linux-kernel.vger.kernel.org archive mirror
* [PATCH 3.16 000/305] 3.16.63-rc1 review
@ 2019-02-03 13:45 Ben Hutchings
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: torvalds, Guenter Roeck, Denis Kirjanov, akpm, Denis Kirjanov

This is the start of the stable review cycle for the 3.16.63 release.
There are 305 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Feb 08 18:00:00 UTC 2019.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Aaro Koskinen (1):
      MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
         [e8cde625bfe8a714a856e1366bcbb259d7346095]

Aaron Ma (2):
      usb: xhci: fix timeout for transition from RExit to U0
         [a5baeaeabcca3244782a9b6382ebab6f8a58f583]
      usb: xhci: fix uninitialized completion when USB3 port got wrong status
         [958c0bd86075d4ef1c936998deefe1947e539240]

Ahmad Fatoum (1):
      mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus
         [000412276370a9bcfec73b3752ceefd9a927f1db]

Al Viro (2):
      gfs2_meta: ->mount() can get NULL dev_name
         [3df629d873f8683af6f0d34dfc743f637966d483]
      new helper: uaccess_kernel()
         [db68ce10c4f0a27c1ff9fa0e789e5c41f8c4ea63]

Alex Stanoev (1):
      ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
         [ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5]

Alexander Theissen (1):
      usb: appledisplay: Add 27" Apple Cinema Display
         [d7859905301880ad3e16272399d26900af3ac496]

Amir Goldstein (1):
      lockd: fix access beyond unterminated strings in prints
         [93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee]

Anders Roxell (1):
      cpupower: remove stringop-truncation waring
         [8a7e2d2ea080d10a189a1d611344b0330468ebc3]

Andrea Parri (1):
      uprobes: Fix handle_swbp() vs. unregister() + register() race once more
         [09d3f015d1e1b4fee7e9bbdcf54201d239393391]

Andreas Kemnade (1):
      w1: omap-hdq: fix missing bus unregister at removal
         [a007734618fee1bf35556c04fa498d41d42c7301]

Andreas Larsson (1):
      sparc32: Fix inverted invalid_frame_pointer checks on sigreturns
         [07b5ab3f71d318e52c18cc3b73c1d44c908aacfa]

Andy Lutomirski (1):
      x86/vdso: Fix vDSO syscall fallback asm constraint regression
         [02e425668f5c9deb42787d10001a3b605993ad15]

Anssi Hannula (2):
      net: macb: add missing barriers when reading descriptors
         [6e0af298066f3b6d99f58989bb0dca6f764b4c6d]
      net: macb: fix dropped RX frames due to a race
         [8159ecab0db9095902d4c73605fb8787f5c7d653]

Arnd Bergmann (4):
      ARM: fix put_user() for gcc-8
         [9f73bd8bb445e0cbe4bcef6d4cfc788f1e184007]
      kbuild: fix kernel/bounds.c 'W=1' warning
         [6a32c2469c3fbfee8f25bcd20af647326650a6cf]
      mtd: docg3: don't set conflicting BCH_CONST_PARAMS option
         [be2e1c9dcf76886a83fb1c433a316e26d4ca2550]
      turn off -Wattribute-alias
         [bee20031772af3debe8cbaa234528f24c7892e8f]

Aya Levin (1):
      net/mlx4: Fix UBSAN warning of signed integer overflow
         [a463146e67c848cbab5ce706d6528281b7cded08]

Ben Greear (1):
      mac80211: Clear beacon_int in ieee80211_do_stop
         [5c21e8100dfd57c806e833ae905e26efbb87840f]

Ben Hutchings (3):
      ipv6: Fix another sparse warning on rt6i_node
         [not upstream; function has been removed]
      s390/dasd: Restore a necessary cast
         [not upstream; variable type has been changed]
      x86/boot: eboot.c: Include string function declarations
         [393f203f5fd54421fddb1e2a263f64d3876eeadb]

Benjamin Poirier (1):
      xfrm: Fix bucket count reported to userspace
         [ca92e173ab34a4f7fc4128bd372bd96f1af6f507]

Bin Meng (1):
      PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
         [d0c9606b31a21028fb5b753c8ad79626292accfd]

Breno Leitao (1):
      HID: hiddev: fix potential Spectre v1
         [f11274396a538b31bc010f782e05c2ce3f804c13]

Carlos Maiolino (1):
      xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat
         [41657e5507b13e963be906d5d874f4f02374fd5c]

Chad Austin (1):
      fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
         [2e64ff154ce6ce9a8dc0f9556463916efa6ff460]

Changwei Ge (1):
      ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
         [29aa30167a0a2e6045a0d6d2e89d8168132333d5]

Chen Gang (1):
      s390/timex: fix get_tod_clock_ext() inline assembly
         [e38f97813302065fbc9c9eab5c1a94dc021d71e2]

Chris Mason (1):
      Btrfs: don't clean dirty pages during buffered writes
         [7703bdd8d23e6ef057af3253958a793ec6066b28]

Chris Wilson (1):
      drm/i915: Large page offsets for pread/pwrite
         [a5e856a5348f6cd50889d125c40bbeec7328e466]

Christian Hoff (1):
      Input: matrix_keypad - check for errors from of_get_named_gpio()
         [d55bda1b3e7c5a87f10da54fdda866a9a9cef30b]

Christophe Leroy (1):
      gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
         [abf221d2f51b8ce7b9959a8953f880a8b0a1400d]

Chuck Lever (1):
      SUNRPC: Fix leak of krb5p encode pages
         [8dae5398ab1ac107b1517e8195ed043d5f422bd0]

Colin Ian King (3):
      media: cx231xx: fix potential sign-extension overflow on large shift
         [32ae592036d7aeaabcccb2b1715373a68639a768]
      vxge: ensure data0 is initialized in when fetching firmware version information
         [f7db2beb4c2c6cc8111f5ab90fc7363ca91107b6]
      x86/mtrr: Don't copy uninitialized gentry fields back to userspace
         [32043fa065b51e0b1433e48d118821c71b5cd65d]

Dan Carpenter (6):
      bnx2fc: fix an error code in _bnx2fc_create()
         [2043e1fd09c1896bb03a6e25b64baa84a30879c9]
      libertas_tf: prevent underflow in process_cmdrequest()
         [3348ef6a6a126706d6a73ed40c18d8033df72783]
      qlcnic: fix a return in qlcnic_dcb_get_capability()
         [c94f026fb742b2d3199422751dbc4f6fc0e753d8]
      scsi: bnx2fc: Fix NULL dereference in error handling
         [9ae4f8420ed7be4b13c96600e3568c144d101a23]
      staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
         [1376b0a2160319125c3a2822e8c09bd283cd8141]
      uio: Fix an Oops on load
         [432798195bbce1f8cd33d1c0284d0538835e25fb]

Dennis Wassenberg (1):
      usb: core: Fix hub port connection events lost
         [22454b79e6de05fa61a2a72d00d2eed798abbb75]

Dexuan Cui (4):
      Drivers: hv: kvp: Fix the recent regression caused by incorrect clean-up
         [e670de54c813b5bc3672dd1c67871dc60e9206f4]
      Drivers: hv: kvp: Fix two "this statement may fall through" warnings
         [fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d]
      Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
         [fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce]
      Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
         [eceb05965489784f24bbf4d61ba60e475a983016]

Diego Viola (2):
      libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9
         [a435ab4f80f983c53b4ca4f8c12b3ddd3ca17670]
      libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD
         [410b5c7b48368317af95f0113692561d01d8144e]

Dmitry Bazhenov (1):
      hwmon: (pmbus) Fix page count auto-detection.
         [e7c6a55606b5c46b449d76588968b4d8caae903f]

Dmitry Bilunov (1):
      KVM: Handle MSR_IA32_PERF_CTL
         [0c2df2a1affd183ba9c114915f42a2d464b4f58f]

Dmitry V. Levin (1):
      mips: fix mips_get_syscall_arg o32 check
         [c50cbd85cd7027d32ac5945bb60217936b4f7eaf]

Eduardo Habkost (1):
      kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
         [0e1b869fff60c81b510c2d00602d778f8f59dd9a]

Emmanuel Grumbach (1):
      mac80211: ignore NullFunc frames in the duplicate detection
         [990d71846a0b7281bd933c34d734e6afc7408e7e]

Emmanuel Pescosta (1):
      usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
         [a77112577667cbda7c6292c52d909636aef31fd9]

Enric Balletbo i Serra (1):
      PM / devfreq: Fix devfreq_add_device() when drivers are built as modules.
         [23c7b54ca1cd1797ef39169ab85e6d46f1c2d061]

Eric Biggers (2):
      HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
         [8c01db7619f07c85c5cd81ec5eb83608b56c88f5]
      ima: fix showing large 'violations' or 'runtime_measurements_count'
         [1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7]

Eric Dumazet (4):
      ipv6: tunnels: fix two use-after-free
         [cbb49697d5512ce9e61b45ce75d3ee43d7ea5524]
      llc: do not use sk_eat_skb()
         [604d415e2bd642b7e02c80e719e0396b9d4a77a6]
      net-gro: reset skb->pkt_type in napi_reuse_skb()
         [33d9a2c72f086cbf1087b2fd2d1a15aa9df14a7f]
      rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
         [688838934c231bb08f46db687e57f6d8bf82709c]

Eric W. Biederman (5):
      mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
         [df7342b240185d58d3d9665c0bbf0a0f5570ec29]
      mount: Prevent MNT_DETACH from disconnecting locked mounts
         [9c8e0a1b683525464a2abe9fb4b54404a50ed2b4]
      mount: Retest MNT_LOCKED in do_umount
         [25d202ed820ee347edec0bf3bf553544556bf64b]
      signal/GenWQE: Fix sending of SIGKILL
         [0ab93e9c99f8208c0a1a7b7170c827936268c996]
      signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init
         [3597dfe01d12f570bc739da67f857fd222a3ea66]

Erik Schmauss (1):
      ACPICA: AML interpreter: add region addresses in global list during initialization
         [4abb951b73ff0a8a979113ef185651aa3c8da19b]

Eugen Hristev (2):
      iio: adc: at91: fix acking DRDY irq on simple conversions
         [bc1b45326223e7e890053cf6266357adfa61942d]
      iio: adc: at91: fix wrong channel number in triggered buffer mode
         [aea835f2dc8a682942b859179c49ad1841a6c8b9]

Felipe Balbi (1):
      Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
         [38317f5c0f2faae5110854f36edad810f841d62f]

Felix Fietkau (1):
      mac80211: fix reordering of buffered broadcast packets
         [9ec1190d065998650fd9260dea8cf3e1f56c0e8c]

Filipe Manana (5):
      Btrfs: ensure path name is null terminated at btrfs_control_ioctl
         [f505754fd6599230371cb01b9332754ddc104be1]
      Btrfs: fix data corruption due to cloning of eof block
         [ac765f83f1397646c11092a032d4f62c3d478b81]
      Btrfs: fix null pointer dereference on compressed write path error
         [3527a018c00e5dbada2f9d7ed5576437b6dd5cfb]
      Btrfs: fix race between enabling quotas and subvolume creation
         [552f0329c75b3e1d7f9bb8c9e421d37403f192cd]
      Btrfs: fix use-after-free when dumping free space
         [9084cb6a24bf5838a665af92ded1af8363f9e563]

Finn Thain (1):
      scsi: esp_scsi: Track residual for PIO transfers
         [fd47d919d0c336e7c22862b51ee94927ffea227a]

Florian Fainelli (1):
      net: phy: Stop with excessive soft reset
         [6e2d85ec05591b739059f65fe8438c9c5999f7d8]

Florian Westphal (4):
      netfilter: nf_tables: don't use position attribute on rule replacement
         [447750f281abef547be44fdcfe3bc4447b3115a8]
      netfilter: nf_tables: fix oob access
         [3e38df136e453aa69eb4472108ebce2fb00b1ba6]
      netfilter: nf_tables: fix use-after-free when deleting compat expressions
         [29e3880109e357fdc607b4393f8308cef6af9413]
      netfilter: x_tables: add and use xt_check_proc_name
         [b1d0a5d0cba4597c0394997b2d5fced3e3841b4e]

Frank Sorenson (1):
      sunrpc: correct the computation for page_ptr when truncating
         [5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb]

François Cami (1):
      libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q.
         [76936e9a6df17b89481bd2655c8684291afbe656]

Geert Uytterhoeven (4):
      iommu/ipmmu-vmsa: Fix crash on early domain free
         [e5b78f2e349eef5d4fca5dc1cf5a3b4b2cc27abd]
      thermal: rcar: Make error and remove paths symmetrical with init
         [ac71c7025ebc1ed25114b1be77dc60b7f8cb8544]
      thermal: rcar_thermal: Prevent doing work after unbind
         [697ee786f15d7b65c7f3045d45fe3a05d28e0911]
      thermal: rcar_thermal: Prevent hardware access during system suspend
         [3a31386217628ffe2491695be2db933c25dde785]

Gustavo A. R. Silva (2):
      drivers/misc/sgi-gru: fix Spectre v1 vulnerability
         [fee05f455ceb5c670cbe48e2f9454ebc4a388554]
      drm/ioctl: Fix Spectre v1 vulnerabilities
         [505b5240329b922f21f91d5b5d1e535c805eca6d]

H Hartley Sweeten (2):
      staging: comedi: quatech_daqp_cs: fix bug in  daqp_ao_insn_write()
         [e024181b02ed6b833358bede3f2d0c52cb5fb6bc]
      staging: comedi: quatech_daqp_cs: use comedi_timeout() in ao (*insn_write)
         [e031642eccc040648b09cfc7d632e2e8d0b6f94f]

H. Peter Anvin (2):
      arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
         [d0ffb805b729322626639336986bc83fc2e60871]
      termios, tty/tty_baudrate.c: fix buffer overrun
         [991a25194097006ec1e0d2e0814ff920e59e3465]

Halil Pasic (2):
      virtio/s390: avoid race on vcdev->config
         [2448a299ec416a80f699940a86f4a6d9a4f643b1]
      virtio/s390: fix race in ccw_io_helper()
         [78b1a52e05c9db11d293342e8d6d8a230a04b4e7]

Hangbin Liu (1):
      team: no need to do team_notify_peers or team_mcast_rejoin when disabling port
         [5ed9dc99107144f83b6c1bb52a69b58875baf540]

Hans Verkuil (1):
      media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed
         [04990215dec43c424daff00d1f622167b8aafd1f]

Hans de Goede (3):
      ACPI / platform: Add SMB0001 HID to forbidden_id_list
         [2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa]
      iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers
         [0145b50566e7de5637e80ecba96c7f0e6fff1aad]
      libata: Apply NOLPM quirk for SAMSUNG MZMPC128HBFU-000MV SSD
         [b5b4d3a52c8fd6e3fc6469c5a64ca0139c07229e]

Harry Pan (1):
      usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
         [2f2dde6ba89b1ef1fe23c1138131b315d9aa4019]

He Zhe (3):
      kgdboc: Passing ekgdboc to command line causes panic
         [1bd54d851f50dea6af30c3e6ff4f3e9aab5558f9]
      printk: Fix panic caused by passing log_buf_len to command line
         [277fcdb2cfee38ccdbe07e705dbd4896ba0c9930]
      x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
         [ccde460b9ae5c2bd5e4742af0a7f623c2daad566]

Helge Deller (1):
      parisc: Fix map_pages() to not overwrite existing pte entries
         [3c229b3f2dd8133f61bb81d3cb018be92f4bba39]

Himanshu Madhani (1):
      scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
         [4c1458df9635c7e3ced155f594d2e7dfd7254e21]

Hou Tao (1):
      jffs2: free jffs2_sb_info through jffs2_kill_sb()
         [92e2921f7eee63450a5f953f4b15dc6210219430]

Huacai Chen (1):
      hwmon: (w83795) temp4_type has writable permission
         [09aaf6813cfca4c18034fda7a43e68763f34abb1]

Hui Peng (1):
      ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
         [5f8cf712582617d523120df67d392059eaf2fc4b]

Ido Schimmel (1):
      rtnetlink: Disallow FDB configuration for non-Ethernet device
         [da71577545a52be3e0e9225a946e5fd79cfab015]

Ilya Dryomov (1):
      libceph: bump CEPH_MSG_MAX_DATA_LEN
         [94e6992bb560be8bffb47f287194adf070b57695]

Ingo Molnar (1):
      timer/debug: Change /proc/timer_list from 0444 to 0400
         [8e7df2b5b7f245c9bd11064712db5cb69044a362]

Jakub Kicinski (1):
      net: sched: gred: pass the right attribute to gred_change_table_def()
         [38b4f18d56372e1e21771ab7b0357b853330186c]

Janusz Krzysztofik (1):
      ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
         [cec83ff1241ec98113a19385ea9e9cfa9aa4125b]

Jason Wang (1):
      vhost: make sure used idx is seen before log in vhost_add_used_n()
         [841df922417eb82c835e93d4b93eb6a68c99d599]

Jeff Mahoney (1):
      btrfs: fix error handling in btrfs_dev_replace_start
         [5c06147128fbbdf7a84232c5f0d808f53153defe]

Jeff Moyer (1):
      aio: fix spectre gadget in lookup_ioctx
         [a538e3ff9dabcdf6c3f477a373c629213d1c3066]

Jens Axboe (2):
      floppy: fix race condition in __floppy_read_block_0()
         [de7b75d82f70c5469675b99ad632983c50b6f7e7]
      scsi: sd: use mempool for discard special page
         [61cce6f6eeced5ddd9cac55e807fe28b4f18c1ba]

Jeremy Cline (1):
      ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
         [e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b]

Jim Mattson (2):
      KVM: nVMX: Always reflect #NM VM-exits to L1
         [3c6e099fa15fdb6fb1892199ed8709012e1294f2]
      kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
         [fd65d3142f734bc4376053c8d75670041903134d]

Jiri Kosina (1):
      x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
         [dbfe2953f63c640463c630746cd5d9de8b2f63ae]

Joe Jin (1):
      xen-swiotlb: use actually allocated size on check physical continuous
         [7250f422da0480d8512b756640f131b9b893ccda]

Johan Hovold (3):
      USB: serial: cypress_m8: fix interrupt-out transfer length
         [56445eef55cb5904096fed7a73cf87b755dfffc7]
      net: bcmgenet: fix OF child-node lookup
         [d397dbe606120a1ea1b11b0020c3f7a3852da5ac]
      of: add helper to lookup compatible child node
         [36156f9241cb0f9e37d998052873ca7501ad4b36]

John David Anglin (1):
      parisc: Fix address in HPMC IVA
         [1138b6718ff74d2a934459643e3754423d23b5e2]

Jorgen Hansen (2):
      VMCI: Resource wildcard match fixed
         [11924ba5e671d6caef1516923e2bd8c72929a3fe]
      VSOCK: Send reset control packet when socket is partially bound
         [a915b982d8f5e4295f64b8dd37ce753874867e88]

Josef Bacik (1):
      btrfs: wait on caching when putting the bg cache
         [3aa7c7a31c26321696b92841d5103461c6f3f517]

Juergen Gross (1):
      x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
         [b2d7a075a1ccef2fb321d595802190c8e9b39004]

Julian Wiedmann (2):
      s390/qeth: fix length check in SNMP processing
         [9a764c1e59684c0358e16ccaafd870629f2cfe67]
      s390/qeth: invoke softirqs after napi_schedule()
         [4d19db777a2f32c9b76f6fd517ed8960576cb43e]

Junaid Shahid (1):
      kvm: mmu: Fix race in emulated page table writes
         [0e0fee5c539b61fdd098332e0e2cc375d9073706]

Jörgen Storvist (1):
      USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
         [cc6730df08a291e51e145bc65e24ffb5e2f17ab6]

Kai-Heng Feng (4):
      ALSA: hda: Add support for AMD Stoney Ridge
         [3deef52ce10514ccdebba8e8ab85f9cebd0eb3f7]
      USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub
         [781f0766cc41a9dd2e5d118ef4b1d5d89430257b]
      USB: quirks: Add no-lpm quirk for Raydium touchscreens
         [deefd24228a172d1b27d4a9adbfd2cdacd60ae64]
      USB: usb-storage: Add new IDs to ums-realtek
         [a84a1bcc992f0545a51d2e120b8ca2ef20e2ea97]

Kirill A. Shutemov (1):
      x86/mm: Fix regression with huge pages on PAE
         [70f1528747651b20c7769d3516ade369f9963237]

Krzysztof Kozlowski (1):
      clk: s2mps11: Fix matching when built as module and DT node contains compatible
         [8985167ecf57f97061599a155bb9652c84ea4913]

Ladi Prosek (1):
      KVM: x86: Add MSR_AMD64_DC_CFG to the list of ignored MSRs
         [405a353a0e20d09090ad96147da6afad9b0ce056]

Lars-Peter Clausen (1):
      iio: ad5064: Fix regulator handling
         [8911a43bc198877fad9f4b0246a866b26bb547ab]

Leon Romanovsky (1):
      RDMA/cm: Respect returned status of cm_init_av_by_path
         [e54b6a3bcd1ec972b25a164bdf495d9e7120b107]

Linus Torvalds (1):
      disable new gcc-7.1.1 warnings for now
         [bd664f6b3e376a8ef4990f87d08271cc2d01ba9a]

Loic Poulain (1):
      usb: chipidea: Prevent unbalanced IRQ disable
         [8b97d73c4d72a2abf58f8e49062a7ee1e5f1334e]

Lubomir Rintel (2):
      ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt
         [76f4e2c3b6a560cdd7a75b87df543e04d05a9e5f]
      libertas: don't set URB_ZERO_PACKET on IN USB transfer
         [6528d88047801b80d2a5370ad46fb6eff2f509e0]

Luca Coelho (1):
      iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
         [3d71c3f1f50cf309bd20659422af549bc784bfff]

Lukas Czerner (1):
      ext4: initialize retries variable in ext4_da_write_inline_data_begin()
         [625ef8a3acd111d5f496d190baf99d1a815bd03e]

Lukas Wunner (2):
      PCI/ASPM: Fix link_state teardown on device removal
         [aeae4f3e5c38d47bdaef50446dc0ec857307df68]
      genirq: Fix race on spurious interrupt detection
         [746a923b863a1065ef77324e1e43f19b1a3eab5c]

Maarten Jacobs (1):
      usb: cdc-acm: add entry for Hiro (Conexant) modem
         [63529eaa6164ef7ab4b907b25ac3648177e5e78f]

Maciej S. Szmigiero (1):
      pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
         [95691e3eddc41da2d1cd3cca51fecdfb46bd85bc]

Macpaul Lin (1):
      kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
         [dada6a43b0402eba438a17ac86fdc64ac56a4607]

Marc Kleine-Budde (4):
      can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
         [e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc]
      can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb
         [7da11ba5c5066dadc2e96835a6233d56d7b7764a]
      can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length
         [200f5c49f7a2cd694436bfc6cb0662b794c96736]
      can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb()
         [a4310fa2f24687888ce80fdb0e88583561a23700]

Marco Felsch (1):
      media: tvp5150: fix width alignment during set_selection()
         [bd24db04101f45a9c1d874fe21b0c7eab7bcadec]

Marek Szyprowski (1):
      ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen
         [f5e758b8358f6c27e8a351ddf0b441a64cdabb94]

Mathias Nyman (3):
      usb: xhci: Prevent bus suspend if a port connect change or polling state is detected
         [2f31a67f01a8beb22cae754c53522cb61a005750]
      xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
         [45f750c16cae3625014c14c77bd9005eda975d35]
      xhci: Prevent U1/U2 link pm states if exit latency is too long
         [0472bf06c6fd33c1a18aaead4c8f91e5a03d8d7b]

Mathias Payer (1):
      USB: check usb_get_extra_descriptor for proper size
         [704620afc70cf47abb9d6a1a57f3825d2bca49cf]

Mattias Jacobsson (1):
      USB: misc: appledisplay: add 20" Apple Cinema Display
         [f6501f49199097b99e4e263644d88c90d1ec1060]

Mauro Carvalho Chehab (3):
      media: em28xx: fix input name for Terratec AV 350
         [15644bfa195bd166d0a5ed76ae2d587f719c3dac]
      media: em28xx: make v4l2-compliance happier by starting sequence on zero
         [afeaade90db4c5dab93f326d9582be1d5954a198]
      media: em28xx: use a default format if TRY_FMT fails
         [f823ce2a1202d47110a7ef86b65839f0be8adc38]

Max Filippov (6):
      xtensa: add NOTES section to the linker script
         [4119ba211bc4f1bf638f41e50b7a0f329f58aa16]
      xtensa: enable coprocessors that are being flushed
         [2958b66694e018c552be0b60521fec27e8d12988]
      xtensa: fix boot parameters address translation
         [40dc948f234b73497c3278875eb08a01d5854d3f]
      xtensa: fix coprocessor context offset definitions
         [03bc996af0cc71c7f30c384d8ce7260172423b34]
      xtensa: fix coprocessor part of ptrace_{get,set}xregs
         [38a35a78c5e270cbe53c4fef6b0d3c2da90dd849]
      xtensa: make sure bFLT stack is 16 byte aligned
         [0773495b1f5f1c5e23551843f87b5ff37e7af8f7]

Michael Kelley (2):
      clockevents/drivers/i8253: Add support for PIT shutdown quirk
         [35b69a420bfb56b7b74cb635ea903db05e357bec]
      x86/hyper-v: Enable PIT shutdown quirk
         [1de72c706488b7be664a601cf3843bd01e327e58]

Michael Niewöhner (1):
      usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
         [effd14f66cc1ef6701a19c5a56e39c35f4d395a5]

Michal Hocko (1):
      memory_hotplug: cond_resched in __remove_pages
         [dd33ad7b251f900481701b2a82d25de583867708]

Mike Kravetz (2):
      hugetlbfs: dirty pages as they are added to pagecache
         [22146c3ce98962436e401f7b7016a6f664c9ffb5]
      hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
         [5e41540c8a0f0e98c337dda8b391e5dda0cde7cf]

Miklos Szeredi (3):
      fuse: cleanup fuse_file refcounting
         [267d84449f52349ee252db684ed95ede18e51744]
      fuse: fix blocked_waitq wakeup
         [908a572b80f6e9577b45e81b3dfe2e22111286b8]
      fuse: fix leaked notify reply
         [7fabaf303458fcabb694999d6fa772cc13d4e217]

Mikulas Patocka (2):
      mach64: fix display corruption on big endian machines
         [3c6c6a7878d00a3ac997a779c5b9861ff25dfcc8]
      mach64: fix image corruption due to reading accelerator registers
         [c09bcc91bb94ed91f1391bffcbe294963d605732]

Nadav Amit (1):
      media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
         [89dd34caf73e28018c58cd193751e41b1f8bdc56]

Nathan Chancellor (2):
      clk: s2mps11: Add used attribute to s2mps11_dt_match
         [9c940bbe2bb47e03ca5e937d30b6a50bf9c0e671]
      misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
         [7c97301285b62a41d6bceded7d964085fc8cc50f]

Naveen N. Rao (2):
      powerpc/pseries: Fix DTL buffer registration
         [db787af1b8a6b4be428ee2ea7d409dafcaa4a43c]
      powerpc/pseries: Fix how we iterate over the DTL entries
         [9258227e9dd1da8feddb07ad9702845546a581c9]

Nicholas Mc Guire (2):
      media: pci: cx23885: handle adding to list failure
         [c5d59528e24ad22500347b199d52b9368e686a42]
      usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure
         [4ab2b48c98f2ec9712452d520a381917f91ac3d2]

Nicolas Dichtel (1):
      tun: forbid iface creation with rtnl ops
         [35b827b6d06199841a83839e8bb69c0cd13a28be]

Nicolas Huaman (1):
      ALSA: usb-audio: update quirk for B&W PX to remove microphone
         [c369c8db15d51fa175d2ba85928f79d16af6b562]

Nicolas Pitre (1):
      Cramfs: fix abad comparison when wrap-arounds occur
         [672ca9dd13f1aca0c17516f76fc5b0e8344b3e46]

Nikolay Borisov (1):
      btrfs: Always try all copies when reading extent buffers
         [f8397d69daef06d358430d3054662fb597e37c00]

Oliver Hartkopp (1):
      can: raw: check for CAN FD capable netdev in raw_sendmsg()
         [a43608fa77213ad5ac5f75994254b9f65d57cfa0]

Ondrej Mosnacek (1):
      crypto: lrw - Fix out-of bounds access on counter overflow
         [fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2]

Pan Bian (5):
      btrfs: relocation: set trans to be NULL after ending transaction
         [42a657f57628402c73237547f0134e083e2f6764]
      exportfs: do not read dentry after free
         [2084ac6c505a58f7efdec13eba633c6aaa085ca5]
      ext2: fix potential use after free
         [ecebf55d27a11538ea84aee0be643dd953f830d5]
      hfs: do not free node before using
         [ce96a407adef126870b3f4a1b73529dd8aa80f49]
      rapidio/rionet: do not free skb before reading its length
         [cfc435198f53a6fa1f656d98466b24967ff457d0]

Paolo Bonzini (1):
      KVM: x86: remove code for lazy FPU handling
         [bd7e5b0899a429445cc6e3037c13f8b5ae3be903]

Parav Pandit (3):
      IB/cm: Avoid AV ah_attr overwriting during LAP message handling
         [a5c57d327272bdf3a8b19686eaca2ec683449e67]
      IB/cm: Fix sleeping while spin lock is held
         [33f93e1ebcf5acfaef06cda2d3e373730519e33e]
      IB/{cm, umad}: Handle av init error
         [0c4386ec77cfcd0ccbdbe8c2e67dd3a49b2a4c7f]

Paul Mackerras (1):
      powerpc: Fix COFF zImage booting on old powermacs
         [5564597d51c8ff5b88d95c76255e18b13b760879]

Paul Moore (1):
      cipso: don't use IPCB() to locate the CIPSO IP option
         [04f81f0154e4bf002be6f4d85668ce1257efa4d9]

Paulo Alcantara (1):
      cifs: Fix separator when building path from dentry
         [c988de29ca161823db6a7125e803d597ef75b49c]

Petr Machata (1):
      vxlan: Fix error path in __vxlan_dev_create()
         [6db9246871394b3a136cd52001a0763676563840]

Punnaiah Choudary Kalluri (1):
      net: macb: Fix race condition in driver when Rx frame is dropped
         [d4c216c54197d741ed8b7ca54f13645dfb3eacde]

Quinn Tran (1):
      scsi: qla2xxx: shutdown chip if reset fail
         [1e4ac5d6fe0a4af17e4b6251b884485832bf75a3]

Richard Genoud (2):
      dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
         [98f5f932254b88ce828bc8e4d1642d14e5854caa]
      dmaengine: at_hdmac: fix module unloading
         [77e75fda94d2ebb86aa9d35fb1860f6395bf95de]

Richard Weinberger (2):
      um: Drop own definition of PTRACE_SYSEMU/_SINGLESTEP
         [0676b957c24bfb6e495449ba7b7e72c5b5d79233]
      um: Give start_idle_thread() a return code
         [7ff1e34bbdc15acab823b1ee4240e94623d50ee8]

Robbie Ko (1):
      Btrfs: fix cur_offset in the error case for nocow
         [506481b20e818db40b6198815904ecd2d6daee64]

Russell King (1):
      mmc: omap_hsmmc: fix DMA API warning
         [0b479790684192ab7024ce6a621f93f6d0a64d92]

Sagi Grimberg (1):
      iser: set sector for ambiguous mr status errors
         [24c3456c8d5ee6fc1933ca40f7b4406130682668]

Sakari Ailus (1):
      media: v4l: event: Add subscription to list before calling "add" operation
         [92539d3eda2c090b382699bbb896d4b54e9bdece]

Sandeep Singh (1):
      xhci: workaround CSS timeout on AMD SNPS 3.0 xHC
         [a7d57abcc8a5bdeb53bbf8e87558e8e0a2c2a29d]

Sebastian Parschauer (2):
      HID: Add quirk for Microsoft PIXART OEM mouse
         [e82e62e390d39c3819641cd721695702180d54fb]
      HID: Add quirk for Primax PIXART OEM mice
         [fb862c3b199d28bee238d52e8270eae8650d6cb0]

Sergei Shtylyov (1):
      spi: sh-msiof: fix deferred probing
         [f34c6e6257aa477cdfe7e9bbbecd3c5648ecda69]

Serhey Popovych (1):
      tun: Consistently configure generic netdev params via rtnetlink
         [df52eab23d703142c766ac00bdb8db19d71238d0]

Spencer E. Olson (1):
      staging: comedi: ni_mio_common: protect register write overflow
         [1cbca5852d6c16e85a21487a15d211195aacd4a1]

Stefan Nuernberger (1):
      net/ipv4: defensive cipso option parsing
         [076ed3da0c9b2f88d9157dbe7044a45641ae369e]

Stefano Brivio (1):
      ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
         [ee1abcf689353f36d9322231b4320926096bdee0]

Steve French (3):
      smb3: allow stats which track session and share reconnects to be reset
         [2c887635cd6ab3af619dc2be94e5bf8f2e172b78]
      smb3: do not attempt cifs operation in smb3 query info error path
         [1e77a8c204c9d1b655c61751b8ad0fde22421dbb]
      smb3: on kerberos mount if server doesn't specify auth type use krb5
         [926674de6705f0f1dbf29a62fd758d0977f535d6]

Steven Rostedt (2):
      tracing: Fix memory leak in set_trigger_filter()
         [3cec638b3d793b7cacdec5b8072364b41caeb0e1]
      tracing: Fix memory leak of instance function hash filters
         [2840f84f74035e5a535959d5f17269c69fa6edc5]

Sven Eckelmann (3):
      batman-adv: Check total_size when queueing fragments
         [53e771457e823fbc21834f60508c42a4270534fd]
      batman-adv: Expand merged fragment buffer for full packet
         [d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60]
      batman-adv: Use only queued fragments when merging
         [83e8b87721f21b26b843633caca8ef453e943623]

Taehee Yoo (1):
      netfilter: xt_IDLETIMER: add sysfs filename checking routine
         [54451f60c8fa061af9051a53be9786393947367c]

Takashi Iwai (8):
      ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
         [7194eda1ba0872d917faf3b322540b4f57f11ba5]
      ALSA: control: Fix race between adding and removing a user element
         [e1a7bfe3807974e66f971f2589d4e0197ec0fced]
      ALSA: oss: Use kvzalloc() for local buffer allocations
         [65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476]
      ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
         [b51abed8355e5556886623b2772fa6b7598d2282]
      ALSA: sparc: Fix invalid snd_free_pages() at error path
         [9a20332ab373b1f8f947e0a9c923652b32dab031]
      ALSA: usb-audio: Avoid nested autoresume calls
         [47ab154593827b1a8f0713a2b9dd445753d551d8]
      ALSA: usb-audio: Replace probing flag with active refcount
         [a6da499b76b1a75412f047ac388e9ffd69a5c55b]
      ALSA: wss: Fix invalid snd_free_pages() at error path
         [7b69154171b407844c273ab4c10b5f0ddcd6aa29]

Takashi Sakamoto (1):
      ALSA: control: fix failure to return numerical ID in 'add' event
         [d34890cf4113397625a6629d71749fa638a7a734]

Tang Junhui (1):
      bcache: fix miss key refill->end in writeback
         [2d6cb6edd2c7fb4f40998895bda45006281b1ac5]

Tang.Junhui (1):
      bcache: fix wrong cache_misses statistics
         [c157313791a999646901b3e3c6888514ebc36d62]

Tarick Bedeir (1):
      net/mlx4_core: Correctly set PFC param if global pause is turned off.
         [bd5122cd1e0644d8bd8dd84517c932773e999766]

Theodore Ts'o (4):
      ext4: avoid possible double brelse() in add_new_gdb() on error path
         [4f32c38b4662312dd3c5f113d8bdd459887fb773]
      ext4: fix EXT4_IOC_SWAP_BOOT
         [18aded17492088962ef43f00825179598b3e8c58]
      ext4: fix possible leak of sbi->s_group_desc_leak in error path
         [9e463084cdb22e0b56b2dfbc50461020409a5fd3]
      ext4: fix use-after-free race in ext4_remount()'s error path
         [33458eaba4dfe778a426df6a19b7aad2ff9f7eec]

Thomas Gleixner (2):
      mac80211_hwsim: Replace bogus hrtimer clockid
         [8fbcfeb8a9cc803464d6c166e7991913711c612c]
      x86/eisa: Add missing include
         [ef1d4deab953ecb1dfcf9f167043bda8b3f14a11]

Thomas Zimmermann (1):
      drm/ast: Remove existing framebuffers before loading driver
         [5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a]

Thor Thayer (1):
      net: stmmac: Fix RX packet size > 8191
         [8137b6ef0ce469154e5cf19f8e7fe04d9a72ac5e]

Tom Lendacky (1):
      x86/mm: Simplify p[g4um]d_page() macros
         [fd7e315988b784509ba3f1b42f539bd0b1fca9bb]

Tomasz Figa (1):
      power: supply: max8998-charger: Fix platform data retrieval
         [cb90a2c6f77fe9b43d1e3f759bb2f13fe7fa1811]

Tony Luck (1):
      EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
         [432de7fd7630c84ad24f1c2acd1e3bb4ce3741ca]

Tore Anderson (1):
      USB: serial: option: add HP lt4132
         [d57ec3c83b5153217a70b561d4fb6ed96f2f7a25]

Toshi Kani (3):
      x86/asm: Add pud/pmd mask interfaces to handle large PAT bit
         [4be4c1fb9a754b100466ebaec50f825be0b2050b]
      x86/asm: Fix pud/pmd interfaces to handle large PAT bit
         [f70abb0fc3da1b2945c92751ccda2744081bf2b7]
      x86/asm: Move PUD_PAGE macros to page_types.h
         [832102671855f73962e7a04fdafd48b9385ea5c6]

Trond Myklebust (3):
      NFSv4: Don't exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING
         [21a446cf186570168b7281b154b1993968598aca]
      SUNRPC: Fix a potential race in xprt_connect()
         [0a9a4304f3614e25d9de9b63502ca633c01c0d70]
      nfsd: Fix an Oops in free_session()
         [bb6ad5572c0022e17e846b382d7413cdcf8055be]

Ulf Hansson (2):
      mmc: core: Reset HPI enabled state during re-init and in case of errors
         [a0741ba40a009f97c019ae7541dc61c1fdf41efb]
      mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
         [e3ae3401aa19432ee4943eb0bbc2ec704d07d793]

Vasily Averin (10):
      ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
         [61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0]
      ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
         [cea5794122125bf67559906a0762186cf417099c]
      ext4: add missing brelse() update_backups()'s error path
         [ea0abbb648452cdb6e1734b702b6330a7448fcf8]
      ext4: avoid buffer leak in ext4_orphan_add() after prior errors
         [feaf264ce7f8d54582e2f66eb82dd9dd124c94f3]
      ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
         [9e4028935cca3f9ef9b6a90df9da6f1f94853536]
      ext4: fix buffer leak in __ext4_read_dirblock() on error path
         [de59fae0043f07de5d25e02ca360f7d57bfa5866]
      ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
         [6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f]
      ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
         [f348e2241fb73515d65b5d77dd9c174128a7fbf2]
      ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
         [db6aee62406d9fbb53315fcddd81f1dc271d49fa]
      ext4: release bs.bh before re-using in ext4_xattr_block_find()
         [45ae932d246f721e6584430017176cbcadfde610]

Vasyl Vavrychuk (1):
      mac80211_hwsim: Timer should be initialized before device registered
         [a1881c9b8a1edef0a5ae1d5c1b61406fe3402114]

Ville Syrjälä (2):
      drm/i915: Disable LP3 watermarks on all SNB machines
         [03981c6ebec4fc7056b9b45f847393aeac90d060]
      drm: Rewrite drm_ioctl_flags() to resemble the new drm_ioctl() code
         [7ef5f82b100716b23de7d2da6ff602b0842e5804]

Wanpeng Li (1):
      KVM: X86: Fix NULL deref in vcpu_scan_ioapic
         [dcbd3e49c2f0b2c2d8a321507ff8f3de4af76d7c]

Wei Yongjun (1):
      IB/mthca: Fix error return code in __mthca_init_one()
         [39f2495618c5e980d2873ea3f2d1877dd253e07a]

Wenwen Wang (1):
      dm ioctl: harden copy_params()'s copy_from_user() from malicious users
         [800a7340ab7dd667edf95e74d8e4f23a17e87076]

Wolfram Sang (1):
      mmc: core: use mrq->sbc when sending CMD23 for RPMB
         [a44f7cb937321d4961bfc8f28912126b06e701c5]

Xin Long (1):
      l2tp: fix a sock refcnt leak in l2tp_tunnel_register
         [f8504f4ca0a0e9f84546ef86e00b24d2ea9a0bd2]

Y.C. Chen (2):
      drm/ast: change resolution may cause screen blurred
         [1a37bd823891568f8721989aed0615835632d81a]
      drm/ast: fixed cursor may disappear sometimes
         [7989b9ee8bafe5cc625381dd0c3c4586de27ca26]

Yogesh Gaur (1):
      mtd: spi-nor: fsl-quadspi: fix api naming typo _init_ahb_read
         [dd50a1c4e56d6d2ea753f87a35b1f1e09cb877d7]

Young Xiao (1):
      staging: rtl8712: Fix possible buffer overrun
         [300cd664865bed5d50ae0a42fb4e3a6f415e8a10]

YueHaibing (3):
      SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
         [025911a5f4e36955498ed50806ad1b02f0f76288]
      exportfs: fix 'passing zero to ERR_PTR()' warning
         [909e22e05353a783c526829427e9a8de122fba9c]
      sysv: return 'err' instead of 0 in __sysv_write_inode
         [c4b7d1ba7d263b74bb72e9325262a67139605cde]

Yujuan.Qi (1):
      Cipso: cipso_v4_optptr enter infinite loop
         [40413955ee265a5e42f710940ec78f5450d49149]

Zhimin Gu (1):
      x86, hibernate: Fix nosave_regions setup for hibernation
         [cc55f7537db6af371e9c1c6a71161ee40f918824]

 Makefile                                         |   8 +-
 arch/alpha/include/asm/termios.h                 |   8 +-
 arch/alpha/include/uapi/asm/ioctls.h             |   5 +
 arch/alpha/include/uapi/asm/termbits.h           |  17 ++++
 arch/arm/boot/dts/exynos4210-origen.dts          |   9 ++
 arch/arm/include/asm/uaccess.h                   |   2 +-
 arch/arm/mach-mmp/include/mach/cputype.h         |   6 +-
 arch/arm/mach-omap1/board-ams-delta.c            |   3 +
 arch/mips/include/asm/syscall.h                  |   2 +-
 arch/parisc/kernel/entry.S                       |   2 +-
 arch/parisc/kernel/traps.c                       |   3 +-
 arch/parisc/mm/init.c                            |   8 +-
 arch/powerpc/boot/crt0.S                         |   4 +-
 arch/powerpc/platforms/pseries/dtl.c             |   4 +-
 arch/s390/hypfs/hypfs_vm.c                       |   2 +-
 arch/s390/include/asm/timex.h                    |  10 +-
 arch/sparc/kernel/signal_32.c                    |   4 +-
 arch/um/os-Linux/skas/process.c                  |   5 +
 arch/x86/boot/boot.h                             |   1 -
 arch/x86/boot/compressed/eboot.c                 |   3 +-
 arch/x86/boot/video-mode.c                       |   2 +
 arch/x86/boot/video.c                            |   2 +
 arch/x86/include/asm/kvm_host.h                  |   2 -
 arch/x86/include/asm/page_64_types.h             |   3 -
 arch/x86/include/asm/page_types.h                |  13 ++-
 arch/x86/include/asm/pgtable-3level.h            |   7 +-
 arch/x86/include/asm/pgtable.h                   |  19 ++--
 arch/x86/include/asm/pgtable_types.h             |  34 ++++++-
 arch/x86/include/asm/x86_init.h                  |   1 -
 arch/x86/include/uapi/asm/msr-index.h            |   1 +
 arch/x86/kernel/check.c                          |  15 +++
 arch/x86/kernel/cpu/mshyperv.c                   |  11 +++
 arch/x86/kernel/cpu/mtrr/if.c                    |   2 +
 arch/x86/kernel/eisa.c                           |   1 +
 arch/x86/kernel/setup.c                          |   2 +-
 arch/x86/kvm/mmu.c                               |  27 ++---
 arch/x86/kvm/svm.c                               |  62 ++++--------
 arch/x86/kvm/vmx.c                               | 121 +++--------------------
 arch/x86/kvm/x86.c                               |  21 ++--
 arch/x86/mm/tlb.c                                |  29 ++++--
 arch/x86/um/shared/sysdep/ptrace_32.h            |  10 --
 arch/x86/vdso/vclock_gettime.c                   |   8 +-
 arch/xtensa/boot/Makefile                        |   2 +-
 arch/xtensa/include/asm/processor.h              |   6 +-
 arch/xtensa/kernel/asm-offsets.c                 |  16 +--
 arch/xtensa/kernel/head.S                        |   7 +-
 arch/xtensa/kernel/process.c                     |   5 +-
 arch/xtensa/kernel/ptrace.c                      |  42 +++++++-
 arch/xtensa/kernel/vmlinux.lds.S                 |   1 +
 crypto/lrw.c                                     |   7 +-
 drivers/acpi/acpi_platform.c                     |   1 +
 drivers/acpi/acpica/dsopcode.c                   |   4 +
 drivers/ata/libata-core.c                        |   5 +
 drivers/block/floppy.c                           |   3 +-
 drivers/clk/clk-s2mps11.c                        |  27 +++++
 drivers/clocksource/i8253.c                      |  14 ++-
 drivers/devfreq/devfreq.c                        |  53 +++++++++-
 drivers/dma/at_hdmac.c                           |  10 +-
 drivers/edac/i7core_edac.c                       |   1 +
 drivers/edac/sb_edac.c                           |   1 +
 drivers/gpio/gpio-max7301.c                      |  12 +--
 drivers/gpu/drm/ast/ast_drv.c                    |  21 ++++
 drivers/gpu/drm/ast/ast_mode.c                   |   3 +-
 drivers/gpu/drm/drm_drv.c                        |  21 ++--
 drivers/gpu/drm/i915/i915_gem.c                  |  15 ++-
 drivers/gpu/drm/i915/intel_pm.c                  |  43 +++++++-
 drivers/hid/hid-ids.h                            |   3 +
 drivers/hid/hid-sensor-hub.c                     |  13 ++-
 drivers/hid/uhid.c                               |  13 +++
 drivers/hid/usbhid/hid-quirks.c                  |   3 +
 drivers/hid/usbhid/hiddev.c                      |  18 +++-
 drivers/hv/channel.c                             |   8 ++
 drivers/hv/hv_kvp.c                              |  24 ++++-
 drivers/hv/vmbus_drv.c                           |  20 ++++
 drivers/hwmon/pmbus/pmbus.c                      |   2 +
 drivers/hwmon/pmbus/pmbus_core.c                 |   5 +-
 drivers/hwmon/w83795.c                           |   2 +-
 drivers/iio/accel/hid-sensor-accel-3d.c          |   5 +-
 drivers/iio/adc/at91_adc.c                       |   6 +-
 drivers/iio/dac/ad5064.c                         |  55 ++++++++---
 drivers/iio/gyro/hid-sensor-gyro-3d.c            |   5 +-
 drivers/iio/light/hid-sensor-als.c               |   8 +-
 drivers/iio/light/hid-sensor-prox.c              |   8 +-
 drivers/iio/magnetometer/hid-sensor-magn-3d.c    |   8 +-
 drivers/iio/orientation/hid-sensor-incl-3d.c     |   8 +-
 drivers/iio/pressure/hid-sensor-press.c          |   8 +-
 drivers/infiniband/core/cm.c                     |  42 +++++---
 drivers/infiniband/core/user_mad.c               |  10 +-
 drivers/infiniband/hw/mthca/mthca_main.c         |   3 +-
 drivers/infiniband/ulp/iser/iser_verbs.c         |   7 +-
 drivers/input/keyboard/matrix_keypad.c           |  23 +++--
 drivers/iommu/ipmmu-vmsa.c                       |   3 +
 drivers/md/bcache/btree.c                        |   2 +-
 drivers/md/bcache/request.c                      |   6 +-
 drivers/md/dm-ioctl.c                            |  18 ++--
 drivers/media/i2c/tvp5150.c                      |  14 ++-
 drivers/media/pci/cx23885/altera-ci.c            |  10 ++
 drivers/media/usb/cx231xx/cx231xx-video.c        |   2 +-
 drivers/media/usb/em28xx/em28xx-cards.c          |   4 +-
 drivers/media/usb/em28xx/em28xx-video.c          |   8 +-
 drivers/media/usb/uvc/uvc_driver.c               |   2 +-
 drivers/media/v4l2-core/v4l2-event.c             |  43 ++++----
 drivers/media/v4l2-core/videobuf2-core.c         |   4 +-
 drivers/misc/atmel-ssc.c                         |   2 +-
 drivers/misc/genwqe/card_base.h                  |   2 +-
 drivers/misc/genwqe/card_dev.c                   |   9 +-
 drivers/misc/sgi-gru/grukdump.c                  |   4 +
 drivers/misc/vmw_vmci/vmci_resource.c            |   3 +-
 drivers/mmc/card/block.c                         |  15 ++-
 drivers/mmc/core/mmc.c                           |  19 +++-
 drivers/mmc/host/omap.c                          |  11 ++-
 drivers/mmc/host/omap_hsmmc.c                    |  12 ++-
 drivers/mtd/devices/Kconfig                      |   2 +-
 drivers/mtd/spi-nor/fsl-quadspi.c                |  14 ++-
 drivers/net/can/dev.c                            |  48 ++++++---
 drivers/net/ethernet/broadcom/genet/bcmmii.c     |   2 +-
 drivers/net/ethernet/cadence/macb.c              |  22 ++++-
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c  |   4 +-
 drivers/net/ethernet/mellanox/mlx4/mlx4.h        |   4 +-
 drivers/net/ethernet/neterion/vxge/vxge-config.c |   2 +-
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c  |   2 +-
 drivers/net/ethernet/stmicro/stmmac/common.h     |   3 +-
 drivers/net/ethernet/stmicro/stmmac/descs_com.h  |   2 +-
 drivers/net/ethernet/stmicro/stmmac/enh_desc.c   |   2 +-
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c  |   2 +-
 drivers/net/phy/phy_device.c                     |   2 -
 drivers/net/rionet.c                             |   2 +-
 drivers/net/team/team.c                          |   2 -
 drivers/net/tun.c                                |   2 +-
 drivers/net/vxlan.c                              |  13 ++-
 drivers/net/wireless/iwlwifi/mvm/rs.c            |  29 ++++--
 drivers/net/wireless/libertas/if_usb.c           |   2 -
 drivers/net/wireless/libertas_tf/if_usb.c        |   5 +-
 drivers/net/wireless/mac80211_hwsim.c            |   8 +-
 drivers/of/base.c                                |  25 +++++
 drivers/pci/pcie/aspm.c                          |   2 +-
 drivers/pci/quirks.c                             |   4 +
 drivers/pci/remove.c                             |   4 +-
 drivers/pcmcia/ricoh.h                           |  35 +++++++
 drivers/pcmcia/yenta_socket.c                    |   3 +-
 drivers/power/max8998_charger.c                  |   2 +-
 drivers/rtc/rtc-hid-sensor-time.c                |   2 +-
 drivers/s390/block/dasd_alias.c                  |   3 +-
 drivers/s390/kvm/virtio_ccw.c                    |  17 +++-
 drivers/s390/net/qeth_core_main.c                |  27 +++--
 drivers/s390/net/qeth_l2_main.c                  |   3 +
 drivers/s390/net/qeth_l3_main.c                  |   3 +
 drivers/scsi/bnx2fc/bnx2fc_fcoe.c                |   3 +-
 drivers/scsi/esp_scsi.c                          |   1 +
 drivers/scsi/esp_scsi.h                          |   2 +
 drivers/scsi/mac_esp.c                           |   2 +
 drivers/scsi/qla2xxx/qla_init.c                  |   2 +-
 drivers/scsi/qla2xxx/qla_mbx.c                   |   5 +-
 drivers/scsi/sd.c                                |  17 +++-
 drivers/spi/spi-sh-msiof.c                       |   4 +-
 drivers/staging/comedi/drivers/ni_mio_common.c   |  22 +++--
 drivers/staging/comedi/drivers/quatech_daqp_cs.c |  25 ++++-
 drivers/staging/rtl8712/mlme_linux.c             |   2 +-
 drivers/staging/rtl8712/rtl871x_mlme.c           |   2 +-
 drivers/thermal/rcar_thermal.c                   |   9 +-
 drivers/tty/serial/kgdboc.c                      |   9 +-
 drivers/tty/tty_ioctl.c                          |   4 +-
 drivers/uio/uio.c                                |   7 +-
 drivers/usb/chipidea/otg.h                       |   3 +-
 drivers/usb/class/cdc-acm.c                      |   3 +
 drivers/usb/core/hub.c                           |  16 ++-
 drivers/usb/core/quirks.c                        |  18 ++++
 drivers/usb/core/usb.c                           |   6 +-
 drivers/usb/dwc3/gadget.c                        |   6 --
 drivers/usb/gadget/fsl_udc_core.c                |  30 +++++-
 drivers/usb/host/hwa-hc.c                        |   2 +-
 drivers/usb/host/xhci-hub.c                      |  67 +++++++++----
 drivers/usb/host/xhci-pci.c                      |   4 +
 drivers/usb/host/xhci-ring.c                     |   2 +-
 drivers/usb/host/xhci.c                          |  42 +++++++-
 drivers/usb/host/xhci.h                          |   5 +-
 drivers/usb/misc/appledisplay.c                  |   2 +
 drivers/usb/serial/cypress_m8.c                  |   2 +-
 drivers/usb/serial/option.c                      |   8 +-
 drivers/usb/storage/unusual_realtek.h            |  10 ++
 drivers/vhost/vhost.c                            |   2 +
 drivers/video/fbdev/aty/mach64_accel.c           |  28 +++---
 drivers/w1/masters/omap_hdq.c                    |   2 +
 drivers/xen/swiotlb-xen.c                        |   6 ++
 fs/aio.c                                         |   2 +
 fs/btrfs/dev-replace.c                           |   7 +-
 fs/btrfs/disk-io.c                               |  10 +-
 fs/btrfs/extent-tree.c                           |   1 +
 fs/btrfs/file.c                                  |  30 ++++--
 fs/btrfs/free-space-cache.c                      |   2 +
 fs/btrfs/inode.c                                 |   6 +-
 fs/btrfs/ioctl.c                                 |  12 ++-
 fs/btrfs/qgroup.c                                |   3 +-
 fs/btrfs/relocation.c                            |   1 +
 fs/btrfs/super.c                                 |   1 +
 fs/cifs/cifs_debug.c                             |   3 +
 fs/cifs/cifs_spnego.c                            |   6 +-
 fs/cifs/dir.c                                    |   2 +-
 fs/cifs/inode.c                                  |  10 +-
 fs/cramfs/inode.c                                |   3 +-
 fs/exportfs/expfs.c                              |   3 +-
 fs/ext2/xattr.c                                  |   2 +-
 fs/ext4/ext4.h                                   |   3 +-
 fs/ext4/inline.c                                 |   2 +-
 fs/ext4/ioctl.c                                  |  33 +++++--
 fs/ext4/namei.c                                  |   5 +-
 fs/ext4/resize.c                                 |  28 +++---
 fs/ext4/super.c                                  |  91 ++++++++++-------
 fs/ext4/xattr.c                                  |   4 +
 fs/fuse/dev.c                                    |  19 +++-
 fs/fuse/dir.c                                    |   4 +-
 fs/fuse/file.c                                   |  37 +++----
 fs/fuse/fuse_i.h                                 |   3 +-
 fs/gfs2/ops_fstype.c                             |   3 +
 fs/hfs/btree.c                                   |   3 +-
 fs/jffs2/super.c                                 |   4 +-
 fs/lockd/host.c                                  |   2 +-
 fs/namespace.c                                   |  22 ++++-
 fs/nfs/nfs4state.c                               |   8 +-
 fs/ocfs2/dir.c                                   |   3 +-
 fs/sysv/inode.c                                  |   2 +-
 fs/xfs/xfs_stats.c                               |   2 +-
 include/linux/can/dev.h                          |   1 +
 include/linux/ceph/libceph.h                     |   8 +-
 include/linux/hid-sensor-hub.h                   |   4 +-
 include/linux/i8253.h                            |   1 +
 include/linux/kvm_host.h                         |   2 -
 include/linux/netfilter/x_tables.h               |   2 +
 include/linux/of.h                               |   8 ++
 include/linux/ptrace.h                           |  21 +++-
 include/linux/uaccess.h                          |   3 +
 include/linux/usb.h                              |   4 +-
 include/linux/usb/quirks.h                       |   3 +
 include/net/cipso_ipv4.h                         |  25 +++--
 kernel/bounds.c                                  |   4 +-
 kernel/events/uprobes.c                          |  12 ++-
 kernel/irq/manage.c                              |   8 +-
 kernel/printk/printk.c                           |   7 +-
 kernel/ptrace.c                                  |  10 ++
 kernel/signal.c                                  |   2 +-
 kernel/time/timer_list.c                         |   2 +-
 kernel/trace/ftrace.c                            |   1 +
 kernel/trace/trace_events_trigger.c              |   6 +-
 mm/hugetlb.c                                     |  29 +++++-
 mm/memory_hotplug.c                              |   2 +
 net/batman-adv/fragmentation.c                   |  20 ++--
 net/batman-adv/types.h                           |   2 +
 net/can/raw.c                                    |  15 +--
 net/core/dev.c                                   |   4 +
 net/core/rtnetlink.c                             |  13 +++
 net/ipv4/cipso_ipv4.c                            |  62 ++++++++----
 net/ipv6/ip6_fib.c                               |   6 +-
 net/ipv6/ip6_vti.c                               |   1 +
 net/ipv6/ndisc.c                                 |   3 +-
 net/l2tp/l2tp_core.c                             |   9 +-
 net/llc/af_llc.c                                 |  13 +--
 net/mac80211/iface.c                             |   2 +
 net/mac80211/rx.c                                |   1 +
 net/mac80211/tx.c                                |   4 +-
 net/netfilter/nf_tables_api.c                    |  22 ++---
 net/netfilter/nft_compat.c                       |   3 +-
 net/netfilter/x_tables.c                         |  30 ++++++
 net/netfilter/xt_IDLETIMER.c                     |  20 ++++
 net/netfilter/xt_hashlimit.c                     |   5 +-
 net/netfilter/xt_recent.c                        |   6 +-
 net/netlabel/netlabel_kapi.c                     |  15 ++-
 net/sched/sch_gred.c                             |   2 +-
 net/sunrpc/auth_gss/auth_gss.c                   |   4 +
 net/sunrpc/svc_xprt.c                            |   2 +-
 net/sunrpc/xdr.c                                 |   7 +-
 net/sunrpc/xprt.c                                |  11 ++-
 net/vmw_vsock/vmci_transport.c                   |  67 +++++++++----
 net/xfrm/xfrm_state.c                            |   2 +-
 security/integrity/ima/ima_fs.c                  |   6 +-
 sound/core/control.c                             |  79 ++++++++-------
 sound/core/oss/pcm_oss.c                         |   2 +-
 sound/core/oss/pcm_plugin.c                      |   2 +-
 sound/core/pcm_native.c                          |   3 +-
 sound/isa/wss/wss_lib.c                          |   2 -
 sound/pci/ac97/ac97_codec.c                      |   2 +-
 sound/pci/ca0106/ca0106.h                        |   2 +-
 sound/pci/hda/hda_intel.c                        |   4 +
 sound/pci/hda/patch_conexant.c                   |   1 +
 sound/sparc/cs4231.c                             |   8 +-
 sound/usb/card.c                                 |  81 ++++++++++-----
 sound/usb/endpoint.c                             |  10 +-
 sound/usb/mixer.c                                |  32 ++----
 sound/usb/mixer_quirks.c                         | 112 ++++++++++-----------
 sound/usb/pcm.c                                  |  32 +++---
 sound/usb/proc.c                                 |   4 +-
 sound/usb/quirks-table.h                         |   9 +-
 sound/usb/usbaudio.h                             |  11 ++-
 tools/power/cpupower/bench/parse.c               |   2 +-
 293 files changed, 2221 insertions(+), 1084 deletions(-)

-- 
Ben Hutchings
Horngren's Observation:
              Among economists, the real world is often a special case.



* [PATCH 3.16 018/305] staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 070/305] mtd: spi-nor: fsl-quadspi: fix api naming typo _init_ahb_read Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 179/305] usb: xhci: fix uninitialized completion when USB3 port got wrong status Ben Hutchings
                   ` (74 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ian Abbott, Dan Carpenter, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 1376b0a2160319125c3a2822e8c09bd283cd8141 upstream.

There is a '>' vs '<' typo so this loop is a no-op.

Fixes: d35dcc89fc93 ("staging: comedi: quatech_daqp_cs: fix daqp_ao_insn_write()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/quatech_daqp_cs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c
+++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
@@ -661,7 +661,7 @@ static int daqp_ao_insn_write(struct com
 	/* Make sure D/A update mode is direct update */
 	outb(0, dev->iobase + DAQP_AUX);
 
-	for (i = 0; i > insn->n; i++) {
+	for (i = 0; i < insn->n; i++) {
 		unsigned val = data[i];
 		int ret;
 
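Review bot: The corrected bound on the `for (i = 0; i < insn->n; i++)` line makes the loop body run for the first time since d35dcc89fc93, so everything inside it, including whatever assigns `ret`, is effectively new code on this branch; the commit message should say whether the write path was exercised on hardware or only built. It would also help to state the effect of the old condition (with `i` starting at 0, `i > insn->n` is false for any non-negative count, so no value from `data[]` was ever processed), so that anyone triaging the backport can judge its impact.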



* [PATCH 3.16 006/305] x86/eisa: Add missing include
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (203 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 225/305] exportfs: do not read dentry after free Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 196/305] NFSv4: Don't exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING Ben Hutchings
                   ` (100 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ingo Molnar, Thomas Gleixner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit ef1d4deab953ecb1dfcf9f167043bda8b3f14a11 upstream.

The separation of the EISA init missed to include linux/io.h which breaks
the build with some special configurations.

Reported-by: Ingo Molnar <mingo@kernel.org>
Fixes: f7eaf6e00fd5 ("x86/boot: Move EISA setup to a separate file")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/eisa.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kernel/eisa.c
+++ b/arch/x86/kernel/eisa.c
@@ -5,6 +5,7 @@
  */
 #include <linux/ioport.h>
 #include <linux/eisa.h>
+#include <linux/io.h>
 
 #include <xen/xen.h>
 
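Review bot: The commit message says the build breaks "with some special configurations" but names neither the configuration nor the symbol that goes undeclared without the added `#include <linux/io.h>` line; please record both, so the dependency is documented and a later include cleanup does not drop it again. The placement after `<linux/eisa.h>` is fine.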



* [PATCH 3.16 023/305] ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (296 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 051/305] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 112/305] smb3: allow stats which track session and share reconnects to be reset Ben Hutchings
                   ` (7 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marek Szyprowski, Krzysztof Kozlowski

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit f5e758b8358f6c27e8a351ddf0b441a64cdabb94 upstream.

PMIC_IRQB and PMIC_KEYINB lines on Exynos4210-based Origen board have
external pull-up resistors, so disable any pull control for those lines
in respective pin controller node. This fixes support for MAX8997
interrupts and enables operation of wakeup from MAX8997 RTC alarm.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Fixes: 17419726aaa1 ("ARM: dts: add max8997 device node for exynos4210-origen board")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
[bwh: Backported to 3.16:
 - Use literal 0 instead of EXYNOS_PIN_PULL_NONE
 - Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/exynos4210-origen.dts | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/arm/boot/dts/exynos4210-origen.dts
+++ b/arch/arm/boot/dts/exynos4210-origen.dts
@@ -115,6 +115,8 @@
 			reg = <0x66>;
 			interrupt-parent = <&gpx0>;
 			interrupts = <4 0>, <3 0>;
+			pinctrl-names = "default";
+			pinctrl-0 = <&max8997_irq>;
 
 			max8997,pmic-buck1-dvs-voltage = <1350000>;
 			max8997,pmic-buck2-dvs-voltage = <1100000>;
@@ -334,3 +336,10 @@
 		};
 	};
 };
+
+&pinctrl_1 {
+	max8997_irq: max8997-irq {
+		samsung,pins = "gpx0-3", "gpx0-4";
+		samsung,pin-pud = <0>;
+	};
+};
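Review bot: `samsung,pin-pud = <0>;` is a bare magic number now that the backport replaces EXYNOS_PIN_PULL_NONE with a literal; add a comment on that line saying 0 disables pull control. A second comment on `samsung,pins` recording which of "gpx0-3" and "gpx0-4" carries PMIC_IRQB and which PMIC_KEYINB would also help, since the commit message names the signals but the node does not.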



* [PATCH 3.16 025/305] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 128/305] Cramfs: fix abad comparison when wrap-arounds occur Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-06-07 15:09   ` Doug Anderson
  2019-02-03 13:45 ` [PATCH 3.16 227/305] team: no need to do team_notify_peers or team_mcast_rejoin when disabling port Ben Hutchings
                   ` (258 subsequent siblings)
  305 siblings, 1 reply; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nadav Amit, Mauro Carvalho Chehab,
	Laurent Pinchart

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nadav Amit <namit@vmware.com>

commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream.

The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of
(entity->pads) is not a power of two. As a stop-gap, until a better
solution is adapted, use roundup() instead.

Found by a static assertion. Compile-tested only.

Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity")

Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/uvc/uvc_driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -826,7 +826,7 @@ static struct uvc_entity *uvc_alloc_enti
 	unsigned int size;
 	unsigned int i;
 
-	extra_size = ALIGN(extra_size, sizeof(*entity->pads));
+	extra_size = roundup(extra_size, sizeof(*entity->pads));
 	num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
 	size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
 	     + num_inputs;
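
Review bot: Nothing at the roundup() line records why ALIGN() must not be used here. The commit message gives the reason (sizeof(*entity->pads) is not a power of two) and calls the change a stop-gap that was only compile-tested, so a one-line comment above `extra_size = roundup(...)` would stop a later cleanup from converting it back. The `size` sum that follows is computed in unsigned int, and no bound on extra_size or num_pads is visible in this hunk; it is worth confirming that the caller limits both.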



* [PATCH 3.16 011/305] timer/debug: Change /proc/timer_list from 0444 to 0400
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 282/305] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 066/305] mach64: fix display corruption on big endian machines Ben Hutchings
                   ` (204 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Gleixner, Peter Zijlstra,
	Linus Torvalds, Ingo Molnar

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ingo Molnar <mingo@kernel.org>

commit 8e7df2b5b7f245c9bd11064712db5cb69044a362 upstream.

While it uses %pK, there are still few reasons to read this file
as non-root.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time/timer_list.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/time/timer_list.c
+++ b/kernel/time/timer_list.c
@@ -362,7 +362,7 @@ static int __init init_timer_list_procfs
 {
 	struct proc_dir_entry *pe;
 
-	pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
+	pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
 	if (!pe)
 		return -ENOMEM;
 	return 0;
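
Review bot: The new 0400 mode at the proc_create() call has no comment, and the commit message's reason is only that non-root users have little need for the file. A short comment next to the call saying that the file is root-only by design, in addition to the %pK formatting, would keep the mode from being relaxed again. Any unprivileged tool that reads /proc/timer_list will start failing with a permission error after this change, which deserves a line in the changelog.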



* [PATCH 3.16 147/305] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 190/305] netfilter: nf_tables: don't use position attribute on rule replacement Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 292/305] KVM: Handle MSR_IA32_PERF_CTL Ben Hutchings
                   ` (125 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit f348e2241fb73515d65b5d77dd9c174128a7fbf2 upstream.

Fixes: 117fff10d7f1 ("ext4: grow the s_flex_groups array as needed ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1993,7 +1993,7 @@ retry:
 
 	err = ext4_alloc_flex_bg_array(sb, n_group + 1);
 	if (err)
-		return err;
+		goto out;
 
 	err = ext4_mb_alloc_groupinfo(sb, n_group + 1);
 	if (err)
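
Review bot: The commit message has no body, so the reason for replacing `return err;` with `goto out;` after ext4_alloc_flex_bg_array() has to be inferred from the subject. Please state which cleanup the early return skipped, and check whether the ext4_mb_alloc_groupinfo() failure branch that starts at the end of this hunk needs the same treatment; its body is not visible here.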



* [PATCH 3.16 146/305] Btrfs: fix data corruption due to cloning of eof block
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (262 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 266/305] USB: check usb_get_extra_descriptor for proper size Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 119/305] hugetlbfs: dirty pages as they are added to pagecache Ben Hutchings
                   ` (41 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Filipe Manana, David Sterba

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit ac765f83f1397646c11092a032d4f62c3d478b81 upstream.

We currently allow cloning a range from a file which includes the last
block of the file even if the file's size is not aligned to the block
size. This is fine and useful when the destination file has the same size,
but when it does not and the range ends somewhere in the middle of the
destination file, it leads to corruption because the bytes between the EOF
and the end of the block have undefined data (when there is support for
discard/trimming they have a value of 0x00).

Example:

 $ mkfs.btrfs -f /dev/sdb
 $ mount /dev/sdb /mnt

 $ export foo_size=$((256 * 1024 + 100))
 $ xfs_io -f -c "pwrite -S 0x3c 0 $foo_size" /mnt/foo
 $ xfs_io -f -c "pwrite -S 0xb5 0 1M" /mnt/bar

 $ xfs_io -c "reflink /mnt/foo 0 512K $foo_size" /mnt/bar

 $ od -A d -t x1 /mnt/bar
 0000000 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5
 *
 0524288 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c
 *
 0786528 3c 3c 3c 3c 00 00 00 00 00 00 00 00 00 00 00 00
 0786544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 *
 0790528 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5
 *
 1048576

The bytes in the range from 786532 (512Kb + 256Kb + 100 bytes) to 790527
(512Kb + 256Kb + 4Kb - 1) got corrupted, having now a value of 0x00 instead
of 0xb5.

This is similar to the problem we had for deduplication that got recently
fixed by commit de02b9f6bb65 ("Btrfs: fix data corruption when
deduplicating between different files").

Fix this by not allowing such operations to be performed and return the
errno -EINVAL to user space. This is what XFS is doing as well at the VFS
level. This change however now makes us return -EINVAL instead of
-EOPNOTSUPP for cases where the source range maps to an inline extent and
the destination range's end is smaller than the destination file's size,
since the detection of inline extents is done during the actual process of
dropping file extent items (at __btrfs_drop_extents()). Returning the
-EINVAL error is done early on and solely based on the input parameters
(offsets and length) and destination file's size. This makes us consistent
with XFS and anyone else supporting cloning since this case is now checked
at a higher level in the VFS and is where the -EINVAL will be returned
from starting with kernel 4.20 (the VFS change was introduced in 4.20-rc1
by commit 07d19dc9fbe9 ("vfs: avoid problematic remapping requests into
partial EOF block")). So this change is more geared towards stable kernels,
as it's unlikely the new VFS checks get removed intentionally.

A test case for fstests follows soon, as well as an update to filter
existing tests that expect -EOPNOTSUPP to accept -EINVAL as well.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/ioctl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3806,9 +3806,17 @@ static noinline long btrfs_ioctl_clone(s
 		goto out_unlock;
 	if (len == 0)
 		olen = len = src->i_size - off;
-	/* if we extend to eof, continue to block boundary */
-	if (off + len == src->i_size)
+	/*
+	 * If we extend to eof, continue to block boundary if and only if the
+	 * destination end offset matches the destination file's size, otherwise
+	 * we would be corrupting data by placing the eof block into the middle
+	 * of a file.
+	 */
+	if (off + len == src->i_size) {
+		if (!IS_ALIGNED(len, bs) && destoff + len < inode->i_size)
+			goto out_unlock;
 		len = ALIGN(src->i_size, bs) - off;
+	}
 
 	if (len == 0) {
 		ret = 0;
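
Review bot: The new `goto out_unlock;` inside the `off + len == src->i_size` block does not assign ret, so the -EINVAL promised in the commit message depends on ret already holding that value from code above this hunk. Setting `ret = -EINVAL;` right before the goto would make the error path self-contained and safe against later reordering.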



* [PATCH 3.16 141/305] mtd: docg3: don't set conflicting BCH_CONST_PARAMS option
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 264/305] mac80211: fix reordering of buffered broadcast packets Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 105/305] genirq: Fix race on spurious interrupt detection Ben Hutchings
                   ` (178 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Boris Brezillon, Robert Jarzmik, Arnd Bergmann

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit be2e1c9dcf76886a83fb1c433a316e26d4ca2550 upstream.

I noticed during the creation of another bugfix that the BCH_CONST_PARAMS
option that is set by DOCG3 breaks setting variable parameters for any
other users of the BCH library code.

The only other user we have today is the MTD_NAND software BCH
implementation (most flash controllers use hardware BCH these days
and are not affected). I considered removing BCH_CONST_PARAMS entirely
because of the inherent conflict, but according to the description in
lib/bch.c there is a significant performance benefit in keeping it.

To avoid the immediate problem of the conflict between MTD_NAND_BCH
and DOCG3, this only sets the constant parameters if MTD_NAND_BCH
is disabled, which should fix the problem for all cases that
are affected. This should also work for all stable kernels.

Note that there is only one machine that actually seems to use the
DOCG3 driver (arch/arm/mach-pxa/mioa701.c), so most users should have
the driver disabled, but it almost certainly shows up if we wanted
to test random kernels on machines that use software BCH in MTD.

Fixes: d13d19ece39f ("mtd: docg3: add ECC correction code")
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/devices/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/devices/Kconfig
+++ b/drivers/mtd/devices/Kconfig
@@ -200,7 +200,7 @@ comment "Disk-On-Chip Device Drivers"
 config MTD_DOCG3
 	tristate "M-Systems Disk-On-Chip G3"
 	select BCH
-	select BCH_CONST_PARAMS
+	select BCH_CONST_PARAMS if !MTD_NAND_BCH
 	select BITREVERSE
 	---help---
 	  This provides an MTD device driver for the M-Systems DiskOnChip
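
Review bot: The conditional `select BCH_CONST_PARAMS if !MTD_NAND_BCH` silently changes DOCG3's BCH configuration depending on an unrelated driver, and neither a comment nor the help text says so. Since the commit message notes a significant performance benefit from constant parameters, a comment above the select line explaining the conflict with MTD_NAND_BCH would help anyone debugging a slower DOCG3 build.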



* [PATCH 3.16 192/305] libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q.
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 280/305] fuse: cleanup fuse_file refcounting Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 081/305] spi: sh-msiof: fix deferred probing Ben Hutchings
                   ` (140 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans de Goede, Tejun Heo, François Cami

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: François Cami <fcami@fedoraproject.org>

commit 76936e9a6df17b89481bd2655c8684291afbe656 upstream.

Without this patch the drive errors out regularly:

[    1.090154] ata1.00: ATA-8: SAMSUNG SSD PM830 mSATA 256GB,
CXM13D1Q, max UDMA/133
(...)
[  345.154996] ata1.00: exception Emask 0x40 SAct 0x0 SErr 0xc0800 action 0x6
[  345.155006] ata1.00: irq_stat 0x40000001
[  345.155013] ata1: SError: { HostInt CommWake 10B8B }
[  345.155018] ata1.00: failed command: SET FEATURES
[  345.155032] ata1.00: cmd ef/05:e1:00:00:00/00:00:00:00:00/40 tag 7
                        res 51/04:e1:00:00:00/00:00:00:00:00/40 Emask 0x41 (internal error)
[  345.155038] ata1.00: status: { DRDY ERR }
[  345.155042] ata1.00: error: { ABRT }
[  345.155051] ata1: hard resetting link
[  345.465661] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[  345.466955] ata1.00: configured for UDMA/133
[  345.467085] ata1: EH complete

Signed-off-by: François Cami <fcami@fedoraproject.org>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4246,8 +4246,9 @@ static const struct ata_blacklist_entry
 	{ "Crucial_CT960M500*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM |
 						ATA_HORKAGE_NOLPM, },
 
-	/* This specific Samsung model/firmware-rev does not handle LPM well */
+	/* These specific Samsung models/firmware-revs do not handle LPM well */
 	{ "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
+	{ "SAMSUNG SSD PM830 mSATA *",  "CXM13D1Q", ATA_HORKAGE_NOLPM, },
 
 	/* devices that don't properly handle queued TRIM commands */
 	{ "Micron_M500IT_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
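
Review bot: The new entry matches the model with a glob, "SAMSUNG SSD PM830 mSATA *", while the log in the commit message shows only the 256GB drive. The firmware revision CXM13D1Q narrows the match, but the comment above the entries could say that the quirk is applied to every capacity with that firmware on the strength of one report.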



* [PATCH 3.16 187/305] batman-adv: Check total_size when queueing fragments
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 230/305] ALSA: control: fix failure to return numerical ID in 'add' event Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 054/305] ext4: fix EXT4_IOC_SWAP_BOOT Ben Hutchings
                   ` (279 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marek Lindner, Martin Hundebøll,
	Sven Eckelmann

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 53e771457e823fbc21834f60508c42a4270534fd upstream.

The fragmentation code was replaced in
610bfc6bc99bc83680d190ebc69359a05fc7f605 ("batman-adv: Receive fragmented
packets and merge") by an implementation which handles the queueing+merging
of fragments based on their size and the total_size of the non-fragmented
packet. This total_size is announced by each fragment. The new
implementation doesn't check if the total_size information of the
packets inside one chain is consistent.

This consistency check is recommended to allow using any of the packets
in the queue to decide whether all fragments of a packet are received or
not.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Martin Hundebøll <martin@hundeboll.net>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/fragmentation.c | 7 +++++--
 net/batman-adv/types.h         | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)

--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -162,6 +162,7 @@ static bool batadv_frag_insert_packet(st
 		hlist_add_head(&frag_entry_new->list, &chain->head);
 		chain->size = skb->len - hdr_size;
 		chain->timestamp = jiffies;
+		chain->total_size = ntohs(frag_packet->total_size);
 		ret = true;
 		goto out;
 	}
@@ -196,9 +197,11 @@ static bool batadv_frag_insert_packet(st
 
 out:
 	if (chain->size > batadv_frag_size_limit() ||
-	    ntohs(frag_packet->total_size) > batadv_frag_size_limit()) {
+	    chain->total_size != ntohs(frag_packet->total_size) ||
+	    chain->total_size > batadv_frag_size_limit()) {
 		/* Clear chain if total size of either the list or the packet
-		 * exceeds the maximum size of one merged packet.
+		 * exceeds the maximum size of one merged packet. Don't allow
+		 * packets to have different total_size.
 		 */
 		batadv_frag_clear_chain(&chain->head);
 		chain->size = 0;
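
Review bot: In the `out:` condition, a fragment whose total_size differs from chain->total_size now clears the entire chain, so the fragments queued earlier are discarded together with the inconsistent one. The updated comment says only "Don't allow packets to have different total_size"; please state whether dropping the whole chain rather than just the offending fragment is the intended policy, since the stored value is taken from whichever fragment opened the chain.
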
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -132,6 +132,7 @@ struct batadv_orig_ifinfo {
  * @timestamp: time (jiffie) of last received fragment
  * @seqno: sequence number of the fragments in the list
  * @size: accumulated size of packets in list
+ * @total_size: expected size of the assembled packet
  */
 struct batadv_frag_table_entry {
 	struct hlist_head head;
@@ -139,6 +140,7 @@ struct batadv_frag_table_entry {
 	unsigned long timestamp;
 	uint16_t seqno;
 	uint16_t size;
+	uint16_t total_size;
 };
 
 /**



* [PATCH 3.16 225/305] exportfs: do not read dentry after free
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (202 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 296/305] net: macb: Fix race condition in driver when Rx frame is dropped Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 006/305] x86/eisa: Add missing include Ben Hutchings
                   ` (101 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pan Bian, Al Viro

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 2084ac6c505a58f7efdec13eba633c6aaa085ca5 upstream.

The function dentry_connected calls dput(dentry) to drop the previously
acquired reference to dentry. In this case, dentry can be released.
After that, IS_ROOT(dentry) checks the condition
(dentry == dentry->d_parent), which may result in a use-after-free bug.
This patch directly compares dentry with its parent obtained before
dropping the reference.

Fixes: a056cc8934c("exportfs: stop retrying once we race with
rename/remove")

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/exportfs/expfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/exportfs/expfs.c
+++ b/fs/exportfs/expfs.c
@@ -76,7 +76,7 @@ static bool dentry_connected(struct dent
 		struct dentry *parent = dget_parent(dentry);
 
 		dput(dentry);
-		if (IS_ROOT(dentry)) {
+		if (dentry == parent) {
 			dput(parent);
 			return false;
 		}
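
Review bot: After `dput(dentry);` the replacement test `dentry == parent` only compares pointer values, which is the point of the fix, but nothing in the code says so. A brief comment above the test noting that dentry must not be dereferenced once the reference is dropped (which is what IS_ROOT() did) would keep the macro from being reintroduced.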



* [PATCH 3.16 219/305] iser: set sector for ambiguous mr status errors
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (155 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 007/305] x86/boot: eboot.c: Include string function declarations Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 295/305] x86/mtrr: Don't copy uninitialized gentry fields back to userspace Ben Hutchings
                   ` (148 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jason Gunthorpe, Sagi Grimberg, Dan Carpenter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sagi Grimberg <sagi@grimberg.me>

commit 24c3456c8d5ee6fc1933ca40f7b4406130682668 upstream.

If for some reason we failed to query the mr status, we need to make sure
to provide sufficient information for an ambiguous error (guard error on
sector 0).

Fixes: 0a7a08ad6f5f ("IB/iser: Implement check_protection")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/iser/iser_verbs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/ulp/iser/iser_verbs.c
+++ b/drivers/infiniband/ulp/iser/iser_verbs.c
@@ -1165,7 +1165,9 @@ u8 iser_check_task_pi_status(struct iscs
 					 IB_MR_CHECK_SIG_STATUS, &mr_status);
 		if (ret) {
 			pr_err("ib_check_mr_status failed, ret %d\n", ret);
-			goto err;
+			/* Not a lot we can do, return ambiguous guard error */
+			*sector = 0;
+			return 0x1;
 		}
 
 		if (mr_status.fail_status & IB_MR_CHECK_SIG_STATUS) {
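
Review bot: The early exit added to the ib_check_mr_status() failure branch returns the bare literal 0x1, and only the comment says it means a guard error. A named constant for the value, or at least naming the error type in the function's header comment, would let callers interpret the `*sector = 0` plus 0x1 pair without reading this branch.
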
@@ -1193,7 +1195,4 @@ u8 iser_check_task_pi_status(struct iscs
 	}
 
 	return 0;
-err:
-	/* Not alot we can do here, return ambiguous guard error */
-	return 0x1;
 }



* [PATCH 3.16 249/305] hfs: do not free node before using
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 156/305] ext4: release bs.bh before re-using in ext4_xattr_block_find() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 093/305] KVM: x86: remove code for lazy FPU handling Ben Hutchings
                   ` (266 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ernesto A. Fernandez, Pan Bian,
	Joe Perches, Viacheslav Dubeyko, Linus Torvalds

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit ce96a407adef126870b3f4a1b73529dd8aa80f49 upstream.

hfs_bmap_free() frees the node via hfs_bnode_put(node).  However, it
then reads node->this when dumping error message on an error path, which
may result in a use-after-free bug.  This patch frees the node only when
it is never again used.

Link: http://lkml.kernel.org/r/1542963889-128825-1-git-send-email-bianpan2016@163.com
Fixes: a1185ffa2fc ("HFS rewrite")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Joe Perches <joe@perches.com>
Cc: Ernesto A. Fernandez <ernesto.mnd.fernandez@gmail.com>
Cc: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/hfs/btree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/hfs/btree.c
+++ b/fs/hfs/btree.c
@@ -328,13 +328,14 @@ void hfs_bmap_free(struct hfs_bnode *nod
 
 		nidx -= len * 8;
 		i = node->next;
-		hfs_bnode_put(node);
 		if (!i) {
 			/* panic */;
 			pr_crit("unable to free bnode %u. bmap not found!\n",
 				node->this);
+			hfs_bnode_put(node);
 			return;
 		}
+		hfs_bnode_put(node);
 		node = hfs_bnode_find(tree, i);
 		if (IS_ERR(node))
 			return;
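
Review bot: hfs_bnode_put(node) now appears twice, once inside the `if (!i)` error branch and once after it, which is easy to unbalance in a later edit. Copying node->this into a local before a single put would keep one release point; the stray semicolon after the `/* panic */` comment in the context lines could be dropped in the same pass.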



* [PATCH 3.16 280/305] fuse: cleanup fuse_file refcounting
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (162 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 039/305] net/ipv4: defensive cipso option parsing Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 192/305] libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q Ben Hutchings
                   ` (141 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Miklos Szeredi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 267d84449f52349ee252db684ed95ede18e51744 upstream.

struct fuse_file is stored in file->private_data.  Make this always be a
counting reference for consistency.

This also allows fuse_sync_release() to call fuse_file_put() instead of
partially duplicating its functionality.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: force and background flags are bitfields]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dir.c    |  2 +-
 fs/fuse/file.c   | 18 +++++++++---------
 fs/fuse/fuse_i.h |  1 -
 3 files changed, 10 insertions(+), 11 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -488,7 +488,7 @@ static int fuse_create_open(struct inode
 	if (err) {
 		fuse_sync_release(ff, flags);
 	} else {
-		file->private_data = fuse_file_get(ff);
+		file->private_data = ff;
 		fuse_finish_open(inode, file);
 	}
 	return err;
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -66,7 +66,7 @@ struct fuse_file *fuse_file_alloc(struct
 	}
 
 	INIT_LIST_HEAD(&ff->write_entry);
-	atomic_set(&ff->count, 0);
+	atomic_set(&ff->count, 1);
 	RB_CLEAR_NODE(&ff->polled_node);
 	init_waitqueue_head(&ff->poll_wait);
 
@@ -83,7 +83,7 @@ void fuse_file_free(struct fuse_file *ff
 	kfree(ff);
 }
 
-struct fuse_file *fuse_file_get(struct fuse_file *ff)
+static struct fuse_file *fuse_file_get(struct fuse_file *ff)
 {
 	atomic_inc(&ff->count);
 	return ff;
@@ -183,7 +183,7 @@ int fuse_do_open(struct fuse_conn *fc, u
 		ff->open_flags &= ~FOPEN_DIRECT_IO;
 
 	ff->nodeid = nodeid;
-	file->private_data = fuse_file_get(ff);
+	file->private_data = ff;
 
 	return 0;
 }
@@ -335,13 +335,13 @@ static int fuse_release(struct inode *in
 
 void fuse_sync_release(struct fuse_file *ff, int flags)
 {
-	WARN_ON(atomic_read(&ff->count) > 1);
+	WARN_ON(atomic_read(&ff->count) != 1);
 	fuse_prepare_release(ff, flags, FUSE_RELEASE);
-	ff->reserved_req->force = 1;
-	ff->reserved_req->background = 0;
-	fuse_request_send(ff->fc, ff->reserved_req);
-	fuse_put_request(ff->fc, ff->reserved_req);
-	kfree(ff);
+	/*
+	 * iput(NULL) is a no-op and since the refcount is 1 and everything's
+	 * synchronous, we are fine with not doing igrab() here"
+	 */
+	fuse_file_put(ff, true);
 }
 EXPORT_SYMBOL_GPL(fuse_sync_release);
 
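
Review bot: The comment added to fuse_sync_release() ends with a stray double quote after "igrab() here", which looks like a leftover from quoting the explanation. Also, WARN_ON(atomic_read(&ff->count) != 1) only warns and the function then proceeds to fuse_file_put(ff, true); a word in the comment on what happens if the count is not 1 would help.
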
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -663,7 +663,6 @@ void fuse_read_fill(struct fuse_req *req
 int fuse_open_common(struct inode *inode, struct file *file, bool isdir);
 
 struct fuse_file *fuse_file_alloc(struct fuse_conn *fc);
-struct fuse_file *fuse_file_get(struct fuse_file *ff);
 void fuse_file_free(struct fuse_file *ff);
 void fuse_finish_open(struct inode *inode, struct file *file);
 



* [PATCH 3.16 281/305] fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 298/305] net: macb: add missing barriers when reading descriptors Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 092/305] clk: s2mps11: Fix matching when built as module and DT node contains compatible Ben Hutchings
                   ` (82 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Chad Austin, Miklos Szeredi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chad Austin <chadaustin@fb.com>

commit 2e64ff154ce6ce9a8dc0f9556463916efa6ff460 upstream.

When FUSE_OPEN returns ENOSYS, the no_open bit is set on the connection.

Because the FUSE_RELEASE and FUSE_RELEASEDIR paths share code, this
incorrectly caused the FUSE_RELEASEDIR request to be dropped and never sent
to userspace.

Pass an isdir bool to distinguish between FUSE_RELEASE and FUSE_RELEASEDIR
inside of fuse_file_put.

Fixes: 7678ac50615d ("fuse: support clients that don't implement 'open'")
Signed-off-by: Chad Austin <chadaustin@fb.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dir.c    |  2 +-
 fs/fuse/file.c   | 21 +++++++++++----------
 fs/fuse/fuse_i.h |  2 +-
 3 files changed, 13 insertions(+), 12 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1510,7 +1510,7 @@ static int fuse_dir_open(struct inode *i
 
 static int fuse_dir_release(struct inode *inode, struct file *file)
 {
-	fuse_release_common(file, FUSE_RELEASEDIR);
+	fuse_release_common(file, true);
 
 	return 0;
 }
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -122,12 +122,12 @@ static void fuse_release_end(struct fuse
 	}
 }
 
-static void fuse_file_put(struct fuse_file *ff, bool sync)
+static void fuse_file_put(struct fuse_file *ff, bool sync, bool isdir)
 {
 	if (atomic_dec_and_test(&ff->count)) {
 		struct fuse_req *req = ff->reserved_req;
 
-		if (ff->fc->no_open) {
+		if (ff->fc->no_open && !isdir) {
 			/*
 			 * Drop the release request when client does not
 			 * implement 'open'
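
Review bot: fuse_file_put() now takes two adjacent bool parameters, sync and isdir, and the call sites later in this patch read `fuse_file_put(ff, true, false)` and `fuse_file_put(req->ff, false, false)`, where swapping the arguments would compile cleanly. Consider a flags argument or named constants, or at least a comment on the function describing each bool.
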
@@ -280,10 +280,11 @@ static void fuse_prepare_release(struct
 	req->in.args[0].value = inarg;
 }
 
-void fuse_release_common(struct file *file, int opcode)
+void fuse_release_common(struct file *file, bool isdir)
 {
 	struct fuse_file *ff;
 	struct fuse_req *req;
+	int opcode = isdir ? FUSE_RELEASEDIR : FUSE_RELEASE;
 
 	ff = file->private_data;
 	if (unlikely(!ff))
@@ -311,7 +312,7 @@ void fuse_release_common(struct file *fi
 	 * synchronous RELEASE is allowed (and desirable) in this case
 	 * because the server can be trusted not to screw up.
 	 */
-	fuse_file_put(ff, ff->fc->destroy_req != NULL);
+	fuse_file_put(ff, ff->fc->destroy_req != NULL, isdir);
 }
 
 static int fuse_open(struct inode *inode, struct file *file)
@@ -327,7 +328,7 @@ static int fuse_release(struct inode *in
 	if (fc->writeback_cache)
 		write_inode_now(inode, 1);
 
-	fuse_release_common(file, FUSE_RELEASE);
+	fuse_release_common(file, false);
 
 	/* return value is ignored by VFS */
 	return 0;
@@ -341,7 +342,7 @@ void fuse_sync_release(struct fuse_file
 	 * iput(NULL) is a no-op and since the refcount is 1 and everything's
 	 * synchronous, we are fine with not doing igrab() here"
 	 */
-	fuse_file_put(ff, true);
+	fuse_file_put(ff, true, false);
 }
 EXPORT_SYMBOL_GPL(fuse_sync_release);
 
@@ -849,7 +850,7 @@ static void fuse_readpages_end(struct fu
 		page_cache_release(page);
 	}
 	if (req->ff)
-		fuse_file_put(req->ff, false);
+		fuse_file_put(req->ff, false, false);
 }
 
 static void fuse_send_readpages(struct fuse_req *req, struct file *file)
@@ -1528,7 +1529,7 @@ static void fuse_writepage_free(struct f
 		__free_page(req->pages[i]);
 
 	if (req->ff)
-		fuse_file_put(req->ff, false);
+		fuse_file_put(req->ff, false, false);
 }
 
 static void fuse_writepage_finish(struct fuse_conn *fc, struct fuse_req *req)
@@ -1685,7 +1686,7 @@ int fuse_write_inode(struct inode *inode
 	ff = __fuse_write_file_get(fc, fi);
 	err = fuse_flush_times(inode, ff);
 	if (ff)
-		fuse_file_put(ff, 0);
+		fuse_file_put(ff, false, false);
 
 	return err;
 }
@@ -1998,7 +1999,7 @@ static int fuse_writepages(struct addres
 		err = 0;
 	}
 	if (data.ff)
-		fuse_file_put(data.ff, false);
+		fuse_file_put(data.ff, false, false);
 
 	kfree(data.orig_pages);
 out:
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -671,7 +671,7 @@ void fuse_sync_release(struct fuse_file
 /**
  * Send RELEASE or RELEASEDIR request
  */
-void fuse_release_common(struct file *file, int opcode);
+void fuse_release_common(struct file *file, bool isdir);
 
 /**
  * Send FSYNC or FSYNCDIR request
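
Review bot: changing the second parameter of fuse_release_common() from int opcode to bool isdir lets any caller that was not converted keep compiling. FUSE_RELEASE and FUSE_RELEASEDIR are both non-zero opcodes, so either would convert to true and be sent as a directory release. The directory-side caller is not in the lines shown here; confirm it now passes true, and extend the kernel-doc comment above the prototype to describe isdir.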



* [PATCH 3.16 265/305] mac80211: ignore NullFunc frames in the duplicate detection
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Emmanuel Grumbach, Johannes Berg

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream.

NullFunc packets should never be duplicate just like
QoS-NullFunc packets.

We saw a client that enters / exits power save with
NullFunc frames (and not with QoS-NullFunc) despite the
fact that the association supports HT.
This specific client also re-uses a non-zero sequence number
for different NullFunc frames.
At some point, the client had to send a retransmission of
the NullFunc frame and we dropped it, leading to a
misalignment in the power save state.
Fix this by never considering a NullFunc frame as duplicate,
just like we do for QoS NullFunc frames.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.16: The condition for "should we check for duplication"
 is in ieee80211_rx_h_check() and is not inverted]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/rx.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -967,6 +967,7 @@ ieee80211_rx_h_check(struct ieee80211_rx
 	 */
 	if (rx->skb->len >= 24 && rx->sta &&
 	    !ieee80211_is_ctl(hdr->frame_control) &&
+	    !ieee80211_is_nullfunc(hdr->frame_control) &&
 	    !ieee80211_is_qos_nullfunc(hdr->frame_control) &&
 	    !is_multicast_ether_addr(hdr->addr1)) {
 		if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
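
Review bot: the added !ieee80211_is_nullfunc() test has no accompanying comment; the block comment that closes just above the condition is not extended in this hunk. Since a retransmitted NullFunc frame will now be processed rather than dropped, please state in that comment that NullFunc and QoS-NullFunc frames are exempt from duplicate detection and why, so the exemption is not removed later as an oversight.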



* [PATCH 3.16 283/305] scsi: sd: use mempool for discard special page
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Martin K. Petersen, Christoph Hellwig, Jens Axboe

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit 61cce6f6eeced5ddd9cac55e807fe28b4f18c1ba upstream.

When boxes are run near (or to) OOM, we have a problem with the discard
page allocation in sd. If we fail allocating the special page, we return
busy, and it'll get retried. But since ordering is honored for dispatch
requests, we can keep retrying this same IO and failing. Behind that IO
could be requests that want to free memory, but they never get the
chance. This means you get repeated spews of traces like this:

[1201401.625972] Call Trace:
[1201401.631748]  dump_stack+0x4d/0x65
[1201401.639445]  warn_alloc+0xec/0x190
[1201401.647335]  __alloc_pages_slowpath+0xe84/0xf30
[1201401.657722]  ? get_page_from_freelist+0x11b/0xb10
[1201401.668475]  ? __alloc_pages_slowpath+0x2e/0xf30
[1201401.679054]  __alloc_pages_nodemask+0x1f9/0x210
[1201401.689424]  alloc_pages_current+0x8c/0x110
[1201401.699025]  sd_setup_write_same16_cmnd+0x51/0x150
[1201401.709987]  sd_init_command+0x49c/0xb70
[1201401.719029]  scsi_setup_cmnd+0x9c/0x160
[1201401.727877]  scsi_queue_rq+0x4d9/0x610
[1201401.736535]  blk_mq_dispatch_rq_list+0x19a/0x360
[1201401.747113]  blk_mq_sched_dispatch_requests+0xff/0x190
[1201401.758844]  __blk_mq_run_hw_queue+0x95/0xa0
[1201401.768653]  blk_mq_run_work_fn+0x2c/0x30
[1201401.777886]  process_one_work+0x14b/0x400
[1201401.787119]  worker_thread+0x4b/0x470
[1201401.795586]  kthread+0x110/0x150
[1201401.803089]  ? rescuer_thread+0x320/0x320
[1201401.812322]  ? kthread_park+0x90/0x90
[1201401.820787]  ? do_syscall_64+0x53/0x150
[1201401.829635]  ret_from_fork+0x29/0x40

Ensure that the discard page allocation has a mempool backing, so we
know we can make progress.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: Only sd_setup_discard_cmnd() does page-allocation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -129,6 +129,7 @@ static DEFINE_MUTEX(sd_ref_mutex);
 
 static struct kmem_cache *sd_cdb_cache;
 static mempool_t *sd_cdb_pool;
+static mempool_t *sd_page_pool;
 
 static const char *sd_cache_types[] = {
 	"write through", "none", "write back",
@@ -704,9 +705,10 @@ static int sd_setup_discard_cmnd(struct
 
 	memset(rq->cmd, 0, rq->cmd_len);
 
-	page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
+	page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
 	if (!page)
 		return BLKPREP_DEFER;
+	clear_highpage(page);
 
 	switch (sdkp->provisioning_mode) {
 	case SD_LBP_UNMAP:
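
Review bot: in sd_setup_discard_cmnd(), mempool_alloc() is called with GFP_ATOMIC, so it cannot wait for an element and still returns NULL once the reserve is in use; the retained BLKPREP_DEFER path stays reachable, and forward progress depends on in-flight discards handing their page back to sd_page_pool. A short comment here saying so, and saying that clear_highpage() replaces __GFP_ZERO because a recycled pool page still holds the previous payload, would help.
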
@@ -758,7 +760,7 @@ static int sd_setup_discard_cmnd(struct
 
 out:
 	if (ret != BLKPREP_OK)
-		__free_page(page);
+		mempool_free(page, sd_page_pool);
 	return ret;
 }
 
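
Review bot: only the error path under out: is converted to mempool_free(); no hunk in this patch touches the place where the page is released after a discard completes. If that path still calls __free_page(), pages taken from the reserve never return to sd_page_pool and the reserve shrinks over time, which defeats the forward-progress guarantee this patch is after. Please confirm the completion-side free is converted too.
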
@@ -3260,6 +3262,13 @@ static int __init init_sd(void)
 		goto err_out_cache;
 	}
 
+	sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, 0);
+	if (!sd_page_pool) {
+		printk(KERN_ERR "sd: can't init discard page pool\n");
+		err = -ENOMEM;
+		goto err_out_ppool;
+	}
+
 	err = scsi_register_driver(&sd_template.gendrv);
 	if (err)
 		goto err_out_driver;
@@ -3267,6 +3276,9 @@ static int __init init_sd(void)
 	return 0;
 
 err_out_driver:
+	mempool_destroy(sd_page_pool);
+
+err_out_ppool:
 	mempool_destroy(sd_cdb_pool);
 
 err_out_cache:
@@ -3293,6 +3305,7 @@ static void __exit exit_sd(void)
 
 	scsi_unregister_driver(&sd_template.gendrv);
 	mempool_destroy(sd_cdb_pool);
+	mempool_destroy(sd_page_pool);
 	kmem_cache_destroy(sd_cdb_cache);
 
 	class_unregister(&sd_disk_class);



* [PATCH 3.16 284/305] vhost: make sure used idx is seen before log in vhost_add_used_n()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Michael S. Tsirkin, Jason Wang

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Wang <jasowang@redhat.com>

commit 841df922417eb82c835e93d4b93eb6a68c99d599 upstream.

We miss a write barrier that guarantees used idx is updated and seen
before log. This will let userspace sync and copy used ring before
used idx is updated. Fix this by adding a barrier before log_write().

Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support")
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vhost/vhost.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1411,6 +1411,8 @@ int vhost_add_used_n(struct vhost_virtqu
 		return -EFAULT;
 	}
 	if (unlikely(vq->log_used)) {
+		/* Make sure used idx is seen before log. */
+		smp_wmb();
 		/* Log used index update. */
 		log_write(vq->log_base,
 			  vq->log_addr + offsetof(struct vring_used, idx),
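
Review bot: the comment on the new smp_wmb() says what must be ordered but not which reader it pairs with. A write barrier only helps against a matching read-side ordering, so name the consumer here (the commit message says userspace syncs the log and then copies the used ring). It is also worth checking whether other log_write() calls that follow a used-ring update need the same barrier; none are visible in this hunk.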



* [PATCH 3.16 218/305] mips: fix mips_get_syscall_arg o32 check
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paul Burton, Dmitry V. Levin, Ralf Baechle,
	linux-mips, Elvira Khabirova, James Hogan

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Dmitry V. Levin" <ldv@altlinux.org>

commit c50cbd85cd7027d32ac5945bb60217936b4f7eaf upstream.

When checking for TIF_32BIT_REGS flag, mips_get_syscall_arg() should
use the task specified as its argument instead of the current task.

This potentially affects all syscall_get_arguments() users
who specify tasks different from the current.

Fixes: c0ff3c53d4f99 ("MIPS: Enable HAVE_ARCH_TRACEHOOK.")
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Patchwork: https://patchwork.linux-mips.org/patch/21185/
Cc: Elvira Khabirova <lineprinter@altlinux.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/syscall.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -57,7 +57,7 @@ static inline unsigned long mips_get_sys
 #ifdef CONFIG_64BIT
 	case 4: case 5: case 6: case 7:
 #ifdef CONFIG_MIPS32_O32
-		if (test_thread_flag(TIF_32BIT_REGS))
+		if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
 			return get_user(*arg, (int *)usp + n);
 		else
 #endif
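
Review bot: the flag test now follows the task argument, but the next line still reads the argument with get_user(*arg, (int *)usp + n), and get_user() accesses the address space of the calling task. The definition of usp is outside the visible lines; if it is the target task's stack pointer, then for task != current the read dereferences that address in the wrong address space. Either document that callers must only pass stopped tasks sharing the caller's mm, or switch this read to an accessor that targets the given task.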



* [PATCH 3.16 206/305] iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Srinivas Pandruvada, Jonathan Cameron,
	Hans de Goede, Benjamin Tissoires

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 0145b50566e7de5637e80ecba96c7f0e6fff1aad upstream.

Before this commit sensor_hub_input_attr_get_raw_value() failed to take
the signedness of 16 and 8 bit values into account, returning e.g.
65436 instead of -100 for the z-axis reading of an accelerometer.

This commit adds a new is_signed parameter to the function and makes all
callers pass the appropriate value for this.

While at it, this commit also fixes up some neighboring lines where
statements were needlessly split over 2 lines to improve readability.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16:
 - sensor_hub_input_attr_get_raw_value() doesn't take a sync/async flag
   parameter
 - In sensor_hub_input_attr_get_raw_value() keep using data->pending instead of
   hsdev->pending
 - In magn_3d_read_raw() keep using chan->scan_index instead of chan->address
 - Drop changes in hid-sensor-{custom,humidity,temperature}
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -257,7 +257,8 @@ EXPORT_SYMBOL_GPL(sensor_hub_get_feature
 
 int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
 					u32 usage_id,
-					u32 attr_usage_id, u32 report_id)
+					u32 attr_usage_id, u32 report_id,
+					bool is_signed)
 {
 	struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev);
 	unsigned long flags;
@@ -282,10 +283,16 @@ int sensor_hub_input_attr_get_raw_value(
 	wait_for_completion_interruptible_timeout(&data->pending.ready, HZ*5);
 	switch (data->pending.raw_size) {
 	case 1:
-		ret_val = *(u8 *)data->pending.raw_data;
+		if (is_signed)
+			ret_val = *(s8 *)data->pending.raw_data;
+		else
+			ret_val = *(u8 *)data->pending.raw_data;
 		break;
 	case 2:
-		ret_val = *(u16 *)data->pending.raw_data;
+		if (is_signed)
+			ret_val = *(s16 *)data->pending.raw_data;
+		else
+			ret_val = *(u16 *)data->pending.raw_data;
 		break;
 	case 4:
 		ret_val = *(u32 *)data->pending.raw_data;
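
Review bot: the new signed branches in cases 1 and 2 keep reading the value through a direct pointer cast (*(s16 *)data->pending.raw_data), which depends on host byte order and on raw_data being suitably aligned. If raw_data holds the report bytes as received from the device, get_unaligned_le16() followed by sign_extend32() would make the conversion explicit. Case 4 ignores is_signed, which matches the new kernel-doc text but deserves a one-line comment at this spot.
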
--- a/drivers/iio/accel/hid-sensor-accel-3d.c
+++ b/drivers/iio/accel/hid-sensor-accel-3d.c
@@ -112,6 +112,7 @@ static int accel_3d_read_raw(struct iio_
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -125,12 +126,14 @@ static int accel_3d_read_raw(struct iio_
 		hid_sensor_power_state(&accel_state->common_attributes, true);
 		msleep_interruptible(poll_value * 2);
 		report_id = accel_state->accel[chan->scan_index].report_id;
+		min = accel_state->accel[chan->scan_index].logical_minimum;
 		address = accel_3d_addresses[chan->scan_index];
 		if (report_id >= 0)
 			*val = sensor_hub_input_attr_get_raw_value(
 					accel_state->common_attributes.hsdev,
 					HID_USAGE_SENSOR_ACCEL_3D, address,
-					report_id);
+					report_id,
+					min < 0);
 		else {
 			*val = 0;
 			hid_sensor_power_state(&accel_state->common_attributes,
--- a/drivers/iio/gyro/hid-sensor-gyro-3d.c
+++ b/drivers/iio/gyro/hid-sensor-gyro-3d.c
@@ -112,6 +112,7 @@ static int gyro_3d_read_raw(struct iio_d
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -125,12 +126,14 @@ static int gyro_3d_read_raw(struct iio_d
 		hid_sensor_power_state(&gyro_state->common_attributes, true);
 		msleep_interruptible(poll_value * 2);
 		report_id = gyro_state->gyro[chan->scan_index].report_id;
+		min = gyro_state->gyro[chan->scan_index].logical_minimum;
 		address = gyro_3d_addresses[chan->scan_index];
 		if (report_id >= 0)
 			*val = sensor_hub_input_attr_get_raw_value(
 					gyro_state->common_attributes.hsdev,
 					HID_USAGE_SENSOR_GYRO_3D, address,
-					report_id);
+					report_id,
+					min < 0);
 		else {
 			*val = 0;
 			hid_sensor_power_state(&gyro_state->common_attributes,
--- a/drivers/iio/light/hid-sensor-als.c
+++ b/drivers/iio/light/hid-sensor-als.c
@@ -81,6 +81,7 @@ static int als_read_raw(struct iio_dev *
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -89,8 +90,8 @@ static int als_read_raw(struct iio_dev *
 		switch (chan->scan_index) {
 		case  CHANNEL_SCAN_INDEX_ILLUM:
 			report_id = als_state->als_illum.report_id;
-			address =
-			HID_USAGE_SENSOR_LIGHT_ILLUM;
+			min = als_state->als_illum.logical_minimum;
+			address = HID_USAGE_SENSOR_LIGHT_ILLUM;
 			break;
 		default:
 			report_id = -1;
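
Review bot: in als_read_raw(), min is assigned only in the CHANNEL_SCAN_INDEX_ILLUM case; the default: branch sets report_id = -1 and leaves min unset. The later min < 0 argument is safe only while that call stays under a report_id >= 0 check, which is outside the visible lines. Initialising min to 0 at its declaration removes the dependency and any maybe-uninitialized warning; the same applies to prox_read_raw() and press_read_raw().
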
@@ -109,7 +110,8 @@ static int als_read_raw(struct iio_dev *
 			*val = sensor_hub_input_attr_get_raw_value(
 					als_state->common_attributes.hsdev,
 					HID_USAGE_SENSOR_ALS, address,
-					report_id);
+					report_id,
+					min < 0);
 			hid_sensor_power_state(&als_state->common_attributes,
 						false);
 		} else {
--- a/drivers/iio/light/hid-sensor-prox.c
+++ b/drivers/iio/light/hid-sensor-prox.c
@@ -74,6 +74,7 @@ static int prox_read_raw(struct iio_dev
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -82,8 +83,8 @@ static int prox_read_raw(struct iio_dev
 		switch (chan->scan_index) {
 		case  CHANNEL_SCAN_INDEX_PRESENCE:
 			report_id = prox_state->prox_attr.report_id;
-			address =
-			HID_USAGE_SENSOR_HUMAN_PRESENCE;
+			min = prox_state->prox_attr.logical_minimum;
+			address = HID_USAGE_SENSOR_HUMAN_PRESENCE;
 			break;
 		default:
 			report_id = -1;
@@ -103,7 +104,8 @@ static int prox_read_raw(struct iio_dev
 			*val = sensor_hub_input_attr_get_raw_value(
 				prox_state->common_attributes.hsdev,
 				HID_USAGE_SENSOR_PROX, address,
-				report_id);
+				report_id,
+				min < 0);
 			hid_sensor_power_state(&prox_state->common_attributes,
 						false);
 		} else {
--- a/drivers/iio/magnetometer/hid-sensor-magn-3d.c
+++ b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
@@ -112,6 +112,7 @@ static int magn_3d_read_raw(struct iio_d
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -125,14 +126,15 @@ static int magn_3d_read_raw(struct iio_d
 		hid_sensor_power_state(&magn_state->common_attributes, true);
 		msleep_interruptible(poll_value * 2);
 
-		report_id =
-			magn_state->magn[chan->scan_index].report_id;
+		report_id = magn_state->magn[chan->scan_index].report_id;
+		min = magn_state->magn[chan->scan_index].logical_minimum;
 		address = magn_3d_addresses[chan->scan_index];
 		if (report_id >= 0)
 			*val = sensor_hub_input_attr_get_raw_value(
 				magn_state->common_attributes.hsdev,
 				HID_USAGE_SENSOR_COMPASS_3D, address,
-				report_id);
+				report_id,
+				min < 0);
 		else {
 			*val = 0;
 			hid_sensor_power_state(&magn_state->common_attributes,
--- a/drivers/iio/orientation/hid-sensor-incl-3d.c
+++ b/drivers/iio/orientation/hid-sensor-incl-3d.c
@@ -112,6 +112,7 @@ static int incl_3d_read_raw(struct iio_d
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -125,14 +126,15 @@ static int incl_3d_read_raw(struct iio_d
 		hid_sensor_power_state(&incl_state->common_attributes, true);
 		msleep_interruptible(poll_value * 2);
 
-		report_id =
-			incl_state->incl[chan->scan_index].report_id;
+		report_id = incl_state->incl[chan->scan_index].report_id;
+		min = incl_state->incl[chan->scan_index].logical_minimum;
 		address = incl_3d_addresses[chan->scan_index];
 		if (report_id >= 0)
 			*val = sensor_hub_input_attr_get_raw_value(
 				incl_state->common_attributes.hsdev,
 				HID_USAGE_SENSOR_INCLINOMETER_3D, address,
-				report_id);
+				report_id,
+				min < 0);
 		else {
 			hid_sensor_power_state(&incl_state->common_attributes,
 						false);
--- a/drivers/iio/pressure/hid-sensor-press.c
+++ b/drivers/iio/pressure/hid-sensor-press.c
@@ -78,6 +78,7 @@ static int press_read_raw(struct iio_dev
 	u32 address;
 	int ret_type;
 	s32 poll_value;
+	s32 min;
 
 	*val = 0;
 	*val2 = 0;
@@ -86,8 +87,8 @@ static int press_read_raw(struct iio_dev
 		switch (chan->scan_index) {
 		case  CHANNEL_SCAN_INDEX_PRESSURE:
 			report_id = press_state->press_attr.report_id;
-			address =
-			HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE;
+			min = press_state->press_attr.logical_minimum;
+			address = HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE;
 			break;
 		default:
 			report_id = -1;
@@ -106,7 +107,8 @@ static int press_read_raw(struct iio_dev
 			*val = sensor_hub_input_attr_get_raw_value(
 				press_state->common_attributes.hsdev,
 				HID_USAGE_SENSOR_PRESSURE, address,
-				report_id);
+				report_id,
+				min < 0);
 			hid_sensor_power_state(&press_state->common_attributes,
 						false);
 		} else {
--- a/drivers/rtc/rtc-hid-sensor-time.c
+++ b/drivers/rtc/rtc-hid-sensor-time.c
@@ -213,7 +213,7 @@ static int hid_rtc_read_time(struct devi
 	/* get a report with all values through requesting one value */
 	sensor_hub_input_attr_get_raw_value(time_state->common_attributes.hsdev,
 			HID_USAGE_SENSOR_TIME, hid_time_addresses[0],
-			time_state->info[0].report_id);
+			time_state->info[0].report_id, false);
 	/* wait for all values (event) */
 	ret = wait_for_completion_killable_timeout(
 			&time_state->comp_last_time, HZ*6);
--- a/include/linux/hid-sensor-hub.h
+++ b/include/linux/hid-sensor-hub.h
@@ -149,6 +149,7 @@ int sensor_hub_input_get_attribute_info(
 * @usage_id:	Attribute usage id of parent physical device as per spec
 * @attr_usage_id:	Attribute usage id as per spec
 * @report_id:	Report id to look for
+* @is_signed:   If true then fields < 32 bits will be sign-extended
 *
 * Issues a synchronous read request for an input attribute. Returns
 * data upto 32 bits. Since client can get events, so this call should
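
Review bot: the added @is_signed line is aligned with spaces while the neighbouring @attr_usage_id and @report_id lines use a tab after the colon; use a tab for consistency. It would also help to say how callers are expected to choose the value (the drivers in this patch pass logical_minimum < 0).
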
@@ -157,7 +158,8 @@ int sensor_hub_input_get_attribute_info(
 
 int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
 			u32 usage_id,
-			u32 attr_usage_id, u32 report_id);
+			u32 attr_usage_id, u32 report_id,
+			bool is_signed);
 /**
 * sensor_hub_set_feature() - Feature set request
 * @report_id:	Report id to look for



* [PATCH 3.16 278/305] tracing: Fix memory leak in set_trigger_filter()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steven Rostedt (VMware), Tom Zanussi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 3cec638b3d793b7cacdec5b8072364b41caeb0e1 upstream.

When create_event_filter() fails in set_trigger_filter(), the filter may
still be allocated and needs to be freed. The caller expects the
data->filter to be updated with the new filter, even if the new filter
failed (we could add an error message by setting set_str parameter of
create_event_filter(), but that's another update).

But because the error would just exit, filter was left hanging and
nothing could free it.

Found by kmemleak detector.

Fixes: bac5fb97a173a ("tracing: Add and use generic set_trigger_filter() implementation")
Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_events_trigger.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -727,8 +727,10 @@ static int set_trigger_filter(char *filt
 
 	/* The filter is for the 'trigger' event, not the triggered event */
 	ret = create_event_filter(file->event_call, filter_str, false, &filter);
-	if (ret)
-		goto out;
+	/*
+	 * If create_event_filter() fails, filter still needs to be freed.
+	 * Which the calling code will do with data->filter.
+	 */
  assign:
 	tmp = rcu_access_pointer(data->filter);
 
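
Review bot: with the "if (ret) goto out;" pair removed, a failing create_event_filter() now falls through to assign:, so the error held in ret has to survive everything between there and the return. That code is outside the visible lines; confirm nothing overwrites ret and that the out: label still has a user. The second sentence of the replacement comment ("Which the calling code will do with data->filter.") is a fragment and reads better joined to the first.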



* [PATCH 3.16 204/305] usb: xhci: Prevent bus suspend if a port connect change or polling state is detected
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Nyman, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 2f31a67f01a8beb22cae754c53522cb61a005750 upstream.

USB3 roothub might autosuspend before a plugged USB3 device is detected,
causing USB3 device enumeration failure.

USB3 devices don't show up as connected and enabled until USB3 link training
completes. On a fast booting platform with a slow USB3 link training the
link might reach the connected enabled state just as the bus is suspending.

If this device is discovered first time by the xhci_bus_suspend() routine
it will be put to U3 suspended state like the other ports which failed to
suspend earlier.

The hub thread will notice the connect change and resume the bus,
moving the port back to U0.

This U0 -> U3 -> U0 transition right after being connected seems to be
too much for some devices, causing them to first go to SS.Inactive state,
and finally end up stuck in a polling state with reset asserted.

Fix this by failing the bus suspend if a port has a connect change or is
in a polling state in xhci_bus_suspend().

Don't do any port changes until all ports are checked, buffer all port
changes and only write them in the end if suspend can proceed.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Keep  port_array[] to look up port I/O address
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c | 60 ++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 14 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1174,13 +1174,16 @@ int xhci_bus_suspend(struct usb_hcd *hcd
 	__le32 __iomem **port_array;
 	struct xhci_bus_state *bus_state;
 	unsigned long flags;
+	u32 portsc_buf[USB_MAXCHILDREN];
+	bool wake_enabled;
 
 	max_ports = xhci_get_ports(hcd, &port_array);
 	bus_state = &xhci->bus_state[hcd_index(hcd)];
+	wake_enabled = hcd->self.root_hub->do_remote_wakeup;
 
 	spin_lock_irqsave(&xhci->lock, flags);
 
-	if (hcd->self.root_hub->do_remote_wakeup) {
+	if (wake_enabled) {
 		if (bus_state->resuming_ports ||	/* USB2 */
 		    bus_state->port_remote_wakeup) {	/* USB3 */
 			spin_unlock_irqrestore(&xhci->lock, flags);
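
Review bot: portsc_buf[] is declared with USB_MAXCHILDREN entries but is later indexed by port_index, which counts down from max_ports as returned by xhci_get_ports(); nothing in the visible lines bounds max_ports by USB_MAXCHILDREN. Add a check before the loop, or a comment naming where the port count is capped, so the on-stack array cannot be overrun.
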
@@ -1188,26 +1191,36 @@ int xhci_bus_suspend(struct usb_hcd *hcd
 			return -EBUSY;
 		}
 	}
-
-	port_index = max_ports;
+	/*
+	 * Prepare ports for suspend, but don't write anything before all ports
+	 * are checked and we know bus suspend can proceed
+	 */
 	bus_state->bus_suspended = 0;
+	port_index = max_ports;
 	while (port_index--) {
-		/* suspend the port if the port is not suspended */
 		u32 t1, t2;
-		int slot_id;
 
 		t1 = readl(port_array[port_index]);
 		t2 = xhci_port_state_to_neutral(t1);
+		portsc_buf[port_index] = 0;
 
-		if ((t1 & PORT_PE) && !(t1 & PORT_PLS_MASK)) {
-			xhci_dbg(xhci, "port %d not suspended\n", port_index);
-			slot_id = xhci_find_slot_id_by_port(hcd, xhci,
-					port_index + 1);
-			if (slot_id) {
+		/* Bail out if a USB3 port has a new device in link training */
+		if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
+			bus_state->bus_suspended = 0;
+			spin_unlock_irqrestore(&xhci->lock, flags);
+			xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
+			return -EBUSY;
+		}
+
+		/* suspend ports in U0, or bail out for new connect changes */
+		if ((t1 & PORT_PE) && (t1 & PORT_PLS_MASK) == XDEV_U0) {
+			if ((t1 & PORT_CSC) && wake_enabled) {
+				bus_state->bus_suspended = 0;
 				spin_unlock_irqrestore(&xhci->lock, flags);
-				xhci_stop_device(xhci, slot_id, 1);
-				spin_lock_irqsave(&xhci->lock, flags);
+				xhci_dbg(xhci, "Bus suspend bailout, port connect change\n");
+				return -EBUSY;
 			}
+			xhci_dbg(xhci, "port %d not suspended\n", port_index);
 			t2 &= ~PORT_PLS_MASK;
 			t2 |= PORT_LINK_STROBE | XDEV_U3;
 			set_bit(port_index, &bus_state->bus_suspended);
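
Review bot: the two new bail-out messages ("Bus suspend bailout, port in polling" and "Bus suspend bailout, port connect change") do not include port_index, unlike the "port %d not suspended" message just below them; adding the port number makes a refused suspend attributable to a port. The PORT_CSC bail-out also applies only when wake_enabled is set, and a comment explaining why a connect change is ignored otherwise would help.
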
@@ -1216,7 +1229,7 @@ int xhci_bus_suspend(struct usb_hcd *hcd
 		 * including the USB 3.0 roothub, but only if CONFIG_PM_RUNTIME
 		 * is enabled, so also enable remote wake here.
 		 */
-		if (hcd->self.root_hub->do_remote_wakeup) {
+		if (wake_enabled) {
 			if (t1 & PORT_CONNECT) {
 				t2 |= PORT_WKOC_E | PORT_WKDISC_E;
 				t2 &= ~PORT_WKCONN_E;
@@ -1232,7 +1245,26 @@ int xhci_bus_suspend(struct usb_hcd *hcd
 
 		t1 = xhci_port_state_to_neutral(t1);
 		if (t1 != t2)
-			writel(t2, port_array[port_index]);
+			portsc_buf[port_index] = t2;
+	}
+
+	/* write port settings, stopping and suspending ports if needed */
+	port_index = max_ports;
+	while (port_index--) {
+		if (!portsc_buf[port_index])
+			continue;
+		if (test_bit(port_index, &bus_state->bus_suspended)) {
+			int slot_id;
+
+			slot_id = xhci_find_slot_id_by_port(hcd, xhci,
+							    port_index + 1);
+			if (slot_id) {
+				spin_unlock_irqrestore(&xhci->lock, flags);
+				xhci_stop_device(xhci, slot_id, 1);
+				spin_lock_irqsave(&xhci->lock, flags);
+			}
+		}
+		writel(portsc_buf[port_index], port_array[port_index]);
 	}
 	hcd->state = HC_STATE_SUSPENDED;
 	bus_state->next_statechange = jiffies + msecs_to_jiffies(10);
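
Review bot: the write loop drops xhci->lock around xhci_stop_device() and afterwards writes the value buffered during the first pass, so a port whose state changed while the lock was released still gets the stale portsc_buf[] value. Is a re-read needed after re-taking the lock? Separately, portsc_buf[port_index] == 0 doubles as the "nothing to write" marker, so a computed t2 of 0 would be skipped silently; a comment stating why t2 cannot be 0 here, or a separate flag, would make that explicit.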



* [PATCH 3.16 182/305] floppy: fix race condition in __floppy_read_block_0()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jens Axboe, Omar Sandoval

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jens Axboe <axboe@kernel.dk>

commit de7b75d82f70c5469675b99ad632983c50b6f7e7 upstream.

LKP recently reported a hang at bootup in the floppy code:

[  245.678853] INFO: task mount:580 blocked for more than 120 seconds.
[  245.679906]       Tainted: G                T 4.19.0-rc6-00172-ga9f38e1 #1
[  245.680959] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  245.682181] mount           D 6372   580      1 0x00000004
[  245.683023] Call Trace:
[  245.683425]  __schedule+0x2df/0x570
[  245.683975]  schedule+0x2d/0x80
[  245.684476]  schedule_timeout+0x19d/0x330
[  245.685090]  ? wait_for_common+0xa5/0x170
[  245.685735]  wait_for_common+0xac/0x170
[  245.686339]  ? do_sched_yield+0x90/0x90
[  245.686935]  wait_for_completion+0x12/0x20
[  245.687571]  __floppy_read_block_0+0xfb/0x150
[  245.688244]  ? floppy_resume+0x40/0x40
[  245.688844]  floppy_revalidate+0x20f/0x240
[  245.689486]  check_disk_change+0x43/0x60
[  245.690087]  floppy_open+0x1ea/0x360
[  245.690653]  __blkdev_get+0xb4/0x4d0
[  245.691212]  ? blkdev_get+0x1db/0x370
[  245.691777]  blkdev_get+0x1f3/0x370
[  245.692351]  ? path_put+0x15/0x20
[  245.692871]  ? lookup_bdev+0x4b/0x90
[  245.693539]  blkdev_get_by_path+0x3d/0x80
[  245.694165]  mount_bdev+0x2a/0x190
[  245.694695]  squashfs_mount+0x10/0x20
[  245.695271]  ? squashfs_alloc_inode+0x30/0x30
[  245.695960]  mount_fs+0xf/0x90
[  245.696451]  vfs_kern_mount+0x43/0x130
[  245.697036]  do_mount+0x187/0xc40
[  245.697563]  ? memdup_user+0x28/0x50
[  245.698124]  ksys_mount+0x60/0xc0
[  245.698639]  sys_mount+0x19/0x20
[  245.699167]  do_int80_syscall_32+0x61/0x130
[  245.699813]  entry_INT80_32+0xc7/0xc7

showing that we never complete that read request. The reason is that
the completion setup is racy - it initializes the completion event
AFTER submitting the IO, which means that the IO could complete
before/during the init. If it does, we are passing garbage to
complete() and we may sleep forever waiting for the event to
occur.

Fixes: 7b7b68bba5ef ("floppy: bail out in open() if drive is not responding to block0 read")
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/block/floppy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3819,10 +3819,11 @@ static int __floppy_read_block_0(struct
 	bio.bi_private = &cbdata;
 	bio.bi_end_io = floppy_rb0_cb;
 
+	init_completion(&cbdata.complete);
+
 	submit_bio(READ, &bio);
 	process_fd_request();
 
-	init_completion(&cbdata.complete);
 	wait_for_completion(&cbdata.complete);
 
 	__free_page(page);
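
Review bot: nothing at the new init_completion() site says it has to stay
ahead of submit_bio(), and that ordering is the entire fix. A one-line
comment there (floppy_rb0_cb may run as soon as the bio is submitted) would
keep a later cleanup from moving it back next to wait_for_completion().
Since cbdata and bio are referenced as locals here and wait_for_completion()
has no timeout, it is also worth a note that this function cannot return
until the callback has run.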


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 257/305] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 093/305] KVM: x86: remove code for lazy FPU handling Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 116/305] thermal: rcar_thermal: Prevent doing work after unbind Ben Hutchings
                   ` (264 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lubomir Rintel, Arnd Bergmann, Olof Johansson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <lkundrak@v3.sk>

commit 76f4e2c3b6a560cdd7a75b87df543e04d05a9e5f upstream.

cpu_is_mmp2() was equivalent to cpu_is_pj4(), wouldn't be correct for
multiplatform kernels. Fix it by also considering mmp_chip_id, as is
done for cpu_is_pxa168() and cpu_is_pxa910() above.

Moreover, it is only available with CONFIG_CPU_MMP2 and thus doesn't work
on DT-based MMP2 machines. Enable it on CONFIG_MACH_MMP2_DT too.

Note: CONFIG_CPU_MMP2 is only used for machines that use board files
instead of DT. It should perhaps be renamed. I'm not doing it now, because
I don't have a better idea.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Olof Johansson <olof@lixom.net>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-mmp/include/mach/cputype.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/arm/mach-mmp/include/mach/cputype.h
+++ b/arch/arm/mach-mmp/include/mach/cputype.h
@@ -43,10 +43,12 @@ static inline int cpu_is_pxa910(void)
 #define cpu_is_pxa910()	(0)
 #endif
 
-#ifdef CONFIG_CPU_MMP2
+#if defined(CONFIG_CPU_MMP2) || defined(CONFIG_MACH_MMP2_DT)
 static inline int cpu_is_mmp2(void)
 {
-	return (((read_cpuid_id() >> 8) & 0xff) == 0x58);
+	return (((read_cpuid_id() >> 8) & 0xff) == 0x58) &&
+		(((mmp_chip_id & 0xfff) == 0x410) ||
+		 ((mmp_chip_id & 0xfff) == 0x610));
 }
 #else
 #define cpu_is_mmp2()	(0)
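
Review bot: the new test compares mmp_chip_id & 0xfff against 0x410 and
0x610 with no indication of what the two values identify; a short comment
or named constants would help. With the guard widened to
CONFIG_MACH_MMP2_DT, please also confirm that the mmp_chip_id declaration
is visible in this header for a DT-only configuration, since the hunk does
not show where it is declared.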


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 179/305] usb: xhci: fix uninitialized completion when USB3 port got wrong status
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (230 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 018/305] staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 231/305] ALSA: control: Fix race between adding and removing a user element Ben Hutchings
                   ` (73 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Aaron Ma, Greg Kroah-Hartman, Mathias Nyman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit 958c0bd86075d4ef1c936998deefe1947e539240 upstream.

Realtek USB3.0 Card Reader [0bda:0328] reports wrong port status on
Cannon lake PCH USB3.1 xHCI [8086:a36d] after resume from S3,
after clear port reset it works fine.

Since this device is registered on USB3 roothub at boot,
when port status reports not superspeed, xhci_get_port_status will call
an uninitialized completion in bus_state[0].
Kernel will hang because of NULL pointer.

Restrict the USB2 resume status check in USB2 roothub to fix hang issue.

Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c  | 2 +-
 drivers/usb/host/xhci-ring.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -620,7 +620,7 @@ static u32 xhci_get_port_status(struct u
 			status |= USB_PORT_STAT_SUSPEND;
 	}
 	if ((raw_port_status & PORT_PLS_MASK) == XDEV_RESUME &&
-			!DEV_SUPERSPEED(raw_port_status)) {
+		!DEV_SUPERSPEED(raw_port_status) && hcd->speed < HCD_USB3) {
 		if ((raw_port_status & PORT_RESET) ||
 				!(raw_port_status & PORT_PE))
 			return 0xffffffff;
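
Review bot: the added hcd->speed < HCD_USB3 term in xhci_get_port_status()
has no comment, and the reason for it (a USB3 roothub port that reports
XDEV_RESUME without superspeed must not enter the USB2 resume handling) is
only in the commit message. Please put that in a comment above the
condition. Such a port now skips this block silently; a debug message for
that case would make the misreporting device visible in logs.
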
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1676,7 +1676,7 @@ static void handle_port_status(struct xh
 	 * RExit to a disconnect state).  If so, let the the driver know it's
 	 * out of the RExit state.
 	 */
-	if (!DEV_SUPERSPEED(temp) &&
+	if (!DEV_SUPERSPEED(temp) && hcd->speed < HCD_USB3 &&
 			test_and_clear_bit(faked_port_index,
 				&bus_state->rexit_ports)) {
 		complete(&bus_state->rexit_done[faked_port_index]);
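
Review bot: in handle_port_status() the new hcd->speed < HCD_USB3 test sits
before test_and_clear_bit(), so on a USB3 roothub the rexit_ports bit is no
longer cleared as a side effect of evaluating the condition. That looks
intended, but it depends on the bit never being set for a USB3 bus_state; a
sentence in the comment above saying so would help. The same comment still
reads "let the the driver know", which could be fixed upstream.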


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 152/305] usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (294 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 010/305] ipv6: Fix another sparse warning on rt6i_node Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 051/305] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges Ben Hutchings
                   ` (9 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Emmanuel Pescosta, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>

commit a77112577667cbda7c6292c52d909636aef31fd9 upstream.

Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
Corsair K70 LUX RGB keyboards also require the DELAY_INIT quirk to
start correctly at boot.

Dmesg output:
usb 1-6: string descriptor 0 read error: -110
usb 1-6: New USB device found, idVendor=1b1c, idProduct=1b33
usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-6: can't set config #1, error -110

Signed-off-by: Emmanuel Pescosta <emmanuelpescosta099@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -243,6 +243,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
 	  USB_QUIRK_DELAY_CTRL_MSG },
 
+	/* Corsair K70 LUX RGB */
+	{ USB_DEVICE(0x1b1c, 0x1b33), .driver_info = USB_QUIRK_DELAY_INIT },
+
 	/* Corsair K70 LUX */
 	{ USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
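
Review bot: the new 0x1b1c:0x1b33 entry sets only USB_QUIRK_DELAY_INIT,
while the 0x1b1c:0x1b20 entry directly above also sets
USB_QUIRK_DELAY_CTRL_MSG. The dmesg in the commit message shows -110 on
both the string descriptor read and the set-config request, so please say
whether DELAY_INIT alone was tested and found sufficient for this model.
Placement in product-ID order is fine.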
 


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 156/305] ext4: release bs.bh before re-using in ext4_xattr_block_find()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 305/305] x86/vdso: Fix vDSO syscall fallback asm constraint regression Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 249/305] hfs: do not free node before using Ben Hutchings
                   ` (267 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vasily Averin, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 45ae932d246f721e6584430017176cbcadfde610 upstream.

bs.bh was taken in previous ext4_xattr_block_find() call,
it should be released before re-using

Fixes: 7e01c8e5420b ("ext3/4: fix uninitialized bs in ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/xattr.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1202,6 +1202,8 @@ ext4_xattr_set_handle(handle_t *handle,
 			error = ext4_xattr_block_set(handle, inode, &i, &bs);
 		} else if (error == -ENOSPC) {
 			if (EXT4_I(inode)->i_file_acl && !bs.s.base) {
+				brelse(bs.bh);
+				bs.bh = NULL;
 				error = ext4_xattr_block_find(inode, &i, &bs);
 				if (error)
 					goto cleanup;
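
Review bot: the bs.bh = NULL after brelse() is what keeps the "goto cleanup"
two lines below safe when ext4_xattr_block_find() fails before assigning a
new buffer, yet nothing in the code says so. A one-line comment would stop
someone from trimming it as redundant. The cleanup label is outside this
hunk, so please confirm it releases bs.bh exactly once.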


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 285/305] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (159 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 293/305] KVM: x86: Add MSR_AMD64_DC_CFG to the list of ignored MSRs Ben Hutchings
                   ` (144 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, K. Y. Srinivasan, Stephen Hemminger,
	Dexuan Cui, Sasha Levin, Haiyang Zhang

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce upstream.

Before 98f4c651762c, we returned zeros for unopened channels.
With 98f4c651762c, we started to return random on-stack values.

We'd better return -EINVAL instead.

Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups")
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hv/vmbus_drv.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -260,6 +260,8 @@ static ssize_t out_intr_mask_show(struct
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
 	return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
 }
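
Review bot: the new state test in out_intr_mask_show() is a plain read of
hv_dev->channel->state with no lock taken in the visible lines, so the
channel can leave CHANNEL_OPENED_STATE between the check and
hv_ringbuffer_get_debuginfo(). If a close can run concurrently with a sysfs
read, the check narrows the window but does not close it; please state in
the commit message or a comment what serialises the two.
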
@@ -273,6 +275,8 @@ static ssize_t out_read_index_show(struc
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
 	return sprintf(buf, "%d\n", outbound.current_read_index);
 }
@@ -287,6 +291,8 @@ static ssize_t out_write_index_show(stru
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
 	return sprintf(buf, "%d\n", outbound.current_write_index);
 }
@@ -301,6 +307,8 @@ static ssize_t out_read_bytes_avail_show
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
 	return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
 }
@@ -315,6 +323,8 @@ static ssize_t out_write_bytes_avail_sho
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
 	return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
 }
@@ -328,6 +338,8 @@ static ssize_t in_intr_mask_show(struct
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
 	return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
 }
@@ -341,6 +353,8 @@ static ssize_t in_read_index_show(struct
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
 	return sprintf(buf, "%d\n", inbound.current_read_index);
 }
@@ -354,6 +368,8 @@ static ssize_t in_write_index_show(struc
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
 	return sprintf(buf, "%d\n", inbound.current_write_index);
 }
@@ -368,6 +384,8 @@ static ssize_t in_read_bytes_avail_show(
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
 	return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
 }
@@ -382,6 +400,8 @@ static ssize_t in_write_bytes_avail_show
 
 	if (!hv_dev->channel)
 		return -ENODEV;
+	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+		return -EINVAL;
 	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
 	return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
 }
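
Review bot: this is the tenth copy of the same two-line state check, each
following an identical !hv_dev->channel test. A small helper that returns
0, -ENODEV or -EINVAL for hv_dev and is called at the top of every *_show()
would keep the ten attributes from drifting apart if another channel state
needs handling later.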


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 143/305] xtensa: make sure bFLT stack is 16 byte aligned
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (299 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 248/305] dmaengine: at_hdmac: fix module unloading Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 185/305] misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data Ben Hutchings
                   ` (4 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 0773495b1f5f1c5e23551843f87b5ff37e7af8f7 upstream.

Xtensa ABI requires stack alignment to be at least 16. In noMMU
configuration ARCH_SLAB_MINALIGN is used to align stack. Make it at
least 16.

This fixes the following runtime error in noMMU configuration, caused by
interaction between insufficiently aligned stack and alloca function,
that results in corruption of on-stack variable in the libc function
glob:

 Caught unhandled exception in 'sh' (pid = 47, pc = 0x02d05d65)
  - should not happen
  EXCCAUSE is 15

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/include/asm/processor.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/xtensa/include/asm/processor.h
+++ b/arch/xtensa/include/asm/processor.h
@@ -25,7 +25,11 @@
 # error Linux requires the Xtensa Windowed Registers Option.
 #endif
 
-#define ARCH_SLAB_MINALIGN	XCHAL_DATA_WIDTH
+/* Xtensa ABI requires stack alignment to be at least 16 */
+
+#define STACK_ALIGN (XCHAL_DATA_WIDTH > 16 ? XCHAL_DATA_WIDTH : 16)
+
+#define ARCH_SLAB_MINALIGN STACK_ALIGN
 
 /*
  * User space process size: 1 GB.
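
Review bot: STACK_ALIGN is a very generic name to define in
asm/processor.h, a header that a large part of the kernel ends up
including, so a clash with an unrelated macro of the same name is easy to
hit. Consider an arch-prefixed name such as XTENSA_STACK_ALIGN. The blank
line between the new comment and the #define it describes can also go.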


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 117/305] HID: hiddev: fix potential Spectre v1
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (217 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 131/305] netfilter: x_tables: add and use xt_check_proc_name Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 171/305] mac80211: Clear beacon_int in ieee80211_do_stop Ben Hutchings
                   ` (86 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jiri Kosina, Breno Leitao

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.

uref->usage_index can be indirectly controlled by userspace, hence leading
to a potential exploitation of the Spectre variant 1 vulnerability.

This field is used as an array index by the hiddev_ioctl_usage() function,
when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
HIDIOCSUSAGES.

For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
field->maxusage and then used as an index to dereference field->usage
array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
uref->usage_index is checked against an array maximum value and then it is
used as an index in an array.

This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
traditional Spectre V1 first load:

	copy_from_user(uref, user_arg, sizeof(*uref))
	if (uref->usage_index >= field->maxusage)
		goto inval;
	i = field->usage[uref->usage_index].collection_index;
	return i;

This patch fixes this by sanitizing field uref->usage_index before using it
to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.

Signed-off-by: Breno Leitao <leitao@debian.org>
--

v2: Contemplate cmd == HIDIOC{G,S}USAGES case
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/usbhid/hiddev.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -521,14 +521,24 @@ static noinline int hiddev_ioctl_usage(s
 			if (cmd == HIDIOCGCOLLECTIONINDEX) {
 				if (uref->usage_index >= field->maxusage)
 					goto inval;
+				uref->usage_index =
+					array_index_nospec(uref->usage_index,
+							   field->maxusage);
 			} else if (uref->usage_index >= field->report_count)
 				goto inval;
 		}
 
-		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-		     uref->usage_index + uref_multi->num_values > field->report_count))
-			goto inval;
+		if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
+			if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+			    uref->usage_index + uref_multi->num_values >
+			    field->report_count)
+				goto inval;
+
+			uref->usage_index =
+				array_index_nospec(uref->usage_index,
+						   field->report_count -
+						   uref_multi->num_values);
+		}
 
 		switch (cmd) {
 		case HIDIOCGUSAGE:
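
Review bot: the second array_index_nospec() call uses
field->report_count - uref_multi->num_values as its size, but the check
just above it only rejects usage_index + num_values > report_count, so
usage_index == report_count - num_values is accepted and then clamped to 0
because array_index_nospec() returns 0 for any index that is not strictly
below the size. The bound should cover the largest index the check allows,
for example report_count - num_values + 1. Separately, the
"else if (uref->usage_index >= field->report_count)" branch in the first
part of the hunk gets a bounds check but no clamp; please say whether that
path was looked at.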


^ permalink raw reply	[flat|nested] 313+ messages in thread
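
The pairing of bounds check and index clamp described in the commit message above, modelled in user space as an added example (not code from the patch or from the kernel tree). The function names, the INVAL marker and the 1024 limit standing in for HID_MAX_MULTI_USAGES are assumptions of the model; the mask follows the branch-free style of the kernel's generic fallback.

```c
/* User-space model of "bounds check, then array_index_nospec()" as used in
 * hiddev_ioctl_usage(). Added illustration; all helper names are hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))
#define MODEL_MAX_MULTI_USAGES 1024u	/* assumed value of HID_MAX_MULTI_USAGES */
#define INVAL (-1L)			/* stands in for "goto inval" */

/* All ones when index < size, zero otherwise, computed without a branch so
 * the result does not depend on a predicted comparison. Relies on arithmetic
 * right shift of a negative long (gcc, clang) and on size <= LONG_MAX. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return (unsigned long)(~(long)(index | (size - 1UL - index))
			       >> (BITS_PER_LONG - 1));
}

/* In-range indexes pass through unchanged, everything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* HIDIOCGCOLLECTIONINDEX path: check and clamp use the same exclusive bound. */
static long sanitize_collection_index(uint32_t usage_index, uint32_t maxusage)
{
	if (usage_index >= maxusage)
		return INVAL;
	return (long)index_nospec(usage_index, maxusage);
}

/* HIDIOC{G,S}USAGES path as written in the hunk: the check accepts
 * usage_index + num_values == report_count, the clamp size excludes it. */
static long sanitize_multi_as_patched(uint32_t usage_index, uint32_t num_values,
				      uint32_t report_count)
{
	if (num_values > MODEL_MAX_MULTI_USAGES ||
	    usage_index + num_values > report_count)
		return INVAL;
	return (long)index_nospec(usage_index, report_count - num_values);
}

/* Hypothetical variant: clamp size covers the largest index the check allows. */
static long sanitize_multi_inclusive(uint32_t usage_index, uint32_t num_values,
				     uint32_t report_count)
{
	if (num_values > MODEL_MAX_MULTI_USAGES ||
	    usage_index + num_values > report_count)
		return INVAL;
	return (long)index_nospec(usage_index,
				  (unsigned long)(report_count - num_values) + 1UL);
}

int main(void)
{
	const uint32_t report_count = 8, num_values = 3;	/* constructed sample */
	uint32_t idx;

	puts("idx  as_patched  inclusive");
	for (idx = 0; idx <= 6; idx++)
		printf("%3u  %10ld  %9ld\n", (unsigned)idx,
		       sanitize_multi_as_patched(idx, num_values, report_count),
		       sanitize_multi_inclusive(idx, num_values, report_count));
	return 0;
}
```

With report_count 8 and num_values 3, index 5 passes the check in both variants but only the inclusive one returns it unchanged.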

* [PATCH 3.16 111/305] net: bcmgenet: fix OF child-node lookup
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (239 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 107/305] Btrfs: fix use-after-free when dumping free space Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 060/305] powerpc/pseries: Fix how we iterate over the DTL entries Ben Hutchings
                   ` (64 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Rob Herring, David S. Miller,
	Florian Fainelli, Johan Hovold

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac upstream.

Use the new of_get_compatible_child() helper to lookup the mdio child
node instead of using of_find_compatible_node(), which searches the
entire tree from a given start node and thus can return an unrelated
(i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the node of the device being probed).

Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
Cc: David S. Miller <davem@davemloft.net>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -410,7 +410,7 @@ static int bcmgenet_mii_of_init(struct b
 	if (!compat)
 		return -ENOMEM;
 
-	mdio_dn = of_find_compatible_node(dn, NULL, compat);
+	mdio_dn = of_get_compatible_child(dn, compat);
 	kfree(compat);
 	if (!mdio_dn) {
 		dev_err(kdev, "unable to find MDIO bus node\n");
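
Review bot: of_get_compatible_child() returns mdio_dn with a reference
held, and the visible lines do not show a matching of_node_put(). Please
confirm the function drops it on every exit path. The helper is introduced
by 110/305 in this series, so this patch must not be applied without it.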


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 084/305] Btrfs: don't clean dirty pages during buffered writes
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (281 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 075/305] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 110/305] of: add helper to lookup compatible child node Ben Hutchings
                   ` (22 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Chris Mason, David Sterba

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Mason <clm@fb.com>

commit 7703bdd8d23e6ef057af3253958a793ec6066b28 upstream.

During buffered writes, we follow this basic series of steps:

again:
	lock all the pages
	wait for writeback on all the pages
	Take the extent range lock
	wait for ordered extents on the whole range
	clean all the pages

	if (copy_from_user_in_atomic() hits a fault) {
		drop our locks
		goto again;
	}

	dirty all the pages
	release all the locks

The extra waiting, cleaning and locking are there to make sure we don't
modify pages in flight to the drive, after they've been crc'd.

If some of the pages in the range were already dirty when the write
began, and we need to goto again, we create a window where a dirty page
has been cleaned and unlocked.  It may be reclaimed before we're able to
lock it again, which means we'll read the old contents off the drive and
lose any modifications that had been pending writeback.

We don't actually need to clean the pages.  All of the other locking in
place makes sure we don't start IO on the pages, so we can just leave
them dirty for the duration of the write.

Fixes: 73d59314e6ed (the original btrfs merge)
Signed-off-by: Chris Mason <clm@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Keep passing additional argument of GFP_NOFS to clear_extent_bit()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -506,6 +506,16 @@ int btrfs_dirty_pages(struct btrfs_root
 	num_bytes = ALIGN(write_bytes + pos - start_pos, root->sectorsize);
 
 	end_of_last_block = start_pos + num_bytes - 1;
+
+	/*
+	 * The pages may have already been dirty, clear out old accounting so
+	 * we can set things up properly
+	 */
+	clear_extent_bit(&BTRFS_I(inode)->io_tree, start_pos, end_of_last_block,
+			 EXTENT_DIRTY | EXTENT_DELALLOC |
+			 EXTENT_DO_ACCOUNTING | EXTENT_DEFRAG, 0, 0, cached,
+			 GFP_NOFS);
+
 	err = btrfs_set_extent_delalloc(inode, start_pos, end_of_last_block,
 					cached);
 	if (err)
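
Review bot: the return value of the new clear_extent_bit() call in
btrfs_dirty_pages() is discarded, while the btrfs_set_extent_delalloc()
call right after it has its result checked. If the clear can fail with
GFP_NOFS, the delalloc accounting set up next would be built on stale bits;
either check the result or say in the new comment why it can be ignored.
This message also lacks the diffstat that the other patches in the series
carry between "---" and the first file header.
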
@@ -1408,18 +1418,26 @@ lock_and_cleanup_extent_if_need(struct i
 		if (ordered)
 			btrfs_put_ordered_extent(ordered);
 
-		clear_extent_bit(&BTRFS_I(inode)->io_tree, start_pos,
-				  last_pos, EXTENT_DIRTY | EXTENT_DELALLOC |
-				  EXTENT_DO_ACCOUNTING | EXTENT_DEFRAG,
-				  0, 0, cached_state, GFP_NOFS);
 		*lockstart = start_pos;
 		*lockend = last_pos;
 		ret = 1;
 	}
 
+	/*
+	 * It's possible the pages are dirty right now, but we don't want
+	 * to clean them yet because copy_from_user may catch a page fault
+	 * and we might have to fall back to one page at a time.  If that
+	 * happens, we'll unlock these pages and we'd have a window where
+	 * reclaim could sneak in and drop the once-dirty page on the floor
+	 * without writing it.
+	 *
+	 * We have the pages locked and the extent range locked, so there's
+	 * no way someone can start IO on any dirty pages in this range.
+	 *
+	 * We'll call btrfs_dirty_pages() later on, and that will flip around
+	 * delalloc bits and dirty the pages as required.
+	 */
 	for (i = 0; i < num_pages; i++) {
-		if (clear_page_dirty_for_io(pages[i]))
-			account_page_redirty(pages[i]);
 		set_page_extent_mapped(pages[i]);
 		WARN_ON(!PageLocked(pages[i]));
 	}
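
Review bot: with clear_page_dirty_for_io() removed from this loop, the new
comment's guarantee rests on btrfs_dirty_pages() being called later for
these pages. Please confirm that still holds when the copy faults and the
write is retried with fewer pages than were prepared here; pages that are
only unlocked on that path must be left with their dirty bit and extent
bits consistent, and the comment should say which caller ensures it.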


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 024/305] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 195/305] Input: matrix_keypad - check for errors from of_get_named_gpio() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 139/305] clockevents/drivers/i8253: Add support for PIT shutdown quirk Ben Hutchings
                   ` (55 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, He Zhe, gregkh, Ingo Molnar,
	Linus Torvalds, Peter Zijlstra, kstewart, Thomas Gleixner,
	pombredanne

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: He Zhe <zhe.he@windriver.com>

commit ccde460b9ae5c2bd5e4742af0a7f623c2daad566 upstream.

memory_corruption_check[{_period|_size}]()'s handlers do not check input
argument before passing it to kstrtoul() or simple_strtoull(). The argument
would be a NULL pointer if each of the kernel parameters, without its
value, is set in command line and thus cause the following panic.

PANIC: early exception 0xe3 IP 10:ffffffff73587c22 error 0 cr2 0x0
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #2
[    0.000000] RIP: 0010:kstrtoull+0x2/0x10
...
[    0.000000] Call Trace
[    0.000000]  ? set_corruption_check+0x21/0x49
[    0.000000]  ? do_early_param+0x4d/0x82
[    0.000000]  ? parse_args+0x212/0x330
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_options+0x20/0x23
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_param+0x2d/0x39
[    0.000000]  ? setup_arch+0x2f7/0xbf4
[    0.000000]  ? start_kernel+0x5e/0x4c2
[    0.000000]  ? load_ucode_bsp+0x113/0x12f
[    0.000000]  ? secondary_startup_64+0xa5/0xb0

This patch adds checks to prevent the panic.

Signed-off-by: He Zhe <zhe.he@windriver.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: gregkh@linuxfoundation.org
Cc: kstewart@linuxfoundation.org
Cc: pombredanne@nexb.com
Link: http://lkml.kernel.org/r/1534260823-87917-1-git-send-email-zhe.he@windriver.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/check.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/arch/x86/kernel/check.c
+++ b/arch/x86/kernel/check.c
@@ -30,6 +30,11 @@ static __init int set_corruption_check(c
 	ssize_t ret;
 	unsigned long val;
 
+	if (!arg) {
+		pr_err("memory_corruption_check config string not provided\n");
+		return -EINVAL;
+	}
+
 	ret = kstrtoul(arg, 10, &val);
 	if (ret)
 		return ret;
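
Review bot: the same NULL test and a near-identical pr_err() are added to
all three handlers in this patch; a small helper taking the parameter name
would keep them in step. The text "config string not provided" could also
say that the value is missing, since the parameter name itself was present
on the command line.
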
@@ -44,6 +49,11 @@ static __init int set_corruption_check_p
 	ssize_t ret;
 	unsigned long val;
 
+	if (!arg) {
+		pr_err("memory_corruption_check_period config string not provided\n");
+		return -EINVAL;
+	}
+
 	ret = kstrtoul(arg, 10, &val);
 	if (ret)
 		return ret;
@@ -58,6 +68,11 @@ static __init int set_corruption_check_s
 	char *end;
 	unsigned size;
 
+	if (!arg) {
+		pr_err("memory_corruption_check_size config string not provided\n");
+		return -EINVAL;
+	}
+
 	size = memparse(arg, &end);
 
 	if (*end == '\0')
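
Review bot: right after the new NULL check, the result of memparse() is
assigned to "unsigned size", so a value above UINT_MAX on the command line
is truncated without any error. That predates this patch, but since the
hunk is about validating this argument, a follow-up that rejects
out-of-range sizes would be worthwhile.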


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 279/305] tracing: Fix memory leak of instance function hash filters
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 198/305] netfilter: nf_tables: fix oob access Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 104/305] xen-swiotlb: use actually allocated size on check physical continuous Ben Hutchings
                   ` (253 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Steven Rostedt (VMware)

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>

commit 2840f84f74035e5a535959d5f17269c69fa6edc5 upstream.

The following commands will cause a memory leak:

 # cd /sys/kernel/tracing
 # mkdir instances/foo
 # echo schedule > instance/foo/set_ftrace_filter
 # rmdir instances/foo

The reason is that the hashes that hold the filters to set_ftrace_filter and
set_ftrace_notrace are not freed if they contain any data on the instance
and the instance is removed.

Found by kmemleak detector.

Fixes: 591dffdade9f ("ftrace: Allow for function tracing instance to filter functions")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/ftrace.c | 1 +
 1 file changed, 1 insertion(+)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -4127,6 +4127,7 @@ void ftrace_destroy_filter_files(struct
 	if (ops->flags & FTRACE_OPS_FL_ENABLED)
 		ftrace_shutdown(ops, 0);
 	ops->flags |= FTRACE_OPS_FL_DELETED;
+	ftrace_free_filter(ops);
 	mutex_unlock(&ftrace_lock);
 }
 
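Review bot: Missing comment at the new ftrace_free_filter(ops) call. The changelog says both the set_ftrace_filter and set_ftrace_notrace hashes leak, but the call site does not say that this single call is meant to release both, nor that it is intended to run with ftrace_lock held and after FTRACE_OPS_FL_DELETED has been set. A one-line comment stating that would let the next backporter confirm the ordering.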


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 098/305] drm/i915: Large page offsets for pread/pwrite
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (241 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 060/305] powerpc/pseries: Fix how we iterate over the DTL entries Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 181/305] sysv: return 'err' instead of 0 in __sysv_write_inode Ben Hutchings
                   ` (62 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Rodrigo Vivi, Chris Wilson, Tvrtko Ursulin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit ab0d6a141843e0b4b2709dfd37b53468b5452c3a upstream.

Handle integer overflow when computing the sub-page length for shmem
backed pread/pwrite.

Reported-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181012140228.29783-1-chris@chris-wilson.co.uk
(cherry picked from commit a5e856a5348f6cd50889d125c40bbeec7328e466)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
[bwh: Backported to 3.16:
 - Length variable is page_length, not length
 - Page-offset variable is shmem_page_offset, not offset]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -573,7 +573,7 @@ i915_gem_shmem_pread(struct drm_device *
 	char __user *user_data;
 	ssize_t remain;
 	loff_t offset;
-	int shmem_page_offset, page_length, ret = 0;
+	int shmem_page_offset, ret = 0;
 	int obj_do_bit17_swizzling, page_do_bit17_swizzling;
 	int prefaulted = 0;
 	int needs_clflush = 0;
@@ -593,6 +593,7 @@ i915_gem_shmem_pread(struct drm_device *
 	for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents,
 			 offset >> PAGE_SHIFT) {
 		struct page *page = sg_page_iter_page(&sg_iter);
+		unsigned int page_length;
 
 		if (remain <= 0)
 			break;
@@ -603,9 +604,7 @@ i915_gem_shmem_pread(struct drm_device *
 		 * page_length = bytes to copy for this page
 		 */
 		shmem_page_offset = offset_in_page(offset);
-		page_length = remain;
-		if ((shmem_page_offset + page_length) > PAGE_SIZE)
-			page_length = PAGE_SIZE - shmem_page_offset;
+		page_length = min_t(u64, remain, PAGE_SIZE - shmem_page_offset);
 
 		page_do_bit17_swizzling = obj_do_bit17_swizzling &&
 			(page_to_phys(page) & (1 << 17)) != 0;
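Review bot: min_t(u64, remain, PAGE_SIZE - shmem_page_offset) casts the signed ssize_t remain to u64, so it is correct only because of the `if (remain <= 0) break;` guard at the top of the loop body (visible in the previous hunk). A short comment on this line noting that dependency would stop a later reorder from turning a negative remain into a huge length. shmem_page_offset also stays a plain int in the declaration hunk above; making it unsigned int to match page_length would avoid the mixed-sign subtraction.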
@@ -870,7 +869,7 @@ i915_gem_shmem_pwrite(struct drm_device
 	ssize_t remain;
 	loff_t offset;
 	char __user *user_data;
-	int shmem_page_offset, page_length, ret = 0;
+	int shmem_page_offset, ret = 0;
 	int obj_do_bit17_swizzling, page_do_bit17_swizzling;
 	int hit_slowpath = 0;
 	int needs_clflush_after = 0;
@@ -913,6 +912,7 @@ i915_gem_shmem_pwrite(struct drm_device
 			 offset >> PAGE_SHIFT) {
 		struct page *page = sg_page_iter_page(&sg_iter);
 		int partial_cacheline_write;
+		unsigned int page_length;
 
 		if (remain <= 0)
 			break;
@@ -923,10 +923,7 @@ i915_gem_shmem_pwrite(struct drm_device
 		 * page_length = bytes to copy for this page
 		 */
 		shmem_page_offset = offset_in_page(offset);
-
-		page_length = remain;
-		if ((shmem_page_offset + page_length) > PAGE_SIZE)
-			page_length = PAGE_SIZE - shmem_page_offset;
+		page_length = min_t(u64, remain, PAGE_SIZE - shmem_page_offset);
 
 		/* If we don't overwrite a cacheline completely we need to be
 		 * careful to have up-to-date data by first clflushing. Don't
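Review bot: The sub-page length computation in i915_gem_shmem_pwrite() is now an exact copy of the one in i915_gem_shmem_pread(). A small static inline helper shared by both paths would ensure the overflow-safe form cannot diverge between read and write. The backport also drops the blank line that separated the shmem_page_offset assignment from the length computation, which is an unrelated whitespace change.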


^ permalink raw reply	[flat|nested] 313+ messages in thread
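The length computation that the i915 patch above replaces, next to the min_t() form it introduces, as an added userspace example (not code from the patch or the driver). The function names, the 4 KiB page size and the sample values are assumptions made for the illustration, and the int narrowing relies on the modulo behaviour GCC and Clang implement.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: 4 KiB pages. */
#define EX_PAGE_SIZE 4096ULL

/*
 * Pre-patch shape: page_length is an int, so the 64-bit "remain" is
 * narrowed on assignment, before the clamp to the end of the page.
 */
static int page_length_before(int64_t remain, uint64_t offset)
{
	int shmem_page_offset = (int)(offset & (EX_PAGE_SIZE - 1));
	/* Narrowing to int: implementation-defined, modulo 2^32 on GCC/Clang. */
	int page_length = (int)(uint32_t)remain;
	/* Widen so this model has no signed overflow of its own. */
	int64_t sum = (int64_t)shmem_page_offset + page_length;

	/*
	 * The kernel compares the int sum with an unsigned long PAGE_SIZE,
	 * so a negative sum converts to a huge unsigned value.
	 */
	if ((uint64_t)sum > EX_PAGE_SIZE)
		page_length = (int)(EX_PAGE_SIZE - (uint64_t)shmem_page_offset);
	return page_length;
}

/*
 * Post-patch shape: min_t(u64, remain, PAGE_SIZE - shmem_page_offset).
 * The caller has already checked remain > 0, as the loop in the patch does.
 */
static unsigned int page_length_after(int64_t remain, uint64_t offset)
{
	uint64_t room = EX_PAGE_SIZE - (offset & (EX_PAGE_SIZE - 1));
	uint64_t want = (uint64_t)remain;

	return (unsigned int)(want < room ? want : room);
}

int main(void)
{
	/* Constructed sample inputs: { remain, offset }. */
	static const struct { int64_t remain; uint64_t offset; } cases[] = {
		{ 100, 4000 },                    /* small request, both forms agree */
		{ (INT64_C(1) << 32) + 8, 0 },    /* low 32 bits are 8 */
		{ INT64_C(1) << 32, 0 },          /* low 32 bits are 0 */
		{ INT64_C(0xFFFFFFFF), 4000 },    /* narrows to -1, clamp is skipped */
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("remain=%" PRId64 " offset=%" PRIu64
		       " before=%d after=%u\n",
		       cases[i].remain, cases[i].offset,
		       page_length_before(cases[i].remain, cases[i].offset),
		       page_length_after(cases[i].remain, cases[i].offset));
	return 0;
}
```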

* [PATCH 3.16 097/305] Btrfs: fix null pointer dereference on compressed write path error
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (302 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 211/305] exportfs: fix 'passing zero to ERR_PTR()' warning Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 228/305] ALSA: wss: Fix invalid snd_free_pages() at error path Ben Hutchings
  2019-02-04 21:38 ` [PATCH 3.16 000/305] 3.16.63-rc1 review Guenter Roeck
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Filipe Manana, Liu Bo, David Sterba

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 3527a018c00e5dbada2f9d7ed5576437b6dd5cfb upstream.

At inode.c:compress_file_range(), under the "free_pages_out" label, we can
end up dereferencing the "pages" pointer when it has a NULL value. This
case happens when "start" has a value of 0 and we fail to allocate memory
for the "pages" pointer. When that happens we jump to the "cont" label and
then enter the "if (start == 0)" branch where we immediately call the
cow_file_range_inline() function. If that function returns 0 (success
creating an inline extent) or an error (like -ENOMEM for example) we jump
to the "free_pages_out" label and then access "pages[i]" leading to a NULL
pointer dereference, since "nr_pages" has a value greater than zero at
that point.

Fix this by setting "nr_pages" to 0 when we fail to allocate memory for
the "pages" pointer.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119
Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads")
Reviewed-by: Liu Bo <bo.liu@linux.alibaba.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -452,6 +452,7 @@ again:
 		pages = kzalloc(sizeof(struct page *) * nr_pages, GFP_NOFS);
 		if (!pages) {
 			/* just bail out to the uncompressed code */
+			nr_pages = 0;
 			goto cont;
 		}
 
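Review bot: The existing comment `/* just bail out to the uncompressed code */` no longer covers everything this branch does. Please extend it to say that nr_pages is reset because the free_pages_out path indexes pages[i] up to nr_pages while pages is NULL here, which is the reasoning the changelog gives.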


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 029/305] signal/GenWQE: Fix sending of SIGKILL
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 169/305] mac80211_hwsim: Replace bogus hrtimer clockid Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 089/305] IB/cm: Fix sleeping while spin lock is held Ben Hutchings
                   ` (296 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kleber Sacilotto de Souza,
	Michael Ruettger, Joerg-Stephan Vogt, Eberhard S. Amann,
	Frank Haverkamp, Gabriel Krisman Bertazi, Michael Jung,
	Guilherme G. Piccoli, Greg Kroah-Hartman, Eric W. Biederman,
	Sebastian Ott

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genwqe_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another.  It even embeds the
assumption that the thread that opened the file will be in
existence when the process terminates.   Neither of which are
guaranteed to be true.

Therefore replace caching the task_struct of the opener with
pid of the opener's thread group id.  All the knowledge of the
opener is used for is as the target of SIGKILL and a SIGKILL
will kill the entire process group.

Rename genwqe_force_sig to genwqe_terminate, remove its unnecessary
signal argument, update its only caller, and use kill_pid
instead of force_sig.

The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processes
will be killed just with less work, and less confusion.  The work done
by force_sig is really only needed for handling synchronous
exceptions.

It will still be possible to cause genwqe_device_remove to wait
8 seconds by passing a file descriptor to another process but
the possible use after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
Cc: Michael Jung <mijung@gmx.net>
Cc: Michael Ruettger <michael@ibmra.de>
Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/genwqe/card_base.h | 2 +-
 drivers/misc/genwqe/card_dev.c  | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/misc/genwqe/card_base.h
+++ b/drivers/misc/genwqe/card_base.h
@@ -401,7 +401,7 @@ struct genwqe_file {
 	struct file *filp;
 
 	struct fasync_struct *async_queue;
-	struct task_struct *owner;
+	struct pid *opener;
 	struct list_head list;		/* entry in list of open files */
 
 	spinlock_t map_lock;		/* lock for dma_mappings */
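Review bot: The renamed field `struct pid *opener` has no comment, unlike its neighbours `list` and `map_lock`. It now holds a counted reference to the opener's thread group pid, taken with get_pid() in genwqe_add_file() and dropped with put_pid() in genwqe_del_file(), so a trailing comment stating that ownership rule would help anyone adding another user of the field.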
--- a/drivers/misc/genwqe/card_dev.c
+++ b/drivers/misc/genwqe/card_dev.c
@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq
 {
 	unsigned long flags;
 
-	cfile->owner = current;
+	cfile->opener = get_pid(task_tgid(current));
 	spin_lock_irqsave(&cd->file_lock, flags);
 	list_add(&cfile->list, &cd->file_list);
 	spin_unlock_irqrestore(&cd->file_lock, flags);
@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe
 	spin_lock_irqsave(&cd->file_lock, flags);
 	list_del(&cfile->list);
 	spin_unlock_irqrestore(&cd->file_lock, flags);
+	put_pid(cfile->opener);
 
 	return 0;
 }
@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen
 	return files;
 }
 
-static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
+static int genwqe_terminate(struct genwqe_dev *cd)
 {
 	unsigned int files = 0;
 	unsigned long flags;
@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq
 
 	spin_lock_irqsave(&cd->file_lock, flags);
 	list_for_each_entry(cfile, &cd->file_list, list) {
-		force_sig(sig, cfile->owner);
+		kill_pid(cfile->opener, SIGKILL, 1);
 		files++;
 	}
 	spin_unlock_irqrestore(&cd->file_lock, flags);
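Review bot: kill_pid(cfile->opener, SIGKILL, 1) discards its return value and files++ runs regardless, so genwqe_terminate() counts a file as signalled even when nothing was delivered, and the caller in the next hunk then enters its wait loop on a non-zero rc. Consider counting only successful deliveries or at least logging the failure. The bare `1` passed as the third argument would also read better with a comment tying it to the SEND_SIG_PRIV behaviour the changelog describes.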
@@ -1346,7 +1347,7 @@ static int genwqe_inform_and_stop_proces
 		dev_warn(&pci_dev->dev,
 			 "[%s] send SIGKILL and wait ...\n", __func__);
 
-		rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */
+		rc = genwqe_terminate(cd);
 		if (rc) {
 			/* Give kill_timout more seconds to end processes */
 			for (i = 0; (i < genwqe_kill_timeout) &&


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 030/305] power: supply: max8998-charger: Fix platform data retrieval
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (232 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 231/305] ALSA: control: Fix race between adding and removing a user element Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 053/305] usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure Ben Hutchings
                   ` (71 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tomasz Figa, Paweł Chmiel, Sebastian Reichel

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomasz Figa <tomasz.figa@gmail.com>

commit cb90a2c6f77fe9b43d1e3f759bb2f13fe7fa1811 upstream.

Since the max8998 MFD driver supports instantiation by DT, platform data
retrieval is handled in MFD probe and cell drivers should use
the pdata field of max8998_dev struct to obtain them.

Fixes: ee999fb3f17f ("mfd: max8998: Add support for Device Tree")
Signed-off-by: Tomasz Figa <tomasz.figa@gmail.com>
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/power/max8998_charger.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/max8998_charger.c
+++ b/drivers/power/max8998_charger.c
@@ -78,7 +78,7 @@ static int max8998_battery_get_property(
 static int max8998_battery_probe(struct platform_device *pdev)
 {
 	struct max8998_dev *iodev = dev_get_drvdata(pdev->dev.parent);
-	struct max8998_platform_data *pdata = dev_get_platdata(iodev->dev);
+	struct max8998_platform_data *pdata = iodev->pdata;
 	struct max8998_battery_data *max8998;
 	struct i2c_client *i2c;
 	int ret = 0;
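Review bot: Nothing in the visible context checks pdata for NULL after `pdata = iodev->pdata`. If the MFD probe can leave iodev->pdata unset, max8998_battery_probe() should return an error before the first dereference; if the parent guarantees it is always set, a short comment saying so would settle the question for readers of this function.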


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 256/305] media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 154/305] USB: misc: appledisplay: add 20" Apple Cinema Display Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 021/305] cpupower: remove stringop-truncation waring Ben Hutchings
                   ` (224 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans Verkuil, Sakari Ailus, Mauro Carvalho Chehab

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 04990215dec43c424daff00d1f622167b8aafd1f upstream.

vb2_start_streaming() already rolls back the buffers, so there is no
need to call __vb2_queue_cancel(). Especially since __vb2_queue_cancel()
does too much, such as zeroing the q->queued_count value, causing vb2
to think that no buffers have been queued.

It appears that this call to __vb2_queue_cancel() is a left-over from
before commit b3379c6201bb3.

Fixes: b3379c6201bb3 ('vb2: only call start_streaming if sufficient buffers are queued')

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/videobuf2-core.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -2200,10 +2200,8 @@ static int vb2_internal_streamon(struct
 	 */
 	if (q->queued_count >= q->min_buffers_needed) {
 		ret = vb2_start_streaming(q);
-		if (ret) {
-			__vb2_queue_cancel(q);
+		if (ret)
 			return ret;
-		}
 	}
 
 	q->streaming = 1;
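Review bot: With the braces and the __vb2_queue_cancel() call gone, the bare `if (ret) return ret;` gives no hint that cleanup has already happened. A brief comment that vb2_start_streaming() rolls the buffers back itself on failure, as the changelog states, would keep someone from re-adding the cancel call later.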


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 251/305] SUNRPC: Fix leak of krb5p encode pages
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (292 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 242/305] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 010/305] ipv6: Fix another sparse warning on rt6i_node Ben Hutchings
                   ` (11 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Trond Myklebust, Chuck Lever

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 8dae5398ab1ac107b1517e8195ed043d5f422bd0 upstream.

call_encode can be invoked more than once per RPC call. Ensure that
each call to gss_wrap_req_priv does not overwrite pointers to
previously allocated memory.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/auth_gss/auth_gss.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1641,6 +1641,7 @@ priv_release_snd_buf(struct rpc_rqst *rq
 	for (i=0; i < rqstp->rq_enc_pages_num; i++)
 		__free_page(rqstp->rq_enc_pages[i]);
 	kfree(rqstp->rq_enc_pages);
+	rqstp->rq_release_snd_buf = NULL;
 }
 
 static int
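Review bot: priv_release_snd_buf() now clears rq_release_snd_buf but leaves rqstp->rq_enc_pages pointing at the array it has just passed to kfree() and rq_enc_pages_num at its old count. Resetting both alongside the callback pointer would make a stray second call harmless instead of a double free.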
@@ -1649,6 +1650,9 @@ alloc_enc_pages(struct rpc_rqst *rqstp)
 	struct xdr_buf *snd_buf = &rqstp->rq_snd_buf;
 	int first, last, i;
 
+	if (rqstp->rq_release_snd_buf)
+		rqstp->rq_release_snd_buf(rqstp);
+
 	if (snd_buf->page_len == 0) {
 		rqstp->rq_enc_pages_num = 0;
 		return 0;
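Review bot: alloc_enc_pages() calls whatever rq_release_snd_buf currently points at, on the assumption that it can only be priv_release_snd_buf() left over from an earlier encode. A comment stating that assumption, or an explicit comparison against priv_release_snd_buf before the call, would make the intent clear and guard against another release callback being installed on the request.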


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 165/305] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 173/305] fuse: fix leaked notify reply Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 276/305] USB: serial: option: add HP lt4132 Ben Hutchings
                   ` (171 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, H. Peter Anvin (Intel),
	Greg Kroah-Hartman, Ivan Kokshaysky, linux-alpha, Johan Hovold,
	Matt Turner, Thomas Gleixner, Eugene Syromiatnikov, linux-serial,
	Al Viro, Richard Henderson, Kate Stewart, Philippe Ombredanne,
	Jiri Slaby, Alan Cox

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "H. Peter Anvin (Intel)" <hpa@zytor.com>

commit d0ffb805b729322626639336986bc83fc2e60871 upstream.

Alpha has had c_ispeed and c_ospeed, but still set speeds in c_cflags
using arbitrary flags. Because BOTHER is not defined, the general
Linux code doesn't allow setting arbitrary baud rates, and because
CBAUDEX == 0, we can have an array overrun of the baud_rate[] table in
drivers/tty/tty_baudrate.c if (c_cflags & CBAUD) == 037.

Resolve both problems by #defining BOTHER to 037 on Alpha.

However, userspace still needs to know if setting BOTHER is actually
safe given legacy kernels (does anyone actually care about that on
Alpha anymore?), so enable the TCGETS2/TCSETS*2 ioctls on Alpha, even
though they use the same structure. Define struct termios2 just for
compatibility; it is the exact same structure as struct termios. In a
future patchset, this will be cleaned up so the uapi headers are
usable from libc.

Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: <linux-alpha@vger.kernel.org>
Cc: <linux-serial@vger.kernel.org>
Cc: Johan Hovold <johan@kernel.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/alpha/include/asm/termios.h       |  8 +++++++-
 arch/alpha/include/uapi/asm/ioctls.h   |  5 +++++
 arch/alpha/include/uapi/asm/termbits.h | 17 +++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

--- a/arch/alpha/include/asm/termios.h
+++ b/arch/alpha/include/asm/termios.h
@@ -72,9 +72,15 @@
 })
 
 #define user_termios_to_kernel_termios(k, u) \
-	copy_from_user(k, u, sizeof(struct termios))
+	copy_from_user(k, u, sizeof(struct termios2))
 
 #define kernel_termios_to_user_termios(u, k) \
+	copy_to_user(u, k, sizeof(struct termios2))
+
+#define user_termios_to_kernel_termios_1(k, u) \
+	copy_from_user(k, u, sizeof(struct termios))
+
+#define kernel_termios_to_user_termios_1(u, k) \
 	copy_to_user(u, k, sizeof(struct termios))
 
 #endif	/* _ALPHA_TERMIOS_H */
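Review bot: The split between sizeof(struct termios2) in the plain macros and sizeof(struct termios) in the new _1 variants relies on the two structures staying identical, as the comment added in termbits.h says they are. A build-time size check near the users, or at least a comment here pointing at that invariant, would catch a future divergence between the two definitions.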
--- a/arch/alpha/include/uapi/asm/ioctls.h
+++ b/arch/alpha/include/uapi/asm/ioctls.h
@@ -31,6 +31,11 @@
 #define TCXONC		_IO('t', 30)
 #define TCFLSH		_IO('t', 31)
 
+#define TCGETS2		_IOR('T', 42, struct termios2)
+#define TCSETS2		_IOW('T', 43, struct termios2)
+#define TCSETSW2	_IOW('T', 44, struct termios2)
+#define TCSETSF2	_IOW('T', 45, struct termios2)
+
 #define TIOCSWINSZ	_IOW('t', 103, struct winsize)
 #define TIOCGWINSZ	_IOR('t', 104, struct winsize)
 #define	TIOCSTART	_IO('t', 110)		/* start output, like ^Q */
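Review bot: The four new ioctls use the 'T' magic while every neighbouring definition in this hunk uses lowercase 't'. If that is deliberate, a one-line comment above TCGETS2 explaining why would prevent a well-meaning "typo fix" that changes the ioctl numbers.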
--- a/arch/alpha/include/uapi/asm/termbits.h
+++ b/arch/alpha/include/uapi/asm/termbits.h
@@ -25,6 +25,19 @@ struct termios {
 	speed_t c_ospeed;		/* output speed */
 };
 
+/* Alpha has identical termios and termios2 */
+
+struct termios2 {
+	tcflag_t c_iflag;		/* input mode flags */
+	tcflag_t c_oflag;		/* output mode flags */
+	tcflag_t c_cflag;		/* control mode flags */
+	tcflag_t c_lflag;		/* local mode flags */
+	cc_t c_cc[NCCS];		/* control characters */
+	cc_t c_line;			/* line discipline (== c_cc[19]) */
+	speed_t c_ispeed;		/* input speed */
+	speed_t c_ospeed;		/* output speed */
+};
+
 /* Alpha has matching termios and ktermios */
 
 struct ktermios {
@@ -147,6 +160,7 @@ struct ktermios {
 #define B3000000  00034
 #define B3500000  00035
 #define B4000000  00036
+#define BOTHER    00037
 
 #define CSIZE	00001400
 #define   CS5	00000000
@@ -164,6 +178,9 @@ struct ktermios {
 #define CMSPAR	  010000000000		/* mark or space (stick) parity */
 #define CRTSCTS	  020000000000		/* flow control */
 
+#define CIBAUD	07600000
+#define IBSHIFT	16
+
 /* c_lflag bits */
 #define ISIG	0x00000080
 #define ICANON	0x00000100
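Review bot: CIBAUD is written as the bare literal 07600000, which is 037 shifted left by IBSHIFT (16). Defining it as a shifted mask, or adding a comment with that relationship, would make it obvious that it covers the same five bits as the output baud field, including the new BOTHER value.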


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 252/305] SUNRPC: Fix a potential race in xprt_connect()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (198 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 057/305] Drivers: hv: kvp: Fix two "this statement may fall through" warnings Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 069/305] bcache: fix miss key refill->end in writeback Ben Hutchings
                   ` (105 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Trond Myklebust

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 0a9a4304f3614e25d9de9b63502ca633c01c0d70 upstream.

If an asynchronous connection attempt completes while another task is
in xprt_connect(), then the call to rpc_sleep_on() could end up
racing with the call to xprt_wake_pending_tasks().
So add a second test of the connection state after we've put the
task to sleep and set the XPRT_CONNECTING flag, when we know that there
can be no asynchronous connection attempts still in progress.

Fixes: 0b9e79431377d ("SUNRPC: Move the test for XPRT_CONNECTING into...")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/xprt.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -721,8 +721,15 @@ void xprt_connect(struct rpc_task *task)
 			return;
 		if (xprt_test_and_set_connecting(xprt))
 			return;
-		xprt->stat.connect_start = jiffies;
-		xprt->ops->connect(xprt, task);
+		/* Race breaker */
+		if (!xprt_connected(xprt)) {
+			xprt->stat.connect_start = jiffies;
+			xprt->ops->connect(xprt, task);
+		} else {
+			xprt_clear_connecting(xprt);
+			task->tk_status = 0;
+			rpc_wake_up_queued_task(&xprt->pending, task);
+		}
 	}
 }
 
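Review bot: The `/* Race breaker */` comment is too terse for what the else branch does. Please say which race it closes (per the changelog, an asynchronous connection attempt completing while this task is being put to sleep) and why the task has to be woken by hand with tk_status = 0 after XPRT_CONNECTING is cleared.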


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 230/305] ALSA: control: fix failure to return numerical ID in 'add' event
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 200/305] xtensa: fix boot parameters address translation Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 187/305] batman-adv: Check total_size when queueing fragments Ben Hutchings
                   ` (280 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Takashi Sakamoto

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit d34890cf4113397625a6629d71749fa638a7a734 upstream.

Currently when adding a new control, the assigned numerical ID is not
set for event data, thus userspace applications cannot realize it just
by event data.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/control.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -368,6 +368,7 @@ int snd_ctl_add(struct snd_card *card, s
 	card->controls_count += kcontrol->count;
 	kcontrol->id.numid = card->last_numid + 1;
 	card->last_numid += kcontrol->count;
+	id = kcontrol->id;
 	count = kcontrol->count;
 	up_write(&card->controls_rwsem);
 	for (idx = 0; idx < count; idx++, id.index++, id.numid++)
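Review bot: `id = kcontrol->id;` needs a comment on its placement. It has to come after kcontrol->id.numid is assigned and before up_write(), because the notification loop below works on the local copy once controls_rwsem is released. Without that note the line looks like a redundant copy and is easy to move or drop.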


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 250/305] tun: forbid iface creation with rtnl ops
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 055/305] w1: omap-hdq: fix missing bus unregister at removal Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 260/305] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices Ben Hutchings
                   ` (243 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nicolas Dichtel, David S. Miller,
	Eric W. Biederman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>

commit 35b827b6d06199841a83839e8bb69c0cd13a28be upstream.

It's not supported right now (the goal of the initial patch was to support
'ip link del' only).

Before the patch:
$ ip link add foo type tun
[  239.632660] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[snip]
[  239.636410] RIP: 0010:register_netdevice+0x8e/0x3a0

This panic occurs because dev->netdev_ops is not set by tun_setup(). But to
have something usable, it will require more than just setting
netdev_ops.

Fixes: f019a7a594d9 ("tun: Implement ip link del tunXXX")
CC: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Don't use extack]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1415,9 +1415,7 @@ static void tun_setup(struct net_device
  */
 static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
 {
-	if (!data)
-		return 0;
-	return -EINVAL;
+	return -EOPNOTSUPP;
 }
 
 static struct rtnl_link_ops tun_link_ops __read_mostly = {
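Review bot: tun_validate() now ignores both tb and data and fails unconditionally, so the block comment that ends just above it should be checked and updated to say that creating tun devices through rtnl is not supported, and why. With extack dropped in this backport the user sees only the errno, which makes the in-source explanation more important.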


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 275/305] net/mlx4_core: Correctly set PFC param if global pause is turned off.
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 171/305] mac80211: Clear beacon_int in ieee80211_do_stop Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 298/305] net: macb: add missing barriers when reading descriptors Ben Hutchings
                   ` (84 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eran Ben Elisha, David S. Miller, Tarick Bedeir

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tarick Bedeir <tarick@google.com>

commit bd5122cd1e0644d8bd8dd84517c932773e999766 upstream.

rx_ppp and tx_ppp can be set between 0 and 255, so don't clamp to 1.

Fixes: 6e8814ceb7e8 ("net/mlx4_en: Fix mixed PFC and Global pause user control requests")
Signed-off-by: Tarick Bedeir <tarick@google.com>
Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -498,8 +498,8 @@ static int mlx4_en_set_pauseparam(struct
 
 	tx_pause = !!(pause->tx_pause);
 	rx_pause = !!(pause->rx_pause);
-	rx_ppp = priv->prof->rx_ppp && !(tx_pause || rx_pause);
-	tx_ppp = priv->prof->tx_ppp && !(tx_pause || rx_pause);
+	rx_ppp = (tx_pause || rx_pause) ? 0 : priv->prof->rx_ppp;
+	tx_ppp = (tx_pause || rx_pause) ? 0 : priv->prof->tx_ppp;
 
 	err = mlx4_SET_PORT_general(mdev->dev, priv->port,
 				    priv->rx_skb_size + ETH_FCS_LEN,
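Review bot: The fix depends on the local rx_ppp and tx_ppp being wide enough to carry the 0 to 255 range from priv->prof. Their declarations are outside this hunk, so please confirm they are not bool or a one-bit field. The (tx_pause || rx_pause) test is also evaluated twice and could be hoisted into a local.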


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 253/305] ALSA: usb-audio: Avoid nested autoresume calls
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 47ab154593827b1a8f0713a2b9dd445753d551d8 upstream.

After the recent fix of runtime PM for USB-audio driver, we got a
lockdep warning like:

  =============================================
  [ INFO: possible recursive locking detected ]
  4.2.0-rc8+ #61 Not tainted
  ---------------------------------------------
  pulseaudio/980 is trying to acquire lock:
   (&chip->shutdown_rwsem){.+.+.+}, at: [<ffffffffa0355dac>] snd_usb_autoresume+0x1d/0x52 [snd_usb_audio]
  but task is already holding lock:
   (&chip->shutdown_rwsem){.+.+.+}, at: [<ffffffffa0355dac>] snd_usb_autoresume+0x1d/0x52 [snd_usb_audio]

This comes from snd_usb_autoresume() invoking down_read() and it's
used in a nested way.  Although it's basically safe, per se (as these
are read locks), it's better to reduce such spurious warnings.

The read lock is needed to guarantee the execution of "shutdown"
(cleanup at disconnection) task after all concurrent tasks are
finished.  This can be implemented in another better way.

Also, the current check of chip->in_pm isn't good enough for
protecting the racy execution of multiple auto-resumes.

This patch rewrites the logic of snd_usb_autoresume() & co; namely,
- The recursive call of autopm is avoided by the new refcount,
  chip->active.  The chip->in_pm flag is removed accordingly.
- Instead of rwsem, another refcount, chip->usage_count, is introduced
  for tracking the period to delay the shutdown procedure.  At
  the last clear of this refcount, wake_up() to the shutdown waiter is
  called.
- The shutdown flag is replaced with shutdown atomic count; this is
  for reducing the lock.
- Two new helpers are introduced to simplify the management of these
  refcounts; snd_usb_lock_shutdown() increases the usage_count, checks
  the shutdown state, and does autoresume.  snd_usb_unlock_shutdown()
  does the opposite.  Most of mixer and other codes just need this,
  and simply returns an error if it receives an error from lock.

Fixes: 9003ebb13f61 ('ALSA: usb-audio: Fix runtime PM unbalance')
Reported-and-tested-by: Alexnader Kuleshov <kuleshovmail@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16:
 - Drop inapplicable changes in mixer quirk functions
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -396,13 +396,15 @@ static int snd_usb_audio_create(struct u
 	}
 
 	mutex_init(&chip->mutex);
-	init_rwsem(&chip->shutdown_rwsem);
+	init_waitqueue_head(&chip->shutdown_wait);
 	chip->index = idx;
 	chip->dev = dev;
 	chip->card = card;
 	chip->setup = device_setup[idx];
 	chip->autoclock = autoclock;
 	chip->probing = 1;
+	atomic_set(&chip->usage_count, 0);
+	atomic_set(&chip->shutdown, 0);
 
 	chip->usb_id = USB_ID(le16_to_cpu(dev->descriptor.idVendor),
 			      le16_to_cpu(dev->descriptor.idProduct));
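Review bot: the atomic_set() calls added at the end of this hunk initialize chip->usage_count and chip->shutdown, but chip->active, the third counter this patch introduces, gets no explicit initialization here. Either add atomic_set(&chip->active, 0) next to them or add a comment that the chip allocation is zeroed, so the three counters are set up consistently.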
@@ -525,7 +527,7 @@ snd_usb_audio_probe(struct usb_device *d
 	mutex_lock(&register_mutex);
 	for (i = 0; i < SNDRV_CARDS; i++) {
 		if (usb_chip[i] && usb_chip[i]->dev == dev) {
-			if (usb_chip[i]->shutdown) {
+			if (atomic_read(&usb_chip[i]->shutdown)) {
 				dev_err(&dev->dev, "USB device is in the shutdown state, cannot create a card instance\n");
 				goto __error;
 			}
@@ -610,21 +612,21 @@ static void snd_usb_audio_disconnect(str
 {
 	struct snd_card *card;
 	struct list_head *p;
-	bool was_shutdown;
 
 	if (chip == (void *)-1L)
 		return;
 
 	card = chip->card;
-	down_write(&chip->shutdown_rwsem);
-	was_shutdown = chip->shutdown;
-	chip->shutdown = 1;
-	up_write(&chip->shutdown_rwsem);
 
 	mutex_lock(&register_mutex);
-	if (!was_shutdown) {
+	if (atomic_inc_return(&chip->shutdown) == 1) {
 		struct snd_usb_endpoint *ep;
 
+		/* wait until all pending tasks done;
+		 * they are protected by snd_usb_lock_shutdown()
+		 */
+		wait_event(chip->shutdown_wait,
+			   !atomic_read(&chip->usage_count));
 		snd_card_disconnect(card);
 		/* release the pcm resources */
 		list_for_each(p, &chip->pcm_list) {
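Review bot: the wait_event() added inside the atomic_inc_return(&chip->shutdown) == 1 branch sleeps uninterruptibly, with no timeout, while register_mutex is held. A single task stuck between snd_usb_lock_shutdown() and snd_usb_unlock_shutdown() therefore blocks this disconnect and anything else that takes register_mutex, such as snd_usb_audio_probe(). Please document why the wait has to happen under the mutex, or restructure so the sleep happens outside it.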
@@ -675,28 +677,54 @@ static void usb_audio_disconnect(struct
 				 usb_get_intfdata(intf));
 }
 
-#ifdef CONFIG_PM
-
-int snd_usb_autoresume(struct snd_usb_audio *chip)
+/* lock the shutdown (disconnect) task and autoresume */
+int snd_usb_lock_shutdown(struct snd_usb_audio *chip)
 {
-	int err = -ENODEV;
+	int err;
 
-	down_read(&chip->shutdown_rwsem);
-	if (chip->probing || chip->in_pm)
-		err = 0;
-	else if (!chip->shutdown)
-		err = usb_autopm_get_interface(chip->pm_intf);
-	up_read(&chip->shutdown_rwsem);
+	atomic_inc(&chip->usage_count);
+	if (atomic_read(&chip->shutdown)) {
+		err = -EIO;
+		goto error;
+	}
+	err = snd_usb_autoresume(chip);
+	if (err < 0)
+		goto error;
+	return 0;
 
+ error:
+	if (atomic_dec_and_test(&chip->usage_count))
+		wake_up(&chip->shutdown_wait);
 	return err;
 }
 
+/* autosuspend and unlock the shutdown */
+void snd_usb_unlock_shutdown(struct snd_usb_audio *chip)
+{
+	snd_usb_autosuspend(chip);
+	if (atomic_dec_and_test(&chip->usage_count))
+		wake_up(&chip->shutdown_wait);
+}
+
+#ifdef CONFIG_PM
+
+int snd_usb_autoresume(struct snd_usb_audio *chip)
+{
+	if (atomic_read(&chip->shutdown))
+		return -EIO;
+	if (chip->probing)
+		return 0;
+	if (atomic_inc_return(&chip->active) == 1)
+		return usb_autopm_get_interface(chip->pm_intf);
+	return 0;
+}
+
 void snd_usb_autosuspend(struct snd_usb_audio *chip)
 {
-	down_read(&chip->shutdown_rwsem);
-	if (!chip->shutdown && !chip->probing && !chip->in_pm)
+	if (chip->probing)
+		return;
+	if (atomic_dec_and_test(&chip->active))
 		usb_autopm_put_interface(chip->pm_intf);
-	up_read(&chip->shutdown_rwsem);
 }
 
 static int usb_audio_suspend(struct usb_interface *intf, pm_message_t message)
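Review bot: in the new snd_usb_autoresume(), when atomic_inc_return(&chip->active) == 1 and usb_autopm_get_interface() then fails, the error is returned with chip->active still incremented. snd_usb_lock_shutdown() jumps to its error label without calling snd_usb_autosuspend(), so the count never drops back, and every later caller sees a value above 1 and returns 0 without resuming the interface. Decrement chip->active on that failure path. Separately, snd_usb_lock_shutdown() does atomic_inc() followed by atomic_read() with no barrier between them; a comment on what orders the usage_count increment against the shutdown read in the disconnect path would help.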
@@ -744,7 +772,7 @@ static int __usb_audio_resume(struct usb
 	if (--chip->num_suspended_intf)
 		return 0;
 
-	chip->in_pm = 1;
+	atomic_inc(&chip->active); /* avoid autopm */
 	/*
 	 * ALSA leaves material resumption to user space
 	 * we just notify and restart the mixers
@@ -760,7 +788,7 @@ static int __usb_audio_resume(struct usb
 	chip->autosuspended = 0;
 
 err_out:
-	chip->in_pm = 0;
+	atomic_dec(&chip->active); /* allow autopm after this point */
 	return err;
 }
 
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -353,8 +353,10 @@ static void snd_complete_urb(struct urb
 	if (unlikely(urb->status == -ENOENT ||		/* unlinked */
 		     urb->status == -ENODEV ||		/* device removed */
 		     urb->status == -ECONNRESET ||	/* unlinked */
-		     urb->status == -ESHUTDOWN ||	/* device disabled */
-		     ep->chip->shutdown))		/* device disconnected */
+		     urb->status == -ESHUTDOWN))	/* device disabled */
+		goto exit_clear;
+	/* device disconnected */
+	if (unlikely(atomic_read(&ep->chip->shutdown)))
 		goto exit_clear;
 
 	if (usb_pipeout(ep->pipe)) {
@@ -529,7 +531,7 @@ static int deactivate_urbs(struct snd_us
 {
 	unsigned int i;
 
-	if (!force && ep->chip->shutdown) /* to be sure... */
+	if (!force && atomic_read(&ep->chip->shutdown)) /* to be sure... */
 		return -EBADFD;
 
 	clear_bit(EP_FLAG_RUNNING, &ep->flags);
@@ -868,7 +870,7 @@ int snd_usb_endpoint_start(struct snd_us
 	int err;
 	unsigned int i;
 
-	if (ep->chip->shutdown)
+	if (atomic_read(&ep->chip->shutdown))
 		return -EBADFD;
 
 	/* already running? */
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -296,14 +296,11 @@ static int get_ctl_value_v1(struct usb_m
 	int timeout = 10;
 	int idx = 0, err;
 
-	err = snd_usb_autoresume(cval->mixer->chip);
+	err = snd_usb_lock_shutdown(chip);
 	if (err < 0)
 		return -EIO;
 
-	down_read(&chip->shutdown_rwsem);
 	while (timeout-- > 0) {
-		if (chip->shutdown)
-			break;
 		idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
 		if (snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), request,
 				    USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
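Review bot: dropping the "if (chip->shutdown) break;" test from the while (timeout-- > 0) loop means the loop can keep retrying snd_usb_ctl_msg() on an unplugged device while it holds usage_count, and the disconnect path now sleeps in wait_event() until that count reaches zero. Keeping an atomic_read(&chip->shutdown) test inside the loop would let it bail out early and shorten the disconnect wait.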
@@ -319,8 +316,7 @@ static int get_ctl_value_v1(struct usb_m
 	err = -EINVAL;
 
  out:
-	up_read(&chip->shutdown_rwsem);
-	snd_usb_autosuspend(cval->mixer->chip);
+	snd_usb_unlock_shutdown(chip);
 	return err;
 }
 
@@ -343,21 +339,15 @@ static int get_ctl_value_v2(struct usb_m
 
 	memset(buf, 0, sizeof(buf));
 
-	ret = snd_usb_autoresume(chip) ? -EIO : 0;
+	ret = snd_usb_lock_shutdown(chip) ? -EIO : 0;
 	if (ret)
 		goto error;
 
-	down_read(&chip->shutdown_rwsem);
-	if (chip->shutdown) {
-		ret = -ENODEV;
-	} else {
-		idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
-		ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), bRequest,
+	idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
+	ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0), bRequest,
 			      USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
 			      validx, idx, buf, size);
-	}
-	up_read(&chip->shutdown_rwsem);
-	snd_usb_autosuspend(chip);
+	snd_usb_unlock_shutdown(chip);
 
 	if (ret < 0) {
 error:
@@ -469,13 +459,12 @@ int snd_usb_mixer_set_ctl_value(struct u
 	value_set = convert_bytes_value(cval, value_set);
 	buf[0] = value_set & 0xff;
 	buf[1] = (value_set >> 8) & 0xff;
-	err = snd_usb_autoresume(chip);
+
+	err = snd_usb_lock_shutdown(chip);
 	if (err < 0)
 		return -EIO;
-	down_read(&chip->shutdown_rwsem);
+
 	while (timeout-- > 0) {
-		if (chip->shutdown)
-			break;
 		idx = snd_usb_ctrl_intf(chip) | (cval->id << 8);
 		if (snd_usb_ctl_msg(chip->dev,
 				    usb_sndctrlpipe(chip->dev, 0), request,
@@ -490,8 +479,7 @@ int snd_usb_mixer_set_ctl_value(struct u
 	err = -EINVAL;
 
  out:
-	up_read(&chip->shutdown_rwsem);
-	snd_usb_autosuspend(chip);
+	snd_usb_unlock_shutdown(chip);
 	return err;
 }
 
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -302,11 +302,10 @@ static int snd_audigy2nx_led_put(struct
 	if (value > 1)
 		return -EINVAL;
 	changed = value != mixer->audigy2nx_leds[index];
-	down_read(&mixer->chip->shutdown_rwsem);
-	if (mixer->chip->shutdown) {
-		err = -ENODEV;
-		goto out;
-	}
+	err = snd_usb_lock_shutdown(mixer->chip);
+	if (err < 0)
+		return err;
+
 	if (mixer->chip->usb_id == USB_ID(0x041e, 0x3042))
 		err = snd_usb_ctl_msg(mixer->chip->dev,
 			      usb_sndctrlpipe(mixer->chip->dev, 0), 0x24,
@@ -323,8 +322,7 @@ static int snd_audigy2nx_led_put(struct
 			      usb_sndctrlpipe(mixer->chip->dev, 0), 0x24,
 			      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER,
 			      value, index + 2, NULL, 0);
- out:
-	up_read(&mixer->chip->shutdown_rwsem);
+	snd_usb_unlock_shutdown(mixer->chip);
 	if (err < 0)
 		return err;
 	mixer->audigy2nx_leds[index] = value;
@@ -418,16 +416,15 @@ static void snd_audigy2nx_proc_read(stru
 
 	for (i = 0; jacks[i].name; ++i) {
 		snd_iprintf(buffer, "%s: ", jacks[i].name);
-		down_read(&mixer->chip->shutdown_rwsem);
-		if (mixer->chip->shutdown)
-			err = 0;
-		else
-			err = snd_usb_ctl_msg(mixer->chip->dev,
+		err = snd_usb_lock_shutdown(mixer->chip);
+		if (err < 0)
+			return;
+		err = snd_usb_ctl_msg(mixer->chip->dev,
 				      usb_rcvctrlpipe(mixer->chip->dev, 0),
 				      UAC_GET_MEM, USB_DIR_IN | USB_TYPE_CLASS |
 				      USB_RECIP_INTERFACE, 0,
 				      jacks[i].unitid << 8, buf, 3);
-		up_read(&mixer->chip->shutdown_rwsem);
+		snd_usb_unlock_shutdown(mixer->chip);
 		if (err == 3 && (buf[0] == 3 || buf[0] == 6))
 			snd_iprintf(buffer, "%02x %02x\n", buf[1], buf[2]);
 		else
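Review bot: the early "return;" added after a failed snd_usb_lock_shutdown() comes after snd_iprintf(buffer, "%s: ", jacks[i].name) has already written the jack name, so the proc output ends on a label with no value and no newline. The old code set err = 0 and fell through to the if/else that finishes the line; keep that fall-through, or print a terminating string before returning.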
@@ -476,17 +473,14 @@ static int snd_emu0204_ch_switch_put(str
 	buf[1] = value ? 0x02 : 0x01;
 
 	changed = value != kcontrol->private_value;
-	down_read(&mixer->chip->shutdown_rwsem);
-	if (mixer->chip->shutdown) {
-		err = -ENODEV;
-		goto out;
-	}
+	err = snd_usb_lock_shutdown(mixer->chip);
+	if (err < 0)
+		return err;
 	err = snd_usb_ctl_msg(mixer->chip->dev,
 		      usb_sndctrlpipe(mixer->chip->dev, 0), UAC_SET_CUR,
 		      USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
 		      0x0400, 0x0e00, buf, 2);
- out:
-	up_read(&mixer->chip->shutdown_rwsem);
+	snd_usb_unlock_shutdown(mixer->chip);
 	if (err < 0)
 		return err;
 	kcontrol->private_value = value;
@@ -542,15 +536,14 @@ static int snd_xonar_u1_switch_put(struc
 	else
 		new_status = old_status & ~0x02;
 	changed = new_status != old_status;
-	down_read(&mixer->chip->shutdown_rwsem);
-	if (mixer->chip->shutdown)
-		err = -ENODEV;
-	else
-		err = snd_usb_ctl_msg(mixer->chip->dev,
+	err = snd_usb_lock_shutdown(mixer->chip);
+	if (err < 0)
+		return err;
+	err = snd_usb_ctl_msg(mixer->chip->dev,
 			      usb_sndctrlpipe(mixer->chip->dev, 0), 0x08,
 			      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_OTHER,
 			      50, 0, &new_status, 1);
-	up_read(&mixer->chip->shutdown_rwsem);
+	snd_usb_unlock_shutdown(mixer->chip);
 	if (err < 0)
 		return err;
 	mixer->xonar_u1_status = new_status;
@@ -591,15 +584,14 @@ static int snd_nativeinstruments_control
 	u8 tmp;
 	int ret;
 
-	down_read(&mixer->chip->shutdown_rwsem);
-	if (mixer->chip->shutdown)
-		ret = -ENODEV;
-	else
-		ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), bRequest,
-				  USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
-				  0, wIndex,
-				  &tmp, sizeof(tmp), 1000);
-	up_read(&mixer->chip->shutdown_rwsem);
+	ret = snd_usb_lock_shutdown(mixer->chip);
+	if (ret < 0)
+		return ret;
+	ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), bRequest,
+			      USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
+			      0, wIndex,
+			      &tmp, sizeof(tmp), 1000);
+	snd_usb_unlock_shutdown(mixer->chip);
 
 	if (ret < 0) {
 		dev_err(&dev->dev,
@@ -622,15 +614,14 @@ static int snd_nativeinstruments_control
 	u16 wValue = ucontrol->value.integer.value[0];
 	int ret;
 
-	down_read(&mixer->chip->shutdown_rwsem);
-	if (mixer->chip->shutdown)
-		ret = -ENODEV;
-	else
-		ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), bRequest,
-				  USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
-				  wValue, wIndex,
-				  NULL, 0, 1000);
-	up_read(&mixer->chip->shutdown_rwsem);
+	ret = snd_usb_lock_shutdown(mixer->chip);
+	if (ret < 0)
+		return ret;
+	ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), bRequest,
+			      USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+			      wValue, wIndex,
+			      NULL, 0, 1000);
+	snd_usb_unlock_shutdown(mixer->chip);
 
 	if (ret < 0) {
 		dev_err(&dev->dev,
@@ -792,16 +783,15 @@ static int snd_ftu_eff_switch_get(struct
 	id = pval->bUnitID;
 	validx = pval->validx;
 
-	down_read(&mixer->chip->shutdown_rwsem);
-	if (mixer->chip->shutdown)
-		err = -ENODEV;
-	else
-		err = snd_usb_ctl_msg(chip->dev,
+	err = snd_usb_lock_shutdown(mixer->chip);
+	if (err < 0)
+		return err;
+	err = snd_usb_ctl_msg(chip->dev,
 			usb_rcvctrlpipe(chip->dev, 0), UAC_GET_CUR,
 			USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
 			validx << 8, snd_usb_ctrl_intf(chip) | (id << 8),
 			value, val_len);
-	up_read(&mixer->chip->shutdown_rwsem);
+	snd_usb_unlock_shutdown(mixer->chip);
 	if (err < 0)
 		return err;
 
@@ -845,16 +835,15 @@ static int snd_ftu_eff_switch_put(struct
 
 	if (!pval->is_cached) {
 		/* Read current value */
-		down_read(&mixer->chip->shutdown_rwsem);
-		if (mixer->chip->shutdown)
-			err = -ENODEV;
-		else
-			err = snd_usb_ctl_msg(chip->dev,
+		err = snd_usb_lock_shutdown(mixer->chip);
+		if (err < 0)
+			return err;
+		err = snd_usb_ctl_msg(chip->dev,
 				usb_rcvctrlpipe(chip->dev, 0), UAC_GET_CUR,
 				USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
 				validx << 8, snd_usb_ctrl_intf(chip) | (id << 8),
 				value, val_len);
-		up_read(&mixer->chip->shutdown_rwsem);
+		snd_usb_unlock_shutdown(mixer->chip);
 		if (err < 0)
 			return err;
 
@@ -866,16 +855,15 @@ static int snd_ftu_eff_switch_put(struct
 	if (cur_val != new_val) {
 		value[0] = new_val;
 		value[1] = 0;
-		down_read(&mixer->chip->shutdown_rwsem);
-		if (mixer->chip->shutdown)
-			err = -ENODEV;
-		else
-			err = snd_usb_ctl_msg(chip->dev,
+		err = snd_usb_lock_shutdown(chip);
+		if (err < 0)
+			return err;
+		err = snd_usb_ctl_msg(chip->dev,
 				usb_sndctrlpipe(chip->dev, 0), UAC_SET_CUR,
 				USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
 				validx << 8, snd_usb_ctrl_intf(chip) | (id << 8),
 				value, val_len);
-		up_read(&mixer->chip->shutdown_rwsem);
+		snd_usb_unlock_shutdown(chip);
 		if (err < 0)
 			return err;
 
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -80,7 +80,7 @@ static snd_pcm_uframes_t snd_usb_pcm_poi
 	unsigned int hwptr_done;
 
 	subs = (struct snd_usb_substream *)substream->runtime->private_data;
-	if (subs->stream->chip->shutdown)
+	if (atomic_read(&subs->stream->chip->shutdown))
 		return SNDRV_PCM_POS_XRUN;
 	spin_lock(&subs->lock);
 	hwptr_done = subs->hwptr_done;
@@ -713,12 +713,11 @@ static int snd_usb_hw_params(struct snd_
 		return -EINVAL;
 	}
 
-	down_read(&subs->stream->chip->shutdown_rwsem);
-	if (subs->stream->chip->shutdown)
-		ret = -ENODEV;
-	else
-		ret = set_format(subs, fmt);
-	up_read(&subs->stream->chip->shutdown_rwsem);
+	ret = snd_usb_lock_shutdown(subs->stream->chip);
+	if (ret < 0)
+		return ret;
+	ret = set_format(subs, fmt);
+	snd_usb_unlock_shutdown(subs->stream->chip);
 	if (ret < 0)
 		return ret;
 
@@ -741,13 +740,12 @@ static int snd_usb_hw_free(struct snd_pc
 	subs->cur_audiofmt = NULL;
 	subs->cur_rate = 0;
 	subs->period_bytes = 0;
-	down_read(&subs->stream->chip->shutdown_rwsem);
-	if (!subs->stream->chip->shutdown) {
+	if (!snd_usb_lock_shutdown(subs->stream->chip)) {
 		stop_endpoints(subs, true);
 		snd_usb_endpoint_deactivate(subs->sync_endpoint);
 		snd_usb_endpoint_deactivate(subs->data_endpoint);
+		snd_usb_unlock_shutdown(subs->stream->chip);
 	}
-	up_read(&subs->stream->chip->shutdown_rwsem);
 	return snd_pcm_lib_free_vmalloc_buffer(substream);
 }
 
@@ -769,11 +767,9 @@ static int snd_usb_pcm_prepare(struct sn
 		return -ENXIO;
 	}
 
-	down_read(&subs->stream->chip->shutdown_rwsem);
-	if (subs->stream->chip->shutdown) {
-		ret = -ENODEV;
-		goto unlock;
-	}
+	ret = snd_usb_lock_shutdown(subs->stream->chip);
+	if (ret < 0)
+		return ret;
 	if (snd_BUG_ON(!subs->data_endpoint)) {
 		ret = -EIO;
 		goto unlock;
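Review bot: the shutdown case at the top of this hunk used to return -ENODEV and now returns whatever snd_usb_lock_shutdown() yields, which is -EIO when chip->shutdown is set. The same substitution is made in the mixer quirk and hw_params hunks, so user space sees a different errno for an unplugged device after this change. If that is intended, say so in the changelog; otherwise map the error back to -ENODEV here.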
@@ -822,7 +818,7 @@ static int snd_usb_pcm_prepare(struct sn
 		ret = start_endpoints(subs, true);
 
  unlock:
-	up_read(&subs->stream->chip->shutdown_rwsem);
+	snd_usb_unlock_shutdown(subs->stream->chip);
 	return ret;
 }
 
@@ -1224,9 +1220,11 @@ static int snd_usb_pcm_close(struct snd_
 
 	stop_endpoints(subs, true);
 
-	if (!as->chip->shutdown && subs->interface >= 0) {
+	if (subs->interface >= 0 &&
+	    !snd_usb_lock_shutdown(subs->stream->chip)) {
 		usb_set_interface(subs->dev, subs->interface, 0);
 		subs->interface = -1;
+		snd_usb_unlock_shutdown(subs->stream->chip);
 	}
 
 	subs->pcm_substream = NULL;
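Review bot: the rewritten condition calls snd_usb_lock_shutdown(), which also attempts an autoresume, so usb_set_interface() and the "subs->interface = -1" reset are now skipped on any resume failure, not only after disconnect. That leaves subs->interface >= 0 on a closed substream. Resetting subs->interface outside the locked block would keep the state consistent regardless of the lock result.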
--- a/sound/usb/proc.c
+++ b/sound/usb/proc.c
@@ -46,14 +46,14 @@ static inline unsigned get_high_speed_hz
 static void proc_audio_usbbus_read(struct snd_info_entry *entry, struct snd_info_buffer *buffer)
 {
 	struct snd_usb_audio *chip = entry->private_data;
-	if (!chip->shutdown)
+	if (!atomic_read(&chip->shutdown))
 		snd_iprintf(buffer, "%03d/%03d\n", chip->dev->bus->busnum, chip->dev->devnum);
 }
 
 static void proc_audio_usbid_read(struct snd_info_entry *entry, struct snd_info_buffer *buffer)
 {
 	struct snd_usb_audio *chip = entry->private_data;
-	if (!chip->shutdown)
+	if (!atomic_read(&chip->shutdown))
 		snd_iprintf(buffer, "%04x:%04x\n", 
 			    USB_ID_VENDOR(chip->usb_id),
 			    USB_ID_PRODUCT(chip->usb_id));
--- a/sound/usb/usbaudio.h
+++ b/sound/usb/usbaudio.h
@@ -37,11 +37,12 @@ struct snd_usb_audio {
 	struct usb_interface *pm_intf;
 	u32 usb_id;
 	struct mutex mutex;
-	struct rw_semaphore shutdown_rwsem;
-	unsigned int shutdown:1;
 	unsigned int probing:1;
-	unsigned int in_pm:1;
 	unsigned int autosuspended:1;	
+	atomic_t active;
+	atomic_t shutdown;
+	atomic_t usage_count;
+	wait_queue_head_t shutdown_wait;
 	unsigned int txfr_quirk:1; /* Subframe boundaries on transfers */
 	
 	int num_interfaces;
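Review bot: the four fields added to struct snd_usb_audio carry no comments, and active, shutdown and usage_count are easy to confuse. A one-line comment on each (active: autopm nesting count; shutdown: nonzero once disconnect has started; usage_count: tasks between snd_usb_lock_shutdown() and snd_usb_unlock_shutdown(); shutdown_wait: woken when usage_count reaches zero) would document the protocol where readers will look for it.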
@@ -116,4 +117,7 @@ struct snd_usb_audio_quirk {
 #define combine_triple(s)  (combine_word(s) | ((unsigned int)(s)[2] << 16))
 #define combine_quad(s)    (combine_triple(s) | ((unsigned int)(s)[3] << 24))
 
+int snd_usb_lock_shutdown(struct snd_usb_audio *chip);
+void snd_usb_unlock_shutdown(struct snd_usb_audio *chip);
+
 #endif /* __USBAUDIO_H */


* [PATCH 3.16 254/305] ALSA: usb-audio: Replace probing flag with active refcount
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit a6da499b76b1a75412f047ac388e9ffd69a5c55b upstream.

We can use active refcount for preventing autopm during probe.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/card.c     | 12 ++++--------
 sound/usb/usbaudio.h |  1 -
 2 files changed, 4 insertions(+), 9 deletions(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -402,7 +402,7 @@ static int snd_usb_audio_create(struct u
 	chip->card = card;
 	chip->setup = device_setup[idx];
 	chip->autoclock = autoclock;
-	chip->probing = 1;
+	atomic_set(&chip->active, 1); /* avoid autopm during probing */
 	atomic_set(&chip->usage_count, 0);
 	atomic_set(&chip->shutdown, 0);
 
@@ -532,7 +532,7 @@ snd_usb_audio_probe(struct usb_device *d
 				goto __error;
 			}
 			chip = usb_chip[i];
-			chip->probing = 1;
+			atomic_inc(&chip->active); /* avoid autopm */
 			break;
 		}
 	}
@@ -588,7 +588,7 @@ snd_usb_audio_probe(struct usb_device *d
 
 	usb_chip[chip->index] = chip;
 	chip->num_interfaces++;
-	chip->probing = 0;
+	atomic_dec(&chip->active);
 	mutex_unlock(&register_mutex);
 	return chip;
 
@@ -596,7 +596,7 @@ snd_usb_audio_probe(struct usb_device *d
 	if (chip) {
 		if (!chip->num_interfaces)
 			snd_card_free(chip->card);
-		chip->probing = 0;
+		atomic_dec(&chip->active);
 	}
 	mutex_unlock(&register_mutex);
  __err_val:
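Review bot: in the __error path, atomic_dec(&chip->active) runs after snd_card_free(chip->card). If the chip structure is released together with the card (its allocation is not visible in this hunk), the decrement writes to freed memory whenever chip->num_interfaces is zero. Do the atomic_dec() before the "if (!chip->num_interfaces)" test so the counter is touched while the object is certainly still alive.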
@@ -712,8 +712,6 @@ int snd_usb_autoresume(struct snd_usb_au
 {
 	if (atomic_read(&chip->shutdown))
 		return -EIO;
-	if (chip->probing)
-		return 0;
 	if (atomic_inc_return(&chip->active) == 1)
 		return usb_autopm_get_interface(chip->pm_intf);
 	return 0;
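Review bot: with the chip->probing early return removed, a snd_usb_autoresume() call made while probe still holds its reference sees atomic_inc_return() return 2 and skips usb_autopm_get_interface(). If the matching snd_usb_autosuspend() runs after probe's atomic_dec(&chip->active), the count reaches zero there and usb_autopm_put_interface() is called without a prior get. Please confirm that no caller can straddle the end of probe, and record that assumption in a comment.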
@@ -721,8 +719,6 @@ int snd_usb_autoresume(struct snd_usb_au
 
 void snd_usb_autosuspend(struct snd_usb_audio *chip)
 {
-	if (chip->probing)
-		return;
 	if (atomic_dec_and_test(&chip->active))
 		usb_autopm_put_interface(chip->pm_intf);
 }
--- a/sound/usb/usbaudio.h
+++ b/sound/usb/usbaudio.h
@@ -37,7 +37,6 @@ struct snd_usb_audio {
 	struct usb_interface *pm_intf;
 	u32 usb_id;
 	struct mutex mutex;
-	unsigned int probing:1;
 	unsigned int autosuspended:1;	
 	atomic_t active;
 	atomic_t shutdown;


* [PATCH 3.16 241/305] kvm: mmu: Fix race in emulated page table writes
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Wanpeng Li, Junaid Shahid, Paolo Bonzini

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Junaid Shahid <junaids@google.com>

commit 0e0fee5c539b61fdd098332e0e2cc375d9073706 upstream.

When a guest page table is updated via an emulated write,
kvm_mmu_pte_write() is called to update the shadow PTE using the just
written guest PTE value. But if two emulated guest PTE writes happened
concurrently, it is possible that the guest PTE and the shadow PTE end
up being out of sync. Emulated writes do not mark the shadow page as
unsync-ed, so this inconsistency will not be resolved even by a guest TLB
flush (unless the page was marked as unsync-ed at some other point).

This is fixed by re-reading the current value of the guest PTE after the
MMU lock has been acquired instead of just using the value that was
written prior to calling kvm_mmu_pte_write().

Signed-off-by: Junaid Shahid <junaids@google.com>
Reviewed-by: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: Use kvm_read_guest_atomic()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/mmu.c | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3926,9 +3926,9 @@ static void mmu_pte_write_flush_tlb(stru
 }
 
 static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
-				    const u8 *new, int *bytes)
+				    int *bytes)
 {
-	u64 gentry;
+	u64 gentry = 0;
 	int r;
 
 	/*
@@ -3940,22 +3940,12 @@ static u64 mmu_pte_write_fetch_gpte(stru
 		/* Handle a 32-bit guest writing two halves of a 64-bit gpte */
 		*gpa &= ~(gpa_t)7;
 		*bytes = 8;
-		r = kvm_read_guest(vcpu->kvm, *gpa, &gentry, 8);
-		if (r)
-			gentry = 0;
-		new = (const u8 *)&gentry;
 	}
 
-	switch (*bytes) {
-	case 4:
-		gentry = *(const u32 *)new;
-		break;
-	case 8:
-		gentry = *(const u64 *)new;
-		break;
-	default:
-		gentry = 0;
-		break;
+	if (*bytes == 4 || *bytes == 8) {
+		r = kvm_read_guest_atomic(vcpu->kvm, *gpa, &gentry, *bytes);
+		if (r)
+			gentry = 0;
 	}
 
 	return gentry;
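Review bot: mmu_pte_write_fetch_gpte() now reads with kvm_read_guest_atomic() because its caller invokes it with mmu_lock held, but nothing in the function says so. Add a comment that it must be called under mmu_lock and therefore cannot use the sleeping read. A failed atomic read also leaves gentry at 0 silently, which looks the same as the guest clearing the PTE, and the 4-byte case now depends on the "gentry = 0" initializer for the upper half; a short comment on why both are safe would help the next reader.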
@@ -4064,8 +4054,6 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
 
 	pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
 
-	gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, new, &bytes);
-
 	/*
 	 * No need to care whether allocation memory is successful
 	 * or not since pte prefetch is skiped if it does not have
@@ -4074,6 +4062,9 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
 	mmu_topup_memory_caches(vcpu);
 
 	spin_lock(&vcpu->kvm->mmu_lock);
+
+	gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes);
+
 	++vcpu->kvm->stat.mmu_pte_write;
 	kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE);
 


* [PATCH 3.16 270/305] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Macpaul Lin, Greg Kroah-Hartman, Daniel Thompson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Macpaul Lin <macpaul@gmail.com>

commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.

This patch is trying to fix KE issue due to
"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
reported by Syzkaller scan."

[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
[26364:syz-executor0][name:report&]
[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
[26364:syz-executor0]Call trace:
[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:report&]Memory state around the buggy address:
[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[26364:syz-executor0][name:report&]                                       ^
[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
[26364:syz-executor0][name:report&]
[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
[26364:syz-executor0]------------[cut here]------------

After checking the source code, we've found there might be an out-of-bounds
access to "config[len - 1]" array when the variable "len" is zero.

Signed-off-by: Macpaul Lin <macpaul@gmail.com>
Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/kgdboc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/kgdboc.c
+++ b/drivers/tty/serial/kgdboc.c
@@ -252,7 +252,7 @@ static void kgdboc_put_char(u8 chr)
 
 static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
 {
-	int len = strlen(kmessage);
+	size_t len = strlen(kmessage);
 
 	if (len >= MAX_CONFIG_LEN) {
 		printk(KERN_ERR "kgdboc: config string too long\n");
@@ -274,7 +274,7 @@ static int param_set_kgdboc_var(const ch
 
 	strcpy(config, kmessage);
 	/* Chop out \n char as a result of echo */
-	if (config[len - 1] == '\n')
+	if (len && config[len - 1] == '\n')
 		config[len - 1] = '\0';
 
 	if (configured == 1)
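Review bot: the "len &&" guard fixes the config[len - 1] read for an empty write, but the empty string is still copied into config and control continues to the "configured == 1" check. If an empty value is not a meaningful configuration, returning early for len == 0 before the strcpy() would be clearer; if it is meaningful, a comment saying so would help. The guard is also what keeps the size_t change in the first hunk safe, since len - 1 would otherwise wrap to a huge index.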


* [PATCH 3.16 273/305] bnx2fc: fix an error code in _bnx2fc_create()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christoph Hellwig, Chad Dupuis, Dan Carpenter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 2043e1fd09c1896bb03a6e25b64baa84a30879c9 upstream.

We should be returning an error code here instead of success.  Either
-ENODEV or -ENOMEM would work.  There is also a failure message in
printk().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
@@ -2201,6 +2201,7 @@ static int _bnx2fc_create(struct net_dev
 	interface = bnx2fc_interface_create(hba, netdev, fip_mode);
 	if (!interface) {
 		printk(KERN_ERR PFX "bnx2fc_interface_create failed\n");
+		rc = -ENOMEM;
 		goto ifput_err;
 	}
 
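
Review bot: in the "if (!interface)" branch, rc is now set but the code still jumps to ifput_err while interface is NULL. The label is outside this hunk; if it releases the interface, this path needs a different label. The commit message also says either -ENODEV or -ENOMEM would work, so a word on why -ENOMEM was chosen would help.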


* [PATCH 3.16 209/305] hwmon: (w83795) temp4_type has writable permission
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Guenter Roeck, Yao Wang, Huacai Chen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit 09aaf6813cfca4c18034fda7a43e68763f34abb1 upstream.

Both datasheet and comments of store_temp_mode() tell us that temp1~4_type
is writable, so fix it.

Signed-off-by: Yao Wang <wangyao@lemote.com>
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Fixes: 39deb6993e7c (" hwmon: (w83795) Simplify temperature sensor type handling")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/w83795.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwmon/w83795.c
+++ b/drivers/hwmon/w83795.c
@@ -1693,7 +1693,7 @@ store_sf_setup(struct device *dev, struc
  * somewhere else in the code
  */
 #define SENSOR_ATTR_TEMP(index) {					\
-	SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 4 ? S_IWUSR : 0), \
+	SENSOR_ATTR_2(temp##index##_type, S_IRUGO | (index < 5 ? S_IWUSR : 0), \
 		show_temp_mode, store_temp_mode, NOT_USED, index - 1),	\
 	SENSOR_ATTR_2(temp##index##_input, S_IRUGO, show_temp,		\
 		NULL, TEMP_READ, index - 1),				\
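
Review bot: the bare 5 in "index < 5 ? S_IWUSR : 0" is easy to get wrong again, as the off-by-one being fixed here shows. Since index is 1-based (the same macro passes index - 1), writing the test as "index <= 4" or using a named constant would match the "temp1~4_type" wording in the commit message.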


* [PATCH 3.16 294/305] kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Bonzini, Eduardo Habkost

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eduardo Habkost <ehabkost@redhat.com>

commit 0e1b869fff60c81b510c2d00602d778f8f59dd9a upstream.

Some guest OSes (including Windows 10) write to MSR 0xc001102c
in some cases (possibly while trying to apply a CPU erratum).
Make KVM ignore reads and writes to that MSR, so the guest won't
crash.

The MSR is documented as "Execution Unit Configuration (EX_CFG)",
at AMD's "BIOS and Kernel Developer's Guide (BKDG) for AMD Family
15h Models 00h-0Fh Processors".

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/uapi/asm/msr-index.h | 1 +
 arch/x86/kvm/x86.c                    | 2 ++
 2 files changed, 3 insertions(+)

--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -236,6 +236,7 @@
 #define MSR_F15H_PERF_CTR		0xc0010201
 #define MSR_F15H_NB_PERF_CTL		0xc0010240
 #define MSR_F15H_NB_PERF_CTR		0xc0010241
+#define MSR_F15H_EX_CFG			0xc001102c
 
 /* Fam 10h MSRs */
 #define MSR_FAM10H_MMIO_CONF_BASE	0xc0010058
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2086,6 +2086,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
 	case MSR_AMD64_PATCH_LOADER:
 	case MSR_AMD64_BU_CFG2:
 	case MSR_AMD64_DC_CFG:
+	case MSR_F15H_EX_CFG:
 		break;
 
 	case MSR_EFER:
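
Review bot: the new "case MSR_F15H_EX_CFG:" in kvm_set_msr_common() discards the guest's write silently and carries no comment. A one-line comment naming the register ("Execution Unit Configuration") and stating that writes are ignored on purpose would keep the reason next to the code rather than only in the commit message.
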
@@ -2464,6 +2465,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
 	case MSR_AMD64_BU_CFG2:
 	case MSR_IA32_PERF_CTL:
 	case MSR_AMD64_DC_CFG:
+	case MSR_F15H_EX_CFG:
 		msr_info->data = 0;
 		break;
 	case MSR_P6_PERFCTR0:
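
Review bot: in kvm_get_msr_common() the new case sets msr_info->data = 0 regardless of what the guest wrote earlier, so a guest that writes EX_CFG and reads it back will see a different value. That matches the stated intent of ignoring both directions, but it deserves a mention in the commit message or a comment.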


* [PATCH 3.16 274/305] scsi: bnx2fc: Fix NULL dereference in error handling
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dan Carpenter, Martin K. Petersen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 9ae4f8420ed7be4b13c96600e3568c144d101a23 upstream.

If "interface" is NULL then we can't release it and trying to will only
lead to an Oops.

Fixes: aea71a024914 ("[SCSI] bnx2fc: Introduce interface structure for each vlan interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
@@ -2202,7 +2202,7 @@ static int _bnx2fc_create(struct net_dev
 	if (!interface) {
 		printk(KERN_ERR PFX "bnx2fc_interface_create failed\n");
 		rc = -ENOMEM;
-		goto ifput_err;
+		goto netdev_err;
 	}
 
 	if (netdev->priv_flags & IFF_802_1Q_VLAN) {
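
Review bot: the switch from ifput_err to netdev_err in the "if (!interface)" branch relies on the two labels being ordered so that netdev_err skips only the interface release. Neither label is visible in this hunk, so please confirm that everything acquired before bnx2fc_interface_create() is still undone on the netdev_err path.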


* [PATCH 3.16 271/305] virtio/s390: avoid race on vcdev->config
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Halil Pasic, Michael S. Tsirkin, Cornelia Huck

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Halil Pasic <pasic@linux.ibm.com>

commit 2448a299ec416a80f699940a86f4a6d9a4f643b1 upstream.

Currently we have a race on vcdev->config in virtio_ccw_get_config() and
in virtio_ccw_set_config().

This normally does not cause problems, as these are usually infrequent
operations. However, for some devices writing to/reading from the config
space can be triggered through sysfs attributes. For these, userspace can
force the race by increasing the frequency.

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Message-Id: <20180925121309.58524-2-pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/kvm/virtio_ccw.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/s390/kvm/virtio_ccw.c
+++ b/drivers/s390/kvm/virtio_ccw.c
@@ -741,6 +741,7 @@ static void virtio_ccw_get_config(struct
 	int ret;
 	struct ccw1 *ccw;
 	void *config_area;
+	unsigned long flags;
 
 	ccw = kzalloc(sizeof(*ccw), GFP_DMA | GFP_KERNEL);
 	if (!ccw)
@@ -759,11 +760,13 @@ static void virtio_ccw_get_config(struct
 	if (ret)
 		goto out_free;
 
+	spin_lock_irqsave(&vcdev->lock, flags);
 	memcpy(vcdev->config, config_area, offset + len);
-	if (buf)
-		memcpy(buf, &vcdev->config[offset], len);
 	if (vcdev->config_ready < offset + len)
 		vcdev->config_ready = offset + len;
+	spin_unlock_irqrestore(&vcdev->lock, flags);
+	if (buf)
+		memcpy(buf, config_area + offset, len);
 
 out_free:
 	kfree(config_area);
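
Review bot: nothing at the new spin_lock_irqsave(&vcdev->lock, flags) says that vcdev->lock now also covers vcdev->config and vcdev->config_ready. A short comment here, or on the lock's declaration, would document the rule. The copy to buf from config_area after the unlock is fine, as it no longer touches shared state.
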
@@ -777,6 +780,7 @@ static void virtio_ccw_set_config(struct
 	struct virtio_ccw_device *vcdev = to_vc_device(vdev);
 	struct ccw1 *ccw;
 	void *config_area;
+	unsigned long flags;
 
 	ccw = kzalloc(sizeof(*ccw), GFP_DMA | GFP_KERNEL);
 	if (!ccw)
@@ -789,9 +793,11 @@ static void virtio_ccw_set_config(struct
 	/* Make sure we don't overwrite fields. */
 	if (vcdev->config_ready < offset)
 		virtio_ccw_get_config(vdev, 0, NULL, offset);
+	spin_lock_irqsave(&vcdev->lock, flags);
 	memcpy(&vcdev->config[offset], buf, len);
 	/* Write the config area to the host. */
 	memcpy(config_area, vcdev->config, sizeof(vcdev->config));
+	spin_unlock_irqrestore(&vcdev->lock, flags);
 	ccw->cmd_code = CCW_CMD_WRITE_CONF;
 	ccw->flags = 0;
 	ccw->count = offset + len;
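
Review bot: the "vcdev->config_ready < offset" test at the top of this hunk still reads config_ready without holding vcdev->lock, while virtio_ccw_get_config() now updates it under the lock. If the unlocked read is intentional, a comment saying so would help; otherwise take the lock around the check.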


* [PATCH 3.16 260/305] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, John Fastabend, Ido Schimmel, David Ahern,
	Eric Dumazet, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 688838934c231bb08f46db687e57f6d8bf82709c upstream.

kmsan was able to trigger a kernel-infoleak using a gre device [1]

nlmsg_populate_fdb_fill() has a hard coded assumption
that dev->addr_len is ETH_ALEN, as normally guaranteed
for ARPHRD_ETHER devices.

A similar issue was fixed recently in commit da71577545a5
("rtnetlink: Disallow FDB configuration for non-Ethernet device")

[1]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:143 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
CPU: 0 PID: 6697 Comm: syz-executor310 Not tainted 4.20.0-rc3+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x32d/0x480 lib/dump_stack.c:113
 kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
 kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
 kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
 copyout lib/iov_iter.c:143 [inline]
 _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
 copy_to_iter include/linux/uio.h:143 [inline]
 skb_copy_datagram_iter+0x4e2/0x1070 net/core/datagram.c:431
 skb_copy_datagram_msg include/linux/skbuff.h:3316 [inline]
 netlink_recvmsg+0x6f9/0x19d0 net/netlink/af_netlink.c:1975
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg+0x1d1/0x230 net/socket.c:801
 ___sys_recvmsg+0x444/0xae0 net/socket.c:2278
 __sys_recvmsg net/socket.c:2327 [inline]
 __do_sys_recvmsg net/socket.c:2337 [inline]
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x441119
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffc7f008a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441119
RDX: 0000000000000040 RSI: 00000000200005c0 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 0000000000000100 R09: 0000000000000100
R10: 0000000000000100 R11: 0000000000000207 R12: 0000000000402080
R13: 0000000000402110 R14: 0000000000000000 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
 kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
 kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
 __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
 __nla_put lib/nlattr.c:744 [inline]
 nla_put+0x20a/0x2d0 lib/nlattr.c:802
 nlmsg_populate_fdb_fill+0x444/0x810 net/core/rtnetlink.c:3466
 nlmsg_populate_fdb net/core/rtnetlink.c:3775 [inline]
 ndo_dflt_fdb_dump+0x73a/0x960 net/core/rtnetlink.c:3807
 rtnl_fdb_dump+0x1318/0x1cb0 net/core/rtnetlink.c:3979
 netlink_dump+0xc79/0x1c90 net/netlink/af_netlink.c:2244
 __netlink_dump_start+0x10c4/0x11d0 net/netlink/af_netlink.c:2352
 netlink_dump_start include/linux/netlink.h:216 [inline]
 rtnetlink_rcv_msg+0x141b/0x1540 net/core/rtnetlink.c:4910
 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
 __sys_sendmsg net/socket.c:2154 [inline]
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
 kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
 kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
 __kmalloc+0x14c/0x4d0 mm/slub.c:3825
 kmalloc include/linux/slab.h:551 [inline]
 __hw_addr_create_ex net/core/dev_addr_lists.c:34 [inline]
 __hw_addr_add_ex net/core/dev_addr_lists.c:80 [inline]
 __dev_mc_add+0x357/0x8a0 net/core/dev_addr_lists.c:670
 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
 ip_mc_filter_add net/ipv4/igmp.c:1128 [inline]
 igmp_group_added+0x4d4/0xb80 net/ipv4/igmp.c:1311
 __ip_mc_inc_group+0xea9/0xf70 net/ipv4/igmp.c:1444
 ip_mc_inc_group net/ipv4/igmp.c:1453 [inline]
 ip_mc_up+0x1c3/0x400 net/ipv4/igmp.c:1775
 inetdev_event+0x1d03/0x1d80 net/ipv4/devinet.c:1522
 notifier_call_chain kernel/notifier.c:93 [inline]
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401
 __dev_notify_flags+0x3da/0x860 net/core/dev.c:1733
 dev_change_flags+0x1ac/0x230 net/core/dev.c:7569
 do_setlink+0x165f/0x5ea0 net/core/rtnetlink.c:2492
 rtnl_newlink+0x2ad7/0x35a0 net/core/rtnetlink.c:3111
 rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
 __sys_sendmsg net/socket.c:2154 [inline]
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 36-37 of 105 are uninitialized
Memory access of size 105 starts at ffff88819686c000
Data copied to user address 0000000020000380

Fixes: d83b06036048 ("net: add fdb generic dump routine")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Ido Schimmel <idosch@mellanox.com>
Cc: David Ahern <dsahern@gmail.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/rtnetlink.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2546,6 +2546,9 @@ int ndo_dflt_fdb_dump(struct sk_buff *sk
 {
 	int err;
 
+	if (dev->type != ARPHRD_ETHER)
+		return -EINVAL;
+
 	netif_addr_lock_bh(dev);
 	err = nlmsg_populate_fdb(skb, cb, dev, &idx, &dev->uc);
 	if (err)
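
Review bot: the new check tests dev->type != ARPHRD_ETHER, while the assumption described in the commit message is about dev->addr_len being ETH_ALEN. A comment above the check tying the two together would explain why a device-type test is the right guard. It is also worth stating whether -EINVAL is the intended result for a dump request on a non-Ethernet device, rather than returning without adding entries.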


* [PATCH 3.16 272/305] virtio/s390: fix race in ccw_io_helper()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael S. Tsirkin, Cornelia Huck,
	Colin Ian King, Halil Pasic

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Halil Pasic <pasic@linux.ibm.com>

commit 78b1a52e05c9db11d293342e8d6d8a230a04b4e7 upstream.

While ccw_io_helper() seems to be intended to be exclusive in the sense that
it is supposed to facilitate I/O for at most one thread at any given
time, there is actually nothing ensuring that threads won't pile up at
vcdev->wait_q. If they do, all threads get woken up and see the status
that belongs to some other request than their own. This can lead to bugs.
For an example see:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1788432

This race normally does not cause any problems. The operations provided
by struct virtio_config_ops are usually invoked in a well defined
sequence, normally don't fail, and are normally used quite infrequently
too.

Yet, if some of these operations are directly triggered via sysfs
attributes, like in the case described by the referenced bug, userspace
is given an opportunity to force races by increasing the frequency of the
given operations.

Let us fix the problem by ensuring that, for each device, we finish
processing the previous request before starting with a new one.

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reported-by: Colin Ian King <colin.king@canonical.com>
Message-Id: <20180925121309.58524-3-pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/kvm/virtio_ccw.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/s390/kvm/virtio_ccw.c
+++ b/drivers/s390/kvm/virtio_ccw.c
@@ -57,6 +57,7 @@ struct virtio_ccw_device {
 	int err;
 	wait_queue_head_t wait_q;
 	spinlock_t lock;
+	struct mutex io_lock; /* Serializes I/O requests */
 	struct list_head virtqueues;
 	unsigned long indicators;
 	unsigned long indicators2;
@@ -282,6 +283,7 @@ static int ccw_io_helper(struct virtio_c
 	unsigned long flags;
 	int flag = intparm & VIRTIO_CCW_INTPARM_MASK;
 
+	mutex_lock(&vcdev->io_lock);
 	do {
 		spin_lock_irqsave(get_ccwdev_lock(vcdev->cdev), flags);
 		ret = ccw_device_start(vcdev->cdev, ccw, intparm, 0, 0);
@@ -294,7 +296,9 @@ static int ccw_io_helper(struct virtio_c
 		cpu_relax();
 	} while (ret == -EBUSY);
 	wait_event(vcdev->wait_q, doing_io(vcdev, flag) == 0);
-	return ret ? ret : vcdev->err;
+	ret = ret ? ret : vcdev->err;
+	mutex_unlock(&vcdev->io_lock);
+	return ret;
 }
 
 static void virtio_ccw_drop_indicator(struct virtio_ccw_device *vcdev,
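
Review bot: wait_event(vcdev->wait_q, ...) is uninterruptible and now runs with io_lock held, so a request that never completes blocks every later caller of ccw_io_helper() on that device in mutex_lock(). That is the serialization the commit message asks for, but the hang behaviour should be called out there.
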
@@ -1086,6 +1090,7 @@ static int virtio_ccw_online(struct ccw_
 	init_waitqueue_head(&vcdev->wait_q);
 	INIT_LIST_HEAD(&vcdev->virtqueues);
 	spin_lock_init(&vcdev->lock);
+	mutex_init(&vcdev->io_lock);
 
 	spin_lock_irqsave(get_ccwdev_lock(cdev), flags);
 	dev_set_drvdata(&cdev->dev, vcdev);


* [PATCH 3.16 266/305] USB: check usb_get_extra_descriptor for proper size
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Payer, Hui Peng,
	Greg Kroah-Hartman, Linus Torvalds

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Payer <mathias.payer@nebelwelt.net>

commit 704620afc70cf47abb9d6a1a57f3825d2bca49cf upstream.

When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to prevent from invalid data being sent by a
device.

Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c    | 2 +-
 drivers/usb/core/usb.c    | 6 +++---
 drivers/usb/host/hwa-hc.c | 2 +-
 include/linux/usb.h       | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2211,7 +2211,7 @@ static int usb_enumerate_device_otg(stru
 		/* descriptor may appear anywhere in config */
 		if (__usb_get_extra_descriptor (udev->rawdescriptors[0],
 					le16_to_cpu(udev->config[0].desc.wTotalLength),
-					USB_DT_OTG, (void **) &desc) == 0) {
+					USB_DT_OTG, (void **) &desc, sizeof(*desc)) == 0) {
 			if (desc->bmAttributes & USB_OTG_HNP) {
 				unsigned		port1 = udev->portnum;
 
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -663,14 +663,14 @@ EXPORT_SYMBOL_GPL(usb_get_current_frame_
  */
 
 int __usb_get_extra_descriptor(char *buffer, unsigned size,
-			       unsigned char type, void **ptr)
+			       unsigned char type, void **ptr, size_t minsize)
 {
 	struct usb_descriptor_header *header;
 
 	while (size >= sizeof(struct usb_descriptor_header)) {
 		header = (struct usb_descriptor_header *)buffer;
 
-		if (header->bLength < 2) {
+		if (header->bLength < 2 || header->bLength > size) {
 			printk(KERN_ERR
 				"%s: bogus descriptor, type %d length %d\n",
 				usbcore_name,
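
Review bot: __usb_get_extra_descriptor() gains a minsize parameter, but the comment block that ends just above the function is untouched (all six changed lines in drivers/usb/core/usb.c are in the two hunks shown). Please document the new parameter there, including that descriptors shorter than minsize are not returned.
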
@@ -679,7 +679,7 @@ int __usb_get_extra_descriptor(char *buf
 			return -1;
 		}
 
-		if (header->bDescriptorType == type) {
+		if (header->bDescriptorType == type && header->bLength >= minsize) {
 			*ptr = header;
 			return 0;
 		}
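
Review bot: with "header->bDescriptorType == type && header->bLength >= minsize", a descriptor of the requested type that is too short is passed over without any message, unlike the bogus-length case above, which logs through printk(). Consider a debug message here so that a malformed descriptor can be told apart from a missing one.
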
--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
@@ -654,7 +654,7 @@ static int hwahc_security_create(struct
 	top = itr + itr_size;
 	result = __usb_get_extra_descriptor(usb_dev->rawdescriptors[index],
 			le16_to_cpu(usb_dev->actconfig->desc.wTotalLength),
-			USB_DT_SECURITY, (void **) &secd);
+			USB_DT_SECURITY, (void **) &secd, sizeof(*secd));
 	if (result == -1) {
 		dev_warn(dev, "BUG? WUSB host has no security descriptors\n");
 		return 0;
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -334,11 +334,11 @@ struct usb_host_bos {
 };
 
 int __usb_get_extra_descriptor(char *buffer, unsigned size,
-	unsigned char type, void **ptr);
+	unsigned char type, void **ptr, size_t min);
 #define usb_get_extra_descriptor(ifpoint, type, ptr) \
 				__usb_get_extra_descriptor((ifpoint)->extra, \
 				(ifpoint)->extralen, \
-				type, (void **)ptr)
+				type, (void **)ptr, sizeof(**(ptr)))
 
 /* ----------------------------------------------------------------------- */
 
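
Review bot: the prototype names the new parameter min while the definition in drivers/usb/core/usb.c calls it minsize; use one name. In the usb_get_extra_descriptor() macro, sizeof(**(ptr)) depends on ptr being a typed pointer-to-pointer, so a caller that passes a void ** would get the wrong minimum; a comment on the macro should state that requirement.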


* [PATCH 3.16 269/305] xhci: Prevent U1/U2 link pm states if exit latency is too long
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Mathias Nyman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 0472bf06c6fd33c1a18aaead4c8f91e5a03d8d7b upstream.

Don't allow USB3 U1 or U2 if the latency to wake up from the U-state
reaches the service interval for a periodic endpoint.

This is according to xhci 1.1 specification section 4.23.5.2 extra note:

"Software shall ensure that a device is prevented from entering a U-state
 where its worst case exit latency approaches the ESIT."

Allowing too long exit latencies for periodic endpoint confuses xHC
internal scheduling, and new devices may fail to enumerate with a
"Not enough bandwidth for new device state" error from the host.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4466,9 +4466,25 @@ static u16 xhci_call_host_update_timeout
 		u16 *timeout)
 {
 	if (state == USB3_LPM_U1) {
+		/* Prevent U1 if service interval is shorter than U1 exit latency */
+		if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
+			if (xhci_service_interval_to_ns(desc) <= udev->u1_params.mel) {
+				dev_dbg(&udev->dev, "Disable U1, ESIT shorter than exit latency\n");
+				return USB3_LPM_DISABLED;
+			}
+		}
+
 		if (xhci->quirks & XHCI_INTEL_HOST)
 			return xhci_calculate_intel_u1_timeout(udev, desc);
 	} else {
+		/* Prevent U2 if service interval is shorter than U2 exit latency */
+		if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
+			if (xhci_service_interval_to_ns(desc) <= udev->u2_params.mel) {
+				dev_dbg(&udev->dev, "Disable U2, ESIT shorter than exit latency\n");
+				return USB3_LPM_DISABLED;
+			}
+		}
+
 		if (xhci->quirks & XHCI_INTEL_HOST)
 			return xhci_calculate_intel_u2_timeout(udev, desc);
 	}
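
Review bot: the U1 and U2 branches add the same check twice, differing only in u1_params.mel versus u2_params.mel and the debug string; a small helper taking the mel value would remove the duplication. The comments also say "shorter than" while the test is "<=", so an equal service interval disables the state too; align the wording with the condition.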


* [PATCH 3.16 295/305] x86/mtrr: Don't copy uninitialized gentry fields back to userspace
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Colin Ian King, security, Tyler Hicks,
	Thomas Gleixner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream.

Currently the copy_to_user of data in the gentry struct is copying
uninitialized data in field _pad from the stack to userspace.

Fix this by explicitly memset'ing gentry to zero; this will also zero any
compiler-added padding fields that may be in the struct (currently there are
none).

Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")

Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: security@kernel.org
Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/mtrr/if.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned i
 	struct mtrr_gentry gentry;
 	void __user *arg = (void __user *) __arg;
 
+	memset(&gentry, 0, sizeof(gentry));
+
 	switch (cmd) {
 	case MTRRIOC_ADD_ENTRY:
 	case MTRRIOC_SET_ENTRY:
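
Review bot: the memset() sits before the switch with no comment, so it reads like a redundant initialisation that a later cleanup could remove. A one-line comment saying that it keeps the _pad field and any padding from reaching userspace would protect it.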


* [PATCH 3.16 302/305] drm/ioctl: Fix Spectre v1 vulnerabilities
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Daniel Vetter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.

nr is indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)

Fix this by sanitizing nr before using it to index dev->driver->ioctls
and drm_ioctls.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_drv.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -49,6 +49,7 @@
 #include <linux/debugfs.h>
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/nospec.h>
 #include <drm/drmP.h>
 #include <drm/drm_core.h>
 
@@ -360,7 +361,10 @@ long drm_ioctl(struct file *filp,
 	if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) &&
 	    (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) {
 		u32 drv_size;
-		ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
+		unsigned int index = nr - DRM_COMMAND_BASE;
+
+		index = array_index_nospec(index, dev->driver->num_ioctls);
+		ioctl = &dev->driver->ioctls[index];
 		drv_size = _IOC_SIZE(ioctl->cmd_drv);
 		usize = asize = _IOC_SIZE(cmd);
 		if (drv_size > asize)
@@ -370,6 +374,7 @@ long drm_ioctl(struct file *filp,
 	else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
 		u32 drv_size;
 
+		nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
 		ioctl = &drm_ioctls[nr];
 
 		drv_size = _IOC_SIZE(ioctl->cmd);
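
Review bot: In the core-ioctl branch, array_index_nospec(nr, DRM_CORE_IOCTL_COUNT) is applied without a visible architectural check of nr against DRM_CORE_IOCTL_COUNT; the branch condition only tests nr against DRM_COMMAND_BASE and DRM_COMMAND_END. array_index_nospec() yields 0 for an out-of-range index, so if nothing earlier rejects nr >= DRM_CORE_IOCTL_COUNT, such a request would be dispatched as drm_ioctls[0] instead of being refused. Please confirm that the 3.16 context above this hunk already bails out on that range, the way drm_ioctl_flags() does with its explicit 'if (nr >= DRM_CORE_IOCTL_COUNT) return false;'.
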
@@ -465,6 +470,7 @@ bool drm_ioctl_flags(unsigned int nr, un
 
 	if (nr >= DRM_CORE_IOCTL_COUNT)
 		return false;
+	nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
 
 	*flags = drm_ioctls[nr].flags;
 	return true;



* [PATCH 3.16 303/305] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (225 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 132/305] netfilter: xt_IDLETIMER: add sysfs filename checking routine Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 016/305] staging: comedi: quatech_daqp_cs: fix bug in daqp_ao_insn_write() Ben Hutchings
                   ` (78 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christophe Leroy, Linus Walleij

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit abf221d2f51b8ce7b9959a8953f880a8b0a1400d upstream.

spi_read() and spi_write() require DMA-safe memory. When
CONFIG_VMAP_STACK is selected, those functions cannot be used
with buffers on stack.

This patch replaces calls to spi_read() and spi_write() by
spi_write_then_read() which doesn't require DMA-safe buffers.

Fixes: 0c36ec314735 ("gpio: gpio driver for max7301 SPI GPIO expander")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpio/gpio-max7301.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

--- a/drivers/gpio/gpio-max7301.c
+++ b/drivers/gpio/gpio-max7301.c
@@ -25,7 +25,7 @@ static int max7301_spi_write(struct devi
 	struct spi_device *spi = to_spi_device(dev);
 	u16 word = ((reg & 0x7F) << 8) | (val & 0xFF);
 
-	return spi_write(spi, (const u8 *)&word, sizeof(word));
+	return spi_write_then_read(spi, &word, sizeof(word), NULL, 0);
 }
 
 /* A read from the MAX7301 means two transfers; here, one message each */
@@ -37,14 +37,8 @@ static int max7301_spi_read(struct devic
 	struct spi_device *spi = to_spi_device(dev);
 
 	word = 0x8000 | (reg << 8);
-	ret = spi_write(spi, (const u8 *)&word, sizeof(word));
-	if (ret)
-		return ret;
-	/*
-	 * This relies on the fact, that a transfer with NULL tx_buf shifts out
-	 * zero bytes (=NOOP for MAX7301)
-	 */
-	ret = spi_read(spi, (u8 *)&word, sizeof(word));
+	ret = spi_write_then_read(spi, &word, sizeof(word), &word,
+				  sizeof(word));
 	if (ret)
 		return ret;
 	return word & 0xff;
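
Review bot: The comment kept above max7301_spi_read() still says "two transfers; here, one message each", but the read is now a single spi_write_then_read() call, so that comment is stale and should be updated in this patch. The deleted note that the read phase shifts out zero bytes (a NOOP for the MAX7301) describes device behaviour the driver may still rely on; if it does, keep it in shortened form. It would also help to say that passing &word as both the tx and rx buffer is intentional.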



* [PATCH 3.16 258/305] mmc: core: use mrq->sbc when sending CMD23 for RPMB
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 186/305] uio: Fix an Oops on load Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 142/305] sunrpc: correct the computation for page_ptr when truncating Ben Hutchings
                   ` (299 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Avri Altman, Masaharu Hayakawa,
	Ulf Hansson, Clément Péron, Wolfram Sang,
	Niklas Söderlund

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit a44f7cb937321d4961bfc8f28912126b06e701c5 upstream.

When sending out CMD23 in the blk preparation, the comment there
rightfully says:

	 * However, it is not sufficient to just send CMD23,
	 * and avoid the final CMD12, as on an error condition
	 * CMD12 (stop) needs to be sent anyway. This, coupled
	 * with Auto-CMD23 enhancements provided by some
	 * hosts, means that the complexity of dealing
	 * with this is best left to the host. If CMD23 is
	 * supported by card and host, we'll fill sbc in and let
	 * the host deal with handling it correctly.

Let's do this behaviour for RPMB as well, and not send CMD23
independently. Otherwise IP cores (like Renesas SDHI) may timeout
because of automatic CMD23/CMD12 handling.

Reported-by: Masaharu Hayakawa <masaharu.hayakawa.ry@renesas.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Clément Péron <peron.clem@gmail.com>
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/card/block.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -449,7 +449,7 @@ static int mmc_blk_ioctl_cmd(struct bloc
 	struct mmc_blk_ioc_data *idata;
 	struct mmc_blk_data *md;
 	struct mmc_card *card;
-	struct mmc_command cmd = {0};
+	struct mmc_command cmd = {}, sbc = {};
 	struct mmc_data data = {0};
 	struct mmc_request mrq = {NULL};
 	struct scatterlist sg;
@@ -539,10 +539,15 @@ static int mmc_blk_ioctl_cmd(struct bloc
 	}
 
 	if (is_rpmb) {
-		err = mmc_set_blockcount(card, data.blocks,
-			idata->ic.write_flag & (1 << 31));
-		if (err)
-			goto cmd_rel_host;
+		sbc.opcode = MMC_SET_BLOCK_COUNT;
+		/*
+		 * We don't do any blockcount validation because the max size
+		 * may be increased by a future standard. We just copy the
+		 * 'Reliable Write' bit here.
+		 */
+		sbc.arg = data.blocks | (idata->ic.write_flag & BIT(31));
+		sbc.flags = MMC_RSP_R1 | MMC_CMD_AC;
+		mrq.sbc = &sbc;
 	}
 
 	if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_SANITIZE_START) &&
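
Review bot: With the mmc_set_blockcount() call and its 'if (err) goto cmd_rel_host;' removed, nothing in this hunk observes a CMD23 failure any more; the result now lives in sbc.error once the request completes. Please confirm that the completion path later in mmc_blk_ioctl_cmd() checks sbc.error for the RPMB case, or add that check. Separately, data.blocks is OR'ed into sbc.arg unmasked, so bit 31 ('Reliable Write') can be set from data.blocks as well as from write_flag; if that is not intended, clear bit 31 of data.blocks before the OR.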



* [PATCH 3.16 289/305] mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (244 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 144/305] xfrm: Fix bucket count reported to userspace Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 103/305] clk: s2mps11: Add used attribute to s2mps11_dt_match Ben Hutchings
                   ` (59 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andreas Dannenberg, Sjoerd Simons,
	Faiz Abbas, Ulf Hansson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit e3ae3401aa19432ee4943eb0bbc2ec704d07d793 upstream.

Some eMMCs from Micron have been reported to need ~800 ms timeout, while
enabling the CACHE ctrl after running sudden power failure tests. The
needed timeout is greater than what the card specifies as its generic CMD6
timeout, through the EXT_CSD register, hence the problem.

Normally we would introduce a card quirk to extend the timeout for these
specific Micron cards. However, due to the rather complicated debug process
needed to find out the error, let's simply use a minimum timeout of 1600ms,
the double of what has been reported, for all cards when enabling CACHE
ctrl.

Reported-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
Reported-by: Andreas Dannenberg <dannenberg@ti.com>
Reported-by: Faiz Abbas <faiz_abbas@ti.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -24,6 +24,8 @@
 #include "mmc_ops.h"
 #include "sd_ops.h"
 
+#define MIN_CACHE_EN_TIMEOUT_MS 1600
+
 static const unsigned int tran_exp[] = {
 	10000,		100000,		1000000,	10000000,
 	0,		0,		0,		0
@@ -1426,13 +1428,18 @@ static int mmc_init_card(struct mmc_host
 	}
 
 	/*
-	 * If cache size is higher than 0, this indicates
-	 * the existence of cache and it can be turned on.
+	 * If cache size is higher than 0, this indicates the existence of cache
+	 * and it can be turned on. Note that some eMMCs from Micron has been
+	 * reported to need ~800 ms timeout, while enabling the cache after
+	 * sudden power failure tests. Let's extend the timeout to a minimum of
+	 * DEFAULT_CACHE_EN_TIMEOUT_MS and do it for all cards.
 	 */
 	if (card->ext_csd.cache_size > 0) {
+		unsigned int timeout_ms = MIN_CACHE_EN_TIMEOUT_MS;
+
+		timeout_ms = max(card->ext_csd.generic_cmd6_time, timeout_ms);
 		err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
-				EXT_CSD_CACHE_CTRL, 1,
-				card->ext_csd.generic_cmd6_time);
+				EXT_CSD_CACHE_CTRL, 1, timeout_ms);
 		if (err && err != -EBADMSG)
 			goto free_card;
 
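
Review bot: The new comment refers to DEFAULT_CACHE_EN_TIMEOUT_MS, but the macro added at the top of the file is MIN_CACHE_EN_TIMEOUT_MS; the comment should use the real name so that a grep for the macro finds it. In the same comment, "some eMMCs from Micron has been reported" should read "have been reported".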



* [PATCH 3.16 259/305] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 101/305] ACPICA: AML interpreter: add region addresses in global list during initialization Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 100/305] xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat Ben Hutchings
                   ` (30 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tony Lindgren, Ladislav Michl,
	Andrzej Zaborowski, Aaro Koskinen, Ulf Hansson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit e8cde625bfe8a714a856e1366bcbb259d7346095 upstream.

Since v2.6.22 or so there have been reports [1] about OMAP MMC being
broken on OMAP15XX based hardware (OMAP5910 and OMAP310). The breakage
seems to have been caused by commit 46a6730e3ff9 ("mmc-omap: Fix
omap to use MMC_POWER_ON") that changed clock enabling to be done
on MMC_POWER_ON. This can happen multiple times in a row, and on 15XX
the hardware doesn't seem to like it and the MMC just stops responding.
Fix by memorizing the power mode and do the init only when necessary.

Before the patch (on Palm TE):

	mmc0: new SD card at address b368
	mmcblk0: mmc0:b368 SDC   977 MiB
	mmci-omap mmci-omap.0: command timeout (CMD18)
	mmci-omap mmci-omap.0: command timeout (CMD13)
	mmci-omap mmci-omap.0: command timeout (CMD13)
	mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
	mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
	mmcblk0: error -110 requesting status
	mmci-omap mmci-omap.0: command timeout (CMD8)
	mmci-omap mmci-omap.0: command timeout (CMD18)
	mmci-omap mmci-omap.0: command timeout (CMD13)
	mmci-omap mmci-omap.0: command timeout (CMD13)
	mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
	mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
	mmcblk0: error -110 requesting status
	mmcblk0: recovery failed!
	print_req_error: I/O error, dev mmcblk0, sector 0
	Buffer I/O error on dev mmcblk0, logical block 0, async page read
	 mmcblk0: unable to read partition table

After the patch:

	mmc0: new SD card at address b368
	mmcblk0: mmc0:b368 SDC   977 MiB
	 mmcblk0: p1

The patch is based on a fix and analysis done by Ladislav Michl.

Tested on OMAP15XX/OMAP310 (Palm TE), OMAP1710 (Nokia 770)
and OMAP2420 (Nokia N810).

[1] https://marc.info/?t=123175197000003&r=1&w=2

Fixes: 46a6730e3ff9 ("mmc-omap: Fix omap to use MMC_POWER_ON")
Reported-by: Ladislav Michl <ladis@linux-mips.org>
Reported-by: Andrzej Zaborowski <balrogg@gmail.com>
Tested-by: Ladislav Michl <ladis@linux-mips.org>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: Set initial state to MMC_POWER_OFF instead of
 MMC_POWER_UNDEFINED]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/omap.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/omap.c
+++ b/drivers/mmc/host/omap.c
@@ -105,6 +105,7 @@ struct mmc_omap_slot {
 	unsigned int		vdd;
 	u16			saved_con;
 	u16			bus_mode;
+	u16			power_mode;
 	unsigned int		fclk_freq;
 
 	struct tasklet_struct	cover_tasklet;
@@ -1155,7 +1156,7 @@ static void mmc_omap_set_ios(struct mmc_
 	struct mmc_omap_slot *slot = mmc_priv(mmc);
 	struct mmc_omap_host *host = slot->host;
 	int i, dsor;
-	int clk_enabled;
+	int clk_enabled, init_stream;
 
 	mmc_omap_select_slot(slot, 0);
 
@@ -1165,6 +1166,7 @@ static void mmc_omap_set_ios(struct mmc_
 		slot->vdd = ios->vdd;
 
 	clk_enabled = 0;
+	init_stream = 0;
 	switch (ios->power_mode) {
 	case MMC_POWER_OFF:
 		mmc_omap_set_power(slot, 0, ios->vdd);
@@ -1172,13 +1174,17 @@ static void mmc_omap_set_ios(struct mmc_
 	case MMC_POWER_UP:
 		/* Cannot touch dsor yet, just power up MMC */
 		mmc_omap_set_power(slot, 1, ios->vdd);
+		slot->power_mode = ios->power_mode;
 		goto exit;
 	case MMC_POWER_ON:
 		mmc_omap_fclk_enable(host, 1);
 		clk_enabled = 1;
 		dsor |= 1 << 11;
+		if (slot->power_mode != MMC_POWER_ON)
+			init_stream = 1;
 		break;
 	}
+	slot->power_mode = ios->power_mode;
 
 	if (slot->bus_mode != ios->bus_mode) {
 		if (slot->pdata->set_bus_mode != NULL)
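
Review bot: slot->power_mode is now written in two places, once inside the MMC_POWER_UP case because of its 'goto exit' and once after the switch, so any later case that also jumps to exit will leave the cached mode stale and bring back the repeated-init problem. Consider reading the previous value into a local before the switch, computing init_stream from that local, and doing a single 'slot->power_mode = ios->power_mode;' ahead of the switch.
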
@@ -1194,7 +1200,7 @@ static void mmc_omap_set_ios(struct mmc_
 	for (i = 0; i < 2; i++)
 		OMAP_MMC_WRITE(host, CON, dsor);
 	slot->saved_con = dsor;
-	if (ios->power_mode == MMC_POWER_ON) {
+	if (init_stream) {
 		/* worst case at 400kHz, 80 cycles makes 200 microsecs */
 		int usecs = 250;
 
@@ -1232,6 +1238,7 @@ static int mmc_omap_new_slot(struct mmc_
 	slot->host = host;
 	slot->mmc = mmc;
 	slot->id = id;
+	slot->power_mode = MMC_POWER_OFF;
 	slot->pdata = &host->pdata->slots[id];
 
 	host->slots[id] = slot;



* [PATCH 3.16 267/305] cifs: Fix separator when building path from dentry
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 295/305] x86/mtrr: Don't copy uninitialized gentry fields back to userspace Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak Ben Hutchings
                   ` (146 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paulo Alcantara, Aurelien Aptel, Steve French

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paulo Alcantara <palcantara@suse.com>

commit c988de29ca161823db6a7125e803d597ef75b49c upstream.

Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
prefixpath too. Fixes a bug with smb1 UNIX extensions.

Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable")
Signed-off-by: Paulo Alcantara <palcantara@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -163,7 +163,7 @@ cifs_bp_rename_retry:
 
 		cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
 		memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
-		full_path[dfsplen] = '\\';
+		full_path[dfsplen] = dirsep;
 		for (i = 0; i < pplen-1; i++)
 			if (full_path[dfsplen+1+i] == '/')
 				full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
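
Review bot: The replaced line uses 'dirsep' while the loop two lines below uses CIFS_DIR_SEP(cifs_sb) for the same separator, and dirsep is not defined in the visible context, so the hunk alone does not show that the two agree. Using one spelling for both (dirsep in the loop, or CIFS_DIR_SEP(cifs_sb) in the assignment) would make the intent of the fix self-evident.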



* [PATCH 3.16 255/305] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (205 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 196/305] NFSv4: Don't exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 050/305] iio: ad5064: Fix regulator handling Ben Hutchings
                   ` (98 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Takashi Iwai, Mathias Payer, Hui Peng

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Peng <benquike@gmail.com>

commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.

If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.

[ The original problem was introduced in 3.1 kernel, while it was
  developed in a different form.  The Fixes tag below indicates the
  original commit but it doesn't mean that the patch is applicable
  cleanly. -- tiwai ]

Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/card.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -594,9 +594,12 @@ snd_usb_audio_probe(struct usb_device *d
 
  __error:
 	if (chip) {
+		/* chip->active is inside the chip->card object,
+		 * decrement before memory is possibly returned.
+		 */
+		atomic_dec(&chip->active);
 		if (!chip->num_interfaces)
 			snd_card_free(chip->card);
-		atomic_dec(&chip->active);
 	}
 	mutex_unlock(&register_mutex);
  __err_val:
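
Review bot: The new comment in the __error path says the memory is "possibly returned" without naming the call that returns it; saying that snd_card_free(chip->card) releases the object holding chip->active would tie the ordering constraint to the exact line below it. The comment also starts its text on the '/*' line, which differs from the usual block-comment layout with '/*' on its own line.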



* [PATCH 3.16 214/305] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (194 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 130/305] smb3: on kerberos mount if server doesn't specify auth type use krb5 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 036/305] PCI/ASPM: Fix link_state teardown on device removal Ben Hutchings
                   ` (109 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Biggers, Andy Lutomirski, Jiri Kosina,
	Jann Horn, syzbot+72473edc9bf4eb1c6556

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 8c01db7619f07c85c5cd81ec5eb83608b56c88f5 upstream.

When a UHID_CREATE command is written to the uhid char device, a
copy_from_user() is done from a user pointer embedded in the command.
When the address limit is KERNEL_DS, e.g. as is the case during
sys_sendfile(), this can read from kernel memory.  Alternatively,
information can be leaked from a setuid binary that is tricked to write
to the file descriptor.  Therefore, forbid UHID_CREATE in these cases.

No other commands in uhid_char_write() are affected by this bug and
UHID_CREATE is marked as "obsolete", so apply the restriction to
UHID_CREATE only rather than to uhid_char_write() entirely.

Thanks to Dmitry Vyukov for adding uhid definitions to syzkaller and to
Jann Horn for commit 9da3f2b740544 ("x86/fault: BUG() when uaccess
helpers fault on kernel addresses"), allowing this bug to be found.

Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
Fixes: d365c6cfd337 ("HID: uhid: add UHID_CREATE and UHID_DESTROY events")
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16; Directly include <linux/uaccess.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -12,6 +12,7 @@
 
 #include <linux/atomic.h>
 #include <linux/compat.h>
+#include <linux/cred.h>
 #include <linux/device.h>
 #include <linux/fs.h>
 #include <linux/hid.h>
@@ -22,6 +23,7 @@
 #include <linux/poll.h>
 #include <linux/sched.h>
 #include <linux/spinlock.h>
+#include <linux/uaccess.h>
 #include <linux/uhid.h>
 #include <linux/wait.h>
 
@@ -676,6 +678,17 @@ static ssize_t uhid_char_write(struct fi
 
 	switch (uhid->input_buf.type) {
 	case UHID_CREATE:
+		/*
+		 * 'struct uhid_create_req' contains a __user pointer which is
+		 * copied from, so it's unsafe to allow this with elevated
+		 * privileges (e.g. from a setuid binary) or via kernel_write().
+		 */
+		if (file->f_cred != current_cred() || uaccess_kernel()) {
+			pr_err_once("UHID_CREATE from different security context by process %d (%s), this is not allowed.\n",
+				    task_tgid_vnr(current), current->comm);
+			ret = -EACCES;
+			goto unlock;
+		}
 		ret = uhid_dev_create(uhid, &uhid->input_buf);
 		break;
 	case UHID_CREATE2:
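
Review bot: The rejection in the UHID_CREATE case is logged with pr_err_once(), so only the first blocked attempt reaches the log and every later one fails with -EACCES silently; if the message is meant to be usable as a detection signal, a rate-limited print would keep later events visible without allowing log flooding. Also, 'file->f_cred != current_cred()' is a pointer comparison, so a process that changed credentials after opening the device, or that received the descriptor from another process, is refused as well; it would be worth stating in the comment that this is accepted because UHID_CREATE is obsolete.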



* [PATCH 3.16 210/305] drm/ast: Remove existing framebuffers before loading driver
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (174 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 162/305] iommu/ipmmu-vmsa: Fix crash on early domain free Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 082/305] btrfs: fix error handling in btrfs_dev_replace_start Ben Hutchings
                   ` (129 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Zimmermann, Y.C. Chen, Dave Airlie,
	Jean Delvare

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Zimmermann <tzimmermann@suse.de>

commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream.

If vesafb attaches to the AST device, it configures the framebuffer memory
for uncached access by default. When ast.ko later tries to attach itself to
the device, it wants to use write-combining on the framebuffer memory, but
vesafb's existing configuration for uncached access takes precedence. This
results in reduced performance.

Removing the framebuffer's configuration before loading the AST driver fixes
the problem. Other DRM drivers already contain equivalent code.

Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Tested-by: Y.C. Chen <yc_chen@aspeedtech.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Tested-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[bwh: Backported to 3.16: Use remove_conflicting_framebuffers()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/ast/ast_drv.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/gpu/drm/ast/ast_drv.c
+++ b/drivers/gpu/drm/ast/ast_drv.c
@@ -60,8 +60,29 @@ static DEFINE_PCI_DEVICE_TABLE(pciidlist
 
 MODULE_DEVICE_TABLE(pci, pciidlist);
 
+static void ast_kick_out_firmware_fb(struct pci_dev *pdev)
+{
+	struct apertures_struct *ap;
+	bool primary = false;
+
+	ap = alloc_apertures(1);
+	if (!ap)
+		return;
+
+	ap->ranges[0].base = pci_resource_start(pdev, 0);
+	ap->ranges[0].size = pci_resource_len(pdev, 0);
+
+#ifdef CONFIG_X86
+	primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
+#endif
+	remove_conflicting_framebuffers(ap, "astdrmfb", primary);
+	kfree(ap);
+}
+
 static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 {
+	ast_kick_out_firmware_fb(pdev);
+
 	return drm_get_pci_dev(pdev, ent, &driver);
 }
 
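
Review bot: ast_kick_out_firmware_fb() returns void, so when alloc_apertures(1) fails it returns silently and ast_pci_probe() goes on to drm_get_pci_dev() with the firmware framebuffer still attached, which is the condition this patch is meant to remove. Either return an error and fail the probe, or log the failure so the degraded configuration is visible.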



* [PATCH 3.16 224/305] btrfs: relocation: set trans to be NULL after ending transaction
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 020/305] sparc32: Fix inverted invalid_frame_pointer checks on sigreturns Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 238/305] xtensa: fix coprocessor context offset definitions Ben Hutchings
                   ` (195 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pan Bian, Qu Wenruo, David Sterba

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 42a657f57628402c73237547f0134e083e2f6764 upstream.

The function relocate_block_group calls btrfs_end_transaction to release
trans when update_backref_cache returns 1, and then continues the loop
body. If btrfs_block_rsv_refill fails this time, it will jump out the
loop and the freed trans will be accessed. This may result in a
use-after-free bug. The patch assigns NULL to trans after trans is
released so that it will not be accessed.

Fixes: 0647bf564f1 ("Btrfs: improve forever loop when doing balance relocation")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/relocation.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -3955,6 +3955,7 @@ static noinline_for_stack int relocate_b
 restart:
 		if (update_backref_cache(trans, &rc->backref_cache)) {
 			btrfs_end_transaction(trans, rc->extent_root);
+			trans = NULL;
 			continue;
 		}
 
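
Review bot: Clearing trans before 'continue' only prevents the use-after-free if every path reachable from the top of the loop either starts a new transaction or tests trans for NULL before using it, and neither is visible in this hunk. Please confirm that the exit path taken when btrfs_block_rsv_refill() fails checks trans before ending it; otherwise this trades a use-after-free for a NULL pointer dereference.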



* [PATCH 3.16 211/305] exportfs: fix 'passing zero to ERR_PTR()' warning
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (301 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 185/305] misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 097/305] Btrfs: fix null pointer dereference on compressed write path error Ben Hutchings
                   ` (2 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, YueHaibing, Al Viro

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 909e22e05353a783c526829427e9a8de122fba9c upstream.

Fix a static code checker warning:
  fs/exportfs/expfs.c:171 reconnect_one() warn: passing zero to 'ERR_PTR'

The error path for lookup_one_len_unlocked failure
should set err to PTR_ERR.

Fixes: bbf7a8a3562f ("exportfs: move most of reconnect_path to helper function")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/exportfs/expfs.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/exportfs/expfs.c
+++ b/fs/exportfs/expfs.c
@@ -148,6 +148,7 @@ static struct dentry *reconnect_one(stru
 	mutex_unlock(&parent->d_inode->i_mutex);
 	if (IS_ERR(tmp)) {
 		dprintk("%s: lookup failed: %d\n", __func__, PTR_ERR(tmp));
+		err = PTR_ERR(tmp);
 		goto out_err;
 	}
 	if (tmp != dentry) {
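
Review bot: The dprintk() in the same IS_ERR(tmp) block prints PTR_ERR(tmp), which is a long, with '%d'. Now that err is assigned from PTR_ERR(tmp), doing the assignment first and printing err (assuming err is an int) would fix the format mismatch and avoid evaluating PTR_ERR() twice.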



* [PATCH 3.16 220/305] drm/ast: change resolution may cause screen blurred
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 109/305] llc: do not use sk_eat_skb() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 186/305] uio: Fix an Oops on load Ben Hutchings
                   ` (301 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Y.C. Chen, Jean Delvare, Dave Airlie

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Y.C. Chen" <yc_chen@aspeedtech.com>

commit 1a37bd823891568f8721989aed0615835632d81a upstream.

The value of pitches is not correct while calling mode_set.
The issue we found so far on following system:
- Debian8 with XFCE Desktop
- Ubuntu with KDE Desktop
- SUSE15 with KDE Desktop

Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Tested-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/ast/ast_mode.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/ast/ast_mode.c
+++ b/drivers/gpu/drm/ast/ast_mode.c
@@ -527,6 +527,7 @@ static int ast_crtc_do_set_base(struct d
 	}
 	ast_bo_unreserve(bo);
 
+	ast_set_offset_reg(crtc);
 	ast_set_start_address_crt1(crtc, (u32)gpu_addr);
 
 	return 0;
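Review bot: Missing documentation at the added ast_set_offset_reg(crtc) call in ast_crtc_do_set_base(): nothing in the hunk says why the offset register has to be rewritten on every base update, and the commit message only states that the pitches value is wrong when mode_set is called. A one-line comment above the call naming the failure it prevents (the blurred screen after a resolution change, per the subject line) would keep a later cleanup from dropping the call as redundant.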



* [PATCH 3.16 208/305] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 127/305] rtnetlink: Disallow FDB configuration for non-Ethernet device Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 056/305] VMCI: Resource wildcard match fixed Ben Hutchings
                   ` (274 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Prakash Sangappa, Davidlohr Bueso,
	Naoya Horiguchi, Mike Kravetz, Michal Hocko, Kirill A . Shutemov,
	Andrea Arcangeli, Hugh Dickins, Linus Torvalds

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf upstream.

This bug has been experienced several times by the Oracle DB team.  The
BUG is in remove_inode_hugepages() as follows:

	/*
	 * If page is mapped, it was faulted in after being
	 * unmapped in caller.  Unmap (again) now after taking
	 * the fault mutex.  The mutex will prevent faults
	 * until we finish removing the page.
	 *
	 * This race can only happen in the hole punch case.
	 * Getting here in a truncate operation is a bug.
	 */
	if (unlikely(page_mapped(page))) {
		BUG_ON(truncate_op);

In this case, the elevated map count is not the result of a race.
Rather it was incorrectly incremented as the result of a bug in the huge
pmd sharing code.  Consider the following:

 - Process A maps a hugetlbfs file of sufficient size and alignment
   (PUD_SIZE) that a pmd page could be shared.

 - Process B maps the same hugetlbfs file with the same size and
   alignment such that a pmd page is shared.

 - Process B then calls mprotect() to change protections for the mapping
   with the shared pmd. As a result, the pmd is 'unshared'.

 - Process B then calls mprotect() again to change protections for the
   mapping back to their original value. pmd remains unshared.

 - Process B then forks and process C is created. During the fork
   process, we do dup_mm -> dup_mmap -> copy_page_range to copy page
   tables. Copying page tables for hugetlb mappings is done in the
   routine copy_hugetlb_page_range.

In copy_hugetlb_page_range(), the destination pte is obtained by:

	dst_pte = huge_pte_alloc(dst, addr, sz);

If pmd sharing is possible, the returned pointer will be to a pte in an
existing page table.  In the situation above, process C could share with
either process A or process B.  Since process A is first in the list,
the returned pte is a pointer to a pte in process A's page table.

However, the check for pmd sharing in copy_hugetlb_page_range is:

	/* If the pagetables are shared don't copy or take references */
	if (dst_pte == src_pte)
		continue;

Since process C is sharing with process A instead of process B, the
above test fails.  The code in copy_hugetlb_page_range which follows
assumes dst_pte points to a huge_pte_none pte.  It copies the pte entry
from src_pte to dst_pte and increments this map count of the associated
page.  This is how we end up with an elevated map count.

To solve, check the dst_pte entry for huge_pte_none.  If !none, this
implies PMD sharing so do not copy.

Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com
Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2606,7 +2606,7 @@ static int is_hugetlb_entry_hwpoisoned(p
 int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
 			    struct vm_area_struct *vma)
 {
-	pte_t *src_pte, *dst_pte, entry;
+	pte_t *src_pte, *dst_pte, entry, dst_entry;
 	struct page *ptepage;
 	unsigned long addr;
 	int cow;
@@ -2634,15 +2634,30 @@ int copy_hugetlb_page_range(struct mm_st
 			break;
 		}
 
-		/* If the pagetables are shared don't copy or take references */
-		if (dst_pte == src_pte)
+		/*
+		 * If the pagetables are shared don't copy or take references.
+		 * dst_pte == src_pte is the common case of src/dest sharing.
+		 *
+		 * However, src could have 'unshared' and dst shares with
+		 * another vma.  If dst_pte !none, this implies sharing.
+		 * Check here before taking page table lock, and once again
+		 * after taking the lock below.
+		 */
+		dst_entry = huge_ptep_get(dst_pte);
+		if ((dst_pte == src_pte) || !huge_pte_none(dst_entry))
 			continue;
 
 		dst_ptl = huge_pte_lock(h, dst, dst_pte);
 		src_ptl = huge_pte_lockptr(h, src, src_pte);
 		spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
 		entry = huge_ptep_get(src_pte);
-		if (huge_pte_none(entry)) { /* skip none entry */
+		dst_entry = huge_ptep_get(dst_pte);
+		if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) {
+			/*
+			 * Skip if src entry none.  Also, skip in the
+			 * unlikely case dst entry !none as this implies
+			 * sharing with another vma.
+			 */
 			;
 		} else if (unlikely(is_hugetlb_entry_migration(entry) ||
 				    is_hugetlb_entry_hwpoisoned(entry))) {
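Review bot: Style point on the recheck under the lock: the new comment calls a non-empty dst entry "the unlikely case", but `huge_pte_none(entry) || !huge_pte_none(dst_entry)` carries no unlikely() annotation, while the else-if directly below wraps its test in unlikely(). Either annotate the dst_entry half of the condition or drop the word from the comment. The branch body is also now a multi-line comment followed by a lone `;`, which is easy to misread as an accidental empty statement; moving the comment above the `if` would make the intent clearer.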



* [PATCH 3.16 212/305] drm/i915: Disable LP3 watermarks on all SNB machines
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 227/305] team: no need to do team_notify_peers or team_mcast_rejoin when disabling port Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 235/305] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() Ben Hutchings
                   ` (256 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ville Syrjälä,
	Joonas Lahtinen, Chris Wilson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 21556350ade3cb5d7afecc8b3544e56431d21695 upstream.

I have a Thinkpad X220 Tablet in my hands that is losing vblank
interrupts whenever LP3 watermarks are used.

If I nudge the latency value written to the WM3 register just
by one in either direction the problem disappears. That to me
suggests that the punit will not enter the corresponding
powersave mode (MPLL shutdown IIRC) unless the latency value
in the register matches exactly what we read from SSKPD. Ie.
it's not really a latency value but rather just a cookie
by which the punit can identify the desired power saving state.
On HSW/BDW this was changed such that we actually just write
the WM level number into those bits, which makes much more
sense given the observed behaviour.

We could try to handle this by disallowing LP3 watermarks
only when vblank interrupts are enabled but we'd first have
to prove that only vblank interrupts are affected, which
seems unlikely. Also we can't grab the wm mutex from the
vblank enable/disable hooks because those are called with
various spinlocks held. Thus we'd have to redesign the
watermark locking. So to play it safe and keep the code
simple we simply disable LP3 watermarks on all SNB machines.

To do that we simply zero out the latency values for
watermark level 3, and we adjust the watermark computation
to check for that. The behaviour now matches that of the
g4x/vlv/skl wm code in the presence of a zeroed latency
value.

v2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris)

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com
(cherry picked from commit 03981c6ebec4fc7056b9b45f847393aeac90d060)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
[bwh: Backported to 3.16:
 - Pass drm_device pointer, rather than drm_i915_private pointer, to
   snb_wm_lp3_irq_quirk() and intel_print_wm_latency()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_pm.c | 41 ++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -1749,6 +1749,9 @@ static uint32_t ilk_compute_pri_wm(const
 {
 	uint32_t method1, method2;
 
+	if (mem_value == 0)
+		return U32_MAX;
+
 	if (!params->active || !params->pri.enabled)
 		return 0;
 
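Review bot: Missing documentation for the new `mem_value == 0` early return in ilk_compute_pri_wm(): nothing at the check says that a zero latency marks a disabled watermark level or why U32_MAX is the right result for it. The check also sits ahead of the `!params->active || !params->pri.enabled` test, so an inactive plane now yields U32_MAX rather than 0 for such a level; worth confirming that ordering is intended. The same three lines are repeated in ilk_compute_spr_wm() and ilk_compute_cur_wm() in the next two hunks, so a small shared helper could carry the explanation once.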
@@ -1777,6 +1780,9 @@ static uint32_t ilk_compute_spr_wm(const
 {
 	uint32_t method1, method2;
 
+	if (mem_value == 0)
+		return U32_MAX;
+
 	if (!params->active || !params->spr.enabled)
 		return 0;
 
@@ -1798,6 +1804,9 @@ static uint32_t ilk_compute_spr_wm(const
 static uint32_t ilk_compute_cur_wm(const struct ilk_pipe_wm_parameters *params,
 				   uint32_t mem_value)
 {
+	if (mem_value == 0)
+		return U32_MAX;
+
 	if (!params->active || !params->cur.enabled)
 		return 0;
 
@@ -2149,6 +2158,36 @@ static void snb_wm_latency_quirk(struct
 	intel_print_wm_latency(dev, "Cursor", dev_priv->wm.cur_latency);
 }
 
+static void snb_wm_lp3_irq_quirk(struct drm_device *dev)
+{
+	struct drm_i915_private *dev_priv = dev->dev_private;
+
+	/*
+	 * On some SNB machines (Thinkpad X220 Tablet at least)
+	 * LP3 usage can cause vblank interrupts to be lost.
+	 * The DEIIR bit will go high but it looks like the CPU
+	 * never gets interrupted.
+	 *
+	 * It's not clear whether other interrupt source could
+	 * be affected or if this is somehow limited to vblank
+	 * interrupts only. To play it safe we disable LP3
+	 * watermarks entirely.
+	 */
+	if (dev_priv->wm.pri_latency[3] == 0 &&
+	    dev_priv->wm.spr_latency[3] == 0 &&
+	    dev_priv->wm.cur_latency[3] == 0)
+		return;
+
+	dev_priv->wm.pri_latency[3] = 0;
+	dev_priv->wm.spr_latency[3] = 0;
+	dev_priv->wm.cur_latency[3] = 0;
+
+	DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n");
+	intel_print_wm_latency(dev, "Primary", dev_priv->wm.pri_latency);
+	intel_print_wm_latency(dev, "Sprite", dev_priv->wm.spr_latency);
+	intel_print_wm_latency(dev, "Cursor", dev_priv->wm.cur_latency);
+}
+
 static void ilk_setup_wm_latency(struct drm_device *dev)
 {
 	struct drm_i915_private *dev_priv = dev->dev_private;
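Review bot: The three intel_print_wm_latency() calls at the end of snb_wm_lp3_irq_quirk() repeat the dump that already closes snb_wm_latency_quirk() (its "Cursor" call is the context line just above the new function), so when the quirk fires the full latency tables are printed again although only level 3 changed. Consider relying on the DRM_DEBUG_KMS() line alone, or printing just the level that was zeroed. The early return when all three level-3 latencies are already 0 is a good guard and could be mentioned in the function comment.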
@@ -2167,8 +2206,10 @@ static void ilk_setup_wm_latency(struct
 	intel_print_wm_latency(dev, "Sprite", dev_priv->wm.spr_latency);
 	intel_print_wm_latency(dev, "Cursor", dev_priv->wm.cur_latency);
 
-	if (IS_GEN6(dev))
+	if (IS_GEN6(dev)) {
 		snb_wm_latency_quirk(dev);
+		snb_wm_lp3_irq_quirk(dev);
+	}
 }
 
 static void ilk_compute_wm_parameters(struct drm_crtc *crtc,



* [PATCH 3.16 216/305] HID: Add quirk for Primax PIXART OEM mice
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (267 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 114/305] thermal: rcar_thermal: Prevent hardware access during system suspend Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 153/305] USB: quirks: Add no-lpm quirk for Raydium touchscreens Ben Hutchings
                   ` (36 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sebastian Parschauer, Jiri Kosina

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Parschauer <sparschauer@suse.de>

commit fb862c3b199d28bee238d52e8270eae8650d6cb0 upstream.

The PixArt OEM mice are known for disconnecting every minute in
runlevel 1 or 3 if they are not always polled. So add quirk
ALWAYS_POLL for two Primax mice as well.

0x4e22 is the Dell MS111-P and 0x4d0f is the unbranded HP Portia
mouse HP 697738-001. Both were built until approx. 2014.
Those were the standard mice from those vendors and are still
around - even as new old stock.

Reference: https://github.com/sriemer/fix-linux-mouse/issues/11

Signed-off-by: Sebastian Parschauer <sparschauer@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16:
 - Don't use HID_USB_DEVICE()
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-ids.h           | 2 ++
 drivers/hid/usbhid/hid-quirks.c | 2 ++
 2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -1055,6 +1055,8 @@
 #define USB_VENDOR_ID_PRIMAX	0x0461
 #define USB_DEVICE_ID_PRIMAX_MOUSE_4D22	0x4d22
 #define USB_DEVICE_ID_PRIMAX_KEYBOARD	0x4e05
+#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F	0x4d0f
+#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22	0x4e22
 
 
 #define USB_VENDOR_ID_RISO_KAGAKU	0x1294	/* Riso Kagaku Corp. */
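Review bot: Documentation point on the two new defines: the names only repeat the product IDs, while the commit message identifies 0x4e22 as the Dell MS111-P and 0x4d0f as the unbranded HP Portia mouse (HP 697738-001). A trailing comment on each #define, in the style of the Riso Kagaku line below, would keep that mapping in the source rather than only in the log.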
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -129,6 +129,8 @@ static const struct hid_blacklist {
 	{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN1, HID_QUIRK_NO_INIT_REPORTS },
 	{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN2, HID_QUIRK_NO_INIT_REPORTS },
 	{ USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22, HID_QUIRK_ALWAYS_POLL },
+	{ USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F, HID_QUIRK_ALWAYS_POLL },
+	{ USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS, HID_QUIRK_NOGET },
 	{ USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001, HID_QUIRK_NOGET },
 	{ USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3003, HID_QUIRK_NOGET },



* [PATCH 3.16 221/305] drm/ast: fixed cursor may disappear sometimes
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 042/305] crypto: lrw - Fix out-of bounds access on counter overflow Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 078/305] gfs2_meta: ->mount() can get NULL dev_name Ben Hutchings
                   ` (51 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dave Airlie, Y.C. Chen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Y.C. Chen" <yc_chen@aspeedtech.com>

commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream.

Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/ast/ast_mode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/ast/ast_mode.c
+++ b/drivers/gpu/drm/ast/ast_mode.c
@@ -1233,7 +1233,7 @@ static int ast_cursor_move(struct drm_cr
 	ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xc7, ((y >> 8) & 0x07));
 
 	/* dummy write to fire HWC */
-	ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00);
+	ast_show_cursor(crtc);
 
 	return 0;
 }
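Review bot: The comment `/* dummy write to fire HWC */` is left in place above the changed line, but the dummy write to index 0xCB is exactly what this hunk removes; after the change the comment describes ast_show_cursor(crtc), which is not a dummy write. Update or drop the comment. Since the commit message has no body, that comment is also the only place a reader could learn why showing the cursor is needed at the end of ast_cursor_move(), so a sentence on the reason would be welcome there.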



* [PATCH 3.16 217/305] ACPI / platform: Add SMB0001 HID to forbidden_id_list
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 276/305] USB: serial: option: add HP lt4132 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 083/305] btrfs: wait on caching when putting the bg cache Ben Hutchings
                   ` (169 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marc, Rafael J. Wysocki, Lukas Kahnert,
	Hans de Goede

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 2bbb5fa37475d7aa5fa62f34db1623f3da2dfdfa upstream.

Many HP AMD based laptops contain an SMB0001 device like this:

Device (SMBD)
{
    Name (_HID, "SMB0001")  // _HID: Hardware ID
    Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
    {
        IO (Decode16,
            0x0B20,             // Range Minimum
            0x0B20,             // Range Maximum
            0x20,               // Alignment
            0x20,               // Length
            )
        IRQ (Level, ActiveLow, Shared, )
            {7}
    })
}

The legacy style IRQ resource here causes acpi_dev_get_irqresource() to
be called with legacy=true and this message to show in dmesg:
ACPI: IRQ 7 override to edge, high

This causes issues when later on the AMD0030 GPIO device gets enumerated:

Device (GPIO)
{
    Name (_HID, "AMDI0030")  // _HID: Hardware ID
    Name (_CID, "AMDI0030")  // _CID: Compatible ID
    Name (_UID, Zero)  // _UID: Unique ID
    Method (_CRS, 0, NotSerialized)  // _CRS: Current Resource Settings
    {
	Name (RBUF, ResourceTemplate ()
	{
	    Interrupt (ResourceConsumer, Level, ActiveLow, Shared, ,, )
	    {
		0x00000007,
	    }
	    Memory32Fixed (ReadWrite,
		0xFED81500,         // Address Base
		0x00000400,         // Address Length
		)
	})
	Return (RBUF) /* \_SB_.GPIO._CRS.RBUF */
    }
}

Now acpi_dev_get_irqresource() gets called with legacy=false, but because
of the earlier override of the trigger-type acpi_register_gsi() returns
-EBUSY (because we try to register the same interrupt with a different
trigger-type) and we end up setting IORESOURCE_DISABLED in the flags.

The setting of IORESOURCE_DISABLED causes platform_get_irq() to call
acpi_irq_get() which is not implemented on x86 and returns -EINVAL,
resulting in the following in dmesg:

amd_gpio AMDI0030:00: Failed to get gpio IRQ: -22
amd_gpio: probe of AMDI0030:00 failed with error -22

The SMB0001 is a "virtual" device in the sense that the only way the OS
interacts with it is through calling a couple of methods to do SMBus
transfers. As such it is weird that it has IO and IRQ resources at all,
because the driver for it is not expected to ever access the hardware
directly.

The Linux driver for the SMB0001 device directly binds to the acpi_device
through the acpi_bus, so we do not need to instantiate a platform_device
for this ACPI device. This commit adds the SMB0001 HID to the
forbidden_id_list, avoiding the instantiating of a platform_device for it.
Not instantiating a platform_device means we will no longer call
acpi_dev_get_irqresource() for the legacy IRQ resource fixing the probe of
the AMDI0030 device failing.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1644013
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198715
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199523
Reported-by: Lukas Kahnert <openproggerfreak@gmail.com>
Tested-by: Marc <suaefar@googlemail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/acpi_platform.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/acpi/acpi_platform.c
+++ b/drivers/acpi/acpi_platform.c
@@ -28,6 +28,7 @@ static const struct acpi_device_id forbi
 	{"PNP0200",  0},	/* AT DMA Controller */
 	{"ACPI0009", 0},	/* IOxAPIC */
 	{"ACPI000A", 0},	/* IOAPIC */
+	{"SMB0001",  0},	/* ACPI SMBUS virtual device */
 	{"", 0},
 };
 
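Review bot: Documentation point on the new `{"SMB0001",  0}` entry: the neighbouring comments simply name the device, but this ID is listed for a reason that appears only in the commit message (its legacy IRQ resource overrides the trigger type of IRQ 7, which later makes the AMDI0030 probe fail). Consider extending the comment to say that the device is bound through the ACPI bus and must not get a platform device, so the entry is not removed later as unexplained.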



* [PATCH 3.16 215/305] usb: cdc-acm: add entry for Hiro (Conexant) modem
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 177/305] can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 040/305] kgdboc: Passing ekgdboc to command line causes panic Ben Hutchings
                   ` (288 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Maarten Jacobs, Greg Kroah-Hartman, Oliver Neukum

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Maarten Jacobs <maarten256@outlook.com>

commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f upstream.

The cdc-acm kernel module currently does not support the Hiro (Conexant)
H05228 USB modem. The patch below adds the device specific information:
	idVendor	0x0572
	idProduct	0x1349

Signed-off-by: Maarten Jacobs <maarten256@outlook.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1729,6 +1729,9 @@ static const struct usb_device_id acm_id
 	{ USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */
 	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
 	},
+	{ USB_DEVICE(0x0572, 0x1349), /* Hiro (Conexant) USB MODEM H50228 */
+	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+	},
 	{ USB_DEVICE(0x20df, 0x0001), /* Simtec Electronics Entropy Key */
 	.driver_info = QUIRK_CONTROL_LINE_STATE, },
 	{ USB_DEVICE(0x2184, 0x001c) },	/* GW Instek AFG-2225 */
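Review bot: The comment on the new entry names the device "H50228", while the commit message calls it the H05228; one of the two has transposed digits. Please confirm the model number against the hardware and make the comment and the log agree, since the comment is what people will search for when matching a device to this table.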



* [PATCH 3.16 026/305] signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 121/305] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 204/305] usb: xhci: Prevent bus suspend if a port connect change or polling state is detected Ben Hutchings
                   ` (271 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Gleixner, Eric W. Biederman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 3597dfe01d12f570bc739da67f857fd222a3ea66 upstream.

Instead of playing whack-a-mole and changing SEND_SIG_PRIV to
SEND_SIG_FORCED throughout the kernel to ensure a pid namespace init
gets signals sent by the kernel, stop allowing a pid namespace init to
ignore SIGKILL or SIGSTOP sent by the kernel.  A pid namespace init is
only supposed to be able to ignore signals sent from itself and
children with SIG_DFL.

Fixes: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals")
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/signal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1040,7 +1040,7 @@ static int __send_signal(int sig, struct
 
 	result = TRACE_SIGNAL_IGNORED;
 	if (!prepare_signal(sig, t,
-			from_ancestor_ns || (info == SEND_SIG_FORCED)))
+			from_ancestor_ns || (info == SEND_SIG_PRIV) || (info == SEND_SIG_FORCED)))
 		goto ret;
 
 	pending = group ? &t->signal->shared_pending : &t->pending;
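Review bot: Missing documentation at the prepare_signal() call: the force argument is now true for SEND_SIG_PRIV as well as SEND_SIG_FORCED, which widens the forced path to the kernel-sent signals the commit message talks about, yet nothing at the call site says that a pid namespace init can no longer ignore a kernel-sent SIGKILL or SIGSTOP. A short comment would help. The changed line also runs well past 80 columns; computing the condition into a named local before the call would fix the length and give the comment a natural home.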



* [PATCH 3.16 222/305] Btrfs: fix race between enabling quotas and subvolume creation
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (260 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 003/305] x86/asm: Fix pud/pmd interfaces to handle large PAT bit Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 266/305] USB: check usb_get_extra_descriptor for proper size Ben Hutchings
                   ` (43 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Qu Wenruo, Filipe Manana

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 552f0329c75b3e1d7f9bb8c9e421d37403f192cd upstream.

We have a race between enabling quotas and subvolume creation that causes
subvolume creation to fail with -EINVAL, and the following diagram shows
how it happens:

              CPU 0                                          CPU 1

 btrfs_ioctl()
  btrfs_ioctl_quota_ctl()
   btrfs_quota_enable()
    mutex_lock(fs_info->qgroup_ioctl_lock)

                                                  btrfs_ioctl()
                                                   create_subvol()
                                                    btrfs_qgroup_inherit()
                                                     -> save fs_info->quota_root
                                                        into quota_root
                                                     -> stores a NULL value
                                                     -> tries to lock the mutex
                                                        qgroup_ioctl_lock
                                                        -> blocks waiting for
                                                           the task at CPU0

   -> sets BTRFS_FS_QUOTA_ENABLED in fs_info
   -> sets quota_root in fs_info->quota_root
      (non-NULL value)

   mutex_unlock(fs_info->qgroup_ioctl_lock)

                                                     -> checks quota enabled
                                                        flag is set
                                                     -> returns -EINVAL because
                                                        fs_info->quota_root was
                                                        NULL before it acquired
                                                        the mutex
                                                        qgroup_ioctl_lock
                                                   -> ioctl returns -EINVAL

Returning -EINVAL to user space will be confusing if all the arguments
passed to the subvolume creation ioctl were valid.

Fix it by grabbing the value from fs_info->quota_root after acquiring
the mutex.

Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/qgroup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -2024,7 +2024,7 @@ int btrfs_qgroup_inherit(struct btrfs_tr
 	int ret = 0;
 	int i;
 	u64 *i_qgroups;
-	struct btrfs_root *quota_root = fs_info->quota_root;
+	struct btrfs_root *quota_root;
 	struct btrfs_qgroup *srcgroup;
 	struct btrfs_qgroup *dstgroup;
 	u32 level_size = 0;
@@ -2034,6 +2034,7 @@ int btrfs_qgroup_inherit(struct btrfs_tr
 	if (!fs_info->quota_enabled)
 		goto out;
 
+	quota_root = fs_info->quota_root;
 	if (!quota_root) {
 		ret = -EINVAL;
 		goto out;
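Review bot: The fix depends on `quota_root = fs_info->quota_root;` running after qgroup_ioctl_lock has been taken, but the lock call is outside the hunk and nothing at the new assignment records that requirement. A one-line comment there, saying that quota_root must be read under qgroup_ioctl_lock because btrfs_quota_enable() sets it while holding that lock, would stop a later cleanup from folding the read back into the declaration that the first hunk just emptied.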


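The interleaving drawn in the commit message above, replayed deterministically as an added example (not the btrfs code and not part of the original message). The structure and function names are hypothetical stand-ins, and blocking on the mutex is modelled by letting the enabling task run to completion before the waiter proceeds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the structures named in the commit message. */
struct quota_root_model { int id; };

struct fs_info_model {
	int quota_enabled;                    /* flag set by the enabling task */
	struct quota_root_model *quota_root;  /* NULL until quotas are enabled */
	int enable_in_progress;               /* "CPU 0" holds the ioctl lock */
};

static struct quota_root_model the_root = { 1 };

/* "CPU 0": publish the flag and the root, then release the lock. */
static void cpu0_finish_enable(struct fs_info_model *fs)
{
	fs->quota_enabled = 1;
	fs->quota_root = &the_root;
	fs->enable_in_progress = 0;
}

/*
 * Model of blocking on the mutex: if the enabling task holds it, that task
 * runs to completion before the caller is granted the lock.
 */
static void model_lock(struct fs_info_model *fs)
{
	if (fs->enable_in_progress)
		cpu0_finish_enable(fs);
}

/* Pre-fix ordering: snapshot the pointer, then wait for the lock. */
static int inherit_read_before_lock(struct fs_info_model *fs)
{
	struct quota_root_model *quota_root = fs->quota_root; /* may go stale */

	model_lock(fs);
	if (!fs->quota_enabled)
		return 0;        /* quotas off: nothing to inherit */
	if (!quota_root)
		return -EINVAL;  /* flag is set, but the snapshot is still NULL */
	return 0;
}

/* Post-fix ordering: read the pointer only once the lock is held. */
static int inherit_read_under_lock(struct fs_info_model *fs)
{
	struct quota_root_model *quota_root;

	model_lock(fs);
	if (!fs->quota_enabled)
		return 0;
	quota_root = fs->quota_root;
	if (!quota_root)
		return -EINVAL;
	return 0;
}

/*
 * Constructed scenarios: mid_enable = 1 starts with "CPU 0" holding the lock
 * and nothing published yet, which is the state shown in the diagram.
 */
int run_scenario(int fixed, int mid_enable)
{
	struct fs_info_model fs = { 0, NULL, mid_enable };

	return fixed ? inherit_read_under_lock(&fs)
		     : inherit_read_before_lock(&fs);
}

int main(void)
{
	printf("read before lock, enable racing: %d\n", run_scenario(0, 1));
	printf("read under lock,  enable racing: %d\n", run_scenario(1, 1));
	printf("read before lock, quotas off:    %d\n", run_scenario(0, 0));
	printf("read under lock,  quotas off:    %d\n", run_scenario(1, 0));
	return 0;
}
```

Only the racing case separates the two orderings, which is why the failure shows up as an intermittent -EINVAL on otherwise valid ioctl arguments.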

* [PATCH 3.16 226/305] ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (180 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 292/305] KVM: Handle MSR_IA32_PERF_CTL Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 299/305] vxlan: Fix error path in __vxlan_dev_create() Ben Hutchings
                   ` (123 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 7194eda1ba0872d917faf3b322540b4f57f11ba5 upstream.

The function snd_ac97_put_spsa() gets the bit shift value from the
associated private_value, but it extracts too much; the current code
extracts 8 bit values in bits 8-15, but this is a combination of two
nibbles (bits 8-11 and bits 12-15) for left and right shifts.
Due to the incorrect bits extraction, the actual shift may go beyond
the 32bit value, as spotted recently by UBSAN check:
 UBSAN: Undefined behaviour in sound/pci/ac97/ac97_codec.c:836:7
 shift exponent 68 is too large for 32-bit type 'int'

This patch fixes the shift value extraction by masking it properly
with 0x0f instead of 0xff.

Reported-and-tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/ac97/ac97_codec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/ac97/ac97_codec.c
+++ b/sound/pci/ac97/ac97_codec.c
@@ -829,7 +829,7 @@ static int snd_ac97_put_spsa(struct snd_
 {
 	struct snd_ac97 *ac97 = snd_kcontrol_chip(kcontrol);
 	int reg = kcontrol->private_value & 0xff;
-	int shift = (kcontrol->private_value >> 8) & 0xff;
+	int shift = (kcontrol->private_value >> 8) & 0x0f;
 	int mask = (kcontrol->private_value >> 16) & 0xff;
 	// int invert = (kcontrol->private_value >> 24) & 0xff;
 	unsigned short value, old, new;
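Review bot: Missing documentation at the changed `shift` line: per the commit message, bits 8-15 of private_value hold two 4-bit shift fields (left and right), and the new 0x0f mask keeps only bits 8-11 while silently ignoring bits 12-15. A comment stating which of the two shifts snd_ac97_put_spsa() uses, and that the other nibble is deliberately unused here, would make the asymmetry with the 0xff masks on the `reg` and `mask` lines around it look intentional rather than like a typo.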



* [PATCH 3.16 004/305] x86/mm: Simplify p[g4um]d_page() macros
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (171 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 272/305] virtio/s390: fix race in ccw_io_helper() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 095/305] parisc: Fix map_pages() to not overwrite existing pte entries Ben Hutchings
                   ` (132 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, kasan-dev, Dave Young, Andy Lutomirski,
	Arnd Bergmann, Andrey Ryabinin, Dmitry Vyukov,
	Alexander Potapenko, Konrad Rzeszutek Wilk, linux-efi,
	Jonathan Corbet, Brijesh Singh, Peter Zijlstra, Paolo Bonzini,
	Toshimitsu Kani, linux-doc, Borislav Petkov, Thomas Gleixner,
	Wenkuan Wang, Tom Lendacky, linux-arch, Rik van Riel,
	Matt Fleming, Larry Woodman, kvm, linux-mm, Ingo Molnar,
	Linus Torvalds, Andi Kleen, Greg Kroah-Hartman, Borislav Petkov,
	Michael S. Tsirkin, Radim Krčmář

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit fd7e315988b784509ba3f1b42f539bd0b1fca9bb upstream.

Create a pgd_pfn() macro similar to the p[4um]d_pfn() macros and then
use the p[g4um]d_pfn() macros in the p[g4um]d_page() macros instead of
duplicating the code.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Toshimitsu Kani <toshi.kani@hpe.com>
Cc: kasan-dev@googlegroups.com
Cc: kvm@vger.kernel.org
Cc: linux-arch@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-efi@vger.kernel.org
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/e61eb533a6d0aac941db2723d8aa63ef6b882dee.1500319216.git.thomas.lendacky@amd.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[Backported to 4.9 stable by AK, suggested by Michael Hocko]
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wenkuan Wang <Wenkuan.Wang@windriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/pgtable.h | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -166,6 +166,11 @@ static inline unsigned long pud_pfn(pud_
 	return (pfn & pud_pfn_mask(pud)) >> PAGE_SHIFT;
 }
 
+static inline unsigned long pgd_pfn(pgd_t pgd)
+{
+	return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
+}
+
 #define pte_page(pte)	pfn_to_page(pte_pfn(pte))
 
 static inline int pmd_large(pmd_t pte)
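Review bot: pgd_pfn() masks with the fixed PTE_PFN_MASK, while pud_pfn() directly above it masks with pud_pfn_mask(pud). A one-line comment on the new helper saying why the top level needs no per-entry mask would make the asymmetry read as deliberate rather than as an oversight.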
@@ -591,8 +596,7 @@ static inline unsigned long pmd_page_vad
  * Currently stuck as a macro due to indirect forward reference to
  * linux/mmzone.h's __section_mem_map_addr() definition:
  */
-#define pmd_page(pmd)		\
-	pfn_to_page((pmd_val(pmd) & pmd_pfn_mask(pmd)) >> PAGE_SHIFT)
+#define pmd_page(pmd)	pfn_to_page(pmd_pfn(pmd))
 
 /*
  * the pmd page can be thought of an array like this: pmd_t[PTRS_PER_PMD]
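Review bot: the old pmd_page() spelled out `(pmd_val(pmd) & pmd_pfn_mask(pmd)) >> PAGE_SHIFT`, and the replacement is equivalent only if pmd_pfn() in this tree computes exactly that. Its body is not part of this patch, so for a backport it is worth checking against the 3.16 source that pmd_pfn() (and pud_pfn(), used the same way in the next hunk) does nothing beyond mask and shift that pmd_page() callers did not get before.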
@@ -665,8 +669,7 @@ static inline unsigned long pud_page_vad
  * Currently stuck as a macro due to indirect forward reference to
  * linux/mmzone.h's __section_mem_map_addr() definition:
  */
-#define pud_page(pud)		\
-	pfn_to_page((pud_val(pud) & pud_pfn_mask(pud)) >> PAGE_SHIFT)
+#define pud_page(pud)	pfn_to_page(pud_pfn(pud))
 
 /* Find an entry in the second-level page table.. */
 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
@@ -706,7 +709,7 @@ static inline unsigned long pgd_page_vad
  * Currently stuck as a macro due to indirect forward reference to
  * linux/mmzone.h's __section_mem_map_addr() definition:
  */
-#define pgd_page(pgd)		pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
+#define pgd_page(pgd)		pfn_to_page(pgd_pfn(pgd))
 
 /* to find an entry in a page-table-directory. */
 static inline unsigned long pud_index(unsigned long address)
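Review bot: pgd_page() changes behaviour here, not just spelling: the old macro shifted pgd_val(pgd) unmasked, the new one goes through pgd_pfn() and so applies PTE_PFN_MASK first. The commit message describes the patch only as removing duplication; it should also say that pgd_page() now strips the non-address bits.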



* [PATCH 3.16 213/305] new helper: uaccess_kernel()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (211 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 262/305] usb: appledisplay: Add 27" Apple Cinema Display Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 297/305] net: macb: fix dropped RX frames due to a race Ben Hutchings
                   ` (92 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Al Viro

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit db68ce10c4f0a27c1ff9fa0e789e5c41f8c4ea63 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[only take the include/linux/uaccess.h portion - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/uaccess.h | 3 +++
 1 file changed, 3 insertions(+)

--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -2,6 +2,9 @@
 #define __LINUX_UACCESS_H__
 
 #include <linux/preempt.h>
+
+#define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
+
 #include <asm/uaccess.h>
 
 /*
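Review bot: uaccess_kernel() is defined above `#include <asm/uaccess.h>`, which is where segment_eq(), get_fs() and KERNEL_DS come from. That works only because it is a macro expanded at the point of use; placing it after the include, or adding a comment, would keep it from breaking if it is ever turned into an inline function. The macro also has no description, and the commit message has no body: one line stating that it is true when the address limit is KERNEL_DS, and naming the later patch in the series that needs it, would help anyone reviewing the backport.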



* [PATCH 3.16 013/305] ARM: fix put_user() for gcc-8
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 105/305] genirq: Fix race on spurious interrupt detection Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 047/305] EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting Ben Hutchings
                   ` (176 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Bernd Edlinger, Arnd Bergmann,
	Greg Kroah-Hartman, Johannes Pointner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

Building kernels before linux-4.7 with gcc-8 results in many build failures
when gcc triggers a check that was meant to catch broken compilers:

/tmp/ccCGMQmS.s:648: Error: .err encountered

According to the discussion in the gcc bugzilla, a local "register
asm()" variable is still supposed to be the correct way to force an
inline assembly to use a particular register, but marking it 'const'
lets the compiler do optimizations that break that, i.e. the compiler is
free to treat the variable as either 'const' or 'register' in that case.

Upstream commit 9f73bd8bb445 ("ARM: uaccess: remove put_user() code
duplication") fixed this problem in linux-4.8 as part of a larger change,
but seems a little too big to be backported to 4.4.

Let's take the simplest fix and change only the one broken line in the
same way as newer kernels.

Suggested-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85745
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86673
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Johannes Pointner <h4nn35.work@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -172,7 +172,7 @@ extern int __put_user_8(void *, unsigned
 	({								\
 		unsigned long __limit = current_thread_info()->addr_limit - 1; \
 		const typeof(*(p)) __user *__tmp_p = (p);		\
-		register const typeof(*(p)) __r2 asm("r2") = (x);	\
+		register typeof(*(p)) __r2 asm("r2") = (x);	\
 		register const typeof(*(p)) __user *__p asm("r0") = __tmp_p; \
 		register unsigned long __l asm("r1") = __limit;		\
 		register int __e asm("r0");				\
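Review bot: nothing on the changed `__r2` line says why the const was dropped, so a later cleanup could easily put it back. A brief comment next to the declaration, pointing at the gcc bugzilla entries from the commit message, would prevent that. The `__p` declaration on the following line keeps its const, but there it qualifies the pointed-to type and not the register variable itself, so it is not the same pattern; worth stating in the commit message that it was looked at and left alone on purpose.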



* [PATCH 3.16 190/305] netfilter: nf_tables: don't use position attribute on rule replacement
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 044/305] net: phy: Stop with excessive soft reset Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 147/305] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing Ben Hutchings
                   ` (126 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Florian Westphal, Pablo Neira Ayuso

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 447750f281abef547be44fdcfe3bc4447b3115a8 upstream.

It's possible to set both HANDLE and POSITION when replacing a rule.
In this case, the rule at POSITION gets replaced using the
userspace-provided handle.  Rule handles are supposed to be generated
by the kernel only.

Duplicate handles should be harmless, however better disable this "feature"
by only checking for the POSITION attribute on insert operations.

Fixes: 5e94846686d0 ("netfilter: nf_tables: add insert operation")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16:
 - Don't use extack
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1767,16 +1767,13 @@ static int nf_tables_newrule(struct sock
 
 		if (chain->use == UINT_MAX)
 			return -EOVERFLOW;
-	}
-
-	if (nla[NFTA_RULE_POSITION]) {
-		if (!(nlh->nlmsg_flags & NLM_F_CREATE))
-			return -EOPNOTSUPP;
 
-		pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
-		old_rule = __nf_tables_rule_lookup(chain, pos_handle);
-		if (IS_ERR(old_rule))
-			return PTR_ERR(old_rule);
+		if (nla[NFTA_RULE_POSITION]) {
+			pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
+			old_rule = __nf_tables_rule_lookup(chain, pos_handle);
+			if (IS_ERR(old_rule))
+				return PTR_ERR(old_rule);
+		}
 	}
 
 	nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
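Review bot: the removed `if (!(nlh->nlmsg_flags & NLM_F_CREATE)) return -EOPNOTSUPP;` was an explicit rejection, and after this hunk the NFTA_RULE_POSITION lookup simply sits inside the preceding block, whose condition is outside the visible context. If that block is the create-only branch, a request that carries POSITION without creating a rule is no longer refused but has the attribute ignored. The commit message should say whether that change in the error returned to userspace is intended, and the backport note should confirm the enclosing condition in 3.16 matches upstream.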



* [PATCH 3.16 191/305] libata: Apply NOLPM quirk for SAMSUNG MZMPC128HBFU-000MV SSD
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 102/305] dm ioctl: harden copy_params()'s copy_from_user() from malicious users Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 177/305] can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds Ben Hutchings
                   ` (290 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans de Goede, Kevin Shanahan, Tejun Heo

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit b5b4d3a52c8fd6e3fc6469c5a64ca0139c07229e upstream.

Kevin Shanahan reports the following repeating errors when using LPM,
causing long delays accessing the disk:

  Apr 23 10:21:43 link kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x50000 action 0x6 frozen
  Apr 23 10:21:43 link kernel: ata1: SError: { PHYRdyChg CommWake }
  Apr 23 10:21:43 link kernel: ata1.00: failed command: WRITE DMA
  Apr 23 10:21:43 link kernel: ata1.00: cmd ca/00:08:60:5d:cd/00:00:00:00:00/e1 tag 9 dma 4096 out
                                        res 50/01:01:01:00:00/00:00:00:00:00/00 Emask 0x4 (timeout)
  Apr 23 10:21:43 link kernel: ata1.00: status: { DRDY }
  Apr 23 10:21:43 link kernel: ata1.00: error: { AMNF }
  Apr 23 10:21:43 link kernel: ata1: hard resetting link
  Apr 23 10:21:43 link kernel: ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
  Apr 23 10:21:43 link kernel: ata1.00: configured for UDMA/133
  Apr 23 10:21:43 link kernel: ata1: EH complete

These go away when switching from med_power_with_dipm to medium_power.

This is somewhat weird as the PM830 datasheet explicitly mentions DIPM
being supported and the idle power-consumption is specified with DIPM
enabled.

There are many OEM customized firmware versions for the PM830, so for now
let's assume this is firmware version specific and blacklist LPM based on
the firmware version.

Cc: Kevin Shanahan <kevin@shanahan.id.au>
Reported-by: Kevin Shanahan <kevin@shanahan.id.au>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4246,6 +4246,9 @@ static const struct ata_blacklist_entry
 	{ "Crucial_CT960M500*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM |
 						ATA_HORKAGE_NOLPM, },
 
+	/* This specific Samsung model/firmware-rev does not handle LPM well */
+	{ "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
+
 	/* devices that don't properly handle queued TRIM commands */
 	{ "Micron_M500IT_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
 	{ "Micron_M500_*",		NULL,	ATA_HORKAGE_NO_NCQ_TRIM, },
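Review bot: the new entry matches one exact model string and one firmware revision ("CXM14M1Q") with no wildcard, unlike the neighbouring entries, so any other firmware build of the same drive keeps LPM enabled. That follows the commit message's assumption, but the in-code comment only says the drive "does not handle LPM well"; naming the symptom (link resets and command timeouts with med_power_with_dipm) would tell whoever extends the list later what to look for before widening the match.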



* [PATCH 3.16 189/305] batman-adv: Expand merged fragment buffer for full packet
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 268/305] xhci: workaround CSS timeout on AMD SNPS 3.0 xHC Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 002/305] x86/asm: Move PUD_PAGE macros to page_types.h Ben Hutchings
                   ` (95 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Simon Wunderlich, Martin Weinelt, Sven Eckelmann

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 upstream.

The complete size ("total_size") of the fragmented packet is stored in the
fragment header and in the size of the fragment chain. When the fragments
are ready for merge, the skbuff's tail of the first fragment is expanded to
have enough room after the data pointer for at least total_size. This means
that it gets expanded by total_size - first_skb->len.

But this is ignoring the fact that after expanding the buffer, the fragment
header is pulled from this buffer. Assuming that the tailroom of the
buffer was already 0, the buffer after the data pointer of the skbuff is
now only total_size - len(fragment_header) large. When the merge function
is then processing the remaining fragments, the code to copy the data over
to the merged skbuff will cause an skb_over_panic when it tries to actually
put enough data to fill the total_size bytes of the packet.

The size of the skb_pull must therefore also be taken into account when the
buffer's tailroom is expanded.

Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/fragmentation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -250,7 +250,7 @@ batadv_frag_merge_packets(struct hlist_h
 	kfree(entry);
 
 	packet = (struct batadv_frag_packet *)skb_out->data;
-	size = ntohs(packet->total_size);
+	size = ntohs(packet->total_size) + hdr_size;
 
 	/* Make room for the rest of the fragments. */
 	if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
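Review bot: the tail expansion passed to pskb_expand_head() is `size - skb_out->len`, and nothing in this hunk guards against that difference being negative when the first fragment is already longer than the advertised total_size plus header. If the queueing code guarantees this cannot happen, say so in a comment here, since this function now trusts a length taken from the packet. The existing comment "Make room for the rest of the fragments" should also mention that hdr_size is added because the fragment header is pulled from the buffer afterwards; otherwise the extra term looks arbitrary.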



* [PATCH 3.16 188/305] batman-adv: Use only queued fragments when merging
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (257 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 254/305] ALSA: usb-audio: Replace probing flag with active refcount Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 151/305] USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub Ben Hutchings
                   ` (46 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marek Lindner, Martin Hundebøll,
	Sven Eckelmann

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 83e8b87721f21b26b843633caca8ef453e943623 upstream.

The fragment queueing code now validates the total_size of each fragment,
checks when enough fragments are queued to allow to merge them into a
single packet and if the fragments have the correct size. Therefore, it is
not required to have any other parameter for the merging function than a
list of queued fragments.

This change should avoid problems like in the past when the different skb
from the list and the function parameter were mixed incorrectly.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Martin Hundebøll <martin@hundeboll.net>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/fragmentation.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -234,19 +234,13 @@ err:
  * Returns the merged skb or NULL on error.
  */
 static struct sk_buff *
-batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb)
+batadv_frag_merge_packets(struct hlist_head *chain)
 {
 	struct batadv_frag_packet *packet;
 	struct batadv_frag_list_entry *entry;
 	struct sk_buff *skb_out = NULL;
 	int size, hdr_size = sizeof(struct batadv_frag_packet);
 
-	/* Make sure incoming skb has non-bogus data. */
-	packet = (struct batadv_frag_packet *)skb->data;
-	size = ntohs(packet->total_size);
-	if (size > batadv_frag_size_limit())
-		goto free;
-
 	/* Remove first entry, as this is the destination for the rest of the
 	 * fragments.
 	 */
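Review bot: the removed `if (size > batadv_frag_size_limit()) goto free;` was the only bound on total_size inside batadv_frag_merge_packets(), so after this hunk the function relies entirely on the queueing code having validated every fragment. A comment at the top of the function stating that precondition would document the trust boundary. Since the `skb` parameter is gone, also check that the kernel-doc block above the function (only its "Returns" line is visible here) no longer lists it.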
@@ -255,6 +249,9 @@ batadv_frag_merge_packets(struct hlist_h
 	skb_out = entry->skb;
 	kfree(entry);
 
+	packet = (struct batadv_frag_packet *)skb_out->data;
+	size = ntohs(packet->total_size);
+
 	/* Make room for the rest of the fragments. */
 	if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
 		kfree_skb(skb_out);
@@ -311,7 +308,7 @@ bool batadv_frag_skb_buffer(struct sk_bu
 	if (hlist_empty(&head))
 		goto out;
 
-	skb_out = batadv_frag_merge_packets(&head, *skb);
+	skb_out = batadv_frag_merge_packets(&head);
 	if (!skb_out)
 		goto out_err;
 



* [PATCH 3.16 164/305] termios, tty/tty_baudrate.c: fix buffer overrun
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 113/305] smb3: do not attempt cifs operation in smb3 query info error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 178/305] can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb Ben Hutchings
                   ` (189 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Gleixner, Eugene Syromiatnikov,
	Al Viro, Richard Henderson, Kate Stewart, Philippe Ombredanne,
	Jiri Slaby, Alan Cox, H. Peter Anvin, Greg Kroah-Hartman,
	Ivan Kokshaysky, Cc: Johan Hovold, Matt Turner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "H. Peter Anvin" <hpa@zytor.com>

commit 991a25194097006ec1e0d2e0814ff920e59e3465 upstream.

On architectures with CBAUDEX == 0 (Alpha and PowerPC), the code in tty_baudrate.c does
not do any limit checking on the tty_baudrate[] array, and in fact a
buffer overrun is possible on both architectures. Add a limit check to
prevent that situation.

This will be followed by a much bigger cleanup/simplification patch.

Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Requested-by: Cc: Johan Hovold <johan@kernel.org>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Eugene Syromiatnikov <esyr@redhat.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/tty_ioctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -327,7 +327,7 @@ speed_t tty_termios_baud_rate(struct kte
 		else
 			cbaud += 15;
 	}
-	return baud_table[cbaud];
+	return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
 }
 EXPORT_SYMBOL(tty_termios_baud_rate);
 
@@ -363,7 +363,7 @@ speed_t tty_termios_input_baud_rate(stru
 		else
 			cbaud += 15;
 	}
-	return baud_table[cbaud];
+	return cbaud >= n_baud_table ? 0 : baud_table[cbaud];
 #else
 	return tty_termios_baud_rate(termios);
 #endif
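Review bot: `cbaud >= n_baud_table ? 0 : baud_table[cbaud]` now appears verbatim in both tty_termios_baud_rate() and tty_termios_input_baud_rate(); a small helper would keep the two from drifting apart until the larger cleanup mentioned in the commit message lands. The check covers only the upper bound, so it is complete only if cbaud is unsigned, and its declaration is outside both hunks. The out-of-range case returns 0 without any diagnostic; a comment on what a 0 speed means to callers would help.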



* [PATCH 3.16 177/305] can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 191/305] libata: Apply NOLPM quirk for SAMSUNG MZMPC128HBFU-000MV SSD Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 215/305] usb: cdc-acm: add entry for Hiro (Conexant) modem Ben Hutchings
                   ` (289 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Marc Kleine-Budde

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream.

If the "struct can_priv::echo_skb" is accessed out of bounds, this would lead
to a kernel crash. Better print a sensible warning message instead and
try to recover.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -426,7 +426,11 @@ struct sk_buff *__can_get_echo_skb(struc
 {
 	struct can_priv *priv = netdev_priv(dev);
 
-	BUG_ON(idx >= priv->echo_skb_max);
+	if (idx >= priv->echo_skb_max) {
+		netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+			   __func__, idx, priv->echo_skb_max);
+		return NULL;
+	}
 
 	if (priv->echo_skb[idx]) {
 		/* Using "struct canfd_frame::len" for the frame
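Review bot: replacing BUG_ON() with `return NULL` adds a new return value on the out-of-bounds path, so every caller of __can_get_echo_skb() has to cope with NULL; none of the callers are touched or shown in this patch, and the commit message should state that they were checked. The netdev_err() is also unthrottled: a driver that keeps passing a bad idx from its completion path would log on every frame, so a rate-limited print is the safer choice here.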



* [PATCH 3.16 181/305] sysv: return 'err' instead of 0 in __sysv_write_inode
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (242 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 098/305] drm/i915: Large page offsets for pread/pwrite Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 144/305] xfrm: Fix bucket count reported to userspace Ben Hutchings
                   ` (61 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, YueHaibing, Al Viro

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit c4b7d1ba7d263b74bb72e9325262a67139605cde upstream.

Fixes gcc '-Wunused-but-set-variable' warning:

fs/sysv/inode.c: In function '__sysv_write_inode':
fs/sysv/inode.c:239:6: warning:
 variable 'err' set but not used [-Wunused-but-set-variable]

__sysv_write_inode should return 'err' instead of 0

Fixes: 05459ca81ac3 ("repair sysv_write_inode(), switch sysv to simple_fsync()")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/sysv/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/sysv/inode.c
+++ b/fs/sysv/inode.c
@@ -275,7 +275,7 @@ static int __sysv_write_inode(struct ino
                 }
         }
 	brelse(bh);
-	return 0;
+	return err;
 }
 
 int sysv_write_inode(struct inode *inode, struct writeback_control *wbc)
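Review bot: `return err;` is only correct if err is initialised to 0 on the path where no synchronous write is attempted. The declaration and the assignment are both outside this hunk, and the gcc warning quoted in the commit message only proves that err is set somewhere, not that it is set on every path. Please confirm the declaration reads `int err = 0;` in the 3.16 tree, otherwise this turns a silently ignored error into a possibly uninitialised return value.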



* [PATCH 3.16 186/305] uio: Fix an Oops on load
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 220/305] drm/ast: change resolution may cause screen blurred Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 258/305] mmc: core: use mrq->sbc when sending CMD23 for RPMB Ben Hutchings
                   ` (300 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Dan Carpenter, Mathias Thore

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.

I was trying to solve a double free but I introduced a more serious
NULL dereference bug.  The problem is that if there is an IRQ which
triggers immediately, then we need "info->uio_dev" but it's not set yet.

This patch puts the original initialization back to how it was and just
sets info->uio_dev to NULL on the error path so it should solve both
the Oops and the double free.

Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails")
Reported-by: Mathias Thore <Mathias.Thore@infinera.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Mathias Thore <Mathias.Thore@infinera.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/uio/uio.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -852,14 +852,17 @@ int __uio_register_device(struct module
 	if (ret)
 		goto err_uio_dev_add_attributes;
 
+	info->uio_dev = idev;
+
 	if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
 		ret = devm_request_irq(idev->dev, info->irq, uio_interrupt,
 				  info->irq_flags, info->name, idev);
-		if (ret)
+		if (ret) {
+			info->uio_dev = NULL;
 			goto err_request_irq;
+		}
 	}
 
-	info->uio_dev = idev;
 	return 0;
 
 err_request_irq:
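Review bot: the ordering of `info->uio_dev = idev;` before devm_request_irq() is the whole fix, yet nothing in the code says so, and the previous patch named in the Fixes tag moved it for what looked like a tidy-up. Add a comment above the assignment noting that the interrupt handler can run as soon as the IRQ is requested and needs info->uio_dev, and that the error branch resets it to NULL to avoid the double free.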



* [PATCH 3.16 180/305] usb: xhci: fix timeout for transition from RExit to U0
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 083/305] btrfs: wait on caching when putting the bg cache Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 063/305] ALSA: usb-audio: update quirk for B&W PX to remove microphone Ben Hutchings
                   ` (167 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Nyman, Aaron Ma, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Ma <aaron.ma@canonical.com>

commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream.

This definition is used by msecs_to_jiffies in milliseconds.
According to the comments, max rexit timeout should be 20ms.
Align with the comments to properly calculate the delay.

Verified on Sunrise Point-LP and Cannon Lake.

Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c | 4 ++--
 drivers/usb/host/xhci.h     | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -666,7 +666,7 @@ static u32 xhci_get_port_status(struct u
 			time_left = wait_for_completion_timeout(
 					&bus_state->rexit_done[wIndex],
 					msecs_to_jiffies(
-						XHCI_MAX_REXIT_TIMEOUT));
+						XHCI_MAX_REXIT_TIMEOUT_MS));
 			spin_lock_irqsave(&xhci->lock, flags);
 
 			if (time_left) {
@@ -680,7 +680,7 @@ static u32 xhci_get_port_status(struct u
 			} else {
 				int port_status = readl(port_array[wIndex]);
 				xhci_warn(xhci, "Port resume took longer than %i msec, port status = 0x%x\n",
-						XHCI_MAX_REXIT_TIMEOUT,
+						XHCI_MAX_REXIT_TIMEOUT_MS,
 						port_status);
 				status |= USB_PORT_STAT_SUSPEND;
 				clear_bit(wIndex, &bus_state->rexit_ports);
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1433,7 +1433,7 @@ struct xhci_bus_state {
  * It can take up to 20 ms to transition from RExit to U0 on the
  * Intel Lynx Point LP xHCI host.
  */
-#define	XHCI_MAX_REXIT_TIMEOUT	(20 * 1000)
+#define	XHCI_MAX_REXIT_TIMEOUT_MS	20
 
 static inline unsigned int hcd_index(struct usb_hcd *hcd)
 {
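Review bot: the define is renamed as well as revalued, so any remaining user of XHCI_MAX_REXIT_TIMEOUT in the 3.16 tree will fail to build; the patch updates the two uses in xhci-hub.c, and a grep of the backport target should confirm there are no others. The comment above the define still mentions only the Intel Lynx Point LP host, while the commit message reports testing on Sunrise Point-LP and Cannon Lake; generalising the comment would match what was verified.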



* [PATCH 3.16 178/305] can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 164/305] termios, tty/tty_baudrate.c: fix buffer overrun Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 099/305] scsi: esp_scsi: Track residual for PIO transfers Ben Hutchings
                   ` (188 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Marc Kleine-Budde

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream.

Prior to echoing a successfully transmitted CAN frame (by calling
can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling
can_put_echo_skb() in the transmit function). These put and get functions
take an index as parameter, which is used to identify the CAN frame.

A driver calling can_get_echo_skb() with an index not pointing to a skb
is a BUG, so add an appropriate error message.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -425,6 +425,8 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
 struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
 {
 	struct can_priv *priv = netdev_priv(dev);
+	struct sk_buff *skb = priv->echo_skb[idx];
+	struct canfd_frame *cf;
 
 	if (idx >= priv->echo_skb_max) {
 		netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
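Review bot: The new initializer "struct sk_buff *skb = priv->echo_skb[idx];" at the top of __can_get_echo_skb() reads the array before the "idx >= priv->echo_skb_max" check that follows it, so an out-of-range idx performs an out-of-bounds read before the function reports the BUG and returns NULL. Declare skb without an initializer and assign it from priv->echo_skb[idx] only after the bounds check has passed.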
@@ -432,21 +434,20 @@ struct sk_buff *__can_get_echo_skb(struc
 		return NULL;
 	}
 
-	if (priv->echo_skb[idx]) {
-		/* Using "struct canfd_frame::len" for the frame
-		 * length is supported on both CAN and CANFD frames.
-		 */
-		struct sk_buff *skb = priv->echo_skb[idx];
-		struct canfd_frame *cf = (struct canfd_frame *)skb->data;
-		u8 len = cf->len;
-
-		*len_ptr = len;
-		priv->echo_skb[idx] = NULL;
-
-		return skb;
+	if (!skb) {
+		netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
+			   __func__, idx);
+		return NULL;
 	}
 
-	return NULL;
+	/* Using "struct canfd_frame::len" for the frame
+	 * length is supported on both CAN and CANFD frames.
+	 */
+	cf = (struct canfd_frame *)skb->data;
+	*len_ptr = cf->len;
+	priv->echo_skb[idx] = NULL;
+
+	return skb;
 }
 
 /*
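Review bot: The new "if (!skb)" branch calls netdev_err() on every invocation with no rate limiting, and a driver that has this bug would reach it each time it tries to echo a transmitted frame, so the message can repeat per frame and flood the log. Consider rate-limiting the message or printing it once per device.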



* [PATCH 3.16 183/305] Drivers: hv: kvp: Fix the recent regression caused by incorrect clean-up
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 066/305] mach64: fix display corruption on big endian machines Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 032/305] media: em28xx: use a default format if TRY_FMT fails Ben Hutchings
                   ` (202 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, K. Y. Srinivasan, Stephen Hemminger,
	Greg Kroah-Hartman, Haiyang Zhang, Dexuan Cui

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit e670de54c813b5bc3672dd1c67871dc60e9206f4 upstream.

In kvp_send_key(), we do need to call process_ib_ipinfo() if
message->kvp_hdr.operation is KVP_OP_GET_IP_INFO, because it turns out
the userland hv_kvp_daemon needs the info of operation, adapter_id and
addr_family. With the incorrect fc62c3b1977d, the host can't get the
VM's IP via KVP.

And, fc62c3b1977d added a "break;", but actually forgot to initialize
the key_size/value in the case of KVP_OP_SET, so the default key_size of
0 is passed to the kvp daemon, and the pool files
/var/lib/hyperv/.kvp_pool_* can't be updated.

This patch effectively rolls back the previous fc62c3b1977d, and
correctly fixes the "this statement may fall through" warnings.

This patch is tested on WS 2012 R2 and 2016.

Fixes: fc62c3b1977d ("Drivers: hv: kvp: Fix two "this statement may fall through" warnings")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hv/hv_kvp.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

--- a/drivers/hv/hv_kvp.c
+++ b/drivers/hv/hv_kvp.c
@@ -326,6 +326,9 @@ static void process_ib_ipinfo(void *in_m
 
 		out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled;
 
+		/* fallthrough */
+
+	case KVP_OP_GET_IP_INFO:
 		utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id,
 				MAX_ADAPTER_ID_SIZE,
 				UTF16_LITTLE_ENDIAN,
@@ -378,7 +381,11 @@ kvp_send_key(struct work_struct *dummy)
 		process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO);
 		break;
 	case KVP_OP_GET_IP_INFO:
-		/* We only need to pass on message->kvp_hdr.operation.  */
+		/*
+		 * We only need to pass on the info of operation, adapter_id
+		 * and addr_family to the userland kvp daemon.
+		 */
+		process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO);
 		break;
 	case KVP_OP_SET:
 		switch (in_msg->body.kvp_set.data.value_type) {
@@ -419,9 +426,9 @@ kvp_send_key(struct work_struct *dummy)
 
 		}
 
-		break;
-
-	case KVP_OP_GET:
+		/*
+		 * The key is always a string - utf16 encoding.
+		 */
 		message->body.kvp_set.data.key_size =
 			utf16s_to_utf8s(
 			(wchar_t *)in_msg->body.kvp_set.data.key,
@@ -429,6 +436,17 @@ kvp_send_key(struct work_struct *dummy)
 			UTF16_LITTLE_ENDIAN,
 			message->body.kvp_set.data.key,
 			HV_KVP_EXCHANGE_MAX_KEY_SIZE - 1) + 1;
+
+		break;
+
+	case KVP_OP_GET:
+		message->body.kvp_get.data.key_size =
+			utf16s_to_utf8s(
+			(wchar_t *)in_msg->body.kvp_get.data.key,
+			in_msg->body.kvp_get.data.key_size,
+			UTF16_LITTLE_ENDIAN,
+			message->body.kvp_get.data.key,
+			HV_KVP_EXCHANGE_MAX_KEY_SIZE - 1) + 1;
 			break;
 
 	case KVP_OP_DELETE:
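Review bot: In the new KVP_OP_GET case the input length handed to utf16s_to_utf8s() is in_msg->body.kvp_get.data.key_size taken as-is from the incoming message, and nothing in this hunk bounds it against the size of the kvp_get.data.key array. If that length is validated elsewhere, a comment saying where would help; otherwise clamp it before the conversion. The "break;" that closes the case is also indented one tab deeper than the other break statements in the switch.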



* [PATCH 3.16 007/305] x86/boot: eboot.c: Include string function declarations
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 302/305] drm/ioctl: Fix Spectre v1 vulnerabilities Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 219/305] iser: set sector for ambiguous mr status errors Ben Hutchings
                   ` (149 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, kbuild test robot

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

The earliest boot code has its own string functions, since it can't
use those included in the main kernel image.  Under some compiler
versions eboot.c fails to include a suitable declaration, resulting in
the warning:

   In file included from arch/x86/boot/compressed/eboot.c:287:0:
   arch/x86/boot/compressed/../../../../drivers/firmware/efi/efi-stub-helper.c: In function 'efi_relocate_kernel':
>> arch/x86/boot/compressed/../../../../drivers/firmware/efi/efi-stub-helper.c:566:2: warning: implicit declaration of function 'memcpy'; did you mean 'memchr'? [-Wimplicit-function-declaration]
     memcpy((void *)new_addr, (void *)cur_image_addr, image_size);
     ^~~~~~
     memchr

Include "../string.h" which provides the correct declarations.  This
was done upstream as part of commit 393f203f5fd5 "x86_64: kasan: add
interceptors for memset/memmove/memcpy functions".

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -13,8 +13,7 @@
 #include <asm/setup.h>
 #include <asm/desc.h>
 
-#undef memcpy			/* Use memcpy from misc.c */
-
+#include "../string.h"
 #include "eboot.h"
 
 static efi_system_table_t *sys_table;
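Review bot: The hunk removes "#undef memcpy" together with its "Use memcpy from misc.c" comment, but the changelog only explains the added #include "../string.h". Add a sentence saying why the #undef is no longer needed once ../string.h is included, so it is clear which memcpy eboot.c ends up using.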



* [PATCH 3.16 184/305] drivers/misc/sgi-gru: fix Spectre v1 vulnerability
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 161/305] mount: Prevent MNT_DETACH from disconnecting locked mounts Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 253/305] ALSA: usb-audio: Avoid nested autoresume calls Ben Hutchings
                   ` (14 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Gustavo A. R. Silva

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit fee05f455ceb5c670cbe48e2f9454ebc4a388554 upstream.

req.gid can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

vers/misc/sgi-gru/grukdump.c:200 gru_dump_chiplet_request() warn:
potential spectre issue 'gru_base' [w]

Fix this by sanitizing req.gid before calling macro GID_TO_GRU, which
uses it to index gru_base.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/sgi-gru/grukdump.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/misc/sgi-gru/grukdump.c
+++ b/drivers/misc/sgi-gru/grukdump.c
@@ -27,6 +27,9 @@
 #include <linux/delay.h>
 #include <linux/bitops.h>
 #include <asm/uv/uv_hub.h>
+
+#include <linux/nospec.h>
+
 #include "gru.h"
 #include "grutables.h"
 #include "gruhandles.h"
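Review bot: The new #include <linux/nospec.h> in grukdump.c is set off by blank lines on both sides, between <asm/uv/uv_hub.h> and the local "gru.h" headers. Placing it with the other <linux/...> includes, after <linux/bitops.h>, would match the existing grouping.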
@@ -198,6 +201,7 @@ int gru_dump_chiplet_request(unsigned lo
 	/* Currently, only dump by gid is implemented */
 	if (req.gid >= gru_max_gids || req.gid < 0)
 		return -EINVAL;
+	req.gid = array_index_nospec(req.gid, gru_max_gids);
 
 	gru = GID_TO_GRU(req.gid);
 	ubuf = req.buf;
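Review bot: The array_index_nospec() clamp in gru_dump_chiplet_request() only works because it sits between the "req.gid >= gru_max_gids || req.gid < 0" check and the GID_TO_GRU(req.gid) lookup, and nothing in the code records that. A one-line comment above the assignment, stating that it must stay directly after the range check and ahead of the first use of req.gid as an index, would keep later edits from separating them.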



* [PATCH 3.16 185/305] misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (300 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 143/305] xtensa: make sure bFLT stack is 16 byte aligned Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 211/305] exportfs: fix 'passing zero to ERR_PTR()' warning Ben Hutchings
                   ` (3 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nathan Chancellor, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit 7c97301285b62a41d6bceded7d964085fc8cc50f upstream.

After building the kernel with Clang, the following section mismatch
warning appears:

WARNING: vmlinux.o(.text+0x3bf19a6): Section mismatch in reference from
the function ssc_probe() to the function
.init.text:atmel_ssc_get_driver_data()
The function ssc_probe() references
the function __init atmel_ssc_get_driver_data().
This is often because ssc_probe lacks a __init
annotation or the annotation of atmel_ssc_get_driver_data is wrong.

Remove __init from atmel_ssc_get_driver_data to get rid of the mismatch.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/atmel-ssc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/atmel-ssc.c
+++ b/drivers/misc/atmel-ssc.c
@@ -116,7 +116,7 @@ static const struct of_device_id atmel_s
 MODULE_DEVICE_TABLE(of, atmel_ssc_dt_ids);
 #endif
 
-static inline const struct atmel_ssc_platform_data * __init
+static inline const struct atmel_ssc_platform_data *
 	atmel_ssc_get_driver_data(struct platform_device *pdev)
 {
 	if (pdev->dev.of_node) {



* [PATCH 3.16 176/305] can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 008/305] s390/timex: fix get_tod_clock_ext() inline assembly Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 218/305] mips: fix mips_get_syscall_arg o32 check Ben Hutchings
                   ` (209 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Marc Kleine-Budde

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream.

This patch replaces the use of "struct can_frame::can_dlc" by "struct
canfd_frame::len" to access the frame's length. As it is ensured that
both structures have a compatible memory layout for this member this is
no functional change. Further, this compatibility is documented in a
comment.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -429,11 +429,14 @@ struct sk_buff *__can_get_echo_skb(struc
 	BUG_ON(idx >= priv->echo_skb_max);
 
 	if (priv->echo_skb[idx]) {
+		/* Using "struct canfd_frame::len" for the frame
+		 * length is supported on both CAN and CANFD frames.
+		 */
 		struct sk_buff *skb = priv->echo_skb[idx];
-		struct can_frame *cf = (struct can_frame *)skb->data;
-		u8 dlc = cf->can_dlc;
+		struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+		u8 len = cf->len;
 
-		*len_ptr = dlc;
+		*len_ptr = len;
 		priv->echo_skb[idx] = NULL;
 
 		return skb;
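Review bot: The added comment in __can_get_echo_skb() says that canfd_frame::len can be used for both CAN and CANFD frames but does not say what guarantees it. Point the comment at the place where can_frame::can_dlc and canfd_frame::len are kept at the same offset, or add a build-time check next to the cast. The temporary "u8 len" is also unnecessary; "*len_ptr = cf->len;" says the same thing.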



* [PATCH 3.16 133/305] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 270/305] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 008/305] s390/timex: fix get_tod_clock_ext() inline assembly Ben Hutchings
                   ` (211 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Joel Becker, Joseph Qi, Linus Torvalds,
	Changkuo Shi, Mark Fasheh, Changwei Ge, Junxiao Bi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Changwei Ge <ge.changwei@h3c.com>

commit 29aa30167a0a2e6045a0d6d2e89d8168132333d5 upstream.

Somehow, file system metadata was corrupted, which causes
ocfs2_check_dir_entry() to fail in function ocfs2_dir_foreach_blk_el().

According to the original design intention, if above happens we should
skip the problematic block and continue to retrieve dir entry.  But
there is obvious misuse of brelse around related code.

After failure of ocfs2_check_dir_entry(), current code just moves to
next position and uses the problematic buffer head again and again
during which the problematic buffer head is released for multiple times.
I suppose, this is a serious issue which is long-lived in ocfs2.  This may
cause other file systems which are also used in the same host insane.

So we should also consider about backporting this patch into linux
-stable.

Link: http://lkml.kernel.org/r/HK2PR06MB045211675B43EED794E597B6D56E0@HK2PR06MB0452.apcprd06.prod.outlook.com
Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
Suggested-by: Changkuo Shi <shi.changkuo@h3c.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ocfs2/dir.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -1906,8 +1906,7 @@ static int ocfs2_dir_foreach_blk_el(stru
 				/* On error, skip the f_pos to the
 				   next block. */
 				ctx->pos = (ctx->pos | (sb->s_blocksize - 1)) + 1;
-				brelse(bh);
-				continue;
+				break;
 			}
 			if (le64_to_cpu(de->inode)) {
 				unsigned char d_type = DT_UNKNOWN;
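Review bot: Replacing "brelse(bh); continue;" with "break;" in ocfs2_dir_foreach_blk_el() changes who releases bh and how the walk resumes, but the comment above it still only says that f_pos is skipped to the next block. Extend that comment to say that the break leaves the per-entry loop without releasing bh here, and where bh is released afterwards, since neither is visible from this hunk.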



* [PATCH 3.16 170/305] mac80211_hwsim: Timer should be initialized before device registered
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 246/305] ALSA: hda: Add support for AMD Stoney Ridge Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 019/305] media: v4l: event: Add subscription to list before calling "add" operation Ben Hutchings
                   ` (157 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johannes Berg, Vasyl Vavrychuk

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>

commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.

Otherwise if network manager starts configuring Wi-Fi interface
immediately after getting notification of its creation, we will get
NULL pointer dereference:

  BUG: unable to handle kernel NULL pointer dereference at           (null)
  IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
  ...
  Call Trace:
   [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
   [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
   [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]

Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mac80211_hwsim.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2153,6 +2153,10 @@ static int mac80211_hwsim_create_radio(i
 		schedule_timeout_interruptible(1);
 	}
 
+	tasklet_hrtimer_init(&data->beacon_timer,
+			     mac80211_hwsim_beacon,
+			     CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
+
 	err = ieee80211_register_hw(hw);
 	if (err < 0) {
 		printk(KERN_DEBUG "mac80211_hwsim: ieee80211_register_hw failed (%d)\n",
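Review bot: The moved tasklet_hrtimer_init() call in mac80211_hwsim_create_radio() carries no comment recording that it has to come before ieee80211_register_hw(). Add a short comment saying that beacon_timer must be initialised before the hw is registered, because mac80211_hwsim_config() can reach hrtimer_cancel() on it as soon as the interface is visible (the trace in the changelog), so the call is not moved back down in a later cleanup.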
@@ -2174,10 +2178,6 @@ static int mac80211_hwsim_create_radio(i
 				    data->debugfs,
 				    data, &hwsim_simulate_radar);
 
-	tasklet_hrtimer_init(&data->beacon_timer,
-			     mac80211_hwsim_beacon,
-			     CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
-
 	spin_lock_bh(&hwsim_radio_lock);
 	list_add_tail(&data->list, &hwsim_radios);
 	spin_unlock_bh(&hwsim_radio_lock);



* [PATCH 3.16 154/305] USB: misc: appledisplay: add 20" Apple Cinema Display
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 017/305] staging: comedi: quatech_daqp_cs: use comedi_timeout() in ao (*insn_write) Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 256/305] media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Ben Hutchings
                   ` (225 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mattias Jacobsson, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mattias Jacobsson <2pi@mok.nu>

commit f6501f49199097b99e4e263644d88c90d1ec1060 upstream.

Add another Apple Cinema Display to the list of supported displays

Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/appledisplay.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -63,6 +63,7 @@ static const struct usb_device_id appled
 	{ APPLEDISPLAY_DEVICE(0x9219) },
 	{ APPLEDISPLAY_DEVICE(0x921c) },
 	{ APPLEDISPLAY_DEVICE(0x921d) },
+	{ APPLEDISPLAY_DEVICE(0x9222) },
 	{ APPLEDISPLAY_DEVICE(0x9236) },
 
 	/* Terminating entry */



* [PATCH 3.16 142/305] sunrpc: correct the computation for page_ptr when truncating
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 258/305] mmc: core: use mrq->sbc when sending CMD23 for RPMB Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 169/305] mac80211_hwsim: Replace bogus hrtimer clockid Ben Hutchings
                   ` (298 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Frank Sorenson, J. Bruce Fields

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Frank Sorenson <sorenson@redhat.com>

commit 5d7a5bcb67c70cbc904057ef52d3fcfeb24420bb upstream.

When truncating the encode buffer, the page_ptr is getting
advanced, causing the next page to be skipped while encoding.
The page is still included in the response, so the response
contains a page of bogus data.

We need to adjust the page_ptr backwards to ensure we encode
the next page into the correct place.

We saw this triggered when concurrent directory modifications caused
nfsd4_encode_direct_fattr() to return nfserr_noent, and the resulting
call to xdr_truncate_encode() corrupted the READDIR reply.

Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/xdr.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -637,11 +637,10 @@ void xdr_truncate_encode(struct xdr_stre
 		/* xdr->iov should already be NULL */
 		return;
 	}
-	if (fraglen) {
+	if (fraglen)
 		xdr->end = head->iov_base + head->iov_len;
-		xdr->page_ptr--;
-	}
 	/* (otherwise assume xdr->end is already set) */
+	xdr->page_ptr--;
 	head->iov_len = len;
 	buf->len = len;
 	xdr->p = head->iov_base + head->iov_len;
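Review bot: With "xdr->page_ptr--" now outside the "if (fraglen)" branch in xdr_truncate_encode(), the existing comment "(otherwise assume xdr->end is already set)" sits between the if and the decrement and reads as if it described the decrement. Move that comment directly under the xdr->end assignment and give the decrement its own comment explaining why page_ptr is stepped back on every pass through this path.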



* [PATCH 3.16 153/305] USB: quirks: Add no-lpm quirk for Raydium touchscreens
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (268 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 216/305] HID: Add quirk for Primax PIXART OEM mice Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 065/305] printk: Fix panic caused by passing log_buf_len to command line Ben Hutchings
                   ` (35 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Kai-Heng Feng

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit deefd24228a172d1b27d4a9adbfd2cdacd60ae64 upstream.

Raydium USB touchscreen fails to set config if LPM is enabled:
[    2.030658] usb 1-8: New USB device found, idVendor=2386, idProduct=3119
[    2.030659] usb 1-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[    2.030660] usb 1-8: Product: Raydium Touch System
[    2.030661] usb 1-8: Manufacturer: Raydium Corporation
[    7.132209] usb 1-8: can't set config #1, error -110

Same behavior can be observed on 2386:3114.

Raydium claims the touchscreen supports LPM under Windows, so I used
Microsoft USB Test Tools (MUTT) [1] to check its LPM status. MUTT shows
that the LPM doesn't work under Windows, either. So let's just disable LPM
for Raydium touchscreens.

[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-test-tools

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -266,6 +266,11 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x2040, 0x7200), .driver_info =
 			USB_QUIRK_CONFIG_INTF_STRINGS },
 
+	/* Raydium Touchscreen */
+	{ USB_DEVICE(0x2386, 0x3114), .driver_info = USB_QUIRK_NO_LPM },
+
+	{ USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* DJI CineSSD */
 	{ USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
 



* [PATCH 3.16 155/305] ext4: fix possible leak of sbi->s_group_desc_leak in error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 072/305] media: cx231xx: fix potential sign-extension overflow on large shift Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 205/305] net/mlx4: Fix UBSAN warning of signed integer overflow Ben Hutchings
                   ` (237 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 9e463084cdb22e0b56b2dfbc50461020409a5fd3 upstream.

Fixes: bfe0a5f47ada ("ext4: add more mount time checks of the superblock")
Reported-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/super.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3980,6 +3980,14 @@ static int ext4_fill_super(struct super_
 	sbi->s_groups_count = blocks_count;
 	sbi->s_blockfile_groups = min_t(ext4_group_t, sbi->s_groups_count,
 			(EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+	if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
+	    le32_to_cpu(es->s_inodes_count)) {
+		ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
+			 le32_to_cpu(es->s_inodes_count),
+			 ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
+		ret = -EINVAL;
+		goto failed_mount;
+	}
 	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
 		   EXT4_DESC_PER_BLOCK(sb);
 	if (EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)) {
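Review bot: The changelog has no body, so the reason the s_inodes_count consistency check is moved up in ext4_fill_super() has to be inferred from the subject line alone. Add a sentence to the description, or a comment above the check, saying which allocation the check has to precede so that its "goto failed_mount" exit does not leak.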
@@ -3999,14 +4007,6 @@ static int ext4_fill_super(struct super_
 		ret = -ENOMEM;
 		goto failed_mount;
 	}
-	if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
-	    le32_to_cpu(es->s_inodes_count)) {
-		ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
-			 le32_to_cpu(es->s_inodes_count),
-			 ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
-		ret = -EINVAL;
-		goto failed_mount;
-	}
 
 	if (ext4_proc_root)
 		sbi->s_proc = proc_mkdir(sb->s_id, ext4_proc_root);



* [PATCH 3.16 138/305] ext4: add missing brelse() update_backups()'s error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 150/305] ext4: avoid possible double brelse() in add_new_gdb() on error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 274/305] scsi: bnx2fc: Fix NULL dereference in error handling Ben Hutchings
                   ` (248 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit ea0abbb648452cdb6e1734b702b6330a7448fcf8 upstream.

Fixes: ac27a0ec112a ("ext4: initial copy of files from ext3")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1093,8 +1093,10 @@ static void update_backups(struct super_
 			   backup_block, backup_block -
 			   ext4_group_first_block_no(sb, group));
 		BUFFER_TRACE(bh, "get_write_access");
-		if ((err = ext4_journal_get_write_access(handle, bh)))
+		if ((err = ext4_journal_get_write_access(handle, bh))) {
+			brelse(bh);
 			break;
+		}
 		lock_buffer(bh);
 		memcpy(bh->b_data, data, size);
 		if (rest)
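Review bot: Now that the error branch after ext4_journal_get_write_access() in update_backups() has braces and two statements, the assignment inside the condition, "if ((err = ...))", is harder to read than it needs to be. Assign err on its own line and test "if (err)". Since the description is empty, it would also help to state in the changelog whether any other exit from this loop leaves bh unreleased.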



* [PATCH 3.16 016/305] staging: comedi: quatech_daqp_cs: fix bug in daqp_ao_insn_write()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 303/305] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 086/305] tun: Consistently configure generic netdev params via rtnetlink Ben Hutchings
                   ` (77 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, H Hartley Sweeten, Ian Abbott

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: H Hartley Sweeten <hsweeten@visionengravers.com>

commit e024181b02ed6b833358bede3f2d0c52cb5fb6bc upstream.

The comedi core expects (*insn_write) functions to write insn->n values
to the hardware and return the number of values written.

Currently, this function only writes the first value. Fix it to work
like the core expects.

Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/quatech_daqp_cs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c
+++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
@@ -640,7 +640,6 @@ static int daqp_ao_insn_write(struct com
 {
 	struct daqp_private *devpriv = dev->private;
 	unsigned int chan = CR_CHAN(insn->chanspec);
-	unsigned int val;
 	int i;
 
 	if (devpriv->stop)
@@ -650,7 +649,8 @@ static int daqp_ao_insn_write(struct com
 	outb(0, dev->iobase + DAQP_AUX);
 
 	for (i = 0; i > insn->n; i++) {
-		val = data[0];
+		unsigned val = data[i];
+
 		val &= 0x0fff;
 		val ^= 0x0800;		/* Flip the sign */
 		val |= (chan << 12);
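
Review bot: the loop header left as context, `for (i = 0; i > insn->n; i++)`, starts at i = 0 and continues only while i is greater than insn->n, so for any non-negative count the body never runs and the switch from data[0] to data[i] has no effect on what reaches the hardware. The condition needs to be `i < insn->n` for the function to write insn->n values as the commit message describes. As a style point, the new declaration uses bare `unsigned` where the line removed in the first hunk used `unsigned int`.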



* [PATCH 3.16 148/305] ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 048/305] iio: adc: at91: fix acking DRDY irq on simple conversions Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 201/305] Btrfs: ensure path name is null terminated at btrfs_control_ioctl Ben Hutchings
                   ` (163 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit db6aee62406d9fbb53315fcddd81f1dc271d49fa upstream.

Fixes: 1c6bd7173d66 ("ext4: convert file system to meta_bg if needed ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -2029,6 +2029,10 @@ retry:
 		n_blocks_count_retry = 0;
 		free_flex_gd(flex_gd);
 		flex_gd = NULL;
+		if (resize_inode) {
+			iput(resize_inode);
+			resize_inode = NULL;
+		}
 		goto retry;
 	}
 
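
Review bot: the commit message has no body, so nothing explains why resize_inode has to be dropped before `goto retry`. A sentence saying where the retry path takes the inode reference again would let a reviewer check the iput() against it, since that code is outside the visible context. The `resize_inode = NULL;` after iput() is presumably there so that a later release of resize_inode does not drop the reference twice, and a short comment to that effect would help.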



* [PATCH 3.16 135/305] ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 073/305] staging: comedi: ni_mio_common: protect register write overflow Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 124/305] um: Drop own definition of PTRACE_SYSEMU/_SINGLESTEP Ben Hutchings
                   ` (240 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vasily Averin, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 9e4028935cca3f9ef9b6a90df9da6f1f94853536 upstream.

Currently bh is set to NULL only during the first iteration of the for cycle,
and this pointer is not cleared after use.
Therefore rollback after errors can lead to an extra brelse(bh) call,
which decrements the bh counter and later triggers an unexpected warning in
__brelse().

The patch moves the brelse() calls into the body of the cycle to remove the
need for a brelse() call in rollback.

Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -588,7 +588,6 @@ handle_bb:
 		bh = bclean(handle, sb, block);
 		if (IS_ERR(bh)) {
 			err = PTR_ERR(bh);
-			bh = NULL;
 			goto out;
 		}
 		overhead = ext4_group_overhead_blocks(sb, group);
@@ -600,9 +599,9 @@ handle_bb:
 		ext4_mark_bitmap_end(group_data[i].blocks_count,
 				     sb->s_blocksize * 8, bh->b_data);
 		err = ext4_handle_dirty_metadata(handle, NULL, bh);
+		brelse(bh);
 		if (err)
 			goto out;
-		brelse(bh);
 
 handle_ib:
 		if (bg_flags[i] & EXT4_BG_INODE_UNINIT)
@@ -617,18 +616,16 @@ handle_ib:
 		bh = bclean(handle, sb, block);
 		if (IS_ERR(bh)) {
 			err = PTR_ERR(bh);
-			bh = NULL;
 			goto out;
 		}
 
 		ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
 				     sb->s_blocksize * 8, bh->b_data);
 		err = ext4_handle_dirty_metadata(handle, NULL, bh);
+		brelse(bh);
 		if (err)
 			goto out;
-		brelse(bh);
 	}
-	bh = NULL;
 
 	/* Mark group tables in block bitmap */
 	for (j = 0; j < GROUP_TABLE_COUNT; j++) {
@@ -659,7 +656,6 @@ handle_ib:
 	}
 
 out:
-	brelse(bh);
 	err2 = ext4_journal_stop(handle);
 	if (err2 && !err)
 		err = err2;
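
Review bot: removing brelse(bh) from the out: label is only safe if every `goto out` is reached with no buffer reference held, and that depends on the earlier hunks of this patch: the IS_ERR(bh) branches now leave an error pointer in bh instead of NULL, and the brelse(bh) calls were moved ahead of the `if (err)` checks. The loop under "Mark group tables in block bitmap" sits between those hunks and this label and is not shown, so it is worth confirming that it has no path to out: with bh still held. Since bh can now carry a stale or error value at out:, narrowing its scope to the loop body would keep a later change from reintroducing a release here.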



* [PATCH 3.16 145/305] Btrfs: fix cur_offset in the error case for nocow
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 125/305] um: Give start_idle_thread() a return code Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 270/305] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() Ben Hutchings
                   ` (213 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Filipe Manana, Robbie Ko

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Robbie Ko <robbieko@synology.com>

commit 506481b20e818db40b6198815904ecd2d6daee64 upstream.

When the cow_file_range fails, the related resources are unlocked
according to the range [start..end), so the unlock cannot be repeated in
run_delalloc_nocow.

In some cases (e.g. cur_offset <= end && cow_start != -1), cur_offset is
not updated correctly, so move the cur_offset update before
cow_file_range.

  kernel BUG at mm/page-writeback.c:2663!
  Internal error: Oops - BUG: 0 [#1] SMP
  CPU: 3 PID: 31525 Comm: kworker/u8:7 Tainted: P O
  Hardware name: Realtek_RTD1296 (DT)
  Workqueue: writeback wb_workfn (flush-btrfs-1)
  task: ffffffc076db3380 ti: ffffffc02e9ac000 task.ti: ffffffc02e9ac000
  PC is at clear_page_dirty_for_io+0x1bc/0x1e8
  LR is at clear_page_dirty_for_io+0x14/0x1e8
  pc : [<ffffffc00033c91c>] lr : [<ffffffc00033c774>] pstate: 40000145
  sp : ffffffc02e9af4f0
  Process kworker/u8:7 (pid: 31525, stack limit = 0xffffffc02e9ac020)
  Call trace:
  [<ffffffc00033c91c>] clear_page_dirty_for_io+0x1bc/0x1e8
  [<ffffffbffc514674>] extent_clear_unlock_delalloc+0x1e4/0x210 [btrfs]
  [<ffffffbffc4fb168>] run_delalloc_nocow+0x3b8/0x948 [btrfs]
  [<ffffffbffc4fb948>] run_delalloc_range+0x250/0x3a8 [btrfs]
  [<ffffffbffc514c0c>] writepage_delalloc.isra.21+0xbc/0x1d8 [btrfs]
  [<ffffffbffc516048>] __extent_writepage+0xe8/0x248 [btrfs]
  [<ffffffbffc51630c>] extent_write_cache_pages.isra.17+0x164/0x378 [btrfs]
  [<ffffffbffc5185a8>] extent_writepages+0x48/0x68 [btrfs]
  [<ffffffbffc4f5828>] btrfs_writepages+0x20/0x30 [btrfs]
  [<ffffffc00033d758>] do_writepages+0x30/0x88
  [<ffffffc0003ba0f4>] __writeback_single_inode+0x34/0x198
  [<ffffffc0003ba6c4>] writeback_sb_inodes+0x184/0x3c0
  [<ffffffc0003ba96c>] __writeback_inodes_wb+0x6c/0xc0
  [<ffffffc0003bac20>] wb_writeback+0x1b8/0x1c0
  [<ffffffc0003bb0f0>] wb_workfn+0x150/0x250
  [<ffffffc0002b0014>] process_one_work+0x1dc/0x388
  [<ffffffc0002b02f0>] worker_thread+0x130/0x500
  [<ffffffc0002b6344>] kthread+0x10c/0x110
  [<ffffffc000284590>] ret_from_fork+0x10/0x40
  Code: d503201f a9025bb5 a90363b7 f90023b9 (d4210000)

Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Robbie Ko <robbieko@synology.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/inode.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -1449,12 +1449,11 @@ out_check:
 	}
 	btrfs_release_path(path);
 
-	if (cur_offset <= end && cow_start == (u64)-1) {
+	if (cur_offset <= end && cow_start == (u64)-1)
 		cow_start = cur_offset;
-		cur_offset = end;
-	}
 
 	if (cow_start != (u64)-1) {
+		cur_offset = end;
 		ret = cow_file_range(inode, locked_page, cow_start, end,
 				     page_started, nr_written, 1);
 		if (ret)
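
Review bot: `cur_offset = end;` now runs before cow_file_range() whenever cow_start is set, which is what the error handling relies on, but nothing at the assignment says so. A one-line comment there stating that cow_file_range() unlocks the range itself on failure, as the commit message explains, would stop the assignment from being moved back under the `cow_start == (u64)-1` check in a later cleanup. The `if (ret)` branch is cut off by the hunk context, so the backport should be checked to confirm that its error path uses cur_offset the same way as upstream.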



* [PATCH 3.16 136/305] ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (236 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 239/305] xtensa: fix coprocessor part of ptrace_{get,set}xregs Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 277/305] aio: fix spectre gadget in lookup_ioctx Ben Hutchings
                   ` (67 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit cea5794122125bf67559906a0762186cf417099c upstream.

Fixes: 33afdcc5402d ("ext4: add a function which sets up group blocks ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -442,16 +442,18 @@ static int set_flexbg_block_bitmap(struc
 
 		BUFFER_TRACE(bh, "get_write_access");
 		err = ext4_journal_get_write_access(handle, bh);
-		if (err)
+		if (err) {
+			brelse(bh);
 			return err;
+		}
 		ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
 			   block - start, count2);
 		ext4_set_bits(bh->b_data, block - start, count2);
 
 		err = ext4_handle_dirty_metadata(handle, NULL, bh);
+		brelse(bh);
 		if (unlikely(err))
 			return err;
-		brelse(bh);
 	}
 
 	return 0;
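
Review bot: the commit message has no description beyond the Fixes tag, so the two changes in this hunk go unexplained: a brelse(bh) added to the ext4_journal_get_write_access() failure branch, and the existing brelse(bh) moved ahead of `if (unlikely(err))` after ext4_handle_dirty_metadata(). One sentence naming both leaking returns would help stable reviewers. The two error checks are also inconsistent, plain `if (err)` in the first and `if (unlikely(err))` in the second.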



* [PATCH 3.16 137/305] ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 273/305] bnx2fc: fix an error code in _bnx2fc_create() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 286/305] xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only Ben Hutchings
                   ` (160 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 61a9c11e5e7a0dab5381afa5d9d4dd5ebf18f7a0 upstream.

Fixes: 01f795f9e0d6 ("ext4: add online resizing support for meta_bg ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -896,6 +896,7 @@ static int add_new_gdb_meta_bg(struct su
 				     sizeof(struct buffer_head *),
 				     GFP_NOFS);
 	if (!n_group_desc) {
+		brelse(gdb_bh);
 		err = -ENOMEM;
 		ext4_warning(sb, "not enough memory for %lu groups",
 			     gdb_num + 1);
@@ -911,8 +912,6 @@ static int add_new_gdb_meta_bg(struct su
 	ext4_kvfree(o_group_desc);
 	BUFFER_TRACE(gdb_bh, "get_write_access");
 	err = ext4_journal_get_write_access(handle, gdb_bh);
-	if (unlikely(err))
-		brelse(gdb_bh);
 	return err;
 }
 
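
Review bot: the second hunk removes the brelse(gdb_bh) that ran when ext4_journal_get_write_access() failed, while the subject line says the patch adds a missing brelse(), and the commit message gives no reason for the removal. If gdb_bh is owned by the new group descriptor array by that point, which the visible context does not show, the message should say so, because otherwise the removal reads as introducing a leak on that path. The brelse(gdb_bh) added in the `!n_group_desc` branch is straightforward.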



* [PATCH 3.16 134/305] memory_hotplug: cond_resched in __remove_pages
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 033/305] media: em28xx: fix input name for Terratec AV 350 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 046/305] fuse: fix blocked_waitq wakeup Ben Hutchings
                   ` (285 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, Michal Hocko, Dan Williams,
	Johannes Thumshirn

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit dd33ad7b251f900481701b2a82d25de583867708 upstream.

We have received a bug report that unbinding a large pmem (>1TB) can
result in a soft lockup:

  NMI watchdog: BUG: soft lockup - CPU#9 stuck for 23s! [ndctl:4365]
  [...]
  Supported: Yes
  CPU: 9 PID: 4365 Comm: ndctl Not tainted 4.12.14-94.40-default #1 SLE12-SP4
  Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.01.00.0833.051120182255 05/11/2018
  task: ffff9cce7d4410c0 task.stack: ffffbe9eb1bc4000
  RIP: 0010:__put_page+0x62/0x80
  Call Trace:
   devm_memremap_pages_release+0x152/0x260
   release_nodes+0x18d/0x1d0
   device_release_driver_internal+0x160/0x210
   unbind_store+0xb3/0xe0
   kernfs_fop_write+0x102/0x180
   __vfs_write+0x26/0x150
   vfs_write+0xad/0x1a0
   SyS_write+0x42/0x90
   do_syscall_64+0x74/0x150
   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
  RIP: 0033:0x7fd13166b3d0

It has been reported on an older (4.12) kernel but the current upstream
code doesn't cond_resched in the hot remove code at all and the given
range to remove might be really large.  Fix the issue by calling
cond_resched once per memory section.

Link: http://lkml.kernel.org/r/20181031125840.23982-1-mhocko@kernel.org
Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Dan Williams <dan.j.williams@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/memory_hotplug.c | 1 +
 1 file changed, 1 insertion(+)

--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -780,6 +780,8 @@ int __remove_pages(struct zone *zone, un
 	sections_to_remove = nr_pages / PAGES_PER_SECTION;
 	for (i = 0; i < sections_to_remove; i++) {
 		unsigned long pfn = phys_start_pfn + i*PAGES_PER_SECTION;
+
+		cond_resched();
 		ret = __remove_section(zone, __pfn_to_section(pfn));
 		if (ret)
 			break;
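
Review bot: the diffstat above reports 1 insertion, but the hunk header `-780,6 +780,8` and the body show two added lines, the blank line after the pfn declaration and cond_resched(), so the diffstat should be regenerated for the backport. A short comment at cond_resched() noting that the range can span many sections, as in the >1TB pmem report in the commit message, would explain why a reschedule point belongs in this loop.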



* [PATCH 3.16 008/305] s390/timex: fix get_tod_clock_ext() inline assembly
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 133/305] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 176/305] can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length Ben Hutchings
                   ` (210 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Chen Gang, Heiko Carstens, Chen Gang,
	Martin Schwidefsky

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Gang <gang.chen@sunrus.com.cn>

commit e38f97813302065fbc9c9eab5c1a94dc021d71e2 upstream.

In C, an array parameter is treated as a pointer, so sizeof for an
array parameter is equal to sizeof for a pointer, which causes a compiler
warning (with allmodconfig by gcc 5):

  ./arch/s390/include/asm/timex.h: In function 'get_tod_clock_ext':
  ./arch/s390/include/asm/timex.h:76:32: warning: 'sizeof' on array function parameter 'clk' will return size of 'char *' [-Wsizeof-array-argument]
    typedef struct { char _[sizeof(clk)]; } addrtype;
                                  ^
Can use macro CLOCK_STORE_SIZE instead of all related hard-coded numbers,
which also avoids this warning. Also add a tab to the CLOCK_TICK_RATE
definition to match coding style.

[heiko.carstens@de.ibm.com]:
Chen's patch actually fixes a bug within the get_tod_clock_ext() inline assembly
where we incorrectly tell the compiler that only 8 bytes of memory get changed
instead of 16 bytes.
This would allow gcc to generate incorrect code. Right now this doesn't seem to
be the case.
Also slightly changed the patch a bit.
- renamed CLOCK_STORE_SIZE to STORE_CLOCK_EXT_SIZE
- changed get_tod_clock_ext() to receive a char pointer parameter

Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/hypfs/hypfs_vm.c    |  2 +-
 arch/s390/include/asm/timex.h | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

--- a/arch/s390/hypfs/hypfs_vm.c
+++ b/arch/s390/hypfs/hypfs_vm.c
@@ -231,7 +231,7 @@ failed:
 struct dbfs_d2fc_hdr {
 	u64	len;		/* Length of d2fc buffer without header */
 	u16	version;	/* Version of header */
-	char	tod_ext[16];	/* TOD clock for d2fc */
+	char	tod_ext[STORE_CLOCK_EXT_SIZE]; /* TOD clock for d2fc */
 	u64	count;		/* Number of VM guests in d2fc buffer */
 	char	reserved[30];
 } __attribute__ ((packed));
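
Review bot: tod_ext sits in the middle of a packed header, so its length fixes the offsets of count and reserved. Sizing it with STORE_CLOCK_EXT_SIZE means a later change to that macro would silently change the layout of struct dbfs_d2fc_hdr. If the layout is meant to stay fixed, a BUILD_BUG_ON on the structure size or a comment at the macro definition would record that.
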
--- a/arch/s390/include/asm/timex.h
+++ b/arch/s390/include/asm/timex.h
@@ -67,20 +67,22 @@ static inline void local_tick_enable(uns
 	set_clock_comparator(S390_lowcore.clock_comparator);
 }
 
-#define CLOCK_TICK_RATE	1193180 /* Underlying HZ */
+#define CLOCK_TICK_RATE		1193180 /* Underlying HZ */
+#define STORE_CLOCK_EXT_SIZE	16	/* stcke writes 16 bytes */
 
 typedef unsigned long long cycles_t;
 
-static inline void get_tod_clock_ext(char clk[16])
+static inline void get_tod_clock_ext(char *clk)
 {
-	typedef struct { char _[sizeof(clk)]; } addrtype;
+	typedef struct { char _[STORE_CLOCK_EXT_SIZE]; } addrtype;
 
 	asm volatile("stcke %0" : "=Q" (*(addrtype *) clk) : : "cc");
 }
 
 static inline unsigned long long get_tod_clock(void)
 {
-	unsigned char clk[16];
+	unsigned char clk[STORE_CLOCK_EXT_SIZE];
+
 	get_tod_clock_ext(clk);
 	return *((unsigned long long *)&clk[1]);
 }
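
Review bot: get_tod_clock_ext() now takes `char *clk`, but get_tod_clock() in the same hunk still passes `unsigned char clk[STORE_CLOCK_EXT_SIZE]`, so the call differs in pointer signedness; making the two declarations agree would avoid that. With the parameter no longer written as `char clk[16]`, the signature also stops telling callers that the buffer must be STORE_CLOCK_EXT_SIZE bytes. That matters because the `"=Q"` operand tells the compiler that many bytes are written, so a comment on the function should state the requirement.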



* [PATCH 3.16 128/305] Cramfs: fix abad comparison when wrap-arounds occur
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 049/305] iio: adc: at91: fix wrong channel number in triggered buffer mode Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 025/305] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Ben Hutchings
                   ` (259 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nicolas Pitre, Nicolas Pitre, Anatoly Trosinenko

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Pitre <nicolas.pitre@linaro.org>

commit 672ca9dd13f1aca0c17516f76fc5b0e8344b3e46 upstream.

It is possible for corrupted filesystem images to produce very large
block offsets that may wrap when a length is added, and wrongly pass
the buffer size test.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cramfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -183,7 +183,8 @@ static void *cramfs_read(struct super_bl
 			continue;
 		blk_offset = (blocknr - buffer_blocknr[i]) << PAGE_CACHE_SHIFT;
 		blk_offset += offset;
-		if (blk_offset + len > BUFFER_SIZE)
+		if (blk_offset > BUFFER_SIZE ||
+		    blk_offset + len > BUFFER_SIZE)
 			continue;
 		return read_buffers[i] + blk_offset;
 	}
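
Review bot: the added `blk_offset > BUFFER_SIZE` test rejects a blk_offset that is already too large, but the second operand still computes `blk_offset + len`, which can wrap on its own if len is large enough. Writing the bound as a subtraction, for example `blk_offset > BUFFER_SIZE || len > BUFFER_SIZE - blk_offset`, leaves no addition to wrap and covers both cases. The types of blk_offset and len are outside the visible context, so whether len can in practice be that large should be confirmed against the callers of cramfs_read().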



* [PATCH 3.16 017/305] staging: comedi: quatech_daqp_cs: use comedi_timeout() in ao (*insn_write)
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 304/305] ipv6: tunnels: fix two use-after-free Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 154/305] USB: misc: appledisplay: add 20" Apple Cinema Display Ben Hutchings
                   ` (226 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, H Hartley Sweeten, Ian Abbott

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: H Hartley Sweeten <hsweeten@visionengravers.com>

commit e031642eccc040648b09cfc7d632e2e8d0b6f94f upstream.

The data link between the D/A data port and the D/A converter is a serial
link. The serial link requires about 8ms to complete a transfer. Use the
comedi_timeout() helper to ensure that there is not a previous transfer
still happening before trying to write new data to the channel.

Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ija: Backported to 3.16: No 'readback' member in subdevice.]
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../staging/comedi/drivers/quatech_daqp_cs.c  | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c
+++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
@@ -633,6 +633,19 @@ static int daqp_ai_cmd(struct comedi_dev
 	return 0;
 }
 
+static int daqp_ao_empty(struct comedi_device *dev,
+			 struct comedi_subdevice *s,
+			 struct comedi_insn *insn,
+			 unsigned long context)
+{
+	unsigned int status;
+
+	status = inb(dev->iobase + DAQP_AUX);
+	if ((status & DAQP_AUX_DA_BUFFER) == 0)
+		return 0;
+	return -EBUSY;
+}
+
 static int daqp_ao_insn_write(struct comedi_device *dev,
 			      struct comedi_subdevice *s,
 			      struct comedi_insn *insn,
@@ -650,6 +663,12 @@ static int daqp_ao_insn_write(struct com
 
 	for (i = 0; i > insn->n; i++) {
 		unsigned val = data[i];
+		int ret;
+
+		/* D/A transfer rate is about 8ms */
+		ret = comedi_timeout(dev, s, insn, daqp_ao_empty, 0);
+		if (ret)
+			return ret;
 
 		val &= 0x0fff;
 		val ^= 0x0800;		/* Flip the sign */
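
Review bot: the `return ret;` added inside the loop exits on a timeout without accounting for values already written in earlier iterations, so a caller cannot tell a failure on the first value from one partway through a multi-value write. Either the partial count should be handled or the commit message should say the behaviour is intended. The comment `/* D/A transfer rate is about 8ms */` gives the hardware timing but not the limit comedi_timeout() applies, so it does not show that the wait is long enough. The loop header in the context still reads `i > insn->n`, and that condition decides whether the new wait is ever reached.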



* [PATCH 3.16 087/305] jffs2: free jffs2_sb_info through jffs2_kill_sb()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (276 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 233/305] USB: usb-storage: Add new IDs to ums-realtek Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 283/305] scsi: sd: use mempool for discard special page Ben Hutchings
                   ` (27 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Boris Brezillon, Richard Weinberger, Hou Tao

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hou Tao <houtao1@huawei.com>

commit 92e2921f7eee63450a5f953f4b15dc6210219430 upstream.

When an invalid mount option is passed to jffs2, jffs2_parse_options()
will fail and jffs2_sb_info will be freed, but then jffs2_sb_info will
be used (use-after-free) and freed (double-free) in jffs2_kill_sb().

Fix it by removing the buggy invocation of kfree() when getting invalid
mount options.

Fixes: 92abc475d8de ("jffs2: implement mount option parsing and compression overriding")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Reviewed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/jffs2/super.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -285,10 +285,8 @@ static int jffs2_fill_super(struct super
 	sb->s_fs_info = c;
 
 	ret = jffs2_parse_options(c, data);
-	if (ret) {
-		kfree(c);
+	if (ret)
 		return -EINVAL;
-	}
 
 	/* Initialize JFFS2 superblock locks, the further initialization will
 	 * be done later */
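
Review bot: with the kfree(c) gone, the failure branch still returns a hard-coded -EINVAL and discards the value in ret from jffs2_parse_options(); `return ret;` would preserve the parser's own error code. Since c has already been stored in sb->s_fs_info just above, a comment on this branch saying that jffs2_kill_sb() frees it would keep a kfree() from being added back here.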



* [PATCH 3.16 086/305] tun: Consistently configure generic netdev params via rtnetlink
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 016/305] staging: comedi: quatech_daqp_cs: fix bug in daqp_ao_insn_write() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 070/305] mtd: spi-nor: fsl-quadspi: fix api naming typo _init_ahb_read Ben Hutchings
                   ` (76 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Serhey Popovych

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Serhey Popovych <serhe.popovych@gmail.com>

commit df52eab23d703142c766ac00bdb8db19d71238d0 upstream.

Configuring generic network device parameters on tun will fail in the
presence of the IFLA_INFO_KIND attribute in the IFLA_LINKINFO nested attribute
since tun_validate() always returns failure.

This can be visualized with the following ip-link(8) command sequences:

  # ip link set dev tun0 group 100
  # ip link set dev tun0 group 100 type tun
  RTNETLINK answers: Invalid argument

in contrast to the dummy and veth drivers:

  # ip link set dev dummy0 group 100
  # ip link set dev dummy0 type dummy

  # ip link set dev veth0 group 100
  # ip link set dev veth0 group 100 type veth

Fix by returning zero in tun_validate() when @data is NULL, which is
always the case since rtnl_link_ops->maxtype is zero in the tun driver.

Fixes: f019a7a594d9 ("tun: Implement ip link del tunXXX")
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/tun.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1415,6 +1415,8 @@ static void tun_setup(struct net_device
  */
 static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
 {
+	if (!data)
+		return 0;
 	return -EINVAL;
 }
 
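
Review bot: the comment block that ends just above tun_validate() is not touched by this hunk, and if it describes the function as always failing it is now out of date, since the function returns 0 when data is NULL. It should be updated in the same patch. The tb argument remains unused, and the reason a NULL data is the normal case (rtnl_link_ops->maxtype is zero, per the commit message) deserves a one-line comment next to the new check.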



* [PATCH 3.16 109/305] llc: do not use sk_eat_skb()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 157/305] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 041/305] usb: chipidea: Prevent unbalanced IRQ disable Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 220/305] drm/ast: change resolution may cause screen blurred Ben Hutchings
                   ` (302 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, David S. Miller, syzbot

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream.

syzkaller triggered a use-after-free [1], caused by a combination of
skb_get() in llc_conn_state_process() and usage of sk_eat_skb()

sk_eat_skb() is assuming the skb about to be freed is only used by
the current thread. TCP/DCCP stacks enforce this because current
thread holds the socket lock.

llc_conn_state_process() wants to make sure skb does not disappear,
and holds a reference on the skb it manipulates. But as soon as this
skb is added to socket receive queue, another thread can consume it.

This means that llc must use regular skb_unlink() and kfree_skb()
so that both producer and consumer can safely work on the same skb.

[1]
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655
Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18

CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 skb_unref include/linux/skbuff.h:967 [inline]
 kfree_skb+0xb7/0x580 net/core/skbuff.c:655
 llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224
 llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297
 llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438
 llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
 process_backlog+0x218/0x6f0 net/core/dev.c:5829
 napi_poll net/core/dev.c:6249 [inline]
 net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
 __do_softirq+0x30c/0xb03 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
 smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
 kthread+0x35a/0x420 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413

Allocated by task 18:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
 __alloc_skb+0x119/0x770 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:995 [inline]
 llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54
 llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline]
 llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111
 llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
 process_backlog+0x218/0x6f0 net/core/dev.c:5829
 napi_poll net/core/dev.c:6249 [inline]
 net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
 __do_softirq+0x30c/0xb03 kernel/softirq.c:292

Freed by task 16383:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3756
 kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
 __kfree_skb+0x1d/0x20 net/core/skbuff.c:642
 sk_eat_skb include/net/sock.h:2366 [inline]
 llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg+0xd0/0x110 net/socket.c:801
 ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278
 __sys_recvmmsg+0x303/0xb90 net/socket.c:2390
 do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466
 __do_sys_recvmmsg net/socket.c:2484 [inline]
 __se_sys_recvmmsg net/socket.c:2480 [inline]
 __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d1f6fac0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 228 bytes inside of
 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8)
The buggy address belongs to the page:
page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680
raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - sk_eat_skb() takes a third parameter here
 - Adjust indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/llc/af_llc.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -723,7 +723,6 @@ static int llc_ui_recvmsg(struct kiocb *
 	struct sk_buff *skb = NULL;
 	struct sock *sk = sock->sk;
 	struct llc_sock *llc = llc_sk(sk);
-	unsigned long cpu_flags;
 	size_t copied = 0;
 	u32 peek_seq = 0;
 	u32 *seq, skb_len;
@@ -849,9 +848,8 @@ static int llc_ui_recvmsg(struct kiocb *
 			goto copy_uaddr;
 
 		if (!(flags & MSG_PEEK)) {
-			spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
-			sk_eat_skb(sk, skb, false);
-			spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
+			skb_unlink(skb, &sk->sk_receive_queue);
+			kfree_skb(skb);
 			*seq = 0;
 		}
 
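Review bot: the skb_unlink()/kfree_skb() pair inside the first `if (!(flags & MSG_PEEK))` block needs a short comment saying why sk_eat_skb() is not used here. The KASAN report in the changelog shows sk_eat_skb() inlined into __kfree_skb(), which freed the buffer outright, while llc_sap_state_process() still reads the reference count through kfree_skb(); the new code depends on kfree_skb() dropping a reference instead. Without that comment a later cleanup could plausibly switch back to sk_eat_skb().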
@@ -872,10 +870,9 @@ copy_uaddr:
 		llc_cmsg_rcv(msg, skb);
 
 	if (!(flags & MSG_PEEK)) {
-			spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
-			sk_eat_skb(sk, skb, false);
-			spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
-			*seq = 0;
+		skb_unlink(skb, &sk->sk_receive_queue);
+		kfree_skb(skb);
+		*seq = 0;
 	}
 
 	goto out;
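Review bot: the block after copy_uaddr is now a line-for-line copy of the one in the previous hunk (skb_unlink(), kfree_skb(), `*seq = 0`), and the over-indented lines removed here show the two copies had already drifted once. A small static helper taking sk and skb would keep both exits identical. For a stable backport that is better raised upstream than changed in this series.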



* [PATCH 3.16 112/305] smb3: allow stats which track session and share reconnects to be reset
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (297 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 023/305] ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 248/305] dmaengine: at_hdmac: fix module unloading Ben Hutchings
                   ` (6 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Aurelien Aptel, Steve French

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream.

Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats
except the session and share reconnect counts.  Fix it to
reset those as well.

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifs_debug.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/cifs/cifs_debug.c
+++ b/fs/cifs/cifs_debug.c
@@ -383,6 +383,9 @@ static int cifs_stats_proc_show(struct s
 				if (server->ops->print_stats)
 					server->ops->print_stats(m, tcon);
 			}
+		atomic_set(&tcpSesReconnectCount, 0);
+		atomic_set(&tconInfoReconnectCount, 0);
+
 		}
 	}
 	spin_unlock(&cifs_tcp_ses_lock);
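Review bot: the two atomic_set() calls appear to have landed in the wrong function. The hunk header names cifs_stats_proc_show() and the surrounding context is the print_stats() loop, so the reconnect counters would be zeroed while the stats are being read, whereas the changelog describes resetting them on "echo 0 > /proc/fs/cifs/Stats", which is the write side. As placed, the calls also sit inside the nested list walk under cifs_tcp_ses_lock, so they would run once per inner iteration, and their indentation does not match the braces around them. Please check this against the upstream commit and move the resets to the write handler next to the other counter resets.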



* [PATCH 3.16 116/305] thermal: rcar_thermal: Prevent doing work after unbind
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 257/305] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 120/305] net: sched: gred: pass the right attribute to gred_change_table_def() Ben Hutchings
                   ` (263 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Eduardo Valentin,
	Niklas Söderlund

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 697ee786f15d7b65c7f3045d45fe3a05d28e0911 upstream.

When testing bind/unbind on r8a7791/koelsch:

    WARNING: CPU: 1 PID: 697 at lib/debugobjects.c:329 debug_print_object+0x8c/0xb4
    ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x10

This happens if the workqueue runs after the device has been unbound.
Fix this by cancelling any queued work during remove.

Fixes: e0a5172e9eec7f0d ("thermal: rcar: add interrupt support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/thermal/rcar_thermal.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/thermal/rcar_thermal.c
+++ b/drivers/thermal/rcar_thermal.c
@@ -464,6 +464,7 @@ error_unregister:
 	rcar_thermal_for_each_priv(priv, common) {
 		if (rcar_has_irq_support(priv))
 			rcar_thermal_irq_disable(priv);
+		cancel_delayed_work_sync(&priv->work);
 		thermal_zone_device_unregister(priv->zone);
 	}
 
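Review bot: the hunk header shows this loop sitting under the error_unregister: label, which reads like an unwind path, while the changelog says the work is cancelled during remove. Please confirm the backport applied to the loop in the remove path, and check whether any other teardown loop of this shape needs the same cancel_delayed_work_sync() call. Placing the cancel after rcar_thermal_irq_disable() and before thermal_zone_device_unregister() looks deliberate; a one-line comment on that ordering would help.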



* [PATCH 3.16 081/305] spi: sh-msiof: fix deferred probing
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 192/305] libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 061/305] x86, hibernate: Fix nosave_regions setup for hibernation Ben Hutchings
                   ` (139 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Sergei Shtylyov, Mark Brown

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit f34c6e6257aa477cdfe7e9bbbecd3c5648ecda69 upstream.

Since commit 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
platform_get_irq() can return -EPROBE_DEFER. However, the driver overrides
an error returned by that function with -ENOENT which breaks the deferred
probing. Propagate upstream an error code returned by platform_get_irq()
and remove the bogus "platform" from the error message, while at it...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-sh-msiof.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-sh-msiof.c
+++ b/drivers/spi/spi-sh-msiof.c
@@ -766,8 +766,8 @@ static int sh_msiof_spi_probe(struct pla
 
 	i = platform_get_irq(pdev, 0);
 	if (i < 0) {
-		dev_err(&pdev->dev, "cannot get platform IRQ\n");
-		ret = -ENOENT;
+		dev_err(&pdev->dev, "cannot get IRQ\n");
+		ret = i;
 		goto err1;
 	}
 
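Review bot: with `ret = i` the `if (i < 0)` branch now also handles -EPROBE_DEFER, but dev_err() still fires unconditionally, so every deferred probe attempt logs "cannot get IRQ" at error level. Consider skipping the message when `i == -EPROBE_DEFER`, so that a normal deferral does not look like a failure in the log.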



* [PATCH 3.16 082/305] btrfs: fix error handling in btrfs_dev_replace_start
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (175 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 210/305] drm/ast: Remove existing framebuffers before loading driver Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 044/305] net: phy: Stop with excessive soft reset Ben Hutchings
                   ` (128 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David Sterba, Jeff Mahoney

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit 5c06147128fbbdf7a84232c5f0d808f53153defe upstream.

When we fail to start a transaction in btrfs_dev_replace_start, we leave
dev_replace->replace_start set to STARTED but clear ->srcdev and
->tgtdev.  Later, that can result in an Oops in
btrfs_dev_replace_progress when having state set to STARTED or SUSPENDED
implies that ->srcdev is valid.

Also fix error handling when the state is already STARTED or SUSPENDED
while starting.  That, too, will clear ->srcdev and ->tgtdev even though
it doesn't own them.  This should be an impossible case to hit since we
should be protected by the BTRFS_FS_EXCL_OP bit being set.  Let's add an
ASSERT there while we're at it.

Fixes: e93c89c1aaaaa (Btrfs: add new sources for device replace code)
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/dev-replace.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/btrfs/dev-replace.c
+++ b/fs/btrfs/dev-replace.c
@@ -362,6 +362,7 @@ int btrfs_dev_replace_start(struct btrfs
 		break;
 	case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED:
 	case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED:
+		ASSERT(0);
 		args->result = BTRFS_IOCTL_DEV_REPLACE_RESULT_ALREADY_STARTED;
 		goto leave;
 	}
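Review bot: ASSERT(0) in the STARTED/SUSPENDED case is followed by two lines that already handle the situation gracefully (set ALREADY_STARTED, goto leave). On assertion-enabled builds the kernel stops there with the dev_replace lock still held, and on other builds the assertion is silent. A WARN_ON(1) would report the broken invariant in both configurations and still let the existing return path run. Either way, add a comment naming the exclusion the changelog relies on, since nothing in this function shows why the case is unreachable.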
@@ -406,6 +407,10 @@ int btrfs_dev_replace_start(struct btrfs
 	if (IS_ERR(trans)) {
 		ret = PTR_ERR(trans);
 		btrfs_dev_replace_lock(dev_replace);
+		dev_replace->replace_state =
+			BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED;
+		dev_replace->srcdev = NULL;
+		dev_replace->tgtdev = NULL;
 		goto leave;
 	}
 
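Review bot: the IS_ERR(trans) path resets replace_state unconditionally to BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED. The `break;` ahead of the STARTED/SUSPENDED cases in the first hunk indicates that more than one earlier state can reach this point; if that is so, a failed start after a previously finished or cancelled replace would now be reported as never started. Saving the state on entry and restoring it here would avoid that, or a comment should say why NEVER_STARTED is always correct.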
@@ -423,8 +428,6 @@ int btrfs_dev_replace_start(struct btrfs
 	return 0;
 
 leave:
-	dev_replace->srcdev = NULL;
-	dev_replace->tgtdev = NULL;
 	btrfs_dev_replace_unlock(dev_replace);
 leave_no_lock:
 	if (tgt_device)
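Review bot: removing the two NULL assignments from under `leave:` moves the cleanup duty to each `goto leave` site. The two sites visible in this patch are covered (the already-started case intentionally leaves the pointers alone, the transaction-failure case clears them), but please confirm there is no other jump to `leave:` in the function that runs after ->srcdev and ->tgtdev have been set, because such a path would now exit with both pointers still populated.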



* [PATCH 3.16 083/305] btrfs: wait on caching when putting the bg cache
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 217/305] ACPI / platform: Add SMB0001 HID to forbidden_id_list Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 180/305] usb: xhci: fix timeout for transition from RExit to U0 Ben Hutchings
                   ` (168 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Josef Bacik, Omar Sandoval

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <josef@toxicpanda.com>

commit 3aa7c7a31c26321696b92841d5103461c6f3f517 upstream.

While testing my backport I noticed there was a panic if I ran
generic/416 generic/417 generic/418 all in a row.  This just happened to
uncover a race where we had outstanding IO after we destroy all of our
workqueues, and then we'd go to queue the endio work on those free'd
workqueues.

This is because we aren't waiting for the caching threads to be done
before freeing everything up, so to fix this make sure we wait on any
outstanding caching that's being done before we free up the block group,
so we're sure to be done with all IO by the time we get to
btrfs_stop_all_workers().  This fixes the panic I was seeing
consistently in testing.

------------[ cut here ]------------
kernel BUG at fs/btrfs/volumes.c:6112!
SMP PTI
Modules linked in:
CPU: 1 PID: 27165 Comm: kworker/u4:7 Not tainted 4.16.0-02155-g3553e54a578d-dirty #875
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: btrfs-cache btrfs_cache_helper
RIP: 0010:btrfs_map_bio+0x346/0x370
RSP: 0000:ffffc900061e79d0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff880071542e00 RCX: 0000000000533000
RDX: ffff88006bb74380 RSI: 0000000000000008 RDI: ffff880078160000
RBP: 0000000000000001 R08: ffff8800781cd200 R09: 0000000000503000
R10: ffff88006cd21200 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8800781cd200 R15: ffff880071542e00
FS:  0000000000000000(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000817ffc4 CR3: 0000000078314000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 btree_submit_bio_hook+0x8a/0xd0
 submit_one_bio+0x5d/0x80
 read_extent_buffer_pages+0x18a/0x320
 btree_read_extent_buffer_pages+0xbc/0x200
 ? alloc_extent_buffer+0x359/0x3e0
 read_tree_block+0x3d/0x60
 read_block_for_search.isra.30+0x1a5/0x360
 btrfs_search_slot+0x41b/0xa10
 btrfs_next_old_leaf+0x212/0x470
 caching_thread+0x323/0x490
 normal_work_helper+0xc5/0x310
 process_one_work+0x141/0x340
 worker_thread+0x44/0x3c0
 kthread+0xf8/0x130
 ? process_one_work+0x340/0x340
 ? kthread_bind+0x10/0x10
 ret_from_fork+0x35/0x40
RIP: btrfs_map_bio+0x346/0x370 RSP: ffffc900061e79d0
---[ end trace 827eb13e50846033 ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/extent-tree.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -8590,6 +8590,7 @@ void btrfs_put_block_group_cache(struct
 
 		block_group = btrfs_lookup_first_block_group(info, last);
 		while (block_group) {
+			wait_block_group_cache_done(block_group);
 			spin_lock(&block_group->lock);
 			if (block_group->iref)
 				break;
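Review bot: the new wait_block_group_cache_done() call at the top of the `while (block_group)` body has no comment, and the reason for it is not obvious from this function: per the changelog it exists so that caching IO has finished before btrfs_stop_all_workers() runs. Please add a comment saying so, and note that the call has to stay ahead of spin_lock(&block_group->lock) because it waits. That makes it less likely to be moved under the lock or dropped as redundant later.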



* [PATCH 3.16 088/305] IB/{cm, umad}: Handle av init error
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 167/305] ARM: OMAP1: ams-delta: Fix possible use of uninitialized field Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 284/305] vhost: make sure used idx is seen before log in vhost_add_used_n() Ben Hutchings
                   ` (118 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jason Gunthorpe, Leon Romanovsky,
	Parav Pandit, Daniel Jurgens

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Parav Pandit <parav@mellanox.com>

commit 0c4386ec77cfcd0ccbdbe8c2e67dd3a49b2a4c7f upstream.

cm_init_av_for_response depends on ib_init_ah_from_wc() whose return
status is ignored.
ib_init_ah_from_wc() can fail and its return status should be handled as
done in this patch.

Signed-off-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/cm.c       | 34 ++++++++++++++++++------------
 drivers/infiniband/core/user_mad.c | 10 ++++++---
 2 files changed, 28 insertions(+), 16 deletions(-)

--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -380,13 +380,13 @@ static void cm_set_private_data(struct c
 	cm_id_priv->private_data_len = private_data_len;
 }
 
-static void cm_init_av_for_response(struct cm_port *port, struct ib_wc *wc,
-				    struct ib_grh *grh, struct cm_av *av)
+static int cm_init_av_for_response(struct cm_port *port, struct ib_wc *wc,
+				   struct ib_grh *grh, struct cm_av *av)
 {
 	av->port = port;
 	av->pkey_index = wc->pkey_index;
-	ib_init_ah_from_wc(port->cm_dev->ib_device, port->port_num, wc,
-			   grh, &av->ah_attr);
+	return ib_init_ah_from_wc(port->cm_dev->ib_device, port->port_num, wc,
+				  grh, &av->ah_attr);
 }
 
 static int cm_init_av_by_path(struct ib_sa_path_rec *path, struct cm_av *av,
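Review bot: now that cm_init_av_for_response() returns the status of ib_init_ah_from_wc(), consider marking it __must_check. The bug being fixed is that callers ignored this failure, and the annotation would make the compiler flag any future caller that does so again.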
@@ -1601,9 +1601,11 @@ static int cm_req_handler(struct cm_work
 
 	cm_id_priv = container_of(cm_id, struct cm_id_private, id);
 	cm_id_priv->id.remote_id = req_msg->local_comm_id;
-	cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
-				work->mad_recv_wc->recv_buf.grh,
-				&cm_id_priv->av);
+	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
+				      work->mad_recv_wc->recv_buf.grh,
+				      &cm_id_priv->av);
+	if (ret)
+		goto destroy;
 	cm_id_priv->timewait_info = cm_create_timewait_info(cm_id_priv->
 							    id.local_id);
 	if (IS_ERR(cm_id_priv->timewait_info)) {
@@ -2807,9 +2809,11 @@ static int cm_lap_handler(struct cm_work
 
 	cm_id_priv->id.lap_state = IB_CM_LAP_RCVD;
 	cm_id_priv->tid = lap_msg->hdr.tid;
-	cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
-				work->mad_recv_wc->recv_buf.grh,
-				&cm_id_priv->av);
+	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
+				      work->mad_recv_wc->recv_buf.grh,
+				      &cm_id_priv->av);
+	if (ret)
+		goto unlock;
 	cm_init_av_by_path(param->alternate_path, &cm_id_priv->alt_av,
 			   cm_id_priv);
 	ret = atomic_inc_and_test(&cm_id_priv->work_count);
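Review bot: in cm_lap_handler() the new `goto unlock` is taken after `cm_id_priv->id.lap_state = IB_CM_LAP_RCVD` and the tid update in the two context lines just above, so a failure of cm_init_av_for_response() leaves the connection marked as having received a LAP that was never processed. Either do the fallible initialisation before changing lap_state and tid, or undo both on the error path.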
@@ -3060,6 +3064,7 @@ static int cm_sidr_req_handler(struct cm
 	struct cm_id_private *cm_id_priv, *cur_cm_id_priv;
 	struct cm_sidr_req_msg *sidr_req_msg;
 	struct ib_wc *wc;
+	int ret;
 
 	cm_id = ib_create_cm_id(work->port->cm_dev->ib_device, NULL, NULL);
 	if (IS_ERR(cm_id))
@@ -3072,9 +3077,12 @@ static int cm_sidr_req_handler(struct cm
 	wc = work->mad_recv_wc->wc;
 	cm_id_priv->av.dgid.global.subnet_prefix = cpu_to_be64(wc->slid);
 	cm_id_priv->av.dgid.global.interface_id = 0;
-	cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
-				work->mad_recv_wc->recv_buf.grh,
-				&cm_id_priv->av);
+	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
+				      work->mad_recv_wc->recv_buf.grh,
+				      &cm_id_priv->av);
+	if (ret)
+		goto out;
+
 	cm_id_priv->id.remote_id = sidr_req_msg->request_id;
 	cm_id_priv->tid = sidr_req_msg->hdr.tid;
 	atomic_inc(&cm_id_priv->work_count);
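Review bot: in cm_sidr_req_handler() the local `wc` is assigned from work->mad_recv_wc->wc three context lines above the new call, yet the call spells out work->mad_recv_wc->wc again; passing `wc` would be shorter and consistent with the dgid lines that already use it. Please also confirm that the `out` label releases the cm_id obtained from ib_create_cm_id() and returns `ret`, since neither is visible in this hunk.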
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -234,10 +234,14 @@ static void recv_handler(struct ib_mad_a
 	packet->mad.hdr.grh_present = !!(mad_recv_wc->wc->wc_flags & IB_WC_GRH);
 	if (packet->mad.hdr.grh_present) {
 		struct ib_ah_attr ah_attr;
+		int ret;
 
-		ib_init_ah_from_wc(agent->device, agent->port_num,
-				   mad_recv_wc->wc, mad_recv_wc->recv_buf.grh,
-				   &ah_attr);
+		ret = ib_init_ah_from_wc(agent->device, agent->port_num,
+					 mad_recv_wc->wc,
+					 mad_recv_wc->recv_buf.grh,
+					 &ah_attr);
+		if (ret)
+			goto err2;
 
 		packet->mad.hdr.gid_index = ah_attr.grh.sgid_index;
 		packet->mad.hdr.hop_limit = ah_attr.grh.hop_limit;
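Review bot: recv_handler() returns void (see the hunk header), so the new `ret` is only ever tested for non-zero and its value is dropped at `goto err2`. Either test the call directly in the `if` and drop the variable, or use the value in a rate-limited debug message; as written, a receive-side failure discards the packet with no trace.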



* [PATCH 3.16 144/305] xfrm: Fix bucket count reported to userspace
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (243 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 181/305] sysv: return 'err' instead of 0 in __sysv_write_inode Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 289/305] mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl Ben Hutchings
                   ` (60 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Klassert, Benjamin Poirier

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Poirier <bpoirier@suse.com>

commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 upstream.

sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
hash mask.

Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/xfrm/xfrm_state.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -631,7 +631,7 @@ void xfrm_sad_getinfo(struct net *net, s
 {
 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
 	si->sadcnt = net->xfrm.state_num;
-	si->sadhcnt = net->xfrm.state_hmask;
+	si->sadhcnt = net->xfrm.state_hmask + 1;
 	si->sadhmcnt = xfrm_state_hashmax;
 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
 }
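Review bot: the `+ 1` on state_hmask is correct only because the field holds a mask (bucket count minus one), which is not stated anywhere near this assignment. A short comment on the sadhcnt line saying so would prevent the off-by-one from returning. Note also that this changes a value reported to userspace, so the changelog should mention that existing consumers will see a different number.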



* [PATCH 3.16 085/305] hwmon: (pmbus) Fix page count auto-detection.
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (138 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 063/305] ALSA: usb-audio: update quirk for B&W PX to remove microphone Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 048/305] iio: adc: at91: fix acking DRDY irq on simple conversions Ben Hutchings
                   ` (165 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Guenter Roeck, Dmitry Bazhenov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Bazhenov <bazhenov.dn@gmail.com>

commit e7c6a55606b5c46b449d76588968b4d8caae903f upstream.

Devices with compatible="pmbus" field have zero initial page count,
and pmbus_clear_faults() being called before the page count auto-
detection does not actually clear faults because it depends on the
page count. Non-cleared faults in its turn may fail the subsequent
page count auto-detection.

This patch fixes this problem by calling pmbus_clear_fault_page()
for currently set page and calling pmbus_clear_faults() after the
page count was detected.

Signed-off-by: Dmitry Bazhenov <bazhenov.dn@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/pmbus/pmbus.c      | 2 ++
 drivers/hwmon/pmbus/pmbus_core.c | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/hwmon/pmbus/pmbus.c
+++ b/drivers/hwmon/pmbus/pmbus.c
@@ -117,6 +117,8 @@ static int pmbus_identify(struct i2c_cli
 		} else {
 			info->pages = 1;
 		}
+
+		pmbus_clear_faults(client);
 	}
 
 	if (pmbus_check_byte_register(client, 0, PMBUS_VOUT_MODE)) {
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -1705,7 +1705,10 @@ static int pmbus_init_common(struct i2c_
 		}
 	}
 
-	pmbus_clear_faults(client);
+	if (data->info->pages)
+		pmbus_clear_faults(client);
+	else
+		pmbus_clear_fault_page(client, -1);
 
 	if (info->identify) {
 		ret = (*info->identify)(client, info);
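Review bot: the new condition reads `data->info->pages`, while the context line right below uses the local `info` (`info->identify`); use `info->pages` for consistency unless the two can differ at this point. The bare `-1` passed to pmbus_clear_fault_page() also needs a comment or a named constant saying it selects the currently set page, as the changelog describes, since the call site alone does not convey that.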



* [PATCH 3.16 089/305] IB/cm: Fix sleeping while spin lock is held
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 029/305] signal/GenWQE: Fix sending of SIGKILL Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 199/305] netfilter: nf_tables: fix use-after-free when deleting compat expressions Ben Hutchings
                   ` (295 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Leon Romanovsky, Jason Gunthorpe,
	Parav Pandit, Daniel Jurgens

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Parav Pandit <parav@mellanox.com>

commit 33f93e1ebcf5acfaef06cda2d3e373730519e33e upstream.

In case LAP is used for RoCE, it can lead to a problem of sleeping in a
context while a spin lock is held, in the flow below.

cm_lap_handler
	->spin_lock
	-> <..switch_case..>
	-> cm_init_av_for_response
		-> ib_init_ah_from_wc
			-> rdma_addr_find_l2_eth_by_grh
				wait_for_completion()

Therefore ah attribute initialization is done for incoming lap requests
outside of the lock context.

Signed-off-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/cm.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -2770,6 +2770,12 @@ static int cm_lap_handler(struct cm_work
 	if (!cm_id_priv)
 		return -EINVAL;
 
+	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
+				      work->mad_recv_wc->recv_buf.grh,
+				      &cm_id_priv->av);
+	if (ret)
+		goto deref;
+
 	param = &work->cm_event.param.lap_rcvd;
 	param->alternate_path = &work->path[0];
 	cm_format_path_from_lap(cm_id_priv, param->alternate_path, lap_msg);
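Review bot: moving cm_init_av_for_response() up to right after the `!cm_id_priv` check means cm_id_priv->av is now written without the lock and before the state checks that, per the call flow in the changelog, run under the spin lock. A LAP that is later rejected by those checks will already have overwritten the address vector of an established connection. Initialising into a local struct cm_av here and copying it into cm_id_priv->av under the lock, once the state has been validated, would keep the sleeping call outside the lock without that side effect.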
@@ -2809,11 +2815,6 @@ static int cm_lap_handler(struct cm_work
 
 	cm_id_priv->id.lap_state = IB_CM_LAP_RCVD;
 	cm_id_priv->tid = lap_msg->hdr.tid;
-	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
-				      work->mad_recv_wc->recv_buf.grh,
-				      &cm_id_priv->av);
-	if (ret)
-		goto unlock;
 	cm_init_av_by_path(param->alternate_path, &cm_id_priv->alt_av,
 			   cm_id_priv);
 	ret = atomic_inc_and_test(&cm_id_priv->work_count);



* [PATCH 3.16 080/305] libertas: don't set URB_ZERO_PACKET on IN USB transfer
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 069/305] bcache: fix miss key refill->end in writeback Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 296/305] net: macb: Fix race condition in driver when Rx frame is dropped Ben Hutchings
                   ` (103 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Lubomir Rintel, Kalle Valo

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <lkundrak@v3.sk>

commit 6528d88047801b80d2a5370ad46fb6eff2f509e0 upstream.

The USB core gets rightfully upset:

  usb 1-1: BOGUS urb flags, 240 --> 200
  WARNING: CPU: 0 PID: 60 at drivers/usb/core/urb.c:503 usb_submit_urb+0x2f8/0x3ed
  Modules linked in:
  CPU: 0 PID: 60 Comm: kworker/0:3 Not tainted 4.19.0-rc6-00319-g5206d00a45c7 #39
  Hardware name: OLPC XO/XO, BIOS OLPC Ver 1.00.01 06/11/2014
  Workqueue: events request_firmware_work_func
  EIP: usb_submit_urb+0x2f8/0x3ed
  Code: 75 06 8b 8f 80 00 00 00 8d 47 78 89 4d e4 89 55 e8 e8 35 1c f6 ff 8b 55 e8 56 52 8b 4d e4 51 50 68 e3 ce c7 c0 e8 ed 18 c6 ff <0f> 0b 83 c4 14 80 7d ef 01 74 0a 80 7d ef 03 0f 85 b8 00 00 00 8b
  EAX: 00000025 EBX: ce7d4980 ECX: 00000000 EDX: 00000001
  ESI: 00000200 EDI: ce7d8800 EBP: ce7f5ea8 ESP: ce7f5e70
  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 EFLAGS: 00210292
  CR0: 80050033 CR2: 00000000 CR3: 00e80000 CR4: 00000090
  Call Trace:
   ? if_usb_fw_timeo+0x64/0x64
   __if_usb_submit_rx_urb+0x85/0xe6
   ? if_usb_fw_timeo+0x64/0x64
   if_usb_submit_rx_urb_fwload+0xd/0xf
   if_usb_prog_firmware+0xc0/0x3db
   ? _request_firmware+0x54/0x47b
   ? _request_firmware+0x89/0x47b
   ? if_usb_probe+0x412/0x412
   lbs_fw_loaded+0x55/0xa6
   ? debug_smp_processor_id+0x12/0x14
   helper_firmware_cb+0x3c/0x3f
   request_firmware_work_func+0x37/0x6f
   process_one_work+0x164/0x25a
   worker_thread+0x1c4/0x284
   kthread+0xec/0xf1
   ? cancel_delayed_work_sync+0xf/0xf
   ? kthread_create_on_node+0x1a/0x1a
   ret_from_fork+0x2e/0x38
  ---[ end trace 3ef1e3b2dd53852f ]---

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/libertas/if_usb.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/libertas/if_usb.c
+++ b/drivers/net/wireless/libertas/if_usb.c
@@ -467,8 +467,6 @@ static int __if_usb_submit_rx_urb(struct
 			  MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn,
 			  cardp);
 
-	cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET;
-
 	lbs_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n", cardp->rx_urb);
 	if ((ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC))) {
 		lbs_deb_usbd(&cardp->udev->dev, "Submit Rx URB failed: %d\n", ret);
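Review bot: the changelog consists of the warning splat only, so the reason for deleting the `transfer_flags |= URB_ZERO_PACKET` line in __if_usb_submit_rx_urb() has to be inferred from the subject. Please add a sentence stating that this URB is a receive (IN) transfer and that the flag is only valid for OUT transfers, which is what the "BOGUS urb flags" check is reporting.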



* [PATCH 3.16 095/305] parisc: Fix map_pages() to not overwrite existing pte entries
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (172 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 004/305] x86/mm: Simplify p[g4um]d_page() macros Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 162/305] iommu/ipmmu-vmsa: Fix crash on early domain free Ben Hutchings
                   ` (131 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Helge Deller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit 3c229b3f2dd8133f61bb81d3cb018be92f4bba39 upstream.

Fix a long-existing small nasty bug in the map_pages() implementation which
leads to overwriting already written pte entries with zero, *if* map_pages() is
called a second time with an end address which isn't aligned on a pmd boundary.
This happens for example if we want to remap only the text segment read/write
in order to run alternative patching on the code. Exiting the loop when we
reach the end address fixes this.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/parisc/mm/init.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/arch/parisc/mm/init.c
+++ b/arch/parisc/mm/init.c
@@ -492,12 +492,8 @@ static void __init map_pages(unsigned lo
 #endif
 					pte = __mk_pte(address, pgprot);
 
-				if (address >= end_paddr) {
-					if (force)
-						break;
-					else
-						pte_val(pte) = 0;
-				}
+				if (address >= end_paddr)
+					break;
 
 				set_pte(pg_table, pte);
 
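Review bot: the new break at "address >= end_paddr" leaves only the innermost pte loop, so the fix depends on the enclosing loops in map_pages() also stopping at end_paddr; if they keep iterating, each later pass re-enters this loop and breaks at once, which is harmless but should be confirmed against the full function. The force test is gone from this branch as well, so check whether the parameter still has a user elsewhere in map_pages() or can be dropped.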



* [PATCH 3.16 093/305] KVM: x86: remove code for lazy FPU handling
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 249/305] hfs: do not free node before using Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 257/305] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Ben Hutchings
                   ` (265 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paolo Bonzini, David Matlack, Bandan Das

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit bd7e5b0899a429445cc6e3037c13f8b5ae3be903 upstream.

The FPU is always active now when running KVM.

Reviewed-by: David Matlack <dmatlack@google.com>
Reviewed-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
 - eagerfpu is still optional (but enabled by default) so disable KVM if
   eagerfpu is disabled
 - Remove one additional use of KVM_REQ_DEACTIVATE_FPU which was
   removed earlier upstream in commit c592b5734706
   "x86/fpu: Remove use_eager_fpu()"
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -711,8 +711,6 @@ struct kvm_x86_ops {
 	void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg);
 	unsigned long (*get_rflags)(struct kvm_vcpu *vcpu);
 	void (*set_rflags)(struct kvm_vcpu *vcpu, unsigned long rflags);
-	void (*fpu_activate)(struct kvm_vcpu *vcpu);
-	void (*fpu_deactivate)(struct kvm_vcpu *vcpu);
 
 	void (*tlb_flush)(struct kvm_vcpu *vcpu);
 
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1119,7 +1119,6 @@ static void init_vmcb(struct vcpu_svm *s
 	struct vmcb_control_area *control = &svm->vmcb->control;
 	struct vmcb_save_area *save = &svm->vmcb->save;
 
-	svm->vcpu.fpu_active = 1;
 	svm->vcpu.arch.hflags = 0;
 
 	set_cr_intercept(svm, INTERCEPT_CR0_READ);
@@ -1574,15 +1573,12 @@ static void update_cr0_intercept(struct
 	ulong gcr0 = svm->vcpu.arch.cr0;
 	u64 *hcr0 = &svm->vmcb->save.cr0;
 
-	if (!svm->vcpu.fpu_active)
-		*hcr0 |= SVM_CR0_SELECTIVE_MASK;
-	else
-		*hcr0 = (*hcr0 & ~SVM_CR0_SELECTIVE_MASK)
-			| (gcr0 & SVM_CR0_SELECTIVE_MASK);
+	*hcr0 = (*hcr0 & ~SVM_CR0_SELECTIVE_MASK)
+		| (gcr0 & SVM_CR0_SELECTIVE_MASK);
 
 	mark_dirty(svm->vmcb, VMCB_CR);
 
-	if (gcr0 == *hcr0 && svm->vcpu.fpu_active) {
+	if (gcr0 == *hcr0) {
 		clr_cr_intercept(svm, INTERCEPT_CR0_READ);
 		clr_cr_intercept(svm, INTERCEPT_CR0_WRITE);
 	} else {
@@ -1613,8 +1609,6 @@ static void svm_set_cr0(struct kvm_vcpu
 	if (!npt_enabled)
 		cr0 |= X86_CR0_PG | X86_CR0_WP;
 
-	if (!vcpu->fpu_active)
-		cr0 |= X86_CR0_TS;
 	/*
 	 * re-enable caching here because the QEMU bios
 	 * does not do it - this results in some delay at
@@ -1834,22 +1828,6 @@ static int ac_interception(struct vcpu_s
 	return 1;
 }
 
-static void svm_fpu_activate(struct kvm_vcpu *vcpu)
-{
-	struct vcpu_svm *svm = to_svm(vcpu);
-
-	clr_exception_intercept(svm, NM_VECTOR);
-
-	svm->vcpu.fpu_active = 1;
-	update_cr0_intercept(svm);
-}
-
-static int nm_interception(struct vcpu_svm *svm)
-{
-	svm_fpu_activate(&svm->vcpu);
-	return 1;
-}
-
 static bool is_erratum_383(void)
 {
 	int err, i;
@@ -2227,9 +2205,6 @@ static int nested_svm_exit_special(struc
 		if (!npt_enabled && svm->apf_reason == 0)
 			return NESTED_EXIT_HOST;
 		break;
-	case SVM_EXIT_EXCP_BASE + NM_VECTOR:
-		nm_interception(svm);
-		break;
 	default:
 		break;
 	}
@@ -3448,7 +3423,6 @@ static int (*const svm_exit_handlers[])(
 	[SVM_EXIT_EXCP_BASE + BP_VECTOR]	= bp_interception,
 	[SVM_EXIT_EXCP_BASE + UD_VECTOR]	= ud_interception,
 	[SVM_EXIT_EXCP_BASE + PF_VECTOR]	= pf_interception,
-	[SVM_EXIT_EXCP_BASE + NM_VECTOR]	= nm_interception,
 	[SVM_EXIT_EXCP_BASE + MC_VECTOR]	= mc_interception,
 	[SVM_EXIT_EXCP_BASE + AC_VECTOR]	= ac_interception,
 	[SVM_EXIT_INTR]				= intr_interception,
@@ -4285,14 +4259,6 @@ static bool svm_has_wbinvd_exit(void)
 	return true;
 }
 
-static void svm_fpu_deactivate(struct kvm_vcpu *vcpu)
-{
-	struct vcpu_svm *svm = to_svm(vcpu);
-
-	set_exception_intercept(svm, NM_VECTOR);
-	update_cr0_intercept(svm);
-}
-
 #define PRE_EX(exit)  { .exit_code = (exit), \
 			.stage = X86_ICPT_PRE_EXCEPT, }
 #define POST_EX(exit) { .exit_code = (exit), \
@@ -4526,8 +4492,6 @@ static struct kvm_x86_ops svm_x86_ops =
 	.cache_reg = svm_cache_reg,
 	.get_rflags = svm_get_rflags,
 	.set_rflags = svm_set_rflags,
-	.fpu_activate = svm_fpu_activate,
-	.fpu_deactivate = svm_fpu_deactivate,
 
 	.tlb_flush = svm_flush_tlb,
 
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1491,7 +1491,7 @@ static void update_exception_bitmap(stru
 	u32 eb;
 
 	eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
-	     (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
+	     (1u << DB_VECTOR) | (1u << AC_VECTOR);
 	if ((vcpu->guest_debug &
 	     (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
 	    (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
@@ -1500,8 +1500,6 @@ static void update_exception_bitmap(stru
 		eb = ~0;
 	if (enable_ept)
 		eb &= ~(1u << PF_VECTOR); /* bypass_guest_pf = 0 */
-	if (vcpu->fpu_active)
-		eb &= ~(1u << NM_VECTOR);
 
 	/* When we are running a nested L2 guest and L1 specified for it a
 	 * certain exception bitmap, we must trap the same exceptions and pass
@@ -1904,25 +1902,6 @@ static void vmx_vcpu_put(struct kvm_vcpu
 	}
 }
 
-static void vmx_fpu_activate(struct kvm_vcpu *vcpu)
-{
-	ulong cr0;
-
-	if (vcpu->fpu_active)
-		return;
-	vcpu->fpu_active = 1;
-	cr0 = vmcs_readl(GUEST_CR0);
-	cr0 &= ~(X86_CR0_TS | X86_CR0_MP);
-	cr0 |= kvm_read_cr0_bits(vcpu, X86_CR0_TS | X86_CR0_MP);
-	vmcs_writel(GUEST_CR0, cr0);
-	update_exception_bitmap(vcpu);
-	vcpu->arch.cr0_guest_owned_bits = X86_CR0_TS;
-	if (is_guest_mode(vcpu))
-		vcpu->arch.cr0_guest_owned_bits &=
-			~get_vmcs12(vcpu)->cr0_guest_host_mask;
-	vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
-}
-
 static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu);
 
 /*
@@ -1941,33 +1920,6 @@ static inline unsigned long nested_read_
 		(fields->cr4_read_shadow & fields->cr4_guest_host_mask);
 }
 
-static void vmx_fpu_deactivate(struct kvm_vcpu *vcpu)
-{
-	/* Note that there is no vcpu->fpu_active = 0 here. The caller must
-	 * set this *before* calling this function.
-	 */
-	vmx_decache_cr0_guest_bits(vcpu);
-	vmcs_set_bits(GUEST_CR0, X86_CR0_TS | X86_CR0_MP);
-	update_exception_bitmap(vcpu);
-	vcpu->arch.cr0_guest_owned_bits = 0;
-	vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
-	if (is_guest_mode(vcpu)) {
-		/*
-		 * L1's specified read shadow might not contain the TS bit,
-		 * so now that we turned on shadowing of this bit, we need to
-		 * set this bit of the shadow. Like in nested_vmx_run we need
-		 * nested_read_cr0(vmcs12), but vmcs12->guest_cr0 is not yet
-		 * up-to-date here because we just decached cr0.TS (and we'll
-		 * only update vmcs12->guest_cr0 on nested exit).
-		 */
-		struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-		vmcs12->guest_cr0 = (vmcs12->guest_cr0 & ~X86_CR0_TS) |
-			(vcpu->arch.cr0 & X86_CR0_TS);
-		vmcs_writel(CR0_READ_SHADOW, nested_read_cr0(vmcs12));
-	} else
-		vmcs_writel(CR0_READ_SHADOW, vcpu->arch.cr0);
-}
-
 static unsigned long vmx_get_rflags(struct kvm_vcpu *vcpu)
 {
 	unsigned long rflags, save_rflags;
@@ -3586,9 +3538,6 @@ static void vmx_set_cr0(struct kvm_vcpu
 	if (enable_ept)
 		ept_update_paging_mode_cr0(&hw_cr0, cr0, vcpu);
 
-	if (!vcpu->fpu_active)
-		hw_cr0 |= X86_CR0_TS | X86_CR0_MP;
-
 	vmcs_writel(CR0_READ_SHADOW, cr0);
 	vmcs_writel(GUEST_CR0, hw_cr0);
 	vcpu->arch.cr0 = cr0;
@@ -4644,7 +4593,9 @@ static int vmx_vcpu_setup(struct vcpu_vm
 	/* 22.2.1, 20.8.1 */
 	vm_entry_controls_init(vmx, vmcs_config.vmentry_ctrl);
 
-	vmcs_writel(CR0_GUEST_HOST_MASK, ~0UL);
+	vmx->vcpu.arch.cr0_guest_owned_bits = X86_CR0_TS;
+	vmcs_writel(CR0_GUEST_HOST_MASK, ~X86_CR0_TS);
+
 	set_cr4_guest_host_mask(vmx);
 
 	return 0;
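Review bot: cr0_guest_owned_bits and CR0_GUEST_HOST_MASK are set here from two separate X86_CR0_TS literals, so the two can drift apart if one is edited later. The removed vmx_fpu_activate() wrote the mask as ~vcpu->arch.cr0_guest_owned_bits; doing the same in vmx_vcpu_setup(), vmcs_writel(CR0_GUEST_HOST_MASK, ~vmx->vcpu.arch.cr0_guest_owned_bits), keeps a single source of truth.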
@@ -4736,7 +4687,7 @@ static void vmx_vcpu_reset(struct kvm_vc
 	vmx_set_cr0(&vmx->vcpu, kvm_read_cr0(vcpu)); /* enter rmode */
 	vmx_set_cr4(&vmx->vcpu, 0);
 	vmx_set_efer(&vmx->vcpu, 0);
-	vmx_fpu_activate(&vmx->vcpu);
+
 	update_exception_bitmap(&vmx->vcpu);
 
 	vpid_sync_context(vmx);
@@ -5022,11 +4973,6 @@ static int handle_exception(struct kvm_v
 	if (is_nmi(intr_info))
 		return 1;  /* already handled by vmx_vcpu_run() */
 
-	if (is_no_device(intr_info)) {
-		vmx_fpu_activate(vcpu);
-		return 1;
-	}
-
 	if (is_invalid_opcode(intr_info)) {
 		er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
 		if (er == EMULATE_USER_EXIT)
@@ -5218,22 +5164,6 @@ static int handle_set_cr4(struct kvm_vcp
 		return kvm_set_cr4(vcpu, val);
 }
 
-/* called to set cr0 as approriate for clts instruction exit. */
-static void handle_clts(struct kvm_vcpu *vcpu)
-{
-	if (is_guest_mode(vcpu)) {
-		/*
-		 * We get here when L2 did CLTS, and L1 didn't shadow CR0.TS
-		 * but we did (!fpu_active). We need to keep GUEST_CR0.TS on,
-		 * just pretend it's off (also in arch.cr0 for fpu_activate).
-		 */
-		vmcs_writel(CR0_READ_SHADOW,
-			vmcs_readl(CR0_READ_SHADOW) & ~X86_CR0_TS);
-		vcpu->arch.cr0 &= ~X86_CR0_TS;
-	} else
-		vmx_set_cr0(vcpu, kvm_read_cr0_bits(vcpu, ~X86_CR0_TS));
-}
-
 static int handle_cr(struct kvm_vcpu *vcpu)
 {
 	unsigned long exit_qualification, val;
@@ -5276,10 +5206,10 @@ static int handle_cr(struct kvm_vcpu *vc
 		}
 		break;
 	case 2: /* clts */
-		handle_clts(vcpu);
+		WARN_ONCE(1, "Guest should always own CR0.TS");
+		vmx_set_cr0(vcpu, kvm_read_cr0_bits(vcpu, ~X86_CR0_TS));
 		trace_kvm_cr_write(0, kvm_read_cr0(vcpu));
 		skip_emulated_instruction(vcpu);
-		vmx_fpu_activate(vcpu);
 		return 1;
 	case 1: /*mov from cr*/
 		switch (cr) {
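Review bot: in the clts case the unconditional WARN_ONCE() sits on a VM-exit path, so if any configuration still delivers this exit a guest can trigger a host warning, and a panic where panic_on_warn is set. The removed handle_clts() had a separate is_guest_mode() branch for L2 running with a CR0.TS shadow that L1 did not ask for; please confirm that this nested case can no longer reach handle_cr() now that the guest owns CR0.TS. The WARN_ONCE() string is also missing its trailing newline.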
@@ -8299,8 +8229,8 @@ static void prepare_vmcs02(struct kvm_vc
 	vmx_set_efer(vcpu, vcpu->arch.efer);
 
 	/*
-	 * This sets GUEST_CR0 to vmcs12->guest_cr0, with possibly a modified
-	 * TS bit (for lazy fpu) and bits which we consider mandatory enabled.
+	 * This sets GUEST_CR0 to vmcs12->guest_cr0, possibly modifying those
+	 * bits which we consider mandatory enabled.
 	 * The CR0_READ_SHADOW is what L2 should have expected to read given
 	 * the specifications by L1; It's not enough to take
 	 * vmcs12->cr0_read_shadow because on our cr0_guest_host_mask we we
@@ -8814,24 +8744,15 @@ static void load_vmcs12_host_state(struc
 	vmx_set_rflags(vcpu, X86_EFLAGS_FIXED);
 	/*
 	 * Note that calling vmx_set_cr0 is important, even if cr0 hasn't
-	 * actually changed, because it depends on the current state of
-	 * fpu_active (which may have changed).
-	 * Note that vmx_set_cr0 refers to efer set above.
+	 * actually changed, because vmx_set_cr0 refers to efer set above.
+	 *
+	 * CR0_GUEST_HOST_MASK is already set in the original vmcs01
+	 * (KVM doesn't change it);
 	 */
+	vcpu->arch.cr0_guest_owned_bits = X86_CR0_TS;
 	vmx_set_cr0(vcpu, vmcs12->host_cr0);
-	/*
-	 * If we did fpu_activate()/fpu_deactivate() during L2's run, we need
-	 * to apply the same changes to L1's vmcs. We just set cr0 correctly,
-	 * but we also need to update cr0_guest_host_mask and exception_bitmap.
-	 */
-	update_exception_bitmap(vcpu);
-	vcpu->arch.cr0_guest_owned_bits = (vcpu->fpu_active ? X86_CR0_TS : 0);
-	vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
 
-	/*
-	 * Note that CR4_GUEST_HOST_MASK is already set in the original vmcs01
-	 * (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask();
-	 */
+	/* Same as above - no reason to call set_cr4_guest_host_mask().  */
 	vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
 	vmx_set_cr4(vcpu, vmcs12->host_cr4);
 
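Review bot: the rewritten comment above vmx_set_cr0() ends on "(KVM doesn't change it);" with a dangling semicolon, where the old CR4 comment it was modelled on went on to finish the sentence; complete it or end it with a full stop. The hunk also drops the update_exception_bitmap() call that used to follow vmx_set_cr0(); the removed comment tied that call to fpu_activate()/fpu_deactivate() during L2's run, so say in the changelog that nothing else relied on the bitmap being refreshed at this point.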
@@ -9081,8 +9002,6 @@ static struct kvm_x86_ops vmx_x86_ops =
 	.cache_reg = vmx_cache_reg,
 	.get_rflags = vmx_get_rflags,
 	.set_rflags = vmx_set_rflags,
-	.fpu_activate = vmx_fpu_activate,
-	.fpu_deactivate = vmx_fpu_deactivate,
 
 	.tlb_flush = vmx_flush_tlb,
 
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5698,6 +5698,12 @@ int kvm_arch_init(void *opaque)
 		goto out;
 	}
 
+	if (!boot_cpu_has(X86_FEATURE_EAGER_FPU)) {
+		pr_err("kvm: requires eagerfpu\n");
+		r = -EOPNOTSUPP;
+		goto out;
+	}
+
 	if (!ops->cpu_has_kvm_support()) {
 		printk(KERN_ERR "kvm: no hardware support\n");
 		r = -EOPNOTSUPP;
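Review bot: the new pr_err("kvm: requires eagerfpu\n") tells the administrator what is missing but not how to get it back; since the backport note says eagerfpu is optional but enabled by default in 3.16, have the message say that the boot option disabling it must be removed. The block also uses pr_err() while the neighbouring check uses printk(KERN_ERR ...), so pick one form within kvm_arch_init().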
@@ -6099,10 +6105,6 @@ static int vcpu_enter_guest(struct kvm_v
 			r = 0;
 			goto out;
 		}
-		if (kvm_check_request(KVM_REQ_DEACTIVATE_FPU, vcpu)) {
-			vcpu->fpu_active = 0;
-			kvm_x86_ops->fpu_deactivate(vcpu);
-		}
 		if (kvm_check_request(KVM_REQ_APF_HALT, vcpu)) {
 			/* Page is swapped out. Do synthetic halt */
 			vcpu->arch.apf.halted = true;
@@ -6159,8 +6161,7 @@ static int vcpu_enter_guest(struct kvm_v
 	preempt_disable();
 
 	kvm_x86_ops->prepare_guest_switch(vcpu);
-	if (vcpu->fpu_active)
-		kvm_load_guest_fpu(vcpu);
+	kvm_load_guest_fpu(vcpu);
 	vcpu->mode = IN_GUEST_MODE;
 
 	srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
@@ -6917,7 +6918,6 @@ void kvm_put_guest_fpu(struct kvm_vcpu *
 	fpu_save_init(&vcpu->arch.guest_fpu);
 	__kernel_fpu_end();
 	++vcpu->stat.fpu_reload;
-	kvm_make_request(KVM_REQ_DEACTIVATE_FPU, vcpu);
 	trace_kvm_fpu(0);
 }
 
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -121,7 +121,6 @@ static inline bool is_error_page(struct
 #define KVM_REQ_MMU_SYNC           7
 #define KVM_REQ_CLOCK_UPDATE       8
 #define KVM_REQ_KICK               9
-#define KVM_REQ_DEACTIVATE_FPU    10
 #define KVM_REQ_EVENT             11
 #define KVM_REQ_APF_HALT          12
 #define KVM_REQ_STEAL_UPDATE      13
@@ -232,7 +231,6 @@ struct kvm_vcpu {
 	struct mutex mutex;
 	struct kvm_run *run;
 
-	int fpu_active;
 	int guest_fpu_loaded, guest_xcr0_loaded;
 	wait_queue_head_t wq;
 	struct pid *pid;



* [PATCH 3.16 092/305] clk: s2mps11: Fix matching when built as module and DT node contains compatible
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (222 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 281/305] fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 058/305] ext4: initialize retries variable in ext4_da_write_inline_data_begin() Ben Hutchings
                   ` (81 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Krzysztof Kozlowski, Stephen Boyd

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>

commit 8985167ecf57f97061599a155bb9652c84ea4913 upstream.

When driver is built as module and DT node contains clocks compatible
(e.g. "samsung,s2mps11-clk"), the module will not be autoloaded because
module aliases won't match.

The modalias from uevent: of:NclocksT<NULL>Csamsung,s2mps11-clk
The modalias from driver: platform:s2mps11-clk

The devices are instantiated by parent's MFD.  However both Device Tree
bindings and parent define the compatible for clocks devices.  In case
of module matching this DT compatible will be used.

The issue will not happen if this is a built-in (no need for module
matching) or when clocks DT node does not contain compatible (not
correct from bindings perspective but working for driver).

Note when backporting to stable kernels: adjust the list of device ID
entries.

Fixes: 53c31b3437a6 ("mfd: sec-core: Add of_compatible strings for clock MFD cells")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: drop entry for "samsung,s2mps13-clk"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clk/clk-s2mps11.c
+++ b/drivers/clk/clk-s2mps11.c
@@ -296,6 +296,33 @@ static const struct platform_device_id s
 };
 MODULE_DEVICE_TABLE(platform, s2mps11_clk_id);
 
+#ifdef CONFIG_OF
+/*
+ * Device is instantiated through parent MFD device and device matching is done
+ * through platform_device_id.
+ *
+ * However if device's DT node contains proper clock compatible and driver is
+ * built as a module, then the *module* matching will be done trough DT aliases.
+ * This requires of_device_id table.  In the same time this will not change the
+ * actual *device* matching so do not add .of_match_table.
+ */
+static const struct of_device_id s2mps11_dt_match[] = {
+	{
+		.compatible = "samsung,s2mps11-clk",
+		.data = (void *)S2MPS11X,
+	}, {
+		.compatible = "samsung,s2mps14-clk",
+		.data = (void *)S2MPS14X,
+	}, {
+		.compatible = "samsung,s5m8767-clk",
+		.data = (void *)S5M8767X,
+	}, {
+		/* Sentinel */
+	},
+};
+MODULE_DEVICE_TABLE(of, s2mps11_dt_match);
+#endif
+
 static struct platform_driver s2mps11_clk_driver = {
 	.driver = {
 		.name  = "s2mps11-clk",
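Review bot: s2mps11_dt_match is referenced only by MODULE_DEVICE_TABLE(of, ...), which expands to nothing when the driver is built in, so a CONFIG_OF=y non-modular build is left with a static table that nothing references, which some compilers warn about; guard it with MODULE as well or mark it __used. Because the comment says .of_match_table is deliberately not set, the .data values are never read either and can be dropped from the entries.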



* [PATCH 3.16 091/305] RDMA/cm: Respect returned status of cm_init_av_by_path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 159/305] mount: Retest MNT_LOCKED in do_umount Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 200/305] xtensa: fix boot parameters address translation Ben Hutchings
                   ` (282 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jason Gunthorpe, Leon Romanovsky,
	Slava Shwartsman, Parav Pandit

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leonro@mellanox.com>

commit e54b6a3bcd1ec972b25a164bdf495d9e7120b107 upstream.

Add missing check for failure of cm_init_av_by_path

Fixes: e1444b5a163e ("IB/cm: Fix automatic path migration support")
Reported-by: Slava Shwartsman <slavash@mellanox.com>
Reviewed-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: cm_init_av_by_path() doesn't take an sgid_attr
 parameter]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/cm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -2813,8 +2813,11 @@ static int cm_lap_handler(struct cm_work
 	if (ret)
 		goto unlock;
 
-	cm_init_av_by_path(param->alternate_path, &cm_id_priv->alt_av,
-			   cm_id_priv);
+	ret = cm_init_av_by_path(param->alternate_path,
+				 &cm_id_priv->alt_av, cm_id_priv);
+	if (ret)
+		goto unlock;
+
 	cm_id_priv->id.lap_state = IB_CM_LAP_RCVD;
 	cm_id_priv->tid = lap_msg->hdr.tid;
 	ret = atomic_inc_and_test(&cm_id_priv->work_count);
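Review bot: when cm_init_av_by_path() fails, cm_lap_handler() now jumps to unlock with cm_id_priv->alt_av possibly already modified and lap_state left unchanged. Confirm that alt_av is only consumed once lap_state is IB_CM_LAP_RCVD, or reset it on the error path, so a rejected LAP cannot leave a stale alternate address vector behind.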



* [PATCH 3.16 015/305] turn off -Wattribute-alias
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (192 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 028/305] scsi: qla2xxx: shutdown chip if reset fail Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 130/305] smb3: on kerberos mount if server doesn't specify auth type use krb5 Ben Hutchings
                   ` (111 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Johannes Pointner,
	Arnd Bergmann

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

Starting with gcc-8.1, we get a warning about all system call definitions,
which use an alias between functions with incompatible prototypes, e.g.:

In file included from ../mm/process_vm_access.c:19:
../include/linux/syscalls.h:211:18: warning: 'sys_process_vm_readv' alias between functions of incompatible types 'long int(pid_t,  const struct iovec *, long unsigned int,  const struct iovec *, long unsigned int,  long unsigned int)' {aka 'long int(int,  const struct iovec *, long unsigned int,  const struct iovec *, long unsigned int,  long unsigned int)'} and 'long int(long int,  long int,  long int,  long int,  long int,  long int)' [-Wattribute-alias]
  asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
                  ^~~
../include/linux/syscalls.h:207:2: note: in expansion of macro '__SYSCALL_DEFINEx'
  __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
  ^~~~~~~~~~~~~~~~~
../include/linux/syscalls.h:201:36: note: in expansion of macro 'SYSCALL_DEFINEx'
 #define SYSCALL_DEFINE6(name, ...) SYSCALL_DEFINEx(6, _##name, __VA_ARGS__)
                                    ^~~~~~~~~~~~~~~
../mm/process_vm_access.c:300:1: note: in expansion of macro 'SYSCALL_DEFINE6'
 SYSCALL_DEFINE6(process_vm_readv, pid_t, pid, const struct iovec __user *, lvec,
 ^~~~~~~~~~~~~~~
../include/linux/syscalls.h:215:18: note: aliased declaration here
  asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
                  ^~~
../include/linux/syscalls.h:207:2: note: in expansion of macro '__SYSCALL_DEFINEx'
  __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
  ^~~~~~~~~~~~~~~~~
../include/linux/syscalls.h:201:36: note: in expansion of macro 'SYSCALL_DEFINEx'
 #define SYSCALL_DEFINE6(name, ...) SYSCALL_DEFINEx(6, _##name, __VA_ARGS__)
                                    ^~~~~~~~~~~~~~~
../mm/process_vm_access.c:300:1: note: in expansion of macro 'SYSCALL_DEFINE6'
 SYSCALL_DEFINE6(process_vm_readv, pid_t, pid, const struct iovec __user *, lvec,

This is really noisy and does not indicate a real problem. In the latest
mainline kernel, this was addressed by commit bee20031772a ("disable
-Wattribute-alias warning for SYSCALL_DEFINEx()"), which seems too invasive
to backport.

This takes a much simpler approach and just disables the warning across the
kernel.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Johannes Pointner <h4nn35.work@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

--- a/Makefile
+++ b/Makefile
@@ -620,6 +620,7 @@ KBUILD_CFLAGS	+= $(call cc-disable-warni
 KBUILD_CFLAGS	+= $(call cc-disable-warning, format-truncation)
 KBUILD_CFLAGS	+= $(call cc-disable-warning, format-overflow)
 KBUILD_CFLAGS	+= $(call cc-disable-warning, int-in-bool-context)
+KBUILD_CFLAGS	+= $(call cc-disable-warning, attribute-alias)
 
 ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
 KBUILD_CFLAGS	+= -Os $(call cc-disable-warning,maybe-uninitialized,)
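Review bot: the added cc-disable-warning line switches -Wattribute-alias off for the whole tree, not just for SYSCALL_DEFINEx(), so a real prototype mismatch on any other alias will also go unreported. Add a Makefile comment next to it saying why it is global here and pointing at the narrower mainline change named in the changelog (bee20031772a), so the line can be dropped if that change is ever backported.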



* [PATCH 3.16 090/305] IB/cm: Avoid AV ah_attr overwriting during LAP message handling
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 241/305] kvm: mmu: Fix race in emulated page table writes Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 125/305] um: Give start_idle_thread() a return code Ben Hutchings
                   ` (215 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Leon Romanovsky, Jason Gunthorpe, Parav Pandit

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Parav Pandit <parav@mellanox.com>

commit a5c57d327272bdf3a8b19686eaca2ec683449e67 upstream.

AH attribute of the cm_id can be overwritten if LAP message is received
on CM request which is in progress. This bug got introduced to avoid
sleeping when spin lock is held as part of commit in Fixes tag.

Therefore validate the cm_id state first and continue to perform AV
ah_attr initialization.

Given that Alternative path related messages are not supported for
RoCE, init_av_from_response/path in such messages are ok to be called
from blocking context.

Fixes: 33f93e1ebcf5 ("IB/cm: Fix sleeping while spin lock is held")
Signed-off-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/cm.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -2770,12 +2770,6 @@ static int cm_lap_handler(struct cm_work
 	if (!cm_id_priv)
 		return -EINVAL;
 
-	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
-				      work->mad_recv_wc->recv_buf.grh,
-				      &cm_id_priv->av);
-	if (ret)
-		goto deref;
-
 	param = &work->cm_event.param.lap_rcvd;
 	param->alternate_path = &work->path[0];
 	cm_format_path_from_lap(cm_id_priv, param->alternate_path, lap_msg);
@@ -2813,10 +2807,16 @@ static int cm_lap_handler(struct cm_work
 		goto unlock;
 	}
 
-	cm_id_priv->id.lap_state = IB_CM_LAP_RCVD;
-	cm_id_priv->tid = lap_msg->hdr.tid;
+	ret = cm_init_av_for_response(work->port, work->mad_recv_wc->wc,
+				      work->mad_recv_wc->recv_buf.grh,
+				      &cm_id_priv->av);
+	if (ret)
+		goto unlock;
+
 	cm_init_av_by_path(param->alternate_path, &cm_id_priv->alt_av,
 			   cm_id_priv);
+	cm_id_priv->id.lap_state = IB_CM_LAP_RCVD;
+	cm_id_priv->tid = lap_msg->hdr.tid;
 	ret = atomic_inc_and_test(&cm_id_priv->work_count);
 	if (!ret)
 		list_add_tail(&work->list, &cm_id_priv->work_list);
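Review bot: the cm_init_av_by_path() call kept in this hunk still discards its return value, so lap_state can be set to IB_CM_LAP_RCVD with an alt_av that failed to initialise. Either check it here, next to the new cm_init_av_for_response() check that bails out through unlock, or make sure 091/305 of this series, which adds that check, is never applied without this patch and vice versa.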



* [PATCH 3.16 005/305] x86/mm: Fix regression with huge pages on PAE
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 203/305] l2tp: fix a sock refcnt leak in l2tp_tunnel_register Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 114/305] thermal: rcar_thermal: Prevent hardware access during system suspend Ben Hutchings
                   ` (38 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andy Lutomirski, Kirill A. Shutemov,
	Mel Gorman, Denys Vlasenko, H. Peter Anvin, elliott,
	Borislav Petkov, linux-mm, Ingo Molnar, Jürgen Gross,
	Linus Torvalds, Brian Gerst, Peter Zijlstra, konrad.wilk,
	Thomas Gleixner, Borislav Petkov, Toshi Kani

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>

commit 70f1528747651b20c7769d3516ade369f9963237 upstream.

A recent PAT patchset has caused an issue on 32-bit PAE machines:

  page:eea45000 count:0 mapcount:-128 mapping:  (null) index:0x0 flags: 0x40000000()
  page dumped because: VM_BUG_ON_PAGE(page_mapcount(page) < 0)
  ------------[ cut here ]------------
  kernel BUG at /home/build/linux-boris/mm/huge_memory.c:1485!
  invalid opcode: 0000 [#1] SMP
  [...]
  Call Trace:
   unmap_single_vma
   ? __wake_up
   unmap_vmas
   unmap_region
   do_munmap
   vm_munmap
   SyS_munmap
   do_fast_syscall_32
   ? __do_page_fault
   sysenter_past_esp
  Code: ...
  EIP: [<c11bde80>] zap_huge_pmd+0x240/0x260 SS:ESP 0068:f6459d98

The problem is in pmd_pfn_mask() and pmd_flags_mask(). These
helpers use PMD_PAGE_MASK to calculate resulting mask.
PMD_PAGE_MASK is 'unsigned long', not 'unsigned long long' as
phys_addr_t is on 32-bit PAE (ARCH_PHYS_ADDR_T_64BIT). As a
result, the upper bits of resulting mask get truncated.

pud_pfn_mask() and pud_flags_mask() aren't problematic since we
don't have PUD page table level on 32-bit systems, but it's
reasonable to keep them consistent with PMD counterpart.

Introduce PHYSICAL_PMD_PAGE_MASK and PHYSICAL_PUD_PAGE_MASK in
addition to existing PHYSICAL_PAGE_MASK and rework helpers to
use them.

Reported-and-Tested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
[ Fix -Woverflow warnings from the realmode code. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jürgen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: elliott@hpe.com
Cc: konrad.wilk@oracle.com
Cc: linux-mm <linux-mm@kvack.org>
Fixes: f70abb0fc3da ("x86/asm: Fix pud/pmd interfaces to handle large PAT bit")
Link: http://lkml.kernel.org/r/1448878233-11390-2-git-send-email-bp@alien8.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>

Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/boot/boot.h                 |  1 -
 arch/x86/boot/video-mode.c           |  2 ++
 arch/x86/boot/video.c                |  2 ++
 arch/x86/include/asm/page_types.h    | 16 +++++++++-------
 arch/x86/include/asm/pgtable_types.h | 14 ++++----------
 arch/x86/include/asm/x86_init.h      |  1 -
 6 files changed, 17 insertions(+), 19 deletions(-)

--- a/arch/x86/boot/boot.h
+++ b/arch/x86/boot/boot.h
@@ -23,7 +23,6 @@
 #include <stdarg.h>
 #include <linux/types.h>
 #include <linux/edd.h>
-#include <asm/boot.h>
 #include <asm/setup.h>
 #include "bitops.h"
 #include "ctype.h"
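Review bot: dropping #include <asm/boot.h> from boot.h removes it for every file that includes boot.h, yet only video-mode.c and video.c gain a direct #include <uapi/asm/boot.h> in this patch. Build the rest of arch/x86/boot/ to confirm nothing else relied on the indirect include, and say in the changelog which definitions those two files need from it.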
--- a/arch/x86/boot/video-mode.c
+++ b/arch/x86/boot/video-mode.c
@@ -19,6 +19,8 @@
 #include "video.h"
 #include "vesa.h"
 
+#include <uapi/asm/boot.h>
+
 /*
  * Common variables
  */
--- a/arch/x86/boot/video.c
+++ b/arch/x86/boot/video.c
@@ -13,6 +13,8 @@
  * Select video mode
  */
 
+#include <uapi/asm/boot.h>
+
 #include "boot.h"
 #include "video.h"
 #include "vesa.h"
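Review bot: The new uapi/asm/boot.h include in video.c is placed ahead of the local "boot.h" include, while the same include in video-mode.c is appended after "video.h" and "vesa.h". Use one placement in both files so the ordering does not look significant.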
--- a/arch/x86/include/asm/page_types.h
+++ b/arch/x86/include/asm/page_types.h
@@ -9,19 +9,21 @@
 #define PAGE_SIZE	(_AC(1,UL) << PAGE_SHIFT)
 #define PAGE_MASK	(~(PAGE_SIZE-1))
 
+#define PMD_PAGE_SIZE		(_AC(1, UL) << PMD_SHIFT)
+#define PMD_PAGE_MASK		(~(PMD_PAGE_SIZE-1))
+
+#define PUD_PAGE_SIZE		(_AC(1, UL) << PUD_SHIFT)
+#define PUD_PAGE_MASK		(~(PUD_PAGE_SIZE-1))
+
 #define __PHYSICAL_MASK		((phys_addr_t)((1ULL << __PHYSICAL_MASK_SHIFT) - 1))
 #define __VIRTUAL_MASK		((1UL << __VIRTUAL_MASK_SHIFT) - 1)
 
-/* Cast PAGE_MASK to a signed type so that it is sign-extended if
+/* Cast *PAGE_MASK to a signed type so that it is sign-extended if
    virtual addresses are 32-bits but physical addresses are larger
    (ie, 32-bit PAE). */
 #define PHYSICAL_PAGE_MASK	(((signed long)PAGE_MASK) & __PHYSICAL_MASK)
-
-#define PMD_PAGE_SIZE		(_AC(1, UL) << PMD_SHIFT)
-#define PMD_PAGE_MASK		(~(PMD_PAGE_SIZE-1))
-
-#define PUD_PAGE_SIZE		(_AC(1, UL) << PUD_SHIFT)
-#define PUD_PAGE_MASK		(~(PUD_PAGE_SIZE-1))
+#define PHYSICAL_PMD_PAGE_MASK	(((signed long)PMD_PAGE_MASK) & __PHYSICAL_MASK)
+#define PHYSICAL_PUD_PAGE_MASK	(((signed long)PUD_PAGE_MASK) & __PHYSICAL_MASK)
 
 #define HPAGE_SHIFT		PMD_SHIFT
 #define HPAGE_SIZE		(_AC(1,UL) << HPAGE_SHIFT)
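Review bot: The comment change to "*PAGE_MASK" is too terse for what the two new macros depend on: each of PAGE_MASK, PMD_PAGE_MASK and PUD_PAGE_MASK has to be cast to signed long before it is ANDed with __PHYSICAL_MASK, otherwise the unsigned value is not sign-extended on 32-bit PAE. Spell the three masks out in the comment. Moving the PMD_PAGE_SIZE/PUD_PAGE_SIZE block upwards is also not required for the new definitions, since macro bodies are only expanded where they are used; leaving the block in place would make the hunk smaller.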
--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -332,17 +332,14 @@ static inline pmdval_t native_pmd_val(pm
 static inline pudval_t pud_pfn_mask(pud_t pud)
 {
 	if (native_pud_val(pud) & _PAGE_PSE)
-		return PUD_PAGE_MASK & PHYSICAL_PAGE_MASK;
+		return PHYSICAL_PUD_PAGE_MASK;
 	else
 		return PTE_PFN_MASK;
 }
 
 static inline pudval_t pud_flags_mask(pud_t pud)
 {
-	if (native_pud_val(pud) & _PAGE_PSE)
-		return ~(PUD_PAGE_MASK & (pudval_t)PHYSICAL_PAGE_MASK);
-	else
-		return ~PTE_PFN_MASK;
+	return ~pud_pfn_mask(pud);
 }
 
 static inline pudval_t pud_flags(pud_t pud)
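Review bot: pud_pfn_mask() switches to PHYSICAL_PUD_PAGE_MASK with no comment saying why the previous "PUD_PAGE_MASK & PHYSICAL_PAGE_MASK" form must not be used, so a later cleanup could reintroduce it. A one-line comment above the function pointing at the signed cast in page_types.h would prevent that. Deriving pud_flags_mask() as the complement of pud_pfn_mask() removes the duplicated PSE branch, which is the right direction.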
@@ -353,17 +350,14 @@ static inline pudval_t pud_flags(pud_t p
 static inline pmdval_t pmd_pfn_mask(pmd_t pmd)
 {
 	if (native_pmd_val(pmd) & _PAGE_PSE)
-		return PMD_PAGE_MASK & PHYSICAL_PAGE_MASK;
+		return PHYSICAL_PMD_PAGE_MASK;
 	else
 		return PTE_PFN_MASK;
 }
 
 static inline pmdval_t pmd_flags_mask(pmd_t pmd)
 {
-	if (native_pmd_val(pmd) & _PAGE_PSE)
-		return ~(PMD_PAGE_MASK & (pmdval_t)PHYSICAL_PAGE_MASK);
-	else
-		return ~PTE_PFN_MASK;
+	return ~pmd_pfn_mask(pmd);
 }
 
 static inline pmdval_t pmd_flags(pmd_t pmd)
--- a/arch/x86/include/asm/x86_init.h
+++ b/arch/x86/include/asm/x86_init.h
@@ -1,7 +1,6 @@
 #ifndef _ASM_X86_PLATFORM_H
 #define _ASM_X86_PLATFORM_H
 
-#include <asm/pgtable_types.h>
 #include <asm/bootparam.h>
 
 struct mpc_bus;



* [PATCH 3.16 012/305] x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 205/305] net/mlx4: Fix UBSAN warning of signed integer overflow Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 059/305] powerpc/pseries: Fix DTL buffer registration Ben Hutchings
                   ` (235 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Gleixner, Jan Beulich,
	Boris Ostrovsky, Jason Andryuk, Juergen Gross

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit b2d7a075a1ccef2fb321d595802190c8e9b39004 upstream.

Using only 32-bit writes for the pte will result in an intermediate
L1TF vulnerable PTE. When running as a Xen PV guest this will at once
switch the guest to shadow mode resulting in a loss of performance.

Use arch_atomic64_xchg() instead which will perform the requested
operation atomically with all 64 bits.

Some performance considerations according to:

https://software.intel.com/sites/default/files/managed/ad/dc/Intel-Xeon-Scalable-Processor-throughput-latency.pdf

The main number should be the latency, as there is no tight loop around
native_ptep_get_and_clear().

"lock cmpxchg8b" has a latency of 20 cycles, while "lock xchg" (with a
memory operand) isn't mentioned in that document. "lock xadd" (with xadd
having 3 cycles less latency than xchg) has a latency of 11, so we can
assume a latency of 14 for "lock xchg".

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
[bwh: Backported to 3.16: Use atomic64_xchg()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/pgtable-3level.h | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/arch/x86/include/asm/pgtable-3level.h
+++ b/arch/x86/include/asm/pgtable-3level.h
@@ -1,6 +1,8 @@
 #ifndef _ASM_X86_PGTABLE_3LEVEL_H
 #define _ASM_X86_PGTABLE_3LEVEL_H
 
+#include <asm/atomic64_32.h>
+
 /*
  * Intel Physical Address Extension (PAE) Mode - three-level page
  * tables on PPro+ CPUs.
@@ -142,10 +144,7 @@ static inline pte_t native_ptep_get_and_
 {
 	pte_t res;
 
-	/* xchg acts as a barrier before the setting of the high bits */
-	res.pte_low = xchg(&ptep->pte_low, 0);
-	res.pte_high = ptep->pte_high;
-	ptep->pte_high = 0;
+	res.pte = (pteval_t)atomic64_xchg((atomic64_t *)ptep, 0);
 
 	return res;
 }
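Review bot: The replacement line in native_ptep_get_and_clear() drops the old barrier comment without adding a new one, and the cast of ptep to atomic64_t * assumes that pte_t and atomic64_t have the same size and alignment. Add a comment saying that the PTE has to be cleared in a single 64-bit exchange so that no half-cleared entry is ever visible (the L1TF concern from the changelog), and consider a build-time size check next to the cast.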



* [PATCH 3.16 305/305] x86/vdso: Fix vDSO syscall fallback asm constraint regression
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 022/305] libertas_tf: prevent underflow in process_cmdrequest() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 156/305] ext4: release bs.bh before re-using in ext4_xattr_block_find() Ben Hutchings
                   ` (268 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Peter Zijlstra, Thomas Gleixner,
	Andy Lutomirski, Matthew Whitehead, Ingo Molnar, Linus Torvalds

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit 02e425668f5c9deb42787d10001a3b605993ad15 upstream.

When I added the missing memory outputs, I failed to update the
index of the first argument (ebx) on 32-bit builds, which broke the
fallbacks.  Somehow I must have screwed up my testing or gotten
lucky.

Add another test to cover gettimeofday() as well.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 715bd9d12f84 ("x86/vdso: Fix asm constraints on vDSO syscall fallbacks")
Link: http://lkml.kernel.org/r/21bd45ab04b6d838278fa5bebfa9163eceffa13c.1538608971.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
 - Drop selftest changes
 - Adjust filename]
Tested-by: Matthew Whitehead <tedheadster@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/vdso/vclock_gettime.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/vdso/vclock_gettime.c
+++ b/arch/x86/vdso/vclock_gettime.c
@@ -147,11 +147,11 @@ notrace static long vdso_fallback_gettim
 
 	asm (
 		"mov %%ebx, %%edx \n"
-		"mov %2, %%ebx \n"
+		"mov %[clock], %%ebx \n"
 		"call __kernel_vsyscall \n"
 		"mov %%edx, %%ebx \n"
 		: "=a" (ret), "=m" (*ts)
-		: "0" (__NR_clock_gettime), "g" (clock), "c" (ts)
+		: "0" (__NR_clock_gettime), [clock] "g" (clock), "c" (ts)
 		: "memory", "edx");
 	return ret;
 }
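Review bot: Nothing in vdso_fallback_gettime() tells the next editor that the template must refer to operands by name; only the one operand used in the template gets a symbolic name and the asm block has no comment. Since the regression came from a positional %2 going stale when an output operand was added, a short comment above the asm stating that operands are referenced by name, and why, would keep the next edit from repeating it.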
@@ -162,11 +162,11 @@ notrace static long vdso_fallback_gtod(s
 
 	asm (
 		"mov %%ebx, %%edx \n"
-		"mov %2, %%ebx \n"
+		"mov %[tv], %%ebx \n"
 		"call __kernel_vsyscall \n"
 		"mov %%edx, %%ebx \n"
 		: "=a" (ret), "=m" (*tv), "=m" (*tz)
-		: "0" (__NR_gettimeofday), "g" (tv), "c" (tz)
+		: "0" (__NR_gettimeofday), [tv] "g" (tv), "c" (tz)
 		: "memory", "edx");
 	return ret;
 }
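Review bot: The gettimeofday() fallback in vdso_fallback_gtod() has no regression coverage in this backport, because the backport note says the selftest changes were dropped. With three outputs the old %2 named the "=m" (*tz) operand instead of tv, so this is the path where a stale index does the most damage. Please state in the changelog how the 32-bit fallback was exercised on 3.16; the Tested-by tag does not say which path was covered.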



* [PATCH 3.16 096/305] parisc: Fix address in HPMC IVA
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 061/305] x86, hibernate: Fix nosave_regions setup for hibernation Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 014/305] disable new gcc-7.1.1 warnings for now Ben Hutchings
                   ` (137 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, John David Anglin, Helge Deller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John David Anglin <dave.anglin@bell.net>

commit 1138b6718ff74d2a934459643e3754423d23b5e2 upstream.

Helge noticed that the address of the os_hpmc handler was not being
correctly calculated in the hpmc macro.  As a result, PDCE_CHECK would
fail to call os_hpmc:

<Cpu2> e800009802e00000  0000000000000000  CC_ERR_CHECK_HPMC
<Cpu2> 37000f7302e00000  8040004000000000  CC_ERR_CPU_CHECK_SUMMARY
<Cpu2> f600105e02e00000  fffffff0f0c00000  CC_MC_HPMC_MONARCH_SELECTED
<Cpu2> 140003b202e00000  000000000000000b  CC_ERR_HPMC_STATE_ENTRY
<Cpu2> 5600100b02e00000  00000000000001a0  CC_MC_OS_HPMC_LEN_ERR
<Cpu2> 5600106402e00000  fffffff0f0438e70  CC_MC_BR_TO_OS_HPMC_FAILED
<Cpu2> e800009802e00000  0000000000000000  CC_ERR_CHECK_HPMC
<Cpu2> 37000f7302e00000  8040004000000000  CC_ERR_CPU_CHECK_SUMMARY
<Cpu2> 4000109f02e00000  0000000000000000  CC_MC_HPMC_INITIATED
<Cpu2> 4000101902e00000  0000000000000000  CC_MC_MULTIPLE_HPMCS
<Cpu2> 030010d502e00000  0000000000000000  CC_CPU_STOP

The address problem can be seen by dumping the fault vector:

0000000040159000 <fault_vector_20>:
    40159000:   63 6f 77 73     stb r15,-2447(dp)
    40159004:   20 63 61 6e     ldil L%b747000,r3
    40159008:   20 66 6c 79     ldil L%-1c3b3000,r3
        ...
    40159020:   08 00 02 40     nop
    40159024:   20 6e 60 02     ldil L%15d000,r3
    40159028:   34 63 00 00     ldo 0(r3),r3
    4015902c:   e8 60 c0 02     bv,n r0(r3)
    40159030:   08 00 02 40     nop
    40159034:   00 00 00 00     break 0,0
    40159038:   c0 00 70 00     bb,*< r0,sar,40159840 <fault_vector_20+0x840>
    4015903c:   00 00 00 00     break 0,0

Location 40159038 should contain the physical address of os_hpmc:

000000004015d000 <os_hpmc>:
    4015d000:   08 1a 02 43     copy r26,r3
    4015d004:   01 c0 08 a4     mfctl iva,r4
    4015d008:   48 85 00 68     ldw 34(r4),r5

This patch moves the address setup into initialize_ivt to resolve the
above problem.  I tested the change by dumping the HPMC entry after setup:

0000000040209020:  8000240
0000000040209024: 206a2004
0000000040209028: 34630ac0
000000004020902c: e860c002
0000000040209030:  8000240
0000000040209034: 1bdddce6
0000000040209038:   15d000
000000004020903c:      1a0

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/parisc/kernel/entry.S | 2 +-
 arch/parisc/kernel/traps.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -176,7 +176,7 @@
 	bv,n	0(%r3)
 	nop
 	.word	0		/* checksum (will be patched) */
-	.word	PA(os_hpmc)	/* address of handler */
+	.word	0		/* address of handler */
 	.word	0		/* length of handler */
 	.endm
 
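Review bot: The changed ".word 0" line keeps the bare comment "address of handler" and no longer says where the value comes from, unlike the checksum line above it, which is marked "(will be patched)". Extend the comment in the same way, for example "address of handler (set in traps.c)", so that a reader of the macro does not take the zero for the real vector.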
--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -833,7 +833,8 @@ int __init check_ivt(void *iva)
 	for (i = 0; i < 8; i++)
 	    *ivap++ = 0;
 
-	/* Compute Checksum for HPMC handler */
+	/* Setup IVA and compute checksum for HPMC handler */
+	ivap[6] = (u32)__pa(os_hpmc);
 	length = os_hpmc_size;
 	ivap[7] = length;
 
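Review bot: The added assignment to ivap[6] casts __pa(os_hpmc) to u32 without any check, and the slot indices 6 and 7 are bare numbers. The slot is a .word in entry.S, so 32 bits is the available width, but a check or at least a comment that os_hpmc must lie below 4 GB, plus named constants for the address and length slots, would make the assumption explicit.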



* [PATCH 3.16 100/305] xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (274 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 259/305] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 233/305] USB: usb-storage: Add new IDs to ums-realtek Ben Hutchings
                   ` (29 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Carlos Maiolino, Dave Chinner, Eric Sandeen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Carlos Maiolino <cmaiolino@redhat.com>

commit 41657e5507b13e963be906d5d874f4f02374fd5c upstream.

The addition of FIBT, RMAP and REFCOUNT changed the offsets into
__xfsstats structure.

This caused xqmstat_proc_show() to display garbage data via
/proc/fs/xfs/xqmstat, once it relies on the offsets marked via macros.

Fix it.

Fixes: 00f4e4f9 xfs: add rmap btree stats infrastructure
Fixes: aafc3c24 xfs: support the XFS_BTNUM_FINOBT free inode btree type
Fixes: 46eeb521 xfs: introduce refcount btree definitions
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
[bwh: Backported to 3.16:
 - Only the FIBT stats have been added, so start from XFSSTAT_END_FIBT_V2
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_stats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/xfs/xfs_stats.c
+++ b/fs/xfs/xfs_stats.c
@@ -135,7 +135,7 @@ static int xqmstat_proc_show(struct seq_
 	int j;
 
 	seq_printf(m, "qm");
-	for (j = XFSSTAT_END_IBT_V2; j < XFSSTAT_END_XQMSTAT; j++)
+	for (j = XFSSTAT_END_FIBT_V2; j < XFSSTAT_END_XQMSTAT; j++)
 		seq_printf(m, " %u", counter_val(j));
 	seq_putc(m, '\n');
 	return 0;
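Review bot: The loop start in xqmstat_proc_show() is still tied to whichever btree stats group happens to come last (XFSSTAT_END_FIBT_V2 in this tree), which is the coupling that produced the garbage output when new groups were added. A dedicated start-of-quota-stats marker, or a comment next to the XFSSTAT_END_* definitions saying that this loop must be updated when a group is inserted before the qm counters, would keep the next addition from breaking /proc/fs/xfs/xqmstat again.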



* [PATCH 3.16 291/305] KVM: X86: Fix NULL deref in vcpu_scan_ioapic
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (278 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 283/305] scsi: sd: use mempool for discard special page Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 027/305] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters Ben Hutchings
                   ` (25 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paolo Bonzini, Radim Krčmář,
	syzbot+39810e6c400efadfef71, Wanpeng Li

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpengli@tencent.com>

commit dcbd3e49c2f0b2c2d8a321507ff8f3de4af76d7c upstream.

Reported by syzkaller:

    CPU: 1 PID: 5962 Comm: syz-executor118 Not tainted 4.20.0-rc6+ #374
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:kvm_apic_hw_enabled arch/x86/kvm/lapic.h:169 [inline]
    RIP: 0010:vcpu_scan_ioapic arch/x86/kvm/x86.c:7449 [inline]
    RIP: 0010:vcpu_enter_guest arch/x86/kvm/x86.c:7602 [inline]
    RIP: 0010:vcpu_run arch/x86/kvm/x86.c:7874 [inline]
    RIP: 0010:kvm_arch_vcpu_ioctl_run+0x5296/0x7320 arch/x86/kvm/x86.c:8074
    Call Trace:
	 kvm_vcpu_ioctl+0x5c8/0x1150 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2596
	 vfs_ioctl fs/ioctl.c:46 [inline]
	 file_ioctl fs/ioctl.c:509 [inline]
	 do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
	 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
	 __do_sys_ioctl fs/ioctl.c:720 [inline]
	 __se_sys_ioctl fs/ioctl.c:718 [inline]
	 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
	 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
	 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT14 msr
and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
However, irqchip is not initialized by this simple testcase, ioapic/apic
objects should not be accessed.

This patch fixes it by also considering whether or not apic is present.

Reported-by: syzbot+39810e6c400efadfef71@syzkaller.appspotmail.com
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6054,7 +6054,7 @@ static void vcpu_scan_ioapic(struct kvm_
 	u64 eoi_exit_bitmap[4];
 	u32 tmr[8];
 
-	if (!kvm_apic_hw_enabled(vcpu->arch.apic))
+	if (!kvm_apic_present(vcpu))
 		return;
 
 	memset(eoi_exit_bitmap, 0, 32);
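Review bot: The early return in vcpu_scan_ioapic() now relies on kvm_apic_present() both to guard against a NULL vcpu->arch.apic and to keep the hardware-enabled test that kvm_apic_hw_enabled() performed before, but the helper's body is not part of this patch. The changelog says the fix "also" considers presence; please confirm that the 3.16 definition of kvm_apic_present() covers both conditions, since the backport note only mentions adjusted context.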



* [PATCH 3.16 019/305] media: v4l: event: Add subscription to list before calling "add" operation
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (147 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 170/305] mac80211_hwsim: Timer should be initialized before device registered Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 140/305] x86/hyper-v: Enable PIT shutdown quirk Ben Hutchings
                   ` (156 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sakari Ailus, Mauro Carvalho Chehab,
	Hans Verkuil, Dave Stevenson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sakari Ailus <sakari.ailus@linux.intel.com>

commit 92539d3eda2c090b382699bbb896d4b54e9bdece upstream.

Patch ad608fbcf166 changed how events were subscribed to address an issue
elsewhere. As a side effect of that change, the "add" callback was called
before the event subscription was added to the list of subscribed events,
causing the first event queued by the add callback (and possibly other
events arriving soon afterwards) to be lost.

Fix this by adding the subscription to the list before calling the "add"
callback, and clean up afterwards if that fails.

Fixes: ad608fbcf166 ("media: v4l: event: Prevent freeing event subscriptions while accessed")

Reported-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Tested-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/v4l2-core/v4l2-event.c | 43 ++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 19 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-event.c
+++ b/drivers/media/v4l2-core/v4l2-event.c
@@ -194,6 +194,22 @@ int v4l2_event_pending(struct v4l2_fh *f
 }
 EXPORT_SYMBOL_GPL(v4l2_event_pending);
 
+static void __v4l2_event_unsubscribe(struct v4l2_subscribed_event *sev)
+{
+	struct v4l2_fh *fh = sev->fh;
+	unsigned int i;
+
+	lockdep_assert_held(&fh->subscribe_lock);
+	assert_spin_locked(&fh->vdev->fh_lock);
+
+	/* Remove any pending events for this subscription */
+	for (i = 0; i < sev->in_use; i++) {
+		list_del(&sev->events[sev_pos(sev, i)].list);
+		fh->navailable--;
+	}
+	list_del(&sev->list);
+}
+
 int v4l2_event_subscribe(struct v4l2_fh *fh,
 			 const struct v4l2_event_subscription *sub, unsigned elems,
 			 const struct v4l2_subscribed_event_ops *ops)
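Review bot: __v4l2_event_unsubscribe() checks its two locks with different primitives, lockdep_assert_held() for subscribe_lock and assert_spin_locked() for fh_lock, and has no comment stating the locking contract. A short comment above the helper ("caller holds fh->subscribe_lock and fh->vdev->fh_lock") would document the requirement for both callers, and using one style of assertion for both locks would read more consistently.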
@@ -225,27 +241,23 @@ int v4l2_event_subscribe(struct v4l2_fh
 
 	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
 	found_ev = v4l2_event_subscribed(fh, sub->type, sub->id);
+	if (!found_ev)
+		list_add(&sev->list, &fh->subscribed);
 	spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
 
 	if (found_ev) {
 		/* Already listening */
 		kfree(sev);
-		goto out_unlock;
-	}
-
-	if (sev->ops && sev->ops->add) {
+	} else if (sev->ops && sev->ops->add) {
 		ret = sev->ops->add(sev, elems);
 		if (ret) {
+			spin_lock_irqsave(&fh->vdev->fh_lock, flags);
+			__v4l2_event_unsubscribe(sev);
+			spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
 			kfree(sev);
-			goto out_unlock;
 		}
 	}
 
-	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
-	list_add(&sev->list, &fh->subscribed);
-	spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
-
-out_unlock:
 	mutex_unlock(&fh->subscribe_lock);
 
 	return ret;
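Review bot: With list_add() now done before sev->ops->add() in v4l2_event_subscribe(), the subscription becomes visible to the event queueing path as soon as fh_lock is dropped, so every field of sev that this path reads must already be initialised at that point. The initialisation sits above this hunk and should be re-checked against the 3.16 code. On the add() failure path, a comment explaining that __v4l2_event_unsubscribe() is needed to drop events queued while the entry was briefly on the list would also help.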
@@ -280,7 +292,6 @@ int v4l2_event_unsubscribe(struct v4l2_f
 {
 	struct v4l2_subscribed_event *sev;
 	unsigned long flags;
-	int i;
 
 	if (sub->type == V4L2_EVENT_ALL) {
 		v4l2_event_unsubscribe_all(fh);
@@ -292,14 +303,8 @@ int v4l2_event_unsubscribe(struct v4l2_f
 	spin_lock_irqsave(&fh->vdev->fh_lock, flags);
 
 	sev = v4l2_event_subscribed(fh, sub->type, sub->id);
-	if (sev != NULL) {
-		/* Remove any pending events for this subscription */
-		for (i = 0; i < sev->in_use; i++) {
-			list_del(&sev->events[sev_pos(sev, i)].list);
-			fh->navailable--;
-		}
-		list_del(&sev->list);
-	}
+	if (sev != NULL)
+		__v4l2_event_unsubscribe(sev);
 
 	spin_unlock_irqrestore(&fh->vdev->fh_lock, flags);
 
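Review bot: v4l2_event_unsubscribe() now calls a helper that asserts fh->subscribe_lock is held, but the acquisition of that lock is not visible in this hunk. Please confirm that the 3.16 version of this function takes subscribe_lock before the spin_lock_irqsave() shown here; otherwise the new lockdep_assert_held() will fire on every unsubscribe.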



* [PATCH 3.16 094/305] KVM: nVMX: Always reflect #NM VM-exits to L1
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 031/305] s390/qeth: invoke softirqs after napi_schedule() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 055/305] w1: omap-hdq: fix missing bus unregister at removal Ben Hutchings
                   ` (245 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Liran Alon, Jim Mattson, Abhiroop Dabral,
	Peter Shier, Paolo Bonzini

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Mattson <jmattson@google.com>

commit 3c6e099fa15fdb6fb1892199ed8709012e1294f2 upstream.

When bit 3 (corresponding to CR0.TS) of the VMCS12 cr0_guest_host_mask
field is clear, the VMCS12 guest_cr0 field does not necessarily hold
the current value of the L2 CR0.TS bit, so the code that checked for
L2's CR0.TS bit being set was incorrect. Moreover, I'm not sure that
the CR0.TS check was adequate. (What if L2's CR0.EM was set, for
instance?)

Fortunately, lazy FPU has gone away, so L0 has lost all interest in
intercepting #NM exceptions. See commit bd7e5b0899a4 ("KVM: x86:
remove code for lazy FPU handling"). Therefore, there is no longer any
question of which hypervisor gets first dibs. The #NM VM-exit should
always be reflected to L1. (Note that the corresponding bit must be
set in the VMCS12 exception_bitmap field for there to be an #NM
VM-exit at all.)

Fixes: ccf9844e5d99c ("kvm, vmx: Really fix lazy FPU on nested guest")
Reported-by: Abhiroop Dabral <adabral@paloaltonetworks.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Tested-by: Abhiroop Dabral <adabral@paloaltonetworks.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
 - is_no_device() hadn't been converted to use is_exception_n()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/vmx.c | 8 --------
 1 file changed, 8 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -847,13 +847,6 @@ static inline bool is_page_fault(u32 int
 		(INTR_TYPE_HARD_EXCEPTION | PF_VECTOR | INTR_INFO_VALID_MASK);
 }
 
-static inline bool is_no_device(u32 intr_info)
-{
-	return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
-			     INTR_INFO_VALID_MASK)) ==
-		(INTR_TYPE_HARD_EXCEPTION | NM_VECTOR | INTR_INFO_VALID_MASK);
-}
-
 static inline bool is_invalid_opcode(u32 intr_info)
 {
 	return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
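Review bot: Removing is_no_device() outright is only safe if nothing else in the 3.16 vmx.c still calls it, and the backport note mentions the helper only to say it had not been converted to is_exception_n(). Please check for remaining callers in this tree. The diffstat above also lists 8 deletions while the two hunks remove 10 lines, so the posted diff and its summary do not match and one of them should be regenerated.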
@@ -6939,9 +6932,6 @@ static bool nested_vmx_exit_handled(stru
 			return 0;
 		else if (is_page_fault(intr_info))
 			return enable_ept;
-		else if (is_no_device(intr_info) &&
-			 !(vmcs12->guest_cr0 & X86_CR0_TS))
-			return 0;
 		return vmcs12->exception_bitmap &
 				(1u << (intr_info & INTR_INFO_VECTOR_MASK));
 	case EXIT_REASON_EXTERNAL_INTERRUPT:
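Review bot: Dropping the is_no_device()/guest_cr0 branch in nested_vmx_exit_handled() is justified in the changelog by lazy FPU handling having been removed (commit bd7e5b0899a4), but the backport note does not say whether that removal is present in 3.16. If L0 on this branch still intercepts #NM for its own lazy FPU switching, reflecting every #NM VM-exit to L1 changes behaviour beyond what the upstream commit intended; please state which case applies.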



* [PATCH 3.16 037/305] cipso: don't use IPCB() to locate the CIPSO IP option
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 194/305] libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 001/305] x86/asm: Add pud/pmd mask interfaces to handle large PAT bit Ben Hutchings
                   ` (182 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paul Moore, Casey Schaufler

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Moore <pmoore@redhat.com>

commit 04f81f0154e4bf002be6f4d85668ce1257efa4d9 upstream.

Using the IPCB() macro to get the IPv4 options is convenient, but
unfortunately NetLabel often needs to examine the CIPSO option outside
of the scope of the IP layer in the stack.  While historically IPCB()
worked above the IP layer, due to the inclusion of the inet_skb_param
struct at the head of the {tcp,udp}_skb_cb structs, recent commit
971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
reordered the tcp_skb_cb struct and invalidated this IPCB() trick.

This patch fixes the problem by creating a new function,
cipso_v4_optptr(), which locates the CIPSO option inside the IP header
without calling IPCB().  Unfortunately, this isn't as fast as a simple
lookup so some additional tweaks were made to limit the use of this
new function.

Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/cipso_ipv4.h     | 25 +++++++++++-------
 net/ipv4/cipso_ipv4.c        | 51 +++++++++++++++++++++---------------
 net/netlabel/netlabel_kapi.c | 15 +++++++----
 3 files changed, 56 insertions(+), 35 deletions(-)

--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -121,13 +121,6 @@ extern int cipso_v4_rbm_strictvalid;
 #endif
 
 /*
- * Helper Functions
- */
-
-#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0)
-#define CIPSO_V4_OPTPTR(x) (skb_network_header(x) + IPCB(x)->opt.cipso)
-
-/*
  * DOI List Functions
  */
 
@@ -190,7 +183,7 @@ static inline int cipso_v4_doi_domhsh_re
 
 #ifdef CONFIG_NETLABEL
 void cipso_v4_cache_invalidate(void);
-int cipso_v4_cache_add(const struct sk_buff *skb,
+int cipso_v4_cache_add(const unsigned char *cipso_ptr,
 		       const struct netlbl_lsm_secattr *secattr);
 #else
 static inline void cipso_v4_cache_invalidate(void)
@@ -198,7 +191,7 @@ static inline void cipso_v4_cache_invali
 	return;
 }
 
-static inline int cipso_v4_cache_add(const struct sk_buff *skb,
+static inline int cipso_v4_cache_add(const unsigned char *cipso_ptr,
 				     const struct netlbl_lsm_secattr *secattr)
 {
 	return 0;
@@ -211,6 +204,8 @@ static inline int cipso_v4_cache_add(con
 
 #ifdef CONFIG_NETLABEL
 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
+int cipso_v4_getattr(const unsigned char *cipso,
+		     struct netlbl_lsm_secattr *secattr);
 int cipso_v4_sock_setattr(struct sock *sk,
 			  const struct cipso_v4_doi *doi_def,
 			  const struct netlbl_lsm_secattr *secattr);
@@ -226,6 +221,7 @@ int cipso_v4_skbuff_setattr(struct sk_bu
 int cipso_v4_skbuff_delattr(struct sk_buff *skb);
 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
 			    struct netlbl_lsm_secattr *secattr);
+unsigned char *cipso_v4_optptr(const struct sk_buff *skb);
 int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option);
 #else
 static inline void cipso_v4_error(struct sk_buff *skb,
@@ -235,6 +231,12 @@ static inline void cipso_v4_error(struct
 	return;
 }
 
+static inline int cipso_v4_getattr(const unsigned char *cipso,
+				   struct netlbl_lsm_secattr *secattr)
+{
+	return -ENOSYS;
+}
+
 static inline int cipso_v4_sock_setattr(struct sock *sk,
 				      const struct cipso_v4_doi *doi_def,
 				      const struct netlbl_lsm_secattr *secattr)
@@ -282,6 +284,11 @@ static inline int cipso_v4_skbuff_getatt
 	return -ENOSYS;
 }
 
+static inline unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+{
+	return NULL;
+}
+
 static inline int cipso_v4_validate(const struct sk_buff *skb,
 				    unsigned char **option)
 {
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -376,20 +376,18 @@ static int cipso_v4_cache_check(const un
  * negative values on failure.
  *
  */
-int cipso_v4_cache_add(const struct sk_buff *skb,
+int cipso_v4_cache_add(const unsigned char *cipso_ptr,
 		       const struct netlbl_lsm_secattr *secattr)
 {
 	int ret_val = -EPERM;
 	u32 bkt;
 	struct cipso_v4_map_cache_entry *entry = NULL;
 	struct cipso_v4_map_cache_entry *old_entry = NULL;
-	unsigned char *cipso_ptr;
 	u32 cipso_ptr_len;
 
 	if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0)
 		return 0;
 
-	cipso_ptr = CIPSO_V4_OPTPTR(skb);
 	cipso_ptr_len = cipso_ptr[1];
 
 	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
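Review bot: cipso_v4_cache_add() now takes a bare cipso_ptr and immediately trusts cipso_ptr[1] as the option length, with nothing in the prototype or in the visible part of the kernel-doc saying that the pointer must reference an option that has already been validated. Update the kernel-doc for the renamed parameter and state that precondition there, since the pointer no longer comes from the skb inside this function.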
@@ -1592,6 +1590,33 @@ static int cipso_v4_parsetag_loc(const s
 }
 
 /**
+ * cipso_v4_optptr - Find the CIPSO option in the packet
+ * @skb: the packet
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
+ * to the start of the CIPSO option on success, NULL if one if not found.
+ *
+ */
+unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+{
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned char *optptr = (unsigned char *)&(ip_hdr(skb)[1]);
+	int optlen;
+	int taglen;
+
+	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+		if (optptr[0] == IPOPT_CIPSO)
+			return optptr;
+		taglen = optptr[1];
+		optlen -= taglen;
+		optptr += taglen;
+	}
+
+	return NULL;
+}
+
+/**
  * cipso_v4_validate - Validate a CIPSO option
  * @option: the start of the option, on error it is set to point to the error
  *
@@ -2136,8 +2161,8 @@ void cipso_v4_req_delattr(struct request
  * on success and negative values on failure.
  *
  */
-static int cipso_v4_getattr(const unsigned char *cipso,
-			    struct netlbl_lsm_secattr *secattr)
+int cipso_v4_getattr(const unsigned char *cipso,
+		     struct netlbl_lsm_secattr *secattr)
 {
 	int ret_val = -ENOMSG;
 	u32 doi;
@@ -2322,22 +2347,6 @@ int cipso_v4_skbuff_delattr(struct sk_bu
 	return 0;
 }
 
-/**
- * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
- * @skb: the packet
- * @secattr: the security attributes
- *
- * Description:
- * Parse the given packet's CIPSO option and return the security attributes.
- * Returns zero on success and negative values on failure.
- *
- */
-int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
-			    struct netlbl_lsm_secattr *secattr)
-{
-	return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr);
-}
-
 /*
  * Setup Functions
  */
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -948,10 +948,12 @@ int netlbl_skbuff_getattr(const struct s
 			  u16 family,
 			  struct netlbl_lsm_secattr *secattr)
 {
+	unsigned char *ptr;
+
 	switch (family) {
 	case AF_INET:
-		if (CIPSO_V4_OPTEXIST(skb) &&
-		    cipso_v4_skbuff_getattr(skb, secattr) == 0)
+		ptr = cipso_v4_optptr(skb);
+		if (ptr && cipso_v4_getattr(ptr, secattr) == 0)
 			return 0;
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
@@ -977,7 +979,7 @@ int netlbl_skbuff_getattr(const struct s
  */
 void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway)
 {
-	if (CIPSO_V4_OPTEXIST(skb))
+	if (cipso_v4_optptr(skb))
 		cipso_v4_error(skb, error, gateway);
 }
 
@@ -1009,11 +1011,14 @@ void netlbl_cache_invalidate(void)
 int netlbl_cache_add(const struct sk_buff *skb,
 		     const struct netlbl_lsm_secattr *secattr)
 {
+	unsigned char *ptr;
+
 	if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
 		return -ENOMSG;
 
-	if (CIPSO_V4_OPTEXIST(skb))
-		return cipso_v4_cache_add(skb, secattr);
+	ptr = cipso_v4_optptr(skb);
+	if (ptr)
+		return cipso_v4_cache_add(ptr, secattr);
 
 	return -ENOMSG;
 }
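
Review bot: netlbl_cache_add() receives only the skb, with no address family, yet it now calls cipso_v4_optptr(skb), which reads ip_hdr(skb) and walks the IPv4 options unconditionally. netlbl_skbuff_getattr() above only makes that call under "case AF_INET", and netlbl_skbuff_err() has the same gap as this function. Confirm that every caller of these two functions passes an IPv4 packet, or have cipso_v4_optptr() check the header version before parsing.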


* [PATCH 3.16 036/305] PCI/ASPM: Fix link_state teardown on device removal
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lukas Wunner, Bjorn Helgaas, Shaohua Li

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit aeae4f3e5c38d47bdaef50446dc0ec857307df68 upstream.

Upon removal of the last device on a bus, the link_state of the bridge
leading to that bus is sought to be torn down by having pci_stop_dev()
call pcie_aspm_exit_link_state().

When ASPM was originally introduced by commit 7d715a6c1ae5 ("PCI: add
PCI Express ASPM support"), it determined whether the device being
removed is the last one by calling list_empty() on the bridge's
subordinate devices list.  That didn't work because the device is only
removed from the list slightly later in pci_destroy_dev().

Commit 3419c75e15f8 ("PCI: properly clean up ASPM link state on device
remove") attempted to fix it by calling list_is_last(), but that's not
correct either because it checks whether the device is at the *end* of
the list, not whether it's the last one *left* in the list.  If the user
removes the device which happens to be at the end of the list via sysfs
but other devices are preceding the device in the list, the link_state
is torn down prematurely.

The real fix is to move the invocation of pcie_aspm_exit_link_state() to
pci_destroy_dev() and reinstate the call to list_empty().  Remove a
duplicate check for dev->bus->self because pcie_aspm_exit_link_state()
already contains an identical check.

Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Shaohua Li <shaohua.li@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/pcie/aspm.c | 2 +-
 drivers/pci/remove.c    | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/pci/pcie/aspm.c
+++ b/drivers/pci/pcie/aspm.c
@@ -646,7 +646,7 @@ void pcie_aspm_exit_link_state(struct pc
 	 * All PCIe functions are in one slot, remove one function will remove
 	 * the whole slot, so just wait until we are the last function left.
 	 */
-	if (!list_is_last(&pdev->bus_list, &parent->subordinate->devices))
+	if (!list_empty(&parent->subordinate->devices))
 		goto out;
 
 	link = parent->link_state;
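
Review bot: The comment kept above the test in pcie_aspm_exit_link_state() still says to wait until "we are the last function left", but list_empty(&parent->subordinate->devices) can only be true once the caller has already unlinked pdev from the bus list. Extend the comment to say that the function must run after list_del(&dev->bus_list), as pci_destroy_dev() now does, and note whether the list is read under pci_bus_sem, since the new call site sits after up_write(&pci_bus_sem).
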
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -25,9 +25,6 @@ static void pci_stop_dev(struct pci_dev
 		device_release_driver(&dev->dev);
 		dev->is_added = 0;
 	}
-
-	if (dev->bus->self)
-		pcie_aspm_exit_link_state(dev);
 }
 
 static void pci_destroy_dev(struct pci_dev *dev)
@@ -41,6 +38,7 @@ static void pci_destroy_dev(struct pci_d
 	list_del(&dev->bus_list);
 	up_write(&pci_bus_sem);
 
+	pcie_aspm_exit_link_state(dev);
 	pci_free_resources(dev);
 	put_device(&dev->dev);
 }
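
The three last-device checks that the changelog compares, modelled in user space as an added example (not code from the patch or the kernel tree). The list helpers are re-implemented here with the semantics of <linux/list.h>; teardown_on_remove(), enum last_check and MAX_DEVS are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel's circular doubly linked list helpers, written
 * for this example with the same semantics as <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->next = e->prev = e;
}

static bool list_empty(const struct list_head *head)
{
	return head->next == head;
}

/* True when @e is the tail entry, however many entries precede it. */
static bool list_is_last(const struct list_head *e,
			 const struct list_head *head)
{
	return e->next == head;
}

enum last_check {
	EMPTY_BEFORE_DEL,	/* 7d715a6c1ae5: list_empty() while still linked */
	IS_LAST_BEFORE_DEL,	/* 3419c75e15f8: list_is_last() */
	EMPTY_AFTER_DEL,	/* this patch: list_del() first, then list_empty() */
};

#define MAX_DEVS 8

/*
 * Hypothetical model of one bus: link @ndevs devices, remove the one at index
 * @victim using the given check, and report whether the link state would be
 * torn down. *remaining receives the number of devices still on the bus, or
 * -1 when the arguments are out of range.
 */
static bool teardown_on_remove(int ndevs, int victim, enum last_check how,
			       int *remaining)
{
	struct list_head devices, dev[MAX_DEVS];
	struct list_head *pos;
	bool teardown = false;
	int i;

	if (ndevs < 1 || ndevs > MAX_DEVS || victim < 0 || victim >= ndevs) {
		*remaining = -1;
		return false;
	}

	list_init(&devices);
	for (i = 0; i < ndevs; i++)
		list_add_tail(&dev[i], &devices);

	/* The two older checks run while the victim is still on the list. */
	if (how == EMPTY_BEFORE_DEL)
		teardown = list_empty(&devices);
	else if (how == IS_LAST_BEFORE_DEL)
		teardown = list_is_last(&dev[victim], &devices);

	list_del(&dev[victim]);

	/* The fixed ordering asks the question only after unlinking. */
	if (how == EMPTY_AFTER_DEL)
		teardown = list_empty(&devices);

	*remaining = 0;
	for (pos = devices.next; pos != &devices; pos = pos->next)
		(*remaining)++;
	return teardown;
}

int main(void)
{
	static const char *name[] = {
		"empty-before-del", "is-last-before-del", "empty-after-del",
	};
	int how, left;

	for (how = EMPTY_BEFORE_DEL; how <= EMPTY_AFTER_DEL; how++) {
		bool tail = teardown_on_remove(3, 2, (enum last_check)how, &left);
		bool only = teardown_on_remove(1, 0, (enum last_check)how, &left);

		printf("%-19s tail of 3 removed: teardown=%d, only device removed: teardown=%d\n",
		       name[how], tail, only);
	}
	return 0;
}
```

Only the third ordering gives the right answer in both cases: the first never tears the link state down, and the second tears it down while two devices are still on the bus.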


* [PATCH 3.16 033/305] media: em28xx: fix input name for Terratec AV 350
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit 15644bfa195bd166d0a5ed76ae2d587f719c3dac upstream.

Instead of using a register value, use an AMUX name, as otherwise
VIDIOC_G_AUDIO would fail.

Fixes: 766ed64de554 ("V4L/DVB (11827): Add support for Terratec Grabster AV350")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/em28xx/em28xx-cards.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -2001,13 +2001,13 @@ struct em28xx_board em28xx_boards[] = {
 		.input           = { {
 			.type     = EM28XX_VMUX_COMPOSITE1,
 			.vmux     = TVP5150_COMPOSITE1,
-			.amux     = EM28XX_AUDIO_SRC_LINE,
+			.amux     = EM28XX_AMUX_LINE_IN,
 			.gpio     = terratec_av350_unmute_gpio,
 
 		}, {
 			.type     = EM28XX_VMUX_SVIDEO,
 			.vmux     = TVP5150_SVIDEO,
-			.amux     = EM28XX_AUDIO_SRC_LINE,
+			.amux     = EM28XX_AMUX_LINE_IN,
 			.gpio     = terratec_av350_unmute_gpio,
 		} },
 	},


* [PATCH 3.16 304/305] ipv6: tunnels: fix two use-after-free
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Klassert, Eric Dumazet, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit cbb49697d5512ce9e61b45ce75d3ee43d7ea5524 upstream.

xfrm6_policy_check() might have re-allocated skb->head, we need
to reload ipv6 header pointer.

syzbot reported:

BUG: KASAN: use-after-free in __ipv6_addr_type+0x302/0x32f net/ipv6/addrconf_core.c:40
Read of size 4 at addr ffff888191b8cb70 by task syz-executor2/1304

CPU: 0 PID: 1304 Comm: syz-executor2 Not tainted 4.20.0-rc7+ #356
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 __ipv6_addr_type+0x302/0x32f net/ipv6/addrconf_core.c:40
 ipv6_addr_type include/net/ipv6.h:403 [inline]
 ip6_tnl_get_cap+0x27/0x190 net/ipv6/ip6_tunnel.c:727
 ip6_tnl_rcv_ctl+0xdb/0x2a0 net/ipv6/ip6_tunnel.c:757
 vti6_rcv+0x336/0x8f3 net/ipv6/ip6_vti.c:321
 xfrm6_ipcomp_rcv+0x1a5/0x3a0 net/ipv6/xfrm6_protocol.c:132
 ip6_protocol_deliver_rcu+0x372/0x1940 net/ipv6/ip6_input.c:394
 ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:434
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:443
IPVS: ftp: loaded support on port[0] = 21
 ip6_mc_input+0x514/0x11c0 net/ipv6/ip6_input.c:537
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0x115/0x640 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5083
 process_backlog+0x24e/0x7a0 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x7fa/0x19b0 net/core/dev.c:6412
 __do_softirq+0x308/0xb7e kernel/softirq.c:292
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027
 </IRQ>
 do_softirq.part.14+0x126/0x160 kernel/softirq.c:337
 do_softirq+0x19/0x20 kernel/softirq.c:340
 netif_rx_ni+0x521/0x860 net/core/dev.c:4569
 dev_loopback_xmit+0x287/0x8c0 net/core/dev.c:3576
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_finish_output2+0x193a/0x2930 net/ipv6/ip6_output.c:84
 ip6_fragment+0x2b06/0x3850 net/ipv6/ip6_output.c:727
 ip6_finish_output+0x6b7/0xc50 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x232/0x9d0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 ip6_local_out+0xc5/0x1b0 net/ipv6/output_core.c:176
 ip6_send_skb+0xbc/0x340 net/ipv6/ip6_output.c:1727
 ip6_push_pending_frames+0xc5/0xf0 net/ipv6/ip6_output.c:1747
 rawv6_push_pending_frames net/ipv6/raw.c:615 [inline]
 rawv6_sendmsg+0x3a3e/0x4b40 net/ipv6/raw.c:945
kobject: 'queues' (0000000089e6eea2): kobject_add_internal: parent: 'tunl0', set: '<NULL>'
kobject: 'queues' (0000000089e6eea2): kobject_uevent_env
 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
kobject: 'queues' (0000000089e6eea2): kobject_uevent_env: filter function caused the event to drop!
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 sock_write_iter+0x35e/0x5c0 net/socket.c:900
 call_write_iter include/linux/fs.h:1857 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x6b8/0x9f0 fs/read_write.c:487
kobject: 'rx-0' (00000000e2d902d9): kobject_add_internal: parent: 'queues', set: 'queues'
kobject: 'rx-0' (00000000e2d902d9): kobject_uevent_env
 vfs_write+0x1fc/0x560 fs/read_write.c:549
 ksys_write+0x101/0x260 fs/read_write.c:598
kobject: 'rx-0' (00000000e2d902d9): fill_kobj_path: path = '/devices/virtual/net/tunl0/queues/rx-0'
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
kobject: 'tx-0' (00000000443b70ac): kobject_add_internal: parent: 'queues', set: 'queues'
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457669
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9bd200bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
RDX: 000000000000058f RSI: 00000000200033c0 RDI: 0000000000000003
kobject: 'tx-0' (00000000443b70ac): kobject_uevent_env
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9bd200c6d4
R13: 00000000004c2dcc R14: 00000000004da398 R15: 00000000ffffffff

Allocated by task 1304:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3684 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3698
 __kmalloc_reserve.isra.41+0x41/0xe0 net/core/skbuff.c:140
 __alloc_skb+0x155/0x760 net/core/skbuff.c:208
kobject: 'tx-0' (00000000443b70ac): fill_kobj_path: path = '/devices/virtual/net/tunl0/queues/tx-0'
 alloc_skb include/linux/skbuff.h:1011 [inline]
 __ip6_append_data.isra.49+0x2f1a/0x3f50 net/ipv6/ip6_output.c:1450
 ip6_append_data+0x1bc/0x2d0 net/ipv6/ip6_output.c:1619
 rawv6_sendmsg+0x15ab/0x4b40 net/ipv6/raw.c:938
 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2116
 __sys_sendmsg+0x11d/0x280 net/socket.c:2154
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg net/socket.c:2161 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
kobject: 'gre0' (00000000cb1b2d7b): kobject_add_internal: parent: 'net', set: 'devices'

Freed by task 1304:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3817
 skb_free_head+0x93/0xb0 net/core/skbuff.c:553
 pskb_expand_head+0x3b2/0x10d0 net/core/skbuff.c:1498
 __pskb_pull_tail+0x156/0x18a0 net/core/skbuff.c:1896
 pskb_may_pull include/linux/skbuff.h:2188 [inline]
 _decode_session6+0xd11/0x14d0 net/ipv6/xfrm6_policy.c:150
 __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:3272
kobject: 'gre0' (00000000cb1b2d7b): kobject_uevent_env
 __xfrm_policy_check+0x380/0x2c40 net/xfrm/xfrm_policy.c:3322
 __xfrm_policy_check2 include/net/xfrm.h:1170 [inline]
 xfrm_policy_check include/net/xfrm.h:1175 [inline]
 xfrm6_policy_check include/net/xfrm.h:1185 [inline]
 vti6_rcv+0x4bd/0x8f3 net/ipv6/ip6_vti.c:316
 xfrm6_ipcomp_rcv+0x1a5/0x3a0 net/ipv6/xfrm6_protocol.c:132
 ip6_protocol_deliver_rcu+0x372/0x1940 net/ipv6/ip6_input.c:394
 ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:434
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:443
 ip6_mc_input+0x514/0x11c0 net/ipv6/ip6_input.c:537
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0x115/0x640 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5083
 process_backlog+0x24e/0x7a0 net/core/dev.c:5923
kobject: 'gre0' (00000000cb1b2d7b): fill_kobj_path: path = '/devices/virtual/net/gre0'
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x7fa/0x19b0 net/core/dev.c:6412
 __do_softirq+0x308/0xb7e kernel/softirq.c:292

The buggy address belongs to the object at ffff888191b8cac0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 176 bytes inside of
 512-byte region [ffff888191b8cac0, ffff888191b8ccc0)
The buggy address belongs to the page:
page:ffffea000646e300 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0006eaaa48 ffffea00065356c8 ffff8881da800940
raw: 0000000000000000 ffff888191b8c0c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
kobject: 'queues' (000000005fd6226e): kobject_add_internal: parent: 'gre0', set: '<NULL>'

Memory state around the buggy address:
 ffff888191b8ca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888191b8ca80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff888191b8cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888191b8cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888191b8cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 0d3c703a9d17 ("ipv6: Cleanup IPv6 tunnel receive path")
Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Drop change in ipxip6_rcv()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -297,6 +297,7 @@ static int vti6_rcv(struct sk_buff *skb)
 			return 0;
 		}
 
+		ipv6h = ipv6_hdr(skb);
 		if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
 			t->dev->stats.rx_dropped++;
 			rcu_read_unlock();
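
Review bot: The reload "ipv6h = ipv6_hdr(skb);" in vti6_rcv() carries no comment saying why it is needed, so a later cleanup could drop it as a redundant assignment. Add a one-line comment that xfrm6_policy_check() may reallocate skb->head, and check whether any other pointer into the packet that was cached before that call is still used below this point.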


* [PATCH 3.16 292/305] KVM: Handle MSR_IA32_PERF_CTL
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Radim Krčmář, Dmitry Bilunov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Bilunov <kmeaw@yandex-team.ru>

commit 0c2df2a1affd183ba9c114915f42a2d464b4f58f upstream.

Intel CPUs having Turbo Boost feature implement an MSR to provide a
control interface via rdmsr/wrmsr instructions. One could detect the
presence of this feature by issuing one of these instructions and
handling the #GP exception which is generated in case the referenced MSR
is not implemented by the CPU.

KVM's vCPU model behaves exactly as a real CPU in this case by injecting
a fault when MSR_IA32_PERF_CTL is called (which KVM does not support).
However, some operating systems use this register during an early boot
stage in which their kernel is not capable of handling #GP correctly,
causing #DP and finally a triple fault effectively resetting the vCPU.

This patch implements a dummy handler for MSR_IA32_PERF_CTL to avoid the
crashes.

Signed-off-by: Dmitry Bilunov <kmeaw@yandex-team.ru>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2461,6 +2461,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
 	case MSR_AMD64_NB_CFG:
 	case MSR_FAM10H_MMIO_CONF_BASE:
 	case MSR_AMD64_BU_CFG2:
+	case MSR_IA32_PERF_CTL:
 		msr_info->data = 0;
 		break;
 	case MSR_P6_PERFCTR0:
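
Review bot: The new "case MSR_IA32_PERF_CTL:" is added to kvm_get_msr_common() only, and the diffstat shows a single insertion, so this covers a guest rdmsr but not a guest wrmsr, while the changelog describes probing through rdmsr/wrmsr. Say in the changelog whether guest writes to this MSR are already ignored elsewhere, or add the matching case on the set path.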


* [PATCH 3.16 032/305] media: em28xx: use a default format if TRY_FMT fails
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit f823ce2a1202d47110a7ef86b65839f0be8adc38 upstream.

Follow the V4L2 spec, as warned by v4l2-compliance:

	warn: v4l2-test-formats.cpp(732): TRY_FMT cannot handle an invalid pixelformat.
	warn: v4l2-test-formats.cpp(733): This may or may not be a problem. For more information see:
	warn: v4l2-test-formats.cpp(734): http://www.mail-archive.com/linux-media@vger.kernel.org/msg56550.html

Fixes: bddcf63313c6 ("V4L/DVB (9927): em28xx: use a more standard way to specify video formats")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/em28xx/em28xx-video.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -1279,9 +1279,9 @@ static int vidioc_try_fmt_vid_cap(struct
 
 	fmt = format_by_fourcc(f->fmt.pix.pixelformat);
 	if (!fmt) {
-		em28xx_videodbg("Fourcc format (%08x) invalid.\n",
-				f->fmt.pix.pixelformat);
-		return -EINVAL;
+		fmt = &format[0];
+		em28xx_videodbg("Fourcc format (%08x) invalid. Using default (%08x).\n",
+				f->fmt.pix.pixelformat, fmt->fourcc);
 	}
 
 	if (dev->board.is_em2800) {
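
Review bot: After the fallback "fmt = &format[0];" in vidioc_try_fmt_vid_cap(), f->fmt.pix.pixelformat still holds the invalid fourcc in the lines shown here. Confirm that the rest of the function writes fmt->fourcc back to the caller's structure, otherwise TRY_FMT returns success while still reporting a pixelformat the driver does not support. Indexing format[0] also makes the default depend on table order; a named default would be clearer.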


* [PATCH 3.16 035/305] media: tvp5150: fix width alignment during set_selection()
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Marco Felsch

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Felsch <m.felsch@pengutronix.de>

commit bd24db04101f45a9c1d874fe21b0c7eab7bcadec upstream.

The driver ignored the width alignment which exists due to the UYVY
colorspace format. Fix the width alignment and make use of the
provided v4l2 helper function to set the width, height and all
alignments in one.

Fixes: 963ddc63e20d ("[media] media: tvp5150: Add cropping support")

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/tvp5150.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/media/i2c/tvp5150.c
+++ b/drivers/media/i2c/tvp5150.c
@@ -873,9 +873,6 @@ static int tvp5150_s_crop(struct v4l2_su
 
 	/* tvp5150 has some special limits */
 	rect.left = clamp(rect.left, 0, TVP5150_MAX_CROP_LEFT);
-	rect.width = clamp_t(unsigned int, rect.width,
-			     TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
-			     TVP5150_H_MAX - rect.left);
 	rect.top = clamp(rect.top, 0, TVP5150_MAX_CROP_TOP);
 
 	/* Calculate height based on current standard */
@@ -889,9 +886,16 @@ static int tvp5150_s_crop(struct v4l2_su
 	else
 		hmax = TVP5150_V_MAX_OTHERS;
 
-	rect.height = clamp_t(unsigned int, rect.height,
+	/*
+	 * alignments:
+	 *  - width = 2 due to UYVY colorspace
+	 *  - height, image = no special alignment
+	 */
+	v4l_bound_align_image(&rect.width,
+			      TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
+			      TVP5150_H_MAX - rect.left, 1, &rect.height,
 			      hmax - TVP5150_MAX_CROP_TOP - rect.top,
-			      hmax - rect.top);
+			      hmax - rect.top, 0, 0);
 
 	tvp5150_write(sd, TVP5150_VERT_BLANKING_START, rect.top);
 	tvp5150_write(sd, TVP5150_VERT_BLANKING_STOP,
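
Review bot: The new comment in tvp5150_s_crop() says "width = 2" while the walign argument passed to v4l_bound_align_image() is 1. The helper takes its alignments as power-of-two exponents, so spell that out in the comment (for example "width aligned to 2 pixels, walign = 1") to keep a later reader from changing the argument to 2. UYVY is also a pixel format rather than a colorspace.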


* [PATCH 3.16 031/305] s390/qeth: invoke softirqs after napi_schedule()
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Julian Wiedmann, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.ibm.com>

commit 4d19db777a2f32c9b76f6fd517ed8960576cb43e upstream.

Calling napi_schedule() from process context does not ensure that the
NET_RX softirq is run in a timely fashion. So trigger it manually.

This is no big issue with current code. A call to ndo_open() is usually
followed by a ndo_set_rx_mode() call, and for qeth this contains a
spin_unlock_bh(). Except for OSN, where qeth_l2_set_rx_mode() bails out
early.
Nevertheless it's best to not depend on this behaviour, and just fix
the issue at its source like all other drivers do. For instance see
commit 83a0c6e58901 ("i40e: Invoke softirqs after napi_reschedule").

Fixes: a1c3ed4c9ca0 ("qeth: NAPI support for l2 and l3 discipline")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_l2_main.c | 3 +++
 drivers/s390/net/qeth_l3_main.c | 3 +++
 2 files changed, 6 insertions(+)

--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -856,7 +856,10 @@ static int __qeth_l2_open(struct net_dev
 
 	if (qdio_stop_irq(card->data.ccwdev, 0) >= 0) {
 		napi_enable(&card->napi);
+		local_bh_disable();
 		napi_schedule(&card->napi);
+		/* kick-start the NAPI softirq: */
+		local_bh_enable();
 	} else
 		rc = -EIO;
 	return rc;
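
Review bot: The comment "kick-start the NAPI softirq:" in __qeth_l2_open() sits between napi_schedule() and local_bh_enable() and does not explain why bottom halves are disabled first. Reword it to cover the whole pair: napi_schedule() from process context only raises NET_RX, and it is the local_bh_enable() that gets the pending softirq run.
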
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3127,7 +3127,10 @@ static int __qeth_l3_open(struct net_dev
 
 	if (qdio_stop_irq(card->data.ccwdev, 0) >= 0) {
 		napi_enable(&card->napi);
+		local_bh_disable();
 		napi_schedule(&card->napi);
+		/* kick-start the NAPI softirq: */
+		local_bh_enable();
 	} else
 		rc = -EIO;
 	return rc;
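
Review bot: __qeth_l3_open() gets the same local_bh_disable(), napi_schedule(), local_bh_enable() sequence, with the same comment, as __qeth_l2_open(). Consider a small shared helper so the two disciplines cannot drift apart if the sequence is changed again.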


* [PATCH 3.16 027/305] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Himanshu Madhani, Martin K. Petersen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@cavium.com>

commit 4c1458df9635c7e3ced155f594d2e7dfd7254e21 upstream.

Fixes: 6246b8a1d26c7c ("[SCSI] qla2xxx: Enhancements to support ISP83xx.")
Fixes: 1bb395485160d2 ("qla2xxx: Correct iiDMA-update calling conventions.")
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_mbx.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -3264,10 +3264,7 @@ qla2x00_set_idma_speed(scsi_qla_host_t *
 	mcp->mb[0] = MBC_PORT_PARAMS;
 	mcp->mb[1] = loop_id;
 	mcp->mb[2] = BIT_0;
-	if (IS_CNA_CAPABLE(vha->hw))
-		mcp->mb[3] = port_speed & (BIT_5|BIT_4|BIT_3|BIT_2|BIT_1|BIT_0);
-	else
-		mcp->mb[3] = port_speed & (BIT_2|BIT_1|BIT_0);
+	mcp->mb[3] = port_speed & (BIT_5|BIT_4|BIT_3|BIT_2|BIT_1|BIT_0);
 	mcp->mb[9] = vha->vp_idx;
 	mcp->out_mb = MBX_9|MBX_3|MBX_2|MBX_1|MBX_0;
 	mcp->in_mb = MBX_3|MBX_1|MBX_0;
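
Review bot: The changelog has no body, only Fixes tags, so nothing explains why the BIT_2|BIT_1|BIT_0 mask for non-CNA adapters in qla2x00_set_idma_speed() was wrong. The hunk drops the IS_CNA_CAPABLE() branch and applies the six-bit mask to every adapter; state which port_speed values the three-bit mask truncated, and whether every adapter that reaches this mailbox command accepts the wider field.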


* [PATCH 3.16 020/305] sparc32: Fix inverted invalid_frame_pointer checks on sigreturns
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Guenter Roeck, Andreas Larsson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Larsson <andreas@gaisler.com>

commit 07b5ab3f71d318e52c18cc3b73c1d44c908aacfa upstream.

Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sparc/kernel/signal_32.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/sparc/kernel/signal_32.c
+++ b/arch/sparc/kernel/signal_32.c
@@ -89,7 +89,7 @@ asmlinkage void do_sigreturn(struct pt_r
 	sf = (struct signal_frame __user *) regs->u_regs[UREG_FP];
 
 	/* 1. Make sure we are not getting garbage from the user */
-	if (!invalid_frame_pointer(sf, sizeof(*sf)))
+	if (invalid_frame_pointer(sf, sizeof(*sf)))
 		goto segv_and_exit;
 
 	if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
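
Review bot: The changelog is empty apart from the tags, although this is a fix to validation of a user-supplied pointer. With the "!" in place, do_sigreturn() jumped to segv_and_exit for every frame that invalid_frame_pointer() accepted and carried on to get_user() with the frames it had flagged as invalid, contradicting the "Make sure we are not getting garbage from the user" comment directly above. Describe that behaviour and its impact in the commit message so that the backport can be assessed properly.
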
@@ -150,7 +150,7 @@ asmlinkage void do_rt_sigreturn(struct p
 
 	synchronize_user_stack();
 	sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP];
-	if (!invalid_frame_pointer(sf, sizeof(*sf)))
+	if (invalid_frame_pointer(sf, sizeof(*sf)))
 		goto segv;
 
 	if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))


* [PATCH 3.16 028/305] scsi: qla2xxx: shutdown chip if reset fail
From: Ben Hutchings @ 2019-02-03 13:45 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Quinn Tran, Himanshu Madhani, Martin K. Petersen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Quinn Tran <quinn.tran@cavium.com>

commit 1e4ac5d6fe0a4af17e4b6251b884485832bf75a3 upstream.

If the chip is unable to fully initialize, use the full shutdown sequence to
clear out any stale FW state.

Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla2xxx/qla_init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -4667,7 +4667,7 @@ qla2x00_abort_isp(scsi_qla_host_t *vha)
 					 * The next call disables the board
 					 * completely.
 					 */
-					ha->isp_ops->reset_adapter(vha);
+					qla2x00_abort_isp_cleanup(vha);
 					vha->flags.online = 0;
 					clear_bit(ISP_ABORT_RETRY,
 					    &vha->dpc_flags);
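Review bot: The comment directly above the changed call still reads "The next call disables the board completely", which was written for ha->isp_ops->reset_adapter(vha); confirm it is still accurate for qla2x00_abort_isp_cleanup(vha), or reword it to say that the full shutdown sequence is run to clear stale firmware state, as the commit message puts it. It would also help to state whether the cleanup helper touches vha->flags.online itself, since the next line clears it unconditionally.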



* [PATCH 3.16 034/305] media: em28xx: make v4l2-compliance happier by starting sequence on zero
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 247/305] dmaengine: at_hdmac: fix memory leak in at_dma_xlate() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 102/305] dm ioctl: harden copy_params()'s copy_from_user() from malicious users Ben Hutchings
                   ` (292 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit afeaade90db4c5dab93f326d9582be1d5954a198 upstream.

The v4l2-compliance tool complains if a video doesn't start
with a zero sequence number.

While this shouldn't cause any real problem for apps, let's
make it happier, in order to better check the v4l2-compliance
differences before and after patchsets.

This is actually an old issue. It is there since at least its
videobuf2 conversion, e. g. changeset 3829fadc461 ("[media]
em28xx: convert to videobuf2"), if VB1 wouldn't suffer from
the same issue.

Fixes: d3829fadc461 ("[media] em28xx: convert to videobuf2")
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/em28xx/em28xx-video.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -928,6 +928,8 @@ int em28xx_start_analog_streaming(struct
 
 	em28xx_videodbg("%s\n", __func__);
 
+	dev->v4l2->field_count = 0;
+
 	/* Make sure streaming is not already in progress for this type
 	   of filehandle (e.g. video, vbi) */
 	rc = res_get(dev, vq->type);
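Review bot: `dev->v4l2->field_count = 0;` runs before the res_get(dev, vq->type) check that the following comment describes as making sure streaming is not already in progress, so the counter is reset even when that check fails. Moving the reset to after res_get() succeeds would avoid zeroing the sequence of a stream that is already running; if field_count is shared between the video and vbi queues, the commit message should say how a second queue starting is meant to behave.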



* [PATCH 3.16 014/305] disable new gcc-7.1.1 warnings for now
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (167 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 096/305] parisc: Fix address in HPMC IVA Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 269/305] xhci: Prevent U1/U2 link pm states if exit latency is too long Ben Hutchings
                   ` (136 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Linus Torvalds

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit bd664f6b3e376a8ef4990f87d08271cc2d01ba9a upstream.

I made the mistake of upgrading my desktop to the new Fedora 26 that
comes with gcc-7.1.1.

There's nothing wrong per se that I've noticed, but I now have 1500
lines of warnings, mostly from the new format-truncation warning
triggering all over the tree.

We use 'snprintf()' and friends in a lot of places, and often know that
the numbers are fairly small (ie a controller index or similar), but gcc
doesn't know that, and sees an 'int', and thinks that it could be some
huge number.  And then complains when our buffers are not able to fit
the name for the ten millionth controller.

These warnings aren't necessarily bad per se, and we probably want to
look through them subsystem by subsystem, but at least during the merge
window they just mean that I can't even see if somebody is introducing
any *real* problems when I pull.

So warnings disabled for now.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)

--- a/Makefile
+++ b/Makefile
@@ -617,6 +617,9 @@ include $(srctree)/arch/$(SRCARCH)/Makef
 
 KBUILD_CFLAGS	+= $(call cc-option,-fno-delete-null-pointer-checks,)
 KBUILD_CFLAGS	+= $(call cc-disable-warning,frame-address,)
+KBUILD_CFLAGS	+= $(call cc-disable-warning, format-truncation)
+KBUILD_CFLAGS	+= $(call cc-disable-warning, format-overflow)
+KBUILD_CFLAGS	+= $(call cc-disable-warning, int-in-bool-context)
 
 ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
 KBUILD_CFLAGS	+= -Os $(call cc-disable-warning,maybe-uninitialized,)
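Review bot: The three added lines switch the warnings off for the whole tree with no comment, although the commit message calls this a measure "for now"; a short comment above them naming gcc-7 and the intent to re-enable per subsystem would keep that from being forgotten. format-overflow in particular is the class that flags sprintf() calls able to write past their buffer, so it is the first one to turn back on. The new calls are also written `cc-disable-warning, format-truncation` with a space and no trailing comma, unlike `cc-disable-warning,frame-address,` on the line above; pick one form.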



* [PATCH 3.16 022/305] libertas_tf: prevent underflow in process_cmdrequest()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 204/305] usb: xhci: Prevent bus suspend if a port connect change or polling state is detected Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 305/305] x86/vdso: Fix vDSO syscall fallback asm constraint regression Ben Hutchings
                   ` (269 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kalle Valo, Dan Carpenter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 3348ef6a6a126706d6a73ed40c18d8033df72783 upstream.

If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.

Fixes: c305a19a0d0a ("libertas_tf: usb specific functions")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/libertas_tf/if_usb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/libertas_tf/if_usb.c
+++ b/drivers/net/wireless/libertas_tf/if_usb.c
@@ -610,9 +610,10 @@ static inline void process_cmdrequest(in
 				      struct if_usb_card *cardp,
 				      struct lbtf_private *priv)
 {
-	if (recvlength > LBS_CMD_BUFFER_SIZE) {
+	if (recvlength < MESSAGE_HEADER_LEN ||
+	    recvlength > LBS_CMD_BUFFER_SIZE) {
 		lbtf_deb_usbd(&cardp->udev->dev,
-			     "The receive buffer is too large\n");
+			     "The receive buffer is invalid: %d\n", recvlength);
 		kfree_skb(skb);
 		return;
 	}
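Review bot: The new lower bound `recvlength < MESSAGE_HEADER_LEN` depends on how recvlength is declared, and the hunk header cuts the parameter list off at `process_cmdrequest(in`; confirm the type is signed, or that the comparison cannot be defeated by integer promotion, and that it matches the `%d` now used in the debug message. The commit message says a short length "would end up corrupting memory" without naming the expression that underflows; one sentence pointing at it would make the fix easier to audit.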



* [PATCH 3.16 009/305] s390/dasd: Restore a necessary cast
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 001/305] x86/asm: Add pud/pmd mask interfaces to handle large PAT bit Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 264/305] mac80211: fix reordering of buffered broadcast packets Ben Hutchings
                   ` (180 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, kbuild test robot

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Commit c3925a3da617 "s390/dasd: fix IO error for newly defined
devices" removed a cast of dasd_device::private which was not
necessary in the upstream code.  However, in 3.16 the type of
dasd_device::private is char *, so the cast is still needed.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/s390/block/dasd_alias.c
+++ b/drivers/s390/block/dasd_alias.c
@@ -608,7 +608,8 @@ static int _schedule_lcu_update(struct a
 
 int dasd_alias_add_device(struct dasd_device *device)
 {
-	struct dasd_eckd_private *private = device->private;
+	struct dasd_eckd_private *private =
+		(struct dasd_eckd_private *)device->private;
 	__u8 uaddr = private->uid.real_unit_addr;
 	struct alias_lcu *lcu = private->lcu;
 	unsigned long flags;
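Review bot: The commit message says c3925a3da617 removed a cast that 3.16 still needs, but this diff restores it only in dasd_alias_add_device(); confirm that no other function touched by that backport assigns device->private to a struct dasd_eckd_private pointer without the cast. The patch also has no diffstat after the "---" line, unlike most of the series.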



* [PATCH 3.16 021/305] cpupower: remove stringop-truncation waring
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 256/305] media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 223/305] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Ben Hutchings
                   ` (223 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Anders Roxell, Shuah Khan (Samsung OSG)

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anders Roxell <anders.roxell@linaro.org>

commit 8a7e2d2ea080d10a189a1d611344b0330468ebc3 upstream.

The strncpy doesn't null terminate the string because the size is too
short by one byte.

parse.c: In function ‘prepare_default_config’:
parse.c:148:2: warning: ‘strncpy’ output truncated before terminating
    nul copying 8 bytes from a string of the same length
    [-Wstringop-truncation]
  strncpy(config->governor, "ondemand", 8);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The normal method of passing the length of the destination buffer works
correctly here.

Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features")
Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/power/cpupower/bench/parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/power/cpupower/bench/parse.c
+++ b/tools/power/cpupower/bench/parse.c
@@ -135,7 +135,7 @@ struct config *prepare_default_config()
 	config->cpu = 0;
 	config->prio = SCHED_HIGH;
 	config->verbose = 0;
-	strncpy(config->governor, "ondemand", 8);
+	strncpy(config->governor, "ondemand", sizeof(config->governor));
 
 	config->output = stdout;
 
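Review bot: `strncpy(config->governor, "ondemand", sizeof(config->governor))` leaves the string terminated only if governor is an array with room for more than the 8 characters copied, and its declaration is not in this hunk. If governor were a pointer, sizeof would give the pointer size, and if it were exactly 8 bytes the result would still be unterminated; state the declared size in the commit message, or write the final byte explicitly after the copy.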



* [PATCH 3.16 001/305] x86/asm: Add pud/pmd mask interfaces to handle large PAT bit
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 037/305] cipso: don't use IPCB() to locate the CIPSO IP option Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 009/305] s390/dasd: Restore a necessary cast Ben Hutchings
                   ` (181 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Konrad Wilk, H. Peter Anvin, Robert Elliot,
	Wenkuan Wang, Thomas Gleixner, Borislav Petkov, Toshi Kani,
	linux-mm, Ingo Molnar, Juergen Gross

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Toshi Kani <toshi.kani@hpe.com>

commit 4be4c1fb9a754b100466ebaec50f825be0b2050b upstream.

The PAT bit gets relocated to bit 12 when PUD and PMD mappings are
used.  This bit 12, however, is not covered by PTE_FLAGS_MASK, which
is used for masking pfn and flags for all levels.

Add pud/pmd mask interfaces to handle pfn and flags properly by using
P?D_PAGE_MASK when PUD/PMD mappings are used, i.e. PSE bit is set.

Suggested-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Juergen Gross <jgross@suse.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: Robert Elliot <elliott@hpe.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/1442514264-12475-4-git-send-email-toshi.kani@hpe.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Wenkuan Wang <Wenkuan.Wang@windriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/pgtable_types.h | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -257,10 +257,10 @@
 
 #include <linux/types.h>
 
-/* PTE_PFN_MASK extracts the PFN from a (pte|pmd|pud|pgd)val_t */
+/* Extracts the PFN from a (pte|pmd|pud|pgd)val_t of a 4KB page */
 #define PTE_PFN_MASK		((pteval_t)PHYSICAL_PAGE_MASK)
 
-/* PTE_FLAGS_MASK extracts the flags from a (pte|pmd|pud|pgd)val_t */
+/* Extracts the flags from a (pte|pmd|pud|pgd)val_t of a 4KB page */
 #define PTE_FLAGS_MASK		(~PTE_PFN_MASK)
 
 typedef struct pgprot { pgprotval_t pgprot; } pgprot_t;
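Review bot: The reworded comments restrict PTE_PFN_MASK and PTE_FLAGS_MASK to "a 4KB page" but still list (pte|pmd|pud|pgd)val_t, which reads as if the macros remain valid for any pmd or pud value. Say explicitly that for pmd/pud entries they apply only when _PAGE_PSE is clear, and point readers at the new pud/pmd mask helpers added further down.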
@@ -329,11 +329,43 @@ static inline pmdval_t native_pmd_val(pm
 }
 #endif
 
+static inline pudval_t pud_pfn_mask(pud_t pud)
+{
+	if (native_pud_val(pud) & _PAGE_PSE)
+		return PUD_PAGE_MASK & PHYSICAL_PAGE_MASK;
+	else
+		return PTE_PFN_MASK;
+}
+
+static inline pudval_t pud_flags_mask(pud_t pud)
+{
+	if (native_pud_val(pud) & _PAGE_PSE)
+		return ~(PUD_PAGE_MASK & (pudval_t)PHYSICAL_PAGE_MASK);
+	else
+		return ~PTE_PFN_MASK;
+}
+
 static inline pudval_t pud_flags(pud_t pud)
 {
 	return native_pud_val(pud) & PTE_FLAGS_MASK;
 }
 
+static inline pmdval_t pmd_pfn_mask(pmd_t pmd)
+{
+	if (native_pmd_val(pmd) & _PAGE_PSE)
+		return PMD_PAGE_MASK & PHYSICAL_PAGE_MASK;
+	else
+		return PTE_PFN_MASK;
+}
+
+static inline pmdval_t pmd_flags_mask(pmd_t pmd)
+{
+	if (native_pmd_val(pmd) & _PAGE_PSE)
+		return ~(PMD_PAGE_MASK & (pmdval_t)PHYSICAL_PAGE_MASK);
+	else
+		return ~PTE_PFN_MASK;
+}
+
 static inline pmdval_t pmd_flags(pmd_t pmd)
 {
 	return native_pmd_val(pmd) & PTE_FLAGS_MASK;
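Review bot: pud_pfn_mask() and pmd_pfn_mask() return `PUD_PAGE_MASK & PHYSICAL_PAGE_MASK` and `PMD_PAGE_MASK & PHYSICAL_PAGE_MASK` with no cast, while the matching flags helpers cast PHYSICAL_PAGE_MASK to pudval_t/pmdval_t before the AND; use the same cast in all four so the mask width does not depend on the type of the macros. Also note that pud_flags() and pmd_flags(), visible as context here, still use PTE_FLAGS_MASK after this patch, so the new helpers have no callers in this diff and the fix depends on a later patch switching them over.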



* [PATCH 3.16 002/305] x86/asm: Move PUD_PAGE macros to page_types.h
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 189/305] batman-adv: Expand merged fragment buffer for full packet Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 262/305] usb: appledisplay: Add 27" Apple Cinema Display Ben Hutchings
                   ` (94 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, linux-mm, Ingo Molnar, Juergen Gross,
	Konrad Wilk, H. Peter Anvin, Thomas Gleixner, Wenkuan Wang,
	Robert Elliot, Borislav Petkov, Toshi Kani

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Toshi Kani <toshi.kani@hpe.com>

commit 832102671855f73962e7a04fdafd48b9385ea5c6 upstream.

PUD_SHIFT is defined according to a given kernel configuration, which
allows it to be commonly used by any x86 kernels.  However, PUD_PAGE_SIZE
and PUD_PAGE_MASK, which are set from PUD_SHIFT, are defined in
page_64_types.h, which can be used by 64-bit kernel only.

Move PUD_PAGE_SIZE and PUD_PAGE_MASK to page_types.h so that they can
be used by any x86 kernels as well.

Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Juergen Gross <jgross@suse.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: Robert Elliot <elliott@hpe.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/1442514264-12475-3-git-send-email-toshi.kani@hpe.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Wenkuan Wang <Wenkuan.Wang@windriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/page_64_types.h | 3 ---
 arch/x86/include/asm/page_types.h    | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/page_64_types.h
+++ b/arch/x86/include/asm/page_64_types.h
@@ -20,9 +20,6 @@
 #define MCE_STACK 4
 #define N_EXCEPTION_STACKS 4  /* hw limit: 7 */
 
-#define PUD_PAGE_SIZE		(_AC(1, UL) << PUD_SHIFT)
-#define PUD_PAGE_MASK		(~(PUD_PAGE_SIZE-1))
-
 /*
  * Set __PAGE_OFFSET to the most negative possible address +
  * PGDIR_SIZE*16 (pgd slot 272).  The gap is to allow a space for a
--- a/arch/x86/include/asm/page_types.h
+++ b/arch/x86/include/asm/page_types.h
@@ -20,6 +20,9 @@
 #define PMD_PAGE_SIZE		(_AC(1, UL) << PMD_SHIFT)
 #define PMD_PAGE_MASK		(~(PMD_PAGE_SIZE-1))
 
+#define PUD_PAGE_SIZE		(_AC(1, UL) << PUD_SHIFT)
+#define PUD_PAGE_MASK		(~(PUD_PAGE_SIZE-1))
+
 #define HPAGE_SHIFT		PMD_SHIFT
 #define HPAGE_SIZE		(_AC(1,UL) << HPAGE_SHIFT)
 #define HPAGE_MASK		(~(HPAGE_SIZE - 1))



* [PATCH 3.16 003/305] x86/asm: Fix pud/pmd interfaces to handle large PAT bit
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (259 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 151/305] USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 222/305] Btrfs: fix race between enabling quotas and subvolume creation Ben Hutchings
                   ` (44 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Konrad Wilk, Thomas Gleixner,
	Robert Elliot, Wenkuan Wang, H. Peter Anvin, Toshi Kani,
	Borislav Petkov, linux-mm, Juergen Gross, Ingo Molnar

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Toshi Kani <toshi.kani@hpe.com>

commit f70abb0fc3da1b2945c92751ccda2744081bf2b7 upstream.

Now that we have pud/pmd mask interfaces, which handle pfn & flags
mask properly for the large PAT bit.

Fix pud/pmd pfn & flags interfaces by replacing PTE_PFN_MASK and
PTE_FLAGS_MASK with the pud/pmd mask interfaces.

Suggested-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Juergen Gross <jgross@suse.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: Robert Elliot <elliott@hpe.com>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/1442514264-12475-5-git-send-email-toshi.kani@hpe.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Wenkuan Wang <Wenkuan.Wang@windriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/pgtable.h       | 14 ++++++++------
 arch/x86/include/asm/pgtable_types.h |  4 ++--
 2 files changed, 10 insertions(+), 8 deletions(-)

--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -156,14 +156,14 @@ static inline unsigned long pmd_pfn(pmd_
 {
 	phys_addr_t pfn = pmd_val(pmd);
 	pfn ^= protnone_mask(pfn);
-	return (pfn & PTE_PFN_MASK) >> PAGE_SHIFT;
+	return (pfn & pmd_pfn_mask(pmd)) >> PAGE_SHIFT;
 }
 
 static inline unsigned long pud_pfn(pud_t pud)
 {
 	phys_addr_t pfn = pud_val(pud);
 	pfn ^= protnone_mask(pfn);
-	return (pfn & PTE_PFN_MASK) >> PAGE_SHIFT;
+	return (pfn & pud_pfn_mask(pud)) >> PAGE_SHIFT;
 }
 
 #define pte_page(pte)	pfn_to_page(pte_pfn(pte))
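Review bot: In pmd_pfn() and pud_pfn() the value being masked has already been XORed with protnone_mask(pfn), but the mask is chosen by pmd_pfn_mask(pmd)/pud_pfn_mask(pud) from the original entry. Confirm that protnone_mask() never changes _PAGE_PSE, or add a comment saying why testing the unmodified entry is the intended behaviour.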
@@ -584,14 +584,15 @@ static inline int pmd_none(pmd_t pmd)
 
 static inline unsigned long pmd_page_vaddr(pmd_t pmd)
 {
-	return (unsigned long)__va(pmd_val(pmd) & PTE_PFN_MASK);
+	return (unsigned long)__va(pmd_val(pmd) & pmd_pfn_mask(pmd));
 }
 
 /*
  * Currently stuck as a macro due to indirect forward reference to
  * linux/mmzone.h's __section_mem_map_addr() definition:
  */
-#define pmd_page(pmd)	pfn_to_page((pmd_val(pmd) & PTE_PFN_MASK) >> PAGE_SHIFT)
+#define pmd_page(pmd)		\
+	pfn_to_page((pmd_val(pmd) & pmd_pfn_mask(pmd)) >> PAGE_SHIFT)
 
 /*
  * the pmd page can be thought of an array like this: pmd_t[PTRS_PER_PMD]
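Review bot: The rewritten pmd_page() macro now expands its argument twice, once in pmd_val(pmd) and once in pmd_pfn_mask(pmd), where the old form used it once; a caller passing an expression with side effects would evaluate it twice. The comment above explains why this is stuck as a macro, so either note the double evaluation there or check that callers pass plain values.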
@@ -657,14 +658,15 @@ static inline int pud_present(pud_t pud)
 
 static inline unsigned long pud_page_vaddr(pud_t pud)
 {
-	return (unsigned long)__va((unsigned long)pud_val(pud) & PTE_PFN_MASK);
+	return (unsigned long)__va(pud_val(pud) & pud_pfn_mask(pud));
 }
 
 /*
  * Currently stuck as a macro due to indirect forward reference to
  * linux/mmzone.h's __section_mem_map_addr() definition:
  */
-#define pud_page(pud)		pfn_to_page(pud_val(pud) >> PAGE_SHIFT)
+#define pud_page(pud)		\
+	pfn_to_page((pud_val(pud) & pud_pfn_mask(pud)) >> PAGE_SHIFT)
 
 /* Find an entry in the second-level page table.. */
 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
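Review bot: pud_page() previously applied no PFN mask at all (`pfn_to_page(pud_val(pud) >> PAGE_SHIFT)`), so this hunk adds masking rather than swapping one mask for another, while the commit message only mentions replacing PTE_PFN_MASK and PTE_FLAGS_MASK; call that behaviour change out. pud_page_vaddr() also drops the `(unsigned long)` cast on pud_val(pud) before the AND, which deserves a word on why it is no longer needed. As with pmd_page(), the macro now evaluates its argument twice.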
--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -347,7 +347,7 @@ static inline pudval_t pud_flags_mask(pu
 
 static inline pudval_t pud_flags(pud_t pud)
 {
-	return native_pud_val(pud) & PTE_FLAGS_MASK;
+	return native_pud_val(pud) & pud_flags_mask(pud);
 }
 
 static inline pmdval_t pmd_pfn_mask(pmd_t pmd)
@@ -368,7 +368,7 @@ static inline pmdval_t pmd_flags_mask(pm
 
 static inline pmdval_t pmd_flags(pmd_t pmd)
 {
-	return native_pmd_val(pmd) & PTE_FLAGS_MASK;
+	return native_pmd_val(pmd) & pmd_flags_mask(pmd);
 }
 
 static inline pte_t native_make_pte(pteval_t val)
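
The masking problem described in the 001/305 and 003/305 commit messages, worked through in userspace as an added example (not code from the patches). The constants are assumed x86-64 values written out locally, and the `make_large_pmd` and `*_old`/`*_new` helper names are made up for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 layout, defined locally so this builds in userspace. */
#define PAGE_SHIFT      12
#define PMD_SHIFT       21
#define PHYS_BITS       46                      /* assumed physical address width */

#define PAGE_PRESENT    (UINT64_C(1) << 0)
#define PAGE_RW         (UINT64_C(1) << 1)
#define PAGE_PSE        (UINT64_C(1) << 7)      /* entry maps a large page */
#define PAGE_PAT_LARGE  (UINT64_C(1) << 12)     /* PAT bit position in large entries */

/* Physical address bits 12..45: what a 4KB PTE uses for its PFN. */
#define PHYSICAL_PAGE_MASK \
	((UINT64_C(1) << PHYS_BITS) - (UINT64_C(1) << PAGE_SHIFT))
#define PTE_PFN_MASK    PHYSICAL_PAGE_MASK
#define PMD_PAGE_MASK   (~((UINT64_C(1) << PMD_SHIFT) - 1))

/* Same decision as the patch's pmd_pfn_mask(): pick the mask by the PSE bit. */
uint64_t pmd_pfn_mask(uint64_t pmdval)
{
	if (pmdval & PAGE_PSE)
		return PMD_PAGE_MASK & PHYSICAL_PAGE_MASK;
	return PTE_PFN_MASK;
}

/* Before the series: every level is masked as if it were a 4KB PTE. */
uint64_t pmd_pfn_old(uint64_t pmdval)
{
	return (pmdval & PTE_PFN_MASK) >> PAGE_SHIFT;
}

uint64_t pmd_flags_old(uint64_t pmdval)
{
	return pmdval & ~PTE_PFN_MASK;
}

/* After the series: the mask follows the size of the mapping. */
uint64_t pmd_pfn_new(uint64_t pmdval)
{
	return (pmdval & pmd_pfn_mask(pmdval)) >> PAGE_SHIFT;
}

uint64_t pmd_flags_new(uint64_t pmdval)
{
	return pmdval & ~pmd_pfn_mask(pmdval);
}

/* Constructed sample: a 2MB mapping at phys with the large PAT bit set. */
uint64_t make_large_pmd(uint64_t phys)
{
	return phys | PAGE_PSE | PAGE_PAT_LARGE | PAGE_RW | PAGE_PRESENT;
}

int main(void)
{
	uint64_t large = make_large_pmd(UINT64_C(0x40000000));
	uint64_t table = UINT64_C(0x40001000) | PAGE_RW | PAGE_PRESENT;

	/* Bit 12 leaks into the PFN and is lost from the flags. */
	printf("large old: pfn=%#llx flags=%#llx\n",
	       (unsigned long long)pmd_pfn_old(large),
	       (unsigned long long)pmd_flags_old(large));
	/* Bit 12 is treated as a flag, the PFN is 2MB aligned. */
	printf("large new: pfn=%#llx flags=%#llx\n",
	       (unsigned long long)pmd_pfn_new(large),
	       (unsigned long long)pmd_flags_new(large));
	/* Without PSE the entry points at a page table; both forms agree. */
	printf("table new: pfn=%#llx flags=%#llx\n",
	       (unsigned long long)pmd_pfn_new(table),
	       (unsigned long long)pmd_flags_new(table));
	return 0;
}
```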



* [PATCH 3.16 010/305] ipv6: Fix another sparse warning on rt6i_node
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 251/305] SUNRPC: Fix leak of krb5p encode pages Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 152/305] usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB Ben Hutchings
                   ` (10 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Commit 0933273ce750 "ipv6: fix sparse warning on rt6i_node" fixed some
sparse warnings in ip6_fib.c, but introduced a new one in
fib6_update_sernum() (which was removed before the corresponding
upstream commit).

fib6_update_sernum() is called in a RCU read-side section, so use
rcu_dereference() to read rt6_info::rt6i_node.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1681,10 +1681,10 @@ static void fib6_prune_clones(struct net
 static int fib6_update_sernum(struct rt6_info *rt, void *arg)
 {
 	__u32 sernum = *(__u32 *)arg;
+	struct fib6_node *fn = rcu_dereference(rt->rt6i_node);
 
-	if (rt->rt6i_node &&
-	    rt->rt6i_node->fn_sernum != sernum)
-		rt->rt6i_node->fn_sernum = sernum;
+	if (fn && fn->fn_sernum != sernum)
+		fn->fn_sernum = sernum;
 
 	return 0;
 }
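Review bot: `fn->fn_sernum = sernum;` writes through a pointer obtained with rcu_dereference(), and an RCU read-side section by itself does not serialise writers; the commit message should name the lock that protects fn_sernum updates here. If that lock is held on every path into fib6_update_sernum(), rcu_dereference_protected() with the lock condition would document the rule better than plain rcu_dereference().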



* [PATCH 3.16 172/305] ALSA: oss: Use kvzalloc() for local buffer allocations
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 236/305] powerpc: Fix COFF zImage booting on old powermacs Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 160/305] mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts Ben Hutchings
                   ` (185 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+1cb36954e127c98dd037, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 upstream.

PCM OSS layer may allocate a few temporary buffers, one for the core
read/write and another for the conversions via plugins.  Currently
both are allocated via vmalloc().  But as the allocation size is
equivalent with the PCM period size, the required size might be quite
small, depending on the application.

This patch replaces these vmalloc() calls with kvzalloc() for covering
small period sizes better.  Also, we use "z"-alloc variant here for
addressing the possible uninitialized access reported by syzkaller.

Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: kvzalloc() does not exist, so only change to
 using vzalloc()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1075,7 +1075,7 @@ static int snd_pcm_oss_change_params_loc
 	runtime->oss.rate = params_rate(params);
 
 	vfree(runtime->oss.buffer);
-	runtime->oss.buffer = vmalloc(runtime->oss.period_bytes);
+	runtime->oss.buffer = vzalloc(runtime->oss.period_bytes);
 	if (!runtime->oss.buffer) {
 		err = -ENOMEM;
 		goto failure;
--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -67,7 +67,7 @@ static int snd_pcm_plugin_alloc(struct s
 	size /= 8;
 	if (plugin->buf_frames < frames) {
 		vfree(plugin->buf);
-		plugin->buf = vmalloc(size);
+		plugin->buf = vzalloc(size);
 		plugin->buf_frames = frames;
 	}
 	if (!plugin->buf) {
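Review bot: In snd_pcm_plugin_alloc() `plugin->buf_frames = frames;` is assigned right after vzalloc(size) and before the `if (!plugin->buf)` check, so a failed allocation leaves buf NULL with buf_frames already raised. The body of that check is outside the hunk, so confirm it resets buf_frames, or move the assignment after the NULL test; this ordering predates the patch but sits on the lines being changed.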



* [PATCH 3.16 157/305] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 041/305] usb: chipidea: Prevent unbalanced IRQ disable Ben Hutchings
                   ` (304 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vasily Averin, Jan Kara, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit 6bdc9977fcdedf47118d2caf7270a19f4b6d8a8f upstream.

Fixes: 3f2571c1f91f ("ext4: factor out xattr moving")
Fixes: 6dd4ee7cab7e ("ext4: Expand extra_inodes space per ...")
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/xattr.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1529,6 +1529,8 @@ cleanup:
 	kfree(buffer);
 	if (is)
 		brelse(is->iloc.bh);
+	if (bs)
+		brelse(bs->bh);
 	kfree(is);
 	kfree(bs);
 	brelse(bh);
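Review bot: The commit message has no body, only the subject and two Fixes tags, so a reader cannot tell which exit through the cleanup label leaves bs->bh held; add a sentence naming the error path. In the code, placing `if (bs) brelse(bs->bh);` ahead of kfree(bs) is the right order and mirrors the is->iloc.bh handling just above it.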



* [PATCH 3.16 076/305] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 059/305] powerpc/pseries: Fix DTL buffer registration Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 052/305] PM / devfreq: Fix devfreq_add_device() when drivers are built as modules Ben Hutchings
                   ` (233 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexander Ploumistos, Takashi Iwai, Jeremy Cline

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Cline <jcline@redhat.com>

commit e7bb6ad5685f05685dd8a6a5eda7bfcd14d5f95b upstream.

The Lenovo G50-30, like other G50 models, has a Conexant codec that
requires a quirk for its inverted stereo dmic.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1249364
Reported-by: Alexander Ploumistos <alex.ploumistos@gmail.com>
Tested-by: Alexander Ploumistos <alex.ploumistos@gmail.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_conexant.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -3465,6 +3465,7 @@ static const struct snd_pci_quirk cxt506
 	SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410),
 	SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410),
 	SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD),
+	SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC),



* [PATCH 3.16 071/305] mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (254 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 078/305] gfs2_meta: ->mount() can get NULL dev_name Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 182/305] floppy: fix race condition in __floppy_read_block_0() Ben Hutchings
                   ` (49 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ahmad Fatoum, Boris Brezillon

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ahmad Fatoum <a.fatoum@pengutronix.de>

commit 000412276370a9bcfec73b3752ceefd9a927f1db upstream.

fsl_qspi_get_seqid() may return -EINVAL, but fsl_qspi_init_ahb_read()
doesn't check for error codes with the result that -EINVAL could find
itself signalled over the bus.

In conjunction with the LS1046A SoC's A-009283 errata
("Illegal accesses to SPI flash memory can result in a system hang")
this illegal access to SPI flash memory results in a system hang
if userspace attempts reading later on.

Avoid this by always checking fsl_qspi_get_seqid()'s return value
and bail out otherwise.

Fixes: e46ecda764dc ("mtd: spi-nor: Add Freescale QuadSPI driver")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/spi-nor/fsl-quadspi.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/mtd/spi-nor/fsl-quadspi.c
+++ b/drivers/mtd/spi-nor/fsl-quadspi.c
@@ -451,6 +451,9 @@ fsl_qspi_runcmd(struct fsl_qspi *q, u8 c
 
 	/* trigger the LUT now */
 	seqid = fsl_qspi_get_seqid(q, cmd);
+	if (seqid < 0)
+		return seqid;
+
 	writel((seqid << QUADSPI_IPCR_SEQID_SHIFT) | len, base + QUADSPI_IPCR);
 
 	/* Wait for the interrupt. */
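Review bot: The new "if (seqid < 0)" test ahead of the QUADSPI_IPCR write only works if seqid is a signed type in fsl_qspi_runcmd(), and its declaration is outside this hunk. The context of fsl_qspi_init_ahb_read() shows "int seqid;"; please confirm the same holds here, since an unsigned local would let the error value through to "seqid << QUADSPI_IPCR_SEQID_SHIFT" unchanged.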
@@ -574,7 +577,7 @@ static void fsl_qspi_set_map_addr(struct
  * causes the controller to clear the buffer, and use the sequence pointed
  * by the QUADSPI_BFGENCR[SEQID] to initiate a read from the flash.
  */
-static void fsl_qspi_init_ahb_read(struct fsl_qspi *q)
+static int fsl_qspi_init_ahb_read(struct fsl_qspi *q)
 {
 	void __iomem *base = q->iobase;
 	int seqid;
@@ -592,8 +595,13 @@ static void fsl_qspi_init_ahb_read(struc
 
 	/* Set the default lut sequence for AHB Read. */
 	seqid = fsl_qspi_get_seqid(q, q->nor[0].read_opcode);
+	if (seqid < 0)
+		return seqid;
+
 	writel(seqid << QUADSPI_BFGENCR_SEQID_SHIFT,
 		q->iobase + QUADSPI_BFGENCR);
+
+	return 0;
 }
 
 /* We use this function to do some basic init for spi_nor_scan(). */
@@ -647,9 +655,7 @@ static int fsl_qspi_nor_setup_last(struc
 	fsl_qspi_init_lut(q);
 
 	/* Init for AHB read */
-	fsl_qspi_init_ahb_read(q);
-
-	return 0;
+	return fsl_qspi_init_ahb_read(q);
 }
 
 static struct of_device_id fsl_qspi_dt_ids[] = {
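Review bot: Returning the result of fsl_qspi_init_ahb_read() from fsl_qspi_nor_setup_last() only helps if the caller acts on it, and the call site is not part of this patch. Please confirm that the caller checks the return value of fsl_qspi_nor_setup_last() and unwinds on failure; otherwise the error is kept out of QUADSPI_BFGENCR but setup continues with no AHB read sequence programmed.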


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 243/305] rapidio/rionet: do not free skb before reading its length
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 299/305] vxlan: Fix error path in __vxlan_dev_create() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 206/305] iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers Ben Hutchings
                   ` (121 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pan Bian, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit cfc435198f53a6fa1f656d98466b24967ff457d0 upstream.

skb is freed via dev_kfree_skb_any; however, skb->len is read after that. This
may result in a use-after-free bug.

Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/rionet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/rionet.c
+++ b/drivers/net/rionet.c
@@ -215,9 +215,9 @@ static int rionet_start_xmit(struct sk_b
 			 * it just report sending a packet to the target
 			 * (without actual packet transfer).
 			 */
-			dev_kfree_skb_any(skb);
 			ndev->stats.tx_packets++;
 			ndev->stats.tx_bytes += skb->len;
+			dev_kfree_skb_any(skb);
 		}
 	}
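Review bot: The reordering at the end of this branch is right, but nothing at the site records that the order matters, so a later cleanup could move dev_kfree_skb_any(skb) back above "ndev->stats.tx_bytes += skb->len;". A short comment, or reading skb->len into a local before the free, would make the dependency explicit.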
 


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 041/305] usb: chipidea: Prevent unbalanced IRQ disable
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 157/305] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 109/305] llc: do not use sk_eat_skb() Ben Hutchings
                   ` (303 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Peter Chen, Loic Poulain

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Loic Poulain <loic.poulain@linaro.org>

commit 8b97d73c4d72a2abf58f8e49062a7ee1e5f1334e upstream.

The ChipIdea IRQ is disabled before scheduling the otg work and
re-enabled on otg work completion. However if the job is already
scheduled we have to undo the effect of disable_irq in order to
balance the IRQ disable-depth value.

Fixes: be6b0c1bd0be ("usb: chipidea: using one inline function to cover queue work operations")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/chipidea/otg.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/chipidea/otg.h
+++ b/drivers/usb/chipidea/otg.h
@@ -20,7 +20,8 @@ void ci_handle_vbus_change(struct ci_hdr
 static inline void ci_otg_queue_work(struct ci_hdrc *ci)
 {
 	disable_irq_nosync(ci->irq);
-	queue_work(ci->wq, &ci->work);
+	if (queue_work(ci->wq, &ci->work) == false)
+		enable_irq(ci->irq);
 }
 
 #endif /* __DRIVERS_USB_CHIPIDEA_OTG_H */
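Review bot: In ci_otg_queue_work(), "queue_work(ci->wq, &ci->work) == false" would read better as "!queue_work(ci->wq, &ci->work)", the usual kernel style for a bool return. A one-line comment saying that enable_irq() undoes the disable_irq_nosync() when the work was already queued would also help, since the pairing with the re-enable on work completion is not visible from this header.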


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 232/305] Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 163/305] HID: Add quirk for Microsoft PIXART OEM mouse Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 020/305] sparc32: Fix inverted invalid_frame_pointer checks on sigreturns Ben Hutchings
                   ` (197 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Felipe Balbi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe.balbi@linux.intel.com>

commit 38317f5c0f2faae5110854f36edad810f841d62f upstream.

This reverts commit ffb80fc672c3a7b6afd0cefcb1524fb99917b2f3.

Turns out that commit is wrong. Host controllers are allowed to use
Clear Feature HALT as means to sync data toggle between host and
peripheral.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/gadget.c | 5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1346,9 +1346,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc
 	memset(&params, 0x00, sizeof(params));
 
 	if (value) {
-		if (dep->flags & DWC3_EP_STALL)
-			return 0;
-
 		if (!protocol && ((dep->direction && dep->flags & DWC3_EP_BUSY) ||
 				(!list_empty(&dep->req_queued) ||
 				 !list_empty(&dep->request_list)))) {
@@ -1365,9 +1362,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc
 		else
 			dep->flags |= DWC3_EP_STALL;
 	} else {
-		if (!(dep->flags & DWC3_EP_STALL))
-			return 0;
-
 		ret = dwc3_send_gadget_ep_cmd(dwc, dep->number,
 			DWC3_DEPCMD_CLEARSTALL, &params);
 		if (ret)
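Review bot: With the "if (!(dep->flags & DWC3_EP_STALL)) return 0;" guard removed from the clear path, DWC3_DEPCMD_CLEARSTALL is sent even when the endpoint is not flagged as stalled, and the code gives no reason. The commit message has the reason (hosts use Clear Feature HALT to sync the data toggle); a comment above the dwc3_send_gadget_ep_cmd() call saying so would keep the early return from being reintroduced as an optimization.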


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 047/305] EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 013/305] ARM: fix put_user() for gcc-8 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 202/305] usb: core: Fix hub port connection events lost Ben Hutchings
                   ` (175 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tony Luck, linux-edac,
	Mauro Carvalho Chehab, Borislav Petkov, Aristeu Rozanski,
	Qiuxu Zhuo

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit 432de7fd7630c84ad24f1c2acd1e3bb4ce3741ca upstream.

The count of errors is picked up from bits 52:38 of the machine check
bank status register. But this is the count of *corrected* errors. If an
uncorrected error is being logged, the h/w sets this field to 0. Which
means that when edac_mc_handle_error() is called, the EDAC core will
carefully add zero to the appropriate uncorrected error counts.

Signed-off-by: Tony Luck <tony.luck@intel.com>
[ Massage commit message. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Aristeu Rozanski <aris@redhat.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20180928213934.19890-1-tony.luck@intel.com
[bwh: Backported to 3.16: Drop change in skx_edac.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/edac/i7core_edac.c
+++ b/drivers/edac/i7core_edac.c
@@ -1729,6 +1729,7 @@ static void i7core_mce_output_error(stru
 	u32 errnum = find_first_bit(&error, 32);
 
 	if (uncorrected_error) {
+		core_err_cnt = 1;
 		if (ripv)
 			tp_event = HW_EVENT_ERR_FATAL;
 		else
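Review bot: "core_err_cnt = 1;" in the uncorrected_error branch overrides a value taken from the status register, and the line carries no comment explaining why. The rationale in the commit message (the hardware sets the count field to 0 when an uncorrected error is logged) belongs next to the assignment, here and at the identical change in sb_edac.c.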
--- a/drivers/edac/sb_edac.c
+++ b/drivers/edac/sb_edac.c
@@ -1659,6 +1659,7 @@ static void sbridge_mce_output_error(str
 		recoverable = GET_BITFIELD(m->status, 56, 56);
 
 	if (uncorrected_error) {
+		core_err_cnt = 1;
 		if (ripv) {
 			type = "FATAL";
 			tp_event = HW_EVENT_ERR_FATAL;


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 038/305] Cipso: cipso_v4_optptr enter infinite loop
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 118/305] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 150/305] ext4: avoid possible double brelse() in add_new_gdb() on error path Ben Hutchings
                   ` (250 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, yujuan.qi, David S. Miller, Paul Moore

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "yujuan.qi" <yujuan.qi@mediatek.com>

commit 40413955ee265a5e42f710940ec78f5450d49149 upstream.

In for(), if ((optlen > 0) && (optptr[1] == 0)), the code enters an infinite loop.

Test: receive a packet in which the IP length is > 20 and the first byte of the IP option is 0; this produces the issue.

Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/cipso_ipv4.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1606,9 +1606,17 @@ unsigned char *cipso_v4_optptr(const str
 	int taglen;
 
 	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
-		if (optptr[0] == IPOPT_CIPSO)
+		switch (optptr[0]) {
+		case IPOPT_CIPSO:
 			return optptr;
-		taglen = optptr[1];
+		case IPOPT_END:
+			return NULL;
+		case IPOPT_NOOP:
+			taglen = 1;
+			break;
+		default:
+			taglen = optptr[1];
+		}
 		optlen -= taglen;
 		optptr += taglen;
 	}
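Review bot: The default branch still takes taglen straight from optptr[1] with no validation, so the loop is only closed for IPOPT_END and IPOPT_NOOP. Any other option type carrying a length byte of 0 leaves optlen and optptr unchanged and spins the same way, and a length larger than the remaining optlen is accepted without complaint. The IPOPT_CIPSO case also returns before the option's own length is looked at. Rejecting "!taglen || taglen > optlen" before advancing would cover these, which is what patch 039/305 in this series goes on to do.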


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 039/305] net/ipv4: defensive cipso option parsing
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 293/305] KVM: x86: Add MSR_AMD64_DC_CFG to the list of ignored MSRs Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 280/305] fuse: cleanup fuse_file refcounting Ben Hutchings
                   ` (142 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Simon Veith, David Woodhouse,
	Stefan Nuernberger, David S. Miller, Paul Moore

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Nuernberger <snu@amazon.com>

commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.

commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
a possible infinite loop in the IP option parsing of CIPSO. The fix
assumes that ip_options_compile filtered out all zero length options and
that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
While this assumption currently holds true, add explicit checks for zero
length and invalid length options to be safe for the future. Even though
ip_options_compile should have validated the options, the introduction of
new one-byte options can still confuse this code without the additional
checks.

Signed-off-by: Stefan Nuernberger <snu@amazon.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Simon Veith <sveith@amazon.de>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/cipso_ipv4.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1595,7 +1595,7 @@ static int cipso_v4_parsetag_loc(const s
  *
  * Description:
  * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
- * to the start of the CIPSO option on success, NULL if one if not found.
+ * to the start of the CIPSO option on success, NULL if one is not found.
  *
  */
 unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
@@ -1605,10 +1605,8 @@ unsigned char *cipso_v4_optptr(const str
 	int optlen;
 	int taglen;
 
-	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
 		switch (optptr[0]) {
-		case IPOPT_CIPSO:
-			return optptr;
 		case IPOPT_END:
 			return NULL;
 		case IPOPT_NOOP:
@@ -1617,6 +1615,11 @@ unsigned char *cipso_v4_optptr(const str
 		default:
 			taglen = optptr[1];
 		}
+		if (!taglen || taglen > optlen)
+			return NULL;
+		if (optptr[0] == IPOPT_CIPSO)
+			return optptr;
+
 		optlen -= taglen;
 		optptr += taglen;
 	}
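Review bot: The new check "if (!taglen || taglen > optlen)" still lets taglen == 1 through in the default branch. An IP option other than END and NOOP is at least two bytes (type and length), so a length of 1 there is malformed; with this code the walk steps one byte forward and treats the length byte as the next option type, and an IPOPT_CIPSO option with length 1 is returned to the caller. The loop stays bounded, but returning NULL for taglen < 2 in the default case would be stricter.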


^ permalink raw reply	[flat|nested] 313+ messages in thread
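
The following user-space harness is an added example, not code from the kernel tree or from either patch author: it replays the cipso_v4_optptr() walk as it stood before 40413955ee26, after it, and after the additional checks in 076ed3da0c9b, over constructed option buffers. The names walk(), MAX_STEPS, the result codes and the sample buffers are assumptions made for the illustration; a step cap stands in for the hang and an index check stands in for a read outside the option area.

```c
#include <stdio.h>

/* Standard IPv4 option type values. */
#define OPT_END    0    /* IPOPT_END   */
#define OPT_NOOP   1    /* IPOPT_NOOP  */
#define OPT_CIPSO  134  /* IPOPT_CIPSO */

/* Assumption for this harness: the option area is at most 40 bytes, so a
 * walk that has not finished after 64 steps is making no progress. */
#define MAX_STEPS  64

enum version { PRE_FIX, AFTER_038, AFTER_039 };
enum result  { FOUND, NOT_FOUND, STUCK, OVERRUN };

/* Constructed sample option areas (not captured traffic). */
static const unsigned char zero_first[]      = { 0, 0, 0, 0 };
static const unsigned char noop_then_cipso[] = { 1, 1, 134, 6, 0, 0, 0, 1 };
static const unsigned char zero_len_opt[]    = { 7, 0, 0, 0 };
static const unsigned char truncated_cipso[] = { 134, 40, 0, 0 };
static const unsigned char lone_tail_byte[]  = { 1, 1, 1, 7 };

/*
 * Walk `len` bytes of IPv4 options the way cipso_v4_optptr() does in the
 * three states shown on this page. Offsets replace pointer arithmetic so the
 * harness can report an out-of-area read instead of performing it.
 */
static enum result walk(const unsigned char *opt, int len, enum version v)
{
	int off = 0, steps = 0;
	int need = (v == AFTER_039) ? 2 : 1;	/* "optlen > 1" vs "optlen > 0" */

	while (len - off >= need) {
		int type = opt[off];
		int taglen;

		if (++steps > MAX_STEPS)
			return STUCK;		/* the kernel loop would never exit */

		if (v != AFTER_039 && type == OPT_CIPSO)
			return FOUND;		/* returned before any length check */

		if (v != PRE_FIX && type == OPT_END)
			return NOT_FOUND;
		if (v != PRE_FIX && type == OPT_NOOP) {
			taglen = 1;
		} else {
			if (off + 1 >= len)
				return OVERRUN;	/* length byte lies outside the options */
			taglen = opt[off + 1];
		}

		if (v == AFTER_039) {
			if (!taglen || taglen > len - off)
				return NOT_FOUND;
			if (type == OPT_CIPSO)
				return FOUND;
		}
		off += taglen;
	}
	return NOT_FOUND;
}

static const char *name(enum result r)
{
	static const char *const names[] = { "found", "not found", "stuck", "overrun" };
	return names[r];
}

#define ROW(buf) \
	printf("%-16s %-10s %-10s %-10s\n", #buf, \
	       name(walk(buf, (int)sizeof(buf), PRE_FIX)), \
	       name(walk(buf, (int)sizeof(buf), AFTER_038)), \
	       name(walk(buf, (int)sizeof(buf), AFTER_039)))

int main(void)
{
	printf("%-16s %-10s %-10s %-10s\n", "input", "pre-fix", "after 038", "after 039");
	ROW(zero_first);
	ROW(noop_then_cipso);
	ROW(zero_len_opt);
	ROW(truncated_cipso);
	ROW(lone_tail_byte);
	return 0;
}
```
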

* [PATCH 3.16 126/305] xtensa: add NOTES section to the linker script
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (234 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 053/305] usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 239/305] xtensa: fix coprocessor part of ptrace_{get,set}xregs Ben Hutchings
                   ` (69 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 4119ba211bc4f1bf638f41e50b7a0f329f58aa16 upstream.

This section collects all source .note.* sections together in the
vmlinux image. Without it .note.Linux section may be placed at address
0, while the rest of the kernel is at its normal address, resulting in a
huge vmlinux.bin image that may not be linked into the xtensa Image.elf.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/boot/Makefile        | 2 +-
 arch/xtensa/kernel/vmlinux.lds.S | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

--- a/arch/xtensa/boot/Makefile
+++ b/arch/xtensa/boot/Makefile
@@ -31,7 +31,7 @@ $(bootdir-y): $(addprefix $(obj)/,$(subd
 	      $(addprefix $(obj)/,$(host-progs))
 	$(Q)$(MAKE) $(build)=$(obj)/$@ $(MAKECMDGOALS)
 
-OBJCOPYFLAGS = --strip-all -R .comment -R .note.gnu.build-id -O binary
+OBJCOPYFLAGS = --strip-all -R .comment -R .notes -O binary
 
 vmlinux.bin: vmlinux FORCE
 	$(call if_changed,objcopy)
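Review bot: The OBJCOPYFLAGS change from "-R .note.gnu.build-id" to "-R .notes" is not mentioned in the commit message, which only describes the linker script side. It depends on the NOTES macro added to vmlinux.lds.S producing an output section named .notes; a sentence saying so would help anyone picking up one file without the other.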
--- a/arch/xtensa/kernel/vmlinux.lds.S
+++ b/arch/xtensa/kernel/vmlinux.lds.S
@@ -110,6 +110,7 @@ SECTIONS
   .fixup   : { *(.fixup) }
 
   EXCEPTION_TABLE(16)
+  NOTES
   /* Data section */
 
   _sdata = .;


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 044/305] net: phy: Stop with excessive soft reset
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (176 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 082/305] btrfs: fix error handling in btrfs_dev_replace_start Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 190/305] netfilter: nf_tables: don't use position attribute on rule replacement Ben Hutchings
                   ` (127 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Florian Fainelli, Andrew Lunn,
	David S. Miller, Clemens Gruber, Chris Healy, Wang, Dongsheng

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 6e2d85ec05591b739059f65fe8438c9c5999f7d8 upstream.

While consolidating the PHY reset in phy_init_hw() an unconditional
BMCR soft-reset I became quite trigger happy with those. This was later
on deactivated for the Generic PHY driver on the premise that a prior
software entity (e.g: bootloader) might have applied workarounds in
commit 0878fff1f42c ("net: phy: Do not perform software reset for
Generic PHY").

Since we have a hook to wire-up a soft_reset callback, just use that and
get rid of the call to genphy_soft_reset() entirely. This speeds up
initialization and link establishment for most PHYs out there that do
not require a reset.

Fixes: 87aa9f9c61ad ("net: phy: consolidate PHY reset in phy_init_hw()")
Tested-by: Wang, Dongsheng <dongsheng.wang@hxt-semitech.com>
Tested-by: Chris Healy <cphealy@gmail.com>
Tested-by: Andrew Lunn <andrew@lunn.ch>
Tested-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/phy/phy_device.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -543,8 +543,6 @@ int phy_init_hw(struct phy_device *phyde
 
 	if (phydev->drv->soft_reset)
 		ret = phydev->drv->soft_reset(phydev);
-	else
-		ret = genphy_soft_reset(phydev);
 
 	if (ret < 0)
 		return ret;
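Review bot: With the else branch gone, ret is assigned in this hunk only when phydev->drv->soft_reset is set, yet "if (ret < 0)" is evaluated either way. Its declaration and any earlier assignment are outside the visible context, so please confirm that ret is initialized, or already holds a valid result, on the path where the driver has no soft_reset callback; otherwise this tests an indeterminate value.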


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 067/305] mach64: fix image corruption due to reading accelerator registers
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (187 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 284/305] vhost: make sure used idx is seen before log in vhost_add_used_n() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 245/305] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing Ben Hutchings
                   ` (116 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ville Syrjälä,
	Mikulas Patocka, Bartlomiej Zolnierkiewicz

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit c09bcc91bb94ed91f1391bffcbe294963d605732 upstream.

Reading the registers without waiting for engine idle returns
unpredictable values. These unpredictable values result in display
corruption - if atyfb_imageblit reads the content of DP_PIX_WIDTH with the
bit DP_HOST_TRIPLE_EN set (from previous invocation), the driver would
never ever clear the bit, resulting in display corruption.

We don't want to wait for idle because it would degrade performance, so
this patch modifies the driver so that it never reads accelerator
registers.

HOST_CNTL doesn't have to be read, we can just write it with
HOST_BYTE_ALIGN because no other part of the driver cares if
HOST_BYTE_ALIGN is set.

DP_PIX_WIDTH is written in the functions atyfb_copyarea and atyfb_fillrect
with the default value and in atyfb_imageblit with the value set according
to the source image data.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Ville Syrjälä <syrjala@sci.fi>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/aty/mach64_accel.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

--- a/drivers/video/fbdev/aty/mach64_accel.c
+++ b/drivers/video/fbdev/aty/mach64_accel.c
@@ -126,7 +126,7 @@ void aty_init_engine(struct atyfb_par *p
 
 	/* set host attributes */
 	wait_for_fifo(13, par);
-	aty_st_le32(HOST_CNTL, 0, par);
+	aty_st_le32(HOST_CNTL, HOST_BYTE_ALIGN, par);
 
 	/* set pattern attributes */
 	aty_st_le32(PAT_REG0, 0, par);
@@ -232,7 +232,8 @@ void atyfb_copyarea(struct fb_info *info
 		rotation = rotation24bpp(dx, direction);
 	}
 
-	wait_for_fifo(4, par);
+	wait_for_fifo(5, par);
+	aty_st_le32(DP_PIX_WIDTH, par->crtc.dp_pix_width, par);
 	aty_st_le32(DP_SRC, FRGD_SRC_BLIT, par);
 	aty_st_le32(SRC_Y_X, (sx << 16) | sy, par);
 	aty_st_le32(SRC_HEIGHT1_WIDTH1, (width << 16) | area->height, par);
@@ -268,7 +269,8 @@ void atyfb_fillrect(struct fb_info *info
 		rotation = rotation24bpp(dx, DST_X_LEFT_TO_RIGHT);
 	}
 
-	wait_for_fifo(3, par);
+	wait_for_fifo(4, par);
+	aty_st_le32(DP_PIX_WIDTH, par->crtc.dp_pix_width, par);
 	aty_st_le32(DP_FRGD_CLR, color, par);
 	aty_st_le32(DP_SRC,
 		    BKGD_SRC_BKGD_CLR | FRGD_SRC_FRGD_CLR | MONO_SRC_ONE,
@@ -283,7 +285,7 @@ void atyfb_imageblit(struct fb_info *inf
 {
 	struct atyfb_par *par = (struct atyfb_par *) info->par;
 	u32 src_bytes, dx = image->dx, dy = image->dy, width = image->width;
-	u32 pix_width_save, pix_width, host_cntl, rotation = 0, src, mix;
+	u32 pix_width, rotation = 0, src, mix;
 
 	if (par->asleep)
 		return;
@@ -295,8 +297,7 @@ void atyfb_imageblit(struct fb_info *inf
 		return;
 	}
 
-	pix_width = pix_width_save = aty_ld_le32(DP_PIX_WIDTH, par);
-	host_cntl = aty_ld_le32(HOST_CNTL, par) | HOST_BYTE_ALIGN;
+	pix_width = par->crtc.dp_pix_width;
 
 	switch (image->depth) {
 	case 1:
@@ -369,12 +370,11 @@ void atyfb_imageblit(struct fb_info *inf
 		mix = FRGD_MIX_D_XOR_S | BKGD_MIX_D;
 	}
 
-	wait_for_fifo(6, par);
-	aty_st_le32(DP_WRITE_MASK, 0xFFFFFFFF, par);
+	wait_for_fifo(5, par);
 	aty_st_le32(DP_PIX_WIDTH, pix_width, par);
 	aty_st_le32(DP_MIX, mix, par);
 	aty_st_le32(DP_SRC, src, par);
-	aty_st_le32(HOST_CNTL, host_cntl, par);
+	aty_st_le32(HOST_CNTL, HOST_BYTE_ALIGN, par);
 	aty_st_le32(DST_CNTL, DST_Y_TOP_TO_BOTTOM | DST_X_LEFT_TO_RIGHT | rotation, par);
 
 	draw_rect(dx, dy, width, image->height, par);
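Review bot: This hunk drops the "aty_st_le32(DP_WRITE_MASK, 0xFFFFFFFF, par);" write, but the commit message only discusses HOST_CNTL and DP_PIX_WIDTH. The wait_for_fifo() count going from 6 to 5 is consistent with the five register writes that remain; what is missing is a note on why the write mask no longer needs to be set here, presumably because it is programmed once elsewhere and never changed.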
@@ -423,8 +423,4 @@ void atyfb_imageblit(struct fb_info *inf
 			aty_st_le32(HOST_DATA0, get_unaligned_le32(pbitmap), par);
 		}
 	}
-
-	/* restore pix_width */
-	wait_for_fifo(1, par);
-	aty_st_le32(DP_PIX_WIDTH, pix_width_save, par);
 }


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 057/305] Drivers: hv: kvp: Fix two "this statement may fall through" warnings
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (197 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 074/305] ima: fix showing large 'violations' or 'runtime_measurements_count' Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 252/305] SUNRPC: Fix a potential race in xprt_connect() Ben Hutchings
                   ` (106 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, K. Y. Srinivasan,
	Stephen Hemminger, Dexuan Cui, Haiyang Zhang

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream.

We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is
KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on
the op code from the host to the userspace; when the userspace returns
the info requested by the host, we pass the info on to the host in
kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code
actually doesn't cause any harm, because only message->kvp_hdr.operation
is used by the userspace, in the case of KVP_OP_GET_IP_INFO.

The patch also adds a missing "break;" in kvp_send_key(). BTW, the current
buggy code actually doesn't cause any harm, because in the case of
KVP_OP_SET, the unexpected fall-through corrupts
message->body.kvp_set.data.key_size, but that is not really used: see
the definition of struct hv_kvp_exchg_msg_value.

Signed-off-by: Dexuan Cui <decui@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hv/hv_kvp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/hv/hv_kvp.c
+++ b/drivers/hv/hv_kvp.c
@@ -326,7 +326,6 @@ static void process_ib_ipinfo(void *in_m
 
 		out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled;
 
-	default:
 		utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id,
 				MAX_ADAPTER_ID_SIZE,
 				UTF16_LITTLE_ENDIAN,
@@ -379,7 +378,7 @@ kvp_send_key(struct work_struct *dummy)
 		process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO);
 		break;
 	case KVP_OP_GET_IP_INFO:
-		process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO);
+		/* We only need to pass on message->kvp_hdr.operation.  */
 		break;
 	case KVP_OP_SET:
 		switch (in_msg->body.kvp_set.data.value_type) {
@@ -419,6 +418,9 @@ kvp_send_key(struct work_struct *dummy)
 			break;
 
 		}
+
+		break;
+
 	case KVP_OP_GET:
 		message->body.kvp_set.data.key_size =
 			utf16s_to_utf8s(


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 267/305] cifs: Fix separator when building path from dentry Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 19:05   ` Jiri Kosina
  2019-02-03 13:45 ` [PATCH 3.16 285/305] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Ben Hutchings
                   ` (145 subsequent siblings)
  305 siblings, 1 reply; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, WoodhouseDavid, Josh Poimboeuf, Andi Kleen,
	SchauflerCasey, Andrea Arcangeli, Thomas Gleixner, Jiri Kosina,
	Peter Zijlstra

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Kosina <jkosina@suse.cz>

commit dbfe2953f63c640463c630746cd5d9de8b2f63ae upstream.

Currently, IBPB is only issued in cases when switching into a non-dumpable
process, the rationale being to protect such 'important and security
sensitive' processes (such as GPG) from data leaking into a different
userspace process via spectre v2.

This is however completely insufficient to provide proper userspace-to-userspace
spectrev2 protection, as any process can poison branch buffers before being
scheduled out, and the newly scheduled process immediately becomes spectrev2
victim.

In order to minimize the performance impact (for usecases that do require
spectrev2 protection), issue the barrier only in cases when switching between
processes where the victim can't be ptraced by the potential attacker (as in
such cases, the attacker doesn't have to bother with branch buffers at all).

[ tglx: Split up PTRACE_MODE_NOACCESS_CHK into PTRACE_MODE_SCHED and
  PTRACE_MODE_IBPB to be able to do ptrace() context tracking reasonably
  fine-grained ]

Fixes: 18bf3c3ea8 ("x86/speculation: Use Indirect Branch Prediction Barrier in context switch")
Originally-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc:  "WoodhouseDavid" <dwmw@amazon.co.uk>
Cc: Andi Kleen <ak@linux.intel.com>
Cc:  "SchauflerCasey" <casey.schaufler@intel.com>
Link: https://lkml.kernel.org/r/nycvar.YFH.7.76.1809251437340.15880@cbobk.fhfr.pm
[bwh: Backported to 3.16: We don't have mm_context_t::ctx_id so can't use
 it to compare task identity.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -7,6 +7,7 @@
 #include <linux/module.h>
 #include <linux/cpu.h>
 #include <linux/debugfs.h>
+#include <linux/ptrace.h>
 
 #include <asm/tlbflush.h>
 #include <asm/mmu_context.h>
@@ -95,6 +96,19 @@ void switch_mm(struct mm_struct *prev, s
 	local_irq_restore(flags);
 }
 
+static bool ibpb_needed(struct task_struct *tsk)
+{
+	/*
+	 * Check if the current (previous) task has access to the memory
+	 * of the @tsk (next) task. If access is denied, make sure to
+	 * issue a IBPB to stop user->user Spectre-v2 attacks.
+	 *
+	 * Note: __ptrace_may_access() returns 0 or -ERRNO.
+	 */
+	return (tsk && tsk->mm &&
+		ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB));
+}
+
 void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
 			struct task_struct *tsk)
 {
@@ -107,16 +121,13 @@ void switch_mm_irqs_off(struct mm_struct
 		 * one process from doing Spectre-v2 attacks on another.
 		 *
 		 * As an optimization, flush indirect branches only when
-		 * switching into processes that disable dumping. This
-		 * protects high value processes like gpg, without having
-		 * too high performance overhead. IBPB is *expensive*!
-		 *
-		 * This will not flush branches when switching into kernel
-		 * threads. It will flush if we switch to a different non-
-		 * dumpable process.
+		 * switching into a processes that can't be ptrace by the
+		 * current one (as in such case, attacker has much more
+		 * convenient way how to tamper with the next process than
+		 * branch buffer poisoning).
 		 */
-		if (tsk && tsk->mm &&
-		    get_dumpable(tsk->mm) != SUID_DUMP_USER)
+		if (static_cpu_has(X86_FEATURE_USE_IBPB) &&
+				ibpb_needed(tsk))
 			indirect_branch_prediction_barrier();
 
 		this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -59,14 +59,17 @@ extern void exit_ptrace(struct task_stru
 #define PTRACE_MODE_READ	0x01
 #define PTRACE_MODE_ATTACH	0x02
 #define PTRACE_MODE_NOAUDIT	0x04
-#define PTRACE_MODE_FSCREDS 0x08
-#define PTRACE_MODE_REALCREDS 0x10
+#define PTRACE_MODE_FSCREDS	0x08
+#define PTRACE_MODE_REALCREDS	0x10
+#define PTRACE_MODE_SCHED	0x20
+#define PTRACE_MODE_IBPB	0x40
 
 /* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
 #define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
 #define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
 #define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
 #define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
+#define PTRACE_MODE_SPEC_IBPB (PTRACE_MODE_ATTACH_REALCREDS | PTRACE_MODE_IBPB)
 
 /**
  * ptrace_may_access - check whether the caller is permitted to access
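Review bot: PTRACE_MODE_SCHED and PTRACE_MODE_IBPB are added with no comment saying what each bit selects, and PTRACE_MODE_IBPB is folded into PTRACE_MODE_SPEC_IBPB but is not tested by any of the kernel/ptrace.c hunks shown in this patch. A one-line comment per flag would help, and for PTRACE_MODE_IBPB it should name the consumer (or say that the bit is reserved for a later patch).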
@@ -84,6 +87,20 @@ extern void exit_ptrace(struct task_stru
  */
 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
 
+/**
+ * ptrace_may_access - check whether the caller is permitted to access
+ * a target task.
+ * @task: target task
+ * @mode: selects type of access and caller credentials
+ *
+ * Returns true on success, false on denial.
+ *
+ * Similar to ptrace_may_access(). Only to be called from context switch
+ * code. Does not call into audit and the regular LSM hooks due to locking
+ * constraints.
+ */
+extern bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode);
+
 static inline int ptrace_reparented(struct task_struct *child)
 {
 	return !same_thread_group(child->real_parent, child->parent);
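Review bot: the new kernel-doc block is headed "ptrace_may_access" but documents ptrace_may_access_sched(), and its "Returns true on success, false on denial" does not match the definition added in kernel/ptrace.c, which returns __ptrace_may_access() unchanged. The x86 hunk itself notes that __ptrace_may_access() returns 0 or -ERRNO, so the bool is true when access is denied, and that is the sense ibpb_needed() relies on. Fix the heading and state the real return convention here, or negate the result in the helper and in the caller together.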
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -262,6 +262,9 @@ static int ptrace_check_attach(struct ta
 
 static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 {
+	if (mode & PTRACE_MODE_SCHED)
+		return false;
+
 	if (mode & PTRACE_MODE_NOAUDIT)
 		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
 	else
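Review bot: ptrace_has_cap() is declared `static int` but the new early exit uses `return false`; `return 0` would match the function's type. The early exit also means that CAP_SYS_PTRACE is never credited in PTRACE_MODE_SCHED mode. The kernel-doc in ptrace.h explains why audit and the LSM hooks are skipped but says nothing about capabilities, so a short comment on the reason at this line would be useful.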
@@ -329,9 +332,16 @@ ok:
 	     !ptrace_has_cap(mm->user_ns, mode)))
 	    return -EPERM;
 
+	if (mode & PTRACE_MODE_SCHED)
+		return 0;
 	return security_ptrace_access_check(task, mode);
 }
 
+bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode)
+{
+	return __ptrace_may_access(task, mode | PTRACE_MODE_SCHED);
+}
+
 bool ptrace_may_access(struct task_struct *task, unsigned int mode)
 {
 	int err;
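Review bot: the early `return 0` for PTRACE_MODE_SCHED sits directly before security_ptrace_access_check() and carries no comment, so the scheduler-side answer can be "allowed" for a pair of tasks where an LSM would refuse a real ptrace attach. Since this result decides whether the barrier in switch_mm_irqs_off() is issued, please add a comment at this line stating that the LSM decision is deliberately not part of the check and why that is acceptable.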



* [PATCH 3.16 262/305] usb: appledisplay: Add 27" Apple Cinema Display
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (210 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 002/305] x86/asm: Move PUD_PAGE macros to page_types.h Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 213/305] new helper: uaccess_kernel() Ben Hutchings
                   ` (93 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexander Theissen, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Theissen <alex.theissen@me.com>

commit d7859905301880ad3e16272399d26900af3ac496 upstream.

Add another Apple Cinema Display to the list of supported displays.

Signed-off-by: Alexander Theissen <alex.theissen@me.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/appledisplay.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -64,6 +64,7 @@ static const struct usb_device_id appled
 	{ APPLEDISPLAY_DEVICE(0x921c) },
 	{ APPLEDISPLAY_DEVICE(0x921d) },
 	{ APPLEDISPLAY_DEVICE(0x9222) },
+	{ APPLEDISPLAY_DEVICE(0x9226) },
 	{ APPLEDISPLAY_DEVICE(0x9236) },
 
 	/* Terminating entry */



* [PATCH 3.16 118/305] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 104/305] xen-swiotlb: use actually allocated size on check physical continuous Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 038/305] Cipso: cipso_v4_optptr enter infinite loop Ben Hutchings
                   ` (251 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Stefano Brivio, David S. Miller, Sabrina Dubroca

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit ee1abcf689353f36d9322231b4320926096bdee0 upstream.

Commit a61bbcf28a8c ("[NET]: Store skb->timestamp as offset to a base
timestamp") introduces a neighbour control buffer and zeroes it out in
ndisc_rcv(), as ndisc_recv_ns() uses it.

Commit f2776ff04722 ("[IPV6]: Fix address/interface handling in UDP and
DCCP, according to the scoping architecture.") introduces the usage of the
IPv6 control buffer in protocol error handlers (e.g. inet6_iif() in
present-day __udp6_lib_err()).

Now, with commit b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate
redirect, instead of rt6_redirect()."), we call protocol error handlers
from ndisc_redirect_rcv(), after the control buffer is already stolen and
some parts are already zeroed out. This implies that inet6_iif() on this
path will always return zero.

This gives unexpected results on UDP socket lookup in __udp6_lib_err(), as
we might actually need to match sockets for a given interface.

Instead of always claiming the control buffer in ndisc_rcv(), do that only
when needed.

Fixes: b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect().")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ndisc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1568,10 +1568,9 @@ int ndisc_rcv(struct sk_buff *skb)
 		return 0;
 	}
 
-	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
-
 	switch (msg->icmph.icmp6_type) {
 	case NDISC_NEIGHBOUR_SOLICITATION:
+		memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
 		ndisc_recv_ns(skb);
 		break;
 
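Review bot: the memset now sits inside the NDISC_NEIGHBOUR_SOLICITATION case with nothing at that line saying why it is no longer done once before the switch. A one-line comment there, noting that claiming the neighbour control buffer wipes the IPv6 control buffer that protocol error handlers still read on the redirect path, would stop a later cleanup from hoisting it back out.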



* [PATCH 3.16 239/305] xtensa: fix coprocessor part of ptrace_{get,set}xregs
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (235 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 126/305] xtensa: add NOTES section to the linker script Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 136/305] ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path Ben Hutchings
                   ` (68 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 38a35a78c5e270cbe53c4fef6b0d3c2da90dd849 upstream.

Layout of coprocessor registers in the elf_xtregs_t and
xtregs_coprocessor_t may be different due to alignment. Thus it is not
always possible to copy data between the xtregs_coprocessor_t structure
and the elf_xtregs_t and get correct values for all registers.
Use a table of offsets and sizes of individual coprocessor register
groups to do coprocessor context copying in the ptrace_getxregs and
ptrace_setxregs.
This fixes incorrect coprocessor register values reading from the user
process by the native gdb on an xtensa core with multiple coprocessors
and registers with high alignment requirements.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/kernel/ptrace.c | 42 +++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

--- a/arch/xtensa/kernel/ptrace.c
+++ b/arch/xtensa/kernel/ptrace.c
@@ -124,12 +124,37 @@ int ptrace_setregs(struct task_struct *c
 }
 
 
+#if XTENSA_HAVE_COPROCESSORS
+#define CP_OFFSETS(cp) \
+	{ \
+		.elf_xtregs_offset = offsetof(elf_xtregs_t, cp), \
+		.ti_offset = offsetof(struct thread_info, xtregs_cp.cp), \
+		.sz = sizeof(xtregs_ ## cp ## _t), \
+	}
+
+static const struct {
+	size_t elf_xtregs_offset;
+	size_t ti_offset;
+	size_t sz;
+} cp_offsets[] = {
+	CP_OFFSETS(cp0),
+	CP_OFFSETS(cp1),
+	CP_OFFSETS(cp2),
+	CP_OFFSETS(cp3),
+	CP_OFFSETS(cp4),
+	CP_OFFSETS(cp5),
+	CP_OFFSETS(cp6),
+	CP_OFFSETS(cp7),
+};
+#endif
+
 int ptrace_getxregs(struct task_struct *child, void __user *uregs)
 {
 	struct pt_regs *regs = task_pt_regs(child);
 	struct thread_info *ti = task_thread_info(child);
 	elf_xtregs_t __user *xtregs = uregs;
 	int ret = 0;
+	int i __maybe_unused;
 
 	if (!access_ok(VERIFY_WRITE, uregs, sizeof(elf_xtregs_t)))
 		return -EIO;
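Review bot: the cp_offsets[] table is introduced without a comment explaining why the coprocessor area can no longer be copied in one piece. The reason (member offsets in elf_xtregs_t and in thread_info's xtregs_cp can differ because of alignment) is only in the changelog. Please put it above the table, and note that `.sz` comes from the xtregs_cpN_t type, so both structures are assumed to use that type for the member.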
@@ -137,8 +162,13 @@ int ptrace_getxregs(struct task_struct *
 #if XTENSA_HAVE_COPROCESSORS
 	/* Flush all coprocessor registers to memory. */
 	coprocessor_flush_all(ti);
-	ret |= __copy_to_user(&xtregs->cp0, &ti->xtregs_cp,
-			      sizeof(xtregs_coprocessor_t));
+
+	for (i = 0; i < ARRAY_SIZE(cp_offsets); ++i)
+		ret |= __copy_to_user((char __user *)xtregs +
+				      cp_offsets[i].elf_xtregs_offset,
+				      (const char *)ti +
+				      cp_offsets[i].ti_offset,
+				      cp_offsets[i].sz);
 #endif
 	ret |= __copy_to_user(&xtregs->opt, &regs->xtregs_opt,
 			      sizeof(xtregs->opt));
@@ -154,6 +184,7 @@ int ptrace_setxregs(struct task_struct *
 	struct pt_regs *regs = task_pt_regs(child);
 	elf_xtregs_t *xtregs = uregs;
 	int ret = 0;
+	int i __maybe_unused;
 
 	if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)))
 		return -EFAULT;
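Review bot: in ptrace_setxregs() the context line `elf_xtregs_t *xtregs = uregs;` has no `__user` annotation, while ptrace_getxregs() declares `elf_xtregs_t __user *xtregs` and the loop added in the next hunk has to cast to `const char __user *` to compensate. Annotating the declaration here would keep sparse coverage consistent between the two functions and make the cast read as plain pointer arithmetic.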
@@ -163,8 +194,11 @@ int ptrace_setxregs(struct task_struct *
 	coprocessor_flush_all(ti);
 	coprocessor_release_all(ti);
 
-	ret |= __copy_from_user(&ti->xtregs_cp, &xtregs->cp0,
-				sizeof(xtregs_coprocessor_t));
+	for (i = 0; i < ARRAY_SIZE(cp_offsets); ++i)
+		ret |= __copy_from_user((char *)ti + cp_offsets[i].ti_offset,
+					(const char __user *)xtregs +
+					cp_offsets[i].elf_xtregs_offset,
+					cp_offsets[i].sz);
 #endif
 	ret |= __copy_from_user(&regs->xtregs_opt, &xtregs->opt,
 				sizeof(xtregs->opt));



* [PATCH 3.16 051/305] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (295 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 152/305] usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 023/305] ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen Ben Hutchings
                   ` (8 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dominik Brodowski, Maciej S. Szmigiero

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>

commit 95691e3eddc41da2d1cd3cca51fecdfb46bd85bc upstream.

Currently, "disable_clkrun" yenta_socket module parameter is only
implemented for TI CardBus bridges.
Add also an implementation for Ricoh bridges that have the necessary
setting documented in publicly available datasheets.

Tested on a RL5C476II with a Sunrich C-160 CardBus NIC that doesn't work
correctly unless the CLKRUN protocol is disabled.

Let's also make it clear in its description that the "disable_clkrun"
module parameter only works on these two previously mentioned brands of
CardBus bridges.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pcmcia/ricoh.h        | 35 +++++++++++++++++++++++++++++++++++
 drivers/pcmcia/yenta_socket.c |  3 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)

--- a/drivers/pcmcia/ricoh.h
+++ b/drivers/pcmcia/ricoh.h
@@ -119,6 +119,10 @@
 #define  RL5C4XX_MISC_CONTROL           0x2F /* 8 bit */
 #define  RL5C4XX_ZV_ENABLE              0x08
 
+/* Misc Control 3 Register */
+#define RL5C4XX_MISC3			0x00A2 /* 16 bit */
+#define  RL5C47X_MISC3_CB_CLKRUN_DIS	BIT(1)
+
 #ifdef __YENTA_H
 
 #define rl_misc(socket)		((socket)->private[0])
@@ -156,6 +160,35 @@ static void ricoh_set_zv(struct yenta_so
         }
 }
 
+static void ricoh_set_clkrun(struct yenta_socket *socket, bool quiet)
+{
+	u16 misc3;
+
+	/*
+	 * RL5C475II likely has this setting, too, however no datasheet
+	 * is publicly available for this chip
+	 */
+	if (socket->dev->device != PCI_DEVICE_ID_RICOH_RL5C476 &&
+	    socket->dev->device != PCI_DEVICE_ID_RICOH_RL5C478)
+		return;
+
+	if (socket->dev->revision < 0x80)
+		return;
+
+	misc3 = config_readw(socket, RL5C4XX_MISC3);
+	if (misc3 & RL5C47X_MISC3_CB_CLKRUN_DIS) {
+		if (!quiet)
+			dev_dbg(&socket->dev->dev,
+				"CLKRUN feature already disabled\n");
+	} else if (disable_clkrun) {
+		if (!quiet)
+			dev_info(&socket->dev->dev,
+				 "Disabling CLKRUN feature\n");
+		misc3 |= RL5C47X_MISC3_CB_CLKRUN_DIS;
+		config_writew(socket, RL5C4XX_MISC3, misc3);
+	}
+}
+
 static void ricoh_save_state(struct yenta_socket *socket)
 {
 	rl_misc(socket) = config_readw(socket, RL5C4XX_MISC);
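Review bot: the `socket->dev->revision < 0x80` test in ricoh_set_clkrun() is an unexplained magic number. The comment above covers the device-ID check but not the revision cut-off. Please say which silicon revisions have the Misc Control 3 bit. It is also worth noting in the function comment that the bit is only ever set, never cleared, so loading without disable_clkrun leaves a previously disabled CLKRUN as it was.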
@@ -172,6 +205,7 @@ static void ricoh_restore_state(struct y
 	config_writew(socket, RL5C4XX_16BIT_IO_0, rl_io(socket));
 	config_writew(socket, RL5C4XX_16BIT_MEM_0, rl_mem(socket));
 	config_writew(socket, RL5C4XX_CONFIG, rl_config(socket));
+	ricoh_set_clkrun(socket, true);
 }
 
 
@@ -197,6 +231,7 @@ static int ricoh_override(struct yenta_s
 	config_writew(socket, RL5C4XX_CONFIG, config);
 
 	ricoh_set_zv(socket);
+	ricoh_set_clkrun(socket, false);
 
 	return 0;
 }
--- a/drivers/pcmcia/yenta_socket.c
+++ b/drivers/pcmcia/yenta_socket.c
@@ -26,7 +26,8 @@
 
 static bool disable_clkrun;
 module_param(disable_clkrun, bool, 0444);
-MODULE_PARM_DESC(disable_clkrun, "If PC card doesn't function properly, please try this option");
+MODULE_PARM_DESC(disable_clkrun,
+		 "If PC card doesn't function properly, please try this option (TI and Ricoh bridges only)");
 
 static bool isa_probe = 1;
 module_param(isa_probe, bool, 0444);



* [PATCH 3.16 194/305] libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 160/305] mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 037/305] cipso: don't use IPCB() to locate the CIPSO IP option Ben Hutchings
                   ` (183 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Diego Viola, Jens Axboe, Hans de Goede

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Diego Viola <diego.viola@gmail.com>

commit 410b5c7b48368317af95f0113692561d01d8144e upstream.

med_power_with_dipm still causes freezes after updating the firmware to
the latest version (DXT04L5Q).

Set model_rev to NULL and blacklist the device.

Signed-off-by: Diego Viola <diego.viola@gmail.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4249,7 +4249,7 @@ static const struct ata_blacklist_entry
 	/* These specific Samsung models/firmware-revs do not handle LPM well */
 	{ "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
 	{ "SAMSUNG SSD PM830 mSATA *",  "CXM13D1Q", ATA_HORKAGE_NOLPM, },
-	{ "SAMSUNG MZ7TD256HAFV-000L9", "DXT02L5Q", ATA_HORKAGE_NOLPM, },
+	{ "SAMSUNG MZ7TD256HAFV-000L9", NULL,       ATA_HORKAGE_NOLPM, },
 
 	/* devices that don't properly handle queued TRIM commands */
 	{ "Micron_M500IT_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },
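Review bot: with model_rev set to NULL the MZ7TD256HAFV-000L9 entry no longer names a firmware revision, but the comment heading this group still reads "These specific Samsung models/firmware-revs do not handle LPM well". Suggest a short trailing comment on the changed line recording that DXT04L5Q was also found to freeze, so the reason for the wildcard stays next to the entry.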



* [PATCH 3.16 166/305] SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 271/305] virtio/s390: avoid race on vcdev->config Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 241/305] kvm: mmu: Fix race in emulated page table writes Ben Hutchings
                   ` (217 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, YueHaibing, J. Bruce Fields

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 025911a5f4e36955498ed50806ad1b02f0f76288 upstream.

There is no need to have the '__be32 *p' variable static since a new value
is always assigned before it is used.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/xdr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -511,7 +511,7 @@ EXPORT_SYMBOL_GPL(xdr_commit_encode);
 
 __be32 *xdr_get_next_encode_buffer(struct xdr_stream *xdr, size_t nbytes)
 {
-	static __be32 *p;
+	__be32 *p;
 	int space_left;
 	int frag1bytes, frag2bytes;
 



* [PATCH 3.16 242/305] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (291 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 253/305] ALSA: usb-audio: Avoid nested autoresume calls Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 251/305] SUNRPC: Fix leak of krb5p encode pages Ben Hutchings
                   ` (12 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jim Mattson, Neel Natu, Paolo Bonzini,
	Konrad Rzeszutek Wilk

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Mattson <jmattson@google.com>

commit fd65d3142f734bc4376053c8d75670041903134d upstream.

Previously, we only called indirect_branch_prediction_barrier on the
logical CPU that freed a vmcb. This function should be called on all
logical CPUs that last loaded the vmcb in question.

Fixes: 15d45071523d ("KVM/x86: Add IBPB support")
Reported-by: Neel Natu <neelnatu@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/svm.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1317,21 +1317,31 @@ out:
 	return ERR_PTR(err);
 }
 
+static void svm_clear_current_vmcb(struct vmcb *vmcb)
+{
+	int i;
+
+	for_each_online_cpu(i)
+		cmpxchg(&per_cpu(svm_data, i)->current_vmcb, vmcb, NULL);
+}
+
 static void svm_free_vcpu(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
 
+	/*
+	 * The vmcb page can be recycled, causing a false negative in
+	 * svm_vcpu_load(). So, ensure that no logical CPU has this
+	 * vmcb page recorded as its current vmcb.
+	 */
+	svm_clear_current_vmcb(svm->vmcb);
+
 	__free_page(pfn_to_page(svm->vmcb_pa >> PAGE_SHIFT));
 	__free_pages(virt_to_page(svm->msrpm), MSRPM_ALLOC_ORDER);
 	__free_page(virt_to_page(svm->nested.hsave));
 	__free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
 	kvm_vcpu_uninit(vcpu);
 	kmem_cache_free(kvm_vcpu_cache, svm);
-	/*
-	 * The vmcb page can be recycled, causing a false negative in
-	 * svm_vcpu_load(). So do a full IBPB now.
-	 */
-	indirect_branch_prediction_barrier();
 }
 
 static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
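Review bot: svm_clear_current_vmcb() walks for_each_online_cpu(), so a logical CPU that is offline when the vcpu is freed keeps whatever current_vmcb it had recorded. The comment in svm_free_vcpu() says "no logical CPU" should still hold the page. Either state there why covering only online CPUs is sufficient, or consider whether the loop should cover every possible CPU.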



* [PATCH 3.16 163/305] HID: Add quirk for Microsoft PIXART OEM mouse
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 122/305] nfsd: Fix an Oops in free_session() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 232/305] Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" Ben Hutchings
                   ` (198 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jiri Kosina, Sebastian Parschauer

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Parschauer <sparschauer@suse.de>

commit e82e62e390d39c3819641cd721695702180d54fb upstream.

The PixArt OEM mice are known for disconnecting every minute in
runlevel 1 or 3 if they are not always polled. So add quirk
ALWAYS_POLL for this one as well.

References:
https://www.spinics.net/lists/linux-usb/msg88965.html
http://linet.gr.jp/~kojima/PlamoWeb/ML/htdocs/201808/msg00019.html

Signed-off-by: Sebastian Parschauer <sparschauer@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16:
 - Don't use HID_USB_DEVICE
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-ids.h           | 1 +
 drivers/hid/usbhid/hid-quirks.c | 1 +
 2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -704,6 +704,7 @@
 #define USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP 0x07e9
 #define USB_DEVICE_ID_MS_TYPE_COVER_3    0x07de
 #define USB_DEVICE_ID_MS_POWER_COVER     0x07da
+#define USB_DEVICE_ID_MS_PIXART_MOUSE    0x00cb
 
 #define USB_VENDOR_ID_MOJO		0x8282
 #define USB_DEVICE_ID_RETRO_ADAPTER	0x3201
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -117,6 +117,7 @@ static const struct hid_blacklist {
 	{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP, HID_QUIRK_NO_INIT_REPORTS },
 	{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },
 	{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER, HID_QUIRK_NO_INIT_REPORTS },
+	{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_PIXART_MOUSE, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GX680R_LED_PANEL, HID_QUIRK_NO_INIT_REPORTS },
 	{ USB_VENDOR_ID_NEXIO, USB_DEVICE_ID_NEXIO_MULTITOUCH_PTI0750, HID_QUIRK_NO_INIT_REPORTS },
 	{ USB_VENDOR_ID_NOVATEK, USB_DEVICE_ID_NOVATEK_MOUSE, HID_QUIRK_NO_INIT_REPORTS },



* [PATCH 3.16 122/305] nfsd: Fix an Oops in free_session()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 288/305] mmc: core: Reset HPI enabled state during re-init and in case of errors Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 163/305] HID: Add quirk for Microsoft PIXART OEM mouse Ben Hutchings
                   ` (199 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, J. Bruce Fields, Trond Myklebust, Trond Myklebust

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trondmy@gmail.com>

commit bb6ad5572c0022e17e846b382d7413cdcf8055be upstream.

In call_xpt_users(), we delete the entry from the list, but we
do not reinitialise it. This triggers the list poisoning when
we later call unregister_xpt_user() in nfsd4_del_conns().

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/svc_xprt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -906,7 +906,7 @@ static void call_xpt_users(struct svc_xp
 	spin_lock(&xprt->xpt_lock);
 	while (!list_empty(&xprt->xpt_users)) {
 		u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list);
-		list_del(&u->list);
+		list_del_init(&u->list);
 		u->callback(u);
 	}
 	spin_unlock(&xprt->xpt_lock);
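Review bot: the switch to list_del_init() in call_xpt_users() has no comment, and the reason for it is not visible from this function alone. A one-line comment saying that the entry is unlinked again later through unregister_xpt_user(), and so must be left as a valid empty list head, would keep someone from simplifying it back to list_del().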



* [PATCH 3.16 268/305] xhci: workaround CSS timeout on AMD SNPS 3.0 xHC
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 050/305] iio: ad5064: Fix regulator handling Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 189/305] batman-adv: Expand merged fragment buffer for full packet Ben Hutchings
                   ` (96 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Nehal Shah,
	Sandeep Singh, Kai-Heng Feng, Shyam Sundar S K, Sandeep Singh,
	Mathias Nyman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sandeep Singh <sandeep.singh@amd.com>

commit a7d57abcc8a5bdeb53bbf8e87558e8e0a2c2a29d upstream.

Occasionally AMD SNPS 3.0 xHC does not respond to
CSS when set, also it does not flag anything on SRE and HCE
to point the internal xHC errors on USBSTS register. This stalls
the entire system wide suspend and there is no point in stalling
just because xHC CSS is not responding.

To work around this problem, if the xHC does not flag
anything on SRE and HCE, we can skip the CSS
timeout and allow the system to continue the suspend. Once the
system resume happens we can internally reset the controller
using the XHCI_RESET_ON_RESUME quirk.

Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Signed-off-by: Sandeep Singh <Sandeep.Singh@amd.com>
cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Use next available quirk bit
 - Fold in commit 2419f30a4a4f "USB: xhci: fix 'broken_suspend' placement ..."
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-pci.c |  4 ++++
 drivers/usb/host/xhci.c     | 26 ++++++++++++++++++++++----
 drivers/usb/host/xhci.h     |  3 +++
 3 files changed, 29 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -130,6 +130,10 @@ static void xhci_pci_quirks(struct devic
 		 pdev->device == 0x43bb))
 		xhci->quirks |= XHCI_SUSPEND_DELAY;
 
+	if (pdev->vendor == PCI_VENDOR_ID_AMD &&
+	    (pdev->device == 0x15e0 || pdev->device == 0x15e1))
+		xhci->quirks |= XHCI_SNPS_BROKEN_SUSPEND;
+
 	if (pdev->vendor == PCI_VENDOR_ID_AMD)
 		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
 
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -908,6 +908,7 @@ int xhci_suspend(struct xhci_hcd *xhci,
 	unsigned int		delay = XHCI_MAX_HALT_USEC;
 	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
 	u32			command;
+	u32			res;
 
 	if (hcd->state != HC_STATE_SUSPENDED ||
 			xhci->shared_hcd->state != HC_STATE_SUSPENDED)
@@ -954,11 +955,28 @@ int xhci_suspend(struct xhci_hcd *xhci,
 	command = readl(&xhci->op_regs->command);
 	command |= CMD_CSS;
 	writel(command, &xhci->op_regs->command);
+	xhci->broken_suspend = 0;
 	if (xhci_handshake(xhci, &xhci->op_regs->status,
 				STS_SAVE, 0, 10 * 1000)) {
-		xhci_warn(xhci, "WARN: xHC save state timeout\n");
-		spin_unlock_irq(&xhci->lock);
-		return -ETIMEDOUT;
+	/*
+	 * AMD SNPS xHC 3.0 occasionally does not clear the
+	 * SSS bit of USBSTS and when driver tries to poll
+	 * to see if the xHC clears BIT(8) which never happens
+	 * and driver assumes that controller is not responding
+	 * and times out. To workaround this, its good to check
+	 * if SRE and HCE bits are not set (as per xhci
+	 * Section 5.4.2) and bypass the timeout.
+	 */
+		res = readl(&xhci->op_regs->status);
+		if ((xhci->quirks & XHCI_SNPS_BROKEN_SUSPEND) &&
+		    (((res & STS_SRE) == 0) &&
+				((res & STS_HCE) == 0))) {
+			xhci->broken_suspend = 1;
+		} else {
+			xhci_warn(xhci, "WARN: xHC save state timeout\n");
+			spin_unlock_irq(&xhci->lock);
+			return -ETIMEDOUT;
+		}
 	}
 	spin_unlock_irq(&xhci->lock);
 
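Review bot: the block comment added inside the `if (xhci_handshake(...))` body is indented one tab, shallower than the `res = readl(...)` it introduces, so it reads as if it belonged to the enclosing scope. It also speaks of the "SSS bit" and "BIT(8)" while the code polls STS_SAVE. Please re-indent it to the body's level and refer to the bit by the macro name used in the handshake call. The timeout is now tolerated silently on the quirk path. A debug message there would leave a trace when the workaround fires.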
@@ -1007,7 +1025,7 @@ int xhci_resume(struct xhci_hcd *xhci, b
 	set_bit(HCD_FLAG_HW_ACCESSIBLE, &xhci->shared_hcd->flags);
 
 	spin_lock_irq(&xhci->lock);
-	if (xhci->quirks & XHCI_RESET_ON_RESUME)
+	if ((xhci->quirks & XHCI_RESET_ON_RESUME) || xhci->broken_suspend)
 		hibernated = true;
 
 	if (!hibernated) {
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1572,6 +1572,7 @@ struct xhci_hcd {
 #define XHCI_U2_DISABLE_WAKE	(1 << 27)
 #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL	(1 << 28)
 #define XHCI_SUSPEND_DELAY	(1 << 30)
+#define XHCI_SNPS_BROKEN_SUSPEND    BIT(31)
 	unsigned int		num_active_eps;
 	unsigned int		limit_active_eps;
 	/* There are two roothubs to keep track of bus suspend info for */
@@ -1588,6 +1589,8 @@ struct xhci_hcd {
 	unsigned		sw_lpm_support:1;
 	/* support xHCI 1.0 spec USB2 hardware LPM */
 	unsigned		hw_lpm_support:1;
+	/* Broken Suspend flag for SNPS Suspend resume issue */
+	unsigned		broken_suspend:1;
 	/* cached usb2 extened protocol capabilites */
 	u32                     *ext_caps;
 	unsigned int            num_ext_caps;



* [PATCH 3.16 245/305] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (188 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 067/305] mach64: fix image corruption due to reading accelerator registers Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 290/305] VSOCK: Send reset control packet when socket is partially bound Ben Hutchings
                   ` (115 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Chanho Min

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b51abed8355e5556886623b2772fa6b7598d2282 upstream.

Currently the PCM core calls snd_pcm_unlink() always unconditionally
at closing a stream.  However, since snd_pcm_unlink() invokes the
global rwsem down, the lock can be easily contended.  Worse, when
a thread runs in a high priority RT-FIFO, it may stall at spinning.

Basically the call of snd_pcm_unlink() is required only for the linked
streams, which are already a rare occasion.  For normal use cases, this
code path is fairly superfluous.

As an optimization (and also as a workaround for the RT problem
above in normal situations without linked streams), this patch adds a
check before calling snd_pcm_unlink() and calls it only when needed.

Reported-by: Chanho Min <chanho.min@lge.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/pcm_native.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2025,7 +2025,8 @@ int snd_pcm_hw_constraints_complete(stru
 
 static void pcm_release_private(struct snd_pcm_substream *substream)
 {
-	snd_pcm_unlink(substream);
+	if (snd_pcm_stream_linked(substream))
+		snd_pcm_unlink(substream);
 }
 
 void snd_pcm_release_substream(struct snd_pcm_substream *substream)
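
Review bot: the snd_pcm_stream_linked() test in pcm_release_private() is made without the lock that snd_pcm_unlink() takes, so it is only safe if nothing can link this substream while it is being released. Please add a comment stating why that holds at this point, since the unlocked check is the whole optimisation.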


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 059/305] powerpc/pseries: Fix DTL buffer registration
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 012/305] x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 076/305] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) Ben Hutchings
                   ` (234 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Naveen N. Rao, Michael Ellerman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>

commit db787af1b8a6b4be428ee2ea7d409dafcaa4a43c upstream.

When CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set, we register the DTL
buffer for a cpu when the associated file under powerpc/dtl in debugfs
is opened. When doing so, we need to set the size of the buffer being
registered in the second u32 word of the buffer. This needs to be in big
endian, but we are not doing the conversion resulting in the below error
showing up in dmesg:

	dtl_start: DTL registration for cpu 0 (hw 0) failed with -4

Fix this in the obvious manner.

Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/pseries/dtl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/dtl.c
+++ b/arch/powerpc/platforms/pseries/dtl.c
@@ -149,7 +149,7 @@ static int dtl_start(struct dtl *dtl)
 
 	/* Register our dtl buffer with the hypervisor. The HV expects the
 	 * buffer size to be passed in the second word of the buffer */
-	((u32 *)dtl->buf)[1] = DISPATCH_LOG_BYTES;
+	((u32 *)dtl->buf)[1] = cpu_to_be32(DISPATCH_LOG_BYTES);
 
 	hwcpu = get_hard_smp_processor_id(dtl->cpu);
 	addr = __pa(dtl->buf);
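
Review bot: on the changed line the result of cpu_to_be32() is stored through a (u32 *) cast, which hides the endianness from sparse. Casting to (__be32 *) instead, i.e. ((__be32 *)dtl->buf)[1] = cpu_to_be32(DISPATCH_LOG_BYTES);, keeps the annotation and documents that the hypervisor reads this word big-endian.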


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 197/305] btrfs: Always try all copies when reading extent buffers
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 139/305] clockevents/drivers/i8253: Add support for PIT shutdown quirk Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 042/305] crypto: lrw - Fix out-of bounds access on counter overflow Ben Hutchings
                   ` (53 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nikolay Borisov, David Sterba, Qu Wenruo

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <nborisov@suse.com>

commit f8397d69daef06d358430d3054662fb597e37c00 upstream.

When a metadata read is served the endio routine btree_readpage_end_io_hook
is called which eventually runs the tree-checker. If tree-checker fails
to validate the read eb then it sets EXTENT_BUFFER_CORRUPT flag. This
leads to btree_read_extent_buffer_pages wrongly assuming that all
available copies of this extent buffer are wrong and failing prematurely.
Fix this by modifying btree_read_extent_buffer_pages to read all copies of
the data.

This failure was exhibited in xfstests btrfs/124 which would
spuriously fail its balance operations. The reason was that when balance
was run following re-introduction of the missing raid1 disk
__btrfs_map_block would map the read request to stripe 0, which
corresponded to devid 2 (the disk which is being removed in the test):

    item 2 key (FIRST_CHUNK_TREE CHUNK_ITEM 3553624064) itemoff 15975 itemsize 112
	length 1073741824 owner 2 stripe_len 65536 type DATA|RAID1
	io_align 65536 io_width 65536 sector_size 4096
	num_stripes 2 sub_stripes 1
		stripe 0 devid 2 offset 2156920832
		dev_uuid 8466c350-ed0c-4c3b-b17d-6379b445d5c8
		stripe 1 devid 1 offset 3553624064
		dev_uuid 1265d8db-5596-477e-af03-df08eb38d2ca

This caused read requests for a checksum item to be routed to the
stale disk which triggered the aforementioned logic involving
EXTENT_BUFFER_CORRUPT flag. This then triggered cascading failures of
the balance operation.

Fixes: a826d6dcb32d ("Btrfs: check items for correctness as we search")
Suggested-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
 - Deleted code is slightly different
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/disk-io.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -430,9 +430,9 @@ static int btree_read_extent_buffer_page
 	int mirror_num = 0;
 	int failed_mirror = 0;
 
-	clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
 	io_tree = &BTRFS_I(root->fs_info->btree_inode)->io_tree;
 	while (1) {
+		clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
 		ret = read_extent_buffer_pages(io_tree, eb, start,
 					       WAIT_COMPLETE,
 					       btree_get_extent, mirror_num);
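
Review bot: clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags) now runs at the top of every while (1) iteration but carries no comment. A one-line note that the flag describes only the copy just read, and must be reset before the next mirror is tried, would stop someone hoisting it back out of the loop.
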
@@ -444,14 +444,6 @@ static int btree_read_extent_buffer_page
 				ret = -EIO;
 		}
 
-		/*
-		 * This buffer's crc is fine, but its contents are corrupted, so
-		 * there is no reason to read the other copies, they won't be
-		 * any less wrong.
-		 */
-		if (test_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags))
-			break;
-
 		num_copies = btrfs_num_copies(root->fs_info,
 					      eb->start, eb->len);
 		if (num_copies == 1)
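
Review bot: the comment deleted together with the test_bit(EXTENT_BUFFER_CORRUPT, ...) break gave the reason for the old rule, and nothing replaces it to state the new one. Suggest a short comment before btrfs_num_copies() saying that a content-validation failure on one mirror says nothing about the other copies. Also, the diffstat above reports 10 deletions while the two hunks remove 9 lines, so it looks carried over from the upstream commit rather than regenerated for the backport.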


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 297/305] net: macb: fix dropped RX frames due to a race
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (212 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 213/305] new helper: uaccess_kernel() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 237/305] xtensa: enable coprocessors that are being flushed Ben Hutchings
                   ` (91 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Claudiu Beznea,
	Anssi Hannula, Nicolas Ferre

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 8159ecab0db9095902d4c73605fb8787f5c7d653 upstream.

Bit RX_USED set to 0 in the address field allows the controller to write
data to the receive buffer descriptor.

The driver does not ensure the ctrl field is ready (cleared) when the
controller sees the RX_USED=0 written by the driver. The ctrl field might
only be cleared after the controller has already updated it according to
a newly received frame, causing the frame to be discarded in gem_rx() due
to unexpected ctrl field contents.

A message is logged when the above scenario occurs:

  macb ff0b0000.ethernet eth0: not whole frame pointed by descriptor

Fix the issue by ensuring that when the controller sees RX_USED=0 the
ctrl field is already cleared.

This issue was observed on a ZynqMP based system.

Fixes: 4df95131ea80 ("net/macb: change RX path for GEM")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Use bp->rx_ring[entry] instead of *desc
 - Use wmb() instead of dma_wmb()
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/cadence/macb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/cadence/macb.c
+++ b/drivers/net/ethernet/cadence/macb.c
@@ -629,14 +629,19 @@ static void gem_rx_refill(struct macb *b
 
 			if (entry == RX_RING_SIZE - 1)
 				paddr |= MACB_BIT(RX_WRAP);
-			bp->rx_ring[entry].addr = paddr;
 			bp->rx_ring[entry].ctrl = 0;
+			/* Setting addr clears RX_USED and allows reception,
+			 * make sure ctrl is cleared first to avoid a race.
+			 */
+			wmb();
+			bp->rx_ring[entry].addr = paddr;
 
 			/* properly align Ethernet header */
 			skb_reserve(skb, NET_IP_ALIGN);
 		} else {
-			bp->rx_ring[entry].addr &= ~MACB_BIT(RX_USED);
 			bp->rx_ring[entry].ctrl = 0;
+			wmb();
+			bp->rx_ring[entry].addr &= ~MACB_BIT(RX_USED);
 		}
 	}
 
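
Review bot: the second wmb(), in the else branch before addr &= ~MACB_BIT(RX_USED), has no comment, while the first one does. Either hoist the explanation above the if/else or add a short reference to it, so the barrier in the buffer-reuse path is not mistaken for a leftover and removed.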


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 043/305] media: pci: cx23885: handle adding to list failure
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 077/305] ext4: fix use-after-free race in ext4_remount()'s error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 234/305] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series Ben Hutchings
                   ` (192 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans Verkuil, Mauro Carvalho Chehab,
	Nicholas Mc Guire

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit c5d59528e24ad22500347b199d52b9368e686a42 upstream.

altera_hw_filt_init() which calls append_internal() assumes
that the node was successfully linked in while in fact it can
silently fail. So the call-site needs to set return to -ENOMEM
on append_internal() returning NULL and exit through the err path.

Fixes: 349bcf02e361 ("[media] Altera FPGA based CI driver module")

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/pci/cx23885/altera-ci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/media/pci/cx23885/altera-ci.c
+++ b/drivers/media/pci/cx23885/altera-ci.c
@@ -666,6 +666,10 @@ static int altera_hw_filt_init(struct al
 		}
 
 		temp_int = append_internal(inter);
+		if (!temp_int) {
+			ret = -ENOMEM;
+			goto err;
+		}
 		inter->filts_used = 1;
 		inter->dev = config->dev;
 		inter->fpga_rw = config->fpga_rw;
@@ -700,6 +704,7 @@ err:
 		     __func__, ret);
 
 	kfree(pid_filt);
+	kfree(inter);
 
 	return ret;
 }
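
Review bot: kfree(inter) at err: is right when append_internal() returned NULL, but err: is a shared label and the hunks do not show whether it can also be reached once inter has been linked in. If it can, this frees a node that is still on the list and leaves a dangling pointer behind. Please confirm that no goto err follows a successful append_internal(), or unlink the node before freeing it; the same question applies to the kfree(inter) added at err: in altera_ci_init().
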
@@ -735,6 +740,10 @@ int altera_ci_init(struct altera_ci_conf
 		}
 
 		temp_int = append_internal(inter);
+		if (!temp_int) {
+			ret = -ENOMEM;
+			goto err;
+		}
 		inter->cis_used = 1;
 		inter->dev = config->dev;
 		inter->fpga_rw = config->fpga_rw;
@@ -803,6 +812,7 @@ err:
 	ci_dbg_print("%s: Cannot initialize CI: Error %d.\n", __func__, ret);
 
 	kfree(state);
+	kfree(inter);
 
 	return ret;
 }


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 162/305] iommu/ipmmu-vmsa: Fix crash on early domain free
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (173 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 095/305] parisc: Fix map_pages() to not overwrite existing pte entries Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 210/305] drm/ast: Remove existing framebuffers before loading driver Ben Hutchings
                   ` (130 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Joerg Roedel, Robin Murphy

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit e5b78f2e349eef5d4fca5dc1cf5a3b4b2cc27abd upstream.

If iommu_ops.add_device() fails, iommu_ops.domain_free() is still
called, leading to a crash, as the domain was only partially
initialized:

    ipmmu-vmsa e67b0000.mmu: Cannot accommodate DMA translation for IOMMU page tables
    sata_rcar ee300000.sata: Unable to initialize IPMMU context
    iommu: Failed to add device ee300000.sata to group 0: -22
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
    ...
    Call trace:
     ipmmu_domain_free+0x1c/0xa0
     iommu_group_release+0x48/0x68
     kobject_put+0x74/0xe8
     kobject_del.part.0+0x3c/0x50
     kobject_put+0x60/0xe8
     iommu_group_get_for_dev+0xa8/0x1f0
     ipmmu_add_device+0x1c/0x40
     of_iommu_configure+0x118/0x190

Fix this by checking if the domain's context already exists, before
trying to destroy it.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Fixes: d25a2a16f0889 ('iommu: Add driver for Renesas VMSA-compatible IPMMU')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/ipmmu-vmsa.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/iommu/ipmmu-vmsa.c
+++ b/drivers/iommu/ipmmu-vmsa.c
@@ -383,6 +383,9 @@ static int ipmmu_domain_init_context(str
 
 static void ipmmu_domain_destroy_context(struct ipmmu_vmsa_domain *domain)
 {
+	if (!domain->mmu)
+		return;
+
 	/*
 	 * Disable the context. Flush the TLB as required when modifying the
 	 * context registers.
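
Review bot: the new if (!domain->mmu) return; at the top of ipmmu_domain_destroy_context() has no comment saying when mmu can be NULL. A line noting that the context was never initialised for this domain would tie the check to the add_device() failure it guards against and show that it is a state test rather than blanket NULL checking.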


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 200/305] xtensa: fix boot parameters address translation
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 091/305] RDMA/cm: Respect returned status of cm_init_av_by_path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 230/305] ALSA: control: fix failure to return numerical ID in 'add' event Ben Hutchings
                   ` (281 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 40dc948f234b73497c3278875eb08a01d5854d3f upstream.

The bootloader may pass physical address of the boot parameters structure
to the MMUv3 kernel in the register a2. Code in the _SetupMMU block in
the arch/xtensa/kernel/head.S is supposed to map that physical address to
the virtual address in the configured virtual memory layout.

This code hasn't been updated when additional 256+256 and 512+512
memory layouts were introduced and it may produce wrong addresses when
used with these layouts.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/kernel/head.S | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/arch/xtensa/kernel/head.S
+++ b/arch/xtensa/kernel/head.S
@@ -88,9 +88,12 @@ _SetupMMU:
 	initialize_mmu
 #if defined(CONFIG_MMU) && XCHAL_HAVE_PTP_MMU && XCHAL_HAVE_SPANNING_WAY
 	rsr	a2, excsave1
-	movi	a3, 0x08000000
+	movi	a3, XCHAL_KSEG_PADDR
+	bltu	a2, a3, 1f
+	sub	a2, a2, a3
+	movi	a3, XCHAL_KSEG_SIZE
 	bgeu	a2, a3, 1f
-	movi	a3, 0xd0000000
+	movi	a3, XCHAL_KSEG_CACHED_VADDR
 	add	a2, a2, a3
 	wsr	a2, excsave1
 1:
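
Review bot: after sub a2, a2, a3 the register holds an offset into KSEG rather than the physical address, and the following bgeu a2, a3, 1f can still branch away with a2 in that state. excsave1 is not written on that path, so the saved value is intact, but please add a comment that the code at 1: must not rely on a2, and one describing the range being tested (XCHAL_KSEG_PADDR up to XCHAL_KSEG_PADDR + XCHAL_KSEG_SIZE).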


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 075/305] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (280 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 027/305] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 084/305] Btrfs: don't clean dirty pages during buffered writes Ben Hutchings
                   ` (23 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Bin Meng, Bjorn Helgaas

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Meng <bmeng.cn@gmail.com>

commit d0c9606b31a21028fb5b753c8ad79626292accfd upstream.

Add Device IDs to the Intel GPU "spurious interrupt" quirk table.

For these devices, unplugging the VGA cable and plugging it in again causes
spurious interrupts from the IGD.  Linux eventually disables the interrupt,
but of course that disables any other devices sharing the interrupt.

The theory is that this is a VGA BIOS defect: it should have disabled the
IGD interrupt but failed to do so.

See f67fd55fa96f ("PCI: Add quirk for still enabled interrupts on Intel
Sandy Bridge GPUs") and 7c82126a94e6 ("PCI: Add new ID for Intel GPU
"spurious interrupt" quirk") for some history.

[bhelgaas: See link below for discussion about how to fix this more
generically instead of adding device IDs for every new Intel GPU.  I hope
this is the last patch to add device IDs.]

Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.com
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/quirks.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3068,7 +3068,11 @@ static void disable_igfx_irq(struct pci_
 
 	pci_iounmap(dev, regs);
 }
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq);
 
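
Review bot: the four added DECLARE_PCI_FIXUP_FINAL() entries (0x0042, 0x0046, 0x004a, 0x0106) are bare device IDs with nothing to say which Intel GPU each one is. A trailing comment per entry, or per group, would let the table be audited against hardware without looking each ID up.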


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 106/305] libceph: bump CEPH_MSG_MAX_DATA_LEN
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 168/305] net: stmmac: Fix RX packet size > 8191 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 282/305] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Ben Hutchings
                   ` (206 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ilya Dryomov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 94e6992bb560be8bffb47f287194adf070b57695 upstream.

If the read is large enough, we end up spinning in the messenger:

  libceph: osd0 192.168.122.1:6801 io error
  libceph: osd0 192.168.122.1:6801 io error
  libceph: osd0 192.168.122.1:6801 io error

This is a receive side limit, so only reads were affected.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/ceph/libceph.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/include/linux/ceph/libceph.h
+++ b/include/linux/ceph/libceph.h
@@ -67,7 +67,13 @@ struct ceph_options {
 
 #define CEPH_MSG_MAX_FRONT_LEN	(16*1024*1024)
 #define CEPH_MSG_MAX_MIDDLE_LEN	(16*1024*1024)
-#define CEPH_MSG_MAX_DATA_LEN	(16*1024*1024)
+
+/*
+ * Handle the largest possible rbd object in one message.
+ * There is no limit on the size of cephfs objects, but it has to obey
+ * rsize and wsize mount options anyway.
+ */
+#define CEPH_MSG_MAX_DATA_LEN	(32*1024*1024)
 
 #define CEPH_AUTH_NAME_DEFAULT   "guest"
 
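
Review bot: CEPH_MSG_MAX_DATA_LEN is a receive-side bound on a length supplied by the peer, and the new comment justifies 32*1024*1024 as "the largest possible rbd object" without pointing at where that maximum is defined. Please name the rbd limit in the comment or derive the value from it, so that the two cannot drift apart and the doubled acceptance window stays a deliberate choice.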


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 079/305] iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 240/305] ext2: fix potential use after free Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 263/305] usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device Ben Hutchings
                   ` (220 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Luca Coelho, Kalle Valo

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Luca Coelho <luciano.coelho@intel.com>

commit 3d71c3f1f50cf309bd20659422af549bc784bfff upstream.

The rs_rate_from_ucode_rate() function may return -EINVAL if the rate
is invalid, but none of the callsites check for the error, potentially
making us access arrays with index IWL_RATE_INVALID, which is larger
than the arrays, causing an out-of-bounds access.  This will trigger
KASAN warnings, such as the one reported in the bugzilla issue
mentioned below.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=200659

Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - Fix up one additional caller
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/iwlwifi/mvm/rs.c
+++ b/drivers/net/wireless/iwlwifi/mvm/rs.c
@@ -1057,7 +1057,10 @@ static void rs_tx_status(void *mvm_r, st
 	 */
 	table = &lq_sta->lq;
 	ucode_rate = le32_to_cpu(table->rs_table[0]);
-	rs_rate_from_ucode_rate(ucode_rate, info->band, &rate);
+	if (rs_rate_from_ucode_rate(ucode_rate, info->band, &rate)) {
+		WARN_ON_ONCE(1);
+		return;
+	}
 	if (info->band == IEEE80211_BAND_5GHZ)
 		rate.index -= IWL_FIRST_OFDM_RATE;
 	mac_flags = info->status.rates[0].flags;
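
Review bot: in rs_tx_status() the check is spelled as an if with WARN_ON_ONCE(1) in its body; WARN_ON_ONCE() returns its condition, so if (WARN_ON_ONCE(rs_rate_from_ucode_rate(ucode_rate, info->band, &rate))) return; does the same in one statement. That applies to every call site touched by this patch.
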
@@ -1161,7 +1164,10 @@ static void rs_tx_status(void *mvm_r, st
 	 */
 	if (info->flags & IEEE80211_TX_STAT_AMPDU) {
 		ucode_rate = le32_to_cpu(table->rs_table[0]);
-		rs_rate_from_ucode_rate(ucode_rate, info->band, &rate);
+		if (rs_rate_from_ucode_rate(ucode_rate, info->band, &rate)) {
+			WARN_ON_ONCE(1);
+			return;
+		}
 		rs_collect_tx_data(lq_sta, curr_tbl, rate.index,
 				   info->status.ampdu_len,
 				   info->status.ampdu_ack_len,
@@ -1186,7 +1192,12 @@ static void rs_tx_status(void *mvm_r, st
 		/* Collect data for each rate used during failed TX attempts */
 		for (i = 0; i <= retries; ++i) {
 			ucode_rate = le32_to_cpu(table->rs_table[i]);
-			rs_rate_from_ucode_rate(ucode_rate, info->band, &rate);
+			if (rs_rate_from_ucode_rate(ucode_rate, info->band,
+						    &rate)) {
+				WARN_ON_ONCE(1);
+				return;
+			}
+
 			/*
 			 * Only collect stats if retried rate is in the same RS
 			 * table as active/search.
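
Review bot: the return inside the for (i = 0; i <= retries; ++i) loop leaves rs_tx_status() on the first bad rs_table[i], dropping the remaining retries and whatever the function does after the loop. If only the offending entry should be skipped, continue is the narrower fix; if bailing out of the whole function is intended, say so in a comment.
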
@@ -2677,7 +2688,10 @@ static void rs_build_rates_table_from_fi
 	for (i = 0; i < num_rates; i++)
 		lq_cmd->rs_table[i] = ucode_rate_le32;
 
-	rs_rate_from_ucode_rate(ucode_rate, band, &rate);
+	if (rs_rate_from_ucode_rate(ucode_rate, band, &rate)) {
+		WARN_ON_ONCE(1);
+		return;
+	}
 
 	if (is_mimo(&rate))
 		lq_cmd->mimo_delim = num_rates - 1;
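
Review bot: in rs_build_rates_table_from_fixed() the new check comes after the loop that has already copied ucode_rate_le32 into every lq_cmd->rs_table[i], so on failure the function returns with the invalid rate written to the table. Move the rs_rate_from_ucode_rate() check above the for loop so nothing is filled in before the rate has been validated.
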
@@ -2928,8 +2942,11 @@ static void rs_program_fix_rate(struct i
 
 	if (lq_sta->dbg_fixed_rate) {
 		struct rs_rate rate;
-		rs_rate_from_ucode_rate(lq_sta->dbg_fixed_rate,
-					lq_sta->band, &rate);
+		if (rs_rate_from_ucode_rate(lq_sta->dbg_fixed_rate,
+					    lq_sta->band, &rate)) {
+			WARN_ON_ONCE(1);
+			return;
+		}
 		rs_fill_lq_cmd(mvm, NULL, lq_sta, &rate);
 		iwl_mvm_send_lq_cmd(lq_sta->drv, &lq_sta->lq, false);
 	}


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 247/305] dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 199/305] netfilter: nf_tables: fix use-after-free when deleting compat expressions Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 034/305] media: em28xx: make v4l2-compliance happier by starting sequence on zero Ben Hutchings
                   ` (293 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexandre Belloni, Mario Forner,
	Vinod Koul, Richard Genoud, Ludovic Desroches

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Genoud <richard.genoud@gmail.com>

commit 98f5f932254b88ce828bc8e4d1642d14e5854caa upstream.

The leak was found when opening/closing a serial port a great number of
times, increasing kmalloc-32 in slabinfo.

Each time the port was opened, dma_request_slave_channel() was called.
Then, in at_dma_xlate(), atslave was allocated with devm_kzalloc() and
never freed. (Well, it was freed at module unload, but that's not what we
want).
So, here, kzalloc is more suited for the job since it has to be freed in
atc_free_chan_resources().

Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding")
Reported-by: Mario Forner <m.forner@be4energy.com>
Suggested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/at_hdmac.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -1231,6 +1231,12 @@ static void atc_free_chan_resources(stru
 	atchan->status = 0;
 	atchan->remain_desc = 0;
 
+	/*
+	 * Free atslave allocated in at_dma_xlate()
+	 */
+	kfree(chan->private);
+	chan->private = NULL;
+
 	dev_vdbg(chan2dev(chan), "free_chan_resources: done\n");
 }
 
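
Review bot: kfree(chan->private) in atc_free_chan_resources() assumes chan->private always holds the atslave allocated in at_dma_xlate(). If a channel can reach this function with private set some other way, this frees memory the driver does not own; please confirm at_dma_xlate() is the only writer, or track ownership explicitly.
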
@@ -1265,7 +1271,7 @@ static struct dma_chan *at_dma_xlate(str
 	dma_cap_zero(mask);
 	dma_cap_set(DMA_SLAVE, mask);
 
-	atslave = devm_kzalloc(&dmac_pdev->dev, sizeof(*atslave), GFP_KERNEL);
+	atslave = kzalloc(sizeof(*atslave), GFP_KERNEL);
 	if (!atslave)
 		return NULL;
 
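
Review bot: switching atslave from devm_kzalloc() to kzalloc() means at_dma_xlate() now owns the allocation on every exit, and the only exit visible here is the !atslave check. Any later failure return in this function needs a kfree(atslave), otherwise the leak moves from the success path to the error path.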


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 140/305] x86/hyper-v: Enable PIT shutdown quirk
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 019/305] media: v4l: event: Add subscription to list before calling "add" operation Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 129/305] kbuild: fix kernel/bounds.c 'W=1' warning Ben Hutchings
                   ` (155 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, KY Srinivasan, jgross, marcelo.cerri,
	gregkh, olaf, akataria, daniel.lezcano, apw, jasowang, devel,
	vkuznets, Thomas Gleixner, Michael Kelley, virtualization

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Kelley <mikelley@microsoft.com>

commit 1de72c706488b7be664a601cf3843bd01e327e58 upstream.

Hyper-V emulation of the PIT has a quirk such that the normal PIT shutdown
path doesn't work, because clearing the counter register restarts the
timer.

Disable the counter clearing on PIT shutdown.

Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: "devel@linuxdriverproject.org" <devel@linuxdriverproject.org>
Cc: "daniel.lezcano@linaro.org" <daniel.lezcano@linaro.org>
Cc: "virtualization@lists.linux-foundation.org" <virtualization@lists.linux-foundation.org>
Cc: "jgross@suse.com" <jgross@suse.com>
Cc: "akataria@vmware.com" <akataria@vmware.com>
Cc: "olaf@aepfle.de" <olaf@aepfle.de>
Cc: "apw@canonical.com" <apw@canonical.com>
Cc: vkuznets <vkuznets@redhat.com>
Cc: "jasowang@redhat.com" <jasowang@redhat.com>
Cc: "marcelo.cerri@canonical.com" <marcelo.cerri@canonical.com>
Cc: KY Srinivasan <kys@microsoft.com>
Link: https://lkml.kernel.org/r/1541303219-11142-3-git-send-email-mikelley@microsoft.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/cpu/mshyperv.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/x86/kernel/cpu/mshyperv.c
+++ b/arch/x86/kernel/cpu/mshyperv.c
@@ -18,6 +18,7 @@
 #include <linux/efi.h>
 #include <linux/interrupt.h>
 #include <linux/irq.h>
+#include <linux/i8253.h>
 #include <asm/processor.h>
 #include <asm/hypervisor.h>
 #include <asm/hyperv.h>
@@ -143,6 +144,16 @@ static void __init ms_hyperv_init_platfo
 	no_timer_check = 1;
 #endif
 
+	/*
+	 * Hyper-V VMs have a PIT emulation quirk such that zeroing the
+	 * counter register during PIT shutdown restarts the PIT. So it
+	 * continues to interrupt @18.2 HZ. Setting i8253_clear_counter
+	 * to false tells pit_shutdown() not to zero the counter so that
+	 * the PIT really is shutdown. Generation 2 VMs don't have a PIT,
+	 * and setting this value has no effect.
+	 */
+	i8253_clear_counter_on_shutdown = false;
+
 }
 
 const __refconst struct hypervisor_x86 x86_hyper_ms_hyperv = {
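
Review bot: the assignment to i8253_clear_counter_on_shutdown depends on a variable this file does not define, which the series appears to add in 139/305 ("clockevents/drivers/i8253: Add support for PIT shutdown quirk"), so the two must be applied in that order for the branch to stay bisectable. Separately, the hunk leaves an empty line between the assignment and the closing brace of ms_hyperv_init_platform(), which can be dropped.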


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 066/305] mach64: fix display corruption on big endian machines
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 011/305] timer/debug: Change /proc/timer_list from 0444 to 0400 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 183/305] Drivers: hv: kvp: Fix the recent regression caused by incorrect clean-up Ben Hutchings
                   ` (203 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ville Syrjälä,
	Mikulas Patocka, Bartlomiej Zolnierkiewicz

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 3c6c6a7878d00a3ac997a779c5b9861ff25dfcc8 upstream.

The code for manual bit triple is not endian-clean. It builds the variable
"hostdword" using byte accesses, therefore we must read the variable with
"le32_to_cpu".

The patch also enables (hardware or software) bit triple only if the image
is monochrome (image->depth). If we want to blit full-color image, we
shouldn't use the triple code.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Ville Syrjälä <syrjala@sci.fi>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/aty/mach64_accel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/video/fbdev/aty/mach64_accel.c
+++ b/drivers/video/fbdev/aty/mach64_accel.c
@@ -344,7 +344,7 @@ void atyfb_imageblit(struct fb_info *inf
 		 * since Rage 3D IIc we have DP_HOST_TRIPLE_EN bit
 		 * this hwaccelerated triple has an issue with not aligned data
 		 */
-		if (M64_HAS(HW_TRIPLE) && image->width % 8 == 0)
+		if (image->depth == 1 && M64_HAS(HW_TRIPLE) && image->width % 8 == 0)
 			pix_width |= DP_HOST_TRIPLE_EN;
 	}
 
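Review bot: The comment above the DP_HOST_TRIPLE_EN test in atyfb_imageblit() still describes only the alignment issue and does not say why the hardware triple is now limited to image->depth == 1; a short note that the triple path is for monochrome images only would save the next reader a trip to the changelog. The new condition also runs past 80 columns at this indentation and could be wrapped after the depth check.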
@@ -381,7 +381,7 @@ void atyfb_imageblit(struct fb_info *inf
 	src_bytes = (((image->width * image->depth) + 7) / 8) * image->height;
 
 	/* manual triple each pixel */
-	if (info->var.bits_per_pixel == 24 && !(pix_width & DP_HOST_TRIPLE_EN)) {
+	if (image->depth == 1 && info->var.bits_per_pixel == 24 && !(pix_width & DP_HOST_TRIPLE_EN)) {
 		int inbit, outbit, mult24, byte_id_in_dword, width;
 		u8 *pbitmapin = (u8*)image->data, *pbitmapout;
 		u32 hostdword;
@@ -414,7 +414,7 @@ void atyfb_imageblit(struct fb_info *inf
 				}
 			}
 			wait_for_fifo(1, par);
-			aty_st_le32(HOST_DATA0, hostdword, par);
+			aty_st_le32(HOST_DATA0, le32_to_cpu(hostdword), par);
 		}
 	} else {
 		u32 *pbitmap, dwords = (src_bytes + 3) / 4;
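Review bot: le32_to_cpu(hostdword) in the manual-triple loop is applied to a variable declared as plain u32 in the previous hunk, so sparse endianness checking will likely flag the conversion, and nothing at the call site explains that hostdword was assembled byte by byte. Either type it as __le32 or add a one-line comment next to the aty_st_le32() call stating that the value is held in little-endian byte order.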



* [PATCH 3.16 234/305] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 043/305] media: pci: cx23885: handle adding to list failure Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 113/305] smb3: do not attempt cifs operation in smb3 query info error path Ben Hutchings
                   ` (191 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Michael Niewöhner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Niewöhner <linux@mniewoehner.de>

commit effd14f66cc1ef6701a19c5a56e39c35f4d395a5 upstream.

Cherry G230 Stream 2.0 (G85-231) and 3.0 (G85-232) need this quirk to
function correctly. This fixes a bug where double pressing numlock locks
up the device completely with need to replug the keyboard.

Signed-off-by: Michael Niewöhner <linux@mniewoehner.de>
Tested-by: Michael Niewöhner <linux@mniewoehner.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -64,6 +64,9 @@ static const struct usb_device_id usb_qu
 	/* Microsoft LifeCam-VX700 v2.0 */
 	{ USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */
+	{ USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
+
 	/* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */
 	{ USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
 	{ USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT },
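Review bot: The comment on the new usb_quirk_list entry names two keyboards, Stream 2.0 (G85-231) and 3.0 (G85-232), but only one vendor/product pair (0x046a, 0x0023) is added; please confirm both models report that ID, or say so in the comment. The comment also spells the product "Cherry Stream G230" while the subject line uses "Cherry G230 Stream".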



* [PATCH 3.16 207/305] net-gro: reset skb->pkt_type in napi_reuse_skb()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (130 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 202/305] usb: core: Fix hub port connection events lost Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 173/305] fuse: fix leaked notify reply Ben Hutchings
                   ` (173 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David S. Miller, Eric Dumazet

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 33d9a2c72f086cbf1087b2fd2d1a15aa9df14a7f upstream.

eth_type_trans() assumes initial value for skb->pkt_type
is PACKET_HOST.

This is indeed the value right after a fresh skb allocation.

However, it is possible that GRO merged a packet with a different
value (like PACKET_OTHERHOST in case macvlan is used), so
we need to make sure napi->skb will have pkt_type set back to
PACKET_HOST.

Otherwise, valid packets might be dropped by the stack because
their pkt_type is not PACKET_HOST.

napi_reuse_skb() was added in commit 96e93eab2033 ("gro: Add
internal interfaces for VLAN"), but this bug always has
been there.

Fixes: 96e93eab2033 ("gro: Add internal interfaces for VLAN")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4170,6 +4170,10 @@ static void napi_reuse_skb(struct napi_s
 	skb->vlan_tci = 0;
 	skb->dev = napi->dev;
 	skb->skb_iif = 0;
+
+	/* eth_type_trans() assumes pkt_type is PACKET_HOST */
+	skb->pkt_type = PACKET_HOST;
+
 	skb->encapsulation = 0;
 	skb_shinfo(skb)->gso_type = 0;
 	skb->truesize = SKB_TRUESIZE(skb_end_offset(skb));
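Review bot: The comment added in napi_reuse_skb() states what eth_type_trans() assumes but not why pkt_type can differ from PACKET_HOST on a reused skb; a few words that GRO may have merged a packet with another type (the changelog cites PACKET_OTHERHOST with macvlan) would make the reset self-explanatory next to the other field resets.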



* [PATCH 3.16 193/305] libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 129/305] kbuild: fix kernel/bounds.c 'W=1' warning Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 064/305] USB: serial: cypress_m8: fix interrupt-out transfer length Ben Hutchings
                   ` (153 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans de Goede, Jens Axboe, Diego Viola

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Diego Viola <diego.viola@gmail.com>

commit a435ab4f80f983c53b4ca4f8c12b3ddd3ca17670 upstream.

med_power_with_dipm causes my T450 to freeze with a SAMSUNG
MZ7TD256HAFV-000L9 SSD (firmware DXT02L5Q).

Switching the LPM to max_performance fixes this issue.

Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Diego Viola <diego.viola@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-core.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4249,6 +4249,7 @@ static const struct ata_blacklist_entry
 	/* These specific Samsung models/firmware-revs do not handle LPM well */
 	{ "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
 	{ "SAMSUNG SSD PM830 mSATA *",  "CXM13D1Q", ATA_HORKAGE_NOLPM, },
+	{ "SAMSUNG MZ7TD256HAFV-000L9", "DXT02L5Q", ATA_HORKAGE_NOLPM, },
 
 	/* devices that don't properly handle queued TRIM commands */
 	{ "Micron_M500IT_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM, },



* [PATCH 3.16 159/305] mount: Retest MNT_LOCKED in do_umount
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 046/305] fuse: fix blocked_waitq wakeup Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 091/305] RDMA/cm: Respect returned status of cm_init_av_by_path Ben Hutchings
                   ` (283 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Eric W. Biederman, Al Viro

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 25d202ed820ee347edec0bf3bf553544556bf64b upstream.

It was recently pointed out that the one instance of testing MNT_LOCKED
outside of the namespace_sem is in ksys_umount.

Fix that by adding a test inside of do_umount with namespace_sem and
the mount_lock held.  As it helps to fail fast the existing test is
maintained with an additional comment pointing out that it may be racy
because the locks are not held.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1423,8 +1423,13 @@ static int do_umount(struct mount *mnt,
 
 	namespace_lock();
 	lock_mount_hash();
-	event++;
 
+	/* Recheck MNT_LOCKED with the locks held */
+	retval = -EINVAL;
+	if (mnt->mnt.mnt_flags & MNT_LOCKED)
+		goto out;
+
+	event++;
 	if (flags & MNT_DETACH) {
 		if (!list_empty(&mnt->mnt_list))
 			umount_tree(mnt, UMOUNT_PROPAGATE);
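Review bot: After the new recheck in do_umount(), retval stays at -EINVAL unless a later branch overwrites it, and the lines shown in this hunk do not assign it in the MNT_DETACH branch; please confirm every path below sets retval before reaching the out label. Style nit: moving event++ dropped the blank line that used to separate it from the if (flags & MNT_DETACH) block.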
@@ -1438,6 +1443,7 @@ static int do_umount(struct mount *mnt,
 			retval = 0;
 		}
 	}
+out:
 	unlock_mount_hash();
 	namespace_unlock();
 	return retval;
@@ -1484,7 +1490,7 @@ SYSCALL_DEFINE2(umount, char __user *, n
 		goto dput_and_out;
 	if (!check_mnt(mnt))
 		goto dput_and_out;
-	if (mnt->mnt.mnt_flags & MNT_LOCKED)
+	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
 		goto dput_and_out;
 	retval = -EPERM;
 	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
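Review bot: The trailing comment "/* Check optimistically */" on the unlocked MNT_LOCKED test in the umount syscall does not tell the reader that this check may be racy and that the authoritative one is in do_umount() with namespace_sem and mount_lock held, which is what the changelog promises. Suggest a comment line above the test saying so instead of a trailing remark.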



* [PATCH 3.16 078/305] gfs2_meta: ->mount() can get NULL dev_name
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (253 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 221/305] drm/ast: fixed cursor may disappear sometimes Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 071/305] mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus Ben Hutchings
                   ` (50 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Al Viro, syzbot+c54f8e94e6bba03b04e9

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream.

get in sync with mount_bdev() handling of the same

Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/gfs2/ops_fstype.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1365,6 +1365,9 @@ static struct dentry *gfs2_mount_meta(st
 	struct path path;
 	int error;
 
+	if (!dev_name || !*dev_name)
+		return ERR_PTR(-EINVAL);
+
 	error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
 	if (error) {
 		pr_warn("path_lookup on %s returned error %d\n",
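Review bot: The new NULL/empty dev_name check at the top of gfs2_mount_meta() returns -EINVAL silently, while the kern_path() failure directly below logs via pr_warn(); that is fine if intentional, but nothing in the code says when dev_name can be NULL. A one-line comment above the check (for example that ->mount() may be called without a device name, as the subject says) would document why the guard exists.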



* [PATCH 3.16 288/305] mmc: core: Reset HPI enabled state during re-init and in case of errors
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (103 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 032/305] media: em28xx: use a default format if TRY_FMT fails Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 122/305] nfsd: Fix an Oops in free_session() Ben Hutchings
                   ` (200 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ulf Hansson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit a0741ba40a009f97c019ae7541dc61c1fdf41efb upstream.

During a re-initialization of the eMMC card, we may fail to re-enable HPI.
In these cases, that isn't properly reflected in the card->ext_csd.hpi_en
bit, as it keeps being set. This may cause following attempts to use HPI,
even if it's not enabled. Let's fix this!

Fixes: eb0d8f135b67 ("mmc: core: support HPI send command")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/mmc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1418,9 +1418,11 @@ static int mmc_init_card(struct mmc_host
 		if (err) {
 			pr_warning("%s: Enabling HPI failed\n",
 				   mmc_hostname(card->host));
+			card->ext_csd.hpi_en = 0;
 			err = 0;
-		} else
+		} else {
 			card->ext_csd.hpi_en = 1;
+		}
 	}
 
 	/*



* [PATCH 3.16 056/305] VMCI: Resource wildcard match fixed
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 208/305] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 121/305] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops Ben Hutchings
                   ` (273 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hangbin Liu, Greg Kroah-Hartman,
	Adit Ranadive, Vishnu Dasa, Jorgen Hansen

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jorgen Hansen <jhansen@vmware.com>

commit 11924ba5e671d6caef1516923e2bd8c72929a3fe upstream.

When adding a VMCI resource, the check for an existing entry
would ignore that the new entry could be a wildcard. This could
result in multiple resource entries that would match a given
handle. One disastrous outcome of this is that the
refcounting used to ensure that delayed callbacks for VMCI
datagrams have run before the datagram is destroyed can be
wrong, since the refcount could be increased on the duplicate
entry. This in turn leads to a use after free bug. This issue
was discovered by Hangbin Liu using KASAN and syzkaller.

Fixes: bc63dedb7d46 ("VMCI: resource object implementation")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Adit Ranadive <aditr@vmware.com>
Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: Drop the version change.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -56,7 +56,8 @@ static struct vmci_resource *vmci_resour
 
 		if (r->type == type &&
 		    rid == handle.resource &&
-		    (cid == handle.context || cid == VMCI_INVALID_ID)) {
+		    (cid == handle.context || cid == VMCI_INVALID_ID ||
+		     handle.context == VMCI_INVALID_ID)) {
 			resource = r;
 			break;
 		}
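Review bot: Adding handle.context == VMCI_INVALID_ID to the match condition in the resource lookup makes a wildcard query match any stored context for the same resource ID and type, and that applies to every caller of this lookup, not only the duplicate check on add that the changelog describes. Please confirm no caller passes a wildcard handle expecting to find only a wildcard entry, and add a comment above the condition explaining that the wildcard is now honoured on both sides.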



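The duplicate-entry condition described in the VMCI changelog above, as an added example that is not part of the patch or of the VMCI driver. The table, the struct and function names, and the numeric value of the wildcard are assumptions made for this model; the resource type field is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for VMCI_INVALID_ID used as the "any context" wildcard.
 * The numeric value is an assumption made for this model. */
#define WILDCARD_ID 0xFFFFFFFFu
#define TABLE_MAX   8

/* Hypothetical, simplified handle and resource table. */
struct handle { uint32_t context; uint32_t resource; };
struct table  { struct handle entry[TABLE_MAX]; size_t n; };

typedef int (*match_fn)(struct handle stored, struct handle query);

/* Match rule before the patch: only a stored wildcard is honoured. */
static int match_old(struct handle stored, struct handle query)
{
	return stored.resource == query.resource &&
	       (stored.context == query.context ||
		stored.context == WILDCARD_ID);
}

/* Match rule after the patch: a wildcard in the query is honoured too. */
static int match_fixed(struct handle stored, struct handle query)
{
	return stored.resource == query.resource &&
	       (stored.context == query.context ||
		stored.context == WILDCARD_ID ||
		query.context == WILDCARD_ID);
}

static size_t count_matches(const struct table *t, struct handle query,
			    match_fn match)
{
	size_t i, hits = 0;

	for (i = 0; i < t->n; i++)
		if (match(t->entry[i], query))
			hits++;
	return hits;
}

/* Add refuses a handle that the lookup says already exists.
 * Returns 0 on success, -1 if rejected or the table is full. */
static int table_add(struct table *t, struct handle h, match_fn match)
{
	if (count_matches(t, h, match) > 0 || t->n == TABLE_MAX)
		return -1;
	t->entry[t->n++] = h;
	return 0;
}

/* Register a specific handle, then a wildcard one for the same resource,
 * and report how many entries a later lookup of the specific handle hits.
 * More than one hit means reference counts can land on the wrong entry. */
static size_t matches_after_wildcard_add(match_fn match)
{
	struct table t = { .n = 0 };
	struct handle specific = { 5, 1 };            /* constructed sample */
	struct handle wildcard = { WILDCARD_ID, 1 };  /* constructed sample */

	table_add(&t, specific, match);
	table_add(&t, wildcard, match);
	return count_matches(&t, specific, match);
}

int main(void)
{
	printf("old rule:   %zu matching entries\n",
	       matches_after_wildcard_add(match_old));
	printf("fixed rule: %zu matching entries\n",
	       matches_after_wildcard_add(match_fixed));
	return 0;
}
```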
* [PATCH 3.16 151/305] USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 188/305] batman-adv: Use only queued fragments when merging Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 003/305] x86/asm: Fix pud/pmd interfaces to handle large PAT bit Ben Hutchings
                   ` (45 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alan Stern, Greg Kroah-Hartman, Kai-Heng Feng

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 781f0766cc41a9dd2e5d118ef4b1d5d89430257b upstream.

Devices connected under Terminus Technology Inc. Hub (1a40:0101) may
fail to work after the system resumes from suspend:
[  206.063325] usb 3-2.4: reset full-speed USB device number 4 using xhci_hcd
[  206.143691] usb 3-2.4: device descriptor read/64, error -32
[  206.351671] usb 3-2.4: device descriptor read/64, error -32

Info for this hub:
T:  Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  2 Spd=480 MxCh= 4
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=1a40 ProdID=0101 Rev=01.11
S:  Product=USB 2.0 Hub
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

Some experiments indicate that the USB devices connected to the hub are
innocent, it's the hub itself that is to blame. The hub needs extra delay
time after it resets its port.

Hence wait for extra delay, if the device is connected to this quirky
hub.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Drop module parameter changes
 - We don't have a USB_PORT_QUIRK_FAST_ENUM quirk]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2671,6 +2671,7 @@ static int hub_port_reset(struct usb_hub
 	int i, status;
 	u16 portchange, portstatus;
 	struct usb_port *port_dev = hub->ports[port1 - 1];
+	int reset_recovery_time;
 
 	if (!hub_is_superspeed(hub->hdev)) {
 		if (warm) {
@@ -2760,7 +2761,14 @@ static int hub_port_reset(struct usb_hub
 done:
 	if (status == 0) {
 		/* TRSTRCY = 10 ms; plus some extra */
-		msleep(10 + 40);
+		reset_recovery_time = 10 + 40;
+
+		/* Hub needs extra delay after resetting its port. */
+		if (hub->hdev->quirks & USB_QUIRK_HUB_SLOW_RESET)
+			reset_recovery_time += 100;
+
+		msleep(reset_recovery_time);
+
 		if (udev) {
 			struct usb_hcd *hcd = bus_to_hcd(udev->bus);
 
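Review bot: The extra 100 ms added to reset_recovery_time in hub_port_reset() for USB_QUIRK_HUB_SLOW_RESET is a bare number with no indication of how it was chosen; a named constant or a comment giving its origin (the 1a40:0101 hub from the changelog) would help when the next slow hub shows up. reset_recovery_time is also used only inside the if (status == 0) block, so it could be declared there rather than at function scope.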
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -229,6 +229,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
 			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
 
+	/* Terminus Technology Inc. Hub */
+	{ USB_DEVICE(0x1a40, 0x0101), .driver_info = USB_QUIRK_HUB_SLOW_RESET },
+
 	/* Corsair K70 RGB */
 	{ USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
 
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -59,4 +59,7 @@
 /* Device needs a pause after every control message. */
 #define USB_QUIRK_DELAY_CTRL_MSG		BIT(13)
 
+/* Hub needs extra delay after resetting its port. */
+#define USB_QUIRK_HUB_SLOW_RESET		BIT(14)
+
 #endif /* __LINUX_USB_QUIRKS_H */



* [PATCH 3.16 244/305] s390/qeth: fix length check in SNMP processing
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 290/305] VSOCK: Send reset control packet when socket is partially bound Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 028/305] scsi: qla2xxx: shutdown chip if reset fail Ben Hutchings
                   ` (113 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Ursula Braun, Julian Wiedmann

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <jwi@linux.ibm.com>

commit 9a764c1e59684c0358e16ccaafd870629f2cfe67 upstream.

The response for a SNMP request can consist of multiple parts, which
the cmd callback stages into a kernel buffer until all parts have been
received. If the callback detects that the staging buffer provides
insufficient space, it bails out with error.
This processing is buggy for the first part of the response - while it
initially checks for a length of 'data_len', it later copies an
additional amount of 'offsetof(struct qeth_snmp_cmd, data)' bytes.

Fix the calculation of 'data_len' for the first part of the response.
This also nicely cleans up the memcpy code.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Reviewed-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_core_main.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -4414,8 +4414,8 @@ static int qeth_snmp_command_cb(struct q
 {
 	struct qeth_ipa_cmd *cmd;
 	struct qeth_arp_query_info *qinfo;
-	struct qeth_snmp_cmd *snmp;
 	unsigned char *data;
+	void *snmp_data;
 	__u16 data_len;
 
 	QETH_CARD_TEXT(card, 3, "snpcmdcb");
@@ -4423,7 +4423,6 @@ static int qeth_snmp_command_cb(struct q
 	cmd = (struct qeth_ipa_cmd *) sdata;
 	data = (unsigned char *)((char *)cmd - reply->offset);
 	qinfo = (struct qeth_arp_query_info *) reply->param;
-	snmp = &cmd->data.setadapterparms.data.snmp;
 
 	if (cmd->hdr.return_code) {
 		QETH_CARD_TEXT_(card, 4, "scer1%i", cmd->hdr.return_code);
@@ -4436,10 +4435,15 @@ static int qeth_snmp_command_cb(struct q
 		return 0;
 	}
 	data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data));
-	if (cmd->data.setadapterparms.hdr.seq_no == 1)
-		data_len -= (__u16)((char *)&snmp->data - (char *)cmd);
-	else
-		data_len -= (__u16)((char *)&snmp->request - (char *)cmd);
+	if (cmd->data.setadapterparms.hdr.seq_no == 1) {
+		snmp_data = &cmd->data.setadapterparms.data.snmp;
+		data_len -= offsetof(struct qeth_ipa_cmd,
+				     data.setadapterparms.data.snmp);
+	} else {
+		snmp_data = &cmd->data.setadapterparms.data.snmp.request;
+		data_len -= offsetof(struct qeth_ipa_cmd,
+				     data.setadapterparms.data.snmp.request);
+	}
 
 	/* check if there is enough room in userspace */
 	if ((qinfo->udata_len - qinfo->udata_offset) < data_len) {
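Review bot: data_len is a __u16 read from the PDU, and the new code in qeth_snmp_command_cb() subtracts offsetof(struct qeth_ipa_cmd, ...) from it without first checking that the reported length is at least that large, so a short length wraps to a large value. The room check below will then most likely reject it, but an explicit lower-bound test before the subtraction would make the intent clear and would not depend on the size of the staging buffer.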
@@ -4452,16 +4456,9 @@ static int qeth_snmp_command_cb(struct q
 	QETH_CARD_TEXT_(card, 4, "sseqn%i",
 		cmd->data.setadapterparms.hdr.seq_no);
 	/*copy entries to user buffer*/
-	if (cmd->data.setadapterparms.hdr.seq_no == 1) {
-		memcpy(qinfo->udata + qinfo->udata_offset,
-		       (char *)snmp,
-		       data_len + offsetof(struct qeth_snmp_cmd, data));
-		qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data);
-	} else {
-		memcpy(qinfo->udata + qinfo->udata_offset,
-		       (char *)&snmp->request, data_len);
-	}
+	memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len);
 	qinfo->udata_offset += data_len;
+
 	/* check if all replies received ... */
 		QETH_CARD_TEXT_(card, 4, "srtot%i",
 			       cmd->data.setadapterparms.hdr.used_total);
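Review bot: The context comment "/*copy entries to user buffer*/" above the now single memcpy() is misleading, since the changelog describes the destination as a kernel staging buffer; worth correcting while this code is being touched. The QETH_CARD_TEXT_ call after "check if all replies received" is also indented one level deeper than the code around it.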



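The length-check mismatch described in the qeth changelog above, as an added example that is not part of the patch or of the qeth driver. The struct layout, sizes and function names are assumptions made for this model; the pre-patch variant reports where the copy would overrun instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layout standing in for struct qeth_snmp_cmd. */
struct snmp_part {
	uint8_t  token[16];
	uint32_t request;
	uint8_t  data[64];
};
#define HDR_LEN offsetof(struct snmp_part, data)  /* 20 bytes in this model */

/* Models the staging buffer: udata, udata_len, udata_offset. */
struct staging { uint8_t *buf; size_t len; size_t off; };

enum verdict { REJECTED, COPIED, OVERRUN };

/* First response part, pre-patch logic: the room check uses the payload
 * length only, but the copy length adds the header back in. */
static enum verdict stage_first_old(struct staging *st,
				    const struct snmp_part *p,
				    size_t payload_len)
{
	size_t room = st->len - st->off;
	size_t data_len = payload_len;          /* header not counted */
	size_t copy_len;

	if (payload_len > sizeof(p->data) || room < data_len)
		return REJECTED;
	copy_len = data_len + HDR_LEN;          /* header copied as well */
	if (copy_len > room)
		return OVERRUN;  /* the modelled code had no such guard */
	memcpy(st->buf + st->off, p, copy_len);
	st->off += copy_len;
	return COPIED;
}

/* First response part, patched logic: one length covers header and
 * payload, and the same value is checked and copied. */
static enum verdict stage_first_fixed(struct staging *st,
				      const struct snmp_part *p,
				      size_t payload_len)
{
	size_t room = st->len - st->off;
	size_t data_len = HDR_LEN + payload_len;

	if (payload_len > sizeof(p->data) || room < data_len)
		return REJECTED;
	memcpy(st->buf + st->off, p, data_len);
	st->off += data_len;
	return COPIED;
}

/* Run one variant against an empty staging buffer of buf_len bytes. */
static enum verdict try_first_part(int fixed, size_t buf_len,
				   size_t payload_len)
{
	uint8_t backing[128];
	struct snmp_part part;
	struct staging st = { backing, buf_len, 0 };

	if (buf_len > sizeof(backing))
		return REJECTED;
	memset(&part, 0xAB, sizeof(part));      /* constructed sample response */
	return fixed ? stage_first_fixed(&st, &part, payload_len)
		     : stage_first_old(&st, &part, payload_len);
}

int main(void)
{
	static const char *name[] = { "REJECTED", "COPIED", "OVERRUN" };

	/* 64-byte buffer, 60-byte payload: 60 fits, 60 + 20 does not. */
	printf("old:   %s\n", name[try_first_part(0, 64, 60)]);
	printf("fixed: %s\n", name[try_first_part(1, 64, 60)]);
	return 0;
}
```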
* [PATCH 3.16 167/305] ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 206/305] iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 088/305] IB/{cm, umad}: Handle av init error Ben Hutchings
                   ` (119 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tony Lindgren, Janusz Krzysztofik

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Janusz Krzysztofik <jmkrzyszt@gmail.com>

commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b upstream.

While playing with initialization order of modem device, it has been
discovered that under some circumstances (early console init, I
believe) its .pm() callback may be called before the
uart_port->private_data pointer is initialized from
plat_serial8250_port->private_data, resulting in NULL pointer
dereference.  Fix it by checking for uninitialized pointer before using
it in modem_pm().

Fixes: aabf31737a6a ("ARM: OMAP1: ams-delta: update the modem to use regulator API")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap1/board-ams-delta.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -511,6 +511,9 @@ static void modem_pm(struct uart_port *p
 {
 	struct modem_private_data *priv = port->private_data;
 
+	if (!priv)
+		return;
+
 	if (IS_ERR(priv->regulator))
 		return;
 
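Review bot: The new if (!priv) return; in modem_pm() silently skips the power-state change, and nothing in the code says when private_data can legitimately be NULL; a one-line comment that .pm() may run before private_data is initialised (early console init, per the changelog) would keep this from looking like dead code. It could also be folded into the IS_ERR(priv->regulator) test that follows.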



* [PATCH 3.16 073/305] staging: comedi: ni_mio_common: protect register write overflow
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 260/305] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 135/305] ext4: avoid potential extra brelse in setup_new_flex_group_blocks() Ben Hutchings
                   ` (241 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ian Abbott, Spencer E. Olson, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Spencer E. Olson" <olsonse@umich.edu>

commit 1cbca5852d6c16e85a21487a15d211195aacd4a1 upstream.

Fixes two problems introduced as early as
commit 03aef4b6dc12  ("Staging: comedi: add ni_mio_common code"):
(1) Ensures that the last four bits of NISTC_RTSI_TRIGB_OUT_REG register are
    not unduly overwritten on e-series devices.  On e-series devices, the
    first three of the last four bits are reserved.  The last bit defines
    the output selection of the RGOUT0 pin, otherwise known as
    RTSI_Sub_Selection.  For m-series devices, these last four bits are
    indeed used as the output selection of the RTSI7 pin (and the
    RTSI_Sub_Selection bit for the RGOUT0 pin is moved to the
    RTSI_Trig_Direction register).
(2) Allows all 4 RTSI_BRD lines to be treated as valid sources for RTSI
    lines.

This patch also cleans up the ni_get_rtsi_routing command for readability.

Fixes: 03aef4b6dc12  ("Staging: comedi: add ni_mio_common code")
Signed-off-by: Spencer E. Olson <olsonse@umich.edu>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Use NI_RTSI_OUTPUT_RTSI_BRD_0 + n instead of NI_RTSI_OUTPUT_RTSI_BRD(n)
 - Use num_configurable_rtsi_channels() instead of NISTC_RTSI_TRIG_NUM_CHAN()
 - Use old_RTSI_clock_channel instead of NISTC_RTSI_TRIG_OLD_CLK_CHAN
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../staging/comedi/drivers/ni_mio_common.c    | 24 +++++++++++++------
 1 file changed, 17 insertions(+), 7 deletions(-)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -5486,6 +5486,9 @@ static int ni_valid_rtsi_output_source(s
 	case NI_RTSI_OUTPUT_G_GATE0:
 	case NI_RTSI_OUTPUT_RGOUT0:
 	case NI_RTSI_OUTPUT_RTSI_BRD_0:
+	case NI_RTSI_OUTPUT_RTSI_BRD_0 + 1:
+	case NI_RTSI_OUTPUT_RTSI_BRD_0 + 2:
+	case NI_RTSI_OUTPUT_RTSI_BRD_0 + 3:
 		return 1;
 		break;
 	case NI_RTSI_OUTPUT_RTSI_OSC:
@@ -5513,12 +5516,19 @@ static int ni_set_rtsi_routing(struct co
 		    RTSI_Trig_Output_Bits(chan, source);
 		devpriv->stc_writew(dev, devpriv->rtsi_trig_a_output_reg,
 				    RTSI_Trig_A_Output_Register);
-	} else if (chan < 8) {
+	} else if (chan < num_configurable_rtsi_channels(dev)) {
 		devpriv->rtsi_trig_b_output_reg &= ~RTSI_Trig_Output_Mask(chan);
 		devpriv->rtsi_trig_b_output_reg |=
 		    RTSI_Trig_Output_Bits(chan, source);
 		devpriv->stc_writew(dev, devpriv->rtsi_trig_b_output_reg,
 				    RTSI_Trig_B_Output_Register);
+	} else if (chan != old_RTSI_clock_channel) {
+		/* probably should never reach this, since the
+		 * ni_valid_rtsi_output_source above errors out if chan is too
+		 * high
+		 */
+		dev_err(dev->class_dev, "%s: unknown rtsi channel\n", __func__);
+		return -EINVAL;
 	}
 	return 2;
 }
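Review bot: In ni_set_rtsi_routing() the new final branch returns -EINVAL only when chan != old_RTSI_clock_channel, so a call with chan == old_RTSI_clock_channel falls through and returns 2 without writing any register; if that is intended, a comment should say so. The block comment inside the branch also starts its text on the opening line, which is not the usual kernel multi-line comment style.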
@@ -5533,12 +5543,12 @@ static unsigned ni_get_rtsi_routing(stru
 	} else if (chan < num_configurable_rtsi_channels(dev)) {
 		return RTSI_Trig_Output_Source(chan,
 					       devpriv->rtsi_trig_b_output_reg);
-	} else {
-		if (chan == old_RTSI_clock_channel)
-			return NI_RTSI_OUTPUT_RTSI_OSC;
-		printk("%s: bug! should never get here?\n", __func__);
-		return 0;
+	} else if (chan == old_RTSI_clock_channel) {
+		return NI_RTSI_OUTPUT_RTSI_OSC;
 	}
+
+	dev_err(dev->class_dev, "%s: unknown rtsi channel\n", __func__);
+	return -EINVAL;
 }
 
 static int ni_rtsi_insn_config(struct comedi_device *dev,
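Review bot: ni_get_rtsi_routing() is declared as returning unsigned (see the hunk header), so the new return -EINVAL at the end of the function is converted to a large positive value, and callers cannot tell it apart from a routing source with a simple negative test. Either change the return type to int and check the callers, or keep returning 0 as the removed code did.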



* [PATCH 3.16 105/305] genirq: Fix race on spurious interrupt detection
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 141/305] mtd: docg3: don't set conflicting BCH_CONST_PARAMS option Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 013/305] ARM: fix put_user() for gcc-8 Ben Hutchings
                   ` (177 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lukas Wunner, Mathias Duckeck,
	Thomas Gleixner, Casey Fitzpatrick, Akshay Bhat

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 746a923b863a1065ef77324e1e43f19b1a3eab5c upstream.

Commit 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of
threaded irqs") made detection of spurious interrupts work for threaded
handlers by:

a) incrementing a counter every time the thread returns IRQ_HANDLED, and
b) checking whether that counter has increased every time the thread is
   woken.

However for oneshot interrupts, the commit unmasks the interrupt before
incrementing the counter.  If another interrupt occurs right after
unmasking but before the counter is incremented, that interrupt is
incorrectly considered spurious:

time
 |  irq_thread()
 |    irq_thread_fn()
 |      action->thread_fn()
 |      irq_finalize_oneshot()
 |        unmask_threaded_irq()            /* interrupt is unmasked */
 |
 |                  /* interrupt fires, incorrectly deemed spurious */
 |
 |    atomic_inc(&desc->threads_handled); /* counter is incremented */
 v

This is observed with a hi3110 CAN controller receiving data at high volume
(from a separate machine sending with "cangen -g 0 -i -x"): The controller
signals a huge number of interrupts (hundreds of millions per day) and
every second there are about a dozen which are deemed spurious.

In theory with high CPU load and the presence of higher priority tasks, the
number of incorrectly detected spurious interrupts might increase beyond
the 99,900 threshold and cause disablement of the interrupt.

In practice it just increments the spurious interrupt count. But that can
cause people to waste time investigating it over and over.

Fix it by moving the accounting before the invocation of
irq_finalize_oneshot().

[ tglx: Folded change log update ]

Fixes: 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of threaded irqs")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mathias Duckeck <m.duckeck@kunbus.de>
Cc: Akshay Bhat <akshay.bhat@timesys.com>
Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/irq/manage.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -805,6 +805,9 @@ irq_forced_thread_fn(struct irq_desc *de
 
 	local_bh_disable();
 	ret = action->thread_fn(action->irq, action->dev_id);
+	if (ret == IRQ_HANDLED)
+		atomic_inc(&desc->threads_handled);
+
 	irq_finalize_oneshot(desc, action);
 	local_bh_enable();
 	return ret;
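
Review bot: the ordering is the whole fix here, but nothing in
irq_forced_thread_fn() says so. A one-line comment above the new
atomic_inc(&desc->threads_handled) stating that the count must be bumped
before irq_finalize_oneshot() unmasks the interrupt would stop a later
cleanup from moving it back.
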
@@ -821,6 +824,9 @@ static irqreturn_t irq_thread_fn(struct
 	irqreturn_t ret;
 
 	ret = action->thread_fn(action->irq, action->dev_id);
+	if (ret == IRQ_HANDLED)
+		atomic_inc(&desc->threads_handled);
+
 	irq_finalize_oneshot(desc, action);
 	return ret;
 }
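
Review bot: the three lines added to irq_thread_fn() are identical to the
ones added to irq_forced_thread_fn() in the previous hunk. A small static
helper called from both would keep the two handlers from drifting apart,
since the accounting used to live in one place in irq_thread().
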
@@ -886,8 +892,6 @@ static int irq_thread(void *data)
 		irq_thread_check_affinity(desc, action);
 
 		action_ret = handler_fn(desc, action);
-		if (action_ret == IRQ_HANDLED)
-			atomic_inc(&desc->threads_handled);
 
 		wake_threads_waitq(desc);
 	}
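
Review bot: with the IRQ_HANDLED test removed, action_ret is assigned from
handler_fn(desc, action) but not read again in the lines shown. If nothing
further down in irq_thread() uses it, drop the variable and call
handler_fn() for its side effects only, which also avoids a
set-but-unused warning.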



* [PATCH 3.16 068/305] bcache: fix wrong cache_misses statistics
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 054/305] ext4: fix EXT4_IOC_SWAP_BOOT Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 062/305] IB/mthca: Fix error return code in __mthca_init_one() Ben Hutchings
                   ` (277 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jens Axboe, Coly Li, tang.junhui, Michael Lyle

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "tang.junhui" <tang.junhui@zte.com.cn>

commit c157313791a999646901b3e3c6888514ebc36d62 upstream.

Currently, cache-missed IOs are identified by s->cache_miss, but there
are many situations in which missed IOs are not assigned a value for
s->cache_miss in cached_dev_cache_miss(), for example a bypassed IO
(s->iop.bypass = 1) or a failed cache_bio allocation. In these situations,
it will go to out_put or out_submit with s->cache_miss still NULL, which
leads bch_mark_cache_accounting() to treat this IO as a hit IO.

[ML: applied by 3-way merge]

Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
Reviewed-by: Michael Lyle <mlyle@lyle.org>
Reviewed-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/request.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -462,6 +462,7 @@ struct search {
 	unsigned		recoverable:1;
 	unsigned		write:1;
 	unsigned		read_dirty_data:1;
+	unsigned		cache_missed:1;
 
 	unsigned long		start_time;
 
@@ -651,6 +652,7 @@ static inline struct search *search_allo
 
 	s->orig_bio		= bio;
 	s->cache_miss		= NULL;
+	s->cache_missed		= 0;
 	s->d			= d;
 	s->recoverable		= 1;
 	s->write		= (bio->bi_rw & REQ_WRITE) != 0;
@@ -774,7 +776,7 @@ static void cached_dev_read_done_bh(stru
 	struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
 
 	bch_mark_cache_accounting(s->iop.c, s->d,
-				  !s->cache_miss, s->iop.bypass);
+				  !s->cache_missed, s->iop.bypass);
 	trace_bcache_read(s->orig_bio, !s->cache_miss, s->iop.bypass);
 
 	if (s->iop.error)
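
Review bot: bch_mark_cache_accounting() now takes !s->cache_missed, but
trace_bcache_read() on the very next line still passes !s->cache_miss, so
for a bypassed IO or a failed cache_bio allocation the tracepoint will
report a hit while the statistics record a miss. Pass !s->cache_missed to
the tracepoint as well, or say in the changelog why the two are meant to
differ.
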
@@ -793,6 +795,8 @@ static int cached_dev_cache_miss(struct
 	struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
 	struct bio *miss, *cache_bio;
 
+	s->cache_missed = 1;
+
 	if (s->cache_miss || s->iop.bypass) {
 		miss = bio_next_split(bio, sectors, GFP_NOIO, s->d->bio_split);
 		ret = miss == bio ? MAP_DONE : MAP_CONTINUE;
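
Review bot: s->cache_missed (a flag) and s->cache_miss (a bio pointer) now
sit side by side in cached_dev_cache_miss(), and the test
"if (s->cache_miss || s->iop.bypass)" two lines below the new assignment
reads as if it referred to the flag. A comment on the new bitfield in
struct search saying that it records entry into cached_dev_cache_miss(),
or a more distinct name, would make this easier to follow.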



* [PATCH 3.16 077/305] ext4: fix use-after-free race in ext4_remount()'s error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 238/305] xtensa: fix coprocessor context offset definitions Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 043/305] media: pci: cx23885: handle adding to list failure Ben Hutchings
                   ` (193 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+a2872d6feea6918008a9, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 33458eaba4dfe778a426df6a19b7aad2ff9f7eec upstream.

It's possible for ext4_show_quota_options() to try reading
s_qf_names[i] while it is being modified by ext4_remount() --- most
notably, in ext4_remount's error path when the original values of the
quota file name get restored.

Reported-by: syzbot+a2872d6feea6918008a9@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16:
 - s/EXT4_MAXQUOTAS/MAXQUOTAS/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1300,7 +1300,8 @@ struct ext4_sb_info {
 	u32 s_min_batch_time;
 	struct block_device *journal_bdev;
 #ifdef CONFIG_QUOTA
-	char *s_qf_names[MAXQUOTAS];		/* Names of quota files with journalled quota */
+	/* Names of quota files with journalled quota */
+	char __rcu *s_qf_names[MAXQUOTAS];
 	int s_jquota_fmt;			/* Format of quota to use */
 #endif
 	unsigned int s_want_extra_isize; /* New inodes should reserve # bytes */
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -780,6 +780,20 @@ static void dump_orphan_list(struct supe
 	}
 }
 
+#ifdef CONFIG_QUOTA
+/*
+ * This is a helper function which is used in the mount/remount
+ * codepaths (which holds s_umount) to fetch the quota file name.
+ */
+static inline char *get_qf_name(struct super_block *sb,
+				struct ext4_sb_info *sbi,
+				int type)
+{
+	return rcu_dereference_protected(sbi->s_qf_names[type],
+					 lockdep_is_held(&sb->s_umount));
+}
+#endif
+
 static void ext4_put_super(struct super_block *sb)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
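
Review bot: the comment on get_qf_name() says it is for the mount/remount
codepaths, but later hunks also call it from ext4_put_super() and
ext4_quota_on_mount(). Since lockdep_is_held(&sb->s_umount) is the only
thing backing the rcu_dereference_protected(), the comment should state
the rule itself ("callers must hold s_umount") rather than name two of the
callers.
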
@@ -833,7 +847,7 @@ static void ext4_put_super(struct super_
 	brelse(sbi->s_sbh);
 #ifdef CONFIG_QUOTA
 	for (i = 0; i < MAXQUOTAS; i++)
-		kfree(sbi->s_qf_names[i]);
+		kfree(get_qf_name(sb, sbi, i));
 #endif
 
 	/* Debugging code just in case the in-memory inode orphan list
@@ -1293,11 +1307,10 @@ static char deprecated_msg[] = "Mount op
 static int set_qf_name(struct super_block *sb, int qtype, substring_t *args)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
-	char *qname;
+	char *qname, *old_qname = get_qf_name(sb, sbi, qtype);
 	int ret = -1;
 
-	if (sb_any_quota_loaded(sb) &&
-		!sbi->s_qf_names[qtype]) {
+	if (sb_any_quota_loaded(sb) && !old_qname) {
 		ext4_msg(sb, KERN_ERR,
 			"Cannot change journaled "
 			"quota options when quota turned on");
@@ -1314,8 +1327,8 @@ static int set_qf_name(struct super_bloc
 			"Not enough memory for storing quotafile name");
 		return -1;
 	}
-	if (sbi->s_qf_names[qtype]) {
-		if (strcmp(sbi->s_qf_names[qtype], qname) == 0)
+	if (old_qname) {
+		if (strcmp(old_qname, qname) == 0)
 			ret = 1;
 		else
 			ext4_msg(sb, KERN_ERR,
@@ -1328,7 +1341,7 @@ static int set_qf_name(struct super_bloc
 			"quotafile must be on filesystem root");
 		goto errout;
 	}
-	sbi->s_qf_names[qtype] = qname;
+	rcu_assign_pointer(sbi->s_qf_names[qtype], qname);
 	set_opt(sb, QUOTA);
 	return 1;
 errout:
@@ -1340,15 +1353,16 @@ static int clear_qf_name(struct super_bl
 {
 
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
+	char *old_qname = get_qf_name(sb, sbi, qtype);
 
-	if (sb_any_quota_loaded(sb) &&
-		sbi->s_qf_names[qtype]) {
+	if (sb_any_quota_loaded(sb) && old_qname) {
 		ext4_msg(sb, KERN_ERR, "Cannot change journaled quota options"
 			" when quota turned on");
 		return -1;
 	}
-	kfree(sbi->s_qf_names[qtype]);
-	sbi->s_qf_names[qtype] = NULL;
+	rcu_assign_pointer(sbi->s_qf_names[qtype], NULL);
+	synchronize_rcu();
+	kfree(old_qname);
 	return 1;
 }
 #endif
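
Review bot: in clear_qf_name() synchronize_rcu() is now called
unconditionally, including when old_qname is NULL and there is nothing to
free. Guarding the wait and the kfree() with "if (old_qname)" would avoid
a grace-period wait for every quota option that is cleared without ever
having been set.
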
@@ -1677,7 +1691,7 @@ static int parse_options(char *options,
 			 int is_remount)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
-	char *p;
+	char *p, __maybe_unused *usr_qf_name, __maybe_unused *grp_qf_name;
 	substring_t args[MAX_OPT_ARGS];
 	int token;
 
@@ -1704,11 +1718,13 @@ static int parse_options(char *options,
 			 "feature is enabled");
 		return 0;
 	}
-	if (sbi->s_qf_names[USRQUOTA] || sbi->s_qf_names[GRPQUOTA]) {
-		if (test_opt(sb, USRQUOTA) && sbi->s_qf_names[USRQUOTA])
+	usr_qf_name = get_qf_name(sb, sbi, USRQUOTA);
+	grp_qf_name = get_qf_name(sb, sbi, GRPQUOTA);
+	if (usr_qf_name || grp_qf_name) {
+		if (test_opt(sb, USRQUOTA) && usr_qf_name)
 			clear_opt(sb, USRQUOTA);
 
-		if (test_opt(sb, GRPQUOTA) && sbi->s_qf_names[GRPQUOTA])
+		if (test_opt(sb, GRPQUOTA) && grp_qf_name)
 			clear_opt(sb, GRPQUOTA);
 
 		if (test_opt(sb, GRPQUOTA) || test_opt(sb, USRQUOTA)) {
@@ -1742,6 +1758,7 @@ static inline void ext4_show_quota_optio
 {
 #if defined(CONFIG_QUOTA)
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
+	char *usr_qf_name, *grp_qf_name;
 
 	if (sbi->s_jquota_fmt) {
 		char *fmtname = "";
@@ -1760,11 +1777,14 @@ static inline void ext4_show_quota_optio
 		seq_printf(seq, ",jqfmt=%s", fmtname);
 	}
 
-	if (sbi->s_qf_names[USRQUOTA])
-		seq_show_option(seq, "usrjquota", sbi->s_qf_names[USRQUOTA]);
-
-	if (sbi->s_qf_names[GRPQUOTA])
-		seq_show_option(seq, "grpjquota", sbi->s_qf_names[GRPQUOTA]);
+	rcu_read_lock();
+	usr_qf_name = rcu_dereference(sbi->s_qf_names[USRQUOTA]);
+	grp_qf_name = rcu_dereference(sbi->s_qf_names[GRPQUOTA]);
+	if (usr_qf_name)
+		seq_show_option(seq, "usrjquota", usr_qf_name);
+	if (grp_qf_name)
+		seq_show_option(seq, "grpjquota", grp_qf_name);
+	rcu_read_unlock();
 #endif
 }
 
@@ -4936,6 +4956,7 @@ static int ext4_remount(struct super_blo
 	int err = 0;
 #ifdef CONFIG_QUOTA
 	int i, j;
+	char *to_free[MAXQUOTAS];
 #endif
 	char *orig_data = kstrdup(data, GFP_KERNEL);
 
@@ -4952,8 +4973,9 @@ static int ext4_remount(struct super_blo
 	old_opts.s_jquota_fmt = sbi->s_jquota_fmt;
 	for (i = 0; i < MAXQUOTAS; i++)
 		if (sbi->s_qf_names[i]) {
-			old_opts.s_qf_names[i] = kstrdup(sbi->s_qf_names[i],
-							 GFP_KERNEL);
+			char *qf_name = get_qf_name(sb, sbi, i);
+
+			old_opts.s_qf_names[i] = kstrdup(qf_name, GFP_KERNEL);
 			if (!old_opts.s_qf_names[i]) {
 				for (j = 0; j < i; j++)
 					kfree(old_opts.s_qf_names[j]);
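
Review bot: the loop in ext4_remount() still tests sbi->s_qf_names[i]
directly in the if condition, although the field is now annotated __rcu
and the body fetches it through get_qf_name(). Fetch qf_name once before
the test and use "if (qf_name)", so the annotated pointer is only ever
read through the accessor and sparse stays quiet.
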
@@ -5141,9 +5163,12 @@ restore_opts:
 #ifdef CONFIG_QUOTA
 	sbi->s_jquota_fmt = old_opts.s_jquota_fmt;
 	for (i = 0; i < MAXQUOTAS; i++) {
-		kfree(sbi->s_qf_names[i]);
-		sbi->s_qf_names[i] = old_opts.s_qf_names[i];
+		to_free[i] = get_qf_name(sb, sbi, i);
+		rcu_assign_pointer(sbi->s_qf_names[i], old_opts.s_qf_names[i]);
 	}
+	synchronize_rcu();
+	for (i = 0; i < MAXQUOTAS; i++)
+		kfree(to_free[i]);
 #endif
 	kfree(orig_data);
 	return err;
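
Review bot: the restore_opts path now defers kfree() until after
synchronize_rcu(), which is the core of the fix, but there is no comment
saying who the reader is. A line noting that ext4_show_quota_options() may
still be reading the old names under rcu_read_lock() would explain why the
pointers are collected in to_free[] instead of being freed in the first
loop.
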
@@ -5291,7 +5316,7 @@ static int ext4_write_info(struct super_
  */
 static int ext4_quota_on_mount(struct super_block *sb, int type)
 {
-	return dquot_quota_on_mount(sb, EXT4_SB(sb)->s_qf_names[type],
+	return dquot_quota_on_mount(sb, get_qf_name(sb, EXT4_SB(sb), type),
 					EXT4_SB(sb)->s_jquota_fmt, type);
 }
 



* [PATCH 3.16 299/305] vxlan: Fix error path in __vxlan_dev_create()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 226/305] ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 243/305] rapidio/rionet: do not free skb before reading its length Ben Hutchings
                   ` (122 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Petr Machata, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Petr Machata <petrm@mellanox.com>

commit 6db9246871394b3a136cd52001a0763676563840 upstream.

When a failure occurs in rtnl_configure_link(), the current code
calls unregister_netdevice() to roll back the earlier call to
register_netdevice(), and jumps to errout, which calls
vxlan_fdb_destroy().

However unregister_netdevice() calls transitively ndo_uninit, which is
vxlan_uninit(), and that already takes care of deleting the default FDB
entry by calling vxlan_fdb_delete_default(). Since the entry added
earlier in __vxlan_dev_create() is exactly the default entry, the
cleanup code in the errout block always leads to double free and thus a
panic.

Besides, since vxlan_fdb_delete_default() always destroys the FDB entry
with notification enabled, the deletion of the default entry is notified
even before the addition was notified.

Instead, move the unregister_netdevice() call after the manual destroy,
which solves both problems.

Fixes: 0241b836732f ("vxlan: fix default fdb entry netlink notify ordering during netdev create")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/vxlan.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2615,6 +2615,7 @@ static int vxlan_newlink(struct net *net
 	struct vxlan_dev *vxlan = netdev_priv(dev), *tmp;
 	struct vxlan_rdst *dst = &vxlan->default_dst;
 	struct vxlan_fdb *f = NULL;
+	bool unregister = false;
 	__u32 vni;
 	int err;
 	bool use_ipv6 = false;
@@ -2766,12 +2767,11 @@ static int vxlan_newlink(struct net *net
 	err = register_netdevice(dev);
 	if (err)
 		goto errout;
+	unregister = true;
 
 	err = rtnl_configure_link(dev, NULL);
-	if (err) {
-		unregister_netdevice(dev);
+	if (err)
 		goto errout;
-	}
 
 	/* notify default fdb entry */
 	if (f)
@@ -2780,9 +2780,16 @@ static int vxlan_newlink(struct net *net
 	list_add(&vxlan->next, &vn->vxlan_list);
 
 	return 0;
+
 errout:
+	/* unregister_netdevice() destroys the default FDB entry with deletion
+	 * notification. But the addition notification was not sent yet, so
+	 * destroy the entry by hand here.
+	 */
 	if (f)
 		vxlan_fdb_destroy(vxlan, f);
+	if (unregister)
+		unregister_netdevice(dev);
 	return err;
 }
 
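
Review bot: the new comment under errout explains why the default FDB
entry is destroyed by hand, but not that the order of the two calls is
what prevents the double free described in the commit message. Say
explicitly that vxlan_fdb_destroy(vxlan, f) must run before
unregister_netdevice(dev), so that nobody swaps them back during a later
cleanup of the error path.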



* [PATCH 3.16 052/305] PM / devfreq: Fix devfreq_add_device() when drivers are built as modules.
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 076/305] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 209/305] hwmon: (w83795) temp4_type has writable permission Ben Hutchings
                   ` (232 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, MyungJoo Ham, Chanwoo Choi, Enric Balletbo i Serra

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Enric Balletbo i Serra <enric.balletbo@collabora.com>

commit 23c7b54ca1cd1797ef39169ab85e6d46f1c2d061 upstream.

When the devfreq driver and the governor driver are built as modules,
the call to devfreq_add_device() or governor_store() fails because the
governor driver is not loaded at the time the devfreq driver loads. The
devfreq driver has a build dependency on the governor but also should
have a runtime dependency. We need to make sure that the governor driver
is loaded before the devfreq driver.

This patch fixes this bug by adding a try_then_request_governor()
function. It first tries to find the governor and then, if it is not
found, requests the module and tries again.

Fixes: 1b5c1be2c88e (PM / devfreq: map devfreq drivers to governor using name)
Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
[bwh: Backported to 3.16:
 - Use string literal instead of DEVFREQ_GOV_SIMPLE_ONDEMAND
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/devfreq/devfreq.c | 53 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 49 insertions(+), 4 deletions(-)

--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -11,6 +11,7 @@
  */
 
 #include <linux/kernel.h>
+#include <linux/kmod.h>
 #include <linux/sched.h>
 #include <linux/errno.h>
 #include <linux/err.h>
@@ -148,6 +149,49 @@ static struct devfreq_governor *find_dev
 	return ERR_PTR(-ENODEV);
 }
 
+/**
+ * try_then_request_governor() - Try to find the governor and request the
+ *                               module if is not found.
+ * @name:	name of the governor
+ *
+ * Search the list of devfreq governors and request the module and try again
+ * if is not found. This can happen when both drivers (the governor driver
+ * and the driver that call devfreq_add_device) are built as modules.
+ * devfreq_list_lock should be held by the caller. Returns the matched
+ * governor's pointer.
+ */
+static struct devfreq_governor *try_then_request_governor(const char *name)
+{
+	struct devfreq_governor *governor;
+	int err = 0;
+
+	if (IS_ERR_OR_NULL(name)) {
+		pr_err("DEVFREQ: %s: Invalid parameters\n", __func__);
+		return ERR_PTR(-EINVAL);
+	}
+	WARN(!mutex_is_locked(&devfreq_list_lock),
+	     "devfreq_list_lock must be locked.");
+
+	governor = find_devfreq_governor(name);
+	if (IS_ERR(governor)) {
+		mutex_unlock(&devfreq_list_lock);
+
+		if (!strncmp(name, "simple_ondemand",
+			     DEVFREQ_NAME_LEN))
+			err = request_module("governor_%s", "simpleondemand");
+		else
+			err = request_module("governor_%s", name);
+		/* Restore previous state before return */
+		mutex_lock(&devfreq_list_lock);
+		if (err)
+			return NULL;
+
+		governor = find_devfreq_governor(name);
+	}
+
+	return governor;
+}
+
 /* Load monitoring helper functions for governors use */
 
 /**
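
Review bot: try_then_request_governor() returns NULL when request_module()
fails ("if (err) return NULL;"), but both callers in this patch,
devfreq_add_device() and governor_store(), only test IS_ERR(governor).
NULL passes that test, so a failed module load is treated as success by
the callers. Return an ERR_PTR() here instead, for example
ERR_PTR(-ENODEV) to match find_devfreq_governor(), so the existing
IS_ERR() checks catch it. The kernel-doc should also say that the function
drops and retakes devfreq_list_lock.
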
@@ -499,9 +543,8 @@ struct devfreq *devfreq_add_device(struc
 	mutex_unlock(&devfreq->lock);
 
 	mutex_lock(&devfreq_list_lock);
-	list_add(&devfreq->node, &devfreq_list);
 
-	governor = find_devfreq_governor(devfreq->governor_name);
+	governor = try_then_request_governor(devfreq->governor_name);
 	if (IS_ERR(governor)) {
 		dev_err(dev, "%s: Unable to find governor for the device\n",
 			__func__);
@@ -517,12 +560,14 @@ struct devfreq *devfreq_add_device(struc
 			__func__);
 		goto err_init;
 	}
+
+	list_add(&devfreq->node, &devfreq_list);
+
 	mutex_unlock(&devfreq_list_lock);
 
 	return devfreq;
 
 err_init:
-	list_del(&devfreq->node);
 	mutex_unlock(&devfreq_list_lock);
 
 	device_unregister(&devfreq->dev);
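
Review bot: moving list_add() to after the governor lookup and dropping
list_del() from err_init matters because try_then_request_governor()
releases devfreq_list_lock around request_module(); with the old placement
a devfreq without a governor would be visible on devfreq_list during that
window. The changelog does not mention this reordering, and a short
comment at the new list_add() would keep it from being moved back.
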
@@ -798,7 +843,7 @@ static ssize_t governor_store(struct dev
 		return -EINVAL;
 
 	mutex_lock(&devfreq_list_lock);
-	governor = find_devfreq_governor(str_governor);
+	governor = try_then_request_governor(str_governor);
 	if (IS_ERR(governor)) {
 		ret = PTR_ERR(governor);
 		goto out;



* [PATCH 3.16 282/305] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 106/305] libceph: bump CEPH_MSG_MAX_DATA_LEN Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 011/305] timer/debug: Change /proc/timer_list from 0444 to 0400 Ben Hutchings
                   ` (205 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Jörgen Storvist

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jörgen Storvist <jorgen.storvist@gmail.com>

commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream.

Added USB serial option driver support for Simcom SIM7500/SIM7600 series
cellular modules exposing MBIM interface (VID 0x1e0e, PID 0x9003).

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1e0e ProdID=9003 Rev=03.18
S:  Manufacturer=SimTech, Incorporated
S:  Product=SimTech, Incorporated
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I:  If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim

Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1888,6 +1888,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
 	  .driver_info = (kernel_ulong_t)&simcom_sim7100e_blacklist },
+	{ USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) },	/* Simcom SIM7500/SIM7600 MBIM mode */
 	{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
 	  .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist
 	},
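
Review bot: the new entry uses the raw IDs 0x1e0e and 0x9003 while the
neighbouring entries use named constants such as ALINK_VENDOR_ID and
SIMCOM_PRODUCT_SIM7100E. Beyond the style point, confirm that matching
only interface class 0xff is intended: per the usb-devices listing in the
commit message it binds option to interfaces 0 to 4 and leaves interfaces
5 and 6 (classes 02 and 0a) to cdc_mbim.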



* [PATCH 3.16 199/305] netfilter: nf_tables: fix use-after-free when deleting compat expressions
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 089/305] IB/cm: Fix sleeping while spin lock is held Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 247/305] dmaengine: at_hdmac: fix memory leak in at_dma_xlate() Ben Hutchings
                   ` (294 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pablo Neira Ayuso, Florian Westphal

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 29e3880109e357fdc607b4393f8308cef6af9413 upstream.

nft_compat ops do not have static storage duration, unlike all other
expressions.

When nf_tables_expr_destroy() returns, expr->ops might have been
free'd already, so we need to store next address before calling
expression destructor.

For the same reason, we can't deref the match pointer after nft_xt_put().

This can be easily reproduced by adding msleep() before
nft_match_destroy() returns.

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nf_tables_api.c | 5 +++--
 net/netfilter/nft_compat.c    | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1682,7 +1682,7 @@ err:
 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
 				   struct nft_rule *rule)
 {
-	struct nft_expr *expr;
+	struct nft_expr *expr, *next;
 
 	/*
 	 * Careful: some expressions might not be initialized in case this
@@ -1690,8 +1690,9 @@ static void nf_tables_rule_destroy(const
 	 */
 	expr = nft_expr_first(rule);
 	while (expr != nft_expr_last(rule) && expr->ops) {
+		next = nft_expr_next(expr);
 		nf_tables_expr_destroy(ctx, expr);
-		expr = nft_expr_next(expr);
+		expr = next;
 	}
 	kfree(rule);
 }
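
Review bot: the reason next is fetched before nf_tables_expr_destroy() is
only in the commit message. The existing "Careful:" comment above the loop
in nf_tables_rule_destroy() is a good place to add that expr->ops may be
freed by the destructor for nft_compat expressions, so nft_expr_next(expr)
must not be called afterwards.
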
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -398,6 +398,7 @@ nft_match_destroy(const struct nft_ctx *
 {
 	struct xt_match *match = expr->ops->data;
 	void *info = nft_expr_priv(expr);
+	struct module *me = match->me;
 	struct xt_mtdtor_param par;
 
 	par.net = ctx->net;
@@ -407,7 +408,7 @@ nft_match_destroy(const struct nft_ctx *
 	if (par.match->destroy != NULL)
 		par.match->destroy(&par);
 
-	module_put(match->me);
+	module_put(me);
 }
 
 static int
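
Review bot: module_put(me) now uses the value saved at the top of
nft_match_destroy(), but the commit message talks about not dereferencing
match after nft_xt_put(), and no nft_xt_put() call appears in the visible
lines of either nft_compat.c hunk. The "[bwh: Backported to 3.16: adjust
context]" note should say whether that call exists in this tree; if it
does, confirm that nothing after it still reads through match or
expr->ops.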



* [PATCH 3.16 149/305] ext4: avoid buffer leak in ext4_orphan_add() after prior errors
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (283 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 110/305] of: add helper to lookup compatible child node Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 123/305] lockd: fix access beyond unterminated strings in prints Ben Hutchings
                   ` (20 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, Dmitry Monakhov, Vasily Averin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit feaf264ce7f8d54582e2f66eb82dd9dd124c94f3 upstream.

Fixes: d745a8c20c1f ("ext4: reduce contention on s_orphan_lock")
Fixes: 6e3617e579e0 ("ext4: Handle non empty on-disk orphan link")
Cc: Dmitry Monakhov <dmonakhov@gmail.com>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/namei.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2629,7 +2629,9 @@ int ext4_orphan_add(handle_t *handle, st
 			list_del_init(&EXT4_I(inode)->i_orphan);
 			mutex_unlock(&sbi->s_orphan_lock);
 		}
-	}
+	} else
+		brelse(iloc.bh);
+
 	jbd_debug(4, "superblock will point to %lu\n", inode->i_ino);
 	jbd_debug(4, "orphan inode %lu will point to %d\n",
 			inode->i_ino, NEXT_ORPHAN(inode));
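
Review bot: the new else branch in ext4_orphan_add() is unbraced while the
if branch it closes is braced ("} else" followed by "brelse(iloc.bh);").
Kernel coding style asks for braces on both branches when one of them
needs them. The commit message also has no description; one sentence
saying which earlier error leaves iloc.bh held would help stable
reviewers.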



* [PATCH 3.16 228/305] ALSA: wss: Fix invalid snd_free_pages() at error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (303 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 097/305] Btrfs: fix null pointer dereference on compressed write path error Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-04 21:38 ` [PATCH 3.16 000/305] 3.16.63-rc1 review Guenter Roeck
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Sakamoto, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 7b69154171b407844c273ab4c10b5f0ddcd6aa29 upstream.

Some spurious calls of snd_free_pages() have been overlooked and
remain in the error paths of wss driver code.  Since runtime->dma_area
is managed by the PCM core helper, we shouldn't release manually.

Drop the superfluous calls.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/isa/wss/wss_lib.c | 2 --
 1 file changed, 2 deletions(-)

--- a/sound/isa/wss/wss_lib.c
+++ b/sound/isa/wss/wss_lib.c
@@ -1531,7 +1531,6 @@ static int snd_wss_playback_open(struct
 	if (err < 0) {
 		if (chip->release_dma)
 			chip->release_dma(chip, chip->dma_private_data, chip->dma1);
-		snd_free_pages(runtime->dma_area, runtime->dma_bytes);
 		return err;
 	}
 	chip->playback_substream = substream;
@@ -1572,7 +1571,6 @@ static int snd_wss_capture_open(struct s
 	if (err < 0) {
 		if (chip->release_dma)
 			chip->release_dma(chip, chip->dma_private_data, chip->dma2);
-		snd_free_pages(runtime->dma_area, runtime->dma_bytes);
 		return err;
 	}
 	chip->capture_substream = substream;



* [PATCH 3.16 130/305] smb3: on kerberos mount if server doesn't specify auth type use krb5
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (193 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 015/305] turn off -Wattribute-alias Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 214/305] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges Ben Hutchings
                   ` (110 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Steve French, Ronnie Sahlberg

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream.

Some servers (e.g. Azure) do not include a spnego blob in the SMB3
negotiate protocol response, so on kerberos mounts ("sec=krb5")
we can fail, as we expected the server to list its supported
auth types (OIDs in the spnego blob in the negprot response).
Change this so that on krb5 mounts we default to trying krb5 if the
server doesn't list its supported protocol mechanisms.

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifs_spnego.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -148,8 +148,10 @@ cifs_get_spnego_key(struct cifs_ses *ses
 		sprintf(dp, ";sec=krb5");
 	else if (server->sec_mskerberos)
 		sprintf(dp, ";sec=mskrb5");
-	else
-		goto out;
+	else {
+		cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
+		sprintf(dp, ";sec=krb5");
+	}
 
 	dp = description + strlen(description);
 	sprintf(dp, ";uid=0x%x",
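
Review bot: in the new `else` branch of cifs_get_spnego_key(), `cifs_dbg(VFS, ...)` is emitted each time the branch is taken, and the commit message names Azure as a server that always omits the SPNEGO blob, so this becomes routine log noise on those mounts rather than a sign of trouble; FYI level would fit better. The `else` arm is now braced while the `if`/`else if` arms above it are not; kernel style asks for braces on every arm once one of them needs them.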


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 277/305] aio: fix spectre gadget in lookup_ioctx
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (237 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 136/305] ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 107/305] Btrfs: fix use-after-free when dumping free space Ben Hutchings
                   ` (66 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jens Axboe, Dan Carpenter, Jeff Moyer,
	Matthew Wilcox

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Moyer <jmoyer@redhat.com>

commit a538e3ff9dabcdf6c3f477a373c629213d1c3066 upstream.

Matthew pointed out that the ioctx_table is susceptible to spectre v1,
because the index can be controlled by an attacker.  The below patch
should mitigate the attack for all of the aio system calls.

Reported-by: Matthew Wilcox <willy@infradead.org>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/aio.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/aio.c
+++ b/fs/aio.c
@@ -43,6 +43,7 @@
 
 #include <asm/kmap_types.h>
 #include <asm/uaccess.h>
+#include <linux/nospec.h>
 
 #include "internal.h"
 
@@ -1022,6 +1023,7 @@ static struct kioctx *lookup_ioctx(unsig
 	if (!table || id >= table->nr)
 		goto out;
 
+	id = array_index_nospec(id, table->nr);
 	ctx = rcu_dereference(table->table[id]);
 	if (ctx && ctx->user_id == ctx_id) {
 		if (percpu_ref_tryget_live(&ctx->users))
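
Review bot: the added `id = array_index_nospec(id, table->nr);` in lookup_ioctx() sits directly after the `id >= table->nr` check and reads as redundant to anyone not thinking about Spectre v1; a one-line comment saying it clamps the index on the mispredicted path would keep a later cleanup from dropping it. The placement itself is right: after the architectural bounds check and before `table->table[id]` is dereferenced.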


^ permalink raw reply	[flat|nested] 313+ messages in thread
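
The index clamp the aio patch above relies on, as an added userspace example that is not part of the patch or of the kernel source: it uses the same branchless-mask idea as array_index_nospec(), with hypothetical names (`index_mask_nospec`, `index_nospec`, `lookup_ctx`, `struct ctx_table`) and a constructed table. It assumes `size <= LONG_MAX` and an arithmetic right shift of negative `long`, which GCC and Clang provide.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Hypothetical stand-ins for the kioctx table; not kernel definitions. */
struct ctx {
	unsigned long user_id;
};

struct ctx_table {
	unsigned long nr;      /* number of valid slots */
	struct ctx *table[4];  /* backing storage, larger than nr here */
};

/* Constructed sample data: two live contexts in a four-slot array. */
static struct ctx sample_ctx[2] = { { 0x1000UL }, { 0x2000UL } };
static struct ctx_table sample_table = {
	2, { &sample_ctx[0], &sample_ctx[1], NULL, NULL }
};

/*
 * Returns all ones when index < size and zero otherwise, without a
 * conditional branch, so there is no prediction to get wrong.
 *
 * index < size:  index and (size - 1 - index) both have the top bit
 *                clear, their OR is non-negative, its complement is
 *                negative, and the arithmetic shift smears the sign bit.
 * index >= size: either index has the top bit set or the subtraction
 *                wraps and sets it, so the complement is non-negative
 *                and the shift yields zero.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
	/* Stop the compiler from folding the arithmetic back into a branch. */
	__asm__ volatile("" : "+r"(index));
#endif
	return (unsigned long)(~(long)(index | (size - 1UL - index))
			       >> (BITS_PER_LONG - 1));
}

/* In-range indexes pass through unchanged; anything else becomes 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/*
 * Same shape as the patched lookup: architectural bounds check first,
 * then the clamp, then the dependent load. If the CPU speculates past
 * the bounds check with an out-of-range id, the load still uses slot 0
 * rather than an address chosen by the caller.
 */
static struct ctx *lookup_ctx(const struct ctx_table *t, unsigned long id,
			      unsigned long ctx_id)
{
	struct ctx *c;

	if (!t || id >= t->nr)
		return NULL;

	id = index_nospec(id, t->nr);
	c = t->table[id];
	if (c && c->user_id == ctx_id)
		return c;
	return NULL;
}

int main(void)
{
	unsigned long ids[] = { 0, 1, 2, 3, ULONG_MAX };
	size_t i;

	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("id=%#lx mask=%#lx clamped=%lu\n", ids[i],
		       index_mask_nospec(ids[i], sample_table.nr),
		       index_nospec(ids[i], sample_table.nr));

	printf("lookup(1, 0x2000) -> %s\n",
	       lookup_ctx(&sample_table, 1, 0x2000UL) ? "found" : "NULL");
	printf("lookup(3, 0x2000) -> %s\n",
	       lookup_ctx(&sample_table, 3, 0x2000UL) ? "found" : "NULL");
	return 0;
}
```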

* [PATCH 3.16 070/305] mtd: spi-nor: fsl-quadspi: fix api naming typo _init_ahb_read
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 086/305] tun: Consistently configure generic netdev params via rtnetlink Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 018/305] staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() Ben Hutchings
                   ` (75 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Boris Brezillon, Yogesh Gaur, Han Xu

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yogesh Gaur <yogeshnarayan.gaur@nxp.com>

commit dd50a1c4e56d6d2ea753f87a35b1f1e09cb877d7 upstream.

Fix api naming typo _init_ahb_read
fsl_qspi_init_abh_read --> fsl_qspi_init_ahb_read

Signed-off-by: Yogesh Gaur <yogeshnarayan.gaur@nxp.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/spi-nor/fsl-quadspi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/mtd/spi-nor/fsl-quadspi.c
+++ b/drivers/mtd/spi-nor/fsl-quadspi.c
@@ -574,7 +574,7 @@ static void fsl_qspi_set_map_addr(struct
  * causes the controller to clear the buffer, and use the sequence pointed
  * by the QUADSPI_BFGENCR[SEQID] to initiate a read from the flash.
  */
-static void fsl_qspi_init_abh_read(struct fsl_qspi *q)
+static void fsl_qspi_init_ahb_read(struct fsl_qspi *q)
 {
 	void __iomem *base = q->iobase;
 	int seqid;
@@ -647,7 +647,7 @@ static int fsl_qspi_nor_setup_last(struc
 	fsl_qspi_init_lut(q);
 
 	/* Init for AHB read */
-	fsl_qspi_init_abh_read(q);
+	fsl_qspi_init_ahb_read(q);
 
 	return 0;
 }


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 205/305] net/mlx4: Fix UBSAN warning of signed integer overflow
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 155/305] ext4: fix possible leak of sbi->s_group_desc_leak in error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 012/305] x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear Ben Hutchings
                   ` (236 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Tariq Toukan, Aya Levin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aya Levin <ayal@mellanox.com>

commit a463146e67c848cbab5ce706d6528281b7cded08 upstream.

UBSAN: Undefined behavior in
drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:626:29
signed integer overflow: 1802201963 + 1802201963 cannot be represented
in type 'int'

The union of res_reserved and res_port_rsvd[MLX4_MAX_PORTS] monitors
granting of reserved resources. The grant operation is calculated and
protected, thus both members of the union cannot be negative.  Changed
type of res_reserved and of res_port_rsvd[MLX4_MAX_PORTS] from signed
int to unsigned int, allowing large value.

Fixes: 5a0d0a6161ae ("mlx4: Structures and init/teardown for VF resource quotas")
Signed-off-by: Aya Levin <ayal@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/mlx4.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h
+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
@@ -518,8 +518,8 @@ struct slave_list {
 struct resource_allocator {
 	spinlock_t alloc_lock; /* protect quotas */
 	union {
-		int res_reserved;
-		int res_port_rsvd[MLX4_MAX_PORTS];
+		unsigned int res_reserved;
+		unsigned int res_port_rsvd[MLX4_MAX_PORTS];
 	};
 	union {
 		int res_free;
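
Review bot: in struct resource_allocator only the first union becomes `unsigned int`, while `res_free` in the union just below stays `int`. Any expression that mixes the two now promotes to unsigned, so the call sites (the UBSAN report points at resource_tracker.c:626) need a check that none of them relied on a signed result or a negative intermediate. The commit message's statement that these values cannot be negative would also be worth a comment next to the fields.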


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 139/305] clockevents/drivers/i8253: Add support for PIT shutdown quirk
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 024/305] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 197/305] btrfs: Always try all copies when reading extent buffers Ben Hutchings
                   ` (54 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, jgross, KY Srinivasan, akataria, olaf,
	marcelo.cerri, gregkh, apw, daniel.lezcano, virtualization,
	Michael Kelley, jasowang, devel, vkuznets, Thomas Gleixner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Kelley <mikelley@microsoft.com>

commit 35b69a420bfb56b7b74cb635ea903db05e357bec upstream.

Add support for platforms where pit_shutdown() doesn't work because of a
quirk in the PIT emulation. On these platforms setting the counter register
to zero causes the PIT to start running again, negating the shutdown.

Provide a global variable that controls whether the counter register is
zero'ed, which platform specific code can override.

Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: "devel@linuxdriverproject.org" <devel@linuxdriverproject.org>
Cc: "daniel.lezcano@linaro.org" <daniel.lezcano@linaro.org>
Cc: "virtualization@lists.linux-foundation.org" <virtualization@lists.linux-foundation.org>
Cc: "jgross@suse.com" <jgross@suse.com>
Cc: "akataria@vmware.com" <akataria@vmware.com>
Cc: "olaf@aepfle.de" <olaf@aepfle.de>
Cc: "apw@canonical.com" <apw@canonical.com>
Cc: vkuznets <vkuznets@redhat.com>
Cc: "jasowang@redhat.com" <jasowang@redhat.com>
Cc: "marcelo.cerri@canonical.com" <marcelo.cerri@canonical.com>
Cc: KY Srinivasan <kys@microsoft.com>
Link: https://lkml.kernel.org/r/1541303219-11142-2-git-send-email-mikelley@microsoft.com
[bwh: Backported to 3.16:
 - Don't use __ro_after_init
 - Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clocksource/i8253.c | 14 ++++++++++++--
 include/linux/i8253.h       |  1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/clocksource/i8253.c
+++ b/drivers/clocksource/i8253.c
@@ -19,6 +19,13 @@
 DEFINE_RAW_SPINLOCK(i8253_lock);
 EXPORT_SYMBOL(i8253_lock);
 
+/*
+ * Handle PIT quirk in pit_shutdown() where zeroing the counter register
+ * restarts the PIT, negating the shutdown. On platforms with the quirk,
+ * platform specific code can set this to false.
+ */
+bool i8253_clear_counter_on_shutdown = true;
+
 #ifdef CONFIG_CLKSRC_I8253
 /*
  * Since the PIT overflows every tick, its not very useful
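
Review bot: `i8253_clear_counter_on_shutdown` is defined as a plain writable global, and the backport note says `__ro_after_init` was dropped, so nothing in the code stops it from being changed after boot. The comment above the definition should say when platform code is expected to set it and that it is not meant to change afterwards, since the annotation that would have enforced that is missing on this branch.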
@@ -123,8 +130,11 @@ static void init_pit_timer(enum clock_ev
 		if (evt->mode == CLOCK_EVT_MODE_PERIODIC ||
 		    evt->mode == CLOCK_EVT_MODE_ONESHOT) {
 			outb_p(0x30, PIT_MODE);
-			outb_p(0, PIT_CH0);
-			outb_p(0, PIT_CH0);
+
+			if (i8253_clear_counter_on_shutdown) {
+				outb_p(0, PIT_CH0);
+				outb_p(0, PIT_CH0);
+			}
 		}
 		break;
 
--- a/include/linux/i8253.h
+++ b/include/linux/i8253.h
@@ -21,6 +21,7 @@
 #define PIT_LATCH	((PIT_TICK_RATE + HZ/2) / HZ)
 
 extern raw_spinlock_t i8253_lock;
+extern bool i8253_clear_counter_on_shutdown;
 extern struct clock_event_device i8253_clockevent;
 extern void clockevent_i8253_init(bool oneshot);
 


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 296/305] net: macb: Fix race condition in driver when Rx frame is dropped
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (201 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 080/305] libertas: don't set URB_ZERO_PACKET on IN USB transfer Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 225/305] exportfs: do not read dentry after free Ben Hutchings
                   ` (102 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Punnaiah Choudary Kalluri,
	Punnaiah Choudary Kalluri, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Punnaiah Choudary Kalluri <punnaiah.choudary.kalluri@xilinx.com>

commit d4c216c54197d741ed8b7ca54f13645dfb3eacde upstream.

Under heavy Rx load, observed that the Hw is updating the USED bit
and it is not updating the received frame status to the BD control
field. This could be lack of resources for processing the BDs at high
data rates. Driver drops the frame associated with this BD but not
clearing the USED bit. So, this is causing hang condition as Hw
expects USED bit to be cleared for this BD.

Signed-off-by: Punnaiah Choudary Kalluri <punnaia@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/cadence/macb.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/ethernet/cadence/macb.c
+++ b/drivers/net/ethernet/cadence/macb.c
@@ -634,6 +634,9 @@ static void gem_rx_refill(struct macb *b
 
 			/* properly align Ethernet header */
 			skb_reserve(skb, NET_IP_ALIGN);
+		} else {
+			bp->rx_ring[entry].addr &= ~MACB_BIT(RX_USED);
+			bp->rx_ring[entry].ctrl = 0;
 		}
 	}
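
Review bot: in the new `else` branch of gem_rx_refill() the RX_USED bit is cleared in `addr` before `ctrl` is zeroed, with no barrier between the two stores. The commit message says the hardware waits for USED to be cleared on this BD, so the hardware can pick the descriptor up while `ctrl` still holds the stale value; write `ctrl = 0` first, then a write barrier, then clear RX_USED.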
 


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 202/305] usb: core: Fix hub port connection events lost
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 047/305] EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 207/305] net-gro: reset skb->pkt_type in napi_reuse_skb() Ben Hutchings
                   ` (174 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Nyman, Greg Kroah-Hartman,
	Dennis Wassenberg

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dennis Wassenberg <dennis.wassenberg@secunet.com>

commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream.

This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset
only if a device was attached to the hub port before resetting the hub port.

Using a Lenovo T480s attached to the ultra dock it was not possible to detect
some usb-c devices at the dock usb-c ports because the hub_port_reset code
will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset.
Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the
actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit.
This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the
new device was attached such that it was not detected.

This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is
currently no device attached to the port before the hub port reset.
This will avoid clearing the connection bit for new attached devices.

Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2725,7 +2725,9 @@ static int hub_port_reset(struct usb_hub
 					USB_PORT_FEAT_C_BH_PORT_RESET);
 			usb_clear_port_feature(hub->hdev, port1,
 					USB_PORT_FEAT_C_PORT_LINK_STATE);
-			usb_clear_port_feature(hub->hdev, port1,
+
+			if (udev)
+				usb_clear_port_feature(hub->hdev, port1,
 					USB_PORT_FEAT_C_CONNECTION);
 
 			/*
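
Review bot: the new `if (udev)` guard in hub_port_reset() carries no comment, and the reason for it (a connect change that arrives between the reset and the clear must not be wiped when no device was attached beforehand) lives only in the commit message. A short comment above the `if` would stop the guard from looking like an accidental NULL check.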


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 103/305] clk: s2mps11: Add used attribute to s2mps11_dt_match
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (245 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 289/305] mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 287/305] mmc: omap_hsmmc: fix DMA API warning Ben Hutchings
                   ` (58 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Stephen Boyd, Nathan Chancellor

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit 9c940bbe2bb47e03ca5e937d30b6a50bf9c0e671 upstream.

Clang warns after commit 8985167ecf57 ("clk: s2mps11: Fix matching when
built as module and DT node contains compatible"):

drivers/clk/clk-s2mps11.c:242:34: warning: variable 's2mps11_dt_match'
is not needed and will not be emitted [-Wunneeded-internal-declaration]
static const struct of_device_id s2mps11_dt_match[] = {
                                 ^
1 warning generated.

This warning happens when a variable is used in some construct that
doesn't require a reference to that variable to be emitted in the symbol
table; in this case, it's MODULE_DEVICE_TABLE, which only needs to hold
the data of the variable, not the variable itself.

$ nm -S drivers/clk/clk-s2mps11.o | rg s2mps11_dt_match
00000078 000003d4 R __mod_of__s2mps11_dt_match_device_table

Normally, with device ID table variables, it means that the variable
just needs to be tied to the device declaration at the bottom of the
file, like s2mps11_clk_id:

$ nm -S drivers/clk/clk-s2mps11.o | rg s2mps11_clk_id
00000000 00000078 R __mod_platform__s2mps11_clk_id_device_table
00000000 00000078 r s2mps11_clk_id

However, because the comment above this deliberately doesn't want this
variable added to .of_match_table, we need to mark s2mps11_dt_match as
__used to silence this warning. This makes it clear to Clang that the
variable is used for something, even if a reference to it isn't being
emitted.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Fixes: 8985167ecf57 ("clk: s2mps11: Fix matching when built as module and DT node contains compatible")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/clk-s2mps11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/clk-s2mps11.c
+++ b/drivers/clk/clk-s2mps11.c
@@ -306,7 +306,7 @@ MODULE_DEVICE_TABLE(platform, s2mps11_cl
  * This requires of_device_id table.  In the same time this will not change the
  * actual *device* matching so do not add .of_match_table.
  */
-static const struct of_device_id s2mps11_dt_match[] = {
+static const struct of_device_id s2mps11_dt_match[] __used = {
 	{
 		.compatible = "samsung,s2mps11-clk",
 		.data = (void *)S2MPS11X,


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 099/305] scsi: esp_scsi: Track residual for PIO transfers
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 178/305] can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 236/305] powerpc: Fix COFF zImage booting on old powermacs Ben Hutchings
                   ` (187 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Stan Johnson, Martin K. Petersen,
	Finn Thain, Michael Schmitz

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit fd47d919d0c336e7c22862b51ee94927ffea227a upstream.

If a target disconnects during a PIO data transfer the command may fail
when the target reconnects:

scsi host1: DMA length is zero!
scsi host1: cur adr[04380000] len[00000000]

The scsi bus is then reset. This happens because the residual reached
zero before the transfer was completed.

The usual residual calculation relies on the Transfer Count registers.
That works for DMA transfers but not for PIO transfers. Fix the problem
by storing the PIO transfer residual and using that to correctly
calculate bytes_sent.

Fixes: 6fe07aaffbf0 ("[SCSI] m68k: new mac_esp scsi driver")
Tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/esp_scsi.c | 1 +
 drivers/scsi/esp_scsi.h | 2 ++
 drivers/scsi/mac_esp.c  | 2 ++
 3 files changed, 5 insertions(+)

--- a/drivers/scsi/esp_scsi.c
+++ b/drivers/scsi/esp_scsi.c
@@ -1316,6 +1316,7 @@ static int esp_data_bytes_sent(struct es
 
 	bytes_sent = esp->data_dma_len;
 	bytes_sent -= ecount;
+	bytes_sent -= esp->send_cmd_residual;
 
 	if (!(ent->flags & ESP_CMD_FLAG_WRITE))
 		bytes_sent -= fifo_cnt;
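
Review bot: `bytes_sent -= esp->send_cmd_residual;` in esp_data_bytes_sent() applies to every transfer, but the only assignment to `send_cmd_residual` in this patch is at the end of mac_esp_send_pio_cmd(). If a later command on the same host is sent through a non-PIO path, the residual left by the previous PIO command is still in the field and gets subtracted again; reset it to zero where non-PIO commands are issued, or document next to the new struct member which code is responsible for keeping it current.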
--- a/drivers/scsi/esp_scsi.h
+++ b/drivers/scsi/esp_scsi.h
@@ -524,6 +524,8 @@ struct esp {
 
 	void			*dma;
 	int			dmarev;
+
+	u32			send_cmd_residual;
 };
 
 /* A front-end driver for the ESP chip should do the following in
--- a/drivers/scsi/mac_esp.c
+++ b/drivers/scsi/mac_esp.c
@@ -426,6 +426,8 @@ static void mac_esp_send_pio_cmd(struct
 			scsi_esp_cmd(esp, ESP_CMD_TI);
 		}
 	}
+
+	esp->send_cmd_residual = esp_count;
 }
 
 static int mac_esp_irq_pending(struct esp *esp)


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 173/305] fuse: fix leaked notify reply
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 207/305] net-gro: reset skb->pkt_type in napi_reuse_skb() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 165/305] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 Ben Hutchings
                   ` (172 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Miklos Szeredi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 7fabaf303458fcabb694999d6fa772cc13d4e217 upstream.

fuse_request_send_notify_reply() may fail if the connection was reset for
some reason (e.g. fs was unmounted).  Don't leak request reference in this
case.  Besides leaking memory, this resulted in fc->num_waiting not being
decremented and hence fuse_wait_aborted() left in a hanging and unkillable
state.

Fixes: 2d45ba381a74 ("fuse: add retrieve request")
Fixes: b8f95e5d13f5 ("fuse: umount should wait for all requests")
Reported-and-tested-by: syzbot+6339eda9cb4ebbc4c37b@syzkaller.appspotmail.com
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1682,8 +1682,10 @@ static int fuse_retrieve(struct fuse_con
 	req->in.args[1].size = total_len;
 
 	err = fuse_request_send_notify_reply(fc, req, outarg->notify_unique);
-	if (err)
+	if (err) {
 		fuse_retrieve_end(fc, req);
+		fuse_put_request(fc, req);
+	}
 
 	return err;
 }
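
Review bot: the error branch in fuse_retrieve() now makes two cleanup calls, fuse_retrieve_end() and fuse_put_request(), and from these lines it is not clear which reference the put drops or why fuse_retrieve_end() alone was not enough. A one-line comment naming the reference would help, given that the commit message ties the leak to an unkillable hang in fuse_wait_aborted().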


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 127/305] rtnetlink: Disallow FDB configuration for non-Ethernet device
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 062/305] IB/mthca: Fix error return code in __mthca_init_one() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 208/305] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! Ben Hutchings
                   ` (275 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vlad Yasevich, David S. Miller,
	David Ahern, Ido Schimmel

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@mellanox.com>

commit da71577545a52be3e0e9225a946e5fd79cfab015 upstream.

When an FDB entry is configured, the address is validated to have the
length of an Ethernet address, but the device for which the address is
configured can be of any type.

The above can result in the use of uninitialized memory when the address
is later compared against existing addresses since 'dev->addr_len' is
used and it may be greater than ETH_ALEN, as with ip6tnl devices.

Fix this by making sure that FDB entries are only configured for
Ethernet devices.

BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863
CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x14b/0x190 lib/dump_stack.c:113
  kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956
  __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645
  memcmp+0x11d/0x180 lib/string.c:863
  dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464
  ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline]
  rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558
  rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715
  netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454
  rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733
  netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
  netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343
  netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
  __sys_sendmsg net/socket.c:2152 [inline]
  __do_sys_sendmsg net/socket.c:2161 [inline]
  __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181
  kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91
  kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100
  slab_post_alloc_hook mm/slab.h:446 [inline]
  slab_alloc_node mm/slub.c:2718 [inline]
  __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351
  __kmalloc_reserve net/core/skbuff.c:138 [inline]
  __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206
  alloc_skb include/linux/skbuff.h:996 [inline]
  netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
  netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg net/socket.c:631 [inline]
  ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
  __sys_sendmsg net/socket.c:2152 [inline]
  __do_sys_sendmsg net/socket.c:2161 [inline]
  __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
  __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
  entry_SYSCALL_64_after_hwframe+0x63/0xe7

v2:
* Make error message more specific (David)

Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_<op>")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: David Ahern <dsahern@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Log error messages rather than using extack]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/rtnetlink.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2360,6 +2360,11 @@ static int rtnl_fdb_add(struct sk_buff *
 		return -EINVAL;
 	}
 
+	if (dev->type != ARPHRD_ETHER) {
+		pr_info("PF_BRIDGE: FDB add only supported for Ethernet devices\n");
+		return -EINVAL;
+	}
+
 	addr = nla_data(tb[NDA_LLADDR]);
 
 	err = -EOPNOTSUPP;
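
Review bot: the `pr_info()` in the new `dev->type != ARPHRD_ETHER` check in rtnl_fdb_add() fires once per rejected request, and the call trace in the commit message shows this path is reached directly from sendmsg() on a netlink socket, so a caller can fill the kernel log at will; use pr_info_ratelimited() or drop the message. The same applies to the matching check added to rtnl_fdb_del(). The check is in the right place, ahead of `addr = nla_data(tb[NDA_LLADDR])`.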
@@ -2457,6 +2462,11 @@ static int rtnl_fdb_del(struct sk_buff *
 		return -EINVAL;
 	}
 
+	if (dev->type != ARPHRD_ETHER) {
+		pr_info("PF_BRIDGE: FDB delete only supported for Ethernet devices\n");
+		return -EINVAL;
+	}
+
 	addr = nla_data(tb[NDA_LLADDR]);
 
 	err = -EOPNOTSUPP;


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 125/305] um: Give start_idle_thread() a return code
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 090/305] IB/cm: Avoid AV ah_attr overwriting during LAP message handling Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 145/305] Btrfs: fix cur_offset in the error case for nocow Ben Hutchings
                   ` (214 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Richard Weinberger

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 7ff1e34bbdc15acab823b1ee4240e94623d50ee8 upstream.

Fixes:
arch/um/os-Linux/skas/process.c:613:1: warning: control reaches end of
non-void function [-Wreturn-type]

longjmp() never returns but gcc still warns that the end of the function
can be reached.
Add a return code and debug aid to detect this impossible case.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/um/os-Linux/skas/process.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/um/os-Linux/skas/process.c
+++ b/arch/um/os-Linux/skas/process.c
@@ -694,6 +694,11 @@ int start_idle_thread(void *stack, jmp_b
 		fatal_sigsegv();
 	}
 	longjmp(*switch_buf, 1);
+
+	/* unreachable */
+	printk(UM_KERN_ERR "impossible long jump!");
+	fatal_sigsegv();
+	return 0;
 }
 
 void initial_thread_cb_skas(void (*proc)(void *), void *arg)
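
Review bot: the added `printk(UM_KERN_ERR "impossible long jump!");` in start_idle_thread() has no trailing `\n`, so the message can be held back or run into the next line of output right before fatal_sigsegv() takes the process down; add the newline.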


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 293/305] KVM: x86: Add MSR_AMD64_DC_CFG to the list of ignored MSRs
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (160 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 285/305] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 039/305] net/ipv4: defensive cipso option parsing Ben Hutchings
                   ` (143 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Radim Krčmář, Ladi Prosek

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ladi Prosek <lprosek@redhat.com>

commit 405a353a0e20d09090ad96147da6afad9b0ce056 upstream.

Hyper-V writes 0x800000000000 to MSR_AMD64_DC_CFG when running on AMD CPUs
as recommended in erratum 383, analogous to our svm_init_erratum_383.

By ignoring the MSR, this patch enables running Hyper-V in L1 on AMD.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2085,6 +2085,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
 	case MSR_VM_HSAVE_PA:
 	case MSR_AMD64_PATCH_LOADER:
 	case MSR_AMD64_BU_CFG2:
+	case MSR_AMD64_DC_CFG:
 		break;
 
 	case MSR_EFER:
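
Review bot: the new `case MSR_AMD64_DC_CFG:` in kvm_set_msr_common() falls into a bare `break`, so any value the guest writes is accepted and discarded without a trace. A one-line comment naming erratum 383, the reason given in the commit message, beside the case label would tell the next reader why this MSR is in the ignore list.
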
@@ -2462,6 +2463,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
 	case MSR_FAM10H_MMIO_CONF_BASE:
 	case MSR_AMD64_BU_CFG2:
 	case MSR_IA32_PERF_CTL:
+	case MSR_AMD64_DC_CFG:
 		msr_info->data = 0;
 		break;
 	case MSR_P6_PERFCTR0:
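
Review bot: on the read side the new case ends in `msr_info->data = 0`, so a guest that writes this MSR and reads it back sees 0 rather than the value it wrote. That matches the other MSRs sharing this branch, but it is worth a sentence in a comment or in the commit message, which only describes the write.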



* [PATCH 3.16 301/305] drm: Rewrite drm_ioctl_flags() to resemble the new drm_ioctl() code
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 265/305] mac80211: ignore NullFunc frames in the duplicate detection Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 304/305] ipv6: tunnels: fix two use-after-free Ben Hutchings
                   ` (228 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ville Syrjälä, Daniel Vetter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 7ef5f82b100716b23de7d2da6ff602b0842e5804 upstream.

Use the same logic when checking for valid ioctl range in
drm_ioctl_flags() that is used in drm_ioctl() to avoid
confusion.

Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_drv.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -460,12 +460,13 @@ EXPORT_SYMBOL(drm_ioctl);
  */
 bool drm_ioctl_flags(unsigned int nr, unsigned int *flags)
 {
-	if ((nr >= DRM_COMMAND_END && nr < DRM_CORE_IOCTL_COUNT) ||
-	    (nr < DRM_COMMAND_BASE)) {
-		*flags = drm_ioctls[nr].flags;
-		return true;
-	}
+	if (nr >= DRM_COMMAND_BASE && nr < DRM_COMMAND_END)
+		return false;
 
-	return false;
+	if (nr >= DRM_CORE_IOCTL_COUNT)
+		return false;
+
+	*flags = drm_ioctls[nr].flags;
+	return true;
 }
 EXPORT_SYMBOL(drm_ioctl_flags);
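
Review bot: after the two range checks, `nr` indexes `drm_ioctls[nr]` directly. If any caller passes an ioctl number that originates from userspace, clamp it with array_index_nospec(nr, DRM_CORE_IOCTL_COUNT) before the load so that the bound also holds under speculation. The rewritten conditions accept the same values of nr as the removed compound test, so the reordering itself should not change behaviour.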



* [PATCH 3.16 072/305] media: cx231xx: fix potential sign-extension overflow on large shift
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 124/305] um: Drop own definition of PTRACE_SYSEMU/_SINGLESTEP Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 155/305] ext4: fix possible leak of sbi->s_group_desc_leak in error path Ben Hutchings
                   ` (238 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Colin Ian King,
	Hans Verkuil

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 32ae592036d7aeaabcccb2b1715373a68639a768 upstream.

Shifting the u8 value[3] by an int can lead to sign-extension
overflow. For example, if value[3] is 0xff and the shift is 24 then it
is promoted to int and then the top bit is sign-extended so that all
upper 32 bits are set.  Fix this by casting value[3] to a u32 before
the shift.

Detected by CoverityScan, CID#1016522 ("Unintended sign extension")

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/cx231xx/cx231xx-video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/cx231xx/cx231xx-video.c
+++ b/drivers/media/usb/cx231xx/cx231xx-video.c
@@ -1271,7 +1271,7 @@ int cx231xx_g_register(struct file *file
 		ret = cx231xx_read_ctrl_reg(dev, VRT_GET_REGISTER,
 				(u16)reg->reg, value, 4);
 		reg->val = value[0] | value[1] << 8 |
-			value[2] << 16 | value[3] << 24;
+			value[2] << 16 | (u32)value[3] << 24;
 		reg->size = 4;
 		break;
 	case 1:	/* AFE - read byte */
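
Review bot: in this hunk `reg->val` is assembled from value[] immediately after cx231xx_read_ctrl_reg() assigns `ret`, with no test of `ret` in between. Unless value[] is zeroed before the switch, which is not visible here, a failed read would copy stale bytes into reg->val; consider checking `ret` first or initialising value[]. The `(u32)` cast is needed only on value[3], since the shifts by 8 and 16 cannot reach the sign bit.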
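
The sign extension described in the commit message above, as an added user-space example that is not part of the patch or the cx231xx driver. The function names and sample bytes are constructed for illustration, and the 64-bit destination is an assumption taken from the commit message's "upper 32 bits".

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Pre-fix expression: value[3] is promoted to int before the shift, so a
 * byte >= 0x80 lands in the sign bit. The promoted result is modelled
 * with an explicit int32_t conversion so that this demo does not itself
 * shift into the sign bit of a signed int.
 */
uint64_t assemble_promoted_int(const uint8_t value[4])
{
	int32_t top = (int32_t)((uint32_t)value[3] << 24);
	int32_t word = value[0] | value[1] << 8 | value[2] << 16 | top;

	/* Widening a negative int to 64 bits copies the sign bit upward. */
	return (uint64_t)(int64_t)word;
}

/* Post-fix expression: the cast makes the final OR unsigned. */
uint64_t assemble_u32_cast(const uint8_t value[4])
{
	uint32_t word = value[0] | value[1] << 8 | value[2] << 16 |
			(uint32_t)value[3] << 24;

	return word;	/* zero-extended to 64 bits */
}

/* Count the top-byte values for which the two forms disagree. */
unsigned int count_corrupted_top_bytes(void)
{
	unsigned int b, bad = 0;

	for (b = 0; b <= 0xff; b++) {
		/* constructed register contents, only the top byte varies */
		const uint8_t value[4] = { 0x78, 0x56, 0x34, (uint8_t)b };

		if (assemble_promoted_int(value) != assemble_u32_cast(value))
			bad++;
	}
	return bad;
}

int main(void)
{
	/* constructed sample: the 0xff case from the commit message */
	const uint8_t value[4] = { 0x00, 0x00, 0x00, 0xff };

	printf("int promotion: 0x%016llx\n",
	       (unsigned long long)assemble_promoted_int(value));
	printf("u32 cast:      0x%016llx\n",
	       (unsigned long long)assemble_u32_cast(value));
	printf("top bytes affected: %u of 256\n", count_corrupted_top_bytes());
	return 0;
}
```

Only top bytes with bit 7 set are affected, which is why the defect can go unnoticed with register values below 0x80000000.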



* [PATCH 3.16 174/305] can: raw: check for CAN FD capable netdev in raw_sendmsg()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (270 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 065/305] printk: Fix panic caused by passing log_buf_len to command line Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 278/305] tracing: Fix memory leak in set_trigger_filter() Ben Hutchings
                   ` (33 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marc Kleine-Budde, Oliver Hartkopp

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit a43608fa77213ad5ac5f75994254b9f65d57cfa0 upstream.

When the socket is CAN FD enabled it can handle CAN FD frame
transmissions.  Add an additional check in raw_sendmsg() as a CAN2.0 CAN
driver (non CAN FD) should never see a CAN FD frame. Due to the commonly
used can_dropped_invalid_skb() function the CAN 2.0 driver would drop
that CAN FD frame anyway - but with this patch the user gets a proper
-EINVAL return code.

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16: Keep looking up devices in init_net]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/can/raw.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -686,18 +686,19 @@ static int raw_sendmsg(struct kiocb *ioc
 	} else
 		ifindex = ro->ifindex;
 
-	if (ro->fd_frames) {
+	dev = dev_get_by_index(&init_net, ifindex);
+	if (!dev)
+		return -ENXIO;
+
+	err = -EINVAL;
+	if (ro->fd_frames && dev->mtu == CANFD_MTU) {
 		if (unlikely(size != CANFD_MTU && size != CAN_MTU))
-			return -EINVAL;
+			goto put_dev;
 	} else {
 		if (unlikely(size != CAN_MTU))
-			return -EINVAL;
+			goto put_dev;
 	}
 
-	dev = dev_get_by_index(&init_net, ifindex);
-	if (!dev)
-		return -ENXIO;
-
 	skb = sock_alloc_send_skb(sk, size + sizeof(struct can_skb_priv),
 				  msg->msg_flags & MSG_DONTWAIT, &err);
 	if (!skb)
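
Review bot: both `goto put_dev` exits rely on `err = -EINVAL` having been assigned a few lines earlier and on the put_dev label, which is outside this hunk, returning `err` after dropping the reference taken by dev_get_by_index(). Please confirm that in the 3.16 tree, because the size checks used to return before any reference was held. A short comment on the `dev->mtu == CANFD_MTU` test saying that it identifies a CAN FD capable device would also help.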



* [PATCH 3.16 131/305] netfilter: x_tables: add and use xt_check_proc_name
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 035/305] media: tvp5150: fix width alignment during set_selection() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 117/305] HID: hiddev: fix potential Spectre v1 Ben Hutchings
                   ` (87 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pablo Neira Ayuso, Florian Westphal,
	syzbot+0502b00edac2a0680b61, Eric Dumazet

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit b1d0a5d0cba4597c0394997b2d5fced3e3841b4e upstream.

recent and hashlimit both create /proc files, but only check that
name is 0 terminated.

This can trigger WARN() from procfs when name is "" or "/".
Add helper for this and then use it for both.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: <syzbot+0502b00edac2a0680b61@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16:
 - xt_hashlimit has only one check function
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -247,6 +247,8 @@ unsigned int *xt_alloc_entry_offsets(uns
 bool xt_find_jump_offset(const unsigned int *offsets,
 			 unsigned int target, unsigned int size);
 
+int xt_check_proc_name(const char *name, unsigned int size);
+
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
 		   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -380,6 +380,36 @@ textify_hooks(char *buf, size_t size, un
 	return buf;
 }
 
+/**
+ * xt_check_proc_name - check that name is suitable for /proc file creation
+ *
+ * @name: file name candidate
+ * @size: length of buffer
+ *
+ * some x_tables modules wish to create a file in /proc.
+ * This function makes sure that the name is suitable for this
+ * purpose, it checks that name is NUL terminated and isn't a 'special'
+ * name, like "..".
+ *
+ * returns negative number on error or 0 if name is useable.
+ */
+int xt_check_proc_name(const char *name, unsigned int size)
+{
+	if (name[0] == '\0')
+		return -EINVAL;
+
+	if (strnlen(name, size) == size)
+		return -ENAMETOOLONG;
+
+	if (strcmp(name, ".") == 0 ||
+	    strcmp(name, "..") == 0 ||
+	    strchr(name, '/'))
+		return -EINVAL;
+
+	return 0;
+}
+EXPORT_SYMBOL(xt_check_proc_name);
+
 int xt_check_match(struct xt_mtchk_param *par,
 		   unsigned int size, u_int8_t proto, bool inv_proto)
 {
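
Review bot: the kernel-doc for xt_check_proc_name() says only "returns negative number on error" and names ".." as the special case, while the body returns -ENAMETOOLONG for an unterminated buffer and -EINVAL for an empty name, ".", ".." or any name containing '/'. Listing those return values and the '/' rule in the comment would match the code, and "useable" should be "usable". Note also that `name[0]` is read before the strnlen() bound check, which is fine only for size >= 1.
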
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -668,8 +668,9 @@ static int hashlimit_mt_check(const stru
 
 	if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
 		return -EINVAL;
-	if (info->name[sizeof(info->name)-1] != '\0')
-		return -EINVAL;
+	ret = xt_check_proc_name(info->name, sizeof(info->name));
+	if (ret)
+		return ret;
 	if (par->family == NFPROTO_IPV4) {
 		if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
 			return -EINVAL;
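
Review bot: `ret` is assigned here but its declaration is not part of the hunk; since this is a backport with adjusted context, check that hashlimit_mt_check() in 3.16 already declares `int ret`. The errno for an unterminated name also changes from -EINVAL to -ENAMETOOLONG, which is visible to userspace and deserves a line in the commit message.
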
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -355,9 +355,9 @@ static int recent_mt_check(const struct
 			info->hit_count, ip_pkt_list_tot);
 		return -EINVAL;
 	}
-	if (info->name[0] == '\0' ||
-	    strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
-		return -EINVAL;
+	ret = xt_check_proc_name(info->name, sizeof(info->name));
+	if (ret)
+		return ret;
 
 	mutex_lock(&recent_mutex);
 	t = recent_table_lookup(recent_net, info->name);
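
Review bot: after this change `ret` is 0 by the time mutex_lock(&recent_mutex) is reached, whereas the removed check never touched it. If any later error path in recent_mt_check() jumps to its exit label relying on the initial value of ret, it would now return success, so each path below should set ret explicitly. The bound also changes from XT_RECENT_NAME_LEN to sizeof(info->name); these should be the same size.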



* [PATCH 3.16 040/305] kgdboc: Passing ekgdboc to command line causes panic
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 215/305] usb: cdc-acm: add entry for Hiro (Conexant) modem Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 033/305] media: em28xx: fix input name for Terratec AV 350 Ben Hutchings
                   ` (287 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, He Zhe, gregkh, jslaby, Daniel Thompson,
	jason.wessel

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: He Zhe <zhe.he@windriver.com>

commit 1bd54d851f50dea6af30c3e6ff4f3e9aab5558f9 upstream.

kgdboc_option_setup does not check its input argument before passing it
to strlen. The argument would be a NULL pointer if "ekgdboc", without
its value, is set on the command line, and thus causes the following panic.

PANIC: early exception 0xe3 IP 10:ffffffff8fbbb620 error 0 cr2 0x0
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.18-rc8+ #1
[    0.000000] RIP: 0010:strlen+0x0/0x20
...
[    0.000000] Call Trace
[    0.000000]  ? kgdboc_option_setup+0x9/0xa0
[    0.000000]  ? kgdboc_early_init+0x6/0x1b
[    0.000000]  ? do_early_param+0x4d/0x82
[    0.000000]  ? parse_args+0x212/0x330
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_options+0x20/0x23
[    0.000000]  ? rdinit_setup+0x26/0x26
[    0.000000]  ? parse_early_param+0x2d/0x39
[    0.000000]  ? setup_arch+0x2f7/0xbf4
[    0.000000]  ? start_kernel+0x5e/0x4c2
[    0.000000]  ? load_ucode_bsp+0x113/0x12f
[    0.000000]  ? secondary_startup_64+0xa5/0xb0

This patch adds a check to prevent the panic.

Cc: jason.wessel@windriver.com
Cc: gregkh@linuxfoundation.org
Cc: jslaby@suse.com
Signed-off-by: He Zhe <zhe.he@windriver.com>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/kgdboc.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/tty/serial/kgdboc.c
+++ b/drivers/tty/serial/kgdboc.c
@@ -133,6 +133,11 @@ static void kgdboc_unregister_kbd(void)
 
 static int kgdboc_option_setup(char *opt)
 {
+	if (!opt) {
+		pr_err("kgdboc: config string not provided\n");
+		return -EINVAL;
+	}
+
 	if (strlen(opt) >= MAX_CONFIG_LEN) {
 		printk(KERN_ERR "kgdboc: config string too long\n");
 		return -ENOSPC;
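
Review bot: the new NULL branch logs with pr_err() while the length check directly below still uses printk(KERN_ERR ...), both with a hand-written "kgdboc: " prefix. Pick one style for the function; if the file defines pr_fmt, the pr_err() line would print the prefix twice.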



* [PATCH 3.16 290/305] VSOCK: Send reset control packet when socket is partially bound
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 245/305] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 244/305] s390/qeth: fix length check in SNMP processing Ben Hutchings
                   ` (114 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jorgen Hansen, Vishnu Dasa, Adit Ranadive,
	David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jorgen Hansen <jhansen@vmware.com>

commit a915b982d8f5e4295f64b8dd37ce753874867e88 upstream.

If a server side socket is bound to an address, but not in the listening
state yet, incoming connection requests should receive a reset control
packet in response. However, the function used to send the reset
silently drops the reset packet if the sending socket isn't bound
to a remote address (as is the case for a bound socket not yet in
the listening state). This change fixes this by using the src
of the incoming packet as destination for the reset packet in
this case.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Reviewed-by: Adit Ranadive <aditr@vmware.com>
Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/vmw_vsock/vmci_transport.c | 67 +++++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 17 deletions(-)

--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -275,6 +275,31 @@ vmci_transport_send_control_pkt_bh(struc
 }
 
 static int
+vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
+				      struct sockaddr_vm *dst,
+				      enum vmci_transport_packet_type type,
+				      u64 size,
+				      u64 mode,
+				      struct vmci_transport_waiting_info *wait,
+				      u16 proto,
+				      struct vmci_handle handle)
+{
+	struct vmci_transport_packet *pkt;
+	int err;
+
+	pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
+	if (!pkt)
+		return -ENOMEM;
+
+	err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
+						mode, wait, proto, handle,
+						true);
+	kfree(pkt);
+
+	return err;
+}
+
+static int
 vmci_transport_send_control_pkt(struct sock *sk,
 				enum vmci_transport_packet_type type,
 				u64 size,
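
Review bot: vmci_transport_alloc_send_control_pkt() allocates with kmalloc(sizeof(*pkt), GFP_KERNEL), so it may sleep, unlike the _bh variant above it. A one-line comment saying it must only be called from process context would keep a future caller from using it in the bottom-half path.
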
@@ -283,9 +308,7 @@ vmci_transport_send_control_pkt(struct s
 				u16 proto,
 				struct vmci_handle handle)
 {
-	struct vmci_transport_packet *pkt;
 	struct vsock_sock *vsk;
-	int err;
 
 	vsk = vsock_sk(sk);
 
@@ -295,17 +318,10 @@ vmci_transport_send_control_pkt(struct s
 	if (!vsock_addr_bound(&vsk->remote_addr))
 		return -EINVAL;
 
-	pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
-	if (!pkt)
-		return -ENOMEM;
-
-	err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
-						&vsk->remote_addr, type, size,
-						mode, wait, proto, handle,
-						true);
-	kfree(pkt);
-
-	return err;
+	return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
+						     &vsk->remote_addr,
+						     type, size, mode,
+						     wait, proto, handle);
 }
 
 static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
@@ -323,12 +339,29 @@ static int vmci_transport_send_reset_bh(
 static int vmci_transport_send_reset(struct sock *sk,
 				     struct vmci_transport_packet *pkt)
 {
+	struct sockaddr_vm *dst_ptr;
+	struct sockaddr_vm dst;
+	struct vsock_sock *vsk;
+
 	if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
 		return 0;
-	return vmci_transport_send_control_pkt(sk,
-					VMCI_TRANSPORT_PACKET_TYPE_RST,
-					0, 0, NULL, VSOCK_PROTO_INVALID,
-					VMCI_INVALID_HANDLE);
+
+	vsk = vsock_sk(sk);
+
+	if (!vsock_addr_bound(&vsk->local_addr))
+		return -EINVAL;
+
+	if (vsock_addr_bound(&vsk->remote_addr)) {
+		dst_ptr = &vsk->remote_addr;
+	} else {
+		vsock_addr_init(&dst, pkt->dg.src.context,
+				pkt->src_port);
+		dst_ptr = &dst;
+	}
+	return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
+					     VMCI_TRANSPORT_PACKET_TYPE_RST,
+					     0, 0, NULL, VSOCK_PROTO_INVALID,
+					     VMCI_INVALID_HANDLE);
 }
 
 static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
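
Review bot: when the remote address is unbound, the reset destination is built from `pkt->dg.src.context` and `pkt->src_port`, that is, from fields of the incoming packet. A comment on the else branch saying that this is the bound-but-not-listening case from the commit message would explain why peer-supplied values become the destination. The on-stack `dst` is safe here because the helper uses it and frees its packet before returning.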



* [PATCH 3.16 053/305] usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 030/305] power: supply: max8998-charger: Fix platform data retrieval Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 126/305] xtensa: add NOTES section to the linker script Ben Hutchings
                   ` (70 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Felipe Balbi, Nicholas Mc Guire

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <hofrat@osadl.org>

commit 4ab2b48c98f2ec9712452d520a381917f91ac3d2 upstream.

The allocations with fsl_alloc_request() and kmalloc() were unchecked;
fixed this up with a NULL check and appropriate cleanup.

Additionally udc->ep_qh_size was reset to 0 on failure of allocation.
Similarly udc->phy_mode is initially 0 (as udc_controller was
allocated with kzalloc in fsl_udc_probe()) so reset it to 0 as well
so that this function is side-effect free on failure. Not clear if
this is necessary or sensible as fsl_udc_release() probably can not
be called if fsl_udc_probe() failed - but it should not hurt.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Fixes: b504882da5 ("USB: add Freescale high-speed USB SOC device controller driver")
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/fsl_udc_core.c | 30 +++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/fsl_udc_core.c
+++ b/drivers/usb/gadget/fsl_udc_core.c
@@ -2256,8 +2256,10 @@ static int __init struct_udc_setup(struc
 	udc->phy_mode = pdata->phy_mode;
 
 	udc->eps = kzalloc(sizeof(struct fsl_ep) * udc->max_ep, GFP_KERNEL);
-	if (!udc->eps)
-		return -1;
+	if (!udc->eps) {
+		ERR("kmalloc udc endpoint status failed\n");
+		goto eps_alloc_failed;
+	}
 
 	/* initialized QHs, take care of alignment */
 	size = udc->max_ep * sizeof(struct ep_queue_head);
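
Review bot: the new message says "kmalloc udc endpoint status failed", but the allocation two lines above is a kzalloc() of the udc->eps array; word the message after what actually failed. The new labels still end in `return -1;`, where -ENOMEM would be the conventional value if the caller can pass it on.
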
@@ -2271,8 +2273,7 @@ static int __init struct_udc_setup(struc
 					&udc->ep_qh_dma, GFP_KERNEL);
 	if (!udc->ep_qh) {
 		ERR("malloc QHs for udc failed\n");
-		kfree(udc->eps);
-		return -1;
+		goto ep_queue_alloc_failed;
 	}
 
 	udc->ep_qh_size = size;
@@ -2281,8 +2282,17 @@ static int __init struct_udc_setup(struc
 	/* FIXME: fsl_alloc_request() ignores ep argument */
 	udc->status_req = container_of(fsl_alloc_request(NULL, GFP_KERNEL),
 			struct fsl_req, req);
+	if (!udc->status_req) {
+		ERR("kzalloc for udc status request failed\n");
+		goto udc_status_alloc_failed;
+	}
+
 	/* allocate a small amount of memory to get valid address */
 	udc->status_req->req.buf = kmalloc(8, GFP_KERNEL);
+	if (!udc->status_req->req.buf) {
+		ERR("kzalloc for udc request buffer failed\n");
+		goto udc_req_buf_alloc_failed;
+	}
 
 	udc->resume_state = USB_STATE_NOTATTACHED;
 	udc->usb_state = USB_STATE_POWERED;
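
Review bot: `udc->status_req` is the result of container_of() applied to the return value of fsl_alloc_request(), so the new `if (!udc->status_req)` test catches a failed allocation only if `req` sits at offset 0 of struct fsl_req. Test the pointer returned by fsl_alloc_request() before applying container_of(). Both new messages say "kzalloc", but the buffer is allocated with kmalloc(8, GFP_KERNEL).
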
@@ -2290,6 +2300,18 @@ static int __init struct_udc_setup(struc
 	udc->remote_wakeup = 0;	/* default to 0 on reset */
 
 	return 0;
+
+udc_req_buf_alloc_failed:
+	kfree(udc->status_req);
+udc_status_alloc_failed:
+	kfree(udc->ep_qh);
+	udc->ep_qh_size = 0;
+ep_queue_alloc_failed:
+	kfree(udc->eps);
+eps_alloc_failed:
+	udc->phy_mode = 0;
+	return -1;
+
 }
 
 /*----------------------------------------------------------------
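
Review bot: the udc_status_alloc_failed label releases `udc->ep_qh` with kfree(), yet the allocation shown in the context of the second hunk passes `&udc->ep_qh_dma`, which indicates a DMA-coherent allocation. If so, it has to be released with the matching DMA free call, using the same size and handle, not kfree(). The blank line before the closing brace can go.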



* [PATCH 3.16 150/305] ext4: avoid possible double brelse() in add_new_gdb() on error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 038/305] Cipso: cipso_v4_optptr enter infinite loop Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 138/305] ext4: add missing brelse() update_backups()'s " Ben Hutchings
                   ` (249 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vasily Averin, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 4f32c38b4662312dd3c5f113d8bdd459887fb773 upstream.

Fixes: b40971426a83 ("ext4: add error checking to calls to ...")
Reported-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -845,6 +845,7 @@ static int add_new_gdb(handle_t *handle,
 	err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh);
 	if (unlikely(err)) {
 		ext4_std_error(sb, err);
+		iloc.bh = NULL;
 		goto exit_inode;
 	}
 	brelse(dind);
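
Review bot: `iloc.bh = NULL;` is added without a comment and the commit message has no body, so the reason has to be inferred from the subject line. A comment here saying which earlier step has already released the buffer, so that the exit_inode path must not brelse() it again, would make the intent checkable.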



* [PATCH 3.16 069/305] bcache: fix miss key refill->end in writeback
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (199 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 252/305] SUNRPC: Fix a potential race in xprt_connect() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 080/305] libertas: don't set URB_ZERO_PACKET on IN USB transfer Ben Hutchings
                   ` (104 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Coly Li, Tang Junhui, Jens Axboe

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tang Junhui <tang.junhui.linux@gmail.com>

commit 2d6cb6edd2c7fb4f40998895bda45006281b1ac5 upstream.

refill->end records the last key of writeback. For example, the first
time, keys (1,128K) to (1,1024K) are flushed to the backend device, but
the end key (1,1024K) is not included, because of the code below:
	if (bkey_cmp(k, refill->end) >= 0) {
		ret = MAP_DONE;
		goto out;
	}
And the next time, when we refill the writeback keybuf again, we search
for keys starting from (1,1024K) and get a key bigger than it, so the key
(1,1024K) is missed.
This patch modifies the above code and lets the end key be included in
the writeback key buffer.

Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/btree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -2354,7 +2354,7 @@ static int refill_keybuf_fn(struct btree
 	struct keybuf *buf = refill->buf;
 	int ret = MAP_CONTINUE;
 
-	if (bkey_cmp(k, refill->end) >= 0) {
+	if (bkey_cmp(k, refill->end) > 0) {
 		ret = MAP_DONE;
 		goto out;
 	}
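
Review bot: with `>` the key equal to refill->end is now added to the keybuf, so refill->end becomes an inclusive bound. Say so in a comment at this test or at the definition of the field, and check that the callers which set refill->end do not rely on the old exclusive behaviour.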



* [PATCH 3.16 198/305] netfilter: nf_tables: fix oob access
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 235/305] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 279/305] tracing: Fix memory leak of instance function hash filters Ben Hutchings
                   ` (254 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Florian Westphal, Pablo Neira Ayuso

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 3e38df136e453aa69eb4472108ebce2fb00b1ba6 upstream.

BUG: KASAN: slab-out-of-bounds in nf_tables_rule_destroy+0xf1/0x130 at addr ffff88006a4c35c8
Read of size 8 by task nft/1607

When we've destroyed last valid expr, nft_expr_next() returns an invalid expr.
We must not dereference it unless it passes != nft_expr_last() check.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1689,7 +1689,7 @@ static void nf_tables_rule_destroy(const
 	 * is called on error from nf_tables_newrule().
 	 */
 	expr = nft_expr_first(rule);
-	while (expr->ops && expr != nft_expr_last(rule)) {
+	while (expr != nft_expr_last(rule) && expr->ops) {
 		nf_tables_expr_destroy(ctx, expr);
 		expr = nft_expr_next(expr);
 	}
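
Review bot: the order of the two tests in the while condition is now what prevents the out-of-bounds read, since `expr->ops` must not be evaluated once expr equals nft_expr_last(rule). Extend the comment above the loop to say that, so the operands are not swapped back in a later cleanup.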



* [PATCH 3.16 233/305] USB: usb-storage: Add new IDs to ums-realtek
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (275 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 100/305] xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 087/305] jffs2: free jffs2_sb_info through jffs2_kill_sb() Ben Hutchings
                   ` (28 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alan Stern, Kai-Heng Feng, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit a84a1bcc992f0545a51d2e120b8ca2ef20e2ea97 upstream.

There are two new Realtek card readers that require ums-realtek to work
correctly.

Add the new IDs to support them.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/unusual_realtek.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/usb/storage/unusual_realtek.h
+++ b/drivers/usb/storage/unusual_realtek.h
@@ -38,4 +38,14 @@ UNUSUAL_DEV(0x0bda, 0x0159, 0x0000, 0x99
 		"USB Card Reader",
 		USB_SC_DEVICE, USB_PR_DEVICE, init_realtek_cr, 0),
 
+UNUSUAL_DEV(0x0bda, 0x0177, 0x0000, 0x9999,
+		"Realtek",
+		"USB Card Reader",
+		USB_SC_DEVICE, USB_PR_DEVICE, init_realtek_cr, 0),
+
+UNUSUAL_DEV(0x0bda, 0x0184, 0x0000, 0x9999,
+		"Realtek",
+		"USB Card Reader",
+		USB_SC_DEVICE, USB_PR_DEVICE, init_realtek_cr, 0),
+
 #endif  /* defined(CONFIG_USB_STORAGE_REALTEK) || ... */



* [PATCH 3.16 287/305] mmc: omap_hsmmc: fix DMA API warning
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 103/305] clk: s2mps11: Add used attribute to s2mps11_dt_match Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 195/305] Input: matrix_keypad - check for errors from of_get_named_gpio() Ben Hutchings
                   ` (57 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Russell King, Ulf Hansson

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 0b479790684192ab7024ce6a621f93f6d0a64d92 upstream.

While booting with rootfs on MMC, the following warning is encountered
on OMAP4430:

omap-dma-engine 4a056000.dma-controller: DMA-API: mapping sg segment longer than device claims to support [len=69632] [max=65536]

This is because the DMA engine has a default maximum segment size of 64K
but HSMMC sets:

        mmc->max_blk_size = 512;       /* Block Length at max can be 1024 */
        mmc->max_blk_count = 0xFFFF;    /* No. of Blocks is 16 bits */
        mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count;
        mmc->max_seg_size = mmc->max_req_size;

which ends up telling the block layer that we support a maximum segment
size of 65535*512, which exceeds the advertised DMA engine capabilities.

Fix this by clamping the maximum segment size to the lower of the
maximum request size and of the DMA engine device used for either DMA
channel.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/omap_hsmmc.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/omap_hsmmc.c
+++ b/drivers/mmc/host/omap_hsmmc.c
@@ -1964,7 +1964,6 @@ static int omap_hsmmc_probe(struct platf
 	mmc->max_blk_size = 512;       /* Block Length at max can be 1024 */
 	mmc->max_blk_count = 0xFFFF;    /* No. of Blocks is 16 bits */
 	mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count;
-	mmc->max_seg_size = mmc->max_req_size;
 
 	mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED |
 		     MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE;
@@ -2021,6 +2020,17 @@ static int omap_hsmmc_probe(struct platf
 		goto err_irq;
 	}
 
+	/*
+	 * Limit the maximum segment size to the lower of the request size
+	 * and the DMA engine device segment size limits.  In reality, with
+	 * 32-bit transfers, the DMA engine can do longer segments than this
+	 * but there is no way to represent that in the DMA model - if we
+	 * increase this figure here, we get warnings from the DMA API debug.
+	 */
+	mmc->max_seg_size = min3(mmc->max_req_size,
+			dma_get_max_seg_size(host->rx_chan->device->dev),
+			dma_get_max_seg_size(host->tx_chan->device->dev));
+
 	/* Request IRQ for MMC operations */
 	ret = devm_request_irq(&pdev->dev, host->irq, omap_hsmmc_irq, 0,
 			mmc_hostname(mmc), host);
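Review bot: the new min3() dereferences host->rx_chan->device->dev and host->tx_chan->device->dev unconditionally, so it relies on both DMA channel requests having succeeded earlier in probe; the only guard visible in this context is the single `goto err_irq` just above the insertion. It is worth confirming against the 3.16 probe path that neither pointer can be NULL at this point. The comment also admits that the engine can handle longer segments than it advertises, so the clamp shortens segments only to satisfy DMA API debug; a sentence on whether throughput was checked would help stable reviewers.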


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 175/305] can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 120/305] net: sched: gred: pass the right attribute to gred_change_table_def() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 049/305] iio: adc: at91: fix wrong channel number in triggered buffer mode Ben Hutchings
                   ` (261 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Marc Kleine-Budde

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream.

This patch factors out all non sending parts of can_get_echo_skb() into
a separate function __can_get_echo_skb(), so that it can be re-used in
an upcoming patch.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c   | 36 +++++++++++++++++++++++++-----------
 include/linux/can/dev.h |  1 +
 2 files changed, 26 insertions(+), 11 deletions(-)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -422,14 +422,7 @@ void can_put_echo_skb(struct sk_buff *sk
 }
 EXPORT_SYMBOL_GPL(can_put_echo_skb);
 
-/*
- * Get the skb from the stack and loop it back locally
- *
- * The function is typically called when the TX done interrupt
- * is handled in the device driver. The driver must protect
- * access to priv->echo_skb, if necessary.
- */
-unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
+struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
 {
 	struct can_priv *priv = netdev_priv(dev);
 
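Review bot: __can_get_echo_skb() is introduced here with no comment of its own, because the block comment that used to sit at this spot is removed and reattached to can_get_echo_skb() in the next hunk. The helper is non-static and gets a prototype in include/linux/can/dev.h, so it should document its contract: that it removes the skb from priv->echo_skb[idx] without calling netif_rx(), and that the caller owns the returned skb. It also has no EXPORT_SYMBOL_GPL line while can_get_echo_skb() keeps one, so confirm that the upcoming user is built into the same module.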
@@ -440,13 +433,34 @@ unsigned int can_get_echo_skb(struct net
 		struct can_frame *cf = (struct can_frame *)skb->data;
 		u8 dlc = cf->can_dlc;
 
-		netif_rx(priv->echo_skb[idx]);
+		*len_ptr = dlc;
 		priv->echo_skb[idx] = NULL;
 
-		return dlc;
+		return skb;
 	}
 
-	return 0;
+	return NULL;
+}
+
+/*
+ * Get the skb from the stack and loop it back locally
+ *
+ * The function is typically called when the TX done interrupt
+ * is handled in the device driver. The driver must protect
+ * access to priv->echo_skb, if necessary.
+ */
+unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
+{
+	struct sk_buff *skb;
+	u8 len;
+
+	skb = __can_get_echo_skb(dev, idx, &len);
+	if (!skb)
+		return 0;
+
+	netif_rx(skb);
+
+	return len;
 }
 EXPORT_SYMBOL_GPL(can_get_echo_skb);
 
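Review bot: *len_ptr is written only on the success path; when the helper returns NULL the caller's variable is left untouched. can_get_echo_skb() copes by testing skb before it reads len, but `u8 len;` is uninitialized, so a future caller that skips the check would read garbage. Either store 0 through len_ptr before `return NULL;` or state in a comment that the length is valid only for a non-NULL return.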
--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -127,6 +127,7 @@ void can_change_state(struct net_device
 
 void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
 		      unsigned int idx);
+struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr);
 unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx);
 void can_free_echo_skb(struct net_device *dev, unsigned int idx);
 


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 048/305] iio: adc: at91: fix acking DRDY irq on simple conversions
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (139 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 085/305] hwmon: (pmbus) Fix page count auto-detection Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 148/305] ext4: fix possible inode leak in the retry loop of ext4_resize_fs() Ben Hutchings
                   ` (164 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Cameron, Maxime Ripard,
	Ludovic Desroches, Eugen Hristev

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eugen Hristev <eugen.hristev@microchip.com>

commit bc1b45326223e7e890053cf6266357adfa61942d upstream.

When doing simple conversions, the driver did not acknowledge the DRDY irq.
If this irq status is not acked, it will be left pending, and as soon as a
trigger is enabled, the irq handler will be called, it doesn't know why
this status has occurred because no channel is pending, and then it will go
into an irq loop and board will hang.
To avoid this situation, read the LCDR after a raw conversion is done.

Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/at91_adc.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -276,6 +276,8 @@ void handle_adc_eoc_trigger(int irq, str
 		iio_trigger_poll(idev->trig, iio_get_time_ns());
 	} else {
 		st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
+		/* Needed to ACK the DRDY interruption */
+		at91_adc_readl(st, AT91_ADC_LCDR);
 		st->done = true;
 		wake_up_interruptible(&st->wq_data_avail);
 	}
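Review bot: the added at91_adc_readl(st, AT91_ADC_LCDR) discards its result, and the comment states only the effect, not that the read itself is what acknowledges DRDY. Saying so explicitly (the commit message does) would stop the call from being removed later as a dead read. "interruption" in the comment should read "interrupt".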


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 201/305] Btrfs: ensure path name is null terminated at btrfs_control_ioctl
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (141 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 148/305] ext4: fix possible inode leak in the retry loop of ext4_resize_fs() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 273/305] bnx2fc: fix an error code in _bnx2fc_create() Ben Hutchings
                   ` (162 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Filipe Manana, Anand Jain, David Sterba

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit f505754fd6599230371cb01b9332754ddc104be1 upstream.

We were using the path name received from user space without checking that
it is null terminated. While btrfs-progs is well behaved and does proper
validation and null termination, someone could call the ioctl and pass
a non-null terminated path, leading to buffer overrun problems in the
kernel.  The ioctl is protected by CAP_SYS_ADMIN.

So just set the last byte of the path to a null character, similar to what
we do in other ioctls (add/remove/resize device, snapshot creation, etc).

Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/super.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1771,6 +1771,7 @@ static long btrfs_control_ioctl(struct f
 	vol = memdup_user((void __user *)arg, sizeof(*vol));
 	if (IS_ERR(vol))
 		return PTR_ERR(vol);
+	vol->name[BTRFS_PATH_NAME_MAX] = '\0';
 
 	switch (cmd) {
 	case BTRFS_IOC_SCAN_DEV:
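Review bot: the store to vol->name[BTRFS_PATH_NAME_MAX] is in bounds only if name is declared with BTRFS_PATH_NAME_MAX + 1 elements, and that declaration is not visible in this hunk, so it should be checked in the 3.16 headers before this is applied. An unterminated name is silently truncated rather than rejected, which matches what the commit message says the other ioctls do, but it means a malformed request still proceeds into the switch.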


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 261/305] staging: rtl8712: Fix possible buffer overrun
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 209/305] hwmon: (w83795) temp4_type has writable permission Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 265/305] mac80211: ignore NullFunc frames in the duplicate detection Ben Hutchings
                   ` (230 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Young Xiao, Dan Carpenter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Young Xiao <YangX92@hotmail.com>

commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream.

In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
overrun") we fix a potential off by one by making the limit smaller.
The better fix is to make the buffer larger.  This makes it match up
with the similar code in other drivers.

Fixes: 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun")
Signed-off-by: Young Xiao <YangX92@hotmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rtl8712/mlme_linux.c   | 2 +-
 drivers/staging/rtl8712/rtl871x_mlme.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/rtl8712/mlme_linux.c
+++ b/drivers/staging/rtl8712/mlme_linux.c
@@ -153,7 +153,7 @@ void r8712_report_sec_ie(struct _adapter
 		p = buff;
 		p += sprintf(p, "ASSOCINFO(ReqIEs=");
 		len = sec_ie[1] + 2;
-		len =  (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;
+		len =  (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
 		for (i = 0; i < len; i++)
 			p += sprintf(p, "%02x", sec_ie[i]);
 		p += sprintf(p, ")");
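Review bot: raising the clamp to IW_CUSTOM_MAX lets the loop emit two hex characters per input byte for up to IW_CUSTOM_MAX bytes, on top of the "ASSOCINFO(ReqIEs=" prefix and the closing ")", all through unbounded sprintf() into buff. The size of buff is not shown in this hunk; unless it is at least 2 * IW_CUSTOM_MAX plus the fixed text, the write side can overrun even though the read side now fits. The loop bound should be derived from the remaining space in the output buffer, not only from the size of the source array.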
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1373,7 +1373,7 @@ sint r8712_restruct_sec_ie(struct _adapt
 		     u8 *out_ie, uint in_len)
 {
 	u8 authmode = 0, securitytype, match;
-	u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
+	u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
 	u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
 	uint ielength, cnt, remove_cnt;
 	int iEntry;
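Review bot: only sec_ie grows to IW_CUSTOM_MAX; bkup_ie on the same declaration line stays at a literal 255. If bkup_ie can receive the same element (the other file computes `len = sec_ie[1] + 2`, so one length byte allows more than 255 bytes in total), it needs the same treatment. If it cannot, a short comment explaining why the two sizes differ would keep a later cleanup from making them equal again in the wrong direction.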


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 121/305] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 056/305] VMCI: Resource wildcard match fixed Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 026/305] signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init Ben Hutchings
                   ` (272 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Alex Stanoev

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Stanoev <alex@astanoev.com>

commit ac237c28d5ac1b241d58b1b7b4b9fa10efb22fb5 upstream.

The Creative Audigy SE (SB0570) card currently exhibits an audible pop
whenever playback is stopped or resumed, or during silent periods of an
audio stream. Initialise the IZD bit to 0 to eliminate these pops.

The Infinite Zero Detection (IZD) feature on the DAC causes the output
to be shunted to Vcap after 2048 samples of silence. This discharges the
AC coupling capacitor through the output and causes the aforementioned
pop/click noise.

The behaviour of the IZD bit is described on page 15 of the WM8768GEDS
datasheet: "With IZD=1, applying MUTE for 1024 consecutive input samples
will cause all outputs to be connected directly to VCAP. This also
happens if 2048 consecutive zero input samples are applied to all 6
channels, and IZD=0. It will be removed as soon as any channel receives
a non-zero input". I believe the second sentence might be referring to
IZD=1 instead of IZD=0 given the observed behaviour of the card.

This change should make the DAC initialisation consistent with
Creative's Windows driver, as this popping persists when initialising
the card in Linux and soft rebooting into Windows, but is not present on
a cold boot to Windows.

Signed-off-by: Alex Stanoev <alex@astanoev.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/ca0106/ca0106.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/ca0106/ca0106.h
+++ b/sound/pci/ca0106/ca0106.h
@@ -582,7 +582,7 @@
 #define SPI_PL_BIT_R_R		(2<<7)	/* right channel = right */
 #define SPI_PL_BIT_R_C		(3<<7)	/* right channel = (L+R)/2 */
 #define SPI_IZD_REG		2
-#define SPI_IZD_BIT		(1<<4)	/* infinite zero detect */
+#define SPI_IZD_BIT		(0<<4)	/* infinite zero detect */
 
 #define SPI_FMT_REG		3
 #define SPI_FMT_BIT_RJ		(0<<0)	/* right justified mode */
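Review bot: defining SPI_IZD_BIT as (0<<4) turns the macro into the constant 0, so it no longer names bit 4 and any code that ORs it in, tests it or masks with it becomes a no-op. The value style matches neighbours such as SPI_FMT_BIT_RJ (0<<0), but the unchanged comment "infinite zero detect" now hides the fact that the feature is being disabled. Keeping the bit definition and dropping it from the initialisation value would be clearer; failing that, the comment should say the feature is off and why.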


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 238/305] xtensa: fix coprocessor context offset definitions
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 224/305] btrfs: relocation: set trans to be NULL after ending transaction Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 077/305] ext4: fix use-after-free race in ext4_remount()'s error path Ben Hutchings
                   ` (194 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 03bc996af0cc71c7f30c384d8ce7260172423b34 upstream.

Coprocessor context offsets are used by the assembly code that moves
coprocessor context between the individual fields of the
thread_info::xtregs_cp structure and coprocessor registers.
This fixes coprocessor context clobbering on flushing and reloading
during normal user code execution and user process debugging in the
presence of more than one coprocessor in the core configuration.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/kernel/asm-offsets.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/arch/xtensa/kernel/asm-offsets.c
+++ b/arch/xtensa/kernel/asm-offsets.c
@@ -82,14 +82,14 @@ int main(void)
 	DEFINE(THREAD_SP, offsetof (struct task_struct, thread.sp));
 	DEFINE(THREAD_CPENABLE, offsetof (struct thread_info, cpenable));
 #if XTENSA_HAVE_COPROCESSORS
-	DEFINE(THREAD_XTREGS_CP0, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP1, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP2, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP3, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP4, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP5, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP6, offsetof (struct thread_info, xtregs_cp));
-	DEFINE(THREAD_XTREGS_CP7, offsetof (struct thread_info, xtregs_cp));
+	DEFINE(THREAD_XTREGS_CP0, offsetof(struct thread_info, xtregs_cp.cp0));
+	DEFINE(THREAD_XTREGS_CP1, offsetof(struct thread_info, xtregs_cp.cp1));
+	DEFINE(THREAD_XTREGS_CP2, offsetof(struct thread_info, xtregs_cp.cp2));
+	DEFINE(THREAD_XTREGS_CP3, offsetof(struct thread_info, xtregs_cp.cp3));
+	DEFINE(THREAD_XTREGS_CP4, offsetof(struct thread_info, xtregs_cp.cp4));
+	DEFINE(THREAD_XTREGS_CP5, offsetof(struct thread_info, xtregs_cp.cp5));
+	DEFINE(THREAD_XTREGS_CP6, offsetof(struct thread_info, xtregs_cp.cp6));
+	DEFINE(THREAD_XTREGS_CP7, offsetof(struct thread_info, xtregs_cp.cp7));
 #endif
 	DEFINE(THREAD_XTREGS_USER, offsetof (struct thread_info, xtregs_user));
 	DEFINE(XTREGS_USER_SIZE, sizeof(xtregs_user_t));


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 119/305] hugetlbfs: dirty pages as they are added to pagecache
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (263 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 146/305] Btrfs: fix data corruption due to cloning of eof block Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 203/305] l2tp: fix a sock refcnt leak in l2tp_tunnel_register Ben Hutchings
                   ` (40 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mihcla Hocko, Kirill A . Shutemov,
	Linus Torvalds, Andrea Arcangeli, Hugh Dickins, Davidlohr Bueso,
	Alexander Viro, Aneesh Kumar K . V, Mike Kravetz,
	Naoya Horiguchi, Khalid Aziz

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 22146c3ce98962436e401f7b7016a6f664c9ffb5 upstream.

Some test systems were experiencing negative huge page reserve counts and
incorrect file block counts.  This was traced to /proc/sys/vm/drop_caches
removing clean pages from hugetlbfs file pagecaches.  When non-hugetlbfs
explicit code removes the pages, the appropriate accounting is not
performed.

This can be recreated as follows:
 fallocate -l 2M /dev/hugepages/foo
 echo 1 > /proc/sys/vm/drop_caches
 fallocate -l 2M /dev/hugepages/foo
 grep -i huge /proc/meminfo
   AnonHugePages:         0 kB
   ShmemHugePages:        0 kB
   HugePages_Total:    2048
   HugePages_Free:     2047
   HugePages_Rsvd:    18446744073709551615
   HugePages_Surp:        0
   Hugepagesize:       2048 kB
   Hugetlb:         4194304 kB
 ls -lsh /dev/hugepages/foo
   4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo

To address this issue, dirty pages as they are added to pagecache.  This
can easily be reproduced with fallocate as shown above.  Read faulted
pages will eventually end up being marked dirty.  But there is a window
where they are clean and could be impacted by code such as drop_caches.
So, just dirty them all as they are added to the pagecache.

Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com
Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Mihcla Hocko <mhocko@suse.com>
Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3085,6 +3085,12 @@ retry:
 			}
 			ClearPagePrivate(page);
 
+			/*
+			 * set page dirty so that it will not be removed from
+			 * cache/file by non-hugetlbfs specific code paths.
+			 */
+			set_page_dirty(page);
+
 			spin_lock(&inode->i_lock);
 			inode->i_blocks += blocks_per_huge_page(h);
 			spin_unlock(&inode->i_lock);
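Review bot: the new comment refers to "non-hugetlbfs specific code paths" without naming one, while the commit message identifies /proc/sys/vm/drop_caches as the trigger. Naming drop_caches in the comment would make the reason for the unconditional set_page_dirty(page) discoverable from the code alone. The comment should also start with a capital letter to match the surrounding style.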


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 104/305] xen-swiotlb: use actually allocated size on check physical continuous
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 279/305] tracing: Fix memory leak of instance function hash filters Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 118/305] ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Ben Hutchings
                   ` (252 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Boris Ostrovsky, Christoph Helwig, Joe Jin,
	Konrad Rzeszutek Wilk, Dongli Zhang, John Sobecki

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Jin <joe.jin@oracle.com>

commit 7250f422da0480d8512b756640f131b9b893ccda upstream.

xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
order of the pages and not size argument (bytes). This is inconsistent with
range_straddles_page_boundary and memset which use the 'size' value,
which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
returned true). And then the call to xen_swiotlb_free_coherent() would
actually try to exchange the memory with Xen, leading to the kernel
hitting a BUG (as the hypercall returned an error).

This patch fixes it by making the 'size' variable be of the same size
as the amount of memory allocated.

Signed-off-by: Joe Jin <joe.jin@oracle.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Christoph Helwig <hch@lst.de>
Cc: Dongli Zhang <dongli.zhang@oracle.com>
Cc: John Sobecki <john.sobecki@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
[bwh: Backported to 3.16:
 - Use PAGE_SHIFT instead of XEN_PAGE_SHIFT
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/swiotlb-xen.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -311,6 +311,9 @@ xen_swiotlb_alloc_coherent(struct device
 	*/
 	flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
 
+	/* Convert the size to actually allocated. */
+	size = 1UL << (order + PAGE_SHIFT);
+
 	if (dma_alloc_from_coherent(hwdev, size, dma_handle, &ret))
 		return ret;
 
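Review bot: overwriting the size parameter before dma_alloc_from_coherent() means that call now requests the rounded-up 1UL << (order + PAGE_SHIFT) bytes instead of what the caller asked for. The commit message motivates the change only for range_straddles_page_boundary() and memset; if the per-device coherent pool should still see the original size, the assignment belongs below that call.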
@@ -366,6 +369,9 @@ xen_swiotlb_free_coherent(struct device
 	 * physical address */
 	phys = xen_bus_to_phys(dev_addr);
 
+	/* Convert the size to actually allocated. */
+	size = 1UL << (order + PAGE_SHIFT);
+
 	if (((dev_addr + size - 1 <= dma_mask)) ||
 	    range_straddles_page_boundary(phys, size))
 		xen_destroy_contiguous_region(phys, order);
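Review bot: the conversion and its comment are duplicated from the alloc path, and the two must stay identical for the free path to reach the same exchange decision as the allocation did. A small shared helper or macro would keep them from drifting apart. The comment "Convert the size to actually allocated." is missing a noun; "to the size actually allocated" reads correctly.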


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 237/305] xtensa: enable coprocessors that are being flushed
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (213 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 297/305] net: macb: fix dropped RX frames due to a race Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 229/305] ALSA: sparc: Fix invalid snd_free_pages() at error path Ben Hutchings
                   ` (90 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 2958b66694e018c552be0b60521fec27e8d12988 upstream.

coprocessor_flush_all may be called from a context of a thread that is
different from the thread being flushed. In that case contents of the
cpenable special register may not match ti->cpenable of the target
thread, resulting in unhandled coprocessor exception in the kernel
context.
Set cpenable special register to the ti->cpenable of the target register
for the duration of the flush and restore it afterwards.
This fixes the following crash caused by coprocessor register inspection
in native gdb:

  (gdb) p/x $w0
  Illegal instruction in kernel: sig: 9 [#1] PREEMPT
  Call Trace:
    ___might_sleep+0x184/0x1a4
    __might_sleep+0x41/0xac
    exit_signals+0x14/0x218
    do_exit+0xc9/0x8b8
    die+0x99/0xa0
    do_illegal_instruction+0x18/0x6c
    common_exception+0x77/0x77
    coprocessor_flush+0x16/0x3c
    arch_ptrace+0x46c/0x674
    sys_ptrace+0x2ce/0x3b4
    system_call+0x54/0x80
    common_exception+0x77/0x77
  note: gdb[100] exited with preempt_count 1
  Killed

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/kernel/process.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/xtensa/kernel/process.c
+++ b/arch/xtensa/kernel/process.c
@@ -83,18 +83,21 @@ void coprocessor_release_all(struct thre
 
 void coprocessor_flush_all(struct thread_info *ti)
 {
-	unsigned long cpenable;
+	unsigned long cpenable, old_cpenable;
 	int i;
 
 	preempt_disable();
 
+	RSR_CPENABLE(old_cpenable);
 	cpenable = ti->cpenable;
+	WSR_CPENABLE(cpenable);
 
 	for (i = 0; i < XCHAL_CP_MAX; i++) {
 		if ((cpenable & 1) != 0 && coprocessor_owner[i] == ti)
 			coprocessor_flush(ti, i);
 		cpenable >>= 1;
 	}
+	WSR_CPENABLE(old_cpenable);
 
 	preempt_enable();
 }
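Review bot: the function now temporarily rewrites the CPENABLE special register, but nothing in the code says why; the explanation (the caller may be a thread other than ti, as in the ptrace trace quoted above) exists only in the commit message. A one-line comment above RSR_CPENABLE(old_cpenable) would carry that into the source. A blank line before WSR_CPENABLE(old_cpenable) would also match the spacing used around the save.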


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 065/305] printk: Fix panic caused by passing log_buf_len to command line
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (269 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 153/305] USB: quirks: Add no-lpm quirk for Raydium touchscreens Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 174/305] can: raw: check for CAN FD capable netdev in raw_sendmsg() Ben Hutchings
                   ` (34 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sergey Senozhatsky, He Zhe, Petr Mladek, rostedt

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: He Zhe <zhe.he@windriver.com>

commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream.

log_buf_len_setup does not check input argument before passing it to
simple_strtoull. The argument would be a NULL pointer if "log_buf_len",
without its value, is set in command line and thus causes the following
panic.

PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1
[    0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70
...
[    0.000000] Call Trace:
[    0.000000]  simple_strtoull+0x29/0x70
[    0.000000]  memparse+0x26/0x90
[    0.000000]  log_buf_len_setup+0x17/0x22
[    0.000000]  do_early_param+0x57/0x8e
[    0.000000]  parse_args+0x208/0x320
[    0.000000]  ? rdinit_setup+0x30/0x30
[    0.000000]  parse_early_options+0x29/0x2d
[    0.000000]  ? rdinit_setup+0x30/0x30
[    0.000000]  parse_early_param+0x36/0x4d
[    0.000000]  setup_arch+0x336/0x99e
[    0.000000]  start_kernel+0x6f/0x4ee
[    0.000000]  x86_64_start_reservations+0x24/0x26
[    0.000000]  x86_64_start_kernel+0x6f/0x72
[    0.000000]  secondary_startup_64+0xa4/0xb0

This patch adds a check to prevent the panic.

Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com
Cc: rostedt@goodmis.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: He Zhe <zhe.he@windriver.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/printk/printk.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -837,7 +837,12 @@ static unsigned long __initdata new_log_
 /* save requested log_buf_len since it's too early to process it */
 static int __init log_buf_len_setup(char *str)
 {
-	unsigned size = memparse(str, &str);
+	unsigned int size;
+
+	if (!str)
+		return -EINVAL;
+
+	size = memparse(str, &str);
 
 	if (size)
 		size = roundup_pow_of_two(size);
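Review bot: size is declared unsigned int, but memparse() returns unsigned long long, so `size = memparse(str, &str);` truncates; a request such as 4G becomes 0 and is then dropped silently by `if (size)`. The removed line had the same narrow type, so this is not a regression, but since the declaration is being rewritten here it is the natural place to parse into a wider variable and reject out-of-range values. The new NULL path also returns -EINVAL without telling the user that log_buf_len was given with no value.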


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 160/305] mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 172/305] ALSA: oss: Use kvzalloc() for local buffer allocations Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 194/305] libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD Ben Hutchings
                   ` (184 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Calmels, Eric W. Biederman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit df7342b240185d58d3d9665c0bbf0a0f5570ec29 upstream.

Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow an unprivileged user to see a path which
was purposefully hidden by the root user.

Reproducer:
  # Hide a path to all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
  root@castiana:~#

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/device as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
  LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
  tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual

Solve this by teaching copy_tree to fail if a mount turns out to be
both unbindable and locked.

Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1574,8 +1574,14 @@ struct mount *copy_tree(struct mount *mn
 			struct mount *t = NULL;
 			if (!(flag & CL_COPY_UNBINDABLE) &&
 			    IS_MNT_UNBINDABLE(s)) {
-				s = skip_mnt_tree(s);
-				continue;
+				if (s->mnt.mnt_flags & MNT_LOCKED) {
+					/* Both unbindable and locked. */
+					q = ERR_PTR(-EPERM);
+					goto out;
+				} else {
+					s = skip_mnt_tree(s);
+					continue;
+				}
 			}
 			if (!(flag & CL_COPY_MNT_NS_FILE) &&
 			    is_mnt_ns_file(s->mnt.mnt_root)) {
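Review bot: the new `goto out;` leaves the copy loop partway through, and the out label is not visible in this hunk, so it needs confirming that it tears down the partially built tree before ERR_PTR(-EPERM) is returned; otherwise mounts copied before s was reached are leaked. As a style point, the `else` after `goto out;` is redundant because the locked branch never falls through. Dropping it would leave `s = skip_mnt_tree(s);` and `continue;` at their original indentation and shrink the diff.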


* [PATCH 3.16 246/305] ALSA: hda: Add support for AMD Stoney Ridge
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kai-Heng Feng, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 3deef52ce10514ccdebba8e8ab85f9cebd0eb3f7 upstream.

It's similar to other AMD audio devices, it also supports D3, which can
save some power drain.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_intel.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1914,6 +1914,10 @@ static const struct pci_device_id azx_id
 	/* AMD Hudson */
 	{ PCI_DEVICE(0x1022, 0x780d),
 	  .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+	/* AMD Stoney */
+	{ PCI_DEVICE(0x1022, 0x157a),
+	  .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
+			 AZX_DCAPS_PM_RUNTIME },
 	/* AMD Raven */
 	{ PCI_DEVICE(0x1022, 0x15e3),
 	  .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
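
Review bot: the new Stoney entry is the only one of the three AMD entries
visible here that sets AZX_DCAPS_PM_RUNTIME; the Hudson and Raven entries
around it carry only AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB. The commit
message calls Stoney "similar to other AMD audio devices", so a short comment
on why runtime PM is enabled for 0x157a but not for its neighbours would help
whoever adds the next ID.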


* [PATCH 3.16 101/305] ACPICA: AML interpreter: add region addresses in global list during initialization
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Erik Schmauss, Rafael J. Wysocki, Jean-Marc Lenoir

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erik Schmauss <erik.schmauss@intel.com>

commit 4abb951b73ff0a8a979113ef185651aa3c8da19b upstream.

The table load process omitted adding the operation region address
range to the global list. This omission is problematic because the OS
queries the global list to check for address range conflicts before
deciding which drivers to load. This commit may result in warning
messages that look like the following:

[    7.871761] ACPI Warning: system_IO range 0x00000428-0x0000042F conflicts with op_region 0x00000400-0x0000047F (\PMIO) (20180531/utaddress-213)
[    7.871769] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver

However, these messages do not signify regressions. It is a result of
properly adding address ranges within the global address list.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=200011
Tested-by: Jean-Marc Lenoir <archlinux@jihemel.com>
Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/acpica/dsopcode.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/acpi/acpica/dsopcode.c
+++ b/drivers/acpi/acpica/dsopcode.c
@@ -449,6 +449,10 @@ acpi_ds_eval_region_operands(struct acpi
 			  ACPI_FORMAT_UINT64(obj_desc->region.address),
 			  obj_desc->region.length));
 
+	status = acpi_ut_add_address_range(obj_desc->region.space_id,
+					   obj_desc->region.address,
+					   obj_desc->region.length, node);
+
 	/* Now the address and length are valid for this opregion */
 
 	obj_desc->region.flags |= AOPOBJ_DATA_VALID;
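
Review bot: status from acpi_ut_add_address_range() is assigned but not
checked anywhere in this hunk, and the next statement sets AOPOBJ_DATA_VALID
regardless. If a failure to record the range is meant to be non-fatal, say so
in a comment; otherwise test it with ACPI_FAILURE(status) before marking the
region valid. The added call also has no comment, unlike the statement that
follows it.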


* [PATCH 3.16 276/305] USB: serial: option: add HP lt4132
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Tore Anderson, Johan Hovold

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tore Anderson <tore@fud.no>

commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream.

The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem.

The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf
files included with the Windows driver. Attaching the option driver to it
doesn't result in a /dev/ttyUSB* device being created, so I've excluded it.
Note that it is also excluded for corresponding Huawei-branded devices, cf.
commit d544db293a44 ("USB: support new huawei devices in option.c").

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs=  3
P:  Vendor=03f0 ProdID=a31d Rev=01.02
S:  Manufacturer=HP Inc.
S:  Product=HP lt4132 LTE/HSPA+ 4G Module
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I:  If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I:  If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none)
I:  If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs=  3
P:  Vendor=03f0 ProdID=a31d Rev=01.02
S:  Manufacturer=HP Inc.
S:  Product=HP lt4132 LTE/HSPA+ 4G Module
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA
I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I:  If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I:  If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option

T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs=  3
P:  Vendor=03f0 ProdID=a31d Rev=01.02
S:  Manufacturer=HP Inc.
S:  Product=HP lt4132 LTE/HSPA+ 4G Module
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA
I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:  If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option

Signed-off-by: Tore Anderson <tore@fud.no>
[ johan: drop id defines ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2075,7 +2075,12 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
-	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) },	/* HP lt2523 (Novatel E371) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) },	/* HP lt4132 (Huawei ME906s-158) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
 	{ } /* Terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, option_ids);
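
Review bot: the new entries list protocols 0x10, 0x12, 0x13, 0x14 and 0x1b
for 03f0:a31d and silently skip 0x16; the reason (the "CDC ECM & NCM"
interface yields no /dev/ttyUSB* device) is only in the commit message. A
one-line comment above the new entries would stop someone from "completing"
the list later. Separately, the first -/+ pair only changes the whitespace
before the HP lt2523 comment, which adds noise to a stable backport.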


* [PATCH 3.16 049/305] iio: adc: at91: fix wrong channel number in triggered buffer mode
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ludovic Desroches, Eugen Hristev,
	Jonathan Cameron, Maxime Ripard

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eugen Hristev <eugen.hristev@microchip.com>

commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream.

When channels are registered, the hardware channel number is not the
actual iio channel number.
This is because the driver is probed with a certain number of accessible
channels. Some pins are routed and some not, depending on the description of
the board in the DT.
Because of that, channels 0,1,2,3 can correspond to hardware channels
2,3,4,5 for example.
In the buffered triggered case, we need to do the translation accordingly.
Fixed the channel number to stop reading the wrong channel.

Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/at91_adc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_hand
 	struct iio_poll_func *pf = p;
 	struct iio_dev *idev = pf->indio_dev;
 	struct at91_adc_state *st = iio_priv(idev);
+	struct iio_chan_spec const *chan;
 	int i, j = 0;
 
 	for (i = 0; i < idev->masklength; i++) {
 		if (!test_bit(i, idev->active_scan_mask))
 			continue;
-		st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
+		chan = idev->channels + i;
+		st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
 		j++;
 	}
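
Review bot: "chan = idev->channels + i" indexes the channel array with the
scan-mask bit number, and the loop is bounded by idev->masklength rather than
by the number of entries in idev->channels. That holds only if every scan
index below masklength has an array slot at the same position; a comment
stating that assumption, or a lookup that matches on the scan index, would
keep the read correct for a channel table where the two diverge.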
 


* [PATCH 3.16 115/305] thermal: rcar: Make error and remove paths symmetrical with init
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kuninori Morimoto, Geert Uytterhoeven,
	Eduardo Valentin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit ac71c7025ebc1ed25114b1be77dc60b7f8cb8544 upstream.

Swap interrupt disable and thermal zone unregistration in the error and
remove paths, to make them more symmetrical with the initialization
path.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/thermal/rcar_thermal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/thermal/rcar_thermal.c
+++ b/drivers/thermal/rcar_thermal.c
@@ -462,9 +462,9 @@ static int rcar_thermal_probe(struct pla
 
 error_unregister:
 	rcar_thermal_for_each_priv(priv, common) {
-		thermal_zone_device_unregister(priv->zone);
 		if (rcar_has_irq_support(priv))
 			rcar_thermal_irq_disable(priv);
+		thermal_zone_device_unregister(priv->zone);
 	}
 
 	pm_runtime_put(dev);
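
Review bot: the reason rcar_thermal_irq_disable() has to run before
thermal_zone_device_unregister() is not stated in the code, and the commit
message only calls the new order "more symmetrical". If the point is that an
interrupt must not be serviced for a zone that is already gone, a one-line
comment under error_unregister would keep the order from being swapped back.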
@@ -480,9 +480,9 @@ static int rcar_thermal_remove(struct pl
 	struct rcar_thermal_priv *priv;
 
 	rcar_thermal_for_each_priv(priv, common) {
-		thermal_zone_device_unregister(priv->zone);
 		if (rcar_has_irq_support(priv))
 			rcar_thermal_irq_disable(priv);
+		thermal_zone_device_unregister(priv->zone);
 	}
 
 	pm_runtime_put(dev);
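
Review bot: this loop body in rcar_thermal_remove() is now identical to the
one under error_unregister in rcar_thermal_probe(); a small shared helper
would keep the two teardown orders from drifting apart again.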


* [PATCH 3.16 227/305] team: no need to do team_notify_peers or team_mcast_rejoin when disabling port
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Hangbin Liu, Liang Li

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>

commit 5ed9dc99107144f83b6c1bb52a69b58875baf540 upstream.

team_notify_peers() will send ARP and NA to notify peers. team_mcast_rejoin()
will send multicast join group message to notify peers. We should do this when
enabling/changed to a new port. But it doesn't make sense to do it when a port
is disabled.

On the other hand, when we set mcast_rejoin_count to 2, and do a failover,
team_port_disable() will increase mcast_rejoin.count_pending to 2 and then
team_port_enable() will increase mcast_rejoin.count_pending to 4. We will send
4 mcast rejoin messages at latest, which will make user confused. The same
with notify_peers.count.

Fix it by deleting team_notify_peers() and team_mcast_rejoin() in
team_port_disable().

Reported-by: Liang Li <liali@redhat.com>
Fixes: fc423ff00df3a ("team: add peer notification")
Fixes: 492b200efdd20 ("team: add support for sending multicast rejoins")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/team/team.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -978,8 +978,6 @@ static void team_port_disable(struct tea
 	team->en_port_count--;
 	team_queue_override_port_del(team, port);
 	team_adjust_ops(team);
-	team_notify_peers(team);
-	team_mcast_rejoin(team);
 }
 
 #define TEAM_VLAN_FEATURES (NETIF_F_ALL_CSUM | NETIF_F_SG | \
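
Review bot: with both calls removed, team_port_disable() no longer notifies
peers at all, so the fix relies on team_port_enable() or a port change
running afterwards, which this hunk does not show. It is worth confirming the
case where a port is disabled and no other port is enabled in its place, and
leaving a short comment here that the notifications are intentionally sent
only on enable/change.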


* [PATCH 3.16 074/305] ima: fix showing large 'violations' or 'runtime_measurements_count'
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mimi Zohar, Eric Biggers

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream.

The 12 character temporary buffer is not necessarily long enough to hold
a 'long' value.  Increase it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/integrity/ima/ima_fs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -26,14 +26,14 @@
 #include "ima.h"
 
 static int valid_policy = 1;
-#define TMPBUFLEN 12
+
 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
 				     loff_t *ppos, atomic_long_t *val)
 {
-	char tmpbuf[TMPBUFLEN];
+	char tmpbuf[32];	/* greater than largest 'long' string value */
 	ssize_t len;
 
-	len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
+	len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
 	return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
 }
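
Review bot: tmpbuf[32] replaces the named TMPBUFLEN with a bare constant, and
the comment does not show where 32 comes from. A 64-bit long printed with
"%li\n" needs at most 22 bytes (sign, 19 digits, newline, NUL), which is
worth stating next to the array. The switch to sizeof(tmpbuf) in the
scnprintf() call is good, since the bound now follows the array. Because both
the old and the new code bound the write with scnprintf(), the old 12-byte
buffer truncated the value shown to userspace rather than overflowing; the
commit message could say that.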
 


* [PATCH 3.16 300/305] vxge: ensure data0 is initialized in when fetching firmware version information
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Colin Ian King, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit f7db2beb4c2c6cc8111f5ab90fc7363ca91107b6 upstream.

Currently variable data0 is not being initialized so a garbage value is
being passed to vxge_hw_vpath_fw_api and this value is being written to
the rts_access_steer_data0 register.  There are other occurrences where
data0 is being initialized to zero (e.g. in function
vxge_hw_upgrade_read_version) so I think it makes sense to ensure data0
is initialized likewise to 0.

Detected by CoverityScan, CID#140696 ("Uninitialized scalar variable")

Fixes: 8424e00dfd52 ("vxge: serialize access to steering control register")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/neterion/vxge/vxge-config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
@@ -808,7 +808,7 @@ __vxge_hw_vpath_fw_ver_get(struct __vxge
 	struct vxge_hw_device_date *fw_date = &hw_info->fw_date;
 	struct vxge_hw_device_version *flash_version = &hw_info->flash_version;
 	struct vxge_hw_device_date *flash_date = &hw_info->flash_date;
-	u64 data0, data1 = 0, steer_ctrl = 0;
+	u64 data0 = 0, data1 = 0, steer_ctrl = 0;
 	enum vxge_hw_status status;
 
 	status = vxge_hw_vpath_fw_api(vpath,
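
Review bot: "data0 = 0" closes the uninitialized read, but the choice of zero
rests on the analogy with vxge_hw_upgrade_read_version() given in the commit
message, not on what the rts_access_steer_data0 register expects for this
request. A comment next to the vxge_hw_vpath_fw_api() call stating what value
the firmware expects in data0 here would record that.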


* [PATCH 3.16 240/305] ext2: fix potential use after free
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jan Kara, Pan Bian

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit ecebf55d27a11538ea84aee0be643dd953f830d5 upstream.

The function ext2_xattr_set calls brelse(bh) to drop the reference count
of bh. After that, bh may be freed. However, following brelse(bh),
it reads bh->b_data via macro HDR(bh). This may result in a
use-after-free bug. This patch moves brelse(bh) after reading field.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext2/xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext2/xattr.c
+++ b/fs/ext2/xattr.c
@@ -606,9 +606,9 @@ skip_replace:
 	}
 
 cleanup:
-	brelse(bh);
 	if (!(bh && header == HDR(bh)))
 		kfree(header);
+	brelse(bh);
 	up_write(&EXT2_I(inode)->xattr_sem);
 
 	return error;
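
Review bot: the order under the cleanup label now matters (HDR(bh)
dereferences bh, so brelse(bh) has to come after the "header == HDR(bh)"
test), but nothing at the label says so. A one-line comment above the if
would keep a later tidy-up from moving brelse(bh) back to the top.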


* [PATCH 3.16 058/305] ext4: initialize retries variable in ext4_da_write_inline_data_begin()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lukas Czerner, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Czerner <lczerner@redhat.com>

commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream.

Variable retries is not initialized in ext4_da_write_inline_data_begin()
which can lead to nondeterministic number of retries in case we hit
ENOSPC. Initialize retries to zero as we do everywhere else.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -859,7 +859,7 @@ int ext4_da_write_inline_data_begin(stru
 	handle_t *handle;
 	struct page *page;
 	struct ext4_iloc iloc;
-	int retries;
+	int retries = 0;
 
 	ret = ext4_get_inode_loc(inode, &iloc);
 	if (ret)


* [PATCH 3.16 063/305] ALSA: usb-audio: update quirk for B&W PX to remove microphone
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Nicolas Huaman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Huaman <nicolas@herochao.de>

commit c369c8db15d51fa175d2ba85928f79d16af6b562 upstream.

A quirk in snd-usb-audio was added to automate setting sample rate to
4800k and remove the previously exposed nonfunctional microphone for
the Bowers & Wilkins PX:
commit 240a8af929c7c57dcde28682725b29cf8474e8e5
https://lore.kernel.org/patchwork/patch/919689/

However the headphones were updated shortly after that to remove the
unintentional microphone functionality. I guess because of this the
headphones now crash when connecting them via USB while the quirk is
active. Dmesg:

snd-usb-audio: probe of 2-3:1.0 failed with error -22
usb 2-3: 2:1: cannot get min/max values for control 2 (id 2)

This patch removes the microphone and allows the headphones to connect
and work out of the box. It is based on the current mainline kernel
and successfully applied and tested on my machine (4.18.10.arch1-1).

Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
Signed-off-by: Nicolas Huaman <nicolas@herochao.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/usb/quirks-table.h | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -3281,19 +3281,14 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
 				.ifnum = 0,
 				.type = QUIRK_AUDIO_STANDARD_MIXER,
 			},
-			/* Capture */
-			{
-				.ifnum = 1,
-				.type = QUIRK_IGNORE_INTERFACE,
-			},
 			/* Playback */
 			{
-				.ifnum = 2,
+				.ifnum = 1,
 				.type = QUIRK_AUDIO_FIXED_ENDPOINT,
 				.data = &(const struct audioformat) {
 					.formats = SNDRV_PCM_FMTBIT_S16_LE,
 					.channels = 2,
-					.iface = 2,
+					.iface = 1,
 					.altsetting = 1,
 					.altset_idx = 1,
 					.attributes = UAC_EP_CS_ATTR_FILL_MAX |
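
Review bot: the playback entry moves from ".ifnum = 2" / ".iface = 2" to 1
unconditionally, so the quirk now describes only the updated headphone
firmware. A unit that has not taken the update and still exposes the capture
interface at 1 would presumably match the same entry and get the fixed
endpoint applied to the wrong interface. If the two firmware revisions cannot
be told apart, the comment above the entry should at least say which
interface layout it assumes.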


* [PATCH 3.16 108/305] qlcnic: fix a return in qlcnic_dcb_get_capability()
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David S. Miller, Dan Carpenter

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit c94f026fb742b2d3199422751dbc4f6fc0e753d8 upstream.

These functions are supposed to return one on failure and zero on
success.  Returning a zero here could cause uninitialized variable
bugs in several of the callers.  For example:

    drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1660 get_iscsi_dcb_priority()
    error: uninitialized symbol 'caps'.

Fixes: 48365e485275 ("qlcnic: dcb: Add support for CEE Netlink interface.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c
@@ -883,7 +883,7 @@ static u8 qlcnic_dcb_get_capability(stru
 	struct qlcnic_adapter *adapter = netdev_priv(netdev);
 
 	if (!test_bit(QLCNIC_DCB_STATE, &adapter->dcb->state))
-		return 0;
+		return 1;
 
 	switch (capid) {
 	case DCB_CAP_ATTR_PG:
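
Review bot: returning 1 on the !test_bit(QLCNIC_DCB_STATE, ...) path reports
the failure, but the capability value the caller asked for is still left
unwritten on that path. The commit message cites callers that read it
uninitialized; zeroing the output before "return 1;" would also protect
callers that do not check the return value.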


* [PATCH 3.16 223/305] uprobes: Fix handle_swbp() vs. unregister() + register() race once more
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andrea Parri, Jiri Olsa,
	Arnaldo Carvalho de Melo, Oleg Nesterov, Vince Weaver,
	Namhyung Kim, Peter Zijlstra, Paul E. McKenney, Thomas Gleixner,
	Ingo Molnar, Linus Torvalds, Stephane Eranian,
	Alexander Shishkin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrea Parri <andrea.parri@amarulasolutions.com>

commit 09d3f015d1e1b4fee7e9bbdcf54201d239393391 upstream.

Commit:

  142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race")

added the UPROBE_COPY_INSN flag, and corresponding smp_wmb() and smp_rmb()
memory barriers, to ensure that handle_swbp() uses fully-initialized
uprobes only.

However, the smp_rmb() is mis-placed: this barrier should be placed
after handle_swbp() has tested for the flag, thus guaranteeing that
(program-order) subsequent loads from the uprobe can see the initial
stores performed by prepare_uprobe().

Move the smp_rmb() accordingly.  Also amend the comments associated
to the two memory barriers to indicate their actual locations.

Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race")
Link: http://lkml.kernel.org/r/20181122161031.15179-1-andrea.parri@amarulasolutions.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/events/uprobes.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -610,7 +610,7 @@ static int prepare_uprobe(struct uprobe
 	BUG_ON((uprobe->offset & ~PAGE_MASK) +
 			UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
 
-	smp_wmb(); /* pairs with rmb() in find_active_uprobe() */
+	smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
 	set_bit(UPROBE_COPY_INSN, &uprobe->flags);
 
  out:
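
Review bot: the updated comment on smp_wmb() names the pairing barrier but
not what is being ordered. For symmetry with the new comment in
handle_swbp(), it should say that the barrier orders the stores to
uprobe->arch before the set_bit(UPROBE_COPY_INSN, ...) that publishes them.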
@@ -1858,10 +1858,18 @@ static void handle_swbp(struct pt_regs *
 	 * After we hit the bp, _unregister + _register can install the
 	 * new and not-yet-analyzed uprobe at the same address, restart.
 	 */
-	smp_rmb(); /* pairs with wmb() in install_breakpoint() */
 	if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags)))
 		goto out;
 
+	/*
+	 * Pairs with the smp_wmb() in prepare_uprobe().
+	 *
+	 * Guarantees that if we see the UPROBE_COPY_INSN bit set, then
+	 * we must also see the stores to &uprobe->arch performed by the
+	 * prepare_uprobe() call.
+	 */
+	smp_rmb();
+
 	/* Tracing handlers use ->utask to communicate with fetch methods */
 	if (!get_utask())
 		goto out;
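Review bot: the new comment in handle_swbp() limits the guarantee to the stores to &uprobe->arch, while the commit message speaks of "the initial stores performed by prepare_uprobe()" in general. If prepare_uprobe() initialises anything else that is read after this point, the comment should name it or use the broader wording, so that the comment and the changelog describe the same guarantee.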



* [PATCH 3.16 248/305] dmaengine: at_hdmac: fix module unloading
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (298 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 112/305] smb3: allow stats which track session and share reconnects to be reset Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 143/305] xtensa: make sure bFLT stack is 16 byte aligned Ben Hutchings
                   ` (5 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Richard Genoud, Vinod Koul, Ludovic Desroches

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Genoud <richard.genoud@gmail.com>

commit 77e75fda94d2ebb86aa9d35fb1860f6395bf95de upstream.

of_dma_controller_free() was not called on module unloading.
This led to a soft lockup:
watchdog: BUG: soft lockup - CPU#0 stuck for 23s!
Modules linked in: at_hdmac [last unloaded: at_hdmac]
when of_dma_request_slave_channel() tried to call ofdma->of_dma_xlate().

Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding")
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/at_hdmac.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -1564,6 +1564,8 @@ static int at_dma_remove(struct platform
 	struct resource		*io;
 
 	at_dma_off(atdma);
+	if (pdev->dev.of_node)
+		of_dma_controller_free(pdev->dev.of_node);
 	dma_async_device_unregister(&atdma->dma_common);
 
 	dma_pool_destroy(atdma->dma_desc_pool);
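Review bot: in at_dma_remove() the new of_dma_controller_free() call comes after at_dma_off(atdma), so for a short window the controller is already switched off while its DT translation entry is still registered. Calling of_dma_controller_free() first, before at_dma_off(), would close that window; if the current order is deliberate, a one-line comment saying why would help.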



* [PATCH 3.16 158/305] ext4: fix buffer leak in __ext4_read_dirblock() on error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (286 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 115/305] thermal: rcar: Make error and remove paths symmetrical with init Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 294/305] kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs Ben Hutchings
                   ` (17 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vasily Averin, Theodore Ts'o

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vasily Averin <vvs@virtuozzo.com>

commit de59fae0043f07de5d25e02ca360f7d57bfa5866 upstream.

Fixes: dc6982ff4db1 ("ext4: refactor code to read directory blocks ...")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/namei.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -122,6 +122,7 @@ static struct buffer_head *__ext4_read_d
 	if (!is_dx_block && type == INDEX) {
 		ext4_error_inode(inode, __func__, line, block,
 		       "directory leaf block found instead of index block");
+		brelse(bh);
 		return ERR_PTR(-EIO);
 	}
 	if (!ext4_has_metadata_csum(inode->i_sb) ||
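Review bot: the commit message has no body, so nothing explains that bh is still held when __ext4_read_dirblock() hits the "directory leaf block found instead of index block" case and was previously leaked by the bare return ERR_PTR(-EIO). One sentence to that effect would make the backport easier to audit. A shared error label that does the brelse(bh) would also protect any error return added to this function later.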



* [PATCH 3.16 195/305] Input: matrix_keypad - check for errors from of_get_named_gpio()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 287/305] mmc: omap_hsmmc: fix DMA API warning Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 024/305] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided Ben Hutchings
                   ` (56 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sebastian Reichel, Dmitry Torokhov, Christian Hoff

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Hoff <christian_hoff@gmx.net>

commit d55bda1b3e7c5a87f10da54fdda866a9a9cef30b upstream.

"of_get_named_gpio()" returns a negative error value if it fails
and drivers should check for this. This missing check was now
added to the matrix_keypad driver.

In my case "of_get_named_gpio()" returned -EPROBE_DEFER because
the referenced GPIOs belong to an I/O expander, which was not yet
probed at the point in time when the matrix_keypad driver was
loading. Because the driver did not check for errors from the
"of_get_named_gpio()" routine, it was assuming that "-EPROBE_DEFER"
is actually a GPIO number and continued as usual, which led to further
errors like this later on:

WARNING: CPU: 3 PID: 167 at drivers/gpio/gpiolib.c:114
gpio_to_desc+0xc8/0xd0
invalid GPIO -517

Note that the "GPIO number" -517 in the error message above is
actually "-EPROBE_DEFER".

As part of the patch a misleading error message "no platform data defined"
was also removed. This does not lead to information loss because the other
error paths in matrix_keypad_parse_dt() already print an error.

Signed-off-by: Christian Hoff <christian_hoff@gmx.net>
Suggested-by: Sebastian Reichel <sre@kernel.org>
Reviewed-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/keyboard/matrix_keypad.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

--- a/drivers/input/keyboard/matrix_keypad.c
+++ b/drivers/input/keyboard/matrix_keypad.c
@@ -404,7 +404,7 @@ matrix_keypad_parse_dt(struct device *de
 	struct matrix_keypad_platform_data *pdata;
 	struct device_node *np = dev->of_node;
 	unsigned int *gpios;
-	int i, nrow, ncol;
+	int ret, i, nrow, ncol;
 
 	if (!np) {
 		dev_err(dev, "device lacks DT data\n");
@@ -444,12 +444,19 @@ matrix_keypad_parse_dt(struct device *de
 		return ERR_PTR(-ENOMEM);
 	}
 
-	for (i = 0; i < pdata->num_row_gpios; i++)
-		gpios[i] = of_get_named_gpio(np, "row-gpios", i);
+	for (i = 0; i < nrow; i++) {
+		ret = of_get_named_gpio(np, "row-gpios", i);
+		if (ret < 0)
+			return ERR_PTR(ret);
+		gpios[i] = ret;
+	}
 
-	for (i = 0; i < pdata->num_col_gpios; i++)
-		gpios[pdata->num_row_gpios + i] =
-			of_get_named_gpio(np, "col-gpios", i);
+	for (i = 0; i < ncol; i++) {
+		ret = of_get_named_gpio(np, "col-gpios", i);
+		if (ret < 0)
+			return ERR_PTR(ret);
+		gpios[nrow + i] = ret;
+	}
 
 	pdata->row_gpios = gpios;
 	pdata->col_gpios = &gpios[pdata->num_row_gpios];
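Review bot: the two new "if (ret < 0) return ERR_PTR(ret);" exits in matrix_keypad_parse_dt() are silent, while the last hunk drops the catch-all message in matrix_keypad_probe() on the grounds that the other error paths already print one. Staying quiet is right for -EPROBE_DEFER, but for any other negative value a dev_err() naming the property and index would keep the failure diagnosable. Separately, the loops now use nrow and ncol while the unchanged line below still uses pdata->num_row_gpios; one spelling throughout would be clearer.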
@@ -476,10 +483,8 @@ static int matrix_keypad_probe(struct pl
 	pdata = dev_get_platdata(&pdev->dev);
 	if (!pdata) {
 		pdata = matrix_keypad_parse_dt(&pdev->dev);
-		if (IS_ERR(pdata)) {
-			dev_err(&pdev->dev, "no platform data defined\n");
+		if (IS_ERR(pdata))
 			return PTR_ERR(pdata);
-		}
 	} else if (!pdata->keymap_data) {
 		dev_err(&pdev->dev, "no keymap data defined\n");
 		return -EINVAL;



* [PATCH 3.16 050/305] iio: ad5064: Fix regulator handling
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (206 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 255/305] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 268/305] xhci: workaround CSS timeout on AMD SNPS 3.0 xHC Ben Hutchings
                   ` (97 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lars-Peter Clausen, Jonathan Cameron

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit 8911a43bc198877fad9f4b0246a866b26bb547ab upstream.

The correct way to handle errors returned by regulator_get() and friends is
to propagate the error since that means that a regulator was specified,
but something went wrong when requesting it.

For handling optional regulators, e.g. when the device has an internal
vref, regulator_get_optional() should be used to avoid getting the dummy
regulator that the regulator core otherwise provides.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16: Keep using ad5064_write() instead of
 ad5064_set_config().]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/dac/ad5064.c | 53 ++++++++++++++++++++++++++++------------
 1 file changed, 38 insertions(+), 15 deletions(-)

--- a/drivers/iio/dac/ad5064.c
+++ b/drivers/iio/dac/ad5064.c
@@ -469,6 +469,41 @@ static const char * const ad5064_vref_na
 	return st->chip_info->shared_vref ? "vref" : ad5064_vref_names[vref];
 }
 
+static int ad5064_request_vref(struct ad5064_state *st, struct device *dev)
+{
+	unsigned int i;
+	int ret;
+
+	for (i = 0; i < ad5064_num_vref(st); ++i)
+		st->vref_reg[i].supply = ad5064_vref_name(st, i);
+
+	if (!st->chip_info->internal_vref)
+		return devm_regulator_bulk_get(dev, ad5064_num_vref(st),
+					       st->vref_reg);
+
+	/*
+	 * This assumes that when the regulator has an internal VREF
+	 * there is only one external VREF connection, which is
+	 * currently the case for all supported devices.
+	 */
+	st->vref_reg[0].consumer = devm_regulator_get_optional(dev, "vref");
+	if (!IS_ERR(st->vref_reg[0].consumer))
+		return 0;
+
+	ret = PTR_ERR(st->vref_reg[0].consumer);
+	if (ret != -ENODEV)
+		return ret;
+
+	/* If no external regulator was supplied use the internal VREF */
+	st->use_internal_vref = true;
+	ret = ad5064_write(st, AD5064_CMD_CONFIG, 0,
+		AD5064_CONFIG_INT_VREF_ENABLE, 0);
+	if (ret)
+		dev_err(dev, "Failed to enable internal vref: %d\n", ret);
+
+	return ret;
+}
+
 static int ad5064_probe(struct device *dev, enum ad5064_type type,
 			const char *name, ad5064_write_func write)
 {
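Review bot: ad5064_request_vref() fills st->vref_reg[i].supply from ad5064_vref_name() for every reference, but the internal-VREF branch then requests the regulator with the literal "vref" rather than st->vref_reg[0].supply. The comment documents the single-reference assumption, but passing st->vref_reg[0].supply to devm_regulator_get_optional() would keep the supply name in one place and avoid the two diverging if a chip with internal_vref and a differently named supply is added.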
@@ -489,23 +524,11 @@ static int ad5064_probe(struct device *d
 	st->dev = dev;
 	st->write = write;
 
-	for (i = 0; i < ad5064_num_vref(st); ++i)
-		st->vref_reg[i].supply = ad5064_vref_name(st, i);
+	ret = ad5064_request_vref(st, dev);
+	if (ret)
+		return ret;
 
-	ret = devm_regulator_bulk_get(dev, ad5064_num_vref(st),
-		st->vref_reg);
-	if (ret) {
-		if (!st->chip_info->internal_vref)
-			return ret;
-		st->use_internal_vref = true;
-		ret = ad5064_write(st, AD5064_CMD_CONFIG, 0,
-			AD5064_CONFIG_INT_VREF_ENABLE, 0);
-		if (ret) {
-			dev_err(dev, "Failed to enable internal vref: %d\n",
-				ret);
-			return ret;
-		}
-	} else {
+	if (!st->use_internal_vref) {
 		ret = regulator_bulk_enable(ad5064_num_vref(st), st->vref_reg);
 		if (ret)
 			return ret;



* [PATCH 3.16 169/305] mac80211_hwsim: Replace bogus hrtimer clockid
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 142/305] sunrpc: correct the computation for page_ptr when truncating Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 029/305] signal/GenWQE: Fix sending of SIGKILL Ben Hutchings
                   ` (297 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johannes Berg, Thomas Gleixner

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 8fbcfeb8a9cc803464d6c166e7991913711c612c upstream.

mac80211_hwsim initializes a hrtimer with clockid
CLOCK_MONOTONIC_RAW. That's not supported.

Use CLOCK_MONOTONIC instead.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mac80211_hwsim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2176,7 +2176,7 @@ static int mac80211_hwsim_create_radio(i
 
 	tasklet_hrtimer_init(&data->beacon_timer,
 			     mac80211_hwsim_beacon,
-			     CLOCK_MONOTONIC_RAW, HRTIMER_MODE_ABS);
+			     CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
 
 	spin_lock_bh(&hwsim_radio_lock);
 	list_add_tail(&data->list, &hwsim_radios);
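Review bot: the timer is initialised with HRTIMER_MODE_ABS, so every place that arms data->beacon_timer must compute its absolute expiry against the CLOCK_MONOTONIC base now selected in mac80211_hwsim_create_radio(); that is worth confirming as part of this change. The commit message also says CLOCK_MONOTONIC_RAW is "not supported" without saying what happened before the change, and a sentence on the observed behaviour would help stable reviewers judge the impact.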



* [PATCH 3.16 263/305] usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 079/305] iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 271/305] virtio/s390: avoid race on vcdev->config Ben Hutchings
                   ` (219 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Harry Pan, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Harry Pan <harry.pan@intel.com>

commit 2f2dde6ba89b1ef1fe23c1138131b315d9aa4019 upstream.

Some lower volume SanDisk Ultra Flair drives in 16GB, whose VID:PID is
0781:5591, will aggressively request LPM of U1/U2 during runtime.
When using this thumb drive as the OS installation key, we found the
device generates a failure during the U1 exit path, making it drop
from the USB bus; this causes a corrupted installation in the system
at the end.

i.e.,
[  166.918296] hub 2-0:1.0: state 7 ports 7 chg 0000 evt 0004
[  166.918327] usb usb2-port2: link state change
[  166.918337] usb usb2-port2: do warm reset
[  166.970039] usb usb2-port2: not warm reset yet, waiting 50ms
[  167.022040] usb usb2-port2: not warm reset yet, waiting 200ms
[  167.276043] usb usb2-port2: status 02c0, change 0041, 5.0 Gb/s
[  167.276050] usb 2-2: USB disconnect, device number 2
[  167.276058] usb 2-2: unregistering device
[  167.276060] usb 2-2: unregistering interface 2-2:1.0
[  167.276170] xhci_hcd 0000:00:15.0: shutdown urb ffffa3c7cc695cc0 ep1in-bulk
[  167.284055] sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
[  167.284064] sd 0:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 33 04 90 00 01 00 00
...

Analyzing the USB trace in the link layer, we realized it is because
of the 6-ms timer of tRecoveryConfigurationTimeout, which is documented
in the USB 3.2 Revision 1.0, section 7.5.10.4.2 of "Exit from
Recovery.Configuration"; the device initiates U1 exit -> Recovery.Active
-> Recovery.Configuration, then the host timer timeout makes the link
transit to eSS.Inactive -> Rx.Detect, followed by a Warm Reset.

Interestingly, the other higher volume SanDisk Ultra Flair drives sharing
the same VID:PID, such as 64GB, would not request LPM during runtime;
they stick at U0 always, thus disabling LPM does not affect those thumb
drives at all.

The same oddity occurs in SanDisk Ultra Fit 16GB, VID:PID in 0781:5583.

Signed-off-by: Harry Pan <harry.pan@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -185,6 +185,10 @@ static const struct usb_device_id usb_qu
 	/* Midiman M-Audio Keystation 88es */
 	{ USB_DEVICE(0x0763, 0x0192), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* SanDisk Ultra Fit and Ultra Flair */
+	{ USB_DEVICE(0x0781, 0x5583), .driver_info = USB_QUIRK_NO_LPM },
+	{ USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* M-Systems Flash Disk Pioneers */
 	{ USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
 
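Review bot: the table matches on VID:PID only, so USB_QUIRK_NO_LPM is applied to every capacity that reports 0781:5583 or 0781:5591, not just the 16GB parts the commit message describes. The message argues this is harmless for the 64GB Ultra Flair; a few words in the comment above the entries (16GB variants fail on U1 exit) would record why the quirk exists for whoever revisits it.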



* [PATCH 3.16 161/305] mount: Prevent MNT_DETACH from disconnecting locked mounts
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (288 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 294/305] kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 184/305] drivers/misc/sgi-gru: fix Spectre v1 vulnerability Ben Hutchings
                   ` (15 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric W. Biederman, Timothy Baldwin

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream.

Timothy Baldwin <timbaldwin@fastmail.co.uk> wrote:
> As per mount_namespaces(7) unprivileged users should not be able to look under mount points:
>
>   Mounts that come as a single unit from more privileged mount are locked
>   together and may not be separated in a less privileged mount namespace.
>
> However they can:
>
> 1. Create a mount namespace.
> 2. In the mount namespace open a file descriptor to the parent of a mount point.
> 3. Destroy the mount namespace.
> 4. Use the file descriptor to look under the mount point.
>
> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8.
>
> The setup:
>
> $ sudo sysctl kernel.unprivileged_userns_clone=1
> kernel.unprivileged_userns_clone = 1
> $ mkdir -p A/B/Secret
> $ sudo mount -t tmpfs hide A/B
>
>
> "Secret" is indeed hidden as expected:
>
> $ ls -lR A
> A:
> total 0
> drwxrwxrwt 2 root root 40 Feb 12 21:08 B
>
> A/B:
> total 0
>
>
> The attack revealing "Secret":
>
> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4<A"
> /proc/self/fd/4/:
> total 0
> drwxr-xr-x 3 root root 60 Feb 12 21:08 B
>
> /proc/self/fd/4/B:
> total 0
> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret
>
> /proc/self/fd/4/B/Secret:
> total 0

I tracked this down to put_mnt_ns running passing UMOUNT_SYNC and
disconnecting all of the mounts in a mount namespace.  Fix this by
factoring drop_mounts out of drop_collected_mounts and passing
0 instead of UMOUNT_SYNC.

There are two possible behavior differences that result from this.
- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on
  the vfsmounts being unmounted.  This affects the lazy rcu walk by
  kicking the walk out of rcu mode and forcing it to be a non-lazy
  walk.
- No longer disconnecting locked mounts will keep some mounts around
  longer as they stay because they are locked to other mounts.

There are only two users of drop_collected_mounts: audit_tree.c and
put_mnt_ns.

In audit_tree.c the mounts are private and there are no rcu lazy walks
only calls to iterate_mounts. So the changes should have no effect
except for a small timing effect as the connected mounts are disconnected.

In put_mnt_ns there may be references from processes outside the mount
namespace to the mounts.  So the mounts remaining connected will
be the bug fix that is needed.  That rcu walks are allowed to continue
appears not to be a problem especially as the rcu walk change was about
an implementation detail not about semantics.

Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
Tested-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1641,7 +1641,7 @@ void drop_collected_mounts(struct vfsmou
 {
 	namespace_lock();
 	lock_mount_hash();
-	umount_tree(real_mount(mnt), UMOUNT_SYNC);
+	umount_tree(real_mount(mnt), 0);
 	unlock_mount_hash();
 	namespace_unlock();
 }
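Review bot: the commit message describes factoring drop_mounts out of drop_collected_mounts, but the hunk only changes the flag passed to umount_tree() inside drop_collected_mounts() itself, so both callers named in the message (audit_tree.c and put_mnt_ns) get the new behaviour. That matches the analysis in the message, but the wording should be brought in line with the diff. A comment at the call saying that 0 is passed so that locked mounts are not disconnected would also stop a later cleanup from restoring UMOUNT_SYNC.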



* [PATCH 3.16 129/305] kbuild: fix kernel/bounds.c 'W=1' warning
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 140/305] x86/hyper-v: Enable PIT shutdown quirk Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 193/305] libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9 Ben Hutchings
                   ` (154 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Masahiro Yamada, Arnd Bergmann,
	David Laight, Greg Kroah-Hartman, Kieran Bingham, Linus Torvalds

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream.

Building any configuration with 'make W=1' produces a warning:

kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]

When also passing -Werror, this prevents us from building any other files.
Nobody ever calls the function, but we can't make it 'static' either
since we want the compiler output.

Calling it 'main' instead however avoids the warning, because gcc
does not insist on having a declaration for main.

Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/bounds.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/bounds.c
+++ b/kernel/bounds.c
@@ -13,7 +13,7 @@
 #include <linux/log2.h>
 #include <linux/spinlock_types.h>
 
-void foo(void)
+int main(void)
 {
 	/* The enum constants to put into include/generated/bounds.h */
 	DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
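Review bot: a function named main() in kernel/bounds.c looks like a mistake to anyone who has not read the commit message. A short comment above it, saying that the function is never called, exists only so that the compiler output can be used, and is named main to avoid the -Wmissing-prototypes warning, would prevent a well-meaning rename back to something like foo().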
@@ -24,4 +24,6 @@ void foo(void)
 #endif
 	DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
 	/* End of constants */
+
+	return 0;
 }



* [PATCH 3.16 113/305] smb3: do not attempt cifs operation in smb3 query info error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 234/305] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 164/305] termios, tty/tty_baudrate.c: fix buffer overrun Ben Hutchings
                   ` (190 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ronnie Sahlberg, Steve French

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream.

If backupuid mount option is sent, we can incorrectly retry
(on access denied on query info) with a cifs (FindFirst) operation
on an smb3 mount which causes the server to force the session close.

We set backup intent on open so no need for this fallback.

See kernel bugzilla 201435

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/inode.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -735,7 +735,15 @@ cifs_get_inode_info(struct inode **inode
 	} else if (rc == -EREMOTE) {
 		cifs_create_dfs_fattr(&fattr, sb);
 		rc = 0;
-	} else if (rc == -EACCES && backup_cred(cifs_sb)) {
+	} else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
+		   (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
+		      == 0)) {
+			/*
+			 * For SMB2 and later the backup intent flag is already
+			 * sent if needed on open and there is no path based
+			 * FindFirst operation to use to retry with
+			 */
+
 			srchinf = kzalloc(sizeof(struct cifs_search_info),
 						GFP_KERNEL);
 			if (srchinf == NULL) {
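Review bot: the new comment sits inside the branch that is taken only when version_string equals SMB1_VERSION_STRING, yet it talks about SMB2 and later, so it reads as if it documents the code that follows it. Moving it above the else-if condition, or rewording it to say that the FindFirst retry is SMB1-only because later dialects already send the backup intent flag on open, would be clearer. The blank line after the comment can go, and the body is still indented one level deeper than the condition.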



* [PATCH 3.16 231/305] ALSA: control: Fix race between adding and removing a user element
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (231 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 179/305] usb: xhci: fix uninitialized completion when USB3 port got wrong status Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 030/305] power: supply: max8998-charger: Fix platform data retrieval Ben Hutchings
                   ` (72 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+dc09047bce3820621ba2, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit e1a7bfe3807974e66f971f2589d4e0197ec0fced upstream.

The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element.  This was
caught by syzkaller, hitting a KASAN use-after-free error.

This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.

This required a slight code refactoring, too.  The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it.  The former is called from the
function for adding a user control element inside the controls_rwsem.

One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem.  But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.

Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16:
 - In snd_ctl_elem_add(), free _kctl on error, not kctl
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/control.c | 80 +++++++++++++++++++++++++-------------------
 1 file changed, 45 insertions(+), 35 deletions(-)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -318,6 +318,40 @@ static int snd_ctl_find_hole(struct snd_
 	return 0;
 }
 
+/* add a new kcontrol object; call with card->controls_rwsem locked */
+static int __snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
+{
+	struct snd_ctl_elem_id id;
+	unsigned int idx;
+	unsigned int count;
+
+	id = kcontrol->id;
+	if (id.index > UINT_MAX - kcontrol->count)
+		return -EINVAL;
+
+	if (snd_ctl_find_id(card, &id)) {
+		dev_err(card->dev,
+			"control %i:%i:%i:%s:%i is already present\n",
+			id.iface, id.device, id.subdevice, id.name, id.index);
+		return -EBUSY;
+	}
+
+	if (snd_ctl_find_hole(card, kcontrol->count) < 0)
+		return -ENOMEM;
+
+	list_add_tail(&kcontrol->list, &card->controls);
+	card->controls_count += kcontrol->count;
+	kcontrol->id.numid = card->last_numid + 1;
+	card->last_numid += kcontrol->count;
+
+	id = kcontrol->id;
+	count = kcontrol->count;
+	for (idx = 0; idx < count; idx++, id.index++, id.numid++)
+		snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
+
+	return 0;
+}
+
 /**
  * snd_ctl_add - add the control instance to the card
  * @card: the card instance
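Review bot: __snd_ctl_add() relies on a comment alone for its locking contract. A lockdep_assert_held(&card->controls_rwsem) at the top of the function would let lockdep catch a future caller that forgets to take the rwsem. The dev_err() for a duplicate control now also runs with the write lock held, which the commit message mentions only for snd_ctl_notify().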
@@ -334,45 +368,18 @@ static int snd_ctl_find_hole(struct snd_
  */
 int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
 {
-	struct snd_ctl_elem_id id;
-	unsigned int idx;
-	unsigned int count;
 	int err = -EINVAL;
 
 	if (! kcontrol)
 		return err;
 	if (snd_BUG_ON(!card || !kcontrol->info))
 		goto error;
-	id = kcontrol->id;
-	if (id.index > UINT_MAX - kcontrol->count)
-		goto error;
 
 	down_write(&card->controls_rwsem);
-	if (snd_ctl_find_id(card, &id)) {
-		up_write(&card->controls_rwsem);
-		dev_err(card->dev, "control %i:%i:%i:%s:%i is already present\n",
-					id.iface,
-					id.device,
-					id.subdevice,
-					id.name,
-					id.index);
-		err = -EBUSY;
-		goto error;
-	}
-	if (snd_ctl_find_hole(card, kcontrol->count) < 0) {
-		up_write(&card->controls_rwsem);
-		err = -ENOMEM;
-		goto error;
-	}
-	list_add_tail(&kcontrol->list, &card->controls);
-	card->controls_count += kcontrol->count;
-	kcontrol->id.numid = card->last_numid + 1;
-	card->last_numid += kcontrol->count;
-	id = kcontrol->id;
-	count = kcontrol->count;
+	err = __snd_ctl_add(card, kcontrol);
 	up_write(&card->controls_rwsem);
-	for (idx = 0; idx < count; idx++, id.index++, id.numid++)
-		snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
+	if (err < 0)
+		goto error;
 	return 0;
 
  error:
@@ -1261,14 +1268,17 @@ static int snd_ctl_elem_add(struct snd_c
 	_kctl->private_data = ue;
 	for (idx = 0; idx < _kctl->count; idx++)
 		_kctl->vd[idx].owner = file;
-	err = snd_ctl_add(card, _kctl);
-	if (err < 0)
-		return err;
-
 	down_write(&card->controls_rwsem);
+	err = __snd_ctl_add(card, _kctl);
+	if (err < 0) {
+		snd_ctl_free_one(_kctl);
+		goto unlock;
+	}
+
 	card->user_ctl_count++;
-	up_write(&card->controls_rwsem);
 
+ unlock:
+	up_write(&card->controls_rwsem);
 	return 0;
 }
 
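Review bot: in snd_ctl_elem_add() the error path jumps to the unlock label and then falls into the unconditional return 0, so a failure from __snd_ctl_add() is reported to the caller as success after _kctl has already been freed with snd_ctl_free_one(). Ending the function with return err instead of return 0 is enough, since __snd_ctl_add() returns 0 on the success path.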



* [PATCH 3.16 236/305] powerpc: Fix COFF zImage booting on old powermacs
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 099/305] scsi: esp_scsi: Track residual for PIO transfers Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 172/305] ALSA: oss: Use kvzalloc() for local buffer allocations Ben Hutchings
                   ` (186 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paul Mackerras, Michael Ellerman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit 5564597d51c8ff5b88d95c76255e18b13b760879 upstream.

Commit 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper
as a relocatable ET_DYN", 2011-04-12) changed the procedure descriptor
at the start of crt0.S to have a hard-coded start address of 0x500000
rather than a reference to _zimage_start, presumably because having
a reference to a symbol introduced a relocation which is awkward to
handle in a position-independent executable.  Unfortunately, what is
at 0x500000 in the COFF image is not the first instruction, but the
procedure descriptor itself, that is, a word containing 0x500000,
which is not a valid instruction.  Hence, booting a COFF zImage
results in a "DEFAULT CATCH!, code=FFF00700" message from Open
Firmware.

This fixes the problem by (a) putting the procedure descriptor in the
data section and (b) adding a branch to _zimage_start as the first
instruction in the program.

Fixes: 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper as a relocatable ET_DYN")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/boot/crt0.S | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/boot/crt0.S
+++ b/arch/powerpc/boot/crt0.S
@@ -15,7 +15,7 @@
 RELA = 7
 RELACOUNT = 0x6ffffff9
 
-	.text
+	.data
 	/* A procedure descriptor used when booting this as a COFF file.
 	 * When making COFF, this comes first in the link and we're
 	 * linked at 0x500000.
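Review bot: the comment kept as context under the new `.data` directive still says the descriptor "comes first in the link", which is no longer accurate once it is moved out of `.text`. Please update the comment to say that the descriptor now lives in the data section and that the word at 0x500000 is the branch added further down, so the next reader does not move it back.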
@@ -23,6 +23,8 @@ RELACOUNT = 0x6ffffff9
 	.globl	_zimage_start_opd
 _zimage_start_opd:
 	.long	0x500000, 0, 0, 0
+	.text
+	b	_zimage_start
 
 #ifdef __powerpc64__
 .balign 8
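Review bot: the added `b _zimage_start` has no comment, yet the descriptor above it keeps the hard-coded `.long 0x500000`, so the fix only works while this branch stays the very first instruction of `.text` in the COFF link. A one-line comment on the branch stating that it must remain first, because the descriptor's entry address points at it, would protect it from later reordering.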



* [PATCH 3.16 132/305] netfilter: xt_IDLETIMER: add sysfs filename checking routine
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (224 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 058/305] ext4: initialize retries variable in ext4_da_write_inline_data_begin() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 303/305] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Ben Hutchings
                   ` (79 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Taehee Yoo, Pablo Neira Ayuso

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Taehee Yoo <ap420073@gmail.com>

commit 54451f60c8fa061af9051a53be9786393947367c upstream.

When IDLETIMER rule is added, sysfs file is created under
/sys/class/xt_idletimer/timers/
But some label name shouldn't be used.
".", "..", "power", "uevent", "subsystem", etc...
So that sysfs filename checking routine is needed.

test commands:
   %iptables -I INPUT -j IDLETIMER --timeout 1 --label "power"

splat looks like:
[95765.423132] sysfs: cannot create duplicate filename '/devices/virtual/xt_idletimer/timers/power'
[95765.433418] CPU: 0 PID: 8446 Comm: iptables Not tainted 4.19.0-rc6+ #20
[95765.449755] Call Trace:
[95765.449755]  dump_stack+0xc9/0x16b
[95765.449755]  ? show_regs_print_info+0x5/0x5
[95765.449755]  sysfs_warn_dup+0x74/0x90
[95765.449755]  sysfs_add_file_mode_ns+0x352/0x500
[95765.449755]  sysfs_create_file_ns+0x179/0x270
[95765.449755]  ? sysfs_add_file_mode_ns+0x500/0x500
[95765.449755]  ? idletimer_tg_checkentry+0x3e5/0xb1b [xt_IDLETIMER]
[95765.449755]  ? rcu_read_lock_sched_held+0x114/0x130
[95765.449755]  ? __kmalloc_track_caller+0x211/0x2b0
[95765.449755]  ? memcpy+0x34/0x50
[95765.449755]  idletimer_tg_checkentry+0x4e2/0xb1b [xt_IDLETIMER]
[ ... ]

Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/xt_IDLETIMER.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -116,6 +116,22 @@ static void idletimer_tg_expired(unsigne
 	schedule_work(&timer->work);
 }
 
+static int idletimer_check_sysfs_name(const char *name, unsigned int size)
+{
+	int ret;
+
+	ret = xt_check_proc_name(name, size);
+	if (ret < 0)
+		return ret;
+
+	if (!strcmp(name, "power") ||
+	    !strcmp(name, "subsystem") ||
+	    !strcmp(name, "uevent"))
+		return -EINVAL;
+
+	return 0;
+}
+
 static int idletimer_tg_create(struct idletimer_tg_info *info)
 {
 	int ret;
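Review bot: idletimer_check_sysfs_name() hard-codes three reserved names with no comment saying where they come from, while the changelog's list ends in "etc...", so a reader cannot tell whether the list is complete. Suggest a short comment that "power", "subsystem" and "uevent" are the entries that already exist in the timers directory, that "." and ".." are left to xt_check_proc_name(), and that the `strcmp()` calls rely on that earlier call having validated `name` against `size`.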
@@ -126,6 +142,10 @@ static int idletimer_tg_create(struct id
 		goto out;
 	}
 
+	ret = idletimer_check_sysfs_name(info->label, sizeof(info->label));
+	if (ret < 0)
+		goto out_free_timer;
+
 	info->timer->attr.attr.name = kstrdup(info->label, GFP_KERNEL);
 	if (!info->timer->attr.attr.name) {
 		ret = -ENOMEM;
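Review bot: the label check in idletimer_tg_create() is placed after the timer allocation, which is why a rejected label has to unwind through `goto out_free_timer`. Validating `info->label` at the top of the function, before anything is allocated, would let an invalid name fail with no allocation and no cleanup path to get wrong.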



* [PATCH 3.16 064/305] USB: serial: cypress_m8: fix interrupt-out transfer length
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 193/305] libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 300/305] vxge: ensure data0 is initialized in when fetching firmware version information Ben Hutchings
                   ` (152 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johan Hovold

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 56445eef55cb5904096fed7a73cf87b755dfffc7 upstream.

Fix interrupt-out transfer length which was being set to the
transfer-buffer length rather than the size of the outgoing packet.

Note that no slab data was leaked as the whole transfer buffer is always
cleared before each transfer.

Fixes: 9aa8dae7b1fa ("cypress_m8: use usb_fill_int_urb where appropriate")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cypress_m8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -773,7 +773,7 @@ send:
 
 	usb_fill_int_urb(port->interrupt_out_urb, port->serial->dev,
 		usb_sndintpipe(port->serial->dev, port->interrupt_out_endpointAddress),
-		port->interrupt_out_buffer, port->interrupt_out_size,
+		port->interrupt_out_buffer, actual_size,
 		cypress_write_int_callback, port, priv->write_urb_interval);
 	result = usb_submit_urb(port->interrupt_out_urb, GFP_ATOMIC);
 	if (result) {
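Review bot: `actual_size` becomes the URB transfer length in the `usb_fill_int_urb()` call, but nothing visible in this hunk shows that it is bounded by `port->interrupt_out_size`, the size of `port->interrupt_out_buffer`. The old argument could never exceed the buffer by construction, so please confirm in the changelog (or with a check before `send:`) that `actual_size` is capped at the buffer size.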



* [PATCH 3.16 229/305] ALSA: sparc: Fix invalid snd_free_pages() at error path
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (214 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 237/305] xtensa: enable coprocessors that are being flushed Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 035/305] media: tvp5150: fix width alignment during set_selection() Ben Hutchings
                   ` (89 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Sakamoto, Takashi Iwai

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 9a20332ab373b1f8f947e0a9c923652b32dab031 upstream.

Some spurious calls of snd_free_pages() have been overlooked and
remain in the error paths of sparc cs4231 driver code.  Since
runtime->dma_area is managed by the PCM core helper, we shouldn't
release manually.

Drop the superfluous calls.

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/sparc/cs4231.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/sound/sparc/cs4231.c
+++ b/sound/sparc/cs4231.c
@@ -1146,10 +1146,8 @@ static int snd_cs4231_playback_open(stru
 	runtime->hw = snd_cs4231_playback;
 
 	err = snd_cs4231_open(chip, CS4231_MODE_PLAY);
-	if (err < 0) {
-		snd_free_pages(runtime->dma_area, runtime->dma_bytes);
+	if (err < 0)
 		return err;
-	}
 	chip->playback_substream = substream;
 	chip->p_periods_sent = 0;
 	snd_pcm_set_sync(substream);
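Review bot: the removed `snd_free_pages(runtime->dma_area, runtime->dma_bytes)` in the snd_cs4231_playback_open() error path freed the area without clearing `runtime->dma_area`, so if the PCM core releases the same buffer later this was a potential double free and not merely a superfluous call. The changelog should say which it is and carry a Fixes: tag, so that people triaging the backport can judge its severity; the same applies to the identical removal in snd_cs4231_capture_open().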
@@ -1167,10 +1165,8 @@ static int snd_cs4231_capture_open(struc
 	runtime->hw = snd_cs4231_capture;
 
 	err = snd_cs4231_open(chip, CS4231_MODE_RECORD);
-	if (err < 0) {
-		snd_free_pages(runtime->dma_area, runtime->dma_bytes);
+	if (err < 0)
 		return err;
-	}
 	chip->capture_substream = substream;
 	chip->c_periods_sent = 0;
 	snd_pcm_set_sync(substream);



* [PATCH 3.16 061/305] x86, hibernate: Fix nosave_regions setup for hibernation
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 081/305] spi: sh-msiof: fix deferred probing Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 096/305] parisc: Fix address in HPMC IVA Ben Hutchings
                   ` (138 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Zhimin Gu, Rafael J. Wysocki, Pavel Machek,
	Thomas Gleixner, Chen Yu

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zhimin Gu <kookoo.gu@intel.com>

commit cc55f7537db6af371e9c1c6a71161ee40f918824 upstream.

On 32bit systems, nosave_regions(non RAM areas) located between
max_low_pfn and max_pfn are not excluded from hibernation snapshot
currently, which may result in a machine check exception when
trying to access these unsafe regions during hibernation:

[  612.800453] Disabling lock debugging due to kernel taint
[  612.805786] mce: [Hardware Error]: CPU 0: Machine Check Exception: 5 Bank 6: fe00000000801136
[  612.814344] mce: [Hardware Error]: RIP !INEXACT! 60:<00000000d90be566> {swsusp_save+0x436/0x560}
[  612.823167] mce: [Hardware Error]: TSC 1f5939fe276 ADDR dd000000 MISC 30e0000086
[  612.830677] mce: [Hardware Error]: PROCESSOR 0:306c3 TIME 1529487426 SOCKET 0 APIC 0 microcode 24
[  612.839581] mce: [Hardware Error]: Run the above through 'mcelog --ascii'
[  612.846394] mce: [Hardware Error]: Machine check: Processor context corrupt
[  612.853380] Kernel panic - not syncing: Fatal machine check
[  612.858978] Kernel Offset: 0x18000000 from 0xc1000000 (relocation range: 0xc0000000-0xf7ffdfff)

This is because on 32bit systems, pages above max_low_pfn are regarded
as high memory, and accessing unsafe pages might cause expected MCE.
On the problematic 32bit system, there is reserved memory above low
memory, which triggered the MCE:

e820 memory mapping:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009d7ff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009d800-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000d160cfff] usable
[    0.000000] BIOS-e820: [mem 0x00000000d160d000-0x00000000d1613fff] ACPI NVS
[    0.000000] BIOS-e820: [mem 0x00000000d1614000-0x00000000d1a44fff] usable
[    0.000000] BIOS-e820: [mem 0x00000000d1a45000-0x00000000d1ecffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000d1ed0000-0x00000000d7eeafff] usable
[    0.000000] BIOS-e820: [mem 0x00000000d7eeb000-0x00000000d7ffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000d8000000-0x00000000d875ffff] usable
[    0.000000] BIOS-e820: [mem 0x00000000d8760000-0x00000000d87fffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000d8800000-0x00000000d8fadfff] usable
[    0.000000] BIOS-e820: [mem 0x00000000d8fae000-0x00000000d8ffffff] ACPI data
[    0.000000] BIOS-e820: [mem 0x00000000d9000000-0x00000000da71bfff] usable
[    0.000000] BIOS-e820: [mem 0x00000000da71c000-0x00000000da7fffff] ACPI NVS
[    0.000000] BIOS-e820: [mem 0x00000000da800000-0x00000000dbb8bfff] usable
[    0.000000] BIOS-e820: [mem 0x00000000dbb8c000-0x00000000dbffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000dd000000-0x00000000df1fffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000f8000000-0x00000000fbffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fed00000-0x00000000fed03fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed1ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000ff000000-0x00000000ffffffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000041edfffff] usable

Fix this problem by changing pfn limit from max_low_pfn to max_pfn.
This fix does not impact 64bit system because on 64bit max_low_pfn
is the same as max_pfn.

Signed-off-by: Zhimin Gu <kookoo.gu@intel.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/setup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1234,7 +1234,7 @@ void __init setup_arch(char **cmdline_p)
 	kvm_guest_init();
 
 	e820_reserve_resources();
-	e820_mark_nosave_regions(max_low_pfn);
+	e820_mark_nosave_regions(max_pfn);
 
 	x86_init.resources.reserve_resources();
 
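Review bot: the whole fix is the argument of `e820_mark_nosave_regions(max_pfn)`, and the call has no comment explaining why the limit is `max_pfn` rather than `max_low_pfn`. Suggest a one-line comment above it saying that on 32-bit the non-RAM ranges between max_low_pfn and max_pfn must also be marked nosave, so a later cleanup does not quietly restore the old limit.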



* [PATCH 3.16 123/305] lockd: fix access beyond unterminated strings in prints
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (284 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 149/305] ext4: avoid buffer leak in ext4_orphan_add() after prior errors Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 115/305] thermal: rcar: Make error and remove paths symmetrical with init Ben Hutchings
                   ` (19 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Amir Goldstein, J. Bruce Fields

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <amir73il@gmail.com>

commit 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee upstream.

printk format used %*s instead of %.*s, so hostname_len does not limit
the number of bytes accessed from hostname.

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/lockd/host.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/lockd/host.c
+++ b/fs/lockd/host.c
@@ -339,7 +339,7 @@ struct nlm_host *nlmsvc_lookup_host(cons
 	};
 	struct lockd_net *ln = net_generic(net, lockd_net_id);
 
-	dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__,
+	dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__,
 			(int)hostname_len, hostname, rqstp->rq_vers,
 			(rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp"));
 
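Review bot: with `%.*s` the bound on the read now rests entirely on the `(int)hostname_len` cast in the unchanged argument line, and the hunk does not show the type or range of `hostname_len`. Please confirm that it cannot exceed INT_MAX, since a value that turns negative after the cast would no longer act as a limit. The subject says "prints" in the plural while only this one dprintk() is touched, so it is also worth checking fs/lockd for other `%*s` uses with a length argument.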


^ permalink raw reply	[flat|nested] 313+ messages in thread
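The difference between `%*s` and `%.*s` that the lockd patch above fixes, shown in userspace C as an added example (it is not code from the patch or from the kernel). The buffer contents and all function names are constructed for illustration; the trailing bytes sit in the same NUL-terminated array, so the over-read is well defined here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 7-byte, length-delimited host name with no NUL of
 * its own, followed by unrelated bytes in the same array. */
static const char wire_buf[] = "client7" "SECRETCOOKIE";
#define NAME_LEN 7

/* Pre-fix style: '*' supplies a minimum field WIDTH. It pads short strings
 * but puts no upper limit on how many bytes are read from 'name'. */
int format_with_width(char *out, size_t outsz, const char *name, int len)
{
	return snprintf(out, outsz, "host='%*s'", len, name);
}

/* Fixed style: '.*' supplies a PRECISION, the maximum number of bytes that
 * will be read from 'name', so no terminator is needed within 'len'. */
int format_with_precision(char *out, size_t outsz, const char *name, int len)
{
	return snprintf(out, outsz, "host='%.*s'", len, name);
}

/* Bytes emitted beyond the declared length; 0 means the bound held. */
size_t bytes_past_bound(const char *formatted, int len)
{
	size_t body = strlen(formatted) - strlen("host=''");

	return body > (size_t)len ? body - (size_t)len : 0;
}

int main(void)
{
	char buf[64];

	format_with_width(buf, sizeof(buf), wire_buf, NAME_LEN);
	printf("%-28s over-read: %zu bytes\n", buf,
	       bytes_past_bound(buf, NAME_LEN));

	format_with_precision(buf, sizeof(buf), wire_buf, NAME_LEN);
	printf("%-28s over-read: %zu bytes\n", buf,
	       bytes_past_bound(buf, NAME_LEN));

	/* Width only ever pads: a 2-byte name in a 5-wide field. */
	format_with_width(buf, sizeof(buf), "ab", 5);
	printf("%s\n", buf);
	return 0;
}
```

In the kernel case there is no guaranteed terminator after the host name, so the width form keeps reading whatever memory follows it.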

* [PATCH 3.16 203/305] l2tp: fix a sock refcnt leak in l2tp_tunnel_register
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (264 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 119/305] hugetlbfs: dirty pages as they are added to pagecache Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 005/305] x86/mm: Fix regression with huge pages on PAE Ben Hutchings
                   ` (39 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Guillaume Nault, David S. Miller, Xin Long,
	Jianlin Shi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit f8504f4ca0a0e9f84546ef86e00b24d2ea9a0bd2 upstream.

This issue happens when trying to add an existent tunnel. It
doesn't call sock_put() before returning -EEXIST to release
the sock refcnt that was held by calling sock_hold() before
the existence check.

This patch is to fix it by holding the sock after doing the
existence check.

Fixes: f6cd651b056f ("l2tp: fix race in duplicate tunnel detection")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_core.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1627,12 +1627,7 @@ int l2tp_tunnel_register(struct l2tp_tun
 			goto err_sock;
 	}
 
-	sk = sock->sk;
-
-	sock_hold(sk);
-	tunnel->sock = sk;
 	tunnel->l2tp_net = net;
-
 	pn = l2tp_pernet(net);
 
 	spin_lock_bh(&pn->l2tp_tunnel_list_lock);
@@ -1647,6 +1642,10 @@ int l2tp_tunnel_register(struct l2tp_tun
 	list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
 	spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
 
+	sk = sock->sk;
+	sock_hold(sk);
+	tunnel->sock = sk;
+
 	if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
 		udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
 		udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
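Review bot: `sock_hold(sk)` and `tunnel->sock = sk` now run after `list_add_rcu()` and `spin_unlock_bh()`, so the tunnel is published on `pn->l2tp_tunnel_list` while `tunnel->sock` is still unset and no reference is held. A concurrent lookup that finds the tunnel in that window would see a tunnel without a socket. Suggest taking the reference and assigning `tunnel->sock` inside the locked section, after the existence check and before `list_add_rcu()`, or keeping the original order and adding `sock_put()` on the -EEXIST path.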



* [PATCH 3.16 046/305] fuse: fix blocked_waitq wakeup
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 134/305] memory_hotplug: cond_resched in __remove_pages Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 159/305] mount: Retest MNT_LOCKED in do_umount Ben Hutchings
                   ` (284 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Miklos Szeredi

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 upstream.

Using waitqueue_active() is racy.  Make sure we issue a wake_up()
unconditionally after storing into fc->blocked.  After that it's okay to
optimize with waitqueue_active() since the first wake up provides the
necessary barrier for all waiters, not just the woken one.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 3c18ef8117f0 ("fuse: optimize wake_up")
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dev.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -376,12 +376,19 @@ __releases(fc->lock)
 	if (req->background) {
 		req->background = 0;
 
-		if (fc->num_background == fc->max_background)
+		if (fc->num_background == fc->max_background) {
 			fc->blocked = 0;
-
-		/* Wake up next waiter, if any */
-		if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
 			wake_up(&fc->blocked_waitq);
+		} else if (!fc->blocked) {
+			/*
+			 * Wake up next waiter, if any.  It's okay to use
+			 * waitqueue_active(), as we've already synced up
+			 * fc->blocked with waiters with the wake_up() call
+			 * above.
+			 */
+			if (waitqueue_active(&fc->blocked_waitq))
+				wake_up(&fc->blocked_waitq);
+		}
 
 		if (fc->num_background == fc->congestion_threshold &&
 		    fc->connected && fc->bdi_initialized) {
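Review bot: the new comment in the `else if (!fc->blocked)` branch refers to "the wake_up() call above", but that call sits in the other arm of the same `if` and is not executed when this branch runs. Please reword the comment to say that the unconditional wake_up() happened in the earlier invocation that cleared `fc->blocked`, which is the ordering the waitqueue_active() shortcut actually depends on.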



* [PATCH 3.16 110/305] of: add helper to lookup compatible child node
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 084/305] Btrfs: don't clean dirty pages during buffered writes Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 149/305] ext4: avoid buffer leak in ext4_orphan_add() after prior errors Ben Hutchings
                   ` (21 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Rob Herring, Johan Hovold

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 36156f9241cb0f9e37d998052873ca7501ad4b36 upstream.

Add of_get_compatible_child() helper that can be used to lookup
compatible child nodes.

Several drivers currently use of_find_compatible_node() to lookup child
nodes while failing to notice that the of_find_ functions search the
entire tree depth-first (from a given start node) and therefore can
match unrelated nodes. The fact that these functions also drop a
reference to the node they start searching from (e.g. the parent node)
is typically also overlooked, something which can lead to use-after-free
bugs.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/base.c  | 25 +++++++++++++++++++++++++
 include/linux/of.h |  8 ++++++++
 2 files changed, 33 insertions(+)

--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -768,6 +768,31 @@ struct device_node *of_get_next_availabl
 EXPORT_SYMBOL(of_get_next_available_child);
 
 /**
+ * of_get_compatible_child - Find compatible child node
+ * @parent:	parent node
+ * @compatible:	compatible string
+ *
+ * Lookup child node whose compatible property contains the given compatible
+ * string.
+ *
+ * Returns a node pointer with refcount incremented, use of_node_put() on it
+ * when done; or NULL if not found.
+ */
+struct device_node *of_get_compatible_child(const struct device_node *parent,
+				const char *compatible)
+{
+	struct device_node *child;
+
+	for_each_child_of_node(parent, child) {
+		if (of_device_is_compatible(child, compatible))
+			break;
+	}
+
+	return child;
+}
+EXPORT_SYMBOL(of_get_compatible_child);
+
+/**
  *	of_get_child_by_name - Find the child node by name for a given parent
  *	@node:	parent node
  *	@name:	child name to look for.
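Review bot: the kernel-doc for of_get_compatible_child() does not state the two properties the changelog gives as the reason for adding it: that only direct children of `@parent` are examined, and that, unlike the of_find_ functions, the reference on `@parent` is left untouched. Suggest adding both to the comment, plus a note that the loop relies on for_each_child_of_node() leaving `child` NULL when nothing matches and holding a reference when it breaks out.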
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -237,6 +237,8 @@ extern struct device_node *of_get_next_c
 extern struct device_node *of_get_next_available_child(
 	const struct device_node *node, struct device_node *prev);
 
+extern struct device_node *of_get_compatible_child(const struct device_node *parent,
+					const char *compatible);
 extern struct device_node *of_get_child_by_name(const struct device_node *node,
 					const char *name);
 
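Review bot: the added declaration `extern struct device_node *of_get_compatible_child(const struct device_node *parent,` runs past 80 columns, while the neighbouring declarations in this hunk wrap right after the opening parenthesis. Suggest wrapping it the same way, and likewise for the `static inline` stub in the next hunk.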
@@ -412,6 +414,12 @@ static inline bool of_have_populated_dt(
 	return false;
 }
 
+static inline struct device_node *of_get_compatible_child(const struct device_node *parent,
+					const char *compatible)
+{
+	return NULL;
+}
+
 static inline struct device_node *of_get_child_by_name(
 					const struct device_node *node,
 					const char *name)


^ permalink raw reply	[flat|nested] 313+ messages in thread
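The two lookup behaviours contrasted in the changelog above, as an added userspace model (not the kernel's implementation and not code from the patch): a whole-tree depth-first search that drops the reference on its start node, beside a direct-children-only search. The `struct node` layout, the `model_` function names and the sample tree are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct node {
	const char *name;
	const char *compatible;		/* a single string in this model */
	struct node *parent, *child, *sibling;
	int refcount;
};

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }
static void node_put(struct node *n) { if (n) n->refcount--; }

/* Next node in depth-first (pre-order) order over the whole tree. */
static struct node *next_dfs(struct node *n)
{
	if (n->child)
		return n->child;
	while (n && !n->sibling)
		n = n->parent;
	return n ? n->sibling : NULL;
}

/* Model of an of_find_-style lookup: visits every node after 'from',
 * wherever it sits in the tree, and drops the reference on 'from'. */
struct node *model_find_compatible(struct node *from, const char *compat)
{
	struct node *n;

	for (n = next_dfs(from); n; n = next_dfs(n))
		if (n->compatible && !strcmp(n->compatible, compat))
			break;
	node_get(n);
	node_put(from);
	return n;
}

/* Model of the child-only helper: direct children of 'parent' only, and
 * the parent's reference count is left alone. */
struct node *model_get_compatible_child(const struct node *parent,
					const char *compat)
{
	struct node *c;

	for (c = parent->child; c; c = c->sibling)
		if (c->compatible && !strcmp(c->compatible, compat))
			return node_get(c);
	return NULL;
}

/* Constructed tree: eth0 has no PHY child, its sibling eth1 does. */
static struct node root, eth0, mdio0, eth1, phy1;

void build_tree(void)
{
	root  = (struct node){ "root",  NULL,          NULL,  &eth0,  NULL,  1 };
	eth0  = (struct node){ "eth0",  "vendor,mac",  &root, &mdio0, &eth1, 1 };
	mdio0 = (struct node){ "mdio0", "vendor,mdio", &eth0, NULL,   NULL,  1 };
	eth1  = (struct node){ "eth1",  "vendor,mac",  &root, &phy1,  NULL,  1 };
	phy1  = (struct node){ "phy1",  "vendor,phy",  &eth1, NULL,   NULL,  1 };
}

int main(void)
{
	struct node *hit;

	build_tree();
	hit = model_get_compatible_child(&eth0, "vendor,phy");
	printf("child-only: %s, eth0 refcount %d\n",
	       hit ? hit->name : "(none)", eth0.refcount);

	hit = model_find_compatible(&eth0, "vendor,phy");
	printf("whole-tree: %s (parent %s), eth0 refcount %d\n",
	       hit ? hit->name : "(none)",
	       hit ? hit->parent->name : "-", eth0.refcount);
	return 0;
}
```

The whole-tree search hands eth0's driver a PHY that belongs to eth1 and leaves eth0 with one reference fewer than its owner expects, which is the use-after-free setup the changelog describes.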

* [PATCH 3.16 107/305] Btrfs: fix use-after-free when dumping free space
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 277/305] aio: fix spectre gadget in lookup_ioctx Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 111/305] net: bcmgenet: fix OF child-node lookup Ben Hutchings
                   ` (65 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nikolay Borisov, David Sterba,
	Filipe Manana, Josef Bacik

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 9084cb6a24bf5838a665af92ded1af8363f9e563 upstream.

We were iterating a block group's free space cache rbtree without locking
first the lock that protects it (the free_space_ctl->free_space_offset
rbtree is protected by the free_space_ctl->tree_lock spinlock).

KASAN reported a use-after-free problem when iterating such a rbtree due
to a concurrent rbtree delete:

[ 9520.359168] ==================================================================
[ 9520.359656] BUG: KASAN: use-after-free in rb_next+0x13/0x90
[ 9520.359949] Read of size 8 at addr ffff8800b7ada500 by task btrfs-transacti/1721
[ 9520.360357]
[ 9520.360530] CPU: 4 PID: 1721 Comm: btrfs-transacti Tainted: G             L    4.19.0-rc8-nbor #555
[ 9520.360990] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9520.362682] Call Trace:
[ 9520.362887]  dump_stack+0xa4/0xf5
[ 9520.363146]  print_address_description+0x78/0x280
[ 9520.363412]  kasan_report+0x263/0x390
[ 9520.363650]  ? rb_next+0x13/0x90
[ 9520.363873]  __asan_load8+0x54/0x90
[ 9520.364102]  rb_next+0x13/0x90
[ 9520.364380]  btrfs_dump_free_space+0x146/0x160 [btrfs]
[ 9520.364697]  dump_space_info+0x2cd/0x310 [btrfs]
[ 9520.364997]  btrfs_reserve_extent+0x1ee/0x1f0 [btrfs]
[ 9520.365310]  __btrfs_prealloc_file_range+0x1cc/0x620 [btrfs]
[ 9520.365646]  ? btrfs_update_time+0x180/0x180 [btrfs]
[ 9520.365923]  ? _raw_spin_unlock+0x27/0x40
[ 9520.366204]  ? btrfs_alloc_data_chunk_ondemand+0x2c0/0x5c0 [btrfs]
[ 9520.366549]  btrfs_prealloc_file_range_trans+0x23/0x30 [btrfs]
[ 9520.366880]  cache_save_setup+0x42e/0x580 [btrfs]
[ 9520.367220]  ? btrfs_check_data_free_space+0xd0/0xd0 [btrfs]
[ 9520.367518]  ? lock_downgrade+0x2f0/0x2f0
[ 9520.367799]  ? btrfs_write_dirty_block_groups+0x11f/0x6e0 [btrfs]
[ 9520.368104]  ? kasan_check_read+0x11/0x20
[ 9520.368349]  ? do_raw_spin_unlock+0xa8/0x140
[ 9520.368638]  btrfs_write_dirty_block_groups+0x2af/0x6e0 [btrfs]
[ 9520.368978]  ? btrfs_start_dirty_block_groups+0x870/0x870 [btrfs]
[ 9520.369282]  ? do_raw_spin_unlock+0xa8/0x140
[ 9520.369534]  ? _raw_spin_unlock+0x27/0x40
[ 9520.369811]  ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.370137]  commit_cowonly_roots+0x4b9/0x610 [btrfs]
[ 9520.370560]  ? commit_fs_roots+0x350/0x350 [btrfs]
[ 9520.370926]  ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.371285]  btrfs_commit_transaction+0x5e5/0x10e0 [btrfs]
[ 9520.371612]  ? btrfs_apply_pending_changes+0x90/0x90 [btrfs]
[ 9520.371943]  ? start_transaction+0x168/0x6c0 [btrfs]
[ 9520.372257]  transaction_kthread+0x21c/0x240 [btrfs]
[ 9520.372537]  kthread+0x1d2/0x1f0
[ 9520.372793]  ? btrfs_cleanup_transaction+0xb50/0xb50 [btrfs]
[ 9520.373090]  ? kthread_park+0xb0/0xb0
[ 9520.373329]  ret_from_fork+0x3a/0x50
[ 9520.373567]
[ 9520.373738] Allocated by task 1804:
[ 9520.373974]  kasan_kmalloc+0xff/0x180
[ 9520.374208]  kasan_slab_alloc+0x11/0x20
[ 9520.374447]  kmem_cache_alloc+0xfc/0x2d0
[ 9520.374731]  __btrfs_add_free_space+0x40/0x580 [btrfs]
[ 9520.375044]  unpin_extent_range+0x4f7/0x7a0 [btrfs]
[ 9520.375383]  btrfs_finish_extent_commit+0x15f/0x4d0 [btrfs]
[ 9520.375707]  btrfs_commit_transaction+0xb06/0x10e0 [btrfs]
[ 9520.376027]  btrfs_alloc_data_chunk_ondemand+0x237/0x5c0 [btrfs]
[ 9520.376365]  btrfs_check_data_free_space+0x81/0xd0 [btrfs]
[ 9520.376689]  btrfs_delalloc_reserve_space+0x25/0x80 [btrfs]
[ 9520.377018]  btrfs_direct_IO+0x42e/0x6d0 [btrfs]
[ 9520.377284]  generic_file_direct_write+0x11e/0x220
[ 9520.377587]  btrfs_file_write_iter+0x472/0xac0 [btrfs]
[ 9520.377875]  aio_write+0x25c/0x360
[ 9520.378106]  io_submit_one+0xaa0/0xdc0
[ 9520.378343]  __se_sys_io_submit+0xfa/0x2f0
[ 9520.378589]  __x64_sys_io_submit+0x43/0x50
[ 9520.378840]  do_syscall_64+0x7d/0x240
[ 9520.379081]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 9520.379387]
[ 9520.379557] Freed by task 1802:
[ 9520.379782]  __kasan_slab_free+0x173/0x260
[ 9520.380028]  kasan_slab_free+0xe/0x10
[ 9520.380262]  kmem_cache_free+0xc1/0x2c0
[ 9520.380544]  btrfs_find_space_for_alloc+0x4cd/0x4e0 [btrfs]
[ 9520.380866]  find_free_extent+0xa99/0x17e0 [btrfs]
[ 9520.381166]  btrfs_reserve_extent+0xd5/0x1f0 [btrfs]
[ 9520.381474]  btrfs_get_blocks_direct+0x60b/0xbd0 [btrfs]
[ 9520.381761]  __blockdev_direct_IO+0x10ee/0x58a1
[ 9520.382059]  btrfs_direct_IO+0x25a/0x6d0 [btrfs]
[ 9520.382321]  generic_file_direct_write+0x11e/0x220
[ 9520.382623]  btrfs_file_write_iter+0x472/0xac0 [btrfs]
[ 9520.382904]  aio_write+0x25c/0x360
[ 9520.383172]  io_submit_one+0xaa0/0xdc0
[ 9520.383416]  __se_sys_io_submit+0xfa/0x2f0
[ 9520.383678]  __x64_sys_io_submit+0x43/0x50
[ 9520.383927]  do_syscall_64+0x7d/0x240
[ 9520.384165]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 9520.384439]
[ 9520.384610] The buggy address belongs to the object at ffff8800b7ada500
                which belongs to the cache btrfs_free_space of size 72
[ 9520.385175] The buggy address is located 0 bytes inside of
                72-byte region [ffff8800b7ada500, ffff8800b7ada548)
[ 9520.385691] The buggy address belongs to the page:
[ 9520.385957] page:ffffea0002deb680 count:1 mapcount:0 mapping:ffff880108a1d700 index:0x0 compound_mapcount: 0
[ 9520.388030] flags: 0x8100(slab|head)
[ 9520.388281] raw: 0000000000008100 ffffea0002deb608 ffffea0002728808 ffff880108a1d700
[ 9520.388722] raw: 0000000000000000 0000000000130013 00000001ffffffff 0000000000000000
[ 9520.389169] page dumped because: kasan: bad access detected
[ 9520.389473]
[ 9520.389658] Memory state around the buggy address:
[ 9520.389943]  ffff8800b7ada400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.390368]  ffff8800b7ada480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.390796] >ffff8800b7ada500: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 9520.391223]                    ^
[ 9520.391461]  ffff8800b7ada580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.391885]  ffff8800b7ada600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 9520.392313] ==================================================================
[ 9520.392772] BTRFS critical (device vdc): entry offset 2258497536, bytes 131072, bitmap no
[ 9520.393247] BUG: unable to handle kernel NULL pointer dereference at 0000000000000011
[ 9520.393705] PGD 800000010dbab067 P4D 800000010dbab067 PUD 107551067 PMD 0
[ 9520.394059] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 9520.394378] CPU: 4 PID: 1721 Comm: btrfs-transacti Tainted: G    B        L    4.19.0-rc8-nbor #555
[ 9520.394858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9520.395350] RIP: 0010:rb_next+0x3c/0x90
[ 9520.396461] RSP: 0018:ffff8801074ff780 EFLAGS: 00010292
[ 9520.396762] RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff81b5ac4c
[ 9520.397115] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000011
[ 9520.397468] RBP: ffff8801074ff7a0 R08: ffffed0021d64ccc R09: ffffed0021d64ccc
[ 9520.397821] R10: 0000000000000001 R11: ffffed0021d64ccb R12: ffff8800b91e0000
[ 9520.398188] R13: ffff8800a3ceba48 R14: ffff8800b627bf80 R15: 0000000000020000
[ 9520.398555] FS:  0000000000000000(0000) GS:ffff88010eb00000(0000) knlGS:0000000000000000
[ 9520.399007] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9520.399335] CR2: 0000000000000011 CR3: 0000000106b52000 CR4: 00000000000006a0
[ 9520.399679] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 9520.400023] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 9520.400400] Call Trace:
[ 9520.400648]  btrfs_dump_free_space+0x146/0x160 [btrfs]
[ 9520.400974]  dump_space_info+0x2cd/0x310 [btrfs]
[ 9520.401287]  btrfs_reserve_extent+0x1ee/0x1f0 [btrfs]
[ 9520.401609]  __btrfs_prealloc_file_range+0x1cc/0x620 [btrfs]
[ 9520.401952]  ? btrfs_update_time+0x180/0x180 [btrfs]
[ 9520.402232]  ? _raw_spin_unlock+0x27/0x40
[ 9520.402522]  ? btrfs_alloc_data_chunk_ondemand+0x2c0/0x5c0 [btrfs]
[ 9520.402882]  btrfs_prealloc_file_range_trans+0x23/0x30 [btrfs]
[ 9520.403261]  cache_save_setup+0x42e/0x580 [btrfs]
[ 9520.403570]  ? btrfs_check_data_free_space+0xd0/0xd0 [btrfs]
[ 9520.403871]  ? lock_downgrade+0x2f0/0x2f0
[ 9520.404161]  ? btrfs_write_dirty_block_groups+0x11f/0x6e0 [btrfs]
[ 9520.404481]  ? kasan_check_read+0x11/0x20
[ 9520.404732]  ? do_raw_spin_unlock+0xa8/0x140
[ 9520.405026]  btrfs_write_dirty_block_groups+0x2af/0x6e0 [btrfs]
[ 9520.405375]  ? btrfs_start_dirty_block_groups+0x870/0x870 [btrfs]
[ 9520.405694]  ? do_raw_spin_unlock+0xa8/0x140
[ 9520.405958]  ? _raw_spin_unlock+0x27/0x40
[ 9520.406243]  ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.406574]  commit_cowonly_roots+0x4b9/0x610 [btrfs]
[ 9520.406899]  ? commit_fs_roots+0x350/0x350 [btrfs]
[ 9520.407253]  ? btrfs_run_delayed_refs+0x1b8/0x230 [btrfs]
[ 9520.407589]  btrfs_commit_transaction+0x5e5/0x10e0 [btrfs]
[ 9520.407925]  ? btrfs_apply_pending_changes+0x90/0x90 [btrfs]
[ 9520.408262]  ? start_transaction+0x168/0x6c0 [btrfs]
[ 9520.408582]  transaction_kthread+0x21c/0x240 [btrfs]
[ 9520.408870]  kthread+0x1d2/0x1f0
[ 9520.409138]  ? btrfs_cleanup_transaction+0xb50/0xb50 [btrfs]
[ 9520.409440]  ? kthread_park+0xb0/0xb0
[ 9520.409682]  ret_from_fork+0x3a/0x50
[ 9520.410508] Dumping ftrace buffer:
[ 9520.410764]    (ftrace buffer empty)
[ 9520.411007] CR2: 0000000000000011
[ 9520.411297] ---[ end trace 01a0863445cf360a ]---
[ 9520.411568] RIP: 0010:rb_next+0x3c/0x90
[ 9520.412644] RSP: 0018:ffff8801074ff780 EFLAGS: 00010292
[ 9520.412932] RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff81b5ac4c
[ 9520.413274] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000011
[ 9520.413616] RBP: ffff8801074ff7a0 R08: ffffed0021d64ccc R09: ffffed0021d64ccc
[ 9520.414007] R10: 0000000000000001 R11: ffffed0021d64ccb R12: ffff8800b91e0000
[ 9520.414349] R13: ffff8800a3ceba48 R14: ffff8800b627bf80 R15: 0000000000020000
[ 9520.416074] FS:  0000000000000000(0000) GS:ffff88010eb00000(0000) knlGS:0000000000000000
[ 9520.416536] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9520.416848] CR2: 0000000000000011 CR3: 0000000106b52000 CR4: 00000000000006a0
[ 9520.418477] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 9520.418846] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 9520.419204] Kernel panic - not syncing: Fatal exception
[ 9520.419666] Dumping ftrace buffer:
[ 9520.419930]    (ftrace buffer empty)
[ 9520.420168] Kernel Offset: disabled
[ 9520.420406] ---[ end Kernel panic - not syncing: Fatal exception ]---

Fix this by acquiring the respective lock before iterating the rbtree.

Reported-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/free-space-cache.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -2141,6 +2141,7 @@ void btrfs_dump_free_space(struct btrfs_
 	struct rb_node *n;
 	int count = 0;
 
+	spin_lock(&ctl->tree_lock);
 	for (n = rb_first(&ctl->free_space_offset); n; n = rb_next(n)) {
 		info = rb_entry(n, struct btrfs_free_space, offset_index);
 		if (info->bytes >= bytes && !block_group->ro)
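Review bot: with spin_lock(&ctl->tree_lock) taken just above the loop in btrfs_dump_free_space(), every entry is now printed with a spinlock held, so on a block group with many free-space entries the lock stays held for the whole dump and anything else contending on tree_lock spins for that long. If the dump can be large, consider bounding the number of entries printed, or add a comment stating that this path only runs for error reporting and the hold time is accepted.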
@@ -2150,6 +2151,7 @@ void btrfs_dump_free_space(struct btrfs_
 			   info->offset, info->bytes,
 		       (info->bitmap) ? "yes" : "no");
 	}
+	spin_unlock(&ctl->tree_lock);
 	btrfs_info(block_group->fs_info, "block group has cluster?: %s",
 	       list_empty(&block_group->cluster_list) ? "no" : "yes");
 	btrfs_info(block_group->fs_info,
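Review bot: spin_unlock(&ctl->tree_lock) is placed before the list_empty(&block_group->cluster_list) read, so that check still runs unlocked. If cluster_list is protected by the same tree_lock, moving the unlock below the "block group has cluster?" message would keep the dump consistent; if a different lock covers it, a one-line comment saying so would help.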


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 114/305] thermal: rcar_thermal: Prevent hardware access during system suspend
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (266 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 005/305] x86/mm: Fix regression with huge pages on PAE Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 216/305] HID: Add quirk for Primax PIXART OEM mice Ben Hutchings
                   ` (37 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Eduardo Valentin,
	Niklas Söderlund

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 3a31386217628ffe2491695be2db933c25dde785 upstream.

On r8a7791/koelsch, sometimes the following message is printed during
system suspend:

    rcar_thermal e61f0000.thermal: thermal sensor was broken

This happens if the workqueue runs while the device is already
suspended.  Fix this by using the freezable system workqueue instead,
cfr. commit 51e20d0e3a60cf46 ("thermal: Prevent polling from happening
during system suspend").

Fixes: e0a5172e9eec7f0d ("thermal: rcar: add interrupt support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/thermal/rcar_thermal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/thermal/rcar_thermal.c
+++ b/drivers/thermal/rcar_thermal.c
@@ -351,8 +351,8 @@ static irqreturn_t rcar_thermal_irq(int
 	rcar_thermal_for_each_priv(priv, common) {
 		if (rcar_thermal_had_changed(priv, status)) {
 			rcar_thermal_irq_disable(priv);
-			schedule_delayed_work(&priv->work,
-					      msecs_to_jiffies(300));
+			queue_delayed_work(system_freezable_wq, &priv->work,
+					   msecs_to_jiffies(300));
 		}
 	}
 
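Review bot: the switch to queue_delayed_work(system_freezable_wq, ...) in rcar_thermal_irq() carries no comment, and the reason (the work must not touch the hardware while the device is suspended) lives only in the commit message. A short comment above the call would stop a later cleanup from turning it back into schedule_delayed_work().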


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 298/305] net: macb: add missing barriers when reading descriptors
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (220 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 275/305] net/mlx4_core: Correctly set PFC param if global pause is turned off Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 281/305] fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Ben Hutchings
                   ` (83 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Nicolas Ferre, Anssi Hannula

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>

commit 6e0af298066f3b6d99f58989bb0dca6f764b4c6d upstream.

When reading buffer descriptors on RX or on TX completion, an
RX_USED/TX_USED bit is checked first to ensure that the descriptors have
been populated, i.e. the ownership has been transferred. However, there
are no memory barriers to ensure that the data protected by the
RX_USED/TX_USED bit is up-to-date with respect to that bit.

Specifically:

- TX timestamp descriptors may be loaded before ctrl is loaded for the
  TX_USED check, which is racy as the descriptors may be updated between
  the loads, causing old timestamp descriptor data to be used.

- RX ctrl may be loaded before addr is loaded for the RX_USED check,
  which is racy as a new frame may be written between the loads, causing
  old ctrl descriptor data to be used.
  This issue exists for both macb_rx() and gem_rx() variants.

Fix the races by adding DMA read memory barriers on those paths and
reordering the reads in macb_rx().

I have not observed any actual problems in practice caused by these
being missing, though.

Tested on a ZynqMP based system.

Fixes: 89e5785fc8a6 ("[PATCH] Atmel MACB ethernet driver")
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Cc: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Use rmb() instead of dma_rmb()
 - Drop PTP changes
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/cadence/macb.c
+++ b/drivers/net/ethernet/cadence/macb.c
@@ -691,11 +691,15 @@ static int gem_rx(struct macb *bp, int b
 		rmb();
 
 		addr = desc->addr;
-		ctrl = desc->ctrl;
 
 		if (!(addr & MACB_BIT(RX_USED)))
 			break;
 
+		/* Ensure ctrl is at least as up-to-date as rxused */
+		rmb();
+
+		ctrl = desc->ctrl;
+
 		bp->rx_tail++;
 		count++;
 
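Review bot: the commit message says the reads are reordered in macb_rx(), but this gem_rx() hunk moves the ctrl load below the RX_USED check as well, so the message should name both functions. The new comment here also says "rxused" where the macb_rx() one says "addr"; using the same wording in both places would make it obvious that they guard the same ordering.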
@@ -838,11 +842,15 @@ static int macb_rx(struct macb *bp, int
 		rmb();
 
 		addr = desc->addr;
-		ctrl = desc->ctrl;
 
 		if (!(addr & MACB_BIT(RX_USED)))
 			break;
 
+		/* Ensure ctrl is at least as up-to-date as addr */
+		rmb();
+
+		ctrl = desc->ctrl;
+
 		if (ctrl & MACB_BIT(RX_SOF)) {
 			if (first_frag != -1)
 				discard_partial_frame(bp, first_frag, tail);
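Review bot: each macb_rx() loop iteration now executes two rmb() calls, the existing one before the addr load and the new one before the ctrl load, and the backport note says rmb() stands in for the upstream dma_rmb(). The new comment should say which pair of loads this barrier orders (the addr load carrying RX_USED, then ctrl), so that the two barriers are not later merged as redundant.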


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 264/305] mac80211: fix reordering of buffered broadcast packets
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 009/305] s390/dasd: Restore a necessary cast Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 141/305] mtd: docg3: don't set conflicting BCH_CONST_PARAMS option Ben Hutchings
                   ` (179 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johannes Berg, Felix Fietkau

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <nbd@nbd.name>

commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream.

If the buffered broadcast queue contains packets, letting new packets bypass
that queue can lead to heavy reordering, since the driver is probably throttling
transmission of buffered multicast packets after beacons.

Keep buffering packets until the buffer has been cleared (and no client
is in powersave mode).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/tx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -417,8 +417,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i
 	if (tx->local->hw.flags & IEEE80211_HW_QUEUE_CONTROL)
 		info->hw_queue = tx->sdata->vif.cab_queue;
 
-	/* no stations in PS mode */
-	if (!atomic_read(&ps->num_sta_ps))
+	/* no stations in PS mode and no buffered packets */
+	if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
 		return TX_CONTINUE;
 
 	info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
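Review bot: the new condition reads ps->num_sta_ps and skb_queue_empty(&ps->bc_buf) as two separate unlocked checks, so a frame can take the buffering path because bc_buf looked non-empty and then find the queue already drained, with no station in powersave. Please state in the comment or the commit message what flushes bc_buf in that case, since from this point on the frame is tagged IEEE80211_TX_CTL_SEND_AFTER_DTIM.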


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 171/305] mac80211: Clear beacon_int in ieee80211_do_stop
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 117/305] HID: hiddev: fix potential Spectre v1 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 275/305] net/mlx4_core: Correctly set PFC param if global pause is turned off Ben Hutchings
                   ` (85 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johannes Berg, Ben Greear

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Greear <greearb@candelatech.com>

commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream.

This fixes stale beacon-int values that would keep a netdev
from going up.

To reproduce:

Create two VAP on one radio.
vap1 has beacon-int 100, start it.
vap2 has beacon-int 240, start it (and it will fail
  because beacon-int mismatch).
reconfigure vap2 to have beacon-int 100 and start it.
  It will fail because the stale beacon-int 240 will be used
  in the ifup path and hostapd never gets a chance to set the
  new beacon interval.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/iface.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -955,6 +955,8 @@ static void ieee80211_do_stop(struct iee
 	if (local->open_count == 0)
 		ieee80211_clear_tx_pending(local);
 
+	sdata->vif.bss_conf.beacon_int = 0;
+
 	/*
 	 * If the interface goes down while suspended, presumably because
 	 * the device was unplugged and that happens before our resume,
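Review bot: sdata->vif.bss_conf.beacon_int = 0 is added to ieee80211_do_stop() without a comment, and it sits outside the open_count == 0 block above it, so it runs on every interface stop. A one-line comment saying the value is cleared so that a stale interval cannot fail the next ifup would record the intent, which is currently only in the commit message.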


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 054/305] ext4: fix EXT4_IOC_SWAP_BOOT
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 187/305] batman-adv: Check total_size when queueing fragments Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 068/305] bcache: fix wrong cache_misses statistics Ben Hutchings
                   ` (278 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Theodore Ts'o, syzbot+e81ccd4744c6c4f71354

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 18aded17492088962ef43f00825179598b3e8c58 upstream.

The code for the EXT4_IOC_SWAP_BOOT ioctl hasn't been updated in a while, and
it's a bit broken with respect to more modern ext4 kernels, especially
metadata checksums.

Other problems fixed with this commit:

* Don't allow installing a DAX, swap file, or an encrypted file as a
  boot loader.

* Respect the immutable and append-only flags.

* Wait until any DIO operations are finished *before* calling
  truncate_inode_pages().

* Don't swap inode->i_flags, since these flags have nothing to do with
  the inode blocks --- and it will give the IMA/audit code heartburn
  when the inode is evicted.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: syzbot+e81ccd4744c6c4f71354@syzkaller.appspotmail.com
[bwh: Backported to 3.16:
 - Drop IS_ENCRYPTED() check
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/ioctl.c | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -64,7 +64,6 @@ static void swap_inode_data(struct inode
 	ei1 = EXT4_I(inode1);
 	ei2 = EXT4_I(inode2);
 
-	memswap(&inode1->i_flags, &inode2->i_flags, sizeof(inode1->i_flags));
 	memswap(&inode1->i_version, &inode2->i_version,
 		  sizeof(inode1->i_version));
 	memswap(&inode1->i_blocks, &inode2->i_blocks,
@@ -86,6 +85,21 @@ static void swap_inode_data(struct inode
 	i_size_write(inode2, isize);
 }
 
+static void reset_inode_seed(struct inode *inode)
+{
+	struct ext4_inode_info *ei = EXT4_I(inode);
+	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+	__le32 inum = cpu_to_le32(inode->i_ino);
+	__le32 gen = cpu_to_le32(inode->i_generation);
+	__u32 csum;
+
+	if (!ext4_has_metadata_csum(inode->i_sb))
+		return;
+
+	csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)&inum, sizeof(inum));
+	ei->i_csum_seed = ext4_chksum(sbi, csum, (__u8 *)&gen, sizeof(gen));
+}
+
 /**
  * Swap the information from the given @inode and the inode
  * EXT4_BOOT_LOADER_INO. It will basically swap i_data and all other
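Review bot: reset_inode_seed() derives i_csum_seed from i_ino and i_generation, so it is only correct when called after i_generation has been reassigned, but nothing in the function says so. A short comment stating that ordering requirement would help, as would noting that the function is a no-op without metadata checksums.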
@@ -104,10 +118,13 @@ static long swap_inode_boot_loader(struc
 	struct ext4_inode_info *ei_bl;
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 
-	if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode))
+	if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) ||
+	    IS_SWAPFILE(inode) ||
+	    ext4_has_inline_data(inode))
 		return -EINVAL;
 
-	if (!inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN))
+	if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) ||
+	    !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO);
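Review bot: the checks added to swap_inode_boot_loader() do not line up with the commit message: the message lists DAX, swap and encrypted files, while the hunk rejects IS_SWAPFILE() and ext4_has_inline_data() and has no DAX test (the backport note only explains the dropped IS_ENCRYPTED()). Either the message or the condition should be updated so that a reader can tell which file types are refused. Note also that IS_RDONLY() is folded into the -EPERM branch together with the ownership and capability checks.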
@@ -122,15 +139,15 @@ static long swap_inode_boot_loader(struc
 	 * that only 1 swap_inode_boot_loader is running. */
 	lock_two_nondirectories(inode, inode_bl);
 
-	truncate_inode_pages(&inode->i_data, 0);
-	truncate_inode_pages(&inode_bl->i_data, 0);
-
 	/* Wait for all existing dio workers */
 	ext4_inode_block_unlocked_dio(inode);
 	ext4_inode_block_unlocked_dio(inode_bl);
 	inode_dio_wait(inode);
 	inode_dio_wait(inode_bl);
 
+	truncate_inode_pages(&inode->i_data, 0);
+	truncate_inode_pages(&inode_bl->i_data, 0);
+
 	handle = ext4_journal_start(inode_bl, EXT4_HT_MOVE_EXTENTS, 2);
 	if (IS_ERR(handle)) {
 		err = -EINVAL;
@@ -166,6 +183,8 @@ static long swap_inode_boot_loader(struc
 	inode->i_generation = sbi->s_next_generation++;
 	inode_bl->i_generation = sbi->s_next_generation++;
 	spin_unlock(&sbi->s_next_gen_lock);
+	reset_inode_seed(inode);
+	reset_inode_seed(inode_bl);
 
 	ext4_discard_preallocations(inode);
 
@@ -176,6 +195,7 @@ static long swap_inode_boot_loader(struc
 			inode->i_ino, err);
 		/* Revert all changes: */
 		swap_inode_data(inode, inode_bl);
+		ext4_mark_inode_dirty(handle, inode);
 	} else {
 		err = ext4_mark_inode_dirty(handle, inode_bl);
 		if (err < 0) {
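Review bot: the ext4_mark_inode_dirty(handle, inode) added to the revert path ignores its return value, unlike the call on the else branch just below, which assigns to err. If a failure here cannot be handled, a comment saying that the original err is deliberately kept would make that clear.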
@@ -185,6 +205,7 @@ static long swap_inode_boot_loader(struc
 			/* Revert all changes: */
 			swap_inode_data(inode, inode_bl);
 			ext4_mark_inode_dirty(handle, inode);
+			ext4_mark_inode_dirty(handle, inode_bl);
 		}
 	}
 	ext4_journal_stop(handle);


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 196/305] NFSv4: Don't exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 006/305] x86/eisa: Add missing include Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 255/305] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c Ben Hutchings
                   ` (99 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Trond Myklebust

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit 21a446cf186570168b7281b154b1993968598aca upstream.

If we exit the NFSv4 state manager due to a umount, then we can end up
leaving the NFS4CLNT_MANAGER_RUNNING flag set. If another mount causes
the nfs4_client to be rereferenced before it is destroyed, then we end
up never being able to recover state.

Fixes: 47c2199b6eb5 ("NFSv4.1: Ensure state manager thread dies on last ...")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/nfs4state.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -2427,11 +2427,12 @@ static void nfs4_state_manager(struct nf
 		nfs4_clear_state_manager_bit(clp);
 		/* Did we race with an attempt to give us more work? */
 		if (clp->cl_state == 0)
-			break;
+			return;
 		if (test_and_set_bit(NFS4CLNT_MANAGER_RUNNING, &clp->cl_state) != 0)
-			break;
+			return;
 	} while (atomic_read(&clp->cl_count) > 1);
-	return;
+	goto out_drain;
+
 out_error:
 	if (strlen(section))
 		section_sep = ": ";
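Review bot: after this change the two early exits inside the loop use a bare return while falling out of the loop goes through out_drain, and the difference is not explained. A comment on the returns (the manager bit has just been cleared, or another thread now owns it) would show why those paths must skip nfs4_clear_state_manager_bit() and the loop exit must not.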
@@ -2439,6 +2440,7 @@ out_error:
 			" with error %d\n", section_sep, section,
 			clp->cl_hostname, -status);
 	ssleep(1);
+out_drain:
 	nfs4_end_drain_session(clp);
 	nfs4_clear_state_manager_bit(clp);
 }
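Review bot: placing out_drain: directly above nfs4_end_drain_session(clp) means the normal loop exit now runs the drain teardown that was previously reached only from out_error. Please confirm that nfs4_end_drain_session() is safe to call when no drain was started on this pass.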


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 060/305] powerpc/pseries: Fix how we iterate over the DTL entries
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (240 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 111/305] net: bcmgenet: fix OF child-node lookup Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 098/305] drm/i915: Large page offsets for pread/pwrite Ben Hutchings
                   ` (63 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Naveen N. Rao, Michael Ellerman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>

commit 9258227e9dd1da8feddb07ad9702845546a581c9 upstream.

When CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set, we look up dtl_idx in
the lppaca to determine the number of entries in the buffer. Since
lppaca is in big endian, we need to do an endian conversion before using
this in our calculation to determine the number of entries in the
buffer. Without this, we do not iterate over the existing entries in the
DTL buffer properly.

Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/pseries/dtl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/dtl.c
+++ b/arch/powerpc/platforms/pseries/dtl.c
@@ -184,7 +184,7 @@ static void dtl_stop(struct dtl *dtl)
 
 static u64 dtl_current_index(struct dtl *dtl)
 {
-	return lppaca_of(dtl->cpu).dtl_idx;
+	return be64_to_cpu(lppaca_of(dtl->cpu).dtl_idx);
 }
 #endif /* CONFIG_VIRT_CPU_ACCOUNTING_NATIVE */
 


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 062/305] IB/mthca: Fix error return code in __mthca_init_one()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 068/305] bcache: fix wrong cache_misses statistics Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 127/305] rtnetlink: Disallow FDB configuration for non-Ethernet device Ben Hutchings
                   ` (276 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Wei Yongjun, Jason Gunthorpe

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Yongjun <weiyongjun1@huawei.com>

commit 39f2495618c5e980d2873ea3f2d1877dd253e07a upstream.

Fix to return a negative error code from the mthca_cmd_init() error
handling case instead of 0, as done elsewhere in this function.

Fixes: 80fd8238734c ("[PATCH] IB/mthca: Encapsulate command interface init")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mthca/mthca_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mthca/mthca_main.c
+++ b/drivers/infiniband/hw/mthca/mthca_main.c
@@ -989,7 +989,8 @@ static int __mthca_init_one(struct pci_d
 		goto err_free_dev;
 	}
 
-	if (mthca_cmd_init(mdev)) {
+	err = mthca_cmd_init(mdev);
+	if (err) {
 		mthca_err(mdev, "Failed to init command interface, aborting.\n");
 		goto err_free_dev;
 	}
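Review bot: now that the result of mthca_cmd_init() is kept in err, the mthca_err() call on the next line could print it; as written the log still says only "Failed to init command interface, aborting." and the error code is visible only to the caller.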


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 286/305] xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 137/305] ext4: add missing brelse() add_new_gdb_meta_bg()'s error path Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 246/305] ALSA: hda: Add support for AMD Stoney Ridge Ben Hutchings
                   ` (159 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Nyman, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream.

The code to prevent a bus suspend if a USB3 port was still in link training
also reacted to USB2 port polling state.
This caused bus suspend to busyloop in some cases.
USB2 polling state is different from USB3, and should not prevent bus
suspend.

Limit the USB3 link training state check to USB3 root hub ports only.
The original commit went to stable so this needs to be applied there as well

Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected")
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1205,7 +1205,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd
 		portsc_buf[port_index] = 0;
 
 		/* Bail out if a USB3 port has a new device in link training */
-		if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
+		if ((hcd->speed >= HCD_USB3) &&
+		    (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
 			bus_state->bus_suspended = 0;
 			spin_unlock_irqrestore(&xhci->lock, flags);
 			xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
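Review bot: the added hcd->speed >= HCD_USB3 test is wrapped in an extra pair of parentheses that the && does not need, while the PORT_PLS_MASK comparison on the next line is not, so the two halves of the condition read inconsistently. Dropping the outer parentheses on the first line would keep it in line with the comparison below it.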


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 120/305] net: sched: gred: pass the right attribute to gred_change_table_def()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 116/305] thermal: rcar_thermal: Prevent doing work after unbind Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 175/305] can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() Ben Hutchings
                   ` (262 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jakub Kicinski, David S. Miller

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <jakub.kicinski@netronome.com>

commit 38b4f18d56372e1e21771ab7b0357b853330186c upstream.

gred_change_table_def() takes a pointer to TCA_GRED_DPS attribute,
and expects it will be able to interpret its contents as
struct tc_gred_sopt.  Pass the correct gred attribute, instead of
TCA_OPTIONS.

This bug meant the table definition could never be changed after
Qdisc was initialized (unless whatever TCA_OPTIONS contained both
passed netlink validation and was a valid struct tc_gred_sopt...).

Old behaviour:
$ ip link add type dummy
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
RTNETLINK answers: Invalid argument

Now:
$ ip link add type dummy
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0
$ tc qdisc replace dev dummy0 parent root handle 7: \
     gred setup vqs 4 default 0

Fixes: f62d6b936df5 ("[PKT_SCHED]: GRED: Use central VQ change procedure")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_gred.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -437,7 +437,7 @@ static int gred_change(struct Qdisc *sch
 		return err;
 
 	if (tb[TCA_GRED_PARMS] == NULL && tb[TCA_GRED_STAB] == NULL)
-		return gred_change_table_def(sch, opt);
+		return gred_change_table_def(sch, tb[TCA_GRED_DPS]);
 
 	if (tb[TCA_GRED_PARMS] == NULL ||
 	    tb[TCA_GRED_STAB] == NULL)
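Review bot: tb[TCA_GRED_DPS] is passed to gred_change_table_def() without a NULL check in this hunk, and the branch is taken whenever TCA_GRED_PARMS and TCA_GRED_STAB are both absent, which does not by itself guarantee that TCA_GRED_DPS is present. Please confirm that the callee rejects a NULL attribute, or add the check here.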


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 102/305] dm ioctl: harden copy_params()'s copy_from_user() from malicious users
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 034/305] media: em28xx: make v4l2-compliance happier by starting sequence on zero Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 191/305] libata: Apply NOLPM quirk for SAMSUNG MZMPC128HBFU-000MV SSD Ben Hutchings
                   ` (291 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mike Snitzer, Wenwen Wang

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wang6495@umn.edu>

commit 800a7340ab7dd667edf95e74d8e4f23a17e87076 upstream.

In copy_params(), the struct 'dm_ioctl' is first copied from the user
space buffer 'user' to 'param_kernel' and the field 'data_size' is
checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload
up to its 'data' member).  If the check fails, an error code EINVAL will be
returned.  Otherwise, param_kernel->data_size is used to do a second copy,
which copies from the same user-space buffer to 'dmi'.  After the second
copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'.
Given that the buffer 'user' resides in the user space, a malicious
user-space process can race to change the content in the buffer between
the two copies.  This way, the attacker can inject inconsistent data
into 'dmi' (versus previously validated 'param_kernel').

Fix redundant copying of 'minimum_data_size' from user-space buffer by
using the first copy stored in 'param_kernel'.  Also remove the
'data_size' check after the second copy because it is now unnecessary.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-ioctl.c | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1681,8 +1681,7 @@ static void free_params(struct dm_ioctl
 }
 
 static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel,
-		       int ioctl_flags,
-		       struct dm_ioctl **param, int *param_flags)
+		       int ioctl_flags, struct dm_ioctl **param, int *param_flags)
 {
 	struct dm_ioctl *dmi;
 	int secure_data;
@@ -1730,18 +1729,13 @@ static int copy_params(struct dm_ioctl _
 		return -ENOMEM;
 	}
 
-	if (copy_from_user(dmi, user, param_kernel->data_size))
-		goto bad;
+	/* Copy from param_kernel (which was already copied from user) */
+	memcpy(dmi, param_kernel, minimum_data_size);
 
-data_copied:
-	/*
-	 * Abort if something changed the ioctl data while it was being copied.
-	 */
-	if (dmi->data_size != param_kernel->data_size) {
-		DMERR("rejecting ioctl: data size modified while processing parameters");
+	if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size,
+			   param_kernel->data_size - minimum_data_size))
 		goto bad;
-	}
-
+data_copied:
 	/* Wipe the user buffer so we do not return it to userspace */
 	if (secure_data && clear_user(user, param_kernel->data_size))
 		goto bad;
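
Review bot: The length 'param_kernel->data_size - minimum_data_size'
passed to the new copy_from_user() has no guard in this hunk, so it is
only safe while the earlier data_size check described in the commit
message stays ahead of it. A one-line comment at the call stating that
data_size >= minimum_data_size is already enforced would keep a later
reorder from turning this into a wrapped, very large length. Moving
'data_copied:' below both copies also means any 'goto data_copied'
outside this hunk now skips the memcpy() as well as the user copy, so
those paths should be checked to confirm dmi is already populated from
param_kernel when they jump.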


^ permalink raw reply	[flat|nested] 313+ messages in thread
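
The race described in the commit message above, as an added userspace simulation that is not part of the patch or of the kernel source. 'struct demo_ioctl', 'FLAG_FORBIDDEN', 'fetch_user()' and the deterministic "racer" are assumptions standing in for struct dm_ioctl, a validated header field, copy_from_user() and a concurrent user-space thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical stand-in for struct dm_ioctl. */
struct demo_ioctl {
	uint32_t data_size;	/* total bytes, header included */
	uint32_t flags;		/* validated on the first copy */
	char data[];		/* payload follows the header */
};

#define MIN_SIZE	offsetof(struct demo_ioctl, data)
#define FLAG_FORBIDDEN	0x80u	/* hypothetical flag the kernel side rejects */

/* Simulated user memory; the "racer" rewrites it after the first fetch. */
static unsigned char user_mem[64];
static int fetches;

/* Stand-in for copy_from_user(); returns 0 on success like the real one. */
static int fetch_user(void *dst, const unsigned char *src, size_t n)
{
	memcpy(dst, src, n);
	if (++fetches == 1) {
		uint32_t evil = FLAG_FORBIDDEN;

		/* Constructed race: flip the flags word between the two copies. */
		memcpy(user_mem + offsetof(struct demo_ioctl, flags),
		       &evil, sizeof(evil));
	}
	return 0;
}

/* First copy plus validation, shared by both variants. */
static int fetch_header(struct demo_ioctl *hdr)
{
	if (fetch_user(hdr, user_mem, MIN_SIZE))
		return -1;
	if (hdr->data_size < MIN_SIZE || hdr->data_size > sizeof(user_mem))
		return -1;
	return (hdr->flags & FLAG_FORBIDDEN) ? -1 : 0;
}

/* Pre-patch shape: the second copy re-reads the header from user memory. */
static struct demo_ioctl *copy_double_fetch(struct demo_ioctl *hdr)
{
	struct demo_ioctl *dmi;

	if (fetch_header(hdr) || !(dmi = malloc(hdr->data_size)))
		return NULL;
	if (fetch_user(dmi, user_mem, hdr->data_size) ||
	    dmi->data_size != hdr->data_size) {	/* only data_size is re-checked */
		free(dmi);
		return NULL;
	}
	return dmi;
}

/* Patched shape: header comes from the validated copy, only payload is fetched. */
static struct demo_ioctl *copy_single_fetch(struct demo_ioctl *hdr)
{
	struct demo_ioctl *dmi;

	if (fetch_header(hdr) || !(dmi = malloc(hdr->data_size)))
		return NULL;
	memcpy(dmi, hdr, MIN_SIZE);
	if (fetch_user(dmi->data, user_mem + MIN_SIZE,
		       hdr->data_size - MIN_SIZE)) {
		free(dmi);
		return NULL;
	}
	return dmi;
}

/* Returns the flags word that ends up in the kernel copy, or -1 on reject. */
static long flags_seen(int single_fetch)
{
	struct demo_ioctl hdr, *dmi;
	uint32_t size = MIN_SIZE + 8;
	long seen;

	memset(user_mem, 0, sizeof(user_mem));	/* flags start out clean */
	memcpy(user_mem + offsetof(struct demo_ioctl, data_size),
	       &size, sizeof(size));
	memcpy(user_mem + MIN_SIZE, "payload", 8);
	fetches = 0;

	dmi = single_fetch ? copy_single_fetch(&hdr) : copy_double_fetch(&hdr);
	if (!dmi)
		return -1;
	seen = dmi->flags;
	free(dmi);
	return seen;
}

int main(void)
{
	printf("double fetch: flags = 0x%lx\n", (unsigned long)flags_seen(0));
	printf("single fetch: flags = 0x%lx\n", (unsigned long)flags_seen(1));
	return 0;
}
```

In the double-fetch variant the data_size re-check passes while the flags word in the kernel copy no longer matches what was validated; the single-fetch variant keeps the validated header.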

* [PATCH 3.16 235/305] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 212/305] drm/i915: Disable LP3 watermarks on all SNB machines Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 198/305] netfilter: nf_tables: fix oob access Ben Hutchings
                   ` (255 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Haiyang Zhang, Dexuan Cui,
	Stephen Hemminger, K. Y. Srinivasan, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <decui@microsoft.com>

commit eceb05965489784f24bbf4d61ba60e475a983016 upstream.

This is a longstanding issue: if the vmbus upper-layer drivers try to
consume too many GPADLs, the host may return with an error
0xC0000044 (STATUS_QUOTA_EXCEEDED), but currently we forget to check
the creation_status, and hence we can pass an invalid GPADL handle
into the OPEN_CHANNEL message, and get an error code 0xc0000225 in
open_info->response.open_result.status, and finally we hang in
vmbus_open() -> "goto error_free_info" -> vmbus_teardown_gpadl().

With this patch, we can exit gracefully on STATUS_QUOTA_EXCEEDED.

Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: K. Y. Srinivasan <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hv/channel.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -416,6 +416,14 @@ int vmbus_establish_gpadl(struct vmbus_c
 	}
 	wait_for_completion(&msginfo->waitevent);
 
+	if (msginfo->response.gpadl_created.creation_status != 0) {
+		pr_err("Failed to establish GPADL: err = 0x%x\n",
+		       msginfo->response.gpadl_created.creation_status);
+
+		ret = -EDQUOT;
+		goto cleanup;
+	}
+
 	/* At this point, we received the gpadl created msg */
 	*gpadl_handle = gpadlmsg->gpadl;
 
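
Review bot: The new check maps every non-zero creation_status to
-EDQUOT, but the commit message identifies only 0xC0000044
(STATUS_QUOTA_EXCEEDED) as the quota case, so any other host failure
would reach callers as a quota error. Consider returning -EDQUOT only
for that status and a generic error such as -EIO otherwise; the
pr_err() already logs the raw value. It is also worth confirming that
the 'cleanup' label, which is outside this hunk, releases msginfo on
this new path.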


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 124/305] um: Drop own definition of PTRACE_SYSEMU/_SINGLESTEP
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 135/305] ext4: avoid potential extra brelse in setup_new_flex_group_blocks() Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 072/305] media: cx231xx: fix potential sign-extension overflow on large shift Ben Hutchings
                   ` (239 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Richard Weinberger, Ritesh Raj Sarraf

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 0676b957c24bfb6e495449ba7b7e72c5b5d79233 upstream.

32bit UML used to define PTRACE_SYSEMU and PTRACE_SYSEMU_SINGLESTEP
on its own because many years ago not all libcs had these request codes
in their UAPI.
These days PTRACE_SYSEMU/_SINGLESTEP is well known and part of glibc
and our own define becomes problematic.

With change c48831d0eebf ("linux/x86: sync sys/ptrace.h with Linux 4.14
[BZ #22433]") glibc turned PTRACE_SYSEMU/_SINGLESTEP into an enum and
UML failed to build.

Let's drop our define and rely on the fact that every libc has
PTRACE_SYSEMU/_SINGLESTEP.

Cc: Ritesh Raj Sarraf <rrs@researchut.com>
Reported-and-tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/um/shared/sysdep/ptrace_32.h | 10 ----------
 1 file changed, 10 deletions(-)

--- a/arch/x86/um/shared/sysdep/ptrace_32.h
+++ b/arch/x86/um/shared/sysdep/ptrace_32.h
@@ -10,20 +10,10 @@
 
 static inline void update_debugregs(int seq) {}
 
-/* syscall emulation path in ptrace */
-
-#ifndef PTRACE_SYSEMU
-#define PTRACE_SYSEMU 31
-#endif
-
 void set_using_sysemu(int value);
 int get_using_sysemu(void);
 extern int sysemu_supported;
 
-#ifndef PTRACE_SYSEMU_SINGLESTEP
-#define PTRACE_SYSEMU_SINGLESTEP 32
-#endif
-
 #define UPT_SYSCALL_ARG1(r) UPT_BX(r)
 #define UPT_SYSCALL_ARG2(r) UPT_CX(r)
 #define UPT_SYSCALL_ARG3(r) UPT_DX(r)
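
Review bot: With both '#ifndef' fallbacks removed, nothing visible in
this header defines PTRACE_SYSEMU or PTRACE_SYSEMU_SINGLESTEP or
includes a header that does, so every file using them through this
header now depends on having pulled in the libc ptrace header itself.
Please check the users of this header for that include, and state the
minimum libc assumption in the commit message, since the build now
fails instead of falling back when a libc lacks these request codes.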


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 168/305] net: stmmac: Fix RX packet size > 8191
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 218/305] mips: fix mips_get_syscall_arg o32 check Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 106/305] libceph: bump CEPH_MSG_MAX_DATA_LEN Ben Hutchings
                   ` (207 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thor Thayer, David S. Miller, Jose Abreu

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thor Thayer <thor.thayer@linux.intel.com>

commit 8137b6ef0ce469154e5cf19f8e7fe04d9a72ac5e upstream.

Ping problems with packets > 8191 as shown:

PING 192.168.1.99 (192.168.1.99) 8150(8178) bytes of data.
8158 bytes from 192.168.1.99: icmp_seq=1 ttl=64 time=0.669 ms
wrong data byte 8144 should be 0xd0 but was 0x0
16    10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
      20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
%< ---------------snip--------------------------------------
8112  b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf
      c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf
8144  0 0 0 0 d0 d1
      ^^^^^^^
Notice the 4 bytes of 0 before the expected byte of d0.

Databook notes that the RX buffer must be a multiple of 4/8/16
bytes [1].

Update the DMA Buffer size define to 8188 instead of 8192. Remove
the -1 from the RX buffer size allocations and use the new
DMA Buffer size directly.

[1] Synopsys DesignWare Cores Ethernet MAC Universal v3.70a
    [section 8.4.2 - Table 8-24]

Tested on SoCFPGA Stratix10 with ping sweep from 100 to 8300 byte packets.

Fixes: 286a83721720 ("stmmac: add CHAINED descriptor mode support (V4)")
Suggested-by: Jose Abreu <jose.abreu@synopsys.com>
Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/stmicro/stmmac/common.h    | 3 ++-
 drivers/net/ethernet/stmicro/stmmac/descs_com.h | 2 +-
 drivers/net/ethernet/stmicro/stmmac/enh_desc.c  | 2 +-
 drivers/net/ethernet/stmicro/stmmac/ring_mode.c | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -272,7 +272,8 @@ struct dma_features {
 
 /* GMAC TX FIFO is 8K, Rx FIFO is 16K */
 #define BUF_SIZE_16KiB 16384
-#define BUF_SIZE_8KiB 8192
+/* RX Buffer size must be < 8191 and multiple of 4/8/16 bytes */
+#define BUF_SIZE_8KiB 8188
 #define BUF_SIZE_4KiB 4096
 #define BUF_SIZE_2KiB 2048
 
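
Review bot: The new comment says the RX buffer size must be a multiple
of 4/8/16 bytes, but 8188 is a multiple of 4 only (8188 / 8 = 1023.5),
so the value meets just one of the three cases the comment lists.
Either say which case applies to this hardware or pick a value that
satisfies the strictest one, such as 8176. The name BUF_SIZE_8KiB also
no longer matches its value, and every user of the macro outside this
patch silently changes from 8192 to 8188.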
--- a/drivers/net/ethernet/stmicro/stmmac/descs_com.h
+++ b/drivers/net/ethernet/stmicro/stmmac/descs_com.h
@@ -35,7 +35,7 @@
 /* Enhanced descriptors */
 static inline void ehn_desc_rx_set_on_ring(struct dma_desc *p, int end)
 {
-	p->des01.erx.buffer2_size = BUF_SIZE_8KiB - 1;
+	p->des01.erx.buffer2_size = BUF_SIZE_8KiB;
 	if (end)
 		p->des01.erx.end_ring = 1;
 }
--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
@@ -242,7 +242,7 @@ static void enh_desc_init_rx_desc(struct
 {
 	p->des01.all_flags = 0;
 	p->des01.erx.own = 1;
-	p->des01.erx.buffer1_size = BUF_SIZE_8KiB - 1;
+	p->des01.erx.buffer1_size = BUF_SIZE_8KiB;
 
 	if (mode == STMMAC_CHAIN_MODE)
 		ehn_desc_rx_set_on_chain(p, end);
--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
@@ -120,7 +120,7 @@ static void stmmac_clean_desc3(void *pri
 static int stmmac_set_16kib_bfsize(int mtu)
 {
 	int ret = 0;
-	if (unlikely(mtu >= BUF_SIZE_8KiB))
+	if (unlikely(mtu > BUF_SIZE_8KiB))
 		ret = BUF_SIZE_16KiB;
 	return ret;
 }
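
Review bot: Changing '>=' to '>' here, together with the new
BUF_SIZE_8KiB value, moves the switch to 16 KiB buffers from an mtu of
8192 down to an mtu of 8189, while an mtu of exactly 8188 stays on the
8 KiB path. The comparison is against the mtu rather than the frame
length, so please confirm that the link-layer header still fits at
that boundary, or keep '>=' and add a comment explaining the threshold.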


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 055/305] w1: omap-hdq: fix missing bus unregister at removal
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 094/305] KVM: nVMX: Always reflect #NM VM-exits to L1 Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 250/305] tun: forbid iface creation with rtnl ops Ben Hutchings
                   ` (244 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andreas Kemnade, Greg Kroah-Hartman

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Kemnade <andreas@kemnade.info>

commit a007734618fee1bf35556c04fa498d41d42c7301 upstream.

The bus master was not removed after unloading the module
or unbinding the driver. That led to oopses like this

[  127.842987] Unable to handle kernel paging request at virtual address bf01d04c
[  127.850646] pgd = 70e3cd9a
[  127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000
[  127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
[  127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq]
[  127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12
[  127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree)
[  127.890441] PC is at 0xbf01d04c
[  127.893798] LR is at w1_search_process_cb+0x4c/0xfc
[  127.898956] pc : [<bf01d04c>]    lr : [<c05f9580>]    psr: a0070013
[  127.905609] sp : cf885f48  ip : bf01d04c  fp : ddf1e11c
[  127.911132] r10: cf8fe040  r9 : c05f8d00  r8 : cf8fe040
[  127.916656] r7 : 000000f0  r6 : cf8fe02c  r5 : cf8fe000  r4 : cf8fe01c
[  127.923553] r3 : c05f8d00  r2 : 000000f0  r1 : cf8fe000  r0 : dde1ef10
[  127.930450] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[  127.938018] Control: 10c5387d  Table: 8f8f0019  DAC: 00000051
[  127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f)
[  127.951171] Stack: (0xcf885f48 to 0xcf886000)
[  127.955810] 5f40:                   cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00
[  127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000
[  127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000
[  127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
[  127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[  128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118)
[  128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148)
[  128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
[  128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8)
[  128.037017] 5fa0:                                     00000000 00000000 00000000 00000000
[  128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[  128.061340] Code: bad PC value
[  128.064697] ---[ end trace af066e33c0e14119 ]---

Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/w1/masters/omap_hdq.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/w1/masters/omap_hdq.c
+++ b/drivers/w1/masters/omap_hdq.c
@@ -622,6 +622,8 @@ static int omap_hdq_remove(struct platfo
 	/* remove module dependency */
 	pm_runtime_disable(&pdev->dev);
 
+	w1_remove_master_device(&omap_w1_master);
+
 	return 0;
 }
 
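
Review bot: w1_remove_master_device() is added after
pm_runtime_disable(), so the w1 thread seen in the oops
(w1_bus_master1) can still call into the driver while runtime PM and
whatever teardown precedes this hunk are already undone. Unregistering
the bus master first, before pm_runtime_disable(), would close that
window; if the current order is intentional, a comment saying why
would help.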


^ permalink raw reply	[flat|nested] 313+ messages in thread

* [PATCH 3.16 042/305] crypto: lrw - Fix out-of bounds access on counter overflow
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 197/305] btrfs: Always try all copies when reading extent buffers Ben Hutchings
@ 2019-02-03 13:45 ` Ben Hutchings
  2019-02-03 13:45 ` [PATCH 3.16 221/305] drm/ast: fixed cursor may disappear sometimes Ben Hutchings
                   ` (52 subsequent siblings)
  305 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-03 13:45 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Herbert Xu, Ondrej Mosnacek, Eric Biggers

3.16.63-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Mosnacek <omosnace@redhat.com>

commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.

When the LRW block counter overflows, the current implementation returns
128 as the index to the precomputed multiplication table, which has 128
entries. This patch fixes it to return the correct value (127).

Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
Reported-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/lrw.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl
 		return x + ffz(val);
 	}
 
-	return x;
+	/*
+	 * If we get here, then x == 128 and we are incrementing the counter
+	 * from all ones to all zeros. This means we must return index 127, i.e.
+	 * the one corresponding to key2*{ 1,...,1 }.
+	 */
+	return 127;
 }
 
 static int crypt(struct blkcipher_desc *d,
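
Review bot: The literal 127 in the new return duplicates the size of
the precomputed table (128 entries, per the commit message) without
being tied to it, and the 'x == 128' in the comment is a second copy of
the same number. Deriving the value from the table size, or a named
constant shared with the table declaration, would keep them from
drifting apart. A test vector whose counter is all ones would also
exercise this path; none of the visible changes add one.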


^ permalink raw reply	[flat|nested] 313+ messages in thread
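
The counter-overflow case from the commit message above, as an added userspace model that is not the kernel's crypto/lrw.c code. 'ctr128', 'get_index()' and 'xor_delta_bits()' are names chosen here, and the model assumes table entry i encodes a delta with the low i + 1 bits set, consistent with the patch comment that index 127 is key2*{ 1,...,1 }.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_ENTRIES 128	/* table size stated in the commit message */

/* 128-bit big-endian block counter; b[15] is the least significant byte. */
typedef struct { uint8_t b[16]; } ctr128;

/* Constructed sample counters: most significant byte, then a fill byte. */
static ctr128 ctr_fill(uint8_t top, uint8_t rest)
{
	ctr128 c;

	c.b[0] = top;
	for (int i = 1; i < 16; i++)
		c.b[i] = rest;
	return c;
}

/*
 * Index of the lowest clear bit of the counter, i.e. the table entry
 * needed when the counter is incremented. With fixed == 0 the function
 * falls through with x == 128 as the pre-patch code did.
 */
static int get_index(ctr128 c, int fixed)
{
	int x;

	for (x = 0; x < 128; x++)
		if (!((c.b[15 - x / 8] >> (x % 8)) & 1))
			return x;
	return fixed ? 127 : x;
}

static int in_bounds(int idx)
{
	return idx >= 0 && idx < TABLE_ENTRIES;
}

/* Number of bits that differ between c and c + 1 (mod 2^128). */
static int xor_delta_bits(ctr128 c)
{
	ctr128 n = c;
	int bits = 0;

	for (int i = 15; i >= 0; i--)	/* big-endian increment with carry */
		if (++n.b[i] != 0)
			break;
	for (int i = 0; i < 16; i++)
		for (uint8_t d = c.b[i] ^ n.b[i]; d; d >>= 1)
			bits += d & 1;
	return bits;
}

int main(void)
{
	ctr128 ones = ctr_fill(0xff, 0xff);	/* all ones: wraps to zero */
	ctr128 near = ctr_fill(0x7f, 0xff);	/* 127 trailing ones */

	printf("all ones : old index %d (in bounds: %d), fixed index %d\n",
	       get_index(ones, 0), in_bounds(get_index(ones, 0)),
	       get_index(ones, 1));
	printf("delta bits: all ones %d, 0x7f..ff %d\n",
	       xor_delta_bits(ones), xor_delta_bits(near));
	return 0;
}
```

The all-ones counter and the counter with 127 trailing ones both change all 128 bits on increment, which is why the overflow case shares entry 127 rather than needing a 129th entry.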

* Re: [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
  2019-02-03 13:45 ` [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak Ben Hutchings
@ 2019-02-03 19:05   ` Jiri Kosina
  2019-02-03 21:37     ` Andi Kleen
  0 siblings, 1 reply; 313+ messages in thread
From: Jiri Kosina @ 2019-02-03 19:05 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Denis Kirjanov, WoodhouseDavid,
	Josh Poimboeuf, Andi Kleen, SchauflerCasey, Andrea Arcangeli,
	Thomas Gleixner, Peter Zijlstra

On Sun, 3 Feb 2019, Ben Hutchings wrote:

> 3.16.63-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Jiri Kosina <jkosina@suse.cz>
> 
> commit dbfe2953f63c640463c630746cd5d9de8b2f63ae upstream.

You really want the whole IBPB+STIBP revamp from upstream, otherwise 
you're going to get noticeable performance penalties on some workloads 
with some microcodes.

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 313+ messages in thread

* Re: [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
  2019-02-03 19:05   ` Jiri Kosina
@ 2019-02-03 21:37     ` Andi Kleen
  2019-02-05  1:13       ` Ben Hutchings
  0 siblings, 1 reply; 313+ messages in thread
From: Andi Kleen @ 2019-02-03 21:37 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: Ben Hutchings, linux-kernel, stable, akpm, Denis Kirjanov,
	WoodhouseDavid, Josh Poimboeuf, SchauflerCasey, Andrea Arcangeli,
	Thomas Gleixner, Peter Zijlstra

On Sun, Feb 03, 2019 at 08:05:53PM +0100, Jiri Kosina wrote:
> On Sun, 3 Feb 2019, Ben Hutchings wrote:
> 
> > 3.16.63-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Jiri Kosina <jkosina@suse.cz>
> > 
> > commit dbfe2953f63c640463c630746cd5d9de8b2f63ae upstream.
> 
> You really want the whole IBPB+STIBP revamp from upstream, otherwise 
> you're going to get noticeable performance penalties on some workloads 
> with some microcodes.

Yes, we would need the opt-in/opt-out support too.

Please don't merge it just as is.

-Andi

^ permalink raw reply	[flat|nested] 313+ messages in thread

* Re: [PATCH 3.16 000/305] 3.16.63-rc1 review
  2019-02-03 13:45 [PATCH 3.16 000/305] 3.16.63-rc1 review Ben Hutchings
                   ` (304 preceding siblings ...)
  2019-02-03 13:45 ` [PATCH 3.16 228/305] ALSA: wss: Fix invalid snd_free_pages() at error path Ben Hutchings
@ 2019-02-04 21:38 ` Guenter Roeck
  2019-02-04 23:51   ` Ben Hutchings
  305 siblings, 1 reply; 313+ messages in thread
From: Guenter Roeck @ 2019-02-04 21:38 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, torvalds, Denis Kirjanov, akpm

On Sun, Feb 03, 2019 at 02:45:07PM +0100, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.63 release.
> There are 305 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Feb 08 18:00:00 UTC 2019.
> Anything received after that time might be too late.
> 

Build results:
	total: 137 pass: 136 fail: 1
Failed builds: 
	i386:tools/perf 
Qemu test results:
	total: 222 pass: 222 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 313+ messages in thread

* Re: [PATCH 3.16 000/305] 3.16.63-rc1 review
  2019-02-04 21:38 ` [PATCH 3.16 000/305] 3.16.63-rc1 review Guenter Roeck
@ 2019-02-04 23:51   ` Ben Hutchings
  0 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-04 23:51 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: linux-kernel, stable, torvalds, Denis Kirjanov, akpm

On Mon, 2019-02-04 at 13:38 -0800, Guenter Roeck wrote:
> On Sun, Feb 03, 2019 at 02:45:07PM +0100, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.63 release.
> > There are 305 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Feb 08 18:00:00 UTC 2019.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 137 pass: 136 fail: 1
> Failed builds: 
> 	i386:tools/perf 
> Qemu test results:
> 	total: 222 pass: 222 fail: 0

Great, thanks for checking.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.




^ permalink raw reply	[flat|nested] 313+ messages in thread

* Re: [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
  2019-02-03 21:37     ` Andi Kleen
@ 2019-02-05  1:13       ` Ben Hutchings
  0 siblings, 0 replies; 313+ messages in thread
From: Ben Hutchings @ 2019-02-05  1:13 UTC (permalink / raw)
  To: Andi Kleen, Jiri Kosina
  Cc: linux-kernel, stable, akpm, Denis Kirjanov, WoodhouseDavid,
	Josh Poimboeuf, SchauflerCasey, Andrea Arcangeli,
	Thomas Gleixner, Peter Zijlstra

On Sun, 2019-02-03 at 13:37 -0800, Andi Kleen wrote:
> On Sun, Feb 03, 2019 at 08:05:53PM +0100, Jiri Kosina wrote:
> > On Sun, 3 Feb 2019, Ben Hutchings wrote:
> > 
> > > 3.16.63-rc1 review patch.  If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Jiri Kosina <jkosina@suse.cz>
> > > 
> > > commit dbfe2953f63c640463c630746cd5d9de8b2f63ae upstream.
> > 
> > You really want the whole IBPB+STIBP revamp from upstream, otherwise 
> > you're going to get noticeable performance penalties on some workloads 
> > with some microcodes.
> 
> Yes, we would need the opt-in/opt-out support too.
> 
> Please don't merge it just as is.

Thanks, I've now dropped this.

Ben.

-- 
Ben Hutchings
It is impossible to make anything foolproof
because fools are so ingenious.




^ permalink raw reply	[flat|nested] 313+ messages in thread

* Re: [PATCH 3.16 025/305] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
  2019-02-03 13:45 ` [PATCH 3.16 025/305] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Ben Hutchings
@ 2019-06-07 15:09   ` Doug Anderson
  2019-06-07 15:34     ` Greg KH
  0 siblings, 1 reply; 313+ messages in thread
From: Doug Anderson @ 2019-06-07 15:09 UTC (permalink / raw)
  To: stable
  Cc: LKML, Andrew Morton, Denis Kirjanov, Nadav Amit,
	Mauro Carvalho Chehab, Laurent Pinchart, Ben Hutchings,
	Tomasz Figa, Guenter Roeck

Hi,

On Sun, Feb 3, 2019 at 5:50 AM Ben Hutchings <ben@decadent.org.uk> wrote:
>
> 3.16.63-rc1 review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Nadav Amit <namit@vmware.com>
>
> commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream.
>
> The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of
> (entity->pads) is not a power of two. As a stop-gap, until a better
> solution is adapted, use roundup() instead.
>
> Found by a static assertion. Compile-tested only.
>
> Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity")
>
> Signed-off-by: Nadav Amit <namit@vmware.com>
> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  drivers/media/usb/uvc/uvc_driver.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/drivers/media/usb/uvc/uvc_driver.c
> +++ b/drivers/media/usb/uvc/uvc_driver.c
> @@ -826,7 +826,7 @@ static struct uvc_entity *uvc_alloc_enti
>         unsigned int size;
>         unsigned int i;
>
> -       extra_size = ALIGN(extra_size, sizeof(*entity->pads));
> +       extra_size = roundup(extra_size, sizeof(*entity->pads));
>         num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
>         size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
>              + num_inputs;
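
Review bot: The size computed right after the changed line is built in
'unsigned int' from extra_size, num_pads and num_inputs, and nothing in
this hunk bounds those inputs, so switching ALIGN() to roundup() fixes
the rounding but leaves the sum able to wrap before the allocation. A
check on extra_size and num_pads ahead of the roundup() would cover
that. Separately, what the pads array needs is its alignment rather
than a multiple of its size, which is presumably why the commit message
calls this a stop-gap.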

Funny that this commit made its way to 3.16 but didn't make its way to
4.19 (at least checking 4.19.43).  I haven't seen any actual crashes
caused by the lack of this commit but it seems like the kind of thing
we probably want picked back to other stable kernels too.

-Doug

^ permalink raw reply	[flat|nested] 313+ messages in thread

* Re: [PATCH 3.16 025/305] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
  2019-06-07 15:09   ` Doug Anderson
@ 2019-06-07 15:34     ` Greg KH
  0 siblings, 0 replies; 313+ messages in thread
From: Greg KH @ 2019-06-07 15:34 UTC (permalink / raw)
  To: Doug Anderson
  Cc: stable, LKML, Andrew Morton, Denis Kirjanov, Nadav Amit,
	Mauro Carvalho Chehab, Laurent Pinchart, Ben Hutchings,
	Tomasz Figa, Guenter Roeck

On Fri, Jun 07, 2019 at 08:09:27AM -0700, Doug Anderson wrote:
> Hi,
> 
> On Sun, Feb 3, 2019 at 5:50 AM Ben Hutchings <ben@decadent.org.uk> wrote:
> >
> > 3.16.63-rc1 review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Nadav Amit <namit@vmware.com>
> >
> > commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream.
> >
> > The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of
> > (entity->pads) is not a power of two. As a stop-gap, until a better
> > solution is adapted, use roundup() instead.
> >
> > Found by a static assertion. Compile-tested only.
> >
> > Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity")
> >
> > Signed-off-by: Nadav Amit <namit@vmware.com>
> > Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> >  drivers/media/usb/uvc/uvc_driver.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/drivers/media/usb/uvc/uvc_driver.c
> > +++ b/drivers/media/usb/uvc/uvc_driver.c
> > @@ -826,7 +826,7 @@ static struct uvc_entity *uvc_alloc_enti
> >         unsigned int size;
> >         unsigned int i;
> >
> > -       extra_size = ALIGN(extra_size, sizeof(*entity->pads));
> > +       extra_size = roundup(extra_size, sizeof(*entity->pads));
> >         num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
> >         size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
> >              + num_inputs;
> 
> Funny that this commit made its way to 3.16 but didn't make its way to
> 4.19 (at least checking 4.19.43).  I haven't seen any actual crashes
> caused by the lack of this commit but it seems like the kind of thing
> we probably want picked back to other stable kernels too.

Good idea, now queued up.

greg k-h

^ permalink raw reply	[flat|nested] 313+ messages in thread

2019-02-03 13:45 ` [PATCH 3.16 031/305] s390/qeth: invoke softirqs after napi_schedule() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 094/305] KVM: nVMX: Always reflect #NM VM-exits to L1 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 055/305] w1: omap-hdq: fix missing bus unregister at removal Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 250/305] tun: forbid iface creation with rtnl ops Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 260/305] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 073/305] staging: comedi: ni_mio_common: protect register write overflow Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 135/305] ext4: avoid potential extra brelse in setup_new_flex_group_blocks() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 124/305] um: Drop own definition of PTRACE_SYSEMU/_SINGLESTEP Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 072/305] media: cx231xx: fix potential sign-extension overflow on large shift Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 155/305] ext4: fix possible leak of sbi->s_group_desc_leak in error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 205/305] net/mlx4: Fix UBSAN warning of signed integer overflow Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 012/305] x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 059/305] powerpc/pseries: Fix DTL buffer registration Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 076/305] ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905) Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 052/305] PM / devfreq: Fix devfreq_add_device() when drivers are built as modules Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 209/305] hwmon: (w83795) temp4_type has writable permission Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 261/305] staging: rtl8712: Fix possible buffer overrun Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 265/305] mac80211: ignore NullFunc frames in the duplicate detection Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 301/305] drm: Rewrite drm_ioctl_flags() to resemble the new drm_ioctl() code Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 304/305] ipv6: tunnels: fix two use-after-free Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 017/305] staging: comedi: quatech_daqp_cs: use comedi_timeout() in ao (*insn_write) Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 154/305] USB: misc: appledisplay: add 20" Apple Cinema Display Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 256/305] media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 021/305] cpupower: remove stringop-truncation waring Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 223/305] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 240/305] ext2: fix potential use after free Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 079/305] iwlwifi: mvm: check return value of rs_rate_from_ucode_rate() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 263/305] usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 271/305] virtio/s390: avoid race on vcdev->config Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 166/305] SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 241/305] kvm: mmu: Fix race in emulated page table writes Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 090/305] IB/cm: Avoid AV ah_attr overwriting during LAP message handling Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 125/305] um: Give start_idle_thread() a return code Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 145/305] Btrfs: fix cur_offset in the error case for nocow Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 270/305] kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 133/305] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 008/305] s390/timex: fix get_tod_clock_ext() inline assembly Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 176/305] can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 218/305] mips: fix mips_get_syscall_arg o32 check Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 168/305] net: stmmac: Fix RX packet size > 8191 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 106/305] libceph: bump CEPH_MSG_MAX_DATA_LEN Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 282/305] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 011/305] timer/debug: Change /proc/timer_list from 0444 to 0400 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 066/305] mach64: fix display corruption on big endian machines Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 183/305] Drivers: hv: kvp: Fix the recent regression caused by incorrect clean-up Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 032/305] media: em28xx: use a default format if TRY_FMT fails Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 288/305] mmc: core: Reset HPI enabled state during re-init and in case of errors Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 122/305] nfsd: Fix an Oops in free_session() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 163/305] HID: Add quirk for Microsoft PIXART OEM mouse Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 232/305] Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 020/305] sparc32: Fix inverted invalid_frame_pointer checks on sigreturns Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 224/305] btrfs: relocation: set trans to be NULL after ending transaction Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 238/305] xtensa: fix coprocessor context offset definitions Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 077/305] ext4: fix use-after-free race in ext4_remount()'s error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 043/305] media: pci: cx23885: handle adding to list failure Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 234/305] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 113/305] smb3: do not attempt cifs operation in smb3 query info error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 164/305] termios, tty/tty_baudrate.c: fix buffer overrun Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 178/305] can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 099/305] scsi: esp_scsi: Track residual for PIO transfers Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 236/305] powerpc: Fix COFF zImage booting on old powermacs Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 172/305] ALSA: oss: Use kvzalloc() for local buffer allocations Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 160/305] mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 194/305] libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 037/305] cipso: don't use IPCB() to locate the CIPSO IP option Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 001/305] x86/asm: Add pud/pmd mask interfaces to handle large PAT bit Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 009/305] s390/dasd: Restore a necessary cast Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 264/305] mac80211: fix reordering of buffered broadcast packets Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 141/305] mtd: docg3: don't set conflicting BCH_CONST_PARAMS option Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 105/305] genirq: Fix race on spurious interrupt detection Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 013/305] ARM: fix put_user() for gcc-8 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 047/305] EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 202/305] usb: core: Fix hub port connection events lost Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 207/305] net-gro: reset skb->pkt_type in napi_reuse_skb() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 173/305] fuse: fix leaked notify reply Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 165/305] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 276/305] USB: serial: option: add HP lt4132 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 217/305] ACPI / platform: Add SMB0001 HID to forbidden_id_list Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 083/305] btrfs: wait on caching when putting the bg cache Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 180/305] usb: xhci: fix timeout for transition from RExit to U0 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 063/305] ALSA: usb-audio: update quirk for B&W PX to remove microphone Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 085/305] hwmon: (pmbus) Fix page count auto-detection Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 048/305] iio: adc: at91: fix acking DRDY irq on simple conversions Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 148/305] ext4: fix possible inode leak in the retry loop of ext4_resize_fs() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 201/305] Btrfs: ensure path name is null terminated at btrfs_control_ioctl Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 273/305] bnx2fc: fix an error code in _bnx2fc_create() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 137/305] ext4: add missing brelse() add_new_gdb_meta_bg()'s error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 286/305] xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 246/305] ALSA: hda: Add support for AMD Stoney Ridge Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 170/305] mac80211_hwsim: Timer should be initialized before device registered Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 019/305] media: v4l: event: Add subscription to list before calling "add" operation Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 140/305] x86/hyper-v: Enable PIT shutdown quirk Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 129/305] kbuild: fix kernel/bounds.c 'W=1' warning Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 193/305] libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 064/305] USB: serial: cypress_m8: fix interrupt-out transfer length Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 300/305] vxge: ensure data0 is initialized in when fetching firmware version information Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 302/305] drm/ioctl: Fix Spectre v1 vulnerabilities Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 007/305] x86/boot: eboot.c: Include string function declarations Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 219/305] iser: set sector for ambiguous mr status errors Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 295/305] x86/mtrr: Don't copy uninitialized gentry fields back to userspace Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 267/305] cifs: Fix separator when building path from dentry Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 045/305] x86/speculation: Apply IBPB more strictly to avoid cross-process data leak Ben Hutchings
2019-02-03 19:05   ` Jiri Kosina
2019-02-03 21:37     ` Andi Kleen
2019-02-05  1:13       ` Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 285/305] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 293/305] KVM: x86: Add MSR_AMD64_DC_CFG to the list of ignored MSRs Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 039/305] net/ipv4: defensive cipso option parsing Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 280/305] fuse: cleanup fuse_file refcounting Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 192/305] libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 081/305] spi: sh-msiof: fix deferred probing Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 061/305] x86, hibernate: Fix nosave_regions setup for hibernation Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 096/305] parisc: Fix address in HPMC IVA Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 014/305] disable new gcc-7.1.1 warnings for now Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 269/305] xhci: Prevent U1/U2 link pm states if exit latency is too long Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 108/305] qlcnic: fix a return in qlcnic_dcb_get_capability() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 272/305] virtio/s390: fix race in ccw_io_helper() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 004/305] x86/mm: Simplify p[g4um]d_page() macros Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 095/305] parisc: Fix map_pages() to not overwrite existing pte entries Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 162/305] iommu/ipmmu-vmsa: Fix crash on early domain free Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 210/305] drm/ast: Remove existing framebuffers before loading driver Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 082/305] btrfs: fix error handling in btrfs_dev_replace_start Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 044/305] net: phy: Stop with excessive soft reset Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 190/305] netfilter: nf_tables: don't use position attribute on rule replacement Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 147/305] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 292/305] KVM: Handle MSR_IA32_PERF_CTL Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 226/305] ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 299/305] vxlan: Fix error path in __vxlan_dev_create() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 243/305] rapidio/rionet: do not free skb before reading its length Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 206/305] iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed numbers Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 167/305] ARM: OMAP1: ams-delta: Fix possible use of uninitialized field Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 088/305] IB/{cm, umad}: Handle av init error Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 284/305] vhost: make sure used idx is seen before log in vhost_add_used_n() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 067/305] mach64: fix image corruption due to reading accelerator registers Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 245/305] ALSA: pcm: Call snd_pcm_unlink() conditionally at closing Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 290/305] VSOCK: Send reset control packet when socket is partially bound Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 244/305] s390/qeth: fix length check in SNMP processing Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 028/305] scsi: qla2xxx: shutdown chip if reset fail Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 015/305] turn off -Wattribute-alias Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 130/305] smb3: on kerberos mount if server doesn't specify auth type use krb5 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 214/305] HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 036/305] PCI/ASPM: Fix link_state teardown on device removal Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 074/305] ima: fix showing large 'violations' or 'runtime_measurements_count' Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 057/305] Drivers: hv: kvp: Fix two "this statement may fall through" warnings Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 252/305] SUNRPC: Fix a potential race in xprt_connect() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 069/305] bcache: fix miss key refill->end in writeback Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 080/305] libertas: don't set URB_ZERO_PACKET on IN USB transfer Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 296/305] net: macb: Fix race condition in driver when Rx frame is dropped Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 225/305] exportfs: do not read dentry after free Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 006/305] x86/eisa: Add missing include Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 196/305] NFSv4: Don't exit the state manager without clearing NFS4CLNT_MANAGER_RUNNING Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 255/305] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 050/305] iio: ad5064: Fix regulator handling Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 268/305] xhci: workaround CSS timeout on AMD SNPS 3.0 xHC Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 189/305] batman-adv: Expand merged fragment buffer for full packet Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 002/305] x86/asm: Move PUD_PAGE macros to page_types.h Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 262/305] usb: appledisplay: Add 27" Apple Cinema Display Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 213/305] new helper: uaccess_kernel() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 297/305] net: macb: fix dropped RX frames due to a race Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 237/305] xtensa: enable coprocessors that are being flushed Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 229/305] ALSA: sparc: Fix invalid snd_free_pages() at error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 035/305] media: tvp5150: fix width alignment during set_selection() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 131/305] netfilter: x_tables: add and use xt_check_proc_name Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 117/305] HID: hiddev: fix potential Spectre v1 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 171/305] mac80211: Clear beacon_int in ieee80211_do_stop Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 275/305] net/mlx4_core: Correctly set PFC param if global pause is turned off Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 298/305] net: macb: add missing barriers when reading descriptors Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 281/305] fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 092/305] clk: s2mps11: Fix matching when built as module and DT node contains compatible Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 058/305] ext4: initialize retries variable in ext4_da_write_inline_data_begin() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 132/305] netfilter: xt_IDLETIMER: add sysfs filename checking routine Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 303/305] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 016/305] staging: comedi: quatech_daqp_cs: fix bug in daqp_ao_insn_write() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 086/305] tun: Consistently configure generic netdev params via rtnetlink Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 070/305] mtd: spi-nor: fsl-quadspi: fix api naming typo _init_ahb_read Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 018/305] staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 179/305] usb: xhci: fix uninitialized completion when USB3 port got wrong status Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 231/305] ALSA: control: Fix race between adding and removing a user element Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 030/305] power: supply: max8998-charger: Fix platform data retrieval Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 053/305] usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 126/305] xtensa: add NOTES section to the linker script Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 239/305] xtensa: fix coprocessor part of ptrace_{get,set}xregs Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 136/305] ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 277/305] aio: fix spectre gadget in lookup_ioctx Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 107/305] Btrfs: fix use-after-free when dumping free space Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 111/305] net: bcmgenet: fix OF child-node lookup Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 060/305] powerpc/pseries: Fix how we iterate over the DTL entries Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 098/305] drm/i915: Large page offsets for pread/pwrite Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 181/305] sysv: return 'err' instead of 0 in __sysv_write_inode Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 144/305] xfrm: Fix bucket count reported to userspace Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 289/305] mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 103/305] clk: s2mps11: Add used attribute to s2mps11_dt_match Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 287/305] mmc: omap_hsmmc: fix DMA API warning Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 195/305] Input: matrix_keypad - check for errors from of_get_named_gpio() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 024/305] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 139/305] clockevents/drivers/i8253: Add support for PIT shutdown quirk Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 197/305] btrfs: Always try all copies when reading extent buffers Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 042/305] crypto: lrw - Fix out-of bounds access on counter overflow Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 221/305] drm/ast: fixed cursor may disappear sometimes Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 078/305] gfs2_meta: ->mount() can get NULL dev_name Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 071/305] mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 182/305] floppy: fix race condition in __floppy_read_block_0() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 254/305] ALSA: usb-audio: Replace probing flag with active refcount Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 188/305] batman-adv: Use only queued fragments when merging Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 151/305] USB: Wait for extra delay time after USB_PORT_FEAT_RESET for quirky hub Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 003/305] x86/asm: Fix pud/pmd interfaces to handle large PAT bit Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 222/305] Btrfs: fix race between enabling quotas and subvolume creation Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 266/305] USB: check usb_get_extra_descriptor for proper size Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 146/305] Btrfs: fix data corruption due to cloning of eof block Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 119/305] hugetlbfs: dirty pages as they are added to pagecache Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 203/305] l2tp: fix a sock refcnt leak in l2tp_tunnel_register Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 005/305] x86/mm: Fix regression with huge pages on PAE Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 114/305] thermal: rcar_thermal: Prevent hardware access during system suspend Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 216/305] HID: Add quirk for Primax PIXART OEM mice Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 153/305] USB: quirks: Add no-lpm quirk for Raydium touchscreens Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 065/305] printk: Fix panic caused by passing log_buf_len to command line Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 174/305] can: raw: check for CAN FD capable netdev in raw_sendmsg() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 278/305] tracing: Fix memory leak in set_trigger_filter() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 101/305] ACPICA: AML interpreter: add region addresses in global list during initialization Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 259/305] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 100/305] xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 233/305] USB: usb-storage: Add new IDs to ums-realtek Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 087/305] jffs2: free jffs2_sb_info through jffs2_kill_sb() Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 283/305] scsi: sd: use mempool for discard special page Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 291/305] KVM: X86: Fix NULL deref in vcpu_scan_ioapic Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 027/305] scsi: qla2xxx: Fix incorrect port speed being set for FC adapters Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 075/305] PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 084/305] Btrfs: don't clean dirty pages during buffered writes Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 110/305] of: add helper to lookup compatible child node Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 149/305] ext4: avoid buffer leak in ext4_orphan_add() after prior errors Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 123/305] lockd: fix access beyond unterminated strings in prints Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 115/305] thermal: rcar: Make error and remove paths symmetrical with init Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 158/305] ext4: fix buffer leak in __ext4_read_dirblock() on error path Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 294/305] kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 161/305] mount: Prevent MNT_DETACH from disconnecting locked mounts Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 184/305] drivers/misc/sgi-gru: fix Spectre v1 vulnerability Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 253/305] ALSA: usb-audio: Avoid nested autoresume calls Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 242/305] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 251/305] SUNRPC: Fix leak of krb5p encode pages Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 010/305] ipv6: Fix another sparse warning on rt6i_node Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 152/305] usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 051/305] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 023/305] ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 112/305] smb3: allow stats which track session and share reconnects to be reset Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 248/305] dmaengine: at_hdmac: fix module unloading Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 143/305] xtensa: make sure bFLT stack is 16 byte aligned Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 185/305] misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 211/305] exportfs: fix 'passing zero to ERR_PTR()' warning Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 097/305] Btrfs: fix null pointer dereference on compressed write path error Ben Hutchings
2019-02-03 13:45 ` [PATCH 3.16 228/305] ALSA: wss: Fix invalid snd_free_pages() at error path Ben Hutchings
2019-02-04 21:38 ` [PATCH 3.16 000/305] 3.16.63-rc1 review Guenter Roeck
2019-02-04 23:51   ` Ben Hutchings
