* [PATCH 3.16 000/129] 3.16.70-rc1 review
@ 2019-07-07 16:54 Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init() Ben Hutchings
                   ` (132 more replies)
  0 siblings, 133 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm, Denis Kirjanov

This is the start of the stable review cycle for the 3.16.70 release.
There are 129 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Jul 09 20:00:00 UTC 2019.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Aaro Koskinen (1):
      mmc: omap: fix the maximum timeout setting
         [a6327b5e57fdc679c842588c3be046c0b39cc127]

Aditya Pakki (1):
      md: Fix failed allocation of md_register_thread
         [e406f12dde1a8375d77ea02d91f313fb1a9c6aec]

Alistair Strachan (1):
      media: uvcvideo: Fix 'type' check leading to overflow
         [47bb117911b051bbc90764a8bff96543cbd2005f]

Aneesh Kumar K.V (1):
      powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
         [3b4d07d2674f6b4a9281031f99d1f7efd325b16d]

Ard Biesheuvel (1):
      crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
         [eaf46edf6ea89675bd36245369c8de5063a0272c]

Arnd Bergmann (1):
      cpufreq: pxa2xx: remove incorrect __init annotation
         [9505b98ccddc454008ca7efff90044e3e857c827]

Axel Lin (1):
      regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
         [c25d47888f0fb3d836d68322d4aea2caf31a75a6]

Bart Van Assche (1):
      scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
         [32e36bfbcf31452a854263e7c7f32fbefc4b44d8]

Ben Hutchings (1):
      binder: Replace "%p" with "%pK" for stable
         [fdfb4a99b6ab8c393db19e3b92968b74ca2757b0,
          19c987241ca1216a51118b2bd0185b8bc5081783,
          7a4408c6bd3eb1dafba67986259191be081e3efb]

Buland Singh (1):
      hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable
         [24d48a61f2666630da130cc2ec2e526eacf229e3]

Christophe Leroy (4):
      powerpc/32: Clear on-stack exception marker upon exception return
         [9580b71b5a7863c24a9bd18bcd2ad759b86b1eff]
      powerpc/83xx: Also save/restore SPRG4-7 during suspend
         [36da5ff0bea2dc67298150ead8d8471575c54c7d]
      powerpc/irq: drop arch_early_irq_init()
         [607ea5090b3fb61fea1d0bc5278e6c1d40ab5bd6]
      powerpc/wii: properly disable use of BATs when requested.
         [6d183ca8baec983dc4208ca45ece3c36763df912]

Colin Ian King (4):
      rtc: 88pm80x: fix unintended sign extension
         [fb0b322537a831b5b0cb948c56f8f958ce493d3a]
      rtc: 88pm860x: fix unintended sign extension
         [dc9e47160626cdb58d5c39a4f43dcfdb27a5c004]
      rtc: ds1672: fix unintended sign extension
         [f0c04c276739ed8acbb41b4868e942a55b128dca]
      rtc: pm8xxx: fix unintended sign extension
         [e42280886018c6f77f0a90190f7cba344b0df3e0]

Dan Carpenter (1):
      xen, cpu_hotplug: Prevent an out of bounds access
         [201676095dda7e5b31a5e1d116d10fc22985075e]

Dan Robertson (1):
      btrfs: init csum_list before possible free
         [e49be14b8d80e23bb7c53d78c21717a474ade76b]

Daniel Axtens (1):
      bcache: never writeback a discard operation
         [9951379b0ca88c95876ad9778b9099e19a95d566]

Daniel Jordan (1):
      mm, swap: bounds check swap_info array accesses to avoid NULL derefs
         [c10d38cc8d3e43f946b6c2bf4602c86791587f30]

Doug Berger (1):
      irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
         [33517881ede742107f416533b8c3e4abc56763da]

Eric Biggers (5):
      crypto: ahash - fix another early termination in hash walk
         [77568e535af7c4f97eaef1e555bf0af83772456c]
      crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
         [ba7d7433a0e998c902132bd47330e355a1eaa894]
      crypto: pcbc - remove bogus memcpy()s with src == dest
         [251b7aea34ba3c4d4fdfa9447695642eb8b8b098]
      crypto: testmgr - skip crc32c context test for ahash algorithms
         [eb5e6730db98fcc4b51148b4a819fa4bf864ae54]
      crypto: tgr192 - fix unaligned memory access
         [f990f7fb58ac8ac9a43316f09a48cff1a49dda42]

Eric Dumazet (6):
      gro_cells: make sure device is up in gro_cells_receive()
         [2a5ff07a0eb945f291e361aa6f6becca8340ba46]
      l2tp: fix infoleak in l2tp_ip6_recvmsg()
         [163d1c3d6f17556ed3c340d3789ea93be95d6c28]
      net/hsr: fix possible crash in add_timer()
         [1e027960edfaa6a43f9ca31081729b716598112b]
      netns: provide pure entropy for net_hash_mix()
         [355b98553789b646ed97ad801a619ff898471b92]
      tcp: refine memory limit test in tcp_fragment()
         [b6653b3629e5b88202be3c9abc44713973f5c4b4]
      vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
         [59cbf56fcd98ba2a715b6e97c4e43f773f956393]

Eric W. Biederman (1):
      fs/nfs: Fix nfs_parse_devname to not modify it's argument
         [40cc394be1aa18848b8757e03bd8ed23281f572e]

Felipe Franciosi (1):
      scsi: virtio_scsi: don't send sc payload with tmfs
         [3722e6a52174d7c3a00e6f5efd006ca093f346c1]

Filipe Manana (1):
      Btrfs: fix corruption reading shared and compressed extents after hole punching
         [8e928218780e2f1cf2f5891c7575e8f0b284fcce]

Finn Thain (1):
      m68k: Add -ffreestanding to CFLAGS
         [28713169d879b67be2ef2f84dcf54905de238294]

Gal Pressman (2):
      IB/usnic: Fix out of bounds index check in query pkey
         [4959d5da5737dd804255c75b8cea0a2929ce279a]
      RDMA/ocrdma: Fix out of bounds index check in query pkey
         [b188940796c7be31c1b8c25a9a0e0842c2e7a49e]

Geert Uytterhoeven (3):
      pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names
         [8e32e881947be98abaa917157fefc4a3319e90af]
      pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
         [a4b0350047f1b10207e25e72d7cd3f7826e93769]
      pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
         [0e6e448bdcf896d001a289a6112a704542d51516]

Gustavo A. R. Silva (4):
      ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
         [e2477233145f2156434afb799583bccd878f3e9f]
      applicom: Fix potential Spectre v1 vulnerabilities
         [d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c]
      drm/radeon/evergreen_cs: fix missing break in switch statement
         [cc5034a5d293dd620484d1d836aa16c6764a1c8c]
      iscsi_ibft: Fix missing break in switch statement
         [df997abeebadaa4824271009e2d2b526a70a11cb]

Halil Pasic (1):
      s390/virtio: handle find on invalid queue gracefully
         [3438b2c039b4bf26881786a1f3450f016d66ad11]

Hou Tao (1):
      9p: use inode->i_lock to protect i_size_write() under 32-bit
         [5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f]

Hugh Dickins (1):
      mm: fix potential data race in SyS_swapon
         [6f179af88f60b32c2855e7f3e16ea8e336a7043f]

Ido Schimmel (1):
      ip6mr: Do not call __IP6_INC_STATS() from preemptible context
         [87c11f1ddbbad38ad8bad47af133a8208985fbdf]

Ivan Mironov (1):
      USB: serial: cp210x: add ID for Ingenico 3070
         [dd9d3d86b08d6a106830364879c42c78db85389c]

Jack Morgenstein (2):
      net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling
         [c07d27927f2f2e96fcd27bb9fb330c9ea65612d0]
      net/mlx4_core: Fix qp mtt size calculation
         [8511a653e9250ef36b95803c375a7be0e2edb628]

Jacopo Mondi (1):
      media: v4l2: i2c: ov7670: Fix PLL bypass register values
         [61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55]

Jan Kara (2):
      ext2: Fix underflow in ext2_max_size()
         [1c2d14212b15a60300a2d4f6364753e87394c521]
      ext4: fix crash during online resizing
         [f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1]

Jann Horn (1):
      splice: don't merge into linked buffers
         [a0ce2f0aa6ad97c3d4927bf2ca54bcebdf062d55]

Jarkko Sakkinen (1):
      tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
         [442601e87a4769a8daba4976ec3afa5222ca211d]

Jay Dolan (2):
      serial: 8250_pci: Fix number of ports for ACCES serial cards
         [b896b03bc7fce43a07012cc6bf5e2ab2fddf3364]
      serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
         [78d3820b9bd39028727c6aab7297b63c093db343]

Jeremy Fertic (7):
      staging: iio: adt7316: allow adt751x to use internal vref for all dacs
         [10bfe7cc1739c22f0aa296b39e53f61e9e3f4d99]
      staging: iio: adt7316: fix dac_bits assignment
         [e9de475723de5bf207a5b7b88bdca863393e42c8]
      staging: iio: adt7316: fix handling of dac high resolution option
         [76b7fe8d6c4daf4db672eb953c892c6f6572a282]
      staging: iio: adt7316: fix register and bit definitions
         [53a6f022b4fe8645468adaffca901dbf8c3c547e]
      staging: iio: adt7316: fix the dac read calculation
         [45130fb030aec26ac28b4bb23344901df3ec3b7f]
      staging: iio: adt7316: fix the dac write calculation
         [78accaea117c1ae878774974fab91ac4a0b0e2b0]
      staging: iio: adt7316: invert the logic of the check for an ldac pin
         [85a1c11913312132d0800ca2c1c42a011f96ea92]

Jia Zhang (1):
      tpm: Fix off-by-one when reading binary_bios_measurements
         [64494d39ff630a63b5308042b20132b491e3706b]

Jiri Olsa (1):
      perf header: Fix wrong node write in NUMA_TOPOLOGY feature
         [b00ccb27f97367d89e2d7b419ed198b0985be55d]

Jordan Niethe (1):
      powerpc/powernv: Make opal log only readable by root
         [7b62f9bd2246b7d3d086e571397c14ba52645ef1]

Jun Zhang (1):
      rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
         [1d1f898df6586c5ea9aeaf349f13089c6fa37903]

Kangjie Lu (1):
      net: sh_eth: fix a missing check of of_get_phy_mode
         [035a14e71f27eefa50087963b94cbdb3580d08bf]

Kirill Smelkov (2):
      fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
         [10dce8af34226d90fa56746a934f8da5dcdba3df]
      fuse: Add FOPEN_STREAM to use stream_open()
         [bbd84f33652f852ce5992d65db4d020aba21f882]

Lubomir Rintel (2):
      libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
         [607076a904c435f2677fadaadd4af546279db68b]
      serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart
         [f4817843e39ce78aace0195a57d4e8500a65a898]

Mans Rullgard (1):
      USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
         [8d7fa3d4ea3f0ca69554215e87411494e6346fdc]

Marek Szyprowski (1):
      clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
         [b9307420196009cdf18bad55e762ac49fb9a80f4]

Michal Kazior (1):
      leds: lp55xx: fix null deref on firmware load failure
         [5ddb0869bfc1bca6cfc592c74c64a026f936638c]

NeilBrown (2):
      nfsd: fix memory corruption caused by readdir
         [b602345da6cbb135ba68cf042df8ec9a73da7981]
      security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags()
         [7b20ea2579238f5e0da4bc93276c1b63c960c9ef]

Pavel Shilovsky (2):
      CIFS: Do not reset lease state to NONE on lease break
         [7b9b9edb49ad377b1e06abf14354c227e9ac4b06]
      CIFS: Fix read after write for files with read caching
         [6dfbd84684700cb58b34e8602c01c12f3d2595c8]

Paweł Chmiel (2):
      media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration
         [49710c32cd9d6626a77c9f5f978a5f58cb536b35]
      media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
         [19c624c6b29e244c418f8b44a711cbf5e82e3cd4]

QiaoChong (1):
      parport_pc: fix find_superio io compare code, should use equal test.
         [21698fd57984cd28207d841dbdaa026d6061bceb]

Richard Weinberger (2):
      mtd: docg3: Don't leak docg3->bbt in error path
         [45c2ebd702a468d5037cf16aa4f8ea8d67776f6a]
      mtd: docg3: Fix kasprintf() usage
         [0eb8618bd07533f423fed47399a0d6387bfe7cac]

Roman Penyaev (1):
      mm/vmalloc: fix size check for remap_vmalloc_range_partial()
         [401592d2e095947344e10ec0623adbcd58934dd4]

S.j. Wang (1):
      ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
         [cc29ea007347f39f4c5a4d27b0b555955a0277f9]

Sakari Ailus (1):
      media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
         [9dd0627d8d62a7ddb001a75f63942d92b5336561]

Sean Christopherson (1):
      KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux
         [ddfd1730fd829743e41213e32ccc8b4aa6dc8325]

Sergei Shtylyov (1):
      devres: always use dev_name() in devm_ioremap_resource()
         [8d84b18f5678d3adfdb9375dfb0d968da2dc753d]

Stanislaw Gruszka (1):
      lib/div64.c: off by one in shift
         [cdc94a37493135e355dfc0b0e086d84e3eadb50d]

Stefan Agner (1):
      ASoC: imx-sgtl5000: put of nodes if finding codec fails
         [d9866572486802bc598a3e8576a5231378d190de]

Stephen Smalley (1):
      selinux: avoid silent denials in permissive mode under RCU walk
         [3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e]

Takashi Iwai (4):
      ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
         [2757970f6d0d0a112247600b23d38c0c728ceeb3]
      mwifiex: Abort at too short BSS descriptor element
         [685c9b7750bfacd6fc1db50d86579980593b7869]
      mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
         [69ae4f6aac1578575126319d3f55550e7e440449]
      mwifiex: Fix possible buffer overflows at parsing bss descriptor
         [13ec7f10b87f5fc04c4ccbd491c94c7980236a74]

Takashi Sakamoto (1):
      ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
         [7dc661bd8d3261053b69e4e2d0050cd1ee540fc1]

Tang Junhui (1):
      bcache: treat stale && dirty keys as bad keys
         [58ac323084ebf44f8470eeb8b82660f9d0ee3689]

Tetsuo Handa (1):
      staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.
         [ecd182cbf4e107928077866399100228d2359c60]

Tony Jones (1):
      tools lib traceevent: Fix buffer overflow in arg_eval
         [7c5b019e3a638a5a290b0ec020f6ca83d2ec2aaa]

Trond Myklebust (1):
      NFSv4.1: Reinitialise sequence results before retransmitting a request
         [c1dffe0bf7f9c3d57d9f237a7cb2a81e62babd2b]

Xiao Ni (1):
      It's wrong to add len to sector_nr in raid10 reshape twice
         [b761dcf1217760a42f7897c31dcb649f59b2333e]

Xin Long (2):
      pptp: dst_release sk_dst_cache in pptp_sock_destruct
         [9417d81f4f8adfe20a12dd1fadf73a618cbd945d]
      route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
         [ee60ad219f5c7c4fb2f047f88037770063ef785f]

Yangerkun (3):
      ext4: add mask of ext4 flags to swap
         [abdc644e8cbac2e9b19763680e5a7cf9bab2bee7]
      ext4: fix check of inode in swap_inode_boot_loader
         [67a11611e1a5211f6569044fbf8150875764d1d0]
      ext4: update quota information while swapping boot loader inode
         [aa507b5faf38784defe49f5e64605ac3c4425e26]

Yangtao Li (10):
      clk: armada-370: fix refcount leak in a370_clk_init()
         [a3c24050bdf70c958a8d98c2823b66ea761e6a31]
      clk: armada-xp: fix refcount leak in axp_clk_init()
         [db20a90a4b6745dad62753f8bd2f66afdd5abc84]
      clk: dove: fix refcount leak in dove_clk_init()
         [8d726c5128298386b907963033be93407b0c4275]
      clk: highbank: fix refcount leak in hb_clk_init()
         [5eb8ba90958de1285120dae5d3a5d2b1a360b3b4]
      clk: imx6q: fix refcount leak in imx6q_clocks_init()
         [c9ec1d8fef31b5fc9e90e99f9bd685db5caa7c5e]
      clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
         [1731e14fb30212dd8c1e9f8fc1af061e56498c55]
      clk: kirkwood: fix refcount leak in kirkwood_clk_init()
         [e7beeab9c61591cd0e690d8733d534c3f4278ff8]
      clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
         [cee82eb9532090cd1dc953e845d71f9b1445c84e]
      clk: socfpga: fix refcount leak
         [7f9705beeb3759e69165e7aff588f6488ff6c1ac]
      clk: vf610: fix refcount leak in vf610_clocks_init()
         [567177024e0313e4f0dcba7ba10c0732e50e655d]

YueHaibing (5):
      cdc-wdm: pass return value of recover_from_urb_loss
         [0742a338f5b3446a26de551ad8273fb41b2787f2]
      drm: Fix error handling in drm_legacy_addctx
         [c39191feed4540fed98badeb484833dcf659bb96]
      mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device
         [32937a82f36c7bbe08db4052de94bc7ade4e3c51]
      net-sysfs: Fix mem leak in netdev_register_kobject
         [895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab]
      tty: ipwireless: Fix potential NULL pointer dereference
         [7dd50e205b3348dc7784efbdf85723551de64a25]

Zev Weiss (1):
      kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
         [8cf7630b29701d364f8df4a50e4f1f5e752b2778]

Zhangyi (1):
      jbd2: clear dirty flag when revoking a buffer from an older transaction
         [904cdbd41d749a476863a0ca41f6f396774f26e4]

 Makefile                                           |   4 +-
 arch/arm/mach-imx/clk-imx6q.c                      |   1 +
 arch/arm/mach-imx/clk-imx6sx.c                     |   1 +
 arch/arm/mach-imx/clk-vf610.c                      |   1 +
 arch/arm/mach-s3c24xx/mach-osiris-dvs.c            |   8 +-
 arch/arm64/crypto/aes-ce-ccm-core.S                |   5 +-
 arch/m68k/Makefile                                 |   5 +-
 arch/powerpc/kernel/entry_32.S                     |   9 +
 arch/powerpc/kernel/irq.c                          |   5 -
 arch/powerpc/mm/slice.c                            |  10 +-
 arch/powerpc/platforms/83xx/suspend-asm.S          |  34 +-
 arch/powerpc/platforms/embedded6xx/wii.c           |   4 +
 arch/powerpc/platforms/powernv/opal-msglog.c       |   2 +-
 arch/x86/kvm/x86.h                                 |   7 +-
 crypto/ahash.c                                     |  42 ++-
 crypto/pcbc.c                                      |  14 +-
 crypto/shash.c                                     |  18 +-
 crypto/testmgr.c                                   |  14 +-
 crypto/tgr192.c                                    |   6 +-
 drivers/char/applicom.c                            |  35 +-
 drivers/char/hpet.c                                |   2 +-
 drivers/char/tpm/tpm_eventlog.c                    |  10 +-
 drivers/char/tpm/tpm_i2c_atmel.c                   |   9 +-
 drivers/clk/clk-highbank.c                         |   1 +
 drivers/clk/mvebu/armada-370.c                     |   4 +-
 drivers/clk/mvebu/armada-xp.c                      |   4 +-
 drivers/clk/mvebu/dove.c                           |   4 +-
 drivers/clk/mvebu/kirkwood.c                       |   5 +-
 drivers/clk/samsung/clk-exynos4.c                  |   1 +
 drivers/clk/socfpga/clk-pll.c                      |   1 +
 drivers/clocksource/exynos_mct.c                   |  14 +-
 drivers/cpufreq/pxa2xx-cpufreq.c                   |   4 +-
 drivers/firmware/iscsi_ibft.c                      |   1 +
 drivers/gpu/drm/drm_context.c                      |  15 +-
 drivers/gpu/drm/radeon/evergreen_cs.c              |   1 +
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c        |   2 +-
 drivers/infiniband/hw/usnic/usnic_ib_verbs.c       |   2 +-
 drivers/irqchip/irq-brcmstb-l2.c                   |  10 +-
 drivers/leds/leds-lp55xx-common.c                  |   4 +-
 drivers/md/bcache/extents.c                        |  13 +-
 drivers/md/bcache/writeback.h                      |   3 +
 drivers/md/raid10.c                                |   3 +-
 drivers/md/raid5.c                                 |   2 +
 drivers/media/i2c/ov7670.c                         |  16 +-
 drivers/media/platform/s5p-jpeg/jpeg-core.c        |  21 +-
 drivers/media/usb/uvc/uvc_driver.c                 |  14 +-
 drivers/media/usb/uvc/uvc_video.c                  |   8 +
 drivers/mmc/host/omap.c                            |   2 +-
 drivers/mtd/devices/docg3.c                        |  18 +-
 drivers/net/ethernet/mellanox/mlx4/cmd.c           |   8 +
 .../net/ethernet/mellanox/mlx4/resource_tracker.c  |   6 +-
 drivers/net/ethernet/renesas/sh_eth.c              |   6 +-
 drivers/net/ppp/pptp.c                             |   1 +
 drivers/net/vxlan.c                                |  10 +
 drivers/net/wireless/libertas_tf/if_usb.c          |   2 -
 drivers/net/wireless/mwifiex/ie.c                  |  30 +-
 drivers/net/wireless/mwifiex/scan.c                |  19 ++
 drivers/parport/parport_pc.c                       |   2 +-
 drivers/pinctrl/sh-pfc/pfc-r8a7778.c               |   6 +-
 drivers/pinctrl/sh-pfc/pfc-r8a7791.c               |   2 +-
 drivers/pinctrl/sh-pfc/pfc-sh73a0.c                |   3 +-
 drivers/regulator/wm831x-dcdc.c                    |   4 +-
 drivers/rtc/rtc-88pm80x.c                          |  21 +-
 drivers/rtc/rtc-88pm860x.c                         |  21 +-
 drivers/rtc/rtc-ds1672.c                           |   3 +-
 drivers/rtc/rtc-pm8xxx.c                           |   6 +-
 drivers/s390/kvm/virtio_ccw.c                      |   4 +-
 drivers/scsi/virtio_scsi.c                         |   2 -
 drivers/staging/android/ashmem.c                   |  42 ++-
 drivers/staging/android/binder.c                   |  28 +-
 drivers/staging/iio/addac/adt7316.c                |  55 ++--
 drivers/target/iscsi/iscsi_target.c                |   4 +-
 drivers/tty/ipwireless/hardware.c                  |   2 +
 drivers/tty/serial/8250/8250_pci.c                 | 141 +++++++-
 drivers/tty/serial/of_serial.c                     |   4 +
 drivers/usb/class/cdc-wdm.c                        |   2 +-
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/ftdi_sio.c                      |   2 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   6 +
 drivers/xen/cpu_hotplug.c                          |   2 +-
 drivers/xen/xenbus/xenbus_dev_frontend.c           |   2 +-
 fs/9p/v9fs_vfs.h                                   |  23 +-
 fs/9p/vfs_file.c                                   |   6 +-
 fs/9p/vfs_inode.c                                  |  23 +-
 fs/9p/vfs_inode_dotl.c                             |  27 +-
 fs/9p/vfs_super.c                                  |   4 +-
 fs/btrfs/extent_io.c                               |   4 +-
 fs/btrfs/scrub.c                                   |   2 +-
 fs/cifs/file.c                                     |  12 +-
 fs/cifs/smb2misc.c                                 |  17 +-
 fs/cifs/smb2ops.c                                  |  13 +-
 fs/ext2/super.c                                    |  39 ++-
 fs/ext4/ext4.h                                     |   3 +
 fs/ext4/ioctl.c                                    |  84 +++--
 fs/ext4/resize.c                                   |   3 +-
 fs/fuse/file.c                                     |   4 +-
 fs/jbd2/transaction.c                              |  17 +-
 fs/nfs/nfs4proc.c                                  |  15 +-
 fs/nfs/super.c                                     |   2 +-
 fs/nfsd/nfs3proc.c                                 |  16 +-
 fs/nfsd/nfs3xdr.c                                  |   1 +
 fs/open.c                                          |  18 +
 fs/pipe.c                                          |  14 +
 fs/read_write.c                                    |   5 +-
 fs/splice.c                                        |   4 +
 include/linux/fs.h                                 |   4 +
 include/linux/pipe_fs_i.h                          |   1 +
 include/linux/swap.h                               |   1 +
 include/net/gro_cells.h                            |  12 +-
 include/net/net_namespace.h                        |   2 +
 include/net/netns/hash.h                           |  17 +-
 include/uapi/linux/fuse.h                          |   2 +
 kernel/rcu/tree.c                                  |  20 +-
 kernel/sysctl.c                                    |  11 +-
 lib/devres.c                                       |   4 +-
 lib/div64.c                                        |   4 +-
 mm/swapfile.c                                      |  83 ++---
 mm/vmalloc.c                                       |   2 +-
 net/core/net-sysfs.c                               |   3 +
 net/core/net_namespace.c                           |   1 +
 net/hsr/hsr_device.c                               |  14 +-
 net/ipv4/route.c                                   |   4 +
 net/ipv4/tcp_output.c                              |   2 +-
 net/ipv6/ip6mr.c                                   |   8 +-
 net/l2tp/l2tp_ip6.c                                |   4 +-
 scripts/coccinelle/api/stream_open.cocci           | 363 +++++++++++++++++++++
 security/selinux/avc.c                             |  44 ++-
 security/selinux/hooks.c                           |   6 +-
 security/selinux/include/avc.h                     |  10 +-
 sound/firewire/bebob/bebob.c                       |  14 +-
 sound/soc/fsl/fsl_esai.c                           |   7 +-
 sound/soc/fsl/fsl_ssi.c                            |   5 +-
 sound/soc/fsl/imx-sgtl5000.c                       |   3 +-
 tools/lib/traceevent/event-parse.c                 |   2 +-
 tools/perf/util/header.c                           |   2 +-
 135 files changed, 1418 insertions(+), 459 deletions(-)

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.



* [PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 091/129] Btrfs: fix corruption reading shared and compressed extents after hole punching Ben Hutchings
                   ` (131 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Stephen Boyd, Yangtao Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit 567177024e0313e4f0dcba7ba10c0732e50e655d upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Fixes: 1f2c5fd5f048 ("ARM: imx: add VF610 clock support")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-imx/clk-vf610.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-imx/clk-vf610.c
+++ b/arch/arm/mach-imx/clk-vf610.c
@@ -117,6 +117,7 @@ static void __init vf610_clocks_init(str
 	np = of_find_compatible_node(NULL, NULL, "fsl,vf610-anatop");
 	anatop_base = of_iomap(np, 0);
 	BUG_ON(!anatop_base);
+	of_node_put(np);
 
 	np = ccm_node;
 	ccm_base = of_iomap(np, 0);
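
Review bot: np is passed to of_iomap() straight after of_find_compatible_node() with no NULL check, so the only visible guard against a missing "fsl,vf610-anatop" node is BUG_ON(!anatop_base); an explicit check on np before the of_iomap() call would make that failure easier to diagnose. The added of_node_put(np) is placed correctly for the leak itself, since np is reassigned to ccm_node on the next statement and the old reference would otherwise be lost.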



* [PATCH 3.16 006/129] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 031/129] ASoC: imx-sgtl5000: put of nodes if finding codec fails Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 041/129] ext2: Fix underflow in ext2_max_size() Ben Hutchings
                   ` (4 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Yangtao Li, Stephen Boyd

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit cee82eb9532090cd1dc953e845d71f9b1445c84e upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Fixes: e062b571777f ("clk: exynos4: register clocks using common clock framework")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/samsung/clk-exynos4.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/samsung/clk-exynos4.c
+++ b/drivers/clk/samsung/clk-exynos4.c
@@ -1032,6 +1032,7 @@ static unsigned long exynos4_get_xom(voi
 			xom = readl(chipid_base + 8);
 
 		iounmap(chipid_base);
+		of_node_put(np);
 	}
 
 	return xom;
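
Review bot: in the context around the added of_node_put(np), readl(chipid_base + 8) is indented one level deeper than iounmap(chipid_base), so the unmap runs whether or not the guarded read did; if that guard is a NULL check on chipid_base, the unmap would sit better inside it. The new of_node_put(np) is in the right place, after the last use of the mapping and inside the block that holds the node, and the commit message could say what the leaked reference costs in practice, given that this is a stable candidate.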



* [PATCH 3.16 016/129] staging: iio: adt7316: fix the dac read calculation
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 021/129] RDMA/ocrdma: Fix out of bounds index check in query pkey Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 053/129] rtc: pm8xxx: fix unintended sign extension Ben Hutchings
                   ` (48 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jeremy Fertic, Jonathan Cameron

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit 45130fb030aec26ac28b4bb23344901df3ec3b7f upstream.

The calculation of the current dac value is using the wrong bits of the
dac lsb register. Create two macros to shift the lsb register value into
lsb position, depending on whether the dac is 10 or 12 bit. Initialize
data to 0 so, with an 8 bit dac, the msb register value can be bitwise
ORed with data.

Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -47,6 +47,8 @@
 #define ADT7516_MSB_AIN3		0xA
 #define ADT7516_MSB_AIN4		0xB
 #define ADT7316_DA_DATA_BASE		0x10
+#define ADT7316_DA_10_BIT_LSB_SHIFT	6
+#define ADT7316_DA_12_BIT_LSB_SHIFT	4
 #define ADT7316_DA_MSB_DATA_REGS	4
 #define ADT7316_LSB_DAC_A		0x10
 #define ADT7316_MSB_DAC_A		0x11
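
Review bot: the two new macros ADT7316_DA_10_BIT_LSB_SHIFT and ADT7316_DA_12_BIT_LSB_SHIFT carry no comment explaining the values 6 and 4. Applied to the u8 lsb value they leave 2 and 4 bits respectively, which matches the low-order bits of a 10-bit and a 12-bit DAC value; a one-line comment above them saying that the low bits sit in the upper part of the LSB register would save the next reader from working that out.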
@@ -1409,7 +1411,7 @@ static IIO_DEVICE_ATTR(ex_analog_temp_of
 static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip,
 		int channel, char *buf)
 {
-	u16 data;
+	u16 data = 0;
 	u8 msb, lsb, offset;
 	int ret;
 
@@ -1434,7 +1436,11 @@ static ssize_t adt7316_show_DAC(struct a
 	if (ret)
 		return -EIO;
 
-	data = (msb << offset) + (lsb & ((1 << offset) - 1));
+	if (chip->dac_bits == 12)
+		data = lsb >> ADT7316_DA_12_BIT_LSB_SHIFT;
+	else if (chip->dac_bits == 10)
+		data = lsb >> ADT7316_DA_10_BIT_LSB_SHIFT;
+	data |= msb << offset;
 
 	return sprintf(buf, "%d\n", data);
 }
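
Review bot: the if / else if on chip->dac_bits has no final else, so any value other than 10 or 12 falls through to "data |= msb << offset" with data still 0. That is the 8-bit path the commit message describes, but it depends on offset, which is set outside the visible lines, agreeing with dac_bits. A switch on chip->dac_bits that picks both the LSB shift and the MSB offset in one place, or a comment marking the fall-through as the 8-bit case, would make that dependency explicit.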



* [PATCH 3.16 026/129] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Jacek Anaszewski,
	Paweł Chmiel

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>

commit 49710c32cd9d6626a77c9f5f978a5f58cb536b35 upstream.

Previously when doing format enumeration, it was returning all
 formats supported by driver, even if they're not supported by hw.
Add missing check for fmt_ver_flag, so it'll be fixed and only those
 supported by hw will be returned. Similar thing is already done
 in s5p_jpeg_find_format.

It was found by using v4l2-compliance tool and checking result
 of VIDIOC_ENUM_FMT/FRAMESIZES/FRAMEINTERVALS test
and using v4l2-ctl to get list of all supported formats.

Tested on s5pv210-galaxys (Samsung i9000 phone).

Fixes: bb677f3ac434 ("[media] Exynos4 JPEG codec v4l2 driver")

Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
[hverkuil-cisco@xs4all.nl: fix a few alignment issues]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/s5p-jpeg/jpeg-core.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
@@ -859,13 +859,16 @@ static int s5p_jpeg_querycap(struct file
 	return 0;
 }
 
-static int enum_fmt(struct s5p_jpeg_fmt *sjpeg_formats, int n,
+static int enum_fmt(struct s5p_jpeg_ctx *ctx,
+		    struct s5p_jpeg_fmt *sjpeg_formats, int n,
 		    struct v4l2_fmtdesc *f, u32 type)
 {
 	int i, num = 0;
+	unsigned int fmt_ver_flag = ctx->jpeg->variant->fmt_ver_flag;
 
 	for (i = 0; i < n; ++i) {
-		if (sjpeg_formats[i].flags & type) {
+		if (sjpeg_formats[i].flags & type &&
+		    sjpeg_formats[i].flags & fmt_ver_flag) {
 			/* index-th format of type type found ? */
 			if (num == f->index)
 				break;
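Review bot: The loop condition `sjpeg_formats[i].flags & type && sjpeg_formats[i].flags & fmt_ver_flag` depends on `&` binding tighter than `&&`; that is correct, but parenthesising each mask test would make the intent obvious at a glance. The commit message says s5p_jpeg_find_format already applies the same fmt_ver_flag test, so a small shared helper for "format matches type and hardware variant" would keep the two paths from drifting apart again. `ctx->jpeg->variant` is also dereferenced unconditionally at the top of enum_fmt(); a comment on why it cannot be NULL here would help.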
@@ -891,11 +894,11 @@ static int s5p_jpeg_enum_fmt_vid_cap(str
 	struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv);
 
 	if (ctx->mode == S5P_JPEG_ENCODE)
-		return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f,
+		return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f,
 				SJPEG_FMT_FLAG_ENC_CAPTURE);
 
-	return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f,
-					SJPEG_FMT_FLAG_DEC_CAPTURE);
+	return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f,
+			SJPEG_FMT_FLAG_DEC_CAPTURE);
 }
 
 static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv,
@@ -904,11 +907,11 @@ static int s5p_jpeg_enum_fmt_vid_out(str
 	struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv);
 
 	if (ctx->mode == S5P_JPEG_ENCODE)
-		return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f,
+		return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f,
 				SJPEG_FMT_FLAG_ENC_OUTPUT);
 
-	return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f,
-					SJPEG_FMT_FLAG_DEC_OUTPUT);
+	return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f,
+			SJPEG_FMT_FLAG_DEC_OUTPUT);
 }
 
 static struct s5p_jpeg_q_data *get_q_data(struct s5p_jpeg_ctx *ctx,



* [PATCH 3.16 025/129] powerpc/irq: drop arch_early_irq_init()
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christophe Leroy, Thomas Gleixner,
	Michael Ellerman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 607ea5090b3fb61fea1d0bc5278e6c1d40ab5bd6 upstream.

arch_early_irq_init() does nothing different than the weak
arch_early_irq_init() in kernel/softirq.c

Fixes: 089fb442f301 ("powerpc: Use ARCH_IRQ_INIT_FLAGS")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/irq.c | 5 -----
 1 file changed, 5 deletions(-)

--- a/arch/powerpc/kernel/irq.c
+++ b/arch/powerpc/kernel/irq.c
@@ -662,11 +662,6 @@ int irq_choose_cpu(const struct cpumask
 }
 #endif
 
-int arch_early_irq_init(void)
-{
-	return 0;
-}
-
 #ifdef CONFIG_PPC64
 static int __init setup_noirqdistrib(char *str)
 {
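Review bot: Removing arch_early_irq_init() from arch/powerpc/kernel/irq.c is only safe if the weak definition that the commit message places in kernel/softirq.c exists in the 3.16 tree and also returns 0; nothing in this hunk can show that. Since this is a backport, the changelog should say the weak symbol was checked in 3.16, otherwise the result is a link failure or a behaviour change rather than a cleanup.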



* [PATCH 3.16 036/129] rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, He, Bo, Paul E. McKenney, Zhang, Jun

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Zhang, Jun" <jun.zhang@intel.com>

commit 1d1f898df6586c5ea9aeaf349f13089c6fa37903 upstream.

The rcu_gp_kthread_wake() function is invoked when it might be necessary
to wake the RCU grace-period kthread.  Because self-wakeups are normally
a useless waste of CPU cycles, if rcu_gp_kthread_wake() is invoked from
this kthread, it naturally refuses to do the wakeup.

Unfortunately, natural though it might be, this heuristic fails when
rcu_gp_kthread_wake() is invoked from an interrupt or softirq handler
that interrupted the grace-period kthread just after the final check of
the wait-event condition but just before the schedule() call.  In this
case, a wakeup is required, even though the call to rcu_gp_kthread_wake()
is within the RCU grace-period kthread's context.  Failing to provide
this wakeup can result in grace periods failing to start, which in turn
results in out-of-memory conditions.

This race window is quite narrow, but it actually did happen during real
testing.  It would of course need to be fixed even if it was strictly
theoretical in nature.

This patch does not Cc stable because it does not apply cleanly to
earlier kernel versions.

Fixes: 48a7639ce80c ("rcu: Make callers awaken grace-period kthread")
Reported-by: "He, Bo" <bo.he@intel.com>
Co-developed-by: "Zhang, Jun" <jun.zhang@intel.com>
Co-developed-by: "He, Bo" <bo.he@intel.com>
Co-developed-by: "xiao, jin" <jin.xiao@intel.com>
Co-developed-by: Bai, Jie A <jie.a.bai@intel.com>
Signed-off: "Zhang, Jun" <jun.zhang@intel.com>
Signed-off: "He, Bo" <bo.he@intel.com>
Signed-off: "xiao, jin" <jin.xiao@intel.com>
Signed-off: Bai, Jie A <jie.a.bai@intel.com>
Signed-off-by: "Zhang, Jun" <jun.zhang@intel.com>
[ paulmck: Switch from !in_softirq() to "!in_interrupt() &&
  !in_serving_softirq() to avoid redundant wakeups and to also handle the
  interrupt-handler scenario as well as the softirq-handler scenario that
  actually occurred in testing. ]
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Link: https://lkml.kernel.org/r/CD6925E8781EFD4D8E11882D20FC406D52A11F61@SHSMSX104.ccr.corp.intel.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/rcu/tree.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -1384,15 +1384,23 @@ static int rcu_future_gp_cleanup(struct
 }
 
 /*
- * Awaken the grace-period kthread for the specified flavor of RCU.
- * Don't do a self-awaken, and don't bother awakening when there is
- * nothing for the grace-period kthread to do (as in several CPUs
- * raced to awaken, and we lost), and finally don't try to awaken
- * a kthread that has not yet been created.
+ * Awaken the grace-period kthread.  Don't do a self-awaken (unless in
+ * an interrupt or softirq handler), and don't bother awakening when there
+ * is nothing for the grace-period kthread to do (as in several CPUs raced
+ * to awaken, and we lost), and finally don't try to awaken a kthread that
+ * has not yet been created.  If all those checks are passed, track some
+ * debug information and awaken.
+ *
+ * So why do the self-wakeup when in an interrupt or softirq handler
+ * in the grace-period kthread's context?  Because the kthread might have
+ * been interrupted just as it was going to sleep, and just after the final
+ * pre-sleep check of the awaken condition.  In this case, a wakeup really
+ * is required, and is therefore supplied.
  */
 static void rcu_gp_kthread_wake(struct rcu_state *rsp)
 {
-	if (current == rsp->gp_kthread ||
+	if ((current == rsp->gp_kthread &&
+	     !in_interrupt() && !in_serving_softirq()) ||
 	    !ACCESS_ONCE(rsp->gp_flags) ||
 	    !rsp->gp_kthread)
 		return;
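Review bot: In the new condition, `!in_interrupt() && !in_serving_softirq()` tests two things where one appears to be enough: in_interrupt() is already true while a softirq handler is being served, so the second test does not change the outcome and should either be dropped or justified in the comment. The rewritten comment also says the function will "track some debug information" before awakening; the visible part of rcu_gp_kthread_wake() shows nothing of the kind, so for the 3.16 backport that sentence should be checked against the function body and trimmed if it does not apply.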



* [PATCH 3.16 035/129] applicom: Fix potential Spectre v1 vulnerabilities
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Greg Kroah-Hartman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c upstream.

IndexCard is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r]
drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap)

Fix this by sanitizing IndexCard before using it to index apbs.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/applicom.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

--- a/drivers/char/applicom.c
+++ b/drivers/char/applicom.c
@@ -32,6 +32,7 @@
 #include <linux/wait.h>
 #include <linux/init.h>
 #include <linux/fs.h>
+#include <linux/nospec.h>
 
 #include <asm/io.h>
 #include <asm/uaccess.h>
@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *fil
 	TicCard = st_loc.tic_des_from_pc;	/* tic number to send            */
 	IndexCard = NumCard - 1;
 
-	if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO)
+	if (IndexCard >= MAX_BOARD)
+		return -EINVAL;
+	IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
+
+	if (!apbs[IndexCard].RamIO)
 		return -EINVAL;
 
 #ifdef DEBUG
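Review bot: The old test in ac_write() rejected `NumCard < 1` explicitly, while the replacement `if (IndexCard >= MAX_BOARD)` only catches NumCard == 0 if IndexCard is an unsigned type, so that `NumCard - 1` wraps to a large value. The declaration is not part of this hunk, so a one-line comment above the check stating that reliance, or keeping the explicit lower-bound test, would make the equivalence with the old condition reviewable.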
@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file,
 	unsigned char IndexCard;
 	void __iomem *pmem;
 	int ret = 0;
+	static int warncount = 10;
 	volatile unsigned char byte_reset_it;
 	struct st_ram_io *adgl;
 	void __user *argp = (void __user *)arg;
@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file,
 	mutex_lock(&ac_mutex);	
 	IndexCard = adgl->num_card-1;
 	 
-	if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
-		static int warncount = 10;
-		if (warncount) {
-			printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1);
-			warncount--;
-		}
-		kfree(adgl);
-		mutex_unlock(&ac_mutex);
-		return -EINVAL;
-	}
+	if (cmd != 6 && IndexCard >= MAX_BOARD)
+		goto err;
+	IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
+
+	if (cmd != 6 && !apbs[IndexCard].RamIO)
+		goto err;
 
 	switch (cmd) {
 		
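Review bot: For cmd == 6 the bound check is skipped, but `IndexCard = array_index_nospec(IndexCard, MAX_BOARD);` still runs, so an out-of-range board number is now silently turned into index 0 on that path instead of being left unchanged as before. If the cmd 6 case never uses IndexCard this is harmless and only needs a comment; if it does, the behaviour of that command has changed and the changelog should call it out.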
@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file,
 	kfree(adgl);
 	mutex_unlock(&ac_mutex);
 	return 0;
+
+err:
+	if (warncount) {
+		pr_warn("APPLICOM driver IOCTL, bad board number %d\n",
+			(int)IndexCard + 1);
+		warncount--;
+	}
+	kfree(adgl);
+	mutex_unlock(&ac_mutex);
+	return -EINVAL;
+
 }
 


^ permalink raw reply	[flat|nested] 138+ messages in thread
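The check-then-clamp pattern from the applicom patch above, as an added example that is not part of the original message or of the kernel source: a userspace model of the branchless mask behind array_index_nospec(), following the kernel's generic C fallback. The value of MAX_BOARD and the helper names index_mask_nospec, clamp_index, write_path_index and ioctl_path_index are assumptions made for the demo.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed value for the demo; the page does not show the real MAX_BOARD. */
#define MAX_BOARD 8
#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * Model of the generic mask used by array_index_nospec(): all ones when
 * index < size, zero otherwise, computed with arithmetic only so that the
 * result is a data dependency and not a predictable branch.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * values (true for gcc and clang). The kernel additionally hides index
 * from the optimiser; this model only shows the arithmetic.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Hypothetical helper: in-range indexes pass through, others become 0. */
static unsigned char clamp_index(unsigned char idx, unsigned long size)
{
	return (unsigned char)(idx & index_mask_nospec(idx, size));
}

/*
 * Model of the patched ac_write() path: architectural bounds check first,
 * then the clamp that still holds if the check is mispredicted.
 * Returns the sanitised index, or -1 where the driver returns -EINVAL.
 */
static int write_path_index(unsigned char num_card)
{
	unsigned char idx = (unsigned char)(num_card - 1); /* 0 wraps to 255 */

	if (idx >= MAX_BOARD)
		return -1;
	return clamp_index(idx, MAX_BOARD);
}

/*
 * Model of the patched ac_ioctl() path: cmd 6 skips the bounds check but
 * is still clamped, so an out-of-range board number becomes index 0.
 */
static int ioctl_path_index(unsigned char num_card, int cmd)
{
	unsigned char idx = (unsigned char)(num_card - 1);

	if (cmd != 6 && idx >= MAX_BOARD)
		return -1;
	return clamp_index(idx, MAX_BOARD);
}

int main(void)
{
	/* Constructed inputs: valid, upper boundary, one past, zero, far out. */
	static const unsigned char cards[] = { 1, 8, 9, 0, 200 };
	size_t i;

	for (i = 0; i < sizeof(cards) / sizeof(cards[0]); i++)
		printf("num_card=%3u write=%2d ioctl(cmd 1)=%2d ioctl(cmd 6)=%2d\n",
		       cards[i], write_path_index(cards[i]),
		       ioctl_path_index(cards[i], 1),
		       ioctl_path_index(cards[i], 6));
	return 0;
}
```

The cmd 6 column shows the one behavioural side effect of clamping without a preceding check: every invalid board number maps to index 0.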

* [PATCH 3.16 038/129] mtd: docg3: Fix kasprintf() usage
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Richard Weinberger, Brian Norris

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 0eb8618bd07533f423fed47399a0d6387bfe7cac upstream.

kasprintf() does a dynamic memory allocation and can fail.
We have to handle that case.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/devices/docg3.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -1822,7 +1822,7 @@ static void __exit doc_dbg_unregister(st
  * @chip_id: The chip ID of the supported chip
  * @mtd: The structure to fill
  */
-static void __init doc_set_driver_info(int chip_id, struct mtd_info *mtd)
+static int __init doc_set_driver_info(int chip_id, struct mtd_info *mtd)
 {
 	struct docg3 *docg3 = mtd->priv;
 	int cfg;
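Review bot: doc_set_driver_info() now returns int, but the kernel-doc block directly above it (the `@chip_id` and `@mtd` lines) still says nothing about a return value. Add a line such as "Returns 0 on success, -ENOMEM if the name cannot be allocated" so that callers know the result has to be checked.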
@@ -1835,6 +1835,8 @@ static void __init doc_set_driver_info(i
 	case DOC_CHIPID_G3:
 		mtd->name = kasprintf(GFP_KERNEL, "docg3.%d",
 				      docg3->device_id);
+		if (!mtd->name)
+			return -ENOMEM;
 		docg3->max_block = 2047;
 		break;
 	}
@@ -1857,6 +1859,8 @@ static void __init doc_set_driver_info(i
 	mtd->_block_isbad = doc_block_isbad;
 	mtd->ecclayout = &docg3_oobinfo;
 	mtd->ecc_strength = DOC_ECC_BCH_T;
+
+	return 0;
 }
 
 /**
@@ -1920,7 +1924,9 @@ doc_probe_device(struct docg3_cascade *c
 		goto nomem4;
 	}
 
-	doc_set_driver_info(chip_id, mtd);
+	ret = doc_set_driver_info(chip_id, mtd);
+	if (ret)
+		goto nomem4;
 
 	doc_hamming_ecc_init(docg3, DOC_LAYOUT_OOB_PAGEINFO_SZ);
 	doc_reload_bbt(docg3);
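Review bot: The failure path added after `ret = doc_set_driver_info(chip_id, mtd);` reuses the existing `nomem4` label, and the hunk does not show what that label unwinds or whether it propagates `ret`. It is worth confirming for this backport that the -ENOMEM set here is what doc_probe_device() ends up returning, and that nothing freed under nomem4 assumes `mtd->name` is set.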



* [PATCH 3.16 046/129] scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Bart Van Assche

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bvanassche@acm.org>

commit 32e36bfbcf31452a854263e7c7f32fbefc4b44d8 upstream.

When using SCSI passthrough in combination with the iSCSI target driver
then cmd->t_state_lock may be obtained from interrupt context. Hence, all
code that obtains cmd->t_state_lock from thread context must disable
interrupts first. This patch avoids that lockdep reports the following:

WARNING: inconsistent lock state
4.18.0-dbg+ #1 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
iscsi_ttx/1800 [HC1[1]:SC0[2]:HE0:SE0] takes:
000000006e7b0ceb (&(&cmd->t_state_lock)->rlock){?...}, at: target_complete_cmd+0x47/0x2c0 [target_core_mod]
{HARDIRQ-ON-W} state was registered at:
 lock_acquire+0xd2/0x260
 _raw_spin_lock+0x32/0x50
 iscsit_close_connection+0x97e/0x1020 [iscsi_target_mod]
 iscsit_take_action_for_connection_exit+0x108/0x200 [iscsi_target_mod]
 iscsi_target_rx_thread+0x180/0x190 [iscsi_target_mod]
 kthread+0x1cf/0x1f0
 ret_from_fork+0x24/0x30
irq event stamp: 1281
hardirqs last  enabled at (1279): [<ffffffff970ade79>] __local_bh_enable_ip+0xa9/0x160
hardirqs last disabled at (1281): [<ffffffff97a008a5>] interrupt_entry+0xb5/0xd0
softirqs last  enabled at (1278): [<ffffffff977cd9a1>] lock_sock_nested+0x51/0xc0
softirqs last disabled at (1280): [<ffffffffc07a6e04>] ip6_finish_output2+0x124/0xe40 [ipv6]

other info that might help us debug this:
Possible unsafe locking scenario:

      CPU0
      ----
 lock(&(&cmd->t_state_lock)->rlock);
 <Interrupt>
   lock(&(&cmd->t_state_lock)->rlock);

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4201,9 +4201,9 @@ static void iscsit_release_commands_from
 		struct se_cmd *se_cmd = &cmd->se_cmd;
 
 		if (se_cmd->se_tfo != NULL) {
-			spin_lock(&se_cmd->t_state_lock);
+			spin_lock_irq(&se_cmd->t_state_lock);
 			se_cmd->transport_state |= CMD_T_FABRIC_STOP;
-			spin_unlock(&se_cmd->t_state_lock);
+			spin_unlock_irq(&se_cmd->t_state_lock);
 		}
 	}
 	spin_unlock_bh(&conn->cmd_lock);
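Review bot: `spin_unlock_irq(&se_cmd->t_state_lock);` re-enables interrupts unconditionally, so the change is only correct if this loop is never entered with interrupts already disabled. The surrounding `spin_unlock_bh(&conn->cmd_lock);` suggests that holds, but a one-line comment saying so, or using the irqsave/irqrestore pair, would protect against a future caller breaking the assumption.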



* [PATCH 3.16 045/129] splice: don't merge into linked buffers
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jann Horn, Al Viro

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit a0ce2f0aa6ad97c3d4927bf2ca54bcebdf062d55 upstream.

Before this patch, it was possible for two pipes to affect each other after
data had been transferred between them with tee():

============
$ cat tee_test.c
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void) {
  int pipe_a[2];
  if (pipe(pipe_a)) err(1, "pipe");
  int pipe_b[2];
  if (pipe(pipe_b)) err(1, "pipe");
  if (write(pipe_a[1], "abcd", 4) != 4) err(1, "write");
  if (tee(pipe_a[0], pipe_b[1], 2, 0) != 2) err(1, "tee");
  if (write(pipe_b[1], "xx", 2) != 2) err(1, "write");

  char buf[5];
  if (read(pipe_a[0], buf, 4) != 4) err(1, "read");
  buf[4] = 0;
  printf("got back: '%s'\n", buf);
}
$ gcc -o tee_test tee_test.c
$ ./tee_test
got back: 'abxx'
$
============

As suggested by Al Viro, fix it by creating a separate type for
non-mergeable pipe buffers, then changing the types of buffers in
splice_pipe_to_pipe() and link_pipe().

Fixes: 7c77f0b3f920 ("splice: implement pipe to pipe splicing")
Fixes: 70524490ee2e ("[PATCH] splice: add support for sys_tee()")
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16: Use generic_pipe_buf_steal(), as for other pipe
 types, since anon_pipe_buf_steal() does not exist here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pipe.c                 | 14 ++++++++++++++
 fs/splice.c               |  4 ++++
 include/linux/pipe_fs_i.h |  1 +
 3 files changed, 19 insertions(+)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -219,6 +219,14 @@ static const struct pipe_buf_operations
 	.get = generic_pipe_buf_get,
 };
 
+static const struct pipe_buf_operations anon_pipe_buf_nomerge_ops = {
+	.can_merge = 0,
+	.confirm = generic_pipe_buf_confirm,
+	.release = anon_pipe_buf_release,
+	.steal = generic_pipe_buf_steal,
+	.get = generic_pipe_buf_get,
+};
+
 static const struct pipe_buf_operations packet_pipe_buf_ops = {
 	.can_merge = 0,
 	.confirm = generic_pipe_buf_confirm,
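Review bot: `anon_pipe_buf_nomerge_ops` carries no comment tying it to `anon_pipe_buf_ops`, although the new table is presumably meant to mirror it apart from `.can_merge = 0`. The reason `.steal` is generic_pipe_buf_steal in this backport is recorded only in the commit message; a comment above the struct covering both points would help whoever next changes either table.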
@@ -227,6 +235,12 @@ static const struct pipe_buf_operations
 	.get = generic_pipe_buf_get,
 };
 
+void pipe_buf_mark_unmergeable(struct pipe_buffer *buf)
+{
+	if (buf->ops == &anon_pipe_buf_ops)
+		buf->ops = &anon_pipe_buf_nomerge_ops;
+}
+
 static ssize_t
 pipe_read(struct kiocb *iocb, struct iov_iter *to)
 {
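Review bot: pipe_buf_mark_unmergeable() is a new non-static helper called from fs/splice.c, yet it has no comment and quietly does nothing unless `buf->ops == &anon_pipe_buf_ops`. A short kernel-doc block saying why buffers with any other ops need no change would make that early-out clearly intentional and tell future callers what the function guarantees.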
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1901,6 +1901,8 @@ retry:
 			 */
 			obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
 
+			pipe_buf_mark_unmergeable(obuf);
+
 			obuf->len = len;
 			opipe->nrbufs++;
 			ibuf->offset += obuf->len;
@@ -1975,6 +1977,8 @@ static int link_pipe(struct pipe_inode_i
 		 */
 		obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
 
+		pipe_buf_mark_unmergeable(obuf);
+
 		if (obuf->len > len)
 			obuf->len = len;
 
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -140,6 +140,7 @@ void generic_pipe_buf_get(struct pipe_in
 int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
 int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
 void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
+void pipe_buf_mark_unmergeable(struct pipe_buffer *buf);
 
 extern const struct pipe_buf_operations nosteal_pipe_buf_ops;
 



* [PATCH 3.16 052/129] rtc: 88pm80x: fix unintended sign extension
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Colin Ian King, Alexandre Belloni

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit fb0b322537a831b5b0cb948c56f8f958ce493d3a upstream.

Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.

Fix this by casting the u8 value to an unsigned long before the shift.

Detected by CoverityScan, CID#714646-714649 ("Unintended sign extension")

Fixes: 2985c29c1964 ("rtc: Add rtc support to 88PM80X PMIC")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-88pm80x.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/rtc/rtc-88pm80x.c
+++ b/drivers/rtc/rtc-88pm80x.c
@@ -116,12 +116,14 @@ static int pm80x_rtc_read_time(struct de
 	unsigned char buf[4];
 	unsigned long ticks, base, data;
 	regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4);
-	base = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]);
 
 	/* load 32-bit read-only counter */
 	regmap_raw_read(info->map, PM800_RTC_COUNTER1, buf, 4);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	ticks = base + data;
 	dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);
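Review bot: The expression `((unsigned long)buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]` is now repeated at every read site touched by this patch; a small static helper taking `buf` would keep the cast in one place so that a future read cannot reintroduce the sign extension. Separately, the regmap_raw_read() calls feeding these expressions ignore their return value, so `unsigned char buf[4]` can be consumed without having been filled.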
@@ -144,7 +146,8 @@ static int pm80x_rtc_set_time(struct dev
 
 	/* load 32-bit read-only counter */
 	regmap_raw_read(info->map, PM800_RTC_COUNTER1, buf, 4);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	base = ticks - data;
 	dev_dbg(info->dev, "set base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);
@@ -165,11 +168,13 @@ static int pm80x_rtc_read_alarm(struct d
 	int ret;
 
 	regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4);
-	base = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]);
 
 	regmap_raw_read(info->map, PM800_RTC_EXPIRE1_1, buf, 4);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	ticks = base + data;
 	dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);
@@ -192,12 +197,14 @@ static int pm80x_rtc_set_alarm(struct de
 	regmap_update_bits(info->map, PM800_RTC_CONTROL, PM800_ALARM1_EN, 0);
 
 	regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4);
-	base = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]);
 
 	/* load 32-bit read-only counter */
 	regmap_raw_read(info->map, PM800_RTC_COUNTER1, buf, 4);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	ticks = base + data;
 	dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);



* [PATCH 3.16 049/129] media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Chiranjeevi Rapolu, Laurent Pinchart,
	Sakari Ailus, Mauro Carvalho Chehab

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sakari Ailus <sakari.ailus@linux.intel.com>

commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream.

The UVC video driver converts the timestamp from hardware specific unit
to one known by the kernel at the time when the buffer is dequeued. This
is fine in general, but the streamoff operation consists of the
following steps (among other things):

1. uvc_video_clock_cleanup --- the hardware clock sample array is
   released and the pointer to the array is set to NULL,

2. buffers in active state are returned to the user and

3. buf_finish callback is called on buffers that are prepared.
   buf_finish includes calling uvc_video_clock_update that accesses the
   hardware clock sample array.

The above is serialised by a queue specific mutex. Address the problem
by skipping the clock conversion if the hardware clock sample array is
already released.

Fixes: 9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel")

Reported-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Tested-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/uvc/uvc_video.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -627,6 +627,14 @@ void uvc_video_clock_update(struct uvc_s
 	u32 rem;
 	u64 y;
 
+	/*
+	 * We will get called from __vb2_queue_cancel() if there are buffers
+	 * done but not dequeued by the user, but the sample array has already
+	 * been released at that time. Just bail out in that case.
+	 */
+	if (!clock->samples)
+		return;
+
 	spin_lock_irqsave(&clock->lock, flags);
 
 	if (clock->count < clock->size)
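Review bot: The new `if (!clock->samples) return;` test runs before `spin_lock_irqsave(&clock->lock, flags);`, so the read of `clock->samples` is not covered by the clock lock. The commit message explains that the queue mutex serialises this against uvc_video_clock_cleanup(); the added code comment should say that as well, because without it the unlocked read looks like a race.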



* [PATCH 3.16 063/129] ext4: fix crash during online resizing
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Theodore Ts'o, Jan Kara

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 upstream.

When computing maximum size of filesystem possible with given number of
group descriptor blocks, we forget to include s_first_data_block into
the number of blocks. Thus for filesystems with non-zero
s_first_data_block it can happen that computed maximum filesystem size
is actually lower than current filesystem size which confuses the code
and eventually leads to a BUG_ON in ext4_alloc_group_tables() hitting on
flex_gd->count == 0. The problem can be reproduced like:

truncate -s 100g /tmp/image
mkfs.ext4 -b 1024 -E resize=262144 /tmp/image 32768
mount -t ext4 -o loop /tmp/image /mnt
resize2fs /dev/loop0 262145
resize2fs /dev/loop0 300000

Fix the problem by properly including s_first_data_block into the
computed number of filesystem blocks.

Fixes: 1c6bd7173d66 "ext4: convert file system to meta_bg if needed..."
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/resize.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1931,7 +1931,8 @@ retry:
 				le16_to_cpu(es->s_reserved_gdt_blocks);
 			n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb);
 			n_blocks_count = (ext4_fsblk_t)n_group *
-				EXT4_BLOCKS_PER_GROUP(sb);
+				EXT4_BLOCKS_PER_GROUP(sb) +
+				le32_to_cpu(es->s_first_data_block);
 			n_group--; /* set to last group number */
 		}
 
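Review bot: The added `+ le32_to_cpu(es->s_first_data_block)` term in the `n_blocks_count` expression carries no comment, and nothing nearby says why the first data block belongs in a size derived from `n_group * EXT4_BLOCKS_PER_GROUP(sb)`. A one-line comment that the block count has to include `s_first_data_block`, which is non-zero on filesystems like the 1024-byte-block reproducer in the changelog, would keep the term from being dropped again. The `(ext4_fsblk_t)` cast still applies to `n_group` before the multiply, so the sum is computed at full width.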



* [PATCH 3.16 075/129] drm/radeon/evergreen_cs: fix missing break in switch statement
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 105/129] scsi: virtio_scsi: don't send sc payload with tmfs Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 005/129] clk: socfpga: fix refcount leak Ben Hutchings
                   ` (108 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alex Deucher, Gustavo A. R. Silva

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit cc5034a5d293dd620484d1d836aa16c6764a1c8c upstream.

Add missing break statement in order to prevent the code from falling
through to case CB_TARGET_MASK.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: dd220a00e8bd ("drm/radeon/kms: add support for streamout v7")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/evergreen_cs.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/radeon/evergreen_cs.c
+++ b/drivers/gpu/drm/radeon/evergreen_cs.c
@@ -1318,6 +1318,7 @@ static int evergreen_cs_check_reg(struct
 			return -EINVAL;
 		}
 		ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);
+		break;
 	case CB_TARGET_MASK:
 		track->cb_target_mask = radeon_get_ib_value(p, idx);
 		track->cb_dirty = true;
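Review bot: The changelog does not say what the fall-through actually did, which matters to anyone judging this backport: without the `break;` after the `ib[idx] += ...` relocation, execution continued into `case CB_TARGET_MASK:` and overwrote `track->cb_target_mask` and set `track->cb_dirty` while handling a register that is not CB_TARGET_MASK. Please state that consequence in the commit message. The one-line fix itself looks correct as far as this hunk shows.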



* [PATCH 3.16 082/129] clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 096/129] net-sysfs: Fix mem leak in netdev_register_kobject Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 103/129] mm, swap: bounds check swap_info array accesses to avoid NULL derefs Ben Hutchings
                   ` (53 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Krzysztof Kozlowski, Daniel Lezcano,
	Chanwoo Choi, Marek Szyprowski

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit b9307420196009cdf18bad55e762ac49fb9a80f4 upstream.

While freeing interrupt handlers in error path, don't assume that all
requested interrupts are per-processor interrupts and properly release
standard interrupts too.

Reported-by: Krzysztof Kozlowski <krzk@kernel.org>
Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clocksource/exynos_mct.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -558,7 +558,19 @@ static void __init exynos4_timer_resourc
 	return;
 
 out_irq:
-	free_percpu_irq(mct_irqs[MCT_L0_IRQ], &percpu_mct_tick);
+	if (mct_int_type == MCT_INT_PPI) {
+		free_percpu_irq(mct_irqs[MCT_L0_IRQ], &percpu_mct_tick);
+	} else {
+		for_each_possible_cpu(cpu) {
+			struct mct_clock_event_device *pcpu_mevt =
+				per_cpu_ptr(&percpu_mct_tick, cpu);
+
+			if (pcpu_mevt->evt.irq != -1) {
+				free_irq(pcpu_mevt->evt.irq, pcpu_mevt);
+				pcpu_mevt->evt.irq = -1;
+			}
+		}
+	}
 }
 
 void __init mct_init(void __iomem *base, int irq_g0, int irq_l0, int irq_l1)
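Review bot: The new `else` branch under `out_irq:` iterates with `for_each_possible_cpu(cpu)`, but no declaration of `cpu` appears in the hunk, and this is a backport with adjusted context. Please confirm `cpu` is already declared in the 3.16 version of this function. The loop also relies on `evt.irq` being initialised to -1 for every possible CPU before the first request can fail; if an entry still holds 0 at that point, `free_irq(pcpu_mevt->evt.irq, pcpu_mevt)` is called for an interrupt that was never requested.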



* [PATCH 3.16 083/129] mmc: omap: fix the maximum timeout setting
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 028/129] media: v4l2: i2c: ov7670: Fix PLL bypass register values Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 043/129] crypto: testmgr - skip crc32c context test for ahash algorithms Ben Hutchings
                   ` (42 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Aaro Koskinen, Ulf Hansson

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit a6327b5e57fdc679c842588c3be046c0b39cc127 upstream.

When running OMAP1 kernel on QEMU, MMC access is annoyingly noisy:

	MMC: CTO of 0xff and 0xfe cannot be used!
	MMC: CTO of 0xff and 0xfe cannot be used!
	MMC: CTO of 0xff and 0xfe cannot be used!
	[ad inf.]

Emulator warnings appear to be valid. The TI document SPRU680 [1]
("OMAP5910 Dual-Core Processor MultiMedia Card/Secure Data Memory Card
(MMC/SD) Reference Guide") page 36 states that the maximum timeout is 253
cycles and "0xff and 0xfe cannot be used".

Fix by using 0xfd as the maximum timeout.

Tested using QEMU 2.5 (Siemens SX1 machine, OMAP310), and also checked on
real hardware using Palm TE (OMAP310), Nokia 770 (OMAP1710) and Nokia N810
(OMAP2420) that MMC works as before.

[1] http://www.ti.com/lit/ug/spru680/spru680.pdf

Fixes: 730c9b7e6630f ("[MMC] Add OMAP MMC host driver")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/omap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/omap.c
+++ b/drivers/mmc/host/omap.c
@@ -921,7 +921,7 @@ static inline void set_cmd_timeout(struc
 	reg &= ~(1 << 5);
 	OMAP_MMC_WRITE(host, SDIO, reg);
 	/* Set maximum timeout */
-	OMAP_MMC_WRITE(host, CTO, 0xff);
+	OMAP_MMC_WRITE(host, CTO, 0xfd);
 }
 
 static inline void set_data_timeout(struct mmc_omap_host *host, struct mmc_request *req)
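Review bot: `0xfd` in `OMAP_MMC_WRITE(host, CTO, 0xfd)` is a bare magic number, and the comment above it still only says "Set maximum timeout". Extend the comment to record that 0xff and 0xfe cannot be used per SPRU680, or introduce a named constant, so the value is not "corrected" back to 0xff by a later cleanup.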



* [PATCH 3.16 099/129] nfsd: fix memory corruption caused by readdir
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 129/129] netns: provide pure entropy for net_hash_mix() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 096/129] net-sysfs: Fix mem leak in netdev_register_kobject Ben Hutchings
                   ` (55 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, NeilBrown, J. Bruce Fields

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.com>

commit b602345da6cbb135ba68cf042df8ec9a73da7981 upstream.

If the result of an NFSv3 readdir{,plus} request results in the
"offset" on one entry having to be split across 2 pages, and is sized
so that the next directory entry doesn't fit in the requested size,
then memory corruption can happen.

When encode_entry() is called after encoding the last entry that fits,
it notices that ->offset and ->offset1 are set, and so stores the
offset value in the two pages as required.  It clears ->offset1 but
*does not* clear ->offset.

Normally this omission doesn't matter as encode_entry_baggage() will
be called, and will set ->offset to a suitable value (not on a page
boundary).
But in the case where cd->buflen < elen and nfserr_toosmall is
returned, ->offset is not reset.

This means that nfsd3proc_readdirplus will see ->offset with a value 4
bytes before the end of a page, and ->offset1 set to NULL.
It will try to write 8 bytes to ->offset.
If we are lucky, the next page will be read-only, and the system will
  BUG: unable to handle kernel paging request at...

If we are unlucky, some innocent page will have the first 4 bytes
corrupted.

nfsd3proc_readdir() doesn't even check for ->offset1, it just blindly
writes 8 bytes to the offset wherever it is.

Fix this by clearing ->offset after it is used, and copying the
->offset handling code from nfsd3_proc_readdirplus into
nfsd3_proc_readdir.

(Note that the commit hash in the Fixes tag is from the 'history'
 tree - this bug predates git).

Fixes: 0b1d57cf7654 ("[PATCH] kNFSd: Fix nfs3 dentry encoding")
Fixes-URL: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0b1d57cf7654
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/nfs3proc.c | 16 ++++++++++++++--
 fs/nfsd/nfs3xdr.c  |  1 +
 2 files changed, 15 insertions(+), 2 deletions(-)

--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -440,8 +440,19 @@ nfsd3_proc_readdir(struct svc_rqst *rqst
 					&resp->common, nfs3svc_encode_entry);
 	memcpy(resp->verf, argp->verf, 8);
 	resp->count = resp->buffer - argp->buffer;
-	if (resp->offset)
-		xdr_encode_hyper(resp->offset, argp->cookie);
+	if (resp->offset) {
+		loff_t offset = argp->cookie;
+
+		if (unlikely(resp->offset1)) {
+			/* we ended up with offset on a page boundary */
+			*resp->offset = htonl(offset >> 32);
+			*resp->offset1 = htonl(offset & 0xffffffff);
+			resp->offset1 = NULL;
+		} else {
+			xdr_encode_hyper(resp->offset, offset);
+		}
+		resp->offset = NULL;
+	}
 
 	RETURN_STATUS(nfserr);
 }
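Review bot: The block added under `if (resp->offset)` is a copy of the split-write handling in `nfsd3_proc_readdirplus()`, and `encode_entry()` in nfs3xdr.c carries a third copy of the same `offset1` test. Three open-coded versions of "write the 64-bit cookie, possibly across two pages, then clear the pointers" is how `nfsd3_proc_readdir()` came to miss the `offset1` case in the first place. Consider a small helper that takes the two pointers and the offset and is used from all three sites, so that the clearing of `offset` and `offset1` cannot drift apart again.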
@@ -501,6 +512,7 @@ nfsd3_proc_readdirplus(struct svc_rqst *
 		} else {
 			xdr_encode_hyper(resp->offset, offset);
 		}
+		resp->offset = NULL;
 	}
 
 	RETURN_STATUS(nfserr);
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -909,6 +909,7 @@ encode_entry(struct readdir_cd *ccd, con
 		} else {
 			xdr_encode_hyper(cd->offset, offset64);
 		}
+		cd->offset = NULL;
 	}
 
 	/*
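Review bot: `cd->offset = NULL;` after the if/else in this hunk is the line that closes the corruption window, but the code gives no hint why it is there. Add a comment that the pointer must not survive this call, because the path that returns nfserr_toosmall leaves before `->offset` is set again and the callers in nfs3proc.c then write 8 bytes through whatever is left in it.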



* [PATCH 3.16 092/129] tools lib traceevent: Fix buffer overflow in arg_eval
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 004/129] clk: highbank: fix refcount leak in hb_clk_init() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 027/129] media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL Ben Hutchings
                   ` (79 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Frederic Weisbecker,
	Steven Rostedt (VMware),
	Mathias Krause, Michael Sartain, Tony Jones,
	Arnaldo Carvalho de Melo

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Jones <tonyj@suse.de>

commit 7c5b019e3a638a5a290b0ec020f6ca83d2ec2aaa upstream.

Fix buffer overflow observed when running perf test.

The overflow is when trying to evaluate "1ULL << (64 - 1)" which is
resulting in -9223372036854775808 which overflows the 20 character
buffer.

It is possible this bug has been reported before but I still don't see
any fix checked in:

See: https://www.spinics.net/lists/linux-perf-users/msg07714.html

Reported-by: Michael Sartain <mikesart@fastmail.com>
Reported-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Tony Jones <tonyj@suse.de>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a")
Link: http://lkml.kernel.org/r/20190228015532.8941-1-tonyj@suse.de
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/lib/traceevent/event-parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/lib/traceevent/event-parse.c
+++ b/tools/lib/traceevent/event-parse.c
@@ -2283,7 +2283,7 @@ static int arg_num_eval(struct print_arg
 static char *arg_eval (struct print_arg *arg)
 {
 	long long val;
-	static char buf[20];
+	static char buf[24];
 
 	switch (arg->type) {
 	case PRINT_ATOM:
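Review bot: Growing `buf` from 20 to 24 bytes covers the reported value (the 20 characters of -9223372036854775808 plus the terminating NUL need 21), but the hunk does not show how `val` is formatted into it. If that is an unbounded `sprintf()`, please switch it to `snprintf(buf, sizeof(buf), ...)` in the same change so the bound is enforced rather than implied by the array size. `buf` is also `static`, so the pointer `arg_eval()` returns is overwritten by the next call and callers must not hold it across calls.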



* [PATCH 3.16 124/129] binder: Replace "%p" with "%pK" for stable
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 102/129] mm: fix potential data race in SyS_swapon Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 121/129] tcp: refine memory limit test in tcp_fragment() Ben Hutchings
                   ` (18 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ben Hutchings

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

This was done as part of upstream commits fdfb4a99b6ab "binder:
separate binder allocator structure from binder proc", 19c987241ca1
"binder: separate out binder_alloc functions", and 7a4408c6bd3e
"binder: make sure accesses to proc/thread are safe".  However, those
commits made lots of other changes that are not suitable for stable.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/binder.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -473,7 +473,7 @@ static void binder_insert_free_buffer(st
 	new_buffer_size = binder_buffer_size(proc, new_buffer);
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: add free buffer, size %zd, at %p\n",
+		     "%d: add free buffer, size %zd, at %pK\n",
 		      proc->pid, new_buffer_size, new_buffer);
 
 	while (*p) {
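Review bot: This `binder_debug()` conversion, like the `binder_debug()` and `pr_err()` ones in the hunks that follow, sends the value to the kernel log, where what `%pK` prints is governed by the `kptr_restrict` sysctl; with `kptr_restrict` set to 0 it prints the same address `%p` did. The changelog should say that the protection depends on that setting, so that people picking up 3.16.70 do not assume the addresses are hidden unconditionally. The argument list `proc->pid, new_buffer_size, new_buffer` still matches the updated format string.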
@@ -552,7 +552,7 @@ static int binder_update_page_range(stru
 	struct mm_struct *mm;
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: %s pages %p-%p\n", proc->pid,
+		     "%d: %s pages %pK-%pK\n", proc->pid,
 		     allocate ? "allocate" : "free", start, end);
 
 	if (end <= start)
@@ -593,7 +593,7 @@ static int binder_update_page_range(stru
 		BUG_ON(*page);
 		*page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
 		if (*page == NULL) {
-			pr_err("%d: binder_alloc_buf failed for page at %p\n",
+			pr_err("%d: binder_alloc_buf failed for page at %pK\n",
 				proc->pid, page_addr);
 			goto err_alloc_page_failed;
 		}
@@ -602,7 +602,7 @@ static int binder_update_page_range(stru
 		page_array_ptr = page;
 		ret = map_vm_area(&tmp_area, PAGE_KERNEL, &page_array_ptr);
 		if (ret) {
-			pr_err("%d: binder_alloc_buf failed to map page at %p in kernel\n",
+			pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n",
 			       proc->pid, page_addr);
 			goto err_map_kernel_failed;
 		}
@@ -706,7 +706,7 @@ static struct binder_buffer *binder_allo
 	}
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: binder_alloc_buf size %zd got buffer %p size %zd\n",
+		     "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
 		      proc->pid, size, buffer, buffer_size);
 
 	has_page_addr =
@@ -736,7 +736,7 @@ static struct binder_buffer *binder_allo
 		binder_insert_free_buffer(proc, new_buffer);
 	}
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: binder_alloc_buf size %zd got %p\n",
+		     "%d: binder_alloc_buf size %zd got %pK\n",
 		      proc->pid, size, buffer);
 	buffer->data_size = data_size;
 	buffer->offsets_size = offsets_size;
@@ -776,7 +776,7 @@ static void binder_delete_free_buffer(st
 		if (buffer_end_page(prev) == buffer_end_page(buffer))
 			free_page_end = 0;
 		binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-			     "%d: merge free, buffer %p share page with %p\n",
+			     "%d: merge free, buffer %pK share page with %pK\n",
 			      proc->pid, buffer, prev);
 	}
 
@@ -789,14 +789,14 @@ static void binder_delete_free_buffer(st
 			    buffer_start_page(buffer))
 				free_page_start = 0;
 			binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-				     "%d: merge free, buffer %p share page with %p\n",
+				     "%d: merge free, buffer %pK share page with %pK\n",
 				      proc->pid, buffer, prev);
 		}
 	}
 	list_del(&buffer->entry);
 	if (free_page_start || free_page_end) {
 		binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-			     "%d: merge free, buffer %p do not share page%s%s with %p or %p\n",
+			     "%d: merge free, buffer %pK do not share page%s%s with %pK or %pK\n",
 			     proc->pid, buffer, free_page_start ? "" : " end",
 			     free_page_end ? "" : " start", prev, next);
 		binder_update_page_range(proc, 0, free_page_start ?
@@ -817,7 +817,7 @@ static void binder_free_buf(struct binde
 		ALIGN(buffer->offsets_size, sizeof(void *));
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: binder_free_buf %p size %zd buffer_size %zd\n",
+		     "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
 		      proc->pid, buffer, size, buffer_size);
 
 	BUG_ON(buffer->free);
@@ -2825,7 +2825,7 @@ static int binder_mmap(struct file *filp
 #ifdef CONFIG_CPU_CACHE_VIPT
 	if (cache_is_vipt_aliasing()) {
 		while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) {
-			pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
+			pr_info("binder_mmap: %d %lx-%lx maps %pK bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
 			vma->vm_start += PAGE_SIZE;
 		}
 	}
@@ -3083,7 +3083,7 @@ static void binder_deferred_release(stru
 
 			page_addr = proc->buffer + i * PAGE_SIZE;
 			binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-				     "%s: %d: page %d at %p not freed\n",
+				     "%s: %d: page %d at %pK not freed\n",
 				     __func__, proc->pid, i, page_addr);
 			unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE);
 			__free_page(proc->pages[i]);
@@ -3184,7 +3184,7 @@ static void print_binder_transaction(str
 static void print_binder_buffer(struct seq_file *m, const char *prefix,
 				struct binder_buffer *buffer)
 {
-	seq_printf(m, "%s %d: %p size %zd:%zd %s\n",
+	seq_printf(m, "%s %d: %pK size %zd:%zd %s\n",
 		   prefix, buffer->debug_id, buffer->data,
 		   buffer->data_size, buffer->offsets_size,
 		   buffer->transaction ? "active" : "delivered");
@@ -3287,7 +3287,7 @@ static void print_binder_node(struct seq
 
 static void print_binder_ref(struct seq_file *m, struct binder_ref *ref)
 {
-	seq_printf(m, "  ref %d: desc %d %snode %d s %d w %d d %p\n",
+	seq_printf(m, "  ref %d: desc %d %snode %d s %d w %d d %pK\n",
 		   ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ",
 		   ref->node->debug_id, ref->strong, ref->weak, ref->death);
 }
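Review bot: The changelog does not separate log-only call sites from user-readable ones, and the `seq_printf()` here in `print_binder_ref()` (printing `ref->death`) together with the one in `print_binder_buffer()` are the user-readable ones in this patch. Since a seq_file is where `%pK` can take the reader's privileges into account, a sentence listing which conversions are `seq_printf` and which are `binder_debug`/`pr_err`/`pr_info` would make the security effect of the backport easier to audit. The replacements are one-for-one, consistent with the 14 insertions and 14 deletions in the diffstat.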



* [PATCH 3.16 116/129] net: sh_eth: fix a missing check of of_get_phy_mode
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 019/129] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 024/129] crypto: pcbc - remove bogus memcpy()s with src == dest Ben Hutchings
                   ` (84 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sergei Shtylyov, Geert Uytterhoeven,
	David S. Miller, Kangjie Lu

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kjlu@umn.edu>

commit 035a14e71f27eefa50087963b94cbdb3580d08bf upstream.

of_get_phy_mode may fail and return a negative error code;
the fix checks the return value of of_get_phy_mode and
returns NULL if it fails.

Fixes: b356e978e92f ("sh_eth: add device tree support")
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/renesas/sh_eth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -2712,12 +2712,16 @@ static struct sh_eth_plat_data *sh_eth_p
 	struct device_node *np = dev->of_node;
 	struct sh_eth_plat_data *pdata;
 	const char *mac_addr;
+	int ret;
 
 	pdata = devm_kzalloc(dev, sizeof(*pdata), GFP_KERNEL);
 	if (!pdata)
 		return NULL;
 
-	pdata->phy_interface = of_get_phy_mode(np);
+	ret = of_get_phy_mode(np);
+	if (ret < 0)
+		return NULL;
+	pdata->phy_interface = ret;
 
 	mac_addr = of_get_mac_address(np);
 	if (mac_addr)
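Review bot: `return NULL` after `if (ret < 0)` throws away the error code from `of_get_phy_mode()`, so the caller sees the same NULL it gets when `devm_kzalloc()` fails and cannot tell a bad phy-mode in the device tree from an allocation failure. If the NULL-only return convention has to stay for stable, at least log `ret` with `dev_err(dev, ...)` before returning. The `pdata` allocated above is devm-managed, so the early return does not leak it past the device's lifetime.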



* [PATCH 3.16 121/129] tcp: refine memory limit test in tcp_fragment()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 124/129] binder: Replace "%p" with "%pK" for stable Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 022/129] security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags() Ben Hutchings
                   ` (17 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Christoph Paasch,
	Greg Kroah-Hartman, Eric Dumazet

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream.

tcp_fragment() might be called for skbs in the write queue.

Memory limits might have been exceeded because tcp_sendmsg() only
checks limits at full skb (64KB) boundaries.

Therefore, we need to make sure tcp_fragment() won't punish applications
that might have set up very low SO_SNDBUF values.

Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Christoph Paasch <cpaasch@apple.com>
Tested-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1091,7 +1091,7 @@ int tcp_fragment(struct sock *sk, struct
 	if (nsize < 0)
 		nsize = 0;
 
-	if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+	if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
 		return -ENOMEM;
 	}
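Review bot: The `0x20000` added to `sk->sk_sndbuf` in the `unlikely()` test is an unexplained constant. It is 128 KB of headroom compared against half of `sk_wmem_queued`, so a socket can now have up to twice (`sk_sndbuf` + 128 KB) queued before `tcp_fragment()` returns -ENOMEM. A comment tying the value to the 64KB skb granularity mentioned in the changelog, or a named constant, would make the limit reviewable instead of leaving readers to reverse-engineer it.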



* [PATCH 3.16 122/129] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 056/129] jbd2: clear dirty flag when revoking a buffer from an older transaction Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 015/129] staging: iio: adt7316: fix handling of dac high resolution option Ben Hutchings
                   ` (39 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, Kirill Smelkov,
	Christoph Hellwig, Jonathan Corbet, Juergen Gross,
	Greg Kroah-Hartman, Han-Wen Nienhuys, Julia Lawall, Yongzhi Pan,
	David Vrabel, Nikolaus Rath, Kirill Tkhai, Arnd Bergmann,
	Miklos Szeredi, Michael Kerrisk, Tejun Heo

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Smelkov <kirr@nexedi.com>

commit 10dce8af34226d90fa56746a934f8da5dcdba3df upstream.

[ while porting to 3.16 xenbus conflict was trivially resolved in a way
  that actually fixes /proc/xen/xenbus deadlock introduced in 3.14,
  because original upstream commit 581d21a2d02a to fix xenbus deadlock
  was not included into 3.16 . ]

Commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") added
locking for file.f_pos access and in particular made concurrent read and
write not possible - now both those functions take f_pos lock for the
whole run, and so if e.g. a read is blocked waiting for data, write will
deadlock waiting for that read to complete.

This caused regression for stream-like files where previously read and
write could run simultaneously, but after that patch could not do so
anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes
to /proc/xen/xenbus") which fixes such regression for particular case of
/proc/xen/xenbus.

The patch that added f_pos lock in 2014 did so to guarantee POSIX thread
safety for read/write/lseek and added the locking to file descriptors of
all regular files. In 2014 that thread-safety problem was not new as it
was already discussed earlier in 2006.

However even though 2006'th version of Linus's patch was adding f_pos
locking "only for files that are marked seekable with FMODE_LSEEK (thus
avoiding the stream-like objects like pipes and sockets)", the 2014
version - the one that actually made it into the tree as 9c225f2655e3 -
is doing so irregardless of whether a file is seekable or not.

See

    https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/
    https://lwn.net/Articles/180387
    https://lwn.net/Articles/180396

for historic context.

The reason that it did so is, probably, that there are many files that
are marked non-seekable, but e.g. their read implementation actually
depends on knowing current position to correctly handle the read. Some
examples:

	kernel/power/user.c		snapshot_read
	fs/debugfs/file.c		u32_array_read
	fs/fuse/control.c		fuse_conn_waiting_read + ...
	drivers/hwmon/asus_atk0110.c	atk_debugfs_ggrp_read
	arch/s390/hypfs/inode.c		hypfs_read_iter
	...

Despite that, many nonseekable_open users implement read and write with
pure stream semantics - they don't depend on passed ppos at all. And for
those cases where read could wait for something inside, it creates a
situation similar to xenbus - the write could be never made to go until
read is done, and read is waiting for some, potentially external, event,
for potentially unbounded time -> deadlock.

Besides xenbus, there are 14 such places in the kernel that I've found
with semantic patch (see below):

	drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write()
	drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write()
	drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write()
	drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write()
	net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write()
	drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write()
	drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write()
	drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write()
	net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write()
	drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write()
	drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write()
	drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write()
	drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write()
	drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write()

In addition to the cases above another regression caused by f_pos
locking is that now FUSE filesystems that implement open with
FOPEN_NONSEEKABLE flag, can no longer implement bidirectional
stream-like files - for the same reason as above e.g. read can deadlock
write locking on file.f_pos in the kernel.

FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f715 ("fuse:
implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp
in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and
write routines not depending on current position at all, and with both
read and write being potentially blocking operations:

See

    https://github.com/libfuse/osspd
    https://lwn.net/Articles/308445

    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406
    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477
    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510

Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as
"somewhat pipe-like files ..." with read handler not using offset.
However that test implements only read without write and cannot exercise
the deadlock scenario:

    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131
    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163
    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216

I've actually hit the read vs write deadlock for real while implementing
my FUSE filesystem where there is /head/watch file, for which open
creates separate bidirectional socket-like stream in between filesystem
and its user with both read and write being later performed
simultaneously. And there it is semantically not easy to split the
stream into two separate read-only and write-only channels:

    https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169

Let's fix this regression. The plan is:

1. We can't change nonseekable_open to include &~FMODE_ATOMIC_POS -
   doing so would break many in-kernel nonseekable_open users which
   actually use ppos in read/write handlers.

2. Add stream_open() to kernel to open stream-like non-seekable file
   descriptors. Read and write on such file descriptors would never use
   nor change ppos. And with that property on stream-like files read and
   write will be running without taking f_pos lock - i.e. read and write
   could be running simultaneously.

3. With semantic patch search and convert to stream_open all in-kernel
   nonseekable_open users for which read and write actually do not
   depend on ppos and where there are no other methods in file_operations
   which assume @offset access.

4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via
   stream_open if that bit is present in filesystem open reply.

   It was tempting to change fs/fuse/ open handler to use stream_open
   instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but
   grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
   and in particular GVFS which actually uses offset in its read and
   write handlers

	https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

   so if we would do such a change it will break a real user.

5. Add stream_open and FOPEN_STREAM handling to stable kernels starting
   from v3.14+ (the kernel where 9c225f2655 first appeared).

   This will allow patching OSSPD and other FUSE filesystems that
   provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE
   in their open handler and this way avoid the deadlock on all kernel
   versions. This should work because fs/fuse/ ignores unknown open
   flags returned from a filesystem and so passing FOPEN_STREAM to a
   kernel that is not aware of this flag cannot hurt. In turn the kernel
   that is not aware of FOPEN_STREAM will be < v3.14 where just
   FOPEN_NONSEEKABLE is sufficient to implement streams without read vs
   write deadlock.

This patch adds stream_open, converts /proc/xen/xenbus to it and adds
semantic patch to automatically locate in-kernel places that are either
required to be converted due to read vs write deadlock, or that are just
safe to be converted because read and write do not use ppos and there
are no other funky methods in file_operations.

Regarding semantic patch I've verified each generated change manually -
that it is correct to convert - and each other nonseekable_open instance
left - that it is either not correct to convert there, or that it is not
converted due to current stream_open.cocci limitations.

The script also does not convert files that should be valid to convert,
but that currently have .llseek = noop_llseek or generic_file_llseek for
unknown reason despite file being opened with nonseekable_open (e.g.
drivers/input/mousedev.c)

Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yongzhi Pan <panyongzhi@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Nikolaus Rath <Nikolaus@rath.org>
Cc: Han-Wen Nienhuys <hanwen@google.com>
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ backport to 3.16: actually fixed deadlock on /proc/xen/xenbus as 581d21a2d02a was not backported to 3.16 ]
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c |   2 +-
 fs/open.c                                |  18 ++
 fs/read_write.c                          |   5 +-
 include/linux/fs.h                       |   4 +
 scripts/coccinelle/api/stream_open.cocci | 363 +++++++++++++++++++++++
 5 files changed, 389 insertions(+), 3 deletions(-)
 create mode 100644 scripts/coccinelle/api/stream_open.cocci

diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
index 6bd06f9d737d..3126bcafb555 100644
--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -533,7 +533,7 @@ static int xenbus_file_open(struct inode *inode, struct file *filp)
 	if (xen_store_evtchn == 0)
 		return -ENOENT;
 
-	nonseekable_open(inode, filp);
+	stream_open(inode, filp);
 
 	u = kzalloc(sizeof(*u), GFP_KERNEL);
 	if (u == NULL)
diff --git a/fs/open.c b/fs/open.c
index fc44237e4a2e..c4949a39726a 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1104,3 +1104,21 @@ int nonseekable_open(struct inode *inode, struct file *filp)
 }
 
 EXPORT_SYMBOL(nonseekable_open);
+
+/*
+ * stream_open is used by subsystems that want stream-like file descriptors.
+ * Such file descriptors are not seekable and don't have notion of position
+ * (file.f_pos is always 0). Contrary to file descriptors of other regular
+ * files, .read() and .write() can run simultaneously.
+ *
+ * stream_open never fails and is marked to return int so that it could be
+ * directly used as file_operations.open .
+ */
+int stream_open(struct inode *inode, struct file *filp)
+{
+	filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS);
+	filp->f_mode |= FMODE_STREAM;
+	return 0;
+}
+
+EXPORT_SYMBOL(stream_open);
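
Review bot: The comment above stream_open() says what the caller gets but not what the caller must guarantee. Clearing FMODE_ATOMIC_POS is only safe when the file's .read and .write never use ppos and the file_operations has no other method that assumes offset access, which the commit message and the semantic patch both state but this comment does not. Add that precondition here, since this is the text a driver author will read before switching from nonseekable_open(). The comment also says file.f_pos is always 0, while the function itself never writes filp->f_pos; say that this is enforced by the FMODE_STREAM test in file_pos_read() and file_pos_write().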
diff --git a/fs/read_write.c b/fs/read_write.c
index 07053752c148..c3b99ff5da0d 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -549,12 +549,13 @@ EXPORT_SYMBOL(vfs_write);
 
 static inline loff_t file_pos_read(struct file *file)
 {
-	return file->f_pos;
+	return file->f_mode & FMODE_STREAM ? 0 : file->f_pos;
 }
 
 static inline void file_pos_write(struct file *file, loff_t pos)
 {
-	file->f_pos = pos;
+	if ((file->f_mode & FMODE_STREAM) == 0)
+		file->f_pos = pos;
 }
 
 SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
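
Review bot: In file_pos_read(), the expression "file->f_mode & FMODE_STREAM ? 0 : file->f_pos" relies on & binding tighter than ?:, which is correct but easy to misread, and it is written differently from the "(file->f_mode & FMODE_STREAM) == 0" test in file_pos_write() a few lines below. Parenthesise the mask test and use the same form in both helpers. file_pos_write() now silently discards whatever position it is given for a stream file; a one-line comment saying that this is intended would stop a later reader from treating it as a bug.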
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 461e82373ebd..49ca7649e5b5 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -133,6 +133,9 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
 /* Has write method(s) */
 #define FMODE_CAN_WRITE         ((__force fmode_t)0x40000)
 
+/* File is stream-like */
+#define FMODE_STREAM		((__force fmode_t)0x200000)
+
 /* File was opened by fanotify and shouldn't generate fanotify events */
 #define FMODE_NONOTIFY		((__force fmode_t)0x1000000)
 
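
Review bot: FMODE_STREAM is given the value 0x200000, and the visible context jumps from FMODE_CAN_WRITE at 0x40000 straight to FMODE_NONOTIFY at 0x1000000, so this hunk does not show whether 0x80000, 0x100000 or 0x200000 are already taken in the 3.16 tree. Since this is a backport, confirm against the full list of FMODE_* bits in 3.16 that 0x200000 is free, and say so in the backport note.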
@@ -2472,6 +2475,7 @@ extern loff_t fixed_size_llseek(struct file *file, loff_t offset,
 		int whence, loff_t size);
 extern int generic_file_open(struct inode * inode, struct file * filp);
 extern int nonseekable_open(struct inode * inode, struct file * filp);
+extern int stream_open(struct inode * inode, struct file * filp);
 
 #ifdef CONFIG_FS_XIP
 extern ssize_t xip_file_read(struct file *filp, char __user *buf, size_t len,
diff --git a/scripts/coccinelle/api/stream_open.cocci b/scripts/coccinelle/api/stream_open.cocci
new file mode 100644
index 000000000000..350145da7669
--- /dev/null
+++ b/scripts/coccinelle/api/stream_open.cocci
@@ -0,0 +1,363 @@
+// SPDX-License-Identifier: GPL-2.0
+// Author: Kirill Smelkov (kirr@nexedi.com)
+//
+// Search for stream-like files that are using nonseekable_open and convert
+// them to stream_open. A stream-like file is a file that does not use ppos in
+// its read and write. Rationale for the conversion is to avoid deadlock in
+// between read and write.
+
+virtual report
+virtual patch
+virtual explain  // explain decisions in the patch (SPFLAGS="-D explain")
+
+// stream-like reader & writer - ones that do not depend on f_pos.
+@ stream_reader @
+identifier readstream, ppos;
+identifier f, buf, len;
+type loff_t;
+@@
+  ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos)
+  {
+    ... when != ppos
+  }
+
+@ stream_writer @
+identifier writestream, ppos;
+identifier f, buf, len;
+type loff_t;
+@@
+  ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos)
+  {
+    ... when != ppos
+  }
+
+
+// a function that blocks
+@ blocks @
+identifier block_f;
+identifier wait_event =~ "^wait_event_.*";
+@@
+  block_f(...) {
+    ... when exists
+    wait_event(...)
+    ... when exists
+  }
+
+// stream_reader that can block inside.
+//
+// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait())
+// XXX currently reader_blocks supports only direct and 1-level indirect cases.
+@ reader_blocks_direct @
+identifier stream_reader.readstream;
+identifier wait_event =~ "^wait_event_.*";
+@@
+  readstream(...)
+  {
+    ... when exists
+    wait_event(...)
+    ... when exists
+  }
+
+@ reader_blocks_1 @
+identifier stream_reader.readstream;
+identifier blocks.block_f;
+@@
+  readstream(...)
+  {
+    ... when exists
+    block_f(...)
+    ... when exists
+  }
+
+@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @
+identifier stream_reader.readstream;
+@@
+  readstream(...) {
+    ...
+  }
+
+
+// file_operations + whether they have _any_ .read, .write, .llseek ... at all.
+//
+// XXX add support for file_operations xxx[N] = ...	(sound/core/pcm_native.c)
+@ fops0 @
+identifier fops;
+@@
+  struct file_operations fops = {
+    ...
+  };
+
+@ has_read @
+identifier fops0.fops;
+identifier read_f;
+@@
+  struct file_operations fops = {
+    .read = read_f,
+  };
+
+@ has_read_iter @
+identifier fops0.fops;
+identifier read_iter_f;
+@@
+  struct file_operations fops = {
+    .read_iter = read_iter_f,
+  };
+
+@ has_write @
+identifier fops0.fops;
+identifier write_f;
+@@
+  struct file_operations fops = {
+    .write = write_f,
+  };
+
+@ has_write_iter @
+identifier fops0.fops;
+identifier write_iter_f;
+@@
+  struct file_operations fops = {
+    .write_iter = write_iter_f,
+  };
+
+@ has_llseek @
+identifier fops0.fops;
+identifier llseek_f;
+@@
+  struct file_operations fops = {
+    .llseek = llseek_f,
+  };
+
+@ has_no_llseek @
+identifier fops0.fops;
+@@
+  struct file_operations fops = {
+    .llseek = no_llseek,
+  };
+
+@ has_mmap @
+identifier fops0.fops;
+identifier mmap_f;
+@@
+  struct file_operations fops = {
+    .mmap = mmap_f,
+  };
+
+@ has_copy_file_range @
+identifier fops0.fops;
+identifier copy_file_range_f;
+@@
+  struct file_operations fops = {
+    .copy_file_range = copy_file_range_f,
+  };
+
+@ has_remap_file_range @
+identifier fops0.fops;
+identifier remap_file_range_f;
+@@
+  struct file_operations fops = {
+    .remap_file_range = remap_file_range_f,
+  };
+
+@ has_splice_read @
+identifier fops0.fops;
+identifier splice_read_f;
+@@
+  struct file_operations fops = {
+    .splice_read = splice_read_f,
+  };
+
+@ has_splice_write @
+identifier fops0.fops;
+identifier splice_write_f;
+@@
+  struct file_operations fops = {
+    .splice_write = splice_write_f,
+  };
+
+
+// file_operations that is candidate for stream_open conversion - it does not
+// use mmap and other methods that assume @offset access to file.
+//
+// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now.
+// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops".
+@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @
+identifier fops0.fops;
+@@
+  struct file_operations fops = {
+  };
+
+
+// ---- conversions ----
+
+// XXX .open = nonseekable_open -> .open = stream_open
+// XXX .open = func -> openfunc -> nonseekable_open
+
+// read & write
+//
+// if both are used in the same file_operations together with an opener -
+// under that conditions we can use stream_open instead of nonseekable_open.
+@ fops_rw depends on maybe_stream @
+identifier fops0.fops, openfunc;
+identifier stream_reader.readstream;
+identifier stream_writer.writestream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .read  = readstream,
+      .write = writestream,
+  };
+
+@ report_rw depends on report @
+identifier fops_rw.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+     nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report && reader_blocks @
+fops << fops0.fops;
+p << report_rw.p1;
+@@
+coccilib.report.print_report(p[0],
+  "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,))
+
+@ script:python depends on report && !reader_blocks @
+fops << fops0.fops;
+p << report_rw.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+
+@ explain_rw_deadlocked depends on explain && reader_blocks @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-    nonseekable_open
++    nonseekable_open /* read & write (was deadlock) */
+    ...>
+  }
+
+
+@ explain_rw_nodeadlock depends on explain && !reader_blocks @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-    nonseekable_open
++    nonseekable_open /* read & write (no direct deadlock) */
+    ...>
+  }
+
+@ patch_rw depends on patch @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// read, but not write
+@ fops_r depends on maybe_stream && !has_write @
+identifier fops0.fops, openfunc;
+identifier stream_reader.readstream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .read  = readstream,
+  };
+
+@ report_r depends on report @
+identifier fops_r.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+    nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report @
+fops << fops0.fops;
+p << report_r.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+@ explain_r depends on explain @
+identifier fops_r.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   nonseekable_open /* read only */
+    ...>
+  }
+
+@ patch_r depends on patch @
+identifier fops_r.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// write, but not read
+@ fops_w depends on maybe_stream && !has_read @
+identifier fops0.fops, openfunc;
+identifier stream_writer.writestream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .write = writestream,
+  };
+
+@ report_w depends on report @
+identifier fops_w.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+    nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report @
+fops << fops0.fops;
+p << report_w.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+@ explain_w depends on explain @
+identifier fops_w.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   nonseekable_open /* write only */
+    ...>
+  }
+
+@ patch_w depends on patch @
+identifier fops_w.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// no read, no write - don't change anything
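
Review bot: The blocks and reader_blocks_direct rules constrain the identifier with the regex "^wait_event_.*", which requires an underscore after wait_event, so a reader that calls plain wait_event(...) is not recognised as blocking. Such a file would fall through to the "!reader_blocks" report and be printed as a WARNING ("safe to change") instead of the ERROR about .read() deadlocking .write(). If that is not intended, use "^wait_event" without the trailing "_.*", and extend the existing XXX comment to say that readers blocking through anything other than the wait_event family are also reported as non-blocking. Minor: the XXX comment above the maybe_stream rule spells the rule name "maybe_steam".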


^ permalink raw reply related	[flat|nested] 138+ messages in thread

* [PATCH 3.16 128/129] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 095/129] powerpc/32: Clear on-stack exception marker upon exception return Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 106/129] net/hsr: fix possible crash in add_timer() Ben Hutchings
                   ` (117 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Takashi Iwai, Kalle Valo, huangwen

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 69ae4f6aac1578575126319d3f55550e7e440449 upstream.

A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
unconditionally, which may lead to either buffer overflow or read over
boundary.

This patch addresses the issues by checking the read size and the
destination size at each place more properly.  Along with the fixes,
the patch cleans up the code slightly by introducing a temporary
variable for the token size, and unifies the error path with the
standard goto statement.

Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - The tail IEs are parsed in mwifiex_set_mgmt_ies, which looks for two
   specific IEs rather than looping
 - Check IE length against tail length after calling
   cfg80211_find_vendor_ie(), but not after cfg80211_find_ie() since that
   already does it
 - On error, return without calling mwifiex_set_mgmt_beacon_data_ies()
 - Drop inapplicable change to WMM IE handling
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/ie.c | 47 +++++++++++++++--------
 1 file changed, 31 insertions(+), 16 deletions(-)

--- a/drivers/net/wireless/mwifiex/ie.c
+++ b/drivers/net/wireless/mwifiex/ie.c
@@ -328,6 +328,8 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
 	struct ieee_types_header *rsn_ie, *wpa_ie = NULL;
 	u16 rsn_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
 	const u8 *vendor_ie;
+	unsigned int token_len;
+	int err = 0;
 
 	if (info->tail && info->tail_len) {
 		gen_ie = kzalloc(sizeof(struct mwifiex_ie), GFP_KERNEL);
@@ -341,8 +343,13 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
 		rsn_ie = (void *)cfg80211_find_ie(WLAN_EID_RSN,
 						  info->tail, info->tail_len);
 		if (rsn_ie) {
-			memcpy(gen_ie->ie_buffer, rsn_ie, rsn_ie->len + 2);
-			ie_len = rsn_ie->len + 2;
+			token_len = rsn_ie->len + 2;
+			if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
+				err = -EINVAL;
+				goto out;
+			}
+			memcpy(gen_ie->ie_buffer + ie_len, rsn_ie, token_len);
+			ie_len += token_len;
 			gen_ie->ie_length = cpu_to_le16(ie_len);
 		}
 
@@ -352,9 +359,15 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
 						    info->tail_len);
 		if (vendor_ie) {
 			wpa_ie = (struct ieee_types_header *)vendor_ie;
-			memcpy(gen_ie->ie_buffer + ie_len,
-			       wpa_ie, wpa_ie->len + 2);
-			ie_len += wpa_ie->len + 2;
+			token_len = wpa_ie->len + 2;
+			if (token_len >
+			    info->tail + info->tail_len - (u8 *)wpa_ie ||
+			    ie_len + token_len > IEEE_MAX_IE_SIZE) {
+				err = -EINVAL;
+				goto out;
+			}
+			memcpy(gen_ie->ie_buffer + ie_len, wpa_ie, token_len);
+			ie_len += token_len;
 			gen_ie->ie_length = cpu_to_le16(ie_len);
 		}
 
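
Review bot: The source-side check "token_len > info->tail + info->tail_len - (u8 *)wpa_ie" compares an unsigned int with a signed pointer difference and casts away the const that vendor_ie was declared with. Compute the remaining tail length once into a named unsigned variable, using a const u8 * cast, and compare token_len against that, so the conversion is explicit and the condition reads in one line. The destination-side check uses IEEE_MAX_IE_SIZE, and nothing in this hunk shows that this is the size of gen_ie->ie_buffer; comparing against sizeof(gen_ie->ie_buffer) would tie the bound to the buffer that memcpy() actually writes.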
@@ -362,13 +375,16 @@ int mwifiex_set_mgmt_ies(struct mwifiex_
 			if (mwifiex_update_uap_custom_ie(priv, gen_ie, &rsn_idx,
 							 NULL, NULL,
 							 NULL, NULL)) {
-				kfree(gen_ie);
-				return -1;
+				err = -EINVAL;
+				goto out;
 			}
 			priv->rsn_idx = rsn_idx;
 		}
 
+	out:
 		kfree(gen_ie);
+		if (err)
+			return err;
 	}
 
 	return mwifiex_set_mgmt_beacon_data_ies(priv, info);
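
Review bot: When mwifiex_update_uap_custom_ie() fails, this function used to return -1 and now returns -EINVAL, and the callee's own return value is still thrown away. The changelog mentions unifying the error path but not the change of error code; either store the callee's result in err and return that, or state in the changelog that callers only test for non-zero. The "out:" label also sits inside the "if (info->tail && info->tail_len)" block at one tab of indentation; kernel style puts labels in column 0 or one space in, and a short comment that the label is only reachable from inside this block would help.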


^ permalink raw reply	[flat|nested] 138+ messages in thread
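
The two bounds named in the commit message above (read past the end of the tail, write past the end of the IE buffer), shown as an added user-space C example that is not the driver's code. The names ie_buf, find_ie, append_ie, build_gen_ie and IE_BUF_CAP are hypothetical, IE_BUF_CAP stands in for IEEE_MAX_IE_SIZE, elements are matched by ID only (no OUI match as cfg80211_find_vendor_ie() does), and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_BUF_CAP 256 /* assumed capacity, stands in for IEEE_MAX_IE_SIZE */
#define EID_RSN    48  /* RSN element ID */
#define EID_VENDOR 221 /* vendor-specific element ID */

struct ie_buf {
	uint8_t data[IE_BUF_CAP];
	size_t used; /* invariant: used <= sizeof(data) */
};

/*
 * Return the offset of the first element with the given ID, or -1.
 * An element whose declared body runs past the tail ends the search.
 */
static long find_ie(uint8_t eid, const uint8_t *tail, size_t tail_len)
{
	size_t off = 0;

	while (tail_len - off >= 2) {
		size_t body = tail[off + 1];

		if (body > tail_len - off - 2)
			return -1; /* truncated element */
		if (tail[off] == eid)
			return (long)off;
		off += 2 + body;
	}
	return -1;
}

/*
 * Copy the element at tail[off] (2-byte header plus body) to out.
 * Both bounds are checked by subtraction, so neither sum can wrap.
 */
static int append_ie(struct ie_buf *out, const uint8_t *tail,
		     size_t tail_len, size_t off)
{
	size_t token_len;

	if (off > tail_len || tail_len - off < 2)
		return -1; /* header itself does not fit */
	token_len = (size_t)tail[off + 1] + 2;
	if (token_len > tail_len - off)
		return -1; /* source bound: would read past the tail */
	if (token_len > sizeof(out->data) - out->used)
		return -1; /* destination bound: would overflow out */
	memcpy(out->data + out->used, tail + off, token_len);
	out->used += token_len;
	return 0;
}

/* Collect the RSN and vendor elements, in that order, if present. */
static int build_gen_ie(const uint8_t *tail, size_t tail_len,
			struct ie_buf *out)
{
	static const uint8_t want[] = { EID_RSN, EID_VENDOR };
	size_t i;

	out->used = 0;
	for (i = 0; i < sizeof(want); i++) {
		long off = find_ie(want[i], tail, tail_len);

		if (off < 0)
			continue; /* absent: nothing to copy */
		if (append_ie(out, tail, tail_len, (size_t)off) != 0)
			return -1;
	}
	return 0;
}

/* Constructed sample: RSN (4-byte body) followed by vendor (6-byte body). */
static const uint8_t sample_ok[] = {
	48, 4, 1, 0, 0, 15,
	221, 6, 0, 0x50, 0xf2, 1, 1, 0,
};
/* Constructed sample: vendor element claiming 200 bytes, 2 present. */
static const uint8_t sample_trunc[] = { 221, 200, 0, 0x50 };

int main(void)
{
	struct ie_buf out;

	printf("well-formed tail: rc=%d used=%zu\n",
	       build_gen_ie(sample_ok, sizeof(sample_ok), &out), out.used);
	out.used = 0;
	printf("truncated vendor IE: rc=%d used=%zu\n",
	       append_ie(&out, sample_trunc, sizeof(sample_trunc), 0),
	       out.used);
	return 0;
}
```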

* [PATCH 3.16 101/129] mm/vmalloc: fix size check for remap_vmalloc_range_partial()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 111/129] vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 001/129] staging: iio: adt7316: fix register and bit definitions Ben Hutchings
                   ` (74 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, Luis R. Rodriguez,
	Andrey Ryabinin, Michal Hocko, Joe Perches, Roman Penyaev

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roman Penyaev <rpenyaev@suse.de>

commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream.

When VM_NO_GUARD is not set area->size includes adjacent guard page,
thus for correct size checking get_vm_area_size() should be used, but
not area->size.

This fixes possible kernel oops when userspace tries to mmap an area
1 page bigger than was allocated by vmalloc_user() call: the size check
inside remap_vmalloc_range_partial() also accounts for the non-existent
guard page, so the check successfully passes but vmalloc_to_page() returns
NULL (guard page does not physically exist).

The following code pattern example should trigger an oops:

  static int oops_mmap(struct file *file, struct vm_area_struct *vma)
  {
        void *mem;

        mem = vmalloc_user(4096);
        BUG_ON(!mem);
        /* Do not care about mem leak */

        return remap_vmalloc_range(vma, mem, 0);
  }

And userspace simply mmaps size + PAGE_SIZE:

  mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0);

Possible candidates for oops which do not have any explicit size
checks:

   *** drivers/media/usb/stkwebcam/stk-webcam.c:
   v4l_stk_mmap[789]   ret = remap_vmalloc_range(vma, sbuf->buffer, 0);

Or the following one:

   *** drivers/video/fbdev/core/fbmem.c
   static int
   fb_mmap(struct file *file, struct vm_area_struct * vma)
        ...
        res = fb->fb_mmap(info, vma);

Where fb_mmap callback calls remap_vmalloc_range() directly without any
explicit checks:

   *** drivers/video/fbdev/vfb.c
   static int vfb_mmap(struct fb_info *info,
             struct vm_area_struct *vma)
   {
       return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff);
   }

Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de
Signed-off-by: Roman Penyaev <rpenyaev@suse.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Joe Perches <joe@perches.com>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/vmalloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -2141,7 +2141,7 @@ int remap_vmalloc_range_partial(struct v
 	if (!(area->flags & VM_USERMAP))
 		return -EINVAL;
 
-	if (kaddr + size > area->addr + area->size)
+	if (kaddr + size > area->addr + get_vm_area_size(area))
 		return -EINVAL;
 
 	do {
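
Review bot: The corrected test "kaddr + size > area->addr + get_vm_area_size(area)" still adds size to kaddr before comparing, and nothing in this hunk shows size being bounded first, so a large enough size can wrap the left-hand side and pass the check. Rewrite it as a subtraction on the known-good side, for example by rejecting the request when kaddr is outside the area or when size is greater than the bytes remaining from kaddr to the end of the area, so the guard-page fix does not depend on the sum staying in range.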


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 111/129] vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 044/129] crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 101/129] mm/vmalloc: fix size check for remap_vmalloc_range_partial() Ben Hutchings
                   ` (75 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David S. Miller, Eric Dumazet

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 59cbf56fcd98ba2a715b6e97c4e43f773f956393 upstream.

Same reasons as the ones explained in commit 4179cb5a4c92
("vxlan: test dev->flags & IFF_UP before calling netif_rx()")

netif_rx() or gro_cells_receive() must be called under a strict contract.

At device dismantle phase, core networking clears IFF_UP
and flush_all_backlogs() is called after rcu grace period
to make sure no incoming packet might be in a cpu backlog
and still referencing the device.

A similar protocol is used for gro_cells infrastructure, as
gro_cells_destroy() will be called only after a full rcu
grace period is observed after IFF_UP has been cleared.

Most drivers call netif_rx() from their interrupt handler,
and since the interrupts are disabled at device dismantle,
netif_rx() does not have to check dev->flags & IFF_UP

Virtual drivers do not have this guarantee, and must
therefore make the check themselves.

Otherwise we risk use-after-free and/or crashes.

Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1280,6 +1280,14 @@ static void vxlan_rcv(struct vxlan_sock
 		}
 	}
 
+	rcu_read_lock();
+
+	if (unlikely(!(vxlan->dev->flags & IFF_UP))) {
+		rcu_read_unlock();
+		atomic_long_inc(&vxlan->dev->rx_dropped);
+		goto drop;
+	}
+
 	stats = this_cpu_ptr(vxlan->dev->tstats);
 	u64_stats_update_begin(&stats->syncp);
 	stats->rx_packets++;
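
Review bot: In the !IFF_UP branch, rcu_read_unlock() runs before atomic_long_inc(&vxlan->dev->rx_dropped), so the counter update dereferences vxlan->dev outside the read-side section that this hunk introduces to protect it. Swap the two lines so the increment happens before the unlock, or add a comment explaining why vxlan->dev is still safe to touch at that point.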
@@ -1288,6 +1296,8 @@ static void vxlan_rcv(struct vxlan_sock
 
 	netif_rx(skb);
 
+	rcu_read_unlock();
+
 	return;
 drop:
 	/* Consume bad packet */
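
Review bot: The call that ends up inside the new read-side section here is netif_rx(skb), while the subject line and the commit message talk about gro_cells_receive(), and the backport note only says "adjust context". Say in the backport note that 3.16 still delivers through netif_rx() at this point and that the IFF_UP test is being applied to that call, so the subject does not send a reader looking for a gro_cells_receive() call that is not in this file version. The message also has no diffstat between the "---" separator and the file header, unlike the other patches in the series.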


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 105/129] scsi: virtio_scsi: don't send sc payload with tmfs
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 065/129] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 075/129] drm/radeon/evergreen_cs: fix missing break in switch statement Ben Hutchings
                   ` (109 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Martin K. Petersen, Paolo Bonzini,
	Felipe Franciosi

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Felipe Franciosi <felipe@nutanix.com>

commit 3722e6a52174d7c3a00e6f5efd006ca093f346c1 upstream.

The virtio scsi spec defines struct virtio_scsi_ctrl_tmf as a set of
device-readable records and a single device-writable response entry:

    struct virtio_scsi_ctrl_tmf
    {
        // Device-readable part
        le32 type;
        le32 subtype;
        u8 lun[8];
        le64 id;
        // Device-writable part
        u8 response;
    }

The above should be organised as two descriptor entries (or potentially
more if using VIRTIO_F_ANY_LAYOUT), but without any extra data after "le64
id" or after "u8 response".

The Linux driver doesn't respect that, with virtscsi_abort() and
virtscsi_device_reset() setting cmd->sc before calling virtscsi_tmf().  It
results in the original scsi command payload (or writable buffers) added to
the tmf.

This fixes the problem by leaving cmd->sc zeroed out, which makes
virtscsi_kick_cmd() add the tmf to the control vq without any payload.

Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/virtio_scsi.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -631,7 +631,6 @@ static int virtscsi_device_reset(struct
 		return FAILED;
 
 	memset(cmd, 0, sizeof(*cmd));
-	cmd->sc = sc;
 	cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){
 		.type = VIRTIO_SCSI_T_TMF,
 		.subtype = VIRTIO_SCSI_T_TMF_LOGICAL_UNIT_RESET,
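
Review bot: After this change cmd->sc stays NULL only because of the memset() on the line above, and nothing at the call site says that this is deliberate. Add a short comment next to the memset(), here and in virtscsi_abort(), stating that cmd->sc must remain unset for TMF requests so that virtscsi_kick_cmd() queues no data payload; otherwise the removed assignment looks like an omission and is likely to be reintroduced.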
@@ -654,7 +653,6 @@ static int virtscsi_abort(struct scsi_cm
 		return FAILED;
 
 	memset(cmd, 0, sizeof(*cmd));
-	cmd->sc = sc;
 	cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){
 		.type = VIRTIO_SCSI_T_TMF,
 		.subtype = VIRTIO_SCSI_T_TMF_ABORT_TASK,


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 070/129] USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 118/129] net/mlx4_core: Fix qp mtt size calculation Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 129/129] netns: provide pure entropy for net_hash_mix() Ben Hutchings
                   ` (57 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johan Hovold, Mans Rullgard

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mans Rullgard <mans@mansr.com>

commit 8d7fa3d4ea3f0ca69554215e87411494e6346fdc upstream.

This adds the USB ID of the Hjelmslund Electronics USB485 Iso stick.

Signed-off-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ftdi_sio.c     | 2 ++
 drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
 2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1033,6 +1033,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
 	{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
 	{ USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
+	/* EZPrototypes devices */
+	{ USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1308,6 +1308,12 @@
 #define IONICS_PLUGCOMPUTER_PID		0x0102
 
 /*
+ * EZPrototypes (PID reseller)
+ */
+#define EZPROTOTYPES_VID		0x1c40
+#define HJELMSLUND_USB485_ISO_PID	0x0477
+
+/*
  * Dresden Elektronik Sensor Terminal Board
  */
 #define DE_VID			0x1cf1 /* Vendor ID */


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 057/129] ext4: fix check of inode in swap_inode_boot_loader
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 014/129] staging: iio: adt7316: fix dac_bits assignment Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 069/129] leds: lp55xx: fix null deref on firmware load failure Ben Hutchings
                   ` (21 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Theodore Ts'o, yangerkun

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: yangerkun <yangerkun@huawei.com>

commit 67a11611e1a5211f6569044fbf8150875764d1d0 upstream.

Before actually swapping the inode and the boot inode, some things need
to be checked to avoid invalid or unpermitted operations, such as whether
this inode has inline data. But the condition checks should be protected
by the inode lock to avoid changes while swapping. Also, some other
conditions will not change during swapping, but there is no problem with
checking them under the inode lock.

Signed-off-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: There's no support or test for filesystem encryption]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/ioctl.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -118,15 +118,6 @@ static long swap_inode_boot_loader(struc
 	struct ext4_inode_info *ei_bl;
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 
-	if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) ||
-	    IS_SWAPFILE(inode) ||
-	    ext4_has_inline_data(inode))
-		return -EINVAL;
-
-	if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) ||
-	    !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
 	if (IS_ERR(inode_bl))
 		return PTR_ERR(inode_bl);
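Review bot: With both checks removed from the top of swap_inode_boot_loader(), ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL) now runs before capable(CAP_SYS_ADMIN) is evaluated in this function, so an unprivileged caller triggers a load of the boot loader inode before being refused. The tests that read inode state need the lock, but the capable() test does not depend on inode state; consider keeping an early capability check here so unprivileged callers are rejected before any inode lookup.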
@@ -139,6 +130,19 @@ static long swap_inode_boot_loader(struc
 	 * that only 1 swap_inode_boot_loader is running. */
 	lock_two_nondirectories(inode, inode_bl);
 
+	if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) ||
+	    IS_SWAPFILE(inode) ||
+	    ext4_has_inline_data(inode)) {
+		err = -EINVAL;
+		goto journal_err_out;
+	}
+
+	if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) ||
+	    !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN)) {
+		err = -EPERM;
+		goto journal_err_out;
+	}
+
 	/* Wait for all existing dio workers */
 	ext4_inode_block_unlocked_dio(inode);
 	ext4_inode_block_unlocked_dio(inode_bl);
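Review bot: The two new failure branches jump to journal_err_out after lock_two_nondirectories(inode, inode_bl) but before any journal handle exists, and the body of that label is not part of this hunk. Please confirm that journal_err_out unlocks both inodes and drops the inode_bl reference without touching a journal handle, and consider a differently named label, since nothing journal-related has failed at this point.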



* [PATCH 3.16 062/129] pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Simon Horman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 0e6e448bdcf896d001a289a6112a704542d51516 upstream.

There are two pin groups for the FSIC SPDIF signal, but the FSIC pin
group array lists only one, and it refers to a nonexistent group.

Fixes: 2ecd4154c906b7d6 ("sh-pfc: sh73a0: Add FSI pin groups and functions")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/sh-pfc/pfc-sh73a0.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/sh-pfc/pfc-sh73a0.c
+++ b/drivers/pinctrl/sh-pfc/pfc-sh73a0.c
@@ -2899,7 +2899,8 @@ static const char * const fsic_groups[]
 	"fsic_sclk_out",
 	"fsic_data_in",
 	"fsic_data_out",
-	"fsic_spdif",
+	"fsic_spdif_0",
+	"fsic_spdif_1",
 };
 
 static const char * const fsid_groups[] = {
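Review bot: The entries of fsic_groups[] are plain strings, so nothing at build time ties "fsic_spdif_0" and "fsic_spdif_1" to the pin group definitions, which is how the nonexistent "fsic_spdif" went unnoticed. Please confirm both new names match the group table character for character, and consider whether the neighbouring arrays such as fsid_groups[] deserve the same audit.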



* [PATCH 3.16 059/129] ext4: add mask of ext4 flags to swap
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, yangerkun, Theodore Ts'o

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: yangerkun <yangerkun@huawei.com>

commit abdc644e8cbac2e9b19763680e5a7cf9bab2bee7 upstream.

The reason is that while swapping two inodes, we swap the flags too.
Some flags such as EXT4_JOURNAL_DATA_FL can really confuse things
since we're not resetting the address operations structure.  The
simplest way to keep things sane is to restrict the flags that can be
swapped.

Signed-off-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/ext4.h  | 3 +++
 fs/ext4/ioctl.c | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -405,6 +405,9 @@ struct flex_groups {
 /* Flags that are appropriate for non-directories/regular files. */
 #define EXT4_OTHER_FLMASK (EXT4_NODUMP_FL | EXT4_NOATIME_FL)
 
+/* The only flags that should be swapped */
+#define EXT4_FL_SHOULD_SWAP (EXT4_HUGE_FILE_FL | EXT4_EXTENTS_FL)
+
 /* Mask out flags that are inappropriate for the given type of inode. */
 static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags)
 {
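Review bot: The comment above EXT4_FL_SHOULD_SWAP says which flags are swapped but not why these two. Please add a sentence giving the reason EXT4_HUGE_FILE_FL and EXT4_EXTENTS_FL travel with the swapped data while every other flag stays with its inode, so that nobody widens the mask later without understanding the constraint described in the commit message.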
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -61,6 +61,7 @@ static void swap_inode_data(struct inode
 	loff_t isize;
 	struct ext4_inode_info *ei1;
 	struct ext4_inode_info *ei2;
+	unsigned long tmp;
 
 	ei1 = EXT4_I(inode1);
 	ei2 = EXT4_I(inode2);
@@ -71,7 +72,10 @@ static void swap_inode_data(struct inode
 	memswap(&inode1->i_mtime, &inode2->i_mtime, sizeof(inode1->i_mtime));
 
 	memswap(ei1->i_data, ei2->i_data, sizeof(ei1->i_data));
-	memswap(&ei1->i_flags, &ei2->i_flags, sizeof(ei1->i_flags));
+	tmp = ei1->i_flags & EXT4_FL_SHOULD_SWAP;
+	ei1->i_flags = (ei2->i_flags & EXT4_FL_SHOULD_SWAP) |
+		(ei1->i_flags & ~EXT4_FL_SHOULD_SWAP);
+	ei2->i_flags = tmp | (ei2->i_flags & ~EXT4_FL_SHOULD_SWAP);
 	memswap(&ei1->i_disksize, &ei2->i_disksize, sizeof(ei1->i_disksize));
 	ext4_es_remove_extent(inode1, 0, EXT_MAX_BLOCKS);
 	ext4_es_remove_extent(inode2, 0, EXT_MAX_BLOCKS);
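Review bot: The masked exchange of ei1->i_flags and ei2->i_flags relies on tmp, declared unsigned long in the previous hunk, being at least as wide as i_flags, where the removed memswap() took the width from sizeof(ei1->i_flags). It also means that flags outside EXT4_FL_SHOULD_SWAP, such as the EXT4_JOURNAL_DATA_FL named in the commit message, now stay with their original inode; a one-line comment above the three assignments saying so would make the intent clear to the next reader.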



* [PATCH 3.16 022/129] security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags()
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Al Viro, NeilBrown

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.de>

commit 7b20ea2579238f5e0da4bc93276c1b63c960c9ef upstream.

This allows MAY_NOT_BLOCK to be passed, in RCU-walk mode, through
the new avc_has_perm_flags() to avc_audit() and thence the slow_avc_audit.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16 as dependency of commit 3a28cff3bd4b
 "selinux: avoid silent denials in permissive mode under RCU walk"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/selinux/avc.c         | 18 +++++++++++++++++-
 security/selinux/hooks.c       |  2 +-
 security/selinux/include/avc.h |  9 +++++++--
 3 files changed, 25 insertions(+), 4 deletions(-)

--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -768,7 +768,23 @@ int avc_has_perm(u32 ssid, u32 tsid, u16
 
 	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
 
-	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
+	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata, 0);
+	if (rc2)
+		return rc2;
+	return rc;
+}
+
+int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,
+		       u32 requested, struct common_audit_data *auditdata,
+		       int flags)
+{
+	struct av_decision avd;
+	int rc, rc2;
+
+	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
+
+	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc,
+			auditdata, flags);
 	if (rc2)
 		return rc2;
 	return rc;
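Review bot: avc_has_perm_flags() is a line-for-line copy of avc_has_perm() apart from the last argument to avc_audit(), and its flags parameter is forwarded only to avc_audit() while avc_has_perm_noaudit() still receives a literal 0. Consider making avc_has_perm() a thin wrapper that calls avc_has_perm_flags(..., 0), and add a comment stating which values flags may carry (the commit message names MAY_NOT_BLOCK) so that it is not confused with the separate flags argument of avc_has_perm_noaudit().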
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1569,7 +1569,7 @@ static int cred_has_capability(const str
 
 	rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
 	if (audit == SECURITY_CAP_AUDIT) {
-		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
+		int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
 		if (rc2)
 			return rc2;
 	}
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,7 +130,8 @@ static inline int avc_audit(u32 ssid, u3
 			    u16 tclass, u32 requested,
 			    struct av_decision *avd,
 			    int result,
-			    struct common_audit_data *a)
+			    struct common_audit_data *a,
+			    int flags)
 {
 	u32 audited, denied;
 	audited = avc_audit_required(requested, avd, result, 0, &denied);
@@ -138,7 +139,7 @@ static inline int avc_audit(u32 ssid, u3
 		return 0;
 	return slow_avc_audit(ssid, tsid, tclass,
 			      requested, audited, denied, result,
-			      a, 0);
+			      a, flags);
 }
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
@@ -150,6 +151,10 @@ int avc_has_perm_noaudit(u32 ssid, u32 t
 int avc_has_perm(u32 ssid, u32 tsid,
 		 u16 tclass, u32 requested,
 		 struct common_audit_data *auditdata);
+int avc_has_perm_flags(u32 ssid, u32 tsid,
+		       u16 tclass, u32 requested,
+		       struct common_audit_data *auditdata,
+		       int flags);
 
 u32 avc_policy_seqno(void);
 



* [PATCH 3.16 019/129] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Krzysztof Kozlowski, Gustavo A. R. Silva

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit e2477233145f2156434afb799583bccd878f3e9f upstream.

Fix boolean expressions by using logical AND operator '&&' instead of
bitwise operator '&'.

This issue was detected with the help of Coccinelle.

Fixes: 4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
[krzk: Fix -Wparentheses warning]
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
+++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
@@ -70,16 +70,16 @@ static int osiris_dvs_notify(struct noti
 
 	switch (val) {
 	case CPUFREQ_PRECHANGE:
-		if (old_dvs & !new_dvs ||
-		    cur_dvs & !new_dvs) {
+		if ((old_dvs && !new_dvs) ||
+		    (cur_dvs && !new_dvs)) {
 			pr_debug("%s: exiting dvs\n", __func__);
 			cur_dvs = false;
 			gpio_set_value(OSIRIS_GPIO_DVS, 1);
 		}
 		break;
 	case CPUFREQ_POSTCHANGE:
-		if (!old_dvs & new_dvs ||
-		    !cur_dvs & new_dvs) {
+		if ((!old_dvs && new_dvs) ||
+		    (!cur_dvs && new_dvs)) {
 			pr_debug("entering dvs\n");
 			cur_dvs = true;
 			gpio_set_value(OSIRIS_GPIO_DVS, 0);
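Review bot: Both halves of each condition test the same new_dvs term, so the CPUFREQ_PRECHANGE test reduces to (old_dvs || cur_dvs) && !new_dvs and the CPUFREQ_POSTCHANGE test to (!old_dvs || !cur_dvs) && new_dvs, which reads more directly than two parenthesised pairs. Separately, the two pr_debug() calls are inconsistent: the first prefixes __func__ and the second does not.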



* [PATCH 3.16 014/129] staging: iio: adt7316: fix dac_bits assignment
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jeremy Fertic, Jonathan Cameron

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit e9de475723de5bf207a5b7b88bdca863393e42c8 upstream.

The value of dac_bits is used in adt7316_show_DAC() and adt7316_store_DAC(),
and it should be either 8, 10, or 12 bits depending on the device in use. The
driver currently only assigns a value to dac_bits in
adt7316_store_da_high_resolution(). The purpose of the dac high resolution
option is not to change dac resolution for normal operation. Instead, it
is specific to an optional feature where one or two of the four dacs can
be set to output voltage proportional to temperature. If the user chooses
to set dac a and/or dac b to output voltage proportional to temperature,
the da_high_resolution attribute can optionally be enabled to use 10 bit
resolution rather than the default 8 bits. This is only available on the
10 and 12 bit dac devices. If the user attempts to read or write dacs a
or b under these settings, the driver's current behaviour is to return an
error. Dacs c and d continue to operate normally under these conditions.
With the above in mind, remove the dac_bits assignments from this function
since the value of dac_bits as used in the driver is not dependent on this
dac high resolution option.

Since the dac_bits assignments discussed above are currently the only ones
in this driver, the default value of dac_bits is 0. This results in incorrect
calculations when the dacs are read or written in adt7316_show_DAC() and
adt7316_store_DAC(). To correct this, assign a value to dac_bits in
adt7316_probe() to ensure correct operation as soon as the device is
registered and available to userspace.

Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -654,15 +654,9 @@ static ssize_t adt7316_store_da_high_res
 	u8 config3;
 	int ret;
 
-	chip->dac_bits = 8;
-
-	if (buf[0] == '1') {
+	if (buf[0] == '1')
 		config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION;
-		if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516)
-			chip->dac_bits = 12;
-		else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517)
-			chip->dac_bits = 10;
-	} else
+	else
 		config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION);
 
 	ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3);
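Review bot: After this change adt7316_store_da_high_resolution() sets ADT7316_DA_HIGH_RESOLUTION whenever buf[0] == '1' with no check of chip->id, although the commit message says the option is only available on the 10 and 12 bit parts. Either reject the write on the 8 bit devices here or state in the commit message which follow-up patch in the series handles that case.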
@@ -2129,6 +2123,13 @@ int adt7316_probe(struct device *dev, st
 	else
 		return -ENODEV;
 
+	if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516)
+		chip->dac_bits = 12;
+	else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517)
+		chip->dac_bits = 10;
+	else
+		chip->dac_bits = 8;
+
 	chip->ldac_pin = adt7316_platform_data[1];
 	if (!chip->ldac_pin) {
 		chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA;
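Review bot: The final else of the new block in adt7316_probe() assigns dac_bits = 8 for every id that is not one of the four listed, so a part added to the driver later silently gets 8 bits. A switch on chip->id with the 8 bit parts named explicitly would make the id to resolution mapping easy to check against the datasheet.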



* [PATCH 3.16 123/129] fuse: Add FOPEN_STREAM to use stream_open()
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kirill Smelkov, Miklos Szeredi, stable

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Smelkov <kirr@nexedi.com>

commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream.

Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per
POSIX") files opened even via nonseekable_open gate read and write via lock
and do not allow them to be run simultaneously. This can create read vs
write deadlock if a filesystem is trying to implement a socket-like file
which is intended to be simultaneously used for both read and write from
filesystem client.  See commit 10dce8af3422 ("fs: stream_open - opener for
stream-like files so that read and write can run simultaneously without
deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock
on writes to /proc/xen/xenbus") for a similar deadlock example on
/proc/xen/xenbus.

To avoid such deadlock it was tempting to adjust fuse_finish_open to use
stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags,
but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
and in particular GVFS which actually uses offset in its read and write
handlers

	https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

so if we would do such a change it will break a real user.

Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the
opened handler has stream-like semantics; it does not use file position
and thus the kernel is free to issue simultaneous read and write requests on
the opened file handle.

This patch together with stream_open() should be added to stable kernels
starting from v3.14+. This will allow patching OSSPD and other FUSE
filesystems that provide stream-like files to return FOPEN_STREAM |
FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all
kernel versions. This should work because fuse_finish_open ignores unknown
open flags returned from a filesystem and so passing FOPEN_STREAM to a
kernel that is not aware of this flag cannot hurt. In turn the kernel that
is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE
is sufficient to implement streams without read vs write deadlock.

Cc: stable@vger.kernel.org # v3.14+
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/file.c            | 4 +++-
 include/uapi/linux/fuse.h | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index bc8f5de48fd9..69e471b042a6 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -214,7 +214,9 @@ void fuse_finish_open(struct inode *inode, struct file *file)
 		file->f_op = &fuse_direct_io_file_operations;
 	if (!(ff->open_flags & FOPEN_KEEP_CACHE))
 		invalidate_inode_pages2(inode->i_mapping);
-	if (ff->open_flags & FOPEN_NONSEEKABLE)
+	if (ff->open_flags & FOPEN_STREAM)
+		stream_open(inode, file);
+	else if (ff->open_flags & FOPEN_NONSEEKABLE)
 		nonseekable_open(inode, file);
 	if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) {
 		struct fuse_inode *fi = get_fuse_inode(inode);
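Review bot: In fuse_finish_open() FOPEN_STREAM now takes precedence over FOPEN_NONSEEKABLE, and the commit message expects servers to return both flags together. A short comment at the if / else if stating that the two calls are deliberately exclusive, with stream_open() winning when both bits are set, would document that ordering for anyone adding further open flags.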
diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 25084a052a1e..cff91b018953 100644
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -205,10 +205,12 @@ struct fuse_file_lock {
  * FOPEN_DIRECT_IO: bypass page cache for this open file
  * FOPEN_KEEP_CACHE: don't invalidate the data cache on open
  * FOPEN_NONSEEKABLE: the file is not seekable
+ * FOPEN_STREAM: the file is stream-like (no file position at all)
  */
 #define FOPEN_DIRECT_IO		(1 << 0)
 #define FOPEN_KEEP_CACHE	(1 << 1)
 #define FOPEN_NONSEEKABLE	(1 << 2)
+#define FOPEN_STREAM		(1 << 4)
 
 /**
  * INIT request/reply flags
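Review bot: FOPEN_STREAM is defined as (1 << 4), which leaves (1 << 3) unassigned in this uapi header with no explanation. Since the value has to match what FUSE servers send, add a note that bit 3 is intentionally skipped in this tree so that a later backport does not reuse it for something else.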



* [PATCH 3.16 129/129] netns: provide pure entropy for net_hash_mix()
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Amit Klein,
	Pavel Emelyanov, Benny Pinkas, Eric Dumazet

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 355b98553789b646ed97ad801a619ff898471b92 upstream.

net_hash_mix() currently uses the kernel address of a struct net,
and is used in many places that could be used to reveal this
address to a patient attacker, thus defeating KASLR, for
the typical case (initial net namespace, &init_net is
not dynamically allocated).

I believe the original implementation tried to avoid spending
too many cycles in this function, but security comes first.

Also provide entropy regardless of CONFIG_NET_NS.

Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -54,6 +54,8 @@ struct net {
 #endif
 	spinlock_t		rules_mod_lock;
 
+	u32			hash_mix;
+
 	struct list_head	list;		/* list of network namespaces */
 	struct list_head	cleanup_list;	/* namespaces on death row */
 	struct list_head	exit_list;	/* Use only net_mutex */
--- a/include/net/netns/hash.h
+++ b/include/net/netns/hash.h
@@ -1,21 +1,10 @@
 #ifndef __NET_NS_HASH_H__
 #define __NET_NS_HASH_H__
 
-#include <asm/cache.h>
+#include <net/net_namespace.h>
 
-struct net;
-
-static inline unsigned int net_hash_mix(struct net *net)
+static inline u32 net_hash_mix(const struct net *net)
 {
-#ifdef CONFIG_NET_NS
-	/*
-	 * shift this right to eliminate bits, that are
-	 * always zeroed
-	 */
-
-	return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT);
-#else
-	return 0;
-#endif
+	return net->hash_mix;
 }
 #endif
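Review bot: hash.h replaces the forward declaration of struct net with #include <net/net_namespace.h>, so every user of net_hash_mix() now pulls in the full namespace header. Please check that this does not create an include cycle in the 3.16 tree, where header dependencies may differ from upstream, and that all architectures enabled in the stable build configurations still compile.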
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -156,6 +156,7 @@ static __net_init int setup_net(struct n
 
 	atomic_set(&net->count, 1);
 	atomic_set(&net->passive, 1);
+	get_random_bytes(&net->hash_mix, sizeof(u32));
 	net->dev_base_seq = 1;
 	net->user_ns = user_ns;
 
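Review bot: The get_random_bytes(&net->hash_mix, sizeof(u32)) call in setup_net() also has to cover the initial namespace, which the commit message calls the typical case. If setup_net() runs for init_net early in boot, please confirm the random pool yields usable output at that point, since a predictable hash_mix for the initial namespace would weaken the protection this change is meant to add.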



* [PATCH 3.16 126/129] mwifiex: Fix possible buffer overflows at parsing bss descriptor
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Takashi Iwai, huangwen, Kalle Valo

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 upstream.

mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size.  Since the
source is given from user-space, this may trigger a heap buffer
overflow.

Fix it by putting the length check before performing memcpy().

This fix addresses CVE-2019-3846.

Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/scan.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1171,6 +1171,8 @@ int mwifiex_update_bss_desc_with_ie(stru
 		}
 		switch (element_id) {
 		case WLAN_EID_SSID:
+			if (element_len > IEEE80211_MAX_SSID_LEN)
+				return -EINVAL;
 			bss_entry->ssid.ssid_len = element_len;
 			memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
 			       element_len);
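Review bot: The new WLAN_EID_SSID check compares element_len against IEEE80211_MAX_SSID_LEN rather than against the size of the destination. Writing the bound as sizeof(bss_entry->ssid.ssid) would keep the check correct even if the array declaration and the constant ever diverge.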
@@ -1180,6 +1182,8 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_SUPP_RATES:
+			if (element_len > MWIFIEX_SUPPORTED_RATES)
+				return -EINVAL;
 			memcpy(bss_entry->data_rates, current_ptr + 2,
 			       element_len);
 			memcpy(bss_entry->supported_rates, current_ptr + 2,
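Review bot: In the WLAN_EID_SUPP_RATES case a single bound, MWIFIEX_SUPPORTED_RATES, guards two copies of element_len bytes, into bss_entry->data_rates and bss_entry->supported_rates, whose declarations are not part of this hunk. Please confirm both arrays hold at least MWIFIEX_SUPPORTED_RATES bytes, and audit the remaining cases of this switch for the same memcpy() of element_len without a length check.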



* [PATCH 3.16 115/129] md: Fix failed allocation of md_register_thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Guoqing Jiang, Song Liu, Aditya Pakki

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aditya Pakki <pakki001@umn.edu>

commit e406f12dde1a8375d77ea02d91f313fb1a9c6aec upstream.

mddev->sync_thread can be set to NULL on kzalloc failure downstream.
The patch checks for such a scenario and frees allocated resources.

Committer note:

Added similar fix to raid5.c, as suggested by Guoqing.

Acked-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/raid10.c | 2 ++
 drivers/md/raid5.c  | 2 ++
 2 files changed, 4 insertions(+)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3820,6 +3820,8 @@ static int run(struct mddev *mddev)
 		set_bit(MD_RECOVERY_RUNNING, &mddev->recovery);
 		mddev->sync_thread = md_register_thread(md_do_sync, mddev,
 							"reshape");
+		if (!mddev->sync_thread)
+			goto out_free_conf;
 	}
 
 	return 0;
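Review bot: The new goto out_free_conf is taken after set_bit(MD_RECOVERY_RUNNING, &mddev->recovery), and no error code is assigned in the lines shown. Please confirm that the out_free_conf path returns a negative errno and that leaving MD_RECOVERY_RUNNING set after a failed run() is harmless, or clear the bit before jumping.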
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -6180,6 +6180,8 @@ static int run(struct mddev *mddev)
 		set_bit(MD_RECOVERY_RUNNING, &mddev->recovery);
 		mddev->sync_thread = md_register_thread(md_do_sync, mddev,
 							"reshape");
+		if (!mddev->sync_thread)
+			goto abort;
 	}
 
 
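Review bot: The goto abort added after md_register_thread() fails silently, so a reshape that cannot start because of an allocation failure leaves no trace in the log. A message naming the array before the jump would make this failure diagnosable from the kernel log alone.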



* [PATCH 3.16 108/129] lib/div64.c: off by one in shift
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Oleg Nesterov, Siarhei Volkau,
	Linus Torvalds, Stanislaw Gruszka

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stanislaw Gruszka <sgruszka@redhat.com>

commit cdc94a37493135e355dfc0b0e086d84e3eadb50d upstream.

fls counts bits starting from 1 to 32 (returns 0 for zero argument).  If
we add 1 we shift right one bit more and lose precision from the divisor,
which causes the function to return incorrect results with some numbers.

Corrected code was tested in user-space, see bugzilla:
   https://bugzilla.kernel.org/show_bug.cgi?id=202391

Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgruszka@redhat.com
Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reported-by: Siarhei Volkau <lis8215@gmail.com>
Tested-by: Siarhei Volkau <lis8215@gmail.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/div64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/lib/div64.c
+++ b/lib/div64.c
@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divi
 		quot = div_u64_rem(dividend, divisor, &rem32);
 		*remainder = rem32;
 	} else {
-		int n = 1 + fls(high);
+		int n = fls(high);
 		quot = div_u64(dividend >> n, divisor >> n);
 
 		if (quot != 0)
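Review bot: The line int n = fls(high) is correct only because this else branch runs with high non-zero, which makes divisor >> n fit in 32 bits with its top bit set, and nothing in the code says so. A comment on that line stating the invariant would guard against the off-by-one being reintroduced.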
@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
 	if (high == 0) {
 		quot = div_u64(dividend, divisor);
 	} else {
-		int n = 1 + fls(high);
+		int n = fls(high);
 		quot = div_u64(dividend >> n, divisor >> n);
 
 		if (quot != 0)
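Review bot: The same shift computation, and the same one-character fix, appears in both div64_u64_rem() and div64_u64(). Sharing it through a small static helper would keep the two functions from drifting apart again.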



* [PATCH 3.16 106/129] net/hsr: fix possible crash in add_timer()
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, syzbot, Arvid Brodin,
	David S. Miller

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 1e027960edfaa6a43f9ca31081729b716598112b upstream.

syzbot found another add_timer() issue, this time in net/hsr [1]

Let's use mod_timer() which is safe.

[1]
kernel BUG at kernel/time/timer.c:1136!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 15909 Comm: syz-executor.3 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: 'loop2' (00000000f5629718): kobject_uevent_env
RIP: 0010:add_timer kernel/time/timer.c:1136 [inline]
RIP: 0010:add_timer+0x654/0xbe0 kernel/time/timer.c:1134
Code: 0f 94 c5 31 ff 44 89 ee e8 09 61 0f 00 45 84 ed 0f 84 77 fd ff ff e8 bb 5f 0f 00 e8 07 10 a0 ff e9 68 fd ff ff e8 ac 5f 0f 00 <0f> 0b e8 a5 5f 0f 00 0f 0b e8 9e 5f 0f 00 4c 89 b5 58 ff ff ff e9
RSP: 0018:ffff8880656eeca0 EFLAGS: 00010246
kobject: 'loop2' (00000000f5629718): fill_kobj_path: path = '/devices/virtual/block/loop2'
RAX: 0000000000040000 RBX: 1ffff1100caddd9a RCX: ffffc9000c436000
RDX: 0000000000040000 RSI: ffffffff816056c4 RDI: ffff88806a2f6cc8
RBP: ffff8880656eed58 R08: ffff888067f4a300 R09: ffff888067f4abc8
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88806a2f6cc0
R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880656eed30
FS:  00007fc2019bf700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000738000 CR3: 0000000067e8e000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hsr_check_announce net/hsr/hsr_device.c:99 [inline]
 hsr_check_carrier_and_operstate+0x567/0x6f0 net/hsr/hsr_device.c:120
 hsr_netdev_notify+0x297/0xa00 net/hsr/hsr_main.c:51
 notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
 call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
 call_netdevice_notifiers net/core/dev.c:1765 [inline]
 dev_open net/core/dev.c:1436 [inline]
 dev_open+0x143/0x160 net/core/dev.c:1424
 team_port_add drivers/net/team/team.c:1203 [inline]
 team_add_slave+0xa07/0x15d0 drivers/net/team/team.c:1933
 do_set_master net/core/rtnetlink.c:2358 [inline]
 do_set_master+0x1d4/0x230 net/core/rtnetlink.c:2332
 do_setlink+0x966/0x3510 net/core/rtnetlink.c:2493
 rtnl_setlink+0x271/0x3b0 net/core/rtnetlink.c:2747
 rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
 netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:632
 sock_write_iter+0x27c/0x3e0 net/socket.c:923
 call_write_iter include/linux/fs.h:1869 [inline]
 do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680
 do_iter_write fs/read_write.c:956 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:937
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001
 do_writev+0xf6/0x290 fs/read_write.c:1036
 __do_sys_writev fs/read_write.c:1109 [inline]
 __se_sys_writev fs/read_write.c:1106 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1106
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc2019bec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457f29
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc2019bf6d4
R13: 00000000004c4a60 R14: 00000000004dd218 R15: 00000000ffffffff

Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Arvid Brodin <arvid.brodin@alten.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/hsr/hsr_device.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -78,9 +78,8 @@ void hsr_check_announce(struct net_devic
 	if ((hsr_dev->operstate == IF_OPER_UP) && (old_operstate != IF_OPER_UP)) {
 		/* Went up */
 		hsr_priv->announce_count = 0;
-		hsr_priv->announce_timer.expires = jiffies +
-				msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL);
-		add_timer(&hsr_priv->announce_timer);
+		mod_timer(&hsr_priv->announce_timer,
+			  jiffies + msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL));
 	}
 
 	if ((hsr_dev->operstate != IF_OPER_UP) && (old_operstate == IF_OPER_UP))
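Review bot: in the "Went up" branch of hsr_check_announce(), mod_timer() now silently re-arms a timer that is already pending, which is the state that made add_timer() hit the BUG at kernel/time/timer.c:1136; the crash goes away, but the commit message does not say how announce_timer came to be pending on a down-to-up transition. A short comment above the call stating that the timer may still be armed here, and why re-arming it is harmless, would keep a later cleanup from switching back to add_timer().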
@@ -361,6 +360,7 @@ out:
 static void hsr_announce(unsigned long data)
 {
 	struct hsr_priv *hsr_priv;
+	unsigned long interval;
 
 	hsr_priv = (struct hsr_priv *) data;
 
@@ -372,14 +372,12 @@ static void hsr_announce(unsigned long d
 	}
 
 	if (hsr_priv->announce_count < 3)
-		hsr_priv->announce_timer.expires = jiffies +
-				msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL);
+		interval = msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL);
 	else
-		hsr_priv->announce_timer.expires = jiffies +
-				msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL);
+		interval = msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL);
 
 	if (is_admin_up(hsr_priv->dev))
-		add_timer(&hsr_priv->announce_timer);
+		mod_timer(&hsr_priv->announce_timer, jiffies + interval);
 }
 
 



* [PATCH 3.16 113/129] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 079/129] irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 003/129] staging: iio: adt7316: allow adt751x to use internal vref for all dacs Ben Hutchings
                   ` (104 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Brendan Higgins, Kees Cook, Linus Torvalds,
	Luis Chamberlain, Zev Weiss, Iurii Zaikin

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zev Weiss <zev@bewilderbeest.net>

commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.

This bug has apparently existed since the introduction of this function
in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git,
"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
neighbour sysctls.").

As a minimal fix we can simply duplicate the corresponding check in
do_proc_dointvec_conv().

Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net
Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
Cc: Brendan Higgins <brendanhiggins@google.com>
Cc: Iurii Zaikin <yzaikin@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sysctl.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2179,7 +2179,16 @@ static int do_proc_dointvec_minmax_conv(
 {
 	struct do_proc_dointvec_minmax_conv_param *param = data;
 	if (write) {
-		int val = *negp ? -*lvalp : *lvalp;
+		int val;
+		if (*negp) {
+			if (*lvalp > (unsigned long) INT_MAX + 1)
+				return -EINVAL;
+			val = -*lvalp;
+		} else {
+			if (*lvalp > (unsigned long) INT_MAX)
+				return -EINVAL;
+			val = *lvalp;
+		}
 		if ((param->min && *param->min > val) ||
 		    (param->max && *param->max < val))
 			return -EINVAL;
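Review bot: the negative branch accepts *lvalp == (unsigned long) INT_MAX + 1 and then relies on "val = -*lvalp" converting an out-of-range unsigned long to INT_MIN, which is implementation-defined in C rather than guaranteed; a one-line comment saying that this bound exists to admit INT_MIN would make the intent clear. The commit message describes this as a duplicate of the check in do_proc_dointvec_conv(), so a shared helper would keep the two copies from drifting apart. Kernel style also wants a blank line after the "int val;" declaration.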



* [PATCH 3.16 103/129] mm, swap: bounds check swap_info array accesses to avoid NULL derefs
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 082/129] clocksource/drivers/exynos_mct: Fix error path in timer resources initialization Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 087/129] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held Ben Hutchings
                   ` (52 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Peter Zijlstra (Intel),
	Shaohua Li, Tejun Heo, Will Deacon, Paul McKenney,
	Stephen Rothwell, Dan Carpenter, Alan Stern, Andi Kleen,
	Daniel Jordan, Dave Hansen, Andrea Parri, Linus Torvalds,
	Omar Sandoval, Huang, Ying

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit c10d38cc8d3e43f946b6c2bf4602c86791587f30 upstream.

Dan Carpenter reports a potential NULL dereference in
get_swap_page_of_type:

  Smatch complains that the NULL checks on "si" aren't consistent.  This
  seems like a real bug because we have not ensured that the type is
  valid and so "si" can be NULL.

Add the missing check for NULL, taking care to use a read barrier to
ensure CPU1 observes CPU0's updates in the correct order:

     CPU0                           CPU1
     alloc_swap_info()              if (type >= nr_swapfiles)
       swap_info[type] = p              /* handle invalid entry */
       smp_wmb()                    smp_rmb()
       ++nr_swapfiles               p = swap_info[type]

Without smp_rmb, CPU1 might observe CPU0's write to nr_swapfiles before
CPU0's write to swap_info[type] and read NULL from swap_info[type].

Ying Huang noticed other places in swapfile.c don't order these reads
properly.  Introduce swap_type_to_swap_info to encourage correct usage.

Use READ_ONCE and WRITE_ONCE to follow the Linux Kernel Memory Model
(see tools/memory-model/Documentation/explanation.txt).

This ordering need not be enforced in places where swap_lock is held
(e.g.  si_swapinfo) because swap_lock serializes updates to nr_swapfiles
and the swap_info array.

Link: http://lkml.kernel.org/r/20190131024410.29859-1-daniel.m.jordan@oracle.com
Fixes: ec8acf20afb8 ("swap: add per-partition lock for swapfile")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Suggested-by: "Huang, Ying" <ying.huang@intel.com>
Reviewed-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Omar Sandoval <osandov@fb.com>
Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
Cc: Shaohua Li <shli@kernel.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Tejun Heo <tj@kernel.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
 - Add swp_swap_info(), as done in upstream commit 0bcac06f27d7
   "mm, swap: skip swapcache for swapin of synchronous device"
 - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -451,6 +451,7 @@ extern sector_t map_swap_page(struct pag
 extern sector_t swapdev_block(int, pgoff_t);
 extern int page_swapcount(struct page *);
 extern struct swap_info_struct *page_swap_info(struct page *);
+extern struct swap_info_struct *swp_swap_info(swp_entry_t entry);
 extern int reuse_swap_page(struct page *);
 extern int try_to_free_swap(struct page *);
 struct backing_dev_info;
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -86,6 +86,15 @@ static DECLARE_WAIT_QUEUE_HEAD(proc_poll
 /* Activity counter to indicate that a swapon or swapoff has occurred */
 static atomic_t proc_poll_event = ATOMIC_INIT(0);
 
+static struct swap_info_struct *swap_type_to_swap_info(int type)
+{
+	if (type >= ACCESS_ONCE(nr_swapfiles))
+		return NULL;
+
+	smp_rmb();	/* Pairs with smp_wmb in alloc_swap_info. */
+	return ACCESS_ONCE(swap_info[type]);
+}
+
 static inline unsigned char swap_count(unsigned char ent)
 {
 	return ent & ~SWAP_HAS_CACHE;	/* may include COUNT_CONTINUED flag */
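Review bot: swap_type_to_swap_info() takes "int type" and tests "type >= ACCESS_ONCE(nr_swapfiles)" without the "(unsigned int)" cast that swapdev_block() carried before this patch, so whether a negative type is rejected depends on the declared type of nr_swapfiles, which these hunks do not show. Either make the parameter unsigned or keep the explicit cast inside the helper, so the bounds check does not rest on an implicit conversion.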
@@ -703,12 +712,14 @@ noswap:
 /* The only caller of this function is now suspend routine */
 swp_entry_t get_swap_page_of_type(int type)
 {
-	struct swap_info_struct *si;
+	struct swap_info_struct *si = swap_type_to_swap_info(type);
 	pgoff_t offset;
 
-	si = swap_info[type];
+	if (!si)
+		goto fail;
+
 	spin_lock(&si->lock);
-	if (si && (si->flags & SWP_WRITEOK)) {
+	if (si->flags & SWP_WRITEOK) {
 		atomic_long_dec(&nr_swap_pages);
 		/* This is called for allocating swap entry, not cache */
 		offset = scan_swap_map(si, 1);
@@ -719,6 +730,7 @@ swp_entry_t get_swap_page_of_type(int ty
 		atomic_long_inc(&nr_swap_pages);
 	}
 	spin_unlock(&si->lock);
+fail:
 	return (swp_entry_t) {0};
 }
 
@@ -730,9 +742,9 @@ static struct swap_info_struct *swap_inf
 	if (!entry.val)
 		goto out;
 	type = swp_type(entry);
-	if (type >= nr_swapfiles)
+	p = swap_type_to_swap_info(type);
+	if (!p)
 		goto bad_nofile;
-	p = swap_info[type];
 	if (!(p->flags & SWP_USED))
 		goto bad_device;
 	offset = swp_offset(entry);
@@ -1037,10 +1049,9 @@ int swap_type_of(dev_t device, sector_t
 sector_t swapdev_block(int type, pgoff_t offset)
 {
 	struct block_device *bdev;
+	struct swap_info_struct *si = swap_type_to_swap_info(type);
 
-	if ((unsigned int)type >= nr_swapfiles)
-		return 0;
-	if (!(swap_info[type]->flags & SWP_WRITEOK))
+	if (!si || !(si->flags & SWP_WRITEOK))
 		return 0;
 	return map_swap_entry(swp_entry(type, offset), &bdev);
 }
@@ -1584,7 +1595,7 @@ static sector_t map_swap_entry(swp_entry
 	struct swap_extent *se;
 	pgoff_t offset;
 
-	sis = swap_info[swp_type(entry)];
+	sis = swp_swap_info(entry);
 	*bdev = sis->bdev;
 
 	offset = swp_offset(entry);
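Review bot: in map_swap_entry(), "sis = swp_swap_info(entry);" can return NULL for an out-of-range type, and the next line "*bdev = sis->bdev;" dereferences it unchecked. If every caller guarantees a valid entry, say so in a comment here; otherwise this needs a NULL check like the ones added in get_swap_page_of_type() and __swap_duplicate().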
@@ -1982,9 +1993,7 @@ static void *swap_start(struct seq_file
 	if (!l)
 		return SEQ_START_TOKEN;
 
-	for (type = 0; type < nr_swapfiles; type++) {
-		smp_rmb();	/* read nr_swapfiles before swap_info[type] */
-		si = swap_info[type];
+	for (type = 0; (si = swap_type_to_swap_info(type)); type++) {
 		if (!(si->flags & SWP_USED) || !si->swap_map)
 			continue;
 		if (!--l)
@@ -2004,9 +2013,7 @@ static void *swap_next(struct seq_file *
 	else
 		type = si->type + 1;
 
-	for (; type < nr_swapfiles; type++) {
-		smp_rmb();	/* read nr_swapfiles before swap_info[type] */
-		si = swap_info[type];
+	for (; (si = swap_type_to_swap_info(type)); type++) {
 		if (!(si->flags & SWP_USED) || !si->swap_map)
 			continue;
 		++*pos;
@@ -2111,14 +2118,14 @@ static struct swap_info_struct *alloc_sw
 	}
 	if (type >= nr_swapfiles) {
 		p->type = type;
-		swap_info[type] = p;
+		ACCESS_ONCE(swap_info[type]) = p;
 		/*
 		 * Write swap_info[type] before nr_swapfiles, in case a
 		 * racing procfs swap_start() or swap_next() is reading them.
 		 * (We never shrink nr_swapfiles, we never free this entry.)
 		 */
 		smp_wmb();
-		nr_swapfiles++;
+		ACCESS_ONCE(nr_swapfiles) = nr_swapfiles + 1;
 	} else {
 		kfree(p);
 		p = swap_info[type];
@@ -2598,7 +2605,7 @@ void si_swapinfo(struct sysinfo *val)
 static int __swap_duplicate(swp_entry_t entry, unsigned char usage)
 {
 	struct swap_info_struct *p;
-	unsigned long offset, type;
+	unsigned long offset;
 	unsigned char count;
 	unsigned char has_cache;
 	int err = -EINVAL;
@@ -2606,10 +2613,10 @@ static int __swap_duplicate(swp_entry_t
 	if (non_swap_entry(entry))
 		goto out;
 
-	type = swp_type(entry);
-	if (type >= nr_swapfiles)
+	p = swp_swap_info(entry);
+	if (!p)
 		goto bad_file;
-	p = swap_info[type];
+
 	offset = swp_offset(entry);
 
 	spin_lock(&p->lock);
@@ -2704,11 +2711,16 @@ int swapcache_prepare(swp_entry_t entry)
 	return __swap_duplicate(entry, SWAP_HAS_CACHE);
 }
 
+struct swap_info_struct *swp_swap_info(swp_entry_t entry)
+{
+	return swap_type_to_swap_info(swp_type(entry));
+}
+
 struct swap_info_struct *page_swap_info(struct page *page)
 {
-	swp_entry_t swap = { .val = page_private(page) };
+	swp_entry_t entry = { .val = page_private(page) };
 	BUG_ON(!PageSwapCache(page));
-	return swap_info[swp_type(swap)];
+	return swp_swap_info(entry);
 }
 
 /*



* [PATCH 3.16 125/129] media: uvcvideo: Fix 'type' check leading to overflow
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 050/129] crypto: ahash - fix another early termination in hash walk Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 126/129] mwifiex: Fix possible buffer overflows at parsing bss descriptor Ben Hutchings
                   ` (25 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Alistair Strachan,
	syzbot, Laurent Pinchart

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alistair Strachan <astrachan@google.com>

commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/uvc/uvc_driver.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -977,11 +977,19 @@ static int uvc_parse_standard_control(st
 			return -EINVAL;
 		}
 
-		/* Make sure the terminal type MSB is not null, otherwise it
-		 * could be confused with a unit.
+		/*
+		 * Reject invalid terminal types that would cause issues:
+		 *
+		 * - The high byte must be non-zero, otherwise it would be
+		 *   confused with a unit.
+		 *
+		 * - Bit 15 must be 0, as we use it internally as a terminal
+		 *   direction flag.
+		 *
+		 * Other unknown types are accepted.
 		 */
 		type = get_unaligned_le16(&buffer[4]);
-		if ((type & 0xff00) == 0) {
+		if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
 			uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
 				"interface %d INPUT_TERMINAL %d has invalid "
 				"type 0x%04x, skipping\n", udev->devnum,

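Review bot: in the new condition, "(type & 0x8000) != 0" already rejects every value with bit 15 set, so "(type & 0x7f00) == 0" combined with it accepts and rejects exactly the same inputs as the old "(type & 0xff00) == 0" would; the mask change is harmless but reads as if it mattered. The bare 0x8000 is the bit the new comment calls the internal terminal direction flag, so a named constant for that flag in place of the literal would tie the check to the thing it protects.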


* [PATCH 3.16 120/129] pptp: dst_release sk_dst_cache in pptp_sock_destruct
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 022/129] security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 084/129] btrfs: init csum_list before possible free Ben Hutchings
                   ` (15 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Xin Long, Xiumei Mu

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit 9417d81f4f8adfe20a12dd1fadf73a618cbd945d upstream.

sk_setup_caps() is called to set sk->sk_dst_cache in pptp_connect,
so we have to dst_release(sk->sk_dst_cache) in pptp_sock_destruct,
otherwise, the dst refcnt will leak.

It can be reproduced by this syz log:

  r1 = socket$pptp(0x18, 0x1, 0x2)
  bind$pptp(r1, &(0x7f0000000100)={0x18, 0x2, {0x0, @local}}, 0x1e)
  connect$pptp(r1, &(0x7f0000000000)={0x18, 0x2, {0x3, @remote}}, 0x1e)

Consecutive dmesg warnings will occur:

  unregister_netdevice: waiting for lo to become free. Usage count = 1

v1->v2:
  - use rcu_dereference_protected() instead of rcu_dereference_check(),
    as suggested by Eric.

Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ppp/pptp.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -579,6 +579,7 @@ static void pptp_sock_destruct(struct so
 		pppox_unbind_sock(sk);
 	}
 	skb_queue_purge(&sk->sk_receive_queue);
+	dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1));
 }
 
 static int pptp_create(struct net *net, struct socket *sock)
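Review bot: "rcu_dereference_protected(sk->sk_dst_cache, 1)" passes a constant 1 as the protection condition, which turns the lockdep check off entirely; a short comment in pptp_sock_destruct() stating why no other reader or writer can touch sk_dst_cache at destruct time would justify the constant.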



* [PATCH 3.16 127/129] mwifiex: Abort at too short BSS descriptor element
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 123/129] fuse: Add FOPEN_STREAM to use stream_open() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 062/129] pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups Ben Hutchings
                   ` (36 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Kalle Valo

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream.

Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
the source descriptor entries contain enough size for each type
and performs copying without checking the source size.  This may lead
to a read over the boundary.

Fix this by putting the source size check in appropriate places.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/scan.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1193,6 +1193,8 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_FH_PARAMS:
+			if (element_len + 2 < sizeof(*fh_param_set))
+				return -EINVAL;
 			fh_param_set =
 				(struct ieee_types_fh_param_set *) current_ptr;
 			memcpy(&bss_entry->phy_param_set.fh_param_set,
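Review bot: the new check "element_len + 2 < sizeof(*fh_param_set)", repeated in the DS, CF and IBSS cases, hard-codes 2 for the element ID and length bytes; a named constant or a sizeof() of the element header type would make the relationship to current_ptr explicit. Returning -EINVAL also aborts parsing of the whole descriptor on one short element rather than skipping that element; the subject line says the abort is intended, so a comment recording that choice would help the next reader.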
@@ -1201,6 +1203,8 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_DS_PARAMS:
+			if (element_len + 2 < sizeof(*ds_param_set))
+				return -EINVAL;
 			ds_param_set =
 				(struct ieee_types_ds_param_set *) current_ptr;
 
@@ -1212,6 +1216,8 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_CF_PARAMS:
+			if (element_len + 2 < sizeof(*cf_param_set))
+				return -EINVAL;
 			cf_param_set =
 				(struct ieee_types_cf_param_set *) current_ptr;
 			memcpy(&bss_entry->ss_param_set.cf_param_set,
@@ -1220,6 +1226,8 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_IBSS_PARAMS:
+			if (element_len + 2 < sizeof(*ibss_param_set))
+				return -EINVAL;
 			ibss_param_set =
 				(struct ieee_types_ibss_param_set *)
 				current_ptr;
@@ -1229,10 +1237,14 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_ERP_INFO:
+			if (!element_len)
+				return -EINVAL;
 			bss_entry->erp_flags = *(current_ptr + 2);
 			break;
 
 		case WLAN_EID_PWR_CONSTRAINT:
+			if (!element_len)
+				return -EINVAL;
 			bss_entry->local_constraint = *(current_ptr + 2);
 			bss_entry->sensed_11h = true;
 			break;
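Review bot: for WLAN_EID_ERP_INFO and WLAN_EID_PWR_CONSTRAINT the check is "if (!element_len)", which only confirms that the element's own length field claims at least one payload byte before "*(current_ptr + 2)" is read; on its own it does not show that the byte lies inside the received buffer. If the loop validates element_len against the remaining bytes before entering the switch, a comment pointing at that check would make these two cases reviewable in isolation.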
@@ -1272,6 +1284,9 @@ int mwifiex_update_bss_desc_with_ie(stru
 			break;
 
 		case WLAN_EID_VENDOR_SPECIFIC:
+			if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
+				return -EINVAL;
+
 			vendor_ie = (struct ieee_types_vendor_specific *)
 					current_ptr;
 



* [PATCH 3.16 117/129] net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 071/129] ASoC: fsl_esai: fix register setting issue in RIGHT_J mode Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 017/129] staging: iio: adt7316: fix the dac write calculation Ben Hutchings
                   ` (99 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tariq Toukan, Jack Morgenstein, David S. Miller

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit c07d27927f2f2e96fcd27bb9fb330c9ea65612d0 upstream.

In procedures mlx4_cmd_use_events() and mlx4_cmd_use_polling(), we need to
guarantee that there are no FW commands in progress on the comm channel
(for VFs) or wrapped FW commands (on the PF) when SRIOV is active.

We do this by also taking the slave_cmd_mutex when SRIOV is active.

This is especially important when switching from event to polling, since we
free the command-context array during the switch.  If there are FW commands
in progress (e.g., waiting for a completion event), the completion event
handler will access freed memory.

Since the decision to use comm_wait or comm_poll is taken before grabbing
the event_sem/poll_sem in mlx4_comm_cmd_wait/poll, we must take the
slave_cmd_mutex as well (to guarantee that the decision to use events or
polling and the call to the appropriate cmd function are atomic).

Fixes: a7e1f04905e5 ("net/mlx4_core: Fix deadlock when switching between polling and event fw commands")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/cmd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
@@ -2196,6 +2196,8 @@ int mlx4_cmd_use_events(struct mlx4_dev
 	if (!priv->cmd.context)
 		return -ENOMEM;
 
+	if (mlx4_is_mfunc(dev))
+		mutex_lock(&priv->cmd.slave_cmd_mutex);
 	down_write(&priv->cmd.switch_sem);
 	for (i = 0; i < priv->cmd.max_cmds; ++i) {
 		priv->cmd.context[i].token = i;
@@ -2217,6 +2219,8 @@ int mlx4_cmd_use_events(struct mlx4_dev
 	down(&priv->cmd.poll_sem);
 	priv->cmd.use_events = 1;
 	up_write(&priv->cmd.switch_sem);
+	if (mlx4_is_mfunc(dev))
+		mutex_unlock(&priv->cmd.slave_cmd_mutex);
 
 	return err;
 }
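Review bot: mlx4_cmd_use_events() evaluates mlx4_is_mfunc(dev) once to take slave_cmd_mutex and a second time to release it; caching the result in a local variable would guarantee the lock and unlock stay paired, and the same applies to mlx4_cmd_use_polling(). The new ordering, slave_cmd_mutex before switch_sem, should also be documented next to the lock definitions so that the command paths acquire them in the same order.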
@@ -2229,6 +2233,8 @@ void mlx4_cmd_use_polling(struct mlx4_de
 	struct mlx4_priv *priv = mlx4_priv(dev);
 	int i;
 
+	if (mlx4_is_mfunc(dev))
+		mutex_lock(&priv->cmd.slave_cmd_mutex);
 	down_write(&priv->cmd.switch_sem);
 	priv->cmd.use_events = 0;
 
@@ -2239,6 +2245,8 @@ void mlx4_cmd_use_polling(struct mlx4_de
 
 	up(&priv->cmd.poll_sem);
 	up_write(&priv->cmd.switch_sem);
+	if (mlx4_is_mfunc(dev))
+		mutex_unlock(&priv->cmd.slave_cmd_mutex);
 }
 
 struct mlx4_cmd_mailbox *mlx4_alloc_cmd_mailbox(struct mlx4_dev *dev)



* [PATCH 3.16 114/129] It's wrong to add len to sector_nr in raid10 reshape twice
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 033/129] pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 110/129] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race Ben Hutchings
                   ` (127 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Xiao Ni, Song Liu

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xiao Ni <xni@redhat.com>

commit b761dcf1217760a42f7897c31dcb649f59b2333e upstream.

In reshape_request it already adds len to sector_nr. It's wrong to add len to
sector_nr again after adding pages to bio. If there is a bad block it can't copy one chunk
at a time; it needs to goto read_more. Now the sector_nr is wrong. It can cause data
corruption.

Signed-off-by: Xiao Ni <xni@redhat.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/raid10.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -4506,7 +4506,6 @@ bio_full:
 	atomic_inc(&r10_bio->remaining);
 	read_bio->bi_next = NULL;
 	generic_make_request(read_bio);
-	sector_nr += nr_sectors;
 	sectors_done += nr_sectors;
 	if (sector_nr <= last)
 		goto read_more;
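Review bot: with "sector_nr += nr_sectors;" removed, the loop test "if (sector_nr <= last) goto read_more;" depends entirely on the earlier increment in reshape_request that the commit message mentions but this hunk does not show; a comment at bio_full noting that sector_nr has already been advanced would keep the double increment from being reintroduced. sectors_done is still advanced here, so it is worth confirming that the two counters are meant to move at different points.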



* [PATCH 3.16 112/129] gro_cells: make sure device is up in gro_cells_receive()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 018/129] drm: Fix error handling in drm_legacy_addctx Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 002/129] staging: iio: adt7316: invert the logic of the check for an ldac pin Ben Hutchings
                   ` (65 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot, David S. Miller, Eric Dumazet

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 2a5ff07a0eb945f291e361aa6f6becca8340ba46 upstream.

We keep receiving syzbot reports [1] that show that tunnels do not play
the rcu/IFF_UP rules properly.

At device dismantle phase, gro_cells_destroy() will be called
only after a full rcu grace period is observed after IFF_UP
has been cleared.

This means that IFF_UP needs to be tested before queueing packets
into netif_rx() or gro_cells.

This patch implements the test in gro_cells_receive() because
too many callers do not seem to bother enough.

[1]
BUG: unable to handle kernel paging request at fffff4ca0b9ffffe
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
kobject: 'loop2' (000000004bd7d84a): kobject_uevent_env
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
Call Trace:
kobject: 'loop2' (000000004bd7d84a): fill_kobj_path: path = '/devices/virtual/block/loop2'
 ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010
 netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
 ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1124
 vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495
 ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
 worker_thread+0x98/0xe40 kernel/workqueue.c:2319
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
CR2: fffff4ca0b9ffffe
   [ end trace 513fc9c1338d1cb3 ]
RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
kobject: 'loop3' (00000000e4ee57a6): kobject_uevent_env
R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
FS:  0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0

Fixes: c9e6bc644e55 ("net: add gro_cells infrastructure")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Adjust filename, context
 - Return type is void]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/gro_cells.h | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

--- a/include/net/gro_cells.h
+++ b/include/net/gro_cells.h
@@ -20,18 +20,23 @@ static inline void gro_cells_receive(str
 	struct gro_cell *cell = gcells->cells;
 	struct net_device *dev = skb->dev;
 
+	rcu_read_lock();
+	if (unlikely(!(dev->flags & IFF_UP)))
+		goto drop;
+
 	if (!cell || skb_cloned(skb) || !(dev->features & NETIF_F_GRO)) {
 		netif_rx(skb);
-		return;
+		goto unlock;
 	}
 
 	if (skb_rx_queue_recorded(skb))
 		cell += skb_get_rx_queue(skb) & gcells->gro_cells_mask;
 
 	if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
+drop:
 		atomic_long_inc(&dev->rx_dropped);
 		kfree_skb(skb);
-		return;
+		goto unlock;
 	}
 
 	/* We run in BH context */
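Review bot: the new `goto drop` from the IFF_UP test lands on a label placed inside the body of the `skb_queue_len(&cell->napi_skbs) > netdev_max_backlog` branch, which is legal C but easy to break in a later edit of that branch. A one-line comment at the `dev->flags & IFF_UP` test, saying that gro_cells_destroy() only runs after an RCU grace period following the clearing of IFF_UP, would also record why the test has to sit inside rcu_read_lock(); nothing in the code says so today.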
@@ -42,6 +47,9 @@ static inline void gro_cells_receive(str
 		napi_schedule(&cell->napi);
 
 	spin_unlock(&cell->napi_skbs.lock);
+
+unlock:
+	rcu_read_unlock();
 }
 
 /* called unser BH context */
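Review bot: the `unlock:` label directly follows `spin_unlock(&cell->napi_skbs.lock)` but releases only the RCU read lock, so the name invites misreading; `rcu_unlock` or a short comment would make clear that the early exits in the previous hunk never held the queue spinlock. Since the 3.16 function returns void, callers cannot tell a dropped skb from a queued one, so `dev->rx_dropped` is the only place the new IFF_UP drops show up.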


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 107/129] cpufreq: pxa2xx: remove incorrect __init annotation
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 104/129] s390/virtio: handle find on invalid queue gracefully Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 028/129] media: v4l2: i2c: ov7670: Fix PLL bypass register values Ben Hutchings
                   ` (44 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Rafael J. Wysocki,
	Viresh Kumar, Nathan Chancellor, Robert Jarzmik

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 9505b98ccddc454008ca7efff90044e3e857c827 upstream.

pxa_cpufreq_init_voltages() is marked __init but usually inlined into
the non-__init pxa_cpufreq_init() function. When building with clang,
it can stay as a standalone function in a discarded section, and produce
this warning:

WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the function pxa_cpufreq_init() to the function .init.text:pxa_cpufreq_init_voltages()
The function pxa_cpufreq_init() references
the function __init pxa_cpufreq_init_voltages().
This is often because pxa_cpufreq_init lacks a __init
annotation or the annotation of pxa_cpufreq_init_voltages is wrong.

Fixes: 50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cpufreq/pxa2xx-cpufreq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/cpufreq/pxa2xx-cpufreq.c
+++ b/drivers/cpufreq/pxa2xx-cpufreq.c
@@ -191,7 +191,7 @@ static int pxa_cpufreq_change_voltage(px
 	return ret;
 }
 
-static void __init pxa_cpufreq_init_voltages(void)
+static void pxa_cpufreq_init_voltages(void)
 {
 	vcc_core = regulator_get(NULL, "vcc_core");
 	if (IS_ERR(vcc_core)) {
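Review bot: the commit message describes only the modpost warning, but the practical risk addressed in this hunk is that `pxa_cpufreq_init_voltages()` could be placed in a discarded init section while its caller `pxa_cpufreq_init()` is not `__init`. Saying so in the changelog would make clear that this is a correctness fix for clang builds and not only warning cleanup.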
@@ -207,7 +207,7 @@ static int pxa_cpufreq_change_voltage(px
 	return 0;
 }
 
-static void __init pxa_cpufreq_init_voltages(void) { }
+static void pxa_cpufreq_init_voltages(void) { }
 #endif
 
 static void find_freq_tables(struct cpufreq_frequency_table **freq_table,


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 119/129] l2tp: fix infoleak in l2tp_ip6_recvmsg()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 026/129] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 093/129] NFSv4.1: Reinitialise sequence results before retransmitting a request Ben Hutchings
                   ` (112 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, David S. Miller, syzbot

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 upstream.

Back in 2013 Hannes took care of most of such leaks in commit
bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")

But the bug in l2tp_ip6_recvmsg() has not been fixed.

syzbot report:

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
 kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:174 [inline]
 move_addr_to_user+0x311/0x570 net/socket.c:227
 ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
 do_recvmmsg+0x646/0x10c0 net/socket.c:2390
 __sys_recvmmsg net/socket.c:2469 [inline]
 __do_sys_recvmmsg net/socket.c:2492 [inline]
 __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
 __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445819
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf

Local variable description: ----addr@___sys_recvmsg
Variable was created at:
 ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
 do_recvmmsg+0x646/0x10c0 net/socket.c:2390

Bytes 0-31 of 32 are uninitialized
Memory access of size 32 starts at ffff8880ae62fbb0
Data copied to user address 0000000020000000

Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/l2tp/l2tp_ip6.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -664,9 +664,6 @@ static int l2tp_ip6_recvmsg(struct kiocb
 	if (flags & MSG_OOB)
 		goto out;
 
-	if (addr_len)
-		*addr_len = sizeof(*lsa);
-
 	if (flags & MSG_ERRQUEUE)
 		return ipv6_recv_error(sk, msg, len, addr_len);
 
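Review bot: with the early `*addr_len = sizeof(*lsa)` removed, the `MSG_ERRQUEUE` path hands `addr_len` to ipv6_recv_error() untouched, so that helper is now solely responsible for the length it reports. It is worth confirming in the 3.16 tree that it sets `*addr_len` only when it has filled in the address, otherwise the same kind of leak the KMSAN report shows (bytes 0-31 of 32 uninitialized) remains reachable through the error queue.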
@@ -696,6 +693,7 @@ static int l2tp_ip6_recvmsg(struct kiocb
 		lsa->l2tp_conn_id = 0;
 		if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
 			lsa->l2tp_scope_id = IP6CB(skb)->iif;
+		*addr_len = sizeof(*lsa);
 	}
 
 	if (np->rxopt.all)
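Review bot: the re-added `*addr_len = sizeof(*lsa);` has lost the `if (addr_len)` guard that the removed lines carried, so this store now assumes addr_len is non-NULL whenever the address block is entered. If every 3.16 caller passes a valid pointer that is fine, but it should be confirmed for the backport, or the guard kept.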


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 104/129] s390/virtio: handle find on invalid queue gracefully
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 034/129] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 107/129] cpufreq: pxa2xx: remove incorrect __init annotation Ben Hutchings
                   ` (45 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Cornelia Huck, Michael S. Tsirkin, Halil Pasic

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Halil Pasic <pasic@linux.ibm.com>

commit 3438b2c039b4bf26881786a1f3450f016d66ad11 upstream.

A queue with a capacity of zero is clearly not a valid virtio queue.
Some emulators report zero queue size if queried with an invalid queue
index. Instead of crashing in this case let us just return -ENOENT. To
make that work properly, let us fix the notifier cleanup logic as well.

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/kvm/virtio_ccw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/s390/kvm/virtio_ccw.c
+++ b/drivers/s390/kvm/virtio_ccw.c
@@ -258,6 +258,8 @@ static void virtio_ccw_drop_indicators(s
 {
 	struct virtio_ccw_vq_info *info;
 
+	if (!vcdev->airq_info)
+		return;
 	list_for_each_entry(info, &vcdev->virtqueues, node)
 		drop_airq_indicator(info->vq, vcdev->airq_info);
 }
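Review bot: the new `if (!vcdev->airq_info) return;` carries no comment explaining when airq_info can be NULL at this point. The commit message ties it to notifier cleanup after a failed queue lookup; a one-line comment to that effect would stop the check from looking like a stray NULL test.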
@@ -386,7 +388,7 @@ static int virtio_ccw_read_vq_conf(struc
 	ccw->count = sizeof(struct vq_config_block);
 	ccw->cda = (__u32)(unsigned long)(vcdev->config_block);
 	ccw_io_helper(vcdev, ccw, VIRTIO_CCW_DOING_READ_VQ_CONF);
-	return vcdev->config_block->num;
+	return vcdev->config_block->num ?: -ENOENT;
 }
 
 static void virtio_ccw_del_vq(struct virtqueue *vq, struct ccw1 *ccw)
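Review bot: `virtio_ccw_read_vq_conf()` still ignores the return value of `ccw_io_helper()`, so when the channel I/O itself fails, `config_block->num` is whatever the buffer held before, and the new `?: -ENOENT` only catches the case where that happens to be zero. Propagating the helper's error first would be more robust. The return value now carries either a queue size or a negative errno, so callers must test for `< 0` before using it as a size.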


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 118/129] net/mlx4_core: Fix qp mtt size calculation
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 072/129] cdc-wdm: pass return value of recover_from_urb_loss Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 070/129] USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 Ben Hutchings
                   ` (58 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jack Morgenstein, Tariq Toukan, David S. Miller

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>

commit 8511a653e9250ef36b95803c375a7be0e2edb628 upstream.

Calculation of qp mtt size (in function mlx4_RST2INIT_wrapper)
ultimately depends on function roundup_pow_of_two.

If the amount of memory required by the QP is less than one page,
roundup_pow_of_two is called with argument zero.  In this case, the
roundup_pow_of_two result is undefined.

Calling roundup_pow_of_two with a zero argument resulted in the
following stack trace:

UBSAN: Undefined behaviour in ./include/linux/log2.h:61:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 4 PID: 26939 Comm: rping Tainted: G OE 4.19.0-rc1
Hardware name: Supermicro X9DR3-F/X9DR3-F, BIOS 3.2a 07/09/2015
Call Trace:
dump_stack+0x9a/0xeb
ubsan_epilogue+0x9/0x7c
__ubsan_handle_shift_out_of_bounds+0x254/0x29d
? __ubsan_handle_load_invalid_value+0x180/0x180
? debug_show_all_locks+0x310/0x310
? sched_clock+0x5/0x10
? sched_clock+0x5/0x10
? sched_clock_cpu+0x18/0x260
? find_held_lock+0x35/0x1e0
? mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core]
mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core]

Fix this by explicitly testing for zero, and returning one if the
argument is zero (assuming that the next higher power of 2 in this case
should be one).

Fixes: c82e9aa0a8bc ("mlx4_core: resource tracking for HCA resources used by guests")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2460,13 +2460,13 @@ static int qp_get_mtt_size(struct mlx4_q
 	int total_pages;
 	int total_mem;
 	int page_offset = (be32_to_cpu(qpc->params2) >> 6) & 0x3f;
+	int tot;
 
 	sq_size = 1 << (log_sq_size + log_sq_sride + 4);
 	rq_size = (srq|rss|xrc) ? 0 : (1 << (log_rq_size + log_rq_stride + 4));
 	total_mem = sq_size + rq_size;
-	total_pages =
-		roundup_pow_of_two((total_mem + (page_offset << 6)) >>
-				   page_shift);
+	tot = (total_mem + (page_offset << 6)) >> page_shift;
+	total_pages = !tot ? 1 : roundup_pow_of_two(tot);
 
 	return total_pages;
 }
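Review bot: the zero case is handled, but `tot`, `total_mem` and both `1 << (...)` shifts are plain int, and the shift exponents come from fields of the QP context with no bound visible in this function. Since the Fixes: tag places this code in the tracking of resources used by guests, a range check on `log_sq_size + log_sq_sride + 4` and `log_rq_size + log_rq_stride + 4` before shifting would remove the same class of undefined behaviour that UBSAN reported for roundup_pow_of_two(0).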


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 109/129] xen, cpu_hotplug: Prevent an out of bounds access
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 055/129] bcache: treat stale && dirty keys as bad keys Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 073/129] libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer Ben Hutchings
                   ` (29 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dan Carpenter, Juergen Gross

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 201676095dda7e5b31a5e1d116d10fc22985075e upstream.

The "cpu" variable comes from the sscanf() so Smatch marks it as
untrusted data.  We can't pass a higher value than "nr_cpu_ids" to
cpu_possible() or it results in an out of bounds access.

Fixes: d68d82afd4c8 ("xen: implement CPU hotplugging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/cpu_hotplug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/xen/cpu_hotplug.c
+++ b/drivers/xen/cpu_hotplug.c
@@ -47,7 +47,7 @@ static int vcpu_online(unsigned int cpu)
 }
 static void vcpu_hotplug(unsigned int cpu)
 {
-	if (!cpu_possible(cpu))
+	if (cpu >= nr_cpu_ids || !cpu_possible(cpu))
 		return;
 
 	switch (vcpu_online(cpu)) {
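Review bot: the bound check added in `vcpu_hotplug()` guards only this one consumer of the parsed value. The commit message says `cpu` comes from sscanf(), so rejecting values `>= nr_cpu_ids` where the number is parsed would cover every later use as well; the ordering here, with the range test ahead of `cpu_possible(cpu)`, is correct.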


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 110/129] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 114/129] It's wrong to add len to sector_nr in raid10 reshape twice Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 037/129] mtd: docg3: Don't leak docg3->bbt in error path Ben Hutchings
                   ` (126 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Xin Long, Jon Maxwell, David Ahern,
	David S. Miller

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit ee60ad219f5c7c4fb2f047f88037770063ef785f upstream.

The race occurs in __mkroute_output() when 2 threads lookup a dst:

  CPU A                 CPU B
  find_exception()
                        find_exception() [fnhe expires]
                        ip_del_fnhe() [fnhe is deleted]
  rt_bind_exception()

In rt_bind_exception() it will bind a deleted fnhe with the new dst, and
this dst will get no chance to be freed. It causes a dev refcnt leak and
consecutive dmesg warnings:

  unregister_netdevice: waiting for ethX to become free. Usage count = 1

Special thanks to Jon for identifying the issue.

This patch fixes it by setting fnhe_daddr to 0 in ip_del_fnhe() to stop
binding the deleted fnhe with a new dst when checking fnhe's fnhe_daddr
and daddr in rt_bind_exception().

It works as both ip_del_fnhe() and rt_bind_exception() are protected by
fnhe_lock and the fnhe is freed by kfree_rcu().

Fixes: deed49df7390 ("route: check and remove route cache when we get route")
Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/route.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1279,6 +1279,10 @@ static void ip_del_fnhe(struct fib_nh *n
 		if (fnhe->fnhe_daddr == daddr) {
 			rcu_assign_pointer(*fnhe_p, rcu_dereference_protected(
 				fnhe->fnhe_next, lockdep_is_held(&fnhe_lock)));
+			/* set fnhe_daddr to 0 to ensure it won't bind with
+			 * new dsts in rt_bind_exception().
+			 */
+			fnhe->fnhe_daddr = 0;
 			fnhe_flush_routes(fnhe);
 			kfree_rcu(fnhe, rcu);
 			break;
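Review bot: the plain store `fnhe->fnhe_daddr = 0;` is safe only because, as the commit message says, both ip_del_fnhe() and rt_bind_exception() run under fnhe_lock; the added comment should say that, since any reader that compares fnhe_daddr without the lock gets no such guarantee. The change also makes 0 a reserved "deleted" marker for fnhe_daddr, which deserves a word in the comment too.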


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 008/129] clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init() Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 091/129] Btrfs: fix corruption reading shared and compressed extents after hole punching Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 033/129] pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names Ben Hutchings
                   ` (129 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Yangtao Li, Stephen Boyd

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit 1731e14fb30212dd8c1e9f8fc1af061e56498c55 upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Fixes: d55135689019 ("ARM: imx: add clock driver for imx6sx")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-imx/clk-imx6sx.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-imx/clk-imx6sx.c
+++ b/arch/arm/mach-imx/clk-imx6sx.c
@@ -143,6 +143,7 @@ static void __init imx6sx_clocks_init(st
 	np = of_find_compatible_node(NULL, NULL, "fsl,imx6sx-anatop");
 	base = of_iomap(np, 0);
 	WARN_ON(!base);
+	of_node_put(np);
 
 	/*                                              type               name             parent_name   base         div_mask */
 	clks[IMX6SX_CLK_PLL1_SYS]       = imx_clk_pllv3(IMX_PLLV3_SYS,     "pll1_sys",      "osc",        base,        0x7f);
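Review bot: `np` is passed to of_iomap() without a NULL check, and a failed mapping only triggers `WARN_ON(!base)` before `base` is handed to imx_clk_pllv3() on the following lines. The added of_node_put(np) sits correctly after the last use of np, but the function would be more robust if it bailed out when the node or the mapping is missing.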


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 089/129] regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 025/129] powerpc/irq: drop arch_early_irq_init() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 100/129] CIFS: Fix read after write for files with read caching Ben Hutchings
                   ` (87 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Axel Lin, Charles Keepax, Mark Brown

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Axel Lin <axel.lin@ingics.com>

commit c25d47888f0fb3d836d68322d4aea2caf31a75a6 upstream.

The wm831x_dcdc_ilim entries need to be in uA because they are used to compare
with min_uA and max_uA.
While at it also make the array const and change to use unsigned int.

Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/regulator/wm831x-dcdc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/regulator/wm831x-dcdc.c
+++ b/drivers/regulator/wm831x-dcdc.c
@@ -327,8 +327,8 @@ static int wm831x_buckv_get_voltage_sel(
 }
 
 /* Current limit options */
-static u16 wm831x_dcdc_ilim[] = {
-	125, 250, 375, 500, 625, 750, 875, 1000
+static const unsigned int wm831x_dcdc_ilim[] = {
+	125000, 250000, 375000, 500000, 625000, 750000, 875000, 1000000
 };
 
 static int wm831x_buckv_set_current_limit(struct regulator_dev *rdev,
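Review bot: the comment above the table still reads only "Current limit options" and does not name the unit, which is how mA values could sit unnoticed next to min_uA/max_uA comparisons. Suggest `/* Current limit options, in uA */`. The type change is also required and not cosmetic: 1000000 does not fit in the old u16.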


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 100/129] CIFS: Fix read after write for files with read caching
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 089/129] regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 019/129] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify Ben Hutchings
                   ` (86 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pavel Shilovsky, Ronnie Sahlberg,
	Pavel Shilovsky, Steve French

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <piastryyy@gmail.com>

commit 6dfbd84684700cb58b34e8602c01c12f3d2595c8 upstream.

When we have a READ lease for a file and have just issued a write
operation to the server we need to purge the cache and set oplock/lease
level to NONE to avoid reading stale data. Currently we do that
only if a write operation succeeded thus not covering cases when
a request was sent to the server but a negative error code was
returned later for some other reasons (e.g. -EIOCBQUEUED or -EINTR).
Fix this by turning off caching regardless of the error code being
returned.

The patch fixes generic tests 075 and 112 from the xfs-tests.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/file.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -2661,14 +2661,16 @@ cifs_strict_writev(struct kiocb *iocb, s
 	 * these pages but not on the region from pos to ppos+len-1.
 	 */
 	written = cifs_user_writev(iocb, from);
-	if (written > 0 && CIFS_CACHE_READ(cinode)) {
+	if (CIFS_CACHE_READ(cinode)) {
 		/*
-		 * Windows 7 server can delay breaking level2 oplock if a write
-		 * request comes - break it on the client to prevent reading
-		 * an old data.
+		 * We have read level caching and we have just sent a write
+		 * request to the server thus making data in the cache stale.
+		 * Zap the cache and set oplock/lease level to NONE to avoid
+		 * reading stale data from the cache. All subsequent read
+		 * operations will read new data from the server.
 		 */
 		cifs_zap_mapping(inode);
-		cifs_dbg(FYI, "Set no oplock for inode=%p after a write operation\n",
+		cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after write\n",
 			 inode);
 		cinode->oplock = 0;
 	}
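Review bot: with the `written > 0` test removed, the cache is zapped and the oplock dropped on every return from cifs_user_writev(), including errors raised before any request reached the server, while the new comment asserts that a write request was just sent. Either the comment should say the purge is deliberately unconditional, or the condition should exclude errors known to occur before submission; the cost of the current form is an unnecessary cache purge and loss of read caching on those paths.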


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 086/129] ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 023/129] selinux: avoid silent denials in permissive mode under RCU walk Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 064/129] iscsi_ibft: Fix missing break in switch statement Ben Hutchings
                   ` (93 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Takashi Sakamoto

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 7dc661bd8d3261053b69e4e2d0050cd1ee540fc1 upstream.

ALSA bebob driver has an entry for Focusrite Saffire Pro 10 I/O. The
entry matches vendor_id in root directory and model_id in unit
directory of configuration ROM for IEEE 1394 bus.

On the other hand, configuration ROM of Focusrite Liquid Saffire 56
has the same vendor_id and model_id. This device is an application of
TCAT Dice (TCD2220 a.k.a Dice Jr.) however ALSA bebob driver can be
bound to it randomly instead of ALSA dice driver. At present, drivers
in ALSA firewire stack can not handle this situation appropriately.

This commit uses more identical mod_alias for Focusrite Saffire Pro 10
I/O in ALSA bebob driver.

$ python2 crpp < /sys/bus/firewire/devices/fw1/config_rom
               ROM header and bus information block
               -----------------------------------------------------------------
400  042a829d  bus_info_length 4, crc_length 42, crc 33437
404  31333934  bus_name "1394"
408  f0649222  irmc 1, cmc 1, isc 1, bmc 1, pmc 0, cyc_clk_acc 100,
               max_rec 9 (1024), max_rom 2, gen 2, spd 2 (S400)
40c  00130e01  company_id 00130e     |
410  000606e0  device_id 01000606e0  | EUI-64 00130e01000606e0

               root directory
               -----------------------------------------------------------------
414  0009d31c  directory_length 9, crc 54044
418  04000014  hardware version
41c  0c0083c0  node capabilities per IEEE 1394
420  0300130e  vendor
424  81000012  --> descriptor leaf at 46c
428  17000006  model
42c  81000016  --> descriptor leaf at 484
430  130120c2  version
434  d1000002  --> unit directory at 43c
438  d4000006  --> dependent info directory at 450

               unit directory at 43c
               -----------------------------------------------------------------
43c  0004707c  directory_length 4, crc 28796
440  1200a02d  specifier id: 1394 TA
444  13010001  version: AV/C
448  17000006  model
44c  81000013  --> descriptor leaf at 498

               dependent info directory at 450
               -----------------------------------------------------------------
450  000637c7  directory_length 6, crc 14279
454  120007f5  specifier id
458  13000001  version
45c  3affffc7  (immediate value)
460  3b100000  (immediate value)
464  3cffffc7  (immediate value)
468  3d600000  (immediate value)

               descriptor leaf at 46c
               -----------------------------------------------------------------
46c  00056f3b  leaf_length 5, crc 28475
470  00000000  textual descriptor
474  00000000  minimal ASCII
478  466f6375  "Focu"
47c  73726974  "srit"
480  65000000  "e"

               descriptor leaf at 484
               -----------------------------------------------------------------
484  0004a165  leaf_length 4, crc 41317
488  00000000  textual descriptor
48c  00000000  minimal ASCII
490  50726f31  "Pro1"
494  30494f00  "0IO"

               descriptor leaf at 498
               -----------------------------------------------------------------
498  0004a165  leaf_length 4, crc 41317
49c  00000000  textual descriptor
4a0  00000000  minimal ASCII
4a4  50726f31  "Pro1"
4a8  30494f00  "0IO"

$ python2 crpp < /sys/bus/firewire/devices/fw1/config_rom
               ROM header and bus information block
               -----------------------------------------------------------------
400  040442e4  bus_info_length 4, crc_length 4, crc 17124
404  31333934  bus_name "1394"
408  e0ff8112  irmc 1, cmc 1, isc 1, bmc 0, pmc 0, cyc_clk_acc 255,
               max_rec 8 (512), max_rom 1, gen 1, spd 2 (S400)
40c  00130e04  company_id 00130e     |
410  018001e9  device_id 04018001e9  | EUI-64 00130e04018001e9

               root directory
               -----------------------------------------------------------------
414  00065612  directory_length 6, crc 22034
418  0300130e  vendor
41c  8100000a  --> descriptor leaf at 444
420  17000006  model
424  8100000e  --> descriptor leaf at 45c
428  0c0087c0  node capabilities per IEEE 1394
42c  d1000001  --> unit directory at 430

               unit directory at 430
               -----------------------------------------------------------------
430  000418a0  directory_length 4, crc 6304
434  1200130e  specifier id
438  13000001  version
43c  17000006  model
440  8100000f  --> descriptor leaf at 47c

               descriptor leaf at 444
               -----------------------------------------------------------------
444  00056f3b  leaf_length 5, crc 28475
448  00000000  textual descriptor
44c  00000000  minimal ASCII
450  466f6375  "Focu"
454  73726974  "srit"
458  65000000  "e"

               descriptor leaf at 45c
               -----------------------------------------------------------------
45c  000762c6  leaf_length 7, crc 25286
460  00000000  textual descriptor
464  00000000  minimal ASCII
468  4c495155  "LIQU"
46c  49445f53  "ID_S"
470  41464649  "AFFI"
474  52455f35  "RE_5"
478  36000000  "6"

               descriptor leaf at 47c
               -----------------------------------------------------------------
47c  000762c6  leaf_length 7, crc 25286
480  00000000  textual descriptor
484  00000000  minimal ASCII
488  4c495155  "LIQU"
48c  49445f53  "ID_S"
490  41464649  "AFFI"
494  52455f35  "RE_5"
498  36000000  "6"

Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/firewire/bebob/bebob.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -396,7 +396,19 @@ static const struct ieee1394_device_id b
 	/* Focusrite, SaffirePro 26 I/O */
 	SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x00000003, &saffirepro_26_spec),
 	/* Focusrite, SaffirePro 10 I/O */
-	SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x00000006, &saffirepro_10_spec),
+	{
+		// The combination of vendor_id and model_id is the same as the
+		// same as the one of Liquid Saffire 56.
+		.match_flags	= IEEE1394_MATCH_VENDOR_ID |
+				  IEEE1394_MATCH_MODEL_ID |
+				  IEEE1394_MATCH_SPECIFIER_ID |
+				  IEEE1394_MATCH_VERSION,
+		.vendor_id	= VEN_FOCUSRITE,
+		.model_id	= 0x000006,
+		.specifier_id	= 0x00a02d,
+		.version	= 0x010001,
+		.driver_data	= (kernel_ulong_t)&saffirepro_10_spec,
+	},
 	/* Focusrite, Saffire(no label and LE) */
 	SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, MODEL_FOCUSRITE_SAFFIRE_BOTH,
 			    &saffire_spec),
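Review bot: the new comment at the top of the SaffirePro 10 I/O entry repeats itself across its two lines ("is the same as the / same as the one of Liquid Saffire 56") and uses // where the neighbouring entries use /* ... */. Suggest a single block comment, for example "The combination of vendor_id and model_id is the same as that of Liquid Saffire 56". It should also say that specifier_id 0x00a02d and version 0x010001 are the values that tell the two units apart, since the two config ROM dumps in the message are the only place that currently explains those literals.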


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 096/129] net-sysfs: Fix mem leak in netdev_register_kobject
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 099/129] nfsd: fix memory corruption caused by readdir Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 082/129] clocksource/drivers/exynos_mct: Fix error path in timer resources initialization Ben Hutchings
                   ` (54 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hulk Robot, YueHaibing, David S. Miller

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab upstream.

syzkaller reports this:
BUG: memory leak
unreferenced object 0xffff88837a71a500 (size 256):
  comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s)
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff  ........ .......
  backtrace:
    [<00000000db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751
    [<00000000dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516
    [<00000000e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline]
    [<00000000e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883
    [<000000001b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<000000001b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690
    [<0000000079b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705
    [<00000000de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline]
    [<00000000de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline]
    [<00000000de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710
    [<000000007ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
    [<00000000db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [<00000000115be9bb>] 0xffffffffffffffff

It should call kset_unregister to free 'dev->queues_kset'
in the error path of register_queue_kobjects, otherwise it will cause a mem leak.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: net_device pointer is called "net", confusingly]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/net-sysfs.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1219,6 +1219,9 @@ static int register_queue_kobjects(struc
 error:
 	netdev_queue_update_kobjects(net, txq, 0);
 	net_rx_queue_update_kobjects(net, rxq, 0);
+#ifdef CONFIG_SYSFS
+	kset_unregister(net->queues_kset);
+#endif
 	return error;
 }
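Review bot: after kset_unregister(net->queues_kset) in the error path, net->queues_kset still holds the old pointer when the function returns, so any later code that looks at it sees a stale kset. Consider clearing it to NULL inside the same #ifdef CONFIG_SYSFS block. Please also confirm that every goto error is reached only after the kset has been created; the creation site is outside this hunk, so that cannot be checked from here.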
 


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 098/129] CIFS: Do not reset lease state to NONE on lease break
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 064/129] iscsi_ibft: Fix missing break in switch statement Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 047/129] rtc: ds1672: fix unintended sign extension Ben Hutchings
                   ` (91 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steve French, Pavel Shilovsky, Pavel Shilovsky

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <piastryyy@gmail.com>

commit 7b9b9edb49ad377b1e06abf14354c227e9ac4b06 upstream.

Currently on lease break the client sets a caching level twice:
when oplock is detected and when oplock is processed. While the
1st attempt sets the level to the value provided by the server,
the 2nd one resets the level to None unconditionally.
This happens because the oplock/lease processing code was changed
to avoid races between page cache flushes and oplock breaks.
The commit c11f1df5003d534 ("cifs: Wait for writebacks to complete
before attempting write.") fixed the races for oplocks but didn't
apply the same changes for leases resulting in overwriting the
server granted value to None. Fix this by properly processing
lease breaks.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: drop change in smb311_operations]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -420,7 +420,6 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
 	__u8 lease_state;
 	struct list_head *tmp;
 	struct cifsFileInfo *cfile;
-	struct TCP_Server_Info *server = tcon->ses->server;
 	struct cifs_pending_open *open;
 	struct cifsInodeInfo *cinode;
 	int ack_req = le32_to_cpu(rsp->Flags &
@@ -440,13 +439,25 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
 		cifs_dbg(FYI, "lease key match, lease break 0x%d\n",
 			 le32_to_cpu(rsp->NewLeaseState));
 
-		server->ops->set_oplock_level(cinode, lease_state, 0, NULL);
-
 		if (ack_req)
 			cfile->oplock_break_cancelled = false;
 		else
 			cfile->oplock_break_cancelled = true;
 
+		set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
+
+		/*
+		 * Set or clear flags depending on the lease state being READ.
+		 * HANDLE caching flag should be added when the client starts
+		 * to defer closing remote file handles with HANDLE leases.
+		 */
+		if (lease_state & SMB2_LEASE_READ_CACHING_HE)
+			set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+				&cinode->flags);
+		else
+			clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+				  &cinode->flags);
+
 		queue_work(cifsoplockd_wq, &cfile->oplock_break);
 		kfree(lw);
 		return true;
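Review bot: in the added block after the oplock_break_cancelled assignment, lease_state is reduced to a single bit (SMB2_LEASE_READ_CACHING_HE set or not), so every other bit the server sent in NewLeaseState is dropped before the work item runs. The comment explains why HANDLE is ignored for now but says nothing about the remaining bits; please add a sentence on why it is safe to discard them at this point. While touching this area, the neighbouring cifs_dbg() format "lease break 0x%d" prints a decimal value behind a hex prefix and could be corrected to 0x%x.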
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -962,6 +962,15 @@ smb2_downgrade_oplock(struct TCP_Server_
 }
 
 static void
+smb21_downgrade_oplock(struct TCP_Server_Info *server,
+		       struct cifsInodeInfo *cinode, bool set_level2)
+{
+	server->ops->set_oplock_level(cinode,
+				      set_level2 ? SMB2_LEASE_READ_CACHING_HE :
+				      0, 0, NULL);
+}
+
+static void
 smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
 		      unsigned int epoch, bool *purge_cache)
 {
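Review bot: smb21_downgrade_oplock() has no comment and its single call is hard to read, because the ternary is split so that the "0" of "set_level2 ? SMB2_LEASE_READ_CACHING_HE : 0" shares a line with the following "0, NULL" arguments. Suggest computing the level in a local variable first and passing it as one argument, and adding a line saying that this helper is the lease-aware downgrade. The smb21_ prefix also deserves a word, since a later hunk installs the same helper in smb30_operations.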
@@ -1253,7 +1262,7 @@ struct smb_version_operations smb21_oper
 	.print_stats = smb2_print_stats,
 	.is_oplock_break = smb2_is_valid_oplock_break,
 	.handle_cancelled_mid = smb2_handle_cancelled_mid,
-	.downgrade_oplock = smb2_downgrade_oplock,
+	.downgrade_oplock = smb21_downgrade_oplock,
 	.need_neg = smb2_need_neg,
 	.negotiate = smb2_negotiate,
 	.negotiate_wsize = smb2_negotiate_wsize,
@@ -1331,7 +1340,7 @@ struct smb_version_operations smb30_oper
 	.dump_share_caps = smb2_dump_share_caps,
 	.is_oplock_break = smb2_is_valid_oplock_break,
 	.handle_cancelled_mid = smb2_handle_cancelled_mid,
-	.downgrade_oplock = smb2_downgrade_oplock,
+	.downgrade_oplock = smb21_downgrade_oplock,
 	.need_neg = smb2_need_neg,
 	.negotiate = smb2_negotiate,
 	.negotiate_wsize = smb2_negotiate_wsize,


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 097/129] ip6mr: Do not call __IP6_INC_STATS() from preemptible context
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 054/129] bcache: never writeback a discard operation Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 067/129] serial: 8250_pci: Fix number of ports for ACCES serial cards Ben Hutchings
                   ` (7 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Ido Schimmel, Amit Cohen

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@mellanox.com>

commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf upstream.

Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from
improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot
assume preemption is disabled when incrementing the counter and
accessing a per-CPU variable.

Preemption can be enabled when we add a route in process context that
corresponds to packets stored in the unresolved queue, which are then
forwarded using this route [1].

Fix this by using IP6_INC_STATS() which takes care of disabling
preemption on architectures where it is needed.

[1]
[  157.451447] BUG: using __this_cpu_add() in preemptible [00000000] code: smcrouted/2314
[  157.460409] caller is ip6mr_forward2+0x73e/0x10e0
[  157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336
[  157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
[  157.460461] Call Trace:
[  157.460486]  dump_stack+0xf9/0x1be
[  157.460553]  check_preemption_disabled+0x1d6/0x200
[  157.460576]  ip6mr_forward2+0x73e/0x10e0
[  157.460705]  ip6_mr_forward+0x9a0/0x1510
[  157.460771]  ip6mr_mfc_add+0x16b3/0x1e00
[  157.461155]  ip6_mroute_setsockopt+0x3cb/0x13c0
[  157.461384]  do_ipv6_setsockopt.isra.8+0x348/0x4060
[  157.462013]  ipv6_setsockopt+0x90/0x110
[  157.462036]  rawv6_setsockopt+0x4a/0x120
[  157.462058]  __sys_setsockopt+0x16b/0x340
[  157.462198]  __x64_sys_setsockopt+0xbf/0x160
[  157.462220]  do_syscall_64+0x14d/0x610
[  157.462349]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Amit Cohen <amitc@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ip6mr.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1984,10 +1984,10 @@ int ip6mr_compat_ioctl(struct sock *sk,
 
 static inline int ip6mr_forward2_finish(struct sk_buff *skb)
 {
-	IP6_INC_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
-			 IPSTATS_MIB_OUTFORWDATAGRAMS);
-	IP6_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
-			 IPSTATS_MIB_OUTOCTETS, skb->len);
+	IP6_INC_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+		      IPSTATS_MIB_OUTFORWDATAGRAMS);
+	IP6_ADD_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+		      IPSTATS_MIB_OUTOCTETS, skb->len);
 	return dst_output(skb);
 }
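Review bot: the subject and message speak of __IP6_INC_STATS(), but the lines removed from ip6mr_forward2_finish() are IP6_INC_STATS_BH() and IP6_ADD_STATS_BH(), and the backport note only says "adjust context". Suggest naming the 3.16 macro names in the [bwh: ...] line so that someone auditing the backport against the upstream commit can see the mapping without opening both trees.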
 


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 091/129] Btrfs: fix corruption reading shared and compressed extents after hole punching
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 008/129] clk: imx6sx: fix refcount leak in imx6sx_clocks_init() Ben Hutchings
                   ` (130 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Zygo Blaxell, Filipe Manana

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 8e928218780e2f1cf2f5891c7575e8f0b284fcce upstream.

In the past we had data corruption when reading compressed extents that
are shared within the same file and they are consecutive, this got fixed
by commit 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and
shared extents") and by commit 808f80b46790f ("Btrfs: update fix for read
corruption of compressed and shared extents"). However there was a case
that was missing in those fixes, which is when the shared and compressed
extents are referenced with a non-zero offset. The following shell script
creates a reproducer for this issue:

  #!/bin/bash

  mkfs.btrfs -f /dev/sdc &> /dev/null
  mount -o compress /dev/sdc /mnt/sdc

  # Create a file with 3 consecutive compressed extents, each has an
  # uncompressed size of 128Kb and a compressed size of 4Kb.
  for ((i = 1; i <= 3; i++)); do
      head -c 4096 /dev/zero
      for ((j = 1; j <= 31; j++)); do
          head -c 4096 /dev/zero | tr '\0' "\377"
      done
  done > /mnt/sdc/foobar
  sync

  echo "Digest after file creation:   $(md5sum /mnt/sdc/foobar)"

  # Clone the first extent into offsets 128K and 256K.
  xfs_io -c "reflink /mnt/sdc/foobar 0 128K 128K" /mnt/sdc/foobar
  xfs_io -c "reflink /mnt/sdc/foobar 0 256K 128K" /mnt/sdc/foobar
  sync

  echo "Digest after cloning:         $(md5sum /mnt/sdc/foobar)"

  # Punch holes into the regions that are already full of zeroes.
  xfs_io -c "fpunch 0 4K" /mnt/sdc/foobar
  xfs_io -c "fpunch 128K 4K" /mnt/sdc/foobar
  xfs_io -c "fpunch 256K 4K" /mnt/sdc/foobar
  sync

  echo "Digest after hole punching:   $(md5sum /mnt/sdc/foobar)"

  echo "Dropping page cache..."
  sysctl -q vm.drop_caches=1
  echo "Digest after hole punching:   $(md5sum /mnt/sdc/foobar)"

  umount /dev/sdc

When running the script we get the following output:

  Digest after file creation:   5a0888d80d7ab1fd31c229f83a3bbcc8  /mnt/sdc/foobar
  linked 131072/131072 bytes at offset 131072
  128 KiB, 1 ops; 0.0033 sec (36.960 MiB/sec and 295.6830 ops/sec)
  linked 131072/131072 bytes at offset 262144
  128 KiB, 1 ops; 0.0015 sec (78.567 MiB/sec and 628.5355 ops/sec)
  Digest after cloning:         5a0888d80d7ab1fd31c229f83a3bbcc8  /mnt/sdc/foobar
  Digest after hole punching:   5a0888d80d7ab1fd31c229f83a3bbcc8  /mnt/sdc/foobar
  Dropping page cache...
  Digest after hole punching:   fba694ae8664ed0c2e9ff8937e7f1484  /mnt/sdc/foobar

This happens because after reading all the pages of the extent in the
range from 128K to 256K for example, we read the hole at offset 256K
and then when reading the page at offset 260K we don't submit the
existing bio, which is responsible for filling all the page in the
range 128K to 256K only, therefore adding the pages from range 260K
to 384K to the existing bio and submitting it after iterating over the
entire range. Once the bio completes, the uncompressed data fills only
the pages in the range 128K to 256K because there's no more data read
from disk, leaving the pages in the range 260K to 384K unfilled. It is
just a slightly different variant of what was solved by commit
005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared
extents").

Fix this by forcing a bio submit, during readpages(), whenever we find a
compressed extent map for a page that is different from the extent map
for the previous page or has a different starting offset (in case it's
the same compressed extent), instead of the extent map's original start
offset.

A test case for fstests follows soon.

Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Fixes: 808f80b46790f ("Btrfs: update fix for read corruption of compressed and shared extents")
Fixes: 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared extents")
Tested-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/extent_io.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -2936,11 +2936,11 @@ static int __do_readpage(struct extent_i
 		 */
 		if (test_bit(EXTENT_FLAG_COMPRESSED, &em->flags) &&
 		    prev_em_start && *prev_em_start != (u64)-1 &&
-		    *prev_em_start != em->orig_start)
+		    *prev_em_start != em->start)
 			force_bio_submit = true;
 
 		if (prev_em_start)
-			*prev_em_start = em->orig_start;
+			*prev_em_start = em->start;
 
 		free_extent_map(em);
 		em = NULL;
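Review bot: the switch from em->orig_start to em->start, in both the comparison and the store to *prev_em_start, carries no in-code explanation. The block comment that closes just above the condition is outside this hunk, so please check that it still describes what is being compared, and add a sentence there on why the extent map's current start is used rather than its original start (the non-zero offset case described in the message).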


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 094/129] 9p: use inode->i_lock to protect i_size_write() under 32-bit
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 017/129] staging: iio: adt7316: fix the dac write calculation Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 013/129] clk: dove: fix refcount leak in dove_clk_init() Ben Hutchings
                   ` (97 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dominique Martinet, Hou Tao, Xing Gaopeng

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hou Tao <houtao1@huawei.com>

commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.

Use inode->i_lock to protect i_size_write(), else i_size_read() in
generic_fillattr() may loop infinitely in read_seqcount_begin() when
multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
simultaneously under 32-bit SMP environment, and a soft lockup will be
triggered as shown below:

  watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
  Modules linked in:
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  PC is at generic_fillattr+0x104/0x108
  LR is at 0xec497f00
  pc : [<802b8898>]    lr : [<ec497f00>]    psr: 200c0013
  sp : ec497e20  ip : ed608030  fp : ec497e3c
  r10: 00000000  r9 : ec497f00  r8 : ed608030
  r7 : ec497ebc  r6 : ec497f00  r5 : ee5c1550  r4 : ee005780
  r3 : 0000052d  r2 : 00000000  r1 : ec497f00  r0 : ed608030
  Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: ac48006a  DAC: 00000051
  CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
  Hardware name: Generic DT based system
  Backtrace:
  [<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24)
  [<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc)
  [<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20)
  [<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8)
  [<801d0800>] (watchdog_timer_fn) from [<80198658>] (__hrtimer_run_queues+0x18c/0x380)
  [<801984cc>] (__hrtimer_run_queues) from [<80198e60>] (hrtimer_run_queues+0xb8/0xf0)
  [<80198da8>] (hrtimer_run_queues) from [<801973e8>] (run_local_timers+0x28/0x64)
  [<801973c0>] (run_local_timers) from [<80197460>] (update_process_times+0x3c/0x6c)
  [<80197424>] (update_process_times) from [<801ab2b8>] (tick_nohz_handler+0xe0/0x1bc)
  [<801ab1d8>] (tick_nohz_handler) from [<80843050>] (arch_timer_handler_virt+0x38/0x48)
  [<80843018>] (arch_timer_handler_virt) from [<80180a64>] (handle_percpu_devid_irq+0x8c/0x240)
  [<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>] (generic_handle_irq+0x34/0x44)
  [<8017abec>] (generic_handle_irq) from [<8017b344>] (__handle_domain_irq+0x6c/0xc4)
  [<8017b2d8>] (__handle_domain_irq) from [<801022e0>] (gic_handle_irq+0x4c/0x88)
  [<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98)
  [<802b8794>] (generic_fillattr) from [<8056b284>] (v9fs_vfs_getattr_dotl+0x74/0xa4)
  [<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>] (vfs_getattr_nosec+0x68/0x7c)
  [<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48)
  [<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec)
  [<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78)
  [<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28)

[dominique.martinet@cea.fr: updated comment to not refer to a function
in another subsystem]
Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com
Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode->i_size directly.")
Reported-by: Xing Gaopeng <xingaopeng@huawei.com>
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/9p/v9fs_vfs.h       | 23 +++++++++++++++++++++--
 fs/9p/vfs_file.c       |  6 +++++-
 fs/9p/vfs_inode.c      | 23 +++++++++++------------
 fs/9p/vfs_inode_dotl.c | 27 ++++++++++++++-------------
 fs/9p/vfs_super.c      |  4 ++--
 5 files changed, 53 insertions(+), 30 deletions(-)

--- a/fs/9p/v9fs_vfs.h
+++ b/fs/9p/v9fs_vfs.h
@@ -40,6 +40,9 @@
  */
 #define P9_LOCK_TIMEOUT (30*HZ)
 
+/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */
+#define V9FS_STAT2INODE_KEEP_ISIZE 1
+
 extern struct file_system_type v9fs_fs_type;
 extern const struct address_space_operations v9fs_addr_operations;
 extern const struct file_operations v9fs_file_operations;
@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_
 		    struct inode *inode, umode_t mode, dev_t);
 void v9fs_evict_inode(struct inode *inode);
 ino_t v9fs_qid2ino(struct p9_qid *qid);
-void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *);
-void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *);
+void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
+		      struct super_block *sb, unsigned int flags);
+void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
+			   unsigned int flags);
 int v9fs_dir_release(struct inode *inode, struct file *filp);
 int v9fs_file_open(struct inode *inode, struct file *file);
 void v9fs_inode2stat(struct inode *inode, struct p9_wstat *stat);
@@ -87,4 +92,18 @@ static inline void v9fs_invalidate_inode
 }
 
 int v9fs_open_to_dotl_flags(int flags);
+
+static inline void v9fs_i_size_write(struct inode *inode, loff_t i_size)
+{
+	/*
+	 * 32-bit need the lock, concurrent updates could break the
+	 * sequences and make i_size_read() loop forever.
+	 * 64-bit updates are atomic and can skip the locking.
+	 */
+	if (sizeof(i_size) > sizeof(long))
+		spin_lock(&inode->i_lock);
+	i_size_write(inode, i_size);
+	if (sizeof(i_size) > sizeof(long))
+		spin_unlock(&inode->i_lock);
+}
 #endif
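Review bot: v9fs_i_size_write() takes inode->i_lock itself on 32-bit, so it must never be called with i_lock already held, and the comment does not say so. Please add that constraint to the comment, since a caller that already holds the lock would deadlock only on 32-bit builds and pass unnoticed on 64-bit ones. The duplicated "sizeof(i_size) > sizeof(long)" test would also read better as a single local bool, and "32-bit need the lock" should be "32-bit needs the lock".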
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -484,7 +484,11 @@ v9fs_file_write_internal(struct inode *i
 		i_size = i_size_read(inode);
 		if (*offset > i_size) {
 			inode_add_bytes(inode, *offset - i_size);
-			i_size_write(inode, *offset);
+			/*
+			 * Need to serialize against i_size_write() in
+			 * v9fs_stat2inode()
+			 */
+			v9fs_i_size_write(inode, *offset);
 		}
 	}
 	if (n < 0)
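Review bot: in v9fs_file_write_internal() only the store is serialized; the i_size_read() and the "*offset > i_size" comparison above it still run outside the lock. The new comment says the write must serialize against i_size_write() in v9fs_stat2inode(), so please state whether the unlocked check-then-write is acceptable here, or move the comparison under the same lock.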
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -538,7 +538,7 @@ static struct inode *v9fs_qid_iget(struc
 	if (retval)
 		goto error;
 
-	v9fs_stat2inode(st, inode, sb);
+	v9fs_stat2inode(st, inode, sb, 0);
 	v9fs_cache_inode_get_cookie(inode);
 	unlock_new_inode(inode);
 	return inode;
@@ -1074,7 +1074,7 @@ v9fs_vfs_getattr(struct vfsmount *mnt, s
 	if (IS_ERR(st))
 		return PTR_ERR(st);
 
-	v9fs_stat2inode(st, dentry->d_inode, dentry->d_inode->i_sb);
+	v9fs_stat2inode(st, dentry->d_inode, dentry->d_inode->i_sb, 0);
 	generic_fillattr(dentry->d_inode, stat);
 
 	p9stat_free(st);
@@ -1152,12 +1152,13 @@ static int v9fs_vfs_setattr(struct dentr
  * @stat: Plan 9 metadata (mistat) structure
  * @inode: inode to populate
  * @sb: superblock of filesystem
+ * @flags: control flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE)
  *
  */
 
 void
 v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
-	struct super_block *sb)
+		 struct super_block *sb, unsigned int flags)
 {
 	umode_t mode;
 	char ext[32];
@@ -1198,10 +1199,11 @@ v9fs_stat2inode(struct p9_wstat *stat, s
 	mode = p9mode2perm(v9ses, stat);
 	mode |= inode->i_mode & ~S_IALLUGO;
 	inode->i_mode = mode;
-	i_size_write(inode, stat->length);
 
+	if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE))
+		v9fs_i_size_write(inode, stat->length);
 	/* not real number of blocks, but 512 byte ones ... */
-	inode->i_blocks = (i_size_read(inode) + 512 - 1) >> 9;
+	inode->i_blocks = (stat->length + 512 - 1) >> 9;
 	v9inode->cache_validity &= ~V9FS_INO_INVALID_ATTR;
 }
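Review bot: i_blocks is now derived from stat->length even when V9FS_STAT2INODE_KEEP_ISIZE leaves i_size untouched, so the two fields can describe different lengths after a refresh. If that is intended, a short comment next to the i_blocks assignment would help. The hunk also leaves the "not real number of blocks" comment directly under the new if statement with no blank line between them, which makes it read as if it belonged to the size update.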
 
@@ -1465,9 +1467,9 @@ int v9fs_refresh_inode(struct p9_fid *fi
 {
 	int umode;
 	dev_t rdev;
-	loff_t i_size;
 	struct p9_wstat *st;
 	struct v9fs_session_info *v9ses;
+	unsigned int flags;
 
 	v9ses = v9fs_inode2v9ses(inode);
 	st = p9_client_stat(fid);
@@ -1480,16 +1482,13 @@ int v9fs_refresh_inode(struct p9_fid *fi
 	if ((inode->i_mode & S_IFMT) != (umode & S_IFMT))
 		goto out;
 
-	spin_lock(&inode->i_lock);
 	/*
 	 * We don't want to refresh inode->i_size,
 	 * because we may have cached data
 	 */
-	i_size = inode->i_size;
-	v9fs_stat2inode(st, inode, inode->i_sb);
-	if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE)
-		inode->i_size = i_size;
-	spin_unlock(&inode->i_lock);
+	flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ?
+		V9FS_STAT2INODE_KEEP_ISIZE : 0;
+	v9fs_stat2inode(st, inode, inode->i_sb, flags);
 out:
 	p9stat_free(st);
 	kfree(st);
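Review bot: removing spin_lock(&inode->i_lock) and spin_unlock() here means the whole v9fs_stat2inode() update in v9fs_refresh_inode() no longer runs under i_lock; after this change only the i_size store is locked, and only on 32-bit. Please say in the commit message or in a comment whether the other fields written by v9fs_stat2inode() relied on that lock, or whether it was there for i_size alone.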
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -143,7 +143,7 @@ static struct inode *v9fs_qid_iget_dotl(
 	if (retval)
 		goto error;
 
-	v9fs_stat2inode_dotl(st, inode);
+	v9fs_stat2inode_dotl(st, inode, 0);
 	v9fs_cache_inode_get_cookie(inode);
 	retval = v9fs_get_acl(inode, fid);
 	if (retval)
@@ -498,7 +498,7 @@ v9fs_vfs_getattr_dotl(struct vfsmount *m
 	if (IS_ERR(st))
 		return PTR_ERR(st);
 
-	v9fs_stat2inode_dotl(st, dentry->d_inode);
+	v9fs_stat2inode_dotl(st, dentry->d_inode, 0);
 	generic_fillattr(dentry->d_inode, stat);
 	/* Change block size to what the server returned */
 	stat->blksize = st->st_blksize;
@@ -609,11 +609,13 @@ int v9fs_vfs_setattr_dotl(struct dentry
  * v9fs_stat2inode_dotl - populate an inode structure with stat info
  * @stat: stat structure
  * @inode: inode to populate
+ * @flags: ctrl flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE)
  *
  */
 
 void
-v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode)
+v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
+		      unsigned int flags)
 {
 	umode_t mode;
 	struct v9fs_inode *v9inode = V9FS_I(inode);
@@ -633,7 +635,8 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl
 		mode |= inode->i_mode & ~S_IALLUGO;
 		inode->i_mode = mode;
 
-		i_size_write(inode, stat->st_size);
+		if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE))
+			v9fs_i_size_write(inode, stat->st_size);
 		inode->i_blocks = stat->st_blocks;
 	} else {
 		if (stat->st_result_mask & P9_STATS_ATIME) {
@@ -663,8 +666,9 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl
 		}
 		if (stat->st_result_mask & P9_STATS_RDEV)
 			inode->i_rdev = new_decode_dev(stat->st_rdev);
-		if (stat->st_result_mask & P9_STATS_SIZE)
-			i_size_write(inode, stat->st_size);
+		if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) &&
+		    stat->st_result_mask & P9_STATS_SIZE)
+			v9fs_i_size_write(inode, stat->st_size);
 		if (stat->st_result_mask & P9_STATS_BLOCKS)
 			inode->i_blocks = stat->st_blocks;
 	}
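Review bot: the new condition "!(flags & V9FS_STAT2INODE_KEEP_ISIZE) && stat->st_result_mask & P9_STATS_SIZE" mixes && with an unparenthesized &. It evaluates as intended, but wrapping the second operand in parentheses would match the first and avoid compiler warnings about operator precedence. The kernel-doc line added for this function also says "ctrl flags" where the non-dotl variant says "control flags"; pick one wording.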
@@ -946,9 +950,9 @@ ndset:
 
 int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode)
 {
-	loff_t i_size;
 	struct p9_stat_dotl *st;
 	struct v9fs_session_info *v9ses;
+	unsigned int flags;
 
 	v9ses = v9fs_inode2v9ses(inode);
 	st = p9_client_getattr_dotl(fid, P9_STATS_ALL);
@@ -960,16 +964,13 @@ int v9fs_refresh_inode_dotl(struct p9_fi
 	if ((inode->i_mode & S_IFMT) != (st->st_mode & S_IFMT))
 		goto out;
 
-	spin_lock(&inode->i_lock);
 	/*
 	 * We don't want to refresh inode->i_size,
 	 * because we may have cached data
 	 */
-	i_size = inode->i_size;
-	v9fs_stat2inode_dotl(st, inode);
-	if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE)
-		inode->i_size = i_size;
-	spin_unlock(&inode->i_lock);
+	flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ?
+		V9FS_STAT2INODE_KEEP_ISIZE : 0;
+	v9fs_stat2inode_dotl(st, inode, flags);
 out:
 	kfree(st);
 	return 0;
--- a/fs/9p/vfs_super.c
+++ b/fs/9p/vfs_super.c
@@ -169,7 +169,7 @@ static struct dentry *v9fs_mount(struct
 			goto release_sb;
 		}
 		root->d_inode->i_ino = v9fs_qid2ino(&st->qid);
-		v9fs_stat2inode_dotl(st, root->d_inode);
+		v9fs_stat2inode_dotl(st, root->d_inode, 0);
 		kfree(st);
 	} else {
 		struct p9_wstat *st = NULL;
@@ -180,7 +180,7 @@ static struct dentry *v9fs_mount(struct
 		}
 
 		root->d_inode->i_ino = v9fs_qid2ino(&st->qid);
-		v9fs_stat2inode(st, root->d_inode, sb);
+		v9fs_stat2inode(st, root->d_inode, sb, 0);
 
 		p9stat_free(st);
 		kfree(st);


^ permalink raw reply	[flat|nested] 138+ messages in thread
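The 9p message above describes i_size_read() spinning forever on 32-bit SMP when i_size_write() callers are not serialized. The following is an added userspace model of that failure, not part of the patch or of the kernel: it replays one fixed interleaving of two writers whose sequence-counter increments are plain load/store pairs, with and without a lock standing in for inode->i_lock. All names (model_inode, writer_step, the schedule strings) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { STEPS = 5, NO_OWNER = -1 };

struct model_inode {
	unsigned int sequence;		/* stands in for i_size_seqcount */
	uint32_t size_lo, size_hi;	/* 64-bit size held as two 32-bit words */
	int lock_owner;			/* stands in for inode->i_lock */
};

struct writer {
	int step;			/* next micro-step to execute */
	unsigned int tmp;		/* register copy of the sequence */
	uint64_t new_size;
};

/* Execute one micro-step of the modelled i_size_write() for writer 'id'. */
static void writer_step(struct model_inode *ino, struct writer *w, int id,
			bool use_lock)
{
	if (w->step >= STEPS)
		return;
	if (use_lock && w->step == 0) {
		if (ino->lock_owner != NO_OWNER)
			return;		/* lock busy: this turn is a spin */
		ino->lock_owner = id;
	}
	switch (w->step) {
	case 0: w->tmp = ino->sequence; break;		/* begin: load  */
	case 1: ino->sequence = w->tmp + 1; break;	/* begin: store */
	case 2:
		ino->size_lo = (uint32_t)w->new_size;
		ino->size_hi = (uint32_t)(w->new_size >> 32);
		break;
	case 3: w->tmp = ino->sequence; break;		/* end: load  */
	case 4:
		ino->sequence = w->tmp + 1;		/* end: store */
		if (use_lock)
			ino->lock_owner = NO_OWNER;
		break;
	}
	w->step++;
}

/* Replay 'schedule' ('A'/'B' picks the writer), then let both finish. */
static struct model_inode run_schedule(const char *schedule, bool use_lock)
{
	struct model_inode ino = { .lock_owner = NO_OWNER };
	struct writer w[2] = {
		{ .new_size = 0x100000000ULL },	/* constructed sample sizes */
		{ .new_size = 0x2000ULL },
	};

	for (const char *p = schedule; *p; p++) {
		int id = (*p == 'B');
		writer_step(&ino, &w[id], id, use_lock);
	}
	while (w[0].step < STEPS || w[1].step < STEPS) {
		writer_step(&ino, &w[0], 0, use_lock);
		writer_step(&ino, &w[1], 1, use_lock);
	}
	return ino;
}

/* Modelled i_size_read(): an odd sequence means "writer active", retry. */
static bool model_i_size_read(const struct model_inode *ino,
			      unsigned int max_spins, uint64_t *out)
{
	for (unsigned int i = 0; i < max_spins; i++) {
		unsigned int seq = ino->sequence;

		if (seq & 1)
			continue;
		*out = ((uint64_t)ino->size_hi << 32) | ino->size_lo;
		if (ino->sequence == seq)
			return true;
	}
	return false;	/* no writer is running, so this would spin forever */
}

unsigned int final_sequence(const char *schedule, bool use_lock)
{
	return run_schedule(schedule, use_lock).sequence;
}

bool reader_terminates(const char *schedule, bool use_lock)
{
	struct model_inode ino = run_schedule(schedule, use_lock);
	uint64_t size;

	return model_i_size_read(&ino, 1000, &size);
}

int main(void)
{
	const char *racy = "ABABAAABBB";	/* both writers load before either stores */

	printf("unlocked: sequence=%u reader_terminates=%d\n",
	       final_sequence(racy, false), reader_terminates(racy, false));
	printf("locked:   sequence=%u reader_terminates=%d\n",
	       final_sequence(racy, true), reader_terminates(racy, true));
	return 0;
}
```

With the lock, the second writer's turns are spent spinning until the first has finished, so the counter returns to an even value and the reader gets a snapshot.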

* [PATCH 3.16 093/129] NFSv4.1: Reinitialise sequence results before retransmitting a request
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 119/129] l2tp: fix infoleak in l2tp_ip6_recvmsg() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 065/129] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Ben Hutchings
                   ` (111 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Trond Myklebust

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit c1dffe0bf7f9c3d57d9f237a7cb2a81e62babd2b upstream.

If we have to retransmit a request, we should ensure that we reinitialise
the sequence results structure, since in the event of a signal
we need to treat the request as if it had not been sent.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/nfs4proc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -694,6 +694,13 @@ static int nfs4_sequence_done(struct rpc
 	return nfs41_sequence_done(task, res);
 }
 
+static void nfs41_sequence_res_init(struct nfs4_sequence_res *res)
+{
+	res->sr_timestamp = jiffies;
+	res->sr_status_flags = 0;
+	res->sr_status = 1;
+}
+
 int nfs41_setup_sequence(struct nfs4_session *session,
 				struct nfs4_sequence_args *args,
 				struct nfs4_sequence_res *res,
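Review bot: nfs41_sequence_res_init() sets `res->sr_status = 1` with no
explanation. The comment that documented this sentinel at the old
location ("sr_status is only set in decode_sequence, and so will remain
set to 1 if an rpc level failure occurs") should move into the helper
rather than be deleted.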
@@ -735,15 +742,9 @@ int nfs41_setup_sequence(struct nfs4_ses
 			slot->slot_nr, slot->seq_nr);
 
 	res->sr_slot = slot;
-	res->sr_timestamp = jiffies;
-	res->sr_status_flags = 0;
-	/*
-	 * sr_status is only set in decode_sequence, and so will remain
-	 * set to 1 if an rpc level failure occurs.
-	 */
-	res->sr_status = 1;
 	trace_nfs4_setup_sequence(session, args);
 out_success:
+	nfs41_sequence_res_init(res);
 	rpc_call_start(task);
 	return 0;
 out_sleep:
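Review bot: the call to nfs41_sequence_res_init() is placed after the
`out_success:` label, not where the three assignments were removed, so it
now also runs for every path that jumps to out_success without passing
through the `res->sr_slot = slot` assignment. That appears to be what the
commit message asks for, but a short comment at the label saying the
results are reset on every (re)start would stop the call being moved back
above the label later.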



* [PATCH 3.16 102/129] mm: fix potential data race in SyS_swapon
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 069/129] leds: lp55xx: fix null deref on firmware load failure Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 124/129] binder: Replace "%p" with "%pK" for stable Ben Hutchings
                   ` (19 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andrey Konovalov, Hugh Dickins, Al Viro

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hugh Dickins <hughd@google.com>

commit 6f179af88f60b32c2855e7f3e16ea8e336a7043f upstream.

While running KernelThreadSanitizer (ktsan) on upstream kernel with
trinity, we got a few reports from SyS_swapon, here is one of them:

Read of size 8 by thread T307 (K7621):
 [<     inlined    >] SyS_swapon+0x3c0/0x1850 SYSC_swapon mm/swapfile.c:2395
 [<ffffffff812242c0>] SyS_swapon+0x3c0/0x1850 mm/swapfile.c:2345
 [<ffffffff81e97c8a>] ia32_do_call+0x1b/0x25

Looks like the swap_lock should be taken when iterating through the
swap_info array on lines 2392 - 2401: q->swap_file may be reset to
NULL by another thread before it is dereferenced for f_mapping.

But why is that iteration needed at all?  Doesn't the claim_swapfile()
which follows do all that is needed to check for a duplicate entry -
FMODE_EXCL on a bdev, testing IS_SWAPFILE under i_mutex on a regfile?

Well, not quite: bd_may_claim() allows the same "holder" to claim the
bdev again, so we do need to use a different holder than "sys_swapon";
and we should not replace appropriate -EBUSY by inappropriate -EINVAL.

Index i was reused in a cpu loop further down: renamed cpu there.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/swapfile.c | 25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2144,11 +2144,10 @@ static int claim_swapfile(struct swap_in
 	if (S_ISBLK(inode->i_mode)) {
 		p->bdev = bdgrab(I_BDEV(inode));
 		error = blkdev_get(p->bdev,
-				   FMODE_READ | FMODE_WRITE | FMODE_EXCL,
-				   sys_swapon);
+				   FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
 		if (error < 0) {
 			p->bdev = NULL;
-			return -EINVAL;
+			return error;
 		}
 		p->old_block_size = block_size(p->bdev);
 		error = set_blocksize(p->bdev, PAGE_SIZE);
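Review bot: the holder passed to blkdev_get() changes from `sys_swapon`
to `p`, and the reason (the same holder may claim a bdev twice) lives
only in the commit message. Please add a comment at the call, and check
that the matching release path drops the exclusive claim made with the
new holder. Returning `error` instead of -EINVAL looks right.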
@@ -2365,7 +2364,6 @@ SYSCALL_DEFINE2(swapon, const char __use
 	struct filename *name;
 	struct file *swap_file = NULL;
 	struct address_space *mapping;
-	int i;
 	int prio;
 	int error;
 	union swap_header *swap_header;
@@ -2405,19 +2403,8 @@ SYSCALL_DEFINE2(swapon, const char __use
 
 	p->swap_file = swap_file;
 	mapping = swap_file->f_mapping;
-
-	for (i = 0; i < nr_swapfiles; i++) {
-		struct swap_info_struct *q = swap_info[i];
-
-		if (q == p || !q->swap_file)
-			continue;
-		if (mapping == q->swap_file->f_mapping) {
-			error = -EBUSY;
-			goto bad_swap;
-		}
-	}
-
 	inode = mapping->host;
+
 	/* If S_ISREG(inode->i_mode) will do mutex_lock(&inode->i_mutex); */
 	error = claim_swapfile(p, inode);
 	if (unlikely(error))
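Review bot: with the swap_info[] loop removed, duplicate detection rests
entirely on claim_swapfile(), yet the surviving comment above the call
only mentions the i_mutex side effect. Extend that comment to say that
claim_swapfile() is what now rejects an already active swap file or
device. The blank line moved from before to after
`inode = mapping->host;` is unrelated whitespace churn.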
@@ -2450,6 +2437,8 @@ SYSCALL_DEFINE2(swapon, const char __use
 		goto bad_swap;
 	}
 	if (p->bdev && blk_queue_nonrot(bdev_get_queue(p->bdev))) {
+		int cpu;
+
 		p->flags |= SWP_SOLIDSTATE;
 		/*
 		 * select a random position to start with to help wear leveling
@@ -2468,9 +2457,9 @@ SYSCALL_DEFINE2(swapon, const char __use
 			error = -ENOMEM;
 			goto bad_swap;
 		}
-		for_each_possible_cpu(i) {
+		for_each_possible_cpu(cpu) {
 			struct percpu_cluster *cluster;
-			cluster = per_cpu_ptr(p->percpu_cluster, i);
+			cluster = per_cpu_ptr(p->percpu_cluster, cpu);
 			cluster_set_null(&cluster->index);
 		}
 	}



* [PATCH 3.16 084/129] btrfs: init csum_list before possible free
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 120/129] pptp: dst_release sk_dst_cache in pptp_sock_destruct Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 046/129] scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock Ben Hutchings
                   ` (14 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nikolay Borisov, David Sterba, Dan Robertson

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Robertson <dan@dlrobertson.com>

commit e49be14b8d80e23bb7c53d78c21717a474ade76b upstream.

The scrub_ctx csum_list member must be initialized before scrub_free_ctx
is called. If the csum_list is not initialized beforehand, the
list_empty call in scrub_free_csums will result in a null deref if the
allocation fails in the for loop.

Fixes: a2de733c78fa ("btrfs: scrub")
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Dan Robertson <dan@dlrobertson.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/scrub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -417,6 +417,7 @@ struct scrub_ctx *scrub_setup_ctx(struct
 	sctx->pages_per_rd_bio = pages_per_rd_bio;
 	sctx->curr = -1;
 	sctx->dev_root = dev->dev_root;
+	INIT_LIST_HEAD(&sctx->csum_list);
 	for (i = 0; i < SCRUB_BIOS_PER_SCTX; ++i) {
 		struct scrub_bio *sbio;
 
@@ -444,7 +445,6 @@ struct scrub_ctx *scrub_setup_ctx(struct
 	atomic_set(&sctx->workers_pending, 0);
 	atomic_set(&sctx->cancel_req, 0);
 	sctx->csum_size = btrfs_super_csum_size(fs_info->super_copy);
-	INIT_LIST_HEAD(&sctx->csum_list);
 
 	spin_lock_init(&sctx->list_lock);
 	spin_lock_init(&sctx->stat_lock);
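Review bot: the INIT_LIST_HEAD(&sctx->csum_list) removed here was moved
above the allocation loop, but nothing at the new position says why the
order matters. A one-line comment there (csum_list must be valid before
any failure path can reach scrub_free_ctx) would protect it from being
moved back. It is also worth confirming that the members still set up
after the loop in this hunk, such as list_lock and stat_lock, are not
touched on that same failure path.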



* [PATCH 3.16 087/129] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 103/129] mm, swap: bounds check swap_info array accesses to avoid NULL derefs Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 066/129] tpm: Fix off-by-one when reading binary_bios_measurements Ben Hutchings
                   ` (51 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tetsuo Handa, Joel Fernandes, Greg Kroah-Hartman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit ecd182cbf4e107928077866399100228d2359c60 upstream.

ashmem_pin() is calling range_shrink() without checking whether
range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex
held should be avoided because ashmem_shrink_scan() tries to hold it.

Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin()
and make range_alloc() not fail.

This patch is mostly meant for backporting purposes for fuzz testing on
stable/distributor kernels, for there is a plan to remove this code in
the near future.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Joel Fernandes <joel@joelfernandes.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ashmem.c | 42 ++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 18 deletions(-)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -158,19 +158,15 @@ static inline void lru_del(struct ashmem
  * @end:	   The ending page (inclusive)
  *
  * This function is protected by ashmem_mutex.
- *
- * Return: 0 if successful, or -ENOMEM if there is an error
  */
-static int range_alloc(struct ashmem_area *asma,
-		       struct ashmem_range *prev_range, unsigned int purged,
-		       size_t start, size_t end)
+static void range_alloc(struct ashmem_area *asma,
+			struct ashmem_range *prev_range, unsigned int purged,
+			size_t start, size_t end,
+			struct ashmem_range **new_range)
 {
-	struct ashmem_range *range;
-
-	range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
-	if (unlikely(!range))
-		return -ENOMEM;
+	struct ashmem_range *range = *new_range;
 
+	*new_range = NULL;
 	range->asma = asma;
 	range->pgstart = start;
 	range->pgend = end;
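Review bot: range_alloc() now does
`struct ashmem_range *range = *new_range;` and immediately writes through
`range` with no check. Because the function sets `*new_range = NULL`
after taking the object, a second call within the same ioctl would
dereference NULL. Either document in the kernel-doc block (which gains no
@new_range entry in this hunk) that at most one call per preallocated
range is allowed, or add a guard that rejects a NULL `range` before it is
used.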
@@ -180,8 +176,6 @@ static int range_alloc(struct ashmem_are
 
 	if (range_on_lru(range))
 		lru_add(range);
-
-	return 0;
 }
 
 /**
@@ -576,7 +570,8 @@ static int get_name(struct ashmem_area *
  *
  * Caller must hold ashmem_mutex.
  */
-static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
+static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
+		      struct ashmem_range **new_range)
 {
 	struct ashmem_range *range, *next;
 	int ret = ASHMEM_NOT_PURGED;
@@ -628,7 +623,7 @@ static int ashmem_pin(struct ashmem_area
 			 * second half and adjust the first chunk's endpoint.
 			 */
 			range_alloc(asma, range, range->purged,
-				    pgend + 1, range->pgend);
+				    pgend + 1, range->pgend, new_range);
 			range_shrink(range, range->pgstart, pgstart - 1);
 			break;
 		}
@@ -642,7 +637,8 @@ static int ashmem_pin(struct ashmem_area
  *
  * Caller must hold ashmem_mutex.
  */
-static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
+static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
+			struct ashmem_range **new_range)
 {
 	struct ashmem_range *range, *next;
 	unsigned int purged = ASHMEM_NOT_PURGED;
@@ -668,7 +664,8 @@ restart:
 		}
 	}
 
-	return range_alloc(asma, range, purged, pgstart, pgend);
+	range_alloc(asma, range, purged, pgstart, pgend, new_range);
+	return 0;
 }
 
 /*
@@ -701,10 +698,17 @@ static int ashmem_pin_unpin(struct ashme
 	struct ashmem_pin pin;
 	size_t pgstart, pgend;
 	int ret = -EINVAL;
+	struct ashmem_range *range = NULL;
 
 	if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
 		return -EFAULT;
 
+	if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) {
+		range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
+		if (!range)
+			return -ENOMEM;
+	}
+
 	mutex_lock(&ashmem_mutex);
 
 	if (unlikely(!asma->file))
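Review bot: the kmem_cache_zalloc() is done before ashmem_mutex is taken
and before the `asma->file` check that follows, so every PIN or UNPIN
request, including ones that fail validation or a PIN that never splits a
range, pays for an allocation and a free. That is a reasonable price for
getting the GFP_KERNEL allocation out from under the mutex, but say so in
a comment here, and note that the unused object is released at
out_unlock.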
@@ -728,10 +732,10 @@ static int ashmem_pin_unpin(struct ashme
 
 	switch (cmd) {
 	case ASHMEM_PIN:
-		ret = ashmem_pin(asma, pgstart, pgend);
+		ret = ashmem_pin(asma, pgstart, pgend, &range);
 		break;
 	case ASHMEM_UNPIN:
-		ret = ashmem_unpin(asma, pgstart, pgend);
+		ret = ashmem_unpin(asma, pgstart, pgend, &range);
 		break;
 	case ASHMEM_GET_PIN_STATUS:
 		ret = ashmem_get_pin_status(asma, pgstart, pgend);
@@ -740,6 +744,8 @@ static int ashmem_pin_unpin(struct ashme
 
 out_unlock:
 	mutex_unlock(&ashmem_mutex);
+	if (range)
+		kmem_cache_free(ashmem_range_cachep, range);
 
 	return ret;
 }



* [PATCH 3.16 077/129] KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 061/129] pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 040/129] tty: ipwireless: Fix potential NULL pointer dereference Ben Hutchings
                   ` (121 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paolo Bonzini, Sean Christopherson

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit ddfd1730fd829743e41213e32ccc8b4aa6dc8325 upstream.

When installing new memslots, KVM sets bit 0 of the generation number to
indicate that an update is in-progress.  Until the update is complete,
there are no guarantees as to whether a vCPU will see the old or the new
memslots.  Explicitly prevent caching MMIO accesses so as to avoid using
an access cached from the old memslots after the new memslots have been
installed.

Note that it is unclear whether or not disabling caching during the
update window is strictly necessary as there is no definitive
documentation as to what ordering guarantees KVM provides with respect
to updating memslots.  That being said, the MMIO spte code does not
allow reusing sptes created while an update is in-progress, and the
associated documentation explicitly states:

    We do not want to use an MMIO sptes created with an odd generation
    number, ...  If KVM is unlucky and creates an MMIO spte while the
    low bit is 1, the next access to the spte will always be a cache miss.

At the very least, disabling the per-vCPU MMIO cache during updates will
make its behavior consistent with the MMIO spte behavior and
documentation.

Fixes: 56f17dd3fbc4 ("kvm: x86: fix stale mmio cache bug")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -75,10 +75,15 @@ static inline u32 bit(int bitno)
 static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu,
 					gva_t gva, gfn_t gfn, unsigned access)
 {
+	u64 gen = kvm_memslots(vcpu->kvm)->generation;
+
+	if (unlikely(gen & 1))
+		return;
+
 	vcpu->arch.mmio_gva = gva & PAGE_MASK;
 	vcpu->arch.access = access;
 	vcpu->arch.mmio_gfn = gfn;
-	vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation;
+	vcpu->arch.mmio_gen = gen;
 }
 
 static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu)
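Review bot: the early return on `gen & 1` has no comment, and the meaning
of bit 0 (a memslot update is in progress) is only given in the commit
message. Add a comment above the `if (unlikely(gen & 1))` test, or test a
named mask, so the reason for skipping the cache is visible in x86.h.
Reading the generation once into `gen` and reusing it for mmio_gen is a
good change, since the checked value and the stored value cannot differ.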



* [PATCH 3.16 073/129] libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 109/129] xen, cpu_hotplug: Prevent an out of bounds access Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 036/129] rcu: Do RCU GP kthread self-wakeup from softirq and interrupt Ben Hutchings
                   ` (28 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lubomir Rintel, Steve deRosier, Kalle Valo

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <lkundrak@v3.sk>

commit 607076a904c435f2677fadaadd4af546279db68b upstream.

It doesn't make sense and the USB core warns on each submit of such
URB, easily flooding the message buffer with tracebacks.

An analogous issue was fixed in the regular libertas driver in commit 6528d8804780
("libertas: don't set URB_ZERO_PACKET on IN USB transfer").

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/libertas_tf/if_usb.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/libertas_tf/if_usb.c
+++ b/drivers/net/wireless/libertas_tf/if_usb.c
@@ -440,8 +440,6 @@ static int __if_usb_submit_rx_urb(struct
 			  skb_tail_pointer(skb),
 			  MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, cardp);
 
-	cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET;
-
 	lbtf_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n",
 		cardp->rx_urb);
 	ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC);



* [PATCH 3.16 088/129] serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 024/129] crypto: pcbc - remove bogus memcpy()s with src == dest Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 030/129] crypto: tgr192 - fix unaligned memory access Ben Hutchings
                   ` (82 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Lubomir Rintel

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lubomir Rintel <lkundrak@v3.sk>

commit f4817843e39ce78aace0195a57d4e8500a65a898 upstream.

There are two other drivers that bind to mrvl,mmp-uart and both of them
assume register shift of 2 bits. There are device trees that lack the
property and rely on that assumption.

If this driver wins the race to bind to those devices, it should behave
the same as the older deprecated driver.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/of_serial.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/tty/serial/of_serial.c
+++ b/drivers/tty/serial/of_serial.c
@@ -93,6 +93,10 @@ static int of_platform_serial_setup(stru
 	if (of_property_read_u32(np, "reg-offset", &prop) == 0)
 		port->mapbase += prop;
 
+	/* Compatibility with the deprecated pxa driver and 8250_pxa drivers. */
+	if (of_device_is_compatible(np, "mrvl,mmp-uart"))
+		port->regshift = 2;
+
 	/* Check for registers offset within the devices address range */
 	if (of_property_read_u32(np, "reg-shift", &prop) == 0)
 		port->regshift = prop;
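Review bot: the new `port->regshift = 2` only works as a default because
it sits before the "reg-shift" property read in the context lines below
it, which still overrides it. The added comment should state that
ordering dependency; its wording ("the deprecated pxa driver and 8250_pxa
drivers") could also be tightened.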



* [PATCH 3.16 095/129] powerpc/32: Clear on-stack exception marker upon exception return
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 080/129] powerpc/83xx: Also save/restore SPRG4-7 during suspend Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 128/129] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Ben Hutchings
                   ` (118 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael Ellerman, Christophe Leroy

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 9580b71b5a7863c24a9bd18bcd2ad759b86b1eff upstream.

Clear the on-stack STACK_FRAME_REGS_MARKER on exception exit in order
to avoid a confusing stacktrace like the one below.

  Call Trace:
  [c0e9dca0] [c01c42a0] print_address_description+0x64/0x2bc (unreliable)
  [c0e9dcd0] [c01c4684] kasan_report+0xfc/0x180
  [c0e9dd10] [c0895130] memchr+0x24/0x74
  [c0e9dd30] [c00a9e38] msg_print_text+0x124/0x574
  [c0e9dde0] [c00ab710] console_unlock+0x114/0x4f8
  [c0e9de40] [c00adc60] vprintk_emit+0x188/0x1c4
  --- interrupt: c0e9df00 at 0x400f330
      LR = init_stack+0x1f00/0x2000
  [c0e9de80] [c00ae3c4] printk+0xa8/0xcc (unreliable)
  [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108
  [c0e9df50] [c0c15434] start_kernel+0x310/0x488
  [c0e9dff0] [00003484] 0x3484

With this patch the trace becomes:

  Call Trace:
  [c0e9dca0] [c01c42c0] print_address_description+0x64/0x2bc (unreliable)
  [c0e9dcd0] [c01c46a4] kasan_report+0xfc/0x180
  [c0e9dd10] [c0895150] memchr+0x24/0x74
  [c0e9dd30] [c00a9e58] msg_print_text+0x124/0x574
  [c0e9dde0] [c00ab730] console_unlock+0x114/0x4f8
  [c0e9de40] [c00adc80] vprintk_emit+0x188/0x1c4
  [c0e9de80] [c00ae3e4] printk+0xa8/0xcc
  [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108
  [c0e9df50] [c0c15434] start_kernel+0x310/0x488
  [c0e9dff0] [00003484] 0x3484

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/entry_32.S | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/powerpc/kernel/entry_32.S
+++ b/arch/powerpc/kernel/entry_32.S
@@ -757,6 +757,9 @@ fast_exception_return:
 	mtcr	r10
 	lwz	r10,_LINK(r11)
 	mtlr	r10
+	/* Clear the exception_marker on the stack to avoid confusing stacktrace */
+	li	r10, 0
+	stw	r10, 8(r11)
 	REST_GPR(10, r11)
 	mtspr	SPRN_SRR1,r9
 	mtspr	SPRN_SRR0,r12
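Review bot: the marker is cleared with a hard-coded offset,
`stw r10, 8(r11)`, here and as `8(r1)` in the two later hunks. A symbolic
offset for the marker slot would keep these three stores in step with
wherever the marker is written on exception entry.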
@@ -987,6 +990,9 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRE
 	mtcrf	0xFF,r10
 	mtlr	r11
 
+	/* Clear the exception_marker on the stack to avoid confusing stacktrace */
+	li	r10, 0
+	stw	r10, 8(r1)
 	/*
 	 * Once we put values in SRR0 and SRR1, we are in a state
 	 * where exceptions are not recoverable, since taking an
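Review bot: `li r10, 0` overwrites r10 right after `mtcrf 0xFF,r10`, and
unlike the other two hunks, where REST_GPR(10, r11) or REST_2GPRS(9, r1)
follows the store, no reload of r10 is visible in this hunk's context.
Please confirm r10 is restored further down on this path, or use a
register that is already dead at this point.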
@@ -1024,6 +1030,9 @@ exc_exit_restart_end:
 	mtlr	r11
 	lwz	r10,_CCR(r1)
 	mtcrf	0xff,r10
+	/* Clear the exception_marker on the stack to avoid confusing stacktrace */
+	li	r10, 0
+	stw	r10, 8(r1)
 	REST_2GPRS(9, r1)
 	.globl exc_exit_restart
 exc_exit_restart:



* [PATCH 3.16 090/129] powerpc/powernv: Make opal log only readable by root
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 062/129] pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 051/129] rtc: 88pm860x: fix unintended sign extension Ben Hutchings
                   ` (34 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael Ellerman, Jordan Niethe,
	Stewart Smith, Andrew Donnellan

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jordan Niethe <jniethe5@gmail.com>

commit 7b62f9bd2246b7d3d086e571397c14ba52645ef1 upstream.

Currently the opal log is globally readable. It is kernel policy to
limit the visibility of physical addresses / kernel pointers to root.
Given this and the fact the opal log may contain this information it
would be better to limit the readability to root.

Fixes: bfc36894a48b ("powerpc/powernv: Add OPAL message log interface")
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
Reviewed-by: Stewart Smith <stewart@linux.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/powernv/opal-msglog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/platforms/powernv/opal-msglog.c
+++ b/arch/powerpc/platforms/powernv/opal-msglog.c
@@ -92,7 +92,7 @@ out:
 }
 
 static struct bin_attribute opal_msglog_attr = {
-	.attr = {.name = "msglog", .mode = 0444},
+	.attr = {.name = "msglog", .mode = 0400},
 	.read = opal_msglog_read
 };
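Review bot: changing `.mode` from 0444 to 0400 on the msglog attribute is
the whole fix, so the one thing to add is a note in the commit message
for users: any unprivileged tool that reads this sysfs file will start
failing with a permission error after the update. The octal literal
matches the line it replaces and needs no change.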
 



* [PATCH 3.16 078/129] fs/nfs: Fix nfs_parse_devname to not modify it's argument
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 005/129] clk: socfpga: fix refcount leak Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 079/129] irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code Ben Hutchings
                   ` (106 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Trond Myklebust, Eric W. Biederman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit 40cc394be1aa18848b8757e03bd8ed23281f572e upstream.

In the rare and unsupported case of a hostname list nfs_parse_devname
will modify dev_name.  There is no need to modify dev_name as all
that is being computed is the length of the hostname, so the computed
length can just be shortened.

Fixes: dc04589827f7 ("NFS: Use common device name parsing logic for NFSv4 and NFSv2/v3")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1893,7 +1893,7 @@ static int nfs_parse_devname(const char
 		/* kill possible hostname list: not supported */
 		comma = strchr(dev_name, ',');
 		if (comma != NULL && comma < end)
-			*comma = 0;
+			len = comma - dev_name;
 	}
 
 	if (len > maxnamlen)
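Review bot: replacing `*comma = 0` with `len = comma - dev_name` means
dev_name is no longer NUL-terminated at the comma, so everything after
this point must bound the hostname by `len`, as the
`if (len > maxnamlen)` test in the context does. Please confirm the code
that follows uses `len` and not the string's terminator. The existing
comment ("kill possible hostname list") could also say that the list is
now cut off by length rather than in place.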



* [PATCH 3.16 060/129] parport_pc: fix find_superio io compare code, should use equal test.
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 051/129] rtc: 88pm860x: fix unintended sign extension Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 063/129] ext4: fix crash during online resizing Ben Hutchings
                   ` (32 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sudip Mukherjee, Greg Kroah-Hartman,
	Alan Cox, QiaoChong

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: QiaoChong <qiaochong@loongson.cn>

commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream.

In the original code before 181bf1e815a2 the loop was continuing until
it finds the first matching superios[i].io and p->base.
But after 181bf1e815a2 the logic changed and the loop now returns the
pointer to the first mismatched array element which is then used in
get_superio_dma() and get_superio_irq() and thus returning the wrong
value.
Fix the condition so that it now returns the correct pointer.

Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for")
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: QiaoChong <qiaochong@loongson.cn>
[rewrite the commit message]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/parport/parport_pc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/parport/parport_pc.c
+++ b/drivers/parport/parport_pc.c
@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super
 {
 	int i;
 	for (i = 0; i < NR_SUPERIOS; i++)
-		if (superios[i].io != p->base)
+		if (superios[i].io == p->base)
 			return &superios[i];
 	return NULL;
 }
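Review bot: with the test corrected to `superios[i].io == p->base`, the
function falls through to `return NULL` whenever no entry matches, which
the `!=` version reached only when every entry matched. The callers named
in the commit message, get_superio_dma() and get_superio_irq(), are not
part of this hunk; please check that they handle a NULL return.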



* [PATCH 3.16 085/129] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 046/129] scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 020/129] IB/usnic: Fix out of bounds index check in query pkey Ben Hutchings
                   ` (12 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael Ellerman, Aneesh Kumar K.V, Laurent Dufour

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>

commit 3b4d07d2674f6b4a9281031f99d1f7efd325b16d upstream.

When doing top-down search the low_limit is not PAGE_SIZE but rather
max(PAGE_SIZE, mmap_min_addr). This handles cases in which mmap_min_addr >
PAGE_SIZE.

Fixes: fba2369e6ceb ("mm: use vm_unmapped_area() on powerpc architecture")
Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/mm/slice.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/powerpc/mm/slice.c
+++ b/arch/powerpc/mm/slice.c
@@ -30,6 +30,7 @@
 #include <linux/err.h>
 #include <linux/spinlock.h>
 #include <linux/export.h>
+#include <linux/security.h>
 #include <asm/mman.h>
 #include <asm/mmu.h>
 #include <asm/spu.h>
@@ -313,6 +314,7 @@ static unsigned long slice_find_area_top
 	int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT);
 	unsigned long addr, found, prev;
 	struct vm_unmapped_area_info info;
+	unsigned long min_addr = max(PAGE_SIZE, mmap_min_addr);
 
 	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
 	info.length = len;
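Review bot: The new `min_addr = max(PAGE_SIZE, mmap_min_addr)` floor is introduced only in the top-down search; none of the hunks in this patch touch the bottom-up search. Please confirm that path already takes its low limit from mmap_min_addr, and add a short comment at this declaration saying why PAGE_SIZE remains the floor when mmap_min_addr is smaller.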
@@ -320,7 +322,7 @@ static unsigned long slice_find_area_top
 	info.align_offset = 0;
 
 	addr = mm->mmap_base;
-	while (addr > PAGE_SIZE) {
+	while (addr > min_addr) {
 		info.high_limit = addr;
 		if (!slice_scan_available(addr - 1, available, 0, &addr))
 			continue;
@@ -332,8 +334,8 @@ static unsigned long slice_find_area_top
 		 * Check if we need to reduce the range, or if we can
 		 * extend it to cover the previous available slice.
 		 */
-		if (addr < PAGE_SIZE)
-			addr = PAGE_SIZE;
+		if (addr < min_addr)
+			addr = min_addr;
 		else if (slice_scan_available(addr - 1, available, 0, &prev)) {
 			addr = prev;
 			goto prev_slice;
@@ -415,7 +417,7 @@ unsigned long slice_get_unmapped_area(un
 		addr = _ALIGN_UP(addr, 1ul << pshift);
 		slice_dbg(" aligned addr=%lx\n", addr);
 		/* Ignore hint if it's too large or overlaps a VMA */
-		if (addr > mm->task_size - len ||
+		if (addr > mm->task_size - len || addr < mmap_min_addr ||
 		    !slice_area_is_free(mm, addr, len))
 			addr = 0;
 	}
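Review bot: The added `addr < mmap_min_addr` test in the hint check is a behaviour change that the commit message does not mention; it only describes the top-down search. This hunk also compares against bare mmap_min_addr while the top-down code uses max(PAGE_SIZE, mmap_min_addr). Either use the same bound in both places or extend the "Ignore hint if ..." comment to cover the new condition and explain why the bounds differ.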



* [PATCH 3.16 071/129] ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 010/129] clk: armada-370: fix refcount leak in a370_clk_init() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 117/129] net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling Ben Hutchings
                   ` (100 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, S.j. Wang, Mark Brown, Fabio Estevam

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "S.j. Wang" <shengjiu.wang@nxp.com>

commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream.

The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit. The driver set it in
the wrong register; correct it.

Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/fsl_esai.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/sound/soc/fsl/fsl_esai.c
+++ b/sound/soc/fsl/fsl_esai.c
@@ -392,7 +392,8 @@ static int fsl_esai_set_dai_fmt(struct s
 		break;
 	case SND_SOC_DAIFMT_RIGHT_J:
 		/* Data on rising edge of bclk, frame high, right aligned */
-		xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA;
+		xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP;
+		xcr  |= ESAI_xCR_xWA;
 		break;
 	case SND_SOC_DAIFMT_DSP_A:
 		/* Data on rising edge of bclk, frame high, 1clk before data */
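Review bot: The added `xcr  |= ESAI_xCR_xWA;` line in the RIGHT_J case ORs into xcr, so it depends on xcr starting from a known value before the switch; the hunk does not show that initialisation, so please confirm it. Minor style point on the same line: there are two spaces before `|=`, and a single space is the usual form.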
@@ -449,12 +450,12 @@ static int fsl_esai_set_dai_fmt(struct s
 		return -EINVAL;
 	}
 
-	mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR;
+	mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA;
 	regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr);
 	regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr);
 
 	mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP |
-		ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA;
+		ESAI_xCCR_xFSD | ESAI_xCCR_xCKD;
 	regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr);
 	regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr);
 
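Review bot: Adding ESAI_xCR_xWA to the TCR/RCR mask means every format other than RIGHT_J now clears that bit on each call, which is what makes switching away from RIGHT_J work; a one-line comment above the mask assignment would record that intent. The commit message could also say which xCCR bit the stray ESAI_xCR_xWA value was touching through the old TCCR/RCCR mask, so that people picking up the backport can judge the effect of the old behaviour.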



* [PATCH 3.16 074/129] perf header: Fix wrong node write in NUMA_TOPOLOGY feature
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 048/129] USB: serial: cp210x: add ID for Ingenico 3070 Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 061/129] pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group Ben Hutchings
                   ` (123 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexander Shishkin, Jiri Olsa,
	Arnaldo Carvalho de Melo, Namhyung Kim, Peter Zijlstra

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

commit b00ccb27f97367d89e2d7b419ed198b0985be55d upstream.

We are currently passing the node index instead of the real node number.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: fbe96f29ce4b ("perf tools: Make perf.data more self-descriptive (v8)")
Link: http://lkml.kernel.org/r/20190219095815.15931-2-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/header.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -1009,7 +1009,7 @@ static int write_numa_topology(int fd, s
 		if (ret < 0)
 			break;
 
-		ret = write_topo_node(fd, i);
+		ret = write_topo_node(fd, j);
 		if (ret < 0)
 			break;
 	}
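Review bot: The one-character change from `write_topo_node(fd, i)` to `write_topo_node(fd, j)` is easy to get wrong again because neither name says which variable is the loop index and which is the node number. Consider renaming `j` to something like `node`, or adding a comment at the call, so the distinction described in the commit message is visible in the code.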



* [PATCH 3.16 068/129] serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 001/129] staging: iio: adt7316: fix register and bit definitions Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 115/129] md: Fix failed allocation of md_register_thread Ben Hutchings
                   ` (72 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Jay Dolan

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jay Dolan <jay.dolan@accesio.com>

commit 78d3820b9bd39028727c6aab7297b63c093db343 upstream.

The four port Pericom chips have the fourth port at the wrong address.
Make use of quirk to fix it.

Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards")
Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/8250/8250_pci.c | 105 +++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -2183,6 +2183,111 @@ static struct pci_serial_quirk pci_seria
 		.setup		= pci_default_setup,
 		.exit		= pci_plx9050_exit,
 	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
+	{
+		.vendor     = PCI_VENDOR_ID_ACCESIO,
+		.device     = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
+		.subvendor  = PCI_ANY_ID,
+		.subdevice  = PCI_ANY_ID,
+		.setup      = pci_pericom_setup,
+	},
 	/*
 	 * SBS Technologies, Inc., PMC-OCTALPRO 232
 	 */
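Review bot: The ninth added entry sets `.vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S`, a device ID constant in the vendor field, so it will not match ACCESIO cards the way the other fourteen entries do. It looks as if two entries were merged into one: PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S and PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4 probably each need their own entry with `.vendor = PCI_VENDOR_ID_ACCESIO`. As written, neither device is routed to pci_pericom_setup by this table.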



* [PATCH 3.16 072/129] cdc-wdm: pass return value of recover_from_urb_loss
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 049/129] media: uvcvideo: Avoid NULL pointer dereference at the end of streaming Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 118/129] net/mlx4_core: Fix qp mtt size calculation Ben Hutchings
                   ` (59 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, YueHaibing

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 0742a338f5b3446a26de551ad8273fb41b2787f2 upstream.

'rv' is the correct return value, pass it upstream instead of 0

Fixes: 17d80d562fd7 ("USB: autosuspend for cdc-wdm")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-wdm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -1089,7 +1089,7 @@ static int wdm_post_reset(struct usb_int
 	rv = recover_from_urb_loss(desc);
 	mutex_unlock(&desc->wlock);
 	mutex_unlock(&desc->rlock);
-	return 0;
+	return rv;
 }
 
 static struct usb_driver wdm_driver = {
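Review bot: Returning `rv` instead of 0 changes what the caller of this post-reset handler sees whenever recover_from_urb_loss() fails, but the commit message does not say what the caller does with a non-zero value. Please state the resulting behaviour in the changelog so reviewers of the stable backport can judge whether devices that previously kept working after a failed recovery are now handled differently.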



* [PATCH 3.16 081/129] powerpc/wii: properly disable use of BATs when requested.
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 035/129] applicom: Fix potential Spectre v1 vulnerabilities Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 026/129] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration Ben Hutchings
                   ` (114 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael Ellerman, Jonathan Neuschafer,
	Christophe Leroy

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 6d183ca8baec983dc4208ca45ece3c36763df912 upstream.

'nobats' kernel parameter or some options like CONFIG_DEBUG_PAGEALLOC
deny the use of BATS for mapping memory.

This patch makes sure that the specific wii RAM mapping function
takes it into account as well.

Fixes: de32400dd26e ("wii: use both mem1 and mem2 as ram")
Reviewed-by: Jonathan Neuschafer <j.neuschaefer@gmx.net>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/embedded6xx/wii.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/powerpc/platforms/embedded6xx/wii.c
+++ b/arch/powerpc/platforms/embedded6xx/wii.c
@@ -104,6 +104,10 @@ unsigned long __init wii_mmu_mapin_mem2(
 	/* MEM2 64MB@0x10000000 */
 	delta = wii_hole_start + wii_hole_size;
 	size = top - delta;
+
+	if (__map_without_bats)
+		return delta;
+
 	for (bl = 128<<10; bl < max_size; bl <<= 1) {
 		if (bl * 2 > size)
 			break;
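Review bot: The early `return delta;` for `__map_without_bats` sits after `size = top - delta;`, so `size` is computed and then discarded on that path. Moving the check directly after the `delta` assignment would avoid that, and a short comment stating that returning `delta` means nothing above the hole is covered by a BAT would make the meaning of the return value explicit.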



* [PATCH 3.16 080/129] powerpc/83xx: Also save/restore SPRG4-7 during suspend
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 040/129] tty: ipwireless: Fix potential NULL pointer dereference Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 095/129] powerpc/32: Clear on-stack exception marker upon exception return Ben Hutchings
                   ` (119 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christophe Leroy, Michael Ellerman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 36da5ff0bea2dc67298150ead8d8471575c54c7d upstream.

The 83xx has 8 SPRG registers and uses at least SPRG4
for DTLB handling LRU.

Fixes: 2319f1239592 ("powerpc/mm: e300c2/c3/c4 TLB errata workaround")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/83xx/suspend-asm.S | 34 ++++++++++++++++++-----
 1 file changed, 27 insertions(+), 7 deletions(-)

--- a/arch/powerpc/platforms/83xx/suspend-asm.S
+++ b/arch/powerpc/platforms/83xx/suspend-asm.S
@@ -26,13 +26,13 @@
 #define SS_MSR		0x74
 #define SS_SDR1		0x78
 #define SS_LR		0x7c
-#define SS_SPRG		0x80 /* 4 SPRGs */
-#define SS_DBAT		0x90 /* 8 DBATs */
-#define SS_IBAT		0xd0 /* 8 IBATs */
-#define SS_TB		0x110
-#define SS_CR		0x118
-#define SS_GPREG	0x11c /* r12-r31 */
-#define STATE_SAVE_SIZE 0x16c
+#define SS_SPRG		0x80 /* 8 SPRGs */
+#define SS_DBAT		0xa0 /* 8 DBATs */
+#define SS_IBAT		0xe0 /* 8 IBATs */
+#define SS_TB		0x120
+#define SS_CR		0x128
+#define SS_GPREG	0x12c /* r12-r31 */
+#define STATE_SAVE_SIZE 0x17c
 
 	.section .data
 	.align	5
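Review bot: Growing the SPRG area from 4 to 8 registers forced every later offset (SS_DBAT through STATE_SAVE_SIZE) to be renumbered by hand, each moving up by 0x10. The new values are consistent with each other, but expressing each offset relative to the previous one (for example SS_DBAT as SS_SPRG plus 8 words) would remove the chance of a slip the next time the layout changes.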
@@ -103,6 +103,16 @@ _GLOBAL(mpc83xx_enter_deep_sleep)
 	stw	r7, SS_SPRG+12(r3)
 	stw	r8, SS_SDR1(r3)
 
+	mfspr	r4, SPRN_SPRG4
+	mfspr	r5, SPRN_SPRG5
+	mfspr	r6, SPRN_SPRG6
+	mfspr	r7, SPRN_SPRG7
+
+	stw	r4, SS_SPRG+16(r3)
+	stw	r5, SS_SPRG+20(r3)
+	stw	r6, SS_SPRG+24(r3)
+	stw	r7, SS_SPRG+28(r3)
+
 	mfspr	r4, SPRN_DBAT0U
 	mfspr	r5, SPRN_DBAT0L
 	mfspr	r6, SPRN_DBAT1U
@@ -493,6 +503,16 @@ mpc83xx_deep_resume:
 	mtspr	SPRN_IBAT7U, r6
 	mtspr	SPRN_IBAT7L, r7
 
+	lwz	r4, SS_SPRG+16(r3)
+	lwz	r5, SS_SPRG+20(r3)
+	lwz	r6, SS_SPRG+24(r3)
+	lwz	r7, SS_SPRG+28(r3)
+
+	mtspr	SPRN_SPRG4, r4
+	mtspr	SPRN_SPRG5, r5
+	mtspr	SPRN_SPRG6, r6
+	mtspr	SPRN_SPRG7, r7
+
 	lwz	r4, SS_SPRG+0(r3)
 	lwz	r5, SS_SPRG+4(r3)
 	lwz	r6, SS_SPRG+8(r3)



* [PATCH 3.16 076/129] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 047/129] rtc: ds1672: fix unintended sign extension Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 025/129] powerpc/irq: drop arch_early_irq_init() Ben Hutchings
                   ` (89 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Timur Tabi, Nicolin Chen, Mark Brown,
	Fabio Estevam, Xiubo Li, Takashi Iwai

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 2757970f6d0d0a112247600b23d38c0c728ceeb3 upstream.

The node obtained from of_find_node_by_path() has to be unreferenced
after the use, but we forgot it for the root node.

Fixes: f0fba2ad1b6b ("ASoC: multi-component - ASoC Multi-Component Support")
Cc: Timur Tabi <timur@kernel.org>
Cc: Nicolin Chen <nicoleotsuka@gmail.com>
Cc: Xiubo Li <Xiubo.Lee@gmail.com>
Cc: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16:
 - Move declaration of root to the top of the function as there is no
   suitable block scope
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/sound/soc/fsl/fsl_ssi.c
+++ b/sound/soc/fsl/fsl_ssi.c
@@ -1229,6 +1229,7 @@ static int fsl_ssi_probe(struct platform
 	struct fsl_ssi_private *ssi_private;
 	int ret = 0;
 	struct device_node *np = pdev->dev.of_node;
+	struct device_node *root;
 	const struct of_device_id *of_id;
 	const char *p, *sprop;
 	const uint32_t *iprop;
@@ -1373,7 +1374,9 @@ static int fsl_ssi_probe(struct platform
 	 * device tree.  We also pass the address of the CPU DAI driver
 	 * structure.
 	 */
-	sprop = of_get_property(of_find_node_by_path("/"), "compatible", NULL);
+	root = of_find_node_by_path("/");
+	sprop = of_get_property(root, "compatible", NULL);
+	of_node_put(root);
 	/* Sometimes the compatible name has a "fsl," prefix, so we strip it. */
 	p = strrchr(sprop, ',');
 	if (p)
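Review bot: `of_node_put(root)` is called immediately after `of_get_property()`, but `sprop` points at property data owned by that node and is still used below in `strrchr(sprop, ',')`. Holding the reference until the last use of `sprop` (or copying the string first) keeps the lifetime rules obvious. The same lines also pass `sprop` to strrchr() without checking for NULL, which of_get_property() can return when the property is absent.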



* [PATCH 3.16 079/129] irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 078/129] fs/nfs: Fix nfs_parse_devname to not modify it's argument Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 113/129] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv Ben Hutchings
                   ` (105 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Florian Fainelli, Doug Berger, Marc Zyngier

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Doug Berger <opendmb@gmail.com>

commit 33517881ede742107f416533b8c3e4abc56763da upstream.

Using the irq_gc_lock/irq_gc_unlock functions in the suspend and
resume functions creates the opportunity for a deadlock during
suspend, resume, and shutdown. Using the irq_gc_lock_irqsave/
irq_gc_unlock_irqrestore variants prevents this possible deadlock.

Fixes: 7f646e92766e2 ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
[maz: tidied up $SUBJECT]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/irqchip/irq-brcmstb-l2.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/irqchip/irq-brcmstb-l2.c
+++ b/drivers/irqchip/irq-brcmstb-l2.c
@@ -82,8 +82,9 @@ static void brcmstb_l2_intc_suspend(stru
 {
 	struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
 	struct brcmstb_l2_intc_data *b = gc->private;
+	unsigned long flags;
 
-	irq_gc_lock(gc);
+	irq_gc_lock_irqsave(gc, flags);
 	/* Save the current mask */
 	b->saved_mask = __raw_readl(b->base + CPU_MASK_STATUS);
 
@@ -92,22 +93,23 @@ static void brcmstb_l2_intc_suspend(stru
 		__raw_writel(~gc->wake_active, b->base + CPU_MASK_SET);
 		__raw_writel(gc->wake_active, b->base + CPU_MASK_CLEAR);
 	}
-	irq_gc_unlock(gc);
+	irq_gc_unlock_irqrestore(gc, flags);
 }
 
 static void brcmstb_l2_intc_resume(struct irq_data *d)
 {
 	struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
 	struct brcmstb_l2_intc_data *b = gc->private;
+	unsigned long flags;
 
-	irq_gc_lock(gc);
+	irq_gc_lock_irqsave(gc, flags);
 	/* Clear unmasked non-wakeup interrupts */
 	__raw_writel(~b->saved_mask & ~gc->wake_active, b->base + CPU_CLEAR);
 
 	/* Restore the saved mask */
 	__raw_writel(b->saved_mask, b->base + CPU_MASK_SET);
 	__raw_writel(~b->saved_mask, b->base + CPU_MASK_CLEAR);
-	irq_gc_unlock(gc);
+	irq_gc_unlock_irqrestore(gc, flags);
 }
 
 int __init brcmstb_l2_intc_of_init(struct device_node *np,
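Review bot: In brcmstb_l2_intc_resume() (and the matching suspend function in the previous hunk) the switch to `irq_gc_lock_irqsave()` is explained only in the commit message. A brief comment at the lock call saying that these callbacks run outside interrupt context, and that the same lock is also taken from interrupt context, would keep someone from reverting to the plain lock variants later.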



* [PATCH 3.16 065/129] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 093/129] NFSv4.1: Reinitialise sequence results before retransmitting a request Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 105/129] scsi: virtio_scsi: don't send sc payload with tmfs Ben Hutchings
                   ` (110 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jarkko Sakkinen, Jerry Snitselaar, Stefan Berger

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

commit 442601e87a4769a8daba4976ec3afa5222ca211d upstream.

Return -E2BIG when the transfer is incomplete. The upper layer does
not retry, so not doing that is incorrect behaviour.

Fixes: a2871c62e186 ("tpm: Add support for Atmel I2C TPMs")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/char/tpm/tpm_i2c_atmel.c
+++ b/drivers/char/tpm/tpm_i2c_atmel.c
@@ -65,7 +65,14 @@ static int i2c_atmel_send(struct tpm_chi
 	dev_dbg(chip->dev,
 		"%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__,
 		(int)min_t(size_t, 64, len), buf, len, status);
-	return status;
+	if (status < 0)
+		return status;
+
+	/* The upper layer does not support incomplete sends. */
+	if (status != len)
+		return -E2BIG;
+
+	return 0;
 }
 
 static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
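Review bot: In the added `if (status != len)` test, `status` is a signed int (it is printed with %d above) while `len` is a size_t (printed with %zx), so the comparison mixes signed and unsigned types. It is safe here only because the `status < 0` case returns first; an explicit cast, or a comment noting that ordering dependency, would keep the check correct if the two tests are ever reordered. The choice of -E2BIG for a short transfer also deserves a word in the comment, since the name suggests an oversized argument rather than an incomplete send.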



* [PATCH 3.16 061/129] pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 074/129] perf header: Fix wrong node write in NUMA_TOPOLOGY feature Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 077/129] KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux Ben Hutchings
                   ` (122 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Simon Horman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit a4b0350047f1b10207e25e72d7cd3f7826e93769 upstream.

The entry for "scifb2_data_c" in the SCIFB2 pin group array contains a
typo, thus the group cannot be selected.

Fixes: 5088451962389924 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -4433,7 +4433,7 @@ static const char * const scifb2_groups[
 	"scifb2_data_b",
 	"scifb2_clk_b",
 	"scifb2_ctrl_b",
-	"scifb0_data_c",
+	"scifb2_data_c",
 	"scifb2_clk_c",
 	"scifb2_data_d",
 };



* [PATCH 3.16 069/129] leds: lp55xx: fix null deref on firmware load failure
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 057/129] ext4: fix check of inode in swap_inode_boot_loader Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 102/129] mm: fix potential data race in SyS_swapon Ben Hutchings
                   ` (20 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jacek Anaszewski, Michal Kazior

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kazior <michal@plume.com>

commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c upstream.

I've stumbled upon a kernel crash and the logs
pointed me towards the lp5562 driver:

> <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with error -2
> <4>[306013.894990] lp5562 0-0030: Falling back to user helper
> ...
> <3>[306073.924886] lp5562 0-0030: firmware request failed
> <1>[306073.939456] Unable to handle kernel NULL pointer dereference at virtual address 00000000
> <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58
> <4>[306074.255539] LR is at release_firmware+0x6c/0x138
> ...

After taking a look I noticed firmware_release()
could be called with either NULL or a dangling
pointer.

Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface")
Signed-off-by: Michal Kazior <michal@plume.com>
Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/leds/leds-lp55xx-common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/leds/leds-lp55xx-common.c
+++ b/drivers/leds/leds-lp55xx-common.c
@@ -214,7 +214,7 @@ static void lp55xx_firmware_loaded(const
 
 	if (!fw) {
 		dev_err(dev, "firmware request failed\n");
-		goto out;
+		return;
 	}
 
 	/* handling firmware data is chip dependent */
@@ -227,9 +227,9 @@ static void lp55xx_firmware_loaded(const
 
 	mutex_unlock(&chip->lock);
 
-out:
 	/* firmware should be released for other channel use */
 	release_firmware(chip->fw);
+	chip->fw = NULL;
 }
 
 static int lp55xx_request_firmware(struct lp55xx_chip *chip)
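Review bot: The new `chip->fw = NULL;` assignment, like the `release_firmware(chip->fw)` call before it, runs after `mutex_unlock(&chip->lock)`, so the pointer is released and cleared outside the lock that protects the firmware handling above. Please either move both statements inside the locked region or explain in the comment why no other path can read `chip->fw` at this point. Note also that the early return in the previous hunk tests `fw` while the release operates on `chip->fw`; the patch does not show where `chip->fw` is assigned, so it is worth confirming it cannot hold a stale value when `fw` is NULL.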



* [PATCH 3.16 066/129] tpm: Fix off-by-one when reading binary_bios_measurements
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 087/129] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 021/129] RDMA/ocrdma: Fix out of bounds index check in query pkey Ben Hutchings
                   ` (50 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jarkko Sakkinen, Jia Zhang

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia Zhang <zhang.jia@linux.alibaba.com>

commit 64494d39ff630a63b5308042b20132b491e3706b upstream.

It is unable to read the entry when it is the only one in
binary_bios_measurements:

00000000  00 00 00 00 08 00 00 00  c4 2f ed ad 26 82 00 cb
00000010  1d 15 f9 78 41 c3 44 e7  9d ae 33 20 00 00 00 00
00000020

This is obviously a firmware problem on my linux machine:

	Manufacturer: Inspur
	Product Name: SA5212M4
	Version: 01

However, binary_bios_measurements should return it anyway,
rather than nothing; after all, its content is completely
valid.

Fixes: 55a82ab3181b ("tpm: add bios measurement log")
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
[bwh: Backported to 3.16:
 - Fix an additional comparison in tpm1_bios_measurements_start()
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/char/tpm/tpm_eventlog.c
+++ b/drivers/char/tpm/tpm_eventlog.c
@@ -81,7 +81,7 @@ static void *tpm_bios_measurements_start
 	for (i = 0; i < *pos; i++) {
 		event = addr;
 
-		if ((addr + sizeof(struct tcpa_event)) < limit) {
+		if ((addr + sizeof(struct tcpa_event)) <= limit) {
 			if (event->event_type == 0 && event->event_size == 0)
 				return NULL;
 			addr += sizeof(struct tcpa_event) + event->event_size;
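Review bot: In the skip loop, `addr += sizeof(struct tcpa_event) + event->event_size` advances by a size read from the firmware-provided log after checking only that the header fits below `limit`, not the event body. When the `<= limit` test fails the loop also keeps iterating without advancing or bailing out. Since this code walks the measurement log with sizes it does not control, consider returning NULL as soon as either the header or the body would cross `limit`, rather than relying on the checks after the loop.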
@@ -89,13 +89,13 @@ static void *tpm_bios_measurements_start
 	}
 
 	/* now check if current entry is valid */
-	if ((addr + sizeof(struct tcpa_event)) >= limit)
+	if ((addr + sizeof(struct tcpa_event)) > limit)
 		return NULL;
 
 	event = addr;
 
 	if ((event->event_type == 0 && event->event_size == 0) ||
-	    ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
+	    ((addr + sizeof(struct tcpa_event) + event->event_size) > limit))
 		return NULL;
 
 	return addr;
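Review bot: The bound check `(addr + sizeof(struct tcpa_event) + event->event_size) > limit` adds an untrusted `event_size` to a pointer before comparing, so a very large size can wrap the sum and pass the test. Because the preceding check already guarantees the header fits, comparing sizes instead, for example `event->event_size > limit - addr - sizeof(struct tcpa_event)`, avoids the wrap. The same form appears for `v` in tpm_bios_measurements_next() further down and would benefit from the same change.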
@@ -111,7 +111,7 @@ static void *tpm_bios_measurements_next(
 	v += sizeof(struct tcpa_event) + event->event_size;
 
 	/* now check if current entry is valid */
-	if ((v + sizeof(struct tcpa_event)) >= limit)
+	if ((v + sizeof(struct tcpa_event)) > limit)
 		return NULL;
 
 	event = v;
@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(
 		return NULL;
 
 	if ((event->event_type == 0 && event->event_size == 0) ||
-	    ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
+	    ((v + sizeof(struct tcpa_event) + event->event_size) > limit))
 		return NULL;
 
 	(*pos)++;
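Review bot: The same two-step bounds test (`v + sizeof(struct tcpa_event) > limit`, then the same sum with `event->event_size` added) is written out separately in tpm_bios_measurements_start() and tpm_bios_measurements_next(), and the backport note records that one more copy of the comparison had to be fixed. A small helper taking the entry pointer and `limit` would keep these comparisons from drifting apart again.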


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 067/129] serial: 8250_pci: Fix number of ports for ACCES serial cards
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 097/129] ip6mr: Do not call __IP6_INC_STATS() from preemptible context Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 031/129] ASoC: imx-sgtl5000: put of nodes if finding codec fails Ben Hutchings
                   ` (6 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jay Dolan, Greg Kroah-Hartman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jay Dolan <jay.dolan@accesio.com>

commit b896b03bc7fce43a07012cc6bf5e2ab2fddf3364 upstream.

Have the correct number of ports created for ACCES serial cards. Two port
cards show up as four ports, and four port cards show up as eight.

Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards")
Signed-off-by: Jay Dolan <jay.dolan@accesio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/8250/8250_pci.c | 36 +++++++++++++++---------------
 1 file changed, 18 insertions(+), 18 deletions(-)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -4943,10 +4943,10 @@ static struct pci_device_id serial_pci_t
 	 */
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7954 },
@@ -4955,10 +4955,10 @@ static struct pci_device_id serial_pci_t
 		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7954 },
@@ -4967,10 +4967,10 @@ static struct pci_device_id serial_pci_t
 		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7954 },
@@ -4979,13 +4979,13 @@ static struct pci_device_id serial_pci_t
 		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7951 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7954 },
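Review bot: The commit message covers only two-port and four-port cards, but the PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1 entry here goes from pbn_pericom_PI7C9X7954 to pbn_pericom_PI7C9X7951, which by its name is a one-port board. The message should say that single-port cards were misreported as well, so the table change can be checked against it.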
@@ -4994,16 +4994,16 @@ static struct pci_device_id serial_pci_t
 		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7954 },
@@ -5012,13 +5012,13 @@ static struct pci_device_id serial_pci_t
 		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7954 },
+		pbn_pericom_PI7C9X7952 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7958 },
+		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7958 },
+		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7958 },
@@ -5027,19 +5027,19 @@ static struct pci_device_id serial_pci_t
 		pbn_pericom_PI7C9X7958 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7958 },
+		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7958 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7958 },
+		pbn_pericom_PI7C9X7954 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
 		pbn_pericom_PI7C9X7958 },
 	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
 		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
-		pbn_pericom_PI7C9X7958 },
+		pbn_pericom_PI7C9X7954 },
 	/*
 	 * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke)
 	 */


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 056/129] jbd2: clear dirty flag when revoking a buffer from an older transaction
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 043/129] crypto: testmgr - skip crc32c context test for ahash algorithms Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 122/129] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Ben Hutchings
                   ` (40 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, zhangyi (F), Jan Kara, Theodore Ts'o

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "zhangyi (F)" <yi.zhang@huawei.com>

commit 904cdbd41d749a476863a0ca41f6f396774f26e4 upstream.

Now, we capture a data corruption problem on ext4 while we're truncating
an extent index block. Imagine that we are revoking a buffer which
has been journaled by the committing transaction: the buffer's jbddirty
flag will not be cleared in jbd2_journal_forget(), so the commit code
will set the buffer dirty flag again after refiling the buffer.

fsx                               kjournald2
                                  jbd2_journal_commit_transaction
jbd2_journal_revoke                commit phase 1~5...
 jbd2_journal_forget
   belongs to older transaction    commit phase 6
   jbddirty not clear               __jbd2_journal_refile_buffer
                                     __jbd2_journal_unfile_buffer
                                      test_clear_buffer_jbddirty
                                       mark_buffer_dirty

Finally, if the freed extent index block was allocated again as a data
block by some other file, it may corrupt the file data after writing
cached pages later, such as during unmount time. (In general,
clean_bdev_aliases() related helpers should be invoked after
re-allocation to prevent the above corruption, but unfortunately we
missed it when zeroing out the head of extra extent blocks in
ext4_ext_handle_unwritten_extents()).

This patch marks the buffer as freed and sets j_next_transaction to the new
transaction when it already belongs to the committing transaction in
jbd2_journal_forget(), so that commit code knows it should clear dirty
bits when it is done with the buffer.

This problem can be reproduced by xfstests generic/455 easily with
seeds (3246 3247 3248 3249).

Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/jbd2/transaction.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1479,14 +1479,21 @@ int jbd2_journal_forget (handle_t *handl
 		/* However, if the buffer is still owned by a prior
 		 * (committing) transaction, we can't drop it yet... */
 		JBUFFER_TRACE(jh, "belongs to older transaction");
-		/* ... but we CAN drop it from the new transaction if we
-		 * have also modified it since the original commit. */
+		/* ... but we CAN drop it from the new transaction through
+		 * marking the buffer as freed and set j_next_transaction to
+		 * the new transaction, so that not only the commit code
+		 * knows it should clear dirty bits when it is done with the
+		 * buffer, but also the buffer can be checkpointed only
+		 * after the new transaction commits. */
 
-		if (jh->b_next_transaction) {
-			J_ASSERT(jh->b_next_transaction == transaction);
+		set_buffer_freed(bh);
+
+		if (!jh->b_next_transaction) {
 			spin_lock(&journal->j_list_lock);
-			jh->b_next_transaction = NULL;
+			jh->b_next_transaction = transaction;
 			spin_unlock(&journal->j_list_lock);
+		} else {
+			J_ASSERT(jh->b_next_transaction == transaction);
 
 			/*
 			 * only drop a reference if this transaction modified
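Review bot: The new comment says "set j_next_transaction to the new transaction", but the field assigned just below is `jh->b_next_transaction`; the comment should use the real field name. It would also help to state what protects the test `if (!jh->b_next_transaction)`, since only the assignment sits inside `journal->j_list_lock`.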


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 064/129] iscsi_ibft: Fix missing break in switch statement
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 086/129] ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 098/129] CIFS: Do not reset lease state to NONE on lease break Ben Hutchings
                   ` (92 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Konrad Rzeszutek Wilk

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit df997abeebadaa4824271009e2d2b526a70a11cb upstream.

Add missing break statement in order to prevent the code from falling
through to case ISCSI_BOOT_TGT_NAME, which is unnecessary.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: b33a84a38477 ("ibft: convert iscsi_ibft module to iscsi boot lib")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/firmware/iscsi_ibft.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/firmware/iscsi_ibft.c
+++ b/drivers/firmware/iscsi_ibft.c
@@ -503,6 +503,7 @@ static umode_t __init ibft_check_tgt_for
 	case ISCSI_BOOT_TGT_NIC_ASSOC:
 	case ISCSI_BOOT_TGT_CHAP_TYPE:
 		rc = S_IRUGO;
+		break;
 	case ISCSI_BOOT_TGT_NAME:
 		if (tgt->tgt_name_len)
 			rc = S_IRUGO;
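Review bot: The commit message should say whether behaviour changes. In the visible lines `rc` is already S_IRUGO when control used to fall into case ISCSI_BOOT_TGT_NAME, where it can only be assigned S_IRUGO again, so the added `break` reads as a cleanup rather than a functional fix. Stating that explicitly would help reviewers judge it for stable.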


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 053/129] rtc: pm8xxx: fix unintended sign extension
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 016/129] staging: iio: adt7316: fix the dac read calculation Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 034/129] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable Ben Hutchings
                   ` (47 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Colin Ian King, Alexandre Belloni

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit e42280886018c6f77f0a90190f7cba344b0df3e0 upstream.

Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.

Fix this by casting the u8 value to an unsigned long before the shift.

Detected by CoverityScan, CID#1309693 ("Unintended sign extension")

Fixes: 9a9a54ad7aa2 ("drivers/rtc: add support for Qualcomm PMIC8xxx RTC")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-pm8xxx.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/rtc/rtc-pm8xxx.c
+++ b/drivers/rtc/rtc-pm8xxx.c
@@ -175,7 +175,8 @@ static int pm8xxx_rtc_read_time(struct d
 		}
 	}
 
-	secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24);
+	secs = value[0] | (value[1] << 8) | (value[2] << 16) |
+	       ((unsigned long)value[3] << 24);
 
 	rtc_time_to_tm(secs, tm);
 
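Review bot: Only `value[3]` gets the cast, which is correct but relies on the reader knowing that `value[1] << 8` and `value[2] << 16` cannot reach the sign bit of int. Since the four bytes are assembled least significant first, get_unaligned_le32(value) would express the same read with no open-coded shifts, and the same call would replace the identical expression in pm8xxx_rtc_read_alarm().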
@@ -253,7 +254,8 @@ static int pm8xxx_rtc_read_alarm(struct
 		return rc;
 	}
 
-	secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24);
+	secs = value[0] | (value[1] << 8) | (value[2] << 16) |
+	       ((unsigned long)value[3] << 24);
 
 	rtc_time_to_tm(secs, &alarm->time);
 


^ permalink raw reply	[flat|nested] 138+ messages in thread
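
The sign extension described in the commit message above (and again in the rtc: ds1672 patch later in this thread), as an added example that is not part of the patch or of either driver. The names secs_before, secs_after and divergent_top_bytes are hypothetical and the sample bytes are constructed; secs_before spells out the int promotion with explicit casts because shifting into the sign bit of int is undefined in ISO C.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Pre-patch arithmetic. In `value[3] << 24` the u8 is promoted to int, so a
 * byte with bit 7 set ends up in the sign bit. ISO C leaves that shift
 * undefined; the casts below produce the same two's-complement value that
 * GCC and Clang generate for it, without performing the undefined shift.
 */
static unsigned long secs_before(const uint8_t value[4])
{
	int top = (int32_t)((uint32_t)value[3] << 24);	/* negative if bit 7 set */
	int all = value[0] | (value[1] << 8) | (value[2] << 16) | top;

	/* int -> unsigned long: a negative int is sign-extended on LP64. */
	return (unsigned long)all;
}

/* Post-patch arithmetic, as in the hunks: widen the top byte before shifting. */
static unsigned long secs_after(const uint8_t value[4])
{
	return value[0] | (value[1] << 8) | (value[2] << 16) |
	       ((unsigned long)value[3] << 24);
}

/* Number of top-byte values (0x00..0xff) for which the two forms disagree. */
static int divergent_top_bytes(void)
{
	int n = 0;

	for (unsigned int b = 0; b <= 0xff; b++) {
		const uint8_t value[4] = { 0x00, 0x00, 0x00, (uint8_t)b };

		if (secs_before(value) != secs_after(value))
			n++;
	}
	return n;
}

int main(void)
{
	/* Constructed little-endian counter reads, not taken from a device. */
	static const uint8_t samples[][4] = {
		{ 0xff, 0xff, 0xff, 0x7f },	/* 0x7fffffff: last value that is safe */
		{ 0x00, 0x00, 0x00, 0x80 },	/* 0x80000000: first value that breaks */
		{ 0x78, 0x56, 0x34, 0x92 },	/* arbitrary value with bit 31 set */
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%02x %02x %02x %02x  before=%#lx  after=%#lx\n",
		       samples[i][0], samples[i][1], samples[i][2], samples[i][3],
		       secs_before(samples[i]), secs_after(samples[i]));

	printf("top bytes that diverge: %d of 256\n", divergent_top_bytes());
	return 0;
}
```

Where unsigned long is 32 bits wide the two forms agree for every input, which is why the defect only shows on 64-bit builds.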

* [PATCH 3.16 055/129] bcache: treat stale && dirty keys as bad keys
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 063/129] ext4: fix crash during online resizing Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 109/129] xen, cpu_hotplug: Prevent an out of bounds access Ben Hutchings
                   ` (30 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tang Junhui, Jens Axboe, Coly Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tang Junhui <tang.junhui.linux@gmail.com>

commit 58ac323084ebf44f8470eeb8b82660f9d0ee3689 upstream.

Stale && dirty keys can be produced in the following way:
After writeback in write_dirty_finish(), dirty keys k1 will
be replaced by clean keys k2
==>ret = bch_btree_insert(dc->disk.c, &keys, NULL, &w->key);
==>btree_insert_fn(struct btree_op *b_op, struct btree *b)
==>static int bch_btree_insert_node(struct btree *b,
       struct btree_op *op,
       struct keylist *insert_keys,
       atomic_t *journal_ref,
Then two steps:
A) update k1 to k2 in btree node memory;
   bch_btree_insert_keys(b, op, insert_keys, replace_key)
B) Write the bset(contains k2) to cache disk by a 30s delay work
   bch_btree_leaf_dirty(b, journal_ref).
But before the 30s delay work writes the bset to the cache device,
these things happened:
A) GC works, and reclaims the bucket k2 points to;
B) Allocator works, and invalidates the bucket k2 points to,
   and increases the gen of the bucket, and places it into the free_inc
   fifo;
C) Until now, the 30s delay work still has not finished,
   so on the disk the key is still k1; it is dirty and stale
   (its gen is smaller than the gen of the bucket). Then the
   machine suddenly powers off;
D) When the machine powers on again, after the btree reconstruction,
   the stale dirty key appears.

In bch_extent_bad(), when expensive_debug_checks is off, it would
treat the dirty key as good even if it is a stale key, and it would
cause the problems below:
A) In read_dirty() it would cause a machine crash:
   BUG_ON(ptr_stale(dc->disk.c, &w->key, 0));
B) It could be worse when reads hit stale dirty keys: it would
   read old incorrect data.

This patch tolerates the existence of these stale && dirty keys,
and treats them as bad keys in bch_extent_bad().

(Coly Li: fix indent which was modified by sender's email client)

Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/extents.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/md/bcache/extents.c
+++ b/drivers/md/bcache/extents.c
@@ -530,6 +530,7 @@ static bool bch_extent_bad(struct btree_
 	struct btree *b = container_of(bk, struct btree, keys);
 	struct bucket *g;
 	unsigned i, stale;
+	char buf[80];
 
 	if (!KEY_PTRS(k) ||
 	    bch_extent_invalid(bk, k))
@@ -539,20 +540,20 @@ static bool bch_extent_bad(struct btree_
 		if (!ptr_available(b->c, k, i))
 			return true;
 
-	if (!expensive_debug_checks(b->c) && KEY_DIRTY(k))
-		return false;
-
 	for (i = 0; i < KEY_PTRS(k); i++) {
 		g = PTR_BUCKET(b->c, k, i);
 		stale = ptr_stale(b->c, k, i);
 
+		if (stale && KEY_DIRTY(k)) {
+			bch_extent_to_text(buf, sizeof(buf), k);
+			pr_info("stale dirty pointer, stale %u, key: %s",
+				stale, buf);
+		}
+
 		btree_bug_on(stale > 96, b,
 			     "key too stale: %i, need_gc %u",
 			     stale, b->c->need_gc);
 
-		btree_bug_on(stale && KEY_DIRTY(k) && KEY_SIZE(k),
-			     b, "stale dirty pointer");
-
 		if (stale)
 			return true;
 
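Review bot: The added pr_info() format string "stale dirty pointer, stale %u, key: %s" has no trailing "\n" and is not rate limited, although it sits inside the per-pointer loop of bch_extent_bad() and the commit message expects such keys to appear after a sudden power-off. Add the newline and consider pr_info_ratelimited() so that a cache holding many stale dirty keys does not flood the log.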


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 058/129] ext4: update quota information while swapping boot loader inode
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 027/129] media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 044/129] crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling Ben Hutchings
                   ` (77 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Theodore Ts'o, yangerkun

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: yangerkun <yangerkun@huawei.com>

commit aa507b5faf38784defe49f5e64605ac3c4425e26 upstream.

While swapping two inodes, they swap i_data without updating
quota information. Also, swap_inode_boot_loader can do "revert"
sometimes, so update the quota once all operations have finished.

Signed-off-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16:
 - Include <linux/quotaops.h>
 - dquot_initialize() does not return an error
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -14,6 +14,7 @@
 #include <linux/compat.h>
 #include <linux/mount.h>
 #include <linux/file.h>
+#include <linux/quotaops.h>
 #include <asm/uaccess.h>
 #include "ext4_jbd2.h"
 #include "ext4.h"
@@ -66,9 +67,6 @@ static void swap_inode_data(struct inode
 
 	memswap(&inode1->i_version, &inode2->i_version,
 		  sizeof(inode1->i_version));
-	memswap(&inode1->i_blocks, &inode2->i_blocks,
-		  sizeof(inode1->i_blocks));
-	memswap(&inode1->i_bytes, &inode2->i_bytes, sizeof(inode1->i_bytes));
 	memswap(&inode1->i_atime, &inode2->i_atime, sizeof(inode1->i_atime));
 	memswap(&inode1->i_mtime, &inode2->i_mtime, sizeof(inode1->i_mtime));
 
@@ -117,6 +115,9 @@ static long swap_inode_boot_loader(struc
 	struct inode *inode_bl;
 	struct ext4_inode_info *ei_bl;
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
+	qsize_t size, size_bl, diff;
+	blkcnt_t blocks;
+	unsigned short bytes;
 
 	inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
 	if (IS_ERR(inode_bl))
@@ -179,6 +180,11 @@ static long swap_inode_boot_loader(struc
 			memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data));
 	}
 
+	dquot_initialize(inode);
+
+	size = (qsize_t)(inode->i_blocks) * (1 << 9) + inode->i_bytes;
+	size_bl = (qsize_t)(inode_bl->i_blocks) * (1 << 9) + inode_bl->i_bytes;
+	diff = size - size_bl;
 	swap_inode_data(inode, inode_bl);
 
 	inode->i_ctime = inode_bl->i_ctime = ext4_current_time(inode);
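Review bot: `size` and `size_bl` open-code the byte count twice as `i_blocks * (1 << 9) + i_bytes`, with the 512-byte unit as a bare shift. inode_get_bytes() returns the same quantity; if the open-coded form is kept, a comment or named constant for the unit would make the quota arithmetic easier to check.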
@@ -194,24 +200,46 @@ static long swap_inode_boot_loader(struc
 
 	err = ext4_mark_inode_dirty(handle, inode);
 	if (err < 0) {
+		/* No need to update quota information. */
 		ext4_warning(inode->i_sb,
 			"couldn't mark inode #%lu dirty (err %d)",
 			inode->i_ino, err);
 		/* Revert all changes: */
 		swap_inode_data(inode, inode_bl);
 		ext4_mark_inode_dirty(handle, inode);
-	} else {
-		err = ext4_mark_inode_dirty(handle, inode_bl);
-		if (err < 0) {
-			ext4_warning(inode_bl->i_sb,
-				"couldn't mark inode #%lu dirty (err %d)",
-				inode_bl->i_ino, err);
-			/* Revert all changes: */
-			swap_inode_data(inode, inode_bl);
-			ext4_mark_inode_dirty(handle, inode);
-			ext4_mark_inode_dirty(handle, inode_bl);
-		}
+		goto err_out1;
 	}
+
+	blocks = inode_bl->i_blocks;
+	bytes = inode_bl->i_bytes;
+	inode_bl->i_blocks = inode->i_blocks;
+	inode_bl->i_bytes = inode->i_bytes;
+	err = ext4_mark_inode_dirty(handle, inode_bl);
+	if (err < 0) {
+		/* No need to update quota information. */
+		ext4_warning(inode_bl->i_sb,
+			"couldn't mark inode #%lu dirty (err %d)",
+			inode_bl->i_ino, err);
+		goto revert;
+	}
+
+	/* Bootloader inode should not be counted into quota information. */
+	if (diff > 0)
+		dquot_free_space(inode, diff);
+	else
+		err = dquot_alloc_space(inode, -1 * diff);
+
+	if (err < 0) {
+revert:
+		/* Revert all changes: */
+		inode_bl->i_blocks = blocks;
+		inode_bl->i_bytes = bytes;
+		swap_inode_data(inode, inode_bl);
+		ext4_mark_inode_dirty(handle, inode);
+		ext4_mark_inode_dirty(handle, inode_bl);
+	}
+
+err_out1:
 	ext4_journal_stop(handle);
 	ext4_double_up_write_data_sem(inode, inode_bl);
 
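Review bot: The `revert:` label sits inside the `if (err < 0) {` block that follows the quota update, and `goto revert` jumps into that block from the earlier ext4_mark_inode_dirty() failure; a label at function scope with its own cleanup sequence would be easier to follow and harder to break. Also, when `diff` is zero the else branch calls dquot_alloc_space(inode, 0), so testing `diff > 0` and `diff < 0` separately would skip a needless quota call.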


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 054/129] bcache: never writeback a discard operation
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 032/129] m68k: Add -ffreestanding to CFLAGS Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 097/129] ip6mr: Do not call __IP6_INC_STATS() from preemptible context Ben Hutchings
                   ` (8 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Daniel Axtens, Jens Axboe, Kent Overstreet,
	Coly Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Axtens <dja@axtens.net>

commit 9951379b0ca88c95876ad9778b9099e19a95d566 upstream.

Some users see panics like the following when performing fstrim on a
bcached volume:

[  529.803060] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[  530.183928] #PF error: [normal kernel read fault]
[  530.412392] PGD 8000001f42163067 P4D 8000001f42163067 PUD 1f42168067 PMD 0
[  530.750887] Oops: 0000 [#1] SMP PTI
[  530.920869] CPU: 10 PID: 4167 Comm: fstrim Kdump: loaded Not tainted 5.0.0-rc1+ #3
[  531.290204] Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 12/27/2015
[  531.693137] RIP: 0010:blk_queue_split+0x148/0x620
[  531.922205] Code: 60 38 89 55 a0 45 31 db 45 31 f6 45 31 c9 31 ff 89 4d 98 85 db 0f 84 7f 04 00 00 44 8b 6d 98 4c 89 ee 48 c1 e6 04 49 03 70 78 <8b> 46 08 44 8b 56 0c 48
8b 16 44 29 e0 39 d8 48 89 55 a8 0f 47 c3
[  532.838634] RSP: 0018:ffffb9b708df39b0 EFLAGS: 00010246
[  533.093571] RAX: 00000000ffffffff RBX: 0000000000046000 RCX: 0000000000000000
[  533.441865] RDX: 0000000000000200 RSI: 0000000000000000 RDI: 0000000000000000
[  533.789922] RBP: ffffb9b708df3a48 R08: ffff940d3b3fdd20 R09: 0000000000000000
[  534.137512] R10: ffffb9b708df3958 R11: 0000000000000000 R12: 0000000000000000
[  534.485329] R13: 0000000000000000 R14: 0000000000000000 R15: ffff940d39212020
[  534.833319] FS:  00007efec26e3840(0000) GS:ffff940d1f480000(0000) knlGS:0000000000000000
[  535.224098] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  535.504318] CR2: 0000000000000008 CR3: 0000001f4e256004 CR4: 00000000001606e0
[  535.851759] Call Trace:
[  535.970308]  ? mempool_alloc_slab+0x15/0x20
[  536.174152]  ? bch_data_insert+0x42/0xd0 [bcache]
[  536.403399]  blk_mq_make_request+0x97/0x4f0
[  536.607036]  generic_make_request+0x1e2/0x410
[  536.819164]  submit_bio+0x73/0x150
[  536.980168]  ? submit_bio+0x73/0x150
[  537.149731]  ? bio_associate_blkg_from_css+0x3b/0x60
[  537.391595]  ? _cond_resched+0x1a/0x50
[  537.573774]  submit_bio_wait+0x59/0x90
[  537.756105]  blkdev_issue_discard+0x80/0xd0
[  537.959590]  ext4_trim_fs+0x4a9/0x9e0
[  538.137636]  ? ext4_trim_fs+0x4a9/0x9e0
[  538.324087]  ext4_ioctl+0xea4/0x1530
[  538.497712]  ? _copy_to_user+0x2a/0x40
[  538.679632]  do_vfs_ioctl+0xa6/0x600
[  538.853127]  ? __do_sys_newfstat+0x44/0x70
[  539.051951]  ksys_ioctl+0x6d/0x80
[  539.212785]  __x64_sys_ioctl+0x1a/0x20
[  539.394918]  do_syscall_64+0x5a/0x110
[  539.568674]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

We have observed it where both:
1) LVM/devmapper is involved (bcache backing device is LVM volume) and
2) writeback cache is involved (bcache cache_mode is writeback)

On one machine, we can reliably reproduce it with:

 # echo writeback > /sys/block/bcache0/bcache/cache_mode
   (not sure whether above line is required)
 # mount /dev/bcache0 /test
 # for i in {0..10}; do
	file="$(mktemp /test/zero.XXX)"
	dd if=/dev/zero of="$file" bs=1M count=256
	sync
	rm $file
    done
  # fstrim -v /test

Observing this with tracepoints on, we see the following writes:

fstrim-18019 [022] .... 91107.302026: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 4260112 + 196352 hit 0 bypass 1
fstrim-18019 [022] .... 91107.302050: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 4456464 + 262144 hit 0 bypass 1
fstrim-18019 [022] .... 91107.302075: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 4718608 + 81920 hit 0 bypass 1
fstrim-18019 [022] .... 91107.302094: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 5324816 + 180224 hit 0 bypass 1
fstrim-18019 [022] .... 91107.302121: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 5505040 + 262144 hit 0 bypass 1
fstrim-18019 [022] .... 91107.302145: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 5767184 + 81920 hit 0 bypass 1
fstrim-18019 [022] .... 91107.308777: bcache_write: 73f95583-561c-408f-a93a-4cbd2498f5c8 inode 0  DS 6373392 + 180224 hit 1 bypass 0
<crash>

Note the final one has different hit/bypass flags.

This is because in should_writeback(), we were hitting a case where
the partial stripe condition was returning true and so
should_writeback() was returning true early.

If that hadn't been the case, it would have hit the would_skip test, and
as would_skip == s->iop.bypass == true, should_writeback() would have
returned false.

Looking at the git history from 'commit 72c270612bd3 ("bcache: Write out
full stripes")', it looks like the idea was to optimise for raid5/6:

       * If a stripe is already dirty, force writes to that stripe to
	 writeback mode - to help build up full stripes of dirty data

To fix this issue, make sure that should_writeback() on a discard op
never returns true.

More details of debugging:
https://www.spinics.net/lists/linux-bcache/msg06996.html

Previous reports:
 - https://bugzilla.kernel.org/show_bug.cgi?id=201051
 - https://bugzilla.kernel.org/show_bug.cgi?id=196103
 - https://www.spinics.net/lists/linux-bcache/msg06885.html

(Coly Li: minor modification to follow maximum 75 chars per line rule)

Cc: Kent Overstreet <koverstreet@google.com>
Fixes: 72c270612bd3 ("bcache: Write out full stripes")
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16: check REQ_DISCARD flag instead of calling bio_op()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/bcache/writeback.h | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -68,6 +68,9 @@ static inline bool should_writeback(stru
 	    in_use > CUTOFF_WRITEBACK_SYNC)
 		return false;
 
+	if (bio->bi_rw & REQ_DISCARD)
+		return false;
+
 	if (dc->partial_stripes_expensive &&
 	    bcache_dev_stripe_dirty(dc, bio->bi_iter.bi_sector,
 				    bio_sectors(bio)))
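Review bot: The new `bio->bi_rw & REQ_DISCARD` test carries no comment, yet according to the commit message the fix depends on it running before the `dc->partial_stripes_expensive` check that follows. A one-line comment saying that discards must be rejected ahead of the partial-stripe shortcut would keep a later reorder from reintroducing the crash.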


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 048/129] USB: serial: cp210x: add ID for Ingenico 3070
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 037/129] mtd: docg3: Don't leak docg3->bbt in error path Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 074/129] perf header: Fix wrong node write in NUMA_TOPOLOGY feature Ben Hutchings
                   ` (124 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johan Hovold, Ivan Mironov

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Mironov <mironov.ivan@gmail.com>

commit dd9d3d86b08d6a106830364879c42c78db85389c upstream.

Here is how this device appears in kernel log:

	usb 3-1: new full-speed USB device number 18 using xhci_hcd
	usb 3-1: New USB device found, idVendor=0b00, idProduct=3070
	usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
	usb 3-1: Product: Ingenico 3070
	usb 3-1: Manufacturer: Silicon Labs
	usb 3-1: SerialNumber: 0001

Apparently this is a POS terminal with embedded USB-to-Serial converter.

Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -57,6 +57,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
 	{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
 	{ USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */
+	{ USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */
 	{ USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */
 	{ USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */
 	{ USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */
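Review bot: the comment on the new `{ USB_DEVICE(0x0B00, 0x3070) }` entry only repeats the product string, while the neighbouring entries say what kind of device they are. The commit message identifies this as a POS terminal with an embedded USB-to-serial converter, so something like "Ingenico 3070 POS terminal" would be more useful to someone auditing which devices this driver binds to. The placement between 0x0908 and 0x0BED keeps the table sorted.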


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 047/129] rtc: ds1672: fix unintended sign extension
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 098/129] CIFS: Do not reset lease state to NONE on lease break Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 076/129] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() Ben Hutchings
                   ` (90 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexandre Belloni, Colin Ian King

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit f0c04c276739ed8acbb41b4868e942a55b128dca upstream.

Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.

Fix this by casting the u8 value to an unsigned long before the shift.

Detected by CoverityScan, CID#138801 ("Unintended sign extension")

Fixes: edf1aaa31fc5 ("[PATCH] RTC subsystem: DS1672 driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-ds1672.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/rtc/rtc-ds1672.c
+++ b/drivers/rtc/rtc-ds1672.c
@@ -60,7 +60,8 @@ static int ds1672_get_datetime(struct i2
 		"%s: raw read data - counters=%02x,%02x,%02x,%02x\n",
 		__func__, buf[0], buf[1], buf[2], buf[3]);
 
-	time = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	time = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+	       (buf[1] << 8) | buf[0];
 
 	rtc_time_to_tm(time, tm);
 
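Review bot: the cast in `time = ((unsigned long)buf[3] << 24) | ...` fixes the sign extension, but the line still open-codes a little-endian 32-bit load. get_unaligned_le32(buf) would return a u32 directly and remove the promotion question altogether. If the shifts stay, a short comment that only buf[3] needs the cast (the other bytes shift by at most 16 and cannot reach bit 31) would stop the next reader from wondering why the remaining terms were left alone.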


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 007/129] clk: imx6q: fix refcount leak in imx6q_clocks_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 029/129] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 108/129] lib/div64.c: off by one in shift Ben Hutchings
                   ` (68 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Yangtao Li, Stephen Boyd

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit c9ec1d8fef31b5fc9e90e99f9bd685db5caa7c5e upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Fixes: 2acd1b6f889c ("ARM: i.MX6: implement clocks using common clock framework")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-imx/clk-imx6q.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-imx/clk-imx6q.c
+++ b/arch/arm/mach-imx/clk-imx6q.c
@@ -157,6 +157,7 @@ static void __init imx6q_clocks_init(str
 	np = of_find_compatible_node(NULL, NULL, "fsl,imx6q-anatop");
 	base = of_iomap(np, 0);
 	WARN_ON(!base);
+	of_node_put(np);
 
 	/* Audio/video PLL post dividers do not work on i.MX6q revision 1.0 */
 	if (cpu_is_imx6q() && imx_get_soc_revision() == IMX_CHIP_REVISION_1_0) {
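Review bot: the added `of_node_put(np);` comes after the last use of np in the visible lines, which is the right place, but the surrounding code still only does `WARN_ON(!base);` and then carries on. If the "fsl,imx6q-anatop" lookup or the mapping fails, base is NULL for everything that follows. That is not something to change in a stable backport, but it is worth a follow-up upstream, or at least a comment that a missing anatop node is treated as non-fatal here.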


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 044/129] crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 058/129] ext4: update quota information while swapping boot loader inode Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 111/129] vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() Ben Hutchings
                   ` (76 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Biggers, Ard Biesheuvel, Herbert Xu

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit eaf46edf6ea89675bd36245369c8de5063a0272c upstream.

The NEON MAC calculation routine fails to handle the case correctly
where there is some data in the buffer, and the input fills it up
exactly. In this case, we enter the loop at the end with w8 == 0,
while a negative value is assumed, and so the loop carries on until
the increment of the 32-bit counter wraps around, which is quite
obviously wrong.

So omit the loop altogether in this case, and exit right away.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Fixes: a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/crypto/aes-ce-ccm-core.S | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm64/crypto/aes-ce-ccm-core.S
+++ b/arch/arm64/crypto/aes-ce-ccm-core.S
@@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data)
 	beq	10f
 	ext	v0.16b, v0.16b, v0.16b, #1	/* rotate out the mac bytes */
 	b	7b
-8:	mov	w7, w8
+8:	cbz	w8, 91f
+	mov	w7, w8
 	add	w8, w8, #16
 9:	ext	v1.16b, v1.16b, v1.16b, #1
 	adds	w7, w7, #1
 	bne	9b
-	eor	v0.16b, v0.16b, v1.16b
+91:	eor	v0.16b, v0.16b, v1.16b
 	st1	{v0.16b}, [x0]
 10:	str	w8, [x3]
 	ret
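Review bot: the new `8:	cbz	w8, 91f` needs a comment. The loop at `9:` counts w7 up towards zero with `adds w7, w7, #1` / `bne 9b`, so entering it with w7 == 0 runs until the 32-bit counter wraps, and that is not obvious from the instruction alone. Note also that the early exit skips `add w8, w8, #16`, so the value written by `10:	str w8, [x3]` is 0 on this path. That looks intended for the "input fills the buffer exactly" case in the commit message, but saying so next to the branch would make it reviewable without the changelog.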


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 043/129] crypto: testmgr - skip crc32c context test for ahash algorithms
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 083/129] mmc: omap: fix the maximum timeout setting Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 056/129] jbd2: clear dirty flag when revoking a buffer from an older transaction Ben Hutchings
                   ` (41 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu, Eric Biggers

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit eb5e6730db98fcc4b51148b4a819fa4bf864ae54 upstream.

Instantiating "cryptd(crc32c)" causes a crypto self-test failure because
the crypto_alloc_shash() in alg_test_crc32c() fails.  This is because
cryptd(crc32c) is an ahash algorithm, not a shash algorithm; so it can
only be accessed through the ahash API, unlike shash algorithms which
can be accessed through both the ahash and shash APIs.

As the test is testing the shash descriptor format which is only
applicable to shash algorithms, skip it for ahash algorithms.

(Note that it's still important to fix crypto self-test failures even
 for weird algorithm instantiations like cryptd(crc32c) that no one
 would really use; in fips_enabled mode unprivileged users can use them
 to panic the kernel, and also they prevent treating a crypto self-test
 failure as a bug when fuzzing the kernel.)

Fixes: 8e3ee85e68c5 ("crypto: crc32c - Test descriptor context format")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/testmgr.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1655,14 +1655,21 @@ static int alg_test_crc32c(const struct
 
 	err = alg_test_hash(desc, driver, type, mask);
 	if (err)
-		goto out;
+		return err;
 
 	tfm = crypto_alloc_shash(driver, type, mask);
 	if (IS_ERR(tfm)) {
+		if (PTR_ERR(tfm) == -ENOENT) {
+			/*
+			 * This crc32c implementation is only available through
+			 * ahash API, not the shash API, so the remaining part
+			 * of the test is not applicable to it.
+			 */
+			return 0;
+		}
 		printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
 		       "%ld\n", driver, PTR_ERR(tfm));
-		err = PTR_ERR(tfm);
-		goto out;
+		return PTR_ERR(tfm);
 	}
 
 	do {
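Review bot: `if (PTR_ERR(tfm) == -ENOENT) return 0;` treats every -ENOENT from crypto_alloc_shash() as "this driver is ahash-only" and reports the test as passed without logging anything. If -ENOENT can also come back for another reason (for example the driver name not resolving at all), the descriptor-context check is skipped silently. Since alg_test_hash() has already succeeded by this point the risk is small, but a pr_debug() on this path, or a sentence in the comment saying why -ENOENT can only mean "not an shash" here, would make a skipped test visible when someone is chasing a self-test result.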
@@ -1691,7 +1698,6 @@ static int alg_test_crc32c(const struct
 
 	crypto_free_shash(tfm);
 
-out:
 	return err;
 }
 


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 051/129] rtc: 88pm860x: fix unintended sign extension
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 090/129] powerpc/powernv: Make opal log only readable by root Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 060/129] parport_pc: fix find_superio io compare code, should use equal test Ben Hutchings
                   ` (33 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alexandre Belloni, Colin Ian King

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit dc9e47160626cdb58d5c39a4f43dcfdb27a5c004 upstream.

Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.

Fix this by casting the u8 value to an unsigned long before the shift.

Detected by CoverityScan, CID#144925-144928 ("Unintended sign extension")

Fixes: 008b30408c40 ("mfd: Add rtc support to 88pm860x")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-88pm860x.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/rtc/rtc-88pm860x.c
+++ b/drivers/rtc/rtc-88pm860x.c
@@ -115,11 +115,13 @@ static int pm860x_rtc_read_time(struct d
 	pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf);
 	dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1],
 		buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]);
-	base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7];
+	base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) |
+		(buf[5] << 8) | buf[7];
 
 	/* load 32-bit read-only counter */
 	pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	ticks = base + data;
 	dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);
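Review bot: the same cast-and-shift expression is pasted twice in this hunk and again in the three hunks that follow, in two byte orders (`buf[1], buf[3], buf[5], buf[7]` for base and `buf[3]..buf[0]` for data). That is how the original bug ended up in several places at once. A small static helper per layout that returns a u32 (or get_unaligned_le32() for the little-endian counter read) would leave one place to get the promotion right. I would also prefer a u32 cast to `unsigned long`, since the value is 32 bits wide by construction.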
@@ -145,7 +147,8 @@ static int pm860x_rtc_set_time(struct de
 
 	/* load 32-bit read-only counter */
 	pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	base = ticks - data;
 	dev_dbg(info->dev, "set base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);
@@ -170,10 +173,12 @@ static int pm860x_rtc_read_alarm(struct
 	pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf);
 	dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1],
 		buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]);
-	base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7];
+	base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) |
+		(buf[5] << 8) | buf[7];
 
 	pm860x_bulk_read(info->i2c, PM8607_RTC_EXPIRE1, 4, buf);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	ticks = base + data;
 	dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);
@@ -198,11 +203,13 @@ static int pm860x_rtc_set_alarm(struct d
 	pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf);
 	dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1],
 		buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]);
-	base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7];
+	base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) |
+		(buf[5] << 8) | buf[7];
 
 	/* load 32-bit read-only counter */
 	pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf);
-	data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+	data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+		(buf[1] << 8) | buf[0];
 	ticks = base + data;
 	dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
 		base, data, ticks);


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 050/129] crypto: ahash - fix another early termination in hash walk
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 036/129] rcu: Do RCU GP kthread self-wakeup from softirq and interrupt Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 125/129] media: uvcvideo: Fix 'type' check leading to overflow Ben Hutchings
                   ` (26 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Eric Biggers, Herbert Xu

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream.

Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
"michael_mic", fail the improved hash tests because they sometimes
produce the wrong digest.  The bug is that in the case where a
scatterlist element crosses pages, not all the data is actually hashed
because the scatterlist walk terminates too early.  This happens because
the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
of bytes remaining in the page, then later interpreted as the number of
bytes remaining in the scatterlist element.  Fix it.

Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/ahash.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -84,17 +84,17 @@ static int hash_walk_new_entry(struct cr
 int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err)
 {
 	unsigned int alignmask = walk->alignmask;
-	unsigned int nbytes = walk->entrylen;
 
 	walk->data -= walk->offset;
 
-	if (nbytes && walk->offset & alignmask && !err) {
-		walk->offset = ALIGN(walk->offset, alignmask + 1);
-		nbytes = min(nbytes,
-			     ((unsigned int)(PAGE_SIZE)) - walk->offset);
-		walk->entrylen -= nbytes;
+	if (walk->entrylen && (walk->offset & alignmask) && !err) {
+		unsigned int nbytes;
 
+		walk->offset = ALIGN(walk->offset, alignmask + 1);
+		nbytes = min(walk->entrylen,
+			     (unsigned int)(PAGE_SIZE - walk->offset));
 		if (nbytes) {
+			walk->entrylen -= nbytes;
 			walk->data += walk->offset;
 			return nbytes;
 		}
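Review bot: the new block-local `unsigned int nbytes;` should carry a one-line comment saying it is the number of bytes left in the current page after realignment, capped by walk->entrylen. Mixing up "left in the page" and "left in the scatterlist element" is exactly the bug the commit message describes, and the names alone do not tell them apart. It is also worth noting in the comment that nbytes can be 0 when ALIGN() moves walk->offset to PAGE_SIZE, which is the case the `if (nbytes)` test covers.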
@@ -114,7 +114,7 @@ int crypto_hash_walk_done(struct crypto_
 	if (err)
 		return err;
 
-	if (nbytes) {
+	if (walk->entrylen) {
 		walk->offset = 0;
 		walk->pg++;
 		return hash_walk_next(walk);


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 034/129] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 053/129] rtc: pm8xxx: fix unintended sign extension Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 104/129] s390/virtio: handle find on invalid queue gracefully Ben Hutchings
                   ` (46 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Buland Singh, Greg Kroah-Hartman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Buland Singh <bsingh@redhat.com>

commit 24d48a61f2666630da130cc2ec2e526eacf229e3 upstream.

Commit '3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for
user processes")' introduced a new kernel command line parameter hpet_mmap,
that is required to expose the memory map of the HPET registers to
user-space. Unfortunately the kernel command line parameter 'hpet_mmap' is
broken and never takes effect due to missing '=' character in the __setup()
code of hpet_mmap_enable.

Before this patch:

dmesg output with the kernel command line parameter hpet_mmap=1

[    0.204152] HPET mmap disabled

dmesg output with the kernel command line parameter hpet_mmap=0

[    0.204192] HPET mmap disabled

After this patch:

dmesg output with the kernel command line parameter hpet_mmap=1

[    0.203945] HPET mmap enabled

dmesg output with the kernel command line parameter hpet_mmap=0

[    0.204652] HPET mmap disabled

Fixes: 3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user processes")
Signed-off-by: Buland Singh <bsingh@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/hpet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/hpet.c
+++ b/drivers/char/hpet.c
@@ -377,7 +377,7 @@ static __init int hpet_mmap_enable(char
 	pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled");
 	return 1;
 }
-__setup("hpet_mmap", hpet_mmap_enable);
+__setup("hpet_mmap=", hpet_mmap_enable);
 
 static int hpet_mmap(struct file *file, struct vm_area_struct *vma)
 {
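Review bot: changing `__setup("hpet_mmap", ...)` to `__setup("hpet_mmap=", ...)` is correct, but it is a behaviour change for existing systems that the changelog should call out. Per the before/after dmesg output in the commit message, a machine already booting with hpet_mmap=1 has been running with "HPET mmap disabled" and will start exposing the HPET registers to user space once this lands. For a stable update that deserves a line in the release notes so administrators can check their command lines. The handler in the context lines also returns 1 unconditionally, so it would be worth confirming what it does with a value that is neither 0 nor 1.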


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 033/129] pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 008/129] clk: imx6sx: fix refcount leak in imx6sx_clocks_init() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 114/129] It's wrong to add len to sector_nr in raid10 reshape twice Ben Hutchings
                   ` (128 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Geert Uytterhoeven, Simon Horman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 8e32e881947be98abaa917157fefc4a3319e90af upstream.

When declaring the HSPI RX1_B and TX1_B pins, two mistakes were made:
  - the rows and columns in the BGA pin matrix, from which the pin
    numbers are derived, were exchanged,
  - it was not taken into account that pin row labelling skips
    characters I, O, Q, and S.

Fix the order, and the corresponding pin names.

Notes:
  - The actual values of the pin numbers don't really matter (they just
    have to be unique), so the wrong order didn't have any impact,
  - Changing the names of the pins is user-visible, but there are no
    users in (upstream) DTS files.

Fixes: 4f82e3ee724f1712 ("sh-pfc: Support pins not associated with a GPIO port")
Fixes: 09cc76a95802e87d ("sh-pfc: r8a7778: add HSPI pin groups")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/sh-pfc/pfc-r8a7778.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7778.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7778.c
@@ -1265,8 +1265,8 @@ static const struct sh_pfc_pin pinmux_pi
 
 	/* Pins not associated with a GPIO port */
 	SH_PFC_PIN_NAMED(3, 20, C20),
-	SH_PFC_PIN_NAMED(20, 1, T1),
-	SH_PFC_PIN_NAMED(25, 2, Y2),
+	SH_PFC_PIN_NAMED(1, 20, A20),
+	SH_PFC_PIN_NAMED(2, 25, B25),
 };
 
 /* - macro */
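Review bot: the corrected `SH_PFC_PIN_NAMED(1, 20, A20)` and `SH_PFC_PIN_NAMED(2, 25, B25)` entries would benefit from a comment above the "Pins not associated with a GPIO port" block stating the argument order (row, column) and that BGA row labels skip I, O, Q and S. Both mistakes listed in the commit message came from that convention not being written down next to the table. The same (row, column) pairs are repeated in the PIN_NUMBER() arguments of HSPI_PFC_PIN(hspi1_b, ...) in the next hunk, so the two places have to be kept in step by hand.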
@@ -1401,7 +1401,7 @@ HSPI_PFC_DAT(hspi1_a,	HSPI_CLK1_A,		HSPI
 			HSPI_RX1_A,		HSPI_TX1_A);
 
 HSPI_PFC_PIN(hspi1_b,	RCAR_GP_PIN(0, 27),	RCAR_GP_PIN(0, 26),
-			PIN_NUMBER(20, 1),	PIN_NUMBER(25, 2));
+			PIN_NUMBER(1, 20),	PIN_NUMBER(2, 25));
 HSPI_PFC_DAT(hspi1_b,	HSPI_CLK1_B,		HSPI_CS1_B,
 			HSPI_RX1_B,		HSPI_TX1_B);
 


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 042/129] devres: always use dev_name() in devm_ioremap_resource()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 038/129] mtd: docg3: Fix kasprintf() usage Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 039/129] mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device Ben Hutchings
                   ` (62 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sergei Shtylyov, Greg Kroah-Hartman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 8d84b18f5678d3adfdb9375dfb0d968da2dc753d upstream.

devm_ioremap_resource() prefers calling devm_request_mem_region() with a
resource name instead of a device name -- this looks pretty iff a resource
name isn't specified via a device tree with a "reg-names" property (in this
case, a resource name is set to a device node's full name), but if it is,
it doesn't really scale since these names are only unique to a given device
node, not globally; so, looking at the output of 'cat /proc/iomem', you do
not have an idea which memory region belongs to which device (see "dirmap",
"regs", and "wbuf" lines below):

08000000-0bffffff : dirmap
48000000-bfffffff : System RAM
  48000000-48007fff : reserved
  48080000-48b0ffff : Kernel code
  48b10000-48b8ffff : reserved
  48b90000-48c7afff : Kernel data
  bc6a4000-bcbfffff : reserved
  bcc0f000-bebfffff : reserved
  bec0e000-bec0efff : reserved
  bec11000-bec11fff : reserved
  bec12000-bec14fff : reserved
  bec15000-bfffffff : reserved
e6050000-e605004f : gpio@e6050000
e6051000-e605104f : gpio@e6051000
e6052000-e605204f : gpio@e6052000
e6053000-e605304f : gpio@e6053000
e6054000-e605404f : gpio@e6054000
e6055000-e605504f : gpio@e6055000
e6060000-e606050b : pin-controller@e6060000
e6e60000-e6e6003f : e6e60000.serial
e7400000-e7400fff : ethernet@e7400000
ee200000-ee2001ff : regs
ee208000-ee2080ff : wbuf

I think that devm_request_mem_region() should be called with dev_name()
despite the region names won't look as pretty as before (however, we gain
more consistency with e.g. the serial driver:

08000000-0bffffff : ee200000.rpc
48000000-bfffffff : System RAM
  48000000-48007fff : reserved
  48080000-48b0ffff : Kernel code
  48b10000-48b8ffff : reserved
  48b90000-48c7afff : Kernel data
  bc6a4000-bcbfffff : reserved
  bcc0f000-bebfffff : reserved
  bec0e000-bec0efff : reserved
  bec11000-bec11fff : reserved
  bec12000-bec14fff : reserved
  bec15000-bfffffff : reserved
e6050000-e605004f : e6050000.gpio
e6051000-e605104f : e6051000.gpio
e6052000-e605204f : e6052000.gpio
e6053000-e605304f : e6053000.gpio
e6054000-e605404f : e6054000.gpio
e6055000-e605504f : e6055000.gpio
e6060000-e606050b : e6060000.pin-controller
e6e60000-e6e6003f : e6e60000.serial
e7400000-e7400fff : e7400000.ethernet
ee200000-ee2001ff : ee200000.rpc
ee208000-ee2080ff : ee200000.rpc

Fixes: 72f8c0bfa0de ("lib: devres: add convenience function to remap a resource")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/devres.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/lib/devres.c
+++ b/lib/devres.c
@@ -109,7 +109,6 @@ EXPORT_SYMBOL(devm_iounmap);
 void __iomem *devm_ioremap_resource(struct device *dev, struct resource *res)
 {
 	resource_size_t size;
-	const char *name;
 	void __iomem *dest_ptr;
 
 	BUG_ON(!dev);
@@ -120,9 +119,8 @@ void __iomem *devm_ioremap_resource(stru
 	}
 
 	size = resource_size(res);
-	name = res->name ?: dev_name(dev);
 
-	if (!devm_request_mem_region(dev, res->start, size, name)) {
+	if (!devm_request_mem_region(dev, res->start, size, dev_name(dev))) {
 		dev_err(dev, "can't request region for resource %pR\n", res);
 		return IOMEM_ERR_PTR(-EBUSY);
 	}
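Review bot: passing `dev_name(dev)` unconditionally to devm_request_mem_region() discards res->name, so a device with several regions now shows identical entries in /proc/iomem. The "after" listing in the commit message has ee200000.rpc three times where the "before" listing distinguished dirmap, regs and wbuf. That trades one ambiguity for another when debugging a region conflict. Combining both, for example "<dev_name> <res->name>" when res->name is set, would keep the device attribution without losing which region is which. If that is considered too invasive for this change, the kernel-doc for devm_ioremap_resource() should at least say that the resource name is ignored.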


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 040/129] tty: ipwireless: Fix potential NULL pointer dereference
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 077/129] KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 080/129] powerpc/83xx: Also save/restore SPRG4-7 during suspend Ben Hutchings
                   ` (120 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, YueHaibing

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 7dd50e205b3348dc7784efbdf85723551de64a25 upstream.

There is a potential NULL pointer dereference in case
alloc_ctrl_packet() fails and returns NULL.

Fixes: 099dc4fb6265 ("ipwireless: driver for PC Card 3G/UMTS modem")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/ipwireless/hardware.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/tty/ipwireless/hardware.c
+++ b/drivers/tty/ipwireless/hardware.c
@@ -1515,6 +1515,8 @@ static void ipw_send_setup_packet(struct
 			sizeof(struct ipw_setup_get_version_query_packet),
 			ADDR_SETUP_PROT, TL_PROTOCOLID_SETUP,
 			TL_SETUP_SIGNO_GET_VERSION_QRY);
+	if (!ver_packet)
+		return;
 	ver_packet->header.length = sizeof(struct tl_setup_get_version_qry);
 
 	/*
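Review bot: the added `if (!ver_packet) return;` avoids the NULL dereference but fails silently. ipw_send_setup_packet() is void, so the caller cannot tell that the version query was never queued, and nothing is logged. At minimum a rate-limited error message on this path would make the failure visible. It would also be worth checking whether the other alloc_ctrl_packet() call sites in this file handle a NULL return, since this hunk only covers one of them.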


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 041/129] ext2: Fix underflow in ext2_max_size()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 006/129] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-08 11:05 ` [PATCH 3.16 000/129] 3.16.70-rc1 review Guenter Roeck
                   ` (3 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jan Kara, yangerkun

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 1c2d14212b15a60300a2d4f6364753e87394c521 upstream.

When ext2 filesystem is created with 64k block size, ext2_max_size()
will return value less than 0. Also, we cannot write any file in this fs
since the sb->maxbytes is less than 0. The core of the problem is that
the size of block index tree for such large block size is more than
i_blocks can carry. So fix the computation to count with this
possibility.

File size limits computed with the new function for the full range of
possible block sizes look like:

bits file_size
10     17247252480
11    275415851008
12   2196873666560
13   2197948973056
14   2198486220800
15   2198754754560
16   2198888906752

Reported-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext2/super.c | 39 +++++++++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 14 deletions(-)

--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -701,7 +701,8 @@ static loff_t ext2_max_size(int bits)
 {
 	loff_t res = EXT2_NDIR_BLOCKS;
 	int meta_blocks;
-	loff_t upper_limit;
+	unsigned int upper_limit;
+	unsigned int ppb = 1 << (bits-2);
 
 	/* This is calculated to be the largest file size for a
 	 * dense, file such that the total number of
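Review bot: the new `unsigned int ppb = 1 << (bits-2);` is used throughout the rewritten calculation but is not explained. A short comment that it is the number of block pointers per block (block size divided by the 4-byte pointer size) would make the later `ppb * ppb` terms readable. The change of upper_limit from loff_t to unsigned int also relies on its starting value fitting in 32 bits. The assignment is outside this hunk, so please state that assumption in the comment block here.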
@@ -715,24 +716,34 @@ static loff_t ext2_max_size(int bits)
 	/* total blocks in file system block size */
 	upper_limit >>= (bits - 9);
 
-
-	/* indirect blocks */
-	meta_blocks = 1;
-	/* double indirect blocks */
-	meta_blocks += 1 + (1LL << (bits-2));
-	/* tripple indirect blocks */
-	meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2)));
-
-	upper_limit -= meta_blocks;
-	upper_limit <<= bits;
-
+	/* Compute how many blocks we can address by block tree */
 	res += 1LL << (bits-2);
 	res += 1LL << (2*(bits-2));
 	res += 1LL << (3*(bits-2));
+	/* Does block tree limit file size? */
+	if (res < upper_limit)
+		goto check_lfs;
+
+	res = upper_limit;
+	/* How many metadata blocks are needed for addressing upper_limit? */
+	upper_limit -= EXT2_NDIR_BLOCKS;
+	/* indirect blocks */
+	meta_blocks = 1;
+	upper_limit -= ppb;
+	/* double indirect blocks */
+	if (upper_limit < ppb * ppb) {
+		meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb);
+		res -= meta_blocks;
+		goto check_lfs;
+	}
+	meta_blocks += 1 + ppb;
+	upper_limit -= ppb * ppb;
+	/* tripple indirect blocks for the rest */
+	meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) +
+		DIV_ROUND_UP(upper_limit, ppb*ppb);
+	res -= meta_blocks;
+check_lfs:
 	res <<= bits;
-	if (res > upper_limit)
-		res = upper_limit;
-
 	if (res > MAX_LFS_FILESIZE)
 		res = MAX_LFS_FILESIZE;
 
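Review bot: `if (upper_limit < ppb * ppb)` and `upper_limit -= ppb * ppb;` are evaluated in unsigned int. That is fine for the block sizes in the commit message's table (bits up to 16, so ppb is at most 1 << 14 and the product at most 1 << 28), but nothing in the code says so; a comment or a BUILD_BUG_ON-style guard on the maximum bits value would keep this from silently wrapping if larger blocks are ever allowed. The comparison `res < upper_limit` also mixes loff_t with unsigned int, and meta_blocks is a plain int accumulating DIV_ROUND_UP() results of unsigned values, so it is worth confirming the signedness is intended. Minor: the new comment line carries over the "tripple" spelling.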


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 039/129] mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 042/129] devres: always use dev_name() in devm_ioremap_resource() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 049/129] media: uvcvideo: Avoid NULL pointer dereference at the end of streaming Ben Hutchings
                   ` (61 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Boris Brezillon, Robert Jarzmik, YueHaibing

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit 32937a82f36c7bbe08db4052de94bc7ade4e3c51 upstream.

Fix a static code checker warning:
drivers/mtd/devices/docg3.c:1875
 doc_probe_device() warn: passing zero to 'ERR_PTR'

Fixes: ae9d4934b2d7 ("mtd: docg3: add multiple floor support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/devices/docg3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -1939,7 +1939,7 @@ nomem3:
 nomem2:
 	kfree(docg3);
 nomem1:
-	return ERR_PTR(ret);
+	return ret ? ERR_PTR(ret) : NULL;
 }
 
 /**
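Review bot: at `nomem1:`, the new `return ret ? ERR_PTR(ret) : NULL;` gives the function a third outcome (NULL) besides a valid pointer and an ERR_PTR, and the hunk does not document it. Add a comment above the return, or in the function's kernel-doc, saying that NULL means ret was 0 on a cleanup path, and confirm that every caller tests for NULL as well as IS_ERR() before dereferencing the result.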



* [PATCH 3.16 032/129] m68k: Add -ffreestanding to CFLAGS
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 059/129] ext4: add mask of ext4 flags to swap Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 054/129] bcache: never writeback a discard operation Ben Hutchings
                   ` (9 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Finn Thain, Geert Uytterhoeven

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit 28713169d879b67be2ef2f84dcf54905de238294 upstream.

This patch fixes a build failure when using GCC 8.1:

/usr/bin/ld: block/partitions/ldm.o: in function `ldm_parse_tocblock':
block/partitions/ldm.c:153: undefined reference to `strcmp'

This is caused by a new optimization which effectively replaces a
strncmp() call with a strcmp() call. This affects a number of strncmp()
call sites in the kernel.

The entire class of optimizations is avoided with -fno-builtin, which
gets enabled by -ffreestanding. This may avoid possible future build
failures in case new optimizations appear in future compilers.

I haven't done any performance measurements with this patch but I did
count the function calls in a defconfig build. For example, there are now
23 more sprintf() calls and 39 fewer strcpy() calls. The effect on the
other libc functions is smaller.

If this harms performance we can tackle that regression by optimizing
the call sites, ideally using semantic patches. That way, clang and ICC
builds might benefit too.

Reference: https://marc.info/?l=linux-m68k&m=154514816222244&w=2
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/m68k/Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/m68k/Makefile
+++ b/arch/m68k/Makefile
@@ -59,7 +59,10 @@ cpuflags-$(CONFIG_M5206e)	:= $(call cc-o
 cpuflags-$(CONFIG_M5206)	:= $(call cc-option,-mcpu=5206,-m5200)
 
 KBUILD_AFLAGS += $(cpuflags-y)
-KBUILD_CFLAGS += $(cpuflags-y) -pipe
+KBUILD_CFLAGS += $(cpuflags-y)
+
+KBUILD_CFLAGS += -pipe -ffreestanding
+
 ifdef CONFIG_MMU
 # without -fno-strength-reduce the 53c7xx.c driver fails ;-(
 KBUILD_CFLAGS += -fno-strength-reduce -ffixed-a2
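Review bot: the added `KBUILD_CFLAGS += -pipe -ffreestanding` line has no comment, while the `-fno-strength-reduce` line just below it explains why it is there. A short comment noting that -ffreestanding is wanted for its -fno-builtin effect, so the compiler does not replace one libc call with another that the kernel may not provide, would keep the flag from being dropped later as unnecessary.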



* [PATCH 3.16 029/129] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 011/129] clk: kirkwood: fix refcount leak in kirkwood_clk_init() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 007/129] clk: imx6q: fix refcount leak in imx6q_clocks_init() Ben Hutchings
                   ` (69 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Herbert Xu, Eric Biggers

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit ba7d7433a0e998c902132bd47330e355a1eaa894 upstream.

Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context.  In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.

It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms.  Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.

Note: we can't set CRYPTO_TFM_NEED_KEY for OPTIONAL_KEY algorithms, so
->setkey() for those must nevertheless be atomic.  That's fine for now
since only the crc32 and crc32c algorithms set OPTIONAL_KEY, and it's
not intended that OPTIONAL_KEY be used much.

[Cc stable mainly because when introducing the NEED_KEY flag I changed
 AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
 previously didn't have this problem.  So these "incompletely keyed"
 states became theoretically accessible via AF_ALG -- though, the
 opportunities for causing real mischief seem pretty limited.]

Fixes: 9fa68f620041 ("crypto: hash - prevent using keyed hashes without setting key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/ahash.c | 28 +++++++++++++++++++---------
 crypto/shash.c | 18 +++++++++++++-----
 2 files changed, 32 insertions(+), 14 deletions(-)

--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -200,6 +200,21 @@ static int ahash_setkey_unaligned(struct
 	return ret;
 }
 
+static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key,
+			  unsigned int keylen)
+{
+	return -ENOSYS;
+}
+
+static void ahash_set_needkey(struct crypto_ahash *tfm)
+{
+	const struct hash_alg_common *alg = crypto_hash_alg_common(tfm);
+
+	if (tfm->setkey != ahash_nosetkey &&
+	    !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
+		crypto_ahash_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
+}
+
 int crypto_ahash_setkey(struct crypto_ahash *tfm, const u8 *key,
 			unsigned int keylen)
 {
@@ -211,20 +226,16 @@ int crypto_ahash_setkey(struct crypto_ah
 	else
 		err = tfm->setkey(tfm, key, keylen);
 
-	if (err)
+	if (unlikely(err)) {
+		ahash_set_needkey(tfm);
 		return err;
+	}
 
 	crypto_ahash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(crypto_ahash_setkey);
 
-static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key,
-			  unsigned int keylen)
-{
-	return -ENOSYS;
-}
-
 static inline unsigned int ahash_align_buffer_size(unsigned len,
 						   unsigned long mask)
 {
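Review bot: in crypto_ahash_setkey(), the new `if (unlikely(err))` branch calls ahash_set_needkey() for every failure, including ones where ->setkey() rejected the key before touching the tfm. A tfm that held a valid key therefore becomes unusable after any failed re-key. That matches the commit message, but it is a behaviour change for callers that ignore or retry on the error, so a comment on the function stating that a failed setkey invalidates the previous key would help.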
@@ -493,8 +504,7 @@ static int crypto_ahash_init_tfm(struct
 
 	if (alg->setkey) {
 		hash->setkey = alg->setkey;
-		if (!(alg->halg.base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
-			crypto_ahash_set_flags(hash, CRYPTO_TFM_NEED_KEY);
+		ahash_set_needkey(hash);
 	}
 	if (alg->export)
 		hash->export = alg->export;
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -52,6 +52,13 @@ static int shash_setkey_unaligned(struct
 	return err;
 }
 
+static void shash_set_needkey(struct crypto_shash *tfm, struct shash_alg *alg)
+{
+	if (crypto_shash_alg_has_setkey(alg) &&
+	    !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
+		crypto_shash_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
+}
+
 int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key,
 			unsigned int keylen)
 {
@@ -64,8 +71,10 @@ int crypto_shash_setkey(struct crypto_sh
 	else
 		err = shash->setkey(tfm, key, keylen);
 
-	if (err)
+	if (unlikely(err)) {
+		shash_set_needkey(tfm, shash);
 		return err;
+	}
 
 	crypto_shash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
 	return 0;
@@ -367,7 +376,8 @@ int crypto_init_shash_ops_async(struct c
 	crt->final = shash_async_final;
 	crt->finup = shash_async_finup;
 	crt->digest = shash_async_digest;
-	crt->setkey = shash_async_setkey;
+	if (crypto_shash_alg_has_setkey(alg))
+		crt->setkey = shash_async_setkey;
 
 	crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) &
 				    CRYPTO_TFM_NEED_KEY);
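Review bot: in crypto_init_shash_ops_async(), when crypto_shash_alg_has_setkey(alg) is false, `crt->setkey` is now left at whatever value it had on entry. ahash_set_needkey() in crypto/ahash.c decides by testing `tfm->setkey != ahash_nosetkey`, so this only works if the default has already been set to ahash_nosetkey before this function runs. That ordering is not visible in the hunk; a comment at the new `if` naming the dependency would guard against a later reorder.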
@@ -534,9 +544,7 @@ static int crypto_shash_init_tfm(struct
 
 	hash->descsize = alg->descsize;
 
-	if (crypto_shash_alg_has_setkey(alg) &&
-	    !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
-		crypto_shash_set_flags(hash, CRYPTO_TFM_NEED_KEY);
+	shash_set_needkey(hash, alg);
 
 	return 0;
 }



* [PATCH 3.16 037/129] mtd: docg3: Don't leak docg3->bbt in error path
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 110/129] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 048/129] USB: serial: cp210x: add ID for Ingenico 3070 Ben Hutchings
                   ` (125 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Richard Weinberger, Brian Norris

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 45c2ebd702a468d5037cf16aa4f8ea8d67776f6a upstream.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/devices/docg3.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -1907,7 +1907,7 @@ doc_probe_device(struct docg3_cascade *c
 
 	ret = 0;
 	if (chip_id != (u16)(~chip_id_inv)) {
-		goto nomem3;
+		goto nomem4;
 	}
 
 	switch (chip_id) {
@@ -1917,7 +1917,7 @@ doc_probe_device(struct docg3_cascade *c
 		break;
 	default:
 		doc_err("Chip id %04x is not a DiskOnChip G3 chip\n", chip_id);
-		goto nomem3;
+		goto nomem4;
 	}
 
 	doc_set_driver_info(chip_id, mtd);
@@ -1926,6 +1926,8 @@ doc_probe_device(struct docg3_cascade *c
 	doc_reload_bbt(docg3);
 	return mtd;
 
+nomem4:
+	kfree(docg3->bbt);
 nomem3:
 	kfree(mtd);
 nomem2:
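Review bot: the new `nomem4:` label is reached from the chip-ID checks in the two hunks above, which are not allocation failures, so the nomemN naming now misleads; a name describing the action (for example err_free_bbt) would read better, though a rename may be out of scope for a stable backport. The commit message also has no body: one sentence saying where docg3->bbt is allocated and which paths skipped the kfree() would make the fix reviewable without the full source.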



* [PATCH 3.16 030/129] crypto: tgr192 - fix unaligned memory access
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 088/129] serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 004/129] clk: highbank: fix refcount leak in hb_clk_init() Ben Hutchings
                   ` (81 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Eric Biggers, Herbert Xu

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit f990f7fb58ac8ac9a43316f09a48cff1a49dda42 upstream.

Fix an unaligned memory access in tgr192_transform() by using the
unaligned access helpers.

Fixes: 06ace7a9bafe ("[CRYPTO] Use standard byte order macros wherever possible")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/tgr192.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/crypto/tgr192.c
+++ b/crypto/tgr192.c
@@ -25,8 +25,9 @@
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/mm.h>
-#include <asm/byteorder.h>
 #include <linux/types.h>
+#include <asm/byteorder.h>
+#include <asm/unaligned.h>
 
 #define TGR192_DIGEST_SIZE 24
 #define TGR160_DIGEST_SIZE 20
@@ -468,10 +469,9 @@ static void tgr192_transform(struct tgr1
 	u64 a, b, c, aa, bb, cc;
 	u64 x[8];
 	int i;
-	const __le64 *ptr = (const __le64 *)data;
 
 	for (i = 0; i < 8; i++)
-		x[i] = le64_to_cpu(ptr[i]);
+		x[i] = get_unaligned_le64(data + i * sizeof(__le64));
 
 	/* save */
 	a = aa = tctx->a;
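Review bot: `get_unaligned_le64(data + i * sizeof(__le64))` relies on `data` being a byte pointer so that the offset is counted in bytes; its declaration is outside the hunk, so please confirm it is `const u8 *`. With a wider pointer type the stride would be wrong without any compiler warning.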



* [PATCH 3.16 020/129] IB/usnic: Fix out of bounds index check in query pkey
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 085/129] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 059/129] ext4: add mask of ext4 flags to swap Ben Hutchings
                   ` (11 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gal Pressman, Jason Gunthorpe, Parvi Kaustubhi

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gal Pressman <galpress@amazon.com>

commit 4959d5da5737dd804255c75b8cea0a2929ce279a upstream.

The pkey table size is one element, index should be tested for > 0 instead
of > 1.

Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
Signed-off-by: Gal Pressman <galpress@amazon.com>
Acked-by: Parvi Kaustubhi <pkaustub@cisco.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
@@ -410,7 +410,7 @@ int usnic_ib_query_gid(struct ib_device
 int usnic_ib_query_pkey(struct ib_device *ibdev, u8 port, u16 index,
 				u16 *pkey)
 {
-	if (index > 1)
+	if (index > 0)
 		return -EINVAL;
 
 	*pkey = 0xffff;
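Review bot: `if (index > 0)` encodes the table length as a bare literal. Comparing against a named constant for the pkey table length, shared with wherever the driver reports that length, would keep the bound and the advertised size from drifting apart. Note that `port` is not checked anywhere in the visible lines.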



* [PATCH 3.16 021/129] RDMA/ocrdma: Fix out of bounds index check in query pkey
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 066/129] tpm: Fix off-by-one when reading binary_bios_measurements Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 016/129] staging: iio: adt7316: fix the dac read calculation Ben Hutchings
                   ` (49 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jason Gunthorpe, Gal Pressman

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gal Pressman <galpress@amazon.com>

commit b188940796c7be31c1b8c25a9a0e0842c2e7a49e upstream.

The pkey table size is one element, index should be tested for > 0 instead
of > 1.

Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter")
Signed-off-by: Gal Pressman <galpress@amazon.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -39,7 +39,7 @@
 
 int ocrdma_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey)
 {
-	if (index > 1)
+	if (index > 0)
 		return -EINVAL;
 
 	*pkey = 0xffff;
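Review bot: `if (index > 0)` on a u16 is simply a non-zero test; writing it as `if (index != 0)`, with a comment that the table has one entry, states the intent directly. The identical check and `*pkey = 0xffff;` body also appear in usnic_ib_query_pkey(), so a shared helper for single-entry pkey tables would let the bound be fixed once.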



* [PATCH 3.16 023/129] selinux: avoid silent denials in permissive mode under RCU walk
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 045/129] splice: don't merge into linked buffers Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 086/129] ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 Ben Hutchings
                   ` (94 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Stephen Smalley, BMK, Paul Moore

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Smalley <sds@tycho.nsa.gov>

commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream.

commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
results in no audit messages at all if in permissive mode because the
cache is updated during the rcu walk and thus no denial occurs on
the subsequent ref walk.  Fix this by not updating the cache when
performing a non-blocking permission check.  This only affects search
and symlink read checks during rcu walk.

Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
Reported-by: BMK <bmktuwien@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[bwh: Backported to 3.16:
 - Add flags parameter to avc_update_node(), done upstream in commit
   fa1aa143ac4a "selinux: extended permissions for ioctls"
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -528,6 +528,7 @@ static inline int avc_sidcmp(u32 x, u32
  * @perms : Permission mask bits
  * @ssid,@tsid,@tclass : identifier of an AVC entry
  * @seqno : sequence number when decision was made
+ * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.
  *
  * if a valid AVC entry doesn't exist,this function returns -ENOENT.
  * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
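Review bot: the new `@flags` kernel-doc line names AVC_EXTENDED_PERMS, but the avc.h hunk in this backport shows only AVC_STRICT and AVC_NONBLOCKING being defined. If AVC_EXTENDED_PERMS does not exist in 3.16, drop it from the comment so the documentation lists only flags this tree has.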
@@ -535,7 +536,7 @@ static inline int avc_sidcmp(u32 x, u32
  * will release later by RCU.
  */
 static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
-			   u32 seqno)
+			   u32 seqno, unsigned int flags)
 {
 	int hvalue, rc = 0;
 	unsigned long flag;
@@ -543,6 +544,23 @@ static int avc_update_node(u32 event, u3
 	struct hlist_head *head;
 	spinlock_t *lock;
 
+	/*
+	 * If we are in a non-blocking code path, e.g. VFS RCU walk,
+	 * then we must not add permissions to a cache entry
+	 * because we cannot safely audit the denial.  Otherwise,
+	 * during the subsequent blocking retry (e.g. VFS ref walk), we
+	 * will find the permissions already granted in the cache entry
+	 * and won't audit anything at all, leading to silent denials in
+	 * permissive mode that only appear when in enforcing mode.
+	 *
+	 * See the corresponding handling in slow_avc_audit(), and the
+	 * logic in selinux_inode_follow_link and selinux_inode_permission
+	 * for the VFS MAY_NOT_BLOCK flag, which is transliterated into
+	 * AVC_NONBLOCKING for avc_has_perm_noaudit().
+	 */
+	if (flags & AVC_NONBLOCKING)
+		return 0;
+
 	node = avc_alloc_node();
 	if (!node) {
 		rc = -ENOMEM;
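Review bot: the `if (flags & AVC_NONBLOCKING) return 0;` early exit applies to every `event` value, while the comment above it argues only about adding permissions to a cache entry. If other event types can reach avc_update_node() with this flag set, they would be skipped as well; either test the event alongside the flag or say in the comment that only the grant path passes AVC_NONBLOCKING. The return-value description in the kernel-doc should also mention this case of returning 0 without an update.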
@@ -690,7 +708,7 @@ static noinline int avc_denied(u32 ssid,
 		return -EACCES;
 
 	avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
-				tsid, tclass, avd->seqno);
+			tsid, tclass, avd->seqno, flags);
 	return 0;
 }
 
@@ -701,7 +719,7 @@ static noinline int avc_denied(u32 ssid,
  * @tsid: target security identifier
  * @tclass: target security class
  * @requested: requested permissions, interpreted based on @tclass
- * @flags:  AVC_STRICT or 0
+ * @flags:  AVC_STRICT, AVC_NONBLOCKING, or 0
  * @avd: access vector decisions
  *
  * Check the AVC to determine whether the @requested permissions are granted
@@ -781,7 +799,9 @@ int avc_has_perm_flags(u32 ssid, u32 tsi
 	struct av_decision avd;
 	int rc, rc2;
 
-	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
+	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested,
+				  (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+				  &avd);
 
 	rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc,
 			auditdata, flags);
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2818,7 +2818,9 @@ static int selinux_inode_permission(stru
 	sid = cred_sid(cred);
 	isec = inode->i_security;
 
-	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
+	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms,
+				  (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+				  &avd);
 	audited = avc_audit_required(perms, &avd, rc,
 				     from_access ? FILE__AUDIT_ACCESS : 0,
 				     &denied);
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -143,6 +143,7 @@ static inline int avc_audit(u32 ssid, u3
 }
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
+#define AVC_NONBLOCKING    4	/* non blocking */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 			 u16 tclass, u32 requested,
 			 unsigned flags,
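Review bot: `#define AVC_NONBLOCKING    4` skips the value 2, and its comment (`/* non blocking */`) only repeats the name. Say in the comment what the flag means for callers (the check runs in a non-blocking path such as VFS RCU walk, so the AVC must not be updated), and note why 2 is left unused, since `flags` is tested as a bit mask.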



* [PATCH 3.16 027/129] media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 092/129] tools lib traceevent: Fix buffer overflow in arg_eval Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 058/129] ext4: update quota information while swapping boot loader inode Ben Hutchings
                   ` (78 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jacek Anaszewski, Sylwester Nawrocki,
	Mauro Carvalho Chehab, Paweł Chmiel, Hans Verkuil

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>

commit 19c624c6b29e244c418f8b44a711cbf5e82e3cd4 upstream.

This commit corrects max and step values for v4l2 control for
V4L2_CID_JPEG_RESTART_INTERVAL. Max should be 0xffff and step should be 1.
It was found by using v4l2-compliance tool and checking result of
VIDIOC_QUERY_EXT_CTRL/QUERYMENU test.
Previously it was complaining that step was bigger than difference
between max and min.

Fixes: 15f4bc3b1f42 ("[media] s5p-jpeg: Add JPEG controls support")

Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/s5p-jpeg/jpeg-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
@@ -1363,7 +1363,7 @@ static int s5p_jpeg_controls_create(stru
 
 		v4l2_ctrl_new_std(&ctx->ctrl_handler, &s5p_jpeg_ctrl_ops,
 				  V4L2_CID_JPEG_RESTART_INTERVAL,
-				  0, 3, 0xffff, 0);
+				  0, 0xffff, 1, 0);
 		if (ctx->jpeg->variant->version == SJPEG_S5P)
 			mask = ~0x06; /* 422, 420 */
 	}
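Review bot: the corrected call passes `0, 0xffff, 1, 0` as four bare integers, and the bug being fixed was two of them in the wrong positions. A trailing comment naming them (min, max, step, default) at the call site would make a transposition visible in review.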



* [PATCH 3.16 031/129] ASoC: imx-sgtl5000: put of nodes if finding codec fails
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 067/129] serial: 8250_pci: Fix number of ports for ACCES serial cards Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 006/129] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() Ben Hutchings
                   ` (5 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nicolin Chen, Mark Brown, Fabio Estevam,
	Stefan Agner, Daniel Baluta

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit d9866572486802bc598a3e8576a5231378d190de upstream.

Make sure to properly put the of node in case finding the codec
fails.

Fixes: 81e8e4926167 ("ASoC: fsl: add sgtl5000 clock support for imx-sgtl5000")
Signed-off-by: Stefan Agner <stefan@agner.ch>
Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/fsl/imx-sgtl5000.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/soc/fsl/imx-sgtl5000.c
+++ b/sound/soc/fsl/imx-sgtl5000.c
@@ -118,7 +118,8 @@ static int imx_sgtl5000_probe(struct pla
 	codec_dev = of_find_i2c_device_by_node(codec_np);
 	if (!codec_dev) {
 		dev_err(&pdev->dev, "failed to find codec platform device\n");
-		return -EPROBE_DEFER;
+		ret = -EPROBE_DEFER;
+		goto fail;
 	}
 
 	data = devm_kzalloc(&pdev->dev, sizeof(*data), GFP_KERNEL);
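Review bot: the `!codec_dev` branch now jumps to `fail`, which lies outside the hunk; at this point codec_dev is NULL and `data` has not been allocated yet. Please confirm that the `fail` path only drops the OF node references and does not touch codec_dev or data, otherwise this trades a refcount leak for a NULL dereference.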



* [PATCH 3.16 024/129] crypto: pcbc - remove bogus memcpy()s with src == dest
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 116/129] net: sh_eth: fix a missing check of of_get_phy_mode Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 088/129] serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart Ben Hutchings
                   ` (83 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Herbert Xu, David Howells, Eric Biggers

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream.

The memcpy()s in the PCBC implementation use walk->iv as both the source
and destination, which has undefined behavior.  These memcpy()'s are
actually unneeded, because walk->iv is already used to hold the previous
plaintext block XOR'd with the previous ciphertext block.  Thus,
walk->iv is already updated to its final value.

So remove the broken and unnecessary memcpy()s.

Fixes: 91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template")
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/pcbc.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/crypto/pcbc.c
+++ b/crypto/pcbc.c
@@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(s
 	unsigned int nbytes = walk->nbytes;
 	u8 *src = walk->src.virt.addr;
 	u8 *dst = walk->dst.virt.addr;
-	u8 *iv = walk->iv;
+	u8 * const iv = walk->iv;
 
 	do {
 		crypto_xor(iv, src, bsize);
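Review bot: `u8 * const iv = walk->iv;` is the only thing recording that iv always aliases walk->iv, which is the justification for dropping the memcpy() calls in the later hunks, but nothing in the code says so. A short comment at the declaration that the IV is updated in place through this pointer would stop the copy from being reintroduced.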
@@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(s
 	int bsize = crypto_cipher_blocksize(tfm);
 	unsigned int nbytes = walk->nbytes;
 	u8 *src = walk->src.virt.addr;
-	u8 *iv = walk->iv;
+	u8 * const iv = walk->iv;
 	u8 tmpbuf[bsize];
 
 	do {
@@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(s
 		src += bsize;
 	} while ((nbytes -= bsize) >= bsize);
 
-	memcpy(walk->iv, iv, bsize);
-
 	return nbytes;
 }
 
@@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(s
 	unsigned int nbytes = walk->nbytes;
 	u8 *src = walk->src.virt.addr;
 	u8 *dst = walk->dst.virt.addr;
-	u8 *iv = walk->iv;
+	u8 * const iv = walk->iv;
 
 	do {
 		fn(crypto_cipher_tfm(tfm), dst, src);
@@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(s
 		dst += bsize;
 	} while ((nbytes -= bsize) >= bsize);
 
-	memcpy(walk->iv, iv, bsize);
-
 	return nbytes;
 }
 
@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(s
 	int bsize = crypto_cipher_blocksize(tfm);
 	unsigned int nbytes = walk->nbytes;
 	u8 *src = walk->src.virt.addr;
-	u8 *iv = walk->iv;
+	u8 * const iv = walk->iv;
 	u8 tmpbuf[bsize];
 
 	do {
@@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(s
 		src += bsize;
 	} while ((nbytes -= bsize) >= bsize);
 
-	memcpy(walk->iv, iv, bsize);
-
 	return nbytes;
 }
 



* [PATCH 3.16 028/129] media: v4l2: i2c: ov7670: Fix PLL bypass register values
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 107/129] cpufreq: pxa2xx: remove incorrect __init annotation Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 083/129] mmc: omap: fix the maximum timeout setting Ben Hutchings
                   ` (43 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jacopo Mondi, Mauro Carvalho Chehab, Sakari Ailus

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jacopo Mondi <jacopo+renesas@jmondi.org>

commit 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 upstream.

The following commits:
commit f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675")
commit 04ee6d92047e ("[media] media: ov7670: add possibility to bypass pll for ov7675")
introduced the ability to bypass PLL multiplier and use input clock (xvclk)
as pixel clock output frequency for ov7675 sensor.

PLL is bypassed using register DBLV[7:6], according to ov7670 and ov7675
sensor manuals. Macros used to set DBLV register seem wrong in the
driver, as their values do not match what is reported in the datasheet.

Fix by changing DBLV_* macros to use bits [7:6] and set bits [3:0] to
default 0x0a reserved value (according to datasheets).

While at it, remove a write to DBLV register in
"ov7675_set_framerate()" that over-writes the previous one to the same
register that takes "info->pll_bypass" flag into account instead of setting PLL
multiplier to 4x unconditionally.

And, while at it, since "info->pll_bypass" is only used in
set/get_framerate() functions used by ov7675 only, it is not necessary
to check for the device id at probe time to make sure that when using
ov7670 "info->pll_bypass" is set to false.

Fixes: f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675")

Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/ov7670.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/drivers/media/i2c/ov7670.c
+++ b/drivers/media/i2c/ov7670.c
@@ -167,10 +167,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
 #define REG_GFIX	0x69	/* Fix gain control */
 
 #define REG_DBLV	0x6b	/* PLL control an debugging */
-#define   DBLV_BYPASS	  0x00	  /* Bypass PLL */
-#define   DBLV_X4	  0x01	  /* clock x4 */
-#define   DBLV_X6	  0x10	  /* clock x6 */
-#define   DBLV_X8	  0x11	  /* clock x8 */
+#define   DBLV_BYPASS	  0x0a	  /* Bypass PLL */
+#define   DBLV_X4	  0x4a	  /* clock x4 */
+#define   DBLV_X6	  0x8a	  /* clock x6 */
+#define   DBLV_X8	  0xca	  /* clock x8 */
 
 #define REG_REG76	0x76	/* OV's name */
 #define   R76_BLKPCOR	  0x80	  /* Black pixel correction enable */
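Review bot: the new DBLV_* values fold the reserved low nibble 0x0a into every macro without a comment saying so; a one-line note above DBLV_BYPASS, or a separate define for the reserved bits [3:0] OR-ed with the bits [7:6] selector, would make it clear that 0x4a means "x4 plus reserved default" and is not a new encoding. The comment on the REG_DBLV context line also carries a typo ("PLL control an debugging").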
@@ -845,7 +845,7 @@ static int ov7675_set_framerate(struct v
 	if (ret < 0)
 		return ret;
 
-	return ov7670_write(sd, REG_DBLV, DBLV_X4);
+	return 0;
 }
 
 static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd,
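Review bot: dropping the trailing ov7670_write(sd, REG_DBLV, DBLV_X4) in ov7675_set_framerate() is only correct if an earlier DBLV write in the same function already honours info->pll_bypass, and that write is outside this hunk's context; worth confirming it is present in the 3.16 tree, otherwise DBLV is no longer programmed on this path. With the write gone, the tail "if (ret < 0) return ret; return 0;" could return ret directly if the preceding call never yields a positive value.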
@@ -1552,11 +1552,7 @@ static int ov7670_probe(struct i2c_clien
 		if (config->clock_speed)
 			info->clock_speed = config->clock_speed;
 
-		/*
-		 * It should be allowed for ov7670 too when it is migrated to
-		 * the new frame rate formula.
-		 */
-		if (config->pll_bypass && id->driver_data != MODEL_OV7670)
+		if (config->pll_bypass)
 			info->pll_bypass = true;
 
 		if (config->pclk_hb_disable)
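Review bot: in ov7670_probe(), removing the "id->driver_data != MODEL_OV7670" test means info->pll_bypass can now be true on an ov7670, which is harmless only while nothing but the ov7675 framerate helpers reads the flag, as the commit message states. A short comment at this assignment saying the flag is ignored for ov7670 would replace the removed one and keep a later change from consuming it on the wrong model.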


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 004/129] clk: highbank: fix refcount leak in hb_clk_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 030/129] crypto: tgr192 - fix unaligned memory access Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 092/129] tools lib traceevent: Fix buffer overflow in arg_eval Ben Hutchings
                   ` (80 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Stephen Boyd, Yangtao Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit 5eb8ba90958de1285120dae5d3a5d2b1a360b3b4 upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Fixes: 26cae166cff9 ("ARM: highbank: remove custom .init_time hook")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/clk-highbank.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/clk-highbank.c
+++ b/drivers/clk/clk-highbank.c
@@ -293,6 +293,7 @@ static __init struct clk *hb_clk_init(st
 	/* Map system registers */
 	srnp = of_find_compatible_node(NULL, NULL, "calxeda,hb-sregs");
 	hb_clk->reg = of_iomap(srnp, 0);
+	of_node_put(srnp);
 	BUG_ON(!hb_clk->reg);
 	hb_clk->reg += reg;
 
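Review bot: in hb_clk_init(), srnp goes into of_iomap() and then of_node_put() without a NULL check, so a missing "calxeda,hb-sregs" node is only caught indirectly by BUG_ON(!hb_clk->reg). The put is placed where the visible lines no longer use srnp, which is fine, but an explicit check on srnp would give a clearer failure than a BUG_ON on the mapping.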


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 018/129] drm: Fix error handling in drm_legacy_addctx
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 108/129] lib/div64.c: off by one in shift Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 112/129] gro_cells: make sure device is up in gro_cells_receive() Ben Hutchings
                   ` (66 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Daniel Vetter, YueHaibing

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit c39191feed4540fed98badeb484833dcf659bb96 upstream.

'ctx->handle' is unsigned, it is never less than zero.
This patch uses int 'tmp_handle' to handle the err condition.

Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20181229024907.12852-1-yuehaibing@huawei.com
[bwh: Backported to 3.16: We only have the "legacy" driver type here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_context.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/drm_context.c
+++ b/drivers/gpu/drm/drm_context.c
@@ -309,19 +309,22 @@ int drm_addctx(struct drm_device *dev, v
 {
 	struct drm_ctx_list *ctx_entry;
 	struct drm_ctx *ctx = data;
+	int tmp_handle;
 
-	ctx->handle = drm_ctxbitmap_next(dev);
-	if (ctx->handle == DRM_KERNEL_CONTEXT) {
+	tmp_handle = drm_ctxbitmap_next(dev);
+	if (tmp_handle == DRM_KERNEL_CONTEXT) {
 		/* Skip kernel's context and get a new one. */
-		ctx->handle = drm_ctxbitmap_next(dev);
+		tmp_handle = drm_ctxbitmap_next(dev);
 	}
-	DRM_DEBUG("%d\n", ctx->handle);
-	if (ctx->handle < 0) {
+	DRM_DEBUG("%d\n", tmp_handle);
+	if (tmp_handle < 0) {
 		DRM_DEBUG("Not enough free contexts.\n");
 		/* Should this return -EBUSY instead? */
-		return -ENOMEM;
+		return tmp_handle;
 	}
 
+	ctx->handle = tmp_handle;
+
 	ctx_entry = kmalloc(sizeof(*ctx_entry), GFP_KERNEL);
 	if (!ctx_entry) {
 		DRM_DEBUG("out of memory\n");
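Review bot: the error branch was unreachable while the test ran on the unsigned ctx->handle, and now that it can fire it returns tmp_handle (whatever negative value drm_ctxbitmap_next() produced) where the old line said -ENOMEM; the commit message does not mention this choice of error code, so it should either be called out or the original "return -ENOMEM;" kept for the stable tree. The context comment "Should this return -EBUSY instead?" is stale once the callee's error is propagated.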


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 005/129] clk: socfpga: fix refcount leak
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 075/129] drm/radeon/evergreen_cs: fix missing break in switch statement Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 078/129] fs/nfs: Fix nfs_parse_devname to not modify it's argument Ben Hutchings
                   ` (107 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Yangtao Li, Stephen Boyd

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit 7f9705beeb3759e69165e7aff588f6488ff6c1ac upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Fixes: 5343325ff3dd ("clk: socfpga: add a clock driver for the Arria 10 platform")
Fixes: a30d27ed739b ("clk: socfpga: fix clock driver for 3.15")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: drop changes in clk-pll-a10.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clk/socfpga/clk-pll.c
+++ b/drivers/clk/socfpga/clk-pll.c
@@ -102,6 +102,7 @@ static __init struct clk *__socfpga_pll_
 
 	clkmgr_np = of_find_compatible_node(NULL, NULL, "altr,clk-mgr");
 	clk_mgr_base_addr = of_iomap(clkmgr_np, 0);
+	of_node_put(clkmgr_np);
 	BUG_ON(!clk_mgr_base_addr);
 	pll_clk->hw.reg = clk_mgr_base_addr + reg;
 


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 017/129] staging: iio: adt7316: fix the dac write calculation
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 117/129] net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 094/129] 9p: use inode->i_lock to protect i_size_write() under 32-bit Ben Hutchings
                   ` (98 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jeremy Fertic, Jonathan Cameron

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit 78accaea117c1ae878774974fab91ac4a0b0e2b0 upstream.

The lsb calculation is not masking the correct bits from the user input.
Subtract 1 from (1 << offset) to correctly set up the mask to be applied
to user input.

The lsb register stores its value starting at the bit 7 position.
adt7316_store_DAC() currently assumes the value is at the other end of the
register. Shift the lsb value before storing it in a new variable lsb_reg,
and write this variable to the lsb register.

Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -1448,7 +1448,7 @@ static ssize_t adt7316_show_DAC(struct a
 static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip,
 		int channel, const char *buf, size_t len)
 {
-	u8 msb, lsb, offset;
+	u8 msb, lsb, lsb_reg, offset;
 	u16 data;
 	int ret;
 
@@ -1466,9 +1466,13 @@ static ssize_t adt7316_store_DAC(struct
 		return -EINVAL;
 
 	if (chip->dac_bits > 8) {
-		lsb = data & (1 << offset);
+		lsb = data & ((1 << offset) - 1);
+		if (chip->dac_bits == 12)
+			lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT;
+		else
+			lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT;
 		ret = chip->bus.write(chip->bus.client,
-			ADT7316_DA_DATA_BASE + channel * 2, lsb);
+			ADT7316_DA_DATA_BASE + channel * 2, lsb_reg);
 		if (ret)
 			return -EIO;
 	}
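Review bot: the added lines use ADT7316_DA_12_BIT_LSB_SHIFT and ADT7316_DA_10_BIT_LSB_SHIFT, but neither hunk of this patch adds a #define, so the backport depends on both macros already existing in the 3.16 adt7316.c; worth a build check for this driver. The else branch also treats every dac_bits value above 8 other than 12 as the 10-bit case, which should be stated in a comment if 10 and 12 are the only possible widths.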


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 015/129] staging: iio: adt7316: fix handling of dac high resolution option
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 122/129] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 123/129] fuse: Add FOPEN_STREAM to use stream_open() Ben Hutchings
                   ` (38 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jeremy Fertic, Jonathan Cameron

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit 76b7fe8d6c4daf4db672eb953c892c6f6572a282 upstream.

The adt7316/7 and adt7516/7 have the option to output voltage proportional
to temperature on dac a and/or dac b. The default dac resolution in this
mode is 8 bits with the dac high resolution option enabling 10 bits. None
of these settings affect dacs c and d. Remove the "1 (12 bits)" output from
the show function since that is not an option for this mode. Return
"1 (10 bits)" if the device is one of the above mentioned chips and the dac
high resolution mode is enabled.

In the store function, the driver currently allows the user to write to the
ADT7316_DA_HIGH_RESOLUTION bit regardless of the device in use. Add a check
to return an error in the case of an adt7318 or adt7519. Remove the else
statement that clears the ADT7316_DA_HIGH_RESOLUTION bit. Instead, clear it
before conditionally enabling it, depending on user input. This matches the
typical pattern in the driver when an attribute is a boolean.

Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -635,9 +635,7 @@ static ssize_t adt7316_show_da_high_reso
 	struct adt7316_chip_info *chip = iio_priv(dev_info);
 
 	if (chip->config3 & ADT7316_DA_HIGH_RESOLUTION) {
-		if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516)
-			return sprintf(buf, "1 (12 bits)\n");
-		else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517)
+		if (chip->id != ID_ADT7318 && chip->id != ID_ADT7519)
 			return sprintf(buf, "1 (10 bits)\n");
 	}
 
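Review bot: the show path now tests "chip->id != ID_ADT7318 && chip->id != ID_ADT7519", an exclusion list, where the removed lines named the supported parts; any id other than those two will report "1 (10 bits)". Listing ID_ADT7316, ID_ADT7317, ID_ADT7516 and ID_ADT7517 explicitly would match the commit message's wording and fail closed for an unexpected id.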
@@ -654,10 +652,12 @@ static ssize_t adt7316_store_da_high_res
 	u8 config3;
 	int ret;
 
+	if (chip->id == ID_ADT7318 || chip->id == ID_ADT7519)
+		return -EPERM;
+
+	config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION);
 	if (buf[0] == '1')
-		config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION;
-	else
-		config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION);
+		config3 |= ADT7316_DA_HIGH_RESOLUTION;
 
 	ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3);
 	if (ret)
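Review bot: the new early return uses -EPERM for a chip that lacks the feature, which reads to userspace as a permission problem; -EOPNOTSUPP or -ENODEV would describe "not available on this part" better, although matching upstream is a reasonable choice for a backport. The clear-then-set of ADT7316_DA_HIGH_RESOLUTION still treats any input whose first character is not '1' as a request to disable, so malformed writes silently clear the bit.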


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 013/129] clk: dove: fix refcount leak in dove_clk_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 094/129] 9p: use inode->i_lock to protect i_size_write() under 32-bit Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 045/129] splice: don't merge into linked buffers Ben Hutchings
                   ` (96 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Yangtao Li, Stephen Boyd, Gregory CLEMENT

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit 8d726c5128298386b907963033be93407b0c4275 upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Fixes: 8f7fc5450b64 ("clk: mvebu: dove: maintain clock init order")
Fixes: 63b8d92c793f ("clk: add Dove PLL divider support for GPU, VMeta and AXI clocks")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: There is no ddnp variable here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clk/mvebu/dove.c
+++ b/drivers/clk/mvebu/dove.c
@@ -187,7 +187,9 @@ static void __init dove_clk_init(struct
 
 	mvebu_coreclk_setup(np, &dove_coreclks);
 
-	if (cgnp)
+	if (cgnp) {
 		mvebu_clk_gating_setup(cgnp, dove_gating_desc);
+		of_node_put(cgnp);
+	}
 }
 CLK_OF_DECLARE(dove_clk, "marvell,dove-core-clock", dove_clk_init);
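Review bot: of_node_put(cgnp) is called right after mvebu_clk_gating_setup(cgnp, dove_gating_desc), so the fix is only correct if that helper takes its own reference for anything it keeps beyond the call; the helper is not part of this diff and should be checked in the 3.16 tree. The lookup that takes the reference on cgnp is also outside the hunk context, and the backport note says the upstream ddnp handling was dropped, so confirm cgnp is the only node reference this function holds in 3.16. The same question applies to the kirkwood, armada-xp and armada-370 patches in this series.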


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 011/129] clk: kirkwood: fix refcount leak in kirkwood_clk_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 115/129] md: Fix failed allocation of md_register_thread Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 029/129] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails Ben Hutchings
                   ` (70 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gregory CLEMENT, Stephen Boyd, Yangtao Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit e7beeab9c61591cd0e690d8733d534c3f4278ff8 upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Fixes: 58d516ae95cb ("clk: mvebu: kirkwood: maintain clock init order")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/clk/mvebu/kirkwood.c
+++ b/drivers/clk/mvebu/kirkwood.c
@@ -236,8 +236,11 @@ static void __init kirkwood_clk_init(str
 	else
 		mvebu_coreclk_setup(np, &kirkwood_coreclks);
 
-	if (cgnp)
+	if (cgnp) {
 		mvebu_clk_gating_setup(cgnp, kirkwood_gating_desc);
+
+		of_node_put(cgnp);
+	}
 }
 CLK_OF_DECLARE(kirkwood_clk, "marvell,kirkwood-core-clock",
 	       kirkwood_clk_init);
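Review bot: the added block in kirkwood_clk_init() has a blank "+" line between mvebu_clk_gating_setup() and of_node_put(cgnp), while the otherwise identical dove, armada-xp and armada-370 hunks in this series do not. Dropping the blank line would keep the four mvebu fixes uniform.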


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 003/129] staging: iio: adt7316: allow adt751x to use internal vref for all dacs
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 113/129] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 052/129] rtc: 88pm80x: fix unintended sign extension Ben Hutchings
                   ` (103 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jeremy Fertic, Jonathan Cameron

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit 10bfe7cc1739c22f0aa296b39e53f61e9e3f4d99 upstream.

With adt7516/7/9, internal vref is available for dacs a and b, dacs c and
d, or all dacs. The driver doesn't currently support internal vref for all
dacs. Change the else if to an if so both bits are checked rather than
just one or the other.

Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -1093,7 +1093,7 @@ static ssize_t adt7316_store_DAC_interna
 		ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK);
 		if (data & 0x1)
 			ldac_config |= ADT7516_DAC_AB_IN_VREF;
-		else if (data & 0x2)
+		if (data & 0x2)
 			ldac_config |= ADT7516_DAC_CD_IN_VREF;
 	} else {
 		ret = kstrtou8(buf, 16, &data);
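Review bot: changing "else if (data & 0x2)" to "if (data & 0x2)" alters what an input of 3 does: it used to select internal vref for dacs a and b only and now selects it for all four. That is the intended fix, but it is a change in the attribute's meaning for existing users and should be reflected wherever the attribute's accepted values are documented.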


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 002/129] staging: iio: adt7316: invert the logic of the check for an ldac pin
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 112/129] gro_cells: make sure device is up in gro_cells_receive() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 038/129] mtd: docg3: Fix kasprintf() usage Ben Hutchings
                   ` (64 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Cameron, Jeremy Fertic

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit 85a1c11913312132d0800ca2c1c42a011f96ea92 upstream.

ADT7316_DA_EN_VIA_DAC_LDCA is set when the dac and ldac registers are being
used to update the dacs instead of the ldac pin. ADT7516_SEL_AIN3 is an adc
input that shares the ldac pin. Only set these bits if an ldac pin is not
being used.

This could be backported to stable, but note there are various
other bugs that probably make that a waste of time.

Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -2130,7 +2130,7 @@ int adt7316_probe(struct device *dev, st
 		return -ENODEV;
 
 	chip->ldac_pin = adt7316_platform_data[1];
-	if (chip->ldac_pin) {
+	if (!chip->ldac_pin) {
 		chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA;
 		if ((chip->id & ID_FAMILY_MASK) == ID_ADT75XX)
 			chip->config1 |= ADT7516_SEL_AIN3;
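Review bot: "if (!chip->ldac_pin)" now sets ADT7316_DA_EN_VIA_DAC_LDCA and ADT7516_SEL_AIN3 when no pin is configured, and nothing at the test says that a zero adt7316_platform_data[1] means "no LDAC pin"; a one-line comment there would keep the condition from being flipped back. The bit written here is the one whose value patch 001 of this series changes from 0x4 to 0x8, so the two patches need to land together.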


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 001/129] staging: iio: adt7316: fix register and bit definitions
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 101/129] mm/vmalloc: fix size check for remap_vmalloc_range_partial() Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 068/129] serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() Ben Hutchings
                   ` (73 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Cameron, Jeremy Fertic

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Fertic <jeremyfertic@gmail.com>

commit 53a6f022b4fe8645468adaffca901dbf8c3c547e upstream.

Change two register addresses and one bit definition to match the
datasheet.

Note that there are many issues in this driver so I would
not suggest backporting these fixes to stable trees.

Signed-off-by: Jeremy Fertic <jeremyfertic@gmail.com>
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/addac/adt7316.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -59,8 +59,8 @@
 #define ADT7316_CONFIG1			0x18
 #define ADT7316_CONFIG2			0x19
 #define ADT7316_CONFIG3			0x1A
-#define ADT7316_LDAC_CONFIG		0x1B
-#define ADT7316_DAC_CONFIG		0x1C
+#define ADT7316_DAC_CONFIG		0x1B
+#define ADT7316_LDAC_CONFIG		0x1C
 #define ADT7316_INT_MASK1		0x1D
 #define ADT7316_INT_MASK2		0x1E
 #define ADT7316_IN_TEMP_OFFSET		0x1F
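Review bot: swapping ADT7316_DAC_CONFIG and ADT7316_LDAC_CONFIG between 0x1B and 0x1C redirects every existing read and write made through these macros, and none of those call sites appear in the diff; for the backport, check each user in the 3.16 driver to confirm it meant the register it will now reach. The commit message cites the datasheet without a section or table reference, which would help the next reviewer verify the addresses.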
@@ -117,7 +117,7 @@
  */
 #define ADT7316_ADCLK_22_5		0x1
 #define ADT7316_DA_HIGH_RESOLUTION	0x2
-#define ADT7316_DA_EN_VIA_DAC_LDCA	0x4
+#define ADT7316_DA_EN_VIA_DAC_LDCA	0x8
 #define ADT7516_AIN_IN_VREF		0x10
 #define ADT7316_EN_IN_TEMP_PROP_DACA	0x20
 #define ADT7316_EN_EX_TEMP_PROP_DACB	0x40
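Review bot: ADT7316_DA_EN_VIA_DAC_LDCA moves from 0x4 to 0x8, which leaves bit 0x4 of this register without a name; a comment or a define for the skipped bit would show that the gap is deliberate. The macro name also looks like a transposition of LDAC, which is out of scope for a stable fix but worth raising upstream.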


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 012/129] clk: armada-xp: fix refcount leak in axp_clk_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 126/129] mwifiex: Fix possible buffer overflows at parsing bss descriptor Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 014/129] staging: iio: adt7316: fix dac_bits assignment Ben Hutchings
                   ` (23 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gregory CLEMENT, Stephen Boyd, Yangtao Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit db20a90a4b6745dad62753f8bd2f66afdd5abc84 upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Fixes: 0a11a6ae9437 ("clk: mvebu: armada-xp: maintain clock init order")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/mvebu/armada-xp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/clk/mvebu/armada-xp.c
+++ b/drivers/clk/mvebu/armada-xp.c
@@ -202,7 +202,9 @@ static void __init axp_clk_init(struct d
 
 	mvebu_coreclk_setup(np, &axp_coreclks);
 
-	if (cgnp)
+	if (cgnp) {
 		mvebu_clk_gating_setup(cgnp, axp_gating_desc);
+		of_node_put(cgnp);
+	}
 }
 CLK_OF_DECLARE(axp_clk, "marvell,armada-xp-core-clock", axp_clk_init);


^ permalink raw reply	[flat|nested] 138+ messages in thread

* [PATCH 3.16 010/129] clk: armada-370: fix refcount leak in a370_clk_init()
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 052/129] rtc: 88pm80x: fix unintended sign extension Ben Hutchings
@ 2019-07-07 16:54 ` Ben Hutchings
  2019-07-07 16:54 ` [PATCH 3.16 071/129] ASoC: fsl_esai: fix register setting issue in RIGHT_J mode Ben Hutchings
                   ` (101 subsequent siblings)
  132 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-07 16:54 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gregory CLEMENT, Stephen Boyd, Yangtao Li

3.16.70-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yangtao Li <tiny.windzz@gmail.com>

commit a3c24050bdf70c958a8d98c2823b66ea761e6a31 upstream.

The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.

Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Fixes: 07ad6836fa21 ("clk: mvebu: armada-370: maintain clock init order")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/mvebu/armada-370.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/clk/mvebu/armada-370.c
+++ b/drivers/clk/mvebu/armada-370.c
@@ -168,8 +168,10 @@ static void __init a370_clk_init(struct
 
 	mvebu_coreclk_setup(np, &a370_coreclks);
 
-	if (cgnp)
+	if (cgnp) {
 		mvebu_clk_gating_setup(cgnp, a370_gating_desc);
+		of_node_put(cgnp);
+	}
 }
 CLK_OF_DECLARE(a370_clk, "marvell,armada-370-core-clock", a370_clk_init);
 


^ permalink raw reply	[flat|nested] 138+ messages in thread

* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2019-07-07 16:54 ` [PATCH 3.16 041/129] ext2: Fix underflow in ext2_max_size() Ben Hutchings
@ 2019-07-08 11:05 ` Guenter Roeck
  2019-07-08 15:21   ` Ben Hutchings
  2019-07-08 13:05 ` Luke Nowakowski-Krijger
                   ` (2 subsequent siblings)
  132 siblings, 1 reply; 138+ messages in thread
From: Guenter Roeck @ 2019-07-08 11:05 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

On 7/7/19 9:54 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.70 release.
> There are 129 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Jul 09 20:00:00 UTC 2019.
> Anything received after that time might be too late.
> 

drivers/mtd/devices/docg3.c:1836:15: error: implicit declaration of function 'devm_kasprintf'

Seen in various builds.

Guenter

^ permalink raw reply	[flat|nested] 138+ messages in thread

* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2019-07-08 11:05 ` [PATCH 3.16 000/129] 3.16.70-rc1 review Guenter Roeck
@ 2019-07-08 13:05 ` Luke Nowakowski-Krijger
  2019-07-08 15:29   ` Ben Hutchings
  2019-07-08 13:43 ` Amol Surati
  2019-07-09 18:07 ` Guenter Roeck
  132 siblings, 1 reply; 138+ messages in thread
From: Luke Nowakowski-Krijger @ 2019-07-08 13:05 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, torvalds, Guenter Roeck, akpm, Denis Kirjanov

Hello, 

I got 1 error when applying this patch series to the latest linux-3.16.y
stable branch

fs/fuse/file.c:218:3: error: implicit declaration of function ‘stream_open’

Thanks, 
- Luke

^ permalink raw reply	[flat|nested] 138+ messages in thread

* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (130 preceding siblings ...)
  2019-07-08 13:05 ` Luke Nowakowski-Krijger
@ 2019-07-08 13:43 ` Amol Surati
  2019-07-09 18:07 ` Guenter Roeck
  132 siblings, 0 replies; 138+ messages in thread
From: Amol Surati @ 2019-07-08 13:43 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, torvalds, Guenter Roeck, akpm,
	Denis Kirjanov, linux-kernel-mentees, suratiamol

On Sun, Jul 07, 2019 at 05:54:16PM +0100, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.70 release.
> There are 129 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Jul 09 20:00:00 UTC 2019.
> Anything received after that time might be too late.
> 
> All the patches have also been committed to the linux-3.16.y-rc branch of
> https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
> A shortlog and diffstat can be found below.
> 
> Ben.


x86_64 (on debian-8.11.1), compiled and booted successfully.
No regressions (between 3.16.69 and 3.16.70-rc1).

Thanks,
-amol

^ permalink raw reply	[flat|nested] 138+ messages in thread

* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-08 11:05 ` [PATCH 3.16 000/129] 3.16.70-rc1 review Guenter Roeck
@ 2019-07-08 15:21   ` Ben Hutchings
  0 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-08 15:21 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

On Mon, 2019-07-08 at 04:05 -0700, Guenter Roeck wrote:
> On 7/7/19 9:54 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.70 release.
> > There are 129 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Tue Jul 09 20:00:00 UTC 2019.
> > Anything received after that time might be too late.
> > 
> 
> drivers/mtd/devices/docg3.c:1836:15: error: implicit declaration of function 'devm_kasprintf'
> 
> Seen in various builds.

Sorry, I dropped the patch that causes that before sending out this
series for review but I did not push to linux-stable-queue.git
afterward.  I have done that now, so hopefully your builds should go
green.

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.




^ permalink raw reply	[flat|nested] 138+ messages in thread

* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-08 13:05 ` Luke Nowakowski-Krijger
@ 2019-07-08 15:29   ` Ben Hutchings
  2019-07-08 20:21     ` Luke Nowakowski-Krijger
  0 siblings, 1 reply; 138+ messages in thread
From: Ben Hutchings @ 2019-07-08 15:29 UTC (permalink / raw)
  To: Luke Nowakowski-Krijger
  Cc: linux-kernel, stable, torvalds, Guenter Roeck, akpm, Denis Kirjanov


On Mon, 2019-07-08 at 06:05 -0700, Luke Nowakowski-Krijger wrote:
> Hello, 
> 
> I got 1 error when applying this patch series to the latest linux-3.16.y
> stable branch
> 
> fs/fuse/file.c:218:3: error: implicit declaration of function ‘stream_open’

It is added by the previous patch and declared in <linux/fs.h>. 
fs/fuse/file.c always includes that (via fs/fuse/fuse_i.h), so I don't
see how this error can happen.

Ben.

-- 
Ben Hutchings
Time is nature's way of making sure that
everything doesn't happen at once.




* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-08 15:29   ` Ben Hutchings
@ 2019-07-08 20:21     ` Luke Nowakowski-Krijger
  0 siblings, 0 replies; 138+ messages in thread
From: Luke Nowakowski-Krijger @ 2019-07-08 20:21 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, torvalds, Guenter Roeck, akpm, Denis Kirjanov

On Mon, Jul 08, 2019 at 04:29:22PM +0100, Ben Hutchings wrote:
> On Mon, 2019-07-08 at 06:05 -0700, Luke Nowakowski-Krijger wrote:
> > Hello, 
> > 
> > I got 1 error when applying this patch series to the latest linux-3.16.y
> > stable branch
> > 
> > fs/fuse/file.c:218:3: error: implicit declaration of function ‘stream_open’
> 
> It is added by the previous patch and declared in <linux/fs.h>. 
> fs/fuse/file.c always includes that (via fs/fuse/fuse_i.h), so I don't
> see how this error can happen.
> 
> Ben.
>

I was actually in another src tree. My mistake.

Rebuilding it off of your tree, I get no compilation errors and it
boots on my x86_64 machine. 

> -- 
> Ben Hutchings
> Time is nature's way of making sure that
> everything doesn't happen at once.
> 
> 

Also this is a good thing to remember. 

Thanks, 
- Luke



* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2019-07-08 13:43 ` Amol Surati
@ 2019-07-09 18:07 ` Guenter Roeck
  2019-07-09 18:09   ` Ben Hutchings
  132 siblings, 1 reply; 138+ messages in thread
From: Guenter Roeck @ 2019-07-09 18:07 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, torvalds, akpm, Denis Kirjanov

On Sun, Jul 07, 2019 at 05:54:16PM +0100, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.70 release.
> There are 129 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Jul 09 20:00:00 UTC 2019.
> Anything received after that time might be too late.
> 

For 3.16.69-129-g91dfb9bc310a:

Build results:
	total: 136 pass: 136 fail: 0
Qemu test results:
	total: 231 pass: 231 fail: 0

Guenter


* Re: [PATCH 3.16 000/129] 3.16.70-rc1 review
  2019-07-09 18:07 ` Guenter Roeck
@ 2019-07-09 18:09   ` Ben Hutchings
  0 siblings, 0 replies; 138+ messages in thread
From: Ben Hutchings @ 2019-07-09 18:09 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: linux-kernel, stable, torvalds, akpm, Denis Kirjanov


On Tue, 2019-07-09 at 11:07 -0700, Guenter Roeck wrote:
> On Sun, Jul 07, 2019 at 05:54:16PM +0100, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.70 release.
> > There are 129 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Tue Jul 09 20:00:00 UTC 2019.
> > Anything received after that time might be too late.
> > 
> 
> For 3.16.69-129-g91dfb9bc310a:
> 
> Build results:
> 	total: 136 pass: 136 fail: 0
> Qemu test results:
> 	total: 231 pass: 231 fail: 0

Great, thanks for checking again.

Ben.

-- 
Ben Hutchings
The Peter principle: In a hierarchy, every employee tends to rise to
their level of incompetence.




Thread overview: 138+ messages
2019-07-07 16:54 [PATCH 3.16 000/129] 3.16.70-rc1 review Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 091/129] Btrfs: fix corruption reading shared and compressed extents after hole punching Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 008/129] clk: imx6sx: fix refcount leak in imx6sx_clocks_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 033/129] pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 114/129] It's wrong to add len to sector_nr in raid10 reshape twice Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 110/129] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 037/129] mtd: docg3: Don't leak docg3->bbt in error path Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 048/129] USB: serial: cp210x: add ID for Ingenico 3070 Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 074/129] perf header: Fix wrong node write in NUMA_TOPOLOGY feature Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 061/129] pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 077/129] KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 040/129] tty: ipwireless: Fix potential NULL pointer dereference Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 080/129] powerpc/83xx: Also save/restore SPRG4-7 during suspend Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 095/129] powerpc/32: Clear on-stack exception marker upon exception return Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 128/129] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 106/129] net/hsr: fix possible crash in add_timer() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 035/129] applicom: Fix potential Spectre v1 vulnerabilities Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 081/129] powerpc/wii: properly disable use of BATs when requested Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 026/129] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 119/129] l2tp: fix infoleak in l2tp_ip6_recvmsg() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 093/129] NFSv4.1: Reinitialise sequence results before retransmitting a request Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 065/129] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 105/129] scsi: virtio_scsi: don't send sc payload with tmfs Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 075/129] drm/radeon/evergreen_cs: fix missing break in switch statement Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 005/129] clk: socfpga: fix refcount leak Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 078/129] fs/nfs: Fix nfs_parse_devname to not modify it's argument Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 079/129] irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 113/129] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 003/129] staging: iio: adt7316: allow adt751x to use internal vref for all dacs Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 052/129] rtc: 88pm80x: fix unintended sign extension Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 010/129] clk: armada-370: fix refcount leak in a370_clk_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 071/129] ASoC: fsl_esai: fix register setting issue in RIGHT_J mode Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 117/129] net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 017/129] staging: iio: adt7316: fix the dac write calculation Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 094/129] 9p: use inode->i_lock to protect i_size_write() under 32-bit Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 013/129] clk: dove: fix refcount leak in dove_clk_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 045/129] splice: don't merge into linked buffers Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 023/129] selinux: avoid silent denials in permissive mode under RCU walk Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 086/129] ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 064/129] iscsi_ibft: Fix missing break in switch statement Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 098/129] CIFS: Do not reset lease state to NONE on lease break Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 047/129] rtc: ds1672: fix unintended sign extension Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 076/129] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 025/129] powerpc/irq: drop arch_early_irq_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 089/129] regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 100/129] CIFS: Fix read after write for files with read caching Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 019/129] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 116/129] net: sh_eth: fix a missing check of of_get_phy_mode Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 024/129] crypto: pcbc - remove bogus memcpy()s with src == dest Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 088/129] serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 030/129] crypto: tgr192 - fix unaligned memory access Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 004/129] clk: highbank: fix refcount leak in hb_clk_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 092/129] tools lib traceevent: Fix buffer overflow in arg_eval Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 027/129] media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 058/129] ext4: update quota information while swapping boot loader inode Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 044/129] crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 111/129] vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 101/129] mm/vmalloc: fix size check for remap_vmalloc_range_partial() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 001/129] staging: iio: adt7316: fix register and bit definitions Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 068/129] serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 115/129] md: Fix failed allocation of md_register_thread Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 011/129] clk: kirkwood: fix refcount leak in kirkwood_clk_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 029/129] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 007/129] clk: imx6q: fix refcount leak in imx6q_clocks_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 108/129] lib/div64.c: off by one in shift Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 018/129] drm: Fix error handling in drm_legacy_addctx Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 112/129] gro_cells: make sure device is up in gro_cells_receive() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 002/129] staging: iio: adt7316: invert the logic of the check for an ldac pin Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 038/129] mtd: docg3: Fix kasprintf() usage Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 042/129] devres: always use dev_name() in devm_ioremap_resource() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 039/129] mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 049/129] media: uvcvideo: Avoid NULL pointer dereference at the end of streaming Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 072/129] cdc-wdm: pass return value of recover_from_urb_loss Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 118/129] net/mlx4_core: Fix qp mtt size calculation Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 070/129] USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 129/129] netns: provide pure entropy for net_hash_mix() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 099/129] nfsd: fix memory corruption caused by readdir Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 096/129] net-sysfs: Fix mem leak in netdev_register_kobject Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 082/129] clocksource/drivers/exynos_mct: Fix error path in timer resources initialization Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 103/129] mm, swap: bounds check swap_info array accesses to avoid NULL derefs Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 087/129] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 066/129] tpm: Fix off-by-one when reading binary_bios_measurements Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 021/129] RDMA/ocrdma: Fix out of bounds index check in query pkey Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 016/129] staging: iio: adt7316: fix the dac read calculation Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 053/129] rtc: pm8xxx: fix unintended sign extension Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 034/129] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 104/129] s390/virtio: handle find on invalid queue gracefully Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 107/129] cpufreq: pxa2xx: remove incorrect __init annotation Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 028/129] media: v4l2: i2c: ov7670: Fix PLL bypass register values Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 083/129] mmc: omap: fix the maximum timeout setting Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 043/129] crypto: testmgr - skip crc32c context test for ahash algorithms Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 056/129] jbd2: clear dirty flag when revoking a buffer from an older transaction Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 122/129] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 015/129] staging: iio: adt7316: fix handling of dac high resolution option Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 123/129] fuse: Add FOPEN_STREAM to use stream_open() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 127/129] mwifiex: Abort at too short BSS descriptor element Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 062/129] pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 090/129] powerpc/powernv: Make opal log only readable by root Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 051/129] rtc: 88pm860x: fix unintended sign extension Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 060/129] parport_pc: fix find_superio io compare code, should use equal test Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 063/129] ext4: fix crash during online resizing Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 055/129] bcache: treat stale && dirty keys as bad keys Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 109/129] xen, cpu_hotplug: Prevent an out of bounds access Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 073/129] libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 036/129] rcu: Do RCU GP kthread self-wakeup from softirq and interrupt Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 050/129] crypto: ahash - fix another early termination in hash walk Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 125/129] media: uvcvideo: Fix 'type' check leading to overflow Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 126/129] mwifiex: Fix possible buffer overflows at parsing bss descriptor Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 012/129] clk: armada-xp: fix refcount leak in axp_clk_init() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 014/129] staging: iio: adt7316: fix dac_bits assignment Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 057/129] ext4: fix check of inode in swap_inode_boot_loader Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 069/129] leds: lp55xx: fix null deref on firmware load failure Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 102/129] mm: fix potential data race in SyS_swapon Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 124/129] binder: Replace "%p" with "%pK" for stable Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 121/129] tcp: refine memory limit test in tcp_fragment() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 022/129] security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 120/129] pptp: dst_release sk_dst_cache in pptp_sock_destruct Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 084/129] btrfs: init csum_list before possible free Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 046/129] scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 085/129] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 020/129] IB/usnic: Fix out of bounds index check in query pkey Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 059/129] ext4: add mask of ext4 flags to swap Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 032/129] m68k: Add -ffreestanding to CFLAGS Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 054/129] bcache: never writeback a discard operation Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 097/129] ip6mr: Do not call __IP6_INC_STATS() from preemptible context Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 067/129] serial: 8250_pci: Fix number of ports for ACCES serial cards Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 031/129] ASoC: imx-sgtl5000: put of nodes if finding codec fails Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 006/129] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() Ben Hutchings
2019-07-07 16:54 ` [PATCH 3.16 041/129] ext2: Fix underflow in ext2_max_size() Ben Hutchings
2019-07-08 11:05 ` [PATCH 3.16 000/129] 3.16.70-rc1 review Guenter Roeck
2019-07-08 15:21   ` Ben Hutchings
2019-07-08 13:05 ` Luke Nowakowski-Krijger
2019-07-08 15:29   ` Ben Hutchings
2019-07-08 20:21     ` Luke Nowakowski-Krijger
2019-07-08 13:43 ` Amol Surati
2019-07-09 18:07 ` Guenter Roeck
2019-07-09 18:09   ` Ben Hutchings
