring_buffer *buffer, int cpu);
 void ring_buffer_record_enable_cpu(struct ring_buffer *buffer, int cpu);
 
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -3165,6 +3165,22 @@ int ring_buffer_record_is_on(struct ring
 }
 
 /**
+ * ring_buffer_record_is_set_on - return true if the ring buffer is set writable
+ * @buffer: The ring buffer to see if write is set enabled
+ *
+ * Returns true if the ring buffer is set writable by ring_buffer_record_on().
+ * Note that this does NOT mean it is in a writable state.
+ *
+ * It may return true when the ring buffer has been disabled by
+ * ring_buffer_record_disable(), as that is a temporary disabling of
+ * the ring buffer.
+ */
+int ring_buffer_record_is_set_on(struct ring_buffer *buffer)
+{
+	return !(atomic_read(&buffer->record_disabled) & RB_BUFFER_OFF);
+}
+
+/**
  * ring_buffer_record_disable_cpu - stop all writes into the cpu_buffer
  * @buffer: The ring buffer to stop writes to.
  * @cpu: The CPU buffer to stop
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1046,6 +1046,12 @@ update_max_tr(struct trace_array *tr, st
 
 	arch_spin_lock(&tr->max_lock);
 
+	/* Inherit the recordable setting from trace_buffer */
+	if (ring_buffer_record_is_set_on(tr->trace_buffer.buffer))
+		ring_buffer_record_on(tr->max_buffer.buffer);
+	else
+		ring_buffer_record_off(tr->max_buffer.buffer);
+
 	buf = tr->trace_buffer.buffer;
 	tr->trace_buffer.buffer = tr->max_buffer.buffer;
 	tr->max_buffer.buffer = buf;



* [PATCH 3.16 297/366] tracing: Quiet gcc warning about maybe unused link variable
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), kbuild test robot

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 2519c1bbe38d7acacc9aacba303ca6f97482ed53 upstream.

Commit 57ea2a34adf4 ("tracing/kprobes: Fix trace_probe flags on
enable_trace_kprobe() failure") added an if statement that depends on another
if statement that gcc doesn't see will initialize the "link" variable and
gives the warning:

 "warning: 'link' may be used uninitialized in this function"

It is really a false positive, but to quiet the warning, and also to make
sure that it never actually is used uninitialized, initialize the "link"
variable to NULL and add an if (!WARN_ON_ONCE(!link)) where the compiler
thinks it could be used uninitialized.

Fixes: 57ea2a34adf4 ("tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_kprobe.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -361,7 +361,7 @@ static struct trace_kprobe *find_trace_k
 static int
 enable_trace_kprobe(struct trace_kprobe *tk, struct ftrace_event_file *file)
 {
-	struct event_file_link *link;
+	struct event_file_link *link = NULL;
 	int ret = 0;
 
 	if (file) {
@@ -387,7 +387,9 @@ enable_trace_kprobe(struct trace_kprobe
 
 	if (ret) {
 		if (file) {
-			list_del_rcu(&link->list);
+			/* Notice the if is true on not WARN() */
+			if (!WARN_ON_ONCE(!link))
+				list_del_rcu(&link->list);
 			kfree(link);
 			tk->tp.flags &= ~TP_FLAG_TRACE;
 		} else {
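
Review bot: the comment "Notice the if is true on not WARN()" in the error path is hard to parse. Something like "WARN_ON_ONCE() returns its condition, so the entry is only unlinked when link is non-NULL" says the same thing directly. kfree(link) staying outside the check is fine because kfree(NULL) is a no-op, but that deserves a word too, since the NULL case is the whole point of this hunk.
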


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 288/366] fscache: Allow cancelled operations to be enqueued
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kiran Kumar Modukuri, David Howells

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit d0eb06afe712b7b103b6361f40a9a0c638524669 upstream.

Alter the state-check assertion in fscache_enqueue_operation() to allow
cancelled operations to be given processing time so they can be cleaned up.

Also fix a debugging statement that was requiring such operations to have
an object assigned.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Reported-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fscache/operation.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/fscache/operation.c
+++ b/fs/fscache/operation.c
@@ -37,7 +37,8 @@ void fscache_enqueue_operation(struct fs
 	ASSERT(op->processor != NULL);
 	ASSERT(fscache_object_is_available(op->object));
 	ASSERTCMP(atomic_read(&op->usage), >, 0);
-	ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
+	ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
+		    op->state, ==,  FSCACHE_OP_ST_CANCELLED);
 
 	fscache_stat(&fscache_n_op_enqueue);
 	switch (op->flags & FSCACHE_OP_TYPE) {
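
Review bot: the relaxed state check now admits FSCACHE_OP_ST_CANCELLED, but two lines above it ASSERT(fscache_object_is_available(op->object)) still runs unconditionally, while the second hunk of this patch treats op->object as possibly NULL in fscache_put_operation(). Please confirm that a cancelled operation can never reach fscache_enqueue_operation() without an object, or guard that assertion as well. Minor: there is a double space after "==," in the new ASSERTIFCMP() call.
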
@@ -401,7 +402,8 @@ void fscache_put_operation(struct fscach
 	struct fscache_cache *cache;
 
 	_enter("{OBJ%x OP%x,%d}",
-	       op->object->debug_id, op->debug_id, atomic_read(&op->usage));
+	       op->object ? op->object->debug_id : 0,
+	       op->debug_id, atomic_read(&op->usage));
 
 	ASSERTCMP(atomic_read(&op->usage), >, 0);
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 292/366] cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kiran Kumar Modukuri, David Howells

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit c2412ac45a8f8f1cd582723c1a139608694d410d upstream.

If we meet a conflicting object that is marked FSCACHE_OBJECT_IS_LIVE in
the active object tree, we have been emitting a BUG after logging
information about it and the new object.

Instead, we should wait for the CACHEFILES_OBJECT_ACTIVE flag to be cleared
on the old object (or return an error).  The ACTIVE flag should be cleared
after it has been removed from the active object tree.  A timeout of 60s is
used in the wait, so we shouldn't be able to get stuck there.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cachefiles/namei.c | 1 -
 1 file changed, 1 deletion(-)

--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -194,7 +194,6 @@ wait_for_old_object:
 		pr_err("\n");
 		pr_err("Error: Unexpected object collision\n");
 		cachefiles_printk_object(object, xobject);
-		BUG();
 	}
 	atomic_inc(&xobject->usage);
 	write_unlock(&cache->active_lock);
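
Review bot: with BUG() gone, the pr_err() lines and the cachefiles_printk_object() dump in this branch now fire on a path the changelog says should be waited out rather than treated as fatal, and nothing in the hunk bounds how often they print. Consider rate-limiting the report or lowering its severity, and revisit the "Unexpected object collision" wording if the collision is now expected to resolve itself.
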


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 299/366] ipv4: remove BUG_ON() from fib_compute_spec_dst
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lorenzo Bianconi, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>

commit 9fc12023d6f51551d6ca9ed7e02ecc19d79caf17 upstream.

Remove BUG_ON() from fib_compute_spec_dst routine and check
in_dev pointer during flowi4 data structure initialization.
fib_compute_spec_dst routine can be run concurrently with device removal
where ip_ptr net_device pointer is set to NULL. This can happen
if userspace enables pkt info on UDP rx socket and the device
is removed while traffic is flowing.

Fixes: 35ebf65e851c ("ipv4: Create and use fib_compute_spec_dst() helper")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -209,19 +209,20 @@ __be32 fib_compute_spec_dst(struct sk_bu
 		return ip_hdr(skb)->daddr;
 
 	in_dev = __in_dev_get_rcu(dev);
-	BUG_ON(!in_dev);
 
 	net = dev_net(dev);
 
 	scope = RT_SCOPE_UNIVERSE;
 	if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
+		bool vmark = in_dev && IN_DEV_SRC_VMARK(in_dev);
+
 		fl4.flowi4_oif = 0;
 		fl4.flowi4_iif = LOOPBACK_IFINDEX;
 		fl4.daddr = ip_hdr(skb)->saddr;
 		fl4.saddr = 0;
 		fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
 		fl4.flowi4_scope = scope;
-		fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
+		fl4.flowi4_mark = vmark ? skb->mark : 0;
 		if (!fib_lookup(net, &fl4, &res))
 			return FIB_RES_PREFSRC(net, res);
 	} else {
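
Review bot: dropping BUG_ON(!in_dev) makes a NULL in_dev a normal case for the rest of fib_compute_spec_dst(), but the hunk only guards the IN_DEV_SRC_VMARK() use in the first branch. Please confirm that the else branch and the code after the visible context never dereference in_dev, and consider a short comment next to __in_dev_get_rcu() saying that NULL is expected while the device is being removed.
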


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 291/366] cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kiran Kumar Modukuri, David Howells

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>

commit 5ce83d4bb7d8e11e8c1c687d09f4b5ae67ef3ce3 upstream.

In cachefiles_mark_object_active(), the new object is marked active and
then we try to add it to the active object tree.  If a conflicting object
is already present, we want to wait for that to go away.  After the wait,
we go round again and try to re-mark the object as being active - but it's
already marked active from the first time we went through and a BUG is
issued.

Fix this by clearing the CACHEFILES_OBJECT_ACTIVE flag before we try again.

Analysis from Kiran Kumar Modukuri:

[Impact]
Oops during heavy NFS + FSCache + Cachefiles

CacheFiles: Error: Overlong wait for old active object to go away.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000002

CacheFiles: Error: Object already active kernel BUG at
fs/cachefiles/namei.c:163!

[Cause]
In a heavily loaded system with big files being read and truncated, an
fscache object for a cookie is being dropped and a new object is being
looked up. The new object being looked for has to wait for the old object
to go away before the new object is moved to active state.

[Fix]
Clear the flag 'CACHEFILES_OBJECT_ACTIVE' for the new object when
retrying the object lookup.

[Testcase]
Have run ~100 hours of NFS stress tests and have not seen this bug recur.

[Regression Potential]
 - Limited to fscache/cachefiles.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
Signed-off-by: Kiran Kumar Modukuri <kiran.modukuri@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cachefiles/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -189,6 +189,7 @@ try_again:
 	/* an old object from a previous incarnation is hogging the slot - we
 	 * need to wait for it to be destroyed */
 wait_for_old_object:
+	clear_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags);
 	if (fscache_object_is_live(&object->fscache)) {
 		pr_err("\n");
 		pr_err("Error: Unexpected object collision\n");
@@ -250,7 +251,6 @@ wait_for_old_object:
 	goto try_again;
 
 requeue:
-	clear_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags);
 	cache->cache.ops->put_object(&xobject->fscache);
 	_leave(" = -ETIMEDOUT");
 	return -ETIMEDOUT;
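
Review bot: moving clear_bit(CACHEFILES_OBJECT_ACTIVE, ...) from requeue: up to wait_for_old_object: means the -ETIMEDOUT exit now depends on having come through that label. A one-line comment at wait_for_old_object: saying that the flag is dropped so try_again can set it afresh, and that requeue: relies on this, would stop someone from later adding a jump to requeue: that leaves the flag set.
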


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 295/366] tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Masami Hiramatsu, Steven Rostedt (VMware),
	Artem Savkov, Ingo Molnar, Josh Poimboeuf

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Artem Savkov <asavkov@redhat.com>

commit 57ea2a34adf40f3a6e88409aafcf803b8945619a upstream.

If enable_trace_kprobe fails to enable the probe in enable_k(ret)probe
it returns an error, but does not unset the tp flags it set previously.
This results in a probe being considered enabled and failures like being
unable to remove the probe through kprobe_events file since probes_open()
expects every probe to be disabled.

Link: http://lkml.kernel.org/r/20180725102826.8300-1-asavkov@redhat.com
Link: http://lkml.kernel.org/r/20180725142038.4765-1-asavkov@redhat.com

Cc: Ingo Molnar <mingo@redhat.com>
Fixes: 41a7dd420c57 ("tracing/kprobes: Support ftrace_event_file base multibuffer")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Artem Savkov <asavkov@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_kprobe.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -361,11 +361,10 @@ static struct trace_kprobe *find_trace_k
 static int
 enable_trace_kprobe(struct trace_kprobe *tk, struct ftrace_event_file *file)
 {
+	struct event_file_link *link;
 	int ret = 0;
 
 	if (file) {
-		struct event_file_link *link;
-
 		link = kmalloc(sizeof(*link), GFP_KERNEL);
 		if (!link) {
 			ret = -ENOMEM;
@@ -385,6 +384,16 @@ enable_trace_kprobe(struct trace_kprobe
 		else
 			ret = enable_kprobe(&tk->rp.kp);
 	}
+
+	if (ret) {
+		if (file) {
+			list_del_rcu(&link->list);
+			kfree(link);
+			tk->tp.flags &= ~TP_FLAG_TRACE;
+		} else {
+			tk->tp.flags &= ~TP_FLAG_PROFILE;
+		}
+	}
  out:
 	return ret;
 }
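
Review bot: in the new error block, list_del_rcu(&link->list) and kfree(link) use link, which is assigned only inside the earlier if (file) branch, so the compiler cannot prove it is initialized and a reader has to trace the -ENOMEM path to be sure it is never NULL here. Initialize it at the declaration (struct event_file_link *link = NULL;) and check it before the list_del_rcu(). 297/366 in this series does exactly that as a follow-up, so the two should be applied together.
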


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware), Snild Dolkow

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Snild Dolkow <snild@sony.com>

commit 3e536e222f2930534c252c1cc7ae799c725c5ff9 upstream.

There is a window for racing when printing directly to task->comm,
allowing other threads to see a non-terminated string. The vsnprintf
function fills the buffer, counts the truncated chars, then finally
writes the \0 at the end.

	creator                     other
	vsnprintf:
	  fill (not terminated)
	  count the rest            trace_sched_waking(p):
	  ...                         memcpy(comm, p->comm, TASK_COMM_LEN)
	  write \0

The consequences depend on how 'other' uses the string. In our case,
it was copied into the tracing system's saved cmdlines, a buffer of
adjacent TASK_COMM_LEN-byte buffers (note the 'n' where 0 should be):

	crash-arm64> x/1024s savedcmd->saved_cmdlines | grep 'evenk'
	0xffffffd5b3818640:     "irq/497-pwr_evenkworker/u16:12"

...and a strcpy out of there would cause stack corruption:

	[224761.522292] Kernel panic - not syncing: stack-protector:
	    Kernel stack is corrupted in: ffffff9bf9783c78

	crash-arm64> kbt | grep 'comm\|trace_print_context'
	#6  0xffffff9bf9783c78 in trace_print_context+0x18c(+396)
	      comm (char [16]) =  "irq/497-pwr_even"

	crash-arm64> rd 0xffffffd4d0e17d14 8
	ffffffd4d0e17d14:  2f71726900000000 5f7277702d373934   ....irq/497-pwr_
	ffffffd4d0e17d24:  726f776b6e657665 3a3631752f72656b   evenkworker/u16:
	ffffffd4d0e17d34:  f9780248ff003231 cede60e0ffffff9b   12..H.x......`..
	ffffffd4d0e17d44:  cede60c8ffffffd4 00000fffffffffd4   .....`..........

The workaround in e09e28671 (use strlcpy in __trace_find_cmdline) was
likely needed because of this same bug.

Solved by vsnprintf:ing to a local buffer, then using set_task_comm().
This way, there won't be a window where comm is not terminated.

Link: http://lkml.kernel.org/r/20180726071539.188015-1-snild@sony.com

Fixes: bc0c38d139ec7 ("ftrace: latency tracer infrastructure")
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Snild Dolkow <snild@sony.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/kthread.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -309,10 +309,16 @@ struct task_struct *kthread_create_on_no
 	if (!IS_ERR(task)) {
 		static const struct sched_param param = { .sched_priority = 0 };
 		va_list args;
+		char name[TASK_COMM_LEN];
 
+		/*
+		 * task is already visible to other tasks, so updating
+		 * COMM must be protected.
+		 */
 		va_start(args, namefmt);
-		vsnprintf(task->comm, sizeof(task->comm), namefmt, args);
+		vsnprintf(name, sizeof(name), namefmt, args);
 		va_end(args);
+		set_task_comm(task, name);
 		/*
 		 * root may have changed our (kthreadd's) priority or CPU mask.
 		 * The kernel thread should not inherit these properties.
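
Review bot: the new comment says updating COMM "must be protected" but not from what, or by what. It would help to state that vsnprintf() writes the terminating NUL last, so formatting straight into task->comm exposes an unterminated string to concurrent readers, and that set_task_comm() is what provides the protection. Also worth a word that name[] is TASK_COMM_LEN bytes, so longer names are truncated here just as before.
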


^ permalink raw reply	[flat|nested] 376+ messages in thread
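
The failure mode described in the message above, as an added stand-alone userspace model (not code from the patch or from the kernel): a comm captured inside the race window has no terminator, so an unbounded read of its saved slot runs on into the neighbouring slot, while a bounded read or the format-locally-then-publish order does not. The flat slot layout, all helper names and the thread name "irq/497-pwr_event" are assumptions constructed for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16
#define NSLOTS 4

/* Constructed stand-in for the saved cmdlines area: adjacent
 * TASK_COMM_LEN-byte slots in one flat buffer, plus one guard NUL so the
 * unbounded scan below always stops inside this object. */
static char saved[NSLOTS * TASK_COMM_LEN + 1];

static char *slot(int i) { return saved + i * TASK_COMM_LEN; }

/* Models the tracer's memcpy(comm, p->comm, TASK_COMM_LEN). */
static void save_cmdline(int i, const char comm[TASK_COMM_LEN])
{
    memcpy(slot(i), comm, TASK_COMM_LEN);
}

/* State of comm inside the race window: the formatted name has filled
 * the buffer and the final "write \0" step has not happened yet. */
static void half_written_comm(char comm[TASK_COMM_LEN], const char *name)
{
    size_t n = strlen(name);

    memset(comm, 0, TASK_COMM_LEN);
    memcpy(comm, name, n < TASK_COMM_LEN ? n : TASK_COMM_LEN);
}

/* The fixed order: format into a private buffer, then publish. The last
 * byte of comm stays NUL throughout, so readers never see an
 * unterminated string (a simplified model of what set_task_comm gives). */
static void publish_comm(char comm[TASK_COMM_LEN], const char *fmt, ...)
{
    char name[TASK_COMM_LEN];
    va_list args;

    va_start(args, fmt);
    vsnprintf(name, sizeof(name), fmt, args); /* truncates and terminates */
    va_end(args);
    memset(comm, 0, TASK_COMM_LEN);
    memcpy(comm, name, strlen(name));
}

/* Length an unbounded reader (strlen/strcpy) would walk from slot i. */
static size_t unbounded_len(int i) { return strlen(slot(i)); }

/* Bounded read: never looks past the slot and always terminates dst. */
static size_t read_cmdline(int i, char dst[TASK_COMM_LEN])
{
    size_t n = 0;

    while (n < TASK_COMM_LEN - 1 && slot(i)[n] != '\0')
        n++;
    memcpy(dst, slot(i), n);
    dst[n] = '\0';
    return n;
}

/* Racy capture: slot 0 holds a half-written comm, slot 1 a normal one. */
static size_t demo_racy(void)
{
    char comm[TASK_COMM_LEN], next[TASK_COMM_LEN];

    memset(saved, 0, sizeof(saved));
    half_written_comm(comm, "irq/497-pwr_event"); /* constructed name */
    save_cmdline(0, comm);
    publish_comm(next, "kworker/u%d:%d", 16, 12);
    save_cmdline(1, next);
    return unbounded_len(0);
}

/* Same capture, but comm was published with the fixed order. */
static size_t demo_fixed(void)
{
    char comm[TASK_COMM_LEN], next[TASK_COMM_LEN];

    memset(saved, 0, sizeof(saved));
    publish_comm(comm, "irq/%d-%s", 497, "pwr_event");
    save_cmdline(0, comm);
    publish_comm(next, "kworker/u%d:%d", 16, 12);
    save_cmdline(1, next);
    return unbounded_len(0);
}

int main(void)
{
    char out[TASK_COMM_LEN];

    printf("racy, unbounded read: %zu bytes (\"%s\")\n", demo_racy(), slot(0));
    printf("racy, bounded read:   %zu bytes (\"%s\")\n",
           read_cmdline(0, out), out);
    printf("fixed, unbounded read: %zu bytes (\"%s\")\n", demo_fixed(), slot(0));
    return 0;
}
```
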

* [PATCH 3.16 302/366] can: ems_usb: Fix memory leak on ems_usb_disconnect()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Anton Vasilyev, Marc Kleine-Budde

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Vasilyev <vasilyev@ispras.ru>

commit 72c05f32f4a5055c9c8fe889bb6903ec959c0aad upstream.

ems_usb_probe() allocates memory for dev->tx_msg_buffer, but it is
never deallocated in ems_usb_disconnect().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/ems_usb.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1084,6 +1084,7 @@ static void ems_usb_disconnect(struct us
 		usb_free_urb(dev->intr_urb);
 
 		kfree(dev->intr_in_buffer);
+		kfree(dev->tx_msg_buffer);
 	}
 }
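
Review bot: kfree(dev->tx_msg_buffer) is added next to the intr_in_buffer free, which addresses the leak, but the hunk does not show where transfers that use this buffer are stopped. Please confirm that nothing can still reference tx_msg_buffer by the time this line runs, in the part of ems_usb_disconnect() above the visible context.
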
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 336/366] gcov: add support for GCC 5.1
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Oberparleiter, Andrey Ryabinin, Yuan Pengfei,
	Lorenzo Stoakes, Linus Torvalds, Arnd Bergmann

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Stoakes <lstoakes@gmail.com>

commit 3e44c471a2dab210f7e9b1e5f7d4d54d52df59eb upstream.

Fix kernel gcov support for GCC 5.1.  Similar to commit a992bf836f9
("gcov: add support for GCC 4.9"), this patch takes into account the
existence of a new gcov counter (see gcc's gcc/gcov-counter.def.)

Firstly, it increments GCOV_COUNTERS (to 10), which makes the data
structure struct gcov_info compatible with GCC 5.1.

Secondly, a corresponding counter function __gcov_merge_icall_topn (Top N
value tracking for indirect calls) is included in base.c with the other
gcov counters unused for kernel profiling.

Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Andrey Ryabinin <a.ryabinin@samsung.com>
Cc: Yuan Pengfei <coolypf@qq.com>
Tested-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/gcov/base.c    | 6 ++++++
 kernel/gcov/gcc_4_7.c | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/kernel/gcov/base.c
+++ b/kernel/gcov/base.c
@@ -91,6 +91,12 @@ void __gcov_merge_time_profile(gcov_type
 }
 EXPORT_SYMBOL(__gcov_merge_time_profile);
 
+void __gcov_merge_icall_topn(gcov_type *counters, unsigned int n_counters)
+{
+	/* Unused. */
+}
+EXPORT_SYMBOL(__gcov_merge_icall_topn);
+
 /**
  * gcov_enable_events - enable event reporting through gcov_event()
  *
--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -18,7 +18,9 @@
 #include <linux/vmalloc.h>
 #include "gcov.h"
 
-#if __GNUC__ == 4 && __GNUC_MINOR__ >= 9
+#if __GNUC__ == 5 && __GNUC_MINOR__ >= 1
+#define GCOV_COUNTERS			10
+#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9
 #define GCOV_COUNTERS			9
 #else
 #define GCOV_COUNTERS			8
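
Review bot: the new test __GNUC__ == 5 && __GNUC_MINOR__ >= 1 matches only GCC 5.x, so any later major version falls through to the #else and gets GCOV_COUNTERS 8. If later compilers keep at least the 5.1 counter set, write the condition as __GNUC__ > 5 || (__GNUC__ == 5 && __GNUC_MINOR__ >= 1); otherwise add a comment that every new GCC major needs its own entry here.
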


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 301/366] squashfs: be more careful about metadata corruption
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Phillip Lougher, Anatoly Trosinenko, Al Viro, Linus Torvalds

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 01cfb7937a9af2abb1136c7e89fbf3fd92952956 upstream.

Anatoly Trosinenko reports that a corrupted squashfs image can cause a
kernel oops.  It turns out that squashfs can end up being confused about
negative fragment lengths.

The regular squashfs_read_data() does check for negative lengths, but
squashfs_read_metadata() did not, and the fragment size code just
blindly trusted the on-disk value.  Fix both the fragment parsing and
the metadata reading code.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Phillip Lougher <phillip@squashfs.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/squashfs/cache.c       | 3 +++
 fs/squashfs/file.c        | 8 ++++++--
 fs/squashfs/fragment.c    | 4 +---
 fs/squashfs/squashfs_fs.h | 6 ++++++
 4 files changed, 16 insertions(+), 5 deletions(-)

--- a/fs/squashfs/cache.c
+++ b/fs/squashfs/cache.c
@@ -350,6 +350,9 @@ int squashfs_read_metadata(struct super_
 
 	TRACE("Entered squashfs_read_metadata [%llx:%x]\n", *block, *offset);
 
+	if (unlikely(length < 0))
+		return -EIO;
+
 	while (length) {
 		entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0);
 		if (entry->error) {
--- a/fs/squashfs/file.c
+++ b/fs/squashfs/file.c
@@ -194,7 +194,11 @@ static long long read_indexes(struct sup
 		}
 
 		for (i = 0; i < blocks; i++) {
-			int size = le32_to_cpu(blist[i]);
+			int size = squashfs_block_size(blist[i]);
+			if (size < 0) {
+				err = size;
+				goto failure;
+			}
 			block += SQUASHFS_COMPRESSED_SIZE_BLOCK(size);
 		}
 		n -= blocks;
@@ -367,7 +371,7 @@ static int read_blocklist(struct inode *
 			sizeof(size));
 	if (res < 0)
 		return res;
-	return le32_to_cpu(size);
+	return squashfs_block_size(size);
 }
 
 /* Copy data into page cache  */
--- a/fs/squashfs/fragment.c
+++ b/fs/squashfs/fragment.c
@@ -61,9 +61,7 @@ int squashfs_frag_lookup(struct super_bl
 		return size;
 
 	*fragment_block = le64_to_cpu(fragment_entry.start_block);
-	size = le32_to_cpu(fragment_entry.size);
-
-	return size;
+	return squashfs_block_size(fragment_entry.size);
 }
 
 
--- a/fs/squashfs/squashfs_fs.h
+++ b/fs/squashfs/squashfs_fs.h
@@ -129,6 +129,12 @@
 
 #define SQUASHFS_COMPRESSED_BLOCK(B)	(!((B) & SQUASHFS_COMPRESSED_BIT_BLOCK))
 
+static inline int squashfs_block_size(__le32 raw)
+{
+	u32 size = le32_to_cpu(raw);
+	return (size >> 25) ? -EIO : size;
+}
+
 /*
  * Inode number ops.  Inodes consist of a compressed block number, and an
  * uncompressed offset within that block
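
Review bot: squashfs_block_size() rejects values with (size >> 25) set, but the 25 is a bare number. The context line just above defines SQUASHFS_COMPRESSED_BLOCK() in terms of SQUASHFS_COMPRESSED_BIT_BLOCK, so a comment tying the shift to that flag bit, or deriving the limit from it, would show which bits are considered valid. The helper also returns the value with the flag bit still in place, so callers have to keep masking it with SQUASHFS_COMPRESSED_SIZE_BLOCK() as read_indexes() does; a kernel-doc line saying so would help. Style: add a blank line after the u32 size declaration.
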


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 303/366] virtio_balloon: fix another race between migration and ballooning
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jiang Biao, Huang Chong, Michael S. Tsirkin

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiang Biao <jiang.biao2@zte.com.cn>

commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.

The kernel panics under high memory pressure; the call trace looks like:

PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
 #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
 #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
 #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
 #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
 #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
 #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
 #6 [ffff881ec7ed7838] __node_set at ffffffff81680300
 #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
 #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
 #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
    [exception RIP: _raw_spin_lock_irqsave+47]
    RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
    RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
    RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
    RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
    R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
    ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018

It happens in the pagefault and results in a double pagefault
while compacting pages when memory allocation fails.

Analysing the vmcore shows that the page that leads to the second pagefault
is corrupted with _mapcount=-256, but private=0.

It's caused by the race between migration and ballooning, and a missing
lock in virtballoon_migratepage() of the virtio_balloon driver.
This patch fixes the bug.

Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/virtio/virtio_balloon.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -413,7 +413,9 @@ static int virtballoon_migratepage(struc
 	tell_host(vb, vb->inflate_vq);
 
 	/* balloon's page migration 2nd step -- deflate "page" */
+	spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
 	balloon_page_delete(page);
+	spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
 	vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
 	set_page_pfns(vb->pfns, page);
 	tell_host(vb, vb->deflate_vq);
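
Review bot: the added spin_lock_irqsave()/spin_unlock_irqrestore() pair uses flags, whose declaration is not in this hunk; please confirm that virtballoon_migratepage() already declares unsigned long flags in the 3.16 tree. The changelog would also be easier to review if it named the other path that takes vb_dev_info->pages_lock and races with balloon_page_delete() here.
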


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 300/366] net: socket: fix potential spectre v1 gadget in socketcall
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Josh Poimboeuf, David S. Miller, Jeremy Cline

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Cline <jcline@redhat.com>

commit c8e8cd579bb4265651df8223730105341e61a2d1 upstream.

'call' is a user-controlled value, so sanitize the array index after the
bounds check to avoid speculating past the bounds of the 'nargs' array.

Found with the help of Smatch:

net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
'nargs' [r] (local cap)

Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/socket.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -89,6 +89,7 @@
 #include <linux/magic.h>
 #include <linux/slab.h>
 #include <linux/xattr.h>
+#include <linux/nospec.h>
 
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
@@ -2494,6 +2495,7 @@ SYSCALL_DEFINE2(socketcall, int, call, u
 
 	if (call < 1 || call > SYS_SENDMMSG)
 		return -EINVAL;
+	call = array_index_nospec(call, SYS_SENDMMSG + 1);
 
 	len = nargs[call];
 	if (len > sizeof(a))
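
Review bot: the bound on the added line, SYS_SENDMMSG + 1, is only correct if nargs has at least SYS_SENDMMSG + 1 entries, and the array declaration is not part of this hunk. Consider array_index_nospec(call, ARRAY_SIZE(nargs)), or a comment tying the bound to the table, so that a later change to nargs cannot leave the speculative index wider than the array. The placement itself is right: the clamp sits after the range check and before the nargs[call] load.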



* [PATCH 3.16 305/366] netlink: Don't shift with UB on nlk->ngroups
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (205 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 044/366] ext4: factor out helper ext4_sample_last_mounted() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 139/366] l2tp: only accept PPP sessions in pppol2tp_connect() Ben Hutchings
                   ` (159 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, kernel test robot, David S. Miller, Dmitry Safonov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

commit 61f4b23769f0cc72ae62c9a81cf08f0397d40da8 upstream.

On i386 nlk->ngroups might be 32 or 0. Which leads to UB, resulting in
hang during boot.
Check for 0 ngroups and use (unsigned long long) as a type to shift.

Fixes: 7acf9d4237c4 ("netlink: Do not subscribe to non-existent groups").
Reported-by: kernel test robot <rong.a.chen@intel.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/af_netlink.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -927,7 +927,11 @@ static int netlink_bind(struct socket *s
 		if (err)
 			return err;
 	}
-	groups &= (1UL << nlk->ngroups) - 1;
+
+	if (nlk->ngroups == 0)
+		groups = 0;
+	else
+		groups &= (1ULL << nlk->ngroups) - 1;
 
 	if (nlk->portid)
 		if (nladdr->nl_pid != nlk->portid)
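
Review bot: on the new else branch, 1ULL << nlk->ngroups is still undefined once ngroups reaches 64, and nothing in this hunk bounds it. The commit message covers only the 0 and 32 cases; if ngroups can never be that large here, say so in a comment above the shift, otherwise handle the large case explicitly. With the 64-bit shift, the ngroups == 0 branch also gives the same result the mask would (a mask of 0), so it is there for readability rather than correctness.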



* [PATCH 3.16 332/366] HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Ben Hutchings
                   ` (365 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tomasz Kramkowski, Benjamin Tissoires, Jiri Kosina

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomasz Kramkowski <tk@the-tk.com>

commit 9547837bdccb4af127528b36a73377150658b4ac upstream.

The (1292:4745) Innomedia INNEX GENESIS/ATARI adapter needs
HID_QUIRK_MULTI_INPUT to split the device up into two controllers
instead of inputs from both being merged into one.

Signed-off-by: Tomasz Kramkowski <tk@the-tk.com>
Acked-By: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-ids.h           | 3 +++
 drivers/hid/usbhid/hid-quirks.c | 1 +
 2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -530,6 +530,9 @@
 #define USB_VENDOR_ID_IRTOUCHSYSTEMS	0x6615
 #define USB_DEVICE_ID_IRTOUCH_INFRARED_USB	0x0070
 
+#define USB_VENDOR_ID_INNOMEDIA			0x1292
+#define USB_DEVICE_ID_INNEX_GENESIS_ATARI	0x4745
+
 #define USB_VENDOR_ID_JABRA		0x0b0e
 #define USB_DEVICE_ID_JABRA_SPEAK_410	0x0412
 #define USB_DEVICE_ID_JABRA_SPEAK_510	0x0420
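
Review bot: style point on where the two new defines go: they are added after USB_VENDOR_ID_IRTOUCHSYSTEMS, but INNOMEDIA sorts before IRTOUCHSYSTEMS, so if this list is kept alphabetical by vendor name the block belongs one entry earlier. If the placement simply mirrors the upstream commit, keep it as is so later backports to this file still apply cleanly.
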
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -175,6 +175,7 @@ static const struct hid_blacklist {
 	{ USB_VENDOR_ID_MULTIPLE_1781, USB_DEVICE_ID_RAPHNET_4NES4SNES_OLD, HID_QUIRK_MULTI_INPUT },
 	{ USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES, HID_QUIRK_MULTI_INPUT },
 	{ USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES, HID_QUIRK_MULTI_INPUT },
+	{ USB_VENDOR_ID_INNOMEDIA, USB_DEVICE_ID_INNEX_GENESIS_ATARI, HID_QUIRK_MULTI_INPUT },
 
 	{ 0, 0 }
 };



* [PATCH 3.16 331/366] leds: do not overflow sysfs buffer in led_trigger_show
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 046/366] ext4: do not update s_last_mounted of a frozen fs Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 234/366] cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() Ben Hutchings
                   ` (137 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jacek Anaszewski, Zach Brown, Vlastimil Babka, Nathan Sullivan

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Sullivan <nathan.sullivan@ni.com>

commit 3b9b95363c45365d606ad4bbba16acca75fdf6d3 upstream.

Per the documentation, use scnprintf instead of sprintf to ensure there
is never more than PAGE_SIZE bytes of trigger names put into the
buffer.

Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: Zach Brown <zach.brown@ni.com>
Signed-off-by: Jacek Anaszewski <j.anaszewski@samsung.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/leds/led-triggers.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/leds/led-triggers.c
+++ b/drivers/leds/led-triggers.c
@@ -78,21 +78,23 @@ ssize_t led_trigger_show(struct device *
 	down_read(&led_cdev->trigger_lock);
 
 	if (!led_cdev->trigger)
-		len += sprintf(buf+len, "[none] ");
+		len += scnprintf(buf+len, PAGE_SIZE - len, "[none] ");
 	else
-		len += sprintf(buf+len, "none ");
+		len += scnprintf(buf+len, PAGE_SIZE - len, "none ");
 
 	list_for_each_entry(trig, &trigger_list, next_trig) {
 		if (led_cdev->trigger && !strcmp(led_cdev->trigger->name,
 							trig->name))
-			len += sprintf(buf+len, "[%s] ", trig->name);
+			len += scnprintf(buf+len, PAGE_SIZE - len, "[%s] ",
+					 trig->name);
 		else
-			len += sprintf(buf+len, "%s ", trig->name);
+			len += scnprintf(buf+len, PAGE_SIZE - len, "%s ",
+					 trig->name);
 	}
 	up_read(&led_cdev->trigger_lock);
 	up_read(&triggers_list_lock);
 
-	len += sprintf(len+buf, "\n");
+	len += scnprintf(len+buf, PAGE_SIZE - len, "\n");
 	return len;
 }
 EXPORT_SYMBOL_GPL(led_trigger_show);
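
Review bot: scnprintf() returns the number of bytes actually stored, so len can no longer run past PAGE_SIZE, but once the trigger list fills the page the output is silently truncated: the last name may be cut mid-string and the final scnprintf(len+buf, PAGE_SIZE - len, "\n") may store nothing, leaving the attribute without its terminating newline. If readers of this file depend on the newline, reserve a byte for it inside the loop (PAGE_SIZE - len - 1) or stop adding names once one does not fit.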



* [PATCH 3.16 328/366] dm bufio: avoid sleeping while holding the dm_bufio lock
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 275/366] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 363/366] perf tools: Remove duplicate const qualifier Ben Hutchings
                   ` (143 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Rientjes, Mikulas Patocka, Douglas Anderson,
	Guenter Roeck, Mike Snitzer

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Anderson <dianders@chromium.org>

commit 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc upstream.

We've seen in-field reports showing _lots_ (18 in one case, 41 in
another) of tasks all sitting there blocked on:

  mutex_lock+0x4c/0x68
  dm_bufio_shrink_count+0x38/0x78
  shrink_slab.part.54.constprop.65+0x100/0x464
  shrink_zone+0xa8/0x198

In the two cases analyzed, we see one task that looks like this:

  Workqueue: kverityd verity_prefetch_io

  __switch_to+0x9c/0xa8
  __schedule+0x440/0x6d8
  schedule+0x94/0xb4
  schedule_timeout+0x204/0x27c
  schedule_timeout_uninterruptible+0x44/0x50
  wait_iff_congested+0x9c/0x1f0
  shrink_inactive_list+0x3a0/0x4cc
  shrink_lruvec+0x418/0x5cc
  shrink_zone+0x88/0x198
  try_to_free_pages+0x51c/0x588
  __alloc_pages_nodemask+0x648/0xa88
  __get_free_pages+0x34/0x7c
  alloc_buffer+0xa4/0x144
  __bufio_new+0x84/0x278
  dm_bufio_prefetch+0x9c/0x154
  verity_prefetch_io+0xe8/0x10c
  process_one_work+0x240/0x424
  worker_thread+0x2fc/0x424
  kthread+0x10c/0x114

...and that looks to be the one holding the mutex.

The problem has been reproduced fairly easily:
0. Be running Chrome OS w/ verity enabled on the root filesystem
1. Pick test patch: http://crosreview.com/412360
2. Install launchBalloons.sh and balloon.arm from
     http://crbug.com/468342
   ...that's just a memory stress test app.
3. On a 4GB rk3399 machine, run
     nice ./launchBalloons.sh 4 900 100000
   ...that tries to eat 4 * 900 MB of memory and keep accessing.
4. Login to the Chrome web browser and restore many tabs

With that, I've seen printouts like:
  DOUG: long bufio 90758 ms
...and stack trace always shows we're in dm_bufio_prefetch().

The problem is that we try to allocate memory with GFP_NOIO while
we're holding the dm_bufio lock.  Instead we should be using
GFP_NOWAIT.  Using GFP_NOIO can cause us to sleep while holding the
lock and that causes the above problems.

The current behavior explained by David Rientjes:

  It will still try reclaim initially because __GFP_WAIT (or
  __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO.  This is the cause of
  contention on dm_bufio_lock() that the thread holds.  You want to
  pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a
  mutex that can be contended by a concurrent slab shrinker (if
  count_objects didn't use a trylock, this pattern would trivially
  deadlock).

This change significantly increases responsiveness of the system while
in this state.  It makes a real difference because it unblocks kswapd.
In the bug report analyzed, kswapd was hung:

   kswapd0         D ffffffc000204fd8     0    72      2 0x00000000
   Call trace:
   [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
   [<ffffffc00090b794>] __schedule+0x440/0x6d8
   [<ffffffc00090bac0>] schedule+0x94/0xb4
   [<ffffffc00090be44>] schedule_preempt_disabled+0x28/0x44
   [<ffffffc00090d900>] __mutex_lock_slowpath+0x120/0x1ac
   [<ffffffc00090d9d8>] mutex_lock+0x4c/0x68
   [<ffffffc000708e7c>] dm_bufio_shrink_count+0x38/0x78
   [<ffffffc00030b268>] shrink_slab.part.54.constprop.65+0x100/0x464
   [<ffffffc00030dbd8>] shrink_zone+0xa8/0x198
   [<ffffffc00030e578>] balance_pgdat+0x328/0x508
   [<ffffffc00030eb7c>] kswapd+0x424/0x51c
   [<ffffffc00023f06c>] kthread+0x10c/0x114
   [<ffffffc000203dd0>] ret_from_fork+0x10/0x40

By unblocking kswapd memory pressure should be reduced.

Suggested-by: David Rientjes <rientjes@google.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-bufio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -778,7 +778,8 @@ static struct dm_buffer *__alloc_buffer_
 	 * dm-bufio is resistant to allocation failures (it just keeps
 	 * one buffer reserved in cases all the allocations fail).
 	 * So set flags to not try too hard:
-	 *	GFP_NOIO: don't recurse into the I/O layer
+	 *	GFP_NOWAIT: don't wait; if we need to sleep we'll release our
+	 *		    mutex and wait ourselves.
 	 *	__GFP_NORETRY: don't retry and rather return failure
 	 *	__GFP_NOMEMALLOC: don't use emergency reserves
 	 *	__GFP_NOWARN: don't print a warning in case of failure
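
Review bot: the new comment text says "if we need to sleep we'll release our mutex and wait ourselves", but it does not say where that happens, and the only code change in this patch is the flag swap from GFP_NOIO to GFP_NOWAIT in the next hunk. Name the function that drops the lock and waits, so a reader can confirm that the allocation failure path really does release the mutex before sleeping.
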
@@ -788,7 +789,7 @@ static struct dm_buffer *__alloc_buffer_
 	 */
 	while (1) {
 		if (dm_bufio_cache_size_latch != 1) {
-			b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+			b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
 			if (b)
 				return b;
 		}



* [PATCH 3.16 333/366] HID: reject input outside logical range only if null state is set
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (260 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 203/366] block: Fix transfer when chunk sectors exceeds max Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 330/366] fs/proc: Stop trying to report thread stacks Ben Hutchings
                   ` (104 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Benjamin Tissoires, Tomasz Kramkowski,
	Valtteri Heikkilä,
	Jiri Kosina

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Valtteri Heikkilä <rnd@nic.fi>

commit 3f3752705dbd50b66b66ad7b4d54fe33d2f746ed upstream.

This patch fixes an issue in drivers/hid/hid-input.c where USB HID
control null state flag is not checked upon rejecting inputs outside
logical minimum-maximum range. The check should be made according to USB
HID specification 1.11, section 6.2.2.5, p.31. The fix will resolve
issues with some game controllers, such as:
https://bugzilla.kernel.org/show_bug.cgi?id=68621

[tk@the-tk.com: shortened and fixed spelling in commit message]
Signed-off-by: Valtteri Heikkilä <rnd@nic.fi>
Signed-off-by: Tomasz Kramkowski <tk@the-tk.com>
Acked-By: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-input.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1094,6 +1094,7 @@ void hidinput_hid_event(struct hid_devic
 	 * don't specify logical min and max.
 	 */
 	if ((field->flags & HID_MAIN_ITEM_VARIABLE) &&
+	    (field->flags & HID_MAIN_ITEM_NULL_STATE) &&
 	    (field->logical_minimum < field->logical_maximum) &&
 	    (value < field->logical_minimum ||
 	     value > field->logical_maximum)) {
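
Review bot: the comment directly above this condition still describes the check only in terms of devices that do not specify logical min and max, and says nothing about the null state flag that the added line now requires. Update it to state that out-of-range values are rejected here only for fields that declare HID_MAIN_ITEM_NULL_STATE, and that for all other fields a value outside logical_minimum..logical_maximum is no longer dropped at this point, so the code after this check must tolerate it.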



* [PATCH 3.16 337/366] gcov: add support for gcc version >= 6
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (210 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 068/366] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 284/366] can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting Ben Hutchings
                   ` (154 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Meier, Peter Oberparleiter, Arnd Bergmann, Linus Torvalds

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Meier <Florian.Meier@informatik.uni-erlangen.de>

commit d02038f972538b93011d78c068f44514fbde0a8c upstream.

Link: http://lkml.kernel.org/r/20160701130914.GA23225@styxhp
Signed-off-by: Florian Meier <Florian.Meier@informatik.uni-erlangen.de>
Reviewed-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Tested-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/gcov/gcc_4_7.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -18,7 +18,7 @@
 #include <linux/vmalloc.h>
 #include "gcov.h"
 
-#if __GNUC__ == 5 && __GNUC_MINOR__ >= 1
+#if (__GNUC__ > 5) || (__GNUC__ == 5 && __GNUC_MINOR__ >= 1)
 #define GCOV_COUNTERS			10
 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9
 #define GCOV_COUNTERS			9
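
Review bot: the changed condition makes every compiler with __GNUC__ > 5 use GCOV_COUNTERS 10, which is an open-ended assumption about future gcc releases, and the commit message has no body explaining it. A one-line comment above the #if stating which gcc versions were actually checked would make it clear when this value needs revisiting.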



* [PATCH 3.16 326/366] ceph: don't set req->r_locked_dir in ceph_d_revalidate
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (256 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 313/366] vsock: split dwork to avoid reinitializations Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 008/366] [media] drxd_hard: fix bad alignments Ben Hutchings
                   ` (108 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jeff Layton, Donatas Abraitis, Yan, Zheng, Bryan Henderson,
	Ilya Dryomov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@redhat.com>

commit c3f4688a08fd86f1bf8e055724c84b7a40a09733 upstream.

This function sets req->r_locked_dir which is supposed to indicate to
ceph_fill_trace that the parent's i_rwsem is locked for write.
Unfortunately, there is no guarantee that the dir will be locked when
d_revalidate is called, so we really don't want ceph_fill_trace to do
any dcache manipulation from this context. Clear req->r_locked_dir since
it's clearly not safe to do that.

What we really want to know with d_revalidate is whether the dentry
still points to the same inode. ceph_fill_trace installs a pointer to
the inode in req->r_target_inode, so we can just compare that to
d_inode(dentry) to see if it's the same one after the lookup.

Also, since we aren't generally interested in the parent here, we can
switch to using a GETATTR to hint that to the MDS, which also means that
we only need to reserve one cap.

Finally, just remove the d_unhashed check. That's really outside the
purview of a filesystem's d_revalidate. If the thing became unhashed
while we're checking it, then that's up to the VFS to handle anyway.

Fixes: 200fd27c8fa2 ("ceph: use lookup request to revalidate dentry")
Link: http://tracker.ceph.com/issues/18041
Reported-by: Donatas Abraitis <donatas.abraitis@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Cc: Bryan Henderson <bryanh@giraffe-data.com>
[bwh: Backported to 3.16: s/d_really_is_(positive|negative)/d_is_\1/ since
 we don't have to consider overlayfs]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/dir.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1071,26 +1071,30 @@ static int ceph_d_revalidate(struct dent
 		int op, mask, err;
 
 		op = ceph_snap(dir) == CEPH_SNAPDIR ?
-			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_LOOKUP;
+			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_GETATTR;
 		req = ceph_mdsc_create_request(mdsc, op, USE_ANY_MDS);
 		if (!IS_ERR(req)) {
 			req->r_dentry = dget(dentry);
-			req->r_num_caps = 2;
+			req->r_num_caps = op == CEPH_MDS_OP_GETATTR ? 1 : 2;
 
 			mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
 			if (ceph_security_xattr_wanted(dir))
 				mask |= CEPH_CAP_XATTR_SHARED;
 			req->r_args.getattr.mask = mask;
 
-			req->r_locked_dir = dir;
 			err = ceph_mdsc_do_request(mdsc, NULL, req);
-			if (err == 0 || err == -ENOENT) {
-				if (dentry == req->r_dentry) {
-					valid = !d_unhashed(dentry);
-				} else {
-					d_invalidate(req->r_dentry);
-					err = -EAGAIN;
-				}
+			switch (err) {
+			case 0:
+				if (d_is_positive(dentry) &&
+				    d_inode(dentry) == req->r_target_inode)
+					valid = 1;
+				break;
+			case -ENOENT:
+				if (d_is_negative(dentry))
+					valid = 1;
+				/* Fallthrough */
+			default:
+				break;
 			}
 			ceph_mdsc_put_request(req);
 			dout("d_revalidate %p lookup result=%d\n",
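
Review bot: in the new switch, the -ENOENT case ends with a Fallthrough comment into a default that only breaks; a plain break there reads more clearly and does not suggest shared handling. The dout() below still prints "lookup result" although the request is now CEPH_MDS_OP_GETATTR in the non-snapdir case, and req->r_num_caps = op == CEPH_MDS_OP_GETATTR ? 1 : 2 would be easier to read with parentheses around the comparison.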



* [PATCH 3.16 349/366] x86/apic: Fix build failure with X86_IO_APIC disabled
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 082/366] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 276/366] multicast: do not restore deleted record source filter mode to new one Ben Hutchings
                   ` (302 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

My backport of commit 2e63ad4bd5dd "x86/apic: Do not init irq
remapping if ioapic is disabled" added an unconditional use of
skip_ioapic_setup.  Enabling X86_LOCAL_APIC but not X86_IO_APIC
results in a build failure.

This configuration was made impossible by commit b1da1e715d4f
"x86/Kconfig: Simplify X86_IO_APIC dependencies", but that seems to
depend on additional changes that aren't suitable for stable.

The function that was changed, enable_IR_x2apic(), is only used in
64-bit configurations where CONFIG_X86_IO_APIC is always enabled.  So
extend the #ifdef CONFIG_X86_64 section to include this function.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1609,6 +1609,8 @@ int __init enable_IR(void)
 	return -1;
 }
 
+#ifdef CONFIG_X86_64
+
 void __init enable_IR_x2apic(void)
 {
 	unsigned long flags;
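
Review bot: with #ifdef CONFIG_X86_64 now opening above enable_IR_x2apic(), the function is no longer built for 32-bit, so any caller or reference outside a CONFIG_X86_64 guard will fail to link there. The commit message states the function is only used in 64-bit configurations; it would help to add a comment on the matching #endif, since the guarded region now spans more than the local APIC detection code it originally covered.
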
@@ -1683,7 +1685,6 @@ skip_x2apic:
 	local_irq_restore(flags);
 }
 
-#ifdef CONFIG_X86_64
 /*
  * Detect and enable local APICs on non-SMP boards.
  * Original code written by Keir Fraser.



* [PATCH 3.16 327/366] ceph: fix endianness of getattr mask in ceph_d_revalidate
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (231 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 107/366] x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 365/366] perf thread_map: Correctly size buffer used with dirent->dt_name Ben Hutchings
                   ` (133 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sage Weil, Jeff Layton, Bryan Henderson, Ilya Dryomov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@redhat.com>

commit 1097680d759918ce4a8705381c0ab2ed7bd60cf1 upstream.

sparse says:

    fs/ceph/dir.c:1248:50: warning: incorrect type in assignment (different base types)
    fs/ceph/dir.c:1248:50:    expected restricted __le32 [usertype] mask
    fs/ceph/dir.c:1248:50:    got int [signed] [assigned] mask

Fixes: 200fd27c8fa2 ("ceph: use lookup request to revalidate dentry")
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Cc: Bryan Henderson <bryanh@giraffe-data.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/dir.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -1068,7 +1068,8 @@ static int ceph_d_revalidate(struct dent
 		struct ceph_mds_client *mdsc =
 			ceph_sb_to_client(dir->i_sb)->mdsc;
 		struct ceph_mds_request *req;
-		int op, mask, err;
+		int op, err;
+		u32 mask;
 
 		op = ceph_snap(dir) == CEPH_SNAPDIR ?
 			CEPH_MDS_OP_LOOKUPSNAP : CEPH_MDS_OP_GETATTR;
@@ -1080,7 +1081,7 @@ static int ceph_d_revalidate(struct dent
 			mask = CEPH_STAT_CAP_INODE | CEPH_CAP_AUTH_SHARED;
 			if (ceph_security_xattr_wanted(dir))
 				mask |= CEPH_CAP_XATTR_SHARED;
-			req->r_args.getattr.mask = mask;
+			req->r_args.getattr.mask = cpu_to_le32(mask);
 
 			err = ceph_mdsc_do_request(mdsc, NULL, req);
 			switch (err) {
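
Review bot: for the changed assignment to req->r_args.getattr.mask, the commit message quotes only the sparse warning and does not state the runtime effect. cpu_to_le32() is a no-op on little-endian hosts, so the unconverted assignment only produced a wrong mask on big-endian machines; a sentence saying so would help anyone deciding whether they need this backport.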



* [PATCH 3.16 329/366] dm bufio: drop the lock when doing GFP_NOIO allocation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 008/366] [media] drxd_hard: fix bad alignments Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 203/366] block: Fix transfer when chunk sectors exceeds max Ben Hutchings
                   ` (106 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mike Snitzer, Mikulas Patocka

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 41c73a49df31151f4ff868f28fe4f129f113fa2c upstream.

If the first allocation attempt using GFP_NOWAIT fails, drop the lock
and retry using GFP_NOIO allocation (lock is dropped because the
allocation can take some time).

Note that we won't do GFP_NOIO allocation when we loop for the second
time, because the lock shouldn't be dropped between __wait_for_free_buffer
and __get_unclaimed_buffer.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-bufio.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -773,6 +773,7 @@ enum new_flag {
 static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf)
 {
 	struct dm_buffer *b;
+	bool tried_noio_alloc = false;
 
 	/*
 	 * dm-bufio is resistant to allocation failures (it just keeps
@@ -797,6 +798,15 @@ static struct dm_buffer *__alloc_buffer_
 		if (nf == NF_PREFETCH)
 			return NULL;
 
+		if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) {
+			dm_bufio_unlock(c);
+			b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+			dm_bufio_lock(c);
+			if (b)
+				return b;
+			tried_noio_alloc = true;
+		}
+
 		if (!list_empty(&c->reserved_buffers)) {
 			b = list_entry(c->reserved_buffers.next,
 				       struct dm_buffer, lru_list);
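
Review bot: in the added block the client lock is dropped around alloc_buffer() and the new buffer is returned straight after dm_bufio_lock(c), so anything a caller looked up under the lock before calling this function may be stale by the time it returns. The function should carry a comment saying it can drop and retake the lock, so callers know to recheck their state. The flag set GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN also repeats most of the flags used for the first attempt; a shared definition for the common part would keep the two calls from drifting apart.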



* [PATCH 3.16 335/366] usbip: stub_rx: fix static checker warning on unnecessary checks
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 117/366] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 067/366] scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' Ben Hutchings
                   ` (346 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Greg Kroah-Hartman, Dan Carpenter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shuah Khan <shuahkh@osg.samsung.com>

commit 10c90120930628e8b959bf58d4a0aaef3ae5d945 upstream.

Fix the following static checker warnings:

The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
to handle malicious input" from Dec 7, 2017, leads to the following
static checker warning:

    drivers/usb/usbip/stub_rx.c:346 get_pipe()
    warn: impossible condition
'(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
(s32min-s32max > s32max)'
    drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
    warn: always true condition
'(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
(s32min-s32max <= s32max)'

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/usbip/stub_rx.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

--- a/drivers/staging/usbip/stub_rx.c
+++ b/drivers/staging/usbip/stub_rx.c
@@ -353,14 +353,6 @@ static int get_pipe(struct stub_device *
 
 	epd = &ep->desc;
 
-	/* validate transfer_buffer_length */
-	if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
-		dev_err(&sdev->udev->dev,
-			"CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
-			pdu->u.cmd_submit.transfer_buffer_length);
-		return -1;
-	}
-
 	if (usb_endpoint_xfer_control(epd)) {
 		if (dir == USBIP_DIR_OUT)
 			return usb_sndctrlpipe(udev, epnum);
@@ -494,8 +486,7 @@ static void stub_recv_cmd_submit(struct
 	}
 
 	/* allocate urb transfer buffer, if needed */
-	if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
-	    pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
+	if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
 		priv->urb->transfer_buffer =
 			kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
 				GFP_KERNEL);
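
Review bot: with the INT_MAX comparison removed, the only test left before kzalloc() in this hunk is transfer_buffer_length > 0, so any positive length taken from the PDU is used directly as the allocation size. The removed comparison was dead code, as the static checker output in the commit message shows, but it was also the only thing here that read like a size limit; if an upper bound on transfer_buffer_length is intended, add an explicit check against a realistic maximum, and make sure the kzalloc() result is checked for NULL (that check is not visible in this hunk).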



* [PATCH 3.16 340/366] iio: iio-trig-periodic-rtc: Free trigger resource correctly
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (291 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 051/366] rpmsg: Correct support for MODULE_DEVICE_TABLE() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 300/366] net: socket: fix potential spectre v1 gadget in socketcall Ben Hutchings
                   ` (73 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jonathan Cameron, Alison Schofield, Ben Hutchings

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

This is based on upstream commit 10e840dfb0b7, which did not touch the
iio-trig-periodic-rtc driver because it has been removed upstream.

The following explanation comes from that commit:

    These stand-alone trigger drivers were using iio_trigger_put()
    where they should have been using iio_trigger_free().  The
    iio_trigger_put() adds a module_put which is bad since they
    never did a module_get.

    In the sysfs driver, module_get/put's are used as triggers are
    added & removed. This extra module_put() occurs on an error path
    in the probe routine (probably rare).

    In the bfin-timer & interrupt trigger drivers, the module resources
    are not explicitly managed, so it's doing a put on something that
    was never get'd.  It occurs on the probe error path and on the
    remove path (not so rare).

    Tested with the sysfs trigger driver.
    The bfin & interrupt drivers were build tested & inspected only.

This was build tested only.

Cc: Alison Schofield <amsfield22@gmail.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/trigger/iio-trig-periodic-rtc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/staging/iio/trigger/iio-trig-periodic-rtc.c
+++ b/drivers/staging/iio/trigger/iio-trig-periodic-rtc.c
@@ -123,7 +123,7 @@ static int iio_trig_periodic_rtc_probe(s
 		trig_info = kzalloc(sizeof(*trig_info), GFP_KERNEL);
 		if (!trig_info) {
 			ret = -ENOMEM;
-			goto error_put_trigger_and_remove_from_list;
+			goto error_free_trigger_and_remove_from_list;
 		}
 		iio_trigger_set_drvdata(trig, trig_info);
 		trig->ops = &iio_prtc_trigger_ops;
@@ -151,9 +151,9 @@ error_close_rtc:
 	rtc_class_close(trig_info->rtc);
 error_free_trig_info:
 	kfree(trig_info);
-error_put_trigger_and_remove_from_list:
+error_free_trigger_and_remove_from_list:
 	list_del(&trig->alloc_list);
-	iio_trigger_put(trig);
+	iio_trigger_free(trig);
 error_free_completed_registrations:
 	list_for_each_entry_safe(trig,
 				 trig2,
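Review bot: The `error_free_trigger_and_remove_from_list` path now calls `iio_trigger_free(trig)`, but the quoted upstream explanation says the unbalanced `iio_trigger_put()` also occurred on the remove path of the other trigger drivers, and this backport (3 insertions, 3 deletions) only touches the probe error label. Please confirm that the `error_free_completed_registrations` loop that follows and this driver's remove routine do not still call `iio_trigger_put()` on triggers for which no module reference was taken. Since the change was build tested only, a changelog line saying those paths were inspected would help.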



* [PATCH 3.16 355/366] perf thread_map: Use readdir() instead of deprecated readdir_r()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 304/366] netlink: Do not subscribe to non-existent groups Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 039/366] clk: qcom: Base rcg parent rate off plan frequency Ben Hutchings
                   ` (243 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wang Nan, Adrian Hunter, David Ahern,
	Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 3354cf71104de49326d19d2f9bdb1f66eea52ef4 upstream.

The readdir() function is thread safe as long as just one thread uses a
DIR, which is the case in thread_map, so, to avoid breaking the build
with glibc-2.23.90 (upcoming 2.24), use it instead of readdir_r().

See: http://man7.org/linux/man-pages/man3/readdir.3.html

"However, in modern implementations (including the glibc implementation),
concurrent calls to readdir() that specify different directory streams
are thread-safe.  In cases where multiple threads must read from the
same directory stream, using readdir() with external synchronization is
still preferable to the use of the deprecated readdir_r(3) function."

Noticed while building on a Fedora Rawhide docker container.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-del8h2a0f40z75j4r42l96l0@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/thread_map.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/tools/perf/util/thread_map.c
+++ b/tools/perf/util/thread_map.c
@@ -64,7 +64,7 @@ struct thread_map *thread_map__new_by_ui
 	DIR *proc;
 	int max_threads = 32, items, i;
 	char path[256];
-	struct dirent dirent, *next, **namelist = NULL;
+	struct dirent *dirent, **namelist = NULL;
 	struct thread_map *threads = malloc(sizeof(*threads) +
 					    max_threads * sizeof(pid_t));
 	if (threads == NULL)
@@ -76,16 +76,16 @@ struct thread_map *thread_map__new_by_ui
 
 	threads->nr = 0;
 
-	while (!readdir_r(proc, &dirent, &next) && next) {
+	while ((dirent = readdir(proc)) != NULL) {
 		char *end;
 		bool grow = false;
 		struct stat st;
-		pid_t pid = strtol(dirent.d_name, &end, 10);
+		pid_t pid = strtol(dirent->d_name, &end, 10);
 
 		if (*end) /* only interested in proper numerical dirents */
 			continue;
 
-		snprintf(path, sizeof(path), "/proc/%s", dirent.d_name);
+		snprintf(path, sizeof(path), "/proc/%s", dirent->d_name);
 
 		if (stat(path, &st) != 0)
 			continue;
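Review bot: In the `while ((dirent = readdir(proc)) != NULL)` loop, a NULL return ends the scan both at end of directory and on a read error, and `readdir()` reports the difference only through `errno`, so a failed read of `/proc` still yields a silently truncated thread map. Consider setting `errno = 0` before each `readdir()` call and checking it once the loop exits, so that an error can be told apart from end of stream and reported to the caller.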



* [PATCH 3.16 338/366] gcov: support GCC 7.1
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 265/366] x86/MCE: Remove min interval polling limitation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 167/366] xen-netfront: properly destroy queues when removing device Ben Hutchings
                   ` (270 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Linus Torvalds, Martin Liska, Peter Oberparleiter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Liska <mliska@suse.cz>

commit 05384213436ab690c46d9dfec706b80ef8d671ab upstream.

Starting from GCC 7.1, __gcov_exit is a new symbol expected to be
implemented in a profiling runtime.

[akpm@linux-foundation.org: coding-style fixes]
[mliska@suse.cz: v2]
  Link: http://lkml.kernel.org/r/e63a3c59-0149-c97e-4084-20ca8f146b26@suse.cz
Link: http://lkml.kernel.org/r/8c4084fa-3885-29fe-5fc4-0d4ca199c785@suse.cz
Signed-off-by: Martin Liska <mliska@suse.cz>
Acked-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/gcov/base.c    | 6 ++++++
 kernel/gcov/gcc_4_7.c | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/kernel/gcov/base.c
+++ b/kernel/gcov/base.c
@@ -97,6 +97,12 @@ void __gcov_merge_icall_topn(gcov_type *
 }
 EXPORT_SYMBOL(__gcov_merge_icall_topn);
 
+void __gcov_exit(void)
+{
+	/* Unused. */
+}
+EXPORT_SYMBOL(__gcov_exit);
+
 /**
  * gcov_enable_events - enable event reporting through gcov_event()
  *
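Review bot: The `/* Unused. */` comment in the new `__gcov_exit()` stub does not say why an empty, exported function is needed. A one-line comment stating that GCC 7.1 and later expect the profiling runtime to provide this symbol, as the changelog says, would keep the stub from being mistaken for dead code and removed later.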
--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -18,7 +18,9 @@
 #include <linux/vmalloc.h>
 #include "gcov.h"
 
-#if (__GNUC__ > 5) || (__GNUC__ == 5 && __GNUC_MINOR__ >= 1)
+#if (__GNUC__ >= 7)
+#define GCOV_COUNTERS			9
+#elif (__GNUC__ > 5) || (__GNUC__ == 5 && __GNUC_MINOR__ >= 1)
 #define GCOV_COUNTERS			10
 #elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9
 #define GCOV_COUNTERS			9
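Review bot: The new `#if (__GNUC__ >= 7)` branch sets `GCOV_COUNTERS` to 9 while the GCC 5.1+ branch directly below uses 10, and neither the hunk nor the changelog explains why the count drops again. Because this value has to match what the compiler emits, please add a short comment naming the GCC 7 change behind the new value, so the next compiler bump can be checked against it.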



* [PATCH 3.16 359/366] perf top: Use __fallthrough
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 195/366] xfrm: free skb if nlsk pointer is NULL Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 074/366] RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events Ben Hutchings
                   ` (258 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jiri Olsa, David Ahern, Arnaldo Carvalho de Melo,
	Namhyung Kim, Wang Nan, Adrian Hunter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 7b0214b702ad8e124e039a317beeebb3f020d125 upstream.

The implicit fall through case label here is intended, so let us inform
that to gcc >= 7:

    CC       /tmp/build/perf/builtin-top.o
  builtin-top.c: In function 'display_thread':
  builtin-top.c:644:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
      if (errno == EINTR)
         ^
  builtin-top.c:647:3: note: here
     default:
   ^~~~~~~

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-lmcfnnyx9ic0m6j0aud98p4e@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/builtin-top.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/builtin-top.c
+++ b/tools/perf/builtin-top.c
@@ -609,7 +609,7 @@ repeat:
 		case -1:
 			if (errno == EINTR)
 				continue;
-			/* Fall trhu */
+			__fallthrough;
 		default:
 			c = getc(stdin);
 			tcsetattr(0, TCSAFLUSH, &save);
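Review bot: `__fallthrough;` in the `case -1:` arm relies on a macro that this patch does not define; the diffstat touches only tools/perf/builtin-top.c. Please make sure the patch that introduces `__fallthrough` for tools/perf is part of this series and ordered before this one, otherwise the 3.16 build breaks at this line.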



* [PATCH 3.16 343/366] net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (340 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 194/366] usb: cdc_acm: Add quirk for Uniden UBC125 scanner Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 118/366] net: metrics: add proper netlink validation Ben Hutchings
                   ` (24 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rasmus Villemoes, John W. Linville, Arend van Spriel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit e843bb199ba58ce5d1364d4c82fcf6975f08eec2 upstream.

Applying ++ to a bool is equivalent to setting it true, regardless of
its initial value (bools are not uint1_t). Hence the function
wl_get_vif_state_all can only ever return true/false. The only in-tree
caller uses its return value as a boolean. So update its return type,
and since the list traversal and bit testing have no side effects,
just return true immediately. Its return value tells if any vif is in
the specified state, so also rename it to brcmf_get_vif_state_any.

Reviewed-by: Arend van Spriel<arend@broadcom.com>
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c         | 2 +-
 drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 7 +++----
 drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.h | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -706,7 +706,7 @@ static s32 brcmf_p2p_escan(struct brcmf_
 		active = P2PAPI_SCAN_SOCIAL_DWELL_TIME_MS;
 	else if (num_chans == AF_PEER_SEARCH_CNT)
 		active = P2PAPI_SCAN_AF_SEARCH_DWELL_TIME_MS;
-	else if (wl_get_vif_state_all(p2p->cfg, BRCMF_VIF_STATUS_CONNECTED))
+	else if (brcmf_get_vif_state_any(p2p->cfg, BRCMF_VIF_STATUS_CONNECTED))
 		active = -1;
 	else
 		active = P2PAPI_SCAN_DWELL_TIME_MS;
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
@@ -5647,16 +5647,15 @@ enum nl80211_iftype brcmf_cfg80211_get_i
 	return wdev->iftype;
 }
 
-u32 wl_get_vif_state_all(struct brcmf_cfg80211_info *cfg, unsigned long state)
+bool brcmf_get_vif_state_any(struct brcmf_cfg80211_info *cfg, unsigned long state)
 {
 	struct brcmf_cfg80211_vif *vif;
-	bool result = 0;
 
 	list_for_each_entry(vif, &cfg->vif_list, list) {
 		if (test_bit(state, &vif->sme_state))
-			result++;
+			return true;
 	}
-	return result;
+	return false;
 }
 
 static inline bool vif_event_equals(struct brcmf_cfg80211_vif_event *event,
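Review bot: The new definition line `bool brcmf_get_vif_state_any(struct brcmf_cfg80211_info *cfg, unsigned long state)` runs past 80 columns, as does the matching prototype in wl_cfg80211.h; wrap the second parameter onto a continuation line in both places. Since the rename is meant to document the semantics, a short comment above the function stating that it returns true as soon as any vif on `cfg->vif_list` has the `state` bit set would also be worth adding.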
--- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.h
@@ -477,7 +477,7 @@ const struct brcmf_tlv *
 brcmf_parse_tlvs(const void *buf, int buflen, uint key);
 u16 channel_to_chanspec(struct brcmu_d11inf *d11inf,
 			struct ieee80211_channel *ch);
-u32 wl_get_vif_state_all(struct brcmf_cfg80211_info *cfg, unsigned long state);
+bool brcmf_get_vif_state_any(struct brcmf_cfg80211_info *cfg, unsigned long state);
 void brcmf_cfg80211_arm_vif_event(struct brcmf_cfg80211_info *cfg,
 				  struct brcmf_cfg80211_vif *vif);
 bool brcmf_cfg80211_vif_event_armed(struct brcmf_cfg80211_info *cfg);



* [PATCH 3.16 345/366] p54: memset(0) whole array
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (212 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 284/366] can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 315/366] fix mntput/mntput race Ben Hutchings
                   ` (152 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-wireless, netdev, Jiri Slaby, Kalle Valo,
	Christian Lamparter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 6f17581788206444cbbcdbc107498f85e9765e3d upstream.

gcc 7 complains:
drivers/net/wireless/intersil/p54/fwio.c: In function 'p54_scan':
drivers/net/wireless/intersil/p54/fwio.c:491:4: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]

Fix that by passing the correct size to memset.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Christian Lamparter <chunkeey@googlemail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/p54/fwio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/p54/fwio.c
+++ b/drivers/net/wireless/p54/fwio.c
@@ -486,7 +486,7 @@ int p54_scan(struct p54_common *priv, u1
 
 			entry += sizeof(__le16);
 			chan->pa_points_per_curve = 8;
-			memset(chan->curve_data, 0, sizeof(*chan->curve_data));
+			memset(chan->curve_data, 0, sizeof(chan->curve_data));
 			memcpy(chan->curve_data, entry,
 			       sizeof(struct p54_pa_curve_data_sample) *
 			       min((u8)8, curve_data->points_per_channel));
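Review bot: With `sizeof(chan->curve_data)` the memset now clears the whole array, but the `memcpy()` that follows is still bounded by the literal `(u8)8`, independently of `chan->pa_points_per_curve = 8` two lines above. Deriving that bound from `ARRAY_SIZE(chan->curve_data)` or a shared constant would keep the clear and the copy tied to the same array size, so a later change to the array length cannot turn the copy into an overrun.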



* [PATCH 3.16 339/366] KVM: x86: fix escape of guest dr6 to the host
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 185/366] ipv6: mcast: fix unsolicited report interval after receiving querys Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 115/366] kconfig: Avoid format overflow warning from GCC 8.1 Ben Hutchings
                   ` (283 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wanpeng Li, David Hildenbrand, Radim Krčmář,
	Dmitry Vyukov, Paolo Bonzini

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpeng.li@hotmail.com>

commit efdab992813fb2ed825745625b83c05032e9cda2 upstream.

syzkaller reported:

   WARNING: CPU: 0 PID: 12927 at arch/x86/kernel/traps.c:780 do_debug+0x222/0x250
   CPU: 0 PID: 12927 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #16
   RIP: 0010:do_debug+0x222/0x250
   Call Trace:
    <#DB>
    debug+0x3e/0x70
   RIP: 0010:copy_user_enhanced_fast_string+0x10/0x20
    </#DB>
    _copy_from_user+0x5b/0x90
    SyS_timer_create+0x33/0x80
    entry_SYSCALL_64_fastpath+0x23/0x9a

The testcase sets a watchpoint (with perf_event_open) on a buffer that is
passed to timer_create() as the struct sigevent argument.  In timer_create(),
copy_from_user()'s rep movsb triggers the BP.  The testcase also sets
the debug registers for the guest.

However, KVM only restores host debug registers when the host has active
watchpoints, which triggers a race condition when running the testcase with
multiple threads.  The guest's DR6.BS bit can escape to the host before
another thread invokes timer_create(), and do_debug() complains.

The fix is to respect do_debug()'s dr6 invariant when leaving KVM.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2892,6 +2892,12 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *
 	kvm_x86_ops->vcpu_put(vcpu);
 	kvm_put_guest_fpu(vcpu);
 	vcpu->arch.last_host_tsc = native_read_tsc();
+	/*
+	 * If userspace has set any breakpoints or watchpoints, dr6 is restored
+	 * on every vmexit, but if not, we might have a stale dr6 from the
+	 * guest. do_debug expects dr6 to be cleared after it runs, do the same.
+	 */
+	set_debugreg(0, 6);
 }
 
 static int kvm_vcpu_ioctl_get_lapic(struct kvm_vcpu *vcpu,
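Review bot: `set_debugreg(0, 6)` at the end of `kvm_arch_vcpu_put()` runs unconditionally, while the added comment only describes the case where userspace has not set any breakpoints or watchpoints. Please state in the comment that the write is deliberately done in both cases, or make it conditional on the case the comment describes, so a later reader does not "optimise" it away and reintroduce the stale guest dr6 on the host.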



* [PATCH 3.16 348/366] MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (284 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 193/366] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 106/366] tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
                   ` (80 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, Markos Chandras, Paul Burton, linux-mips,
	James Hogan

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit 2bd7bc254ab1f45269db6dd7957d63b713817408 upstream.

This silences warnings like the following one when building with the
latest binutils:

arch/mips/kernel/genex.S: Assembler messages:
arch/mips/kernel/genex.S:438: Warning: the `msa' extension requires 64-bit FPRs

[ralf@linux-mips.org: Markos says binutils 2.25 and some 2.24 snapshots
are affected.]

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9745/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/asmmacro.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/mips/include/asm/asmmacro.h
+++ b/arch/mips/include/asm/asmmacro.h
@@ -209,9 +209,13 @@
 	.endm
 
 #ifdef TOOLCHAIN_SUPPORTS_MSA
+/* preprocessor replaces the fp in ".set fp=64" with $30 otherwise */
+#undef fp
+
 	.macro	_cfcmsa	rd, cs
 	.set	push
 	.set	mips32r2
+	.set	fp=64
 	.set	msa
 	cfcmsa	\rd, $\cs
 	.set	pop
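Review bot: The `#undef fp` added under `#ifdef TOOLCHAIN_SUPPORTS_MSA` is never undone, so every file that includes asmmacro.h loses the `fp` register macro for the rest of the translation unit, and only on toolchains that support MSA. Please confirm that no assembly source including this header uses `fp` after the include, and extend the comment to say that the undef is intentionally left in effect.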
@@ -220,6 +224,7 @@
 	.macro	_ctcmsa	cd, rs
 	.set	push
 	.set	mips32r2
+	.set	fp=64
 	.set	msa
 	ctcmsa	$\cd, \rs
 	.set	pop
@@ -228,6 +233,7 @@
 	.macro	ld_d	wd, off, base
 	.set	push
 	.set	mips32r2
+	.set	fp=64
 	.set	msa
 	ld.d	$w\wd, \off(\base)
 	.set	pop
@@ -236,6 +242,7 @@
 	.macro	st_d	wd, off, base
 	.set	push
 	.set	mips32r2
+	.set	fp=64
 	.set	msa
 	st.d	$w\wd, \off(\base)
 	.set	pop
@@ -244,6 +251,7 @@
 	.macro	copy_u_w	ws, n
 	.set	push
 	.set	mips32r2
+	.set	fp=64
 	.set	msa
 	copy_u.w $1, $w\ws[\n]
 	.set	pop
@@ -252,6 +260,7 @@
 	.macro	copy_u_d	ws, n
 	.set	push
 	.set	mips64r2
+	.set	fp=64
 	.set	msa
 	copy_u.d $1, $w\ws[\n]
 	.set	pop
@@ -260,6 +269,7 @@
 	.macro	insert_w	wd, n
 	.set	push
 	.set	mips32r2
+	.set	fp=64
 	.set	msa
 	insert.w $w\wd[\n], $1
 	.set	pop
@@ -268,6 +278,7 @@
 	.macro	insert_d	wd, n
 	.set	push
 	.set	mips64r2
+	.set	fp=64
 	.set	msa
 	insert.d $w\wd[\n], $1
 	.set	pop



* [PATCH 3.16 342/366] clk: si5351: Constify clock names and struct regmap_config
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 035/366] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 109/366] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it Ben Hutchings
                   ` (337 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Max Filippov, Stephen Boyd, Krzysztof Kozlowski

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit 8234caed27f7bce141c9fb1f7e76c91a2a66d248 upstream.

The regmap_config struct may be const because it is not modified by the
driver and regmap_init() accepts pointer to const.

Replace doubled const in the arrays of clock names with proper const
pointer to const data. This fixes the warnings:

drivers/clk/clk-si5351.c:71:25: warning: duplicate const
drivers/clk/clk-si5351.c:74:25: warning: duplicate const
drivers/clk/clk-si5351.c:77:25: warning: duplicate const
drivers/clk/clk-si5351.c:80:25: warning: duplicate const

Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/clk-si5351.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/clk/clk-si5351.c
+++ b/drivers/clk/clk-si5351.c
@@ -68,16 +68,16 @@ struct si5351_driver_data {
 	struct si5351_hw_data	*clkout;
 };
 
-static const char const *si5351_input_names[] = {
+static const char * const si5351_input_names[] = {
 	"xtal", "clkin"
 };
-static const char const *si5351_pll_names[] = {
+static const char * const si5351_pll_names[] = {
 	"plla", "pllb", "vxco"
 };
-static const char const *si5351_msynth_names[] = {
+static const char * const si5351_msynth_names[] = {
 	"ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7"
 };
-static const char const *si5351_clkout_names[] = {
+static const char * const si5351_clkout_names[] = {
 	"clk0", "clk1", "clk2", "clk3", "clk4", "clk5", "clk6", "clk7"
 };
 
@@ -207,7 +207,7 @@ static bool si5351_regmap_is_writeable(s
 	return true;
 }
 
-static struct regmap_config si5351_regmap_config = {
+static const struct regmap_config si5351_regmap_config = {
 	.reg_bits = 8,
 	.val_bits = 8,
 	.cache_type = REGCACHE_RBTREE,



* [PATCH 3.16 341/366] MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 196/366] staging: android: ion: Return an ERR_PTR in ion_map_kernel Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 155/366] scsi: target: Fix truncated PR-in ReadKeys response Ben Hutchings
                   ` (174 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Markos Chandras

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit be5136988e25ae0dc8379fcb937efc63d87aba9e upstream.

There are certain places where the code uses .set mips32 or .set mips64
or .set arch=r4000. In preparation for MIPS R6 support, and in order to
use as few #ifdefs as possible, we define new macros to set similar
annotations for MIPS R6.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
[bwh: Backported to 3.16: We don't support MIPS R6 but I have applied a
 commit that uses MIPS_ISA_LEVEL_RAW.  Add the R2 definitions only.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/compiler.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/mips/include/asm/compiler.h
+++ b/arch/mips/include/asm/compiler.h
@@ -16,4 +16,10 @@
 #define GCC_REG_ACCUM "accum"
 #endif
 
+/* MIPS64 is a superset of MIPS32 */
+#define MIPS_ISA_LEVEL "mips64r2"
+#define MIPS_ISA_ARCH_LEVEL "arch=r4000"
+#define MIPS_ISA_LEVEL_RAW mips64r2
+#define MIPS_ISA_ARCH_LEVEL_RAW MIPS_ISA_LEVEL_RAW
+
 #endif /* _ASM_COMPILER_H */
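Review bot: `MIPS_ISA_ARCH_LEVEL` is the string "arch=r4000", but `MIPS_ISA_ARCH_LEVEL_RAW` expands to `MIPS_ISA_LEVEL_RAW`, that is mips64r2, so the quoted and raw forms of the arch level name different things. If that is intended, a comment should say why; the only comment in the hunk covers MIPS64 versus MIPS32. The diffstat also still reports 13 insertions although this backport adds 6 lines.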



* [PATCH 3.16 353/366] perf tools: define _DEFAULT_SOURCE for glibc_2.20
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 167/366] xen-netfront: properly destroy queues when removing device Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 147/366] USB: serial: cp210x: add Silicon Labs IDs for Windows Update Ben Hutchings
                   ` (268 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, Peter Zijlstra, Arnaldo Carvalho de Melo,
	Paul Mackerras, Chanho Park

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chanho Park <chanho61.park@samsung.com>

commit 512fe365373b9c95a70b4b6357503ee74d27214f upstream.

_BSD_SOURCE was deprecated in favour of _DEFAULT_SOURCE since glibc
2.20[1]. To avoid build warning on glibc2.20, _DEFAULT_SOURCE should
also be defined.

[1]: https://sourceware.org/glibc/wiki/Release/2.20

Signed-off-by: Chanho Park <chanho61.park@samsung.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/1410487817-13403-1-git-send-email-chanho61.park@samsung.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/util.h | 2 ++
 1 file changed, 2 insertions(+)

--- a/tools/perf/util/util.h
+++ b/tools/perf/util/util.h
@@ -39,6 +39,8 @@
 
 #define _ALL_SOURCE 1
 #define _BSD_SOURCE 1
+/* glibc 2.20 deprecates _BSD_SOURCE in favour of _DEFAULT_SOURCE */
+#define _DEFAULT_SOURCE 1
 #define HAS_BOOL
 
 #include <unistd.h>



* [PATCH 3.16 350/366] sched/topology: Make local variables static
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 171/366] xen-netfront: avoid crashing on resume after a failure in talk_to_netback() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 287/366] net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper Ben Hutchings
                   ` (317 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, zhong jiang, Peter Zijlstra, Ingo Molnar,
	Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: zhong jiang <zhongjiang@huawei.com>

commit ace8031099f91480799b5929b4cccf2dcacc5136 upstream.

Fix the following warnings:

  kernel/sched/topology.c:10:15: warning: symbol 'sched_domains_tmpmask' was not declared. Should it be static?
  kernel/sched/topology.c:11:15: warning: symbol 'sched_domains_tmpmask2' was not declared. Should it be static?

Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1533299852-26941-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5286,7 +5286,7 @@ early_initcall(migration_init);
 #ifdef CONFIG_SMP
 
 static cpumask_var_t sched_domains_tmpmask; /* sched_domains_mutex */
-cpumask_var_t sched_domains_tmpmask2;
+static cpumask_var_t sched_domains_tmpmask2;
 
 #ifdef CONFIG_SCHED_DEBUG
 



* [PATCH 3.16 344/366] [media] ir-core: fix gcc-7 warning on bool arithmetic
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (159 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 071/366] net: ethernet: davinci_emac: Fix printing of base address Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 142/366] cfg80211: initialize sinfo in cfg80211_get_station Ben Hutchings
                   ` (205 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit bd7e31bbade02bc1e92aa00d5cf2cee2da66838a upstream.

gcc-7 suggests that an expression using a bitwise not and a bitmask
on a 'bool' variable is better written using boolean logic:

drivers/media/rc/imon.c: In function 'imon_incoming_scancode':
drivers/media/rc/imon.c:1725:22: error: '~' on a boolean expression [-Werror=bool-operation]
    ictx->pad_mouse = ~(ictx->pad_mouse) & 0x1;
                      ^
drivers/media/rc/imon.c:1725:22: note: did you mean to use logical not?

I agree.

Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/rc/imon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1530,7 +1530,7 @@ static void imon_incoming_packet(struct
 	if (kc == KEY_KEYBOARD && !ictx->release_code) {
 		ictx->last_keycode = kc;
 		if (!nomouse) {
-			ictx->pad_mouse = ~(ictx->pad_mouse) & 0x1;
+			ictx->pad_mouse = !ictx->pad_mouse;
 			dev_dbg(dev, "toggling to %s mode\n",
 				ictx->pad_mouse ? "mouse" : "keyboard");
 			spin_unlock_irqrestore(&ictx->kc_lock, flags);



* [PATCH 3.16 362/366] tools/lib/subcmd/pager.c: do not alias select() params
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (324 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 246/366] RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 041/366] powerpc: make feature-fixup tests fortify-safe Ben Hutchings
                   ` (40 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Arnaldo Carvalho de Melo, Sergey Senozhatsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

commit ad343a98e74e85aa91d844310e797f96fee6983b upstream.

Use a separate fd set for select()-s exception fds param to fix the
following gcc warning:

  pager.c:36:12: error: passing argument 2 to restrict-qualified parameter aliases with argument 4 [-Werror=restrict]
    select(1, &in, NULL, &in, NULL);
              ^~~        ~~~

Link: http://lkml.kernel.org/r/20180101105626.7168-1-sergey.senozhatsky@gmail.com
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/pager.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/util/pager.c
+++ b/tools/perf/util/pager.c
@@ -16,10 +16,13 @@ static void pager_preexec(void)
 	 * have real input
 	 */
 	fd_set in;
+	fd_set exception;
 
 	FD_ZERO(&in);
+	FD_ZERO(&exception);
 	FD_SET(0, &in);
-	select(1, &in, NULL, &in, NULL);
+	FD_SET(0, &exception);
+	select(1, &in, NULL, &exception, NULL);
 
 	setenv("LESS", "FRSX", 0);
 }
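Review bot: the return value of `select(1, &in, NULL, &exception, NULL);` is still discarded, so a -1 return (for example EINTR when a signal arrives) falls straight through to setenv() and the wait for "real input" described in the comment above is skipped. Consider retrying on EINTR, or at least checking for an error. The separate `exception` set is cleared with FD_ZERO() before FD_SET(), which is what the call needs.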



* [PATCH 3.16 356/366] perf tools: Use readdir() instead of deprecated readdir_r()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (331 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 062/366] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 014/366] fuse: atomic_o_trunc should truncate pagecache Ben Hutchings
                   ` (33 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Namhyung Kim, David Ahern, Arnaldo Carvalho de Melo,
	Jiri Olsa, Adrian Hunter, Wang Nan

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 7093b4c963cc4e344e490c774924a180602a7092 upstream.

The readdir() function is thread safe as long as just one thread uses a
DIR, which is the case when synthesizing events for pre-existing threads
by traversing /proc, so, to avoid breaking the build with glibc-2.23.90
(upcoming 2.24), use it instead of readdir_r().

See: http://man7.org/linux/man-pages/man3/readdir.3.html

"However, in modern implementations (including the glibc implementation),
concurrent calls to readdir() that specify different directory streams
are thread-safe.  In cases where multiple threads must read from the
same directory stream, using readdir() with external synchronization is
still preferable to the use of the deprecated readdir_r(3) function."

Noticed while building on a Fedora Rawhide docker container.

   CC       /tmp/build/perf/util/event.o
  util/event.c: In function '__event__synthesize_thread':
  util/event.c:466:2: error: 'readdir_r' is deprecated [-Werror=deprecated-declarations]
    while (!readdir_r(tasks, &dirent, &next) && next) {
    ^~~~~
  In file included from /usr/include/features.h:368:0,
                   from /usr/include/stdint.h:25,
                   from /usr/lib/gcc/x86_64-redhat-linux/6.0.0/include/stdint.h:9,
                   from /git/linux/tools/include/linux/types.h:6,
                   from util/event.c:1:
  /usr/include/dirent.h:189:12: note: declared here

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-i1vj7nyjp2p750rirxgrfd3c@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/event.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/tools/perf/util/event.c
+++ b/tools/perf/util/event.c
@@ -331,7 +331,7 @@ static int __event__synthesize_thread(un
 {
 	char filename[PATH_MAX];
 	DIR *tasks;
-	struct dirent dirent, *next;
+	struct dirent *dirent;
 	pid_t tgid;
 
 	/* special case: only send one comm event using passed in pid */
@@ -358,12 +358,12 @@ static int __event__synthesize_thread(un
 		return 0;
 	}
 
-	while (!readdir_r(tasks, &dirent, &next) && next) {
+	while ((dirent = readdir(tasks)) != NULL) {
 		char *end;
 		int rc = 0;
 		pid_t _pid;
 
-		_pid = strtol(dirent.d_name, &end, 10);
+		_pid = strtol(dirent->d_name, &end, 10);
 		if (*end)
 			continue;
 
@@ -464,7 +464,7 @@ int perf_event__synthesize_threads(struc
 {
 	DIR *proc;
 	char proc_path[PATH_MAX];
-	struct dirent dirent, *next;
+	struct dirent *dirent;
 	union perf_event *comm_event, *mmap_event, *fork_event;
 	int err = -1;
 
@@ -489,9 +489,9 @@ int perf_event__synthesize_threads(struc
 	if (proc == NULL)
 		goto out_free_fork;
 
-	while (!readdir_r(proc, &dirent, &next) && next) {
+	while ((dirent = readdir(proc)) != NULL) {
 		char *end;
-		pid_t pid = strtol(dirent.d_name, &end, 10);
+		pid_t pid = strtol(dirent->d_name, &end, 10);
 
 		if (*end) /* only interested in proper numerical dirents */
 			continue;
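Review bot: `while ((dirent = readdir(proc)) != NULL)` cannot tell a readdir() failure from the end of the directory, since both return NULL, so a partial walk of /proc ends silently and the remaining pre-existing threads get no synthesized events. The old `!readdir_r(...) && next` test also stopped quietly on error, so this is not a regression, but the conversion is a good moment to set errno to 0 before each call and check it once the loop ends. The same applies to the `readdir(tasks)` loop in __event__synthesize_thread() above.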



* [PATCH 3.16 347/366] arm64: use linux/types.h in kvm.h
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (336 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 069/366] powerpc/ptrace: Fix enforcement of DAWR constraints Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 029/366] ASoC: cirrus: i2s: Fix LRCLK configuration Ben Hutchings
                   ` (28 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Catalin Marinas

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit d19279154b3fff9adff96b54d1a77dfb8f01e3da upstream.

We should always use linux/types.h instead of asm/types.h for
consistency, and Kbuild actually warns about it:

./usr/include/asm/kvm.h:35: include of <linux/types.h> is preferred over <asm/types.h>

This patch does as Kbuild asks us.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/uapi/asm/kvm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/uapi/asm/kvm.h
+++ b/arch/arm64/include/uapi/asm/kvm.h
@@ -32,7 +32,7 @@
 
 #ifndef __ASSEMBLY__
 #include <linux/psci.h>
-#include <asm/types.h>
+#include <linux/types.h>
 #include <asm/ptrace.h>
 
 #define __KVM_HAVE_GUEST_DEBUG



* [PATCH 3.16 357/366] perf tools: Use readdir() instead of deprecated readdir_r()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (175 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 170/366] xen-netfront: Improve error handling during initialization Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 303/366] virtio_balloon: fix another race between migration and ballooning Ben Hutchings
                   ` (189 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adrian Hunter, Wang Nan, Namhyung Kim, David Ahern,
	Arnaldo Carvalho de Melo, Jiri Olsa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit bfc279f3d233150ff260e9e93012e14f86810648 upstream.

The readdir() function is thread safe as long as just one thread uses a
DIR, which is the case when parsing tracepoint event definitions, to
avoid breaking the build with glibc-2.23.90 (upcoming 2.24), use it
instead of readdir_r().

See: http://man7.org/linux/man-pages/man3/readdir.3.html

"However, in modern implementations (including the glibc implementation),
concurrent calls to readdir() that specify different directory streams
are thread-safe.  In cases where multiple threads must read from the
same directory stream, using readdir() with external synchronization is
still preferable to the use of the deprecated readdir_r(3) function."

Noticed while building on a Fedora Rawhide docker container.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-wddn49r6bz6wq4ee3dxbl7lo@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/parse-events.c | 60 +++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 30 deletions(-)

--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -123,11 +123,11 @@ static struct event_symbol event_symbols
 #define PERF_EVENT_TYPE(config)		__PERF_EVENT_FIELD(config, TYPE)
 #define PERF_EVENT_ID(config)		__PERF_EVENT_FIELD(config, EVENT)
 
-#define for_each_subsystem(sys_dir, sys_dirent, sys_next)	       \
-	while (!readdir_r(sys_dir, &sys_dirent, &sys_next) && sys_next)	       \
-	if (sys_dirent.d_type == DT_DIR &&				       \
-	   (strcmp(sys_dirent.d_name, ".")) &&				       \
-	   (strcmp(sys_dirent.d_name, "..")))
+#define for_each_subsystem(sys_dir, sys_dirent)			\
+	while ((sys_dirent = readdir(sys_dir)) != NULL)		\
+		if (sys_dirent->d_type == DT_DIR &&		\
+		    (strcmp(sys_dirent->d_name, ".")) &&	\
+		    (strcmp(sys_dirent->d_name, "..")))
 
 static int tp_event_has_id(struct dirent *sys_dir, struct dirent *evt_dir)
 {
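Review bot: for_each_subsystem() still accepts only `sys_dirent->d_type == DT_DIR`, so on a filesystem that reports DT_UNKNOWN every entry is skipped and the loop body never runs. for_each_lang() in builtin-script.c, converted in this same series, falls back to is_directory() for DT_UNKNOWN. Either add the same fallback here and in for_each_event(), or add a comment stating that the tracing events directory always fills in d_type.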
@@ -144,12 +144,12 @@ static int tp_event_has_id(struct dirent
 	return 0;
 }
 
-#define for_each_event(sys_dirent, evt_dir, evt_dirent, evt_next)	       \
-	while (!readdir_r(evt_dir, &evt_dirent, &evt_next) && evt_next)        \
-	if (evt_dirent.d_type == DT_DIR &&				       \
-	   (strcmp(evt_dirent.d_name, ".")) &&				       \
-	   (strcmp(evt_dirent.d_name, "..")) &&				       \
-	   (!tp_event_has_id(&sys_dirent, &evt_dirent)))
+#define for_each_event(sys_dirent, evt_dir, evt_dirent)		\
+	while ((evt_dirent = readdir(evt_dir)) != NULL)		\
+		if (evt_dirent->d_type == DT_DIR &&		\
+		    (strcmp(evt_dirent->d_name, ".")) &&	\
+		    (strcmp(evt_dirent->d_name, "..")) &&	\
+		    (!tp_event_has_id(sys_dirent, evt_dirent)))
 
 #define MAX_EVENT_LENGTH 512
 
@@ -158,7 +158,7 @@ struct tracepoint_path *tracepoint_id_to
 {
 	struct tracepoint_path *path = NULL;
 	DIR *sys_dir, *evt_dir;
-	struct dirent *sys_next, *evt_next, sys_dirent, evt_dirent;
+	struct dirent *sys_dirent, *evt_dirent;
 	char id_buf[24];
 	int fd;
 	u64 id;
@@ -172,18 +172,18 @@ struct tracepoint_path *tracepoint_id_to
 	if (!sys_dir)
 		return NULL;
 
-	for_each_subsystem(sys_dir, sys_dirent, sys_next) {
+	for_each_subsystem(sys_dir, sys_dirent) {
 
 		snprintf(dir_path, MAXPATHLEN, "%s/%s", tracing_events_path,
-			 sys_dirent.d_name);
+			 sys_dirent->d_name);
 		evt_dir = opendir(dir_path);
 		if (!evt_dir)
 			continue;
 
-		for_each_event(sys_dirent, evt_dir, evt_dirent, evt_next) {
+		for_each_event(sys_dirent, evt_dir, evt_dirent) {
 
 			snprintf(evt_path, MAXPATHLEN, "%s/%s/id", dir_path,
-				 evt_dirent.d_name);
+				 evt_dirent->d_name);
 			fd = open(evt_path, O_RDONLY);
 			if (fd < 0)
 				continue;
@@ -208,9 +208,9 @@ struct tracepoint_path *tracepoint_id_to
 					free(path);
 					return NULL;
 				}
-				strncpy(path->system, sys_dirent.d_name,
+				strncpy(path->system, sys_dirent->d_name,
 					MAX_EVENT_LENGTH);
-				strncpy(path->name, evt_dirent.d_name,
+				strncpy(path->name, evt_dirent->d_name,
 					MAX_EVENT_LENGTH);
 				return path;
 			}
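Review bot: the strncpy() from `sys_dirent->d_name` runs inside the inner for_each_event() loop, so it depends on the entry returned by readdir(sys_dir) staying valid while readdir(evt_dir) is being called. That holds because readdir() may only overwrite the entry on a later call for the same directory stream, but it was not a concern with the old on-stack struct dirent and deserves a one-line comment next to the macros. Copying both names into path before `return path;` is right, since the dirent pointers do not outlive closedir().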
@@ -1003,7 +1003,7 @@ void print_tracepoint_events(const char
 			     bool name_only)
 {
 	DIR *sys_dir, *evt_dir;
-	struct dirent *sys_next, *evt_next, sys_dirent, evt_dirent;
+	struct dirent *sys_dirent, *evt_dirent;
 	char evt_path[MAXPATHLEN];
 	char dir_path[MAXPATHLEN];
 
@@ -1016,29 +1016,29 @@ void print_tracepoint_events(const char
 	if (!sys_dir)
 		return;
 
-	for_each_subsystem(sys_dir, sys_dirent, sys_next) {
+	for_each_subsystem(sys_dir, sys_dirent) {
 		if (subsys_glob != NULL && 
-		    !strglobmatch(sys_dirent.d_name, subsys_glob))
+		    !strglobmatch(sys_dirent->d_name, subsys_glob))
 			continue;
 
 		snprintf(dir_path, MAXPATHLEN, "%s/%s", tracing_events_path,
-			 sys_dirent.d_name);
+			 sys_dirent->d_name);
 		evt_dir = opendir(dir_path);
 		if (!evt_dir)
 			continue;
 
-		for_each_event(sys_dirent, evt_dir, evt_dirent, evt_next) {
+		for_each_event(sys_dirent, evt_dir, evt_dirent) {
 			if (event_glob != NULL && 
-			    !strglobmatch(evt_dirent.d_name, event_glob))
+			    !strglobmatch(evt_dirent->d_name, event_glob))
 				continue;
 
 			if (name_only) {
-				printf("%s:%s ", sys_dirent.d_name, evt_dirent.d_name);
+				printf("%s:%s ", sys_dirent->d_name, evt_dirent->d_name);
 				continue;
 			}
 
 			snprintf(evt_path, MAXPATHLEN, "%s:%s",
-				 sys_dirent.d_name, evt_dirent.d_name);
+				 sys_dirent->d_name, evt_dirent->d_name);
 			printf("  %-50s [%s]\n", evt_path,
 				event_type_descriptors[PERF_TYPE_TRACEPOINT]);
 		}
@@ -1054,7 +1054,7 @@ void print_tracepoint_events(const char
 int is_valid_tracepoint(const char *event_string)
 {
 	DIR *sys_dir, *evt_dir;
-	struct dirent *sys_next, *evt_next, sys_dirent, evt_dirent;
+	struct dirent *sys_dirent, *evt_dirent;
 	char evt_path[MAXPATHLEN];
 	char dir_path[MAXPATHLEN];
 
@@ -1065,17 +1065,17 @@ int is_valid_tracepoint(const char *even
 	if (!sys_dir)
 		return 0;
 
-	for_each_subsystem(sys_dir, sys_dirent, sys_next) {
+	for_each_subsystem(sys_dir, sys_dirent) {
 
 		snprintf(dir_path, MAXPATHLEN, "%s/%s", tracing_events_path,
-			 sys_dirent.d_name);
+			 sys_dirent->d_name);
 		evt_dir = opendir(dir_path);
 		if (!evt_dir)
 			continue;
 
-		for_each_event(sys_dirent, evt_dir, evt_dirent, evt_next) {
+		for_each_event(sys_dirent, evt_dir, evt_dirent) {
 			snprintf(evt_path, MAXPATHLEN, "%s:%s",
-				 sys_dirent.d_name, evt_dirent.d_name);
+				 sys_dirent->d_name, evt_dirent->d_name);
 			if (!strcmp(evt_path, event_string)) {
 				closedir(evt_dir);
 				closedir(sys_dir);



* [PATCH 3.16 354/366] perf script: Use readdir() instead of deprecated readdir_r()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (357 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 093/366] libata: zpodd: make arrays cdb static, reduces object code size Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 149/366] netfilter: nf_queue: augment nfqa_cfg_policy Ben Hutchings
                   ` (7 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Ahern, Arnaldo Carvalho de Melo, Jiri Olsa,
	Namhyung Kim, Wang Nan, Adrian Hunter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit a5e8e825bd1704c488bf6a46936aaf3b9f203d6a upstream.

The readdir() function is thread safe as long as just one thread uses a
DIR, which is the case in 'perf script', so, to avoid breaking the build
with glibc-2.23.90 (upcoming 2.24), use it instead of readdir_r().

See: http://man7.org/linux/man-pages/man3/readdir.3.html

"However, in modern implementations (including the glibc implementation),
concurrent calls to readdir() that specify different directory streams
are thread-safe.  In cases where multiple threads must read from the
same directory stream, using readdir() with external synchronization is
still preferable to the use of the deprecated readdir_r(3) function."

Noticed while building on a Fedora Rawhide docker container.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-mt3xz7n2hl49ni2vx7kuq74g@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/builtin-script.c | 70 ++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 36 deletions(-)

--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -1061,21 +1061,19 @@ static int is_directory(const char *base
 	return S_ISDIR(st.st_mode);
 }
 
-#define for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next)\
-	while (!readdir_r(scripts_dir, &lang_dirent, &lang_next) &&	\
-	       lang_next)						\
-		if ((lang_dirent.d_type == DT_DIR ||			\
-		     (lang_dirent.d_type == DT_UNKNOWN &&		\
-		      is_directory(scripts_path, &lang_dirent))) &&	\
-		    (strcmp(lang_dirent.d_name, ".")) &&		\
-		    (strcmp(lang_dirent.d_name, "..")))
-
-#define for_each_script(lang_path, lang_dir, script_dirent, script_next)\
-	while (!readdir_r(lang_dir, &script_dirent, &script_next) &&	\
-	       script_next)						\
-		if (script_dirent.d_type != DT_DIR &&			\
-		    (script_dirent.d_type != DT_UNKNOWN ||		\
-		     !is_directory(lang_path, &script_dirent)))
+#define for_each_lang(scripts_path, scripts_dir, lang_dirent)		\
+	while ((lang_dirent = readdir(scripts_dir)) != NULL)		\
+		if ((lang_dirent->d_type == DT_DIR ||			\
+		     (lang_dirent->d_type == DT_UNKNOWN &&		\
+		      is_directory(scripts_path, lang_dirent))) &&	\
+		    (strcmp(lang_dirent->d_name, ".")) &&		\
+		    (strcmp(lang_dirent->d_name, "..")))
+
+#define for_each_script(lang_path, lang_dir, script_dirent)		\
+	while ((script_dirent = readdir(lang_dir)) != NULL)		\
+		if (script_dirent->d_type != DT_DIR &&			\
+		    (script_dirent->d_type != DT_UNKNOWN ||		\
+		     !is_directory(lang_path, script_dirent)))
 
 
 #define RECORD_SUFFIX			"-record"
@@ -1221,7 +1219,7 @@ static int list_available_scripts(const
 				  const char *s __maybe_unused,
 				  int unset __maybe_unused)
 {
-	struct dirent *script_next, *lang_next, script_dirent, lang_dirent;
+	struct dirent *script_dirent, *lang_dirent;
 	char scripts_path[MAXPATHLEN];
 	DIR *scripts_dir, *lang_dir;
 	char script_path[MAXPATHLEN];
@@ -1236,19 +1234,19 @@ static int list_available_scripts(const
 	if (!scripts_dir)
 		return -1;
 
-	for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next) {
+	for_each_lang(scripts_path, scripts_dir, lang_dirent) {
 		snprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path,
-			 lang_dirent.d_name);
+			 lang_dirent->d_name);
 		lang_dir = opendir(lang_path);
 		if (!lang_dir)
 			continue;
 
-		for_each_script(lang_path, lang_dir, script_dirent, script_next) {
-			script_root = get_script_root(&script_dirent, REPORT_SUFFIX);
+		for_each_script(lang_path, lang_dir, script_dirent) {
+			script_root = get_script_root(script_dirent, REPORT_SUFFIX);
 			if (script_root) {
 				desc = script_desc__findnew(script_root);
 				snprintf(script_path, MAXPATHLEN, "%s/%s",
-					 lang_path, script_dirent.d_name);
+					 lang_path, script_dirent->d_name);
 				read_script_info(desc, script_path);
 				free(script_root);
 			}
@@ -1336,7 +1334,7 @@ static int check_ev_match(char *dir_name
  */
 int find_scripts(char **scripts_array, char **scripts_path_array)
 {
-	struct dirent *script_next, *lang_next, script_dirent, lang_dirent;
+	struct dirent *script_dirent, *lang_dirent;
 	char scripts_path[MAXPATHLEN], lang_path[MAXPATHLEN];
 	DIR *scripts_dir, *lang_dir;
 	struct perf_session *session;
@@ -1359,9 +1357,9 @@ int find_scripts(char **scripts_array, c
 		return -1;
 	}
 
-	for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next) {
+	for_each_lang(scripts_path, scripts_dir, lang_dirent) {
 		snprintf(lang_path, MAXPATHLEN, "%s/%s", scripts_path,
-			 lang_dirent.d_name);
+			 lang_dirent->d_name);
 #ifdef NO_LIBPERL
 		if (strstr(lang_path, "perl"))
 			continue;
@@ -1375,16 +1373,16 @@ int find_scripts(char **scripts_array, c
 		if (!lang_dir)
 			continue;
 
-		for_each_script(lang_path, lang_dir, script_dirent, script_next) {
+		for_each_script(lang_path, lang_dir, script_dirent) {
 			/* Skip those real time scripts: xxxtop.p[yl] */
-			if (strstr(script_dirent.d_name, "top."))
+			if (strstr(script_dirent->d_name, "top."))
 				continue;
 			sprintf(scripts_path_array[i], "%s/%s", lang_path,
-				script_dirent.d_name);
-			temp = strchr(script_dirent.d_name, '.');
+				script_dirent->d_name);
+			temp = strchr(script_dirent->d_name, '.');
 			snprintf(scripts_array[i],
-				(temp - script_dirent.d_name) + 1,
-				"%s", script_dirent.d_name);
+				(temp - script_dirent->d_name) + 1,
+				"%s", script_dirent->d_name);
 
 			if (check_ev_match(lang_path,
 					scripts_array[i], session))
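Review bot: `temp = strchr(script_dirent->d_name, '.');` is not checked for NULL before `(temp - script_dirent->d_name) + 1` is passed as the snprintf() size, so a file name without a '.' yields a size computed from a null pointer. Skip such entries with `if (!temp) continue;` before the copies are made. The `sprintf(scripts_path_array[i], ...)` two lines earlier is also unbounded, where the other functions touched by this patch use snprintf() with MAXPATHLEN.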
@@ -1402,7 +1400,7 @@ int find_scripts(char **scripts_array, c
 
 static char *get_script_path(const char *script_root, const char *suffix)
 {
-	struct dirent *script_next, *lang_next, script_dirent, lang_dirent;
+	struct dirent *script_dirent, *lang_dirent;
 	char scripts_path[MAXPATHLEN];
 	char script_path[MAXPATHLEN];
 	DIR *scripts_dir, *lang_dir;
@@ -1415,21 +1413,21 @@ static char *get_script_path(const char
 	if (!scripts_dir)
 		return NULL;
 
-	for_each_lang(scripts_path, scripts_dir, lang_dirent, lang_next) {
+	for_each_lang(scripts_path, scripts_dir, lang_dirent) {
 		snprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path,
-			 lang_dirent.d_name);
+			 lang_dirent->d_name);
 		lang_dir = opendir(lang_path);
 		if (!lang_dir)
 			continue;
 
-		for_each_script(lang_path, lang_dir, script_dirent, script_next) {
-			__script_root = get_script_root(&script_dirent, suffix);
+		for_each_script(lang_path, lang_dir, script_dirent) {
+			__script_root = get_script_root(script_dirent, suffix);
 			if (__script_root && !strcmp(script_root, __script_root)) {
 				free(__script_root);
 				closedir(lang_dir);
 				closedir(scripts_dir);
 				snprintf(script_path, MAXPATHLEN, "%s/%s",
-					 lang_path, script_dirent.d_name);
+					 lang_path, script_dirent->d_name);
 				return strdup(script_path);
 			}
 			free(__script_root);
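Review bot: `closedir(lang_dir);` runs before `script_dirent->d_name` is read by the snprintf() below it, and with readdir() that entry lives in storage owned by the directory stream, which closedir() may free. The old on-stack struct dirent did not have this problem, so the conversion turns this path into a read of a dangling pointer. Build script_path first and close lang_dir and scripts_dir afterwards, just before `return strdup(script_path);`.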



* [PATCH 3.16 346/366] kexec: Fix make headers_check
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 045/366] vfs: add the sb_start_intwrite_trylock() helper Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 083/366] IB/isert: Fix for lib/dma_debug check_sync warning Ben Hutchings
                   ` (235 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Benjamin Herrenschmidt, Paul Bolle,
	Geoff Levand, Maximilian Attems, H. Peter Anvin, Linus Torvalds,
	Vivek Goyal, Michal Marek

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geoff Levand <geoff@infradead.org>

commit 9dc5c05f45ca8101025046cda7f8aca8835204f2 upstream.

Remove the unneeded declaration for a kexec_load() routine.

Fixes errors like these when running 'make headers_check':

include/uapi/linux/kexec.h: userspace cannot reference function or variable defined in the kernel

Paul said:

: The kexec_load declaration isn't very useful for userspace, see the patch
: I submitted in http://lkml.kernel.org/r/1389791824.17407.9.camel@x220 .
: And after my attempt the export of that declaration has also been
: discussed in
: http://lkml.kernel.org/r/115373b6ac68ee7a305975896e1c4971e8e51d4c.1408731991.git.geoff@infradead.org
:
: In that last discussion no one has been able to point to an actual user of
: it.  So, as far as I can tell, no one actually uses it.  Which makes
: sense, because including this header by itself doesn't give one access to
: a useful definition of kexec_load.  So why bother with the declaration?

Signed-off-by: Geoff Levand <geoff@infradead.org>
Acked-by: Paul Bolle <pebolle@tiscali.nl>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Maximilian Attems <max@stro.at>
Cc: Michal Marek <mmarek@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/uapi/linux/kexec.h | 6 ------
 1 file changed, 6 deletions(-)

--- a/include/uapi/linux/kexec.h
+++ b/include/uapi/linux/kexec.h
@@ -44,12 +44,6 @@ struct kexec_segment {
 	size_t memsz;
 };
 
-/* Load a new kernel image as described by the kexec_segment array
- * consisting of passed number of segments at the entry-point address.
- * The flags allow different useage types.
- */
-extern int kexec_load(void *, size_t, struct kexec_segment *,
-		unsigned long int);
 #endif /* __KERNEL__ */
 
 #endif /* _UAPILINUX_KEXEC_H */



* [PATCH 3.16 352/366] perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 212/366] tty: vt, get rid of weird source code flow Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 086/366] usb: gadget: function: printer: avoid wrong list handling in printer_write() Ben Hutchings
                   ` (328 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wang Nan, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo, David Ahern, Namhyung Kim

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit cec07f53c398f22576df77052c4777dc13f14962 upstream.

And remove the empty tools/arch/x86/include/asm/unistd_{32,64}.h files
introduced by eae7a755ee81 ("perf tools, x86: Build perf on older
user-space as well").

This way we get closer to mirroring the kernel for cases where __NR_
can't be found for some include path/_GNU_SOURCE/whatever scenario.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-kpj6m3mbjw82kg6krk2z529e@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16:
 - Also remove the deleted headers from LIB_H in Makefile.perf
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- /dev/null
+++ b/tools/arch/x86/include/asm/unistd_32.h
@@ -0,0 +1,9 @@
+#ifndef __NR_perf_event_open
+# define __NR_perf_event_open 336
+#endif
+#ifndef __NR_futex
+# define __NR_futex 240
+#endif
+#ifndef __NR_gettid
+# define __NR_gettid 224
+#endif
--- /dev/null
+++ b/tools/arch/x86/include/asm/unistd_64.h
@@ -0,0 +1,9 @@
+#ifndef __NR_perf_event_open
+# define __NR_perf_event_open 298
+#endif
+#ifndef __NR_futex
+# define __NR_futex 202
+#endif
+#ifndef __NR_gettid
+# define __NR_gettid 186
+#endif
--- a/tools/perf/config/Makefile
+++ b/tools/perf/config/Makefile
@@ -252,6 +252,7 @@ CFLAGS += -I$(src-perf)/arch/$(ARCH)/inc
 CFLAGS += -I$(srctree)/tools/include/
 CFLAGS += -I$(srctree)/arch/$(ARCH)/include/uapi
 CFLAGS += -I$(srctree)/arch/$(ARCH)/include
+CFLAGS += -I$(srctree)/tools/arch/$(ARCH)/include
 CFLAGS += -I$(srctree)/include/uapi
 CFLAGS += -I$(srctree)/include
 
--- a/tools/perf/perf-sys.h
+++ b/tools/perf/perf-sys.h
@@ -14,15 +14,6 @@
 #define rmb()		asm volatile("lock; addl $0,0(%%esp)" ::: "memory")
 #define cpu_relax()	asm volatile("rep; nop" ::: "memory");
 #define CPUINFO_PROC	"model name"
-#ifndef __NR_perf_event_open
-# define __NR_perf_event_open 336
-#endif
-#ifndef __NR_futex
-# define __NR_futex 240
-#endif
-#ifndef __NR_gettid
-# define __NR_gettid 224
-#endif
 #endif
 
 #if defined(__x86_64__)
@@ -31,15 +22,6 @@
 #define rmb()		asm volatile("lfence" ::: "memory")
 #define cpu_relax()	asm volatile("rep; nop" ::: "memory");
 #define CPUINFO_PROC	"model name"
-#ifndef __NR_perf_event_open
-# define __NR_perf_event_open 298
-#endif
-#ifndef __NR_futex
-# define __NR_futex 202
-#endif
-#ifndef __NR_gettid
-# define __NR_gettid 186
-#endif
 #endif
 
 #ifdef __powerpc__
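Review bot: with the fallback defines removed from perf-sys.h, none of the visible hunks adds an #include of asm/unistd_32.h or asm/unistd_64.h here, so __NR_perf_event_open, __NR_futex and __NR_gettid are only covered if some other header pulls in one of those names and it resolves to the new tools/arch/$(ARCH)/include copy. In config/Makefile the new -I is added after -I$(srctree)/arch/$(ARCH)/include/uapi and -I$(srctree)/arch/$(ARCH)/include, so a header of the same name found in either of those directories would win. Please state in the commit message which include chain reaches the new files, or include them explicitly from perf-sys.h.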
--- a/tools/perf/util/include/asm/unistd_32.h
+++ /dev/null
@@ -1 +0,0 @@
-
--- a/tools/perf/util/include/asm/unistd_64.h
+++ /dev/null
@@ -1 +0,0 @@
-
--- a/tools/perf/Makefile.perf
+++ b/tools/perf/Makefile.perf
@@ -239,8 +239,6 @@ LIB_H += util/include/asm/uaccess.h
 LIB_H += util/include/dwarf-regs.h
 LIB_H += util/include/asm/dwarf2.h
 LIB_H += util/include/asm/cpufeature.h
-LIB_H += util/include/asm/unistd_32.h
-LIB_H += util/include/asm/unistd_64.h
 LIB_H += perf.h
 LIB_H += util/annotate.h
 LIB_H += util/cache.h



* [PATCH 3.16 358/366] tools include: Add a __fallthrough statement
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 241/366] mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 055/366] mfd: tps65911-comparator: Fix a build error Ben Hutchings
                   ` (323 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jiri Olsa, William Cohen, David Ahern,
	Arnaldo Carvalho de Melo, Namhyung Kim, Wang Nan, Adrian Hunter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit b5bf1733d6a391c4e90ea8f8468d83023be74a2a upstream.

For cases where implicit fall through case labels are intended,
to let us inform that to gcc >= 7:

    CC       /tmp/build/perf/util/string.o
  util/string.c: In function 'perf_atoll':
  util/string.c:22:7: error: this statement may fall through [-Werror=implicit-fallthrough=]
      if (*p)
         ^
  util/string.c:24:3: note: here
     case '\0':
     ^~~~

So we introduce:

  #define __fallthrough __attribute__ ((fallthrough))

And use it in such cases.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Cc: William Cohen <wcohen@redhat.com>
Link: http://lkml.kernel.org/n/tip-qnpig0xfop4hwv6k4mv1wts5@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/include/linux/compiler.h | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/tools/include/linux/compiler.h
+++ b/tools/include/linux/compiler.h
@@ -37,4 +37,13 @@
 
 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
 
+
+#ifndef __fallthrough
+# if defined(__GNUC__) && __GNUC__ >= 7
+#  define __fallthrough __attribute__ ((fallthrough))
+# else
+#  define __fallthrough
+# endif
+#endif
+
 #endif /* _TOOLS_LINUX_COMPILER_H */
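Review bot: the new `__fallthrough` block has no comment on how it is meant to be used; because it expands to a bare attribute (or to nothing), callers must write it as its own statement, `__fallthrough;`, directly before the next case label, and a one-line comment above the `#ifndef` should say so. The `__GNUC__ >= 7` test also leaves the macro empty on any compiler that supports the attribute but reports a lower `__GNUC__`, and the first added line is a second blank line after ACCESS_ONCE that can be dropped.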


* [PATCH 3.16 360/366] perf tools: Fix snprint warnings for gcc 8
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sergey Senozhatsky, Josh Poimboeuf, Alexander Shishkin,
	Peter Zijlstra, David Ahern, Arnaldo Carvalho de Melo, Jiri Olsa,
	Namhyung Kim

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

commit 77f18153c080855e1c3fb520ca31a4e61530121d upstream.

With gcc 8 we get a new set of snprintf() warnings that break the
compilation, one example:

  tests/mem.c: In function ‘check’:
  tests/mem.c:19:48: error: ‘%s’ directive output may be truncated writing \
        up to 99 bytes into a region of size 89 [-Werror=format-truncation=]
    snprintf(failure, sizeof failure, "unexpected %s", out);

The gcc docs say:

 To avoid the warning either use a bigger buffer or handle the
 function's return value which indicates whether or not its output
 has been truncated.

Given that all these warnings are harmless, because the code either
properly fails due to incomplete file path or we don't care for
truncated output at all, I'm changing all those snprintf() calls to
scnprintf(), which actually 'checks' for the snprintf return value so the
gcc stays silent.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Link: http://lkml.kernel.org/r/20180319082902.4518-1-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: Drop changes in tools/perf/tests/mem.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/builtin-script.c    | 22 +++++++++++-----------
 tools/perf/tests/attr.c        |  4 ++--
 tools/perf/tests/mem.c         |  2 +-
 tools/perf/tests/pmu.c         |  2 +-
 tools/perf/util/cgroup.c       |  2 +-
 tools/perf/util/parse-events.c |  4 ++--
 tools/perf/util/pmu.c          |  2 +-
 7 files changed, 19 insertions(+), 19 deletions(-)

--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -1235,8 +1235,8 @@ static int list_available_scripts(const
 		return -1;
 
 	for_each_lang(scripts_path, scripts_dir, lang_dirent) {
-		snprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path,
-			 lang_dirent->d_name);
+		scnprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path,
+			  lang_dirent->d_name);
 		lang_dir = opendir(lang_path);
 		if (!lang_dir)
 			continue;
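Review bot: in list_available_scripts() the bound passed to scnprintf() is the constant MAXPATHLEN rather than `sizeof(lang_path)`, and the declaration of lang_path is outside the hunk, so a reviewer cannot confirm that the two agree; using sizeof on the array would make the bound self-checking here and in the other hunks of this file. The diffstat above also still lists tools/perf/tests/mem.c and "7 files changed", while the backport note says that change was dropped and the hunks below touch six files.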
@@ -1245,8 +1245,8 @@ static int list_available_scripts(const
 			script_root = get_script_root(script_dirent, REPORT_SUFFIX);
 			if (script_root) {
 				desc = script_desc__findnew(script_root);
-				snprintf(script_path, MAXPATHLEN, "%s/%s",
-					 lang_path, script_dirent->d_name);
+				scnprintf(script_path, MAXPATHLEN, "%s/%s",
+					  lang_path, script_dirent->d_name);
 				read_script_info(desc, script_path);
 				free(script_root);
 			}
@@ -1282,7 +1282,7 @@ static int check_ev_match(char *dir_name
 	int match, len;
 	FILE *fp;
 
-	sprintf(filename, "%s/bin/%s-record", dir_name, scriptname);
+	scnprintf(filename, MAXPATHLEN, "%s/bin/%s-record", dir_name, scriptname);
 
 	fp = fopen(filename, "r");
 	if (!fp)
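Review bot: the call in check_ev_match() was an unbounded sprintf(), so this line is a real bounds fix rather than a warning fix, and the commit message should mention it; it is only correct if `filename` is declared with at least MAXPATHLEN bytes, which the visible context does not show. The result then goes to fopen() without any check that the name was not cut short.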
@@ -1358,8 +1358,8 @@ int find_scripts(char **scripts_array, c
 	}
 
 	for_each_lang(scripts_path, scripts_dir, lang_dirent) {
-		snprintf(lang_path, MAXPATHLEN, "%s/%s", scripts_path,
-			 lang_dirent->d_name);
+		scnprintf(lang_path, MAXPATHLEN, "%s/%s", scripts_path,
+			  lang_dirent->d_name);
 #ifdef NO_LIBPERL
 		if (strstr(lang_path, "perl"))
 			continue;
@@ -1414,8 +1414,8 @@ static char *get_script_path(const char
 		return NULL;
 
 	for_each_lang(scripts_path, scripts_dir, lang_dirent) {
-		snprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path,
-			 lang_dirent->d_name);
+		scnprintf(lang_path, MAXPATHLEN, "%s/%s/bin", scripts_path,
+			  lang_dirent->d_name);
 		lang_dir = opendir(lang_path);
 		if (!lang_dir)
 			continue;
@@ -1426,8 +1426,8 @@ static char *get_script_path(const char
 				free(__script_root);
 				closedir(lang_dir);
 				closedir(scripts_dir);
-				snprintf(script_path, MAXPATHLEN, "%s/%s",
-					 lang_path, script_dirent->d_name);
+				scnprintf(script_path, MAXPATHLEN, "%s/%s",
+					  lang_path, script_dirent->d_name);
 				return strdup(script_path);
 			}
 			free(__script_root);
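Review bot: in get_script_path() the formatted buffer is handed straight to `return strdup(script_path);`, so a truncated path is returned to the caller as if it were valid, which does not fit the commit message's claim that truncation either fails or does not matter. Keeping snprintf() here, comparing its return value with MAXPATHLEN and returning NULL when the path did not fit would make the failure visible.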
--- a/tools/perf/tests/attr.c
+++ b/tools/perf/tests/attr.c
@@ -147,8 +147,8 @@ static int run_dir(const char *d, const
 	if (verbose)
 		vcnt++;
 
-	snprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s",
-		 d, d, perf, vcnt, v);
+	scnprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s",
+		  d, d, perf, vcnt, v);
 
 	return system(cmd);
 }
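Review bot: in run_dir() the formatted buffer is a shell command passed to `system(cmd)`, and scnprintf() hides whether it was cut short, so a truncated command line would be executed as is. Keep snprintf() for this call, compare its return value against 3*PATH_MAX and return an error when the command did not fit; `d` and `perf` are also interpolated into the command unquoted, which is worth a comment if it is intentional.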
--- a/tools/perf/tests/pmu.c
+++ b/tools/perf/tests/pmu.c
@@ -95,7 +95,7 @@ static char *test_format_dir_get(void)
 		struct test_format *format = &test_formats[i];
 		FILE *file;
 
-		snprintf(name, PATH_MAX, "%s/%s", dir, format->name);
+		scnprintf(name, PATH_MAX, "%s/%s", dir, format->name);
 
 		file = fopen(name, "w");
 		if (!file)
--- a/tools/perf/util/cgroup.c
+++ b/tools/perf/util/cgroup.c
@@ -64,7 +64,7 @@ static int open_cgroup(char *name)
 	if (cgroupfs_find_mountpoint(mnt, PATH_MAX + 1))
 		return -1;
 
-	snprintf(path, PATH_MAX, "%s/%s", mnt, name);
+	scnprintf(path, PATH_MAX, "%s/%s", mnt, name);
 
 	fd = open(path, O_RDONLY);
 	if (fd == -1)
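Review bot: open_cgroup() passes PATH_MAX + 1 as the size of `mnt` two lines above but PATH_MAX as the size of `path`, so with "%s/%s" a full-length mount point cannot fit, and the truncated result goes to open() where it may name a different existing directory. The declarations are outside the hunk; please use `sizeof(path)` as the bound and return -1 when the output did not fit.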
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -182,8 +182,8 @@ struct tracepoint_path *tracepoint_id_to
 
 		for_each_event(sys_dirent, evt_dir, evt_dirent) {
 
-			snprintf(evt_path, MAXPATHLEN, "%s/%s/id", dir_path,
-				 evt_dirent->d_name);
+			scnprintf(evt_path, MAXPATHLEN, "%s/%s/id", dir_path,
+				  evt_dirent->d_name);
 			fd = open(evt_path, O_RDONLY);
 			if (fd < 0)
 				continue;
--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
@@ -240,7 +240,7 @@ static int pmu_aliases_parse(char *dir,
 		if (len > 6 && !strcmp(name + len - 6, ".scale"))
 			continue;
 
-		snprintf(path, PATH_MAX, "%s/%s", dir, name);
+		scnprintf(path, PATH_MAX, "%s/%s", dir, name);
 
 		file = fopen(path, "r");
 		if (!file) {
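
What the scnprintf() conversion in the patch above changes, and what it leaves unchecked, as an added example that is not code from perf or from the patch: `ex_scnprintf()` is a stand-in written here with scnprintf()'s return convention, `ex_join_path()` is a hypothetical helper, and the paths and buffer sizes are constructed sample values.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in written for this example with the return convention of
 * scnprintf(): the number of characters actually stored, excluding the
 * terminating NUL, and 0 when size is 0.
 */
static int ex_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0) {
		buf[0] = '\0';
		return 0;
	}
	return (size_t)n >= size ? (int)(size - 1) : n;
}

/*
 * Hypothetical helper: build "<dir>/<name>" with snprintf() and use its
 * return value (the length the full string needs) to refuse truncation.
 * Returns 0 on success, -1 if the result did not fit; buf is emptied then.
 */
static int ex_join_path(char *buf, size_t size, const char *dir,
			const char *name)
{
	int n = snprintf(buf, size, "%s/%s", dir, name);

	if (n < 0 || (size_t)n >= size) {
		if (size)
			buf[0] = '\0';
		return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample values; the 16-byte buffer is deliberately small. */
	const char *dir = "/sys/fs/cgroup", *name = "perf_event";
	char small[16], big[64];
	int n;

	n = ex_scnprintf(small, sizeof(small), "%s/%s", dir, name);
	printf("scnprintf-style: ret=%d buf=\"%s\"\n", n, small);

	n = snprintf(small, sizeof(small), "%s/%s", dir, name);
	printf("snprintf:        ret=%d (needs %d bytes, have %zu)\n",
	       n, n + 1, sizeof(small));

	printf("checked join, small buffer: %d\n",
	       ex_join_path(small, sizeof(small), dir, name));
	n = ex_join_path(big, sizeof(big), dir, name);
	printf("checked join, big buffer:   %d buf=\"%s\"\n", n, big);
	return 0;
}
```

With the 16-byte buffer the scnprintf-style call reports 15 and leaves `/sys/fs/cgroup/`, a well-formed path to a different object, while snprintf() returns 25 and so lets the caller detect that the name did not fit.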


* [PATCH 3.16 310/366] netlink: Don't shift on 64 for ngroups
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Herbert Xu, Dmitry Safonov, netdev, David S. Miller,
	Steffen Klassert

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dima@arista.com>

commit 91874ecf32e41b5d86a4cb9d60e0bee50d828058 upstream.

It's legal to have 64 groups for netlink_sock.

As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe
only to first 32 groups.

The check for correctness of .bind() userspace supplied parameter
is done by applying mask made from ngroups shift. Which broke Android
as they have 64 groups and the shift for mask resulted in an overflow.

Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups")
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org
Reported-and-Tested-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/af_netlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -930,8 +930,8 @@ static int netlink_bind(struct socket *s
 
 	if (nlk->ngroups == 0)
 		groups = 0;
-	else
-		groups &= (1ULL << nlk->ngroups) - 1;
+	else if (nlk->ngroups < 8*sizeof(groups))
+		groups &= (1UL << nlk->ngroups) - 1;
 
 	if (nlk->portid)
 		if (nladdr->nl_pid != nlk->portid)
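Review bot: the mask constant changes from `1ULL` to `1UL` on the same line that gains the `nlk->ngroups < 8*sizeof(groups)` guard, and the guard only prevents an oversized shift if `groups` is no wider than unsigned long; its declaration is outside the hunk, so please confirm the type or write the constant in terms of the type of `groups`. When ngroups is at or above that width the mask is now skipped silently; a short comment saying that every bit of `groups` is then a valid group would help the next reader.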


* [PATCH 3.16 363/366] perf tools: Remove duplicate const qualifier
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Adrian Hunter, David Ahern, Arnaldo Carvalho de Melo,
	Peter Zijlstra, Eric Engestrom

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Engestrom <eric.engestrom@imgtec.com>

commit 3b556bced46aa6b1873da7faa18eff235e896adc upstream.

Signed-off-by: Eric Engestrom <eric.engestrom@imgtec.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1461577678-29517-1-git-send-email-eric.engestrom@imgtec.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/thread.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/thread.c
+++ b/tools/perf/util/thread.c
@@ -177,7 +177,7 @@ void thread__find_cpumode_addr_location(
 					struct addr_location *al)
 {
 	size_t i;
-	const u8 const cpumodes[] = {
+	const u8 cpumodes[] = {
 		PERF_RECORD_MISC_USER,
 		PERF_RECORD_MISC_KERNEL,
 		PERF_RECORD_MISC_GUEST_USER,


* [PATCH 3.16 361/366] perf trace: Fix up fd -> pathname resolution
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mike Galbraith, Namhyung Kim, David Ahern,
	Arnaldo Carvalho de Melo, Peter Zijlstra, Don Zickus,
	Adrian Hunter, Jiri Olsa, Frederic Weisbecker, Stephane Eranian,
	Paul Mackerras

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit cdcd1e6bd8a92f8353fc2f37003c6eae2d1e6903 upstream.

There was a brown paper bag bug in the patch that introduced a reference
implementation on using 'perf probe' made wannabe tracepoints that broke fd ->
pathname resolution, fix it:

  [root@zoo ~]# perf probe 'vfs_getname=getname_flags:65 pathname=result->name:string'
  Added new event:
    probe:vfs_getname    (on getname_flags:65 with pathname=result->name:string)

  You can now use it in all perf tools, such as:

	perf record -e probe:vfs_getname -aR sleep 1

  [root@zoo ~]

Before:

  [acme@zoo linux]$ trace touch -e open,fstat /tmp/b
     1.159 ( 0.007 ms): open(filename: 0x7fd73f2fe088, flags: CLOEXEC                         ) = 3
     1.163 ( 0.002 ms): fstat(fd: 3, statbuf: 0x7fff1b25e610                                  ) = 0
     1.192 ( 0.009 ms): open(filename: 0x7fd73f4fedb8, flags: CLOEXEC                         ) = 3
     1.201 ( 0.002 ms): fstat(fd: 3, statbuf: 0x7fff1b25e660                                  ) = 0
     1.501 ( 0.013 ms): open(filename: 0x7fd73f0a1610, flags: CLOEXEC                         ) = 3
     1.505 ( 0.002 ms): fstat(fd: 3, statbuf: 0x7fd73f2ddb60                                  ) = 0
     1.581 ( 0.011 ms): open(filename: 0x7fff1b2603da, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: 438) = 3
  [acme@zoo linux]$

After:

  [acme@zoo linux]$ trace touch -e open,fstat,dup2,mmap,close /tmp/b
     1.105 ( 0.004 ms): mmap(len: 4096, prot: READ|WRITE, flags: PRIVATE|ANONYMOUS, fd: -1    ) = 0x2fbf000
     1.136 ( 0.008 ms): open(filename: 0x7f8902dbc088, flags: CLOEXEC                         ) = 3
     1.140 ( 0.002 ms): fstat(fd: 3</etc/ld.so.cache>, statbuf: 0x7fff19889ef0                ) = 0
     1.146 ( 0.004 ms): mmap(len: 86079, prot: READ, flags: PRIVATE, fd: 3</etc/ld.so.cache>  ) = 0x2fa9000
     1.149 ( 0.001 ms): close(fd: 3</etc/ld.so.cache>                                         ) = 0
     1.170 ( 0.010 ms): open(filename: 0x7f8902fbcdb8, flags: CLOEXEC                         ) = 3
     1.178 ( 0.002 ms): fstat(fd: 3</lib64/libc.so.6>, statbuf: 0x7fff19889f40                ) = 0
     1.188 ( 0.006 ms): mmap(len: 3924576, prot: EXEC|READ, flags: PRIVATE|DENYWRITE, fd: 3</lib64/libc.so.6>) = 0x29e2000
     1.207 ( 0.007 ms): mmap(addr: 0x7f8902d96000, len: 24576, prot: READ|WRITE, flags: PRIVATE|DENYWRITE|FIXED, fd: 3</lib64/libc.so.6>, off: 1785856) = 0x2d96000
     1.217 ( 0.004 ms): mmap(addr: 0x7f8902d9c000, len: 16992, prot: READ|WRITE, flags: PRIVATE|ANONYMOUS|FIXED, fd: -1) = 0x2d9c000
     1.228 ( 0.002 ms): close(fd: 3</lib64/libc.so.6>                                         ) = 0
     1.243 ( 0.003 ms): mmap(len: 4096, prot: READ|WRITE, flags: PRIVATE|ANONYMOUS, fd: -1    ) = 0x2fa8000
     1.250 ( 0.003 ms): mmap(len: 8192, prot: READ|WRITE, flags: PRIVATE|ANONYMOUS, fd: -1    ) = 0x2fa6000
     1.452 ( 0.010 ms): open(filename: 0x7f8902b5f610, flags: CLOEXEC                         ) = 3
     1.455 ( 0.002 ms): fstat(fd: 3</usr/lib/locale/locale-archive>, statbuf: 0x7f8902d9bb60  ) = 0
     1.461 ( 0.004 ms): mmap(len: 106070960, prot: READ, flags: PRIVATE, fd: 3</usr/lib/locale/locale-archive>) = 0xfc4b9000
     1.469 ( 0.002 ms): close(fd: 3</usr/lib/locale/locale-archive>                           ) = 0
     1.528 ( 0.010 ms): open(filename: 0x7fff1988c3da, flags: CREAT|NOCTTY|NONBLOCK|WRONLY, mode: 438) = 3
     1.532 ( 0.002 ms): dup2(oldfd: 3</tmp/b>                                                 ) = 0
     1.535 ( 0.001 ms): close(fd: 3</tmp/b>                                                   ) = 0
     1.544 ( 0.001 ms): close(                                                                ) = 0
     1.555 ( 0.001 ms): close(fd: 1                                                           ) = 0
     1.558 ( 0.001 ms): close(fd: 2                                                           ) = 0
  [acme@zoo linux]$

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Link: http://lkml.kernel.org/n/tip-vcm22xpjxc3j4hbyuzjzf7ik@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/builtin-trace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1276,11 +1276,11 @@ static const char *thread__fd_path(struc
 	if (fd < 0)
 		return NULL;
 
-	if ((fd > ttrace->paths.max || ttrace->paths.table[fd] == NULL))
+	if ((fd > ttrace->paths.max || ttrace->paths.table[fd] == NULL)) {
 		if (!trace->live)
 			return NULL;
 		++trace->stats.proc_getname;
-		if (thread__read_fd_path(thread, fd)) {
+		if (thread__read_fd_path(thread, fd))
 			return NULL;
 	}
 
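Review bot: the outer test in thread__fd_path() still carries a doubled pair of parentheses, `if ((fd > ttrace->paths.max || ttrace->paths.table[fd] == NULL)) {`, which is worth dropping while the line is being touched. The commit message shows the output before and after but never says what was wrong in the code; one sentence stating that the opening brace sat on the inner `if`, so the counter increment and thread__read_fd_path() ran even for fds already in the table, would make the fix reviewable from the message alone.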


* [PATCH 3.16 324/366] ceph: fix llistxattr on symlink
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Yan, Zheng, Bryan Henderson

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Yan, Zheng" <zyan@redhat.com>

commit 0abb43dcacb52145aa265f82c914375d59dfe2da upstream.

Only regular files and directories have vxattrs.

Signed-off-by: Yan, Zheng <zyan@redhat.com>
Cc: Bryan Henderson <bryanh@giraffe-data.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ceph/xattr.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -284,8 +284,7 @@ static size_t ceph_vxattrs_name_size(str
 		return ceph_dir_vxattrs_name_size;
 	if (vxattrs == ceph_file_vxattrs)
 		return ceph_file_vxattrs_name_size;
-	BUG();
-
+	BUG_ON(vxattrs);
 	return 0;
 }
 
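Review bot: `BUG_ON(vxattrs)` still takes the machine down if an unrecognised non-NULL table ever reaches ceph_vxattrs_name_size(); since the function can simply `return 0;`, a WARN_ON_ONCE() would report the same programming error without a crash. The commit message could also state outright that the table pointer is NULL for other inode types such as symlinks, which is what the new condition relies on.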


* [PATCH 3.16 314/366] dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Alexey Kodanev

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <alexey.kodanev@oracle.com>

commit 61ef4b07fcdc30535889990cf4229766502561cf upstream.

The shift of 'cwnd' with '(now - hc->tx_lsndtime) / hc->tx_rto' value
can lead to undefined behavior [1].

In order to fix this use a gradual shift of the window with a 'while'
loop, similar to what tcp_cwnd_restart() is doing.

When comparing delta and RTO there is a minor difference between TCP
and DCCP, the last one also invokes dccp_cwnd_restart() and reduces
'cwnd' if delta equals RTO. That case is preserved in this change.

[1]:
[40850.963623] UBSAN: Undefined behaviour in net/dccp/ccids/ccid2.c:237:7
[40851.043858] shift exponent 67 is too large for 32-bit type 'unsigned int'
[40851.127163] CPU: 3 PID: 15940 Comm: netstress Tainted: G        W   E     4.18.0-rc7.x86_64 #1
...
[40851.377176] Call Trace:
[40851.408503]  dump_stack+0xf1/0x17b
[40851.451331]  ? show_regs_print_info+0x5/0x5
[40851.503555]  ubsan_epilogue+0x9/0x7c
[40851.548363]  __ubsan_handle_shift_out_of_bounds+0x25b/0x2b4
[40851.617109]  ? __ubsan_handle_load_invalid_value+0x18f/0x18f
[40851.686796]  ? xfrm4_output_finish+0x80/0x80
[40851.739827]  ? lock_downgrade+0x6d0/0x6d0
[40851.789744]  ? xfrm4_prepare_output+0x160/0x160
[40851.845912]  ? ip_queue_xmit+0x810/0x1db0
[40851.895845]  ? ccid2_hc_tx_packet_sent+0xd36/0x10a0 [dccp]
[40851.963530]  ccid2_hc_tx_packet_sent+0xd36/0x10a0 [dccp]
[40852.029063]  dccp_xmit_packet+0x1d3/0x720 [dccp]
[40852.086254]  dccp_write_xmit+0x116/0x1d0 [dccp]
[40852.142412]  dccp_sendmsg+0x428/0xb20 [dccp]
[40852.195454]  ? inet_dccp_listen+0x200/0x200 [dccp]
[40852.254833]  ? sched_clock+0x5/0x10
[40852.298508]  ? sched_clock+0x5/0x10
[40852.342194]  ? inet_create+0xdf0/0xdf0
[40852.388988]  sock_sendmsg+0xd9/0x160
...

Fixes: 113ced1f52e5 ("dccp ccid-2: Perform congestion-window validation")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/dccp/ccids/ccid2.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -228,14 +228,16 @@ static void ccid2_cwnd_restart(struct so
 	struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
 	u32 cwnd = hc->tx_cwnd, restart_cwnd,
 	    iwnd = rfc3390_bytes_to_packets(dccp_sk(sk)->dccps_mss_cache);
+	s32 delta = now - hc->tx_lsndtime;
 
 	hc->tx_ssthresh = max(hc->tx_ssthresh, (cwnd >> 1) + (cwnd >> 2));
 
 	/* don't reduce cwnd below the initial window (IW) */
 	restart_cwnd = min(cwnd, iwnd);
-	cwnd >>= (now - hc->tx_lsndtime) / hc->tx_rto;
-	hc->tx_cwnd = max(cwnd, restart_cwnd);
 
+	while ((delta -= hc->tx_rto) >= 0 && cwnd > restart_cwnd)
+		cwnd >>= 1;
+	hc->tx_cwnd = max(cwnd, restart_cwnd);
 	hc->tx_cwnd_stamp = now;
 	hc->tx_cwnd_used  = 0;
 
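Review bot: the loop condition `(delta -= hc->tx_rto) >= 0` does the subtraction, the sign test and the RTO comparison in one expression that mixes the new `s32 delta` with `hc->tx_rto`, whose type is not visible in the hunk; a comment saying that delta is deliberately signed and that `>= 0` rather than `> 0` keeps the single halving when delta equals RTO, as the commit message promises, would protect this from a later cleanup. The hunk also drops the blank line that used to separate the `hc->tx_cwnd` assignment from the `tx_cwnd_stamp` update, which looks unintended.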


* [PATCH 3.16 366/366] perf tools: Fix python extension build for gcc 8
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Namhyung Kim, Peter Zijlstra, Jiri Olsa, David Ahern,
	Arnaldo Carvalho de Melo, Alexander Shishkin, Josh Poimboeuf,
	Sergey Senozhatsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

commit b7a313d84e853049062011d78cb04b6decd12f5c upstream.

The gcc 8 compiler won't compile the python extension code with the
following errors (one example):

  python.c:830:15: error: cast between incompatible  function types from              \
  ‘PyObject * (*)(struct pyrf_evsel *, PyObject *, PyObject *)’                       \
  uct _object * (*)(struct pyrf_evsel *, struct _object *, struct _object *)’} to     \
  ‘PyObject * (*)(PyObject *, PyObject *)’ {aka ‘struct _object * (*)(struct _objeuct \
  _object *)’} [-Werror=cast-function-type]
     .ml_meth  = (PyCFunction)pyrf_evsel__open,

The problem with the PyMethodDef::ml_meth callback is that its type is
determined based on the PyMethodDef::ml_flags value, which we set as
METH_VARARGS | METH_KEYWORDS.

That indicates that the callback is expecting an extra PyObject* arg, and is
actually PyCFunctionWithKeywords type, but the base PyMethodDef::ml_meth type
stays PyCFunction.

Previous gccs did not find this, gcc8 now does. Fixing this by silencing this
warning for python.c build.

Committer notes:

Do not do that for CC=clang, as it breaks the build in some clang
versions, like the ones in fedora up to fedora27:

  fedora:25:error: unknown warning option '-Wno-cast-function-type'; did you mean '-Wno-bad-function-cast'? [-Werror,-Wunknown-warning-option]
  fedora:26:error: unknown warning option '-Wno-cast-function-type'; did you mean '-Wno-bad-function-cast'? [-Werror,-Wunknown-warning-option]
  fedora:27:error: unknown warning option '-Wno-cast-function-type'; did you mean '-Wno-bad-function-cast'? [-Werror,-Wunknown-warning-option]
  #

those have:

  clang version 3.9.1 (tags/RELEASE_391/final)

The one in rawhide accepts that:

  clang version 6.0.0 (tags/RELEASE_600/final)

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Link: http://lkml.kernel.org/r/20180319082902.4518-2-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/setup.py | 2 ++
 1 file changed, 2 insertions(+)

--- a/tools/perf/util/setup.py
+++ b/tools/perf/util/setup.py
@@ -21,6 +21,7 @@ class install_lib(_install_lib):
 cflags = getenv('CFLAGS', '').split()
 # switch off several checks (need to be at the end of cflags list)
 cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter' ]
+cflags += ['-Wno-cast-function-type' ]
 
 build_lib = getenv('PYTHON_EXTBUILD_LIB')
 build_tmp = getenv('PYTHON_EXTBUILD_TMP')
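Review bot: `cflags += ['-Wno-cast-function-type' ]` is added unconditionally, but the committer notes in the commit message say this must not be done for CC=clang because clang 3.9.1 rejects the option, and the hunk shows no check of CC. The diffstat announces 2 insertions while the hunk adds one line, which suggests the compiler guard was lost on the way; please put a test on `getenv('CC')` around the new line.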


* [PATCH 3.16 365/366] perf thread_map: Correctly size buffer used with dirent->dt_name
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wang Nan, Adrian Hunter, David Ahern,
	Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit bdf23a9a190d7ecea092fd5c4aabb7d4bd0a9980 upstream.

The size of dirent->dt_name is NAME_MAX + 1, but the size for the 'path'
buffer is hard coded at 256, which may truncate it because we also
prepend "/proc/", so take all that into account and thank gcc 7 for this
warning:

  /git/linux/tools/perf/util/thread_map.c: In function 'thread_map__new_by_uid':
  /git/linux/tools/perf/util/thread_map.c:119:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 250 [-Werror=format-truncation=]
     snprintf(path, sizeof(path), "/proc/%s", dirent->d_name);
                                         ^~
  In file included from /usr/include/stdio.h:939:0,
                   from /git/linux/tools/perf/util/thread_map.c:5:
  /usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 7 and 262 bytes into a destination of size 256
     return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          __bos (__s), __fmt, __va_arg_pack ());
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-csy0r8zrvz5efccgd4k12c82@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/thread_map.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/thread_map.c
+++ b/tools/perf/util/thread_map.c
@@ -63,7 +63,7 @@ struct thread_map *thread_map__new_by_ui
 {
 	DIR *proc;
 	int max_threads = 32, items, i;
-	char path[256];
+	char path[NAME_MAX + 1 + 6];
 	struct dirent *dirent, **namelist = NULL;
 	struct thread_map *threads = malloc(sizeof(*threads) +
 					    max_threads * sizeof(pid_t));
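Review bot: the `6` in `char path[NAME_MAX + 1 + 6];` is the length of the "/proc/" prefix named in the commit message, but nothing in the code says so; writing the size as `NAME_MAX + sizeof("/proc/")` or adding a short comment would keep it tied to the format string if the prefix ever changes. The declaration also starts relying on NAME_MAX while the hunk adds no include, so check that the file already pulls in a header that defines it.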


* [PATCH 3.16 243/366] ARC: Fix CONFIG_SWAP
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vineet Gupta, Alexey Brodkin

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <abrodkin@synopsys.com>

commit 6e3761145a9ba3ce267c330b6bff51cf6a057b06 upstream.

Swap was broken on ARC due to a silly copy-paste issue.

We encode offset from swapcache page in __swp_entry() as (off << 13) but
were not decoding back in __swp_offset() as (off >> 13) - it was still
(off << 13).

This finally fixes swap usage on ARC.

| # mkswap /dev/sda2
|
| # swapon -a -e /dev/sda2
| Adding 500728k swap on /dev/sda2.  Priority:-2 extents:1 across:500728k
|
| # free
|              total       used       free     shared    buffers     cached
| Mem:        765104      13456     751648       4736          8       4736
| -/+ buffers/cache:       8712     756392
| Swap:       500728          0     500728

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/include/asm/pgtable.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/include/asm/pgtable.h
+++ b/arch/arc/include/asm/pgtable.h
@@ -361,7 +361,7 @@ void update_mmu_cache(struct vm_area_str
 
 /* Decode a PTE containing swap "identifier "into constituents */
 #define __swp_type(pte_lookalike)	(((pte_lookalike).val) & 0x1f)
-#define __swp_offset(pte_lookalike)	((pte_lookalike).val << 13)
+#define __swp_offset(pte_lookalike)	((pte_lookalike).val >> 13)
 
 /* NOPs, to keep generic kernel happy */
 #define __pte_to_swp_entry(pte)	((swp_entry_t) { pte_val(pte) })
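Review bot: the shift count `13` in `__swp_offset()` has to match the `(off << 13)` that the commit message gives for `__swp_entry()`, yet each macro spells the literal on its own, which is how the two got out of step; a shared named constant for the shift would rule out a repeat. The context comment above, `"identifier "into`, has a misplaced quote that could be fixed in the same patch.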


* [PATCH 3.16 313/366] vsock: split dwork to avoid reinitializations
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jorgen Hansen, syzbot+8a9b1bd330476a4f3db6, Andy king,
	Stefan Hajnoczi, David S. Miller, Cong Wang

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

commit 455f05ecd2b219e9a216050796d30c830d9bc393 upstream.

syzbot reported that we reinitialize an active delayed
work in vsock_stream_connect():

	ODEBUG: init active (active state 0) object type: timer_list hint:
	delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:1414
	WARNING: CPU: 1 PID: 11518 at lib/debugobjects.c:329
	debug_print_object+0x16a/0x210 lib/debugobjects.c:326

The pattern is apparently wrong, we should only initialize
the delayed work once and could repeatedly schedule it. So we
have to move out the initializations to allocation side.
And to avoid confusion, we can split the shared dwork
into two, instead of re-using the same one.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Reported-by: <syzbot+8a9b1bd330476a4f3db6@syzkaller.appspotmail.com>
Cc: Andy king <acking@vmware.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/af_vsock.h         |  4 ++--
 net/vmw_vsock/af_vsock.c       | 15 ++++++++-------
 net/vmw_vsock/vmci_transport.c |  3 +--
 3 files changed, 11 insertions(+), 11 deletions(-)

--- a/include/net/af_vsock.h
+++ b/include/net/af_vsock.h
@@ -59,7 +59,8 @@ struct vsock_sock {
 	struct list_head pending_links;
 	struct list_head accept_queue;
 	bool rejected;
-	struct delayed_work dwork;
+	struct delayed_work connect_work;
+	struct delayed_work pending_work;
 	u32 peer_shutdown;
 	bool sent_request;
 	bool ignore_connecting_rst;
@@ -70,7 +71,6 @@ struct vsock_sock {
 
 s64 vsock_stream_has_data(struct vsock_sock *vsk);
 s64 vsock_stream_has_space(struct vsock_sock *vsk);
-void vsock_pending_work(struct work_struct *work);
 struct sock *__vsock_create(struct net *net,
 			    struct socket *sock,
 			    struct sock *parent,
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -431,14 +431,14 @@ static int vsock_send_shutdown(struct so
 	return transport->shutdown(vsock_sk(sk), mode);
 }
 
-void vsock_pending_work(struct work_struct *work)
+static void vsock_pending_work(struct work_struct *work)
 {
 	struct sock *sk;
 	struct sock *listener;
 	struct vsock_sock *vsk;
 	bool cleanup;
 
-	vsk = container_of(work, struct vsock_sock, dwork.work);
+	vsk = container_of(work, struct vsock_sock, pending_work.work);
 	sk = sk_vsock(vsk);
 	listener = vsk->listener;
 	cleanup = true;
@@ -478,7 +478,6 @@ out:
 	sock_put(sk);
 	sock_put(listener);
 }
-EXPORT_SYMBOL_GPL(vsock_pending_work);
 
 /**** SOCKET OPERATIONS ****/
 
@@ -577,6 +576,8 @@ static int __vsock_bind(struct sock *sk,
 	return retval;
 }
 
+static void vsock_connect_timeout(struct work_struct *work);
+
 struct sock *__vsock_create(struct net *net,
 			    struct socket *sock,
 			    struct sock *parent,
@@ -618,6 +619,8 @@ struct sock *__vsock_create(struct net *
 	vsk->sent_request = false;
 	vsk->ignore_connecting_rst = false;
 	vsk->peer_shutdown = 0;
+	INIT_DELAYED_WORK(&vsk->connect_work, vsock_connect_timeout);
+	INIT_DELAYED_WORK(&vsk->pending_work, vsock_pending_work);
 
 	psk = parent ? vsock_sk(parent) : NULL;
 	if (parent) {
@@ -1095,7 +1098,7 @@ static void vsock_connect_timeout(struct
 	struct sock *sk;
 	struct vsock_sock *vsk;
 
-	vsk = container_of(work, struct vsock_sock, dwork.work);
+	vsk = container_of(work, struct vsock_sock, connect_work.work);
 	sk = sk_vsock(vsk);
 
 	lock_sock(sk);
@@ -1196,9 +1199,7 @@ static int vsock_stream_connect(struct s
 			 * timeout fires.
 			 */
 			sock_hold(sk);
-			INIT_DELAYED_WORK(&vsk->dwork,
-					  vsock_connect_timeout);
-			schedule_delayed_work(&vsk->dwork, timeout);
+			schedule_delayed_work(&vsk->connect_work, timeout);
 
 			/* Skip ahead to preserve error code set above. */
 			goto out_wait;
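
Review bot: in vsock_stream_connect() the return value of `schedule_delayed_work(&vsk->connect_work, timeout)` is ignored directly after `sock_hold(sk)`. With the work item no longer re-initialized on every call, schedule_delayed_work() returns false when connect_work is already pending, and in that case the timeout handler will run once while a second reference has been taken here. Either drop the extra reference when the call returns false, or add a comment stating why connect_work cannot still be pending at this point.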
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1101,8 +1101,7 @@ static int vmci_transport_recv_listen(st
 	vpending->listener = sk;
 	sock_hold(sk);
 	sock_hold(pending);
-	INIT_DELAYED_WORK(&vpending->dwork, vsock_pending_work);
-	schedule_delayed_work(&vpending->dwork, HZ);
+	schedule_delayed_work(&vpending->pending_work, HZ);
 
 out:
 	return err;



* [PATCH 3.16 312/366] packet: refine ring v3 block size test to hold one frame
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (338 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 029/366] ASoC: cirrus: i2s: Fix LRCLK configuration Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 194/366] usb: cdc_acm: Add quirk for Uniden UBC125 scanner Ben Hutchings
                   ` (26 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, syzbot, Willem de Bruijn, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>

commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.

TPACKET_V3 stores variable length frames in fixed length blocks.
Blocks must be able to store a block header, optional private space
and at least one minimum sized frame.

Frames, even for a zero snaplen packet, store metadata headers and
optional reserved space.

In the block size bounds check, ensure that the frame of the
chosen configuration fits. This includes sockaddr_ll and optional
tp_reserve.

Syzbot was able to construct a ring with insufficient room for the
sockaddr_ll in the header of a zero-length frame, triggering an
out-of-bounds write in dev_parse_header.

Convert the comparison to less than, as zero is a valid snap len.
This matches the test for minimum tp_frame_size immediately below.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3874,6 +3874,8 @@ static int packet_set_ring(struct sock *
 	}
 
 	if (req->tp_block_nr) {
+		unsigned int min_frame_size;
+
 		/* Sanity tests and some calculations */
 		err = -EBUSY;
 		if (unlikely(rb->pg_vec))
@@ -3896,12 +3898,12 @@ static int packet_set_ring(struct sock *
 			goto out;
 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
 			goto out;
+		min_frame_size = po->tp_hdrlen + po->tp_reserve;
 		if (po->tp_version >= TPACKET_V3 &&
-		    req->tp_block_size <=
-		    BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
+		    req->tp_block_size <
+		    BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
 			goto out;
-		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
-					po->tp_reserve))
+		if (unlikely(req->tp_frame_size < min_frame_size))
 			goto out;
 		if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
 			goto out;
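
Review bot: `min_frame_size = po->tp_hdrlen + po->tp_reserve;` is computed in unsigned int, so the sum can wrap before either bounds check uses it unless tp_reserve is capped where it is set; the block-size comparison widens the private-area term with `(u64)`, but this addition gets no such treatment. Please confirm the cap exists, or do the addition in u64. A short comment on the `req->tp_block_size <` comparison saying that a zero snaplen frame is valid would also keep a later reader from turning it back into `<=`.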



* [PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (276 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 032/366] iommu/vt-d: Ratelimit each dmar fault printing Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 089/366] Btrfs: don't BUG_ON() in btrfs_truncate_inode_items() Ben Hutchings
                   ` (88 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.nault@alphalink.fr>

commit f664e37dcc525768280cb94321424a09beb1c992 upstream.

If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
drop the reference taken by l2tp_session_get().

Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Also call session->deref in both cases]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ppp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1231,15 +1231,22 @@ static int pppol2tp_tunnel_ioctl(struct
 				l2tp_session_get(sock_net(sk), tunnel,
 						 stats.session_id, true);
 
-			if (session && session->pwtype == L2TP_PWTYPE_PPP) {
-				err = pppol2tp_session_ioctl(session, cmd,
-							     arg);
+			if (!session) {
+				err = -EBADR;
+				break;
+			}
+			if (session->pwtype != L2TP_PWTYPE_PPP) {
 				if (session->deref)
 					session->deref(session);
 				l2tp_session_dec_refcount(session);
-			} else {
 				err = -EBADR;
+				break;
 			}
+
+			err = pppol2tp_session_ioctl(session, cmd, arg);
+			if (session->deref)
+				session->deref(session);
+			l2tp_session_dec_refcount(session);
 			break;
 		}
 #ifdef CONFIG_XFRM
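
Review bot: the release sequence `if (session->deref) session->deref(session); l2tp_session_dec_refcount(session);` now appears twice, once in the non-PPP branch and once after pppol2tp_session_ioctl(), which is the kind of duplication that produced the missing drop being fixed. Consider setting err in the two cases (`-EBADR` when `session->pwtype != L2TP_PWTYPE_PPP`, otherwise the result of pppol2tp_session_ioctl()) and then falling through to a single deref/dec_refcount before the `break`, so every path that got a session from l2tp_session_get() releases it in one place.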



* [PATCH 3.16 321/366] xen/netfront: don't cache skb_shinfo()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 247/366] ext4: check for allocation block validity with block group locked Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 185/366] ipv6: mcast: fix unsolicited report interval after receiving querys Ben Hutchings
                   ` (285 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Wei Liu, Juergen Gross

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit d472b3a6cf63cd31cae1ed61930f07e6cd6671b5 upstream.

skb_shinfo() can change when calling __pskb_pull_tail(): Don't cache
its return value.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -898,7 +898,6 @@ static RING_IDX xennet_fill_frags(struct
 				  struct sk_buff *skb,
 				  struct sk_buff_head *list)
 {
-	struct skb_shared_info *shinfo = skb_shinfo(skb);
 	RING_IDX cons = queue->rx.rsp_cons;
 	struct sk_buff *nskb;
 
@@ -907,15 +906,16 @@ static RING_IDX xennet_fill_frags(struct
 			RING_GET_RESPONSE(&queue->rx, ++cons);
 		skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
 
-		if (shinfo->nr_frags == MAX_SKB_FRAGS) {
+		if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
 			unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
 
 			BUG_ON(pull_to <= skb_headlen(skb));
 			__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
 		}
-		BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
+		BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS);
 
-		skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
+		skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+				skb_frag_page(nfrag),
 				rx->offset, rx->status, PAGE_SIZE);
 
 		skb_shinfo(nskb)->nr_frags = 0;
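
Review bot: the return value of `__pskb_pull_tail(skb, pull_to - skb_headlen(skb))` is still ignored, so if the pull fails or does not empty a frag slot, the only handling is the following `BUG_ON(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)`, which takes the whole guest down. Consider checking the result and dropping the packet with an error instead. A one-line comment at the first `skb_shinfo(skb)` use, saying the pointer must be re-read because __pskb_pull_tail() can change it, would also keep the cached local from being reintroduced.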



* [PATCH 3.16 319/366] unify dentry_iput() and dentry_unlink_inode()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (326 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 041/366] powerpc: make feature-fixup tests fortify-safe Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 210/366] n_tty: Access echo_* variables carefully Ben Hutchings
                   ` (38 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 550dce01dd606c88a837138aa448ccd367fb0cbb upstream.

There is a lot of duplication between dentry_unlink_inode() and dentry_iput().
The only real difference is that dentry_unlink_inode() bumps ->d_seq and
dentry_iput() doesn't.  The argument of the latter is known to have been
unhashed, so anybody who might've found it in RCU lookup would already be
doomed to a ->d_seq mismatch.  And we want to avoid pointless smp_rmb() there.

This patch makes dentry_unlink_inode() bump ->d_seq only for hashed dentries.
It's safe (d_delete() calls that sucker only if we are holding the only
reference to dentry, so rehash is not going to happen) and it allows
to use dentry_unlink_inode() in __dentry_kill() and get rid of dentry_iput().

The interesting question here is profiling; it *is* a hot path, and extra
conditional jumps in there might or might not be painful.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c | 45 ++++++++++-----------------------------------
 1 file changed, 10 insertions(+), 35 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -333,44 +333,21 @@ static inline void dentry_rcuwalk_barrie
 
 /*
  * Release the dentry's inode, using the filesystem
- * d_iput() operation if defined. Dentry has no refcount
- * and is unhashed.
- */
-static void dentry_iput(struct dentry * dentry)
-	__releases(dentry->d_lock)
-	__releases(dentry->d_inode->i_lock)
-{
-	struct inode *inode = dentry->d_inode;
-	if (inode) {
-		__d_clear_type_and_inode(dentry);
-		hlist_del_init(&dentry->d_u.d_alias);
-		spin_unlock(&dentry->d_lock);
-		spin_unlock(&inode->i_lock);
-		if (!inode->i_nlink)
-			fsnotify_inoderemove(inode);
-		if (dentry->d_op && dentry->d_op->d_iput)
-			dentry->d_op->d_iput(dentry, inode);
-		else
-			iput(inode);
-	} else {
-		spin_unlock(&dentry->d_lock);
-	}
-}
-
-/*
- * Release the dentry's inode, using the filesystem
- * d_iput() operation if defined. dentry remains in-use.
+ * d_iput() operation if defined.
  */
 static void dentry_unlink_inode(struct dentry * dentry)
 	__releases(dentry->d_lock)
 	__releases(dentry->d_inode->i_lock)
 {
 	struct inode *inode = dentry->d_inode;
+	bool hashed = !d_unhashed(dentry);
 
-	raw_write_seqcount_begin(&dentry->d_seq);
+	if (hashed)
+		raw_write_seqcount_begin(&dentry->d_seq);
 	__d_clear_type_and_inode(dentry);
 	hlist_del_init(&dentry->d_u.d_alias);
-	raw_write_seqcount_end(&dentry->d_seq);
+	if (hashed)
+		raw_write_seqcount_end(&dentry->d_seq);
 	spin_unlock(&dentry->d_lock);
 	spin_unlock(&inode->i_lock);
 	if (!inode->i_nlink)
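
Review bot: the new `bool hashed = !d_unhashed(dentry);` test in dentry_unlink_inode() carries no comment, and the rewritten header comment drops both earlier statements about the dentry's state ("Dentry has no refcount and is unhashed" and "dentry remains in-use"). The reasoning that makes skipping the ->d_seq bump safe (an unhashed dentry is already doomed to a ->d_seq mismatch for RCU lookups, and d_delete() only calls this while holding the sole reference, so no rehash can happen) exists only in the changelog. Please put a short version of it next to the `if (hashed)` checks, since this is a hot path that people will be tempted to simplify.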
@@ -537,12 +514,10 @@ static void __dentry_kill(struct dentry
 	dentry->d_flags |= DCACHE_DENTRY_KILLED;
 	if (parent)
 		spin_unlock(&parent->d_lock);
-	dentry_iput(dentry);
-	/*
-	 * dentry_iput drops the locks, at which point nobody (except
-	 * transient RCU lookups) can reach this dentry.
-	 */
-	BUG_ON((int)dentry->d_lockref.count > 0);
+	if (dentry->d_inode)
+		dentry_unlink_inode(dentry);
+	else
+		spin_unlock(&dentry->d_lock);
 	this_cpu_dec(nr_dentry);
 	if (dentry->d_op && dentry->d_op->d_release)
 		dentry->d_op->d_release(dentry);
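
Review bot: `BUG_ON((int)dentry->d_lockref.count > 0);` is deleted from __dentry_kill() together with the dentry_iput() call, but the changelog only describes unifying the two helpers. If the assertion is being dropped on purpose, say so in the commit message; otherwise keep it after the new if/else, since the invariant in the removed comment (once the locks are dropped, nobody except transient RCU lookups can reach this dentry) applies equally to the dentry_unlink_inode() path.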



* [PATCH 3.16 318/366] use ->d_seq to get coherency between ->d_inode and ->d_flags
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (242 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 177/366] Input: elantech - enable middle button of touchpads on ThinkPad P52 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 024/366] PCI: ibmphp: Fix use-before-set in get_max_bus_speed() Ben Hutchings
                   ` (122 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit a528aca7f359f4b0b1d72ae406097e491a5ba9ea upstream.

Games with ordering and barriers are way too brittle.  Just
bump ->d_seq before and after updating ->d_inode and ->d_flags
type bits, so that verifying ->d_seq would guarantee they are
coherent.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c            | 20 +++++---------------
 include/linux/dcache.h |  4 +---
 2 files changed, 6 insertions(+), 18 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -291,28 +291,18 @@ static inline void __d_set_inode_and_typ
 	unsigned flags;
 
 	dentry->d_inode = inode;
-	smp_wmb();
 	flags = ACCESS_ONCE(dentry->d_flags);
 	flags &= ~DCACHE_ENTRY_TYPE;
 	flags |= type_flags;
 	ACCESS_ONCE(dentry->d_flags) = flags;
 }
 
-/*
- * Ideally, we want to make sure that other CPUs see the flags cleared before
- * the inode is detached, but this is really a violation of RCU principles
- * since the ordering suggests we should always set inode before flags.
- *
- * We should instead replace or discard the entire dentry - but that sucks
- * performancewise on mass deletion/rename.
- */
 static inline void __d_clear_type_and_inode(struct dentry *dentry)
 {
 	unsigned flags = ACCESS_ONCE(dentry->d_flags);
 
 	flags &= ~DCACHE_ENTRY_TYPE;
 	ACCESS_ONCE(dentry->d_flags) = flags;
-	smp_wmb();
 	dentry->d_inode = NULL;
 }
 
@@ -376,9 +366,11 @@ static void dentry_unlink_inode(struct d
 	__releases(dentry->d_inode->i_lock)
 {
 	struct inode *inode = dentry->d_inode;
+
+	raw_write_seqcount_begin(&dentry->d_seq);
 	__d_clear_type_and_inode(dentry);
 	hlist_del_init(&dentry->d_u.d_alias);
-	dentry_rcuwalk_barrier(dentry);
+	raw_write_seqcount_end(&dentry->d_seq);
 	spin_unlock(&dentry->d_lock);
 	spin_unlock(&inode->i_lock);
 	if (!inode->i_nlink)
@@ -1680,8 +1672,9 @@ static void __d_instantiate(struct dentr
 	spin_lock(&dentry->d_lock);
 	if (inode)
 		hlist_add_head(&dentry->d_u.d_alias, &inode->i_dentry);
+	raw_write_seqcount_begin(&dentry->d_seq);
 	__d_set_inode_and_type(dentry, inode, add_flags);
-	dentry_rcuwalk_barrier(dentry);
+	raw_write_seqcount_end(&dentry->d_seq);
 	spin_unlock(&dentry->d_lock);
 	fsnotify_d_instantiate(dentry, inode);
 }
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -413,9 +413,7 @@ static inline bool d_mountpoint(const st
  */
 static inline unsigned __d_entry_type(const struct dentry *dentry)
 {
-	unsigned type = ACCESS_ONCE(dentry->d_flags);
-	smp_rmb();
-	return type & DCACHE_ENTRY_TYPE;
+	return dentry->d_flags & DCACHE_ENTRY_TYPE;
 }
 
 static inline bool d_can_lookup(const struct dentry *dentry)
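
Review bot: __d_entry_type() now reads `dentry->d_flags` with a plain load while the writers in fs/dcache.c still store it through ACCESS_ONCE(). Dropping the `smp_rmb()` follows from the ->d_seq scheme, but for lockless callers it would be safer to keep ACCESS_ONCE() on the read so the compiler cannot refetch the field, and to note in the comment above the function that RCU-walk callers get coherency with ->d_inode only by validating ->d_seq afterwards.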



* [PATCH 3.16 311/366] root dentries need RCU-delayed freeing
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 103/366] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 049/366] w1: support auto-load of w1_bq27000 module Ben Hutchings
                   ` (247 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 90bad5e05bcdb0308cfa3d3a60f5c0b9c8e2efb3 upstream.

Since mountpoint crossing can happen without leaving lazy mode,
root dentries do need the same protection against having their
memory freed without RCU delay as everything else in the tree.

It's partially hidden by RCU delay between detaching from the
mount tree and dropping the vfsmount reference, but the starting
point of pathwalk can be on an already detached mount, in which
case umount-caused RCU delay has already passed by the time the
lazy pathwalk grabs rcu_read_lock().  If the starting point
happens to be at the root of that vfsmount *and* that vfsmount
covers the entire filesystem, we get trouble.

Fixes: 48a066e72d97 ("RCU'd vsfmounts")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1812,10 +1812,12 @@ struct dentry *d_make_root(struct inode
 		static const struct qstr name = QSTR_INIT("/", 1);
 
 		res = __d_alloc(root_inode->i_sb, &name);
-		if (res)
+		if (res) {
+			res->d_flags |= DCACHE_RCUACCESS;
 			d_instantiate(res, root_inode);
-		else
+		} else {
 			iput(root_inode);
+		}
 	}
 	return res;
 }
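
Review bot: `res->d_flags |= DCACHE_RCUACCESS;` in d_make_root() is set with no comment, and the reason root dentries need it (a lazy pathwalk can start on an already detached mount whose umount-time RCU delay has passed) is only in the changelog. A short comment at the assignment would stop it from being removed as redundant later. It would also be worth stating there that setting the flag without ->d_lock is fine because the dentry has only just come back from __d_alloc() and has not been instantiated yet.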



* [PATCH 3.16 316/366] fix __legitimize_mnt()/mntput() race
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (224 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 072/366] m68k: Implement ndelay() as an inline function to force type checking/casting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 123/366] bnx2x: use the right constant Ben Hutchings
                   ` (140 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Oleg Nesterov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 119e1ef80ecfe0d1deb6378d4ab41f5b71519de1 upstream.

__legitimize_mnt() has two problems - one is that in case of success
the check of mount_lock is not ordered wrt preceding increment of
refcount, making it possible to have successful __legitimize_mnt()
on one CPU just before the otherwise final mntput() on another,
with __legitimize_mnt() not seeing mntput() taking the lock and
mntput() not seeing the increment done by __legitimize_mnt().
Solved by a pair of barriers.

Another is that failure of __legitimize_mnt() on the second
read_seqretry() leaves us with reference that'll need to be
dropped by caller; however, if that races with final mntput()
we can end up with caller dropping rcu_read_lock() and doing
mntput() to release that reference - with the first mntput()
having freed the damn thing just as rcu_read_lock() had been
dropped.  Solution: in "do mntput() yourself" failure case
grab mount_lock, check if MNT_DOOMED has been set by racing
final mntput() that has missed our increment and if it has -
undo the increment and treat that as "failure, caller doesn't
need to drop anything" case.

It's not easy to hit - the final mntput() has to come right
after the first read_seqretry() in __legitimize_mnt() *and*
manage to miss the increment done by __legitimize_mnt() before
the second read_seqretry() in there.  The things that are almost
impossible to hit on bare hardware are not impossible on SMP
KVM, though...

Reported-by: Oleg Nesterov <oleg@redhat.com>
Fixes: 48a066e72d97 ("RCU'd vsfmounts")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: __legitimize_mnt() has not been split out
 from legitimize_mnt().  Adjust the added return statement and
 comments accordingly.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -592,12 +592,20 @@ bool legitimize_mnt(struct vfsmount *bas
 		return true;
 	mnt = real_mount(bastard);
 	mnt_add_count(mnt, 1);
+	smp_mb();			// see mntput_no_expire()
 	if (likely(!read_seqretry(&mount_lock, seq)))
 		return true;
 	if (bastard->mnt_flags & MNT_SYNC_UMOUNT) {
 		mnt_add_count(mnt, -1);
 		return false;
 	}
+	lock_mount_hash();
+	if (unlikely(bastard->mnt_flags & MNT_DOOMED)) {
+		mnt_add_count(mnt, -1);
+		unlock_mount_hash();
+		return false;
+	}
+	unlock_mount_hash();
 	rcu_read_unlock();
 	mntput(bastard);
 	rcu_read_lock();
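
Review bot: the added `lock_mount_hash()` / `MNT_DOOMED` block in legitimize_mnt() has no comment, although it is the subtle half of the fix: it undoes the increment and returns false without telling the caller to drop anything when a racing final mntput() has already missed our increment. Please summarise that case from the changelog in a comment above the block, and say which return convention ("caller must mntput()" versus "nothing to drop") each exit uses now that 3.16 has this logic in one function. Minor: `smp_mb();			// see mntput_no_expire()` uses a `//` comment while the matching barrier in the other hunk uses a block comment; kernel style would have `/* ... */` here too.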
@@ -984,6 +992,11 @@ put_again:
 		return;
 	}
 	lock_mount_hash();
+	/*
+	 * make sure that if legitimize_mnt() has not seen us grab
+	 * mount_lock, we'll see their refcount increment here.
+	 */
+	smp_mb();
 	mnt_add_count(mnt, -1);
 	if (mnt_get_count(mnt)) {
 		rcu_read_unlock();



* [PATCH 3.16 315/366] fix mntput/mntput race
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (213 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 345/366] p54: memset(0) whole array Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 079/366] ext4: don't read out of bounds when checking for in-inode xattrs Ben Hutchings
                   ` (151 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro, Jann Horn

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 9ea0a46ca2c318fcc449c1e6b62a7230a17888f1 upstream.

mntput_no_expire() does the calculation of total refcount under mount_lock;
unfortunately, the decrement (as well as all increments) are done outside
of it, leading to false positives in the "are we dropping the last reference"
test.  Consider the following situation:
	* mnt is a lazy-umounted mount, kept alive by two opened files.  One
of those files gets closed.  Total refcount of mnt is 2.  On CPU 42
mntput(mnt) (called from __fput()) drops one reference, decrementing component
	* After it has looked at component #0, the process on CPU 0 does
mntget(), incrementing component #0, gets preempted and gets to run again -
on CPU 69.  There it does mntput(), which drops the reference (component #69)
and proceeds to spin on mount_lock.
	* On CPU 42 our first mntput() finishes counting.  It observes the
decrement of component #69, but not the increment of component #0.  As the
result, the total it gets is not 1 as it should've been - it's 0.  At which
point we decide that vfsmount needs to be killed and proceed to free it and
shut the filesystem down.  However, there's still another opened file
on that filesystem, with reference to (now freed) vfsmount, etc. and we are
screwed.

It's not a wide race, but it can be reproduced with artificial slowdown of
the mnt_get_count() loop, and it should be easier to hit on SMP KVM setups.

Fix consists of moving the refcount decrement under mount_lock; the tricky
part is that we want (and can) keep the fast case (i.e. mount that still
has non-NULL ->mnt_ns) entirely out of mount_lock.  All places that zero
mnt->mnt_ns are dropping some reference to mnt and they call synchronize_rcu()
before that mntput().  IOW, if mntput() observes (under rcu_read_lock())
a non-NULL ->mnt_ns, it is guaranteed that there is another reference yet to
be dropped.

Reported-by: Jann Horn <jannh@google.com>
Tested-by: Jann Horn <jannh@google.com>
Fixes: 48a066e72d97 ("RCU'd vsfmounts")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: Use ACCESS_ONCE() instead of READ_ONCE()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -969,12 +969,22 @@ static void mntput_no_expire(struct moun
 {
 put_again:
 	rcu_read_lock();
-	mnt_add_count(mnt, -1);
-	if (likely(mnt->mnt_ns)) { /* shouldn't be the last one */
+	if (likely(ACCESS_ONCE(mnt->mnt_ns))) {
+		/*
+		 * Since we don't do lock_mount_hash() here,
+		 * ->mnt_ns can change under us.  However, if it's
+		 * non-NULL, then there's a reference that won't
+		 * be dropped until after an RCU delay done after
+		 * turning ->mnt_ns NULL.  So if we observe it
+		 * non-NULL under rcu_read_lock(), the reference
+		 * we are dropping is not the final one.
+		 */
+		mnt_add_count(mnt, -1);
 		rcu_read_unlock();
 		return;
 	}
 	lock_mount_hash();
+	mnt_add_count(mnt, -1);
 	if (mnt_get_count(mnt)) {
 		rcu_read_unlock();
 		unlock_mount_hash();



* [PATCH 3.16 307/366] nohz: Fix local_timer_softirq_pending()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 085/366] usb: gadget: function: printer: avoid spinlock recursion Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 081/366] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume Ben Hutchings
                   ` (352 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, peterz, Frederic Weisbecker, Paul E. McKenney, bigeasy,
	Anna-Maria Gleixner, Thomas Gleixner, Daniel Bristot de Oliveira

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anna-Maria Gleixner <anna-maria@linutronix.de>

commit 80d20d35af1edd632a5e7a3b9c0ab7ceff92769e upstream.

local_timer_softirq_pending() checks whether the timer softirq is
pending with: local_softirq_pending() & TIMER_SOFTIRQ.

This is wrong because TIMER_SOFTIRQ is the softirq number and not a
bitmask. So the test checks for the wrong bit.

Use BIT(TIMER_SOFTIRQ) instead.

Fixes: 5d62c183f9e9 ("nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()")
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
Acked-by: Frederic Weisbecker <frederic@kernel.org>
Cc: bigeasy@linutronix.de
Cc: peterz@infradead.org
Link: https://lkml.kernel.org/r/20180731161358.29472-1-anna-maria@linutronix.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time/tick-sched.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -529,7 +529,7 @@ EXPORT_SYMBOL_GPL(get_cpu_iowait_time_us
 
 static inline bool local_timer_softirq_pending(void)
 {
-	return local_softirq_pending() & TIMER_SOFTIRQ;
+	return local_softirq_pending() & BIT(TIMER_SOFTIRQ);
 }
 
 static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,



* [PATCH 3.16 322/366] ALSA: msnd: add some missing curly braces
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 096a020a9ef5c947577d3b57199bfc9b7e686b49 upstream.

There were some curly braces intended here.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/isa/msnd/msnd_pinnacle_mixer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/isa/msnd/msnd_pinnacle_mixer.c
+++ b/sound/isa/msnd/msnd_pinnacle_mixer.c
@@ -313,11 +313,12 @@ int snd_msndmix_new(struct snd_card *car
 	spin_lock_init(&chip->mixer_lock);
 	strcpy(card->mixername, "MSND Pinnacle Mixer");
 
-	for (idx = 0; idx < ARRAY_SIZE(snd_msnd_controls); idx++)
+	for (idx = 0; idx < ARRAY_SIZE(snd_msnd_controls); idx++) {
 		err = snd_ctl_add(card,
 				  snd_ctl_new1(snd_msnd_controls + idx, chip));
 		if (err < 0)
 			return err;
+	}
 
 	return 0;
 }
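Review bot: the commit message should state the behavioural effect, not only that braces were intended. Without them the `if (err < 0)` check ran once after the loop, so only the last snd_ctl_add() result was tested and a failure on any earlier control was ignored. Saying that in the changelog makes it clear this is an error-handling fix and not a style cleanup.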



* [PATCH 3.16 323/366] media: v4l: event: Prevent freeing event subscriptions while accessed
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sakari Ailus, Hans Verkuil, Mauro Carvalho Chehab,
	Laurent Pinchart

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sakari Ailus <sakari.ailus@linux.intel.com>

commit ad608fbcf166fec809e402d548761768f602702c upstream.

The event subscriptions are added to the subscribed event list while
holding a spinlock, but that lock is subsequently released while still
accessing the subscription object. This makes it possible to unsubscribe
the event --- and freeing the subscription object's memory --- while
the subscription object is simultaneously accessed.

Prevent this by adding a mutex to serialise the event subscription and
unsubscription. This also gives a guarantee to the callback ops that the
add op has returned before the del op is called.

This change also results in making the elems field less special:
subscriptions are only added to the event list once they are fully
initialised.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Fixes: c3b5b0241f62 ("V4L/DVB: V4L: Events: Add backend")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-event.c | 38 +++++++++++++++++++-----------------
 drivers/media/v4l2-core/v4l2-fh.c    |  2 ++
 include/media/v4l2-fh.h              |  1 +
 3 files changed, 23 insertions(+), 18 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-event.c
+++ b/drivers/media/v4l2-core/v4l2-event.c
@@ -119,14 +119,6 @@ static void __v4l2_event_queue_fh(struct
 	if (sev == NULL)
 		return;
 
-	/*
-	 * If the event has been added to the fh->subscribed list, but its
-	 * add op has not completed yet elems will be 0, treat this as
-	 * not being subscribed.
-	 */
-	if (!sev->elems)
-		return;
-
 	/* Increase event sequence number on fh. */
 	fh->sequence++;
 
@@ -209,6 +201,7 @@ int v4l2_event_subscribe(struct v4l2_fh
 	struct v4l2_subscribed_event *sev, *found_ev;
 	unsigned long flags;
 	unsigned i;
+	int ret = 0;
 
 	if (sub->type == V4L2_EVENT_ALL)
 		return -EINVAL;
@@ -226,31 +219,36 @@ int v4l2_event_subscribe(struct v4l2_fh
 	sev->flags = sub->flags;
 	sev->fh = fh;
 	sev->ops = ops;
+	sev->elems = elems;
+
+	mutex_lock(&fh->subscribe_lock);
 
 	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
 	found_ev = v4l2_event_subscribed(fh, sub->type, sub->id);
-	if (!found_ev)
-		list_add(&sev->list, &fh->subscribed);
 	spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
 
 	if (found_ev) {
+		/* Already listening */
 		kfree(sev);
-		return 0; /* Already listening */
+		goto out_unlock;
 	}
 
 	if (sev->ops && sev->ops->add) {
-		int ret = sev->ops->add(sev, elems);
+		ret = sev->ops->add(sev, elems);
 		if (ret) {
-			sev->ops = NULL;
-			v4l2_event_unsubscribe(fh, sub);
-			return ret;
+			kfree(sev);
+			goto out_unlock;
 		}
 	}
 
-	/* Mark as ready for use */
-	sev->elems = elems;
+	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+	list_add(&sev->list, &fh->subscribed);
+	spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
+
+out_unlock:
+	mutex_unlock(&fh->subscribe_lock);
 
-	return 0;
+	return ret;
 }
 EXPORT_SYMBOL_GPL(v4l2_event_subscribe);
 
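Review bot: sev->ops->add() is now called with fh->subscribe_lock held, and v4l2_event_unsubscribe() takes the same mutex, so an add op that subscribes or unsubscribes on the same file handle would deadlock; that constraint deserves a comment at the call site or in the ops documentation. The lookup with v4l2_event_subscribed() and the later list_add() also sit in two separate fh_lock sections now, which is only safe while every path that adds to fh->subscribed holds subscribe_lock. A short comment above `mutex_lock(&fh->subscribe_lock);` stating that rule would protect against a future caller breaking it.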
@@ -289,6 +287,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
 		return 0;
 	}
 
+	mutex_lock(&fh->subscribe_lock);
+
 	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
 
 	sev = v4l2_event_subscribed(fh, sub->type, sub->id);
@@ -306,6 +306,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
 	if (sev && sev->ops && sev->ops->del)
 		sev->ops->del(sev);
 
+	mutex_unlock(&fh->subscribe_lock);
+
 	kfree(sev);
 
 	return 0;
--- a/drivers/media/v4l2-core/v4l2-fh.c
+++ b/drivers/media/v4l2-core/v4l2-fh.c
@@ -42,6 +42,7 @@ void v4l2_fh_init(struct v4l2_fh *fh, st
 	INIT_LIST_HEAD(&fh->available);
 	INIT_LIST_HEAD(&fh->subscribed);
 	fh->sequence = -1;
+	mutex_init(&fh->subscribe_lock);
 }
 EXPORT_SYMBOL_GPL(v4l2_fh_init);
 
@@ -88,6 +89,7 @@ void v4l2_fh_exit(struct v4l2_fh *fh)
 	if (fh->vdev == NULL)
 		return;
 	v4l2_event_unsubscribe_all(fh);
+	mutex_destroy(&fh->subscribe_lock);
 	fh->vdev = NULL;
 }
 EXPORT_SYMBOL_GPL(v4l2_fh_exit);
--- a/include/media/v4l2-fh.h
+++ b/include/media/v4l2-fh.h
@@ -41,6 +41,7 @@ struct v4l2_fh {
 
 	/* Events */
 	wait_queue_head_t	wait;
+	struct mutex		subscribe_lock;
 	struct list_head	subscribed; /* Subscribed events */
 	struct list_head	available; /* Dequeueable event */
 	unsigned int		navailable;
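Review bot: the new subscribe_lock member has no comment saying what it protects or how it nests with vdev->fh_lock, while the neighbouring list members each carry a one-line comment. Something like `/* serialises subscribe/unsubscribe; taken before vdev->fh_lock */` on the new line would record the lock order that v4l2-event.c now relies on.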



* [PATCH 3.16 317/366] VFS: Impose ordering on accesses of d_inode and d_flags
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Howells, Al Viro

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 4bf46a272647d89e780126b52eda04737defd9f4 upstream.

Impose ordering on accesses of d_inode and d_flags to avoid the need to do
this:

	if (!dentry->d_inode || d_is_negative(dentry)) {

when this:

	if (d_is_negative(dentry)) {

should suffice.

This check is especially problematic if a dentry can have its type field set
to something other than DENTRY_MISS_TYPE when d_inode is NULL (as in
unionmount).

What we really need to do is stick a write barrier between setting d_inode and
setting d_flags and a read barrier between reading d_flags and reading
d_inode.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
 - There's no DCACHE_FALLTHRU flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c            | 47 +++++++++++++++++++++++++++++++++++-------
 include/linux/dcache.h | 21 +++----------------
 2 files changed, 42 insertions(+), 26 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -281,6 +281,41 @@ void release_dentry_name_snapshot(struct
 }
 EXPORT_SYMBOL(release_dentry_name_snapshot);
 
+/*
+ * Make sure other CPUs see the inode attached before the type is set.
+ */
+static inline void __d_set_inode_and_type(struct dentry *dentry,
+					  struct inode *inode,
+					  unsigned type_flags)
+{
+	unsigned flags;
+
+	dentry->d_inode = inode;
+	smp_wmb();
+	flags = ACCESS_ONCE(dentry->d_flags);
+	flags &= ~DCACHE_ENTRY_TYPE;
+	flags |= type_flags;
+	ACCESS_ONCE(dentry->d_flags) = flags;
+}
+
+/*
+ * Ideally, we want to make sure that other CPUs see the flags cleared before
+ * the inode is detached, but this is really a violation of RCU principles
+ * since the ordering suggests we should always set inode before flags.
+ *
+ * We should instead replace or discard the entire dentry - but that sucks
+ * performancewise on mass deletion/rename.
+ */
+static inline void __d_clear_type_and_inode(struct dentry *dentry)
+{
+	unsigned flags = ACCESS_ONCE(dentry->d_flags);
+
+	flags &= ~DCACHE_ENTRY_TYPE;
+	ACCESS_ONCE(dentry->d_flags) = flags;
+	smp_wmb();
+	dentry->d_inode = NULL;
+}
+
 static void dentry_free(struct dentry *dentry)
 {
 	WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias));
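Review bot: both smp_wmb() calls in the new helpers lack a comment naming the read side they pair with. The pairing is with the smp_rmb() this patch adds to __d_entry_type() in include/linux/dcache.h; saying so next to each barrier lets a reader check the ordering without searching. For __d_clear_type_and_inode(), where the comment already admits the order is the reverse of the set path, it should also say what a lockless reader may observe between the two stores.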
@@ -317,7 +352,7 @@ static void dentry_iput(struct dentry *
 {
 	struct inode *inode = dentry->d_inode;
 	if (inode) {
-		dentry->d_inode = NULL;
+		__d_clear_type_and_inode(dentry);
 		hlist_del_init(&dentry->d_u.d_alias);
 		spin_unlock(&dentry->d_lock);
 		spin_unlock(&inode->i_lock);
@@ -341,8 +376,7 @@ static void dentry_unlink_inode(struct d
 	__releases(dentry->d_inode->i_lock)
 {
 	struct inode *inode = dentry->d_inode;
-	__d_clear_type(dentry);
-	dentry->d_inode = NULL;
+	__d_clear_type_and_inode(dentry);
 	hlist_del_init(&dentry->d_u.d_alias);
 	dentry_rcuwalk_barrier(dentry);
 	spin_unlock(&dentry->d_lock);
@@ -1644,10 +1678,9 @@ static void __d_instantiate(struct dentr
 	unsigned add_flags = d_flags_for_inode(inode);
 
 	spin_lock(&dentry->d_lock);
-	__d_set_type(dentry, add_flags);
 	if (inode)
 		hlist_add_head(&dentry->d_u.d_alias, &inode->i_dentry);
-	dentry->d_inode = inode;
+	__d_set_inode_and_type(dentry, inode, add_flags);
 	dentry_rcuwalk_barrier(dentry);
 	spin_unlock(&dentry->d_lock);
 	fsnotify_d_instantiate(dentry, inode);
@@ -1904,8 +1937,7 @@ struct dentry *d_obtain_alias(struct ino
 	add_flags = d_flags_for_inode(inode) | DCACHE_DISCONNECTED;
 
 	spin_lock(&tmp->d_lock);
-	tmp->d_inode = inode;
-	tmp->d_flags |= add_flags;
+	__d_set_inode_and_type(tmp, inode, add_flags);
 	hlist_add_head(&tmp->d_u.d_alias, &inode->i_dentry);
 	hlist_bl_lock(&tmp->d_sb->s_anon);
 	hlist_bl_add_head(&tmp->d_hash, &tmp->d_sb->s_anon);
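Review bot: add_flags here includes DCACHE_DISCONNECTED, which is not a type bit, yet it is passed as the `type_flags` argument of __d_set_inode_and_type(). It works because the helper ORs the whole value in after masking DCACHE_ENTRY_TYPE, but the parameter name suggests otherwise. Either rename the parameter or set DCACHE_DISCONNECTED separately so that the helper only ever receives type bits.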
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -411,26 +411,11 @@ static inline bool d_mountpoint(const st
 /*
  * Directory cache entry type accessor functions.
  */
-static inline void __d_set_type(struct dentry *dentry, unsigned type)
-{
-	dentry->d_flags = (dentry->d_flags & ~DCACHE_ENTRY_TYPE) | type;
-}
-
-static inline void __d_clear_type(struct dentry *dentry)
-{
-	__d_set_type(dentry, DCACHE_MISS_TYPE);
-}
-
-static inline void d_set_type(struct dentry *dentry, unsigned type)
-{
-	spin_lock(&dentry->d_lock);
-	__d_set_type(dentry, type);
-	spin_unlock(&dentry->d_lock);
-}
-
 static inline unsigned __d_entry_type(const struct dentry *dentry)
 {
-	return dentry->d_flags & DCACHE_ENTRY_TYPE;
+	unsigned type = ACCESS_ONCE(dentry->d_flags);
+	smp_rmb();
+	return type & DCACHE_ENTRY_TYPE;
 }
 
 static inline bool d_can_lookup(const struct dentry *dentry)
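Review bot: __d_set_type(), __d_clear_type() and d_set_type() are removed from the header, but the diffstat covers only fs/dcache.c and this file, so please confirm that no other user of them remains in the 3.16 tree, since a leftover caller would fail to build. The smp_rmb() added to __d_entry_type() also needs a comment saying it orders the d_flags read before the caller's later d_inode read.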



* [PATCH 3.16 255/366] string: drop __must_check from strscpy()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

This was done as part of commit 08a77676f9c5 upstream, from which
the following description is taken:

> strlcpy() is worse than strlcpy() because it unconditionally runs
> strlen() on the source string, and the only reason we switched to
> strlcpy() here was because it was lacking __must_check, which doesn't
> reflect any material differences between the two functions.  It's just
> that someone added __must_check to strscpy() and not to strlcpy().
> 
> These basic string copy operations are used in variety of ways, and
> one of not-so-uncommon use cases is safely handling truncated copies,
> where the caller naturally doesn't care about the return value.  The
> __must_check doesn't match the actual use cases and forces users to
> opt for inferior variants which lack __must_check by happenstance or
> spread ugly (void) casts.

Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -26,7 +26,7 @@ extern char * strncpy(char *,const char
 size_t strlcpy(char *, const char *, size_t);
 #endif
 #ifndef __HAVE_ARCH_STRSCPY
-ssize_t __must_check strscpy(char *, const char *, size_t);
+ssize_t strscpy(char *, const char *, size_t);
 #endif
 #ifndef __HAVE_ARCH_STRCAT
 extern char * strcat(char *, const char *);
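Review bot: with __must_check dropped from the strscpy() prototype, the compiler no longer flags callers that ignore the result, and the return value is the only indication that the copy was truncated. The changelog covers the callers that do not care; for the ones that do, a comment at this declaration stating that a negative return means truncation would replace the reminder the attribute used to give.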



* [PATCH 3.16 253/366] fs, elf: make sure to page align bss in load_elf_library
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michal Hocko, Oscar Salvador, Nicolas Pitre,
	Linus Torvalds, syzbot+5dcb560fe12aa5091c06, Kees Cook,
	Tetsuo Handa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oscar Salvador <osalvador@suse.de>

commit 24962af7e1041b7e50c1bc71d8d10dc678c556b5 upstream.

The current code does not make sure to page align bss before calling
vm_brk(), and this can lead to a VM_BUG_ON() in __mm_populate() due to
the requested length not being correctly aligned.

Let us make sure to align it properly.

Kees: only applicable to CONFIG_USELIB kernels: 32-bit and configured
for libc5.

Link: http://lkml.kernel.org/r/20180705145539.9627-1-osalvador@techadventures.net
Signed-off-by: Oscar Salvador <osalvador@suse.de>
Reported-by: syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com
Tested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/binfmt_elf.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1083,9 +1083,8 @@ static int load_elf_library(struct file
 		goto out_free_ph;
 	}
 
-	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
-			    ELF_MIN_ALIGN - 1);
-	bss = eppnt->p_memsz + eppnt->p_vaddr;
+	len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
+	bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
 	if (bss > len) {
 		error = vm_brk(len, bss - len);
 		if (BAD_ADDR(error))
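Review bot: both new ELF_PAGEALIGN() arguments are sums of p_vaddr with p_filesz or p_memsz taken from the program header, and nothing in this hunk guards those additions, or the round-up itself, against wrapping. If the fields are not already range-checked earlier in load_elf_library(), a wrapped value would make the `bss > len` comparison meaningless. It is worth either pointing to that check in the changelog or adding one before the two assignments.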



* [PATCH 3.16 245/366] ARC: mm: allow mprotect to make stack mappings executable
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vineet Gupta

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit 93312b6da4df31e4102ce5420e6217135a16c7ea upstream.

mprotect(EXEC) was failing for stack mappings as default vm flags was
missing MAYEXEC.

This was triggered by glibc test suite nptl/tst-execstack testcase

What is surprising is that despite running LTP for years on, we didn't
catch this issue as it lacks a directed test case.

gcc dejagnu tests with nested functions also requiring exec stack work
fine though because they rely on the GNU_STACK segment spit out by
compiler and handled in kernel elf loader.

This glibc case is different as the stack is non exec to begin with and
a dlopen of shared lib with GNU_STACK segment triggers the exec stack
proceedings using a mprotect(PROT_EXEC) which was broken.

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/include/asm/page.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/include/asm/page.h
+++ b/arch/arc/include/asm/page.h
@@ -97,7 +97,7 @@ typedef unsigned long pgtable_t;
 #define virt_addr_valid(kaddr)  pfn_valid(__pa(kaddr) >> PAGE_SHIFT)
 
 /* Default Permissions for stack/heaps pages (Non Executable) */
-#define VM_DATA_DEFAULT_FLAGS   (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE)
+#define VM_DATA_DEFAULT_FLAGS   (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
 
 #define WANT_PAGE_VIRTUAL   1
 
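Review bot: the comment above the define still reads `(Non Executable)` while the flags now include VM_MAYEXEC. The mappings do start non-executable because VM_EXEC is absent, but the comment should say that mprotect(PROT_EXEC) is now permitted on stack and heap pages by default, since that is a deliberate relaxation that anyone auditing executable-memory policy on ARC will look for.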



* [PATCH 3.16 246/366] RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Jason Gunthorpe, Kamal Heib

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kamal Heib <kamalheib1@gmail.com>

commit d63c46734c545ad0488761059004a65c46efdde3 upstream.

Fix memory leak in the error path of mlx5_ib_create_srq() by making sure
to free the allocated srq.

Fixes: c2b37f76485f ("IB/mlx5: Fix integer overflows in mlx5_ib_create_srq")
Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/srq.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/hw/mlx5/srq.c
+++ b/drivers/infiniband/hw/mlx5/srq.c
@@ -261,18 +261,24 @@ struct ib_srq *mlx5_ib_create_srq(struct
 
 	desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
 		    srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
-	if (desc_size == 0 || srq->msrq.max_gs > desc_size)
-		return ERR_PTR(-EINVAL);
+	if (desc_size == 0 || srq->msrq.max_gs > desc_size) {
+		err = -EINVAL;
+		goto err_srq;
+	}
 	desc_size = roundup_pow_of_two(desc_size);
 	desc_size = max_t(size_t, 32, desc_size);
-	if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg))
-		return ERR_PTR(-EINVAL);
+	if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) {
+		err = -EINVAL;
+		goto err_srq;
+	}
 	srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) /
 		sizeof(struct mlx5_wqe_data_seg);
 	srq->msrq.wqe_shift = ilog2(desc_size);
 	buf_size = srq->msrq.max * desc_size;
-	if (buf_size < desc_size)
-		return ERR_PTR(-EINVAL);
+	if (buf_size < desc_size) {
+		err = -EINVAL;
+		goto err_srq;
+	}
 
 	if (pd->uobject)
 		err = create_srq_user(pd, srq, &in, udata, buf_size, &inlen);
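Review bot: the same `err = -EINVAL; goto err_srq;` block is now repeated for each of the three size checks. Setting err to -EINVAL once before the first check would leave each branch as a bare goto, and the later `err = create_srq_user(...)` assignment overwrites it on the success path anyway. Since the err_srq label is outside the hunk, please also confirm that it only frees srq and does not undo anything that is set up after these checks.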



* [PATCH 3.16 256/366] reiserfs: fix buffer overflow with long warning messages
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Biggers, Linus Torvalds, syzbot+b890b3335a4d8c608963

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit fe10e398e860955bac4d28ec031b701d358465e4 upstream.

ReiserFS prepares log messages into a 1024-byte buffer with no bounds
checks.  Long messages, such as the "unknown mount option" warning when
userspace passes a crafted mount options string, overflow this buffer.
This causes KASAN to report a global-out-of-bounds write.

Fix it by truncating messages to the buffer size.

Link: http://lkml.kernel.org/r/20180707203621.30922-1-ebiggers3@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+b890b3335a4d8c608963@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/reiserfs/prints.c | 141 +++++++++++++++++++++++++------------------
 1 file changed, 81 insertions(+), 60 deletions(-)

--- a/fs/reiserfs/prints.c
+++ b/fs/reiserfs/prints.c
@@ -76,85 +76,101 @@ static char *le_type(struct reiserfs_key
 }
 
 /* %k */
-static void sprintf_le_key(char *buf, struct reiserfs_key *key)
+static int scnprintf_le_key(char *buf, size_t size, struct reiserfs_key *key)
 {
 	if (key)
-		sprintf(buf, "[%d %d %s %s]", le32_to_cpu(key->k_dir_id),
-			le32_to_cpu(key->k_objectid), le_offset(key),
-			le_type(key));
+		return scnprintf(buf, size, "[%d %d %s %s]",
+				 le32_to_cpu(key->k_dir_id),
+				 le32_to_cpu(key->k_objectid), le_offset(key),
+				 le_type(key));
 	else
-		sprintf(buf, "[NULL]");
+		return scnprintf(buf, size, "[NULL]");
 }
 
 /* %K */
-static void sprintf_cpu_key(char *buf, struct cpu_key *key)
+static int scnprintf_cpu_key(char *buf, size_t size, struct cpu_key *key)
 {
 	if (key)
-		sprintf(buf, "[%d %d %s %s]", key->on_disk_key.k_dir_id,
-			key->on_disk_key.k_objectid, reiserfs_cpu_offset(key),
-			cpu_type(key));
+		return scnprintf(buf, size, "[%d %d %s %s]",
+				 key->on_disk_key.k_dir_id,
+				 key->on_disk_key.k_objectid,
+				 reiserfs_cpu_offset(key), cpu_type(key));
 	else
-		sprintf(buf, "[NULL]");
+		return scnprintf(buf, size, "[NULL]");
 }
 
-static void sprintf_de_head(char *buf, struct reiserfs_de_head *deh)
+static int scnprintf_de_head(char *buf, size_t size,
+			     struct reiserfs_de_head *deh)
 {
 	if (deh)
-		sprintf(buf,
-			"[offset=%d dir_id=%d objectid=%d location=%d state=%04x]",
-			deh_offset(deh), deh_dir_id(deh), deh_objectid(deh),
-			deh_location(deh), deh_state(deh));
+		return scnprintf(buf, size,
+				 "[offset=%d dir_id=%d objectid=%d location=%d state=%04x]",
+				 deh_offset(deh), deh_dir_id(deh),
+				 deh_objectid(deh), deh_location(deh),
+				 deh_state(deh));
 	else
-		sprintf(buf, "[NULL]");
+		return scnprintf(buf, size, "[NULL]");
 
 }
 
-static void sprintf_item_head(char *buf, struct item_head *ih)
+static int scnprintf_item_head(char *buf, size_t size, struct item_head *ih)
 {
 	if (ih) {
-		strcpy(buf,
-		       (ih_version(ih) == KEY_FORMAT_3_6) ? "*3.6* " : "*3.5*");
-		sprintf_le_key(buf + strlen(buf), &(ih->ih_key));
-		sprintf(buf + strlen(buf), ", item_len %d, item_location %d, "
-			"free_space(entry_count) %d",
-			ih_item_len(ih), ih_location(ih), ih_free_space(ih));
+		char *p = buf;
+		char * const end = buf + size;
+
+		p += scnprintf(p, end - p, "%s",
+			       (ih_version(ih) == KEY_FORMAT_3_6) ?
+			       "*3.6* " : "*3.5*");
+
+		p += scnprintf_le_key(p, end - p, &ih->ih_key);
+
+		p += scnprintf(p, end - p,
+			       ", item_len %d, item_location %d, free_space(entry_count) %d",
+			       ih_item_len(ih), ih_location(ih),
+			       ih_free_space(ih));
+		return p - buf;
 	} else
-		sprintf(buf, "[NULL]");
+		return scnprintf(buf, size, "[NULL]");
 }
 
-static void sprintf_direntry(char *buf, struct reiserfs_dir_entry *de)
+static int scnprintf_direntry(char *buf, size_t size,
+			      struct reiserfs_dir_entry *de)
 {
 	char name[20];
 
 	memcpy(name, de->de_name, de->de_namelen > 19 ? 19 : de->de_namelen);
 	name[de->de_namelen > 19 ? 19 : de->de_namelen] = 0;
-	sprintf(buf, "\"%s\"==>[%d %d]", name, de->de_dir_id, de->de_objectid);
+	return scnprintf(buf, size, "\"%s\"==>[%d %d]",
+			 name, de->de_dir_id, de->de_objectid);
 }
 
-static void sprintf_block_head(char *buf, struct buffer_head *bh)
+static int scnprintf_block_head(char *buf, size_t size, struct buffer_head *bh)
 {
-	sprintf(buf, "level=%d, nr_items=%d, free_space=%d rdkey ",
-		B_LEVEL(bh), B_NR_ITEMS(bh), B_FREE_SPACE(bh));
+	return scnprintf(buf, size,
+			 "level=%d, nr_items=%d, free_space=%d rdkey ",
+			 B_LEVEL(bh), B_NR_ITEMS(bh), B_FREE_SPACE(bh));
 }
 
-static void sprintf_buffer_head(char *buf, struct buffer_head *bh)
+static int scnprintf_buffer_head(char *buf, size_t size, struct buffer_head *bh)
 {
 	char b[BDEVNAME_SIZE];
 
-	sprintf(buf,
-		"dev %s, size %zd, blocknr %llu, count %d, state 0x%lx, page %p, (%s, %s, %s)",
-		bdevname(bh->b_bdev, b), bh->b_size,
-		(unsigned long long)bh->b_blocknr, atomic_read(&(bh->b_count)),
-		bh->b_state, bh->b_page,
-		buffer_uptodate(bh) ? "UPTODATE" : "!UPTODATE",
-		buffer_dirty(bh) ? "DIRTY" : "CLEAN",
-		buffer_locked(bh) ? "LOCKED" : "UNLOCKED");
+	return scnprintf(buf, size,
+			 "dev %s, size %zd, blocknr %llu, count %d, state 0x%lx, page %p, (%s, %s, %s)",
+			 bdevname(bh->b_bdev, b), bh->b_size,
+			 (unsigned long long)bh->b_blocknr,
+			 atomic_read(&(bh->b_count)),
+			 bh->b_state, bh->b_page,
+			 buffer_uptodate(bh) ? "UPTODATE" : "!UPTODATE",
+			 buffer_dirty(bh) ? "DIRTY" : "CLEAN",
+			 buffer_locked(bh) ? "LOCKED" : "UNLOCKED");
 }
 
-static void sprintf_disk_child(char *buf, struct disk_child *dc)
+static int scnprintf_disk_child(char *buf, size_t size, struct disk_child *dc)
 {
-	sprintf(buf, "[dc_number=%d, dc_size=%u]", dc_block_number(dc),
-		dc_size(dc));
+	return scnprintf(buf, size, "[dc_number=%d, dc_size=%u]",
+			 dc_block_number(dc), dc_size(dc));
 }
 
 static char *is_there_reiserfs_struct(char *fmt, int *what)
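Review bot: scnprintf_direntry(), scnprintf_block_head(), scnprintf_buffer_head() and scnprintf_disk_child() dereference their pointer argument unconditionally, while the le_key, cpu_key, de_head and item_head helpers in the same hunk print "[NULL]" for a null pointer. Since every helper is being rewritten here anyway, giving the remaining four the same null check would make the warning path uniformly safe.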
@@ -191,55 +207,60 @@ static void prepare_error_buf(const char
 	char *fmt1 = fmt_buf;
 	char *k;
 	char *p = error_buf;
+	char * const end = &error_buf[sizeof(error_buf)];
 	int what;
 
 	spin_lock(&error_lock);
 
-	strcpy(fmt1, fmt);
+	if (WARN_ON(strscpy(fmt_buf, fmt, sizeof(fmt_buf)) < 0)) {
+		strscpy(error_buf, "format string too long", end - error_buf);
+		goto out_unlock;
+	}
 
 	while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) {
 		*k = 0;
 
-		p += vsprintf(p, fmt1, args);
+		p += vscnprintf(p, end - p, fmt1, args);
 
 		switch (what) {
 		case 'k':
-			sprintf_le_key(p, va_arg(args, struct reiserfs_key *));
+			p += scnprintf_le_key(p, end - p,
+					      va_arg(args, struct reiserfs_key *));
 			break;
 		case 'K':
-			sprintf_cpu_key(p, va_arg(args, struct cpu_key *));
+			p += scnprintf_cpu_key(p, end - p,
+					       va_arg(args, struct cpu_key *));
 			break;
 		case 'h':
-			sprintf_item_head(p, va_arg(args, struct item_head *));
+			p += scnprintf_item_head(p, end - p,
+						 va_arg(args, struct item_head *));
 			break;
 		case 't':
-			sprintf_direntry(p,
-					 va_arg(args,
-						struct reiserfs_dir_entry *));
+			p += scnprintf_direntry(p, end - p,
+						va_arg(args, struct reiserfs_dir_entry *));
 			break;
 		case 'y':
-			sprintf_disk_child(p,
-					   va_arg(args, struct disk_child *));
+			p += scnprintf_disk_child(p, end - p,
+						  va_arg(args, struct disk_child *));
 			break;
 		case 'z':
-			sprintf_block_head(p,
-					   va_arg(args, struct buffer_head *));
+			p += scnprintf_block_head(p, end - p,
+						  va_arg(args, struct buffer_head *));
 			break;
 		case 'b':
-			sprintf_buffer_head(p,
-					    va_arg(args, struct buffer_head *));
+			p += scnprintf_buffer_head(p, end - p,
+						   va_arg(args, struct buffer_head *));
 			break;
 		case 'a':
-			sprintf_de_head(p,
-					va_arg(args,
-					       struct reiserfs_de_head *));
+			p += scnprintf_de_head(p, end - p,
+					       va_arg(args, struct reiserfs_de_head *));
 			break;
 		}
 
-		p += strlen(p);
 		fmt1 = k + 2;
 	}
-	vsprintf(p, fmt1, args);
+	p += vscnprintf(p, end - p, fmt1, args);
+out_unlock:
 	spin_unlock(&error_lock);
 
 }
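Review bot: once error_buf is full, every later `p += ...scnprintf(p, end - p, ...)` in prepare_error_buf() adds zero and the message is cut short with no indication in the log. Consider appending a short truncation marker or a WARN_ON_ONCE() when p reaches end - 1, so that a clipped warning is not mistaken for the complete one. The final `p += vscnprintf(p, end - p, fmt1, args);` also stores a value that is never read; a plain call would do.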



* [PATCH 3.16 351/366] usb: misc: usb3503: Update error code in print message
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marek Szyprowski, Tushar Behera, Greg Kroah-Hartman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tushar Behera <tushar.b@samsung.com>

commit ec5734c41bee2ee7c938a8f34853d31cada7e67a upstream.

'err' is uninitialized, rather print the error code directly.

This also fixes following warning.
drivers/usb/misc/usb3503.c: In function ‘usb3503_probe’:
drivers/usb/misc/usb3503.c:195:11: warning: ‘err’ may be used uninitialized
in this function [-Wmaybe-uninitialized]
    dev_err(dev, "unable to request refclk (%d)\n", err);

Signed-off-by: Tushar Behera <tushar.b@samsung.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/usb3503.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/misc/usb3503.c
+++ b/drivers/usb/misc/usb3503.c
@@ -192,7 +192,8 @@ static int usb3503_probe(struct usb3503
 
 		clk = devm_clk_get(dev, "refclk");
 		if (IS_ERR(clk) && PTR_ERR(clk) != -ENOENT) {
-			dev_err(dev, "unable to request refclk (%d)\n", err);
+			dev_err(dev, "unable to request refclk (%ld)\n",
+					PTR_ERR(clk));
 			return PTR_ERR(clk);
 		}
 
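Review bot: `PTR_ERR(clk)` is now evaluated three times in this branch (the test, the message and the return), and the format had to change to `%ld` because it yields a long. Assigning it once to the existing `err` variable, e.g. `err = PTR_ERR(clk);`, would also have fixed the uninitialized use, kept `%d`, and let the branch end in `return err;`.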


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 254/366] mm: do not bug_on on incorrect length in __mm_populate()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (266 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 108/366] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 285/366] can: xilinx_can: fix RX overflow interrupt not being enabled Ben Hutchings
                   ` (98 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Huang, Ying, Michael S. Tsirkin, Dan Williams, syzbot,
	Linus Torvalds, Aneesh Kumar K.V, Oscar Salvador, Zi Yan,
	Al Viro, Michal Hocko, Kirill A. Shutemov, Tetsuo Handa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit bb177a732c4369bb58a1fe1df8f552b6f0f7db5f upstream.

syzbot has noticed that a specially crafted library can easily hit
VM_BUG_ON in __mm_populate

  kernel BUG at mm/gup.c:1242!
  invalid opcode: 0000 [#1] SMP
  CPU: 2 PID: 9667 Comm: a.out Not tainted 4.18.0-rc3 #644
  Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
  RIP: 0010:__mm_populate+0x1e2/0x1f0
  Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
  Call Trace:
     vm_brk_flags+0xc3/0x100
     vm_brk+0x1f/0x30
     load_elf_library+0x281/0x2e0
     __ia32_sys_uselib+0x170/0x1e0
     do_fast_syscall_32+0xca/0x420
     entry_SYSENTER_compat+0x70/0x7f

The reason is that the length of the new brk is not page aligned when we
try to populate it.  There is no reason to bug on that though.
do_brk_flags already aligns the length properly so the mapping is
expanded as it should.  All we need is to tell mm_populate about it.
Besides that there is absolutely no reason to bug_on in the first
place.  The worst thing that could happen is that the last page wouldn't
get populated and that is far from putting system into an inconsistent
state.

Fix the issue by moving the length sanitization code from do_brk_flags
up to vm_brk_flags.  The only other caller of do_brk_flags is brk
syscall entry and it makes sure to provide the proper length so there
is no need for sanitation and so we can use do_brk_flags without it.

Also remove the bogus BUG_ONs.

[osalvador@techadventures.net: fix up vm_brk_flags s@request@len@]
Link: http://lkml.kernel.org/r/20180706090217.GI32658@dhcp22.suse.cz
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: syzbot <syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com>
Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Zi Yan <zi.yan@cs.rutgers.edu>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Huang, Ying" <ying.huang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - There is no do_brk_flags() function; update do_brk()
 - do_brk(), vm_brk() return the address on success
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -669,8 +669,6 @@ int __mm_populate(unsigned long start, u
 	int locked = 0;
 	long ret = 0;
 
-	VM_BUG_ON(start & ~PAGE_MASK);
-	VM_BUG_ON(len != PAGE_ALIGN(len));
 	end = start + len;
 
 	for (nstart = start; nstart < end; nstart = nend) {
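Review bot: With both `VM_BUG_ON()` checks gone, `end = start + len;` takes whatever the caller passes, and nothing here says what `__mm_populate()` now expects. A short comment above the computation stating that `start` and `len` should be page aligned, and that an unaligned `len` at worst leaves the last page unpopulated (as the changelog argues), would keep that contract from living only in the commit message.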
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2751,21 +2751,15 @@ static inline void verify_mm_writelocked
  *  anonymous maps.  eventually we may be able to do some
  *  brk-specific accounting here.
  */
-static unsigned long do_brk(unsigned long addr, unsigned long request)
+static unsigned long do_brk(unsigned long addr, unsigned long len)
 {
 	struct mm_struct * mm = current->mm;
 	struct vm_area_struct * vma, * prev;
-	unsigned long flags, len;
+	unsigned long flags;
 	struct rb_node ** rb_link, * rb_parent;
 	pgoff_t pgoff = addr >> PAGE_SHIFT;
 	int error;
 
-	len = PAGE_ALIGN(request);
-	if (len < request)
-		return -ENOMEM;
-	if (!len)
-		return addr;
-
 	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
 
 	error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
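Review bot: After this hunk `do_brk()` hands `len` straight to `get_unmapped_area()` with no alignment or wrap handling of its own, so its correctness depends on every caller having done that first. The block comment above the function is the natural place to say so, e.g. that `len` must already be page aligned and checked for wrap by the caller.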
@@ -2834,12 +2828,19 @@ out:
 	return addr;
 }
 
-unsigned long vm_brk(unsigned long addr, unsigned long len)
+unsigned long vm_brk(unsigned long addr, unsigned long request)
 {
 	struct mm_struct *mm = current->mm;
+	unsigned long len;
 	unsigned long ret;
 	bool populate;
 
+	len = PAGE_ALIGN(request);
+	if (len < request)
+		return -ENOMEM;
+	if (!len)
+		return addr;
+
 	down_write(&mm->mmap_sem);
 	ret = do_brk(addr, len);
 	populate = ((mm->def_flags & VM_LOCKED) != 0);
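Review bot: `return -ENOMEM;` in `vm_brk()` passes a negative errno through an `unsigned long`, and the `!len` case returns `addr` before `mmap_sem` is taken, so a caller can only tell failure from success with an error-range test on the result. A one-line comment on the return convention (address on success, errno value on failure) would help, since the backport note says this convention is specific to 3.16.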


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 257/366] usb: cdc_acm: Add quirk for Castles VEGA3000
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (180 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 009/366] eeepc-laptop: simplify parse_arg() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 206/366] ARM: dts: da850: Fix interrups property for gpio Ben Hutchings
                   ` (184 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oliver Neukum, Greg Kroah-Hartman, Lubomir Rintel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <lkundrak@v3.sk>

commit 1445cbe476fc3dd09c0b380b206526a49403c071 upstream.

The device (a POS terminal) implements CDC ACM, but has no union
descriptor.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1784,6 +1784,9 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */
 	.driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */
 	},
+	{ USB_DEVICE(0x0ca6, 0xa050), /* Castles VEGA3000 */
+	.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
+	},
 
 	{ USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
 	.driver_info = CLEAR_HALT_CONDITIONS,
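Review bot: The new entry's comment, `/* reports zero length descriptor */`, does not match the changelog, which says the device has no union descriptor. Please make the two agree so that whoever revisits the `NO_UNION_NORMAL` entry for `0x0ca6`/`0xa050` knows which behaviour was actually observed.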


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 296/366] tracing: Fix possible double free in event_enable_trigger_func()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (217 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 064/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 286/366] can: xilinx_can: fix incorrect clear of non-processed interrupts Ben Hutchings
                   ` (147 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware)

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 15cc78644d0075e76d59476a4467e7143860f660 upstream.

There was a case that triggered a double free in event_trigger_callback()
due to the called reg() function freeing the trigger_data and then it
getting freed again by the error return by the caller. The solution there
was to up the trigger_data ref count.

Code inspection found that event_enable_trigger_func() has the same issue,
but is not as easy to trigger (requires harder to trigger failures). It
needs to be solved slightly differently as it needs more to clean up when the
reg() function fails.

Link: http://lkml.kernel.org/r/20180725124008.7008e586@gandalf.local.home

Fixes: 7862ad1846e99 ("tracing: Add 'enable_event' and 'disable_event' event trigger commands")
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_events_trigger.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -1231,6 +1231,9 @@ event_enable_trigger_func(struct event_c
 		goto out;
 	}
 
+	/* Up the trigger_data count to make sure nothing frees it on failure */
+	event_trigger_init(trigger_ops, trigger_data);
+
 	if (trigger) {
 		number = strsep(&trigger, ":");
 
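Review bot: The reference taken by `event_trigger_init(trigger_ops, trigger_data)` has to be dropped on every exit after this point, and the result of the call is not checked. The comment explains why the count is raised; it would help to also name where it is released (the `event_trigger_free()` calls added before `out:` and under `out_free:`), so that an error path added in between later does not leak or double-drop it.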
@@ -1281,6 +1284,7 @@ event_enable_trigger_func(struct event_c
 		goto out_disable;
 	/* Just return zero, not the number of enabled functions */
 	ret = 0;
+	event_trigger_free(trigger_ops, trigger_data);
  out:
 	return ret;
 
@@ -1291,7 +1295,7 @@ event_enable_trigger_func(struct event_c
  out_free:
 	if (cmd_ops->set_filter)
 		cmd_ops->set_filter(NULL, trigger_data, NULL);
-	kfree(trigger_data);
+	event_trigger_free(trigger_ops, trigger_data);
 	kfree(enable_data);
 	goto out;
 }
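Review bot: `kfree(enable_data)` under `out_free:` stays unconditional while `trigger_data` on the line above is now released by reference count. A comment stating that `enable_data` is owned only by this function at that point, and is not reachable through a `trigger_data` that something else still holds, would make the asymmetry reviewable.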


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 251/366] binfmt_elf: fix calculations for bss padding
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 249/366] qlogic: check kstrtoul() for errors Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 047/366] tty: pl011: Avoid spuriously stuck-off interrupts Ben Hutchings
                   ` (230 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ismael Ripoll Ripoll, Andrey Ryabinin, Oleg Nesterov,
	Alexander Viro, Chen Gang, Hector Marco-Gisbert, Michal Hocko,
	Kirill A. Shutemov, Konstantin Khlebnikov, Linus Torvalds,
	Kees Cook, Andrea Arcangeli

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 0036d1f7eb95bcc52977f15507f00dd07018e7e2 upstream.

A double-bug exists in the bss calculation code, where an overflow can
happen in the "last_bss - elf_bss" calculation, but vm_brk internally
aligns the argument, underflowing it, wrapping back around safe.  We
shouldn't depend on these bugs staying in sync, so this cleans up the
bss padding handling to avoid the overflow.

This moves the bss padzero() before the last_bss > elf_bss case, since
the zero-filling of the ELF_PAGE should have nothing to do with the
relationship of last_bss and elf_bss: any trailing portion should be
zeroed, and a zero size is already handled by padzero().

Then it handles the math on elf_bss vs last_bss correctly.  These need
to both be ELF_PAGE aligned to get the comparison correct, since that's
the expected granularity of the mappings.  Since elf_bss already had
alignment-based padding happen in padzero(), the "start" of the new
vm_brk() should be moved forward as done in the original code.  However,
since the "end" of the vm_brk() area will already become PAGE_ALIGNed in
vm_brk() then last_bss should get aligned here to avoid hiding it as a
side-effect.

Additionally makes a cosmetic change to the initial last_bss calculation
so it's easier to read in comparison to the load_addr calculation above
it (i.e.  the only difference is p_filesz vs p_memsz).

Link: http://lkml.kernel.org/r/1468014494-25291-2-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/binfmt_elf.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -508,28 +508,30 @@ static unsigned long load_elf_interp(str
 			 * Do the same thing for the memory mapping - between
 			 * elf_bss and last_bss is the bss section.
 			 */
-			k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
+			k = load_addr + eppnt->p_vaddr + eppnt->p_memsz;
 			if (k > last_bss)
 				last_bss = k;
 		}
 	}
 
+	/*
+	 * Now fill out the bss section: first pad the last page from
+	 * the file up to the page boundary, and zero it from elf_bss
+	 * up to the end of the page.
+	 */
+	if (padzero(elf_bss)) {
+		error = -EFAULT;
+		goto out_close;
+	}
+	/*
+	 * Next, align both the file and mem bss up to the page size,
+	 * since this is where elf_bss was just zeroed up to, and where
+	 * last_bss will end after the vm_brk() below.
+	 */
+	elf_bss = ELF_PAGEALIGN(elf_bss);
+	last_bss = ELF_PAGEALIGN(last_bss);
+	/* Finally, if there is still more bss to allocate, do it. */
 	if (last_bss > elf_bss) {
-		/*
-		 * Now fill out the bss section.  First pad the last page up
-		 * to the page boundary, and then perform a mmap to make sure
-		 * that there are zero-mapped pages up to and including the
-		 * last bss page.
-		 */
-		if (padzero(elf_bss)) {
-			error = -EFAULT;
-			goto out_close;
-		}
-
-		/* What we have mapped so far */
-		elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
-
-		/* Map the last of the bss segment */
 		error = vm_brk(elf_bss, last_bss - elf_bss);
 		if (BAD_ADDR(error))
 			goto out_close;
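Review bot: `ELF_PAGEALIGN(last_bss)` and the sum `load_addr + eppnt->p_vaddr + eppnt->p_memsz` are both computed without a wrap check in the lines shown, so a `last_bss` in the top page of the address space aligns to zero, `last_bss > elf_bss` is then false, and the bss mapping is skipped with no error. If that input is ruled out earlier, a comment saying where would do; otherwise reject the wrapped value explicitly before the comparison.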


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 244/366] ext4: fix inline data updates with checksums enabled
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 186/366] batman-adv: debugfs, avoid compiling for !DEBUG_FS Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 236/366] USB: serial: mos7840: fix status-register error handling Ben Hutchings
                   ` (195 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 362eca70b53389bddf3143fe20f53dcce2cfdf61 upstream.

The inline data code was updating the raw inode directly; this is
problematic since if metadata checksums are enabled,
ext4_mark_inode_dirty() must be called to update the inode's checksum.
In addition, the jbd2 layer requires that get_write_access() be called
before the metadata buffer is modified.  Fix both of these problems.

https://bugzilla.kernel.org/show_bug.cgi?id=200443

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inline.c | 19 +++++++++++--------
 fs/ext4/inode.c  | 16 +++++++---------
 2 files changed, 18 insertions(+), 17 deletions(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -681,6 +681,10 @@ int ext4_try_to_write_inline_data(struct
 		goto convert;
 	}
 
+	ret = ext4_journal_get_write_access(handle, iloc.bh);
+	if (ret)
+		goto out;
+
 	flags |= AOP_FLAG_NOFS;
 
 	page = grab_cache_page_write_begin(mapping, 0, flags);
@@ -709,7 +713,7 @@ int ext4_try_to_write_inline_data(struct
 out_up_read:
 	up_read(&EXT4_I(inode)->xattr_sem);
 out:
-	if (handle)
+	if (handle && (ret != 1))
 		ext4_journal_stop(handle);
 	brelse(iloc.bh);
 	return ret;
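Review bot: `if (handle && (ret != 1))` relies on a bare `1` meaning that the handle must stay open for the caller, and nothing in the hunk says so. A comment at `out:` (or a named constant) stating what a return of 1 means and who then calls `ext4_journal_stop()` would make the handle's lifetime checkable.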
@@ -751,6 +755,7 @@ int ext4_write_inline_data_end(struct in
 
 	ext4_write_unlock_xattr(inode, &no_expand);
 	brelse(iloc.bh);
+	mark_inode_dirty(inode);
 out:
 	return copied;
 }
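Review bot: This path calls `mark_inode_dirty(inode)`, whereas the changelog names `ext4_mark_inode_dirty()` as the call needed to update the inode checksum, and the inode.c hunks use `ext4_mark_inode_dirty(handle, inode)`. If the generic helper is intended here because `ext4_write_inline_data_end()` is called without a handle, please say so in a comment.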
@@ -911,6 +916,9 @@ retry_journal:
 		if (ret < 0)
 			goto out_release_page;
 	}
+	ret = ext4_journal_get_write_access(handle, iloc.bh);
+	if (ret)
+		goto out_release_page;
 
 	up_read(&EXT4_I(inode)->xattr_sem);
 	*pagep = page;
@@ -931,7 +939,6 @@ int ext4_da_write_inline_data_end(struct
 				  unsigned len, unsigned copied,
 				  struct page *page)
 {
-	int i_size_changed = 0;
 	int ret;
 
 	ret = ext4_write_inline_data_end(inode, pos, len, copied, page);
@@ -949,10 +956,8 @@ int ext4_da_write_inline_data_end(struct
 	 * But it's important to update i_size while still holding page lock:
 	 * page writeout could otherwise come in and zero beyond i_size.
 	 */
-	if (pos+copied > inode->i_size) {
+	if (pos+copied > inode->i_size)
 		i_size_write(inode, pos+copied);
-		i_size_changed = 1;
-	}
 	unlock_page(page);
 	page_cache_release(page);
 
@@ -962,8 +967,7 @@ int ext4_da_write_inline_data_end(struct
 	 * ordering of page lock and transaction start for journaling
 	 * filesystems.
 	 */
-	if (i_size_changed)
-		mark_inode_dirty(inode);
+	mark_inode_dirty(inode);
 
 	return copied;
 }
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1113,9 +1113,10 @@ static int ext4_write_end(struct file *f
 	struct inode *inode = mapping->host;
 	int ret = 0, ret2;
 	int i_size_changed = 0;
+	int inline_data = ext4_has_inline_data(inode);
 
 	trace_ext4_write_end(inode, pos, len, copied);
-	if (ext4_has_inline_data(inode)) {
+	if (inline_data) {
 		ret = ext4_write_inline_data_end(inode, pos, len,
 						 copied, page);
 		if (ret < 0) {
@@ -1141,7 +1142,7 @@ static int ext4_write_end(struct file *f
 	 * ordering of page lock and transaction start for journaling
 	 * filesystems.
 	 */
-	if (i_size_changed)
+	if (i_size_changed || inline_data)
 		ext4_mark_inode_dirty(handle, inode);
 
 	if (pos + len > inode->i_size && ext4_can_truncate(inode))
@@ -1214,6 +1215,7 @@ static int ext4_journalled_write_end(str
 	int partial = 0;
 	unsigned from, to;
 	int size_changed = 0;
+	int inline_data = ext4_has_inline_data(inode);
 
 	trace_ext4_journalled_write_end(inode, pos, len, copied);
 	from = pos & (PAGE_CACHE_SIZE - 1);
@@ -1221,7 +1223,7 @@ static int ext4_journalled_write_end(str
 
 	BUG_ON(!ext4_handle_valid(handle));
 
-	if (ext4_has_inline_data(inode)) {
+	if (inline_data) {
 		ret = ext4_write_inline_data_end(inode, pos, len,
 						 copied, page);
 		if (ret < 0) {
@@ -1249,7 +1251,7 @@ static int ext4_journalled_write_end(str
 	unlock_page(page);
 	page_cache_release(page);
 
-	if (size_changed) {
+	if (size_changed || inline_data) {
 		ret2 = ext4_mark_inode_dirty(handle, inode);
 		if (!ret)
 			ret = ret2;
@@ -1856,11 +1858,7 @@ static int __ext4_journalled_writepage(s
 	}
 
 	if (inline_data) {
-		BUFFER_TRACE(inode_bh, "get write access");
-		ret = ext4_journal_get_write_access(handle, inode_bh);
-
-		err = ext4_handle_dirty_metadata(handle, inode, inode_bh);
-
+		ret = ext4_mark_inode_dirty(handle, inode);
 	} else {
 		ret = ext4_walk_page_buffers(handle, page_bufs, 0, len, NULL,
 					     do_journal_get_write_access);
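Review bot: In the `inline_data` branch the removed lines assigned both `ret` and `err`; the replacement assigns only `ret`. Please check that `err` is initialised on this path before anything after the `if`/`else` reads it, and note that the `BUFFER_TRACE()` call is dropped with no replacement.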


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 240/366] ibmasm: don't write out of bounds in read handler
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 365/366] perf thread_map: Correctly size buffer used with dirent->dt_name Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 189/366] batman-adv: Avoid storing non-TT-sync flags on singular entries too Ben Hutchings
                   ` (131 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Jann Horn

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream.

This read handler had a lot of custom logic and wrote outside the bounds of
the provided buffer. This could lead to kernel and userspace memory
corruption. Just use simple_read_from_buffer() with a stack buffer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------
 1 file changed, 3 insertions(+), 24 deletions(-)

--- a/drivers/misc/ibmasm/ibmasmfs.c
+++ b/drivers/misc/ibmasm/ibmasmfs.c
@@ -507,35 +507,14 @@ static int remote_settings_file_close(st
 static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
 {
 	void __iomem *address = (void __iomem *)file->private_data;
-	unsigned char *page;
-	int retval;
 	int len = 0;
 	unsigned int value;
-
-	if (*offset < 0)
-		return -EINVAL;
-	if (count == 0 || count > 1024)
-		return 0;
-	if (*offset != 0)
-		return 0;
-
-	page = (unsigned char *)__get_free_page(GFP_KERNEL);
-	if (!page)
-		return -ENOMEM;
+	char lbuf[20];
 
 	value = readl(address);
-	len = sprintf(page, "%d\n", value);
-
-	if (copy_to_user(buf, page, len)) {
-		retval = -EFAULT;
-		goto exit;
-	}
-	*offset += len;
-	retval = len;
+	len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
 
-exit:
-	free_page((unsigned long)page);
-	return retval;
+	return simple_read_from_buffer(buf, count, offset, lbuf, len);
 }
 
 static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
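Review bot: `value` is an `unsigned int` but is still formatted with `"%d\n"`, so a register value with the top bit set is reported as a negative number; `%u` matches the type. `lbuf[20]` is large enough for either form, but `scnprintf()` would make `len` the number of bytes actually stored rather than the length `snprintf()` wanted to write, which is the value `simple_read_from_buffer()` should be given.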


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 252/366] mm: refuse wrapped vm_brk requests
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (355 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 282/366] can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 093/366] libata: zpodd: make arrays cdb static, reduces object code size Ben Hutchings
                   ` (9 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kees Cook, Andrea Arcangeli, Konstantin Khlebnikov,
	Linus Torvalds, Alexander Viro, Chen Gang, Hector Marco-Gisbert,
	Michal Hocko, Kirill A. Shutemov, Ismael Ripoll Ripoll,
	Andrey Ryabinin, Oleg Nesterov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit ba093a6d9397da8eafcfbaa7d95bd34255da39a0 upstream.

The vm_brk() alignment calculations should refuse to overflow.  The ELF
loader was depending on this, but it has been fixed now.  No other unsafe
callers have been found.

Link: http://lkml.kernel.org/r/1468014494-25291-3-git-send-email-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Ismael Ripoll Ripoll <iripoll@upv.es>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/mmap.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2751,16 +2751,18 @@ static inline void verify_mm_writelocked
  *  anonymous maps.  eventually we may be able to do some
  *  brk-specific accounting here.
  */
-static unsigned long do_brk(unsigned long addr, unsigned long len)
+static unsigned long do_brk(unsigned long addr, unsigned long request)
 {
 	struct mm_struct * mm = current->mm;
 	struct vm_area_struct * vma, * prev;
-	unsigned long flags;
+	unsigned long flags, len;
 	struct rb_node ** rb_link, * rb_parent;
 	pgoff_t pgoff = addr >> PAGE_SHIFT;
 	int error;
 
-	len = PAGE_ALIGN(len);
+	len = PAGE_ALIGN(request);
+	if (len < request)
+		return -ENOMEM;
 	if (!len)
 		return addr;
 
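Review bot: The added `len < request` test catches only the wrap inside `PAGE_ALIGN()`; nothing in this hunk checks that `addr + len` itself stays in range, so that is left to the code that follows. It is worth stating in the comment above `do_brk()` which of the two checks lives where.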


^ permalink raw reply	[flat|nested] 376+ messages in thread
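
The "double-bug" described in the binfmt_elf and vm_brk changelogs above can be followed with concrete numbers. This is an added userspace model, not code from either patch; the 4096-byte page size, the assumption that ELF_MIN_ALIGN equals the page size, the sample addresses and every `model_`/`MODEL_` name are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4 KiB pages and ELF_MIN_ALIGN equal to the page size. */
#define MODEL_PAGE_SIZE 4096ULL

enum model_brk { MODEL_NOT_CALLED, MODEL_MAPPED, MODEL_NOOP, MODEL_REFUSED };

struct model_call {
	enum model_brk result;
	uint64_t addr;     /* start address handed to the vm_brk() model */
	uint64_t request;  /* length as requested by the loader */
	uint64_t len;      /* length after page alignment */
};

/* Same arithmetic as PAGE_ALIGN()/ELF_PAGEALIGN(): wraps silently near the top. */
static uint64_t model_page_align(uint64_t x)
{
	return (x + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);
}

/* Length handling of vm_brk(); refuse_wrap enables the added `len < request` test. */
static struct model_call model_vm_brk(uint64_t addr, uint64_t request, int refuse_wrap)
{
	struct model_call c = { MODEL_MAPPED, addr, request, model_page_align(request) };

	if (refuse_wrap && c.len < request)
		c.result = MODEL_REFUSED;   /* -ENOMEM in the patch */
	else if (!c.len)
		c.result = MODEL_NOOP;      /* returns addr, maps nothing */
	return c;
}

/* Loader before the fix: only elf_bss is aligned, after the comparison. */
static struct model_call model_old_loader(uint64_t elf_bss, uint64_t last_bss, int refuse_wrap)
{
	struct model_call none = { MODEL_NOT_CALLED, 0, 0, 0 };

	if (last_bss <= elf_bss)
		return none;
	elf_bss = model_page_align(elf_bss);
	/* If last_bss sits in the same page, this subtraction underflows. */
	return model_vm_brk(elf_bss, last_bss - elf_bss, refuse_wrap);
}

/* Loader after the fix: both ends are aligned before they are compared. */
static struct model_call model_new_loader(uint64_t elf_bss, uint64_t last_bss, int refuse_wrap)
{
	struct model_call none = { MODEL_NOT_CALLED, 0, 0, 0 };

	elf_bss = model_page_align(elf_bss);
	last_bss = model_page_align(last_bss);
	if (last_bss <= elf_bss)
		return none;
	return model_vm_brk(elf_bss, last_bss - elf_bss, refuse_wrap);
}

static void model_show(const char *what, struct model_call c)
{
	static const char *names[] = { "not called", "mapped", "no-op", "refused" };

	printf("%-28s request=%#llx len=%#llx -> %s\n", what,
	       (unsigned long long)c.request, (unsigned long long)c.len,
	       names[c.result]);
}

int main(void)
{
	/* Constructed case: file data ends at 0x601800, bss ends at 0x601c00,
	 * i.e. the whole bss fits in the page that padzero() already cleared. */
	uint64_t elf_bss = 0x601800, last_bss = 0x601c00;

	model_show("old loader, old vm_brk", model_old_loader(elf_bss, last_bss, 0));
	model_show("old loader, checked vm_brk", model_old_loader(elf_bss, last_bss, 1));
	model_show("new loader, checked vm_brk", model_new_loader(elf_bss, last_bss, 1));
	return 0;
}
```

With the old loader the request is 0xfffffffffffffc00, which page-aligns to zero and is silently treated as "nothing to map"; once vm_brk() refuses wrapped lengths the same request fails, which is why the loader had to be corrected as well.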

* [PATCH 3.16 241/366] mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 001/366] arm64: add missing data types in smp_load_acquire/smp_store_release Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 358/366] tools include: Add a __fallthrough statement Ben Hutchings
                   ` (324 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Stefan Agner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit 92748beac07c471d995fbec642b63572dc01b3dc upstream.

If pinctrl nodes for 100/200MHz are missing, the controller should
not select any mode which needs signal frequencies 100MHz or higher.
To prevent such speed modes the driver currently uses the quirk flag
SDHCI_QUIRK2_NO_1_8_V. This works nicely for SD cards since 1.8V
signaling is required for all faster modes and slower modes use 3.3V
signaling only.

However, there are eMMC modes which use 1.8V signaling and run below
100MHz, e.g. DDR52 at 1.8V. With using SDHCI_QUIRK2_NO_1_8_V this
mode is prevented. When using a fixed 1.8V regulator as vqmmc-supply
the stack has no valid mode to use. In this tenuous situation the
kernel continuously prints voltage switching errors:
  mmc1: Switching to 3.3V signalling voltage failed

Avoid using SDHCI_QUIRK2_NO_1_8_V and prevent faster modes by
altering the SDHCI capability register. With that the stack is able
to select 1.8V modes even if no faster pinctrl states are available:
  # cat /sys/kernel/debug/mmc1/ios
  ...
  timing spec:    8 (mmc DDR52)
  signal voltage: 1 (1.80 V)
  ...

Link: http://lkml.kernel.org/r/20180628081331.13051-1-stefan@agner.ch
Signed-off-by: Stefan Agner <stefan@agner.ch>
Fixes: ad93220de7da ("mmc: sdhci-esdhc-imx: change pinctrl state according
to uhs mode")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
 - There is no SDHCI_SUPPORT_HS400 flag to clear
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/host/sdhci-esdhc-imx.c
+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
@@ -261,6 +261,15 @@ static u32 esdhc_readl_le(struct sdhci_h
 				val = SDHCI_SUPPORT_DDR50 | SDHCI_SUPPORT_SDR104
 					| SDHCI_SUPPORT_SDR50
 					| SDHCI_USE_SDR50_TUNING;
+
+			/*
+			 * Do not advertise faster UHS modes if there are no
+			 * pinctrl states for 100MHz/200MHz.
+			 */
+			if (IS_ERR_OR_NULL(imx_data->pins_100mhz) ||
+			    IS_ERR_OR_NULL(imx_data->pins_200mhz))
+				val &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50
+					 | SDHCI_SUPPORT_SDR104);
 		}
 	}
 
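Review bot: The mask clears `SDHCI_SUPPORT_SDR50`, `SDHCI_SUPPORT_DDR50` and `SDHCI_SUPPORT_SDR104` but leaves `SDHCI_USE_SDR50_TUNING` set in `val`, so the capability word still advertises SDR50 tuning for a mode that is no longer offered. Either clear it in the same statement or say in the comment why it is harmless to leave.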
@@ -1108,15 +1117,6 @@ static int sdhci_esdhc_imx_probe(struct
 						ESDHC_PINCTRL_STATE_100MHZ);
 		imx_data->pins_200mhz = pinctrl_lookup_state(imx_data->pinctrl,
 						ESDHC_PINCTRL_STATE_200MHZ);
-		if (IS_ERR(imx_data->pins_100mhz) ||
-				IS_ERR(imx_data->pins_200mhz)) {
-			dev_warn(mmc_dev(host->mmc),
-				"could not get ultra high speed state, work on normal mode\n");
-			/* fall back to not support uhs by specify no 1.8v quirk */
-			host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
-		}
-	} else {
-		host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
 	}
 
 	err = sdhci_add_host(host);
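Review bot: Removing the `dev_warn()` together with the quirk means a board with missing 100MHz/200MHz pinctrl states now loses its faster UHS modes silently. Keeping a message next to the two `pinctrl_lookup_state()` calls would preserve the diagnostic, and a comment that `pins_100mhz`/`pins_200mhz` may hold error values or NULL from here on would document what the `IS_ERR_OR_NULL()` test in `esdhc_readl_le()` depends on.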


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 242/366] HID: hiddev: fix potential Spectre v1
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 245/366] ARC: mm: allow mprotect to make stack mappings executable Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 278/366] can: constify of_device_id array Ben Hutchings
                   ` (342 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Gustavo A. R. Silva, Jiri Kosina

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit 4f65245f2d178b9cba48350620d76faa4a098841 upstream.

uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
indirectly controlled by user-space, hence leading to a potential exploitation
of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)

Fix this by sanitizing such structure fields before using them to index
report->field, field->usage and hid->collection

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/usbhid/hiddev.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -35,6 +35,7 @@
 #include <linux/hiddev.h>
 #include <linux/compat.h>
 #include <linux/vmalloc.h>
+#include <linux/nospec.h>
 #include "usbhid.h"
 
 #ifdef CONFIG_USB_DYNAMIC_MINORS
@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(s
 
 		if (uref->field_index >= report->maxfield)
 			goto inval;
+		uref->field_index = array_index_nospec(uref->field_index,
+						       report->maxfield);
 
 		field = report->field[uref->field_index];
 		if (uref->usage_index >= field->maxusage)
 			goto inval;
+		uref->usage_index = array_index_nospec(uref->usage_index,
+						       field->maxusage);
 
 		uref->usage_code = field->usage[uref->usage_index].hid;
 
@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(s
 
 			if (uref->field_index >= report->maxfield)
 				goto inval;
+			uref->field_index = array_index_nospec(uref->field_index,
+							       report->maxfield);
 
 			field = report->field[uref->field_index];
 
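Review bot: In this branch only uref->field_index gets the array_index_nospec() clamp; the hunk's context stops at field = report->field[uref->field_index], so nothing visible here shows uref->usage_index being sanitized the way the previous hunk does before field->usage[...]. If usage_index is used as an array index further down this branch after its own bounds check, it needs the same clamp against the limit it was checked with; please confirm against the full function.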
@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *fi
 
 		if (finfo.field_index >= report->maxfield)
 			break;
+		finfo.field_index = array_index_nospec(finfo.field_index,
+						       report->maxfield);
 
 		field = report->field[finfo.field_index];
 		memset(&finfo, 0, sizeof(finfo));
@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *fi
 
 		if (cinfo.index >= hid->maxcollection)
 			break;
+		cinfo.index = array_index_nospec(cinfo.index,
+						 hid->maxcollection);
 
 		cinfo.type = hid->collection[cinfo.index].type;
 		cinfo.usage = hid->collection[cinfo.index].usage;


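The check-then-clamp pattern this patch applies, as an added userspace model (not code from the patch or the kernel tree). index_mask_nospec() follows the generic C fallback of array_index_mask_nospec() in include/linux/nospec.h; the demo_* structures, sample tables and function names are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * Valid while index and size are both <= LONG_MAX. Like the kernel's
 * generic version, it relies on arithmetic right shift of a negative
 * signed long (what gcc and clang implement).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index)) >>
			       (BITS_PER_LONG - 1));
}

/*
 * Clamp: returns index unchanged when it is in bounds, 0 otherwise.
 * Because no branch is involved, a mispredicted bounds check cannot
 * feed an out-of-range value into the dependent load.
 */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Constructed stand-ins for the report->field[] and field->usage[] tables. */
struct demo_field {
	unsigned int maxusage;
	const unsigned int *usage;
};

struct demo_report {
	unsigned int maxfield;
	const struct demo_field *field;
};

static const unsigned int usages_a[] = { 0x00010030, 0x00010031 };
static const unsigned int usages_b[] = { 0x00090001, 0x00090002, 0x00090003 };
static const struct demo_field sample_fields[] = {
	{ 2, usages_a },
	{ 3, usages_b },
};
static const struct demo_report sample_report = { 2, sample_fields };

/*
 * Two-level lookup with caller-controlled indices, in the order the
 * patch uses: architectural bounds check first, then the clamp, then
 * the array access. The clamp does not replace the check: an
 * out-of-range index would be silently turned into 0 without it.
 * Returns 0 on success, -1 where the driver would "goto inval".
 */
static int demo_usage_lookup(const struct demo_report *report,
			     unsigned int *field_index,
			     unsigned int *usage_index,
			     unsigned int *usage_code)
{
	const struct demo_field *field;

	if (*field_index >= report->maxfield)
		return -1;
	*field_index = (unsigned int)index_nospec(*field_index,
						  report->maxfield);

	field = &report->field[*field_index];
	if (*usage_index >= field->maxusage)
		return -1;
	*usage_index = (unsigned int)index_nospec(*usage_index,
						  field->maxusage);

	*usage_code = field->usage[*usage_index];
	return 0;
}
```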

* [PATCH 3.16 247/366] ext4: check for allocation block validity with block group locked
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 8d5a803c6a6ce4ec258e31f76059ea5153ba46ef upstream.

With commit 044e6e3d74a3: "ext4: don't update checksum of new
initialized bitmaps" the buffer valid bit will get set without
actually setting up the checksum for the allocation bitmap, since the
checksum will get calculated once we actually allocate an inode or
block.

If we are doing this, then we need to (re-)check the verified bit
after we take the block group lock.  Otherwise, we could race with
another process reading and verifying the bitmap, which would then
complain about the checksum being invalid.

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1780137

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -377,6 +377,8 @@ static void ext4_validate_block_bitmap(s
 		return;
 
 	ext4_lock_group(sb, block_group);
+	if (buffer_verified(bh))
+		goto verified;
 	blk = ext4_valid_block_bitmap(sb, desc, block_group, bh);
 	if (unlikely(blk != 0)) {
 		ext4_unlock_group(sb, block_group);
@@ -399,6 +401,7 @@ static void ext4_validate_block_bitmap(s
 		return;
 	}
 	set_buffer_verified(bh);
+verified:
 	ext4_unlock_group(sb, block_group);
 }
 
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -166,6 +166,8 @@ ext4_read_inode_bitmap(struct super_bloc
 
 verify:
 	ext4_lock_group(sb, block_group);
+	if (buffer_verified(bh))
+		goto verified;
 	if (!buffer_verified(bh) &&
 	    !ext4_inode_bitmap_csum_verify(sb, block_group, desc, bh,
 					   EXT4_INODES_PER_GROUP(sb) / 8)) {
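Review bot: With the early "if (buffer_verified(bh)) goto verified;" added just above, the "!buffer_verified(bh) &&" term in the condition that follows is redundant on this path unless some other writer sets the bit without holding the group lock. Dropping it would leave the checksum call as the only condition and make the locked re-check easier to read.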
@@ -183,8 +185,9 @@ verify:
 		set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state);
 		return NULL;
 	}
-	ext4_unlock_group(sb, block_group);
 	set_buffer_verified(bh);
+verified:
+	ext4_unlock_group(sb, block_group);
 	return bh;
 }
 
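Review bot: The commit message describes only the added re-check, but this hunk also moves set_buffer_verified(bh) ahead of ext4_unlock_group(), so the bit is now set while the group lock is held. That reordering is what makes the re-check at the top of the locked section reliable, and it deserves a sentence in the changelog.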



* [PATCH 3.16 249/366] qlogic: check kstrtoul() for errors
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 5fc853cc01c68f84984ecc2d5fd777ecad78240f upstream.

We accidentally left out the error handling for kstrtoul().

Fixes: a520030e326a ("qlcnic: Implement flash sysfs callback for 83xx adapter")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c
@@ -1122,6 +1122,8 @@ static ssize_t qlcnic_83xx_sysfs_flash_w
 		return QL_STATUS_INVALID_PARAM;
 
 	ret = kstrtoul(buf, 16, &data);
+	if (ret)
+		return ret;
 
 	switch (data) {
 	case QLC_83XX_FLASH_SECTOR_ERASE_CMD:
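Review bot: The new error return hands back kstrtoul()'s negative errno, while the check immediately above returns QL_STATUS_INVALID_PARAM from the same ssize_t sysfs write handler. It is worth confirming that the two follow the same convention (both negative error values); otherwise user space sees inconsistent results for malformed input depending on which check rejects it.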



* [PATCH 3.16 170/366] xen-netfront: Improve error handling during initialization
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Boris Ostrovsky, Ross Lagerwall

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit e2e004acc7cbe3c531e752a270a74e95cde3ea48 upstream.

This fixes a crash when running out of grant refs when creating many
queues across many netdevs.

* If creating queues fails (i.e. there are no grant refs available),
call xenbus_dev_fatal() to ensure that the xenbus device is set to the
closed state.
* If no queues are created, don't call xennet_disconnect_backend as
netdev->real_num_tx_queues will not have been set correctly.
* If setup_netfront() fails, ensure that all the queues created are
cleaned up, not just those that have been set up.
* If any queues were set up and an error occurs, call
xennet_destroy_queues() to clean up the napi context.
* If any fatal error occurs, unregister and destroy the netdev to avoid
leaving around a half setup network device.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1879,27 +1879,19 @@ static int talk_to_netback(struct xenbus
 		xennet_destroy_queues(info);
 
 	err = xennet_create_queues(info, &num_queues);
-	if (err < 0)
-		goto destroy_ring;
+	if (err < 0) {
+		xenbus_dev_fatal(dev, err, "creating queues");
+		kfree(info->queues);
+		info->queues = NULL;
+		goto out;
+	}
 
 	/* Create shared ring, alloc event channel -- for each queue */
 	for (i = 0; i < num_queues; ++i) {
 		queue = &info->queues[i];
 		err = setup_netfront(dev, queue, feature_split_evtchn);
-		if (err) {
-			/* setup_netfront() will tidy up the current
-			 * queue on error, but we need to clean up
-			 * those already allocated.
-			 */
-			if (i > 0) {
-				rtnl_lock();
-				netif_set_real_num_tx_queues(info->netdev, i);
-				rtnl_unlock();
-				goto destroy_ring;
-			} else {
-				goto out;
-			}
-		}
+		if (err)
+			goto destroy_ring;
 	}
 
 again:
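Review bot: On the xennet_create_queues() failure path the cleanup is an open-coded kfree(info->queues), whereas the setup_netfront() failure below goes to destroy_ring and, per the next hunk, through xennet_destroy_queues(). The open-coded path is only safe if xennet_create_queues() has already undone any per-queue setup (the napi contexts the commit message mentions) before returning an error; a short comment stating that assumption would help.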
@@ -1986,9 +1978,10 @@ abort_transaction_no_dev_fatal:
 	xenbus_transaction_end(xbt, 1);
  destroy_ring:
 	xennet_disconnect_backend(info);
-	kfree(info->queues);
-	info->queues = NULL;
+	xennet_destroy_queues(info);
  out:
+	unregister_netdev(info->netdev);
+	xennet_free_netdev(info->netdev);
 	return err;
 }
 
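Review bot: Every error exit, including the early ones that jump straight to out, now runs unregister_netdev() and xennet_free_netdev() on info->netdev, but nothing here marks the device as gone. xennet_remove(), shown in other patches of this series, performs the same unregister and free, so please check that the fatal state set by xenbus_dev_fatal() cannot lead to a second teardown of the same netdev, and that no caller touches info after talk_to_netback() fails.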



* [PATCH 3.16 250/366] mm, elf: handle vm_brk error
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michal Hocko, Alexander Viro, Linus Torvalds, Vlastimil Babka

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit ecc2bc8ac03884266cf73f8a2a42b911465b2fbc upstream.

load_elf_library doesn't handle vm_brk failure although nothing really
indicates it cannot do that because the function is allowed to fail due
to vm_mmap failures already.  This might not be a problem now but a later
patch will make vm_brk killable (resp.  mmap_sem for write waiting will
become killable) and so the failure will be more probable.

Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/binfmt_elf.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1084,8 +1084,11 @@ static int load_elf_library(struct file
 	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
 			    ELF_MIN_ALIGN - 1);
 	bss = eppnt->p_memsz + eppnt->p_vaddr;
-	if (bss > len)
-		vm_brk(len, bss - len);
+	if (bss > len) {
+		error = vm_brk(len, bss - len);
+		if (BAD_ADDR(error))
+			goto out_free_ph;
+	}
 	error = 0;
 
 out_free_ph:
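Review bot: The result of vm_brk() is stored in error and then tested with BAD_ADDR(), but the declaration of error is outside this hunk. If error is an int, an address-sized return value is truncated before the test, so please confirm the variable is wide enough, or test the return value in an unsigned long and convert to an errno afterwards. On failure the function also now returns whatever vm_brk() produced rather than a fixed error code, which callers should be prepared for.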



* [PATCH 3.16 248/366] skbuff: Unconditionally copy pfmemalloc in __skb_clone()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sabrina Dubroca, Stefano Brivio, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit e78bfb0751d4e312699106ba7efbed2bab1a53ca upstream.

Commit 8b7008620b84 ("net: Don't copy pfmemalloc flag in
__copy_skb_header()") introduced a different handling for the
pfmemalloc flag in copy and clone paths.

In __skb_clone(), now, the flag is set only if it was set in the
original skb, but not cleared if it wasn't. This is wrong and
might lead to socket buffers being flagged with pfmemalloc even
if the skb data wasn't allocated from pfmemalloc reserves. Copy
the flag instead of ORing it.

Reported-by: Sabrina Dubroca <sd@queasysnail.net>
Fixes: 8b7008620b84 ("net: Don't copy pfmemalloc flag in __copy_skb_header()")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: We didn't set the pfmemalloc flag in either copy
 or clone path until now]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -768,6 +768,7 @@ static struct sk_buff *__skb_clone(struc
 	n->cloned = 1;
 	n->nohdr = 0;
 	n->peeked = 0;
+	C(pfmemalloc);
 	n->destructor = NULL;
 	C(tail);
 	C(end);
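Review bot: The quoted upstream description talks about replacing an OR of the flag with a copy, but in this tree the hunk only adds C(pfmemalloc) to __skb_clone(); the backport note is the only place that explains 3.16 never set the flag here. Since only the clone path is visible in this patch, it would help if the backport note said explicitly that the copy path is intentionally left without the flag.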



* [PATCH 3.16 166/366] xen-netfront: Use static attribute groups for sysfs entries
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, David Vrabel, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 27b917e54bed7156c2b0249969ace34a5f585626 upstream.

Instead of manual calls of device_create_file() and
device_remove_files(), assign the static attribute groups to netdev
groups array.  This simplifies the code and avoids the possible
races.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 62 ++++++++++----------------------------
 1 file changed, 16 insertions(+), 46 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -228,11 +228,7 @@ static grant_ref_t xennet_get_rx_ref(str
 }
 
 #ifdef CONFIG_SYSFS
-static int xennet_sysfs_addif(struct net_device *netdev);
-static void xennet_sysfs_delif(struct net_device *netdev);
-#else /* !CONFIG_SYSFS */
-#define xennet_sysfs_addif(dev) (0)
-#define xennet_sysfs_delif(dev) do { } while (0)
+static const struct attribute_group xennet_dev_group;
 #endif
 
 static bool xennet_can_sg(struct net_device *dev)
@@ -1399,20 +1395,15 @@ static int netfront_probe(struct xenbus_
 
 	info = netdev_priv(netdev);
 	dev_set_drvdata(&dev->dev, info);
-
+#ifdef CONFIG_SYSFS
+	info->netdev->sysfs_groups[0] = &xennet_dev_group;
+#endif
 	err = register_netdev(info->netdev);
 	if (err) {
 		pr_warn("%s: register_netdev err=%d\n", __func__, err);
 		goto fail;
 	}
 
-	err = xennet_sysfs_addif(info->netdev);
-	if (err) {
-		unregister_netdev(info->netdev);
-		pr_warn("%s: add sysfs failed err=%d\n", __func__, err);
-		goto fail;
-	}
-
 	return 0;
 
  fail:
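Review bot: info->netdev->sysfs_groups[0] hard-codes the first slot of the netdev's group array, which assumes nothing else has claimed that slot before register_netdev() runs. A one-line comment saying the driver owns slot 0 would make the assumption explicit. The hunk also drops the blank line between dev_set_drvdata() and the #ifdef, which looks unintentional.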
@@ -2278,39 +2269,20 @@ static ssize_t show_rxbuf_cur(struct dev
 		return sprintf(buf, "0\n");
 }
 
-static struct device_attribute xennet_attrs[] = {
-	__ATTR(rxbuf_min, S_IRUGO|S_IWUSR, show_rxbuf_min, store_rxbuf_min),
-	__ATTR(rxbuf_max, S_IRUGO|S_IWUSR, show_rxbuf_max, store_rxbuf_max),
-	__ATTR(rxbuf_cur, S_IRUGO, show_rxbuf_cur, NULL),
+static DEVICE_ATTR(rxbuf_min, S_IRUGO|S_IWUSR, show_rxbuf_min, store_rxbuf_min);
+static DEVICE_ATTR(rxbuf_max, S_IRUGO|S_IWUSR, show_rxbuf_max, store_rxbuf_max);
+static DEVICE_ATTR(rxbuf_cur, S_IRUGO, show_rxbuf_cur, NULL);
+
+static struct attribute *xennet_dev_attrs[] = {
+	&dev_attr_rxbuf_min.attr,
+	&dev_attr_rxbuf_max.attr,
+	&dev_attr_rxbuf_cur.attr,
+	NULL
 };
 
-static int xennet_sysfs_addif(struct net_device *netdev)
-{
-	int i;
-	int err;
-
-	for (i = 0; i < ARRAY_SIZE(xennet_attrs); i++) {
-		err = device_create_file(&netdev->dev,
-					   &xennet_attrs[i]);
-		if (err)
-			goto fail;
-	}
-	return 0;
-
- fail:
-	while (--i >= 0)
-		device_remove_file(&netdev->dev, &xennet_attrs[i]);
-	return err;
-}
-
-static void xennet_sysfs_delif(struct net_device *netdev)
-{
-	int i;
-
-	for (i = 0; i < ARRAY_SIZE(xennet_attrs); i++)
-		device_remove_file(&netdev->dev, &xennet_attrs[i]);
-}
-
+static const struct attribute_group xennet_dev_group = {
+	.attrs = xennet_dev_attrs
+};
 #endif /* CONFIG_SYSFS */
 
 static const struct xenbus_device_id netfront_ids[] = {
@@ -2328,8 +2300,6 @@ static int xennet_remove(struct xenbus_d
 
 	xennet_disconnect_backend(info);
 
-	xennet_sysfs_delif(info->netdev);
-
 	unregister_netdev(info->netdev);
 
 	if (num_queues) {



* [PATCH 3.16 168/366] xen-netfront: Remove the meaningless code
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Li, Liang Z, David Vrabel, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Li, Liang Z" <liang.z.li@intel.com>

commit 905726c1c5a3ca620ba7d73c78eddfb91de5ce28 upstream.

The function netif_set_real_num_tx_queues() will return -EINVAL if
the second parameter < 1, so calling this function with the second
parameter set to 0 is meaningless.

Signed-off-by: Liang Li <liang.z.li@intel.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 7 -------
 1 file changed, 7 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1330,10 +1330,6 @@ static struct net_device *xennet_create_
 	np                   = netdev_priv(netdev);
 	np->xbdev            = dev;
 
-	/* No need to use rtnl_lock() before the call below as it
-	 * happens before register_netdev().
-	 */
-	netif_set_real_num_tx_queues(netdev, 0);
 	np->queues = NULL;
 
 	err = -ENOMEM;
@@ -1992,9 +1988,6 @@ abort_transaction_no_dev_fatal:
 	xennet_disconnect_backend(info);
 	kfree(info->queues);
 	info->queues = NULL;
-	rtnl_lock();
-	netif_set_real_num_tx_queues(info->netdev, 0);
-	rtnl_unlock();
  out:
 	return err;
 }


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 173/366] xen-netfront: Fix mismatched rtnl_unlock
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Juergen Gross, David S. Miller, Ross Lagerwall, Ben Hutchings

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit cb257783c2927b73614b20f915a91ff78aa6f3e8 upstream.

Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1857,7 +1857,7 @@ static int talk_to_netback(struct xenbus
 	err = xen_net_read_mac(dev, info->netdev->dev_addr);
 	if (err) {
 		xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename);
-		goto out;
+		goto out_unlocked;
 	}
 
 	rtnl_lock();
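Review bot: The changelog consists only of tags, so the reader has to infer the bug from this hunk: the xen_net_read_mac() failure jumped to out, which calls rtnl_unlock(), before rtnl_lock() had been taken. One sentence saying so in the commit message would make the fix reviewable without the Fixes: commit at hand.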
@@ -1969,6 +1969,7 @@ abort_transaction_no_dev_fatal:
 	xennet_destroy_queues(info);
  out:
 	rtnl_unlock();
+out_unlocked:
 	device_unregister(&dev->dev);
 	return err;
 }
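Review bot: The new out_unlocked: label starts in column 0 while the out: label two lines above it is indented by one space. Matching the file's existing label style keeps the two exits visually paired.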



* [PATCH 3.16 167/366] xen-netfront: properly destroy queues when removing device
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Vrabel, David S. Miller, Boris Ostrovsky

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Vrabel <david.vrabel@citrix.com>

commit ad0681185770716523c81b156c44b9804d7b8ed2 upstream.

xennet_remove() freed the queues before freeing the netdevice which
results in a use-after-free when free_netdev() tries to delete the
napi instances that have already been freed.

Fix this by fully destroying the queues (which includes deleting the napi
instances) before freeing the netdevice.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: I already backported most of this along with
 the later commit 74470954857c "xen-netfront: Delete rx_refill_timer in
  xennet_disconnect_backend()"; don't move the del_timer_sync() again.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -2294,7 +2294,6 @@ static const struct xenbus_device_id net
 static int xennet_remove(struct xenbus_device *dev)
 {
 	struct netfront_info *info = dev_get_drvdata(&dev->dev);
-	unsigned int num_queues = info->netdev->real_num_tx_queues;
 
 	dev_dbg(&dev->dev, "%s\n", dev->nodename);
 
@@ -2302,11 +2301,7 @@ static int xennet_remove(struct xenbus_d
 
 	unregister_netdev(info->netdev);
 
-	if (num_queues) {
-		kfree(info->queues);
-		info->queues = NULL;
-	}
-
+	xennet_destroy_queues(info);
 	xennet_free_netdev(info->netdev);
 
 	return 0;
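Review bot: The old code freed info->queues only when num_queues was non-zero; this hunk calls xennet_destroy_queues(info) unconditionally. If the device is removed before any queues were created, the helper runs with no queue array, so either it has to tolerate info->queues == NULL or the call needs a guard here. Patch 169/366 in this series adds such a guard, so the two should be applied together.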



* [PATCH 3.16 179/366] xen: Remove unnecessary BUG_ON from __unbind_from_irq()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Ostrovsky, Ben Hutchings, Juergen Gross

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

commit eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff upstream.

Commit 910f8befdf5b ("xen/pirq: fix error path cleanup when binding
MSIs") fixed a couple of errors in the error cleanup path of
xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
__unbind_from_irq() with an unbound irq, which would result in
triggering the BUG_ON there.

Since there is really no reason for the BUG_ON (xen_free_irq() can
operate on unbound irqs) we can remove it.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/events/events_base.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -636,8 +636,6 @@ static void __unbind_from_irq(unsigned i
 		xen_irq_info_cleanup(info);
 	}
 
-	BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND);
-
 	xen_free_irq(irq);
 }
 



* [PATCH 3.16 237/366] xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Dan Carpenter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 313db3d6488bb03b61b99de9dbca061f1fd838e1 upstream.

The > should be >= here so that we don't read one element beyond the end
of the ep->stream_info->stream_rings[] array.

Fixes: e9df17eb1408 ("USB: xhci: Correct assumptions about number of rings per endpoint.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -638,7 +638,7 @@ struct xhci_ring *xhci_stream_id_to_ring
 	if (!ep->stream_info)
 		return NULL;
 
-	if (stream_id > ep->stream_info->num_streams)
+	if (stream_id >= ep->stream_info->num_streams)
 		return NULL;
 	return ep->stream_info->stream_rings[stream_id];
 }
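Review bot: With >= the check rejects stream_id == num_streams, but it is a complete bounds check only if stream_id is unsigned; the parameter list is cut off in the hunk header, so please confirm the type. A signed stream_id would let a negative value pass this test and reach the stream_rings[] access on the next line.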



* [PATCH 3.16 169/366] net/xen-netfront: only clean up queues if present
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chas Williams, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chas Williams <3chas3@gmail.com>

commit 9a873c71e91cabf4c10fd9bbd8358c22deaf6c9e upstream.

If you simply load and unload the module without starting the interfaces,
the queues are never created and you get a bad pointer dereference.

Signed-off-by: Chas Williams <3chas3@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1422,7 +1422,7 @@ static void xennet_disconnect_backend(st
 
 	netif_carrier_off(info->netdev);
 
-	for (i = 0; i < num_queues; ++i) {
+	for (i = 0; i < num_queues && info->queues; ++i) {
 		struct netfront_queue *queue = &info->queues[i];
 
 		del_timer_sync(&queue->rx_refill_timer);
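Review bot: Testing info->queues in the loop condition re-evaluates a loop-invariant pointer on every iteration and hides the intent. An explicit check before the loop (skip the per-queue teardown when info->queues is NULL) would read more clearly and leave the for statement as a plain count.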
@@ -2294,7 +2294,8 @@ static int xennet_remove(struct xenbus_d
 
 	unregister_netdev(info->netdev);
 
-	xennet_destroy_queues(info);
+	if (info->queues)
+		xennet_destroy_queues(info);
 	xennet_free_netdev(info->netdev);
 
 	return 0;
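Review bot: The NULL guard is placed at this one call site rather than inside xennet_destroy_queues(). Other callers in this file (talk_to_netback() calls the helper in other patches of this series) would need the same protection, so putting the check at the top of the helper would cover them all.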



* [PATCH 3.16 178/366] Input: elantech - fix V4 report decoding for module with middle key
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, ???

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: ??? <kt.liao@emc.com.tw>

commit e0ae2519ca004a628fa55aeef969c37edce522d3 upstream.

Some touchpads have a middle key, which is indicated in bit 2 of packet[0].
We need to fix the V4 formation's byte mask to prevent decoding errors.

Signed-off-by: KT Liao <kt.liao@emc.com.tw>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/elantech.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -737,7 +737,7 @@ static int elantech_packet_check_v4(stru
 	if (etd->crc_enabled)
 		sanity_check = ((packet[3] & 0x08) == 0x00);
 	else
-		sanity_check = ((packet[0] & 0x0c) == 0x04 &&
+		sanity_check = ((packet[0] & 0x08) == 0x00 &&
 				(packet[3] & 0x1c) == 0x10);
 
 	if (!sanity_check)
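Review bot: The non-CRC check on packet[0] goes from mask 0x0c with value 0x04 to mask 0x08 with value 0x00, so bit 2 is no longer examined at all and the sanity check accepts more packets than before. That matches the changelog (bit 2 now carries the middle key), but a comment on this line naming bit 2 as the middle-button bit would stop a later cleanup from tightening the mask again.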



* [PATCH 3.16 174/366] xen-netfront: Update features after registering netdev
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Juergen Gross, David S. Miller, Ross Lagerwall, Liam Shepherd

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 upstream.

Update the features after calling register_netdev(), otherwise the
device features are not set up correctly and it is not possible to change
the MTU of the device. After this change, the features reported by
ethtool match the device's features before the commit which introduced
the issue and it is possible to change the device's MTU.

Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
Reported-by: Liam Shepherd <liam@dancer.es>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -2001,10 +2001,6 @@ static int xennet_connect(struct net_dev
 	/* talk_to_netback() sets the correct number of queues */
 	num_queues = dev->real_num_tx_queues;
 
-	rtnl_lock();
-	netdev_update_features(dev);
-	rtnl_unlock();
-
 	if (dev->reg_state == NETREG_UNINITIALIZED) {
 		err = register_netdev(dev);
 		if (err) {
@@ -2014,6 +2010,10 @@ static int xennet_connect(struct net_dev
 		}
 	}
 
+	rtnl_lock();
+	netdev_update_features(dev);
+	rtnl_unlock();
+
 	/*
 	 * All public and private state should now be sane.  Get
 	 * ready to start sending and receiving packets and give the driver
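
Review bot: With netdev_update_features() moved below the register_netdev() block, a newly registered device is visible to userspace for a short window with its pre-update feature set. A comment above the re-added rtnl_lock() stating that the update must follow registration, and why, would keep a later cleanup from moving it back above the "dev->reg_state == NETREG_UNINITIALIZED" check.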


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 163/366] xen-netfront: fix locking in connect error path
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 227/366] smsc75xx: Add workaround for gigabit link up hardware errata Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 045/366] vfs: add the sb_start_intwrite_trylock() helper Ben Hutchings
                   ` (237 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David Vrabel, David S. Miller

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Vrabel <david.vrabel@citrix.com>

commit db8c8ab61a28d7e3eb86d247b342a853263262c3 upstream.

If no queues could be created when connecting to the backend, one of the
error paths would deadlock.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -2000,7 +2000,7 @@ abort_transaction_no_dev_fatal:
 	info->queues = NULL;
 	rtnl_lock();
 	netif_set_real_num_tx_queues(info->netdev, 0);
-	rtnl_lock();
+	rtnl_unlock();
  out:
 	return err;
 }
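
Review bot: The second rtnl_lock() after netif_set_real_num_tx_queues() self-deadlocked and rtnl_unlock() is the right pairing, but the changelog does not name the commit that introduced the typo. A Fixes: tag would let stable trees pick this up together with the change that added the locked region; it is also worth checking the other jumps to "out:" to confirm none of them arrives with rtnl held.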


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 176/366] Input: elantech - report the middle button of the touchpad
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 158/366] x86: Call fixup_exception() before notify_die() in math_error() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 157/366] udf: Detect incorrect directory size Ben Hutchings
                   ` (305 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Stefan Valouch, Ulrik De Bie

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ulrik De Bie <ulrik.debie-os@e2big.org>

commit f386474e12a560e005ec7899e78f51f6bdc3cf41 upstream.

In the past, no elantech was known with 3 touchpad mouse buttons.
Fujitsu H730 is the first known elantech with a middle button. This commit
enables this middle button. For backwards compatibility, the Fujitsu is
detected via DMI, and only for this one 3 buttons will be announced.

Reported-by: Stefan Valouch <stefan@valouch.com>
Signed-off-by: Ulrik De Bie <ulrik.debie-os@e2big.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/elantech.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -500,6 +500,7 @@ static void elantech_input_sync_v4(struc
 	} else {
 		input_report_key(dev, BTN_LEFT, packet[0] & 0x01);
 		input_report_key(dev, BTN_RIGHT, packet[0] & 0x02);
+		input_report_key(dev, BTN_MIDDLE, packet[0] & 0x04);
 	}
 
 	input_mt_report_pointer_emulation(dev, true);
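
Review bot: BTN_MIDDLE is reported from packet[0] bit 2 for every device that takes this branch, while the capability bit is only set under the DMI match in elantech_set_input_params(). That is harmless only because the input core ignores keys a device never advertised; say so in a comment next to the new input_report_key() call, or gate the report on the same condition, so the asymmetry is not mistaken for a bug.
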
@@ -1064,6 +1065,22 @@ static void elantech_set_buttonpad_prop(
 }
 
 /*
+ * Some hw_version 4 models do have a middle button
+ */
+static const struct dmi_system_id elantech_dmi_has_middle_button[] = {
+#if defined(CONFIG_DMI) && defined(CONFIG_X86)
+	{
+		/* Fujitsu H730 has a middle button */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H730"),
+		},
+	},
+#endif
+	{ }
+};
+
+/*
  * Set the appropriate event bits for the input subsystem
  */
 static int elantech_set_input_params(struct psmouse *psmouse)
@@ -1082,6 +1099,8 @@ static int elantech_set_input_params(str
 	__clear_bit(EV_REL, dev->evbit);
 
 	__set_bit(BTN_LEFT, dev->keybit);
+	if (dmi_check_system(elantech_dmi_has_middle_button))
+		__set_bit(BTN_MIDDLE, dev->keybit);
 	__set_bit(BTN_RIGHT, dev->keybit);
 
 	__set_bit(BTN_TOUCH, dev->keybit);
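
Review bot: The "if (dmi_check_system(elantech_dmi_has_middle_button))" test advertises the button on the strength of a DMI system match, which identifies the laptop rather than the touchpad, so every further model needs another table entry. If the touchpad itself can indicate a middle button, keying on that would scale better; failing that, the comment above the table should say that entries are per machine and that unlisted V4 devices keep two buttons for backwards compatibility.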


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 172/366] xen-netfront: Fix race between device setup and open
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (235 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 189/366] batman-adv: Avoid storing non-TT-sync flags on singular entries too Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 323/366] media: v4l: event: Prevent freeing event subscriptions while accessed Ben Hutchings
                   ` (129 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ross Lagerwall, Boris Ostrovsky, Juergen Gross

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit f599c64fdf7d9c108e8717fb04bc41c680120da4 upstream.

When a netfront device is set up it registers a netdev fairly early on,
before it has set up the queues and is actually usable. A userspace tool
like NetworkManager will immediately try to open it and access its state
as soon as it appears. The bug can be reproduced by hotplugging VIFs
until the VM runs out of grant refs. It registers the netdev but fails
to set up any queues (since there are no more grant refs). In the
meantime, NetworkManager opens the device and the kernel crashes trying
to access the queues (of which there are none).

Fix this in two ways:
* For initial setup, register the netdev much later, after the queues
are set up. This avoids the race entirely.
* During a suspend/resume cycle, the frontend reconnects to the backend
and the queues are recreated. It is possible (though highly unlikely) to
race with something opening the device and accessing the queues after
they have been destroyed but before they have been recreated. Extend the
region covered by the rtnl semaphore to protect against this race. There
is a possibility that we fail to recreate the queues so check for this
in the open function.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 46 ++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 22 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -369,6 +369,9 @@ static int xennet_open(struct net_device
 	unsigned int i = 0;
 	struct netfront_queue *queue = NULL;
 
+	if (!np->queues)
+		return -ENODEV;
+
 	for (i = 0; i < num_queues; ++i) {
 		queue = &np->queues[i];
 		napi_enable(&queue->napi);
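
Review bot: The new "if (!np->queues) return -ENODEV;" is race-free only if xennet_open() and the code that clears the queues pointer both run under rtnl, and nothing in this function says so. Add a comment above the check naming the lock it relies on.
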
@@ -1394,18 +1397,8 @@ static int netfront_probe(struct xenbus_
 #ifdef CONFIG_SYSFS
 	info->netdev->sysfs_groups[0] = &xennet_dev_group;
 #endif
-	err = register_netdev(info->netdev);
-	if (err) {
-		pr_warn("%s: register_netdev err=%d\n", __func__, err);
-		goto fail;
-	}
 
 	return 0;
-
- fail:
-	xennet_free_netdev(netdev);
-	dev_set_drvdata(&dev->dev, NULL);
-	return err;
 }
 
 static void xennet_end_access(int ref, void *page)
@@ -1779,8 +1772,6 @@ static void xennet_destroy_queues(struct
 {
 	unsigned int i;
 
-	rtnl_lock();
-
 	for (i = 0; i < info->netdev->real_num_tx_queues; i++) {
 		struct netfront_queue *queue = &info->queues[i];
 
@@ -1789,8 +1780,6 @@ static void xennet_destroy_queues(struct
 		netif_napi_del(&queue->napi);
 	}
 
-	rtnl_unlock();
-
 	kfree(info->queues);
 	info->queues = NULL;
 }
@@ -1806,8 +1795,6 @@ static int xennet_create_queues(struct n
 	if (!info->queues)
 		return -ENOMEM;
 
-	rtnl_lock();
-
 	for (i = 0; i < *num_queues; i++) {
 		struct netfront_queue *queue = &info->queues[i];
 
@@ -1816,7 +1803,7 @@ static int xennet_create_queues(struct n
 
 		ret = xennet_init_queue(queue);
 		if (ret < 0) {
-			dev_warn(&info->netdev->dev,
+			dev_warn(&info->xbdev->dev,
 				 "only created %d queues\n", i);
 			*num_queues = i;
 			break;
@@ -1830,10 +1817,8 @@ static int xennet_create_queues(struct n
 
 	netif_set_real_num_tx_queues(info->netdev, *num_queues);
 
-	rtnl_unlock();
-
 	if (*num_queues == 0) {
-		dev_err(&info->netdev->dev, "no queues\n");
+		dev_err(&info->xbdev->dev, "no queues\n");
 		return -EINVAL;
 	}
 	return 0;
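
Review bot: netif_set_real_num_tx_queues() is still called at the top of this hunk but the rtnl_unlock() that followed it is gone, so xennet_create_queues() now depends on every caller holding rtnl. An ASSERT_RTNL() at the start of xennet_create_queues() and xennet_destroy_queues() would document and enforce the new contract.
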
@@ -1875,6 +1860,7 @@ static int talk_to_netback(struct xenbus
 		goto out;
 	}
 
+	rtnl_lock();
 	if (info->queues)
 		xennet_destroy_queues(info);
 
@@ -1885,6 +1871,7 @@ static int talk_to_netback(struct xenbus
 		info->queues = NULL;
 		goto out;
 	}
+	rtnl_unlock();
 
 	/* Create shared ring, alloc event channel -- for each queue */
 	for (i = 0; i < num_queues; ++i) {
@@ -1978,8 +1965,10 @@ abort_transaction_no_dev_fatal:
 	xenbus_transaction_end(xbt, 1);
  destroy_ring:
 	xennet_disconnect_backend(info);
+	rtnl_lock();
 	xennet_destroy_queues(info);
  out:
+	rtnl_unlock();
 	device_unregister(&dev->dev);
 	return err;
 }
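
Review bot: "out:" now calls rtnl_unlock() unconditionally, but the "goto out;" visible in the first talk_to_netback() hunk of this patch sits before the new rtnl_lock(), so that path reaches the unlock without holding rtnl. Either take the lock before any jump to "out:", or split the label so that only the paths holding rtnl pass through the rtnl_unlock().
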
@@ -2015,6 +2004,15 @@ static int xennet_connect(struct net_dev
 	netdev_update_features(dev);
 	rtnl_unlock();
 
+	if (dev->reg_state == NETREG_UNINITIALIZED) {
+		err = register_netdev(dev);
+		if (err) {
+			pr_warn("%s: register_netdev err=%d\n", __func__, err);
+			device_unregister(&np->xbdev->dev);
+			return err;
+		}
+	}
+
 	/*
 	 * All public and private state should now be sane.  Get
 	 * ready to start sending and receiving packets and give the driver
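
Review bot: On first connect, register_netdev() now runs after the netdev_update_features() call shown at the top of this hunk, so the feature update is applied while the device is still NETREG_UNINITIALIZED. Patch 174 of this series carries a Fixes: tag for this commit and moves the update below registration; the two should be applied together, and a comment here on the required ordering would help.
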
@@ -2284,10 +2282,14 @@ static int xennet_remove(struct xenbus_d
 
 	xennet_disconnect_backend(info);
 
-	unregister_netdev(info->netdev);
+	if (info->netdev->reg_state == NETREG_REGISTERED)
+		unregister_netdev(info->netdev);
 
-	if (info->queues)
+	if (info->queues) {
+		rtnl_lock();
 		xennet_destroy_queues(info);
+		rtnl_unlock();
+	}
 	xennet_free_netdev(info->netdev);
 
 	return 0;


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 180/366] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (321 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 295/366] tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 233/366] cifs: store the leaseKey in the fid on SMB2_open Ben Hutchings
                   ` (43 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joakim Tjernlund, Boris Brezillon

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joakim Tjernlund <joakim.tjernlund@infinera.com>

commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream.

cfi_ppb_unlock() walks all flash chips when unlocking sectors,
avoid walking chips unaffected by the unlock operation.

Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -2356,6 +2356,8 @@ static int __maybe_unused cfi_ppb_unlock
 			i++;
 
 		if (adr >> cfi->chipshift) {
+			if (offset >= (ofs + len))
+				break;
 			adr = 0;
 			chipnum++;
 
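
Review bot: The new "if (offset >= (ofs + len)) break;" is evaluated only inside the "adr >> cfi->chipshift" branch, so the walk stops at the first chip boundary past the requested range rather than at the end of the range itself. If that is the intent, a one-line comment would make it clear; the inner parentheses around "ofs + len" are not needed, and the sum deserves a check that it cannot wrap for the types involved.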


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 153/366] powerpc/e500mc: Set assembler machine type to e500mc
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 175/366] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 088/366] ext4: fix fencepost error in check for inode count overflow during resize Ben Hutchings
                   ` (126 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linuxppc-dev, Scott Wood, Kumar Gala,
	Benjamin Herrenschmidt, Vakul Garg, Michael Jeanson,
	Michael Ellerman, Mathieu Desnoyers, Paul Mackerras

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Jeanson <mjeanson@efficios.com>

commit 69a8405999aa1c489de4b8d349468f0c2b83f093 upstream.

In binutils 2.26 a new opcode for the "wait" instruction was added for the
POWER9 and has precedence over the one specific to the e500mc. Commit
ebf714ff3756 ("powerpc/e500mc: Add support for the wait instruction in
e500_idle") uses this instruction specifically on the e500mc to work around
an erratum.

This results in an invalid instruction in idle_e500 when we build for the
e500mc on binutils >= 2.26 with the default assembler machine type.

Since multiplatform between e500 and non-e500 is not supported, set the
assembler machine type globally when CONFIG_PPC_E500MC=y.

Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: Paul Mackerras <paulus@samba.org>
CC: Michael Ellerman <mpe@ellerman.id.au>
CC: Kumar Gala <galak@kernel.crashing.org>
CC: Vakul Garg <vakul.garg@nxp.com>
CC: Scott Wood <swood@redhat.com>
CC: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: linuxppc-dev@lists.ozlabs.org
CC: linux-kernel@vger.kernel.org
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/Makefile | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -205,6 +205,7 @@ endif
 cpu-as-$(CONFIG_4xx)		+= -Wa,-m405
 cpu-as-$(CONFIG_ALTIVEC)	+= -Wa,-maltivec
 cpu-as-$(CONFIG_E200)		+= -Wa,-me200
+cpu-as-$(CONFIG_PPC_E500MC)	+= $(call as-option,-Wa$(comma)-me500mc)
 
 KBUILD_AFLAGS += $(cpu-as-y)
 KBUILD_CFLAGS += $(cpu-as-y)
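
Review bot: Unlike the three neighbouring cpu-as lines, which pass their -Wa flag directly, the new line goes through as-option, so an assembler that rejects -me500mc silently drops the flag and the build falls back to the default machine type that the changelog says yields an invalid instruction. Consider passing -Wa,-me500mc unconditionally as the other entries do, or add a comment explaining why the probe is needed.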


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 165/366] xen-netfront: use different locks for Rx and Tx stats
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (345 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 027/366] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 237/366] xhci: xhci-mem: off by one in xhci_stream_id_to_ring() Ben Hutchings
                   ` (19 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Piotrovsky, David S. Miller, David Vrabel

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Vrabel <david.vrabel@citrix.com>

commit 900e183301b54f8ca17a86d9835e9569090d182a upstream.

In netfront the Rx and Tx path are independent and use different
locks.  The Tx lock is held with hard irqs disabled, but Rx lock is
held with only BH disabled.  Since both sides use the same stats lock,
a deadlock may occur.

  [ INFO: possible irq lock inversion dependency detected ]
  3.16.2 #16 Not tainted
  ---------------------------------------------------------
  swapper/0/0 just changed the state of lock:
   (&(&queue->tx_lock)->rlock){-.....}, at: [<c03adec8>]
  xennet_tx_interrupt+0x14/0x34
  but this lock took another, HARDIRQ-unsafe lock in the past:
   (&stat->syncp.seq#2){+.-...}
  and interrupts could create inverse lock ordering between them.
  other info that might help us debug this:
   Possible interrupt unsafe locking scenario:

         CPU0                    CPU1
         ----                    ----
    lock(&stat->syncp.seq#2);
                                 local_irq_disable();
                                 lock(&(&queue->tx_lock)->rlock);
                                 lock(&stat->syncp.seq#2);
    <Interrupt>
      lock(&(&queue->tx_lock)->rlock);

Using separate locks for the Rx and Tx stats fixes this deadlock.

Reported-by: Dmitry Piotrovsky <piotrovskydmitry@gmail.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 71 ++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 29 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -86,10 +86,8 @@ struct netfront_cb {
 #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
 
 struct netfront_stats {
-	u64			rx_packets;
-	u64			tx_packets;
-	u64			rx_bytes;
-	u64			tx_bytes;
+	u64			packets;
+	u64			bytes;
 	struct u64_stats_sync	syncp;
 };
 
@@ -165,7 +163,8 @@ struct netfront_info {
 	struct netfront_queue *queues;
 
 	/* Statistics */
-	struct netfront_stats __percpu *stats;
+	struct netfront_stats __percpu *rx_stats;
+	struct netfront_stats __percpu *tx_stats;
 
 	atomic_t rx_gso_checksum_fixup;
 };
@@ -588,7 +587,7 @@ static int xennet_start_xmit(struct sk_b
 {
 	unsigned short id;
 	struct netfront_info *np = netdev_priv(dev);
-	struct netfront_stats *stats = this_cpu_ptr(np->stats);
+	struct netfront_stats *tx_stats = this_cpu_ptr(np->tx_stats);
 	struct xen_netif_tx_request *tx;
 	char *data = skb->data;
 	RING_IDX i;
@@ -695,10 +694,10 @@ static int xennet_start_xmit(struct sk_b
 	if (notify)
 		notify_remote_via_irq(queue->tx_irq);
 
-	u64_stats_update_begin(&stats->syncp);
-	stats->tx_bytes += skb->len;
-	stats->tx_packets++;
-	u64_stats_update_end(&stats->syncp);
+	u64_stats_update_begin(&tx_stats->syncp);
+	tx_stats->bytes += skb->len;
+	tx_stats->packets++;
+	u64_stats_update_end(&tx_stats->syncp);
 
 	/* Note: It is not safe to access skb after xennet_tx_buf_gc()! */
 	xennet_tx_buf_gc(queue);
@@ -954,7 +953,7 @@ static int checksum_setup(struct net_dev
 static int handle_incoming_queue(struct netfront_queue *queue,
 				 struct sk_buff_head *rxq)
 {
-	struct netfront_stats *stats = this_cpu_ptr(queue->info->stats);
+	struct netfront_stats *rx_stats = this_cpu_ptr(queue->info->rx_stats);
 	int packets_dropped = 0;
 	struct sk_buff *skb;
 
@@ -975,10 +974,10 @@ static int handle_incoming_queue(struct
 			continue;
 		}
 
-		u64_stats_update_begin(&stats->syncp);
-		stats->rx_packets++;
-		stats->rx_bytes += skb->len;
-		u64_stats_update_end(&stats->syncp);
+		u64_stats_update_begin(&rx_stats->syncp);
+		rx_stats->packets++;
+		rx_stats->bytes += skb->len;
+		u64_stats_update_end(&rx_stats->syncp);
 
 		/* Pass it up. */
 		napi_gro_receive(&queue->napi, skb);
@@ -1113,18 +1112,22 @@ static struct rtnl_link_stats64 *xennet_
 	int cpu;
 
 	for_each_possible_cpu(cpu) {
-		struct netfront_stats *stats = per_cpu_ptr(np->stats, cpu);
+		struct netfront_stats *rx_stats = per_cpu_ptr(np->rx_stats, cpu);
+		struct netfront_stats *tx_stats = per_cpu_ptr(np->tx_stats, cpu);
 		u64 rx_packets, rx_bytes, tx_packets, tx_bytes;
 		unsigned int start;
 
 		do {
-			start = u64_stats_fetch_begin_irq(&stats->syncp);
+			start = u64_stats_fetch_begin_irq(&tx_stats->syncp);
+			tx_packets = tx_stats->packets;
+			tx_bytes = tx_stats->bytes;
+		} while (u64_stats_fetch_retry_irq(&tx_stats->syncp, start));
 
-			rx_packets = stats->rx_packets;
-			tx_packets = stats->tx_packets;
-			rx_bytes = stats->rx_bytes;
-			tx_bytes = stats->tx_bytes;
-		} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
+		do {
+			start = u64_stats_fetch_begin_irq(&rx_stats->syncp);
+			rx_packets = rx_stats->packets;
+			rx_bytes = rx_stats->bytes;
+		} while (u64_stats_fetch_retry_irq(&rx_stats->syncp, start));
 
 		tot->rx_packets += rx_packets;
 		tot->tx_packets += tx_packets;
@@ -1309,6 +1312,15 @@ static const struct net_device_ops xenne
 #endif
 };
 
+static void xennet_free_netdev(struct net_device *netdev)
+{
+	struct netfront_info *np = netdev_priv(netdev);
+
+	free_percpu(np->rx_stats);
+	free_percpu(np->tx_stats);
+	free_netdev(netdev);
+}
+
 static struct net_device *xennet_create_dev(struct xenbus_device *dev)
 {
 	int err;
@@ -1329,8 +1341,11 @@ static struct net_device *xennet_create_
 	np->queues = NULL;
 
 	err = -ENOMEM;
-	np->stats = netdev_alloc_pcpu_stats(struct netfront_stats);
-	if (np->stats == NULL)
+	np->rx_stats = netdev_alloc_pcpu_stats(struct netfront_stats);
+	if (np->rx_stats == NULL)
+		goto exit;
+	np->tx_stats = netdev_alloc_pcpu_stats(struct netfront_stats);
+	if (np->tx_stats == NULL)
 		goto exit;
 
 	netdev->netdev_ops	= &xennet_netdev_ops;
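
Review bot: If the rx_stats allocation fails, "goto exit" ends in xennet_free_netdev() (see the next hunk), which calls free_percpu() on np->tx_stats before it has ever been assigned. That is safe only if the netdev private area is zeroed at allocation and free_percpu(NULL) is a no-op; an explicit NULL initialisation of both pointers next to "np->queues = NULL;", or a comment at the "exit:" label, would make the assumption visible.
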
@@ -1359,7 +1374,7 @@ static struct net_device *xennet_create_
 	return netdev;
 
  exit:
-	free_netdev(netdev);
+	xennet_free_netdev(netdev);
 	return ERR_PTR(err);
 }
 
@@ -1401,7 +1416,7 @@ static int netfront_probe(struct xenbus_
 	return 0;
 
  fail:
-	free_netdev(netdev);
+	xennet_free_netdev(netdev);
 	dev_set_drvdata(&dev->dev, NULL);
 	return err;
 }
@@ -2322,9 +2337,7 @@ static int xennet_remove(struct xenbus_d
 		info->queues = NULL;
 	}
 
-	free_percpu(info->stats);
-
-	free_netdev(info->netdev);
+	xennet_free_netdev(info->netdev);
 
 	return 0;
 }


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 181/366] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (316 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 239/366] sh_eth: fix invalid context bug while changing link options by ethtool Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 020/366] pinctrl: samsung: Correct EINTG banks order Ben Hutchings
                   ` (48 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 275ec0cb946cb75ac8977f662e608fce92f8b8a8 upstream.

Fujitsu Siemens ESPRIMO Mobile U9210 requires the same fixup as H270
for the correct pin configs.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2496,6 +2496,7 @@ static const struct snd_pci_quirk alc262
 	SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110),
 	SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ),
 	SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN),
+	SND_PCI_QUIRK(0x1734, 0x1141, "FSC ESPRIMO U9210", ALC262_FIXUP_FSC_H270),
 	SND_PCI_QUIRK(0x1734, 0x1147, "FSC Celsius H270", ALC262_FIXUP_FSC_H270),
 	SND_PCI_QUIRK(0x17aa, 0x384e, "Lenovo 3000", ALC262_FIXUP_LENOVO_3000),
 	SND_PCI_QUIRK(0x17ff, 0x0560, "Benq ED8", ALC262_FIXUP_BENQ),


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 157/366] udf: Detect incorrect directory size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 176/366] Input: elantech - report the middle button of the touchpad Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 082/366] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() Ben Hutchings
                   ` (304 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Anatoly Trosinenko

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream.

Detect when a directory entry is (possibly partially) beyond directory
size and return EIO in that case since it means the filesystem is
corrupted. Otherwise directory operations can further corrupt the
directory and possibly also oops the kernel.

CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Reported-and-tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/udf/directory.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/udf/directory.c
+++ b/fs/udf/directory.c
@@ -151,6 +151,9 @@ struct fileIdentDesc *udf_fileident_read
 			       sizeof(struct fileIdentDesc));
 		}
 	}
+	/* Got last entry outside of dir size - fs is corrupted! */
+	if (*nf_pos > dir->i_size)
+		return NULL;
 	return fi;
 }
 
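
Review bot: The "*nf_pos > dir->i_size" test runs after the descriptor has already been read and, in the split-block case just above, copied, so it rejects a corrupt entry but does not bound the read itself. The changelog says EIO while the function returns NULL; confirm that every caller turns NULL into an error, and extend the comment to say that an entry ending exactly at i_size is accepted.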


^ permalink raw reply	[flat|nested] 376+ messages in thread
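
The bounds rule the udf patch above enforces, shown as a standalone user-space walker (an added example, not code from the patch or from fs/udf): an entry whose end falls past the directory size is treated as corruption and reported as -EIO. The 38-byte fixed header and the offsets of the two length fields follow the ECMA-167 File Identifier Descriptor layout; walk_dir(), the constructed sample directory and the demo_* helpers are hypothetical names, and tag/CRC validation is left out.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of an ECMA-167 File Identifier Descriptor, as used by UDF. */
#define FID_FIXED_LEN 38u
#define FID_OFF_L_FI  19u	/* 1 byte: length of the file identifier */
#define FID_OFF_L_IU  36u	/* 2 bytes, little endian: implementation use length */

/* On-disk length of one descriptor: fixed part + L_IU + L_FI, padded to 4. */
static size_t fid_total_len(const uint8_t *fid)
{
	size_t l_fi = fid[FID_OFF_L_FI];
	size_t l_iu = (size_t)fid[FID_OFF_L_IU] |
		      ((size_t)fid[FID_OFF_L_IU + 1] << 8);

	return (FID_FIXED_LEN + l_iu + l_fi + 3u) & ~(size_t)3u;
}

/*
 * Walk the descriptors in dir[0..dir_size). Returns the number of entries,
 * or -EIO if an entry lies, even partially, beyond dir_size. The header is
 * bounds-checked before its length fields are read, and the full entry is
 * bounds-checked before the position advances.
 */
int walk_dir(const uint8_t *dir, size_t dir_size)
{
	size_t pos = 0;
	int entries = 0;

	while (pos < dir_size) {
		size_t left = dir_size - pos;
		size_t len;

		if (left < FID_FIXED_LEN)
			return -EIO;	/* header itself is cut off */
		len = fid_total_len(dir + pos);
		if (len > left)
			return -EIO;	/* entry ends past the directory */
		pos += len;
		entries++;
	}
	return entries;
}

/* Constructed sample: two zero-filled entries of 44 and 48 bytes. */
#define SAMPLE_DIR_LEN 92u

static void build_sample_dir(uint8_t *buf)
{
	size_t off = 0;

	memset(buf, 0, SAMPLE_DIR_LEN);
	buf[off + FID_OFF_L_FI] = 5;	/* 38 + 5, padded to 44 */
	off += fid_total_len(buf + off);
	buf[off + FID_OFF_L_FI] = 10;	/* 38 + 10, padded to 48 */
}

/* Walk the sample while claiming a directory size (like a wrong i_size). */
int demo_walk(size_t claimed_size)
{
	uint8_t buf[SAMPLE_DIR_LEN];

	if (claimed_size > SAMPLE_DIR_LEN)
		return -EINVAL;	/* never read past the sample buffer */
	build_sample_dir(buf);
	return walk_dir(buf, claimed_size);
}

/* Corrupt the first entry's L_IU so it claims far more than the directory. */
int demo_corrupt_length(void)
{
	uint8_t buf[SAMPLE_DIR_LEN];

	build_sample_dir(buf);
	buf[FID_OFF_L_IU] = 0xff;
	buf[FID_OFF_L_IU + 1] = 0xff;
	return walk_dir(buf, SAMPLE_DIR_LEN);
}

int main(void)
{
	printf("intact directory:        %d\n", demo_walk(SAMPLE_DIR_LEN));
	printf("size cuts entry 2 body:  %d\n", demo_walk(90));
	printf("size cuts entry 2 head:  %d\n", demo_walk(60));
	printf("corrupt length field:    %d\n", demo_corrupt_length());
	return 0;
}
```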

* [PATCH 3.16 177/366] Input: elantech - enable middle button of touchpads on ThinkPad P52
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (241 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 146/366] ext4: add more mount time checks of the superblock Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 318/366] use ->d_seq to get coherency between ->d_inode and ->d_flags Ben Hutchings
                   ` (123 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aaron Ma, Dmitry Torokhov, Benjamin Tissoires

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit 24bb555e6e46d96e2a954aa0295029a81cc9bbaa upstream.

PNPID is a better way to identify the type of touchpads.
Enable middle button support on 2 types of touchpads on Lenovo P52.

Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/elantech.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1080,6 +1080,12 @@ static const struct dmi_system_id elante
 	{ }
 };
 
+static const char * const middle_button_pnp_ids[] = {
+	"LEN2131", /* ThinkPad P52 w/ NFC */
+	"LEN2132", /* ThinkPad P52 */
+	NULL
+};
+
 /*
  * Set the appropriate event bits for the input subsystem
  */
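
Review bot: middle_button_pnp_ids has no driver prefix, while the DMI table it is checked alongside is named elantech_dmi_has_middle_button; calling it elantech_middle_button_pnp_ids would keep the file consistent. Since the changelog calls PNP ID the better identifier, a one-line comment above the array should also record that new devices belong here rather than in the DMI list.
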
@@ -1099,7 +1105,8 @@ static int elantech_set_input_params(str
 	__clear_bit(EV_REL, dev->evbit);
 
 	__set_bit(BTN_LEFT, dev->keybit);
-	if (dmi_check_system(elantech_dmi_has_middle_button))
+	if (dmi_check_system(elantech_dmi_has_middle_button) ||
+			psmouse_matches_pnp_id(psmouse, middle_button_pnp_ids))
 		__set_bit(BTN_MIDDLE, dev->keybit);
 	__set_bit(BTN_RIGHT, dev->keybit);
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 171/366] xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 141/366] l2tp: clean up stale tunnel or session in pppol2tp_connect's error path Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 350/366] sched/topology: Make local variables static Ben Hutchings
                   ` (318 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Vitaly Kuznetsov

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e upstream.

Unavoidable crashes in netfront_resume() and netback_changed() after a
previous fail in talk_to_netback() (e.g. when we fail to read MAC from
xenstore) were discovered. The failure path in talk_to_netback() does
unregister/free for netdev but we don't reset drvdata and we try accessing
it after resume.

Fix the bug by removing the whole xen device completely with
device_unregister(), this guarantees we won't have any calls into netfront
after a failure.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/xen-netfront.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1980,8 +1980,7 @@ abort_transaction_no_dev_fatal:
 	xennet_disconnect_backend(info);
 	xennet_destroy_queues(info);
  out:
-	unregister_netdev(info->netdev);
-	xennet_free_netdev(info->netdev);
+	device_unregister(&dev->dev);
 	return err;
 }
 
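
Review bot: device_unregister(&dev->dev) is now called from inside talk_to_netback(), so after "return err;" the caller must not touch dev, info or the netdev again, and freeing the netdev depends entirely on the driver's remove path. A comment at "out:" stating both points would help, since the two removed lines made the ownership explicit.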


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 159/366] x86/speculation: Fix up array_index_nospec_mask() asm constraint
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 289/366] cachefiles: Fix refcounting bug in backing-file read monitoring Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 259/366] drm/nouveau: Remove bogus crtc check in pmops_runtime_idle Ben Hutchings
                   ` (331 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, Andy Lutomirski, Linus Torvalds,
	Ingo Molnar, Dan Williams, Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit be3233fbfcb8f5acb6e3bcd0895c3ef9e100d470 upstream.

Allow the compiler to handle @size as an immediate value or memory
directly rather than allocating a register.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/151797010204.1289.1510000292250184993.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/barrier.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/barrier.h
+++ b/arch/x86/include/asm/barrier.h
@@ -40,7 +40,7 @@ static inline unsigned long array_index_
 
 	asm ("cmp %1,%2; sbb %0,%0;"
 			:"=r" (mask)
-			:"r"(size),"r" (index)
+			:"g"(size),"r" (index)
 			:"cc");
 	return mask;
 }
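
Review bot: the "g" constraint on size admits immediates as well as
registers and memory, and cmp can only encode an immediate that fits in
a sign-extended 32 bits. If a constant size wider than that can ever
reach this inline function, a constraint that states the limit (the x86
"e" constraint, combined with register and memory) would be safer than
"g". If that cannot happen, a short comment saying so would settle the
question for the next reader.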


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 099/366] mtd: cfi_cmdset_0002: Change erase functions to check chip good only
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (296 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 102/366] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 143/366] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels Ben Hutchings
                   ` (68 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Cyrille Pitchen, Marek Vasut, Boris Brezillon,
	Brian Norris, Chris Packham, Tokunori Ikegami, linux-mtd,
	Boris Brezillon, Richard Weinberger, David Woodhouse,
	Joakim Tjernlund

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit 79ca484b613041ca223f74b34608bb6f5221724b upstream.

Currently the functions check both chip ready and chip good.
But chip ready is not enough to check the operation status.
So change them to check chip good instead.
The retry handling is kept to make sure the error handling remains.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Marek Vasut <marek.vasut@gmail.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -1955,12 +1955,13 @@ static int __xipram do_erase_chip(struct
 			chip->erase_suspended = 0;
 		}
 
-		if (chip_ready(map, adr))
+		if (chip_good(map, adr, map_word_ff(map)))
 			break;
 
 		if (time_after(jiffies, timeo)) {
 			printk(KERN_WARNING "MTD %s(): software timeout\n",
 				__func__ );
+			ret = -EIO;
 			break;
 		}
 
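
Review bot: in the timeout branch, ret = -EIO is set without a final
look at the chip, so an erase that completes after the chip_good() test
above but before time_after() fires (for example when the task is
scheduled out in between) is treated as a failure and sent to reset and
retry. The timeout test in do_write_buffer() in this file is written as
time_after(jiffies, timeo) && !chip_ready(map, adr); testing
time_after(jiffies, timeo) && !chip_good(map, adr, map_word_ff(map))
here would close that window. The same applies to the matching hunk in
do_erase_oneblock().
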
@@ -1968,15 +1969,15 @@ static int __xipram do_erase_chip(struct
 		UDELAY(map, chip, adr, 1000000/HZ);
 	}
 	/* Did we succeed? */
-	if (!chip_good(map, adr, map_word_ff(map))) {
+	if (ret) {
 		/* reset on all failures. */
 		map_write( map, CMD(0xF0), chip->start );
 		/* FIXME - should have reset delay before continuing */
 
-		if (++retry_cnt <= MAX_RETRIES)
+		if (++retry_cnt <= MAX_RETRIES) {
+			ret = 0;
 			goto retry;
-
-		ret = -EIO;
+		}
 	}
 
 	chip->state = FL_READY;
@@ -2050,7 +2051,7 @@ static int __xipram do_erase_oneblock(st
 			chip->erase_suspended = 0;
 		}
 
-		if (chip_ready(map, adr)) {
+		if (chip_good(map, adr, map_word_ff(map))) {
 			xip_enable(map, chip, adr);
 			break;
 		}
@@ -2059,6 +2060,7 @@ static int __xipram do_erase_oneblock(st
 			xip_enable(map, chip, adr);
 			printk(KERN_WARNING "MTD %s(): software timeout\n",
 				__func__ );
+			ret = -EIO;
 			break;
 		}
 
@@ -2066,15 +2068,15 @@ static int __xipram do_erase_oneblock(st
 		UDELAY(map, chip, adr, 1000000/HZ);
 	}
 	/* Did we succeed? */
-	if (!chip_good(map, adr, map_word_ff(map))) {
+	if (ret) {
 		/* reset on all failures. */
 		map_write( map, CMD(0xF0), chip->start );
 		/* FIXME - should have reset delay before continuing */
 
-		if (++retry_cnt <= MAX_RETRIES)
+		if (++retry_cnt <= MAX_RETRIES) {
+			ret = 0;
 			goto retry;
-
-		ret = -EIO;
+		}
 	}
 
 	chip->state = FL_READY;


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 096/366] mtd: cfi_cmdset_0002: Change write buffer to check correct value
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 272/366] crypto: padlock-aes - Fix Nano workaround data corruption Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 052/366] driver core: Don't ignore class_dir_create_and_add() failure Ben Hutchings
                   ` (295 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Boris Brezillon, linux-mtd, Tokunori Ikegami,
	Chris Packham, Brian Norris, Marek Vasut, Boris Brezillon,
	Cyrille Pitchen, David Woodhouse, Joakim Tjernlund,
	Richard Weinberger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream.

For the word write, it is checked whether the chip has the correct value.
But this is not checked for the write buffer, which only checks if ready.
To make sure, change the write buffer to check the value.

It is enough for this patch to check only the last written word,
since the data sheets describe this as the way to check the operation status.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Marek Vasut <marek.vasut@gmail.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -1541,7 +1541,7 @@ static int __xipram do_write_buffer(stru
 		if (time_after(jiffies, timeo) && !chip_ready(map, adr))
 			break;
 
-		if (chip_ready(map, adr)) {
+		if (chip_good(map, adr, datum)) {
 			xip_enable(map, chip, adr);
 			goto op_done;
 		}
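
Review bot: the timeout test at the top of this hunk still uses
chip_ready(), while success is now decided by chip_good(). A chip that
is ready but does not hold datum passes neither test, so the loop can no
longer leave through the timeout. Changing the first condition to
time_after(jiffies, timeo) && !chip_good(map, adr, datum) keeps the two
checks consistent.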


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 098/366] mtd: cfi_cmdset_0002: Change erase functions to retry for error
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (244 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 024/366] PCI: ibmphp: Fix use-before-set in get_max_bus_speed() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 264/366] usb: gadget: u_audio: update hw_ptr in iso_complete after data copied Ben Hutchings
                   ` (120 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Boris Brezillon, Tokunori Ikegami, linux-mtd, Marek Vasut,
	Boris Brezillon, Chris Packham, Brian Norris, Cyrille Pitchen,
	Joakim Tjernlund, David Woodhouse, Richard Weinberger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit 45f75b8a919a4255f52df454f1ffdee0e42443b2 upstream.

The word write functions retry on error.
But retry is not implemented for the erase functions.
To make sure, change the erase functions to retry in the same way.

This is needed to prevent a flash erase error that occurred only once.
It was caused by the error case of chip_good() in do_erase_oneblock().
It was also confirmed on the MACRONIX flash device MX29GL512FHT2I-11G.
But the error behavior cannot be reproduced at this moment.
The flash controller is the parallel Flash interface integrated on BCM53003.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Marek Vasut <marek.vasut@gmail.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -1900,6 +1900,7 @@ static int __xipram do_erase_chip(struct
 	unsigned long int adr;
 	DECLARE_WAITQUEUE(wait, current);
 	int ret = 0;
+	int retry_cnt = 0;
 
 	adr = cfi->addr_unlock1;
 
@@ -1917,6 +1918,7 @@ static int __xipram do_erase_chip(struct
 	ENABLE_VPP(map);
 	xip_disable(map, chip, adr);
 
+ retry:
 	cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
 	cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
 	cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
@@ -1971,6 +1973,9 @@ static int __xipram do_erase_chip(struct
 		map_write( map, CMD(0xF0), chip->start );
 		/* FIXME - should have reset delay before continuing */
 
+		if (++retry_cnt <= MAX_RETRIES)
+			goto retry;
+
 		ret = -EIO;
 	}
 
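
Review bot: the retry is taken directly after the 0xF0 reset write, and
the FIXME just above it still says that a reset delay is missing. Before
this change the function returned after the reset; now the unlock cycles
at the retry label are issued straight away, so the missing delay
matters on every retry. Consider adding the delay together with the
goto, in both do_erase_chip() and do_erase_oneblock().
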
@@ -1990,6 +1995,7 @@ static int __xipram do_erase_oneblock(st
 	unsigned long timeo = jiffies + HZ;
 	DECLARE_WAITQUEUE(wait, current);
 	int ret = 0;
+	int retry_cnt = 0;
 
 	adr += chip->start;
 
@@ -2007,6 +2013,7 @@ static int __xipram do_erase_oneblock(st
 	ENABLE_VPP(map);
 	xip_disable(map, chip, adr);
 
+ retry:
 	cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
 	cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
 	cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
@@ -2064,6 +2071,9 @@ static int __xipram do_erase_oneblock(st
 		map_write( map, CMD(0xF0), chip->start );
 		/* FIXME - should have reset delay before continuing */
 
+		if (++retry_cnt <= MAX_RETRIES)
+			goto retry;
+
 		ret = -EIO;
 	}
 


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 097/366] mtd: cfi_cmdset_0002: Change definition naming to retry write operation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 270/366] scsi: qla2xxx: Fix ISP recovery on unload Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 227/366] smsc75xx: Add workaround for gigabit link up hardware errata Ben Hutchings
                   ` (239 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Boris Brezillon, Tokunori Ikegami, linux-mtd, Marek Vasut,
	Boris Brezillon, Chris Packham, Brian Norris, Cyrille Pitchen,
	David Woodhouse, Joakim Tjernlund, Richard Weinberger

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>

commit 85a82e28b023de9b259a86824afbd6ba07bd6475 upstream.

The definition can be used for other program and erase operations also.
So change the naming to MAX_RETRIES from MAX_WORD_RETRIES.

Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Brian Norris <computersforpeace@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Marek Vasut <marek.vasut@gmail.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -42,7 +42,7 @@
 #define AMD_BOOTLOC_BUG
 #define FORCE_WORD_WRITE 0
 
-#define MAX_WORD_RETRIES 3
+#define MAX_RETRIES 3
 
 #define SST49LF004B	        0x0060
 #define SST49LF040B	        0x0050
@@ -1314,7 +1314,7 @@ static int __xipram do_write_oneword(str
 		map_write( map, CMD(0xF0), chip->start );
 		/* FIXME - should have reset delay before continuing */
 
-		if (++retry_cnt <= MAX_WORD_RETRIES)
+		if (++retry_cnt <= MAX_RETRIES)
 			goto retry;
 
 		ret = -EIO;
@@ -1765,7 +1765,7 @@ retry:
 		map_write(map, CMD(0xF0), chip->start);
 		/* FIXME - should have reset delay before continuing */
 
-		if (++retry_cnt <= MAX_WORD_RETRIES)
+		if (++retry_cnt <= MAX_RETRIES)
 			goto retry;
 
 		ret = -EIO;


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 155/366] scsi: target: Fix truncated PR-in ReadKeys response
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (191 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 341/366] MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 209/366] n_tty: Fix stall at n_tty_receive_char_special() Ben Hutchings
                   ` (173 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Maged Mokhtar, Mike Christie, Martin K. Petersen,
	Christoph Hellwig, David Disseldorp

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: David Disseldorp <ddiss@suse.de>

commit 63ce3c384db26494615e3c8972bcd419ed71f4c4 upstream.

SPC5r17 states that the contents of the ADDITIONAL LENGTH field are not
altered based on the allocation length, so always calculate and pack the
full key list length even if the list itself is truncated.

According to Maged:

  Yes it fixes the "Storage Spaces Persistent Reservation" test in the
  Windows 2016 Server Failover Cluster validation suites when having
  many connections that result in more than 8 registrations. I tested
  your patch on 4.17 with iblock.

This behaviour can be tested using the libiscsi PrinReadKeys.Truncate test.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Tested-by: Maged Mokhtar <mmokhtar@petasan.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: Convert from open-coded put_unaligned_be64()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/target/target_core_pr.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -3726,18 +3726,16 @@ core_scsi3_pri_read_keys(struct se_cmd *
 		 * Check for overflow of 8byte PRI READ_KEYS payload and
 		 * next reservation key list descriptor.
 		 */
-		if ((add_len + 8) > (cmd->data_length - 8))
-			break;
-
-		buf[off++] = ((pr_reg->pr_res_key >> 56) & 0xff);
-		buf[off++] = ((pr_reg->pr_res_key >> 48) & 0xff);
-		buf[off++] = ((pr_reg->pr_res_key >> 40) & 0xff);
-		buf[off++] = ((pr_reg->pr_res_key >> 32) & 0xff);
-		buf[off++] = ((pr_reg->pr_res_key >> 24) & 0xff);
-		buf[off++] = ((pr_reg->pr_res_key >> 16) & 0xff);
-		buf[off++] = ((pr_reg->pr_res_key >> 8) & 0xff);
-		buf[off++] = (pr_reg->pr_res_key & 0xff);
-
+		if (off + 8 <= cmd->data_length) {
+			put_unaligned_be64(pr_reg->pr_res_key, &buf[off]);
+			off += 8;
+		}
+		/*
+		 * SPC5r17: 6.16.2 READ KEYS service action
+		 * The ADDITIONAL LENGTH field indicates the number of bytes in
+		 * the Reservation key list. The contents of the ADDITIONAL
+		 * LENGTH field are not altered based on the allocation length
+		 */
 		add_len += 8;
 	}
 	spin_unlock(&dev->t10_pr.registration_lock);
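
Review bot: put_unaligned_be64() is new to this function in the
backport, and the patch carries no #include change. Confirm that the
header providing it is already included by target_core_pr.c in 3.16.
Separately, the comment kept at the top of the hunk still speaks of
checking for overflow, but the loop no longer stops at that point: it
now walks every registration under registration_lock to compute
add_len, which deserves a word in that comment.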


^ permalink raw reply	[flat|nested] 376+ messages in thread
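
The READ KEYS behaviour described in the message above, as an added example that is not code from the patch or from the kernel tree: the target side copies only whole keys that fit but always reports the full list length, and the initiator side uses ADDITIONAL LENGTH to detect truncation. All function and struct names, the PRGENERATION value and the ten sample keys are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRI_HDR_LEN 8	/* PRGENERATION (4 bytes) + ADDITIONAL LENGTH (4 bytes) */
#define PRI_KEY_LEN 8	/* one reservation key */

/* Big-endian store of the low nbytes of v, one byte at a time. */
static void put_be(uint64_t v, uint8_t *p, int nbytes)
{
	for (int i = 0; i < nbytes; i++)
		p[i] = (uint8_t)(v >> (8 * (nbytes - 1 - i)));
}

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Target side: fill at most alloc_len bytes of buf and return the number
 * of bytes written.  ADDITIONAL LENGTH covers every registered key, even
 * those that did not fit.
 */
size_t read_keys_build(uint8_t *buf, size_t alloc_len, uint32_t generation,
		       const uint64_t *keys, size_t nkeys)
{
	uint8_t hdr[PRI_HDR_LEN];
	size_t off = PRI_HDR_LEN, add_len = 0;

	for (size_t i = 0; i < nkeys; i++) {
		if (off + PRI_KEY_LEN <= alloc_len) {	/* whole keys only */
			put_be(keys[i], &buf[off], PRI_KEY_LEN);
			off += PRI_KEY_LEN;
		}
		add_len += PRI_KEY_LEN;			/* counted regardless */
	}
	put_be(generation, &hdr[0], 4);
	put_be(add_len, &hdr[4], 4);
	if (alloc_len < PRI_HDR_LEN) {		/* even the header is cut */
		memcpy(buf, hdr, alloc_len);
		return alloc_len;
	}
	memcpy(buf, hdr, PRI_HDR_LEN);
	return off;
}

struct read_keys_info {
	size_t received;	/* bytes the initiator got back */
	size_t registered;	/* keys held by the target (from ADDITIONAL LENGTH) */
	size_t present;		/* whole keys contained in this response */
	int truncated;		/* non-zero: reissue with needed bytes */
	size_t needed;		/* allocation length that fetches the full list */
};

/* Initiator side: returns 0 on success, -1 on a malformed or too short reply. */
int read_keys_parse(const uint8_t *buf, size_t len, struct read_keys_info *out)
{
	uint32_t add_len;

	if (len < PRI_HDR_LEN)
		return -1;
	add_len = get_be32(&buf[4]);
	if (add_len % PRI_KEY_LEN)
		return -1;
	out->received = len;
	out->registered = add_len / PRI_KEY_LEN;
	out->present = (len - PRI_HDR_LEN) / PRI_KEY_LEN;
	if (out->present > out->registered)
		out->present = out->registered;
	out->truncated = out->present < out->registered;
	out->needed = PRI_HDR_LEN + (size_t)add_len;
	return 0;
}

/* Constructed sample: ten registrations, i.e. "more than 8" as in the report. */
static const uint64_t sample_keys[10] = {
	0x1001, 0x1002, 0x1003, 0x1004, 0x1005,
	0x1006, 0x1007, 0x1008, 0x1009, 0x100a,
};
static uint8_t demo_buf[PRI_HDR_LEN + 10 * PRI_KEY_LEN];
static struct read_keys_info demo_info;

/* Target builds into alloc_len bytes, initiator parses what came back. */
const struct read_keys_info *demo_exchange(size_t alloc_len)
{
	size_t n;

	if (alloc_len > sizeof(demo_buf))
		alloc_len = sizeof(demo_buf);
	n = read_keys_build(demo_buf, alloc_len, 7, sample_keys, 10);
	return read_keys_parse(demo_buf, n, &demo_info) ? NULL : &demo_info;
}

int main(void)
{
	const struct read_keys_info *r = demo_exchange(72);

	printf("received=%zu registered=%zu present=%zu needed=%zu\n",
	       r->received, r->registered, r->present, r->needed);
	return 0;
}
```

With the pre-patch behaviour the 72-byte request would have reported only the keys that fit, and the initiator could not tell that two registrations were missing.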

* [PATCH 3.16 092/366] media: uvcvideo: Support realtek's UVC 1.5 device
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 058/366] ALSA: core: Assure control device to be registered at last Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 247/366] ext4: check for allocation block validity with block group locked Ben Hutchings
                   ` (287 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, ming_qian, Mauro Carvalho Chehab, Laurent Pinchart,
	Ana Guerrero Lopez, Kai-Heng Feng

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: ming_qian <ming_qian@realsil.com.cn>

commit f620d1d7afc7db57ab59f35000752840c91f67e7 upstream.

media: uvcvideo: Support UVC 1.5 video probe & commit controls

The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
recognized.

More changes to the driver are needed for full UVC 1.5 compatibility.
However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
reported to work well.

[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]

Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -155,14 +155,27 @@ static void uvc_fixup_video_ctrl(struct
 	}
 }
 
+static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
+{
+	/*
+	 * Return the size of the video probe and commit controls, which depends
+	 * on the protocol version.
+	 */
+	if (stream->dev->uvc_version < 0x0110)
+		return 26;
+	else if (stream->dev->uvc_version < 0x0150)
+		return 34;
+	else
+		return 48;
+}
+
 static int uvc_get_video_ctrl(struct uvc_streaming *stream,
 	struct uvc_streaming_control *ctrl, int probe, __u8 query)
 {
+	u16 size = uvc_video_ctrl_size(stream);
 	__u8 *data;
-	__u16 size;
 	int ret;
 
-	size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
 	if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
 			query == UVC_GET_DEF)
 		return -EIO;
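
Review bot: uvc_video_ctrl_size() returns size_t, but both callers store
the result in a u16. The values are 26, 34 or 48, so nothing is lost,
but the helper and the locals should agree on one type. The explanatory
comment would also read better above the function than inside its body.
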
@@ -217,7 +230,7 @@ static int uvc_get_video_ctrl(struct uvc
 	ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
 	ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
 
-	if (size == 34) {
+	if (size >= 34) {
 		ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
 		ctrl->bmFramingInfo = data[30];
 		ctrl->bPreferedVersion = data[31];
@@ -246,11 +259,10 @@ out:
 static int uvc_set_video_ctrl(struct uvc_streaming *stream,
 	struct uvc_streaming_control *ctrl, int probe)
 {
+	u16 size = uvc_video_ctrl_size(stream);
 	__u8 *data;
-	__u16 size;
 	int ret;
 
-	size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
 	data = kzalloc(size, GFP_KERNEL);
 	if (data == NULL)
 		return -ENOMEM;
@@ -267,7 +279,7 @@ static int uvc_set_video_ctrl(struct uvc
 	put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
 	put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
 
-	if (size == 34) {
+	if (size >= 34) {
 		put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
 		data[30] = ctrl->bmFramingInfo;
 		data[31] = ctrl->bPreferedVersion;
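
Review bot: with size >= 34 a UVC 1.5 device takes this branch, but only
the fields of the 34-byte layout are filled in, so the rest of the
48-byte buffer keeps the zeros from kzalloc(). The get path has the same
gap in the other direction, where the extra bytes are fetched and then
ignored. A comment at both size >= 34 tests stating that the UVC 1.5
fields are deliberately left unhandled would match the commit message
and stop a reader from assuming full 1.5 support.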


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 156/366] MIPS: io: Add barrier after register read in inX()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 022/366] media: cx231xx: Add support for AverMedia DVD EZMaker 7 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 154/366] xfrm_user: prevent leaking 2 bytes of kernel memory Ben Hutchings
                   ` (113 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Hogan, Fuxin Zhang, Huacai Chen, Huacai Chen,
	linux-mips, Paul Burton, Zhangjin Wu

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit 18f3e95b90b28318ef35910d21c39908de672331 upstream.

While a barrier is present in the outX() functions before the register
write, a similar barrier is missing in the inX() functions after the
register read. This could allow memory accesses following inX() to
observe stale data.

This patch is very similar to commit a1cc7034e33d12dc1 ("MIPS: io: Add
barrier after register read in readX()"). Because war_io_reorder_wmb()
is both used by writeX() and outX(), if readX() needs a barrier then so
does inX().

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Patchwork: https://patchwork.linux-mips.org/patch/19516/
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: James Hogan <james.hogan@mips.com>
Cc: linux-mips@linux-mips.org
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: Huacai Chen <chenhuacai@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/io.h | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -410,6 +410,8 @@ static inline type pfx##in##bwlq##p(unsi
 	__val = *__addr;						\
 	slow;								\
 									\
+	/* prevent prefetching of coherent DMA data prematurely */	\
+	rmb();								\
 	return pfx##ioswab##bwlq(__addr, __val);			\
 }
 
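
Review bot: the added rmb() runs on every inX() call on every platform,
while the commit message ties the write-side barrier to
war_io_reorder_wmb(). If the read side cannot be limited to the systems
that need it, the comment should say so; as written, "prevent
prefetching of coherent DMA data prematurely" does not tell a reader why
a port I/O read needs a full read barrier.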


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 160/366] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (309 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 095/366] tpm: fix race condition in tpm_common_write() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 292/366] cachefiles: Wait rather than BUG'ing on "Unexpected object collision" Ben Hutchings
                   ` (55 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, Linus Torvalds, Mark Rutland, Ingo Molnar,
	Dan Williams, Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit eab6870fee877258122a042bfd99ee7908c40280 upstream.

Mark Rutland noticed that GCC optimization passes have the potential to elide
necessary invocations of the array_index_mask_nospec() instruction sequence,
so mark the asm() volatile.

Mark explains:

"The volatile will inhibit *some* cases where the compiler could lift the
 array_index_nospec() call out of a branch, e.g. where there are multiple
 invocations of array_index_nospec() with the same arguments:

        if (idx < foo) {
                idx1 = array_idx_nospec(idx, foo)
                do_something(idx1);
        }

        < some other code >

        if (idx < foo) {
                idx2 = array_idx_nospec(idx, foo);
                do_something_else(idx2);
        }

 ... since the compiler can determine that the two invocations yield the same
 result, and reuse the first result (likely the same register as idx was in
 originally) for the second branch, effectively re-writing the above as:

        if (idx < foo) {
                idx = array_idx_nospec(idx, foo);
                do_something(idx);
        }

        < some other code >

        if (idx < foo) {
                do_something_else(idx);
        }

 ... if we don't take the first branch, then speculatively take the second, we
 lose the nospec protection.

 There's more info on volatile asm in the GCC docs:

   https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#Volatile
 "

Reported-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: babdde2698d4 ("x86: Implement array_index_mask_nospec")
Link: https://lkml.kernel.org/lkml/152838798950.14521.4893346294059739135.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/barrier.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/barrier.h
+++ b/arch/x86/include/asm/barrier.h
@@ -38,7 +38,7 @@ static inline unsigned long array_index_
 {
 	unsigned long mask;
 
-	asm ("cmp %1,%2; sbb %0,%0;"
+	asm volatile ("cmp %1,%2; sbb %0,%0;"
 			:"=r" (mask)
 			:"g"(size),"r" (index)
 			:"cc");
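
Review bot: the reason for volatile on this asm statement is recorded
only in the commit message. A short comment above the asm, saying that
volatile keeps the compiler from merging or dropping repeated mask
computations across separate branches, would stop a later cleanup from
removing it as redundant.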


^ permalink raw reply	[flat|nested] 376+ messages in thread
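
The mask that the two array_index_mask_nospec() patches in this series (159/366 and 160/366) operate on, as an added example that is not code from the series or from the kernel tree: mask_x86() repeats the cmp/sbb sequence with the "g" constraint and volatile shown in the hunks, mask_generic() is a portable branch-free formula assumed here for comparison, and index_nospec(), table_read(), sum_two() and the sample table are illustrative names and constructed data.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Portable formula: ~0UL when index < size, 0 otherwise, with no branch.
 * Correct for any size up to LONG_MAX; relies on arithmetic right shift
 * of a negative long, which gcc and clang provide.
 */
static inline unsigned long mask_generic(unsigned long index, unsigned long size)
{
	long v = ~(long)(index | (size - 1UL - index));

	return (unsigned long)(v >> (sizeof(long) * CHAR_BIT - 1));
}

#if defined(__x86_64__) && defined(__GNUC__)
/*
 * x86 form from the hunks: cmp sets the carry flag when index < size,
 * sbb of a register with itself then yields 0 - CF.  volatile keeps each
 * call site's computation in place instead of letting the compiler reuse
 * an earlier result.
 */
static inline unsigned long mask_x86(unsigned long index, unsigned long size)
{
	unsigned long mask;

	__asm__ volatile ("cmp %1,%2; sbb %0,%0;"
			:"=r" (mask)
			:"g"(size),"r" (index)
			:"cc");
	return mask;
}
#else
#define mask_x86 mask_generic	/* other architectures: use the formula */
#endif

/* Clamp index to [0, size) in the data path: out of range becomes 0. */
static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & mask_x86(index, size);
}

/* Bounds-checked read: the branch decides, the mask protects the load. */
int table_read(const unsigned char *table, unsigned long size,
	       unsigned long index, unsigned char *out)
{
	if (index >= size)
		return -1;
	*out = table[index_nospec(index, size)];
	return 0;
}

/*
 * The shape from the commit message: two separate branches on the same
 * condition.  Each one must clamp for itself, because the second branch
 * can be entered speculatively without the first having run.
 */
int sum_two(const unsigned char *table, unsigned long size, unsigned long idx)
{
	int sum = 0;

	if (idx < size)
		sum += table[index_nospec(idx, size)];
	/* some other code */
	if (idx < size)
		sum += table[index_nospec(idx, size)];
	return sum;
}

/* Constructed sample table. */
static const unsigned char sample_table[4] = { 10, 20, 30, 40 };

int main(void)
{
	printf("mask(3,4)=%lx mask(4,4)=%lx clamp(9,4)=%lu sum=%d\n",
	       mask_x86(3, 4), mask_x86(4, 4), index_nospec(9, 4),
	       sum_two(sample_table, 4, 2));
	return 0;
}
```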

* [PATCH 3.16 101/366] fuse: don't keep dead fuse_conn at fuse_fill_super().
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 260/366] drm: re-enable error handling Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 253/366] fs, elf: make sure to page align bss in load_elf_library Ben Hutchings
                   ` (334 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tetsuo Handa, Miklos Szeredi, syzbot, Anand Avati,
	Csaba Henk, John Muir

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.

syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
Since sb->s_fs_info field is not cleared after fc was released by
fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
already released fc and tries to hold the lock. Fix this by clearing
sb->s_fs_info field after calling fuse_conn_put().

[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
Cc: John Muir <john@jmuir.com>
Cc: Csaba Henk <csaba@gluster.com>
Cc: Anand Avati <avati@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/inode.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1125,6 +1125,7 @@ static int fuse_fill_super(struct super_
  err_put_conn:
 	fuse_bdi_destroy(fc);
 	fuse_conn_put(fc);
+	sb->s_fs_info = NULL;
  err_fput:
 	fput(file);
  err:
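
Review bot: sb->s_fs_info is cleared only after fuse_conn_put(fc) has
run, so for a short time it still points at a connection that may
already be freed. Clearing the pointer before the put, or stating in a
comment that nothing else can look at sb at this point, would make the
error path easier to reason about. It is also worth confirming that
fuse_kill_sb_blk(), named in the commit message, copes with a NULL
s_fs_info.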


^ permalink raw reply	[flat|nested] 376+ messages in thread

* [PATCH 3.16 158/366] x86: Call fixup_exception() before notify_die() in math_error()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 301/366] squashfs: be more careful about metadata corruption Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 176/366] Input: elantech - report the middle button of the touchpad Ben Hutchings
                   ` (306 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Borislav  Petkov, H. Peter Anvin, Andy Lutomirski,
	Siarhei Liakh, Siarhei Liakh, Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Siarhei Liakh <Siarhei.Liakh@concurrent-rt.com>

commit 3ae6295ccb7cf6d344908209701badbbbb503e40 upstream.

fpu__drop() has an explicit fwait which under some conditions can trigger a
fixable FPU exception while in kernel. Thus, we should attempt to fixup the
exception first, and only call notify_die() if the fixup failed just like
in do_general_protection(). The original call sequence incorrectly triggers
KDB entry on debug kernels under particular FPU-intensive workloads.

Andy noted that this makes the whole conditional irq enable thing even
more inconsistent, but fixing that is outside the scope of this.

Signed-off-by: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Borislav  Petkov" <bpetkov@suse.de>
Link: https://lkml.kernel.org/r/DM5PR11MB201156F1CAB2592B07C79A03B17D0@DM5PR11MB2011.namprd11.prod.outlook.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/traps.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -556,17 +556,19 @@ static void math_error(struct pt_regs *r
 	char *str = (trapnr == X86_TRAP_MF) ? "fpu exception" :
 						"simd exception";
 
-	if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, SIGFPE) == NOTIFY_STOP)
-		return;
 	conditional_sti(regs);
 
 	if (!user_mode_vm(regs))
 	{
-		if (!fixup_exception(regs)) {
-			task->thread.error_code = error_code;
-			task->thread.trap_nr = trapnr;
+		if (fixup_exception(regs))
+			return;
+
+		task->thread.error_code = error_code;
+		task->thread.trap_nr = trapnr;
+
+		if (notify_die(DIE_TRAP, str, regs, error_code,
+					trapnr, SIGFPE) != NOTIFY_STOP)
 			die(str, regs, error_code);
-		}
 		return;
 	}
 
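
Review bot: with notify_die() moved inside the !user_mode_vm(regs) branch, the DIE_TRAP notifier chain is no longer invoked from the top of math_error() for faults taken in user mode, where the old code called it for both modes. The changelog only argues for trying fixup_exception() first on the kernel path, so unless the code below this hunk notifies separately, please state that dropping the user-mode notification is intended or keep a call on that path. The notifiers also now run after conditional_sti(regs), so possibly with interrupts enabled, which deserves a line in the changelog.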



* [PATCH 3.16 095/366] tpm: fix race condition in tpm_common_write()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (308 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 131/366] backlight: max8925_bl: Fix Device Tree node lookup Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 160/366] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() Ben Hutchings
                   ` (56 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tadeusz Struk, Jarkko Sakkinen

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream.

There is a race condition in tpm_common_write function allowing
two threads on the same /dev/tpm<N>, or two different applications
on the same /dev/tpmrm<N> to overwrite each other's commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.

Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
[bwh: Backported to 3.16: adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/char/tpm/tpm-dev.c
+++ b/drivers/char/tpm/tpm-dev.c
@@ -26,7 +26,7 @@ struct file_priv {
 	struct tpm_chip *chip;
 
 	/* Data passed to and from the tpm via the read/write calls */
-	atomic_t data_pending;
+	size_t data_pending;
 	struct mutex buffer_mutex;
 
 	struct timer_list user_read_timer;      /* user needs to claim result */
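
Review bot: data_pending loses its own atomicity here and from now on is only safe under buffer_mutex, but nothing in struct file_priv says so. A short comment on the field, for example "protected by buffer_mutex", would keep a later lockless access from slipping through review.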
@@ -47,7 +47,7 @@ static void timeout_work(struct work_str
 	struct file_priv *priv = container_of(work, struct file_priv, work);
 
 	mutex_lock(&priv->buffer_mutex);
-	atomic_set(&priv->data_pending, 0);
+	priv->data_pending = 0;
 	memset(priv->data_buffer, 0, sizeof(priv->data_buffer));
 	mutex_unlock(&priv->buffer_mutex);
 }
@@ -74,7 +74,6 @@ static int tpm_open(struct inode *inode,
 	}
 
 	priv->chip = chip;
-	atomic_set(&priv->data_pending, 0);
 	mutex_init(&priv->buffer_mutex);
 	setup_timer(&priv->user_read_timer, user_reader_timeout,
 			(unsigned long)priv);
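
Review bot: removing the explicit initialisation in tpm_open() leaves data_pending relying on priv having been zeroed when it was allocated, and the allocation is not in the visible context. If it is not a zeroing allocation, the first tpm_write() would see a stale non-zero value and return -EBUSY; please confirm, or keep "priv->data_pending = 0;" here.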
@@ -89,28 +88,24 @@ static ssize_t tpm_read(struct file *fil
 			size_t size, loff_t *off)
 {
 	struct file_priv *priv = file->private_data;
-	ssize_t ret_size;
+	ssize_t ret_size = 0;
 	int rc;
 
 	del_singleshot_timer_sync(&priv->user_read_timer);
 	flush_work(&priv->work);
-	ret_size = atomic_read(&priv->data_pending);
-	if (ret_size > 0) {	/* relay data */
-		ssize_t orig_ret_size = ret_size;
-		if (size < ret_size)
-			ret_size = size;
+	mutex_lock(&priv->buffer_mutex);
 
-		mutex_lock(&priv->buffer_mutex);
+	if (priv->data_pending) {
+		ret_size = min_t(ssize_t, size, priv->data_pending);
 		rc = copy_to_user(buf, priv->data_buffer, ret_size);
-		memset(priv->data_buffer, 0, orig_ret_size);
+		memset(priv->data_buffer, 0, priv->data_pending);
 		if (rc)
 			ret_size = -EFAULT;
 
-		mutex_unlock(&priv->buffer_mutex);
+		priv->data_pending = 0;
 	}
 
-	atomic_set(&priv->data_pending, 0);
-
+	mutex_unlock(&priv->buffer_mutex);
 	return ret_size;
 }
 
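
Review bot: min_t(ssize_t, size, priv->data_pending) casts two size_t operands to a signed type before comparing them; min_t(size_t, ...) matches both operands and cannot yield a negative length. Separately, when size is smaller than data_pending the memset() wipes the whole pending response and data_pending is reset to 0, so a short read discards the remainder. That behaviour predates this change, but the locking rewrite is a good place to document it in a comment.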
@@ -121,17 +116,19 @@ static ssize_t tpm_write(struct file *fi
 	size_t in_size = size;
 	ssize_t out_size;
 
+	if (in_size > TPM_BUFSIZE)
+		return -E2BIG;
+
+	mutex_lock(&priv->buffer_mutex);
+
 	/* cannot perform a write until the read has cleared
 	   either via tpm_read or a user_read_timer timeout.
 	   This also prevents splitted buffered writes from blocking here.
 	*/
-	if (atomic_read(&priv->data_pending) != 0)
+	if (priv->data_pending != 0) {
+		mutex_unlock(&priv->buffer_mutex);
 		return -EBUSY;
-
-	if (in_size > TPM_BUFSIZE)
-		return -E2BIG;
-
-	mutex_lock(&priv->buffer_mutex);
+	}
 
 	if (copy_from_user
 	    (priv->data_buffer, (void __user *) buf, in_size)) {
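
Review bot: the -EBUSY branch now carries its own mutex_unlock(), so every early return after mutex_lock() in tpm_write() has to repeat the unlock by hand. A single unlock label reached by goto would keep the lock/unlock pairing in one place as exits are added. Moving the in_size > TPM_BUFSIZE check ahead of the lock is fine, since it touches no shared state.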
@@ -153,7 +150,7 @@ static ssize_t tpm_write(struct file *fi
 		return out_size;
 	}
 
-	atomic_set(&priv->data_pending, out_size);
+	priv->data_pending = out_size;
 	mutex_unlock(&priv->buffer_mutex);
 
 	/* Set a timeout by which the reader must come claim the result */
@@ -172,7 +169,7 @@ static int tpm_release(struct inode *ino
 	del_singleshot_timer_sync(&priv->user_read_timer);
 	flush_work(&priv->work);
 	file->private_data = NULL;
-	atomic_set(&priv->data_pending, 0);
+	priv->data_pending = 0;
 	clear_bit(0, &priv->chip->is_open);
 	put_device(priv->chip->dev);
 	kfree(priv);
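
Review bot: "priv->data_pending = 0;" in tpm_release() is written without buffer_mutex, which contradicts the changelog's statement that the field is only touched under that mutex, and the store is dead anyway because kfree(priv) follows three lines later. Dropping the assignment would make the stated locking rule hold everywhere.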



* [PATCH 3.16 093/366] libata: zpodd: make arrays cdb static, reduces object code size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (356 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 252/366] mm: refuse wrapped vm_brk requests Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 354/366] perf script: Use readdir() instead of deprecated readdir_r() Ben Hutchings
                   ` (8 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Colin Ian King, Tejun Heo

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 795ef788145ed2fa023efdf11e8d5d7bedc21462 upstream.

Don't populate the arrays cdb on the stack, instead make them static.
Makes the object code smaller by 230 bytes:

Before:
   text	   data	    bss	    dec	    hex	filename
   3797	    240	      0	   4037	    fc5	drivers/ata/libata-zpodd.o

After:
   text	   data	    bss	    dec	    hex	filename
   3407	    400	      0	   3807	    edf	drivers/ata/libata-zpodd.o

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-zpodd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -34,7 +34,7 @@ struct zpodd {
 static int eject_tray(struct ata_device *dev)
 {
 	struct ata_taskfile tf;
-	const char cdb[] = {  GPCMD_START_STOP_UNIT,
+	static const char cdb[] = {  GPCMD_START_STOP_UNIT,
 		0, 0, 0,
 		0x02,     /* LoEj */
 		0, 0, 0, 0, 0, 0, 0,
@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech
 	unsigned int ret;
 	struct rm_feature_desc *desc = (void *)(buf + 8);
 	struct ata_taskfile tf;
-	char cdb[] = {  GPCMD_GET_CONFIGURATION,
+	static const char cdb[] = {  GPCMD_GET_CONFIGURATION,
 			2,      /* only 1 feature descriptor requested */
 			0, 3,   /* 3, removable medium feature */
 			0, 0, 0,/* reserved */
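
Review bot: the cdb[] in zpodd_get_mech_type() was a plain char array and becomes "static const" here, while the changelog only talks about making the arrays static. Adding const is right for a table that is never written, but it should be mentioned in the changelog, and the function that receives cdb must take a const pointer for this to build without a warning or a cast.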



* [PATCH 3.16 154/366] xfrm_user: prevent leaking 2 bytes of kernel memory
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 156/366] MIPS: io: Add barrier after register read in inX() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 005/366] staging: rtl8192ee: Fix misleading indentation Ben Hutchings
                   ` (112 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Steffen Klassert, Herbert Xu, Eric Dumazet, syzbot

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 45c180bc29babbedd6b8c01b975780ef44d9d09c upstream.

struct xfrm_userpolicy_type has two holes, so we should not
use C99 style initializer.

KMSAN report:

BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
 kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
 kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
 copyout lib/iov_iter.c:140 [inline]
 _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
 copy_to_iter include/linux/uio.h:106 [inline]
 skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
 skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
 netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
 sock_recvmsg_nosec net/socket.c:802 [inline]
 sock_recvmsg+0x1d6/0x230 net/socket.c:809
 ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
 __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
 do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
 __do_sys_recvmmsg net/socket.c:2485 [inline]
 __se_sys_recvmmsg net/socket.c:2481 [inline]
 __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x446ce9
RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
 kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
 __nla_put lib/nlattr.c:569 [inline]
 nla_put+0x276/0x340 lib/nlattr.c:627
 copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
 dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
 xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
 xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
 netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
 __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
 netlink_dump_start include/linux/netlink.h:214 [inline]
 xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
 netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
 xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg net/socket.c:639 [inline]
 ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
 __sys_sendmsg net/socket.c:2155 [inline]
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
 do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Local variable description: ----upt.i@dump_one_policy
Variable was created at:
 dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
 xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013

Byte 130 of 137 is uninitialized
Memory access starts at ffff88019550407f

Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_user.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1515,9 +1515,11 @@ static inline size_t userpolicy_type_att
 #ifdef CONFIG_XFRM_SUB_POLICY
 static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
 {
-	struct xfrm_userpolicy_type upt = {
-		.type = type,
-	};
+	struct xfrm_userpolicy_type upt;
+
+	/* Sadly there are two holes in struct xfrm_userpolicy_type */
+	memset(&upt, 0, sizeof(upt));
+	upt.type = type;
 
 	return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
 }
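
Review bot: the new comment says the struct has two holes but not why that rules out the initializer, so a later cleanup could reintroduce "= { .type = type }". Suggest spelling it out: padding is not guaranteed to be zeroed by a designated initializer, and nla_put() copies all sizeof(upt) bytes to userspace.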


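
The two holes named in the commit message above, as an added example that is not part of the patch or of the kernel source: a userspace replica of the struct (assumed to match the member order in include/uapi/linux/xfrm.h; all helper names are hypothetical) maps its padding bytes and counts how many stale bytes reach the output with and without the memset(). The 0xAA poison and the byte-buffer model of a members-only initializer are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Replica of the UAPI member layout (assumption, see the lead-in). */
struct upt_replica {
	uint8_t  type;
	uint16_t reserved1;
	uint8_t  reserved2;
};

#define UPT_SIZE sizeof(struct upt_replica)

struct member { size_t off, len; };
#define MEMBER(m) { offsetof(struct upt_replica, m), \
		    sizeof(((struct upt_replica *)0)->m) }

static const struct member upt_members[] = {
	MEMBER(type), MEMBER(reserved1), MEMBER(reserved2),
};
#define N_MEMBERS (sizeof(upt_members) / sizeof(upt_members[0]))

/* map[i] = 1 for bytes owned by a member, 0 for padding.
 * Returns the number of padding bytes. */
static size_t map_holes(unsigned char map[UPT_SIZE])
{
	size_t i, j, holes = 0;

	memset(map, 0, UPT_SIZE);
	for (i = 0; i < N_MEMBERS; i++)
		for (j = 0; j < upt_members[i].len; j++)
			map[upt_members[i].off + j] = 1;
	for (i = 0; i < UPT_SIZE; i++)
		holes += !map[i];
	return holes;
}

static size_t hole_count(void)
{
	unsigned char map[UPT_SIZE];

	return map_holes(map);
}

/* Store one member's bytes at its offset inside the raw object. */
static void put_member(unsigned char *obj, size_t idx, const void *val)
{
	memcpy(obj + upt_members[idx].off, val, upt_members[idx].len);
}

/* "Before": only the members are written. This models what a compiler
 * is permitted to do for `= { .type = type }`; padding is untouched. */
static void fill_members_only(unsigned char *obj, uint8_t type)
{
	const uint16_t r1 = 0;
	const uint8_t r2 = 0;

	put_member(obj, 0, &type);
	put_member(obj, 1, &r1);
	put_member(obj, 2, &r2);
}

/* "After": the pattern from the patch, clear everything then assign. */
static void fill_cleared(unsigned char *obj, uint8_t type)
{
	memset(obj, 0, UPT_SIZE);
	put_member(obj, 0, &type);
}

/* Build the object in storage poisoned with 0xAA (stand-in for stale
 * stack contents), copy all UPT_SIZE bytes out the way nla_put() copies
 * sizeof(upt), and count poisoned padding bytes in the output. */
static size_t stale_bytes_copied(int clear_first, uint8_t type)
{
	unsigned char obj[UPT_SIZE], wire[UPT_SIZE], map[UPT_SIZE];
	size_t i, stale = 0;

	memset(obj, 0xAA, sizeof(obj));
	if (clear_first)
		fill_cleared(obj, type);
	else
		fill_members_only(obj, type);
	memcpy(wire, obj, sizeof(wire));

	map_holes(map);
	for (i = 0; i < UPT_SIZE; i++)
		if (!map[i] && wire[i] == 0xAA)
			stale++;
	return stale;
}

int main(void)
{
	printf("sizeof=%zu holes=%zu\n", UPT_SIZE, hole_count());
	printf("members-only init: %zu stale byte(s) copied out\n",
	       stale_bytes_copied(0, 1));
	printf("memset then assign: %zu stale byte(s) copied out\n",
	       stale_bytes_copied(1, 1));
	return 0;
}
```

The same byte map can be pointed at any other structure that is copied out whole by adding its members to the table.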

* [PATCH 3.16 094/366] libata: zpodd: small read overflow in eject_tray()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (342 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 118/366] net: metrics: add proper netlink validation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 192/366] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Ben Hutchings
                   ` (22 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Dan Carpenter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 18c9a99bce2a57dfd7e881658703b5d7469cc7b9 upstream.

We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Fixes: 213342053db5 ("libata: handle power transition of ODD")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-zpodd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -34,7 +34,7 @@ struct zpodd {
 static int eject_tray(struct ata_device *dev)
 {
 	struct ata_taskfile tf;
-	static const char cdb[] = {  GPCMD_START_STOP_UNIT,
+	static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_START_STOP_UNIT,
 		0, 0, 0,
 		0x02,     /* LoEj */
 		0, 0, 0, 0, 0, 0, 0,
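
Review bot: sizing the array as cdb[ATAPI_CDB_LEN] fixes eject_tray(), but the other cdb[] in this file, in zpodd_get_mech_type() (visible in patch 093 of this series), still has an implicit length taken from its initializer. If it is read the same way, it needs the same explicit size; please check it in this patch or say why it is not affected.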



* [PATCH 3.16 102/366] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (295 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 219/366] x86/cpufeatures: Hide AMD-specific speculation flags Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 099/366] mtd: cfi_cmdset_0002: Change erase functions to check chip good only Ben Hutchings
                   ` (69 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Lorenzo Dalrio, Richard W.M. Jones, Hans de Goede, Tejun Heo

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 2cfce3a86b64b53f0a70e92a6a659c720c319b45 upstream.

Commit 184add2ca23c ("libata: Apply NOLPM quirk for SanDisk
SD7UB3Q*G1001 SSDs") disabled LPM for SanDisk SD7UB3Q*G1001 SSDs.

This has led to several reports of users of that SSD where LPM
was working fine and who now have a significantly increased idle
power consumption on their laptops.

Likely there is another problem on the T450s from the original
reporter which gets exposed by the uncore reaching deeper sleep
states (higher PC-states) due to LPM being enabled. The problem as
reported, a hardfreeze about once a day, already did not sound like
it would be caused by LPM and the reports of the SSD working fine
confirm this. The original reporter is ok with dropping the quirk.

A X250 user has reported the same hard freeze problem and for him
the problem went away after unrelated updates, I suspect some GPU
driver stack changes fixed things.

TL;DR: The original reporter's problems were triggered by LPM but not
an LPM issue, so drop the quirk for the SSD in question.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1583207
Cc: Richard W.M. Jones <rjones@redhat.com>
Cc: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
Reported-by: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: "Richard W.M. Jones" <rjones@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4243,9 +4243,6 @@ static const struct ata_blacklist_entry
 	{ "Crucial_CT960M500*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM |
 						ATA_HORKAGE_NOLPM, },
 
-	/* Sandisk devices which are known to not handle LPM well */
-	{ "SanDisk SD7UB3Q*G1001",	NULL,	ATA_HORKAGE_NOLPM, },
-
 	/* devices that don't properly handle queued TRIM commands */
 	{ "Micron_M500IT_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
 	{ "Micron_M500_*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },



* [PATCH 3.16 025/366] mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (272 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 134/366] UBIFS: Fix potential integer overflow in allocation Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 190/366] batman-adv: unify flags access style in tt global add Ben Hutchings
                   ` (92 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Dan Carpenter

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 01eca2842874b9a85b7cd1e1b0e5b34a5d53a21f upstream.

If "evt_len" is 1 then we try to memcpy() negative 3 bytes and it would
cause memory corruption.

Fixes: d930faee141b ("mwifiex: add support for Marvell pcie8766 chipset")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/pcie.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/mwifiex/pcie.c
+++ b/drivers/net/wireless/mwifiex/pcie.c
@@ -1692,7 +1692,8 @@ static int mwifiex_pcie_process_event_re
 		skb_pull(skb_cmd, INTF_HEADER_LEN);
 		dev_dbg(adapter->dev, "info: Event length: %d\n", evt_len);
 
-		if ((evt_len > 0) && (evt_len  < MAX_EVENT_SIZE))
+		if (evt_len > MWIFIEX_EVENT_HEADER_LEN &&
+		    evt_len < MAX_EVENT_SIZE)
 			memcpy(adapter->event_body, skb_cmd->data +
 			       MWIFIEX_EVENT_HEADER_LEN, evt_len -
 			       MWIFIEX_EVENT_HEADER_LEN);
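
Review bot: when evt_len fails the tightened check the memcpy() is skipped, but nothing in the visible lines reports the bad length or stops processing, so adapter->event_body keeps whatever a previous event left in it. An else branch that logs the length and drops the event would make malformed events from the device visible instead of silently handled with stale data.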



* [PATCH 3.16 014/366] fuse: atomic_o_trunc should truncate pagecache
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (332 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 356/366] perf tools: Use readdir() instead of deprecated readdir_r() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 006/366] fnic: Fix misleading indentation Ben Hutchings
                   ` (32 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Miklos Szeredi, Chad Austin

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit df0e91d488276086bc07da2e389986cae0048c37 upstream.

Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
O_TRUNC flag in the OPEN request to truncate the file atomically with the
open.

In this mode there's no need to send a SETATTR request to userspace after
the open, so fuse_do_setattr() checks this mode and returns.  But this
misses the important step of truncating the pagecache.

Add the missing parts of truncation to the ATTR_OPEN branch.

Reported-by: Chad Austin <chadaustin@fb.com>
Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dir.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1728,8 +1728,19 @@ int fuse_do_setattr(struct dentry *dentr
 		return err;
 
 	if (attr->ia_valid & ATTR_OPEN) {
-		if (fc->atomic_o_trunc)
+		/* This is coming from open(..., ... | O_TRUNC); */
+		WARN_ON(!(attr->ia_valid & ATTR_SIZE));
+		WARN_ON(attr->ia_size != 0);
+		if (fc->atomic_o_trunc) {
+			/*
+			 * No need to send request to userspace, since actual
+			 * truncation has already been done by OPEN.  But still
+			 * need to truncate page cache.
+			 */
+			i_size_write(inode, 0);
+			truncate_pagecache(inode, 0);
 			return 0;
+		}
 		file = NULL;
 	}
 
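
Review bot: the two WARN_ON() checks only report; if attr->ia_size is non-zero the atomic_o_trunc branch still runs i_size_write(inode, 0) and truncate_pagecache(inode, 0), so a caller that violates the assumption gets its cached data discarded after the warning. Consider WARN_ON_ONCE() to avoid flooding the log, and returning an error or skipping the truncation when the assumptions do not hold.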



* [PATCH 3.16 026/366] usb: do not reset if a low-speed or full-speed device timed out
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (287 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 290/366] fscache: Fix reference overput in fscache_attach_object() error handling Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 235/366] USB: serial: keyspan_pda: fix modem-status error handling Ben Hutchings
                   ` (77 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Maxim Moseychuk

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>

commit 6e01827ed93947895680fbdad68c072a0f4e2450 upstream.

Some low-speed and full-speed devices (for example, bluetooth)
do not have time to initialize. For them, ETIMEDOUT is a valid error.
We need to give them another try. Otherwise, they will
never be initialized correctly and in dmesg will be messages
"Bluetooth: hci0 command 0x1002 tx timeout" or similar.

Fixes: 264904ccc33c ("usb: retry reset if a device times out")
Signed-off-by: Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4381,7 +4381,9 @@ hub_port_init (struct usb_hub *hub, stru
 				 * reset. But only on the first attempt,
 				 * lest we get into a time out/reset loop
 				 */
-				if (r == 0  || (r == -ETIMEDOUT && retries == 0))
+				if (r == 0 || (r == -ETIMEDOUT &&
+						retries == 0 &&
+						udev->speed > USB_SPEED_FULL))
 					break;
 			}
 			udev->descriptor.bMaxPacketSize0 =
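
Review bot: the comment above the condition still describes only the first-attempt rule and says nothing about the new "udev->speed > USB_SPEED_FULL" test, so the speed check reads as arbitrary. Please extend the comment with the reason given in the changelog, that low-speed and full-speed devices may legitimately time out and need another try.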



* [PATCH 3.16 022/366] media: cx231xx: Add support for AverMedia DVD EZMaker 7
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 030/366] ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 156/366] MIPS: io: Add barrier after register read in inX() Ben Hutchings
                   ` (114 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Kai-Heng Feng, Hans Verkuil

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 29e61d6ef061b012d320327af7dbb3990e75be45 upstream.

User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER.
Add the device to the id_table to make it work.

BugLink: https://bugs.launchpad.net/bugs/1620762

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/cx231xx/cx231xx-cards.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -727,6 +727,9 @@ struct usb_device_id cx231xx_id_table[]
 	 .driver_info = CX231XX_BOARD_CNXT_RDE_250},
 	{USB_DEVICE(0x0572, 0x58A0),
 	 .driver_info = CX231XX_BOARD_CNXT_RDU_250},
+	/* AverMedia DVD EZMaker 7 */
+	{USB_DEVICE(0x07ca, 0xc039),
+	 .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER},
 	{USB_DEVICE(0x2040, 0xb110),
 	 .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL},
 	{USB_DEVICE(0x2040, 0xb111),



* [PATCH 3.16 024/366] PCI: ibmphp: Fix use-before-set in get_max_bus_speed()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (243 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 318/366] use ->d_seq to get coherency between ->d_inode and ->d_flags Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 098/366] mtd: cfi_cmdset_0002: Change erase functions to retry for error Ben Hutchings
                   ` (121 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Bjorn Helgaas

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4051f5ebb11c6ef4b0d3eac2fbbd187c070656c5 upstream.

The "rc" variable is only initialized on the error path.  The caller
doesn't check the return but, if "rc" is non-zero, then this function is
basically a no-op.

Fixes: 3749c51ac6c1 ("PCI: Make current and maximum bus speeds part of the PCI core")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/hotplug/ibmphp_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pci/hotplug/ibmphp_core.c
+++ b/drivers/pci/hotplug/ibmphp_core.c
@@ -397,7 +397,7 @@ static int get_adapter_present(struct ho
 
 static int get_max_bus_speed(struct slot *slot)
 {
-	int rc;
+	int rc = 0;
 	u8 mode = 0;
 	enum pci_bus_speed speed;
 	struct pci_bus *bus = slot->hotplug_slot->pci_slot->bus;
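
Review bot: initialising rc at its declaration fixes the use-before-set, but it also silences the compiler's uninitialised-variable warning for any path added to get_max_bus_speed() later. Assigning rc = 0 on the success path would keep that diagnostic. Since the changelog notes that the caller does not check the return value, it would help to say whether that is going to be addressed separately.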



* [PATCH 3.16 029/366] ASoC: cirrus: i2s: Fix LRCLK configuration
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (337 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 347/366] arm64: use linux/types.h in kvm.h Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 312/366] packet: refine ring v3 block size test to hold one frame Ben Hutchings
                   ` (27 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexander Sverdlin, Mark Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander.sverdlin@gmail.com>

commit 2d534113be9a2aa532a1ae127a57e83558aed358 upstream.

The bit responsible for LRCLK polarity is i2s_tlrs (0), not i2s_trel (2)
(refer to "EP93xx User's Guide").

Previously card drivers which specified SND_SOC_DAIFMT_NB_IF actually got
SND_SOC_DAIFMT_NB_NF, an adaptation is necessary to retain the old
behavior.

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/cirrus/edb93xx.c     | 2 +-
 sound/soc/cirrus/ep93xx-i2s.c  | 8 ++++----
 sound/soc/cirrus/snappercl15.c | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/cirrus/edb93xx.c
+++ b/sound/soc/cirrus/edb93xx.c
@@ -67,7 +67,7 @@ static struct snd_soc_dai_link edb93xx_d
 	.cpu_dai_name	= "ep93xx-i2s",
 	.codec_name	= "spi0.0",
 	.codec_dai_name	= "cs4271-hifi",
-	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
 			  SND_SOC_DAIFMT_CBS_CFS,
 	.ops		= &edb93xx_ops,
 };
--- a/sound/soc/cirrus/ep93xx-i2s.c
+++ b/sound/soc/cirrus/ep93xx-i2s.c
@@ -213,24 +213,24 @@ static int ep93xx_i2s_set_dai_fmt(struct
 	switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
 	case SND_SOC_DAIFMT_NB_NF:
 		/* Negative bit clock, lrclk low on left word */
-		clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL);
+		clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS);
 		break;
 
 	case SND_SOC_DAIFMT_NB_IF:
 		/* Negative bit clock, lrclk low on right word */
 		clk_cfg &= ~EP93XX_I2S_CLKCFG_CKP;
-		clk_cfg |= EP93XX_I2S_CLKCFG_REL;
+		clk_cfg |= EP93XX_I2S_CLKCFG_LRS;
 		break;
 
 	case SND_SOC_DAIFMT_IB_NF:
 		/* Positive bit clock, lrclk low on left word */
 		clk_cfg |= EP93XX_I2S_CLKCFG_CKP;
-		clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+		clk_cfg &= ~EP93XX_I2S_CLKCFG_LRS;
 		break;
 
 	case SND_SOC_DAIFMT_IB_IF:
 		/* Positive bit clock, lrclk low on right word */
-		clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL;
+		clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS;
 		break;
 	}
 
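
Review bot: after this change none of the four cases in the switch writes EP93XX_I2S_CLKCFG_REL, so that bit keeps whatever value clk_cfg had on entry. If it can be set anywhere else, clear it explicitly before the switch, or add a comment that it is deliberately left at its existing value.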
--- a/sound/soc/cirrus/snappercl15.c
+++ b/sound/soc/cirrus/snappercl15.c
@@ -72,7 +72,7 @@ static struct snd_soc_dai_link snappercl
 	.codec_dai_name	= "tlv320aic23-hifi",
 	.codec_name	= "tlv320aic23-codec.0-001a",
 	.platform_name	= "ep93xx-i2s",
-	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
+	.dai_fmt	= SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
 			  SND_SOC_DAIFMT_CBS_CFS,
 	.ops		= &snappercl15_ops,
 };



* [PATCH 3.16 028/366] sctp: fix identification of new acks for SFR-CACC
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (172 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 299/366] ipv4: remove BUG_ON() from fib_compute_spec_dst Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 324/366] ceph: fix llistxattr on symlink Ben Hutchings
                   ` (192 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Xin Long, Marcelo Ricardo Leitner, David S. Miller, Neil Horman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

commit 51446780fc33e45cb790c05a7fa2c5bf7e8bc53b upstream.

It's currently written as:

if (!tchunk->tsn_gap_acked) {   [1]
	tchunk->tsn_gap_acked = 1;
	...
}

if (TSN_lte(tsn, sack_ctsn)) {
	if (!tchunk->tsn_gap_acked) {
		/* SFR-CACC processing */
		...
	}
}

Which causes the SFR-CACC processing on ack reception to never process,
as tchunk->tsn_gap_acked is always true by then. Block [1] was
moved to that position by the commit marked below.

This patch fixes it by doing SFR-CACC processing earlier, before
tsn_gap_acked is set to true.

Fixes: 31b02e154940 ("sctp: Failover transmitted list on transport delete")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/outqueue.c | 48 ++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 25 deletions(-)

--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -1346,7 +1346,7 @@ static void sctp_check_transmitted(struc
 			 * the outstanding bytes for this chunk, so only
 			 * count bytes associated with a transport.
 			 */
-			if (transport) {
+			if (transport && !tchunk->tsn_gap_acked) {
 				/* If this chunk is being used for RTT
 				 * measurement, calculate the RTT and update
 				 * the RTO using this value.
@@ -1358,14 +1358,34 @@ static void sctp_check_transmitted(struc
 				 * first instance of the packet or a later
 				 * instance).
 				 */
-				if (!tchunk->tsn_gap_acked &&
-				    !tchunk->resent &&
+				if (!tchunk->resent &&
 				    tchunk->rtt_in_progress) {
 					tchunk->rtt_in_progress = 0;
 					rtt = jiffies - tchunk->sent_at;
 					sctp_transport_update_rto(transport,
 								  rtt);
 				}
+
+				if (TSN_lte(tsn, sack_ctsn)) {
+					/*
+					 * SFR-CACC algorithm:
+					 * 2) If the SACK contains gap acks
+					 * and the flag CHANGEOVER_ACTIVE is
+					 * set the receiver of the SACK MUST
+					 * take the following action:
+					 *
+					 * B) For each TSN t being acked that
+					 * has not been acked in any SACK so
+					 * far, set cacc_saw_newack to 1 for
+					 * the destination that the TSN was
+					 * sent to.
+					 */
+					if (sack->num_gap_ack_blocks &&
+					    q->asoc->peer.primary_path->cacc.
+					    changeover_active)
+						transport->cacc.cacc_saw_newack
+							= 1;
+				}
 			}
 
 			/* If the chunk hasn't been marked as ACKED,
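Review bot: the SFR-CACC block added inside `if (transport && !tchunk->tsn_gap_acked)` only works while that test stays ahead of the place where tsn_gap_acked is set, which is exactly the ordering the commit message says was broken before. A one-line comment at the top of the new `if (TSN_lte(tsn, sack_ctsn))` block stating that it must run before tsn_gap_acked is set would keep a later reorder from silently disabling it again. The member accesses split across lines (`cacc.` / `changeover_active`, `cacc_saw_newack` / `= 1`) would also read better through a local pointer to the primary path.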
@@ -1397,28 +1417,6 @@ static void sctp_check_transmitted(struc
 				restart_timer = 1;
 				forward_progress = true;
 
-				if (!tchunk->tsn_gap_acked) {
-					/*
-					 * SFR-CACC algorithm:
-					 * 2) If the SACK contains gap acks
-					 * and the flag CHANGEOVER_ACTIVE is
-					 * set the receiver of the SACK MUST
-					 * take the following action:
-					 *
-					 * B) For each TSN t being acked that
-					 * has not been acked in any SACK so
-					 * far, set cacc_saw_newack to 1 for
-					 * the destination that the TSN was
-					 * sent to.
-					 */
-					if (transport &&
-					    sack->num_gap_ack_blocks &&
-					    q->asoc->peer.primary_path->cacc.
-					    changeover_active)
-						transport->cacc.cacc_saw_newack
-							= 1;
-				}
-
 				list_add_tail(&tchunk->transmitted_list,
 					      &q->sacked);
 			} else {



* [PATCH 3.16 027/366] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (344 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 192/366] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 165/366] xen-netfront: use different locks for Rx and Tx stats Ben Hutchings
                   ` (20 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-xtensa, Max Filippov, Chris Zankel, Eric W. Biederman

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 7de712ccc096b81d23cc0a941cd9b8cb3956605d upstream.

While working on changing this code to use force_sig_fault I
discovered that do_unaligned_user sets si_signo to SIGBUS and passes
SIGSEGV to force_sig_info.  Which is just b0rked.

The code is reporting a SIGBUS error so replace the SIGSEGV with SIGBUS.

Cc: Chris Zankel <chris@zankel.net>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Cc: linux-xtensa@linux-xtensa.org
Acked-by: Max Filippov <jcmvbkbc@gmail.com>
Fixes: 5a0015d62668 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 3")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/kernel/traps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/xtensa/kernel/traps.c
+++ b/arch/xtensa/kernel/traps.c
@@ -282,7 +282,7 @@ do_unaligned_user (struct pt_regs *regs)
 	info.si_errno = 0;
 	info.si_code = BUS_ADRALN;
 	info.si_addr = (void *) regs->excvaddr;
-	force_sig_info(SIGSEGV, &info, current);
+	force_sig_info(SIGBUS, &info, current);
 
 }
 #endif
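Review bot: `force_sig_info(SIGBUS, &info, current);` still spells the signal number a second time, separately from the si_signo field the commit message says is already set to SIGBUS, which is how the two came to disagree. Passing `info.si_signo` as the first argument, or setting both from one local, would keep them from diverging again.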



* [PATCH 3.16 005/366] staging: rtl8192ee: Fix misleading indentation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (253 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 154/366] xfrm_user: prevent leaking 2 bytes of kernel memory Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 250/366] mm, elf: handle vm_brk error Ben Hutchings
                   ` (111 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Fix the compiler warnings:

drivers/staging/rtl8192ee/rtl8192ee/hw.c:524:4: warning: this 'if' clause does not guard...
drivers/staging/rtl8192ee/rtl8192ee/hw.c:529:5: warning: this 'if' clause does not guard...
drivers/staging/rtl8192ee/btcoexist/halbtc8821a2ant.c:2338:2: warning: this 'else' clause does not guard...

by changing the indentation of these statements to match the upstream
code in drivers/net/wireless/realtek/rtlwifi/rtl8192ee/hw.c and
drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtc8821a2ant.c.

These were fixed upstream when the driver was removed from staging and
re-added with some clean-ups.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/staging/rtl8192ee/rtl8192ee/hw.c
+++ b/drivers/staging/rtl8192ee/rtl8192ee/hw.c
@@ -523,17 +523,17 @@ void rtl92ee_set_hw_reg(struct ieee80211
 			fac = (1 << (fac + 2));
 			if (fac > 0xf)
 				fac = 0xf;
-				for (i = 0; i < 4; i++) {
+			for (i = 0; i < 4; i++) {
 				if ((reg[i] & 0xf0) > (fac << 4))
 					reg[i] = (reg[i] & 0x0f) | (fac << 4);
 				if ((reg[i] & 0x0f) > fac)
 					reg[i] = (reg[i] & 0xf0) | fac;
-					rtl_write_byte(rtlpriv,
-						       (REG_AGGLEN_LMT + i),
-						       reg[i]);
-				}
-				RT_TRACE(COMP_MLME, DBG_LOUD,
-					("Set HW_VAR_AMPDU_FACTOR:%#x\n", fac));
+				rtl_write_byte(rtlpriv,
+					       (REG_AGGLEN_LMT + i),
+					       reg[i]);
+			}
+			RT_TRACE(COMP_MLME, DBG_LOUD,
+				 ("Set HW_VAR_AMPDU_FACTOR:%#x\n", fac));
 		}
 		break; }
 	case HW_VAR_AC_PARAM:{
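Review bot: in the rtl92ee_set_hw_reg() hunk the re-indented `rtl_write_byte(rtlpriv, (REG_AGGLEN_LMT + i), reg[i]);` was visually nested under `if ((reg[i] & 0x0f) > fac)` but never guarded by it, so the register is written on every loop iteration both before and after this patch. The commit message should say explicitly that the change is whitespace-only and that the unconditional write is the intended behaviour, since the old layout suggested otherwise.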
--- a/drivers/staging/rtl8192ee/btcoexist/halbtc8821a2ant.c
+++ b/drivers/staging/rtl8192ee/btcoexist/halbtc8821a2ant.c
@@ -2339,8 +2339,8 @@ static void halbtc8821a2ant_action_pan_e
 		halbtc8821a2ant_coex_table(btcoexist, NORMAL_EXEC, 0x55ff55ff,
 					   0x5aff5aff, 0xffff, 0x3);
 
-		if (BTC_WIFI_BW_HT40 == wifi_bw) {
-			/*  fw mechanism */
+	if (BTC_WIFI_BW_HT40 == wifi_bw) {
+		/*  fw mechanism */
 		if ((bt_rssi_state == BTC_RSSI_STATE_HIGH) ||
 		    (bt_rssi_state == BTC_RSSI_STATE_STAY_HIGH))
 			ps21a_tdma(btcoexist, NORMAL_EXEC, true, 1);



* [PATCH 3.16 023/366] media: rc: mce_kbd decoder: fix stuck keys
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 083/366] IB/isert: Fix for lib/dma_debug check_sync warning Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 200/366] netfilter: nf_log: don't hold nf_log_mutex during user access Ben Hutchings
                   ` (233 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sean Young, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

commit 63039c29f7a4ce8a8bd165173840543c0098d7b0 upstream.

The MCE Remote sends a 0 scancode when keys are released. If this is not
received or decoded, then keys can get "stuck"; the keyup event is not
sent since the input_sync() is missing from the timeout handler.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: s/raw->mce_kbd\.idev/mce_kbd->idev/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/rc/ir-mce_kbd-decoder.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/rc/ir-mce_kbd-decoder.c
+++ b/drivers/media/rc/ir-mce_kbd-decoder.c
@@ -130,6 +130,8 @@ static void mce_kbd_rx_timeout(unsigned
 
 	for (i = 0; i < MCIR2_MASK_KEYS_START; i++)
 		input_report_key(mce_kbd->idev, kbd_keycodes[i], 0);
+
+	input_sync(mce_kbd->idev);
 }
 
 static enum mce_kbd_mode mce_kbd_mode(struct mce_kbd_dec *data)



* [PATCH 3.16 030/366] ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 280/366] can: dev: Consolidate and unify state change handling Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 022/366] media: cx231xx: Add support for AverMedia DVD EZMaker 7 Ben Hutchings
                   ` (115 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexander Sverdlin, Mark Brown

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander.sverdlin@gmail.com>

commit 5d302ed3cc80564fb835bed5fdba1e1250ecc9e5 upstream.

According to "EP93xx User’s Guide", I2STXLinCtrlData and I2SRXLinCtrlData
registers actually have different format. The only currently used bit
(Left_Right_Justify) has different position. Fix this and simplify the
whole setup taking into account the fact that both registers have zero
default value.

The practical effect of the above is repaired SND_SOC_DAIFMT_RIGHT_J
support (currently unused).

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/cirrus/ep93xx-i2s.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/sound/soc/cirrus/ep93xx-i2s.c
+++ b/sound/soc/cirrus/ep93xx-i2s.c
@@ -51,7 +51,9 @@
 #define EP93XX_I2S_WRDLEN_24		(1 << 0)
 #define EP93XX_I2S_WRDLEN_32		(2 << 0)
 
-#define EP93XX_I2S_LINCTRLDATA_R_JUST	(1 << 2) /* Right justify */
+#define EP93XX_I2S_RXLINCTRLDATA_R_JUST	BIT(1) /* Right justify */
+
+#define EP93XX_I2S_TXLINCTRLDATA_R_JUST	BIT(2) /* Right justify */
 
 #define EP93XX_I2S_CLKCFG_LRS		(1 << 0) /* lrclk polarity */
 #define EP93XX_I2S_CLKCFG_CKP		(1 << 1) /* Bit clock polarity */
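Review bot: the two new R_JUST defines use BIT() while every neighbouring define in this hunk (`EP93XX_I2S_WRDLEN_24`, `EP93XX_I2S_CLKCFG_LRS`, `EP93XX_I2S_CLKCFG_CKP`) uses the `(1 << n)` form. Keep one style within the block, and extend the trailing comments to say which register each bit belongs to, since the differing bit position between RX and TX is the whole point of the fix.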
@@ -170,25 +172,25 @@ static int ep93xx_i2s_set_dai_fmt(struct
 				  unsigned int fmt)
 {
 	struct ep93xx_i2s_info *info = snd_soc_dai_get_drvdata(cpu_dai);
-	unsigned int clk_cfg, lin_ctrl;
+	unsigned int clk_cfg;
+	unsigned int txlin_ctrl = 0;
+	unsigned int rxlin_ctrl = 0;
 
 	clk_cfg  = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXCLKCFG);
-	lin_ctrl = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXLINCTRLDATA);
 
 	switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
 	case SND_SOC_DAIFMT_I2S:
 		clk_cfg |= EP93XX_I2S_CLKCFG_REL;
-		lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
 		break;
 
 	case SND_SOC_DAIFMT_LEFT_J:
 		clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
-		lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
 		break;
 
 	case SND_SOC_DAIFMT_RIGHT_J:
 		clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
-		lin_ctrl |= EP93XX_I2S_LINCTRLDATA_R_JUST;
+		rxlin_ctrl |= EP93XX_I2S_RXLINCTRLDATA_R_JUST;
+		txlin_ctrl |= EP93XX_I2S_TXLINCTRLDATA_R_JUST;
 		break;
 
 	default:
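Review bot: `txlin_ctrl` and `rxlin_ctrl` now start from 0 instead of the value read back from EP93XX_I2S_RXLINCTRLDATA, so the register writes at the end of ep93xx_i2s_set_dai_fmt() clear every other bit in both LinCtrlData registers rather than preserving them. The commit message justifies this by the zero default value, but the code has no comment; add one at the declarations so that a future user of another bit in these registers does not have it silently reset here.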
@@ -237,8 +239,8 @@ static int ep93xx_i2s_set_dai_fmt(struct
 	/* Write new register values */
 	ep93xx_i2s_write_reg(info, EP93XX_I2S_RXCLKCFG, clk_cfg);
 	ep93xx_i2s_write_reg(info, EP93XX_I2S_TXCLKCFG, clk_cfg);
-	ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, lin_ctrl);
-	ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, lin_ctrl);
+	ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, rxlin_ctrl);
+	ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, txlin_ctrl);
 	return 0;
 }
 



* [PATCH 3.16 020/366] pinctrl: samsung: Correct EINTG banks order
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (317 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 181/366] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Ben Hutchings
                   ` (47 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paweł Chmiel, Krzysztof Kozlowski, Tomasz Figa

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>

commit 5cf9a338db94cfd570aa2607bef1b30996f188e3 upstream.

All banks with GPIO interrupts should be at beginning of bank array and
without any other types of banks between them.  This order is expected
by exynos_eint_gpio_irq, when doing interrupt group to bank translation.
Otherwise, kernel NULL pointer dereference would happen when trying to
handle interrupt, due to wrong bank being looked up.  Observed on
s5pv210, when trying to handle gpj0 interrupt, where kernel was mapping
it to gpi bank.

Fixes: 023e06dfa688 ("pinctrl: exynos: add exynos5410 SoC specific data")
Fixes: 608a26a7bc04 ("pinctrl: Add s5pv210 support to pinctrl-exynos)
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Reviewed-by: Tomasz Figa <tomasz.figa@gmail.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
[bwh: Backported to 3.16:
 - Drop change to exynos5410_pin_banks0
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/pinctrl/pinctrl-exynos.c
+++ b/drivers/pinctrl/pinctrl-exynos.c
@@ -679,12 +679,12 @@ static struct samsung_pin_bank s5pv210_p
 	EXYNOS_PIN_BANK_EINTG(7, 0x1c0, "gpg1", 0x38),
 	EXYNOS_PIN_BANK_EINTG(7, 0x1e0, "gpg2", 0x3c),
 	EXYNOS_PIN_BANK_EINTG(7, 0x200, "gpg3", 0x40),
-	EXYNOS_PIN_BANK_EINTN(7, 0x220, "gpi"),
 	EXYNOS_PIN_BANK_EINTG(8, 0x240, "gpj0", 0x44),
 	EXYNOS_PIN_BANK_EINTG(6, 0x260, "gpj1", 0x48),
 	EXYNOS_PIN_BANK_EINTG(8, 0x280, "gpj2", 0x4c),
 	EXYNOS_PIN_BANK_EINTG(8, 0x2a0, "gpj3", 0x50),
 	EXYNOS_PIN_BANK_EINTG(5, 0x2c0, "gpj4", 0x54),
+	EXYNOS_PIN_BANK_EINTN(7, 0x220, "gpi"),
 	EXYNOS_PIN_BANK_EINTN(8, 0x2e0, "mp01"),
 	EXYNOS_PIN_BANK_EINTN(4, 0x300, "mp02"),
 	EXYNOS_PIN_BANK_EINTN(8, 0x320, "mp03"),
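Review bot: moving `EXYNOS_PIN_BANK_EINTN(7, 0x220, "gpi")` below the gpj banks fixes the order, but the constraint itself stays undocumented in the table. Add a comment above the array saying that all EINTG banks must come first and be contiguous because exynos_eint_gpio_irq translates interrupt group to bank by position, so the next bank added in register-offset order does not reintroduce the NULL pointer dereference described in the commit message.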



* [PATCH 3.16 004/366] bcmgenet: Delete unused variable
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (351 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 232/366] cifs: Fix infinite loop when using hard mount option Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 310/366] netlink: Don't shift on 64 for ngroups Ben Hutchings
                   ` (13 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

I needed to add a "kdev" variable to bcmgenet_desc_rx() when
backporting commit 8c4799ac7996 "net: bcmgenet: Utilize correct struct
device for all DMA operations", but when I later backported commit
d6707bec5986 "net: bcmgenet: rewrite bcmgenet_rx_refill()" it became
unused.  Delete it.

There is no corresponding upstream commit because these commits were
applied in the opposite order and this variable was never introduced.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1344,7 +1344,6 @@ static unsigned int bcmgenet_desc_rx(str
 				     unsigned int budget)
 {
 	struct net_device *dev = priv->dev;
-	struct device *kdev = &priv->pdev->dev;
 	struct enet_cb *cb;
 	struct sk_buff *skb;
 	u32 dma_length_status;



* [PATCH 3.16 010/366] rtl8723be: Fix misleading indentation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 248/366] skbuff: Unconditionally copy pfmemalloc in __skb_clone() Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 195/366] xfrm: free skb if nlsk pointer is NULL Ben Hutchings
                   ` (260 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Fix the compiler warning:

drivers/net/wireless/rtlwifi/rtl8723be/hw.c:1132:2: warning: this 'else' clause does not guard...

by reducing indentation of the following statement.  This was fixed
upstream as part of commit 5c99f04fec93 "rtlwifi: rtl8723be: Update
driver to match Realtek release of 06/28/14".

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/rtlwifi/rtl8723be/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8723be/hw.c
@@ -1132,7 +1132,7 @@ static enum version_8723e _rtl8723be_rea
 	else
 		version = (enum version_8723e) VERSION_TEST_CHIP_1T1R_8723B;
 
-		rtlphy->rf_type = RF_1T1R;
+	rtlphy->rf_type = RF_1T1R;
 
 	value8 = rtl_read_byte(rtlpriv, REG_ROM_VERSION);
 	if (value8 >= 0x02)



* [PATCH 3.16 006/366] fnic: Fix misleading indentation
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (333 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 014/366] fuse: atomic_o_trunc should truncate pagecache Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 215/366] ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS Ben Hutchings
                   ` (31 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Fix the compiler warning:

drivers/scsi/fnic/fnic_fcs.c:104:6: warning: this 'else' clause does not guard...

This was done upstream as part of commit 86001f248e94 "fnic: assign
FIP_ALL_FCF_MACS to fcoe_all_fcfs".

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/fnic/fnic_fcs.c
+++ b/drivers/scsi/fnic/fnic_fcs.c
@@ -101,13 +101,14 @@ void fnic_handle_link(struct work_struct
 				FNIC_FCS_DBG(KERN_DEBUG, fnic->lport->host,
 					     "link up\n");
 				fcoe_ctlr_link_up(&fnic->ctlr);
-			} else
+			} else {
 				/* UP -> UP */
 				spin_unlock_irqrestore(&fnic->fnic_lock, flags);
 				fnic_fc_trace_set_data(
 					fnic->lport->host->host_no, FNIC_FC_LE,
 					"Link Status: UP_UP",
 					strlen("Link Status: UP_UP"));
+			}
 		}
 	} else if (fnic->link_status) {
 		/* DOWN -> UP */
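Review bot: adding braces around the `/* UP -> UP */` branch is not an indentation-only change. Before the patch only `spin_unlock_irqrestore(&fnic->fnic_lock, flags);` belonged to the `else`, and the `fnic_fc_trace_set_data(...)` call with "Link Status: UP_UP" ran after the if/else on both paths; with the braces it runs only on the else path. The commit message should state that behaviour change rather than presenting the patch purely as a compiler-warning fix.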



* [PATCH 3.16 018/366] media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 206/366] ARM: dts: da850: Fix interrups property for gpio Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 054/366] staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy Ben Hutchings
                   ` (182 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit 76d81243a487c09619822ef8e7201a756e58a87d upstream.

As warned by smatch:
	drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
	  Locked on:   line 288
	               line 295
	               line 306
	               line 314
	  Unlocked on: line 303

The lock implementation for get event is wrong, as, if an
interrupt occurs, down_interruptible() will fail, and the
routine will call up() twice when userspace calls the ioctl
again.

The bad code has been there since Linux migrated to git, in
2005.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/dvb-core/dvb_frontend.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -229,8 +229,20 @@ static void dvb_frontend_add_event(struc
 	wake_up_interruptible (&events->wait_queue);
 }
 
+static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv,
+				   struct dvb_fe_events *events)
+{
+	int ret;
+
+	up(&fepriv->sem);
+	ret = events->eventw != events->eventr;
+	down(&fepriv->sem);
+
+	return ret;
+}
+
 static int dvb_frontend_get_event(struct dvb_frontend *fe,
-			    struct dvb_frontend_event *event, int flags)
+			          struct dvb_frontend_event *event, int flags)
 {
 	struct dvb_frontend_private *fepriv = fe->frontend_priv;
 	struct dvb_fe_events *events = &fepriv->events;
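Review bot: dvb_frontend_test_event() is used as the condition of wait_event_interruptible() and calls `down(&fepriv->sem)`, which can sleep after the waiter has already been put into TASK_INTERRUPTIBLE state and which cannot be interrupted by the signal the outer wait is supposed to honour. It also evaluates `events->eventw != events->eventr` between `up()` and `down()`, that is without the semaphore held. Add a comment on the helper stating that it must be entered with fepriv->sem held and why the unlocked comparison is safe, and consider re-taking the semaphore once after the wait returns instead of on every evaluation of the condition.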
@@ -248,13 +260,8 @@ static int dvb_frontend_get_event(struct
 		if (flags & O_NONBLOCK)
 			return -EWOULDBLOCK;
 
-		up(&fepriv->sem);
-
-		ret = wait_event_interruptible (events->wait_queue,
-						events->eventw != events->eventr);
-
-		if (down_interruptible (&fepriv->sem))
-			return -ERESTARTSYS;
+		ret = wait_event_interruptible(events->wait_queue,
+					       dvb_frontend_test_event(fepriv, events));
 
 		if (ret < 0)
 			return ret;



* [PATCH 3.16 015/366] staging:iio:ade7854: Fix error handling on read/write
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 110/366] IB/isert: fix T10-pi check mask setting Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 113/366] PCI: shpchp: Fix AMD POGO identification Ben Hutchings
                   ` (214 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, John Syne, Jonathan Cameron, John Syne

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Syne <rodrigosiqueiramelo@gmail.com>

commit 4297b23d927fa5265378f4a71372ecef3c33023a upstream.

The original code does not correctly handle the error related to I2C
read and write. This patch fixes the error handling related to all
read/write functions for I2C.

Signed-off-by: John Syne <john3909@gmail.com>
Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Fixes: 8d97a5877 ("staging: iio: meter: new driver for ADE7754 devices")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/meter/ade7854-i2c.c | 24 ++++++++++++------------
 drivers/staging/iio/meter/ade7854.c     | 10 +++++-----
 2 files changed, 17 insertions(+), 17 deletions(-)

--- a/drivers/staging/iio/meter/ade7854-i2c.c
+++ b/drivers/staging/iio/meter/ade7854-i2c.c
@@ -31,7 +31,7 @@ static int ade7854_i2c_write_reg_8(struc
 	ret = i2c_master_send(st->i2c, st->tx, 3);
 	mutex_unlock(&st->buf_lock);
 
-	return ret;
+	return ret < 0 ? ret : 0;
 }
 
 static int ade7854_i2c_write_reg_16(struct device *dev,
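Review bot: `return ret < 0 ? ret : 0;` maps every non-negative return of `i2c_master_send(st->i2c, st->tx, 3)` to success, including a transfer shorter than the 3 bytes requested. Compare the return value against the requested length and return -EIO on a mismatch; the same applies to the 4, 5 and 6 byte sends in the write hunks that follow.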
@@ -51,7 +51,7 @@ static int ade7854_i2c_write_reg_16(stru
 	ret = i2c_master_send(st->i2c, st->tx, 4);
 	mutex_unlock(&st->buf_lock);
 
-	return ret;
+	return ret < 0 ? ret : 0;
 }
 
 static int ade7854_i2c_write_reg_24(struct device *dev,
@@ -72,7 +72,7 @@ static int ade7854_i2c_write_reg_24(stru
 	ret = i2c_master_send(st->i2c, st->tx, 5);
 	mutex_unlock(&st->buf_lock);
 
-	return ret;
+	return ret < 0 ? ret : 0;
 }
 
 static int ade7854_i2c_write_reg_32(struct device *dev,
@@ -94,7 +94,7 @@ static int ade7854_i2c_write_reg_32(stru
 	ret = i2c_master_send(st->i2c, st->tx, 6);
 	mutex_unlock(&st->buf_lock);
 
-	return ret;
+	return ret < 0 ? ret : 0;
 }
 
 static int ade7854_i2c_read_reg_8(struct device *dev,
@@ -110,11 +110,11 @@ static int ade7854_i2c_read_reg_8(struct
 	st->tx[1] = reg_address & 0xFF;
 
 	ret = i2c_master_send(st->i2c, st->tx, 2);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	ret = i2c_master_recv(st->i2c, st->rx, 1);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	*val = st->rx[0];
@@ -136,11 +136,11 @@ static int ade7854_i2c_read_reg_16(struc
 	st->tx[1] = reg_address & 0xFF;
 
 	ret = i2c_master_send(st->i2c, st->tx, 2);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	ret = i2c_master_recv(st->i2c, st->rx, 2);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	*val = (st->rx[0] << 8) | st->rx[1];
@@ -162,11 +162,11 @@ static int ade7854_i2c_read_reg_24(struc
 	st->tx[1] = reg_address & 0xFF;
 
 	ret = i2c_master_send(st->i2c, st->tx, 2);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	ret = i2c_master_recv(st->i2c, st->rx, 3);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	*val = (st->rx[0] << 16) | (st->rx[1] << 8) | st->rx[2];
@@ -188,11 +188,11 @@ static int ade7854_i2c_read_reg_32(struc
 	st->tx[1] = reg_address & 0xFF;
 
 	ret = i2c_master_send(st->i2c, st->tx, 2);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	ret = i2c_master_recv(st->i2c, st->rx, 3);
-	if (ret)
+	if (ret < 0)
 		goto out;
 
 	*val = (st->rx[0] << 24) | (st->rx[1] << 16) | (st->rx[2] << 8) | st->rx[3];
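Review bot: in ade7854_i2c_read_reg_32() the unchanged `i2c_master_recv(st->i2c, st->rx, 3)` still asks for 3 bytes while the next line builds `*val` from `st->rx[0]` through `st->rx[3]`, so with the relaxed `ret < 0` test the function now stores a value whose fourth byte was never received. Patch 016 of this series changes the count to 4; the commit message here should say that the two patches must be applied together.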
--- a/drivers/staging/iio/meter/ade7854.c
+++ b/drivers/staging/iio/meter/ade7854.c
@@ -33,7 +33,7 @@ static ssize_t ade7854_read_8bit(struct
 	struct iio_dev_attr *this_attr = to_iio_dev_attr(attr);
 
 	ret = st->read_reg_8(dev, this_attr->address, &val);
-	if (ret)
+	if (ret < 0)
 		return ret;
 
 	return sprintf(buf, "%u\n", val);
@@ -50,7 +50,7 @@ static ssize_t ade7854_read_16bit(struct
 	struct iio_dev_attr *this_attr = to_iio_dev_attr(attr);
 
 	ret = st->read_reg_16(dev, this_attr->address, &val);
-	if (ret)
+	if (ret < 0)
 		return ret;
 
 	return sprintf(buf, "%u\n", val);
@@ -67,7 +67,7 @@ static ssize_t ade7854_read_24bit(struct
 	struct iio_dev_attr *this_attr = to_iio_dev_attr(attr);
 
 	ret = st->read_reg_24(dev, this_attr->address, &val);
-	if (ret)
+	if (ret < 0)
 		return ret;
 
 	return sprintf(buf, "%u\n", val);
@@ -84,7 +84,7 @@ static ssize_t ade7854_read_32bit(struct
 	struct ade7854_state *st = iio_priv(indio_dev);
 
 	ret = st->read_reg_32(dev, this_attr->address, &val);
-	if (ret)
+	if (ret < 0)
 		return ret;
 
 	return sprintf(buf, "%u\n", val);
@@ -416,7 +416,7 @@ static int ade7854_set_irq(struct device
 	u32 irqen;
 
 	ret = st->read_reg_32(dev, ADE7854_MASK0, &irqen);
-	if (ret)
+	if (ret < 0)
 		goto error_ret;
 
 	if (enable)



* [PATCH 3.16 016/366] staging:iio:ade7854: Fix the wrong number of bits to read
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (362 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 111/366] net/packet: refine check for priv area size Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 077/366] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() Ben Hutchings
                   ` (2 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, John Syne, John Syne, Jonathan Cameron

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Syne <rodrigosiqueiramelo@gmail.com>

commit 6cef2ab01636b6021044f349df466a97c408ec27 upstream.

Fixes: correctly handle the data size in the read operation for I2C

The function ade7854_i2c_read_reg_32() has to invoke
i2c_master_recv() to read 32-bit values; however, the counter is set
to 3, which means 24 bits. This patch fixes the wrong size of 24 bits to
32 bits.

Signed-off-by: John Syne <john3909@gmail.com>
Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
Fixes: 8d97a5877 ("staging: iio: meter: new driver for ADE7754 devices")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/meter/ade7854-i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/meter/ade7854-i2c.c
+++ b/drivers/staging/iio/meter/ade7854-i2c.c
@@ -191,7 +191,7 @@ static int ade7854_i2c_read_reg_32(struc
 	if (ret < 0)
 		goto out;
 
-	ret = i2c_master_recv(st->i2c, st->rx, 3);
+	ret = i2c_master_recv(st->i2c, st->rx, 4);
 	if (ret < 0)
 		goto out;
 



* [PATCH 3.16 019/366] media: v4l2-compat-ioctl32: prevent go past max size
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 039/366] clk: qcom: Base rcg parent rate off plan frequency Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 270/366] scsi: qla2xxx: Fix ISP recovery on unload Ben Hutchings
                   ` (241 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.

As warned by smatch:
	drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'

The access_ok() logic should check for too big arrays too.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -848,7 +848,7 @@ static int put_v4l2_ext_controls32(struc
 	    get_user(kcontrols, &kp->controls))
 		return -EFAULT;
 
-	if (!count)
+	if (!count || count > (U32_MAX/sizeof(*ucontrols)))
 		return 0;
 	if (get_user(p, &up->controls))
 		return -EFAULT;
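Review bot: the new upper bound on count is folded into the existing early exit, so an oversized count makes put_v4l2_ext_controls32() return 0 and the caller sees success although no controls were copied back. An out-of-range count should be reported as an error, for example with a separate test that returns -EINVAL, leaving "if (!count) return 0;" for the genuinely empty case. A one-line comment saying that the bound keeps count * sizeof(*ucontrols) within 32 bits for the access_ok() check named in the changelog would also help, since that multiplication is not visible in the hunk.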


* [PATCH 3.16 013/366] arch/x86/kernel/cpu/common.c: fix unused symbol warning
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ingo Molnar, H. Peter Anvin, Linus Torvalds, Thomas Gleixner

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Morton <akpm@linux-foundation.org>

commit e48510f45107613bf14060eeabd658c49a044242 upstream.

x86_64 allnoconfig:

arch/x86/kernel/cpu/common.c:968: warning: 'syscall32_cpu_init' defined but not used

Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/common.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1156,6 +1156,7 @@ static void vgetcpu_set_mode(void)
 		vgetcpu_mode = VGETCPU_LSL;
 }
 
+#ifdef CONFIG_IA32_EMULATION
 /* May not be __init: called during resume */
 static void syscall32_cpu_init(void)
 {
@@ -1167,7 +1168,8 @@ static void syscall32_cpu_init(void)
 
 	wrmsrl(MSR_CSTAR, ia32_cstar_target);
 }
-#endif
+#endif		/* CONFIG_IA32_EMULATION */
+#endif		/* CONFIG_X86_64 */
 
 #ifdef CONFIG_X86_32
 void enable_sep_cpu(void)
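Review bot: the changelog consists only of the compiler warning, and the caller of syscall32_cpu_init() is not part of this diff, so nothing here shows that every call site is already under CONFIG_IA32_EMULATION. Please add a sentence to the changelog naming the guarded caller, so a reader can confirm the new #ifdef cannot turn the warning into an undefined-symbol build failure. The comments added to the two #endif lines are a good addition and make the nesting readable.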


* [PATCH 3.16 012/366] media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Prabhakar Lad, Hans Verkuil

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Prabhakar Lad <prabhakar.csengg@gmail.com>

commit d75cf0144f150272be806b69b4e62553ba07ea1b upstream.

Drop the VPFE_CMD_S_CCDC_RAW_PARAMS ioctl from dm355/dm644x for the following reasons:

- This ioctl was never in public api and was only defined in kernel header.
- The function set_params constantly mixes up pointers and phys_addr_t
  numbers.
- This is part of a 'VPFE_CMD_S_CCDC_RAW_PARAMS' ioctl command that is
  described as an 'experimental ioctl that will change in future kernels'.
- The code to allocate the table never gets called after we copy_from_user
  the user input over the kernel settings, and then compare them
  for inequality.
- We then go on to use an address provided by user space as both the
  __user pointer for input and pass it through phys_to_virt to come up
  with a kernel pointer to copy the data to. This looks like a trivially
  exploitable root hole.

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: deleted code was slightly different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../media/platform/davinci/ccdc_hw_device.h   |  10 --
 drivers/media/platform/davinci/dm355_ccdc.c   |  92 +----------
 drivers/media/platform/davinci/dm644x_ccdc.c  | 151 +-----------------
 drivers/media/platform/davinci/vpfe_capture.c |  75 ---------
 include/media/davinci/dm644x_ccdc.h           |  12 --
 include/media/davinci/vpfe_capture.h          |  10 --
 6 files changed, 4 insertions(+), 346 deletions(-)

--- a/drivers/media/platform/davinci/ccdc_hw_device.h
+++ b/drivers/media/platform/davinci/ccdc_hw_device.h
@@ -46,16 +46,6 @@ struct ccdc_hw_ops {
 	int (*set_hw_if_params) (struct vpfe_hw_if_param *param);
 	/* get interface parameters */
 	int (*get_hw_if_params) (struct vpfe_hw_if_param *param);
-	/*
-	 * Pointer to function to set parameters. Used
-	 * for implementing VPFE_S_CCDC_PARAMS
-	 */
-	int (*set_params) (void *params);
-	/*
-	 * Pointer to function to get parameter. Used
-	 * for implementing VPFE_G_CCDC_PARAMS
-	 */
-	int (*get_params) (void *params);
 	/* Pointer to function to configure ccdc */
 	int (*configure) (void);
 
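Review bot: get_params is removed here together with set_params, but the changelog argues only for dropping the set path of VPFE_CMD_S_CCDC_RAW_PARAMS. Please state that get_params has no remaining implementation or caller. The removed comments also refer to VPFE_S_CCDC_PARAMS and VPFE_G_CCDC_PARAMS, names that do not match the ioctl being dropped, which is worth a word in the changelog.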
--- a/drivers/media/platform/davinci/dm355_ccdc.c
+++ b/drivers/media/platform/davinci/dm355_ccdc.c
@@ -21,12 +21,7 @@
  * This module is for configuring DM355 CCD controller of VPFE to capture
  * Raw yuv or Bayer RGB data from a decoder. CCDC has several modules
  * such as Defect Pixel Correction, Color Space Conversion etc to
- * pre-process the Bayer RGB data, before writing it to SDRAM. This
- * module also allows application to configure individual
- * module parameters through VPFE_CMD_S_CCDC_RAW_PARAMS IOCTL.
- * To do so, application include dm355_ccdc.h and vpfe_capture.h header
- * files. The setparams() API is called by vpfe_capture driver
- * to configure module parameters
+ * pre-process the Bayer RGB data, before writing it to SDRAM.
  *
  * TODO: 1) Raw bayer parameter settings and bayer capture
  * 	 2) Split module parameter structure to module specific ioctl structs
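Review bot: the TODO kept as context just below the trimmed comment still lists "Split module parameter structure to module specific ioctl structs", which has no referent once VPFE_CMD_S_CCDC_RAW_PARAMS and set_params are gone. Either drop item 2 or reword it so the file header does not advertise a user-space parameter path that this patch removes.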
@@ -264,90 +259,6 @@ static void ccdc_setwin(struct v4l2_rect
 	dev_dbg(ccdc_cfg.dev, "\nEnd of ccdc_setwin...");
 }
 
-static int validate_ccdc_param(struct ccdc_config_params_raw *ccdcparam)
-{
-	if (ccdcparam->datasft < CCDC_DATA_NO_SHIFT ||
-	    ccdcparam->datasft > CCDC_DATA_SHIFT_6BIT) {
-		dev_dbg(ccdc_cfg.dev, "Invalid value of data shift\n");
-		return -EINVAL;
-	}
-
-	if (ccdcparam->mfilt1 < CCDC_NO_MEDIAN_FILTER1 ||
-	    ccdcparam->mfilt1 > CCDC_MEDIAN_FILTER1) {
-		dev_dbg(ccdc_cfg.dev, "Invalid value of median filter1\n");
-		return -EINVAL;
-	}
-
-	if (ccdcparam->mfilt2 < CCDC_NO_MEDIAN_FILTER2 ||
-	    ccdcparam->mfilt2 > CCDC_MEDIAN_FILTER2) {
-		dev_dbg(ccdc_cfg.dev, "Invalid value of median filter2\n");
-		return -EINVAL;
-	}
-
-	if ((ccdcparam->med_filt_thres < 0) ||
-	   (ccdcparam->med_filt_thres > CCDC_MED_FILT_THRESH)) {
-		dev_dbg(ccdc_cfg.dev,
-			"Invalid value of median filter threshold\n");
-		return -EINVAL;
-	}
-
-	if (ccdcparam->data_sz < CCDC_DATA_16BITS ||
-	    ccdcparam->data_sz > CCDC_DATA_8BITS) {
-		dev_dbg(ccdc_cfg.dev, "Invalid value of data size\n");
-		return -EINVAL;
-	}
-
-	if (ccdcparam->alaw.enable) {
-		if (ccdcparam->alaw.gamma_wd < CCDC_GAMMA_BITS_13_4 ||
-		    ccdcparam->alaw.gamma_wd > CCDC_GAMMA_BITS_09_0) {
-			dev_dbg(ccdc_cfg.dev, "Invalid value of ALAW\n");
-			return -EINVAL;
-		}
-	}
-
-	if (ccdcparam->blk_clamp.b_clamp_enable) {
-		if (ccdcparam->blk_clamp.sample_pixel < CCDC_SAMPLE_1PIXELS ||
-		    ccdcparam->blk_clamp.sample_pixel > CCDC_SAMPLE_16PIXELS) {
-			dev_dbg(ccdc_cfg.dev,
-				"Invalid value of sample pixel\n");
-			return -EINVAL;
-		}
-		if (ccdcparam->blk_clamp.sample_ln < CCDC_SAMPLE_1LINES ||
-		    ccdcparam->blk_clamp.sample_ln > CCDC_SAMPLE_16LINES) {
-			dev_dbg(ccdc_cfg.dev,
-				"Invalid value of sample lines\n");
-			return -EINVAL;
-		}
-	}
-	return 0;
-}
-
-/* Parameter operations */
-static int ccdc_set_params(void __user *params)
-{
-	struct ccdc_config_params_raw ccdc_raw_params;
-	int x;
-
-	/* only raw module parameters can be set through the IOCTL */
-	if (ccdc_cfg.if_type != VPFE_RAW_BAYER)
-		return -EINVAL;
-
-	x = copy_from_user(&ccdc_raw_params, params, sizeof(ccdc_raw_params));
-	if (x) {
-		dev_dbg(ccdc_cfg.dev, "ccdc_set_params: error in copying ccdc"
-			"params, %d\n", x);
-		return -EFAULT;
-	}
-
-	if (!validate_ccdc_param(&ccdc_raw_params)) {
-		memcpy(&ccdc_cfg.bayer.config_params,
-			&ccdc_raw_params,
-			sizeof(ccdc_raw_params));
-		return 0;
-	}
-	return -EINVAL;
-}
-
 /* This function will configure CCDC for YCbCr video capture */
 static void ccdc_config_ycbcr(void)
 {
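Review bot: the dm355 ccdc_set_params() removed in this hunk only does a fixed-size copy_from_user() into a stack struct, range-checks it in validate_ccdc_param() and then memcpy()s it into ccdc_cfg, so the phys_to_virt problem described in the changelog is not present in this file. The changelog should say that the dm355 side is removed because the ioctl itself is going away, not because this code shares the dm644x pointer confusion, so that nobody reading the stable log misjudges the exposure on dm355.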
@@ -943,7 +854,6 @@ static struct ccdc_hw_device ccdc_hw_dev
 		.enable = ccdc_enable,
 		.enable_out_to_sdram = ccdc_enable_output_to_sdram,
 		.set_hw_if_params = ccdc_set_hw_if_params,
-		.set_params = ccdc_set_params,
 		.configure = ccdc_configure,
 		.set_buftype = ccdc_set_buftype,
 		.get_buftype = ccdc_get_buftype,
--- a/drivers/media/platform/davinci/dm644x_ccdc.c
+++ b/drivers/media/platform/davinci/dm644x_ccdc.c
@@ -21,13 +21,9 @@
  * This module is for configuring CCD controller of DM6446 VPFE to capture
  * Raw yuv or Bayer RGB data from a decoder. CCDC has several modules
  * such as Defect Pixel Correction, Color Space Conversion etc to
- * pre-process the Raw Bayer RGB data, before writing it to SDRAM. This
- * module also allows application to configure individual
- * module parameters through VPFE_CMD_S_CCDC_RAW_PARAMS IOCTL.
- * To do so, application includes dm644x_ccdc.h and vpfe_capture.h header
- * files.  The setparams() API is called by vpfe_capture driver
- * to configure module parameters. This file is named DM644x so that other
- * variants such DM6443 may be supported using the same module.
+ * pre-process the Raw Bayer RGB data, before writing it to SDRAM.
+ * This file is named DM644x so that other variants such DM6443
+ * may be supported using the same module.
  *
  * TODO: Test Raw bayer parameter settings and bayer capture
  * 	 Split module parameter structure to module specific ioctl structs
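Review bot: the re-wrapped sentence on the added lines still reads "other variants such DM6443"; since the line is being rewritten anyway, make it "such as DM6443". The TODO kept as context below it has the same stale "module specific ioctl structs" item as the dm355_ccdc.c header and should be dropped or reworded in the same way.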
@@ -220,96 +216,8 @@ static void ccdc_readregs(void)
 	dev_notice(ccdc_cfg.dev, "\nReading 0x%x to VERT_LINES...\n", val);
 }
 
-static int validate_ccdc_param(struct ccdc_config_params_raw *ccdcparam)
-{
-	if (ccdcparam->alaw.enable) {
-		u8 max_gamma = ccdc_gamma_width_max_bit(ccdcparam->alaw.gamma_wd);
-		u8 max_data = ccdc_data_size_max_bit(ccdcparam->data_sz);
-
-		if ((ccdcparam->alaw.gamma_wd > CCDC_GAMMA_BITS_09_0) ||
-		    (ccdcparam->alaw.gamma_wd < CCDC_GAMMA_BITS_15_6) ||
-		    (max_gamma > max_data)) {
-			dev_dbg(ccdc_cfg.dev, "\nInvalid data line select");
-			return -1;
-		}
-	}
-	return 0;
-}
-
-static int ccdc_update_raw_params(struct ccdc_config_params_raw *raw_params)
-{
-	struct ccdc_config_params_raw *config_params =
-				&ccdc_cfg.bayer.config_params;
-	unsigned int *fpc_virtaddr = NULL;
-	unsigned int *fpc_physaddr = NULL;
-
-	memcpy(config_params, raw_params, sizeof(*raw_params));
-	/*
-	 * allocate memory for fault pixel table and copy the user
-	 * values to the table
-	 */
-	if (!config_params->fault_pxl.enable)
-		return 0;
-
-	fpc_physaddr = (unsigned int *)config_params->fault_pxl.fpc_table_addr;
-	fpc_virtaddr = (unsigned int *)phys_to_virt(
-				(unsigned long)fpc_physaddr);
-	/*
-	 * Allocate memory for FPC table if current
-	 * FPC table buffer is not big enough to
-	 * accommodate FPC Number requested
-	 */
-	if (raw_params->fault_pxl.fp_num != config_params->fault_pxl.fp_num) {
-		if (fpc_physaddr != NULL) {
-			free_pages((unsigned long)fpc_physaddr,
-				   get_order
-				   (config_params->fault_pxl.fp_num *
-				   FP_NUM_BYTES));
-		}
-
-		/* Allocate memory for FPC table */
-		fpc_virtaddr =
-			(unsigned int *)__get_free_pages(GFP_KERNEL | GFP_DMA,
-							 get_order(raw_params->
-							 fault_pxl.fp_num *
-							 FP_NUM_BYTES));
-
-		if (fpc_virtaddr == NULL) {
-			dev_dbg(ccdc_cfg.dev,
-				"\nUnable to allocate memory for FPC");
-			return -EFAULT;
-		}
-		fpc_physaddr =
-		    (unsigned int *)virt_to_phys((void *)fpc_virtaddr);
-	}
-
-	/* Copy number of fault pixels and FPC table */
-	config_params->fault_pxl.fp_num = raw_params->fault_pxl.fp_num;
-	if (copy_from_user(fpc_virtaddr,
-			(void __user *)raw_params->fault_pxl.fpc_table_addr,
-			config_params->fault_pxl.fp_num * FP_NUM_BYTES)) {
-		dev_dbg(ccdc_cfg.dev, "\n copy_from_user failed");
-		return -EFAULT;
-	}
-	config_params->fault_pxl.fpc_table_addr = (unsigned int)fpc_physaddr;
-	return 0;
-}
-
 static int ccdc_close(struct device *dev)
 {
-	struct ccdc_config_params_raw *config_params =
-				&ccdc_cfg.bayer.config_params;
-	unsigned int *fpc_physaddr = NULL, *fpc_virtaddr = NULL;
-
-	fpc_physaddr = (unsigned int *)config_params->fault_pxl.fpc_table_addr;
-
-	if (fpc_physaddr != NULL) {
-		fpc_virtaddr = (unsigned int *)
-		    phys_to_virt((unsigned long)fpc_physaddr);
-		free_pages((unsigned long)fpc_virtaddr,
-			   get_order(config_params->fault_pxl.fp_num *
-			   FP_NUM_BYTES));
-	}
 	return 0;
 }
 
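Review bot: after this hunk ccdc_close() is reduced to a bare "return 0;" that ignores its dev argument; either add a short comment saying it is kept only to satisfy the hw_ops interface or remove the callback if the interface allows it. For the record, the removed ccdc_update_raw_params() is where the changelog's last two bullets apply: config_params is overwritten by memcpy() from raw_params before the fp_num comparison, so the allocation branch cannot be taken, and fpc_table_addr from the user-supplied struct is then passed through phys_to_virt() and used as the copy_from_user() destination. Deleting it outright is the right fix.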
@@ -343,29 +251,6 @@ static void ccdc_sbl_reset(void)
 	vpss_clear_wbl_overflow(VPSS_PCR_CCDC_WBL_O);
 }
 
-/* Parameter operations */
-static int ccdc_set_params(void __user *params)
-{
-	struct ccdc_config_params_raw ccdc_raw_params;
-	int x;
-
-	if (ccdc_cfg.if_type != VPFE_RAW_BAYER)
-		return -EINVAL;
-
-	x = copy_from_user(&ccdc_raw_params, params, sizeof(ccdc_raw_params));
-	if (x) {
-		dev_dbg(ccdc_cfg.dev, "ccdc_set_params: error in copying"
-			   "ccdc params, %d\n", x);
-		return -EFAULT;
-	}
-
-	if (!validate_ccdc_param(&ccdc_raw_params)) {
-		if (!ccdc_update_raw_params(&ccdc_raw_params))
-			return 0;
-	}
-	return -EINVAL;
-}
-
 /*
  * ccdc_config_ycbcr()
  * This function will configure CCDC for YCbCr video capture
@@ -493,32 +378,6 @@ static void ccdc_config_black_compense(s
 	regw(val, CCDC_BLKCMP);
 }
 
-static void ccdc_config_fpc(struct ccdc_fault_pixel *fpc)
-{
-	u32 val;
-
-	/* Initially disable FPC */
-	val = CCDC_FPC_DISABLE;
-	regw(val, CCDC_FPC);
-
-	if (!fpc->enable)
-		return;
-
-	/* Configure Fault pixel if needed */
-	regw(fpc->fpc_table_addr, CCDC_FPC_ADDR);
-	dev_dbg(ccdc_cfg.dev, "\nWriting 0x%x to FPC_ADDR...\n",
-		       (fpc->fpc_table_addr));
-	/* Write the FPC params with FPC disable */
-	val = fpc->fp_num & CCDC_FPC_FPC_NUM_MASK;
-	regw(val, CCDC_FPC);
-
-	dev_dbg(ccdc_cfg.dev, "\nWriting 0x%x to FPC...\n", val);
-	/* read the FPC register */
-	val = regr(CCDC_FPC) | CCDC_FPC_ENABLE;
-	regw(val, CCDC_FPC);
-	dev_dbg(ccdc_cfg.dev, "\nWriting 0x%x to FPC...\n", val);
-}
-
 /*
  * ccdc_config_raw()
  * This function will configure CCDC for Raw capture mode
@@ -573,9 +432,6 @@ void ccdc_config_raw(void)
 	/* Configure Black level compensation */
 	ccdc_config_black_compense(&config_params->blk_comp);
 
-	/* Configure Fault Pixel Correction */
-	ccdc_config_fpc(&config_params->fault_pxl);
-
 	/* If data size is 8 bit then pack the data */
 	if ((config_params->data_sz == CCDC_DATA_8BITS) ||
 	     config_params->alaw.enable)
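Review bot: dropping the ccdc_config_fpc() call here also drops the only write of CCDC_FPC_DISABLE to the CCDC_FPC register that appears in this patch, because the removed function began by disabling FPC unconditionally before looking at fpc->enable. If the register can be left enabled by a boot loader or an earlier driver instance, ccdc_config_raw() should keep an explicit write of CCDC_FPC_DISABLE to CCDC_FPC so the hardware never fetches a fault-pixel table from a stale address.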
@@ -938,7 +794,6 @@ static struct ccdc_hw_device ccdc_hw_dev
 		.reset = ccdc_sbl_reset,
 		.enable = ccdc_enable,
 		.set_hw_if_params = ccdc_set_hw_if_params,
-		.set_params = ccdc_set_params,
 		.configure = ccdc_configure,
 		.set_buftype = ccdc_set_buftype,
 		.get_buftype = ccdc_get_buftype,
--- a/drivers/media/platform/davinci/vpfe_capture.c
+++ b/drivers/media/platform/davinci/vpfe_capture.c
@@ -286,45 +286,6 @@ void vpfe_unregister_ccdc_device(struct
 EXPORT_SYMBOL(vpfe_unregister_ccdc_device);
 
 /*
- * vpfe_get_ccdc_image_format - Get image parameters based on CCDC settings
- */
-static int vpfe_get_ccdc_image_format(struct vpfe_device *vpfe_dev,
-				 struct v4l2_format *f)
-{
-	struct v4l2_rect image_win;
-	enum ccdc_buftype buf_type;
-	enum ccdc_frmfmt frm_fmt;
-
-	memset(f, 0, sizeof(*f));
-	f->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
-	ccdc_dev->hw_ops.get_image_window(&image_win);
-	f->fmt.pix.width = image_win.width;
-	f->fmt.pix.height = image_win.height;
-	f->fmt.pix.bytesperline = ccdc_dev->hw_ops.get_line_length();
-	f->fmt.pix.sizeimage = f->fmt.pix.bytesperline *
-				f->fmt.pix.height;
-	buf_type = ccdc_dev->hw_ops.get_buftype();
-	f->fmt.pix.pixelformat = ccdc_dev->hw_ops.get_pixel_format();
-	frm_fmt = ccdc_dev->hw_ops.get_frame_format();
-	if (frm_fmt == CCDC_FRMFMT_PROGRESSIVE)
-		f->fmt.pix.field = V4L2_FIELD_NONE;
-	else if (frm_fmt == CCDC_FRMFMT_INTERLACED) {
-		if (buf_type == CCDC_BUFTYPE_FLD_INTERLEAVED)
-			f->fmt.pix.field = V4L2_FIELD_INTERLACED;
-		else if (buf_type == CCDC_BUFTYPE_FLD_SEPARATED)
-			f->fmt.pix.field = V4L2_FIELD_SEQ_TB;
-		else {
-			v4l2_err(&vpfe_dev->v4l2_dev, "Invalid buf_type\n");
-			return -EINVAL;
-		}
-	} else {
-		v4l2_err(&vpfe_dev->v4l2_dev, "Invalid frm_fmt\n");
-		return -EINVAL;
-	}
-	return 0;
-}
-
-/*
  * vpfe_config_ccdc_image_format()
  * For a pix format, configure ccdc to setup the capture
  */
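Review bot: vpfe_get_ccdc_image_format() is deleted in this hunk, but it has no visible connection to VPFE_CMD_S_CCDC_RAW_PARAMS and the changelog does not mention it. If it is removed because its only caller disappears with this patch, say so in the changelog or in the "[bwh: Backported to 3.16 ...]" line; otherwise it belongs in a separate cleanup so the security-relevant removal stays easy to audit.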
@@ -1686,41 +1647,6 @@ unlock_out:
 	return ret;
 }
 
-
-static long vpfe_param_handler(struct file *file, void *priv,
-		bool valid_prio, unsigned int cmd, void *param)
-{
-	struct vpfe_device *vpfe_dev = video_drvdata(file);
-	int ret = 0;
-
-	v4l2_dbg(2, debug, &vpfe_dev->v4l2_dev, "vpfe_param_handler\n");
-
-	if (vpfe_dev->started) {
-		/* only allowed if streaming is not started */
-		v4l2_dbg(1, debug, &vpfe_dev->v4l2_dev,
-			"device already started\n");
-		return -EBUSY;
-	}
-
-	ret = mutex_lock_interruptible(&vpfe_dev->lock);
-	if (ret)
-		return ret;
-
-	switch (cmd) {
-	case VPFE_CMD_S_CCDC_RAW_PARAMS:
-		ret = -EINVAL;
-		v4l2_warn(&vpfe_dev->v4l2_dev,
-			"VPFE_CMD_S_CCDC_RAW_PARAMS not supported\n");
-		break;
-	default:
-		ret = -ENOTTY;
-	}
-unlock_out:
-	mutex_unlock(&vpfe_dev->lock);
-	return ret;
-}
-
-
 /* vpfe capture ioctl operations */
 static const struct v4l2_ioctl_ops vpfe_ioctl_ops = {
 	.vidioc_querycap	 = vpfe_querycap,
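Review bot: the vpfe_param_handler() removed here already answers VPFE_CMD_S_CCDC_RAW_PARAMS with -EINVAL and a "not supported" warning, so in this tree the handler never reaches set_params and the removal is dead-code cleanup rather than the closing of a reachable hole. The backport note only says the deleted code was "slightly different"; it would help stable users to state explicitly that the ioctl was already rejected in 3.16. The removed function also carries an unlock_out label that no goto in the visible body uses.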
@@ -1743,7 +1669,6 @@ static const struct v4l2_ioctl_ops vpfe_
 	.vidioc_cropcap		 = vpfe_cropcap,
 	.vidioc_g_crop		 = vpfe_g_crop,
 	.vidioc_s_crop		 = vpfe_s_crop,
-	.vidioc_default		 = vpfe_param_handler,
 };
 
 static struct vpfe_device *vpfe_initialize(void)
--- a/include/media/davinci/dm644x_ccdc.h
+++ b/include/media/davinci/dm644x_ccdc.h
@@ -107,16 +107,6 @@ struct ccdc_black_compensation {
 	char gb;
 };
 
-/* structure for fault pixel correction */
-struct ccdc_fault_pixel {
-	/* Enable or Disable fault pixel correction */
-	unsigned char enable;
-	/* Number of fault pixel */
-	unsigned short fp_num;
-	/* Address of fault pixel table */
-	unsigned int fpc_table_addr;
-};
-
 /* Structure for CCDC configuration parameters for raw capture mode passed
  * by application
  */
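Review bot: the comment kept as context at the end of this hunk still describes ccdc_config_params_raw as "passed by application", which stops being true once the ioctl that accepted it is removed. Please update the comment to say the structure now holds driver-internal defaults, so a later reader does not assume a user-space ABI and reintroduce a copy_from_user() path for it.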
@@ -129,8 +119,6 @@ struct ccdc_config_params_raw {
 	struct ccdc_black_clamp blk_clamp;
 	/* Structure for Black Compensation */
 	struct ccdc_black_compensation blk_comp;
-	/* Structure for Fault Pixel Module Configuration */
-	struct ccdc_fault_pixel fault_pxl;
 };
 
 
--- a/include/media/davinci/vpfe_capture.h
+++ b/include/media/davinci/vpfe_capture.h
@@ -187,14 +187,4 @@ struct vpfe_config_params {
 };
 
 #endif				/* End of __KERNEL__ */
-/**
- * VPFE_CMD_S_CCDC_RAW_PARAMS - EXPERIMENTAL IOCTL to set raw capture params
- * This can be used to configure modules such as defect pixel correction,
- * color space conversion, culling etc. This is an experimental ioctl that
- * will change in future kernels. So use this ioctl with care !
- * TODO: This is to be split into multiple ioctls and also explore the
- * possibility of extending the v4l2 api to include this
- **/
-#define VPFE_CMD_S_CCDC_RAW_PARAMS _IOW('V', BASE_VIDIOC_PRIVATE + 1, \
-					void *)
 #endif				/* _DAVINCI_VPFE_H */


* [PATCH 3.16 007/366] [media] drxk_hard: fix bad alignments
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <m.chehab@samsung.com>

commit 89fffac802c18caebdf4e91c0785b522c9f6399a upstream.

drivers/media/dvb-frontends/drxk_hard.c:2224:3-22: code aligned with following code on line 2227

Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/dvb-frontends/drxk_hard.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/dvb-frontends/drxk_hard.c
+++ b/drivers/media/dvb-frontends/drxk_hard.c
@@ -2220,12 +2220,13 @@ static int set_agc_rf(struct drxk_state
 		}
 
 		/* Set TOP, only if IF-AGC is in AUTO mode */
-		if (p_if_agc_settings->ctrl_mode == DRXK_AGC_CTRL_AUTO)
+		if (p_if_agc_settings->ctrl_mode == DRXK_AGC_CTRL_AUTO) {
 			status = write16(state,
 					 SCU_RAM_AGC_IF_IACCU_HI_TGT_MAX__A,
 					 p_agc_cfg->top);
 			if (status < 0)
 				goto error;
+		}
 
 		/* Cut-Off current */
 		status = write16(state, SCU_RAM_AGC_RF_IACCU_HI_CO__A,
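Review bot: adding the braces changes control flow, not just indentation: before this hunk the "if (status < 0) goto error;" test ran on every pass, including when ctrl_mode was not DRXK_AGC_CTRL_AUTO, and now it runs only after the write16() inside the block. That is the behaviour the indentation implied, but the changelog quotes only the alignment warning; it should state that the status check is intentionally being moved under the condition.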


* [PATCH 3.16 008/366] [media] drxd_hard: fix bad alignments
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <m.chehab@samsung.com>

commit cea130021448763b15f4b16af184bbab4be118fb upstream.

As reported by coccinelle:

drivers/media/dvb-frontends/drxd_hard.c:2632:3-51: code aligned with following code on line 2633

Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/dvb-frontends/drxd_hard.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/dvb-frontends/drxd_hard.c
+++ b/drivers/media/dvb-frontends/drxd_hard.c
@@ -2628,10 +2628,11 @@ static int DRXD_init(struct drxd_state *
 			break;
 
 		/* Apply I2c address patch to B1 */
-		if (!state->type_A && state->m_HiI2cPatch != NULL)
+		if (!state->type_A && state->m_HiI2cPatch != NULL) {
 			status = WriteTable(state, state->m_HiI2cPatch);
 			if (status < 0)
 				break;
+		}
 
 		if (state->type_A) {
 			/* HI firmware patch for UIO readout,
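Review bot: the added braces make the "if (status < 0) break;" test conditional on !state->type_A && state->m_HiI2cPatch != NULL, where previously it ran unconditionally on whatever value status held from earlier code. Please say in the changelog that this is a deliberate control-flow fix, and confirm that no earlier failure relied on this break to leave the enclosing block.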


* [PATCH 3.16 011/366] Revert "mtd: nand: omap2: Fix subpage write"
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

This reverts commit e7e13fa736726e9860a86e5e1ae19ce162e11b71, which
was commit 739c64414f01748a36e7d82c8e0611dea94412bd upstream.  It
doesn't appear to fix a real bug in 3.16, and it results in build
breakage and/or compiler warnings depending on the kernel
configuration.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/nand/omap2.c | 340 +++++++++++++--------------------------
 1 file changed, 115 insertions(+), 225 deletions(-)

--- a/drivers/mtd/nand/omap2.c
+++ b/drivers/mtd/nand/omap2.c
@@ -1163,174 +1163,130 @@ static u8  bch8_polynomial[] = {0xef, 0x
 				0x97, 0x79, 0xe5, 0x24, 0xb5};
 
 /**
- * _omap_calculate_ecc_bch - Generate ECC bytes for one sector
+ * omap_calculate_ecc_bch - Generate bytes of ECC bytes
  * @mtd:	MTD device structure
  * @dat:	The pointer to data on which ecc is computed
  * @ecc_code:	The ecc_code buffer
- * @i:		The sector number (for a multi sector page)
  *
- * Support calculating of BCH4/8/16 ECC vectors for one sector
- * within a page. Sector number is in @i.
+ * Support calculating of BCH4/8 ecc vectors for the page
  */
-static int _omap_calculate_ecc_bch(struct mtd_info *mtd,
-				   const u_char *dat, u_char *ecc_calc, int i)
+static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd,
+					const u_char *dat, u_char *ecc_calc)
 {
 	struct omap_nand_info *info = container_of(mtd, struct omap_nand_info,
 						   mtd);
 	int eccbytes	= info->nand.ecc.bytes;
 	struct gpmc_nand_regs	*gpmc_regs = &info->reg;
 	u8 *ecc_code;
-	unsigned long bch_val1, bch_val2, bch_val3, bch_val4;
+	unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4;
 	u32 val;
-	int j;
-
-	ecc_code = ecc_calc;
-	switch (info->ecc_opt) {
-	case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
-	case OMAP_ECC_BCH8_CODE_HW:
-		bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
-		bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
-		bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
-		bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
-		*ecc_code++ = (bch_val4 & 0xFF);
-		*ecc_code++ = ((bch_val3 >> 24) & 0xFF);
-		*ecc_code++ = ((bch_val3 >> 16) & 0xFF);
-		*ecc_code++ = ((bch_val3 >> 8) & 0xFF);
-		*ecc_code++ = (bch_val3 & 0xFF);
-		*ecc_code++ = ((bch_val2 >> 24) & 0xFF);
-		*ecc_code++ = ((bch_val2 >> 16) & 0xFF);
-		*ecc_code++ = ((bch_val2 >> 8) & 0xFF);
-		*ecc_code++ = (bch_val2 & 0xFF);
-		*ecc_code++ = ((bch_val1 >> 24) & 0xFF);
-		*ecc_code++ = ((bch_val1 >> 16) & 0xFF);
-		*ecc_code++ = ((bch_val1 >> 8) & 0xFF);
-		*ecc_code++ = (bch_val1 & 0xFF);
-		break;
-	case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
-	case OMAP_ECC_BCH4_CODE_HW:
-		bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
-		bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
-		*ecc_code++ = ((bch_val2 >> 12) & 0xFF);
-		*ecc_code++ = ((bch_val2 >> 4) & 0xFF);
-		*ecc_code++ = ((bch_val2 & 0xF) << 4) |
-			((bch_val1 >> 28) & 0xF);
-		*ecc_code++ = ((bch_val1 >> 20) & 0xFF);
-		*ecc_code++ = ((bch_val1 >> 12) & 0xFF);
-		*ecc_code++ = ((bch_val1 >> 4) & 0xFF);
-		*ecc_code++ = ((bch_val1 & 0xF) << 4);
-		break;
-	case OMAP_ECC_BCH16_CODE_HW:
-		val = readl(gpmc_regs->gpmc_bch_result6[i]);
-		ecc_code[0]  = ((val >>  8) & 0xFF);
-		ecc_code[1]  = ((val >>  0) & 0xFF);
-		val = readl(gpmc_regs->gpmc_bch_result5[i]);
-		ecc_code[2]  = ((val >> 24) & 0xFF);
-		ecc_code[3]  = ((val >> 16) & 0xFF);
-		ecc_code[4]  = ((val >>  8) & 0xFF);
-		ecc_code[5]  = ((val >>  0) & 0xFF);
-		val = readl(gpmc_regs->gpmc_bch_result4[i]);
-		ecc_code[6]  = ((val >> 24) & 0xFF);
-		ecc_code[7]  = ((val >> 16) & 0xFF);
-		ecc_code[8]  = ((val >>  8) & 0xFF);
-		ecc_code[9]  = ((val >>  0) & 0xFF);
-		val = readl(gpmc_regs->gpmc_bch_result3[i]);
-		ecc_code[10] = ((val >> 24) & 0xFF);
-		ecc_code[11] = ((val >> 16) & 0xFF);
-		ecc_code[12] = ((val >>  8) & 0xFF);
-		ecc_code[13] = ((val >>  0) & 0xFF);
-		val = readl(gpmc_regs->gpmc_bch_result2[i]);
-		ecc_code[14] = ((val >> 24) & 0xFF);
-		ecc_code[15] = ((val >> 16) & 0xFF);
-		ecc_code[16] = ((val >>  8) & 0xFF);
-		ecc_code[17] = ((val >>  0) & 0xFF);
-		val = readl(gpmc_regs->gpmc_bch_result1[i]);
-		ecc_code[18] = ((val >> 24) & 0xFF);
-		ecc_code[19] = ((val >> 16) & 0xFF);
-		ecc_code[20] = ((val >>  8) & 0xFF);
-		ecc_code[21] = ((val >>  0) & 0xFF);
-		val = readl(gpmc_regs->gpmc_bch_result0[i]);
-		ecc_code[22] = ((val >> 24) & 0xFF);
-		ecc_code[23] = ((val >> 16) & 0xFF);
-		ecc_code[24] = ((val >>  8) & 0xFF);
-		ecc_code[25] = ((val >>  0) & 0xFF);
-		break;
-	default:
-		return -EINVAL;
-	}
-
-	/* ECC scheme specific syndrome customizations */
-	switch (info->ecc_opt) {
-	case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
-		/* Add constant polynomial to remainder, so that
-		 * ECC of blank pages results in 0x0 on reading back
-		 */
-		for (j = 0; j < eccbytes; j++)
-			ecc_calc[j] ^= bch4_polynomial[j];
-		break;
-	case OMAP_ECC_BCH4_CODE_HW:
-		/* Set  8th ECC byte as 0x0 for ROM compatibility */
-		ecc_calc[eccbytes - 1] = 0x0;
-		break;
-	case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
-		/* Add constant polynomial to remainder, so that
-		 * ECC of blank pages results in 0x0 on reading back
-		 */
-		for (j = 0; j < eccbytes; j++)
-			ecc_calc[j] ^= bch8_polynomial[j];
-		break;
-	case OMAP_ECC_BCH8_CODE_HW:
-		/* Set 14th ECC byte as 0x0 for ROM compatibility */
-		ecc_calc[eccbytes - 1] = 0x0;
-		break;
-	case OMAP_ECC_BCH16_CODE_HW:
-		break;
-	default:
-		return -EINVAL;
-	}
-
-	return 0;
-}
-
-/**
- * omap_calculate_ecc_bch_sw - ECC generator for sector for SW based correction
- * @mtd:	MTD device structure
- * @dat:	The pointer to data on which ecc is computed
- * @ecc_code:	The ecc_code buffer
- *
- * Support calculating of BCH4/8/16 ECC vectors for one sector. This is used
- * when SW based correction is required as ECC is required for one sector
- * at a time.
- */
-static int omap_calculate_ecc_bch_sw(struct mtd_info *mtd,
-				     const u_char *dat, u_char *ecc_calc)
-{
-	return _omap_calculate_ecc_bch(mtd, dat, ecc_calc, 0);
-}
-
-/**
- * omap_calculate_ecc_bch_multi - Generate ECC for multiple sectors
- * @mtd:	MTD device structure
- * @dat:	The pointer to data on which ecc is computed
- * @ecc_code:	The ecc_code buffer
- *
- * Support calculating of BCH4/8/16 ecc vectors for the entire page in one go.
- */
-static int omap_calculate_ecc_bch_multi(struct mtd_info *mtd,
-					const u_char *dat, u_char *ecc_calc)
-{
-	struct omap_nand_info *info = container_of(mtd, struct omap_nand_info,
-						   mtd);
-	int eccbytes = info->nand.ecc.bytes;
-	unsigned long nsectors;
-	int i, ret;
+	int i, j;
 
 	nsectors = ((readl(info->reg.gpmc_ecc_config) >> 4) & 0x7) + 1;
 	for (i = 0; i < nsectors; i++) {
-		ret = _omap_calculate_ecc_bch(mtd, dat, ecc_calc, i);
-		if (ret)
-			return ret;
+		ecc_code = ecc_calc;
+		switch (info->ecc_opt) {
+		case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+		case OMAP_ECC_BCH8_CODE_HW:
+			bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+			bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+			bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
+			bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
+			*ecc_code++ = (bch_val4 & 0xFF);
+			*ecc_code++ = ((bch_val3 >> 24) & 0xFF);
+			*ecc_code++ = ((bch_val3 >> 16) & 0xFF);
+			*ecc_code++ = ((bch_val3 >> 8) & 0xFF);
+			*ecc_code++ = (bch_val3 & 0xFF);
+			*ecc_code++ = ((bch_val2 >> 24) & 0xFF);
+			*ecc_code++ = ((bch_val2 >> 16) & 0xFF);
+			*ecc_code++ = ((bch_val2 >> 8) & 0xFF);
+			*ecc_code++ = (bch_val2 & 0xFF);
+			*ecc_code++ = ((bch_val1 >> 24) & 0xFF);
+			*ecc_code++ = ((bch_val1 >> 16) & 0xFF);
+			*ecc_code++ = ((bch_val1 >> 8) & 0xFF);
+			*ecc_code++ = (bch_val1 & 0xFF);
+			break;
+		case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+		case OMAP_ECC_BCH4_CODE_HW:
+			bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+			bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+			*ecc_code++ = ((bch_val2 >> 12) & 0xFF);
+			*ecc_code++ = ((bch_val2 >> 4) & 0xFF);
+			*ecc_code++ = ((bch_val2 & 0xF) << 4) |
+				((bch_val1 >> 28) & 0xF);
+			*ecc_code++ = ((bch_val1 >> 20) & 0xFF);
+			*ecc_code++ = ((bch_val1 >> 12) & 0xFF);
+			*ecc_code++ = ((bch_val1 >> 4) & 0xFF);
+			*ecc_code++ = ((bch_val1 & 0xF) << 4);
+			break;
+		case OMAP_ECC_BCH16_CODE_HW:
+			val = readl(gpmc_regs->gpmc_bch_result6[i]);
+			ecc_code[0]  = ((val >>  8) & 0xFF);
+			ecc_code[1]  = ((val >>  0) & 0xFF);
+			val = readl(gpmc_regs->gpmc_bch_result5[i]);
+			ecc_code[2]  = ((val >> 24) & 0xFF);
+			ecc_code[3]  = ((val >> 16) & 0xFF);
+			ecc_code[4]  = ((val >>  8) & 0xFF);
+			ecc_code[5]  = ((val >>  0) & 0xFF);
+			val = readl(gpmc_regs->gpmc_bch_result4[i]);
+			ecc_code[6]  = ((val >> 24) & 0xFF);
+			ecc_code[7]  = ((val >> 16) & 0xFF);
+			ecc_code[8]  = ((val >>  8) & 0xFF);
+			ecc_code[9]  = ((val >>  0) & 0xFF);
+			val = readl(gpmc_regs->gpmc_bch_result3[i]);
+			ecc_code[10] = ((val >> 24) & 0xFF);
+			ecc_code[11] = ((val >> 16) & 0xFF);
+			ecc_code[12] = ((val >>  8) & 0xFF);
+			ecc_code[13] = ((val >>  0) & 0xFF);
+			val = readl(gpmc_regs->gpmc_bch_result2[i]);
+			ecc_code[14] = ((val >> 24) & 0xFF);
+			ecc_code[15] = ((val >> 16) & 0xFF);
+			ecc_code[16] = ((val >>  8) & 0xFF);
+			ecc_code[17] = ((val >>  0) & 0xFF);
+			val = readl(gpmc_regs->gpmc_bch_result1[i]);
+			ecc_code[18] = ((val >> 24) & 0xFF);
+			ecc_code[19] = ((val >> 16) & 0xFF);
+			ecc_code[20] = ((val >>  8) & 0xFF);
+			ecc_code[21] = ((val >>  0) & 0xFF);
+			val = readl(gpmc_regs->gpmc_bch_result0[i]);
+			ecc_code[22] = ((val >> 24) & 0xFF);
+			ecc_code[23] = ((val >> 16) & 0xFF);
+			ecc_code[24] = ((val >>  8) & 0xFF);
+			ecc_code[25] = ((val >>  0) & 0xFF);
+			break;
+		default:
+			return -EINVAL;
+		}
+
+		/* ECC scheme specific syndrome customizations */
+		switch (info->ecc_opt) {
+		case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+			/* Add constant polynomial to remainder, so that
+			 * ECC of blank pages results in 0x0 on reading back */
+			for (j = 0; j < eccbytes; j++)
+				ecc_calc[j] ^= bch4_polynomial[j];
+			break;
+		case OMAP_ECC_BCH4_CODE_HW:
+			/* Set  8th ECC byte as 0x0 for ROM compatibility */
+			ecc_calc[eccbytes - 1] = 0x0;
+			break;
+		case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+			/* Add constant polynomial to remainder, so that
+			 * ECC of blank pages results in 0x0 on reading back */
+			for (j = 0; j < eccbytes; j++)
+				ecc_calc[j] ^= bch8_polynomial[j];
+			break;
+		case OMAP_ECC_BCH8_CODE_HW:
+			/* Set 14th ECC byte as 0x0 for ROM compatibility */
+			ecc_calc[eccbytes - 1] = 0x0;
+			break;
+		case OMAP_ECC_BCH16_CODE_HW:
+			break;
+		default:
+			return -EINVAL;
+		}
 
-		ecc_calc += eccbytes;
+	ecc_calc += eccbytes;
 	}
 
 	return 0;
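Review bot: In the restored loop body, "ecc_calc += eccbytes;" sits one tab to the left of everything else inside "for (i = 0; i < nsectors; i++)", so it reads as if it ran once after the loop; re-indent it to match the body. The second "switch (info->ecc_opt)" also repeats "default: return -EINVAL;", which cannot be reached because the first switch already rejects every scheme outside the same five cases; drop it or add a comment saying it is defensive.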
@@ -1571,7 +1527,7 @@ static int omap_write_page_bch(struct mt
 	chip->write_buf(mtd, buf, mtd->writesize);
 
 	/* Update ecc vector from GPMC result registers */
-	omap_calculate_ecc_bch_multi(mtd, buf, &ecc_calc[0]);
+	chip->ecc.calculate(mtd, buf, &ecc_calc[0]);
 
 	for (i = 0; i < chip->ecc.total; i++)
 		chip->oob_poi[eccpos[i]] = ecc_calc[i];
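Review bot: The return value of "chip->ecc.calculate(mtd, buf, &ecc_calc[0]);" is discarded, yet the function restored earlier in this patch returns -EINVAL for an unknown ecc_opt. On that path the loop below copies whatever ecc_calc held into chip->oob_poi and writes it out. Check the result and return it before the copy.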
@@ -1582,72 +1538,6 @@ static int omap_write_page_bch(struct mt
 }
 
 /**
- * omap_write_subpage_bch - BCH hardware ECC based subpage write
- * @mtd:	mtd info structure
- * @chip:	nand chip info structure
- * @offset:	column address of subpage within the page
- * @data_len:	data length
- * @buf:	data buffer
- * @oob_required: must write chip->oob_poi to OOB
- * @page: page number to write
- *
- * OMAP optimized subpage write method.
- */
-static int omap_write_subpage_bch(struct mtd_info *mtd,
-				  struct nand_chip *chip, u32 offset,
-				  u32 data_len, const u8 *buf,
-				  int oob_required, int page)
-{
-	u8 *ecc_calc = chip->buffers->ecccalc;
-	int ecc_size      = chip->ecc.size;
-	int ecc_bytes     = chip->ecc.bytes;
-	int ecc_steps     = chip->ecc.steps;
-	u32 start_step = offset / ecc_size;
-	u32 end_step   = (offset + data_len - 1) / ecc_size;
-	int step, ret = 0;
-
-	/*
-	 * Write entire page at one go as it would be optimal
-	 * as ECC is calculated by hardware.
-	 * ECC is calculated for all subpages but we choose
-	 * only what we want.
-	 */
-
-	/* Enable GPMC ECC engine */
-	chip->ecc.hwctl(mtd, NAND_ECC_WRITE);
-
-	/* Write data */
-	chip->write_buf(mtd, buf, mtd->writesize);
-
-	for (step = 0; step < ecc_steps; step++) {
-		/* mask ECC of un-touched subpages by padding 0xFF */
-		if (step < start_step || step > end_step)
-			memset(ecc_calc, 0xff, ecc_bytes);
-		else
-			ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step);
-
-		if (ret)
-			return ret;
-
-		buf += ecc_size;
-		ecc_calc += ecc_bytes;
-	}
-
-	/* copy calculated ECC for whole page to chip->buffer->oob */
-	/* this include masked-value(0xFF) for unwritten subpages */
-	ecc_calc = chip->buffers->ecccalc;
-	ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0,
-					 chip->ecc.total);
-	if (ret)
-		return ret;
-
-	/* write OOB buffer to NAND device */
-	chip->write_buf(mtd, chip->oob_poi, mtd->oobsize);
-
-	return 0;
-}
-
-/**
  * omap_read_page_bch - BCH ecc based page read function for entire page
  * @mtd:		mtd info structure
  * @chip:		nand chip info structure
@@ -1684,7 +1574,7 @@ static int omap_read_page_bch(struct mtd
 	chip->read_buf(mtd, oob, chip->ecc.total);
 
 	/* Calculate ecc bytes */
-	omap_calculate_ecc_bch_multi(mtd, buf, ecc_calc);
+	chip->ecc.calculate(mtd, buf, ecc_calc);
 
 	memcpy(ecc_code, &chip->oob_poi[eccpos[0]], chip->ecc.total);
 
@@ -1933,7 +1823,7 @@ static int omap_nand_probe(struct platfo
 		nand_chip->ecc.strength		= 4;
 		nand_chip->ecc.hwctl		= omap_enable_hwecc_bch;
 		nand_chip->ecc.correct		= nand_bch_correct_data;
-		nand_chip->ecc.calculate	= omap_calculate_ecc_bch_sw;
+		nand_chip->ecc.calculate	= omap_calculate_ecc_bch;
 		/* define ECC layout */
 		ecclayout->eccbytes		= nand_chip->ecc.bytes *
 							(mtd->writesize /
@@ -1973,9 +1863,9 @@ static int omap_nand_probe(struct platfo
 		nand_chip->ecc.strength		= 4;
 		nand_chip->ecc.hwctl		= omap_enable_hwecc_bch;
 		nand_chip->ecc.correct		= omap_elm_correct_data;
+		nand_chip->ecc.calculate	= omap_calculate_ecc_bch;
 		nand_chip->ecc.read_page	= omap_read_page_bch;
 		nand_chip->ecc.write_page	= omap_write_page_bch;
-		nand_chip->ecc.write_subpage	= omap_write_subpage_bch;
 		/* define ECC layout */
 		ecclayout->eccbytes		= nand_chip->ecc.bytes *
 							(mtd->writesize /
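Review bot: Removing the ecc.write_subpage assignment leaves this scheme with no driver-specific subpage write, while ecc.calculate now points at a function that loops over every sector reported by gpmc_ecc_config and advances ecc_calc by eccbytes each time. Please state in the changelog which subpage write path is used after this change, and confirm that it does not call ecc.calculate with a buffer sized for a single sector.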
@@ -2008,7 +1898,7 @@ static int omap_nand_probe(struct platfo
 		nand_chip->ecc.strength		= 8;
 		nand_chip->ecc.hwctl		= omap_enable_hwecc_bch;
 		nand_chip->ecc.correct		= nand_bch_correct_data;
-		nand_chip->ecc.calculate	= omap_calculate_ecc_bch_sw;
+		nand_chip->ecc.calculate	= omap_calculate_ecc_bch;
 		/* define ECC layout */
 		ecclayout->eccbytes		= nand_chip->ecc.bytes *
 							(mtd->writesize /
@@ -2049,9 +1939,9 @@ static int omap_nand_probe(struct platfo
 		nand_chip->ecc.strength		= 8;
 		nand_chip->ecc.hwctl		= omap_enable_hwecc_bch;
 		nand_chip->ecc.correct		= omap_elm_correct_data;
+		nand_chip->ecc.calculate	= omap_calculate_ecc_bch;
 		nand_chip->ecc.read_page	= omap_read_page_bch;
 		nand_chip->ecc.write_page	= omap_write_page_bch;
-		nand_chip->ecc.write_subpage	= omap_write_subpage_bch;
 		/* This ECC scheme requires ELM H/W block */
 		err = is_elm_present(info, pdata->elm_of_node, BCH8_ECC);
 		if (err < 0) {
@@ -2084,9 +1974,9 @@ static int omap_nand_probe(struct platfo
 		nand_chip->ecc.strength		= 16;
 		nand_chip->ecc.hwctl		= omap_enable_hwecc_bch;
 		nand_chip->ecc.correct		= omap_elm_correct_data;
+		nand_chip->ecc.calculate	= omap_calculate_ecc_bch;
 		nand_chip->ecc.read_page	= omap_read_page_bch;
 		nand_chip->ecc.write_page	= omap_write_page_bch;
-		nand_chip->ecc.write_subpage	= omap_write_subpage_bch;
 		/* This ECC scheme requires ELM H/W block */
 		err = is_elm_present(info, pdata->elm_of_node, BCH16_ECC);
 		if (err < 0) {



* [PATCH 3.16 009/366] eeepc-laptop: simplify parse_arg()
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (179 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 257/366] usb: cdc_acm: Add quirk for Castles VEGA3000 Ben Hutchings
                   ` (185 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Darren Hart, Paul Bolle

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Bolle <pebolle@tiscali.nl>

commit 95369a73a957ad221f1d6b8f11a63a376f38c544 upstream.

parse_arg() has three possible return values:
    -EINVAL if sscanf(), in short, fails;
    zero if "count" is zero; and
    "count" in all other cases

But "count" will never be zero. See, parse_arg() is called by the
various store functions. And the callchain of these functions starts
with sysfs_kf_write(). And that function checks for a zero "count". So
we can stop checking for a zero "count", drop the "count" argument
entirely, and transform parse_arg() into a function that returns zero on
success or a negative error. That, in turn, allows to make those store
functions just return "count" on success. The net effect is that the
code becomes a bit easier to understand.

A nice side effect is that this GCC warning is silenced too:
    drivers/platform/x86/eeepc-laptop.c: In function ‘store_sys_acpi’:
    drivers/platform/x86/eeepc-laptop.c:279:10: warning: ‘value’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      int rv, value;

Which is, of course, the reason to have a look at parse_arg().

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/platform/x86/eeepc-laptop.c | 36 ++++++++++++++---------------
 1 file changed, 18 insertions(+), 18 deletions(-)

--- a/drivers/platform/x86/eeepc-laptop.c
+++ b/drivers/platform/x86/eeepc-laptop.c
@@ -263,13 +263,11 @@ static int acpi_setter_handle(struct eee
 /*
  * Sys helpers
  */
-static int parse_arg(const char *buf, unsigned long count, int *val)
+static int parse_arg(const char *buf, int *val)
 {
-	if (!count)
-		return 0;
 	if (sscanf(buf, "%i", val) != 1)
 		return -EINVAL;
-	return count;
+	return 0;
 }
 
 static ssize_t store_sys_acpi(struct device *dev, int cm,
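Review bot: parse_arg() still relies on sscanf(buf, "%i", val), which accepts input with trailing garbage such as "1abc" and gives no overflow indication. Since the function now only returns 0 or -EINVAL, kstrtoint(buf, 0, val) would be a drop-in replacement that rejects both. A one-line comment stating the new return convention (0 on success, negative errno on failure) would also help, because every caller in this patch depends on it.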
@@ -278,12 +276,13 @@ static ssize_t store_sys_acpi(struct dev
 	struct eeepc_laptop *eeepc = dev_get_drvdata(dev);
 	int rv, value;
 
-	rv = parse_arg(buf, count, &value);
-	if (rv > 0)
-		value = set_acpi(eeepc, cm, value);
-	if (value < 0)
+	rv = parse_arg(buf, &value);
+	if (rv < 0)
+		return rv;
+	rv = set_acpi(eeepc, cm, value);
+	if (rv < 0)
 		return -EIO;
-	return rv;
+	return count;
 }
 
 static ssize_t show_sys_acpi(struct device *dev, int cm, char *buf)
@@ -377,13 +376,13 @@ static ssize_t store_cpufv(struct device
 		return -EPERM;
 	if (get_cpufv(eeepc, &c))
 		return -ENODEV;
-	rv = parse_arg(buf, count, &value);
+	rv = parse_arg(buf, &value);
 	if (rv < 0)
 		return rv;
-	if (!rv || value < 0 || value >= c.num)
+	if (value < 0 || value >= c.num)
 		return -EINVAL;
 	set_acpi(eeepc, CM_ASL_CPUFV, value);
-	return rv;
+	return count;
 }
 
 static ssize_t show_cpufv_disabled(struct device *dev,
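Review bot: store_cpufv() calls "set_acpi(eeepc, CM_ASL_CPUFV, value);" without looking at the result and then returns count, so a failed ACPI write is reported to user space as success. store_sys_acpi() in the same patch maps a negative set_acpi() result to -EIO; do the same here for consistency.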
@@ -402,7 +401,7 @@ static ssize_t store_cpufv_disabled(stru
 	struct eeepc_laptop *eeepc = dev_get_drvdata(dev);
 	int rv, value;
 
-	rv = parse_arg(buf, count, &value);
+	rv = parse_arg(buf, &value);
 	if (rv < 0)
 		return rv;
 
@@ -412,7 +411,7 @@ static ssize_t store_cpufv_disabled(stru
 			pr_warn("cpufv enabled (not officially supported "
 				"on this model)\n");
 		eeepc->cpufv_disabled = false;
-		return rv;
+		return count;
 	case 1:
 		return -EPERM;
 	default:
@@ -1042,10 +1041,11 @@ static ssize_t store_sys_hwmon(void (*se
 {
 	int rv, value;
 
-	rv = parse_arg(buf, count, &value);
-	if (rv > 0)
-		set(value);
-	return rv;
+	rv = parse_arg(buf, &value);
+	if (rv < 0)
+		return rv;
+	set(value);
+	return count;
 }
 
 static ssize_t show_sys_hwmon(int (*get)(void), char *buf)
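
The return-value problem the commit message describes, modelled in user space as an added example (not code from the driver or from the patch). set_acpi_stub() and the "stale" parameter, which stands in for whatever the uninitialized local "value" happened to hold, are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for the driver's set_acpi(): fails on negative input. */
static int set_acpi_stub(int value)
{
	return value < 0 ? -1 : 0;
}

/* parse_arg() as it was before the patch. */
static int parse_arg_old(const char *buf, unsigned long count, int *val)
{
	if (!count)
		return 0;
	if (sscanf(buf, "%i", val) != 1)
		return -EINVAL;
	return count;
}

/*
 * store_sys_acpi() before the patch. When parsing fails, "value" is never
 * written, so the "value < 0" test reads stack garbage. "stale" makes that
 * garbage an explicit input so the effect is reproducible.
 */
static ssize_t store_old(const char *buf, size_t count, int stale)
{
	int rv, value = stale;

	rv = parse_arg_old(buf, count, &value);
	if (rv > 0)
		value = set_acpi_stub(value);
	if (value < 0)
		return -EIO;
	return rv;
}

/* parse_arg() after the patch: 0 on success, negative errno on failure. */
static int parse_arg_new(const char *buf, int *val)
{
	if (sscanf(buf, "%i", val) != 1)
		return -EINVAL;
	return 0;
}

/* store_sys_acpi() after the patch: "value" is only read once it is set. */
static ssize_t store_new(const char *buf, size_t count)
{
	int rv, value;

	rv = parse_arg_new(buf, &value);
	if (rv < 0)
		return rv;
	rv = set_acpi_stub(value);
	if (rv < 0)
		return -EIO;
	return count;
}

int main(void)
{
	const char *bad = "abc\n";	/* constructed input that sscanf() rejects */

	printf("old, stale=7:  %zd\n", store_old(bad, 4, 7));
	printf("old, stale=-7: %zd\n", store_old(bad, 4, -7));
	printf("new:           %zd\n", store_new(bad, 4));
	return 0;
}
```

With the old code the errno seen by the writer depends on the stale stack value; with the new code an unparsable string always yields -EINVAL.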



* [PATCH 3.16 001/366] arm64: add missing data types in smp_load_acquire/smp_store_release
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 129/366] net/sched: act_simple: fix parsing of TCA_DEF_DATA Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 241/366] mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states Ben Hutchings
                   ` (325 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andre Przywara, Will Deacon

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andre Przywara <andre.przywara@arm.com>

commit 878a84d5a8a18a4ab241d40cebb791d6aedf5605 upstream.

Commit 8053871d0f7f ("smp: Fix smp_call_function_single_async()
locking") introduced a call to smp_load_acquire() with a u16 argument,
but we only cared about u32 and u64 types in that function so far.
This resulted in a compiler warning fortunately, pointing at an
uninitialized use. Due to the implementation structure the compiler
misses that bug in the smp_store_release(), though.
Add the u16 and u8 variants using ldarh/stlrh and ldarb/stlrb,
respectively. Together with the compiletime_assert_atomic_type() check
this should cover all cases now.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/barrier.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/arch/arm64/include/asm/barrier.h
+++ b/arch/arm64/include/asm/barrier.h
@@ -64,6 +64,14 @@ do {									\
 		{ .__val = (__force typeof(*p)) (v) }; 			\
 	compiletime_assert_atomic_type(*p);				\
 	switch (sizeof(*p)) {						\
+	case 1:								\
+		asm volatile ("stlrb %w1, %0"				\
+				: "=Q" (*p) : "r" (v) : "memory");	\
+		break;							\
+	case 2:								\
+		asm volatile ("stlrh %w1, %0"				\
+				: "=Q" (*p) : "r" (v) : "memory");	\
+		break;							\
 	case 4:								\
 		asm volatile ("stlr %w1, %0"				\
 				: "=Q" (*p)				\
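Review bot: The new case 1 and case 2 stores pass the raw macro argument, "r" (v), to stlrb/stlrh, although the context line above the switch already builds a union value from v with a cast to typeof(*p). When v and *p differ in width, the operand handed to the asm does not have the type being stored. Feed these two cases from that union, or explain in the changelog why the uncast v is safe here.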
@@ -84,6 +92,14 @@ do {									\
 	typeof(*p) ___p1;						\
 	compiletime_assert_atomic_type(*p);				\
 	switch (sizeof(*p)) {						\
+	case 1:								\
+		asm volatile ("ldarb %w0, %1"				\
+			: "=r" (___p1) : "Q" (*p) : "memory");		\
+		break;							\
+	case 2:								\
+		asm volatile ("ldarh %w0, %1"				\
+			: "=r" (___p1) : "Q" (*p) : "memory");		\
+		break;							\
 	case 4:								\
 		asm volatile ("ldar %w0, %1"				\
 			: "=r" (___p1) : "Q" (*p) : "memory");		\



* [PATCH 3.16 017/366] media: omap3isp/isp: remove an unused static var
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (314 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 124/366] pagemap: hide physical addresses from non-privileged users Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 239/366] sh_eth: fix invalid context bug while changing link options by ethtool Ben Hutchings
                   ` (50 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Laurent Pinchart, Mauro Carvalho Chehab

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab@s-opensource.com>

commit 3f4836beb2ebeb0211d9911d878a267d687e0e6e upstream.

The isp_xclk_init_data const data isn't used anywhere.

drivers/media/platform/omap3isp/isp.c:294:35: warning: ‘isp_xclk_init_data’ defined but not used [-Wunused-const-variable=]
 static const struct clk_init_data isp_xclk_init_data = {
                                   ^~~~~~~~~~~~~~~~~~

Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework")

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/omap3isp/isp.c | 7 -------
 1 file changed, 7 deletions(-)

--- a/drivers/media/platform/omap3isp/isp.c
+++ b/drivers/media/platform/omap3isp/isp.c
@@ -279,13 +279,6 @@ static const struct clk_ops isp_xclk_ops
 
 static const char *isp_xclk_parent_name = "cam_mclk";
 
-static const struct clk_init_data isp_xclk_init_data = {
-	.name = "cam_xclk",
-	.ops = &isp_xclk_ops,
-	.parent_names = &isp_xclk_parent_name,
-	.num_parents = 1,
-};
-
 static int isp_xclk_init(struct isp_device *isp)
 {
 	struct isp_platform_data *pdata = isp->pdata;
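Review bot: The only visible user of isp_xclk_parent_name in this context is the removed initializer (".parent_names = &isp_xclk_parent_name"), and the variable itself is kept. Please confirm it still has a user in the 3.16 tree after this backport; otherwise it becomes the next "defined but not used" warning and should be removed in the same patch.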



* [PATCH 3.16 002/366] arm64: ensure extension of smp_store_release value
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (186 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 065/366] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Ben Hutchings
@ 2018-11-11 19:49 ` Ben Hutchings
  2018-11-11 19:49 ` [PATCH 3.16 351/366] usb: misc: usb3503: Update error code in print message Ben Hutchings
                   ` (178 subsequent siblings)
  366 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-11 19:49 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matthias Kaehlcke, Catalin Marinas, Will Deacon, Mark Rutland

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 994870bead4ab19087a79492400a5478e2906196 upstream.

When an inline assembly operand's type is narrower than the register it
is allocated to, the least significant bits of the register (up to the
operand type's width) are valid, and any other bits are permitted to
contain any arbitrary value. This aligns with the AAPCS64 parameter
passing rules.

Our __smp_store_release() implementation does not account for this, and
implicitly assumes that operands have been zero-extended to the width of
the type being stored to. Thus, we may store unknown values to memory
when the value type is narrower than the pointer type (e.g. when storing
a char to a long).

This patch fixes the issue by casting the value operand to the same
width as the pointer operand in all cases, which ensures that the value
is zero-extended as we expect. We use the same union trickery as
__smp_load_acquire and {READ,WRITE}_ONCE() to avoid GCC complaining that
pointers are potentially cast to narrower width integers in unreachable
paths.

A whitespace issue at the top of __smp_store_release() is also
corrected.

No changes are necessary for __smp_load_acquire(). Load instructions
implicitly clear any upper bits of the register, and the compiler will
only consider the least significant bits of the register as valid
regardless.

Fixes: 47933ad41a86 ("arch: Introduce smp_load_acquire(), smp_store_release()")
Fixes: 878a84d5a8a1 ("arm64: add missing data types in smp_load_acquire/smp_store_release")
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[bwh: The same upstream commit was already backported to 3.16, but we
 didn't have the 1-byte and 2-byte cases then so I dropped that part.
 Now that we do, pick up that part again.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/barrier.h | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/arch/arm64/include/asm/barrier.h
+++ b/arch/arm64/include/asm/barrier.h
@@ -66,11 +66,15 @@ do {									\
 	switch (sizeof(*p)) {						\
 	case 1:								\
 		asm volatile ("stlrb %w1, %0"				\
-				: "=Q" (*p) : "r" (v) : "memory");	\
+				: "=Q" (*p)				\
+				: "r" (*(__u8 *)__u.__c)		\
+				: "memory");				\
 		break;							\
 	case 2:								\
 		asm volatile ("stlrh %w1, %0"				\
-				: "=Q" (*p) : "r" (v) : "memory");	\
+				: "=Q" (*p)				\
+				: "r" (*(__u16 *)__u.__c)		\
+				: "memory");				\
 		break;							\
 	case 4:								\
 		asm volatile ("stlr %w1, %0"				\
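Review bot: The diffstat above this hunk reports 15 insertions and 5 deletions, but the hunk only carries 6 insertions and 2 deletions (the case 1 and case 2 operands). The backport note says only that part is picked up, so the diffstat looks copied from the upstream commit; regenerate it so it matches what is applied. The changelog's sentence about a whitespace fix at the top of __smp_store_release() likewise has no counterpart in this hunk.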



* Re: [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs*
  2018-11-11 19:49 ` [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Ben Hutchings
@ 2018-11-11 19:59   ` syzbot
  0 siblings, 0 replies; 376+ messages in thread
From: syzbot @ 2018-11-11 19:59 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: akpm, ben, glider, gregkh, linux-kernel, stable

> 3.16.61-rc1 review patch.  If anyone has any objections, please let me  
> know.

> ------------------

> From: Alexander Potapenko <glider@google.com>

> commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.

> KMSAN reported an infoleak when reading from /dev/vcs*:

>    BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
>    Call Trace:
>    ...
>     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
>     copy_to_user ./include/linux/uaccess.h:184
>     vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
>     __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
>     vfs_read+0x36c/0x6b0 fs/read_write.c:452
>    ...
>    Uninit was created at:
>     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
>     kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
>     kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
>     __kmalloc+0x13a/0x350 mm/slub.c:3818
>     kmalloc ./include/linux/slab.h:517
>     vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
>     con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
>     tty_driver_install_tty drivers/tty/tty_io.c:1224
>     tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
>     tty_open_by_driver drivers/tty/tty_io.c:1959
>     tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
>     chrdev_open+0xc25/0xd90 fs/char_dev.c:417
>     do_dentry_open+0xccc/0x1440 fs/open.c:794
>     vfs_open+0x1b6/0x2f0 fs/open.c:908
>    ...
>    Bytes 0-79 of 240 are uninitialized

> Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem

> Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
> Signed-off-by: Alexander Potapenko <glider@google.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>   drivers/tty/vt/vt.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)

> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -782,7 +782,7 @@ int vc_allocate(unsigned int currcons)	/
>   	if (!*vc->vc_uni_pagedir_loc)
>   		con_set_default_unimap(vc);

> -	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
> +	vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
>   	if (!vc->vc_screenbuf)
>   		goto err_free;

> @@ -869,7 +869,7 @@ static int vc_do_resize(struct tty_struc

>   	if (new_screen_size > (4 << 20))
>   		return -EINVAL;
> -	newscreen = kmalloc(new_screen_size, GFP_USER);
> +	newscreen = kzalloc(new_screen_size, GFP_USER);
>   	if (!newscreen)
>   		return -ENOMEM;



Can't find the corresponding bug.



* Re: [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
  2018-11-11 19:49 ` [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum Ben Hutchings
@ 2018-11-11 20:17   ` Rafał Miłecki
  2018-11-20 17:51     ` Ben Hutchings
  0 siblings, 1 reply; 376+ messages in thread
From: Rafał Miłecki @ 2018-11-11 20:17 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Linux Kernel Mailing List, Stable, Andrew Morton, Paul Burton,
	Hauke Mehrtens, linux-mips, Chris Packham, James Hogan,
	Tokunori Ikegami

On Sun, 11 Nov 2018 at 21:05, Ben Hutchings <ben@decadent.org.uk> wrote:
> 3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

Nack. This patch has caused a regression and had to be reverted.
Please check upstream repository for a revert (search git log for
2a027b47dba6).


* Re: [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads
  2018-11-11 19:49 ` [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads Ben Hutchings
@ 2018-11-12  8:10   ` Snild Dolkow
  2018-11-20 17:52     ` Ben Hutchings
  0 siblings, 1 reply; 376+ messages in thread
From: Snild Dolkow @ 2018-11-12  8:10 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware)

On 11/11/18 8:49 PM, Ben Hutchings wrote:
> 3.16.61-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Snild Dolkow <snild@sony.com>
> 
> commit 3e536e222f2930534c252c1cc7ae799c725c5ff9 upstream.
> 
> There is a window for racing when printing directly to task->comm,
> allowing other threads to see a non-terminated string. The vsnprintf
> function fills the buffer, counts the truncated chars, then finally
> writes the \0 at the end.
> 
> 	creator                     other
> 	vsnprintf:
> 	  fill (not terminated)
> 	  count the rest            trace_sched_waking(p):
> 	  ...                         memcpy(comm, p->comm, TASK_COMM_LEN)
> 	  write \0
> 
> The consequences depend on how 'other' uses the string. In our case,
> it was copied into the tracing system's saved cmdlines, a buffer of
> adjacent TASK_COMM_LEN-byte buffers (note the 'n' where 0 should be):
> 
> 	crash-arm64> x/1024s savedcmd->saved_cmdlines | grep 'evenk'
> 	0xffffffd5b3818640:     "irq/497-pwr_evenkworker/u16:12"
> 
> ...and a strcpy out of there would cause stack corruption:
> 
> 	[224761.522292] Kernel panic - not syncing: stack-protector:
> 	    Kernel stack is corrupted in: ffffff9bf9783c78
> 
> 	crash-arm64> kbt | grep 'comm\|trace_print_context'
> 	#6  0xffffff9bf9783c78 in trace_print_context+0x18c(+396)
> 	      comm (char [16]) =  "irq/497-pwr_even"
> 
> 	crash-arm64> rd 0xffffffd4d0e17d14 8
> 	ffffffd4d0e17d14:  2f71726900000000 5f7277702d373934   ....irq/497-pwr_
> 	ffffffd4d0e17d24:  726f776b6e657665 3a3631752f72656b   evenkworker/u16:
> 	ffffffd4d0e17d34:  f9780248ff003231 cede60e0ffffff9b   12..H.x......`..
> 	ffffffd4d0e17d44:  cede60c8ffffffd4 00000fffffffffd4   .....`..........
> 
> The workaround in e09e28671 (use strlcpy in __trace_find_cmdline) was
> likely needed because of this same bug.
> 
> Solved by vsnprintf:ing to a local buffer, then using set_task_comm().
> This way, there won't be a window where comm is not terminated.
> 
> Link: http://lkml.kernel.org/r/20180726071539.188015-1-snild@sony.com
> 
> Fixes: bc0c38d139ec7 ("ftrace: latency tracer infrastructure")
> Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
> Signed-off-by: Snild Dolkow <snild@sony.com>
> Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
> [bwh: Backported to 3.16: adjust context]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  kernel/kthread.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> --- a/kernel/kthread.c
> +++ b/kernel/kthread.c
> @@ -309,10 +309,16 @@ struct task_struct *kthread_create_on_no
>  	if (!IS_ERR(task)) {
>  		static const struct sched_param param = { .sched_priority = 0 };
>  		va_list args;
> +		char name[TASK_COMM_LEN];
>  
> +		/*
> +		 * task is already visible to other tasks, so updating
> +		 * COMM must be protected.
> +		 */
>  		va_start(args, namefmt);
> -		vsnprintf(task->comm, sizeof(task->comm), namefmt, args);
> +		vsnprintf(name, sizeof(name), namefmt, args);
>  		va_end(args);
> +		set_task_comm(task, name);
>  		/*
>  		 * root may have changed our (kthreadd's) priority or CPU mask.
>  		 * The kernel thread should not inherit these properties.
> 
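Review bot: The added comment says that updating COMM "must be protected" but not by what. Name the mechanism, that is, the locking done inside set_task_comm(), so a later cleanup does not go back to writing task->comm directly. It would also help to note that the name is still truncated to TASK_COMM_LEN, now by the vsnprintf() into name[].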

Reviewed-by: Snild Dolkow <snild@sony.com>



* Re: [PATCH 3.16 000/366] 3.16.61-rc1 review
  2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
                   ` (365 preceding siblings ...)
  2018-11-11 19:49 ` [PATCH 3.16 128/366] video/omap: add module license tags Ben Hutchings
@ 2018-11-13  1:57 ` Guenter Roeck
  2018-11-14 20:47   ` Johannes Pointner
  2018-11-20 17:57   ` Ben Hutchings
  366 siblings, 2 replies; 376+ messages in thread
From: Guenter Roeck @ 2018-11-13  1:57 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, torvalds, akpm

On Sun, Nov 11, 2018 at 07:49:04PM +0000, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.61 release.
> There are 366 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Nov 16 18:00:00 UTC 2018.
> Anything received after that time might be too late.
> 
Build results:
	total: 140 pass: 139 fail: 1
Failed builds: 
	i386:tools/perf
Qemu test results:
	total: 217 pass: 217 fail: 0

Details are available at https://kerneltests.org/builders/.

Guenter


* Re: [PATCH 3.16 000/366] 3.16.61-rc1 review
  2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
@ 2018-11-14 20:47   ` Johannes Pointner
  2019-01-02 17:44     ` Ben Hutchings
  2018-11-20 17:57   ` Ben Hutchings
  1 sibling, 1 reply; 376+ messages in thread
From: Johannes Pointner @ 2018-11-14 20:47 UTC (permalink / raw)
  To: ben; +Cc: linux, linux-kernel, stable, torvalds, akpm

On Tue, Nov 13, 2018 at 2:58 AM Guenter Roeck <linux@roeck-us.net> wrote:
>
> On Sun, Nov 11, 2018 at 07:49:04PM +0000, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.61 release.
> > There are 366 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri Nov 16 18:00:00 UTC 2018.
> > Anything received after that time might be too late.
> >
> Build results:
>         total: 140 pass: 139 fail: 1
> Failed builds:
>         i386:tools/perf
> Qemu test results:
>         total: 217 pass: 217 fail: 0
>
> Details are available at https://kerneltests.org/builders/.
>
> Guenter

Hello Ben,

could you please include the following patch which makes it possible
to build arm with gcc8
a71ae0513c232c844009738af135a13e5d7e39c ARM: fix put_user() for gcc-8
this is the version which landed in 3.18
and also the following patch
430c3fdb11ec1f0af1eca28460c922b9c1eb2ac5 turn off -Wattribute-alias
this is also the version which landed in 3.18

Thx,
Hannes


* Re: [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
  2018-11-11 20:17   ` Rafał Miłecki
@ 2018-11-20 17:51     ` Ben Hutchings
  0 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-20 17:51 UTC (permalink / raw)
  To: Rafał Miłecki
  Cc: Linux Kernel Mailing List, Stable, Andrew Morton, Paul Burton,
	Hauke Mehrtens, linux-mips, Chris Packham, James Hogan,
	Tokunori Ikegami


On Sun, 2018-11-11 at 21:17 +0100, Rafał Miłecki wrote:
> On Sun, 11 Nov 2018 at 21:05, Ben Hutchings <ben@decadent.org.uk> wrote:
> > 3.16.61-rc1 review patch.  If anyone has any objections, please let me know.
> 
> Nack. This patch has caused a regression and had to be reverted.
> Please check upstream repository for a revert (search git log for
> 2a027b47dba6).

I've dropped this from the queue, thanks.

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.




* Re: [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads
  2018-11-12  8:10   ` Snild Dolkow
@ 2018-11-20 17:52     ` Ben Hutchings
  0 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-20 17:52 UTC (permalink / raw)
  To: Snild Dolkow, linux-kernel, stable; +Cc: akpm, Steven Rostedt (VMware)


On Mon, 2018-11-12 at 09:10 +0100, Snild Dolkow wrote:
> On 11/11/18 8:49 PM, Ben Hutchings wrote:
> > 3.16.61-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Snild Dolkow <snild@sony.com>
> > 
> > commit 3e536e222f2930534c252c1cc7ae799c725c5ff9 upstream.
[...]
> Reviewed-by: Snild Dolkow <snild@sony.com>

Thanks!

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.




* Re: [PATCH 3.16 000/366] 3.16.61-rc1 review
  2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
  2018-11-14 20:47   ` Johannes Pointner
@ 2018-11-20 17:57   ` Ben Hutchings
  1 sibling, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2018-11-20 17:57 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: linux-kernel, stable, torvalds, akpm


On Mon, 2018-11-12 at 17:57 -0800, Guenter Roeck wrote:
> On Sun, Nov 11, 2018 at 07:49:04PM +0000, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.61 release.
> > There are 366 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Nov 16 18:00:00 UTC 2018.
> > Anything received after that time might be too late.
> > 
> Build results:
> 	total: 140 pass: 139 fail: 1

So perf now builds in your x86_64 environment but still fails on i386. 
I didn't try i386 but that's still surprising...

> Failed builds: 
> 	i386:tools/perf
> Qemu test results:
> 	total: 217 pass: 217 fail: 0
> 
> Details are available at https://kerneltests.org/builders/.

Thanks for checking.

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.




* Re: [PATCH 3.16 000/366] 3.16.61-rc1 review
  2018-11-14 20:47   ` Johannes Pointner
@ 2019-01-02 17:44     ` Ben Hutchings
  0 siblings, 0 replies; 376+ messages in thread
From: Ben Hutchings @ 2019-01-02 17:44 UTC (permalink / raw)
  To: Johannes Pointner; +Cc: linux, linux-kernel, stable, torvalds, akpm


On Wed, 2018-11-14 at 21:47 +0100, Johannes Pointner wrote:
> On Tue, Nov 13, 2018 at 2:58 AM Guenter Roeck <linux@roeck-us.net>
> wrote:
> > On Sun, Nov 11, 2018 at 07:49:04PM +0000, Ben Hutchings wrote:
> > > This is the start of the stable review cycle for the 3.16.61
> > > release.
> > > There are 366 patches in this series, which will be posted as
> > > responses
> > > to this one.  If anyone has any issues with these being applied,
> > > please
> > > let me know.
> > > 
> > > Responses should be made by Fri Nov 16 18:00:00 UTC 2018.
> > > Anything received after that time might be too late.
> > > 
> > Build results:
> >         total: 140 pass: 139 fail: 1
> > Failed builds:
> >         i386:tools/perf
> > Qemu test results:
> >         total: 217 pass: 217 fail: 0
> > 
> > Details are available at https://kerneltests.org/builders/.
> > 
> > Guenter
> 
> Hello Ben,
> 
> could you please include the following patch which makes it possible
> to build arm with gcc8
> a71ae0513c232c844009738af135a13e5d7e39c ARM: fix put_user() for gcc-8
> this is the version which landed in 3.18
> and also the following patch
> 430c3fdb11ec1f0af1eca28460c922b9c1eb2ac5 turn off -Wattribute-alias
> this is also the version which landed in 3.18

I'm not sure how much point there is in using gcc 8 for Linux 3.16, but
these look harmless enough so I've queued them up for the next update.

Ben.

-- 
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer




Thread overview: 376+ messages
2018-11-11 19:49 [PATCH 3.16 000/366] 3.16.61-rc1 review Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 332/366] HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 182/366] x86/mce: Do not overwrite MCi_STATUS in mce_no_way_out() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 137/366] mm/swapfile.c: fix swap_count comment about nonexistent SWAP_HAS_CONT Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 073/366] ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 178/366] Input: elantech - fix V4 report decoding for module with middle key Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 037/366] s390/cpum_sf: Add data entry sizes to sampling trailer entry Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 187/366] batman-adv: Fix debugfs path for renamed hardif Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 011/366] Revert "mtd: nand: omap2: Fix subpage write" Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 274/366] fat: fix memory allocation failure handling of match_strdup() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 211/366] tty: vt, remove reduntant check Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 061/366] scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 120/366] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 085/366] usb: gadget: function: printer: avoid spinlock recursion Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 307/366] nohz: Fix local_timer_softirq_pending() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 081/366] PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 216/366] ext4: Fix WARN_ON_ONCE in ext4_commit_super() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 100/366] fuse: fix control dir setup and teardown Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 191/366] batman-adv: Fix multicast TT issues with bogus ROAM flags Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 117/366] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 335/366] usbip: stub_rx: fix static checker warning on unnecessary checks Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 067/366] scsi: qlogicpti: Fix an error handling path in 'qpti_sbus_probe()' Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 218/366] sched/fair: Fix bandwidth timer clock drift condition Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 245/366] ARC: mm: allow mprotect to make stack mappings executable Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 242/366] HID: hiddev: fix potential Spectre v1 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 278/366] can: constify of_device_id array Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 119/366] rtnetlink: validate attributes in do_setlink() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 035/366] nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 342/366] clk: si5351: Constify clock names and struct regmap_config Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 109/366] ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 260/366] drm: re-enable error handling Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 101/366] fuse: don't keep dead fuse_conn at fuse_fill_super() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 253/366] fs, elf: make sure to page align bss in load_elf_library Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 289/366] cachefiles: Fix refcounting bug in backing-file read monitoring Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 159/366] x86/speculation: Fix up array_index_nospec_mask() asm constraint Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 259/366] drm/nouveau: Remove bogus crtc check in pmops_runtime_idle Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 212/366] tty: vt, get rid of weird source code flow Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 352/366] perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 086/366] usb: gadget: function: printer: avoid wrong list handling in printer_write() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 129/366] net/sched: act_simple: fix parsing of TCA_DEF_DATA Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 001/366] arm64: add missing data types in smp_load_acquire/smp_store_release Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 241/366] mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 358/366] tools include: Add a __fallthrough statement Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 055/366] mfd: tps65911-comparator: Fix a build error Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 125/366] mm: /proc/pid/pagemap: hide swap entries from unprivileged users Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 288/366] fscache: Allow cancelled operations to be enqueued Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 141/366] l2tp: clean up stale tunnel or session in pppol2tp_connect's error path Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 171/366] xen-netfront: avoid crashing on resume after a failure in talk_to_netback() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 350/366] sched/topology: Make local variables static Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 287/366] net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 366/366] perf tools: Fix python extension build for gcc 8 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 268/366] Input: i8042 - add Lenovo LaVie Z to the i8042 reset list Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 205/366] net/mlx5: Fix command interface race in polling mode Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 224/366] RDMA/uverbs: Don't fail in creation of multiple flows Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 220/366] x86/bugs: Add AMD's variant of SSB_NO Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 013/366] arch/x86/kernel/cpu/common.c: fix unused symbol warning Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 166/366] xen-netfront: Use static attribute groups for sysfs entries Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 229/366] USB: serial: ch341: fix type promotion bug in ch341_control_in() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 301/366] squashfs: be more careful about metadata corruption Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 158/366] x86: Call fixup_exception() before notify_die() in math_error() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 176/366] Input: elantech - report the middle button of the touchpad Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 157/366] udf: Detect incorrect directory size Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 082/366] m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 349/366] x86/apic: Fix build failure with X86_IO_APIC disabled Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 276/366] multicast: do not restore deleted record source filter mode to new one Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 314/366] dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 263/366] KEYS: DNS: fix parsing multiple options Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 112/366] of: platform: stop accessing invalid dev in of_platform_device_destroy Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 202/366] scsi: sg: mitigate read/write abuse Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 272/366] crypto: padlock-aes - Fix Nano workaround data corruption Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 096/366] mtd: cfi_cmdset_0002: Change write buffer to check correct value Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 052/366] driver core: Don't ignore class_dir_create_and_add() failure Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 183/366] time: Make sure jiffies_to_msecs() preserves non-zero time periods Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 199/366] RDMA/uverbs: Fix slab-out-of-bounds in ib_uverbs_ex_create_flow Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 179/366] xen: Remove unnecessary BUG_ON from __unbind_from_irq() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 302/366] can: ems_usb: Fix memory leak on ems_usb_disconnect() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 056/366] mfd: tps65911-comparator: Fix an off by one bug Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 058/366] ALSA: core: Assure control device to be registered at last Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 092/366] media: uvcvideo: Support realtek's UVC 1.5 device Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 247/366] ext4: check for allocation block validity with block group locked Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 321/366] xen/netfront: don't cache skb_shinfo() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 185/366] ipv6: mcast: fix unsolicited report interval after receiving querys Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 339/366] KVM: x86: fix escape of guest dr6 to the host Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 115/366] kconfig: Avoid format overflow warning from GCC 8.1 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 075/366] of: unittest: for strings, account for trailing \\0 in property length field Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 135/366] ksm: add cond_resched() to the rmap_walks Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 298/366] kthread, tracing: Don't expose half-written comm when creating kthreads Ben Hutchings
2018-11-12  8:10   ` Snild Dolkow
2018-11-20 17:52     ` Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 133/366] backlight: as3711_bl: Fix Device Tree node leaks Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 087/366] perf/core: Fix group scheduling with mixed hw and sw events Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 336/366] gcov: add support for GCC 5.1 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 184/366] vhost_net: validate sock before trying to put its fd Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 127/366] fs/binfmt_misc.c: do not allow offset overflow Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 012/366] media: platform: davinci: drop VPFE_CMD_S_CCDC_RAW_PARAMS Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 293/366] tracing: Fix double free of event_trigger_data Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 265/366] x86/MCE: Remove min interval polling limitation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 338/366] gcov: support GCC 7.1 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 167/366] xen-netfront: properly destroy queues when removing device Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 353/366] perf tools: define _DEFAULT_SOURCE for glibc_2.20 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 147/366] USB: serial: cp210x: add Silicon Labs IDs for Windows Update Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 360/366] perf tools: Fix snprint warnings for gcc 8 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 228/366] USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 334/366] HID: clamp input to logical range if no null state Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 243/366] ARC: Fix CONFIG_SWAP Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 214/366] s390/qeth: don't clobber buffer on async TX completion Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 248/366] skbuff: Unconditionally copy pfmemalloc in __skb_clone() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 010/366] rtl8723be: Fix misleading indentation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 195/366] xfrm: free skb if nlsk pointer is NULL Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 359/366] perf top: Use __fallthrough Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 074/366] RDMA/ipoib: Update paths on CLIENT_REREG/SM_CHANGE events Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 221/366] x86/bugs: Add AMD's SPEC_CTRL MSR usage Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 036/366] perf: fix invalid bit in diagnostic entry Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 043/366] ext4: update mtime in ext4_punch_hole even if no blocks are released Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 050/366] 1wire: family module autoload fails because of upper/lower case mismatch Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 283/366] can: xilinx_can: fix recovery from error states not being propagated Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 169/366] net/xen-netfront: only clean up queues if present Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 076/366] ipmi:bt: Set the timeout before doing a capabilities check Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 217/366] ext4: check superblock mapped prior to committing Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 103/366] NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 311/366] root dentries need RCU-delayed freeing Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 049/366] w1: support auto-load of w1_bq27000 module Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 150/366] netfilter: ipv6: nf_defrag: reduce struct net memory waste Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 304/366] netlink: Do not subscribe to non-existent groups Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 355/366] perf thread_map: Use readdir() instead of deprecated readdir_r() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 039/366] clk: qcom: Base rcg parent rate off plan frequency Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 019/366] media: v4l2-compat-ioctl32: prevent go past max size Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 270/366] scsi: qla2xxx: Fix ISP recovery on unload Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 097/366] mtd: cfi_cmdset_0002: Change definition naming to retry write operation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 227/366] smsc75xx: Add workaround for gigabit link up hardware errata Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 163/366] xen-netfront: fix locking in connect error path Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 045/366] vfs: add the sb_start_intwrite_trylock() helper Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 346/366] kexec: Fix make headers_check Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 083/366] IB/isert: Fix for lib/dma_debug check_sync warning Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 023/366] media: rc: mce_kbd decoder: fix stuck keys Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 200/366] netfilter: nf_log: don't hold nf_log_mutex during user access Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 249/366] qlogic: check kstrtoul() for errors Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 251/366] binfmt_elf: fix calculations for bss padding Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 047/366] tty: pl011: Avoid spuriously stuck-off interrupts Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 255/366] string: drop __must_check from strscpy() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 091/366] Btrfs: reserve space for O_TMPFILE orphan item deletion Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 223/366] x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 145/366] ext4: include the illegal physical block in the bad map ext4_error msg Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 144/366] l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 256/366] reiserfs: fix buffer overflow with long warning messages Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 291/366] cachefiles: Fix missing clear of the CACHEFILES_OBJECT_ACTIVE flag Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 198/366] RDMA/uverbs: Protect from attempts to create flows on unsupported QP Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 105/366] RDMA/mlx4: Discard unknown SQP work requests Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 116/366] l2tp: fix refcount leakage on PPPoL2TP sockets Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 225/366] tracing: Fix missing return symbol in function_graph output Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 114/366] branch-check: fix long->int truncation when profiling branches Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 110/366] IB/isert: fix T10-pi check mask setting Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 015/366] staging:iio:ade7854: Fix error handling on read/write Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 113/366] PCI: shpchp: Fix AMD POGO identification Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 040/366] powerpc/lib: Fix feature fixup test of external branch Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 090/366] Btrfs: don't return ino to ino cache if inode item removal fails Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 003/366] staging: vt6656: Fix misleading indentation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 364/366] perf trace: Do not process PERF_RECORD_LOST twice Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 297/366] tracing: Quiet gcc warning about maybe unused link variable Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 138/366] l2tp: fix pseudo-wire type for sessions created by pppol2tp_connect() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 071/366] net: ethernet: davinci_emac: Fix printing of base address Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 344/366] [media] ir-core: fix gcc-7 warning on bool arithmetic Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 142/366] cfg80211: initialize sinfo in cfg80211_get_station Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 152/366] mtd: rawnand: mxc: set spare area size register explicitly Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 148/366] USB: serial: cp210x: add CESINEL device ids Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 122/366] ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 063/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 059/366] media: smiapp: fix timeout checking in smiapp_read_nvm Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 269/366] net: cxgb3_main: fix potential Spectre v1 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 261/366] MIPS: Fix off-by-one in pci_resource_to_user() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 186/366] batman-adv: debugfs, avoid compiling for !DEBUG_FS Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 244/366] ext4: fix inline data updates with checksums enabled Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 236/366] USB: serial: mos7840: fix status-register error handling Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 299/366] ipv4: remove BUG_ON() from fib_compute_spec_dst Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 028/366] sctp: fix identification of new acks for SFR-CACC Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 324/366] ceph: fix llistxattr on symlink Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 170/366] xen-netfront: Improve error handling during initialization Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 357/366] perf tools: Use readdir() instead of deprecated readdir_r() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 303/366] virtio_balloon: fix another race between migration and ballooning Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 161/366] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 213/366] vt: prevent leaking uninitialized data to userspace via /dev/vcs* Ben Hutchings
2018-11-11 19:59   ` syzbot
2018-11-11 19:49 ` [PATCH 3.16 009/366] eeepc-laptop: simplify parse_arg() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 257/366] usb: cdc_acm: Add quirk for Castles VEGA3000 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 206/366] ARM: dts: da850: Fix interrups property for gpio Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 018/366] media: dvb_frontend: fix locking issues at dvb_frontend_get_event() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 054/366] staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 121/366] pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 065/366] scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 002/366] arm64: ensure extension of smp_store_release value Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 351/366] usb: misc: usb3503: Update error code in print message Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 053/366] sbitmap: fix race in wait batch accounting Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 196/366] staging: android: ion: Return an ERR_PTR in ion_map_kernel Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 341/366] MIPS: asm: compiler: Add new macros to set ISA and arch asm annotations Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 155/366] scsi: target: Fix truncated PR-in ReadKeys response Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 209/366] n_tty: Fix stall at n_tty_receive_char_special() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 281/366] can: xilinx_can: fix device dropping off bus on RX overrun Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 208/366] dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 007/366] [media] drxk_hard: fix bad alignments Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 173/366] xen-netfront: Fix mismatched rtnl_unlock Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 201/366] nfsd: silence sparse warning about accessing credentials Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 279/366] can: mpc5xxx_can: check of_iomap return before use Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 070/366] powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 130/366] backlight: as3711_bl: Fix Device Tree node lookup Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 174/366] xen-netfront: Update features after registering netdev Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 361/366] perf trace: Fix up fd -> pathname resolution Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 222/366] x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 044/366] ext4: factor out helper ext4_sample_last_mounted() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 305/366] netlink: Don't shift with UB on nlk->ngroups Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 139/366] l2tp: only accept PPP sessions in pppol2tp_connect() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 207/366] dm thin: handle running out of data space vs concurrent discard Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 230/366] drm/udl: fix display corruption of the last line Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 068/366] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 337/366] gcov: add support for gcc version >= 6 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 284/366] can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 345/366] p54: memset(0) whole array Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 315/366] fix mntput/mntput race Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 079/366] ext4: don't read out of bounds when checking for in-inode xattrs Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 266/366] random: mix rdrand with entropy sent in from userspace Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 064/366] scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 296/366] tracing: Fix possible double free in event_enable_trigger_func() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 286/366] can: xilinx_can: fix incorrect clear of non-processed interrupts Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 078/366] ext4: correct endianness conversion in __xattr_check_inode() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 275/366] net: caif: Add a missing rcu_read_unlock() in caif_flow_cb Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 328/366] dm bufio: avoid sleeping while holding the dm_bufio lock Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 363/366] perf tools: Remove duplicate const qualifier Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 072/366] m68k: Implement ndelay() as an inline function to force type checking/casting Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 316/366] fix __legitimize_mnt()/mntput() race Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 123/366] bnx2x: use the right constant Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 046/366] ext4: do not update s_last_mounted of a frozen fs Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 331/366] leds: do not overflow sysfs buffer in led_trigger_show Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 234/366] cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 057/366] regulator: max8998: Fix platform data retrieval Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 107/366] x86: msr-index.h: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 327/366] ceph: fix endianness of getattr mask in ceph_d_revalidate Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 365/366] perf thread_map: Correctly size buffer used with dirent->dt_name Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 240/366] ibmasm: don't write out of bounds in read handler Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 189/366] batman-adv: Avoid storing non-TT-sync flags on singular entries too Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 172/366] xen-netfront: Fix race between device setup and open Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 323/366] media: v4l: event: Prevent freeing event subscriptions while accessed Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 175/366] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 153/366] powerpc/e500mc: Set assembler machine type to e500mc Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 088/366] ext4: fix fencepost error in check for inode count overflow during resize Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 146/366] ext4: add more mount time checks of the superblock Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 177/366] Input: elantech - enable middle button of touchpads on ThinkPad P52 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 318/366] use ->d_seq to get coherency between ->d_inode and ->d_flags Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 024/366] PCI: ibmphp: Fix use-before-set in get_max_bus_speed() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 098/366] mtd: cfi_cmdset_0002: Change erase functions to retry for error Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 264/366] usb: gadget: u_audio: update hw_ptr in iso_complete after data copied Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 308/366] scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 151/366] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum Ben Hutchings
2018-11-11 20:17   ` Rafał Miłecki
2018-11-20 17:51     ` Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 280/366] can: dev: Consolidate and unify state change handling Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 030/366] ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 022/366] media: cx231xx: Add support for AverMedia DVD EZMaker 7 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 156/366] MIPS: io: Add barrier after register read in inX() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 154/366] xfrm_user: prevent leaking 2 bytes of kernel memory Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 005/366] staging: rtl8192ee: Fix misleading indentation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 250/366] mm, elf: handle vm_brk error Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 313/366] vsock: split dwork to avoid reinitializations Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 326/366] ceph: don't set req->r_locked_dir in ceph_d_revalidate Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 008/366] [media] drxd_hard: fix bad alignments Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 329/366] dm bufio: drop the lock when doing GFP_NOIO allocation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 203/366] block: Fix transfer when chunk sectors exceeds max Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 333/366] HID: reject input outside logical range only if null state is set Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 330/366] fs/proc: Stop trying to report thread stacks Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 126/366] mm, page_alloc: do not break __GFP_THISNODE by zonelist reset Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 262/366] x86/apm: Don't access __preempt_count with zeroed fs Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 168/366] xen-netfront: Remove the meaningless code Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 108/366] powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 254/366] mm: do not bug_on on incorrect length in __mm_populate() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 285/366] can: xilinx_can: fix RX overflow interrupt not being enabled Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 226/366] mm: hugetlb: yield when prepping struct pages Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 238/366] usb: quirks: add delay quirks for Corsair Strafe Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 277/366] atl1c: reserve min skb headroom Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 134/366] UBIFS: Fix potential integer overflow in allocation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 025/366] mwifiex: pcie: tighten a check in mwifiex_pcie_process_event_ready() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 190/366] batman-adv: unify flags access style in tt global add Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 038/366] PM / wakeup: Only update last time for active wakeup sources Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 032/366] iommu/vt-d: Ratelimit each dmar fault printing Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 309/366] l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 089/366] Btrfs: don't BUG_ON() in btrfs_truncate_inode_items() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 258/366] drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 060/366] scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 294/366] ring_buffer: tracing: Inherit the tracing setting to next ring buffer Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 325/366] ceph: use lookup request to revalidate dentry Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 048/366] w1: mxc_w1: Enable clock before calling clk_get_rate() on it Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 193/366] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 348/366] MIPS: asmmacro: Ensure 64-bit FP registers are used with MSA Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 106/366] tools/power turbostat: Correct SNB_C1/C3_AUTO_UNDEMOTE defines Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 290/366] fscache: Fix reference overput in fscache_attach_object() error handling Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 026/366] usb: do not reset if a low-speed or full-speed device timed out Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 235/366] USB: serial: keyspan_pda: fix modem-status error handling Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 306/366] squashfs: more metadata hardening Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 051/366] rpmsg: Correct support for MODULE_DEVICE_TABLE() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 340/366] iio: iio-trig-periodic-rtc: Free trigger resource correctly Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 300/366] net: socket: fix potential spectre v1 gadget in socketcall Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 033/366] powerpc/fadump: Unregister fadump on kexec down path Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 219/366] x86/cpufeatures: Hide AMD-specific speculation flags Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 102/366] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 099/366] mtd: cfi_cmdset_0002: Change erase functions to check chip good only Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 143/366] l2tp: reject creation of non-PPP sessions on L2TPv2 tunnels Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 267/366] Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 188/366] batman-adv: Fix debugfs path for renamed softif Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 162/366] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 231/366] cifs: Fix use after free of a mid_q_entry Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 320/366] make sure that __dentry_kill() always invalidates d_seq, unhashed or not Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 204/366] net/mlx5: Fix incorrect raw command length parsing Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 164/366] xen-netfront: release per-queue Tx and Rx resource when disconnecting Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 042/366] powerpc/lib: Fix the feature fixup tests to actually work Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 197/366] X.509: unpack RSA signatureValue field from BIT STRING Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 131/366] backlight: max8925_bl: Fix Device Tree node lookup Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 095/366] tpm: fix race condition in tpm_common_write() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 160/366] x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 292/366] cachefiles: Wait rather than BUG'ing on "Unexpected object collision" Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 273/366] usb: core: handle hub C_PORT_OVER_CURRENT condition Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 140/366] l2tp: prevent pppol2tp_connect() from creating kernel sockets Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 124/366] pagemap: hide physical addresses from non-privileged users Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 017/366] media: omap3isp/isp: remove an unused static var Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 239/366] sh_eth: fix invalid context bug while changing link options by ethtool Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 181/366] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 020/366] pinctrl: samsung: Correct EINTG banks order Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 271/366] scsi: qla2xxx: Return error when TMF returns Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 295/366] tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 180/366] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 233/366] cifs: store the leaseKey in the fid on SMB2_open Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 246/366] RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 362/366] tools/lib/subcmd/pager.c: do not alias select() params Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 041/366] powerpc: make feature-fixup tests fortify-safe Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 319/366] unify dentry_iput() and dentry_unlink_inode() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 210/366] n_tty: Access echo_* variables carefully Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 066/366] scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 084/366] IB/qib: Fix DMA api warning with debug kernel Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 062/366] scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 356/366] perf tools: Use readdir() instead of deprecated readdir_r() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 014/366] fuse: atomic_o_trunc should truncate pagecache Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 006/366] fnic: Fix misleading indentation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 215/366] ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 069/366] powerpc/ptrace: Fix enforcement of DAWR constraints Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 347/366] arm64: use linux/types.h in kvm.h Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 029/366] ASoC: cirrus: i2s: Fix LRCLK configuration Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 312/366] packet: refine ring v3 block size test to hold one frame Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 194/366] usb: cdc_acm: Add quirk for Uniden UBC125 scanner Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 343/366] net/wireless/brcm80211/brcmfmac: Make return type and name reflect actual semantics Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 118/366] net: metrics: add proper netlink validation Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 094/366] libata: zpodd: small read overflow in eject_tray() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 192/366] xfrm: fix missing dst_release() after policy blocking lbcast and multicast Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 027/366] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 165/366] xen-netfront: use different locks for Rx and Tx stats Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 237/366] xhci: xhci-mem: off by one in xhci_stream_id_to_ring() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 132/366] backlight: tps65217_bl: Fix Device Tree node lookup Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 034/366] spi: pxa2xx: check clk_prepare_enable() return value Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 317/366] VFS: Impose ordering on accesses of d_inode and d_flags Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 232/366] cifs: Fix infinite loop when using hard mount option Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 004/366] bcmgenet: Delete unused variable Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 310/366] netlink: Don't shift on 64 for ngroups Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 021/366] net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()) Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 282/366] can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 252/366] mm: refuse wrapped vm_brk requests Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 093/366] libata: zpodd: make arrays cdb static, reduces object code size Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 354/366] perf script: Use readdir() instead of deprecated readdir_r() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 149/366] netfilter: nf_queue: augment nfqa_cfg_policy Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 322/366] ALSA: msnd: add some missing curly braces Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 031/366] ALSA: hda/ca0132: fix build failure when a local macro is defined Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 111/366] net/packet: refine check for priv area size Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 016/366] staging:iio:ade7854: Fix the wrong number of bits to read Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 077/366] ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea() Ben Hutchings
2018-11-11 19:49 ` [PATCH 3.16 128/366] video/omap: add module license tags Ben Hutchings
2018-11-13  1:57 ` [PATCH 3.16 000/366] 3.16.61-rc1 review Guenter Roeck
2018-11-14 20:47   ` Johannes Pointner
2019-01-02 17:44     ` Ben Hutchings
2018-11-20 17:57   ` Ben Hutchings
